
Computing the distance distribution of systematic non-linear codes [article]

Eleonora Guerrini, Emmanuela Orsini, Massimiliano Sala
2009 arXiv   pre-print
The most important families of non-linear codes are systematic. A brute-force check is the only known method to compute their weight distribution and distance distribution. On the other hand, it outputs also all closest word pairs in the code. In the black-box complexity model, the check is optimal among closest-pair algorithms. In this paper we provide a Groebner basis technique to compute the weight/distance distribution of any systematic non-linear code. Also our technique outputs all closest word pairs. Unlike the check, our method can be extended to work on code families.
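As an added illustration of the brute-force check the abstract refers to (my own code, not the paper's Groebner basis method), the block below builds two small systematic codes of the form (x, f(x)) over F_2, one with a nonlinear map f and one with a linear f, computes their weight distribution, their distance distribution and all closest word pairs by exhaustive pairwise comparison, and shows the point that makes the nonlinear case harder: for the nonlinear code the distance distribution and the weight distribution differ, while for the linear code they coincide. Both maps are constructed for the example.

```python
from collections import Counter
from itertools import combinations, product

def systematic_code(k, f):
    # A systematic code: the first k bits of every word are the information bits x,
    # the remaining bits are f(x). f need not be linear.
    return [tuple(x) + tuple(f(x)) for x in product((0, 1), repeat=k)]

def hamming(u, v):
    return sum(a != b for a, b in zip(u, v))

def weight_distribution(code):
    # number of codewords of each Hamming weight
    return dict(Counter(sum(w) for w in code))

def distance_distribution(code):
    # Brute-force check over all unordered pairs. Returns the distance distribution
    # A_d = (number of ordered pairs at distance d) / |C| (with A_0 = 1), the minimum
    # distance, and the list of all closest word pairs.
    M = len(code)
    counts = Counter()
    dmin, closest = None, []
    for u, v in combinations(code, 2):
        d = hamming(u, v)
        counts[d] += 1
        if dmin is None or d < dmin:
            dmin, closest = d, [(u, v)]
        elif d == dmin:
            closest.append((u, v))
    dist = {d: 2 * c / M for d, c in counts.items()}
    dist[0] = 1.0
    return dist, dmin, closest

def is_distance_invariant(code):
    # For linear codes the distance distribution equals the weight distribution;
    # for nonlinear codes this generally fails, which is why both must be computed.
    return distance_distribution(code)[0] == {d: float(c) for d, c in weight_distribution(code).items()}

def f_nonlinear(x):
    # constructed example: two check bits, the second contains a product term
    x1, x2, x3 = x
    return (x1 ^ x2 ^ x3, (x1 & x2) ^ x3)

def f_linear(x):
    # constructed example: two linear check bits (a [5,3] linear code)
    x1, x2, x3 = x
    return (x1 ^ x2 ^ x3, x2 ^ x3)

NONLINEAR = systematic_code(3, f_nonlinear)
LINEAR = systematic_code(3, f_linear)

if __name__ == "__main__":
    for name, code in (("nonlinear", NONLINEAR), ("linear", LINEAR)):
        dist, dmin, closest = distance_distribution(code)
        print(name, "weights:", weight_distribution(code), "distances:", dist,
              "dmin:", dmin, "closest pairs:", len(closest),
              "distance-invariant:", is_distance_invariant(code))
```

The two codes have the same weight distribution, so weights alone cannot tell them apart; only the pairwise check exposes that the nonlinear code has pairs at distance 5 and a larger share of pairs at the minimum distance.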
arXiv:0909.1626v1 fatcat:tiqm5xzc35dexn4tn2wjyhjziy

Decoding Cyclic Codes: the Cooper Philosophy [chapter]

Teo Mora, Emmanuela Orsini
2009 Gröbner Bases, Coding, and Cryptography  
In 1990, Cooper [6, 7] suggested to use Gröbner basis computation in order to deduce error locator polynomials of cyclic codes. Following his idea, Chen et al. [3, 4, 5] suggested a general algorithm to pursue Cooper's approach. The aim of the talk is to follow, on an illuminating example, the arguments which, through a series of papers [8, 2, 9], led to the following result: Theorem 1. For each $[n, k, d]$ binary cyclic code $C$ with $n$ odd, denoting $F$ the splitting field of $x^n - 1$ over $\mathbb{Z}_2$, a Cooper Gröbner basis computation allows to produce a polynomial $L \in \mathbb{Z}_2[X, z]$, where $X = (x_1, \ldots, x_{n-k})$, which satisfies the following properties: 1. $L(X, z) = z^t + a_{t-1}(X)\, z^{t-1} + \cdots + a_0(X)$, with $a_j \in \mathbb{Z}_2[X]$, $0 \le j \le t-1$; 2. given a syndrome vector $s = (s_1, \ldots, s_{n-k}) \in F^{n-k}$ corresponding to an error with weight $\mu \le t$, if we evaluate the $X$ variables in $s$, then the $t$ roots of $L(s, z)$ are the $\mu$ error locations plus zero counted with multiplicity $t - \mu$. We illustrate the efficiency of this approach on the recent results discussed in [10] and we also discuss an alternative approach to the solution of the Cooper problem proposed in [4, 1].
doi:10.1007/978-3-540-93806-4_5 fatcat:xczwmjtnhnfhndvdcwbpz4jctq

Actively Secure OT Extension with Optimal Overhead [chapter]

Marcel Keller, Emmanuela Orsini, Peter Scholl
2015 Lecture Notes in Computer Science  
We describe an actively secure OT extension protocol in the random oracle model with efficiency very close to the passively secure IKNP protocol of Ishai et al. (Crypto 2003). For computational security parameter κ, our protocol requires κ base OTs, and is the first practical, actively secure protocol to match the cost of the passive IKNP extension in this regard. The added communication cost is only additive in O(κ), independent of the number of OTs being created, while the computation cost is essentially two finite field operations per extended OT. We present implementation results that show our protocol takes no more than 5% more time than the passively secure IKNP extension, in both LAN and WAN environments, and thus is essentially optimal with respect to the passive protocol.
doi:10.1007/978-3-662-47989-6_35 fatcat:wejihy7ixreihbn3w7g5fprvja

An Introduction to Linear and Cyclic Codes [chapter]

Daniel Augot, Emanuele Betti, Emmanuela Orsini
2009 Gröbner Bases, Coding, and Cryptography  
Our purpose is to recall some basic aspects about linear and cyclic codes. We first briefly describe the role of error-correcting codes in communication. To do this we introduce, with examples, the concept of linear codes and their parameters, in particular the Hamming distance. A fundamental subclass of linear codes is given by cyclic codes, that enjoy a very interesting algebraic structure. In fact, cyclic codes can be viewed as ideals in a residue classes ring of univariate polynomials. BCH codes are the most studied family of cyclic codes, for which some efficient decoding algorithms are known, as the method of Sugiyama.
doi:10.1007/978-3-540-93806-4_4 fatcat:chgov2rw4rgcfik2vsdpc77zta

Efficient Secure Multiparty Computation with Identifiable Abort [chapter]

Carsten Baum, Emmanuela Orsini, Peter Scholl
2016 Lecture Notes in Computer Science  
We study secure multiparty computation (MPC) in the dishonest majority setting providing security with identifiable abort, where if the protocol aborts, the honest parties can agree upon the identity of a corrupt party. All known constructions that achieve this notion require expensive zero-knowledge techniques to obtain active security, so are not practical. In this work, we present the first efficient MPC protocol with identifiable abort. Our protocol has an information-theoretic online phase with message complexity O(n^2) for each secure multiplication (where n is the number of parties), similar to the BDOZ protocol (Bendlin et al., Eurocrypt 2011), and a factor in the security parameter lower than the identifiable abort protocol of Ishai et al. (Crypto 2014). A key component of our protocol is a linearly homomorphic information-theoretic signature scheme, for which we provide the first definitions and construction based on a previous non-homomorphic scheme. We then show how to implement the preprocessing for our protocol using somewhat homomorphic encryption, similarly to the SPDZ protocol (Damgård et al., Crypto 2012) and other recent works with applicable efficiency improvements.
doi:10.1007/978-3-662-53641-4_18 fatcat:uajn77hcjbfvrdqfxhyk75ibbi

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

Marcel Keller, Emmanuela Orsini, Peter Scholl
2016 Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS'16  
… Orsini, E., Scholl, P., and Smart, N. P. High performance multi-party computation for binary circuits based on oblivious transfer. … A Security of the Π_COPEe Protocol. Lemma 1. …
doi:10.1145/2976749.2978357 dblp:conf/ccs/KellerOS16 fatcat:zx3eencx2nax7ircss5fx73a2a

Limbo: Efficient Zero-knowledge MPCitH-based Arguments [article]

Cyprien Delpech de Saint Guilhem, Emmanuela Orsini, Titouan Tanguy
2021 IACR Cryptology ePrint Archive  
This work introduces a new interactive oracle proof system based on the MPC-in-the-Head paradigm. To improve concrete efficiency and offer flexibility between computation time and communication size, a generic proof construction based on multi-round MPC protocols is proposed, instantiated with a specific protocol and implemented and compared to similar proof systems. Performance gains over previous work derive from a multi-party multiplication check optimized for the multi-round and MPC-in-the-Head settings. Of most interest among implementation optimizations is the use of identical randomness across repeated MPC protocol executions in order to accelerate computation without excessive cost to the soundness error. The new system creates proofs of SHA-256 pre-images of 43KB in 53ms with 16 MPC parties, or 23KB in 188ms for 128 parties. As a signature scheme, the non-interactive variant produces signatures, based on the AES-128 circuit, of 18KB in about 4ms; this is 20% faster and 32% larger than the Picnic3 scheme (13KB in 5.3ms for 16 parties) which is based on the 90% smaller LowMC circuit.
dblp:journals/iacr/GuilhemOT21 fatcat:4hqdcdsy5jdedc3q3l2kctkv3u

Dishonest Majority Multi-Party Computation for Binary Circuits [chapter]

Enrique Larraia, Emmanuela Orsini, Nigel P. Smart
2014 Lecture Notes in Computer Science  
We extend the Tiny-OT two party protocol of Nielsen et al (CRYPTO 2012) to the case of n parties in the dishonest majority setting. This is done by presenting a novel way of transferring pairwise authentications into global authentications. As a by product we obtain a more efficient manner of producing globally authenticated shares, in the random oracle model, which in turn leads to a more efficient two party protocol than that of Nielsen et al.
doi:10.1007/978-3-662-44381-1_28 fatcat:nmsve4zccfblvctcenwg5x5lza

Feta: Efficient Threshold Designated-Verifier Zero-Knowledge Proofs [article]

Carsten Baum, Robin Jadoul, Emmanuela Orsini, Peter Scholl, Nigel P. Smart
2022 IACR Cryptology ePrint Archive  
dblp:journals/iacr/BaumJOSS22 fatcat:sn6bkupejnh7riydgibivhtsxa

Error Term Checking: Towards Chosen Ciphertext Security without Re-encryption [article]

Jan-Pieter D'Anvers, Emmanuela Orsini, Frederik Vercauteren
2021 IACR Cryptology ePrint Archive  
Chosen ciphertext security for lattice based encryption schemes is generally achieved through a generic transformation such as the Fujisaki-Okamoto transformation. This method requires full re-encryption of the plaintext during decapsulation, which typically dominates the cost of the latter procedure. In this work we show that it is possible to develop alternative transformations specifically designed for lattice based encryption schemes. We propose two novel chosen ciphertext transformations, ETC1 and ETC2, in which re-encryption is replaced by checking the error term of the input ciphertext. We show that our new ciphertext validity check can be securely applied to lattice based encryption schemes under specific conditions. For the NIST post-quantum standardization candidate Threebears we show a speedup for decapsulation of up to 37.4%. Moreover, as our method only changes the validation check during decapsulation, it is fully backwards compatible with existing implementations of the Fujisaki-Okamoto transformation.

Fujisaki-Okamoto (FO) transformation [FO13, Den03]. Classical and quantum secure versions of this transformation have been proposed with increasingly tighter security bounds in [TU16, HHK17, AOP+17, JZC+18, SXY18, BHH+19]. Decapsulation of a ciphertext in a FO compiled primitive roughly consists of two parts: decryption of the ciphertext into the message which was used as a random seed during encryption, and re-encryption of the plaintext into the valid ciphertext. The legitimacy of the input ciphertext is then checked by comparing the input ciphertext with the regenerated valid one. While this is a generic off-the-shelf procedure that works for a wide range of encryption schemes, it can be rather expensive if the cost of re-encryption is higher than the cost of decryption. This is typically the case for schemes based on the learning with errors problem. The generic nature of this transformation also means that specific properties of the underlying encryption primitive are completely ignored. However, for other families of encryption schemes there exist specifically designed transformations exploiting properties of the underlying encryption that outperform the standard FO transformation, as is for example the case in RSA-OAEP+ [BR95, Sho01].

Our Contribution. Our goal is to show it is possible to design chosen ciphertext transformations tailored for lattice based cryptography by taking into account specific properties of the underlying encryption scheme. We propose a novel methodology to design chosen ciphertext secure KEMs out of lattice based encryption schemes and reduce the cost of validating an input ciphertext by replacing the generic check using a complete re-encryption of the ciphertext by a faster alternative. Our approach is based on checking the validity of the error term, which is the consolidation of the noise introduced by both parties as a result of the learning with errors (LWE) paradigm. As such, the error term is a combination of the secret terms of the two communicating parties which makes it hard to predict. We argue that for some lattice based schemes it is hard, or sometimes even impossible, to construct a non-valid ciphertext with the same error term as the corresponding valid ciphertext of the same message. Using this observation we develop two new chosen ciphertext transformations and bound their security. Our transformation relies on a new computational problem: Search Inner Product from Mod-LWE (SIP-LWE), in which an adversary is given $l$ Mod-LWE samples $(\mathbf{A}, \mathbf{b} := \mathbf{A}\mathbf{s} + \mathbf{e})$ and is challenged to generate a new pair $(\mathbf{a}^*, \mathbf{b}^*)$ where $\mathbf{b}^*$ is the inner product of $\mathbf{a}^*$ and the secret key $\mathbf{s}$, i.e. $\mathbf{b}^* = \mathbf{a}^{*T}\mathbf{s}$. Note that this is equivalent to generating a Mod-LWE sample (or reusing a given one) with zero error. We also consider the special case where $\mathbf{b}^*$ is required to be $\mathbf{0}$, i.e. the problem now becomes generating a vector $\mathbf{a}^*$ that is orthogonal to $\mathbf{s}$. We denote this as the SIP0-LWE problem. We discuss the hardness of both problems, and show that for some parameter settings it is hard or even impossible for an adversary to distinguish the outcome of our transformation from a generic transformation with re-encryption.

Our transformation avoids the regeneration of the uniformly random public element of the public key Mod-LWE sample. Furthermore it changes the
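The passage above describes the generic FO decapsulation (decrypt, re-encrypt with coins derived from the recovered message, compare) that ETC1 and ETC2 replace. As an added example (my own toy code; it does not implement ETC1/ETC2, and its LWE parameters Q, K, L are deliberately tiny and offer no security), the block below builds a minimal LWE-based KEM in that shape and shows the behaviour the page's argument depends on: a tampered ciphertext that still decrypts to the same message is rejected only because the full re-encryption does not reproduce the input, which is exactly the step whose cost the paper wants to avoid.

```python
import hashlib
import random

Q, K, L = 3329, 8, 8  # toy parameters (assumption: far too small to be secure)

def small(rng, n):
    # noise / secret coefficients in {-1, 0, 1}
    return [rng.choice((-1, 0, 1)) for _ in range(n)]

def transpose(M):
    return [list(col) for col in zip(*M)]

def matvec(M, v):
    return [sum(mi * vi for mi, vi in zip(row, v)) % Q for row in M]

def keygen(rng):
    A = [[rng.randrange(Q) for _ in range(K)] for _ in range(K)]
    S = [small(rng, L) for _ in range(K)]          # K x L secret
    E = [small(rng, L) for _ in range(K)]          # K x L error
    B = [[(sum(A[i][t] * S[t][j] for t in range(K)) + E[i][j]) % Q for j in range(L)]
         for i in range(K)]                        # B = A S + E, the public LWE-style sample
    return (A, B), S

def encrypt(pk, m_bits, coins):
    # PKE encryption with explicit coins, so decapsulation can rerun it bit for bit
    A, B = pk
    rng = random.Random(coins)
    r, e1, e2 = small(rng, K), small(rng, K), small(rng, L)
    u = [(x + y) % Q for x, y in zip(matvec(transpose(A), r), e1)]
    v = [(x + y + (Q // 2) * m) % Q for x, y, m in zip(matvec(transpose(B), r), e2, m_bits)]
    return u, v

def decrypt(S, ct):
    u, v = ct
    w = [(vi - si) % Q for vi, si in zip(v, matvec(transpose(S), u))]  # = error term + m * Q/2
    return [1 if Q // 4 < wi < 3 * Q // 4 else 0 for wi in w]

def coins_from(m_bits):
    # FO: the message seeds the encryption randomness (the "G" hash; SHA-256 in the toy)
    return int.from_bytes(hashlib.sha256(bytes(m_bits)).digest(), "big")

def kdf(seed_bytes, ct):
    return hashlib.sha256(bytes(seed_bytes) + repr(tuple(ct)).encode()).hexdigest()

def encaps(pk, rng):
    m = [rng.randrange(2) for _ in range(L)]
    ct = encrypt(pk, m, coins_from(m))
    return ct, kdf(m, ct)

def decaps(S, pk, ct, z):
    m = decrypt(S, ct)
    # the step the paper targets: full re-encryption, then an equality check with the input
    if encrypt(pk, m, coins_from(m)) == tuple(ct):
        return kdf(m, ct)
    return kdf(z, ct)  # implicit rejection: a key derived from the secret value z

def demo(seed=7):
    rng = random.Random(seed)
    pk, S = keygen(rng)
    z = [rng.randrange(256) for _ in range(L)]
    ct, key = encaps(pk, rng)
    u, v = ct
    tampered = (u, [(v[0] + 1) % Q] + v[1:])  # one coefficient nudged: still decrypts to m
    return {
        "valid_matches": decaps(S, pk, ct, z) == key,
        "tampered_decrypts_same": decrypt(S, tampered) == decrypt(S, ct),
        "tampered_rejected": decaps(S, pk, tampered, z) != key,
    }

if __name__ == "__main__":
    print(demo())
```

In the toy the error term the decryptor sees is w minus m·Q/2; the page's point is that a validity check built on that term can replace the second call to encrypt in decaps, which here recomputes A^T r and B^T r from scratch.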
dblp:journals/iacr/DAnversOV21 fatcat:7nqblvjq5zh6feghqtmzsf5u4q

Secure Oblivious Transfer from Semi-Commutative Masking [article]

Cyprien Delpech de Saint Guilhem, Emmanuela Orsini, Christophe Petit, Nigel P. Smart
2018 IACR Cryptology ePrint Archive  
We define semi-commutative invertible masking structures which aim to capture the methodology of exponentiation-only protocol design (such as discrete logarithm and isogeny-based cryptography). We discuss two instantiations: the first is based on commutative group actions and captures both the action of exponentiation in the discrete logarithm setting and the action of the class group of commutative endomorphism rings of elliptic curves, in the style of the CSIDH key-exchange protocol; the second is based on the semi-commutative action of isogenies of supersingular elliptic curves, in the style of the SIDH key-exchange protocol. We then construct two oblivious transfer protocols using this new structure and prove that these UC-securely realise the oblivious transfer functionality in the random-oracle-hybrid model against passive adversaries with static corruptions. Moreover, by starting from one of these two protocols and using the compiler introduced by Döttling et al. (Eurocrypt 2020), we achieve the first fully UC-secure two-round OT protocol based on supersingular isogenies.
dblp:journals/iacr/GuilhemOPS18 fatcat:6vjrpswbrzc35ioshsodghhk6y

Linear Overhead Optimally-Resilient Robust MPC Using Preprocessing [chapter]

Ashish Choudhury, Emmanuela Orsini, Arpita Patra, Nigel P. Smart
2016 Lecture Notes in Computer Science  
We present a new technique for robust secret reconstruction with O(n) communication complexity. By applying this technique, we achieve O(n) communication complexity per multiplication for a wide class of robust practical Multi-Party Computation (MPC) protocols. In particular our technique applies to robust threshold computationally secure protocols in the case of t < n/2 in the pre-processing model. Previously in the pre-processing model, O(n) communication complexity per multiplication was known in the case of computationally secure non-robust protocols in the dishonest majority setting (i.e. with t < n) and in the case of perfectly-secure robust protocols with t < n/3. A similar protocol was sketched by Damgård and Nielsen, but no details were given to enable an estimate of the communication complexity. Surprisingly our robust reconstruction protocol applies for both the synchronous and asynchronous settings.

Introduction. Secure MPC is a fundamental problem in secure distributed computing [33, 27, 8, 14]. An MPC protocol allows a set of n mutually distrusting parties with private inputs to securely compute a joint function of their inputs, even if t out of the n parties are corrupted. Determining the communication complexity of MPC in terms of n is a task which is both interesting from a theoretical and a practical standpoint. It is a folklore belief that the complexity should be essentially O(n) per multiplication in the computation. However, "most" robust secret-sharing based MPC protocols which are practical have complexity O(n^2). To understand the problem notice that apart from the protocols for entering parties' inputs and determining parties' outputs, the main communication task in secret-sharing based MPC protocols is the evaluation of the multiplication gates (we assume a standard arithmetic circuit representation of the function to be computed for purely expository reasons; in practice other representations may be better). If we consider the classic information-theoretic passively secure sub-protocol for multiplication gates when t < n/2 (locally multiply the shares, reshare and then recombine) we require O(n^2) messages per multiplication gate [8, 26]. This is because each party needs to send the shares representing its local multiplication to every other party, thus requiring O(n^2) messages, and hence O(n^2) bits if we only look at complexity depending on n.

Even if we look at such protocols in the pre-processing model, where the so-called "Beaver multiplication triples" are produced in an offline phase [4], and we are primarily concerned about the communication complexity of the online phase, a similar situation occurs. In such protocols, see for example [19], the standard multiplication sub-protocol is for each party to broadcast a masking of their shares of the gate input values to every other party. This again has O(n^2) communication complexity. In the SPDZ protocol [22], for the case of non-robust maliciously secure MPC (with abort) in the dishonest majority setting (i.e. with t < n), an online communication complexity of O(n) was achieved. (An MPC protocol is called robust if the honest parties obtain the correct output at the end of the protocol irrespective of the behaviour of the corrupted parties; otherwise it is called non-robust.) This is attained by replacing the broadcast communication of the previous method with the following trick. For each multiplication gate one party is designated as the "reconstructor". The broadcast round is then replaced by each party sending their masked values to the reconstructor, who then reconstructs the value and then sends it to each party. This requires exactly 2·n messages being sent, and is hence O(n). However, this protocol is only relevant in the dishonest majority setting as any dishonest behaviour of any party is subsequently detected via the SPDZ MAC-checking procedure, in which case the protocol aborts. Our goal is to achieve such a result for robust protocols in the pre-processing model.

Related Work: With t < n/3, information-theoretically secure online protocols with O(n) communication per multiplication are presented in [21]. There the basic idea is a new method of reconstructing a batch of Θ(n) secret-shared values with O(n^2) communication complexity, thus providing a linear overhead. However, the method is tailor-made only for t < n/3 (as it is based on the error-correcting capability of the Reed-Solomon (RS) codes) and will not work with t < n/2. Hence with t < n/2 in the computational setting, a new technique to obtain O(n) online complexity is needed. In [21] a similar protocol in the pre-processing model is also sketched, which uses the designated reconstructor idea (similar to the idea used in SPDZ, discussed above). The protocol is only sketched, and appears to require O(t) rounds to identify the faulty shares, as opposed to our method which requires no additional rounds. In [28], a computationally-secure MPC protocol with t < n/2 and communication complexity O(n) per multiplication is presented. The protocol is not designed in the pre-processing model, but rather in the player-elimination framework, where the circuit is divided into segments and each segment is evaluated "optimistically", assuming no fault will occur. At the end of the segment evaluation, a detection protocol is executed to identify whether the segment is evaluated correctly and if any inconsistency is detected, then a fault-localization protocol is executed. The fault-localization process identifies a pair of parties, with at least one of them being corrupted. The pair is then neglected for the rest of the protocol execution and the procedure is repeated. There are several drawbacks of this protocol. The protocol cannot be adapted to the pre-processing model; so the benefits provided by the pre-processing based MPC protocols (namely efficiently generating circuit-independent raw materials for several instances of the computation in parallel) cannot be obtained. The protocol also makes expensive use of zero-knowledge (ZK) machinery throughout the protocol and it does not seem to be adaptable to the asynchronous setting with O(n) communication complexity. Our techniques on the other hand are focused on efficient protocols in the pre-processing model. For example we use ZK tools only in the offline phase, and our online methods are easily applicable to the asynchronous communication setting, which models real-world networks like the Internet more appropriately than the synchronous communication setting. In [9], an information-theoretically secure MPC protocol in the pre-processing model with t < n/2 and O(n) communication complexity per multiplication is presented. Both the offline and online phase of [9] are designed in the dispute control framework [5], which is a generalisation of the player-elimination technique and so like other papers in the same framework it is not known if the protocol can be made to work in the more practical asynchronous communication setting. Moreover since their online phase protocol is in the dispute control framework, it requires O(n^2 + D) rounds of interaction in the online phase, where D is the multiplicative depth of the circuit. This is unlike other MPC protocols in the pre-processing model whose online phase requires only O(D) rounds of interaction [21, 6, 10, 22]. Our technique for the online phase protocol does not deploy any player-elimination/dispute-control techniques and so requires fewer rounds than [9]. And our online phase can be executed even in the asynchronous setting with t < n/2 and O(n) communication complexity. Imagine a scenario involving a large number of parties, participating from various parts of the globe. Clearly an (asynchronous) online protocol with fewer communication rounds is desirable here and so our online phase protocol will fit the bill appropriately. In the non-preprocessing model, information-theoretically secure MPC protocols with "near linear" amortized communication complexity but non-optimal resilience are presented in [3, 20, 25]. Namely the overall communication complexity of these protocols is O(polylog(n, C) · C), where C is the circuit size. While the protocol of [20] is perfectly-secure and can tolerate up to t < (1/3 − ) · n corruptions where 0 < < 1/3, the protocols in [3, 25] are statistical with resilience t < (1/2 − ) · n where 0 < < 1/2. The central idea in these protocols is to take advantage of the non-optimal resilience by deploying packed secret-sharing, where "several" values are secret shared simultaneously via a single sharing instance. None of the protocols are known to work in asynchronous settings and all of them heavily rely on the fact that there are more honest parties than just 1/2 (making them non-optimal in terms of resilience). processing model is presented in [17]. However the online phase protocol of [17] is based on the O(n) reconstruction method of [6, 21] with t < n/3 and hence cannot be adapted to the t < n/2 setting.

Our Contribution: We present a computationally-secure method to obtain O(n) communication complexity for the online phase of robust MPC protocols with t < n/2. We are focused on protocols which could be practically relevant, so we are interested in suitable modifications of protocols such as VIFF [19], BDOZ [10] and SPDZ [22]. Our main contribution is a trick to robustly reconstruct a secret with an amortized communication complexity of O(n) messages. Assuming our arithmetic circuit is suitably wide, this implies an O(n) online phase when combined with the standard method for evaluating multiplication gates based on pre-processed Beaver triples. To produce this sub-protocol we utilize the error-correcting capability of the underlying secret-sharing scheme when error positions are already known. To detect the error positions we apply the pair-wise BDOZ MACs from [10]. The overall sub-protocol is highly efficient and can be utilized in practical MPC protocols. Interestingly our reconstruction protocol also works in the asynchronous setting. Thus we obtain a practical optimization in both synchronous and asynchronous settings.

Before proceeding we pause to examine the communication complexity of the offline phase of protocols such as SPDZ. It is obvious that in the case of a computationally secure offline phase one can easily adapt the somewhat homomorphic encryption (SHE) based offline phase of SPDZ to the case of Shamir secret sharing when t < n/2. In addition one can adapt it to generate SPDZ or BDOZ style MACs. And this is what we exactly do to implement our offline phase in the synchronous setting. In [22] the offline communication complexity is given as O(n^2/s) in terms of the number of messages sent, where s is the "packing" parameter of the SHE scheme. As shown in the full version of [23], assuming a cyclotomic polynomial is selected which splits completely modulo the plaintext modulus p, the packing parameter grows very slowly in terms of the number of parties (for all practical purposes it does not increase at all). In addition since s is in the many thousands, for all practical purposes the communication complexity of the offline phase is O(n) in terms of the number of messages. However, each message is O(s) and so the bit communication complexity is still O(n^2). As our online phase also works in the asynchronous setting, we explore how the offline phase, and the interaction between the offline and online phases, can be done asynchronously. For this we follow the VIFF framework [19], which implements the offline phase asynchronously with t < n/3 via pseudo-random secret sharing, assuming a single synchronization point between the offline and online phases. Following the same approach, we show how the interaction between our offline and online phase can be handled asynchronously with t < n/2. However we require an additional technicality for t < n/2 to deal with the issue of agreement among the parties at the end of the asynchronous offline phase. Specifically, we either require "few" synchronous rounds or a non-equivocation mechanism at the end of the offline phase to ensure agreement among the parties. We stress that once this is done then the online phase protocol can be executed in a completely asynchronous fashion with t < n/2.
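As an added example (my own toy code, not the paper's protocol), the block below puts the two ideas of the introduction side by side in a Shamir setting with t < n/2: the designated-reconstructor opening of a Beaver multiplication, which costs 2(n-1) point-to-point messages here (the paper counts 2·n, including the reconstructor's own share) instead of the n(n-1) of an all-to-all broadcast, and robust reconstruction when the faulty positions are already known, which is plain erasure decoding of the Shamir sharing. The pairwise MACs that would identify those positions are not implemented; the set of flagged parties is passed in as an assumption, and a corrupt reconstructor and the offline phase are out of scope.

```python
import random

P = 2**61 - 1  # prime field for the toy; any prime larger than n works

def share(secret, t, n, rng):
    # Shamir sharing: random degree-t polynomial with f(0) = secret; party i holds f(i), i = 1..n
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return [sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P for x in range(1, n + 1)]

def interpolate_at_zero(points):
    # Lagrange interpolation of f(0) from t+1 pairs (x, f(x))
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def naive_open(shares, t):
    # trust the first t+1 shares; one corrupted share among them gives a wrong value
    return interpolate_at_zero(list(enumerate(shares, start=1))[: t + 1])

def robust_open(shares, t, flagged):
    # Reconstruction when the error positions are already known (here: the parties whose
    # MAC check failed, assumed given): treat their shares as erasures and interpolate from
    # the rest. With |flagged| <= t < n/2 at least t+1 honest shares always remain.
    survivors = [(x, s) for x, s in enumerate(shares, start=1) if x - 1 not in flagged]
    if len(survivors) < t + 1:
        raise ValueError("fewer than t+1 trusted shares; cannot reconstruct")
    return interpolate_at_zero(survivors[: t + 1])

def beaver_multiply(a_sh, b_sh, triple, t, corrupt, rng, counter):
    # Online multiplication gate with party 1 (index 0) as designated reconstructor:
    # every other party sends it masked shares, it opens and sends the results back.
    n = len(a_sh)
    x_sh, y_sh, z_sh = triple                      # preprocessed triple, z = x*y
    eps_sh = [(a - x) % P for a, x in zip(a_sh, x_sh)]
    delta_sh = [(b - y) % P for b, y in zip(b_sh, y_sh)]
    for i in corrupt:                              # corrupt parties send garbage
        eps_sh[i], delta_sh[i] = rng.randrange(P), rng.randrange(P)
    counter["messages"] += n - 1                   # (eps, delta) shares to the reconstructor
    eps = robust_open(eps_sh, t, corrupt)          # corrupt set = positions flagged by MACs
    delta = robust_open(delta_sh, t, corrupt)
    counter["messages"] += n - 1                   # opened (eps, delta) back to each party
    # a*b = z + eps*b + delta*a - eps*delta; the public constant is subtracted from every share
    c_sh = [(z + eps * b + delta * a - eps * delta) % P for a, b, z in zip(a_sh, b_sh, z_sh)]
    return c_sh, {"eps_shares": eps_sh, "eps": eps}

def run_example(n=5, t=2, corrupt=(1,), a=6, b=7, seed=1):
    rng = random.Random(seed)
    corrupt = set(corrupt)                         # honest majority: |corrupt| <= t < n/2
    a_sh, b_sh = share(a, t, n, rng), share(b, t, n, rng)
    x, y = rng.randrange(P), rng.randrange(P)
    triple = (share(x, t, n, rng), share(y, t, n, rng), share(x * y % P, t, n, rng))
    counter = {"messages": 0}
    c_sh, trace = beaver_multiply(a_sh, b_sh, triple, t, corrupt, rng, counter)
    return {
        "product": robust_open(c_sh, t, corrupt),
        "messages": counter["messages"],
        "naive_open_correct": naive_open(trace["eps_shares"], t) == trace["eps"],
    }

if __name__ == "__main__":
    print(run_example())
```

With n = 5, t = 2 and party 2 corrupt, the gate still opens to a·b = 42 after 8 messages, while the naive opening that trusts the first three shares is wrong; the robust variant needs no extra rounds, only knowledge of which shares to discard.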
doi:10.1007/978-3-319-44618-9_8 fatcat:a6ymetazazh6jlnaxgl56w6spi

TinyKeys: A New Approach to Efficient Multi-Party Computation [chapter]

Carmit Hazay, Emmanuela Orsini, Peter Scholl, Eduardo Soria-Vazquez
2018 Lecture Notes in Computer Science  
We present a new approach to designing concretely efficient MPC protocols with semi-honest security in the dishonest majority setting. Motivated by the fact that within the dishonest majority setting the efficiency of most practical protocols does not depend on the number of honest parties, we investigate how to construct protocols which improve in efficiency as the number of honest parties increases. Our central idea is to take a protocol which is secure for n − 1 corruptions and modify it to use short symmetric keys, with the aim of basing security on the concatenation of all honest parties' keys. This results in a more efficient protocol tolerating fewer corruptions, whilst also introducing an LPN-style syndrome decoding assumption. We first apply this technique to a modified version of the semi-honest GMW protocol, using OT extension with short keys, to improve the efficiency of standard GMW with fewer corruptions. We also obtain more efficient constant-round MPC, using BMR-style garbled circuits with short keys, and present an implementation of the online phase of this protocol. Our techniques start to improve upon existing protocols when there are around n = 20 parties with h = 6 honest parties, and as these increase we obtain up to a 13 times reduction (for n = 400, h = 120) in communication complexity for our GMW variant, compared with the best-known GMW-based protocol modified to use the same threshold.
doi:10.1007/978-3-319-96878-0_1 fatcat:k7xjoou2ifcjvfol443kkblsrm

Correcting errors and erasures via the syndrome variety

Emmanuela Orsini, Massimiliano Sala
2005 Journal of Pure and Applied Algebra  
We propose a new syndrome variety, which can be used to decode cyclic codes. We present also a generalization to erasure and error decoding. We can exhibit a polynomial whose roots give the error locations, once it has been specialized to a given syndrome. This polynomial has degree t in the variable corresponding to the error locations and its coefficients are polynomials in the syndromes. Observe that $I = I_X \sqcup I_{XW} \sqcup I_{XWZ} \sqcup I_{XWZU} \sqcup I_{XWZUY}$ and that $G = G_X \sqcup G_{XW} \sqcup G_{XWZ} \sqcup G_{XWZU} \sqcup G_{XWZUY}$ (as disjoint unions). Remark 2.6. We extend our notation to the case = 0, meaning that the variable sets W and U are void, e.g. $P_{XWZ} = P_{XZ} = \mathbb{F}_q[X, Z] \setminus \mathbb{F}_q[X]$. When convenient, we enclose the ideal name within brackets, e.g. $(I)_X = I_X$. Assume $G$ is a Gröbner basis for an ideal $I \subset K[S, Z, T]$, $S = (s_1, \ldots, s_H)$, $Z = (z_1, \ldots, z_L)$, $T = (t_1, \ldots, t_M)$ w.r.t. a block order with $S < Z < T$ and with the $Z$-variables
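The polynomial described in this abstract and the L(X, z) of Theorem 1 in the "Decoding Cyclic Codes: the Cooper Philosophy" entry above are the same object: a single polynomial in the syndromes and one locator variable z whose roots, after specialising the syndromes, are the error locations. The block below is an added worked example (my own code, not from either paper, and it verifies the root property by brute force instead of running a Gröbner basis computation). It takes the binary [15,7,5] BCH code, so t = 2 with syndromes s1 and s3 in F_16 = F_2[x]/(x^4 + x + 1), and the closed form L(s1, s3, z) = z^2 + s1 z + s1^2 + s3 s1^14. That form can be checked by hand: for error locations a and b one has s1 = a + b, s3 = a^3 + b^3 and s1^14 = 1/s1 whenever s1 is nonzero, so the constant term equals ab and L = (z + a)(z + b); for one error the constant term vanishes and L = z(z + a); with no error L = z^2. The code confirms, for every error pattern of weight at most 2, that the roots counted with multiplicity are the error locations plus 0 with multiplicity t - μ.

```python
# GF(2^4) = F_2[x]/(x^4 + x + 1); elements are 4-bit ints, alpha = x = 0b0010 is primitive
MODULUS = 0b10011
N, T = 15, 2  # binary [15,7,5] BCH code, corrects t = 2 errors

def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b10000:
            a ^= MODULUS
    return r

def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

ALPHA = 0b0010
LOCATOR = [gf_pow(ALPHA, i) for i in range(N)]  # error position i has location alpha^i

def syndromes(error_positions):
    # s_j = sum over error positions of alpha^(i*j); for this code only s1 and s3 are needed
    s1 = s3 = 0
    for i in error_positions:
        s1 ^= LOCATOR[i]
        s3 ^= gf_pow(LOCATOR[i], 3)
    return s1, s3

def general_error_locator(s1, s3):
    # L(s1, s3, z) = z^2 + a1 z + a0 with a1 = s1 and a0 = s1^2 + s3 * s1^14.
    # s1^14 equals 1/s1 for nonzero s1 and 0 for s1 = 0, so a0 is a polynomial in the
    # syndromes, as Theorem 1 requires. Coefficients are listed from z^2 down to z^0.
    a0 = gf_pow(s1, 2) ^ gf_mul(s3, gf_pow(s1, 14))
    return [1, s1, a0]

def divide_by_linear(coeffs, r):
    # synthetic division of coeffs (high to low) by (z + r); returns (quotient, remainder)
    acc, out = 0, []
    for c in coeffs:
        acc = gf_mul(acc, r) ^ c
        out.append(acc)
    return out[:-1], out[-1]

def roots_with_multiplicity(coeffs):
    # exhaustive root search over F_16; each root is repeated as often as it divides L
    roots = []
    for r in range(16):
        rest = coeffs
        while len(rest) > 1:
            quotient, remainder = divide_by_linear(rest, r)
            if remainder != 0:
                break
            roots.append(r)
            rest = quotient
    return sorted(roots)

def locate_errors(error_positions):
    # Returns (roots of L(s, z) with multiplicity, locations predicted by Theorem 1):
    # the mu error locations plus 0 counted t - mu times.
    s1, s3 = syndromes(error_positions)
    roots = roots_with_multiplicity(general_error_locator(s1, s3))
    predicted = sorted([LOCATOR[i] for i in error_positions] + [0] * (T - len(error_positions)))
    return roots, predicted

if __name__ == "__main__":
    for pattern in ([], [3], [2, 9]):
        print(pattern, locate_errors(pattern))
```

Decoding from the roots is then a table lookup: a nonzero root alpha^i names position i, and the zero roots say how many of the t slots were unused.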
doi:10.1016/j.jpaa.2004.12.027 fatcat:rqwepmil2vafdopuxxxlw24tva

A Unified Approach to MPC with Preprocessing Using OT [chapter]

Tore Kasper Frederiksen, Marcel Keller, Emmanuela Orsini, Peter Scholl
2015 Lecture Notes in Computer Science  
SPDZ, TinyOT and MiniMAC are a family of MPC protocols based on secret sharing with MACs, where a preprocessing stage produces multiplication triples in a finite field. This work describes new protocols for generating multiplication triples in fields of characteristic two using OT extensions. Before this work, TinyOT, which works on binary circuits, was the only protocol in this family using OT extensions. Previous SPDZ protocols for triples in large finite fields require somewhat homomorphic encryption, which leads to very inefficient runtimes in practice, while no dedicated preprocessing protocol for MiniMAC (which operates on vectors of small field elements) was previously known. Since actively secure OT extensions can be performed very efficiently using only symmetric primitives, it is highly desirable to base MPC protocols on these rather than expensive public key primitives. We analyze the practical efficiency of our protocols, showing that they should all perform favorably compared with previous works; we estimate our protocol for SPDZ triples in F_{2^40} will perform around 2 orders of magnitude faster than the best known previous protocol.
doi:10.1007/978-3-662-48797-6_29 fatcat:hz4dap2sznculjmehnkchii3kq