What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.

Presentation transcript:


Systemic Risk from Local Information

M.C.Escher, Belvedere

Who Puts Together the Big Picture?

The government?

An independent trustworthy party?

The data owners (financial institutions) themselves?

Who Puts Together the Big Picture? Cryptography tells us: For any efficiently computable function F, there is an “efficient” interactive algorithm that n data owners, $P_1(x_1), \ldots, P_n(x_n)$, can run together such that:
1. They learn $F(x_1, x_2, \ldots, x_n)$
2. Other than that, $P_i$ learns nothing about $x_j$, $j \neq i$
[Yao, GMW, BGW, …]

Example: Set Intersection
[Figure: Alice’s set and Bob’s set, with the intersection {5, 12}]

How to compute the intersection w/o learning the rest of each other’s sets? [FMP04,…,BCCKLS09,…,KMRS14]

Step 1: Alice’s set becomes a polynomial
Alice’s set: $p(x) = (x-12)(x-18)(x-5)(x-6)(x-31) \bmod q = x^5 + c_4 x^4 + c_3 x^3 + c_2 x^2 + c_1 x + c_0$
Alice’s polynomial p(x): $c_4, c_3, c_2, c_1, c_0$

Step 2: Alice encrypts her polynomial…
Alice’s polynomial p(x): $c_4, c_3, c_2, c_1, c_0$
Alice’s encrypted polynomial p(x): $E(c_4), E(c_3), E(c_2), E(c_1), E(c_0)$
…using an “additive” encryption scheme: $E(x) * E(y) = E(x+y)$ [Paillier’99]
…for which she holds the decryption key

Step 3: Alice sends the encrypted polynomial to Bob
Alice’s encrypted polynomial p(x): $E(c_4), E(c_3), E(c_2), E(c_1), E(c_0)$

Step 4: Bob evaluates the encrypted polynomial on his set
Alice’s encrypted polynomial p(x): $E(c_4), E(c_3), E(c_2), E(c_1), E(c_0)$
Bob’s set: 42, 5, 24, 12, 3
$p(42) = 42^5 + c_4 42^4 + c_3 42^3 + c_2 42^2 + c_1 42 + c_0 \bmod q$
$E(p(42)) = E(42^5) * E(c_4)^{42^4} * E(c_3)^{42^3} * E(c_2)^{42^2} * E(c_1)^{42} * E(c_0)$
p(x) evaluated on Bob’s set: $E(p(42)), E(p(5)), E(p(24)), E(p(12)), E(p(3))$
which is: $E(p(42)), E(0), E(p(24)), E(0), E(p(3))$
Note: p(y) = 0 iff y is in Alice’s set

Step 5: Bob randomizes the result
$E(p(42))^{R_1}, E(0)^{R_2}, E(p(24))^{R_3}, E(0)^{R_4}, E(p(3))^{R_5}$
which is: $E(u_1), E(0), E(u_3), E(0), E(u_5)$

Step 6: Bob sends the result to Alice
$E(u_1), E(0), E(u_3), E(0), E(u_5)$

Step 7: Alice decrypts it... and sends the locations of 0’s to Bob
Alice receives: $E(u_1), E(0), E(u_3), E(0), E(u_5)$
Alice decrypts: $u_1, 0, u_3, 0, u_5$
Bob learns: ?, 0, ?, 0, ?

Step 8: Bob derives the intersection and sends it to Alice
Bob holds: ?, 0, ?, 0, ?
Intersection: 5, 12
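
Steps 1 to 8 above, run end to end as an added example (not code from the slides). Assumptions: a toy Paillier key built from two small known primes, plaintext arithmetic modulo the Paillier modulus N in place of a separate q, honest-but-curious parties, and hypothetical function names (`enc`, `dec`, `alice_encrypt_poly`, `bob_evaluate`, `alice_zero_positions`, `psi`).

```python
import math, secrets

# Toy Paillier key from two Mersenne primes (demo sizes only, far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # Alice's decryption key
MU = pow(LAM, -1, N)                               # valid for generator g = N + 1

def rand_unit():  # random element of Z_N^*: encryption randomness and Bob's R_i
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r

def enc(m):
    """E(m) = (1+N)^m * r^N mod N^2, so E(x) * E(y) = E(x+y)."""
    return (1 + (m % N) * N) * pow(rand_unit(), N, N2) % N2

def dec(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def alice_encrypt_poly(alice_set):
    """Steps 1-3: expand prod (x - a), return E(c_0)..E(c_{n-1}) (leading 1 omitted)."""
    coeffs = [1]  # lowest degree first
    for a in alice_set:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - a * c) % N
            nxt[i + 1] = (nxt[i + 1] + c) % N
        coeffs = nxt
    return [enc(c) for c in coeffs[:-1]]

def bob_evaluate(enc_coeffs, bob_set):
    """Steps 4-6: for each y compute E(R * p(y)) from ciphertexts alone."""
    out = []
    for y in bob_set:
        acc = enc(pow(y, len(enc_coeffs), N))  # E(y^n), the leading term
        for i, ec in enumerate(enc_coeffs):
            acc = acc * pow(ec, pow(y, i, N), N2) % N2  # times E(c_i)^(y^i)
        out.append(pow(acc, rand_unit(), N2))  # randomize: E(p(y))^R
    return out

def alice_zero_positions(results):
    """Step 7: decrypt and report only the positions that hold 0."""
    return [i for i, c in enumerate(results) if dec(c) == 0]

def psi(alice_set, bob_set):
    zeros = alice_zero_positions(bob_evaluate(alice_encrypt_poly(alice_set), bob_set))
    return [bob_set[i] for i in zeros]  # Step 8: Bob maps positions to his elements
```

Calling `psi([12, 18, 5, 6, 31], [42, 5, 24, 12, 3])` with the sets from the slides returns `[5, 12]`; for every other position Alice decrypts only a randomized nonzero value.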

A More General Solution for Two Parties: Yao’s Encrypted Circuit
[Figure labels: Alice’s logical circuit C; Bob’s input x; encrypted circuit; oblivious transfer of keys]

A More General Solution for N Parties: Secure Multi-Party Computation
Split the computation into logical steps (ANDs, ORs, NOTs) or algebraic steps (ADD, MULT).
Securely evaluate step by step [GMW, BGW, …]

Conclusion
Tell me how you could detect systemic risk given complete information… …and I will tell you how to do it via a privacy-preserving protocol!