
    Private Set Intersection with Linear Communication from General Assumptions

    This work presents a hashing-based algorithm for Private Set Intersection (PSI) in the honest-but-curious setting. The protocol is generic, modular and provides both asymptotic and concrete efficiency improvements over existing PSI protocols. If each player has $m$ elements, our scheme requires only $O(m\lambda)$ communication between the parties, where $\lambda$ is a security parameter. Our protocol builds on the hashing-based PSI protocol of Pinkas et al. (USENIX 2014, USENIX 2015), but we replace one of the sub-protocols (handling the cuckoo "stash") with a special-purpose PSI protocol that is optimized for comparing sets of unbalanced size. This brings the asymptotic communication complexity of the overall protocol down from $\omega(m\lambda)$ to $O(m\lambda)$, and provides concrete performance improvements (10-15% reduction in communication costs) over Kolesnikov et al. (CCS 2016) under real-world parameter choices. Our protocol is simple, generic and benefits from the permutation-hashing optimizations of Pinkas et al. (USENIX 2015) and the Batched, Relaxed Oblivious Pseudo Random Functions of Kolesnikov et al. (CCS 2016).

    3-Party Distributed ORAM from Oblivious Set Membership

    Distributed Oblivious RAM (DORAM) protocols allow a group of participants to obliviously access a secret-shared array at a secret-shared index, and DORAM is the key tool for secure multiparty computation (MPC) in the RAM model. In this work, we present a novel 3-party semi-honest DORAM protocol with O((κ + D) log N) communication per access, where N is the size of the memory, κ is a security parameter and D is the block size. Our protocol performs polylogarithmic computation and does not require homomorphic encryption. Under natural parameter choices, this is the most communication-efficient DORAM with these properties. To build this DORAM protocol, we first present an extremely efficient oblivious data structure for answering set membership queries. From this we build an oblivious hash table with asymptotically optimal memory usage and access cost and with negligible failure probability. We believe these are of independent interest.

    MetaDORAM: Breaking the Log-Overhead Information Theoretic Barrier

    This paper presents the first Distributed Oblivious RAM (DORAM) protocol that achieves sub-logarithmic communication overhead without computational assumptions. That is, given $n$ $d$-bit memory locations, we present an information-theoretically secure protocol which requires $o(d \cdot \log(n))$ bits of communication per access (when $d = \Omega(\log^2(n))$). This comes as a surprise, since the Goldreich-Ostrovsky lower bound shows that the related problem of Oblivious RAMs requires logarithmic overhead in the number of memory locations accessed. It was shown that this bound also applies in the multi-server ORAM setting, and therefore also applies in the DORAM setting. Achieving sub-logarithmic communication therefore requires accessing and using $\Omega(\log(n) \cdot d)$ bits of memory, without engaging in communication for each bit accessed. Techniques such as Fully Homomorphic Encryption and Function Secret Sharing allow secure selection of the relevant memory locations with small communication overhead, but introduce computational assumptions. In this paper we show that it is possible to avoid a logarithmic communication overhead even without any computational assumptions. Concretely, we present a 3-party honest-majority DORAM that is secure against semi-honest adversaries. The protocol has communication cost $\Theta\left((\log^2(n) + d) \cdot \frac{\log(n)}{\log(\log(n))}\right)$. For any $d = \Omega(\log^2(n))$ the overhead is therefore $\Theta(\log(n)/\log(\log(n)))$. Additionally, we show a subtle flaw in a common approach for analyzing the security of Oblivious Hash Tables. We prove our construction secure using an alternative approach.

    Alibi: A Flaw in Cuckoo-Hashing based Hierarchical ORAM Schemes and a Solution

    There once was a table of hashes
    That held extra items in stashes
    It all seemed like bliss
    But things went amiss
    When the stashes were stored in the caches

    The first Oblivious RAM protocols introduced the "hierarchical solution" (STOC '90), where the servers store a series of hash tables of geometrically increasing capacities. Each ORAM query would read a small number of locations from each level of the hierarchy, and each level of the hierarchy would be reshuffled and rebuilt at geometrically increasing intervals to ensure that no single query was ever repeated twice at the same level. This yielded an ORAM protocol with polylogarithmic overhead. Future works extended and improved the hierarchical solution, replacing traditional hashing with cuckoo hashing (ICALP '11) and cuckoo hashing with a combined stash (Goodrich et al. SODA '12). In this work, we identify a subtle flaw in the protocol of Goodrich et al. (SODA '12) that uses cuckoo hashing with a stash in the hierarchical ORAM solution. We give a concrete distinguishing attack against this type of hierarchical ORAM that uses cuckoo hashing with a combined stash. This security flaw has propagated to at least 5 subsequent hierarchical ORAM protocols, including the recent optimal ORAM scheme, OptORAMa (Eurocrypt '20). In addition to our attack, we identify a simple fix that does not increase the asymptotic complexity. We note, however, that our attack only affects more recent hierarchical ORAMs, but does not affect the early protocols that predate the use of cuckoo hashing, or other types of ORAM solutions (e.g. Path ORAM or Circuit ORAM).

    Private Anonymous Data Access

    We consider a scenario where a server holds a huge database that it wants to make accessible to a large group of clients. After an initial setup phase, clients should be able to read arbitrary locations in the database while maintaining privacy (the server does not learn which locations are being read) and anonymity (the server does not learn which client is performing each read). This should hold even if the server colludes with a subset of the clients. Moreover, the run-time of both the server and the client during each read operation should be low, ideally only poly-logarithmic in the size of the database and the number of clients. We call this notion Private Anonymous Data Access (PANDA). PANDA simultaneously combines aspects of Private Information Retrieval (PIR) and Oblivious RAM (ORAM). PIR has no initial setup, and allows anybody to privately and anonymously access a public database, but the server's run-time is linear in the data size. On the other hand, ORAM achieves poly-logarithmic server run-time, but requires an initial setup after which only a single client with a secret key can access the database. The goal of PANDA is to get the best of both worlds: allow many clients to privately and anonymously access the database as in PIR, while having an efficient server as in ORAM. In this work, we construct bounded-collusion PANDA schemes, where the efficiency scales linearly with a bound on the number of corrupted clients that can collude with the server, but is otherwise poly-logarithmic in the data size and the total number of clients. Our solution relies on standard assumptions, namely the existence of fully homomorphic encryption, and combines techniques from both PIR and ORAM. We also extend PANDA to settings where clients can write to the database.

    DORAM revisited: Maliciously secure RAM-MPC with logarithmic overhead

    Distributed Oblivious Random Access Memory (DORAM) is a secure multiparty protocol that allows a group of participants holding a secret-shared array to read and write to secret-shared locations within the array. The efficiency of a DORAM protocol is measured by the amount of communication and computation required per read/write query into the array. DORAM protocols are a necessary ingredient for executing Secure Multiparty Computation (MPC) in the RAM model. Although DORAM has been widely studied, all existing DORAM protocols have focused on the setting where the DORAM servers are semi-honest. Generic techniques for upgrading a semi-honest DORAM protocol to the malicious model typically increase the asymptotic communication complexity of the DORAM scheme. In this work, we present a 3-party DORAM protocol which requires $O((\kappa + D)\log N)$ communication and computation per query, for a database of size $N$ with $D$-bit values, where $\kappa$ is the security parameter. Our hidden constants in the big-O notation are small. We show that our protocol is UC-secure in the presence of a malicious, static adversary. This matches the communication and computation complexity of the best semi-honest DORAM protocol, and is the first malicious DORAM protocol with this complexity.

    Adaptively Secure Garbled Circuits from One-Way Functions

    A garbling scheme is used to garble a circuit $C$ and an input $x$ in a way that reveals the output $C(x)$ but hides everything else. In many settings, the circuit can be garbled off-line without strict efficiency constraints, but the input must be garbled very efficiently on-line, with much lower complexity than evaluating the circuit. Yao's scheme has essentially optimal on-line complexity, but only achieves selective security, where the adversary must choose the input $x$ prior to seeing the garbled circuit. It has remained an open problem to achieve adaptive security, where the adversary can choose $x$ after seeing the garbled circuit, while preserving on-line efficiency. In this work, we modify Yao's scheme in a way that allows us to prove adaptive security under one-way functions. As our main instantiation, we get a scheme where the on-line complexity is only proportional to the width $w$ of the circuit, which corresponds to the space complexity of the computation, but is independent of the circuit's depth $d$. Alternately, we can also get an instantiation where the on-line complexity is only proportional to the input/output size and the depth $d$ of the circuit but independent of its width $w$, albeit in this case we incur a $2^{O(d)}$ security loss in our reduction. More broadly, we relate the on-line complexity of adaptively secure garbling schemes in our framework to a certain type of pebble complexity of the circuit. As our main tool, of independent interest, we develop a new notion of somewhere equivocal encryption, which allows us to efficiently equivocate on a small subset of the message bits.

    Correlation between kinetic and kinematic measures, clinical tests and subjective self-evaluation questionnaires of the affected upper limb in people after stroke

    Introduction. Assessment of stroke recovery should include multiple sources of information in order to obtain a complete understanding of the individual's rehabilitation progress. Self-evaluation questionnaires' scores do not always correspond to the scores of commonly used clinical evaluation tools. The purpose of this study was to assess the relationship between self-evaluation questionnaires, clinical tests, and kinematic and kinetic analyses of the affected upper limb after stroke, and to determine the correlation between these measures and self-reported general function 2–4 years after the stroke.

    Methods. Twenty-six subjects recovering from stroke were included in the study. Spearman's correlation coefficient was used to measure the correlation between Stroke Impact Scale (SIS), Motor Activity Log (MAL), Fugl-Meyer Assessment (FMA) and Action Reach Arm Test (ARAT) scores, and kinematic and kinetic analyses. A logistic regression was used to assess the extent to which these measures may predict the participants' functional self-reported status 2–4 years post stroke.

    Results. Sections regarding hand function, hand force and general ADL of the self-evaluation questionnaires correlated with kinematic variables. However, only questionnaires that focus on hand function correlated with clinical tests. Mean and maximal hand velocity had the strongest correlations with self-evaluation questionnaires and with the clinical tests, more than other kinematic variables. Self-evaluation questionnaires and clinical tests were found to be correlated with the hand kinetic metrics force-to-time ratio and number of force peaks. SIS hand force domain, mean velocity and maximal velocity predicted self-reported general function 2–4 years after the stroke.

    Conclusion. Self-evaluation questionnaires should be considered for wider use in the clinical evaluation of a patient's stroke recovery, since they add important information on the individual's functional status, which is not reflected in the clinical tests.