On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)
|
|
- Dennis Reed
- 5 years ago
- Views:
Transcription
1 On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)
2 Secure Multiparty Computation (MPC)
3 Ideal World/ Functionality
4 Simulation-Based Security
5 Simulation-Based Security
6 Simulation-Based Security
7 Simulation-Based Security
8 Simulation-Based Security
9 Corrupting All Parties
10 Corrupting All Parties
11 Corrupting All Parties
12 Corrupting All Parties
13 Modeling Adaptive Security Modular Composition [Canetti 00] Sequential composition Universal Composition [Canetti 01] Concurrent composition Synchronous protocols (Mostly) non-interactive environment Inputs are given statically before the computation Asynchronous protocols Interactive environment Inputs are given dynamically during the computation
14 Feasibility Result [CLOS 02] 1. Semi-honest protocol in the plain model Round complexity is O d d= depth of the circuit 2. Semi-honest to malicious compiler in CRS model Round complexity blows up by constant factor 3. Malicious protocol in CRS model Round complexity is O d CRS CRS compiler Semi-honest Malicious
15 Constant-Round Protocols Constant-round adaptive MPC [CGP 15] [DKR 15] [GP 15] In the CRS model, also for the semi-honest case CRS contains obfuscated program that gets the circuit as input The size of the CRS grows with the size of the circuit Constant-round in RAM model [CP 16] The size of the CRS grows with the size of the inputs CRS
16 Protocols with Short CRS Semi-honest setting No CRS (plain model) Malicious setting CRS independent of the circuit (depends only on security parameter) Can use [CLOS 02] compiler
17 Outline 1. Non-Interactive NCE in UC framework 2. Protocols with round complexity independent of circuit 3. Constant-round protocols for class of functions
18 Non-Interactive Non-Committing Encryption
19 Non-Interactive Non-Committing Encryption
20 Secure Message Transmission (SMT) m m m
21 Secure Message Transmission (SMT) m m Upon corruption reveal m m
22 Statically Secure Protocol pk Gen 1 κ c Enc pk, m Use public-key encryption (PKE) Simulation: Both parties are honest, encrypt 0 One party corrupted, S learns m and encrypts m PKE can be defined as a non-interactive (2-round) protocol statically realizes F SMT
23 Adaptive Corruptions Using PKE simulation fails when parties start honest [CFGN 96] defined Non-Committing Encryption (NCE) as n-party protocol that adaptively realizes F SMT [DN 00] defined strong NCE as 2-party protocol that adaptively realizes F SMT (in [Canetti 00]) Both definitions and constructions are interactive Can define non-interactive NCE as 2-round protocol [CLOS 02] provided a simpler definition
24 Non-Interactive NCE Definition: A PKE scheme Gen, Enc, Dec with algorithm Sim is non-interactive NCE if m 0,1 the distributions are comp. indistinguishable Honest view of encryption of m pk, c, r G, r E pk = Gen 1 κ ; r G, c = Enc pk, m; r E Simulated encryption explained for m pk, c, ρ G m, ρ E m pk, c, ρ G 0, ρ E 0, ρ G 1, ρ E 1 Sim 1 κ
25 Non-Interactive NCE (2) IDEAL REAL pk pk Gen r G pk c Enc m; r E c c m m pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ
26 Non-Interactive NCE (2) IDEAL REAL pk pk Gen r G pk c Enc m; r E c c m m pk, c, ρ m m G, ρ E pk, c, r G, r E pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ
27 Problem Simulation is valid if inputs are given before the computation begins (as in modular composition) In UC inputs are dynamically generated Need to simulate corruptions before inputs are given
28 Problem Simulation is valid if inputs are given before the computation begins (as in modular composition) In UC inputs are dynamically generated Need to simulate corruptions before inputs are given pk Gen r G pk
29 Problem Simulation is valid if inputs are given before the computation begins (as in modular composition) In UC inputs are dynamically generated Need to simulate corruptions before inputs are given pk pk Gen r G pk pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ
