vladimir kolesnikov payman mohassel mike rosulek
play

. Vladimir Kolesnikov . . Payman Mohassel Mike Rosulek . - PowerPoint PPT Presentation

Feb 14, 2024 •356 likes •1.29k views

fle XOR : flexible garbling for XOR gates that beats free- XOR . Vladimir Kolesnikov . . Payman Mohassel Mike Rosulek . . background 1 . . . Enc A C B Enc A C B Enc A C B Enc A C B . background: garbled

  1. fle XOR : flexible garbling for XOR gates that beats free- XOR . � Vladimir Kolesnikov ≫ . . Payman Mohassel ≫ � Mike Rosulek ≫ ◮ . .

  2. background 1 . . .

  3. Enc A C B Enc A C B Enc A C B Enc A C B . background: garbled circuit . false: A 0 true: A 1 . . . false: C 0 true: C 1 false: B 0 true: B 1 . .

  4. background: garbled circuit . Enc A 0 , B 0 ( C 0 ) Enc A 0 , B 1 ( C 1 ) Enc A 1 , B 0 ( C 1 ) Enc A 1 , B 1 ( C 0 ) false: A 0 true: A 1 . . . . false: C 0 true: C 1 false: B 0 true: B 1 . .

  5. background: garbled circuit . Enc A 0 , B 0 ( C 0 ) Enc A 0 , B 1 ( C 1 ) Enc A 1 , B 0 ( C 1 ) Enc A 1 , B 1 ( C 0 ) false: A 0 true: A 1 . . . . false: C 0 true: C 1 false: B 0 true: B 1 . .

  6. background: row reduction . . .

  7. n C Dec A B . Fix one of the ciphertexts to be all zeroes n , not uniform Corresponding wire label must be Dec Only 3 ciphertexts needed for garbled gate More advanced technique reduces size to 2 ciphertexts background: row reduction Enc A 0 , B 0 ( C 0 ) Enc A 0 , B 1 ( C 0 ) Enc A 1 , B 0 ( C 0 ) Enc A 1 , B 1 ( C 1 ) false: A 0 . true: A 1 . . . . false: C 0 true: C 1 false: B 0 true: B 1 . Garbled row reduction [NaorPinkasSumner99,PinkasSchneiderSmartWilliams09] . . . .

  8. n C Dec A B . n , not uniform Corresponding wire label must be Dec Only 3 ciphertexts needed for garbled gate More advanced technique reduces size to 2 ciphertexts background: row reduction Enc A 0 , B 0 ( C 0 ) 0 n Enc A 0 , B 1 ( C 0 ) Enc A 1 , B 0 ( C 0 ) Enc A 1 , B 1 ( C 1 ) false: A 0 . true: A 1 . . . . false: C 0 true: C 1 false: B 0 true: B 1 . Garbled row reduction [NaorPinkasSumner99,PinkasSchneiderSmartWilliams09] . ◮ Fix one of the ciphertexts to be all zeroes . . .

  9. Only 3 ciphertexts needed for garbled gate More advanced technique reduces size to 2 ciphertexts background: row reduction Enc A 0 , B 0 ( C 0 ) 0 n C 0 := Dec A 0 , B 0 (0 n ) Enc A 0 , B 1 ( C 0 ) Enc A 1 , B 0 ( C 0 ) Enc A 1 , B 1 ( C 1 ) false: A 0 . true: A 1 . . . . . false: C 0 true: C 1 false: B 0 true: B 1 . Garbled row reduction [NaorPinkasSumner99,PinkasSchneiderSmartWilliams09] . ◮ Fix one of the ciphertexts to be all zeroes ◮ Corresponding wire label must be Dec (0 n ) , not uniform . . .

  10. background: row reduction Enc A 0 , B 1 ( C 0 ) C 0 := Dec A 0 , B 0 (0 n ) Enc A 1 , B 0 ( C 0 ) Enc A 1 , B 1 ( C 1 ) false: A 0 . true: A 1 . . . . . . false: C 0 true: C 1 false: B 0 true: B 1 . Garbled row reduction [NaorPinkasSumner99,PinkasSchneiderSmartWilliams09] . ◮ Fix one of the ciphertexts to be all zeroes ◮ Corresponding wire label must be Dec (0 n ) , not uniform ◮ Only 3 ciphertexts needed for garbled gate ◮ More advanced technique reduces size to 2 ciphertexts . . .

  11. background: offsets & free XOR . . .

