## About

246 Publications · 17,064 Reads


20,811 Citations (since 2017)

## Publications (246)

In the shuffle model for differential privacy, n users locally randomize their data and submit the results to a trusted “shuffler” who mixes the results before sending them to a server for analysis. This is a promising model for real-world applications of differential privacy, as several recent results have shown that, in some cases, the shuffle mo...

Group key-exchange protocols allow a set of N parties to agree on a shared, secret key by communicating over a public network. A number of solutions to this problem have been proposed over the years, mostly based on variants of Diffie-Hellman (two-party) key exchange. To the best of our knowledge, however, there has been almost no work looking at c...

A recent line of work has explored the use of physically unclonable functions (PUFs) for secure computation, with the goals of (1) achieving universal composability without additional setup and/or (2) obtaining unconditional security (i.e., avoiding complexity-theoretic assumptions). Initial work assumed that all PUFs, even those created by an atta...

The notion of covert security for secure two-party computation serves as a compromise between the traditional semi-honest and malicious security definitions. Roughly, covert security ensures that cheating behavior is detected by the honest party with reasonable probability (say, 1/2). It provides more realistic guarantees than semi-honest security...

Recent work, including ZKBoo, ZKB++, and Ligero, has developed efficient non-interactive zero-knowledge proofs of knowledge (NIZKPoKs) for Boolean circuits based on symmetric-key primitives alone, using the "MPC-in-the-head" paradigm of Ishai et al. We show how to instantiate this paradigm with MPC protocols in the preprocessing model; once optimiz...

The problem of Oblivious RAM (ORAM) has traditionally been studied in a single-server setting, but more recently the multi-server setting has also been considered. Yet it is still unclear whether the multi-server setting has any inherent advantages, e.g., whether the multi-server setting can be used to achieve stronger security goals or provably be...

We continue the line of work initiated by Katz (Eurocrypt 2007) on using tamper-proof hardware tokens for universally composable secure computation. As our main result, we show an oblivious-transfer (OT) protocol in which two parties each create and transfer a single, stateless token and can then run an unbounded number of OTs. We also show a more...

In this work we introduce the notion of Subset Predicate Encryption, a form of attribute-based encryption (ABE) in which a message is encrypted with respect to a set \(s'\) and the resulting ciphertext can be decrypted by a key that is associated with a set \(s\) if and only if \(s\subseteq s'\). We formally define our primitive and identify severa...

A fuzzy extractor (FE) enables reproducible generation of high-quality randomness from noisy inputs having sufficient min-entropy. FEs have been proposed for deriving cryptographic keys from biometric data. FEs rely in their operation on a public “helper string” that is guaranteed not to leak too much information about the original input. Unfortuna...

We propose a new protocol for two-party computation, secure against malicious adversaries, that is significantly faster than prior work in the single-execution setting (i.e., non-amortized and with no pre-processing). In particular, for computational security parameter \({\kappa }\) and statistical security parameter \({\rho }\), our protocol uses...

We initiate the study of public-key encryption (PKE) secure against selective-opening attacks (SOA) in the presence of randomness failures, i.e., when the sender may (inadvertently) use low-quality randomness. In the SOA setting, an adversary can adaptively corrupt senders; this notion is natural to consider in tandem with randomness failures since...

Secure multilinear maps (mmaps) have been shown to have remarkable applications in cryptography, such as program obfuscation and multi-input functional encryption (MIFE). To date, there has been little evaluation of the performance of these applications. In this paper we initiate a systematic study of mmap-based constructions. We build a general f...

It is well known that the random-oracle (RO) model is not sound in the sense that there are schemes that are secure in the RO model but are insecure when instantiated by any family of hash functions. However, existing separation results do not hold for all cryptographic schemes in the RO model (e.g., bit encryption), leaving open the possibility th...

We revisit the question of constructing an ideal cipher from a random oracle. Coron et al. (Journal of Cryptology, 2014) proved that a 14-round Feistel network using random, independent, keyed round functions is indifferentiable from an ideal cipher, thus demonstrating the feasibility of such a transformation. Left unresolved is the number of round...

