
Showing papers on "Secure multi-party computation published in 2009"


Proceedings ArticleDOI
29 Jun 2009
TL;DR: A new asymmetric scalar-product-preserving encryption (ASPE) that preserves a special type of scalar product and is shown to resist practical attacks of a different background knowledge level, at a different overhead cost.
Abstract: Service providers like Google and Amazon are moving into the SaaS (Software as a Service) business. They turn their huge infrastructure into a cloud-computing environment and aggressively recruit businesses to run applications on their platforms. To enforce security and privacy on such a service model, we need to protect the data running on the platform. Unfortunately, traditional encryption methods that aim at providing "unbreakable" protection are often not adequate because they do not support the execution of applications such as database queries on the encrypted data. In this paper we discuss the general problem of secure computation on an encrypted database and propose a SCONEDB (Secure Computation ON an Encrypted DataBase) model, which captures the execution and security requirements. As a case study, we focus on the problem of k-nearest neighbor (kNN) computation on an encrypted database. We develop a new asymmetric scalar-product-preserving encryption (ASPE) that preserves a special type of scalar product. We use ASPE to construct two secure schemes that support kNN computation on encrypted data; each of these schemes is shown to resist practical attacks of a different background knowledge level, at a different overhead cost. Extensive performance studies are carried out to evaluate the overhead and the efficiency of the schemes.

801 citations


Journal ArticleDOI
TL;DR: This paper provides a complete description of Yao's protocol along with a rigorous proof of security; to the authors' knowledge, this is the first time an explicit proof of security has been published.
Abstract: In the mid 1980s, Yao presented a constant-round protocol for securely computing any two-party functionality in the presence of semi-honest adversaries (FOCS 1986). In this paper, we provide a complete description of Yao’s protocol, along with a rigorous proof of security. Despite the importance of Yao’s protocol to the theory of cryptography and in particular to the field of secure computation, to the best of our knowledge, this is the first time that an explicit proof of security has been published.

704 citations


Journal ArticleDOI
01 Apr 2009
TL;DR: In this article, the basic paradigms and notions of secure multiparty computation and their relevance to the field of privacy-preserving data mining are surveyed and discussed, as well as the relationship between secure multiparty computation and privacy-preserving data mining.
Abstract: In this paper, we survey the basic paradigms and notions of secure multiparty computation and discuss their relevance to the field of privacy-preserving data mining. In addition to reviewing definitions and constructions for secure multiparty computation, we discuss the issue of efficiency and demonstrate the difficulties involved in constructing highly efficient protocols. We also present common errors that are prevalent in the literature when secure multiparty computation techniques are applied to privacy-preserving data mining. Finally, we discuss the relationship between secure multiparty computation and privacy-preserving data mining, and show which problems it solves and which problems it does not.

651 citations


Book ChapterDOI
21 Jul 2009
TL;DR: This note reports on the first large-scale and practical application of secure multiparty computation, which took place in January 2008, and on the novel cryptographic protocols that were used.
Abstract: In this note, we report on the first large-scale and practical application of secure multiparty computation, which took place in January 2008. We also report on the novel cryptographic protocols that were used.

604 citations


Book ChapterDOI
27 Jul 2009
TL;DR: This paper proposes for the first time a strongly privacy-enhanced face recognition system, which efficiently hides both the biometrics and the result from the server that performs the matching operation, by using techniques from secure multiparty computation.
Abstract: Face recognition is increasingly deployed as a means to unobtrusively verify the identity of people. The widespread use of biometrics raises important privacy concerns, in particular if the biometric matching process is performed at a central or untrusted server, and calls for the implementation of Privacy-Enhancing Technologies. In this paper we propose for the first time a strongly privacy-enhanced face recognition system, which allows one to efficiently hide both the biometrics and the result from the server that performs the matching operation, by using techniques from secure multiparty computation. We consider a scenario where one party provides a face image, while another party has access to a database of facial templates. Our protocol allows the parties to jointly run the standard Eigenfaces recognition algorithm in such a way that the first party cannot learn from the execution of the protocol more than basic parameters of the database, while the second party does not learn the input image or the result of the recognition process. At the core of our protocol lies an efficient protocol for securely comparing two Paillier-encrypted numbers. We show through extensive experiments that the system can be run efficiently on conventional hardware.

