353 research outputs found

    Spooky Encryption and its Applications

    Consider a setting where inputs $x_1,\ldots,x_n$ are encrypted under independent public keys. Given the ciphertexts $\{c_i = Enc(pk_i,x_i)\}_i$, Alice outputs ciphertexts $c'_1,\ldots,c'_n$ that decrypt to $y_1,\ldots,y_n$ respectively. What relationships between the $x_i$'s and $y_i$'s can Alice induce? Motivated by applications to delegating computations, Dwork, Langberg, Naor, Nissim and Reingold (unpublished manuscript, 2004) showed that a semantically secure scheme disallows signaling in this setting, meaning that $y_i$ cannot depend on $x_j$ for $j \neq i$. On the other hand, if the scheme is homomorphic then any local (component-wise) relationship is achievable, meaning that each $y_i$ can be an arbitrary function of $x_i$. However, there are also relationships which are neither signaling nor local. Dwork et al. asked if it is possible to have encryption schemes that support such "spooky" relationships. Answering this question is the focus of our work. Our first result shows that, under the LWE assumption, there exist encryption schemes supporting a large class of "spooky" relationships, which we call additive function sharing (AFS) spooky. In particular, for any polynomial-time function $f$, Alice can ensure that $y_1,\ldots,y_n$ are random subject to $\sum_{i=1}^n y_i = f(x_1,\ldots,x_n)$. For this result, the public keys all depend on common public randomness. Our second result shows that, assuming sub-exponentially hard indistinguishability obfuscation (iO) (and additional more standard assumptions), we can remove the common randomness and choose the public keys completely independently. Furthermore, in the case of $n=2$ inputs, we get a scheme that supports an even larger class of spooky relationships. We discuss several implications of AFS-spooky encryption. Firstly, it gives a strong counter-example to a method proposed by Aiello et al. (ICALP, 2000) for building arguments for NP from homomorphic encryption. Secondly, it gives a simple 2-round multi-party computation protocol where, at the end of the first round, the parties can locally compute an additive secret sharing of the output. Lastly, it immediately yields a function secret sharing (FSS) scheme for all functions. We also define a notion of spooky-free encryption, which ensures that no spooky relationship is achievable. We show that any non-malleable encryption scheme is spooky-free. Furthermore, we can construct spooky-free homomorphic encryption schemes from SNARKs, and it remains an open problem whether it is possible to do so from falsifiable assumptions.

    Feeding the World with Die Rolls: Potential Applications of Quantum Computing

    Separating Two-Round Secure Computation From Oblivious Transfer

    We consider the question of minimizing the round complexity of protocols for secure multiparty computation (MPC) with security against an arbitrary number of semi-honest parties. Very recently, Garg and Srinivasan (Eurocrypt 2018) and Benhamouda and Lin (Eurocrypt 2018) constructed such 2-round MPC protocols from minimal assumptions. This was done by showing a round-preserving reduction to the task of secure 2-party computation of the oblivious transfer functionality (OT). These constructions made a novel non-black-box use of the underlying OT protocol. The question remained whether this can be done by only making black-box use of 2-round OT. This is of theoretical and potentially also practical value, as black-box use of primitives tends to lead to more efficient constructions. Our main result proves that such a black-box construction is impossible, namely that non-black-box use of OT is necessary. As a corollary, a similar separation holds when starting with any 2-party functionality other than OT. As a secondary contribution, we prove several additional results that further clarify the landscape of black-box MPC with minimal interaction. In particular, we complement the separation from 2-party functionalities by presenting a complete 4-party functionality, give evidence for the difficulty of ruling out a complete 3-party functionality and for the difficulty of ruling out black-box constructions of 3-round MPC from 2-round OT, and separate a relaxed "non-compact" variant of 2-party homomorphic secret sharing from 2-round OT.

