Results 1  10
of
56
Faster Secure TwoParty Computation Using Garbled Circuits
 In USENIX Security Symposium
, 2011
"... Secure twoparty computation enables two parties to evaluate a function cooperatively without revealing to either party anything beyond the function’s output. The garbledcircuit technique, a generic approach to secure twoparty computation for semihonest participants, was developed by Yao in the 1 ..."
Abstract

Cited by 122 (22 self)
 Add to MetaCart
Secure twoparty computation enables two parties to evaluate a function cooperatively without revealing to either party anything beyond the function’s output. The garbledcircuit technique, a generic approach to secure twoparty computation for semihonest participants, was developed by Yao in the 1980s, but has been viewed as being of limited practical significance due to its inefficiency. We demonstrate several techniques for improving the running time and memory requirements of the garbledcircuit technique, resulting in an implementation of generic secure twoparty computation that is significantly faster than any previously reported while also scaling to arbitrarily large circuits. We validate our approach by demonstrating secure computation of circuits with over 10 9 gates at a rate of roughly 10 µs per garbled gate, and showing orderofmagnitude improvements over the best previous privacypreserving protocols for computing Hamming distance, Levenshtein distance, SmithWaterman genome alignment, and AES. 1
TASTY: Tool for Automating Secure TwopartY computations
 In ACM Conference on Computer and Communications Security (ACM CCS’10
"... Secure twoparty computation allows two untrusting parties to jointly compute an arbitrary function on their respective private inputs while revealing no information beyond the outcome. Existing cryptographic compilers can automatically generate secure computation protocols from highlevel specifica ..."
Abstract

Cited by 85 (7 self)
 Add to MetaCart
Secure twoparty computation allows two untrusting parties to jointly compute an arbitrary function on their respective private inputs while revealing no information beyond the outcome. Existing cryptographic compilers can automatically generate secure computation protocols from highlevel specifications, but are often limited in their use and efficiency of generated protocols as they are based on either garbled circuits or (additively) homomorphic encryption only. In this paper we present TASTY, a novel tool for automating, i.e., describing, generating, executing, benchmarking, and comparing, efficient secure twoparty computation protocols. TASTY is a new compiler that can generate protocols based on homomorphic encryption and efficient garbled circuits as well as combinations of both, which often yields the most efficient protocols available today. The user provides a highlevel description of the computations to be performed on encrypted data in a domainspecific language. This is automatically transformed into a protocol. TASTY provides most recent techniques and optimizations for practical secure twoparty computation with low online latency. Moreover, it allows to efficiently evaluate circuits generated by the wellknown Fairplay compiler. We use TASTY to compare protocols for secure multiplication based on homomorphic encryption with those based on garbled circuits and highly efficient Karatsuba multiplication. Further, we show how TASTY improves the online latency for securely evaluating the AES functionality by an order of magnitude compared to previous software implementations. TASTY allows to automatically generate efficient secure protocols for many privacypreserving applications where we consider the use cases for private set intersection and face recognition protocols.
Efficient privacypreserving face recognition
, 2009
"... Automatic recognition of human faces is becoming increasingly popular in civilian and law enforcement applications that require reliable recognition of humans. However, the rapid improvement and widespread deployment of this technology raises strong concerns regarding the violation of individuals ’ ..."
Abstract

Cited by 72 (6 self)
 Add to MetaCart
Automatic recognition of human faces is becoming increasingly popular in civilian and law enforcement applications that require reliable recognition of humans. However, the rapid improvement and widespread deployment of this technology raises strong concerns regarding the violation of individuals ’ privacy. A typical application scenario for privacypreserving face recognition concerns a client who privately searches for a specific face image in the face image database of a server. In this paper we present a privacypreserving face recognition scheme that substantially improves over previous work in terms of communicationand computation efficiency: the most recent proposal of Erkin et al. (PETS’09) requires O(log M) rounds and computationally expensive operations on homomorphically encrypted data to recognize a face in a database of M faces. Our improved scheme requires only O(1) rounds and has a substantially smaller online communication complexity (by a factor of 15 for each database entry) and less computation complexity. Our solution is based on known cryptographic building blocks combining homomorphic encryption with garbled circuits. Our implementation results show the practicality of our scheme also for large databases (e.g., for M = 1000 we need less than 13 seconds and less than 4 MByte online communication on two 2.4GHz PCs connected via Gigabit Ethernet).
Private Set Intersection: Are Garbled Circuits Better than Custom Protocols?
, 2012
"... Cryptographic protocols for Private Set Intersection (PSI) are the basis for many important privacypreserving applications. Over the past few years, intensive research has been devoted to designing custom protocols for PSI based on homomorphic encryption and other publickey techniques, apparently ..."
Abstract

