A Protocol for Generating Random Elements with their Probabilities

We give an AM protocol that allows the verifier to sample elements x from a probability distribution P, which is held by the prover. If the prover is honest, the verifier outputs (x, P(x)) with probability close to P(x). In case the prover is dishonest, one may hope for the following guarantee: if the verifier outputs (x, p), then the probability that the verifier outputs x is close to p. Simple examples show that this cannot be achieved. Instead, we show that the following weaker condition holds (in a well defined sense) on average: If (x, p) is output, then p is an upper bound on the probability that x is output. Our protocol yields a new transformation to turn interactive proofs where the verifier uses private random coins into proofs with public coins. The verifier has better running time compared to the well-known Goldwasser-Sipser transformation (STOC, 1986). For constant-round protocols, we only lose an arbitrarily small constant in soundness and completeness, while our public-coin verifier calls the private-coin verifier only once

Periodic harmonic functions on lattices and points count in positive characteristic

This survey addresses pluri-periodic harmonic functions on lattices with values in a positive characteristic field. We mention, as a motivation, the game "Lights Out" following the work of Sutner, Goldwasser-Klostermeyer-Ware, Barua-Ramakrishnan-Sarkar, Hunzikel-Machiavello-Park e.a.; see also 2 previous author's preprints for a more detailed account. Our approach explores harmonic analysis and algebraic geometry over a positive characteristic field. The Fourier transform allows us to interpret pluri-periods of harmonic functions on lattices as torsion multi-orders of points on the corresponding affine algebraic variety.Comment: These are notes on 13p. based on a talk presented during the meeting "Analysis on Graphs and Fractals", the Cardiff University, 29 May-2 June 2007 (a sattelite meeting of the programme "Analysis on Graphs and its Applications" at the Isaac Newton Institute from 8 January to 29 June 2007

An Improved Interactive Streaming Algorithm for the Distinct Elements Problem

The exact computation of the number of distinct elements (frequency moment $F_0$) is a fundamental problem in the study of data streaming algorithms. We denote the length of the stream by $n$ where each symbol is drawn from a universe of size $m$. While it is well known that the moments $F_0,F_1,F_2$ can be approximated by efficient streaming algorithms, it is easy to see that exact computation of $F_0,F_2$ requires space $\Omega(m)$. In previous work, Cormode et al. therefore considered a model where the data stream is also processed by a powerful helper, who provides an interactive proof of the result. They gave such protocols with a polylogarithmic number of rounds of communication between helper and verifier for all functions in NC. This number of rounds $\left(O(\log^2 m) \;\text{in the case of} \;F_0 \right)$ can quickly make such protocols impractical. Cormode et al. also gave a protocol with $\log m +1$ rounds for the exact computation of $F_0$ where the space complexity is $O\left(\log m \log n+\log^2 m\right)$ but the total communication $O\left(\sqrt{n}\log m\left(\log n+ \log m \right)\right)$. They managed to give $\log m$ round protocols with $\operatorname{polylog}(m,n)$ complexity for many other interesting problems including $F_2$, Inner product, and Range-sum, but computing $F_0$ exactly with polylogarithmic space and communication and $O(\log m)$ rounds remained open. In this work, we give a streaming interactive protocol with $\log m$ rounds for exact computation of $F_0$ using $O\left(\log m \left(\,\log n + \log m \log\log m\,\right)\right)$ bits of space and the communication is $O\left( \log m \left(\,\log n +\log^3 m (\log\log m)^2 \,\right)\right)$. The update time of the verifier per symbol received is $O(\log^2 m)$.Comment: Submitted to ICALP 201

Securing computation against continuous leakage

30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. ProceedingsWe present a general method to compile any cryptographic algorithm into one which resists side channel attacks of the only computation leaks information variety for an unbounded number of executions. Our method uses as a building block a semantically secure subsidiary bit encryption scheme with the following additional operations: key refreshing, oblivious generation of cipher texts, leakage resilience re-generation, and blinded homomorphic evaluation of one single complete gate (e.g. NAND). Furthermore, the security properties of the subsidiary encryption scheme should withstand bounded leakage incurred while performing each of the above operations. We show how to implement such a subsidiary encryption scheme under the DDH intractability assumption and the existence of a simple secure hardware component. The hardware component is independent of the encryption scheme secret key. The subsidiary encryption scheme resists leakage attacks where the leakage is computable in polynomial time and of length bounded by a constant fraction of the security parameter.Israel Science Foundation (710267)United States-Israel Binational Science Foundation (710613)National Science Foundation (U.S.) (6914349)Weizmann KAMAR Gran

