WPEC 2024 (September 24th–26th) is a virtual workshop, free to attend, and with a call for talk proposals.
Featured topics: Private-Set Intersection (PSI); Fully-Homomorphic Encryption (FHE); Secure Multi-Party Computation (MPC); Zero-Knowledge Proofs (ZKP).
WPEC 2024 fosters Privacy-Enhancing Cryptography (PEC), hosting The First PSI Day, and various talks on FHE, MPC and ZKP.
WPEC 2024, the NIST Workshop on Privacy-Enhancing Cryptography 2024, will bring together multiple perspectives of Privacy-Enhancing Cryptography (PEC) from diverse stakeholders. The 3-day virtual workshop is organized for sharing insights about PEC capabilities, use-cases, real-world deployment, initiatives, challenges and opportunities, and the related context of privacy & auditability. The workshop delves into the four featured topics: Private-Set Intersection (PSI), Fully-Homomorphic Encryption (FHE), Secure Multi-Party Computation (MPC), and Zero-Knowledge Proofs (ZKP).
WPEC 2024 is organized within the scope of the NIST Privacy-Enhancing Cryptography (PEC) project. Various topics are also of direct interest to the NIST Multi-Party Threshold Cryptography (MPTC) project.
The workshop will host technical and positioning talks, and panel discussions, in a learning and collaborative environment. The presentations will be recorded and made available online. The gathering of reference material is intended as informative for future characterization of PEC techniques, listing of potential use-cases, and the matching between PEC capabilities and real-world privacy & auditability challenges.
To receive announcements about PEC and MPTC, subscribe to the PEC-Forum and MPTC-Forum.
The workshop spans three (3) days, organized into two (2) sessions per day, with six (6) slots per session.
Overall, the schedule has 36 slots, including 20 accepted talk proposals, 9 invited talks, and other slots for introductions or open-comments. The list of talks is detailed in the schedule of each day, below.
All times are shown in Eastern Daylight Time (EDT), UTC -4.
External proposals for talks are welcomed by email, using the provided PDF form and following its instructions. All submissions will be reviewed, and an acceptance or rejection decision will be sent by email. The review phase may include asking submitters to refine their proposals for better alignment with the thematic and logistical needs of the workshop. The overall selection, which will also include invited talks or panels, will prioritize the creation of a high-quality balanced program, aligned with the workshop goals. The workshop welcomes highly-technical crypto material, and also less-technical inter-disciplinary perspectives about PEC development and integration.
WPEC 2024 participation included 37 speakers (including the co-chairs), the live attendees, and other supporting members. The set of speakers included those (24) presenting an accepted talk proposal, those (11) presenting an invited talk, and the two (2) co-chairs. The live attendees were able to interact in the virtual chat. Some of their comments were posed as questions to the speakers. There was also a session [3a6] for lightning oral comments by the attendees. The PEC team organized the workshop.
11 speakers in 10 invited talks: Dan Bogdanov (MPC Alliance; Cybernetica, Estonia) [3a5], Shu Hui (Sue) Chen (NIH, USA) [2a5], Gary Howarth (NIST, USA) [2a3], James Joshi (National Science Foundation, USA) [2a4], Anna Lysyanskaya (Brown University, USA) [3b3], Daniele Micciancio (UC San Diego, USA) [2b1], Curtis Mitchell (Census Bureau, USA) [2a3], Benny Pinkas (Bar Ilan University; Aptos Labs, Israel) [3a2], Matt Scholl (NIST, USA) [1a0], Tjerand Silde (NTNU, Norway) [3b1], Akira Takahashi (JPMorgan, USA) [3b1].
24 speakers in 20 accepted talk proposals: Rashmi Agrawal (CipherSonic Labs, USA) [2b2], Andreea Alexandru (Duality Technologies, USA; OpenFHE) [2a6], Gurgen Arakelov (Fair Math Inc, Spain) [2b4], Wayne Chang (SpruceID, USA) [3b4], Antoine Dumanois (Orange Innovation, France) [3b5], Kasra Edalatnejad (TU-Darmstadt, Germany) [1a5], Gayathri Garimella (Brown University, USA) [1b3], Bhavish Raj Gopal (Indian Institute of Science, India) [3a4], Erin Hales (Royal Holloway, University of London, UK) [2b5], Seongkwang Kim (Samsung SDS, South Korea) [1a4], Evgenios Kornaropoulos (George Mason University, USA) [1b5], Tomo Lazovich (Census Bureau, USA) [2a2], Steve Lu (Stealth Software Technologies, USA) [1b1], Emil Olaisen (NTNU, Norway) [3b2], Peter Rindal (Visa, USA) [1a6], Kurt Rohloff (Duality Technologies, USA; OpenFHE) [2a6], Mike Rosulek (Oregon State University, USA) [1a2], Junbum Shin (CryptoLab, South Korea) [2b3], Damien Stehlé (CryptoLab, France) [2b3], Yunqing Sun (Northwestern University, USA) [1a3], Jacques Traoré (Orange Innovation, France) [3b5], Ni Trieu (Arizona State University, USA) [1a2], Yongqin Wang (University of Southern California, USA) [3a3], Christian Weinert (Royal Holloway, University of London, UK) [1b4].
2 co-chairs (who also gave 3 talks): Luís Brandão (NIST/Strativia, USA) [1a1, 3a1] and Angela Robinson (NIST, USA) [2a1].
