DOCSLIB.ORG

Setup-Free Secure Search on Encrypted Data: Faster and Post-Processing Free

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Setup-Free Secure Search on Encrypted Data: Faster and Post-Processing Free Proceedings on Privacy Enhancing Technologies ; 2019 (3):87–107 Adi Akavia*, Craig Gentry, Shai Halevi, and Max Leibovich Setup-Free Secure Search on Encrypted Data: Faster and Post-Processing Free Abstract: We present a novel secure search protocol Keywords: Secure search, Fully homomorphic encryp- on data and queries encrypted with Fully Homomor- tion, Randomized algorithms, Universal hash functions phic Encryption (FHE). Our protocol enables organiza- DOI 10.2478/popets-2019-0038 tions (client) to (1) securely upload an unsorted data Received 2018-11-30; revised 2019-03-15; accepted 2019-03-16. array x = (x[1], . , x[n]) to an untrusted honest-but- curious sever, where data may be uploaded over time 1 Introduction and from multiple data-sources; and (2) securely is- Following the rapid advancement and widespread avail- sue repeated search queries q for retrieving the first ability of cloud computing it is a common practice ∗ ∗ element (i , x[i ]) satisfying an agreed matching crite- to outsource data storage and computations to cloud ∗ rion i = min {i ∈ [n] | IsMatch(x[i], q) = 1}, as well as providers. Placing cleartext (i.e unencrypted) data on fetching the next matching elements with further inter- the cloud compromises data security. To regain data action. For security, the client encrypts the data and privacy one could encrypt the data prior to upload- queries with FHE prior to uploading, and the server ing to the cloud. However, if using standard encryp- processes the ciphertexts to produce the result cipher- tion (e.g. AES), this solution nullifies the benefits of text for the client to decrypt. Our secure search pro- cloud computing: when given only ciphertexts the cloud tocol improves over the prior state-of-the-art for secure provider cannot process the underlying cleartext data in search on FHE encrypted data (Akavia, Feldman, Shaul any meaningful way. (AFS), CCS’2018) in achieving: Fully homomorphic encryption (FHE) [22, 23, 49] is – Post-processing free protocol where the server produces an encryption scheme that allows processing the under- a ciphertext for the correct search outcome with over- lying cleartext data while it still remains in encrypted whelming success probability. This is in contrast to form, and without giving away the secret key (see Def- returning a list of candidates for the client to post- inition 2.1). With FHE it is possible for the client to process, or suffering from a noticeable error probabil- securely outsource computations to the server as fol- ity, in AFS. Our post-processing freeness enables the lows: The client first encrypts its data x with an FHE server to use secure search as a sub-component in a scheme to obtain the ciphertext [[x]] ← Enc (x), and larger computation without interaction with the client. pk sends [[x]] to the server. The server can now compute any – Faster protocol: (a) Client time and communication function f on the underlying clear-text data x by eval- bandwidth are improved by a log2 n/ log log n factor. uating a homomorphic version of f on the ciphertext (b) Server evaluates a polynomial of degree linear in [[x]]. The outcome of this computation is a ciphertext log n (compare to cubic in AFS), and overall number of [[y]] ← Eval (f, [[x]]) that decrypts to the desired output multiplications improved by up to log n factor. (c) Em- pk y = f(x). The server can now send the ciphertext [[y]] to ploying only GF(2) computations (compare to GF(p) the client who would decrypt y ← Dec ([[y]]) to obtain for p 2 in AFS) to gain both further speedup and sk the result. compatibility to all current FHE candidates. The homomorphic computations achievable by the – Order of magnitude speedup exhibited by extensive known FHE candidates (e.g. [7, 19, 24, 43]) are specified benchmarks we executed on identical hardware for im- plementations of ours versus AFS’s protocols. Additionally, like other FHE based solutions, our solu- tion is setup-free: to outsource elements from the client *Corresponding Author: Adi Akavia: University of Haifa, to the server, no additional actions are performed on x E-mail: [email protected] except for encrypting it element by element (each ele- Craig Gentry: IBM Research, E-mail: craigbgen- [email protected] ment bit by bit) and uploading the resulted ciphertexts Shai Halevi: IBM Research, E-mail: [email protected] to the server. Max Leibovich: University of Haifa, E-mail: [email protected] Setup-Free Secure Search on Encrypted Data: Faster and Post-Processing Free 88 by a polynomial over a finite ring (i.e. by repeated ap- (d) no initial setup is performed on x except for en- plication of homomorphic-addition and homomorphic- crypting it element-by-element (each element encrypted multiplication for that ring). For example, for data bit-by-bit) and uploading