Results 1  10
of
53
NonInteractive Verifiable Computing: Outsourcing Computation to Untrusted Workers
, 2009
"... Verifiable Computation enables a computationally weak client to “outsource ” the computation of a function F on various inputs x1,...,xk to one or more workers. The workers return the result of the function evaluation, e.g., yi = F(xi), as well as a proof that the computation of F was carried out co ..."
Abstract

Cited by 97 (10 self)
 Add to MetaCart
Verifiable Computation enables a computationally weak client to “outsource ” the computation of a function F on various inputs x1,...,xk to one or more workers. The workers return the result of the function evaluation, e.g., yi = F(xi), as well as a proof that the computation of F was carried out correctly on the given value xi. The verification of the proof should require substantially less computational effort than computing F(xi) from scratch. We present a protocol that allows the worker to return a computationallysound, noninteractive proof that can be verified in O(m) time, where m is the bitlength of the output of F. The protocol requires a onetime preprocessing stage by the client which takes O(C) time, where C is the smallest Boolean circuit computing F. Our scheme also provides input and output privacy for the client, meaning that the workers do not learn any information about the xi or yi values. 1
TASTY: Tool for Automating Secure TwopartY computations
 In ACM Conference on Computer and Communications Security (ACM CCS’10
"... Secure twoparty computation allows two untrusting parties to jointly compute an arbitrary function on their respective private inputs while revealing no information beyond the outcome. Existing cryptographic compilers can automatically generate secure computation protocols from highlevel specifica ..."
Abstract

Cited by 35 (3 self)
 Add to MetaCart
Secure twoparty computation allows two untrusting parties to jointly compute an arbitrary function on their respective private inputs while revealing no information beyond the outcome. Existing cryptographic compilers can automatically generate secure computation protocols from highlevel specifications, but are often limited in their use and efficiency of generated protocols as they are based on either garbled circuits or (additively) homomorphic encryption only. In this paper we present TASTY, a novel tool for automating, i.e., describing, generating, executing, benchmarking, and comparing, efficient secure twoparty computation protocols. TASTY is a new compiler that can generate protocols based on homomorphic encryption and efficient garbled circuits as well as combinations of both, which often yields the most efficient protocols available today. The user provides a highlevel description of the computations to be performed on encrypted data in a domainspecific language. This is automatically transformed into a protocol. TASTY provides most recent techniques and optimizations for practical secure twoparty computation with low online latency. Moreover, it allows to efficiently evaluate circuits generated by the wellknown Fairplay compiler. We use TASTY to compare protocols for secure multiplication based on homomorphic encryption with those based on garbled circuits and highly efficient Karatsuba multiplication. Further, we show how TASTY improves the online latency for securely evaluating the AES functionality by an order of magnitude compared to previous software implementations. TASTY allows to automatically generate efficient secure protocols for many privacypreserving applications where we consider the use cases for private set intersection and face recognition protocols.
Computing arbitrary functions of encrypted data
 Commun. ACM
, 2010
"... Suppose that you want to delegate the ability to process your data, without giving away access to it. We show that this separation is possible: we describe a “fully homomorphic” encryption scheme that keeps data private, but that allows a worker that does not have the secret decryption key to comput ..."
Abstract

Cited by 32 (0 self)
 Add to MetaCart
Suppose that you want to delegate the ability to process your data, without giving away access to it. We show that this separation is possible: we describe a “fully homomorphic” encryption scheme that keeps data private, but that allows a worker that does not have the secret decryption key to compute any (still encrypted) result of the data, even when the function of the data is very complex. In short, a third party can perform complicated processing of data without being able to see it. Among other things, this helps make cloud computing compatible with privacy. 1.
Fully Homomorphic Encryption from RingLWE and Security for Key Dependent Messages
 in Advances in Cryptology—CRYPTO 2011, Lect. Notes in Comp. Sci. 6841 (2011
"... Abstract. We present a somewhat homomorphic encryption scheme that is both very simple to describe and analyze, and whose security (quantumly) reduces to the worstcase hardness of problems on ideal lattices. We then transform it into a fully homomorphic encryption scheme using standard “squashing ” ..."
Abstract