30 Problem Simulation is valid if inputs are given before the computation begins (as in modular composition) In UC inputs are dynamically generated Need to simulate corruptions before inputs are given pk pk Gen r G pk pk, r G pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ
31 Problem Simulation is valid if inputs are given before the computation begins (as in modular composition) In UC inputs are dynamically generated Need to simulate corruptions before inputs are given pk pk Gen r G pk pk, ρ G 0 pk, r G pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ
32 Problem Simulation is valid if inputs are given before the computation begins (as in modular composition) In UC inputs are dynamically generated Need to simulate corruptions before inputs are given pk pk Gen r G pk m = 1 m = 1 pk, ρ G 0 pk, r G pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ
33 Problem Simulation is valid if inputs are given before the computation begins (as in modular composition) In UC inputs are dynamically generated Need to simulate corruptions before inputs are given pk pk Gen r G pk c Enc m; r E c m = 1 m = 1 pk, ρ G 0 pk, r G, c, r E pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ
34 Problem Once pk, ρ 0 G (or ρ 1 G ) are fixed, c is committing c won t decrypt to random m with noticeable prob. pk pk Gen r G pk c Enc m; r E c m = 1 m = 1 pk, ρ G 0 pk, r G, c, r E pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ
35 Adjust the Simulation Simulation of c only after sender activated with m S learns m from ideal functionality (receiver corrupt) S encrypts c Enc pk, m; r E pk pk Gen r G pk c Enc m; r E c m = 1 m = 1 pk, ρ G 0 pk, r G, c, r E pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ
36 Adjust the Simulation Simulation of c only after sender activated with m S learns m from ideal functionality (receiver corrupt) S encrypts c Enc pk, m; r E pk pk Gen r G pk c Enc m; r E c c m = 1 m = 1 0 pk, ρ G, c, r E pk, r G, c, r E pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ
37 Adjust the Simulation (2) We show how to combine committing and non-committing ciphertexts in simulation Thm: If non-interactive NCE exists, then F SMT can be adaptively UC realized in 2 rounds pk pk Gen r G pk c Enc m; r E c c m = 1 m = 1 pk, ρ G 0, c, r E pk, r G, c, r E pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ
38 Application: Oblivious Transfer (OT) m 0, m 1 c m c Augmented NCE: Oblivious sampling of public keys pk OGen 1 κ Invertible sampling pk, r pk = OGen 1 κ ; r pk, OGen 1 pk pk Gen 1 κ
39 Adaptive OT [CLOS 02] m 0, m 1 pk c Gen 1 κ pk 1 c OGen 1 κ c c 0 Enc pk 0, m 0 Simulation (semi-honest) c 1 Enc pk 1, m 1 m c S simulate using pk 0, c 0, ρ 0 0,G, ρ 0 0,E, ρ 1 1 0,G, ρ 0,E Sim 1 κ pk 1, c 1, ρ 0 1,G, ρ 0 1,E, ρ 1 1 1,G, ρ 1,E Sim 1 κ
40 Adaptive OT [CLOS 02] m 0, m 1 pk c Gen 1 κ pk 1 c OGen 1 κ c c 0 Enc pk 0, m 0 Simulation (semi-honest) c 1 Enc pk 1, m 1 m c S simulate using pk 0, c 0, ρ 0 0,G, ρ 0 0,E, ρ 1 1 0,G, ρ 0,E Sim 1 κ pk 1, c 1, ρ 0 1,G, ρ 0 1,E, ρ 1 1 1,G, ρ 1,E Sim 1 κ Upon receiver corruption, S learns c, m c and provides m randomness ρ c c,g
41 Adaptive OT [CLOS 02] m 0, m 1 pk c Gen 1 κ pk 1 c OGen 1 κ c c 0 Enc pk 0, m 0 Simulation (semi-honest) c 1 Enc pk 1, m 1 m c S simulate using pk 0, c 0, ρ 0 0,G, ρ 0 0,E, ρ 1 1 0,G, ρ 0,E Sim 1 κ pk 1, c 1, ρ 0 1,G, ρ 0 1,E, ρ 1 1 1,G, ρ 1,E Sim 1 κ Upon receiver corruption, S learns c, m c and provides m randomness ρ c c,g See the paper for details input & output
42 Round Complexity Independent of C
43 Indistinguishability Obfuscation (io) C 1 C 2 io C 1 io C 2 Candidate construction [GGHRSW 13] Nice property: the depth of the obfuscation circuit is independent of the circuit to obfuscate
44 Non-Committing io Γ = C 1 C 2 C 3 C 4 All circuits are functionally equivalent Def: io, Sim 1, Sim 2 is non-committing io for Γ if Sim 1 generates canonical obf. circuit C for Γ Given any C Γ, Sim 2 can explain C as io C C C 2 C Sim 2 C, C 2 io C 2 ; r C 2 r
45 Bad news: If NCiO for circuits exists poly-time solution to circuit equivalence (co-np) polynomial hierarchy collapses Good news: Non-Committing io (2) Circuit equivalence is easy for constant circuits (no input wires) Thm: If NCiO for constant circuits exists then adaptive SFE protocol with short CRS whose round complexity is independent of C
