Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Computation Lecture 11-12 Arpita Patra. Recap >> MPC with dishonest majority over Boolean circuit- [GMW87] > Oblivious Transfer (from CPA secure.

Published byLouise Bailey Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Computation Lecture 11-12 Arpita Patra. Recap >> MPC with dishonest majority over Boolean circuit- [GMW87] > Oblivious Transfer (from CPA secure."— Presentation transcript:

1 Secure Computation Lecture 11-12 Arpita Patra

2 Recap >> MPC with dishonest majority over Boolean circuit- [GMW87] > Oblivious Transfer (from CPA secure PKE with key samplability) > (n,n)-sharing > Protocol for 2PC Inputs are (2,2)-shared Maintain invariant for every gate XOR and NOT are free AND gate evaluation needs two 1-out-of-2 OTs/ one 1-out-of 4 OT > Extension to MPC (n-party case) > Security Proof >> Impossibility for i.t MPC with n<= 2t

3 Extension to Multiparty Case To compute (2,2)-secret sharing of x i  y j >> Use (n,n) secret sharing instead of (2,2)-secret sharing >> XOR and NOT gate evaluation extend in natural way in n party case >> AND gate evaluation: x  y = ( x 1 +x 2 + ……+ x n )  ( y 1 + y 2 + ……+ y n ) = n summands that can be locally computed of the form (x 1  y 1, ……, x n  y n ) + (n 2 -n) summands that need 1-out-of-2 OT for (2,2)-sharing ( x 1  y 2, y 1  x 2 etc) 1-out-of-2 OT riri r i + x i yjyj r i + x i  y j PiPi PjPj

4 AND Gate Evaluation P0P0 PnPn x0x0 xnxn y0y0 ynyn y   x  Two cross summands x i  y j and y i  x j PiPi xixi yiyi  PjPj xjxj yjyj  1-out-of-2 OT riri r i + x i yjyj r i + x i  y j 1-out-of-2 OT yiyi r j + y i  x j rjrj r j + x j P i ‘s share: his summand + 2 shares of two cross terms (for every other party) >> Security will hold even in the presence of (n-1) corruptions. Adv will have no info about the shares held by the sole honest party (reduces to OT security)

5 OT is Complete for Secure Computation >> the security of GMW is information-theoretic assuming ideal realization of OT. >> the security of GMW relies on crypto only inside the OTs. >> If OT can be realized i.t settings then secure computation via GMW can be done in i.t. settings. >> Unconventional setting (noisy channel) where OT can be realized in i.t. security

6 Efficiency Computation Complexity: O(n 2 c AND ) PKE operations Multiplication gate computation: O(1) PKE operation [1 PKE Op = one Gen, one Enc, one Dec] Goal: O(n 2 c AND ) SKE operations in offline phase I.T online phase with no operations other than bit XOR. Round Complexity: O(d); d = multiplicative depth of the circuit Goal: Constant? Yes, will be discussed soon >> Computation Complexity ≥ Communication Complexity (the parties will send subset of what it computes) >> Unlike i.t. settings computation complexity matters here as we usually work on huge algebraic structures to maintain security I.T settings: k > log n (perfect security) k > 40 (statistical security) Comp. settings: k > 128 (symmetric key) k > 3248 (public key)

7 Efficiency Computation Complexity: O(n 2 c AND ) PKE operations Goal: O(n 2 c AND ) SKE operations in offline phase I.T online phase with no operations other than bit XOR. Step 1: O(n 2 c AND ) OTs (PKE operations) in offline phase I.T online phase with no operations other than bit XOR. Step 2: O(n 2 c AND ) SKE operations + k OTs in offline phase I.T online phase with no operations other than bit XOR.

8 Preprocessing of OT >> Can we run OTs on random inputs in the offline phase and use during online phase.. 1-out-of-2 OT r0r0 r1r1 c rcrc P0P0 P1P1 Preprocessing on Random Inputs Computation in Online Phase m0m0 m1m1 b mbmb z = b + c If z = 0 y 0 = m 0 + r 0 y 1 = m 1 + r 1 If z = 1 y 0 = m 0 + r 1 y 1 = m 1 + r 0 y 0, y 1 m b = y b + r c

9 GMW in Offline/Online Setting >> c AND OT operations in the offline phase. Offline Phase Online Phase >> Cheap XOR operations in the online phase. >> c AND PKE operations >> Goal: c AND SKE operations + k OT operations (via OT-extension) >> Information theoretic!!

