## Two-Party Computing with Encrypted Data (2007)

Venue: ASIACRYPT'07

Citations: 10 (1 self)

### Citations

New directions in cryptography
- Diffie, Hellman
- 1976
- 3464 citations

Citation context: ...s $(g^r, m \cdot y^r)$ for $r \in_R [1, q]$. The decryption of a cyphertext $(\alpha, \beta)$ (denoted $D_x(\alpha, \beta)$) is $\beta/\alpha^x$. The ElGamal cryptosystem is semantically secure [18] under the Decision Diffie-Hellman (DDH) assumption [10] over $G_q$. We intensively use the multiplicative homomorphism of the ElGamal cryptosystem: $E_y(m_1) \cdot E_y(m_2) = E_y(m_1 \cdot m_2)$. Our protocol makes use of a private/public key pair $(x_A, y_A = g^{x_A})$ for Alice, as wel...

A public-key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
- 1506 citations

Citation context: ...l) < 1/|poly(l)|. To achieve non-interactive proofs in the malicious case, we also assume a random oracle for the underlying hash function. 2.1 ElGamal Cryptosystem. We employ the ElGamal cryptosystem [11] in our first construction. ElGamal encryption takes place over the group $G_q$ over which it is hard to compute discrete logarithms. Typically, $G_q$ is taken to be a subgroup of $\mathbb{Z}_p^*$, where $q \mid p - 1$, for...

Probabilistic encryption
- Goldwasser, Micali
- 1373 citations

Citation context: ...t key $x$. The encryption of a message $m$ (denoted $E_y(m)$) is $(g^r, m \cdot y^r)$ for $r \in_R [1, q]$. The decryption of a cyphertext $(\alpha, \beta)$ (denoted $D_x(\alpha, \beta)$) is $\beta/\alpha^x$. The ElGamal cryptosystem is semantically secure [18] under the Decision Diffie-Hellman (DDH) assumption [10] over $G_q$. We intensively use the multiplicative homomorphism of the ElGamal cryptosystem: $E_y(m_1) \cdot E_y(m_2) = E_y(m_1 \cdot m_2)$. Our protocol makes use o...

How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1987
- 1009 citations

Citation context: ...eference string model, the NIZK PoK of De Santis and Persiano [28] can be used, assuming a dense secure public-key encryption scheme. Under the random oracle model, the well-known Fiat-Shamir technique [14] can be used. A main primitive our work relies upon is a conditional exposure primitive we call CODE (Conditional Oblivious Decryption Exposure). CODE is a two-party non-interactive protocol, which al...

Public-key cryptosystems based on composite degree residuosity classes
- Paillier
- 1999
- 981 citations

Citation context: ...r of $G_{n'}$. For the simplified-Camenisch-Shoup (as well as the original Camenisch-Shoup), all operations take place in $\mathbb{Z}^*_{n^2}$. Note that $h$ has order $n$ and that $h^c = 1 + cn \pmod{n^2}$. The DCR assumption [23] is that given only $n$, random elements of $\mathbb{Z}^*_{n^2}$ are hard to distinguish from random elements of $P$, which is the subgroup of $\mathbb{Z}^*_{n^2}$ consisting of all $n$th powers of elements in $\mathbb{Z}^*_{n^2}$. The sCS encryption...

Efficient signature generation by smart cards
- Schnorr
- 1991
- 724 citations

Citation context: ...the prover convinces the verifier that she knows the value of $b$, such that $a = g^b$, when $a$ is known to both. We denote such proof by $PK\{b : a = g^b\}$. There are many variants on these proofs, such as in [30]. In this paper, we make use of variants in which Alice proves conjunctive statements, and statements regarding her knowledge of sets of discrete logs. See [9, 29, 5] for a description of how to ac...

How to Generate and Exchange Secrets
- Yao
- 1986
- 724 citations

Citation context: ...l vision of [24] for computing with encrypted data. If we limit the input contribution to the two parties involved, our model matches naturally the theory of general secure two-party computation (see [17, 32] and [20, 21] for some of the earliest and the latest works in this area). While it may be possible to turn many of the works on two-party computations to single message protocols (based on random ora...

