Oblivious Transfer

We develop cryptographically secure techniques to guarantee unconditional privacy for respondents to polls. Our constructions are efficient and practical, and are shown not to allow cheating respondents to affect the "tally" by more than their own vote -which will be given the exact same weight as that of other respondents. We demonstrate solutions to this problem based on both traditional cryptographic techniques and quantum cryptography.

The Distributed Computing Column covers the theory of systems that are composed of a number of interacting computing elements. These include problems of communication and networking, databases, distributed shared memory, multiprocessor architectures, operating systems, verification, Internet, and the Web. This issue consists of: • "Delayed Password Disclosure," by Markus Jakobsson and Steven Myers. Many thanks to them for their contribution to this issue. Request for Collaborations: Please send me any suggestions for material I should be including in this column, including news and communications, open problems, and authors willing to write a guest column or to review an event related to theory of distributed computing.

We provide the first construction of a concurrent and non-malleable zero knowledge argument for every language in NP. We stress that our construction is in the plain model without allowing a common random string, trusted parties, or super-polynomial simulation. That is, we construct a zero knowledge protocol Π such that for every polynomial-time adversary that can adaptively and concurrently schedule polynomially many executions of Π, and corrupt some of the verifiers and some of the provers in these sessions, there is a polynomial-time simulator that can simulate a transcript of the entire execution, along with the witnesses for all statements proven by a corrupt prover to an honest verifier. Our security model is the traditional model for concurrent zero knowledge, where the statements to be proven by the honest provers are fixed in advance and do not depend on the previous history (but can be correlated with each other); corrupted provers, of course, can chose the statements adaptively. We also prove that there exists some functionality F (a combination of zero knowledge and oblivious transfer) such that it is impossible to obtain a concurrent non-malleable protocol for F in this model. Previous impossibility results for composable protocols ruled out existence of protocols for a wider class of functionalities (including zero knowledge!) but only if these protocols were required to remain secure when executed concurrently with arbitrarily chosen different protocols (Lindell, FOCS 2003) or if these protocols were required to remain secure when the honest parties' inputs in each execution are chosen adaptively based on the results of previous executions (Lindell, TCC 2004). We obtain an Õ(n)-round protocol under the assumption that one-to-one one-way functions exist. This can be improved to Õ(k log n) rounds under the assumption that there exist k-round statistically hiding commitment schemes. Our protocol is a black-box zero knowledge protocol.

We study the problem of secure two-party and multiparty computation (MPC) in a setting where a cheating polynomial-time adversary can corrupt an arbitrary subset of parties and, in addition, learn arbitrary auxiliary information on the entire states of all honest parties (including their inputs and random coins), in an adaptive manner, throughout the protocol execution. We formalize a definition of multiparty computation secure against adaptive auxiliary information (AAI-MPC), that intuitively guarantees that such an adversary learns no more than the function output and the adaptive auxiliary information. In particular, if the auxiliary information contains only partial, "noisy," or computationally invertible information on secret inputs, then only such information should be revealed. We construct a universally composable AAI two-party and multiparty computation protocol that realizes any (efficiently computable) functionality against malicious adversaries in the common reference string model, based on the linear assumption over bilinear groups and the n-th residuosity assumption. Apart from theoretical interest, our result has interesting applications to the regime of leakage-resilient cryptography. At the heart of our construction is a new two-round oblivious transfer protocol secure against malicious adversaries who may receive adaptive auxiliary information. This may be of independent interest.

Secure multiparty computation enables a set of parties to securely carry out a joint computation on their private inputs without revealing anything but the output. A particularly motivated setting is that of three parties with a single corruption (hereafter denoted 3PC). This 3PC setting is particularly appealing for two main reasons: (1) it admits more efficient MPC protocols than in other standard settings; (2) it allows in principle to achieve full security (and fairness). Highly efficient protocols exist within this setting with security against a semi-honest adversary; however, a significant gap remains between these and protocols with stronger security against a malicious adversary. In this paper, we narrow this gap within concretely efficient protocols. More explicitly, we have the following contributions:

Secure multiparty computation (MPC) enables n parties, of which up to t may be corrupted, to perform joint computations on their private inputs while revealing only the outputs. Optimizing the asymptotic and concrete costs of MPC protocols has become an important line of research. Much of this research focuses on the setting of an honest majority, where n ≥ 2t + 1, which gives rise to concretely efficient protocols that are either information-theoretic or make a black-box use of symmetric cryptography. Efficiency can be further improved in the case of a strong honest majority, where n > 2t + 1. Motivated by the goal of minimizing the communication and latency costs of MPC with a strong honest majority, we make two related contributions.

