Results 1-10 of 25
Improved Garbled Circuit: Free XOR Gates and Applications
Cited by 109 (17 self)
Abstract. We present a new garbled circuit construction for two-party secure function evaluation (SFE). In our one-round protocol, XOR gates are evaluated “for free”, which results in the corresponding improvement over the best garbled circuit implementations (e.g. Fairplay [19]). We build permutation networks [26] and Universal Circuits (UC) [25] almost exclusively of XOR gates; this results in a factor of up to 4 improvement (in both computation and communication) of their SFE. We also improve integer addition and equality testing by factor of up to 2. We rely on the Random Oracle (RO) assumption. Our constructions are proven secure in the semi-honest model.
TASTY: Tool for Automating Secure Two-partY computations
 In ACM Conference on Computer and Communications Security (ACM CCS’10)
Cited by 88 (7 self)
Secure two-party computation allows two untrusting parties to jointly compute an arbitrary function on their respective private inputs while revealing no information beyond the outcome. Existing cryptographic compilers can automatically generate secure computation protocols from high-level specifications, but are often limited in their use and efficiency of generated protocols as they are based on either garbled circuits or (additively) homomorphic encryption only. In this paper we present TASTY, a novel tool for automating, i.e., describing, generating, executing, benchmarking, and comparing, efficient secure two-party computation protocols. TASTY is a new compiler that can generate protocols based on homomorphic encryption and efficient garbled circuits as well as combinations of both, which often yields the most efficient protocols available today. The user provides a high-level description of the computations to be performed on encrypted data in a domain-specific language. This is automatically transformed into a protocol. TASTY provides most recent techniques and optimizations for practical secure two-party computation with low online latency. Moreover, it allows to efficiently evaluate circuits generated by the well-known Fairplay compiler. We use TASTY to compare protocols for secure multiplication based on homomorphic encryption with those based on garbled circuits and highly efficient Karatsuba multiplication. Further, we show how TASTY improves the online latency for securely evaluating the AES functionality by an order of magnitude compared to previous software implementations. TASTY allows to automatically generate efficient secure protocols for many privacy-preserving applications where we consider the use cases for private set intersection and face recognition protocols.
Attribute-Based Access Control with Hidden Policies and Hidden Credentials
 IEEE Transactions on Computers
, 2006
Cited by 36 (0 self)
Abstract—In an open environment such as the Internet, the decision to collaborate with a stranger (e.g., by granting access to a resource) is often based on the characteristics (rather than the identity) of the requester, via digital credentials: Access is granted if Alice’s credentials satisfy Bob’s access policy. The literature contains many scenarios in which it is desirable to carry out such trust negotiations in a privacy-preserving manner, i.e., so as to minimize the disclosure of credentials and/or of access policies. Elegant solutions were proposed for achieving various degrees of privacy-preservation through minimal disclosure. In this paper, we present protocols that protect both sensitive credentials and sensitive policies. That is, Alice gets the resource only if she satisfies the policy, Bob does not learn anything about Alice’s credentials (not even whether Alice got access), and Alice learns neither Bob’s policy structure nor which credentials caused her to gain access. Our protocols are efficient in terms of communication and in rounds of interaction. Index Terms—Electronic commerce-security, management of computing and information systems, security and protection, authentication, access control, trust negotiation, hidden credentials, privacy.
T.: A Practical Universal Circuit Construction and Secure Evaluation of Private Functions
, 2008
Cited by 28 (9 self)
Abstract. We consider general secure function evaluation (SFE) of private functions (PF-SFE). Recall, privacy of functions is often most efficiently achieved by general SFE [18,19,10] of a Universal Circuit (UC). Our main contribution is a new simple and efficient UC construction. Our circuit UC_k, universal for circuits of k gates, has size ∼ 1.5k log² k and depth ∼ k log k. It is up to 50% smaller than the best UC (of Valiant [16], of size ∼ 19k log k) for circuits of size up to ≈ 5000 gates. Our improvement results in corresponding performance improvement of SFE of (small) private functions. Since, due to cost, only small circuits (i.e. < 5000 gates) are practical for PF-SFE, our construction appears to be the best fit for many practical PF-SFE. We implement PF-SFE based on our UC and Fairplay SFE system [11].
Parallel Solutions to Geometric Problems in the Scan Model of Computation
 IN PROCEEDINGS INTERNATIONAL CONFERENCE ON PARALLEL PROCESSING
, 1994
Cited by 24 (8 self)
This paper describes several parallel algorithms that solve geometric problems. The algorithms are based on a vector model of computation - the scan-model. The purpose of this paper is both to show how the model can be used and to formulate a set of practical algorithms. The scan-model is based on a small set of operations on vectors of atomic values. It differs from the PRAM models both in that it includes a set of scan primitives, also called parallel prefix computations, and in that it is a strictly data-parallel model. A very useful abstraction in the scan-model is the segment abstraction, the subdivision of a vector into a collection of independent smaller vectors. The segment abstraction permits a clean formulation of divide-and-conquer algorithms, and is used heavily in the algorithms described in this paper. Within the scan-model, using the operations and routines defined, the paper describes a k-D tree algorithm requiring O(lg n) calls to the primitives for n points, a closes...