An implicit goal of Bitcoin's reward structure is to diffuse network influence over a diverse, decentralized population of individual participants. Indeed, Bitcoin's security claims rely on no single entity wielding a sufficiently large portion of the network's overall computational power. Unfortunately, rather than participating independently, mos...

Authenticated encryption (AE) schemes are symmetric-key encryption schemes ensuring strong notions of confidentiality and integrity. Although various AE schemes are known, there remains significant interest in developing schemes that are more efficient, meet even stronger security notions (e.g., misuse-resistance), or satisfy certain non-cryptograp...

Security of distributed cryptographic protocols usually requires privacy (inputs of the honest parties remain hidden), correctness (the adversary cannot improperly affect the outcome), and fairness (if the adversary learns the output, all honest parties do also). Cleve's seminal result (STOC '86) implies that satisfying these properties simultaneou...

Cryptographic constructions are often designed and analyzed in idealized frameworks such as the random-oracle or ideal-cipher models. When the underlying primitives are instantiated in the real world, however, they may be far from ideal. Constructions should therefore be robust to known or potential defects in the lower-level primitives. With this...

At TCC 2013, Choi et al. introduced the notion of multiclient verifiable computation (MVC) in which a set of clients outsource to an untrusted server the computation of a function f over their collective inputs in a sequence of time periods. In that work, the authors defined and realized multi-client verifiable computation satisfying soundness agai...

Block ciphers such as AES are deterministic, keyed functions that operate on small, fixed-size blocks. Block-cipher modes of operation define a mechanism for probabilistic encryption of arbitrary length messages using any underlying block cipher. A mode of operation can be proven secure (say, against chosen-plaintext attacks) based on the assumptio...

RAM-model secure computation addresses the inherent limitations of circuit-model secure computation considered in almost all previous work. Here, we describe the first automated approach for RAM-model secure computation in the semi-honest model. We define an intermediate representation called SCVM and a corresponding type system suited for RAM-mode...

Cryptographic protocols with adaptive security ensure that security holds against an adversary who can dynamically determine which parties to corrupt as the protocol progresses—or even after the protocol is finished. In the setting where all parties may potentially be corrupted, and secure erasure is not assumed, it has been a long-standing open qu...

A recent line of work has explored the use of physically uncloneable functions (PUFs) for secure computation, with the goals of (1) achieving universal composability without (additional) setup, and/or (2) obtaining unconditional security (i.e., avoiding complexity-theoretic assumptions). Initial work assumed that all PUFs, even those created by an...

With relatively few exceptions, the literature on efficient (practical) secure computation has focused on secure two-party computation (2PC). It is, in general, unclear whether the techniques used to construct practical 2PC protocols—in particular, the cut-and-choose approach—can be adapted to the multi-party setting. In this work we explore the po...

We consider secure two-party computation in a multiple-execution setting, where two parties wish to securely evaluate the same circuit multiple times. We design efficient garbled-circuit-based two-party protocols secure against malicious adversaries. Recent works by Lindell (Crypto 2013) and Huang-Katz-Evans (Crypto 2013) have obtained optimal comp...

Universally composable (UC) protocols retain their security properties even when run concurrently alongside arbitrary other protocols. Unfortunately, it is known that UC multiparty computation (for general functionalities, and without assuming honest majority) is impossible without some form of setup. To circumvent this impossibility, various compl...

We introduce the problem of Multi-Input Functional Encryption, where a secret key sk_f can correspond to an n-ary function f that takes multiple ciphertexts as input. We formulate both indistinguishability-based and simulation-based definitions of security for this notion, and show close connections with indistinguishability and virtual black-box d...

Bitcoin is widely regarded as the first broadly successful e-cash system. An oft-cited concern, though, is that mining Bitcoins wastes computational resources. Indeed, Bitcoin's underlying mining mechanism, which we call a scratch-off puzzle (SOP), involves continuously attempting to solve computational puzzles that have no intrinsic utility. We...

