Efficient MPC Optimizations for Garbled Circuits
|
|
- Stephen Parrish
- 5 years ago
- Views:
Transcription
1 CIS 2018 Efficient MPC Optimizations for Garbled Circuits Claudio Orlandi, Aarhus University
2 Part 3: Garbled Circuits GC: Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active security 101: simple-cut-and choose, dual-execution
3 Garbled Circuit Cryptographic primitive that allows to evaluate encrypted functions on encrypted inputs
4 r Garbled Circuits d Values in a box are garbled f x Gb e En [F] [X] Ev [Z] De z Correct if z=f(x)
5 Alice Application 1: One-time Delegation via GC Bob(x) [F] ([F],e,d) Gb( f,r ) preprocessing online [X] [X] En(e,x) [Z] Ev([F],[X]) [Z] z=de(d,[z])
6 Alice Application 1: One-time Delegation via GC Bob(x) [F] ([F],e,d) Gb( f,r ) Authenticity: If A is corrupted and [Z*] A([F],[X]), then De([Z*],d) is f(x) or preprocessing online [X] [Z*] [X] En(e,x) z*=de(d,[z*])
7 Garbled Circuits: Authenticity r d f x Gb e En [F] [X] Ev [Z*] De z* z*=f(x) OR z*= abort
8 Application 2: Passive Constant Round 2PC (Yao) Alice(x) Bob(y) x [X] 2PC (OT) e ([F],e,d) Gb( f,r ) [Y] En(e,y) [Z] Ev([F],[X],[Y]) [F], [Y], d z=de(d,[z])
9 Application 2: Passive Constant Round 2PC (Yao) Alice(x) Bob(y) x [X] 2PC (OT) e ([F],e,d) Gb( f,r ) [Y] En(e,y) [Z] Ev([F],[X],[Y]) [F], [Y], d z=de(d,[z]) Bob learns nothing about x!
10 Application 2: Passive Constant Round 2PC (Yao) Alice(x) Bob(y) x [X] 2PC (OT) e ([F],e,d) Gb( f,r ) [Y] En(e,y) [Z] Ev([F],[X],[Y]) [F], [Y], d z=de(d,[z]) How much information is leaked by GC?
11 Garbled Circuits: Privacy r d f x Gb e e.g., ϕ(f)=f or ϕ(f)= f En [F] [X] Ev [Z] Exist Sim s.t. ([F],[X],d) ~ Sim(ϕ(f),f(x)) De z
12 Part 3: Garbled Circuits Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active security 101: simple-cut-and choose, dual-execution
13 Garbling: Gate-by-gate [x 1 ] [y 1 ] [x 2 ] [y 2 ] [x 3 ] [y 3 ] [x 4 ] [y 4 ] [x 5 ] [y 5 ] [w] w +e z * [w+e] 13
14 PROJECTIVE SCHEMES: CIRCUIT BASED GARBLING/EVALUATIONS
15 Garbling a Circuit : ([F],e,d) Gb(f) K 1 0,K 1 1 K 2 0,K 2 1 L 0,L 1 R 0,R 1 K 0,K 1 Z 0,Z 1 Choose 2 random keys K i 0,K i 1 for each wire in the circuit Input, internal and, output wires For each gate g compute gg Gb(g,L 0,L 1,R 0,R 1,K 0,K 1 ) Output e=(k i 0,K i 1) for all input wires d=(z 0,Z 1 ) [F]=(gg i ) for all gates i
16 Encoding and Decoding [X] = En(e,x) e={ K i 0, K i 1} x= { x 1,,x n } [X]={K 1 x1,,k n xn} z=de(d,[z]) d = { Z 0,Z 1 } [Z] = { K } z= 0 if K=Z 0, 1 if K=Z 1, abort else
17 Evaluating a GC : [Z] Ev([F],[X]) K 1 Parse [X]={K 1,,K n } K 2 gg 1 gg i gg i gg i gg i Parse [F]={gg i } L gg 2 K R gg i gg i gg i gg i For each gate i compute K Ev(gg i,l,r) gg n Output Z Z
18 INDIVIDUAL GATES GARBLING/EVALUATION
19 Notation L 0,L 1 R 0,R 1 gg A garbled gate is a gadget that given two inputs keys gives you the right output key (and nothing else) gg Gb(g,L 0,L 1,R 0,R 1,Z 0,Z 1 ) Z g(a,b) Ev(gg,L a,r b ) Z 0,Z 1 //and not Z 1-g(a,b)
20 Yao Gate Garbling (1) L R Z AND gate L Z R 20
21 Yao Gate Garbling (2) L R Z L 0 R 0 Z 0 L 0 R 1 Z 0 L 1 R 0 Z 0 L R L 1 R 1 Z 1 Z Choose labels (e.g., 128 bits strings) for every value on every wire 21
22 Yao Gate Garbling (3) C L R C 1 = G(L 0,R 0 ) Z 0 C 2 = G(L 0,R 1 ) Z 0 C 3 = G(L 1,R 0 ) Z 0 C 4 = G(L 1,R 1 ) Z 1 Z Encrypt the output key with the input keys G is some key derivation function so that the encryption is secure 22
23 Yao Gate Garbling (4) C C 1 = G(L 0,R 0 ) (Z 0,0 k ) C 2 = G(L 0,R 1 ) (Z 0,0 k ) C 3 = G(L 1,R 0 ) (Z 0,0 k ) L R C 4 = G(L 1,R 1 ) (Z 1,0 k ) K Add redundancy (later used to check if decryption is successful) 23
