No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Additive Randomized Encodings and Their Applications
Abstract
Addition of n inputs is often the easiest nontrivial function to compute securely. Motivated by several open questions, we ask what can be computed securely given only an oracle that computes the sum. Namely, what functions can be computed in a model where parties can only encode their input locally, then sum up the encodings over some Abelian group , and decode the result to get the function output.An additive randomized encoding (ARE) of a function maps every input independently into a randomized encoding , such that reveals and nothing else about the inputs. In a robust ARE, the sum of any subset of the only reveals the residual function obtained by restricting the corresponding inputs.
We obtain positive and negative results on ARE. In particular:
Information-theoretic ARE. We fully characterize the 2-party functions admitting a perfectly secure ARE. For parties, we show a useful “capped sum” function that separates statistical security from perfect security.
Computational ARE. We present a general feasibility result, showing that all functions can be computed in this model, under a standard hardness assumption in bilinear groups. We also describe a heuristic lattice-based construction.
Robust ARE. We present a similar feasibility result for robust computational ARE based on ideal obfuscation along with standard cryptographic assumptions.
We then describe several applications of ARE and the above results.
Under a standard cryptographic assumption, our computational ARE schemes imply the feasibility of general non-interactive secure computation in the shuffle model, where messages from different parties are shuffled. This implies a general utility-preserving compiler from differential privacy in the central model to computational differential privacy in the (non-robust) shuffle model.
The existence of information-theoretic robust ARE implies “best-possible” information-theoretic MPC protocols (Halevi et al., TCC 2018) and degree-2 multiparty randomized encodings (Applebaum et al., TCC 2018). This yields new positive results for specific functions in the former model, as well as a simple unifying barrier for obtaining negative results in both models.
We design a novel, communication-efficient, failure-robust protocol for secure aggregation of high-dimensional data. Our protocol allows a server to compute the sum of large, user-held data vectors from mobile devices in a secure manner (i.e. without learning each user's individual contribution), and can be used, for example, in a federated learning setting, to aggregate user-provided model updates for a deep neural network. We prove the security of our protocol in the honest-but-curious and active adversary settings, and show that security is maintained even if an arbitrarily chosen subset of users drop out at any time. We evaluate the efficiency of our protocol and show, by complexity analysis and a concrete implementation, that its runtime and communication overhead remain low even on large data sets and client pools. For 16-bit input values, our protocol offers $1.73 x communication expansion for 2¹⁰ users and 2²⁰-dimensional vectors, and 1.98 x expansion for 2¹⁴ users and 2²⁴-dimensional vectors over sending data in the clear.
Every function of n inputs can be efficiently computed by a complete network of n processors in such a way that:
If no faults occur, no set of size t < n/2 of players gets any additional information (other than the function value),Even if Byzantine faults are allowed, no set of size t < n/3 can either disrupt the computation or get additional information.Furthermore, the above bounds on t are tight!
It has been shown previously how almost any multiparty protocol problem can be solved. All the constructions suggested so far rely on trapdoor one-way functions, and therefore must assume essentially that public key cryptography is possible. It has also been shown that unconditional protection of a single designated participant is all that can be achieved under that model. Assuming only authenticated secrecy channels between pairs of participants, we show that essentially any multiparty protocol problem can be solved. Such a model actually implies the further requirement that less than one third of the participants deviate from the protocol. The techniques presented do not, however, rely on any cryptographic assumptions; they achieve the optimal result and provide security as good as the secrecy and authentication of the channels used. Moreover, the constructions have a built-in fault tolerance: once the participants have sent messages committing themselves to the secrets they will use in the protocol, there is no way less than a third of them can stop the protocol from completing correctly. Our technique relies on the so called key-safeguarding or secret-sharing schemes proposed by Blakley and Shamir as basic building blocks. The usefulness of their homomorphic structure was observed by Benaloh, who proposed techniques very similar to ours.
