## Homepage of Thomas Schneider

Publications‎ > ‎

### Bibtex

 @mastersthesis{Schneider07Thesis, author = {Thomas Schneider}, month = {July 10,}, note = {\url{http://thomaschneider.de/theses/sa/}}, school = {University Erlangen-N{\"u}rnberg, Germany}, title = {Secure Task Migration and Interprocess Communication in Reconfigurable, Distributed, Embedded Systems}, type = {{B}achelor's thesis}, url = {http://thomaschneider.de/papers/S07Thesis.pdf}, year = {2007} }  @inproceedings{KS08UC, abstract = {We consider general secure function evaluation (SFE) of {\em private functions} (PF-SFE). Recall, privacy of functions is often most efficiently achieved by general SFE [Yao82,Yao86,LP04] of a Universal Circuit (UC).\\ Our main contribution is a new simple and efficient UC construction. Our circuit $UC_k$, universal for circuits of $k$ gates, has size $\sim 1.5 k \log^2 k$ and depth $\sim k \log k$. It is up to $50\%$ smaller than the best UC (of Valiant [Valiant76], of size $\sim 19k\log k$) for circuits of size up to $\approx 5000$ gates.\\ Our improvement results in corresponding performance improvement of SFE of (small) private functions. Since, due to cost, only small circuits (i.e. $<5000$ gates) are practical for PF-SFE, our construction appears to be the best fit for many practical PF-SFE.\\ We implement PF-SFE based on our UC and Fairplay SFE system [MNPS04].}, author = {Vladimir Kolesnikov and Thomas Schneider}, booktitle = {12th International Conference on Financial Cryptography and Data Security (FC'08)}, month = {January 28-31,}, note = {Implementation available at \url{http://thomaschneider.de/FairplayPF}.}, pages = {83--97}, publisher = {Springer}, puburl = {http://dx.doi.org/10.1007/978-3-540-85230-8_7}, series = {LNCS}, talkurl = {http://thomaschneider.de/talks/KS08UC_PracticalUC_FC.pdf}, title = {A Practical Universal Circuit Construction and Secure Evaluation of Private Functions}, url = {http://thomaschneider.de/papers/KS08UC.pdf}, volume = {5143}, weburl = {http://fc08.ifca.ai}, year = {2008}, doi = {10.1007/978-3-540-85230-8_7} }  @misc{patentUC, author = {Vladimir Kolesnikov and Thomas Schneider}, abstract = {An exemplary method enables implementation of a universal circuit capable of emulating each gate of a circuit designed to calculate a function. A first selection module receives inputs associated with the function. It generates outputs that are an ordered series of the inputs. A universal module receives these outputs and generates another set of outputs. A second selection module receives the outputs from the universal module and generates final function outputs that are an ordered series inputs received from the universal module. The selection modules and universal module themselves are also aspects of the present invention.}, howpublished = {U.S. patent no 8175854 (applied July 14, 2008; issued May 8, 2012)}, title = {Universal Circuit for Secure Function Evaluation}, month = {July}, year = {2008}, puburl = {http://www.google.com/patents/US20090140767} }  @mastersthesis{Schneider08Thesis, abstract = {This thesis focuses on practical aspects of general two-party Secure Function Evaluation (SFE). We give a new SFE protocol that allows free evaluation of XOR gates and is provably secure against semi-honest adversaries in the random oracle model. Furthermore, the extension of SFE to private functions (PF-SFE) using universal circuits (UC) is considered. Based on our new practical UC construction, FairplayPF is implemented as extension of the well-known Fairplay SFE system to demonstrate practicability of UC-based PF-SFE. Also new protocols for SFE and PF-SFE of functions alternatively represented as Ordered Binary Decision Diagram (OBDD) are given.}, author = {Thomas Schneider}, month = {February 27,}, note = {\url{http://thomaschneider.de/theses/da/}}, school = {University Erlangen-N{\"u}rnberg, Germany}, title = {Practical Secure Function Evaluation}, url = {http://thomaschneider.de/papers/S08Thesis.pdf}, year = {2008} }  @inproceedings{S08, author = {Thomas Schneider}, booktitle = {Fachwissenschaftlicher Informatik-Kongress (Informatiktage 2008)}, month = {March 14,}, pages = {37--40}, posterurl = {http://thomaschneider.de/posters/S08_PracticalSFE_Informatiktage.pdf}, publisher = {GI}, puburl = {http://www.gi-ev.de/service/publikationen/gi-edition-lecture-notes-in-informatics-lni-2005/mehr-zur-schriftenreihe/seminars/gi-edition-seminars-s-6/}, series = {LNI}, title = {Practical Secure Function Evaluation}, url = {http://thomaschneider.de/papers/S08.pdf}, volume = {S-6}, weburl = {http://www.gi-ev.de/informatiktage/informatiktage-2008/}, year = {2008} }  @inproceedings{KSS08, author = {Vladimir Kolesnikov and Thomas Schneider and Volker Strehl}, booktitle = {8. Workshop der Fachgruppe Kryptographie in der Gesellschaft f\"ur Informatik (Kryptotag)}, month = {April 11,}, volume = {WSI-2008-02}, talkurl = {http://thomaschneider.de/talks/KSS08_PracticalSFE_KRYPTOTAG.pdf}, title = {Practical Secure Function Evaluation}, url = {http://thomaschneider.de/papers/KSS08.pdf}, weburl = {http://www-dm.informatik.uni-tuebingen.de/kryptotag/}, year = {2008} }  @inproceedings{KS08XOR, abstract = {We present a new garbled circuit construction for two-party secure function evaluation (SFE). In our one-round protocol, XOR gates are evaluated for free'', which results in the corresponding improvement over the best garbled circuit implementations (e.g. Fairplay [MNPS04]).\\ We build permutation networks [Waksman68] and Universal Circuits (UC) [Valiant76] almost exclusively of XOR gates; this results in a factor of up to $4$ improvement (in both computation and communication) of their SFE. We also improve integer addition and equality testing by factor of up to $2$.\\ We rely on the Random Oracle (RO) assumption. Our constructions are proven secure in the semi-honest model.}, author = {Vladimir Kolesnikov and Thomas Schneider}, booktitle = {35th International Colloquium on Automata, Languages and Programming (ICALP'08)}, month = {July 6-13,}, pages = {486--498}, publisher = {Springer}, doi = {10.1007/978-3-540-70583-3_40}, series = {LNCS}, talkurl = {http://thomaschneider.de/talks/KS08XOR_ImprovedGC_ICALP.pdf}, title = {Improved Garbled Circuit: Free {XOR} Gates and Applications}, url = {http://thomaschneider.de/papers/KS08XOR.pdf}, volume = {5126}, weburl = {http://www2.ru.is/icalp08/}, year = {2008} }  @misc{patentXOR, author = {Vladimir Kolesnikov and Thomas Schneider}, abstract = {An embodiment of the present invention provides a method that minimizes the number of entries required in a garbled circuit associated with secure function evaluation of a given circuit. Exclusive OR (XOR) gates are evaluated in accordance with an embodiment of the present invention without the need of associated entries in the garbled table to yield minimal computational and communication effort. This improves the performance of SFE evaluation. Another embodiment of the present invention provides a method that replaces regular gates with more efficient constructions containing XOR gates in an implementation of a Universal Circuit, and circuits for integer addition and multiplication, thereby maximizing the performance improvement provided by the above.}, howpublished = {U.S. patent no 8443205 (applied October 24, 2008; issued May 14, 2013)}, title = {Secure Function Evaluation Techniques for Circuits Containing {XOR} Gates with Applications to Universal Circuits}, month = {October}, year = {2008}, puburl = {http://www.google.com/patents/US8443205} }  @inproceedings{SS08, abstract = {Secure Evaluation of Private Functions (PF-SFE) allows two parties to compute a private function which is known by one party only on private data of both. It is known that PF-SFE can be reduced to Secure Function Evaluation (SFE) of a Universal Circuit (UC). Previous UC constructions only simulated circuits with gates of $d=2$ inputs while gates with $d>2$ inputs were decomposed into many gates with $2$ inputs which is inefficient for large $d$ as the size of UC heavily depends on the number of gates.\\ We present generalized UC constructions to efficiently simulate any circuit with gates of $d \ge 2$ inputs having efficient circuit representation. Our constructions are non-trivial generalizations of previously known UC constructions.\\ As application we show how to securely evaluate private functions such as neural networks (NN) which are increasingly used in commercial applications. Our provably secure PF-SFE protocol needs only one round in the semi-honest model (or even no online communication at all using non-interactive oblivious transfer) and evaluates a generalized UC that entirely hides the structure of the private NN. This enables applications like privacy-preserving data classification based on private NNs without trusted third party while simultaneously protecting user's data and NN owner's intellectual property.}, author = {Ahmad-Reza Sadeghi and Thomas Schneider}, booktitle = {11th International Conference on Information Security and Cryptology (ICISC'08)}, month = {December 3-5,}, note = {Full version available at \url{http://eprint.iacr.org/2008/453}.