Volume
LIPIcs, Volume 267
4th Conference on Information-Theoretic Cryptography (ITC 2023)
-
Part of:
Series:
Leibniz International Proceedings in Informatics (LIPIcs)
Conference: Conference on Information-Theoretic Cryptography (ITC)
Publication Details
- published at: 2023-07-21
- Publisher: Schloss Dagstuhl – Leibniz-Zentrum für Informatik
- ISBN: 978-3-95977-271-6
- DBLP: db/conf/citc/citc2023
Access Numbers
- Detailed Access Statistics available here
-
Total Document Accesses (updated on a weekly basis):
0PDF Downloads
Documents
No documents found matching your filter selection.
Document
Complete Volume
LIPIcs, Volume 267, ITC 2023, Complete Volume
Abstract
LIPIcs, Volume 267, ITC 2023, Complete Volume
Cite as
4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 1-358, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@Proceedings{chung:LIPIcs.ITC.2023,
title = {{LIPIcs, Volume 267, ITC 2023, Complete Volume}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {1--358},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023},
URN = {urn:nbn:de:0030-drops-183272},
doi = {10.4230/LIPIcs.ITC.2023},
annote = {Keywords: LIPIcs, Volume 267, ITC 2023, Complete Volume}
}
Document
Front Matter
Front Matter, Table of Contents, Preface, Conference Organization
Abstract
Front Matter, Table of Contents, Preface, Conference Organization
Cite as
4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 0:i-0:xii, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{chung:LIPIcs.ITC.2023.0,
author = {Chung, Kai-Min},
title = {{Front Matter, Table of Contents, Preface, Conference Organization}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {0:i--0:xii},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.0},
URN = {urn:nbn:de:0030-drops-183280},
doi = {10.4230/LIPIcs.ITC.2023.0},
annote = {Keywords: Front Matter, Table of Contents, Preface, Conference Organization}
}
Document
Two-Round Perfectly Secure Message Transmission with Optimal Transmission Rate
Abstract
In the model of Perfectly Secure Message Transmission (PSMT), a sender Alice is connected to a receiver Bob via n parallel two-way channels, and Alice holds an 𝓁 symbol secret that she wishes to communicate to Bob. There is an unbounded adversary Eve that controls t of the channels, where n = 2t+1. Eve is able to corrupt any symbol sent through the channels she controls, and furthermore may attempt to infer Alice’s secret by observing the symbols sent through the channels she controls. The transmission is required to be (a) reliable, i.e., Bob must always be able to recover Alice’s secret, regardless of Eve’s corruptions; and (b) private, i.e., Eve may not learn anything about Alice’s secret. We focus on the two-round model, where Bob is permitted to first transmit to Alice, and then Alice responds to Bob.
In this work we provide upper and lower bounds for the PSMT model when the length of the communicated secret 𝓁 is asymptotically large. Specifically, we first construct a protocol that allows Alice to communicate an 𝓁 symbol secret to Bob by transmitting at most 2(1+o_{𝓁→∞}(1))n𝓁 symbols. Under a reasonable assumption (which is satisfied by all known efficient two-round PSMT protocols), we complement this with a lower bound showing that 2n𝓁 symbols are necessary for Alice to privately and reliably communicate her secret. This provides strong evidence that our construction is optimal (even up to the leading constant).
Cite as
Nicolas Resch and Chen Yuan. Two-Round Perfectly Secure Message Transmission with Optimal Transmission Rate. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 1:1-1:20, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{resch_et_al:LIPIcs.ITC.2023.1,
author = {Resch, Nicolas and Yuan, Chen},
title = {{Two-Round Perfectly Secure Message Transmission with Optimal Transmission Rate}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {1:1--1:20},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.1},
URN = {urn:nbn:de:0030-drops-183297},
doi = {10.4230/LIPIcs.ITC.2023.1},
annote = {Keywords: Secure transmission, Information theoretical secure, MDS codes}
}
Document
A Lower Bound on the Share Size in Evolving Secret Sharing
Abstract
Secret sharing schemes allow sharing a secret between a set of parties in a way that ensures that only authorized subsets of the parties learn the secret. Evolving secret sharing schemes (Komargodski, Naor, and Yogev [TCC '16]) allow achieving this end in a scenario where the parties arrive in an online fashion, and there is no a-priory bound on the number of parties.
An important complexity measure of a secret sharing scheme is the share size, which is the maximum number of bits that a party may receive as a share. While there has been a significant progress in recent years, the best constructions for both secret sharing and evolving secret sharing schemes have a share size that is exponential in the number of parties. On the other hand, the best lower bound, by Csirmaz [Eurocrypt '95], is sub-linear.
