Showing papers on "Secure two-party computation published in 2011"

Faster secure two-party computation using garbled circuits

Abstract: Secure two-party computation enables two parties to evaluate a function cooperatively without revealing to either party anything beyond the function’s output. The garbled-circuit technique, a generic approach to secure two-party computation for semi-honest participants, was developed by Yao in the 1980s, but has been viewed as being of limited practical significance due to its inefficiency. We demonstrate several techniques for improving the running time and memory requirements of the garbled-circuit technique, resulting in an implementation of generic secure two-party computation that is significantly faster than any previously reported while also scaling to arbitrarily large circuits. We validate our approach by demonstrating secure computation of circuits with over 10 9 gates at a rate of roughly 10 ms per garbled gate, and showing order-of-magnitude improvements over the best previous privacy-preserving protocols for computing Hamming distance, Levenshtein distance, Smith-Waterman genome alignment, and AES.

Secure two-party computation via cut-and-choose oblivious transfer

Abstract: Protocols for secure two-party computation enable a pair of parties to compute a function of their inputs while preserving security properties such as privacy, correctness and independence of inputs. Recently, a number of protocols have been proposed for the efficient construction of two-party computation secure in the presence of malicious adversaries (where security is proven under the standard simulationbased ideal/real model paradigm for defining security). In this paper, we present a protocol for this task that follows the methodology of using cut-and-choose to boost Yao's protocol to be secure in the presence of malicious adversaries. Relying on specific assumptions (DDH), we construct a protocol that is significantly more efficient and far simpler than the protocol of Lindell and Pinkas (Eurocrypt 2007) that follows the same methodology. We provide an exact, concrete analysis of the efficiency of our scheme and demonstrate that (at least for not very small circuits) our protocol is more efficient than any other known today.

Outsourcing Multi-Party Computation.

Abstract: We initiate the study of secure multi-party computation (MPC) in a server-aided setting, where the parties have access to a single server that (1) does not have any input to the computation; (2) does not receive any output from the computation; but (3) has a vast (but bounded) amount of computational resources. In this setting, we are concerned with designing protocols that minimize the computation of the parties at the expense of the server. We develop new definitions of security for this server-aided setting that generalize the standard simulation-based definitions for MPC and allow us to formally capture the existence of dishonest but non-colluding participants. This requires us to introduce a formal characterization of non-colluding adversaries that may be of independent interest. We then design general and special-purpose server-aided MPC protocols that are more efficient (in terms of computation and communication) for the parties than the alternative of running a standard MPC protocol (i.e., without the server). Our main general-purpose protocol provides security when there is at least one honest party with input. We also construct a new and efficient server-aided protocol for private set intersection and give a general transformation from any secure delegated computation scheme to a server-aided two-party protocol. ∗Microsoft Research. senyk@microsoft.com. †University of Calgary. pmohassel@cspc.ucalgary.ca. Work done while visiting Microsoft Research. ‡Columbia University. mariana@cs.columbia.edu. Work done as an intern at Microsoft Research.

Efficient secure computation with garbled circuits

Abstract: Secure two-party computation enables applications in which participants compute the output of a function that depends on their private inputs, without revealing those inputs or relying on any trusted third party In this paper, we show the potential of building privacy-preserving applications using garbled circuits, a generic technique that until recently was believed to be too inefficient to scale to realistic problems We present a Java-based framework that uses pipelining and circuit-level optimizations to build efficient and scalable privacy-preserving applications Although the standard garbled circuit protocol assumes a very week, honest-but-curious adversary, techniques are available for converting such protocols to resist stronger adversaries, including fully malicious adversaries We summarize approaches to producing malicious-resistant secure computations that reduce the costs of transforming a protocol to be secure against stronger adversaries In addition, we summarize results on ensuring fairness, the property that either both parties receive the result or neither party does Several open problems remain, but as theory and pragmatism advance, secure computation is approaching the point where it offers practical solutions for a wide variety of important problems

