eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
1
358
10.4230/LIPIcs.ITC.2023
article
LIPIcs, Volume 267, ITC 2023, Complete Volume
Chung, Kai-Min
1
https://orcid.org/0000-0002-3356-369X
Academia Sinica, Taipei City, Taiwan
LIPIcs, Volume 267, ITC 2023, Complete Volume
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023/LIPIcs.ITC.2023.pdf
LIPIcs, Volume 267, ITC 2023, Complete Volume
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
0:i
0:xii
10.4230/LIPIcs.ITC.2023.0
article
Front Matter, Table of Contents, Preface, Conference Organization
Chung, Kai-Min
1
https://orcid.org/0000-0002-3356-369X
Academia Sinica, Taipei City, Taiwan
Front Matter, Table of Contents, Preface, Conference Organization
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.0/LIPIcs.ITC.2023.0.pdf
Front Matter
Table of Contents
Preface
Conference Organization
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
1:1
1:20
10.4230/LIPIcs.ITC.2023.1
article
Two-Round Perfectly Secure Message Transmission with Optimal Transmission Rate
Resch, Nicolas
1
https://orcid.org/0000-0002-5133-5631
Yuan, Chen
2
https://orcid.org/0000-0002-3730-8397
Informatics' Institute, University of Amsterdam, The Netherlands
School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, China
In the model of Perfectly Secure Message Transmission (PSMT), a sender Alice is connected to a receiver Bob via n parallel two-way channels, and Alice holds an 𝓁 symbol secret that she wishes to communicate to Bob. There is an unbounded adversary Eve that controls t of the channels, where n = 2t+1. Eve is able to corrupt any symbol sent through the channels she controls, and furthermore may attempt to infer Alice’s secret by observing the symbols sent through the channels she controls. The transmission is required to be (a) reliable, i.e., Bob must always be able to recover Alice’s secret, regardless of Eve’s corruptions; and (b) private, i.e., Eve may not learn anything about Alice’s secret. We focus on the two-round model, where Bob is permitted to first transmit to Alice, and then Alice responds to Bob.
In this work we provide upper and lower bounds for the PSMT model when the length of the communicated secret 𝓁 is asymptotically large. Specifically, we first construct a protocol that allows Alice to communicate an 𝓁 symbol secret to Bob by transmitting at most 2(1+o_{𝓁→∞}(1))n𝓁 symbols. Under a reasonable assumption (which is satisfied by all known efficient two-round PSMT protocols), we complement this with a lower bound showing that 2n𝓁 symbols are necessary for Alice to privately and reliably communicate her secret. This provides strong evidence that our construction is optimal (even up to the leading constant).
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.1/LIPIcs.ITC.2023.1.pdf
Secure transmission
Information theoretical secure
MDS codes
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
2:1
2:9
10.4230/LIPIcs.ITC.2023.2
article
A Lower Bound on the Share Size in Evolving Secret Sharing
Mazor, Noam
1
The Blavatnik School of Computer Science, Tel Aviv University, Israel
Secret sharing schemes allow sharing a secret between a set of parties in a way that ensures that only authorized subsets of the parties learn the secret. Evolving secret sharing schemes (Komargodski, Naor, and Yogev [TCC '16]) allow achieving this end in a scenario where the parties arrive in an online fashion, and there is no a priori bound on the number of parties.
An important complexity measure of a secret sharing scheme is the share size, which is the maximum number of bits that a party may receive as a share. While there has been a significant progress in recent years, the best constructions for both secret sharing and evolving secret sharing schemes have a share size that is exponential in the number of parties. On the other hand, the best lower bound, by Csirmaz [Eurocrypt '95], is sub-linear.
