Results 1-10 of 64
Pinocchio: Nearly practical verifiable computation
In Proceedings of the IEEE Symposium on Security and Privacy, 2013
Cited by 64 (6 self)
To instill greater confidence in computations outsourced to the cloud, clients should be able to verify the correctness of the results returned. To this end, we introduce Pinocchio, a built system for efficiently verifying general computations while relying only on cryptographic assumptions. With Pinocchio, the client creates a public evaluation key to describe her computation; this setup is proportional to evaluating the computation once. The worker then evaluates the computation on a particular input and uses the evaluation key to produce a proof of correctness. The proof is only 288 bytes, regardless of the computation performed or the size of the inputs and outputs. Anyone can use a public verification key to check the proof. Crucially, our evaluation on seven applications demonstrates that Pinocchio is efficient in practice too. Pinocchio’s verification time is typically 10ms: 5-7 orders of magnitude less than previous work; indeed Pinocchio is the first general-purpose system to demonstrate verification cheaper than native execution (for some apps). Pinocchio also reduces the worker’s proof effort by an additional 19-60×. As an additional feature, Pinocchio generalizes to zero-knowledge proofs at a negligible cost over the base protocol. Finally, to aid development, Pinocchio provides an end-to-end toolchain that compiles a subset of C into programs that implement the verifiable computation protocol.
Efficient Garbling from a Fixed-Key Blockcipher
2013
Cited by 33 (3 self)
We advocate schemes based on fixed-key AES as the best route to highly efficient circuit-garbling. We provide such schemes making only one AES call per garbled-gate evaluation. On the theoretical side, we justify the security of these methods in the random-permutation model, where parties have access to a public random permutation. On the practical side, we provide the JustGarble system, which implements our schemes. JustGarble evaluates moderate-sized garbled-circuits at an
Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries
2013
Cited by 27 (3 self)
In the setting of secure two-party computation, two parties wish to securely compute a joint function of their private inputs, while revealing only the output. One of the primary techniques for achieving efficient secure two-party computation is that of Yao’s garbled circuits (FOCS 1986). In the semi-honest model, where just one garbled circuit is constructed and evaluated, Yao’s protocol has proven itself to be very efficient. However, a malicious adversary who constructs the garbled circuit may construct a garbling of a different circuit computing a different function, and this cannot be detected (due to the garbling). In order to solve this problem, many circuits are sent and some of them are opened to check that they are correct while the others are evaluated. This methodology, called cut-and-choose, introduces significant overhead, both in computation and in communication, and is mainly due to the number of circuits that must be used in order to prevent cheating. In this paper, we present a cut-and-choose protocol for secure computation based on garbled circuits, with security in the presence of malicious adversaries, that vastly improves on all previous protocols of this type. Concretely, for a cheating probability of at most 2^(-40), the best previous works send between 125 and 128 circuits. In contrast, in our protocol 40 circuits alone suffice (with some additional overhead). Asymptotically, we achieve a cheating probability of 2^(-s), where s is the number of garbled circuits, in contrast to the previous best of 2^(-0.32s). We achieve this by introducing a new cut-and-choose methodology with the property that in order to cheat, all of the evaluated circuits must be incorrect, and not just the majority as in previous works. Keywords: two-party computation, Yao’s protocol, cut-and-choose, concrete efficiency
A hybrid architecture for interactive verifiable computation
In IEEE Symposium on Security and Privacy, 2013
Cited by 26 (4 self)
We consider interactive, proof-based verifiable computation: how can a client machine specify a computation to a server, receive an answer, and then engage the server in an interactive protocol that convinces the client that the answer is correct, with less work for the client than executing the computation in the first place? Complexity theory and cryptography offer solutions in principle, but if implemented naively, they are ludicrously expensive. Recently, however, several strands of work have refined this theory and implemented the resulting protocols in actual systems. This work is promising but suffers from one of two problems: either it relies on expensive cryptography, or else it applies to a restricted class of computations. Worse, it is not always clear which protocol will perform better for a given problem. We describe a system that (a) extends optimized refinements of the non-cryptographic protocols to a much broader class of computations, (b) uses static analysis to fail over to the cryptographic ones when the non-cryptographic ones would be more expensive, and (c) incorporates this core into a built system that includes a compiler for a high-level language, a distributed server, and GPU acceleration. Experimental results indicate that our system performs better and applies more widely than the best in the literature.