Secure multiparty computation (MPC) enables n parties, of which up to t may be corrupted, to perform joint computations on their private inputs while revealing only the outputs. Optimizing the asymptotic and concrete costs of MPC protocols has become an important line of research. Much of this research focuses on the setting of an honest majority, where n ≥ 2t + 1, which gives rise to concretely efficient protocols that are either information-theoretic or make a black-box use of symmetric cryptography. Efficiency can be further improved in the case of a strong honest majority, where n > 2t + 1. Motivated by the goal of minimizing the communication and latency costs of MPC with a strong honest majority, we make two related contributions.

Secure multiparty computation enables a set of parties to securely carry out a joint computation on their private inputs without revealing anything but the output. A particularly motivated setting is that of three parties with a single corruption (hereafter denoted 3PC). This 3PC setting is particularly appealing for two main reasons: (1) it admits more efficient MPC protocols than in other standard settings; (2) it allows in principle to achieve full security (and fairness). Highly efficient protocols exist within this setting with security against a semi-honest adversary; however, a significant gap remains between these and protocols with stronger security against a malicious adversary. In this paper, we narrow this gap within concretely efficient protocols. More explicitly, we have the following contributions:

We present the design and implementation of a compiler that automatically generates protocols that perform two-party computations. The input to our protocol is the specification of a computation with secret inputs (e.g., a signature algorithm) expressed using operations in the field Õ of integers modulo a prime Õ and in the multiplicative subgroup of order Õ in £ Ô for Õ Ô ½ with generator . The output of our compiler is an implementation of each party in a two-party protocol to perform the same computation securely, i.e., so that both parties can together compute the function but neither can alone. The protocols generated by our compiler are provably secure, in that their strength can be reduced to that of the original cryptographic computation via simulation arguments. Our compiler can be applied to various cryptographic primitives (e.g., signature schemes, encryption schemes, oblivious transfer protocols) and other protocols that employ a trusted party (e.g., key retrieval, key distribution).

We show how the Bitcoin currency system (with a small modification) can be used to obtain fairness in any two-party secure computation protocol in the following sense: if one party aborts the protocol after learning the output then the other party gets a financial compensation (in bitcoins). One possible application of such protocols is the fair contract signing: each party is forced to complete the protocol, or to pay to the other one a fine. We also show how to link the output of this protocol to the Bitcoin currency. More precisely: we show a method to design secure two-party protocols for functionalities that result in a "forced" financial transfer from one party to the other. Our protocols build upon the ideas of our recent paper "Secure Multiparty Computations on Bitcoin" (Cryptology ePrint Archive, Report 2013/784). Compared to that paper, our results are more general, since our protocols allow to compute any function, while in the previous paper we concentrated only on some specific tasks (commitment schemes and lotteries). On the other hand, as opposed to "Secure Multiparty Computations on Bitcoin", to obtain security we need to modify the Bitcoin specification so that the transactions are "non-malleable" (we discuss this concept in more detail in the paper).

Oblivious Transfer (OT) is one of the most fundamental cryptographic primitives with wide-spread application in general secure multi-party computation (MPC) as well as in a number of tailored and special-purpose problems of interest such as private set intersection (PSI), private information retrieval (PIR), contract signing to name a few. Often the instantiations of OT require prohibitive communication and computation complexity. OT extension protocols are introduced to compute a very large number of OTs referred as extended OTs at the cost of a small number of OTs referred as seed OTs. We present a fast OT extension protocol for small secrets in active setting. Our protocol when used to produce 1-out-of-n OTs outperforms all the known actively secure OT extensions. Our protocol is built on the semi-honest secure extension protocol of Kolesnikov and Kumaresan of CRYPTO'13 (referred as KK13 protocol henceforth) which is the best known OT extension for short secrets. At the heart of our protocol lies an efficient consistency checking mechanism that relies on the linearity of Walsh-Hadamard (WH) codes. Asymptotically, our protocol adds a communication overhead of O(µ log κ) bits over KK13 protocol irrespective of the number of extended OTs, where κ and µ refer to computational and statistical security parameter respectively. Concretely, our protocol when used to generate a large enough number of OTs adds only 0.011-0.028% communication overhead and 4-6% runtime overhead both in LAN and WAN over KK13 extension. The runtime overheads drop below 2% when in addition the number of inputs of the sender in the extended OTs is large enough. As an application of our proposed extension protocol, we show that it can be used to obtain the most efficient PSI protocol secure against a malicious receiver and a semi-honest sender.