  12. all wires have same (secret) offset wire labels for XOR gate satisfy C A B compute output wire label by XOR’ing input wire labels (no crypto!) . Free XOR optimization [KolesnikovSchneider08] : . . background: offsets & free XOR false: A 0 true: A 1 offset: A 0 ⊕ A 1 false: C 0 . . . . true: C 1 offset: C 0 ⊕ C 1 false: B 0 . true: B 1 offset: B 0 ⊕ B 1 . Definition . Offset of a wire = XOR of its two wire labels . . .

  13. all wires have same (secret) offset wire labels for XOR gate satisfy C A B compute output wire label by XOR’ing input wire labels (no crypto!) . Free XOR optimization [KolesnikovSchneider08] : . . background: offsets & free XOR false: A true: A ⊕ ∆ A offset: ∆ A false: C . . . . true: C ⊕ ∆ C offset: ∆ C false: B . true: B ⊕ ∆ B offset: ∆ B . Definition . Offset of a wire = XOR of its two wire labels . . .

  14. wire labels for XOR gate satisfy C A B compute output wire label by XOR’ing input wire labels (no crypto!) background: offsets & free XOR false: A true: A ⊕ ∆ offset: ∆ false: C . . . . true: C ⊕ ∆ offset: ∆ false: B . true: B ⊕ ∆ offset: ∆ . Definition . Offset of a wire = XOR of its two wire labels . . Free XOR optimization [KolesnikovSchneider08] : . ◮ all wires have same (secret) offset ∆ . . .

  15. compute output wire label by XOR’ing input wire labels (no crypto!) background: offsets & free XOR false: A true: A ⊕ ∆ offset: ∆ false: A ⊕ B . . . . true: A ⊕ B ⊕ ∆ offset: ∆ false: B . true: B ⊕ ∆ offset: ∆ . Definition . Offset of a wire = XOR of its two wire labels . . Free XOR optimization [KolesnikovSchneider08] : . ◮ all wires have same (secret) offset ∆ ◮ wire labels for XOR gate satisfy C = A ⊕ B . . .

  16. background: offsets & free XOR false: A true: A ⊕ ∆ offset: ∆ false: A ⊕ B . . . . true: A ⊕ B ⊕ ∆ offset: ∆ false: B . true: B ⊕ ∆ offset: ∆ . Definition . Offset of a wire = XOR of its two wire labels . . Free XOR optimization [KolesnikovSchneider08] : . ◮ all wires have same (secret) offset ∆ ◮ wire labels for XOR gate satisfy C = A ⊕ B ◮ compute output wire label by XOR’ing input wire labels (no crypto!) . . .

  17. Hint: yes! . Motivating Question . Can we overcome these limitations, while retaining Free XOR’s benefits (as much as possible)? . free XOR . Free XOR limitations: . . 1. Requires strong circularity hardness assumption [ChoiKatzKumaresanZhou12] 2. Incompatible with 4-to-2 row reduction [PinkasSchneiderSmartWilliams09] . . .

  18. Hint: yes! free XOR . Free XOR limitations: . . 1. Requires strong circularity hardness assumption [ChoiKatzKumaresanZhou12] 2. Incompatible with 4-to-2 row reduction [PinkasSchneiderSmartWilliams09] . . Motivating Question . Can we overcome these limitations, while retaining Free XOR’s benefits (as much as possible)? . . .

  19. free XOR . Free XOR limitations: . . 1. Requires strong circularity hardness assumption [ChoiKatzKumaresanZhou12] 2. Incompatible with 4-to-2 row reduction [PinkasSchneiderSmartWilliams09] . . Motivating Question . Can we overcome these limitations, while retaining Free XOR’s benefits (as much as possible)? Hint: yes! . . .

  20. fleXOR garbling 2 . . .

  21. : each “adjustment” requires 1 ciphertext Enc A A n A A A Dec A Enc A A A C . . . . . Enc B B n B Dec B Enc B B B C , then use free XOR apply row reduction if C , no need to “adjust” first wire at all! A garble XOR gate using 0, 1, or 2 ciphertexts depending on how many of are distinct A B C fleXOR garbling false: A true: A ⊕ ∆ A offset: ∆ A false: . . . . true: . false: B offset: ∆ C true: B ⊕ ∆ B offset: ∆ B . Flexible XOR (fleXOR) technique [this work] : . ◮ “adjust” offsets of both input wires to ∆ C . . .

