Results 1  10
of
64
(Leveled) Fully Homomorphic Encryption without Bootstrapping
"... We present a novel approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary ..."
Abstract

Cited by 74 (9 self)
 Add to MetaCart
(Show Context)
We present a novel approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomialsize circuits), without Gentry’s bootstrapping procedure. Specifically, we offer a choice of FHE schemes based on the learning with error (LWE) or Ring LWE (RLWE) problems that have 2λ security against known attacks. We construct: • A leveled FHE scheme that can evaluate depthL arithmetic circuits (composed of fanin 2 gates) using Õ(λ·L3) pergate computation. That is, the computation is quasilinear in the security parameter. Security is based on RLWE for an approximation factor exponential in L. This construction does not use the bootstrapping procedure. • A leveled FHE scheme that can evaluate depthL arithmetic circuits (composed of fanin 2 gates) using Õ(λ2) pergate computation, which is independent of L. Security is based on RLWE for quasipolynomial factors. This construction uses bootstrapping as an
Billiongate secure computation with malicious adversaries
 In USENIX Security
, 2012
"... The goal of this paper is to assess the feasibility of twoparty secure computation in the presence of a malicious adversary. Prior work has shown the feasibility of billiongate circuits in the semihonest model, but only the 35kgate AES circuit in the malicious model, in part because security in ..."
Abstract

Cited by 66 (1 self)
 Add to MetaCart
(Show Context)
The goal of this paper is to assess the feasibility of twoparty secure computation in the presence of a malicious adversary. Prior work has shown the feasibility of billiongate circuits in the semihonest model, but only the 35kgate AES circuit in the malicious model, in part because security in the malicious model is much harder to achieve. We show that by incorporating the best known techniques and parallelizing almost all steps of the resulting protocol, evaluating billiongate circuits is feasible in the malicious model. Our results are in the standard model (i.e., no common reference strings or PKIs) and, in contrast to prior work, we do not use the random oracle model which has wellestablished theoretical shortcomings. 1
Pinocchio: Nearly practical verifiable computation
 In Proceedings of the IEEE Symposium on Security and Privacy
, 2013
"... To instill greater confidence in computations outsourced to the cloud, clients should be able to verify the correctness of the results returned. To this end, we introduce Pinocchio, a built system for efficiently verifying general computations while relying only on cryptographic assumptions. With Pi ..."
Abstract

Cited by 64 (6 self)
 Add to MetaCart
(Show Context)
To instill greater confidence in computations outsourced to the cloud, clients should be able to verify the correctness of the results returned. To this end, we introduce Pinocchio, a built system for efficiently verifying general computations while relying only on cryptographic assumptions. With Pinocchio, the client creates a public evaluation key to describe her computation; this setup is proportional to evaluating the computation once. The worker then evaluates the computation on a particular input and uses the evaluation key to produce a proof of correctness. The proof is only 288 bytes, regardless of the computation performed or the size of the inputs and outputs. Anyone can use a public verification key to check the proof. Crucially, our evaluation on seven applications demonstrates that Pinocchio is efficient in practice too. Pinocchio’s verification time is typically 10ms: 57 orders of magnitude less than previous work; indeed Pinocchio is the first generalpurpose system to demonstrate verification cheaper than native execution (for some apps). Pinocchio also reduces the worker’s proof effort by an additional 1960×. As an additional feature, Pinocchio generalizes to zeroknowledge proofs at a negligible cost over the base protocol. Finally, to aid development, Pinocchio provides an endtoend toolchain that compiles a subset of C into programs that implement the verifiable computation protocol. 1
Optimizing ORAM and Using it Efficiently for Secure Computation
, 2013
"... Oblivious RAM (ORAM) allows a client to access her data on a remote server while hiding the access pattern (which locations she is accessing) from the server. Beyond its immediate utility in allowing private computation over a client’s outsourced data, ORAM also allows mutually distrustful parties t ..."
Abstract

