Fairplay — a secure two-party computation system
In USENIX Security Symposium, 2004
Abstract

Cited by 229 (6 self)
Advances in modern cryptography coupled with rapid growth in processing and communication speeds make secure two-party computation a realistic paradigm. Yet, thus far, interest in this paradigm has remained mostly theoretical. This paper introduces Fairplay [28], a full-fledged system that implements generic secure function evaluation (SFE). Fairplay comprises a high-level procedural definition language called SFDL tailored to the SFE paradigm; a compiler of SFDL into a one-pass Boolean circuit presented in a language called SHDL; and Bob/Alice programs that evaluate the SHDL circuit in the manner suggested by Yao in [39]. This system enables us to present the first evaluation of an overall SFE in real settings, as well as examining its components and identifying potential bottlenecks. It provides a testbed of ideas and enhancements concerning SFE, whether by replacing parts of it, or by integrating with it. We exemplify its utility by examining several alternative implementations of oblivious transfer within the system, and reporting on their effect on overall performance.
Secure multiparty computation of approximations, 2001
Abstract

Cited by 108 (25 self)
Approximation algorithms can sometimes provide efficient solutions when no efficient exact computation is known. In particular, approximations are often useful in a distributed setting where the inputs are held by different parties and may be extremely large. Furthermore, for some applications, the parties want to compute a function of their inputs securely, without revealing more information than necessary. In this work we study the question of simultaneously addressing the above efficiency and security concerns via what we call secure approximations. We start by extending standard definitions of secure (exact) computation to the setting of secure approximations. Our definitions guarantee that no additional information is revealed by the approximation beyond what follows from the output of the function being approximated. We then study the complexity of specific secure approximation problems. In particular, we obtain a sublinear-communication protocol for securely approximating the Hamming distance and a polynomial-time protocol for securely approximating the permanent and related #P-hard problems.
Privacy-Preserving Multivariate Statistical Analysis: Linear Regression and Classification
In Proceedings of the 4th SIAM International Conference on Data Mining, 2004
Abstract

Cited by 89 (1 self)
analysis technique that has found applications in various areas. In this paper, we study some multivariate statistical analysis methods in the Secure 2-party Computation (S2C) framework, illustrated by the following scenario: two parties, each having a secret data set, want to conduct statistical analysis on their joint data, but neither party is willing to disclose its private data to the other party or to any third party. Current statistical analysis techniques cannot be used directly to support this kind of computation because they require all parties to send the necessary data to a central place. In this paper, we define two Secure 2-party multivariate statistical analysis problems: the Secure 2-party Multivariate Linear Regression problem and the Secure 2-party Multivariate Classification problem. We have developed a practical security model, based on which we have developed a number of building blocks for solving these two problems.
Secure Computation of the k-th Ranked Element
In Advances in Cryptology - Proc. of Eurocrypt ’04, 2004
Abstract

Cited by 60 (7 self)
Given two or more parties possessing large, confidential datasets, we consider the problem of securely computing the k-th ranked element of the union of the datasets, e.g. the median of the values in the datasets. We investigate protocols with sublinear computation and communication costs. In the two-party case, we show that the k-th ranked element can be computed in log k rounds, where the computation and communication costs of each round are O(log M), where log M is the number of bits needed to describe each element of the input data.
A Practical Approach to Solve Secure Multi-Party Computation Problems
In New Security Paradigms Workshop, 2002
Abstract

Cited by 43 (1 self)
Secure Multiparty Computation (SMC) problems deal with the following situation: two (or many) parties want to jointly perform a computation. Each party needs to contribute its private input to this computation, but no party should disclose its private inputs to the other parties, or to any third party. With the proliferation of the Internet, SMC problems become more and more important. So far no practical solution has emerged, largely because SMC studies have been focusing on zero information disclosure, an ideal security model that is expensive to achieve. Aiming at developing practical solutions to SMC problems, we propose a new paradigm, in which we use an acceptable security model that allows partial information disclosure. Our conjecture is that by lowering the restriction on the security, we can achieve much better performance. The paradigm is motivated by the observation that in practice people do accept a less secure but much more efficient solution, because disclosing information about their private data to a certain degree is a risk that many people would rather take if the performance gain is significant. Moreover, in our paradigm the security is adjustable, so that users can adjust the level of security based on their own definition of acceptable security. We have developed a number of techniques under this new paradigm, and are currently conducting extensive studies based on it.
Secure computation of the k-th ranked element
In Advances in Cryptology - Proc. of Eurocrypt ’04, 2004
Abstract

