Broadcast Secret-Sharing, Bounds and Applications
Pub Date: 2021-01-01. DOI: 10.4230/LIPIcs.ITC.2021.10. Pages: 10:1-10:20.
I. Damgård, Kasper Green Larsen, Sophia Yakoubov
Consider a sender S and a group of n recipients. S holds a secret message m of length l bits and the goal is to allow S to create a secret sharing of m with privacy threshold t among the recipients, by broadcasting a single message c to the recipients. Our goal is to do this with information theoretic security in a model with a simple form of correlated randomness. Namely, for each subset A of recipients of size q, S may share a random key with all recipients in A. (The keys shared with different subsets A must be independent.) We call this Broadcast Secret-Sharing (BSS) with parameters l, n, t and q. Our main question is: how large must c be, as a function of the parameters? We show that $\frac{n-t}{q}\, l$ is a lower bound, and we show an upper bound of $\left(\frac{n(t+1)}{q+t} - t\right) l$, matching the lower bound whenever t = 0, or when q = 1 or n − t. When q = n − t, the size of c is exactly l which is clearly minimal. The protocol demonstrating the upper bound in this case requires S to share a key with every subset of size n − t. We show that this overhead cannot be avoided when c has minimal size. We also show that if access is additionally given to an idealized PRG, the lower bound on ciphertext size becomes $\frac{n-t}{q}\, \lambda + l - \mathrm{negl}(\lambda)$ (where λ is the length of the input to the PRG). The upper bound becomes $\left(\frac{n(t+1)}{q+t} - t\right)\lambda + l$. BSS can be applied directly to secret-key threshold encryption. We can also consider a setting where the correlated randomness is generated using computationally secure and non-interactive key exchange, where we assume that each recipient has an (independently generated) public key for this purpose. In this model, any protocol for non-interactive secret sharing becomes an ad hoc threshold encryption (ATE) scheme, which is a threshold encryption scheme with no trusted setup beyond a PKI. Our upper bounds imply new ATE schemes, and our lower bound becomes a lower bound on the ciphertext size in any ATE scheme that uses a key exchange functionality and no other cryptographic primitives.
2012 ACM Subject Classification: Security and privacy → Information-theoretic techniques
Fooling an Unbounded Adversary with a Short Key, Repeatedly: The Honey Encryption Perspective
Pub Date: 2021-01-01. DOI: 10.4230/LIPIcs.ITC.2021.23. Pages: 23:1-23:21.
Xinze Li, Qiang Tang, Zhenfeng Zhang
This article is motivated by the classical results from Shannon that put the simple and elegant one-time pad away from practice: the key length has to be as large as the message length, and the same key cannot be used more than once. In particular, we consider encryption algorithms to be defined relative to specific message distributions in order to trade for unconditional security. Such a notion, named honey encryption (HE), was originally proposed for achieving the best possible security for password-based encryption, where the secret key may have a very small amount of entropy. Exploring message distributions as in HE indeed helps circumvent the classical restrictions on secret keys. We give a new and very simple honey encryption scheme satisfying unconditional semantic security (for the targeted message distribution) in the standard model (all previous constructions are in the random oracle model, even for message recovery security only). Our new construction can be paired with an extremely simple yet “tighter” analysis, while all previous analyses (even for message recovery security only) were fairly complicated and require stronger assumptions. We also show a concrete instantiation that further enables the secret key to be used for encrypting multiple messages.
2012 ACM Subject Classification: Security and privacy → Cryptography; Theory of computation → Cryptographic primitives
Post-Compromise Security in Self-Encryption
Pub Date: 2021-01-01. DOI: 10.4230/LIPIcs.ITC.2021.25. Pages: 25:1-25:23.
