Multiparty Computation
|
|
- Barnard Wells
- 5 years ago
- Views:
Transcription
1 Multiparty Computation
2 Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour: Semi-honest will follow the protocol as prescribed, but tries to deduce extra information from what it sees. Malicious will not necessarily follow the protocol. Party P i has the bit-string x i {0, 1} l. Party P i wants to learn y i, where (y 1,...,y n ) = f(x 1,...,x n ). No party P i may learn anything beyond x i and y i. 2 / 32
3 Examples Two millionaires want to determine who is richer. Revealing one s net worth to the other party means losing one s face if the other party turns out to be much richer. Alice and Bob are considering to start dating each other. Revealing that one is interesting in dating means losing one s face if the other party is not interested. Three cryptographers are dining in a restaurant. The waiter informs them that the bill has already been payed. The cryptographers want to know whether the payer was one of them (who wants to remain anonymous) or the NSA. Everything else... 3 / 32
4 Pieces The number of parties n. n = 2 n 3 A function f, represented as a Boolean circuit. Deterministic or randomized. Common output or separate outputs. A n-party protocol Π. Two main techniques: Garbled circuits Secret-sharing the values on wires. The adversary (a coalition of parties) maximum size semi-honest or malicious non-adaptive or adaptive 4 / 32
5 Security definition Consider the deterministic two-party, semi-honest case. A protocol Π securely evaluates the function f(x 1,x 2 ) if there exist PPT simulators S 1 and S 2, such that for all x 1 and x 2 : The distribution of S 1 (x 1,f 1 (x 1,x 2 )) is indistinguishable from the view of the first party in the execution of Π(x 1,x 2 ). The distribution of S 2 (x 2,f 2 (x 1,x 2 )) is indistinguishable from the view of the second party in the execution of Π(x 1,x 2 ). 5 / 32
6 Security definition Consider the randomized two-party, semi-honest case. A protocol Π securely evaluates the randomized function f(x 1,x 2 ) if there exist PPT simulators S 1 and S 2, such that for all x 1 and x 2 : The following two distributions are indistinguishable (for i {1, 2}): 1. First distribution: sample (y 1,y 2 ) f(x 1,x 2 ); run S i (x i,y 1,y 2 ). 2. Second distribution: sample tr Π(x 1,x 2 ); take (View 1 (tr),result 2 (tr)). 6 / 32
7 Exercises Show that the secure evaluation of a randomized f is reducible to the secure evaluation of some deterministic f. Show that the secure evaluation of some f with separate outputs for all parties is reducible to the secure evaluation of some f with common output. 7 / 32
8 Example functionality f(x,y) = (x? = y,x? < y) (common output). For one-bit x and y: x y & 8 / 32
9 Example functionality For 2k-bit x and y: x 1...k y 1...k x k+1...2k y k+1...2k k-bit k-bit & & 9 / 32
10 Example functionality For 4-bit x and y: x 1 y 1 x 2 y 2 x 3 y 3 x 4 y 4 & & & & & & & & & & 10 / 32
11 Evaluating a circuit Each internal gate g is determined by the function it computes: 0 0 g(00) 0 1 g(01) 1 0 g(10) 1 1 g(11) The values of input gates are the bits of x and y. The value of an internal gate is found from its inputs. Computed from top to bottom. The value of an output gate is its input. 11 / 32
12 Garbling a circuit For each input and internal gate g, generate two (symmetric) encryption keys k 0 g and k 1 g. Let g be an internal gate. Let g 1 and g 2 provide the two inputs to g. Compute {{k g(00) g } r 2 k 0 g 2 } r 1 k 0 g 1, {{k g(01) g } r 4 k 1 g 2 } r 3 k 0 g 1, {{k g(10) g } r 6 k 0 g 2 } r 5 k 1 g 1, {{k g(11) g } r 8 k 1 g 2 } r 7 k 1 g 1 The encoding of an internal gate g is a random permutation of these four values. Let g provide the input to some output gate. The encoding of this output gate is ({0} k 0 g, {1} k 1 g ) or ({1} k 1 g, {0} k 0 g ). The encoding of a circuit maps each internal and output gate to its encoding. 12 / 32
