A Round and Communication Efficient Secure Ranking Protocol
|
|
- Ralf Goodman
- 6 years ago
- Views:
Transcription
1 A Round and Communication Efficient Secure Ranking Protocol Shaoquan Jiang 1,2 and Guang Gong 2 1 Department of Computer Science, University of Electronic Science and Technology, Chengdu, CHINA. 2 Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON, N2L 3G1, CANADA {jiangshq, ggong}@calliope.uwaterloo.ca Abstract. In this work, we initiate the study of realizing a ranking functionality (m 1,, m n ) (r 1,, r n ) in the non-adaptive malicious model, where r i = 1 + {m j : m j < m i}. Generically, it has been solved by a general multi-party computation technique (via a circuit formulation). However, such a solution is inefficient in either round complexity or communication complexity. In this work, we propose an efficient construction without a circuit. Our protocol is constant round and efficient in communication complexity as well. Furthermore, we show it is directly secure in the non-adaptive malicious model (i.e., without a compiler, as is used in many general constructions). 1 Introduction A general multi-party computation paradigm was initially studied by Yao [15]. In this paradigm, any cryptographic functionality can be solved as a special case. Such a functionality can be first formulated into some circuit. Then, a semi-honestly secure protocol for this circuit is constructed. In the semi-honest model, all the parties (including corrupted parties) strictly follow the protocol specification. This, of course, does not suffice for real applications. To obtain a realistically secure protocol, a compiler is proposed which, given a semi-honestly secure protocol, outputs a maliciously secure protocol. This approach is generally very powerful, as one need not take care of the problem s specific features (except the circuit itself). However, since a generic solution does not exploit the problem s special properties, it is not efficient in general. Therefore, it is very interesting and valuable to solve the specific problem without the generic approach. With this motivation in mind, we study a multi-party millionaire problem below. There are n parties, P 1,, P n. Each P i has m i dollars for 1 m i N. The problem is how to admit P i to get the rank of m i but nothing beyond this. Formally, we are interested in
2 realizing the ranking functionality (m 1,, m n ) (r 1,, r n ), where r i = 1 + {m j : m j < m i }, i = 1,, n. 1.1 Related Work Since Yao [15], many authors [6, 9, 8, 5, 12] worked in the circuit paradigm. However, prior to the work by Cramer et al. [3] and by Jakobsson et al. [13], none of them have achieved both the non-adaptive malicious security and the communication complexity O(kn C ), where communication complexity is the total number of bits sent by all parties, C is the circuit size, n is the number of parties, and k is the security parameter. Applying to a ranking functionality, one can achieve communication complexity Õ(kn3 ). However, [3] has a round complexity O(d) and [13] has a round complexity O(d + n), where d is the depth of circuit size and in case of ranking functionality d = Ω(log n) 1. All these results are evaluated in the broadcast channel. The currently most communication efficient and maliciously secure multi-party computation protocol is due to Hirt and Maurer [11], whose communication complexity is O((mn 2 + n I n 4 + n o n + n 4 )k) (in the pairwise channel), where m is the number of multiplication gates in the circuit, n I and n o are the number of inputs and outputs respectively. Applying to the ranking functionality, it implies a solution of communication complexity O(kn 5 ). However, their protocol has a very high round complexity O(n 2 ). Note a broadcast channel with communication complexity O(n 2 ) and round complexity O(n) can be constructed [10]. Therefore, no maliciously secure protocol for the ranking problem has previously achieved a result equivalent to a constant round with communication complexity O(kn 3 ) in the broadcast channel. 1.2 Contribution In this work, we construct an efficient n-party ranking protocol. Our protocol has a constant round complexity. Assume k is the security parameter and each party P i has an input m i {1,, N}. Then our protocol has a communication complexity O(kn 2 (n + N)). Therefore, if N = O(n) which is the typical case, the communication complexity is O(kn 3 ). Thus, our protocol is efficient in both communication complexity and round complexity. In addition, we prove that our construction is secure in the non-adaptive malicious model. 1 This easily follows from two facts: (1) the circuit is acyclic and each node has at most two inputs; (2) the circuit size for ranking is trivially lower bounded by Ω(n).
3 This work is organized as follows. Section 2 introduces the security model. Section 3 introduces a building block: a zero sharing protocol. Section 4 introduces our ranking protocol containing some sub ideal functionalities and its security analysis. Section 5 considers how to realize the sub ideal functionalities and obtain a full functional ranking protocol. 2 Security Model In this section, we introduce the security model for non-adaptive malicious adversary. In this model, we first have an ideal process in the non-adaptive malicious model, where the computation is achieved via a trusted third party. Then, we turn to the maliciously real process, which is a model for the execution of the real protocol. Finally, a protocol is said to be secure if the real process and ideal process essentially have an identical performance. Ideal Process. We consider the ideal process w.r.t. a non-adaptive malicious adversary S. Let f be an ideal functionality and F be a trusted third party. Let P 1,, P n be n parties involved in the execution. S has an arbitrary auxiliary input z and P i has an input x i D. Before the protocol starts, S can select a set of parties Φ {P 1,, P n } for corruption. As a result, all the inputs of these parties are provided to S. In addition, their future actions are fully taken by S. After the protocol starts, the execution is described as follows. Upon input x i, an uncorrupted P i forwards it to F. Upon receiving an output from F, P i outputs it directly. S can change the input x i of a corrupted party P i to x i D { }, and sends x i to F. Upon receiving x 1, x 2,, x n from all parties (x i = x i for an uncorrupted P i ), F may ask S for a message. Then, he follows f to compute output (o 1, o 2,, o n ) from (x 1,, x n) and the response from S (if any). By default, if some x i =, then o 1 = = o n =. Finally, F asks S to deliver o i to P i. S can deliver o i or for an uncorrupted P i. In any case, the secret part of o i will be kept invisible from S. Finally, S can output whatever he wishes. Let r 0 and r S be the random input of F and S, respectively. The joint execution in the ideal process, denoted by IDEAL F,S(z) (x; r 0, r S ), is a concatenation of the outputs for uncorrupted parties as well as the adversary S. Later we will use random variable IDEAL F,S(z) (x) to denote
4 IDEAL F,S(z) (x; r 0, r S ) with random input r 0 and r S. Real Process. Let Γ be a protocol to realize a functionality f. Let P 1,, P n be n parties involved in the execution. Let A is a PPT adversary with an auxiliary input z. Before the protocol starts, A specifies a set of parties Φ {P 1,, P n } for corruption. As in the ideal process, once a party is corrupted, his secret input is provided to A. In addition, his future action is fully taken by A. After the protocol starts, the real process is described as follows. Upon input x i, an uncorrupted P i exactly follows the protocol Γ to answer the incoming message and generates its output o i. The action for each corrupted P i is fully taken by A. In addition, we assume the channel is authenticated with a guaranteed delivery. That is, for any message M from an uncorrupted P i, A must deliver M to the specified receiver without any change. Let r A, r i, (P i Φ) are the random input for A and P i, respectively. o A, o i, (P i Φ) are the outputs for A, P i, respectively. Similar to the ideal process, we can define the joint execution, denoted by REAL Γ,A(z) (x; r A, {r i : P i Φ}), to be a concatenation of outputs for uncorrupted parties and the output of A. We use REAL Γ,A(z) (x) to denote the variable of the joint execution with uniform random input. Definition 1. Let Γ be an n-party protocol to implement a functionality f. Γ is said to be secure in a malicious but non-adaptive model if for any probabilistic polynomial-time adversary A in this model there exists an expected polynomial-time ideal adversary S such that { } { } c IDEAL f,s(z) (x) REAL Γ,A(z) (x) z,x where c means computational indistinguishability, z is auxiliary input and x = (x 1,, x n ) is the input vector for parties. 3 A Zero-Sharing Protocol In our ranking protocol (Section 4), rank r j is computed by pair-wise comparing m j with other m i and then summarizing the results. In order not to leak the comparison bit (m i < m j ), we employ a blinding technique such that all blinding values (for a fixed i) collectively constitute a random sharing of zero. The zero-sharing protocol is constructed in z,x,