How to play any mental game
- Goldreich, Micali, et al.
- 1987
- 542 citations

Citation context: ...l vision of [24] for computing with encrypted data. If we limit the input contribution to the two parties involved, our model matches naturally the theory of general secure two-party computation (see [17, 32] and [20, 21] for some of the earliest and the latest works in this area). While it may be possible to turn many of the works on two-party computations to single message protocols (based on random ora...

Proofs of partial knowledge and simplified design of witness hiding protocols
- Cramer, Damgård, et al.
- 1994
- 332 citations

Citation context: ...ny variants on these proofs, such as in [30]. In this paper, we make use of variants in which Alice proves conjunctive statements, and statements regarding her knowledge of sets of discrete logs. See [9, 29, 5] for a description of how to achieve such variants in an efficient manner. Proof of Boolean Plaintext. Let $\sigma^0 = 1$ and $\sigma^1$ represent boolean values 0 and 1, respectively. Specifically, we define $\sigma :=$...

Protecting Mobile Agents against Malicious Hosts
- Sander, Tschudin
- 1998
- 320 citations

Citation context: ...). Note that because of its essentially non-interactive nature, our model is also particularly suitable for applications involving low-latency remote executions, such as for mobile agent applications [26]. We give two protocols in this model, which differ only in the cryptographic assumptions and the communication complexity. Both protocols are secure even against malicious parties, and both allow com...

Efficient group signature schemes for large groups
- Camenisch, Stadler
- 1997
- 308 citations

Citation context: ... $\zeta = (\beta_{j,w_1}/\delta_{i,v})^e$, $y_A = g^{x_A}$, $\eta = g^{r_3}$, $\tilde{D} = z_{i,v}^{r_3} \cdot (\cdot\, \lambda_{j,w_1})^{x_A}\}$. The above proof uses proofs of knowledge of the double discrete log, which can be constructed by using Camenisch and Stadler [7]. They showed how to construct such a proof in their paper, and this costs $\Theta(\ell)$ communication complexity ($\ell$ is the security parameter). For the sCS based protocol, ZKVerify is simpler, and we do not need...

A secure and optimally efficient multi-authority election scheme
- Cramer, Gennaro, et al.
- 1997
- 300 citations

Citation context: ...anner. Proof of Boolean Plaintext. Let $\sigma^0 = 1$ and $\sigma^1$ represent boolean values 0 and 1, respectively. Specifically, we define $\sigma := g$ in ElGamal encryption while $\sigma := h$ in sCS encryption. Cramer et al. [8] showed how to prove that the plaintext of an ElGamal cyphertext $A = (\alpha, \beta)$ is Boolean, i.e., $\mathrm{Bool}(A) \stackrel{\mathrm{def}}{=} PK\{r : \alpha = g^r, (\beta = y^r \text{ or } \beta = \sigma \cdot y^r)\}$. Proof of Equality/Inequality of Boolean Plaintext. U...

Privacy preserving auctions and mechanism design
- Naor, Pinkas, et al.
- 1999
- 245 citations

Citation context: ...t of $f$. Beaver [2] extends [27] to accommodate any function in NLOGSPACE. Other reduced round secure computations (two message constructions, in fact) have been suggested by Naor, Pinkas, and Sumner [22] and by Cachin, Camenisch, Kilian, and Müller [4]. Their approaches are based on the two-party secure function evaluation scheme of Yao [32] and Goldreich, Micali, and Wigderson [17]. Recently the ar...

On data banks and privacy homomorphisms
- Rivest, Adleman, et al.
- 1977
- 193 citations

Citation context: ...t (a single message) to the owner of the public key for output decryption. This wishful single message scenario for secure computation was put forth as early as 1978 by Rivest, Adleman and Dertouzos [24]. This model is highly attractive since it represents the case where a database is first collected and maintained and only later a computation on it is decided upon and executed (i.e., data mining and...

Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security
- Sahai
- 1999
- 183 citations

Citation context: ...th their public keys. We note that both in the common reference string model and in the random oracle model, adding non-malleability to NIZK PoK [28] is simple: in the CRS model, we follow the technique of [25]; in the random oracle model, adding non-malleability to Fiat-Shamir style NIZK PoK [14] is simple: include the name of the publisher in the hash function evaluation. A corrupt Alice may cheat in the const...

Practical Verifiable Encryption and Decryption of Discrete Logarithms
- Camenisch, Shoup
- 2003
- 166 citations

Citation context: ...itz and Katz [19] gave protocols for two-party computation using Yao's garbled circuit that are secure against malicious adversaries. [20] uses a modified Camenisch-Shoup verifiable encryption scheme [6] to allow the party that sends the garbled circuit to prove its correctness. Our simplified-Camenisch-Shoup based protocol was devised by combining the ideas of our first protocol with those from [20]...

Protecting data privacy in private information retrieval schemes
- Gertner, Ishai, et al.
- 1998
- 135 citations

Citation context: ...interactive protocol, which allows Bob to learn the plaintext of a cyphertext $c$, if two other cyphertexts $a, b$ encrypt the same value. Unlike other conditional exposure primitives (e.g. Gertner et al. [16] and Aiello et al. [1]), in CODE the three cyphertexts $a, b, c$ are encrypted with a shared public key, such that third parties can contribute them, and neither Alice nor Bob alone knows anything else ab...

Priced oblivious transfer: How to sell digital goods
- Aiello, Ishai, et al.
- 2001
- 123 citations

Citation context: ...which allows Bob to learn the plaintext of a cyphertext $c$, if two other cyphertexts $a, b$ encrypt the same value. Unlike other conditional exposure primitives (e.g. Gertner et al. [16] and Aiello et al. [1]), in CODE the three cyphertexts $a, b, c$ are encrypted with a shared public key, such that third parties can contribute them, and neither Alice nor Bob alone knows anything else about the result of COD...

An efficient scheme for proving a shuffle
- Furukawa, Sako
- 2001
- 121 citations

Citation context: ... $e\}$ and denote such proof by $\mathrm{Eq}(A, A')$. To prove inequality $D_x(A) \neq D_x(A')$, we give $PK\{e : y = g^e, \mu = \nu^e\}$ and denote such proof by $\mathrm{Neq}(A, A')$. Shuffling Lists of Cyphertexts. We adopt a protocol of [15] for non-interactively proving that two lists of cyphertexts are equivalent, and that one is a permutation of the other. We denote this protocol Shuffle and note that the length of the transcript of t...

An efficient protocol for secure two-party computation in the presence of malicious adversaries
- Lindell, Pinkas
- 116 citations

Non-interactive Cryptocomputing for NC1
- Sander, Young, et al.
- 1999
- 88 citations

Citation context: ...g our results to this setting, we can have Alice and Bob encrypt their input during the off-line stage (independently of any computation); then the subsequent secure computation (or "cryptocomputing" [27]) only requires a single message per function to be computed. A similar result was previously known only for functions of restricted complexity classes (e.g., [27] show how to securely compute functio...

Algorithms for black-box fields and their application to cryptography
- Boneh, Lipton
- 1996
- 87 citations

Citation context: ...a construction that we do not have (finding such a scheme is a long-standing open problem and would have far-reaching consequences); further, we have indications such a scheme cannot be highly secure [3]. In this paper we put forth a relaxation of the above model, that relies on two-party secure computations, yet retains much of the desired properties of the original model, namely, it allows computin...

One-round secure computation and secure autonomous mobile agents
- Cachin, Camenisch, et al.
- 83 citations

Citation context: ...sible to turn many of the works on two-party computations to single message protocols (based on random oracle or non-interactive proofs), we have not seen this mentioned explicitly (the closest being [4]) or a proof of security given for it. To the best of our knowledge none of the previous garbled-circuit-based two-party secure computation results allows for data contribution by third parties (an iss...

Zero-knowledge proofs of knowledge without interaction (extended abstract)
- De Santis, Persiano
- 1992
- 69 citations

Citation context: ...or the malicious case, which can be achieved either in the common reference string model or in the random oracle model. Under the common reference string model, the NIZK PoK of De Santis and Persiano [28] can be used, assuming a dense secure public-key encryption scheme. Under the random oracle model, the well-known Fiat-Shamir technique [14] can be used. A main primitive our work relies upon is a condi...