13 Evaluating a garbled circuit Let the input gates be g 1,...,g l. Let the input be b 1 b l. Somehow obtain k b 1 g 1,...,k b l g l. Do not obtain k b 1 g 1,...,k b l g l. Let g be an internal gate. Let (m 1,m 2,m 3,m 4 ) be its encoding. Let g and g provide the inputs to g. Let us know a key k corresponding to g. Let us know a key k corresponding to g. Try to decrypt: compute D k (D k (m i )) for 1 i 4. Let k be the result of successful decryption. This key corresponds to g. At an output gate we can decrypt one of the ciphertexts, giving us either the bit 0 or the bit / 32
14 The protocol Π Both parties have agreed on the circuit that computes f. Party P 1 prepares the garbled circuit and sends it to P 2. P 1 sends to P 2 the keys k x 1 1,...,k x l l corresponding to its input x going into the input gates g 1,...,g l. Party P 1 and P 2 run a protocol, resulting in P 2 learning the keys k y 1 l+1,...,ky l 2l corresponding to its input y going into the input gates g l+1,...,g 2l ; P 1 not learning anything new at all. P 2 evaluates the garbled circuit, eventually learning f(x,y). P 2 sends f(x,y) back to P / 32
15 Oblivious transfer A special case of two-party computation. P 1 (sender) has l-bit strings m 1,...,m n. P 2 (receiver) has an integer i {1,...,n}. P 2 should learn m i and nothing else. P 1 should learn nothing. 15 / 32
16 Oblivious transfer A special case of two-party computation. P 1 (sender) has l-bit strings m 1,...,m n. P 2 (receiver) has an integer i {1,...,n}. P 2 should learn m i and nothing else. P 1 should learn nothing. Let E be a trapdoor permutation of some set X including {0, 1} l. for example RSA. Let (k e,k d ) be the public and secret key of P 1. P 2 randomly chooses r 1,...,r n X. He defines { r j, if j i z j := E ke (r j ), if j = i and sends (z 1,...,z n ) to P 1. P 2 computes w j := m j E 1 k d (z j ) and sends (w 1,...,w n ) to P 1. a group operation on X P 1 finds m i as w i r 1 i. 15 / 32
17 Exercise Show that the preceeding protocol securely performs oblivious transfer in the presence of semi-honest adversaries. I.e. construct the simulators. 16 / 32
18 Exercise Show that the preceeding protocol securely performs oblivious transfer in the presence of semi-honest adversaries. I.e. construct the simulators. This simulation is not quite correct, though. E ke (r) reveals some information about r. But each trapdoor permutation has a hardcore bit B. If m 1,...,m n are just 1 bit long, then the sender may define w j := m j B(E 1 k d (z j )). The receiver recovers m i as w i B(r i ). 16 / 32
19 Correctness of the protocol Π Trace of the first party: Random coins for all the keys and encryptions. Traces of the OT-protocol as the sender. The final result. Trace of the second party: A garbled circuit and the keys corresponding to the input bits. Traces of the OT-protocol as the receiver. Exercise. Construct a simulator for the first party. 17 / 32
20 Simulator for P 2 For each input or internal gate g, generate two keys k g, k g. The simulated encoding of the gate g g 1,g 2 is {{k g } r 2 k g2 } r 1 k g1, {{k g } r 4 k g2 } r 3 k g1, {{k g } r 6 k g2 } r 5 k g1, {{k g } r 8 k g2 } r 7 k g1 The simulated encoding of an output gate g is ({z} r 1 k g, {z} r 2 k g ), where z is the output bit corresponding to this gate. The simulated trace consists of simulated garbled circuit; the keys k 1,...,k l ; Simulated traces of the OT-protocol as the receiver, resulting in the keys k l+1,...,k 2l. 18 / 32
