secure 2 party computation
play

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit - PowerPoint PPT Presentation

Aug 09, 2023 •296 likes •1.33k views

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F proto proto iface iface Secure (and correct) if: s.t. output of is distributed Env Env identically in REAL IDEAL REAL and

  1. Circuits and Functions e.g.: OR (single gate, 2 input bits, 1 bit output) e.g.: X > Y for two bit inputs X=x 1 x 0 , Y=y 1 y 0 : (x 1 AND (NOT y 1 )) OR (NOT(x 1 XOR y 1 ) AND (x 0 AND (NOT y 0 )) Can convert any (“efficient”) program into a (“small”) circuit Size of circuit: number of wires (as a function of number of input wires) 00 01 10 11 00 0 0 0 0 Can convert a truth-table into a circuit 01 1 0 0 0 10 1 1 0 0 Directly: circuit size exponential in input size 11 1 1 1 0 In general, finding a small/smallest circuit from truth-table is notoriously hard

  2. Circuits and Functions e.g.: OR (single gate, 2 input bits, 1 bit output) e.g.: X > Y for two bit inputs X=x 1 x 0 , Y=y 1 y 0 : (x 1 AND (NOT y 1 )) OR (NOT(x 1 XOR y 1 ) AND (x 0 AND (NOT y 0 )) Can convert any (“efficient”) program into a (“small”) circuit Size of circuit: number of wires (as a function of number of input wires) 00 01 10 11 00 0 0 0 0 Can convert a truth-table into a circuit 01 1 0 0 0 10 1 1 0 0 Directly: circuit size exponential in input size 11 1 1 1 0 In general, finding a small/smallest circuit from truth-table is notoriously hard Often problems already described as succinct programs/circuits

  3. 2-Party SFE using General Circuits

  4. 2-Party SFE using General Circuits “General”: evaluate any arbitrary circuit

  5. 2-Party SFE using General Circuits “General”: evaluate any arbitrary circuit One-sided output: both parties give inputs, one party gets outputs

  6. 2-Party SFE using General Circuits “General”: evaluate any arbitrary circuit One-sided output: both parties give inputs, one party gets outputs Either party maybe corrupted passively

  7. 2-Party SFE using General Circuits 0 1 “General”: evaluate any arbitrary circuit 0 0 1 1 1 1 One-sided output: both parties give inputs, one party gets outputs Either party maybe corrupted passively Consider evaluating OR (single gate circuit)

  8. 2-Party SFE using General Circuits 0 1 “General”: evaluate any arbitrary circuit 0 0 1 1 1 1 One-sided output: both parties give inputs, one party gets outputs Either party maybe corrupted passively Consider evaluating OR (single gate circuit) Alice holds x=a, Bob has y=b; Bob should get OR(x,y)

  9. 2-Party SFE using General Circuits 0 1 “General”: evaluate any arbitrary circuit 0 0 1 1 1 1 One-sided output: both parties give inputs, one party gets outputs Either party maybe corrupted passively Consider evaluating OR (single gate circuit) Alice holds x=a, Bob has y=b; Bob should get OR(x,y) Can use Oblivious Transfer

  10. 2-Party SFE using General Circuits 0 1 “General”: evaluate any arbitrary circuit 0 0 1 1 1 1 One-sided output: both parties give inputs, one party gets outputs Either party maybe corrupted passively Consider evaluating OR (single gate circuit) Alice holds x=a, Bob has y=b; Bob should get OR(x,y) Can use Oblivious Transfer Any ideas?

