Mix and Match: Secure Function Evaluation via Ciphertexts (Extended Abstract)
In Proceedings of Asiacrypt-00, 2000
Cited by 60 (5 self)
Abstract:
We introduce a novel approach to general secure multiparty computation that avoids the intensive use of verifiable secret sharing characterizing nearly all previous protocols in the literature. Instead, our scheme involves manipulation of ciphertexts for which the underlying private key is shared by participants in the computation. The benefits of this protocol include a high degree of conceptual and structural simplicity, low message complexity, and substantial flexibility with respect to input and output value formats. We refer to this new approach as mix and match. While the atomic operations in mix and match are logical operations, rather than full field operations as in previous approaches, the techniques we introduce are nonetheless highly practical for computations involving intensive bitwise manipulation. One application for which mix and match is particularly well suited is that of sealed-bid auctions. Thus, as another contribution in this paper, we present a practical, mix-and-match-based auction protocol that is fully private and non-interactive and may be readily adapted to a wide range of auction strategies.
Solving a distributed CSP with cryptographic multi-party computations, without revealing constraints and without involving trusted servers
Cited by 19 (13 self)
Abstract:
Everybody has its own constraint satisfaction problem, private concerns that owners prefer to keep as secret as possible. Resources may be shared and cause the need for cooperation. Here we consider the case where privacy is an overwhelming requirement and we assume that a majority of the participants are incorruptible. Namely, given n participants, at least an n/2 unknown subset of them are trustworthy and not corrupted or controlled by attackers. This is a common assumption in cryptographic multi-party computations where techniques exploiting such assumptions are known as threshold schemes. This work shows how a random solution of the described problem can be offered with a secure protocol that does not reveal anything except the existence of the solution and tells each participant the valuations corresponding to its subproblem. The technique is based on the properties of the recent Paillier cryptosystem and needs no external arbiter.
Robustness for free in unconditional multi-party computation
In CRYPTO, 2001
Cited by 19 (3 self)
Abstract:
We present a very efficient multi-party computation protocol unconditionally secure against an active adversary. The security is maximal, i.e., active corruption of up to t < n/3 of the n players is tolerated. The communication complexity for securely evaluating a circuit with m multiplication gates over a finite field is O(mn^2) field elements, including the communication required for simulating broadcast, but excluding some overhead costs (independent of m) for sharing the inputs and reconstructing the outputs. This corresponds to the complexity of the best known protocols for the passive model, where the corrupted players are guaranteed not to deviate from the protocol. The complexity of our protocol may well be optimal. The constant overhead factor for robustness is small and the protocol is practical.
A two-server, sealed-bid auction protocol
In Sixth Annual Proceedings of Financial Cryptography, 2002
Cited by 16 (0 self)
Abstract:
Naor, Pinkas, and Sumner introduced and implemented a sealed-bid, two-server auction system that is perhaps the most efficient and practical to date. Based on a cryptographic primitive known as oblivious transfer, their system aims to ensure privacy and correctness provided that at least one auction server behaves honestly. As observed in [19], however, the NPS system suffers from a security flaw in which one of the two servers can cheat so as to modify bids almost arbitrarily and without detection. We propose a means of repairing this flaw while preserving the attractive practical elements of the NPS protocol, including minimal round complexity for servers and minimal computation by players providing private inputs. Our proposal requires a slightly greater amount of computation and communication on the part of the two auction servers, but actually involves much less computation on the part of bidders. This latter feature makes our proposal particularly attractive for use with low-power devices. While the original proposal of NPS involved several dozen exponentiations for a typical auction, ours by contrast involves only several dozen modular multiplications. The key idea in our proposal is a form of oblivious transfer that we refer to as verifiable proxy oblivious transfer (VPOT).
Key words: auction, sealed-bid auction, oblivious transfer, secure multiparty computation, secure function evaluation
A comparison of distributed constraint satisfaction approaches with respect to privacy
In DCR, 2002
Cited by 13 (1 self)
Abstract:
There is an increasing interest in distributed and asynchronous search algorithms for solving distributed constraint satisfaction problems (DisCSP). An important motivation for distributed problem solving is the agents' ability to keep their constraints private. Cryptographic techniques [GB96] offer a certain protection from several types of attacks. However, when an attack succeeds, no agent can know how much privacy he has lost. We assume that agents enforce their privacy by dropping out of the search process whenever the estimated value of the information that they need to reveal in the future exceeds that attached to a successful solution of the DisCSP. We compare several distributed search algorithms as to how likely they are to terminate prematurely for privacy reasons, and arrange the algorithms in a hierarchy that reflects this relation.
