vladimir kolesnikov payman mohassel mike rosulek
play

. Vladimir Kolesnikov . . Payman Mohassel Mike Rosulek . - PowerPoint PPT Presentation

Feb 14, 2024 •356 likes •1.29k views

fle XOR : flexible garbling for XOR gates that beats free- XOR . Vladimir Kolesnikov . . Payman Mohassel Mike Rosulek . . background 1 . . . Enc A C B Enc A C B Enc A C B Enc A C B . background: garbled

  1. fle XOR : flexible garbling for XOR gates that beats free- XOR . � Vladimir Kolesnikov ≫ . . Payman Mohassel ≫ � Mike Rosulek ≫ ◮ . .

  2. background 1 . . .

  3. Enc A C B Enc A C B Enc A C B Enc A C B . background: garbled circuit . false: A 0 true: A 1 . . . false: C 0 true: C 1 false: B 0 true: B 1 . .

  4. background: garbled circuit . Enc A 0 , B 0 ( C 0 ) Enc A 0 , B 1 ( C 1 ) Enc A 1 , B 0 ( C 1 ) Enc A 1 , B 1 ( C 0 ) false: A 0 true: A 1 . . . . false: C 0 true: C 1 false: B 0 true: B 1 . .

  5. background: garbled circuit . Enc A 0 , B 0 ( C 0 ) Enc A 0 , B 1 ( C 1 ) Enc A 1 , B 0 ( C 1 ) Enc A 1 , B 1 ( C 0 ) false: A 0 true: A 1 . . . . false: C 0 true: C 1 false: B 0 true: B 1 . .

  6. background: row reduction . . .

  7. n C Dec A B . Fix one of the ciphertexts to be all zeroes n , not uniform Corresponding wire label must be Dec Only 3 ciphertexts needed for garbled gate More advanced technique reduces size to 2 ciphertexts background: row reduction Enc A 0 , B 0 ( C 0 ) Enc A 0 , B 1 ( C 0 ) Enc A 1 , B 0 ( C 0 ) Enc A 1 , B 1 ( C 1 ) false: A 0 . true: A 1 . . . . false: C 0 true: C 1 false: B 0 true: B 1 . Garbled row reduction [NaorPinkasSumner99,PinkasSchneiderSmartWilliams09] . . . .

  8. n C Dec A B . n , not uniform Corresponding wire label must be Dec Only 3 ciphertexts needed for garbled gate More advanced technique reduces size to 2 ciphertexts background: row reduction Enc A 0 , B 0 ( C 0 ) 0 n Enc A 0 , B 1 ( C 0 ) Enc A 1 , B 0 ( C 0 ) Enc A 1 , B 1 ( C 1 ) false: A 0 . true: A 1 . . . . false: C 0 true: C 1 false: B 0 true: B 1 . Garbled row reduction [NaorPinkasSumner99,PinkasSchneiderSmartWilliams09] . ◮ Fix one of the ciphertexts to be all zeroes . . .

  9. Only 3 ciphertexts needed for garbled gate More advanced technique reduces size to 2 ciphertexts background: row reduction Enc A 0 , B 0 ( C 0 ) 0 n C 0 := Dec A 0 , B 0 (0 n ) Enc A 0 , B 1 ( C 0 ) Enc A 1 , B 0 ( C 0 ) Enc A 1 , B 1 ( C 1 ) false: A 0 . true: A 1 . . . . . false: C 0 true: C 1 false: B 0 true: B 1 . Garbled row reduction [NaorPinkasSumner99,PinkasSchneiderSmartWilliams09] . ◮ Fix one of the ciphertexts to be all zeroes ◮ Corresponding wire label must be Dec (0 n ) , not uniform . . .