}, pages = {336--353}, publisher = {Springer}, doi = {10.1007/978-3-642-00730-9_21}, series = {LNCS}, talkurl = {http://thomaschneider.de/talks/SS08_GeneralizedUC_ICALP.pdf}, title = {Generalized Universal Circuits for Secure Evaluation of Private Functions with Application to Data Classification}, url = {http://thomaschneider.de/papers/SS08.pdf}, volume = {5461}, weburl = {http://www.icisc.org/icisc08/asp/cfp.html}, year = {2008} }  @inproceedings{BBKSST09, abstract = {Efficient zero-knowledge proofs of knowledge (ZK-PoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multiparty computation. Currently, first applications that critically rely on ZK-PoKs are being deployed in the real world. The most prominent example is Direct Anonymous Attestation (DAA), which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic Trusted Platform Module (TPM) chip.\\ Implementing systems using ZK-PoK turns out to be challenging, since ZK-PoK are, loosely speaking, significantly more complex than standard crypto primitives, such as encryption and signature schemes. As a result, implementation cycles of ZK-PoK are time-consuming and error-prone, in particular for developers with minor or no cryptographic skills.\\ In this paper we report on our ongoing and future research vision with the goal to bring ZK-PoK to practice by making them accessible to crypto and security engineers. To this end we are developing compilers and related tools that support and partially automate the design, implementation, verification and secure implementation of ZK-PoK protocols.}, author = {Endre Bangerter and Stefania Barzan and Stephan Krenn and Ahmad-Reza Sadeghi and Thomas Schneider and Joe-Kai Tsay}, booktitle = {17th International Workshop on Security Protocols (SPW'09)}, month = {April 1-3,}, note = {Full version available at \url{http://eprint.iacr.org/2009/211}.}, title = {Bringing Zero-Knowledge Proofs of Knowledge to Practice}, series = {LNCS}, volume = {7028}, pages = {51--62}, publisher = {Springer}, doi = {10.1007/978-3-642-36213-2_9}, url = {http://thomaschneider.de/papers/BBKSST09.pdf}, weburl = {http://spw.feis.herts.ac.uk}, year = {2009} }  @misc{BCKSS09, abstract = {Efficient zero-knowledge proofs of knowledge (ZK-PoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multiparty computation. Currently, first applications that critically rely on ZK-PoKs are being deployed in the real world. The most prominent example is Direct Anonymous Attestation (DAA), which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic chip Trusted Platform Module (TPM).\\ Implementing systems using ZK-PoK turns out to be challenging, since ZK-PoK are, loosely speaking, significantly more complex than standard crypto primitives, such as encryption and signature schemes. As a result, implementation cycles of ZK-PoK are time-consuming and error-prone, in particular for developers with minor or no cryptographic skills.\\ In this paper we report on our ongoing and future research vision with the goal to bring ZK-PoK to practice by automatically generating sound ZK-PoK protocols and make them accessible to crypto and security engineers. To this end we are developing protocols and compilers that support and automate the design and generation of secure and efficient implementation of ZK-PoK protocols.}, author = {Endre Bangerter and Jan Camenisch and Stephan Krenn and Ahmad-Reza Sadeghi and Thomas Schneider}, howpublished = {28th Advances in Cryptology -- EUROCRYPT 2009 Poster Session}, month = {April 26-30,}, note = {Full version available at \url{http://eprint.iacr.org/2008/471}.}, posterurl = {http://thomaschneider.de/posters/BCKSS09_AutomaticZK_EUROCRYPT.pdf}, title = {Automatic Generation of Sound Zero-Knowledge Protocols}, url = {http://thomaschneider.de/papers/BCKSS09.pdf}, weburl = {http://www.iacr.org/conferences/eurocrypt2009/}, year = {2009} }  @inproceedings{PSS09, abstract = {Two-party Secure Function Evaluation (SFE) is a very useful cryptographic tool which allows two parties to evaluate a function known to both parties on their private (secret) inputs. Some applications with sophisticated privacy needs require the function to be known only to one party and kept private (hidden) from the other one. However, existing solutions for SFE of private functions (PF-SFE) deploy Universal Circuits (UC) and are still very inefficient in practice.\\ In this paper we bridge the gap between SFE and PF-SFE with SFE of what we call {\em semi-private functions} (SPF-SFE), i.e., one function out of a given class of functions is evaluated without revealing which one.\\ We present a general framework for SPF-SFE allowing a fine-grained trade-off and tuning between SFE and PF-SFE covering both extremes. In our framework, semi-private functions can be composed from several privately programmable blocks (PPB) which can be programmed with one function out of a class of functions. The framework allows efficient and secure embedding of constants into the resulting circuit to improve performance. To show practicability of the framework we have implemented a compiler for SPF-SFE based on the Fairplay SFE framework.\\ SPF-SFE is sufficient for many practically relevant privacy-preserving applications, such as privacy-preserving credit checking which can be implemented with our framework and compiler as described in the paper.}, author = {Annika Paus and Ahmad-Reza Sadeghi and Thomas Schneider}, booktitle = {7th International Conference on Applied Cryptography and Network Security (ACNS'09)}, month = {June 2-5,}, note = {Implementation available at \url{http://www.trust.rub.de/FairplaySPF}. Full version available at \url{http://eprint.iacr.org/2009/124}.}, pages = {89--106}, publisher = {Springer}, doi = {10.1007/978-3-642-01957-9_6}, series = {LNCS}, talkurl = {http://thomaschneider.de/talks/PSS09_SemiPrivateSFE_ACNS.pdf}, title = {Practical Secure Evaluation of Semi-Private Functions}, url = {http://thomaschneider.de/papers/PSS09.pdf}, volume = {5536}, year = {2009} }  @inproceedings{KSS09SPEED, abstract = {We show how two existing paradigms for two-party secure function evaluation (SFE) in the semi-honest model can be combined securely and efficiently -- those based on additively homomorphic encryption (HE) with those based on garbled circuits (GC) and vice versa.\\ Additionally, we propose new GC constructions for addition, subtraction, multiplication, and comparison functions. Our circuits are approximately two times smaller (in terms of garbled tables) than previous constructions. This implies corresponding computation and communication improvements in SFE of functions using the above building blocks (including the protocols for combining HE and GC).\\ Based on these results, we present efficient constant-round protocols for secure integer comparison, and the related problems of minimum selection and minimum distance, which are crucial building blocks of many cryptographic schemes such as privacy preserving biometric authentication (e.g., face recognition, fingerprint matching, etc).}, author = {Vladimir Kolesnikov and Ahmad-Reza Sadeghi and Thomas Schneider}, booktitle = {1st International Workshop on Signal Processing in the EncryptEd Domain (SPEED'09)}, month = {September 10,}, talkurl = {http://thomaschneider.de/talks/KSS09SPEED_HE+GC_SPEED.pdf}, title = {How to Combine Homomorphic Encryption and Garbled Circuits - Improved Circuits and Computing the Minimum Distance Efficiently}, url = {http://thomaschneider.de/papers/KSS09SPEED.pdf}, weburl = {http://www.speedproject.eu/index.php?option=com_content&task=view&id=33&Itemid=68}, year = {2009} }  @inproceedings{BFKLSS09SPEED, abstract = {We describe a privacy-preserving system where a server can classify an ElectroCardioGram (ECG) signal without learning any information about the ECG signal and the client is prevented from gaining knowledge about the classificationalgorithm used by the server. The system relies on the concept of Linear Branching Programs (LBP) and a recently proposed cryptographic protocol for secure evaluation of private LBPs. We study the trade-off between signal representation accuracy and system complexity both from practical and theoretical perspective. We show how the overall system complexity can be strongly reduced by modifying the original ECG classification algorithm. Two alternatives of the underlying cryptographic protocol are implemented and their corresponding complexities are analyzed to show suitability of our system in real-life applications for current and future security levels.