Cited by 26 (2 self)
Given two or more parties possessing large, confidential datasets, we consider the problem of securely computing the k-th ranked element of the union of the datasets, e.g. the median of the values in the datasets. We investigate protocols with sublinear computation and communication costs. In the two-party case, we show that the k-th ranked element can be computed in log k rounds, where the computation and communication costs of each round are O(log M), where log M is the number of bits needed to describe each element of the input data. The protocol can be made secure against a malicious adversary, and can hide the sizes of the original datasets. In the multi-party setting, we show that the k-th ranked element can be computed in log M rounds, with O(s log M) overhead per round, where s is the number of parties. The multi-party protocol can be used in the two-party case and can also be made secure against a malicious adversary.
Privacy-Preserving Remote Diagnostics, 2007
Abstract

Cited by 26 (4 self)
We present an efficient protocol for privacy-preserving evaluation of diagnostic programs, represented as binary decision trees or branching programs. The protocol applies a branching diagnostic program with classification labels in the leaves to the user’s attribute vector. The user learns only the label assigned by the program to his vector; the diagnostic program itself remains secret. The program’s owner does not learn anything. Our construction is significantly more efficient than those obtained by direct application of generic secure multiparty computation techniques. We use our protocol to implement a privacy-preserving version of the Clarify system for software fault diagnosis, and demonstrate that its performance is acceptable for many practical scenarios.
Batch Codes and Their Applications, 2004
Abstract

Cited by 24 (6 self)
A batch code encodes a string x into an m-tuple of strings, called buckets, such that each batch of k bits from x can be decoded by reading at most one (more generally, t) bits from each bucket. Batch codes can be viewed as relaxing several combinatorial objects, including expanders and locally decodable codes.
A Vision of the Next Generation Internet: A Policy Oriented View
British Computer Society Conference on Visions of Computer Science, Sep 2008, http://www.cse.wustl.edu/~jain/papers/pona.htm
Abstract

Cited by 22 (13 self)
The next generation Internet needs to support multiple diverse application contexts. In this paper, we present Internet 3.0, a diversified, multi-tier architecture for the next generation Internet. Unlike the current Internet, Internet 3.0 defines a new set of primitives that allows diverse applications to compose and optimize their specific contexts over resources belonging to multiple ownerships. The key design philosophy is to enable diversity through explicit representation, negotiation and enforcement of policies at the granularity of network infrastructure, compute resources, data and users. The basis of the Internet 3.0 architecture is a generalized three-tier object model. The bottom tier consists of a high-speed network infrastructure. The second tier consists of compute resources or hosts. The third tier consists of data and users. The “tiered” organization of the entities in the object model depicts the natural dependency relationship between these entities in a communication context. All communication contexts, including the current Internet, may be represented as special cases within this generalized three-tier object model. The key contribution of this paper is a formal architectural representation of the Internet 3.0 architecture over the key primitive of the “Object Abstraction” and a detailed discussion of the various design aspects of the architecture, including the design of the “Context Router”, the key architectural element that powers an evolutionary deployment plan for the clean slate design ideas of
Trust negotiation with hidden credentials, hidden policies, and policy cycles
In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS), 2006
Abstract

Cited by 18 (4 self)
In an open environment such as the Internet, the decision to collaborate with a stranger (e.g., by granting access to a resource) is often based on the characteristics (rather than the identity) of the requester, via digital credentials: access is granted if Alice’s credentials satisfy Bob’s access policy. The literature contains many examples where protecting the credentials and the access control policies is useful, and there are numerous protocols that achieve this. In many of these schemes, the server does not learn whether the client obtained access (e.g., to a message, or a service via an e-ticket). A consequence of this property is that the client can use all of her credentials without fear of “probing” attacks by the server, because the server cannot glean information about which credentials the client has (when this property is lacking, the literature uses a framework where the very use of a credential is subject to a policy specific to that credential). The main result of this paper is a protocol for negotiating trust between Alice and Bob without revealing either credentials or policies, when each credential has its own access policy associated with it (e.g., “a top-secret clearance credential can only be used when the other party is a government employee and has a top-secret clearance”). Our protocol carries out this privacy-preserving trust negotiation between Alice and Bob, while enforcing each credential’s policy (thereby protecting sensitive credentials). Note that there can be a deep nesting of dependencies between credential policies, and that there can be (possibly overlapping) policy cycles of these dependencies. Our result is not achieved through the routine use of standard techniques to implement, in this framework, one of the known strategies for trust negotiations (such as the “eager strategy”). Rather, this paper uses novel techniques to implement a non-standard trust negotiation strategy specifically suited to this framework (and in fact unusable outside of this framework, as will become clear). Our work is therefore