56 research outputs found

    Human amnion epithelial stem cells as a therapy for liver disease

    Placenta-derived stem cells have been proposed as potential new treatments for acute and congenital liver diseases. Of all the different perinatal tissues, amnion membrane and isolated amnion epithelial cells have been shown to be an outstanding readily available source of multipotent stem cells. Human amnion epithelial cells (hAEC) have unique properties, including low immunogenicity and immunomodulatory properties, which may allow the first allogenic stem cell therapy without immunosuppression. Animal studies have shown that hAEC differentiate into hepatocyte-like cells and support missing liver functions commonly responsible for inborn errors of metabolism. In the present thesis, we describe early preclinical steps which will likely be necessary to translate hAEC therapy into clinical practice. These steps include detailed and optimized methods for primary hAEC isolation and preservation, methods to validate the final cell product and investigations of the route of infusion for efficient engraftment in the target organ (liver). The efficacy of hAEC transplants was assessed in preclinical models of liver disease. In Project 1, we have detailed the hAEC isolation procedure with GMP reagents, providing a homogenous amnion epithelial cell suspension. The preclinical validation of hAEC-based therapy was continued in Project 2, where 14 different batches of primary hAEC were characterized by immunocytological and biomolecular techniques. The presented findings indicate this technology results in an enriched suspension of epithelial cells with a minimal contamination with mesenchymal, endothelial or hematopoietic cells. In Project 5, we validated the route of infusion of hAEC to reach high level of engraftment in liver. We investigated the bio-distribution of injected DiR-labelled hAEC administered via tail-vein or intra-splenic, and monitored their localization using in vivo live imaging (IVIS) techniques. 
Twenty-four hours post-splenic infusion, the majority of hAEC was safely delivered and detected in the liver parenchyma. On the contrary, tail-vein infusion resulted in a wide distribution pattern to multiple organs. In Project 3, we have investigated the in vivo engraftment, long-term survival and hepatic maturation of hAEC. We have injected hAEC into a metabolic liver disease model of Phenylketonuria (PKU). This immune-competent PAH-deficient mouse develops a pathological level of phenylalanine (PHE) in the blood, which is commonly observed in PKU patients. We assessed hAEC engrafted into murine liver parenchyma out to 100 days. Such long-term survival resulted in significant correction of PHE levels in blood and a statistically complete correction of PHE levels in the brain. The described xeno-transplantation was carried out without any immunosuppressant regimen, and no signs of rejection were noticed. The problem of generating clinically relevant results by extrapolation of data from mouse models was also addressed: in Project 4, we successfully generated a liver-humanized mouse model that faithfully reproduces the metabolic liver disease observed in patients. We injected hepatocytes isolated from a CPS1 deficient patient into immune-compromised mice (FRGN), where primary human hepatocytes have been previously reported to engraft and fully repopulate the mouse liver. The resultant chimeric CPS1-Deficient (CPS1-D) model exhibited high blood ammonia levels, elevated disease-correlated amino acids (glutamine and glutamate) and low CPS1 enzymatic activity. In conclusion, during the past 4-year study we have successfully analyzed preclinical data and validated the hypothesis that human amnion epithelial cells are useful for the cellular therapy of liver disease, supporting their potential to become a therapeutic tool to treat and support metabolic liver disease patients.

    Just How Fair is an Unreactive World?

    Fitzi, Garay, Maurer, and Ostrovsky (J. Cryptology 2005) showed that in the presence of a dishonest majority, no primitive of cardinality $n - 1$ is complete for realizing an arbitrary $n$-party functionality with guaranteed output delivery. In this work, we show that in the presence of $n - 1$ corrupt parties, no unreactive primitive of cardinality $n - 1$ is complete for realizing an arbitrary $n$-party functionality with fairness. We show more generally that for $t > \frac{n}{2}$, in the presence of $t$ malicious parties, no unreactive primitive of cardinality $t$ is complete for realizing an arbitrary $n$-party functionality with fairness. We complement this result by noting that $(t+1)$-wise fair exchange is complete for realizing an arbitrary $n$-party functionality with fairness. In order to prove our results, we utilize the primitive of fair coin tossing and the notion of predictability. While this notion has been considered in some form in past works, we come up with a novel and non-trivial framework to employ it, one that readily generalizes from the setting of two parties to multiple parties, and also to the setting of unreactive functionalities.

