Machine Learning Classification over Encrypted Data. Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser
|
|
- Cornelia Booker
- 6 years ago
- Views:
Transcription
1 Machine Learning Classification over Encrypted Data Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser
2 Classification (Machine Learning) Supervised learning (training) Classification data set training phase model classification phase data prediction server client
3 Secure Classification The provider s model is sensible financial model, genetic sequences, Client s private data medical records, credit history,
4 Secure Classification The provider s model is sensible financial model, genetic sequences, Client s private data medical records, credit history, MPC / 2PC
5 Using General 2PC? + Works for every circuit + Constant number of interactions - Have to build circuits - Hard to compose - Not easily reusable Ad Hoc protocols
6 Scope of our work Secure classification, no learning the model is already known Differential privacy is out of scope can be treated separately Classifiers as specialized 2PC, but not a specialized classifier
7 Approach Security model: passive (honest-but-curious) adversary Identify and construct reusable building blocks Practical performance as a primary goal Choose the best fitted primitives Homomorphic Encryption, FHE, Garbled Circuits,
8 Building Blocks Dot product Encrypted Comparison Encrypted (arg)max Decision trees Encryption scheme switching
9 Argmax Alice Bob (Ja 1 K,...,Ja n K, PK) SK The comparison pattern must not depend on the values
10 Argmax Alice Bob (Ja 1 K,...,Ja n K, PK) SK The comparison pattern must not depend on the values Compare everything
11 Argmax Alice Bob (Ja 1 K,...,Ja n K, PK) SK The comparison pattern must not depend on the values Compare everything ) O(n 2 )
12 Argmax Alice Bob (Ja 1 K,...,Ja n K, PK) SK The comparison pattern must not depend on the values Compare everything ) O(n 2 )
13 Argmax Alice Bob (Ja 1 K,...,Ja n K, PK) SK The comparison pattern must not depend on the values Compare everything ) O(n 2 ) Classical algorithm
14 Argmax Alice Bob (Ja 1 K,...,Ja n K, PK) SK The comparison pattern must not depend on the values Compare everything Classical algorithm ) O(n 2 ) ) O(n)
15 Compare & Swap Alice (PK, JvK, JwK) Bob SK Jmax(v, w)k (v <w)
16 Compare & Swap Alice (PK, JvK, JwK) Bob SK Compare? (v <w) Jmax(v, w)k (v <w)
17 Compare & Swap Alice (PK, JvK, JwK) Bob SK Compare? (v <w) Swap? Jmax(v, w)k (v <w)
18 Compare & Swap Alice (PK, JvK, JwK) EncCompare Bob SK b =(v<w) Jmax(v, w)k (v <w)
19 Compare & Swap Alice (PK, JvK, JwK) (r, s) M 2 Jv 0 K = Jv + rk Jw 0 K = Jw + sk EncCompare Bob SK b =(v<w) Jmax(v, w)k (v <w)
20 Compare & Swap Alice (PK, JvK, JwK) (r, s) M 2 Jv 0 K = Jv + rk Jw 0 K = Jw + sk EncCompare Jv 0 K, Jw 0 K Bob SK b =(v<w) Jmax(v, w)k (v <w)
21 Compare & Swap Alice (PK, JvK, JwK) (r, s) M 2 Jv 0 K = Jv + rk Jw 0 K = Jw + sk EncCompare Jv 0 K, Jw 0 K Bob SK b =(v<w) ( Jw 0 K if b Jm 0 K Jv 0 K o/w. Jmax(v, w)k (v <w)
22 Compare & Swap Alice (PK, JvK, JwK) (r, s) M 2 Jv 0 K = Jv + rk Jw 0 K = Jw + sk EncCompare Jv 0 K, Jw 0 K (JbK, Jm 0 K) Bob SK b =(v<w) ( Jw 0 K if b Jm 0 K Jv 0 K o/w. Jmax(v, w)k (v <w)
23 Compare & Swap Alice (PK, JvK, JwK) (r, s) M 2 Jv 0 K = Jv + rk Jw 0 K = Jw + sk JmK Jm 0 K (g 1 JbK) r JbK s EncCompare Jv 0 K, Jw 0 K (JbK, Jm 0 K) Bob SK b =(v<w) ( Jw 0 K if b Jm 0 K Jv 0 K o/w. Jmax(v, w)k (v <w)
24 Compare & Swap Alice (PK, JvK, JwK) (r, s) M 2 Jv 0 K = Jv + rk Jw 0 K = Jw + sk JmK Jm 0 K (g 1 JbK) r JbK s JmK Jm 0 b.r b.sk Jmax(v, w)k EncCompare Jv 0 K, Jw 0 K (JbK, Jm 0 K) Bob SK b =(v<w) ( Jw 0 K if b Jm 0 K (v <w) Jv 0 K o/w.
