On the looseness of FO derandomization

This paper proves, for two examples of a randomized ROM PKE C, that derandomizing C degrades ROM OW-CPA security by a factor close to the number of hash queries. The first example can be explained by the size of the message space of C but the second cannot. This paper also gives a concrete example of a randomized non-ROM PKE C that appears to have the same properties regarding known attacks

Fast Evaluation of S-boxes with Garbled Circuits

Garbling schemes are vital primitives for privacy-preserving protocols and for secure two-party computation. This paper presents a projective garbling scheme that assigns $2^n$ values to wires in a circuit comprising XOR and unary projection gates. A generalization of FreeXOR allows the XOR of wires with $2^n$ values to be very efficient. We then analyze the performance of our scheme by evaluating substitution-permutation ciphers. Using our proposal, we measure high-speed evaluation of the ciphers with a moderately increased cost in garbling and bandwidth. Theoretical analysis suggests that for evaluating the nine examined ciphers, one can expect a 4- to 70-fold improvement in evaluation performance with, at most, a 4-fold increase in garbling cost and, at most, an 8-fold increase in communication cost compared to state-of-the-art garbling schemes. In an offline/online setting, such as secure function evaluation as a service, the circuit garbling and communication to the evaluator can proceed before the input phase. Thus our scheme offers a fast online phase. Furthermore, we present efficient computation formulas for the S-boxes of TWINE and Midori64 in Boolean circuits. To our knowledge, our formulas give the smallest number of AND gates for the S-boxes of these two ciphers

Practical Zero-Knowledge Arguments from Structured Reference Strings

Zero-knowledge proofs have become an important tool for addressing privacy and scalability concerns in cryptographic protocols. For zero-knowledge proofs used in blockchain applications, it is desirable to have small proof sizes and fast verification. Yet by design, existing constructions with these properties such as zk-SNARKs also have a secret trapdoor embedded in a relation dependent structured reference string (SRS). Knowledge of this trapdoor suffices to break the security of these proofs. The SRSs required by zero-knowledge proofs are usually constructed with multiparty computation protocols, but the resulting parameters are specific to each individual circuit. In this thesis, we propose a model for constructing zero-knowledge arguments (i.e. zero-knowledge proofs with computational soundness) in which the generation of the SRS is directly considered in the security analysis. In our model the same SRS can be used across multiple applications. Further, the model is updatable i.e. users can update the universal SRS and the SRS is considered secure provided at least one of these users is honest. We propose two zero-knowledge arguments with updatable and universal SRSs, as well as a third which is neither updatable nor universal, but which through similar techniques achieves simulation extractability. The proposed arguments are practical, with proof sizes never more than a constant number of group elements. Verification for two of our constructions consist of a small number of pairing operations. For our other construction, which has the desirable property of a linear sized updatable and universal SRS, we describe efficient batching techniques so that verification is fast in the amortised setting

Constructive Post-Quantum Reductions

Is it possible to convert classical reductions into post-quantum ones? It is customary to argue that while this is problematic in the interactive setting, non-interactive reductions do carry over. However, when considering quantum auxiliary input, this conversion results in a non-constructive post-quantum reduction that requires duplicating the quantum auxiliary input, which is in general inefficient or even impossible. This violates the win-win premise of provable cryptography: an attack against a cryptographic primitive should lead to an algorithmic advantage. We initiate the study of constructive quantum reductions and present positive and negative results for converting large classes of classical reductions to the post-quantum setting in a constructive manner. We show that any non-interactive non-adaptive reduction from assumptions with a polynomial solution space (such as decision assumptions) can be made post-quantum constructive. In contrast, assumptions with super-polynomial solution space (such as general search assumptions) cannot be generally converted. Along the way, we make several additional contributions: 1. We put forth a framework for reductions (or general interaction) with stateful solvers for a computational problem, that may change their internal state between consecutive calls. We show that such solvers can still be utilized. This framework and our results are meaningful even in the classical setting. 2. A consequence of our negative result is that quantum auxiliary input that is useful against a problem with a super-polynomial solution space cannot be generically ``restored\u27\u27 post-measurement. This shows that the novel rewinding technique of Chiesa et al. (FOCS 2021) is tight in the sense that it cannot be extended beyond a polynomial measurement space

Advisor-Verifier-Prover Games and the Hardness of Information Theoretic Cryptography

A major open problem in information-theoretic cryptography is to obtain a super-polynomial lower bound for the communication complexity of basic cryptographic tasks. This question is wide open even for very powerful non-interactive primitives such as private information retrieval (or locally-decodable codes), general secret sharing schemes, conditional disclosure of secrets, and fully-decomposable randomized encoding (or garbling schemes). In fact, for all these primitives we do not even have super-linear lower bounds. Furthermore, it is unknown how to relate these questions to each other or to other complexity-theoretic questions. In this note, we relate all these questions to the classical topic of query/space trade-offs, lifted to the setting of interactive proof systems. Specifically, we consider the following Advisor-Verifier-Prover (AVP) game: First, a function $f$ is given to the advisor who computes an advice $a$. Next, an input $x$ is given to the verifier and to the prover who claims that $f(x)=1$. The verifier should check this claim via a single round of interaction based on the private advice $a$ and without having any additional information on $f$. We focus on the case where the prover is laconic and communicates only a constant number of bits, and, mostly restrict the attention to the simplest, purely information-theoretic setting, where all parties are allowed to be computationally unbounded. The goal is to minimize the total communication complexity which is dominated by the length of the advice plus the length of the verifier\u27s query. As our main result, we show that a super-polynomial lower bound for AVPs implies a super-polynomial lower bound for a wide range of information-theoretic cryptographic tasks. In particular, we present a communication-efficient transformation from any of the above primitives into an AVP protocol. Interestingly, each primitive induces some additional property over the resulting protocol. Thus AVP games form a new common yardstick that highlights the differences between all the above primitives. Equipped with this view, we revisit the existing (somewhat weak) lower bounds for the above primitives, and show that many of these lower bounds can be unified by proving a single counting-based lower bound on the communication of AVPs, whereas some techniques are inherently limited to specific domains. The latter is shown by proving the first polynomial separations between the complexity of secret-sharing schemes and conditional disclosure of secrets and between the complexity of randomized encodings and conditional disclosure of secrets

Quantum Garbled Circuits

We present a garbling scheme for quantum circuits, thus achieving a decomposable randomized encoding scheme for quantum computation. Specifically, we show how to compute an encoding of a given quantum circuit and quantum input, from which it is possible to derive the output of the computation and nothing else. In the classical setting, garbled circuits (and randomized encodings in general) are a versatile cryptographic tool with many applications such as secure multiparty computation, delegated computation, depth-reduction of cryptographic primitives, complexity lower-bounds, and more. However, a quantum analogue for garbling general circuits was not known prior to this work. We hope that our quantum randomized encoding scheme can similarly be useful for applications in quantum computing and cryptography. To illustrate the usefulness of quantum randomized encoding, we use it to design a conceptually-simple zero-knowledge (ZK) proof system for the complexity class $\mathbf{QMA}$. Our protocol has the so-called $\Sigma$ format with a single-bit challenge, and allows the inputs to be delayed to the last round. The only previously-known ZK $\Sigma$-protocol for $\mathbf{QMA}$ is due to Broadbent and Grilo (FOCS 2020), which does not have the aforementioned properties.Comment: 66 pages. Updated the erroneous claim from v1 about the complexity of information-theoretic QRE as matching the classical case. Added an application of QRE to zero-knowledge for QM