
    On Improving Communication Complexity in Cryptography

    Cryptography grew to be much more than "the study of secret writing". Modern cryptography is concerned with establishing properties such as privacy, integrity and authenticity in protocols for secure communication and computation. This comes at a price: cryptographic tools usually introduce an overhead, both in terms of communication complexity (that is, number and size of messages transmitted) and computational efficiency (that is, time and memory required). As in many settings communication between the parties involved is the bottleneck, this thesis is concerned with improving communication complexity in cryptographic protocols. One direction towards this goal is scalable cryptography: in many cryptographic schemes currently deployed, the security degrades linearly with the number of instances (e.g. encrypted messages) in the system. As this number can be huge in contexts like cloud computing, the parameters of the scheme have to be chosen considerably larger, and in particular depending on the expected number of instances in the system, to maintain security guarantees. We advance the state of the art regarding scalable cryptography by constructing schemes where the security guarantees are independent of the number of instances. This allows choosing smaller parameters, even when the expected number of instances is immense.
    - We construct the first scalable encryption scheme with security against active adversaries which has both compact public keys and ciphertexts. In particular, we significantly reduce the size of the public key to only about 3% of the key size of the previously most efficient scalable encryption scheme. (Gay, Hofheinz, and Kohl, CRYPTO, 2017)
    - We present a scalable structure-preserving signature scheme which improves on the previously best construction in terms of both public-key and signature size, to about 40% and 56% of the sizes, respectively. (Gay, Hofheinz, Kohl, and Pan, EUROCRYPT, 2018)
    Another important area of cryptography is secure multi-party computation, where the goal is to jointly evaluate some function while keeping each party's input private. In traditional approaches towards secure multi-party computation, either the communication complexity scales linearly in the size of the function, or the computational efficiency is poor. To overcome this issue, Boyle, Gilboa, and Ishai (CRYPTO, 2016) introduced the notion of homomorphic secret sharing. Here, inputs are shared between parties such that no party learns anything about the input, and such that the parties can locally evaluate functions on the shares. Homomorphic secret sharing implies secure computation where the communication complexity only depends on the size of the inputs, which is typically much smaller than the size of the function. A different approach towards efficient secure computation is to split the protocol into an input-independent preprocessing phase, where long correlated strings are generated, and a very efficient online phase. One example of a useful correlation is authenticated Beaver triples, which allow performing efficient multiplications in the online phase such that privacy of the inputs is preserved and parties deviating from the protocol can be detected. The currently most efficient protocols implementing the preprocessing phase require communication linear in the number of triples to be generated. This typically results in high communication costs, as the online phase requires at least one authenticated Beaver triple per multiplication. We advance the state of the art regarding efficient protocols for secure computation with low communication complexity as follows.
    - We construct the first homomorphic secret sharing scheme for computing arbitrary functions in NC^1 (that is, functions that are computable by circuits of logarithmic depth) which supports message spaces of arbitrary size, has only negligible correctness error, and does not require expensive multiplication on ciphertexts. (Boyle, Kohl, and Scholl, EUROCRYPT, 2019)
    - We introduce the notion of a pseudorandom correlation generator for general correlations. Pseudorandom correlation generators allow locally extending short correlated seeds into long pseudorandom correlated strings. We show that pseudorandom correlation generators can replace the preprocessing phase in many protocols, leading to a preprocessing phase with sublinear communication complexity. We show connections to homomorphic secret sharing schemes and give the first instantiation of pseudorandom correlation generators for authenticated Beaver triples at reasonable computational efficiency. (Boyle, Couteau, Gilboa, Ishai, Kohl, and Scholl, CRYPTO, 2019)

    Establishment of Q Fever Mouse Models for the Investigation of Host Factors with a Role in Resolution and Chronicity