25 Argmax Protocol : n-1 Compare & Swap Alice JmK Ja 1 K Bob
26 Argmax Protocol : n-1 Compare & Swap Alice Bob JmK Ja 1 K JmK Jmax(m, a 2 )K C & S (m <a 2 )
27 Argmax Protocol : n-1 Compare & Swap Alice Bob JmK Ja 1 K JmK Jmax(m, a 2 )K C & S (m <a 2 ) C & S JmK Jmax(m, a i )K (m <a i )
28 Argmax Protocol : n-1 Compare & Swap Alice Bob JmK Ja 1 K JmK Jmax(m, a 2 )K C & S (m <a 2 ) C & S JmK Jmax(m, a i )K (m <a i ) C & S JmK Jmax(m, a n )K (m <a n )
29 Argmax Protocol : n-1 Compare & Swap Alice Bob JmK Ja 1 K JmK Jmax(a 1,a 2 )K C & S (m <a 2 ) JmK JmK s { max a j j2[1,i] s { max a j j2[1,n] C & S C & S (m <a i ) (m <a n )
30 Argmax Protocol : n-1 Compare & Swap Alice Bob JmK Ja 1 K JmK Jmax(a 1,a 2 )K C & S (a 1 <a 2 ) JmK JmK s { max a j j2[1,i] s { max a j j2[1,n] C & S C & S (m <a i ) ) argmax j2[1,i] (m <a n ) ) argmax j2[1,n] a j a j
31 Argmax Protocol : n-1 Compare & Swap Alice JmK JmK JmK Ja (1) K JmK Jmax(a (1), a s (2) )K { max a (j) j2[1,i] s { max a (j) j2[1,n] max a j C & S C & S C & S Bob (a (1) <a (1) ) (m <a (i) ) ) argmax j2[1,i] (m <a (n) ) ) argmax j2[1,n] a (j) a (j) (argmax a j )
32 Argmax Protocol : n-1 Compare & Swap
33 Argmax Protocol : n-1 Compare & Swap sequentially
34 Argmax Protocol : n-1 Compare & Swap sequentially or in parallel
35 Argmax Protocol : n-1 Compare & Swap sequentially or in parallel Party A Party B Communication Tree Time (ms) Elements
36 Decision Trees y y 2 B D x x 2 x<x 2 y<y 1 y>y 2 y 1 A C E E D B x<x 1 x x 1 A C x 1 x 2 x
37 Decision Trees b b 2 b c 1 c 2 c 3 b c 4 c 5 P (b 1,b 2,b 3,b 4,c 1,...,c 5 )= b 1 (b 3 (b 4 c 5 +(1 b 4 ) c 4 )+(1 b 3 ) c 3 ) +(1 b 1 ) (b 2 c 2 +(1 b 2 ) c 1 )
38 Decision Trees P (b 1,b 2,b 3,b 4,c 1,...,c 5 )= b 1 (b 3 (b 4 c 5 +(1 b 4 ) c 4 )+(1 b 3 ) c 3 ) +(1 b 1 ) (b 2 c 2 +(1 b 2 ) c 1 ) Polynomial evaluation Leveled Homomorphic Encryption Binary Variables Binary Coefficients! (SIMD) ) Efficient LHE
39 Classifiers In Practice Linear Classifier Naïve Bayes Classifier Decision Trees
40 Linear Classifier Separate two sets of points Very common classifier Dot product + Encrypted compare