24 Yao Gate Garbling (5) C C 1 = G(L 0,R 0 ) (Z 0,0 k ) C 2 = G(L 0,R 1 ) (Z 0,0 k ) C 3 = G(L 1,R 0 ) (Z 0,0 k ) C 4 = G(L 1,R 1 ) (Z 1,0 k ) L R C 1,C 2,C 3,C 4 = perm(c 1,C 2,C 3,C 4 ) Z Permute the order of the ciphertexts (to hide information about inputs/outputs) 24
25 Yao Gate Evaluation (1) Eval(gg, L a, R b ) //not a,b For i=1..4 (K,t)=C i G(L a,r b ) If t=0 k output K Output is correct: t=0 k only for right row Evaluator learns nothing else: Encryption + permutation gg (permuted) C 1 = G(L 0,R 0 ) (K 1,0 k ) C 2 = G(L 0,R 1 ) (K 1,0 k ) C 3 = G(L 1,R 0 ) (K 1,0 k ) C 4 = G(L 1,R 1 ) (K 0,0 k ) 25
26 Efficiency gg G/Gb G/Eval Assumption on G Classic 8k 4 4 Standard
27 Point-and-permute Problem: Evaluator needs to try to decrypt all 4 rows Solution: add permutation bits to keys (L 0, p) (L 1,!p) (R 0, q) (R 1,!q) gg Gb(g,L 0,L 1,p,R 0,R 1,q,Z 0,Z 1,r) gg (Z 0, r) (Z 1,!r) (Z g(a,b),r ab) Ev(gg,L a,a p,r b,b q)
28 Point-and-permute Garbling (4) C C 1 = G(L 0,R 0 ) (Z 0, r 0 ) C 2 = G(L 0,R 1 ) (Z 0, r 0 ) C 3 = G(L 1,R 0 ) (Z 0, r 0 ) L R C 4 = G(L 1,R 1 ) (Z 1, r 1 ) Z Remove redundancy Add random permutation bit 28
29 Point-and-permute Garbling (5) C 0 = G(L p,r q ) (Z p q, r p q ) C 1 = G(L p,r!q ) (Z p!q, r p!q ) C 2 = G(L!p,R q ) (Z!p q, r!p q ) C 3 = G(L!p,R!q ) (Z p!q, r!p!q ) C Permute rows using p,q 29
30 Point-and-permute Evaluation Eval(gg, L, u, R, v) //not a,b (Z,r)=C 2u+v G(L,R) C C 0 = G(L p,r q ) (Z p q, r p q ) C 1 = G(L p,r!q ) (Z p!q, r p!q ) Output is correct: (Check permutation) Privacy: u=p a, v=q b p,q are one time pads for a,b C 2 = G(L!p,R q ) (Z! p q, r!p q ) C 3 = G(L!p,R!q ) (Z!p!q, r!p!q ) 30
31 Efficiency gg G/Gb G/Eval Assumption on G Classic 8k 4 4 Standard P&P 4k 4 1 Standard
32 GARBLING OPTIMIZATIONS: SIMPLE GARBLED ROW REDUCTION
33 Changing the syntax Problem: each gg is 4 ciphertexts Solution: define output key pseudorandomly as functions of input keys, reduce comm. complexity L 0 L 1 R 0 R 1 (gg, Z 0,Z 1 ) Gb(g,L 0,L 1,R 0,R 1 ) (Z g(a,b) ) Ev(gg,L a,r b ) gg Z 0 Z 1 Note, now garbling cannot be done in parallel anymore!
34 Garbling a Circuit : ([F],e,d) Gb(f) K 1 0,K 1 1 K 2 0,K 2 1 L 0,L 1 R 0,R 1 K 0,K 1 Z 0,Z 1 Choose 2 random keys K i 0,K i 1 for each wire in the circuit Input wire only! For each gate g compute (gg,k 0,K 1 ) Gb(g,L 0,L 1,R 0,R 1 ) Output e=(k i 0,K i 1) for all input wires d=(z 0,Z 1 ) [F]=(gg i ) for all gates i
35 Yao Gate Garbling (3) C C 1 = G(L 0,R 0 ) Z 0 L R C 2 = G(L 0,R 1 ) Z 0 C 3 = G(L 1,R 0 ) Z 0 C 4 = G(L 1,R 1 ) Z 1 K Encrypt the output key with the input keys 35
36 Garbled Row Reduction Garbling C Z 0 = G(L 0,R 0 ) (C 1 =0 k ) L R C 2 = G(L 0,R 1 ) Z 0 C 3 = G(L 1,R 0 ) Z 0 C 4 = G(L 1,R 1 ) Z 1 K Define output keys as function of input keys (compatible with p&p) Can reduce 2 rows, but 1 is compatible with Free-XOR (coming up!) 36
37 Efficiency gg G/Gb G/Eval Assumption on G Classic 8k 4 4 Standard P&P 4k 4 1 Standard +GRR 3k/2k 4 1 Standard
38 GARBLING OPTIMIZATIONS: FREE XOR
39 Free-XOR Problem: with secret sharing linear gates are for free. What about GC? Solution: introduce correlation between keys, make XOR computation free L 0 L 1 =L 0 Δ XOR R 0 R 1 =R 0 Δ (gg,z 0 ) Gb(g,L 0,R 0,Δ) (Z g(a,b) ) Ev(gg,L a,r b ) Z 0 Z 1 =Z 0 Δ
40 Changing syntax, again! K 1 0 K 2 0 Choose 1 random key K i 0 for each input wire in the circuit And global difference Δ L 0 R 0 K 0 Z 0 For each gate g compute (gg,k 0 ) Gb(g,L 0,R 0,Δ) Output e=(k i 0,K i 1) for all input wires d=(z 0,Z 1 ) [F]=(gg i ) for all gates i
41 What about AND Gates? Like before, but requires circular security assumption Evaluator sees L 0, R 0, Z 0, and G(L 0 Δ, R 0 Δ) Z 0 Δ And should not be able to compute Δ! Effectively an encryption of Δ under Δ!
