Round-Optimal Secure Multi-Party Computation
Secure multi-party computation (MPC) is a central cryptographic task that allows a set of mutually distrustful parties to jointly compute some function of their private inputs where security should hold in the presence of a malicious adversary that can corrupt any number of parties. Despite extensive research, the precise round complexity of this "standard-bearer" cryptographic primitive is unknown. Recently, Garg, Mukherjee, Pandey and Polychroniadou, in EUROCRYPT 2016, demonstrated that the round complexity of any MPC protocol relying on black-box proofs of security in the plain model must be at least four. Following this work, independently Ananth, Choudhuri and Jain, CRYPTO 2017, and Brakerski, Halevi, and Polychroniadou, TCC 2017, made progress towards solving this question and constructed four-round protocols based on non-polynomial time assumptions. More recently, Ciampi, Ostrovsky, Siniscalchi and Visconti in TCC 2017 closed the gap for two-party protocols by constructing a four-round protocol from polynomial-time assumptions. In another work, Ciampi, Ostrovsky, Siniscalchi and Visconti, TCC 2017, showed how to design a four-round multi-party protocol for the specific case of multi-party coin-tossing.
In this work, we resolve this question by designing a four-round actively secure multi-party (two or more parties) protocol for general functionalities under standard polynomial-time hardness assumptions with a black-box proof of security.
A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM
Oblivious Transfer (OT) is a fundamental cryptographic protocol that finds a
number of applications, in particular, as an essential building block for
two-party and multi-party computation. We construct a round-optimal (2 rounds)
universally composable (UC) protocol for oblivious transfer secure against
active adaptive adversaries from any OW-CPA secure public-key encryption scheme
with certain properties in the random oracle model (ROM). In terms of
computation, our protocol only requires the generation of a public/secret-key
pair, two encryption operations and one decryption operation, apart from a few
calls to the random oracle. In terms of communication, our protocol only
requires the transfer of one public-key, two ciphertexts, and three binary
strings of roughly the same size as the message. Next, we show how to
instantiate our construction under the low noise LPN, McEliece, QC-MDPC, LWE,
and CDH assumptions. Our instantiations based on the low noise LPN, McEliece,
and QC-MDPC assumptions are the first UC-secure OT protocols based on coding
assumptions to achieve: 1) adaptive security, 2) optimal round complexity, 3)
low communication and computational complexities. Previous results in this
setting only achieved static security and used costly cut-and-choose
techniques. Our instantiation based on CDH achieves adaptive security at the
small cost of communicating only two more group elements as compared to the
gap-DH based Simplest OT protocol of Chou and Orlandi (Latincrypt 15), which
only achieves static security in the ROM.
Generic Secure Repair for Distributed Storage
This paper studies the problem of repairing secret sharing schemes, i.e.,
schemes that encode a message into shares, assigned to nodes, so that
any nodes can decode the message but any colluding nodes cannot infer
any information about the message. In the event of node failures so that shares
held by the failed nodes are lost, the system needs to be repaired by
reconstructing and reassigning the lost shares to the failed (or replacement)
nodes. This can be achieved trivially by a trustworthy third-party that
receives the shares of the available nodes, recomputes and reassigns the lost
shares. The interesting question, studied in the paper, is how to repair
without a trustworthy third-party. The main issue that arises is repair
security: how to maintain the requirement that any colluding nodes,
including the failed nodes, cannot learn any information about the message,
during and after the repair process? We solve this secure repair problem from
the perspective of secure multi-party computation. Specifically, we design
generic repair schemes that can securely repair any (scalar or vector) linear
secret sharing schemes. We prove a lower bound on the repair bandwidth of
secure repair schemes and show that the proposed secure repair schemes achieve
the optimal repair bandwidth up to a small constant factor when dominates
, or when the secret sharing scheme being repaired has optimal rate. We
adopt a formal information-theoretic approach in our analysis and bounds. A
main idea in our schemes is to allow a more flexible repair model than the
straightforward one-round repair model implicitly assumed by existing secure
regenerating codes. Particularly, the proposed secure repair schemes are simple
and efficient two-round protocols.
Round-Optimal Oblivious Transfer and MPC from Computational CSIDH
We present the first round-optimal and plausibly quantum-safe oblivious transfer (OT) and multi-party computation (MPC) protocols from the computational CSIDH assumption - the weakest and most widely studied assumption in the CSIDH family of isogeny-based assumptions. We obtain the following results:
- The first round-optimal maliciously secure OT and MPC protocols in the plain model that achieve (black-box) simulation-based security while relying on the computational CSIDH assumption.
