A New Approach to Practical Active-Secure Two-Party Computation
|
|
- Clifton Tate
- 5 years ago
- Views:
Transcription
1 A New Approach to Practical Active-Secure Two-Party Computation Jesper Buus Nielsen 1, Peter Sebastian Nordholt 1, Claudio Orlandi 1, Sai Sheshank Burra 2 1 Aarhus University, Denmark 2 Indian Institute of Technology Guwahati August 21, / 19
2 Active-Secure Two-Party Computation (2PC) x y C z 2 / 19
3 Active-Secure Two-Party Computation (2PC) x y z z 2 / 19
4 Active-Secure Two-Party Computation (2PC) x y z z Correctness: C(x, y) = z 2 / 19
5 Active-Secure Two-Party Computation (2PC) x y z z Correctness: C(x, y) = z Privacy: Inputs are kept private. 2 / 19
6 Active-Secure Two-Party Computation (2PC) x y z z Correctness: C(x, y) = z Privacy: Inputs are kept private. 2 / 19
7 Active-Secure Two-Party Computation (2PC) x y z z Correctness: C(x, y) = z Privacy: Inputs are kept private. Practical: Runs in reasonable time for reasonable size circuits. 2 / 19
8 Motivation for this Work Solving real-world problems. E.g. computing outcome of auctions [BCD+09]. 3 / 19
9 Motivation for this Work Solving real-world problems. E.g. computing outcome of auctions [BCD+09]. Lack of diversity in practical 2PC. In fact all previous practical approaches uses Yao's Garbled Circuits technique. 3 / 19
10 Our approach Building blocks Passive-secure 2PC: The protocol of [GMW87] heavily utilizing Oblivious Transfer (OT). 4 / 19
11 Our approach Building blocks Passive-secure 2PC: The protocol of [GMW87] heavily utilizing Oblivious Transfer (OT). Information theoretic MACs: To ensure active security. 4 / 19
12 Our approach Building blocks Passive-secure 2PC: The protocol of [GMW87] heavily utilizing Oblivious Transfer (OT). Information theoretic MACs: To ensure active security. OT-extension: A huge amount of OT at low amortized cost from the passive-secure protocol of [IKNP03]. 4 / 19
13 Our Results New OT-extension technique with active security: 5 / 19
14 Our Results New OT-extension technique with active security: Only a factor 2 slower than the passive-secure protocol of [IKNP03]. (No asymptotic improvement). 5 / 19
15 Our Results New OT-extension technique with active security: Only a factor 2 slower than the passive-secure protocol of [IKNP03]. (No asymptotic improvement). Implements OT/sec pr. core (vs OT/sec without extension). 5 / 19
16 Our Results New OT-extension technique with active security: Only a factor 2 slower than the passive-secure protocol of [IKNP03]. (No asymptotic improvement). Implements OT/sec pr. core (vs OT/sec without extension). New practical 2PC protocol: 5 / 19
17 Our Results New OT-extension technique with active security: Only a factor 2 slower than the passive-secure protocol of [IKNP03]. (No asymptotic improvement). Implements OT/sec pr. core (vs OT/sec without extension). New practical 2PC protocol: UC secure against an active and static adversary in the Random Oracle model. 5 / 19
18 Our Results New OT-extension technique with active security: Only a factor 2 slower than the passive-secure protocol of [IKNP03]. (No asymptotic improvement). Implements OT/sec pr. core (vs OT/sec without extension). New practical 2PC protocol: UC secure against an active and static adversary in the Random Oracle model. Implements gates/sec (online gates/sec). 5 / 19
19 Our Results New OT-extension technique with active security: Only a factor 2 slower than the passive-secure protocol of [IKNP03]. (No asymptotic improvement). Implements OT/sec pr. core (vs OT/sec without extension). New practical 2PC protocol: UC secure against an active and static adversary in the Random Oracle model. Implements gates/sec (online gates/sec). Faster than all implementations based on Garbled Circuits... except for [KsS12]. 5 / 19
20 Overview Protocol Overview MACs Concluding 6 / 19
21 Passive-Secure 2PC [GMW87] x y z 7 / 19
22 Passive-Secure 2PC [GMW87] x A, y A x = x A x B y = y A y B x B, y B z 7 / 19
23 Passive-Secure 2PC [GMW87] x A, y A x = x A x B y = y A y B x B, y B w z 7 / 19