    The obligate intracellular Gram-negative bacterium Coxiella burnetii replicates within phagocytes and is the causative agent of the zoonotic disease Q fever. Q fever occurs as acute self-limited respiratory infection that becomes chronic and develops into endocarditis in some patients. However, the molecular mechanisms that contribute to the development of chronic Q fever are poorly understood. In this work, we employed different mouse models and infection routes to study the course of the disease upon infection with the attenuated C. burnetii Nine Mile phase II strain (NMII). Since monocytes from patients suffering from chronic Q fever produce high amounts of the regulatory cytokine IL-10, macrophage deactivation by the IL-10-STAT3 pathway may cause inefficient control of NMII. In macIL-10tg mice that overexpress IL-10 in monocytes and macrophages, we observed significantly increased NMII loads in affected organs up to 42 days post intraperitoneal infection. In contrast, intratracheal NMII infections did not lead to a chronic phenotype in macIL-10tg mice. Further, we observed different effects of the two IL-10-induced genes, Dusp1 and Socs3, on the course of infection. Whereas a knockout of Dusp1 in mice did not have any impact on NMII control, a myeloid cell-specific deletion of Socs3 resulted in elevated NMII loads in lungs and spleens of mice after intratracheal infection. Besides IL-10-mediated macrophage deactivation, innate immune recognition of C. burnetii was hypothesized to be another checkpoint determining resolution versus chronicity of Q fever. In mice, recognition of C. burnetii by macrophages requires TLR2 and triggers production of pro- and anti-inflammatory cytokines. In humans, a single nucleotide polymorphism in the gene for the TLR adapter protein MyD88 is associated with the development of chronic Q fever. 
    By employing MyD88-deficient mice, we observed a significantly higher NMII bacterial burden on days 5 and 20 in affected organs following intraperitoneal infection. In addition, intratracheal infection of mice resulted in a higher bacterial load in the lung and increased dissemination of NMII to other organs in MyD88-deficient mice. While wild-type mice essentially cleared NMII on day 27 after intratracheal infection, it was still readily detectable on day 42 in multiple organs in the absence of MyD88. Despite the elevated bacterial load, Myd88-/- mice had less granulomatous inflammation and expressed significantly lower levels of chemoattractants, inflammatory cytokines, and the IFNg-induced genes Nos2, Gbp1, Ido1 and Acod1 that are relevant for control of intracellular pathogens. These IFNg-induced genes were validated in vitro using BMM generated from the corresponding knock-out mice. Lack of Acod1, encoding the enzyme IRG1 which converts citrate to itaconate, most significantly impaired bacterial control in macrophages in vitro. In vivo, C. burnetii-infected IRG1-deficient mice showed significantly increased weight loss, increased expression of pro-inflammatory genes in spleen and lungs, and higher bacterial burden in lung tissue. These findings underpin the importance of MyD88-induced expression of IRG1 for a protective host response to C. burnetii and its role for the resolution of Q fever. Together, the establishment of different mouse models for Q fever allowed us to identify several disease-regulating host factors, which will serve as a basis for future research to determine the exact molecular mechanisms driving either chronicity or resolution of Q fever.