  11. A Physical Protocol 0 1 0 0 1 1 1 1

  12. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys 0 0 1 1 1 1 K x=0 , K x=1 , K y=0 and K y=1

  13. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys 0 0 1 1 1 1 K x=0 , K x=1 , K y=0 and K y=1 11 1 00 0 10 1 01 1

  14. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys 0 0 1 1 1 1 K x=0 , K x=1 , K y=0 and K y=1 11 1 00 0 10 1 01 1 0 1 0 1

  15. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys 0 0 1 1 1 1 K x=0 , K x=1 , K y=0 and K y=1 11 Inside B xy=ab she places the bit OR(a,b) and locks 1 it with two padlocks K x=a and K y=b (need to open both to open the box) 00 0 10 1 01 1 0 1 0 1

  16. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys 0 0 1 1 1 1 K x=0 , K x=1 , K y=0 and K y=1 11 Inside B xy=ab she places the bit OR(a,b) and locks 1 it with two padlocks K x=a and K y=b (need to open both to open the box) 00 0 10 1 0 0 01 1 0 1 0 1

  17. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys 0 0 1 1 1 1 K x=0 , K x=1 , K y=0 and K y=1 11 Inside B xy=ab she places the bit OR(a,b) and locks 1 it with two padlocks K x=a and K y=b (need to open both to open the box) 1 1 00 0 10 1 0 0 1 0 01 1 0 1 0 1 0 1

  18. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys 0 0 1 1 1 1 K x=0 , K x=1 , K y=0 and K y=1 11 Inside B xy=ab she places the bit OR(a,b) and locks 1 it with two padlocks K x=a and K y=b (need to open both to open the box) 1 1 00 0 10 She un-labels the four boxes and sends them in 1 random order to Bob. Also sends the key K x=a 0 0 (labeled only as K x ). 1 0 01 1 0 1 0 1 0 1

  19. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys 0 0 1 1 1 1 K x=0 , K x=1 , K y=0 and K y=1 Inside B xy=ab she places the bit OR(a,b) and locks 1 it with two padlocks K x=a and K y=b (need to open both to open the box) 0 She un-labels the four boxes and sends them in 1 random order to Bob. Also sends the key K x=a (labeled only as K x ). 1 0 1 0 1

  20. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys 0 0 1 1 1 1 K x=0 , K x=1 , K y=0 and K y=1 Inside B xy=ab she places the bit OR(a,b) and locks 1 it with two padlocks K x=a and K y=b (need to open both to open the box) 0 She un-labels the four boxes and sends them in 1 random order to Bob. Also sends the key K x=a (labeled only as K x ). 1 0 1 0 1

  21. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys 0 0 1 1 1 1 K x=0 , K x=1 , K y=0 and K y=1 Inside B xy=ab she places the bit OR(a,b) and locks 1 it with two padlocks K x=a and K y=b (need to open both to open the box) 0 She un-labels the four boxes and sends them in 1 random order to Bob. Also sends the key K x=a (labeled only as K x ). 1 0 1 0 1

  22. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys 0 0 1 1 1 1 K x=0 , K x=1 , K y=0 and K y=1 Inside B xy=ab she places the bit OR(a,b) and locks 1 it with two padlocks K x=a and K y=b (need to open both to open the box) 0 She un-labels the four boxes and sends them in 1 random order to Bob. Also sends the key K x=a (labeled only as K x ). 1 So far Bob gets no information 0 1 0 1

  23. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys 0 0 1 1 1 1 K x=0 , K x=1 , K y=0 and K y=1 Inside B xy=ab she places the bit OR(a,b) and locks 1 it with two padlocks K x=a and K y=b (need to open both to open the box) 0 She un-labels the four boxes and sends them in 1 random order to Bob. Also sends the key K x=a (labeled only as K x ). 1 So far Bob gets no information Bob “obliviously picks up” K y=b , and tries the two keys K x ,K y=b on the four boxes. For one box both 0 1 locks open and he gets the output. 0 1

  24. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys 0 0 1 1 1 1 K x=0 , K x=1 , K y=0 and K y=1 Inside B xy=ab she places the bit OR(a,b) and locks 1 it with two padlocks K x=a and K y=b (need to open both to open the box) 0 She un-labels the four boxes and sends them in 1 random order to Bob. Also sends the key K x=a (labeled only as K x ). 1 So far Bob gets no information Bob “obliviously picks up” K y=b , and tries the two keys K x ,K y=b on the four boxes. For one box both 0 1 locks open and he gets the output. F b 0 1