Cited by 38 (0 self)
 Add to MetaCart
(Show Context)
Oblivious RAM (ORAM) allows a client to access her data on a remote server while hiding the access pattern (which locations she is accessing) from the server. Beyond its immediate utility in allowing private computation over a client’s outsourced data, ORAM also allows mutually distrustful parties to run securecomputations over their joint data with sublinear online complexity. In this work we revisit the treebased ORAM of Shi et al. [20] and show how to optimize its performance as a standalone scheme, as well as its performance within higher level constructions. More specifically, we make several contributions: • We describe two optimizations to the treebased ORAM protocol of Shi et al., one reducing the storage overhead of that protocol by an O(k) multiplicative factor, and another reducing its time complexity by an O(log k) multiplicative factor, where k is the security parameter. Our scheme also enjoys a much simpler and tighter analysis than the original protocol. • We describe a protocol for binary search over this ORAM construction, where the entire binary search operation is done in the same complexity as a single ORAM access (as
Taking proofbased verified computation a few steps closer to practicality
 In USENIX Security
, 2012
"... Abstract. We describe GINGER, a built system for unconditional, generalpurpose, and nearly practical verification of outsourced computation. GINGER is based on PEPPER, which uses the PCP theorem and cryptographic techniques to implement an efficient argument system (a kind of interactive protocol). ..."
Abstract

Cited by 29 (6 self)
 Add to MetaCart
(Show Context)
Abstract. We describe GINGER, a built system for unconditional, generalpurpose, and nearly practical verification of outsourced computation. GINGER is based on PEPPER, which uses the PCP theorem and cryptographic techniques to implement an efficient argument system (a kind of interactive protocol). GINGER slashes the query size and costs via theoretical refinements that are of independent interest; broadens the computational model to include (primitive) floatingpoint fractions, inequality comparisons, logical operations, and conditional control flow; and includes a parallel GPUbased implementation that dramatically reduces latency. 1
A hybrid architecture for interactive verifiable computation
 In IEEE Symposium on Security and Privacy
, 2013
"... Abstract—We consider interactive, proofbased verifiable computation: how can a client machine specify a computation to a server, receive an answer, and then engage the server in an interactive protocol that convinces the client that the answer is correct, with less work for the client than executin ..."
Abstract

Cited by 26 (4 self)
 Add to MetaCart
(Show Context)
Abstract—We consider interactive, proofbased verifiable computation: how can a client machine specify a computation to a server, receive an answer, and then engage the server in an interactive protocol that convinces the client that the answer is correct, with less work for the client than executing the computation in the first place? Complexity theory and cryptography offer solutions in principle, but if implemented naively, they are ludicrously expensive. Recently, however, several strands of work have refined this theory and implemented the resulting protocols in actual systems. This work is promising but suffers from one of two problems: either it relies on expensive cryptography, or else it applies to a restricted class of computations. Worse, it is not always clear which protocol will perform better for a given problem. We describe a system that (a) extends optimized refinements of the noncryptographic protocols to a much broader class of computations, (b) uses static analysis to fail over to the cryptographic ones when the noncryptographic ones would be more expensive, and (c) incorporates this core into a built system that includes a compiler for a highlevel language, a distributed server, and GPU acceleration. Experimental results indicate that our system performs better and applies more widely than the best in the literature. 1
Resolving the conflict between generality and plausibility in verified computation
"... ..."
(Show Context)
Improved Security for a RingBased Fully Homomorphic Encryption Scheme
"... Abstract. In 1996, Hoffstein, Pipher and Silverman introduced an efficient lattice based encryption scheme dubbed NTRUEncrypt. Unfortunately, this scheme lacks a proof of security. However, in 2011, Stehlé and Steinfeld showed how to modify NTRUEncrypt to reduce security to standard problems in idea ..."
Abstract