42 Garbling/Evaluating XOR Gates L 0 L 1 =L 0 Δ XOR R 0 R 1 =R 0 Δ Gb(XOR,L 0,R 0,Δ) Output Z 0 =L 0 R 0 (gg is empty) Z 0 Z 1 =Z 0 Δ Ev(XOR,L a,r b,δ) (gg,z 0 ) Gb(g,L 0,R 0,Δ) Z a b Ev(gg,L a,r b ) Output Z a b =L a R b L a R b = L 0 aδ R 0 bδ = Z 0 (a b)δ = Z a b
43 Efficiency AND XOR gg G/Gb G/Eval gg G/Gb G/Eval Assumption on G Classic 8k 4 4 8k 4 4 Standard P&P 4k 4 1 4k 4 1 Standard +GRR 3k/2k 4 1 3k/2k 4 1 Standard +Free-XOR 3k Circular
44 Privacy Free Garbing In some application (example, the delegation of computation from the first slide) we don t care about hiding the input/output of the circuit to the evaluator. Can we construct more efficient garbling if we don t care about privacy, but only authenticity?
45 Privacy Free with Free XOR For XOR-gates it is hard to do better than free-xor What about AND gates? Let c=and(a,b) then If a = 0 c = 0 If a =1 c = b
46 Privacy-Free AND gates L 0 L 1 =L 0 Δ AND R 0 R 1 =R 0 Δ Gb(AND,L 0,R 0,Δ) Z 0 =G(L 0 ) // GRR C=G(L 1 ) Z 0 R 0 Z 0 Z 1 =Z 0 Δ (gg,z 0 ) Gb(g,L 0,R 0,Δ) Z ab Ev(gg,L a,a,r b,b) Ev(gg,L a,a,r b,b,δ) If a=0 : output Z 0 = G(L 0 ) If a=1 : output Z b =C G(L 1 ) R b Z b = C G(L 1 ) = Z 0 R 0 (R 0 Δ) = Z b
47 Efficiency AND XOR gg G/Gb G/Eval gg G/Gb G/Eval Assumption on G Classic 8k 4 4 8k 4 4 Standard P&P 4k 4 1 4k 4 1 Standard +GRR 3k/2k 4 1 3k/2 4 1 Standard +Free-XOR 3k Circular Privacy-Free* k Circular
48 Privacy-Free Garbling: Extension? Can the same trick help us also in garbling for 2PC? Can we let the evaluator learn the bit of some internal wires? No! Can we let the evalutor learn a one-time pad encryption of some internal wire? Sure, why not!
49 Half-Gate (Two Halves Make a Whole) Note that we can write: a b = (a r) (a (r b)) r known to garbler How to garble efficiently? r b known to evaluator can use PF garbling 1 AND 2 ANDs. How is this better? The garbled can choose a random r at garbling time Make sure that the evaluator learns (r b) How? Use the permutation bits from point&permute!
50 How to garble with hidden constant The garbled knows r and wants to garble c = a r If r = 0 c=0 If r = 1 c=a How to garble an unary gate, which is either the 0 gate or the identity gate depending on r?
51 Garbling AND with hidden-constant L 0 L 1 =L 0 Δ AND(a,r) Z 0 Z 1 =Z 0 Δ (gg,z 0 ) Gb(g,L 0,r,Δ) Z ar Ev(gg,L a ) Gb(AND,L 0,p,Δ) Z p =G(L p ) //GRR C 0 =0 k C 1 =G(L!p ) Z p rδ Ev(gg,L a,a p,δ) Output Z ar = C a p G(L a ) Let p=0 for simplicity C a G(L a ) = Z 0 a(rδ) = Z ar
52 Efficiency AND XOR gg G/Gb G/Eval gg G/Gb G/Eval Assumption on G Classic 8k 4 4 8k 4 4 Standard P&P 4k 4 1 4k 4 1 Standard +GRR 3k/2k 4 1 3k/2k 4 1 Standard +Free-XOR 3k Circular Privacy-Free* k Circular Half-Gate 2k Circular GLP 2k Standard GLP : Fast Garbling of Circuits Under Standard Assumptions (Gueron, Lindell, Pinkas) (The measure of G in this table is somehow arbitrary, in practice the size of the input to G makes a difference in runtime)
53 Part 3: Garbled Circuits Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active security 101: simple-cut-and choose, dual-execution
54 ACTIVE ATTACKS VS YAO
55 Yao s protocol Alice Bob x [X] OT e ([F],e,d) Gb( f,r ) [Y] En(e,y) [Z] Ev([F],[X],[Y]) [F], [Y], d z=de(d,[z]) Passive Security Only 1 GC! Constant round! Very fast!
56 Active security of Yao Alice Bob x [X] OT e ([F],e,d) Gb( f,r ) [Y] En(e,y) [F], [Y], d Cannot really cheat!
57 Alice Active security of Yao (v2, Bob gets output) Bob x [X] OT e ([F],e,d) Gb( f,r ) [Y] En(e,y) [F], [Y], d [Z*] z*=de(d,[z*]) Still can t cheat, authenticity!
58 Garbled Circuits: Authenticy r d f x Gb e En [F] [X] Ev [Z*] De z* For all corrupt Ev z*=f(x) or z*=abort
59 Active security of Yao Alice(x) Bob(y) x [X] OT e ([F],e,d) Gb( f,r ) [Y] En(e,y) [Z] Ev([F],[X],[Y]) [F], [Y], d z=de(d,[z]) What if B is corrupted?