Cited by 27 (1 self)
 Add to MetaCart
Abstract. We present a somewhat homomorphic encryption scheme that is both very simple to describe and analyze, and whose security (quantumly) reduces to the worstcase hardness of problems on ideal lattices. We then transform it into a fully homomorphic encryption scheme using standard “squashing ” and “bootstrapping ” techniques introduced by Gentry (STOC 2009). One of the obstacles in going from “somewhat ” to full homomorphism is the requirement that the somewhat homomorphic scheme be circular secure, namely, the scheme can be used to securely encrypt its own secret key. For all known somewhat homomorphic encryption schemes, this requirement was not known to be achievable under any cryptographic assumption, and had to be explicitly assumed. We take a step forward towards removing this additional assumption by proving that our scheme is in fact secure when encrypting polynomial functions of the secret key. Our scheme is based on the ring learning with errors (RLWE) assumption that was recently introduced by Lyubashevsky, Peikert and Regev (Eurocrypt 2010). The RLWE assumption is reducible to worstcase problems on ideal lattices, and allows us to completely abstract out the lattice interpretation, resulting in an extremely simple scheme. For example, our secret key is s, and our public key is (a, b = as + 2e), where s, a, e are all degree (n − 1) integer polynomials whose coefficients are independently drawn from easy to sample distributions. 1
Homomorphic signatures for polynomial functions
, 2010
"... We construct the first homomorphic signature scheme that is capable of evaluating multivariate polynomials on signed data. Given the public key and a signed data set, there is an efficient algorithm to produce a signature on the mean, standard deviation, and other statistics of the signed data. Prev ..."
Abstract

Cited by 26 (4 self)
 Add to MetaCart
We construct the first homomorphic signature scheme that is capable of evaluating multivariate polynomials on signed data. Given the public key and a signed data set, there is an efficient algorithm to produce a signature on the mean, standard deviation, and other statistics of the signed data. Previous systems for computing on signed data could only handle linear operations. For polynomials of constant degree, the length of a derived signature only depends logarithmically on the size of the data set. Our system uses ideal lattices in a way that is a “signature analogue” of Gentry’s fully homomorphic encryption. Security is based on hard problems on ideal lattices similar to those in Gentry’s system.
Privacypreserving aggregation of timeseries data
 In NDSS
, 2011
"... We consider how an untrusted data aggregator can learn desired statistics over multiple participants ’ data, without compromising each individual’s privacy. We propose a construction that allows a group of participants to periodically upload encrypted values to a data aggregator, such that the aggre ..."
Abstract

Cited by 20 (3 self)
 Add to MetaCart
We consider how an untrusted data aggregator can learn desired statistics over multiple participants ’ data, without compromising each individual’s privacy. We propose a construction that allows a group of participants to periodically upload encrypted values to a data aggregator, such that the aggregator is able to compute the sum of all participants ’ values in every time period, but is unable to learn anything else. We achieve strong privacy guarantees using two main techniques. First, we show how to utilize applied cryptographic techniques to allow the aggregator to decrypt the sum from multiple ciphertexts encrypted under different user keys. Second, we describe a distributed data randomization procedure that guarantees the differential privacy of the outcome statistic, even when a subset of participants might be compromised. 1
Faster Fully Homomorphic Encryption
"... Abstract. We describe two improvements to Gentry's fully homomorphic scheme based on ideal lattices and its analysis: we provide a re ned analysis of one of the hardness assumptions (the one related to the Sparse Subset Sum Problem) and we introduce a probabilistic decryption algorithm that can be i ..."
Abstract

