Multi-Party 2 Computation Part 3
|
|
- Wilfred Golden
- 5 years ago
- Views:
Transcription
1 ECRYPT.NET Cloud Summer School Multi-Party 2 Computation Part 3 Claudio Orlandi, Aarhus University
2 Plan for the next 3 hours Part 1: Secure Computation with a Trusted Dealer Warmup: One-Time Truth Tables Evaluating Circuits with Beaver s trick MAC-then-Compute for Active Security Part 2: Oblivious Transfer OT: Definitions and Applications Passive Secure OT Extension OT Protocols from DDH (Naor-Pinkas/PVW) Part 3: Garbled Circuits GC: Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active security 101: simple-cut-and choose, dual-execution
3 Part 3: Garbled Circuits GC: Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active security 101: simple-cut-and choose, dual-execution
4 Garbled Circuit Cryptographic primitive that allows to evaluate encrypted functions on encrypted inputs
5 r Garbled Circuits d Values in a box are garbled f x Gb e En [F] [X] Ev [Z] De z Correct if z=f(x)
6 Alice Application 1: Delegation via GC Bob(x) [F] ([F],e,d) ßGb( f,r ) [X] [X]ßEn(e,x) [Z]ßEv([F],[X]) [Z] z=de(d,[z])
7 Alice Application 1: Delegation via GC Bob(x) [F] ([F],e,d) ßGb( f,r ) Authenticity: If A is corrupted and [Z*] ß A([F],[X]), then De([Z*],d) is f(x) or ^ [X] [Z*] [X]ßEn(e,x) z*=de(d,[z*])
8 Garbled Circuits: Authenticity r d f x Gb e En [F] [X] Ev [Z*] De z* z*=f(x) OR z*= abort
9 Application 2: Passive Constant Round 2PC (Yao) Alice(x) Bob(y) x [X] 2PC (OT) e ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [Z]ßEv([F],[X],[Y]) [F], [Y], d z=de(d,[z])
10 Application 2: Passive Constant Round 2PC (Yao) Alice(x) Bob(y) x [X] 2PC (OT) e ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [Z]ßEv([F],[X],[Y]) [F], [Y], d z=de(d,[z]) Bob learns nothing about x!
11 Application 2: Passive Constant Round 2PC (Yao) Alice(x) Bob(y) x [X] 2PC (OT) e ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [Z]ßEv([F],[X],[Y]) [F], [Y], d z=de(d,[z]) How much information is leaked by GC?
12 Garbled Circuits: Privacy r d f x Gb e Or even less/no info about f En [F] [X] Ev [Z] Exist Sim s.t. ([F],[X],d) ~ Sim(f,f(x)) De z
13 Part 3: Garbled Circuits Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active security 101: simple-cut-and choose, dual-execution
14 Garbling: Gate-by-gate [x 1 ] [y 1 ] [x 2 ] [y 2 ] [x 3 ] [y 3 ] [x 4 ] [y 4 ] [x 5 ] [y 5 ] [w] w +e z * [w+e] 14
15 PROJECTIVE SCHEMES: CIRCUIT BASED GARBLING/EVALUATIONS
16 Garbling a Circuit : ([F],e,d)ß Gb(f) K 1 0,K 1 1 K 2 0,K 2 1 L 0,L 1 R 0,R 1 K 0,K 1 Z 0,Z 1 Choose 2 random keys K i 0,K i 1 for each wire in the circuit Input, internaland, output wires For each gate g compute gg ß Gb(g,L 0,L 1,R 0,R 1,K 0,K 1 ) Output e=(k i 0,K i 1) for all input wires d=(z 0,Z 1 ) [F]=(gg i ) for all gates i
17 Encoding and Decoding [X] = En(e,x) e={ K i 0, K i 1} x= { x 1,,x n } [X]={K 1 x1,,k n xn} z=de(d,[z]) d = { Z 0,Z 1 } [Z] = { K } z= 0 if K=Z 0, 1 if K=Z 1, abort else
18 Evaluating a GC : [Z]ß Ev([F],[X]) K 1 Parse [X]={K 1,,K n } K 2 gg 1 gg i gg i gg i gg i Parse [F]={gg i } L gg 2 K R gg i gg i gg i gg i For each gate i compute K ß Ev(gg i,l,r) gg n Output Z Z
