
Giuseppe Persiano - University of Salerno
Publications: 180
Reads: 12,432
Citations: 7,836
Publications (180)
We study the problem of differentially private (DP) mechanisms for representing sets of size $k$ from a large universe. Our first construction creates $(\epsilon,\delta)$-DP representations with error probability of $1/(e^\epsilon + 1)$ using space at most $1.05 k \epsilon \cdot \log(e)$ bits where the time to construct a representation is $O(k \lo...
As part of the responses to the ongoing crypto wars, the notion of Anamorphic Encryption was put forth. The notion allows private communication in spite of a dictator who is engaged in an extreme form of surveillance and/or censorship, where it asks for all private keys and knows and may even dictate all messages. The original work pointed out effi...
The goal of this research is to raise technical doubts regarding the usefulness of the repeated attempts by governments to curb Cryptography (aka the “Crypto Wars”), and argue that they, in fact, cause more damage than adding effective control. The notion of Anamorphic Encryption was presented in Eurocrypt’22 for a similar aim. There, despite the p...
Oblivious RAMs (ORAMs) are an important cryptographic primitive that enable outsourcing data to a potentially untrusted server while hiding patterns of access to the data. ORAMs provide strong guarantees even in the face of a persistent adversary that views the transcripts of all operations and resulting memory contents. Unfortunately, the strong g...
In this invited lecture, I survey the recent results on the complexity of Oblivious RAMs and of related cryptographic data structures and highlight the proof techniques employed.
In recent years, there has been significant work in studying data structures that provide privacy for the operations that are executed. These primitives aim to guarantee that observable access patterns to physical memory do not reveal substantial information about the queries and updates executed on the data structure. Multiple recent works, includ...
We study encrypted storage schemes where a client outsources data to an untrusted third-party server (such as a cloud storage provider) while maintaining the ability to privately query and dynamically update the data. We focus on encrypted multi-maps (EMMs), a structured encryption (STE) scheme that stores pairs of label and value tuples. EMMs allo...
Performing searches over encrypted data is a very current and active area. Several efficient solutions have been provided for the single-writer scenario in which all sensitive data originate with one party (the Data Owner) that encrypts and uploads the data to a public repository. Subsequently, the Data Owner accesses the encrypted data through a...
Encrypted multi-maps enable outsourcing the storage of a multi-map to an untrusted server while maintaining the ability to query privately. We focus on encrypted Boolean multi-maps that support arbitrary Boolean queries over the multi-map. Kamara and Moataz [Eurocrypt’17] presented the first encrypted multi-map, BIEX, that supports CNF queries with...
We consider a game on a graph $G=\langle V, E\rangle$ with two confronting classes of randomized p...
Encrypted multi-maps (EMMs) enable clients to outsource the storage of a multi-map to a potentially untrusted server while maintaining the ability to perform operations in a privacy-preserving manner. EMMs are an important primitive as they are an integral building block for many practical applications such as searchable encryption and encrypted da...
In this paper, we study the static cell probe complexity of non-adaptive data structures that maintain a subset of $n$ points from a universe consisting of $m=n^{1+\Omega(1)}$ points. A data structure is defined to be non-adaptive when the memory locations that are chosen to be accessed during a query depend only on the query inputs and not on the...
Volume leakage has recently been identified as a major threat to the security of cryptographic cloud-based data structures by Kellaris et al. [CCS'16] (see also the attacks in Grubbs et al. [CCS'18] and Lacharité et al. [S&P'18]). In this work, we focus on volume-hiding implementations of encrypted multi-maps as first considered by...
Oblivious RAM (ORAM) and private information retrieval (PIR) are classic cryptographic primitives used to hide the access pattern to data whose storage has been outsourced to an untrusted server. Unfortunately, both primitives require considerable overhead compared to plaintext access. For large-scale storage infrastructure with highly frequent acc...
In this work, we study privacy-preserving storage primitives that are suitable for use in data analysis on outsourced databases within the differential privacy framework. The goal in differentially private data analysis is to disclose global properties of a group without compromising any individual’s privacy. Typically, differentially private adver...
Performing searches over encrypted data is a very current and active area. Several efficient solutions have been provided for the single-writer scenario in which all sensitive data originates with one party (the Data Owner) that encrypts it and uploads it to a public repository. Subsequently the Data Owner (or authorized clients, the Query Sources)...