the resulting ciphertexts to in binary representation, bitwise operations on plain- the server. text bits (addition and multiplication modulo 2) can We point out that the latter condition, among other be replaced by their homomorphic counterparts on en- things, prevents speeding up the search by using stan- crypted bits (homomorphic-addition and homomorphic- dard data structures such as search-trees, hash-tables, multiplication). or sorted arrays (on top of, or instead of, the encrypted Key factors influencing the running-time of such unsorted array [[x]]). A linear scan lower bound is thus homomorphic computations are the degree and overall implied by the addressed formulation, even if we were to multiplications of the polynomial. Leading to the main search on clear-text data. This restriction is nonetheless two constraints in designing algorithms that compute on motivated by many use-cases, as discussed next. FHE encrypted data: they must be realized by a poly- Use-cases motivating the aforementioned no-setup re- nomial of low degree and low amount of overall multi- striction arise in settings where, for example: plications. – Matching criteria are unknown in advance, thus pre- Note that this FHE approach for securely outsourc- cluding appropriate indexing or sorting at setup; ing to the server the computation of y = f(x) has the – High dimensional range queries, where index size is benefits of requiring only a single round of communica- exponential in the number attributes and infeasible tion, and with low communication bandwidth (commu- to compute or store; nicating only the encrypted input [[x]] and output [[y]]). – Streaming data with client discarding each element Furthermore, the server in this protocol learns no new immediately after encrypting and uploading to the information about x or y (assuming the FHE is seman- server, thus precluding client’s setup or maintenance tically secure). of the desired data-structures (and where for the Secure search is a fundamental computational problem, server, seeing only ciphertexts, secure maintenance useful in numerous data analysis and retrieval tasks. An of advanced data structures seems even harder than abundance of proposed solutions were presented to solve secure search); it using different cryptographic tools (see Section 1.1 – Low capacity clients that are too weak to run setup and Tables 1-2). In particular, Gentry [22, 23] proposed over the entire cleartext array prior to encrypting using FHE to securely search on encrypted data. and uploading it to the server; In this work we address the natural and simple for- – Fragmented data uploaded to the server from mul- mulation for secure search on FHE encrypted data (se- tiple distinct client endpoints (data-sources) with cure search) as considered by [2]: Secure search is a two no single endpoint that can perform setup over the party protocol between a server and a client. The server entire cleartext data. holds an unsorted array [[x]] = [[x[1]]],..., [[x[n]]] of en- The single-round and low-communication restric- crypted elements (not necessarily distinct) that were tions are motivated by use-cases in settings where com- previously encrypted and uploaded by the client, as well munication is a major bottleneck, e.g. in being intermit- as a specification of a predicate IsMatch(a, b) ∈ {0, 1} tent or unreliable, or where communicating is with data- specifying the matching condition. The client submits sources that are mostly offline, or have restricted bat- encrypted queries [[q]] to the server in order to re- tery capacity as in sensors-networks or some Internet- trieve the first matching element. The server returns of-Things (IoT) devices. to the client the encrypted index and element pair The single server restriction is motivated, not only [[y]] = [[i∗]], [[x[i∗]]] for i∗ the index of the first element by the simplicity of such architecture, but also by its satisfying the matching condition, i∗ = min{i ∈ [n] | stronger security guarantee: requiring no non-collusion IsMatch(x[i], q) = 1}. See detailed definition and exten- assumption on servers. sions in Section 3 and 5. Threat model. We address computationally-bounded Restrictions on protocols. Note that the above secure semi-honest adversaries that follow the protocol but search formulation, as addressed in this work, focuses on may try to learn additional information. Our security re- protocols that involve (a) a single server, and where quirement is that adversaries controlling the server can- the client-server interaction is of (b) a single round, not distinguish between two adversarially-chosen equal and (c) low communication complexity. Furthermore, size queries or data arrays. See Section 3.3. Setup-Free Secure Search on Encrypted Data: Faster and Post-Processing Free 89 The leakage of our protocols include only size in- ing setup necessitates –even on cleartext data– a linear formation (specifically, upper-bounds on array size, ele- scan of the data. Our work focuses on the no-setup case.
