7,044 research outputs found
Computer-aided proofs for multiparty computation with active security
Secure multi-party computation (MPC) is a general cryptographic technique
that allows distrusting parties to compute a function of their individual
inputs, while only revealing the output of the function. It has found
applications in areas such as auctioning, email filtering, and secure
teleconference. Given its importance, it is crucial that the protocols are
specified and implemented correctly. In the programming language community it
has become good practice to use computer proof assistants to verify correctness
proofs. In the field of cryptography, EasyCrypt is the state of the art proof
assistant. It provides an embedded language for probabilistic programming,
together with a specialized logic, embedded into an ambient general purpose
higher-order logic. It allows us to conveniently express cryptographic
properties. EasyCrypt has been used successfully on many applications,
including public-key encryption, signatures, garbled circuits and differential
privacy. Here we show for the first time that it can also be used to prove
security of MPC against a malicious adversary. We formalize additive and
replicated secret sharing schemes and apply them to Maurer's MPC protocol for
secure addition and multiplication. Our method extends to general polynomial
functions. We follow the insights from EasyCrypt that security proofs can be
often be reduced to proofs about program equivalence, a topic that is well
understood in the verification of programming languages. In particular, we show
that in the passive case the non-interference-based definition is equivalent to
a standard game-based security definition. For the active case we provide a new
NI definition, which we call input independence
An Efficient Normalisation Procedure for Linear Temporal Logic and Very Weak Alternating Automata
In the mid 80s, Lichtenstein, Pnueli, and Zuck proved a classical theorem
stating that every formula of Past LTL (the extension of LTL with past
operators) is equivalent to a formula of the form , where
and contain only past operators. Some years later, Chang,
Manna, and Pnueli built on this result to derive a similar normal form for LTL.
Both normalisation procedures have a non-elementary worst-case blow-up, and
follow an involved path from formulas to counter-free automata to star-free
regular expressions and back to formulas. We improve on both points. We present
a direct and purely syntactic normalisation procedure for LTL yielding a normal
form, comparable to the one by Chang, Manna, and Pnueli, that has only a single
exponential blow-up. As an application, we derive a simple algorithm to
translate LTL into deterministic Rabin automata. The algorithm normalises the
formula, translates it into a special very weak alternating automaton, and
applies a simple determinisation procedure, valid only for these special
automata.Comment: This is the extended version of the referenced conference paper and
contains an appendix with additional materia
Approximating Cumulative Pebbling Cost Is Unique Games Hard
The cumulative pebbling complexity of a directed acyclic graph is defined
as , where the minimum is taken over all
legal (parallel) black pebblings of and denotes the number of
pebbles on the graph during round . Intuitively, captures
the amortized Space-Time complexity of pebbling copies of in parallel.
The cumulative pebbling complexity of a graph is of particular interest in
the field of cryptography as is tightly related to the
amortized Area-Time complexity of the Data-Independent Memory-Hard Function
(iMHF) [AS15] defined using a constant indegree directed acyclic
graph (DAG) and a random oracle . A secure iMHF should have
amortized Space-Time complexity as high as possible, e.g., to deter brute-force
password attacker who wants to find such that . Thus, to
analyze the (in)security of a candidate iMHF , it is crucial to
estimate the value but currently, upper and lower bounds for
leading iMHF candidates differ by several orders of magnitude. Blocki and Zhou
recently showed that it is -Hard to compute , but
their techniques do not even rule out an efficient
-approximation algorithm for any constant . We
show that for any constant , it is Unique Games hard to approximate
to within a factor of .
(See the paper for the full abstract.)Comment: 28 pages, updated figures and corrected typo
Formalizing structured file services for the data storage and retrieval subsystem of the data management system for Spacestation Freedom
A brief example of the use of formal methods techniques in the specification of a software system is presented. The report is part of a larger effort targeted at defining a formal methods pilot project for NASA. One possible application domain that may be used to demonstrate the effective use of formal methods techniques within the NASA environment is presented. It is not intended to provide a tutorial on either formal methods techniques or the application being addressed. It should, however, provide an indication that the application being considered is suitable for a formal methods by showing how such a task may be started. The particular system being addressed is the Structured File Services (SFS), which is a part of the Data Storage and Retrieval Subsystem (DSAR), which in turn is part of the Data Management System (DMS) onboard Spacestation Freedom. This is a software system that is currently under development for NASA. An informal mathematical development is presented. Section 3 contains the same development using Penelope (23), an Ada specification and verification system. The complete text of the English version Software Requirements Specification (SRS) is reproduced in Appendix A
A syntactic approach to continuity of T-definable functionals
We give a new proof of the well-known fact that all functions which are definable in G\"odel's System T are
continuous via a syntactic approach. Differing from the usual syntactic method,
we firstly perform a translation of System T into itself in which natural
numbers are translated to functions . Then we inductively define a continuity predicate on the
translated elements and show that the translation of any term in System T
satisfies the continuity predicate. We obtain the desired result by relating
terms and their translations via a parametrized logical relation. Our
constructions and proofs have been formalized in the Agda proof assistant.