We formalize the notion of Verifiable Oblivious Storage (VOS), where a client outsources the storage of data to a server while ensuring data confidentiality, access pattern privacy, and integrity and freshness of data accesses. VOS generalizes the notion of Oblivious RAM (ORAM) in that it allows the server to perform computation, and also explicitl...

We continue the line of work initiated by Katz (Eurocrypt 2007) on using tamper-proof hardware for universally composable secure computation. As our main result, we show an efficient oblivious-transfer (OT) protocol in which two parties each create and exchange a single, stateless token and can then run an unbounded number of OTs. Our result yields...

An authenticated data structure (ADS) is a data structure whose operations can be carried out by an untrusted prover, the results of which a verifier can efficiently check as authentic. This is done by having the prover produce a compact proof that the verifier can check along with each operation's result. ADSs thus support outsourcing data mainte...

An authenticated data structure (ADS) is a data structure whose operations can be carried out by an untrusted prover, the results of which a verifier can efficiently check as authentic. This is done by having the prover produce a compact proof that the verifier can check along with each operation's result. ADSs thus support outsourcing data mainten...

We present the design, security proof, and implementation of an anonymous subscription service. Users register for the service by providing some form of identity, which might or might not be linked to a real-world identity such as a credit card, a web login, or a public key. A user logs on to the system by presenting a credential derived from infor...

Functional encryption (FE) enables fine-grained access control of encrypted data while promising simplified key management. In the past few years substantial progress has been made on functional encryption and a weaker variant called predicate encryption. Unfortunately, fundamental impossibility results have been demonstrated for constructing FE sc...

We propose a new framework for defining privacy in statistical databases that enables reasoning about and exploiting adversarial uncertainty about the data. Roughly, our framework requires indistinguishability of the real world in which a mechanism is computed over the real dataset, and an ideal world in which a simulator outputs some function of a...

Existing work on "rational cryptographic protocols" treats each party (or coalition of parties) running the protocol as a selfish agent trying to maximize its utility. In this work we propose a fundamentally different approach that is better suited to modeling a protocol under attack from an external entity. Specifically, we consider a two-party ga...

It is known that cryptographic feasibility results can change by moving from the classical to the quantum world. With this in mind, we study the feasibility of realizing functionalities in the framework of universal composability, with respect to both computational and information-theoretic security. With respect to computational security, we show...

We present a general framework for efficient, universally composable oblivious transfer (OT) protocols in which a single, global, common reference string (CRS) can be used for multiple invocations of oblivious transfer by arbitrary pairs of parties. In addition:
Our framework is round-efficient. E.g., under the DLIN or SXDH assumptions we achieve r...

We consider an instance of the following problem: Parties P_1, ..., P_k each receive an input x_i, and a coordinator (distinct from each of these parties) wishes to compute f(x_1, ..., x_k) for some predicate f. We are interested in one-round protocols where each party sends a single message to the coordinator; there is no communication between the p...

Fully homomorphic encryption (FHE) is a form of public-key encryption that enables arbitrary computation over encrypted data. The past few years have seen several realizations of FHE under different assumptions, and FHE has been used as a building block in many cryptographic applications.
Adaptive security for public-key encryption schemes is an i...

Gennaro et al. (Crypto 2010) introduced the notion of non-interactive verifiable computation, which allows a computationally weak client to outsource the computation of a function f on a series of inputs x^(1), ... to a more powerful but untrusted server. Following a pre-processing phase (that is carried out only once), the client sends some represe...

Beginning with the work of Lindell and Pinkas, researchers have proposed several protocols for secure two-party computation based on the cut-and-choose paradigm. In current instantiations of this approach, one party generates κ garbled circuits; some fraction of those are “checked” by the other party, and the remaining fraction are evaluated.
We i...

Traditional approaches to generic secure computation begin by representing the function f being computed as a circuit. If f depends on each of its input bits, this implies a protocol with complexity at least linear in the input size. In fact, linear running time is inherent for non-trivial functions since each party must "touch" every bit of their...

