C. Cr'epeau, J. van de Graaf, and A. Tapp. Committed oblivious transfer and private multi-party computation. In Advances in Cryptology --- CRYPTO '95, volume 963 of Lecture Notes in Computer Science, pages 110--123. Springer-Verlag, 1995.  Home/Search   Document Not in Database   Summary   Related Articles   Check

.... The types of tolerable adversaries have recently been generalized in a number of directions (adaptive adversaries [CFGN96] uncoercibility [CG96] non threshold adversaries [HM97] and some authors have investigated multi party computation for various minimality and complexity criteria [FKN94,CGT95,FY92,Kus89]. Security can also be classified according to the adversary s computational resources (limited, hence cryptographic security, e.g. CDG87,GMW87] or unlimited, hence unconditional or information theoretic security, e.g. BGW88,CCD88,RB89] In the information theoretic model one can distinguish ....

C. Cr'epeau, J. van de Graaf, and A. Tapp. Committed oblivious transfer and private multi-party computation. In Advances in Cryptology --- CRYPTO '95, volume 963 of Lecture Notes in Computer Science, pages 110--123. Springer-Verlag, 1995.

....A 1 , containing two values a 0 and a 1 , and R has made a commitment C, containing a bit c. The requirements are that R outputs a c without learning anything about a c 1 and that S does not learn anything about c. A committed oblivious transfer as described by Cr epeau, van de Graaf, and Tapp [19] is a similar protocol that performs an oblivious transfer of commitments such that R ends up being committed to a c ; Cramer and Damg ard [16] give an ecient implementation for this. Suppose the commitments A 0 ; A 1 , and C are of the form B = g b g 1 r for a randomly chosen r 2 Z q and ....

C. Crepeau, J. van de Graaf, and A. Tapp, \Committed oblivious transfer and private multi-party computation," in Advances in Cryptology: CRYPTO '95 (D. Coppersmith, ed.), vol. 963 of Lecture Notes in Computer Science, Springer, 1995.

....to the merchant Mary that a hash value was correctly computed by the buyer. 1.1 Our result We present in this paper a scheme for anonymous ngerprinting which is e ciently and completely speci ed from a computational point of view. The basic primitive used is committed oblivious transfer (see [Cr ep95]) Section 2 contains some background on committed oblivious transfer. Section 3 describes the new construction. Section 4 contains a complexity evaluation. Section 5 is a security analysis. Section 6 is a conclusion. 2 Background In Subsection 2.1, bit commitment with XOR is recalled. This ....

....reviewed in Subsection 2.2. 2.1 Bit commitment with XOR In a bit commitment (bc) Mary sends a committed bit a to Bob in such a way that she is able to reveal it later in a unique way (a) but Bob is not able to nd the value a by himself. Mary cannot change her mind and open a as a. In [Cr ep95], bit commitment with XOR was introduced. If a special kind of bit commitments (bcx) is used, then it is possible to prove that some commitments satisfy an XOR relation, without giving away any other information about the contents of the commitments. In particular, it is possible to prove that two ....

[Article contains additional citation context not shown here]

C. Crepeau, J. van de Graaf and A. Tapp, \Committed oblivious transfer and private multi-party computation", in Advances in Cryptology-CRYPTO'95, LNCS 963. Berlin: Springer-Verlag, 1995, pp. 110-123.

.... The types of tolerable adversaries have recently been generalized in a number of directions (adaptive adversaries [CFGN96] uncoercibility [CG96] non threshold adversaries [HM97] and some authors have investigated multi party computation for various minimality and complexity criteria [FKN94,CGT95,FY92,Kus89]. Security can also be classified according to the adversary s computational resources (limited, hence cryptographic security, e.g. CDG87,GMW87] or unlimited, hence unconditional or information theoretic security, e.g. BGW88,CCD88,RB89] In the information theoretic model one can distinguish ....

C. Cr'epeau, J. van de Graaf, and A. Tapp. Committed oblivious transfer and private multi-party computation. In Advances in Cryptology --- CRYPTO '95, volume 963 of Lecture Notes in Computer Science, pages 110--123. Springer-Verlag, 1995.

