[PDF] Top 20 There Is Always an Exception: Controlling Partial Information Leakage in Secure Computation

... the information leakage of her ...some information about the input of Alice such that it remains hidden what was exactly ...sensitive information about the input? We argue that most often ... See full document

... is secure (in the semi-honest model) with respect to standard definitions of security [Gol04], with one important caveat: our system leaks the total number of instructions executed in a given run of the ...leak ... See full document

... of leakage-resilient cryptography is that a cryptographic scheme is still secure even if the partial leakage information of the private (or se- cret) keys involved in the scheme is ... See full document

... for secure computation. Prior work on adaptively secure OT includes [Bea97, CLOS02, Lin09, ...with partial erasures since the statically-corrupted party can always be viewed as the ... See full document

... possible secure implement, the receiver samples a random string r, and outputs r if the sender’s input is >, outputs x ⊕ r if the sender’s input is ...party computation protocol under OT hybrid model for ... See full document

... Abstract. We study the question of how much interaction is needed for un- conditionally secure multiparty computation. We first consider the number of messages that need to be sent to compute a Boolean ... See full document

... and has effective degree 2. We do this in a sequence of steps. The first step is noticing that we can get a “friendly” MPRE from any protocol for computing f, even one with many rounds. We stress that this will not be ... See full document

... the secure computation literature handles the case of corrupted com- putation parties, and gives absolute freedom for the input players to choose their inputs, and for the output players to choose the ... See full document

... first part might compromise the security. This is the reason which the latter should only be decrypted if the former is different from 1. Note also that the third component of the ciphertext is not used in the decryption ... See full document

... The original SFE protocol proposed by Yao has been the subject of renewed interest. On one hand, it is now widely accepted that this generic protocol offers the best performance tradeoff to evalu- ate important classes ... See full document

... sublinear computation protocols from “impractical” ones, by means of a notion of PIR ...protocol computation complexity in the sublinear communication regime: The functionality is natural and convenient to ... See full document

... non-interactive secure computation (NISC); however, informal versions of it became popular in connection with Gentry’s breakthrough result on fully homomorphic encryption (FHE) ...some computation to ... See full document

... traditional secure watermark detection ...for secure watermark detection. However, most of the existing secure water-mark detection works assume the watermarked copy are publicly available and focus ... See full document

... Next we demonstrate the scheme with a simple example. Assume provider Peter wants to store a network log file in clouds and user David wants to search the string “attack America” in the file. But Peter does not want to ... See full document

... Combining Theorem 4.1 and Theorem 4.3, we get the following corol- lary for message-optimal MPC with correlated randomness setup. Corollary 4.4. Suppose a one-way function exists. Then, any polyno- mial time n-party ... See full document

... In this section, we show the performance of scoram when used in practical applications. We assume Alice holds a sorted array and Bob holds queries. They would like to re- peatedly search for some element over the sorted ... See full document

... bounded leakage model) who introduced a “graceful degradation” property, essentially requiring that an adversary should not be able to produce more forgeries than what he could have leaked via leakage ...of ... See full document

... To subvert this problem, we instead maintain two instantiations of ORAM data structures: One will hold the parties’ inputs (and any state information to be maintained between program executions), and will be of a ... See full document

... local computation can be done without invocations of ...party secure comparison and this results in a communi- cation cost of O(log n log N), a significant reduction from the naive ...can always ... See full document

... These protocols are essentially optimal for transferring messages of length ` = Ω(k), but when ` is short (as in bit-OT where ` = 1) there is still an overhead in O(k). Kolesnikov and Kumaresan [KK13] presented a variant ... See full document