secure 2 party computation
play

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit - PowerPoint PPT Presentation

Oct 28, 2022 •23 likes •1.28k views

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F proto proto iface iface Secure (and correct) if: s.t. output of is distributed Env Env identically in REAL IDEAL REAL and

  1. 2-Party SFE Can reduce any SFE (even randomized) to a single-output deterministic SFE f’(X, M, r 1 ; Y, r 2 ) = ( g(X; Y; r 1 ⊕ r 2 ) ⊕ M, f(X; Y; r 1 ⊕ r 2 ) ). Compute f’(X, M, r 1 ; Y, r 2 ) with random M, r 1 , r 2 Bob sends g(X, Y; r 1 ⊕ r 2 ) ⊕ M to Alice Passive secure For active security, f’ authenticates (one-time MAC) as well as encrypts g(X; Y; r 1 ⊕ r 2 ) using keys input by Alice Generalizes to more than 2 parties Can reduce any single-output deterministic SFE to OT!

  2. “Completeness” of OT

  3. “Completeness” of OT Can reduce any single-output deterministic SFE to OT!

  4. “Completeness” of OT Can reduce any single-output deterministic SFE to OT! No computational assumptions needed

  5. “Completeness” of OT Can reduce any single-output deterministic SFE to OT! No computational assumptions needed For passive security

  6. “Completeness” of OT Can reduce any single-output deterministic SFE to OT! No computational assumptions needed For passive security Proof of concept for 2 parties: An inefficient reduction

  7. “Completeness” of OT Can reduce any single-output deterministic SFE to OT! No computational assumptions needed For passive security Proof of concept for 2 parties: An inefficient reduction Yao’ s garbled circuit for 2 parties

  8. “Completeness” of OT Can reduce any single-output deterministic SFE to OT! No computational assumptions needed For passive security Proof of concept for 2 parties: An inefficient reduction Yao’ s garbled circuit for 2 parties “Basic GMW”: Information-theoretic reduction to OT (next time)

  9. “Completeness” of OT Can reduce any single-output deterministic SFE to OT! No computational assumptions needed For passive security Proof of concept for 2 parties: An inefficient reduction Yao’ s garbled circuit for 2 parties “Basic GMW”: Information-theoretic reduction to OT (next time) Fact: OT is complete even for active security

  10. “Completeness” of OT: 
 Proof of Concept Single-output 2-party function f Alice (who knows x, but not y) prepares a table for 
 f(x, ⋅ ) with N = 2 |y| entries (one for each y) Bob uses y to decide which entry in the table to pick up using 1-out-of-N OT (without learning the other entries)

  11. “Completeness” of OT: 
 Proof of Concept Single-output 2-party function f Alice (who knows x, but not y) prepares a table for 
 f(x, ⋅ ) with N = 2 |y| entries (one for each y) Bob uses y to decide which entry in the table to pick up using 1-out-of-N OT (without learning the other entries) Bob learns only f(x,y) (in addition to y). Alice learns nothing beyond x.

  12. “Completeness” of OT: 
 Proof of Concept Single-output 2-party function f Alice (who knows x, but not y) prepares a table for 
 f(x, ⋅ ) with N = 2 |y| entries (one for each y) Bob uses y to decide which entry in the table to pick up using 1-out-of-N OT (without learning the other entries) Bob learns only f(x,y) (in addition to y). Alice learns nothing beyond x. Problem: N is exponentially large in |y|

  13. Functions as Circuits Directed acyclic graph Nodes: AND, OR, NOT, CONST gates, inputs, output(s) Edges: Boolean valued wires Each wire comes out of a unique gate, but a wire might fan-out 0 1

  14. Functions as Circuits Directed acyclic graph Nodes: AND, OR, NOT, CONST gates, inputs, output(s) Edges: Boolean valued wires Each wire comes out of a unique gate, but a wire might fan-out Can evaluate wires according to a topologically sorted order of gates 0 1 they come out of

  15. Functions as Circuits Directed acyclic graph Nodes: AND, OR, NOT, CONST gates, inputs, output(s) Edges: Boolean valued wires Each wire comes out of a unique gate, but a wire might fan-out Can evaluate wires according to a topologically sorted order of gates 0 1 they come out of

  16. Functions as Circuits Directed acyclic graph Nodes: AND, OR, NOT, CONST gates, inputs, output(s) Edges: Boolean valued wires Each wire comes out of a unique gate, but a wire might fan-out Can evaluate wires according to a topologically sorted order of gates 0 1 they come out of