Gwangbae Choi, F. Durak, S. Vaudenay
In self-encryption, a device encrypts some piece of information for itself to decrypt in the future. We are interested in the security of self-encryption when the state occasionally leaks. Applications that use self-encryption include cloud storage, where a client encrypts files to be stored, and 0-RTT session resumption, where a server encrypts a resumption key to be kept by the client. Previous works focused on forward security and resistance to replay attacks. In our work, we study post-compromise security (PCS). PCS was achieved in ratcheted instant messaging schemes, at the price of having an inflating state size. An open question was whether state inflation was necessary. In our results, we prove that post-compromise security implies a super-linear state size in terms of the number of active ciphertexts which can still be decrypted. We apply our result to self-encryption for cloud storage, 0-RTT session resumption, and secure messaging. We further show how to construct a secure scheme matching our bound on the state size up to a constant factor.
2012 ACM Subject Classification: Security and privacy → Cryptography
Technical Program Committee
Pub Date: 2020-10-01. DOI: 10.1109/ITC.2004.172. Pages: 6-8.
C. C. Wit, A. Abate, Pedro Aguilar, Liguo Zhang, Amir Abbaszadeh, Masoud Aguilar Bustos, Luis Tupak, Ahmed, Qadeer Ahmed-Ali, Tarek Ajorlou, Amir Al Janaideh
Mikio Aoyama (Nanzan University), Doo-Hwan Bae (Korea Advanced Institute of Science and Technology), Ricky W.K. Chan (The University of Hong Kong), Dickson K.W. Chiu (Dickson Computer Systems), Dimitra Giannakopoulou (NASA), Paul Grefen (Eindhoven University of Technology), Yanbo Han (Institute of Computing Technology, CAS), Patrick Hung (University of Ontario Institute of Technology), Zhi Jin (Academy of Mathematics and Systems Science, CAS), Ryszard Kowalczyk (Swinburne University of Technology), Bernd Kraemer (Fern University), Shonali Krishnaswamy (Monash University), Francis C.M. Lau (The University of Hong Kong), Minglu Li (Shanghai Jiao Tong University), Chengfei Liu (Swinburne University of Technology), Hong Mei (Peking University), Balasubramaniam Ramesh (Georgia State University), Andreas Ulrich (Siemens), Zhiwei Xu (Institute of Computing Technology, CAS), Eric Wong (University of Texas, Dallas), Zhaohui Wu (Zhejiang University), Jian Yang (Macquarie University), Y.T. Yu (City University of Hong Kong), Liang-Jie Zhang (IBM T.J. Watson Research Center), Yanchun Zhang (Victoria University of Technology), Hong Zhu (University of Oxford Brookes)
On the Security of Proofs of Sequential Work in a Post-Quantum World
Pub Date: 2020-06-19. DOI: 10.4230/LIPIcs.ITC.2021.22. Pages: 22:1-22:27.
Jeremiah Blocki, Seunghoon Lee, Samson Zhou
A proof of sequential work allows a prover to convince a resource-bounded verifier that the prover invested a substantial amount of sequential time to perform some underlying computation. Proofs of sequential work have many applications including time-stamping, blockchain design, and universally verifiable CPU benchmarks. Mahmoody, Moran, and Vadhan (ITCS 2013) gave the first construction of proofs of sequential work in the random oracle model, though the construction relied on expensive depth-robust graphs. In a recent breakthrough, Cohen and Pietrzak (EUROCRYPT 2018) gave a more efficient construction that does not require depth-robust graphs. In each of these constructions, the prover commits to a labeling of a directed acyclic graph $G$ with $N$ nodes and the verifier audits the prover by checking that a small subset of labels are locally consistent, e.g., $L_v = H(L_{v_1},\ldots,L_{v_\delta})$, where $v_1,\ldots,v_\delta$ denote the parents of node $v$. Provided that the graph $G$ has certain structural properties (e.g., depth-robustness), the prover must produce a long $\mathcal{H}$-sequence to pass the audit with non-negligible probability. An $\mathcal{H}$-sequence $x_0, x_1, \ldots, x_T$ has the property that $H(x_i)$ is a substring of $x_{i+1}$ for each $i$, i.e., we can find strings $a_i, b_i$ such that $x_{i+1} = a_i \cdot H(x_i) \cdot b_i$. In the parallel random oracle model, it is straightforward to argue that any attacker running in sequential time $T-1$ will fail to produce an $\mathcal{H}$-sequence of length $T$ except with negligible probability, even if the attacker submits large batches of random oracle queries in each round. (See the paper for the full abstract.)