    Blazing Fast PSI from Improved OKVS and Subfield VOLE

    We present new semi-honest and malicious secure PSI protocols that outperform all prior works by several times in both communication and running time. For example, our semi-honest protocol for $n = 2^{20}$ can be performed in 0.37 seconds compared to the previous best of 2 seconds (Kolesnikov et al., CCS 2016). This can be further reduced to 0.16 seconds with 4 threads, a speedup of $12\times$. Similarly, our protocol sends $187n$ bits compared to $426n$ bits of the next most communication efficient protocol (Rindal et al., Eurocrypt 2021). Additionally, we apply our new techniques to the circuit PSI protocol of Rindal et al. and observe a $6\times$ improvement in running time. These performance results are obtained by two types of improvements. The first is an optimization to the protocol of Rindal et al. to utilize sub-field vector oblivious linear evaluation. This optimization allows our construction to be the first to achieve a communication complexity of $\mathcal{O}(n\lambda + n\log n)$ where $\lambda$ is the statistical security parameter. In particular, the communication overhead of our protocol does not scale with the computational security parameter times $n$. Our second improvement is to the OKVS data structure which our protocol crucially relies on. In particular, our construction improves both the computation and communication efficiency as compared to prior work (Garimella et al., Crypto 2021). These improvements stem from algorithmic changes to the data structure along with new techniques for obtaining both asymptotic and tight concrete bounds on its failure probability. This in turn allows for a highly optimized parameter selection and thereby better performance.

    Privacy-Enhancing Technologies for Financial Data Sharing

    Today, financial institutions (FIs) store and share consumers' financial data for various reasons such as offering loans, processing payments, and protecting against fraud and financial crime. Such sharing of sensitive data has been subject to data breaches in the past decade. While some regulations (e.g., GDPR, FCRA, and CCPA) help to prevent institutions from freely sharing clients' sensitive information, some regulations (e.g., BSA 1970) require FIs to share certain financial data with government agencies to combat financial crime. This creates an inherent tension between the privacy and the integrity of financial transactions. In the past decade, significant progress has been made in building efficient privacy-enhancing technologies that allow computer systems and networks to validate encrypted data automatically. In this paper, we investigate some of these technologies to identify the benefits and limitations of each, in particular, for use in data sharing among FIs. As a case study, we look into the emerging area of Central Bank Digital Currencies (CBDCs) and how privacy-enhancing technologies can be integrated into the CBDC architecture. Our study, however, is not limited to CBDCs and can be applied to other financial scenarios with tokenized bank deposits such as cross-border payments, real-time settlements, and card payments.

    Oblivious Accumulators

    A cryptographic accumulator is a succinct set commitment scheme with efficient (non-)membership proofs that typically supports updates (additions and deletions) on the accumulated set. When elements are added to or deleted from the set, an update message is issued. The collection of all the update messages essentially leaks the underlying accumulated set which in certain applications is not desirable. In this work, we define oblivious accumulators, a set commitment with concise membership proofs that hides the elements and the set size from every entity: an outsider, a verifier or other element holders. We formalize this notion of privacy via two properties: element hiding and add-delete indistinguishability. We also define almost-oblivious accumulators, that only achieve a weaker notion of privacy called add-delete unlinkability. Such accumulators hide the elements but not the set size. We consider the trapdoorless, decentralized setting where different users can add and delete elements from the accumulator and compute membership proofs. We then give a generic construction of an oblivious accumulator based on key-value commitments (KVC). We also show a generic way to construct KVCs from an accumulator and a vector commitment scheme. Finally, we give lower bounds on the communication (size of update messages) required for oblivious accumulators and almost-oblivious accumulators

    Silver: Silent VOLE and Oblivious Transfer from Hardness of Decoding Structured LDPC Codes