Attendees (statistics):
Organizing team and supporting members: WPEC 2024 was organized by the NIST PEC team (including the co-chairs and René Peralta). We also thank Daniel Canright (NIST), D. C., and Nathan Meadows (NIST) for technical support related to the video-conference platform.
Selected Presentations

September 24, 2024
9:20 AM | Opening Remarks
WPEC 2024 Talk 1a0: Welcoming Remarks
Matthew Scholl (NIST)
This talk presents the welcoming remarks to the NIST Workshop on Privacy-Enhancing Cryptography (WPEC) 2024, focused on advancing the understanding of Privacy-Enhancing Cryptography (PEC) and its potential for real-world cases. The agenda features technical sessions on Private Set Intersection (PSI), Fully Homomorphic Encryption (FHE), Multiparty Computation (MPC), and Zero-Knowledge Proofs (ZKP). The event, organized by the PEC team, promotes knowledge sharing and encourages participants to develop reference materials that support future innovations. The discussions will consider key security and privacy properties, as well as technical capabilities, to ensure that PEC is resilient and adaptable to emerging challenges and opportunities, including post-quantum security, in the evolving cryptographic landscape.
9:30 AM | Presentation
WPEC 2024 Talk 1a1: Intro to WPEC 2024 and The PSI Day
Luís T. A. N. Brandão (Contractor FGR, NIST/Strativia)
WPEC 2024, the NIST Workshop on Privacy-Enhancing Cryptography 2024, brings together multiple perspectives of Privacy-Enhancing Cryptography (PEC) from diverse stakeholders. The 3-day virtual workshop is organized for sharing insights about PEC capabilities, use-cases, real-world deployment, initiatives, challenges and opportunities, and the related context of privacy & auditability. The workshop features the topics of Private-Set Intersection (PSI), Fully-Homomorphic Encryption (FHE), Secure Multi-Party Computation (MPC), and Zero-Knowledge Proofs (ZKP). In the first day (2024-Sep-24), the workshop hosts The First PSI Day. In the second day (2024-Sep-25), the workshop hosts various talks about PEC in Government, and FHE. In the final day (2024-Sep-26), the workshop hosts talks on MPC and ZKP. This talk recalls the context of the NIST-PEC project, sets expectations for the workshop, presents the schedule, and gives other logistics notes. Updates to the workshop program will be published in the workshop webpage: https://csrc.nist.gov/events/2024/wpec2024
Joint work with: René Peralta (NIST) and Angela Robinson (NIST) [Slides]
9:45 AM | Presentation
WPEC 2024 Talk 1a2: Spotlight on PSI for Small Sets
Mike Rosulek (Oregon State University)
Abstract. In 2-party private set intersection (PSI), different techniques are favorable depending on whether the input sets are large (e.g., millions of items) or small (e.g., hundreds of items). In this talk I will motivate the need for different techniques and describe the state of the art for PSI on small sets. I will also describe in detail an application of PSI-for-small-sets to significantly enhance privacy and security features of authentication in the SSH (secure shell) protocol.
Joint work with: Ni Trieu, Lawrence Roy, Stanislav Lyakhov, Yeongjin Jang [Slides]
10:10 AM | Presentation
WPEC 2024 Talk 1a3: Actively Secure Private Set Intersection in the Client-Server Setting
Yunqing Sun (Northwestern University, USA)
Abstract. In this presentation, we introduce an efficient and actively secure private set intersection (PSI) protocol for password checkup scenarios, where a server with one large set performs PSI with multiple clients, each holding a small set. First, we demonstrate the use of an oblivious verifiable unpredictable function (OVUF) to instantiate this PSI efficiently. The OVUF-based PSI protocol enhances one-time, reusable, and asynchronous linear-size server encoding. It allows multiple clients to perform low-cost interactions with the server, with complexity linear in the size of each client's set. Next, we present an efficient instantiation of a fully maliciously secure OVUF based on weak multiplication-to-addition (MtA) triples, which is of independent interest. The weak MtA triples leverage oblivious transfer (OT), reducing communication in OT messages to achieve optimal complexity for OVUF. Finally, we briefly discuss the protocol's performance in this setting, with server set sizes up to millions and client set sizes ranging from hundreds to thousands, demonstrating high efficiency compared to other state-of-the-art work.
Joint work with: Xiao Wang (Northwestern University), Jonathan Katz (Google and University of Maryland), Phillipp Schoppmann (Google), Mariana Raykova (Google) [Slides]
10:45 AM | Presentation
WPEC 2024 Talk 1a4: Circuit-PSI and Applications
Seongkwang Kim (Samsung SDS)
Abstract. In this talk, we will explore the increasing use of Private Set Intersection (PSI) protocols in various industrial applications, such as Microsoft's and Google's password monitoring systems and Apple's detection of Child Sexual Abuse Material (CSAM). Samsung SDS's proof-of-concept for secure data aggregation with Korean government agencies highlights the practical applications of PSI, which can be performed without a trusted third party using Circuit-PSI. Circuit-PSI allows arbitrary computations without revealing intersection information but has performance drawbacks compared to Simple PSI. By leveraging homomorphic encryption schemes, we can reduce the communication costs associated with Circuit-PSI and its optimized version, Unbalanced Circuit-PSI. This talk will also address the necessity for Circuit-PSI to match records based on quasi-identifiers or fuzzy matching in real-world applications, proposing a technology combining multiple Circuit-PSI protocols and Multi-Party Computation (MPC) techniques. Additionally, we will identify security and performance challenges in PSI protocols, focusing on the Oblivious Pseudo-Random Function (OPRF) and the Oblivious Key-Value Store (OKVS) algorithm. We will discuss potential security issues when a malicious receiver inserts more key-value pairs than expected, compromising PSI security. Our proposed solutions include evaluating and preventing such attacks and introducing a novel OPRF protocol incorporating techniques from the SoftSpoken OT framework, balancing communication and computation costs for more efficient and secure PSI protocols.
