Publications‎ > ‎

Bibtex

@mastersthesis{Schneider07Thesis,
  author = {Thomas Schneider},
  month = {July 10,},
  school = {University Erlangen-N{\"u}rnberg, Germany},
  title = {Secure Task Migration and Interprocess Communication in 
    Reconfigurable, Distributed, Embedded Systems},
  type = {{B}achelor's thesis},
  url = {http://thomaschneider.de/papers/S07Thesis.pdf},
  year = {2007}
}
@inproceedings{KS08UC,
  abstract = {We consider general secure function evaluation (SFE) of {\em 
    private functions} (PF-SFE). Recall, privacy of functions is often most 
    efficiently achieved by general SFE [Yao82,Yao86,LP04] of a Universal 
    Circuit (UC).\\ Our main contribution is a new simple and efficient UC 
    construction. Our circuit $UC_k$, universal for circuits of $k$ gates, has 
    size $\sim 1.5 k \log^2 k$ and depth $\sim k \log k$. It is up to $50\%$ 
    smaller than the best UC (of Valiant [Valiant76], of size $\sim 19k\log k$) 
    for circuits of size up to $\approx 5000$ gates.\\ Our improvement results 
    in corresponding performance improvement of SFE of (small) private 
    functions. Since, due to cost, only small circuits (i.e. $<5000$ gates) are 
    practical for PF-SFE, our construction appears to be the best fit for many 
    practical PF-SFE.\\ We implement PF-SFE based on our UC and Fairplay SFE 
    system [MNPS04].},
  author = {Vladimir Kolesnikov and Thomas Schneider},
  booktitle = {12th International Conference on Financial Cryptography and 
    Data Security (FC'08)},
  month = {January 28-31,},
  note = {Code: \url{http://encrypto.de/code/FairplayPF}.},
  pages = {83--97},
  publisher = {Springer},
  puburl = {http://dx.doi.org/10.1007/978-3-540-85230-8_7},
  rate = {$19.1\%$},
  series = {LNCS},
  title = {A Practical Universal Circuit Construction and Secure Evaluation 
    of Private Functions},
  url = {http://thomaschneider.de/papers/KS08UC.pdf},
  volume = {5143},
  weburl = {http://fc08.ifca.ai},
  year = {2008},
  doi = {10.1007/978-3-540-85230-8_7}
}
@misc{patentUC,
  author = {Vladimir Kolesnikov and Thomas Schneider},
  abstract = {An exemplary method enables implementation of a universal 
    circuit capable of emulating each gate of a circuit designed to calculate a 
    function. A first selection module receives inputs associated with the 
    function. It generates outputs that are an ordered series of the inputs. A 
    universal module receives these outputs and generates another set of 
    outputs. A second selection module receives the outputs from the universal 
    module and generates final function outputs that are an ordered series 
    inputs received from the universal module. The selection modules and 
    universal module themselves are also aspects of the present invention.},
  howpublished = {U.S. patent no 8175854 (applied July 14, 2008; issued May 
    8, 2012)},
  title = {Universal Circuit for Secure Function Evaluation},
  month = {July},
  year = {2008},
  puburl = {http://www.google.com/patents/US20090140767}
}
@mastersthesis{Schneider08Thesis,
  abstract = {This thesis focuses on practical aspects of general two-party 
    Secure Function Evaluation (SFE). We give a new SFE protocol that allows 
    free evaluation of XOR gates and is provably secure against semi-honest 
    adversaries in the random oracle model.
Furthermore, the extension of SFE to private functions (PF-SFE) using 
    universal circuits (UC) is considered. Based on our new practical UC 
    construction, FairplayPF is implemented as extension of the well-known 
    Fairplay SFE system to demonstrate practicability of UC-based PF-SFE.
Also new protocols for SFE and PF-SFE of functions alternatively 
    represented as Ordered Binary Decision Diagram (OBDD) are given.},
  author = {Thomas Schneider},
  month = {February 27,},
  school = {University Erlangen-N{\"u}rnberg, Germany},
  title = {Practical Secure Function Evaluation},
  url = {http://thomaschneider.de/papers/S08Thesis.pdf},
  year = {2008}
}
@inproceedings{S08,
  author = {Thomas Schneider},
  booktitle = {Fachwissenschaftlicher Informatik-Kongress (Informatiktage 
    2008)},
  month = {March 14,},
  pages = {37--40},
  publisher = {GI},
  puburl = {http://www.gi.de/service/publikationen/lni/mehr-zur-schriftenreihe/seminars/gi-edition-seminars-s-6.html},
  series = {LNI},
  title = {Practical Secure Function Evaluation},
  url = {http://thomaschneider.de/papers/S08Abstract.pdf},
  posterurl = {http://thomaschneider.de/papers/S08Poster.pdf},
  volume = {S-6},
  weburl = {http://informatiktage.gi.de/informatiktage/rueckblicke/informatiktage-2008.html},
  year = {2008}
}
@inproceedings{KSS08,
  author = {Vladimir Kolesnikov and Thomas Schneider and Volker Strehl},
  booktitle = {8. Workshop der Fachgruppe Kryptographie in der Gesellschaft 
    f\"ur Informatik (Kryptotag)},
  month = {April 11,},
  volume = {WSI-2008-02},
  title = {Practical Secure Function Evaluation},
  url = {http://thomaschneider.de/papers/KSS08.pdf},
  weburl = {http://www-dm.informatik.uni-tuebingen.de/kryptotag/},
  year = {2008}
}
@inproceedings{KS08XOR,
  abstract = {We present a new garbled circuit construction for two-party 
    secure function evaluation (SFE). In our one-round protocol, XOR gates are 
    evaluated ``for free'', which results in the corresponding improvement over 
    the best garbled circuit implementations (e.g. Fairplay [MNPS04]).\\ We 
    build permutation networks [Waksman68] and Universal Circuits (UC) 
    [Valiant76] almost exclusively of XOR gates; this results in a factor of up 
    to $4$ improvement (in both computation and communication) of their SFE. We 
    also improve integer addition and equality testing by factor of up to 
    $2$.\\ We rely on the Random Oracle (RO) assumption. Our constructions are 
    proven secure in the semi-honest model.},
  author = {Vladimir Kolesnikov and Thomas Schneider},
  booktitle = {35th International Colloquium on Automata, Languages and 
    Programming (ICALP'08)},
  month = {July 6-13,},
  pages = {486--498},
  publisher = {Springer},
  doi = {10.1007/978-3-540-70583-3_40},
  rate = {$30\%$},
  series = {LNCS},
  title = {Improved Garbled Circuit: Free {XOR} Gates and Applications},
  url = {http://thomaschneider.de/papers/KS08XOR.pdf},
  volume = {5126},
  weburl = {http://www2.ru.is/icalp08/},
  year = {2008}
}
@misc{patentXOR,
  author = {Vladimir Kolesnikov and Thomas Schneider},
  abstract = {An embodiment of the present invention provides a method that 
    minimizes the number of entries required in a garbled circuit associated 
    with secure function evaluation of a given circuit. Exclusive OR (XOR) 
    gates are evaluated in accordance with an embodiment of the present 
    invention without the need of associated entries in the garbled table to 
    yield minimal computational and communication effort. This improves the 
    performance of SFE evaluation. Another embodiment of the present invention 
    provides a method that replaces regular gates with more efficient 
    constructions containing XOR gates in an implementation of a Universal 
    Circuit, and circuits for integer addition and multiplication, thereby 
    maximizing the performance improvement provided by the above.},
  howpublished = {U.S. patent no 8443205 (applied October 24, 2008; issued 
    May 14, 2013)},
  title = {Secure Function Evaluation Techniques for Circuits Containing 
    {XOR} Gates with Applications to Universal Circuits},
  month = {October},
  year = {2008},
  puburl = {http://www.google.com/patents/US8443205}
}
@inproceedings{SS08,
  abstract = {Secure Evaluation of Private Functions (PF-SFE) allows two 
    parties to compute a private function which is known by one party only on 
    private data of both. It is known that PF-SFE can be reduced to Secure 
    Function Evaluation (SFE) of a Universal Circuit (UC). Previous UC 
    constructions only simulated circuits with gates of $d=2$ inputs while 
    gates with $d>2$ inputs were decomposed into many gates with $2$ inputs 
    which is inefficient for large $d$ as the size of UC heavily depends on the 
    number of gates.\\ We present generalized UC constructions to efficiently 
    simulate any circuit with gates of $d \ge 2$ inputs having efficient 
    circuit representation. Our constructions are non-trivial generalizations 
    of previously known UC constructions.\\ As application we show how to 
    securely evaluate private functions such as neural networks (NN) which are 
    increasingly used in commercial applications. Our provably secure PF-SFE 
    protocol needs only one round in the semi-honest model (or even no online 
    communication at all using non-interactive oblivious transfer) and 
    evaluates a generalized UC that entirely hides the structure of the private 
    NN. This enables applications like privacy-preserving data classification 
    based on private NNs without trusted third party while simultaneously 
    protecting user's data and NN owner's intellectual property.},
  author = {Ahmad-Reza Sadeghi and Thomas Schneider},
  booktitle = {11th International Conference on Information Security and 
    Cryptology (ICISC'08)},
  month = {December 3-5,},
  note = {Full version: \url{http://eprint.iacr.org/2008/453}.},
  pages = {336--353},
  publisher = {Springer},
  doi = {10.1007/978-3-642-00730-9_21},
  rate = {$19.8\%$},
  series = {LNCS},
  title = {Generalized Universal Circuits for Secure Evaluation of Private 
    Functions with Application to Data Classification},
  url = {http://thomaschneider.de/papers/SS08.pdf},
  volume = {5461},
  weburl = {http://www.icisc.org/icisc08/asp/cfp.html},
  year = {2008}
}
@inproceedings{BBKSST09,
  abstract = {Efficient zero-knowledge proofs of knowledge (ZK-PoK) are 
    basic building blocks of many practical cryptographic applications such as 
    identification schemes, group signatures, and secure multiparty 
    computation. Currently, first applications that critically rely on ZK-PoKs 
    are being deployed in the real world. The most prominent example is Direct 
    Anonymous Attestation (DAA), which was adopted by the Trusted Computing 
    Group (TCG) and implemented as one of the functionalities of the 
    cryptographic Trusted Platform Module (TPM) chip.\\ Implementing systems 
    using ZK-PoK turns out to be challenging, since ZK-PoK are, loosely 
    speaking, significantly more complex than standard crypto primitives, such 
    as encryption and signature schemes. As a result, implementation cycles of 
    ZK-PoK are time-consuming and error-prone, in particular for developers 
    with minor or no cryptographic skills.\\ In this paper we report on our 
    ongoing and future research vision with the goal to bring ZK-PoK to 