In this work, we give a tight lower bound on the share size of evolving secret sharing schemes. Specifically, we show that the sub-linear lower bound of Csirmaz implies an exponential lower bound on evolving secret sharing.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.2/LIPIcs.ITC.2023.2.pdf
Secret sharing
Evolving secret sharing
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
3:1
3:6
10.4230/LIPIcs.ITC.2023.3
article
Csirmaz’s Duality Conjecture and Threshold Secret Sharing
Bogdanov, Andrej
1
https://orcid.org/0000-0002-0338-6151
University of Ottawa, Canada
We conjecture that the smallest possible share size for binary secrets for the t-out-of-n and (n-t+1)-out-of-n access structures is the same for all 1 ≤ t ≤ n. This is a strengthening of a recent conjecture by Csirmaz (J. Math. Cryptol., 2020). We prove the conjecture for t = 2 and all n. Our proof gives a new (n-1)-out-of-n secret sharing scheme for binary secrets with share alphabet size n.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.3/LIPIcs.ITC.2023.3.pdf
Threshold secret sharing
Fourier analysis
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
4:1
4:23
10.4230/LIPIcs.ITC.2023.4
article
The Cost of Statistical Security in Proofs for Repeated Squaring
Freitag, Cody
1
https://orcid.org/0000-0002-6307-204X
Komargodski, Ilan
2
3
https://orcid.org/0000-0002-1647-2112
Cornell Tech, New York, NY, USA
The Hebrew University, Jerusalem, Israel
NTT Research, Sunnyvale, CA, USA
In recent years, the number of applications of the repeated squaring assumption has been growing rapidly. The assumption states that, given a group element x, an integer T, and an RSA modulus N, it is hard to compute x^{2^T} mod N, or even to decide whether y = x^{2^T} mod N, in parallel time less than the trivial approach of simply computing T squares. This rise has been driven by efficient proof systems for repeated squaring, opening the door to more efficient constructions of verifiable delay functions, various secure computation primitives, and proof systems for more general languages.
In this work, we study the complexity of statistically sound proofs for the repeated squaring relation. Technically, we consider proofs where the prover sends at most k ≥ 0 elements and the (probabilistic) verifier performs generic group operations over the group ℤ_N^⋆. As our main contribution, we show that for any (one-round) proof with a randomized verifier (i.e., an MA proof) the verifier either runs in parallel time Ω(T/(k+1)) with high probability, or is able to factor N given the proof provided by the prover. This shows that either the prover essentially sends p,q such that N = p⋅ q (which is infeasible or undesirable in most applications), or a variant of Pietrzak’s proof of repeated squaring (ITCS 2019) has optimal verifier complexity O(T/(k+1)). In particular, it is impossible to obtain a statistically sound one-round proof of repeated squaring with efficiency on par with the computationally-sound protocol of Wesolowski (EUROCRYPT 2019), with a generic group verifier.
We further extend our one-round lower bound to a natural class of recursive interactive proofs for repeated squaring. For r-round recursive proofs where the prover is allowed to send k group elements per round, we show that the verifier either runs in parallel time Ω(T/(k+1)^r) with high probability, or is able to factor N given the proof transcript.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.4/LIPIcs.ITC.2023.4.pdf
Cryptographic Proofs
Repeated Squaring
Lower Bounds
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
5:1
5:26
10.4230/LIPIcs.ITC.2023.5
article
Interactive Non-Malleable Codes Against Desynchronizing Attacks in the Multi-Party Setting
Fleischhacker, Nils
1
https://orcid.org/0000-0002-2770-5444
Ghoshal, Suparno
1
https://orcid.org/0000-0002-3675-1629
Simkin, Mark
2
https://orcid.org/0000-0002-7325-5261
Ruhr-Universität Bochum, Germany
Ethereum Foundation, Aarhus, Denmark
Interactive Non-Malleable Codes were introduced by Fleischhacker et al. (TCC 2019) in the two party setting with synchronous tampering. The idea of this type of non-malleable code is that it "encodes" an interactive protocol in such a way that, even if the messages are tampered with according to some class F of tampering functions, the result of the execution will either be correct, or completely unrelated to the inputs of the participating parties. In the synchronous setting the adversary is able to modify the messages being exchanged but cannot drop messages nor desynchronize the two parties by first running the protocol with the first party and then with the second party. In this work, we define interactive non-malleable codes in the non-synchronous multi-party setting and construct such interactive non-malleable codes for the class F^s_bounded of bounded-state tampering functions.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.5/LIPIcs.ITC.2023.5.pdf
non-malleability
multi-party protocols
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
6:1
6:25
10.4230/LIPIcs.ITC.2023.6
article
Asymmetric Multi-Party Computation
Goyal, Vipul
1
2
Liu-Zhang, Chen-Da
1
https://orcid.org/0000-0002-0349-3838
Ostrovsky, Rafail
3
NTT Research, Sunnyvale, CA, USA
Carnegie Mellon University, Pittsburgh, PA, USA
University of California at Los Angeles, CA, USA
Current protocols for Multi-Party Computation (MPC) consider the setting where all parties have access to similar resources. For example, all parties have access to channels bounded by the same worst-case delay upper bound Δ, and all channels have the same cost of communication. As a consequence, the overall protocol performance (resp. the communication cost) may be heavily affected by the slowest (resp. the most expensive) channel, even when most channels are fast (resp. cheap). Given the state of affairs, we initiate a systematic study of asymmetric MPC. In asymmetric MPC, the parties are divided into two categories: fast and slow parties, depending on whether they have access to high-end or low-end resources.