546 citations


Posted Content
TL;DR: A new protocol for non-relativistic strong coin tossing is introduced, which matches the security of the best protocol known to date while using a conceptually different approach to achieve the task.
Abstract: After a general introduction, the thesis is divided into four parts. In the first, we discuss the task of coin tossing, principally in order to highlight the effect different physical theories have on security in a straightforward manner, but, also, to introduce a new protocol for non-relativistic strong coin tossing. This protocol matches the security of the best protocol known to date while using a conceptually different approach to achieve the task. In the second part variable bias coin tossing is introduced. This is a variant of coin tossing in which one party secretly chooses one of two biased coins to toss. It is shown that this can be achieved with unconditional security for a specified range of biases, and with cheat-evident security for any bias. We also discuss two further protocols which are conjectured to be unconditionally secure for any bias. The third section looks at other two-party secure computations for which, prior to our work, protocols and no-go theorems were unknown. We introduce a general model for such computations, and show that, within this model, a wide range of functions are impossible to compute securely. We give explicit cheating attacks for such functions. In the final chapter we discuss the task of expanding a private random string, while dropping the usual assumption that the protocol's user trusts her devices. Instead we assume that all quantum devices are supplied by an arbitrarily malicious adversary. We give two protocols that we conjecture securely perform this task. The first allows a private random string to be expanded by a finite amount, while the second generates an arbitrarily large expansion of such a string.

368 citations


Book ChapterDOI
20 Feb 2009
TL;DR: A new cut-and-choose based approach called LEGO (Large Efficient Garbled-circuit Optimization): It is specifically aimed at large circuits, and obtains a factor $\log\vert\mathcal{C}\vert$ improvement in computation and communication over previous cut-and-choose based solutions.
Abstract: This paper continues the recent line of work of making Yao's garbled circuit approach to two-party computation secure against an active adversary. We propose a new cut-and-choose based approach called LEGO (Large Efficient Garbled-circuit Optimization): It is specifically aimed at large circuits. Asymptotically it obtains a factor $\log\vert\mathcal{C}\vert$ improvement in computation and communication over previous cut-and-choose based solutions, where $\vert\mathcal{C}\vert$ is the size of the circuit being computed. The protocol is universally composable (UC) in the OT-hybrid model against a static, active adversary.

160 citations


Book ChapterDOI
20 Feb 2009
TL;DR: These results extend a previous approach of Naor and Pinkas for secure polynomial evaluation to two-party protocols with security against malicious parties and present several solutions which differ in their efficiency, generality, and underlying intractability assumptions.
Abstract: We study the complexity of securely evaluating arithmetic circuits over finite rings. This question is motivated by natural secure computation tasks. Focusing mainly on the case of two-party protocols with security against malicious parties, our main goals are to: (1) only make black-box calls to the ring operations and standard cryptographic primitives, and (2) minimize the number of such black-box calls as well as the communication overhead. We present several solutions which differ in their efficiency, generality, and underlying intractability assumptions. These include: (a) An unconditionally secure protocol in the OT-hybrid model which makes a black-box use of an arbitrary ring R, but where the number of ring operations grows linearly with (an upper bound on) log|R|. (b) Computationally secure protocols in the OT-hybrid model which make a black-box use of an underlying ring, and in which the number of ring operations does not grow with the ring size. The protocols rely on variants of previous intractability assumptions related to linear codes. In the most efficient instance of these protocols, applied to a suitable class of fields, the (amortized) communication cost is a constant number of field elements per multiplication gate and the computational cost is dominated by O(log k) field operations per gate, where k is a security parameter. These results extend a previous approach of Naor and Pinkas for secure polynomial evaluation (SIAM J. Comput., 2006). (c) A protocol for the rings $\mathbb{Z}_m = \mathbb{Z}/m\mathbb{Z}$ which only makes a black-box use of a homomorphic encryption scheme. When m is prime, the (amortized) number of calls to the encryption scheme for each gate of the circuit is constant. All of our protocols are in fact UC-secure in the OT-hybrid model and can be generalized to multiparty computation with an arbitrary number of malicious parties.

148 citations


19 Nov 2009
TL;DR: In this paper, the authors introduce variable bias coin tossing, a variant of coin tossing in which one party secretly chooses one of two biased coins to toss, and show that this can be achieved with unconditional security for a specified range of biases, and with cheat-evident security for any bias.

122 citations


Journal ArticleDOI
TL;DR: A general construction of a zero-knowledge proof for an NP relation $R(x,w)$, which makes only a black-box use of any secure protocol for a related multiparty functionality $f$.
Abstract: A zero-knowledge proof allows a prover to convince a verifier of an assertion without revealing any further information beyond the fact that the assertion is true. Secure multiparty computation allows $n$ mutually suspicious players to jointly compute a function of their local inputs without revealing to any $t$ corrupted players additional information beyond the output of the function. We present a new general connection between these two fundamental notions. Specifically, we present a general construction of a zero-knowledge proof for an NP relation $R(x,w)$, which makes only a black-box use of any secure protocol for a related multiparty functionality $f$. The latter protocol is required only to be secure against a small number of "honest but curious" players. We also present a variant of the basic construction that can leverage security against a large number of malicious players to obtain better efficiency. As an application, one can translate previous results on the efficiency of secure multiparty computation to the domain of zero-knowledge, improving over previous constructions of efficient zero-knowledge proofs. In particular, if verifying $R$ on a witness of length $m$ can be done by a circuit $C$ of size $s$, and assuming that one-way functions exist, we get the following types of zero-knowledge proof protocols: (1) Approaching the witness length. If $C$ has constant depth over $\wedge,\vee,\oplus,\neg$ gates of unbounded fan-in, we get a zero-knowledge proof protocol with communication complexity $m\cdot{poly}(k)\cdot{polylog}(s)$, where $k$ is a security parameter. (2) "Constant-rate" zero-knowledge. For an arbitrary circuit $C$ of size $s$ and a bounded fan-in, we get a zero-knowledge protocol with communication complexity $O(s)+{poly}(k,\log s)$. Thus, for large circuits, the ratio between the communication complexity and the circuit size approaches a constant. This improves over the $O(ks)$ complexity of the best previous protocols.

121 citations


Book ChapterDOI
20 Jun 2009
TL;DR: This paper designs a 6-card AND protocol and a 4-card XOR protocol, which succeeds in reducing the number of required cards for secure computations of a Boolean function.
Abstract: There have existed several "card-based protocols" for secure computations of a Boolean function such as AND and XOR. The best result currently known is that AND and XOR can be securely computed using 8 cards and 10 cards, respectively. In this paper, we improve the result: we design a 6-card AND protocol and a 4-card XOR protocol. Thus, this paper succeeds in reducing the number of required cards for secure computations.

Proceedings ArticleDOI
31 May 2009
TL;DR: A unified framework for obtaining Universally Composable (UC) protocols by relying on stand-alone secure non-malleable commitments and shows that UC security where the adversary is a uniform PPT but the simulator is allowed to be a non-uniform PPT is possible without any trusted set-up.
Abstract: We present a unified framework for obtaining Universally Composable (UC) protocols by relying on stand-alone secure non-malleable commitments. Essentially all results on concurrent secure computation--both in relaxed models (e.g., quasi-polynomial time simulation), or with trusted set-up assumptions (e.g., the CRS model, the imperfect CRS model, or the timing model)--are obtained as special cases of our framework. This not only leads to conceptually simpler solutions, but also to improved set-up assumptions, round-complexity, and computational assumptions. Additionally, this framework allows us to consider new relaxed models of security: we show that UC security where the adversary is a uniform PPT but the simulator is allowed to be a non-uniform PPT (i.e., essentially, traditional UC security, but with a non-uniform reduction) is possible without any trusted set-up. This gives the first results on concurrent secure computation without set-up, which can be used for securely computing "computationally-sensitive" functionalities (e.g., data-base queries, "proof of work"-protocols, or playing bridge on the Internet).

Proceedings ArticleDOI
01 Sep 2009
TL;DR: This paper proposes an efficient framework to carry out privacy preserving surveillance by splitting each frame into a set of random images, which enables distributed secure processing and storage, while retaining the ability to reconstruct the original data in case of a legal requirement.
Abstract: Widespread use of surveillance cameras in offices and other business establishments poses a significant threat to the privacy of the employees and visitors. The challenge of introducing privacy and security in such a practical surveillance system has been stifled by the enormous computational and communication overhead required by the solutions. In this paper, we propose an efficient framework to carry out privacy preserving surveillance. We split each frame into a set of random images. Each image by itself does not convey any meaningful information about the original frame, while collectively, they retain all the information. Our solution is derived from a secret sharing scheme based on the Chinese Remainder Theorem, suitably adapted to image data. Our method enables distributed secure processing and storage, while retaining the ability to reconstruct the original data in case of a legal requirement. The system installed in an office-like environment can effectively detect and track people, or solve similar surveillance tasks. Our proposed paradigm is highly efficient compared to Secure Multiparty Computation, making privacy preserving surveillance practical.

Journal ArticleDOI
TL;DR: A verifiable image secret sharing scheme, which is based on the Thien-Lin scheme and the intractability of the discrete logarithm, and the size of each shadow image is smaller than that of the original secret image.

Proceedings ArticleDOI
09 Nov 2009
TL;DR: A privacy-protection framework is proposed that partitions a genomic computation, distributing the part on sensitive data to the data provider and the part on the public data to the user of the data through program specialization.
Abstract: In this paper, we present a new approach to performing important classes of genomic computations (e.g., search for homologous genes) that makes a significant step towards privacy protection in this domain. Our approach leverages a key property of the human genome, namely that the vast majority of it is shared across humans (and hence public), and consequently relatively little of it is sensitive. Based on this observation, we propose a privacy-protection framework that partitions a genomic computation, distributing the part on sensitive data to the data provider and the part on the public data to the user of the data. Such a partition is achieved through program specialization that enables a biocomputing program to perform a concrete execution on public data and a symbolic execution on sensitive data. As a result, the program is simplified into an efficient query program that takes only sensitive genetic data as inputs. We prove the effectiveness of our techniques on a set of dynamic programming algorithms common in genomic computing. We develop a program transformation tool that automatically instruments a legacy program for specialization operations. We also demonstrate that our techniques can greatly facilitate secure multi-party computations on large biocomputing problems.

Book ChapterDOI
20 Feb 2009
TL;DR: In this article, a simple protocol for secret reconstruction in any threshold secret sharing scheme was proposed, and it was shown that all parties will learn the secret with high probability when the honest parties follow the protocol and the rational parties act in their own self-interest.
Abstract: We provide a simple protocol for secret reconstruction in any threshold secret sharing scheme, and prove that it is fair when executed with many rational parties together with a small minority of honest parties. That is, all parties will learn the secret with high probability when the honest parties follow the protocol and the rational parties act in their own self-interest (as captured by a set-Nash analogue of trembling hand perfect equilibrium). The protocol only requires a standard (synchronous) broadcast channel, tolerates both early stopping and incorrectly computed messages, and only requires 2 rounds of communication. Previous protocols for this problem in the cryptographic or economic models have either required an honest majority, used strong communication channels that enable simultaneous exchange of information, or settled for approximate notions of security/equilibria. They all also required a nonconstant number of rounds of communication.

Journal ArticleDOI
TL;DR: This paper considers the situation in which more than t shareholders participate in the secret reconstruction and uses the shares generated by the dealer to reconstruct the secret and, at the same time, to detect and identify cheaters.
Abstract: In a (t, n) secret sharing scheme, a secret s is divided into n shares and shared among a set of n shareholders by a mutually trusted dealer in such a way that any t or more than t shares will be able to reconstruct this secret; but fewer than t shares cannot know any information about the secret. When shareholders present their shares in the secret reconstruction phase, dishonest shareholder(s) (i.e. cheater(s)) can always exclusively derive the secret by presenting faked share(s) and thus the other honest shareholders get nothing but a faked secret. Cheater detection and identification are very important to achieve fair reconstruction of a secret. In this paper, we consider the situation in which more than t shareholders participate in the secret reconstruction. Since more than t shares are presented (i.e. only t shares are required) for reconstructing the secret, the redundant shares can be used for cheater detection and identification. Our proposed scheme uses the shares generated by the dealer to reconstruct the secret and, at the same time, to detect and identify cheaters. We have included discussion on three attacks of cheaters and bounds of detectability and identifiability of our proposed scheme under these three attacks. Our proposed scheme is an extension of Shamir's secret sharing scheme.

