Results 11-20 of 125
Efficient Two-Party Secure Computation on Committed Inputs
In EUROCRYPT, 2007
Cited by 60 (2 self)
Abstract. We present an efficient construction of Yao's "garbled circuits" protocol for securely computing any two-party circuit on committed inputs. The protocol is secure in a universally composable way in the presence of malicious adversaries under the decisional composite residuosity (DCR) and strong RSA assumptions, in the common reference string model. The protocol requires a constant number of rounds (four-five in the standard model, two-three in the random oracle model, depending on whether both parties receive the output), O(C) modular exponentiations per player, and a bandwidth of O(C) group elements, where C is the size of the computed circuit. Our technical tools are of independent interest. We propose a homomorphic, semantically secure variant of the Camenisch-Shoup verifiable cryptosystem, which uses shorter keys, is unambiguous (it is infeasible to generate two keys which successfully decrypt the same ciphertext), and allows efficient proofs that a committed plaintext is encrypted under a committed key. Our second tool is a practical four-round (two-round in ROM) protocol for committed oblivious transfer on strings (string-COT) secure against malicious participants. The string-COT protocol takes a few exponentiations per player, and is UC-secure under the DCR assumption in the common reference string model. Previous protocols of comparable efficiency achieved either committed OT on bits, or standard (non-committed) OT on strings.
Improved Garbled Circuit Building Blocks and Applications to Auctions and Computing Minima
In Cryptology and Network Security (CANS), 2009
Cited by 56 (8 self)
Abstract. We consider generic Garbled Circuit (GC)-based techniques for Secure Function Evaluation (SFE) in the semi-honest model. We describe efficient GC constructions for addition, subtraction, multiplication, and comparison functions. Our circuits for subtraction and comparison are approximately two times smaller (in terms of garbled tables) than previous constructions. This implies corresponding computation and communication improvements in SFE of functions using our efficient building blocks. The techniques rely on the recently proposed "free XOR" GC technique. Further, we present concrete and detailed improved GC protocols for the problem of secure integer comparison, and related problems of auctions, minimum selection, and minimal distance. Performance improvement comes both from building on our efficient basic blocks and from several problem-specific GC optimizations. We provide a precise cost evaluation of our constructions, which serves as a baseline for future protocols.
Selective private function evaluation with applications to private statistics
In Proceedings of the Twentieth ACM Symposium on Principles of Distributed Computing (PODC), 2001
Cited by 56 (9 self)
Motivated by the application of private statistical analysis of large databases, we consider the problem of selective private function evaluation (SPFE). In this problem, a client interacts with one or more servers holding copies of a database z = z_1, ..., z_n, in order to compute f(z_{i_1}, ..., z_{i_m}), for some function f and indices i = i_1, ..., i_m chosen by the client. Ideally, the client must learn nothing more about the database than f(z_{i_1}, ..., z_{i_m}), and the servers should learn nothing. Generic solutions for this problem, based on standard techniques for secure function evaluation, incur communication complexity that is at least linear in n, making them prohibitive for large databases even when f is relatively simple and m is small. We present various approaches for constructing sublinear-communication SPFE protocols, both for the general problem and for special cases of interest. Our solutions not only offer sublinear communication complexity, but are also practical in many scenarios.
Implementing Two-Party Computation Efficiently with Security Against Malicious Adversaries
6th Conf. on Security and Cryptography for Networks (SCN), Springer-Verlag LNCS 5229, 2008
Cited by 54 (8 self)
Abstract. We present an implementation of the protocol of Lindell and Pinkas for secure two-party computation which is secure against malicious adversaries [13]. This is the first running system which provides security against malicious adversaries according to a rigorous security definition and without using the random oracle model. We ran experiments showing that the protocol is practical. In addition we show that there is little benefit in replacing subcomponents secure in the standard model with those which are only secure in the random oracle model. Throughout we pay particular attention to using the most efficient subcomponents in the protocol, and we select parameters for the encryption schemes, commitments and oblivious transfers which are consistent with a security level equivalent to AES-128.
Verifiable homomorphic oblivious transfer and private equality test
In Proc. of Asiacrypt, 2003
Cited by 43 (2 self)
Abstract. We describe a slightly modified version (that we call the HOT protocol) of the Aiello-Ishai-Reingold oblivious transfer protocol from Eurocrypt 2001. In particular, the HOT protocol will be what we call weakly secure when coupled with many different homomorphic semantically secure public-key cryptosystems. Based on the HOT protocol, we construct an efficient verifiable oblivious transfer protocol and an efficient verifiable private equality test. As a concrete application of our results, we propose a novel protocol called proxy verifiable private equality test, and apply it to a cryptographic auction scheme to improve its security.
