Oblivious polynomial evaluation and oblivious neural learning
Theoretical Computer Science, 2001
Cited by 31 (0 self)
We study the problem of Oblivious Polynomial Evaluation (OPE). There are two parties, Alice who has a polynomial P, and Bob who has an input x. The goal is for Bob to compute P(x) in such a way that Alice learns nothing about x and Bob learns only what can be inferred from P(x). Previously existing protocols are based on some intractability assumptions that have not been well studied [15, 14], and these protocols are only applicable for polynomials over finite fields. In this paper, we propose efficient OPE protocols which are based on Oblivious Transfer only. Unlike that of [15], slight modifications to our protocols immediately give protocols to handle multivariate polynomials and polynomials over floating-point numbers. Many important real-world applications deal with floating-point numbers, instead of integers or arbitrary finite fields, and our protocols have the advantage of operating directly on floating-point numbers, instead of going through finite field simulation as that of [14]. As an example, we give a protocol for the problem of Oblivious Neural Learning, where one party has a neural network and the other, with some training set, wants to train the neural network in an oblivious way.
Telex: Anticensorship in the Network Infrastructure
Cited by 30 (4 self)
In this paper, we present Telex, a new approach to resisting state-level Internet censorship. Rather than attempting to win the cat-and-mouse game of finding open proxies, we leverage censors' unwillingness to completely block day-to-day Internet access. In effect, Telex converts innocuous, unblocked websites into proxies, without their explicit collaboration. We envision that friendly ISPs would deploy Telex stations on paths between censors' networks and popular, uncensored Internet destinations. Telex stations would monitor seemingly innocuous flows for a special "tag" and transparently divert them to a forbidden website or service instead. We propose a new cryptographic scheme based on elliptic curves for tagging TLS handshakes such that the tag is visible to a Telex station but not to a censor. In addition, we use our tagging scheme to build a protocol that allows clients to connect to Telex stations while resisting both passive and active attacks. We also present a proof-of-concept implementation that demonstrates the feasibility of our system.
Privacy-Preserving Data Aggregation without Secure Channel: Multivariate Polynomial Evaluation
Cited by 18 (11 self)
Much research has been conducted to securely outsource multiple parties' data aggregation to an untrusted aggregator without disclosing each individual's privately owned data, or to enable multiple parties to jointly aggregate their data while preserving privacy. However, those works either require secure pairwise communication channels or suffer from high complexity. In this paper, we consider how an external aggregator or multiple parties can learn some algebraic statistics (e.g., sum, product) over participants' privately owned data while preserving the data privacy. We assume all channels are subject to eavesdropping attacks, and all the communications throughout the aggregation are open to others. We propose several protocols that successfully guarantee data privacy under this weak assumption while limiting both the communication and computation complexity of each participant to a small constant. Index Terms: Privacy, aggregation, secure channels, SMC, homomorphic.
Diffie-Hellman key exchange protocol and non-abelian nilpotent groups
2008
Cited by 9 (3 self)
In this paper we study a key exchange protocol similar to the Diffie-Hellman key exchange protocol, using abelian subgroups of the automorphism group of a non-abelian nilpotent group. We also generalize group no. 92 of the Hall-Senior table [16] to an arbitrary prime p and show that, for those groups, the group of central automorphisms is commutative. We use these for the key exchange we are studying.
Provably secure threshold password-authenticated key exchange
in Eurocrypt 2003, LNCS 2656, 2003
Cited by 9 (0 self)
We present two protocols for threshold password-authenticated key exchange. In this model for password authentication, the password is not stored in a single authenticating server but rather shared among a set of n servers so that an adversary can learn the password only by breaking into t + 1 of them. The protocols require n > 3t servers to work. The goal is to protect the password against hacker attacks that can break into the authenticating server and steal password information. All known centralized password authentication schemes are susceptible to such an attack. Ours are the first protocols which are provably secure in the standard model (i.e. no random oracles are used for the proof of security). Moreover, our protocols are reasonably efficient and implementable in practice. In particular, a goal of the design was to avoid costly zero-knowledge proofs to keep interaction to a minimum.
