172 research outputs found
Two-Party Direct-Sum Questions Through the Lens of Multiparty Communication Complexity
Direct-sum questions in (two-party) communication complexity ask whether two parties, Alice and Bob, can compute the value of a function f on l inputs (x_1,y_1),...,(x_l,y_l) more efficiently than by applying the best protocol for f, independently on each input (x_i,y_i). In spite of significant efforts to understand these questions (under various communication-complexity measures), the general question is still far from being well understood.
In this paper, we offer a multiparty view of these questions: The direct-sum setting is just a two-player system with Alice having inputs x_1,...,x_l, Bob having inputs y_1,...,y_l and the desired output is f(x_1,y_1),...,f(x_l,y_l). The naive solution of solving the l problems independently, is modeled by a network with l (disconnected) pairs of players Alice i and Bob i, with inputs x_i,y_i respectively, and communication only within each pair. Then, we consider an intermediate ("star") model, where there is one Alice having l inputs x_1,...,x_l and l players Bob_1,...,Bob_l holding y_1,...,y_l, respectively (in fact, we consider few variants of this intermediate model, depending on whether communication between each Bob i and Alice is point-to-point or whether we allow broadcast). Our goal is to get a better understanding of the relation between the two extreme models (i.e., of the two-party direct-sum question). If, for instance, Alice and Bob can do better (for some complexity measure) than solving the l problems independently, we wish to understand what intermediate model already allows to do so (hereby understanding the "source" of such savings). If, on the other hand, we wish to prove that there is no better solution than solving the l problems independently, then our approach gives a way of breaking the task of proving such a statement into few (hopefully, easier) steps.
We present several results of both types. Namely, for certain complexity measures, communication problems f and certain pairs of models, we can show gaps between the complexity of solving f on l instances in the two models in question; while, for certain other complexity measures and pairs of models, we can show that such gaps do not exist (for any communication problem f). For example, we prove that if only point-to-point communication is allowed in the intermediate "star" model, then significant savings are impossible in the public-coin randomized setting. On the other hand, in the private-coin randomized setting, if Alice is allowed to broadcast messages to all Bobs in the "star" network, then some savings are possible. While this approach does not lead yet to new results on the original two-party direct-sum question, we believe that our work gives new insights on the already-known direct-sum results, and may potentially lead to more such results in the future
Random-Index Oblivious RAM
We study the notion of Random-index ORAM (RORAM), which is a weak form of ORAM where the Client is limited to asking for (and possibly modifying) random elements of the -items memory, rather than specific ones. That is, whenever the client issues a request, it gets in return a pair where is a random index and is the content of the -th memory item. Then, the client can also modify the content to some new value .
We first argue that the limited functionality of RORAM still suffices for certain applications. These include various applications of sampling (or sub-sampling), and in particular the very-large-scale MPC application in the setting of~ Benhamouda et al. (TCC 2020). Clearly, RORAM can be implemented using any ORAM scheme (by the Client selecting the random \u27s by himself), but the hope is that the limited functionality of RORAM can make it faster and easier to implement than ORAM. Indeed, our main contributions are several RORAM schemes (both of the hierarchical-type and the tree-type) of lighter complexity than that of ORAM
Information-Theoretically Secure Protocols and Security Under Composition
We investigate the question of whether security of protocols in the information-theoretic setting (where the adversary is computationally unbounded) implies the security of these protocols under concurrent composition. This question is motivated by the folklore that all known protocols that are secure in the information-theoretic setting are indeed secure under concurrent composition. We provide answers to this question for a number of different settings (i.e., considering perfect versus statistical security, and concurrent composition with adaptive versus fixed inputs). Our results enhance the understanding of what is necessary for obtaining security under composition, as well as providing tools (i.e., composition theorems) that can be used for proving the security of protocols under composition while considering only the standard stand-alone definitions of security
Ad Hoc PSM Protocols: Secure Computation Without Coordination
We study the notion of {\em ad hoc secure computation}, recently introduced by Beimel et al. (ITCS 2016),
in the context of the {\em Private Simultaneous Messages} (PSM) model of Feige et al.\ (STOC 2004).
In ad hoc secure computation we have parties that may potentially participate in a protocol but, at the actual time of execution, only of them, whose identity is {\em not} known in advance, actually participate. This situation is particularly challenging in the PSM setting, where protocols are non-interactive (a single message from each participating party to a special output party) and where the parties rely on pre-distributed, correlated randomness (that in the ad-hoc setting will have to take into account all possible sets of participants).
We present several different constructions of \apsm\ protocols from standard PSM protocols. These constructions imply, in particular, that efficient information-theoretic \apsm\ protocols exist for NC1 and different classes of log-space computation, and efficient computationally-secure \apsm\ protocols for polynomial-time computable functions can be based on a one-way function. As an application, we obtain an information-theoretic implementation of {\em order-revealing encryption} whose security holds for two messages.
We also consider the case where the actual number of participating parties may be larger than the minimal for which the protocol is designed to work. In this case, it is unavoidable that the output party learns the output corresponding to each subset of out of the participants. Therefore, a ``best possible security\u27\u27 notion, requiring that this will be the {\em only} information that the output party learns, is needed. We present connections between this notion and the previously studied notion of {\em -robust PSM} (also known as ``non-interactive MPC\u27\u27).
