Efficient Two-Party Secure Computation on Committed Inputs

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4515)


We present an efficient construction of Yao’s “garbled circuits” protocol for securely computing any two-party circuit on committed inputs. The protocol is secure in a universally composable way in the presence of malicious adversaries under the decisional composite residuosity (DCR) and strong RSA assumptions, in the common reference string model. The protocol requires a constant number of rounds (four-five in the standard model, two-three in the random oracle model, depending on whether both parties receive the output), O(|C|) modular exponentiations per player, and a bandwidth of O(|C|) group elements, where |C| is the size of the computed circuit.

Our technical tools are of independent interest. We propose a homomorphic, semantically secure variant of the Camenisch-Shoup verifiable cryptosystem, which uses shorter keys, is unambiguous (it is infeasible to generate two keys which successfully decrypt the same ciphertext), and allows efficient proofs that a committed plaintext is encrypted under a committed key.

Our second tool is a practical four-round (two-round in ROM) protocol for committed oblivious transfer on strings (string-COT) secure against malicious participants. The string-COT protocol takes a few exponentiations per player, and is UC-secure under the DCR assumption in the common reference string model. Previous protocols of comparable efficiency achieved either committed OT on bits, or standard (non-committed) OT on strings.


Proof System Commitment Scheme Oblivious Transfer Modular Exponentiation Output Wire 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. [AIR01]
    Aiello, W., Ishai, Y., Reingold, O.: Priced oblivious transfer: How to sell digital goods. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 119–135. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. [Bou00]
    Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  3. [CC00]
    Camenisch, J., Cachin, C.: Optimistic fair secure computation. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 93–111. Springer, Heidelberg (2000)Google Scholar
  4. [CD97]
    Cramer, R., Damgård, I.: Linear zero-knowledge – a note on efficient zero-knowledge proofs and arguments. In: Proc. STOC, pp. 436–445 (1997)Google Scholar
  5. [CDS94]
    Cramer, R.J.F., Damgård, I.B., Schoenmakers, B.: Proof of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)Google Scholar
  6. [CGHG01]
    Catalano, D., Gennaro, R., Howgrave-Graham, N.: The bit security of Paillier’s encryption scheme and its applications. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 229–243. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. [CGHGN01]
    Catalano, D., Gennaro, R., Howgrave-Graham, N., Nguyen, P.: Paillier’s cryptosystem revisited. In: Proc. CCS, pp. 206–214 (2001)Google Scholar
  8. [CM99]
    Camenisch, J.L., Michels, M.: Proving in zero-knowledge that a number is the product of two safe primes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 107–122. Springer, Heidelberg (1999)Google Scholar
  9. [Cré89]
    Crépeau, C.: Verifiable disclose for secrets and applications. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 150–154. Springer, Heidelberg (1990)Google Scholar
  10. [CS03]
    Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. [CvdGT95]
    Crépeau, C., van de Graaf, J., Tapp, A.: Committed oblivious transfer and private multiparty computation. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 110–123. Springer, Heidelberg (1995)Google Scholar
  12. [Dam02]
    Damgård, I.: Efficient concurrent zero-knowledge in the auxiliary string model. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 418–430. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  13. [DF02]
    Damgård, I., Fujisaki, E.: A statistically hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  14. [DI05]
    Damgård, I., Ishai, Y.: Constant-round multiparty computation using a black-box pseudorandom generator. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 378–394. Springer, Heidelberg (2005)Google Scholar
  15. [FO97]
    Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997)Google Scholar
  16. [GMW87]
    Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game. In: Proc. STOC, pp. 218–229. ACM Press, New York (1987)Google Scholar
  17. [GMY04]
    Garay, J.A.: Efficient and universally composable committed oblivious transfer and applications. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 297–316. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  18. [HSS93]
    Håstad, J., Schrift, A., Shamir, A.: The discrete logarithm modulo a composite hides o(n) bits. J. Comput. Syst. Sci. 47, 850–864 (1993)Google Scholar
  19. [JJ00]
    Jakobsson, M., Juels, A.: Mix and match: Secure function evaluation via ciphertexts. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 162–177. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  20. [Kil88]
    Kilian, J.: Founding cryptography on oblivious transfer. In: Proc. STOC, pp. 20–31 (1988)Google Scholar
  21. [KO04]
    Katz, J., Ostrovsky, R.: Round-optimal secure two-party computation. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 335–354. Springer, Heidelberg (2004)Google Scholar
  22. [Lin03]
    Lindell, Y.: Parallel coin-tossing and constant-round secure two-party computation. J. Cryptology 16(3), 143–184 (2003)zbMATHCrossRefMathSciNetGoogle Scholar
  23. [Lip03]
    Lipmaa, H.: Verifiable homomorphic oblivious transfer and private equality test. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 416–433. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  24. [LP07]
    Lindell, Y., Pinkas, B.: An efficient protocol for secure two-party computation in the presence of malicious adversaries. In: Proc. EUROCRYPT 2007, these proceedings (2007)Google Scholar
  25. [MF06]
    Mohassel, P., Franklin, M.: Efficiency tradeoffs for malicious two-party computation. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 458–473. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  26. [Pai99]
    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)Google Scholar
  27. [Ped91]
    Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)Google Scholar
  28. [Pin03]
    Pinkas, B.: Fair secure two-party computation. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 87–105. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  29. [Woo07]
    Woodruff, D.: Revisiting the efficiency of malicious two-party computation. In: Proc. EUROCRYPT 2007, these proceedings (2007)Google Scholar
  30. [Yao86]
    Yao, A.: How to generate and exchange secrets. In: Proc. FOCS, pp. 162–167 (1986)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  1. 1.University of California, Irvine, The University of Texas at Austin 

Personalised recommendations