Faster Secure Two-Party Computation Using Garbled Circuits
In USENIX Security Symposium, 2011
Cited by 121 (22 self)
Secure two-party computation enables two parties to evaluate a function cooperatively without revealing to either party anything beyond the function's output. The garbled-circuit technique, a generic approach to secure two-party computation for semi-honest participants, was developed by Yao in the 1980s, but has been viewed as being of limited practical significance due to its inefficiency. We demonstrate several techniques for improving the running time and memory requirements of the garbled-circuit technique, resulting in an implementation of generic secure two-party computation that is significantly faster than any previously reported while also scaling to arbitrarily large circuits. We validate our approach by demonstrating secure computation of circuits with over 10^9 gates at a rate of roughly 10 µs per garbled gate, and showing order-of-magnitude improvements over the best previous privacy-preserving protocols for computing Hamming distance, Levenshtein distance, Smith-Waterman genome alignment, and AES.
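The abstract above names Yao's garbled-circuit technique without showing it. The following is an added illustration written for this listing, not code from the paper or its implementation: a minimal semi-honest garbled-circuit run for a 2-bit comparison x > y, using the standard point-and-permute trick (each wire label carries a pointer bit that selects one row of the garbled table). Assumptions of the example: SHA-256 is treated as a random oracle for row encryption, the circuit and wire numbering are constructed here, and the 1-out-of-2 oblivious transfer that gives the evaluator its input labels is replaced by an ideal stand-in (`ideal_ot`) rather than a real OT protocol.

```python
import hashlib
import secrets

LABEL_BYTES = 16  # wire-label length; 128-bit labels are the usual choice


def wire_labels():
    """Two random labels for one wire, each tagged with a point-and-permute
    bit; the bit of label 1 is the complement of the bit of label 0."""
    p0 = secrets.randbits(1)
    return {0: (secrets.token_bytes(LABEL_BYTES), p0),
            1: (secrets.token_bytes(LABEL_BYTES), 1 - p0)}


def row_pad(ku, kv, gate_id):
    """Key derivation for one garbled-table row (SHA-256 modelled as a random
    oracle; an assumption of this example, not a claim about the paper)."""
    return hashlib.sha256(ku + kv + gate_id.to_bytes(4, "big")).digest()[:LABEL_BYTES + 1]


def xor_bytes(x, y):
    return bytes(a ^ b for a, b in zip(x, y))


def garble_gate(gate_id, func, in_u, in_v, out_w):
    """Garbled table of a 2-input gate: row (pu, pv) holds the output label
    for the input pair whose labels carry pointer bits pu, pv."""
    table = [None] * 4
    for a in (0, 1):
        for b in (0, 1):
            ku, pu = in_u[a]
            kv, pv = in_v[b]
            kw, pw = out_w[func(a, b)]
            table[2 * pu + pv] = xor_bytes(kw + bytes([pw]), row_pad(ku, kv, gate_id))
    return table


def eval_gate(gate_id, table, lab_u, lab_v):
    """Evaluator decrypts exactly one row, selected by the pointer bits,
    and learns only the output label (and its pointer bit)."""
    ku, pu = lab_u
    kv, pv = lab_v
    plain = xor_bytes(table[2 * pu + pv], row_pad(ku, kv, gate_id))
    return plain[:LABEL_BYTES], plain[LABEL_BYTES]


# Circuit for 2-bit comparison x > y (constructed for this example).
# Wires 0,1 = x0,x1 (garbler's input); wires 2,3 = y0,y1 (evaluator's input).
# Gate tuple: (gate_id, truth function, in_u, in_v, out_w).
GATES = [
    (0, lambda a, b: a & (1 - b), 1, 3, 4),   # x1 AND NOT y1
    (1, lambda a, b: 1 - (a ^ b), 1, 3, 5),   # x1 XNOR y1
    (2, lambda a, b: a & (1 - b), 0, 2, 6),   # x0 AND NOT y0
    (3, lambda a, b: a & b,       5, 6, 7),   # x1 == y1 AND x0 > y0
    (4, lambda a, b: a | b,       4, 7, 8),   # OR of the two cases
]
NUM_WIRES, OUTPUT_WIRE = 9, 8


def garbler(x):
    """Garbler side: labels for every wire, garbled tables, its own input
    labels, and the decoding map (pointer bit -> plaintext bit) for the output wire."""
    wires = {w: wire_labels() for w in range(NUM_WIRES)}
    tables = {gid: garble_gate(gid, f, wires[u], wires[v], wires[w])
              for gid, f, u, v, w in GATES}
    x_labels = {0: wires[0][x & 1], 1: wires[1][(x >> 1) & 1]}
    decode = {wires[OUTPUT_WIRE][bit][1]: bit for bit in (0, 1)}
    return tables, x_labels, wires, decode


def ideal_ot(pair, choice):
    """Stand-in for 1-out-of-2 oblivious transfer (assumption): the evaluator
    obtains the label for its input bit and nothing about the other label."""
    return pair[choice]


def evaluator(tables, x_labels, y_labels, decode):
    """Evaluator side: walks the gates in topological order on labels only."""
    known = {**x_labels, **y_labels}
    for gid, _, u, v, w in GATES:
        known[w] = eval_gate(gid, tables[gid], known[u], known[v])
    return decode[known[OUTPUT_WIRE][1]]


def secure_greater_than(x, y):
    """Full semi-honest run: 1 iff x > y for 2-bit x (garbler) and y (evaluator)."""
    tables, x_labels, wires, decode = garbler(x)
    y_labels = {2: ideal_ot(wires[2], y & 1), 3: ideal_ot(wires[3], (y >> 1) & 1)}
    return evaluator(tables, x_labels, y_labels, decode)


if __name__ == "__main__":
    for x in range(4):
        print(x, [secure_greater_than(x, y) for y in range(4)])
```

The evaluator never sees a plaintext bit on any internal wire: it only ever holds one of the two labels per wire, and the pointer bits are random, so they leak nothing. Each gate costs four encrypted rows and one hash on the evaluator's side, which is the per-gate cost the abstract's "µs per garbled gate" figure refers to before the paper's optimisations.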
Secure multiparty computation of approximations
2001
Cited by 108 (25 self)
Approximation algorithms can sometimes provide efficient solutions when no efficient exact computation is known. In particular, approximations are often useful in a distributed setting where the inputs are held by different parties and may be extremely large. Furthermore, for some applications, the parties want to compute a function of their inputs securely, without revealing more information than necessary. In this work we study the question of simultaneously addressing the above efficiency and security concerns via what we call secure approximations. We start by extending standard definitions of secure (exact) computation to the setting of secure approximations. Our definitions guarantee that no additional information is revealed by the approximation beyond what follows from the output of the function being approximated. We then study the complexity of specific secure approximation problems. In particular, we obtain a sublinear-communication protocol for securely approximating the Hamming distance and a polynomial-time protocol for securely approximating the permanent and related #P-hard problems.
Simulatable adaptive oblivious transfer
In EUROCRYPT, 2007
Cited by 35 (1 self)
We study an adaptive variant of oblivious transfer in which a sender has N messages, of which a receiver can adaptively choose to receive k one after the other, in such a way that (a) the sender learns nothing about the receiver's selections, and (b) the receiver only learns about the k requested messages. We propose two practical protocols for this primitive that achieve a stronger security notion than previous schemes with comparable efficiency. In particular, by requiring full simulatability for both sender and receiver security, our notion prohibits a subtle selective-failure attack not addressed by the security notions achieved by previous practical schemes. Our first protocol is a very efficient generic construction from unique blind signatures in the random oracle model. The second construction does not assume random oracles, but achieves remarkable efficiency with only a constant number of group elements sent during each transfer. This second construction uses novel techniques for building efficient simulatable protocols.
Efficient Privacy-Preserving Biometric Identification
Cited by 31 (8 self)
We present an efficient matching protocol that can be used in many privacy-preserving biometric identification systems in the semi-honest setting. Our most general technical contribution is a new backtracking protocol that uses the byproduct of evaluating a garbled circuit to enable efficient oblivious information retrieval. We also present a more efficient protocol for computing the Euclidean distances of vectors, and optimized circuits for finding the closest match between a point held by one party and a set of points held by another. We evaluate our protocols by implementing a practical privacy-preserving fingerprint matching system.
Oblivious Polynomial Evaluation
SIAM J. Comput., 2006
Cited by 26 (2 self)
Oblivious polynomial evaluation is a protocol involving two parties, a sender whose input is a polynomial P, and a receiver whose input is a value α. At the end of the protocol the receiver learns P(α) and the sender learns nothing. We describe efficient constructions for this protocol, which are based on new intractability assumptions that are closely related to noisy polynomial reconstruction. Oblivious polynomial evaluation can be used as a primitive in many applications. We describe several such applications, including protocols for private comparison of data, for mutually authenticated key exchange based on (possibly weak) passwords, and for anonymous coupons.
Secure Hamming Distance Based Computation and Its Applications
Cited by 18 (1 self)
This paper examines secure two-party computation of functions which depend only on the Hamming distance of the inputs of the two parties. We present efficient protocols for computing these functions. In particular, we present protocols which are secure in the sense of full simulatability against malicious adversaries. We show different applications of this family of functions, including a protocol we call m-point-SPIR, which is an efficient variant of symmetric private information retrieval (SPIR). It can be used if the server's database contains N entries, at most N / log N of which have individual values, and the rest are set to some default value. This variant of PIR is unique since it can be based on the existence of OT alone.
Secure multiparty computation of boolean circuits with applications to privacy in online marketplaces
In Cryptology ePrint Archive, Report 2011/257, 2011. Available at http://eprint.iacr.org/2011/257
Cited by 12 (1 self)
Protocols for generic secure multi-party computation (MPC) generally come in two forms: they either represent the function being computed as a boolean circuit, or as an arithmetic circuit over a large field. Either type of protocol can be used for any function, but the choice of which protocol to use can have a significant impact on efficiency. The magnitude of the effect, however, has never been quantified. With this in mind, we implement the MPC protocol of Goldreich, Micali, and Wigderson [13], which uses a boolean representation and is secure against a semi-honest adversary corrupting any number of parties. We then consider applications of secure MPC in online marketplaces, where customers select resources advertised by providers and it is desired to ensure privacy to the extent possible. Problems here are more naturally formulated in terms of boolean circuits, and we study the performance of our MPC implementation relative to existing ones that use an arithmetic-circuit representation. Our protocol easily handles tens of customers/providers and thousands of resources, and outperforms existing implementations including FairplayMP [3], VIFF [11], and SEPIA [7].
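The Goldreich-Micali-Wigderson (GMW) protocol the abstract refers to evaluates a boolean circuit over XOR-shared bits: XOR and NOT gates are free (local), and every AND gate costs one oblivious transfer between each pair of parties. The block below is an added two-party illustration written for this listing, not the paper's multi-party implementation: it shares each input bit between two parties, evaluates a constructed 2-bit equality circuit gate by gate, and reconstructs the output. The 1-out-of-4 OT inside the AND gate is an ideal stand-in (`ot_1_of_4`), an assumption of the example rather than a real OT protocol, and security is semi-honest only.

```python
import secrets

# Circuit for 2-bit equality: eq = NOT(x0 XOR y0) AND NOT(x1 XOR y1)
# (constructed for this example). Wires 0,1 = x0,x1 (P0's input);
# wires 2,3 = y0,y1 (P1's input). Gate tuple: (op, in_a, in_b, out);
# NOT uses only in_a.
GATES = [
    ("XOR", 0, 2, 4),
    ("NOT", 4, None, 5),
    ("XOR", 1, 3, 6),
    ("NOT", 6, None, 7),
    ("AND", 5, 7, 8),
]
OUTPUT_WIRE = 8


def share_bit(bit):
    """Additive (XOR) secret sharing of one bit: returns (own share, other's share)."""
    s0 = secrets.randbits(1)
    return s0, bit ^ s0


def ot_1_of_4(messages, choice):
    """Stand-in for 1-out-of-4 oblivious transfer (assumption): the receiver
    learns messages[choice] and nothing else; the sender learns nothing."""
    return messages[choice]


def and_gate(a0, b0, a1, b1):
    """GMW AND gate on shares: returns (c0, c1) with c0 ^ c1 == (a0^a1) & (b0^b1).

    P0 (holding shares a0, b0) is the OT sender; P1 (holding a1, b1) is the receiver.
    """
    r = secrets.randbits(1)  # P0's fresh random output share
    # For every possible pair of P1's shares, the value that, XORed with r,
    # equals the product of the reconstructed bits. P1 receives only its own row.
    table = {(x, y): r ^ ((a0 ^ x) & (b0 ^ y)) for x in (0, 1) for y in (0, 1)}
    c1 = ot_1_of_4(table, (a1, b1))
    return r, c1


def evaluate_shared(gates, shares0, shares1):
    """Evaluate the circuit on XOR-shares held by P0 and P1.
    XOR and NOT need no communication; AND consumes one OT."""
    ots_used = 0
    for op, a, b, out in gates:
        if op == "XOR":
            shares0[out] = shares0[a] ^ shares0[b]
            shares1[out] = shares1[a] ^ shares1[b]
        elif op == "NOT":
            shares0[out] = shares0[a] ^ 1  # exactly one party flips its share
            shares1[out] = shares1[a]
        elif op == "AND":
            shares0[out], shares1[out] = and_gate(shares0[a], shares0[b],
                                                  shares1[a], shares1[b])
            ots_used += 1
        else:
            raise ValueError("unknown gate %r" % op)
    return ots_used


def secure_equal(x, y):
    """Full run: 1 iff x == y for 2-bit x (held by P0) and y (held by P1)."""
    shares0, shares1 = {}, {}
    for wire, bit in ((0, x & 1), (1, (x >> 1) & 1)):
        shares0[wire], shares1[wire] = share_bit(bit)  # P0 shares its bits
    for wire, bit in ((2, y & 1), (3, (y >> 1) & 1)):
        shares1[wire], shares0[wire] = share_bit(bit)  # P1 shares its bits
    evaluate_shared(GATES, shares0, shares1)
    # Output reconstruction: both parties reveal their share of the output wire only.
    return shares0[OUTPUT_WIRE] ^ shares1[OUTPUT_WIRE]


if __name__ == "__main__":
    for x in range(4):
        print(x, [secure_equal(x, y) for y in range(4)])
```

Because P1 receives r XOR product where r is fresh and uniform, its view of every AND gate is a random bit, and P0's view is empty (the OT hides P1's choice); this is the property that makes the number of AND gates, not the total gate count, the cost driver for a boolean-circuit MPC, which is the comparison the abstract sets up against arithmetic-circuit protocols.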
Generalized oblivious transfer by secret sharing
Des. Codes Cryptography
Cited by 9 (0 self)
The notion of Generalized Oblivious Transfer (GOT) was introduced by Ishai and Kushilevitz in [12]. In a GOT protocol, Alice holds a set U of messages. A decreasing monotone collection of subsets of U defines the retrieval restrictions. Bob is allowed to learn any permissible subset of messages from that collection, but nothing else, while Alice must remain oblivious regarding the selection that Bob made. We propose a simple and efficient GOT protocol that employs secret sharing. We compare it to another secret-sharing-based solution for that problem that was recently proposed in [18]. In particular, we show that the access structures that are realized by the two solutions are related through a duality-type relation that we introduce here. We show that there are examples which favor our solution over the second one, while in other examples the contrary holds. Two applications of GOT are considered: priced oblivious transfer, and oblivious evaluation of multivariate polynomials.
An Asymmetric Fingerprinting Scheme based on Tardos Codes
Cited by 6 (0 self)
Asymmetric fingerprinting protocols are designed to prevent an untrustworthy Provider from incriminating an innocent Buyer. These protocols enable the Buyer to generate their own fingerprint by themselves, and ensure that the Provider never has access to the Buyer's copy of the Work. Until recently, such protocols were not practical because the collusion-resistant codes they rely on were too long. However, the advent of Tardos codes means that probabilistic collusion-resistant codes are now sufficiently short that asymmetric fingerprint codes should, in theory, be practical. Unfortunately, previous asymmetric fingerprinting protocols cannot be directly applied to Tardos codes, because generation of the Tardos codes depends on a secret vector that is only known to the Provider. This knowledge allows an untrustworthy Provider to attack traditional asymmetric fingerprinting protocols. We describe this attack, and then propose a new asymmetric fingerprinting protocol, specifically designed for Tardos codes.