Private information retrieval (PIR) is a fundamental tool for preserving query privacy when accessing outsourced data. All previous PIR constructions have significant costs preventing widespread use. In this work, we present private stateful information retrieval (PSIR), an extension of PIR, allowing clients to be stateful and maintain information...
In this paper, we study Symmetric Searchable Encryption (SSE) in a multi-user setting in which each user dynamically shares its documents with selected other users, allowing sharees also to perform searches. We introduce the concept of a Symmetric Searchable Encryption with Sharing and Unsharing, an extension of Multi-Key Searchable Encryption (NSD...
At ICS 2010, Dziembowski, Pietrzak and Wichs introduced the notion of non-malleable codes, a weaker form of error-correcting codes guaranteeing that the decoding of a tampered codeword either corresponds to the original message or to an unrelated value. The last few years established non-malleable codes as one of the recently invented cryptographic...
A dynamics retains a specific information about the starting state of a networked multi-player system if this information can be computed from the state of the system also after several rounds of the dynamics. Information retention has been studied for the function that returns the majority of the states in systems in which players have states in \...
Logit dynamics (Blume in Games Econ Behav 5:387–424, 1993) are randomized best response dynamics for strategic games: at every time step a player is selected uniformly at random and she chooses a new strategy according to a probability distribution biased toward strategies promising higher payoffs. This process defines an ergodic Markov chain, over...
Fully Homomorphic Encryption schemes (FHEs) and Functional Encryption schemes (FunctEs) have a tremendous impact in cryptography both for the natural questions that they address and for the wide range of applications in which they have been (sometimes critically) used. In this work we put forth the notion of a Controllable Homomorphic Encryption sch...
Game Theory is the main tool used to model the behavior of agents that are guided by their own objective in contexts where their gains depend also on the choices made by neighboring agents. Game theoretic approaches have been often proposed for modeling phenomena in a complex social network, such as the formation of the social network itself. We ar...
We present the first general bounds on the mixing time of the Markov chain associated to the logit dynamics for wide classes of strategic games. The logit dynamics with inverse noise β describes the behavior of a complex system whose individual components act selfishly according to some partial (“noisy”) knowledge of the system, where the capacity...
Proofs of partial knowledge allow a prover to prove knowledge of witnesses for k out of n instances of NP languages. Cramer, Schoenmakers and Damgård [10] provided an efficient construction of a 3-round public-coin witness-indistinguishable (k, n)-proof of partial knowledge for any NP language, by cleverly combining n executions of \(\varSigma \)-p...
We study discrete preference games in heterogeneous social networks. These games model the interplay between a player's private belief and his/her publicly stated opinion (which could be different from the player's belief) as a strategic game in which the players' strategies are the opinions and the cost of an opinion in a state is a convex combina...
In [18] Cramer, Damgård and Schoenmakers (CDS) devise an OR-composition technique for \(\varSigma \)-protocols that allows to construct highly-efficient proofs for compound statements. Since then, such technique has found countless applications as building block for designing efficient protocols.
The Fiat-Shamir (FS) transform is a popular technique for obtaining practical zero-knowledge argument systems. The FS transform uses a hash function to generate, without any further overhead, non-interactive zero-knowledge (NIZK) argument systems from public-coin honest-verifier zero-knowledge (public-coin HVZK) proof systems. In the proof of zero...
It is often observed that agents tend to imitate the behavior of their neighbors in a social network. This imitating behavior might lead to the strategic decision of adopting a public behavior that differs from what the agent believes is the right one and this can subvert the behavior of the population as a whole.
In this paper, we consider the cas...
In this work, we show how to use the positive results on succinct argument systems to prove impossibility results on leakage-resilient black-box zero knowledge. This recently proposed notion of zero knowledge deals with an adversary that can make leakage queries on the state of the prover. Our result holds for black-box simulation only and we also...
In this paper we consider the problem of enforcing dependencies during software distribution process. We consider a model in which multiple independent vendors encrypt their software and distribute it by means of untrusted mirror repositories. The decryption of each package is executed on the user side and it is possible if and only if the target d...
Outsourcing data in the cloud has become nowadays very common. Since – generally speaking – cloud data storage and management providers cannot be fully trusted, mechanisms providing the confidentiality of the stored data are necessary. A possible solution is to encrypt all the data, but – of course – this poses serious problems about the effective...