We investigate two different models. In the first, we consider asymmetric communication delays: Fast parties are connected via channels with small delay δ among themselves, while channels connected to (at least) one slow party have a large delay Δ ≫ δ. In the second model, we consider asymmetric communication costs: Fast parties benefit from channels with cheap communication, while channels connected to a slow party have an expensive communication. We provide a wide range of positive and negative results exploring the trade-offs between the achievable number of tolerated corruptions t and slow parties s, versus the round complexity and communication cost in each of the models. Among others, we achieve the following results. In the model with asymmetric communication delays, focusing on the information-theoretic (i-t) setting:
- An i-t asymmetric MPC protocol with security with abort as long as t+s < n and t < n/2, in a constant number of slow rounds.
- We show that achieving an i-t asymmetric MPC protocol for t+s = n and with number of slow rounds independent of the circuit size implies an i-t synchronous MPC protocol with round complexity independent of the circuit size, which is a major problem in the field of round-complexity of MPC.
- We identify a new primitive, asymmetric broadcast, that allows to consistently distribute a value among the fast parties, and at a later time the same value to slow parties. We completely characterize the feasibility of asymmetric broadcast by showing that it is possible if and only if 2t + s < n.
- An i-t asymmetric MPC protocol with guaranteed output delivery as long as t+s < n and t < n/2, in a number of slow rounds independent of the circuit size.
In the model with asymmetric communication cost, we achieve an asymmetric MPC protocol for security with abort for t+s < n and t < n/2, based on one-way functions (OWF). The protocol communicates a number of bits over expensive channels that is independent of the circuit size. We conjecture that assuming OWF is needed and further provide a partial result in this direction.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.6/LIPIcs.ITC.2023.6.pdf
multiparty computation
asymmetric
delays
communication
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
7:1
7:21
10.4230/LIPIcs.ITC.2023.7
article
Phoenix: Secure Computation in an Unstable Network with Dropouts and Comebacks
Damgård, Ivan
1
Escudero, Daniel
2
Polychroniadou, Antigoni
2
Aarhus University, Denmark
J.P. Morgan AI Research & J.P. Morgan AlgoCRYPT CoE, New York, NY, USA
We consider the task of designing secure computation protocols in an unstable network where honest parties can drop out at any time, according to a schedule provided by the adversary. This type of setting, where even honest parties are prone to failures, is more realistic than traditional models, and has therefore gained a lot of attention recently. Our model, Phoenix, enables a new approach to secure multiparty computation with dropouts, allowing parties to drop out and re-enter the computation on an adversarially-chosen schedule and without assuming that these parties receive the messages that were sent to them while being offline - features that are not available in the existing models of Sleepy MPC (Guo et al., CRYPTO '19), Fluid MPC (Choudhuri et al., CRYPTO '21) and YOSO (Gentry et al., CRYPTO '21). Phoenix does assume an upper bound on the number of rounds that an honest party can be off-line - otherwise protocols in this setting cannot guarantee termination within a bounded number of rounds; however, if one settles for a weaker notion, namely guaranteed output delivery only for honest parties who stay on-line long enough, this requirement is not necessary.
