Results 11-20 of 92
VMCrypt: modular software architecture for scalable secure computation
2010
Cited by 22 (3 self)
Garbled circuits play a key role in secure computation. Unlike previous work, which focused mainly on efficiency and automation aspects of secure computation, in this paper we focus on software modularity and scalability, considering very large circuits. Our main contribution is a virtual machine that dynamically loads hardware descriptions into memory and destructs them as soon as they are done computing. Our software also introduces a new technique for parallel evaluation of garbled circuits. The software is designed in a completely modular fashion, allowing developers to integrate garbled circuits through an API (Abstract Programming Interface), without having to modify the base code. We measure the performance of this architecture on several circuits with hundreds of millions of gates. To the best of our knowledge, these are the largest scalable secure computations done to date.
Secure Two-Party Computation in Sublinear (Amortized) Time
Cited by 18 (3 self)
Traditional approaches to generic secure computation begin by representing the function f being computed as a circuit. If f depends on each of its input bits, this implies a protocol with complexity at least linear in the input size. In fact, linear running time is inherent for nontrivial functions since each party must “touch” every bit of their input lest information about the other party’s input be leaked. This seems to rule out many applications of secure computation (e.g., database search) in scenarios where inputs are huge. Adapting and extending an idea of Ostrovsky and Shoup, we present an approach to secure two-party computation that yields protocols running in sublinear time, in an amortized sense, for functions that can be computed in sublinear time on a random-access machine (RAM). Moreover, each party is required to maintain state that is only (essentially) linear in its own input size. Our protocol applies generic secure two-party computation on top of oblivious RAM (ORAM). We present an optimized version of our protocol using Yao’s garbled-circuit approach and a recent ORAM construction of Shi et al. We describe an implementation of this protocol, and evaluate its performance for the task of obliviously searching a database with over 1 million entries. Because of the cost of our basic steps, our solution is slower than Yao on small inputs. However, our implementation outperforms Yao already on DB sizes of 2^18 entries (a quite small DB by today’s standards).
Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose
Cited by 18 (1 self)
Beginning with the work of Lindell and Pinkas, researchers have proposed several protocols for secure two-party computation based on the cut-and-choose paradigm. In existing instantiations of this paradigm, one party generates κ garbled circuits; some fraction of those are “checked” by the other party, and the remaining fraction are evaluated. We introduce here the idea of symmetric cut-and-choose protocols, in which each party generates κ circuits to be checked by the other party. The main advantage of our technique is that the number κ of garbled circuits can be reduced by a factor of 3 while attaining the same statistical security level as in prior work. Since the number of garbled circuits dominates the costs of the protocol, especially as larger circuits are evaluated, our protocol is expected to run up to 3 times faster than existing schemes. Preliminary experiments validate this claim.
Privacy-Preserving Ridge Regression on Hundreds of Millions of Records
Cited by 16 (1 self)
Ridge regression is an algorithm that takes as input a large number of data points and finds the best-fit linear curve through these points. The algorithm is a building block for many machine-learning operations. We present a system for privacy-preserving ridge regression. The system outputs the best-fit curve in the clear, but exposes no other information about the input data. Our approach combines both homomorphic encryption and Yao garbled circuits, where each is used in a different part of the algorithm to obtain the best performance. We implement the complete system and experiment with it on real datasets, and show that it significantly outperforms pure implementations based only on homomorphic encryption or Yao circuits.
i-Hop Homomorphic Encryption and Rerandomizable Yao Circuits
In Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference, 2010
Cited by 14 (2 self)
Homomorphic encryption (HE) schemes enable computing functions on encrypted data, by means of a public Eval procedure that can be applied to ciphertexts. But the evaluated ciphertexts so generated may differ from freshly encrypted ones. This brings up the question of whether one can keep computing on evaluated ciphertexts. An i-hop homomorphic encryption scheme is one where Eval can be called on its own output up to i times, while still being able to decrypt the result. A multi-hop homomorphic encryption is a scheme which is i-hop for all i. In this work we study i-hop and multi-hop schemes in conjunction with the properties of function-privacy (i.e., Eval’s output hides the function) and compactness (i.e., the output of Eval is short). We provide formal definitions and describe several constructions. First, we observe that “bootstrapping” techniques can be used to convert any (1-hop) homomorphic encryption scheme into an i-hop scheme for any i, and the result inherits the function-privacy and/or compactness of the underlying scheme. However, if the underlying scheme is not compact (such as schemes derived from Yao circuits) then the complexity of the resulting i-hop scheme can be as high as k^O(i). We then describe a specific DDH-based multi-hop homomorphic encryption scheme that does not suffer from this exponential blowup. Although not compact, this scheme has complexity linear in the size of the composed function, independently of the number of hops. The main technical ingredient in this solution is a rerandomizable variant of the Yao circuits. Namely, given a garbled circuit, anyone can regarble it in such a way that even the party that generated the original garbled circuit cannot recognize it. This construction may be of independent interest.