Load more

Recommended publications
  • Fundamentals of Fully Homomorphic Encryption – a Survey
    Electronic Colloquium on Computational Complexity, Report No. 125 (2018) Fundamentals of Fully Homomorphic Encryption { A Survey Zvika Brakerski∗ Abstract A homomorphic encryption scheme is one that allows computing on encrypted data without decrypting it first. In fully homomorphic encryption it is possible to apply any efficiently com- putable function to encrypted data. We provide a survey on the origins, definitions, properties, constructions and uses of fully homomorphic encryption. 1 Homomorphic Encryption: Good, Bad or Ugly? In the seminal RSA cryptosystem [RSA78], the public key consists of a product of two primes ∗ N = p · q as well as an integer e, and the message space is the set of elements in ZN . Encrypting a message m involved simply raising it to the power e and taking the result modulo N, i.e. c = me (mod N). For the purpose of the current discussion we ignore the decryption process. It is not hard to see that the product of two ciphertexts c1 and c2 encrypting messages m1 and m2 allows e to compute the value c1 · c2 (mod N) = (m1m2) (mod N), i.e. to compute an encryption of m1 · m2 without knowledge of the secret private key. Rabin's cryptosystem [Rab79] exhibited similar behavior, where a product of ciphertexts corresponded to an encryption of their respective plaintexts. This behavior can be expressed in formal terms by saying that the ciphertext space and the plaintext space are homomorphic (multiplicative) groups. The decryption process defines the homomorphism by mapping a ciphertext to its image plaintext. Rivest, Adleman and Dertouzos [RAD78] realized the potential advantage of this property.
    [Show full text]
  • Lecture Notes in Computer Science 6223 Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan Van Leeuwen
    Lecture Notes in Computer Science 6223 Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen TU Dortmund University, Germany Madhu Sudan Microsoft Research, Cambridge, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max-Planck Institute of Computer Science, Saarbruecken, Germany Tal Rabin (Ed.) Advances in Cryptology – CRYPTO 2010 30th Annual Cryptology Conference Santa Barbara, CA, USA, August 15-19, 2010 Proceedings 13 Volume Editor Tal Rabin IBM T.J.Watson Research Center Hawthorne, NY, USA E-mail: [email protected] Library of Congress Control Number: 2010931385 CR Subject Classification (1998): E.3, G.2.1, F.2.1-2, D.4.6, K.6.5, C.2, J.1 LNCS Sublibrary: SL 4 – Security and Cryptology ISSN 0302-9743 ISBN-10 3-642-14622-8 Springer Berlin Heidelberg New York ISBN-13 978-3-642-14622-0 Springer Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks.