}, author = {Mauro Barni and Pierluigi Failla and Vladimir Kolesnikov and Riccardo Lazzeretti and Ahmad-Reza Sadeghi and Thomas Schneider}, booktitle = {1st International Workshop on Signal Processing in the EncryptEd Domain (SPEED'09)}, month = {September 10,}, title = {Combining Signal Processing and Cryptographic Protocol Design for Efficient {ECG} Classification}, url = {http://thomaschneider.de/papers/BFKLSS09SPEED.pdf}, weburl = {http://www.speedproject.eu/index.php?option=com_content&task=view&id=33&Itemid=68}, year = {2009} }  @inproceedings{BBHKSS09, abstract = {Efficient-knowledge proofs knowledge (ZK-PoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multi-party computation (SMPC). Currently, first applications that essentially rely on ZK-PoKs are being deployed in the real world. The most prominent example is the Direct Anonymous Attestation (DAA) protocol, which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic chip Trusted Platform Module (TPM).\\ Implementing systems using ZK-PoK turns out to be challenging, since ZK-PoK are significantly more complex than standard crypto primitives (e.g., encryption and signature schemes). As a result, the design-implementation cycles of ZK-PoK are time-consuming and error-prone.\\ To overcome this, we present a compiler with corresponding languages for the automatic generation of sound and efficient ZK-PoK based on $\Sigma$-protocols. The protocol designer using our compiler formulates the goal of a ZK-PoK proof in a high-level protocol specification language, which Abstracts away unnecessary technicalities from the designer. The compiler then automatically generates the protocol implementation in Java code; alternatively, the compiler can output a description of the protocol in \LaTeX\ which can be used for documentation or verification.}, author = {Endre Bangerter and Thomas Briner and Wilko Henecka and Stephan Krenn and Ahmad-Reza Sadeghi and Thomas Schneider}, booktitle = {6th European Workshop on Public Key Services, Applications and Infrastructures (EUROPKI'09)}, month = {September 10-11,}, publisher = {Springer}, series = {LNCS}, volume = {6391}, pages = {67--82}, title = {Automatic Generation of Sigma-Protocols}, url = {http://thomaschneider.de/papers/BBHKSS09.pdf}, weburl = {http://www.iit.cnr.it/EUROPKI09/}, doi = {10.1007/978-3-642-16441-5_5}, year = {2009} }  @inproceedings{BFKLSS09, abstract = {Diagnostic and classification algorithms play an important role in data analysis, with applications in areas such as health care, fault diagnostics, or benchmarking. Branching programs (BP) is a popular representation model for describing the underlying classification/diagnostics algorithms. Typical application scenarios involve a client who provides data and a service provider (server) whose diagnostic program is run on client's data. Both parties need to keep their inputs private.\\ We present new, more efficient privacy-protecting protocols for remote evaluation of such classification/diagnostic programs. In addition to efficiency improvements, we generalize previous solutions -- we securely evaluate private linear branching programs (LBP), a useful generalization of BP that we introduce. We show practicality of our solutions: we apply our protocols to the privacy-preserving classification of medical ElectroCardioGram (ECG) signals and present implementation results. Finally, we discover and fix a subtle security weakness of the most recent remote diagnostic proposal, which allowed malicious clients to learn partial information about the program.}, author = {Mauro Barni and Pierluigi Failla and Vladimir Kolesnikov and Riccardo Lazzeretti and Ahmad-Reza Sadeghi and Thomas Schneider}, booktitle = {14th European Symposium on Research in Computer Security (ESORICS'09)}, month = {September 21-25,}, note = {Full version available at \url{http://eprint.iacr.org/2009/195}.}, pages = {424--439}, publisher = {Springer}, doi = {10.1007/978-3-642-04444-1_26}, series = {LNCS}, talkurl = {http://thomaschneider.de/talks/BFKLSS09_LinearBP_ESORICS.pdf}, title = {Secure Evaluation of Private Linear Branching Programs with Medical Applications}, url = {http://thomaschneider.de/papers/BFKLSS09.pdf}, volume = {5789}, weburl = {http://conferences.telecom-bretagne.eu/esorics2009/EN/home.php}, year = {2009} }  @inproceedings{BKSST09, abstract = {Zero-knowledge proofs of knowledge (ZK-PoK) play an important role in many cryptographic applications. Direct anonymous attestation (DAA) and the identity mixer anonymous authentication system are first real world applications using ZK-PoK as building blocks. But although being used for many years now, design and implementation of sound ZK-PoK remains challenging. In fact, there are security flaws in various protocols found in literatur. Especially for non-experts in the field it is often hard to design ZK-PoK, since a unified and easy to use theoretical framework on ZK-PoK is missing.\\ With this paper we overcome important challenges and facilitate the design and implementation of efficient and sound ZK-PoK in practice. First, Camenisch et al. have presented at EUROCRYPT 2009 a first unified and modular theoretical framework for ZK-PoK. This is compelling, but makes use of a rather inefficient 6-move protocol. We extend and improve their framework in terms of efficiency and show how to realize it using efficient 3-move $\Sigma$-protocols. Second, we perform an exact security and efficiency analysis for our new protocol and various protocols found in the literature. The analysis yields novel - and perhaps surprising - results and insights. It reveals for instance that using a 2048 bit RSA modulus, as specified in the DAA standard, only guarantees an upper bound on the success probability of a malicious prover between $1/24$ and $1/224$. Also, based on that analysis we show how to select the most efficient protocol to realize a given proof goal. Finally, we also provide low-level support to a designer by presenting a compiler realizing our framework and optimization techniques, allowing easy imple- mentation of efficient and sound protocols.}, author = {Endre Bangerter and Stephan Krenn and Ahmad-Reza Sadeghi and Thomas Schneider and Joe-Kai Tsay}, booktitle = {ECRYPT workshop on Software Performance Enhancements for Encryption and Decryption and Cryptographic Compilers (SPEED-CC'09)}, month = {October 12-13,}, title = {On the Design and Implementation of Efficient Zero-Knowledge Proofs of Knowledge}, url = {http://thomaschneider.de/papers/BKSST09.pdf}, weburl = {http://www.hyperelliptic.org/SPEED/}, year = {2009}, note = {Implementation available at \url{http://zkc.cace-project.eu}.} }  @inproceedings{KSS09SPEEDCC, abstract = {We consider generic Garbled Circuit (GC)-based techniques for Secure Function Evaluation (SFE) in the semi-honest model.\\ We describe efficient GC constructions for addition, subtraction, multiplication, and comparison functions. Our circuits for subtraction and comparison are approximately two times smaller (in terms of garbled tables) than previous constructions. This implies corresponding computation and communication improvements in SFE of functions using our efficient building blocks. The techniques rely on recently proposed free XOR'' GC technique.\\ Further, we present concrete and detailed improved GC protocols for the problem of secure integer comparison, and related problems of auctions, minimum selection, and minimal distance. Performance improvement comes both from building on our efficient basic blocks and several problem-specific GC optimizations. We provide precise cost evaluation of our constructions, which serves as a baseline for future protocols.}, author = {Vladimir Kolesnikov and Ahmad-Reza Sadeghi and Thomas Schneider}, booktitle = {ECRYPT workshop on Software Performance Enhancements for Encryption and Decryption and Cryptographic Compilers (SPEED-CC'09)}, month = {October 12-13,}, title = {Improved Garbled Circuit Building Blocks and Applications to Auctions and Computing Minima}, url = {http://thomaschneider.de/papers/KSS09SPEEDCC.pdf}, weburl = {http://www.hyperelliptic.org/SPEED/}, year = {2009} }  @misc{SS09, author = {Ahmad-Reza Sadeghi and Thomas Schneider}, howpublished = {Section Days of Ruhr-University Bochum Research School}, month = {November 6,}, note = {(Poster prize awarded)}, posterurl = {http://thomaschneider.de/posters/SS09_MedicalDiagnostics_SectionDays.pdf}, title = {Ask Your E-Doctor Without Telling: Privacy-Preserving Medical Diagnostics}, weburl = {http://www.research-school.rub.de/section_days.html}, year = {2009} }  @inproceedings{SSW09, abstract = {Automatic recognition of human faces is becoming increasingly popular in civilian and law enforcement applications that require reliable recognition of humans. However, the rapid improvement and widespread deployment of this technology raises strong concerns regarding the violation of individuals' privacy. A typical application scenario for privacy-preserving face recognition concerns a client who privately searches for a specific face image in the face image database of a server.\\ In this paper we present a privacy-preserving face recognition scheme that substantially improves over previous work in terms of communication- and computation efficiency: the most recent proposal of Erkin et al. (PETS'09) requires $\mathcal{O}(\log M)$ rounds and computationally expensive operations on homomorphically encrypted data to recognize a face in a database of $M$ faces. Our improved scheme requires only $\mathcal{O}(1)$ rounds and has a substantially smaller online communication complexity (by a factor of $15$ for each database entry) and less computation complexity.