Results 1  10
of
92
Fully Homomorphic Encryption over the Integers
, 2009
"... We construct a simple fully homomorphic encryption scheme, using only elementary modular arithmetic. We use Gentry’s technique to construct fully homomorphic scheme from a “bootstrappable” somewhat homomorphic scheme. However, instead of using ideal lattices over a polynomial ring, our bootstrappabl ..."
Abstract

Cited by 138 (10 self)
 Add to MetaCart
We construct a simple fully homomorphic encryption scheme, using only elementary modular arithmetic. We use Gentry’s technique to construct fully homomorphic scheme from a “bootstrappable” somewhat homomorphic scheme. However, instead of using ideal lattices over a polynomial ring, our bootstrappable encryption scheme merely uses addition and multiplication over the integers. The main appeal of our scheme is the conceptual simplicity. We reduce the security of our scheme to finding an approximate integer gcd – i.e., given a list of integers that are nearmultiples of a hidden integer, output that hidden integer. We investigate the hardness of this task, building on earlier work of HowgraveGraham.
Secure Twoparty Computation is Practical
 In Advances in Cryptology — Asiacrypt
, 2009
"... Abstract. Secure multiparty computation has been considered by the cryptographic community for a number of years. Until recently it has been a purely theoretical area, with few implementations with which to test various ideas. This has led to a number of optimisations being proposed which are quite ..."
Abstract

Cited by 102 (18 self)
 Add to MetaCart
Abstract. Secure multiparty computation has been considered by the cryptographic community for a number of years. Until recently it has been a purely theoretical area, with few implementations with which to test various ideas. This has led to a number of optimisations being proposed which are quite restricted in their application. In this paper we describe an implementation of the twoparty case, using Yao’s garbled circuits, and present various algorithmic protocol improvements. These optimisations are analysed both theoretically and empirically, using experiments of various adversarial situations. Our experimental data is provided for reasonably large circuits, including one which performs an AES encryption, a problem which we discuss in the context of various possible applications. 1
Private Set Intersection: Are Garbled Circuits Better than Custom Protocols?
, 2012
"... Cryptographic protocols for Private Set Intersection (PSI) are the basis for many important privacypreserving applications. Over the past few years, intensive research has been devoted to designing custom protocols for PSI based on homomorphic encryption and other publickey techniques, apparently ..."
Abstract

Cited by 50 (7 self)
 Add to MetaCart
(Show Context)
Cryptographic protocols for Private Set Intersection (PSI) are the basis for many important privacypreserving applications. Over the past few years, intensive research has been devoted to designing custom protocols for PSI based on homomorphic encryption and other publickey techniques, apparently due to the belief that solutions using generic approaches would be impractical. This paper explores the validity of that belief. We develop three classes of protocols targeted to different set sizes and domains, all based on Yao’s generic garbledcircuit method. We then compare the performance of our protocols to the fastest custom PSI protocols in the literature. Our results show that a careful application of garbled circuits leads to solutions that can run on millionelement sets on typical desktops, and that can be competitive with the fastest custom protocols. Moreover, generic protocols like ours can be used directly for performing more complex secure computations, something we demonstrate by adding a simple informationauditing mechanism to our PSI protocols.
Reusable garbled circuits and succinct functional encryption
, 2013
"... Garbled circuits, introduced by Yao in the mid 80s, allow computing a function f on an input x without leaking anything about f or x besides f(x). Garbled circuits found numerous applications, but every known construction suffers from one limitation: it offers no security if used on multiple inputs ..."
Abstract