Adaptive security embodies one of the strongest notions of security that allows an adversary to corrupt parties at any point during protocol execution and gain access to its internal state. Since it models real-life situations such as "hacking", efficient adaptively-secure multiparty computation (MPC) protocols are desirable. Such protocols demand primitives such as oblivious transfer (OT) and commitment schemes that are adaptively-secure as building blocks. Efficient realizations of these primitives have been found to be challenging, especially in the no erasure model. We make progress in this direction and provide efficient constructions that are Universally-Composable in the random oracle model. Oblivious Transfer. We present the first round optimal framework for building adaptively-secure OT in the programmable random oracle (PRO) model, relying upon the framework of Peikert et al. (Crypto 2008). When instantiated with Decisional Diffie Hellman assumption, it incurs a minimal communication overhead of one κ bit string and computational overhead of 5 random oracle queries over its static counterpart, where κ is the security parameter. This computation overhead translates to 0.02% and 1% in the LAN and WAN setting. Additionally, we obtain a construction of adaptively-secure 1-out-of-N OT by extending the result of Naor et al. (Journal of Cryptology 2005) that transforms log N copies of 1-outof-2 OTs to one 1-out-of-N OT in the PRO model. We complete the picture of efficient OT constructions by presenting the first adaptively secure OT Extension, extending the protocol of Asharov et al. (Eurocrypt 2015) for the adaptive setting using PRO. Our OT extension enables us to obtain adaptive OTs at an amortized cost of 3 symmetric key operations and communication of 3κ bit strings. It incurs a runtime overhead of 2% and 11.95%, in the LAN and WAN setting and almost no communication overhead over the static OT extension protocol. In concrete terms, the cost is 2 µs and 115 µs for each OT in LAN and WAN. Commitment Scheme. We present an adaptively secure commitment scheme in the Global Random Oracle model solely relying on observable random oracle (ORO). Our commitment scheme has a one-time offline setup phase, where a common reference string (crs) is generated between the parties using an ORO. In the online phase, the parties use the crs and ORO to generate commitments in a non-interactive fashion. Our construction incurs communication of 4κ bit strings and computation of 4 exponentiations and 4 random oracle queries for committing to an arbitrary length message. Empirically, it takes around 0.18ms and 0.2 ms for committing to 128 bits and 2048 bits respectively. It finds applications in secure two-party computation (2PC) protocols that adopt offline-online paradigm, where the crs can be generated in the offline phase and the scheme can be used in the online phase.

We construct the most efficient two-round adaptively secure bit-OT in the Common Random String (CRS) model. The scheme is UC secure under the Decisional Diffie-Hellman (DDH) assumption. It incurs O(1) exponentiations and sends O(1) group elements, whereas the state of the art requires O(κ 2 ) exponentiations and communicates poly(κ) bits, where κ is the computational security parameter. Along the way, we obtain several other efficient UC-secure OT protocols under DDH : -The most efficient yet two-round adaptive string-OT protocol assuming global programmable random oracle. Furthermore, the protocol can be made non-interactive in the simultaneous message setting, assuming random inputs for the sender. -The first two-round string-OT with amortized constant exponentiations and communication overhead which is secure in the global observable random oracle model. -The first two-round receiver equivocal string-OT in the CRS model that incurs constant computation and communication overhead. We also obtain the first non-interactive adaptive string UC-commitment in the CRS model which incurs a sublinear communication overhead in the security parameter. Specifically, we commit to polylog(κ) bits while communicating O(κ) bits. Moreover, it is additively homomorphic. We can also extend our results to the single CRS model where multiple sessions share the same CRS. As a corollary, we obtain a two-round adaptively secure MPC protocol in this model.

Modern cryptography is more than sending secret messages, and quantum cryptography is more than quantum key distribution. One example is oblivious transfer, which is interesting partly because it can be used to implement secure multiparty computation. 1, 2 We discuss a protocol for quantum XOR oblivious transfer, and how non-interactive quantum oblivious transfer protocols can be "reversed", so that oblivious transfer is still implemented from a sender to a receiver, but so that it is the receiver who sends a quantum state to the sender, who measures it, instead of the other way round. This is useful when one party can only prepare and send quantum states, and the other party can only measure them, which is often the case in practical quantum communication systems. Both the "original" XOR oblivious transfer protocol and its reversed version have been implemented optically. We also discuss how quantum random access codes can be connected with quantum oblivious transfer.

In the DRM environment, content is usually distributed in an encrypted form. Typically, a secure encryption algorithm is utilized to accomplish such protection. However, executing this algorithm in an insecure environment may allow adversaries to compromise the system and obtain information about the decryption key. Keeping such a key secret is a major challenge for content distribution systems. We consider two solutions for securing content delivery. The first solution involves modifying the algorithm in such a way as to make implementation unintelligible. The second solution involves setting a buyer-seller protocol to communicate the key securely. In addition, the protocol can be set to achieve security for the content provider and privacy protection for user. This paper describes a study of these scenarios for DRM applications w.r.t securing content delivery.

