On the Impossibility of Surviving (Iterated) Deletion of Weakly Dominated Strategies in Rational MPC

Rational multiparty computation (rational MPC) provides a framework for analyzing MPC protocols through the lens of game theory. One way to judge whether an MPC protocol is rational is through weak domination: Rational players would not adhere to an MPC protocol if deviating never decreases their utility, but sometimes increases it. Secret reconstruction protocols are of particular importance in this setting because they represent the last phase of most (rational) MPC protocols. We show that most secret reconstruction protocols from the literature are not, in fact, stable with respect to weak domination. Furthermore, we formally prove that (under certain assumptions) it is impossible to design a secret reconstruction protocol which is a Nash equlibrium but not weakly dominated if (1) shares are authenticated or (2) half of all players may form a coalition

Efficient Threshold Secret Sharing Schemes Secure against Rushing Cheaters

In this paper, we consider three very important issues namely detection, identification and robustness of $k$-out-of-$n$ secret sharing schemes against rushing cheaters who are allowed to submit (possibly forged) shares {\em after} observing shares of the honest users in the reconstruction phase. Towards this we present five different schemes. Among these, first we present two $k$-out-of-$n$ secret sharing schemes, the first one being capable of detecting $(k-1)/3$ cheaters such that $|V_i|=|S|/\epsilon^3$ and the second one being capable of detecting $n-1$ cheaters such that $|V_i|=|S|/\epsilon^{k+1}$, where $S$ denotes the set of all possible secrets, $\epsilon$ denotes the successful cheating probability of cheaters and $V_i$ denotes set all possible shares. Next we present two $k$-out-of-$n$ secret sharing schemes, the first one being capable of identifying $(k-1)/3$ rushing cheaters with share size $|V_i|$ that satisfies $|V_i|=|S|/\epsilon^k$. This is the first scheme whose size of shares does not grow linearly with $n$ but only with $k$, where $n$ is the number of participants. For the second one, in the setting of public cheater identification, we present an efficient optimal cheater resilient $k$-out-of-$n$ secret sharing scheme against rushing cheaters having the share size $|V_i|= (n-t)^{n+2t}|S|/\epsilon^{n+2t}$. The proposed scheme achieves {\em flexibility} in the sense that the security level (i.e. the cheater(s) success probability) is independent of the secret size. Finally, we design an efficient $(k, \delta)$ robust secret sharing secure against rushing adversary with optimal cheater resiliency. Each of the five proposed schemes has the smallest share size having the mentioned properties among the existing schemes in the respective fields

Pre-Constrained Encryption

In all existing encryption systems, the owner of the master secret key has the ability to decrypt all ciphertexts. In this work, we propose a new notion of pre-constrained encryption (PCE) where the owner of the master secret key does not have "full" decryption power. Instead, its decryption power is constrained in a pre-specified manner during the system setup. We present formal definitions and constructions of PCE, and discuss societal applications and implications to some well-studied cryptographic primitives

On the Impossibility of Surviving (Iterated) Deletion of Weakly Dominated Strategies in Rational MPC

Rational multiparty computation (rational MPC) provides a framework for analyzing MPC protocols through the lens of game theory. One way to judge whether an MPC protocol is rational is through weak domination: Rational players would not adhere to an MPC protocol if deviating never decreases their utility, but sometimes increases it. Secret reconstruction protocols are of particular importance in this setting because they represent the last phase of most (rational) MPC protocols. We show that most secret reconstruction protocols from the literature are not, in fact, stable with respect to weak domination. Furthermore, we formally prove that (under certain assumptions) it is impossible to design a secret reconstruction protocol which is a Nash equlibrium but not weakly dominated if (1) shares are authenticated or (2) half of all players may form a coalition

Efficient Robust Secret Sharing from Expander Graphs

Threshold secret sharing is a protocol that allows a dealer to share a secret among $n$ players so that any coalition of $t$ players learns nothing about the secret, but any $t+1$ players can reconstruct the secret in its entirety. Robust secret sharing (RSS) provides the additional guarantee that even if $t$ malicious players mangle their shares, they cannot cause the honest players to reconstruct an incorrect secret. When $t \frac{n}{2}$, RSS is known to be impossible, but for $\frac{n}{3} < t < \frac{n}{2}$ much less is known. When $\frac{n}{3} < t < \frac{n}{2}$ previous RSS protocols could either achieve optimal share size with inefficient (exponential time) reconstruction procedures, or sub-optimal share size with polynomial time reconstruction. In this work, we construct a simple RSS protocol for $t = \left( \frac{1}{2} - \epsilon\right)n$ that achieves logarithmic overhead in terms of share size and simultaneously allows efficient reconstruction. Our shares size increases by an additive term of $O(\kappa + \log n)$, and reconstruction succeeds except with probability at most $2^{-\kappa}$. This provides a partial solution to a problem posed by Cevallos et al. in Eurocrypt 2012. Namely, when $t = \left( \frac{1}{2} - O(1) \right)n$ we show that the share size in RSS schemes do not require an overhead that is linear in $n$. Previous efficient RSS protocols like that of Rabin and Ben-Or (STOC \u2789) and Cevallos et al. (Eurocrypt \u2712) use MACs to allow each player to check the shares of each other player in the protocol. These checks provide robustness, but require significant overhead in share size. Our construction identifies the $n$ players as nodes in an expander graph, each player only checks its neighbors in the expander graph. When $t = \left\{ \frac{1}{2} - O(1) \right\}n$, the concurrent, independent work of Cramer et al. (Eurocrypt \u2715) shows how to achieve shares that \emph{decrease} with the number of players using completely different techniques

