27 research outputs found

    Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONE’s Security

    This paper presents an independent security review of a popular encrypted cloud storage service (ECS), SpiderOakONE. Contrary to previous work analyzing similar programs, we formally define minimal security requirements for confidentiality in ECS which take into account the possibility that the ECS actively turns against its users in an attempt to break the confidentiality of the users' data. Our analysis uncovered several serious issues, which either directly or indirectly damage the confidentiality of a user's files, therefore breaking the claimed Zero- or No-Knowledge property (i.e., the claim that even the ECS itself cannot access the users' data). After responsibly disclosing the issues we found to SpiderOak, most have been fixed

    Secure Evaluation of Quantized Neural Networks

    Image classification using Deep Neural Networks that preserves the privacy of both the input image and the model being used has received considerable attention in the last couple of years. Recent work in this area has shown that it is possible to perform image classification with realistically sized networks using e.g., Garbled Circuits as in XONN (USENIX '19) or MPC (CrypTFlow, Eprint '19). These, and other prior work, require models to be either trained in a specific way or postprocessed in order to be evaluated securely. We contribute to this line of research by showing that this postprocessing can be handled by standard Machine Learning frameworks. More precisely, we show that quantization as present in Tensorflow suffices to obtain models that can be evaluated directly and as-is in standard off-the-shelf MPC. We implement secure inference of these quantized models in MP-SPDZ, and the generality of our technique means we can demonstrate benchmarks for a wide variety of threat models, something that has not been done before. In particular, we provide a comprehensive comparison between running secure inference of large ImageNet models with active and passive security, as well as honest and dishonest majority. The most efficient inference can be performed using a passive honest-majority protocol which takes between 0.9 and 25.8 seconds, depending on the size of the model; for active security and an honest majority, inference is possible between 9.5 and 147.8 seconds. Comment: 18 page

    Fast Fully Secure Multi-Party Computation over Any Ring with Two-Thirds Honest Majority

    We introduce a new MPC protocol to securely compute any functionality over an arbitrary black-box finite ring (which may not be commutative), tolerating $t < n/3$ active corruptions while guaranteeing output delivery (G.O.D.). Our protocol is based on replicated secret-sharing, whose share size is known to grow exponentially with the number of parties $n$. However, even though the internal storage and computation in our protocol remain exponential, the communication complexity of our protocol is constant, except for a light constant-round check that is performed at the end before revealing the output. Furthermore, the amortized communication complexity of our protocol is not only constant, but very small: only $1 + \frac{t-1}{n} < 1\frac{1}{3}$ ring elements per party, per multiplication gate over two rounds of interaction. This improves over the state-of-the-art protocol in the same setting by Furukawa and Lindell (CCS 2019), which has a communication complexity of $2\frac{2}{3}$ field elements per party, per multiplication gate, while achieving fairness only. As an alternative, we also describe a variant of our protocol which has only one round of interaction per multiplication gate on average, and an amortized communication cost of $\le 1\frac{1}{2}$ ring elements per party on average for any natural circuit. Motivated by the fact that the efficiency of distributed protocols is penalized much more by high communication complexity than by local computation/storage, we perform a detailed analysis together with experiments in order to explore how large the number of parties can be before the storage and computation overhead becomes prohibitive. Our results show that our techniques are viable even for a moderate number of parties (e.g., $n > 10$)

    Circuit Amortization Friendly Encodings and their Application to Statistically Secure Multiparty Computation

    At CRYPTO 2018, Cascudo et al. introduced Reverse Multiplication Friendly Embeddings (RMFEs). These are a mechanism to compute $\delta$ parallel evaluations of the same arithmetic circuit over a field $\mathbb{F}_q$ at the cost of a single evaluation of that circuit in $\mathbb{F}_{q^d}$, where $\delta < d$. Due to this inequality, RMFEs are a useful tool when protocols are required to work over $\mathbb{F}_{q^d}$ but one is only interested in computing over $\mathbb{F}_q$. In this work we introduce Circuit Amortization Friendly Encodings (CAFEs), which generalize RMFEs while having concrete efficiency in mind. For a Galois Ring $R = GR(2^{k}, d)$, CAFEs allow one to compute certain circuits over $\mathbb{Z}_{2^k}$ at the cost of a single secure multiplication in $R$. We present three CAFE instantiations, which we apply to the protocol for MPC over $\mathbb{Z}_{2^k}$ via Galois Rings by Abspoel et al. (TCC 2019). Our protocols allow for efficient switching between the different CAFEs, as well as between computation over $GR(2^{k}, d)$ and $\mathbb{F}_{2^{d}}$ in a way that preserves the CAFE in both rings. This adaptability leads to efficiency gains for e.g. Machine Learning applications, which can be represented as highly parallel circuits over $\mathbb{Z}_{2^k}$ followed by bit-wise operations. From an implementation of our techniques, we estimate that an SVM can be evaluated on 250 images in parallel up to $\times 7$ more efficiently using our techniques, compared to the protocol from Abspoel et al. (TCC 2019)