19 INDIVIDUAL GATES GARBLING/EVALUATION
20 Notation L 0,L 1 R 0,R 1 gg A garbled gate is a gadget that given two inputs keys gives you the right output key (and nothing else) gg ß Gb(g,L 0,L 1,R 0,R 1,Z 0,Z 1 ) Z g(a,b) ß Ev(gg,L a,r b ) Z 0,Z 1 //and not Z 1-g(a,b)
21 Yao Gate Garbling (1) L R K NAND gate L K R 21
22 Yao Gate Garbling (2) L R K L 0 R 0 K 1 L 0 R 1 K 1 L 1 R 0 K 1 L R L 1 R 1 K 0 K Choose labels (e.g., 128 bits strings) for every value on every wire 22
23 Yao Gate Garbling (3) C C 1 = H(L 0,R 0 ) K 1 L R C 2 = H(L 0,R 1 ) K 1 C 3 = H(L 1,R 0 ) K 1 C 4 = H(L 1,R 1 ) K 0 K Encrypt the output key with the input keys 23
24 Yao Gate Garbling (4) C C 1 = H(L 0,R 0 ) (K 1,0 k ) C 2 = H(L 0,R 1 ) (K 1,0 k ) C 3 = H(L 1,R 0 ) (K 1,0 k ) L R C 4 = H(L 1,R 1 ) (K 0,0 k ) K Add redundancy (later used to check if decryption is successful) 24
25 Yao Gate Garbling (5) C C 1 = H(L 0,R 0 ) (K 1,0 k ) C 2 = H(L 0,R 1 ) (K 1,0 k ) C 3 = H(L 1,R 0 ) (K 1,0 k ) C 4 = H(L 1,R 1 ) (K 0,0 k ) L R C 1,C 2,C 3,C 4 = perm(c 1,C 2,C 3,C 4 ) K Permute the order of the ciphertexts (to hide information about inputs/outputs) 25
26 Yao Gate Evaluation (1) Eval(gg, L a, R b ) //not a,b For i=1..4 (K,t)=C i H(L a,r b ) If t=0 k output K Output is correct: t=0 k only for right row Evaluator learns nothing else: Encryption + permutation gg (permuted) C 1 = H(L 0,R 0 ) (K 1,0 k ) C 2 = H(L 0,R 1 ) (K 1,0 k ) C 3 = H(L 1,R 0 ) (K 1,0 k ) C 4 = H(L 1,R 1 ) (K 0,0 k ) 26
27 GARBLING OPTIMIZATIONS: POINT-AND-PERMUTE
28 Point-and-permute Problem: Evaluator needs to try to decrypt all 4 rows Solution: add permutation bits to keys (L 0, p) (L 1,!p) (R 0, q) (R 1,!q) gg ß Gb(g,L 0,L 1,p,R 0,R 1,q,Z 0,Z 1,r) (Z g(a,b),r g(a,b))ß Ev(gg,L a,a p,r b,b q) gg (Z 0, r) (Z 1,!r)
29 Point-and-permute Garbling (4) C C 1 = H(L 0,R 0 ) (K g(0,0), r g(0,0) ) C 2 = H(L 0,R 1 ) (K g(0,1), r g(0,1) ) C 3 = H(L 1,R 0 ) (K g(1,0), r g(1,0) ) L R C 4 = H(L 1,R 1 ) (K g(1,1), r g(1,1) ) K Remove redundancy Add random permutation bit 29
30 Point-and-permute Garbling (5) C C 1 = H(L p,r q ) (K g(p,q), r g(p,q) ) C 2 = H(L p,r!q ) (K g(p,!q), r g(p,!q) ) C 3 = H(L!p,R q ) (K g(!p,q), r g(!p,q) ) C 4 = H(L!p,R!q ) (K g(!p,!q), r g(!p,!q) ) Permute rows using p,q 30
31 Point-and-permute Evaluation Eval(gg, L, u, R, v) //not a,b (K,r)=C 2u+v H(L,R) C C 1 = H(L p,r q ) (K g(p,q), r g(p,q) ) C 2 = H(L p,r!q ) (K g(p,!q), r g(p,!q) ) Output is correct: (Check permutation) Privacy: u=p a, v=q b p,q are one time pads for a,b C 3 = H(L!p,R q ) (K g(!p,q), r g(!p,q) ) C 4 = H(L!p,R!q ) (K g(!p,!q), r g(!p,!q) ) 31
32 GARBLING OPTIMIZATIONS: SIMPLE GARBLED ROW REDUCTION
33 Point-and-permute Problem: each gg is 4 ciphertexts Solution: define output key pseudorandomly as functions of input keys, reduce comm. complexity L 0 L 1 R 0 R 1 (gg, Z 0,Z 1 ) ß Gb(g,L 0,L 1,R 0,R 1 ) (Z g(a,b) )ß Ev(gg,L a,r b ) gg Z 0 Z 1
34 Garbling a Circuit : ([F],e,d)ß Gb(f) K 1 0,K 1 1 K 2 0,K 2 1 L 0,L 1 R 0,R 1 K 0,K 1 Z 0,Z 1 Choose 2 random keys K i 0,K i 1 for each wire in the circuit Input wire only! For each gate g compute (gg,k 0,K 1 )ß Gb(g,L 0,L 1,R 0,R 1 ) Output e=(k i 0,K i 1) for all input wires d=(z 0,Z 1 ) [F]=(gg i ) for all gates i
