Rate-Limited Secure Function Evaluation. Public Key Cryptography (PKC), March 1st, 2013. Presented by Özgür Dagdelen.

Presentation transcript:

13 October 2010 | Dr. Marc Fischlin | Kryptosicherheit | 1
Slide 1: Rate-Limited Secure Function Evaluation
Public Key Cryptography (PKC), March 1st, 2013
Özgür Dagdelen*, Technische Universität Darmstadt, Germany
Payman Mohassel, University of Calgary, Canada
Daniele Venturi, Aarhus University, Denmark
(based on slides by Daniele)

March 1st, 2013 | Özgür Dagdelen | Rate-Limited Secure Function Evaluation | 2
Slide 2: Two-party SFE
- Any functionality can be computed securely [Yao82, Yao85, GMW89, ...]
- By now, several real-world deployments [Fairplay ('04), Sharemind ('08), DGKN09, ...]
- (figure) f = (f_A, f_B): party A holds input x_A and receives y_A = f_A(x_A, x_B); party B holds input x_B and receives y_B = f_B(x_A, x_B)

Slide 3: Special-purpose SFE

Slide 4: Oracle Attacks & Secure Metering
- A shared feature of the previous examples is that they are designed for multiple executions
- In OPE, n+1 distinct inputs interpolate p(.)!!
- Secure metering: service providers charge clients according to their level of usage
  - A location-based service based on the number of locations
  - A database owner based on the number of distinct search queries
  - An IDS provider based on the number of suspicious files sent for vulnerability analysis
- Can be applied to any secure implementation which realizes the black-box functionality
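The interpolation remark on this slide, worked through in code. The following Python is an added example, not code from the paper or the talk: it recovers a constructed degree-3 secret polynomial over a toy prime field from n+1 = 4 oracle answers, and contrasts a plain ideal OPE functionality with an ideal rate-limited one that caps the number of distinct inputs per client (repeated inputs stay free, as in the pattern-revealing notion). The class and function names, the prime Q and the polynomial SECRET are all assumptions of the example.

```python
"""Added example (not from the slides): the "n+1 distinct inputs interpolate p"
oracle attack on oblivious polynomial evaluation (OPE), and what an ideal
rate-limited functionality does about it. Everything is a constructed toy:
the coefficient field GF(Q) and the server's secret polynomial SECRET."""

Q = 1_000_003           # constructed prime; GF(Q) is the coefficient field
SECRET = [5, 17, 3, 9]  # constructed secret p(X) = 5 + 17X + 3X^2 + 9X^3


def eval_poly(coeffs, x):
    """Horner evaluation of p(x) over GF(Q); coeffs are lowest degree first."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def _poly_mul(a, b):
    """Product of two coefficient lists over GF(Q)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % Q
    return out


def interpolate(points):
    """Lagrange interpolation over GF(Q): the unique polynomial of degree
    < len(points) through the given distinct (x, y) pairs, lowest degree first."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = _poly_mul(basis, [(-xj) % Q, 1])   # multiply by (X - xj)
                denom = denom * (xi - xj) % Q
        scale = yi * pow(denom, -1, Q) % Q
        for k, c in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * c) % Q
    return coeffs


class IdealOPE:
    """Ideal functionality for plain OPE: answers p(x) for every query."""
    def __init__(self, coeffs):
        self._coeffs = coeffs

    def query(self, x):
        return eval_poly(self._coeffs, x)


class IdealRateLimitedOPE(IdealOPE):
    """Ideal functionality for rate-limited OPE (pattern-revealing flavour):
    at most `limit` distinct inputs per client. Repeats of an input that was
    already used are always answered, since they reveal nothing new about p."""
    def __init__(self, coeffs, limit):
        super().__init__(coeffs)
        self.limit = limit
        self.seen = set()

    def query(self, x):
        if x not in self.seen:
            if len(self.seen) >= self.limit:
                raise PermissionError("rate limit reached for a new input")
            self.seen.add(x)
        return super().query(x)


def recover_polynomial(oracle, degree):
    """Oracle attack: degree+1 distinct queries fully determine p. Returns the
    recovered coefficients, or None if the functionality refused a query."""
    try:
        points = [(x, oracle.query(x)) for x in range(1, degree + 2)]
    except PermissionError:
        return None
    return interpolate(points)


def repeat_is_free(limit):
    """After `limit` distinct inputs, a repeated input is still answered."""
    oracle = IdealRateLimitedOPE(SECRET, limit)
    for x in range(1, limit + 1):
        oracle.query(x)
    try:
        return oracle.query(1) == eval_poly(SECRET, 1)
    except PermissionError:
        return False
```

The cap has to be strictly below n+1 to matter: with limit 4 against a degree-3 polynomial the attack still goes through, with limit 3 it is stopped, and in both cases a client re-asking for a value it already holds costs nothing, which is exactly the distinction between distinct-input metering and a plain query counter.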

Slide 5: (figure) f = (f_A, f_B) with inputs x_A and x_B
- Communication errors or device upgrades
- Prove the validity of the outcome to a third party

Slide 6: Outline
- Definitions
- Compilers: Rate-Hiding, Rate-Revealing, Pattern-Revealing; Stateful and Stateless
- Instantiation: OPE

Slide 7: Definitions

Slide 8: Rate-Limited Secure Function Evaluation (RL-SFE) (figure: real world vs. ideal world)

Slide 9: Commit-first SFE
- Any SFE where the parties are committed to their inputs
- In an ideal implementation, one must be able to extract the input and the randomness of the commitment
- We build compilers transforming any cf-SFE into an RL-SFE
- Intuition: exhibit some argument to convince the other party that the current commitment hides an already used value
- (figure) f = (f_A, f_B): A sends C(x_A; r_A), B sends C(x_B; r_B)

Slide 10: Instantiations of cf-SFE
- General compilers
  - GMW compiler: semi-honest SFE → malicious SFE; input-committing, coin-generation and protocol-emulation phases
  - Yao's garbled circuits: general-purpose 2-party SFE; one-sided commit-first (w.r.t. the "evaluator") if the OT is commit-first
  - Jarecki-Shmatikov: variant of Yao with UC security in the CRS model; with a slight modification: replacing Camenisch-Shoup encryption with e.g. Paillier
- Specific protocols
  - Private Set Intersection [HN10]
  - Oblivious Automata Evaluation [GHS10]
  - Oblivious Polynomial Evaluation [HL08]

Slide 11: Compilers

Slide 12: (no transcribed text)

Slide 13: Description of the simulator (figure: cf_1, cf_2, ZK)

Slide 14: Proof Sketch
- In the first experiment, the simulator updates the state on the basis of the verification of the ZK proofs
  - Indistinguishability follows from the soundness of the ZK proof
- In the second experiment, the real input of the honest party is used for the simulation
  - Indistinguishability follows from the hiding property of the commitment scheme
- In the third experiment, we replace the simulated ZK proof with an actual ZK proof
  - Indistinguishability follows from the zero-knowledge property of the proof
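The intuition from slide 9 (convince the other party that the current commitment hides an already used value) and the three ingredients the proof sketch relies on (commitment hiding, ZK soundness, zero knowledge) in one toy pattern-revealing compiler. This is an added example, not code from the paper or the talk: Pedersen commitments over a constructed toy group (p = 2039, q = 1019, far too small for real use and chosen only to keep the numbers readable), a Fiat-Shamir Schnorr proof that two commitments hide the same value, and server-side state that charges only fresh inputs against the quota. All names (RateLimitedParty, prove_same_value, admit_repeat, ...) are the example's own, and the commit-first SFE that would then run on the admitted commitment is omitted.

```python
"""Added example (not from the paper): a toy pattern-revealing rate limiter
built from Pedersen commitments. The client commits to its input x for each
execution; to reuse an input it proves in zero knowledge that the new
commitment hides the same value as an earlier one (a Schnorr proof that
C_new / C_old is a power of h), so repeats are not charged against the quota.
Group parameters are a constructed toy: p = 2039 = 2*1019 + 1."""
import hashlib
import secrets

P, Q = 2039, 1019   # constructed toy safe prime and the order of its QR subgroup
G = 4               # 2^2, a generator of the order-Q subgroup


def _hash_to_group(tag):
    """Derive a second base h whose discrete log w.r.t. G nobody knows
    (needed so a prover cannot fake an equality proof)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(tag + ctr.to_bytes(4, "big")).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)  # squaring lands in the subgroup
        if h not in (0, 1):
            return h
        ctr += 1


H = _hash_to_group(b"rl-sfe-toy-h")


def commit(x, r=None):
    """Pedersen commitment C = g^x h^r mod p; returns (C, r)."""
    r = secrets.randbelow(Q) if r is None else r % Q
    return pow(G, x, P) * pow(H, r, P) % P, r


def _challenge(*vals):
    """Fiat-Shamir challenge in [1, Q-1] (never 0, so g^c != 1 always)."""
    data = b"|".join(str(v).encode() for v in vals)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def prove_same_value(c_old, r_old, c_new, r_new):
    """Schnorr proof of knowledge of s with c_new / c_old = h^s. An honest
    prover uses s = r_new - r_old, which works iff both commitments hide the
    same x; the proof reveals nothing about x or the randomness."""
    s = (r_new - r_old) % Q
    k = secrets.randbelow(Q)
    t = pow(H, k, P)
    c = _challenge(c_old, c_new, t)
    return t, (k + c * s) % Q


def verify_same_value(c_old, c_new, proof):
    """Accepts iff h^z == t * (c_new / c_old)^c, i.e. the quotient is a power of h."""
    t, z = proof
    d = c_new * pow(c_old, -1, P) % P
    c = _challenge(c_old, c_new, t)
    return pow(H, z, P) == t * pow(d, c, P) % P


class RateLimitedParty:
    """Server-side state of the pattern-revealing compiler: every commitment
    accepted so far, and how many of them carried a fresh input."""
    def __init__(self, limit):
        self.limit = limit
        self.accepted = []   # commitments of earlier executions, by index
        self.fresh_used = 0

    def admit_fresh(self, c_new):
        """A new distinct input consumes quota; refused once the quota is spent."""
        if self.fresh_used >= self.limit:
            return False
        self.fresh_used += 1
        self.accepted.append(c_new)
        return True

    def admit_repeat(self, c_new, idx, proof):
        """A repeated input: the client names an earlier execution (this is what
        'pattern-revealing' means) and proves c_new hides that execution's value."""
        if not 0 <= idx < len(self.accepted):
            return False
        if not verify_same_value(self.accepted[idx], c_new, proof):
            return False
        self.accepted.append(c_new)   # accepted without consuming quota
        return True


def demo():
    """Two fresh inputs, one honest repeat, one dishonest 'repeat' of a
    different value, then one fresh input beyond the quota."""
    server = RateLimitedParty(limit=2)
    c1, r1 = commit(7)
    c2, r2 = commit(42)
    outcomes = [server.admit_fresh(c1), server.admit_fresh(c2)]
    c3, r3 = commit(7)    # same input as execution 0, fresh randomness
    outcomes.append(server.admit_repeat(c3, 0, prove_same_value(c1, r1, c3, r3)))
    c4, r4 = commit(8)    # claims to equal execution 0 (x = 7) but hides 8
    outcomes.append(server.admit_repeat(c4, 0, prove_same_value(c1, r1, c4, r4)))
    c5, _ = commit(99)
    outcomes.append(server.admit_fresh(c5))
    return outcomes       # [True, True, True, False, False]
```

The three proof-sketch ingredients show up directly: soundness of the Schnorr proof is what rejects the fourth attempt (c4/c1 contains a factor g^1, so no exponent of h explains it), hiding of the Pedersen commitment is why the server learns nothing about the inputs 7 and 42 beyond the reuse pattern, and zero knowledge is why the equality proof leaks neither x nor the randomness. The index passed to admit_repeat is the information a rate-hiding or rate-revealing compiler would additionally have to conceal; this toy deliberately implements only the pattern-revealing notion.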

Slide 15: More Compilers

Slide 16: Making the compilers stateless

Slide 17: Applications

Slide 18: Hazay-Lindell OPE (figure: pk + "valid key" ...)

Slide 19: Conclusion

Slide 20: Conclusion
- Rate-Limited Secure Function Evaluation
  - Secure metering
  - Oracle attacks
- Auxiliary notion: commit-first SFE
  - Existing generic compilers and specific protocols
- Compilers for
  - Rate-Hiding RL-SFE
  - Rate-Revealing RL-SFE
  - Pattern-Revealing RL-SFE
  - (figure annotation) STATELESS (constant)
- Instantiation
  - OPE [HL08]

Slide 21: Thank you! Questions? eprint.iacr.org/2013/021

Slide 22: Possible extensions
- Concurrent executions + UC security
- Efficient compiler from any SFE, not necessarily commit-first
- Avoid ZK proofs (using simpler machinery)