In this work, we present METIS, a system that assists the computation over encrypted data stored in the cloud while leaving the decision on admissible computations to the data owner. A critical feature of our system is that the data owner is free from computational overload and her communication complexity is independent of the size of the input data and only linear in the size of the circuit's output. METIS is based on garbled circuits and supports any polynomially-computable function. We demonstrate the practicality of our approach with an implementation and an evaluation of several functions over real dataset}, author = {Deuber, Dominic and Egger, Christoph and Fech, Katharina and Malavolta, Giulio and Schröder, Dominique and Thyagarajan, Sri Aravinda Krishnan and Battke, Florian and Durand, Claudia}, doi = {10.2478/popets-2019-0007}, faupublication = {yes}, journal = {Proceedings on Privacy Enhancing Technologies}, pages = {108-132}, peerreviewed = {Yes}, title = {{My} {Genome} {Belongs} to {Me}: {Controlling} {Third} {Party} {Computation} on {Genomic} {Data}}, volume = {2019}, year = {2019} } @inproceedings{faucris.230551975, abstract = {Monero is the largest cryptocurrency with built-in cryptographic privacy features. The transactions are authenticated using zero-knowledge spend proofs, which provide a certain level of anonymity by hiding the source accounts from which the funds are sent among a set of other accounts. Due to its similarities to ring signatures, this core cryptographic component is called Ring Confidential Transactions (RingCT). Because of its practical relevance, several works attempt to analyze the security of RingCT. Since RingCT is rather complex, most of them are either informal, miss fundamental functionalities, or introduce undesirable trusted setup assumptions. Regarding efficiency, Monero currently deploys a scheme in which the size of the spend proof is linear in the ring size. This limits the ring size to only a few accounts, which in turn limits the acquired anonymity significantly and facilitates de-anonymization attacks. As a solution to these problems, we present the first rigorous formalization of RingCT as a cryptographic primitive. We then propose a generic construction of RingCT and prove it secure in our formal security model. By instantiating our generic construction with new efficient zero-knowledge proofs, we obtain Omniring, a fully-fledged RingCT scheme in the discrete logarithm setting that provides the highest concrete and asymptotic efficiency as of today. Omniring is the first RingCT scheme which 1) does not require a trusted setup or pairing-friendly elliptic curves, 2) has a proof size logarithmic in the size of the ring, and 3) allows to share the same ring between all source accounts in a transaction, thereby enabling significantly improved privacy level without sacrificing performance. Our zero-knowledge proofs rely on novel enhancements to the Bulletproofs framework (S&P 2018), which we believe are of independent interest.