  17. Functions as Circuits Directed acyclic graph Nodes: AND, OR, NOT, CONST gates, inputs, output(s) Edges: Boolean valued wires Each wire comes out of a unique gate, but a wire might fan-out Can evaluate wires according to a topologically sorted order of gates 0 1 they come out of

  18. Functions as Circuits Directed acyclic graph Nodes: AND, OR, NOT, CONST gates, inputs, output(s) Edges: Boolean valued wires Each wire comes out of a unique gate, but a wire might fan-out Can evaluate wires according to a topologically sorted order of gates 0 1 they come out of

  19. Functions as Circuits Directed acyclic graph Nodes: AND, OR, NOT, CONST gates, inputs, output(s) Edges: Boolean valued wires Each wire comes out of a unique gate, but a wire might fan-out Can evaluate wires according to a topologically sorted order of gates 0 1 they come out of

  20. Functions as Circuits Directed acyclic graph Nodes: AND, OR, NOT, CONST gates, inputs, output(s) Edges: Boolean valued wires Each wire comes out of a unique gate, but a wire might fan-out Can evaluate wires according to a topologically sorted order of gates 0 1 they come out of

  21. Functions as Circuits

  22. Functions as Circuits e.g.: OR (single gate, 2 input bits, 1 bit output)

  23. Functions as Circuits e.g.: OR (single gate, 2 input bits, 1 bit output) e.g.: X > Y for two bit inputs X=x 1 x 0 , Y=y 1 y 0 : 00 01 10 11 (x 1 ∧ ¬y 1 ) ∨ (¬(x 1 ⊕ y 1 ) ∧ (x 0 ∧ ¬y 0 ) 00 0 0 0 0 01 1 0 0 0 10 1 1 0 0 11 1 1 1 0

  24. Functions as Circuits e.g.: OR (single gate, 2 input bits, 1 bit output) e.g.: X > Y for two bit inputs X=x 1 x 0 , Y=y 1 y 0 : 00 01 10 11 (x 1 ∧ ¬y 1 ) ∨ (¬(x 1 ⊕ y 1 ) ∧ (x 0 ∧ ¬y 0 ) 00 0 0 0 0 01 1 0 0 0 Can directly convert a truth-table 
 10 1 1 0 0 into a circuit, but circuit size 
 11 1 1 1 0 exponential in input size

  25. Functions as Circuits e.g.: OR (single gate, 2 input bits, 1 bit output) e.g.: X > Y for two bit inputs X=x 1 x 0 , Y=y 1 y 0 : 00 01 10 11 (x 1 ∧ ¬y 1 ) ∨ (¬(x 1 ⊕ y 1 ) ∧ (x 0 ∧ ¬y 0 ) 00 0 0 0 0 01 1 0 0 0 Can directly convert a truth-table 
 10 1 1 0 0 into a circuit, but circuit size 
 11 1 1 1 0 exponential in input size Can convert any (“efficient”) program into 
 a (“small”) circuit

  26. Functions as Circuits e.g.: OR (single gate, 2 input bits, 1 bit output) e.g.: X > Y for two bit inputs X=x 1 x 0 , Y=y 1 y 0 : 00 01 10 11 (x 1 ∧ ¬y 1 ) ∨ (¬(x 1 ⊕ y 1 ) ∧ (x 0 ∧ ¬y 0 ) 00 0 0 0 0 01 1 0 0 0 Can directly convert a truth-table 
 10 1 1 0 0 into a circuit, but circuit size 
 11 1 1 1 0 exponential in input size Can convert any (“efficient”) program into 
 a (“small”) circuit Interesting problems already given as succinct programs/circuits

  27. 2-Party SFE for 
 General Circuits

  28. 2-Party SFE for 
 General Circuits “General”: evaluate any arbitrary circuit

  29. 2-Party SFE for 
 General Circuits “General”: evaluate any arbitrary circuit One-sided output: both parties give inputs, one party gets outputs

  30. 2-Party SFE for 
 General Circuits “General”: evaluate any arbitrary circuit One-sided output: both parties give inputs, one party gets outputs Either party maybe corrupted passively

  31. 2-Party SFE for 
 General Circuits 0 1 0 0 1 “General”: evaluate any arbitrary circuit 1 1 1 One-sided output: both parties give inputs, one party gets outputs Either party maybe corrupted passively Consider evaluating OR (single gate circuit)