Secure computation on the web: computing without simultaneous interaction

Abstract: Secure computation enables mutually suspicious parties to compute a joint function of their private inputs while providing strong security guarantees. However, its use in practice seems limited. We argue that one of the reasons for this is that the model of computation on the web is not suited to the type of communication patterns needed for secure computation. Specifically, in most web scenarios clients independently connect to servers, interact with them and then leave. This rules out the use of secure computation protocols that require that all participants interact simultaneously. We initiate a study of secure computation in a client-server model where each client connects to the server once and interacts with it, without any other client necessarily being connected at the same time. We point out some inherent limitations in this model and present definitions that capture what can be done. We also present a general feasibility result and several truly practical protocols for a number of functions of interest. All our protocols are based on standard assumptions, and we achieve security both in the semi-honest and malicious adversary models.

Theory of Secure Network Coding

Abstract: In this tutorial paper, we focus on the basic theory of linear secure network coding. Our goal is to present fundamental results and provide preliminary knowledge for anyone interested in the area. We first present a model for secure network coding and then a necessary and sufficient condition for a linear network code to be secure. Optimal methods to construct linear secure network codes are also provided. For further investigation of the secure properties of linear network codes, we illuminate different secure criteria and requirements, with a few alternative models.

Complete Fairness in Secure Two-Party Computation

Abstract: In the setting of secure two-party computation, two mutually distrusting parties wish to compute some function of their inputs while preserving, to the extent possible, various security properties such as privacy, correctness, and more. One desirable property is fairness which guarantees, informally, that if one party receives its output, then the other party does too. Cleve [1986] showed that complete fairness cannot be achieved in general without an honest majority. Since then, the accepted folklore has been that nothing non-trivial can be computed with complete fairness in the two-party setting.We demonstrate that this folklore belief is false by showing completely fair protocols for various nontrivial functions in the two-party setting based on standard cryptographic assumptions. We first show feasibility of obtaining complete fairness when computing any function over polynomial-size domains that does not contain an “embedded XOR”; this class of functions includes boolean AND/OR as well as Yao’s “millionaires’ problem”. We also demonstrate feasibility for certain functions that do contain an embedded XOR, though we prove a lower bound showing that any completely fair protocol for such functions must have round complexity super-logarithmic in the security parameter. Our results demonstrate that the question of completely fair secure computation without an honest majority is far from closed.

Unconditional and composable security using a single stateful tamper-proof hardware token

Abstract: Cryptographic assumptions regarding tamper proof hardware tokens have gained increasing attention. Even if the tamperproof hardware is issued by one of the parties, and hence not necessarily trusted by the other, many tasks become possible: Tamper proof hardware is sufficient for universally composable protocols, for information-theoretically secure protocols, and even allow to create software which can only be used once (One-Time-Programs). However, all known protocols employing tamper-proof hardware are either indirect, i.e., additional computational assumptions must be used to obtain general two party computations or a large number of devices must be used. In this work we present the first protocol realizing universally composable two-party computations (and even trusted One-Time-Programs) with information-theoretic security using only one single tamper-proof device issued by one of the mutually distrusting parties.

Automatically optimizing secure computation

Abstract: On the one hand, compilers for secure computation protocols, such as FairPlay or FairPlayMP, have significantly simplified the development of such protocols. On the other hand, optimized protocols with high performance for special problems demand manual development and security verification. The question considered in this paper is: Can we construct a compiler that produces optimized protocols? We present an optimization technique based on logic inference about what is known from input and output. Using the example of median computation we can show that our program analysis and rewriting technique translates a FairPlay program into an equivalent -- in functionality and security -- program that corresponds to the protocol by Aggarwal et al. Nevertheless our technique is general and can be applied to optimize a wide variety of secure computation protocols.

