A New Approach to Round-Optimal Secure Multiparty Computation

We present a new approach towards constructing round-optimal secure multiparty computation (MPC) protocols against malicious adversaries without trusted setup assumptions. Our approach builds on ideas previously developed in the context of covert multiparty computation [Chandran et al., FOCS\u2707] even though we do not seek covert security. Using our new approach, we obtain the following results: 1. A five round MPC protocol based on the Decisional Diffie-Hellman (DDH) assumption. 2. A four round MPC protocol based on one-way permutations and sub-exponentially secure DDH. This result is {\em optimal} in the number of rounds. Previously, no four-round MPC protocol for general functions was known and five-round protocols were only known based on indistinguishability obfuscation (and some additional assumptions) [Garg et al., EUROCRYPT\u2716]

Separating Two-Round Secure Computation From Oblivious Transfer

We consider the question of minimizing the round complexity of protocols for secure multiparty computation (MPC) with security against an arbitrary number of semi-honest parties. Very recently, Garg and Srinivasan (Eurocrypt 2018) and Benhamouda and Lin (Eurocrypt 2018) constructed such 2-round MPC protocols from minimal assumptions. This was done by showing a round preserving reduction to the task of secure 2-party computation of the oblivious transfer functionality (OT). These constructions made a novel non-black-box use of the underlying OT protocol. The question remained whether this can be done by only making black-box use of 2-round OT. This is of theoretical and potentially also practical value as black-box use of primitives tends to lead to more efficient constructions. Our main result proves that such a black-box construction is impossible, namely that non-black-box use of OT is necessary. As a corollary, a similar separation holds when starting with any 2-party functionality other than OT. As a secondary contribution, we prove several additional results that further clarify the landscape of black-box MPC with minimal interaction. In particular, we complement the separation from 2-party functionalities by presenting a complete 4-party functionality, give evidence for the difficulty of ruling out a complete 3-party functionality and for the difficulty of ruling out black-box constructions of 3-round MPC from 2-round OT, and separate a relaxed "non-compact" variant of 2-party homomorphic secret sharing from 2-round OT

Delayed-Input Non-Malleable Zero Knowledge and Multi-Party Coin Tossing in Four Rounds

In this work we start from the following two results in the state-of-the art: 1.4-round non-malleable zero knowledge (NMZK): Goyal et al. in FOCS 2014 showed the first 4-round one-one NMZK argument from one-way functions (OWFs). Their construction requires the prover to know the instance and the witness already at the 2nd round.2.4-round multi-party coin tossing (MPCT): Garg et al. in Eurocrypt 2016 showed the first 4-round protocol for MPCT. Their result crucially relies on 3-round 3-robust parallel non-malleable commitments. So far there is no candidate construction for such a commitment scheme under standard polynomial-time hardness assumptions. We improve the state-of-the art on NMZK and MPCT by presenting the following two results: 1.a delayed-input 4-round one-many NMZK argument IINMZKfrom OWFs; moreover IINMZKis also a delayed-input many-many synchronous NMZK argument.2.a 4-round MPCT protocol IIMPCTfrom one-to-one OWFs; IIMPCTuses IINMZKas subprotocol and exploits the special properties (e.g., delayed input, many-many synchronous) of IINMZK. Both IINMZKand IIMPCTmake use of a special proof of knowledge that offers additional security guarantees when played in parallel with other protocols. The new technique behind such a proof of knowledge is an additional contribution of this work and is of independent interest

The Round Complexity of Secure Computation Against Covert Adversaries

We investigate the exact round complexity of secure multiparty computation (MPC) against *covert* adversaries who may attempt to cheat, but do not wish to be caught doing so. Covert adversaries lie in between semi-honest adversaries who follow protocol specification and malicious adversaries who may deviate arbitrarily. Recently, two round protocols for semi-honest MPC and four round protocols for malicious-secure MPC were constructed, both of which are optimal. While these results can be viewed as constituting two end points of a security spectrum, we investigate the design of protocols that potentially span the spectrum. Our main result is an MPC protocol against covert adversaries with variable round complexity: when the detection probability is set to the lowest setting, our protocol requires two rounds and offers same security as semi-honest MPC. By increasing the detecting probability, we can increase the security guarantees, with round complexity five in the extreme case. The security of our protocol is based on standard cryptographic assumptions. We supplement our positive result with a negative result, ruling out *strict* three round protocols with respect to black-box simulation

On Statistical Security in Two-Party Computation

There has been a large body of work characterizing the round complexity of general-purpose maliciously secure two-party computation (2PC) against probabilistic polynomial time adversaries. This is particularly true for zero-knowledge, which is a special case of 2PC. In fact, in the special case of zero knowledge, optimal protocols with unconditional security against one of the two players have also been meticulously studied and constructed. On the other hand, general-purpose maliciously secure 2PC with statistical or unconditional security against one of the two participants has remained largely unexplored so far. In this work, we initiate the study of such protocols, which we refer to as 2PC with one-sided statistical security. We settle the round complexity of 2PC with one-sided statistical security with respect to black-box simulation by obtaining the following tight results: In a setting where only one party obtains an output, we design 2PC in $4$ rounds with statistical security against receivers and computational security against senders. In a setting where both parties obtain outputs, we design 2PC in $5$ rounds with computational security against the party that obtains output first and statistical security against the party that obtains output last. Katz and Ostrovsky (CRYPTO 2004) showed that 2PC with black-box simulation requires at least $4$ rounds when one party obtains an output and $5$ rounds when both parties obtain outputs, even when only computational security is desired against both parties. Thus in these settings, not only are our results tight, but they also show that statistical security is achievable at no extra cost to round complexity. This still leaves open the question of whether 2PC can be achieved with black-box simulation in $4$ rounds with statistical security against senders and computational security against receivers. Based on a lower bound on computational zero-knowledge proofs due to Katz (TCC 2008), we observe that the answer is negative unless the polynomial hierarchy collapses