More efficient oblivious transfer and extensions for faster secure computation
2013
Cited by 25 (4 self)
Protocols for secure computation enable parties to compute a joint function on their private inputs without revealing anything but the result. A foundation for secure computation is oblivious transfer (OT), which traditionally requires expensive public key cryptography. A more efficient way to perform many OTs is to extend a small number of base OTs using OT extensions based on symmetric cryptography. In this work we present optimizations and efficient implementations of OT and OT extensions in the semi-honest model. We propose a novel OT protocol with security in the standard model and improve OT extensions with respect to communication complexity, computation complexity, and scalability. We also provide specific optimizations of OT extensions that are tailored to the secure computation protocols of Yao and Goldreich-Micali-Wigderson and reduce the communication complexity even further. We experimentally verify the efficiency gains of our protocols and optimizations. By applying our implementation to current secure computation frameworks, we can securely compute a Levenshtein distance circuit with 1.29 billion AND gates at a rate of 1.2 million AND gates per second. Moreover, we demonstrate the importance of correctly implementing OT within secure computation protocols by presenting an attack on the FastGC framework.
Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose
Cited by 18 (1 self)
Beginning with the work of Lindell and Pinkas, researchers have proposed several protocols for secure two-party computation based on the cut-and-choose paradigm. In existing instantiations of this paradigm, one party generates κ garbled circuits; some fraction of those are “checked” by the other party, and the remaining fraction are evaluated. We introduce here the idea of symmetric cut-and-choose protocols, in which each party generates κ circuits to be checked by the other party. The main advantage of our technique is that the number κ of garbled circuits can be reduced by a factor of 3 while attaining the same statistical security level as in prior work. Since the number of garbled circuits dominates the costs of the protocol, especially as larger circuits are evaluated, our protocol is expected to run up to 3 times faster than existing schemes. Preliminary experiments validate this claim.
Privacy-Preserving Ridge Regression on Hundreds of Millions of Records
Cited by 16 (1 self)
Ridge regression is an algorithm that takes as input a large number of data points and finds the best-fit linear curve through these points. The algorithm is a building block for many machine-learning operations. We present a system for privacy-preserving ridge regression. The system outputs the best-fit curve in the clear, but exposes no other information about the input data. Our approach combines both homomorphic encryption and Yao garbled circuits, where each is used in a different part of the algorithm to obtain the best performance. We implement the complete system and experiment with it on real datasets, and show that it significantly outperforms pure implementations based only on homomorphic encryption or Yao circuits.
Circuit Structures for Improving Efficiency of Security and Privacy Tools
Cited by 11 (1 self)
Several techniques in computer security, including generic protocols for secure computation and symbolic execution, depend on implementing algorithms in static circuits. Despite substantial improvements in recent years, tools built using these techniques remain too slow for most practical uses. They require transforming arbitrary programs into either Boolean logic circuits, constraint sets on Boolean variables, or other equivalent representations, and the costs of using these tools scale directly with the size of the input circuit. Hence, techniques for more efficient circuit constructions have benefits across these tools. We show efficient circuit constructions for various simple but commonly used data structures including stacks, queues, and associative maps. While current practice requires effectively copying the entire structure for each operation, our techniques take advantage of locality and batching to provide amortized costs that scale polylogarithmically in the size of the structure. We demonstrate how many common array usage patterns can be significantly improved with the help of these circuit structures. We report on experiments using our circuit structures for both generic secure computation using garbled circuits and automated test input generation using symbolic execution, and demonstrate order of magnitude improvements for both applications.
How to Obfuscate Programs Directly
Cited by 11 (0 self)
We propose a new way to obfuscate programs, using composite-order multilinear maps. Our construction operates directly on straight-line programs (arithmetic circuits), rather than converting them to matrix branching programs as in other known approaches. This yields considerable efficiency improvements. For an NC^1 circuit of size s and depth d, with n inputs, we require only O(d^2 s^2 + n^2) multilinear map operations to evaluate the obfuscated circuit, as compared with other known approaches, for which the number of operations is exponential in d. We prove virtual black-box (VBB) security for our construction in a generic model of multilinear maps of hidden composite order, extending previous models for the prime-order setting. Our scheme works either with “noisy” multilinear maps, which can only evaluate expressions of degree λ^c for prespecified constant c; or with “clean” multilinear maps, which can evaluate arbitrary expressions. The “noisy” variant can be instantiated at present with the Coron-Lepoint-Tibouchi scheme, while the existence of “clean” maps is still unknown. With known “noisy” maps, our new obfuscator applies only to NC^1 circuits, requiring the additional assumption of FHE in order to bootstrap to P/poly (as in other obfuscation constructions). From “clean” multilinear maps, on the other hand (whose existence is still open), we present the first approach that would achieve obfuscation for P/poly directly, without FHE. We also introduce the concept of succinct obfuscation, in which the obfuscation overhead size depends only on the length of the input and of the secret part of the circuit. Using our new techniques, along with the assumption that factoring is hard on average, we show that “clean” multilinear maps imply succinct obfuscation for P/poly. For the first time, the only remaining obstacle to implementable obfuscation in practice is the noise growth in known, “noisy” multilinear maps. Our results demonstrate that the question of “clean” multilinear maps is not a technicality, but a central open problem.
Secure outsourced garbled circuit evaluation for mobile devices
2012