41 Linear Classifier Model Size Computation Client Server Time / protocol Dot Product Enc. Comp. Total Comm. Inter ms 43.8 ms 194 ms 9.67 ms 204 ms kb ms 43.8 ms 194 ms 23.6 ms 217 ms kb 7 Evaluation on UC Irvine ML databases 40 ms network latency 2,66 GHz Intel Core i7
42 Naïve Bayes Classifier
43 Naïve Bayes Classifier Classification argmax i2[k] p(c = c i X = x)
44 Naïve Bayes Classifier Classification Bayes Formula argmax i2[k] argmax i2[k] p(c = c i X = x) p(c = c i,x = x) p(x = x)
45 Naïve Bayes Classifier Classification Bayes Formula argmax i2[k] argmax i2[k] p(c = c i X = x) p(c = c i,x = x)
46 Naïve Bayes Classifier Classification Bayes Formula Naïve Model argmax i2[k] argmax i2[k] argmax i2[k] p(c = c i X = x) p(c = c i,x = x) p(c = c i,x 1 = x 1,...,X d = x d )
47 Naïve Bayes Classifier Classification Bayes Formula Naïve Model argmax i2[k] argmax i2[k] argmax i2[k] p(c = c i X = x) p(c = c i,x = x) dy p(c = c i ) p(x j = x j C = c i ) j=1
48 Naïve Bayes Classifier Classification Bayes Formula Naïve Model argmax i2[k] argmax i2[k] argmax i2[k] p(c = c i X = x) p(c = c i,x = x) dy p(c = c i ) p(x j = x j C = c i ) j=1
49 Naïve Bayes Classifier Classification Bayes Formula Naïve Model argmax i2[k] argmax i2[k] argmax i2[k] p(c = c i X = x) p(c = c i,x = x) dy p(c = c i ) p(x j = x j C = c i ) j=1 argmax i2[k] log p(c = c i ) dx log p(x j = x j C = c i ) j=1
50 Naïve Bayes Classifier k d Computation Client Server Running Time Comm. Inter ms 104 ms 479 ms kb ms 368 ms 1415 ms kb ms 1664 ms 3810 ms 1911 kb 166 Evaluation on UC Irvine ML databases 40 ms network latency 2,66 GHz Intel Core i7
51 Decision Tree Combination of other classifiers In this example, linear classifiers Linear classifier + ES Switching + Decision Trees
52 Decision Tree Tree Specs. Computation N D Client Server Time / Protoc. Lin. Class. ES Switch Eval FHE Decrypt Com m. Inter ms 798 ms 446 ms 1639 ms 239 ms ms 2639 kb ms 1723 ms 1410 ms 7406 ms 899 ms 35.1 ms 3555 kb 44 Evaluation on UC Irvine ML databases 40 ms network latency 2,66 GHz Intel Core i7
53 In conclusion Composable building blocks for secure classifiers Practical performances Future work : Less roundtrips (work on the protocols) More parallelism (work on the implementation)