Book ChapterDOI
TL;DR: The Anonymous Veto Network (or AV-net), overcomes all the major limitations of DC-nets, including the complex key setup, message collisions and susceptibility to disruptions, and provides the strongest protection against collusion -- only full collusion can breach the anonymity of message senders.
Abstract: The dining cryptographers network (or DC-net) is a seminal technique devised by Chaum to solve the dining cryptographers problem -- namely, how to send a boolean-OR bit anonymously from a group of participants. In this paper, we investigate the weaknesses of DC-nets, study alternative methods and propose a new way to tackle this problem. Our protocol, Anonymous Veto Network (or AV-net), overcomes all the major limitations of DC-nets, including the complex key setup, message collisions and susceptibility to disruptions. While DC-nets are unconditionally secure, AV-nets are computationally secure under the Decision Diffie-Hellman (DDH) assumption. An AV-net is more efficient than other techniques based on the same public-key primitives. It requires only two rounds of broadcast and the least computational load and bandwidth usage per participant. Furthermore, it provides the strongest protection against collusion -- only full collusion can breach the anonymity of message senders.

Book ChapterDOI
16 Apr 2009
TL;DR: The results show that in cryptographic protocols, the reliance on randomness and the ability to keep state can be made significantly weaker.
Abstract: The notion of resettable zero-knowledge (rZK) was introduced by Canetti, Goldreich, Goldwasser and Micali (FOCS'01) as a strengthening of the classical notion of zero-knowledge. A rZK protocol remains zero-knowledge even if the verifier can reset the prover back to its initial state anytime during the protocol execution and force it to use the same random tape again and again. Following this work, various extensions of this notion were considered for the zero-knowledge and witness indistinguishability functionalities. In this paper, we initiate the study of resettability for more general functionalities. We first consider the setting of resettable two-party computation where a party (called the user) can reset the other party (called the smartcard) anytime during the protocol execution. After being reset, the smartcard comes back to its original state and thus the user has the opportunity to start interacting with it again (knowing that the smartcard will use the same set of random coins). In this setting, we show that it is possible to securely realize all PPT computable functionalities under the most natural (simulation based) definition. Thus our results show that in cryptographic protocols, the reliance on randomness and the ability to keep state can be made significantly weaker. Our simulator for the aforementioned resettable two-party computation protocol (inherently) makes use of non-black box techniques. Second, we provide a construction of simultaneous resettable multi-party computation with an honest majority (where the adversary not only controls a minority of parties but is also allowed to reset any number of parties at any point). Interestingly, all our results are in the plain model.

Journal ArticleDOI
TL;DR: By modifying the distribution process of particles and adding a detection step after each distribution process, this work proposes an improved protocol which can resist this kind of attack.
Abstract: The security of quantum secret sharing based on entanglement swapping is revisited and a participant attack is presented. In this attack two dishonest agents together can illegally recover the secret quantum state without the help of any other controller, and it will not be detected by any other users. Furthermore, by modifying the distribution process of particles and adding a detection step after each distribution process, we propose an improved protocol which can resist this kind of attack.

Journal ArticleDOI
TL;DR: This paper presents a distributed PSS method for the matrix projection SSS so that adversaries cannot discover the secrets from k shares which are mixed with past and present shares.
Abstract: A Proactive Secret Sharing (PSS) scheme is a method to periodically renew n secret shares in a (k, n) threshold-based Secret Sharing Scheme (SSS) without modifying the secret, or reconstructing the secret to reproduce new shares. Traditionally, PSS schemes are developed for Shamir's SSS, which is a single SSS. Bai (2006) developed a multiple-secret sharing scheme using matrix projection. This paper presents a distributed PSS method for the matrix projection SSS. Once the new shares are updated, adversaries cannot discover the secrets from k shares which are mixed with past and present shares.