    practice by making them accessible to crypto and security engineers. To 
    this end we are developing compilers and related tools that support and 
    partially automate the design, implementation, verification and secure 
    implementation of ZK-PoK protocols.},
  author = {Endre Bangerter and Stefania Barzan and Stephan Krenn and 
    Ahmad-Reza Sadeghi and Thomas Schneider and Joe-Kai Tsay},
  booktitle = {17th International Workshop on Security Protocols (SPW'09)},
  month = {April 1-3,},
  note = {Full version: \url{http://eprint.iacr.org/2009/211}.},
  title = {Bringing Zero-Knowledge Proofs of Knowledge to Practice},
  series = {LNCS},
  volume = {7028},
  pages = {51--62},
  publisher = {Springer},
  doi = {10.1007/978-3-642-36213-2_9},
  url = {http://thomaschneider.de/papers/BBKSST09.pdf},
  year = {2009}
}
@misc{BCKSS09,
  abstract = {Efficient zero-knowledge proofs of knowledge (ZK-PoK) are 
    basic building blocks of many practical cryptographic applications such as 
    identification schemes, group signatures, and secure multiparty 
    computation. Currently, first applications that critically rely on ZK-PoKs 
    are being deployed in the real world. The most prominent example is Direct 
    Anonymous Attestation (DAA), which was adopted by the Trusted Computing 
    Group (TCG) and implemented as one of the functionalities of the 
    cryptographic chip Trusted Platform Module (TPM).\\ Implementing systems 
    using ZK-PoK turns out to be challenging, since ZK-PoK are, loosely 
    speaking, significantly more complex than standard crypto primitives, such 
    as encryption and signature schemes. As a result, implementation cycles of 
    ZK-PoK are time-consuming and error-prone, in particular for developers 
    with minor or no cryptographic skills.\\ In this paper we report on our 
    ongoing and future research vision with the goal to bring ZK-PoK to 
    practice by automatically generating sound ZK-PoK protocols and make them 
    accessible to crypto and security engineers. To this end we are developing 
    protocols and compilers that support and automate the design and generation 
    of secure and efficient implementation of ZK-PoK protocols.},
  author = {Endre Bangerter and Jan Camenisch and Stephan Krenn and 
    Ahmad-Reza Sadeghi and Thomas Schneider},
  howpublished = {28th Advances in Cryptology -- EUROCRYPT 2009 Poster 
    Session},
  month = {April 26-30,},
  note = {Full version: \url{http://eprint.iacr.org/2008/471}.},
  posterurl = {http://thomaschneider.de/papers/BCKSS09Poster.pdf},
  rate = {$33\%$ for papers and posters},
  title = {Automatic Generation of Sound Zero-Knowledge Protocols},
  url = {http://thomaschneider.de/papers/BCKSS09Abstract.pdf},
  weburl = {http://www.iacr.org/conferences/eurocrypt2009/},
  year = {2009}
}
@inproceedings{PSS09,
  abstract = {Two-party Secure Function Evaluation (SFE) is a very useful 
    cryptographic tool which allows two parties to evaluate a function known to 
    both parties on their private (secret) inputs. Some applications with 
    sophisticated privacy needs require the function to be known only to one 
    party and kept private (hidden) from the other one. However, existing 
    solutions for SFE of private functions (PF-SFE) deploy Universal Circuits 
    (UC) and are still very inefficient in practice.\\ In this paper we bridge 
    the gap between SFE and PF-SFE with SFE of what we call {\em semi-private 
    functions} (SPF-SFE), i.e., one function out of a given class of functions 
    is evaluated without revealing which one.\\ We present a general framework 
    for SPF-SFE allowing a fine-grained trade-off and tuning between SFE and 
    PF-SFE covering both extremes. In our framework, semi-private functions can 
    be composed from several privately programmable blocks (PPB) which can be 
    programmed with one function out of a class of functions. The framework 
    allows efficient and secure embedding of constants into the resulting 
    circuit to improve performance. To show practicability of the framework we 
    have implemented a compiler for SPF-SFE based on the Fairplay SFE 
    framework.\\ SPF-SFE is sufficient for many practically relevant 
    privacy-preserving applications, such as privacy-preserving credit checking 
    which can be implemented with our framework and compiler as described in 
    the paper.},
  author = {Annika Paus and Ahmad-Reza Sadeghi and Thomas Schneider},
  booktitle = {7th International Conference on Applied Cryptography and 
    Network Security (ACNS'09)},
  month = {June 2-5,},
  note = {Full version: \url{http://eprint.iacr.org/2009/124}. Code: 
    \url{http://encrypto.de/code/FairplaySPF}.},
  pages = {89--106},
  publisher = {Springer},
  doi = {10.1007/978-3-642-01957-9_6},
  rate = {$21.3\%$},
  series = {LNCS},
  title = {Practical Secure Evaluation of Semi-Private Functions},
  url = {http://thomaschneider.de/papers/PSS09.pdf},
  volume = {5536},
  year = {2009}
}
@inproceedings{KSS09SPEED,
  abstract = {We show how two existing paradigms for two-party secure 
    function evaluation (SFE) in the semi-honest model can be combined securely 
    and efficiently -- those based on additively homomorphic encryption (HE) 
    with those based on garbled circuits (GC) and vice versa.\\ Additionally, 
    we propose new GC constructions for addition, subtraction, multiplication, 
    and comparison functions. Our circuits are approximately two times smaller 
    (in terms of garbled tables) than previous constructions. This implies 
    corresponding computation and communication improvements in SFE of 
    functions using the above building blocks (including the protocols for 
    combining HE and GC).\\ Based on these results, we present efficient 
    constant-round protocols for secure integer comparison, and the related 
    problems of minimum selection and minimum distance, which are crucial 
    building blocks of many cryptographic schemes such as privacy preserving 
    biometric authentication (e.g., face recognition, fingerprint matching, 
    etc).},
  author = {Vladimir Kolesnikov and Ahmad-Reza Sadeghi and Thomas 
    Schneider},
  booktitle = {1st International Workshop on Signal Processing in the 
    EncryptEd Domain (SPEED'09)},
  month = {September 10,},
  title = {How to Combine Homomorphic Encryption and Garbled Circuits - 
    Improved Circuits and Computing the Minimum Distance Efficiently},
  url = {http://thomaschneider.de/papers/KSS09SPEED.pdf},
  year = {2009}
}
@inproceedings{BFKLSS09SPEED,
  abstract = {We describe a privacy-preserving system where a server can 
    classify an ElectroCardioGram (ECG) signal without learning any information 
    about the ECG signal and the client is prevented from gaining knowledge 
    about the classificationalgorithm used by the server. The system relies on 
    the concept of Linear Branching Programs (LBP) and a recently proposed 
    cryptographic protocol for secure evaluation of private LBPs. We study the 
    trade-off between signal representation accuracy and system complexity both 
    from practical and theoretical perspective. We show how the overall system 
    complexity can be strongly reduced by modifying the original ECG 
    classification algorithm. Two alternatives of the underlying cryptographic 
    protocol are implemented and their corresponding complexities are analyzed 
    to show suitability of our system in real-life applications for current and 
    future security levels.},
  author = {Mauro Barni and Pierluigi Failla and Vladimir Kolesnikov and 
    Riccardo Lazzeretti and Ahmad-Reza Sadeghi and Thomas Schneider},
  booktitle = {1st International Workshop on Signal Processing in the 
    EncryptEd Domain (SPEED'09)},
  month = {September 10,},
  title = {Combining Signal Processing and Cryptographic Protocol Design 
    for Efficient {ECG} Classification},
  url = {http://thomaschneider.de/papers/BFKLSS09SPEED.pdf},
  year = {2009}
}
@inproceedings{BBHKSS09,
  abstract = {Efficient-knowledge proofs knowledge (ZK-PoK) are basic 
    building blocks of many practical cryptographic applications such as 
    identification schemes, group signatures, and secure multi-party 
    computation (SMPC). Currently, first applications that essentially rely on 
    ZK-PoKs are being deployed in the real world. The most prominent example is 
    the Direct Anonymous Attestation (DAA) protocol, which was adopted by the 
    Trusted Computing Group (TCG) and implemented as one of the functionalities 
    of the cryptographic chip Trusted Platform Module (TPM).\\ Implementing 
    systems using ZK-PoK turns out to be challenging, since ZK-PoK are 
    significantly more complex than standard crypto primitives (e.g., 
    encryption and signature schemes). As a result, the design-implementation 
    cycles of ZK-PoK are time-consuming and error-prone.\\ To overcome this, we 
    present a compiler with corresponding languages for the automatic 
    generation of sound and efficient ZK-PoK based on $\Sigma$-protocols. The 
    protocol designer using our compiler formulates the goal of a ZK-PoK proof 
    in a high-level protocol specification language, which	Abstracts away 
    unnecessary technicalities from the designer. The compiler then 
    automatically generates the protocol implementation in Java code; 
    alternatively, the compiler can output a description of the protocol in 
    \LaTeX\ which can be used for documentation or verification.},
  author = {Endre Bangerter and Thomas Briner and Wilko Henecka and Stephan 
    Krenn and Ahmad-Reza Sadeghi and Thomas Schneider},
  booktitle = {6th European Workshop on Public Key Services, Applications 
    and Infrastructures (EUROPKI'09)},
  month = {September 10-11,},
  publisher = {Springer},
  series = {LNCS},
  rate = {$45.0\%$},
  volume = {6391},
  pages = {67--82},
  title = {Automatic Generation of Sigma-Protocols},
  url = {http://thomaschneider.de/papers/BBHKSS09.pdf},
  doi = {10.1007/978-3-642-16441-5_5},
  year = {2009},
  note = {Code: \url{http://www.cace-project.eu/index.php?Itemid=15}.}
}
@inproceedings{BFKLSS09,
  abstract = {Diagnostic and classification algorithms play an important 
    role in data analysis, with applications in areas such as health care, 
    fault diagnostics, or benchmarking. Branching programs (BP) is a popular 
    representation model for describing the underlying 
    classification/diagnostics algorithms. Typical application scenarios 
    involve a client who provides data and a service provider (server) whose 
    diagnostic program is run on client's data. Both parties need to keep their 
    inputs private.\\ We present new, more efficient privacy-protecting 
    protocols for remote evaluation of such classification/diagnostic programs. 