    The obligate intracellular Gram-negative bacterium Coxiella burnetii replicates in phagocytes and is the causative agent of the zoonosis Q fever. Q fever occurs as an acute, self-limiting, sometimes chronic respiratory infection. In addition, some patients develop endocarditis. However, the molecular mechanisms that contribute to the development of chronic Q fever are insufficiently understood. In this work, we used different mouse models and infection routes to investigate the effects on the course of disease upon infection with the attenuated C. burnetii Nine Mile phase II strain (NMII). It is suspected that the deactivation of macrophages by the IL-10-STAT3 signaling pathway leads to inefficient control of NMII, since high amounts of the regulatory cytokine IL-10 were found in the blood of patients with chronic Q fever. In macIL-10tg mice, which overexpress IL-10 in monocytes and macrophages, we observed a significantly increased NMII load in affected organs up to day 42 after intraperitoneal infection. In contrast, intratracheal NMII infections did not lead to a chronic phenotype in the majority of macIL-10tg mice. Furthermore, we observed different effects of the two IL-10 target genes Dusp1 and Socs3 on the course of infection. Whereas knocking out Dusp1 in mice had no influence on NMII control, a myeloid cell-specific deletion of Socs3 led to increased NMII loads in lung and spleen up to 14 days after intratracheal infection. Besides IL-10-mediated macrophage deactivation, innate immune recognition of C. burnetii also contributes to the decision between termination of the infection and chronicity. Thus, recognition of C. burnetii by macrophages requires TLR2 and triggers the production of pro- and anti-inflammatory cytokines. A single nucleotide polymorphism in the gene for the TLR adapter protein MyD88 is associated with the development of chronic Q fever in humans. In MyD88-deficient mice, a significantly higher NMII bacterial load was measured in affected organs 5 and 20 days after intraperitoneal infection.
    In contrast, intratracheal infection of mice with MyD88 deficiency led to a higher bacterial load in the lung and to increased dissemination of NMII to other organs. Whereas wild-type mice essentially eliminated NMII on day 27 after intratracheal infection, the bacteria were still detectable on day 42 in multiple organs in the absence of MyD88. Despite the increased bacterial load, Myd88-/- mice showed less granulomatous inflammation and expressed significantly lower levels of chemoattractants, inflammatory mediators and the IFNg-induced genes Nos2, Gbp, Ido1 and Acod1, which are relevant for the control of intracellular pathogens. These IFNg-induced genes were validated in vitro with bone marrow-derived macrophages generated from the corresponding knock-out mice. The lack of Acod1, which encodes the enzyme IRG1, which in turn converts citrate to itaconate, impaired the control of bacterial infection in macrophages in vitro most strongly. In vivo, C. burnetii-infected IRG1-deficient mice showed significantly increased weight loss, increased expression of pro-inflammatory genes in spleen and lung, and a higher bacterial load in lung tissue. These findings highlight the importance of MyD88-induced expression of IRG1 for a protective host response against C. burnetii and for the resolution of Q fever. In summary, the establishment of different mouse models for Q fever enabled us to identify several disease-promoting host factors, which will serve as a basis for future research to determine the exact molecular mechanisms that contribute either to chronification or to resolution of Q fever.

    New Tools for Multi-Party Computation

    In this work we extend the electronic voting scheme introduced by R. Cramer, R. Gennaro and B. Schoenmakers in [CGS97]. In the original paper the privacy of votes is based on the decisional Diffie-Hellman or, respectively, the higher residuosity assumption. Since both problems can be solved efficiently by quantum computers, a desirable goal is to implement the voting scheme with privacy based on different assumptions. We present the framework and a concrete instantiation for an efficient solution with privacy based on learning with errors over rings. Additionally, we show how to achieve privacy assuming hardness of worst-case lattice problems, which are well analyzed and conjectured to be secure against quantum computers.

    On Homomorphic Secret Sharing from Polynomial-Modulus LWE

    Homomorphic secret sharing (HSS) is a form of secret sharing that supports the local evaluation of functions on the shares, with applications to multi-server private information retrieval, secure computation, and more. Insisting on additive reconstruction, all known instantiations of HSS from Learning with Errors (LWE)-type assumptions either have to rely on LWE with superpolynomial modulus, come with non-negligible error probability, and/or have to perform expensive ciphertext multiplications, resulting in bad concrete efficiency. In this work, we present a new 2-party local share conversion procedure, which allows the parties to locally convert noise-encoded shares into noise-free plaintext shares such that they can detect whenever a (potential) error occurs and in that case resort to an alternative conversion procedure. Building on this technique, we present the first HSS for branching programs from (Ring-)LWE with polynomial input share size which can make use of the efficient multiplication procedure of Boyle et al. (Eurocrypt 2019) and has no correctness error. Our construction comes at the cost of a (in expectation) slightly increased output share size, which is insignificant compared to the input share size, and a more involved reconstruction procedure. More concretely, we show that in the setting of 2-server private counting queries we can choose ciphertext sizes of only a quarter of the size of the scheme of Boyle et al. at essentially no extra cost.

