[PDF] Top 20 Billion-Gate Secure Computation with Malicious Adversaries

... In this section, we give a detailed description of our system, upon which we have implemented various real world secure computation applications. The experimen- tal environment is the Ranger cluster in the ... See full document

... circuit computation, thereby constituting a SPDZ-like MAC ...the computation, and so any cheating by the adversary will be ...actually secure for malicious adversaries up to an additive ... See full document

... a malicious PUF in a number of ...model malicious PUFs analogously in the following way: to create a malicious PUF, the adversary simply specifies to the ideal functionality, the (malicious) ... See full document

... We then present a generic compiler that upgrades our intermediate solution (as well as the one by Choi et al. [15]) to handle an arbitrary subset of malicious clients. While we could rely on standard techniques ... See full document

... for secure compu- ...active adversaries of [PVW08] achieves approximately 350 random OTs per second on standard ...RSA computation is only carried out to encrypt a symmetric key, which is then used ... See full document

... obtain secure MPC protocols, which requires a way to bound the aggregated leakage when multiple small-leakage protocols are executed in parallel or ...topology-hiding computation on ... See full document

... multiparty computation in the simultaneous message ...semi-honest adversaries, (or even the slightly stronger setting of semi-malicious 3 adversaries) three round protocols based on the ... See full document

... information-theoretically secure key agreement, commit- ment and oblivious transfer protocols, among ...for secure multi- party computation, and the OT capacity characterizes how efficiently a ... See full document

... efficient secure two-party (2PC) computation protocols in the pres- ence of malicious adversaries has been an active area of research in the recent ...the malicious setting, which is ... See full document

... are malicious. The malicious misbehavior is modeled by a central adversary corrupting up to t parties and taking full control of their ...for secure multi-party computation (MPC) as defined in ... See full document

... a secure two-party computation problem: Two parties, Client and Server, each with an integer b and an integer interval [a, e] respectively, want to evaluate whether b ∈ [a, e], such that: (i) Client can not ... See full document

... in the semi-honest model, extended in [17, 27, 25, 26] in the malicious model. However, these general protocols are inefficient for practical uses (because these protocols were constructed based on the boolean ... See full document

... provide secure two-party ...perfectly secure protocols in which the adversary simply does not have any information about the secret, the adversary in the computationally secure model is unable to ... See full document

... actively secure OT extension, and more recently the overhead of active security has been reduced to almost nothing for both the 1-out-of-2 [ALSZ15,KOS15] and 1-out-of-n cases ... See full document

... involving secure computations without interaction, such as the one described ...against malicious parties in the above model is in some sense easier than in the standard MPC ...Indeed, malicious ... See full document

... Lastly, we describe truncation Trunc([a], `, [m]) and provide its protocol below. In the solution, we first produce bit-wise unary representation of its argument [m] using B2U. Because B2U also computes [2 m ] at an ... See full document

... The negative result holds even when the parties can communicate over secure point-to-point channels or, more generally, even when allowing an arbitrary input-independent correlated randomness setup. This result ... See full document

... actual intersection set. For the network, we assume devices communicate through wireless interfaces such as Bluetooth or WIFI. For simplicity, we assume every participating device is in the communication range of each ... See full document

... When the signing algorithm is deterministic there is no need to choose an r. However, for randomized signing algorithms the same randomness is used to compute the tag for all slots in the superposition. Alternatively, we ... See full document

... protocol secure only against semi hon- est adversaries and is based on the constant round BMR construction ...to malicious security, we employ cut and choose techniques where the parties en- sure the ... See full document