21 Example comparing one bit Let x 0 = 0, y 0 = 1. Then the output bits are (0, 1). The real view is k1 0,k1 2,{{{k1 3 }r 2 } r k2 0 1, {{k 0 k1 0 3 }r 4 } r k2 1 3, {{k 0 k1 0 3 }r 6 } r k2 0 5, {{k 1 k1 1 3 }r 8 } r k2 1 7 k1}, 1 {{{k4} 0 r 10} r k2 0 9 k1 0 The simulated view is, {{k 1 4} r 12 k 1 2 } r 11 k 0 1, {{k 0 4} r 14 k 0 2 {{0} r 17 k 0 3 } r 13 k 1 1, {{k 0 4} r 16 k 1 2, {1} r 18 k 1 3 } r 15}, k1 1 },{{0} r 19 k 0 4 k 1,k 2,{{{k 3 } r 2 k 2 } r 1 k 1, {{k 3 } r 4 k 2 } r 3 k 1, {{k 3 } r 6 k 2 } r 5 k 1, {{k 3 } r 8 k 2 } r 7 k 1 }, {{{k 4 } r 10 k 2 } r 9 k 1, {{k 4 } r 12 k 2 } r 11 k 1, {{k 4 } r 14 k 2 } r 13 k 1, {{k 4 } r 16 k 2 } r 15 k 1 },, {1} r 20} k4 1 {{0} r 17 k 3, {0} r 18 k 3 },{{1} r 19 k 4, {1} r 20 k 4 } 19 / 32
22 The real pattern The real view is k1,k 0 2,{{{k 1 3} 1 r 2 } r k2 0 1, {{k k 3} 0 r } r k2 1 3, {{k k 3} 0 r } r k2 0 5, {{k k 3} 1 r } r k2 1 7 k1}, 1 Its pattern is {{{k4} 0 r 10} r k2 0 9 k1 0, {{k 1 4} r 12 k 1 2 } r 11 k 0 1, {{k 0 4} r 14 k 0 2 {{0} r 17 k 0 3 k1,k 0 2,{{ 1 r 2 } r 1, {{k k 3} 0 r } r k2 1 3 k1, r 5, r 7 }, 0 {{ r 10 } r 9 k 0 1, {{k 1 4 }r 12 k 1 2 } r 13 k 1 1, {{k 0 4} r 16 k 1 2, {1} r 18 k 1 3 } r 11, r k1 0 13, r 15 }, {{0} r 17 k 0 3 } r 15}, k1 1 },{{0} r 19 k 0 4, {1} r 20} k4 1, r 18 },{ r 19, {1} r 20} k / 32
23 The simulated pattern The simulated view is k 1,k 2,{{{k 3 } r 2 k 2 } r 1 k 1, {{k 3 } r 4 k 2 } r 3 k 1, {{k 3 } r 6 k 2 } r 5 k 1, {{k 3 } r 8 k 2 } r 7 k 1 }, Its pattern is {{{k 4 } r 10 k 2 } r 9 k 1, {{k 4 } r 12 k 2 } r 11 k 1, {{k 4 } r 14 k 2 } r 13 k 1, {{k 4 } r 16 k 2 } r 15 k 1 }, k 1,k 2,{{{k 3 } r 2 k 2 } r 1 k 1, { r 4 } r 3 k 1, r 5, r 7 }, {{0} r 17 k 3, {0} r 18 k 3 },{{1} r 19 k 4, {1} r 20 k 4 } {{{k 4 } r 10 k 2 } r 9 k 1, { r 12 } r 11 k 1, r 13, r 15 }, {{0} r 17 k 3, r 18 },{{1} r 19 k 4, r 20 } 21 / 32
24 Compare the patterns The real pattern k1,k 0 2,{{ 1 r 2 } r 1, {{k k 3} 0 r } r k2 1 3 k1, r 5, r 7 }, 0 {{ r 10 } r 9 k 0 1, {{k 1 4} r 12 k 1 2 The simulated pattern } r 11 k 0 1, r 13, r 15 },{{0} r 17 k 0 3, r 18 },{ r 19, {1} r 20} k4 1 k 1,k 2,{{{k 3 } r 2 k 2 } r 1 k 1, { r 4 } r 3 k 1, r 5, r 7 }, {{{k 4 } r 10 k 2 } r 9 k 1, { r 12 } r 11 k 1, r 13, r 15 },{{0} r 17 k 3, r 18 },{{1} r 19 k 4, r 20 } They are equal up to renaming. In general, the real and simulated garbled circuits will be indistinguishable. 22 / 32
25 Sharing the contents of wires Assume that the only operations of circuits are and &. These are the addition and multiplication in the field Z 2. They, together with the constant 1, are sufficient to express any functionality. Let there be an extra 1-gate that takes no inputs. During the protocol, the parties compute for all gates g the values a 1 g and a 2 g, such that the real value computed by g is a 1 g + a 2 g; P 1 knows a 1 g and P 2 knows a 2 g. The protocol is well-suited for functionalities with separate outputs. At the end of the protocol, P 1 will send to P 2 the values a 1 g corresponding to the output gates g of P 2. P 2 behaves similarly. 23 / 32
26 The protocol Sharing the inputs For P i s input b at the input gate g generate a random bit r and send (g,r) to the other party. Let a i g = b + r. For the 1-gate g let P 1 generate a random bit r and send (g,r) to P 2. Let a 1 g = r + 1. When P i receives (g,r) from the other party, set a i g = r. Evaluating an addition gate Let g = g 1 + g 2. Define a i g = a i g 1 + a i g 2. Communicating the outputs If g is an output gate for P i, then the other party P j will send (g,a j g ) to P i once he has it. P i outputs a i g + a j g as the output of that gate. 24 / 32