46 Protocol Idea x 1 x 2 x 1, r 1 1. Circuit C 1 : hard-wire x 1, x 2 to C 2. Obfuscate C 2 = io C 1 ; r 1 r 2 x 2, r 2 C 2 C2
47 Protocol Idea x 1 x 2 x 1, r 1 1. Circuit C 1 : hard-wire x 1, x 2 to C 2. Obfuscate C 2 = io C 1 ; r 1 r 2 x 2, r 2 C 2 Simulation idea C2 1 st corruption: learn x 1, y and randomly sample r 1 Compute C Sim 1 obfuscated constant circuit with output y
48 Protocol Idea x 1 x 2 x 1, r 1 1. Circuit C 1 : hard-wire x 1, x 2 to C 2. Obfuscate C 2 = io C 1 ; r 1 r 2 x 2, r 2 C 2 Simulation idea C2 1 st corruption: learn x 1, y and randomly sample r 1 Compute C Sim 1 obfuscated constant circuit with output y 2 nd corruption: learn x 2, y and compute C 1 (using C, x 1, x 2 ) Compute r Sim 2 C, C 1 and set r 2 = r r 1
49 Constant Round for One-Sided Poly-Size Domain
50 Constant-Round Protocol Thm: Assume adaptively secure OT exist f is deterministic 2-party functionality x 1 D 0,1 n, D = poly n x 2 0,1 n Then f can be adaptively realized with short CRS in constant number of rounds Optimistic view: feasibility result Pessimistic view: to rule out constant-round protocols in general, consider super-poly domain or randomized functions
51 Summary 1. How to simulate non-interactive NCE in UC 2. NCiO is complete for round complexity ind. of circuit 3. Constant-round protocols for class of functions Open questions: Does NCiO for constant circuits exist? Find more functions that have constant-round protocols with short CRS
CSA E0 312: Secure Computation September 09, [Lecture 9-10]
CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More information6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti
6.897: Advanced Topics in Cryptography Lecturer: Ran Canetti Focus for first half (until Spring Break): Foundations of cryptographic protocols Goal: Provide some theoretical foundations of secure cryptographic
More informationOblivious Transfer (OT) and OT Extension
Oblivious Transfer (OT) and OT Extension School on Secure Multiparty Computation Arpita Patra Arpita Patra Roadmap o Oblivious Transfer - Construction from `special PKE o OT Extension - IKNP OT extension
More informationFang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University
Fang Song Joint work with Sean Hallgren and Adam Smith Computer Science and Engineering Penn State University Are classical cryptographic protocols secure against quantum attackers? 2 Are classical cryptographic
More informationRound-Preserving Parallel Composition of Probabilistic-Termination Cryptographic Protocols
Round-Preserving Parallel Composition o Probabilistic-Termination Cryptographic Protocols [ICALP 17] Ran Cohen (TAU) Sandro Coretti (NYU) Juan Garay (Yahoo Research) Vassilis Zikas (RPI) 2 Secure Multiparty
More informationNew Notions of Security: Universal Composability without Trusted Setup
New Notions of Security: Universal Composability without Trusted Setup Manoj Prabhakaran & Amit Sahai Princeton University To appear in STOC 04 Defining Security Central Problem in Cryptography Understanding
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationPerfect Secure Computation in Two Rounds
Perfect Secure Computation in Two Rounds Benny Applebaum Tel Aviv University Joint work with Zvika Brakerski and Rotem Tsabary Theory and Practice of Multiparty Computation Workshop, Aarhus, 2018 The MPC
More informationA Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM
A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM Paulo S. L. M. Barreto Bernardo David Rafael Dowsley Kirill Morozov Anderson C. A. Nascimento Abstract Oblivious Transfer
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More information6.897: Selected Topics in Cryptography Lectures 11 and 12. Lecturer: Ran Canetti
6.897: Selected Topics in Cryptography Lectures 11 and 12 Lecturer: Ran Canetti Highlights of last week s lectures Formulated the ideal commitment functionality for a single instance, F com. Showed that
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationUniversally Composable Multi-Party Computation with an Unreliable Common Reference String
