Results 1  10
of
32
Fully homomorphic encryption using ideal lattices
 In Proc. STOC
, 2009
"... We propose a fully homomorphic encryption scheme – i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result – that, to construct an encryption scheme that permits evaluation of arbitra ..."
Abstract

Cited by 522 (15 self)
 Add to MetaCart
(Show Context)
We propose a fully homomorphic encryption scheme – i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result – that, to construct an encryption scheme that permits evaluation of arbitrary circuits, it suffices to construct an encryption scheme that can evaluate (slightly augmented versions of) its own decryption circuit; we call a scheme that can evaluate its (augmented) decryption circuit bootstrappable. Next, we describe a public key encryption scheme using ideal lattices that is almost bootstrappable. Latticebased cryptosystems typically have decryption algorithms with low circuit complexity, often dominated by an inner product computation that is in NC1. Also, ideal lattices provide both additive and multiplicative homomorphisms (modulo a publickey ideal in a polynomial ring that is represented as a lattice), as needed to evaluate general circuits. Unfortunately, our initial scheme is not quite bootstrappable – i.e., the depth that the scheme can correctly evaluate can be logarithmic in the lattice dimension, just like the depth of the decryption circuit, but the latter is greater than the former. In the final step, we show how to modify the scheme to reduce the depth of the decryption circuit, and thereby obtain a bootstrappable encryption scheme, without reducing the depth that the scheme can evaluate. Abstractly, we accomplish this by enabling the encrypter to start the decryption process, leaving less work for the decrypter, much like the server leaves less work for the decrypter in a serveraided cryptosystem.
A Verifiable Secret Shuffle of Homomorphic Encryptions
, 2003
"... We show how to prove in honest verifier zeroknowledge the correctness of a shuffle of homomorphic encryptions (or homomorphic commitments.) A shuffle consists in a rearrangement of the input ciphertexts and a reencryption of them so that the permutation is not revealed. Our scheme ..."
Abstract

Cited by 76 (7 self)
 Add to MetaCart
We show how to prove in honest verifier zeroknowledge the correctness of a shuffle of homomorphic encryptions (or homomorphic commitments.) A shuffle consists in a rearrangement of the input ciphertexts and a reencryption of them so that the permutation is not revealed. Our scheme
Secure outsourcing of dna searching via finite automata
, 2010
"... Abstract. This work treats the problem of errorresilient DNA searching via oblivious evaluation of finite automata, where a client has a DNA sequence, and a service provider has a pattern that corresponds to a genetic test. Errorresilient searching is achieved by representing the pattern as a fini ..."
Abstract

Cited by 24 (5 self)
 Add to MetaCart
(Show Context)
Abstract. This work treats the problem of errorresilient DNA searching via oblivious evaluation of finite automata, where a client has a DNA sequence, and a service provider has a pattern that corresponds to a genetic test. Errorresilient searching is achieved by representing the pattern as a finite automaton and evaluating it on the DNA sequence (which is treated as the input), where privacy of both the pattern and the DNA sequence must be preserved. Interactive solutions to this problem already exist, but can be a burden on the participating parties. Thus, in this work we propose techniques for secure outsourcing of oblivious evaluation of finite automata to computational servers, such that the servers do not learn any information. Our techniques are applicable to any type of finite automata, but the optimizations are tailored to the setting of DNA searching. 1
Trust negotiation with hidden credentials, hidden policies, and policy cycles
 In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS
, 2006
"... In an open environment such as the Internet, the decision to collaborate with a stranger (e.g., by granting access to a resource) is often based on the characteristics (rather than the identity) of the requester, via digital credentials: Access is granted if Alice’s credentials satisfy Bob’s access ..."
Abstract

Cited by 18 (4 self)
 Add to MetaCart
(Show Context)
In an open environment such as the Internet, the decision to collaborate with a stranger (e.g., by granting access to a resource) is often based on the characteristics (rather than the identity) of the requester, via digital credentials: Access is granted if Alice’s credentials satisfy Bob’s access policy. The literature contains many examples where protecting the credentials and the access control policies is useful, and there are numerous protocols that achieve this. In many of these schemes, the server does not learn whether the client obtained access (e.g., to a message, or a service via an eticket). A consequence of this property is that the client can use all of her credentials without fear of “probing ” attacks by the server, because the server cannot glean information about which credentials the client has (when this property is lacking, the literature uses a framework where the very use of a credential is subject to a policy specific to that credential). The main result of this paper is a protocol for negotiating trust between Alice and Bob without revealing either credentials or policies, when each credential has its own access policy associated with it (e.g., “a topsecret clearance credential can only be used when the other party is a government employee and has a topsecret clearance”). Our protocol carries out this privacypreserving trust negotiation between Alice and Bob, while enforcing each credential’s policy (thereby protecting sensitive credentials). Note that there can be a deep nesting of dependencies between credential policies, and that there can be (possibly overlapping) policy cycles of these dependencies. Our result is not achieved through the routine use of standard techniques to implement, in this framework, one of the known strategies for trust negotiations (such as the “eager strategy”). Rather, this paper uses novel techniques to implement a nonstandard trust negotiation strategy specifically suited to this framework (and in fact unusable outside of this framework, as will become clear). Our work is therefore ∗ Portions of this work were supported by Grants IIS0325345, IIS
Efficient Maximal Privacy in Boardroom Voting and Anonymous Broadcast
, 2004
"... Most voting schemes rely on a number of authorities. If too many of these authorities are dishonest then voter privacy may be violated. To give stronger guarantees of voter privacy Kiayias and Yung \cite{KY} introduced the concept of elections with perfect ballot secrecy. In this type of election sc ..."
Abstract