  10. background: row reduction Enc A 0 , B 1 ( C 0 ) C 0 := Dec A 0 , B 0 (0 n ) Enc A 1 , B 0 ( C 0 ) Enc A 1 , B 1 ( C 1 ) false: A 0 . true: A 1 . . . . . . false: C 0 true: C 1 false: B 0 true: B 1 . Garbled row reduction [NaorPinkasSumner99,PinkasSchneiderSmartWilliams09] . ◮ Fix one of the ciphertexts to be all zeroes ◮ Corresponding wire label must be Dec (0 n ) , not uniform ◮ Only 3 ciphertexts needed for garbled gate ◮ More advanced technique reduces size to 2 ciphertexts . . .

  11. background: offsets & free XOR . . .

  12. all wires have same (secret) offset wire labels for XOR gate satisfy C A B compute output wire label by XOR’ing input wire labels (no crypto!) . Free XOR optimization [KolesnikovSchneider08] : . . background: offsets & free XOR false: A 0 true: A 1 offset: A 0 ⊕ A 1 false: C 0 . . . . true: C 1 offset: C 0 ⊕ C 1 false: B 0 . true: B 1 offset: B 0 ⊕ B 1 . Definition . Offset of a wire = XOR of its two wire labels . . .

  13. all wires have same (secret) offset wire labels for XOR gate satisfy C A B compute output wire label by XOR’ing input wire labels (no crypto!) . Free XOR optimization [KolesnikovSchneider08] : . . background: offsets & free XOR false: A true: A ⊕ ∆ A offset: ∆ A false: C . . . . true: C ⊕ ∆ C offset: ∆ C false: B . true: B ⊕ ∆ B offset: ∆ B . Definition . Offset of a wire = XOR of its two wire labels . . .

  14. wire labels for XOR gate satisfy C A B compute output wire label by XOR’ing input wire labels (no crypto!) background: offsets & free XOR false: A true: A ⊕ ∆ offset: ∆ false: C . . . . true: C ⊕ ∆ offset: ∆ false: B . true: B ⊕ ∆ offset: ∆ . Definition . Offset of a wire = XOR of its two wire labels . . Free XOR optimization [KolesnikovSchneider08] : . ◮ all wires have same (secret) offset ∆ . . .

  15. compute output wire label by XOR’ing input wire labels (no crypto!) background: offsets & free XOR false: A true: A ⊕ ∆ offset: ∆ false: A ⊕ B . . . . true: A ⊕ B ⊕ ∆ offset: ∆ false: B . true: B ⊕ ∆ offset: ∆ . Definition . Offset of a wire = XOR of its two wire labels . . Free XOR optimization [KolesnikovSchneider08] : . ◮ all wires have same (secret) offset ∆ ◮ wire labels for XOR gate satisfy C = A ⊕ B . . .

  16. background: offsets & free XOR false: A true: A ⊕ ∆ offset: ∆ false: A ⊕ B . . . . true: A ⊕ B ⊕ ∆ offset: ∆ false: B . true: B ⊕ ∆ offset: ∆ . Definition . Offset of a wire = XOR of its two wire labels . . Free XOR optimization [KolesnikovSchneider08] : . ◮ all wires have same (secret) offset ∆ ◮ wire labels for XOR gate satisfy C = A ⊕ B ◮ compute output wire label by XOR’ing input wire labels (no crypto!) . . .

  17. Hint: yes! . Motivating Question . Can we overcome these limitations, while retaining Free XOR’s benefits (as much as possible)? . free XOR . Free XOR limitations: . . 1. Requires strong circularity hardness assumption [ChoiKatzKumaresanZhou12] 2. Incompatible with 4-to-2 row reduction [PinkasSchneiderSmartWilliams09] . . .

  18. Hint: yes! free XOR . Free XOR limitations: . . 1. Requires strong circularity hardness assumption [ChoiKatzKumaresanZhou12] 2. Incompatible with 4-to-2 row reduction [PinkasSchneiderSmartWilliams09] . . Motivating Question . Can we overcome these limitations, while retaining Free XOR’s benefits (as much as possible)? . . .

