LNCS 8617 Juan A Garay Rosario Gennaro (Eds.) Advances in Cryptology – CRYPTO 2014 34th Annual Cryptology Conference Santa Barbara, CA, USA, August 17–21, 2014 Proceedings, Part II 123 Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen TU Dortmund University, Germany Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max Planck Institute for Informatics, Saarbruecken, Germany 8617 Juan A Garay Rosario Gennaro (Eds.) Advances in Cryptology – CRYPTO 2014 34th Annual Cryptology Conference Santa Barbara, CA, USA, August 17-21, 2014 Proceedings, Part II 13 Volume Editors Juan A Garay Yahoo Labs 701 First Avenue Sunnyvale, CA 94089, USA E-mail: garay@yahoo-inc.com Rosario Gennaro The City College of New York 160 Convent Avenue New York, NY 10031, USA E-mail: rosario@cs.ccny.cuny.edu ISSN 0302-9743 e-ISSN 1611-3349 ISBN 978-3-662-44380-4 e-ISBN 978-3-662-44381-1 DOI 10.1007/978-3-662-44381-1 Springer Heidelberg New York Dordrecht London Library of Congress Control Number: 2014944726 LNCS Sublibrary: SL – Security and Cryptology © International Association for Cryptologic Research 2014 This work is subject to copyright All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in ist current version, and permission for use must always be obtained from Springer Permissions for use may be obtained through RightsLink at the Copyright Clearance Center Violations are liable to prosecution under the respective Copyright Law The use of general descriptive names, registered names, trademarks, service marks, etc in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made The publisher makes no warranty, express or implied, with respect to the material contained herein Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper Springer is part of Springer Science+Business Media (www.springer.com) Preface CRYPTO 2014, the 34rd Annual International Cryptology Conference, was held August 17–21, 2014, on the campus of the University of California, Santa Barbara The event was sponsored by the International Association for Cryptologic Research (IACR) in cooperation with the UCSB Computer Science Department The program represents the recent significant advances and trends in all areas of cryptology Out of 227 submissions, 60 were included in the program; these two-volume proceedings contains the revised versions of all the papers Two of the papers shared a single presentation slot in the program The program also included two invited talks On Monday, Mihir Bellare from UCSD delivered the IACR Distinguished Lecture, entitled “Caught in Between Theory and Practice.” On Wednesday, Yael Tauman Kalai from Microsoft Research New England spoke about “How to Delegate Computations: The Power of No-Signalling Proofs.” As usual, the rump session took place on Tuesday evening, and was chaired by Dan Bernstein and Tanja Lange This year’s program continued the trend started last year of trying to accommodate as many high-quality submissions as possible, yielding a high number of accepted papers As a result, sessions were also held on Tuesday and Thursday afternoons, and presentations were kept short (20 minutes per paper, including questions and answers) The option of having parallel sessions, which would allow for longer presentations and an early adjournment on Thursday, was also discussed and decided against, since we assessed that our research field is still sufficiently homogeneous and the community would benefit from the option of attending all the talks However, we believe that future Program Committees should continue to explore possible options to implement some form of parallel sessions The submissions were reviewed by a Program Committee (PC) consisting of 38 leading researchers in the field, in addition to the two co-chairs Each PC member was allowed to submit one paper, plus an additional one if co-authored with a junior researcher (a student or a postdoc) PC-authored submissions were held to higher standards during the review process Papers were reviewed in a double-blind fashion Initially, each paper was assigned to three reviewers (four for PC-authored papers); during the discussion phase, when necessary, extra reviews were solicited The process also included a rebuttal phase after preliminary reviews were finalized, where authors received them and were given the option to comment on the reviews within a window of several days The authors’ comments were then taken into account in the discussions within the PC and the final reviews Despite being labor-intensive, we feel the rebuttal phase was a worthwhile process as it resulted in the significantly better understanding of many submissions As part of the discussion phase, the PC held a 1.5-day in-person meeting on May 15 and 16 in Copenhagen, Denmark, right after Eurocrypt VI Preface We would like to sincerely thank the authors of all submissions—those whose papers made it into the program and those whose papers did not Our deep appreciation also goes out to the PC members, who invested an extraordinaty amount of time in reviewing papers, interacting with the authors via the rebuttal mechanism, and participating in so many discussions on papers, their contribution, and the state of the art in their areas of expertise We also sympathize with the occasional frustration from seeing decisions go against personal recommendations and preferences, in spite of all the hard work We are also indebted to the many external reviewers who significantly contributed to the comprehensive evaluation of the submissions A list of PC members and external reviewers appears after this note Despite all our efforts, the list of external reviewers may contain errors or omissions; we apologize for that in advance We would like to thank Sasha Boldyreva, the general chair, for working closely with us throughout the whole process and providing the much needed support at every step, including artfully creating and maintaining the website and taking care of all aspects of the conference’s logistics—especially the in-person PC meeting arrangements As always, special thanks are due to Shai Halevi for his tireless support regarding the websubrev software, which we used for the whole conference planning and operation, including paper submission and evaluation and interaction among PC members and with the authors Alfred Hofmann and his colleagues at Springer provided a meticulous service for the timely production of these proceedings Finally, we would like to thank Google, Microsoft Research, and the National Science Foundation for their generous support August 2014 Juan A Garay Rosario Gennaro CRYPTO 