eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2024-08-06
304
1
232
10.4230/LIPIcs.ITC.2024
article
LIPIcs, Volume 304, ITC 2024, Complete Volume
Aggarwal, Divesh
1
https://orcid.org/0000-0002-3841-0262
National University of Singapore, Singapore
LIPIcs, Volume 304, ITC 2024, Complete Volume
https://drops.dagstuhl.de/storage/00lipics/lipics-vol304-itc2024/LIPIcs.ITC.2024/LIPIcs.ITC.2024.pdf
LIPIcs, Volume 304, ITC 2024, Complete Volume
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2024-08-06
304
0:i
0:xii
10.4230/LIPIcs.ITC.2024.0
article
Front Matter, Table of Contents, Preface, Conference Organization
Aggarwal, Divesh
1
https://orcid.org/0000-0002-3841-0262
National University of Singapore, Singapore
Front Matter, Table of Contents, Preface, Conference Organization
https://drops.dagstuhl.de/storage/00lipics/lipics-vol304-itc2024/LIPIcs.ITC.2024.0/LIPIcs.ITC.2024.0.pdf
Front Matter
Table of Contents
Preface
Conference Organization
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2024-08-06
304
1:1
1:13
10.4230/LIPIcs.ITC.2024.1
article
Information-Theoretic Topology-Hiding Broadcast: Wheels, Stars, Friendship, and Beyond
Banoun, D'or
1
Boyle, Elette
2
3
https://orcid.org/0009-0002-0360-8129
Cohen, Ran
1
https://orcid.org/0000-0002-1293-552X
Reichman University, Herzliya, Israel
Reichman University, Israel
NTT Research, Sunnyvale, CA, USA
Topology-hiding broadcast (THB) enables parties communicating over an incomplete network to broadcast messages while hiding the network topology from within a given class of graphs. Although broadcast is a privacy-free task, it is known that THB for certain graph classes necessitates computational assumptions, even against "honest but curious" adversaries, and even given a single corrupted party. Recent works have tried to understand when THB can be obtained with information-theoretic (IT) security (without cryptography or setup assumptions) as a function of properties of the corresponding graph class.
We revisit this question through a case study of the class of wheel graphs and their subgraphs. The nth wheel graph is established by connecting n nodes who form a cycle with another "center" node, thus providing a natural extension that captures and enriches previously studied graph classes in the setting of IT-THB.
We present a series of new findings in this line. We fully characterize feasibility of IT-THB for any class of subgraphs of the wheel, each possessing an embedded star (i.e., a well-defined center connected to all other nodes). Our characterization provides evidence that IT-THB feasibility may correlate with a more fine-grained degree structure - as opposed to pure connectivity - of the corresponding graphs. We provide positive results achieving perfect IT-THB for new graph classes, including ones where the number of nodes is unknown. Further, we provide the first feasibility of IT-THB on non-degenerate graph-classes with t > 1 corruptions, for the class of friendship graphs (Erdös, Rényi, Sós '66).
https://drops.dagstuhl.de/storage/00lipics/lipics-vol304-itc2024/LIPIcs.ITC.2024.1/LIPIcs.ITC.2024.1.pdf
broadcast
topology-hiding protocols
information-theoretic security
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2024-08-06
304
2:1
2:16
10.4230/LIPIcs.ITC.2024.2
article
Communication Complexity vs Randomness Complexity in Interactive Proofs
Applebaum, Benny
1
Bhushan, Kaartik
2
Prabhakaran, Manoj
2
Tel-Aviv University, Israel
IIT Bombay, India
In this work, we study the interplay between the communication from a verifier in a general private-coin interactive protocol and the number of random bits it uses in the protocol. Under worst-case derandomization assumptions, we show that it is possible to transform any I-round interactive protocol that uses ρ random bits into another one for the same problem with the additional property that the verifier’s communication is bounded by O(I⋅ ρ). Importantly, this is done with a minor, logarithmic, increase in the communication from the prover to the verifier and while preserving the randomness complexity. Along the way, we introduce a new compression game between a computationally-bounded compressor and a computationally-unbounded decompressor and a new notion of conditioned efficient distributions that may be of independent interest. Our solutions are based on a combination of perfect hashing and pseudorandom generators.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol304-itc2024/LIPIcs.ITC.2024.2/LIPIcs.ITC.2024.2.pdf
Interactive Proof Systems
Communication Complexity
Hash Functions
Pseudo-Random Generators
Compression
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2024-08-06
304
3:1
3:28
10.4230/LIPIcs.ITC.2024.3
article
Are Your Keys Protected? Time Will Tell
Ben Dov, Yoav
1
David, Liron
1
https://orcid.org/0000-0002-1502-5257
Naor, Moni
1
https://orcid.org/0000-0003-3381-0221
Tzalik, Elad
1
Weizmann Institute of Science, Rehovot, Israel
Side channel attacks, and in particular timing attacks, are a fundamental obstacle to obtaining secure implementation of algorithms and cryptographic protocols, and have been widely researched for decades. While cryptographic definitions for the security of cryptographic systems have been well established for decades, none of these accepted definitions take into account the running time information leaked from executing the system. In this work, we give the foundation of new cryptographic definitions for cryptographic systems that take into account information about their leaked running time, focusing mainly on keyed functions such as signature and encryption schemes. Specifically:
1) We define several cryptographic properties to express the claim that the timing information does not help an adversary to extract sensitive information, e.g. the key or the queries made. We highlight the definition of key-obliviousness, which means that an adversary cannot tell whether it received the timing of the queries with the actual key or the timing of the same queries with a random key.
