    Secure Function Extensions to Additively Homomorphic Cryptosystems

    The number-theoretic literature has long studied the question of distributions of sequences of quadratic residue symbols modulo a prime number. In this paper, we present an efficient algorithm for generating primes containing chosen sequences of quadratic residue symbols and use it as the basis of a method extending the functionality of additively homomorphic cryptosystems. We present an algorithm for encoding a chosen Boolean function into the public key and an efficient two-party protocol for evaluating this function on an encrypted sum. We demonstrate concrete parameters for secure function evaluation on encrypted sums up to eight bits at standard key sizes in the integer factorization setting. Although the approach is limited to applications involving small sums, it is a practical way to extend the functionality of existing secure protocols built on partially homomorphic encryption schemes.

    Can We Access a Database Both Locally and Privately?

    We consider the following strong variant of private information retrieval (PIR). There is a large database x that we want to make publicly available. To this end, we post an encoding X of x together with a short public key pk in a publicly accessible repository. The goal is to allow any client who comes along to retrieve a chosen bit x_i by reading a small number of bits from X, whose positions may be randomly chosen based on i and pk, such that even an adversary who can fully observe the access to X does not learn information about i. Towards solving the above problem, we study a weaker secret key variant where the data is encoded and accessed by the same party. This primitive, that we call an oblivious locally decodable code (OLDC), is independently motivated by applications such as searchable symmetric encryption. We reduce the public-key variant of PIR to OLDC using an ideal form of obfuscation that can be instantiated heuristically with existing indistinguishability obfuscation candidates, or alternatively implemented with small and stateless tamper-proof hardware. Finally, a central contribution of our work is the first proposal of an OLDC candidate. Our candidate is based on a secretly permuted Reed-Muller code. We analyze the security of this candidate against several natural attacks and leave its further study to future work.

    The Parallel Dynamic Complexity of the Abelian Cayley Group Membership Problem

    Let $G$ be a finite group given as input by its multiplication table. For a subset $S$ of $G$ and an element $g\in G$ the Cayley Group Membership Problem (denoted CGM) is to check if $g$ belongs to the subgroup generated by $S$. While this problem is easily seen to be in polynomial time, pinpointing its parallel complexity has been of research interest over the years. In this paper we further explore the parallel complexity of the abelian CGM problem, with focus on the dynamic setting: the generating set $S$ changes with insertions and deletions and the goal is to maintain a data structure that supports efficient membership queries to the subgroup $\langle S\rangle$. We obtain the following results:
    1. We first consider the more general problem of Monoid Membership. When $G$ is a commutative monoid we give a deterministic dynamic constant-time parallel algorithm for membership testing that supports $O(1)$ insertions and deletions in each step.
    2. Building on the previous result we show that there is a dynamic randomized constant-time parallel algorithm for abelian CGM that supports polylogarithmically many insertions/deletions to $S$ in each step.
    3. If the number of insertions/deletions is at most $O(\log n/\log\log n)$ then we obtain a deterministic dynamic constant-time parallel algorithm for the problem.
    4. We obtain analogous results for the dynamic abelian Group Isomorphism.

    Cryptography with Weights: MPC, Encryption and Signatures

    The security of several cryptosystems rests on the trust assumption that a certain fraction of the parties are honest. This trust assumption has enabled a diverse range of cryptographic applications such as secure multiparty computation, threshold encryption, and threshold signatures. However, current and emerging practical use cases suggest that this paradigm of one-person-one-vote is outdated. In this work, we consider weighted cryptosystems where every party is assigned a certain weight and the trust assumption is that a certain fraction of the total weight is honest. This setting can be translated to the standard setting (where each party has a unit weight) via virtualization. However, this method is quite expensive, incurring a multiplicative overhead in the weight. We present new weighted cryptosystems with significantly better efficiency. Specifically, our proposed schemes incur only an additive overhead in weights.
    - We first present a weighted ramp secret-sharing scheme where the size of the secret share is as short as $O(w)$ (where $w$ corresponds to the weight). In comparison, Shamir's secret sharing with virtualization requires secret shares of size $w\cdot\lambda$, where $\lambda=\log|\mathbb{F}|$ is the security parameter.
    - Next, we use our weighted secret-sharing scheme to construct weighted versions of (semi-honest) secure multiparty computation (MPC), threshold encryption, and threshold signatures. All these schemes inherit the efficiency of our secret sharing scheme and incur only an additive overhead in the weights.
    Our weighted secret-sharing scheme is based on the Chinese remainder theorem. Interestingly, this secret-sharing scheme is non-linear and only achieves statistical privacy. These distinct features introduce several technical hurdles in applications to MPC and threshold cryptosystems. We resolve these challenges by developing several new ideas.

