Pub Date : 2023-01-01DOI: 10.4230/LIPIcs.ITC.2023.4
Cody R. Freitag, Ilan Komargodski
In recent years, the number of applications of the repeated squaring assumption has been growing rapidly. The assumption states that, given a group element x , an integer T , and an RSA modulus N , it is hard to compute x 2 T mod N – or even decide whether y ? = x 2 T mod N – in parallel time less than the trivial approach of simply computing T squares. This rise has been driven by efficient proof systems for repeated squaring, opening the door to more efficient constructions of verifiable delay functions, various secure computation primitives, and proof systems for more general languages. In this work, we study the complexity of statistically sound proofs for the repeated squaring relation. Technically, we consider proofs where the prover sends at most k ≥ 0 elements and the (probabilistic) verifier performs generic group operations over the group Z ⋆N . As our main contribution, we show that for any (one-round) proof with a randomized verifier (i.e., an MA proof) the verifier either runs in parallel time Ω( T/ ( k + 1)) with high probability, or is able to factor N given the proof provided by the prover. This shows that either the prover essentially sends p, q such that N = p · q (which is infeasible or undesirable in most applications), or a variant of Pietrzak’s proof of repeated squaring (ITCS 2019) has optimal verifier complexity O ( T/ ( k + 1)). In particular, it is impossible to obtain a statistically sound one-round proof of repeated squaring with efficiency on par with the computationally-sound protocol of Wesolowski (EUROCRYPT 2019), with a generic group verifier. We further extend our one-round lower bound to a natural class of recursive interactive proofs for repeated squaring. For r -round recursive proofs where the prover is allowed to send k group elements per round, we show that the verifier either runs in parallel time Ω( T/ ( k + 1) r ) with high probability, or is able to factor N given the proof transcript
{"title":"The Cost of Statistical Security in Proofs for Repeated Squaring","authors":"Cody R. Freitag, Ilan Komargodski","doi":"10.4230/LIPIcs.ITC.2023.4","DOIUrl":"https://doi.org/10.4230/LIPIcs.ITC.2023.4","url":null,"abstract":"In recent years, the number of applications of the repeated squaring assumption has been growing rapidly. The assumption states that, given a group element x , an integer T , and an RSA modulus N , it is hard to compute x 2 T mod N – or even decide whether y ? = x 2 T mod N – in parallel time less than the trivial approach of simply computing T squares. This rise has been driven by efficient proof systems for repeated squaring, opening the door to more efficient constructions of verifiable delay functions, various secure computation primitives, and proof systems for more general languages. In this work, we study the complexity of statistically sound proofs for the repeated squaring relation. Technically, we consider proofs where the prover sends at most k ≥ 0 elements and the (probabilistic) verifier performs generic group operations over the group Z ⋆N . As our main contribution, we show that for any (one-round) proof with a randomized verifier (i.e., an MA proof) the verifier either runs in parallel time Ω( T/ ( k + 1)) with high probability, or is able to factor N given the proof provided by the prover. This shows that either the prover essentially sends p, q such that N = p · q (which is infeasible or undesirable in most applications), or a variant of Pietrzak’s proof of repeated squaring (ITCS 2019) has optimal verifier complexity O ( T/ ( k + 1)). In particular, it is impossible to obtain a statistically sound one-round proof of repeated squaring with efficiency on par with the computationally-sound protocol of Wesolowski (EUROCRYPT 2019), with a generic group verifier. We further extend our one-round lower bound to a natural class of recursive interactive proofs for repeated squaring. For r -round recursive proofs where the prover is allowed to send k group elements per round, we show that the verifier either runs in parallel time Ω( T/ ( k + 1) r ) with high probability, or is able to factor N given the proof transcript","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":"79 1","pages":"4:1-4:23"},"PeriodicalIF":0.0,"publicationDate":"2023-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"83928249","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-01-01DOI: 10.4230/LIPIcs.ITC.2023.15
Mohammad Mahmoody, Wei Qi
In this work we study a new information theoretic problem, called online merging , that has direct applications for constructing public-state accumulators and registration-based encryption schemes. An online merger receives the sequence of sets { 1 } , { 2 } , . . . in an online way, and right after receiving { i } , it can re-partition the elements 1 , . . . , i into T 1 , . . . , T m i by merging some of these sets. The goal of the merger is to balance the trade-off between the maximum number of sets wid = max i ∈ [ n ] m i that co-exist at any moment, called the width of the scheme, with its depth dep = max i ∈ [ n ] d i , where d i is the number of times that the sets that contain i get merged. An online merger can be used to maintain a set of Merkle trees that occasionally get merged. An online merger can be directly used