On the Security of the “Free-XOR” Technique
Cited by 14 (0 self)
Yao’s garbled-circuit approach enables constant-round secure two-party computation for any boolean circuit. In Yao’s original construction, each gate in the circuit requires the parties to perform a constant number of encryptions/decryptions, and to send/receive a constant number of ciphertexts. Kolesnikov and Schneider (ICALP 2008) proposed an improvement that allows XOR gates in the circuit to be evaluated “for free”, i.e., incurring no cryptographic operations and zero communication. Their “free-XOR” technique has proven very popular, and has been shown to improve performance of garbled-circuit protocols by up to a factor of 4. Kolesnikov and Schneider proved security of their approach in the random oracle model, and claimed that (an unspecified variant of) correlation robustness would suffice; this claim has been repeated in subsequent work, and similar ideas have since been used (with the same claim about correlation robustness) in other contexts. We show that, in fact, the free-XOR technique cannot be proven secure based on correlation robustness alone: somewhat surprisingly, some form of circular security is also required. We propose an appropriate notion of security for hash functions capturing the necessary requirements, and prove security of the free-XOR approach when instantiated with any hash function satisfying our definition. Our results do not impact the security of the free-XOR technique in practice, or imply an error in the free-XOR work, but instead pin down the assumptions needed to prove security.
Privacy-Preserving Applications on Smartphones
Cited by 13 (1 self)
Smartphones are becoming some of our most trusted computing devices. People use them to store highly sensitive information including email, passwords, financial accounts, and medical records. These properties make smartphones an essential platform for privacy-preserving applications. To date, this area remains largely unexplored mainly because privacy-preserving computation protocols were thought to be too heavyweight for practical applications, even for standard desktops. We propose using smartphones to perform secure multiparty computation. The limitations of smartphones provide a number of challenges for building such applications. In this paper, we introduce the issues that make smartphones a unique platform for secure computation, identify some interesting potential applications, and describe our initial experiences creating privacy-preserving applications on Android devices.
Circuit Structures for Improving Efficiency of Security and Privacy Tools
Cited by 11 (1 self)
Several techniques in computer security, including generic protocols for secure computation and symbolic execution, depend on implementing algorithms in static circuits. Despite substantial improvements in recent years, tools built using these techniques remain too slow for most practical uses. They require transforming arbitrary programs into either Boolean logic circuits, constraint sets on Boolean variables, or other equivalent representations, and the costs of using these tools scale directly with the size of the input circuit. Hence, techniques for more efficient circuit constructions have benefits across these tools. We show efficient circuit constructions for various simple but commonly used data structures including stacks, queues, and associative maps. While current practice requires effectively copying the entire structure for each operation, our techniques take advantage of locality and batching to provide amortized costs that scale polylogarithmically in the size of the structure. We demonstrate how many common array usage patterns can be significantly improved with the help of these circuit structures. We report on experiments using our circuit structures for both generic secure computation using garbled circuits and automated test input generation using symbolic execution, and demonstrate order of magnitude improvements for both applications.
Amortizing Garbled Circuits
In Advances in Cryptology – CRYPTO 2014
Cited by 9 (1 self)
We consider secure two-party computation in a multiple-execution setting, where two parties wish to securely evaluate the same circuit multiple times. We design efficient garbled-circuit-based two-party protocols secure against malicious adversaries. Recent works by Lindell (Crypto 2013) and Huang-Katz-Evans (Crypto 2013) have obtained optimal complexity for cut-and-choose performed over garbled circuits in the single execution setting. We show that it is possible to obtain much lower amortized overhead for cut-and-choose in the multiple-execution setting. Our efficiency improvements result from a novel way to combine a recent technique of Lindell (Crypto 2013) with LEGO-based cut-and-choose techniques (TCC 2009, Eurocrypt 2013). In concrete terms, for 40-bit statistical security we obtain a 2× improvement (per execution) in communication and computation for as few as 7 executions, and require only 8 garbled circuits (i.e., a 5× improvement) per execution for as low as 3500 executions. Our results suggest the exciting possibility that secure two-party computation in the malicious setting can be less than an order of magnitude more expensive than in the semi-honest setting.
Garbling XOR Gates “For Free” in the Standard Model
Cited by 9 (0 self)
Yao’s garbled circuit (GC) technique is a powerful cryptographic tool which allows one to “encrypt” a circuit C by another circuit Ĉ in a way that hides all information except for the final output. Yao’s original construction incurs a constant overhead in both computation and communication per gate of the circuit C (proportional to the complexity of symmetric encryption). Kolesnikov and Schneider (ICALP 2008) introduced an optimized variant that garbles XOR gates “for free” in a way that involves no cryptographic operations and no communication. This variant has become very popular and has led to notable performance improvements. The security of the free-XOR optimization was originally proved in the random oracle model. Despite some partial progress (Choi et al., TCC 2012), the question of replacing the random oracle with a standard cryptographic assumption has remained open. We resolve this question by showing that the free-XOR approach can be realized in the standard model under the learning parity with noise (LPN) assumption. Our result is obtained in two steps: 1. We show that the random oracle can be replaced with a symmetric encryption which remains secure under a combined form of related-key (RK) and key-dependent message (KDM) attacks; 2. We show that such a symmetric encryption can be constructed based on the LPN assumption. As an additional contribution, we prove that the combination of RK and KDM security is nontrivial in the following sense: there exists an encryption scheme which achieves RK security and KDM security separately, but breaks completely in the presence of combined RK-KDM attacks.