Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries
, 2013
Abstract

Cited by 29 (3 self)
In the setting of secure two-party computation, two parties wish to securely compute a joint function of their private inputs, while revealing only the output. One of the primary techniques for achieving efficient secure two-party computation is that of Yao’s garbled circuits (FOCS 1986). In the semi-honest model, where just one garbled circuit is constructed and evaluated, Yao’s protocol has proven itself to be very efficient. However, a malicious adversary who constructs the garbled circuit may construct a garbling of a different circuit computing a different function, and this cannot be detected (due to the garbling). In order to solve this problem, many circuits are sent and some of them are opened to check that they are correct while the others are evaluated. This methodology, called cut-and-choose, introduces significant overhead, both in computation and in communication, and is mainly due to the number of circuits that must be used in order to prevent cheating. In this paper, we present a cut-and-choose protocol for secure computation based on garbled circuits, with security in the presence of malicious adversaries, that vastly improves on all previous protocols of this type. Concretely, for a cheating probability of at most 2^-40, the best previous works send between 125 and 128 circuits. In contrast, in our protocol 40 circuits alone suffice (with some additional overhead). Asymptotically, we achieve a cheating probability of 2^-s where s is the number of garbled circuits, in contrast to the previous best of 2^-0.32s. We achieve this by introducing a new cut-and-choose methodology with the property that in order to cheat, all of the evaluated circuits must be incorrect, and not just the majority as in previous works. Keywords: two-party computation, Yao’s protocol, cut-and-choose, concrete efficiency
Efficient cryptographic protocol design based on distributed El Gamal encryption
 In Proceedings of 8th International Conference on Information Security and Cryptology (ICISC
, 2005
Abstract

Cited by 28 (0 self)
We propose a set of primitives based on El Gamal encryption that can be used to construct efficient multi-party computation protocols for certain low-complexity functions. In particular, we show how to privately count the number of true Boolean disjunctions of literals and pairwise exclusive disjunctions of literals. Applications include efficient two-party protocols for computing the Hamming distance of two bit strings and the greater-than function. The resulting protocols only require 6 rounds of interaction (in the random oracle model) and their communication complexity is O(kQ), where k is the length of the bit strings and Q is a security parameter. The protocols are secure against active adversaries but do not provide fairness. Security relies on the decisional Diffie-Hellman assumption, and the error probability is negligible in Q.
An Efficient Solution to the Millionaires' Problem Based on Homomorphic Encryption
 In ACNS 2005, volume 3531 of Lecture
, 2005
Abstract

Cited by 16 (0 self)
We proposed a two-round protocol for solving the Millionaires' Problem in the setting of semi-honest parties. Our protocol uses either multiplicative or additive homomorphic encryption. Previously proposed protocols used additive or XOR homomorphic encryption schemes only. The computation and communication costs of our protocol are in the same asymptotic order as those of the other efficient protocols. Nevertheless, since a multiplicative homomorphic encryption scheme is more efficient than an additive one in practice, our construction saves computation time and communication bandwidth in practical settings. In comparison with the most efficient previous solution, our protocol saves 89% computation time and 25% communication bits.
Efficiently computing private recommendations
 in Proc. Int. Conf. Acoust. Speech Signal Processing
Abstract

Cited by 15 (5 self)
Online recommender systems enable personalized service to users. The underlying collaborative filtering techniques operate on privacy-sensitive user data, which could be misused by the service provider. To protect user privacy, we propose to encrypt the data and generate recommendations by processing them under encryption. Thus, the service provider observes neither user preferences nor recommendations. The proposed method uses homomorphic encryption and secure multi-party computation (MPC) techniques, which introduce a significant overhead in computational complexity. We minimize the introduced overhead by packing data and using cryptographic protocols particularly developed for this purpose. The proposed cryptographic protocol is implemented to test its correctness and performance. Index Terms: recommender systems, privacy, secure multi-party computation, homomorphic encryption, data packing
Generating private recommendations efficiently using homomorphic encryption and data packing
 IEEE Trans. Inform. Forensics Security
, 2012
Abstract

Cited by 10 (3 self)
Recommender systems have become an important tool for personalization of online services. Generating recommendations in online services depends on privacy-sensitive data collected from the users. Traditional data protection mechanisms focus on access control and secure transmission, which provide security only against malicious third parties, but not the service provider. This creates a serious privacy risk for the users. In this paper, we aim to protect the private data against the service provider while preserving the functionality of the system. We propose encrypting private data and processing them under encryption to generate recommendations. By introducing a semi-trusted third party and using data packing, we construct a highly efficient system that does not require the active participation of the user. We also present a comparison protocol, which is the first one to the best of our knowledge, that compares multiple values that are packed in one encryption. Conducted experiments show that this work opens a door to generating private recommendations in a privacy-preserving manner. Index Terms: homomorphic encryption, privacy, recommender systems, secure multi-party computation.
Efficient committed oblivious transfer of bit strings. Information Security
, 2007
Abstract

Cited by 10 (1 self)
Oblivious transfer (OT) is a powerful primitive in modern cryptography, often used in a context of semi-honest adversaries. Committed oblivious transfer (COT) is an enhancement involving the use of commitments, which can be used in many applications of OT covering particular malicious adversarial behavior. For OT, many protocols are known that cover the transfer of bit strings rather than just single bits. For COT, though, the known protocols only cover the transfer of bits. In this paper, we thus present efficient COT protocols for transferring (long) bit strings, which perform quite well in comparison to the most efficient COT protocols for bits. We prove the security of our protocols following the simulation paradigm in the cryptographic model, also assuming the random oracle model for efficient non-interactive proofs. Also, as a motivation for the use of COT instead of OT, we point out that a protocol which uses OT as a sub-protocol may have subtle security issues in the presence of malicious adversaries.
Modulo reduction for Paillier encryptions and application to secure statistical analysis. Full version of this paper, available from the authors
, 2009
Abstract

Cited by 6 (0 self)
For the homomorphic Paillier cryptosystem we construct a protocol for secure modulo reduction that, on input of an encryption ⟦x⟧ with x of bit length ℓ_x and a public ‘modulus’ a of bit length ℓ_a, outputs an encryption ⟦x mod a⟧. As a result, a protocol for computing an encrypted integer division ⟦x div a⟧ is obtained. Surprisingly, the efficiency of the protocol is independent of ℓ_x: the broadcast complexity of the protocol varies between O(n k ℓ_a) and O(n^2 k ℓ_a), for n parties and security parameter k, and it is very efficient in the case of small ℓ_a (in practical cases ℓ_a is often much smaller than ℓ_x). Our protocol allows for efficient multi-party computation of statistics such as the mean, the variance and the median, and it is therefore very applicable to surveys for the benefit of statistical analysis.
Cryptography and the Economics of Supervisory Information: Balancing Transparency and Confidentiality
, 2013
Cryptographic asynchronous multi-party computation with optimal resilience (extended abstract)
 In Proc. EUROCRYPT ’05
, 2005
Abstract

Cited by 4 (1 self)
We consider secure multi-party computation in the asynchronous model and present an efficient protocol with optimal resilience. For n parties, up to t < n/3 of them being corrupted, and security parameter κ, a circuit with c gates can be securely computed with communication complexity O(c n^3 κ) bits. In contrast to all previous asynchronous protocols with optimal resilience, our protocol requires access to an expensive broadcast primitive only O(n) times, independently of the size c of the circuit. This results in a practical protocol with a very low communication overhead. One major drawback of a purely asynchronous network is that the inputs of up to t honest parties cannot be considered for the evaluation of the circuit. Waiting for all inputs could take infinitely long when the missing inputs belong to corrupted parties. Our protocol can easily be extended to a hybrid model, in which we have one round of synchronicity at the end of the input stage, but are fully asynchronous afterwards. In this model, our protocol allows the circuit to be evaluated on the inputs of every honest party.
Efficient Correlated Action Selection
, 2007
Abstract

Cited by 4 (0 self)
Participants in e-commerce and other forms of online collaborations tend to be selfish and rational, and therefore game theory has been recognized as particularly relevant to this area. In many common games, the joint strategy of the players is described by a list of pairs of actions, and one of those pairs is chosen according to a specified correlated probability distribution. In traditional game theory, a trusted third-party mediator carries out this random selection, and reveals to each player its recommended action. In such games that have a correlated equilibrium, each player follows the mediator’s recommendation because deviating from it cannot increase a player’s expected payoff. Dodis, Halevi, and Rabin [1] described a two-party protocol that eliminates, through cryptographic means, the third-party mediator. That protocol was designed and works well for a uniform distribution, but can be quite inefficient if applied to non-uniform distributions. Teague [2] has subsequently built on this work and extended it to the case where the probabilistic strategy no longer assigns equal probabilities to all the pairs of moves. Our present paper improves on the work of Teague by providing, for the same problem, a protocol whose worst-case complexity is exponentially better. The protocol also uses tools that are of independent interest.