5 this section, which will be introduced now. Formally, we propose a protocol for functionality F 0 : (1 κ,, 1 κ ) f 1 (x),, f n (x), where f i (x) is uniformly at random from Z q [x] of degree at most n 1 such that n i=1 f i(x) = 0. In the ideal process, the adversary is allowed to choose f i (x) for corrupted parties. Our zero-sharing protocol is presented in Table 1, where p, q are primes with p = 2q + 1, and g, h Z p have an order of q. Let R 2dl = {(g y 1 h y 2, (y 1, y 2 )) : y 1, y 2 Z q }. The protocol employs a multi-party functionality F m2dl for each party to prove the knowledge of his commitment. F m2dl is defined as follows. Definition 2. (Multi-party Functionality: F m2dl ) F m2dl does the following with parties P 1,, P n and adversary S, and is parameterized by relation R 2dl. Upon (F jt, (f jt, f jt ))n t=1 from each P j, F m2dl checks if (F jt, (f jt, f jt )) R 2dl. If it holds for all j and t, F m2dl sends message ok to P 1,, P n and S; otherwise, it does nothing. After the protocol execution, P i can compute u ij = f i (j), for each j = 1,, n. All parties can compute U ij = g u ij h u ij, where u ij = f i (j). Note the sharing scheme has a property that for each j, i u ij = 0. That is why we call it a zero-sharing protocol. In our ranking protocol (Section 4), u ij will be used to blind the bit (m i < m j ). The completeness of ranking will be guaranteed by the fact i u ij = 0. Lemma 1. Our zero-sharing protocol securely realizes F 0. Specifically, if Φ is the set of corrupted parties with Φ n 1, then f i (x) for uncorrupted P i is uniformly at random in F [x] with degree at most n 1 such that the only constraint is P i Φ f i(x) = P i Φ f i(x). In addition, {u ij } i Φ,1 j n is uniform at random in Zq n (n Φ ) with only constraint i Φ u ij = i Φ u ij, for each j = 1,, n. Proof. We now show that for any PPT real process adversary A, there exists an expected polynomial-time ideal process adversary S such that the two executions are indistinguishable. S first prepares p = 2q + 1, g, and computes h = g a, for a Z q. Then he runs A with p, g, h. In turn, he will receive a set Φ for corruption. Then he corrupts Φ in the ideal process. For simplicity, we use P i to represent a party in the internal simulation and P i the party in the external ideal process. S follows the real protocol execution to interact with A for Step one and Step two, at the end of which he will obtain f j (x) for each uncorrupted P j. In Step three, upon (F jt, (f jt, f jt )) from each corrupted P j (controlled by A), S
6 Params: p = 2q + 1, g, h; Output: f i(x) Z q[x] for each P i, i = 1,, n. 1. For each j = 1,, n, P i takes f ij(x) = n 1 t=0 fijtxt, f ij(x) = n 1 t=0 f ijtx t Z q [x] randomly such that j f ij(x) = 0 and j f ij(x) = 0. Then he computes F ijt = g f ijt h f ijt. He privately sends (f ij (x), f ij(x)) to P j, and makes F ijt public. 2. P j verifies if n l=1 F ilt = 1 and if F ijt = g f ijt h f ijt for all i, t. If the verification fails, P j broadcasts a complaint toward unsuccessful P i. P i tries to resolve it by making (f ij (x), f ij(x)) public. If the complaint still remains unresolved, by default set (f ij (x), f ij(x)) = (0, 0) for all j. P j computes f j (x) = n i=1 f ij(x), f j(x) = n i=1 f ij(x). 3. F m2dl is invoked such that P j proves (F jt, (f jt, f jt)) R 2dl for all t, where F jt = n i=1 Fijt, fj(x) := n 1 t=0 fitxt, f j(x) := n 1 t=0 f itx t. If ok is received, P i accepts and outputs (f i (x), f i(x)); otherwise, he outputs. Table 1. An Efficient Zero Sharing Protocol Zero-Sharing(n) verifies if (F jt, (f jt, f jt )) R 2dl. If yes, S sends message ok back to A 2 and in the ideal process he sends f jt for corrupted P j to F 0. When F 0 asks him to deliver the messages, he does it faithfully. On the other hand, if the verification fails, S sends for corrupted party P j to F 0 (note if no party is corrupted, ok must occur). Finally, S outputs whatever A does. The difference between this simulated execution and real execution is that the outputs for uncorrupted parties might be different. In order to be consistent with the ideal process, the output for an uncorrupted P i in the internal simulation is supposed to output f j (x), where f j (x) is the polynomial sent to P j from the ideal functionality (but invisible to S). However, in the simulated execution, the output f j (x) of P j might be different from f j (x). However, this is not a problem as given the adversary view in the simulated system, we can consistently reformulate the output of P j to f j (x). Indeed, take a fixed party P r Φ, reformulate f rj (x) to f rj (x) = f rj (x)+ f j (x) f j (x) and f rj (x) to f rj (x) = f rj (x) a 1 ( f j (x) f j (x)), for each other P j Φ. After the reformulation, adversary view does not change. However, the distribution of the reformulated simulation is exactly according to the real protocol since for each j = 1,, n f rj (x) + i r f ij(x) = f j (x) f j (x) + n i=1 f ij(x) = f j (x), f rj (x) + i r f ij (x) = f j (x) f j (x) + n i=1 f ij (x) = f j (x). 2 Note in this case we must have j f jt = j f jt = 0; otherwise, the adversary can be transformed to break Discrete Log problem as 1 = j Fjt = g j f jt h j f jt
7 Thus, our protocol realizes the functionality F 0. The second statement is immediate from the first statement. 4 Our Hybrid Ranking Protocol In this section, we introduce our cryptographic ranking protocol in the hybrid model, see Table 2. Let p, q be large primes with p = 2q + 1. Let g, h, σ, z 1 be random elements in z p of order q. These parameters are setup by a trusted third party. Before the ranking protocol, we assume that all parties have jointly run a zero sharing protocol. Consequently, each P i has the secret output f i (x), f i (x) and public output F jt for all j and t. Let U ij = n 1 t=0 F jt it (publicly computable), u ij = f i (j), u ij = f i (j) (known to P i ). Then, U ij = g u ij h u ij. As mentioned before, u ij will be used in the ranking protocol to blind the bit (m j < m i ). Our ranking protocol is divided into two phases: input commitment and rank computation. In the input commitment phase, we first encode m i {1,, N} as a N-tuple (0,, 0, 1, 1,, 1), where 1 starts at the (m i + 1)th component. Next, each P i commits to the encoded N-tuple of m i : B i1 = h x i1,, B i(mi ) = h x i(m i), B i(mi +1) = σh x i(m i +1),, B in = σh x in. Then, we ask each P j to prove the knowledge of the commitment. Let B it = B i(t+1) Bit 1, 1 t N, where B i(n+1) = σ by default. Then, it suffices to prove: B i1 is commitment of bit 0, B it is a commitment of either 0 or 1, for each t. Indeed, once this is done, the digital committed in B it is no more than that in B i(t+1). Since B i1 is a commitment of 0 and B i(n+1) is a commitment of 1, the tuple committed in {B it } N+1 t=1 must start with a sequence of 0, followed by a sequence of 1. Thus, the proof task can be formalized as an ideal functionality F mor + below, where relations R dl = {(h x, x) : x Z q } and R or = R dl {(σh x, x) : x Z q }. In the protocol, F mor + is invoked in which each P i proves (B it, x it ) R or for all t and (B i1, x i1 ) R dl. Definition 3. (Multi-party Functionality: F mor +) F mor + does the following, running P 1,, P n and S, and parameterized by relations R or and R dl. Upon receiving (B i1, x i1 ) and {(B it, x it )}N t=1 from each P i, F mor + verifies if (B it, x it ) R or and (B i1, x i1 ) R dl. It holds for all i and t, F mor + sends message ok to P 1,, P n and S; otherwise, it does nothing.