Universally Composable Multi-Party Computation with an Unreliable Common Reference String Vipul Goyal 1 and Jonathan Katz 2 1 Department of Computer Science, UCLA vipul@cs.ucla.edu 2 Department of Computer
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More informationPhysically Uncloneable Functions in the Universal Composition Framework. Christina Brzuska Marc Fischlin Heike Schröder Stefan Katzenbeisser
Physically Uncloneable Functions in the Universal Composition Framework Marc Fischlin Heike Schröder Stefan Katzenbeisser Security of s Optical Arbiter Coating Many other s bounded noise physically uncloneable
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationk-round MPC from k-round OT via Garbled Interactive Circuits
k-round MPC from k-round OT via Garbled Interactive Circuits Fabrice Benhamouda Huijia Lin Abstract We present new constructions of round-efficient, or even round-optimal, Multi- Party Computation (MPC)
More information6.897: Selected Topics in Cryptography Lectures 7 and 8. Lecturer: Ran Canetti
6.897: Selected Topics in Cryptography Lectures 7 and 8 Lecturer: Ran Canetti Highlights of past lectures Presented a basic framework for analyzing the security of protocols for multi-party function evaluation.
More informationHow to Shuffle in Public
How to Shuffle in Public Ben Adida Harvard (work done at MIT) Douglas Wikström ETH Zürich TCC 27 February 24th, 27 How to Shuffle in Public Ben Adida Harvard (work done at MIT) Douglas Wikström ETH Zürich
More informationOn Minimal Assumptions for Sender-Deniable Public Key Encryption
On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland danadach@ece.umd.edu Abstract. The primitive of deniable encryption was introduced by Canetti
More informationRound-Preserving Parallel Composition of Probabilistic-Termination Cryptographic Protocols
Round-Preserving Parallel Composition of Probabilistic-Termination Cryptographic Protocols Ran Cohen Sandro Coretti Juan Garay Vassilis Zikas September 28, 2017 Abstract An important benchmark for multi-party
More informationGeneralizing Efficient Multiparty Computation
Generalizing Efficient Multiparty Computation Bernardo David 1, Ryo Nishimaki 2, Samuel Ranellucci 1, and Alain Tapp 3 1 Department of Computer Science Aarhus University, Denmark {bernardo,samuel}@cs.au.dk
More informationGarbled Protocols and Two-Round MPC from Bilinear Maps
Garbled Protocols and Two-Round MPC from Bilinear Maps Sanjam Garg University of California, Berkeley sanjamg@berkeley.edu Akshayaram Srinivasan University of California, Berkeley akshayaram@berkeley.edu
More informationCryptography in the Multi-string Model
Cryptography in the Multi-string Model Jens Groth 1 and Rafail Ostrovsky 1 University of California, Los Angeles, CA 90095 {jg,rafail}@cs.ucla.edu Abstract. The common random string model introduced by
More informationCut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings
Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings Yehuda Lindell Bar-Ilan University, Israel Technion Cryptoday 2014 Yehuda Lindell Online/Offline and Batch Yao 30/12/2014
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationA New Approach to Black-Box Concurrent Secure Computation
A New Approach to Black-Box Concurrent Secure Computation Sanjam Garg 1, Susumu Kiyoshima 2, Omkant Pandey 3 1 University of California, Berkeley, USA sanjamg@berkeley.edu 2 NTT Secure Platform Laboratories,
More informationCandidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation
Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Dongxue Pan 1,2, Hongda Li 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication
More informationOutput Compression, MPC, and io for Turing Machines
Output Compression, MPC, and io for Turing Machines Saikrishna Badrinarayanan Rex Fernando Venkata Koppula Amit Sahai Brent Waters Abstract In this work, we study the fascinating notion of output-compressing
More informationMASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer
MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer Tore Frederiksen Emmanuela Orsini Marcel Keller Peter Scholl Aarhus University University of Bristol 31 May 2016 Secure Multiparty
More informationRobust MPC: Asynchronous Responsiveness yet Synchronous Security
Robust MPC: Asynchronous Responsiveness yet Synchronous Security Chen-Da Liu-Zhang 1, Julian Loss 2, Ueli Maurer 1, Tal Moran 3, and Daniel Tschudi 4 1 {lichen,maurer}@inf.ethz.ch, ETH Zurich 2 julian.loss@rub.de,
More informationSecure Computation. Unconditionally Secure Multi- Party Computation
Secure Computation Unconditionally Secure Multi- Party Computation Benny Pinkas page 1 Overview Completeness theorems for non-cryptographic faulttolerant distributed computation M. Ben-Or, S. Goldwasser,
More informationBenny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar-Ilan University 1 What is N? Bar-Ilan University 2 Completeness theorems for non-cryptographic fault-tolerant
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationFully Bideniable Interactive Encryption
Fully Bideniable Interactive Encryption Ran Canetti Sunoo Park Oxana Poburinnaya January 1, 19 Abstract While standard encryption guarantees secrecy of the encrypted plaintext only against an attacker
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationPublic-seed Pseudorandom Permutations EUROCRYPT 2017
Public-seed Pseudorandom Permutations Pratik Soni UC Santa Barbara Stefano Tessaro UC Santa Barbara EUROCRYPT 2017 Cryptographic schemes often built from generic building blocks Cryptographic schemes often
More information1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds
1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationOn the Communication Complexity of Secure Function Evaluation with Long Output
On the Communication Complexity of Secure Function Evaluation with Long Output Pavel Hubáček Daniel Wichs Abstract We study the communication complexity of secure function evaluation (SFE). Consider a
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 10 Lecture date: 14 and 16 of March, 2005 Scribe: Ruzan Shahinian, Tim Hu 1 Oblivious Transfer 1.1 Rabin Oblivious Transfer
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationResource Fairness and Composability of Cryptographic Protocols
Resource Fairness and Composability of Cryptographic Protocols Juan A. Garay Philip MacKenzie Manoj Prabhakaran Ke Yang October 1, 2005 Abstract We introduce the notion of resource-fair protocols. Informally,
More informationEfficient Public-Key Distance Bounding
Efficient Public-Key Distance Bounding HNDN KILINÇ ND SERGE VUDENY 1 1. Introduction of Distance Bounding 2. Formal Definitions for Security and Privacy 3. Weak uthenticated Key greement 4. Our Protocols:
More informationTopology-Hiding Computation
Topology-Hiding Computation Tal Moran 1,, Ilan Orlov 1, and Silas Richelson 2 1 Efi Arazi School of Computer Science, IDC Herzliya. {talm,iorlov}@idc.ac.il 2 Department of Computer Science, UCLA SiRichel@ucla.edu
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationSelective Opening Security for Receivers
Selective Opening Security for Receivers Carmit Hazay Arpita Patra Bogdan Warinschi Abstract In a selective opening (SO) attack an adversary breaks into a subset of honestly created ciphertexts and tries
More informationMulti-Input Functional Encryption
Multi-Input Functional Encryption S. Dov Gordon Jonathan Katz Feng-Hao Liu Elaine Shi Hong-Sheng Zhou Abstract Functional encryption (FE) is a powerful primitive enabling fine-grained access to encrypted
More informationFrom FE Combiners to Secure MPC and Back
From FE Combiners to Secure MPC and Back Prabhanjan Ananth Saikrishna Badrinarayanan Aayush Jain Nathan Manohar Amit Sahai Abstract Functional encryption (FE) has incredible applications towards computing
More informationFully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation x x f f(x) Email, web-search, navigation, social networking What if x is private? Search
More informationEfficient Adaptively Secure Zero-knowledge from Garbled Circuits
Efficient Adaptively Secure Zero-knowledge from Garbled Circuits Chaya Ganesh 1, Yashvanth Kondi 2, Arpita Patra 3, and Pratik Sarkar 4 1 Department of Computer Science, Aarhus University. ganesh@cs.nyu.edu