- The first round-optimal maliciously secure OT and MPC protocols that achieve Universal Composability (UC) security in the presence of a trusted setup (common reference string plus random oracle) while relying on the computational CSIDH assumption.
Prior plausibly quantum-safe isogeny-based OT protocols (with/without setup assumptions) are either not round-optimal, or rely on potentially stronger assumptions.
We also build a 3-round maliciously-secure OT extension protocol where each base OT protocol requires only 4 isogeny computations. In comparison, the most efficient isogeny-based OT extension protocol to date, due to Lai et al. [Eurocrypt 2021], requires 12 isogeny computations and 4 rounds of communication, while relying on the same assumption as our construction, namely the reciprocal CSIDH assumption.
Private Federated Frequency Estimation: Adapting to the Hardness of the Instance
In federated frequency estimation (FFE), multiple clients work together to
estimate the frequencies of their collective data by communicating with a
server that respects the privacy constraints of Secure Summation (SecSum), a
cryptographic multi-party computation protocol that ensures that the server can
only access the sum of client-held vectors. For single-round FFE, it is known
that count sketching is nearly information-theoretically optimal for achieving
the fundamental accuracy-communication trade-offs [Chen et al., 2022]. However,
we show that under the more practical multi-round FFE setting, simple
adaptations of count sketching are strictly sub-optimal, and we propose a novel
hybrid sketching algorithm that is provably more accurate. We also address the
following fundamental question: how should a practitioner set the sketch size
in a way that adapts to the hardness of the underlying problem? We propose a
two-phase approach that allows for the use of a smaller sketch size for simpler
problems (e.g., near-sparse or light-tailed distributions). We conclude our
work by showing how differential privacy can be added to our algorithm and
verifying its superior performance through extensive experiments conducted on
large-scale datasets. Comment: NeurIPS 2023 camera ready version
Broadcast and Verifiable Secret Sharing: New Security Models and Round Optimal Constructions
Broadcast and verifiable secret sharing (VSS) are central building blocks for secure multi-party computation. These protocols are required to be resilient against a Byzantine adversary who controls at most t out of the n parties running the protocol. In this dissertation, we consider the design of fault-tolerant protocols for broadcast and verifiable secret sharing with stronger security guarantees and improved round complexity.
Broadcast allows a party to send the same message to all parties, and all parties are assured they have received identical messages. Given a public-key infrastructure (PKI) and digital signatures, it is possible to construct broadcast protocols tolerating any number of corrupted parties. We address two important issues related to broadcast: (1) Almost all existing protocols do not distinguish between corrupted parties (who do not follow the protocol) and honest parties whose secret (signing) keys have been compromised (but who continue to behave honestly); (2) all existing protocols for broadcast are insecure against an adaptive adversary who can choose which parties to corrupt as the protocol progresses. We propose new security models that capture these issues, and present tight feasibility and impossibility results.
In the problem of verifiable secret sharing, there is a designated player who shares a secret during an initial sharing phase such that the secret is hidden from an adversary that corrupts at most t parties. In a subsequent reconstruction phase of the protocol, a unique secret, well-defined by the view of honest players in the sharing phase, is reconstructed. The round complexity of VSS protocols is a very important metric of their efficiency. We show two improvements regarding the round complexity of information-theoretic VSS. First, we construct an efficient perfectly secure VSS protocol tolerating t < n/3 corrupted parties that is simultaneously optimal in both the number of rounds and the number of invocations of broadcast. Second, we construct a statistically secure VSS protocol tolerating t < n/2 corrupted parties that has optimal round complexity, and an efficient statistical VSS protocol tolerating t < n/2 corrupted parties that requires one additional round.
BOREALIS: Building Block for Sealed Bid Auctions on Blockchains
We focus on securely computing the ranks of sealed integers
distributed among parties. For example, we securely compute the
largest or smallest integer, the median, or in general the
-ranked integer. Such computations are a useful building
block to securely implement a variety of sealed-bid auctions. Our
objective is efficiency, specifically low interactivity between
parties to support blockchains or other scenarios where multiple
rounds are time-consuming. Hence, we dismiss powerful, yet
highly-interactive MPC frameworks and propose BOREALIS, a
special-purpose protocol for secure computation of ranks among
integers. BOREALIS uses additively homomorphic encryption to implement
core comparisons, but computes under distinct keys, chosen by each
party to optimize the number of rounds. By carefully combining
cryptographic primitives, such as ECC Elgamal encryption, encrypted
comparisons, ciphertext blinding, secret sharing, and shuffling,
BOREALIS sets up systems of multi-scalar equations which we efficiently
prove with Groth-Sahai ZK proofs. Therewith, BOREALIS implements a
multi-party computation of pairwise comparisons and rank
zero-knowledge proofs secure against malicious adversaries. BOREALIS
completes in at most rounds which is constant in both bit length
of integers and the number of parties . This is not only
asymptotically optimal, but surpasses generic constant-round secure
multi-party computation protocols, even those based on shared-key
fully homomorphic encryption. Furthermore, our implementation shows
that BOREALIS is very practical. Its main bottleneck, ZK proof
computations, is small in practice. Even for a large number of
parties () and high-precision integers (),
computation time of all proofs is less than a single Bitcoin block
interval.
