ABSTRACT
We present the design and implementation of a compiler that automatically generates protocols that perform two-party computations. The input to our compiler is the specification of a computation with secret inputs (e.g., a signature algorithm) expressed using operations in the field Z_q of integers modulo a prime q and in the multiplicative subgroup of order q in Z_p^* for q | p-1 with generator g. The output of our compiler is an implementation of each party in a two-party protocol that performs the same computation securely, i.e., so that both parties can together compute the function but neither can alone. The protocols generated by our compiler are provably secure, in that their strength can be reduced to that of the original cryptographic computation via simulation arguments. Our compiler can be applied to various cryptographic primitives (e.g., signature schemes, encryption schemes, oblivious transfer protocols) and to other protocols that employ a trusted party (e.g., key retrieval, key distribution).
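The following is an added illustration of the algebraic setting the abstract describes, not code from the paper or its compiler: it constructs parameters (a prime q, a prime p with q | p-1, and a generator g of the order-q subgroup of Z_p^*), and then runs a Schnorr-style signature in which the secret key is additively shared between two parties, so that a valid signature under the joint public key requires both shares. The signature scheme, parameter sizes, seeds and function names are assumptions chosen for the example; the key shares are dealt in one place and the nonce exchange carries no commitments, simplifications that the paper's provably secure protocols would not make.

```python
"""Toy two-party signing over Z_q and the order-q subgroup of Z_p^*.

Constructed illustration of the setting in the abstract; the signature
scheme (Schnorr-style, additively shared key) and all parameters are
assumptions for this example, not the paper's compiler output.
"""
import hashlib
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (deterministic per n)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(n)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(qbits=64, pbits=128, seed=0):
    """Return (p, q, g): q prime, p = k*q + 1 prime, g of order q in Z_p^*."""
    rng = random.Random(seed)
    while True:  # random odd qbits-bit candidate until prime
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:  # even cofactor k keeps p odd; retry until p is prime
        k = 2 * rng.randrange(1 << (pbits - qbits - 2), 1 << (pbits - qbits - 1))
        p = k * q + 1
        if is_probable_prime(p):
            break
    while True:  # cofactor exponentiation lands in the order-q subgroup
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if g != 1:
            return p, q, g


def check_params(p, q, g):
    """Sanity check a practitioner would run on received group parameters."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0 and g != 1 and pow(g, q, p) == 1)


def hash_to_zq(r, msg, q, p):
    """Fiat-Shamir style challenge e = H(r || m) reduced into Z_q."""
    rlen = (p.bit_length() + 7) // 8
    h = hashlib.sha256(r.to_bytes(rlen, "big") + msg).digest()
    return int.from_bytes(h, "big") % q


def keygen_shares(p, q, g, rng):
    """Dealer shortcut for the example: x = x1 + x2 mod q, y = g^x."""
    x1, x2 = rng.randrange(1, q), rng.randrange(1, q)
    return x1, x2, pow(g, (x1 + x2) % q, p)


def sign_round1(p, q, g, rng):
    """Each party picks a nonce share k_i and publishes r_i = g^k_i."""
    k = rng.randrange(1, q)
    return k, pow(g, k, p)


def sign_round2(q, k_i, x_i, e):
    """Each party's partial response s_i = k_i + e*x_i in Z_q."""
    return (k_i + e * x_i) % q


def two_party_sign(p, q, g, x1, x2, msg, rng):
    """Combine both parties' contributions: r = r1*r2, s = s1 + s2."""
    k1, r1 = sign_round1(p, q, g, rng)
    k2, r2 = sign_round1(p, q, g, rng)
    r = r1 * r2 % p
    e = hash_to_zq(r, msg, q, p)
    s = (sign_round2(q, k1, x1, e) + sign_round2(q, k2, x2, e)) % q
    return r, s


def verify(p, q, g, y, msg, sig):
    """Standard check g^s == r * y^e, plus subgroup and range checks on (r, s)."""
    r, s = sig
    if not (1 <= r < p and pow(r, q, p) == 1 and 0 <= s < q):
        return False
    e = hash_to_zq(r, msg, q, p)
    return pow(g, s, p) == r * pow(y, e, p) % p


def demo(seed=7):
    """Joint signature verifies; a tampered message or one party's share alone does not."""
    p, q, g = gen_params(seed=seed)
    rng = random.Random(seed)
    x1, x2, y = keygen_shares(p, q, g, rng)
    sig = two_party_sign(p, q, g, x1, x2, b"transfer 10", rng)
    k1, r1 = sign_round1(p, q, g, rng)  # party 1 acting without party 2
    partial = (r1, sign_round2(q, k1, x1, hash_to_zq(r1, b"transfer 10", q, p)))
    return {
        "params_ok": check_params(p, q, g),
        "joint_ok": verify(p, q, g, y, b"transfer 10", sig),
        "tampered_ok": verify(p, q, g, y, b"transfer 99", sig),
        "partial_ok": verify(p, q, g, y, b"transfer 10", partial),
    }


if __name__ == "__main__":
    print(demo())
```

The combined response s = (k1 + k2) + e(x1 + x2) is what makes the joint signature verify under y = g^(x1+x2): g^s = r * y^e holds exactly because the nonce and key shares add in Z_q while their group images multiply in the order-q subgroup. A response built from one share alone verifies only if e*x2 = 0 in Z_q, which for a 64-bit q happens with negligible probability.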
Index Terms
- Automatic generation of two-party computations