to obtain public-state accumulators (using collision-resistant hashing) and registration-based encryptions (relying on more assumptions). Doing so, the width of an online merger translates into the size of the public-parameter of the constructed scheme, and the depth of the online algorithm corresponds to the number of times that parties need to update their “witness” (for accumulators) or their decryption key (for RBE). In this work, we construct online mergers with poly (log n ) width and O (log n/ log log n ) depth, which can be shown to be optimal for all schemes with poly (log n ) width. More generally, we show how to achieve optimal depth for a given fixed width and to achieve a 2-approximate optimal width for a given depth d that can possibly grow as a function of n (e.g., d = 2 or d = log n/ log log n ). As applications, we obtain accumulators with O (log n/ log log n ) number of updates for parties’ witnesses (which can be shown to be optimal for accumulator digests of length poly (log n )) as well as registration based encryptions that again have an optimal O (log n/ log log n ) number of decryption updates, resolving the open question of Mahmoody, Rahimi, Qi [TCC’22] who proved that Ω(log n/ log log n ) number of decryption updates are necessary for any RBE (with public parameter of length poly (log n )). More generally, for any given number of decryption updates d = d ( n ) (under believable computational assumptions) our online merger implies RBE schemes with public parameters of length that is optimal, up to a constant factor that depends on the security parameter. For example, for any constant number of updates d , we get RBE schemes with public parameters of length O ( n 1 / ( d +1) ).
{"title":"Online Mergers and Applications to Registration-Based Encryption and Accumulators","authors":"Mohammad Mahmoody, Wei Qi","doi":"10.4230/LIPIcs.ITC.2023.15","DOIUrl":"https://doi.org/10.4230/LIPIcs.ITC.2023.15","url":null,"abstract":"In this work we study a new information theoretic problem, called online merging , that has direct applications for constructing public-state accumulators and registration-based encryption schemes. An online merger receives the sequence of sets { 1 } , { 2 } , . . . in an online way, and right after receiving { i } , it can re-partition the elements 1 , . . . , i into T 1 , . . . , T m i by merging some of these sets. The goal of the merger is to balance the trade-off between the maximum number of sets wid = max i ∈ [ n ] m i that co-exist at any moment, called the width of the scheme, with its depth dep = max i ∈ [ n ] d i , where d i is the number of times that the sets that contain i get merged. An online merger can be used to maintain a set of Merkle trees that occasionally get merged. An online merger can be directly used to obtain public-state accumulators (using collision-resistant hashing) and registration-based encryptions (relying on more assumptions). Doing so, the width of an online merger translates into the size of the public-parameter of the constructed scheme, and the depth of the online algorithm corresponds to the number of times that parties need to update their “witness” (for accumulators) or their decryption key (for RBE). In this work, we construct online mergers with poly (log n ) width and O (log n/ log log n ) depth, which can be shown to be optimal for all schemes with poly (log n ) width. More generally, we show how to achieve optimal depth for a given fixed width and to achieve a 2-approximate optimal width for a given depth d that can possibly grow as a function of n (e.g., d = 2 or d = log n/ log log n ). As applications, we obtain accumulators with O (log n/ log log n ) number of updates for parties’ witnesses (which can be shown to be optimal for accumulator digests of length poly (log n )) as well as registration based encryptions that again have an optimal O (log n/ log log n ) number of decryption updates, resolving the open question of Mahmoody, Rahimi, Qi [TCC’22] who proved that Ω(log n/ log log n ) number of decryption updates are necessary for any RBE (with public parameter of length poly (log n )). More generally, for any given number of decryption updates d = d ( n ) (under believable computational assumptions) our online merger implies RBE schemes with public parameters of length that is optimal, up to a constant factor that depends on the security parameter. For example, for any constant number of updates d , we get RBE schemes with public parameters of length O ( n 1 / ( d +1) ).","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":"64 1","pages":"15:1-15:23"},"PeriodicalIF":0.0,"publicationDate":"2023-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"80818277","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-01-01DOI: 10.4230/LIPIcs.ITC.2023.3
Andrej Bogdanov
We conjecture that the smallest possible share size for binary secrets for the t-out-of-n and (n− t+1)out-of-n access structures is the same for all 1 ≤ t ≤ n. This is a strenghtening of a recent conjecture by Csirmaz (J. Math. Cryptol., 2020). We prove the conjecture for t = 2 and all n. Our proof gives a new (n − 1)-out-of-n secret sharing scheme for binary secrets with share alphabet size n. 2012 ACM Subject Classification Theory of computation → Randomness, geometry and discrete structures; Theory of computation → Cryptographic primitives; Mathematics of computing → Information theory; Security and privacy → Mathematical foundations of cryptography