In this work, we give a tight lower bound on the share size of evolving secret sharing schemes. Specifically, we show that the sub-linear lower bound of Csirmaz implies an exponential lower bound on evolving secret sharing.
Cite as
Noam Mazor. A Lower Bound on the Share Size in Evolving Secret Sharing. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 2:1-2:9, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{mazor:LIPIcs.ITC.2023.2,
author = {Mazor, Noam},
title = {{A Lower Bound on the Share Size in Evolving Secret Sharing}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {2:1--2:9},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.2},
URN = {urn:nbn:de:0030-drops-183300},
doi = {10.4230/LIPIcs.ITC.2023.2},
annote = {Keywords: Secret sharing, Evolving secret sharing}
}
Document
Csirmaz’s Duality Conjecture and Threshold Secret Sharing
Abstract
We conjecture that the smallest possible share size for binary secrets for the t-out-of-n and (n-t+1)-out-of-n access structures is the same for all 1 ≤ t ≤ n. This is a strenghtening of a recent conjecture by Csirmaz (J. Math. Cryptol., 2020). We prove the conjecture for t = 2 and all n. Our proof gives a new (n-1)-out-of-n secret sharing scheme for binary secrets with share alphabet size n.
Cite as
Andrej Bogdanov. Csirmaz’s Duality Conjecture and Threshold Secret Sharing. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 3:1-3:6, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{bogdanov:LIPIcs.ITC.2023.3,
author = {Bogdanov, Andrej},
title = {{Csirmaz’s Duality Conjecture and Threshold Secret Sharing}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {3:1--3:6},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.3},
URN = {urn:nbn:de:0030-drops-183317},
doi = {10.4230/LIPIcs.ITC.2023.3},
annote = {Keywords: Threshold secret sharing, Fourier analysis}
}
Document
The Cost of Statistical Security in Proofs for Repeated Squaring
Abstract
In recent years, the number of applications of the repeated squaring assumption has been growing rapidly. The assumption states that, given a group element x, an integer T, and an RSA modulus N, it is hard to compute x^2^T mod N - or even decide whether y?=x^2^T mod N - in parallel time less than the trivial approach of simply computing T squares. This rise has been driven by efficient proof systems for repeated squaring, opening the door to more efficient constructions of verifiable delay functions, various secure computation primitives, and proof systems for more general languages.
In this work, we study the complexity of statistically sound proofs for the repeated squaring relation. Technically, we consider proofs where the prover sends at most k ≥ 0 elements and the (probabilistic) verifier performs generic group operations over the group ℤ_N^⋆. As our main contribution, we show that for any (one-round) proof with a randomized verifier (i.e., an MA proof) the verifier either runs in parallel time Ω(T/(k+1)) with high probability, or is able to factor N given the proof provided by the prover. This shows that either the prover essentially sends p,q such that N = p⋅ q (which is infeasible or undesirable in most applications), or a variant of Pietrzak’s proof of repeated squaring (ITCS 2019) has optimal verifier complexity O(T/(k+1)). In particular, it is impossible to obtain a statistically sound one-round proof of repeated squaring with efficiency on par with the computationally-sound protocol of Wesolowski (EUROCRYPT 2019), with a generic group verifier.
We further extend our one-round lower bound to a natural class of recursive interactive proofs for repeated squaring. For r-round recursive proofs where the prover is allowed to send k group elements per round, we show that the verifier either runs in parallel time Ω(T/(k+1)^r) with high probability, or is able to factor N given the proof transcript.
Cite as
Cody Freitag and Ilan Komargodski. The Cost of Statistical Security in Proofs for Repeated Squaring. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 4:1-4:23, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{freitag_et_al:LIPIcs.ITC.2023.4,
author = {Freitag, Cody and Komargodski, Ilan},
title = {{The Cost of Statistical Security in Proofs for Repeated Squaring}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {4:1--4:23},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.4},
URN = {urn:nbn:de:0030-drops-183326},
doi = {10.4230/LIPIcs.ITC.2023.4},
annote = {Keywords: Cryptographic Proofs, Repeated Squaring, Lower Bounds}
}
Document
Interactive Non-Malleable Codes Against Desynchronizing Attacks in the Multi-Party Setting
Abstract
Interactive Non-Malleable Codes were introduced by Fleischhacker et al. (TCC 2019) in the two party setting with synchronous tampering. The idea of this type of non-malleable code is that it "encodes" an interactive protocol in such a way that, even if the messages are tampered with according to some class F of tampering functions, the result of the execution will either be correct, or completely unrelated to the inputs of the participating parties. In the synchronous setting the adversary is able to modify the messages being exchanged but cannot drop messages nor desynchronize the two parties by first running the protocol with the first party and then with the second party. In this work, we define interactive non-malleable codes in the non-synchronous multi-party setting and construct such interactive non-malleable codes for the class F^s_bounded of bounded-state tampering functions.