Traditionally, cryptographers assume a "worst-case" adversary who can act arbitrarily. More recently, they have begun to consider rational adversaries who can be expected to act in a utility-maximizing way. Here we apply this model for the first time to the problem of Byzantine agreement (BA) and the closely related problem of broadcast, for natura...

Protocols for secure multiparty computation (SMC) allow a set of mutually distrusting parties to compute a function f of their private inputs while revealing nothing about their inputs beyond what is implied by the result. Depending on f, however, the result itself may reveal more information than parties are comfortable with. Almost all previous w...

We introduce the idea of associating a set of elements with a rational function represented using a reversed Laurent series. Using this representation, we propose private set-union protocols in the multi-party setting, assuming an honest majority. Our protocols are the first efficient protocol for private set union with constant round complexity (...

y (CS) as follows: CS = {C | C is a circuit, and ∃ s.t. C( ) = 1}. Theorem 1. CS is NP-complete. Proof. It is relatively easy to see that CS ∈ NP. We show that CS is NP-complete by giving a Karp reduction from any L ∈ NP to CS. Fix such an L, and let M_L be a non-deterministic machine deciding L and running in time n^c on inputs of size n. The idea is...

Known protocols for secure two-party computation that are designed to provide full security against malicious behavior are significantly less efficient than protocols intended only to thwart semi-honest adversaries. We present a concrete design and implementation of protocols achieving security guarantees that are much stronger than are possible wi...

In this paper we propose a game-theoretic model to analyze events similar to the 2009 DARPA Network Challenge, which was organized by the Defense Advanced Research Projects Agency (DARPA) for exploring the roles that the Internet and social networks play in incentivizing wide-area collaborations. The challenge was to form a group that would be the...

Protocols for generic secure multi-party computation (MPC) generally come in two forms: they either represent the function being computed as a boolean circuit, or as an arithmetic circuit over a large field. Either type of protocol can be used for any function, but the choice of which protocol to use can have a significant impact on efficiency. The...

Secure two-party computation enables applications in which participants compute the output of a function that depends on their private inputs, without revealing those inputs or relying on any trusted third party. In this paper, we show the potential of building privacy-preserving applications using garbled circuits, a generic technique that until r...

Secure two-party computation enables two parties to evaluate a function cooperatively without revealing to either party anything beyond the function's output. The garbled-circuit technique, a generic approach to secure two-party computation for semi-honest participants, was developed by Yao in the 1980s, but has been viewed as being of limited prac...

For over 20 years, black-box impossibility results have been used to argue the infeasibility of constructing certain cryptographic primitives (e.g., key agreement) from others (e.g., one-way functions). A widely recognized limitation of such impossibility results, however, is that they say nothing about the usefulness of (known) nonblack-box techni...

A seminal result in cryptography is that signature schemes can be constructed (in a black-box fashion) from any one-way function. The minimal assumptions needed to construct blind signature schemes, however, have remained unclear. Here, we rule out black-box constructions of blind signature schemes from one-way functions. In fact, we rule out const...

Differential privacy is a well established definition guaranteeing that queries to a database do not reveal “too much” information about specific individuals who have contributed to the database. The standard definition of differential privacy is information theoretic in nature, but it is natural to consider computational relaxations and to explore...

We show a general framework for constructing password-based authenticated key exchange protocols with optimal round complexity — one message per party, sent simultaneously — in the standard model, assuming a common reference string. When our framework is instantiated using bilinear-map cryptosystems, the resulting protocol is also (reasonably) effi...

Group signature schemes allow users to sign messages on behalf of a group while (1) maintaining anonymity (within that group) with respect to an observer, yet (2) ensuring traceability of a signer (by the group manager) when needed. In this work we give the first construction of a group signature scheme based on lattices (more precisely, the learni...

We consider the problem of fairness in two-party computation, where this means (informally) that both parties should learn the correct output. A seminal result of Cleve (STOC 1986) shows that fairness is, in general, impossible to achieve for malicious parties. Here, we treat the parties as rational and seek to understand what can be done.
Asharov...