TTTC: Test Technology Technical Council
Pub Date: 2020-05-01. DOI: 10.1109/ITC.2004.198. Pages: 14-16.
Chen-Huan Chiang
PURPOSE: The Test Technology Technical Council is a volunteer professional organization sponsored by the IEEE Computer Society. The goals of TTTC are to contribute to members’ professional development and advancement, to help them solve engineering problems in electronic test, and to help advance the state of the art. In particular, TTTC aims at facilitating the knowledge flow in an integrated manner, to ensure overall quality in terms of technical excellence, fairness, openness, and equal opportunities.
Leakage-Resilient Secret Sharing in Non-Compartmentalized Models
Pub Date: 2020-01-01. DOI: 10.4230/LIPIcs.ITC.2020.7. Pages: 7:1-7:24.
Fuchun Lin, Mahdi Cheraghchi, V. Guruswami, R. Safavi-Naini, Huaxiong Wang
One-One Constrained Pseudorandom Functions
Pub Date: 2020-01-01. DOI: 10.4230/LIPIcs.ITC.2020.13. Pages: 13:1-13:22.
Naty Peter, Rotem Tsabary, H. Wee
We define and study a new cryptographic primitive, named One-One Constrained Pseudorandom Functions. In this model there are two parties, Alice and Bob, that hold a common random string K, where Alice in addition holds a predicate f : [N] → {0, 1} and Bob in addition holds an input x ∈ [N]. We then let Alice generate a key $K_f$ based on f and K, and let Bob evaluate a value $K_x$ based on x and K. We consider a third party that sees the values $(x, f, K_f)$ and the goal is to allow her to reconstruct $K_x$ whenever f(x) = 1, while keeping $K_x$ pseudorandom whenever f(x) = 0. This primitive can be viewed as a relaxation of constrained PRFs, such that there is only a single key query and a single evaluation query. We focus on the information-theoretic setting, where the one-one cPRF has perfect correctness and perfect security. Our main results are as follows.
1. A Lower Bound. We show that in the information-theoretic setting, any one-one cPRF for punctured predicates is of exponential complexity (and thus the lower bound meets the upper bound that is given by a trivial construction). This stands in contrast with the well-known GGM-based punctured PRF from OWF, which is in particular a one-one cPRF. This also implies a similar lower bound for all NC1.
2. New Constructions. On the positive side, we present efficient information-theoretic constructions of one-one cPRFs for a few other predicate families, such as equality predicates, inner-product predicates, and subset predicates. We also show a generic AND composition lemma that preserves complexity.
3. An Amplification to standard cPRF. We show that all of our one-one cPRF constructions can be amplified to a standard (single-key) cPRF via any key-homomorphic PRF that supports linear computations. More generally, we suggest a new framework that we call the double-key model, which allows us to construct constrained PRFs via key-homomorphic PRFs.
4. Relation to CDS. We show that one-one constrained PRFs imply conditional disclosure of secrets (CDS) protocols.
We believe that this simple model can be used to better understand constrained PRFs and related cryptographic primitives, and that further applications of one-one constrained PRFs and our double-key model will be found in the future, in addition to those we show in this paper.
2012 ACM Subject Classification: Security and privacy → Information-theoretic techniques; Theory of computation → Cryptographic primitives
d-Multiplicative Secret Sharing for Multipartite Adversary Structures
Pub Date: 2020-01-01. DOI: 10.4230/LIPIcs.ITC.2020.2. Pages: 2:1-2:16.