  22. : each “adjustment” requires 1 ciphertext Enc A A n A A A Dec A Enc A A A C . . . . . Enc B B n B Dec B Enc B B B C , then use free XOR apply row reduction if C , no need to “adjust” first wire at all! A garble XOR gate using 0, 1, or 2 ciphertexts depending on how many of are distinct A B C fleXOR garbling false: A false: A ∗ A ∗ ⊕ ∆ C ?? true: A ⊕ ∆ A true: offset: ∆ A offset: ∆ C false: . . . . . . . . true: . false: B false: B ∗ offset: ∆ C B ∗ ⊕ ∆ C ?? true: B ⊕ ∆ B true: offset: ∆ B offset: ∆ C . Flexible XOR (fleXOR) technique [this work] : . ◮ “adjust” offsets of both input wires to ∆ C . . .

  23. : each “adjustment” requires 1 ciphertext Enc A A n A A Dec A A Enc A A A C . . . . . Enc B B n B Dec B Enc B B B C apply row reduction if C , no need to “adjust” first wire at all! A garble XOR gate using 0, 1, or 2 ciphertexts depending on how many of are distinct A B C fleXOR garbling false: A false: A ∗ A ∗ ⊕ ∆ C ?? true: A ⊕ ∆ A true: A ∗ ⊕ B ∗ offset: ∆ A offset: ∆ C false: . . . . . . . . A ∗ ⊕ B ∗ ⊕ ∆ C true: . false: B false: B ∗ offset: ∆ C B ∗ ⊕ ∆ C ?? true: B ⊕ ∆ B true: offset: ∆ B offset: ∆ C . Flexible XOR (fleXOR) technique [this work] : . ◮ “adjust” offsets of both input wires to ∆ C , then use free XOR . . .

  24. : each “adjustment” requires 1 ciphertext n A A Dec A A . . . . Enc B B n B Dec B Enc B B B C apply row reduction if C , no need to “adjust” first wire at all! A garble XOR gate using 0, 1, or 2 ciphertexts depending on how many of are distinct A B C fleXOR garbling Enc A ( A ∗ ) Enc A ⊕ ∆ A ( A ∗ ⊕ ∆ C ) false: A false: A ∗ A ∗ ⊕ ∆ C true: A ⊕ ∆ A true: A ∗ ⊕ B ∗ offset: ∆ A offset: ∆ C false: . . . . . . . A ∗ ⊕ B ∗ ⊕ ∆ C true: . false: B false: B ∗ offset: ∆ C B ∗ ⊕ ∆ C true: B ⊕ ∆ B true: offset: ∆ B offset: ∆ C . Flexible XOR (fleXOR) technique [this work] : . ◮ “adjust” offsets of both input wires to ∆ C , then use free XOR . . .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

. Collaborators: Arash Afshar / Zhangxiang Hu / Payman Mohassel .. .. .. .. .. .. .. . . .

. Collaborators: Arash Afshar / Zhangxiang Hu / Payman Mohassel .. .. .. .. .. .. .. . . .

Secure Computation with Sublinear Cost Mike Rosulek . Collaborators: Arash Afshar / Zhangxiang Hu / Payman Mohassel .. .. .. .. .. .. .. . . . . . . f x y f x y Examples: Run proprietary classifier x on private data y Evaluate

1.11k views • 98 slides
Practical Garbled Circuit Optimizations Mike Rosulek Collaborators: David Evans / Vlad Kolesnikov

Practical Garbled Circuit Optimizations Mike Rosulek Collaborators: David Evans / Vlad Kolesnikov

Practical Garbled Circuit Optimizations Mike Rosulek Collaborators: David Evans / Vlad Kolesnikov / Payman Mohassel / Samee Zahur Garbled circuit framework [Yao86] Garbled circuit framework [Yao86] 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1

2.19k views • 160 slides
Batched Non-interactive 2PC Payman Mohassel Mike Rosulek Visa Research OSU Secure Two-Party

Batched Non-interactive 2PC Payman Mohassel Mike Rosulek Visa Research OSU Secure Two-Party

Batched Non-interactive 2PC Payman Mohassel Mike Rosulek Visa Research OSU Secure Two-Party Computation 2 1 (, ) Secure Two-Party Computation 2 1 (, ) Non-Interactive Secure

2.32k views • 48 slides
Sublinear Zero-Knowledge Arguments for RAM Programs Payman Mike Alessandra Mohassel Scafuro

Sublinear Zero-Knowledge Arguments for RAM Programs Payman Mike Alessandra Mohassel Scafuro

Sublinear Zero-Knowledge Arguments for RAM Programs Payman Mike Alessandra Mohassel Scafuro Rosulek OSU NCState V I S Oregon State University A Problem C Data S Problem C Data S R 1 Problem C Data S R 1 y 1 Problem C

