682 research outputs found

    Garbled Elections

    Majority rules are frequently used to decide whether or not a public good should be provided, but will typically fail to achieve an efficient provision. We provide a worst-case analysis of the majority rule with an optimally chosen majority threshold, assuming that voters have independent private valuations and are ex ante symmetric (provision cost shares are included in the valuations). We show that if the population is large it can happen that the optimal majority rule is essentially no better than a random provision of the public good. But the optimal majority rule is worst-case asymptotically efficient in the large-population limit if (i) the voters’ expected valuation is bounded away from 0, and (ii) an absolute bound for valuations is known.

    Garbling Schemes and Applications

    The topic of this thesis is garbling schemes and their applications. A garbling scheme is a set of algorithms for realizing secure two-party computation. A party called a client possesses a private algorithm as well as a private input and would like to compute the algorithm with this input. However, the client might not have enough computational resources to evaluate the function with the input on his own. The client outsources the computation to another party, called an evaluator. Since the client wants to protect the algorithm and the input, he cannot just send the algorithm and the input to the evaluator. With a garbling scheme, the client can protect the privacy of the algorithm, the input and possibly also the privacy of the output. The increase in network-based applications has raised concerns about the privacy of user data. Therefore, privacy-preserving or privacy-enhancing techniques have gained interest in recent research. Garbling schemes seem to be an ideal solution for privacy-preserving applications. First of all, secure garbling schemes hide the algorithm and its input. Secondly, garbling schemes are known to have efficient implementations. In this thesis, we propose two applications utilizing garbling schemes. The first application provides privacy-preserving electronic surveillance. The second application extends electronic surveillance to more versatile monitoring, including also health telemetry. This kind of application would be ideal for assisted living services. In this work, we also present theoretical results related to garbling schemes. We present several new security definitions for garbling schemes which are of practical use. Traditionally, the same garbled algorithm can be evaluated once with garbled input. In applications, the same function is often evaluated several times with different inputs. Recently, a solution based on fully homomorphic encryption provides arbitrarily reusable garbling schemes. The disadvantage in this approach is that the arbitrary reuse cannot be efficiently implemented due to the inefficiency of fully homomorphic encryption. We propose an alternative approach. Instead of arbitrary reusability, the same garbled algorithm could be used a limited number of times. This gives us a set of new security classes for garbling schemes. We prove several relations between new and established security definitions. As a result, we obtain a complex hierarchy which can be represented as a product of three directed graphs. The three graphs in turn represent the different flavors of security: the security notion, the security model and the level of reusability. In addition to defining new security classes, we improve the definition of side-information function, which has a central role in defining the security of a garbling scheme. The information allowed to be leaked by the garbled algorithm and the garbled input depends on the representation of the algorithm. The established definition of side-information models the side-information of circuits perfectly but does not model side-information of Turing machines as well. The established model requires that the length of the argument, the length of the final result and the length of the function can be efficiently computable from the side-information function. Moreover, the side-information depends only on the function. In other words, the length of the argument, the length of the final result and the length of the function should only depend on the function. For circuits this is a natural requirement since the number of input wires tells the size of the argument, the number of output wires tells the size of the final result and the number of gates and wires tells the size of the function. On the other hand, the description of a Turing machine does not set any limitation to the size of the argument. Therefore, side-information that depends only on the function cannot provide information about the length of the argument. To tackle this problem, we extend the model of side-information so that side-information depends on both the function and the argument. The new model of side information allows us to define new security classes. We show that the old security classes are compatible with the new model of side-information. We also prove relations between the new security classes.