27 Evaluating a multiplication gate Let g = g 1 g 2 = (a 1 g 1 + a 2 g 1 ) (a 1 g 2 + a 2 g 2 ). We ll define a protocol for finding a 1 g and a 2 g, such that P i does not learn anything besides a i g ; a i g is uniformly distributed; a 1 g + a 2 g = a g. 25 / 32
28 Evaluating a multiplication gate Let g = g 1 g 2 = (a 1 g 1 + a 2 g 1 ) (a 1 g 2 + a 2 g 2 ). We ll define a protocol for finding a 1 g and a 2 g, such that P i does not learn anything besides a i g ; a i g is uniformly distributed; a 1 g + a 2 g = a g. a 1 g is picked uniformly from {0, 1}. P 1 defines m 1 = a 1 g + a1 g 1 a 1 g 2 m 3 = a 1 g + (a1 g 1 + 1)a 1 g 2 m 2 = a 1 g + a1 g 1 (a 1 g 2 + 1) m 4 = a 1 g + (a1 g 1 + 1)(a 1 g 2 + 1) P 2 defines a 2 g = m 2a 2 g1 +a 2 g Use oblivious transfer to transmit that m to P 2. Exercise. Correctness and security? 25 / 32
29 Exercise How can one party simulate the computation of this protocol? 26 / 32
30 Multi-party semi-honest case A protocol Π securely evaluates the function (y 1,...,y n ) = f(x 1,...,x n ) if there exists a PPT simulator S, such that for each I = {i 1,...,i m } {1,...,n} for all x 1,...,x n the distribution S(I, (x i1,...,x im ), (y i1,...,y im )) equals the joint view of the parties P i1,...,p im in the execution of Π(x 1,...,x n ). 27 / 32
31 The protocol Most steps of the two-party case easily generalize to the multi-party case. How about multiplication? 28 / 32
32 The protocol Most steps of the two-party case easily generalize to the multi-party case. How about multiplication? We have a 1 g 1,...,a n g 1,a 1 g 2,...,a n g 2 with j aj g i = a gi. We want a 1 g,...,a n g that sum up to a g1 a g2. ( n ) ( n ) a j g 1 a j g 2 = j=1 (1 (n 1)) j=1 n a j g 1 a j g 2 + j=1 n a j g 1 a j g 2 + j=1 1 i<j n n 1 i<j n (a i g 1 a j g 2 + a i g 2 a j g 1 ) = (a i g 1 a i g 2 + a i g 1 a j g 2 + a i g 2 a j g 1 + a j g 1 a j g 2 ) = n a j g 1 a j g 2 + j=1 1 i<j n (a i g 1 + a i g 2 )(a j g 1 + a j g 2 ) 28 / 32
33 Multiplication protocol Each party P i engages in the two-party multiplication protocol with all other parties P j. As result, party P i learns the values c i,j, such that c i,j + c j,i = (a i g 1 + a i g 2 ) (a j g 1 + a j g 2 ) P i defines a i g = n a i g 1 a i g 2 + j i ci,j. Exercise. Correctness, security? Uniformity of the values a i g? 29 / 32
34 Oblivious transfer in the malicious model Bellare-Micali construction (1-out-of-2 OT): Let G be a group with hard Diffie-Hellman problem. Let g generate G. Let p = G. Sender randomly picks C G and sends it to the receiver. Receiver chooses x Z p and defines h b = g x, h 1 b = c/h b. Sends h 0,h 1 to the sender. Sender checks that h 0 h 1 = C. Uses ElGamal encryption to encrypt m i with h i. Sends (g r 0,m 0 h r 0 0 ), (g r 1,m 1 h r 1 1 ) to the receiver. Receiver decrypts the ciphertext that he can decrypt and learns m b. Exercise. Security? 30 / 32
35 Naor-Pinkas construction Let G, g, p be as before. Receiver picks s,t,c 1 b R Z p, defines c b = st mod p, x = g s, y = g t, z i = g c i. Sends x,y,z 0,z 1 to sender. Sender checks that z 0 z 1. Picks random r 0,r 0,r 1,r 1 Z p and returns to the receiver ((xg r 0 ) r 0,m0 (z 0 y r 0 ) r 0 ), ((xg r 1 ) r 1,m1 (z 1 y r 1 ) r 1 ) The receiver... Exercise. What is the receiver going to do with the values it got? What about security? Exercise. Generalize this construction to 1-out-of-n OT. 31 / 32
36 Securing the original OT Exercise. The original OT-protocol can also be secured by letting the receiver first commit to the randomness he s going to use, and then letting him prove in zero knowledge that he really used that randomness. Work out the details for 1-out-of-2 OT. 32 / 32
Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 10 Lecture date: 14 and 16 of March, 2005 Scribe: Ruzan Shahinian, Tim Hu 1 Oblivious Transfer 1.1 Rabin Oblivious Transfer
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationLecture 14: Secure Multiparty Computation
600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationOblivious Evaluation of Multivariate Polynomials. and Applications
The Open University of Israel Department of Mathematics and Computer Science Oblivious Evaluation of Multivariate Polynomials and Applications Thesis submitted as partial fulfillment of the requirements
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationLecture 38: Secure Multi-party Computation MPC
Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationCut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings
Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings Yehuda Lindell Bar-Ilan University, Israel Technion Cryptoday 2014 Yehuda Lindell Online/Offline and Batch Yao 30/12/2014
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationCSA E0 312: Secure Computation September 09, [Lecture 9-10]
CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More informationBenny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar-Ilan University 1 What is N? Bar-Ilan University 2 Completeness theorems for non-cryptographic fault-tolerant
More informationSecure Computation. Unconditionally Secure Multi- Party Computation
Secure Computation Unconditionally Secure Multi- Party Computation Benny Pinkas page 1 Overview Completeness theorems for non-cryptographic faulttolerant distributed computation M. Ben-Or, S. Goldwasser,
More informationBenny Pinkas Bar Ilan University
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationFast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries
Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il February 8, 2015 Abstract In the setting
More informationA Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM
A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM Paulo S. L. M. Barreto Bernardo David Rafael Dowsley Kirill Morozov Anderson C. A. Nascimento Abstract Oblivious Transfer
More informationCommunication Complexity and Secure Function Evaluation
Communication Complexity and Secure Function Evaluation arxiv:cs/0109011v1 [cs.cr] 9 Sep 2001 Moni Naor Kobbi Nissim Department of Computer Science and Applied Mathematics Weizmann Institute of Science,
More informationFaster Maliciously Secure Two-Party Computation Using the GPU Full version
Faster Maliciously Secure Two-Party Computation Using the GPU Full version Tore Kasper Frederiksen, Thomas P. Jakobsen, and Jesper Buus Nielsen July 15, 2014 Department of Computer Science, Aarhus University
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationOn Everlasting Security in the Hybrid Bounded Storage Model
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor Abstract The bounded storage model (BSM) bounds the storage space of an adversary rather than its running time. It utilizes
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked
More informationDistributed Oblivious RAM for Secure Two-Party Computation
Seminar in Distributed Computing Distributed Oblivious RAM for Secure Two-Party Computation Steve Lu & Rafail Ostrovsky Philipp Gamper Philipp Gamper 2017-04-25 1 Yao s millionaires problem Two millionaires
More informationSecure Multi-Party Computation. Lecture 17 GMW & BGW Protocols
Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party
More informationLogic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation
Quantum logic gates Logic gates Classical NOT gate Quantum NOT gate (X gate) A NOT A α 0 + β 1 X α 1 + β 0 A N O T A 0 1 1 0 Matrix form representation 0 1 X = 1 0 The only non-trivial single bit gate
More informationReducing Garbled Circuit Size While Preserving Circuit Gate Privacy *
Reducing Garbled Circuit Size While Preserving Circuit Gate Privacy * Yongge Wang 1 and Qutaibah m. Malluhi 2 1 Department of SIS, UNC Charlotte, USA (yonwang@uncc.edu) 2 Department of CS, Qatar University,
More informationOne-Round Secure Computation and Secure Autonomous Mobile Agents
One-Round Secure Computation and Secure Autonomous Mobile Agents (Extended Abstract) Christian Cachin 1, Jan Camenisch 1, Joe Kilian 2, and Joy Müller 1 Abstract. This paper investigates one-round secure
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More informationImproved Non-Committing Encryption Schemes based on a General Complexity Assumption
Improved Non-Committing Encryption Schemes based on a General Complexity Assumption Ivan Damgård and Jesper Buus Nielsen BRICS Department of Computer Science University of Aarhus Ny Munkegade DK-8000 Arhus
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationOblivious Keyword Search
Oblivious Keyword Search Wakaha Ogata 1 Kaoru Kurosawa 2 1 Tokyo Institute of Technology, 2-12-1 O-okayama, Meguro-ku, Tokyo 152-8552, Japan wakaha@ss.titech.ac.jp 2 Ibaraki University, 4-12-1 Nakanarusawa,
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationOn Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)
On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan) Secure Multiparty Computation (MPC) Ideal World/ Functionality
More informationPrivacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors
Privacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors Yingpeng Sang, Hong Shen School of Computer Science The University of Adelaide Adelaide, South Australia, 5005, Australia
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More information18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018
18734: Foundations of Privacy Anonymous Cash Anupam Datta CMU Fall 2018 Today: Electronic Cash Goals Alice can ask for Bank to issue coins from her account. Alice can spend coins. Bank cannot track what
More informationCryptography in the Multi-string Model
Cryptography in the Multi-string Model Jens Groth 1 and Rafail Ostrovsky 1 University of California, Los Angeles, CA 90095 {jg,rafail}@cs.ucla.edu Abstract. The common random string model introduced by
More informationCommitment Schemes and Zero-Knowledge Protocols (2011)
Commitment Schemes and Zero-Knowledge Protocols (2011) Ivan Damgård and Jesper Buus Nielsen Aarhus University, BRICS Abstract This article is an introduction to two fundamental primitives in cryptographic
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationZero-Knowledge Proofs and Protocols
Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is
More informationGarbled Protocols and Two-Round MPC from Bilinear Maps
Garbled Protocols and Two-Round MPC from Bilinear Maps Sanjam Garg University of California, Berkeley sanjamg@berkeley.edu Akshayaram Srinivasan University of California, Berkeley akshayaram@berkeley.edu
More informationSecurity Protocols and Application Final Exam
Security Protocols and Application Final Exam Solution Philippe Oechslin and Serge Vaudenay 25.6.2014 duration: 3h00 no document allowed a pocket calculator is allowed communication devices are not allowed
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationPublic Key Encryption
Public Key Encryption KG October 17, 2017 Contents 1 Introduction 1 2 Public Key Encryption 2 3 Schemes Based on Diffie-Hellman 3 3.1 ElGamal.................................... 5 4 RSA 7 4.1 Preliminaries.................................
