Secure Two-Party Computation Is Practical

Pinkas, Benny; Schneider, Thomas; Smart, Nigel P.; Williams, S.

doi:10.1007/978-3-642-10366-7_15

Cited by 350 publications

(361 citation statements)

References 29 publications

Supporting

Mentioning

359

Contrasting

Unclassified

Order By: Relevance

“…We remark that our proposed solutions can be modified to work with any of the existing garbled-circuit optimization techniques of [14,5,25,6,15].…”

Section: Our Contributionsmentioning

confidence: 99%

“…Furthermore, recent results show how to improve both the computation and communication cost of the garbling process (e.g., getting XOR gates for free [14], reducing communication [5,25], and designing tailored circuits [6]). …”

Section: Introductionmentioning

confidence: 99%

“…A slightly more explored direction is based on using the cut-and-choose method for checking the garbled circuit. (E.g., see implementations by [25,26,15].) Instead of sending only one (and possibly not properly constructed) garbled circuit, Alice sends t garbled circuits.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Garbled Circuits Checking Garbled Circuits: More Efficient and Secure Two-Party Computation

Mohassel

Riva

2013

Advances in Cryptology – CRYPTO 2013

View full text Add to dashboard Cite

Applying cut-and-choose techniques to Yao's garbled circuit protocol has been a promising approach for designing efficient Two-Party Computation (2PC) with malicious and covert security, as is evident from various optimizations and software implementations in the recent years. We revisit the security and efficiency properties of this popular approach and propose alternative constructions and a new definition that are more suitable for use in practice.• We design an efficient fully-secure 2PC protocol for two-output functions that only requires O(t|C|) symmetric-key operations (with small constant factors, and ignoring factors that are independent of the circuit in use) in the Random Oracle Model, where |C| is the circuit size and t is a statistical security parameter. This is essentially the optimal complexity for protocols based on cut-and-choose, resolving a main question left open by the previous work on the subject. Our protocol utilizes novel techniques for enforcing garbler's input consistency and handling twooutput functions that are more efficient than all prior solutions.• Motivated by the goal of eliminating the all-or-nothing nature of 2PC with covert security (that privacy and correctness are fully compromised if the adversary is not caught in the challenge phase), we propose a new security definition for 2PC that strengthens the guarantees provided by the standard covert model, and offers a smoother security vs. efficiency tradeoff to protocol designers in choosing the right deterrence factor. In our new notion, correctness is always guaranteed, privacy is fully guaranteed with probability (1 − ), and with probability (i.e. the event of undetected cheating), privacy is only "partially compromised" with at most a single bit of information leaked, in case of an abort. We present two efficient 2PC constructions achieving our new notion. Both protocols are competitive with the previous covert 2PC protocols based on cut-and-choose.A distinct feature of the techniques we use in all our constructions is to check consistency of inputs and outputs using new gadgets that are themselves garbled circuits, and to verify validity of these gadgets using multi-stage cut-and-choose openings.

show abstract

“…We remark that our proposed solutions can be modified to work with any of the existing garbled-circuit optimization techniques of [14,5,25,6,15].…”

Section: Our Contributionsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Garbled Circuits Checking Garbled Circuits: More Efficient and Secure Two-Party Computation

Mohassel

Riva

2013

Advances in Cryptology – CRYPTO 2013

View full text Add to dashboard Cite

show abstract

“…Efficient solutions for MPC over Boolean circuits have been extensively investigated in the past years [LP07,LPS08,NO09,PSSW09]. For the case of arithmetic computation, a step towards efficient solutions has been taken by Cramer, Damgård and Nielsen in [CDN01,DN03], based on threshold homomorphic encryption: however efficient protocols for the distributed key generation phase are still lacking and the use of homomorphic encryption during the on-line computation makes these protocol impractical.…”

Section: State Of the Artmentioning

confidence: 99%

Multiparty Computation for Dishonest Majority: From Passive to Active Security at Low Cost

Damgård

Orlandi

2010

Advances in Cryptology – CRYPTO 2010

View full text Add to dashboard Cite

Abstract. Multiparty computation protocols have been known for more than twenty years now, but due to their lack of efficiency their use is still limited in real-world applications: the goal of this paper is the design of efficient two and multi party computation protocols aimed to fill the gap between theory and practice. We propose a new protocol to securely evaluate reactive arithmetic circuits, that offers security against an active adversary in the universally composable security framework. Instead of the "do-and-compile" approach (where the parties use zero-knowledge proofs to show that they are following the protocol) our key ingredient is an efficient version of the "cut-and-choose" technique, that allow us to achieve active security for just a (small) constant amount of work more than for passive security.

show abstract

“…Since the associated computations are fast, we believe that in many (but not all, of course) practical scenarios communication complexity of our constructions will correlate with their total execution time. Indeed, in this work, we use aggressive (2-row) garbled row reduction (GRR2) due to Pinkas et al [PSSW09], which involves computing polynomial interpolation. While more expensive than the standard PRF or hash function garbling, GRR2 nevertheless is a very efficient technique as evidenced by the performance experiments in [PSSW09].…”

Section: Introductionmentioning

confidence: 99%

FleXOR: Flexible Garbling for XOR Gates That Beats Free-XOR

Kolesnikov¹,

Mohassel

Rosulek

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Most implementations of Yao's garbled circuit approach for 2-party secure computation use the free-XOR optimization of Kolesnikov & Schneider (ICALP 2008). We introduce an alternative technique called flexible-XOR (fleXOR) that generalizes free-XOR and offers several advantages. First, fleXOR can be instantiated under a weaker hardness assumption on the underlying cipher/hash function (related-key security only, compared to related-key and circular security required for free-XOR) while maintaining most of the performance improvements that free-XOR offers. Alternatively, even though XOR gates are not always "free" in our approach, we show that the other (non-XOR) gates can be optimized more heavily than what is possible when using free-XOR. For many circuits of cryptographic interest, this can yield a significantly (over 30%) smaller garbled circuit than any other known techniques (including free-XOR) or their combinations. * An extended abstract of this work appeared in the proceedings of CRYPTO 2014. This is the full version. † Bell Labs, kolesnikov@research.bell-labs.com.

show abstract

Secure Two-Party Computation Is Practical

Cited by 350 publications

References 29 publications

Garbled Circuits Checking Garbled Circuits: More Efficient and Secure Two-Party Computation

Garbled Circuits Checking Garbled Circuits: More Efficient and Secure Two-Party Computation

Multiparty Computation for Dishonest Majority: From Passive to Active Security at Low Cost

FleXOR: Flexible Garbling for XOR Gates That Beats Free-XOR

Contact Info

Product

Resources

About