Informally, an obfuscator
\(
\mathcal{O}
\) is an (efficient, probabilistic) “compiler” that takes as input a program (or circuit) P and produces a new program \(
\mathcal{O}
\)(P) that has the same functionality as P yet is “unintelligible” in some sense. Obfuscators, if they exist, would have a wide variety of cryptographic and complexity-theoretic applications, ranging from software protection to homomorphic encryption to complexity-theoretic analogues of Rice’s theorem. Most of these applications are based on an interpretation of the “unintelligibility” condition in obfuscation as meaning that \(
\mathcal{O}
\) is a “virtual black box,” in the sense that anything one can efficiently compute given \(
\mathcal{O}
\), one could also efficiently compute given oracle access to P.
In this work, we initiate a theoretical investigation of obfuscation. Our main result is that, even under very weak formalizations of the above intuition, obfuscation is impossible. We prove this by constructing a family of functions \(
\mathcal{F}
\) that are inherently unobfuscatable in the following sense: there is a property π: \(
\mathcal{F}
\) → {0,1} such that (a) given any program that computes a function f ∈ \(
\mathcal{F}
\), the value π(f) can be efficiently computed, yet (b) given oracle access to a (randomly selected) function f ∈ \(
\mathcal{F}
\), no efficient algorithm can compute π(f) much better than random guessing. We extend our impossibility result in a number of ways, including even obfuscators that (a) are not necessarily computable in polynomial time, (b) only approximately preserve the functionality, and (c) only need to work for very restricted models of computation (TC
0). We also rule out several potential applications of obfuscators, by constructing “unobfuscatable” signature schemes, encryption schemes, and pseudorandom function families.
We introduce a new idealized model of hash functions, which we refer to as the pseudorandom oracle (Pr) model. Intuitively, it allows us to model cryptosystems that use the code of an ideal hash function in a non-black-box way. Formally, we model hash functions via a combination of a pseudorandom function (PRF) family and an ideal oracle. A user can initialize the hash function by choosing a PRF key k and mapping it to a public handle h using the oracle. Given the handle h and some input x, the oracle can also be called to evaluate the PRF at x with the corresponding key k. A user who chooses the PRF key k therefore has a complete description of the hash function and can use its code in non-black-box constructions, while an adversary, who just gets the handle h, only has black-box access to the hash function via the oracle.As our main result, we show how to construct ideal obfuscation in the Pr model, starting from functional encryption (FE), which in turn can be based on well-studied polynomial hardness assumptions. In contrast, we know that ideal obfuscation cannot be instantiated in the basic random oracle model under any assumptions. We believe our result provides heuristic justification for the following: (1) most natural security goals implied by ideal obfuscation can be achieved in the real world; (2) obfuscation can be constructed from FE at polynomial security loss.We also discuss how to interpret our result in the Pr model as a construction of ideal obfuscation using simple hardware tokens or as a way to bootstrap ideal obfuscation for PRFs to that for all functions.
Multiparty randomized encodings (Applebaum, Brakerski, and Tsabary, SICOMP 2021) reduce the task of securely computing a complicated multiparty functionality f to the task of securely computing a simpler functionality g. The reduction is non-interactive and preserves information-theoretic security against a passive (semi-honest) adversary, also referred to as privacy. The special case of a degree-2 encoding g (2MPRE) has recently found several applications to secure multiparty computation (MPC) with either information-theoretic security or making black-box access to cryptographic primitives. Unfortunately, as all known constructions are based on information-theoretic MPC protocols in the plain model, they can only be private with an honest majority. In this paper, we break the honest-majority barrier and present the first construction of general 2MPRE that remains secure in the presence of a dishonest majority. Our construction encodes every n-party functionality f by a 2MPRE that tolerates at most t=⌊2n/3⌋ passive corruptions. We derive several applications including: (1) The first non-interactive client-server MPC protocol with perfect privacy against any coalition of a minority of the servers and up to t of the n clients; (2) Completeness of 3-party functionalities under non-interactive t-private reductions; and (3) A single-round t-private reduction from general-MPC to an ideal oblivious transfer (OT). These positive results partially resolve open questions that were posed in several previous works. We also show that t-private 2MPREs are necessary for solving (2) and (3), thus establishing new equivalence theorems between these three notions. Finally, we present a new approach for constructing fully-private 2MPREs based on multi-round protocols in the OT-hybrid model that achieve perfect privacy against active attacks. Moreover, by slightly restricting the power of the active adversary, we derive an equivalence between these notions. This forms a surprising, and quite unique, connection between a non-interactive passively-private primitive to an interactive actively-private primitive.