.... The types of tolerable adversaries have recently been generalized in a number of directions (adaptive adversaries [CFGN96] uncoercibility [CG96] non threshold adversaries [HM97] and some authors have investigated multi party computation for various minimality and complexity criteria [FKN94,CGT95,FY92,Kus89]. Security can also be classified according to the adversary s computational resources (limited, hence cryptographic security, e.g. CDG87,GMW87] or unlimited, hence unconditional or information theoretic security, e.g. BGW88,CCD88,RB89] In the information theoretic model one can distinguish ....

C. Cr'epeau, J. van de Graaf, and A. Tapp. Committed oblivious transfer and private multi-party computation. In Advances in Cryptology --- CRYPTO '95, volume 963 of Lecture Notes in Computer Science, pages 110--123. Springer-Verlag, 1995.

....discovered his attack and implement bit commitment, oblivious transfer and general cryptographic protocols securely. Moreover, if we are willing to make extra (temporary) assumptions it may well be that both bit commitment and oblivious transfer can be achieved and, using standard reductions [51, 28], all cryptographic protocols as well, in the multiparty model for instance. The big lesson to learn from all this is that quantum information is always more elusive than its classical counterpart: extra care must be taken when reasoning about quantum cryptographic protocols and analysing them. ....

Cr' epeau, C., J. van de Graaf and A. Tapp, "Committed oblivious transfer and private multi-party computations", Advances in Cryptology --- Proceedings of Crypto '95, August 1995, Springer -- Verlag, pp. 110 -- 123.

....the latter as perfect multi party computation. The types of tolerable adversaries have recently been generalized in a number of directions (adaptive adversaries [4] and uncoercibility [5] and some authors have investigated multi party computation for various minimality and complexity criteria [12, 11, 18, 26, 27, 22]. All previous results in the literature specify the sets of potential adverse players (passive or active) that can be tolerated by their cardinality, i.e. by a threshold. In a setting with perfect security, Ben Or, Goldwasser and Wigderson [2] proved that with n players all passive collusions ....

Cr' epeau, C., Graaf, J. v., and Tapp, A. Committed oblivious transfer and private multi-party computation. In Advances in Cryptology --- CRYPTO '95 (1995), vol. 963 of Lecture Notes in Computer Science, Springer-Verlag, pp. 110--123.

....RAND. k CNRS URA 410. Laboratoire de Recherche en Informatique, Universit e Paris Sud, Batiment 490, 91405 Orsay, France. e mail: santha lri.fr. to appear in IEEE Transactions on Information Theory 2 1 Introduction The equivalence between cryptographic primitives is a major research topic [6, 11, 16, 30, 12, 25, 13, 31, 18, 19, 15, 17]. A large number of cryptographic protocols have been shown equivalent to one another. One out of two String Oblivious Transfer, denoted ( 2 1 ) OT k 2 , is a primitive that originates with [43] under the name of multiplexing ) a paper that marked the birth of quantum cryptography. ....

....k 2 to ( 2 1 ) OT 2 , i.e. an efficient twoparty protocol to achieve andos based on the assumption of the existence of a protocol for the simpler type of oblivious transfer. The fact that the more general andos can be reduced to ( 2 1 ) OT 2 is not surprising because a number of authors [23, 24, 30, 12, 25, 15] have later shown that ( 2 1 ) OT 2 is sufficient to implement any two party computation. Nevertheless, our direct reductions are interesting because of their greater efficiency. Even more efficient direct reductions of this kind were subsequently given in [19] In the remainder of this section, ....

C. Cr'epeau, J. van de Graaf and A. Tapp, "Committed oblivious transfer and private multi-party computations", Advances in Cryptology: Crypto '95 Proceedings, SpringerVerlag, 1995, pp. 110 -- 123.

....given to achieve One out of two String Oblivious Transfer based on the assumption of the availability of a protocol for the simpler One out of two Bit Oblivious Transfer. The fact that ( 2 1 ) OT k can be reduced to ( 2 1 ) OT is not surprising because a number of authors [Kil88, Cr e89, CGT95] have shown that ( 2 1 ) OT is sufficient to implement any two party computation. Our interest in direct reductions is their far greater efficiency. With the exception of [CS91a] all previous direct reductions that we are aware of [BCR86, CS91b, BCS96] are based on a notion called zigzag ....