54 Questions?
Are you the one to share? Secret Transfer with Access Structure
Are you the one to share? Secret Transfer with Access Structure Yongjun Zhao, Sherman S.M. Chow Department of Information Engineering The Chinese University of Hong Kong, Hong Kong Private Set Intersection
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationSecure Multi-Party Computation. Lecture 17 GMW & BGW Protocols
Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More informationPrivate Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5
Private Comparison Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5 1 École Normale Supérieure, CNRS, PSL University 2 IRIT 3 Chair of Naval Cyber Defense, IMT
More informationKeyword Search and Oblivious Pseudo-Random Functions
Keyword Search and Oblivious Pseudo-Random Functions Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold 1 Background: Oblivious Transfer Oblivious Transfer (OT) [R], 1-out-of-N [EGL]: Input: Server:
More informationA Practical Universal Circuit Construction and Secure Evaluation of Private Functions
A Practical Universal Circuit Construction and, Bell Labs, Murray Hill, NJ, USA http://www.cs.toronto.edu/~vlad/, University of Erlangen-Nuremberg, Germany http://thomaschneider.de Financial Cryptography
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationBenny Pinkas Bar Ilan University
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption
More informationNaïve Bayes classification
Naïve Bayes classification 1 Probability theory Random variable: a variable whose possible values are numerical outcomes of a random phenomenon. Examples: A person s height, the outcome of a coin toss
More informationk-nearest Neighbor Classification over Semantically Secure Encry
k-nearest Neighbor Classification over Semantically Secure Encrypted Relational Data Reporter:Ximeng Liu Supervisor: Rongxing Lu School of EEE, NTU May 9, 2014 1 2 3 4 5 Outline 1. Samanthula B K, Elmehdwi
More informationPerfect Secure Computation in Two Rounds
Perfect Secure Computation in Two Rounds Benny Applebaum Tel Aviv University Joint work with Zvika Brakerski and Rotem Tsabary Theory and Practice of Multiparty Computation Workshop, Aarhus, 2018 The MPC
More informationPrivacy-preserving Data Mining
Privacy-preserving Data Mining What is [data] privacy? Privacy and Data Mining Privacy-preserving Data mining: main approaches Anonymization Obfuscation Cryptographic hiding Challenges Definition of privacy
More informationNaïve Bayes classification. p ij 11/15/16. Probability theory. Probability theory. Probability theory. X P (X = x i )=1 i. Marginal Probability
Probability theory Naïve Bayes classification Random variable: a variable whose possible values are numerical outcomes of a random phenomenon. s: A person s height, the outcome of a coin toss Distinguish
More informationOn the Communication Complexity of Secure Function Evaluation with Long Output
On the Communication Complexity of Secure Function Evaluation with Long Output Pavel Hubáček Daniel Wichs Abstract We study the communication complexity of secure function evaluation (SFE). Consider a
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationEfficient and Private Scoring of Decision Trees, Support Vector Machines and Logistic Regression Models based on Pre-Computation
1 Efficient and Private Scoring of Decision Trees, Support Vector Machines and Logistic Regression Models based on Pre-Computation Martine De Cock, Rafael Dowsley, Caleb Horst, Raj Katti, Anderson C. A.
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationi-hop Homomorphic Encryption Schemes
i-hop Homomorphic Encryption Schemes Craig Gentry Shai Halevi Vinod Vaikuntanathan March 12, 2010 Abstract A homomorphic encryption scheme enables computing on encrypted data by means of a public evaluation
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationCryptographic Solutions for Data Integrity in the Cloud
Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationOn Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)
On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan) Secure Multiparty Computation (MPC) Ideal World/ Functionality
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationFrom Minicrypt to Obfustopia via Private-Key Functional Encryption
From Minicrypt to Obfustopia via Private-Key Functional Encryption Ilan Komargodski Weizmann Institute of Science Joint work with Gil Segev (Hebrew University) Functional Encryption [Sahai-Waters 05] Enc