2014 The 34rd International Cryptology Conference Sponsored by the International Association for Cryptologic Research General Chair Alexandra Boldyreva Georgia Institute of Technology, USA Program Co-Chairs Juan A Garay Rosario Gennaro Yahoo Labs, USA The City College of New York – CUNY, USA Program Committee Yevgeniy Dodis Orr Dunkelman Serge Fehr Pierre-Alain Fouque Craig Gentry Vipul Goyal Nadia Heninger Thomas Holenstein Yuval Ishai Dimitar Jetchev Aggelos Kiayias Kaoru Kurosawa Alexander May Ilya Mironov Payman Mohassel Jăorn Mă uller-Quade Mara Naya-Plasencia Claudio Orlandi Rafael Pass Christopher Peikert Krzysztof Pietrzak Leonid Reyzin Ron Rivest New York University, USA University of Haifa, Israel CWI, The Netherlands Universit´e Rennes I, France IBM Research, USA MSR India University of Pennsylvania, USA ETH, Switzerland Technion, Israel EPFL, Switzerland University of Athens, Greece Ibaraki University, Japan Ruhr-Universităat Bochum, Germany MSR, USA University of Calgary, Canada Karlruhe Institute of Technology, Germany Inria Paris-Rocquencourt, France Aarhus University, Denmark Cornell University, USA Georgia Institute of Technology, USA Institute of Science and Technology, Austria Boston University, USA MIT, USA VIII CRYPTO 2014 Amit Sahai Gil Segev Elaine Shi Tom Shrimpton Alice Silverberg Marc Stevens Katsuyuki Takashima Stefano Tessaro Vinod Vaikuntanathan Gilles Van Assche Muthu Venkitasubramanian Ivan Visconti Bogdan Warinschi Brent Waters Vassilis Zikas UCLA, USA Hebrew University, USA University of Maryland, USA Portland State University, USA UC Irvine, USA CWI, The Netherlands Mitsubishi Electric, Japan UC Santa Barbara, USA MIT, USA STMicroelectronics, Belgium University of Rochester, USA University of Salerno, Italy University of Bristol, UK UT Austin, USA ETH, Switzerland External Reviewers Michel Abdalla Masayuki Abe Arash Afshar Divesh Aggarwal Martin Albrecht Joel Alwen Scott Ames Prabhanjan Ananth Daniel Apon George Argyros Gilad Asharov Nuttapong Attrapadung Christian Badertscher Abhishek Banerjee Carsten Baum Amos Beimel Mihir Bellare David Bernhard Dan Bernstein Guido Bertoni Raghav Bhaskar Joppe Bos Elette Boyle Brandon Broadnax Christina Brzuska Ran Canetti Anne Canteaut Ignacio Cascudo David Cash Dario Catalano Andr Chailloux Nishanth Chandran Jie Chen Cheng Chen C´eline Chevalier Kai-Min Chung Aloni Cohen Henry Cohn Sandro Coretti Jean-Sebastien Coron Craig Costello Dana Dachman-Soled Joan Daemen Ivan Damg˚ ard Bernardo David Gregory Demay Yi Deng Itai Dinur Nico Doettling Rafael Dowsley Chandan Dubey Alexandre Duc Leo Ducas Alina Dudeanu Markus Duermuth Fr´ed´eric Dupuis Aner Ben Efraim Xiong Fan Antonio Faonio Sebastian Faust Dario Fiore Marc Fischlin Georg Fuchsbauer Benjamin Fuller Jun Furukawa Steven Galbraith Nicolas Gama Chaya Ganesh Peter Gaˇzi Ran Gelles Essam Ghadafi Sasha Golovnev Sergey Gorbunov Dov Gordon Robert Granger Jens Groth Divya Gupta Tim Gneysu CRYPTO 2014 Shai Halevi Sean Hallgren Moritz Hardt Brett Hemenway Yan Huang Jan Hazla William Skeith III Vincenzo Iovino Takashi Ito Ioana Ivan Tibor Jager Abhishek Jain David Jao Stanislaw Jarecki Mahavir Jhawar Antoine Joux Marc Joye Yael Kalai Seny Kamara Jean-Gabriel Kammerer Pierre Karpman Jonathan Katz Yutaka Kawai Nathan Keller Dakshita Khurana Eike Kiltz Thorsten Kleinjung Vlad Kolesnikov Venkata Koppula Daniel Kraschewski Hugo Krawczyk Sara Krehbiel Abishek Kumarasubramaniam Ranjit Kumaresan Robin Kă unzler Tanja Lange Gregor Leander Nikos Leonardos Anthony Leverrier Kevin Lewi Allison Bishop Lewko Benoit Libert Huijia (Rachel) Lin Yehuda Lindell Feng-Hao Liu Adriana Lopez-Alt Steve Lu Stefan Lucks Atul Luykx Vadim Lyubashevsky Mohammad Mahmoody Hemanta Maji Alex Malozemoff Mohammad Mammody Christian Matt Daniele Micciancio Andrea Miele Eric Miles Andrew Miller Brice Minaud Toru Nakanishi Jesper Buus Nielsen Valeria Nikolaenko Tobias Nilges Ryo Nishimaki Adam O’Neill Wakaha Ogata Cristina Onete Pascal Paillier Omkant Pandey Omer Paneth Dimitris Papadopoulos Charalampos Papamanthou Sunoo Park Anat Paskin-Cherniavsky Valerio Pastro Kenny Paterson Michal Peeters Ludovic Perret Christophe Petit Le Trieu Phong Stefano Pironio Manoj Prabhakaran Ananth Raghunathan Kim Ramchen Vanishree Rao Pavel Raykov IX Mariana Raykova Christian Rechberger Oded Regev Thomas Ristenpart Ben Riva Mike Rosulek Aaron Roth Yannis Rouselakis saeed Sadeghian Yusuke Sakai Katerina Samari Alessandra Scafuro Christian Schaffner Thomas Schneider Lior Seeman Nicolas Sendrier Karn Seth Yannick Seurin Barak Shani Nigel Smart Ben Smith Florian Speelman Fran¸cois-Xavier Standaert Damien Stehl´e John Steinberger Noah Stephens-Davidowitz Mario Streer Takeshi Sugawara Koutarou Suzuki Bjăorn Tackmann Qiang Tang Sidharth Telang Aris Tentes Isamu Teranishi R Seth Terashima Abhradeep Guha Thakurta Justin Thaler Emmanuel Thom Mehdi Tibouchi Jean-Pierre Tillich Joana Treger Roberto Trifiletti X CRYPTO 2014 Eran Tromer Yiannis Tselekounis Hoang Viet Tung Dominique Unruh Berkant Ustaoglu Prashant Vasudevan Thomas Vidick Dhinakaran Vinayagamurthy Akshay Wadia Gaven Watson Hoeteck Wee Daniel Wichs Shota Yamada Kazuki Yoneyama Thomas Zacharias Hila Zarosim Mark Zhandry Bingsheng Zhang Hong-Sheng Zhou Jens Zumbră agel 518 S.G Choi et al Auxiliary Inputs: Security parameter k, circuit (n, m, q, L, R, G) ← C Generate masks: $ – For w ∈ {1, , n + q − m}: set λw ← {0, 1} – For w ∈ {n + q − m + 1, , n + q}: set λw ← Generate sub-keys: $ – For w ∈ {1, , n + q} and b ∈ {0, 1}: set s1w,b , s2w,b ← {0, 1}k Construct garbled circuit: – For γ ∈ {n + 1, , n + q}: Let α ← L(γ) and β ← R(γ) be the index of the left and right input wires, respectively, of the gate indexed by γ Letting Kw,b = (s1w,b , s2w,b ), for i, j ∈ {0, 1}2 , compute the following: P [γ, i, j] ← EncKα,i ,Kβ,j Kγ,Gγ (λα ⊕i,λβ ⊕j)⊕λγ Gγ (λα , λβ ) ⊕ λγ Output circuit: – Set GC ← (n, m, q, L, R, P ), and output: GC, (s1w,b⊕λw , s2w,b⊕λw , b ⊕ λw ) : w ∈ {1, , n}, b ∈ {0, 1} Fig Circuit garbling scheme the circuit-garbling procedure from Section 3.1 Finally, in Section 3.3, we show how to make the garbling procedure maliciously secure 3.1 Single-Party Garbling Scheme Our garbling scheme is a slight variant of the Damg˚ ard and Ishai protocol [11] adapted to two parties This should be regarded as an initial step towards our ultimate goal of a distributed garbling scheme Here, we describe the high-level construction; see Figure for the detailed protocol We associate two random keys Kw,0 , Kw,1 with each wire w in the circuit; key Kw,0 corresponds to the value ‘0’ and Kw,1 corresponds