
Showing papers on "Secure multi-party computation published in 2001"


Proceedings ArticleDOI
10 Sep 2001
TL;DR: A framework is developed to identify and define a number of new SMC problems for a spectrum of computation domains that include privacy-preserving database query, privacy-preserving scientific computation, privacy-preserving intrusion detection, privacy-preserving statistical analysis, privacy-preserving geometric computation, and privacy-preserving data mining.
Abstract: The growth of the Internet has triggered tremendous opportunities for cooperative computation, where people are jointly conducting computation tasks based on the private inputs they each supply. These computations could occur between mutually untrusted parties, or even between competitors. For example, customers might send to a remote database queries that contain private information; two competing financial organizations might jointly invest in a project that must satisfy both organizations' private and valuable constraints, and so on. Today, to conduct such computations, one entity must usually know the inputs from all the participants; however, if nobody can be trusted enough to know all the inputs, privacy will become a primary concern. This problem is referred to as the Secure Multi-party Computation Problem (SMC) in the literature. Research in the SMC area has been focusing on only a limited set of specific SMC problems, while privacy-concerned cooperative computations call for SMC studies in a variety of computation domains. Before we can study the problems, we need to identify and define the specific SMC problems for those computation domains. We have developed a framework to facilitate this problem-discovery task. Based on our framework, we have identified and defined a number of new SMC problems for a spectrum of computation domains. Those problems include privacy-preserving database query, privacy-preserving scientific computations, privacy-preserving intrusion detection, privacy-preserving statistical analysis, privacy-preserving geometric computations, and privacy-preserving data mining. The goal of this paper is not only to present our results, but also to serve as a guideline so other people can identify useful SMC problems in their own computation domains.

454 citations


Proceedings ArticleDOI
10 Dec 2001
TL;DR: Protocols for conducting the statistical analysis in such a cooperative environment based on a data perturbation technique and cryptography primitives are developed.
Abstract: The growth of the Internet opens up tremendous opportunities for cooperative computation, where the answer depends on the private inputs of separate entities. Sometimes these computations may occur between mutually untrusting entities. The problem is trivial if the context allows the conduct of these computations by a trusted entity that would know the inputs from all the participants; however if the context disallows this then the techniques of secure multiparty computation become very relevant and can provide useful solutions. Statistical analysis is a widely used computation in real life, but the known methods usually require one to know the whole data set; little work has been conducted to investigate how statistical analysis could be performed in a cooperative environment, where the participants want to conduct statistical analysis on the joint data set, but each participant is concerned about the confidentiality of its own data. We have developed protocols for conducting the statistical analysis in such a cooperative environment based on a data perturbation technique and cryptography primitives.

290 citations


Proceedings ArticleDOI
06 Jul 2001
TL;DR: This work studies the exact round complexity of two basic secure computation tasks: Verifiable Secret Sharing (VSS) and Secure Multicast, and proves tight tradeoffs between the round complexity and the achievable security threshold.
Abstract: The round complexity of interactive protocols is one of their most important complexity measures. In this work we study the exact round complexity of two basic secure computation tasks: Verifiable Secret Sharing (VSS) and Secure Multicast. VSS allows a dealer to share a secret among several players in a way that would later allow a unique reconstruction of the secret. It is a well-studied primitive, which is used as a building block in virtually every general protocol for secure multi-party computation. Secure multicast is perhaps the simplest non-trivial instance of a secure computation. It allows a dealer to securely distribute an identical message to all players in a prescribed subset M. Both types of protocols are parameterized by the number of players, n, and a security threshold, t, which bounds the total number of malicious players (possibly including the dealer). We focus on a standard setting of perfect information-theoretic security, where all players have access to secure point-to-point channels and a common broadcast medium. For both types of primitives we prove, using related techniques, tight tradeoffs between the round complexity and the achievable security threshold. Specifically, for the VSS problem we show:
- 2-round VSS is possible iff n>4t, where the "if" direction is realized by an efficient protocol.
- 3-round VSS is possible iff n>3t, where the "if" direction is realized by an inefficient protocol.
- 4-round efficient VSS is possible if n>3t.
For the secure multicast problem we show: 2-round secure multicast is (efficiently) possible iff

161 citations


Book ChapterDOI
08 Jul 2001
TL;DR: This paper presents definitions of secure multiparty approximate computations that retain the privacy of a secure computation of f, an efficient, sublinear-communication, private approximate computation for the Hamming distance and an efficient private approximation of the permanent.
Abstract: Approximation algorithms can sometimes provide efficient solutions when no efficient exact computation is known. In particular, approximations are often useful in a distributed setting where the inputs are held by different parties and are extremely large. Furthermore, for some applications, the parties want to cooperate to compute a function of their inputs without revealing more information than necessary. If \hat{f} is an approximation to f, secure multiparty computation of \hat{f} allows the parties to compute \hat{f} without revealing unnecessary information. However, secure computation of \hat{f} may not be as private as secure computation of f, because the output of \hat{f} may itself reveal more information than the output of f. In this paper, we present definitions of secure multiparty approximate computations that retain the privacy of a secure computation of f. We present an efficient, sublinear-communication, private approximate computation for the Hamming distance and an efficient private approximation of the permanent.

149 citations


Proceedings ArticleDOI
14 May 2001
TL;DR: A new approach for securely executing (fragments of) mobile code that relies on a minimally trusted third party that performs some operations on behalf of the mobile application, but does not learn anything about the encrypted computation.
Abstract: We address the protection of mobile code against cheating and potentially malicious hosts. We point out that the recent approach based on computing with "encrypted functions" is limited to the case where only the code originator learns the result of the computation and the host running the code must not notice anything at all. We argue that if the host is to receive some output of the computation, then securing mobile code requires minimal trust in a third party. Tamper-proof hardware installed on each host has been proposed for this purpose. We introduce a new approach for securely executing (fragments of) mobile code that relies on a minimally trusted third party. This party is a generic independent entity, called the secure computation service, which performs some operations on behalf of the mobile application, but does not learn anything about the encrypted computation. Because it is universal, the secure computation service needs to be only minimally trusted and can serve many different applications. We present a protocol based on tools from theoretical cryptography that is quite practical for computing small functions.

134 citations


Journal Article
TL;DR: In this article, the authors consider a network of processors among which elements in a finite field K can be verifiably shared in a constant number of rounds, and show how the network can securely, efficiently and in constant-round compute determinant, characteristic polynomial, rank, and the solution space of linear systems of equations.
Abstract: Consider a network of processors among which elements in a finite field K can be verifiably shared in a constant number of rounds. Assume furthermore constant-round protocols are available for generating random shared values, for secure multiplication and for addition of shared values. These requirements can be met by known techniques in all standard models of communication. In this model we construct protocols allowing the network to securely solve standard computational problems in linear algebra. In particular, we show how the network can securely, efficiently and in constant-round compute determinant, characteristic polynomial, rank, and the solution space of linear systems of equations. Constant round solutions follow for all problems which can be solved by direct application of such linear algebraic methods, such as deciding whether a graph contains a perfect match. If the basic protocols (for shared random values, addition and multiplication) we start from are unconditionally secure, then so are our protocols. Our results offer solutions that are significantly more efficient than previous techniques for secure linear algebra, they work for arbitrary fields and therefore extend the class of functions previously known to be computable in constant round and with unconditional security. In particular, we obtain an unconditionally secure protocol for computing a function f in constant round, where the protocol has complexity polynomial in the span program size of f over an arbitrary finite field.

70 citations


Patent
11 May 2001
TL;DR: In this patent, an n-person secret sharing solution is described in which the custodian computes n unique keys to be distributed to the secret owners along with an exponentiated version of the secret, together with a k-out-of-n variant that stores one database entry per possible combination of k returned keys.
Abstract: An n person secret sharing solution computes n unique keys to be distributed to the secret owners along with an exponentiated version of the secret. The custodian performs an exponent/modulo operation each time one of the keys is received from one of the secret owners. Alternatively, n+1 keys are created by the custodian, and the custodian retains one key after distributing the remaining n keys to the secret owners. After the custodian has received and processed the n keys from the secret owners, he performs an exponent/modulo operation using his own retained key. According to another aspect, a k out of n secret sharing solution involves computing and storing a database having an entry for each unique combination of k keys that could be returned from among the n keys. After k keys have been received, the custodian looks up in the database the entry corresponding to the particular unique combination of secret owners who returned keys. The custodian performs another exponent/modulo operation using the entry retrieved from the database in order to reconstruct the original secret. According to an embodiment, the custodian computes n+1 keys, distributes n of the keys to the secret owners, and keeps one of the keys for himself. The custodian retrieves his own key and performs a final exponent/modulo operation in order to reconstruct the original secret. According to another aspect, a k out of n secret sharing solution involves encrypting the original secret before applying any conventional k out of n secret sharing solution.

51 citations
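The mechanism the patent abstract above describes, as an added example that is not the patent's own construction: the abstract specifies repeated exponent/modulo steps but not the underlying group, so this Python sketch assumes the multiplicative group Z_P* of a prime P with exponents taken modulo P-1, keys chosen as random exponents invertible modulo P-1, and one finishing exponent per k-subset for the k-out-of-n database. The prime P, the secret and every function name are this example's own.

```python
"""Custodian-driven secret sharing by repeated exponentiation.

Added illustration of the mechanism in the patent abstract; the algebra
below (group Z_P*, exponents modulo P-1, key-generation rule) is assumed.
"""
import secrets
from itertools import combinations
from math import gcd
from typing import Dict, List, Tuple

P = 2**127 - 1      # Mersenne prime; toy size chosen for the example
ORDER = P - 1       # order of Z_P*; exponents live in Z_ORDER


def _random_unit_exponent() -> int:
    """Random exponent invertible modulo ORDER (needed so it can be undone)."""
    while True:
        k = secrets.randbelow(ORDER)
        if k > 1 and gcd(k, ORDER) == 1:
            return k


def n_of_n_setup(secret: int, n: int) -> Tuple[List[int], int]:
    """Custodian makes n keys k_i and keeps the 'exponentiated version' S^d,
    d = (k_1 * ... * k_n)^-1 mod ORDER, so applying every key as an exponent
    brings S^d back to S (Fermat: S^(1 + m*(P-1)) = S in Z_P*)."""
    if not 1 <= secret < P:
        raise ValueError("secret must be in 1..P-1")
    keys = [_random_unit_exponent() for _ in range(n)]
    product = 1
    for k in keys:
        product = product * k % ORDER
    d = pow(product, -1, ORDER)
    return keys, pow(secret, d, P)


def absorb_key(state: int, key: int) -> int:
    """The exponent/modulo step the custodian runs each time a key returns."""
    return pow(state, key, P)


def n_of_n_reconstruct(blinded: int, returned_keys: List[int]) -> int:
    """Keys may arrive in any order: exponents commute."""
    state = blinded
    for k in returned_keys:
        state = absorb_key(state, k)
    return state


def k_of_n_setup(secret: int, k: int, n: int):
    """k-out-of-n variant: store S^d for a random d plus a database holding,
    for each k-subset T of owners, the finishing exponent
    e_T = (d * prod_{i in T} k_i)^-1 mod ORDER."""
    if not 1 <= secret < P or not 1 <= k <= n:
        raise ValueError("bad parameters")
    keys = [_random_unit_exponent() for _ in range(n)]
    d = _random_unit_exponent()
    database: Dict[Tuple[int, ...], int] = {}
    for subset in combinations(range(n), k):
        e = d
        for i in subset:
            e = e * keys[i] % ORDER
        database[subset] = pow(e, -1, ORDER)
    return keys, pow(secret, d, P), database


def k_of_n_reconstruct(blinded: int, database, returned: Dict[int, int]) -> int:
    """`returned` maps owner index -> key. After the keys are absorbed the
    custodian looks up the entry for exactly that combination of owners and
    applies it as the last exponent/modulo operation."""
    subset = tuple(sorted(returned))
    if subset not in database:
        raise ValueError("need exactly k keys from distinct owners")
    state = blinded
    for i in subset:
        state = absorb_key(state, returned[i])
    return absorb_key(state, database[subset])


if __name__ == "__main__":
    S = 0xDEADBEEF                                   # constructed secret
    keys, blinded = n_of_n_setup(S, 3)
    print(hex(n_of_n_reconstruct(blinded, keys)))    # back to S
    keys, blinded, db = k_of_n_setup(S, 2, 4)
    print(len(db), hex(k_of_n_reconstruct(blinded, db, {1: keys[1], 3: keys[3]})))
```

Two practical points follow from the sketch. The database has one entry per k-subset, so it grows as C(n, k) (C(20, 10) is already 184,756 entries), which is the price of this approach compared with polynomial interpolation. And the custodian who ran the setup knows d, so the owners' keys control when reconstruction happens rather than whether the custodian could learn S; the variant in which the custodian keeps one extra key makes his participation necessary, not his honesty.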


Journal ArticleDOI
TL;DR: The question whether there exists an efficient protocol to achieve probabilistically reliable and perfectly private communication when \lceil 3t/2\rceil≥ n>t is answered affirmatively by using a different authentication scheme.
Abstract: Problems of secure communication and computation have been studied extensively in network models. Goldreich et al., Franklin and Yung, and Franklin and Wright have initiated the study of secure communication and secure computation in multirecipient (multicast) models. A ``multicast channel'' (such as ethernet) enables one processor to send the same message--simultaneously and privately--to a fixed subset of processors. In their recent paper, Franklin and Wright have shown that if there are n multicast lines between a sender and a receiver and there are at most t malicious (Byzantine style) processors, then the condition n>t is necessary and sufficient for achieving efficient probabilistically reliable and probabilistically private communication. They also showed that if n> \lceil 3t/2\rceil , then there is an efficient protocol to achieve probabilistically reliable and perfectly private communication. They left open the question whether there exists an efficient protocol to achieve probabilistically reliable and perfectly private communication when \lceil 3t/2\rceil \ge n>t . In this paper, by using a different authentication scheme, we answer this question affirmatively and study related problems.

49 citations


Patent
23 Mar 2001
TL;DR: In this patent, a method and system that generates a secret from an individual's biometric information, such as voice, handwriting and fingerprint, is presented; it extracts a feature vector from the captured biometric data, transforms it into a codeword, and uses the codeword to construct the secret.
Abstract: A method and system that generates a secret from an individual's biometric information, such as voice, handwriting and fingerprint. It extracts a feature vector from the captured biometric data. The feature vector is then transformed into a codeword, and the codeword is used to construct the secret. A one-way hash of the secret is stored. Only if a user generates a new secret that has the same hash value as that stored will the user be confirmed. To keep pace with the gradual change of the measured biometric features, the secret can be updated adaptively. The secret may be an encryption key.

49 citations


Journal ArticleDOI
TL;DR: Simple and modular schemes are presented that allow the overall communication involving users to be reduced dramatically, and their computation substantially, using off-line messages sent from service-providers to databases and users.
Abstract: A private information retrieval scheme allows a user to retrieve a data item of his choice from a remote database (or several copies of a database) while hiding from the database owner which particular data item he is interested in. We consider the question of private information retrieval in the so-called ``commodity-based'' model, recently proposed by Beaver for practically oriented service-provider Internet applications. We present simple and modular schemes allowing us to reduce dramatically the overall communication involving users, and substantially reduce their computation, using off-line messages sent from service-providers to databases and users. The service-providers do not need to know the database contents nor the future user's requests; all they need to know is an upper bound on the data size. Our solutions can be made resilient against collusions of databases with more than a majority (in fact, all-but-one) of the service-providers.

41 citations


Patent
06 Aug 2001
TL;DR: Secure computation environments are protected from bogus or rogue load modules, executables, and other data elements through use of digital signatures, seals and certificates issued by a verifying authority, as described in this patent.
Abstract: Secure computation environments are protected from bogus or rogue load modules, executables and other data elements through use of digital signatures, seals and certificates issued by a verifying authority. A verifying authority—which may be a trusted independent third party—tests the load modules or other executables to verify that their corresponding specifications are accurate and complete, and then digitally signs the load module or other executable based on tamper resistance work factor classification. Secure computation environments with different tamper resistance work factors use different verification digital signature authentication techniques (e.g., different signature algorithms and/or signature verification keys)—allowing one tamper resistance work factor environment to protect itself against load modules from another, different tamper resistance work factor environment. Several dissimilar digital signature algorithms may be used to reduce vulnerability from algorithm compromise, and subsets of multiple digital signatures may be used to reduce the scope of any specific compromise.

Journal Article
TL;DR: A new construction of the visual secret sharing scheme for the (n, n)-threshold access structure applicable to color images using matrices with n rows that can be identified with homogeneous polynomials of degree n is proposed.
Abstract: This paper proposes a new construction of the visual secret sharing scheme for the (n, n)-threshold access structure applicable to color images. The construction uses matrices with n rows that can be identified with homogeneous polynomials of degree n. It is shown that, if we find a set of homogeneous polynomials of degree n satisfying a certain system of simultaneous partial differential equations, we can construct a visual secret sharing scheme for the (n, n)-threshold access structure by using the matrices corresponding to the homogeneous polynomials. The construction is easily extended to the cases of the (t, n)-threshold access structure and more general access structures. key words: secret sharing, visual secret sharing, visual cryptol-

Book ChapterDOI
19 Aug 2001
TL;DR: This work introduces complete primitives of minimal cardinality for secure multi-party computation in the multiparty setting, and shows that these primitives are complete and of the minimal cardinality possible.
Abstract: The study of minimal cryptographic primitives needed to implement secure computation among two or more players is a fundamental question in cryptography. The issue of complete primitives for the case of two players has been thoroughly studied. However, in the multiparty setting, when there are n > 2 players and t of them are corrupted, the question of what are the simplest complete primitives remained open for t ≥ n/3. We consider this question, and introduce complete primitives of minimal cardinality for secure multi-party computation. The cardinality issue (number of players accessing the primitive) is essential in settings where the primitives are implemented by some other means, and the simpler the primitive the easier it is to realize it.We show that our primitives are complete and of minimal cardinality possible.

Journal ArticleDOI
TL;DR: A necessary condition on the types of subsets that are allowed in an ideal access structure as well as an upper bound on the number of such access structures are obtained.
Abstract: In an ideal secret sharing scheme, the access structure is uniquely determined by its minimal sets \Delta_s. The purpose of this paper is to characterise \Delta_s. We introduce the concept of strong connectivity and show that under this equivalence relation, an ideal secret sharing scheme decomposes into threshold schemes. We also give a description of the minimal sets that span the strong connectivity classes. As a result we obtain a necessary condition on the types of subsets that are allowed in an ideal access structure as well as an upper bound on the number of such access structures.

Journal Article
TL;DR: This paper introduces complete primitives of minimal cardinality for secure multi-party computation, and shows that these primitives are complete and of the minimal cardinality possible for most cases.
Abstract: The study of minimal cryptographic primitives needed to implement secure computation among two or more players is a fundamental question in cryptography. The issue of complete primitives for the case of two players has been thoroughly studied. However, in the multi-party setting, when there are n > 2 players and t of them are corrupted, the question of what are the simplest complete primitives remained open for t > n/3. We consider this question, and introduce complete primitives of minimal cardinality for secure multi-party computation. The cardinality issue (number of players accessing the primitive) is essential in settings where the primitives are implemented by some other means, and the simpler the primitive the easier it is to realize it. We show that our primitives are complete and of minimal cardinality possible.

Book ChapterDOI
13 Nov 2001
TL;DR: In this article, the average cheating probability \bar{\rho} over all cheating and original vectors is shown to satisfy \bar{\rho} \ge 1/2, with equality exactly when every \rho_{c,\alpha} = 1/2; a secret sharing with this property is said to be cheating immune.
Abstract: We consider secret sharing with binary shares. This model allows us to use the well developed theory of cryptographically strong boolean functions. We prove that for given secret sharing, the average cheating probability over all cheating and original vectors, i.e., \bar{\rho} = \frac{1}{n} 2^{-n} \sum_{c=1}^{n} \sum_{\alpha \in V_n} \rho_{c,\alpha}, satisfies \bar{\rho} \ge 1/2, and the equality holds \iff \rho_{c,\alpha} = 1/2 for every cheating vector \delta_c and every original vector \alpha. In this case the secret sharing is said to be cheating immune. We further establish a relationship between cheating-immune secret sharing and cryptographic criteria of boolean functions. This enables us to construct cheating-immune secret sharing.


Patent
19 Jan 2001
TL;DR: Disclosed is a method and apparatus for authenticating a secure transaction by using information about the transaction and about the user, including a secret key; a verifier such as the user's bank can then use the transaction details, the user's identity and the user's secret key to check the secure information supplied to the vendor.
Abstract: Disclosed is a method and apparatus for authenticating a secure transaction by using information about the transaction and about the user, including a secret key. Secure information based upon information about the transaction, and information about the user, including a secret key, is processed. This secure information is provided to the vendor as ordinary private transaction information, in the same manner as a credit card number, or a user name. A verifier, such as the user's bank, credit card company, a trusted authority, or the like, can then use the information about the transaction, the user, and the user's secret key to verify the secure information.

Journal ArticleDOI
TL;DR: A new method for secret sharing is proposed that focuses on image data, called the virtual image sharing method (VISM), which is basically derived from thevirtual image cryptosystem.
Abstract: Like data encryption, secret sharing is an important method of protecting secret messages. However, the basic ideas of secret sharing and data encryption are radically different. In this paper, a new method for secret sharing is proposed that focuses on image data. It is called the virtual image sharing method (VISM). It is basically derived from the virtual image cryptosystem. According to our experiments and security analyses, VISM can divide a secret image into a large number of different shadows which are guaranteed to be significant images. Illegal users cannot detect whether they are real images or not. VISM also guarantees the security of the secret image because no one is able to reconstruct any piece of the secret image without possessing all of the shadows. Besides camouflage and security, VISM has two other benefits. One is its compression ability. The total size of shadows can be smaller than that of the secret image. The other benefit is its efficiency. VISM avoids the painstaking task of applying complex operations or techniques. © 2001 SPIE and IS&T. (DOI: 10.1117/1.1407823)

01 Jan 2001
TL;DR: A modified version of the Pinch multiple secret sharing protocol is proposed, which identifies all cheaters, regardless of their number, improving on previous results by Ghodosi et al.
Abstract: Cryptographic techniques, such as encipherment, digital signatures, key management and secret sharing schemes, are important building blocks in the implementation of all security services. In this thesis, we present a general model for online secret sharing schemes and investigate the design of online secret sharing schemes which are derived from this model such as Cachin and Pinch’s schemes [13, 48]. We propose a modified version of the Pinch multiple secret sharing protocol, which identifies all cheaters, regardless of their number, improving on previous results by Ghodosi et al. [21]. A new scheme is then proposed for computationally secure online secret sharing, in which the shares of the participants can be reused. The security of the scheme is based on the intractability of factoring. This scheme has the advantage that it detects cheating and it enables the identification of all cheaters by an arbitrator, regardless of their number. The scheme does not rely on a “last participant” who reconstructs the secret on behalf of a minimal trusted set: the responsibility is diffused among all participants. In addition, we cryptanalyse the recently proposed signature scheme by Shao, based on the discrete logarithm problem, and show it is subject to homomorphism attacks, despite a claim in [54] to the contrary. Moreover, we show that there are major differences between a digital signature with message recovery scheme and an authenticated encryption scheme and point out that the signature with message recovery scheme that was recently proposed by Chen [14] is actually not a signature scheme. It would more accurately be described as an authenticated encryption scheme. Furthermore, we propose a modification to the Helsinki protocol [5] which prevents 2 attacks by an adversary. Some of the material in Chapters 2, 3 and 4 of the thesis has appeared in published papers [40, 41, 59, 60, 61].

Book ChapterDOI
Martin Hirt, Ueli Maurer
19 Aug 2001
TL;DR: In this article, the authors present a multi-party computation protocol unconditionally secure against an active adversary corrupting up to t < n/3 of the n players, whose communication complexity of O(mn^2) field elements for a circuit with m multiplication gates matches that of the best known protocols for the passive model.
Abstract: We present a very efficient multi-party computation protocol unconditionally secure against an active adversary. The security is maximal, i.e., active corruption of up to t < n/3 of the n players is tolerated. The communication complexity for securely evaluating a circuit with m multiplication gates over a finite field is O(mn^2) field elements, including the communication required for simulating broadcast, but excluding some overhead costs (independent of m) for sharing the inputs and reconstructing the outputs. This corresponds to the complexity of the best known protocols for the passive model, where the corrupted players are guaranteed not to deviate from the protocol. The complexity of our protocol may well be optimal. The constant overhead factor for robustness is small and the protocol is practical.

Posted Content
TL;DR: In this paper, the authors study the problem of simultaneously addressing the above efficiency and security concerns via what they call secure approximations, which guarantee that no additional information is revealed by the approximation beyond what follows from the output of the function being approximated.
Abstract: Approximation algorithms can sometimes provide efficient solutions when no efficient exact computation is known. In particular, approximations are often useful in a distributed setting where the inputs are held by different parties and may be extremely large. Furthermore, for some applications, the parties want to compute a function of their inputs securely without revealing more information than necessary. In this work, we study the question of simultaneously addressing the above efficiency and security concerns via what we call secure approximations. We start by extending standard definitions of secure (exact) computation to the setting of secure approximations. Our definitions guarantee that no additional information is revealed by the approximation beyond what follows from the output of the function being approximated. We then study the complexity of specific secure approximation problems. In particular, we obtain a sublinear-communication protocol for securely approximating the Hamming distance and a polynomial-time protocol for securely approximating the permanent and related NP-hard problems.

Book ChapterDOI
24 Oct 2001
TL;DR: A generalized sharing and recovery scheme suitable for secret images that coalesces vector quantization compression technique and conventional generalized secret sharing scheme to produce pseudo codebooks out of the secret codebook used for compressing the secret image.
Abstract: The secret sharing is an important issue in confirming the security of confidential information. This paper proposes a generalized sharing and recovery scheme suitable for secret images. The scheme coalesces vector quantization (VQ) compression technique and conventional generalized secret sharing scheme to produce pseudo codebooks out of the secret codebook used for compressing the secret image. Every pseudo codebook is held by a participant of the generalized access structure for secret sharing. On the other hand, the secret image can be only recovered by all participants, who belong to the same qualified subgroup of the generalized access structure, to work together with their possessed pseudo codebooks.

Proceedings Article
01 Jan 2001
TL;DR: The paper investigates the design of secret sharing that is immune against cheating (as defined by the Tompa-Woll attack) and considers perfect secret sharing built on highly nonlinear balanced Boolean functions.
Abstract: The paper investigates the design of secret sharing that is immune against cheating (as defined by the Tompa-Woll attack). We examine secret sharing with binary shares and secrets. Bounds on the probability of successful cheating are given for two cases. The first case relates to secret sharing based on bent functions and results in a non-perfect scheme. The second case considers perfect secret sharing built on highly nonlinear balanced Boolean functions.
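The cheating probability that this abstract and the 13 Nov 2001 entry above both reason about, computed exhaustively for a linear and for a bent combiner. This is an added example, not code from either paper. The attack model is an assumption of the example: n participants each hold one bit, the secret is f(x) for a Boolean combiner f, the cheaters are exactly the positions set in a cheating vector delta and hand in their bits flipped, the combiner returns the wrong secret f(x ^ delta), and rho_{delta,alpha} is the fraction of share vectors consistent with the cheaters' view (their own bits plus the wrong secret) that carry the same secret as the real share vector alpha. The averaging over all non-zero delta and all alpha is also this example's own normalisation.

```python
"""Cheating probability of secret sharing with binary shares.

Added illustration (not code from either paper); the attack model and the
averaging normalisation are assumptions described in the docstrings.
"""
from itertools import product
from typing import Callable, Dict, Tuple

Bits = Tuple[int, ...]
Combiner = Callable[[Bits], int]


def xor4(x: Bits) -> int:
    """Linear combiner: secret = x1 ^ x2 ^ x3 ^ x4."""
    return x[0] ^ x[1] ^ x[2] ^ x[3]


def bent4(x: Bits) -> int:
    """Bent (maximally nonlinear, but unbalanced) combiner: x1*x2 ^ x3*x4."""
    return (x[0] & x[1]) ^ (x[2] & x[3])


def _flip(x: Bits, delta: Bits) -> Bits:
    return tuple(a ^ d for a, d in zip(x, delta))


def cheating_probability(f: Combiner, delta: Bits, alpha: Bits) -> float:
    """rho_{delta,alpha} under the assumed model.

    The cheaters (positions where delta is 1) know their own bits of alpha
    and the wrong secret f(alpha ^ delta). A share vector x is consistent
    with that view if it agrees with alpha on the cheaters' positions and
    f(x ^ delta) equals the wrong secret. rho is the fraction of consistent
    x whose real secret f(x) equals the true secret f(alpha); rho = 1 means
    the cheaters learn the secret with certainty.
    """
    n = len(alpha)
    cheaters = [i for i, d in enumerate(delta) if d]
    wrong_secret = f(_flip(alpha, delta))
    consistent = [
        x for x in product((0, 1), repeat=n)
        if all(x[i] == alpha[i] for i in cheaters)
        and f(_flip(x, delta)) == wrong_secret
    ]
    same_secret = sum(1 for x in consistent if f(x) == f(alpha))
    return same_secret / len(consistent)   # alpha itself is always consistent


def cheating_table(f: Combiner, n: int) -> Dict[Tuple[Bits, Bits], float]:
    """rho for every non-zero cheating vector and every original vector."""
    table: Dict[Tuple[Bits, Bits], float] = {}
    for delta in product((0, 1), repeat=n):
        if not any(delta):
            continue                       # delta = 0 is not an attack
        for alpha in product((0, 1), repeat=n):
            table[(delta, alpha)] = cheating_probability(f, delta, alpha)
    return table


def average_cheating_probability(f: Combiner, n: int) -> float:
    """Mean of rho over the whole table. For a fixed cheaters' view the
    consistent vectors split into a fraction p with secret 0 and 1-p with
    secret 1, and the mean of rho over them is p^2 + (1-p)^2 >= 1/2, so the
    overall mean is never below 1/2 whatever the combiner."""
    table = cheating_table(f, n)
    return sum(table.values()) / len(table)


if __name__ == "__main__":
    for name, f in (("xor4", xor4), ("bent4", bent4)):
        table = cheating_table(f, 4)
        print(f"{name}: min rho={min(table.values()):.3f} "
              f"max rho={max(table.values()):.3f} "
              f"mean rho={average_cheating_probability(f, 4):.3f}")
```

With a linear combiner, f(x ^ delta) = f(x) ^ f(delta), so the wrong secret hands the cheaters the true one and rho is 1 for every delta and alpha; that is the reason both papers tie cheating immunity to nonlinearity criteria of the combiner. The bent combiner drives rho down for single-bit cheaters (3/4 or 1/4 depending on alpha) but not for every pattern: two cheaters who both flip still get rho = 1 because (x1^1)(x2^1) ^ x1*x2 depends only on their own bits, which is why the second paper moves on to highly nonlinear balanced functions rather than bent ones.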

Journal ArticleDOI
01 May 2001
TL;DR: The claim made previously by the authors, that their scheme is secure against cheating by a participant, is false, and the cheater might also be the only one who obtains the secret.
Abstract: T.Y. Lin and T.C. Wu (1999) gave a (t, n)-threshold verifiable multisecret sharing scheme ((t, n)-VMSS) of the following kind. A secret dealer (SD) issues secret shares to each of n participants, and any more than t participants can cooperatively reconstruct the secrets. The purpose of this paper is to point out that the claim made previously by the authors, that their scheme is secure against cheating by a participant, is false. Further, the cheater might also be the only one who obtains the secret.

08 Dec 2001
TL;DR: A powerful new protocol which detects cheaters immediately and halts the exchange before any more information is revealed, which will present new paradigms in a variety of applications, such as electronic balloting and secure file system fault tolerance.
Abstract: Excellence in Undergraduate Research. Keywords: Cryptography, secret sharing, distributed security, simultaneously exchange, zero-exchange proof 16 pages [FTP: CMU-CS-93-182.ps] At times it is necessary to obtain a group decision from a number of different nodes over a large network. Secret sharing protocols allow a quorum q of a group of n people to arrive at decisions by having the quorum recompute a predetermined secret, such as an access code, while preventing fewer than q people from gaining any information about the secret. However, current protocols are vulnerable when participants cheat, for example by giving false information to other participants. In this work, I present a powerful new protocol which detects cheaters immediately and halts the exchange before any more information is revealed. In addition, it prevents cheaters from gaining any information without revealing an equal amount of their own. This protocol will present new paradigms in a variety of applications, such as electronic balloting and secure file system fault tolerance.

Book ChapterDOI
11 Jun 2001
TL;DR: A secret sharing scheme is a method for sharing a secret among a set P of n participants where certain qualified subsets of participants can recover the secret by pooling together their information, whereas forbidden subset of participants have no information on the secret.
Abstract: A secret sharing scheme is a method for sharing a secret among a set P of n participants. The secret is encoded into n pieces called shares each of which is given to a distinct participant. Certain qualified subsets of participants can recover the secret by pooling together their information, whereas forbidden subsets of participants have no information on the secret. The specification of the qualified sets and the forbidden sets is called access structure.

Journal Article
TL;DR: This paper proposes a new method for constructing multiple assignment schemes using a combination of the threshold scheme and the cumulative scheme, and shows that the new method yields better results for some special access structures.
Abstract: A secret sharing scheme is a way of protecting a secret by distributing partial information to a set of participants P in such a way that only authorized subsets of P can recover the secret. The family of authorized subsets is called the access structure of the scheme. In 1979, threshold schemes were proposed to realize threshold access structures, and in 1987, multiple assignment schemes were proposed to realize monotone access structures. In this paper, we propose a new method for constructing multiple assignment schemes. Basically, our construction method is a combination of the threshold scheme and the cumulative scheme. We also show that the new method yields better results for some special access structures.
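A worked realisation of the two building blocks the abstract names, added here and not the paper's own code: the 1979 polynomial threshold scheme (Shamir's) over a prime field, and the cumulative scheme that turns an (m, m) threshold scheme into one for an arbitrary monotone access structure by issuing one share per maximal unqualified set to everybody outside that set. It goes slightly beyond the text in also showing the definition from the 11 Jun 2001 entry above in action (qualified sets recover, forbidden sets hold too few points). The field GF(P) with P a Mersenne prime and the four-participant access structure are assumptions of the example.

```python
"""Threshold secret sharing and the cumulative construction of a general
monotone access structure. Added illustration, not code from the paper;
the field and the example access structure are assumptions."""
import secrets
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

P = 2**127 - 1           # Mersenne prime; shares live in GF(P) (assumed field)
Point = Tuple[int, int]  # (x, f(x)) evaluation of the sharing polynomial


def _eval_poly(coeffs: List[int], x: int) -> int:
    acc = 0
    for c in reversed(coeffs):            # Horner's rule
        acc = (acc * x + c) % P
    return acc


def shamir_split(secret: int, t: int, n: int) -> List[Point]:
    """(t, n)-threshold scheme: random polynomial of degree t-1 whose
    constant term is the secret, evaluated at x = 1..n."""
    if not 1 <= t <= n < P:
        raise ValueError("need 1 <= t <= n < P")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def shamir_reconstruct(points: Iterable[Point]) -> int:
    """Lagrange interpolation at x = 0 over GF(P); needs >= t distinct x.
    With fewer than t points every secret is still consistent."""
    pts = list(points)
    if len({x for x, _ in pts}) != len(pts):
        raise ValueError("duplicate x coordinates")
    secret = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def maximal_unqualified_sets(participants, minimal_qualified) -> List[FrozenSet[str]]:
    """Maximal subsets of participants containing no minimal qualified set."""
    participants = tuple(participants)
    minimal_qualified = [frozenset(q) for q in minimal_qualified]

    def qualified(s: FrozenSet[str]) -> bool:
        return any(q <= s for q in minimal_qualified)

    unqualified = [frozenset(s) for r in range(len(participants) + 1)
                   for s in combinations(participants, r)
                   if not qualified(frozenset(s))]
    return [s for s in unqualified if not any(s < u for u in unqualified)]


def cumulative_split(secret: int, participants, minimal_qualified):
    """Cumulative scheme: one (m, m)-threshold share per maximal unqualified
    set U, handed to every participant NOT in U. A qualified set lies inside
    no U, so it collects all m shares; an unqualified set lies inside some U
    and misses that U's share."""
    max_unq = maximal_unqualified_sets(participants, minimal_qualified)
    m = len(max_unq)
    shares = shamir_split(secret, m, m)
    dist: Dict[str, List[Point]] = {p: [] for p in participants}
    for u, share in zip(max_unq, shares):
        for p in participants:
            if p not in u:
                dist[p].append(share)
    return dist, m


def pool_and_reconstruct(dist: Dict[str, List[Point]], group: Iterable[str],
                         m: int) -> Optional[int]:
    """Members of `group` pool their shares; None if fewer than m distinct."""
    pooled: Set[Point] = {pt for p in group for pt in dist[p]}
    if len(pooled) < m:
        return None
    return shamir_reconstruct(sorted(pooled))


if __name__ == "__main__":
    # Constructed access structure on four participants: minimal qualified
    # sets AB, BC and CD, so AC, AD and BD must learn nothing.
    parts = ("A", "B", "C", "D")
    gamma = ["AB", "BC", "CD"]
    dist, m = cumulative_split(0xC0FFEE, parts, gamma)
    for g in ("AB", "BC", "CD", "AC", "AD", "BD"):
        print(g, pool_and_reconstruct(dist, g, m))
```

The cost the abstract alludes to is visible in `cumulative_split`: every participant holds one share per maximal unqualified set it is not a member of, and the number of such sets can grow exponentially in the number of participants, which is why constructions that do better for particular access structures matter.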


Proceedings Article
01 Dec 2001
TL;DR: An efficient, sublinear-communication, private approximate computation for the Hamming distance and an efficient private approximation of the permanent are presented.
Abstract: Approximation algorithms can sometimes provide efficient solutions when no efficient exact computation is known. In particular, approximations are often useful in a distributed setting where the inputs are held by different parties and are extremely large. Furthermore, for some applications, the parties want to cooperate to compute a function of their inputs without revealing more information than necessary. If \hat{f} is an approximation to f, secure multiparty computation of \hat{f} may itself reveal more information than the output of f. In this paper, we present definitions of secure multiparty approximate computations that retain the privacy of a secure computation of f. We present an efficient, sublinear-communication, private approximate computation for the Hamming distance and an efficient private approximation of the permanent.