Joint work with: Kyoohyung Han, Byeonghak Lee (Samsung SDS); Yongha Son (Sungshin Women's University). [Slides]
11:10 AM | Presentation
WPEC 2024 Talk 1a5: Private Collection Matching Protocols
Kasra Edalatnejad (TU-Darmstadt, Germany)
Abstract. In this presentation, we introduce a new class of problems called Private Collection Matching (PCM), in which clients aim to determine whether a collection of sets owned by a server matches their interests. This class of problems is closely linked to an existing cryptographic primitive called Private Set Intersection (PSI), as interest in server sets is often determined based on a function of their intersection with the client's set. However, we show that existing privacy-preserving cryptographic primitives, including PSI, cannot solve PCM problems efficiently without harming privacy. We propose a modular framework that enables designers to build privacy-preserving PCM systems that output one bit: whether a collection of server sets matches the client's set. The communication cost of our protocols scales linearly with the size of the client's set and is independent of the number of server elements. We demonstrate the potential of our framework by designing and implementing novel solutions for two real-world PCM problems: determining whether a dataset has chemical compounds of interest, and determining whether a document collection has relevant documents. Our evaluation shows that we offer a privacy gain with respect to existing works at a reasonable communication and computation cost.
Joint work with: Mathilde Raynal (EPFL), Wouter Lueks (CISPA Helmholtz Center for Information Security), Carmela Troncoso (EPFL) [Slides]
11:35 AM | Presentation
WPEC 2024 Talk 1a6: VOLE-PSI: Fast Private Set Intersection from the LPN Assumption
Peter Rindal (Visa, USA)
Abstract. In this talk we present the state-of-the-art protocol for performing Private Set Intersection (PSI) for moderate to large set sizes (500+ elements). These protocols are based on a combination of the cryptographic primitive known as Vector Oblivious Linear Evaluation (VOLE) and a linear data structure referred to as an Oblivious Key-Value Store (OKVS). Details of these protocols will be presented along with a brief description of how other primitives (e.g., OPRF, multi-party PSI) can be constructed from them as well. In addition, we will present how these protocols make use of the Learning Parity with Noise (LPN) assumption, along with a discussion on why LPN is believed to be hard for both classical and quantum adversaries. This will primarily focus on attacks in the so-called linear test framework, along with a brief discussion on algebraic attacks.
Joint work with: Phillipp Schoppmann, Srinivasan Raghuraman [Slides]
1:00 PM | Presentation
WPEC 2024 Talk 1b1: Paths Toward PSI Standardization and a New Approximate PSI
Steve Lu (Stealth Software Technologies, USA)
Abstract. In this presentation, we talk about a new Approximate Private Set Intersection scheme that allows for fuzzy matching of set items. Under the assumption that the set elements are either close (due to errors or rounding) or far enough apart, we can greatly improve the performance of matching close elements under various distance metrics. Asymptotically, we improve the result from quadratic to near-linear, and empirically it is 20x faster with 30% less communication than previous schemes. This adds to the growing menagerie of PSI flavors, and in this talk we also explore broad and narrow approaches towards a path to standardizing specific PSI schemes or PSI as a whole.
Joint work with: Wutichai Chongchitmate and Rafail Ostrovsky [Slides]
1:25 PM | Presentation
WPEC 2024 Talk 1b2: Multiparty Private Set Intersection and Beyond
Ni Trieu (Arizona State University, USA)
Abstract. In this talk, I will present various private set intersection (PSI) protocols, with a particular focus on the multi-party setting. I will cover the development from the first practical multi-party PSI protocol in the semi-honest setting (Kolesnikov et al., CCS 2017) to the state-of-the-art protocol in the malicious setting (Nevo et al., CCS 2021). These protocols are designed to avoid computationally intensive public-key operations and are secure with any number of participants (i.e., without an honest majority). Furthermore, I will explore various variants of multi-party PSI, including PSI-cardinality and delegated computation. These variants have significant applications in areas like contact tracing and secure dot product computations.
Joint work with: Vladimir Kolesnikov, Naor Matania, Benny Pinkas, Mike Rosulek, Ofri Nevo, Avishay Yanai, Thai Duong, Duong Hieu Phan, Jiahui Gao [Slides]
1:50 PM | Presentation
WPEC 2024 Talk 1b3: Structure-Aware Private Set Intersection from Function Secret Sharing
Gayathri Garimella (Brown University, USA)
Abstract. Structure-Aware Private Set Intersection (sa-PSI) is a PSI variant where Alice has an input set \(S_A\) belonging to a publicly known family of structured sets (for example, a high-dimensional ball, union of balls) and Bob's input set \(S_B\) consists of an unstructured collection of elements. The main motivation for sa-PSI is to enable Alice (or Bob) to learn the intersection with protocol communication and computation cost that scales with a succinct description size of Alice's input \(S_A\), instead of her set cardinality \(|S_A|\). sa-PSI can be useful in applications like noisy/fuzzy biometric matching, privacy-preserving ride sharing, among others. In this talk, I will present in detail a general framework for semi-honest sa-PSI using a cryptographic building block called Function Secret Sharing.