Finding collisions in interactive protocols: A tight lower bound on the round complexity of statistically-hiding commitments
In Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science, 2007
Cited by 42 (13 self)
We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fully-black-box construction of a statistically-hiding commitment scheme from one-way permutations, and even from trapdoor permutations. This lower bound matches the round complexity of the statistically-hiding commitment scheme due to Naor, Ostrovsky, Venkatesan and Yung (CRYPTO '92). As a corollary, we derive similar tight lower bounds for several other cryptographic protocols, such as single-server private information retrieval, interactive hashing, and oblivious transfer that guarantees statistical security for one of the parties. Our techniques extend the collision-finding oracle due to Simon (EUROCRYPT '98) to the setting of interactive protocols (our extension also implies an alternative proof for the main property of the original oracle). In addition, we substantially extend the reconstruction paradigm of Gennaro and Trevisan (FOCS '00). In both cases, our extensions are quite delicate and may be found useful in proving additional black-box separation results.
Single Database Private Information Retrieval with Logarithmic Communication
2004
Cited by 41 (0 self)
In this paper, we study the problem of single database private information retrieval, and present schemes with only logarithmic server-side communication complexity. Previously the best result could only achieve polylogarithmic communication, and was based on certain less well-studied assumptions in number theory [CMS99]. In contrast, our construction is based on Paillier's cryptosystem [P99], which along with its variants has drawn extensive study in recent cryptographic research [PP99, G00, CGGN01, DJ01, CGG02, CNS02, ST02, GMMV03, KT03], and has many important applications (e.g., the Cramer-Shoup CCA2 encryption scheme in the standard model [CS02]).
Efficiency Tradeoffs for Malicious Two-Party Computation
In the 9th PKC conference, Springer-Verlag (LNCS 3958), 2006
Cited by 40 (4 self)
Abstract. We study efficiency tradeoffs for secure two-party computation in the presence of malicious behavior. We investigate two main approaches for defending against malicious behavior in Yao's garbled circuit method: (1) the Committed-input scheme, (2) the Equality-checker scheme. We provide asymptotic and concrete analysis of the communication and computation costs of the designed protocols. We also develop a weaker definition of security (the k-leaked model) for malicious two-party computation that allows for disclosure of some information to a malicious party. We design more efficient variations of Yao's protocol that are secure in the proposed model. Keywords: secure two-party computation, secure function evaluation, Yao's garbled circuit, malicious adversary.
Simulatable adaptive oblivious transfer
In EUROCRYPT, 2007
Cited by 35 (1 self)
We study an adaptive variant of oblivious transfer in which a sender has N messages, of which a receiver can adaptively choose to receive k, one after the other, in such a way that (a) the sender learns nothing about the receiver's selections, and (b) the receiver only learns about the k requested messages. We propose two practical protocols for this primitive that achieve a stronger security notion than previous schemes with comparable efficiency. In particular, by requiring full simulatability for both sender and receiver security, our notion prohibits a subtle selective-failure attack not addressed by the security notions achieved by previous practical schemes. Our first protocol is a very efficient generic construction from unique blind signatures in the random oracle model. The second construction does not assume random oracles, but achieves remarkable efficiency with only a constant number of group elements sent during each transfer. This second construction uses novel techniques for building efficient simulatable protocols.
Evaluating branching programs on encrypted data
In TCC 2007, 2007
Cited by 33 (1 self)
Abstract. We present a public-key encryption scheme with the following properties. Given a branching program P and an encryption c of an input x, it is possible to efficiently compute a succinct ciphertext c' from which P(x) can be efficiently decoded using the secret key. The size of c' depends polynomially on the size of x and the length of P, but does not further depend on the size of P. As interesting special cases, one can efficiently evaluate finite automata, decision trees, and OBDDs on encrypted data, where the size of the resulting ciphertext c' does not depend on the size of the object being evaluated. These are the first general representation models for which such a feasibility result is shown. Our main construction generalizes the approach of Kushilevitz and Ostrovsky (FOCS 1997) for constructing single-server Private Information Retrieval protocols. We also show how to strengthen the above so that c' does not contain additional information about P (other than P(x) for some x) even if the public key and the ciphertext c are maliciously formed. This yields a two-message secure protocol for evaluating a length-bounded branching program P held by a server on an input x held by a client. A distinctive feature of this protocol is that it hides the size of the server's input P from the client. In particular, the client's work is independent of the size of P.