{"title":"Csirmaz's Duality Conjecture and Threshold Secret Sharing","authors":"Andrej Bogdanov","doi":"10.4230/LIPIcs.ITC.2023.3","DOIUrl":"https://doi.org/10.4230/LIPIcs.ITC.2023.3","url":null,"abstract":"We conjecture that the smallest possible share size for binary secrets for the t-out-of-n and (n− t+1)out-of-n access structures is the same for all 1 ≤ t ≤ n. This is a strenghtening of a recent conjecture by Csirmaz (J. Math. Cryptol., 2020). We prove the conjecture for t = 2 and all n. Our proof gives a new (n − 1)-out-of-n secret sharing scheme for binary secrets with share alphabet size n. 2012 ACM Subject Classification Theory of computation → Randomness, geometry and discrete structures; Theory of computation → Cryptographic primitives; Mathematics of computing → Information theory; Security and privacy → Mathematical foundations of cryptography","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":"72 1","pages":"3:1-3:6"},"PeriodicalIF":0.0,"publicationDate":"2023-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76308151","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-01-01DOI: 10.4230/LIPIcs.ITC.2023.18
Keitaro Hiwatashi, K. Nuida
Secure two-party computation is a cryptographic technique that enables two parties to compute a function jointly while keeping each input secret. It is known that most functions cannot be realized by information-theoretically secure two-party computation, but any function can be realized in the correlated randomness (CR) model, where a trusted dealer distributes input-independent CR to the parties beforehand. In the CR model, three kinds of complexities are mainly considered; the size of CR, the number of rounds
{"title":"Exponential Correlated Randomness Is Necessary in Communication-Optimal Perfectly Secure Two-Party Computation","authors":"Keitaro Hiwatashi, K. Nuida","doi":"10.4230/LIPIcs.ITC.2023.18","DOIUrl":"https://doi.org/10.4230/LIPIcs.ITC.2023.18","url":null,"abstract":"Secure two-party computation is a cryptographic technique that enables two parties to compute a function jointly while keeping each input secret. It is known that most functions cannot be realized by information-theoretically secure two-party computation, but any function can be realized in the correlated randomness (CR) model, where a trusted dealer distributes input-independent CR to the parties beforehand. In the CR model, three kinds of complexities are mainly considered; the size of CR, the number of rounds","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":"26 1","pages":"18:1-18:16"},"PeriodicalIF":0.0,"publicationDate":"2023-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"82927609","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2022-01-01DOI: 10.4230/LIPIcs.ITC.2022.7
Marshall Ball, Tim Randolph
For k = ω (log n ), we prove a Ω( k 2 n/ log( kn )) lower bound on private simultaneous messages (PSM) with k parties who receive n -bit inputs. This extends the Ω( n ) lower bound due to Appelbaum, Holenstein, Mishra and Shayevitz [Journal of Cryptology, 2019] to the many-party ( k = ω (log n )) setting. It is the first PSM lower bound that increases quadratically with the number of parties, and moreover the first unconditional, explicit bound that grows with both k and n . This note extends the work of Ball, Holmgren, Ishai, Liu, and Malkin [ITCS 2020], who prove communication complexity lower bounds on decomposable randomized encodings (DREs), which correspond to the special case of k -party PSMs with n = 1. To give a concise and readable introduction to the method, we focus our presentation on perfect PSM schemes. Theory of computation Communication complexity;
{"title":"A Note on the Complexity of Private Simultaneous Messages with Many Parties","authors":"Marshall Ball, Tim Randolph","doi":"10.4230/LIPIcs.ITC.2022.7","DOIUrl":"https://doi.org/10.4230/LIPIcs.ITC.2022.7","url":null,"abstract":"For k = ω (log n ), we prove a Ω( k 2 n/ log( kn )) lower bound on private simultaneous messages (PSM) with k parties who receive n -bit inputs. This extends the Ω( n ) lower bound due to Appelbaum, Holenstein, Mishra and Shayevitz [Journal of Cryptology, 2019] to the many-party ( k = ω (log n )) setting. It is the first PSM lower bound that increases quadratically with the number of parties, and moreover the first unconditional, explicit bound that grows with both k and n . This note extends the work of Ball, Holmgren, Ishai, Liu, and Malkin [ITCS 2020], who prove communication complexity lower bounds on decomposable randomized encodings (DREs), which correspond to the special case of k -party PSMs with n = 1. To give a concise and readable introduction to the method, we focus our presentation on perfect PSM schemes. Theory of computation Communication complexity;","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":"21 1","pages":"7:1-7:12"},"PeriodicalIF":0.0,"publicationDate":"2022-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"80866907","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2022-01-01DOI: 10.4230/LIPIcs.ITC.2022.11
C. Dhar, Y. Dodis, M. Nandi