  25. A Physical Protocol 0 1 0 0 1 1 1 1 1 0 1 1 0 1 F b 0 1

  26. A Physical Protocol Secure? 0 1 0 0 1 1 1 1 1 0 1 1 0 1 F b 0 1

  27. A Physical Protocol Secure? 0 1 For curious Alice: only influence from Bob is when 0 0 1 1 1 1 he picks up his key K y=b 1 0 1 1 0 1 F b 0 1

  28. A Physical Protocol Secure? 0 1 For curious Alice: only influence from Bob is when 0 0 1 1 1 1 he picks up his key K y=b But this is done “obliviously”, and so she learns 1 nothing 0 1 1 0 1 F b 0 1

  29. A Physical Protocol Secure? 0 1 For curious Alice: only influence from Bob is when 0 0 1 1 1 1 he picks up his key K y=b But this is done “obliviously”, and so she learns 1 nothing For curious Bob: Everything is predictable (i.e., 0 simulatable), given the final outcome 1 1 0 1 F b 0 1

  30. A Physical Protocol Secure? 0 1 For curious Alice: only influence from Bob is when 0 0 1 1 1 1 he picks up his key K y=b But this is done “obliviously”, and so she learns 1 nothing For curious Bob: Everything is predictable (i.e., 0 simulatable), given the final outcome 1 What Bob sees: K y opens a lock in two boxes, K x opens a lock in two boxes; only one random 1 box fully opens. It has the outcome. 0 1 F b 0 1

  31. A Physical Protocol Secure? 0 1 For curious Alice: only influence from Bob is when 0 0 1 1 1 1 he picks up his key K y=b But this is done “obliviously”, and so she learns 1 nothing For curious Bob: Everything is predictable (i.e., 0 simulatable), given the final outcome 1 What Bob sees: K y opens a lock in two boxes, K x opens a lock in two boxes; only one random 1 box fully opens. It has the outcome. Note when y=1, cases x=0 and x=1 appear same 0 1 F b 0 1

  32. A Physical Protocol Secure? 0 1 For curious Alice: only influence from Bob is when 0 0 1 1 1 1 he picks up his key K y=b But this is done “obliviously”, and so she learns 1 nothing For curious Bob: Everything is predictable (i.e., 0 simulatable), given the final outcome 1 What Bob sees: K y opens a lock in two boxes, K x opens a lock in two boxes; only one random 1 box fully opens. It has the outcome. Note when y=1, cases x=0 and x=1 appear same Formally, easy to simulate (can stuff 0 1 unopenable boxes arbitrarily) F b 0 1

  33. Larger Circuits

  34. Larger Circuits

  35. Larger Circuits Idea: For each gate in the circuit Alice will prepare locked boxes, but will use it to keep keys for the next gate

  36. Larger Circuits Idea: For each gate in the circuit Alice will prepare locked boxes, but will use it to keep keys for the next gate

  37. Larger Circuits Idea: For each gate in the circuit Alice will prepare locked boxes, but will use it to keep keys for the next gate For each wire w in the circuit (i.e., input wires, or output of a gate) pick 2 keys K w=0 and K w=1

  38. Larger Circuits Idea: For each gate in the circuit Alice will 0 1 prepare locked boxes, but will use it to keep keys for the next gate 0 1 0 1 For each wire w in the circuit (i.e., input wires, or output of a gate) pick 2 keys K w=0 and K w=1

  39. Larger Circuits Idea: For each gate in the circuit Alice will 0 1 prepare locked boxes, but will use it to keep keys for the next gate 0 1 0 1 For each wire w in the circuit (i.e., input wires, or output of a gate) pick 2 keys K w=0 and K w=1

  40. Larger Circuits Idea: For each gate in the circuit Alice will 0 1 prepare locked boxes, but will use it to keep keys for the next gate 0 1 0 1 For each wire w in the circuit (i.e., input wires, or output of a gate) pick 2 keys K w=0 and K w=1 For each gate G with input wires (u,v) and output wire w, prepare 4 boxes B uv and place K w=G(a,b) inside box B uv=ab . Lock B uv=ab with keys K u=a and K v=b