C. Cr'epeau, J. van de Graaf and A. Tapp, "Committed oblivious transfer and private multi-party computations", Advances in Cryptology: Proceedings of Crypto '95, Springer-Verlag, 1995, pp. 110 -- 123.

....bits, in favor of cryptography. For instance, in the theoretical notion of Oblivious Transfer [34, 18] it is assumed that half of the bits transmitted by a party just disappear; the other party receives a . It has been proven that Oblivious Transfer is sufficient for obtaining a pmpc protocol [15, 29, 30, 35, 26, 13]. More practically, Oblivious Transfer can be implemented on top of a Noisy Channel [17, 16] or on a Quantum Channel [5] It turns out that most protocols represent the function f by a Boolean circuit and they often exhibit the following overall structure: Initialization phase: All participants ....

C. Cr' epeau, J. van de Graaf, & A. Tapp (1995). Committed oblivious transfer and private multi-party computation. In Proc. CRYPTO 95. Springer-Verlag.

....bits, in favor of cryptography. For instance, in the theoretical notion of Oblivious Transfer [34, 18] it is assumed that half of the bits transmitted by a party just disappear; the other party receives a . It has been proven that Oblivious Transfer is sufficient for obtaining a pmpc protocol [15, 29, 30, 35, 26, 13]. More practically, Oblivious Transfer can be implemented on top of a Noisy Channel [17, 16] or on a Quantum Channel [5] It turns out that the overall structure of most protocols is quite similar: Initialization phase: All participants agree on the circuit to be evaluated and on all parameters ....

C. Cr'epeau, J. van de Graaf, and A. Tapp. Committed oblivious transfer and private multi-party computation. In Proc. CRYPTO 95. Springer-Verlag, 1995.

....simple protocols are sufficient to achieve the general ones. The two primitives known as Bit Commitment (defined in Section 3) and Oblivious Transfer (defined in Section 4) are elementary protocols that are sufficient in general to accomplish any Mental Games, even in a non computational scenario [15, 8]. The current paper considers a scenario where only two people, Alice and Bob, are involved and where we put no limitation on their computing power. If we made no further assumption, it would be impossible to accomplish Mental Games. Thus, the extra assumption we make is that Alice and Bob are ....

.... of Two Oblivious Transfer based on the existence of a BSC using Privacy Amplification. The protocol for BC requires O(n) uses of the BSC, while the protocol for ( 2 1 ) OT 2 requires O(n 3 ) uses of the BSC. If we combine these protocols with the protocol of Cr epeau, van de Graaf and Tapp [8] for Private Multi Party Computation to achieve any two party function evaluation which requires O(n 2 ) BCs and O(n) 2 1 ) OT 2 per gate, we end up with a protocol requiring a total of O(n 4 ) uses of the BSC per gate of the computation. Our main open question is to obtain ( 2 1 ) OT 2 ....

C. Cr'epeau, J. van de Graaf and A. Tapp. Committed Oblivious Transfer and Private MultiParty Computations. Advances in Cryptology: Proceedings of Crypto '95, August 1995.

....to another party B who chooses to receive either w 0 or w 1 but cannot get both. A never finds out which information B got. This small primitive later known as one out of two Oblivious Transfer by cryptographers [24, 13] can be used to implement very general cryptographic tasks of the same flavour [16, 14, 11]. Prompted by Wiesner s work, Bennett and Brassard [1] later introduced two new cryptographic applications of quantum mechanics: quantum key distribution and quantum coinflipping. Quantum coin flipping allows A and B to flip a coin at a distance in such a way that neither of them can force the ....

....oblivious transfer may no longer work. Some cryptographic protocols may still be achieved, some may not. On the other hand, if we are willing to make extra (temporary) assumptions it may very well be that both bit commitment and oblivious transfer can be achieved and using standard reductions [16, 11], all cryptographic protocols as well. From a practical point of view, the same remarks as before apply: unless an adversary can build a quantum computer, we may still reason as before and implement bit commitment, oblivious transfer and general cryptographic protocols securely. 7 Conclusion ....