Cited by 18 (0 self)
 Add to MetaCart
Abstract. We describe two improvements to Gentry's fully homomorphic scheme based on ideal lattices and its analysis: we provide a re ned analysis of one of the hardness assumptions (the one related to the Sparse Subset Sum Problem) and we introduce a probabilistic decryption algorithm that can be implemented with an algebraic circuit of low multiplicative degree. Combined together, these improvements lead to a faster fully homomorphic scheme, with a e O(λ 3) bit complexity per elementary binary add/mult gate, where λ is the security parameter. These improvements also apply to the fully homomorphic schemes of Smart and Vercauteren [PKC'2010] and van Dijk et al. [Eurocrypt'2010]. Keywords: fully homomorphic encryption, ideal lattices, SSSP. 1
Fully homomorphic encryption over the integers with shorter public keys
 CRYPTO 2011, volume 6841 of Lecture Notes in Computer Science
, 2011
"... Abstract. We extend the fully homomorphic encryption scheme over the integers of van Dijk et al. (DGHV) to batch fully homomorphic encryption, i.e. to a scheme that supports encrypting and homomorphically processing a vector of plaintext bits as a single ciphertext. Our variant remains semantically ..."
Abstract

Cited by 16 (2 self)
 Add to MetaCart
Abstract. We extend the fully homomorphic encryption scheme over the integers of van Dijk et al. (DGHV) to batch fully homomorphic encryption, i.e. to a scheme that supports encrypting and homomorphically processing a vector of plaintext bits as a single ciphertext. Our variant remains semantically secure under the (errorfree) approximateGCD problem. We also show how to perform arbitrary permutations on the underlying plaintext vector given the ciphertext and the public key. Our scheme offers competitive performance: we describe an implementation of the fully homomorphic evaluation of AES encryption, with an amortized cost of about 12 minutes per AES ciphertext on a standard desktop computer; this is comparable to the timings presented by Gentry et al. at Crypto 2012 for their implementation of a RingLWE based fully homomorphic encryption scheme.
Vmcrypt  modular software architecture for scalable secure computation. Cryptology ePrint Archive
"... Garbled circuits play a key role in secure computation. Unlike previous work, which focused mainly on efficiency and automation aspects of secure computation, in this paper we focus on software modularity and scalability, considering very large circuits. Our main contribution is a virtual machine th ..."
Abstract

Cited by 12 (3 self)
 Add to MetaCart
Garbled circuits play a key role in secure computation. Unlike previous work, which focused mainly on efficiency and automation aspects of secure computation, in this paper we focus on software modularity and scalability, considering very large circuits. Our main contribution is a virtual machine that dynamically loads hardware descriptions into memory and destructs them as soon as they are done computing. Our software also introduces a new technique for parallel evaluation of garbled circuits. The software is designed in a completely modular fashion, allowing developers to integrate garbled circuits through an API (Abstract Programming Interface), without having to modify the base code. We measure the performance of this architecture on several circuits with hundreds of millions of gates. To the best of our knowledge, these are the largest scalable secure computations done to date. 1
TokenBased Cloud Computing ⋆ Secure Outsourcing of Data and Arbitrary Computations with Lower Latency
"... Abstract. Secure outsourcing of computation to an untrusted (cloud) service provider is becoming more and more important. Pure cryptographic solutions based on fully homomorphic and verifiable encryption, recently proposed, are promising but suffer from very high latency. Other proposals perform the ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
Abstract. Secure outsourcing of computation to an untrusted (cloud) service provider is becoming more and more important. Pure cryptographic solutions based on fully homomorphic and verifiable encryption, recently proposed, are promising but suffer from very high latency. Other proposals perform the whole computation on tamperproof hardware and usually suffer from the the same problem. Trusted computing (TC) is another promising approach that uses trusted software and hardware components on computing platforms to provide useful mechanisms such as attestation allowing the data owner to verify the integrity of the cloud and its computation. However, on the one hand these solutions require trust in hardware (CPU, trusted computing modules) that are under the physical control of the cloud provider, and on the other hand they still have to face the challenge of runtime attestation. In this paper we focus on applications where the latency of the computation should be minimized, i.e., the time from submitting the query until receiving the outcome of the computation should be as small as possible. To achieve this we show how to combine a trusted hardware token (e.g., a cryptographic coprocessor or provided by the customer) with Secure Function Evaluation (SFE) to compute arbitrary functions on secret (encrypted) data where the computation leaks no information and is verifiable. The token is used in the setup phase only whereas in the timecritical online phase the cloud computes the encrypted function on encrypted data using symmetric encryption primitives only and without any interaction with other entities. Keywords: Cloud Computing, Hardware Token, Outsourcing. 1