Adaptively secure broadcast, revisited

Abstract: We consider the classical problem of synchronous broadcast with dishonest majority, when a public-key infrastructure and digital signatures are available In a surprising result, Hirt and Zikas (Eurocrypt 2010) recently observed that all existing protocols for this task are insecure against an adaptive adversary who can choose which parties to corrupt as the protocol progresses Moreover, they prove an impossibility result for adaptively secure broadcast in their settingWe argue that the communication model adopted by Hirt and Zikas is unrealistically pessimistic We revisit the problem of adaptively secure broadcast in a more natural synchronous model (with rushing), and show that broadcast is possible in this setting for an arbitrary number of corruptions Our positive result holds under a strong, simulation-based definition in the universal-composability frameworkWe also study the impact of adaptive attacks on protocols for secure multi-party computation where broadcast is used as a sub-routine

Is multiparty computation any good in practice

Abstract: The aim of this paper is to present some of the recent progress in efficient secure multiparty computation (MPC). In MPC we have a set of parties owning a set of private inputs. The parties want to compute a function of their inputs, but they do not trust each other, therefore they need a cryptographic protocol to perform the computation in a way that 1) the output is correct and 2) cheating parties will not be able to learn any information about the honest parties inputs. Even though this problem has been formulated and essentially solved almost 30 years ago, practical solutions that can be relevant for real-world applications have been discovered only in the last few years. We will present some of these advances, trying to explain to a non-specialized audience the significance of the several existing security notions.

Secure outsourced computation

Abstract: The development of multi-party computation was one of the early achievements of theoretical cryptography. Since that time a number of papers have been published which look at specific application scenarios (e-voting, e-auctions), different security guarantees (computational vs unconditional), different adversarial models (active vs passive, static vs adaptive), different communication models (secure channels, broadcast) and different set-up assumptions (CRS, trusted hardware etc). We examine an application scenario in the area of cloud computing which we call Secure Outsourced Computation. We show that this variant produces less of a restriction on the allowable adversary structures than full multi-party computation. We also show that if one provides the set of computation engines (or Cloud Computing providers) with a small piece of isolated trusted hardware one can outsource any computation in a manner which requires less security constraints on the underlying communication model and at greater computational/communication efficiency than full multi-party computation. In addition our protocol is highly efficient and thus of greater practicality than previous solutions, our required trusted hardware being particularly simple and with minimal trust requirements.

Secure Blocking + Secure Matching = Secure Record Linkage

Abstract: Performing approximate data matching has always been an intriguing problem for both industry and academia. This task becomes even more challenging when the requirement of data privacy rises. In this paper, we propose a novel technique to address the problem of efficient privacy-preserving approximate record linkage. The secure framework we propose consists of two basic components. First, we utilize a secure blocking component based on phonetic algorithms statistically enhanced to improve security. Second, we use a secure matching component where actual approximate matching is performed using a novel private approach of the Levenshtein Distance algorithm. Our goal is to combine the speed of private blocking with the increased accuracy of approximate secure matching. Category: Ubiquitous computing; Security and privacy

Threshold Fully Homomorphic Encryption and Secure Computation.

Abstract: Cramer, Damgard, and Nielsen [CDN01] show how to construct an efficient secure multiparty computation scheme using a threshold homomorphic encryption scheme that has four properties i) a honest-verifier zero-knowledge proof of knowledge of encrypted values, ii) proving multiplications correct iii) threshold decryption and iv) trusted shared key setup. Naor and Nissim [NN01a] show how to construct secure multi-party protocols for a function f whose communication is proportional to the communication required to evaluate f without security, albeit at the cost of computation that might be exponential in the description of f . Gentry [Gen09a] shows how to combine both ideas with fully homomorphic encryption in order to construct secure multi-party protocol that allows evaluation of a function f using communication that is independent of the circuit description of f and computation that is polynomial in | f |. This paper addresses the major drawback’s of Gentry’s approach: we eliminate the use of non-black box methods that are inherent in Naor and Nissim’s compiler. To do this we show how to modify the fully homomorphic encryption construction of van Dijk et al. [vDGHV10] to be threshold fully homomorphic encryption schemes. We directly construct (information theoretically) secure protocols for sharing the secret key for our threshold scheme (thereby removing the setup assumptions) and for jointly decrypting a bit. All of these constructions are constant round and we thoroughly analyze their complexity; they address requirements (iii) and (iv). The fact that the encryption scheme is fully homomorphic addresses requirement (ii). To address the need for an honest-verifier zero-knowledge proof of knowledge of encrypted values, we instead argue that a weaker solution suffices. We provide a 2-round blackbox protocol that allows us to prove knowledge of encrypted bits. Our protocol is not zeroknowledge, but it provably does not release any information about the bit being discussed, and this is sufficient to prove the correctness of a simulation in a method similar to Cramer et al. Altogether, we construct the first black-box secure multi-party computation protocol that allows evaluation of a function f using communication that is independent of the circuit description of f .