C. Cr'epeau, J. van de Graaf and A. Tapp, "Committed oblivious transfer and private multi-party computations", Advances in Cryptology: Crypto '95 Proceedings, SpringerVerlag, 1995, pp. 110 -- 123.

....simple protocols are sufficient to achieve the general ones. The two primitives known as Bit Commitment (defined in Section 3) and Oblivious Transfer (defined in Section 4) are elementary protocols that are sufficient in general to accomplish any Mental Games, even in a non computational scenario [14, 8]. The current paper considers a scenario where only two people, A and B, are involved and where we put no limitation on their computing power. If we made no further assumption, it would be impossible to accomplish Mental Games. Thus, the extra assumption we make is that A and B are connected by a ....

....Oblivious Transfer based on the existence of a BSC using Privacy Amplification. The protocol for BC requires O(n) uses of the BSC, while the protocol for ( 2 1 ) OT requires O(n 3 ) uses of the BSC. If we combine these protocols with the protocol of Cr epeau, van de Graaf and Tapp [8] for Private Multi Party Computation to achieve any two party function evaluation which requires O(n 2 ) BCs and O(n) 2 1 ) OT per gate, we end up with a protocol requiring a total of O(n 4 ) uses of the BSC per gate of the computation. Our main open question is to obtain ( 2 1 ) OT with ....

C. Cr'epeau, J. van de Graaf and A. Tapp. Committed Oblivious Transfer and Private Multi-Party Computations. Advances in Cryptology: Proceedings of Crypto '95, August 1995, pp. 110--123.

....for Oblivious Transfer between each pair of participants exists, then they can evaluate any function f . The reduction from Multi Party Computation to Oblivious Transfer was done by Beaver and Goldwasser [BG89] 16 A more efficient reduction from MPC to OT using coding theory can be found in [CGT95]. Nevertheless, despite the abundance of papers on the subject of Multi Party Computation, and even though the security of all the proposed protocols is commonly believed to be true, most of them lack a rigorous mathematical proof. Even worse, they lack a proper definition. This is probably due to ....

CR EPEAU, C., J. VAN DE GRAAF AND A. TAPP, "Committed oblivious transfer and private multi-party computation", In Proc. CRYPTO 95 (1995), Springer-Verlag, pp. 110--123, Lecture Notes in Computer Science No. 963.

....The density matrices ae B 0 and ae B 1 on Bob s side must be close one to the other, otherwise Bob can cheat. We shall do the simpler case ae B 0 = ae B 1 . The more subtle case where the density matrices are not identical is done in the next section. Consider the Schmidt decomposition [20, 21] of jOE 0 i and jOE 1 i respectively given by jOE 0 i = X i p i je (0) i i Omega jf i i and jOE 1 i = X i p i je (1) i i Omega jf i i In the above formula, i are eigenvalues of the density matrices ae B , ae A 0 and ae A 1 . The fact that these density matrices share the ....

....and jOE 1 i = X i p i je (1) i i Omega jf i i In the above formula, i are eigenvalues of the density matrices ae B , ae A 0 and ae A 1 . The fact that these density matrices share the same positive eigenvalues with the same multiplicity is part of the Schmidt decomposition theorem [20, 21]. The states je (b) i i and jf i i are respectively eigenstates of ae A b and ae B associated with the same eigenvalue i . Clearly, the same unitary transformation that maps je (0) i i into je (1) i i also maps jOE (0) i into jOE (1) i. We recall that Alice knows what are the states ....

[Article contains additional citation context not shown here]

Cr' epeau, C., J. van de Graaf, and A. Tapp, "Committed Oblivious Transfer and Private Multi-Party Computation", in Advances in Cryptology: Proceedings of Crypto '95 (Springer -- Verlag, Berlin, 1995), Vol. 963, pp. 110 -- 123.

No context found.

C. Cr'epeau, J. van de Graaf and A. Tapp, Committed oblivious transfer and private multi-party computation, proc. CRYPTO '95, Springer Verlag LNCS, vol. 963, pp. 110--123.

No context found.

C. Cr'epeau, J. van de Graaf and A. Tapp, "Committed Oblivious Transfer and Private Multi-Party Computations", Advances in Cryptology: Proceedings of Crypto '95, August 1995, pp. 110 -- 123.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC