Showing papers on "Secure two-party computation published in 2001"

Universally composable security: a new paradigm for cryptographic protocols

Abstract: We propose a novel paradigm for defining security of cryptographic protocols, called universally composable security. The salient property of universally composable definitions of security is that they guarantee security even when a secure protocol is composed of an arbitrary set of protocols, or more generally when the protocol is used as a component of an arbitrary system. This is an essential property for maintaining security of cryptographic protocols in complex and unpredictable environments such as the Internet. In particular, universally composable definitions guarantee security even when an unbounded number of protocol instances are executed concurrently in an adversarially controlled manner, they guarantee non-malleability with respect to arbitrary protocols, and more. We show how to formulate universally composable definitions of security for practically any cryptographic task. Furthermore, we demonstrate that practically any such definition can be realized using known techniques, as long as only a minority of the participants are corrupted. We then proceed to formulate universally composable definitions of a wide array of cryptographic tasks, including authenticated and secure communication, key-exchange, public-key encryption, signature, commitment, oblivious transfer, zero knowledge and more. We also make initial steps towards studying the realizability of the proposed definitions in various settings.

Secure multi-party computation problems and their applications: a review and open problems

Abstract: The growth of the Internet has triggered tremendous opportunities for cooperative computation, where people are jointly conducting computation tasks based on the private inputs they each supplies. These computations could occur between mutually untrusted parties, or even between competitors. For example, customers might send to a remote database queries that contain private information; two competing financial organizations might jointly invest in a project that must satisfy both organizations' private and valuable constraints, and so on. Today, to conduct such computations, one entity must usually know the inputs from all the participants; however if nobody can be trusted enough to know all the inputs, privacy will become a primary concern.This problem is referred to as Secure Multi-party Computation Problem (SMC) in the literature. Research in the SMC area has been focusing on only a limited set of specific SMC problems, while privacy concerned cooperative computations call for SMC studies in a variety of computation domains. Before we can study the problems, we need to identify and define the specific SMC problems for those computation domains. We have developed a framework to facilitate this problem-discovery task. Based on our framework, we have identified and defined a number of new SMC problems for a spectrum of computation domains. Those problems include privacy-preserving database query, privacy-preserving scientific computations, privacy-preserving intrusion detection, privacy-preserving statistical analysis, privacy-preserving geometric computations, and privacy-preserving data mining.The goal of this paper is not only to present our results, but also to serve as a guideline so other people can identify useful SMC problems in their own computation domains.

Communication preserving protocols for secure function evaluation

Abstract: A secure function evaluation protocol allows two parties to jointly compute a function f(x,y) of their inputs in a manner not leaking more information than necessary. A major result in this field is: “any function f that can be computed using polynomial resources can be computed securely using polynomial resources” (where “resources” refers to communication and computation). This result follows by a general transformation from any circuit for f to a secure protocol that evaluates f. Although the resources used by protocols resulting from this transformation are polynomial in the circuit size, they are much higher (in general) than those required for an insecure computation of f.We propose a new methodology for designing secure protocols, utilizing the communication complexity tree (or branching program) representation of f. We start with an efficient (insecure) protocol for f and transform it into a secure protocol. In other words, ``any function f that can be computed using communication complexity c can be can be computed securely using communication complexity that is polynomial in c and a security parameter''. We show several simple applications of this new methodology resulting in protocols efficient either in communication or in computation. In particular, we exemplify a protocol for the Millionaires problem, where two participants want to compare their values but reveal no other information. Our protocol is more efficient than previously known ones in either communication or computation.

The round complexity of verifiable secret sharing and secure multicast

Abstract: The round complexity of interactive protocols is one of their most important complexity measures. In this work we study the exact round complexity of two basic secure computation tasks: Verifiable Secret Sharing (VSS) and Secure Multicast.VSS allows a dealer to share a secret among several players in a way that would later allow a unique reconstruction of the secret. It is a well-studied primitive, which is used as a building block in virtually every general protocol for secure multi-party computation. Secure multicast is perhaps the simplest non-trivial instance of a secure computation. It allows a dealer to securely distribute an identical message to all players in a prescribed subset M. Both types of protocols are parameterized by the number of players, n, and a security threshold, t, which bounds the total number of malicious players (possibly including the dealer).We focus on a standard setting of perfect information-theoretic security, where all players have access to secure point-to-point channels and a common broadcast medium. For both types of primitives we prove, using related techniques, tight tradeoffs between the round complexity and the achievable security threshold. Specifically, for the VSS problem we show:2-round VSS is possible iff n>4t, where the ``if'' direction is realized by an efficient protocol.3-round VSS is possible iff n>3t, where the ``if'' direction is realized by an inefficient protocol.4-round efficient VSS is possible if n>3t.For the secure multicast problem we show:2-round secure multicast is (efficiently) possible iff

