Results 11-20 of 120
Automating efficient RAM-model secure computation
in IEEE Symposium on Security and Privacy, 2014
Cited by 19 (8 self)
Abstract—RAM-model secure computation addresses the inherent limitations of circuit-model secure computation considered in almost all previous work. Here, we describe the first automated approach for RAM-model secure computation in the semi-honest model. We define an intermediate representation called SCVM and a corresponding type system suited for RAM-model secure computation. Leveraging compile-time optimizations, our approach achieves order-of-magnitude speedups compared to both circuit-model secure computation and the state-of-the-art RAM-model secure computation.
Secure Two-Party Computation in Sublinear (Amortized) Time
Cited by 18 (3 self)
Abstract—Traditional approaches to generic secure computation begin by representing the function f being computed as a circuit. If f depends on each of its input bits, this implies a protocol with complexity at least linear in the input size. In fact, linear running time is inherent for non-trivial functions since each party must “touch” every bit of their input lest information about the other party’s input be leaked. This seems to rule out many applications of secure computation (e.g., database search) in scenarios where inputs are huge. Adapting and extending an idea of Ostrovsky and Shoup, we present an approach to secure two-party computation that yields protocols running in sublinear time, in an amortized sense, for functions that can be computed in sublinear time on a random-access machine (RAM). Moreover, each party is required to maintain state that is only (essentially) linear in its own input size. Our protocol applies generic secure two-party computation on top of oblivious RAM (ORAM). We present an optimized version of our protocol using Yao’s garbled-circuit approach and a recent ORAM construction of Shi et al. We describe an implementation of this protocol, and evaluate its performance for the task of obliviously searching a database with over 1 million entries. Because of the cost of our basic steps, our solution is slower than Yao on small inputs. However, our implementation outperforms Yao already on DB sizes of 2^18 entries (a quite small DB by today’s standards).
Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose
Cited by 18 (1 self)
Abstract—Beginning with the work of Lindell and Pinkas, researchers have proposed several protocols for secure two-party computation based on the cut-and-choose paradigm. In existing instantiations of this paradigm, one party generates κ garbled circuits; some fraction of those are “checked” by the other party, and the remaining fraction are evaluated. We introduce here the idea of symmetric cut-and-choose protocols, in which each party generates κ circuits to be checked by the other party. The main advantage of our technique is that the number κ of garbled circuits can be reduced by a factor of 3 while attaining the same statistical security level as in prior work. Since the number of garbled circuits dominates the costs of the protocol, especially as larger circuits are evaluated, our protocol is expected to run up to 3 times faster than existing schemes. Preliminary experiments validate this claim.
MiniLEGO: Efficient Secure Two-Party Computation From General Assumptions (Full Version)
Cited by 16 (2 self)
Abstract—One of the main tools to construct secure two-party computation protocols are Yao garbled circuits. Using the cut-and-choose technique, one can get reasonably efficient Yao-based protocols with security against malicious adversaries. At TCC 2009, Nielsen and Orlandi [NO09] suggested to apply cut-and-choose at the gate level, while previously cut-and-choose was applied on the circuit as a whole. This appealing idea allows for a speed up with practical significance (in the order of the logarithm of the size of the circuit) and has become known as the “LEGO” construction. Unfortunately the construction in [NO09] is based on a specific number-theoretic assumption and requires public-key operations per gate of the circuit. The main technical contribution of this work is a new XOR-homomorphic commitment scheme based on oblivious transfer, that we use to cope with the problem of connecting the gates in the LEGO construction. Our new protocol has the following advantages: 1. It maintains the efficiency of the LEGO cut-and-choose. 2. After a number of seed oblivious transfers linear in the security parameter, the construction uses only primitives from Minicrypt (i.e., private-key cryptography) per gate in the circuit (hence the name MiniLEGO).
Privacy-Preserving Ridge Regression on Hundreds of Millions of Records
Cited by 16 (1 self)
Abstract—Ridge regression is an algorithm that takes as input a large number of data points and finds the best-fit linear curve through these points. The algorithm is a building block for many machine-learning operations. We present a system for privacy-preserving ridge regression. The system outputs the best-fit curve in the clear, but exposes no other information about the input data. Our approach combines both homomorphic encryption and Yao garbled circuits, where each is used in a different part of the algorithm to obtain the best performance. We implement the complete system and experiment with it on real datasets, and show that it significantly outperforms pure implementations based only on homomorphic encryption or Yao circuits.