Stateless Cryptographic Protocols

Abstract: Secure computation protocols inherently involve multiple rounds of interaction among the parties where, typically a party has to keep a state about what has happened in the protocol so far and then \emph{wait} for the other party to respond. We study if this is inherent. In particular, we study the possibility of designing cryptographic protocols where the parties can be completely stateless and compute the outgoing message by applying a single fixed function to the incoming message (independent of any state). The problem of designing stateless secure computation protocols can be reduced to the problem of designing protocols satisfying the notion of reset table computation introduced by Canetti, Goldreich, Gold wasser and Micali (FOCS'01) and widely studied thereafter. The current start of art in reset table computation allows for construction of protocols which provide security only when a \emph{single predetermined} party is reset table \cite{GoyalSa09}. An exception is for the case of the zero-knowledge functionality for which a protocol in which both parties are reset table was recently obtained by Deng, Goyal and Sahai (FOCS'09). The fundamental question left open in this sequence of works is, whether fully-reset table computation is possible, when:\begin{enumerate}\item An adversary can corrupt any number of parties, and\item The adversary can reset any party to its original state during the execution of the protocol and can restart the protocol. \end{enumerate}In this paper, we resolve the above problem by constructing secure protocols realizing \emph{any} efficiently computable multi-party functionality in the plain model under standard cryptographic assumptions. First, we construct a Fully-Reset table Simulation Sound Zero-Knowledge (ss-rs-rZK) protocol. Next, based on these ss-rs-rZK protocols, we show how to compile any semi-honest secure protocol into a protocol secure against fully resetting adversaries. Next, we study a seemingly unrelated open question: ``Does there exist a functionality which, in the concurrent setting, is impossible to securely realize using BB simulation but can be realized using NBB simulation ? & quot;. We resolve the above question in the affirmative by giving an example of such a (reactive) functionality. Somewhat surprisingly, this is done by making a connection to the existence of a fully reset table simulation sound zero-knowledge protocol.

Server-aided multi-party protocols

Abstract: The disclosed architecture employs techniques that make secure multi-party computation (MPC) practical and scalable. In support of utilizing cloud computing, for example, for evaluating functionality, a third party server can be employed which does not have any input to the computation and does not receive any output from the computation, yet has a vast amount of computational resources. Accordingly, the secure MPC architecture can outsource as much as possible of the computation and communications burden of the parties without the server(s) learning any information about the party inputs.

A Full Proof of the BGW Protocol for Perfectly-Secure Multiparty Computation.

Abstract: In the setting of secure multiparty computation, a set of n parties with private inputs wish to jointly compute some functionality of their inputs. One of the most fundamental results of secure computation was presented by Ben-Or, Goldwasser, and Wigderson (BGW) in 1988. They demonstrated that any n-party functionality can be computed with perfect security, in the private channels model. When the adversary is semi-honest, this holds as long as $$t

Forecasting Run-Times of Secure Two-Party Computation

Abstract: Secure computation (SC) are cryptographic protocols that enable multiple parties to perform a joint computation while retaining the privacy of their inputs. It is current practice to evaluate the performance of SC protocols using complexity approximations of computation and communication. Due to the disparate complexity measures and constants this approach fails at reliably predicting the performance. We contribute a performance model (PM) for forecasting run-times of secure two-party computations. We show the correctness of our PM by an empirical study on the problem of secure division which is relevant for many real world SCs, e.g., k-means clustering or supply chain optimization. We show that our PM can be used to make an optimal selection of an algorithm and cryptographic protocol combination, as well as to determine the implicit security tradeoffs. The predictions of our PM can be used to design or select more efficient or more secure protocols.