The question of building the most efficient tn -to- n -bit collision-resistant hash function H from a smaller (say, 2 n -to- n -bit) compression function f is one of the fundamental questions in symmetric key cryptography. This question has a rich history, and was open for general t , until a recent breakthrough paper by Andreeva, Bhattacharyya and Roy at Eurocrypt’21, who designed an elegant mode (which we call ABR ) achieving roughly 2 t/ 3 calls to f , which matches the famous Stam’s bound from CRYPTO’08. Unfortunately, we have found serious issues in the claims made by the authors. These issues appear quite significant, and range from verifiably false statements to noticeable gaps in the proofs (e.g., omissions of important cases and unjustified bounds). We were unable to patch up the current proof provided by the authors. Instead, we prove from scratch the security of the ABR construction for the first non-trivial case t = 11 ( ABR mode of height 3), which was incorrectly handled by the authors. In particular, our result matches Stam’s bound for t = 11. While the general case is still open, we hope our techniques will prove useful to finally settle the question of the optimal efficiency of hash functions.
{"title":"Revisiting Collision and Local Opening Analysis of ABR Hash","authors":"C. Dhar, Y. Dodis, M. Nandi","doi":"10.4230/LIPIcs.ITC.2022.11","DOIUrl":"https://doi.org/10.4230/LIPIcs.ITC.2022.11","url":null,"abstract":"The question of building the most efficient tn -to- n -bit collision-resistant hash function H from a smaller (say, 2 n -to- n -bit) compression function f is one of the fundamental questions in symmetric key cryptography. This question has a rich history, and was open for general t , until a recent breakthrough paper by Andreeva, Bhattacharyya and Roy at Eurocrypt’21, who designed an elegant mode (which we call ABR ) achieving roughly 2 t/ 3 calls to f , which matches the famous Stam’s bound from CRYPTO’08. Unfortunately, we have found serious issues in the claims made by the authors. These issues appear quite significant, and range from verifiably false statements to noticeable gaps in the proofs (e.g., omissions of important cases and unjustified bounds). We were unable to patch up the current proof provided by the authors. Instead, we prove from scratch the security of the ABR construction for the first non-trivial case t = 11 ( ABR mode of height 3), which was incorrectly handled by the authors. In particular, our result matches Stam’s bound for t = 11. While the general case is still open, we hope our techniques will prove useful to finally settle the question of the optimal efficiency of hash functions.","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":"19 1","pages":"11:1-11:22"},"PeriodicalIF":0.0,"publicationDate":"2022-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"88112307","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2022-01-01DOI: 10.4230/LIPIcs.ITC.2022.16
H. K. Maji, H. Nguyen, Anat Paskin-Cherniavsky, Tom Suad, Mingyuan Wang, Xiuyu Ye, Albert Yu
Innovative side-channel attacks have repeatedly exposed the secrets of cryptosystems. Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO–2018) introduced local leakage resilience of secret-sharing schemes to study some of these vulnerabilities. In this framework, the objective is to characterize the unintended information revelation about the secret by obtaining independent leakage from each secret share. This work accurately quantifies the vulnerability of the additive secret-sharing scheme to local leakage attacks and its consequences for other secret-sharing schemes. Consider the additive secret-sharing scheme over a prime field among k parties, where the secret shares are stored in their natural binary representation, requiring λ bits – the security parameter. We prove that the reconstruction threshold k = ω (log λ ) is necessary to protect against local physical-bit probing attacks, improving the previous ω (log λ/ log log λ ) lower bound. This result is a consequence of accurately determining the distinguishing advantage of the “parity-of-parity” physical-bit local leakage attack proposed by Maji, Nguyen, Paskin-Cherniavsky, Suad, and Wang (EUROCRYPT–2021). Our lower bound is optimal because the additive secret-sharing scheme is perfectly secure against any ( k − 1)-bit (global) leakage and (statistically) secure against (arbitrary) one-bit local leakage attacks when k = ω (log λ ). Any physical-bit local leakage (1) physical-bit local leakage attacks on the Shamir secret-sharing scheme with adversarially-chosen evaluation places, and (2) local leakage attacks on the Massey secret-sharing scheme corresponding to any linear code. In particular, for Shamir’s secret-sharing scheme, the reconstruction threshold k = ω (log λ ) is necessary when the number of parties is n = O ( λ log λ ). Our analysis of the “parity-of-parity” attack’s distinguishing advantage establishes it as the best-known local leakage attack in these scenarios. Our work employs Fourier-analytic techniques to analyze the “parity-of-parity” attack on the additive secret-sharing scheme. We accurately estimate an exponential sum that captures the vulnerability of this secret-sharing scheme to the parity-of-parity attack, a quantity that is also closely related to the “discrepancy” of the Irwin-Hall probability distribution. Any findings and conclusions or recommendations expressed in this are those of the author(s) and do not necessarily reflect the views of the United or DARPA.