Joint work with: Benjamin Goff, Peihan Miao, Mike Rosulek and Jaspal Singh [Slides]
2:25 PM | Presentation
WPEC 2024 Talk 1b4: Unbalanced PSI: Applications, Constructions, and Combinations with PIR
Christian Weinert (Royal Holloway, University of London, UK)
Abstract. Unbalanced private set intersection (PSI) refers to PSI variants that are optimized for settings where a client has a significantly smaller input set than the server. There exist numerous real-world applications for which efficient unbalanced PSI protocols would be nice to have, e.g., to implement mobile private contact discovery. In this talk, we will motivate why unbalanced PSI is important through discussing such real-world applications. Furthermore, we will present general approaches and state-of-the-art constructions for implementing unbalanced PSI. Finally, we will highlight a number of promising works that construct efficient unbalanced PSI through a combination with private information retrieval (PIR). [Slides]
2:50 PM | Presentation
WPEC 2024 Talk 1b5: Asymmetric PSI and Its Leakage: A Case Study of the MIGP Protocol
Evgenios Kornaropoulos (George Mason University, USA)
Abstract. Private Set Intersection (PSI) is a well-established area in applied cryptography with numerous applications and real-world deployments. PSI protocols enable parties to compute the intersection of their private datasets without revealing additional information. The case of an asymmetric PSI protocol presents several scalability challenges since one of the two sets is several orders of magnitude larger than the other. Consequently, the community has shifted to scalable PSI designs that permit controlled disclosure in the form of cryptographic leakage. In this talk, we discuss security issues that we discovered (and fixed) in a recent asymmetric PSI protocol called "Might I Get Pwned" (MIGP). We will present the leakage issues of the original construction and demonstrate how an adversary can exploit this leakage with Deep Neural Networks to reconstruct encrypted credentials.
Joint work with: Dario Pasquini, Danilo Francati, Giuseppe Ateniese [Slides]
3:15 PM | Presentation
WPEC 2024 Slot 1b6: Closing of The PSI Day
At the end of "The First PSI Day", after numerous talks about Private Set Intersection (PSI), the PEC team will propose some questions for reflection or open comments by the various speakers of the day. [Slide]
September 25, 2024
9:20 AM | Presentation
WPEC 2024 Talk 2a1: The Role of PEC in Recent and Upcoming U.S. National Strategies
Angela Robinson (NIST)
Abstract. The United States' Office of Science and Technology Policy (OSTP) has shown increasing interest in the opportunities presented by privacy-enhancing technologies. The first National Privacy Research Strategy was released in 2016 and was, in part, a response to privacy challenges emerging from the large-scale deployment of information technology systems and "Big Data". The development and promise of privacy-enhancing technologies has since been recognized as a means to enable collaboration and innovation in a privacy-preserving manner. The National Strategy to Advance Privacy-Preserving Data Sharing and Analytics was released in 2023 and established foundational guiding principles to ensure the advancement of PETs in a responsible and trustworthy manner. In this talk, we will discuss the role of privacy-enhancing cryptography in these national strategies, as well as the upcoming 2024 National Privacy Research Strategy. [Slides]
9:45 AM | Presentation
WPEC 2024 Talk 2a2: Measuring Demographic Disparities with Groupwise Private Set Intersection: A Federal Government Case Study
Tomo Lazovich (U.S. Census Bureau)
Abstract. With an increased focus on equity across the federal government, federal agencies and civil society have a need to join datasets with sensitive demographic data. Given legal, policy, and ethical constraints, the agencies that collect demographics cannot share them directly with such stakeholders in many cases. This presentation will show the application of Google's Private Join and Compute protocol to a public dataset of race and ethnicity information, enabling secure measurement of demographic disparities without explicit data sharing. We will describe the adaptations to open-source tools that were required to implement the protocol on government infrastructure. We will also illustrate potential use cases of the work that were ascertained through user interviews, including enabling third party audits of machine learning models. This presentation aims to be a primer on the practicalities of demonstrating a Privacy Enhancing Cryptography protocol on real infrastructure in a government setting.
Joint work with: Marina DeFrates, Samantha Weinstock [Slides]
10:10 AM | Presentation
WPEC 2024 Talk 2a3: The US PETs Lab: Making Privacy Technologies Accessible Throughout Government
Curtis Mitchell (Census Bureau xD, USA); Gary Howarth (NIST, USA)
Abstract. In this talk we will present an overview of the United States Privacy-Enhancing Technologies Lab, a collaboration between NIST and the Census Bureau to create an online collection of documentation, use cases, and testing sandbox for privacy-enhancing technologies. We will discuss the goals and brief history of the project, its current focus on an example implementation of privacy-preserving federated learning, and plans for the future of our work.
Joint work with: Naomi Lefkovitz [Slides]
10:45 AM | Presentation
WPEC 2024 Talk 2a4: NSF PDaSP: Towards Accelerating Use-inspired and Translational Research in Privacy
James Joshi (National Science Foundation (NSF), USA)
Abstract. In this talk, I will introduce the NSF's new program called Privacy-preserving Data Sharing in Practice. I will discuss its goals and types of projects it will fund, and the broader partnership efforts involved. I will also overview related earlier efforts that led to it and potential future plans.