10 Reducing OT to Symmetric Key Operations via OT Extension >> OTs are intrinsically expensive- usually based on public key primitives PRG >> Millions of OTs are needed (think of distributed AES encryption) >> Small no. X  many no. X > PRG: Truly Random short Seed  huge (pseudo-)random string > Hybrid Encryption: one instance of PKE  many instances of PKE @ SKE operations >> X (task/object): executing/generating X is not very efficient None of this sort can be i.t. s  R {0,1} k PRG(s)  {0,1} poly(k) HE PKE @ cheap op @ cheap SKE

11 OT Extension >> Small no. X  many no. X > OT Extension: k OTs  poly(k) OTs >> X: generating X is not very efficient None of this sort can be i.t. OT Extension @ cheap SKE OT 1 OT 2 OT k OT 1 OT 2 OT 3 OT poly(k) >> OT Ext is not possible information theoretically [Bea96] >> OT Ext with log(k) seed OTs implies OT from scratch [LZ13] >> OT Ext implies OWF [LZ13] Reduces the cost of OT to O(1)SKE operations

12 Roadmap for Building OT Extension [IKNP03] OT 1 OT 2 OT k OT 1 OT 2 OT 3 OT m k bit input s OT 1 OT 2 OT k m (=poly(k)) > k bit inputs l bit input s r 10 r 11 r 20 r 21 r 30 r 31 r m0 r m1 b1b1 b2b2 b3b3 bmbm r 1 b1 r 2 b2 r m bm r 3 b3 Cost for transformation

13 OT k bit input s m bit inputs Transformation I: Domain Extension k0k0 k1k1 b kbkb P0P0 P1P1 m0m0 m1m1 y 0 = G(k 0 ) + m 0 y 1 = G(k 1 ) + m 1 PRG G: {0,1} k -> {0,1} m=poly(k) y 0, y 1 m b = G(k b ) + y b

14 Transformation II: OT Extension B= [b 1,…b m ] P0P0 P1P1 T= [T 1 T 2. T m ] Q= [Q 1 = T 1 (if b 1 = 0) / T 1 + S (otherwise) Q 2 = T 2 (if b 2 = 0) / T 2 + S (otherwise) Q m = T m (if b m = 0) / T m + S (otherwise)] r 10 r 11 r 20 r 21 r m0 r m1 r 1 b1 r 2 b2 r m bm Random S is known to P 0 only |T i | = k

15 Transformation II: OT Extension B= [b 1,…b m ] P0P0 P1P1 y 10 = Q 1 + r 10 y 11 = Q 1 + S + r 11 (y 10, y 11 )…….. (y m0, y m1 ) r 1 b1 = T 1 + y 1 b1 r 10 r 11 r 20 r 21 r m0 r m1 T= [T 1 T 2. T m ] y m0 = Q m + r m0 y m1 = Q m + S + r m1 r m bm = T m + y m bm Q= [Q 1 = T 1 (if b 1 = 0) / T 1 + S (otherwise) Q 2 = T 2 (if b 2 = 0) / T 2 + S (otherwise) Q m = T m (if b m = 0) / T m + S (otherwise)]

16 Transformation II: OT Extension B= [b 1,…b m ] P0P0 P1P1 (y 10, y 11 )…….. (y m0, y m1 ) r 1 b1 = T 1 + y 1 b1 r 10 r 11 r 20 r 21 r m0 r m1 T= [T 1 T 2. T k ] r m bm = T m + y m bm Q= [Q 1 = T 1 (if b 1 = 0) / T 1 + S (otherwise) Q 2 = T 2 (if b 2 = 0) / T 2 + S (otherwise) Q m = T m (if b m = 0) / T m + S (otherwise)] Correlation Robust H: [m] × {0,1} k -> {0,1} l y 10 = H(1,Q 1 ) + r 10 y 11 = H(1,Q 1 + S) + r 11 y m0 = H(m,Q m ) + r m0 y m1 = H(m,Q m + S) + r m1 Given random and independent S, T 1 ….. T m, the joint distribution {H(T 1 + S),…. H(T m + S), T 1 …..T m } must be pseudo-random Cryptographic Hash function: SHA 1/2/3, RC4

17 Transformation II: OT Extension B= [b 1,…b m ] P0P0 P1P1 (y 10, y 11 )…….. (y m0, y m1 ) r 1 b1 = T 1 + y 1 b1 r 10 r 11 r 20 r 21 r m0 r m1 T= [T 1 T 2. T k ] r m bm = T m + y m bm Q= [Q 1 = T 1 (if b 1 = 0) / T 1 + S (otherwise) Q 2 = T 2 (if b 2 = 0) / T 2 + S (otherwise) Q m = T m (if b m = 0) / T m + S (otherwise)] Random Function H: [m] × {0,1} k -> {0,1} l y 10 = H(1,Q 1 ) + r 10 y 11 = H(1,Q 1 + S) + r 11 y m0 = H(m,Q m ) + r m0 y m1 = H(m,Q m + S) + r m1 Every time query an input: same output New input: output is completely random in the range Every RO is Correlation-Robust (HR) Hash function

