Elaine Shi’s research while affiliated with Carnegie Mellon University and other places


Publications (173)


Almost Instance-optimal Clipping for Summation Problems in the Shuffle Model of Differential Privacy
  • Conference Paper

December 2024 · 1 Read

Wei Dong · Qiyao Luo · Giulia Fanti · [...]

[Figure 7: An overview of the Setup phase of MicroSecAgg gDL]
[Figure 8: An overview of the Aggregation phase of MicroSecAgg gDL]
MicroSecAgg: Streamlined Single-Server Secure Aggregation
  • Article
  • Full-text available

July 2024 · 10 Reads · 2 Citations

Proceedings on Privacy Enhancing Technologies

This work introduces MicroSecAgg, a framework that addresses the intricacies of secure aggregation in the single-server landscape, specifically tailored to situations where distributed trust among multiple non-colluding servers presents challenges. Our protocols are purpose-built to handle situations featuring multiple successive aggregation phases among a dynamic pool of clients who can drop out during the aggregation. Our different protocols thrive in three distinct cases: firstly, secure aggregation within a small input domain; secondly, secure aggregation within a large input domain; and finally, facilitating federated learning for the cases where moderately sized models are considered. Compared to the prior works of Bonawitz et al. (CCS 2017), Bell et al. (CCS 2020), and the recent work of Ma et al. (S&P 2023), our approach significantly reduces the overheads. In particular, MicroSecAgg halves the round complexity to just 3 rounds, thereby offering substantial improvements in communication cost efficiency. Notably, it outperforms Ma et al. by a factor of n on the user side, where n represents the number of users. Furthermore, in MicroSecAgg the computation complexity of each aggregation per user exhibits a logarithmic growth with respect to n, contrasting with the linearithmic or quadratic growth observed in Ma et al. and Bonawitz et al., respectively. We also require linear (in n) computation work from the server as opposed to quadratic in Bonawitz et al., or linearithmic in Ma et al. and Bell et al. In the realm of federated learning, a delicate tradeoff comes into play: our protocols shine brighter as the number of participating parties increases, yet they exhibit diminishing computational efficiency as the sheer volume of weights/parameters increases significantly. We report an implementation of our system and compare the performance against prior works, demonstrating that MicroSecAgg significantly reduces the computational burden and the message size.


Continual Observation of Joins under Differential Privacy

May 2024 · 7 Reads · 2 Citations

Proceedings of the ACM on Management of Data

The problem of continual observation under differential privacy has been studied extensively in the literature. However, all existing works, with the exception of [28,51], have only studied the simple counting query and its derivatives. Join queries, which are arguably the most important class of queries in relational databases, have only been considered in [28,51], but the solutions offered there have two limitations: First, they only support a few specific graph pattern queries, which are special cases of joins. Second, they require hard degree/frequency constraints on the graph/database instance, and the privatized query answers have errors proportional to these constraints. In this paper, we propose a new differentially private mechanism for continual observation of joins that overcomes these two limitations. Our mechanism supports arbitrary joins and predicates, and does not require any constraints to be given in advance, even over an infinite stream. More importantly, it yields an error that is proportional to the actual maximum degree/frequencies in the graph/database instance at the current time of observation. Such an instance-specific utility guarantee is much preferred for the continual observation problem, where the database size and the query answer may change significantly over time.




Distributed-Prover Interactive Proofs

November 2023 · 43 Reads

Lecture Notes in Computer Science

Interactive proof systems enable a verifier with limited resources to decide an intractable language (or compute a hard function) by communicating with a powerful but untrusted prover. Such systems guarantee soundness: the prover can only convince the verifier of true statements. This is a central notion in computer science with far-reaching implications. One key drawback of the classical model is that the data on which the prover operates must be held by a single machine. In this work, we initiate the study of distributed-prover interactive proofs (dpIPs): an untrusted cluster of machines, acting as a distributed prover, interacts with a single verifier. The machines in the cluster jointly store and operate on a massive data-set that no single machine can store. The goal is for the machines in the cluster to convince the verifier of the validity of some statement about its data-set. We formalize the communication and space constraints via the massively parallel computation (MPC) model, a widely accepted analytical framework capturing the computational power of massive data-centers. Our main result is a compiler that generically augments any verification algorithm in the MPC model with a (computational) soundness guarantee. Concretely, for any language $L$ for which there is an MPC algorithm verifying whether $x \in L$, we design a new MPC protocol capable of convincing a verifier of the validity of $x \in L$ and where if $x \notin L$, the verifier rejects with overwhelming probability. The new protocol requires only slightly more rounds, i.e., a $\textsf{poly}(\log N)$ blowup, and a slightly bigger memory per machine, i.e., a $\textsf{poly}(\lambda)$ blowup, where $N$ is the total size of the dataset and $\lambda$ is a security parameter independent of $N$. En route, we introduce distributed-prover interactive oracle proofs (dpIOPs), a natural adaptation of the (by now classical) IOP model to the distributed prover setting. We design a dpIOP for verification algorithms in the MPC model and then translate them to “plain model” dpIPs via an adaptation of existing polynomial commitment schemes into the distributed prover setting.


