SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a
|
|
- Dustin Williams
- 5 years ago
- Views:
Transcription
1 SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a Ronald Cramer 1 Ivan Damgård 2 Daniel Escudero 2 Peter Scholl 2 Chaoping Xing 3 August 21, CWI, Amsterdam 2 Aarhus University, Denmark 3 Nanyang Technological University, Singapore a Supported by the European Research Council (ERC); the European Union s Horizon 2020 research and innovation programme; the European Union s Horizon 2020 research and innovation programme and the Danish Independent Research Council.
2 Introduction
3 MPC Alice Bob Trusted Party Charlie Dave 1
4 MPC Alice x 1 x 2 Trusted Party Bob x 3 x 4 Charlie Dave 1
5 MPC Alice z z x 1 x 2 Trusted Party Bob x 3 x 4 z z Charlie Dave 1
6 MPC Alice Bob Trusted Party Charlie Dave 1
7 Many different approaches Circuits over F 2 Garbled Circuits BMR GMW Circuits over F p BGW BeDOZa SPDZ MASCOT 2
8 Many different approaches Circuits over F 2 Garbled Circuits BMR GMW Circuits over F p BGW BeDOZa SPDZ MASCOT Few works address circuits over Z 2 k with active security 2
9 Why should we care about computation modulo 2k? Closer to standard CPUs Efficiency improvement Simple compilation of existing 32/64-bit code into arithmetic circuits. Simplified implementations 3
10 Why should we care about computation modulo 2k? Closer to standard CPUs Efficiency improvement Simple compilation of existing 32/64-bit code into arithmetic circuits. Simplified implementations Completeness result Filling a gap in the theory of MPC Just for fun! 3
11 Some works on this direction Cramer et al, EUROCRYPT 2003 Actively secure MPC over black-box rings Mostly a feasibility result, honest majority Bogdanov et al, ESORICS 2008 (Sharemind); Araki et al, CCS 2016 Computation over Z 2 k Passive security, n = 3 and t = 1 Damgård, Orlandi, Simkin, CRYPTO 2018 Compiler from passive to active security for arbitrary rings Small number of corruptions 4
12 Why is it so difficult? Pratical protocols use information-theoretic MACs over finite fields. Problems with Z 2 k Zero-divisors! Non-invertible elements! x, y is not a 2-universal hash function! Open problem Design an efficient homomorphic authentication scheme modulo 2 k 5
13 Our contributions 1. A new additively homomorphic authentication scheme over Z 2 k Efficient Number-theoretic tricks Fine-grained analysis of batch-checking 6
14 Our contributions 1. A new additively homomorphic authentication scheme over Z 2 k Efficient Number-theoretic tricks Fine-grained analysis of batch-checking 2. Triples generation Communication complexity: O((k + s) 2 ) bits per multiplication gate. Roughly twice the communication cost of MASCOT 6
15 Our contributions 1. A new additively homomorphic authentication scheme over Z 2 k Efficient Number-theoretic tricks Fine-grained analysis of batch-checking 2. Triples generation Communication complexity: O((k + s) 2 ) bits per multiplication gate. Roughly twice the communication cost of MASCOT 3. A protocol for MPC over Z 2 k O( C n) operations over Z 2 k+s Amortized communication complexity of online phase: O( C k) bits 6
16 SPDZ
17 Additive Secret sharing with MACs We denote by [x] the following x i = x. α i = α, where α is a random global key m i = α x. P i has x i, α i, m i 7
18 Additive Secret sharing with MACs We denote by [x] the following x i = x. α i = α, where α is a random global key m i = α x. P i has x i, α i, m i Important! [x + y] = [x] + [y], [c x] = c [x] and [x + c] = [x] + c can be computed locally. 7
19 Secure computation with preprocessing Input phase [x i ] = (x i r i ) +[r }{{} i ] open where x i are the inputs and (r i, [r i ]) is preprocessed. Addition gates [x + y] = [x] + [y] Multiplication gates [x y] = [c] + (x a) [b] + (y b) [a] + (x a) (y b) }{{}}{{}}{{}}{{} open open open open where ([a], [b], [c]) is preprocessed with c = a b. 8