In this work, we study the settings of perfect, statistical and computational security and design MPC protocols in each of these scenarios. We assume that the intersection of online-and-honest parties from one round to the next is at least 2t+1, t+1 and 1 respectively, where t is the number of (actively) corrupt parties. We show the intersection requirements to be optimal. Our (positive) results are obtained in a way that may be of independent interest: we implement a traditional stable network on top of the unstable one, which allows us to plug in any MPC protocol on top. This approach adds a necessary overhead to the round count of the protocols, which is related to the maximal number of rounds an honest party can be offline. We also present a novel, perfectly secure MPC protocol in the preprocessing model that avoids this overhead by following a more "direct" approach rather than first building a stable network and then using existing protocols. We introduce our network model in the UC-framework, show that the composition theorem still holds, and prove the security of our protocols within this setting.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.7/LIPIcs.ITC.2023.7.pdf
Secure Multiparty Computation
Unstable Networks
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
8:1
8:19
10.4230/LIPIcs.ITC.2023.8
article
Weighted Secret Sharing from Wiretap Channels
Benhamouda, Fabrice
1
https://orcid.org/0000-0002-8300-1820
Halevi, Shai
1
https://orcid.org/0000-0003-3432-7899
Stambler, Lev
2
Algorand Foundation, New York, NY, USA
Independent Researcher, NJ, USA
Secret-sharing allows splitting a piece of secret information among a group of shareholders, so that it takes a large enough subset of them to recover it. In weighted secret-sharing, each shareholder has an integer weight, and it takes a subset of large-enough weight to recover the secret. Schemes in the literature for weighted threshold secret sharing either have share sizes that grow linearly with the total weight, or ones that depend on huge public information (essentially a garbled circuit) of size (quasi)polynomial in the number of parties.
To do better, we investigate a relaxation, (α, β)-ramp weighted secret sharing, where subsets of weight β W can recover the secret (with W the total weight), but subsets of weight α W or less cannot learn anything about it. These can be constructed from standard secret-sharing schemes, but known constructions require long shares even for short secrets, achieving share sizes of max(W,|secret|/ε), where ε = β-α. In this note we first observe that simple rounding lets us replace the total weight W by N/ε, where N is the number of parties. Combined with known constructions, this yields share sizes of O(max(N,|secret|)/ε).
Our main contribution is a novel connection between weighted secret sharing and wiretap channels, that improves or even eliminates the dependence on N, at a price of increased dependence on 1/ε. We observe that for certain additive-noise (ℛ,𝒜) wiretap channels, any semantically secure scheme can be naturally transformed into an (α,β)-ramp weighted secret-sharing, where α,β are essentially the respective capacities of the channels 𝒜,ℛ. We present two instantiations of this type of construction, one using Binary Symmetric wiretap Channels, and the other using additive Gaussian Wiretap Channels. Depending on the parameters of the underlying wiretap channels, this gives rise to (α, β)-ramp schemes with share sizes |secret|⋅log N/poly(ε) or even just |secret|/poly(ε).
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.8/LIPIcs.ITC.2023.8.pdf
Secret sharing
ramp weighted secret sharing
wiretap channel
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
9:1
9:17
10.4230/LIPIcs.ITC.2023.9
article
Quantum Security of Subset Cover Problems
Bouaziz-Ermann, Samuel
1
2
3
Grilo, Alex B.
1
2
4
Vergnaud, Damien
1
2
3
LIP6, Paris, France
Sorbonne Université, Paris, France
CNRS, Paris, France
CNRS, Paris, France
The subset cover problem for k ≥ 1 hash functions, which can be seen as an extension of the collision problem, was introduced in 2002 by Reyzin and Reyzin to analyse the security of their hash-function based signature scheme HORS. The security of many hash-based signature schemes relies on this problem or a variant of this problem (e.g. HORS, SPHINCS, SPHINCS+, ...).