  32. 2-Party SFE for 
 General Circuits 0 1 0 0 1 “General”: evaluate any arbitrary circuit 1 1 1 One-sided output: both parties give inputs, one party gets outputs Either party maybe corrupted passively Consider evaluating OR (single gate circuit) Alice holds x=a, Bob has y=b; Bob should get OR(x,y)

  33. A Physical Protocol 0 1 0 0 1 1 1 1

  34. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys K x=0 , 0 0 1 K x=1 , K y=0 and K y=1 1 1 1

  35. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys K x=0 , 0 0 1 K x=1 , K y=0 and K y=1 1 1 1 11 1 00 0 10 1 01 1

  36. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys K x=0 , 0 0 1 K x=1 , K y=0 and K y=1 1 1 1 11 1 00 0 10 1 01 1 0 1 0 1

  37. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys K x=0 , 0 0 1 K x=1 , K y=0 and K y=1 1 1 1 11 Inside B xy=ab she places the bit OR(a,b) and locks it 1 with two padlocks K x=a and K y=b (need to open both to open the box) 00 0 10 1 01 1 0 1 0 1

  38. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys K x=0 , 0 0 1 K x=1 , K y=0 and K y=1 1 1 1 11 Inside B xy=ab she places the bit OR(a,b) and locks it 1 with two padlocks K x=a and K y=b (need to open both to open the box) 00 0 10 1 0 0 01 1 0 1 0 1

  39. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys K x=0 , 0 0 1 K x=1 , K y=0 and K y=1 1 1 1 11 Inside B xy=ab she places the bit OR(a,b) and locks it 1 with two padlocks K x=a and K y=b (need to open both to open the box) 1 1 00 0 10 1 0 0 1 0 01 1 0 1 0 1 0 1

  40. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys K x=0 , 0 0 1 K x=1 , K y=0 and K y=1 1 1 1 11 Inside B xy=ab she places the bit OR(a,b) and locks it 1 with two padlocks K x=a and K y=b (need to open both to open the box) 1 1 00 0 10 She un-labels the four boxes and sends them in 1 random order to Bob. Also sends the key K x=a 0 0 (labeled only as K x ). 1 0 01 1 0 1 0 1 0 1

  41. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys K x=0 , 0 0 1 K x=1 , K y=0 and K y=1 1 1 1 Inside B xy=ab she places the bit OR(a,b) and locks it 1 with two padlocks K x=a and K y=b (need to open both to open the box) 0 She un-labels the four boxes and sends them in 1 random order to Bob. Also sends the key K x=a (labeled only as K x ). 1 0 1 0 1

  42. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys K x=0 , 0 0 1 K x=1 , K y=0 and K y=1 1 1 1 Inside B xy=ab she places the bit OR(a,b) and locks it 1 with two padlocks K x=a and K y=b (need to open both to open the box) 0 She un-labels the four boxes and sends them in 1 random order to Bob. Also sends the key K x=a (labeled only as K x ). 1 0 1 0 1

  43. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys K x=0 , 0 0 1 K x=1 , K y=0 and K y=1 1 1 1 Inside B xy=ab she places the bit OR(a,b) and locks it 1 with two padlocks K x=a and K y=b (need to open both to open the box) 0 She un-labels the four boxes and sends them in 1 random order to Bob. Also sends the key K x=a (labeled only as K x ). 1 0 1 0 1

  44. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys K x=0 , 0 0 1 K x=1 , K y=0 and K y=1 1 1 1 Inside B xy=ab she places the bit OR(a,b) and locks it 1 with two padlocks K x=a and K y=b (need to open both to open the box) 0 She un-labels the four boxes and sends them in 1 random order to Bob. Also sends the key K x=a (labeled only as K x ). 1 So far Bob gets no information 0 1 0 1

  45. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys K x=0 , 0 0 1 K x=1 , K y=0 and K y=1 1 1 1 Inside B xy=ab she places the bit OR(a,b) and locks it 1 with two padlocks K x=a and K y=b (need to open both to open the box) 0 She un-labels the four boxes and sends them in 1 random order to Bob. Also sends the key K x=a (labeled only as K x ). 1 So far Bob gets no information Bob “obliviously picks up” K y=b , and tries the two keys K x ,K y on the four boxes. For one box both locks open 0 1 and he gets the output. 0 1