18 A little diversion to RO Model Random Function H: [m] × {0,1} k -> {0,1} l >> Love and hate relationship with this model >> Many protocols have proof in RO model which otherwise does not have any proof. >> Protocol analyzed for Security: Hash functions replaced with RO box. >> Proof is for any good?: Existence of such a proof implies the real protocol go wrong only when hash function does not simulate RO. Some proof better than no proof >> Real protocol: RO replaced with hash functions >> Examples: RSA-OEAP (practically in use). CCA-secure extension of RSA >> Finding proof under relatively realistic assumption (e.g. CR) than RO has been very challenging and considered to be great achievement!!

19 Transformation II: OT Extension B= [b 1,…b m ] P0P0 P1P1 T= [T 1 T 2. T m ] Q= [Q 1 = T 1 (if b 1 = 0) / T 1 + S (otherwise) Q 2 = T 2 (if b 2 = 0) / T 2 + S (otherwise) Q m = T m (if b m = 0) / T m + S (otherwise)] r 10 r 11 r 20 r 21 r m0 r m1 r 1 b1 r 2 b2 r m bm Random S is known to P 0 only |T i | = k

20 Transformation II: OT Extension B= [b 1,…b m ] P0P0 P1P1 r 10 r 11 r 20 r 21 r m0 r m1 OT 1 s1s1 Q1Q1 T1T1 T 1 + B OT 2 OT k T is a {0,1} m.k matrix T = [T 1, …..T k ] T= [T 1 T 2. T m ] T2T2 T 2 + B TkTk T k + B s2s2 sksk Q2Q2 QkQk Q is a {0,1} m.k matrix Q = [Q 1, …..Q k ] Q= [Q 1 Q 2. Q m ] m bit inputs

21 Transformation II: OT Extension B= [b 1,…b m ] P0P0 P1P1 OT 1 s1s1 Q1Q1 T1T1 T 1 + B OT 2 OT k T is a {0,1} m.k matrix T = [T 1, …..T k ] T= [T 1 T 2. T m ] T2T2 T 2 + B TkTk T k + B s2s2 sksk Q2Q2 QkQk Q= [Q 1 = T 1 (if b 1 = 0) / T 1 + S (otherwise) T[1,1] + s 1 Q 2 = T 2 (if b 2 = 0) / T 2 + S (otherwise) Q m = T m (if b m = 0) / T m + S (otherwise)] T[1,2] + s 2 T[1,k] + s k T[1,1] T[1,2] T[1,k]

22 Transformation II: Putting everything together B= [b 1,…b m ] P0P0 P1P1 y 10 = H(1,Q 1 ) + r 10 y 11 = H(1,Q 1 + S) + r 11 (y 10, y 11 )…….. (y m0, y m1 ) r 1 b1 = H(1,T 1 ) + y 1 b1 r 10 r 11 r 20 r 21 r m0 r m1 OT 1 s1s1 Q1Q1 T1T1 T 1 + B OT 2 OT k T is a {0,1} m.k matrix T = [T 1, …..T k ] T= [T 1 T 2. T k ] T2T2 T 2 + B TkTk T k + B s2s2 sksk Q2Q2 QkQk Q is a {0,1} m.k matrix Q = [Q 1, …..Q k ] Q= [Q 1 Q 2. Q k ] y m0 = H(m,Q m ) + r m0 y m1 = H(1,Q m + S) + r m1 r m bm = H(m,T m ) + y m bm

23 Roadmap for Building OT Extension [IKNP03] OT 1 OT 2 OT k OT 1 OT 2 OT 3 OT m k bit input s OT 1 OT 2 OT k m (=poly(k)) > k bit inputs l bit input s r 10 r 11 r 20 r 21 r 30 r 31 r m0 r m1 b1b1 b2b2 b3b3 bmbm r 1 b1 r 2 b2 r m bm r 3 b3