35 Yao Gate Garbling (3) C C 1 = H(L 0,R 0 ) K 1 L R C 2 = H(L 0,R 1 ) K 1 C 3 = H(L 1,R 0 ) K 1 C 4 = H(L 1,R 1 ) K 0 K Encrypt the output key with the input keys 35
36 Garbled Row Reduction Garbling C K 1 = H(L 0,R 0 ) (C 1 =0 k ) L R C 2 = H(L 0,R 1 ) K 1 C 3 = H(L 1,R 0 ) K 1 C 4 = H(L 1,R 1 ) K 0 K Define output keys as function of input keys (compatible with p&p) Can reduce 2 rows, but 1 is compatible with Free-XOR (coming up!) 36
37 GARBLING OPTIMIZATIONS: FREE XOR
38 Free-XOR Problem: in BeDOZa linear gates are for free. What about GC? Solution: introduce correlation between keys, make XOR computation free L 0 L 1 =L 0 Δ R 0 R 1 =R 0 Δ (gg,z 0 ) ß Gb(g,L 0,R 0,Δ) (Z g(a,b) )ß Ev(gg,L a,r b ) gg Z 0 Z 1 =Z 0 Δ
39 Garbling a Circuit : ([F],e,d)ß Gb(f) K 1 0 K 2 0 Choose 1 random key K i 0 for each input wire in the circuit And global difference Δ L 0 R 0 K 0 For each gate g compute (gg,k 0 )ß Gb(g,L 0,R 0,Δ) Z 0,Z 1 Output e=(k i 0,K i 1) for all input wires d=(z 0,Z 1 ) [F]=(gg i ) for all gates i
40 Garbling non-linear gates Like before, but requires circular security assumption (Compatible with GRR and p&p) Example for AND gate Evaluator sees L 0, R 0, K 0, H(L 0 Δ, R 0 Δ) K 0 Δ And should not be able to compute Δ!
41 Garbling/Evaluating XOR Gates L 0 L 1 =L 0 Δ R 0 R 1 =R 0 Δ Gb(XOR,L 0,R 0,Δ) gg Z 0 Z 1 =Z 0 Δ (gg,,z 0 ) ß Gb(g,L 0,R 0,Δ) (Z g(a,b) )ß Ev(gg,L a,r b ) Output Z 0 =L 0 R 0 (gg is empty) Ev(XOR,L a,r b,δ) Output Z a b =L a R b L a R b = L 0 aδ R 0 bδ = Z 0 (a b)δ = Z a b
42 Part 3: Garbled Circuits Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active security 101: simple-cut-and choose, dual-execution
43 ACTIVE ATTACKS VS YAO
44 Yao s protocol Alice Bob x [X] OT e ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [Z]ßEv([F],[X],[Y]) [F], [Y], d z=de(d,[z]) Passive Security Only 1 GC! Constant round! Very fast!
45 Active security of Yao Alice Bob x [X] OT e ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [F], [Y], d Cannot really cheat!
46 Alice Active security of Yao (v2, Bob gets output) Bob x [X] OT e ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [F], [Y], d [Z*] z*=de(d,[z*]) Still can t cheat, authenticity!
47 Garbled Circuits: Authenticy r d f x Gb e En [F] [X] Ev [Z*] De z* For all corrupt Ev z*=f(x) or z*=abort
48 Active security of Yao Alice(x) Bob(y) x [X] OT e ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [Z]ßEv([F],[X],[Y]) [F], [Y], d z=de(d,[z]) What if B is corrupted?
49 Insecurity 1 (wrong f) Alice(x) Bob(y) x [X] OT e ([G],e,d) ßGb( g,r ) [Y]ßEn(e,y) [Z]ßEv([G],[X],[Y]) [G], [Y], d z=de(d,[z]) g!= f z!= f(x,y)
50 Insecurity 2 (selective failure) Alice(x) [Z]ßEv([G],[X],[Y]) z=de(d,[z]) x (K 0,K 1 ) ([F],e,d) ßGb( f,r ) [X]=K x OT [G], [Y], d Bob(y) [Y]ßEn(e,y)
51 Insecurity 2 (selective failure) Alice(x) Bob(y) x [X*] OT (K 0,K*) ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [Z*]ßEv([G],[X*],[Y]) [G], [Y], d z*=de(d,[z*]) x=0 à z*=f(x,y) x=1 à z*=abort
52 SIMPLE TRICKS FOR ACTIVE SECURITY
53 ZKGC (Alice proves f(x)=z) Alice(x) Bob( ) x [X] OT e ([F],e,d) ßGb( f,r ) [F] [Z]ßEv([F],[X]) [Z] z=de(d,[z]) Bob has no input!