  41. Larger Circuits Idea: For each gate in the circuit Alice will 0 1 prepare locked boxes, but will use it to keep keys for the next gate 0 1 0 1 For each wire w in the circuit (i.e., input wires, or output of a gate) pick 2 keys K w=0 and K w=1 For each gate G with input wires (u,v) and output wire w, prepare 4 boxes B uv and place K w=G(a,b) inside box B uv=ab . Lock B uv=ab with keys K u=a and K v=b Give to Bob: Boxes for each gate, one key for each of Alice’ s input wires

  42. Larger Circuits Idea: For each gate in the circuit Alice will 0 1 prepare locked boxes, but will use it to keep keys for the next gate 0 1 0 1 For each wire w in the circuit (i.e., input wires, or output of a gate) pick 2 keys K w=0 and K w=1 For each gate G with input wires (u,v) and output wire w, prepare 4 boxes B uv and place K w=G(a,b) inside box B uv=ab . Lock B uv=ab with keys K u=a and K v=b Give to Bob: Boxes for each gate, one key for each of Alice’ s input wires

  43. Larger Circuits Idea: For each gate in the circuit Alice will 0 1 prepare locked boxes, but will use it to keep keys for the next gate 0 1 0 1 For each wire w in the circuit (i.e., input wires, or output of a gate) pick 2 keys K w=0 and K w=1 For each gate G with input wires (u,v) and output wire w, prepare 4 boxes B uv and place K w=G(a,b) inside box B uv=ab . Lock B uv=ab with keys K u=a and K v=b Give to Bob: Boxes for each gate, one key for each of Alice’ s input wires Obliviously: one key for each of Bob’ s input wires

  44. Larger Circuits Idea: For each gate in the circuit Alice will 0 1 prepare locked boxes, but will use it to keep keys for the next gate 0 1 0 1 For each wire w in the circuit (i.e., input wires, or output of a gate) pick 2 keys K w=0 and K w=1 For each gate G with input wires (u,v) and output wire w, prepare 4 boxes B uv and place K w=G(a,b) inside box B uv=ab . Lock B uv=ab with keys K u=a and K v=b Give to Bob: Boxes for each gate, one key for each of Alice’ s input wires Obliviously: one key for each of Bob’ s input wires F b F b F b

  45. Larger Circuits Idea: For each gate in the circuit Alice will 0 1 prepare locked boxes, but will use it to keep keys for the next gate 0 1 0 1 For each wire w in the circuit (i.e., input wires, or output of a gate) pick 2 keys K w=0 and K w=1 For each gate G with input wires (u,v) and output wire w, prepare 4 boxes B uv and place K w=G(a,b) inside box B uv=ab . Lock B uv=ab with keys K u=a and K v=b Give to Bob: Boxes for each gate, one key for each of Alice’ s input wires Obliviously: one key for each of Bob’ s input wires F b F Boxes for output gates have values instead of keys b F b

  46. Larger Circuits 0 1 0 1 0 1 F b F b F b

  47. Larger Circuits Evaluation: Bob gets one key for each input wire of a 0 1 gate, opens one box for the gate, gets one key for the output wire, and proceeds 0 1 0 1 F b F b F b

  48. Larger Circuits Evaluation: Bob gets one key for each input wire of a 0 1 gate, opens one box for the gate, gets one key for the output wire, and proceeds 0 1 0 1 Gets output from a box in the output gate F b F b F b

  49. Larger Circuits Evaluation: Bob gets one key for each input wire of a 0 1 gate, opens one box for the gate, gets one key for the output wire, and proceeds 0 1 0 1 Gets output from a box in the output gate Security similar to before F b F b F b

  50. Larger Circuits Evaluation: Bob gets one key for each input wire of a 0 1 gate, opens one box for the gate, gets one key for the output wire, and proceeds 0 1 0 1 Gets output from a box in the output gate Security similar to before Curious Alice sees nothing (as Bob picks up keys obliviously) F b F b F b

