Trade-Offs in Distributed Interactive Proofs

The study of interactive proofs in the context of distributed network computing is a novel topic, recently introduced by Kol, Oshman, and Saxena [PODC 2018]. In the spirit of sequential interactive proofs theory, we study the power of distributed interactive proofs. This is achieved via a series of results establishing trade-offs between various parameters impacting the power of interactive proofs, including the number of interactions, the certificate size, the communication complexity, and the form of randomness used. Our results also connect distributed interactive proofs with the established field of distributed verification. In general, our results contribute to providing structure to the landscape of distributed interactive proofs

RiffleScrambler - a memory-hard password storing function

We introduce RiffleScrambler: a new family of directed acyclic graphs and a corresponding data-independent memory hard function with password independent memory access. We prove its memory hardness in the random oracle model. RiffleScrambler is similar to Catena -- updates of hashes are determined by a graph (bit-reversal or double-butterfly graph in Catena). The advantage of the RiffleScrambler over Catena is that the underlying graphs are not predefined but are generated per salt, as in Balloon Hashing. Such an approach leads to higher immunity against practical parallel attacks. RiffleScrambler offers better efficiency than Balloon Hashing since the in-degree of the underlying graph is equal to 3 (and is much smaller than in Ballon Hashing). At the same time, because the underlying graph is an instance of a Superconcentrator, our construction achieves the same time-memory trade-offs.Comment: Accepted to ESORICS 201

Self-testing of binary observables based on commutation

We consider the problem of certifying binary observables based on a Bell inequality violation alone, a task known as self-testing of measurements. We introduce a family of commutation-based measures, which encode all the distinct arrangements of two projective observables on a qubit. These quantities by construction take into account the usual limitations of self-testing and since they are "weighted" by the (reduced) state, they automatically deal with rank-deficient reduced density matrices. We show that these measures can be estimated from the observed Bell violation in several scenarios and the proofs rely only on standard linear algebra. The trade-offs turn out to be tight and, in particular, they give non-trivial statements for arbitrarily small violations. On the other extreme, observing the maximal violation allows us to deduce precisely the form of the observables, which immediately leads to a complete rigidity statement. In particular, we show that for all $n \geq 3$ the $n$-partite Mermin-Ardehali-Belinskii-Klyshko inequality self-tests the $n$-partite Greenberger-Horne-Zeilinger state and maximally incompatible qubit measurements on every party. Our results imply that any pair of projective observables on a qubit can be certified in a truly robust manner. Finally, we show that commutation-based measures give a convenient way of expressing relations among more than two observables.Comment: 5 + 4 pages. v2: published version; v3: formatting errors fixe

High-Performance Distributed ML at Scale through Parameter Server Consistency Models

As Machine Learning (ML) applications increase in data size and model complexity, practitioners turn to distributed clusters to satisfy the increased computational and memory demands. Unfortunately, effective use of clusters for ML requires considerable expertise in writing distributed code, while highly-abstracted frameworks like Hadoop have not, in practice, approached the performance seen in specialized ML implementations. The recent Parameter Server (PS) paradigm is a middle ground between these extremes, allowing easy conversion of single-machine parallel ML applications into distributed ones, while maintaining high throughput through relaxed "consistency models" that allow inconsistent parameter reads. However, due to insufficient theoretical study, it is not clear which of these consistency models can really ensure correct ML algorithm output; at the same time, there remain many theoretically-motivated but undiscovered opportunities to maximize computational throughput. Motivated by this challenge, we study both the theoretical guarantees and empirical behavior of iterative-convergent ML algorithms in existing PS consistency models. We then use the gleaned insights to improve a consistency model using an "eager" PS communication mechanism, and implement it as a new PS system that enables ML algorithms to reach their solution more quickly.Comment: 19 pages, 2 figure

Constructing TI-Friendly Substitution Boxes Using Shift-Invariant Permutations

The threat posed by side channels requires ciphers that can be efficiently protected in both software and hardware against such attacks. In this paper, we proposed a novel Sbox construction based on iterations of shift-invariant quadratic permutations and linear diffusions. Owing to the selected quadratic permutations, all of our Sboxes enable uniform 3-share threshold implementations, which provide first order SCA protections without any fresh randomness. More importantly, because of the shift-invariant property, there are ample implementation trade-offs available, in software as well as hardware. We provide implementation results (software and hardware) for a four-bit and an eight-bit Sbox, which confirm that our constructions are competitive and can be easily adapted to various platforms as claimed. We have successfully verified their resistance to first order attacks based on real acquisitions. Because there are very few studies focusing on software-based threshold implementations, our software implementations might be of independent interest in this regard

Higher-Order Threshold Implementation of the AES S-Box

In this paper we present a threshold implementation of the Advanced Encryption Standard’s S-box which is secure against first- and second-order power analysis attacks. This security guarantee holds even in the presence of glitches, and includes resistance against bivariate attacks. The design requires an area of 7849 Gate Equivalents and 126 bits of randomness per S-box execution. The implementation is tested on an FPGA platform and its security claim is supported by practical leakage detection tests