Consider the setup where n parties are each given an element in the finite field and the goal is to compute the sum in a secure fashion and with as little communication as possible. We study this problem in the anonymized model of Ishai et al. (FOCS 2006) where each party may broadcast anonymous messages on an insecure channel.
Every function of n inputs can be efficiently computed by a complete network of n processors in such a way that:
1. If no faults occur, no set of size t < n/2 of players gets any additional information (other than the function value),
2. Even if Byzantine faults are allowed, no set of size t < n/3 can either disrupt the computation or get additional information.
Furthermore, the above bounds on t are tight!
We present a polynomial-time algorithm that, given as a input the description of a game with incomplete information and any number of players, produces a protocol for playing the game that leaks no partial information, provided the majority of the players is honest.
Our algorithm automatically solves all the multi-party protocol problems addressed in complexity-based cryptography during the last 10 years. It actually is a completeness theorem for the class of distributed protocols with honest majority. Such completeness theorem is optimal in the sense that, if the majority of the players is not honest, some protocol problems have no efficient solution [c].
We consider the problem of designing scalable, robust protocols for computing statistics about sensitive data. Specifically, we look at how best to design differentially private protocols in a distributed setting, where each user holds a private datum. The literature has mostly considered two models: the “central” model, in which a trusted server collects users’ data in the clear, which allows greater accuracy; and the “local” model, in which users individually randomize their data, and need not trust the server, but accuracy is limited. Attempts to achieve the accuracy of the central model without a trusted server have so far focused on variants of cryptographic multiparty computation (MPC), which limits scalability.
A fundamental problem in the theory of secure multi-party computation (MPC) is to characterize functions with more than 2 parties which admit MPC protocols with information-theoretic security against passive corruption. This question has seen little progress since the work of Chor and Ishai (1996), which demonstrated difficulties in resolving it. In this work, we make significant progress towards resolving this question in the important case of aggregating functionalities, in which m parties hold inputs and an aggregating party must learn .
We reconsider the security guarantee that can be achieved by general protocols for secure multiparty computation in the most basic of settings: information-theoretic security against a semi-honest adversary. Since the 1980s, we have elegant solutions to this problem that offer full security, as long as the adversary controls a minority of the parties, but fail completely when that threshold is crossed. In this work, we revisit this problem, questioning the optimality of the standard notion of security. We put forward a new notion of information-theoretic security which is strictly stronger than the standard one, and which we argue to be “best possible.” This notion still requires full security against dishonest minority in the usual sense, and adds a meaningful notion of information-theoretic security even against dishonest majority.
We study the problem of non-interactive multiparty computation (NI-MPC) where a group of completely asynchronous parties can evaluate a function over their joint inputs by sending a single message to an evaluator who computes the output. Previously, the only general solutions to this problem that resisted collusions between the evaluator and a set of parties were based on multi-input functional encryption and required the use of complex correlated randomness setup.
Yao’s garbled circuit (GC) construction is a central cryptographic tool with numerous applications. In this tutorial, we study garbled circuits from a foundational point of view under the framework of randomized encoding (RE) of functions. We review old and new constructions of REs, present some lower bounds, and describe some applications. We also discuss new directions and open problems in the foundations of REs.
