Computer-aided proofs for multiparty computation with active security

Secure multi-party computation (MPC) is a general cryptographic technique that allows distrusting parties to compute a function of their individual inputs, while only revealing the output of the function. It has found applications in areas such as auctioning, email filtering, and secure teleconference. Given its importance, it is crucial that the protocols are specified and implemented correctly. In the programming language community it has become good practice to use computer proof assistants to verify correctness proofs. In the field of cryptography, EasyCrypt is the state of the art proof assistant. It provides an embedded language for probabilistic programming, together with a specialized logic, embedded into an ambient general purpose higher-order logic. It allows us to conveniently express cryptographic properties. EasyCrypt has been used successfully on many applications, including public-key encryption, signatures, garbled circuits and differential privacy. Here we show for the first time that it can also be used to prove security of MPC against a malicious adversary. We formalize additive and replicated secret sharing schemes and apply them to Maurer's MPC protocol for secure addition and multiplication. Our method extends to general polynomial functions. We follow the insights from EasyCrypt that security proofs can be often be reduced to proofs about program equivalence, a topic that is well understood in the verification of programming languages. In particular, we show that in the passive case the non-interference-based definition is equivalent to a standard game-based security definition. For the active case we provide a new NI definition, which we call input independence

Spin-the-bottle Sort and Annealing Sort: Oblivious Sorting via Round-robin Random Comparisons

We study sorting algorithms based on randomized round-robin comparisons. Specifically, we study Spin-the-bottle sort, where comparisons are unrestricted, and Annealing sort, where comparisons are restricted to a distance bounded by a \emph{temperature} parameter. Both algorithms are simple, randomized, data-oblivious sorting algorithms, which are useful in privacy-preserving computations, but, as we show, Annealing sort is much more efficient. We show that there is an input permutation that causes Spin-the-bottle sort to require $\Omega(n^2\log n)$ expected time in order to succeed, and that in $O(n^2\log n)$ time this algorithm succeeds with high probability for any input. We also show there is an implementation of Annealing sort that runs in $O(n\log n)$ time and succeeds with very high probability.Comment: Full version of a paper appearing in ANALCO 2011, in conjunction with SODA 201

The Meeting Businessmen Problem: Requirements and Limitations

Let us assume that some businessmen wish to have a meeting. For this to happen, they usually have to meet somewhere. If they cannot meet physically, then they can take part in a video (or audio) conference to discuss whatever needs to be discussed. But what if their meeting is meant to be private? In this case they need a cryptographic protocol that allows them to exchange their ideas remotely, while keeping them secure from any potential eavesdropper. In this paper we list all the necessary requirements that a cryptographic protocol must have in order to allow several businessmen to exchange their ideas securely over the Internet. Moreover, and based on the standard taxonomy of cryptographic pro- tocols, we suggest several approaches on how to design cryptographic protocols that enable us to achieve our aim. Finally, we propose the design of a protocol that solves the meeting businessmen problem

Protocols for The Meeting Businessmen Problem

Assume that some businessmen wish to have a meeting. For this to occur, they usuallyhave to meet somewhere. If they cannot meet physically, then they can take part in a video (oraudio) conference to discuss whatever needs to be discussed. But what if their meeting is meant tobe private? In this case they need a cryptographic protocol that allows them to exchange their ideasremotely, while keeping them secure from any potential eavesdropper. In this paper we list all thenecessary requirements that a cryptographic protocol must have in order to allow several businessmento exchange their ideas securely over the Internet. Moreover, and based on the standard taxonomy ofcryptographic protocols, we suggest several approaches on how to design cryptographic protocols thatenable us to achieve our aim. Finally, we propose the design of a protocol that solves the meetingbusinessmen problem

Optimal Contracts for Outsourced Computation

While expensive cryptographically verifiable computation aims at defeating malicious agents, many civil purposes of outsourced computation tolerate a weaker notion of security, i.e., “lazy-but-honest” contractors. Targeting this type of agents, we develop optimal contracts for outsourcing of computational tasks via appropriate use of rewards, punishments, auditing rate, and “redundancy”. Our contracts provably minimize the expense of the outsourcer (principal) while guaranteeing correct computation. Furthermore, we incorporate practical restrictions of the maximum enforceable fine, limited and/or costly auditing, and bounded budget of the outsourcer. By examining the optimal contracts, we provide insights on how resources should be utilized when auditing capacity and enforceability are limited. Finally, we present a light-weight cryptographic implementation of the contracts and discuss a comparison across different implementations of auditing in outsourced computation