Secure Merge with O(n log log n) Secure Operations

Data-oblivious algorithms are a key component of many secure computation protocols. In this work, we show that advances in secure multiparty shuffling algorithms can be used to increase the efficiency of several key cryptographic tools. The key observation is that many secure computation protocols rely heavily on secure shuffles. The best data-oblivious shuffling algorithms require $O(n \log n)$, operations, but in the two-party or multiparty setting, secure shuffling can be achieved with only $O(n)$ communication. Leveraging the efficiency of secure multiparty shuffling, we give novel algorithms that improve the efficiency of securely sorting sparse lists, secure stable compaction, and securely merging two sorted lists. Securely sorting private lists is a key component of many larger secure computation protocols. The best data-oblivious sorting algorithms for sorting a list of $n$ elements require $O(n \log n)$ comparisons. Using black-box access to a linear-communication secure shuffle, we give a secure algorithm for sorting a list of length $n$ with $t \ll n$ nonzero elements with communication $O(t \log^2 n + n)$, which beats the best oblivious algorithms when the number of nonzero elements, $t$, satisfies $t < n/\log^2 n$. Secure compaction is the problem of removing dummy elements from a list, and is essentially equivalent to sorting on 1-bit keys. The best oblivious compaction algorithms run in $O(n)$-time, but they are unstable, i.e., the order of the remaining elements is not preserved. Using black-box access to a linear-communication secure shuffle, we give a stable compaction algorithm with only $O(n)$ communication. Our main result is a novel secure merge protocol. The best previous algorithms for securely merging two sorted lists into a sorted whole required $O(n \log n)$ secure operations. Using black-box access to an $O(n)$-communication secure shuffle, we give the first secure merge algorithm that requires only $O(n \log \log n)$ communication. Our algorithm takes as input $n$ secret-shared values, and outputs a secret-sharing of the sorted list. All our algorithms are generic, i.e., they can be implemented using generic secure computations techniques and make black-box access to a secure shuffle. Our techniques extend naturally to the multiparty situation (with a constant number of parties) as well as to handle malicious adversaries without changing the asymptotic efficiency. These algorithm have applications to securely computing database joins and order statistics on private data as well as multiparty Oblivious RAM protocols

Secure Computation over Lattices and Elliptic Curves

Traditional threshold cryptosystems have decentralized core cryptographic primitives like key generation, decryption and signatures. Most threshold cryptosystems, however, rely on special purpose protocols that cannot easily be integrated into more complex multiparty protocols. In this work, we design and implement decentralized versions of lattice-based and elliptic-curve-based public-key cryptoystems using generic secure multiparty computation (MPC) protocols. These are standard cryptosystems, so we introduce no additional work for encrypting devices and no new assumptions beyond those of the generic MPC framework. Both cryptosystems are also additively homomorphic, which allows for secure additions directly on ciphertexts. By using generic MPC techniques, our multiparty decryption protocols compute secret-shares of the plaintext, whereas most special-purpose cryptosystems either do not support decryption or must reveal the decryptions in the clear. Our method allows complex functions to be securely evaluated after decryption, revealing only the results of the functions and not the plaintexts themselves. To improve performance, we present a novel oblivious elliptic curve multiplication protocol and a new noise-masking technique which may be of independent interest. We implemented our protocols using the SCALE-MAMBA secure multiparty computation platform, which provides security against malicious adversaries and supports arbitrary numbers of participants