54 ZKGC (Alice proves f(x)=z) Alice(?) Bob( ) x [X] OT e ([F],e,d) ßGb( f,r ) [F] [Z*] z*=de(d,[z*]) Authenticity!
55 ZKGC (Alice proves f(x)=z) Alice Bob x [X] OT e ([F],e,d) ßGb( f,r ) [F] [Z]ßEv([F],[X]) [Z] z=de(d,[z]) Corrupt B can change f with g. Break privacy!
56 ZKGC (Alice proves f(x)=z) Alice Bob Commitment x [X] OT e ([F],e,d) ßGb( f,r ) [F] [Z]ßEv([F],[X]) [Z] If [F]!=Gb(f,r) abort else r [Z] Opening z=de(d,[z]) Active security! Only 1 GC!
57 Cut-And-Choose
58 2PC, simple cut-and-choose Alice x e 1,e 2 OT Bob [X 1 ],[X 2 ] ([F] i,e i,d i ) ßGb( f,r i ) If Gb(f,r -j )!= [F] -j abort else [Z] j ßEv([F] j,[x] j,[y] j ) [F] 1,[F] 2,d 1,d 2 rand j r -j, [Y] j [Y] j ßEn(e j,y) z=de(d j,[z] j )
59 2PC, simple cut-and-choose Alice If Gb(f,r -j )!= [F] -j abort else [Z] j ßEv([F] j,[x] j,[y] j ) x e 1,e 2 [X 1 ],[X 2 ] OT [F] 1,[F] 2,d 1,d 2 rand j r -j, [Y] j Bob z=de(d j,[z] j ) Corrupt Bob only wins with probability 1/2
60 2PC, cut-and-choose Simple cut-and-choose Garble k, check k-1, evaluate 1. Security 1-1/k
61 Dual Execution
62 Alice [Z]ßEv([F],[X],[Y]) x OT e Bob [X] ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [F], [Y] ([F],e,d) ßGb( f,r ) [X]ßEn(e,x) e OT [F], [X] y [Y] [Z]ßEv([F],[X],[Y]) [Z],d [Z],d z/abort De(d,[Z]) == De(d,[Z]) z/abort
63 Alice x OT e Bob [X] ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [F], [Y] Authenticity à [Z] is the right output! e OT [F*], [X] y [Y] [Z*]ßEv([F*],[X],[Y]) [Z],d [Z*],d z/abort De(d,[Z]) == De(d,[Z]) z/abort f(x,y) or abort
64 Alice x OT e Bob [X] ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [F], [Y] e OT [F*], [X] y [Y] [Z*]ßEv([F*],[X],[Y]) [Z],d z/abort De(d,[Z]) == De(d,[Z]) [Z*],d z/abort Selective failure [Z*]=[Z] iff y=0 è 1 bit leakage
65 Forge And Lose
66 2PC, forge-and-lose (idea) Alice x OT e i Bob [X i ] ([F] i,e i,d i ) ßGb( f,r i ) { [F] i } i Cut-and-Choose Generate k, check k/2 [Y i ] [Y] i ßEn(e i,y) [Z] i ßEv([F] i,[x] i,[y] i ) [Z] i y SMAC Punish Bob If exist i, j De(d i,[z] i )!= De(d j,[z] j ) y,d i
67 2PC, forge-and-lose (idea) Alice x OT e i Bob [X i ] ([F] i,e i,d i ) ßGb( f,r i ) { [F] i } i Cut-and-Choose Generate k, check k/2 [Y i ] [Y] i ßEn(e i,y) [Z] i ßEv([F] i,[x] i,[y] i ) [Z] i y SMAC Punish Bob If exist i, j De(d i,[z] i )!= De(d j,[z] j ) y,d i Whp at least one unchecked circuit is correct à real output will be used in SMAC
68 2PC, forge-and-lose (idea) Alice x OT e i Bob [X i ] ([F] i,e i,d i ) ßGb( f,r i ) Cut-and-Choose Generate k, check k/2 [Y i ] [Y] i ßEn(e i,y) Authenticity è Corrupt Alice cannot blame honest Bob [Z] i y SMAC Punish Bob If exist i, j De(d i,[z] i )!= De(d j,[z] j ) y,d i
69 Recap: Garbled Circuits Garbled circuits: allow to evaluate encrypted functions on encryptedinputs With properties like privacy, authenticity, etc. Applications: constant-round 2PC Different techniques for garbling gates Efficiency vs. Assumptions Active security How to check that the right function is garbled? Cut-and-choose and other tricks
70 Want more? Cryptographic Computing Foundations Programming & Theory Exercises Will be happy to answer questions by mail! also the reason why I cannot stay here longer L These slides (+ references & pointers)
Efficient MPC Optimizations for Garbled Circuits
CIS 2018 Efficient MPC Optimizations for Garbled Circuits Claudio Orlandi, Aarhus University Part 3: Garbled Circuits GC: Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active
More informationEfficient Secure Two-Party Computation
INDOCRYPT 2016 Tutorial Efficient Secure Two-Party Computation Claudio Orlandi, Aarhus University Plan for the next 3 hours Part 1: Secure Computation with a Trusted Dealer Warmup: One-Time Truth Tables
More informationMulti-Party 2 Computation Part 1
ECRYPT.NET Cloud Summer School Multi-Party 2 Computation Part 1 Claudio Orlandi, Aarhus University Plan for the next 3 hours Part 1: Secure Computation with a Trusted Dealer Warmup: One-Time Truth Tables
More informationIntroduction to Secure Multi-Party Computation
Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the University of Texas, Austin for providing these slides. slide 1 Motivation General framework for describing computation
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationVlad Kolesnikov Bell Labs
Vlad Kolesnikov Bell Labs DIMACS/Northeast Big Data Hub Workshop on Privacy and Security for Big Data Apr 25, 2017 You are near Starbucks; here is a special Legislation may require user consent each time
More information2018: Problem Set 1
crypt@b-it 2018 Problem Set 1 Mike Rosulek crypt@b-it 2018: Problem Set 1 1. Sometimes it is not clear whether certain behavior is an attack against a protocol. To decide whether something is an attack