\\ Our solution is based on known cryptographic building blocks combining homomorphic encryption with garbled circuits. Our implementation results show the practicality of our scheme also for large databases (e.g., for $M = 1000$ we need less than $13$ seconds and less than $4$ MByte online communication on two 2.4GHz PCs connected via Gigabit Ethernet).}, author = {Ahmad-Reza Sadeghi and Thomas Schneider and Immo Wehrenberg}, booktitle = {12th International Conference on Information Security and Cryptology (ICISC'09)}, month = {December 2-4,}, note = {Full version available at \url{http://eprint.iacr.org/2009/507}.}, publisher = {Springer}, doi = {10.1007/978-3-642-14423-3_16}, series = {LNCS}, title = {Efficient Privacy-Preserving Face Recognition}, url = {http://thomaschneider.de/papers/SSW09.pdf}, volume = {5984}, pages = {229-244}, weburl = {http://www.icisc.org/icisc09/asp/cfp/icisc2009cfp.pdf}, year = {2009} }  @inproceedings{BFKLPSS09, abstract = {We describe a privacy-preserving system where a server can classify an ElectroCardioGram (ECG) signal without learning any information about the ECG signal and the client is prevented from gaining knowledge about the classification algorithm used by the server. The system relies on the concept of Linear Branching Programs (LBP) and a recently proposed cryptographic protocol for secure evaluation of private LBPs. We study the trade-off between signal representation accuracy and system complexity both from practical and theoretical perspective. As a result, the inputs to the system are represented with the minimum number of bits ensuring the same classification accuracy of a plain implementation. We show how the overall system complexity can be strongly reduced by modifying the original ECG classification algorithm. Two alternatives of the underlying cryptographic protocol are implemented and their corresponding complexities are analyzed to show suitability of our system in real-life applications for current and future security levels.}, author = {Mauro Barni and Pierluigi Failla and Vladimir Kolesnikov and Riccardo Lazzeretti and Annika Paus and Ahmad-Reza Sadeghi and Thomas Schneider}, booktitle = {1st IEEE International Workshop on Information Forensics and Security (IEEE WIFS'09)}, month = {December 6-9,}, pages = {91--95}, publisher = {IEEE}, doi = {10.1109/WIFS.2009.5386475}, title = {Efficient Privacy-Preserving Classification of {ECG} Signals}, url = {http://thomaschneider.de/papers/BFKLPSS09.pdf}, year = {2009} }  @inproceedings{PSSW09, abstract = {Secure multi-party computation has been considered by the cryptographic community for a number of years. Until recently it has been a purely theoretical area, with few implementations with which to test various ideas. This has led to a number of optimisations being proposed which are quite restricted in their application. In this paper we describe an implementation of the two-party case, using Yao's garbled circuits, and present various algorithmic protocol improvements. These optimisations are analysed both theoretically and empirically, using experiments of various adversarial situations. Our experimental data is provided for reasonably large circuits, including one which performs an AES encryption, a problem which we discuss in the context of various possible applications.}, author = {Benny Pinkas and Thomas Schneider and Nigel P. Smart and Stephen C. Williams}, booktitle = {15th Advances in Cryptology -- ASIACRYPT 2009}, month = {December 6-10,}, note = {Full version available at \url{http://eprint.iacr.org/2009/314}.}, pages = {250--267}, publisher = {Springer}, doi = {10.1007/978-3-642-10366-7_15}, series = {LNCS}, title = {Secure Two-Party Computation is Practical}, url = {http://thomaschneider.de/papers/PSSW09.pdf}, volume = {5912}, weburl = {http://asiacrypt2009.cipher.risk.tsukuba.ac.jp}, year = {2009} }  @inproceedings{KSS09, abstract = {We consider generic Garbled Circuit (GC)-based techniques for Secure Function Evaluation (SFE) in the semi-honest model.\\ We describe efficient GC constructions for addition, subtraction, multiplication, and comparison functions. Our circuits for subtraction and comparison are approximately two times smaller (in terms of garbled tables) than previous constructions. This implies corresponding computation and communication improvements in SFE of functions using our efficient building blocks. The techniques rely on recently proposed free XOR'' GC technique.\\ Further, we present concrete and detailed improved GC protocols for the problem of secure integer comparison, and related problems of auctions, minimum selection, and minimal distance. Performance improvement comes both from building on our efficient basic blocks and several problem-specific GC optimizations. We provide precise cost evaluation of our constructions, which serves as a baseline for future protocols.}, author = {Vladimir Kolesnikov and Ahmad-Reza Sadeghi and Thomas Schneider}, booktitle = {8th International Conference on Cryptology And Network Security (CANS'09)}, month = {December 12-14,}, note = {Full version available at \url{http://eprint.iacr.org/2009/411}.}, pages = {1--20}, publisher = {Springer}, doi = {10.1007/978-3-642-10433-6_1}, series = {LNCS}, talkurl = {http://thomaschneider.de/talks/KSS09_ImprovedMinimum_CANS.pdf}, title = {Improved Garbled Circuit Building Blocks and Applications to Auctions and Computing Minima}, url = {http://thomaschneider.de/papers/KSS09.pdf}, volume = {5888}, weburl = {http://www.rcis.aist.go.jp/cans2009/}, year = {2009} }  @inproceedings{JKSS10TOKEN, abstract = {We consider Secure Function Evaluation (SFE) in the client-server setting where the server issues a secure token to the client. The token is not trusted by the client and is {\em not} a trusted third party.\\ We show how to take advantage of the token to drastically reduce the communication complexity of SFE and computation load of the server.\\ Our main contribution is the detailed consideration of design decisions, optimizations, and trade-offs, associated with the setting and its strict hardware requirements for practical deployment. In particular, we model the token as a computationally weak device with small constant-size memory and limit communication between client and server.\\ We consider semi-honest, covert, and malicious adversaries. We show the feasibility of our protocols based on a FPGA implementation.}, author = {Kimmo J\"arvinen and Vladimir Kolesnikov and Ahmad-Reza Sadeghi and Thomas Schneider}, booktitle = {14th International Conference on Financial Cryptography and Data Security (FC'10)}, month = {January 25-28,}, note = {Full version available at \url{http://eprint.iacr.org/2009/591}.}, publisher = {Springer}, series = {LNCS}, volume = {6052}, pages = {207--221}, talkurl = {http://thomaschneider.de/talks/JKSS10_EmbeddedSFE.pdf}, title = {Embedded {SFE}: Offloading Server and Network using Hardware Tokens}, url = {http://thomaschneider.de/papers/JKSS10TOKEN.pdf}, doi = {10.1007/978-3-642-14577-3_17}, weburl = {http://fc10.ifca.ai}, year = {2010} }  @inproceedings{SSW10, abstract = {Secure outsourcing of computation to an untrusted (cloud) service provider is becoming more and more important. Pure cryptographic solutions based on fully homomorphic and verifiable encryption, recently proposed, are promising but suffer from very high latency. Other proposals perform the whole computation on tamper-proof hardware and usually suffer from the same problem. Trusted computing (TC) is another promising approach that uses trusted software and hardware components on computing platforms to provide useful mechanisms such as attestation allowing the data owner to verify the integrity of the cloud and its computation. However, on the one hand these solutions require trust in hardware (CPU, trusted computing modules) that are under the physical control of the cloud provider, and on the other hand they still have to face the challenge of run-time attestation. \\ In this paper we focus on applications where the latency of the computation should be minimized, i.e., the time from submitting the query until receiving the outcome of the computation should be as small as possible. To achieve this we show how to combine a trusted hardware token (e.g., a cryptographic coprocessor or provided by the customer) with Secure Function Evaluation (SFE) to compute arbitrary functions on secret (encrypted) data where the computation leaks no information and is verifiable. The token is used in the setup phase only whereas in the time-critical online phase the cloud computes the encrypted function on encrypted data using symmetric encryption primitives only and without any interaction with other entities.