More informationAre you the one to share? Secret Transfer with Access Structure
Are you the one to share? Secret Transfer with Access Structure Yongjun Zhao, Sherman S.M. Chow Department of Information Engineering The Chinese University of Hong Kong, Hong Kong Private Set Intersection
More informationFrom Minicrypt to Obfustopia via Private-Key Functional Encryption
From Minicrypt to Obfustopia via Private-Key Functional Encryption Ilan Komargodski Weizmann Institute of Science Joint work with Gil Segev (Hebrew University) Functional Encryption [Sahai-Waters 05] Enc
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationEfficient Constant Round Multi-Party Computation Combining BMR and SPDZ
Efficient Constant Round Multi-Party Computation Combining BMR and SPDZ Yehuda Lindell Benny Pinkas Nigel P. Smart vishay Yanai bstract Recently, there has been huge progress in the field of concretely
More informationBasing Obfuscation on Simple Tamper-Proof Hardware Assumptions
Basing Obfuscation on Simple Tamper-Proof Hardware Assumptions Nico Döttling, Thilo Mie, Jörn Müller-Quade, and Tobias Nilges Karlsruhe Institute of Technology, Karlsruhe, Germany Abstract Code obfuscation
More informationConstant-Round MPC with Fairness and Guarantee of Output Delivery
Constant-Round MPC with Fairness and Guarantee of Output Delivery S. Dov Gordon Feng-Hao Liu Elaine Shi April 22, 2015 Abstract We study the round complexity of multiparty computation with fairness and
More informationTwo-Round Multiparty Secure Computation from Minimal Assumptions
Two-Round Multiparty Secure Computation from Minimal Assumptions Sanjam Garg University of California, Berkeley sanjamg@berkeley.edu Akshayaram Srinivasan University of California, Berkeley akshayaram@berkeley.edu
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationNew Notions of Security: Achieving Universal Composability without Trusted Setup
New Notions of Security: Achieving Universal Composability without Trusted Setup Manoj Prabhakaran Princeton University Amit Sahai Princeton University September 27, 2004 Abstract We propose a modification
More informationFundamental MPC Protocols
3 Fundamental MPC Protocols In this chapter we survey several important MPC approaches, covering the main protocols and presenting the intuition behind each approach. All of the approaches discussed can
More informationBroadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions
Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, College Park in
More informationMultiparty Computation with Low Communication, Computation and Interaction via Threshold FHE
Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE Gilad Asharov Abhishek Jain Daniel Wichs June 9, 2012 Abstract Fully homomorphic encryption (FHE) provides a
More informationKeyword Search and Oblivious Pseudo-Random Functions
Keyword Search and Oblivious Pseudo-Random Functions Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold 1 Background: Oblivious Transfer Oblivious Transfer (OT) [R], 1-out-of-N [EGL]: Input: Server:
More informationSpooky Encryption and its Applications
Spooky Encryption and its Applications Yevgeniy Dodis NYU Shai Halevi IBM Research Ron D. Rothblum MIT Daniel Wichs Northeastern University March 10, 2016 Abstract Consider a setting where inputs x 1,...,
More informationBetween a Rock and a Hard Place: Interpolating Between MPC and FHE
Between a Rock and a Hard Place: Interpolating Between MPC and FHE A. Choudhury, J. Loftus, E. Orsini, A. Patra and N.P. Smart Dept. Computer Science, University of Bristol, United Kingdom. {Ashish.Choudhary,Emmanuela.Orsini,Arpita.Patra}@bristol.ac.uk,
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationLecture 14: Secure Multiparty Computation
600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine
More informationThe Exact Round Complexity of Secure Computation
The Exact Round Complexity of Secure Computation Sanjam Garg 1, Pratyay Mukherjee, 1 Omkant Pandey 2, Antigoni Polychroniadou 3 1 University of California, Berkeley {sanjamg,pratyay85}@berkeley.edu 2 Stony