    [Show full text]
  • Indistinguishability Obfuscation from Functional Encryption
    Indistinguishability Obfuscation from Functional Encryption The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters. Citation Bitansky, Nir, and Vinod Vaikuntanathan. "Indistinguishability Obfuscation from Functional Encryption." 2015 IEEE 56th Annual Symposium on Foundations of Computer Science (FOCS), 17-20 October 2015, Berkeley, CA, 2015, pp. 171–90. As Published http://dx.doi.org/10.1109/FOCS.2015.20 Publisher Institute of Electrical and Electronics Engineers (IEEE) Version Original manuscript Citable link http://hdl.handle.net/1721.1/113077 Terms of Use Creative Commons Attribution-Noncommercial-Share Alike Detailed Terms http://creativecommons.org/licenses/by-nc-sa/4.0/ Indistinguishability Obfuscation from Functional Encryption∗ Nir Bitanskyy Vinod Vaikuntanathanz Abstract Indistinguishability obfuscation (IO) is a tremendous notion, powerful enough to give rise to almost any known cryptographic object. Prior candidate IO constructions were based on specific assumptions on algebraic objects called multi-linear graded encodings. We present a generic construction of indistinguishability obfuscation from public-key functional encryption with succinct encryption circuits and subexponential security. This shows the equivalence of indistinguishability obfuscation and public-key functional en- cryption, a primitive that has so far seemed to be much weaker, lacking the power and the staggering range of applications of indistinguishability obfuscation. Our main construction can be based on functional encryption schemes that support a single function key, and where the encryption circuit grows sub-linearly in the circuit-size of the function. We further show that sublinear succinctness in circuit-size for single-key schemes can be traded with sublinear succinctness in the number of keys (also known as the collusion-size) for multi-key schemes.
    [Show full text]
  • Homomorphic Encryption for Machine Learning in Medicine and Bioinformatics
    This is a repository copy of Homomorphic Encryption for Machine Learning in Medicine and Bioinformatics. White Rose Research Online URL for this paper: https://eprints.whiterose.ac.uk/151333/ Version: Accepted Version Article: Kahrobaei, Delaram orcid.org/0000-0001-5467-7832, Wood, Alexander and Najarian, Kayvan (2020) Homomorphic Encryption for Machine Learning in Medicine and Bioinformatics. ACM Comput. Surv.. ISSN 0360-0300 Reuse Items deposited in White Rose Research Online are protected by copyright, with all rights reserved unless indicated otherwise. They may be downloaded and/or printed for private study, or other acts as permitted by national copyright laws. The publisher or other rights holders may allow further reproduction and re-use of the full text version. This is indicated by the licence information on the White Rose Research Online record for the item. Takedown If you consider content in White Rose Research Online to be in breach of UK law, please notify us by emailing [email protected] including the URL of the record and the reason for the withdrawal request. [email protected] https://eprints.whiterose.ac.uk/ Homomorphic Encryption for Machine Learning in Medicine and Bioinformatics ALEXANDER WOOD∗, University of Michigan, United States KAYVAN NAJARIAN, University of Michigan, United States DELARAM KAHROBAEI, University of York, United Kingdom Machine learning and statistical techniques are powerful tools for analyzing large amounts of medical and genomic data. On the other hand, ethical concerns and privacy regulations prevent free sharing of this data. Encryption techniques such as fully homomorphic encryption (FHE) enable evaluation over encrypted data. Using FHE, machine learning models such as deep learning, decision trees, and naive Bayes have been implemented for privacy-preserving applications using medical data.
    [Show full text]
  • Short Signatures from Weaker Assumptions
    Short Signatures From Weaker Assumptions Dennis Hofheinz1, Tibor Jager2, and Eike Kiltz2 1 Institut f¨urKryptographie und Sicherheit, Karlsruhe Institute of Technology, Germany. [email protected] 2 Horst-G¨ortzInstitute for IT Security, Ruhr-University Bochum, Germany. ftibor.jager,[email protected] Abstract. We provide constructions of (m; 1)-programmable hash functions (PHFs) for m ≥ 2. Mim- icking certain programmability properties of random oracles, PHFs can, e.g., be plugged into the generic constructions by Hofheinz and Kiltz (J. Cryptol. 2011) to yield digital signature schemes from the strong RSA and strong q-Diffie-Hellman assumptions. As another application of PHFs, we propose new and efficient constructions of digital signature schemes from weaker assumptions, i.e., from the (standard, non-strong) RSA and the (standard, non-strong) q-Diffie-Hellman assumptions. The resulting signature schemes offer interesting tradeoffs between efficiency/signature length and the size of the public-keys. For example, our q-Diffie-Hellman signatures can be as short as 200 bits; the signing algorithm of our Strong RSA signature scheme can be as efficient as the one in RSA full domain hash; compared to previous constructions, our RSA signatures are shorter (by a factor of roughly 2) and we obtain a considerable efficiency improvement (by an even larger factor). All our constructions are in the standard model, i.e., without random oracles. Keywords: digital signatures, RSA assumption, q-DH assumption, programmable hash functions. 1 Introduction Digital Signatures are one of the most fundamental cryptographic primitives. They are used as a building block in numerous high-level cryptographic protocols.