Secure Multiparty Computation of Approximations

Abstract: Approximation algorithms can sometimes provide efficient solutions when no efficient exact computation is known. In particular, approximations are often useful in a distributed setting where the inputs are held by different parties and are extremely large. Furthermore, for some applications, the parties want to cooperate to compute a function of their inputs without revealing more information than necessary. If f is an approximation to f, secure multiparty computation of f allows the parties to compute f without revealing unnecessary information. However, secure computation of f may not be as private as secure computation of f, because the output of f may itself reveal more information than the output of f. In this paper, we present definitions of secure multiparty approximate computations that retain the privacy of a secure computation of f. We present an efficient, sublinear-communication, private approximate computation for the Hamming distance and an efficient private approximation of the permanent.

Cryptographic security for mobile code

Abstract: We address the protection of mobile code against cheating and potentially malicious hosts. We point out that the recent approach based on computing with "encrypted functions" is limited to the case where only the code originator learns the result of the completion and the host running the code must not notice anything at all. We argue that if the host is to receive some output of the computation, then securing mobile code requires minimal trust in a third party. Tamper-proof hardware installed on each host has been proposed for this purpose. We introduce a new approach for securely executing (fragments of) mobile code that relies on a minimally trusted third party. This party is a generic independent entity, called the secure computation service, which performs some operations on behalf of the mobile application, but does not learn anything about the encrypted computation. Because it is universal, the secure computation service needs to be only minimally trusted and can serve many different applications. We present a protocol based on tools from theoretical cryptography that is quite practical for computing small functions.

A study of several specific secure two-party computation problems

Abstract: Alice has a private input x (of any data type, such as a number, a matrix or a data set). Bob has another private input y. Alice and Bob want to cooperatively conduct a specific computation on x and y without disclosing to the other person any information about her or his private input except for what could be derived from the results. This problem is a Secure Two-party Computation (STC) problem, which has been extensively studied in the past. Several generic solutions have been proposed to solve the general STC problem; however the generic solutions are often too inefficient to be practical. Therefore, in this dissertation, we study several specific STC problems with the goal of finding more efficient solutions than the generic ones. We introduce a number of specific STC problems in the domains of scientific computation, statistical analysis, computational geometry and database query. Most of the problems have not been studied before in the literature. To solve these problems: (1) We investigate how data perturbation could be used to hide data. Data perturbation hides a datum by adding to it a random number. We show that this technique is effective in preserving privacy. (2) We explore how domain specific knowledge can improve the efficiency of the solutions that we develop over the generic solutions that do not consider domain specific knowledge. We show that such knowledge is important in both hiding data and achieving higher efficiency. (3) We also introduce a number of common building blocks that are useful in solving secure two-party computation problems in various computation domains.

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Abstract: In this paper we show that any two-party functionality can be securely computed in a constant number of rounds, where security is obtained against malicious adversaries that may arbitrarily deviate from the protocol specification. This is in contrast to Yao's constant-round protocol that ensures security only in the face of semi-honest adversaries, and to its malicious adversary version that requires a polynomial number of rounds. In order to obtain our result, we present a constant-round protocol for secure coin-tossing of polynomially many coins (in parallel). We then show how this protocol can be used in conjunction with other existing constructions in order to obtain a constant-round protocol for securely computing any two-party functionality. On the subject of coin-tossing, we also present a constant-round perfect coin-tossing protocol, where by "perfect" we mean that the resulting coins are guaranteed to be statistically close to uniform (and not just pseudorandom).

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation.

Abstract: In this paper we show that any two-party functionality can be securely computed in a constant number of rounds, where security is obtained against (polynomial-time) malicious adversaries that may arbitrarily deviate from the protocol specification. This is in contrast to Yao’s constantround protocol that ensures security only in the face of semi-honest adversaries, and to its malicious adversary version that requires a polynomial number of rounds. In order to obtain our result, we present a constant-round protocol for secure coin-tossing of polynomially many coins (in parallel). We then show how this protocol can be used in conjunction with other existing constructions in order to obtain a constant-round protocol for securely computing any two-party functionality. On the subject of coin-tossing, we also present a constant-round almost perfect coin-tossing protocol, where by “almost perfect” we mean that the resulting coins are guaranteed to be statistically close to uniform (and not just pseudorandom).