8 If F mor + does not send ok, each P i aborts; otherwise, he is ready for phase two. In the rank computation stage, each P i essentially uses an oblivious transfer to send a blinded comparison bit (m i < m j ) to P j. To do this, he does a fresh commitment to m i using {B ijt } N t=1, and then computes D ijt = (B j σ t ) x ijt z u ij 1 = h y jx ijt z u ij 1 σ (m j t)x ijt. Then P i sends {B ijt D ijt } N t=1 to P j. If P j computed this message honestly, then D ij(mj ) = h x ijty j z u ij Thus, P j can compute ξ i = B ij(mj ) D 1/y j ij(m j ) = σδ ij z u ij/y j 1, where δ ij is the bit (m i < m j ). Note i δ ij = r j 1 and i u ij = 0. We have n i=1 ξ i = σ rj 1. Finally, P j can obtain r j by trial. So what is left is for P i to prove that {B ijt D ijt } N t=1 is computed appropriately. To do this, define ) R rc = {({A t Ãt D t } N 1 U, {x t x t } N 1 u u : Ã t A 1 t = h x t x t, (A t, x t ) R or, D t = ( σ t ) x t z1 u, U = gu h u, G q, x t, x t, u, u Z q }. This relation is motivated by ( {Bit B ijt D ijt } N 1 U ij B j, {x t x ijt } N 1 u ij u ) ij Rrc, 1. which implies {B ijt D ijt } N t=1 is computed appropriately. In the protocol, an ideal functionality F mrc below is invoked for this purpose. This completes the description of our protocol. Definition 4. (Multi-party Functionality: F mrc ) F mrc does the following, running P 1,, P n and S, and parameterized by R rc, σ and z 1. Upon input ( {Bit B ijt D ijt } N 1 U ij B j, {x it x ijt } N 1 u ij u ij) from P i, F mrc checks it is consistent w.r.t. R rc. If it holds, then F mrc sends message ok(p i, P j ) to P j and S; otherwise, it ignores the verification for (P i, P j ). Now we formally prove the security of our ranking protocol. Theorem 1. Under the Decisional Diffie-Hellman (DDH) assumption, our hybrid ranking protocol is secure in the non-adaptive malicious model.
9 Params: p, g, σ, h, z 1 ; Input: m i for P i, i = 1,, n. PHASE ONE: Input Commitment. { h x it if 1 t m i, 1. Each P i takes x it Z q, computes B it = σh x. Then Pi it if m i < t N broadcasts B i1,, B in. 2. Let B it = B i(t+1) B 1 it for 1 t N, where by default B i(n+1) = σ. Let x it = x i(t+1) x it and x i(n+1) = 0. F mor + is invoked in which each P i proves (B i1, x i1) R dl and (B it, x it) R or for all t. If a message ok is not received from F mor +, P i aborts; otherwise, he is ready for Phase Two. Let B i = σ N N t=1 B 1 it = σ m i h y i, for y i = N t=1 xit. Pi keeps yi secret. PHASE TWO: Rank Computation. 1. P i prepares the outgoing message to { P j as follows. h x ijt if 1 t m i, - P i takes x ijt Z q, set B ijt = σh x ijt if m i < t N. In other words, P i commits to m i again. - P i computes D ijt = (B j σ t ) x ijt z u ij 1, sends {D ijt} N t=1 to P j. 2. ( F mrc is invoked in which ) each P i proves {B it B ijt D ijt } N t=1 U ij B j, {x it x ijt } N t=1 u ij u ij R rc to P j. 3. Receiving ok(p i, P j ) for all i, P j computes ξ i = B ij(mj ) D 1/y j ij(m j ). Finally, he derives ξ = N i=1 ξ i = σ r j 1 and obtains r j by trial. Table 2. Our Hybrid Ranking Protocol Proof. We show that for any PPT real process adversary A, there exists an expected polynomial-time ideal process adversary S such that the joint executions in the two processes are indistinguishable. S internally runs the simulated real process with A, playing the uncorrupted parties. At the same time, he is externally involved in the ideal process execution, on behalf of corrupted party P i Φ. The code of S is described as below. S first gets the input m i for each P i Φ, and provides to A as the input for P i. He prepares p, g, h, σ = h a for a Z q and runs A with it. S plays the role of uncorrupted P i to compute B it = h x it, where x it Z q, 1 t N. Note that S does not know the real input m i. Thus, he is unable to do a real commitment to m i. Then, S simulates the ideal functionality F mor +. If all the inputs from corrupted parties (controlled by A) have been successfully verified, S (simulating F mor +) sends ok to A; otherwise, he does nothing.