Non-Malleable Commitments Using Goldreich-Levin List Decoding

We give the first construction of three-round non-malleable commitments from the almost minimal assumption of injective one-way functions. Combined with the lower bound of Pass (TCC 2013), our result is almost the best possible w.r.t. standard polynomial-time hardness assumptions (at least w.r.t. black-box reductions). Our results rely on a novel technique which we call bidirectional Goldreich-Levin extraction. Along the way, we also obtain the first rewind secure delayed-input witness indistinguishable (WI) proofs from only injective one-way functions. We also obtain the first construction of a distributionally extractable commitment scheme from injective one-way functions. We believe both of these to be of independent interest. In particular, as a direct corollary of our rewind secure WI construction, we are able to obtain a construction of 3-round promise zero-knowledge from only injective one-way functions

k-Round MPC from k-Round OT via Garbled Interactive Circuits

We present new constructions of round-efficient, or even round-optimal, Multi-Party Computation (MPC) protocols from Oblivious Transfer (OT) protocols. Our constructions establish a tight connection between MPC and OT: In the setting of semi-honest security, for any $k \ge 2$, $k$-round semi-honest OT is necessary and complete for $k$-round semi-honest MPC. In the round-optimal case of $k = 2$, we obtain 2-round semi-honest MPC from 2-round semi-honest OT, resolving the round complexity of semi-honest MPC assuming weak and necessary assumption. In comparison, previous 2-round constructions rely on either the heavy machinery of indistinguishability obfuscation or witness encryption, or the algebraic structure of bilinear pairing groups. More generally, for an arbitrary number of rounds $k$, all previous constructions of $k$-round semi-honest MPC require at least OT with $k\u27$ rounds for $k\u27 \le \lfloor k/2 \rfloor$. In the setting of malicious security, we show: For any $k \ge 5$, $k$-round malicious OT is necessary and complete for $k$-round malicious MPC. In fact, OT satisfying a weaker notion of delayed-semi-malicious security suffices. In the common reference string model, for any $k \ge 2$, we obtain $k$-round malicious Universal Composable (UC) protocols from any $k$-round semi-malicious OT and non-interactive zero-knowledge. Previous 5-round protocols in the plain model, and 2-round protocols in the common reference string model all require algebraic assumptions such as DDH or LWE. At the core of our constructions is a new framework for garbling interactive circuits. Roughly speaking, it allows for garbling interactive machines that participates in interactions of a special form. The garbled machine can emulate the original interactions receiving messages sent in the clear (without being encoded using secrets), and reveals only the transcript of the interactions, provided that the transcript is computationally uniquely defined. We show that garbled interactive circuits for the purpose of constructing MPC can be implemented using OT. Along the way, we also propose a new primitive of witness selector that strengthens witness encryption, and a new notion of zero-knowledge functional commitments

Pursuing the Limits of Cryptography

Modern cryptography has gone beyond traditional notions of encryption, allowing for new applications such as digital signatures, software obfuscation among others. While cryptography might seem like a magical tool for one's privacy needs, there are mathematical limitations to what cryptography can achieve. In this thesis we focus on understanding what lies on the boundary of what cryptography enables. In particular, we focus on three specific aspects that we elaborate on below. Necessity of Randomness in Zero-Knowledge Protocols: A Zero-Knowledge protocol consists of an interaction between two parties, designated prover and verifier, where the prover is trying to convince the verifier of the validity of a statement without revealing anything beyond the validity. We study the necessity of randomness, a scarce resource, in such protocols. Prior works have shown that for most settings, the prover necessarily *requires* randomness to run any such protocol. We show, somewhat surprisingly, one can design protocols where a prover requires *no* randomness. Minimizing Interaction in Secure Computation Protocols: The next part of the thesis focuses on one of the most general notions in cryptography, that of *secure computation*. It allows mutually distrusting parties to jointly compute a function over a network without revealing anything but the output of the computation. Considering that these protocols are going to be run on high-latency networks such as the internet, it is imperative that we design protocols to minimize the interaction between participants of the protocol. Prior works have established lower bounds on the amount of interaction, and in our work we show that these lower bounds are tight by constructing new protocols that are also optimal in their assumptions. Circumventing Impossibilities with Blockchains: In some cases, there are desired usages of secure computations protocols that are provably impossible on the (regular) Internet, i.e. existing protocols can no longer be proven secure when multiple concurrent instances of the protocol are executed. We show that by assuming the existence of a secure blockchain, a minimal additional trust assumption, we can push past the boundaries of what is cryptographically possible by constructing *new* protocols that are provably secure on the Internet