Reo Eriguchi, N. Kunihiro
Secret sharing schemes are said to be d-multiplicative if the i-th shares of any d secrets $s^{(j)}$, j ∈ [d], can be converted into an additive share of the product $\prod_{j \in [d]} s^{(j)}$. d-Multiplicative secret sharing is a central building block of multiparty computation protocols with the minimum number of rounds which are unconditionally secure against possibly non-threshold adversaries. It is known that d-multiplicative secret sharing is possible if and only if no d forbidden subsets cover the set of all the n players or, equivalently, it is private with respect to an adversary structure of type $Q_d$. However, the only known method to achieve d-multiplicativity for any adversary structure of type $Q_d$ is based on CNF secret sharing schemes, which are not efficient in general in that the information ratios are exponential in n. In this paper, we explicitly construct a d-multiplicative secret sharing scheme for any ℓ-partite adversary structure of type $Q_d$ whose information ratio is $O(n^{\ell+1})$. Our schemes are applicable to the class of all the ℓ-partite adversary structures, which is much wider than that of the threshold ones. Furthermore, our schemes achieve information ratios which are polynomial in n if ℓ is constant and hence are more efficient than CNF schemes. In addition, based on the standard embedding of ℓ-partite adversary structures into R, we introduce a class of ℓ-partite adversary structures of type $Q_d$ with good geometric properties and show that there exist more efficient d-multiplicative secret sharing schemes for adversary structures in that family than the above general construction. The family of adversary structures is a natural generalization of that of the threshold ones and includes some adversary structures which arise in real-world scenarios.
2012 ACM Subject Classification: Security and privacy → Information-theoretic techniques
Pub Date : 2019-12-18DOI: 10.4230/LIPIcs.ITC.2020.14
A. Beimel, A. Korolova, Kobbi Nissim, Or Sheffet, Uri Stemmer
Motivated by the desire to bridge the utility gap between local and trusted curator models of differential privacy for practical applications, we initiate the theoretical study of a hybrid model introduced by "Blender" [Avent et al., USENIX Security '17], in which differentially private protocols of n agents that work in the local-model are assisted by a differentially private curator that has access to the data of m additional users. We focus on the regime where m << n and study the new capabilities of this (m,n)-hybrid model. We show that, despite the fact that the hybrid model adds no significant new capabilities for the basic task of simple hypothesis-testing, there are many other tasks (under a wide range of parameters) that can be solved in the hybrid model yet cannot be solved either by the curator or by the local-users separately. Moreover, we exhibit additional tasks where at least one round of interaction between the curator and the local-users is necessary -- namely, no hybrid model protocol without such interaction can solve these tasks. Taken together, our results show that the combination of the local model with a small curator can become part of a promising toolkit for designing and implementing differential privacy.
{"title":"The power of synergy in differential privacy: Combining a small curator with local randomizers","authors":"A. Beimel, A. Korolova, Kobbi Nissim, Or Sheffet, Uri Stemmer","doi":"10.4230/LIPIcs.ITC.2020.14","DOIUrl":"https://doi.org/10.4230/LIPIcs.ITC.2020.14","url":null,"abstract":"Motivated by the desire to bridge the utility gap between local and trusted curator models of differential privacy for practical applications, we initiate the theoretical study of a hybrid model introduced by \"Blender\" [Avent et al., USENIX Security '17], in which differentially private protocols of n agents that work in the local-model are assisted by a differentially private curator that has access to the data of m additional users. We focus on the regime where m << n and study the new capabilities of this (m,n)-hybrid model. We show that, despite the fact that the hybrid model adds no significant new capabilities for the basic task of simple hypothesis-testing, there are many other tasks (under a wide range of parameters) that can be solved in the hybrid model yet cannot be solved either by the curator or by the local-users separately. Moreover, we exhibit additional tasks where at least one round of interaction between the curator and the local-users is necessary -- namely, no hybrid model protocol without such interaction can solve these tasks. Taken together, our results show that the combination of the local model with a small curator can become part of a promising toolkit for designing and implementing differential privacy.","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":"1 1","pages":"14:1-14:25"},"PeriodicalIF":0.0,"publicationDate":"2019-12-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"81111799","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}