Results 1 - 9 of 9
Collaborative Filtering with Privacy
, 2002
Cited by 166 (9 self)
Server-based collaborative filtering systems have been very successful in e-commerce and in direct recommendation applications. In future, they have many potential applications in ubiquitous computing settings. But today's schemes have problems such as loss of privacy, favoring retail monopolies, and with hampering diffusion of innovations. We propose an alternative model in which users control all of their log data. We describe an algorithm whereby a community of users can compute a public "aggregate" of their data that does not expose individual users' data. The aggregate allows personalized recommendations to be computed by members of the community, or by outsiders. The numerical algorithm is fast, robust and accurate. Our method reduces the collaborative filtering task to an iterative calculation of the aggregate requiring only addition of vectors of user data. Then we use homomorphic encryption to allow sums of encrypted vectors to be computed and decrypted without exposing individual data. We give verification schemes for all parties in the computation. Our system can be implemented with untrusted servers, or with additional infrastructure, as a fully peer-to-peer (P2P) system.
General Secure Multi-Party Computation from any Linear Secret-Sharing Scheme
, 2000
Cited by 162 (23 self)
Abstract. We show that verifiable secret sharing (VSS) and secure multi-party computation (MPC) among a set of n players can efficiently be based on any linear secret sharing scheme (LSSS) for the players, provided that the access structure of the LSSS allows MPC or VSS at all. Because an LSSS neither guarantees reconstructability when some shares are false, nor verifiability of a shared value, nor allows for the multiplication of shared values, an LSSS is an apparently much weaker primitive than VSS or MPC. Our approach to secure MPC is generic and applies to both the information-theoretic and the cryptographic setting. The construction is based on 1) a formalization of the special multiplicative property of an LSSS that is needed to perform a multiplication on shared values, 2) an efficient generic construction to obtain from any LSSS a multiplicative LSSS for the same access structure, and 3) an efficient generic construction to build verifiability into every LSSS (always assuming that the adversary structure allows for MPC or VSS at all). The protocols are efficient. In contrast to all previous information-theoretically secure protocols, the field size is not restricted (e.g., to be greater than n). Moreover, we exhibit adversary structures for which our protocols are polynomial in n while all previous approaches to MPC for non-threshold adversaries provably have superpolynomial complexity.
Simplified VSS and Fast-track Multiparty Computations with Applications to Threshold Cryptography
, 1998
Cited by 118 (6 self)
The goal of this paper is to introduce a simple verifiable secret sharing scheme, to improve the efficiency of known secure multiparty protocols and, by employing these techniques, to improve the efficiency of applications which use these protocols. First we present a very simple Verifiable Secret Sharing protocol which is based on fast cryptographic primitives and avoids altogether the need for expensive zero-knowledge proofs. This is followed by a highly simplified protocol to compute multiplications over shared secrets. This is a major component in secure multiparty computation protocols and accounts for much of the complexity of proposed solutions. Using our protocol as a plug-in unit in known protocols reduces their complexity. We show how to achieve efficient multiparty computations in the computational model, through the application of homomorphic commitments. Finally, we present fast-track multiparty computation protocols. In a model in which malicious faults are rare we s...
Span Programs and General Secure Multi-Party Computation
 DFF
, 1997
Cited by 7 (4 self)
The contributions of this paper are threefold. First, as an abstraction of previously proposed cryptographic protocols we propose two cryptographic primitives: homomorphic shared commitments and linear secret sharing schemes with an additional multiplication property. We describe new constructions for general secure multi-party computation protocols, both in the cryptographic and the information-theoretic (or secure channels) setting, based on any realizations of these primitives. Second, span
Some techniques for privacy in ubicomp and context-aware applications
 In Workshop on Socially-informed Design of Privacy-enhancing Solutions in Ubiquitous Computing
, 2002
Cited by 6 (1 self)
Abstract. The emergence of ubiquitous computing opens up radical new possibilities for acquiring and sharing information. But the privacy risks from widespread use of location or environmental sensing are unacceptable to many users. This paper describes a new methodology that provides much finer control over information exchange: only the information needed for the collaboration is shared, everything else is protected, and protection is provably strong. This allows us to explore collaborative applications in ubicomp settings that are exciting but which would be difficult or impossible without the techniques we propose. Specifically, we are developing a ubiquitous information-sharing service. This service provides recommendations for places, events, and many other items and services, using recommendations from a community of users. The recommendations are both explicit from user ratings, and implicit by using log data to infer a user’s presence or use of a service. The service is intended for location-enabled devices like cell phones and PDAs with GPS.
How to Prove That a Committed Number is Prime
, 2000
The problem of proving a number is of an arithmetic format of which some elements are prime, is raised in RSA undeniable signature, group signature and many other cryptographic protocols. So far, there have been several studies in literature on this topic. However, except the scheme of Camenisch and Michels, other works are only limited to some special forms of arithmetic format with prime elements. In Camenisch and Michels's scheme, the main building block is a protocol to prove a committed number to be prime. In this paper, we propose a new protocol to prove a committed number to be prime. Our protocol is O(t) times more efficient than Camenisch and Michels's protocol, where t is the security parameter. This results in O(t) time improvement for the overall scheme.
Verifiable Rotation of Homomorphic Encryptions
Abstract. Similar to verifiable shuffling (or, mixing), we consider the problem of verifiable rotating (and random re-encrypting) a given list of homomorphic encryptions. The offset by which the list is rotated (cyclic shift) should remain hidden. Basically, we will present zero-knowledge proofs of knowledge for the existence of a rotation offset and re-encryption exponents, which define how the input list is transformed into the output list. We also briefly address various applications of verifiable rotators, ranging from ‘fragile mixing’ as introduced by Reiter and Wang at CCS’04 to applications in protocols for secure multiparty computation and voting. We present two new, efficient protocols. Our first protocol is quite elegant and involves the use of the Discrete Fourier Transform (and also the FFT algorithm), and works under some reasonable conditions. We believe that this is the first time that Fourier Transforms are used to construct an efficient zero-knowledge proof of knowledge. Our second protocol is more general (requiring no further conditions) and only slightly less efficient than the DFT-based protocol. Unlike the previously best protocol by Reiter and Wang, however, which relies on extensive use of verifiable shuffling as a building block (invoking it four times as a subprotocol), our construction is direct and its performance is about equal to the performance of a single run of the best protocol for verifiable shuffling.