}, author = {Ahmad-Reza Sadeghi and Thomas Schneider and Marcel Winandy}, booktitle = {3rd International Conference on Trust and Trustworthy Computing (TRUST'10) - Workshop on Trust in the Cloud}, month = {June 21-23,}, publisher = {Springer}, series = {LNCS}, pages = {417--429}, volume = {6101}, title = {Token-Based Cloud Computing -- Secure Outsourcing of Data and Arbitrary Computations with Lower Latency}, weburl = {http://www.trust2010.org/workshop-cloud.html}, doi = {10.1007/978-3-642-13869-0_30}, url = {http://thomaschneider.de/papers/SSW10.pdf}, year = {2010}, talkurl = {http://thomaschneider.de/talks/SSW10_TokenCloudsourcing_TRUST.pdf} }  @misc{BKSS10, author = {Endre Bangerter and Stephan Krenn and Ahmad-Reza Sadeghi and Thomas Schneider}, howpublished = {19th USENIX Security Symposium (Security'10) Poster Session}, month = {August 11-13,}, title = {{YAZKC: Yet Another Zero-Knowledge Compiler}}, abstract = {Automatic generation of cryptographic protocols is an emerging field of research which aims to bring complex protocols into practice. In this work we discuss the desired properties of a compiler for automatic generation of zero-knowledge proof of knowledge (ZKPoK) protocols. We evaluate and compare existing approaches with respect to these properties: In particular, it seems to us that the authors of the paper accepted for USENIX Security 2010 (ZKPDL: A Language-Based System for Efficient Zero-Knowledge Proofs and Electronic Cash) were not aware of our previous work done within the European project Computer Aided Cryptography Engineering'' (CACE). We hope that this poster stimulates scientific debates and exchange in this field of research.}, weburl = {http://www.usenix.org/events/sec10/poster.html}, posterurl = {http://thomaschneider.de/posters/BKSS10_YetAnotherZKC_USENIX.pdf}, url = {http://thomaschneider.de/papers/BKSS10.pdf}, year = {2010} }  @inproceedings{JKSS10OTP, abstract = {The power of side-channel leakage attacks on cryptographic implementations is evident. Today's practical defenses are typically attack-specific countermeasures against certain classes of side-channel attacks. The demand for a more general solution has given rise to the recent theoretical research that aims to build provably leakage-resilient cryptography. This direction is, however, very new and still largely lacks practitioners' evaluation with regard to both efficiency and practical security. A recent approach, One-Time Programs (OTPs), proposes using Yao's Garbled Circuit (GC) and very simple tamper-proof hardware to securely implement oblivious transfer, to guarantee leakage resilience.\\ Our main contributions are (i) a generic architecture for using GC/OTP modularly, and (ii) hardware implementation and efficiency analysis of GC/OTP evaluation. We implemented two FPGA-based prototypes: a system-on-a-programmable-chip with access to hardware crypto accelerator (suitable for smartcards and future smartphones), and a stand-alone hardware implementation (suitable for ASIC design). We chose AES as a representative complex function for implementation and measurements. As a result of this work, we are able to understand, evaluate and improve the practicality of employing GC/OTP as a leakage-resistance approach.}, title = {Garbled Circuits for Leakage-Resilience: Hardware Implementation and Evaluation of One-Time Programs}, author = {Kimmo J\"arvinen and Vladimir Kolesnikov and Ahmad-Reza Sadeghi and Thomas Schneider}, booktitle = {12th International Workshop on Cryptographic Hardware and Embedded Systems (CHES'10)}, month = {August 17-20,}, publisher = {Springer}, series = {LNCS}, volume = {6225}, pages = {383--397}, year = {2010}, note = {Full version available at \url{http://eprint.iacr.org/2010/276}.}, url = {http://thomaschneider.de/papers/JKSS10OTP.pdf}, weburl = {http://www.chesworkshop.org/ches2010/}, doi = {10.1007/978-3-642-15031-9_26}, talkurl = {http://thomaschneider.de/talks/JKSS10_OTP.pdf} }  @inproceedings{SS10, abstract = {Die rasant fortschreitende Modernisierung des Gesundheitswesens durch neuartige elektronische Dienste wie die elektronische Patientenakte und medizinische online Dienste erlaubt es, medizinische Prozesse effizienter zu gestalten. Andererseits birgt die digitale Verarbeitung sensibler Patientendaten Risiken und Gefahren hinsichtlich des Datenschutzes und des Missbrauchs.\\ Klassische kryptographische und IT sicherheitstechnische Methoden erlauben die sichere Verteilung und Speicherung medizinischer Daten. Allerdings erfordert die Verarbeitung der Daten deren Entschl\"usselung. Zu diesem Zeitpunkt kann auf die Daten im Klartext (z.B. durch Systemadministratoren) zugegriffen und die Vertraulichkeit verletzt werden. Um dies zu verhindern, sollten Daten in verschl\"usselter Form verarbeitet werden. F\"ur ebendieses Rechnen unter Verschl\"usselung'' wurden in den vergangenen 25 Jahren verschiedene kryptographische Verfahren vorgeschlagen.\\ Die Ziele dieser Arbeit sind folgende: 1) Der aktuelle Stand der Forschung im Bereich des effizienten Rechnens unter Verschl\"usselung wird zusammengefasst. 2)~Ein Werkzeug wird vorgestellt, das es erlaubt, effiziente Protokolle zum Rechnen unter Verschl\"usselung abstrakt und ohne detaillierte kryptographische Kenntnisse zu beschreiben und automatisch zu generieren. 3) Es wird gezeigt, wie das vorgestellte Werkzeug exemplarisch zum Generieren eines medizinischen Web-Services verwendet werden kann, der EKG Daten in verschl\"usselter Form klassifiziert.}, booktitle = {Workshop Innovative und sichere Informationstechnologie f\"ur das Gesundheitswesen von morgen (perspeGKtive'10)}, title = {{Verschl\"usselt Rechnen: Sichere Verarbeitung verschl\"usselter medizinischer Daten am Beispiel der Klassifikation von EKG-Daten}}, author = {Ahmad-Reza Sadeghi and Thomas Schneider}, series = {LNI}, volume = {P-174}, pages = {11--25}, month = {September 8,}, year = {2010}, publisher = {Bonner K\"ollen Verlag}, weburl = {http://www.perspegktive.de}, talkurl = {http://thomaschneider.de/talks/SS10_EKG.pdf}, puburl = {http://www.gi-ev.de/service/publikationen/lni/gi-edition-proceedings-2010/gi-edition-lecture-notes-in-informatics-lni-p-174.html}, url = {http://thomaschneider.de/papers/SS10.pdf} }  @inproceedings{ABBKSS10, abstract = {Zero-knowledge proofs of knowledge (ZK-PoK) are important building blocks for numerous cryptographic applications. Although ZK-PoK have a high potential impact, their real world deployment is typically hindered by their significant complexity compared to other (non-interactive) crypto primitives. Moreover, their design and implementation are time-consuming and error-prone.\\ We contribute to overcoming these challenges as follows: We present a comprehensive specification language and a compiler for ZK-PoK protocols based on $\Sigma$-protocols. The compiler allows the fully automatic translation of an Abstract description of a proof goal into an executable implementation. Moreover, the compiler overcomes various restrictions of previous approaches, e.g., it supports the important class of exponentiation homomorphisms with hidden-order co-domain, needed for privacy-preserving applications such as DAA. Finally, our compiler is certifying, in the sense that it automatically produces a formal proof of the soundness of the compiled protocol for a large class of protocols using the Isabelle/HOL theorem prover.}, title = {A Certifying Compiler for Zero-Knowledge Proofs of Knowledge Based on Sigma-Protocols}, author = {Jos{\'e} Bacelar Almeida and Endre Bangerter and Manuel Barbosa and Stephan Krenn and Ahmad-Reza Sadeghi and Thomas Schneider}, year = {2010}, booktitle = {15th European Symposium on Research in Computer Security (ESORICS'10)}, month = {September 20-22,}, publisher = {Springer}, series = {LNCS}, pages = {151--167}, volume = {6345}, weburl = {http://www.esorics2010.org}, doi = {10.1007/978-3-642-15497-3_10}, url = {http://thomaschneider.de/papers/ABBKSS10.pdf}, note = {Full version available at \url{http://eprint.iacr.org/2010/339}.} }  @inproceedings{HKSSW10, abstract = {Secure two-party computation allows two untrusting parties to jointly compute an arbitrary function on their respective private inputs while revealing no information beyond the outcome. Existing cryptographic compilers can automatically generate secure computation protocols from high-level specifications, but are often limited in their use and efficiency of generated protocols as they are based on either garbled circuits or (additively) homomorphic encryption only.\\ In this paper we present TASTY, a novel tool for automating, i.e., describing, generating, executing, benchmarking, and comparing, efficient secure two-party computation protocols. TASTY is a new compiler that can generate protocols based on homomorphic encryption and efficient garbled circuits as well as combinations of both, which often yields the most efficient protocols available today. The user provides a high-level description of the computations to be performed on encrypted data in a domain-specific language. This is automatically transformed into a protocol. TASTY provides most recent techniques and optimizations for practical secure two-party computation with low online latency. Moreover, it allows to efficiently evaluate circuits generated by the well-known Fairplay compiler.