Joint work: The PDaSP Partnership includes Intel and VMware from industry, and NIST and DoT-FHWA from government. [Slides]
11:10 AM | Presentation
WPEC 2024 Talk 2a5: NIH Workshop on Homomorphic Encryption and Privacy-Enhancing Technologies
Shu Hui (Sue) Chen (NIH, USA)
Abstract. The NIH Homomorphic Encryption and Privacy Enhancing Technologies (PETs) webinar series (https://datascience.nih.gov/homomorphic-encryption-and-privacy-enhancing-technologies-webinar-series) culminated in an in-person workshop for the webinar presenters to discuss key issues in linking disparate data from disparate data resources (e.g., different data repositories) to conduct large-scale analysis, to train and develop tools for analyzing data, etc. This workshop discussion and future work product will provide insights on how to promote sharing of and integration of data while maintaining confidentiality via homomorphic encryption, other PETs, and challenges in application of techniques including the ethical, legal, and social implications of increasing data sharing and access to data and data containing sensitive information. To date, fully homomorphic encryption schemes are limited by the amount of data that can be encrypted, the accumulation of noise, and the power and speed required to perform encryption and conduct analyses on encrypted data. Workshop participants discussed the limitations of current fully homomorphic encryption schemes, the challenges needed to overcome these limitations, and applications of other alternatives that would maintain privacy while allowing integration of disparate data across databases and combining homomorphic encryption with other PETs such as differential privacy and/or blockchain technologies.
Joint work with: Jonathan Pollock, Heidi Sophia, Rebecca Rodriguez, Rui Pereira De Sa, Freddie Pruitt, Craig Hayn, Rachel Leffler, Susan Wright, Roger Little, Ishwar Chandramouliswaran, Elaine Collier (NIH) [Slides]
11:35 AM | Presentation
WPEC 2024 Talk 2a6: Privacy-Preserving Data Sharing across Financial Institutions
Kurt Rohloff (Duality Technologies, Inc. and OpenFHE, USA); Andreea Alexandru (Duality Technologies, Inc. and OpenFHE, USA)
Abstract. Data collaboration is critical for improving the quality of models, identifying trends, and fighting financial crime. However, both regulations and the proprietary nature of the data discourage institutions from sharing their data, thus severely limiting the global fight against money laundering. To address the first challenge, anti-financial crime legislation such as the USA PATRIOT Act and the EU 5th Anti-Money Laundering Directive have been put forward to allow financial institutions to collaborate on sensitive information related to suspicious activity. Nevertheless, participation of financial institutions is still scarce due to proprietorship and perceived risks to competition-sensitive information. Privacy-preserving technologies such as fully homomorphic encryption (FHE) are being considered to address these challenges. Secure collaboration capabilities based on FHE allow private search without the need to share data in the clear. But despite regulatory and technical advancements, developing solutions to fight financial crime remains challenging. In this presentation, we will describe real-world use cases of private collaboration for fighting financial crime. Concretely, we will discuss case studies, such as with the US Department of Treasury, the UK Information Commissioner's Office, and Mastercard's Cross Border Data Collaboration project using Duality Technologies' platform. In the process, we will identify insights and challenges that should be considered when designing solutions for FHE-based private search, private information retrieval or private set intersection for practical application in fighting financial crime.
Joint work with: Yuriy Polyakov [Slides]
1:00 PM | Presentation
WPEC 2024 Talk 2b1: Overview of Fully Homomorphic Encryption
Daniele Micciancio (UC San Diego)
Abstract. Fully Homomorphic Encryption (FHE) is an encryption scheme that allows one to perform arbitrary computations on encrypted data. In this talk I will present an overview of FHE, covering the functionality, security properties, and main approaches to the design of FHE schemes. The presentation will focus on the security guarantees offered by current FHE schemes, how these guarantees may or may not fit specific application settings, and research directions currently being investigated to make FHE more robust, efficient and widely applicable. Specific topics covered in the talk include security against passive and active attacks, the security of exact vs. approximate computations, the distributed decryption problem, and a recently introduced notion of "application aware" security. [Slides]
1:40 PM | Presentation
WPEC 2024 Talk 2b2: Practical and Affordable FPGA-based Fully Homomorphic Encryption
Rashmi Agrawal (CipherSonic Labs, USA)
Abstract. In this talk, we present an affordable and practical acceleration of approximate homomorphic computing to enable real world privacy-preserving machine learning applications. Our initial analysis reveals that memory bandwidth is the main performance bottleneck due to the large amount of data that needs to be shuttled between the compute units and the main memory. To alleviate this memory bandwidth bottleneck, we make three contributions. First, we introduce memory-aware design techniques wherein we propose several hardware-centric and algorithmic optimizations while considering the small cache sizes that exist in most commercially available compute platforms. Through these techniques, we observe significant improvement in CKKS bootstrapping throughput. However, we also observe that the memory bandwidth still remains a bottleneck. Our second contribution is FAB, an FPGA-based accelerator that implements fully packed bootstrapping for the first time on an FPGA while utilizing several FPGA-centric design optimizations. Our design utilizes limited on-chip memory and the compute resources efficiently, thus providing practical performance at a fraction of ASIC cost. Even though FAB outperforms all prior CPU/GPU implementations by 9.5x to 456x, the performance is still limited by the bootstrapping operation, which could not be parallelized on multiple FPGAs. To overcome this we propose HEAP, an FHE accelerator with parallelized bootstrapping using a hybrid scheme switching approach. HEAP uses the CKKS scheme for the non-bootstrapping steps, but switches to the TFHE scheme when performing the bootstrapping step of the CKKS scheme. The approach in HEAP is agnostic of the hardware and can be mapped to any system with multiple compute nodes. With this proposed approach, we require smaller-sized bootstrapping keys, leading to about 18x less data to be read from the main memory for the keys. HEAP outperforms FAB by 15.39x for the bootstrapping operation. HEAP outperforms FAB and FAB-2 for logistic regression model training by 14.71x and 11.57x, respectively. [Slides]