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationFounding Cryptography on Smooth Projective Hashing
Founding Cryptography on Smooth Projective Hashing Bing Zeng a a School of Software Engineering, South China University of Technology, Guangzhou, 510006, China Abstract Oblivious transfer (OT) is a fundamental
More informationThe Exact Round Complexity of Secure Computation
The Exact Round Complexity of Secure Computation Sanjam Garg 1, Pratyay Mukherjee, 1 Omkant Pandey 2, Antigoni Polychroniadou 3 1 University of California, Berkeley {sanjamg,pratyay85}@berkeley.edu 2 Drexel
More informationComputational Oblivious Transfer and Interactive Hashing
Computational Oblivious Transfer and Interactive Hashing Kirill Morozov and George Savvides May 28, 2009 Abstract We use interactive hashing to achieve the most efficient OT protocol to date based solely
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationPoint Obfuscation and 3-round Zero-Knowledge
Point Obfuscation and 3-round Zero-Knowledge Nir Bitansky and Omer Paneth Tel Aviv University and Boston University September 21, 2011 Abstract We construct 3-round proofs and arguments with negligible
More informationFoundation of Cryptography, Lecture 4 Pseudorandom Functions
Foundation of Cryptography, Lecture 4 Pseudorandom Functions Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. March 11, 2014 Iftach Haitner (TAU) Foundation of Cryptography March 11,
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationFast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries
Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il February 8, 2015 Abstract In the setting
More informationClassical Cryptographic Protocols in a Quantum World
Classical Cryptographic Protocols in a Quantum World Sean Hallgren, Adam Smith, and Fang Song Department of Computer Science and Engineering, Pennsylvania State University, University Park, PA, U.S.A.
More informationMultiparty Computation (MPC) Arpita Patra
Multiparty Computation (MPC) Arpita Patra MPC offers more than Traditional Crypto! > MPC goes BEYOND traditional Crypto > Models the distributed computing applications that simultaneously demands usability
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationConcurrent Zero Knowledge in the Bounded Player Model
Concurrent Zero Knowledge in the Bounded Player Model VIPUL GOYAL Microsoft Research India vipul@microsoft.com ABHISHEK JAIN UCLA USA abhishek@cs.ucla.edu RAFAIL OSTROVSKY UCLA USA rafail@cs.ucla.edu SILAS
More informationBounded-Communication Leakage Resilience via Parity-Resilient Circuits
Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal Yuval Ishai Hemanta K. Maji Amit Sahai Alexander A. Sherstov September 6, 2016 Abstract We consider the problem of distributing
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More informationReducing Garbled Circuit Size While Preserving Circuit Gate Privacy *
Reducing Garbled Circuit Size While Preserving Circuit Gate Privacy * Yongge Wang 1 and Qutaibah m. Malluhi 2 1 Department of SIS, UNC Charlotte, USA (yonwang@uncc.edu) 2 Department of CS, Qatar University,
More informationi-hop Homomorphic Encryption Schemes
i-hop Homomorphic Encryption Schemes Craig Gentry Shai Halevi Vinod Vaikuntanathan March 12, 2010 Abstract A homomorphic encryption scheme enables computing on encrypted data by means of a public evaluation
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationDistinguisher-Dependent Simulation in Two Rounds and its Applications
Distinguisher-Dependent Simulation in Two Rounds and its Applications Abhishek Jain Yael Tauman Kalai Dakshita Khurana Ron Rothblum Abstract We devise a novel simulation technique that makes black-box
More informationOn Achieving the Best of Both Worlds in Secure Multiparty Computation
On Achieving the Best of Both Worlds in Secure Multiparty Computation Yuval Ishai Jonathan Katz Eyal Kushilevitz Yehuda Lindell Erez Petrank Abstract Two settings are traditionally considered for secure
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More information