6 research outputs found

    YOLO YOSO: Fast and Simple Encryption and Secret Sharing in the YOSO Model

    Achieving adaptive (or proactive) security in cryptographic protocols is notoriously difficult due to the adversary's power to dynamically corrupt parties as the execution progresses. Inspired by the work of Benhamouda et al. in TCC 2020, Gentry et al. in CRYPTO 2021 introduced the YOSO (You Only Speak Once) model for constructing adaptively (or proactively) secure protocols in massively distributed settings (e.g. blockchains). In this model, instead of having all parties execute an entire protocol, smaller anonymous committees are randomly chosen to execute each individual round of the protocol. After playing their role, parties encrypt protocol messages towards the next anonymous committee and erase their internal state before publishing their ciphertexts. However, a big challenge remains in realizing YOSO protocols: efficiently encrypting messages towards anonymous parties selected at random without learning their identities, while proving the encrypted messages are valid with respect to the protocol. In particular, the protocols of Benhamouda et al. and of Gentry et al. require showing that ciphertexts contain valid shares of secret states. We propose concretely efficient methods for encrypting a protocol's secret state towards a random anonymous committee. We start by proposing a very simple and efficient scheme for encrypting messages towards randomly and anonymously selected parties. We then show constructions of publicly verifiable secret (re-)sharing (PVSS) schemes with concretely efficient proofs of (re-)share validity that can be generically instantiated from encryption schemes with certain linear homomorphic properties. Finally, we show that our PVSS schemes can be efficiently realized from our encryption scheme.

    Perfect MPC over Layered Graphs

    The classical BGW protocol (Ben-Or, Goldwasser and Wigderson, STOC 1988) shows that secure multiparty computation (MPC) among n parties can be realized with perfect full security if t < n/3 parties are corrupted. This holds against malicious adversaries in the standard model for MPC, where a fixed set of n parties is involved in the full execution of the protocol. However, the picture is less clear in the mobile adversary setting of Ostrovsky and Yung (PODC 1991), where the adversary may periodically move by uncorrupting parties and corrupting a new set of t parties. In this setting, it is unclear if full security can be achieved against an adversary that is maximally mobile, i.e., moves after every round. The question is further motivated by the You Only Speak Once (YOSO) setting of Gentry et al. (Crypto 2021), where not only is the adversary mobile but also each round is executed by a disjoint set of parties. Previous positive results in this model do not achieve perfect security, and either assume probabilistic corruption and a nonstandard communication model, or only realize the weaker goal of security-with-abort. The question of matching the BGW result in these settings remained open. In this work, we tackle the above two challenges simultaneously. We consider a layered MPC model, a simplified variant of the fluid MPC model of Choudhuri et al. (Crypto 2021). Layered MPC is an instance of standard MPC where the interaction pattern is defined by a layered graph of width n, allowing each party to send secret messages and broadcast messages only to parties in the next layer. We require perfect security against a malicious adversary who may corrupt at most t parties in each layer. Our main result is a perfect, fully secure layered MPC protocol with an optimal corruption threshold of t < n/3, thus extending the BGW feasibility result to the layered setting. This implies perfectly secure MPC protocols against a maximally mobile adversary.

    Encryption to the Future: A Paradigm for Sending Secret Messages to Future (Anonymous) Committees

    A number of recent works have constructed cryptographic protocols with flavors of adaptive security by having a randomly-chosen anonymous committee run at each round. Since most of these protocols are stateful, transferring secret states from past committees to future, but still unknown, committees is a crucial challenge. Previous works have tackled this problem with approaches tailor-made for their specific setting, which mostly rely on using a blockchain to orchestrate auxiliary committees that aid in the state hand-over process. In this work, we look at this challenge as an important problem on its own and initiate the study of Encryption to the Future (EtF) as a cryptographic primitive. First, we define a notion of an EtF scheme where time is determined with respect to an underlying blockchain and a lottery selects parties to receive a secret message at some point in the future. While this notion seems overly restrictive, we establish two important facts: 1. if used to encrypt towards parties selected in the "far future", EtF implies witness encryption for NP over a blockchain; 2. if used to encrypt only towards parties selected in the "near future", EtF is not only sufficient for transferring state among committees as required by previous works, but also captures previous tailor-made solutions. To corroborate these results, we provide a novel construction of EtF based on witness encryption over commitments (cWE), which we instantiate from a number of standard assumptions via a construction based on generic cryptographic primitives. Finally, we show how to use "near future" EtF to obtain "far future" EtF with a protocol based on an auxiliary committee whose communication complexity is independent of the length of plaintext messages being sent to the future.

    On Large-Scale Multiparty Computation with sub-linear Communication using Ephemeral Servers

    Secure Multiparty Computation (MPC) is a technology that enables a set of mutually distrustful parties to securely compute a function on their inputs, without leaking any information about these inputs beyond what is inferred from the output of the function. MPC is a useful tool in settings where it is unacceptable to rely on a trusted third party to compute the function on behalf of the parties. This includes settings where data privacy is desirable (e.g. private auctions) but also places where law and regulation (e.g. GDPR, CCPA, LGPD) would otherwise prevent such data from being subject to computation. The study of MPC protocols dates back to the seminal work of Andrew Yao (FOCS, 1986) and has garnered significant attention from cryptography researchers exploring new techniques, added efficiency, and inherent limitations of MPC protocols. The emergence of large-scale permissionless networks such as Bitcoin and Ethereum has driven new interest in specific branches of MPC research aimed at combining the input privacy of MPC with the resilience and scalability of modern blockchain networks. This would allow a set of limited clients to outsource a computation to "the blockchain" without revealing their inputs, a.k.a. MPC-as-a-Service. However, existing MPC protocols are designed to thrive when executed in the context of static and homogeneous networks with high availability and low-latency communication, and this makes them incompatible with the heterogeneous and dynamic nature of permissionless networks. Moreover, the communication complexity of these protocols scales quadratically with the number of parties, making them prohibitively expensive to execute at this scale. Recent work of Gentry et al. (CRYPTO, 2021) proposed a model for MPC with the goal of identifying MPC protocols that overcome the above challenges. Such protocols are executed by a set of small randomly-selected committees and only allow each committee member to send a single message. Hence the name: YOSO (You Only Speak Once) model. They also presented actual YOSO MPC protocols with statistical and computational security but left the question of establishing the underlying communication channels to future committee members largely unanswered. This thesis provides a rigorous treatment of the problem of sending secret messages to future committee members. We provide a definitional framework around our main primitive, Encryption to the Future, and propose concrete constructions improving on existing protocols for establishing communication channels in the YOSO model. In addition, these existing protocols are not amenable to new efficient techniques for publicly verifiable resharing, which is a key primitive when designing MPC protocols in the YOSO model. We observe that our framework naturally generalizes to settings where these efficient techniques are applicable by taking advantage of the underlying additive homomorphism of the encryption scheme. Thus, instead of relying on expensive generic non-interactive zero-knowledge proofs for proving correct resharing, we utilize the algebraic structure and obtain extremely efficient proofs. Finally, we take a step back from communication in the YOSO model and ask a basic question of feasibility of perfect and fully secure protocols in the setting of standard MPC but with a specific layered interaction pattern. We answer this question in the affirmative and prove interesting implications for the YOSO model and other areas of dynamic MPC.
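    The two abstracts above (YOLO YOSO and the thesis) both rest on the same algebraic idea: when the sharing scheme is linearly homomorphic, share validity and correct resharing to the next committee can be checked by anyone from public commitments, with no generic zero-knowledge proof. The following added example (written for this page, not code from any of the papers) illustrates that idea with the simplest instance, Feldman-style verifiable Shamir sharing over a toy 2039-element group. Parameters Q, P, G, the threshold t = 1, committee size n = 4 and the secret 42 are assumptions chosen for illustration; the papers' own schemes encrypt the sub-shares towards the unknown next committee and prove validity over ciphertexts, which this example leaves out.

```python
"""Feldman-style publicly verifiable secret sharing with resharing to a fresh
committee. Added illustration with toy parameters; not the schemes from the
papers above. Python 3.8+ (uses pow(x, -1, Q) for modular inverses)."""
import secrets

Q = 1019          # prime order of the subgroup; secrets, shares, coefficients live in Z_Q
P = 2 * Q + 1     # 2039, a safe prime, so Z_P^* contains a subgroup of order Q
G = 4             # 4 = 2^2 is a quadratic residue mod P, hence generates that subgroup


def eval_poly(coeffs, x):
    """Evaluate f(x) = sum coeffs[k] * x^k over Z_Q (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def lagrange_coeff(i, xs):
    """Lagrange coefficient of point i when interpolating f(0) from points xs."""
    num, den = 1, 1
    for j in xs:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def share(secret, t, n):
    """Shamir-share `secret` with a random degree-t polynomial f among parties 1..n.
    Returns shares {i: f(i)} and the Feldman commitments [g^a_0, ..., g^a_t]."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t)]
    shares = {i: eval_poly(coeffs, i) for i in range(1, n + 1)}
    commits = [pow(G, a, P) for a in coeffs]
    return shares, commits


def commit_to_eval(commits, x):
    """Derive g^{f(x)} from the coefficient commitments alone: prod_k C_k^{x^k}.
    This linear-homomorphic step is what makes share validity publicly checkable."""
    acc = 1
    for k, c in enumerate(commits):
        acc = acc * pow(c, pow(x, k, Q), P) % P
    return acc


def verify_share(x, s, commits):
    """Public check that s really is f(x) for the committed polynomial."""
    return pow(G, s, P) == commit_to_eval(commits, x)


def check_resharer(i, sub_commits_i, old_commits):
    """Public check that old party i reshared its genuine share s_i = f(i):
    the constant term of its resharing polynomial must commit to that same value."""
    return sub_commits_i[0] == commit_to_eval(old_commits, i)


def reconstruct(shares):
    """Interpolate f(0) from {x: f(x)} holding at least t+1 points."""
    xs = list(shares)
    return sum(lagrange_coeff(i, xs) * shares[i] for i in xs) % Q


def reshare(old_shares, old_commits, t, n_new):
    """Hand the secret over to a fresh committee of parties 1..n_new.

    Every old party i reshares s_i with a fresh degree-t polynomial f_i and publishes
    its Feldman commitments. New party j sets s'_j = sum_i lambda_i * f_i(j) over a
    qualified set of t+1 old parties whose resharing passed check_resharer. Because
    that combination is linear, the new coefficient commitments follow from the same
    Lagrange weights, so the new committee's shares are again publicly verifiable.
    (Here the f_i(j) are handled in the clear; the real protocols encrypt them.)"""
    sub_shares, sub_commits = {}, {}
    for i, s_i in old_shares.items():
        sub_shares[i], sub_commits[i] = share(s_i, t, n_new)
    qualified = [i for i in old_shares if check_resharer(i, sub_commits[i], old_commits)]
    if len(qualified) < t + 1:
        raise ValueError("not enough valid resharings")
    qualified = qualified[: t + 1]
    lam = {i: lagrange_coeff(i, qualified) for i in qualified}
    new_shares = {}
    for j in range(1, n_new + 1):
        # each new party verifies the sub-shares it received before combining them
        if not all(verify_share(j, sub_shares[i][j], sub_commits[i]) for i in qualified):
            raise ValueError(f"new party {j} received an invalid sub-share")
        new_shares[j] = sum(lam[i] * sub_shares[i][j] for i in qualified) % Q
    new_commits = []
    for k in range(t + 1):
        c = 1
        for i in qualified:
            c = c * pow(sub_commits[i][k], lam[i], P) % P
        new_commits.append(c)
    return new_shares, new_commits


if __name__ == "__main__":
    secret, t, n = 42, 1, 4          # t < n/3, the threshold discussed above
    shares, commits = share(secret, t, n)
    new_shares, new_commits = reshare(shares, commits, t, n)
    print("all new shares verify:", all(verify_share(j, s, new_commits) for j, s in new_shares.items()))
    print("reconstructed after hand-over:", reconstruct({2: new_shares[2], 4: new_shares[4]}))
```

The point to take from the example is the check in check_resharer: anyone holding the previous committee's commitments can confirm, with one group equation per resharer, that the value being reshared is the share that party was supposed to hold, and the new committee's commitments are derived by the same linear map rather than by a proof about the polynomial. Feldman commitments hide the secret only computationally and the toy group is far too small for real use; the papers above obtain the same linear checks on encrypted shares.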