References

[1] G. Aggarwal, N. Mishra and B. Pinkas. Secure Computation of the k’th-ranked Element. In EUROCRYPT’04, Springer-Verlag (LNCS 3027), pages 40–55, 2004.

[2] W. Aiello, Y. Ishai and O. Reingold. Priced Oblivious Transfer: How to Sell Digital Goods. In EUROCRYPT’01, Springer-Verlag (LNCS 2045), pages 110–135, 2001.

[3] Y. Aumann and Y. Lindell. Security Against Covert Adversaries: Efficient Protocols for Realistic Adversaries. In 4th TCC, Springer-Verlag (LNCS 4392), pages 137–156, 2007.

[4] D. Beaver. Multiparty Protocols Tolerating Half Faulty Processors. In CRYPTO’89, Springer-Verlag (LNCS 435), pages 560–572, 1990.

[5] D. Beaver. Foundations of Secure Interactive Computing. In CRYPTO’91, Springer-Verlag (LNCS 576), pages 377–391, 1991.

[6] D. Beaver and S. Goldwasser. Multiparty Computation with Faulty Majority. In 30th FOCS, pages 468–473, 1989.

[7] M. Bellare and O. Goldreich. On Defining Proofs of Knowledge. In CRYPTO’92, Springer-Verlag (LNCS 740), pages 390–420, 1992.

[8] M. Bellare and O. Goldreich. On Probabilistic Versus Deterministic Provers in the Definition of Proofs of Knowledge. Manuscript, 2006.

[9] M. Ben-Or, S. Goldwasser and A. Wigderson. Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computations. In 20th STOC, pages 1–10, 1988.

[10] R.S. Boyer and J.S. Moore. A Fast String Searching Algorithm. Communications of the Association for Computing Machinery, 20:762–772, 1977.

[11] R. Canetti. Security and Composition of Multiparty Cryptographic Protocols. Journal of Cryptology, 13(1):143–202, 2000.

[12] R. Canetti. Universally Composable Security: A New Paradigm for Cryptographic Protocols. In 42nd FOCS, pages 136–145, 2001.

C. Hazay, Y. Lindell, Efficient Secure Two-Party Protocols, Information Security and Cryptography, DOI 10.1007/978-3-642-14303-8, © Springer-Verlag Berlin Heidelberg 2010

[13] R. Canetti and A. Herzberg. Maintaining Security in the Presence of Transient Faults. In CRYPTO’94, Springer-Verlag (LNCS 839), pages 425–438, 1994.

[14] R. Canetti, E. Kushilevitz and Y. Lindell. On the Limitations of Universal Composable Two-Party Computation Without Set-Up Assumptions. Journal of Cryptology, 19(2):135–167, 2006.

[15] D. Chaum, C. Crepeau and I. Damgard. Multiparty Unconditionally Secure Protocols. In 20th STOC, pages 11–19, 1988.

[16] B. Chor, N. Gilboa and M. Naor. Private Information Retrieval by Keywords. Technical Report TR-CS0917, Department of Computer Science, Technion, 1997.

[17] R. Cleve. Limits on the Security of Coin Flips When Half the Processors Are Faulty. In 18th STOC, pages 364–369, 1986.

[18] R. Cramer and I. Damgard. On the Amortized Complexity of Zero-Knowledge Protocols. In CRYPTO’09, Springer-Verlag (LNCS 5677), pages 177–191, 2009.

[19] R. Cramer, I. Damgard and B. Schoenmakers. Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. In CRYPTO’94, Springer-Verlag (LNCS 839), pages 174–187, 1994.

[20] I. Damgard. On Σ Protocols. http://www.daimi.au.dk/~ivan/Sigma.pdf.

[21] I. Damgard, T. P. Pedersen and B. Pfitzmann. On the Existence of Statistically Hiding Bit Commitment Schemes and Fail-Stop Signatures. In CRYPTO’93, Springer-Verlag (LNCS 773), pages 250–265, 1994.

[22] I. Damgard and T. Toft. Trading Sugar Beet Quotas – Secure Multiparty Computation in Practice. ERCIM News 2008(73), 2008.

[23] C. Dwork, M. Naor and O. Reingold. Immunizing Encryption Schemes from Decryption Errors. In EUROCRYPT’04, Springer-Verlag (LNCS 3027), pages 342–360, 2004.

[24] T. El-Gamal. A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In CRYPTO’84, Springer-Verlag (LNCS 196), pages 10–18, 1984.

