Garbled Elections
Majority rules are frequently used to decide whether or not a public good should be provided, but will typically fail to achieve an efficient provision. We provide a worst-case analysis of the majority rule with an optimally chosen majority threshold, assuming that voters have independent private valuations and are ex ante symmetric (provision cost shares are included in the valuations). We show that if the population is large it can happen that the optimal majority rule is essentially no better than a random provision of the public good. But the optimal majority rule is worst-case asymptotically efficient in the large-population limit if (i) the voters' expected valuation is bounded away from 0, and (ii) an absolute bound for valuations is known.
Garbling Schemes and Applications
The topic of this thesis is garbling schemes and their applications. A garbling scheme is a set of algorithms for realizing secure two-party computation. A party called a client possesses a private algorithm as well as a private input and would like to compute the algorithm with this input. However, the client might not have enough computational resources to evaluate the function with the input on his own. The client outsources the computation to another party, called an evaluator. Since the client wants to protect the algorithm and the input, he cannot just send the algorithm and the input to the evaluator. With a garbling scheme, the client can protect the privacy of the algorithm, the input and possibly also the privacy of the output.
The increase in network-based applications has raised concerns about the privacy of user data. Therefore, privacy-preserving or privacy-enhancing techniques have gained interest in recent research. Garbling schemes seem to be an ideal solution for privacy-preserving applications. First of all, secure garbling schemes hide the algorithm and its input. Secondly, garbling schemes are known to have efficient implementations.
In this thesis, we propose two applications utilizing garbling schemes. The first application provides privacy-preserving electronic surveillance. The second application extends electronic surveillance to more versatile monitoring, including also health telemetry. This kind of application would be ideal for assisted living services.
In this work, we also present theoretical results related to garbling schemes. We present several new security definitions for garbling schemes which are of practical use. Traditionally, the same garbled algorithm can be evaluated once with garbled input. In applications, the same function is often evaluated several times with different inputs. Recently, a solution based on fully homomorphic encryption provides arbitrarily reusable garbling schemes. The disadvantage in this approach is that the arbitrary reuse cannot be efficiently implemented due to the inefficiency of fully homomorphic encryption.
We propose an alternative approach. Instead of arbitrary reusability, the same garbled algorithm could be used a limited number of times. This gives us a set of new security classes for garbling schemes. We prove several relations between new and established security definitions. As a result, we obtain a complex hierarchy which can be represented as a product of three directed graphs. The three graphs in turn represent the different flavors of security: the security notion, the security model and the level of reusability.
In addition to defining new security classes, we improve the definition of the side-information function, which has a central role in defining the security of a garbling scheme. The information allowed to be leaked by the garbled algorithm and the garbled input depends on the representation of the algorithm. The established definition of side-information models the side-information of circuits perfectly but does not model the side-information of Turing machines as well. The established model requires that the length of the argument, the length of the final result and the length of the function can be efficiently computed from the side-information function. Moreover, the side-information depends only on the function. In other words, the length of the argument, the length of the final result and the length of the function should depend only on the function. For circuits this is a natural requirement, since the number of input wires tells the size of the argument, the number of output wires tells the size of the final result, and the number of gates and wires tells the size of the function. On the other hand, the description of a Turing machine does not set any limitation on the size of the argument. Therefore, side-information that depends only on the function cannot provide information about the length of the argument. To tackle this problem, we extend the model of side-information so that side-information depends on both the function and the argument. The new model of side-information allows us to define new security classes. We show that the old security classes are compatible with the new model of side-information. We also prove relations between the new security classes.
This dissertation deals with garbling schemes and their applications. A garbling scheme is a tool used to implement secure two-party computation. A client holds a private algorithm and a private input with which he would like to perform a certain computation.
The client does not necessarily have enough computing power, so he cannot perform the computation himself and has to outsource it to another party, a server. Since the client wants to protect his algorithm and his input, he cannot simply send them to the server to be computed. By using a garbling scheme, the client can protect the privacy of his input and his algorithm.
The growth of network-based applications has raised concerns about the privacy of user data. Therefore, research into privacy-preserving or privacy-enhancing techniques has gained attention. Garbling can be used to protect both the input and the algorithm. In addition, several efficient implementations of garbling are known. For these reasons, garbling schemes are an attractive technique for implementing privacy-preserving applications. In this work we present two applications that make use of garbling. The first of these is privacy-preserving electronic surveillance. The second application extends surveillance to more versatile monitoring, such as remote health monitoring. This can be useful especially for home care services.