Cited by 49 (7 self)
 Add to MetaCart
(Show Context)
Cryptographic protocols for Private Set Intersection (PSI) are the basis for many important privacypreserving applications. Over the past few years, intensive research has been devoted to designing custom protocols for PSI based on homomorphic encryption and other publickey techniques, apparently due to the belief that solutions using generic approaches would be impractical. This paper explores the validity of that belief. We develop three classes of protocols targeted to different set sizes and domains, all based on Yao’s generic garbledcircuit method. We then compare the performance of our protocols to the fastest custom PSI protocols in the literature. Our results show that a careful application of garbled circuits leads to solutions that can run on millionelement sets on typical desktops, and that can be competitive with the fastest custom protocols. Moreover, generic protocols like ours can be used directly for performing more complex secure computations, something we demonstrate by adding a simple informationauditing mechanism to our PSI protocols.
Efficient PrivacyPreserving Biometric Identification
"... We present an efficient matching protocol that can be used in many privacypreserving biometric identification systems in the semihonest setting. Our most general technical contribution is a new backtracking protocol that uses the byproduct of evaluating a garbled circuit to enable efficient oblivi ..."
Abstract

Cited by 32 (8 self)
 Add to MetaCart
(Show Context)
We present an efficient matching protocol that can be used in many privacypreserving biometric identification systems in the semihonest setting. Our most general technical contribution is a new backtracking protocol that uses the byproduct of evaluating a garbled circuit to enable efficient oblivious information retrieval. We also present a more efficient protocol for computing the Euclidean distances of vectors, and optimized circuits for finding the closest match between a point held by one party and a set of points held by another. We evaluate our protocols by implementing a practical privacypreserving fingerprint matching system. 1
Secure and efficient protocols for iris and fingerprint identification
 ESORICS. LECTURE NOTES IN COMPUTER SCIENCE
, 2011
"... Recent advances in biometric recognition and the increasing use of biometric data prompt significant privacy challenges associated with the possible misuse, loss or theft, of biometric data. Biometric matching isoftenperformedbytwomutuallysuspiciousparties, one ofwhichholdsone biometric image while ..."
Abstract

Cited by 27 (8 self)
 Add to MetaCart
(Show Context)
Recent advances in biometric recognition and the increasing use of biometric data prompt significant privacy challenges associated with the possible misuse, loss or theft, of biometric data. Biometric matching isoftenperformedbytwomutuallysuspiciousparties, one ofwhichholdsone biometric image while the other owns a possibly large biometric collection. Due to privacy and liability considerations, neither party is willing to share its data. This gives rise to the need to develop secure computation techniques over biometric data where no information is revealed to the parties except theoutcomeofthecomparisonorsearch. To address the problem, in this work we develop and implement the first privacypreserving identification protocol for iris codes. We also design and implement a secure protocol for fingerprint identification based on FingerCodes with a substantial improvement in the performance compared to existing solutions. We show that new techniques and optimizations employed in this work allow us to achieve particularly efficient protocols suitable for large data sets and obtain notable performance gain compared to the stateoftheart prior work.
Vmcrypt  modular software architecture for scalable secure computation. Cryptology ePrint Archive
"... Garbled circuits play a key role in secure computation. Unlike previous work, which focused mainly on efficiency and automation aspects of secure computation, in this paper we focus on software modularity and scalability, considering very large circuits. Our main contribution is a virtual machine th ..."
Abstract