10 S calculates m i from the input to F mor + for corrupted P i. He then externally sends m i for P i to F 0. And in turn, he obtains the corresponding r i. He then chooses arbitrary m j for uncorrupted P j such that each m i for corrupted P i has a rank r i among ( m 1,, m n ). Then for uncorrupted P j, he defines x jt = x jt if t m j; x jt = x jt a if m j < t N. Under this formulation, {B it } N 1 is an encoding of m i as computed in Step 1 of Phase One. In Phase Two, S faithfully interacts with A by simulating F mrc and all uncorrupted P i with {x it } N 1. In the external execution (ideal process), S delivers r j to uncorrupted P j if and only if ok(p i, P j ) for all i has been computed in the internal execution for all corrupted P i. Finally, S outputs whatever A does. The view of A is different from the real process: for uncorrupted P i, (1) Input commitment is dummy instead of a commitment of m i ; (2) m i is not equal to m i for uncorrupted P i. In the remaining part, we show this modification does change the distribution of A s view. Let the simulated game be Γ. Consider the mental game Γ 1 of Γ, where the only difference is that for uncorrupted P i, the input commitment is for m i instead of first being dummy and reformulating later. The view of A under this change is identically distributed in Γ, as x it in Γ is uniformly at random (thus x it obtained in the reformation is random) in Z q. Now we will show that the adversary view in Γ 1 and the variant of Γ 1, where m i for uncorrupted P i is replaced by m i, is indistinguishable. We achieve this via a sequence of game techniques. First we modify Γ 1 to Γ 2 such that in Phase Two, for each uncorrupted P i, D ijt = h y jx ijt β m j t ijt z u ij 1, where β ijt G q. Note if β ijt = σ x ijt, then Γ 2 becomes Γ 1. We show that the execution in these two games are indistinguishable. If this were not true, we construct an adversary B 2 to break DDH assumption. Given (h, σ, α, β) (either DH tuple or random tuple), B 2 takes (σ, α ljt, β ljt ) Rud 0 (h, σ, α, β), 1 t N, 1 j n, for each uncorrupted P l (algorithm Rud is presented in Appendix A). He then follows Γ 1 (and Γ 2 ) for input commitment stage. In the second phase, he follows the simulator S in Γ 2, except that for uncorrupted P i, h x ijt in defining B ijt is taken as α ijt and that D ijt = α y j ijt β m j t ijt z u ij 1. Finally, B 2 feeds the execution output to the distinguisher and outputs whatever he does. Note if (h, σ, α, β) is DH tuple, then the simulated game by B 2 is distributed as in Γ 1 ; otherwise, it is distributed according to Γ 2.
11 Thus, the distinguishability between Γ 1 and Γ 2 implies the non-negligible advantage of B 2, a contradiction to DDH assumption. We modify Γ 2 to Γ 3 such that in Phase Two, for any uncorrupted pair P i and P j, D ijt = γ ijt β m j t ijt z u ij 1 for γ ijt G q (instead of γ ijt = h y jx ijt ). We show the execution in Γ 2 and Γ 3 is indistinguishable; otherwise, consider a DDH breaker B 3. Upon receiving input (h, µ, ν, γ), B 3 first takes (µ j, ν j, γ j ) Rud 1 (h, µ, ν, γ) (See Appendix A for details) for each uncorrupted P j and then further takes (µ j, ν ijt, γ ijt ) Rud 0 (h, µ j, ν j, γ j ) for 1 t N and each uncorrupted P i. He follows the simulation in Γ 2 for input commitment except that h x jn is computed as µ j N 1 t=1 h x jt. Note this simulation is distributed identically as in Γ 2 (and Γ 3 ) as µ j is uniform in G q. In Phase Two, B 3 follows the simulation in Γ 3, except that for any uncorrupted pair P i, P j, (1) h x ijt in computing B ijt is defined to be ν ijt ; (2) D ijt = γ ijt β m j t ijt z u ij 1, where β ijt G q as in Γ 2 and γ ijt is the value just derived from Rud. By the property of Rud algorithm, if (h, µ, ν, γ) is a DH tuple, then the simulated game is identically distributed as Γ 2 ; otherwise, it is according to Γ 3. Thus, the distinguishablity between Γ 2 and Γ 3 implies the distinguishability of DDH, contradiction. Consider the mental game Γ 4, a variant of Γ 3 while m i is replaced by m i (registered by P i to the ideal functionality). We show that the views of A between Γ 3 and Γ 4 are identically distributed. Otherwise, commitments for { m i } Pi Φ and {m i } Pi Φ using the method in Step 1 can be distinguished. However, this is impossible since the two set of commitments have identical distribution. Here is details. Upon input {B it } N 1 for each uncorrupted P i (either commit of m i or commitment of m i ), a distinguisher B 4 simulates Step 2 normally (as in Γ 3 ). Phase Two is simulated as follows. - For each uncorrupted P i, B ijt = B it h ijt for each j, t, where ijt Z q. - For each uncorrupted P i and corrupted P j, take D ijt G q for t m j. Fix P i0 Φ. Take D i0 j( m j ) = B y j i 0 j( m j ) σ R jyj z u ij 1, where R j = {i : P i Φ, m i m j }. For i i 0, take D ij( mj ) = B y j ij( m j ) zu ij 1. Note y j = N t=1 x jt and x jt is obtained from the input to functionality F mor + by A in Phase One. - For uncorrupted P i and P j, take D ijt G q. Now we claim that no matter the input to the simulator is commitment of { m i } or {m i }, the above simulation is consistent with Γ 4. It suffices to show that D ij( mj ) for uncorrupted P i and corrupted P j is according to Γ 4. Notice for corrupted P j, m j is ranked r j for both cases
12 {m i } Pi Φ and { m i } Pi Φ, it follows that {i : P i Φ, m i m j } = {i : P i Φ, m i m j }. Thus, we only need to consider the case, where for uncorrupted P i, {B it } N 1 is a commitment of m i. Our key point is that for any j, {u ij : P i Φ} are uniform in Z q with only constraint P i Φ u ij = P i Φ u ij (by Lemma 1). Note that B ijt = σ δ it h x ijt, where δ it is the bit ( m i < t). Thus, in the simulation, D i0 j m j = h y jx i0 j m j σ y jδ i0 m j σ y jrj z u i 0 j 1 ; for other uncorrupted P i, D ij mj = h y jx ij mj σ y jδ i mj z u ij 1. Note that σ R j P i Φ σδ i m j z u ij 1 = P i Φ zu ij 1. Let ũ i 0 j = u i0 j (R j δ i0 m j )y j log z1 σ, and ũ ij = u ij +δ i mj log z1 σ for other uncorrupted P i. Note that P i Φ ũij = P i Φ u ij, we have that {ũ ij } Pi Φ can be regarded as another feasible assignment for {u ij } Pi Φ. Furthermore, {ũ ij } Pi Φ is according to the real distribution since {u ij } Pi Φ is uniform at random with the only constraint on their additive sum. Therefore, the simulation is actually distributed as in Γ 4. Our claim follows. Furthermore, notice adversary view in Γ 1,, Γ 4 when m i = m i for all uncorrupted P i is still indistinguishable. On the other hand adversary view in Γ 1 with m i = m i for all uncorrupted P i is according to the real execution. Thus, the execution of ideal process by S is indistinguishable from the execution of the real process by A. 5 Full Ranking Protocol Cramer et al. [3] demonstrates a transformation which, given any - protocol, outputs a secure 3-round multi-party (parallel) -protocol. In this section, we realize our building functionalities F m2dl, F mor +, F mrc using their transformation. Then a full ranking protocol can be obtained by (sequentially) composing these realizations with the hybrid protocol in the last section. We start with the notion of -protocol Protocol Let R be a binary relation consisting of pair (x, w), where x is a public string and w is a witness of polynomial length. Consider a 3-round proof of knowledge protocol for (x, w) R, where x is the common input and w is the private input for the prover. The prover starts with a message a. The verifier responds with a challenge e. Finally, the prover responds with a finishing message z. Then the verifier accepts if and only if ver(a, e, z, x) = 1 for a public algorithm ver. Such an interactive proof system is said to be a -protocol if it satisfies the following.