20 Reconstruction of [x] x 1 x 2 Alice x 3 x 4 Bob Charlie Dave n i=1 x i = x 9
21 Reconstruction of [x] x 1 x 2 z 1 = m 1 α 1 x z 2 = m 2 α 2 x Alice x 3 x 4 Bob Alice z 3 = m 3 α 3 x Bob z 4 = m 4 α 4 x Charlie Dave Charlie Dave n i=1 x i = x Check that n i=1 z i = 0 9
22 Security Analysis Adversarial behavior can cause: x = x + δ and z = z + with δ 0. Adversary knows and δ such that δ α =. The adversary guesses α = δ 1 Probability at most 1/ F 10
23 Security Analysis Adversarial behavior can cause: x = x + δ and z = z + with δ 0. Adversary knows and δ such that δ α =. The adversary guesses α = δ 1 Probability at most 1/ F This does not work modulo 2 k The equation α δ mod 2 k can be satisfied with high probability Main problem: δ may not be invertible modulo 2 k. For instance: δ = 2 k 1 and = 0 10
24 SPDZ 2 k
25 Our solution The computation is done in Z 2 k+s but correctness is only guaranteed modulo 2 k 11
26 Our solution The computation is done in Z 2 k+s but correctness is only guaranteed modulo 2 k To share x Z 2 k : We denote by [x] the following x i k+s x with x k x α i k+s α, where α Z 2 s global key m i k+s α x. is a random P i has x i, α i, m i Z 2 k+s x y mod 2 l will be abbreviated by x l y 11
27 k + s k+s x 1 x 2 x n x 12
28 s k + s k+s x k x 1 x 2 x n x 12
29 Security Analysis 13
30 Security Analysis There is an error x = x + δ with δ k 0 13
31 Security Analysis There is an error x = x + δ with δ k 0 The check passes α δ k+s 13
32 k + s k+s α δ 14
33 k + s k+s v < k 0 0 α δ 14
34 k + s k+s v (k + s) v > s α δ 2 v 2 v 14
35 (k + s) v > s k+s v α ( δ 2 v ) 1 2 v 14
36 Security Analysis There is an error x = x + δ with δ k 0 The check passes α δ k+s 15
37 Security Analysis There is an error x = x + δ with δ k 0 The check passes α δ k+s α δ 2 v k+s v 2 v where v is the largest integer such that 2 v δ (we have that v < k) But δ/2 v ( is odd! So we can invert: α δ ) 1 k+s v 2 v 2 v Therefore, the adversary knows the last k + s v bits of α, which happens with probability at most 2 v k s < 2 s. 15
38 SPDZ 2 k: Protocol overview Offline phase (preprocessing) 1. Random authenticated values 2. Multiplication triples 3. Generate shares of MAC key and shares of MACked values Online phase 1. Distribute inputs 2. Compute shares of the values on the circuit 3. Check correctness of the opened values using their MACs Checking individual MACs Batch MAC-checking 16
39 SPDZ 2 k: Protocol overview Offline phase (preprocessing) 1. Random authenticated values 2. Multiplication triples 3. Generate shares of MAC key and shares of MACked values Online phase 1. Distribute inputs 2. Compute shares of the values on the circuit 3. Check correctness of the opened values using their MACs Checking individual MACs Batch MAC-checking 16
40 Batch MAC-checking
41 Motivation Many values are opened... it is expensive to check each one of them! 17
42 Motivation Many values are opened... it is expensive to check each one of them! Typical solution over fields To check correctness of x 1,..., x t, only check correctness of x = i r i x i. Individual errors δ i get aggregated δ = i r i δ i δ i 0 for at least one i implies δ 0 with high probability 17
43 Motivation Many values are opened... it is expensive to check each one of them! Typical solution over fields To check correctness of x 1,..., x t, only check correctness of x = i r i x i. Individual errors δ i get aggregated δ = i r i δ i δ i 0 for at least one i implies δ 0 with high probability Key idea for SPDZ 2 k Do the same! (analysis gets tricky...) 17
44 Batch MAC-checking in SPDZ 2 k Let E be the event: δ α k+s Naive approach Pr[E] 2 s 2 18
45 Batch MAC-checking in SPDZ 2 k Let E be the event: δ α k+s Naive approach Pr[E] 2 s 2 Fine-grained analysis Pr[E] 2 s + 2 s 1+log s 18
46 Multiplication Triples