More informationBootstrapping for Approximate Homomorphic Encryption
Bootstrapping for Approximate Homomorphic Encryption Jung Hee Cheon, Kyoohyung Han, Andrey Kim (Seoul National University) Miran Kim, Yongsoo Song (University of California, San Diego) Landscape of Homomorphic
More informationOn Homomorphic Encryption and Secure Computation
On Homomorphic Encryption and Secure Computation challenge response Shai Halevi IBM NYU Columbia Theory Day, May 7, 2010 Computing on Encrypted Data Wouldn t it be nice to be able to o Encrypt my data
More informationA New Approach to Practical Active-Secure Two-Party Computation
A New Approach to Practical Active-Secure Two-Party Computation Jesper Buus Nielsen 1, Peter Sebastian Nordholt 1, Claudio Orlandi 1, Sai Sheshank Burra 2 1 Aarhus University, Denmark 2 Indian Institute
More informationMulti-Party Computation with Conversion of Secret Sharing
Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution
More informationPrivacy-Preserving Data Imputation
Privacy-Preserving Data Imputation Geetha Jagannathan Stevens Institute of Technology Hoboken, NJ, 07030, USA gjaganna@cs.stevens.edu Rebecca N. Wright Stevens Institute of Technology Hoboken, NJ, 07030,
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationBayesian Learning (II)
Universität Potsdam Institut für Informatik Lehrstuhl Maschinelles Lernen Bayesian Learning (II) Niels Landwehr Overview Probabilities, expected values, variance Basic concepts of Bayesian learning MAP
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationModulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain
Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis Bart Mennink (K.U.Leuven) Joint work with: Jorge Guajardo (Philips Research Labs) Berry Schoenmakers (TU Eindhoven)
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationBayes Classifiers. CAP5610 Machine Learning Instructor: Guo-Jun QI
Bayes Classifiers CAP5610 Machine Learning Instructor: Guo-Jun QI Recap: Joint distributions Joint distribution over Input vector X = (X 1, X 2 ) X 1 =B or B (drinking beer or not) X 2 = H or H (headache
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24 Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework
More informationDEIM Forum 207 H6-4 305 8573 305 8573 305 8573 E-mail: sn@kde.cs.tsukuba.ac.jp, chiemi@cs.tsukuba.ac.jp, kitagawa@cs.tsukuba.ac.jp DBaaS m. Database as a ServiceDBaaSDBaaS Amazon Relational Database Service
More informationSecureML: A System for Scalable Privacy-Preserving Machine Learning
SecureML: A System for Scalable Privacy-Preserving Machine Learning Payman Mohassel Yupeng Zhang Abstract Machine learning is widely used in practice to produce predictive models for applications such
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationBetween a Rock and a Hard Place: Interpolating Between MPC and FHE
Between a Rock and a Hard Place: Interpolating Between MPC and FHE A. Choudhury, J. Loftus, E. Orsini, A. Patra and N.P. Smart Dept. Computer Science, University of Bristol, United Kingdom. {Ashish.Choudhary,Emmanuela.Orsini,Arpita.Patra}@bristol.ac.uk,
More informationMachine Learning 2017
Machine Learning 2017 Volker Roth Department of Mathematics & Computer Science University of Basel 21st March 2017 Volker Roth (University of Basel) Machine Learning 2017 21st March 2017 1 / 41 Section
More informationOn i-hop Homomorphic Encryption
No relation to On i-hop Homomorphic Encryption Craig Gentry, Shai Halevi, Vinod Vaikuntanathan IBM Research 2 This Work is About Connections between: Homomorphic encryption (HE) Secure function evaluation
More informationSPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a
SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a Ronald Cramer 1 Ivan Damgård 2 Daniel Escudero 2 Peter Scholl 2 Chaoping Xing 3 August 21, 2018 1 CWI, Amsterdam 2 Aarhus University, Denmark 3
More informationMulti-Party Computation of
Multi-Party Computation of Polynomials & Branching Programs without Simultaneous Interaction Hoeteck Wee (ENS) + Dov Gordon (ACS) Tal Malkin (Columbia) Mike Rosulek (OSU) multi-party computation x x 2
More informationFundamental MPC Protocols
3 Fundamental MPC Protocols In this chapter we survey several important MPC approaches, covering the main protocols and presenting the intuition behind each approach. All of the approaches discussed can
More informationData-Mining on GBytes of
Data-Mining on GBytes of Encrypted Data In collaboration with Dan Boneh (Stanford); Udi Weinsberg, Stratis Ioannidis, Marc Joye, Nina Taft (Technicolor). Outline Motivation Background on cryptographic