Non-Interactive Anonymous Router with Quasi-Linear Router Computation

November 2023 · 10 Reads · 1 Citation

Lecture Notes in Computer Science

Anonymous routing is an important cryptographic primitive that allows users to communicate privately on the Internet, without revealing their message contents or their contacts. Until the very recent work of Shi and Wu (Eurocrypt’21), all classical anonymous routing schemes were interactive protocols, and their security relied on a threshold number of the routers being honest. The recent work of Shi and Wu suggested a new abstraction called Non-Interactive Anonymous Router (NIAR), and showed how to achieve anonymous routing non-interactively for the first time. In particular, a single untrusted router receives a token which allows it to obliviously apply a permutation to a set of encrypted messages from the senders. Shi and Wu’s construction suffers from two drawbacks: 1) the router takes time quadratic in the number of senders to obliviously route their messages; and 2) the scheme is proven secure only in the presence of static corruptions. In this work, we show how to construct a non-interactive anonymous router scheme with sub-quadratic router computation, achieving security in the presence of adaptive corruptions. To get this result, we assume the existence of indistinguishability obfuscation and one-way functions. Our final result is obtained through a sequence of stepping stones. First, we show how to achieve the desired efficiency, but with security under static corruption and in a selective, single-challenge setting. Then, we go through a sequence of upgrades which eventually get us the final result. We devise various new techniques along the way which lead to some additional results. In particular, our techniques for reasoning about a network of obfuscated programs may be of independent interest.


XCRYPT: Accelerating Lattice Based Cryptography with Memristor Crossbar Arrays

September 2023 · 9 Reads · 4 Citations

IEEE Micro

This paper makes a case for accelerating lattice-based post-quantum cryptography with memristor-based crossbars. We map the polynomial multiplications in a representative algorithm, SABER, and show that analog dot-products can yield 1.7 − 32.5× performance and energy efficiency improvement, compared to recent hardware proposals. We introduce several additional techniques to address the bottlenecks in this initial design. First, we show that software techniques used in SABER, which are effective on CPU platforms, are unhelpful in crossbars. Relying on simpler algorithms further improves our efficiency by 1.3 − 3.6×. Second, modular arithmetic in SABER offers an opportunity to drop most significant bits, enabling techniques that exploit a few variable-precision ADCs, and yielding up to 1.8× higher efficiency. Third, to further reduce ADC pressure, we propose a simple analog Shift-and-Add technique, demonstrating a 1.3 − 6.3× improvement. Overall, XCRYPT achieves 3 − 15× higher efficiency over the initial design and highlights the importance of algorithm-accelerator co-design.



Citations (71)


... Note that PIR schemes without a preprocessing phase can achieve polylogarithmic communication cost per query, but require linear computation cost per query for the server [BIM00]. Many recent works construct practical single-server PIR protocols in the client-dependent preprocessing model [HHC+23, ZPZS24, MIR23, GZS24]. Practical constructions of two-server PIR schemes also work in this client-dependent preprocessing model [KC21, LP23]. ...

Reference:

Amortizing Circuit-PSI in the Multiple Sender/Receiver Setting
Piano: Extremely Simple, Single-Server PIR with Sublinear Server Computation
  • Citing Conference Paper
  • May 2024

... Despite these security advancements, the communication and computational complexity of traditional secure aggregation methods remains a significant challenge, particularly when applied to large-scale FL settings or models such as large language models (LLMs) [9] with many participating users. In response to this, Guo et al. introduced MicroSecAgg (MicroSecAgg) [10], which improves upon existing methods by employing a one-time setup phase that distributes the necessary secret material for multiple iterations, reducing the overhead caused by continually refreshing the masking terms [4], [7]. ...