24 Passive-Secure 2PC [GMW87] x A, y A x = x A x B y = y A y B x B, y B w A w = w A w B w B z 7 / 19
25 Passive-Secure 2PC [GMW87] x A, y A x = x A x B y = y A y B x B, y B w A w = w A w B w B z A z = z A z B z B 7 / 19
26 Passive-Secure 2PC [GMW87] x A, y A x = x A x B y = y A y B x B, y B w A w = w A w B w B z A z = z A z B z B z B 7 / 19
27 Active-Secure 2PC x A, y A x y x B, y B w A w w B z A z z B z B 8 / 19
28 Active-Secure 2PC x A, y A x y x B, y B M xa, M ya M xb, M yb w A, M wa w w B, M wb z A, M za z z B, M zb z B, M zb Add message authentication codes (MACs) 8 / 19
29 The Preprocessing model Preprocessing: 9 / 19
30 The Preprocessing model Preprocessing: Prepare random authenticated messages: 9 / 19
31 The Preprocessing model Preprocessing: Prepare random authenticated messages: 1 per Input-gate. 9 / 19
32 The Preprocessing model Preprocessing: Prepare random authenticated messages: 1 per Input-gate. 16B per AND-gate, for security 2 B log( C ). 9 / 19
33 The Preprocessing model Preprocessing: Prepare random authenticated messages: 1 per Input-gate. 16B per AND-gate, for security 2 B log( C ). Prove correlations between authenticated messages (think multiplication-triples). 9 / 19
34 The Preprocessing model Preprocessing: Prepare random authenticated messages: 1 per Input-gate. 16B per AND-gate, for security 2 B log( C ). Prove correlations between authenticated messages (think multiplication-triples). Online: 9 / 19
35 The Preprocessing model Preprocessing: Prepare random authenticated messages: 1 per Input-gate. 16B per AND-gate, for security 2 B log( C ). Prove correlations between authenticated messages (think multiplication-triples). Online: Use preprocessed values and simple (non-crypto) protocols to evaluate circuit on actual input. 9 / 19
36 The Preprocessing model Preprocessing: Prepare random authenticated messages: 1 per Input-gate. 16B per AND-gate, for security 2 B log( C ). Prove correlations between authenticated messages (think multiplication-triples). Online: Use preprocessed values and simple (non-crypto) protocols to evaluate circuit on actual input. 9 / 19
37 Overview Protocol Overview MACs Concluding 10 / 19
38 Information Theoretic MACs Message x R {0, 1} MAC M = K x Global key R {0, 1} n Local key K R {0, 1} n 11 / 19
39 Information Theoretic MACs Message x R {0, 1} MAC M = K x Global key R {0, 1} n Local key K R {0, 1} n Unforgeability: 11 / 19
40 Information Theoretic MACs Message x R {0, 1} MAC M = K x Global key R {0, 1} n Local key K R {0, 1} n Unforgeability: M = K x does not give information on. 11 / 19
41 Information Theoretic MACs Message x R {0, 1} MAC M = K x Global key R {0, 1} n Local key K R {0, 1} n Unforgeability: M = K x does not give information on. Let M 0 = K 0 = K and M 1 = K 1 = K. 11 / 19
42 Information Theoretic MACs Message x R {0, 1} MAC M = K x Global key R {0, 1} n Local key K R {0, 1} n Unforgeability: M = K x does not give information on. Let M 0 = K 0 = K and M 1 = K 1 = K. M 0 M 1 =. 11 / 19
43 Obtaining MACs: The Functionality x K, M = K x abit 12 / 19
44 Obtaining MACs: Protocol Steps Step 1: Obtain a few, long MACs on Alice's random bits. Step 2: Turn into many, short MACs on Bob's random bits. 13 / 19
45 Step 1: Long MACs for Alice To authenticate bits x 1, x 2,..., x n : c {0, 1} S 0, S 1 {0, 1} T S c OT 14 / 19
46 Step 1: Long MACs for Alice To authenticate bits x 1, x 2,..., x n : x i K i, K i K i x i = M i OT n 14 / 19
47 Step 1: Long MACs for Alice To authenticate bits x 1, x 2,..., x n : x i K i, K i K i x i = M i OT 2n Problem: Bob must use same in every OT. 14 / 19
48 Step 1: Long MACs for Alice To authenticate bits x 1, x 2,..., x n : x i K i, K i K i x i = M i OT 2n Problem: Bob must use same in every OT. Solution: Do 2n OTs. 14 / 19
49 Step 1: Long MACs for Alice To authenticate bits x 1, x 2,..., x n : x i K i, K i K i x i = M i OT 2n Problem: Bob must use same in every OT. Solution: Do 2n OTs. Force Bob to use consistent, using a cut-n-chose-like technique. 14 / 19