\\ We use TASTY to compare protocols for secure multiplication based on homomorphic encryption with those based on garbled circuits and highly efficient Karatsuba multiplication. Further, we show how TASTY improves the online latency for securely evaluating the AES functionality by an order of magnitude compared to previous software implementations. TASTY allows to automatically generate efficient secure protocols for many privacy-preserving applications where we consider the use cases for private set intersection and face recognition protocols.}, title = {{TASTY: Tool for Automating Secure Two-partY computations}}, author = {Wilko Henecka and Stefan K{\"o}gl and Ahmad-Reza Sadeghi and Thomas Schneider and Immo Wehrenberg}, booktitle = {17th ACM Conference on Computer and Communications Security (CCS'10)}, month = {October 4-8,}, publisher = {ACM}, year = {2010}, pages = {451--462}, note = {Full version available at \url{http://eprint.iacr.org/2010/365}. \url{http://tastyproject.net}}, url = {http://thomaschneider.de/papers/HKSSW10.pdf}, talkurl = {http://thomaschneider.de/talks/HKSSW10.pdf}, doi = {10.1145/1866307.1866358}, weburl = {http://www.sigsac.org/ccs/CCS2010/} }  @incollection{JKSS10Full, author = {Kimmo J\"arvinen and Vladimir Kolesnikov and Ahmad-Reza Sadeghi and Thomas Schneider}, booktitle = {Towards Hardware Intrinsic Security: Foundation and Practice}, editor = {Ahmad-Reza Sadeghi and David Naccache}, publisher = {Springer-Verlag Berlin Heidelberg}, series = {Information Security and Cryptography}, title = {Efficient Secure Two-Party Computation with Untrusted Hardware Tokens}, year = {2010}, doi = {10.1007/978-3-642-14452-3_17}, pages = {367--386}, isbn = {978-3-642-14452-3} }  @phdthesis{Schneider11Thesis, title = {Engineering Secure Two-Party Computation Protocols -- Advances in Design, Optimization, and Applications of Efficient Secure Function Evaluation}, author = {Thomas Schneider}, month = {February 9,}, year = {2011}, school = {Ruhr-University Bochum, Germany}, abstract = {Secure Function Evaluation (SFE) allows two mutually mistrusting parties to compute an arbitrary function on their inputs without revealing any information beyond the result. We give advances in the design, optimization and application of efficient SFE.\\ We optimize SFE protocols by reducing the size of Boolean circuits with cheap XOR gates and give efficient circuits for standard functionalities.\\ Secure hardware reduces the communication of SFE protocols and allows to evaluate arbitrary functions in a side-channel resistant way.\\ Efficient SFE protocols can be modularly modeled as sequence of operations on encrypted data; TASTY (Tool for Automating Secure Two-partY computations) allows to describe, automatically generate, and execute them.\\ As applications we improve protocols for secure auctions and face recognition, and give a hardware-assisted protocol to securely outsource data and arbitrary computations to an untrusted (cloud) provider.}, url = {http://thomaschneider.de/papers/S11Thesis.pdf} }  @inproceedings{FPSSV11, abstract = {Secure set intersection protocols are the core building block for a manifold of privacy-preserving applications.\\ In a recent work, Hazay and Lindell (ACM CCS 2008) introduced the idea of using trusted hardware tokens for the set intersection problem, devising protocols which improve over previous (in the standard model of two-party computation) protocols in terms of efficiency and secure composition. Their protocol uses only a linear number of symmetric-key computations and the amount of data stored in the token does not depend on the sizes of the sets. The security proof of the protocol is in the universal composability model and is based on the strong assumption that the token is trusted by \emph{both} parties.\\ In this paper we revisit the idea and model of hardware-based secure set intersection, and in particular consider a setting where tokens are not necessarily trusted by both participants to additionally cover threats like side channel attacks, firmware trapdoors and malicious hardware. Our protocols are very efficient and achieve the same level of security as those by Hazay and Lindell for trusted tokens. For untrusted tokens, our protocols ensure privacy against malicious adversaries, and correctness facing covert adversaries.}, title = {Secure Set Intersection with Untrusted Hardware Tokens}, author = {Marc Fischlin and Benny Pinkas and Ahmad-Reza Sadeghi and Thomas Schneider and Ivan Visconti}, booktitle = {11th Cryptographers' Track at the RSA Conference (CT-RSA'11)}, year = {2011}, month = {February 14-18,}, publisher = {Springer}, series = {LNCS}, volume = {6558}, pages = {1--16}, weburl = {http://ct-rsa2011.di.uoa.gr}, doi = {10.1007/978-3-642-19074-2_1}, talkurl = {http://thomaschneider.de/talks/FPSSV11.pdf}, url = {http://thomaschneider.de/papers/FPSSV11.pdf} }  @misc{BNSS11WCSC, author = {Sven Bugiel and Stefan N\"urnberger and Ahmad-Reza Sadeghi and Thomas Schneider}, abstract = {Cloud computing promises a more cost effective enabling technology to outsource storage and computations. Existing approaches for secure outsourcing of data and arbitrary computations are either based on a single tamper-proof hardware, or based on recently proposed fully homomorphic encryption. The hardware based solutions are not scaleable, and fully homomorphic encryption is currently only of theoretical interest and very inefficient.\\ In this paper we propose an architecture for secure outsourcing of data and arbitrary computations to an untrusted commodity cloud. In our approach, the user communicates with a trusted cloud (either a private cloud or built from multiple secure hardware modules) which encrypts and verifies the data stored and operations performed in the untrusted commodity cloud. We split the computations such that the trusted cloud is mostly used for security-critical operations in the less time-critical setup phase, whereas queries to the outsourced data are processed in parallel by the fast commodity cloud on encrypted data.}, title = {{Twin Clouds}: An Architecture for Secure Cloud Computing {(Extended Abstract)}}, year = {2011}, howpublished = {Workshop on Cryptography and Security in Clouds (WCSC'11)}, month = {March 15-16,}, weburl = {http://www.zurich.ibm.com/~cca/csc2011/}, talkurl = {http://thomaschneider.de/talks/BNSS11_TwinClouds_WCSC.pdf}, url = {http://www.zurich.ibm.com/~cca/csc2011/submissions/bugiel.pdf} }  @inproceedings{Schneider11, author = {Thomas Schneider}, title = {{Reden ist Silber - Schweigen ist Gold: Datensparsamkeit durch effizientes Rechnen unter Verschl\"usselung}}, abstract = {Wo immer sensible Daten gespeichert werden zeigt die Praxis, dass es lediglich eine Frage der Zeit ist, bis diese durch ein Sicherheitsleck an unerw\"unschte Personen gelangen. Die einzige M\"oglichkeit, um dies zuverl\"assig zu vermeiden ist Datensparsamkeit, die Daten also erst gar nicht zu speichern. In vielen F\"allen werden die Daten jedoch trotzdem f\"ur Berechnungen ben\"otigt.\\ Dieser Beitrag gibt einen \"Uberblick \"uber Methoden des effizienten Rechnens unter Verschl\"usselung und zeigt, wie diese erm\"oglichen, beliebige Berechnungen auf sensiblen, verschl\"usselten Daten durchzuf\"uhren, ohne dass diese im Klartext gespeichert oder zu irgendeinem Zeitpunkt im Klartext vorliegen m\"ussen. Insbesondere wird hierbei auf Erweiterungen durch sichere Hardware auch im Kontext des Rechnens in der Cloud'', sowie die Unterst\"utzung durch Werkzeuge eingegangen. Als m\"ogliche Anwendungen werden Systeme zur Gesichtserkennung und Klassifikation medizinischer Daten betrachtet, welche die Privatsph\"are erhalten.}, booktitle = {12. Deutscher IT-Sicherheitskongress des BSI: Sicher in die digitale Welt von morgen}, year = {2011}, month = {10.-12. Mai,}, publisher = {SecuMedia-Verlag}, weburl = {http://www.bsi.bund.de/ContentBSI/Aktuelles/Veranstaltungen/IT-SiKongress/12itkongress2011.html}, url = {http://thomaschneider.de/papers/S11.pdf}, pages = {191--198}, isbn = {978-3-922746-96-6}, talkurl = {http://thomaschneider.de/talks/S11.pdf}, puburl = {http://buchshop.secumedia.de/buchshop/index.php?page=detail&match=LISA_NR2=BSI2011} }  @article{BFLSS11, abstract = {Privacy protection is a crucial problem in many biomedical signal processing applications. For this reason particular attention has been given to the use of secure multi party computation techniques for processing biomedical signals, whereby non-trusted parties are able to manipulate the signals although they are encrypted.\\ This paper focuses on the development of a privacy preserving automatic diagnosis system whereby a remote server classifies a biomedical signal provided by the client without getting any information about the signal itself and the final result of the classification. Specifically, we present and compare two methods for the secure classification of ElectroCardioGram (ECG) signals: the former based on Linear Branching Programs (a particular kind of decision tree) and the latter relying on Neural Networks.