Results 1  10
of
23
Billiongate secure computation with malicious adversaries
 In USENIX Security
, 2012
"... The goal of this paper is to assess the feasibility of twoparty secure computation in the presence of a malicious adversary. Prior work has shown the feasibility of billiongate circuits in the semihonest model, but only the 35kgate AES circuit in the malicious model, in part because security in ..."
Abstract

Cited by 64 (1 self)
 Add to MetaCart
(Show Context)
The goal of this paper is to assess the feasibility of twoparty secure computation in the presence of a malicious adversary. Prior work has shown the feasibility of billiongate circuits in the semihonest model, but only the 35kgate AES circuit in the malicious model, in part because security in the malicious model is much harder to achieve. We show that by incorporating the best known techniques and parallelizing almost all steps of the resulting protocol, evaluating billiongate circuits is feasible in the malicious model. Our results are in the standard model (i.e., no common reference strings or PKIs) and, in contrast to prior work, we do not use the random oracle model which has wellestablished theoretical shortcomings. 1
Private Set Intersection: Are Garbled Circuits Better than Custom Protocols?
, 2012
"... Cryptographic protocols for Private Set Intersection (PSI) are the basis for many important privacypreserving applications. Over the past few years, intensive research has been devoted to designing custom protocols for PSI based on homomorphic encryption and other publickey techniques, apparently ..."
Abstract

Cited by 49 (7 self)
 Add to MetaCart
(Show Context)
Cryptographic protocols for Private Set Intersection (PSI) are the basis for many important privacypreserving applications. Over the past few years, intensive research has been devoted to designing custom protocols for PSI based on homomorphic encryption and other publickey techniques, apparently due to the belief that solutions using generic approaches would be impractical. This paper explores the validity of that belief. We develop three classes of protocols targeted to different set sizes and domains, all based on Yao’s generic garbledcircuit method. We then compare the performance of our protocols to the fastest custom PSI protocols in the literature. Our results show that a careful application of garbled circuits leads to solutions that can run on millionelement sets on typical desktops, and that can be competitive with the fastest custom protocols. Moreover, generic protocols like ours can be used directly for performing more complex secure computations, something we demonstrate by adding a simple informationauditing mechanism to our PSI protocols.
More efficient oblivious transfer and extensions for faster secure computation
, 2013
"... Protocols for secure computation enable parties to compute a joint function on their private inputs without revealing anything but the result. A foundation for secure computation is oblivious transfer (OT), which traditionally requires expensive public key cryptography. A more efficient way to perf ..."
Abstract

Cited by 28 (5 self)
 Add to MetaCart
Protocols for secure computation enable parties to compute a joint function on their private inputs without revealing anything but the result. A foundation for secure computation is oblivious transfer (OT), which traditionally requires expensive public key cryptography. A more efficient way to perform many OTs is to extend a small number of base OTs using OT extensions based on symmetric cryptography. In this work we present optimizations and efficient implementations of OT and OT extensions in the semihonest model. We propose a novel OT protocol with security in the standard model and improve OT extensions with respect to communication complexity, computation complexity, and scalability. We also provide specific optimizations of OT extensions that are tailored to the secure computation protocols of Yao and GoldreichMicaliWigderson and reduce the communication complexity even further. We experimentally verify the efficiency gains of our protocols and optimizations. By applying our implementation to current secure computation frameworks, we can securely compute a Levenshtein distance circuit with 1.29 billion AND gates at a rate of 1.2 million AND gates per second. Moreover, we demonstrate the importance of correctly implementing OT within secure computation protocols by presenting an attack on the FastGC framework.
Resolving the conflict between generality and plausibility in verified computation. Cryptology ePrint Archive,
, 2012
"... Abstract. The area of proofbased verified computation (outsourced computation built atop probabilistically checkable proofs and cryptographic machinery) has lately seen renewed interest. Although recent work has made great strides in reducing the overhead of naive applications of the theory, these ..."
Abstract