1.04k views • 99 slides
DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee

DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee

DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee Peter Rindal Threshold Cryto Has focused on public-key crypto Symmetric-key encryption got less attention Symmetric keys dont stay

338 views • 31 slides
Privacy-Preserving Payment Splitting Saba Eskandarian Mihai Christodorescu Payman Mohassel

Privacy-Preserving Payment Splitting Saba Eskandarian Mihai Christodorescu Payman Mohassel

Privacy-Preserving Payment Splitting Saba Eskandarian Mihai Christodorescu Payman Mohassel Stanford University Visa Research Facebook Payment Splitting Apps Splitwise, Receipt Ninja, Billpin, SpotMe, Conmigo, Settle Up, Convenient way to

685 views • 42 slides
Salus Seny Kamara - Microsoft Research Payman Mohassel U. of Calgary Ben Riva Tel Aviv U.

Salus Seny Kamara - Microsoft Research Payman Mohassel U. of Calgary Ben Riva Tel Aviv U.

Salus Seny Kamara - Microsoft Research Payman Mohassel U. of Calgary Ben Riva Tel Aviv U. Cooperation without Trust x f (x,y,z) y Alice Bob z Eve Cooperation without Trust Examples Data mining o Negotiations o Electronic

554 views • 27 slides
universal composability from essentially any trusted setup Mike Rosulek | | CRYPTO 2012 .

universal composability from essentially any trusted setup Mike Rosulek | | CRYPTO 2012 .

universal composability from essentially any trusted setup Mike Rosulek | | CRYPTO 2012 . Example: Set intersection A B ( function evaluation ) Generate a fair coin toss ( randomized ) Online poker without a dealer ( reactive ) secure

882 views • 48 slides
On the Structure of Unconditional UC Hybrid Protocols Mike Rosulek (Oregon State University) and

On the Structure of Unconditional UC Hybrid Protocols Mike Rosulek (Oregon State University) and

On the Structure of Unconditional UC Hybrid Protocols Mike Rosulek (Oregon State University) and Morgan Shirley (University of Toronto) Problem Statement & Summary of Results Our Parameters f(x, y) y x 2-Party functions A B

1.07k views • 77 slides
to securely compute f ? Mike Rosulek | | CRYPTO 2012 . B : B X is an algorithm for Y Black-box:

to securely compute f ? Mike Rosulek | | CRYPTO 2012 . B : B X is an algorithm for Y Black-box:

Q: Must you know the code of f to securely compute f ? Mike Rosulek | | CRYPTO 2012 . B : B X is an algorithm for Y Black-box: Non-black-box: Algorithm for Y depends on code of algorithm for X . Pervasive question since [ImpagliazzoRudich89] : .

742 views • 63 slides
PIR-PSI : SCALING PRIVATE CONTACT DISCOVERY PETS 2018 Peter Rindal Daniel Demmler Mike Rosulek

PIR-PSI : SCALING PRIVATE CONTACT DISCOVERY PETS 2018 Peter Rindal Daniel Demmler Mike Rosulek

PIR-PSI : SCALING PRIVATE CONTACT DISCOVERY PETS 2018 Peter Rindal Daniel Demmler Mike Rosulek Ni Trieu Motivation Application: Contact Discovery Contact discovery tells social network users which of their contacts are in the social

755 views • 38 slides
Hashing Garbled Circuits for Free Xiong Fan, Chaya Ganesh and Vladimir Kolesnikov Motivation

Hashing Garbled Circuits for Free Xiong Fan, Chaya Ganesh and Vladimir Kolesnikov Motivation

Hashing Garbled Circuits for Free Xiong Fan, Chaya Ganesh and Vladimir Kolesnikov Motivation Garbled circuits (GC) main technique for secure computation Motivation Garbled circuits (GC) main technique for secure computation Primitive in

2k views • 188 slides
Improved Private Set Intersection against Malicious Adversaries Peter Rindal Mike Rosulek

Improved Private Set Intersection against Malicious Adversaries Peter Rindal Mike Rosulek

Improved Private Set Intersection against Malicious Adversaries Peter Rindal Mike Rosulek Private Set Intersection (PSI) Private Set Intersection (PSI) Sender Receiver PSI

1.59k views • 99 slides
New Advances in Secure RAM Computation Sanjam Garg University of California, Berkeley Based on

New Advances in Secure RAM Computation Sanjam Garg University of California, Berkeley Based on

New Advances in Secure RAM Computation Sanjam Garg University of California, Berkeley Based on joint works with Steve Lu, Payman Mohassel, Charalampos Papamanthou, Rafail Ostrovsky and Alessandra Scafuro Yaos garbled circuits Server User