Efficient Multi-Party Computation over Rings
In Proc. EUROCRYPT '03, 2003
Cited by 10 (6 self)
Abstract:
Secure multi-party computation (MPC) is an active research area, and a wide range of literature can be found nowadays suggesting improvements and generalizations of existing protocols in various directions. However, all current techniques for secure MPC apply to functions that are represented by (boolean or arithmetic) circuits over finite fields. We are motivated by two limitations of these techniques:
– Generality. Existing protocols do not apply to computation over more general algebraic structures (except via a brute-force simulation of computation in these structures).
– Efficiency. The best known constant-round protocols do not efficiently scale even to the case of large finite fields.
Our contribution goes in these two directions. First, we propose a basis for unconditionally secure MPC over an arbitrary finite ring, an algebraic object with a much less nice structure than a field, and obtain efficient MPC protocols requiring only a black-box access to the ring operations and to random ring elements. Second, we extend these results to the constant-round setting, and suggest efficiency improvements that are relevant also for the important special case of fields. We demonstrate the usefulness of the above results by presenting a novel application of MPC over (non-field) rings to the round-efficient secure computation of the maximum function.
Arithmetic circuit for the first solution of distributed CSPs with cryptographic multi-party computations
In IAT, 2003
Cited by 7 (7 self)
Abstract:
A large class of problems like meeting scheduling, negotiation, or different types of coordination, can be formulated in terms of agents, variables, and constraints (i.e. predicates) on those variables. Distributed Constraint Satisfaction (DisCSP) is a framework addressing such general problems, namely defined in terms of a set of agents, variables, and constraints that the different agents enforce. General algorithms for DisCSPs yield a basic solution for each of those problems. Each participant has its own constraint satisfaction problem, private concerns that should remain as secret as possible. Resources may be shared and cause the need for cooperation. Here we consider the case where privacy is an overwhelming requirement and we assume that any majority of the participants are incorruptible. Namely, given n participants, at least an n/2 unknown subset of them are trustworthy and not corrupted by attackers. This is a common assumption in cryptographic multi-party computations, known as a threshold scheme. This work shows how a solution of a general DisCSP can be found securely by the owners of the problem without appealing to any trusted servers. The constraints are shared with Shamir's secret sharing scheme, transforming the DisCSP into a shared constraint satisfaction problem. An algorithm for such problems is developed.
Privacy-preserving data linkage and geocoding: Current approaches and research directions
In Workshop on Privacy Aspects of Data Mining (PADM'06), held at IEEE ICDM'06, Hong Kong, 2006
Cited by 4 (3 self)
Abstract:
Data linkage is the task of matching and aggregating records that relate to the same entity from one or more data sets. A related technique is geocoding, the matching of addresses to their geographic locations (latitude and longitude). As data linkage is often based on personal information (like names, dates of birth, and addresses), privacy and confidentiality issues are of paramount importance, especially when linking data across organisations. In this paper we present an overview of current approaches to privacy-preserving data linkage and geocoding and discuss their limitations, and using several real-world scenarios we illustrate the significance of developing improved techniques for large scale and distributed privacy-preserving linking and geocoding. We discuss four core areas of research that need to be addressed in order to make linking and geocoding of large confidential data collections possible: secure matching techniques, automated record pair classification, scalability, and techniques that prevent re-identification of records over collections of linked data.
Cryptography Meets Voting
2005
Cited by 3 (0 self)
Abstract:
We survey the contributions of the entire theoretical computer science/cryptography community during 1975-2002 that impact the question of how to run verifiable elections with secret ballots. The approach based on homomorphic encryptions is the most successful; one such scheme is sketched in detail and argued to be feasible to implement. It is explained precisely what these ideas accomplish but also what they do not accomplish, and a short history of election fraud throughout history is included.
Secure Multi-Party Computation with Security Modules
In Proceedings of SICHERHEIT, 2004
Cited by 3 (1 self)
Abstract:
We consider the problem of secure multi-party computation (SMC) in a new model where individual processes contain a tamper-proof security module. Security modules can be trusted by other processes and can establish secure channels between each other. However, their availability is restricted by their host, i.e., a corrupted party can stop the computation of its own security module as well as drop any message sent by or to its security module. In this model we show that SMC is solvable if and only if a majority of processes is correct. We prove this by relating SMC to the problem of Uniform Interactive Consistency among security modules (a variant of the Byzantine Generals Problem from the area of fault-tolerance). The obtained solutions to SMC for the first time allow to compute any function securely with a complexity which is polynomial only in the number of processes (i.e., the complexity does not depend on the function which is computed). We conclude that adding secure hardware does not improve the resilience of SMC but can effectively improve the efficiency.