Cite as
Nils Fleischhacker, Suparno Ghoshal, and Mark Simkin. Interactive Non-Malleable Codes Against Desynchronizing Attacks in the Multi-Party Setting. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 5:1-5:26, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{fleischhacker_et_al:LIPIcs.ITC.2023.5,
author = {Fleischhacker, Nils and Ghoshal, Suparno and Simkin, Mark},
title = {{Interactive Non-Malleable Codes Against Desynchronizing Attacks in the Multi-Party Setting}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {5:1--5:26},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.5},
URN = {urn:nbn:de:0030-drops-183331},
doi = {10.4230/LIPIcs.ITC.2023.5},
annote = {Keywords: non-malleability, multi-party protocols}
}
Document
Asymmetric Multi-Party Computation
Abstract
Current protocols for Multi-Party Computation (MPC) consider the setting where all parties have access to similar resources. For example, all parties have access to channels bounded by the same worst-case delay upper bound Δ, and all channels have the same cost of communication. As a consequence, the overall protocol performance (resp. the communication cost) may be heavily affected by the slowest (resp. the most expensive) channel, even when most channels are fast (resp. cheap). Given the state of affairs, we initiate a systematic study of asymmetric MPC. In asymmetric MPC, the parties are divided into two categories: fast and slow parties, depending on whether they have access to high-end or low-end resources.
We investigate two different models. In the first, we consider asymmetric communication delays: Fast parties are connected via channels with small delay δ among themselves, while channels connected to (at least) one slow party have a large delay Δ ≫ δ. In the second model, we consider asymmetric communication costs: Fast parties benefit from channels with cheap communication, while channels connected to a slow party have an expensive communication. We provide a wide range of positive and negative results exploring the trade-offs between the achievable number of tolerated corruptions t and slow parties s, versus the round complexity and communication cost in each of the models. Among others, we achieve the following results. In the model with asymmetric communication delays, focusing on the information-theoretic (i-t) setting:
- An i-t asymmetric MPC protocol with security with abort as long as t+s < n and t < n/2, in a constant number of slow rounds.
- We show that achieving an i-t asymmetric MPC protocol for t+s = n and with number of slow rounds independent of the circuit size implies an i-t synchronous MPC protocol with round complexity independent of the circuit size, which is a major problem in the field of round-complexity of MPC.
- We identify a new primitive, asymmetric broadcast, that allows to consistently distribute a value among the fast parties, and at a later time the same value to slow parties. We completely characterize the feasibility of asymmetric broadcast by showing that it is possible if and only if 2t + s < n.
- An i-t asymmetric MPC protocol with guaranteed output delivery as long as t+s < n and t < n/2, in a number of slow rounds independent of the circuit size.
In the model with asymmetric communication cost, we achieve an asymmetric MPC protocol for security with abort for t+s < n and t < n/2, based on one-way functions (OWF). The protocol communicates a number of bits over expensive channels that is independent of the circuit size. We conjecture that assuming OWF is needed and further provide a partial result in this direction.
Cite as
Vipul Goyal, Chen-Da Liu-Zhang, and Rafail Ostrovsky. Asymmetric Multi-Party Computation. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 6:1-6:25, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{goyal_et_al:LIPIcs.ITC.2023.6,
author = {Goyal, Vipul and Liu-Zhang, Chen-Da and Ostrovsky, Rafail},
title = {{Asymmetric Multi-Party Computation}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {6:1--6:25},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.6},
URN = {urn:nbn:de:0030-drops-183342},
doi = {10.4230/LIPIcs.ITC.2023.6},
annote = {Keywords: multiparty computation, asymmetric, delays, communication}
}
Document
Phoenix: Secure Computation in an Unstable Network with Dropouts and Comebacks
Abstract
We consider the task of designing secure computation protocols in an unstable network where honest parties can drop out at any time, according to a schedule provided by the adversary. This type of setting, where even honest parties are prone to failures, is more realistic than traditional models, and has therefore gained a lot of attention recently. Our model, Phoenix, enables a new approach to secure multiparty computation with dropouts, allowing parties to drop out and re-enter the computation on an adversarially-chosen schedule and without assuming that these parties receive the messages that were sent to them while being offline - features that are not available in the existing models of Sleepy MPC (Guo et al., CRYPTO '19), Fluid MPC (Choudhuri et al., CRYPTO '21 ) and YOSO (Gentry et al. CRYPTO '21). Phoenix does assume an upper bound on the number of rounds that an honest party can be off-line - otherwise protocols in this setting cannot guarantee termination within a bounded number of rounds; however, if one settles for a weaker notion, namely guaranteed output delivery only for honest parties who stay on-line long enough, this requirement is not necessary.