In collusion-free protocols, subliminal communication is impossible and parties are thus unable to communicate any information “beyond what the protocol allows.” Collusion-free protocols are interesting for several reasons, but have specifically attracted attention because they can be used to reduce trust in game-theoretic mechanisms. Collusion-fre...

Protocols for generic secure multi-party computation (MPC) come in two forms: they either represent the function being computed as a boolean circuit, or as an arithmetic circuit over a large field. Either type of protocol can be used for any function, but the choice of which type of protocol to use can have a significant impact on efficiency. The m...

Yao’s garbled-circuit approach enables constant-round secure two-party computation of any function. In Yao’s original construction, each gate in the circuit requires the parties to perform a constant number of encryptions/decryptions and to send/receive a constant number of ciphertexts. Kolesnikov and Schneider (ICALP 2008) proposed an improvement...

In synchronous networks, protocols can achieve security guarantees that are not possible in an asynchronous world: they can simultaneously achieve input completeness (all honest parties’ inputs are included in the computation) and guaranteed termination (honest parties do not “hang” indefinitely). In practice truly synchronous networks rarely exist...

We consider the classical problem of synchronous broadcast with dishonest majority, when a public-key infrastructure and digital signatures are available. In a surprising result, Hirt and Zikas (Eurocrypt 2010) recently observed that all existing protocols for this task are insecure against an adaptive adversary who can choose which parties to corr...

We show a general framework for constructing password-based authenticated key exchange protocols with optimal round complexity — one message per party, sent simultaneously — in the standard model, assuming the existence of a common reference string. When our framework is instantiated using bilinear-map cryptosystems, the resulting protocol is also...

Group signature schemes allow users to sign messages on behalf of a group while (1) maintaining anonymity (within that group) with respect to an outside observer, yet (2) ensuring traceability of a signer (by the group manager) when needed. In this work we give the first construction of a group signature scheme based on lattices (more precisely, th...

Protocols for password-based authenticated key exchange (PAKE) allow two users who share only a short, low-entropy password to agree on a cryptographically strong session key. The challenge in designing such protocols is that they must be immune to off-line dictionary attacks in which an eavesdropping adversary exhaustively enumerates the dictionar...

In recent years, there has been a major effort to design cryptographic schemes that remain secure even if part of the secret key is leaked. This is due to a recent proliferation of side channel attacks which, through various physical means, can recover part of the secret key. We explore the possibility of achieving security even with continual leak...

Given a public-key infrastructure (PKI) and digital signatures, it is possible to construct broadcast protocols tolerating any number of corrupted parties. Almost all existing protocols, however, do not distinguish between corrupted parties (who do not follow the protocol), and honest parties whose secret (signing) keys have been compromised (but w...

A seminal result of Cleve (STOC ’86) is that complete fairness is impossible to achieve in two-party computation. In light of this, various techniques for obtaining partial fairness have been suggested in the literature. We propose a definition of partial fairness within the standard real-/ideal-world paradigm that addresses deficiencies of prior d...

Network coding offers the potential to increase throughput and improve robustness without any centralized control. Unfortunately, network coding is highly susceptible to “pollution attacks” in which malicious nodes modify packets improperly so as to prevent message recovery at the recipient(s); such attacks cannot be prevented using standard end-to...

Our objective in this chapter is to present a construction of a digital signature scheme based on the minimal assumption (cf. Theorem 2.1) that one-way functions exist. Along the way we will see a relatively simple construction, due to Lamport, of a one-time signature scheme based on the same assumption. We warn the reader at the outset that effici...

Loosely speaking, a digital signature scheme offers a cryptographic analogue of handwritten signatures that, in fact, provides much stronger security guarantees. Digital signatures serve as a powerful tool and are now accepted as legally binding in many countries; they can be used for certifying contracts or notarizing documents, for authentication...

An important class of signature schemes proven secure in the random oracle model is given by the full-domain hash (FDH) signature scheme and its variants. In addition to being simple and natural, as well as quite efficient, constructions in this family are also the basis for standardized signature schemes that are widely used.