Cited by 42 (3 self)
 Add to MetaCart
(Show Context)
Garbled circuits, introduced by Yao in the mid 80s, allow computing a function f on an input x without leaking anything about f or x besides f(x). Garbled circuits found numerous applications, but every known construction suffers from one limitation: it offers no security if used on multiple inputs x. In this paper, we construct for the first time reusable garbled circuits. The key building block is a new succinct singlekey functional encryption scheme. Functional encryption is an ambitious primitive: given an encryption Enc(x) of a value x, and a secret key skf for a function f, anyone can compute f(x) without learning any other information about x. We construct, for the first time, a succinct functional encryption scheme for any polynomialtime function f where succinctness means that the ciphertext size does not grow with the size of the circuit for f, but only with its depth. The security of our construction is based on the intractability of the Learning with Errors (LWE) problem and holds as long as an adversary has access to a single key skf (or even an a priori bounded number of keys for different functions). Building on our succinct singlekey functional encryption scheme, we show several new applications in addition to reusable garbled circuits, such as a paradigm for general function obfuscation which we call tokenbased obfuscation, homomorphic encryption for a class of Turing machines where the evaluation runs in inputspecific time rather than worstcase time, and a scheme for delegating computation which is publicly verifiable and maintains the privacy of the computation.
A Simple BGNtype Cryptosystem from LWE
 Proceedings of Eurocrypt 2010, LNCS 6110
, 2010
"... We construct a simple publickey encryption scheme that supports polynomially many additions and one multiplication, similarly to the cryptosystem of Boneh, Goh, and Nissim (BGN). Security is based on the hardness of learning with errors (LWE), which is known to be as hard as certain worstcase latt ..."
Abstract

Cited by 38 (5 self)
 Add to MetaCart
We construct a simple publickey encryption scheme that supports polynomially many additions and one multiplication, similarly to the cryptosystem of Boneh, Goh, and Nissim (BGN). Security is based on the hardness of learning with errors (LWE), which is known to be as hard as certain worstcase lattice problems. Some features of our cryptosystem include support for large message space, an easy way of achieving formulaprivacy, and a better messagetociphertext expansion ratio than BGN. Also, it offers an easy way of multiplying two encrypted polynomials.
Efficient Garbling from a FixedKey Blockcipher
, 2013
"... Abstract. We advocate schemes based on fixedkey AES as the best route to highly efficient circuitgarbling. We provide such schemes making only one AES call per garbledgate evaluation. On the theoretical side, we justify the security of these methods in the randompermutation model, where parties h ..."
Abstract

Cited by 33 (3 self)
 Add to MetaCart
Abstract. We advocate schemes based on fixedkey AES as the best route to highly efficient circuitgarbling. We provide such schemes making only one AES call per garbledgate evaluation. On the theoretical side, we justify the security of these methods in the randompermutation model, where parties have access to a public random permutation. On the practical side, we provide the JustGarble system, which implements our schemes. JustGarble evaluates moderatesized garbledcircuits at an
Efficient PrivacyPreserving Biometric Identification
"... We present an efficient matching protocol that can be used in many privacypreserving biometric identification systems in the semihonest setting. Our most general technical contribution is a new backtracking protocol that uses the byproduct of evaluating a garbled circuit to enable efficient oblivi ..."
Abstract

Cited by 32 (8 self)
 Add to MetaCart
(Show Context)
We present an efficient matching protocol that can be used in many privacypreserving biometric identification systems in the semihonest setting. Our most general technical contribution is a new backtracking protocol that uses the byproduct of evaluating a garbled circuit to enable efficient oblivious information retrieval. We also present a more efficient protocol for computing the Euclidean distances of vectors, and optimized circuits for finding the closest match between a point held by one party and a set of points held by another. We evaluate our protocols by implementing a practical privacypreserving fingerprint matching system. 1
QuidProQuotocols: Strengthening SemiHonest Protocols with Dual Execution
"... Abstract—Known protocols for secure twoparty computation that are designed to provide full security against malicious behavior are significantly less efficient than protocols intended only to thwart semihonest adversaries. We present a concrete design and implementation of protocols achieving secu ..."
Abstract