In this work, we study the settings of perfect, statistical and computational security and design MPC protocols in each of these scenarios. We assume that the intersection of online-and-honest parties from one round to the next is at least 2t+1, t+1 and 1 respectively, where t is the number of (actively) corrupt parties. We show the intersection requirements to be optimal. Our (positive) results are obtained in a way that may be of independent interest: we implement a traditional stable network on top of the unstable one, which allows us to plug in any MPC protocol on top. This approach adds a necessary overhead to the round count of the protocols, which is related to the maximal number of rounds an honest party can be offline. We also present a novel, perfectly secure MPC protocol in the preprocessing model that avoids this overhead by following a more "direct" approach rather than first building a stable network and then using existing protocols. We introduce our network model in the UC-framework, show that the composition theorem still holds, and prove the security of our protocols within this setting.
Cite as
Ivan Damgård, Daniel Escudero, and Antigoni Polychroniadou. Phoenix: Secure Computation in an Unstable Network with Dropouts and Comebacks. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 7:1-7:21, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{damgard_et_al:LIPIcs.ITC.2023.7,
author = {Damg\r{a}rd, Ivan and Escudero, Daniel and Polychroniadou, Antigoni},
title = {{Phoenix: Secure Computation in an Unstable Network with Dropouts and Comebacks}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {7:1--7:21},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.7},
URN = {urn:nbn:de:0030-drops-183355},
doi = {10.4230/LIPIcs.ITC.2023.7},
annote = {Keywords: Secure Multiparty Computation, Unstable Networks}
}
Document
Weighted Secret Sharing from Wiretap Channels
Abstract
Secret-sharing allows splitting a piece of secret information among a group of shareholders, so that it takes a large enough subset of them to recover it. In weighted secret-sharing, each shareholder has an integer weight, and it takes a subset of large-enough weight to recover the secret. Schemes in the literature for weighted threshold secret sharing either have share sizes that grow linearly with the total weight, or ones that depend on huge public information (essentially a garbled circuit) of size (quasi)polynomial in the number of parties.
To do better, we investigate a relaxation, (α, β)-ramp weighted secret sharing, where subsets of weight β W can recover the secret (with W the total weight), but subsets of weight α W or less cannot learn anything about it. These can be constructed from standard secret-sharing schemes, but known constructions require long shares even for short secrets, achieving share sizes of max(W,|secret|/ε), where ε = β-α. In this note we first observe that simple rounding let us replace the total weight W by N/ε, where N is the number of parties. Combined with known constructions, this yields share sizes of O(max(N,|secret|)/ε).
Our main contribution is a novel connection between weighted secret sharing and wiretap channels, that improves or even eliminates the dependence on N, at a price of increased dependence on 1/ε. We observe that for certain additive-noise (ℛ,𝒜) wiretap channels, any semantically secure scheme can be naturally transformed into an (α,β)-ramp weighted secret-sharing, where α,β are essentially the respective capacities of the channels 𝒜,ℛ. We present two instantiations of this type of construction, one using Binary Symmetric wiretap Channels, and the other using additive Gaussian Wiretap Channels. Depending on the parameters of the underlying wiretap channels, this gives rise to (α, β)-ramp schemes with share sizes |secret|⋅log N/poly(ε) or even just |secret|/poly(ε).
Cite as
Fabrice Benhamouda, Shai Halevi, and Lev Stambler. Weighted Secret Sharing from Wiretap Channels. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 8:1-8:19, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{benhamouda_et_al:LIPIcs.ITC.2023.8,
author = {Benhamouda, Fabrice and Halevi, Shai and Stambler, Lev},
title = {{Weighted Secret Sharing from Wiretap Channels}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {8:1--8:19},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.8},
URN = {urn:nbn:de:0030-drops-183365},
doi = {10.4230/LIPIcs.ITC.2023.8},
annote = {Keywords: Secret sharing, ramp weighted secret sharing, wiretap channel}
}
Document
Quantum Security of Subset Cover Problems
Abstract
The subset cover problem for k ≥ 1 hash functions, which can be seen as an extension of the collision problem, was introduced in 2002 by Reyzin and Reyzin to analyse the security of their hash-function based signature scheme HORS. The security of many hash-based signature schemes relies on this problem or a variant of this problem (e.g. HORS, SPHINCS, SPHINCS+, ...).