60 Insecurity 1 (wrong f) Alice(x) Bob(y) x [X] OT e ([G],e,d) Gb( g,r ) [Y] En(e,y) [Z] Ev([G],[X],[Y]) [G], [Y], d z=de(d,[z]) g!= f z!= f(x,y)
61 Insecurity 2 (selective failure) Alice(x) [Z] Ev([G],[X],[Y]) z=de(d,[z]) x (K 0,K 1 ) ([F],e,d) Gb( f,r ) [X]=K x OT [G], [Y], d Bob(y) [Y] En(e,y)
62 Insecurity 2 (selective failure) Alice(x) Bob(y) x [X*] OT (K 0,K*) ([F],e,d) Gb( f,r ) [Y] En(e,y) [Z*] Ev([G],[X*],[Y]) [G], [Y], d z*=de(d,[z*]) x=0 z*=f(x,y) x=1 z*=abort
63 SIMPLE TRICKS FOR ACTIVE SECURITY
64 ZKGC (Alice proves f(x)=z) Alice(x) Bob( ) x [X] OT e ([F],e,d) Gb( f,r ) [F] [Z] Ev([F],[X]) [Z] z=de(d,[z]) Bob has no input!
65 ZKGC (Alice proves f(x)=z) Alice(?) Bob( ) x [X] OT e ([F],e,d) Gb( f,r ) [F] [Z*] z*=de(d,[z*]) Authenticity!
66 ZKGC (Alice proves f(x)=z) Alice Bob x [X] OT e ([F],e,d) Gb( f,r ) [F] [Z] Ev([F],[X]) [Z] z=de(d,[z]) Corrupt B can change f with g. Break privacy!
67 ZKGC (Alice proves f(x)=z) Alice Bob Commitment x [X] OT e ([F],e,d) Gb( f,r ) [F] [Z] Ev([F],[X]) [Z] If [F]!=Gb(f,r) abort else r [Z] Opening z=de(d,[z]) Active security! Only 1 GC!
68 Cut-And-Choose
69 2PC, simple cut-and-choose Alice x e 1,e 2 OT Bob [X 1 ],[X 2 ] ([F] i,e i,d i ) Gb( f,r i ) If Gb(f,r -j )!= [F] -j abort else [Z] j Ev([F] j,[x] j,[y] j ) [F] 1,[F] 2,d 1,d 2 rand j r -j, [Y] j [Y] j En(e j,y) z=de(d j,[z] j )
70 2PC, simple cut-and-choose Alice If Gb(f,r -j )!= [F] -j abort else [Z] j Ev([F] j,[x] j,[y] j ) x e 1,e 2 [X 1 ],[X 2 ] OT [F] 1,[F] 2,d 1,d 2 rand j r -j, [Y] j Bob z=de(d j,[z] j ) Corrupt Bob only wins with probability 1/2
71 2PC, cut-and-choose Simple cut-and-choose Garble k, check k-1, evaluate 1. Security 1-1/k Advanced cut-and-choose (see references) Garble 2k, check k, evaluate k Output majority result Security with 2 -O(k) (Need mechanisms to ensure the same input is used!)
72 Dual Execution
73 Alice [Z 1 ] Ev([F 1 ],[X 1 ],[Y 1 ]) x e Bob 1 [X 1 ] OT ([F 1 ],e 1,d 1 ) Gb(f,r 1 ) [Y [F 1 ], [Y 1 ] 1 ] En(e 1,y) ([F 2 ],e 2,d 2 ) Gb(f,r 2 ) [X 2 ] En(e 2,x) e 2 OT [F 2 ], [X 2 ] y [Y 2 ] [Z 2 ] Ev([F 2 ],[X 2 ],[Y 2 ]) [Z 1 ],d 2 [Z 2 ],d 1 z/abort De(d,[Z]) == De(d,[Z]) z/abort
74 Alice x e Bob 1 [X 1 ] OT ([F 1 ],e 1,d 1 ) Gb(f,r 1 ) [Y [F 1 ], [Y 1 ] 1 ] En(e 1,y) Authenticity [Z 1 ] is the right output! e 2 OT [F * ], [X 2 ] y [Y 2 ] [Z * ] Ev([F 2 ],[X 2 ],[Y 2 ]) [Z 1 ],d 2 [Z * ],d 1 z/abort De(d,[Z]) == De(d,[Z]) z/abort f(x,y) or abort
75 Alice x e Bob 1 [X 1 ] OT ([F 1 ],e 1,d 1 ) Gb(f,r 1 ) [Y [F 1 ], [Y 1 ] 1 ] En(e 1,y) e 2 OT [F * ], [X 2 ] y [Y 2 ] [Z * ] Ev([F 2 ],[X 2 ],[Y 2 ]) [Z 1 ],d 2 [Z * ],d 1 z/abort De(d,[Z]) == De(d,[Z]) z/abort Selective failure [Z*]=[Z] iff y=0 1 bit leakage
76 Forge And Lose
77 2PC, forge-and-lose (idea) Alice x OT e i Bob [X i ] ([F] i,e i,d i ) Gb( f,r i ) { [F] i } i Cut-and-Choose Generate k, check k/2 [Y i ] [Y] i En(e i,y) [Z] i Ev([F] i,[x] i,[y] i ) [Z] i y SMAC Punish Bob If exist i, j De(d i,[z] i )!= De(d j,[z] j ) y,d i
78 2PC, forge-and-lose (idea) Alice x OT e i Bob [X i ] ([F] i,e i,d i ) Gb( f,r i ) { [F] i } i Cut-and-Choose Generate k, check k/2 [Y i ] [Y] i En(e i,y) [Z] i Ev([F] i,[x] i,[y] i ) [Z] i y SMAC Punish Bob If exist i, j De(d i,[z] i )!= De(d j,[z] j ) y,d i Whp at least one unchecked circuit is correct real output will be used in SMAC
79 2PC, forge-and-lose (idea) Alice x OT e i Bob [X i ] ([F] i,e i,d i ) Gb( f,r i ) Cut-and-Choose Generate k, check k/2 [Y i ] [Y] i En(e i,y) Authenticity Corrupt Alice cannot blame honest Bob [Z] i y SMAC Punish Bob If exist i, j De(d i,[z] i )!= De(d j,[z] j ) y,d i
80 Summary Garbling Schemes Definitions and Applications Efficient Garbling Techniques Point&Permute, Garbled Row Reduction, Free- XOR, Half-Gate, Privacy-Free, How to use Garbled Circuits with active corruptions
81 Primary References Cryptographic Computing, lecture notes, (with theory and programming exercises) A Brief History of Practical Garbled Circuit Optimizations (Rosulek) Fast Cut-and-Choose-Based Protocols for Malicious and Covert Adversaries (Lindell) Two Halves Make a Whole - Reducing Data Transfer in Garbled Circuits Using Half Gates (Zahur et al.) Privacy-Free Garbled Circuits with Applications to Efficient Zero- Knowledge (Frederiksen et al.) Zero-knowledge using garbled circuits: how to prove non-algebraic statements efficiently (Jawurek et al.) Improved Garbled Circuit: Free XOR Gates and Applications (Kolesnikov et al.) Foundations of Garbled Circuits (Bellare et al.)