More informationSecure Multiparty Computation
Secure Multiparty Computation Li Xiong CS573 Data Privacy and Security Outline Secure multiparty computation Problem and security definitions Basic cryptographic tools and general constructions Yao s Millionnare
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationSecure Multi-Party Computation. Lecture 13
Secure Multi-Party Computation Lecture 13 Must We Trust? Can we have an auction without an auctioneer?! Declared winning bid should be correct Only the winner and winning bid should be revealed Using data
More informationfrom circuits to RAM programs in malicious-2pc
from circuits to RAM programs in malicious-2pc Abstract: Secure 2-party computation (2PC) is becoming practical in some domains However, most approaches are limited by the fact that the desired functionality
More informationPractical Secure Two-Party Computation and Applications
Practical Secure Two-Party Computation and Applications Lecture 2: Private Set Intersection Estonian Winter School in Computer Science 2016 Overview of this lecture Private Set Intersection Special Purpose
More informationAn Overview of Active Security in Garbled Circuits
An Overview of Active Security in Garbled Circuits Author: Cesar Pereida Garcia Supervisor: Pille Pullonen Department of Mathematics and Computer Science. University of Tartu Tartu, Estonia. December 15,
More informationSecure Multi-Party Computation
Secure Multi-Party Computation A Short Tutorial By no means a survey! Manoj Prabhakaran :: University of Illinois at Urbana-Champaign Secure Multi-Party Computation A Short Tutorial Part I Must We Trust?
More informationGarbled Circuits via Structured Encryption Seny Kamara Microsoft Research Lei Wei University of North Carolina
Garbled Circuits via Structured Encryption Seny Kamara Microsoft Research Lei Wei University of North Carolina Garbled Circuits Fundamental cryptographic primitive Possess many useful properties Homomorphic
More informationLecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,
More informationFast Optimistically Fair Cut-and-Choose 2PC
Fast Optimistically Fair Cut-and-Choose 2PC Alptekin Küpçü Koç University, TURKEY akupcu@ku.edu.tr Payman Mohassel Yahoo Labs, USA pmohassel@yahoo-inc.com February 25, 2016 Abstract Secure two party computation
More informationSecure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)
Secure Multiparty Computation: Introduction Ran Cohen (Tel Aviv University) Scenario 1: Private Dating Alice and Bob meet at a pub If both of them want to date together they will find out If Alice doesn
More informationSecure Outsourced Garbled Circuit Evaluation for Mobile Devices
Secure Outsourced Garbled Circuit Evaluation for Mobile Devices Henry Carter, Georgia Institute of Technology Benjamin Mood, University of Oregon Patrick Traynor, Georgia Institute of Technology Kevin
More informationCRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext
CRYPTOLOGY CRYPTOGRAPHY KEY MANAGEMENT CRYPTANALYSIS Cryptanalytic Brute-Force Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext 58 Types of Cryptographic Private key (Symmetric) Public
More informationImprovement of Camenisch-Neven-Shelat Oblivious Transfer Scheme
Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme Zhengjun Cao and Hanyue Cao Department of Mathematics, Shanghai University, Shanghai, China caozhj@shu.edu.cn Abstract. In 2007, Camenisch,
More informationD1.1 State of the Art Analysis of MPC Techniques and Frameworks
D1.1 State of the Art Analysis of MPC Techniques and Frameworks Peter S. Nordholt (ALX), Nikolaj Volgushev (ALX), Prastudy Fauzi (AU), Claudio Orlandi (AU), Peter Scholl (AU), Mark Simkin (AU), Meilof
More information- Presentation 25 minutes + 5 minutes for questions. - Presentation is on Wednesday, 11:30-12:00 in B05-B06
Information: - Presentation 25 minutes + 5 minutes for questions. - Presentation is on Wednesday, 11:30-12:00 in B05-B06 - Presentation is after: Abhi Shelat (fast two-party secure computation with minimal
More informationCryptography Functions
Cryptography Functions Lecture 3 1/29/2013 References: Chapter 2-3 Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner Types of Cryptographic Functions Secret (Symmetric)
More informationActively Secure Garbled Circuits with Constant Communication Overhead in the Plain Model
Actively Secure Garbled Circuits with Constant Communication Overhead in the Plain Model Carmit Hazay 1, Yuval Ishai 2, and Muthuramakrishnan Venkitasubramaniam 3 1 Bar-Ilan University carmit.hazay@biu.ac.il,
More information1 A Tale of Two Lovers
CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.