to the value ‘1’ Each key Kw,b consists of two sub-keys s1w,b and s2w,b ; that is, Kw,b = (s1w,b , s2w,b ) In addition, for each wire w we choose a random mask bit λw Each key has an associated tag, derived from the mask bit, which acts as a blinding of the true value the key represents Now, consider gate Gγ in the circuit with input wires α and β The garbled gate of Gγ consists of an array of four encryptions: for each (bα , bβ ) ∈ {0, 1} × {0, 1}, the row (bα , bβ ) consists of an encryption of Kγ,Gγ (bα ⊕λα ,bβ ⊕λβ )⊕λγ and its corresponding tag Gγ (bα ⊕ λα , bβ ⊕ λβ ) ⊕ λγ under keys Kα,bα and Kβ,bβ Let P denote a table that stores all the garbled gates; in particular, the entry P [γ, bα , bβ ] contains an encryption corresponding to row (bα , bβ ) of the garbled gate for Gγ Evaluation proceeds as follows Let α and β be input wires connected to gate G with index γ The evaluator is given (Kα,bα ⊕λα , bα ⊕λα ) and (Kβ,bβ ⊕λβ , bβ ⊕λβ ), along with P He takes the row P [γ, bα ⊕ λα , bβ ⊕ λβ ] and decrypts it using the Efficient Three-Party Computation from Cut-and-Choose 519 keys Kα,bα ⊕λα and Kβ,bβ ⊕λβ , resulting in (Kγ,G(bα,bβ )⊕λγ , G(bα , bβ ) ⊕ λγ ) It is straightforward to verify that by continuing this evaluation, the output of each gate will be revealed masked by its corresponding mask By picking masks of the output wires to be ‘0’ we ensure that the evaluator receives the (unmasked) output of the circuit 3.2 Distributing the Garbling Scheme between Two Parties We now show how to emulate the above garbling scheme between two parties in the semi-honest setting We assume the parties have access to the following two-party ideal functionalities: G ( a , b ): The functionality takes as input sharings – Gate computation Fgate a and b of bits a and b, respectively, and is parameterized by a binary gate G; it outputs a sharing G(a, b) of the output of G on input (a, b) i ( b , m0 , m1 ): The function– One-out-of-two oblivious secret sharing Foshare ality takes as input a sharing b of a bit b (i.e., each party inputs his share), along with two messages m0 , m1 from Pi , and outputs a random two-outof-two sharing [mb ] of mb b (): The functionality is parameterized by a bit – Constant bit sharing Fconst b ∈ {0, 1}, and outputs a random sharing b of b $ – Random bit sharing Frand (): The functionality chooses a random bit r ← {0, 1} and computes and outputs a random sharing r of r i (b): The functionality takes input bit b ∈ {0, 1} from – Bit secret sharing Fss Pi and outputs a random two-out-of-two sharing b of b Each of these can be instantiated efficiently in the semi-honest setting; see the full version [9] for details Distributed Encryption Scheme We utilize Damg˚ ard and Ishai’s distributed encryption scheme [11] Suppose the message and the key for the encryption scheme are distributed as follows: (1) (2) – The message m is secret-shared; i.e., P1 holds [m] and P2 holds [m] – The encryption key K = (s1 , s2 ) is distributed such that P1 holds s1 and P2 holds s2 The encryption of the secret-shared message m with tweak T under key K = (s1 , s2 ) is: EncTK (m) = (Enc1s1 ,T (m), Enc2s2 ,T (m)) = [m] (1) ⊕ Fs11 (T ), [m] (2) ⊕ Fs12 (T ) , where Fk1 is a PRF keyed by key k To decrypt a ciphertext c := EncTK (m), each party Pi sends his sub-key si to the decrypter, who uses them to recover the shares of m and reconstruct m Double encryption is defined analogously For keys Kα = (s1α , s2α ) and Kβ = (sβ , s2β ), where Pi holds (siα , siβ ), encryption with tweak T works as follows: EncTKα ,Kβ (m) = [m] (1) ⊕ Fs11α (T ) ⊕ Fs21 (T ), [m] β (2) ⊕ Fs12α (T ) ⊕ Fs22 (T ) β 520 S.G Choi et al Auxiliary Inputs: Security parameter k, circuit (n, m, q, L, R, G) ← C P1 and P2 compute ← Fconst , which they use throughout Generate mask bits: $ (λw ) – For w ∈ {1, , n1 }: P1 sets λw ← {0, 1} and λw ← Fss $ (λw ) – For w ∈ {n1 + 1, , n}: P2 sets λw ← {0, 1} and λw ← Fss – For w ∈ {n + 1, , n + q − m}: set λw ← Frand – For w ∈ {n + q − m + 1, , n + q}: set λw ← Fconst Generate sub-keys: $ – For w ∈ {1, , n + q} and b ∈ {0, 1}: Pi sets siw,b ← {0, 1}k Construct garbled circuit: – For γ ∈ {n + 1, , n + q}: Let α ← L(γ) and β ← R(γ) be the indices of the left and right input wires, respectively, of the gate indexed by γ For i, j ∈ {0, 1}2 , compute the following selector bits: G γ ( λα ⊕ i , λβ ⊕ j ) ⊕ λγ σγ,i,j ← Fgate Next, for i, j ∈ {0, 1}2 , compute sharings of the appropriate sub-keys to use for each row: ( σγ,i,j , s1γ,0 , s1γ,1 ), sˆ1γ,i,j ← Foshare 2 sˆγ,i,j ← Foshare ( σγ,i,j , s2γ,0 , s2γ,1 ) Finally, for i, j ∈ {0, 1}2 , compute the distributed encryptions of the (permuted) sub-keys and selector bits That is, letting Kw,b = (s1w,b , s2w,b ), compute: γ i j (P [γ, i, j], P [γ, i, j]) ← EncKα,i ,Kβ,j ( sˆ1γ,i,j sˆ2γ,i,j σγ,i,j ) Output circuit: – Let C i ← (n, m, q, L, R, P i ), S i ← (siw,0 , siw,1 ) : w ∈ {1, , n} – P1 outputs C , S , ( bw (1) , λw (1) , bw , λw ) : w ∈ {1, , n1 } – P2 outputs C , S , ( bw (2) , λw (2) , bw , λw ) : w ∈ {n1 + 1, , n} Fig Two-party distributed circuit-garbling protocol ΠGC (P1 , P2 ) For semi-honest security, use standard secret sharing; for malicious security use authenticated secret sharing Distributed Garbling Scheme We now give a high-level description of our two-party distributed garbling scheme ΠGC (P1 , P2 ); see Figure for details As before, for each wire w in the circuit we associate keys Kw,0 = (s1w,0 , s2w,0 ) and Kw,1 = (s1w,1 , s2w,1 ) corresponding to bits ‘0’ and ‘1’, respectively However, in the distributed setting, each sub-key is only known to one of the two parties; i.e., Pi only knows (siw,0 , siw,1 ) Each wire is also associated with a mask bit λw which is secret shared between the two parties such that no party knows λw Consider gate Gγ in the circuit with input wires indexed by α and β As in the non-distributed case, we construct an array containing four rows corresponding Efficient Three-Party Computation from Cut-and-Choose 521 to a random permutation of the four possible outcomes of gate Gγ applied to bits bα and bβ However, in the distributed case neither party should know what is being encrypted Recall that in the non-distributed setting, the circuit generator can easily compute Gγ (λα ⊕ bα , λβ ⊕ bβ ) to construct the array However, in the distributed setting, neither party knows (and should not know) λα or λβ Thus, the parties utilize the Fgate functionality, which takes as input the shares λα ⊕ bα and λβ ⊕ bβ , and computes a sharing of Gγ (λα ⊕ bα , λβ ⊕ bβ ) Let σγ,bα ,bβ = G Fgate ( bα ⊕ λα , bβ ⊕ λβ ) ⊕ λγ The value σγ,bα ,bβ denotes which key to encrypt; that is, in row (bα , bβ ) we encrypt key Kγ,σγ,bα ,bβ However, we must still enforce that neither party knows what key Kγ,σγ,bα ,bβ represents We handle this by utilizing another functionality, Foshare For each of the four σγ,bα ,bβ i values, and for each party Pi , the parties compute Foshare ( σγ,bα ,bβ , siγ,0 , siγ,1 ) This produces a share of the appropriate sub-key for party Pi , with the crucial fact that Pi does not know which of his sub-keys was shared The results of Foshare are used as the shares to be encrypted Note that we can use this two-party distributed garbling scheme as a building block for a somewhat efficient semi-honest two-party secure computation protocol See the full version [9] for the detailed construction We not claim that this scheme is superior to existing 2PC protocols; however, it serves as an important building-block to our end goal of an efficient 3PC protocol Also note that this distributed garbling scheme can scale to more than two parties, given access to multi-party variants of the necessary functionalities Thus, we can also achieve (semi-honest) multi-party secure computation using this approach; we leave the development of efficient instantiations of these functionalities as future work 3.3 Achieving Malicious Security The semi-honest distributed garbling scheme described in Section 3.2 can be directly adapted to work against a malicious adversary by modifying the hybrid functionalities to work in an authenticated manner; namely, we use authenticated sharings in place of standard secret sharings: – – – – () and Frand (): The output share is authenticated Fconst G Fgate ( a , b ): The inputs and outputs are all authenticated sharings i ( b , m0 , m1 ): The selection bit b is an authenticated sharing Foshare i Fss (b): The output is an authenticated sharing of b Observe that we only authenticate sharings of bits and not sharings of the subkeys siw,b This complicates the proof, as the sharing does not provide means of protecting against a malicious party sending inconsistent key-shares, but yields a more efficient construction; see the full version [9] for details We also need a notion of encrypting authenticated shares Recall that for an authenticated share b = ( b (1) , b (2) ), we have b (i) = (bi , ti , kj ), where party Pi holds bi and ti , and party Pj holds kj Thus, letting K = (s1 , s2 ), we define EncTK ( b ) = (Enc1s1 ,T (b1 t1 k1 ), Enc2s2 ,T (b2 t2 k2 )) 522 S.G Choi et al On decryption, each party’s ciphertext is decrypted and the authenticity of b1 and b2 are verified using the (encrypted) tags and keys Thus, when evaluating a garbled circuit, the party checks the authenticity of the share from the decrypted row of each garbled gate; if the check fails, the party aborts Again, we can convert this garbling scheme into a (now maliciously-secure) 2PC scheme; see the full version [9] for the details Likewise, we could also construct an MPC variant with efficient multi-party instantiations of the underlying functionalities which we leave as future work Three-Party Computation from Cut-and-Choose As mentioned above, we can directly adapt the distributed garbling scheme to work over multiple parties, and thus construct a 3PC scheme; however, in this case the underlying functionalities need to support multiple parties rather than just two parties and are thus unlikely to be more efficient in practice Thus, in this section we show how to utilize the maliciously secure two-party distributed garbling scheme from Section to construct a maliciously secure three-party secure computation protocol, using almost entirely two-party constructs (the only three-party functionality needed is that of coin-tossing) We first cover preliminary notions, such as the ideal functionalities we need, in Section 4.1 Then, in Section 4.2 we show how to adapt a combination of two existing cut-and-choose protocols [27, 28] to the three-party setting In the full version [9] we use this “generic” protocol to show how to adapt Lindell’s protocol [25] (the current state-of-the-art garbled-circuit-based protocol at the time of writing) to the three-party setting The cost of each of these three-party protocols is roughly eight times the computational cost of the underlying twoparty protocol they are based on, and roughly sixteen times the communication cost (plus the cost of a small number of OTs per gate, which can be efficiently amortized using OT extension [21, 32]), and thus we show that we can achieve efficient secure three-party computation at only a small factor of the cost of the most efficient Yao-based two-party protocol 4.1 Preliminaries Ideal Functionalities In addition to the ideal functionalities used in the twoparty distributed garbling scheme, we need the following additional (maliciously secure) functionalities: – Three-party coin-flipping Fcf (): The functionality outputs a random bit$ string ρ ← {0, 1}s to each party i,j – One-out-of-two oblivious transfer Fot (b, m0 , m1 ): The functionality takes as input a choice bit b from party Pi and messages m0 , m1 from Pj , and outputs mb to party Pi i,j – ZKPoK of extended Diffie-Hellman tuple Fzkpok (a, (g, h0 , h1 , {ui , vi }i )): The functionality takes as input a from party Pi , and tuple (g, h0 , h1 , {ui , vi }i ) Efficient Three-Party Computation from Cut-and-Choose 523 from party Pj , and outputs to party Pj if either all tuples in {(g, h0 , ui , vi )}i are Diffie-Hellman tuples with h0 = g a or all tuples in {(g, h1 , ui , vi )}i are Diffie-Hellman tuples with h1 = g a , and otherwise These can all be efficiently instantiated in a standard fashion; see the full version [9] for the details Distributed Garbled Circuits for Three Parties Note that the garbling protocol ΠGC in Figure only garbles a circuit containing inputs from two parties We can easily adapt this to support input from a third (external) party as follows Let ΠGC (P1 , P2 ) be the same as ΠGC (P1 , P2 ) except for the following modifications: – All operations over P2 ’s input now operate over wires w ∈ {n1 + 1, , n2 } – In Step 1, we add the following for generating shares for P3 ’s input wires: For w ∈ {n2 + 1, , n}: generate λw ← Frand – In Step 4, party Pi outputs λw (i) : w ∈ {n2 + 1, , n} in addition to his normal outputs 4.2 Achieving Malicious Security for Three Parties Note that our two-party distributed garbling scheme has the property that if at most one of the two parties is corrupt, the garbling of circuit C either correctly evaluates C on P1 ’s and P2 ’s inputs, or causes the evaluator to abort That