50 Step 1: Long MACs for Alice To authenticate bits x 1, x 2,..., x n : x i K i, K i K i x i = M i OT 2n Problem: Bob must use same in every OT. Solution: Do 2n OTs. Force Bob to use consistent, using a cut-n-chose-like technique. Sacrice half of the authenticated messages. 14 / 19
51 Step 2: Short MACs For Bob M 1 M 2... M n = K 1 K 2... K n x 1 x 2... x n 15 / 19
52 Step 2: Short MACs For Bob K 1 K 2... K n = M 1 M 2... M n x 1 x 2... x n 15 / 19
53 Step 2: Short MACs For Bob (K 1,1,..., K 1,n) (K 2,1,..., K 2,n) (M 1,1,..., M 1,n) (M 2,1,..., M 2,n) (x 1,..., x n ) 1 (x 1,..., x n ) 2. =.. (K T,1,..., K T,n ) (M T,1,..., M T,n ) (x 1,..., x n ) T 16 / 19
54 Step 2: Short MACs For Bob N 1 L 1 (x 1,..., x n ) 1 N 2 L 2 (x 1,..., x n ) 2. =.. N T L T (x 1,..., x n ) T 16 / 19
55 Step 2: Short MACs For Bob N 1 L 1 Γ 1 N 2 L 2 Γ 2. =.. N T L T Γ T 16 / 19
56 Step 2: Short MACs For Bob N 1 L 1 Γy 1 N 2 L 2 Γy 2. =.. N T L T Γy T N i = L i y i Γ, i.e. N i is a MAC on y i w. keys L i, Γ. 16 / 19
57 Obtaining MACs: Summary OT OT OT A few (2n) OTs with long messages (T = poly(n) bits). 17 / 19
58 Obtaining MACs: Summary OT OT OT abit A few (2n) OTs with long messages (T = poly(n) bits). A few (n) long (T bits) MACs for Alice. 17 / 19
59 Obtaining MACs: Summary OT OT OT abit abit abit abit abit abit abit A few (2n) OTs with long messages (T = poly(n) bits). A few (n) long (T bits) MACs for Alice. Many (T ) short (n bits) MACs for Bob. 17 / 19
60 Obtaining MACs: Summary OT OT OT OT OT OT abit abit abit abit abit abit abit A few (2n) OTs with long messages (T = poly(n) bits). A few (n) long (T bits) MACs for Alice. Many (T ) short (n bits) MACs for Bob. Note 1: Can get long OTs from short OT using a PRG. 17 / 19
61 Obtaining MACs: Summary OT OT OT OT OT OT abit abit abit OT abit OT abit OT abit OT abit OT OT A few (2n) OTs with long messages (T = poly(n) bits). A few (n) long (T bits) MACs for Alice. Many (T ) short (n bits) MACs for Bob. Note 1: Can get long OTs from short OT using a PRG. Note 2: Can get short OT from short abit (i.e. OT-extension). 17 / 19
62 Overview Protocol Overview MACs Concluding 18 / 19
63 Concluding... Take away: Finally a non-garbled Circuits approach do practical 2PC! 19 / 19
64 Concluding... Take away: Finally a non-garbled Circuits approach do practical 2PC! It's based on GMW and OT-extension. 19 / 19
65 Concluding... Take away: Finally a non-garbled Circuits approach do practical 2PC! It's based on GMW and OT-extension. It's really fast! 19 / 19
66 Concluding... Take away: Finally a non-garbled Circuits approach do practical 2PC! It's based on GMW and OT-extension. It's really fast!... So if you're implementing a 2PC protocol, why not give this a try? 19 / 19
67 Concluding... Take away: Finally a non-garbled Circuits approach do practical 2PC! It's based on GMW and OT-extension. It's really fast!... So if you're implementing a 2PC protocol, why not give this a try? Thank you. 19 / 19
A New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank
A New Approach to Practical Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank Secure Two-Party Computation Alice has an input a {0,1} * Bob has an input
More informationSPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a
SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a Ronald Cramer 1 Ivan Damgård 2 Daniel Escudero 2 Peter Scholl 2 Chaoping Xing 3 August 21, 2018 1 CWI, Amsterdam 2 Aarhus University, Denmark 3
More informationMASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer
MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer Tore Frederiksen Emmanuela Orsini Marcel Keller Peter Scholl Aarhus University University of Bristol 31 May 2016 Secure Multiparty
More informationA New Approach to Practical Active-Secure Two-Party Computation
A New Approach to Practical Active-Secure Two-Party Computation Jesper Buus Nielsen 1,,, Peter Sebastian Nordholt 1,, Claudio Orlandi 2,, Sai Sheshank Burra 3 1 Aarhus University 2 Bar-Ilan University
More informationHigh Performance Multi-Party Computation for Binary Circuits Based on Oblivious Transfer
