TY - GEN
T1 - Secure computation on the web
T2 - 31st Annual International Cryptology Conference, CRYPTO 2011
AU - Halevi, Shai
AU - Lindell, Yehuda
AU - Pinkas, Benny
N1 - Place of conference:Barbara, CA, USA
PY - 2011
Y1 - 2011
N2 - Secure computation enables mutually suspicious parties to compute a joint function of their private inputs while providing strong security guarantees. However, its use in practice seems limited. We argue that one of the reasons for this is that the model of computation on the web is not suited to the type of communication patterns needed for secure computation. Specifically, in most web scenarios clients independently connect to servers, interact with them and then leave. This rules out the use of secure computation protocols that require that all participants interact simultaneously. We initiate a study of secure computation in a client-server model where each client connects to the server once and interacts with it, without any other client necessarily being connected at the same time. We point out some inherent limitations in this model and present definitions that capture what can be done. We also present a general feasibility result and several truly practical protocols for a number of functions of interest. All our protocols are based on standard assumptions, and we achieve security both in the semi-honest and malicious adversary models.
AB - Secure computation enables mutually suspicious parties to compute a joint function of their private inputs while providing strong security guarantees. However, its use in practice seems limited. We argue that one of the reasons for this is that the model of computation on the web is not suited to the type of communication patterns needed for secure computation. Specifically, in most web scenarios clients independently connect to servers, interact with them and then leave. This rules out the use of secure computation protocols that require that all participants interact simultaneously. We initiate a study of secure computation in a client-server model where each client connects to the server once and interacts with it, without any other client necessarily being connected at the same time. We point out some inherent limitations in this model and present definitions that capture what can be done. We also present a general feasibility result and several truly practical protocols for a number of functions of interest. All our protocols are based on standard assumptions, and we achieve security both in the semi-honest and malicious adversary models.
UR - http://www.scopus.com/inward/record.url?scp=80051976682&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-22792-9_8
DO - 10.1007/978-3-642-22792-9_8
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:80051976682
SN - 9783642227912
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 132
EP - 150
BT - Advances in Cryptology - CRYPTO 2011 - 31st Annual Cryptology Conference, Proceedings
PB - Springer Verlag
Y2 - 14 August 2011 through 18 August 2011
ER -