  19. free XOR . Free XOR limitations: . . 1. Requires strong circularity hardness assumption [ChoiKatzKumaresanZhou12] 2. Incompatible with 4-to-2 row reduction [PinkasSchneiderSmartWilliams09] . . Motivating Question . Can we overcome these limitations, while retaining Free XOR’s benefits (as much as possible)? Hint: yes! . . .

  20. fleXOR garbling 2 . . .

  21. : each “adjustment” requires 1 ciphertext Enc A A n A A A Dec A Enc A A A C . . . . . Enc B B n B Dec B Enc B B B C , then use free XOR apply row reduction if C , no need to “adjust” first wire at all! A garble XOR gate using 0, 1, or 2 ciphertexts depending on how many of are distinct A B C fleXOR garbling false: A true: A ⊕ ∆ A offset: ∆ A false: . . . . true: . false: B offset: ∆ C true: B ⊕ ∆ B offset: ∆ B . Flexible XOR (fleXOR) technique [this work] : . ◮ “adjust” offsets of both input wires to ∆ C . . .

  22. : each “adjustment” requires 1 ciphertext Enc A A n A A A Dec A Enc A A A C . . . . . Enc B B n B Dec B Enc B B B C , then use free XOR apply row reduction if C , no need to “adjust” first wire at all! A garble XOR gate using 0, 1, or 2 ciphertexts depending on how many of are distinct A B C fleXOR garbling false: A false: A ∗ A ∗ ⊕ ∆ C ?? true: A ⊕ ∆ A true: offset: ∆ A offset: ∆ C false: . . . . . . . . true: . false: B false: B ∗ offset: ∆ C B ∗ ⊕ ∆ C ?? true: B ⊕ ∆ B true: offset: ∆ B offset: ∆ C . Flexible XOR (fleXOR) technique [this work] : . ◮ “adjust” offsets of both input wires to ∆ C . . .

  23. : each “adjustment” requires 1 ciphertext Enc A A n A A Dec A A Enc A A A C . . . . . Enc B B n B Dec B Enc B B B C apply row reduction if C , no need to “adjust” first wire at all! A garble XOR gate using 0, 1, or 2 ciphertexts depending on how many of are distinct A B C fleXOR garbling false: A false: A ∗ A ∗ ⊕ ∆ C ?? true: A ⊕ ∆ A true: A ∗ ⊕ B ∗ offset: ∆ A offset: ∆ C false: . . . . . . . . A ∗ ⊕ B ∗ ⊕ ∆ C true: . false: B false: B ∗ offset: ∆ C B ∗ ⊕ ∆ C ?? true: B ⊕ ∆ B true: offset: ∆ B offset: ∆ C . Flexible XOR (fleXOR) technique [this work] : . ◮ “adjust” offsets of both input wires to ∆ C , then use free XOR . . .

  24. : each “adjustment” requires 1 ciphertext n A A Dec A A . . . . Enc B B n B Dec B Enc B B B C apply row reduction if C , no need to “adjust” first wire at all! A garble XOR gate using 0, 1, or 2 ciphertexts depending on how many of are distinct A B C fleXOR garbling Enc A ( A ∗ ) Enc A ⊕ ∆ A ( A ∗ ⊕ ∆ C ) false: A false: A ∗ A ∗ ⊕ ∆ C true: A ⊕ ∆ A true: A ∗ ⊕ B ∗ offset: ∆ A offset: ∆ C false: . . . . . . . A ∗ ⊕ B ∗ ⊕ ∆ C true: . false: B false: B ∗ offset: ∆ C B ∗ ⊕ ∆ C true: B ⊕ ∆ B true: offset: ∆ B offset: ∆ C . Flexible XOR (fleXOR) technique [this work] : . ◮ “adjust” offsets of both input wires to ∆ C , then use free XOR . . .