High Performance Multi-Party Computation for Binary Circuits Based on Oblivious Transfer Sai Sheshank Burra 3, Enrique Larraia 5, Jesper Buus Nielsen 1, Peter Sebastian Nordholt 2, Claudio Orlandi 1, Emmanuela
More informationZKBoo: Faster Zero-Knowledge for Boolean Circuits
Aarhus University ZKBoo: Faster Zero-Knowledge for Boolean Circuits Irene Giacomelli, Jesper Madsen and Claudio Orlandi Usenix Security Symposium 2016 1 / 15 Zero-Knowledge (ZK) Arguments Alice Bob. Private
More informationCut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings
Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings Yehuda Lindell Bar-Ilan University, Israel Technion Cryptoday 2014 Yehuda Lindell Online/Offline and Batch Yao 30/12/2014
More informationSecure Multi-Party Computation. Lecture 17 GMW & BGW Protocols
Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party
More informationNew Approaches to Practical Secure Two-Party Computation
New Approaches to Practical Secure Two-Party Computation Peter Sebastian Nordholt, 20022601 PhD Dissertation, Computer Science May 2013 Advisor: Jesper Buus Nielsen AARHUS AU UNIVERSITY DEPARTMENT OF COMPUTER
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationActively secure two-party evaluation of any quantum operation
Actively secure two-party evaluation of any quantum operation Frédéric Dupuis ETH Zürich Joint work with Louis Salvail (Université de Montréal) Jesper Buus Nielsen (Aarhus Universitet) August 23, 2012
More informationFaster Maliciously Secure Two-Party Computation Using the GPU Full version
Faster Maliciously Secure Two-Party Computation Using the GPU Full version Tore Kasper Frederiksen, Thomas P. Jakobsen, and Jesper Buus Nielsen July 15, 2014 Department of Computer Science, Aarhus University
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More informationExtending Oblivious Transfer Efficiently
Extending Oblivious Transfer Efficiently or - How to get active security with constant cryptographic overhead Enrique Larraia Dept. Computer Science, University of Bristol, United Kingdom cseldv@bristol.ac.uk
More informationSecurity of Symmetric Primitives under Incorrect Usage of Keys
Security of Symmetric Primitives under Incorrect Usage of Keys Pooya Farshim 1 Claudio Orlandi 2 Răzvan Roşie 1 1 ENS, CNRS, INRIA & PSL Research University, Paris, France 2 Aarhus University, Aarhus,
More informationAuthenticated Garbling and Efficient Maliciously Secure Two-Party Computation
Authenticated Garbling and Efficient Maliciously Secure Two-Party Computation Xiao Wang University of Maryland wangxiao@cs.umd.edu Samuel Ranellucci University of Maryland George Mason University samuel@umd.edu
More informationMultiparty Computation (MPC) Arpita Patra
Multiparty Computation (MPC) Arpita Patra MPC offers more than Traditional Crypto! > MPC goes BEYOND traditional Crypto > Models the distributed computing applications that simultaneously demands usability
More informationOptimizing Authenticated Garbling for Faster Secure Two-Party Computation
Optimizing Authenticated Garbling for Faster Secure Two-Party Computation Jonathan Katz University of Maryland jkatz@cs.umd.edu Samuel Ranellucci University of Maryland George Mason University samuel@umd.edu
More informationBenny Pinkas Bar Ilan University
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption
More informationExtending Oblivious Transfers Efficiently
Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion Motivation x y f(x,y) How (in)efficient is generic secure computation? myth don
More informationDishonest Majority Multi-Party Computation for Binary Circuits
Dishonest Majority Multi-Party Computation for Binary Circuits Enrique Larraia, Emmanuela Orsini, and Nigel P. Smart Dept. Computer Science, University of Bristol, United Kingdom Enrique.LarraiadeVega@bristol.ac.uk,Emmanuela.Orsini@bristol.ac.uk,
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationSecure Arithmetic Computation with Constant Computational Overhead