82 Other References Fast Garbling of Circuits Under Standard Assumptions (Gueron et al.) Garbling Gadgets for Boolean and Arithmetic Circuits (Ball et al.) FleXOR: Flexible Garbling for XOR Gates That Beats Free-XOR (Kolesnikov et al.) MiniLEGO: Efficient Secure Two-Party Computation From General Assumptions (Frederiksen et al.) Secure Two-Party Computation with Reusable Bit-Commitments, via a Cutand-Choose with Forge-and-Lose Technique (Brandao) Secure Two-Party Computation via Cut-and-Choose Oblivious Transfer (Lindell, Pinkas) An Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries (Lindell, Pinkas) Efficiency Tradeoffs for Malicious Two-Party Computation (Mohassel et al.)
Multi-Party 2 Computation Part 3
ECRYPT.NET Cloud Summer School Multi-Party 2 Computation Part 3 Claudio Orlandi, Aarhus University Plan for the next 3 hours Part 1: Secure Computation with a Trusted Dealer Warmup: One-Time Truth Tables
More informationEfficient Secure Two-Party Computation
INDOCRYPT 2016 Tutorial Efficient Secure Two-Party Computation Claudio Orlandi, Aarhus University Plan for the next 3 hours Part 1: Secure Computation with a Trusted Dealer Warmup: One-Time Truth Tables
More information2018: Problem Set 1
crypt@b-it 2018 Problem Set 1 Mike Rosulek crypt@b-it 2018: Problem Set 1 1. Sometimes it is not clear whether certain behavior is an attack against a protocol. To decide whether something is an attack
More informationMulti-Party 2 Computation Part 1
ECRYPT.NET Cloud Summer School Multi-Party 2 Computation Part 1 Claudio Orlandi, Aarhus University Plan for the next 3 hours Part 1: Secure Computation with a Trusted Dealer Warmup: One-Time Truth Tables
More informationIntroduction to Secure Multi-Party Computation
Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the University of Texas, Austin for providing these slides. slide 1 Motivation General framework for describing computation
More informationSecure Multiparty Computation
Secure Multiparty Computation Li Xiong CS573 Data Privacy and Security Outline Secure multiparty computation Problem and security definitions Basic cryptographic tools and general constructions Yao s Millionnare
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationfrom circuits to RAM programs in malicious-2pc
from circuits to RAM programs in malicious-2pc Abstract: Secure 2-party computation (2PC) is becoming practical in some domains However, most approaches are limited by the fact that the desired functionality
More informationMichael Zohner (TU Darmstadt)
Efficient OT Extension and its Impact on Secure Computation Pushing the Communication Barrier of Passive Secure Two-Party Computation Michael Zohner (TU Darmstadt) Joint work with Ghada Dessouky, Ahmad-Reza
More informationGarbled Circuits via Structured Encryption Seny Kamara Microsoft Research Lei Wei University of North Carolina
Garbled Circuits via Structured Encryption Seny Kamara Microsoft Research Lei Wei University of North Carolina Garbled Circuits Fundamental cryptographic primitive Possess many useful properties Homomorphic
More informationVlad Kolesnikov Bell Labs
Vlad Kolesnikov Bell Labs DIMACS/Northeast Big Data Hub Workshop on Privacy and Security for Big Data Apr 25, 2017 You are near Starbucks; here is a special Legislation may require user consent each time
More informationAn Overview of Active Security in Garbled Circuits
An Overview of Active Security in Garbled Circuits Author: Cesar Pereida Garcia Supervisor: Pille Pullonen Department of Mathematics and Computer Science. University of Tartu Tartu, Estonia. December 15,
More informationSecure Multi-Party Computation. Lecture 13
Secure Multi-Party Computation Lecture 13 Must We Trust? Can we have an auction without an auctioneer?! Declared winning bid should be correct Only the winner and winning bid should be revealed Using data
More informationFast Optimistically Fair Cut-and-Choose 2PC
Fast Optimistically Fair Cut-and-Choose 2PC Alptekin Küpçü Koç University, TURKEY akupcu@ku.edu.tr Payman Mohassel Yahoo Labs, USA pmohassel@yahoo-inc.com February 25, 2016 Abstract Secure two party computation
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More information1 A Tale of Two Lovers
CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.