\\ The paper faces with all the requirements and difficulties related to working with data that must stay encrypted during all the computation steps, including the necessity of working with fixed point arithmetic with no truncation while guaranteeing the same performance of a floating point implementation in the plain domain. A highly efficient version of the underlying cryptographic primitives is used, ensuring a good efficiency of the two proposed methods, from both a communication and computational complexity perspectives.\\ The proposed systems prove that carrying out complex tasks like ECG classification in the encrypted domain efficiently is indeed possible in the semi-honest model, paving the way to interesting future applications wherein privacy of signal owners is protected by applying high security standards.}, author = {Mauro Barni and Pierluigi Failla and Riccardo Lazzeretti and Ahmad-Reza Sadeghi and Thomas Schneider}, title = {Privacy-Preserving {ECG} Classification with Branching Programs and Neural Networks}, journal = {IEEE Transactions on Information Forensics and Security (TIFS)}, pages = {452--468}, volume = {6}, number = {2}, month = {June}, year = {2011}, weburl = {http://www.signalprocessingsociety.org/publications/periodicals/forensics/}, doi = {10.1109/TIFS.2011.2108650}, url = {http://thomaschneider.de/papers/BFLSS11.pdf} }  @inproceedings{BNPSS11, abstract = {Cloud Computing is an emerging technology promising new business opportunities and easy deployment of web services.\\ Much has been written about the risks and benefits of cloud computing in the last years. The literature on clouds often points out security and privacy challenges as the main obstacles, and proposes solutions and guidelines to avoid them. However, most of these works deal with either malicious cloud providers or customers, but ignore the severe threats caused by unaware users.\\ In this paper we consider security and privacy aspects of \emph{real-life} cloud deployments, independently from malicious cloud providers or customers. We focus on the popular Amazon Elastic Compute Cloud (EC2) and give a detailed and systematic analysis of various crucial vulnerabilities in publicly available and widely used Amazon Machine Images (AMIs) and show how to eliminate them.\\ Our Amazon \underline{I}mage \underline{A}ttacks (AmazonIA) deploy an automated tool that uses only publicly available interfaces and makes \emph{no} assumptions on the underlying cloud infrastructure. We were able to extract highly sensitive information (including passwords, keys, and credentials) from a variety of publicly available AMIs. The extracted information allows to (i) start (botnet) instances worth thousands of dollars per day, (ii) provide backdoors into the running machines, (iii) launch impersonation attacks, or (iv) access the source code of the entire web service. Our attacks can be used to completely compromise several real web services offered by companies (including IT-security companies), e.g., for website statistics/user tracking, two-factor authentication, or price comparison. Further, we show mechanisms to identify the AMI of certain running instances.\\ Following the maxim security and privacy by design'' we show how our automated tools together with changes to the user interface can be used to mitigate our attacks.}, author = {Sven Bugiel and Thomas P\"oppelmann and Stefan N\"urnberger and Ahmad-Reza Sadeghi and Thomas Schneider}, title = {{AmazonIA}: When Elasticity Snaps Back}, year = {2011}, booktitle = {18th ACM Conference on Computer and Communications Security (CCS'11)}, month = {October 17-21,}, publisher = {ACM}, weburl = {http://www.sigsac.org/ccs/CCS2011/}, doi = {10.1145/2046707.2046753}, note = {See \url{http://trust.cased.de/AMID}}, url = {http://thomaschneider.de/papers/BNPSS11.pdf}, pages = {389--400} }  @inproceedings{BNSS11, abstract = {Cloud computing promises a cost effective enabling technology to outsource storage and massively parallel computations. However, existing approaches for provably secure outsourcing of data and arbitrary computations are either based on tamper-proof hardware or fully homomorphic encryption. The former approaches are not scaleable, while the latter ones are currently not efficient enough to be used in practice. We propose an architecture and protocols that accumulate slow secure computations over time and provide the possibility to query them in parallel on demand by leveraging the benefits of cloud computing. In our approach, the user communicates with a resource-constrained Trusted Cloud (either a private cloud or built from multiple secure hardware modules) which encrypts algorithms and data to be stored and later on queried in the powerful but untrusted Commodity Cloud. We split our protocols such that the Trusted Cloud performs security-critical pre-computations in the setup phase, while the Commodity Cloud computes the time-critical query in parallel under encryption in the query phase.}, author = {Sven Bugiel and Stefan N\"urnberger and Ahmad-Reza Sadeghi and Thomas Schneider}, title = {{Twin Clouds}: Secure Cloud Computing with Low Latency}, year = {2011}, booktitle = {12th Communications and Multimedia Security Conference (CMS'11)}, month = {October 19-21,}, publisher = {Springer}, series = {LNCS}, volume = {7025}, pages = {32--44}, weburl = {http://www.cms2011.net/}, url = {http://thomaschneider.de/papers/BNSS11.pdf}, doi = {10.1007/978-3-642-24712-5_3}, note = {Best Paper Award} }  @inproceedings{ALSS12, abstract = {The diversity of computing platforms is increasing rapidly. In order to allow security applications to run on such diverse platforms, implementing and optimizing the same cryptographic primitives for multiple target platforms and heterogeneous systems can result in high costs. In this paper, we report our efforts in developing and benchmarking a platform-independent Crypto Tools Library (CTL). CTL is based on a dataflow programming framework called Reconfigurable Video Coding (RVC), which was recently standardized by ISO/IEC for building complicated reconfigurable video codecs. CTL benefits from various properties of the RVC framework including tools to 1) simulate the platform-independent designs, 2) automatically generate implementations in different target programming languages (e.g., C/C++, Java, LLVM, and Verilog/VHDL) for deployment on different platforms as software and/or hardware modules, and 3) design space exploitation such as automatic parallelization for multi- and many-core systems. We benchmarked the performance of the SHA-256 implementation in CTL on single-core target platforms and demonstrated that implementations automatically generated from platform-independent RVC applications can achieve a run-time performance comparable to reference implementations manually written in C and Java. For a quad-core target platform, we benchmarked a 4-adic hash tree application based on SHA-256 that achieves a performance gain of up to 300\% for hashing messages of size 8 MB.}, author = {Junaid Jameel Ahmad and Shujun Li and Ahmad-Reza Sadeghi and Thomas Schneider}, booktitle = {16th International Conference on Financial Cryptography and Data Security (FC'12)}, month = {February 27 - March 2,}, publisher = {Springer}, series = {LNCS}, title = {{CTL}: A Platform-Independent Crypto Tools Library Based on Dataflow Programming Paradigm}, weburl = {http://fc12.ifca.ai}, year = {2012}, url = {http://thomaschneider.de/papers/ALSS12.pdf}, volume = {7397}, pages = {299--313}, note = {Full version available at \url{http://eprint.iacr.org/2011/679}.}, doi = {10.1007/978-3-642-32946-3_22} }  @book{Schneider12Book, author = {Thomas Schneider}, title = {Engineering Secure Two-Party Computation Protocols: Design, Optimization, and Applications of Efficient Secure Function Evaluation}, publisher = {Springer-Verlag Berlin Heidelberg}, isbn = {978-3-642-30041-7}, puburl = {http://www.springer.com/computer/security+and+cryptology/book/978-3-642-30041-7}, year = 2012, pages = {138}, month = {August 4,}, note = {\url{http://thomaschneider.de/engineeringSFEbook}}, doi = {10.1007/978-3-642-30042-4} }  @techreport{PBS12, title = {The design and implementation of a two-party protocol suite for {SHAREMIND} 3}, author = {Pille Pullonen and Dan Bogdanov and Thomas Schneider}, institution = {CYBERNETICA Institute of Information Security}, note = {T-4-17}, year = {2012}, url = {http://research.cyber.ee/reports/T-4-17-The-design-and-implementation-of-a-two-party-protocol-suite-for-Sharemind-3.pdf} }  @inproceedings{SZ12, author = {Thomas Schneider and Michael Zohner}, booktitle = {17. Workshop der Fachgruppe Kryptographie in der Gesellschaft f\"ur Informatik (Kryptotag)}, month = {December 7,}, title = {Efficient Secure Two-Party Computation}, weburl = {http://pi1.informatik.uni-mannheim.de/index.php?pagecontent=site/Events.menu/Kryptotag.menu/17.