Results 1-10 of 49
Quid-Pro-Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution
Cited by 27 (5 self)
Known protocols for secure two-party computation that are designed to provide full security against malicious behavior are significantly less efficient than protocols intended only to thwart semi-honest adversaries. We present a concrete design and implementation of protocols achieving security guarantees that are much stronger than are possible with semi-honest protocols, at minimal extra cost. Specifically, we consider protocols in which a malicious adversary may learn a single (arbitrary) bit of additional information about the honest party’s input. Correctness of the honest party’s output is still guaranteed. Adapting prior work of Mohassel and Franklin, the basic idea in our protocols is to conduct two separate runs of a (specific) semi-honest, garbled-circuit protocol, with the parties swapping roles, followed by an inexpensive secure equality test. We provide a rigorous definition and prove that this protocol leaks no more than one additional bit against a malicious adversary. In addition, we propose some heuristic enhancements to reduce the overall information a cheating adversary learns. Our experiments show that protocols meeting this security level can be implemented at cost very close to that of protocols that only achieve semi-honest security. Our results indicate that this model enables the large-scale, practical applications possible within the semi-honest security model, while providing dramatically stronger security guarantees. Keywords: secure two-party computation, privacy-preserving protocols.
More efficient oblivious transfer and extensions for faster secure computation
, 2013
Cited by 25 (4 self)
Protocols for secure computation enable parties to compute a joint function on their private inputs without revealing anything but the result. A foundation for secure computation is oblivious transfer (OT), which traditionally requires expensive public-key cryptography. A more efficient way to perform many OTs is to extend a small number of base OTs using OT extensions based on symmetric cryptography. In this work we present optimizations and efficient implementations of OT and OT extensions in the semi-honest model. We propose a novel OT protocol with security in the standard model and improve OT extensions with respect to communication complexity, computation complexity, and scalability. We also provide specific optimizations of OT extensions that are tailored to the secure computation protocols of Yao and Goldreich-Micali-Wigderson and reduce the communication complexity even further. We experimentally verify the efficiency gains of our protocols and optimizations. By applying our implementation to current secure computation frameworks, we can securely compute a Levenshtein distance circuit with 1.29 billion AND gates at a rate of 1.2 million AND gates per second. Moreover, we demonstrate the importance of correctly implementing OT within secure computation protocols by presenting an attack on the FastGC framework.
Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose
Cited by 18 (1 self)
Beginning with the work of Lindell and Pinkas, researchers have proposed several protocols for secure two-party computation based on the cut-and-choose paradigm. In existing instantiations of this paradigm, one party generates κ garbled circuits; some fraction of those are “checked” by the other party, and the remaining fraction are evaluated. We introduce here the idea of symmetric cut-and-choose protocols, in which each party generates κ circuits to be checked by the other party. The main advantage of our technique is that the number κ of garbled circuits can be reduced by a factor of 3 while attaining the same statistical security level as in prior work. Since the number of garbled circuits dominates the costs of the protocol, especially as larger circuits are evaluated, our protocol is expected to run up to 3 times faster than existing schemes. Preliminary experiments validate this claim.
Privacy-Preserving Ridge Regression on Hundreds of Millions of Records
Cited by 16 (1 self)
Ridge regression is an algorithm that takes as input a large number of data points and finds the best-fit linear curve through these points. The algorithm is a building block for many machine-learning operations. We present a system for privacy-preserving ridge regression. The system outputs the best-fit curve in the clear, but exposes no other information about the input data. Our approach combines both homomorphic encryption and Yao garbled circuits, where each is used in a different part of the algorithm to obtain the best performance. We implement the complete system and experiment with it on real datasets, and show that it significantly outperforms pure implementations based only on homomorphic encryption or Yao circuits.
When Private Set Intersection Meets Big Data: An Efficient and Scalable Protocol
Cited by 14 (2 self)
Large-scale data processing brings new challenges to the design of privacy-preserving protocols: how to meet the increasing requirements of speed and throughput of modern applications, and how to scale up smoothly when the data being protected is big. Efficiency and scalability become critical criteria for privacy-preserving protocols in the age of Big Data. In this paper, we present a new Private Set Intersection (PSI) protocol that is extremely efficient and highly scalable compared with existing protocols. The protocol is based on a novel approach that we call oblivious Bloom intersection. It has linear complexity and relies mostly on efficient symmetric-key operations. It has high scalability due to the fact that most operations can be parallelized easily. The protocol has two versions: a basic protocol and an enhanced protocol; the security of the two variants is analyzed and proved in the semi-honest model and the malicious model respectively. A prototype of the basic protocol has been built. We report the result of performance evaluation and compare it against the two previously fastest PSI protocols. Our protocol is orders of magnitude faster than these two protocols. To compute the intersection of two million-element sets, our protocol needs only 41 seconds (80-bit security) and 339 seconds (256-bit security) on moderate hardware in parallel mode.