    [Show full text]
  • K-Anonymously Private Search Over Encrypted Data
    k-Anonymously Private Search over Encrypted Data Shiyu Ji, Kun Wan {shiyu, kun}@cs.ucsb.edu Abstract In this paper we compare the performance of various homomorphic encryption methods on a private search scheme that can achieve k-anonymity privacy. To make our benchmarking fair, we use open sourced cryptographic libraries which are written by experts and well scrutinized. We find that Goldwasser-Micali encryption achieves good enough performance for practical use, whereas fully homomorphic encryptions are much slower than partial ones like Goldwasser-Micali and Paillier. 1 Introduction How to securely and privately search over encrypted dataset has been popular in research community for the past decade [27, 28, 32, 33, 11, 10, 1]. A private search scheme should allow the client to have access to one of the posting lists in the inverted index, while the server hosting the index cannot tell which posting is accessed by the client. Also for privacy concern, the client should not know any other posting except the legally requested one. To address this problem, one possible way is to leverage Homomorphic Encryption [21, 22, 37, 38, 19, 4, 5]. Recently there is some debate over the question whether such a homomorphic encryption based private search scheme can be practically used [40, 36, 1]. We note that it is important which encryption method is used, since the involved operations may be very different, e.g., there are many modular exponential operations in Paillier [37, 38], while Goldwasser-Micali only requires quadratic exponentiation; some lattice based HEs (e.g. [6, 4]) require noise management techniques such as bootstrapping [16], re- linearization [6] and approximate eigenvector [20], which need more time.
    [Show full text]
  • Techniques for Computing on Encrypted Data in a Practical System*
    Techniques for computing on encrypted data in a practical system* Raluca Ada Popa September 2014 In this document, we survey various techniques for computing on encrypted data that might be useful when designing a practical security system. These tools or methods provide an interesting spectrum over three coordinates: functionality, security, and performance. Unfortunately, none of these tools alone suffices to enable running the systems we have today over encrypted data. They typically fail to achieve a desired goal with respect to at least one of these three coordinates. Nevertheless, understanding the tradeoffs these tools provide in functionality, security, and performance, coupled with an understanding of the targeted system, has enabled building systems that are practical for a class of applications and provide a meaningful level of security. Some examples of such systems are [PRZB11, PSV+14, ABE+13, AEK+13, TKMZ13, TLMM13, KGM+14, SSSE14, TSCS13, HHCW12, KKM+13]. Hence, below we describe each tool or method from a functionality, security and performance standpoint, describing the tradeoff it strikes in this space, and the settings in which it might be practical. Since our focus is this tradeoff, we keep the cryptographic presentation of each tool informal, and instead reference outside formal presentations. We divide these tools and methods in two categories: tools that leak (virtually) nothing about the data and tools that reveal a well-defined function of the data. Many times, the information revealed in the second category helps improve performance drastically. 2 1 Tools with no leakage ◇ 1.1 Fully homomorphic encryption Functionality. FHE [Gen09] is a public-key encryption scheme [Gol04].