    Scooby: Improved Multi-Party Homomorphic Secret Sharing Based on FHE

    We present new constructions of multi-party homomorphic secret sharing (HSS) based on a new primitive that we call homomorphic encryption with decryption to shares (HEDS). Our first construction, which we call Scooby, is based on many popular fully homomorphic encryption (FHE) schemes with a linear decryption property. Scooby achieves an $n$-party HSS for general circuits with complexity $O(|F| + \log n)$, as opposed to $O(n^2 \cdot |F|)$ for the prior best construction based on multi-key FHE. Scooby can be based on (ring)-LWE with a super-polynomial modulus-to-noise ratio. In our second construction, Scrappy, assuming any generic FHE plus HSS for NC1-circuits, we obtain a HEDS scheme which does not require a super-polynomial modulus. While these schemes all require FHE, in another instantiation, Shaggy, we show how in some cases it is possible to obtain multi-party HSS without FHE, for a small number of parties and constant-degree polynomials. Finally, we show that our Scooby scheme can be adapted to use multi-key fully homomorphic encryption, giving more efficient spooky encryption and setup-free HSS. This latter scheme, Casper, if concretely instantiated with a B/FV-style multi-key FHE scheme, for functions $F$ which do not require bootstrapping, gives an HSS complexity of $O(n \cdot |F| + n^2 \cdot \log n)$.

    Making Public Key Functional Encryption Function Private, Distributively

    We put forth a new notion of distributed public key functional encryption. In such a functional encryption scheme, the secret key for a function $f$ is split into shares $sk_i^f$. Given a ciphertext $ct$ that encrypts a message $x$ and a secret key share $sk_i^f$, one can evaluate and obtain a shared value $y_i$. Adding all the shares up recovers the actual value of $f(x)$, while partial shares reveal nothing about the plaintext. More importantly, this new model allows us to establish function privacy, which was not possible in the setting of regular public key functional encryption. We formalize this notion and construct such a scheme from any public key functional encryption scheme together with the learning with errors assumption. We then consider the problem of hosting services in the untrusted cloud. Boneh, Gupta, Mironov, and Sahai (Eurocrypt 2014) first studied such an application and gave a construction based on indistinguishability obfuscation. Their construction had the restriction that the number of corrupted clients has to be bounded and known. They left open the problem of how to remove this restriction. We resolve this problem by applying our function private (distributed) public key functional encryption to the setting of hosting services in multiple clouds. Furthermore, our construction provides a much simpler and more flexible paradigm which is of both conceptual and practical interest. Along the way, we strengthen and simplify the security notions of the underlying primitives, including function secret sharing.

    Quantum Computing for the Quantum Curious

    This open access book makes quantum computing more accessible than ever before. A fast-growing field at the intersection of physics and computer science, quantum computing promises to have revolutionary capabilities far surpassing “classical” computation. Getting a grip on the science behind the hype can be tough: at its heart lies quantum mechanics, whose enigmatic concepts can be imposing for the novice. This classroom-tested textbook uses simple language, minimal math, and plenty of examples to explain the three key principles behind quantum computers: superposition, quantum measurement, and entanglement. It then goes on to explain how this quantum world opens up a whole new paradigm of computing. The book bridges the gap between popular science articles and advanced textbooks by making key ideas accessible with just high school physics as a prerequisite. Each unit is broken down into sections labelled by difficulty level, allowing the course to be tailored to the student’s experience of math and abstract reasoning. Problem sets and simulation-based labs of various levels reinforce the concepts described in the text and give the reader hands-on experience running quantum programs. This book can thus be used at the high school level after the AP or IB exams, in an extracurricular club, or as an independent project resource to give students a taste of what quantum computing is really about. At the college level, it can be used as a supplementary text to enhance a variety of courses in science and computing, or as a self-study guide for students who want to get ahead. Additionally, readers in business, finance, or industry will find it a quick and useful primer on the science behind computing’s future.

    Post-Quantum Multi-Party Computation

    We initiate the study of multi-party computation for classical functionalities (in the plain model) with security against malicious polynomial-time quantum adversaries. We observe that existing techniques readily give a polynomial-round protocol, but our main result is a construction of constant-round post-quantum multi-party computation. We assume mildly super-polynomial quantum hardness of learning with errors (LWE), and polynomial quantum hardness of an LWE-based circular security assumption. Along the way, we develop the following cryptographic primitives that may be of independent interest:
    - A spooky encryption scheme for relations computable by quantum circuits, from the quantum hardness of an LWE-based circular security assumption. This yields the first quantum multi-key fully-homomorphic encryption scheme with classical keys.
    - Constant-round zero-knowledge secure against multiple parallel quantum verifiers from spooky encryption for relations computable by quantum circuits. To enable this, we develop a new straight-line non-black-box simulation technique against parallel verifiers that does not clone the adversary's state. This forms the heart of our technical contribution and may also be relevant to the classical setting.
    - A constant-round post-quantum non-malleable commitment scheme, from the mildly super-polynomial quantum hardness of LWE.