    Weighted Secret Sharing from Wiretap Channels

    Secret-sharing allows splitting a piece of secret information among a group of shareholders, so that it takes a large enough subset of them to recover it. In weighted secret-sharing, each shareholder has an integer weight, and it takes a subset of large-enough weight to recover the secret. Schemes in the literature for weighted threshold secret sharing either have share sizes that grow linearly with the total weight, or ones that depend on huge public information (essentially a garbled circuit) of size (quasi)polynomial in the number of parties. To do better, we investigate a relaxation, $(\alpha,\beta)$-ramp weighted secret sharing, where subsets of weight $\beta W$ can recover the secret (with $W$ the total weight), but subsets of weight $\alpha W$ or less cannot learn anything about it. These can be constructed from standard secret-sharing schemes, but known constructions require long shares even for short secrets, achieving share sizes of $\max\big(W,\frac{|\mathrm{secret}|}{\epsilon}\big)$, where $\epsilon=\beta-\alpha$. In this note we first observe that simple rounding lets us replace the total weight $W$ by $N/\epsilon$, where $N$ is the number of parties. Combined with known constructions, this yields share sizes of $O\big(\max(N,|\mathrm{secret}|)/\epsilon\big)$. Our main contribution is a novel connection between weighted secret sharing and wiretap channels, that improves or even eliminates the dependence on $N$, at a price of increased dependence on $1/\epsilon$. We observe that for certain additive-noise $(R,A)$ wiretap channels, any semantically secure scheme can be naturally transformed into an $(\alpha,\beta)$-ramp weighted secret-sharing, where $\alpha,\beta$ are essentially the respective capacities of the channels $A,R$. We present two instantiations of this type of construction, one using Binary Symmetric wiretap Channels, and the other using additive Gaussian Wiretap Channels. Depending on the parameters of the underlying wiretap channels, this gives rise to $(\alpha,\beta)$-ramp schemes with share sizes $|\mathrm{secret}|/\mathrm{poly}(\epsilon\log N)$ or even just $|\mathrm{secret}|/\mathrm{poly}(\epsilon)$.

    LIPIcs, Volume 274, ESA 2023, Complete Volume

    LIPIcs, Volume 274, ESA 2023, Complete Volume

    Revisiting Fast Fourier multiplication algorithms on quotient rings

    This work formalizes efficient Fast Fourier-based multiplication algorithms for polynomials in quotient rings such as \mathbb{Z}_{m}[x]/\left, with $n$ a power of 2 and $m$ a not necessarily prime integer. We also present a meticulous study on the necessary and/or sufficient conditions required for the applicability of these multiplication algorithms. This paper allows us to unify the different approaches to the problem of efficiently computing the product of two polynomials in these quotient rings.

    Dressing Modern Frenchwomen

    At a glance, high fashion and feminism seem unlikely partners. Between the First and Second World Wars, however, these forces combined femininity and modernity to create the new, modern French woman. In this engaging study, Mary Lynn Stewart reveals the fashion industry as an integral part of women's transition into modernity. Analyzing what female columnists in fashion magazines and popular women novelists wrote about the "new silhouette," Stewart shows how bourgeois women feminized the more severe, masculine images that elite designers promoted to create a hybrid form of modern that both emancipated women and celebrated their femininity. She delves into the intricacies of marketing the new clothes and the new image to middle-class women and examines the nuts and bolts of a changing industry—including textile production, relationships between suppliers and department stores, and privacy and intellectual property issues surrounding ready-to-wear couture designs. Dressing Modern Frenchwomen draws from thousands of magazine covers, advertisements, fashion columns, and features to uncover and untangle the fascinating relationships among the fashion industry, the development of modern marketing techniques, and the evolution of the modern woman as active, mobile, and liberated.

    Algorithms for Scheduling Problems and Integer Programming

    The first part of this thesis gives approximation results for scheduling problems. The classical makespan minimization problem on identical parallel machines asks for a distribution of a set of jobs to a set of machines such that the latest job completion time is minimized. For this strongly NP-complete problem we give a new EPTAS algorithm. In fact, it admits a practical implementation which beats the currently best approximation ratio of the MULTIFIT algorithm. A well-studied extension of the problem is the partition of the jobs into classes which impose a class-specific setup time on a machine whenever the processing switches to a job of a different class. For these so-called scheduling problems with batch setup times we present a 1.5-approximation algorithm for each of the three major settings. We achieve similar results for the likewise natural variant of many shared resources scheduling (MSRS) where instead of imposing a setup time each class is identified by a resource which can be occupied by at most one of its jobs at a time. For MSRS we present a 1.5-approximation and two EPTAS results. The second part provides results for fixed-priority uniprocessor real-time scheduling and variants of block-structured integer programming. We give a new approach to compute worst-case response times which admits a polynomial-time algorithm for harmonic periods even in the presence of task release jitters. In more detail, we prove a duality between Response Time Computation (RTC) and the Mixing Set problem. Furthermore, both problems can be expressed as block-structured integer programs which are closely related to simultaneous congruences. However, the setting of the famous Chinese Remainder Theorem is that each congruence has to have a certain remainder. We relax this setting such that the remainder of each congruence may lie in a given interval. We show that the smallest solution to these congruences can be computed in polynomial time if the set of divisors is harmonic.