Composable Security in the Tamper Proof Hardware Model under Minimal Complexity
We put forth a new formulation of tamper-proof hardware in the Global Universal Composable (GUC) framework introduced by Canetti
et al. in TCC 2007. Almost all of the previous works rely on the formulation by Katz in Eurocrypt 2007 and this formulation does not fully capture tokens in a concurrent setting. We address these shortcomings by relying on the GUC framework where we make the following
contributions:
(1) We construct secure Two-Party Computation (2PC) protocols for general functionalities with optimal round complexity and
computational assumptions using stateless tokens. More precisely, we show how to realize arbitrary functionalities with GUC
security in two rounds under the minimal assumption of One-Way Functions (OWFs). Moreover, our construction relies on the
underlying function in a black-box way. As a corollary, we obtain feasibility of Multi-Party Computation (MPC) with GUC-security
under the minimal assumption of OWFs.
As an independent contribution, we identify an issue with a claim in a previous work by Goyal, Ishai, Sahai, Venkatesan and Wadia
in TCC 2010 regarding the feasibility of UC-secure computation with stateless tokens assuming collision-resistant hash-functions
(and the extension based only on one-way functions).
(2) We then construct a 3-round MPC protocol to securely realize arbitrary functionalities with GUC-security starting from any
semi-honest secure MPC protocol. For this construction, we require the so-called one-many commit-and-prove primitive introduced in
the original work of Canetti, Lindell, Ostrovsky and Sahai in STOC 2002 that is round-efficient and black-box in the underlying
commitment.
Using specially designed "input-delayed" protocols we realize this primitive (with a 3-round protocol in our framework) using
stateless tokens and one-way functions (where the underlying one-way function is used in a black-box way).
Broadcast-Optimal Two-Round MPC
An intensive effort by the cryptographic community to minimize the round complexity of secure multi-party computation (MPC) has recently led to optimal two-round protocols from minimal assumptions. Most of the proposed solutions, however, make use of a broadcast channel in every round, and it is unclear if the broadcast channel can be replaced by standard point-to-point communication in a round-preserving manner, and if so, at what cost on the resulting security.
In this work, we provide a complete characterization of the trade-off between the number of broadcast rounds and the achievable security level for two-round MPC tolerating arbitrarily many active corruptions. Specifically, we consider all possible combinations of broadcast and point-to-point rounds against the three standard levels of security for maliciously secure MPC protocols, namely, security with identifiable, unanimous, and selective abort. For each of these notions and each combination of broadcast and point-to-point rounds, we provide either a tight feasibility or an infeasibility result for two-round MPC. Our feasibility results hold assuming two-round OT in the CRS model, whereas our impossibility results hold given any correlated randomness.
Round-Efficient Byzantine Agreement and Multi-Party Computation with Asynchronous Fallback
Protocols for Byzantine agreement (BA) and secure multi-party computation (MPC) can be classified according to the underlying communication model. The two most commonly considered models are the synchronous one and the asynchronous one. Synchronous protocols typically lose their security guarantees as soon as the network violates the synchrony assumptions. Asynchronous protocols remain secure regardless of the network conditions, but achieve weaker security guarantees even when the network is synchronous.
Recent works by Blum, Katz and Loss [TCC'19], and Blum, Liu-Zhang and Loss [CRYPTO'20] introduced BA and MPC protocols achieving security guarantees in both settings: security up to corruptions in a synchronous network, and up to corruptions in an asynchronous network, under the provably optimal threshold trade-offs and . However, current solutions incur a high synchronous round complexity when compared to state-of-the-art purely synchronous protocols. When the network is synchronous, the round complexity of BA protocols is linear in the number of parties, and the round complexity of MPC protocols also depends linearly on the depth of the circuit to evaluate.
In this work, we provide round-efficient constructions for both primitives with optimal resilience: fixed-round and expected constant-round BA protocols, and an MPC protocol whose round complexity is independent of the circuit depth.