    Improved Threshold Signatures, Proactive Secret Sharing, and Input Certification from LSS Isomorphisms

    In this paper we present a series of applications stemming from a formal treatment of linear secret-sharing isomorphisms, which are linear transformations between different secret-sharing schemes defined over vector spaces over a field $\mathbb{F}$ and allow for efficient multiparty conversion from one secret-sharing scheme to the other. This concept generalizes the folklore idea that moving from a secret-sharing scheme over $\mathbb{F}_{p}$ to a secret sharing "in the exponent" can be done non-interactively by multiplying the share onto a generator of e.g., an elliptic curve group. We generalize this idea and show that it can also be used to compute arbitrary bilinear maps and in particular pairings over elliptic curves. We include the following practical applications originating from our framework: First, we show how to securely realize the Pointcheval-Sanders signature scheme (CT-RSA 2016) in MPC. Second, we present a construction for dynamic proactive secret-sharing which outperforms the current state of the art from CCS 2019. Third, we present a construction for MPC input certification using digital signatures that we show experimentally to outperform the previous best solution in this area

    Ranking Functions for Vector Addition Systems

    Vector addition systems are an important model in theoretical computer science and have been used for the analysis of systems in a variety of areas. Termination is a crucial property of vector addition systems and has received considerable interest in the literature. In this paper we give a complete method for the construction of ranking functions for vector addition systems with states. The interest in ranking functions is motivated by the fact that ranking functions provide valuable additional information in case of termination: they provide an explanation for the progress of the vector addition system, which can be reported to the user of a verification tool, and can be used as certificates for termination. Moreover, we show how ranking functions can be used for the computational complexity analysis of vector addition systems (here complexity refers to the number of steps the vector addition system under analysis can take in terms of the given initial vector)

    Low physical activity level and short sleep duration are associated with an increased cardio-metabolic risk profile: a longitudinal study in 8-11 year old Danish children

    BACKGROUND: As cardio-metabolic risk tracks from childhood to adulthood, a better understanding of the relationship between movement behaviors (physical activity, sedentary behavior and sleep) and cardio-metabolic risk in childhood may aid in preventing metabolic syndrome (MetS) in adulthood. OBJECTIVE: To examine independent and combined cross-sectional and longitudinal associations between movement behaviors and the MetS score in 8-11 year old Danish children. DESIGN: Physical activity, sedentary time and sleep duration (seven days and eight nights) were assessed by accelerometer, and fat mass index (fat mass/height²) was assessed using Dual-energy X-ray absorptiometry. The MetS score was based on z-scores of waist circumference, mean arterial blood pressure, homeostatic model assessment of insulin resistance, triglycerides and high density lipoprotein cholesterol. All measurements were taken at three time points separated by 100 days. The average of the three measurements was used as habitual behavior in the cross-sectional analysis, and changes from the first to the third measurement were used in the longitudinal analysis. RESULTS: 723 children were included. In the cross-sectional analysis, physical activity was negatively associated with the MetS score (P0.17). Children in the most favorable tertiles of changes in moderate-to-vigorous physical activity, sleep duration and sedentary time during the 200-day follow-up period had an improved MetS score relative to children in the opposite tertiles (P = 0.005). CONCLUSION: The present findings indicate that physical activity, sedentary time and sleep duration should all be targeted to improve cardio-metabolic risk markers in childhood; this is possibly mediated by adiposity

    An efficient passive-to-active compiler for honest-majority MPC over rings

    Multiparty computation (MPC) over rings such as $\mathbb{Z}_{2^{32}}$ or $\mathbb{Z}_{2^{64}}$ has received a great deal of attention recently due to its ease of implementation and attractive performance. Several actively secure protocols over these rings have been implemented, for both the dishonest majority setting and the setting of three parties with one corruption. However, in the honest majority setting, no concretely efficient protocol for arithmetic computation over rings has yet been proposed that allows for an arbitrary number of parties. We present a novel compiler for MPC over the ring $\mathbb{Z}_{2^k}$ in the honest majority setting that turns a semi-honest protocol into an actively secure protocol with very little overhead. The communication cost per multiplication is only twice that of the semi-honest protocol, making the resulting actively secure protocol almost as fast. To demonstrate the efficiency of our compiler, we implement both an optimized 3-party variant (based on replicated secret-sharing), as well as a protocol for n parties (based on a recent protocol from TCC 2019). For the 3-party variant, we obtain a protocol which outperforms the previous state of the art that we can experimentally compare against. Our n-party variant is the first implementation for this particular setting, and we show that it performs comparably to the current state of the art over fields