We study Input Indistinguishable Computation (IIC), a security notion proposed by Micali, Pass, and Rosen in [14] and recently considered also by Garg, Goyal, Jain and Sahai in [19]. IIC aims at generalizing the notion of a Witness Indistinguishable (WI) proof system to general two-party functionalities and in its concurrent version (cIIC) also con...
We consider mechanisms without payments for the problem of scheduling unrelated machines. Specifically, we consider truthful in expectation randomized mechanisms under the assumption that a machine (player) is bound by its reports: when a machine lies ...
Outsourcing data in the cloud has become nowadays very common. Since -- generally speaking -- cloud data storage and management providers cannot be fully trusted, mechanisms providing the confidentiality of the stored data are necessary. A possible solution is to encrypt all the data, but -- of course -- this poses serious problems about the effect...
We study discrete preference games that have been used to model issues such as the formation of opinions or the adoption of innovations in the context of a social network. In these games, the payoff of each agent depends on the agreement of her strategy to her internal belief and on its coordination with the strategies of her neighbors in the socia...
Certified Information Access (CIA) primitive allows a user to obtain answers to database queries in a way that she can verify the correctness of the received information. The database owner answers a query by providing the information matching the query along with a proof that such information are consistent with the actual content of the database....
This work attempts to clarify to what extent simulation-based security (SIM-security) is achievable for functional encryption (FE) and its relation to the weaker indistinguishability-based security (IND-security). Our main result is a compiler that transforms any FE scheme for the general circuit functionality (which we denote by Circuit-FE) meetin...
We present the first general bounds on the mixing time of the Markov chain associated to the logit dynamics for wide classes of strategic games. The logit dynamics with inverse noise beta describes the behavior of a complex system whose individual components act selfishly and keep responding according to some partial ("noisy") knowledge of the syst...
Logit dynamics are a family of randomized best response dynamics based on the logit choice function [21] that is used to model players with limited rationality and knowledge. In this paper we study the all-logit dynamics, where at each time step all players concurrently update their strategies according to the logit choice function. In the well stu...
We consider large systems composed of strategic players and look at ways of describing their long term behaviour. We give evidence that the notion of a Nash equilibrium is not a completely satisfactory answer to this question and propose to look at the stationary equilibrium induced by the logit dynamics [4]. Here at every stage of the game a player...
Predicate encryption is an important cryptographic primitive (see [3,5,9,11]) that enables fine-grained control on the decryption keys. Roughly speaking, in a predicate encryption scheme the owner of the master secret key Msk can derive secret key $Sk_P$, for any predicate P from a specified class of predicates ℙ. In encrypting a message M, the send...
Providing functionalities that allow online social network users to manage in a secure and private way the publication of their information and/or resources is a relevant and far from trivial topic that has been under scrutiny from various research communities. In this work, we provide a framework that allows users to define highly expressive acces...
Logit Dynamics [Blume, Games and Economic Behavior, 1993] are randomized best response dynamics for strategic games: at every time step a player is selected uniformly at random and she chooses a new strategy according to a probability distribution biased toward strategies promising higher payoffs. This process defines an ergodic Markov chain, over...
In this paper, we discuss the conceptual problems arising from security issues for small artefacts. We propose two frameworks for security of small artefacts and present some preliminary results for the two frameworks.
Predicate encryption is an important cryptographic primitive (see [3, 6, 10, 11]) that enables fine-grained control on the decryption keys. Let P be a binary predicate. Roughly speaking, in a predicate encryption scheme for predicate P the owner of the master secret key Msk can derive secret key $Sk_y$, for any vector y. In encrypting a message M,...
Agents that must reach agreements with other agents need to reason about how their preferences, judgments, and beliefs might be aggregated with those of others by the social choice mechanisms that govern their interactions. The emerging field of judgment ...
Predicate encryption is a new powerful cryptographic primitive which allows for fine-grained access control for encrypted data: the owner of the secret key can release partial keys, called tokens, that can decrypt only a specific subset of ciphertexts. More specifically, in a predicate encryption scheme, ciphertexts and tokens have attributes and a...
We present and discuss challenges and solutions posed by the design of an adaptable network infrastructure of tiny artifacts. Such artifacts are characterized by severe limitations in computational power, communications capacity and energy; nevertheless they must realize a communication infrastructure able to deliver services to the end-users in a...