Cited by 26 (6 self)
 Add to MetaCart
Abstract. In 1996, Hoffstein, Pipher and Silverman introduced an efficient lattice based encryption scheme dubbed NTRUEncrypt. Unfortunately, this scheme lacks a proof of security. However, in 2011, Stehlé and Steinfeld showed how to modify NTRUEncrypt to reduce security to standard problems in ideal lattices. At STOC 2012, LópezAlt, Tromer and Vaikuntanathan proposed a fully homomorphic scheme based on this modified system. However, to allow homomorphic operations and prove security, a nonstandard assumption is required in their scheme. In this paper, we show how to remove this nonstandard assumption via techniques introduced by Brakerski at CRYPTO 2012 and construct a new fully homomorphic encryption scheme from the Stehlé and Steinfeld version based on standard lattice assumptions and a circular security assumption. The scheme is scaleinvariant and therefore avoids modulus switching, it eliminates ciphertext expansion in homomorphic multiplication, and the size of ciphertexts is one ring element. Moreover, we present a practical variant of our scheme, which is secure under stronger assumptions, along with parameter recommendations and promising implementation results. Finally, we present a novel approach for encrypting larger input sizes by applying a CRT approach on the input space.
A toolkit for ringLWE cryptography
 In EUROCRYPT
, 2013
"... Recent advances in lattice cryptography, mainly stemming from the development of ringbased primitives such as ringLWE, have made it possible to design cryptographic schemes whose efficiency is competitive with that of more traditional numbertheoretic ones, along with entirely new applications lik ..."
Abstract

Cited by 21 (7 self)
 Add to MetaCart
Recent advances in lattice cryptography, mainly stemming from the development of ringbased primitives such as ringLWE, have made it possible to design cryptographic schemes whose efficiency is competitive with that of more traditional numbertheoretic ones, along with entirely new applications like fully homomorphic encryption. Unfortunately, realizing the full potential of ringbased cryptography has so far been hindered by a lack of practical algorithms and analytical tools for working in this context. As a result, most previous works have focused on very special classes of rings such as poweroftwo cyclotomics, which significantly restricts the possible applications. We bridge this gap by introducing a toolkit of fast, modular algorithms and analytical techniques that can be used in a wide variety of ringbased cryptographic applications, particularly those built around ringLWE. Our techniques yield applications that work in arbitrary cyclotomic rings, with no loss in their underlying worstcase hardness guarantees, and very little loss in computational efficiency, relative to poweroftwo cyclotomics. To demonstrate the toolkit’s applicability, we develop a few illustrative applications: two variant publickey cryptosystems, and a “somewhat homomorphic ” symmetric encryption scheme. Both apply to arbitrary cyclotomics, have tight parameters, and very efficient implementations. 1
Packed Ciphertexts in LWEbased Homomorphic Encryption
, 2012
"... In this short note we observe that the PeikertVaikuntanathanWaters (PVW) method of packing many plaintext elements in a single Regevtype ciphertext, can be used for performing SIMD homomorphic operations on packed ciphertext. This provides an alternative to the SmartVercauteren (SV) ciphertextpa ..."
Abstract

Cited by 12 (1 self)
 Add to MetaCart
In this short note we observe that the PeikertVaikuntanathanWaters (PVW) method of packing many plaintext elements in a single Regevtype ciphertext, can be used for performing SIMD homomorphic operations on packed ciphertext. This provides an alternative to the SmartVercauteren (SV) ciphertextpacking technique that relies on polynomialCRT. While the SV technique is only applicable to schemes that rely on ringLWE (or other hardness assumptions in ideal lattices), the PVW method can be used also for cryptosystems whose security is based on standard LWE (or more broadly on the hardness of “GeneralLWE”). Although using the PVW method with LWEbased schemes leads to worse asymptotic efficiency than using the SV technique with ringLWE schemes, the simplicity of this method may still offer some practical advantages. Also, the two techniques can be used in tandem with “generalLWE ” schemes, suggesting yet another tradeoff that can be optimized for different settings.