Cited by 25 (5 self)
 Add to MetaCart
(Show Context)
Abstract. The area of proofbased verified computation (outsourced computation built atop probabilistically checkable proofs and cryptographic machinery) has lately seen renewed interest. Although recent work has made great strides in reducing the overhead of naive applications of the theory, these schemes still cannot be considered practical. A core issue is that the work for the server is immense, in general; it is practical only for handcompiled computations that can be expressed in special forms. This paper addresses that problem. Provided one is willing to batch verification, we develop a protocol that achieves the efficiency of the best manually constructed protocols in the literature yet applies to most computations. We show that Quadratic Arithmetic Programs, a new formalism for representing computations efficiently, can yield a particularly efficient PCP that integrates easily into the core protocols, resulting in a server whose work is roughly linear in the running time of the computation. We implement this protocol in the context of a system, called Zaatar, that includes a compiler and a GPU implementation. Zaatar is almost usable for real problemswithout specialpurpose tailoring. We argue that many (but not all) of the next research questions in verified computation are questions in secure systems.
Secure TwoParty Computation in Sublinear (Amortized) Time
"... Traditional approaches to generic secure computation begin by representing the function f being computed as a circuit. If f depends on each of its input bits, this implies a protocol with complexity at least linear in the input size. In fact, linear running time is inherent for nontrivial functions ..."
Abstract

Cited by 18 (3 self)
 Add to MetaCart
(Show Context)
Traditional approaches to generic secure computation begin by representing the function f being computed as a circuit. If f depends on each of its input bits, this implies a protocol with complexity at least linear in the input size. In fact, linear running time is inherent for nontrivial functions since each party must “touch ” every bit of their input lest information about the other party’s input be leaked. This seems to rule out many applications of secure computation (e.g., database search) in scenarios where inputs are huge. Adapting and extending an idea of Ostrovsky and Shoup, we present an approach to secure twoparty computation that yields protocols running in sublinear time, in an amortized sense, for functions that can be computed in sublinear time on a randomaccess machine (RAM). Moreover, each party is required to maintain state that is only (essentially) linear in its own input size. Our protocol applies generic secure twoparty computation on top of oblivious RAM (ORAM). We present an optimized version of our protocol using Yao’s garbledcircuit approach and a recent ORAM construction of Shi et al. We describe an implementation of this protocol, and evaluate its performance for the task of obliviously searching a database with over 1 million entries. Because of the cost of our basic steps, our solution is slower than Yao on small inputs. However, our implementation outperforms Yao already on DB sizes of 2 18 entries (a quite small DB by today’s standards). 1.
Secure outsourced garbled circuit evaluation for mobile devices
, 2012
"... Open access to the Proceedings of the ..."
(Show Context)
On the Security of the “FreeXOR” Technique
"... Yao’s garbledcircuit approach enables constantround secure twoparty computation for any boolean circuit. In Yao’s original construction, each gate in the circuit requires the parties to perform a constant number of encryptions/decryptions, and to send/receive a constant number of ciphertexts. Kol ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
Yao’s garbledcircuit approach enables constantround secure twoparty computation for any boolean circuit. In Yao’s original construction, each gate in the circuit requires the parties to perform a constant number of encryptions/decryptions, and to send/receive a constant number of ciphertexts. Kolesnikov and Schneider (ICALP 2008) proposed an improvement that allows XOR gates in the circuit to be evaluated “for free”, i.e., incurring no cryptographic operations and zero communication. Their “freeXOR ” technique has proven very popular, and has been shown to improve performance of garbledcircuit protocols by up to a factor of 4. Kolesnikov and Schneider proved security of their approach in the random oracle model, and claimed that (an unspecified variant of) correlation robustness would suffice; this claim has been repeated in subsequent work, and similar ideas have since been used (with the same claim about correlation robustness) in other contexts. We show that, in fact, the freeXOR technique cannot be proven secure based on correlation robustness alone: somewhat surprisingly, some form of circular security is also required. We propose an appropriate notion of security for hash functions capturing the necessary requirements, and prove security of the freeXOR approach when instantiated with any hash function satisfying our definition. Our results do not impact the security of the freeXOR technique in practice, or imply an error in the freeXOR work, but instead pin down the assumptions needed to prove security.
Secure multiparty computation of boolean circuits with applications to privacy in online marketplaces
 In Cryptology ePrint Archive, Report 2011/257, 2011. Available at http://eprint.iacr.org/2011/257
"... Abstract. Protocols for generic secure multipartycomputation (MPC) generally come in two forms: they either represent the function being computed as a boolean circuit, or as an arithmetic circuit over a large field. Either type of protocol can be used for any function, but the choice of which proto ..."
Abstract