Secure Arithmetic Computation with Constant Computational Overhead Benny Applebaum 1, Ivan Damgård 2, Yuval Ishai 3, Michael Nielsen 2, and Lior Zichron 1 1 Tel Aviv University, {bennyap@post,liorzichron@mail}.tau.ac.il
More informationPerfect Secure Computation in Two Rounds
Perfect Secure Computation in Two Rounds Benny Applebaum Tel Aviv University Joint work with Zvika Brakerski and Rotem Tsabary Theory and Practice of Multiparty Computation Workshop, Aarhus, 2018 The MPC
More informationCommunication Complexity and Secure Function Evaluation
Communication Complexity and Secure Function Evaluation arxiv:cs/0109011v1 [cs.cr] 9 Sep 2001 Moni Naor Kobbi Nissim Department of Computer Science and Applied Mathematics Weizmann Institute of Science,
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationLecture 38: Secure Multi-party Computation MPC
Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationMalicious Security. 6.1 Cut-and-Choose. Figure 6.1: Summary of malicious MPC protocols discussed in this chapter.
6 Malicious Security So far, we have focused on semi-honest protocols which provide privacy and security only against passive adversaries who follow the protocol as specified. The semi-honest threat model
More informationLecture 14: Secure Multiparty Computation
600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationConstructing secure MACs Message authentication in action. Table of contents
Constructing secure MACs Message authentication in action Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time Recall the definition of message
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More informationAdditive Conditional Disclosure of Secrets
Additive Conditional Disclosure of Secrets Sven Laur swen@math.ut.ee Helsinki University of Technology Motivation Consider standard two-party computation protocol. x f 1 (x, y) m 1 m2 m r 1 mr f 2 (x,
More informationYuval Ishai Technion
Winter School on, Israel 30/1/2011-1/2/2011 Yuval Ishai Technion 1 Several potential advantages Unconditional security Guaranteed output and fairness Universally composable security This talk: efficiency
More informationDistributed Oblivious RAM for Secure Two-Party Computation
Seminar in Distributed Computing Distributed Oblivious RAM for Secure Two-Party Computation Steve Lu & Rafail Ostrovsky Philipp Gamper Philipp Gamper 2017-04-25 1 Yao s millionaires problem Two millionaires
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationFundamental MPC Protocols
3 Fundamental MPC Protocols In this chapter we survey several important MPC approaches, covering the main protocols and presenting the intuition behind each approach. All of the approaches discussed can
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationOblivious Transfer (OT) and OT Extension
Oblivious Transfer (OT) and OT Extension School on Secure Multiparty Computation Arpita Patra Arpita Patra Roadmap o Oblivious Transfer - Construction from `special PKE o OT Extension - IKNP OT extension
More informationA Practical Universal Circuit Construction and Secure Evaluation of Private Functions
A Practical Universal Circuit Construction and, Bell Labs, Murray Hill, NJ, USA http://www.cs.toronto.edu/~vlad/, University of Erlangen-Nuremberg, Germany http://thomaschneider.de Financial Cryptography
More informationABSTRACT EFFICIENT SECURE COMPUTATION FOR REAL-WORLD SETTINGS AND SECURITY MODELS. Alex J. Malozemoff, Doctor of Philosophy, 2016
ABSTRACT Title of thesis: EFFICIENT SECURE COMPUTATION FOR REAL-WORLD SETTINGS AND SECURITY MODELS Alex J. Malozemoff, Doctor of Philosophy, 2016 Thesis directed by: Professor Jonathan Katz Department
More informationFaster Malicious 2-party Secure Computation with Online/Offline Dual Execution
Faster Malicious 2-party Secure Computation with Online/Offline Dual Execution Peter Rindal Mike Rosulek June 17, 2016 Abstract We describe a highly optimized protocol for general-purpose secure two-party
More informationOn the Cryptographic Complexity of the Worst Functions