    This dissertation deals with garbling schemes and their applications. A garbling scheme is a tool used to realize secure two-party computation. A client holds a private algorithm and a private input with which he would like to carry out a certain computation. The client may not have enough computing power, so he cannot perform the computation himself and must outsource it to another party, a server. Since the client wants to protect his algorithm and input, he cannot simply send them to the server to be computed. By using a garbling scheme, the client can protect the privacy of his input and algorithm. The growth of network-based applications has raised concerns about the privacy of user data. Research into privacy-preserving or privacy-enhancing techniques has therefore attracted attention. Garbling techniques can protect both the input and the algorithm. In addition, several efficient implementations of garbling are known. For these reasons, garbling schemes are an attractive technique for implementing privacy-preserving applications. In this work we present two applications that make use of garbling. The first is privacy-preserving electronic surveillance. The second extends surveillance to more versatile monitoring, such as remote health monitoring. This can be of use especially to home care services. In this work we also present theoretical results on garbling schemes. We present new security definitions for garbling schemes, the need for which arises from practical applications. According to the traditional definition, the same garbled algorithm can be used for computing with only one garbled input. In practice, however, the same algorithm is used to evaluate several different inputs. Recently, a solution to this problem based on fully homomorphic encryption has been proposed. Thanks to this solution, the same garbled algorithm can be used securely an arbitrary number of times. The drawback of the solution, however, is that no efficient implementation of it is known, since none has yet been found for fully homomorphic encryption. We present an alternative viewpoint: instead of the same garbled algorithm being usable an arbitrary number of times, it can be used only a certain, predetermined number of times. This viewpoint allows numerous new security classes to be defined. We prove several relations between the new and old security definitions. Using these relations, a hierarchy consisting of three components can be formed for the security classes of garbling schemes. The information revealed by the garbled algorithm or the garbled input, which depends on the form in which the algorithm is represented, is called side-information. The established definition models the side-information of a logic circuit perfectly, but not as well that of a Turing machine. This is because every individual logic circuit sets a bound on the length of its input, whereas an individual Turing machine has no such restriction. We improve the definition of side-information, which removes this problem. The new kind of side-information allows new security classes to be defined. We show that the old security classes can also be expressed with the new side-information. We also prove relations between the new classes.

    Correlated Equilibrium in Games with Incomplete Information

    We define a notion of correlated equilibrium for games with incomplete information in a general setting with finite players, finite actions, and finite states, which we call Bayes correlated equilibrium. The set of Bayes correlated equilibria of a fixed incomplete information game equals the set of probability distributions over actions, states and types that might arise in any Bayes Nash equilibrium where players observed additional information. We show that more information always shrinks the set of Bayes correlated equilibria.

    Correlated equilibrium, Incomplete information, Robust predictions, Information structure

    Reusable Garbled Circuit Implementation of AES to Avoid Power Analysis Attacks

    Unintended side-channel leaks can be exploited by attackers quickly and with relatively inexpensive equipment. Cloud providers aren’t equipped to provide assurances of security against such attacks. One of the most well-known and effective side-channel attacks targets information leaked through power consumption. Differential Power Analysis (DPA) can extract a secret key by measuring the power used while a device is executing an algorithm. This research explores the susceptibility of current implementations of Circuit Garbling to power analysis attacks and a simple variant that obfuscates functionality and randomizes the power consumption by reusing the garbling keys and the garbled gates. AES has been chosen as an example. The first task is to implement the garbled variants of basic logic gates in hardware (RTL design) using Circuit Garbling. The second task is to use the above created gates to create an RTL implementation of AES using Verilog HDL. The next task is to perform a Differential Power Analysis (DPA) on this circuit and evaluate its resilience to attack.

    IST Austria Thesis

    Many security definitions come in two flavors: a stronger “adaptive” flavor, where the adversary can arbitrarily make various choices during the course of the attack, and a weaker “selective” flavor where the adversary must commit to some or all of their choices a priori. For example, in the context of identity-based encryption, selective security requires the adversary to decide on the identity of the attacked party at the very beginning of the game whereas adaptive security allows the attacker to first see the master public key and some secret keys before making this choice. Often, it appears to be much easier to achieve selective security than it is to achieve adaptive security. A series of several recent works shows how to cleverly achieve adaptive security in several such scenarios including generalized selective decryption [Pan07][FJP15], constrained PRFs [FKPR14], and Yao’s garbled circuits [JW16]. Although the above works expressed vague intuition that they share a common technique, the connection was never made precise. In this work we present a new framework (published at Crypto ’17 [JKK+17a]) that connects all of these works and allows us to present them in a unified and simplified fashion. Having the framework in place, we show how to achieve adaptive security for proxy re-encryption schemes (published at PKC ’19 [FKKP19]) and provide the first adaptive security proofs for continuous group key agreement protocols (published at S&P ’21 [KPW+21]). Questioning optimality of our framework, we then show that currently used proof techniques cannot lead to significantly better security guarantees for "graph-building" games (published at TCC ’21 [KKPW21a]). These games cover generalized selective decryption, as well as the security of prominent constructions for constrained PRFs, continuous group key agreement, and proxy re-encryption. Finally, we revisit the adaptive security of Yao’s garbled circuits and extend the analysis of Jafargholi and Wichs in two directions: While they prove adaptive security only for a modified construction with increased online complexity, we provide the first positive results for the original construction by Yao (published at TCC ’21 [KKP21a]). On the negative side, we prove that the results of Jafargholi and Wichs are essentially optimal by showing that no black-box reduction can provide a significantly better security bound (published at Crypto ’21 [KKPW21c]).