Efficient two-party secure computation on committed inputs
- Jarecki, Shmatikov
- 2007
- 58 citations

Citation context: ...24] for computing with encrypted data. If we limit the input contribution to the two parties involved, our model matches naturally the theory of general secure two-party computation (see [17, 32] and [20, 21] for some of the earliest and the latest works in this area). While it may be possible to turn many of the works on two-party computations to single message protocols (based on random oracle or non-in...

On monotone formula closure of SZK
- De Santis, Di Crescenzo, et al.
- 1994
- 43 citations

Citation context: ...ny variants on these proofs, such as in [30]. In this paper, we make use of variants in which Alice proves conjunctive statements, and statements regarding her knowledge of sets of discrete logs. See [9, 29, 5] for a description of how to achieve such variants in an efficient manner. Proof of Boolean Plaintext. Let $\sigma^0 = 1$ and $\sigma^1$ represent boolean values 0 and 1, respectively. Specifically, we define $\sigma :=$...

Minimal-latency secure function evaluation
- Beaver
- 2000
- 22 citations

Citation context: ...ides it) within her transcript, and information theoretic security is achieved with respect to Bob. This is to say that Bob learns no information whatever about $s_A$ apart from the output of $f$. Beaver [2] extends [27] to accommodate any function in NLOGSPACE. Other reduced round secure computations (two message constructions, in fact) have been suggested by Naor, Pinkas, and Sumner [22] and by Cachin,...

Open questions, talk abstracts and summary of discussions
- Feigenbaum, Merritt
- 1991
- 22 citations

Citation context: ..., Adleman, and Dertouzos [24] offer perhaps the first proposal for the study of blind computation on cyphertexts, considering them as a primitive for private data manipulation. Feigenbaum and Merritt [13] subsequently urged more focused investigation on cryptosystems with algebraic homomorphisms. The term "CryptoComputing" and the first non-trivial instantiation originated with Sander, Young, and Yung...

Holographic circuits
- Valiant
- 2005
- 16 citations

Citation context: ...ob computes $\hat{C}$ on the committed inputs. Note that since we deal with any polynomial-size function (or circuit), we can have some of the data encode circuits and the on-line circuit be a universal one [31]. We give two protocols that are secure within this model. The first is based on the traditional and quite minimal DDH assumption and uses ElGamal encryption, and the other is based on the DCR assumpt...

On-line/off-line digital schemes
- Even, Goldreich, et al.
- 1990
- 12 citations

Citation context: ...ck to the notion of Off-line On-line Signature of Even, Goldreich and Micali, where they minimized the amount of computation of a signature at the on-line stage (after a message is given as an input) [12]. 1.1 Our Model and Results. As outlined above, we propose the off-line/on-line model for crypto-computing using a single message (and thus optimal round complexity) for the on-line stage. For $k \geq 2$,...

Universally-composable two-party computation in two rounds
- Horvitz, Katz
- 2007
- 12 citations

Citation context: ...]. Recently the area of robust two-party computations in constant rounds has gained some attention. Specifically, the works of Jarecki and Shmatikov [20], Lindell and Pinkas [21] and Horvitz and Katz [19] gave protocols for two-party computation using Yao's garbled circuit that are secure against malicious adversaries. [20] uses a modified Camenisch-Shoup verifiable encryption scheme [6] to allow the ...

Proving that a number is the product of two safe primes
- Camenisch, Michels
- 5 citations

Citation context: ...ny variants on these proofs, such as in [30]. In this paper, we make use of variants in which Alice proves conjunctive statements, and statements regarding her knowledge of sets of discrete logs. See [9, 29, 5] for a description of how to achieve such variants in an efficient manner. Proof of Boolean Plaintext. Let $\sigma^0 = 1$ and $\sigma^1$ represent boolean values 0 and 1, respectively. Specifically, we define $\sigma :=$...

Protecting mobile agents against malicious hosts
- Sander, Tschudin
- 1998
- 5 citations