Recently, Yuan, Tibouchi and Abe (2022) introduced a variant to the subset cover problem, called restricted subset cover, and proposed a quantum algorithm for this problem. In this work, we prove that any quantum algorithm needs to make Ω((k+1)^{-2^k/(2^{k+1}-1)} ⋅ N^{(2^k-1)/(2^{k+1}-1)}) queries to the underlying hash functions with codomain size N to solve the restricted subset cover problem, which essentially matches the query complexity of the algorithm proposed by Yuan, Tibouchi and Abe.
We also analyze the security of the general (r,k)-subset cover problem, which is the underlying problem that implies the unforgeability of HORS under an r-chosen message attack (for r ≥ 1). We prove that a generic quantum algorithm needs to make Ω(N^{k/5}) queries to the underlying hash functions to find a (1,k)-subset cover. We also propose a quantum algorithm that finds a (r,k)-subset cover making O(N^{k/(2+2r)}) queries to the k hash functions.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.9/LIPIcs.ITC.2023.9.pdf
Cryptography
Random oracle model
Quantum information
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
10:1
10:15
10.4230/LIPIcs.ITC.2023.10
article
Distributed Shuffling in Adversarial Environments
Larsen, Kasper Green
1
https://orcid.org/0000-0001-8841-5929
Obremski, Maciej
2
https://orcid.org/0000-0003-4174-0438
Simkin, Mark
3
https://orcid.org/0000-0002-7325-5261
Aarhus University, Denmark
National University of Singapore, Singapore
Ethereum Foundation, Aarhus, Denmark
We study mix-nets in the context of cryptocurrencies. Here we have many computationally weak shufflers that speak one after another and want to jointly shuffle a list of ciphertexts (c₁, … , c_n). Each shuffler can only permute k << n ciphertexts at a time. An adversary A can track some of the ciphertexts and adaptively corrupt some of the shufflers.
We present a simple protocol for shuffling the list of ciphertexts efficiently. The main technical contribution of this work is to prove that our simple shuffling strategy does indeed provide good anonymity guarantees and at the same time terminates quickly.
Our shuffling algorithm provides a strict improvement over the current shuffling strategy in Ethereum’s block proposer elections. Our algorithm is secure against a stronger adversary, provides provable security guarantees, and is comparable in efficiency to the current approach.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.10/LIPIcs.ITC.2023.10.pdf
Distributed Computing
Shuffling
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
11:1
11:22
10.4230/LIPIcs.ITC.2023.11
article
MPC with Low Bottleneck-Complexity: Information-Theoretic Security and More
Keller, Hannah
1
https://orcid.org/0000-0002-4461-7067
Orlandi, Claudio
1
https://orcid.org/0000-0003-4992-0249
Paskin-Cherniavsky, Anat
2
Ravi, Divya
1
https://orcid.org/0000-0001-6423-8331
Aarhus University, Denmark
Ariel University, Israel
The bottleneck-complexity (BC) of secure multiparty computation (MPC) protocols is a measure of the maximum number of bits which are sent and received by any party in the protocol. As the name suggests, the goal of studying BC-efficient protocols is to increase overall efficiency by making sure that the workload in the protocol is somehow "amortized" by the protocol participants.
Orlandi et al. [Orlandi et al., 2022] initiated the study of BC-efficient protocols from simple assumptions in the correlated randomness model and for semi-honest adversaries. In this work, we extend the study of [Orlandi et al., 2022] in two primary directions: (a) to a larger and more general class of functions and (b) to the information-theoretic setting.
In particular, we offer semi-honest secure protocols for the useful function classes of abelian programs, "read-k" non-abelian programs, and "read-k" generalized formulas.
Our constructions use a novel abstraction, called incremental function secret-sharing (IFSS), that can be instantiated with unconditional security or from one-way functions (with different efficiency trade-offs).
