Results 1  10
of
21
Privacy Preserving Data Mining
 JOURNAL OF CRYPTOLOGY
, 2000
"... In this paper we address the issue of privacy preserving data mining. Specifically, we consider a scenario in which two parties owning confidential databases wish to run a data mining algorithm on the union of their databases, without revealing any unnecessary information. Our work is motivated b ..."
Abstract

Cited by 372 (8 self)
 Add to MetaCart
In this paper we address the issue of privacy preserving data mining. Specifically, we consider a scenario in which two parties owning confidential databases wish to run a data mining algorithm on the union of their databases, without revealing any unnecessary information. Our work is motivated by the need to both protect privileged information and enable its use for research or other purposes. The
Priced Oblivious Transfer: How to Sell Digital Goods
 In Birgit Pfitzmann, editor, Advances in Cryptology — EUROCRYPT 2001, volume 2045 of Lecture Notes in Computer Science
, 2001
"... Abstract. We consider the question of protecting the privacy of customers buying digital goods. More specifically, our goal is to allow a buyer to purchase digital goods from a vendor without letting the vendor learn what, and to the extent possible also when and how much, it is buying. We propose s ..."
Abstract

Cited by 95 (5 self)
 Add to MetaCart
Abstract. We consider the question of protecting the privacy of customers buying digital goods. More specifically, our goal is to allow a buyer to purchase digital goods from a vendor without letting the vendor learn what, and to the extent possible also when and how much, it is buying. We propose solutions which allow the buyer, after making an initial deposit, to engage in an unlimited number of priced oblivioustransfer protocols, satisfying the following requirements: As long as the buyer’s balance contains sufficient funds, it will successfully retrieve the selected item and its balance will be debited by the item’s price. However, the buyer should be unable to retrieve an item whose cost exceeds its remaining balance. The vendor should learn nothing except what must inevitably be learned, namely, the amount of interaction and the initial deposit amount (which imply upper bounds on the quantity and total price of all information obtained by the buyer). In particular, the vendor should be unable to learn what the buyer’s current balance is or when it actually runs out of its funds. The technical tools we develop, in the process of solving this problem, seem to be of independent interest. In particular, we present the first oneround (twopass) protocol for oblivious transfer that does not rely on the random oracle model (a very similar protocol was independently proposed by Naor and Pinkas [21]). This protocol is a special case of a more general “conditional disclosure ” methodology, which extends a previous approach from [11] and adapts it to the 2party setting. 1
Cryptographic Techniques for PrivacyPreserving Data Mining
 SIGKDD Explorations
, 2002
"... Research in secure distributed computation, which was done as part of a larger body of research in the theory of cryptography, has achieved remarkable results. It was shown that nontrusting parties can jointly compute functions of their different inputs while ensuring that no party learns anything ..."
Abstract

Cited by 63 (0 self)
 Add to MetaCart
Research in secure distributed computation, which was done as part of a larger body of research in the theory of cryptography, has achieved remarkable results. It was shown that nontrusting parties can jointly compute functions of their different inputs while ensuring that no party learns anything but the defined output of the function. These results were shown using generic constructions that can be applied to any function that has an ecient representation as a circuit. We describe these results, discuss their efficiency, and demonstrate their relevance to privacy preserving computation of data mining algorithms. We also show examples of secure computation of data mining algorithms that use these generic constructions.
Extending Oblivious Transfers Efficiently
, 2003
"... We consider the problem of extending oblivious transfers: Given a small number of oblivious transfers \for free," can one implement a large number of oblivious transfers? Beaver has shown how to extend oblivious transfers given a oneway function. However, this protocol is inecient in practice, ..."
Abstract

Cited by 57 (1 self)
 Add to MetaCart
We consider the problem of extending oblivious transfers: Given a small number of oblivious transfers \for free," can one implement a large number of oblivious transfers? Beaver has shown how to extend oblivious transfers given a oneway function. However, this protocol is inecient in practice, in part due to its nonblackbox use of the underlying oneway function.
Communication Preserving Protocols for Secure Function Evaluation
 In Proc. of 33rd STOC
, 2001
"... A secure function evaluation protocol allows two parties to jointly compute a function f(x; y) of their inputs in a manner not leaking more information than necessary. A major result in this field is: "any function f that can be computed using polynomial resources can be computed securely using pol ..."
Abstract