2:05 PM | Presentation
WPEC 2024 Talk 2b3: Practical performance of CKKS and encrypted training and inference for classification
Junbum Shin (CryptoLab, South Korea); Damien Stehlé (CryptoLab, France)
Fully Homomorphic Encryption (FHE) is one of the core technologies in Privacy Enhancing Cryptography. Its applicability encompasses a broad range of functionalities (PSI, PIR, privacy-preserving AI, threshold cryptography, etc.). Unlike hardware-based solutions like Trusted Execution Environments (TEEs), which have larger attack surfaces, FHE offers cryptographic security with a smaller attack surface. However, it is sometimes discarded for being computationally too heavy for practical deployment. In this presentation, we will first highlight the concrete performance of the CKKS FHE scheme (Cheon, Kim, Kim and Song, Asiacrypt '17), when implemented in central and graphical processor units (CPU and GPU). CKKS natively enables approximate computations on complex and real numbers and may also be used for exact computations (Drucker, Moshkowitz, Pelleg, Shaul; J. Cryptol. '24). The strong performance of CKKS enables practical solutions for numerous privacy-preserving applications, such as privacy-preserving AI. It also makes it possible to homomorphically evaluate massive circuits, such as those occurring in large language model inference. We will then focus on the FHE-based approach for privacy-preserving AI outsourcing, focusing on image and text classification. AI services offered by cloud providers make AI accessible by automating model training, but raise privacy concerns since sensitive data is handled on remote servers. For practical performance, we leverage public transformer encoders, such as Vision Transformer for images and BERT, MPNET, and E5 for text. Instead of applying homomorphic encryption to the entire model, we protect only the features extracted by open source transformers. This approach accelerates both training and inference dramatically. As an example, we showcase one application of classification of vehicles. Using FHE-based Vision Transformer takes about 4 minutes for training and 0.2 seconds for inference, demonstrating the method's practicality. A live demo using AutoFHE (https://autofhe.com) will be shown in the presentation. [Slides]
2:40 PM
WPEC 2024 Talk 2b4: Decentralized FHE computer and its applications
Gurgen Arakelov - Self, Fair Math Inc., Spain
Abstract. In this talk, we will explain the concept of a Decentralized Fully Homomorphic Encryption (FHE) Computer. This system seamlessly integrates the principles of decentralized computing—security, privacy, fault tolerance, and resilience—with the advantages of Fully Homomorphic Encryption, resulting in a secure distributed network capable of performing computations on encrypted data. The results of these computations remain encrypted, and only the data owner, who possesses the decryption key, can decrypt and verify the output, thereby maintaining data privacy throughout the entire process. This topic directly addresses several key areas of interest: applied and programmable cryptography; cryptography use cases; applications of ZK, FHE, and MPC; decentralized FHE/MPC-based network architectures; the impact of applied crypto usability on widespread adoption; economics of computation in applied cryptography (e.g., market strategies).
The talk will provide in-depth insights into the practical applications of FHE within decentralized networks, highlighting the security and privacy benefits of this approach, along with the pros and cons it entails. I will present key points of our ongoing research and development, demonstrating how these advancements can address current challenges in secure multi-party computations, data analysis, privacy-preserving smart contracts, and collaborative computing. Additionally, I will discuss some of the known limitations and roadblocks in the adoption of FHE that we are currently working to overcome. My ultimate goal is to equip attendees with a deeper understanding of the potential and challenges of integrating FHE with decentralized systems, fostering advancements in secure and private computing technologies. Joint work with: Fair Math team [Slides] |
Presentation |
3:05 PM
WPEC 2024 Talk 2b5: Security Guidelines for Implementing Homomorphic Encryption
Erin Hales - University of Edinburgh; Royal Holloway, University of London, UK
Abstract. In this talk I will be introducing the homomorphic encryption standardisation process. The field of homomorphic encryption has evolved a lot since the first community standardisation white paper was released in 2018. This work is a community security guideline from a large group of researchers, supporting the ISO/IEC standardisation process. We contextualise this work within other standardisation efforts, give an overview of security estimation methodology, and describe why secure parameter selection is so important in homomorphic encryption. Joint work with: Jean-Philippe Bossuat, Rosario Cammarota, Jung Hee Cheon, Ilaria Chillotti, Benjamin R Curtis, Wei Dai, Huijing Gong, Duhyeong Kim, Bryan Kumara, Changmin Lee, Xianhui Lu, Carsten Maple, Alberto Pedrouzo-Ulloa, Rachel Player, Luis Antonio Ruiz Lopez, Yongsoo Song, Donggeon Yhee, Bahattin Yildiz. [Slides] |
Presentation |
3:30 PM
WPEC 2024 Slot 2b6: Brief Comments on FHE