is, a malicious party cannot “alter” the garbling to evaluate some circuit other than C Now, if both P1 and P2 are corrupt, they can of course garble an arbitrary circuit This suggests the following approach to three-party computation: If either P1 or P2 are honest, we need only construct a single garbled circuit, which is sent to P3 to be evaluated To cover the case where both P1 and P2 are corrupt, we use cut-and-choose to prevent P3 from evaluating a maliciously constructed circuit In what follows, we utilize existing cut-and-choose protocols from the literature [27, 28] and “plug in” our distributed garbling scheme as necessary Thus, security mostly follows from the security proofs of the underlying cut-andchoose protocols In the full version [9] we show how we can use this protocol in an adaptation of Lindell’s protocol [25] to the three-party setting The basic intuition for security is as follows Cut-and-choose is used to prevent P3 from evaluating maliciously constructed circuits when both P1 and P2 are malicious For the case where either P1 or P2 is honest, ΠGC (P1 , P2 ) assures us that the garbled circuit constructed between P1 and P2 is either correctly constructed or causes P3 to abort (independent of any party’s input) Protocol Description We assume the reader is familiar with the cut-andchoose technique; here we briefly discuss the main technical challenges that result from a naăve application of cut-and-choose and how we address them – Input inconsistency The use of cut-and-choose produces multiple garbled circuits to be evaluated by P3 The idea with this attack is that a given party (either P1 or P2 in the three-party case) can give inconsistent sub-keys 524 S.G Choi et al in each of these circuits such that P3 ends up evaluating different inputs for P1 /P2 instead of consistent inputs across all garbled circuits This is a well-known attack, and there are multiple solutions in the two-party setting Here, we use the Diffie-Hellman pseudorandom synthesizer trick [30, 28] and adapt it in a straightforward manner to the three-party setting – Selective failure This attack arises when the parties execute OT to send the sub-keys for P3 ’s input Note that if the sender in the OT inputs one valid label and one invalid label, he can learn a bit of P3 ’s input by learning whether the garbled-circuit evaluation fails or not We circumvent this problem by directly applying the “XOR-tree” approach [27] We now give a high-level description of our protocol The parties first replace the input circuit C with a circuit C, where the only difference is each of P3 ’s input wires is replaced by an XOR of s new input wires, preventing either party P1 or P2 from launching a selective failure attack on P3 ’s input choices P1 and P2 generate the required commitments needed for input consistency, as is done in the protocol of Lindell and Pinkas [28] P1 and P2 construct s garbled circuits using ΠGC and the input sub-keys generated as in the protocol of Lindell and Pinkas [28] P1 and P2 compute authenticated sharings (between each other; P3 is not involved here) of their input bits P1 and P2 both run (separately) an OT protocol with P3 for each of P3 ’s input wires, where P1 /P2 input their sub-keys and P3 chooses based on his input (Note that any cheating by P1 /P2 here will be caught with highprobability by the cut-and-choose step below.) Thus, P3 now has keys for each of his input bits P1 and P2 send the (distributed) garbled circuits, along with the input consistency commitments, to P3 All three parties run a coin-tossing protocol to determine which circuits for P3 to open and which to evaluate For the evaluation circuits, P1 and P2 send the sub-keys and selector bits for their inputs to P3 Note that we need to be careful in this step, as we need to enforce that, for example, P1 uses the same input as was shared in Step above This is accomplished as follows Recall that P1 and P2 have sharings of each other’s inputs and mask bits, all of which are authenticated Thus, P1 can send the (authenticated) share of her masked input to P2 , who can verify its authenticity, and thus reconstruct the masked input bit using his own share (and likewise for P2 ) This allows an honest P2 to send the correct sub-key (correct in the sense that it corresponds to P1 ’s input shared in Step 2) to P3 , even with a malicious P1 For the check circuits, P1 and P2 send the required information for P3 to decrypt the check circuits and verify correctness If any of these check circuits are incorrectly constructed, P3 aborts; otherwise, he has high confidence that the majority of the evaluation circuits are correctly constructed Efficient Three-Party Computation from Cut-and-Choose 525 10 For the evaluation circuits, P3 checks for input consistency against the subkeys sent by P1 and P2 in Step using a zero-knowledge proof-of-knowledge protocol [28], aborting on any inconsistency 11 Finally, P3 evaluates the evaluation circuits, outputting the majority over the circuits’ output See below for the full protocol description m Protocol Π3PC (P1 , P2 , P3 ) Auxiliary Inputs: Security parameter k, statistical security parameter s, circuit C , cyclic group G with (prime) order q and generator g, and randomness extractor H Inputs: For w ∈ {1, , n1 }, P1 has inputs bw ; for w ∈ {n1 + 1, , n2 }, P1 has inputs bw ; for w ∈ {n2 + 1, , n}, P3 has inputs bw Each party replaces C with a circuit C where each of P3 ’s input wires is replaced by an exclusive-or of s new input wires We let (n, m, q, L, R, G) ← C, and denote P3 ’s new inputs by ˆbw $ For w ∈ {1, , n1 }: P1 sets a1w,0 , a1w,1 ← Zq and constructs 1 (w, 0, g aw,0 ), (w, 1, g aw,1 ) For w ∈ {n1 + 1, , n2 }: P2 sets a2w,0 , a2w,1 (w, 0, g a2 w,0 ), (w, 1, g a2 w,1 $ ← Zq and constructs ) $ For j ∈ {1, , s}: Pi , for i ∈ {1, 2}, sets rji ← Zq and constructs i (j, g rj ) For j ∈ {1, , s}: P1 and P2 run up to Step (“Generate sub-keys”) of (P1 , P2 ), where the parties the following in the jth iteration: ΠGC 1 – For w ∈ {1, , n1 }: P1 sets s1w,b⊕λw,j ,j ← H(g aw,b·rj ) for b ∈ {0, 1} 2 – For w ∈ {n1 + 1, , n2 }: P2 sets s2w,b⊕λw,j ,j ← H(g aw,b ·rj ) for b ∈ {0, 1} – All other sub-keys are generated in the normal fashion (P1 , P2 ), pro3 For j ∈ {1, , s}: P1 and P2 continue their executions of ΠGC ducing garbled circuit GCj (bw ) For w ∈ {1, , n1 }: P1 and P2 compute bw ← Fss (bw ) For w ∈ {n1 + 1, , n2 }: P1 and P2 compute bw ← Fss For j ∈ {1, , s} and w ∈ {n2 + 1, , n}: P1 and P2 exchange λw,j with each other, reconstructing λw,j locally Both P1 and P2 send λw,j to P3 For w ∈ {n2 +1, , n}: Pi , for i ∈ {1, 2}, and P3 run Fot , with Pi as the sender inputting siw,λw,j ,j j∈{1, ,s} , siw,λw,j ⊕1,j and P3 as the rej∈{1, ,s} ceiver inputting ˆbw s Pi , for i ∈ {1, 2}, sends the sets from Step 2, along with GCji i=1 , to P3 The parties set ρ ← Fcf Let CC = {i : ρi = 1}, and E C = {1, , s} \ CC For j ∈ E C: – For w ∈ {1, , n1 }: P1 sends bw (1) ⊕ λw,j (1) to P2 , who reconstructs bw ⊕ λw,j locally P1 sends (s1w,bw ⊕λw,j ,j , bw ⊕ λw,j ) to P3 , and P2 sends (s2w,bw ⊕λw,j ,j , bw ⊕ λw,j ) to P3 526 S.G Choi et al – For w ∈ {n1 +1, , n}: P2 sends bw (2) ⊕ λw,j (2) to P1 , who reconstructs bw ⊕ λw,j locally P1 sends (s1w,bw ⊕λw,j ,j , bw ⊕ λw,j ) to P3 , and P2 sends (s2w,bw ⊕λw,j ,j , bw ⊕ λw,j ) to P3 For j ∈ CC: – Pi , for i ∈ {1, 2}, does the following: • Sends rji to P3 , and P3 checks that these values are consistent with the pairs i (j, g rj ) sent before • For w ∈ {1, , n}: Sends sub-keys siw,0,j and siw,1,j , mask bit share (i) λw,j , and the keys to the authenticated bits to P3 – Given the above information, P3 reconstructs all input labels and verifies they match with those labels sent previously Also, using said labels, P3 verifies that the garbled circuit is correctly constructed 10 For j ∈ E C: 1 – For w ∈ {1, , n1 }: P1 sends g aw,bw ·rj to P3 , who sets s1w,bw ⊕λw,j ,j ← 1 2 H(g aw,bw ·rj ) 2 – For w ∈ {n1 +1, , n2 }: P2 sends g aw,bw ·rj to P3 , who sets s2w,bw ⊕λw,j ,j ← H(g aw,bw ·rj ) For w ∈ {1, , n1 }: P1 and P3 run Fzkpok , with P1 acting as the prover inputting a1w,bw and P3 acting as the verifier inputting 1 1 g, g aw,0 , g aw,1 , (g rj , g aw,bw ·rj ) j∈EC For w ∈ {n1 + 1, , n2 }: P2 and P3 run Fzkpok , with P2 acting as the prover inputting a2w,bw and P3 acting as the verifier inputting 2 2 g, g aw,0 , g aw,1 , (g rj , g aw,bw ·rj ) j∈EC 11 For j ∈ E C: – P3 evaluates GCj using (s1w,bw ⊕λw,j ,j , s2w,bw ⊕λw,j ,j , bw ⊕ λw,j ) w∈{1, ,n} as inputs P3 outputs the majority output over the evaluated circuits In the full version [9] we prove the following Theorem Let C be an arbitrary polynomial-size circuit and let G be a cyclic group with prime order Given access to ideal functionalities Fconst , Fgate , Foshare , Fot , Frand , and Fss , and assuming that the decisional Diffie-Hellman m problem is hard in G, then Π3PC (P1 , P2 , P3 ) securely computes the circuit C in the presence of an adversary corrupting an arbitrary number of parties 4.3 Efficiency We now argue why our 3PC protocol is roughly eight times as expensive in terms of computation as the underlying 2PC protocol we utilize, and roughly sixteen times as expensive in terms of communication Both protocols are very similar Efficient Three-Party Computation from Cut-and-Choose 527 to the underlying 2PC protocol they are based on; the major changes in terms of computational cost are that (1) the cost of encrypting a single row increases due to the use of the distributed encryption scheme, and (2) P3 needs to twice the work (due to communicating with both P1 and P2 ) as compared to the evaluator in the underlying 2PC protocol Indeed, it takes about eight PRF calls (where one PRF call equals outputting k bits) to encrypt a single row of the garbled circuit, and thus the cost and size of a garbled circuit increases by a factor of eight The cost for P1 and P2 to distributively garble a circuit is a small number of OTs per gate, and this can be amortized using OT extension techniques [21] In terms of communication cost, both P1 and P2 need to send their half of the distributed garbled circuit to P3 , and the communication cost of actually constructing a distributed garbled circuit is roughly the cost of a standard garbled circuit Since each garbled circuit is eight times larger than in the underlying 2PC protocol, we find that the overall communication size increases my approximately sixteen Comparison with SPDZ We compare our three-party protocol with the SPDZ protocol [4, 12–14, 23], an efficient protocol over arithmetic circuits that works for n parties and arbitrary corruptions, and uses the preprocessing paradigm SPDZ represents the state-of-the-art in terms of efficiency in the multi-party setting Here we focus on the differences between both SPDZ and our protocol, and discuss their strengths and weaknesses Due to the different characteristics of each protocol (e.g., arithmetic versus boolean, linear versus constant round, etc.), these protocols are somewhat “incomparable” However, we hope to give a general idea of the efficiency trade-offs of both protocols There are several key differences between the SPDZ protocol and our own For one, SPDZ works over arithmetic circuits, whereas our protocol works over boolean circuits In terms of communication, the SPDZ protocol requires rounds linear in the depth of the circuit, whereas our protocol is constant-round While it is difficult to compare the impact of this without an implementation and experiments, it seems intuitive that as the latency between machines increases, the cost of each additional communication round increases as well; this intuition has been backed up by experiments in the semi-honest setting [35] And while SPDZ works in the standard model, the most efficient instantiation of our protocol requires the random oracle model Finally, we consider the start-to-finish execution time (i.e., including the cost of preprocessing) for running an AES circuit The preprocessing in our protocol is basically that found in the TinyOT protocol [32], and, using the numbers presented there, is fairly efficient (around minute [32, Figure 21]) Efficiency comes from the fact that the preprocessing is only between two parties, namely, the circuit generators The on-line running time is conjectured to be around that of maliciously secure two-party protocols using cut-and-choose The SPDZ protocol, on the other hand, has a very efficient (information-theoretic) online phase but a much costlier offline phase (around 17 minutes for three parties [12, Table 2]) In addition, it has a one-time setup phase which is very costly: the parties need to execute an MPC protocol for a circuit which generates a key pair 528 S.G Choi et al with the secret key secret-shared among the parties Executing this on its own would likely eclipse the running time of our protocol.2 Thus, given preprocessing, it seems likely that SPDZ would out-perform our protocol; however, in the setting of executing the protocol from start to finish, we conjecture that our protocol would be more efficient Acknowledgments Work of Seung Geol Choi supported in part by the Office of Naval Research under Grant