{"title":"Tight Estimate of the Local Leakage Resilience of the Additive Secret-Sharing Scheme & Its Consequences","authors":"H. K. Maji, H. Nguyen, Anat Paskin-Cherniavsky, Tom Suad, Mingyuan Wang, Xiuyu Ye, Albert Yu","doi":"10.4230/LIPIcs.ITC.2022.16","DOIUrl":"https://doi.org/10.4230/LIPIcs.ITC.2022.16","url":null,"abstract":"Innovative side-channel attacks have repeatedly exposed the secrets of cryptosystems. Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO–2018) introduced local leakage resilience of secret-sharing schemes to study some of these vulnerabilities. In this framework, the objective is to characterize the unintended information revelation about the secret by obtaining independent leakage from each secret share. This work accurately quantifies the vulnerability of the additive secret-sharing scheme to local leakage attacks and its consequences for other secret-sharing schemes. Consider the additive secret-sharing scheme over a prime field among k parties, where the secret shares are stored in their natural binary representation, requiring λ bits – the security parameter. We prove that the reconstruction threshold k = ω (log λ ) is necessary to protect against local physical-bit probing attacks, improving the previous ω (log λ/ log log λ ) lower bound. This result is a consequence of accurately determining the distinguishing advantage of the “parity-of-parity” physical-bit local leakage attack proposed by Maji, Nguyen, Paskin-Cherniavsky, Suad, and Wang (EUROCRYPT–2021). Our lower bound is optimal because the additive secret-sharing scheme is perfectly secure against any ( k − 1)-bit (global) leakage and (statistically) secure against (arbitrary) one-bit local leakage attacks when k = ω (log λ ). Any physical-bit local leakage (1) physical-bit local leakage attacks on the Shamir secret-sharing scheme with adversarially-chosen evaluation places, and (2) local leakage attacks on the Massey secret-sharing scheme corresponding to any linear code. In particular, for Shamir’s secret-sharing scheme, the reconstruction threshold k = ω (log λ ) is necessary when the number of parties is n = O ( λ log λ ). Our analysis of the “parity-of-parity” attack’s distinguishing advantage establishes it as the best-known local leakage attack in these scenarios. Our work employs Fourier-analytic techniques to analyze the “parity-of-parity” attack on the additive secret-sharing scheme. We accurately estimate an exponential sum that captures the vulnerability of this secret-sharing scheme to the parity-of-parity attack, a quantity that is also closely related to the “discrepancy” of the Irwin-Hall probability distribution. Any findings and conclusions or recommendations expressed in this are those of the author(s) and do not necessarily reflect the views of the United or DARPA.","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":"38 1","pages":"16:1-16:19"},"PeriodicalIF":0.0,"publicationDate":"2022-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"72981700","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2021-01-01DOI: 10.4230/LIPIcs.ITC.2021.16
Alexander R. Block, Simina Brânzei, H. K. Maji, H. Mehta, Tamalika Mukherjee, H. Nguyen
P4-free graphs– also known as cographs, complement-reducible graphs, or hereditary Dacey graphs– have been well studied in graph theory. Motivated by computer science and information theory applications, our work encodes (flat) joint probability distributions and Boolean functions as bipartite graphs and studies bipartite P4-free graphs. For these applications, the graph properties of edge partitioning and covering a bipartite graph using the minimum number of these graphs are particularly relevant. Previously, such graph properties have appeared in leakage-resilient cryptography and (variants of) coloring problems. Interestingly, our covering problem is closely related to the well-studied problem of product (a.k.a., Prague) dimension of loopless undirected graphs, which allows us to employ algebraic lowerbounding techniques for the product/Prague dimension. We prove that computing these numbers is NP-complete, even for bipartite graphs. We establish a connection to the (unsolved) Zarankiewicz problem to show that there are bipartite graphs with size-N partite sets such that these numbers are at least ε · N1−2ε, for ε ∈ {1/3, 1/4, 1/5, . . . }. Finally, we accurately estimate these numbers for bipartite graphs encoding well-studied Boolean functions from circuit complexity, such as set intersection, set disjointness, and inequality. For applications in information theory and communication & cryptographic complexity, we consider a system where a setup samples from a (flat) joint distribution and gives the participants, Alice and Bob, their