In this work we also present theoretical results concerning garbling schemes. We present new security definitions for garbling schemes, the need for which arises from practical applications. According to the traditional definition, the same garbled algorithm can be used for computation with only one garbled input. In practice, however, the same algorithm is used to evaluate several different inputs. Recently, a solution to this problem based on fully homomorphic encryption has been proposed. Thanks to this solution, the same garbled algorithm can be safely used an arbitrary number of times. The drawback of this solution, however, is that no efficient implementation of it is known, since none has yet been found for fully homomorphic encryption. We present an alternative perspective: instead of the same garbled algorithm being usable an arbitrary number of times, it can be used only a certain, predetermined number of times. This perspective allows numerous new security classes to be defined. We prove several relations between the new and the old security definitions. Using these relations, a hierarchy consisting of three components can be formed for the security classes of garbling schemes.
The information that is revealed by a garbled algorithm or a garbled input, which depends on the form in which the algorithm is represented, is called side-information. The established definition models the side-information of a logic circuit perfectly, but not as well the side-information of a Turing machine. This is because every individual logic circuit sets a bound on the length of its input, whereas an individual Turing machine has no such restriction. We improve the definition of side-information so that this problem disappears. The new kind of side-information allows new security classes to be defined. We show that the old security classes can also be expressed using the new side-information. We also prove relations between the new classes.
Correlated Equilibrium in Games with Incomplete Information
We define a notion of correlated equilibrium for games with incomplete information in a general setting with finite players, finite actions, and finite states, which we call Bayes correlated equilibrium. The set of Bayes correlated equilibria of a fixed incomplete information game equals the set of probability distributions over actions, states and types that might arise in any Bayes Nash equilibrium where players observe additional information. We show that more information always shrinks the set of Bayes correlated equilibria.
Keywords: Correlated equilibrium, Incomplete information, Robust predictions, Information structure
Reusable Garbled Circuit Implementation of AES to Avoid Power Analysis Attacks
Unintended side-channel leaks can be exploited by attackers quickly and with relatively inexpensive equipment. Cloud providers aren't equipped to provide assurances of security against such attacks. One of the best-known and most effective side-channel attacks exploits information leaked through power consumption. Differential Power Analysis (DPA) can extract a secret key by measuring the power used while a device is executing an algorithm. This research explores the susceptibility of current implementations of Circuit Garbling to power analysis attacks and proposes a simple variant that obfuscates functionality and randomizes the power consumption by reusing the garbling keys and the garbled gates. AES has been chosen as an example. The first task is to implement the garbled variants of basic logic gates in hardware (RTL design) using Circuit Garbling. The second task is to use the gates created above to build an RTL implementation of AES using Verilog HDL. The next task is to perform a Differential Power Analysis (DPA) on this circuit and evaluate its resilience to attack.
IST Austria Thesis
Many security definitions come in two flavors: a stronger "adaptive" flavor, where the adversary can arbitrarily make various choices during the course of the attack, and a weaker "selective" flavor where the adversary must commit to some or all of their choices a priori. For example, in the context of identity-based encryption, selective security requires the adversary to decide on the identity of the attacked party at the very beginning of the game, whereas adaptive security allows the attacker to first see the master public key and some secret keys before making this choice. Often, it appears to be much easier to achieve selective security than it is to achieve adaptive security. A series of several recent works shows how to cleverly achieve adaptive security in several such scenarios including generalized selective decryption [Pan07][FJP15], constrained PRFs [FKPR14], and Yao's garbled circuits [JW16]. Although the above works expressed vague intuition that they share a common technique, the connection was never made precise. In this work we present a new framework (published at Crypto '17 [JKK+17a]) that connects all of these works and allows us to present them in a unified and simplified fashion. Having the framework in place, we show how to achieve adaptive security for proxy re-encryption schemes (published at PKC '19 [FKKP19]) and provide the first adaptive security proofs for continuous group key agreement protocols (published at S&P '21 [KPW+21]). Questioning the optimality of our framework, we then show that currently used proof techniques cannot lead to significantly better security guarantees for "graph-building" games (published at TCC '21 [KKPW21a]). These games cover generalized selective decryption, as well as the security of prominent constructions for constrained PRFs, continuous group key agreement, and proxy re-encryption.
Finally, we revisit the adaptive security of Yao's garbled circuits and extend the analysis of Jafargholi and Wichs in two directions: While they prove adaptive security only for a modified construction with increased online complexity, we provide the first positive results for the original construction by Yao (published at TCC '21 [KKP21a]). On the negative side, we prove that the results of Jafargholi and Wichs are essentially optimal by showing that no black-box reduction can provide a significantly better security bound (published at Crypto '21 [KKPW21c]).