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.11/LIPIcs.ITC.2023.11.pdf
Secure Multiparty Computation
Bottleneck Complexity
Information-theoretic
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
12:1
12:25
10.4230/LIPIcs.ITC.2023.12
article
Randomness Recoverable Secret Sharing Schemes
Hajiabadi, Mohammad
1
Khazaei, Shahram
2
https://orcid.org/0000-0002-2493-8840
Vahdani, Behzad
2
Cheriton School of Computer Science, University of Waterloo, Canada
Department of Mathematical Sciences, Sharif University of Technology, Tehran, Iran
It is well-known that randomness is essential for secure cryptography. The randomness used in cryptographic primitives is not necessarily recoverable even by the party who can, e.g., decrypt or recover the underlying secret/message. Several cryptographic primitives that support randomness recovery have turned out useful in various applications. In this paper, we study randomness recoverable secret sharing schemes (RR-SSS), in both information-theoretic and computational settings and provide two results. First, we show that while every access structure admits a perfect RR-SSS, there are very simple access structures (e.g., in monotone AC⁰) that do not admit efficient perfect (or even statistical) RR-SSS. Second, we show that the existence of efficient computational RR-SSS for certain access structures in monotone AC⁰ implies the existence of one-way functions. This stands in sharp contrast to (non-RR) SSS schemes for which no such results are known.
RR-SSS plays a key role in making advanced attribute-based encryption schemes randomness recoverable, which in turn have applications in the context of designated-verifier non-interactive zero knowledge.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.12/LIPIcs.ITC.2023.12.pdf
Secret sharing
Randomness recovery
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
13:1
13:21
10.4230/LIPIcs.ITC.2023.13
article
Secure Communication in Dynamic Incomplete Networks
Damgård, Ivan
1
Ravi, Divya
1
https://orcid.org/0000-0001-6423-8331
Tschudi, Daniel
2
https://orcid.org/0000-0001-6188-1049
Yakoubov, Sophia
1
Aarhus University, Denmark
Concordium, Zürich, Switzerland
In this paper, we explore the feasibility of reliable and private communication in dynamic networks, where in each round the adversary can choose which direct peer-to-peer links are available in the network graph, under the sole condition that the graph is k-connected at each round (for some k).
We show that reliable communication is possible in such a dynamic network if and only if k > 2t. We also show that if k = cn > 2 t for a constant c, we can achieve reliable communication with polynomial round and communication complexity.
For unconditionally private communication, we show that for a passive adversary, k > t is sufficient (and clearly necessary). For an active adversary, we show that k > 2t is sufficient for statistical security (and clearly necessary), while k > 3t is sufficient for perfect security. We conjecture that, in contrast to the static case, k > 2t is not enough for perfect security, and we give evidence that the conjecture is true.
Once we have reliable and private communication between each pair of parties, we can emulate a complete network with secure channels, and we can use known protocols to do secure computation.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.13/LIPIcs.ITC.2023.13.pdf
Secure Communication
Dynamic Incomplete Network
Information-theoretic
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
14:1
14:12
10.4230/LIPIcs.ITC.2023.14
article
Locally Covert Learning
Holmgren, Justin
1
Jawale, Ruta
2
NTT Research, Sunnyvale, CA, USA
University of Illinois at Urbana-Champaign, IL, USA
The goal of a covert learning algorithm is to learn a function f by querying it, while ensuring that an adversary, who sees all queries and their responses, is unable to (efficiently) learn any more about f than they could learn from random input-output pairs. We focus on a relaxation that we call local covertness, in which queries are distributed across k servers and we only limit what is learnable by k - 1 colluding servers.
For any constant k, we give a locally covert algorithm for efficiently learning any Fourier-sparse function (technically, our notion of learning is improper, agnostic, and with respect to the uniform distribution). Our result holds unconditionally and for computationally unbounded adversaries. Prior to our work, such an algorithm was known only for the special case of O(log n)-juntas, and only with k = 2 servers [Yuval Ishai et al., 2019].