Cited by 22 (3 self)
 Add to MetaCart
(Show Context)
Garbled circuits play a key role in secure computation. Unlike previous work, which focused mainly on efficiency and automation aspects of secure computation, in this paper we focus on software modularity and scalability, considering very large circuits. Our main contribution is a virtual machine that dynamically loads hardware descriptions into memory and destructs them as soon as they are done computing. Our software also introduces a new technique for parallel evaluation of garbled circuits. The software is designed in a completely modular fashion, allowing developers to integrate garbled circuits through an API (Abstract Programming Interface), without having to modify the base code. We measure the performance of this architecture on several circuits with hundreds of millions of gates. To the best of our knowledge, these are the largest scalable secure computations done to date. 1
Semantic security under relatedkey attacks and applications
 Cited on page 4.) 16 M. Bellare. New proofs for NMAC and HMAC: Security without collisionresistance. In C. Dwork, editor, CRYPTO 2006, volume 4117 of LNCS
, 2011
"... In a relatedkey attack (RKA) an adversary attempts to break a cryptographic primitive by invoking the primitive with several secret keys which satisfy some known, or even chosen, relation. We initiate a formal study of RKA security for randomized encryption schemes. We begin by providing general de ..."
Abstract

Cited by 17 (2 self)
 Add to MetaCart
(Show Context)
In a relatedkey attack (RKA) an adversary attempts to break a cryptographic primitive by invoking the primitive with several secret keys which satisfy some known, or even chosen, relation. We initiate a formal study of RKA security for randomized encryption schemes. We begin by providing general definitions for semantic security under passive and active RKAs. We then focus on RKAs in which the keys satisfy known linear relations over some Abelian group. We construct simple and efficient schemes which resist such RKAs even when the adversary can choose the linear relation adaptively during the attack. More concretely, we present two approaches for constructing RKAsecure encryption schemes. The first is based on standard randomized encryption schemes which additionally satisfy a natural “keyhomomorphism” property. We instantiate this approach under numbertheoretic or latticebased assumptions such as the Decisional DiffieHellman (DDH) assumption and the Learning Noisy Linear Equations assumption. Our second approach is based on RKAsecure pseudorandom generators. This approach can yield either deterministic, onetime use schemes with optimal ciphertext size or randomized unlimited use schemes. We instantiate this approach by constructing a simple RKAsecure pseurodandom generator
PrivacyPreserving Ridge Regression on Hundreds of Millions of Records
"... Abstract—Ridge regression is an algorithm that takes as input a large number of data points and finds the bestfit linear curve through these points. The algorithm is a building block for many machinelearning operations. We present a system for privacypreserving ridge regression. The system output ..."
Abstract

Cited by 17 (1 self)
 Add to MetaCart
(Show Context)
Abstract—Ridge regression is an algorithm that takes as input a large number of data points and finds the bestfit linear curve through these points. The algorithm is a building block for many machinelearning operations. We present a system for privacypreserving ridge regression. The system outputs the bestfit curve in the clear, but exposes no other information about the input data. Our approach combines both homomorphic encryption and Yao garbled circuits, where each is used in a different part of the algorithm to obtain the best performance. We implement the complete system and experiment with it on real datasets, and show that it significantly outperforms pure implementations based only on homomorphic encryption or Yao circuits. x1,y1 x x2,y2
On the Security of the “FreeXOR” Technique
"... Yao’s garbledcircuit approach enables constantround secure twoparty computation for any boolean circuit. In Yao’s original construction, each gate in the circuit requires the parties to perform a constant number of encryptions/decryptions, and to send/receive a constant number of ciphertexts. Kol ..."
Abstract

Cited by 16 (0 self)
 Add to MetaCart
Yao’s garbledcircuit approach enables constantround secure twoparty computation for any boolean circuit. In Yao’s original construction, each gate in the circuit requires the parties to perform a constant number of encryptions/decryptions, and to send/receive a constant number of ciphertexts. Kolesnikov and Schneider (ICALP 2008) proposed an improvement that allows XOR gates in the circuit to be evaluated “for free”, i.e., incurring no cryptographic operations and zero communication. Their “freeXOR ” technique has proven very popular, and has been shown to improve performance of garbledcircuit protocols by up to a factor of 4. Kolesnikov and Schneider proved security of their approach in the random oracle model, and claimed that (an unspecified variant of) correlation robustness would suffice; this claim has been repeated in subsequent work, and similar ideas have since been used (with the same claim about correlation robustness) in other contexts. We show that, in fact, the freeXOR technique cannot be proven secure based on correlation robustness alone: somewhat surprisingly, some form of circular security is also required. We propose an appropriate notion of security for hash functions capturing the necessary requirements, and prove security of the freeXOR approach when instantiated with any hash function satisfying our definition. Our results do not impact the security of the freeXOR technique in practice, or imply an error in the freeXOR work, but instead pin down the assumptions needed to prove security.