What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.


1 What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University

2 Systemic Risk from Local Information

8 M.C.Escher, Belvedere

9 Who Puts Together the Big Picture?

10 The government?

11 Who Puts Together the Big Picture? The government?

12 Who Puts Together the Big Picture? An independent trustworthy party?

13 Who Puts Together the Big Picture? An independent trustworthy party?

14 Who Puts Together the Big Picture? The data owners (financial institutions) themselves?

15 Who Puts Together the Big Picture? The data owners (financial institutions) themselves?

16 Who Puts Together the Big Picture? Cryptography tells us: For any efficiently computable function $F$, there is an “efficient” interactive algorithm that $n$ data owners, $P_1(x_1), \ldots, P_n(x_n)$, can run together such that: 1. They learn $F(x_1, x_2, \ldots, x_n)$. 2. Other than that, $P_i$ learns nothing about $x_j$, $j \neq i$. [Yao, GMW, BGW, …]

17 Example: Set Intersection. Alice’s set: {12, 18, 5, 6, 31}. Bob’s set: {42, 5, 24, 12, 3}. Intersection: {5, 12}.

18 How to compute the intersection w/o learning the rest of each other’s sets? [FMP04,…,BCCKLS09,…,KMRS14]

19 Step 1: Alice’s set becomes a polynomial. Alice’s set: {12, 18, 5, 6, 31}. $p(x) = (x-12)(x-18)(x-5)(x-6)(x-31) \bmod q = x^5 + c_4 x^4 + c_3 x^3 + c_2 x^2 + c_1 x + c_0$. Coefficients: $c_4, c_3, c_2, c_1, c_0$.

20 Step 1: Alice’s set becomes a polynomial. Alice’s polynomial $p(x)$: $c_4, c_3, c_2, c_1, c_0$.

21 Step 2: Alice encrypts her polynomial. Alice’s polynomial $p(x)$: $c_4, c_3, c_2, c_1, c_0$.

22 Step 2: Alice encrypts her polynomial. Alice’s encrypted polynomial $p(x)$: $E(c_4), E(c_3), E(c_2), E(c_1), E(c_0)$.

23 Step 2: Alice encrypts her polynomial… Alice’s encrypted polynomial $p(x)$: $E(c_4), E(c_3), E(c_2), E(c_1), E(c_0)$ …using an “additive” encryption scheme: $E(x) \cdot E(y) = E(x+y)$ [Paillier’99]

24 Step 2: Alice encrypts her polynomial… Alice’s encrypted polynomial $p(x)$: $E(c_4), E(c_3), E(c_2), E(c_1), E(c_0)$ …using an “additive” encryption scheme …for which she holds the decryption key

25 Step 3: Alice sends the encrypted polynomial to Bob. Alice’s encrypted polynomial $p(x)$: $E(c_4), E(c_3), E(c_2), E(c_1), E(c_0)$.

26 Step 4: Bob evaluates the encrypted polynomial on his set. Alice’s encrypted polynomial $p(x)$: $E(c_4), E(c_3), E(c_2), E(c_1), E(c_0)$. Bob’s set: {42, 5, 24, 12, 3}. $p(42) = 42^5 + c_4 42^4 + c_3 42^3 + c_2 42^2 + c_1 42 + c_0 \bmod q$. $E(p(42)) = E(42^5) \cdot E(c_4)^{42^4} \cdot E(c_3)^{42^3} \cdot E(c_2)^{42^2} \cdot E(c_1)^{42} \cdot E(c_0)$.

27 Step 4: Bob evaluates the encrypted polynomial on his set. Alice’s encrypted polynomial $p(x)$: $E(c_4), E(c_3), E(c_2), E(c_1), E(c_0)$. Bob’s set: {42, 5, 24, 12, 3}. $p(x)$ evaluated on Bob’s set: $E(p(42)), E(p(5)), E(p(24)), E(p(12)), E(p(3))$.

28 Step 4: Bob evaluates the encrypted polynomial on his set. Alice’s encrypted polynomial $p(x)$: $E(c_4), E(c_3), E(c_2), E(c_1), E(c_0)$. $p(x)$ evaluated on Bob’s set: $E(p(42)), E(0), E(p(24)), E(0), E(p(3))$. Note: $p(y) = 0$ iff $y$ is in Alice’s set.

29 Step 5: Bob randomizes the result: $E(p(42))^{R_1}, E(0)^{R_2}, E(p(24))^{R_3}, E(0)^{R_4}, E(p(3))^{R_5}$

30 Step 5: Bob randomizes the result: $E(u_1), E(0), E(u_3), E(0), E(u_5)$

31 Step 6: Bob sends the result to Alice: $E(u_1), E(0), E(u_3), E(0), E(u_5)$

32 Step 7: Alice decrypts it... $E(u_1), E(0), E(u_3), E(0), E(u_5)$ → $u_1, 0, u_3, 0, u_5$

33 Step 7: Alice decrypts it... and sends the locations of 0’s to Bob: $u_1, 0, u_3, 0, u_5$

34 Step 7: Alice decrypts it... and sends the locations of 0’s to Bob: ?, 0, ?, 0, ?

35 Step 8: Bob derives the intersection: ?, 0, ?, 0, ? against Bob’s set {42, 5, 24, 12, 3}

36 Step 8: Bob derives the intersection and sends it to Alice: {5, 12}
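
Steps 1 through 8 as a runnable sketch, added here and not part of the original slides: a toy Paillier scheme plus the polynomial evaluation and randomization. Assumptions: the two Mersenne-prime factors are far too small for real use, the slides' modulus q is taken to be the Paillier modulus N, Alice also encrypts the leading coefficient 1, and all function names are hypothetical.

```python
# Added example: toy Paillier + polynomial set intersection (Steps 1-8 of the slides).
# Toy parameters and hypothetical helper names; NOT secure key sizes.
import math, secrets

P, Q = 2**31 - 1, 2**61 - 1       # constructed toy primes (Mersenne primes)
N, N2 = P * Q, (P * Q) ** 2       # public key N; plays the role of q in the slides
PHI = (P - 1) * (Q - 1)           # Alice's private key
MU = pow(PHI, -1, N)              # valid because the generator is g = N + 1

def rand_unit():
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r

def enc(m):                       # E(m) = (1 + N)^m * r^N mod N^2
    return (1 + (m % N) * N) * pow(rand_unit(), N, N2) % N2

def dec(c):                       # only the holder of PHI can do this
    return (pow(c, PHI, N2) - 1) // N * MU % N

def alice_encrypt_poly(alice_set):            # Steps 1-3
    coeffs = [1]                  # low-to-high coefficients of prod (x - a) mod N
    for a in alice_set:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - a * c) % N
            nxt[i + 1] = (nxt[i + 1] + c) % N
        coeffs = nxt
    return [enc(c) for c in coeffs]

def bob_evaluate(enc_coeffs, bob_list):       # Steps 4-6
    out = []
    for y in bob_list:
        acc = enc(0)
        for i, ec in enumerate(enc_coeffs):
            acc = acc * pow(ec, pow(y, i, N), N2) % N2  # E(c_i)^(y^i) = E(c_i * y^i)
        out.append(pow(acc, rand_unit(), N2))           # E(p(y))^R = E(R * p(y))
    return out

def alice_zero_positions(ciphertexts):        # Step 7
    return [i for i, c in enumerate(ciphertexts) if dec(c) == 0]

def intersect(alice_set, bob_list):           # Step 8, both roles run locally
    zeros = alice_zero_positions(bob_evaluate(alice_encrypt_poly(alice_set), bob_list))
    return sorted(bob_list[i] for i in zeros)
```

Because each R is a unit modulo N, a nonzero p(y) decrypts to a nonzero random-looking value, so Alice sees only which positions are zero.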

37 A More General Solution for Two Parties: Yao’s Encrypted Circuit. Diagram labels: Alice’s logical circuit C; Bob’s input x: 0 1 1; encrypted circuit; oblivious transfer of keys.

38 A More General Solution for N Parties: Secure Multi-Party Computation. Split the computation into logical steps (ANDs, ORs, NOTs) or algebraic steps (ADD, MULT). Securely evaluate step by step. [GMW, BGW, …]

39 Conclusion: Tell me how you could detect systemic risk given complete information… …and I will tell you how to do it via a privacy-preserving protocol!