Proceedings ArticleDOI
31 Aug 2009
TL;DR: This paper proposes efficient secure comparison protocols for both the homomorphic encryption and secret sharing schemes and gives experimental results to show their practical relevance.
Abstract: Secure Multiparty Computation (SMC) has gained tremendous importance with the growth of the Internet and E-commerce, where mutually untrusted parties need to jointly compute a function of their private inputs. However, SMC protocols usually have very high computational complexities, rendering them practically unusable. In this paper, we tackle the problem of comparing two input values in a secure distributed fashion. We propose efficient secure comparison protocols for both the homomorphic encryption and secret sharing schemes. We also give experimental results to show their practical relevance.

Journal ArticleDOI
TL;DR: This paper enhances commonly used subprotocols that are secure in the semi-honest model with zero knowledge proofs to be secure in the malicious model and compares the performance of these protocols in both models.
Abstract: Most of the cryptographic work in privacy-preserving distributed data mining deals with semi-honest adversaries, which are assumed to follow the prescribed protocol but try to infer private information using the messages they receive during the protocol. Although the semi-honest model is reasonable in some cases, it is unrealistic to assume that adversaries will always follow the protocols exactly. In particular, malicious adversaries could deviate arbitrarily from their prescribed protocols. Secure protocols that are developed against malicious adversaries require utilisation of complex techniques. Clearly, protocols that can withstand malicious adversaries provide more security. However, there is an obvious trade-off: protocols that are secure against malicious adversaries are generally more expensive than those secure against semi-honest adversaries only. In this paper, our goal is to make an analysis of trade-offs between performance and security in privacy-preserving distributed data mining algorithms in the two models. In order to make a realistic comparison, we enhance commonly used subprotocols that are secure in the semi-honest model with zero knowledge proofs to be secure in the malicious model. We compare the performance of these protocols in both models.

Proceedings ArticleDOI
08 Mar 2009
TL;DR: In this article, the authors consider the case where the objective function and the constraints are partitioned between two parties with one party holding the objective while the other holds the constraints, and propose a secure transformation based solution that has the significant added benefit of being independent of the specific linear programming algorithm used.
Abstract: With the rapid increase in computing, storage and networking resources, data is not only collected and stored, but also analyzed. This creates a serious privacy problem which often inhibits the use of this data. In this paper, we focus on the problem of linear programming, which is the most important sub-class of optimization problems. We consider the case where the objective function and the constraints are partitioned between two parties with one party holding the objective while the other holds the constraints. We propose a very efficient and secure transformation based solution that has the significant added benefit of being independent of the specific linear programming algorithm used.

Posted Content
TL;DR: In this paper the data of each individual party is broken into a fixed number of segments, and the randomization technique with segmentation is used for increasing the complexity.
Abstract: Secure Multiparty Computation (SMC) allows parties to know the result of cooperative computation while preserving privacy of individual data. Secure sum computation is an important application of SMC. In our proposed protocols parties are allowed to compute the sum while keeping their individual data secret with increased computation complexity for hacking individual data. In this paper the data of each individual party is broken into a fixed number of segments. For increasing the complexity we have used the randomization technique with segmentation.

Proceedings ArticleDOI
07 Dec 2009
TL;DR: This work develops a mechanism to select the most reliable delegates based on an effective trust measure that minimizes the likelihood of the secret being stolen by an adversary and is shown to be effective against various collusive attacks.
Abstract: We study a new application of threshold-based secret sharing in a distributed online social network (DOSN), where users need a means to back up and recover their private keys in a network of untrusted servers. Using a simple threshold-based secret sharing in such an environment is insufficiently secure, since delegates keeping the secret shares may collude to steal the user's private keys. To mitigate this problem, we propose using different techniques to improve the system security: by selecting only the most reliable delegates for keeping these shares and further by encrypting the shares with passwords. We develop a mechanism to select the most reliable delegates based on an effective trust measure. Specifically, relationships among the secret owner, delegate candidates and their related friends are used to estimate the trustworthiness of a delegate. This trust measure minimizes the likelihood of the secret being stolen by an adversary and is shown to be effective against various collusive attacks. Extensive simulations show that the proposed trust-based delegate selection performs very well in highly vulnerable environments where the adversary controls many nodes with different distributions and even with spreading of infections in the network. In fact, the number of keys lost is very low under extremely pessimistic assumptions of the adversary model.