  46. A Physical Protocol Alice prepares 4 boxes B xy corresponding to 4 0 1 possible input scenarios, and 4 padlocks/keys K x=0 , 0 0 1 K x=1 , K y=0 and K y=1 1 1 1 Inside B xy=ab she places the bit OR(a,b) and locks it 1 with two padlocks K x=a and K y=b (need to open both to open the box) 0 She un-labels the four boxes and sends them in 1 random order to Bob. Also sends the key K x=a (labeled only as K x ). 1 So far Bob gets no information Bob “obliviously picks up” K y=b , and tries the two keys K x ,K y on the four boxes. For one box both locks open 0 1 and he gets the output. F b 0 1

  47. A Physical Protocol 0 1 0 0 1 1 1 1 1 0 1 1 0 1 F b 0 1

  48. A Physical Protocol 0 1 Secure? 0 0 1 1 1 1 1 0 1 1 0 1 F b 0 1

  49. A Physical Protocol 0 1 Secure? 0 0 1 1 1 1 For curious Alice: only influence from Bob is when he picks up his key K y=b 1 0 1 1 0 1 F b 0 1

  50. A Physical Protocol 0 1 Secure? 0 0 1 1 1 1 For curious Alice: only influence from Bob is when he picks up his key K y=b 1 But this is done “obliviously”, so she learns nothing 0 1 1 0 1 F b 0 1

  51. A Physical Protocol 0 1 Secure? 0 0 1 1 1 1 For curious Alice: only influence from Bob is when he picks up his key K y=b 1 But this is done “obliviously”, so she learns nothing 0 For curious Bob: What he sees is predictable (i.e., 1 simulatable), given the final outcome 1 0 1 F b 0 1

  52. A Physical Protocol 0 1 Secure? 0 0 1 1 1 1 For curious Alice: only influence from Bob is when he picks up his key K y=b 1 But this is done “obliviously”, so she learns nothing 0 For curious Bob: What he sees is predictable (i.e., 1 simulatable), given the final outcome What Bob sees: His key opens K y in two boxes, 1 Alice’ s opens K x in two boxes; only one random box fully opens. It has the outcome. 0 1 F b 0 1

  53. A Physical Protocol 0 1 Secure? 0 0 1 1 1 1 For curious Alice: only influence from Bob is when he picks up his key K y=b 1 But this is done “obliviously”, so she learns nothing 0 For curious Bob: What he sees is predictable (i.e., 1 simulatable), given the final outcome What Bob sees: His key opens K y in two boxes, 1 Alice’ s opens K x in two boxes; only one random box fully opens. It has the outcome. Note when y=1, cases x=0 and x=1 appear same 0 1 F b 0 1

  54. Larger Circuits

  55. Larger Circuits

  56. Larger Circuits Idea: For each gate in the circuit Alice will prepare locked boxes, but will use it to keep keys for the next gate

  57. Larger Circuits Idea: For each gate in the circuit Alice will prepare locked boxes, but will use it to keep keys for the next gate

  58. Larger Circuits Idea: For each gate in the circuit Alice will prepare locked boxes, but will use it to keep keys for the next gate For each wire w in the circuit (i.e., input wires, or output of a gate) pick 2 keys K w=0 and K w=1

  59. Larger Circuits Idea: For each gate in the circuit Alice will 0 1 prepare locked boxes, but will use it to keep keys for the next gate 0 1 0 1 For each wire w in the circuit (i.e., input wires, or output of a gate) pick 2 keys K w=0 and K w=1

  60. Larger Circuits Idea: For each gate in the circuit Alice will 0 1 prepare locked boxes, but will use it to keep keys for the next gate 0 1 0 1 For each wire w in the circuit (i.e., input wires, or output of a gate) pick 2 keys K w=0 and K w=1 0 1 0 1 0 1

  61. Larger Circuits Idea: For each gate in the circuit Alice will 0 1 prepare locked boxes, but will use it to keep keys for the next gate 0 1 0 1 For each wire w in the circuit (i.e., input wires, or output of a gate) pick 2 keys K w=0 and K w=1 0 1 0 1 0 1 0 1 0 1 0 1

  62. Larger Circuits Idea: For each gate in the circuit Alice will 0 1 prepare locked boxes, but will use it to keep keys for the next gate 0 1 0 1 For each wire w in the circuit (i.e., input wires, or output of a gate) pick 2 keys K w=0 and K w=1

Recommend

Communication Locality in C i i L li i Secure Multi Party Secure Multi-Party Computation

Communication Locality in C i i L li i Secure Multi Party Secure Multi-Party Computation

Communication Locality in C i i L li i Secure Multi Party Secure Multi-Party Computation Computation How to Run Sublinear Algorithms in a Distributed Algorithms in a Distributed Setting Elette Boyle Shafi Goldwasser Stefano Tessaro