    We put forth new protocols for oblivious transfer extension and vector OLE, called Silver, for SILent Vole and oblivious transfER. Silver offers extremely high performances: generating 10 million random OTs on one core of a standard laptop requires only 300ms of computation and 122KB of communication. This represents 37% less computation and ~1300x less communication than the standard IKNP protocol, as well as ~4x less computation and ~4x less communication than the recent protocol of Yang et al. (CCS 2020). Silver is silent: after a one-time cheap interaction, two parties can store small seeds, from which they can later locally generate a large number of OTs while remaining offline. Neither IKNP nor Yang et al. enjoys this feature; compared to the best known silent OT extension protocol of Boyle et al. (CCS 2019), upon which we build up, Silver has 19x less computation, and the same communication. Due to its attractive efficiency features, Silver yields major efficiency improvements in numerous MPC protocols. Our approach is a radical departure from the standard paradigm for building MPC protocols, in that we do not attempt to base our constructions on a well-studied assumption. Rather, we follow an approach closer in spirit to the standard paradigm in the design of symmetric primitives: we identify a set of fundamental structural properties that allow us to withstand all known attacks, and put forth a candidate design, guided by our analysis. We also rely on extensive experimentations to analyze our candidate and experimentally validate their properties. In essence, our approach boils down to constructing new families of linear codes with (plausibly) high minimum distance and extremely low encoding time. 
While further analysis is of course warranted to confidently assess the security of Silver, we hope and believe that initiating this approach to the design of MPC primitives will pave the way to new secure primitives with extremely attractive efficiency features.

    Synchronizable Exchange

    Fitzi, Garay, Maurer, and Ostrovsky (Journal of Cryptology 2005) showed that in the presence of a dishonest majority, no primitive of cardinality $n - 1$ is complete for realizing an arbitrary $n$-party functionality with guaranteed output delivery. In this work, we introduce a new $2$-party primitive $\mathcal{F}_{\mathsf{SyX}}$ ("synchronizable fair exchange") and show that it is complete for realizing any $n$-party functionality with fairness in a setting where all $n$ parties are pairwise connected by independent instances of $\mathcal{F}_{\mathsf{SyX}}$. In the $\mathcal{F}_{\mathsf{SyX}}$-hybrid model, the two parties load $\mathcal{F}_{\mathsf{SyX}}$ with some input, and following this, either party can trigger $\mathcal{F}_{\mathsf{SyX}}$ with a suitable "witness" at a later time to receive the output from $\mathcal{F}_{\mathsf{SyX}}$. Crucially the other party also receives output from $\mathcal{F}_{\mathsf{SyX}}$ when $\mathcal{F}_{\mathsf{SyX}}$ is triggered. The trigger witnesses allow us to synchronize the trigger phases of multiple instances of $\mathcal{F}_{\mathsf{SyX}}$, thereby aiding in the design of fair multiparty protocols. Additionally, a pair of parties may reuse a single a priori loaded instance of $\mathcal{F}_{\mathsf{SyX}}$ in any number of multiparty protocols (possibly involving different sets of parties).

    Reducing Depth in Constrained PRFs: From Bit-Fixing to NC1

    The candidate construction of multilinear maps by Garg, Gentry, and Halevi (Eurocrypt 2013) has led to an explosion of new cryptographic constructions ranging from attribute-based encryption (ABE) for arbitrary polynomial size circuits, to program obfuscation, and to constrained pseudorandom functions (PRFs). Many of these constructions require k-linear maps for large k. In this work, we focus on the reduction of k in certain constructions of access control primitives that are based on k-linear maps; in particular, we consider the case of constrained PRFs and ABE. We construct the following objects: - A constrained PRF for arbitrary circuit predicates based on (n+l_{OR}-1)-linear maps (where n is the input length and l_{OR} denotes the OR-depth of the circuit). - For circuits with a specific structure, we also show how to construct such PRFs based on (n+l_{AND}-1)-linear maps (where l_{AND} denotes the AND-depth of the circuit). We then give a black-box construction of a constrained PRF for NC1 predicates, from any bit-fixing constrained PRF that fixes only one of the input bits to 1; we only require that the bit-fixing PRF have certain key homomorphic properties. This construction is of independent interest as it sheds light on the hardness of constructing constrained PRFs even for "simple" predicates such as bit-fixing predicates. Instantiating this construction with the bit-fixing constrained PRF from Boneh and Waters (Asiacrypt 2013) gives us a constrained PRF for NC1 predicates that is based only on n-linear maps, with no dependence on the predicate. In contrast, the previous constructions of constrained PRFs (Boneh and Waters, Asiacrypt 2013) required (n+l+1)-linear maps for circuit predicates (where l is the total depth of the circuit) and n-linear maps even for bit-fixing predicates. 
We also show how to extend our techniques to obtain a similar improvement in the case of ABE and construct ABE for arbitrary circuits based on (l_{OR}+1)-linear (respectively (l_{AND}+1)-linear) maps.