Cited by 56 (5 self)
 Add to MetaCart
A secure function evaluation protocol allows two parties to jointly compute a function f(x; y) of their inputs in a manner not leaking more information than necessary. A major result in this field is: "any function f that can be computed using polynomial resources can be computed securely using polynomial resources" (where `resources' refers to communication and computation). This result follows by a general transformation from any circuit for f to a secure protocol that evaluates f . Although the resources used by protocols resulting from this transformation are polynomial in the circuit size, they are much higher (in general) than those required for an insecure computation of f . We propose a new methodology for designing secure protocols, utilizing the communication complexity tree (or branching program) representation of f . We start with an efficient (insecure) protocol for f and transform it into a secure protocol. In other words, "any function f that can be computed using communication complexity c can be can be computed securely using communication complexity that is polynomial in c and a security parameter". We show several simple applications of this new methodology resulting in protocols efficient either in communication or in computation. In particular, we exemplify a protocol for the "millionaires problem ", where two participants want to compare their values but reveal no other information. Our protocol is more efficient than previously known ones in either communication or computation. 1.
Selective private function evaluation with applications to private statistics
 In Proceedings of Twentieth ACM Symposium on Principles of Distributed Computing (PODC
, 2001
"... Motivated by the application of private statistical analysis of large databases, we consider the problem of selective private function evaluation (SPFE). In this problem, a client interacts with one or more servers holding copies of a database z = zt,...,z, in order to compute f(z~t,...,z~,,,) , fo ..."
Abstract

Cited by 44 (9 self)
 Add to MetaCart
Motivated by the application of private statistical analysis of large databases, we consider the problem of selective private function evaluation (SPFE). In this problem, a client interacts with one or more servers holding copies of a database z = zt,...,z, in order to compute f(z~t,...,z~,,,) , for some function f and indices i = it,...,i, ~ chosen by the client. Ideally, the client must learn nothing more about the database than f(zit,..., zi,,~), and the servers should learn nothing. Generic solutions for this problem, based on standard techniques for secure function evaluation, incur communication complexity that is at least linear in n, making them prohibitive for large databases even when f is relatively simple and m is small. We present various approaches for constructing sublinearcommunication $PFE protocols, both for the general problem and for special cases of interest. Our solutions not only offer sublinear communication complexity, but are also practical in many scenarios. 1.
Zaps and Their Applications
 In 41st FOCS
, 2000
"... A zap is a tworound, witnessindistinguishable protocol in which the first round, consisting of a message from the verifier to the prover, can be fixed "onceandforall" and applied to any instance, and where the verifier does not use any private coins. We present a zap for every language in NP, ..."
Abstract

Cited by 40 (8 self)
 Add to MetaCart
A zap is a tworound, witnessindistinguishable protocol in which the first round, consisting of a message from the verifier to the prover, can be fixed "onceandforall" and applied to any instance, and where the verifier does not use any private coins. We present a zap for every language in NP, based on the existence of noninteractive zeroknowledge proofs in the shared random string model. The zap is in the standard model, and hence requires no common guaranteed random string.
Single Database Private Information Retrieval with Logarithmic Communication
, 2004
"... In this paper, we study the problem of single database private information retrieval, and present schemes with only logarithmic serverside communication complexity. Previously the best result could only achieve polylogarithmic communication, and was based on certain less wellstudied assumptions ..."
Abstract

Cited by 37 (0 self)
 Add to MetaCart
In this paper, we study the problem of single database private information retrieval, and present schemes with only logarithmic serverside communication complexity. Previously the best result could only achieve polylogarithmic communication, and was based on certain less wellstudied assumptions in number theory [CMS99]. On the contrary, our construction is based on Paillier's cryptosystem [P99], which along with its variants have drawn extensive studies in recent cryptographic researches [PP99, G00, CGGN01, DJ01, CGG02, CNS02, ST02, GMMV03, KT03], and have many important applications (e.g., the CramerShoup CCA2 encryption scheme in the standard model [CS02]).
Oblivious Keyword Search
, 2002
"... In this paper, we introduce a notion of Oblivious Keyword Search (OKS). Let W be the set of possible keywords. In the commit phase, a database supplier T commits n data. In each transfer subphase, a user U can choose a keyword w 2 W adaptively and nd Search(w) without revealing w to T , where Searc ..."
Abstract

Cited by 33 (3 self)
 Add to MetaCart
In this paper, we introduce a notion of Oblivious Keyword Search (OKS). Let W be the set of possible keywords. In the commit phase, a database supplier T commits n data. In each transfer subphase, a user U can choose a keyword w 2 W adaptively and nd Search(w) without revealing w to T , where Search(w) is the set of all data which includes w as a keyword.