    [Show full text]
  • Private-Key Fully Homomorphic Encryption for Private Classification of Medical Data
    City University of New York (CUNY) CUNY Academic Works All Dissertations, Theses, and Capstone Projects Dissertations, Theses, and Capstone Projects 9-2018 Private-Key Fully Homomorphic Encryption for Private Classification of Medical Data Alexander N. Wood The Graduate Center, City University of New York How does access to this work benefit ou?y Let us know! More information about this work at: https://academicworks.cuny.edu/gc_etds/2888 Discover additional works at: https://academicworks.cuny.edu This work is made publicly available by the City University of New York (CUNY). Contact: [email protected] Private-Key Fully Homomorphic Encryption for Private Classification of Medical Data by Alexander Nicolas Wood A dissertation submitted to the Graduate Faculty in Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy, The City University of New York 2018 ii c 2018 Alexander Nicolas Wood All Rights Reserved iii Private-Key Fully Homomorphic Encryption for Private Classification of Medical Data by Alexander Nicolas Wood This manuscript has been read and accepted by the Graduate Faculty in Computer Science in satisfaction of the dissertation requirement for the degree of Doctor of Philosophy. Date Delaram Kahrobaei Chair of Examining Committee Date Robert M. Haralick Executive Officer Supervisory Committee: Robert M. Haralick Delaram Kahrobaei Ali Mostashari Kayvan Najarian Vladimir Shpilrain The City University of New York iv Abstract Private-Key Fully Homomorphic Encryption for Private Classification of Medical Data by Alexander Nicolas Wood Advisor: Professor Delaram Kahrobaei A wealth of medical data is inaccessible to researchers and clinicians due to privacy restrictions such as HIPAA.
    [Show full text]
  • Security and Privacy on Blockchain 1:3 Scientists and Engineers to Uncover Suitable Blockchain Models and Techniques for Many Domain Specific Application Scenarios
    1 Security and Privacy on Blockchain RUI ZHANG and RUI XUE, State Key Laboratory of Information Security, Institute of Information Engi- neering, Chinese Academy of Sciences, China and School of Cyber Security, University of Chinese Academy of Sciences, China LING LIU, School of Computer Science, Georgia Institute of Technology, USA, USA Blockchain offers an innovative approach to storing information, executing transactions, performing func- tions, and establishing trust in an open environment. Many consider blockchain as a technology breakthrough for cryptography and cybersecurity, with use cases ranging from globally deployed cryptocurrency systems like Bitcoin, to smart contracts, smart grids over the Internet of Things, and so forth. Although blockchain has received growing interests in both academia and industry in the recent years, the security and privacy of blockchains continue to be at the center of the debate when deploying blockchain in different applications. This paper presents a comprehensive overview of the security and privacy of blockchain. To facilitate the discussion, we first introduce the notion of blockchains and its utility in the context of Bitcoin like online transactions. Then we describe the basic security properties that are supported as the essential requirements and building blocks for Bitcoin like cryptocurrency systems, followed by presenting the additional security and privacy properties that are desired in many blockchain applications. Finally, we review the security and privacy techniques for achieving these security properties in blockchain-based systems, including represen- tative consensus algorithms, hash chained storage, mixing protocols, anonymous signatures, non-interactive zero-knowledge proof, and so forth. We conjecture that this survey can help readers to gain an in-depth understanding of the security and privacy of blockchain with respect to concept, attributes, techniques and systems.