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationA New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank
A New Approach to Practical Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank Secure Two-Party Computation Alice has an input a {0,1} * Bob has an input
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationThe Laws of Cryptography Zero-Knowledge Protocols
26 The Laws of Cryptography Zero-Knowledge Protocols 26.1 The Classes NP and NP-complete. 26.2 Zero-Knowledge Proofs. 26.3 Hamiltonian Cycles. An NP-complete problem known as the Hamiltonian Cycle Problem
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationFast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries
Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il Abstract. In the setting of secure two-party
More informationSemantic Security of RSA. Semantic Security
Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against
More informationCovert Multi-party Computation
Covert Multi-party Computation Nishanth Chandran Vipul Goyal Rafail Ostrovsky Amit Sahai University of California, Los Angeles {nishanth,vipul,rafail,sahai}@cs.ucla.edu Abstract In STOC 05, Ahn, Hopper
More informationAn Efficient and Secure Protocol for Privacy Preserving Set Intersection
An Efficient and Secure Protocol for Privacy Preserving Set Intersection Yingpeng Sang 1, Hong Shen 2, Laurence T. Yang 3, Naixue Xiong 1, Yasuo Tan 1 1 School of Information Science, Japan Advanced Institute
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationi-hop Homomorphic Encryption Schemes
i-hop Homomorphic Encryption Schemes Craig Gentry Shai Halevi Vinod Vaikuntanathan March 12, 2010 Abstract A homomorphic encryption scheme enables computing on encrypted data by means of a public evaluation
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationMulti-Party Computation with Conversion of Secret Sharing
Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationFaster Secure Two-Party Computation in the Single-Execution Setting
Faster Secure Two-Party Computation in the Single-Execution Setting Xiao Wang 1, Alex J. Malozemoff 2, and Jonathan Katz 1 1 University of Maryland, USA {wangxiao,jkatz}@cs.umd.edu 2 Galois, USA amaloz@galois.com
More informationEfficient Constant Round Multi-Party Computation Combining BMR and SPDZ
Efficient Constant Round Multi-Party Computation Combining BMR and SPDZ Yehuda Lindell Benny Pinkas Nigel P. Smart vishay Yanai bstract Recently, there has been huge progress in the field of concretely
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationComplexity of Multi-Party Computation Functionalities
Complexity of Multi-Party Computation Functionalities Hemanta K. Maji Manoj Prabhakaran Mike Rosulek October 16, 2012 Abstract The central objects of secure multiparty computation are the multiparty functions
More informationAn Efficient and Secure Protocol for Privacy Preserving Set Intersection
An Efficient and Secure Protocol for Privacy Preserving Set Intersection PhD Candidate: Yingpeng Sang Advisor: Associate Professor Yasuo Tan School of Information Science Japan Advanced Institute of Science
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More information