2) We present a construction of key-oblivious pseudorandom permutations on a small or medium-sized domain. This construction is not "fixed-time," and at the same time is secure against any number of queries even in case the adversary knows the running time exactly. Our construction, which we call Janus Sometimes Recurse, is a variant of the "Sometimes Recurse" shuffle by Morris and Rogaway.
3) We suggest a new security notion for keyed functions, called noticeable security, and prove that cryptographic schemes that have noticeable security remain secure even when the exact timings are leaked, provided the implementation is key-oblivious. We show that our notion applies to cryptographic signatures, private key encryption and PRPs.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol304-itc2024/LIPIcs.ITC.2024.3/LIPIcs.ITC.2024.3.pdf
Side channel attacks
Timing attacks
Keyed functions
Key oblivious
Noticeable security
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2024-08-06
304
4:1
4:13
10.4230/LIPIcs.ITC.2024.4
article
Pure-DP Aggregation in the Shuffle Model: Error-Optimal and Communication-Efficient
Ghazi, Badih
1
Kumar, Ravi
1
Manurangsi, Pasin
2
Google Research, Mountain View, CA, USA
Google Research, Bangkok, Thailand
We obtain a new protocol for binary counting in the ε-DP_shuffle model with error O(1/ε) and expected communication Õ((log n)/ε) messages per user. Previous protocols incur either an error of O(1/ε^1.5) with O_ε(log n) messages per user (Ghazi et al., ITC 2020) or an error of O(1/ε) with O_ε(n²) messages per user (Cheu and Yan, TPDP 2022). Using the new protocol, we obtain improved ε-DP_shuffle protocols for real summation and histograms.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol304-itc2024/LIPIcs.ITC.2024.4/LIPIcs.ITC.2024.4.pdf
Differential Privacy
Shuffle Model
Aggregation
Pure Differential Privacy
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2024-08-06
304
5:1
5:10
10.4230/LIPIcs.ITC.2024.5
article
On the Power of Adaptivity for Function Inversion
Gajulapalli, Karthik
1
Golovnev, Alexander
1
King, Samuel
1
Georgetown University, Washington, DC, USA
We study the problem of function inversion with preprocessing where, given a function f : [N] → [N] and a point y in its image, the goal is to find an x such that f(x) = y using at most T oracle queries to f and S bits of preprocessed advice that depend on f.
The seminal work of Corrigan-Gibbs and Kogan [TCC 2019] initiated a line of research that shows many exciting connections between the non-adaptive setting of this problem and other areas of theoretical computer science. Specifically, they introduced a very weak class of algorithms (strongly non-adaptive) where the points queried by the oracle depend only on the inversion point y, and are independent of the answers to the previous queries and the S bits of advice. They showed that proving even mild lower bounds on strongly non-adaptive algorithms for function inversion would imply a breakthrough result in circuit complexity.
We prove that every strongly non-adaptive algorithm for function inversion (and even for its special case of permutation inversion) must have ST = Ω(N log (N) log (T)). This gives the first improvement to the long-standing lower bound of ST = Ω(N log N) due to Yao [STOC 90]. As a corollary, we conclude the first separation between strongly non-adaptive and adaptive algorithms for permutation inversion, where the adaptive algorithm by Hellman [TOIT 80] achieves the trade-off ST = O(N log N).