Secure Computation with Information Leaking to an Adversary.

Abstract: Assume that Alice is running a program P on a RAM, and an adversary Bob would like to get some information about the input or output of the program. At each time, during the execution of P, Bob is able to see the addresses of the memory cells involved in the instruction which is executed and the name of the instruction. In addition to this, at certain times, Bob can even see the contents of all of the memory cells involved in the instruction. We will call a time when this happens a compromised time. Bob can choose the compromised times in an adaptive way, that is, immediately before the instruction at time t is executed, Bob, using all of the information at his disposal, can decide whether time t will be compromised or not. The only restriction on his choice is, that among m consecutive instructions there can be at most e m whose time is compromised, where e>0 is a small constant. We show that if m= c⌊ log n ⌋, where c>0 is a large constant, then for each program P, using n memory cells and time T=O(poly(n)), Alice can construct a functionally equivalent program P', such that the probability that Bob gets any nontrivial information about the input of P is negligible, and the time and space requirements of P' grows, compared to P, only by a factor of poly(log n). We assume that the program P' gets its input in an encoded form, namely each input bit b is encoded by a random 0,1-sequence of length m whose parity is b. The output bits must be encoded by P' in a similar way.As part of the proof of the result described above we also construct for all positive integers m, and for all boolean circuits C of size n a functionally equivalent circuit C' of size O(n poly(m)) with the following properties. Assume that an adversary can observe each bit going through the wires of the circuit C' independently with a probability of e, where e>0 is a small constant, and each input/output bit of C is encoded by m input/output bits of C' the same way as described above for RAMs. Then, such an adversary, while observing C', can get any information about the input/output of the circuit C only with a probability of ne-cm, where c>0 is a constant.

Secure Computation Without Authentication

Abstract: Research on secure multiparty computation has mainly concentrated on the case where the parties can authenticate each other and the communication between them. This work addresses the question of what security can be guaranteed when authentication is not available. We consider a completely unauthenticated setting, where all messages sent by the parties may be tampered with and modified by the adversary without the uncorrupted parties being able to detect this fact. In this model, it is not possible to achieve the same level of security as in the authenticated-channel setting. Nevertheless, we show that meaningful security guarantees can be provided: Essentially, all the adversary can do is to partition the network into disjoint sets, where in each set the computation is secure in of itself, and also independent of the computation in the other sets. In this setting we provide, for the first time, nontrivial security guarantees in a model with no setup assumptions whatsoever. We also obtain similar results while guaranteeing universal composability, in some variants of the common reference string model. Finally, our protocols can be used to provide conceptually simple and unified solutions to a number of problems that were studied separately in the past, including password-based authenticated key exchange and nonmalleable commitments. As an application of our results, we study the question of constructing secure protocols in partially authenticated networks, where some of the links are authenticated, and some are not (as is the case in most networks today).

Secure data structures based on multi-party computation

Abstract: This work considers data structures based on multi-party computation (MPC) primitives: structuring secret (e.g. secret shared and potentially unknown) data such that it can both be queried and updated efficiently. Implementing an oblivious RAM (ORAM) using MPC allows any existing data structure to be realized using MPC primitives, however, by focusing on a specific example -- a priority queue -- it is shown that it is possible to achieve much better results than the generic solutions can provide. Moreover, the techniques differ significantly from existing ORAM constructions. Indeed it has recently been shown that any information theoretically secure ORAM with n memory locations requires at least log n random bits per read/write to hide the access pattern. In contrast, the present construction achieves security with a completely deterministic access pattern.