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research The Goal I want to delegate
More informationLecture 38: Secure Multi-party Computation MPC
Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party
More informationPrivacy-Preserving Ridge Regression over Distributed Data from LHE
Privacy-Preserving Ridge Regression over Distributed Data from LHE Irene Giacomelli 1, Somesh Jha 1, Marc Joye, C. David Page 1, and Kyonghwan Yoon 1 1 University of Wisconsin-Madison, Madison, WI, USA
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationDay 5: Generative models, structured classification
Day 5: Generative models, structured classification Introduction to Machine Learning Summer School June 18, 2018 - June 29, 2018, Chicago Instructor: Suriya Gunasekar, TTI Chicago 22 June 2018 Linear regression
More informationFully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation x x f f(x) Email, web-search, navigation, social networking What if x is private? Search
More informationDistributed Oblivious RAM for Secure Two-Party Computation
Seminar in Distributed Computing Distributed Oblivious RAM for Secure Two-Party Computation Steve Lu & Rafail Ostrovsky Philipp Gamper Philipp Gamper 2017-04-25 1 Yao s millionaires problem Two millionaires
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationPrivacy-Preserving Ridge Regression Without Garbled Circuits
Privacy-Preserving Ridge Regression Without Garbled Circuits Marc Joye NXP Semiconductors, San Jose, USA marc.joye@nxp.com Abstract. Ridge regression is an algorithm that takes as input a large number
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationCOS Cryptography - Final Take Home Exam
COS 433 - Cryptography - Final Take Home Exam Boaz Barak May 12, 2010 Read these instructions carefully before starting to work on the exam. If any of them are not clear, please email me before you start
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationMemory Delegation. June 15, 2011
Memory Delegation Kai-Min Chung Yael Tauman Kalai Feng-Hao Liu Ran Raz June 15, 2011 Abstract We consider the problem of delegating computation, where the delegator doesn t even know the input to the function
More informationMidterm: CS 6375 Spring 2015 Solutions
Midterm: CS 6375 Spring 2015 Solutions The exam is closed book. You are allowed a one-page cheat sheet. Answer the questions in the spaces provided on the question sheets. If you run out of room for an
More informationA Zero-One Law for Secure Multi-Party Computation with Ternary Outputs
A Zero-One Law for Secure Multi-Party Computation with Ternary Outputs KTH Royal Institute of Technology gkreitz@kth.se TCC, Mar 29 2011 Model Limits of secure computation Our main result Theorem (This
More informationLogistic Regression. Jia-Bin Huang. Virginia Tech Spring 2019 ECE-5424G / CS-5824
Logistic Regression Jia-Bin Huang ECE-5424G / CS-5824 Virginia Tech Spring 2019 Administrative Please start HW 1 early! Questions are welcome! Two principles for estimating parameters Maximum Likelihood
More informationProbabilistic classification CE-717: Machine Learning Sharif University of Technology. M. Soleymani Fall 2016
Probabilistic classification CE-717: Machine Learning Sharif University of Technology M. Soleymani Fall 2016 Topics Probabilistic approach Bayes decision theory Generative models Gaussian Bayes classifier
More informationA New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank
A New Approach to Practical Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank Secure Two-Party Computation Alice has an input a {0,1} * Bob has an input
More informationSecure Multi-Party Computation
Secure Multi-Party Computation (cryptography for the not so good, the not so bad and the not so ugly) María Isabel González Vasco mariaisabel.vasco@urjc.es Based on joint work with Paolo D Arco (U. Salerno)
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationMultiparty Computation with Low Communication, Computation and Interaction via Threshold FHE
Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE Gilad Asharov Abhishek Jain Daniel Wichs June 9, 2012 Abstract Fully homomorphic encryption (FHE) provides a
More informationA SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL
A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL Prastudy Fauzi, Helger Lipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 OUR RESULTS A new efficient CRS-based NIZK shuffle argument OUR RESULTS