Book ChapterDOI
20 Feb 2009
TL;DR: A very efficient and purely rational solution to the rational secret sharing problem with a verifiable trusted channel is exhibited.
Abstract: Rational secret sharing is a problem at the intersection of cryptography and game theory. In essence, a dealer wishes to engineer a communication game that, when rationally played, guarantees that each of the players learns the dealer's secret. Yet, all solutions proposed so far did not rely solely on the players' rationality, but also on their beliefs, and were also quite inefficient. After providing a more complete definition of the problem, we exhibit a very efficient and purely rational solution to it with a verifiable trusted channel.

Book ChapterDOI
19 Aug 2009
TL;DR: It is proved that in the basic setting, rational secret sharing cannot be achieved without dependence on the actual utility values of parties, and it is shown that by somewhat relaxing the standard assumptions on the utility functions, it is possible to achieve utility independence.
Abstract: The problem of carrying out cryptographic computations when the participating parties are rational in a game-theoretic sense has recently gained much attention. One problem that has been studied considerably is that of rational secret sharing. In this setting, the aim is to construct a mechanism (protocol) so that parties behaving rationally have incentive to cooperate and provide their shares in the reconstruction phase, even if each party prefers to be the only one to learn the secret. Although this question was only recently asked by Halpern and Teague (STOC 2004), a number of works with beautiful ideas have been presented to solve this problem. However, they all have the property that the protocols constructed need to know the actual utility values of the parties (or at least a bound on them). This assumption is very problematic because the utilities of parties are not public knowledge. We ask whether this dependence on the actual utility values is really necessary and prove that in the basic setting, rational secret sharing cannot be achieved without it. On the positive side, we show that by somewhat relaxing the standard assumptions on the utility functions, it is possible to achieve utility independence. In addition to the above, we observe that the known protocols for rational secret sharing that do not assume simultaneous channels all suffer from the problem that one of the parties can cause the others to output an incorrect value. (This problem arises when a party gains higher utility by having another output an incorrect value than by learning the secret itself; we argue that such a scenario is not at all unlikely.) We show that this problem is inherent in the non-simultaneous channels model, unless the actual values of the parties' utilities from this attack are known, in which case it is possible to prevent this from happening.

Journal ArticleDOI
TL;DR: This work proposes an enhancement of Zhou et al.'s QSS protocol with the technique of the Bell measurement, which has 50% qubit efficiency.
Abstract: Recently, Zhou et al. proposed a quantum secret sharing (QSS) protocol, which provides only 25% qubit efficiency after the processes of the random sampling discussion and the secret derivation. This work proposes an enhancement of Zhou et al.'s protocol. With the technique of the Bell measurement, the improved QSS protocol has 50% qubit efficiency.

Book ChapterDOI
30 Aug 2009
TL;DR: A privacy-aware centralized solution based on an efficient three-party secure computation protocol, named Longitude, that allows a user to know if any of her contacts is close-by without revealing any location information to the service provider.
Abstract: A "friend finder" is a Location Based Service (LBS) that informs users about the presence of participants in a geographical area. In particular, one of the functionalities of this kind of application reveals the users that are in proximity. Several implementations of the friend finder service already exist but, to the best of our knowledge, none of them provides a satisfactory technique to protect users' privacy. While several techniques have been proposed to protect users' privacy for other types of spatial queries, these techniques are not appropriate for range queries over moving objects, like those used in friend finders. Solutions based on cryptography in decentralized architectures have been proposed, but we show that a centralized service has several advantages in terms of communication costs, in addition to supporting current business models. In this paper, we propose a privacy-aware centralized solution based on an efficient three-party secure computation protocol, named Longitude. The protocol allows a user to know if any of her contacts is close-by without revealing any location information to the service provider. The protocol also ensures that user-defined minimum privacy requirements with respect to the location information revealed to other buddies are satisfied. Finally, we present an extensive experimental work that shows the applicability of the proposed technique and the advantages over alternative proposals.