Recommend

. Collaborators: Arash Afshar / Zhangxiang Hu / Payman Mohassel .. .. .. .. .. .. .. . . .

. Collaborators: Arash Afshar / Zhangxiang Hu / Payman Mohassel .. .. .. .. .. .. .. . . .

Secure Computation with Sublinear Cost Mike Rosulek . Collaborators: Arash Afshar / Zhangxiang Hu / Payman Mohassel .. .. .. .. .. .. .. . . . . . . f x y f x y Examples: Run proprietary classifier x on private data y Evaluate

1.11k views • 98 slides
Practical Garbled Circuit Optimizations Mike Rosulek Collaborators: David Evans / Vlad Kolesnikov

Practical Garbled Circuit Optimizations Mike Rosulek Collaborators: David Evans / Vlad Kolesnikov

Practical Garbled Circuit Optimizations Mike Rosulek Collaborators: David Evans / Vlad Kolesnikov / Payman Mohassel / Samee Zahur Garbled circuit framework [Yao86] Garbled circuit framework [Yao86] 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1

2.19k views • 160 slides
Batched Non-interactive 2PC Payman Mohassel Mike Rosulek Visa Research OSU Secure Two-Party

Batched Non-interactive 2PC Payman Mohassel Mike Rosulek Visa Research OSU Secure Two-Party

Batched Non-interactive 2PC Payman Mohassel Mike Rosulek Visa Research OSU Secure Two-Party Computation 2 1 (, ) Secure Two-Party Computation 2 1 (, ) Non-Interactive Secure

2.32k views • 48 slides
Sublinear Zero-Knowledge Arguments for RAM Programs Payman Mike Alessandra Mohassel Scafuro

Sublinear Zero-Knowledge Arguments for RAM Programs Payman Mike Alessandra Mohassel Scafuro

Sublinear Zero-Knowledge Arguments for RAM Programs Payman Mike Alessandra Mohassel Scafuro Rosulek OSU NCState V I S Oregon State University A Problem C Data S Problem C Data S R 1 Problem C Data S R 1 y 1 Problem C

1.04k views • 99 slides
DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee

DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee

DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee Peter Rindal Threshold Cryto Has focused on public-key crypto Symmetric-key encryption got less attention Symmetric keys dont stay

338 views • 31 slides
Privacy-Preserving Payment Splitting Saba Eskandarian Mihai Christodorescu Payman Mohassel

Privacy-Preserving Payment Splitting Saba Eskandarian Mihai Christodorescu Payman Mohassel

Privacy-Preserving Payment Splitting Saba Eskandarian Mihai Christodorescu Payman Mohassel Stanford University Visa Research Facebook Payment Splitting Apps Splitwise, Receipt Ninja, Billpin, SpotMe, Conmigo, Settle Up, Convenient way to

685 views • 42 slides
Salus Seny Kamara - Microsoft Research Payman Mohassel U. of Calgary Ben Riva Tel Aviv U.

Salus Seny Kamara - Microsoft Research Payman Mohassel U. of Calgary Ben Riva Tel Aviv U.

Salus Seny Kamara - Microsoft Research Payman Mohassel U. of Calgary Ben Riva Tel Aviv U. Cooperation without Trust x f (x,y,z) y Alice Bob z Eve Cooperation without Trust Examples Data mining o Negotiations o Electronic

554 views • 27 slides
universal composability from essentially any trusted setup Mike Rosulek | | CRYPTO 2012 .

universal composability from essentially any trusted setup Mike Rosulek | | CRYPTO 2012 .

universal composability from essentially any trusted setup Mike Rosulek | | CRYPTO 2012 . Example: Set intersection A B ( function evaluation ) Generate a fair coin toss ( randomized ) Online poker without a dealer ( reactive ) secure

882 views • 48 slides
On the Structure of Unconditional UC Hybrid Protocols Mike Rosulek (Oregon State University) and