Recently, Yuan, Tibouchi and Abe (2022) introduced a variant to the subset cover problem, called restricted subset cover, and proposed a quantum algorithm for this problem. In this work, we prove that any quantum algorithm needs to make Ω((k+1)^{-(2^k)/(2^{k+1}-1})⋅ N^{(2^{k}-1})/(2^{k+1}-1)}) queries to the underlying hash functions with codomain size N to solve the restricted subset cover problem, which essentially matches the query complexity of the algorithm proposed by Yuan, Tibouchi and Abe.
We also analyze the security of the general (r,k)-subset cover problem, which is the underlying problem that implies the unforgeability of HORS under a r-chosen message attack (for r ≥ 1). We prove that a generic quantum algorithm needs to make Ω(N^{k/5}) queries to the underlying hash functions to find a (1,k)-subset cover. We also propose a quantum algorithm that finds a (r,k)-subset cover making O (N^{k/(2+2r)}) queries to the k hash functions.
Cite as
Samuel Bouaziz-Ermann, Alex B. Grilo, and Damien Vergnaud. Quantum Security of Subset Cover Problems. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 9:1-9:17, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{bouazizermann_et_al:LIPIcs.ITC.2023.9,
author = {Bouaziz-Ermann, Samuel and Grilo, Alex B. and Vergnaud, Damien},
title = {{Quantum Security of Subset Cover Problems}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {9:1--9:17},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.9},
URN = {urn:nbn:de:0030-drops-183378},
doi = {10.4230/LIPIcs.ITC.2023.9},
annote = {Keywords: Cryptography, Random oracle model, Quantum information}
}
Document
Distributed Shuffling in Adversarial Environments
Abstract
We study mix-nets in the context of cryptocurrencies. Here we have many computationally weak shufflers that speak one after another and want to joinlty shuffle a list of ciphertexts (c₁, … , c_n). Each shuffler can only permute k << n ciphertexts at a time. An adversary A can track some of the ciphertexts and adaptively corrupt some of the shufflers.
We present a simple protocol for shuffling the list of ciphertexts efficiently. The main technical contribution of this work is to prove that our simple shuffling strategy does indeed provide good anonymity guarantees and at the same time terminates quickly.
Our shuffling algorithm provides a strict improvement over the current shuffling strategy in Ethereum’s block proposer elections. Our algorithm is secure against a stronger adversary, provides provable security guarantees, and is comparably in efficiency to the current approach.
Cite as
Kasper Green Larsen, Maciej Obremski, and Mark Simkin. Distributed Shuffling in Adversarial Environments. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 10:1-10:15, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{larsen_et_al:LIPIcs.ITC.2023.10,
author = {Larsen, Kasper Green and Obremski, Maciej and Simkin, Mark},
title = {{Distributed Shuffling in Adversarial Environments}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {10:1--10:15},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.10},
URN = {urn:nbn:de:0030-drops-183385},
doi = {10.4230/LIPIcs.ITC.2023.10},
annote = {Keywords: Distributed Computing, Shuffling}
}
Document
MPC with Low Bottleneck-Complexity: Information-Theoretic Security and More
Abstract
The bottleneck-complexity (BC) of secure multiparty computation (MPC) protocols is a measure of the maximum number of bits which are sent and received by any party in protocol. As the name suggests, the goal of studying BC-efficient protocols is to increase overall efficiency by making sure that the workload in the protocol is somehow "amortized" by the protocol participants.
Orlandi et al. [Orlandi et al., 2022] initiated the study of BC-efficient protocols from simple assumptions in the correlated randomness model and for semi-honest adversaries. In this work, we extend the study of [Orlandi et al., 2022] in two primary directions: (a) to a larger and more general class of functions and (b) to the information-theoretic setting.
In particular, we offer semi-honest secure protocols for the useful function classes of abelian programs, "read-k" non-abelian programs, and "read-k" generalized formulas.
Our constructions use a novel abstraction, called incremental function secret-sharing (IFSS), that can be instantiated with unconditional security or from one-way functions (with different efficiency trade-offs).