Quantum entanglement and non-locality based secure computation for future communication

Abstract: Traditionally, the authors could establish secure computation protocols using variants of public key cryptology whose security is based on hard mathematics problems However, classical protocols will become insecure owing to the emergence of quantum algorithms like Shors In this paper, the authors demonstrate that nanoscale phenomenon can be applied not only in device level but also in high layer applications, such as secure computation The authors study the possibility of performing secure computation by building non-local machines based on quantum entanglement and non-locality, which are phenomena available only at the nanometre scale Comparing with classical secure computation algorithms, the security of this protocol is based on physical laws, instead of any unproven mathematic conjecture

Concurrent composition in the bounded quantum storage model

Abstract: We define the BQS-UC model, a variant of the UC model, that deals with protocols in the bounded quantum storage model. We present a statistically secure commitment protocol in the BQS-UC model that composes concurrently with other protocols and an (a-priori) polynomially-bounded number of instances of itself. Our protocol has an efficient simulator which is important if one wishes to compose our protocol with protocols that are only computationally secure. Combining our result with prior results, we get a statistically BQS-UC secure constant-round protocol for general two-party computation without the need for any setup assumption.

Secure Two-Party Computation with Low Communication.

Abstract: We propose a 2-party UC-secure protocol that can compute any function securely. The protocol requires only two messages, communication that is poly-logarithmic in the size of the circuit description of the function, and the workload for one of the parties is also only poly-logarithmic in the size of the circuit. This implies, for instance, delegatable computation that requires no expensive off-line phase and remains secure even if the server learns whether the client accepts its results. To achieve this, we define two new notions of extractable hash functions, propose an instantiation based on the knowledge of exponent in an RSA group, and build succinct zero-knowledge arguments in the CRS model.

On the efficiency of bit commitment reductions

Abstract: Two fundamental building blocks of secure two-party computation are oblivious transfer and bit commitment. While there exist unconditionally secure implementations of oblivious transfer from noisy correlations or channels that achieve constant rates, similar constructions are not known for bit commitment. In this paper, we show that any protocol that implements n instances of bit commitment with an error of at most 2−k needs at least Ω(kn) instances of a given resource such as oblivious transfer or a noisy channel. This implies in particular that it is impossible to achieve a constant rate. We then show that it is possible to circumvent the above lower bound by restricting the way in which the bit commitments can be opened. We present a protocol that achieves a constant rate in the special case where only a constant number of instances can be opened, which is optimal. Our protocol implements these restricted bit commitments from string commitments and is universally composable. The protocol provides significant speed-up over individual commitments in situations where restricted commitments are sufficient.

Secure Multiparty Computation: From Millionaires Problem to Anonymizer

Abstract: In Secure Multiparty Computation (SMC), multiple parties perform joint computation over their private data inputs preserving the privacy of their individual inputs. This type of computation needs to provide correct result while keeping the individual input a secret. In today's scenario of tremendous growth of the Internet and large volumes of online transactions, the concept of data privacy and SMC has become a matter of great concern. People frequently need to perform joint computations for the sake of their mutual benefits, but they are also worried about confidentiality of their private data. This situation arises due to lack of trust among computing parties. For example, two banks may want to find some details of a customer but each of the banks may want to keep their sensitive database a secret or they may not want to disclose the customer's identity. The subject of SMC has evolved from earlier solutions of combinational logic circuits to the recent proposals of anonymity-enabled computation. In this paper, we put together the significant research that has been carried out. We propose new possibilities of problem discovery and its analysis. We put critical issues and challenges and the level of adaptation achieved before the researchers. We also provide some research proposals based on the literature survey.

Secure two party comparison over encrypted data

Abstract: Yao's classical millionaires' problem is about securely determining whether x>y, given two input values x, y, which are held as private inputs by two parties, respectively The output which is result of comparison becomes known to both parties In this paper we consider a variant of comparison problem in which the inputs x, y are encrypted and the actual values are not known to the parties Our first solution deals with single comparison; however, in many applications, we encounter situations where it is necessary to make multiple comparisons to find the maximum among several encrypted data, so we make a modification to our first protocol to solve the multiple comparisons problem Such a secure comparison is an important building block for applications like privacy preserving data mining and secure business Our second protocol is based on Homomorphic encryption which achieves very low communication and computational complexities Also our protocols can be performed in constant rounds and do not use general circuit evaluation techniques so they are more efficient than circuit based ones but not general Implementation is easy and fast