More information- Presentation 25 minutes + 5 minutes for questions. - Presentation is on Wednesday, 11:30-12:00 in B05-B06
Information: - Presentation 25 minutes + 5 minutes for questions. - Presentation is on Wednesday, 11:30-12:00 in B05-B06 - Presentation is after: Abhi Shelat (fast two-party secure computation with minimal
More informationEfficient Zero-Knowledge Proof of Algebraic and Non-Algebraic Statements with Applications to Privacy Preserving Credentials
Efficient Zero-Knowledge Proof of Algebraic and Non-Algebraic Statements with Applications to Privacy Preserving Credentials Melissa Chase 1, Chaya Ganesh 2, and Payman Mohassel 3 1 Microsoft Research,
More informationLecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,
More informationYuval Ishai Technion
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Yuval Ishai Technion 1 Zero-knowledge proofs for NP [GMR85,GMW86] Bar-Ilan University Computational MPC with no honest
More informationD1.1 State of the Art Analysis of MPC Techniques and Frameworks
D1.1 State of the Art Analysis of MPC Techniques and Frameworks Peter S. Nordholt (ALX), Nikolaj Volgushev (ALX), Prastudy Fauzi (AU), Claudio Orlandi (AU), Peter Scholl (AU), Mark Simkin (AU), Meilof
More informationSecure Outsourced Garbled Circuit Evaluation for Mobile Devices
Secure Outsourced Garbled Circuit Evaluation for Mobile Devices Henry Carter, Georgia Institute of Technology Benjamin Mood, University of Oregon Patrick Traynor, Georgia Institute of Technology Kevin
More informationActively Secure Garbled Circuits with Constant Communication Overhead in the Plain Model
Actively Secure Garbled Circuits with Constant Communication Overhead in the Plain Model Carmit Hazay 1, Yuval Ishai 2, and Muthuramakrishnan Venkitasubramaniam 3 1 Bar-Ilan University carmit.hazay@biu.ac.il,
More informationFoundations of Cryptography CS Shweta Agrawal
Foundations of Cryptography CS 6111 Shweta Agrawal Course Information 4-5 homeworks (20% total) A midsem (25%) A major (35%) A project (20%) Attendance required as per institute policy Challenge questions
More informationBlind Seer: Scalable Private DB Querying
Blind Seer: Scalable Private DB Querying Columbia-Bell Labs work on IARPA SPAR project Vladimir Kolesnikov (Bell Labs), Steve Bellovin, Seung Geol Choi, Ben Fisch, Angelos Keromytis, Fernando Krell, Tal
More informationSecure Multi-Party Computation
Secure Multi-Party Computation A Short Tutorial By no means a survey! Manoj Prabhakaran :: University of Illinois at Urbana-Champaign Secure Multi-Party Computation A Short Tutorial Part I Must We Trust?
More informationEfficient Private Matching and Set Intersection
Efficient Private Matching and Set Intersection Mike Freedman, NYU Kobbi Nissim, MSR Benny Pinkas, HP Labs EUROCRYPT 2004 A Story Is there any chance we might be compatible? We could see if we have similar
More informationSecure Function Evaluation using an FPGA Overlay Architecture
Secure Function Evaluation using an FPGA Overlay Architecture Xin Fang Stratis Ioannidis Miriam Leeser Dept. of Electrical and Computer Engineering Northeastern University Boston, MA, USA FPGA 217 1 Introduction
More informationHow to (not) Share a Password:
How to (not) Share a Password: Privacy preserving protocols for finding heavy hitters with adversarial behavior Moni Naor Benny Pinkas Eyal Ronen Passwords First modern use in MIT's CTSS (1961) Passwords
More informationPractical Secure Two-Party Computation and Applications
Practical Secure Two-Party Computation and Applications Lecture 2: Private Set Intersection Estonian Winter School in Computer Science 2016 Overview of this lecture Private Set Intersection Special Purpose
More informationSecure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)
Secure Multiparty Computation: Introduction Ran Cohen (Tel Aviv University) Scenario 1: Private Dating Alice and Bob meet at a pub If both of them want to date together they will find out If Alice doesn
More informationSecure Computation of Functionalities based on Hamming Distance and its Application to Computing Document Similarity
Secure Computation of Functionalities based on Hamming Distance and its Application to Computing Document Similarity Ayman Jarrous 1 and Benny Pinkas 2,* 1 University of Haifa, Israel. 2 Bar Ilan University,
More informationFaster Malicious 2-Party Secure Computation with Online/Offline Dual Execution
Faster Malicious 2-Party Secure Computation with Online/Offline Dual Execution Peter Rindal and Mike Rosulek, Oregon State University https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/rindal
More informationSymmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University
Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?
More informationSecure Two-Party Computation: Generic Approach and Exploiting Specific Properties of Functions Approach
Secure Two-Party Computation: Generic Approach and Exploiting Specific Properties of Functions Approach A. Anasuya Threse Innocent, K. Sangeeta Department of CSE Amrita School of Engineering Amrita Vishwa
More informationFree IF: How to Omit Inactive Branches and Implement S-Universal Garbled Circuit (Almost) for Free
Free IF: How to Omit Inactive Branches and Implement S-Universal Garbled Circuit (Almost) for Free Vladimir Kolesnikov School of Computer Science, Georgia Institute of Technology kolesnikov@gatech.edu
More informationCryptography Functions
Cryptography Functions Lecture 3 1/29/2013 References: Chapter 2-3 Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner Types of Cryptographic Functions Secret (Symmetric)
More informationBetter 2-round adaptive MPC
Better 2-round adaptive MPC Ran Canetti, Oxana Poburinnaya TAU and BU BU Adaptive Security of MPC Adaptive corruptions: adversary adversary can decide can decide who to who corrupt to corrupt adaptively
More informationCryptography with Updates
Cryptography with Updates Slides and research in collaboration with: Prabhanjan Ananth UCLA Aloni Cohen MIT Abhishek Jain JHU Garbled Circuits C Offline: slow Online: fast x C(x) Garbled Circuits C Offline:
More informationFast and Secure Three-party Computation: The Garbled Circuit Approach
Fast and Secure Three-party Computation: The Garbled Circuit Approach Payman Mohassel Yahoo Labs Sunnyvale, California pmohassel@yahooinc.com Mike Rosulek Oregon State University Corvallis, Oregon rosulekm@eecs.
More informationCRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext
CRYPTOLOGY CRYPTOGRAPHY KEY MANAGEMENT CRYPTANALYSIS Cryptanalytic Brute-Force Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext 58 Types of Cryptographic Private key (Symmetric) Public
More informationDefining Encryption. Lecture 2. Simulation & Indistinguishability
Defining Encryption Lecture 2 Simulation & Indistinguishability Roadmap First, Symmetric Key Encryption Defining the problem We ll do it elaborately, so that it will be easy to see different levels of
More informationClassic Cryptography: From Caesar to the Hot Line
Classic Cryptography: From Caesar to the Hot Line Wenyuan Xu Department of Computer Science and Engineering University of South Carolina Overview of the Lecture Overview of Cryptography and Security Classical
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationCIS 4360 Secure Computer Systems Symmetric Cryptography
CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography
More informationFaster Private Set Intersection based on OT Extension
Faster Private Set Intersection based on OT Extension Michael Zohner (TU Darmstadt) Joint work with Benny Pinkas (Bar Ilan University) Thomas Schneider (TU Darmstadt) 22.08.14 Faster PSI based on OT extension
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( Mid Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations
More informationISA 562: Information Security, Theory and Practice. Lecture 1
ISA 562: Information Security, Theory and Practice Lecture 1 1 Encryption schemes 1.1 The semantics of an encryption scheme. A symmetric key encryption scheme allows two parties that share a secret key
More informationHomework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING ENEE 457 Computer Systems Security Instructor: Charalampos Papamanthou Homework 2 Out: 09/23/16 Due: 09/30/16 11:59pm Instructions
More informationLecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)
Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR) Boaz Barak December 8, 2005 Oblivious Transfer We are thinking of the following situation: we have a server and a client (or
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationMalicious-Client Security in Blind Seer: A Scalable Private DBMS
2015 IEEE Symposium on Security and Privacy Malicious-Client Security in Blind Seer: A Scalable Private DBMS Ben A. Fisch, Binh Vo, Fernando Krell, Abishek Kumarasubramanian, Vladimir Kolesnikov, Tal Malkin,
More informationImplementation Techniques
4 Implementation Techniques Although secure computation protocols (as described in Section 3) were known since the 1980s, the first full implementation of a generic secure computation system was Fairplay
More informationLecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)
Lecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR) Boaz Barak November 29, 2007 Oblivious Transfer We are thinking of the following situation: we have a server and a client (or
More informationHow to (not) Share a Password:
How to (not) Share a Password: Privacy preserving protocols for finding heavy hitters with adversarial behavior Moni Naor Benny Pinkas Eyal Ronen Passwords First modern use in MIT's CTSS (1961) Passwords
More informationLecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24
Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable for authentication of sender Lecturers: Mark D. Ryan and David Galindo.
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Lecture 6 Michael J. Fischer Department of Computer Science Yale University January 27, 2010 Michael J. Fischer CPSC 467b, Lecture 6 1/36 1 Using block ciphers
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 1 Data Integrity, Message Authentication Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M M Bob Eve
More informationECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #9 Authentication Using Shared Secrets Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we introduce the concept of authentication and
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationKey Establishment and Authentication Protocols EECE 412
Key Establishment and Authentication Protocols EECE 412 1 where we are Protection Authorization Accountability Availability Access Control Data Protection Audit Non- Repudiation Authentication Cryptography
More informationIntroduction to Cryptography. Ramki Thurimella
Introduction to Cryptography Ramki Thurimella Encryption & Decryption 2 Generic Setting 3 Kerckhoff s Principle Security of the encryption scheme must depend only on The secret key NOT on the secrecy of
More informationABY 3 : A Mixed Protocol Framework for Machine Learning
ABY 3 : A Mixed Protocol Framework for Machine Learning Payman Mohassel and Peter Rindal Abstract Machine learning is widely used to produce models for a range of applications and is increasingly offered
More informationPart VI. Public-key cryptography
Part VI Public-key cryptography Drawbacks with symmetric-key cryptography Symmetric-key cryptography: Communicating parties a priori share some secret information. Secure Channel Alice Unsecured Channel
More informationResearch Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.