  51. Larger Circuits Evaluation: Bob gets one key for each input wire of a 0 1 gate, opens one box for the gate, gets one key for the output wire, and proceeds 0 1 0 1 Gets output from a box in the output gate Security similar to before Curious Alice sees nothing (as Bob picks up keys obliviously) Everything is simulatable for curious Bob given final output: Bob could prepare boxes and keys (stuffing unopenable boxes arbitrarily); for an output gate, place the output bit in the box that opens F b F b F b

  52. Garbled Circuit

  53. Garbled Circuit That was too physical!

  54. Garbled Circuit That was too physical! Yao’ s Garbled circuit: boxes/keys replaced by IND-CPA secure SKE (i.e., using PRF , and independent randomness when key reused)

  55. Garbled Circuit That was too physical! Yao’ s Garbled circuit: boxes/keys replaced by IND-CPA secure SKE (i.e., using PRF , and independent randomness when key reused) Double lock: Enc Kx (Enc Ky (m))

  56. Garbled Circuit That was too physical! Yao’ s Garbled circuit: boxes/keys replaced by IND-CPA secure SKE (i.e., using PRF , and independent randomness when key reused) Double lock: Enc Kx (Enc Ky (m)) Need proof to ensure that this suffices for indistinguishability of simulation. (In fact, one-time-like security for Enc suffices)

  57. Garbled Circuit That was too physical! Yao’ s Garbled circuit: boxes/keys replaced by IND-CPA secure SKE (i.e., using PRF , and independent randomness when key reused) Double lock: Enc Kx (Enc Ky (m)) Need proof to ensure that this suffices for indistinguishability of simulation. (In fact, one-time-like security for Enc suffices) Oblivious Transfer: We already saw for one bit (using T-OWP); with passive adversaries, just repeat bit-OT several times to transfer longer keys

  58. Garbled Circuit That was too physical! Yao’ s Garbled circuit: boxes/keys replaced by IND-CPA secure SKE (i.e., using PRF , and independent randomness when key reused) Double lock: Enc Kx (Enc Ky (m)) Need proof to ensure that this suffices for indistinguishability of simulation. (In fact, one-time-like security for Enc suffices) Oblivious Transfer: We already saw for one bit (using T-OWP); with passive adversaries, just repeat bit-OT several times to transfer longer keys Can we really compose? Yes, for passive security.

  59. Today

  60. Today 2-Party SFE secure against passive adversaries

  61. Today 2-Party SFE secure against passive adversaries Yao’ s Garbled Circuit

  62. Today 2-Party SFE secure against passive adversaries Yao’ s Garbled Circuit Using OT and IND-CPA encryption

  63. Today 2-Party SFE secure against passive adversaries Yao’ s Garbled Circuit Using OT and IND-CPA encryption OT using TOWP

Recommend

Communication Locality in C i i L li i Secure Multi Party Secure Multi-Party Computation

Communication Locality in C i i L li i Secure Multi Party Secure Multi-Party Computation

Communication Locality in C i i L li i Secure Multi Party Secure Multi-Party Computation Computation How to Run Sublinear Algorithms in a Distributed Algorithms in a Distributed Setting Elette Boyle Shafi Goldwasser Stefano Tessaro

1.01k views • 36 slides
Secure Multi-Party Computation Gunnar Kreitz KTH Royal Institute of Technology

Secure Multi-Party Computation Gunnar Kreitz KTH Royal Institute of Technology

Background Secure Computation Security Model Generic Protocol Applications Secure Multi-Party Computation Gunnar Kreitz KTH Royal Institute of Technology gkreitz@kth.se October 4 2012 Gunnar Kreitz Secure Multi-Party Computation

1.28k views • 59 slides
Secure Computation ORAM The Case of 3-Party Computation Stanislaw Jarecki, UC Irvine

Secure Computation ORAM The Case of 3-Party Computation Stanislaw Jarecki, UC Irvine

Secure Computation ORAM The Case of 3-Party Computation Stanislaw Jarecki, UC Irvine Cryptography in the RAM Model Workshop, Cambridge, MA, June 2016 AC15: Sky Faber, S.J. , Sotirios Kentros, Boyang Wei New Work: S.J. , Boyang Wei Secure