[25] S. Even, O. Goldreich and A. Lempel. A Randomized Protocol for Signing Contracts. Communications of the ACM, 28(6):637–647, 1985.

[26] U. Feige and A. Shamir. Zero Knowledge Proofs of Knowledge in Two Rounds. In CRYPTO’89, Springer-Verlag (LNCS 435), pages 526–544, 1989.

[27] U. Feige and A. Shamir. Witness Indistinguishability and Witness Hiding Protocols. In 22nd STOC, pages 416–426, 1990.

[28] M. J. Freedman, Y. Ishai, B. Pinkas and O. Reingold. Keyword Search and Oblivious Pseudorandom Functions. In 2nd TCC, Springer-Verlag (LNCS 3378), pages 303–324, 2005.

[29] Z. Galil, S. Haber and M. Yung. Cryptographic Computation: Secure Fault-Tolerant Protocols and the Public Key Model. In CRYPTO’87, Springer-Verlag (LNCS 293), pages 135–155, 1987.

[30] O. Goldreich. Foundations of Cryptography: Volume 1 – Basic Tools. Cambridge University Press, 2001.

[31] O. Goldreich. Concurrent Zero-Knowledge with Timing, Revisited. In 34th STOC, pages 332–340, 2002.

[32] O. Goldreich. Foundations of Cryptography: Volume 2 – Basic Applications. Cambridge University Press, 2004.

[33] O. Goldreich. On Expected Probabilistic Polynomial-Time Adversaries: A Suggestion for Restricted Definitions and Their Benefits. In 4th TCC, Springer-Verlag (LNCS 4392), pages 174–193, 2007.

[34] O. Goldreich and A. Kahan. How to Construct Constant-Round Zero-Knowledge Proof Systems for NP. Journal of Cryptology, 9(3):167–190, 1996.

[35] O. Goldreich, S. Micali and A. Wigderson. How to Play Any Mental Game – A Completeness Theorem for Protocols with Honest Majority. In 19th STOC, pages 218–229, 1987.

[36] O. Goldreich, S. Micali and A. Wigderson. How to Prove all NP-Statements in Zero-Knowledge, and a Methodology of Cryptographic Protocol Design. In CRYPTO’86, Springer-Verlag (LNCS 263), pages 171–185, 1986.

[37] S. Goldwasser and L. Levin. Fair Computation of General Functions in Presence of Immoral Majority. In CRYPTO’90, Springer-Verlag (LNCS 537), pages 77–93, 1990.

[38] S. Goldwasser, S. Micali and R. L. Rivest. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM Journal on Computing, 17(2):281–308, 1988.

[39] S. D. Gordon, C. Hazay, J. Katz and Y. Lindell. Complete Fairness in Secure Two-Party Computation. In 40th STOC, pages 413–422, 2008.

[40] S. D. Gordon and J. Katz. Partial Fairness in Secure Two-Party Computation. In EUROCRYPT’10, Springer-Verlag (LNCS 6110), 2010.

[41] S. Halevi and S. Micali. Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing. In CRYPTO’96, Springer-Verlag (LNCS 1109), pages 201–215, 1996.

[42] S. Halevi and Y. Tauman-Kalai. Smooth Projective Hashing and Two-Message Oblivious Transfer. Cryptology ePrint Archive, Report 2007/118, 2007.

[43] S. Har-Peled. Lecture Notes on Approximation Algorithms in Geometry, Chapter 27, Exercise 27.5.3, 2010. Currently found at http://valis.cs.uiuc.edu/~sariel/teach/notes/aprx/.

[44] C. Hazay and Y. Lindell. Constructions of Truly Practical Secure Protocols Using Standard Smartcards. In ACM CCS, pages 491–500, 2008.

[45] Y. Ishai. Personal Communication, 2004.

[46] Y. Ishai, M. Prabhakaran and A. Sahai. Founding Cryptography on Oblivious Transfer – Efficiently. In CRYPTO’08, Springer-Verlag (LNCS 5157), pages 572–591, 2008.

[47] S. Jarecki and V. Shmatikov. Efficient Two-Party Secure Computation on Committed Inputs. In EUROCRYPT’07, Springer-Verlag (LNCS 4515), pages 97–114, 2007.

[48] J. Katz and Y. Lindell. Handling Expected Polynomial-Time Strategies in Simulation-Based Proofs. Journal of Cryptology, 21(3):303–349, 2008.

[49] J. Katz and Y. Lindell. Introduction to Modern Cryptography. Chapman and Hall/CRC Press, 2007.