On the Structure of Unconditional UC Hybrid Protocols Mike Rosulek (Oregon State University) and

On the Structure of Unconditional UC Hybrid Protocols Mike Rosulek (Oregon State University) and Morgan Shirley (University of Toronto) Problem Statement & Summary of Results Our Parameters f(x, y) y x 2-Party functions A B

1.07k views • 77 slides
to securely compute f ? Mike Rosulek | | CRYPTO 2012 . B : B X is an algorithm for Y Black-box:

to securely compute f ? Mike Rosulek | | CRYPTO 2012 . B : B X is an algorithm for Y Black-box:

Q: Must you know the code of f to securely compute f ? Mike Rosulek | | CRYPTO 2012 . B : B X is an algorithm for Y Black-box: Non-black-box: Algorithm for Y depends on code of algorithm for X . Pervasive question since [ImpagliazzoRudich89] : .

742 views • 63 slides
PIR-PSI : SCALING PRIVATE CONTACT DISCOVERY PETS 2018 Peter Rindal Daniel Demmler Mike Rosulek

PIR-PSI : SCALING PRIVATE CONTACT DISCOVERY PETS 2018 Peter Rindal Daniel Demmler Mike Rosulek

PIR-PSI : SCALING PRIVATE CONTACT DISCOVERY PETS 2018 Peter Rindal Daniel Demmler Mike Rosulek Ni Trieu Motivation Application: Contact Discovery Contact discovery tells social network users which of their contacts are in the social

755 views • 38 slides
Hashing Garbled Circuits for Free Xiong Fan, Chaya Ganesh and Vladimir Kolesnikov Motivation

Hashing Garbled Circuits for Free Xiong Fan, Chaya Ganesh and Vladimir Kolesnikov Motivation

Hashing Garbled Circuits for Free Xiong Fan, Chaya Ganesh and Vladimir Kolesnikov Motivation Garbled circuits (GC) main technique for secure computation Motivation Garbled circuits (GC) main technique for secure computation Primitive in

2k views • 188 slides
Improved Private Set Intersection against Malicious Adversaries Peter Rindal Mike Rosulek

Improved Private Set Intersection against Malicious Adversaries Peter Rindal Mike Rosulek

Improved Private Set Intersection against Malicious Adversaries Peter Rindal Mike Rosulek Private Set Intersection (PSI) Private Set Intersection (PSI) Sender Receiver PSI

1.59k views • 99 slides
New Advances in Secure RAM Computation Sanjam Garg University of California, Berkeley Based on

New Advances in Secure RAM Computation Sanjam Garg University of California, Berkeley Based on

New Advances in Secure RAM Computation Sanjam Garg University of California, Berkeley Based on joint works with Steve Lu, Payman Mohassel, Charalampos Papamanthou, Rafail Ostrovsky and Alessandra Scafuro Yaos garbled circuits Server User

387 views • 20 slides
Restructuring the NSA Metadata Program Seny Kamara Microsoft Research Thanks to: Timothy Edgar,

Restructuring the NSA Metadata Program Seny Kamara Microsoft Research Thanks to: Timothy Edgar,

Restructuring the NSA Metadata Program Seny Kamara Microsoft Research Thanks to: Timothy Edgar, Matt Green, Noah Kunin, Payman Mohassel, Kurt Rohloff, Chris Soghoian and Marcy Wheeler June 5 th , 2013 1 st Snowden document published Verizon

554 views • 43 slides
Threshold Schnorr with Stateless Deterministic Signing Franois Garillot, Yash vanth Kondi,

Threshold Schnorr with Stateless Deterministic Signing Franois Garillot, Yash vanth Kondi,

Threshold Schnorr with Stateless Deterministic Signing Franois Garillot, Yash vanth Kondi, Payman Mohassel, Valeria Nikolaenko Northeastern University Facebook Novi/Facebook Novi/Facebook Schnorr: Practical Issues SchnorrSign( , m )