13 Completeness. If the prover is given a private input w such that (x, w) R, then the verifier always accepts. Special Honest Verifier Zero-knowledge. For any e, one can efficiently compute (a, e, z) such that (a, e, z) is according to the real distribution with a fixed e. Witness Extraction. For a fixed x, one can efficiently extract witness w from any two accepting transcripts (a, e, z) and (a, e, z ) with e e. Useful Examples. The protocols in Appendix B are -protocols π dl, π 2dl, π or, and π rc for relations R dl, R 2dl, R or and R rc respectively. These examples will soon be applied to realize our building functionalities. 5.2 Secure Multi-Party -Protocol Let R 1,, R v be v binary relations. Assume n parties P 1,, P n. Let Λ = (Λ 1,, Λ n ), where Λ i is a collection of numbers from {1,, v} with replacement (i.e., taking two identical numbers is allowed). Let x i,j, for j Λ i and 1 i n, be the common input for all parties. Suppose F Λ be an n-party functionality in which each P i proves the knowledge of witness w ij s.t. (x ij, w ij ) R j, for each j Λ i. The following has been established by Cramer et al. [3] (Section 6.3 in their paper). Lemma 2. Let R 1,, R v be v binary relations. Let π i be a -protocol for relation R i for 1 i v. Then there exists a 3-round multi-party protocol π Λ realizing F Λ. In addition, if π i (1 i v) has a communication complexity upper bounded by O(K), then the communication complexity of π Λ is upper bounded by O(K n i=1 Λ i ). Now we are ready to realize F m2dl, F mor +, F mrc. From Lemma 2, we we can easily conclude the following result. Corollary 1. There exists a 3-round multi-party protocol π m2dl (resp. π mor +, π mrc ) realizing the ideal functionality F m2dl (resp. F mor +, F mrc ). Furthermore, the communication complexity of π m2dl (resp. π mor +, π mrc ) is O(n 2 k) (resp. O(nNk), O(nNk)), where k is the security parameter (i.e., the length of p). Proof. In F m2dl, each P i proves the knowledge of witness for n instances w.r.t R 2dl. In F mor +, each P i proves the knowledge of witness of N instances w.r.t. R or and one instance w.r.t. R dl. In F mrc, each P i proves the knowledge of witness of one instance w.r.t. R rc. On the other hand, π dl, π 2dl, π or and π rc are -protocols for R dl, R 2dl, R or and
14 R rc respectively. Thus, the first part follows from Lemma 2. The second part follows since π dl, π 2dl, π or and π rc have communication complexity O(k), O(k), O(k), O(Nk), respectively. 5.3 Full Ranking Protocol Now we are ready to state our full ranking protocol. Let F ulrank be the ranking protocol in the last section but functionalities F m2dl, F mor +, F mrc are replaced by π m2dl, π mor +, π mrc respectively. Theorem 2. Protocol F ulrank realizes the ranking functionality in the non-adaptive but malicious model. In addition, F ulrank has a constant round complexity and a communication complexity O(n 2 k(n + n)). Proof. Since F ulrank is obtained from the hybrid protocol via sequential compositions, the security follows. It has a constant round complexity since the hybrid protocol, and π m2dl, π mor +, π mrc all are constant round. Since the zero-sharing protocol has the communication complexity O(n 3 k) and the main ranking part has O(n 2 Nk), it follows that the whole protocol has O(n 2 k(n + n)). References 1. M. Bellare, A. Boldyreva, S. Micali, Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements, EUROCRYPT 00, pp , M. Bellare and S. Goldwasser, Verifiable Partial Key Escrow, ACM CCS 97, pp , R. Cramer, I. Damgrd, J. Nielsen, Multiparty Computation from Threshold Homomorphic Encryption, EUROCRYPT 01, pp , R. Cramer, I. Damgard, and B. Schoenmakers, Proofs of partial knowledge and simplified design of witness hiding protocols, CRYPTO 94, LNCS 839, Y. Desmedt (ed.), SpringerVerlag, R. Cramer, I. Damgard, and U. Maurer, Gemeral secure multi-party computation from any linear secret sharing scheme, Advances in Cryptology-EUROCRYPT 00, B. Preneel (Ed.), LNCS 1807, Springer-Verlag, pp , M. Franklin, Comlexity and Security of Distributed Protocols, Ph. D thesis, Columbia University, M. Franklin and Haber, Joint encryption and message-efficient computation, Journal of Cryptology, 9(4): , Z. Galil, S. Haber, and M. Yung. Cryptographic computation: secure fault-tolerant protocol and the public-key model. In Advances in Cryptology-CRYPTO 87, C. Pomerance (Ed.), LNCS 293, Spriner-Verlag, New York, O. Goldreich, S. Micali, and A. Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, STOC 87, pp , New York City, May, 1987.
15 10. V. Hadzilacos, J. Halpern, Message-Optimal Protocols for Byzantine Agreement (Extended Abstract), PODC 1991, pp , M. Hirt and U. Maurer, Robustness for Free in Uncondidtional Multi-party Computation, Advances in Cryptology-CRYPTO 01, J. Killian(Ed.), LNCS 2139, Springer-Verlag, pp , Y. Ishai and E. Kushilevitz, Randomizing polynomials: a new representation with application to random efficient secure computation, FOCS 00, pp , M. Jakobsson and A. Juels, Mix and match: secure function evaluation via ciphertexts, Advances in Cryptology-ASIACRYPT 00, T. Okamoto (Ed.), LNCS 1976, Springer-Verlag, pp , V. Shoup, On Formal Models for Secure Key Exchange, Available at A. C. Yao, Protocols for secure computations (extended abstract), FOCS 82, pp , Appendix A Diffie-Hellman Self-reduction. Now we introduce a self-reduction technique [1, 14]. Let p, q be two large primes with p = 2q + 1; G q be the subgroup of order q in Z p. And g G q \{1}. Thus, g = G q. Given a bit x and a tuple (g, g a, g b, g c ), a self-reduction algorithm Rud x in [1, 14] can efficiently compute a new triple (g a, g b, g c ) with the properties in Table 3. Table 3. Properties of Output from Self-reduction Rud x x = 0 x = 1 c = ab a = a & b random in Z q & c = a b a, b random in Z q & c = a b c ab a = a &b, c random in Z q a, b, c random in Z q For example, if the input is x = 0 and a tuple (g, g a, g b, g ab ), then the output will be (g a, g b, g ab ), where b is uniformly random in Z q. For simplicity, we use (g a, g b, g c ) Rud x (g, g a, g b, g c ) to denote a random output of Rud with input x and (g, g a, g b, g c ). Appendix B In our protocol, -protocols for R dl, R 2dl, R or and R rc are presented in Tables 4, 5, 6, 7. All these protocols are not new. For example, Tables 6 [2] and Table 7 both are examples of the general OR protocol in [4].