Number N0001414WX20588 Work of Jonathan Katz supported in part by NSF awards #0964541 and #1111599 Work of Alex J Malozemoff supported by a National Defense Science and Engineering Graduate (NDSEG) Fellowship, 32 CFG 168a, awarded by DoD, Air Force Office of Scientific Research Work of Vassilis Zikas supported in part by NSF awards #09165174, #1065276, #1118126, and #1136174, US-Israel BSF grant #2008411, OKAWA Foundation Research Award, IBM Faculty Research Award, Xerox Faculty Research Award, B John Garrick Foundation Award, Teradata Research Award, Lockheed-Martin Corporation Research Award, the Defense Advanced Research Projects Agency through the U.S Office of Naval Research under Contract N00014-11-1-0392, and Swiss National Science Foundation (SNF) Ambizione grant PZ00P2 142549 The views expressed are those of the authors and not reflect the official policy or position of the Department of Defense or the U.S Government References Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols In: 22nd ACM STOC, pp 503–513 ACM Press (1990) Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits In: Yu, T., Danezis, G., Gligor, V.D (eds.) ACM CCS 2012, pp 784–796 ACM Press (2012) Ben-David, A., Nisan, N., Pinkas, B.: FairplayMP: a system for secure multiparty computation In: Ning, P., Syverson, P.F., Jha, S (eds.) ACM CCS 2008, pp 257–266 ACM Press (2008) Bendlin, R., Damg˚ ard, I., Orlandi, C., Zakarias, S.: Semi-homomorphic encryption and multiparty computation In: Paterson, K.G (ed.) EUROCRYPT 2011 LNCS, vol 6632, pp 169–188 Springer, Heidelberg (2011) Bogdanov, D., Laur, S., Willemson, J.: Sharemind: A framework for fast privacypreserving computations In: Jajodia, S., Lopez, J (eds.) ESORICS 2008 LNCS, vol 5283, pp 192–206 Springer, Heidelberg (2008) Bogetoft, P., et al.: Secure multiparty computation goes live In: Dingledine, R., Golle, P (eds.) FC 2009 LNCS, vol 5628, pp 325–343 Springer, Heidelberg (2009) Burkhart, M., Strasser, M., Many, D., Dimitropoulos, X.: SEPIA: Privacypreserving aggregation of multi-domain network events and statistics In: Goldberg, I (ed.) 19th USENIX Security Symposium USENIX Association, Washington (2010) We note that Damg˚ ard et al [13] present an efficient protocol for this one-time setup phase in the weaker covert security model Efficient Three-Party Computation from Cut-and-Choose 529 Choi, S.G., Hwang, K.-W., Katz, J., Malkin, T., Rubenstein, D.: Secure multiparty computation of boolean circuits with applications to privacy in on-line marketplaces In: Dunkelman, O (ed.) CT-RSA 2012 LNCS, vol 7178, pp 416– 432 Springer, Heidelberg (2012) Choi, S.G., Katz, J., Malozemoff, A.J., Zikas, V.: Efficient three-party computation from cut-and-choose Cryptology ePrint Archive, Report 2014/128 (2014), https://eprint.iacr.org/ 10 Damg˚ ard, I., Geisler, M., Krøigaard, M., Nielsen, J.B.: Asynchronous multiparty computation: Theory and implementation In: Jarecki, S., Tsudik, G (eds.) PKC 2009 LNCS, vol 5443, pp 160–179 Springer, Heidelberg (2009) 11 Damg˚ ard, I., Ishai, Y.: Constant-round multiparty computation using a black-box pseudorandom generator In: Shoup, V (ed.) CRYPTO 2005 LNCS, vol 3621, pp 378–394 Springer, Heidelberg (2005) 12 Damg˚ ard, I., Keller, M., Larraia, E., Miles, C., Smart, N.P.: Implementing AES via an actively/Covertly secure dishonest-majority MPC protocol In: Visconti, I., De Prisco, R (eds.) SCN 2012 LNCS, vol 7485, pp 241–263 Springer, Heidelberg (2012) 13 Damg˚ ard, I., Keller, M., Larraia, E., Pastro, V., Scholl, P., Smart, N.P.: Practical Covertly Secure MPC for Dishonest Majority – Or: Breaking the SPDZ Limits In: Crampton, J., Jajodia, S., Mayes, K (eds.) ESORICS 2013 LNCS, vol 8134, pp 1–18 Springer, Heidelberg (2013) 14 Damg˚ ard, I., Pastro, V., Smart, N.P., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption In: Safavi-Naini, R., Canetti, R (eds.) CRYPTO 2012 LNCS, vol 7417, pp 643–662 Springer, Heidelberg (2012) 15 Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or A completeness theorem for protocols with honest majority In: Aho, A (ed.) 19th ACM STOC, pp 218–229 ACM Press (May 1987) 16 Goyal, V., Mohassel, P., Smith, A.: Efficient two party and multi party computation against covert adversaries In: Smart, N.P (ed.) EUROCRYPT 2008 LNCS, vol 4965, pp 289–306 Springer, Heidelberg (2008) 17 Henecka, W., Kă ogl, S., Sadeghi, A.R., Schneider, T., Wehrenberg, I.: TASTY: Tool for automating secure two-party computations In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V (eds.) ACM CCS 2010, pp 451–462 ACM Press (2010) 18 Huang, Y., Evans, D., Katz, J.: Private set intersection: Are garbled circuits better than custom protocols? In: NDSS 2012, The Internet Society (February 2012) 19 Huang, Y., Evans, D., Katz, J., Malka, L.: Faster secure two-party computation using garbled circuits In: Wagner, D (ed.) 20th USENIX Security Symposium USENIX Association, San Francisco (2011) 20 Huang, Y., Katz, J., Evans, D.: Efficient secure two-party computation using symmetric cut-and-choose In: Canetti, R., Garay, J.A (eds.) CRYPTO 2013, Part II LNCS, vol 8043, pp 18–35 Springer, Heidelberg (2013) 21 Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently In: Boneh, D (ed.) CRYPTO 2003 LNCS, vol 2729, pp 145–161 Springer, Heidelberg (2003) 22 Ishai, Y., Prabhakaran, M., Sahai, A.: Founding cryptography on oblivious transfer – efficiently In: Wagner, D (ed.) CRYPTO 2008 LNCS, vol 5157, pp 572– 591 Springer, Heidelberg (2008) 23 Keller, M., Scholl, P., Smart, N.P.: An architecture for practical actively secure MPC with dishonest majority In: Sadeghi, A.R., Gligor, V.D., Yung, M (eds.) ACM CCS 2013, pp 549–560 ACM Press (November 2013) 530 S.G Choi et al 24 Kreuter, B., Shelat, A., Shen, C.H.: Towards billion-gate secure computation with malicious adversaries In: Kohno, T (ed.) 21st USENIX Security Symposium USENIX Association, Bellevue (2012) 25 Lindell, Y.: Fast cut-and-choose based protocols for malicious and covert adversaries In: Canetti, R., Garay, J.A (eds.) CRYPTO 2013, Part II LNCS, vol 8043, pp 1–17 Springer, Heidelberg (2013) 26 Lindell, Y., Oxman, E., Pinkas, B.: The IPS compiler: Optimizations, variants and concrete efficiency In: Rogaway, P (ed.) CRYPTO 2011 LNCS, vol 6841, pp 259–276 Springer, Heidelberg (2011) 27 Lindell, Y., Pinkas, B.: An efficient protocol for secure two-party computation in the presence of malicious adversaries In: Naor, M (ed.) EUROCRYPT 2007 LNCS, vol 4515, pp 52–78 Springer, Heidelberg (2007) 28 Lindell, Y., Pinkas, B.: Secure two-party computation via cut-and-choose oblivious transfer In: Ishai, Y (ed.) TCC 2011 LNCS, vol 6597, pp 329–346 Springer, Heidelberg (2011) 29 Lindell, Y., Pinkas, B., Smart, N.P.: Implementing two-party computation efficiently with security against malicious adversaries In: Ostrovsky, R., De Prisco, R., Visconti, I (eds.) SCN 2008 LNCS, vol 5229, pp 2–20 Springer, Heidelberg (2008) 30 Mohassel, P., Franklin, M.: Efficiency tradeoffs for malicious two-party computation In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T (eds.) PKC 2006 LNCS, vol 3958, pp 458–473 Springer, Heidelberg (2006) 31 Mohassel, P., Riva, B.: Garbled circuits checking garbled circuits: More efficient and secure two-party computation In: Canetti, R., Garay, J.A (eds.) CRYPTO 2013, Part II LNCS, vol 8043, pp 36–53 Springer, Heidelberg (2013) 32 Nielsen, J.B., Nordholt, P.S., Orlandi, C., Burra, S.S.: A new approach to practical active-secure two-party computation In: Safavi-Naini, R., Canetti, R (eds.) CRYPTO 2012 LNCS, vol 7417, pp 681–700 Springer, Heidelberg (2012) 33 Nielsen, J.B., Orlandi, C.: LEGO for two-party secure computation In: Reingold, O (ed.) TCC 2009 LNCS, vol 5444, pp 368–386 Springer, Heidelberg (2009) 34 Pinkas, B., Schneider, T., Smart, N.P., Williams, S.C.: Secure two-party computation is practical In: Matsui, M (ed.) ASIACRYPT 2009 LNCS, vol 5912, pp 250–267 Springer, Heidelberg (2009) 35 Schneider, T., Zohner, M.: GMW vs Yao? Efficient secure two-party computation with low depth circuits In: Sadeghi, A.-R (ed.) FC 2013 LNCS, vol 7859, pp 275–292 Springer, Heidelberg (2013) 36 Shelat, A., Shen, C.H.: Two-output secure computation with malicious adversaries In: Paterson, K.G (ed.) EUROCRYPT 2011 LNCS, vol 6632, pp 386– 405 Springer, Heidelberg (2011) 37 Shelat, A., Shen, C.H.: Fast two-party secure computation with minimal assumptions In: Sadeghi, A.R., Gligor, V.D., Yung, M (eds.) ACM CCS 2013, pp 523– 534 ACM Press (November 2013) 38 Yao, A.C.C.: How to generate and exchange secrets (extended abstract) In: 27th FOCS, pp 162–167 IEEE Computer Society Press (October 1986) Author Index Abdalla, Michel I-77 Abe, Masayuki I-241, I-390 Aggarwal, Divesh II-183 Albrecht, Martin R I-57 Alperin-Sheriff, Jacob I-297 Ananth, Prabhanjan II-164 Austrin, Per I-462 Banerjee, Abhishek I-353 Barthe, Gilles I-95 Beimel, Amos II-387 Bellare, Mihir I-1, I-169 Benhamouda, Fabrice I-77 Ben-Sasson, Eli II-276 Bentov, Iddo II-421 Bhargavan, Karthikeyan II-235 Bitansky, Nir II-71, II-108, II-146 Blazy, Olivier I-408 Boneh, Dan I-206, I-480 Brzuska, Christina I-188 Camenisch, Jan II-256 Canetti, Ran II-71, II-108, II-337 Catalano, Dario I-371 Chen, Shan I-39 Chiesa, Alessandro II-276 Choi, Seung Geol II-513 Chung, Kai-Min I-462 Cohn, Henry II-71 Dachman-Soled, Dana II-146, II-405 Dai, Yuanxi I-20 Data, Deepesh II-199 Dinur, Itai I-149 Dodis, Yevgeniy II-37, II-183 Driessen, Benedikt I-57 Ducas, L´eo I-335 Fagerholm, Edvard I-95 Farr` as, Oriol II-217 Farshim, Pooya I-188 Fiore, Dario I-95, I-371 Fisch, Ben II-313 Fleischhacker, Nils II-405 Fournet, C´edric Freund, Daniel II-235 II-313 Gabizon, Ariel II-387 Garg, Sanjam I-518 Gaˇzi, Peter I-113 Genkin, Daniel I-444 Gentry, Craig I-426, I-518 Goldwasser, Shafi II-71 Goyal, Vipul II-164 Granger, Robert II-126 Groth, Jens I-241, I-390 Guo, Jian I-131 Halevi, Shai I-518, I-554 Hanaoka, Goichiro II-90 Hansen, Torben II-217 Herold, Gottfried I-261 Hesse, Julia I-261 Hoang, Viet Tung I-169 Hofheinz, Dennis I-261 Huang, Yan II-458 Ishai, Yuval II-369, II-387 Jafargholi, Zahra II-183 Jain, Abhishek II-337 Jutla, Charanjit S II-295 Kaced, Tarik II-217 Kalai, Yael Tauman II-71, II-108 Katz, Jonathan II-405, II-458, II-513 Kavun, Elif Bilge I-57 Keelveedhi, Sriram I-169 Kiltz, Eike I-408 Kiyoshima, Susumu II-351 Kleinjung, Thorsten II-126 Kohlweiss, Markulf II-235 Kolesnikov, Vladimir II-440, II-458 Kumaresan, Ranjit II-421, II-458 Kunihiro, Noboru II-90 Kushilevitz, Eyal II-387 Lampe, Rodolphe I-39 Larraia, Enrique II-495 532 Author Index Leander, Gregor I-57 Lee, Hyung Tae I-224 Lee, Jooyoung I-20, I-39 Lehmann, Anja II-256 Lenstra, H.W I-280 Leurent, Gaăetan I-149 Lewko, Allison I-426 Lin, Huijia II-146 Lindell, Yehuda II-476 Ling, San I-315 Liu, Yi-Kai II-19 Lysyanskaya, Anna II-256, II-405 Mahmoody, Mohammad I-462 Malozemoff, Alex J II-458, II-513 Meldgaard, Sigurd II-387 Mennink, Bart I-20 Micciancio, Daniele I-335 Miles, Eric II-183 Mitchell, John I-95 Mittelbach, Arno I-188 Mohassel, Payman II-440 Naor, Moni II-313 Neven, Gregory II-256 Ohkubo, Miyako I-241, I-390 Orsini, Emmanuela II-495 Ostrovsky, Rafail I-536, II-369 Paar, Christof I-57 Padr´ o, Carles II-217 Pan, Jiaxin I-408 Pandey, Omkant II-164 Paneth, Omer II-71, II-108, II-337 Papakonstantinou, Periklis A II-55 Paskin-Cherniavsky, Anat I-536, II-387 Paskin-Cherniavsky, Beni I-536 Pass, Rafael I-462, I-500 Passel`egue, Alain I-77 Paterson, Kenneth G I-1, I-77 Peikert, Chris I-297, I-353 Peyrin, Thomas I-131 Phan, Duong Hieu I-315 Pietrzak, Krzysztof I-113 Pironti, Alfredo II-235 Prabhakaran, Manoj M II-199 Prabhakaran, Vinod M II-199 R` afols, Carla I-261 Reyzin, Leonid II-183 Riva, Ben II-476 Rogaway, Phillip I-1 Rosen, Alon II-71 Rosulek, Mike II-440 Roy, Arnab II-295 Rupp, Andy I-261 Ryb´ ar, Michal I-113 Sasaki, Yu I-131 Scedrov, Andre I-95 Schmidt, Benedikt I-95 Schră oder, Dominique II-405 Seo, Jae Hong I-224 Seth, Karn I-462, I-500 Seurin, Yannick I-39 Shamir, Adi I-444, II-37 Shoup, Victor I-554 Silverberg, A I-280 Smart, Nigel P II-495 Stehl´e, Damien I-315 Steinberger, John I-20, I-39 Steinfeld, Ron I-315 Stephens-Davidowitz, Noah II-37 Strub, Pierre-Yves II-235 Tango, Takeya I-241 Telang, Sidharth I-500 Tibouchi, Mehdi I-390 Tromer, Eran I-444, II-276 Unruh, Dominique Virza, Madars II-1 II-276 Wang, Lei I-131 Warinschi, Bogdan I-371 Waters, Brent I-206, I-426 Wichs, Daniel I-518, II-37 Yal¸cın, Tolga I-57 Yamada, Shota II-90 Yamakawa, Takashi II-90 Yang, Guang II-55 Zanella-B´eguelin, Santiago II-235 Zhandry, Mark I-206, I-480 Zikas, Vassilis II-369, II-513 Zumbră agel, Jens II-126 ... Game 5] ≤ 2h(γ) we have Pr[Accept : Game 1] − Pr[Accept : Game 5] ≤ 2q2− Thus altogether Pr[Accept : Game 1] ≤ 2q2− /2 + h(γ) 1+ /2 √ 1 /2 n D Unruh R1 |Ψ x1 R3 R2 ≈ δ x3 √ P R3 R2 x2 V2 V3 (a)... Number-Theoretic Hardness Breaking ‘ 128 -bit Secure’ Supersingular Binary Curves (Or How to Solve Discrete Logarithms in F24· 122 3 and F2 12 367 ) Robert Granger, Thorsten Kleinjung, and Jens... P2∗ perform at most q queries to H Then in an execution of V1 , V2 , P1∗ , P2∗ with V1 , V2 following the protocol from Definition 1, the probability that V1 , V2 accept is at most 2q2− /2 + 2h(γ)