47 General Idea (high level) Preprocess triples ([a], [b], [c]) such that a, b are random and c k a b. Key idea (two parties) ( a 1 + a 2) (b 1 + b 2) = a 1 b 1 + a 2 b 2 + a 1 b 2 + a 2 b 1 Share mixed products using OT Similar to the MASCOT triple generation protocol (Keller et al, CCS 2016). Based on Oblivious Transfer. 19
48 General Idea (high level) 1. OT: c k+s a b 2. Combine: Take inner product with a random vector: r, c k+s r, a b MASCOT: a is a vector of (field) elements SPDZ 2 k : a is a vector of bits 3. Authenticate: Shares are authenticated (using a MAC functionality) 4. Sacrifice: Check correctness 20
49 Conclusions
50 We develop an efficient dishonest majority MPC protocol for computation over Z 2 k. New number-theoretic tricks introduced to overcome the difficulties of working over a ring as Z 2 k : Zero-divisors! Non-invertible elements! Taking dot product with random vectors is not a 2-universal function! First efficient, information-theoretic secure, homomorphic authentication scheme modulo 2 k. 21
51 Future work Implementation and performance test Preprocessing is theoretically slower than MASCOT SPDZ 2 k s online phase is expected to be faster in practice. 22
52 Future work Implementation and performance test Preprocessing is theoretically slower than MASCOT SPDZ 2 k s online phase is expected to be faster in practice. Develop sub-protocols for basic primitives Inequality and equality tests, bit comparisons, bit decomposition, shifting, etc. Highly non-trivial! Dividing by 2 is not possible directly. 22
53 Future work Implementation and performance test Preprocessing is theoretically slower than MASCOT SPDZ 2 k s online phase is expected to be faster in practice. Develop sub-protocols for basic primitives Inequality and equality tests, bit comparisons, bit decomposition, shifting, etc. Highly non-trivial! Dividing by 2 is not possible directly. Extending security model MPC over Z 2 k in the honest majority setting. 22
54 Thank you! 22
55 Supplementary Material
56 A Secret-sharing-based protocol 23
57 A Secret-sharing-based protocol x y Input phase [x] [y] 23
58 A Secret-sharing-based protocol x y [x] [y] Input phase [x] [y] [x y] 23
59 A Secret-sharing-based protocol x y [x] [y] [z] Input phase Output phase [x] [y] [x y] z 23
60 Batch MAC-checking in SPDZ 2 k Let E be the event: δ α k+s Let w be the largest integer such that 2 w divides δ. 2 s 1 {}}{{}}{ Pr[E] = Pr[E 0 w k] Pr[0 w k] s + Pr[E w = k + c] Pr[w = k + c] 2 s + 2 s 1+log s }{{}}{{} c=1 2 c s 2 c 1 24
61 Pr[E 0 w k] 2 s We have that ( ) δ 1 α k+s w 2 w 2 w α mod 2 k+s w is fully determined This happens with probability at most 2 w k s 2 s. 25
62 Pr[0 w k]
63 Pr[E w = k + c] 2 c s, c {1,..., s} Follows from the first proof (writing w = k + c) 27
64 Pr[w = k + c] 2 c 1, c {1,..., s} Since 2 w divides δ, we have that δ w 0, which implies t 1 χ t δ t w χ i δ i i=1 } {{ } S Let v k 1 be the largest integer such that 2 v divides δ t, then ( ) 1 δt χ t w v 2 v S 2 v. Since χ t mod 2 w v is fully determined, this happens with probability at most 2 v w 2 c 1. 28
65 Batch MAC Checking 29
66 Triples - Part 1 30
67 Triples - Part 2 31
68 Triples - Part 3 32
69 Communication 33
70 Performance (1) 34
71 Performance (2) 35
A New Approach to Practical Active-Secure Two-Party Computation
A New Approach to Practical Active-Secure Two-Party Computation Jesper Buus Nielsen 1, Peter Sebastian Nordholt 1, Claudio Orlandi 1, Sai Sheshank Burra 2 1 Aarhus University, Denmark 2 Indian Institute
More informationMASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer
MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer Tore Frederiksen Emmanuela Orsini Marcel Keller Peter Scholl Aarhus University University of Bristol 31 May 2016 Secure Multiparty
More informationSecure Multi-Party Computation. Lecture 17 GMW & BGW Protocols
Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party
