Secure Computation against Adaptive Auxiliary Information

Boyle, Elette; Garg, Sanjam; Jain, Abhishek; Kalai, Yael Tauman; Sahai, Amit

doi:10.1007/978-3-642-40041-4_18

Cited by 25 publications

(15 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We remark that the our ideal model resembles that considered in the recent works on leakage-resilient secure computation protocols [14,5,6]. However, we stress that in our setting, there is no physical leakage in the real world and instead there are just an (unbounded) polynomial number of concurrent sessions.…”

Section: Introductionmentioning

confidence: 92%

“…However, we stress that in our setting, there is no physical leakage in the real world and instead there are just an (unbounded) polynomial number of concurrent sessions. Indeed, while [14,5,6] use the leaky ideal world approach to bound the security loss in the real world due to leakage attacks, we use the leaky ideal world approach to bound the security loss in the real world due to concurrent attacks. Nevertheless, we find it interesting that there is a parallel between the ideal world guarantees considered in two unrelated settings: leaky real world, and, concurrent real world.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

What Information Is Leaked under Concurrent Composition?

Goyal

Gupta

Jain

2013

Advances in Cryptology – CRYPTO 2013

Self Cite

View full text Add to dashboard Cite

Abstract.A long series of works have established far reaching impossibility results for concurrently secure computation. On the other hand, some positive results have also been obtained according to various weaker notions of security (such as by using a super-polynomial time simulator). This suggest that somehow, "not all is lost in the concurrent setting."In this work, we ask what and exactly how much private information can an adversary learn by launching a concurrent attack? Inspired by the recent works on leakage-resilient protocols, we consider a security model where the ideal world adversary (a.k.a simulator) is allowed to query the trusted party for some "leakage" on the honest party inputs. (Intuitively, the amount of leakage required by the simulator upper bounds the security loss in the real world).We show for the first time that in the concurrent setting, it is possible to achieve full security for "most" of the sessions, while incurring significant loss of security in the remaining (fixed polynomial fraction of total) sessions. We also give a lower bound showing that (for general functionalities) this is essentially optimal. Our results also have interesting implications to bounded concurrent secure computation [Barak-FOCS'01], as well as to precise concurrent zero-knowledge and concurrently secure computation in the multiple ideal query model At the heart of our positive results is a new simulation strategy that is inspired by the classical set covering problem. On the other hand, interestingly, our negative results use techniques from leakage-resilient cryptography .

show abstract

Section: Introductionmentioning

confidence: 92%

Section: Introductionmentioning

confidence: 99%

What Information Is Leaked under Concurrent Composition?

Goyal

Gupta

Jain

2013

Advances in Cryptology – CRYPTO 2013

Self Cite

View full text Add to dashboard Cite

show abstract

“…7. To create the transcript, every party puts all values it ever sends or receives onto F Bulletin (except for the private reconstruction of input values) 8 . During the Initialize step of Π, the parties set up the secret-shared MAC key α, generate the parameters g, h of the commitment scheme as well as correlated randomness for the computation.…”

Section: The Online Phasementioning

confidence: 99%

“…Several notions of "strong" semi-honest protocols have been used in recent works -see Remark 1 in [28] or the notion of "semi-malicious" in [8]. In all notions different requirements of security still hold when the adversary can tamper with the randomness of otherwise semi-honest parties.…”

Section: A a Generic Solutionmentioning

confidence: 99%

Publicly Auditable Secure Multi-Party Computation

Baum

Damgård

Orlandi

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In the last few years, the efficiency of secure multi-party computation (MPC) increased in several orders of magnitudes. However, this alone might not be enough if we want MPC protocols to be used in practice. A crucial property that is needed in many applications is that everyone can check that a given (secure) computation was performed correctly -even in the extreme case where all the parties involved in the computation are corrupted, and even if the party who wants to verify the result was not participating. This is especially relevant in the clients-servers setting, where many clients provide input to a secure computation performed by a few servers. An obvious example of this is electronic voting, but also in many types of auctions one may want independent verification of the result. Traditionally, this is achieved by using non-interactive zero-knowledge proofs during the computation. A recent trend in MPC protocols is to have a more expensive preprocessing phase followed by a very efficient online phase, e.g., the recent so-called SPDZ protocol by Damgård et al. Applications such as voting and some auctions are perfect use-case for these protocols, as the parties usually know well in advance when the computation will take place, and using those protocols allows us to use only cheap information-theoretic primitives in the actual computation. Unfortunately no protocol of the SPDZ type supports an audit phase. In this paper, we show how to achieve efficient MPC with a public audit. We formalize the concept of publicly auditable secure computation and provide an enhanced version of the SPDZ protocol where, even if all the servers are corrupted, anyone with access to the transcript of the protocol can check that the output is indeed correct. Most importantly, we do so without significantly compromising the performance of SPDZ i.e. our online phase has complexity approximately twice that of SPDZ.

show abstract

“…Simulation-based notions of leakage tolerance have been considered also for public-key encryption schemes by Halevi and Lin [29], and in the context of zero-knowledge protocols [27,42,1], coin tossing [10], and secure multi-party computation [9,8,7].…”

Section: Related Workmentioning

confidence: 99%

On the Connection between Leakage Tolerance and Adaptive Security

Nielsen

Venturi

Zottarel

2013

Public-Key Cryptography – PKC 2013

View full text Add to dashboard Cite

We revisit the context of leakage-tolerant interactive protocols as defined by Bitanski, Canetti and Halevi (TCC 2012). Our contributions can be summarized as follows:• For the purpose of secure message transmission, any encryption protocol with message space M and secret key space SK tolerating poly-logarithmic leakage on the secret state of the receiver must satisfy |SK| ≥ (1 − )|M|, for every 0 < ≤ 1, and if |SK| = |M|, then the scheme must use a fresh key pair to encrypt each message.• More generally, we show that any n party protocol tolerates leakage of ≈ poly(log κ) bits from one party at the end of the protocol execution, if and only if the protocol has passive adaptive security against an adaptive corruption of one party at the end of the protocol execution. This shows that as soon as a little leakage is tolerated, one needs full adaptive security.All our results can be based on the only assumption that collision-resistant function ensembles exist.

show abstract

Secure Computation against Adaptive Auxiliary Information

Cited by 25 publications

References 33 publications

What Information Is Leaked under Concurrent Composition?

What Information Is Leaked under Concurrent Composition?

Publicly Auditable Secure Multi-Party Computation

On the Connection between Leakage Tolerance and Adaptive Security

Contact Info

Product

Resources

About