Cited by 12 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Protocols for generic secure multipartycomputation (MPC) generally come in two forms: they either represent the function being computed as a boolean circuit, or as an arithmetic circuit over a large field. Either type of protocol can be used for any function, but the choice of which protocol to use can have a significant impact on efficiency. The magnitude of the effect, however, has never been quantified. With this in mind, we implement the MPC protocol of Goldreich, Micali, and Wigderson [13], which uses a boolean representation and is secure against a semihonest adversary corrupting any number of parties. We then consider applications of secure MPC in online marketplaces, where customers select resources advertised by providers and it is desired to ensure privacy to the extent possible. Problems here are more naturally formulated in terms of boolean circuits, and we study the performance of our MPC implementation relative to existing ones that use an arithmeticcircuit representation. Ourprotocol easily handles tens ofcustomers/providers and thousands of resources, and outperforms existing implementations including FairplayMP [3], VIFF [11], and SEPIA [7]. 1
RoundEfficient Oblivious Database Manipulation
 Information Security, volume 7001 of LNCS
"... Abstract. Most of the multiparty computation frameworks can be viewed as oblivious databases where data is stored and processed in a secretshared form. However, data manipulation in such databases can be slow and cumbersome without dedicated protocols for certain database operations. In this paper ..."
Abstract

Cited by 12 (4 self)
 Add to MetaCart
(Show Context)
Abstract. Most of the multiparty computation frameworks can be viewed as oblivious databases where data is stored and processed in a secretshared form. However, data manipulation in such databases can be slow and cumbersome without dedicated protocols for certain database operations. In this paper, we provide efficient protocols for oblivious selection, filtering and shuffle—essential tools in privacypreserving data analysis. As the first contribution, we present a 1outofn oblivious transfer protocol with O(log log n) rounds, which achieves optimal communication and time complexity and works over any ring ZN. Secondly, we show that the round complexity τbd of a bit decomposition protocol can be almost matched with oblivious transfer, and that there exists an oblivious transfer protocol with O(τbd log ∗ n) rounds. Finally, we also show how to construct roundefficient shuffle protocols with optimal asymptotic computation complexity and provide several optimizations.
Garbling XOR Gates “For Free” in the Standard Model
"... Yao’s garbled circuit (GC) technique is a powerful cryptographic tool which allows to “encrypt” a circuit C by another circuit Ĉ in a way that hides all information except for the final output. Yao’s original construction incurs a constant overhead in both computation and communication per gate of t ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
Yao’s garbled circuit (GC) technique is a powerful cryptographic tool which allows to “encrypt” a circuit C by another circuit Ĉ in a way that hides all information except for the final output. Yao’s original construction incurs a constant overhead in both computation and communication per gate of the circuit C (proportional to the complexity of symmetric encryption). Kolesnikov and Schneider (ICALP 2008) introduced an optimized variant that garbles XOR gates “for free ” in a way that involves no cryptographic operations and no communication. This variant has become very popular and has lead to notable performance improvements. The security of the freeXOR optimization was originally proved in the random oracle model. Despite some partial progress (Choi et al., TCC 2012), the question of replacing the random oracle with a standard cryptographic assumption has remained open. We resolve this question by showing that the freeXOR approach can be realized in the standard model under the learning parity with noise (LPN) assumption. Our result is obtained in two steps: 1. We show that the random oracle can be replaced with a symmetric encryption which remains secure under a combined form of relatedkey (RK) and keydependent message (KDM) attacks; 2. We show that such a symmetric encryption can be constructed based on the LPN assumption. As an additional contribution, we prove that the combination of RK and KDM security is nontrivial in the following sense: There exists an encryption scheme which achieves RK security and KDM security separately, but breaks completely at the presence of combined RKKDM attacks.