More informationCut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings
Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings Yehuda Lindell Bar-Ilan University, Israel Technion Cryptoday 2014 Yehuda Lindell Online/Offline and Batch Yao 30/12/2014
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More informationA New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank
A New Approach to Practical Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank Secure Two-Party Computation Alice has an input a {0,1} * Bob has an input
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationHigh Performance Multi-Party Computation for Binary Circuits Based on Oblivious Transfer
High Performance Multi-Party Computation for Binary Circuits Based on Oblivious Transfer Sai Sheshank Burra 3, Enrique Larraia 5, Jesper Buus Nielsen 1, Peter Sebastian Nordholt 2, Claudio Orlandi 1, Emmanuela
More informationDishonest Majority Multi-Party Computation for Binary Circuits
Dishonest Majority Multi-Party Computation for Binary Circuits Enrique Larraia, Emmanuela Orsini, and Nigel P. Smart Dept. Computer Science, University of Bristol, United Kingdom Enrique.LarraiadeVega@bristol.ac.uk,Emmanuela.Orsini@bristol.ac.uk,
More informationEfficient Constant Round Multi-Party Computation Combining BMR and SPDZ
Efficient Constant Round Multi-Party Computation Combining BMR and SPDZ Yehuda Lindell Benny Pinkas Nigel P. Smart vishay Yanai bstract Recently, there has been huge progress in the field of concretely
More informationMulti-Party Computation with Conversion of Secret Sharing
Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution
More informationYuval Ishai Technion
Winter School on, Israel 30/1/2011-1/2/2011 Yuval Ishai Technion 1 Several potential advantages Unconditional security Guaranteed output and fairness Universally composable security This talk: efficiency
More informationMalicious Security. 6.1 Cut-and-Choose. Figure 6.1: Summary of malicious MPC protocols discussed in this chapter.
6 Malicious Security So far, we have focused on semi-honest protocols which provide privacy and security only against passive adversaries who follow the protocol as specified. The semi-honest threat model
More informationOverdrive: Making SPDZ Great Again
Overdrive: Making SPDZ Great Again Marcel Keller 1, Valerio Pastro 2, and Dragos Rotaru 1,3 1 University of Bristol 2 Yale University 3 imec-cosic, Dept. Electrical Engineering, KU Leuven m.keller@bristol.ac.uk,
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More informationHomomorphic Encryption
Overdrive2k: Efficient Secure MPC over Z 2 k Homomorphic Encryption from Somewhat Emmanuela Orsini 1, Nigel P. Smart 1,2, and Frederik Vercauteren 1 1 imec-cosic, KU Leuven, Leuven, Belgium. 2 University
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationA New Approach to Practical Active-Secure Two-Party Computation
A New Approach to Practical Active-Secure Two-Party Computation Jesper Buus Nielsen 1,,, Peter Sebastian Nordholt 1,, Claudio Orlandi 2,, Sai Sheshank Burra 3 1 Aarhus University 2 Bar-Ilan University
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationA Zero-One Law for Secure Multi-Party Computation with Ternary Outputs
A Zero-One Law for Secure Multi-Party Computation with Ternary Outputs KTH Royal Institute of Technology gkreitz@kth.se TCC, Mar 29 2011 Model Limits of secure computation Our main result Theorem (This
More informationAuthenticated Garbling and Efficient Maliciously Secure Two-Party Computation
Authenticated Garbling and Efficient Maliciously Secure Two-Party Computation Xiao Wang University of Maryland wangxiao@cs.umd.edu Samuel Ranellucci University of Maryland George Mason University samuel@umd.edu
More informationMultiparty Computation (MPC) Arpita Patra