%20Kryptotag.page}, year = {2012} }  @article{KSS13, abstract = { General two-party Secure Function Evaluation (SFE) allows mutually distrusting parties to correctly compute any function on their private input data, without revealing the inputs. Two-party SFE can benefit almost any client-server interaction where privacy is required, such as privacy-preserving credit checking, medical classification, or face recognition. Today, SFE is a subject of immense amount of research in a variety of directions and is not easy to navigate. In this article, we systematize the most practically important works of the vast research knowledge on general SFE. We argue that in many cases the most efficient SFE protocols are obtained by combining several basic techniques, e.g., garbled circuits and (additively) homomorphic encryption. As a valuable methodological contribution, we present a framework in which today's most efficient techniques for general SFE can be viewed as building blocks with well-defined interfaces that can be easily combined into a complete efficient solution. Further, our approach naturally allows automated protocol generation (compilation) and has been implemented partially in the TASTY framework. In summary, we provide a comprehensive guide in state-of-the-art SFE, with the additional goal of extracting, systematizing and unifying the most relevant and promising general SFE techniques. Our target audience are graduate students wishing to enter the SFE field and advanced engineers seeking to develop SFE solutions. We hope our guide paints a high-level picture of the field, including most common approaches and their trade-offs and gives precise and numerous pointers to formal treatment of its specific aspects.}, author = {Vladimir Kolesnikov and Ahmad-Reza Sadeghi and Thomas Schneider}, month = {01}, number = {2}, volume = {21}, pages = {283--315}, title = {A Systematic Approach to Practically Efficient General Two-Party Secure Function Evaluation Protocols and their Modular Design}, journal = {Journal of Computer Security (JCS)}, doi = {10.3233/JCS-130464}, url = {http://thomaschneider.de/papers/KSS13.pdf}, year = {2013}, publisher = {IOS Press}, weburl = {http://www.iospress.nl/journal/journal-of-computer-security/}, note = {Preliminary version available at \url{http://eprint.iacr.org/2010/079}} }  @misc{KSS13_short, title = {Automatic Protocol Selection in Secure Two-Party Computations}, author = {Florian Kerschbaum and Thomas Schneider and Axel Schr\"opfer}, howpublished = {20th Network \& Distributed System Security Symposium (NDSS'13)}, month = {February 24-27,}, year = {2013}, weburl = {http://www.internetsociety.org/events/ndss-symposium-2013}, url = {http://www.internetsociety.org/sites/default/files/automatic%20protocol%20selection%20in%20secure%20two-party%20computations.pdf}, note = {Short Talk} }  @inproceedings{SZ13, abstract = {Secure two-party computation is a rapidly emerging field of research and enables a large variety of privacy-preserving applications such as mobile social networks or biometric identification. In the late eighties, two different approaches were proposed: Yao’s garbled circuits and the protocol of Goldreich-Micali-Wigderson (GMW). Since then, research has mostly focused on Yao’s garbled circuits as they were believed to yield better efficiency due to their constant round complexity. In this work we give several optimizations for an efficient implementation of the GMW protocol. We show that for semi-honest adversaries the optimized GMW protocol can outperform today’s most efficient implementations of Yao’s garbled circuits, but highly depends on a low network latency. As a first step to overcome these latency issues, we summarize depth-optimized circuit constructions for various standard tasks. As application scenario we consider privacy-preserving face recognition and show that our optimized framework is up to 100 times faster than previous works even in settings with high network latency.}, author = {Thomas Schneider and Michael Zohner}, title = {{GMW} vs. {Yao}? {E}fficient Secure Two-Party Computation with Low Depth Circuits}, booktitle = {17th International Conference on Financial Cryptography and Data Security (FC'13)}, year = {2013}, publisher = {Springer}, series = {LNCS}, volume = {7859}, pages = {275--292}, month = {April 1-5,}, url = {http://thomaschneider.de/papers/SZ13.pdf}, weburl = {http://fc13.ifca.ai}, doi = {10.1007/978-3-642-39884-1_23} }  @inproceedings{HS13, abstract = {Secure two-party computation is used as the basis for a large variety of privacy-preserving protocols, but often concerns about the low performance hinder the move away from nonprivate solutions. In this paper we present an improved implementation of Yao’s garbled circuit protocol in the semi-honest adversaries setting which is up to 10 times faster than previous implementations. Our improvements include (1) the first multi-threaded implementation of the base oblivious transfers resulting in a speedup of a factor of two, (2) techniques for minimizing the memory footprint during oblivious transfer extensions and processing of circuits, (3) compilation of sub-circuits into files, and (4) caching of circuit descriptions and network packets. We implement improved circuit building blocks from the literature and present for the first time performance results for secure evaluation of the ultra-lightweight block cipher PRESENT within 7 ms online time.}, author = {Wilko Henecka and Thomas Schneider}, title = {Faster Secure Two-Party Computation with Less Memory}, booktitle = {8th ACM Symposium on Information, Computer and Communications Security (ASIACCS'13)}, month = {May 7-10,}, year = {2013}, publisher = {ACM}, url = {http://thomaschneider.de/papers/HS13.pdf}, weburl = {http://hise.hznu.edu.cn/asiaccs/}, talkurl = {http://thomaschneider.de/talks/HS13.pdf}, pages = {437--446}, doi = {10.1145/2484313.2484369} }  @inproceedings{ADNRSSS13, abstract = { Mobile smart devices and services have become an integral part of our daily life. In this context there are many compelling scenarios for mobile device users to share resources. A popular example is tethering. However, sharing resources also raises privacy and security issues. In this paper, we present CrowdShare, a complete framework and its (Android) implementation for secure and private resource sharing among nearby devices. CrowdShare provides pseudonymity for users, accountability of resource usage, and the possibility of specifying access control in terms of social network relationships. Further, CrowdShare preserves secure connectivity between nearby devices even in the absence of the mobile infrastructure. We have implemented CrowdShare on Android devices and report good performance results.}, author = {N. Asokan and Alexandra Dmitrienko and Marcin Nagy and Elena Reshetova and Ahmad-Reza Sadeghi and Thomas Schneider and Stanislaus Stelle}, title = {{CrowdShare}: Secure Mobile Resource Sharing}, booktitle = {11th International Conference on Applied Cryptography and Network Security (ACNS'13)}, month = {June 25-28,}, year = {2013}, publisher = {Springer}, series = {LNCS}, volume = {7954}, pages = {432--440}, weburl = {http://acns2013.cpsc.ucalgary.ca}, url = {http://thomaschneider.de/papers/ADNRSSS13.pdf}, doi = {10.1007/978-3-642-38980-1_27} }  @inproceedings{ALSZ13, abstract = { Protocols for secure computation enable parties to compute a joint function on their private inputs without revealing anything but the result. A foundation for secure computation is oblivious transfer (OT), which traditionally requires expensive public key cryptography. A more efficient way to perform many OTs is to extend a small number of base OTs using OT extensions based on symmetric cryptography. In this work we present optimizations and efficient implementations of OT and OT extensions in the semi-honest model. We propose a novel OT protocol with security in the standard model and improve OT extensions with respect to communication complexity, computation complexity, and scalability. We also provide specific optimizations of OT extensions that are tailored to the secure computation protocols of Yao and Goldreich-Micali-Wigderson and reduce the communication complexity even further. We experimentally verify the efficiency gains of our protocols and optimizations. By applying our implementation to current secure computation frameworks, we can securely compute a Levenshtein distance circuit with 1.29 billion AND gates at a rate of 1.2 million AND gates per second. Moreover, we demonstrate the importance of correctly implementing OT within secure computation protocols by presenting an attack on the FastGC framework.}, author = {Gilad Asharov and Yehuda Lindell and Thomas Schneider and Michael Zohner}, title = {More Efficient Oblivious Transfer and Extensions for Faster Secure Computation}, booktitle = {20th ACM Conference on Computer and Communications Security (CCS'13)}, month = {November 4-8,}, year = {2013}, publisher = {ACM}, pages = {535--548}, doi = {10.1145/2508859.2516738}, url = {http://thomaschneider.de/papers/ALSZ13.pdf}, weburl = {http://www.sigsac.org/ccs/CCS2013/}, note = {Full version available at \url{http://eprint.iacr.org/2013/552}; code at \url{http://encrypto.de/code/OTExtension}} }