This paper presents Prio, a privacy-preserving system for the collection of aggregate statistics. Each Prio client holds a private data value (e.g., its current location), and a small set of servers compute statistical functions over the values of all clients (e.g., the most popular location). As long as at least one server is honest, the Prio servers learn nearly nothing about the clients' private data, except what they can infer from the aggregate statistics that the system computes. To protect functionality in the face of faulty or malicious clients, Prio uses secret-shared non-interactive proofs (SNIPs), a new cryptographic technique that yields a hundred-fold performance improvement over conventional zero-knowledge approaches. Prio extends classic private aggregation techniques to enable the collection of a large class of useful statistics. For example, Prio can perform a least-squares regression on high-dimensional client-provided data without ever seeing the data in the clear.
To what extent can a computation be made "simpler" by settling for computing a randomized encoding of the output? Originating from Yao's seminal idea of garbled circuits, answers to this question have found applications in cryptography and elsewhere. We will survey the state of the art on different flavors of this question that are motivated by different problems in secure computation and correspond to different notions of simplicity.
An evasive circuit family is a collection of circuits such that for every input x, a random circuit from outputs 0 on x with overwhelming probability. We provide a combination of definitional, constructive, and impossibility results regarding obfuscation for evasive functions:
1
The (average case variants of the) notions of virtual black box obfuscation (Barak et al, CRYPTO ’01) and virtual gray box obfuscation (Bitansky and Canetti, CRYPTO ’10) coincide for evasive function families. We also define the notion of input-hiding obfuscation for evasive function families, stipulating that for a random it is hard to find, given , a value outside the preimage of 0. Interestingly, this natural definition, also motivated by applications, is likely not implied by the seemingly stronger notion of average-case virtual black-box obfuscation.
2
If there exist average-case virtual gray box obfuscators for all evasive function families, then there exist (quantitatively weaker) average-case virtual gray obfuscators for all function families.
3
There does not exist a worst-case virtual black box obfuscator even for evasive circuits, nor is there an average-case virtual gray box obfuscator for evasive Turing machine families.
4
Let be an evasive circuit family consisting of functions that test if a low-degree polynomial (represented by an efficient arithmetic circuit) evaluates to zero modulo some large prime p. Then under a natural analog of the discrete logarithm assumption in a group supporting multilinear maps, there exists an input-hiding obfuscator for . Under a new perfectly-hiding multilinear encoding assumption, there is an average-case virtual black box obfuscator for the family .
We introduce and study the notion of non-interactive secure multiparty computation (NIMPC). An NIMPC protocol for a function f(x 1,…,x n ) is specified by a joint probability distribution R = (R 1,…,R n ) and local encoding functions Enc i (x i ,r i ), 1 ≤ i ≤ n. Given correlated randomness (r 1,…,r n ) ∈ R R, each party P i , using its input x i and its randomness r i , computes the message m i = Enc i (x i ,r i ). The messages m 1,…,m n can be used to decode f(x 1,…,x n ). For a set T ⊆ [n], the protocol is said to be T-robust if revealing the messages together with the randomness (r i ) i ∈ T gives the same information about as an oracle access to the function f restricted to these input values. Namely, a coalition T can learn no more than the restriction of f fixing the inputs of uncorrupted parties, which, in this non-interactive setting, one cannot hope to hide. For 0 ≤ t ≤ n, the protocol is t-robust if it is T-robust for every T of size at most t and it is fully robust if it is n-robust. A 0-robust NIMPC protocol for f coincides with a protocol in the private simultaneous messages model of Feige et al. (STOC 1994). In the setting of computational (indistinguishability-based) security, fully robust NIMPC is implied by multi-input functional encryption, a notion that was recently introduced by Goldwasser et al. (Eurocrypt 2014) and realized using indistinguishability obfuscation. We consider NIMPC in the information-theoretic setting and obtain unconditional positive results for some special cases of interest: On the negative side, we show that natural attempts to realize NIMPC using private simultaneous messages protocols and garbling schemes from the literature fail to achieve even 1-robustness.