Post-Quantum Cryptography (PQC) attempts to find cryptographic protocols resistant to attacks using Shor's polynomial time algorithm for numerical field problems or Grover's algorithm to find the unique input to a black-box function that produces a particular output value. The use of nonstandard algebraic structures like non-commutative or nonassociative structures, combined with one-way trapdoor functions derived from combinatorial group theory, are mainly unexplored choices for these new kinds of protocols and overlooked in current PQC solutions. In this paper, we develop an algebraic extension ring framework who could be applied to different asymmetric protocols (i.e. key exchange, key transport, enciphering, digital signature, zero-knowledge authentication, oblivious transfer, secret sharing etc.). A valuable feature is that there is no need for big number libraries as all arithmetic is performed in extension field operations (precisely the AES field). We assume that the new framework is cryptographical secure against strong classical attacks like the sometimes-useful length-based attack, Roman'kov's linearization attacks and Tsaban's algebraic span attack. This statement is based on the non-linear structure of the selected platform which proved to be useful protecting the AES protocol. Otherwise, it could resist post-quantum attacks (Grover, Shor) and be particularly useful for computational platforms with limited capabilities like USB cryptographic keys or smartcards. Semantic security (IND-CCA2) could also be inferred for this new platform.

Oblivious transfer (OT) protocols mainly contain three categories: 1-out-of-2 OT, 1-out-of-nOT, andk-out-of-nOT. In most cases, they are treated as cryptographic primitives and are usually executed without consideration of possible attacks that might frequently occur in an open network, such as an impersonation, replaying, or man-in-the-middle attack. Therefore, when used in certain applications, such as mental poker games and fair contract signings, some extra mechanisms must be combined to ensure the security of the protocol. However, after a combination, we found that very few of the resulting schemes are efficient enough in terms of communicational cost, which is a significant concern for generic commercial transactions. Therefore, we propose a novelk-out-of-noblivious transfer protocol based on bilinear pairing, which not only satisfies the requirements of ak-out-of-nOT protocol, but also provides mutual authentication to resist malicious attacks. Meanwhile, it is efficient in ...

As traditional oblivious transfer protocols are treated as a cryptographic primitive, they are usually executed without the consideration of possible attacks, e.g., impersonation, replaying, and man-in-the-middle attacks. Therefore, when these protocols are applied in certain applications such as mental poker playing, some necessary mechanism must be executed first to ensure the security of subsequent communications. But doing this way, we found that almost all of the resulting mechanisms are not efficient enough in communicational cost which is a significant concern for commercial transactions. Inspired by these observations, we propose a novel secure oblivious transfer protocol based on bilinear pairing which not only can provide mutual authentication to resist malicious attacks but also is efficient in communicational cost, other than its original functions.

We propose a new defense mechanism against undetected infiltration into controllers in cyber-physical systems. To this end, we cautiously design the outputs of the sensors that monitor the state of the system. Different from the defense mechanisms that seek to detect infiltration, the proposed approach seeks to minimize the damage of possible attacks before they have been detected. Controller of a cyber-physical system could have been infiltrated into by an undetected attacker at any time of the operation. Disregarding such a possibility and disclosing system's state without caution benefits the attacker in his/her malicious objective. Therefore, secure sensor design can improve the security of cyber-physical systems further when incorporated along with other defense mechanisms. We, specifically, consider a controlled Gauss-Markov process, where the controller could have been infiltrated into at any time within the system's operation. In the sense of game-theoretic hierarchical equilibrium, we provide a semi-definite programming based algorithm to compute the optimal linear secure sensor outputs and analyze the performance for various scenarios numerically.

The Distributed Computing Column covers the theory of systems that are composed of a number of interacting computing elements. These include problems of communication and networking, databases, distributed shared memory, multiprocessor architectures, operating systems, verification, Internet, and the Web. This issue consists of: • "Delayed Password Disclosure," by Markus Jakobsson and Steven Myers. Many thanks to them for their contribution to this issue. Request for Collaborations: Please send me any suggestions for material I should be including in this column, including news and communications, open problems, and authors willing to write a guest column or to review an event related to theory of distributed computing.

In most password-authenticated key exchange systems there is a single server storing password verification data. To provide some resilience against server compromise, this data typically takes the form of a one-way function of the password (and possibly a salt, or other public values), rather than the password itself. However, if the server is compromised, this password verification data can be used to perform an offline dictionary attack on the user's password. In this paper we propose an efficient password-authenticated key exchange system involving a set of servers, in which a certain threshold of servers must participate in the authentication of a user, and in which the compromise of any fewer than that threshold of servers does not allow an attacker to perform an offline dictionary attack. We prove our system is secure in the random oracle model under the Decision Diffie-Hellman assumption against an attacker that may eavesdrop on, insert, delete, or modify messages between the user and servers, and that compromises fewer than that threshold of servers.

Oblivious transfer between two untrusting parties is an important primitive in cryptography. There are different variants of oblivious transfer. In Rabin oblivious transfer, the sender Alice holds a bit, and the receiver Bob either obtains the bit, or obtains no information with probability p ?. Alice should not know whether or not Bob obtained the bit. We examine a quantum Rabin oblivious transfer protocol that uses two pure states. Investigating different cheating scenarios for the sender and for the receiver, we determine optimal cheating probabilities in each case. Comparing the quantum Rabin oblivious transfer protocol to classical Rabin oblivious transfer protocols, we show that the quantum protocol outperforms classical protocols which do not use a third party, for some values of p ? .