    [Show full text]
  • Practical Secure Two-Party Computation
    Practical Secure Two-Party Computation: Techniques, Tools, and Applications David Evans (PI), Aaron Mackey, abhi shelat (University of Virginia) Michael Hicks, Jonathan Katz (University of Maryland); Steven Myers (Indiana University) Project Summary Many compelling applications involve computations that require sensitive data from two or more individuals. As an example, consider the myriad genetics applications soon to be within reach of individuals as the cost of personal genome sequencing rapidly plummets. An individual may wish to compare her genome with the genomes of different groups of participants in a study to determine which treatment is likely to be most effective for her. Such comparisons could have tremendous value, but are infeasible because of the privacy concerns both for the individual and study participants. What is needed is a way to compute the output of the comparison without exposing either party’s private inputs. Theoretical solutions to this problem, known as secure multi-party computation, have been known for several decades, including a general solution developed by Andrew Yao based on garbled circuits. Because of its extensive memory use and computational cost, however, the garbled circuits approach has traditionally been considered more of a theoretical curiosity than a practical mechanism for building privacy-preserving applications. Recent developments in cryptographic techniques and new implementation approaches are beginning to change this, however, and admit the possibility of scalable, practical secure computation. Building on this work, we propose to develop techniques and tools to enable practical secure two-party computations and to evaluate these tools by building several scalable privacy-preserving applications. We will develop methods for avoiding the memory bottleneck associated with garbled circuit evaluation by aggressively pipelining circuit generation and evaluation.
    [Show full text]
  • Online-Offline Functional Encryption for Bounded Collusions
    Online-Offline Functional Encryption for Bounded Collusions Shweta Agrawal∗ Alon Roseny Abstract We give a new construction of bounded key functional encryption. Our scheme is well suited for optimization in an online-offline model that allows for preparation in an offline phase, where a majority of the computation is done before the data becomes available. This is followed by an efficient online phase, which is performed when the data becomes known. Such a model has been considered in the context of Attribute-Based Encryption by Hohenberger and Waters (PKC'14). The online component of our scheme significantly outperforms the best previously known construction of bounded key functional encryption by Gorbunov, Vaikuntanathan and Wee (CRYPTO'12), and in fact quasi-linearly depends only on the message size in contrast to the GVW12 ciphertext, which additionally grows as O(q4) for q queries. Security of our scheme is based on the Ring LWE assumption, which is comparable to the assumption underlying the GVW scheme and is well-established compared to those underlying known constructions of unbounded key functional encryption (based on multilinear maps and/or obfuscation). To prove security of our scheme, we introduce a new proof technique, which we call noisy functional encryption. Arguing security via this technique requires the encryptor to artificially add noise to the decryption equation, providing an intriguing tradeoff between correctness and security. This technique appears to be quite general and we believe it is likely to have other applications. ∗IIT Delhi, India. Email: [email protected]. Work done (in part) while visiting IDC Herzliya, supported by the ERC under the EU's Seventh Framework Programme (FP/2007-2013) ERC Grant Agreement n.
    [Show full text]
  • Arxiv:2008.10733V1 [Cs.CR] 24 Aug 2020 to Predict the Hygiene of the Restaurant and Health Risks [4]
    Precision Health Data: Requirements, Challenges and Existing Techniques for Data Security and Privacy Chandra Thapa and Seyit Camtepe CSIRO Data61, Australia fchandra.thapa, [email protected] Abstract. Precision health leverages information from various sources, including omics, lifestyle, environment, social media, medical records, and medical insurance claims to enable personalized care, prevent and predict illness, and precise treatments. It extensively uses sensing technologies (e.g., electronic health monitoring devices), computations (e.g., machine learning), and communication (e.g., interaction between the health data centers). As health data contain sensitive private information, including the identity of patient and carer and medical conditions of the patient, proper care is required at all times. Leakage of these private information affects the personal life, including bullying, high insurance premium, and loss of job due to the medical history. Thus, the security, privacy of and trust on the information are of utmost importance. Moreover, government legislation and ethics committees demand the security and privacy of healthcare data. Besides, the public, who is the data source, always expects the security, privacy, and trust of their data. Otherwise, they can avoid contributing their data to the precision health system. Consequently, as the public is the targeted beneficiary of the system, the effectiveness of precision health diminishes. Herein, in the light of precision health data security, privacy, ethical and regulatory requirements, finding the best methods and techniques for the utilization of the health data, and thus precision health is essential. In this regard, firstly, this paper explores the regulations, ethical guidelines around the world, and domain-specific needs.
    [Show full text]