    In addition to efficiency improvements, we generalize previous solutions -- 
    we securely evaluate private linear branching programs (LBP), a useful 
    generalization of BP that we introduce. We show practicality of our 
    solutions: we apply our protocols to the privacy-preserving classification 
    of medical ElectroCardioGram (ECG) signals and present implementation 
    results. Finally, we discover and fix a subtle security weakness of the 
    most recent remote diagnostic proposal, which allowed malicious clients to 
    learn partial information about the program.},
  author = {Mauro Barni and Pierluigi Failla and Vladimir Kolesnikov and 
    Riccardo Lazzeretti and Ahmad-Reza Sadeghi and Thomas Schneider},
  booktitle = {14th European Symposium on Research in Computer Security 
    (ESORICS'09)},
  month = {September 21-25,},
  note = {Full version: \url{http://eprint.iacr.org/2009/195}.},
  pages = {424--439},
  publisher = {Springer},
  doi = {10.1007/978-3-642-04444-1_26},
  rate = {$19.1\%$},
  series = {LNCS},
  title = {Secure Evaluation of Private Linear Branching Programs with 
    Medical Applications},
  url = {http://thomaschneider.de/papers/BFKLSS09.pdf},
  volume = {5789},
  weburl = {http://conferences.telecom-bretagne.eu/esorics2009/EN/home.php},
  year = {2009}
}
@inproceedings{BKSST09,
  abstract = {Zero-knowledge proofs of knowledge (ZK-PoK) play an important 
    role in many cryptographic applications. Direct anonymous attestation (DAA) 
    and the identity mixer anonymous authentication system are first real world 
    applications using ZK-PoK as building blocks. But although being used for 
    many years now, design and implementation of sound ZK-PoK remains 
    challenging. In fact, there are security flaws in various protocols found 
    in literatur. Especially for non-experts in the field it is often hard to 
    design ZK-PoK, since a unified and easy to use theoretical framework on 
    ZK-PoK is missing.\\ With this paper we overcome important challenges and 
    facilitate the design and implementation of efficient and sound ZK-PoK in 
    practice. First, Camenisch et al. have presented at EUROCRYPT 2009 a first 
    unified and modular theoretical framework for ZK-PoK. This is compelling, 
    but makes use of a rather inefficient 6-move protocol. We extend and 
    improve their framework in terms of efficiency and show how to realize it 
    using efficient 3-move $\Sigma$-protocols. Second, we perform an exact 
    security and efficiency analysis for our new protocol and various protocols 
    found in the literature. The analysis yields novel - and perhaps surprising 
    - results and insights. It reveals for instance that using a 2048 bit RSA 
    modulus, as specified in the DAA standard, only guarantees an upper bound 
    on the success probability of a malicious prover between $1/24$ and 
    $1/224$. Also, based on that analysis we show how to select the most 
    efficient protocol to realize a given proof goal. Finally, we also provide 
    low-level support to a designer by presenting a compiler realizing our 
    framework and optimization techniques, allowing easy imple- mentation of 
    efficient and sound protocols.},
  author = {Endre Bangerter and Stephan Krenn and Ahmad-Reza Sadeghi and 
    Thomas Schneider and Joe-Kai Tsay},
  booktitle = {ECRYPT workshop on Software Performance Enhancements for 
    Encryption and Decryption and Cryptographic Compilers (SPEED-CC'09)},
  month = {October 12-13,},
  title = {On the Design and Implementation of Efficient Zero-Knowledge 
    Proofs of Knowledge},
  url = {http://thomaschneider.de/papers/BKSST09.pdf},
  weburl = {http://www.hyperelliptic.org/SPEED/},
  year = {2009},
  note = {Code: \url{http://zkc.cace-project.eu}.}
}
@inproceedings{KSS09SPEEDCC,
  abstract = {We consider generic Garbled Circuit (GC)-based techniques for 
    Secure Function Evaluation (SFE) in the semi-honest model.\\ We describe 
    efficient GC constructions for addition, subtraction, multiplication, and 
    comparison functions. Our circuits for subtraction and comparison are 
    approximately two times smaller (in terms of garbled tables) than previous 
    constructions. This implies corresponding computation and communication 
    improvements in SFE of functions using our efficient building blocks. The 
    techniques rely on recently proposed ``free XOR'' GC technique.\\ Further, 
    we present concrete and detailed improved GC protocols for the problem of 
    secure integer comparison, and related problems of auctions, minimum 
    selection, and minimal distance. Performance improvement comes both from 
    building on our efficient basic blocks and several problem-specific GC 
    optimizations. We provide precise cost evaluation of our constructions, 
    which serves as a baseline for future protocols.},
  author = {Vladimir Kolesnikov and Ahmad-Reza Sadeghi and Thomas 
    Schneider},
  booktitle = {ECRYPT workshop on Software Performance Enhancements for 
    Encryption and Decryption and Cryptographic Compilers (SPEED-CC'09)},
  month = {October 12-13,},
  title = {Improved Garbled Circuit Building Blocks and Applications to 
    Auctions and Computing Minima},
  url = {http://thomaschneider.de/papers/KSS09SPEEDCC.pdf},
  weburl = {http://www.hyperelliptic.org/SPEED/},
  year = {2009}
}
@misc{SS09,
  author = {Ahmad-Reza Sadeghi and Thomas Schneider},
  howpublished = {Section Days of Ruhr-University Bochum Research School},
  month = {November 6,},
  note = {(Poster prize awarded)},
  posterurl = {http://thomaschneider.de/papers/SS09Poster.pdf},
  title = {Ask Your E-Doctor Without Telling: Privacy-Preserving Medical 
    Diagnostics},
  weburl = {http://www.research-school.rub.de/section_days.html},
  year = {2009}
}
@inproceedings{SSW09,
  abstract = {Automatic recognition of human faces is becoming increasingly 
    popular in civilian and law enforcement applications that require reliable 
    recognition of humans. However, the rapid improvement and widespread 
    deployment of this technology raises strong concerns regarding the 
    violation of individuals' privacy. A typical application scenario for 
    privacy-preserving face recognition concerns a client who privately 
    searches for a specific face image in the face image database of a 
    server.\\ In this paper we present a privacy-preserving face recognition 
    scheme that substantially improves over previous work in terms of 
    communication- and computation efficiency: the most recent proposal of 
    Erkin et al. (PETS'09) requires $\mathcal{O}(\log M)$ rounds and 
    computationally expensive operations on homomorphically encrypted data to 
    recognize a face in a database of $M$ faces. Our improved scheme requires 
    only $\mathcal{O}(1)$ rounds and has a substantially smaller online 
    communication complexity (by a factor of $15$ for each database entry) and 
    less computation complexity.\\ Our solution is based on known cryptographic 
    building blocks combining homomorphic encryption with garbled circuits. Our 
    implementation results show the practicality of our scheme also for large 
    databases (e.g., for $M = 1000$ we need less than $13$ seconds and less 
    than $4$ MByte online communication on two 2.4GHz PCs connected via Gigabit 
    Ethernet).},
  author = {Ahmad-Reza Sadeghi and Thomas Schneider and Immo Wehrenberg},
  booktitle = {12th International Conference on Information Security and 
    Cryptology (ICISC'09)},
  month = {December 2-4,},
  note = {Full version: \url{http://eprint.iacr.org/2009/507}.},
  publisher = {Springer},
  doi = {10.1007/978-3-642-14423-3_16},
  rate = {$19.8\%$},
  series = {LNCS},
  title = {Efficient Privacy-Preserving Face Recognition},
  url = {http://thomaschneider.de/papers/SSW09.pdf},
  volume = {5984},
  pages = {229--244},
  weburl = {http://www.icisc.org/icisc09/asp/cfp/icisc2009cfp.pdf},
  year = {2009}
}
@inproceedings{BFKLPSS09,
  abstract = {We describe a privacy-preserving system where a server can 
    classify an ElectroCardioGram (ECG) signal without learning any information 
    about the ECG signal and the client is prevented from gaining knowledge 
    about the classification algorithm used by the server. The system relies on 
    the concept of Linear Branching Programs (LBP) and a recently proposed 
    cryptographic protocol for secure evaluation of private LBPs. We study the 
    trade-off between signal representation accuracy and system complexity both 
    from practical and theoretical perspective. As a result, the inputs to the 
    system are represented with the minimum number of bits ensuring the same 
    classification accuracy of a plain implementation. We show how the overall 
    system complexity can be strongly reduced by modifying the original ECG 
    classification algorithm. Two alternatives of the underlying cryptographic 
    protocol are implemented and their corresponding complexities are analyzed 
    to show suitability of our system in real-life applications for current and 
    future security levels.},
  author = {Mauro Barni and Pierluigi Failla and Vladimir Kolesnikov and 
    Riccardo Lazzeretti and Annika Paus and Ahmad-Reza Sadeghi and Thomas 
    Schneider},
  booktitle = {1st IEEE International Workshop on Information Forensics and 
    Security (IEEE WIFS'09)},
  month = {December 6-9,},
  pages = {91--95},
  publisher = {IEEE},
  doi = {10.1109/WIFS.2009.5386475},
  rate = {$32.5\%$},
  title = {Efficient Privacy-Preserving Classification of {ECG} Signals},
  url = {http://thomaschneider.de/papers/BFKLPSS09.pdf},
  year = {2009}
}
@inproceedings{PSSW09,
  abstract = {Secure multi-party computation has been considered by the 
    cryptographic community for a number of years. Until recently it has been a 
    purely theoretical area, with few implementations with which to test 
    various ideas. This has led to a number of optimisations being proposed 
    which are quite restricted in their application. In this paper we describe 
    an implementation of the two-party case, using Yao's garbled circuits, and 
    present various algorithmic protocol improvements. These optimisations are 
    analysed both theoretically and empirically, using experiments of various 
    adversarial situations. Our experimental data is provided for reasonably 
    large circuits, including one which performs an AES encryption, a problem 
    which we discuss in the context of various possible applications.},
  author = {Benny Pinkas and Thomas Schneider and Nigel P. Smart and 
    Stephen C. Williams},
  booktitle = {15th Advances in Cryptology -- ASIACRYPT 2009},
  month = {December 6-10,},
  note = {Full version: \url{http://eprint.iacr.org/2009/314}.},
  pages = {250--267},
  publisher = {Springer},
  doi = {10.1007/978-3-642-10366-7_15},
  rate = {$13.7\%$},
  series = {LNCS},
  title = {Secure Two-Party Computation is Practical},
  url = {http://thomaschneider.de/papers/PSSW09.pdf},
  volume = {5912},
  weburl = {http://asiacrypt2009.cipher.risk.tsukuba.ac.jp},
  year = {2009}
}
@inproceedings{KSS09,
  abstract = {We consider generic Garbled Circuit (GC)-based techniques for 
    Secure Function Evaluation (SFE) in the semi-honest model.\\ We describe 
    efficient GC constructions for addition, subtraction, multiplication, and 
    comparison functions. Our circuits for subtraction and comparison are 
    approximately two times smaller (in terms of garbled tables) than previous 
    constructions. This implies corresponding computation and communication 
    improvements in SFE of functions using our efficient building blocks. The 
    techniques rely on recently proposed ``free XOR'' GC technique.\\ Further, 
    we present concrete and detailed improved GC protocols for the problem of 
    secure integer comparison, and related problems of auctions, minimum 
    selection, and minimal distance. Performance improvement comes both from 
    building on our efficient basic blocks and several problem-specific GC 
    optimizations. We provide precise cost evaluation of our constructions, 
    which serves as a baseline for future protocols.},
  author = {Vladimir Kolesnikov and Ahmad-Reza Sadeghi and Thomas 
    Schneider},
  booktitle = {8th International Conference on Cryptology And Network 
    Security (CANS'09)},
  month = {December 12-14,},
  note = {Full version: \url{http://eprint.iacr.org/2009/411}.},
  pages = {1--20},
  publisher = {Springer},
  doi = {10.1007/978-3-642-10433-6_1},
  rate = {$29.4\%$},
  series = {LNCS},
  title = {Improved Garbled Circuit Building Blocks and Applications to 
    Auctions and Computing Minima},
  url = {http://thomaschneider.de/papers/KSS09.pdf},
  volume = {5888},
  weburl = {http://www.rcis.aist.go.jp/cans2009/},
  year = {2009}
}
@inproceedings{JKSS10TOKEN,
  abstract = {We consider Secure Function Evaluation (SFE) in the 
    client-server setting where the server issues a secure token to the client. 
    The token is not trusted by the client and is {\em not} a trusted third 
    party.\\ We show how to take advantage of the token to drastically reduce 
    the communication complexity of SFE and computation load of the server.\\ 
    Our main contribution is the detailed consideration of design decisions, 
    optimizations, and trade-offs, associated with the setting and its strict 
    hardware requirements for practical deployment. In particular, we model the 
    token as a computationally weak device with small constant-size memory and 
    limit communication between client and server.\\ We consider semi-honest, 
    covert, and malicious adversaries. We show the feasibility of our protocols 
    based on a FPGA implementation.},
  author = {Kimmo J\"arvinen and Vladimir Kolesnikov and Ahmad-Reza Sadeghi 
    and Thomas Schneider},
  booktitle = {14th International Conference on Financial Cryptography and 
    Data Security (FC'10)},
  month = {January 25-28,},
  note = {Full version: \url{http://eprint.iacr.org/2009/591}.},
  publisher = {Springer},
  rate = {$14.6\%$},
  series = {LNCS},
  volume = {6052},
  pages = {207--221},
  title = {Embedded {SFE}: Offloading Server and Network using Hardware 
    Tokens},
  url = {http://thomaschneider.de/papers/JKSS10TOKEN.pdf},
  doi = {10.1007/978-3-642-14577-3_17},
  weburl = {http://fc10.ifca.ai},
  year = {2010}
}
@inproceedings{SSW10,
  abstract = {Secure outsourcing of computation to an untrusted (cloud) 
    service provider is becoming more and more important. Pure cryptographic 
    solutions based on fully homomorphic and verifiable encryption, recently 
    proposed, are promising but suffer from very high latency. Other proposals 
    perform the whole computation on tamper-proof hardware and usually suffer 
    from the same problem. Trusted computing (TC) is another promising approach 
    that uses trusted software and hardware components on computing platforms 
    to provide useful mechanisms such as attestation allowing the data owner to 
    verify the integrity of the cloud and its computation. However, on the one 
    hand these solutions require trust in hardware (CPU, trusted computing 
    modules) that are under the physical control of the cloud provider, and on 
    the other hand they still have to face the challenge of run-time 
    attestation. \\
In this paper we focus on applications where the latency of the computation 
    should be minimized, i.e., the time from submitting the query until 
    receiving the outcome of the computation should be as small as possible. To 
    achieve this we show how to combine a trusted hardware token (e.g., a 
    cryptographic coprocessor or provided by the customer) with Secure Function 
    Evaluation (SFE) to compute arbitrary functions on secret (encrypted) data 
    where the computation leaks no information and is verifiable. The token is 
    used in the setup phase only whereas in the time-critical online phase the 
    cloud computes the encrypted function on encrypted data using symmetric 
    encryption primitives only and without any interaction with other 
    entities.},
  author = {Ahmad-Reza Sadeghi and Thomas Schneider and Marcel Winandy},
  booktitle = {3rd International Conference on Trust and Trustworthy 
    Computing (TRUST'10) - Workshop on Trust in the Cloud},
  month = {June 21-23,},
  publisher = {Springer},
  series = {LNCS},
  pages = {417--429},
  volume = {6101},
  title = {Token-Based Cloud Computing -- Secure Outsourcing of Data and 
    Arbitrary Computations with Lower Latency},
  weburl = {http://www.trust2010.org/workshop-cloud.html},
  doi = {10.1007/978-3-642-13869-0_30},
  url = {http://thomaschneider.de/papers/SSW10.pdf},
  year = {2010}
}
@misc{BKSS10,
  author = {Endre Bangerter and Stephan Krenn and Ahmad-Reza Sadeghi and 
    Thomas Schneider},
  howpublished = {19th USENIX Security Symposium (Security'10) Poster 
    Session},
  month = {August 11-13,},
  title = {{YAZKC: Yet Another Zero-Knowledge Compiler}},
  abstract = {Automatic generation of cryptographic protocols is an 
    emerging field of research which aims to bring complex protocols into 
    practice. In this work we discuss the desired properties of a compiler for 
    automatic generation of zero-knowledge proof of knowledge (ZKPoK) 
    protocols. We evaluate and compare existing approaches with respect to 
    these properties:
In particular, it seems to us that the authors of the paper accepted for 
    USENIX Security 2010 (ZKPDL: A Language-Based System for Efficient 
    Zero-Knowledge Proofs and Electronic Cash) were not aware of our previous 
    work done within the European project ``Computer Aided Cryptography 
    Engineering'' (CACE).