Abstract. This time slot is for some reflection comments at the end of WPEC 2024 session 2b on Fully-Homomorphic Encryption. [Slide] |
Presentation |
September 26, 2024 | Type |
9:20 AM
WPEC 2024 Talk 3a1: NIST Threshold Call: Notes on the Upcoming Second Public Draft
Luís T. A. N. Brandão - Contractor FGR - NIST/Strativia
Abstract. This brief presentation, opening the MPC session (3a) of WPEC 2024, will recall the scope of the NIST Threshold Call, how it relates to privacy-enhancing cryptography, and give an update about its upcoming second public draft. [Slides] |
Presentation |
9:30 AM
WPEC 2024 Talk 3a2: The Many Facets of MPC (Secure Multi-Party Computation)
Benny Pinkas - Bar Ilan University and Aptos Labs, Israel
Abstract. This talk will provide a fundamental introduction to secure multi-party computation (MPC). It will explore various trust models supported by MPC and the types of computations that can be efficiently executed using it. The talk will also delve into current and future applications of MPC, along with the most prevalent methods for its implementation. [Slides] |
Presentation |
10:10 AM
WPEC 2024 Talk 3a3: Optimizing ML MPC from System & Theoretical Perspectives
Yongqin Wang - University of Southern California, USA
Abstract. In this talk, we will delve into advancements in optimizing n-party Multi-Party Computation (MPC) protocols for machine learning (ML), focusing on system and theoretical innovations presented in two key papers. Firstly, we explore MPC-Pipe, an efficient pipeline scheme designed to enhance the performance of n-party MPC protocols. Traditional MPC implementations suffer from significant performance bottlenecks due to the sequential implementation of communication and computation phases. MPC-Pipe introduces three innovative pipeline schemes, thereby improving GPU utilization and reducing idle times. This approach demonstrates substantial performance gains, with throughput improvements of up to 50% and latency reductions of up to 16% for deep neural networks and transformer models in various network settings. Additionally, we present CompactTag, a scheme that significantly reduces the overhead of actively secure n-party MPC by compacting the tags associated with input data. CompactTag leverages a novel tagging mechanism that ensures data integrity and authenticity while minimizing the computation costs typically associated with traditional tagging methods. This innovation is particularly effective in large-scale ML training scenarios, where reducing overhead can lead to substantial performance improvements. Optimizing MPC for machine learning from both system and theoretical perspectives is essential for advancing privacy-preserving technologies. The innovations presented in MPC-Pipe and CompactTag offer practical solutions to overcome existing bottlenecks, enhancing the performance of MPC protocols in ML applications. [Slides] |
Presentation |
10:45 AM
WPEC 2024 Talk 3a4: Graphiti: Secure Graph Computation Made More Scalable
Bhavish Raj Gopal - Indian Institute of Science, India
Abstract. Graphs are fundamental tools for modelling data in diverse real-world applications such as communication networks, traffic systems, and social networks. However, graph data is often distributed across multiple data owners and contains sensitive information, posing significant privacy concerns that impede collaborative analysis. Privacy-preserving graph analysis enables computations on graphs that store sensitive information, ensuring that all information about the topology of the graph, as well as data associated with the nodes and edges, remains hidden. In this talk, we will discuss potential solutions for privacy-preserving graph analysis, with an emphasis on using secure multiparty computation (MPC). We will review existing MPC-based approaches for privacy-preserving graph analysis, identifying their limitations in terms of efficiency, scalability, and adaptability. Furthermore, we will present our results in enhancing privacy-preserving graph analysis and highlight the remaining challenges. Specifically, we will introduce our highly scalable framework, Graphiti, that can realize any graph algorithm securely. Since round complexity forms one of the key parameters in determining the efficiency of MPC protocols, one of our key technical contributions is that Graphiti has round complexity independent of the graph size, which in turn allows for attaining the desired scalability. This is in contrast to the state-of-the-art framework of GraphSC by Araki et al. (CCS'21), whose round complexity scales with the graph size. Benchmarks show that Graphiti takes less than 2 minutes for contact tracing via BFS for 10 hops when computing over a graph of size 10^7. Concretely, it improves over Araki et al. (CCS'21) by up to a factor of 964x in online run time. Joint work with: Nishat Koti, Varsha Bhat Kukkala, Arpita Patra [Slides] |
Presentation |
11:10 AM
WPEC 2024 Talk 3a5: Signs of Life for Secure Multi-Party Computation in Protecting Data
Dan Bogdanov - MPC Alliance; Cybernetica, Estonia
Abstract. Secure multi-party computation (MPC) is a versatile technology that has been adopted in the public sector, advertising technology, the financial industry, healthcare and more. However, MPC exists in a space with other technologies like fully homomorphic encryption, differential privacy, confidential computing, zero knowledge and several others. In this talk, we will discuss the strengths of MPC, its synergies with other technologies and illustrate it all with examples of real-world applications and traction. Joint work with: Brian LaMacchia, Andrei Lapets, MPC Alliance member organisations. [Slides] |
Presentation |
11:35 AM
WPEC 2024 Slot 3a6: Lightning comments about PEC
Abstract. This time slot at the end of session 3a at WPEC 2024 is reserved for PEC-related lightning comments by attendees of the workshop. [Slide] |
Lightning |
1:00 PM
WPEC 2024 Talk 3b1: Zero Knowledge Proofs: Technical Challenges, Applications, and Real-world Deployment
Tjerand Silde - NTNU, Norway
Akira Takahashi - JP Morgan AI Research & AlgoCRYPT Center of Excellence, USA