Motivated by questions aboutsecure multi-party compu- tation, we introduce and study a new natural representa- tion of functions by polynomials, which we termrandomiz- ing polynomials. "Standard" low-degree polynomials over a finite field are easy to compute with a small number of com- munication rounds in virtually any setting for secure com- putation. However, most Boolean functions cannot be eval- uated by a polynomial whose degree is smaller than their in- put size. We get around this barrier by relaxing the require- ment of evaluatingf into a weaker requirement ofrandomiz- ing f: mapping the inputs off along with independent ran- dom inputs into a vector of outputs, whose distribution de- pends only on the value off. We show that degree-3 poly- nomials are sufficient to randomize any function f, relating the efficiency of such a randomization to the branching pro- gram size of f. On the other hand, by characterizing the ex- act class of Boolean functions which can be randomized by degree-2 polynomials, we show that 3 is the minimal ran- domization degree of most functions. As an application, randomizing polynomials provide a powerful, general, and conceptually simple tool for the de- sign of round-efficient secure protocols. Specifically, the se- cure evaluation of any function can be reduced to a secure evaluation of degree-3 polynomials. One corollary of this reduction is that two (respectively, three) communication rounds are sufficient fork parties to compute any Boolean functionf of their inputs, with perfect information-theoretic ⌊ k−1 3 ⌋-privacy (resp., ⌊ k−1 2 ⌋-privacy), and communication complexity which is at most quadratic in the branching pro- gram size off (with a small probability of one-sided error).
— Secure computation protocols inherently involve multiple rounds of interaction among the parties where, typically a party has to keep a state about what has happened in the protocol so far and then wait for the other party to respond. We study if this is inherent. In particular, we study the possibility of designing cryptographic protocols where the parties can be completely stateless and compute the outgoing message by applying a single fixed function to the incoming message (independent of any state). The problem of designing stateless secure computation protocols can be reduced to the problem of designing protocols satisfying the notion of resettable computation introduced by Canetti, Goldreich, Goldwasser and Micali (FOCS’01) and widely studied thereafter. The current start of art in resettable computation allows for construction of protocols which provide security only when a single predetermined party is resettable [13]. An exception is for the
There is a vast body of work on implementing anonymous communication. In this paper, we study the possibility of using anonymous communication as a building block, and show that one can leverage on anonymity in a variety of cryptographic contexts. Our results go in two directions. middot Feasibility. We show that anonymous communication over insecure channels can be used to implement unconditionally secure point-to-point channels, broadcast, and general multi-party protocols that remain unconditionally secure as long as less than half of the players are maliciously corrupted. middot Efficiency. We show that anonymous channels can yield substantial efficiency improvements for several natural secure computation tasks. In particular, we present the first solution to the problem of private information retrieval (PIR) which can handle multiple users while being close to optimal with respect to both communication and computation
The notion of resettable zero-knowledge (rZK) was introduced by Canetti, Goldreich, Goldwasser and Micali (FOCS’01) as a strengthening of the classical notion of zero-knowledge. A rZK protocol remains zero-knowledge even if the verifier can reset the prover back to its initial state anytime during the protocol execution and force it to use the same random tape again and again. Following this work, various extensions of this notion were considered for the zero-knowledge and witness indistinguishability functionalities.
In this paper, we initiate the study of resettability for more general functionalities. We first consider the setting of resettable two-party computation where a party (called the user) can reset the other party (called the smartcard) anytime during the protocol execution. After being reset, the smartcard comes back to its original state and thus the user has the opportunity to start interacting with it again (knowing that the smartcard will use the same set of random coins). In this setting, we show that it is possible to secure realize all PPT computable functionalities under the most natural (simulation based) definition. Thus our results show that in cryptographic protocols, the reliance on randomness and the ability to keep state can be made significantly weaker. Our simulator for the aforementioned resettable two-party computation protocol (inherently) makes use of non-black box techniques. Second, we provide a construction of simultaneous resettable multi-party computation with an honest majority (where the adversary not only controls a minority of parties but is also allowed to reset any number of parties at any point). Interestingly, all our results are in the plain model.