24 Security For Receiver B= [b 1,…b m ] P0P0 P1P1 y 10 = H(1,Q 1 ) + r 10 y 11 = H(1,Q 1 + S) + r 11 (y 10, y 11 )…….. (y m0, y m1 ) r 1 b1 = H(1,T 1 ) + y 1 b1 r 10 r 11 r 20 r 21 r m0 r m1 OT 1 s1s1 Q1Q1 T1T1 T 1 + B OT 2 OT k T is a {0,1} m.k matrix T = [T 1, …..T k ] T= [T 1 T 2. T k ] T2T2 T 2 + B TkTk T k + B s2s2 sksk Q2Q2 QkQk Q is a {0,1} m.k matrix Q = [Q 1, …..Q k ] Q= [Q 1 Q 2. Q k ] y m0 = H(m,Q m ) + r m0 y m1 = H(1,Q m + S) + r m1 r m bm = H(m,T m ) + y m bm Reduces to the sender’s security of OT 1 …OT k

25 Security For Sender B= [b 1,…b m ] P0P0 P1P1 y 10 = H(1,Q 1 ) + r 10 y 11 = H(1,Q 1 + S) + r 11 (y 10, y 11 )…….. (y m0, y m1 ) r 1 b1 = H(1,T 1 ) + y 1 b1 r 10 r 11 r 20 r 21 r m0 r m1 OT 1 s1s1 Q1Q1 T1T1 T 1 + B OT 2 OT k T is a {0,1} m.k matrix T = [T 1, …..T k ] T= [T 1 T 2. T k ] T2T2 T 2 + B TkTk T k + B s2s2 sksk Q2Q2 QkQk Q is a {0,1} m.k matrix Q = [Q 1, …..Q k ] Q= [Q 1 Q 2. Q k ] y m0 = H(m,Q m ) + r m0 y m1 = H(1,Q m + S) + r m1 r m bm = H(m,T m ) + y m bm Reduces to the receiver’s security of OT 1 …OT k Reduces to the security of RO except with S=0 [IKNP03]: Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. Extending oblivious transfers efficiently. In CRYPTO,pages 145–161, 2003.

26 Chalk & Talk CT4: [KK13] Vladimir Kolesnikov and Ranjit Kumaresan. Improved ot extension for transferring short secrets. In CRYPTO(2), pages 54–70, 2013. Open problem: IKNP03 has been extended for malicious security with almost the same cost Doing the same for KK13 is an interesting open question. Practical Project: Implement the best known OT extension!

27 1-out-of-4 OT from 1-out-of-2 OT S R m 00 m 01 m 10 m 11 b0b1b0b1 Dec k b1 Dec k’ b0 (c b0 b1 ) c 00  Enc k0 (Enc k’0 (m 00 )) c 01  Enc k0 (Enc k’1 (m 01 )) (c 00,c 01, c 10,c 11 ) 1-out-of-2 OT k0k0 k1k1 b0b0 k b0 k 0, k 1 : key for SKE with C = M 1-out-of-2 OT k’ 0 k’ 1 b1b1 k’ b1 c 10  Enc k1 (Enc k’0 (m 10 )) c 11  Enc k1 (Enc k’1 (m 11 ))

28 Motivating Yao Computation Complexity: O(n 2 c AND ) SKE operations + k OTs in offline phase I.T online phase with no operations other than bit XOR. Round Complexity: O(d); d = multiplicative depth of the circuit Computation Complexity: k OTs in offline phase O(c) SKE operations for every gate in online phase. Round Complexity: two rounds Many application requires less interaction! Yao is only for two parties!! And does not extend to n-party unlike GMW87

29 Constant Round Protocol 2-party protocol- [Yoa82] Garbled Circuit / Scrambled Circuit / Encrypted circuit: Phenomenal Idea! Andrew Chi-Chih Yao. Protocols for secure computations (extended abstract). In FOCS, pages 160–164, 1982. Yehuda Lindell, Benny Pinkas: A Proof of Security of Yao's Protocol for Two-Party Computation. J. Cryptology 22(2): 161-188 (2009)J. Cryptology 22(2): 161-188 (2009)

30 Looking Ahead and a few open problems… >> Garbled circuit is still an active area of research. How concisely we can construct garbled circuit? Application in verifiable computation..open problems >> Yao’s 2PC protocol is so asymmetric that it took a decade to extend Yao for multiparty [BMR90] (note unlike GMW it is not easy to extend for n-party) >> [BMR90] does it for honest majority. Another two decades for dishonest majority setting [LPSY15] >> [BMR90] and [LPSY15] could not extend the optimizations done for Yao’s garbled circuit...open problem >> Non-interactive Secure Computation: Yao leads to 2-round protocol (non-interactive). Extended for malicious. Not as efficient as malicious 2PC with constant rounds..open problem >> Heated Argument: GMW or Yao? [SZ13] Thomas Schneider, Michael Zohner: GMW vs. Yao? Efficient Secure Two-Party Computation with Low Depth Circuit. Financial Cryptography 2013: 275-292Financial Cryptography 2013: 275-292 http://fc13.ifca.ai/proc/8-3.pdf

31 Yao’s Garbled Circuit It enables one to evaluate a circuit without knowing the inputs to the circuit x1x1 x2x2 x3x3 x4x4 f(x 1, x 2, x 3, x 4 ) +   Step 1: Every wire is associated with a pair of identical looking keys. 0 1 No information about the associated bit can be inferred from a key corresponding to a wire Garbling of wires complete!