Multiparty Computation (MPC) Arpita Patra MPC offers more than Traditional Crypto! > MPC goes BEYOND traditional Crypto > Models the distributed computing applications that simultaneously demands usability
More informationFast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries
Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il February 8, 2015 Abstract In the setting
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationEfficient Multiparty Protocols via Log-Depth Threshold Formulae
Efficient Multiparty Protocols via Log-Depth Threshold Formulae Gil Cohen Ivan Bjerre Damgård Yuval Ishai Jonas Kölker Peter Bro Miltersen Ran Raz Ron D. Rothblum August 1, 2013 Abstract We put forward
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationWhen It s All Just Too Much: Outsourcing MPC-Preprocessing
When It s All Just Too Much: Outsourcing MPC-rocessing Peter Scholl 1, Nigel P. Smart 2, and Tim Wood 2 1 Dept. Computer Science, Aarhus University, Denmark 2 Dept. Computer Science, University of Bristol,
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Secret Sharing Vault should only open if both Alice and Bob are present Vault should only open if Alice, Bob, and Charlie are
More informationEfficient and Private Scoring of Decision Trees, Support Vector Machines and Logistic Regression Models based on Pre-Computation
1 Efficient and Private Scoring of Decision Trees, Support Vector Machines and Logistic Regression Models based on Pre-Computation Martine De Cock, Rafael Dowsley, Caleb Horst, Raj Katti, Anderson C. A.
More informationFundamental MPC Protocols
3 Fundamental MPC Protocols In this chapter we survey several important MPC approaches, covering the main protocols and presenting the intuition behind each approach. All of the approaches discussed can
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationLecture 14: Secure Multiparty Computation
600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine
More informationProtocols for Multiparty Coin Toss with a Dishonest Majority
Protocols for Multiparty Coin Toss with a Dishonest Maority Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer Science and Mathematics
More informationPerfect Secure Computation in Two Rounds
Perfect Secure Computation in Two Rounds Benny Applebaum Tel Aviv University Joint work with Zvika Brakerski and Rotem Tsabary Theory and Practice of Multiparty Computation Workshop, Aarhus, 2018 The MPC
More informationADVERTISING AGGREGATIONARCHITECTURE
SOMAR LAPS PRIVACY-PRESERVING LATTICE-BASED PRIVATE-STREAM SOCIAL MEDIA ADVERTISING AGGREGATIONARCHITECTURE OR: HOW NOT TO LEAVE YOUR PERSONAL DATA AROUND REVISITING PRIVATE-STREAM AGGREGATION: LATTICE-BASED
More informationFaster Maliciously Secure Two-Party Computation Using the GPU Full version
Faster Maliciously Secure Two-Party Computation Using the GPU Full version Tore Kasper Frederiksen, Thomas P. Jakobsen, and Jesper Buus Nielsen July 15, 2014 Department of Computer Science, Aarhus University
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationZKBoo: Faster Zero-Knowledge for Boolean Circuits
Aarhus University ZKBoo: Faster Zero-Knowledge for Boolean Circuits Irene Giacomelli, Jesper Madsen and Claudio Orlandi Usenix Security Symposium 2016 1 / 15 Zero-Knowledge (ZK) Arguments Alice Bob. Private
More informationActively secure two-party evaluation of any quantum operation
Actively secure two-party evaluation of any quantum operation Frédéric Dupuis ETH Zürich Joint work with Louis Salvail (Université de Montréal) Jesper Buus Nielsen (Aarhus Universitet) August 23, 2012
More informationEfficient Conversion of Secret-shared Values Between Different Fields
Efficient Conversion of Secret-shared Values Between Different Fields Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We show how to effectively convert a
More informationSecure Computation. Unconditionally Secure Multi- Party Computation