A Minimal Trusted Computing Base for Dynamically Ensuring Secure Information Flow

Abstract: With each passing year, more and more valuable, confidential information is stored in government and commercial computer systems. Ensuring the security of those computer systems is a challenge with social, political, and technological aspects; computer networks, however, make the technological aspects particularly important as computer systems are exposed to assault from remote sites. Two critical components of the technological computer security problem are access control and data dissemination control. Access control mechanisms prevent unauthorized parties from accessing (e.g. reading, modifying, or executing) confidential data or programs. Data dissemination control mechanisms prevent confidential data from being exposed to unauthorized parties, either by accident or due to malicious code which has gained read-access to the data; e.g. a malicious or erroneous program should never be able to read a “Top Secret” value and write it out as an “Unclassified” result. In this memo we present two contributions addressing the problem of controlling data dissemination, also known as ensuring secure information flow. First, we present a sound, flexible model which dynamically ensures secure data flow with respect to a lattice-based information flow policy, with security classification on a per-word basis. Second, we present a set of hardware mechanisms, most notably the Hash Execution (HEX) unit, which enable the practical implementation of our model. We believe that recent trends in logic and memory density and costs make the architectural overhead of our mechanisms small, and that they are more than offset by the significant benefits they bring to system security. Our dynamic strategy has several advantages over static (compile-time) verificationof secure information flow. It

Communication Complexity and Secure Function Evaluation

Abstract: We suggest two new methodologies for the design of efficient secure protocols, that differ with respect to their underlying computational models. In one methodology we utilize the communication complexity tree (or branching for f and transform it into a secure protocol. In other words, "any function f that can be computed using communication complexity c can be can be computed securely using communication complexity that is polynomial in c and a security parameter". The second methodology uses the circuit computing f, enhanced with look-up tables as its underlying computational model. It is possible to simulate any RAM machine in this model with polylogarithmic blowup. Hence it is possible to start with a computation of f on a RAM machine and transform it into a secure protocol. We show many applications of these new methodologies resulting in protocols efficient either in communication or in computation. In particular, we exemplify a protocol for the "millionaires problem", where two participants want to compare their values but reveal no other information. Our protocol is more efficient than previously known ones in either communication or computation.

About Generic Conversions from any Weakly Secure Encryption Scheme into a Chosen-Ciphertext Secure Scheme

Abstract: Since the appearance of public-key cryptography in the seminal DiffieHellman paper, many schemes have been proposed, but many have been broken. Indeed, for many people, the simple fact that a cryptographic algorithm withstands cryptanalytic attacks for several years is considered as a kind of validation. But some schemes took a long time before being widely studied, and maybe thereafter being broken. A much more convincing line of research has tried to provide “provable” security for cryptographic protocols, in a complexity theory sense: if one can break the cryptographic protocol, one can efficiently solve the underlying problem. Unfortunately, very few practical schemes can be proven in this so-called “standard model” because such a security level rarely meets with efficiency. A convenient way to achieve some kind of validation of efficient schemes has been to identify some concrete cryptographic objects with ideal random ones: hash functions are considered as behaving like random functions, in the so-called “random oracle model”, and groups are used as black-box groups, in which one has to ask for additions to get new elements, in the so-called “generic model”. In this paper we present some generic designs for asymmetric encryption with provable security in the random oracle model.

Secure Multiparty Computation of Approximations (Extended Abstract)

Abstract: Approximation algorithms can sometimes provide ecient solutions when no ecient exact computation is known. In particular, approximations are often useful in a distributed setting where the inputs are held by dierent parties and are extremely large. Furthermore, for some applications, the parties want to cooperate to compute a function of their inputs without revealing more information than necessary. If ^ f is an approximation to f, secure multiparty computation of ^ f may itself reveal more informa- tion than the output of f. In this paper, we present denitions of secure multiparty approximate computations that retain the privacy of a secure computation of f. We present an ecient, sublinear-communication, pri- vate approximate computation for the Hamming distance and an ecient private approximation of the permanent.

Secure computation in a probabilistic polynomial-time process calculus

Abstract: In this paper, we present a general definition for secure computation following the general paradigm: a protocol is secure iff it can emulate an ideal protocol. We start by adopting the probabilistic polynomial-time process calculus, originally presented in [LMMS98], as the natural language to specify protocols. Given the nature of the adversaries together with the secrecy requirements of secure computation protocols, we need to augment the calculus with local output channels and priority terms. Capitalizing on the semantics of the calculus, we extract a Markov process of observations and establish the notion of emulation. After representing the ideal secure computation protocol in the calculus, we present the concept of secure computation via emulation and obtain the associated composition theorem, encompassing both active and passive adversaries. To illustrate the concepts and results in an intuitive and simple manner, we focus the simpler case of oblivious transfer (OT). Finally, we show that our concept of secure OT is equivalent to the concept formalized by Canetti in [Can00], which is based on interactive Turing machines, and discuss the advantages and simplifications introduced by this work.