portion from this joint sample. Alice and Bob’s objective is to non-interactively establish a shared key and extract the left-over entropy from their portion of the samples as independent private randomness. A genie, who observes the joint sample, provides appropriate assistance to help Alice and Bob with their objective. Lower bounds to the minimum size of the genie’s assistance translate into communication and cryptographic lower bounds. We show that (the log2 of) the P4-free partition number of a graph encoding the joint distribution that the setup uses is equivalent to the size of the genie’s assistance. Consequently, the joint distributions corresponding to the bipartite graphs constructed above with high P4-free partition numbers correspond to joint distributions requiring more assistance from the genie. As a representative application in non-deterministic communication complexity, we study the communication complexity of nondeterministic protocols augmented by access to the equality oracle at the output. We show that (the log2 of) the P4-free cover number of the bipartite graph encoding a Boolean function f is equivalent to the minimum size of the nondeterministic input required by the parties (referred to as the communication complexity of f in this model). Consequently, the functions corresponding to the bipartite graphs with high P4-free cover numbers have high communication complexity. Furthermore, th
{"title":"P4-free Partition and Cover Numbers & Applications","authors":"Alexander R. Block, Simina Brânzei, H. K. Maji, H. Mehta, Tamalika Mukherjee, H. Nguyen","doi":"10.4230/LIPIcs.ITC.2021.16","DOIUrl":"https://doi.org/10.4230/LIPIcs.ITC.2021.16","url":null,"abstract":"P4-free graphs– also known as cographs, complement-reducible graphs, or hereditary Dacey graphs– have been well studied in graph theory. Motivated by computer science and information theory applications, our work encodes (flat) joint probability distributions and Boolean functions as bipartite graphs and studies bipartite P4-free graphs. For these applications, the graph properties of edge partitioning and covering a bipartite graph using the minimum number of these graphs are particularly relevant. Previously, such graph properties have appeared in leakage-resilient cryptography and (variants of) coloring problems. Interestingly, our covering problem is closely related to the well-studied problem of product (a.k.a., Prague) dimension of loopless undirected graphs, which allows us to employ algebraic lowerbounding techniques for the product/Prague dimension. We prove that computing these numbers is NP-complete, even for bipartite graphs. We establish a connection to the (unsolved) Zarankiewicz problem to show that there are bipartite graphs with size-N partite sets such that these numbers are at least ε · N1−2ε, for ε ∈ {1/3, 1/4, 1/5, . . . }. Finally, we accurately estimate these numbers for bipartite graphs encoding well-studied Boolean functions from circuit complexity, such as set intersection, set disjointness, and inequality. For applications in information theory and communication & cryptographic complexity, we consider a system where a setup samples from a (flat) joint distribution and gives the participants, Alice and Bob, their portion from this joint sample. Alice and Bob’s objective is to non-interactively establish a shared key and extract the left-over entropy from their portion of the samples as independent private randomness. A genie, who observes the joint sample, provides appropriate assistance to help Alice and Bob with their objective. Lower bounds to the minimum size of the genie’s assistance translate into communication and cryptographic lower bounds. We show that (the log2 of) the P4-free partition number of a graph encoding the joint distribution that the setup uses is equivalent to the size of the genie’s assistance. Consequently, the joint distributions corresponding to the bipartite graphs constructed above with high P4-free partition numbers correspond to joint distributions requiring more assistance from the genie. As a representative application in non-deterministic communication complexity, we study the communication complexity of nondeterministic protocols augmented by access to the equality oracle at the output. We show that (the log2 of) the P4-free cover number of the bipartite graph encoding a Boolean function f is equivalent to the minimum size of the nondeterministic input required by the parties (referred to as the communication complexity of f in this model). Consequently, the functions corresponding to the bipartite graphs with high P4-free cover numbers have high communication complexity. Furthermore, th","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":"42 1","pages":"16:1-16:25"},"PeriodicalIF":0.0,"publicationDate":"2021-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87078668","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2021-01-01DOI: 10.4230/LIPIcs.ITC.2021.8