1.01k views • 36 slides
Secure Multi-Party Computation Gunnar Kreitz KTH Royal Institute of Technology

Secure Multi-Party Computation Gunnar Kreitz KTH Royal Institute of Technology

Background Secure Computation Security Model Generic Protocol Applications Secure Multi-Party Computation Gunnar Kreitz KTH Royal Institute of Technology gkreitz@kth.se October 4 2012 Gunnar Kreitz Secure Multi-Party Computation

1.28k views • 59 slides
Secure Computation ORAM The Case of 3-Party Computation Stanislaw Jarecki, UC Irvine

Secure Computation ORAM The Case of 3-Party Computation Stanislaw Jarecki, UC Irvine

Secure Computation ORAM The Case of 3-Party Computation Stanislaw Jarecki, UC Irvine Cryptography in the RAM Model Workshop, Cambridge, MA, June 2016 AC15: Sky Faber, S.J. , Sotirios Kentros, Boyang Wei New Work: S.J. , Boyang Wei Secure

595 views • 23 slides
2-party secure computation Problem: Two parties, Alice and Bob, with private inputs, a and b ,

2-party secure computation Problem: Two parties, Alice and Bob, with private inputs, a and b ,

1 International Conference on Practice and Theory of Public-Key Cryptography (PKC) 2020 Mon Z a: fast maliciously-secure 2-party computation on the ring 2 k Dario Catalano 1 , Mario Di Raimondo 1 , Dario Fiore 2 and Irene Giacomelli 3 1

504 views • 25 slides
Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the

Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the

Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the University of Texas, Austin for providing these slides. slide 1 Motivation General framework for describing computation between parties who do not

1.03k views • 35 slides
SoK: General Purpose Frameworks for Secure Multi-party Computation Marcella Brett Daniel Steve

SoK: General Purpose Frameworks for Secure Multi-party Computation Marcella Brett Daniel Steve

SoK: General Purpose Frameworks for Secure Multi-party Computation Marcella Brett Daniel Steve Hemenway Hastings Noble Zdancewic University of Pennsylvania 1 / 20 Secure Multi-party Computation (MPC) Compute an arbitrary function among

1.13k views • 36 slides
General Purpose Frameworks for Secure Multi-party Computation Marcella Brett Daniel Steve

General Purpose Frameworks for Secure Multi-party Computation Marcella Brett Daniel Steve

General Purpose Frameworks for Secure Multi-party Computation Marcella Brett Daniel Steve Hemenway Hastings Noble Zdancewic University of Pennsylvania 1 / 26 Secure multi-party computation (MPC) MPC allows a group of mutually

882 views • 51 slides
Practical Secure Two-Party Computation and Applications Thomas Schneider Estonian Winter School

Practical Secure Two-Party Computation and Applications Thomas Schneider Estonian Winter School

Practical Secure Two-Party Computation and Applications Thomas Schneider Estonian Winter School in Computer Science 2016 Overview Lecture 1: Introduction to Secure Two-Party Computation Lecture 2: Private Set Intersection Lecture 3: Tools

935 views • 67 slides
Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit

Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit

Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit Sahai UCLA Secure Multiparty Computation A set of mutually distrustful parties (n) wish to compute a joint function of their private inputs

309 views • 16 slides
Advanced Tools from Modern Cryptography Lecture 7 Secure 2-Party Computation: Yao s

Advanced Tools from Modern Cryptography Lecture 7 Secure 2-Party Computation: Yao s

Advanced Tools from Modern Cryptography Lecture 7 Secure 2-Party Computation: Yao s Garbled Circuit Recall MPC without Honest-Majority Plan (Still sticking with passive corruption): Two protocols, that are secure computationally The

449 views • 15 slides
Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F proto proto iface iface Secure (and correct) if: s.t. output of is distributed Env Env identically in REAL IDEAL REAL and

1.33k views • 102 slides
Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai

Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai

A New Approach to Practical Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank Secure Two-Party Computation a {0,1} * Alice has an input b {0,1} * Bob has an input They

609 views • 47 slides
Asynchronous Multi-Party Computation Vassilis Zikas RPI MPC School IIT Mumbai Secure

Asynchronous Multi-Party Computation Vassilis Zikas RPI MPC School IIT Mumbai Secure

Asynchronous Multi-Party Computation Vassilis Zikas RPI MPC School IIT Mumbai Secure Multi-Party Computation (MPC) Security D 1 D 2 D 4 D 3 Secure Multi-Party Computation (MPC) Security D 1 D 2 1 2 4 3 D 4 D 3 Secure