485 views • 21 slides
SpOT-Light: Lightweight Private Set Intersection from Sparse OT Extension Benny Pinkas Mike

SpOT-Light: Lightweight Private Set Intersection from Sparse OT Extension Benny Pinkas Mike

SpOT-Light: Lightweight Private Set Intersection from Sparse OT Extension Benny Pinkas Mike Rosulek Ni Trieu Avishay Yanai Presented by Cui Hongrui October 18, 2019 PRTY (BIU&OSU) SpOT October 18, 2019 1 / 30 Overview Introduction

1.5k views • 33 slides
On KLS conjecture for certain classes of convex sets Alexander Kolesnikov joint work with Emanuel

On KLS conjecture for certain classes of convex sets Alexander Kolesnikov joint work with Emanuel

On KLS conjecture for certain classes of convex sets Alexander Kolesnikov joint work with Emanuel Milman (Haifa) Higher School of Economics, Moscow B edlewo, 2017 Poincar e inequality We say that a probability measure satisfies the

858 views • 28 slides
Cyclical consistency and cyclical monotonicity Alexander Kolesnikov Higher School of Economics

Cyclical consistency and cyclical monotonicity Alexander Kolesnikov Higher School of Economics

Cyclical consistency and cyclical monotonicity Alexander Kolesnikov Higher School of Economics 2014 joint work with Olga Kudryavtseva, Tigran Nagapetyan Rationalizability problem and revealed preferences P. Samuelson (1938), H.S. Houthakker

909 views • 48 slides
The Picnic Digital Signature Algorithm NIST Second PQC Standardization Conference August 2019

The Picnic Digital Signature Algorithm NIST Second PQC Standardization Conference August 2019

The Picnic Digital Signature Algorithm NIST Second PQC Standardization Conference August 2019 Melissa Chase, David Derler, Steven Goldfeder, Jonathan Katz, Vladimir Kolesnikov, Claudio Orlandi, Sebastian Ramacher, Christian Rechberger, Daniel

765 views • 21 slides
Optimal transportation, curvature flows, and related a priori estimates Alexander Kolesnikov

Optimal transportation, curvature flows, and related a priori estimates Alexander Kolesnikov

Optimal transportation, curvature flows, and related a priori estimates Alexander Kolesnikov Moscow 2010 1 Curvature flow Shrinking family of (convex) surfaces A t , where every point x A t is moving in the direction of the normal n

140 views • 10 slides
IDN. for Russia ICANN 38, Brussels, Andrei Kolesnikov, ccTLD.RU IDN . for Russia IT

IDN. for Russia ICANN 38, Brussels, Andrei Kolesnikov, ccTLD.RU IDN . for Russia IT

IDN. for Russia ICANN 38, Brussels, Andrei Kolesnikov, ccTLD.RU IDN . for Russia IT WORKS! April, 22 the ICANN Board of Directors approved 4 requests for delegation of the IDN ccTLD May, 12, 17:40 MSK IDN .

377 views • 8 slides
Arindam K. Das, Mohamed El-Sharkawi, Robert J. Marks, Payman Arabshahi and Andrew Gray,

Arindam K. Das, Mohamed El-Sharkawi, Robert J. Marks, Payman Arabshahi and Andrew Gray,

Arindam K. Das, Mohamed El-Sharkawi, Robert J. Marks, Payman Arabshahi and Andrew Gray, Minimum Hop Multicasting in Broadcast Wireless Networks with Omni- Directional Antennas", Military Communications Conference, 2004. MILCOM 2004 (Oct

397 views • 36 slides
Why attribute-based signatures? The kind of authentication required in an attribute-based system

Why attribute-based signatures? The kind of authentication required in an attribute-based system

Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek November 22, 2010 Abstract We introduce Attribute-Based Signatures (ABS) , a versatile primitive that allows a party to sign a message with fine-grained

864 views • 35 slides

More recommend