Lewko and Waters [Eurocrypt 2010] presented a fully secure HIBE with short ciphertexts. In this paper we show how to modify their construction to achieve anonymity. We prove the security of our scheme under static (and generically secure) assumptions formulated in composite order bilinear groups. In addition, we present a fully secure Anonymous IB...
We propose efficient schemes for information-theoretically secure key exchange in the Bounded Storage Model (BSM), where the adversary is assumed to have limited storage. Our schemes generate a secret One Time Pad (OTP) shared by the sender and the receiver, from a large number of public random bits produced by the sender or by an external source. O...
In this paper we propose a fully decentralized approach for recommending new contacts in the social network of mobile phone users. With respect to existing solutions, our approach is characterized by some distinguishing features. In particular, the application we propose does not assume any centralized coordination: it transparently collects and pr...
We propose efficient schemes for information-theoretically secure key exchange in the Bounded Storage Model (BSM), where the adversary is assumed to have limited storage. Our schemes generate a secret One Time Pad (OTP) shared by the sender and the receiver, from a large number of public random bits produced by the sender or by an external source....
In this talk I will overview the results on the mixing time of the logit dynamics [2] for strategic games. At every stage of the game a player is selected uniformly at random and she plays according to a noisy best-response dynamics where the noise level is tuned by a parameter beta. Such a dynamics defines a family of ergodic Markov chains, indexe...
We study logit dynamics (Blume in Games Econ. Behav. 5:387–424, 1993) for strategic games. This dynamics works as follows: at every stage of the game a player is selected uniformly at random and she plays according to a noisy best-response where the noise level is tuned by a parameter β. Such a dynamics defines a family of ergodic Markov chains, in...
The recent introduction of electronic passports (e-Passports) motivates the need of a thorough investigation on potential security and privacy issues. In this paper, we focus on the e-Passport implementation adopted in Italy. Leveraging previous attacks to e-Passports adopted in other countries, we analyze (in)security of Italian e-Passports and we...
Predicate encryption is an important cryptographic primitive that has been recently studied [BDOP04, BW07, GPSW06, KSW08] and that has found wide applications. Roughly speaking, in a predicate encryption scheme the owner of the master secret key K can derive secret key \(\tilde K\), for any pattern vector k. In encrypting a message M, the sender ca...
We study the online version of the scheduling problem involving selfish agents, considered by Archer and Tardos in [A. Archer, E. Tardos, Truthful mechanisms for one-parameter agents, in: Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science (FOCS), 2001, pp. 482–491], where jobs must be scheduled on m related machines, each of...
Algorithmic mechanism design considers distributed settings where the participants, termed agents, cannot be assumed to follow the protocol but rather their own interests. The protocol can be regarded as an algorithm augmented with a suitable payment rule and the desired condition is termed truthfulness, meaning that it is never convenient for an a...
Collusion-free protocols prevent subliminal communication (i.e., covert channels) between parties running the protocol. In the standard communication model, if one-way functions exist, then protocols satisfying any reasonable degree of privacy cannot be collusion-free. To circumvent this impossibility, Alwen, shelat and Visconti (CRYPTO 2008) recen...
We initiate the study of mechanisms with verification for one-parameter agents. We give an algorithmic characterization of such mechanisms and show that they are provably better than mechanisms without verification, i.e., those previously considered in the literature. These results are obtained for a number of optimization problems motivated by the...
In this paper we consider commitment schemes that are secure against concurrent man-in-the-middle (cMiM) attacks. Under such attacks, two possible notions of security for commitment schemes have been proposed in the literature: concurrent non-malleability with respect to commitment and concurrent non-malleability with respect to decommitment (i.e.,...
Radio frequency identification (RFID) chips have been widely deployed in large-scale systems such as inventory control and supply chain management. While RFID technology has many advantages, it may create new privacy problems. Tag untraceability is a significant concern that needs to be addressed in deploying RFID-based systems.
In this pa...
We present a game-theoretic approach to the study of scheduling communications in wireless networks and introduce and study a class of games that we call Interference Games. In our setting, a player can successfully transmit if it "shouts strongly enough"; that is, if its transmission power is sufficiently higher than all other (simultaneous) transmis...
In this paper we consider the problem of securely outsourcing computation on private data. We present a protocol for securely distributing the computation of the data structures used by current implementations of the Certified Information Access primitive. To this aim, we introduce the concept of a Verifiable Deterministic Envelope - that may be of...
Different security notions and settings for identification protocols have been proposed so far, considering different adversary models where the main objective is the non-transferability of the proof.