Secure and efficient outsourcing of sequence comparisons
In: Proceedings of the European Symposium on Research in Computer Security, ESORICS’12
Cited by 14 (3 self)
Abstract—In this work we treat the problem of secure outsourcing of sequence comparisons by a client to remote servers. The sequence comparison problem, given two strings λ and µ of respective lengths n and m, consists of finding a minimum-cost sequence of insertions, deletions, and substitutions (also called an edit script) that transform λ into µ. In our framework a client owns strings λ and µ and outsources the computation to two remote servers without revealing to them information about either the input strings or the output sequence. Our solution is non-interactive for the client (who only sends information about the inputs and receives the output) and the client’s work is linear in its input/output. The servers’ performance is O(σmn) computation (which is optimal) and communication, where σ is the alphabet size, and the solution is designed to work when the servers have only O(σ(m + n)) memory. By utilizing garbled circuit evaluation techniques in a novel way, we completely avoid the use of public-key cryptography, which makes our solution efficient in practice.
On the Security of the “Free-XOR” Technique
Cited by 14 (0 self)
Abstract—Yao’s garbled-circuit approach enables constant-round secure two-party computation for any boolean circuit. In Yao’s original construction, each gate in the circuit requires the parties to perform a constant number of encryptions/decryptions, and to send/receive a constant number of ciphertexts. Kolesnikov and Schneider (ICALP 2008) proposed an improvement that allows XOR gates in the circuit to be evaluated “for free”, i.e., incurring no cryptographic operations and zero communication. Their “free-XOR” technique has proven very popular, and has been shown to improve performance of garbled-circuit protocols by up to a factor of 4. Kolesnikov and Schneider proved security of their approach in the random oracle model, and claimed that (an unspecified variant of) correlation robustness would suffice; this claim has been repeated in subsequent work, and similar ideas have since been used (with the same claim about correlation robustness) in other contexts. We show that, in fact, the free-XOR technique cannot be proven secure based on correlation robustness alone: somewhat surprisingly, some form of circular security is also required. We propose an appropriate notion of security for hash functions capturing the necessary requirements, and prove security of the free-XOR approach when instantiated with any hash function satisfying our definition. Our results do not impact the security of the free-XOR technique in practice, or imply an error in the free-XOR work, but instead pin down the assumptions needed to prove security.
Privacy-Preserving Applications on Smartphones
Cited by 13 (1 self)
Abstract—Smartphones are becoming some of our most trusted computing devices. People use them to store highly sensitive information including email, passwords, financial accounts, and medical records. These properties make smartphones an essential platform for privacy-preserving applications. To date, this area remains largely unexplored mainly because privacy-preserving computation protocols were thought to be too heavyweight for practical applications, even for standard desktops. We propose using smartphones to perform secure multi-party computation. The limitations of smartphones provide a number of challenges for building such applications. In this paper, we introduce the issues that make smartphones a unique platform for secure computation, identify some interesting potential applications, and describe our initial experiences creating privacy-preserving applications on Android devices.
Circuit Structures for Improving Efficiency of Security and Privacy Tools
Cited by 11 (1 self)
Abstract—Several techniques in computer security, including generic protocols for secure computation and symbolic execution, depend on implementing algorithms in static circuits. Despite substantial improvements in recent years, tools built using these techniques remain too slow for most practical uses. They require transforming arbitrary programs into either Boolean logic circuits, constraint sets on Boolean variables, or other equivalent representations, and the costs of using these tools scale directly with the size of the input circuit. Hence, techniques for more efficient circuit constructions have benefits across these tools. We show efficient circuit constructions for various simple but commonly used data structures including stacks, queues, and associative maps. While current practice requires effectively copying the entire structure for each operation, our techniques take advantage of locality and batching to provide amortized costs that scale polylogarithmically in the size of the structure. We demonstrate how many common array usage patterns can be significantly improved with the help of these circuit structures. We report on experiments using our circuit structures for both generic secure computation using garbled circuits and automated test input generation using symbolic execution, and demonstrate order of magnitude improvements for both applications.
Secure outsourced garbled circuit evaluation for mobile devices
, 2012