[50] J. Katz, R. Ostrovsky and A. Smith. Round Efficiency of Multi-party Computation with a Dishonest Majority. In EUROCRYPT’03, Springer-Verlag (LNCS 2656), pages 578–595, 2003.

[51] J. Katz and R. Ostrovsky. Round-Optimal Secure Two-Party Computation. In CRYPTO’04, Springer-Verlag (LNCS 3152), pages 335–354, 2004.

[52] J. Kilian. Improved Efficient Arguments. In CRYPTO’95, Springer-Verlag (LNCS 963), pages 311–324, 1995.

[53] D. E. Knuth, J. H. Morris and V. R. Pratt. Fast Pattern Matching in Strings. SIAM Journal on Computing, 6(2):323–350, 1977.

[54] Y. Lindell. Composition of Secure Multi-party Protocols – A Comprehensive Study. Lecture Notes in Computer Science Vol. 2815, Springer-Verlag, 2003.

[55] Y. Lindell and B. Pinkas. An Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries. In EUROCRYPT’07, Springer-Verlag (LNCS 4515), pages 52–78, 2007.

[56] Y. Lindell and B. Pinkas. A Proof of Security of Yao’s Protocol for Two-Party Computation. Journal of Cryptology, 22(2):161–188, 2009.

[57] Y. Lindell and B. Pinkas. Secure Two-Party Computation via Cut-and-Choose Oblivious Transfer. Manuscript, 2010.

[58] Y. Lindell, B. Pinkas and N. Smart. Implementing Two-Party Computation Efficiently with Security Against Malicious Adversaries. In Conference on Security and Cryptography for Networks, pages 2–20, 2008.

[59] S. Micali and P. Rogaway. Secure Computation. Unpublished manuscript, 1992. Preliminary version in CRYPTO’91, Springer-Verlag (LNCS 576), pages 392–404, 1991.

[60] M. Naor. Bit Commitment Using Pseudorandomness. Journal of Cryptology, 4(2):151–158, 1991.

[61] M. Naor and K. Nissim. Communication Preserving Protocols for Secure Function Evaluation. In 33rd STOC, pages 590–599, 2001.

[62] M. Naor and B. Pinkas. Efficient Oblivious Transfer Protocols. In 12th SODA, pages 448–457, 2001.

[63] M. Naor, B. Pinkas and R. Sumner. Privacy Preserving Auctions and Mechanism Design. In the ACM Conference on Electronic Commerce, pages 129–139, 1999.

[64] M. Naor and O. Reingold. Number-Theoretic Constructions of Efficient Pseudo-Random Functions. In 38th FOCS, pages 231–262, 1997.

[65] J. B. Nielsen and C. Orlandi. LEGO for Two-Party Secure Computation. In 6th TCC, Springer-Verlag (LNCS 5444), pages 368–386, 2009.

[66] C. Orlandi. Personal communication, 2010.

[67] R. Ostrovsky and M. Yung. How to Withstand Mobile Virus Attacks. In 10th PODC, pages 51–59, 1991.

[68] P. Paillier. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In EUROCRYPT’99, Springer-Verlag (LNCS 1592), pages 223–238, 1999.

[69] T. P. Pedersen. Non-interactive and Information-Theoretic Secure Verifiable Secret Sharing. In CRYPTO’91, Springer-Verlag (LNCS 576), pages 129–140, 1991.

[70] C. Peikert, V. Vaikuntanathan and B. Waters. A Framework for Efficient and Composable Oblivious Transfer. In CRYPTO’08, Springer-Verlag (LNCS 5157), pages 554–571, 2008.

[71] B. Pinkas, T. Schneider, N. P. Smart and S. C. Williams. Secure Two-Party Computation Is Practical. In ASIACRYPT 2009, Springer-Verlag (LNCS 5912), pages 250–267, 2009.

[72] M. Rabin. How to Exchange Secrets by Oblivious Transfer. Tech. Memo TR-81, Aiken Computation Laboratory, Harvard University, 1981.

[73] T. Rabin and M. Ben-Or. Verifiable Secret Sharing and Multi-party Protocols with Honest Majority. In 21st STOC, pages 73–85, 1989.

[74] M. Rodeh. Finding the Median Distributively. Journal of Computer and System Sciences, 24(2):162–166, 1982.

[75] C. P. Schnorr. Efficient Identification and Signatures for Smart Cards. In CRYPTO’89, Springer-Verlag (LNCS 435), pages 239–252, 1989.

[76] M. Witteman. Advances in Smartcard Security. In Information Security Bulletin, pages 11–22, July 2002.