We hope that this poster stimulates scientific debates and exchange in this 
    field of research.},
  weburl = {http://www.usenix.org/events/sec10/poster.html},
  posterurl = {http://thomaschneider.de/papers/BKSS10Poster.pdf},
  url = {http://thomaschneider.de/papers/BKSS10Abstract.pdf},
  year = {2010}
}
@inproceedings{JKSS10OTP,
  abstract = {The power of side-channel leakage attacks on cryptographic 
    implementations is evident. Today's practical defenses are typically 
    attack-specific countermeasures against certain classes of side-channel 
    attacks. The demand for a more general solution has given rise to the 
    recent theoretical research that aims to build provably leakage-resilient 
    cryptography. This direction is, however, very new and still largely lacks 
    practitioners' evaluation with regard to both efficiency and practical 
    security. A recent approach, One-Time Programs (OTPs), proposes using Yao's 
    Garbled Circuit (GC) and very simple tamper-proof hardware to securely 
    implement oblivious transfer, to guarantee leakage resilience.\\
Our main contributions are (i) a generic architecture for using GC/OTP 
    modularly, and (ii) hardware implementation and efficiency analysis of 
    GC/OTP evaluation. We implemented two FPGA-based prototypes: a 
    system-on-a-programmable-chip with access to hardware crypto accelerator 
    (suitable for smartcards and future smartphones), and a stand-alone 
    hardware implementation (suitable for ASIC design). We chose AES as a 
    representative complex function for implementation and measurements. As a 
    result of this work, we are able to understand, evaluate and improve the 
    practicality of employing GC/OTP as a leakage-resistance approach.},
  title = {Garbled Circuits for Leakage-Resilience: Hardware Implementation 
    and Evaluation of One-Time Programs},
  author = {Kimmo J\"arvinen and Vladimir Kolesnikov and Ahmad-Reza Sadeghi 
    and Thomas Schneider},
  booktitle = {12th International Workshop on Cryptographic Hardware and 
    Embedded Systems (CHES'10)},
  month = {August 17-20,},
  publisher = {Springer},
  series = {LNCS},
  volume = {6225},
  pages = {383--397},
  year = {2010},
  rate = {$27.8\%$},
  note = {Full version: \url{http://eprint.iacr.org/2010/276}.},
  url = {http://thomaschneider.de/papers/JKSS10OTP.pdf},
  weburl = {http://www.chesworkshop.org/ches2010/},
  doi = {10.1007/978-3-642-15031-9_26}
}
@inproceedings{SS10,
  abstract = {Die rasant fortschreitende Modernisierung des 
    Gesundheitswesens durch neuartige elektronische Dienste wie die 
    elektronische Patientenakte und medizinische online Dienste erlaubt es, 
    medizinische Prozesse effizienter zu gestalten. Andererseits birgt die 
    digitale Verarbeitung sensibler Patientendaten Risiken und Gefahren 
    hinsichtlich des Datenschutzes und des Missbrauchs.\\
Klassische kryptographische und IT sicherheitstechnische Methoden erlauben 
    die sichere Verteilung und Speicherung medizinischer Daten. Allerdings 
    erfordert die Verarbeitung der Daten deren Entschl\"usselung. Zu diesem 
    Zeitpunkt kann auf die Daten im Klartext (z.B. durch Systemadministratoren) 
    zugegriffen und die Vertraulichkeit verletzt werden. Um dies zu verhindern, 
    sollten Daten in verschl\"usselter Form verarbeitet werden. F\"ur 
    ebendieses ``Rechnen unter Verschl\"usselung'' wurden in den vergangenen 25 
    Jahren verschiedene kryptographische Verfahren vorgeschlagen.\\
Die Ziele dieser Arbeit sind folgende: 1) Der aktuelle Stand der Forschung 
    im Bereich des effizienten Rechnens unter Verschl\"usselung wird 
    zusammengefasst. 2)~Ein Werkzeug wird vorgestellt, das es erlaubt, 
    effiziente Protokolle zum Rechnen unter Verschl\"usselung abstrakt und ohne 
    detaillierte kryptographische Kenntnisse zu beschreiben und automatisch zu 
    generieren. 3) Es wird gezeigt, wie das vorgestellte Werkzeug exemplarisch 
    zum Generieren eines medizinischen Web-Services verwendet werden kann, der 
    EKG Daten in verschl\"usselter Form klassifiziert.},
  booktitle = {Workshop Innovative und sichere Informationstechnologie 
    f\"ur das Gesundheitswesen von morgen (perspeGKtive'10)},
  title = {{Verschl\"usselt Rechnen: Sichere Verarbeitung verschl\"usselter 
    medizinischer Daten am Beispiel der Klassifikation von EKG-Daten}},
  author = {Ahmad-Reza Sadeghi and Thomas Schneider},
  series = {LNI},
  volume = {P-174},
  pages = {11--25},
  month = {September 8,},
  year = {2010},
  publisher = {Bonner K\"ollen Verlag},
  weburl = {http://www.perspegktive.de},
  puburl = {http://www.gi-ev.de/service/publikationen/lni/gi-edition-proceedings-2010/gi-edition-lecture-notes-in-informatics-lni-p-174.html},
  url = {http://thomaschneider.de/papers/SS10.pdf}
}
@inproceedings{ABBKSS10,
  abstract = {Zero-knowledge proofs of knowledge (ZK-PoK) are important 
    building blocks for numerous cryptographic applications. Although ZK-PoK 
    have a high potential impact, their real world deployment is typically 
    hindered by their significant complexity compared to other 
    (non-interactive) crypto primitives. Moreover, their design and 
    implementation are time-consuming and error-prone.\\
We contribute to overcoming these challenges as follows: We present a 
    comprehensive specification language and a compiler for ZK-PoK protocols 
    based on $\Sigma$-protocols. The compiler allows the fully automatic 
    translation of an Abstract description of a proof goal into an executable 
    implementation. Moreover, the compiler overcomes various restrictions of 
    previous approaches, e.g., it supports the important class of 
    exponentiation homomorphisms with hidden-order co-domain, needed for 
    privacy-preserving applications such as DAA. Finally, our compiler is 
    certifying, in the sense that it automatically produces a formal proof of 
    the soundness of the compiled protocol for a large class of protocols using 
    the Isabelle/HOL theorem prover.},
  title = {A Certifying Compiler for Zero-Knowledge Proofs of Knowledge 
    Based on Sigma-Protocols},
  author = {Jos{\'e} Bacelar Almeida and Endre Bangerter and Manuel Barbosa 
    and Stephan Krenn and Ahmad-Reza Sadeghi and Thomas Schneider},
  year = {2010},
  booktitle = {15th European Symposium on Research in Computer Security 
    (ESORICS'10)},
  month = {September 20-22,},
  publisher = {Springer},
  series = {LNCS},
  pages = {151--167},
  volume = {6345},
  rate = {$20.9\%$},
  weburl = {http://www.esorics2010.org},
  doi = {10.1007/978-3-642-15497-3_10},
  url = {http://thomaschneider.de/papers/ABBKSS10.pdf},
  note = {Full version: \url{http://eprint.iacr.org/2010/339}.}
}
@inproceedings{HKSSW10,
  abstract = {Secure two-party computation allows two untrusting parties to 
    jointly compute an arbitrary function on their respective private inputs 
    while revealing no information beyond the outcome. Existing cryptographic 
    compilers can automatically generate secure computation protocols from 
    high-level specifications, but are often limited in their use and 
    efficiency of generated protocols as they are based on either garbled 
    circuits or (additively) homomorphic encryption only.\\
In this paper we present TASTY, a novel tool for automating, i.e., 
    describing, generating, executing, benchmarking, and comparing, efficient 
    secure two-party computation protocols. TASTY is a new compiler that can 
    generate protocols based on homomorphic encryption and efficient garbled 
    circuits as well as combinations of both, which often yields the most 
    efficient protocols available today. The user provides a high-level 
    description of the computations to be performed on encrypted data in a 
    domain-specific language. This is automatically transformed into a 
    protocol. TASTY provides most recent techniques and optimizations for 
    practical secure two-party computation with low online latency. Moreover, 
    it allows to efficiently evaluate circuits generated by the well-known 
    Fairplay compiler.\\
We use TASTY to compare protocols for secure multiplication based on 
    homomorphic encryption with those based on garbled circuits and highly 
    efficient Karatsuba multiplication. Further, we show how TASTY improves the 
    online latency for securely evaluating the AES functionality by an order of 
    magnitude compared to previous software implementations. TASTY allows to 
    automatically generate efficient secure protocols for many 
    privacy-preserving applications where we consider the use cases for private 
    set intersection and face recognition protocols.},
  title = {{TASTY: Tool for Automating Secure Two-partY computations}},
  author = {Wilko Henecka and Stefan K{\"o}gl and Ahmad-Reza Sadeghi and 
    Thomas Schneider and Immo Wehrenberg},
  booktitle = {17th ACM Conference on Computer and Communications Security 
    (CCS'10)},
  month = {October 4-8,},
  publisher = {ACM},
  year = {2010},
  pages = {451--462},
  rate = {$17.2\%$},
  note = {Full version: \url{http://eprint.iacr.org/2010/365}. Code: 
    \url{http://encrypto.de/code/TASTY}.},
  url = {http://thomaschneider.de/papers/HKSSW10.pdf},
  doi = {10.1145/1866307.1866358},
  weburl = {http://www.sigsac.org/ccs/CCS2010/}
}
@incollection{JKSS10Full,
  author = {Kimmo J\"arvinen and Vladimir Kolesnikov and Ahmad-Reza Sadeghi 
    and Thomas Schneider},
  booktitle = {Towards Hardware Intrinsic Security: Foundation and 
    Practice},
  editor = {Ahmad-Reza Sadeghi and David Naccache},
  publisher = {Springer-Verlag Berlin Heidelberg},
  series = {Information Security and Cryptography},
  title = {Efficient Secure Two-Party Computation with Untrusted Hardware 
    Tokens},
  year = {2010},
  doi = {10.1007/978-3-642-14452-3_17},
  pages = {367--386},
  isbn = {978-3-642-14452-3}
}
@phdthesis{Schneider11Thesis,
  title = {Engineering Secure Two-Party Computation Protocols -- Advances 
    in Design, Optimization, and Applications of Efficient Secure Function 
    Evaluation},
  author = {Thomas Schneider},
  month = {February 9,},
  year = {2011},
  school = {Ruhr-University Bochum, Germany},
  abstract = {Secure Function Evaluation (SFE) allows two mutually 
    mistrusting parties to compute an arbitrary function on their inputs 
    without revealing any information beyond the result. We give advances in 
    the design, optimization and application of efficient SFE.\\
We optimize SFE protocols by reducing the size of Boolean circuits with 
    cheap XOR gates and give efficient circuits for standard functionalities.\\
Secure hardware reduces the communication of SFE protocols and allows to 
    evaluate arbitrary functions in a side-channel resistant way.\\
Efficient SFE protocols can be modularly modeled as sequence of operations 
    on encrypted data; TASTY (Tool for Automating Secure Two-partY 
    computations) allows to describe, automatically generate, and execute 
    them.\\
As applications we improve protocols for secure auctions and face 
    recognition, and give a hardware-assisted protocol to securely outsource 
    data and arbitrary computations to an untrusted (cloud) provider.},
  url = {http://thomaschneider.de/papers/S11Thesis.pdf}
}
@inproceedings{FPSSV11,
  abstract = {Secure set intersection protocols are the core building block 
    for a manifold of privacy-preserving applications.\\
In a recent work, Hazay and Lindell (ACM CCS 2008) introduced the idea of 
    using trusted hardware tokens for the set intersection problem, devising 
    protocols which improve over previous (in the standard model of two-party 
    computation) protocols in terms of efficiency and secure composition. 
