Completeness theorems for non-cryptographic fault-tolerant distributed computation

Ben-Or, Michael; Goldwasser, Shafi; Wigderson, Avi

doi:10.1145/62212.62213

Cited by 1,737 publications

(1,029 citation statements)

References 10 publications

Supporting

Mentioning

1,027

Contrasting

Unclassified

Order By: Relevance

“…Secure two party computation was first investigated by Yao [21], and was later generalized to multi-party computation in [13,2,5]. These works all use a similar methodology: the function F to be computed is first represented as a combinatorial circuit, and then the parties run a short protocol for every gate in the circuit.…”

Section: Related Workmentioning

confidence: 99%

“…At the end of the protocol the receiver should learn X σ and no other information, and the sender should learn nothing. Very attractive non-interactive OT 2 1 protocols were presented in [1]. More recent results in [17] reduce the amortized overhead of OT 2 1 , and describe non-interactive OT 2 1 of strings whose security is not based on the "random oracle" assumption.…”

Section: Oblivious Transfermentioning

confidence: 99%

See 1 more Smart Citation

Privacy Preserving Data Mining

Lindell

Pinkas

2000

Advances in Cryptology — CRYPTO 2000

841

637

View full text Add to dashboard Cite

Abstract. In this paper we introduce the concept of privacy preserving data mining. In our model, two parties owning confidential databases wish to run a data mining algorithm on the union of their databases, without revealing any unnecessary information. This problem has many practical and important applications, such as in medical research with confidential patient records. Data mining algorithms are usually complex, especially as the size of the input is measured in megabytes, if not gigabytes. A generic secure multi-party computation solution, based on evaluation of a circuit computing the algorithm on the entire input, is therefore of no practical use. We focus on the problem of decision tree learning and use ID3, a popular and widely used algorithm for this problem. We present a solution that is considerably more efficient than generic solutions. It demands very few rounds of communication and reasonable bandwidth. In our solution, each party performs by itself a computation of the same order as computing the ID3 algorithm for its own database. The results are then combined using efficient cryptographic protocols, whose overhead is only logarithmic in the number of transactions in the databases. We feel that our result is a substantial contribution, demonstrating that secure multi-party computation can be made practical, even for complex problems and large inputs.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Oblivious Transfermentioning

confidence: 99%

Privacy Preserving Data Mining

Lindell

Pinkas

2000

Advances in Cryptology — CRYPTO 2000

841

637

View full text Add to dashboard Cite

show abstract

“…He considered the problem under cryptographic assumptions. Private computation in the information-theoretical secure setting has been introduced by Ben-Or et al [3] and Chaum et al [5]. Ben-Or et al have presented a function that is not privately computable.…”

Section: Introductionmentioning

confidence: 99%

Revealing Additional Information in Two-Party Computations

Jakoby

Liśkiewicz

2005

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract.A two-argument function is computed privately by two parties if after the computation, no party should know anything about the other inputs except for what he is able to deduce from his own input and the function value. In [1] Bar-Yehuda, Chor, Kushilevitz, and Orlitsky give a complete characterisation of two-argument functions which can be computed privately (in the information-theoretical sense) in the Honest-But-Curious model and study protocols for "non-private" functions revealing as little information about the inputs as possible. The authors define a measure which determines for any function f the additional information E (f ) required for computing f and claim that f is privately-computable if and only if E (f ) = 0. In our paper we show that the characterisation is false: we give a privately-computable function f with E (f ) = 0 and another function g with E (g) = 0 that is not privately-computable. Moreover, we show some rather unexpected and strange properties of the measure for additional information given by Bar-Yehuda et al. and we introduce an alternative measure. We show that for this new measure the minimal leakage of information of randomized and deterministic protocols are equal. Finally, we present some general relations between the information gain of an optimal protocol and the communication complexity of a function.

show abstract

“…Proving correctness of a simulation in the case of [15] requires a complexity assumption, such as existence of trapdoor permutations. Later, unconditionally secure MPC protocols were proposed by Ben-Or et al and Chaum et al [6,10], in the model where private channels are assumed between every pair of players. These protocols are in fact secure, even if the adversary is adaptive, i.e.…”

Section: Introductionmentioning

confidence: 99%

“…However, in [9], Canetti et al introduce a new concept called non-committing encryption and observe that if one replaces messages on the secure channels used in [6,10] by non-committing encryptions sent on an open network, one obtains adaptively secure MPC in the computational setting. They also showed how to implement non-committing encryption based on so called common-domain trapdoor permutations.…”

Section: Introductionmentioning

confidence: 99%

Improved Non-committing Encryption Schemes Based on a General Complexity Assumption

Damgård

Nielsen

2000

Advances in Cryptology — CRYPTO 2000

113

View full text Add to dashboard Cite

Abstract. Non-committing encryption enables the construction of multiparty computation protocols secure against an adaptive adversary in the computational setting where private channels between players are not assumed. While any non-committing encryption scheme must be secure in the ordinary semantic sense, the converse is not necessarily true. We propose a construction of non-committing encryption that can be based on any public-key system which is secure in the ordinary sense and which has an extra property we call simulatability. This generalises an earlier scheme proposed by Beaver based on the Diffie-Hellman problem, and we propose another implementation based on RSA. In a more general setting, our construction can be based on any collection of trapdoor permutations with a certain simulatability property. This offers a considerable efficiency improvement over the first non-committing encryption scheme proposed by Canetti et al. Finally, at some loss of efficiency, our scheme can be based on general collections of trapdoor permutations without the simulatability assumption, and without the common-domain assumption of Canetti et al. In showing this last result, we identify and correct a bug in a key generation protocol from Canetti et al.

show abstract

Completeness theorems for non-cryptographic fault-tolerant distributed computation

Cited by 1,737 publications

References 10 publications

Privacy Preserving Data Mining

Privacy Preserving Data Mining

Revealing Additional Information in Two-Party Computations

Improved Non-committing Encryption Schemes Based on a General Complexity Assumption

Contact Info

Product

Resources

About