Cited by 27 (5 self)
 Add to MetaCart
(Show Context)
Abstract—Known protocols for secure twoparty computation that are designed to provide full security against malicious behavior are significantly less efficient than protocols intended only to thwart semihonest adversaries. We present a concrete design and implementation of protocols achieving security guarantees that are much stronger than are possible with semihonest protocols, at minimal extra cost. Specifically, we consider protocols in which a malicious adversary may learn a single (arbitrary) bit of additional information about the honest party’s input. Correctness of the honest party’s output is still guaranteed. Adapting prior work of Mohassel and Franklin, the basic idea in our protocols is to conduct two separate runs of a (specific) semihonest, garbledcircuit protocol, with the parties swapping roles, followed by an inexpensive secure equality test. We provide a rigorous definition and prove that this protocol leaks no more than one additional bit against a malicious adversary. In addition, we propose some heuristic enhancements to reduce the overall information a cheating adversary learns. Our experiments show that protocols meeting this security level can be implemented at cost very close to that of protocols that only achieve semihonest security. Our results indicate that this model enables the largescale, practical applications possible within the semihonest security model, while providing dramatically stronger security guarantees. Keywordssecure twoparty computation, privacypreserving protocols. I.
Bounded KeyDependent Message Security
, 2009
"... We construct the first publickey encryption scheme that is proven secure (in the standard model, under standard assumptions) even when the attacker gets access to encryptions of arbitrary efficient functions of the secret key. Specifically, under either the DDH or LWE assumption, for every polynomi ..."
Abstract

Cited by 23 (3 self)
 Add to MetaCart
We construct the first publickey encryption scheme that is proven secure (in the standard model, under standard assumptions) even when the attacker gets access to encryptions of arbitrary efficient functions of the secret key. Specifically, under either the DDH or LWE assumption, for every polynomials L and N we obtain a publickey encryption scheme that resists keydependent message (KDM) attacks for up to N(k) public keys and functions of circuit size up to L(k), where k denotes the size of the secret key. We call such a scheme bounded KDM secure. Moreover, we show that our scheme suffices for one of the important applications of KDM security: ability to securely instantiate symbolic protocols with axiomatic proofs of security. We also observe that any fully homomorphic encryption scheme which additionally enjoys circular security and circuit privacy is fully KDM secure in the sense that the encryption and decryption algorithms can be independent of the polynomials L and N as above. Thus, the recent fully homomorphic encryption scheme of Gentry (STOC 2009) is fully KDM secure under certain nonstandard hardness assumptions. Previous works obtained either full KDM security in the random oracle model (Black et al., SAC 2002) or security with respect to a very restricted class of functions (e.g., clique/circular security and affine functions, Boneh et al., CRYPTO 2008, and Applebaum et al., CRYPTO 2009). Our main result is based on a combination of the circularsecure encryption scheme of either Boneh et al. or Applebaum et al. with Yao’s garbled circuit construction. Finally, we extend the impossibility result of Haitner and Holenstein (TCC 2009), showing that it is impossible to prove KDM security against a family of query functions that contains exponentially hard pseudorandom functions, using only blackbox access to the query function and the adversary attacking the scheme. This proves that the nonblackbox usage of the query function in our proof of security makes to the KDM query function is inherent. Keywords: KDM/clique/circular security; fully homomorphic encryption; formal security. 1
How to Garble RAM Programs ∗
"... Assuming solely the existence of oneway functions, we show how to construct Garbled RAM Programs (GRAM) where its size only depends on fixed polynomial in the security parameter times the program running time. We stress that we avoid converting the RAM programs into circuits. As an example, our tec ..."
Abstract

Cited by 22 (2 self)
 Add to MetaCart
(Show Context)
Assuming solely the existence of oneway functions, we show how to construct Garbled RAM Programs (GRAM) where its size only depends on fixed polynomial in the security parameter times the program running time. We stress that we avoid converting the RAM programs into circuits. As an example, our techniques implies the first garbled binary search program (searching over sorted encrypted data stored in a cloud) which is polylogarithmic in the data size instead of linear. Our result requires the existence of oneway function and enjoys the same noninteractive properties as Yao’s original garbled circuits.