Privacy-Preserving Applications on Smartphones
Cited by 13 (1 self)
Smartphones are becoming some of our most trusted computing devices. People use them to store highly sensitive information including email, passwords, financial accounts, and medical records. These properties make smartphones an essential platform for privacy-preserving applications. To date, this area remains largely unexplored, mainly because privacy-preserving computation protocols were thought to be too heavyweight for practical applications, even for standard desktops. We propose using smartphones to perform secure multiparty computation. The limitations of smartphones provide a number of challenges for building such applications. In this paper, we introduce the issues that make smartphones a unique platform for secure computation, identify some interesting potential applications, and describe our initial experiences creating privacy-preserving applications on Android devices.
Circuit Structures for Improving Efficiency of Security and Privacy Tools
Cited by 11 (1 self)
Several techniques in computer security, including generic protocols for secure computation and symbolic execution, depend on implementing algorithms in static circuits. Despite substantial improvements in recent years, tools built using these techniques remain too slow for most practical uses. They require transforming arbitrary programs into either Boolean logic circuits, constraint sets on Boolean variables, or other equivalent representations, and the costs of using these tools scale directly with the size of the input circuit. Hence, techniques for more efficient circuit constructions have benefits across these tools. We show efficient circuit constructions for various simple but commonly used data structures including stacks, queues, and associative maps. While current practice requires effectively copying the entire structure for each operation, our techniques take advantage of locality and batching to provide amortized costs that scale polylogarithmically in the size of the structure. We demonstrate how many common array usage patterns can be significantly improved with the help of these circuit structures. We report on experiments using our circuit structures for both generic secure computation using garbled circuits and automated test input generation using symbolic execution, and demonstrate order-of-magnitude improvements for both applications.
Secure outsourced garbled circuit evaluation for mobile devices
, 2012
WYSTERIA: A Programming Language for Generic, Mixed-Mode Multiparty Computations
Cited by 9 (1 self)
... distrusting parties use cryptographic techniques to cooperatively compute over their private data; in the process each party learns only explicitly revealed outputs. In this paper, we present WYSTERIA, a high-level programming language for writing SMCs. As with past languages, like Fairplay, WYSTERIA compiles secure computations to circuits that are executed by an underlying engine. Unlike past work, WYSTERIA provides support for mixed-mode programs, which combine local, private computations with synchronous SMCs. WYSTERIA complements a standard feature set with built-in support for secret shares and with wire bundles, a new abstraction that supports generic n-party computations. We have formalized WYSTERIA, its refinement type system, and its operational semantics. We show that WYSTERIA programs have an easy-to-understand single-threaded interpretation and prove that this view corresponds to the actual multi-threaded semantics. We also prove type soundness, a property we show has security ramifications, namely that information about one party’s data can only be revealed to another via (agreed-upon) secure computations. We have implemented WYSTERIA, and used it to program a variety of interesting SMC protocols from the literature, as well as several new ones. We find that WYSTERIA’s performance is competitive with prior approaches while making programming far easier, and more trustworthy.
Publicly auditable secure multiparty computation
Cited by 8 (0 self)
In the last few years the efficiency of secure multiparty computation (MPC) has increased by several orders of magnitude. However, this alone might not be enough if we want MPC protocols to be used in practice. A crucial property that is needed in many applications is that everyone can check that a given (secure) computation was performed correctly – even in the extreme case where all the parties involved in the computation are corrupted, and even if the party who wants to verify the result was not participating. This is especially relevant in the clients-servers setting, where many clients provide input to a secure computation performed by a few servers. An obvious example of this is electronic voting, but also in many types of auctions one may want independent verification of the result. Traditionally, this is achieved by using non-interactive zero-knowledge proofs during the computation. A recent trend in MPC protocols is to have a more expensive preprocessing phase followed by a very efficient online phase, e.g., the recent so-called SPDZ protocol by Damgård et al. Applications such as voting and some auctions are perfect use cases for these protocols, as the parties usually know well in advance when the computation will take place, and using those protocols allows us to use only cheap information-theoretic primitives in the actual computation. Unfortunately no protocol of the SPDZ type supports an audit phase.