Their protocol uses only a linear number of symmetric-key computations and 
    the amount of data stored in the token does not depend on the sizes of the 
    sets. 
The security proof of the protocol is in the universal composability model 
    and is based on the strong assumption that the token is trusted by 
    \emph{both} parties.\\
In this paper we revisit the idea and model of hardware-based secure set 
    intersection, and in particular consider a setting where tokens are not 
    necessarily trusted by both participants to additionally cover threats like 
    side channel attacks, firmware trapdoors and malicious hardware.
Our protocols are very efficient and achieve the same level of security as 
    those by Hazay and Lindell for trusted tokens. 
For untrusted tokens, our protocols ensure privacy against malicious 
    adversaries, and correctness facing covert adversaries.},
  title = {Secure Set Intersection with Untrusted Hardware Tokens},
  author = {Marc Fischlin and Benny Pinkas and Ahmad-Reza Sadeghi and 
    Thomas Schneider and Ivan Visconti},
  booktitle = {11th Cryptographers' Track at the RSA Conference 
    (CT-RSA'11)},
  year = {2011},
  month = {February 14-18,},
  publisher = {Springer},
  series = {LNCS},
  volume = {6558},
  pages = {1--16},
  weburl = {http://ct-rsa2011.di.uoa.gr},
  doi = {10.1007/978-3-642-19074-2_1},
  url = {http://thomaschneider.de/papers/FPSSV11.pdf},
  rate = {$29.9\%$}
}
@misc{BNSS11WCSC,
  author = {Sven Bugiel and Stefan N\"urnberger and Ahmad-Reza Sadeghi and 
    Thomas Schneider},
  abstract = {Cloud computing promises a more cost effective enabling 
    technology to outsource storage and computations.
Existing approaches for secure outsourcing of data and arbitrary 
    computations are either based on a single tamper-proof hardware, or based 
    on recently proposed fully homomorphic encryption. The hardware based 
    solutions are not scaleable, and fully homomorphic encryption is currently 
    only of theoretical interest and very inefficient.\\
In this paper we propose an architecture for secure outsourcing of data and 
    arbitrary computations to an untrusted commodity cloud. In our approach, 
    the user communicates with a trusted cloud (either a private cloud or built 
    from multiple secure hardware modules) which encrypts and verifies the data 
    stored and operations performed in the untrusted commodity cloud. We split 
    the computations such that the trusted cloud is mostly used for 
    security-critical operations in the less time-critical setup phase, whereas 
    queries to the outsourced data are processed in parallel by the fast 
    commodity cloud on encrypted data.},
  title = {{Twin Clouds}: An Architecture for Secure Cloud Computing 
    {(Extended Abstract)}},
  year = {2011},
  howpublished = {Workshop on Cryptography and Security in Clouds 
    (WCSC'11)},
  month = {March 15-16,},
  weburl = {http://www.zurich.ibm.com/~cca/csc2011/},
  url = {http://www.zurich.ibm.com/~cca/csc2011/submissions/bugiel.pdf}
}
@inproceedings{Schneider11,
  author = {Thomas Schneider},
  title = {{Reden ist Silber - Schweigen ist Gold: Datensparsamkeit durch 
    effizientes Rechnen unter Verschl\"usselung}},
  abstract = {Wo immer sensible Daten gespeichert werden zeigt die Praxis, 
    dass es lediglich eine Frage der Zeit ist, bis diese durch ein 
    Sicherheitsleck an unerw\"unschte Personen gelangen. Die einzige 
    M\"oglichkeit, um dies zuverl\"assig zu vermeiden ist Datensparsamkeit, die 
    Daten also erst gar nicht zu speichern. In vielen F\"allen werden die Daten 
    jedoch trotzdem f\"ur Berechnungen ben\"otigt.\\
Dieser Beitrag gibt einen \"Uberblick \"uber Methoden des effizienten 
    Rechnens unter Verschl\"usselung und zeigt, wie diese erm\"oglichen, 
    beliebige Berechnungen auf sensiblen, verschl\"usselten Daten 
    durchzuf\"uhren, ohne dass diese im Klartext gespeichert oder zu 
    irgendeinem Zeitpunkt im Klartext vorliegen m\"ussen. Insbesondere wird 
    hierbei auf Erweiterungen durch sichere Hardware auch im Kontext des 
    Rechnens in der ``Cloud'', sowie die Unterst\"utzung durch Werkzeuge 
    eingegangen. Als m\"ogliche Anwendungen werden Systeme zur 
    Gesichtserkennung und Klassifikation medizinischer Daten betrachtet, welche 
    die Privatsph\"are erhalten.},
  booktitle = {12. Deutscher IT-Sicherheitskongress des BSI: Sicher in die 
    digitale Welt von morgen},
  year = {2011},
  month = {10.-12. Mai,},
  publisher = {SecuMedia-Verlag},
  weburl = {http://www.bsi.bund.de/ContentBSI/Aktuelles/Veranstaltungen/IT-SiKongress/12itkongress2011.html},
  url = {http://thomaschneider.de/papers/S11.pdf},
  pages = {191--198},
  isbn = {978-3-922746-96-6},
  puburl = {http://buchshop.secumedia.de/buchshop/index.php?page=detail&match=LISA_NR2=BSI2011}
}
@article{BFLSS11,
  abstract = {Privacy protection is a crucial problem in many biomedical 
    signal processing applications. For this reason particular attention has 
    been given to the use of secure multi party computation techniques for 
    processing biomedical signals, whereby non-trusted parties are able to 
    manipulate the signals although they are encrypted.\\
This paper focuses on the development of a privacy preserving automatic 
    diagnosis system whereby a remote server classifies a biomedical signal 
    provided by the client without getting any information about the signal 
    itself and the final result of the classification. Specifically, we present 
    and compare two methods for the secure classification of ElectroCardioGram 
    (ECG) signals: the former based on Linear Branching Programs (a particular 
    kind of decision tree) and the latter relying on Neural Networks.\\
The paper faces with all the requirements and difficulties related to 
    working with data that must stay encrypted during all the computation 
    steps, including the necessity of working with fixed point arithmetic with 
    no truncation while guaranteeing the same performance of a floating point 
    implementation in the plain domain. A highly efficient version of the 
    underlying cryptographic primitives is used, ensuring a good efficiency of 
    the two proposed methods, from both a communication and computational 
    complexity perspectives.\\
The proposed systems prove that carrying out complex tasks like ECG 
    classification in the encrypted domain efficiently is indeed possible in 
    the semi-honest model, paving the way to interesting future applications 
    wherein privacy of signal owners is protected by applying high security 
    standards.},
  author = {Mauro Barni and Pierluigi Failla and Riccardo Lazzeretti and 
    Ahmad-Reza Sadeghi and Thomas Schneider},
  title = {Privacy-Preserving {ECG} Classification with Branching Programs 
    and Neural Networks},
  journal = {IEEE Transactions on Information Forensics and Security 
    (TIFS)},
  pages = {452--468},
  volume = {6},
  number = {2},
  month = {June},
  year = {2011},
  weburl = {http://www.signalprocessingsociety.org/publications/periodicals/forensics/},
  doi = {10.1109/TIFS.2011.2108650},
  url = {http://thomaschneider.de/papers/BFLSS11.pdf}
}
@inproceedings{BNPSS11,
  abstract = {Cloud Computing is an emerging technology promising new 
    business opportunities and easy deployment of web services.\\
Much has been written about the risks and benefits of cloud computing in 
    the last years. The literature on clouds often points out security and 
    privacy challenges as the main obstacles, and proposes solutions and 
    guidelines to avoid them. However, most of these works deal with either 
    malicious cloud providers or customers, but ignore the severe threats 
    caused by unaware users.\\
In this paper we consider security and privacy aspects of \emph{real-life} 
    cloud deployments, independently from malicious cloud providers or 
    customers. We focus on the popular Amazon Elastic Compute Cloud (EC2) and 
    give a detailed and systematic analysis of various crucial vulnerabilities 
    in publicly available and widely used Amazon Machine Images (AMIs) and show 
    how to eliminate them.\\
Our Amazon \underline{I}mage \underline{A}ttacks (AmazonIA) deploy an 
    automated tool that uses only publicly available interfaces and makes 
    \emph{no} assumptions on the underlying cloud infrastructure. We were able 
    to extract highly sensitive information (including passwords, keys, and 
    credentials) from a variety of publicly available AMIs. The extracted 
    information allows to (i) start (botnet) instances worth thousands of 
    dollars per day, (ii) provide backdoors into the running machines, (iii) 
    launch impersonation attacks, or (iv) access the source code of the entire 
    web service. Our attacks can be used to completely compromise several real 
    web services offered by companies (including IT-security companies), e.g., 
    for website statistics/user tracking, two-factor authentication, or price 
    comparison. Further, we show mechanisms to identify the AMI of certain 
    running instances.\\
Following the maxim ``security and privacy by design'' we show how our 
    automated tools together with changes to the user interface can be used to 
    mitigate our attacks.},
  author = {Sven Bugiel and Thomas P\"oppelmann and Stefan N\"urnberger and 
    Ahmad-Reza Sadeghi and Thomas Schneider},
  title = {{AmazonIA}: When Elasticity Snaps Back},
  year = {2011},
  booktitle = {18th ACM Conference on Computer and Communications Security 
    (CCS'11)},
  month = {October 17-21,},
  publisher = {ACM},
  weburl = {http://www.sigsac.org/ccs/CCS2011/},
  doi = {10.1145/2046707.2046753},
  rate = {$14.0\%$},
  note = {See \url{http://trust.cased.de/AMID}},
  url = {http://thomaschneider.de/papers/BNPSS11.pdf},
  pages = {389--400}
}
@inproceedings{BNSS11,
  abstract = {Cloud computing promises a cost effective enabling technology 
    to outsource storage and massively parallel computations. However, existing 
    approaches for provably secure outsourcing of data and arbitrary 
    computations are either based on tamper-proof hardware or fully homomorphic 
    encryption. The former approaches are not scaleable, while the latter ones 
    are currently not efficient enough to be used in practice.\\
We propose an architecture and protocols that accumulate slow secure 
    computations over time and provide the possibility to query them in 
    parallel on demand by leveraging the benefits of cloud computing. In our 
    approach, the user communicates with a resource-constrained Trusted Cloud 
    (either a private cloud or built from multiple secure hardware modules) 
    which encrypts algorithms and data to be stored and later on queried in the 
    powerful but untrusted Commodity Cloud. We split our protocols such that 
    the Trusted Cloud performs security-critical pre-computations in the setup 
    phase, while the Commodity Cloud computes the time-critical query in 
    parallel under encryption in the query phase.},
  author = {Sven Bugiel and Stefan N\"urnberger and Ahmad-Reza Sadeghi and 
    Thomas Schneider},
  title = {{Twin Clouds}: Secure Cloud Computing with Low Latency},
  year = {2011},
  booktitle = {12th Communications and Multimedia Security Conference 
    (CMS'11)},
  month = {October 19-21,},
  publisher = {Springer},
  series = {LNCS},
  volume = {7025},
  pages = {32--44},
  weburl = {http://www.cms2011.net/},
  url = {http://thomaschneider.de/papers/BNSS11.pdf},
  doi = {10.1007/978-3-642-24712-5_3},
  rate = {$21.2\%$},
  note = {Best Paper Award}
}
@inproceedings{ALSS12,
  abstract = {The diversity of computing platforms is increasing rapidly. 