Practical secure evaluation of semi-private functions
 IN APPLIED CRYPTOGRAPHY AND NETWORK SECURITY (ACNS’09), VOLUME 5536 OF LNCS
, 2009
Cited by 19 (10 self)
Two-party Secure Function Evaluation (SFE) is a very useful cryptographic tool which allows two parties to evaluate a function known to both parties on their private (secret) inputs. Some applications with sophisticated privacy needs require the function to be known only to one party and kept private (hidden) from the other one. However, existing solutions for SFE of private functions (PF-SFE) deploy Universal Circuits (UC) and are still very inefficient in practice. In this paper we bridge the gap between SFE and PF-SFE with SFE of what we call semi-private functions (SPF-SFE), i.e., one function out of a given class of functions is evaluated without revealing which one. We present a general framework for SPF-SFE allowing a fine-grained tradeoff and tuning between SFE and PF-SFE covering both extremes. In our framework, semi-private functions can be composed from several privately programmable blocks (PPB) which can be programmed with one function out of a class of functions. The framework allows efficient and secure embedding of constants into the resulting circuit to improve performance. To demonstrate practicability of the framework we have implemented a compiler for SPF-SFE based on the Fairplay SFE framework. SPF-SFE is sufficient for many practically relevant privacy-preserving applications, such as privacy-preserving credit checking which can be implemented using our framework and compiler as described in the paper.
Generalized universal circuits for secure evaluation of private functions with application to data classification
 In ICISC’08, volume 5461 of LNCS
, 2008
Cited by 16 (8 self)
Abstract. Secure Evaluation of Private Functions (PF-SFE) allows two parties to compute a private function which is known by one party only on private data of both. It is known that PF-SFE can be reduced to Secure Function Evaluation (SFE) of a Universal Circuit (UC). Previous UC constructions only simulated circuits with gates of d = 2 inputs while gates with d > 2 inputs were decomposed into many gates with 2 inputs which is inefficient for large d as the size of UC heavily depends on the number of gates. We present generalized UC constructions to efficiently simulate any circuit with gates of d ≥ 2 inputs having efficient circuit representation. Our constructions are non-trivial generalizations of previously known UC constructions. As application we show how to securely evaluate private functions such as neural networks (NN) which are increasingly used in commercial applications. Our provably secure PF-SFE protocol needs only one round in the semi-honest model (or even no online communication at all using non-interactive oblivious transfer) and evaluates a generalized UC that entirely hides the structure of the private NN. This enables applications like privacy-preserving data classification based on private NNs without trusted third party while simultaneously protecting user’s data and NN owner’s intellectual property.
Garbled circuits for leakage-resilience: Hardware implementation and evaluation of one-time programs
 CRYPTOLOGY EPRINT ARCHIVE, REPORT 2010/276
, 2010
Cited by 15 (8 self)
The power of side-channel leakage attacks on cryptographic implementations is evident. Today’s practical defenses are typically attack-specific countermeasures against certain classes of side-channel attacks. The demand for a more general solution has given rise to the recent theoretical research that aims to build provably leakage-resilient cryptography. This direction is, however, very new and still largely lacks practitioners’ evaluation with regard to both efficiency and practical security. A recent approach, One-Time Programs (OTPs), proposes using Yao’s Garbled Circuit (GC) and very simple tamper-proof hardware to securely implement oblivious transfer, to guarantee leakage resilience. Our main contributions are (i) a generic architecture for using GC/OTP modularly, and (ii) hardware implementation and efficiency analysis of GC/OTP evaluation. We implemented two FPGA-based prototypes: a system-on-a-programmable-chip with access to hardware crypto accelerator (suitable for smartcards and future smartphones), and a standalone hardware implementation (suitable for ASIC design). We chose AES as a representative complex function for implementation and measurements. As a result of this work, we are able to understand, evaluate and improve the practicality of employing GC/OTP as a leakage-resistance approach.
From Dust to Dawn: Practically Efficient Two-Party Secure Function Evaluation Protocols and their Modular Design
, 2010
Cited by 7 (1 self)
General two-party Secure Function Evaluation (SFE) allows mutually distrusting parties to (jointly) correctly compute any function on their private input data, without revealing the inputs. SFE, properly designed, guarantees to satisfy the most stringent security requirements, even for interactive computation. Two-party SFE can benefit almost any client-server interaction where privacy is required, such as privacy-preserving credit checking, medical classification, or face recognition. Today, SFE is subject of an immense amount of research in a variety of directions, and is not easy to navigate. In this paper, we systematize the most practically important work of the vast research knowledge on general SFE. It turns out that the most efficient SFE protocols today are obtained by combining several basic techniques, such as garbled circuits and homomorphic encryption. We limit our detailed discussion to efficient general techniques. In particular, we do not discuss the details of currently practically inefficient techniques, such as fully homomorphic encryption (although we elaborate on its practical relevance), nor do we cover specialized techniques applicable only to small classes of functions. As an important practical contribution, we present a framework in which today’s practically most