Token-weighted crowdsourcing

Blockchain-based platforms often rely on token-weighted voting (“τ-weighting”) to efficiently crowdsource information from their users for a wide range of applications, including content curation and on-chain governance. We examine the effectiveness of such decentralized platforms for harnessing the wisdom and effort of the crowd. We find that τ-weighting generally discourages truthful voting and erodes the platform’s predictive power unless users are “strategic enough” to unravel the underlying aggregation mechanism. Platform accuracy decreases with the number of truthful users and the dispersion in their token holdings, and in many cases, platforms would be better off with a “flat” 1/n mechanism. When, prior to voting, strategic users can exert effort to endogenously improve their signals, users with more tokens generally exert more effort—a feature often touted in marketing materials as a core advantage of τ-weighting—however, this feature is not attributable to the mechanism itself, and more importantly, the ensuing equilibrium fails to achieve the first-best accuracy of a centralized platform. The optimality gap decreases as the distribution of tokens across users approaches a theoretical optimum, which we derive, but tends to increase with the dispersion in users’ token holdings. This paper was accepted by Gabriel Weintraub, revenue management and market analytics.Published versio

Scaling blockchains: can committee-based consensus help?

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3914471First author draf

3-Party Distributed ORAM from Oblivious Set Membership

Distributed Oblivious RAM (DORAM) protocols allow a group of participants to obliviously access a secret-shared array at a secret-shared index, and DORAM is the key tool for secure multiparty computation (MPC) in the RAM model. In this work, we present a novel 3-party semi-honest DORAM protocol with O((κ + D) log N) communication per access, where N is the size of the memory, κ is a security parameter and D is the block size. Our protocol performs polylogarithmic computation and does not require homomorphic encryption. Under natural parameter choices, this is the most communication-efficient DORAM with these properties. To build this DORAM protocol, we first present an extremely efficient oblivious data structure for answering set membership queries. From this we build an oblivious hash table with asymptotically optimal memory usage and access cost and with negligible failure probability. We believe these are of independent interest

Economics of NFTs: The Value of Creator Royalties

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4284776First author draf

A Linear-Time 2-Party Secure Merge Protocol

We present a linear-time, space and communication data-oblivious algorithm for securely merging two private, sorted lists into a single sorted, secret-shared list in the two party setting. Although merging two sorted lists can be done insecurely in linear time, previous secure merge algorithms all require super-linear time and communication. A key feature of our construction is a novel method to obliviously traverse permuted lists in sorted order. Our algorithm only requires black-box use of the underlying Additively Homomorphic cryptosystem and generic secure computation schemes for comparison and equality testing

Private Set Intersection with Linear Communication from General Assumptions

This work presents a hashing-based algorithm for Private Set Intersection (PSI) in the honest-but-curious setting. The protocol is generic, modular and provides both asymptotic and concrete efficiency improvements over existing PSI protocols. If each player has $m$ elements, our scheme requires only O(m \secpar) communication between the parties, where \secpar is a security parameter. Our protocol builds on the hashing-based PSI protocol of Pinkas et al. (USENIX 2014, USENIX 2015), but we replace one of the sub-protocols (handling the cuckoo ``stash\u27\u27) with a special-purpose PSI protocol that is optimized for comparing sets of unbalanced size. This brings the asymptotic communication complexity of the overall protocol down from \omega(m \secpar) to O(m\secpar), and provides concrete performance improvements (10-15\% reduction in communication costs) over Kolesnikov et al. (CCS 2016) under real-world parameter choices. Our protocol is simple, generic and benefits from the permutation-hashing optimizations of Pinkas et al. (USENIX 2015) and the Batched, Relaxed Oblivious Pseudo Random Functions of Kolesnikov et al. (CCS 2016)

Privacy-preserving network analytics

We develop a new privacy-preserving framework for a general class of financial network models, leveraging cryptographic principles from secure multiparty computation and decentralized systems. We show how aggregate-level network statistics required for stability assessment and stress testing can be derived from real data without any individual node revealing its private information to any outside party, be it other nodes in the network, or even a central agent. Our work bridges the gap between established theories of financial network contagion and systemic risk that assume agents have full network information and the real world where information sharing is hindered by privacy and security concerns. This paper was accepted by Agostino Capponi, finance. Supplemental Material: The data files and online appendices are available at https://doi.org/10.1287/mnsc.2022.4582 .https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3680000Othe