On Improving Communication Complexity in Cryptography

Cryptography grew to be much more than "the study of secret writing". Modern cryptography is concerned with establishing properties such as privacy, integrity and authenticity in protocols for secure communication and computation. This comes at a price: Cryptographic tools usually introduce an overhead, both in terms of communication complexity (that is, number and size of messages transmitted) and computational efficiency (that is, time and memory required). As in many settings communication between the parties involved is the bottleneck, this thesis is concerned with improving communication complexity in cryptographic protocols. One direction towards this goal is scalable cryptography: In many cryptographic schemes currently deployed, the security degrades linearly with the number of instances (e.g. encrypted messages) in the system. As this number can be huge in contexts like cloud computing, the parameters of the scheme have to be chosen considerably larger - and in particular depending on the expected number of instances in the system - to maintain security guarantees. We advance the state-of-the-art regarding scalable cryptography by constructing schemes where the security guarantees are independent of the number of instances. This allows to choose smaller parameters, even when the expected number of instances is immense. - We construct the first scalable encryption scheme with security against active adversaries which has both compact public keys and ciphertexts. In particular, we significantly reduce the size of the public key to only about 3% of the key-size of the previously most efficient scalable encryption scheme. (Gay,Hofheinz, and Kohl, CRYPTO, 2017) - We present a scalable structure-preserving signature scheme which improves both in terms of public-key and signature size compared to the previously best construction to about 40% and 56% of the sizes, respectively. (Gay, Hofheinz, Kohl, and Pan, EUROCRYPT, 2018) Another important area of cryptography is secure multi-party computation, where the goal is to jointly evaluate some function while keeping each party’s input private. In traditional approaches towards secure multi-party computation either the communication complexity scales linearly in the size of the function, or the computational efficiency is poor. To overcome this issue, Boyle, Gilboa, and Ishai (CRYPTO, 2016) introduced the notion of homomorphic secret sharing. Here, inputs are shared between parties such that each party does not learn anything about the input, and such that the parties can locally evaluate functions on the shares. Homomorphic secret sharing implies secure computation where the communication complexity only depends on the size of the inputs, which is typically much smaller than the size of the function. A different approach towards efficient secure computation is to split the protocol into an input-independent preprocessing phase, where long correlated strings are generated, and a very efficient online phase. One example for a useful correlation are authenticated Beaver triples, which allow to perform efficient multiplications in the online phase such that privacy of the inputs is preserved and parties deviating the protocol can be detected. The currently most efficient protocols implementing the preprocessing phase require communication linear in the number of triples to be generated. This results typically in high communication costs, as the online phase requires at least one authenticated Beaver triple per multiplication. We advance the state-of-the art regarding efficient protocols for secure computation with low communication complexity as follows. - We construct the first homomorphic secret sharing scheme for computing arbitrary functions in NC 1 (that is, functions that are computably by circuits with logarithmic depth) which supports message spaces of arbitrary size, has only negligible correctness error, and does not require expensive multiplication on ciphertexts. (Boyle, Kohl, and Scholl, EUROCRYPT, 2019) - We introduce the notion of a pseudorandom correlation generator for general correlations. Pseudorandom correlation generators allow to locally extend short correlated seeds into long pseudorandom correlated strings. We show that pseudorandom correlation generators can replace the preprocessing phase in many protocols, leading to a preprocessing phase with sublinear communication complexity. We show connections to homomorphic secret sharing schemes and give the first instantiation of pseudorandom correlation generators for authenticated Beaver triples at reasonable computational efficiency. (Boyle, Couteau, Gilboa, Ishai, Kohl, and Scholl, CRYPTO, 2019

Combining Shamir & Additive Secret Sharing to Improve Efficiency of SMC Primitives Against Malicious Adversaries

Secure multi-party computation provides a wide array of protocols for mutually distrustful parties be able to securely evaluate functions of private inputs. Within recent years, many such protocols have been proposed representing a plethora of strategies to securely and efficiently handle such computation. These protocols have become increasingly efficient, but their performance still is impractical in many settings. We propose new approaches to some of these problems which are either more efficient than previous works within the same security models or offer better security guarantees with comparable efficiency. The goals of this research are to improve efficiency and security of secure multi-party protocols and explore the application of such approaches to novel threat scenarios. Some of the novel optimizations employed are dynamically switching domains of shared secrets, asymmetric computations, and advantageous functional transformations, among others. Specifically, this work presents a novel combination of Shamir and Additive secret sharing to be used in parallel which allows for the transformation of efficient protocols secure against passive adversaries to be secure against active adversaries. From this set of primitives we propose the construction of a comparison protocol which can be implemented under that approach with a complexity which is more efficient than other recent works for common domains of interest. Finally, we present a system which addresses a critical security threat for the protection and obfuscation of information which may be of high consequence.Comment: arXiv admin note: text overlap with arXiv:1810.0157