Results 1-10 of 84
Evaluating 2-DNF formulas on ciphertexts
In Proceedings of TCC ’05, LNCS series, 2005
Cited by 231 (7 self)
Abstract. Let ψ be a 2-DNF formula on boolean variables x1, ..., xn ∈ {0, 1}. We present a homomorphic public-key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x1, ..., xn. In other words, given the encryption of the bits x1, ..., xn, anyone can create the encryption of ψ(x1, ..., xn). More generally, we can evaluate quadratic multivariate polynomials on ciphertexts provided the resulting value falls within a small set. We present a number of applications of the system: 1. In a database of size n, the total communication in the basic step of the Kushilevitz-Ostrovsky PIR protocol is reduced from √n to ∛n. 2. An efficient election system based on homomorphic encryption where voters do not need to include non-interactive zero-knowledge proofs that their ballots are valid. The election system is proved secure without random oracles but still efficient. 3. A protocol for universally verifiable computation.
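An added illustration, not part of the abstract above, of why 2-DNF evaluation is an instance of the "quadratic polynomial with a small result set" case. Write ψ with m clauses over literals ℓ taken from {x_i, 1 − x_i}, all valued in {0, 1}:

$$
\psi(x) = \bigvee_{k=1}^{m} \left(\ell_{k,1} \wedge \ell_{k,2}\right),
\qquad
p(x) = \sum_{k=1}^{m} \ell_{k,1}\,\ell_{k,2} \in \{0, \dots, m\},
\qquad
\psi(x) = 1 \iff p(x) \neq 0 .
$$

Each product is 1 exactly when its clause is satisfied, so p has total degree 2 (one multiplication per clause, additions across clauses) and its value is confined to the small set {0, ..., m}, which is what the decryptor must recover. Note the caveat that p(x) is the number of satisfied clauses, which is more than ψ(x) itself; a construction that should reveal only ψ(x) has to hide that count.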
Selective private function evaluation with applications to private statistics
In Proceedings of the Twentieth ACM Symposium on Principles of Distributed Computing (PODC), 2001
Cited by 56 (9 self)
Motivated by the application of private statistical analysis of large databases, we consider the problem of selective private function evaluation (SPFE). In this problem, a client interacts with one or more servers holding copies of a database z = z_1, ..., z_n, in order to compute f(z_{i_1}, ..., z_{i_m}), for some function f and indices i = i_1, ..., i_m chosen by the client. Ideally, the client must learn nothing more about the database than f(z_{i_1}, ..., z_{i_m}), and the servers should learn nothing. Generic solutions for this problem, based on standard techniques for secure function evaluation, incur communication complexity that is at least linear in n, making them prohibitive for large databases even when f is relatively simple and m is small. We present various approaches for constructing sublinear-communication SPFE protocols, both for the general problem and for special cases of interest. Our solutions not only offer sublinear communication complexity, but are also practical in many scenarios.
Foundations of Garbled Circuits
2012
Cited by 51 (5 self)
Garbled circuits, a classical idea rooted in the work of Andrew Yao, have long been understood as a cryptographic technique, not a cryptographic goal. Here we cull out a primitive corresponding to this technique. We call it a garbling scheme. We provide a provable-security treatment for garbling schemes, endowing them with a versatile syntax and multiple security definitions. The most basic of these, privacy, suffices for two-party secure function evaluation (SFE) and private function evaluation (PFE). Starting from a PRF, we provide an efficient garbling scheme achieving privacy and we analyze its concrete security. We next consider obliviousness and authenticity, properties needed for private and verifiable outsourcing of computation. We extend our scheme to achieve these ends. We provide highly efficient block-cipher-based instantiations of both schemes. Our treatment of garbling schemes presages more efficient garbling, more rigorous analyses, and more
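An added worked example, not code from the paper (whose construction differs in its details): a toy garbling scheme written in the (Gb, En, Ev, De) syntax the abstract refers to, built from a PRF (HMAC-SHA256) with point-and-permute row selection. The circuit, the wire numbering, the label format (16 random bytes plus one permute-bit byte) and the gate-index tweak are this example's own assumptions, not anything the paper specifies.

```python
# Added example (not the paper's scheme): a minimal PRF-based garbling scheme
# in the (Gb, En, Ev, De) syntax. Assumptions, all hypothetical: a circuit is a
# list of (op, in_wire, in_wire, out_wire) 2-input gates, input wires are
# numbered 0..n_in-1, and a label is K random bytes followed by a permute-bit byte.
import hashlib
import hmac
import secrets

K = 16  # random part of a label, in bytes; the trailing byte is the permute bit


def prf(key: bytes, msg: bytes) -> bytes:
    """PRF F_key(msg); HMAC-SHA256 stands in for the PRF."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gb(circuit, n_in, out_wire):
    """Gb: garble the circuit. Returns (F, e, d): garbled gates, encoding info, decoding info."""
    labels = {}

    def fresh(w):
        p = secrets.randbits(1)  # random permute bit: row position leaks nothing about the value
        labels[w] = (secrets.token_bytes(K) + bytes([p]), secrets.token_bytes(K) + bytes([p ^ 1]))

    for w in range(n_in):
        fresh(w)
    F = []
    for g, (op, i, j, out) in enumerate(circuit):
        fresh(out)
        table = [None] * 4
        for x in (0, 1):
            for y in (0, 1):
                li, lj = labels[i][x], labels[j][y]
                lo = labels[out][op(x, y)]
                pos = (li[-1] << 1) | lj[-1]              # row chosen by the two permute bits
                pad = prf(li[:K] + lj[:K], bytes([g]))   # pad keyed by both input labels, gate index as tweak
                table[pos] = xor(pad[: K + 1], lo)       # only the holder of li and lj can strip the pad
        F.append(table)
    e = [labels[w] for w in range(n_in)]
    d = labels[out_wire]
    return F, e, d


def en(e, x):
    """En: encode a cleartext input bit-vector as one label per input wire."""
    return [e[w][x[w]] for w in range(len(x))]


def ev(circuit, F, X, out_wire):
    """Ev: evaluate the garbled circuit on input labels; sees one label per wire only."""
    wl = dict(enumerate(X))
    for g, (op, i, j, out) in enumerate(circuit):
        li, lj = wl[i], wl[j]
        pos = (li[-1] << 1) | lj[-1]
        pad = prf(li[:K] + lj[:K], bytes([g]))
        wl[out] = xor(pad[: K + 1], F[g][pos])
    return wl[out_wire]


def de(d, Y):
    """De: map the output label back to a bit (None if it is neither valid label)."""
    return 0 if Y == d[0] else 1 if Y == d[1] else None


def AND(a, b):
    return a & b


def XOR(a, b):
    return a ^ b


# Constructed circuit: out = (a AND b) XOR c, wires a=0, b=1, c=2, t=3, out=4
CIRCUIT = [(AND, 0, 1, 3), (XOR, 3, 2, 4)]


def run(x):
    """Garble, encode, evaluate and decode one input; returns the decoded output bit."""
    F, e, d = gb(CIRCUIT, 3, 4)
    return de(d, ev(CIRCUIT, F, en(e, x), 4))


def check_all():
    """Correctness over every input: De(d, Ev(F, En(e, x))) == f(x)."""
    return all(run([a, b, c]) == ((a & b) ^ c) for a in (0, 1) for b in (0, 1) for c in (0, 1))


if __name__ == "__main__":
    print("garbling correct on all inputs:", check_all())
```

The evaluator's view is one label per wire plus the four-row tables; because the two permute bits are random, the row it decrypts says nothing about the underlying bits, and because each row's pad is keyed by both input labels, the other three rows stay opaque. This is the privacy notion the abstract calls basic; obliviousness and authenticity (for example, that the evaluator cannot forge a valid output label) need more than this toy provides.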
Strong conditional oblivious transfer and computing on intervals
In Advances in Cryptology—ASIACRYPT 2004, 2004
Cited by 47 (10 self)
Abstract. We consider the problem of securely computing the Greater Than (GT) predicate and its generalization: securely determining membership in a union of intervals. We approach these problems from the point of view of Q-Conditional Oblivious Transfer (Q-COT), introduced by Di Crescenzo, Ostrovsky and Rajagopalan [4]. Q-COT is an oblivious transfer that occurs iff predicate Q evaluates to true on the parties’ inputs. We are working in the semi-honest model with computationally unbounded receiver. In this paper, we propose: (i) a stronger, simple and intuitive definition of COT, which we call strong COT, or Q-SCOT. (ii) A simpler and more efficient one-round protocol for securely computing GT and GT-SCOT. (iii) A simple and efficient modular construction reducing SCOT based on membership in a union of intervals (UI-SCOT) to GT-SCOT, producing an efficient one-round UI-SCOT.
Can mobile agents do secure electronic transactions on untrusted hosts? A survey of the security issues and the current solutions
ACM Trans. Internet Technol., 2003
Cited by 41 (0 self)
This article investigates if and how mobile agents can execute secure electronic transactions on untrusted hosts. An overview of the security issues of mobile agents is first given. The problem of untrusted (i.e., potentially malicious) hosts is one of these issues, and appears to be the most difficult to solve. The current approaches to counter this problem are evaluated, and their relevance for secure electronic transactions is discussed. In particular, a state-of-the-art survey of mobile agent-based secure electronic transactions is presented. Categories and Subject Descriptors: A.1 [Introductory and Survey]; E.3 [Data Encryption]
Polylogarithmic private approximations and efficient matching
2005
Cited by 39 (3 self)
In [12] a private approximation of a function f is defined to be another function F that approximates f in the usual sense, but does not reveal any information about x other than what can be deduced from f(x). We give the first two-party private approximation of the l2 distance with polylogarithmic communication. This, in particular, resolves the main open question of [12]. We then look at the private near neighbor problem in which Alice has a query point in {0, 1}^d and Bob a set of n points in {0, 1}^d, and Alice should privately learn the point closest to her query. We improve upon existing protocols, resolving open questions of [13, 10]. Then, we relax the problem by defining the private approximate near neighbor problem, which requires introducing a notion of secure computation of approximations for functions that return sets of points rather than values. For this problem we give several protocols with sublinear communication.
Cryptographic primitives enforcing communication and storage complexity
In Financial Cryptography (FC 2002), 2003
Cited by 37 (0 self)
Abstract. We introduce a new type of cryptographic primitives which enforce high communication or storage complexity. Intuitively, to evaluate these primitives on a random input one has to engage in a protocol of high communication complexity, or one has to use a lot of storage. Therefore, the ability to compute these primitives constitutes a certain “proof of work”, because the computing party is forced to contribute a lot of its communication or storage resources to this task. Such primitives can be used in applications which deal with non-malicious but selfishly resource-maximizing parties. For example, they can be useful in constructing peer-to-peer systems which are robust against so-called “free riders”. In this paper we define two such primitives, a communication-enforcing signature and a storage-enforcing commitment scheme, and we give constructions for both.
On 2-Round Secure Multiparty Computation
In Proc. Crypto ’02, 2002
Cited by 36 (3 self)
Abstract. Substantial efforts have been spent on characterizing the round complexity of various cryptographic tasks. In this work we study the round complexity of secure multiparty computation in the presence of an active (Byzantine) adversary, assuming the availability of secure point-to-point channels and a broadcast primitive. It was recently shown that in this setting three rounds are sufficient for arbitrary secure computation tasks, with a linear security threshold, and two rounds are sufficient for certain non-trivial tasks. This leaves open the question whether every function can be securely computed in two rounds. We show that the answer to this question is “no”: even some very simple functions do not admit secure 2-round protocols (independently of their communication and time complexity) and thus 3 is the exact round complexity of general secure multiparty computation. Yet, we also present some positive results by identifying a useful class of functions which can be securely computed in two rounds. Our results apply both to the information-theoretic and to the computational notions of security.
Evaluating branching programs on encrypted data
In TCC 2007, 2007
Cited by 33 (1 self)
Abstract. We present a public-key encryption scheme with the following properties. Given a branching program P and an encryption c of an input x, it is possible to efficiently compute a succinct ciphertext c′ from which P(x) can be efficiently decoded using the secret key. The size of c′ depends polynomially on the size of x and the length of P, but does not further depend on the size of P. As interesting special cases, one can efficiently evaluate finite automata, decision trees, and OBDDs on encrypted data, where the size of the resulting ciphertext c′ does not depend on the size of the object being evaluated. These are the first general representation models for which such a feasibility result is shown. Our main construction generalizes the approach of Kushilevitz and Ostrovsky (FOCS 1997) for constructing single-server Private Information Retrieval protocols. We also show how to strengthen the above so that c′ does not contain additional information about P (other than P(x) for some x) even if the public key and the ciphertext c are maliciously formed. This yields a two-message secure protocol for evaluating a length-bounded branching program P held by a server on an input x held by a client. A distinctive feature of this protocol is that it hides the size of the server’s input P from the client. In particular, the client’s work is independent of the size of P.
A Practical Universal Circuit Construction and Secure Evaluation of Private Functions
2008
Cited by 30 (9 self)
Abstract. We consider general secure function evaluation (SFE) of private functions (PF-SFE). Recall, privacy of functions is often most efficiently achieved by general SFE [18,19,10] of a Universal Circuit (UC). Our main contribution is a new simple and efficient UC construction. Our circuit UC_k, universal for circuits of k gates, has size ∼ 1.5k log² k and depth ∼ k log k. It is up to 50% smaller than the best UC (of Valiant [16], of size ∼ 19k log k) for circuits of size up to ≈ 5000 gates. Our improvement results in a corresponding performance improvement of SFE of (small) private functions. Since, due to cost, only small circuits (i.e. < 5000 gates) are practical for PF-SFE, our construction appears to be the best fit for many practical PF-SFE applications. We implement PF-SFE based on our UC and the Fairplay SFE system [11].