T-H. Hubert Chan, E. Shi, Wei-Kai Lin, Kartik Nayak
Oblivious RAM (ORAM) is a technique for compiling any RAM program to an oblivious counterpart, i.e., one whose access patterns do not leak information about the secret inputs. Similarly, Oblivious Parallel RAM (OPRAM) compiles a parallel RAM program to an oblivious counterpart. In this paper, we care about ORAM/OPRAM with perfect security, i.e., the access patterns must be identically distributed no matter what the program’s memory request sequence is. In the past, two types of perfect ORAMs/OPRAMs have been considered: constructions whose performance bounds hold in expectation (but may occasionally run more slowly); and constructions whose performance bounds hold deterministically (even though the algorithms themselves are randomized). In this paper, we revisit the performance metrics for perfect ORAM/OPRAM, and show novel constructions that achieve asymptotical improvements for all performance metrics. Our first result is a new perfectly secure OPRAM scheme with O(logN/ log logN) expected overhead. In comparison, prior literature has been stuck at O(logN) for more than a decade. Next, we show how to construct a perfect ORAM with O(logN/ log logN) deterministic simulation overhead. We further show how to make the scheme parallel, resulting in an perfect OPRAM with O(logN/ log logN) deterministic simulation overhead. For perfect ORAMs/OPRAMs with deterministic performance bounds, our results achieve subexponential improvement over the state-of-the-art. Specifically, the best known prior scheme incurs more than √ N deterministic simulation overhead (Raskin and Simkin, Asiacrypt’19); moreover, their scheme works only for the sequential setting and is not amenable to parallelization. Finally, we additionally consider perfect ORAMs/OPRAMs whose performance bounds hold with high probability. For this new performance metric, we show new constructions whose simulation overhead is upper bounded by O(log / log logN) except with negligible in N probability, i.e., we prove high-probability performance bounds that match the expected bounds mentioned earlier. Author ordering is randomized. T-H. Hubert Chan was partially supported by the Hong Kong RGC under the grants 17200418 and 17201220. Elaine Shi was partially supported by NSF CNS-1601879, an ONR YIP award, and a Packard Fellowship. Wei-Kai Lin was supported by a DARPA Brandeis award. Kartik Nayak was partially supported by NSF Award 2016393.
{"title":"Perfectly Oblivious (Parallel) RAM Revisited, and Improved Constructions","authors":"T-H. Hubert Chan, E. Shi, Wei-Kai Lin, Kartik Nayak","doi":"10.4230/LIPIcs.ITC.2021.8","DOIUrl":"https://doi.org/10.4230/LIPIcs.ITC.2021.8","url":null,"abstract":"Oblivious RAM (ORAM) is a technique for compiling any RAM program to an oblivious counterpart, i.e., one whose access patterns do not leak information about the secret inputs. Similarly, Oblivious Parallel RAM (OPRAM) compiles a parallel RAM program to an oblivious counterpart. In this paper, we care about ORAM/OPRAM with perfect security, i.e., the access patterns must be identically distributed no matter what the program’s memory request sequence is. In the past, two types of perfect ORAMs/OPRAMs have been considered: constructions whose performance bounds hold in expectation (but may occasionally run more slowly); and constructions whose performance bounds hold deterministically (even though the algorithms themselves are randomized). In this paper, we revisit the performance metrics for perfect ORAM/OPRAM, and show novel constructions that achieve asymptotical improvements for all performance metrics. Our first result is a new perfectly secure OPRAM scheme with O(logN/ log logN) expected overhead. In comparison, prior literature has been stuck at O(logN) for more than a decade. Next, we show how to construct a perfect ORAM with O(logN/ log logN) deterministic simulation overhead. We further show how to make the scheme parallel, resulting in an perfect OPRAM with O(logN/ log logN) deterministic simulation overhead. For perfect ORAMs/OPRAMs with deterministic performance bounds, our results achieve subexponential improvement over the state-of-the-art. Specifically, the best known prior scheme incurs more than √ N deterministic simulation overhead (Raskin and Simkin, Asiacrypt’19); moreover, their scheme works only for the sequential setting and is not amenable to parallelization. Finally, we additionally consider perfect ORAMs/OPRAMs whose performance bounds