32 Yao’s Garbled Circuit +  

33  Step 2: Every two input gate is associated with four doubly locked boxes Each pair of input wire keys (one from each input wire) will open one and only one box. What’s there in the boxes?- Appropriate gate output wire key. Assume AND gate: 1st input wire2 nd Input wireOutput wire Key for 0 Key for 1Key for 0 Key for 1Key for 0 Key for 1 Boxes are randomly permutated

34 Yao’s Garbled Circuit  Step 2: Every two input gate is associated with four doubly locked boxes Each pair of input wire keys (one from each input wire) will open one and only box. What’s there in the boxes?- Appropriate gate output wire key. Assume XOR gate: 1st input wire2 nd Input wireOutput wire Key for 0 Key for 1 Key for 0Key for 1 Key for 0

35 Yao’s Garbled Circuit Step 2: Every one input gate is associated with two doubly locked boxes Each input wire key will open exactly one box. What’s there in the boxes?- Appropriate gate output wire key. Assume NOT gate: Input wireOutput wire Key for 0Key for 1 Key for 0

36 Yao’s Garbled Circuit It enables one to evaluate a circuit without knowing the inputs to the circuit. x1x1 x2x2 x3x3 x4x4 f(x 1, x 2, x 3, x 4 ) +   Step 1: Every wire is associated with a pair of identical looking keys. Step 2: Every two input gate is associated with four doubly locked boxes (in randomly permuted order) so that each pair of keys (one from each input wire) will open one and only one box. Garbled Circuit: Pairs of keys for all the wires in the circuit + four/two locked boxes for each gate

37 Yao’s Garbled Circuit It enables one to evaluate a circuit without knowing the inputs to the circuit. x1x1 x2x2 x3x3 x4x4 f(x 1, x 2, x 3, x 4 ) +   Garbled Circuit: Pairs of keys for all the wires in the circuit + four/two locked boxes for each gate + meaning of the output wire keys 1. Give input keys corresponding to the inputs and the locked boxes for all the gates in the circuit. 2. For every gate, exactly one box can be opened and the key corresponding to the output value for the inputs can be obtained 3. For the output gate, the key corresponding to the output value for given inputs can be obtained. Output Physical Keys: Keys of SKE Locked boxes: Encryptions Doubly Locked boxes: Double Encryptions

38 Yao’s 2 Party Protocol Y = (y 1,y 2,…y k ) P0P0 P1P1 X = (x 1,x 2,…x k ) Circuit Constructor Circuit Evaluator 1. Construct a Garbled Circuit for Circuit C: Pairs of keys for all the wires in the circuit + four/two locked boxes for each gate + meaning of the output wire keys Keys corresponding to X = (x 1,x 2,…x k ) and the locked boxes of all the gates + meaning of the output wire keys OT 1 k 0 w1 k 1 w1 y1y1 OT k k y1 w1 k 0 wk k 1 wk ykyk k yk wk Evaluate the garbled circuit with the given input keys and interpret the output Z using + meaning of the output wire keys Z

39 Chalk & Talk CT6: [SZ13]Thomas Schneider, Michael Zohner: GMW vs. Yao? Efficient Secure Two-Party Computation with Low Depth Circuit. Financial Cryptography 2013: 275-292 Financial Cryptography 2013: 275-292 http://fc13.ifca.ai/proc/8-3.pdf CT5: [BMR90]Donald Beaver, Silvio Micali, Phillip Rogaway:Silvio Micali, Phillip Rogaway: The Round Complexity of Secure Protocols (Extended Abstract). STOC 1990: 503-513. STOC 1990: 503-513. http://web.cs.ucla.edu/~rafail/TEACHING/SPRING-2004/WEB- RESOURCES/BMR.pdf

40

Download ppt "Secure Computation Lecture 11-12 Arpita Patra. Recap >> MPC with dishonest majority over Boolean circuit- [GMW87] > Oblivious Transfer (from CPA secure."

Similar presentations

Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.

Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)

On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.

New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions

Similar presentations

Ads by Google