Cite as
Hannah Keller, Claudio Orlandi, Anat Paskin-Cherniavsky, and Divya Ravi. MPC with Low Bottleneck-Complexity: Information-Theoretic Security and More. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 11:1-11:22, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{keller_et_al:LIPIcs.ITC.2023.11,
author = {Keller, Hannah and Orlandi, Claudio and Paskin-Cherniavsky, Anat and Ravi, Divya},
title = {{MPC with Low Bottleneck-Complexity: Information-Theoretic Security and More}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {11:1--11:22},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.11},
URN = {urn:nbn:de:0030-drops-183391},
doi = {10.4230/LIPIcs.ITC.2023.11},
annote = {Keywords: Secure Multiparty Computation, Bottleneck Complexity, Information-theoretic}
}
Document
Randomness Recoverable Secret Sharing Schemes
Abstract
It is well-known that randomness is essential for secure cryptography. The randomness used in cryptographic primitives is not necessarily recoverable even by the party who can, e.g., decrypt or recover the underlying secret/message. Several cryptographic primitives that support randomness recovery have turned out useful in various applications. In this paper, we study randomness recoverable secret sharing schemes (RR-SSS), in both information-theoretic and computational settings and provide two results. First, we show that while every access structure admits a perfect RR-SSS, there are very simple access structures (e.g., in monotone AC⁰) that do not admit efficient perfect (or even statistical) RR-SSS. Second, we show that the existence of efficient computational RR-SSS for certain access structures in monotone AC⁰ implies the existence of one-way functions. This stands in sharp contrast to (non-RR) SSS schemes for which no such results are known.
RR-SSS plays a key role in making advanced attributed-based encryption schemes randomness recoverable, which in turn have applications in the context of designated-verifier non-interactive zero knowledge.
Cite as
Mohammad Hajiabadi, Shahram Khazaei, and Behzad Vahdani. Randomness Recoverable Secret Sharing Schemes. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 12:1-12:25, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{hajiabadi_et_al:LIPIcs.ITC.2023.12,
author = {Hajiabadi, Mohammad and Khazaei, Shahram and Vahdani, Behzad},
title = {{Randomness Recoverable Secret Sharing Schemes}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {12:1--12:25},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.12},
URN = {urn:nbn:de:0030-drops-183404},
doi = {10.4230/LIPIcs.ITC.2023.12},
annote = {Keywords: Secret sharing, Randomness recovery}
}
Document
Secure Communication in Dynamic Incomplete Networks
Abstract
In this paper, we explore the feasibility of reliable and private communication in dynamic networks, where in each round the adversary can choose which direct peer-to-peer links are available in the network graph, under the sole condition that the graph is k-connected at each round (for some k).
We show that reliable communication is possible in such a dynamic network if and only if k > 2t. We also show that if k = cn > 2 t for a constant c, we can achieve reliable communication with polynomial round and communication complexity.
For unconditionally private communication, we show that for a passive adversary, k > t is sufficient (and clearly necessary). For an active adversary, we show that k > 2t is sufficient for statistical security (and clearly necessary), while k > 3t is sufficient for perfect security. We conjecture that, in contrast to the static case, k > 2t is not enough for perfect security, and we give evidence that the conjecture is true.
Once we have reliable and private communication between each pair of parties, we can emulate a complete network with secure channels, and we can use known protocols to do secure computation.
Cite as
Ivan Damgård, Divya Ravi, Daniel Tschudi, and Sophia Yakoubov. Secure Communication in Dynamic Incomplete Networks. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 13:1-13:21, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{damgard_et_al:LIPIcs.ITC.2023.13,
author = {Damg\r{a}rd, Ivan and Ravi, Divya and Tschudi, Daniel and Yakoubov, Sophia},
title = {{Secure Communication in Dynamic Incomplete Networks}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {13:1--13:21},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.13},
URN = {urn:nbn:de:0030-drops-183419},
doi = {10.4230/LIPIcs.ITC.2023.13},
annote = {Keywords: Secure Communication, Dynamic Incomplete Network, Information-theoretic}
}
Document
Locally Covert Learning
Abstract
The goal of a covert learning algorithm is to learn a function f by querying it, while ensuring that an adversary, who sees all queries and their responses, is unable to (efficiently) learn any more about f than they could learn from random input-output pairs. We focus on a relaxation that we call local covertness, in which queries are distributed across k servers and we only limit what is learnable by k - 1 colluding servers.
For any constant k, we give a locally covert algorithm for efficiently learning any Fourier-sparse function (technically, our notion of learning is improper, agnostic, and with respect to the uniform distribution). Our result holds unconditionally and for computationally unbounded adversaries. Prior to our work, such an algorithm was known only for the special case of O(log n)-juntas, and only with k = 2 servers [Yuval Ishai et al., 2019].
Our main technical observation is that the original Goldreich-Levin algorithm only utilizes i.i.d. pairs of correlated queries, where each half of every pair is uniformly random. We give a simple generalization of this algorithm in which pairs are replaced by k-tuples in which any k - 1 components are jointly uniform. The cost of this generalization is that the number of queries needed grows exponentially with k.