More informationLecture 1: Perfect Security
CS 290G (Fall 2014) Introduction to Cryptography Oct 2nd, 2014 Instructor: Rachel Lin 1 Recap Lecture 1: Perfect Security Scribe: John Retterer-Moore Last class, we introduced modern cryptography and gave
More informationFoundations of Cryptography CS Shweta Agrawal
Foundations of Cryptography CS 6111 Shweta Agrawal Course Information 4-5 homeworks (20% total) A midsem (25%) A major (35%) A project (20%) Attendance required as per institute policy Challenge questions
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( Mid Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations
More informationEfficient Zero-Knowledge Proof of Algebraic and Non-Algebraic Statements with Applications to Privacy Preserving Credentials
Efficient Zero-Knowledge Proof of Algebraic and Non-Algebraic Statements with Applications to Privacy Preserving Credentials Melissa Chase 1, Chaya Ganesh 2, and Payman Mohassel 3 1 Microsoft Research,
More informationYuval Ishai Technion
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Yuval Ishai Technion 1 Zero-knowledge proofs for NP [GMR85,GMW86] Bar-Ilan University Computational MPC with no honest
More informationEfficient Private Matching and Set Intersection
Efficient Private Matching and Set Intersection Mike Freedman, NYU Kobbi Nissim, MSR Benny Pinkas, HP Labs EUROCRYPT 2004 A Story Is there any chance we might be compatible? We could see if we have similar
More informationECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #9 Authentication Using Shared Secrets Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we introduce the concept of authentication and
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcement Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationHow to (not) Share a Password:
How to (not) Share a Password: Privacy preserving protocols for finding heavy hitters with adversarial behavior Moni Naor Benny Pinkas Eyal Ronen Passwords First modern use in MIT's CTSS (1961) Passwords
More informationSymmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University
Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?
More informationCSC 5930/9010 Cloud S & P: Cloud Primitives
CSC 5930/9010 Cloud S & P: Cloud Primitives Professor Henry Carter Spring 2017 Methodology Section This is the most important technical portion of a research paper Methodology sections differ widely depending
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More informationLecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)
Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR) Boaz Barak December 8, 2005 Oblivious Transfer We are thinking of the following situation: we have a server and a client (or
More informationCryptography [Symmetric Encryption]
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationCIS 4360 Secure Computer Systems Symmetric Cryptography
CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography
More informationHomework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING ENEE 457 Computer Systems Security Instructor: Charalampos Papamanthou Homework 2 Out: 09/23/16 Due: 09/30/16 11:59pm Instructions
More informationLecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)
Lecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR) Boaz Barak November 29, 2007 Oblivious Transfer We are thinking of the following situation: we have a server and a client (or
More informationKey Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10
Key Establishment Chester Rebeiro IIT Madras CR Stinson : Chapter 10 Multi Party secure communication C D A B E F N parties want to communicate securely with each other (N=6 in this figure) If sends a
More informationFaster Private Set Intersection based on OT Extension
Faster Private Set Intersection based on OT Extension Michael Zohner (TU Darmstadt) Joint work with Benny Pinkas (Bar Ilan University) Thomas Schneider (TU Darmstadt) 22.08.14 Faster PSI based on OT extension
More informationBlind Seer: Scalable Private DB Querying
Blind Seer: Scalable Private DB Querying Columbia-Bell Labs work on IARPA SPAR project Vladimir Kolesnikov (Bell Labs), Steve Bellovin, Seung Geol Choi, Ben Fisch, Angelos Keromytis, Fernando Krell, Tal
More informationNetwork Security Technology Project
Network Security Technology Project Shanghai Jiao Tong University Presented by Wei Zhang zhang-wei@sjtu.edu.cn!1 Part I Implement the textbook RSA algorithm. The textbook RSA is essentially RSA without