    Homomorphic Secret Sharing from Lattices Without FHE

    Homomorphic secret sharing (HSS) is an analog of somewhat- or fully homomorphic encryption (S/FHE) in the setting of secret sharing, with applications including succinct secure computation, private manipulation of remote databases, and more. While HSS can be viewed as a relaxation of S/FHE, the only constructions from lattice-based assumptions to date build atop specific forms of threshold or multi-key S/FHE. In this work, we present new techniques directly yielding efficient 2-party HSS for polynomial-size branching programs from a range of lattice-based encryption schemes, without S/FHE. More concretely, we avoid the costly key-switching and modulus-reduction steps used in S/FHE ciphertext multiplication, replacing them with a new distributed decryption procedure for performing restricted multiplications of an input with a partial computation value. Doing so requires new methods for handling the "blowup of noise" in ciphertexts in a distributed setting, and leverages several properties of lattice-based encryption schemes together with new tricks in share conversion. The resulting schemes support a superpolynomial-size plaintext space and negligible correctness error, with share sizes comparable to SHE ciphertexts, but with homomorphic multiplication roughly one order of magnitude faster. Over certain rings, our HSS can further support some level of packed SIMD homomorphic operations. We demonstrate the practical efficiency of our schemes within two application settings, where we compare favorably with current best approaches: 2-server private database pattern-match queries, and secure 2-party computation of low-degree polynomials.

    Towards Topology-Hiding Computation from Oblivious Transfer

    Topology-Hiding Computation (THC) enables parties to securely compute a function on an incomplete network without revealing the network topology. It is known that secure computation on a complete network can be based on oblivious transfer (OT), even if a majority of the participating parties are corrupt. In contrast, THC in the dishonest-majority setting is only known from assumptions that imply (additively) homomorphic encryption, such as Quadratic Residuosity, Decisional Diffie-Hellman, or Learning With Errors. In this work, we move towards closing the gap between MPC and THC by presenting a protocol for THC on general graphs, secure against all-but-one semi-honest corruptions, from constant-round constant-overhead secure two-party computation. Our protocol is therefore the first to achieve THC on arbitrary networks without relying on assumptions with rich algebraic structure. As a technical tool, we introduce the notion of locally simulatable MPC, which we believe to be of independent interest.

    Direct FSS Constructions for Branching Programs and More from PRGs with Encoded-Output Homomorphism

    Function secret sharing (FSS) for a class F allows splitting a secret function f ∈ F into (succinct) secret shares f_0, f_1, such that for all x ∈ {0,1}^n it holds that f_0(x) − f_1(x) = f(x). FSS has numerous applications, including private database queries, nearest neighbour search, private heavy hitters and secure computation in the preprocessing model, where the supported class F translates to richness in the application. Unfortunately, concretely efficient FSS constructions are only known for very limited function classes. In this work we introduce the notion of pseudorandom generators with encoded-output homomorphism (EOH-PRGs), and give direct FSS constructions for bit-fixing predicates, branching programs and more based on this primitive. Further, we give constructions of FSS for deterministic finite automata (DFAs) from a KDM-secure variant of EOH-PRGs.
    - New abstractions. Following the work of Alamati et al. (EUROCRYPT '19), who classify minicrypt primitives with algebraic structure and their applications, we capture the essence of our FSS constructions in the notion of EOH-PRG, paving the road towards future efficiency improvements via new instantiations of this primitive. The abstraction of EOH-PRG and its instantiations may be of independent interest, as it is an approximate substitute for an ideal homomorphic PRG.
    - Better efficiency. We show that EOH-PRGs can be instantiated from LWE and a small-exponent variant of the DCR assumption. A theoretical analysis of our instantiations suggests efficiency improvements over the state of the art both in terms of key size and evaluation time: we show that our FSS instantiations lead to smaller key sizes, improving over previous constructions by a factor of 3.5 and more. While for bit-fixing predicates our FSS constructions show comparable or mildly improved run time (depending on the instantiation), we achieve considerable improvements for branching programs by avoiding the expensive generic transformation via universal circuits, shaving off a factor of w and more in the number of abstract operations, where w corresponds to an upper bound on the width of the underlying class of branching programs.
    - New constructions. We show that our instantiations of EOH-PRGs additionally support a form of KDM security, without requiring an additional circular-security assumption. Based on this, we give the first FSS construction for DFAs which supports the evaluation of inputs of a priori unbounded length without relying on FHE.
    - Applications. We outline applications of our FSS constructions including pattern matching with wild cards, image matching, nearest neighbor search and regular expression matching.