595 views • 23 slides
2-party secure computation Problem: Two parties, Alice and Bob, with private inputs, a and b ,

2-party secure computation Problem: Two parties, Alice and Bob, with private inputs, a and b ,

1 International Conference on Practice and Theory of Public-Key Cryptography (PKC) 2020 Mon Z a: fast maliciously-secure 2-party computation on the ring 2 k Dario Catalano 1 , Mario Di Raimondo 1 , Dario Fiore 2 and Irene Giacomelli 3 1

504 views • 25 slides
Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the

Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the

Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the University of Texas, Austin for providing these slides. slide 1 Motivation General framework for describing computation between parties who do not

1.03k views • 35 slides
SoK: General Purpose Frameworks for Secure Multi-party Computation Marcella Brett Daniel Steve

SoK: General Purpose Frameworks for Secure Multi-party Computation Marcella Brett Daniel Steve

SoK: General Purpose Frameworks for Secure Multi-party Computation Marcella Brett Daniel Steve Hemenway Hastings Noble Zdancewic University of Pennsylvania 1 / 20 Secure Multi-party Computation (MPC) Compute an arbitrary function among

1.13k views • 36 slides
General Purpose Frameworks for Secure Multi-party Computation Marcella Brett Daniel Steve

General Purpose Frameworks for Secure Multi-party Computation Marcella Brett Daniel Steve

General Purpose Frameworks for Secure Multi-party Computation Marcella Brett Daniel Steve Hemenway Hastings Noble Zdancewic University of Pennsylvania 1 / 26 Secure multi-party computation (MPC) MPC allows a group of mutually

882 views • 51 slides
Practical Secure Two-Party Computation and Applications Thomas Schneider Estonian Winter School

Practical Secure Two-Party Computation and Applications Thomas Schneider Estonian Winter School

Practical Secure Two-Party Computation and Applications Thomas Schneider Estonian Winter School in Computer Science 2016 Overview Lecture 1: Introduction to Secure Two-Party Computation Lecture 2: Private Set Intersection Lecture 3: Tools

935 views • 67 slides
Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit

Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit

Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit Sahai UCLA Secure Multiparty Computation A set of mutually distrustful parties (n) wish to compute a joint function of their private inputs

309 views • 16 slides
Advanced Tools from Modern Cryptography Lecture 7 Secure 2-Party Computation: Yao s

Advanced Tools from Modern Cryptography Lecture 7 Secure 2-Party Computation: Yao s

Advanced Tools from Modern Cryptography Lecture 7 Secure 2-Party Computation: Yao s Garbled Circuit Recall MPC without Honest-Majority Plan (Still sticking with passive corruption): Two protocols, that are secure computationally The

449 views • 15 slides
Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F proto proto iface iface Secure (and correct) if: s.t. output of is distributed Env Env identically in REAL IDEAL REAL and

1.28k views • 126 slides
Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai

Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai

A New Approach to Practical Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank Secure Two-Party Computation a {0,1} * Alice has an input b {0,1} * Bob has an input They

609 views • 47 slides
Asynchronous Multi-Party Computation Vassilis Zikas RPI MPC School IIT Mumbai Secure

Asynchronous Multi-Party Computation Vassilis Zikas RPI MPC School IIT Mumbai Secure

Asynchronous Multi-Party Computation Vassilis Zikas RPI MPC School IIT Mumbai Secure Multi-Party Computation (MPC) Security D 1 D 2 D 4 D 3 Secure Multi-Party Computation (MPC) Security D 1 D 2 1 2 4 3 D 4 D 3 Secure

1.36k views • 124 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols

Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols

Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against

2.07k views • 85 slides
Secure Multi-party Quantum Computation with a Dishonest Majority Yfke Dulek, Alex Grilo, Stacey

Secure Multi-party Quantum Computation with a Dishonest Majority Yfke Dulek, Alex Grilo, Stacey