hold with high probability. For this new performance metric, we show new constructions whose simulation overhead is upper bounded by O(log / log logN) except with negligible in N probability, i.e., we prove high-probability performance bounds that match the expected bounds mentioned earlier. Author ordering is randomized. T-H. Hubert Chan was partially supported by the Hong Kong RGC under the grants 17200418 and 17201220. Elaine Shi was partially supported by NSF CNS-1601879, an ONR YIP award, and a Packard Fellowship. Wei-Kai Lin was supported by a DARPA Brandeis award. Kartik Nayak was partially supported by NSF Award 2016393.","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":"79 1","pages":"8:1-8:23"},"PeriodicalIF":0.0,"publicationDate":"2021-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"83867641","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2021-01-01DOI: 10.4230/LIPIcs.ITC.2021.15
Luke Demarest, Benjamin Fuller, A. Russell
Fuzzy extractors derive stable keys from noisy sources. They are a fundamental tool for key derivation from biometric sources. This work introduces a new construction, code offset in the exponent. This construction is the first reusable fuzzy extractor that simultaneously supports structured, low entropy distributions with correlated symbols and confidence information. These properties are specifically motivated by the most pertinent applications – key derivation from biometrics and physical unclonable functions – which typically demonstrate low entropy with additional statistical correlations and benefit from extractors that can leverage confidence information for efficiency. Code offset in the exponent is a group encoding of the code offset construction (Juels and Wattenberg, CCS 1999). A random codeword of a linear error-correcting code is used as a one-time pad for a sampled value from the noisy source. Rather than encoding this directly, code offset in the exponent encodes by exponentiation of a generator in a cryptographically strong group. We introduce and characterize a condition on noisy sources that directly translates to security of our construction in the generic group model. Our condition requires the inner product between the source distribution and all vectors in the null space of the code to be unpredictable. 2012 ACM Subject Classification Security and privacy→ Information-theoretic techniques; Security and privacy → Biometrics
模糊提取器从噪声源中提取稳定的密钥。它们是从生物识别来源提取密钥的基本工具。本文引入了一种新的结构,即指数中的代码偏移量。该结构是第一个可重用的模糊提取器,同时支持具有相关符号和置信度信息的结构化、低熵分布。这些特性是由最相关的应用程序(生物识别和物理不可克隆函数的关键派生)特别激发的,这些应用程序通常具有低熵和额外的统计相关性,并受益于可以利用置信度信息提高效率的提取器。指数中的码差是码差结构的一组编码(Juels and Wattenberg, CCS 1999)。线性纠错码的随机码字被用作从噪声源采样值的一次性衬垫。指数中的代码偏移量不是直接编码,而是通过对加密强组中的生成器取幂进行编码。在一般群模型中,我们引入并描述了一个直接影响结构安全性的噪声源条件。我们的条件要求源分布和代码零空间中所有向量之间的内积是不可预测的。2012 ACM主题分类安全与隐私→信息理论技术;安全和隐私→生物识别
{"title":"Code Offset in the Exponent","authors":"Luke Demarest, Benjamin Fuller, A. Russell","doi":"10.4230/LIPIcs.ITC.2021.15","DOIUrl":"https://doi.org/10.4230/LIPIcs.ITC.2021.15","url":null,"abstract":"Fuzzy extractors derive stable keys from noisy sources. They are a fundamental tool for key derivation from biometric sources. This work introduces a new construction, code offset in the exponent. This construction is the first reusable fuzzy extractor that simultaneously supports structured, low entropy distributions with correlated symbols and confidence information. These properties are specifically motivated by the most pertinent applications – key derivation from biometrics and physical unclonable functions – which typically demonstrate low entropy with additional statistical correlations and benefit from extractors that can leverage confidence information for efficiency. Code offset in the exponent is a group encoding of the code offset construction (Juels and Wattenberg, CCS 1999). A random codeword of a linear error-correcting code is used as a one-time pad for a sampled value from the noisy source. Rather than encoding this directly, code offset in the exponent encodes by exponentiation of a generator in a cryptographically strong group. We introduce and characterize a condition on noisy sources that directly translates to security of our construction in the generic group model. Our condition requires the inner product between the source distribution and all vectors in the null space of the code to be unpredictable. 2012 ACM Subject Classification Security and privacy→ Information-theoretic techniques; Security and privacy → Biometrics","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":"56 1","pages":"15:1-15:23"},"PeriodicalIF":0.0,"publicationDate":"2021-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"79360650","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: