Results 1 - 10 of 13
Two-Party Computing with Encrypted Data
ASIACRYPT'07, 2007
Cited by 10 (1 self)
We consider a new model for online secure computation on encrypted inputs in the presence of malicious adversaries. The inputs are independent of the circuit computed in the sense that they can be contributed by separate third parties. The model attempts to emulate as closely as possible the model of “Computing with Encrypted Data” that was put forth in 1978 by Rivest, Adleman and Dertouzos, which involved a single online message. In our model, two parties publish their public keys in an offline stage, after which any party (i.e., any of the two and any third party) can publish encryptions of their local inputs. Then, in an online stage, given any common input circuit C and its set of inputs from among the published encryptions, the first party sends a single message to the second party, who completes the computation.
Non-interactive secure computation based on cut-and-choose
EUROCRYPT 2014, volume 8441 of LNCS, 2014
Cited by 7 (3 self)
In recent years, secure two-party computation (2PC) has been demonstrated to be feasible in practice. However, all efficient general-computation 2PC protocols require multiple rounds of interaction between the two players. This property restricts 2PC to be only relevant to scenarios where both players can be simultaneously online, and where communication latency is not an issue. This work considers the model of 2PC with a single round of interaction, called Non-Interactive Secure Computation (NISC). In addition to the non-interaction property, we also consider a flavor of NISC that allows reusing the first message for many different 2PC invocations, possibly with different players acting as the player who sends the second message, similar to a public-key encryption where a single public key can be used to encrypt many different messages. We present a NISC protocol that is based on the cut-and-choose paradigm of Lindell and Pinkas (Eurocrypt 2007). This protocol achieves concrete efficiency similar to that of the best multi-round 2PC protocols based on the cut-and-choose paradigm. The protocol requires only t garbled circuits for achieving a cheating probability of 2^(-t), similar to the recent result of Lindell (Crypto 2013), but only needs a single round of interaction. To validate the efficiency of our protocol, we provide a prototype implementation of it and show experiments that confirm its competitiveness with that of the best multi-round 2PC protocols. This is the first prototype implementation of an efficient NISC protocol. In addition to our NISC protocol, we introduce a new encoding technique that significantly reduces communication in the NISC setting. We further show how our NISC protocol can be improved in the multi-round setting, resulting in a highly efficient constant-round 2PC that is also suitable for pipelined implementation.
Impossibility Results for Static Input Secure Computation
Cited by 5 (0 self)
Consider a setting of two mutually distrustful parties Alice and Bob who want to securely evaluate some function on pre-specified inputs. The well-studied notion of two-party secure computation allows them to do so in the stand-alone setting. Consider a deterministic function (e.g., 1-out-of-2 bit OT) that Alice and Bob cannot evaluate trivially and which allows only Bob to receive the output. We show that Alice and Bob cannot securely compute any such function in the concurrent setting even when their inputs are pre-specified. Our impossibility result also extends to all deterministic functions in which both Alice and Bob get the same output. Our results have implications in the bounded-concurrent setting as well. Consider a setting of two mutually distrustful parties Alice and Bob who want to securely evaluate a function f. The well-studied notion of two-party secure computation [Yao86,GMW87] allows them to do so. However, this notion is only relevant to the stand-alone setting, where security holds only if a single protocol session is executed in isolation. Additionally, these secure computation protocols are interactive and Alice and Bob
Round-optimal blind signatures
In CRYPTO 2011, volume 6841 of LNCS, 2011
Cited by 4 (0 self)
Constructing round-optimal blind signatures in the standard model has been a long-standing open problem. In particular, Fischlin and Schröder recently ruled out a large class of three-move blind signatures in the standard model (Eurocrypt’10). In particular, their result shows that finding security proofs for the well-known blind signature schemes by Chaum, and by Pointcheval and Stern, in the standard model via black-box reductions is hard. In this work we propose the first round-optimal, i.e., two-move, blind signature scheme in the standard model (i.e., without assuming random oracles or the existence of a common reference string). Our scheme relies on the Decisional Diffie-Hellman assumption and the existence of sub-exponentially hard 1-to-1 one-way functions. This scheme is also secure in the concurrent setting.
Impossibility of Blind Signatures From One-Way Permutations
Cited by 3 (2 self)
A seminal result in cryptography is that signature schemes can be constructed (in a black-box fashion) from any one-way function. The minimal assumptions needed to construct blind signature schemes, however, have remained unclear. Here, we rule out black-box constructions of blind signature schemes from one-way functions. In fact, we rule out constructions even from a random permutation oracle, and our results hold even for blind signature schemes for 1-bit messages that achieve security only against honest-but-curious behavior.
Secure Multiparty Computation Minimizing Online Rounds
Cited by 3 (0 self)
Multiparty secure computations are general and important procedures to compute any function while keeping the security of private inputs. In this work we ask whether preprocessing can allow low-latency (that is, small-round) secure multiparty protocols that are universally composable (UC). In particular, we allow any polynomial-time preprocessing as long as it is independent of the exact circuit and actual inputs of the specific instance problem to solve, with only a bound k on the number of gates in the circuits known. To address the question, we first define the model of “Multi-Party Computation on Encrypted Data” (MPCED), implicitly described in [FH96,JJ00,CDN01,DN03]. In this model, computing parties establish a threshold public key in a preprocessing stage, and only then is private data, encrypted under the shared public key, revealed. The computing parties then get the computational circuit they agree upon and evaluate the circuit on the encrypted data. The MPCED model is interesting since it is well suited for modern computing environments, where many repeated computations on overlapping data are performed.
Security of Blind Signatures Revisited
Cited by 2 (1 self)
We revisit the definition of unforgeability of blind signatures as proposed by Pointcheval and Stern (Journal of Cryptology 2000). Surprisingly, we show that this established definition falls short in two ways of what one would intuitively expect from a secure blind signature scheme: It is not excluded that an adversary submits the same message m twice for signing, and then produces a signature for m' ≠ m. The reason is that the forger only succeeds if all messages are distinct. Moreover, it is not excluded that an adversary performs k signing queries and produces signatures on k + 1 messages as long as each of these signatures does not pass verification with probability 1. Finally, we propose a new definition, honest-user unforgeability, that covers these attacks. We give a simple and efficient transformation that transforms any unforgeable blind signature scheme (with deterministic verification) into an honest-user unforgeable one.
EXPRESSIVENESS OF DEFINITIONS AND EFFICIENCY OF CONSTRUCTIONS IN COMPUTATIONAL CRYPTOGRAPHY
2007
Cited by 1 (1 self)
The computational treatment of cryptography, and indeed any scientific treatment of a problem, is marked by its definitional side and by its constructive side. Results in this thesis better our understanding of both: on one side, they characterize the extent to which computational definitions capture the security of the basic task of symmetric encryption; on the other, they provide explicit bounds on the efficiency of commitment and secure two-party computation constructions. Specifically:
• We relate the formal and computational treatments of symmetric encryption, obtaining a precise characterization of computational schemes whose computational semantics imply their formal semantics. We prove that this characterization is strictly weaker than previously identified notions, and show how it may be realized in a simpler, more efficient manner.
• We provide lower bounds on the number of times a one-way permutation needs to be invoked (as a “black box”) in order to construct statistically-binding commitments. Our bounds are tight for the case of perfectly-binding schemes.
• We show that the secure computation of any two-party functionality can be performed in an optimal two rounds of communication even in a setting that accounts for concurrent execution with other protocols (i.e., the Universal Composability framework). Here, we rely on the assumption that parties have access to a common reference string; some sort of setup is known to be necessary.
Efficient, Adaptively Secure, and Composable Oblivious Transfer with a Single, Global CRS
We present a general framework for efficient, universally composable oblivious transfer (OT) protocols in which a single, global, common reference string (CRS) can be used for multiple invocations of oblivious transfer by arbitrary pairs of parties. In addition:
• Our framework is round-efficient. E.g., under the DLIN or SXDH assumptions we achieve round-optimal protocols with static security, or 3-round protocols with adaptive security (assuming erasure).
• Our resulting protocols are more efficient than any known previously, and in particular yield protocols for string OT using O(1) exponentiations and communicating O(1) group elements.
Our result improves on that of Peikert et al. (Crypto 2008), which uses a CRS whose length depends on the number of parties in the network and achieves only static security. Compared to Garay et al. (Crypto 2009), we achieve adaptive security with better round complexity and efficiency.