The arithmetic codex: theory and applications

Abstract: We define the notion of an arithmetic codex (or codex, for short), and as a special case, arithmetic secret sharing This notion encompasses as well as generalizes, in a single mathematical framework, all known types of specialized secret sharing schemes from the area of secure multi-party computation, ie, the so-called (strongly) multiplicative linear secret sharing schemes These schemes were first studied as an abstract primitive by Cramer, Damgard, and Maurer in the late 1990s They showed that the "Fundamental Theorem of Information-Theoretically Secure Multi-Party Computation," the landmark 1988 result by Ben-Or, Goldwasser, and Wigderson and, independently at the same time by Chaum, Crepeau, Damgard, admits a proof that uses this primitive as a blackbox: it is possible to bootstrap, in a blackbox fashion, from this primitive a set of atomic sub-protocols upon which general secure computation can be based They also showed when and how multiplicative schemes (but not strongly multiplicative ones) reduce to ordinary ones and gave applications to security against non-threshold adversaries In 2006, Chen and Cramer showed an "asymptotically good" version of the Fundamental Theorem, where the size of the network is unbounded and where an adversary corrupts a constant fraction of the network, yet the information rate of the secret sharing primitive is constant Their result relies on a careful choice of algebraic geometric codes, in combination with the earlier work of Cramer, Damgard, and Maurer In 2007 this asymptotic result turned out to have a surprising application in two-party cryptography, through the work of Ishai, Kushilevitz, Ostrovsky and Sahai ("Multi-Party Computation in the Head") This first application was to zero knowledge for circuit satisfiability, but soon after other applications to secure two-party computation and information theory (correlation extractors) followed Our notion of arithmetic secret sharing is not merely a unification for its own sake First, it casts these schemes in terms of a dedicated "representation" of K-algebras, thereby bringing the relevant mathematical structure to the surface Second, it identifies novel types of special secret sharing schemes And, third, there are novel cryptographic applications Besides presenting some elementary examples and giving an overview of the basic theory and the main applications, we discuss a construction of arithmetic secret sharing schemes based on a novel algebraic-geometric paradigm that we also introduce This talk is mainly based on several recent joint works with Nacho Cascudo (CWI) and Chaoping Xing (NTU) But in part it is also based on recent joint work with Ivan Damgard (Aarhus University) and Valerio Pastro (Aarhus University)

Information Sharing across Private Databases: Secure Union Revisited

Abstract: There is a growing demand for sharing information across multiple autonomous and private databases The problem is usually formulated as a secure multi-party computation problem in which a set of parties wish to jointly compute a function of their private inputs such that the parties learn only the result of the function but nothing else In this paper we perform an analysis and an experimental evaluation of existing and potential solutions for secure multi-party computation of union We also present an alternative random shares based protocol and show that the protocol, although quite simple, is efficient while providing reasonable level of security that can be adjusted by users We formally analyze the security properties and the cost of our protocol We also experimentally compare the various existing and potential solutions and show the tradeoff between different protocols in terms of security, efficiency and accuracy

A Domain-Specific Language for Computing on Encrypted Data

Abstract: In cloud computing, a client may request computation on confidential data that is sent to untrusted servers. While homomorphic encryption and secure multiparty computation provide building blocks for secure computation, software must be properly structured to preserve confidentiality. Using a general definition of secure execution platform, we propose a single Haskellbased domain-specific language for cryptographic cloud computing and prove correctness and confidentiality for two representative and distinctly dierent implementations of the same programming language. The secret sharing execution platform provides information-theoretic security against colluding servers. The homomorphic encryption execution platform requires only one server, but has limited eciency, and provides secrecy against a computationally-bounded adversary. Experiments with our implementation suggest promising computational feasibility, as cryptography improves, and show how code can be developed uniformly for a variety of secure cloud platforms, without explicitly programming separate clients and servers. 1998 ACM Subject Classification D.3.3 Language Constructs and Features