We show that constructions in this setting for even simple functions (like AND or threshold) can be translated into non-trivial instances of program obfuscation (such as {\em point function obfuscation} and {\em fuzzy point function obfuscation}, respectively). We view these results as a negative indication that protocols with ``best possible security\u27\u27 are impossible to realize efficiently in the information-theoretic setting or require strong assumptions in the computational setting
How to Garble Arithmetic Circuits
Yao\u27s garbled circuit construction transforms a boolean circuit into a ``garbled circuit\u27\u27 along with pairs of -bit keys, one for each input bit, such that together with the keys corresponding to an input reveal and no additional information about . The garbled circuit construction is a central tool for constant-round secure computation and has several other applications.
Motivated by these applications, we suggest an efficient arithmetic variant of Yao\u27s original construction. Our construction transforms an arithmetic circuit over integers from a bounded (but possibly exponential) range into a garbled circuit along with affine functions such that together with the integer vectors reveal and no additional information about . The security of our construction relies on the intractability of the learning with errors (LWE) problem
Anonymous Permutation Routing
The Non-Interactive Anonymous Router (NIAR) model was introduced by Shi and Wu [SW21] as an alternative to conventional solutions to the anonymous routing problem, in which a set of senders wish to send messages to a set of receivers. In contrast to most known approaches to support anonymous routing (e.g. mix-nets, DC-nets, etc.) which rely on a network of routers communicating with users via interactive protocols, the NIAR model assumes a router and is inherently - (after an initial setup phase). In addition to being non-interactive, the NIAR model is compelling due to the security it provides: instead of relying on the honesty of some subset of the routers, the NIAR model requires anonymity even if the router (as well as an arbitrary subset of senders/receivers) is corrupted.
In this paper, we present a protocol for the NIAR model that improves upon the results from [SW21] in two ways:
- Improved computational efficiency (quadratic to near linear): Our protocol matches the communication complexity of [SW21] for each sender/receiver, while reducing the computational overhead for the router to polylog overhead instead of linear overhead.
- Relaxation of assumptions: Security of the protocol in [SW21] relies on the Decisional Linear assumption in bilinear groups; while security for our protocol follows from the existence of any rate-1 oblivious transfer (OT) protocol (instantiations of this primitive are known to exist under DDH, QR and LWE [DGI19,GHO20])
CNF-FSS and its Applications
Function Secret Sharing (FSS), introduced by Boyle, Gilboa and Ishai [BGI15],
extends the classical notion of secret-sharing a *value* to secret sharing a
*function*. Namely, for a secret function f (from a class ), FSS provides a
sharing of f whereby *succinct shares (``keys\u27\u27) are distributed to a set of
parties, so that later the parties can non-interactively compute an additive
sharing of f(x), for any input x in the domain of f. Previous work on FSS
concentrated mostly on the two-party case, where highly efficient schemes are
obtained for some simple, yet extremely useful, classes (in particular,
FSS for the class of point functions, a task referred to as DPF -- Distributed
Point Functions [GI14,BGI15].
In this paper, we concentrate on the multi-party case, with p >= 3 parties and
t-security (1 <= t < p). First, we introduce the notion of CNF-DPF (or, more
generally, CNF-FSS), where the scheme uses the CNF version of secret sharing
(rather than additive sharing) to share each value . We then demonstrate
the utility of CNF-DPF by providing several applications. Our main result
shows how CNF-DPF can be used to achieve substantial asymptotic improvement in
communication complexity when using it as a building block for constructing
*standard* (t,p)-DPF protocols that tolerate t > 1 (semi-honest) corruptions.
For example, we build a 2-out-of-5 secure (standard) DPF scheme of
communication complexity O(N^{1/4}), where N is the domain size of f (compared
with the current best-known of O(N^{1/2}) for (2,5)-DPF). More generally,
with p > d*t parties, we give a (t,p)-DPF whose complexity grows as
O(N^{1/2d}) (rather than O(\sqrt{N}) that follows from the (p-1,p)-DPF scheme
of [BGI15]).
We also present a 1-out-of-3 secure CNF-DPF scheme, in which each party holds
two of the three keys, with poly-logarithmic communication complexity. These
results have immediate implications to scenarios where (multi-server) DPF was
shown to be applicable. For example, we show how to use such a scheme to
obtain asymptotic improvement (O(\log^2N) versus O(\sqrt{N})) in communication
complexity over the 3-party protocol of [BKKO20]
Low-Complexity Cryptographic Hash Functions
Cryptographic hash functions are efficiently computable functions that shrink a long input into a shorter output while achieving some of the useful security properties of a random function.
The most common type of such hash functions is collision resistant hash functions (CRH), which prevent an efficient attacker from finding a pair of inputs on which the function has the same output
Cryptographic Sensing
Is it possible to measure a physical object in a way that makes the measurement signals unintelligible to an external observer? Alternatively, can one learn a natural concept by using a contrived training set that makes the labeled examples useless without the line of thought that has led to their choice?
We initiate a study of ``cryptographic sensing\u27\u27 problems of this type, presenting definitions, positive and negative results, and directions for further research
- …