More informationEncryption Switching Protocols
This is the full version of the extended abstract which appears in In Advances in Cryptology Proceedings of CRYPTO 16 Part I Springer-Verlag, LNCS 9814, pages 308 338 . Encryption
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationTopics. Bayesian Learning. What is Bayesian Learning? Objectives for Bayesian Learning
Topics Bayesian Learning Sattiraju Prabhakar CS898O: ML Wichita State University Objectives for Bayesian Learning Bayes Theorem and MAP Bayes Optimal Classifier Naïve Bayes Classifier An Example Classifying
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationClassification CE-717: Machine Learning Sharif University of Technology. M. Soleymani Fall 2012
Classification CE-717: Machine Learning Sharif University of Technology M. Soleymani Fall 2012 Topics Discriminant functions Logistic regression Perceptron Generative models Generative vs. discriminative
More informationFaster Maliciously Secure Two-Party Computation Using the GPU Full version
Faster Maliciously Secure Two-Party Computation Using the GPU Full version Tore Kasper Frederiksen, Thomas P. Jakobsen, and Jesper Buus Nielsen July 15, 2014 Department of Computer Science, Aarhus University
More informationLecture 2: Linear Algebra Review
CS 4980/6980: Introduction to Data Science c Spring 2018 Lecture 2: Linear Algebra Review Instructor: Daniel L. Pimentel-Alarcón Scribed by: Anh Nguyen and Kira Jordan This is preliminary work and has
More informationA Posteriori Openable Public Key Encryption *
A Posteriori Openable Public Key Encryption * Xavier Bultel 1, Pascal Lafourcade 1, CNRS, UMR 6158, LIMOS, F-63173 Aubière, France Université Clermont Auvergne, LIMOS, BP 10448, 63000 Clermont-Ferrand,
More informationPrastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016
Prastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification
More informationZKBoo: Faster Zero-Knowledge for Boolean Circuits
Aarhus University ZKBoo: Faster Zero-Knowledge for Boolean Circuits Irene Giacomelli, Jesper Madsen and Claudio Orlandi Usenix Security Symposium 2016 1 / 15 Zero-Knowledge (ZK) Arguments Alice Bob. Private
More informationConstant-Round MPC with Fairness and Guarantee of Output Delivery
Constant-Round MPC with Fairness and Guarantee of Output Delivery S. Dov Gordon Feng-Hao Liu Elaine Shi April 22, 2015 Abstract We study the round complexity of multiparty computation with fairness and
More informationAn Unconditionally Secure Protocol for Multi-Party Set Intersection
An Unconditionally Secure Protocol for Multi-Party Set Intersection Ronghua Li 1,2 and Chuankun Wu 1 1 State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
More informationInstance-based Domain Adaptation
Instance-based Domain Adaptation Rui Xia School of Computer Science and Engineering Nanjing University of Science and Technology 1 Problem Background Training data Test data Movie Domain Sentiment Classifier
More informationKaggle.
Administrivia Mini-project 2 due April 7, in class implement multi-class reductions, naive bayes, kernel perceptron, multi-class logistic regression and two layer neural networks training set: Project
More informationYuval Ishai Technion
Winter School on, Israel 30/1/2011-1/2/2011 Yuval Ishai Technion 1 Several potential advantages Unconditional security Guaranteed output and fairness Universally composable security This talk: efficiency
More informationLecture 19: Verifiable Mix-Net Voting. The Challenges of Verifiable Mix-Net Voting
6.879 Special Topics in Cryptography Instructors: Ran Canetti April 15, 2004 Lecture 19: Verifiable Mix-Net Voting Scribe: Susan Hohenberger In the last lecture, we described two types of mix-net voting
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET
J. Korean Math. Soc. 46 (2009), No. 1, pp. 59 69 ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET Jae Hong Seo, HyoJin Yoon, Seongan Lim, Jung Hee Cheon, and Dowon Hong Abstract. The element
More informationOutsourcing Multi-Party Computation
Outsourcing Multi-Party Computation Seny Kamara Payman Mohassel Mariana Raykova Abstract We initiate the study of secure multi-party computation (MPC) in a server-aided setting, where the parties have
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationCircular Range Search on Encrypted Spatial Data
Circular Range Search on Encrypted Spatial Data Boyang Wang, Ming Li, Haitao Wang and Hui Li Department of Computer Science, Utah State University, Logan, UT, USA State Key Laboratory of Integrated Service
More information