[77] A. Yao. How to Generate and Exchange Secrets. In 27th FOCS, pages 162–167, 1986.

Index

A

adversary

adaptive 7

malicious 8

semi-honest 8

static 7

augmented semi-honest adversary 22, 28–29, 36–37

C

commitment scheme 163

Σ-protocol 173–175

Pedersen’s commitment 163–164, 166

perfectly hiding 163

trapdoor commitment 165–166, 175

committed pseudorandom permutation functionality 228

smartcards 242–248

computational indistinguishability 19

covert adversary 30–35

cut and choose 81

D

deterministic functionalities 39

double encryption

security 58–59

E

efficiency measures 78–80

encryption scheme

double-encryption security 58–59

efficiently verifiable range 57

elusive range 57

enhanced trapdoor permutation 61

Euclidean algorithm 185

F

fairness 5, 7, 35

G

garbled circuit

construction 63–66

description 53–55

GMW 11–13

malicious adversaries 11–12

semi-honest adversaries 11

H

hard relations 173

and commitments 174

homomorphic encryption 109–110

efficiently recognizable public keys 119

efficiently verifiable 183, 185

oblivious transfer (covert) 111–118

oblivious transfer (privacy only)182–185

hybrid model 47–49

I

ideal ZKPOK functionality 167

ideal/real paradigm 14

independence of inputs 6

indexed PRF evaluation

one-sided simulation 249–252

K

kth element functionality 213


M

malicious adversary 36, 40

median protocol

malicious adversaries 221–226

semi-honest adversaries 218–220

modular sequential composition 46–49

covert adversaries 48–49

hybrid model 47

malicious adversaries 48

O

oblivious transfer 211

batch 120, 196–200, 202, 212

covert 109–119

enhanced trapdoor permutation 61–62

full simulation 188–196, 201–202

homomorphic encryption 109–119

one-sided simulation 185–187

privacy only

based on DDH 178–182

based on homomorphic encryption

182–185

batch 205–206

security definition

privacy only 43–45

semi-honest 61–62

string oblivious transfer 119

one-sided simulation

indexed PRF evaluation 249–252

oblivious transfer 185–187

pseudorandom function evaluation 212

secure text search 252–254

security definition 45–46

P

pairwise-independent hash function 41

privacy 5, 14, 212

privacy only

batch oblivious transfer 205–206

oblivious transfer

DDH 178–182

homomorphic encryption 182–185

pseudorandom function evaluation 203–209

security definition 42–43

proof of knowledge 153–154

Σ-protocol 154–158

pseudorandom function evaluation

batch 212–213

covert 211–212

full simulation 209–211

functionality 203

indexed PRF evaluation 249

one-sided simulation 212

privacy only 203–209

pseudorandom functions 202

the Naor-Reingold function 203

R

reactive functionalities 25–26, 41–42

malicious adversaries 42

semi-honest adversaries 42

S

secure search

database search 227, 229–238

database search basic functionality 231

database search full functionality 237

document search 228, 238–242

document search functionality 239

text search 228, 248–254

text search functionality 248

security definition

augmented semi-honest adversaries 22

covert adversaries 30–35

cheating versus aborting 35

detection accuracy 35

covert versus other models 36–38

ideal/real paradigm 6

malicious adversaries 23–25

malicious versus semi-honest 26–29

motivation 4–7

one-sided simulation 45–46

privacy only 42–43

oblivious transfer 43–45

reactive functionalities 25–26

relaxation

covert adversaries 14

one-sided simulation 14

privacy only 14

semi-honest adversaries 20–22

semi-honest adversary 36

sequential composition 46–49

covert adversaries 48–49

hybrid model 47

malicious adversaries 48

Σ-protocol 147–175

and proof of knowledge 154–158

constructing commitment schemes 173–175

constructing zero-knowledge 161–164

constructing zero-knowledge proof of knowledge 164–166


error reduction 152

for Diffie-Hellman Tuples 152

for discrete log 148

parallel repetition 152

proving compound statements 158–160

the ideal ZKPOK functionality 167–173

single-output functionalities 39–41

malicious adversaries 40–41

semi-honest adversaries 40

smartcards 243–246

committed pseudorandom permutation functionality 242–248

T

trapdoor commitment 165

Y

Yao’s protocol 53–56

Z

zero-knowledge

for Diffie-Hellman Tuples 152

for discrete log 148

Σ-protocol 161–164

zero-knowledge proof of knowledge

Σ-protocol 164–166

the ideal ZKPOK functionality

167–173