Various information-theoretic constant-round secure multiparty protocols are known for classes such as NC1 and polynomial-size branching programs [1,13,18,3,19,10]. All these protocols have a small probability of failure, or alternatively use an expected constant number of rounds, suggesting that this might be an inherent phenomenon. In this paper we prove that this is not the case by presenting several constructions of perfect constant-round protocols.
Our protocols are obtained using randomizing polynomials — a recently introduced representation [19], which naturally relaxes the standard polynomial representation of boolean functions. Randomizing polynomials represent a function f by a low-degree mapping from its inputs and independent random inputs to a vector of outputs, whose distribution depends only on the value of f. We obtain several constructions of degree-optimal perfect randomizing polynomials, whose distinct output distributions are perfectly separated. These results on randomizing polynomials are of independent complexity-theoretic interest.
We study the parallel time-complexity of basic cryptographic primitives such as one-way functions (OWFs) and pseudorandom generators (PRGs). Specifically, we study the possibility of implementing instances of these primitives by NC0 functions, namely, by functions in which each output bit depends on a constant number of input bits. Despite previous efforts in this direction, there has been no convincing theoretical evidence supporting this possibility, which was posed as an open question in several previous works. We essentially settle this question by providing strong positive evidence for the possibility of cryptography in NC0. Our main result is that every "moderately easy" OWF (resp., PRG), say computable in NC1, can be compiled into a corresponding OWF (resp., "low-stretch" PRG) in which each output bit depends on at most 4 input bits. The existence of OWFs and PRGs in NC1 is a relatively mild assumption, implied by most number-theoretic or algebraic intractability assumptions commonly used in cryptography. A similar compiler can also be obtained for other cryptographic primitives such as one-way permutations, encryption, signatures, commitment, and collision-resistant hashing. Our techniques can also be applied to obtain (unconditional) constructions of "noncryptographic" PRGs. In particular, we obtain ε-biased generators and a PRG for space-bounded computation in which each output bit depends on only 3 input bits. Our results make use of the machinery of randomizing polynomials [Y. Ishai and E. Kushilevitz, Proceedings of the 41st Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2000, pp. 294-304], which was originally motivated by questions in the domain of information-theoretic secure multiparty computation.
In this paper we introduce a new tool for controlling the knowledge transfer process in cryptographic protocol design. It is applied to solve a general class of problems which include most of the two-party cryptographic problems in the literature. Specifically, we show how two parties A and B can interactively generate a random integer N = p¿q such that its secret, i.e., the prime factors (p, q), is hidden from either party individually but is recoverable jointly if desired. This can be utilized to give a protocol for two parties with private values i and j to compute any polynomially computable functions f(i,j) and g(i,j) with minimal knowledge transfer and a strong fairness property. As a special case, A and B can exchange a pair of secrets sA, sB, e.g. the factorization of an integer and a Hamiltonian circuit in a graph, in such a way that sA becomes computable by B when and only when sB becomes computable by A. All these results are proved assuming only that the problem of factoring large intergers is computationally intractable.
Separating two-round secure computation from oblivious transfer
- B Applebaum
- Z Brakerski
- S Garg
- Y Ishai
- A Srinivasan
Low-complexity cryptographic hash functions
- B Applebaum
- N Haramaty
- Y Ishai
- E Kushilevitz
- V Vaikuntanathan
How to garble arithmetic circuits
- B Applebaum
- Y Ishai
- E Kushilevitz
Refuting the dream XOR lemma via ideal obfuscation and resettable MPC
- S Badrinarayanan
- Y Ishai
- D Khurana
- A Sahai
- D Wichs
Encode, shuffle, analyze privacy revisited: Formalizations and empirical evaluation
- Ú Erlingsson