MicroSecAgg: Streamlined Single-Server Secure Aggregation

Proceedings on Privacy Enhancing Technologies

... Note that PIR schemes without a preprocessing phase can achieve polylogarithmic communication cost per query, but require linear computation cost per query for the server [BIM00]. Many recent works construct practical single-server PIR protocols in the client-dependent preprocessing model [HHC+23, ZPZS24, MIR23, GZS24]. Practical constructions of two-server PIR schemes also work in this client-dependent preprocessing model [KC21, LP23]. ...

Efficient Pre-processing PIR Without Public-Key Cryptography
  • Citing Chapter
  • April 2024

Lecture Notes in Computer Science

... Some of them use threshold signatures [66], which extend beyond the idealized authenticated model. Additionally, an amortized communication cost of ( ) words has been achieved in multi-shot Byzantine broadcast [70]. However, the possibility of reducing word complexity to ( 3 ) for interactive consistency remains an open question (1) under a dishonest majority and (2) against an unbounded adversary (assuming < /3 [36]). ...

On the Amortized Communication Complexity of Byzantine Broadcast
  • Citing Conference Paper
  • June 2023

... For instance, suppose that two clients respectively encrypt { 0 , 1 } and { 0 , 1 }, and an evaluator can calculate ( 0 , 1 ) for any combination of 0 , 1 = {0, 1}, which leads to too much leakage. To resist this attack, multi-client functional encryption [33] was proposed, where a label is applied to encrypt messages. As a result, ciphertexts can be combined to decrypt if and only if they contain the same label. ...

Multi-Client Inner Product Encryption: Function-Hiding Instantiations Without Random Oracles
  • Citing Chapter
  • May 2023

Lecture Notes in Computer Science

... The efficiency problems in MPC can intuitively be seen as caused by the need to spread out the secret information such that, at all times, all sufficiently small coalitions of parties cannot learn any information about the underlying secret. Oftentimes, such efficiency problems can be reduced if one relaxes the demand that no information should leak, to that the information that is leaked is from a differentially private function of the secret inputs [5,40,46,71]. When unifying the formalities in MPC and DP, some hurdles arise however. ...

A Theory of Composition for Differential Obliviousness
  • Citing Chapter
  • April 2023

Lecture Notes in Computer Science

... Via their statistically secure priority queue, Shi [29] obtains an optimal offline ORAM with statistical security for a private memory of constant size. For computational security, the state-of-the-art online ORAM construction [5] is also the best known offline construction (asymptotically). While the upper bounds for statistical and computational security match the (conjectured) Ω(log N) lower bound, prior to our work there remained a gap for perfect security. ...

Oblivious RAM with Worst-Case Logarithmic Overhead
  • Citing Article
  • February 2023

Journal of Cryptology

... For the HE-HW to have advantages, it must efficiently perform two core operations required for the HE, which are (i) encryption key generation and (ii) analog vector-matrix multiplication (VMM) [17,22,23]. Implementing these characteristics individually with respective memristors is feasible [5,24,25,26]. However, if they are integrated into separate chips, reading the encryption and decryption keys is necessary for data transfer between the chips, exposing them to the risk of side-channel attacks [27,28,29,30]. ...

XCRYPT: Accelerating Lattice Based Cryptography with Memristor Crossbar Arrays
  • Citing Article
  • September 2023

IEEE Micro

... This will require fundamental changes to the denotational semantics and inference rules, although prior work on Concurrent Separation Logic [O'Hearn 2004], Outcome Separation Logic, and Concurrent Kleene Algebra [Hoare et al. 2011] will provide a good source of inspiration. Using the resulting logic, we will verify concurrent algorithms such as distributed cryptographic protocols, for which state of the art techniques use limited models of concurrency and operate by establishing observational equivalence and then separately proving properties of an idealized program [Gancher et al. 2023]. By contrast, we plan to develop a logic based on a fine-grain concurrency model, which can prove direct specifications involving probabilistic outcomes. ...

A Core Calculus for Equational Proofs of Cryptographic Protocols
  • Citing Article
  • January 2023

Proceedings of the ACM on Programming Languages

... This concept has inspired a substantial body of research focused on developing algorithms that achieve obliviousness in practical database systems [55,24,20,17]. A generic approach to achieving obliviousness is Oblivious Random Access Memory (ORAM) [31,41,29,52,23,48,7], which translates each logical access into a poly-logarithmic (in terms of the data size) number of physical accesses to random locations of the memory, but the poly-logarithmic additional cost per memory access is very expensive in practice [15]. ...

OptORAMa: Optimal Oblivious RAM
  • Citing Article
  • October 2022

Journal of the ACM