We study the question of designing leakage-resilient secure computation protocols. Our model is that of only computation leaks information with a leak-free input encoding phase. In more detail, we assume an offline phase called the input encoding phase in which each party encodes its input in a specified format. This phase is assumed to be free of any leakage and may or may not depend upon the function that needs to be jointly computed by the parties. Then finally, we have a secure computation phase in which the parties exchange messages with each other. In this phase, the adversary gets access to a leakage oracle which allows it to download a function of the computation transcript produced by an honest party to compute the next outgoing message. We present two main constructions of secure computation protocols in the above model. Our first construction is based only on the existence of (semi-honest) oblivious transfer. This construction employs an encoding phase which is dependent of the function to be computed (and the size of the encoded input is dependent on the size of the circuit of the function to be computed). Our second construction has an input encoding phase independent of the function to be computed. Hence in this construction, the parties can simple encode their input and store it as soon as it is received and then later on run secure computation for any function of their choice. Both of the above constructions, tolerate complete leakage in the secure computation phase. Our second construction (with a function independent input encoding phase) makes use of a fully homomorphic encryption scheme. A natural question that arises is "can a leakage-resilient secure computation protocol with function independent input encoding be based on simpler and weaker primitives?". Towards that end, we show that any such construction would imply a secure two-party computation protocol with sub-linear communication complexity (in fact, communication complexity independent of the size of the function being computed). Finally, we also show how to extend our constructions for the continual leakage case where there is: a one time leak-free input encoding phase, a leaky secure computation phase which could be run multiple times for different functionalities (but the same input vector), and, a leaky refresh phase after each secure computation phase where the input is "re-encoded". Work done in part while visiting Microsoft Research, India.

The noisy-storage model of quantum cryptography allows for information-theoretically secure two-party computation based on the assumption that a cheating user has at most access to an imperfect, noisy quantum memory, whereas the honest users do not need a quantum memory at all. In general, the more noisy the quantum memory of the cheating user, the more secure the implementation of oblivious transfer, which is a primitive that allows universal secure two-party and multi-party computation. For experimental implementations of oblivious transfer, one has to consider that also the devices held by the honest users are lossy and noisy, and error correction needs to be applied to correct these trusted errors. The latter are expected to reduce the security of the protocol, since a cheating user may hide themselves in the trusted noise. Here we leverage entropic uncertainty relations to derive tight bounds on the security of oblivious transfer with a trusted and untrusted noise. In particular, we discuss noisy storage and bounded storage, with independent and correlated noise.

In the well-studied cryptographic primitive 1-out-of-Noblivious transfer, a user retrieves a single element from a database of sizeNwithout the database learning which element was retrieved. While it has previously been shown that a secure implementation of 1-out-of-Noblivious transfer is impossible against arbitrarily powerful adversaries, recent research has revealed an interesting class of private query protocols based on quantum mechanics in a cheat sensitive model. Specifically, a practical protocol does not need to guarantee that the database provider cannot learn what element was retrieved if doing so carries the risk of detection. The latter is sufficient motivation to keep a database provider honest. However, none of the previously proposed protocols could cope with noisy channels. Here we present a fault-tolerant private query protocol, in which the novel error correction procedure is integral to the security of the protocol. Furthermore, we present a proof-of-concept demo...

Title of dissertation: ON THE MODEL THEORY OF RANDOM GRAPHS Justin Brody, Doctor of Philosophy, 2009 Dissertation directed by: Professor Michael C. Laskowski Department of Mathematics Hrushovski’s amalgamation construction can be used to join a collection of finite graphs to produce a “generic” of this collection. The choice of the collection and the way they are joined are determined by a real-valued parameter α. Classical results have shown that for α irrational in (0, 1), the model theory of the resulting structure is very well-behaved. This dissertation examines analogous constructions for rational r. Depending on the way in which the parameter’s control of the construction is defined, the model theory of the resulting generic will be either very well-behaved or very wild. We characterize when each of these situations occurs. ON THE MODEL THEORY OF RANDOM GRAPHS

Hrushovski's amalgamation construction can be used to join a collection of finite graphs to produce a "generic" of this collection. The choice of the collection and the way they are joined are determined by a real-valued parameter α. Classical results have shown that for α irrational in (0, 1), the model theory of the resulting structure is very well-behaved. This dissertation examines analogous constructions for rational r. Depending on the way in which the parameter's control of the construction is defined, the model theory of the resulting generic will be either very well-behaved or very wild. We characterize when each of these situations occurs.

The no-go theorem regarding unconditionally secure Quantum Bit Commitment protocols is a relevant result in quantum cryptography. Such result has been used to prove the impossibility of unconditional security for other protocols, such as Quantum Oblivious Transfer or One-Sided Two Party Computation. In this paper, we formally define two non-deterministic versions of Quantum Private Queries, a protocol addressing the Symmetric-Private Information Retrieval problem. We show that the strongest variant of such scheme is formally equivalent to Quantum Bit Commitment, Quantum Oblivious Transfer and One-Sided Two Party Computation protocols. This equivalence serves as conclusive evidence of the impracticality of achieving unconditionally secure Strong Probabilistic Quantum Private Queries.