A Security Analysis of the NIST SP 800-90 Elliptic Curve Random Number Generator. Cryptology ePrint Archive, Report 2007/048
2007
Cited by 6 (1 self)
An elliptic curve random number generator (ECRNG) has been approved in a NIST standard and proposed for ANSI and SECG draft standards. This paper proves that, if three conjectures are true, then the ECRNG is secure. The three conjectures are hardness of the elliptic curve decisional Diffie-Hellman problem and the hardness of two newer problems, the x-logarithm problem and the truncated point problem. The x-logarithm problem is shown to be hard if the decisional Diffie-Hellman problem is hard, although the reduction is not tight. The truncated point problem is shown to be solvable when the minimum number of bits allowed in NIST standards is truncated, thereby making it insecure for applications such as stream ciphers. Nevertheless, it is argued that for nonce and key generation this distinguishability is harmless.
Collusion-Tolerable Privacy-Preserving Sum and Product Calculation without Secure Channel
Cited by 6 (4 self)
Much research has been conducted to securely outsource multiple parties' data aggregation to an untrusted aggregator without disclosing each individual's privately owned data, or to enable multiple parties to jointly aggregate their data while preserving privacy. However, those works either require secure pairwise communication channels or suffer from high complexity. In this paper, we consider how an external aggregator or multiple parties can learn some algebraic statistics (e.g., sum, product) over participants' privately owned data while preserving the data privacy. We assume all channels are subject to eavesdropping attacks, and all the communications throughout the aggregation are open to others. We first propose several protocols that successfully guarantee data privacy under the semi-honest model, and then present advanced protocols which tolerate up to k passive adversaries who do not try to tamper with the computation. Under this weak assumption, we limit both the communication and computation complexity of each participant to a small constant. At the end, we present applications which solve several interesting problems via our protocols.
Establishing and Preserving Protocol Security Goals
2012
Cited by 6 (5 self)
We take a model-theoretic viewpoint on security goals and how to establish them. The models are (possibly fragmentary) executions. Security goals such as authentication and confidentiality are implications over the geometric fragment of predicate logic, i.e. implications Φ → Ψ where Φ and Ψ are built from atomic formulas without negations, implications, or universal quantifiers. Security goals are then essentially statements about homomorphisms where the source is a minimal (fragmentary) model of the antecedent Φ. If every homomorphism to a model representing a non-fragmentary, complete execution factors through a model in which Ψ is satisfied, then the goal is achieved. This idea suggests validating security goals via a process of information enrichment. This idea also clarifies protocol transformation. A protocol transformation preserves security goals when it preserves the form of the information enrichment process. We formalize this idea using simulation relations between labeled transition systems.
Riposte: An Anonymous Messaging System Handling Millions of Users
Cited by 3 (0 self)
This paper presents Riposte, a new system for anonymous broadcast messaging. Riposte is the first such system, to our knowledge, that simultaneously protects against traffic-analysis attacks, prevents anonymous denial-of-service by malicious clients, and scales to million-user anonymity sets. To achieve these properties, Riposte makes novel use of techniques used in systems for private information retrieval and secure multiparty computation. For latency-tolerant workloads with many more readers than writers (e.g. Twitter, Wikileaks), we demonstrate that a three-server Riposte cluster can build an anonymity set of 2,895,216 users in 32 hours. Index Terms: anonymity; messaging; privacy; private information retrieval.
Security of the J-PAKE Password-Authenticated Key Exchange Protocol
Cited by 2 (0 self)
J-PAKE is an efficient password-authenticated key exchange protocol that is included in the OpenSSL library and is currently being used in practice. We present the first proof of security for this protocol in a well-known and accepted model for authenticated key exchange that incorporates online and offline password guessing, concurrent sessions, forward secrecy, server compromise, and loss of session keys. This proof relies on the Decision Square Diffie-Hellman assumption, as well as a strong security assumption for the non-interactive zero-knowledge (NIZK) proofs in the protocol (specifically, simulation-sound extractability). We show that the Schnorr proof-of-knowledge protocol, which was recommended for the J-PAKE protocol, satisfies this strong security assumption in a model with algebraic adversaries and random oracles, and extend the full J-PAKE proof of security to this model. Finally, we show that by modifying the recommended labels in the Schnorr protocol used in J-PAKE, we can achieve a security proof for J-PAKE with a tighter security reduction.