Content uploaded by Oded Goldreich

Author content

All content in this area was uploaded by Oded Goldreich

Content may be subject to copyright.

We present a polynomial-time algorithm that, given as input the description of a game with incomplete information and any number of players, produces a protocol for playing the game that leaks no partial information, provided a majority of the players is honest.
Our algorithm automatically solves all the multi-party protocol problems addressed in complexity-based cryptography during the last 10 years. It is in fact a completeness theorem for the class of distributed protocols with honest majority. Such a completeness theorem is optimal in the sense that, if the majority of the players is not honest, some protocol problems have no efficient solution [C].


... Now we bootstrap this protocol into a maliciously secure one. Note that the most standard approaches such as the GMW compiler [GMW87] would not immediately work. To see this, we re-emphasize the two requirements. ...

... The compiler needs to be "black-box" in the sense that it should be insensitive to the presence of a quantum-computable primitive. Compilers like [GMW87] are not even relativizing since they use zero-knowledge protocols to prove statements about the underlying protocol. The underlying protocol here involves computing a quantum-computable cryptographic primitive, thus it appears that a zero-knowledge protocol for must be used instead. ...

We construct a classical oracle relative to which $\mathsf{P} = \mathsf{NP}$ but quantum-computable quantum-secure trapdoor one-way functions exist. This is a substantial strengthening of the result of Kretschmer, Qian, Sinha, and Tal (STOC 2023), which only achieved single-copy pseudorandom quantum states relative to an oracle that collapses $\mathsf{NP}$ to $\mathsf{P}$. For example, our result implies not only multi-copy pseudorandom states and pseudorandom unitaries, but also classical-communication public-key encryption, signatures, and oblivious transfer schemes relative to an oracle on which $\mathsf{P}=\mathsf{NP}$. Hence, in our new relativized world, classical computers live in "Algorithmica" whereas quantum computers live in "Cryptomania," using the language of Impagliazzo's worlds. Our proof relies on a new distributional block-insensitivity lemma for $\mathsf{AC^0}$ circuits, wherein a single block is resampled from an arbitrary distribution.

... The primary party then employs attention blocks for forward propagation to compute the final prediction (line 13). Backpropagation sends gradient updates from the primary to the secondary parties to refine their local models (lines 14-16). The privacy mechanisms, including norm clipping (lines 8, 11) and distributed Gaussian noise (line 12), are further discussed in Section 6. ...

... In our analysis, we assess the computational efficiency of standard addition compared to multi-party computation (MPC) addition, as shown in Table 7. Under the arithmetic GMW protocol [15], and given that the size of the aggregated vector varies by dataset, we use a typical size for our experiments. Specifically, we conduct MPC addition to aggregate 10,000-dimensional vectors from multiple parties. ...

Federated Learning (FL) is an evolving paradigm that enables multiple parties to collaboratively train models without sharing raw data. Among its variants, Vertical Federated Learning (VFL) is particularly relevant in real-world, cross-organizational collaborations, where distinct features of a shared instance group are contributed by different parties. In these scenarios, parties are often linked using fuzzy identifiers, leading to a common practice termed multi-party fuzzy VFL. Existing models generally address either multi-party VFL or fuzzy VFL between two parties. Extending these models to practical multi-party fuzzy VFL typically results in significant performance degradation and increased costs for maintaining privacy. To overcome these limitations, we introduce the Federated Transformer (FeT), a novel framework that supports multi-party VFL with fuzzy identifiers. FeT innovatively encodes these identifiers into data representations and employs a transformer architecture distributed across different parties, incorporating three new techniques to enhance performance. Furthermore, we have developed a multi-party privacy framework for VFL that integrates differential privacy with secure multi-party computation, effectively protecting local representations while minimizing the associated utility costs. Our experiments demonstrate that FeT surpasses the baseline models by up to 46% in accuracy when scaled to 50 parties. Additionally, in two-party fuzzy VFL settings, FeT also shows improved performance and privacy over cutting-edge VFL models.
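As an added worked example (not code from the FeT paper), the following Python shows the kind of MPC addition the snippets above describe: each party clips its local vector, adds its portion of the distributed Gaussian noise, fixed-point encodes the result into the ring Z_{2^32} and additively secret-shares it, after which the parties only ever sum shares and open the final sum. The ring, the 16-bit fixed-point scale, the per-party noise split of sigma/sqrt(n), and the sample 10,000-dimensional vectors are assumptions made for this demo, not the paper's parameters.

```python
import math
import random

MOD = 2 ** 32      # ring for additive secret sharing (arithmetic-GMW style); demo assumption
SCALE = 2 ** 16    # fixed-point scale: 16 fractional bits; demo assumption


def encode(vec):
    """Fixed-point encode reals into Z_MOD (negative values wrap, two's-complement style)."""
    return [int(round(v * SCALE)) % MOD for v in vec]


def decode(ring_vec):
    """Inverse of encode: map ring elements back to signed reals."""
    out = []
    for r in ring_vec:
        if r >= MOD // 2:
            r -= MOD
        out.append(r / SCALE)
    return out


def clip_norm(vec, bound):
    """L2 norm clipping: scale the vector down if its norm exceeds `bound`."""
    norm = math.sqrt(sum(v * v for v in vec))
    if norm <= bound:
        return list(vec)
    return [v * bound / norm for v in vec]


def share(ring_vec, n_parties, rng):
    """Split a ring vector into n additive shares; any n-1 of them are uniformly random."""
    assert n_parties >= 2, "additive sharing needs at least two parties"
    shares = [[rng.randrange(MOD) for _ in ring_vec] for _ in range(n_parties - 1)]
    last = [(x - sum(col)) % MOD for x, col in zip(ring_vec, zip(*shares))]
    shares.append(last)
    return shares


def add_shares(share_a, share_b):
    """Local addition of two share vectors held by the same party."""
    return [(a + b) % MOD for a, b in zip(share_a, share_b)]


def reconstruct(shares):
    """Open a shared vector by summing every party's share coordinate-wise."""
    return [sum(col) % MOD for col in zip(*shares)]


def secure_aggregate(local_vecs, clip_bound, sigma, rng):
    """Each party clips, adds N(0, sigma^2/n) noise (so the opened sum carries N(0, sigma^2)),
    secret-shares the result, and every party sums the shares it holds; only the sum is opened."""
    n = len(local_vecs)
    per_party_sigma = sigma / math.sqrt(n)
    acc = None  # acc[j] is party j's share of the running sum
    for vec in local_vecs:
        clipped = clip_norm(vec, clip_bound)
        noised = [v + rng.gauss(0.0, per_party_sigma) for v in clipped]
        shares = share(encode(noised), n, rng)  # this party hands one share to each party
        acc = shares if acc is None else [add_shares(a, s) for a, s in zip(acc, shares)]
    return decode(reconstruct(acc))


def plaintext_aggregate(local_vecs, clip_bound):
    """Reference computation in the clear (no noise), used to check the MPC result."""
    out = [0.0] * len(local_vecs[0])
    for vec in local_vecs:
        for i, v in enumerate(clip_norm(vec, clip_bound)):
            out[i] += v
    return out


def demo(n_parties=5, dim=10000, seed=1, clip_bound=1.0, sigma=0.0):
    """Constructed sample input: each party holds a random local vector of dimension `dim`."""
    rng = random.Random(seed)
    local = [[rng.uniform(-1.0, 1.0) for _ in range(dim)] for _ in range(n_parties)]
    return secure_aggregate(local, clip_bound, sigma, rng), plaintext_aggregate(local, clip_bound)
```

With sigma = 0 the opened sum matches the plaintext sum up to fixed-point rounding; with sigma > 0 the opened sum is the clipped sum plus one Gaussian sample per coordinate, and no party ever sees another party's clipped vector, only uniformly random shares of it. The `random` module is used for reproducibility of the demo; share randomness in a deployment must come from a cryptographic source.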

... OT has been shown to be complete for secure multi-party computation [48], i.e., any such task, including OLE, can be achieved given an OT implementation. A compelling reason to study OLE protocols is that they can serve as building blocks for the secure evaluation of arithmetic circuits [4,32,35,38], just like OT allows the secure evaluation of boolean circuits [41]. Specifically, OLE can be used to generate multiplication triples which are the basic tool for securely computing multiplication gates [32]. ...

Oblivious linear evaluation is a generalization of oblivious transfer, whereby two distrustful parties obliviously compute a linear function, f ( x ) = a x + b , i.e., each one provides their inputs that remain unknown to the other, in order to compute the output f ( x ) that only one of them receives. From both a structural and a security point of view, oblivious linear evaluation is fundamental for arithmetic-based secure multi-party computation protocols. In the classical case, oblivious linear evaluation protocols can be generated using oblivious transfer, and their quantum counterparts can, in principle, be constructed as straightforward extensions using quantum oblivious transfer. Here, we present the first, to the best of our knowledge, quantum protocol for oblivious linear evaluation that, furthermore, does not rely on quantum oblivious transfer. We start by presenting a semi-honest protocol, and then extend it to the dishonest setting employing a c o m m i t − a n d − o p e n strategy. Our protocol uses high-dimensional quantum states to obliviously compute f ( x ) on Galois Fields of prime and prime-power dimension. These constructions utilize the existence of a complete set of mutually unbiased bases in prime-power dimension Hilbert spaces and their linear behaviour upon the Heisenberg-Weyl operators. We also generalize our protocol to achieve vector oblivious linear evaluation, where several instances of oblivious linear evaluation are generated, thus making the protocol more efficient. We prove the protocols to have static security in the framework of quantum universal composability.
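The following Python is an added example, not code from either paper above: it builds classical OLE over GF(p) from 1-out-of-2 OT (one OT per bit of the receiver's input, in the style of Gilboa's construction), uses two OLEs to produce a Beaver multiplication triple, and then multiplies two secret-shared values with that triple, which is the use of OLE the snippet describes. The OT is modelled as an ideal functionality (a plain selection, not a protocol), and the field GF(2^61 - 1) is an assumption for the demo.

```python
import secrets

P = 2 ** 61 - 1      # prime field GF(P) for the demo (assumption; any prime works)
K = P.bit_length()   # bits needed to represent a field element


def ideal_ot(m0, m1, choice):
    """Stand-in for an ideal 1-out-of-2 OT: receiver learns m_choice, sender learns nothing.
    In a deployment this is a real OT protocol; here it is just a selection."""
    return m1 if choice else m0


def ole_from_ot(a, b, x):
    """OLE from OT: sender holds (a, b), receiver holds x; receiver learns a*x + b mod P.
    The sender's K random pads sum to b, so the sum of what the receiver gets is a*x + b."""
    pads = [secrets.randbelow(P) for _ in range(K - 1)]
    pads.append((b - sum(pads)) % P)
    received = []
    for i in range(K):
        x_i = (x >> i) & 1
        m0 = pads[i]                                # chosen if bit i of x is 0
        m1 = (pads[i] + a * pow(2, i, P)) % P       # chosen if bit i of x is 1
        received.append(ideal_ot(m0, m1, x_i))      # each received value is uniform on its own
    return sum(received) % P


def beaver_triple(a0, a1, b0, b1):
    """P0 holds (a0, b0), P1 holds (a1, b1). Two OLEs share the cross terms of (a0+a1)(b0+b1).
    Returns (c0, c1) with c0 + c1 = (a0+a1)*(b0+b1) mod P."""
    u = secrets.randbelow(P)
    t1 = ole_from_ot(a0, (-u) % P, b1)   # P0 sender with (a0, -u); P1 inputs b1, gets a0*b1 - u
    v = secrets.randbelow(P)
    t0 = ole_from_ot(a1, (-v) % P, b0)   # P1 sender with (a1, -v); P0 inputs b0, gets a1*b0 - v
    c0 = (a0 * b0 + u + t0) % P
    c1 = (a1 * b1 + v + t1) % P
    return c0, c1


def make_triple():
    """Each party samples its own random shares of a and b, then they run beaver_triple."""
    a0, a1, b0, b1 = (secrets.randbelow(P) for _ in range(4))
    c0, c1 = beaver_triple(a0, a1, b0, b1)
    return (a0, a1), (b0, b1), (c0, c1)


def share(val):
    """Additive two-party sharing of a field element."""
    s0 = secrets.randbelow(P)
    return s0, (val - s0) % P


def beaver_multiply(x_shares, y_shares, triple):
    """Multiplication gate from shares of x, y and one triple (a, b, c):
    open d = x - a and e = y - b, then [z] = [c] + d[b] + e[a] + d*e."""
    (x0, x1), (y0, y1) = x_shares, y_shares
    (a0, a1), (b0, b1), (c0, c1) = triple
    d = (x0 - a0 + x1 - a1) % P   # both parties learn d and e; they reveal nothing about x, y
    e = (y0 - b0 + y1 - b1) % P
    z0 = (c0 + d * b0 + e * a0 + d * e) % P   # only one party adds the public d*e term
    z1 = (c1 + d * b1 + e * a1) % P
    return z0, z1


def secure_product(x, y):
    """End to end: share x and y, consume one triple, open the product (for checking only)."""
    z0, z1 = beaver_multiply(share(x), share(y), make_triple())
    return (z0 + z1) % P
```

Each multiplication gate consumes one triple, so the online phase is just the two openings of d and e; all OT and OLE work moves into triple generation, which is exactly why OLE is the natural building block for arithmetic circuits.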

... However, there are also serious drawbacks, such as having to trust a cloud provider to maintain both the availability and privacy of our data in an era of frequent data breaches. Secure multi-party computation (MPC) [CCD88, GMW87,Yao86] allows a cloud comprised of many distinct machines to not only store, but also process our data securely. MPC guarantees that the data remains private even from an attacker controlling fewer than some threshold t of the machines. ...

YOSO MPC (Gentry et al., Crypto 2021) is a new MPC framework where each participant can speak at most once. This models an adaptive adversary’s ability to watch the network and corrupt or destroy parties it deems significant based on their communication. By using private channels to anonymous receivers (e.g. by encrypting to a public key whose owner is unknown), the communication complexity of YOSO MPC can scale sublinearly with the total number N of available parties, even when the adversary’s corruption threshold is linear in N (e.g. just under N/2). It was previously an open problem whether YOSO MPC can achieve guaranteed output delivery in a constant number of rounds without relying on trusted setup. In this work, we show that this can indeed be accomplished. We demonstrate three different approaches: the first two (which we call YaOSO and YOSO-GLS) use two and three rounds of communication, respectively. Our third approach (which we call YOSO-LHSS) uses O(d) rounds, where d is the multiplicative depth of the circuit being evaluated; however, it can be used to bootstrap any constant-round YOSO protocol that requires setup, by generating that setup within YOSO-LHSS. Though YOSO-LHSS requires more rounds than our first two approaches, it may be more practical, since the zero-knowledge proofs it employs are more efficient to instantiate. As a contribution of independent interest, we introduce a verifiable state propagation UC functionality, which allows parties to send private messages that are verifiably derived in the “correct” way (according to the protocol in question) to anonymous receivers. This is a natural functionality to build YOSO protocols on top of.

... We provide a brief introduction to MPC, radar fingerprints and the necessary statistics in Section 2. In Section 3, we report on some of the insights we gathered on sorting with many parties. We then go on to describe the threat model and the experiment setup in Section 4, before providing our results in Section 5.

2 Background

2.1 Secure multiparty computations

MPC [Yao86,GMW87] is a cryptographic technique allowing multiple parties to jointly compute a function over their inputs while keeping them confidential. Unlike traditional computation methods that rely on a central authority, MPC ensures that no single party learns more than what they can deduce from the output and their own input. ...

Vessels can be recognised by their navigation radar due to the characteristics of the emitted radar signal. This is particularly useful if one wants to build situational awareness without revealing one's own presence. Most countries maintain databases of radar fingerprints but will not readily share these due to national security regulations. Sharing of such information will generally require some form of information exchange agreement.
However, all parties in a coalition benefit from correct identification. We use secure multiparty computation to match a radar signal measurement against secret databases and output plausible matches with their likelihoods. We also provide a demonstrator using MP-SPDZ.

... Then parties 0 and 1 invoke a two-party computation protocol for equality check, whose functionality is described in Figure 10. The equality-check protocol can be constructed from garbled circuits (GC) [21,51] with several optimizations such as point-and-permute [3], Free-XOR [32], the half-gate [52], and fixed-key AES garbling [2]. ...
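As an added example (not the cited paper's protocol or code), here is a garbled-circuit equality check in Python using the point-and-permute and Free-XOR optimisations named in the snippet. The garbler builds eq = AND_i NOT(x_i XOR y_i): XOR gates need no table (labels are XORed), NOT is a relabeling, and each AND gate is a four-row table indexed by the point bits of its input labels. SHA-256 stands in for the fixed-key AES hash, the half-gate optimisation is omitted, and the evaluator's input labels are delivered by an ideal OT modelled as a direct selection; all of these are assumptions of the demo.

```python
import hashlib
import secrets

K = 16  # label length in bytes (128-bit wire labels)


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def lsb(label):
    return label[-1] & 1  # point-and-permute bit of a label


def hash_row(la, lb, gate_id):
    # Stand-in for the fixed-key AES garbling hash: SHA-256 truncated to K bytes (demo assumption)
    return hashlib.sha256(la + lb + gate_id.to_bytes(4, "big")).digest()[:K]


class Garbler:
    def __init__(self):
        delta = bytearray(secrets.token_bytes(K))
        delta[-1] |= 1  # Free-XOR global offset with lsb 1, so a wire's two labels have opposite point bits
        self.delta = bytes(delta)
        self.gate_id = 0

    def wire(self):
        w0 = secrets.token_bytes(K)
        return (w0, xor(w0, self.delta))  # (label for 0, label for 1)

    def xor_gate(self, a, b):
        c0 = xor(a[0], b[0])  # Free-XOR: no garbled table at all
        return (c0, xor(c0, self.delta))

    def not_gate(self, a):
        return (a[1], a[0])  # free: swap which label means 0 and which means 1

    def and_gate(self, a, b):
        self.gate_id += 1
        c = self.wire()
        table = [None] * 4
        for va in (0, 1):
            for vb in (0, 1):
                la, lb = a[va], b[vb]
                row = (lsb(la) << 1) | lsb(lb)  # point-and-permute: row chosen by the point bits
                table[row] = xor(hash_row(la, lb, self.gate_id), c[va & vb])
        return c, (self.gate_id, table)


def eval_and(la, lb, garbled):
    """Evaluator decrypts exactly one row of the AND table, selected by the point bits it holds."""
    gate_id, table = garbled
    row = (lsb(la) << 1) | lsb(lb)
    return xor(hash_row(la, lb, gate_id), table[row])


def garble_equality(nbits):
    """Garbler: eq = AND_i NOT(x_i XOR y_i). Returns input wires, AND tables and the output decode bit."""
    g = Garbler()
    xw = [g.wire() for _ in range(nbits)]
    yw = [g.wire() for _ in range(nbits)]
    acc, tables = None, []
    for i in range(nbits):
        same = g.not_gate(g.xor_gate(xw[i], yw[i]))  # wire is 1 iff x_i == y_i
        if acc is None:
            acc = same
        else:
            acc, t = g.and_gate(acc, same)
            tables.append(t)
    decode_bit = lsb(acc[0])  # output decoding: value = lsb(label) XOR decode_bit
    return xw, yw, tables, decode_bit


def evaluate_equality(x, y, nbits, xw, yw, tables, decode_bit):
    """Evaluator: x labels come from the garbler, y labels via OT (ideal OT modelled as selection)."""
    x_labels = [xw[i][(x >> i) & 1] for i in range(nbits)]
    y_labels = [yw[i][(y >> i) & 1] for i in range(nbits)]  # only the chosen label is ever seen
    acc, ti = None, 0
    for i in range(nbits):
        same = xor(x_labels[i], y_labels[i])  # Free-XOR; the NOT is a relabeling, nothing to do
        if acc is None:
            acc = same
        else:
            acc = eval_and(acc, same, tables[ti])
            ti += 1
    return lsb(acc) ^ decode_bit


def equality_check(x, y, nbits=32):
    """Whole protocol for two nbits-bit inputs; returns 1 iff x == y."""
    xw, yw, tables, decode_bit = garble_equality(nbits)
    return evaluate_equality(x, y, nbits, xw, yw, tables, decode_bit)
```

Only nbits - 1 AND gates carry tables; everything else is free. Because the lsb of delta is 1, the two labels of every wire land in different rows, which is what lets the evaluator pick a row without trial decryption. Free-XOR requires the hash to be circular-correlation robust, so the SHA-256 stand-in should not be read as a security claim for the construction as written.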

This paper studies multi-party private set union (mPSU), a fundamental cryptographic problem that allows multiple parties to compute the union of their respective datasets without revealing any additional information. We propose an efficient mPSU protocol which is secure in the presence of any number of colluding semi-honest participants. Our protocol avoids computationally expensive homomorphic operations or generic multi-party computation, thus providing an efficient solution for mPSU. The crux of our protocol lies in the utilization of a new cryptographic tool, namely Membership Oblivious Transfer (mOT). We believe that mOT may be of independent interest. We implement our mPSU protocol and evaluate its performance. Our protocol shows an improvement of up to $80.84\times$ in running time and $405.73\times$ in bandwidth cost compared to the existing state-of-the-art protocols.

... In this section, we introduce the notion of non-interactive zero knowledge (NIZK) proofs [11,38,44]. Besides completeness, a NIZK system should also fulfill the notions of soundness and zero-knowledge, which we introduce in the following two definitions: ...

Privacy-preserving payment systems face the difficult task of balancing privacy and accountability: on one hand, users should be able to transact privately and anonymously; on the other hand, no illegal activities should be tolerated. The challenging question of finding the right balance lies at the core of the research on accountable privacy, which stipulates the use of cryptographic techniques for policy enforcement. Current state-of-the-art systems are only able to enforce rather limited policies, such as spending or transaction limits, or assertions about single participants, but are unable to enforce more complex policies that, for example, jointly evaluate the private credentials of both sender and recipient, as occurs in cross-border payments, let alone do so without auditors in the loop during payment. This severely limits the cases where decentralized virtual assets can be used in accordance with regulatory requirements such as the Financial Action Task Force (FATF) travel rule while retaining strong privacy features. We present unlinkable Policy-Compliant Signatures (ul-PCS), an enhanced cryptographic primitive extending the work of Badertscher et al. (TCC 21). We give rigorous definitions, formally proven constructions, and benchmarks using our prototype developed with CharmCrypto, which gives the first insights into the feasibility of PCS. Unlinkable PCS has the following unique combination of features: 1) It is an enhanced signature scheme where the public key encodes, in a privacy-preserving way, the user's verifiable credentials (obtained from a credential authority). 2) Signatures are created (and later publicly verified) by specifying a recipient's public key alongside the to-be-signed message. A valid signature can only ever be created if the attributes $x_S$ of the signer and the attributes $x_R$ of the receiver fulfill some global policy $F(x_S,x_R)$. 3) The signature can be created by the signer knowing only the recipient's public key; no further interaction is needed and no information is leaked (beyond the validity of the policy). 4) Once credentials are obtained, a user can generate fresh public keys without interacting with the credential authority. By merging the act of signing a transaction with the act of providing assurance that the involved participants comply with complex policies, while retaining the ability of participants to change public keys without the involvement of an authority, we formally show how ul-PCS is a step towards improving the regulatory compliance of privacy coins such as Monero or Zcash.

Smart cities, which can monitor the real world and provide smart services in a variety of fields, have improved people's living standards as urbanization has accelerated. However, there are security and privacy concerns because smart city applications collect large amounts of privacy-sensitive information from people and their social circles. Anonymization, which generalizes data and reduces data uniqueness, is an important step in preserving the privacy of sensitive information. However, anonymization methods frequently require large datasets and rely on untrusted third parties to collect and manage data, particularly in a cloud environment. In this case, private data leakage remains a critical issue, discouraging users from sharing their data and impeding the advancement of smart city services. This problem can be solved if the computing entity performs anonymization without obtaining the original plaintext. This study proposes a hierarchical k-anonymization framework using homomorphic encryption and secret sharing, composed of two types of domains. The computing method is selected flexibly, and the two domains are connected hierarchically to obtain higher-level anonymization results efficiently. The experimental results show that connecting the two domains accelerates the anonymization process, indicating that the proposed secure hierarchical architecture is practical and efficient.

Randomized protocols for signing contracts, certified mail, and flipping a coin are presented. The protocols use a 1-out-of-2 oblivious transfer subprotocol which is axiomatically defined.
The 1-out-of-2 oblivious transfer allows one party to transfer exactly one secret, out of two recognizable secrets, to his counterpart. The first (second) secret is received with probability one half, while the sender is ignorant of which secret has been received.
An implementation of the 1-out-of-2 oblivious transfer, using any public key cryptosystem, is presented.
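An added example, not the construction from the paper above: a 1-out-of-2 OT built from a public-key cryptosystem in Python, in the style of the Bellare-Micali protocol. The receiver publishes two ElGamal public keys whose product equals a sender-chosen group element c, so it can know the secret key of at most one of them; the sender checks that relation and encrypts one message under each key (hashed ElGamal). The sender learns nothing about which key the receiver can open, and the receiver can open only one ciphertext. The tiny safe-prime group and the messages are toy assumptions for the demo.

```python
import hashlib
import secrets

# Toy group parameters (demo assumption): safe prime p = 2q + 1, g generates the order-q subgroup.
P = 2879
Q = (P - 1) // 2
G = 4  # 4 = 2^2 is a quadratic residue, hence lies in (and generates) the order-q subgroup


def kdf(shared, length):
    """Derive a keystream of `length` bytes from a shared group element (hashed ElGamal)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(shared.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def ot_sender_setup():
    """Sender picks a random group element c; the receiver must not know its discrete log."""
    return pow(G, secrets.randbelow(Q - 1) + 1, P)


def ot_receiver_keys(c, choice):
    """Receiver: pk_choice = g^k with known k, the other key is c / pk_choice (discrete log unknown)."""
    k = secrets.randbelow(Q - 1) + 1
    pk_chosen = pow(G, k, P)
    pk_other = (c * pow(pk_chosen, -1, P)) % P
    pks = (pk_chosen, pk_other) if choice == 0 else (pk_other, pk_chosen)
    return pks, k


def ot_sender_encrypt(c, pks, m0, m1):
    """Sender: verify pk0 * pk1 == c (so at most one secret key is known), then encrypt m_i under pk_i."""
    pk0, pk1 = pks
    if (pk0 * pk1) % P != c:
        raise ValueError("receiver's keys are inconsistent with c")
    cts = []
    for pk, m in ((pk0, m0), (pk1, m1)):
        r = secrets.randbelow(Q - 1) + 1
        cts.append((pow(G, r, P), xor_bytes(m, kdf(pow(pk, r, P), len(m)))))
    return cts


def ot_receiver_decrypt(cts, choice, k):
    """Receiver: only the ciphertext under pk_choice can be opened with k."""
    c1, masked = cts[choice]
    return xor_bytes(masked, kdf(pow(c1, k, P), len(masked)))


def run_ot(m0, m1, choice):
    """Whole exchange: sender -> c, receiver -> (pk0, pk1), sender -> two ciphertexts."""
    c = ot_sender_setup()
    pks, k = ot_receiver_keys(c, choice)
    cts = ot_sender_encrypt(c, pks, m0, m1)
    return ot_receiver_decrypt(cts, choice, k)
```

The consistency check pk0 * pk1 == c is the whole point of the sender's side: a receiver that knew both secret keys would know the discrete log of c. Conversely, the pair (pk0, pk1) is a uniformly random pair with product c regardless of the choice bit, so the sender's view is independent of it.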

Pseudorandom generators transform in polynomial time a short random “seed” into a long “pseudorandom” string. This string cannot be random in the classical sense of [6], but testing that requires an unrealistic amount of time (say, exhaustive search for the seed). Such pseudorandom generators were first discovered in [2] assuming that the function $a^x \bmod b$ is one-way, i.e., easy to compute, but hard to invert on a noticeable fraction of instances. In [12] this assumption was generalized to the existence of any one-way permutation. The permutation requirement is sufficient but still very strong. It is unlikely to be proven necessary, unless something crucial, like P=NP, is discovered. Below, among other observations, a weaker assumption about one-way functions is proposed, which is not only sufficient, but also necessary for the existence of pseudorandom generators.

The authors give a set of conditions that allow one to generate 50-50 unpredictable bits. Based on those conditions, they present a general algorithmic scheme for constructing polynomial-time deterministic algorithms that stretch a short secret random input into a long sequence of unpredictable pseudo-random bits. They give an implementation of their scheme and exhibit a pseudo-random bit generator for which any efficient strategy for predicting the next output bit with better than 50-50 chance is easily transformable to an 'equally efficient' algorithm for solving the discrete logarithm problem. In particular: if the discrete logarithm problem cannot be solved in probabilistic polynomial time, no probabilistic polynomial-time algorithm can guess the next output bit better than by flipping a coin: if 'heads' guess '0', if 'tails' guess '1'.
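As an added example serving both this abstract and the preceding one about generators built on $a^x \bmod b$ (it is not the authors' code), the following Python implements the Blum-Micali generator: the state is iterated as x_{i+1} = g^{x_i} mod p and each output bit is the predicate B(x) = [x < (p-1)/2], the bit whose prediction from g^x is as hard as taking discrete logarithms. Bits are emitted in reverse order of computation, as in the construction, so that "next bit" prediction corresponds to predicting B(x_i) from x_{i+1}. The prime p = 2879 is a toy assumption; a real instance needs a large prime.

```python
P = 2879  # toy safe prime p = 2q + 1 (demo assumption); a real instance needs a large prime
Q = (P - 1) // 2


def find_generator(p):
    """Smallest primitive root of Z_p^* for a safe prime p = 2q + 1:
    a quadratic non-residue other than -1 has order 2q = p - 1."""
    q = (p - 1) // 2
    for g in range(2, p - 1):
        if pow(g, q, p) == p - 1:  # Euler's criterion: non-residue
            return g
    raise ValueError("no generator found")


G = find_generator(P)


def hard_bit(x):
    """Blum-Micali predicate B(x) = 1 iff x < (p-1)/2. Predicting B(x) from g^x mod p
    with non-negligible advantage yields a discrete-log algorithm (the lsb of x, by contrast, is easy)."""
    return 1 if x < Q else 0


def blum_micali(seed, nbits):
    """Stretch a seed in [1, p-1] into nbits pseudo-random bits: x_{i+1} = g^{x_i} mod p, output B(x_i).
    The states themselves are never revealed; only the predicate bits are."""
    if not 1 <= seed < P:
        raise ValueError("seed must be in [1, p-1]")
    x = seed
    bits = []
    for _ in range(nbits):
        x = pow(G, x, P)
        bits.append(hard_bit(x))
    bits.reverse()  # output order as in the original construction
    return bits


def bits_to_int(bits):
    """Pack a bit list (most significant first) into an integer."""
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v
```

Each output bit costs one modular exponentiation, which is why this generator is of theoretical rather than practical interest; its value is the reduction: a next-bit predictor for the output is an oracle for the hard bit of the discrete logarithm, and the hard bit in turn recovers the whole logarithm.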

In this paper we demonstrate the generality and wide applicability of zero-knowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff. These are probabilistic and interactive proofs that, for the members x of a language L, efficiently demonstrate membership in the language without conveying any additional knowledge. So far, zero-knowledge proofs were known only for some number theoretic languages in NP ∩ Co-NP.