This article describes a polynomial attack on the new multilinear map over the integers presented by Coron, Lepoint and Tibouchi at Crypto 2015 (CLT15). This version is a fix of the first multilinear map over the integers presented by the same authors at Crypto 2013 (CLT13) and broken by Cheon et al. at Eurocrypt 2015. The attack essentially downgrades CLT15 to its original version CLT13, and leads to a full break of the multilinear map for virtually all applications. In addition to the main attack, we present an alternate probabilistic attack underpinned by a different technique, as well as an instant-time attack on the optimized variant of the scheme.

To prevent illegal users accessing the database and protect users' privacy, oblivious transfer with access control (AC-OT) was proposed. In an AC-OT scheme, the database provider can encrypt the records and publish corresponding access control lists (ACLs). Prior to accessing the records, a user needs to obtain anonymous credentials from the issuer. Subsequently, an authorized user can obtain the intended records without the database provider knowing its choices. Although AC-OT schemes have shown a lot of merits, there are some practical issues: (1) One of the inherited problems in anonymous credentials is timely revocation; (2) how to prevent malicious users overusing the records. In this paper, we propose an accountable AC-OT (AAC-OT) scheme to address these issues. In our scheme, an authorized user can access the protected records without the database provider knowing his personal information and choices if (1) he has obtained the required credentials listed in the ACLs; (2) the number of the access times for each record is no more than the specified bound. Notably, the database provider can trace and revoke the user who overused the records even in the lifetime of his credentials. To the best of our knowledge, it is the first AC-OT scheme where timely revocation and overuse detection are considered.

We describe a probabilistic polynomial-time process calculus for analyzing cryptographic protocols and use it to derive compositionality properties of protocols in the presence of computationally bounded adversaries. We illustrate these concepts on oblivious transfer, an example from cryptography. We also compare our approach with a framework based on interactive Turing machines.

Post-quantum cryptography (PQC) is a trend that has a deserved NIST status, and which aims to be resistant to quantum computers attacks like Shor and Grover algorithms. In this paper, we propose a method for designing post-quantum provable IND-CPA/IND-CCA2 public key cryptosystems based on polynomials over a non-commutative algebraic extension ring. The key ideas of our proposal is that (a) for a given non-commutative ring of rank-3 tensors, we can define polynomials and take them as the underlying work structure (b) we replace all numeric field arithmetic with GF(2 8) field operations. By doing so, it is easy to implement Rpropped Diffie-Helman-like key exchange protocol and consequently ElGamal-like cryptosystems. Here R stands for Rijndael as we work over the AES field. This approach yields secure post-quantum protocols since the resulting multiplicative monoid is immune against quantum algorithms and resist classical linearization attacks like Tsaban's Algebraic Span or Roman'kov. The protocols have been proved to be semantically secure. Finally, we present numerical examples of the proposed R-Propped protocols.

Radio Frequency Identification (RFID) is a technology for automatic object identification that has been implemented in several real-life applications. In this work, we expand a novel relevant application of RFID tags for grocery stores, which aims to check the adequacy of food items with respect to the shoppers' personal preferences. Unlike similar works, we focus on shoppers' privacy and running time efficiency. For this aim, we propose a novel private set intersection (PSI) protocol to be used in matching the shoppers' personal preferences with the set of each item's adequate profiles that are held by the back-end server of the store. We provide a standard security proof against curious stores and malicious customers. For efficiency concern, we build our protocol without cryptographic operations, and we achieve a linear asymptotic complexity of O(v + c) for communications and store-side computations, where v and c are the numbers of profiles in the store's back-end server and the shopper's list of preferences respectively. Moreover, experimental results and comparisons with state-of-the art solutions reveal the scalability of our novel PSI protocol for big market stores.

Private Set Intersection (PSI) is a fundamental multi-party computation primitive used to secure many political, commercial, and social applications. PSI allows mistrustful parties to compute the intersection of their private sets without leaking additional information. PSI protocols has been largely proposed for both the semi-honest and the malicious settings. Nevertheless, the semi-honest setting does not suffice in many realistic scenarios and security in the malicious setting is built upon cryptographic schemes, which require hard assumptions and induce a high computational cost. In this work, we propose a novel twoparty PSI protocol secure under the mixed model, where the server may be semi-honest and the client may be malicious. We build our protocol upon matrix algebra without using any cryptographic schemes or nonstandard assumptions and we provide simulation-based security proof. Our protocol achieves a linear asymptotic complexity O(kv + kc) for communications and server computations, where kv and kc are sizes of participating parties' sets. Besides, we compare empirical performance of our solution to the insecure hashing solution used in practice. Experimental results reveal efficiency and scalability of our new PSI protocol, which makes it adequate for Big Data analytics.