Secure Computation Unconditionally Secure Multi- Party Computation Benny Pinkas page 1 Overview Completeness theorems for non-cryptographic faulttolerant distributed computation M. Ben-Or, S. Goldwasser,
More informationFast Large-Scale Honest-Majority MPC for Malicious Adversaries
Fast Large-Scale Honest-Majority MPC for Malicious Adversaries Koji Chida 1, Daniel Genkin 2, Koki Hamada 1, Dai Ikarashi 1, Ryo Kikuchi 1, Yehuda Lindell 3, and Ariel Nof 3 1 NTT Secure Platform Laboratories,
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationFast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract
Fast Signature Generation with a Fiat Shamir { Like Scheme H. Ong Deutsche Bank AG Stuttgarter Str. 16{24 D { 6236 Eschborn C.P. Schnorr Fachbereich Mathematik / Informatik Universitat Frankfurt Postfach
More informationLecture 38: Secure Multi-party Computation MPC
Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationSecure Arithmetic Computation with Constant Computational Overhead
Secure Arithmetic Computation with Constant Computational Overhead Benny Applebaum 1, Ivan Damgård 2, Yuval Ishai 3, Michael Nielsen 2, and Lior Zichron 1 1 Tel Aviv University, {bennyap@post,liorzichron@mail}.tau.ac.il
More informationResource-efficient OT combiners with active security
Resource-efficient OT combiners with active security Ignacio Cascudo 1, Ivan Damgård 2, Oriol Farràs 3, and Samuel Ranellucci 4 1 Aalborg University, ignacio@math.aau.dk 2 Aarhus University, ivan@cs.au.dk
More informationLinear Secret-Sharing Schemes for Forbidden Graph Access Structures
Linear Secret-Sharing Schemes for Forbidden Graph Access Structures Amos Beimel 1, Oriol Farràs 2, Yuval Mintz 1, and Naty Peter 1 1 Ben Gurion University of the Negev, Be er Sheva, Israel 2 Universitat
More informationOptimizing Authenticated Garbling for Faster Secure Two-Party Computation
Optimizing Authenticated Garbling for Faster Secure Two-Party Computation Jonathan Katz University of Maryland jkatz@cs.umd.edu Samuel Ranellucci University of Maryland George Mason University samuel@umd.edu
More informationBenny Pinkas Bar Ilan University
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption
More informationSign Modules in Secure Arithmetic Circuits (A Full Version)
Sign Modules in Secure Arithmetic Circuits (A Full Version) Ching-Hua Yu chinghua.yu@gmail.com Abstract In 1994 [18], Feige, Killian, and Naor suggested a toy protocol of secure comparison, which takes
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More information1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds
1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationSecureML: A System for Scalable Privacy-Preserving Machine Learning
SecureML: A System for Scalable Privacy-Preserving Machine Learning Payman Mohassel Yupeng Zhang Abstract Machine learning is widely used in practice to produce predictive models for applications such
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationNon-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)
Non-Interactive Zero-Knowledge from Homomorphic Encryption Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU) January 27th, 2006 NYU Crypto Reading Group Zero-Knowledge and Interaction
More informationCircuits Resilient to Additive Attacks with Applications to Secure Computation
Circuits Resilient to Additive Attacks with Applications to Secure Computation Daniel Genkin Technion danielg3@cs.technion.ac.il Yuval Ishai Technion yuvali@cs.technion.ac.il Manoj M. Prabhakaran University
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationSecure Equality and Greater-Than Tests with Sublinear Online Complexity
Secure Equality and Greater-Than Tests with Sublinear Online Complexity Helger Lipmaa 1 and Tomas Toft 2 1 Institute of CS, University of Tartu, Estonia 2 Dept. of CS, Aarhus University, Denmark Abstract.