Cite as
Justin Holmgren and Ruta Jawale. Locally Covert Learning. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 14:1-14:12, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{holmgren_et_al:LIPIcs.ITC.2023.14,
author = {Holmgren, Justin and Jawale, Ruta},
title = {{Locally Covert Learning}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {14:1--14:12},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.14},
URN = {urn:nbn:de:0030-drops-183421},
doi = {10.4230/LIPIcs.ITC.2023.14},
annote = {Keywords: learning theory, adversarial machine learning, zero knowledge, Fourier analysis of boolean functions, Goldreich-Levin algorithm, Kushilevitz-Mansour algorithm}
}
Document
Online Mergers and Applications to Registration-Based Encryption and Accumulators
Abstract
In this work we study a new information theoretic problem, called online merging, that has direct applications for constructing public-state accumulators and registration-based encryption schemes. An {online merger} receives the sequence of sets {1}, {2}, … in an online way, and right after receiving {i}, it can re-partition the elements 1,…,i into T₁,…,T_{m_i} by merging some of these sets. The goal of the merger is to balance the trade-off between the maximum number of sets wid = max_{i ∈ [n]} m_i that co-exist at any moment, called the width of the scheme, with its depth dep = max_{i ∈ [n]} d_i, where d_i is the number of times that the sets that contain i get merged. An online merger can be used to maintain a set of Merkle trees that occasionally get merged.
An online merger can be directly used to obtain public-state accumulators (using collision-resistant hashing) and registration-based encryptions (relying on more assumptions). Doing so, the width of an online merger translates into the size of the public-parameter of the constructed scheme, and the depth of the online algorithm corresponds to the number of times that parties need to update their "witness" (for accumulators) or their decryption key (for RBE).
In this work, we construct online mergers with poly(log n) width and O(log n / log log n) depth, which can be shown to be optimal for all schemes with poly(log n) width. More generally, we show how to achieve optimal depth for a given fixed width and to achieve a 2-approximate optimal width for a given depth d that can possibly grow as a function of n (e.g., d = 2 or d = log n / log log n). As applications, we obtain accumulators with O(log n / log log n) number of updates for parties' witnesses (which can be shown to be optimal for accumulator digests of length poly(log n)) as well as registration based encryptions that again have an optimal O(log n / log log n) number of decryption updates, resolving the open question of Mahmoody, Rahimi, Qi [TCC'22] who proved that Ω(log n / log log n) number of decryption updates are necessary for any RBE (with public parameter of length poly(log n)). More generally, for any given number of decryption updates d = d(n) (under believable computational assumptions) our online merger implies RBE schemes with public parameters of length that is optimal, up to a constant factor that depends on the security parameter. For example, for any constant number of updates d, we get RBE schemes with public parameters of length O(n^{1/(d+1)}).
Cite as
Mohammad Mahmoody and Wei Qi. Online Mergers and Applications to Registration-Based Encryption and Accumulators. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 15:1-15:23, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{mahmoody_et_al:LIPIcs.ITC.2023.15,
author = {Mahmoody, Mohammad and Qi, Wei},
title = {{Online Mergers and Applications to Registration-Based Encryption and Accumulators}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {15:1--15:23},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.15},
URN = {urn:nbn:de:0030-drops-183432},
doi = {10.4230/LIPIcs.ITC.2023.15},
annote = {Keywords: Registration-based encryption, Accumulators, Merkle Trees}
}
Document
Lower Bounds for Secret-Sharing Schemes for k-Hypergraphs
Abstract
A secret-sharing scheme enables a dealer, holding a secret string, to distribute shares to parties such that only pre-defined authorized subsets of parties can reconstruct the secret. The collection of authorized sets is called an access structure. There is a huge gap between the best known upper bounds on the share size of a secret-sharing scheme realizing an arbitrary access structure and the best known lower bounds on the size of these shares. For an arbitrary n-party access structure, the best known upper bound on the share size is 2^{O(n)}. On the other hand, the best known lower bound on the total share size is much smaller, i.e., Ω(n²/log(n)) [Csirmaz, Studia Sci. Math. Hungar.]. This lower bound was proved more than 25 years ago and no major progress has been made since.
In this paper, we study secret-sharing schemes for k-hypergraphs, i.e., for access structures where all minimal authorized sets are of size exactly k (however, unauthorized sets can be larger). We consider the case where k is small, i.e., constant or at most log(n). The trivial upper bound for these access structures is O(n⋅ binom(n-1,k-1)) and this can be slightly improved. If there were efficient secret-sharing schemes for such k-hypergraphs (e.g., 2-hypergraphs or 3-hypergraphs), then we would be able to construct secret-sharing schemes for arbitrary access structures that are better than the best known schemes. Thus, understanding the share size required for k-hypergraphs is important. Prior to our work, the best known lower bound for these access structures was Ω(n log(n)), which holds already for graphs (i.e., 2-hypergraphs).