    In order to allow security applications to run on such diverse platforms, 
    implementing and optimizing the same cryptographic primitives for multiple 
    target platforms and heterogeneous systems can result in high costs. In 
    this paper, we report our efforts in developing and benchmarking a 
    platform-independent Crypto Tools Library (CTL). CTL is based on a dataflow 
    programming framework called Reconfigurable Video Coding (RVC), which was 
    recently standardized by ISO/IEC for building complicated reconfigurable 
    video codecs. CTL benefits from various properties of the RVC framework 
    including tools to 1) simulate the platform-independent designs, 2) 
    automatically generate implementations in different target programming 
    languages (e.g., C/C++, Java, LLVM, and Verilog/VHDL) for deployment on 
    different platforms as software and/or hardware modules, and 3) design 
    space exploitation such as automatic parallelization for multi- and 
    many-core systems. We benchmarked the performance of the SHA-256 
    implementation in CTL on single-core target platforms and demonstrated that 
    implementations automatically generated from platform-independent RVC 
    applications can achieve a run-time performance comparable to reference 
    implementations manually written in C and Java.
For a quad-core target platform, we benchmarked a 4-adic hash tree 
    application based on SHA-256 that achieves a performance gain of up to 
    300\% for hashing messages of size 8 MB.},
  author = {Junaid Jameel Ahmad and Shujun Li and Ahmad-Reza Sadeghi and 
    Thomas
Schneider},
  booktitle = {16th International Conference on Financial Cryptography and 
    Data Security (FC'12)},
  month = {February 27 - March 2,},
  publisher = {Springer},
  series = {LNCS},
  title = {{CTL}: A Platform-Independent Crypto Tools Library Based on 
    Dataflow Programming Paradigm},
  weburl = {http://fc12.ifca.ai},
  year = {2012},
  rate = {$26.1\%$},
  url = {http://thomaschneider.de/papers/ALSS12.pdf},
  volume = {7397},
  pages = {299--313},
  note = {Full version: \url{http://eprint.iacr.org/2011/679}.},
  doi = {10.1007/978-3-642-32946-3_22}
}
@book{Schneider12Book,
  author = {Thomas Schneider},
  title = {Engineering Secure Two-Party Computation Protocols: Design, 
    Optimization, and Applications of Efficient Secure Function Evaluation},
  publisher = {Springer-Verlag Berlin Heidelberg},
  isbn = {978-3-642-30041-7},
  puburl = {http://www.springer.com/computer/security+and+cryptology/book/978-3-642-30041-7},
  year = 2012,
  pages = {138},
  month = {August 4,},
  note = {\url{http://thomaschneider.de/engineeringSFEbook}},
  doi = {10.1007/978-3-642-30042-4}
}
@techreport{PBS12,
  title = {The design and implementation of a two-party protocol suite for 
    {SHAREMIND} 3},
  author = {Pille Pullonen and Dan Bogdanov and Thomas Schneider},
  institution = {CYBERNETICA Institute of Information Security},
  note = {T-4-17},
  year = {2012},
  url = {http://research.cyber.ee/reports/T-4-17-The-design-and-implementation-of-a-two-party-protocol-suite-for-Sharemind-3.pdf}
}
@inproceedings{SZ12,
  author = {Thomas Schneider and Michael Zohner},
  booktitle = {17. Workshop der Fachgruppe Kryptographie in der 
    Gesellschaft f\"ur Informatik (Kryptotag)},
  month = {December 7,},
  title = {Efficient Secure Two-Party Computation},
  weburl = {http://pi1.informatik.uni-mannheim.de/index.php?pagecontent=site/Events.menu/Kryptotag.menu/17.%20Kryptotag.page},
  year = {2012},
  url = {http://thomaschneider.de/papers/SZ12.pdf}
}
@article{KSS13,
  abstract = {
General two-party Secure Function Evaluation (SFE) allows mutually 
    distrusting parties to correctly compute any function on their private 
    input data, without revealing the inputs. Two-party SFE can benefit almost 
    any client-server interaction where privacy is required, such as 
    privacy-preserving credit checking, medical classification, or face 
    recognition. Today, SFE is a subject of immense amount of research in a 
    variety of directions and is not easy to navigate.\\
In this article, we systematize the most practically important works of the 
    vast research knowledge on general SFE. We argue that in many cases the 
    most efficient SFE protocols are obtained by combining several basic 
    techniques, e.g., garbled circuits and (additively) homomorphic encryption.

As a valuable methodological contribution, we present a framework in which 
    today's most efficient techniques for general SFE can be viewed as building 
    blocks with well-defined interfaces that can be easily combined into a 
    complete efficient solution. Further, our approach naturally allows 
    automated protocol generation (compilation) and has been implemented 
    partially in the TASTY framework.
In summary, we provide a comprehensive guide in state-of-the-art SFE, with 
    the additional goal of extracting, systematizing and unifying the most 
    relevant and promising general SFE techniques. Our target audience are 
    graduate students wishing to enter the SFE field and advanced engineers 
    seeking to develop SFE solutions. We hope our guide paints a high-level 
    picture of the field, including most common approaches and their trade-offs 
    and gives precise and numerous pointers to formal treatment of its specific 
    aspects.},
  author = {Vladimir Kolesnikov and Ahmad-Reza Sadeghi and Thomas 
    Schneider},
  month = {01},
  number = {2},
  volume = {21},
  pages = {283--315},
  title = {A Systematic Approach to Practically Efficient General Two-Party 
    Secure Function Evaluation Protocols and their Modular Design},
  journal = {Journal of Computer Security (JCS)},
  doi = {10.3233/JCS-130464},
  url = {http://thomaschneider.de/papers/KSS13.pdf},
  year = {2013},
  publisher = {IOS Press},
  weburl = {http://www.iospress.nl/journal/journal-of-computer-security/},
  note = {Preliminary version: \url{http://eprint.iacr.org/2010/079}}
}
@misc{KSS13_short,
  title = {Automatic Protocol Selection in Secure Two-Party Computations},
  author = {Florian Kerschbaum and Thomas Schneider and Axel Schr\"opfer},
  howpublished = {20th Network \& Distributed System Security Symposium 
    (NDSS'13)},
  month = {February 24-27,},
  year = {2013},
  weburl = {http://www.internetsociety.org/events/ndss-symposium-2013},
  url = {http://www.internetsociety.org/sites/default/files/automatic%20protocol%20selection%20in%20secure%20two-party%20computations.pdf},
  note = {Short Talk}
}
@inproceedings{SZ13,
  abstract = {Secure two-party computation is a rapidly emerging field of 
    research and enables a large variety of privacy-preserving applications 
    such as mobile social networks or biometric identification. In the late 
    eighties, two different approaches were proposed: Yao’s garbled circuits 
    and the protocol of Goldreich-Micali-Wigderson (GMW). Since then, research 
    has mostly focused on Yao’s garbled circuits as they were believed to yield 
    better efficiency due to their constant round complexity.\\
In this work we give several optimizations for an efficient implementation 
    of the GMW protocol. We show that for semi-honest adversaries the optimized 
    GMW protocol can outperform today’s most efficient implementations of Yao’s 
    garbled circuits, but highly depends on a low network latency. As a first 
    step to overcome these latency issues, we summarize depth-optimized circuit 
    constructions for various standard tasks. As application scenario we 
    consider privacy-preserving face recognition and show that our optimized 
    framework is up to 100 times faster than previous works even in settings 
    with high network latency.},
  author = {Thomas Schneider and Michael Zohner},
  title = {{GMW} vs. {Yao}? {E}fficient Secure Two-Party Computation with 
    Low Depth Circuits},
  booktitle = {17th International Conference on Financial Cryptography and 
    Data Security (FC'13)},
  year = {2013},
  publisher = {Springer},
  series = {LNCS},
  volume = {7859},
  pages = {275--292},
  month = {April 1-5,},
  url = {http://thomaschneider.de/papers/SZ13.pdf},
  weburl = {http://fc13.ifca.ai},
  rate = {$12.5\%$ for regular papers},
  doi = {10.1007/978-3-642-39884-1_23}
}
@inproceedings{HS13,
  abstract = {Secure two-party computation is used as the basis for a large 
    variety of privacy-preserving protocols, but often concerns about the low 
    performance hinder the move away from nonprivate solutions.\\
In this paper we present an improved implementation of Yao’s garbled 
    circuit protocol in the semi-honest adversaries setting which is up to 10 
    times faster than previous implementations. Our improvements include (1) 
    the first multi-threaded implementation of the base oblivious transfers 
    resulting in a speedup of a factor of two, (2) techniques for minimizing 
    the memory footprint during oblivious transfer extensions and processing of 
    circuits, (3) compilation of sub-circuits into files, and (4) caching of 
    circuit descriptions and network packets. We implement improved circuit 
    building blocks from the literature and present for the first time 
    performance results for secure evaluation of the ultra-lightweight block 
    cipher PRESENT within 7 ms online time.},
  author = {Wilko Henecka and Thomas Schneider},
  title = {Faster Secure Two-Party Computation with Less Memory},
  booktitle = {8th ACM Symposium on Information, Computer and 
    Communications Security (ASIACCS'13)},
  month = {May 7-10,},
  year = {2013},
  publisher = {ACM},
  rate = {$16.2\%$ for full papers},
  url = {http://thomaschneider.de/papers/HS13.pdf},
  weburl = {http://hise.hznu.edu.cn/asiaccs/},
  pages = {437--446},
  doi = {10.1145/2484313.2484369},
  note = {Code: \url{http://encrypto.de/code/me-sfe}}
}
@inproceedings{ADNRSSS13,
  abstract = {
Mobile smart devices and services have become an integral part of our daily 
    life. In this context there are many compelling scenarios for mobile device 
    users to share resources. A popular example is tethering. However, sharing 
    resources also raises privacy and security issues. In this paper, we 
    present CrowdShare, a complete framework and its (Android) implementation 
    for secure and private resource sharing among nearby devices. CrowdShare 
    provides pseudonymity for users, accountability of resource usage, and the 
    possibility of specifying access control in terms of social network 
    relationships. Further, CrowdShare preserves secure connectivity between 
    nearby devices even in the absence of the mobile infrastructure. We have 
    implemented CrowdShare on Android devices and report good performance 
    results.},
  author = {N. Asokan and Alexandra Dmitrienko and Marcin Nagy and Elena 
    Reshetova and Ahmad-Reza Sadeghi and Thomas Schneider and Stanislaus 
    Stelle},
  title = {{CrowdShare}: Secure Mobile Resource Sharing},
  booktitle = {11th International Conference on Applied Cryptography and 
    Network Security (ACNS'13)},
  month = {June 25-28,},
  year = {2013},
  publisher = {Springer},
  series = {LNCS},
  volume = {7954},
  pages = {432--440},
  weburl = {http://acns2013.cpsc.ucalgary.ca},
  url = {http://thomaschneider.de/papers/ADNRSSS13.pdf},
  doi = {10.1007/978-3-642-38980-1_27}
}
@inproceedings{ALSZ13,
  abstract = {
Protocols for secure computation enable parties to compute a joint function 
    on their private inputs without revealing anything but the result. A 
    foundation for secure computation is oblivious transfer (OT), which 
    traditionally requires expensive public key cryptography. A more efficient 
    way to perform many OTs is to extend a small number of base OTs using OT 
    extensions based on symmetric cryptography.\\
In this work we present optimizations and efficient implementations of OT 
    and OT extensions in the semi-honest model. We propose a novel OT protocol 
    with security in the standard model and improve OT extensions with respect 
    to communication complexity, computation complexity, and scalability. We 
    also provide specific optimizations of OT extensions that are tailored to 
    the secure computation protocols of Yao and Goldreich-Micali-Wigderson and 
    reduce the communication complexity even further. We experimentally verify 
    the efficiency gains of our protocols and optimizations. By applying our 
    implementation to current secure computation frameworks, we can securely 
    compute a Levenshtein distance circuit with 1.29 billion AND gates at a 
    rate of 1.2 million AND gates per second. Moreover, we demonstrate the 
    importance of correctly implementing OT within secure computation protocols 
    by presenting an attack on the FastGC framework.},
  author = {Gilad Asharov and Yehuda Lindell and Thomas Schneider and 
    Michael Zohner},
  title = {More Efficient Oblivious Transfer and Extensions for Faster 
    Secure Computation},
  booktitle = {20th ACM Conference on Computer and Communications Security 
    (CCS'13)},
  month = {November 4-8,},
  year = {2013},
  publisher = {ACM},
  pages = {535--548},
  doi = {10.1145/2508859.2516738},
  url = {http://thomaschneider.de/papers/ALSZ13.pdf},
  weburl = {http://www.sigsac.org/ccs/CCS2013/},
  rate = {$19.8\%$},
  note = {Full version: \url{http://eprint.iacr.org/2013/552}. Code: 