Private Set Intersection (PSI) is a fundamental multi-party computation primitive used to secure many political, commercial, and social applications. PSI allows mistrustful parties to compute the intersection of their private sets without leaking additional information. PSI protocols has been largely proposed for both the semi-honest and the malicious settings. Nevertheless, the semi-honest setting does not suffice in many realistic scenarios and security in the malicious setting is built upon cryptographic schemes, which require hard assumptions and induce a high computational cost. In this work, we propose a novel twoparty PSI protocol secure under the mixed model, where the server may be semi-honest and the client may be malicious. We build our protocol upon matrix algebra without using any cryptographic schemes or nonstandard assumptions and we provide simulation-based security proof. Our protocol achieves a linear asymptotic complexity O(kv + kc) for communications and server computations, where kv and kc are sizes of participating parties' sets. Besides, we compare empirical performance of our solution to the insecure hashing solution used in practice. Experimental results reveal efficiency and scalability of our new PSI protocol, which makes it adequate for Big Data analytics.

Oblivious Transfer (OT) is a primitive of asymmetrically distributing information between users, proposed to build Secure Computations. In this letter, we propose an informationtheoretical variant of OT that requires weak assumptions and can be therefore more easily implemented with transmission media. We show then that One-out-of-two Oblivious Transfer (O-OT), the central version of OT, can be reduced to this Weak OT (WOT) with arbitrary small loss of security, i.e. secure O-OT can be realised from our WOT.

A simple method to produce a random order type is to take the order type of a random point set. We conjecture that many probability distributions on order types defined in this way are heavily concentrated and therefore sample inefficiently the space of order types. We present two results on this question. First, we study experimentally the bias in the order types of $n$ random points chosen uniformly and independently in a square, for $n$ up to $16$. Second, we study algorithms for determining the order type of a point set in terms of the number of coordinate bits they require to know. We give an algorithm that requires on average $4n \log_2 n+O(n)$ bits to determine the order type of $P$, and show that any algorithm requires at least $4n \log_2 n - O(n \log\log n)$ bits. This implies that the concentration conjecture cannot be proven by an ``efficient encoding'' argument.

Secure Multi-Party Computation (SMPC) enables parties to compute a public function over private inputs. A classical example is the millionaires problem, where two millionaires want to figure out who is wealthier without revealing their actual wealth to each other. The insight gained from the secure computation is nothing more than what is revealed by the output (in this case, who was wealthier but not the actual value of the wealth). Other applications of secure computation include secure voting, on-line bidding and privacy-preserving cloud computations, to name a few. Technological advancements are making secure computations practical, and recent optimizations have made dramatic improvements on their performance. However, there is still a need for effective tools that facilitate the development of SMPC applications using standard and familiar programming languages and techniques, without requiring the involvement of security experts with special training and background. This work addresses the latter problem by enabling SMPC application development through programs (or repurposing existing code) written in a standard programming language such as ANSI C. Several high-level language (HLL) platforms have been proposed to enable secure computation such as Obliv-C [1], ObliVM [2] and Frigate [3] These platforms utilize a variation of Yao's garbled circuits [4] in order to evaluate the program securely. The source code written for these frameworks is then converted into a lower-level intermediate language that utilizes garbled circuits for program evaluation. Garbled Circuits have one party (garbler) who compiles the program that the other party (evaluator) runs, and the communication between the two parties happens through oblivious transfer. Garbled circuits allow two parties to do this evaluation without a need for a

Secure Multi-Party Computation (SMPC) enables parties to compute a public function over private inputs. A classical example is the millionaires problem, where two millionaires want to figure out who is wealthier without revealing their actual wealth to each other. The insight gained from the secure computation is nothing more than what is revealed by the output (in this case, who was wealthier but not the actual value of the wealth). Other applications of secure computation include secure voting, on-line bidding and privacy-preserving cloud computations, to name a few. Technological advancements are making secure computations practical, and recent optimizations have made dramatic improvements on their performance. However, there is still a need for effective tools that facilitate the development of SMPC applications using standard and familiar programming languages and techniques, without requiring the involvement of security experts with special training and background. This work addresses the latter problem by enabling SMPC application development through programs (or repurposing existing code) written in a standard programming language such as ANSI C. Several high-level language (HLL) platforms have been proposed to enable secure computation such as Obliv-C [1], ObliVM [2] and Frigate [3] These platforms utilize a variation of Yao's garbled circuits [4] in order to evaluate the program securely. The source code written for these frameworks is then converted into a lower-level intermediate language that utilizes garbled circuits for program evaluation. Garbled Circuits have one party (garbler) who compiles the program that the other party (evaluator) runs, and the communication between the two parties happens through oblivious transfer. Garbled circuits allow two parties to do this evaluation without a need for a