On the Cryptographic Complexity of the Worst Functions Amos Beimel 1, Yuval Ishai 2, Ranjit Kumaresan 2, and Eyal Kushilevitz 2 1 Dept. of Computer Science, Ben Gurion University of the Negev, Be er Sheva,
More informationDan Boneh. Introduction. Course Overview
Online Cryptography Course Introduction Course Overview Welcome Course objectives: Learn how crypto primitives work Learn how to use them correctly and reason about security My recommendations: Take notes
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationActively Secure OT-Extension from q-ary Linear Codes
Actively Secure OT-Extension from q-ary Linear Codes Ignacio Cascudo, René Bødker Christensen, and Jaron Skovsted Gundersen Department of Mathematical Sciences, Aalborg University {ignacio,rene,jaron}@math.aau.dk
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationFast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries
Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il February 8, 2015 Abstract In the setting
More informationA Zero-One Law for Secure Multi-Party Computation with Ternary Outputs
A Zero-One Law for Secure Multi-Party Computation with Ternary Outputs KTH Royal Institute of Technology gkreitz@kth.se TCC, Mar 29 2011 Model Limits of secure computation Our main result Theorem (This
More informationGarbled Circuits for Leakage-Resilience: Hardware Implementation and Evaluation of One-Time Programs
Ruhr-University Bochum Bochum Chair for System Security Garbled Circuits for Leakage-Resilience: Hardware Implementation and Evaluation of One-Time Programs Kimmo Järvinen Aalto University, Finland Vladimir
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationMachine Learning Classification over Encrypted Data. Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser
Machine Learning Classification over Encrypted Data Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser Classification (Machine Learning) Supervised learning (training) Classification data set
More informationBlazing Fast 2PC in the Offline/Online Setting with Security for Malicious Adversaries
Blazing Fast 2PC in the Offline/Online Setting with Security for Malicious Adversaries Yehuda Lindell Ben Riva June 21, 2016 Abstract Recently, several new techniques were presented to dramatically improve
More informationAn Introduction to Quantum Information and Applications
An Introduction to Quantum Information and Applications Iordanis Kerenidis CNRS LIAFA-Univ Paris-Diderot Quantum information and computation Quantum information and computation How is information encoded
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationSecure Multiparty Computation from Graph Colouring
Secure Multiparty Computation from Graph Colouring Ron Steinfeld Monash University July 2012 Ron Steinfeld Secure Multiparty Computation from Graph Colouring July 2012 1/34 Acknowledgements Based on joint
More informationAmortizing Garbled Circuits
Amortizing Garbled Circuits Yan Huang Jonathan Katz Vladimir Kolesnikov Ranjit Kumaresan Alex J. Malozemoff Abstract Motivated by a recent line of work improving the performance of secure two-party computation,
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationOn the Complexity of Additively Homomorphic UC Commitments
On the Complexity of Additively Homomorphic UC Commitments Tore Kasper Frederiksen, Thomas P. Jakobsen, Jesper Buus Nielsen, and Roberto Trifiletti ( ) Department of Computer Science, Aarhus University
More informationOblivious Evaluation of Multivariate Polynomials. and Applications
The Open University of Israel Department of Mathematics and Computer Science Oblivious Evaluation of Multivariate Polynomials and Applications Thesis submitted as partial fulfillment of the requirements
More informationAre you the one to share? Secret Transfer with Access Structure
Are you the one to share? Secret Transfer with Access Structure Yongjun Zhao, Sherman S.M. Chow Department of Information Engineering The Chinese University of Hong Kong, Hong Kong Private Set Intersection
More informationNon-Interactive Secure Multiparty Computation