Almost Perfect Privacy for Additive Gaussian Privacy Filters

We study the maximal mutual information about a random variable $Y$ (representing non-private information) displayed through an additive Gaussian channel when guaranteeing that only $\epsilon$ bits of information is leaked about a random variable $X$ (representing private information) that is correlated with $Y$. Denoting this quantity by $g_\epsilon(X,Y)$, we show that for perfect privacy, i.e., $\epsilon=0$, one has $g_0(X,Y)=0$ for any pair of absolutely continuous random variables $(X,Y)$ and then derive a second-order approximation for $g_\epsilon(X,Y)$ for small $\epsilon$. This approximation is shown to be related to the strong data processing inequality for mutual information under suitable conditions on the joint distribution $P_{XY}$. Next, motivated by an operational interpretation of data privacy, we formulate the privacy-utility tradeoff in the same setup using estimation-theoretic quantities and obtain explicit bounds for this tradeoff when $\epsilon$ is sufficiently small using the approximation formula derived for $g_\epsilon(X,Y)$.Comment: 20 pages. To appear in Springer-Verla

Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: Quadratic residuosity strikes back)

30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. ProceedingsThe main results of this work are new public-key encryption schemes that, under the quadratic residuosity (QR) assumption (or Paillier’s decisional composite residuosity (DCR) assumption), achieve key-dependent message security as well as high resilience to secret key leakage and high resilience to the presence of auxiliary input information. In particular, under what we call the subgroup indistinguishability assumption, of which the QR and DCR are special cases, we can construct a scheme that has: • Key-dependent message (circular) security. Achieves security even when encrypting affine functions of its own secret key (in fact, w.r.t. affine “key-cycles” of predefined length). Our scheme also meets the requirements for extending key-dependent message security to broader classes of functions beyond affine functions using previous techniques of Brakerski et al. or Barak et al. • Leakage resiliency. Remains secure even if any adversarial low-entropy (efficiently computable) function of the secret key is given to the adversary. A proper selection of parameters allows for a “leakage rate” of (1 − o(1)) of the length of the secret key. • Auxiliary-input security. Remains secure even if any sufficiently hard to invert (efficiently computable) function of the secret key is given to the adversary. Our scheme is the first to achieve key-dependent security and auxiliary-input security based on the DCR and QR assumptions. Previous schemes that achieved these properties relied either on the DDH or LWE assumptions. The proposed scheme is also the first to achieve leakage resiliency for leakage rate (1 − o(1)) of the secret key length, under the QR assumption. We note that leakage resilient schemes under the DCR and the QR assumptions, for the restricted case of composite modulus product of safe primes, were implied by the work of Naor and Segev, using hash proof systems. However, under the QR assumption, known constructions of hash proof systems only yield a leakage rate of o(1) of the secret key length.Microsoft Researc

Algorithmic Tamper-Proof (ATP) Security: Theoretical Foundations for Security against Hardware Tampering

Abstract. Traditionally, secure cryptographic algorithms provide security against an adversary who has only black-box access to the secret information of honest parties. However, such models are not always adequate. In particular, the security of these algorithms may completely break under (feasible) attacks that tamper with the secret key. In this paper we propose a theoretical framework to investigate the algorithmic aspects related to tamper-proof security. In particular, we define a model of security against an adversary who is allowed to apply arbitrary feasible functions f to the secret key sk, and obtain the result of the cryptographic algorithms using the new secret key f(sk). We prove that in the most general setting it is impossible to achieve this strong notion of security. We then show minimal additions to the model, which are needed in order to obtain provable security. We prove that these additions are necessary and also sufficient for most common cryptographic primitives, such as encryption and signature schemes. We discuss the applications to portable devices protected by PINs and show how to integrate PIN security into the generic security design. Finally we investigate restrictions of the model in which the tampering powers of the adversary are limited. These restrictions model realistic attacks (like differential fault analysis) that have been demonstrated in practice. In these settings we show security solutions that work even without the additions mentioned above

Zero-Knowledge Protocols for Search Problems

We consider natural ways to extend the notion of Zero-Knowledge (ZK) Proofs beyond decision problems. Specifically, we consider search problems, and define zero-knowledge proofs in this context as interactive protocols in which the prover can establish the correctness of a solution to a given instance without the verifier learning anything beyond the intended solution, even if it deviates from the protocol. The goal of this work is to initiate a study of Search Zero-Knowledge (search-ZK), the class of search problems for which such systems exist. This class trivially contains search problems where the validity of a solution can be efficiently verified (using a single message proof containing only the solution). A slightly less obvious, but still straightforward, way to obtain zero-knowledge proofs for search problems is to let the prover send a solution and prove in zero-knowledge that the instance-solution pair is valid. However, there may be other ways to obtain such zero-knowledge proofs, and they may be more advantageous. In fact, we prove that there are search problems for which the aforementioned approach fails, but still search zero-knowledge protocols exist. On the other hand, we show sufficient conditions for search problems under which some form of zero-knowledge can be obtained using the straightforward way