More informationDefining Encryption. Lecture 2. Simulation & Indistinguishability
Defining Encryption Lecture 2 Simulation & Indistinguishability Roadmap First, Symmetric Key Encryption Defining the problem We ll do it elaborately, so that it will be easy to see different levels of
More informationMore crypto and security
More crypto and security CSE 199, Projects/Research Individual enrollment Projects / research, individual or small group Implementation or theoretical Weekly one-on-one meetings, no lectures Course grade
More informationSecure Outsourced Garbled Circuit Evaluation for Mobile Devices
Secure Outsourced Garbled Circuit Evaluation for Mobile Devices Henry Carter, Georgia Institute of Technology; Benjamin Mood, University of Oregon; Patrick Traynor, Georgia Institute of Technology; Kevin
More informationSecure Two-Party Computation: Generic Approach and Exploiting Specific Properties of Functions Approach
Secure Two-Party Computation: Generic Approach and Exploiting Specific Properties of Functions Approach A. Anasuya Threse Innocent, K. Sangeeta Department of CSE Amrita School of Engineering Amrita Vishwa
More informationAn Overview of Secure Multiparty Computation
An Overview of Secure Multiparty Computation T. E. Bjørstad The Selmer Center Department of Informatics University of Bergen Norway Prøveforelesning for PhD-graden 2010-02-11 Outline Background 1 Background
More informationComputational Security, Stream and Block Cipher Functions
Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationCS 425 / ECE 428 Distributed Systems Fall 2017
CS 425 / ECE 428 Distributed Systems Fall 2017 Indranil Gupta (Indy) Dec 5, 2017 Lecture 27: Security All slides IG Security Threats Leakage Unauthorized access to service or data E.g., Someone knows your
More informationCSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography
CSCI 454/554 Computer and Network Security Topic 2. Introduction to Cryptography Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationLecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24
Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable for authentication of sender Lecturers: Mark D. Ryan and David Galindo.
More informationCryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu
More informationCOMPOSABLE AND ROBUST OUTSOURCED STORAGE
SESSION ID: CRYP-R14 COMPOSABLE AND ROBUST OUTSOURCED STORAGE Christian Badertscher and Ueli Maurer ETH Zurich, Switzerland Motivation Server/Database Clients Write Read block 2 Outsourced Storage: Security
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcements Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationPart VI. Public-key cryptography
Part VI Public-key cryptography Drawbacks with symmetric-key cryptography Symmetric-key cryptography: Communicating parties a priori share some secret information. Secure Channel Alice Unsecured Channel
More informationKey Establishment and Authentication Protocols EECE 412
Key Establishment and Authentication Protocols EECE 412 1 where we are Protection Authorization Accountability Availability Access Control Data Protection Audit Non- Repudiation Authentication Cryptography
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of
More informationCPSC 467b: Cryptography and Computer Security
Outline ZKIP Other IP CPSC 467b: Cryptography and Computer Security Lecture 19 Michael J. Fischer Department of Computer Science Yale University March 31, 2010 Michael J. Fischer CPSC 467b, Lecture 19
More informationCryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
More informationSecure Function Evaluation using an FPGA Overlay Architecture
Secure Function Evaluation using an FPGA Overlay Architecture Xin Fang Stratis Ioannidis Miriam Leeser Dept. of Electrical and Computer Engineering Northeastern University Boston, MA, USA FPGA 217 1 Introduction
More informationCIS 6930/4930 Computer and Network Security. Project requirements
CIS 6930/4930 Computer and Network Security Project requirements Project Requirement Form a team of 3 people to complete the course project. The project has 100pts + 20pts (extra credit) Report requirement:
More informationUntraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. EJ Jung
Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms EJ Jung Goals 1. Hide what you wrote encryption of any kind symmetric/asymmetric/stream 2. Hide to whom you sent and when pseudonym?