    \url{http://encrypto.de/code/OTExtension}}
}
@inproceedings{DSZ13,
  author = {Daniel Demmler and Thomas Schneider and Michael Zohner},
  booktitle = {19. Workshop der Fachgruppe Kryptographie in der 
    Gesellschaft f\"ur Informatik (Kryptotag)},
  month = {November 14-15,},
  title = {Hardware-Assisted Ad-Hoc Secure Two-Party Computation on 
    Smartphones},
  weburl = {http://fg-krypto.gi.de/krypto-tag/19-kryptotag.html},
  url = {http://fg-krypto.gi.de/fileadmin/fg-krypto/Kryptotag_Stuttgart.pdf},
  year = {2013}
}
@inproceedings{KSS14,
  abstract = {Performance of secure computation is still often an obstacle 
    to its practical adaption. There are different protocols for secure 
    computation that compete for the best performance.\\
In this paper we propose {\em automatic protocol selection} which selects a 
    protocol for each operation resulting in a mix with the best performance so 
    far. Based on an elaborate performance model, we propose an optimization 
    algorithm and an efficient heuristic for this selection problem. We show 
    that our mixed protocols achieve the best performance on a set of use 
    cases. Furthermore, our results underpin that the selection problem is so 
    complicated and large in size, that a programmer is unlikely to manually 
    make the optimal selection. Our proposed algorithms nevertheless can be 
    integrated into a compiler in order to yield the best (or near-optimal) 
    performance.},
  author = {Florian Kerschbaum and Thomas Schneider and Axel Schr\"opfer},
  title = {Automatic Protocol Selection in Secure Two-Party Computations},
  booktitle = {12th International Conference on Applied Cryptography and 
    Network Security (ACNS'14)},
  month = {June 10-13,},
  year = {2014},
  publisher = {Springer},
  series = {LNCS},
  volume = {8479},
  pages = {566--584},
  weburl = {http://acns2014.epfl.ch},
  note = {Full version: \url{http://eprint.iacr.org/2014/200}.},
  doi = {10.1007/978-3-319-07536-5_33},
  rate = {$22.4\%$},
  url = {http://thomaschneider.de/papers/KSS14.pdf}
}
@inproceedings{SS14,
  abstract = {Protocols for secure comparison are a fundamental building 
    block of many privacy-preserving protocols such as privacy-preserving face 
    recognition or privacy-preserving fingerprint authentication. So far, all 
    existing secure comparison protocols that have been used in practical 
    implementations require interaction.\\
In recent work, Hsu et al. (IEEE Transactions on Image Processing 2012) 
    propose protocols for privacy-preserving computation of the scale-invariant 
    feature transform (SIFT) in the encrypted domain. Their fundamental 
    building block is a new protocol for performing secure comparisons under 
    additively homomorphic encryption that requires no interaction.

In this paper we present potential for optimization and shortcomings of 
    their secure comparison protocol. More specifically, we show that it 1) 
    allows optimizations by shifting computation from the server to the user, 
    2) removes the gain that the user has in outsourcing computations to the 
    server, and most importantly is 3) either computationally intractable for 
    the server or insecure. As alternatives we propose to use either 
    interactive comparison protocols or non-interactive somewhat or fully 
    homomorphic encryption.},
  author = {Matthias Schneider and Thomas Schneider},
  title = {Notes on Non-Interactive Secure Comparison in ``Image Feature 
    Extraction in the Encrypted Domain with Privacy-Preserving {SIFT}''},
  booktitle = {2nd ACM Workshop on Information Hiding and Multimedia 
    Security (IH\&MMSEC'14)},
  month = {June 11-13,},
  year = {2014},
  publisher = {ACM},
  weburl = {http://ihmmsec.org},
  rate = {$37.5\%$},
  doi = {10.1145/2600918.2600927},
  pages = {432--440},
  url = {http://thomaschneider.de/papers/SS14.pdf}
}
@inproceedings{BCFPSZ14,
  abstract = {At WAHC’13, Bringer et al. introduced a protocol called SHADE 
    for secure and efficient Hamming distance computation using oblivious 
    transfer only. In this paper, we introduce a generalization of the SHADE 
    protocol, called GSHADE, that enables privacy-preserving computation of 
    several distance metrics, including (normalized) Hamming distance, 
    Euclidean distance, Mahalanobis distance, and scalar product. GSHADE can be 
    used to efficiently compute one-to-many biometric identification for 
    several traits (iris, face, fingerprint) and benefits from recent 
    optimizations of oblivious transfer extensions. GSHADE allows 
    identification against a database of 1000 Eigenfaces in 1.28 seconds and 
    against a database of 10000 IrisCodes in 17.2 seconds which is more than 10 
    times faster than previous works.},
  author = {Julien Bringer and Herv\'e Chabanne and M\'elanie Favre and 
    Alain Patey and Thomas Schneider and Michael Zohner},
  title = {{GSHADE}: Faster Privacy-Preserving Distance Computation and 
    Biometric Identification},
  booktitle = {2nd ACM Workshop on Information Hiding and Multimedia 
    Security (IH\&MMSEC'14)},
  month = {June 11-13,},
  year = {2014},
  publisher = {ACM},
  weburl = {http://ihmmsec.org},
  rate = {$37.5\%$},
  pages = {187--198},
  doi = {10.1145/2600918.2600922},
  url = {http://thomaschneider.de/papers/BCFPSZ14.pdf},
  note = {Code: \url{http://encrypto.de/code/GSHADE}}
}
@inproceedings{PSZ14,
  abstract = {Private set intersection (PSI) allows two parties to compute 
    the intersection of their sets without revealing any information about 
    items that are not in the intersection. It is one of the best studied 
    applications of secure computation and many PSI protocols have been 
    proposed. However, the variety of existing PSI protocols makes it difficult 
    to identify the solution that performs best in a respective scenario, 
    especially since they were not all implemented and compared in the same 
    setting.\\
In this work, we give an overview on existing PSI protocols that are secure 
    against semi-honest adversaries. We take advantage of the most recent 
    efficiency improvements in OT extension to propose significant 
    optimizations to previous PSI protocols and to suggest a new PSI protocol 
    whose runtime is superior to that of existing protocols. We compare the 
    performance of the protocols both theoretically and experimentally, by 
    implementing all protocols on the same platform, and give recommendations 
    on which protocol to use in a particular setting.},
  author = {Benny Pinkas and Thomas Schneider and Michael Zohner},
  title = {Faster Private Set Intersection based on {OT} Extension},
  booktitle = {23rd USENIX Security Symposium (USENIX Security'14)},
  month = {August 20-22,},
  year = {2014},
  publisher = {USENIX},
  weburl = {https://www.usenix.org/conference/usenixsecurity14},
  note = {Full version: \url{http://eprint.iacr.org/2014/447}},
  rate = {$19.1\%$},
  url = {http://thomaschneider.de/papers/PSZ14.pdf},
  pages = {797--812}
}
@inproceedings{DSZ14,
  abstract = {Secure two-party computation allows two mutually distrusting 
    parties to jointly compute an arbitrary function on their private inputs 
    without revealing anything but the result. An interesting target for 
    deploying secure computation protocols are mobile devices as they contain a 
    lot of sensitive user data. However, their resource restrictions make this 
    a challenging task.\\
In this work, we optimize and implement the secure computation protocol by 
    Goldreich-Micali-Wigderson (GMW) on mobile phones. To increase performance, 
    we extend the protocol by a trusted hardware token (i.e., a smartcard). The 
    trusted hardware token allows to pre-compute most of the workload in an 
    initialization phase, which is executed locally on one device and can be 
    pre-computed independently of the later communication partner. We develop 
    and analyze a proof-of-concept implementation of generic secure two-party 
    computation on Android smart phones making use of a microSD smartcard. Our 
    use cases include private set intersection for finding shared contacts and 
    private scheduling of a meeting with location preferences. For private set 
    intersection, our token-aided implementation on mobile phones is up to two 
    orders of magnitude faster than previous generic secure two-party 
    computation protocols on mobile phones and even as fast as previous work on 
    desktop computers.},
  author = {Daniel Demmler and Thomas Schneider and Michael Zohner},
  title = {Ad-Hoc Secure Two-Party Computation on Mobile Devices using 
    Hardware Tokens},
  booktitle = {23rd USENIX Security Symposium (USENIX Security'14)},
  month = {August 20-22,},
  year = {2014},
  publisher = {USENIX},
  weburl = {https://www.usenix.org/conference/usenixsecurity14},
  note = {Full version: \url{http://eprint.iacr.org/2014/467}},
  rate = {$19.1\%$},
  url = {http://thomaschneider.de/papers/DSZ14.pdf},
  pages = {893--908}
}
@inproceedings{DHS14,
  abstract = {Private Information Retrieval (PIR) allows to privately 
    request a block of data from a database such that no information about the 
    queried block is revealed to the database owner. With the rapid rise of 
    cloud computing, data is often shared across multiple servers, making 
    multi-server PIR a promising privacy-enhancing technology.\\
In this paper, we introduce RAID-PIR, an efficient and simple multi-server 
    PIR scheme, which has similar approach to RAID (Redundant Arrays of 
    Inexpensive Disks) systems. Each server stores only a part of the database, 
    its computational complexity depends only on this part, and multiple blocks 
    can be queried efficiently in parallel. RAID-PIR improves efficiency over 
    known PIR protocols, using only very efficient cryptographic primitives 
    (pseudo-random generator). We demonstrate that RAID-PIR is practical and 
    well-suited for cloud deployment as it reduces  the communication as well 
    as the computational workload per server.},
  author = {Daniel Demmler and Amir Herzberg and Thomas Schneider},
  title = {{RAID-PIR}: Practical Multi-Server {PIR}},
  booktitle = {6th ACM Cloud Computing Security Workshop (ACM CCSW'14)},
  month = {November 7,},
  year = {2014},
  publisher = {ACM},
  pages = {45--56},
  weburl = {http://digitalpiglet.org/nsac/ccsw14/},
  rate = {$33.3\%$},
  doi = {10.1145/2664168.2664181},
  url = {http://thomaschneider.de/papers/DHS14.pdf},
  note = {Code: \url{http://encrypto.de/code/RAID-PIR}}
}
@inproceedings{DSZ15,
  abstract = {Secure computation enables mutually distrusting parties to 
    jointly evaluate a function on their private inputs without revealing 
    anything but the function's output. Generic secure computation protocols in 
    the semi-honest model have been studied extensively and several best 
    practices have evolved.\\
        In this work, we design and implement a mixed-protocol framework, 
    called \emph{ABY}, that efficiently combines secure computation schemes 
    based on \underline{A}rithmetic sharing, \underline{B}oolean sharing, and 
    \underline{Y}ao's garbled circuits and that makes available best practice 
    solutions in secure two-party computation. Our framework allows to 
    pre-compute almost all cryptographic operations and provides novel, highly 
    efficient conversions between secure computation schemes based on 
    pre-computed oblivious transfer extensions. ABY supports several standard 
    operations and we perform benchmarks on a local network and in a public 
    intercontinental cloud. From our benchmarks we deduce new insights on the 
    efficient design of secure computation protocols, most prominently that 
    oblivious transfer-based multiplications are much more efficient than 
    multiplications based on homomorphic encryption. We use ABY to construct 
    mixed-protocols for three example applications -- private set intersection, 
    biometric matching, and modular exponentiation -- and show that they are 
    more efficient than using a single protocol.},
  author = {Daniel Demmler and Thomas Schneider and Michael Zohner},
  title = {{ABY} -- A Framework for Efficient Mixed-Protocol Secure 
    Two-Party Computation},
  booktitle = {21st Annual Network and Distributed System Security 
    Symposium (NDSS'15)},
  month = {February 8-11,},
  year = {2015},
  publisher = {The Internet Society},
  weburl = {http://www.internetsociety.org/events/ndss-symposium-2015},
  note = {Code: \url{http://encrypto.de/code/ABY}},
  doi = {10.14722/ndss.2015.23113},
  url = {http://thomaschneider.de/papers/DSZ15.pdf},
  rate = {$18.4\%$}
}
@inproceedings{ARSTZ15,
  abstract = {Designing an efficient cipher was always a delicate balance 
    between linear and non-linear operations. This goes back to the design of 
    DES, and in fact all the way back to the seminal work of Shannon. Here we 
    focus, for the first time, on an extreme corner of the design space and 
    initiate a study of symmetric-key primitives that minimize the 
    multiplicative size and depth of their descriptions. This is motivated by 
    recent progress in practical instantiations of secure multi-party 
    computation (MPC), fully homomorphic encryption (FHE), and zero-knowledge 
    proofs (ZK) where linear computations are, compared to non-linear 
    operations, essentially ``free''.