In this paper we consider one of the strongest non-transferability notions, namely resettable non-transferable identification introduced by Bellare e...
Predicate encryption schemes are encryption schemes in which each ciphertext Ct is associated with a binary attribute vector and keys K are associated with predicates. A key K can decrypt a ciphertext if and only if the attribute vector of the ciphertext satisfies the predicate of the key. Predicate encryption schemes can be used to implement fine-...
One of the central questions in Cryptography is the design of round-efficient protocols that are secure under concurrent man-in-the-middle attacks. In this paper we present the first constant-round concurrent non-malleable zero-knowledge argument system for NP in the Bare Public-Key model (Canetti et al., STOC 2000), resolving one of the major...
The online removable square packing problem is a two-dimensional version of the online removable Knapsack problem. For a sequence of squares with side length at most 1, we are requested to pack a subset of them into a unit square bin in an online fashion ...
In this paper, we present a framework providing integrity and authentication for secure workflow computation based on BPEL Web service orchestration. Whereas much attention has been dedicated to security issues for Web services, no standard and practical solutions have been provided to secure workflows. In this paper, we address a recent cryptograph...
The central question in mechanism design is how to implement a given social choice function. One of the most studied concepts is that of truthful implementations in which truth-telling is always the best response of the players. The Revelation Principle says that one can focus on truthful implementations without loss of generality (if there is no t...
We investigate structural properties of interactive perfect zero-knowledge (PZK) proofs. Specifically, we look into the closure properties of PZK languages under monotone boolean formula composition. This gives rise to new protocol techniques. We show that interactive PZK for random self-reducible languages (RSR) (and for co-RSR) is closed under mo...
e, from f to c, from d to b, and from a to b. A possible valid coloring is to assign these paths the colors 1, 2, 1, 2, and 3, respectively. The maximum load of the paths is 2, because 2 paths use the edge (d; c). It is not possible to color these paths with 2 colors, because the conflict graph of the paths (a graph with a vertex for each path and an e...
Radio-Frequency Identification (RFID) is going to be the preferred technology for the realization of Machine Readable Travel Documents (MRTDs), and has been deployed in the last generation of e-passports. The proposed technical specifications for e-passport systems have been analyzed and criticized by security experts showing various functional,...
We consider general resource assignment games involving selfish users/agents in which users compete for resources and try to be assigned to those which maximize their own benefits (e.g., try to route their traffic through links which minimize the latency of their own traffic). We propose and study a mechanism design approach in which an allocation...
In this paper we describe a primitive, which we call, Certified Information Access, in which a database answers to a query by providing the information matching the query along with a proof that such information are consistent with the actual content of the database. We show that such a primitive can be securely implemented in a distributed fashi...
In this paper we study the randomness complexity needed to distributively perform k XOR computations in a t-private way using constant-round protocols in the case in which the players are honest but curious.
We show that the existence of a particular family of subsets allows the recycling of random bits for constant-round private protocols. More p...
Consider a network vulnerable to security attacks and equipped with defense mechanisms. How much is the loss in the provided security guarantees due to the selfish nature of attacks and defenses? The Price of Defense was recently introduced in [7] as a worst-case measure, over all associated Nash equilibria, of this loss. In the particular strategi...
In this paper we study the notion of a Double-Round NIZKPK in the SRS model. In a Double-Round NIZKPK prover and verifier have access to the same random string Σ and, in addition, the prover is allowed to send one message to the verifier before Σ is made available. The verifier needs not to reply to this message. The random string and initial pro...
We show that the class NISZK of languages that admit non-interactive statistical zero-knowledge proof system has a natural complete promise problem. This characterizes statistical zero-knowledge in the public random string model without reference to the public random string or to zero knowledge. Building on this result we are able to show structur...
A social choice function A is implementable with verification if there exists a payment scheme P such that (A,P) is a truthful mechanism for verifiable agents [Nisan and Ronen, STOC 99]. We give a simple sufficient condition for a social choice function to be implementable with verification for comparable types. Comparable types are a generalizatio...
Andrews et al. (Automatic method for hiding latency in high bandwidth networks, in: Proceedings of the ACM Symposium on Theory of Computing, 1996, pp. 257-265; Improved methods for hiding latency in high bandwidth networks, in: Proceedings of the Eighth Annual ACM Symposium on Parallel Algorithms and Architectures, 1996, pp. 52-61) introduced a num...