More informationCryptography. Lecture 03
Cryptography Lecture 03 Recap Consider the following Encryption Schemes: 1. Shift Cipher: Crackable. Keyspace has only 26 elements. 2. Affine Cipher: Crackable. Keyspace has only 312 elements. 3. Vig Cipher:
More information1 Defining Message authentication
ISA 562: Information Security, Theory and Practice Lecture 3 1 Defining Message authentication 1.1 Defining MAC schemes In the last lecture we saw that, even if our data is encrypted, a clever adversary
More informationSecure Computation of Functionalities based on Hamming Distance and its Application to Computing Document Similarity
Secure Computation of Functionalities based on Hamming Distance and its Application to Computing Document Similarity Ayman Jarrous 1 and Benny Pinkas 2,* 1 University of Haifa, Israel. 2 Bar Ilan University,
More informationCryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu
More informationMichael Zohner (TU Darmstadt)
Efficient OT Extension and its Impact on Secure Computation Pushing the Communication Barrier of Passive Secure Two-Party Computation Michael Zohner (TU Darmstadt) Joint work with Ghada Dessouky, Ahmad-Reza
More informationLecture 18 - Chosen Ciphertext Security
Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not
More informationUnbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018
Unbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018 Junichi Tomida (NTT), Katsuyuki Takashima (Mitsubishi Electric) Functional Encryption[OʼNeill10, BSW11] msk Bob f(x) sk f
More informationData Integrity. Modified by: Dr. Ramzi Saifan
Data Integrity Modified by: Dr. Ramzi Saifan Encryption/Decryption Provides message confidentiality. Does it provide message authentication? 2 Message Authentication Bob receives a message m from Alice,
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Lecture 6 Michael J. Fischer Department of Computer Science Yale University January 27, 2010 Michael J. Fischer CPSC 467b, Lecture 6 1/36 1 Using block ciphers
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationWhat did we talk about last time? Public key cryptography A little number theory
Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive
More informationWhite-box attack resistant cryptography
White-box attack resistant cryptography Hiding cryptographic keys against the powerful attacker Dušan Klinec, Petr Švenda {xklinec, svenda}@fi.muni.cz Outline CEF&CED, fully homomorphic encryption Whitebox
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationApplied Cryptography and Computer Security CSE 664 Spring 2017
Applied Cryptography and Computer Security Lecture 18: Key Distribution and Agreement Department of Computer Science and Engineering University at Buffalo 1 Key Distribution Mechanisms Secret-key encryption
More informationIntroduction to Secure Multi-Party Computation
CS 380S Introduction to Secure Multi-Party Computation Vitaly Shmatikov slide 1 Motivation General framework for describing computation between parties who do not trust each other Example: elections N
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lecture 18: Cryptographic hash functions, Message authentication codes Functions Definition Given two sets, X and Y, a function f : X Y (from set X to set Y), is
More informationHow Do We Make Designs Insecure?
How Do We Make Designs Insecure? Gang Qu University of Maryland, College Park gangqu@umd.edu Design Automation Summer School Austin, TX June 5, 2016 Modular Exponentiation: a e (mod n) What is modular
More informationSymmetric Cryptography
CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
More informationHow to (not) Share a Password:
How to (not) Share a Password: Privacy preserving protocols for finding heavy hitters with adversarial behavior Moni Naor Benny Pinkas Eyal Ronen Passwords First modern use in MIT's CTSS (1961) Passwords
More informationThe Simplest Protocol for Oblivious Transfer
The Simplest Protocol for Oblivious Transfer Preliminary Report in MTAT.07.022 Research Seminar in Cryptography, Fall 2015 Author: Sander Siim Supervisor: Pille Pullonen December 15, 2015 Abstract This
More informationOutline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing
Outline CSCI 454/554 Computer and Network Security Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues Topic 2. Introduction to Cryptography 2 Cryptography Basic Concepts
More informationCryptography (cont.)
CSE 484 / CSE M 584 (Autumn 2011) Cryptography (cont.) Daniel Halperin Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others
More informationSecurely Outsourcing Garbled Circuit Evaluation
Securely Outsourcing Garbled Circuit Evaluation USENIX Security Symposium 2013 Henry Hank Carter Patrick Traynor Benjamin Mood Kevin Butler SMC on mobile devices Mobile devices loaded with private and
More informationNotes for Lecture 14
COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e
More informationCSCE 813 Internet Security Symmetric Cryptography
CSCE 813 Internet Security Symmetric Cryptography Professor Lisa Luo Fall 2017 Previous Class Essential Internet Security Requirements Confidentiality Integrity Authenticity Availability Accountability
More informationBasic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline
CSC/ECE 574 Computer and Network Security Topic 2. Introduction to Cryptography 1 Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationUNIT - IV Cryptographic Hash Function 31.1
UNIT - IV Cryptographic Hash Function 31.1 31-11 SECURITY SERVICES Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service
More informationLecture 7 - Applied Cryptography
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 7 - Applied Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger
More informationCS61A Lecture #39: Cryptography
Announcements: CS61A Lecture #39: Cryptography Homework 13 is up: due Monday. Homework 14 will be judging the contest. HKN surveys on Friday: 7.5 bonus points for filling out their survey on Friday (yes,
More information