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationThe Cramer-Shoup Strong-RSA Signature Scheme Revisited
The Cramer-Shoup Strong-RSA Signature Scheme Revisited Marc Fischlin Johann Wolfgang Goethe-University Frankfurt am Main, Germany marc @ mi.informatik.uni-frankfurt.de http://www.mi.informatik.uni-frankfurt.de/
More informationNetwork Oblivious Transfer
Network Oblivious Transfer Ranjit Kumaresan Srinivasan Raghuraman Adam Sealfon Abstract Motivated by the goal of improving the concrete efficiency of secure multiparty computation (MPC), we study the possibility
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationThreshold Cryptography
Threshold Cryptography Cloud Security Mechanisms Björn Groneberg - Summer Term 2013 09.07.2013 Threshold Cryptography 1 ? 09.07.2013 Threshold Cryptography 2 Threshold Cryptography Sharing Secrets Treasure
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationEfficient General-Adversary Multi-Party Computation
Efficient General-Adversary Multi-Party Computation Martin Hirt, Daniel Tschudi ETH Zurich {hirt,tschudid}@inf.ethz.ch Abstract. Secure multi-party computation (MPC) allows a set P of n players to evaluate
More informationBenny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar-Ilan University 1 What is N? Bar-Ilan University 2 Completeness theorems for non-cryptographic fault-tolerant
More informationII. Digital signatures
II. Digital signatures Alice m Bob Eve 1. Did Bob send message m, or was it Eve? 2. Did Eve modify the message m, that was sent by Bob? 1 Digital signatures Digital signature - are equivalent of handwritten
More informationIntroduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication
Common Usage of MACs for message authentication Introduction to Cryptography k Alice α m, MAC k (m) Isα= MAC k (m)? Bob k Lecture 5 Benny Pinkas k Alice m, MAC k (m) m,α Got you! α MAC k (m )! Bob k Eve
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO 2007 1/26 WhatisaMACalgorithm? M Alice wants to
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationMore Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries
More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries Gilad Asharov 1, Yehuda Lindell 2, Thomas Schneider 3, and Michael Zohner 3 1 The Hebrew University of Jerusalem, Israel
More information1 Introduction. Proceedings on Privacy Enhancing Technologies ; 2017 (4):
Proceedings on Privacy Enhancing Technologies ; 2017 (4):345 364 Adrià Gascón, Phillipp Schoppmann, Borja Balle, Mariana Raykova, Jack Doerner, Samee Zahur, and David Evans Privacy-Preserving Distributed
More informationPublic key exchange using semidirect product of (semi)groups
Public key exchange using semidirect product of (semi)groups Maggie Habeeb 1, Delaram Kahrobaei 2, Charalambos Koupparis 3, and Vladimir Shpilrain 4 1 California University of Pennsylvania habeeb@calu.edu
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationThanks to: University of Illinois at Chicago NSF CCR Alfred P. Sloan Foundation
The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR 9983950 Alfred P. Sloan Foundation The AES function ( Rijndael 1998 Daemen Rijmen; 2001
More informationMultiparty Computation from Somewhat Homomorphic Encryption
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1, Valerio Pastro 1, Nigel Smart 2, and Sarah Zakarias 1 1 Department of Computer Science, Aarhus University 2 Department of Computer
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationAmortized Complexity of Zero-Knowledge Proofs Revisited: Achieving Linear Soundness Slack
Amortized Complexity of Zero-Knowledge Proofs Revisited: Achieving Linear Soundness Slack Ronald Cramer 1, Ivan Damgård 2, Chaoping Xing 3, and Chen Yuan 3 1 CWI, Amsterdam & Mathematical Institute, Leiden
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationCryptanalysis of Threshold-Multisignature Schemes
Cryptanalysis of Threshold-Multisignature Schemes Lifeng Guo Institute of Systems Science, Academy of Mathematics and System Sciences, Chinese Academy of Sciences, Beijing 100080, P.R. China E-mail address:
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationCPSC 467b: Cryptography and Computer Security
Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More information