We improve this lower bound, proving a lower bound of Ω(n^{2-1/(k-1)}/k) on the total share size for some explicit k-hypergraphs, where 3 ≤ k ≤ log(n). For example, for 3-hypergraphs we prove a lower bound of Ω(n^{3/2}). For log(n)-hypergraphs, we prove a lower bound of Ω(n²/log(n)), i.e., we show that the lower bound of Csirmaz holds already when all minimal authorized sets are of size log(n). Our proof is simple and shows that the lower bound of Csirmaz holds for a simple variant of the access structure considered by Csirmaz. Using our results, we prove a near quadratic separation between the required share size for realizing an explicit access structure and the monotone circuit size describing the access structure, i.e., the share size in Ω(n²/log(n)) and the monotone circuit size is O(nlog(n)) (where the circuit has depth 3).
Cite as
Amos Beimel. Lower Bounds for Secret-Sharing Schemes for k-Hypergraphs. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 16:1-16:13, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{beimel:LIPIcs.ITC.2023.16,
author = {Beimel, Amos},
title = {{Lower Bounds for Secret-Sharing Schemes for k-Hypergraphs}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {16:1--16:13},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.16},
URN = {urn:nbn:de:0030-drops-183440},
doi = {10.4230/LIPIcs.ITC.2023.16},
annote = {Keywords: Secret Sharing, Share Size, Lower Bounds, Monotone Circuits}
}
Document
Differentially Private Aggregation via Imperfect Shuffling
Abstract
In this paper, we introduce the imperfect shuffle differential privacy model, where messages sent from users are shuffled in an almost uniform manner before being observed by a curator for private aggregation. We then consider the private summation problem. We show that the standard split-and-mix protocol by Ishai et. al. [FOCS 2006] can be adapted to achieve near-optimal utility bounds in the imperfect shuffle model. Specifically, we show that surprisingly, there is no additional error overhead necessary in the imperfect shuffle model.
Cite as
Badih Ghazi, Ravi Kumar, Pasin Manurangsi, Jelani Nelson, and Samson Zhou. Differentially Private Aggregation via Imperfect Shuffling. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 17:1-17:22, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{ghazi_et_al:LIPIcs.ITC.2023.17,
author = {Ghazi, Badih and Kumar, Ravi and Manurangsi, Pasin and Nelson, Jelani and Zhou, Samson},
title = {{Differentially Private Aggregation via Imperfect Shuffling}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {17:1--17:22},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.17},
URN = {urn:nbn:de:0030-drops-183453},
doi = {10.4230/LIPIcs.ITC.2023.17},
annote = {Keywords: Differential privacy, private summation, shuffle model}
}
Document
Exponential Correlated Randomness Is Necessary in Communication-Optimal Perfectly Secure Two-Party Computation
Abstract
Secure two-party computation is a cryptographic technique that enables two parties to compute a function jointly while keeping each input secret. It is known that most functions cannot be realized by information-theoretically secure two-party computation, but any function can be realized in the correlated randomness (CR) model, where a trusted dealer distributes input-independent CR to the parties beforehand. In the CR model, three kinds of complexities are mainly considered; the size of CR, the number of rounds, and the communication complexity.
Ishai et al. (TCC 2013) showed that any function can be securely computed with optimal online communication cost, i.e., the number of rounds is one round and the communication complexity is the same as the input length, at the price of exponentially large CR. In this paper, we prove that exponentially large CR is necessary to achieve perfect security and online optimality for a general function and that the protocol by Ishai et al. is asymptotically optimal in terms of the size of CR. Furthermore, we also prove that exponentially large CR is still necessary even when we allow multiple rounds while keeping the optimality of communication complexity.
Cite as
Keitaro Hiwatashi and Koji Nuida. Exponential Correlated Randomness Is Necessary in Communication-Optimal Perfectly Secure Two-Party Computation. In 4th Conference on Information-Theoretic Cryptography (ITC 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 267, pp. 18:1-18:16, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
Copy BibTex To Clipboard
@InProceedings{hiwatashi_et_al:LIPIcs.ITC.2023.18,
author = {Hiwatashi, Keitaro and Nuida, Koji},
title = {{Exponential Correlated Randomness Is Necessary in Communication-Optimal Perfectly Secure Two-Party Computation}},
booktitle = {4th Conference on Information-Theoretic Cryptography (ITC 2023)},
pages = {18:1--18:16},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-271-6},
ISSN = {1868-8969},
year = {2023},
volume = {267},
editor = {Chung, Kai-Min},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITC.2023.18},
URN = {urn:nbn:de:0030-drops-183462},
doi = {10.4230/LIPIcs.ITC.2023.18},
annote = {Keywords: Secure Computation, Correlated Randomness, Lower Bound}
}