Research Statement Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il www.cs.biu.ac.il/ lindell July 11, 2005 The main focus of my research is the theoretical foundations
More informationMore crypto and security
More crypto and security CSE 199, Projects/Research Individual enrollment Projects / research, individual or small group Implementation or theoretical Weekly one-on-one meetings, no lectures Course grade
More informationKey Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10
Key Establishment Chester Rebeiro IIT Madras CR Stinson : Chapter 10 Multi Party secure communication C D A B E F N parties want to communicate securely with each other (N=6 in this figure) If sends a
More informationMichael Zohner (TU Darmstadt)
ABY - A Framework for Efficient Mixed-Protocol Secure Two-Party Computation Michael Zohner (TU Darmstadt) Joint work with Daniel Demmler and Thomas Schneider 11.02.14 ABY: Mixed-Protocol Secure Two-Party
More informationCPSC 467b: Cryptography and Computer Security
Outline ZKIP Other IP CPSC 467b: Cryptography and Computer Security Lecture 19 Michael J. Fischer Department of Computer Science Yale University March 31, 2010 Michael J. Fischer CPSC 467b, Lecture 19
More informationCOMPOSABLE AND ROBUST OUTSOURCED STORAGE
SESSION ID: CRYP-R14 COMPOSABLE AND ROBUST OUTSOURCED STORAGE Christian Badertscher and Ueli Maurer ETH Zurich, Switzerland Motivation Server/Database Clients Write Read block 2 Outsourced Storage: Security
More informationDetectable Byzantine Agreement Secure Against Faulty Majorities
Detectable Byzantine Agreement Secure Against Faulty Majorities Matthias Fitzi, ETH Zürich Daniel Gottesman, UC Berkeley Martin Hirt, ETH Zürich Thomas Holenstein, ETH Zürich Adam Smith, MIT (currently
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationCryptography CS 555. Topic 1: Course Overview & What is Cryptography
Cryptography CS 555 Topic 1: Course Overview & What is Cryptography 1 Administrative Note Professor Blocki is traveling and will be back on Wednesday. E-mail: jblocki@purdue.edu Thanks to Professor Spafford
More informationLecture 1: Perfect Security
CS 290G (Fall 2014) Introduction to Cryptography Oct 2nd, 2014 Instructor: Rachel Lin 1 Recap Lecture 1: Perfect Security Scribe: John Retterer-Moore Last class, we introduced modern cryptography and gave
More informationWhat did we talk about last time? Public key cryptography A little number theory
Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive
More informationRSA. Public Key CryptoSystem
RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting
More information1 Defining Message authentication
ISA 562: Information Security, Theory and Practice Lecture 3 1 Defining Message authentication 1.1 Defining MAC schemes In the last lecture we saw that, even if our data is encrypted, a clever adversary
More informationCSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup
More informationQuid-Pro-Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution
In 33 rd IEEE Symposium on Security and Privacy ( Oakland ), San Francisco, May 212 Quid-Pro-Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution Yan Huang University of Virginia yhuang@virginia.edu
More informationLectures 6+7: Zero-Leakage Solutions
Lectures 6+7: Zero-Leakage Solutions Contents 1 Overview 1 2 Oblivious RAM 1 3 Oblivious RAM via FHE 2 4 Oblivious RAM via Symmetric Encryption 4 4.1 Setup........................................ 5 4.2
More informationUntraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. EJ Jung
Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms EJ Jung Goals 1. Hide what you wrote encryption of any kind symmetric/asymmetric/stream 2. Hide to whom you sent and when pseudonym?
More informationMulti-Theorem Preprocessing NIZKs from Lattices
Multi-Theorem Preprocessing NIZKs from Lattices Sam Kim and David J. Wu Stanford University Soundness: x L, P Pr P, V (x) = accept = 0 No prover can convince honest verifier of false statement Proof Systems
More informationPreserving Privacy through Processing Encrypted Data
Preserving Privacy through Processing Encrypted Data Prof. Miriam Leeser Department of Electrical and Computer Engineering Northeastern University Boston, MA mel@coe.neu.edu Joint work with Prof. Stratis
More informationAn Overview of Secure Multiparty Computation
An Overview of Secure Multiparty Computation T. E. Bjørstad The Selmer Center Department of Informatics University of Bergen Norway Prøveforelesning for PhD-graden 2010-02-11 Outline Background 1 Background
More informationCRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION
#RSAC SESSION ID: CRYP-W04 CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION Adam Shull Recent Ph.D. Graduate Indiana University Access revocation on the cloud #RSAC sk sk Enc Pub Sym pk k
More informationConstant Round Maliciously Secure 2PC with Function-independent Preprocessing using LEGO
Constant Round Maliciously Secure 2PC with Function-independent Preprocessing using LEGO Jesper Buus Nielsen Aarhus University jbn@cs.au.dk Thomas Schneider Technische Universität Darmstadt thomas.schneider@crisp-da.de
More informationCSC 5930/9010 Cloud S & P: Cloud Primitives
CSC 5930/9010 Cloud S & P: Cloud Primitives Professor Henry Carter Spring 2017 Methodology Section This is the most important technical portion of a research paper Methodology sections differ widely depending
More informationSecure Set Intersection with Untrusted Hardware Tokens
Secure Set Intersection with Untrusted Hardware Tokens Thomas Schneider Engineering Cryptographic Protocols Group, TU Darmstadt http://encrypto.de joint work with Marc Fischlin (TU Darmstadt) Benny Pinkas
More informationBlind Machine Learning
Blind Machine Learning Vinod Vaikuntanathan MIT Joint work with Chiraag Juvekar and Anantha Chandrakasan Problem 1. Blind Inference (application: Monetizing ML) 6)(asdpasfz $0.1 Convolutional NN MRI Image
More informationWhitewash: Outsourcing Garbled Circuit Generation for Mobile Devices
Whitewash: Outsourcing Garbled Circuit Generation for Mobile Devices Annual Computer Security Applications Conference 2014 Henry Hank Carter, Charles Lever, Patrick Traynor SMC on mobile devices Mobile
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationBillion-Gate Secure Computation with Malicious Adversaries
Billion-Gate Secure Computation with Malicious Adversaries Benjamin Kreuter brk7bx@virginia.edu University of Virginia abhi shelat abhi@virginia.edu University of Virginia Chih-hao Shen cs6zb@virginia.edu
More informationComputational Security, Stream and Block Cipher Functions
Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for
More informationSecure Outsourced Garbled Circuit Evaluation for Mobile Devices
Secure Outsourced Garbled Circuit Evaluation for Mobile Devices Henry Carter, Georgia Institute of Technology; Benjamin Mood, University of Oregon; Patrick Traynor, Georgia Institute of Technology; Kevin
More informationSenior Math Circles Cryptography and Number Theory Week 1
Senior Math Circles Cryptography and Number Theory Week 1 Dale Brydon Feb. 2, 2014 1 One-Time Pads Cryptography deals with the problem of encoding a message in such a way that only the intended recipient
More information