Cited by 15 (0 self)
 Add to MetaCart
(Show Context)
Most voting schemes rely on a number of authorities. If too many of these authorities are dishonest then voter privacy may be violated. To give stronger guarantees of voter privacy Kiayias and Yung \cite{KY} introduced the concept of elections with perfect ballot secrecy. In this type of election scheme it is guaranteed that the only thing revealed about voters' choices is the result of the election, no matter how many parties are corrupt. Our first contribution is to suggest a simple voting scheme with perfect ballot secrecy that is more efficient than \cite{KY}. Considering the question of achieving maximal privacy in other protocols, we look at anonymous broadcast. We suggest the notion of perfect message secrecy; meaning that nothing is revealed about who sent which message, no matter how many parties are corrupt. Our second contribution is an anonymous broadcast channel with perfect message secrecy built on top of a broadcast channel.
A LatticeBased ComputationallyEfficient Private Information Retrieval Protocol
"... Abstract. A PIR scheme is a scheme that allows an user to get an element of a database without giving any information about what part of the database he is interested in. In this paper we present a latticebased PIR scheme, using an NTRUlike approach, in which the computational cost is a few thousa ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
(Show Context)
Abstract. A PIR scheme is a scheme that allows an user to get an element of a database without giving any information about what part of the database he is interested in. In this paper we present a latticebased PIR scheme, using an NTRUlike approach, in which the computational cost is a few thousand bitoperations per bit in the database. This improves the protocol computational performance by two orders of magnitude when compared to existing approaches. Our scheme has worse communication performance than other existing protocols, but we show that practical usability of PIR schemes is not as dependent on communication performance as the literature suggests, and that a tradeoff between communication and computation leads to much more versatile schemes. 1
Practical Cryptography in High Dimensional Tori
 In Advances in Cryptology (EUROCRYPT 2005), Springer LNCS 3494
, 2004
"... At Crypto 2004, van Dijk and Woodruff introduced a new way of using the algebraic tori Tn in cryptography, and obtained an asymptotically optimal n/φ(n) savings in bandwidth and storage for a number of cryptographic applications. However, the computational requirements of compression and dec ..."
Abstract

Cited by 10 (5 self)
 Add to MetaCart
(Show Context)
At Crypto 2004, van Dijk and Woodruff introduced a new way of using the algebraic tori Tn in cryptography, and obtained an asymptotically optimal n/&phi;(n) savings in bandwidth and storage for a number of cryptographic applications. However, the computational requirements of compression and decompression in their scheme were impractical, and it was left open to reduce them to a practical level. We give a new method that compresses orders of magnitude faster than the original, while also speeding up the decompression and improving on the compression factor (by a constant term). Further, we give the first efficient implementation that uses T30 , compare its performance to XTR, CEILIDH, and ECC, and present new applications. Our methods achieve better compression than XTR and CEILIDH for the compression of as few as two group elements. This allows us to apply our results to ElGamal encryption with a small message domain to obtain ciphertexts that are 10% smaller than in previous schemes.
First CPIR Protocol with DataDependent Computation
"... Abstract We design a new (n, 1)CPIR protocol BddCpir for ℓbit strings as a combination of a noncryptographic (BDDbased) data structure and a more basic cryptographic primitive (communicationefficient (2, 1)CPIR). BddCpir is the first CPIR protocol where server’s online computation depends subst ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
(Show Context)
Abstract We design a new (n, 1)CPIR protocol BddCpir for ℓbit strings as a combination of a noncryptographic (BDDbased) data structure and a more basic cryptographic primitive (communicationefficient (2, 1)CPIR). BddCpir is the first CPIR protocol where server’s online computation depends substantially on the concrete database. We then show that (a) for reasonably small values of ℓ, BddCpir is guaranteed to have simultaneously logsquared communication and sublinear online computation, and (b) BddCpir can handle huge but sparse matrices, common in datamining applications, significantly more efficiently compared to all previous protocols. The security of BddCpir can be based on the wellknown Decisional Composite Residuosity assumption.
SingleDatabase Private Information Retrieval Protocols: Overview, Usability and Trends
"... A Private Information Retrieval (PIR) scheme is a protocol in which a user retrieves a record out of N from a replicated database, while hiding from the database which record has been retrieved, as long as the different replicas do not collude. A specially interesting subfield of research, called ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
A Private Information Retrieval (PIR) scheme is a protocol in which a user retrieves a record out of N from a replicated database, while hiding from the database which record has been retrieved, as long as the different replicas do not collude. A specially interesting subfield of research, called singledatabase PIR, deals with the schemes that allow a user to retrieve privately an element of a nonreplicated database. In these schemes, user privacy is related to the intractability of a mathematical problem, instead of based on the assumption that different replicas exist and do not collude against their users. Singledatabase and replicateddatabase PIR schemes have generated an enormous amount of research in the privacy protection field during the last two decades. However, many scientists believe, specially for singledatabase PIR schemes, that these are theoretical tools unusable in almost any situation. It is true that these schemes usually require the database to use an enormous amount of computational power, but considering the huge amount of applications these protocols have, it is important to evaluate precisely their usability. We present in this article an overview of the current singledatabase PIR schemes through the innovations they have brought to this field of research. This gives a unified view of the evolution since the first of these schemes was presented by Kushilevitz and Ostrovsky in 1997 and up to the latest trends in singledatabase PIR research such as trusted hardware usage, and noisebased schemes. Then, we compare the most representative of these schemes with a single set of communication and computational performance measures. We highlight that practical usability of PIR schemes is not as dependent on communication performance as the literature suggests, and that a tradeoff between communication and computation leads to much more versatile schemes.