16 Common Input: p = 2q + 1, h, X = h x. Auxiliary Input: x for Prover. 1. Prover takes x Z q, computes X = h x. Then he sends X to Verifier. 2. Verifier takes e Z q and sends to Prover. 3. Prover computes r = ex + x and sends r to Verifier. 4. Verifier checks if h r = X e X. He accepts if the check is successful. Table 4. The -Protocol π dl for relation R dl Common Input: p = 2q + 1, g, h, and S = g x h y. Auxiliary Input: (x, y) for Prover. 1. Prover takes x, y Z q, computes S = g x h y and sends it to Verifier. 2. Verifier takes e Z q and sends back to Prover. 3. Prover computes r 1 = ex + x, r 2 = ey + y and sends (r 1, r 2 ) to Verifier. 4. Verifier checks if S e S = g r 1 h r 2. The proof is accepted if the verification is successful. Table 5. The -Protocol π 2dl for relation R 2dl Common Input: p = 2q + 1, h, σ, X = h x or σh x. Auxiliary Input: x for Prover. 1. If X = h x, Prover takes w 1, r 2, c 2 Z q, computes R 1 = h w 1, R 2 = h r 2 (X/σ) c 2. If X = σh x, Prover takes w 2, r 1, c 1 Z q, computes R 1 = h r 1 X c 1, R 2 = h w 2. Then he sends (R 1, R 2) to Verifier. 2. Verifier takes c Z q and sends back to Prover. 3. If X = h x, Prover computes c 1 = c c 2, r 1 = w 1 + c 1 x. If X = σh x, Prover computes c 2 = c c 1, r 2 = w 2 + c 2x. Then he sends r 1, r 2, c 1, c 2 to Verifier. 4. Verifier checks if c 1 + c 2 = c, h r 1 = R 1 X c 1, h r 2 = R 2 (X/σ) c 2. He accepts if the verification is successful. Table 6. The -Protocol π or for relation R or
17 Common Input: Auxiliary Input: p = 2q + 1, g, h, σ, z 1, {B t B t D t} N t=1 U B {x t x t } N t=1 u u for Prover. 1. If B t = h x t, Prover takes x t1, u t1, u t1, r t2, r t2, s t2, s t2, e t2 Z q, computes Bt1 = h x t1, Bt2 = h r t2 (B t /σ) e t2, B t1 = h x t1, B t2 = h r t2 ( B t /σ) e t2, Dt1 = (Bσ t ) x t1z u t1 1, Dt2 = (Bσ t ) r t2 z s t2 Ut1 = g u t1h u t1, Ut2 = g s t2 h s t2u e t2. 1 D e t2 t, If B t = σh x t, Prover takes x t2, u t2, u t2, r t1, r t1, s t1, s t1, e t1 Z q, computes Bt1 = h r t1 B e t1 t, Bt2 = h x t2, B t1 = h r t1 B e t1 t, B t2 = h x t2, Dt1 = (Bσ t ) r t1 z s t1 1 D e t1 t, Dt2 = (Bσ t ) x t2z u t2 Ut1 = g s t1 h s t1u e t1, Ut2 = g u t2h u t2. Then he sends {Bt1 B t2, B t1 B t2, Dt1 D t2, Ut1 U t2} N 1 to Verifier. 2. Verifier takes e Z q and sends back to Prover. 3. If B t = h x t, Prover computes e t1 = e e t2, r t1 = x t1 + e t1x t, r t1 = x t1 + e t1 x t, s t1 = u t1 + e t1 u, s t1 = u t1 + e t1 u. If B t = σh x t, Prover computes e t2 = e e t1, r t2 = x t2 + e t2x t, r t2 = x t2 + e t2 x t, s t2 = u t2 + e t2 u, s t2 = u t2 + e t2 u. Then he sends {r t1 r t2, r t1 r t2, s t1 s t2, s t1 s t2, e t1, e t2 } N 1 to Verifier. 4. Verifier checks if e t1 + e t2 = e, and if the following for all t: 1, h r t1 = Bt1B e t1 t, h r t2 = Bt2(B t /σ) e t2, h r t1 = B t1 B e t1 t, h r t2 = B t2( B t /σ) e t2, (Bσ t ) r t1 z s t1 1 = Dt1D e t1 t, (Bσ t ) r t2 z s t2 1 = Dt2D e t2 t, g s t1 h s t1 = Ut1U e t1, g s t2 h s t2 = Ut2U e t2. He accepts if the verification is successful. Notation: B t = h x t and B t = h x t, or, B t = σh x t and B t = σh x t ; U = g u h u ; D t = (Bσ t ) x t z u 1. Table 7. The -protocol π rc for relation R rc
An Unconditionally Secure Protocol for Multi-Party Set Intersection
An Unconditionally Secure Protocol for Multi-Party Set Intersection Ronghua Li 1,2 and Chuankun Wu 1 1 State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationImpossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs
Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Dafna Kidron Yehuda Lindell June 6, 2010 Abstract Universal composability and concurrent general composition
More informationOn Achieving the Best of Both Worlds in Secure Multiparty Computation
On Achieving the Best of Both Worlds in Secure Multiparty Computation Yuval Ishai Jonathan Katz Eyal Kushilevitz Yehuda Lindell Erez Petrank Abstract Two settings are traditionally considered for secure
More informationA Fair and Efficient Solution to the Socialist Millionaires Problem
In Discrete Applied Mathematics, 111 (2001) 23 36. (Special issue on coding and cryptology) A Fair and Efficient Solution to the Socialist Millionaires Problem Fabrice Boudot a Berry Schoenmakers b Jacques
More informationSecure Multiplication of Shared Secrets In The Exponent
Secure Multiplication of Shared Secrets In The Exponent Rosario Gennaro Mario Di Raimondo May 26, 2003 Abstract We present a new protocol for the following task. Given tow secrets a, b shared among n players,
More informationUniversally Composable Multi-Party Computation with an Unreliable Common Reference String
Universally Composable Multi-Party Computation with an Unreliable Common Reference String Vipul Goyal 1 and Jonathan Katz 2 1 Department of Computer Science, UCLA vipul@cs.ucla.edu 2 Department of Computer
More information6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti
6.897: Advanced Topics in Cryptography Lecturer: Ran Canetti Focus for first half (until Spring Break): Foundations of cryptographic protocols Goal: Provide some theoretical foundations of secure cryptographic
More information6.897: Selected Topics in Cryptography Lectures 7 and 8. Lecturer: Ran Canetti
6.897: Selected Topics in Cryptography Lectures 7 and 8 Lecturer: Ran Canetti Highlights of past lectures Presented a basic framework for analyzing the security of protocols for multi-party function evaluation.
More informationBenny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar-Ilan University 1 What is N? Bar-Ilan University 2 Completeness theorems for non-cryptographic fault-tolerant
More informationRobustness for Free in Unconditional Multi-Party Computation
Robustness for Free in Unconditional Multi-Party Computation Martin Hirt and Ueli Maurer ETH Zurich Department of Computer Science {hirt,maurer}@inf.ethz.ch Abstract. We present a very efficient multi-party
More informationOblivious Transfer in Incomplete Networks
Oblivious Transfer in Incomplete Networks Varun Narayanan and Vinod M. Prabahakaran Tata Institute of Fundamental Research, Mumbai varun.narayanan@tifr.res.in, vinodmp@tifr.res.in bstract. Secure message
More informationComplete Fairness in Secure Two-Party Computation
Complete Fairness in Secure Two-Party Computation S. Dov Gordon Dept. of Computer Science University of Maryland gordon@cs.umd.edu Carmit Hazay Dept. of Computer Science Bar-Ilan University harelc@cs.biu.ac.il
More informationMulti-Party Computation with Conversion of Secret Sharing
Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution
More informationEfficient General-Adversary Multi-Party Computation
Efficient General-Adversary Multi-Party Computation Martin Hirt, Daniel Tschudi ETH Zurich {hirt,tschudid}@inf.ethz.ch Abstract. Secure multi-party computation (MPC) allows a set P of n players to evaluate
More informationOn the Message Complexity of Secure Multiparty Computation
On the Message Complexity of Secure Multiparty Computation Yuval Ishai 1, Manika Mittal 2, and Rafail Ostrovsky 3 1 Technion, yuvali@cs.technion.ac.il 2 UCLA and Yahoo!, manikamittal22@gmail.com 3 UCLA,
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationPrivacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors
Privacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors Yingpeng Sang, Hong Shen School of Computer Science The University of Adelaide Adelaide, South Australia, 5005, Australia
More informationCryptographic Asynchronous Multi-Party Computation with Optimal Resilience
Cryptographic Asynchronous Multi-Party Computation with Optimal Resilience Martin Hirt 1, Jesper Buus Nielsen 2, and Bartosz Przydatek 1 1 Department of Computer Science, ETH Zurich 8092 Zurich, Switzerland
More information1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds
1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer
More informationSecure Computation. Unconditionally Secure Multi- Party Computation
Secure Computation Unconditionally Secure Multi- Party Computation Benny Pinkas page 1 Overview Completeness theorems for non-cryptographic faulttolerant distributed computation M. Ben-Or, S. Goldwasser,
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationAugmented Black-Box Simulation and Zero Knowledge Argument for NP
Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL
1 ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL GIOVANNI DI CRESCENZO Telcordia Technologies, Piscataway, NJ, USA. E-mail: giovanni@research.telcordia.com IVAN VISCONTI Dipartimento di Informatica
More informationSecure Multi-Party Computation. Lecture 17 GMW & BGW Protocols
Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party
More informationComplete Fairness in Multi-Party Computation Without an Honest Majority
Complete Fairness in Multi-Party Computation Without an Honest Maority S. Dov Gordon Jonathan Katz Abstract Gordon et al. recently showed that certain (non-trivial) functions can be computed with complete
More informationComplete Fairness in Multi-Party Computation Without an Honest Majority
Complete Fairness in Multi-Party Computation Without an Honest Maority Samuel Dov Gordon Abstract A well-known result of Cleve shows that complete fairness is impossible, in general, without an honest
More informationYuval Ishai Technion
Winter School on, Israel 30/1/2011-1/2/2011 Yuval Ishai Technion 1 Several potential advantages Unconditional security Guaranteed output and fairness Universally composable security This talk: efficiency
More informationA Note on the Cramer-Damgård Identification Scheme
A Note on the Cramer-Damgård Identification Scheme Yunlei Zhao 1, Shirley H.C. Cheung 2,BinyuZang 1,andBinZhu 3 1 Software School, Fudan University, Shanghai 200433, P.R. China {990314, byzang}@fudan.edu.cn
More informationAuthenticated Broadcast with a Partially Compromised Public-Key Infrastructure
Authenticated Broadcast with a Partially Compromised Public-Key Infrastructure S. Dov Gordon Jonathan Katz Ranjit Kumaresan Arkady Yerukhimovich Abstract Given a public-key infrastructure (PKI) and digital
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationOn Expected Constant-Round Protocols for Byzantine Agreement
On Expected Constant-Round Protocols for Byzantine Agreement Jonathan Katz Chiu-Yuen Koo Abstract In a seminal paper, Feldman and Micali (STOC 88) show an n-party Byzantine agreement protocol tolerating
More informationOn Expected Constant-Round Protocols for Byzantine Agreement
On Expected Constant-Round Protocols for Byzantine Agreement Jonathan Katz Chiu-Yuen Koo Abstract In a seminal paper, Feldman and Micali show an n-party Byzantine agreement protocol in the plain model
More informationAn Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle
An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il September 6, 2015
More informationA Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness
A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness Gilad Asharov Yehuda Lindell Tal Rabin February 25, 2013 Abstract It is well known that it is impossible
More informationMultiparty Computation, an Introduction
Multiparty Computation, an Introduction Ronald Cramer and Ivan Damgård Lecture Notes, 2004 1 introduction These lecture notes introduce the notion of secure multiparty computation. We introduce some concepts
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationOne-Round Secure Computation and Secure Autonomous Mobile Agents
One-Round Secure Computation and Secure Autonomous Mobile Agents (Extended Abstract) Christian Cachin 1, Jan Camenisch 1, Joe Kilian 2, and Joy Müller 1 Abstract. This paper investigates one-round secure
More informationSingle Database Private Information Retrieval with Logarithmic Communication
Single Database Private Information Retrieval with Logarithmic Communication Yan-Cheng Chang Harvard University ycchang@eecs.harvard.edu February 10, 2004 Abstract In this paper, we study the problem of
More informationImpossibility and Feasibility Results for Zero Knowledge with Public Keys
Impossibility and Feasibility Results for Zero Knowledge with Public Keys Joël Alwen 1, Giuseppe Persiano 2, and Ivan Visconti 2 1 Technical University of Vienna A-1010 Vienna, Austria. e9926980@stud3.tuwien.ac.at
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationImproved Non-Committing Encryption Schemes based on a General Complexity Assumption
Improved Non-Committing Encryption Schemes based on a General Complexity Assumption Ivan Damgård and Jesper Buus Nielsen BRICS Department of Computer Science University of Aarhus Ny Munkegade DK-8000 Arhus
More informationPrivate Computation Using a PEZ Dispenser
Private Computation Using a PEZ Dispenser József Balogh, János A. Csirik, Yuval Ishai, Eyal Kushilevitz November 6, 2001 Abstract We show how two or more deterministic players can privately compute a function
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More informationZero-Knowledge Against Quantum Attacks
Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of Calgary January 16, 2006 John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP
More informationRound-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary
Round-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University, 4-12-1 Nakanarusawa, Hitachi,
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationLecture 14: Secure Multiparty Computation
600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More informationRealistic Failures in Secure Multi-Party Computation
Realistic Failures in Secure Multi-Party Computation Vassilis Zikas 1, Sarah Hauser 2, and Ueli Maurer 1 Department of Computer Science, ETH Zurich, 8092 Zurich, Switzerland 1 {vzikas,maurer}@inf.ethz.ch,