Secure Multi-party Quantum Computation with a Dishonest Majority Yfke Dulek, Alex Grilo, Stacey Je ff ery, Christian Majenz, Christian Scha ff ner Introduction Multi-party computation (MPC) Input (player i): x i 83 false Output: f(x 1 , ,

686 views • 20 slides
Hiding the Input Size in Secure Two-Party Computation Yehuda Lindell , Kobbi Nissim, Claudio

Hiding the Input Size in Secure Two-Party Computation Yehuda Lindell , Kobbi Nissim, Claudio

Hiding the Input Size in Secure Two-Party Computation Yehuda Lindell , Kobbi Nissim, Claudio Orlandi (or a more privacy Privacy on sensitive social network) My friends should only see our common friends Secure Computation 8dx2rru3d0fW2TS y

520 views • 36 slides
Secure Multi-Party Computation Lecture 13 Must We Trust ? Can we have an auction

Secure Multi-Party Computation Lecture 13 Must We Trust ? Can we have an auction

Secure Multi-Party Computation Lecture 13 Must We Trust ? Can we have an auction without an auctioneer?! Declared winning bid should be correct Only the winner and winning bid should be revealed Using data without sharing?

446 views • 20 slides
Advanced Tools from Modern Cryptography Lecture 6 Secure Multi-Party Computation without

Advanced Tools from Modern Cryptography Lecture 6 Secure Multi-Party Computation without

Advanced Tools from Modern Cryptography Lecture 6 Secure Multi-Party Computation without Honest Majority: GMW Protocol MPC without Honest-Majority Plan (Still sticking with passive corruption): Two protocols, that are secure

465 views • 12 slides
Multi-Party Computation Based on One-Way Functions Sandro Coretti (New York University) Juan

Multi-Party Computation Based on One-Way Functions Sandro Coretti (New York University) Juan

Constant-Round Asynchronous Multi-Party Computation Based on One-Way Functions Sandro Coretti (New York University) Juan Garay (Yahoo Research) Martin Hirt (ETH Zurich) Vassilis Zikas (RPI) Secure Multi-Party Computation (MPC) [Yao82, GMW87,

677 views • 47 slides
Advanced Tools from Modern Cryptography Lecture 4 Secure Multi-Party Computation: Passive

Advanced Tools from Modern Cryptography Lecture 4 Secure Multi-Party Computation: Passive

Advanced Tools from Modern Cryptography Lecture 4 Secure Multi-Party Computation: Passive Corruption + Honest-Majority Must We Trust ? Can we have an auction without an auctioneer?! Declared winning bid should be correct Only the

497 views • 20 slides
On the Exact Round Complexity of Secure Three-Party Computation Arpita Patra, Divya Ravi Indian

On the Exact Round Complexity of Secure Three-Party Computation Arpita Patra, Divya Ravi Indian

On the Exact Round Complexity of Secure Three-Party Computation Arpita Patra, Divya Ravi Indian Institute of Science CRYPTO 2018 Our Objective What is the exact round complexity of 3-party protocols with honest majority under the following

446 views • 10 slides
The Exact Round Complexity of Secure Computation Antigoni Polychroniadou (Aarhus University)

The Exact Round Complexity of Secure Computation Antigoni Polychroniadou (Aarhus University)

The Exact Round Complexity of Secure Computation Antigoni Polychroniadou (Aarhus University) joint work with Sanjam Garg, Pratyay Mukherjee (UC Berkeley), Omkant Pandey (Drexel University) Background: Secure Multi-Party Computation x 1 f(x 1 ,

750 views • 54 slides
Non-Interactive Secure Computation from One-Way Functions Saikrishna Badrinarayanan Abhishek

Non-Interactive Secure Computation from One-Way Functions Saikrishna Badrinarayanan Abhishek

Non-Interactive Secure Computation from One-Way Functions Saikrishna Badrinarayanan Abhishek Jain (UCLA) (JHU) Rafail Ostrovsky Ivan Visconti (UCLA) (University of Salerno) Secure Two Party Computation Function f Input x Input y P 2 P 1

443 views • 21 slides

More recommend