Abstract. In this talk we will introduce zero-knowledge proofs, the security properties they achieve, and explain how they work. We will furthermore discuss some technical challenges we face when we want to deploy zero-knowledge proofs in real-world applications, such as how to achieve fast and small proofs without trusting other parties. We will also present some interesting use cases where zero-knowledge proofs play an important role, for example, how they are used in electronic voting, machine learning and blockchain applications. We will finally share our insights from the recent ICMS workshop on zero-knowledge proofs and review other initiatives of community building and standardization efforts. [Slides] |
Presentation |
1:40 PM
WPEC 2024 Talk 3b2: Verifiable Decryption from Learning with Rounding
Emil A.H. Olaisen - NTNU, Norway
Abstract. We present a simple and efficient post-quantum verifiable decryption scheme improving upon the framework by Gjøsteen et al. (ACISP 2022) based on a passively secure distributed decryption scheme and MPC-in-the-Head techniques. Our improvements lead to 440x smaller proof sizes compared to Gjøsteen et al., by adapting the nearly linear decryption algorithm by Boyle et al. (Eurocrypt 2019). This furthermore leads to a 10x decrease in proof size compared to the state-of-the-art schemes by Silde (Voting 2022) and Lyubashevsky et al. (PKC 2021). Joint work with: Thomas Haines, Peter B. Rønne, Tjerand Silde [Slides] |
Presentation |
2:05 PM
WPEC 2024 Talk 3b3: Making BBS Anonymous Credentials eIDAS 2.0 Compliant
Antoine Dumanois - Orange Innovation, France
Jacques Traoré - Orange Innovation, France
Abstract. eIDAS 2.0 (electronic IDentification, Authentication and trust Services) is a very ambitious regulation aimed at equipping European citizens with a digital identity wallet that not only needs to achieve a high level of security but also needs to be available as soon as possible for a large number of citizens and respect their privacy (as per GDPR - General Data Protection Regulation). As of today (July 2024), it does not seem that this goal has been achieved in the European Digital Identity Architecture and Reference Framework (ARF). The goal of this presentation is to introduce the foundations of a digital identity wallet solution that could help move closer to this objective by leveraging the proven anonymous credentials protocol BBS (also known as BBS+) but modifying it to avoid the limitations that have hindered its widespread adoption, especially in certified infrastructures requiring hardware implementation. In particular, the solution we propose, which we call BBS#, does not use bilinear pairings or pairing-friendly curves and only depends on the hardware implementation of well-known (i.e., listed in the SOG-IS Crypto Working Group document on agreed cryptographic mechanisms) digital signature schemes such as ECDSA or ECSDSA (also known as ECSchnorr) using classical elliptic curves. In this presentation, after reminding the main aspects of the eIDAS 2.0 context, we will recall the stringent stated requirements from the European Commission for eIDAS 2.0 to achieve a Level of Assurance High and explain why current anonymous credentials protocols such as BBS/BBS+ fail to satisfy them.
We will then present our proposed protocol BBS# and show that it is possible to achieve eIDAS 2.0 transactions which are not only efficient (around 50 ms on SIM Cards or Android StrongBox), secure and certifiable at the highest level but also provide strong (optimal) privacy protection for all European ID Wallet users. [Slides] |
Presentation |
2:40 PM
WPEC 2024 Talk 3b4: Provably Forgotten Signatures: Adding Privacy to Digital Identity
Wayne Chang - SpruceID
Abstract. In this talk, we'll explore Provably Forgotten Signatures, an approach that adds privacy by upgrading existing systems to prevent linkability (or "correlation") instead of overhauling them entirely. It aims to be compatible with already-deployed implementations of digital credential standards such as ISO/IEC 18013-5 mDL, SD-JWT, and W3C Verifiable Credentials, while also aligning with cryptographic security standards such as FIPS 140-2/3. It is compatible with and can even pave the way for future privacy technologies such as post-quantum cryptography (PQC) or zero-knowledge proofs (ZKPs) while unlocking beneficial use cases today. Given the challenges in deploying zero-knowledge proof systems in today's production environments, we propose a simpler approach that, when combined with key and signature cycling, can provide protection from both verifier-verifier collusion and issuer-verifier collusion by using confidential computing environments: the issuer can forget the unique values that create the risk in the first place, and provide proof of this deletion to the user. This is implementable today, and would be supported by existing hardware security mechanisms that are suitable for high-assurance environments. [Slides] |
Presentation |
3:05 PM
WPEC 2024 Talk 3b5: Anonymous Credentials and the EUDI Wallet
Anna Lysyanskaya - Brown University
Abstract. The European Commission and European member states are working on developing an EU Digital Identity (EUDI) Wallet that would allow citizens to use an app in order to prove their identity or identity attributes. This effort is required, by law, to develop a privacy-preserving approach. In this talk, we will go over the solution the European Commission originally put forth and why it falls short. We will also go over the state of the art in privacy-preserving authentication: anonymous credentials that satisfy both the organizations' need for trustworthy identity and identity attributes, and the privacy needs of citizens. [Slides] |
Presentation |
3:30 PM
WPEC 2024 Slot 3b6: Closing Remarks
Abstract. This final slot of WPEC 2024 will make some final remarks about what we learned during the 3-day workshop, and will thank all participants (speakers and attendees). |
Presentation |
Starts: September 24, 2024 - 09:20 AM EDT
Ends: September 26, 2024 - 03:40 PM EDT
Format: Virtual Type: Workshop
Attendance Type: Open to public
Audience Type: Industry, Government, Academia, Other
Sponsors: NIST Cryptographic Technology Group
Virtual
Security and Privacy: cryptography, privacy