Secure multiparty computation (MPC) has been repeatedly optimized, and protocols with two communication rounds and strong security guarantees have been achieved. While progress has been made constructing non-interactive protocols with just one-round of online communication (i.e., non-interactive MPC or NI-MPC), since correct evaluation must be guaranteed with only one round, these protocols are by their nature vulnerable to the residual function attack in the standard model. This is because a party that receives a garbled circuit may repeatedly evaluate the circuit locally, while varying their own inputs and fixing the inputs of others to learn the values entered by other participants. We present the first MPC protocol with a one-round online phase that is secure against the residual function attack. We also present rigorous proofs of correctness and security in the covert adversary model, a reduction of the malicious model that is stronger than the semi-honest model and better suited for modeling the behaviour of parties in the real world, for our protocol. Furthermore, we rigorously analyze the communication and computational complexity of current state of the art protocols which require two rounds of communication or one round during the online-phase with a reduced security requirement, and demonstrate that our protocol is comparable to or outperforms their complexity.

We propose simple, realistic protocols for polling that allow the responder to plausibly repudiate his response, while at the same time allow accurate statistical analysis of poll results. The protocols use simple physical objects (envelopes or scratch-off cards) and can be performed without the aid of computers. One of the main innovations of this work is the use of techniques from theoretical cryptography to rigorously prove the security of a realistic, physical protocol. We show that, given a few properties of physical envelopes, the protocols are unconditionally secure in the universal composability framework.

Oblivious Transfer (OT) is a primitive of asymmetrically distributing information between users, proposed to build Secure Computations. In this letter, we propose an informationtheoretical variant of OT that requires weak assumptions and can be therefore more easily implemented with transmission media. We show then that One-out-of-two Oblivious Transfer (O-OT), the central version of OT, can be reduced to this Weak OT (WOT) with arbitrary small loss of security, i.e. secure O-OT can be realised from our WOT.

Research on security in the domain of wireless has an active area. Wireless security study uses cryptographic tools. The major problem with these tolls, they based on computational assumptions, which may not be usable in the future. Hence there is requirement to make tools which are not dependable on assumptions. There is a tool known as 1-out-of-2 oblivious transfer tool which plays a major role in cryptography & can build a cryptographic protocol for any polynomial-time computable function which does not depend on any computational assumption. Privacy preserving password verification and private communication are applications. This protocol fully implemented on wireless devices and conducted experiments in real environments.

We study the problem of pliable private information retrieval with side information (PPIR-SI) for the single server case. In PPIR, the messages are partitioned into nonoverlapping classes and stored in a number of noncolluding databases. The user wishes to retrieve any one message from a desired class while revealing no information about the desired class identity to the databases. In PPIR-SI, the user has prior access to some side information in the form of messages from different classes and wishes to retrieve any one new message from a desired class, i.e., the message is not included in the side information set, while revealing no information about the desired class to the databases. We characterize the capacity of (linear) single-server PPIR-SI for the case where the user's side information is unidentified, i.e., the user is oblivious of the identities of its side information messages and the database structure. We term this case PPIR-USI. Surprisingly, we show that having side information, in PPIR-USI, is disadvantageous, in terms of the download rate, compared to PPIR.

The main security service in the connected world of cyber physical systems necessitates to authenticate a large number of nodes privately. In this paper, the private authentication problem is considered, that consists of a certificate authority, a verifier, many legitimate users (prover) and any arbitrary number of illegitimate users. Each legitimate user wants to be authenticated (using his personal key) by the verifier, while simultaneously wants to stay completely anonymous (even to the verifier and the CA). On the other hand, an illegitimate user must fail to authenticate himself. We analyze this problem from an information theoretical perspective. First, we propose a general interactive information-theoretic model for the problem. As a metric to measure the reliability, we consider the authentication key rate whose rate maximization has a trade-off with establishing privacy. Then, we analyze the problem in two different regimes: finite size regime (i.e., the variables are elements of a finite field) and asymptotic regime (i.e., the variables are considered to have large enough length). For both regimes, we propose schemes that satisfy the completeness, soundness and privacy properties. In finite size regime, the idea is to generate the authentication keys according to a secret sharing scheme. In asymptotic regime, we use a random binning based scheme which relies on the joint typicality to generate the authentication keys. Moreover, providing the converse proof, we show that our scheme achieves capacity in the asymptotic regime. For finite size regime our scheme achieves capacity for large field size.

We propose an efficient Key-policy Attribute-based Encryption (KP-ABE) scheme for general (monotone) Boolean circuits based on secret sharing and on a very particular and simple form of leveled multilinear maps, called chained multilinear maps. The number of decryption key components is substantially reduced in comparison with the scheme in [6], and the size of the multilinear map (in terms of bilinear map components) is less than the Boolean circuit depth, while it is quadratic in the Boolean circuit depth for the scheme in [6]. Moreover, it is much easier to find chained multilinear maps than leveled multilinear maps. Selective security of the proposed schemes in the standard model is proved, under the decisional multilinear Diffie-Hellman assumption.