Our main technical observation is that the original Goldreich-Levin algorithm only utilizes i.i.d. pairs of correlated queries, where each half of every pair is uniformly random. We give a simple generalization of this algorithm in which pairs are replaced by k-tuples in which any k - 1 components are jointly uniform. The cost of this generalization is that the number of queries needed grows exponentially with k.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.14/LIPIcs.ITC.2023.14.pdf
learning theory
adversarial machine learning
zero knowledge
Fourier analysis of boolean functions
Goldreich-Levin algorithm
Kushilevitz-Mansour algorithm
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
15:1
15:23
10.4230/LIPIcs.ITC.2023.15
article
Online Mergers and Applications to Registration-Based Encryption and Accumulators
Mahmoody, Mohammad
1
Qi, Wei
1
University of Virginia, Charlottesville, VA, USA
In this work we study a new information theoretic problem, called online merging, that has direct applications for constructing public-state accumulators and registration-based encryption schemes. An online merger receives the sequence of sets {1}, {2}, … in an online way, and right after receiving {i}, it can re-partition the elements 1,…,i into T₁,…,T_{m_i} by merging some of these sets. The goal of the merger is to balance the trade-off between the maximum number of sets wid = max_{i ∈ [n]} m_i that co-exist at any moment, called the width of the scheme, with its depth dep = max_{i ∈ [n]} d_i, where d_i is the number of times that the sets that contain i get merged. An online merger can be used to maintain a set of Merkle trees that occasionally get merged.
An online merger can be directly used to obtain public-state accumulators (using collision-resistant hashing) and registration-based encryptions (relying on more assumptions). Doing so, the width of an online merger translates into the size of the public-parameter of the constructed scheme, and the depth of the online algorithm corresponds to the number of times that parties need to update their "witness" (for accumulators) or their decryption key (for RBE).
In this work, we construct online mergers with poly(log n) width and O(log n / log log n) depth, which can be shown to be optimal for all schemes with poly(log n) width. More generally, we show how to achieve optimal depth for a given fixed width and to achieve a 2-approximate optimal width for a given depth d that can possibly grow as a function of n (e.g., d = 2 or d = log n / log log n). As applications, we obtain accumulators with O(log n / log log n) number of updates for parties' witnesses (which can be shown to be optimal for accumulator digests of length poly(log n)) as well as registration based encryptions that again have an optimal O(log n / log log n) number of decryption updates, resolving the open question of Mahmoody, Rahimi, Qi [TCC'22] who proved that Ω(log n / log log n) number of decryption updates are necessary for any RBE (with public parameter of length poly(log n)). More generally, for any given number of decryption updates d = d(n) (under believable computational assumptions) our online merger implies RBE schemes with public parameters of length that is optimal, up to a constant factor that depends on the security parameter. For example, for any constant number of updates d, we get RBE schemes with public parameters of length O(n^{1/(d+1)}).
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.15/LIPIcs.ITC.2023.15.pdf
Registration-based encryption
Accumulators
Merkle Trees
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
16:1
16:13
10.4230/LIPIcs.ITC.2023.16
article
Lower Bounds for Secret-Sharing Schemes for k-Hypergraphs
Beimel, Amos
1
https://orcid.org/0000-0002-6572-4195
Department of Computer Science, Ben-Gurion University of the Negev, Beer-Sheva, Israel
A secret-sharing scheme enables a dealer, holding a secret string, to distribute shares to parties such that only pre-defined authorized subsets of parties can reconstruct the secret. The collection of authorized sets is called an access structure. There is a huge gap between the best known upper bounds on the share size of a secret-sharing scheme realizing an arbitrary access structure and the best known lower bounds on the size of these shares. For an arbitrary n-party access structure, the best known upper bound on the share size is 2^{O(n)}. On the other hand, the best known lower bound on the total share size is much smaller, i.e., Ω(n²/log(n)) [Csirmaz, Studia Sci. Math. Hungar.]. This lower bound was proved more than 25 years ago and no major progress has been made since.