1.36k views • 124 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols

Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols

Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against

2.07k views • 85 slides
Secure Multi-party Quantum Computation with a Dishonest Majority Yfke Dulek, Alex Grilo, Stacey

Secure Multi-party Quantum Computation with a Dishonest Majority Yfke Dulek, Alex Grilo, Stacey

Secure Multi-party Quantum Computation with a Dishonest Majority Yfke Dulek, Alex Grilo, Stacey Je ff ery, Christian Majenz, Christian Scha ff ner Introduction Multi-party computation (MPC) Input (player i): x i 83 false Output: f(x 1 , ,

686 views • 20 slides
Hiding the Input Size in Secure Two-Party Computation Yehuda Lindell , Kobbi Nissim, Claudio

Hiding the Input Size in Secure Two-Party Computation Yehuda Lindell , Kobbi Nissim, Claudio

Hiding the Input Size in Secure Two-Party Computation Yehuda Lindell , Kobbi Nissim, Claudio Orlandi (or a more privacy Privacy on sensitive social network) My friends should only see our common friends Secure Computation 8dx2rru3d0fW2TS y

520 views • 36 slides
Secure Multi-Party Computation Lecture 13 Must We Trust ? Can we have an auction

Secure Multi-Party Computation Lecture 13 Must We Trust ? Can we have an auction

Secure Multi-Party Computation Lecture 13 Must We Trust ? Can we have an auction without an auctioneer?! Declared winning bid should be correct Only the winner and winning bid should be revealed Using data without sharing?

446 views • 20 slides
Advanced Tools from Modern Cryptography Lecture 6 Secure Multi-Party Computation without

Advanced Tools from Modern Cryptography Lecture 6 Secure Multi-Party Computation without

Advanced Tools from Modern Cryptography Lecture 6 Secure Multi-Party Computation without Honest Majority: GMW Protocol MPC without Honest-Majority Plan (Still sticking with passive corruption): Two protocols, that are secure

465 views • 12 slides
Multi-Party Computation Based on One-Way Functions Sandro Coretti (New York University) Juan

Multi-Party Computation Based on One-Way Functions Sandro Coretti (New York University) Juan

Constant-Round Asynchronous Multi-Party Computation Based on One-Way Functions Sandro Coretti (New York University) Juan Garay (Yahoo Research) Martin Hirt (ETH Zurich) Vassilis Zikas (RPI) Secure Multi-Party Computation (MPC) [Yao82, GMW87,

677 views • 47 slides
Advanced Tools from Modern Cryptography Lecture 4 Secure Multi-Party Computation: Passive

Advanced Tools from Modern Cryptography Lecture 4 Secure Multi-Party Computation: Passive

Advanced Tools from Modern Cryptography Lecture 4 Secure Multi-Party Computation: Passive Corruption + Honest-Majority Must We Trust ? Can we have an auction without an auctioneer?! Declared winning bid should be correct Only the

497 views • 20 slides
On the Exact Round Complexity of Secure Three-Party Computation Arpita Patra, Divya Ravi Indian

On the Exact Round Complexity of Secure Three-Party Computation Arpita Patra, Divya Ravi Indian

On the Exact Round Complexity of Secure Three-Party Computation Arpita Patra, Divya Ravi Indian Institute of Science CRYPTO 2018 Our Objective What is the exact round complexity of 3-party protocols with honest majority under the following

446 views • 10 slides
The Exact Round Complexity of Secure Computation Antigoni Polychroniadou (Aarhus University)

The Exact Round Complexity of Secure Computation Antigoni Polychroniadou (Aarhus University)

The Exact Round Complexity of Secure Computation Antigoni Polychroniadou (Aarhus University) joint work with Sanjam Garg, Pratyay Mukherjee (UC Berkeley), Omkant Pandey (Drexel University) Background: Secure Multi-Party Computation x 1 f(x 1 ,

750 views • 54 slides
Non-Interactive Secure Computation from One-Way Functions Saikrishna Badrinarayanan Abhishek

Non-Interactive Secure Computation from One-Way Functions Saikrishna Badrinarayanan Abhishek

Non-Interactive Secure Computation from One-Way Functions Saikrishna Badrinarayanan Abhishek Jain (UCLA) (JHU) Rafail Ostrovsky Ivan Visconti (UCLA) (University of Salerno) Secure Two Party Computation Function f Input x Input y P 2 P 1

443 views • 21 slides

More recommend