[Resource Topic] 2013/577: Secure Two-Party Computation with Reusable Bit-Commitments, via a Cut-and-Choose with Forge-and-Lose Technique

Resource Cryptographic protocols
#1

Welcome to the resource topic for 2013/577

Title:
Secure Two-Party Computation with Reusable Bit-Commitments, via a Cut-and-Choose with Forge-and-Lose Technique

Authors: Luís T. A. N. Brandão

Abstract:

A Secure Two Party Computation (S2PC) protocol allows two parties to compute over their combined private inputs, as if intermediated by a trusted third party. In the active model, security is maintained even if one party is malicious, deviating from the protocol specification. For example, a honest party retains privacy of its input and is ensured a correct output. This can be achieved with a cut-and-choose of garbled circuits (C&C-GCs), where some GCs are verified for correctness and the remaining are evaluated to determine the circuit output. This paper presents a new C&C-GCs-based S2PC protocol, with significant advantages in efficiency and applicability. First, in contrast with prior protocols that require a majority of evaluated GCs to be correct, the new protocol only requires that at least one evaluated GC is correct. In practice this reduces the total number of GCs to approximately one third, for the same statistical security goal. This is accomplished by augmenting the C&C with a new forge-and-lose technique based on bit commitments with trapdoor. Second, the output of the new protocol includes reusable XOR-homomorphic bit commitments of all circuit input and output bits, thereby enabling efficient linkage of several S2PCs in a reactive manner. The protocol has additional interesting characteristics (which may allow new comparison tradeoffs). The number of exponentiations is only linear with the number of input and output wires and a statistical parameter – this is an improvement over protocols whose number of exponentiations is proportional to the number of GCs multiplied by the number of input and output wires. It uses unconditionally hiding bit commitments with trapdoor as the basis of oblivious transfers, with the circuit evaluator choosing a single value and the circuit constructor receiving two (a sort of 2-out-of-1 oblivious transfer, instead of the typical 1-out-of-2). The verification of consistency of circuit input and output keys across different GCs is embedded in the C&C structure.

ePrint: https://eprint.iacr.org/2013/577

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .