An efficient protocol for secure two-party computation in the presence of malicious adversaries
In Proceedings of the annual international conference on Advances in Cryptology, 2007
Cited by 118 (14 self)
Abstract. We show an efficient secure two-party protocol, based on Yao’s construction, which provides security against malicious adversaries. Yao’s original protocol is only secure in the presence of semi-honest adversaries. Security against malicious adversaries can be obtained by applying the compiler of Goldreich, Micali and Wigderson (the “GMW compiler”). However, this approach does not seem to be very practical as it requires using generic zero-knowledge proofs. Our construction is based on applying cut-and-choose techniques to the original circuit and inputs. Security is proved according to the ideal/real simulation paradigm, and the proof is in the standard model (with no random oracle model or common reference string assumptions). The resulting protocol is computationally efficient: the only usage of asymmetric cryptography is for running O(1) oblivious transfers for each input bit (or for each bit of a statistical security parameter, whichever is larger). Our protocol combines techniques from folklore (like cut-and-choose) along with new techniques for efficiently proving consistency of inputs. We remark that a naive implementation of the cut-and-choose technique with Yao’s protocol does not yield a secure protocol. This is the first paper to show how to properly implement these techniques, and to provide a full proof of security. Our protocol can also be interpreted as a constant-round black-box reduction of secure two-party computation to oblivious transfer and perfectly-hiding commitments, or a black-box reduction of secure two-party computation to oblivious transfer alone, with a number of rounds which is linear in a statistical security parameter. These two reductions are comparable to Kilian’s reduction, which uses OT alone but incurs a number of rounds which is linear in the depth of the circuit [18].
Precise Zero Knowledge
, 2007
Cited by 3 (2 self)
We put forward the notion of Precise Zero Knowledge and provide its first implementations in a variety of settings under standard complexity assumptions. Whereas the classical notion of Zero Knowledge bounds the knowledge of a player in terms of his potential computational power (technically defined as polynomial-time computation), Precise Zero Knowledge bounds the knowledge gained by a player in terms of its actual computation (which can be considerably less than any arbitrary polynomial-time computation). Consequently, our approach not only remains valid even if P = NP, but is most meaningful when modeling knowledge of computationally easy properties.
Precise Cryptography
, 2007
Precise zero knowledge guarantees that the view of any verifier V can be simulated in time closely related to the actual (as opposed to worst-case) time spent by V in the generated view. We generalize this notion in two ways: 1. We provide definitions and constructions of precise encryption, precise proofs of knowledge and precise secure computation. 2. We introduce relaxed notions of precise zero knowledge—which relate the expectation (or higher moments) of the running time of the simulation with the expectation (higher moments) of the running time of the verifier—and provide conditions under which these
A Framework For Fully-Simulatable h-Out-Of-n Oblivious Transfer
Abstract—We present a framework for fully-simulatable h-out-of-n oblivious transfer (OT^n_h) with security against non-adaptive malicious adversaries. The framework costs six communication rounds and costs at most 40n public-key operations in computational overhead. Compared with the known protocols for fully-simulatable oblivious transfer that work in the plain mode (where there is no trusted common reference string available) and are proven to be secure under the standard model (where there is no random oracle available), the instantiation based on the decisional Diffie-Hellman assumption of the framework is the most efficient one, no matter seen from communication rounds or computational overhead. Our framework uses three abstract tools, i.e., information-theoretically binding commitment, information-theoretically hiding commitment and our new smooth projective hash. This allows a simple and intuitive understanding of its security. We instantiate the new smooth projective hash under the lattice assumption, the decisional Diffie-Hellman assumption, the decisional N-th residuosity assumption, and the decisional quadratic residuosity assumption. This indeed shows that the folklore that it is technically difficult to instantiate the projective hash framework under the lattice assumption is not true. What’s more, by using this lattice-based hash and lattice-based commitment scheme, we gain a concrete protocol for OT^n_h which is secure against quantum algorithms. Index Terms—oblivious transfer (OT) protocols.
NOTIONS OF EFFICIENCY IN SIMULATION PARADIGM
Abstract. There are some well-known conceptional and technical issues related to a common setting of simulation paradigm, i.e., EPT (expected polynomial time) simulator versus SPT (strict polynomial time) adversary. In fact, it has been shown that this setting is essential for achieving constant-round black-box zero-knowledge protocols. Many suggestions and results have been proposed to deal with these issues. In this paper, we propose an alternative solution. We study a new class of machines, MPT (Markov polynomial time), which is a cryptographic adaption of Levin’s average polynomial-time. Since MPT has good compatibility to SPT and intuitive composition properties, we can use it as a drop-in replacement of SPT. Moreover, it is easy to construct simulators in MPT. Key words. Markov polynomial-time, Average polynomial-time, Expected polynomial-time,