Abhi Shelat scite author profile

Abstract. Secure two-party computation enables applications in which participants compute the output of a function that depends on their private inputs, without revealing those inputs or relying on any trusted third party. In this paper, we show the potential of building privacy-preserving applications using garbled circuits, a generic technique that until recently was believed to be too inefficient to scale to realistic problems. We present a Java-based framework that uses pipelining and circuit-level optimizations to build efficient and scalable privacypreserving applications. Although the standard garbled circuit protocol assumes a very week, honest-but-curious adversary, techniques are available for converting such protocols to resist stronger adversaries, including fully malicious adversaries. We summarize approaches to producing malicious-resistant secure computations that reduce the costs of transforming a protocol to be secure against stronger adversaries. In addition, we summarize results on ensuring fairness, the property that either both parties receive the result or neither party does. Several open problems remain, but as theory and pragmatism advance, secure computation is approaching the point where it offers practical solutions for a wide variety of important problems.

show abstract

Analysis of the Blockchain Protocol in Asynchronous Networks

Pass

2017

View full text Add to dashboard Cite

The Smallest Grammar Problem

Charikar

Lehman

Liu

et al. 2005

IEEE Trans. Inform. Theory

334

464

View full text Add to dashboard Cite

One‐to‐many propensity score matching in cohort studies

Rassen

Shelat

Myers

et al. 2012

Pharmacoepidemiology and Drug

386

283

View full text Add to dashboard Cite

Background Among the large number of cohort studies that employ propensity score matching, most match patients 1:1. Increasing the matching ratio is thought to improve precision but may come with a trade-off with respect to bias. Objective To evaluate several methods of propensity score matching in cohort studies through simulation and empirical analyses. Methods We simulated cohorts of 20 000 patients with exposure prevalence of 10%-50%. We simulated five dichotomous and five continuous confounders. We estimated propensity scores and matched using digit-based greedy ("greedy"), pairwise nearest neighbor within a caliper ("nearest neighbor"), and a nearest neighbor approach that sought to balance the scores of the comparison patient above and below that of the treated patient ("balanced nearest neighbor"). We matched at both fixed and variable matching ratios and also evaluated sequential and parallel schemes for the order of formation of 1:n match groups. We then applied this same approach to two cohorts of patients drawn from administrative claims data. Results Increasing the match ratio beyond 1:1 generally resulted in somewhat higher bias. It also resulted in lower variance with variable ratio matching but higher variance with fixed. The parallel approach generally resulted in higher mean squared error but lower bias than the sequential approach. Variable ratio, parallel, balanced nearest neighbor matching generally yielded the lowest bias and mean squared error. Conclusions 1:n matching can be used to increase precision in cohort studies. We recommend a variable ratio, parallel, balanced 1:n, nearest neighbor approach that increases precision over 1:1 matching at a small cost in bias.

show abstract

Efficient Protocols for Set Membership and Range Proofs

Camenisch

Chaabouni

Shelat³

2008

215

267

View full text Add to dashboard Cite

Abstract. We consider the following problem: Given a commitment to a value σ, prove in zero-knowledge that σ belongs to some discrete set Φ. The set Φ can perhaps be a list of cities or clubs; often Φ can be a numerical range such as [1, 2 20 ]. This problem arises in e-cash systems, anonymous credential systems, and various other practical uses of zeroknowledge protocols.When using commitment schemes relying on RSA-like assumptions, there are solutions to this problem which require only a constant number of RSA-group elements to be exchanged between the prover and verifier [5,15,16]. However, for many commitment schemes based on bilinear group assumptions, these techniques do not work, and the best known protocols require O(k) group elements to be exchanged where k is a security parameter.In this paper, we present two new approaches to building set-membership proofs. The first is based on bilinear group assumptions. When applied to the case where Φ is a range of integers, our protocols require O( k log k−log log k ) group elements to be exchanged. Not only is this result asymptotically better, but the constants are small enough to provide significant improvements even for small ranges. Indeed, for a discrete logarithm based setting, our new protocol is an order of magnitude more efficient than previously known ones.We also discuss alternative implementations of our membership proof based on the strong RSA assumption. Depending on the application, e.g., when Φ is a published set of values such a frequent flyer clubs, cities, or other ad hoc collections, these alternative also outperform prior solutions.

show abstract

Simulatable Adaptive Oblivious Transfer

2007

View full text Add to dashboard Cite

Abstract. We study an adaptive variant of oblivious transfer in which a sender has N messages, of which a receiver can adaptively choose to receive k one-after-the-other, in such a way that (a) the sender learns nothing about the receiver's selections, and (b) the receiver only learns about the k requested messages. We propose two practical protocols for this primitive that achieve a stronger security notion than previous schemes with comparable efficiency. In particular, by requiring full simulatability for both sender and receiver security, our notion prohibits a subtle selective-failure attack not addressed by the security notions achieved by previous practical schemes. Our first protocol is a very efficient generic construction from unique blind signatures in the random oracle model. The second construction does not assume random oracles, but achieves remarkable efficiency with only a constant number of group elements sent during each transfer. This second construction uses novel techniques for building efficient simulatable protocols.

show abstract

Two-Output Secure Computation with Malicious Adversaries

Shelat

Shen

2011

130

View full text Add to dashboard Cite

We present a method to compile Yao's two-player garbled circuit protocol into one that is secure against malicious adversaries that relies on witness indistinguishability. Our approach can enjoy lower communication and computation overhead than methods based on cut-andchoose [13] and lower overhead than methods based on zero-knowledge proofs [8] (or Σ-protocols [14]). To do so, we develop and analyze new solutions to issues arising with this transformation:-How to guarantee the generator's input consistency-How to support different outputs for each player without adding extra gates to the circuit of the function f being computed-How the evaluator can retrieve input keys but avoid selective failure attacks-Challenging 3/5 of the circuits is near optimal for cut-and-choose (and better than challenging 1/2) Our protocols require the existence of secure-OT and claw-free functions that have a weak malleability property. We discuss an experimental implementation of our protocol to validate our efficiency claims.

show abstract

Securely Obfuscating Re-Encryption

et al. 2010

View full text Add to dashboard Cite

We present a positive obfuscation result for a traditional cryptographic functionality. This positive result stands in contrast to well-known impossibility results (Barak et al. in Advances in Cryptology-CRYPTO'01, 2002), for general obfuscation and recent impossibility and implausibility (Goldwasser and Kalai in 46th IEEE Symposium on Foundations of Computer Science (FOCS), pp. [553][554][555][556][557][558][559][560][561][562] 2005) results for obfuscation of many cryptographic functionalities.Whereas other positive obfuscation results in the standard model apply to very simple point functions (Canetti in Advances in Cryptology-CRYPTO'97, 1997; Wee in 37th ACM Symposium on Theory of Computing (STOC), pp. [523][524][525][526][527][528][529][530][531][532] 2005), our obfuscation result applies to the significantly more complex and widely-used re- * This paper was solicited by the Editors-in-Chief as one of the best papers from TCC 2007, based on the recommendation of the program committee.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Abhi Shelat

Efficient Secure Computation with Garbled Circuits

Analysis of the Blockchain Protocol in Asynchronous Networks

The Smallest Grammar Problem

One‐to‐many propensity score matching in cohort studies

Efficient Protocols for Set Membership and Range Proofs

Simulatable Adaptive Oblivious Transfer

Two-Output Secure Computation with Malicious Adversaries

Securely Obfuscating Re-Encryption

Contact Info

Product

Resources

About