In the past 10 years cryptographic constructions based on bilinear maps have become extremely popular, most prominently following their use in constructing identity-based encryption schemes. Bilinear maps have also led to several efficient signature schemes, and we explore two such constructions here.

The signature schemes described in the previous chapters, whether based on the RSA/strong RSA assumptions or bilinear maps, represent essentially the extent of what is currently known regarding efficient yet provably secure signature schemes.

There are currently two main techniques for constructing signature schemes in the random oracle model. The first technique uses the “full-domain hash” approach, and several schemes designed using this approach were introduced in the previous chapter. Here we cover the second central method, in which signature schemes are derived from so-called iden...

As noted in the previous chapter, it is impossible to construct a digital signature scheme that is secure against an all-powerful adversary. Instead, the best we can hope for is to construct schemes that are secure against computationally bounded adversaries (that, for our purposes, means adversaries running in probabilistic polynomial time). Even for...

The signature schemes described in the previous chapter have the advantage of being based on very weak cryptographic assumptions, but have the drawback of being incredibly inefficient. (Even the Lamport scheme, which could conceivably be used, has very large public keys and signatures.) It is natural to wonder whether relying on stronger, more spec...

Constructions of cryptographic primitives based on general assumptions (e.g., one-way functions) tend to be less efficient than constructions based on specific (e.g., number-theoretic) assumptions. This has prompted a recent line of research aimed at investigating the best possible efficiency of (black-box) cryptographic constructions based on gene...

We propose a new methodology for rational secret sharing leading to various instantiations (in both the two-party and multi-party settings) that are simple and efficient in terms of computation, share size, and round complexity. Our protocols do not require physical assumptions or simultaneous channels, and can even be run over asynchronous, point-...

We consider the problem of private function evaluation (PFE) in the two-party setting. Here, informally, one party holds an input x while the other holds a (circuit describing a) function f; the goal is for one (or both) of the parties to learn f(x) while revealing nothing more to either party. In contrast to the usual setting of secure computation...

Two settings are traditionally considered for secure multiparty computation, depending on whether or not a majority of the parties are assumed to be honest. Existing protocols that assume an honest majority provide “full security” (and, in particular, guarantee output delivery and fairness) when this assumption holds, but are completely insecure if...

Garbled circuits play a key role in secure computation, but existing implementations do not scale and are not modular. In this paper we present VMCrypt, a library for secure computation. This library introduces novel algorithms that, regardless of the circuit being garbled or its size, have a very small memory requirement and use no disk storage. By...

In this paper we present a general framework for password-based authenticated key exchange protocols, in the common reference string model. Our protocol is actually an abstraction of the key exchange protocol of Katz et al. and is based on the recently introduced notion of smooth projective hashing by Cramer and Shoup. We gain a number of benefits from this abstraction. Fir...

Consider two parties holding samples from correlated distributions $W$ and $W'$, respectively, where these samples are within distance $t$ of each other in some metric space. The parties wish to agree on a close-to-uniformly distributed secret key $R$ by sending a single message over an insecure channel controlled by an all-powerful adversar...

In recent years, there has been a major effort to design cryptographic schemes that remain secure even when arbitrary information about the secret key is leaked (e.g., via side-channel attacks). We explore the possibility of achieving security under *continual* leakage from the *entire* secret key by designing schemes in which the secret ke...

Motivated by the problem of private DNA matching, we consider the design of efficient protocols for secure text processing. Here, informally, a party P1 holds a text T and a party P2 holds a pattern p and some additional information y, and P2 wants to learn {f(T,j,y)} for all locations j where p is found as a substring in T. (In particular, this ge...

Digital Signatures is the first comprehensive account of the theoretical principles and techniques used in the design of provably secure signature schemes. In addition to providing the reader with a better understanding of the security guarantees provided by digital signatures, the book also contains full descriptions and detailed proofs for essent...

Public-key cryptography ensures both secrecy and authenticity of communication using public-key encryption schemes and digital signatures, respectively. Following a brief introduction to the public-key setting (and a comparison with the classical symmetric-key setting), we present rigorous definitions of security for public-key encryption and digit...