    Constrained Pseudorandom Functions: Verifiable and Delegatable

    Constrained pseudorandom functions (introduced independently by Boneh and Waters (CCS 2013), Boyle, Goldwasser, and Ivan (PKC 2014), and Kiayias, Papadopoulos, Triandopoulos, and Zacharias (CCS 2013)), are pseudorandom functions (PRFs) that allow the owner of the secret key $k$ to compute a constrained key $k_f$, such that anyone who possesses $k_f$ can compute the output of the PRF on any input $x$ such that $f(x) = 1$ for some predicate $f$. The security requirement of constrained PRFs states that the PRF output must still look indistinguishable from random for any $x$ such that $f(x) = 0$. Boneh and Waters show how to construct constrained PRFs for the class of bit-fixing as well as circuit predicates. They explicitly left open the question of constructing constrained PRFs that are delegatable - i.e., constrained PRFs where the owner of $k_f$ can compute a constrained key $k_{f'}$ for a further restrictive predicate $f'$. Boyle, Goldwasser, and Ivan left open the question of constructing constrained PRFs that are also verifiable. Verifiable random functions (VRFs), introduced by Micali, Rabin, and Vadhan (FOCS 1999), are PRFs that allow the owner of the secret key $k$ to prove, for any input $x$, that $y$ indeed is the output of the PRF on $x$; the security requirement of VRFs states that the PRF output must still look indistinguishable from random, for any $x$ for which a proof is not given. In this work, we solve both the above open questions by constructing constrained pseudorandom functions that are simultaneously verifiable and delegatable.

    Information-theoretic Local Non-malleable Codes and their Applications

    Error correcting codes, though powerful, are only applicable in scenarios where the adversarial channel does not introduce "too many" errors into the codewords. Yet, the question of having guarantees even in the face of many errors is well-motivated. Non-malleable codes, introduced by Dziembowski, Pietrzak and Wichs (ICS 2010), address precisely this question. Such codes guarantee that even if an adversary completely over-writes the codeword, he cannot transform it into a codeword for a related message. Not only is this a creative solution to the problem mentioned above, it is also a very meaningful one. Indeed, non-malleable codes have inspired a rich body of theoretical constructions as well as applications to tamper-resilient cryptography, CCA2 encryption schemes and so on. Another remarkable variant of error correcting codes was introduced by Katz and Trevisan (STOC 2000) when they explored the question of decoding "locally". Locally decodable codes are coding schemes which have an additional "local decode" procedure: in order to decode a bit of the message, this procedure accesses only a few bits of the codeword. These codes too have received tremendous attention from researchers and have applications to various primitives in cryptography such as private information retrieval. More recently, Chandran, Kanukurthi and Ostrovsky (TCC 2014) explored the converse problem of making the "re-encoding" process local. Locally updatable codes have an additional "local update" procedure: in order to update a bit of the message, this procedure accesses/rewrites only a few bits of the codeword. At TCC 2015, Dachman-Soled, Liu, Shi and Zhou initiated the study of locally decodable and updatable non-malleable codes, thereby combining all the important properties mentioned above into one tool. Achieving locality and non-malleability is non-trivial. 
Yet, Dachman-Soled et al. provide a meaningful definition of local non-malleability and provide a construction that satisfies it. Unfortunately, their construction is secure only in the computational setting. In this work, we construct information-theoretic non-malleable codes which are locally updatable and decodable. Our codes are non-malleable against $\mathcal{F}_{\textsf{half}}$, the class of tampering functions where each function is arbitrary but acts (independently) on two separate parts of the codeword. This is one of the strongest adversarial models for which explicit constructions of standard non-malleable codes (without locality) are known. Our codes have $\mathcal{O}(1)$ rate and locality $\mathcal{O}(\lambda)$, where $\lambda$ is the security parameter. We also show a rate $1$ code with locality $\omega(1)$ that is non-malleable against bit-wise tampering functions. Finally, similar to Dachman-Soled et al., our work finds applications to information-theoretic secure RAM computation.