Because Agda is also a programming language, we can execute our proof to
compute moduli of continuity of T-definable functions
Proofs of Quantumness from Trapdoor Permutations
Assume that Alice can do only classical probabilistic polynomial-time computing while Bob can do quantum polynomial-time computing. Alice and Bob communicate over only classical channels, and finally Bob gets a state with some bit strings and . Is it possible that Alice can know but Bob cannot? Such a task, called {\it remote state preparations}, is indeed possible under some complexity assumptions, and is bases of many quantum cryptographic primitives such as proofs of quantumness, (classical-client) blind quantum computing, (classical) verifications of quantum computing, and quantum money. A typical technique to realize remote state preparations is to use 2-to-1 trapdoor collision resistant hash functions: Alice sends a 2-to-1 trapdoor collision resistant hash function to Bob, and Bob evaluates it coherently, i.e., Bob generates . Bob measures the second register to get the measurement result , and sends to Alice. Bob\u27s post-measurement state is , where . With the trapdoor, Alice can learn from , but due to the collision resistance, Bob cannot. This Alice\u27s advantage can be leveraged to realize the quantum cryptographic primitives listed above. It seems that the collision resistance is essential here. In this paper, surprisingly, we show that the collision resistance is not necessary for a restricted case: we show that (non-verifiable) remote state preparations of secure against {\it classical} probabilistic polynomial-time Bob can be constructed from classically-secure (full-domain) trapdoor permutations. Trapdoor permutations are not likely to imply the collision resistance, because black-box reductions from collision-resistant hash functions to trapdoor permutations are known to be impossible. As an application of our result, we construct proofs of quantumness from classically-secure (full-domain) trapdoor permutations
Limits to Non-Malleability
There have been many successes in constructing explicit non-malleable codes for various classes of tampering functions in recent years, and strong existential results are also known. In this work we ask the following question:
When can we rule out the existence of a non-malleable code for a tampering class ??
First, we start with some classes where positive results are well-known, and show that when these classes are extended in a natural way, non-malleable codes are no longer possible. Specifically, we show that no non-malleable codes exist for any of the following tampering classes:
- Functions that change d/2 symbols, where d is the distance of the code;
- Functions where each input symbol affects only a single output symbol;
- Functions where each of the n output bits is a function of n-log n input bits.
Furthermore, we rule out constructions of non-malleable codes for certain classes ? via reductions to the assumption that a distributional problem is hard for ?, that make black-box use of the tampering functions in the proof. In particular, this yields concrete obstacles for the construction of efficient codes for NC, even assuming average-case variants of P ? NC
On the Cryptographic Hardness of Local Search
We show new hardness results for the class of Polynomial Local Search problems (PLS):
- Hardness of PLS based on a falsifiable assumption on bilinear groups introduced by Kalai, Paneth, and Yang (STOC 2019), and the Exponential Time Hypothesis for randomized algorithms. Previous standard model constructions relied on non-falsifiable and non-standard assumptions.
- Hardness of PLS relative to random oracles. The construction is essentially different than previous constructions, and in particular is unconditionally secure. The construction also demonstrates the hardness of parallelizing local search.
The core observation behind the results is that the unique proofs property of incrementally-verifiable computations previously used to demonstrate hardness in PLS can be traded with a simple incremental completeness property
SoK:Communication across distributed ledgers
Since the inception of Bitcoin, a plethora of distributed ledgers differing in design and purpose has been created. While by design, blockchains provide no means to securely communicate with external systems, numerous attempts towards trustless cross-chain communication have been proposed over the years. Today, cross-chain communication (CCC) plays a fundamental role in cryptocurrency exchanges, scalability efforts via sharding, extension of existing systems through sidechains, and bootstrapping of new blockchains. Unfortunately, existing proposals are designed ad-hoc for specific use-cases, making it hard to gain confidence in their correctness and composability. We provide the first systematic exposition of cross-chain communication protocols. We formalize the underlying research problem and show that CCC is impossible without a trusted third party, contrary to common beliefs in the blockchain community. With this result in mind, we develop a framework to design new and evaluate existing CCC protocols, focusing on the inherent trust assumptions thereof, and derive a classification covering the field of cross-chain communication to date. We conclude by discussing open challenges for CCC research and the implications of interoperability on the security and privacy of blockchains
- …