More informationOn the Cryptographic Complexity of the Worst Functions
On the Cryptographic Complexity of the Worst Functions Amos Beimel 1, Yuval Ishai 2, Ranjit Kumaresan 2, and Eyal Kushilevitz 2 1 Dept. of Computer Science, Ben Gurion University of the Negev, Be er Sheva,
More informationA Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol
A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol Christian L F Corniaux and Hossein Ghodosi James Cook University, Townsville QLD 4811, Australia chriscorniaux@myjcueduau, hosseinghodosi@jcueduau
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationNon-interactive Designated Verifier Proofs and Undeniable Signatures
Non-interactive Designated Verifier Proofs and Undeniable Signatures Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, University of London, UK {c.j.kudla,kenny.paterson}@rhul.ac.uk
More informationMultiparty Computation (MPC) Arpita Patra
Multiparty Computation (MPC) Arpita Patra MPC offers more than Traditional Crypto! > MPC goes BEYOND traditional Crypto > Models the distributed computing applications that simultaneously demands usability
More informationFast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries
Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il February 8, 2015 Abstract In the setting
More informationLecture 19: Verifiable Mix-Net Voting. The Challenges of Verifiable Mix-Net Voting
6.879 Special Topics in Cryptography Instructors: Ran Canetti April 15, 2004 Lecture 19: Verifiable Mix-Net Voting Scribe: Susan Hohenberger In the last lecture, we described two types of mix-net voting
More informationSELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION
Journal of Applied Mathematics and Computational Mechanics 2016, 15(1), 39-47 www.amcm.pcz.pl p-issn 2299-9965 DOI: 10.17512/jamcm.2016.1.04 e-issn 2353-0588 SELECTED APPLICATION OF THE CHINESE REMAINDER
More informationGeneration of Shared RSA Keys by Two Parties
Generation of Shared RSA Keys by Two Parties Guillaume Poupard and Jacques Stern École Normale Supérieure, Laboratoire d informatique 45 rue d Ulm, F-75230 Paris Cedex 05, France email: {Guillaume.Poupard,Jacques.Stern}@ens.fr
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationMultiparty Computation from Threshold Homomorphic Encryption
Multiparty Computation from Threshold Homomorphic Encryption Ronald Cramer Ivan Damgård Jesper Buus Nielsen Aarhus University, Dept. of Computer Science, BRICS October 31, 2000 Abstract We introduce a
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationError-Tolerant Combiners for Oblivious Primitives
Error-Tolerant Combiners for Oblivious Primitives Bartosz Przydatek 1 and Jürg Wullschleger 2 1 Google Switzerland, (Zurich, Switzerland) przydatek@google.com 2 University of Bristol (Bristol, United Kingdom)
More informationAn Efficient Protocol for Fair Secure Two-Party Computation
Appears in Cryptographers Track-RSA Conference (CT-RSA 2008), Lecture Notes in Computer Science 4964 (2008) 88 105. Springer-Verlag. An Efficient Protocol for Fair Secure Two-Party Computation Mehmet S.
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More informationFrom Non-Adaptive to Adaptive Pseudorandom Functions
From Non-Adaptive to Adaptive Pseudorandom Functions Itay Berman Iftach Haitner January, 202 Abstract Unlike the standard notion of pseudorandom functions (PRF), a non-adaptive PRF is only required to
More informationINFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING
INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING Changlu Lin State Key Lab. of Information Security, Graduate University of Chinese Academy of Sciences, China Key Lab. of Network Security
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationConcurrent Non-malleable Commitments from any One-way Function
Concurrent Non-malleable Commitments from any One-way Function Margarita Vald Tel-Aviv University 1 / 67 Outline Non-Malleable Commitments Problem Presentation Overview DDN - First NMC Protocol Concurrent
More informationA Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM
A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM Paulo S. L. M. Barreto Bernardo David Rafael Dowsley Kirill Morozov Anderson C. A. Nascimento Abstract Oblivious Transfer
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationAn Efficient and Secure Protocol for Privacy Preserving Set Intersection
An Efficient and Secure Protocol for Privacy Preserving Set Intersection Yingpeng Sang 1, Hong Shen 2, Laurence T. Yang 3, Naixue Xiong 1, Yasuo Tan 1 1 School of Information Science, Japan Advanced Institute
More informationSecure Modulo Zero-Sum Randomness as Cryptographic Resource
Secure Modulo Zero-Sum Randomness as Cryptographic Resource Masahito Hayashi 12 and Takeshi Koshiba 3 1 Graduate School of Mathematics, Nagoya University masahito@math.nagoya-u.ac.jp 2 Centre for Quantum
More informationCMSC 858K Introduction to Secure Computation October 18, Lecture 19
CMSC 858K Introduction to Secure Computation October 18, 2013 Lecturer: Jonathan Katz Lecture 19 Scribe(s): Alex J. Malozemoff 1 Zero Knowledge Variants and Results Recall that a proof-of-knowledge (PoK)
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationSealed-bid Auctions with Efficient Bids
Sealed-bid Auctions with Efficient Bids Toru Nakanishi, Daisuke Yamamoto, and Yuji Sugiyama Department of Communication Network Engineering, Faculty of Engineering, Okayama University 3-1-1 Tsushima-naka,
More informationConstant-Round MPC with Fairness and Guarantee of Output Delivery
Constant-Round MPC with Fairness and Guarantee of Output Delivery S. Dov Gordon Feng-Hao Liu Elaine Shi April 22, 2015 Abstract We study the round complexity of multiparty computation with fairness and
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationBroadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions
Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, College Park in
More informationSecure Multiparty Computation from Graph Colouring
Secure Multiparty Computation from Graph Colouring Ron Steinfeld Monash University July 2012 Ron Steinfeld Secure Multiparty Computation from Graph Colouring July 2012 1/34 Acknowledgements Based on joint
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationCSA E0 312: Secure Computation September 09, [Lecture 9-10]
CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationEfficient Asynchronous Multiparty Computation with Optimal Resilience
Efficient Asynchronous Multiparty Computation with Optimal Resilience Arpita Patra Ashish Choudhary C. Pandu Rangan Department of Computer Science and Engineering Indian Institute of Technology Madras
More informationSharing DSS by the Chinese Remainder Theorem
Sharing DSS by the Chinese Remainder Theorem Kamer Kaya,a, Ali Aydın Selçuk b a Ohio State University, Columbus, 43210, OH, USA b Bilkent University, Ankara, 06800, Turkey Abstract In this paper, we propose
More informationGame-Theoretic Security for Two-Party Protocols
Game-Theoretic Security for Two-Party Protocols Haruna Higo Keisuke Tanaka Akihiro Yamada Kenji Yasunaga November 1, 017 Abstract Asharov, Canetti, and Hazay (Eurocrypt 011) studied how game-theoretic
More informationProtocols for Multiparty Coin Toss with a Dishonest Majority
Protocols for Multiparty Coin Toss with a Dishonest Maority Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer Science and Mathematics
More informationA New Paradigm of Hybrid Encryption Scheme
A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationCovert Multi-party Computation
Covert Multi-party Computation Nishanth Chandran Vipul Goyal Rafail Ostrovsky Amit Sahai University of California, Los Angeles {nishanth,vipul,rafail,sahai}@cs.ucla.edu Abstract In STOC 05, Ahn, Hopper
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More information: Cryptography and Game Theory Ran Canetti and Alon Rosen. Lecture 8
0368.4170: Cryptography and Game Theory Ran Canetti and Alon Rosen Lecture 8 December 9, 2009 Scribe: Naama Ben-Aroya Last Week 2 player zero-sum games (min-max) Mixed NE (existence, complexity) ɛ-ne Correlated
More information