We focus on the case of a block cipher, and propose the family of block 
    ciphers ``LowMC'', beating all existing proposals with respect to these 
    metrics by far. We sketch several applications for such ciphers and give 
    implementation comparisons suggesting that when encrypting larger amounts 
    of data the new design strategy translates into improvements in computation 
    and communication complexity by up to a factor of 5 compared to AES-128, 
    which incidentally is one of the most competitive classical designs. 
    Furthermore, we identify cases where ``free XORs'' can no longer be 
    regarded as such but represent a bottleneck, hence refuting this commonly 
    held belief with a practical example.},
  title = {Ciphers for {MPC} and {FHE}},
  author = {Martin Albrecht and Christian Rechberger and Thomas Schneider 
    and Tyge Tiessen and Michael Zohner},
  booktitle = {34th Advances in Cryptology -- EUROCRYPT 2015},
  month = {April 26-30,},
  year = {2015},
  publisher = {Springer},
  series = {LNCS},
  volume = {9056},
  pages = {430--454},
  doi = {10.1007/978-3-662-46800-5_17},
  url = {http://thomaschneider.de/papers/ARSTZ15.pdf},
  weburl = {https://www.cosic.esat.kuleuven.be/eurocrypt_2015/},
  rate = {$29.4\%$}
}
@inproceedings{ALSZ15,
  abstract = {Oblivious transfer (OT) is one of the most fundamental 
    primitives in cryptography and is widely used in protocols for secure 
    two-party and multi-party computation. As secure computation becomes more 
    practical, the need for practical large scale oblivious transfer protocols 
    is becoming more evident. Oblivious transfer extensions are protocols that 
    enable a relatively small number of ``base-OTs'' to be utilized to compute 
    a very large number of OTs at low cost. In the semi-honest setting, Ishai 
    et al. (CRYPTO 2003) presented an OT extension protocol for which the cost 
    of each OT (beyond the base-OTs) is just a few hash function operations. In 
    the malicious setting, Nielsen et al. (CRYPTO 2012) presented an efficient 
    OT extension protocol for the setting of active adversaries, that is secure 
    in the random oracle model.
In this work, we present an OT extension protocol for the setting of 
    malicious adversaries that is more efficient and uses less communication 
    than previous works. In addition, our protocol can be proven secure in both 
    the random oracle model, and in the standard model with a type of 
    correlation robustness. Given the importance of OT in many secure 
    computation protocols, increasing the efficiency of OT extensions is 
    another important step forward to making secure computation practical.},
  title = {More Efficient Oblivious Transfer Extensions with Security for 
    Malicious Adversaries},
  author = {Gilad Asharov and Yehuda Lindell and Thomas Schneider and 
    Michael Zohner},
  booktitle = {34th Advances in Cryptology -- EUROCRYPT 2015},
  month = {April 26-30,},
  year = {2015},
  publisher = {Springer},
  series = {LNCS},
  volume = {9056},
  pages = {673--701},
  doi = {10.1007/978-3-662-46800-5_26},
  weburl = {https://www.cosic.esat.kuleuven.be/eurocrypt_2015/},
  url = {http://thomaschneider.de/papers/ALSZ15.pdf},
  note = {Full version: \url{http://eprint.iacr.org/2015/061}. Code: 
    \url{http://encrypto.de/code/ OTExtension}},
  rate = {$29.4\%$}
}
@inproceedings{SHSSK15,
  abstract = {We introduce TinyGarble, a novel automated methodology based 
    on powerful logic synthesis techniques for generating and optimizing 
    compressed Boolean circuits used in secure computation, such as Yao’s 
    Garbled Circuit (GC) protocol. TinyGarble achieves an unprecedented level 
    of compactness and scalability by using a sequential circuit description 
    for GC. We introduce new libraries and transformations, such that our 
    sequential circuits can be optimized and securely evaluated by interfacing 
    with available garbling frameworks. The circuit compactness makes the 
    memory footprint of the garbling operation fit in the processor cache, 
    resulting in fewer cache misses and thereby less CPU cycles. Our 
    proof-of-concept implementation of benchmark functions using TinyGarble 
    demonstrates a high degree of compactness and scalability. We improve the 
    results of existing automated tools for GC generation by orders of 
    magnitude; for example, TinyGarble can compress the memory footprint 
    required for 1024-bit multiplication by a factor of 4,172, while decreasing 
    the number of non-XOR gates by 67\%. Moreover, with TinyGarble we are able 
    to implement functions that have never been reported before, such as SHA-3. 
    Finally, our sequential description enables us to design and realize a 
    garbled processor, using the MIPS I instruction set, for private function 
    evaluation. To the best of our knowledge, this is the first scalable 
    emulation of a general purpose processor.},
  title = {{TinyGarble}: Highly Compressed and Scalable Sequential Garbled 
    Circuits},
  author = {Ebrahim M. Songhori and Siam U. Hussain and Ahmad-Reza Sadeghi 
    and Thomas Schneider and Farinaz Koushanfar},
  booktitle = {36th IEEE Symposium on Security and Privacy (IEEE S\&P'15)},
  month = {May 18-20,},
  year = {2015},
  publisher = {IEEE},
  weburl = {http://www.ieee-security.org/TC/SP2015/index.html},
  rate = {$13.5\%$},
  url = {http://esonghori.github.io/file/TinyGarble.pdf},
  doi = {10.1109/SP.2015.32},
  pages = {411--428}
}
@inproceedings{PSSZ15,
  abstract = {  Private Set Intersection (PSI) allows two parties to 
    compute the intersection of private sets while revealing nothing more than 
    the intersection itself. PSI needs to be applied to large data sets in 
    scenarios such as measurement of ad conversion rates, data sharing, or 
    contact discovery.  Existing PSI protocols do not scale up well, and 
    therefore some applications use insecure solutions instead.

We describe a new approach for designing PSI protocols based on 
    permutation-based hashing, which enables to reduce the length of items 
    mapped to bins while ensuring that no collisions occur. We denote this 
    approach as Phasing, for Permutation-based Hashing Set Intersection. 
    Phasing can dramatically improve the performance of PSI protocols whose 
    overhead depends on the length of the representations of input items.

We apply Phasing to design a new approach for circuit-based PSI protocols.  
    The resulting protocol is up to 5~times faster than the previously best 
    Sort-Compare-Shuffle circuit of Huang et al. (NDSS 2012).  We also apply 
    Phasing to the OT-based PSI protocol of Pinkas et al. (USENIX Security 
    2014), which is the fastest PSI protocol to date. Together with additional 
    improvements that reduce the computation complexity by a logarithmic 
    factor, the resulting protocol improves run-time by a factor of up to 20 
    and can also have better communication overhead than the previously best 
    PSI protocol in that respect. The new protocol is only moderately less 
    efficient than an {\em insecure} PSI protocol that is currently used by 
    real-world applications, and is therefore the first secure PSI protocol 
    that is scalable to the demands and the constraints of current real-world 
    settings.},
  author = {Benny Pinkas and Thomas Schneider and Gil Segev and Michael 
    Zohner},
  title = {Phasing: Private Set Intersection using Permutation-based 
    Hashing},
  booktitle = {24th USENIX Security Symposium (USENIX Security'15)},
  month = {August 12-14,},
  year = {2015},
  publisher = {USENIX},
  weburl = {https://www.usenix.org/conference/usenixsecurity15},
  rate = {$15.7\%$},
  note = {Full version: \url{http://eprint.iacr.org/2015/634}}
}
@inproceedings{KPRSSZ15,
  abstract = {Mining and analysis of digital data has the potential to 
    provide improved quality of life and offer even life-saving insights. 
    However, loss of privacy or secret information would be detrimental to 
    these goals and inhibit widespread application. Traditional data protection 
    measures tend to result in the formation of data silos, severely limiting 
    the scope and yield of ``Big Data''. Technology such as privacy-preserving 
    multi-party computation~(MPC) and data de-identification can break these 
    silos enabling privacy-preserving computation.
	
However, currently available de-identification schemes tend to suffer from 
    privacy/utility trade-offs, and MPC has found deployment only in niche 
    applications. As the assurance and availability of hardware-based Trusted 
    Execution Environments~(TEEs) is increasing, we propose an alternative 
    direction of using TEEs as ``neutral'' environments for efficient yet 
    secure multi-party computation. To this end, we survey the current state of 
    the art, propose a generic initial solution architecture and identify 
    remaining challenges.},
  author = {Patrick Koeberl and Vinay Phegade and Anand Rajan and Thomas 
    Schneider and Steffen Schulz and Maria Zhdanova},
  title = {Time to Rethink: Trust Brokerage using Trusted Execution 
    Environments},
  booktitle = {8th International Conference on Trust \& Trustworthy 
    Computing (TRUST'15)},
  month = {August 24-26,},
  year = {2015},
  publisher = {Springer},
  series = {LNCS},
  weburl = {http://www.ics.forth.gr/trust2015/}
}