In this paper, we study secret-sharing schemes for k-hypergraphs, i.e., for access structures where all minimal authorized sets are of size exactly k (however, unauthorized sets can be larger). We consider the case where k is small, i.e., constant or at most log(n). The trivial upper bound for these access structures is O(n ⋅ binom(n-1, k-1)) and this can be slightly improved. If there were efficient secret-sharing schemes for such k-hypergraphs (e.g., 2-hypergraphs or 3-hypergraphs), then we would be able to construct secret-sharing schemes for arbitrary access structures that are better than the best known schemes. Thus, understanding the share size required for k-hypergraphs is important. Prior to our work, the best known lower bound for these access structures was Ω(n log(n)), which holds already for graphs (i.e., 2-hypergraphs).
We improve this lower bound, proving a lower bound of Ω(n^{2-1/(k-1)}/k) on the total share size for some explicit k-hypergraphs, where 3 ≤ k ≤ log(n). For example, for 3-hypergraphs we prove a lower bound of Ω(n^{3/2}). For log(n)-hypergraphs, we prove a lower bound of Ω(n²/log(n)), i.e., we show that the lower bound of Csirmaz holds already when all minimal authorized sets are of size log(n). Our proof is simple and shows that the lower bound of Csirmaz holds for a simple variant of the access structure considered by Csirmaz. Using our results, we prove a near quadratic separation between the required share size for realizing an explicit access structure and the monotone circuit size describing the access structure, i.e., the share size is Ω(n²/log(n)) and the monotone circuit size is O(n log(n)) (where the circuit has depth 3).
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.16/LIPIcs.ITC.2023.16.pdf
Secret Sharing
Share Size
Lower Bounds
Monotone Circuits
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
17:1
17:22
10.4230/LIPIcs.ITC.2023.17
article
Differentially Private Aggregation via Imperfect Shuffling
Ghazi, Badih
1
Kumar, Ravi
1
Manurangsi, Pasin
1
Nelson, Jelani
2
1
Zhou, Samson
2
3
Google Research, Mountain View, CA, USA
University of California at Berkeley, CA, USA
Rice University, Houston, TX, USA
In this paper, we introduce the imperfect shuffle differential privacy model, where messages sent from users are shuffled in an almost uniform manner before being observed by a curator for private aggregation. We then consider the private summation problem. We show that the standard split-and-mix protocol by Ishai et al. [FOCS 2006] can be adapted to achieve near-optimal utility bounds in the imperfect shuffle model. Specifically, we show that, surprisingly, no additional error overhead is necessary in the imperfect shuffle model.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.17/LIPIcs.ITC.2023.17.pdf
Differential privacy
private summation
shuffle model
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2023-07-21
267
18:1
18:16
10.4230/LIPIcs.ITC.2023.18
article
Exponential Correlated Randomness Is Necessary in Communication-Optimal Perfectly Secure Two-Party Computation
Hiwatashi, Keitaro
1
2
Nuida, Koji
3
2
https://orcid.org/0000-0001-8259-9958
The University of Tokyo, Japan
National Institute of Advanced Industrial Science and Technology (AIST), Tokyo, Japan
Kyushu University, Japan
Secure two-party computation is a cryptographic technique that enables two parties to compute a function jointly while keeping each input secret. It is known that most functions cannot be realized by information-theoretically secure two-party computation, but any function can be realized in the correlated randomness (CR) model, where a trusted dealer distributes input-independent CR to the parties beforehand. In the CR model, three kinds of complexities are mainly considered: the size of CR, the number of rounds, and the communication complexity.
Ishai et al. (TCC 2013) showed that any function can be securely computed with optimal online communication cost, i.e., the number of rounds is one round and the communication complexity is the same as the input length, at the price of exponentially large CR. In this paper, we prove that exponentially large CR is necessary to achieve perfect security and online optimality for a general function and that the protocol by Ishai et al. is asymptotically optimal in terms of the size of CR. Furthermore, we also prove that exponentially large CR is still necessary even when we allow multiple rounds while keeping the optimality of communication complexity.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol267-itc2023/LIPIcs.ITC.2023.18/LIPIcs.ITC.2023.18.pdf
Secure Computation
Correlated Randomness
Lower Bound