387 views • 20 slides
Restructuring the NSA Metadata Program Seny Kamara Microsoft Research Thanks to: Timothy Edgar,

Restructuring the NSA Metadata Program Seny Kamara Microsoft Research Thanks to: Timothy Edgar,

Restructuring the NSA Metadata Program Seny Kamara Microsoft Research Thanks to: Timothy Edgar, Matt Green, Noah Kunin, Payman Mohassel, Kurt Rohloff, Chris Soghoian and Marcy Wheeler June 5 th , 2013 1 st Snowden document published Verizon

554 views • 43 slides
Threshold Schnorr with Stateless Deterministic Signing Franois Garillot, Yash vanth Kondi,

Threshold Schnorr with Stateless Deterministic Signing Franois Garillot, Yash vanth Kondi,

Threshold Schnorr with Stateless Deterministic Signing Franois Garillot, Yash vanth Kondi, Payman Mohassel, Valeria Nikolaenko Northeastern University Facebook Novi/Facebook Novi/Facebook Schnorr: Practical Issues SchnorrSign( , m )

485 views • 21 slides
Cryptography for Software and Web Developers Part 4: randomness, hashing, tokens Hanno B ock

Cryptography for Software and Web Developers Part 4: randomness, hashing, tokens Hanno B ock

Random numbers Hashes Cryptography for Software and Web Developers Part 4: randomness, hashing, tokens Hanno B ock 2014-05-28 1 / 13 Bad random numbers Random numbers Random fails Hashes Example: Factoring RSA keys Good / bad

811 views • 13 slides
Collisions for simplified variants of SHA-256 Krystian Matusiewicz and Josef Pieprzyk

Collisions for simplified variants of SHA-256 Krystian Matusiewicz and Josef Pieprzyk

Collisions for simplified variants of SHA-256 Krystian Matusiewicz and Josef Pieprzyk kmatus@ics.mq.edu.au, josef@ics.mq.edu.au Centre For Advanced Computing, Algorithms and Cryptography, Department of Computing, Macquarie University

822 views • 48 slides
Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing Mathy

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing Mathy

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing Mathy Vanhoef, Domien Schepers, Frank Piessens imec-DistriNet, KU Leuven Asia CCS 2017 Introduction More and more Wi-Fi network use encryption: 2010 Most

531 views • 19 slides
HEP Applications with Globus Virtual Workspaces Ian Gable , A. Agarwal, A. Charbonneau, R.

HEP Applications with Globus Virtual Workspaces Ian Gable , A. Agarwal, A. Charbonneau, R.

HEP Applications with Globus Virtual Workspaces Ian Gable , A. Agarwal, A. Charbonneau, R. Desmarais, R. Enge, D. Grundy, A. Norton, D. Penfold-Brown, R. Seuster, R.J. Sobie, D. C. Vanderster National Research Council of Canada, Ottawa, Ontario,

244 views • 20 slides
Koen Lindstrm Claessen, Alejandro Russo, John Hughes WG2.8, Park City, Utah, Chalmers

Koen Lindstrm Claessen, Alejandro Russo, John Hughes WG2.8, Park City, Utah, Chalmers

Koen Lindstrm Claessen, Alejandro Russo, John Hughes WG2.8, Park City, Utah, Chalmers University of Technology June 2008 Dictionary Passwords on UNIX systems attacks, offline attacks, ... Universal Access /etc/passwd RootAccess

775 views • 38 slides
CptS 360 (System Programming) Unit 8: System Data Files Bob Lewis School of Engineering and

CptS 360 (System Programming) Unit 8: System Data Files Bob Lewis School of Engineering and

Unit 8: System Data Files CptS 360 (System Programming) Unit 8: System Data Files Bob Lewis School of Engineering and Applied Sciences Washington State University Spring, 2020 Bob Lewis WSU CptS 360 (Spring, 2020) Unit 8: System Data Files

604 views • 13 slides
User Accounts Even a single-user workstation (Desktop Computer) uses multiple accounts. Such a

User Accounts Even a single-user workstation (Desktop Computer) uses multiple accounts. Such a

User Accounts Even a single-user workstation (Desktop Computer) uses multiple accounts. Such a computer may have just one user account, but several system accounts help keep the computer running. Accounts enable multiple users to share a single

481 views • 11 slides
CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes

CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes

CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes Week 3 : Users, Permissions, Processes, and Pipes Module Leader: Dr Gordon Russell Lecturers: G. Russell, R.Ludwiniak Aliases: CSN11122 (Distance

644 views • 51 slides

More recommend