##
###
Multi-party Indirect Indexing and Applications
[chapter]

Matthew Franklin, Mark Gondree, Payman Mohassel

*
Advances in Cryptology – ASIACRYPT 2007
*

We develop a new multi-party generalization of Naor-Nissim indirect indexing, making it possible for many participants to simulate a RAM machine with only poly-logarithmic blow-up. Our most efficient instantiation (built from length-flexible additively homomorphic public key encryption) improves the communication complexity of secure multi-party computation for a number of problems in the literature. Underlying our approach is a new multi-party variant of oblivious transfer which may be of
## more »

... hich may be of independent interest. Proof (Proof (sketch)). The primitives used by the input share conversion protocol have O(poly(m, log q)) communication complexity, where q is the size of the field in which σ lives. Since σ is a pointer into a table of size n, the communication complexity becomes, in our case, O(poly(m, log log n)) = o(poly(m) log n). Also, the messages passed between the database and the other parties are the same as those passed during the oblivious transfer protocol from Section 5.2, whose communication complexity is Θ(k log 2 n + log n). Thus, our complete protocol has O(m(k log 2 n+ log n)+poly(m) log n) = O(k log 2 npoly(m)) communication complexity and O(log n) round complexity. Claim. The complete protocol of Section 5.2 is t-private, assuming the threshold length-flexible additively homomorphic public-key encryption scheme is IND-CPA secure. Proof (Proof (sketch)). The above security claim follows from the security of the share conversion protocols, from general composition theorems [6, 17] , and from the same security arguments of [25] since (although we make use of the protocol in a non-blackbox manner) the transcript of the messages passed between the chooser and database in our protocol is identical. More specifically, the g-mOT protocol is (t, t, t − 1, m)-secure, because the Aiello-Ishai-Reingold transform makes the OT scheme information-theoretically database-private. When the PIR protocol is converted into an OT protocol using a transformation that provides computational sender privacy, like the Naor-Pinkas transform [28] , the resulting mOT protocol is (t, t, t − 1, t)-secure. The threshold, length-flexible homomorphic encryption scheme of Damgård and Jurik [11] is IND-CPA secure in the standard model, under the Paillier and composite DDH assumptions.

doi:10.1007/978-3-540-76900-2_17
dblp:conf/asiacrypt/FranklinGM07
fatcat:wr2iv4x6dfajvbydlzkve4bsne