Non-Interactive Secure Multiparty Computation Amos Beimel 1, Ariel Gabizon 2, Yuval Ishai 2, Eyal Kushilevitz 2, Sigurd Meldgaard 3, and Anat Paskin-Cherniavsky 4 1 Dept. of Computer Science, Ben Gurion
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationOblivious Transfer and Secure Multiparty Computation
Oblivious Transfer and Secure Multiparty Computation Brett Hemenway September 11th 2013 Introduction Oblivious Transfer Circuit Garbling Secure Computation from Secret Sharing Applications of MPC The Satellite
More informationUniversal Blind Quantum Computing
Universal Blind Quantum Computing Elham Kashefi Laboratoire d Informatique de Grenoble Joint work with Anne Broadbent Montreal Joe Fitzsimons Oxford Classical Blind Computing Fundamentally asymmetric unlike
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationMore Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries
More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries Gilad Asharov 1, Yehuda Lindell 2, Thomas Schneider 3, and Michael Zohner 3 1 The Hebrew University of Jerusalem, Israel
More information6.897: Selected Topics in Cryptography Lectures 11 and 12. Lecturer: Ran Canetti
6.897: Selected Topics in Cryptography Lectures 11 and 12 Lecturer: Ran Canetti Highlights of last week s lectures Formulated the ideal commitment functionality for a single instance, F com. Showed that
More informationPublic-Seed Pseudorandom Permutations
Public-Seed Pseudorandom Permutations Stefano Tessaro UCSB Joint work with Pratik Soni (UCSB) DIMACS Workshop New York June 8, 2017 We look at existing class of cryptographic primitives and introduce/study
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationComplexity of Multi-Party Computation Functionalities
Complexity of Multi-Party Computation Functionalities Hemanta K. Maji Manoj Prabhakaran Mike Rosulek October 16, 2012 Abstract The central objects of secure multiparty computation are the multiparty functions
More informationRevisiting LEGOs: Optimizations, Analysis, and their Limit
Revisiting LEGOs: Optimizations, Analysis, and their Limit Yan Huang and Ruiyu Zhu ndiana University, Bloomington {yh33,zhu5}@indiana.edu Abstract. The Cut-and-choose paradigm gives by far the most popular
More informationEfficient Constant Round Multi-Party Computation Combining BMR and SPDZ
Efficient Constant Round Multi-Party Computation Combining BMR and SPDZ Yehuda Lindell Benny Pinkas Nigel P. Smart vishay Yanai bstract Recently, there has been huge progress in the field of concretely
More informationEfficient Conversion of Secret-shared Values Between Different Fields
Efficient Conversion of Secret-shared Values Between Different Fields Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We show how to effectively convert a
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationRobust Non-Interactive Multiparty Computation Against Constant-Size Collusion
Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion Fabrice Benhamouda, Hugo Krawczyk, and Tal Rabin IBM Research, Yorktown Heights, US Abstract. Non-Interactive Multiparty Computations
More informationTutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction
Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 10 Lecture date: 14 and 16 of March, 2005 Scribe: Ruzan Shahinian, Tim Hu 1 Oblivious Transfer 1.1 Rabin Oblivious Transfer
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationMulti-Party Computation with Conversion of Secret Sharing
Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution
More informationAn Efficient Protocol for Fair Secure Two-Party Computation
Appears in Cryptographers Track-RSA Conference (CT-RSA 2008), Lecture Notes in Computer Science 4964 (2008) 88 105. Springer-Verlag. An Efficient Protocol for Fair Secure Two-Party Computation Mehmet S.
More informationEfficient General-Adversary Multi-Party Computation
Efficient General-Adversary Multi-Party Computation Martin Hirt, Daniel Tschudi ETH Zurich {hirt,tschudid}@inf.ethz.ch Abstract. Secure multi-party computation (MPC) allows a set P of n players to evaluate
More information