Additionally, we show equivalence between lower bounds for strongly non-adaptive data structures and the one-way communication complexity of certain partial functions. As an example, we recover our lower bound on function inversion in the communication complexity framework.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol304-itc2024/LIPIcs.ITC.2024.5/LIPIcs.ITC.2024.5.pdf
Function Inversion
Non-Adaptive lower bounds
Communication Complexity
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2024-08-06
304
6:1
6:23
10.4230/LIPIcs.ITC.2024.6
article
Information-Theoretic Single-Server PIR in the Shuffle Model
Ishai, Yuval
1
Kelkar, Mahimna
2
Lee, Daniel
3
Ma, Yiping
4
Technion, Haifa, Israel
Cornell University, New York, NY, USA
MIT, Cambridge, MA, USA
University of Pennsylvania, Philadelphia, PA, USA
We revisit the problem of private information retrieval (PIR) in the shuffle model, where queries can be made anonymously by multiple clients. We present the first single-server PIR protocol in this model that has sublinear per-client communication and information-theoretic security. Moreover, following one-time preprocessing on the server side, our protocol only requires sublinear per-client computation. Concretely, for every γ > 0, the protocol has O(n^{γ}) communication and computation costs per (stateless) client, with 1/poly(n) statistical security, assuming that a size-n database is simultaneously accessed by poly(n) clients. This should be contrasted with the recent breakthrough result of Lin, Mook, and Wichs (STOC 2023) on doubly efficient PIR in the standard model, which is (inherently) limited to computational security.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol304-itc2024/LIPIcs.ITC.2024.6/LIPIcs.ITC.2024.6.pdf
Private information retrieval
Shuffle model
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2024-08-06
304
7:1
7:21
10.4230/LIPIcs.ITC.2024.7
article
Improved Trade-Offs Between Amortization and Download Bandwidth for Linear HSS
Blackwell, Keller
1
https://orcid.org/0000-0003-3588-9199
Wootters, Mary
2
https://orcid.org/0000-0002-2345-2531
Department of Computer Science, Stanford University, CA, USA
Departments of Computer Science and Electrical Engineering, Stanford University, CA, USA
A Homomorphic Secret Sharing (HSS) scheme is a secret-sharing scheme that shares a secret x among s servers, and additionally allows an output client to reconstruct some function f(x) using information that can be locally computed by each server. A key parameter in HSS schemes is download rate, which quantifies how much information the output client needs to download from the servers. Often, download rate is improved by amortizing over 𝓁 instances of the problem, making 𝓁 also a key parameter of interest.
Recent work [Fosli et al., 2022] established a limit on the download rate of linear HSS schemes for computing low-degree polynomials and constructed schemes that achieve this optimal download rate; their schemes required amortization over 𝓁 = Ω(s log(s)) instances of the problem. Subsequent work [Blackwell and Wootters, 2023] completely characterized linear HSS schemes that achieve optimal download rate in terms of a coding-theoretic notion termed optimal labelweight codes. A consequence of this characterization was that 𝓁 = Ω(s log(s)) is in fact necessary to achieve optimal download rate.
In this paper, we characterize all linear HSS schemes, showing that schemes of any download rate are equivalent to a generalization of optimal labelweight codes. This equivalence is constructive and provides a way to obtain an explicit linear HSS scheme from any linear code. Using this characterization, we present explicit linear HSS schemes with slightly sub-optimal rate but with much improved amortization 𝓁 = O(s). Our constructions are based on algebraic geometry codes (specifically Hermitian codes and Goppa codes).
https://drops.dagstuhl.de/storage/00lipics/lipics-vol304-itc2024/LIPIcs.ITC.2024.7/LIPIcs.ITC.2024.7.pdf
Error Correcting Codes
Homomorphic Secret Sharing
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2024-08-06
304
8:1
8:24
10.4230/LIPIcs.ITC.2024.8
article
Breaking RSA Generically Is Equivalent to Factoring, with Preprocessing
Dachman-Soled, Dana
1
Loss, Julian
2
https://orcid.org/0000-0002-7979-3810
O'Neill, Adam
3
https://orcid.org/0009-0006-0233-6466
University of Maryland, College Park, MD, USA
CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Manning College of Information & Computer Sciences, UMass Amherst, MA, USA
We investigate the relationship between the classical RSA and factoring problems when preprocessing is considered. In such a model, adversaries can use an unbounded amount of precomputation to produce an "advice" string to then use during the online phase, when a problem instance becomes known. Previous work (e.g., [Bernstein, Lange ASIACRYPT '13]) has shown that preprocessing attacks significantly improve the runtime of the best-known factoring algorithms. Due to these improvements, we ask whether the relationship between factoring and RSA fundamentally changes when preprocessing is allowed. Specifically, we investigate whether there is a superpolynomial gap between the runtime of the best attack on RSA with preprocessing and on factoring with preprocessing.
Our main result rules this out with respect to algorithms that perform generic computation on the RSA instance x^e mod N yet arbitrary computation on the modulus N, namely a careful adaptation of the well-known generic ring model of Aggarwal and Maurer (Eurocrypt 2009) to the preprocessing setting. In particular, in this setting we show the existence of a factoring algorithm with polynomially related parameters, for any setting of RSA parameters.
Our main technical contribution is a set of new information-theoretic techniques that allow us to handle or eliminate cases in which the Aggarwal and Maurer result does not yield a factoring algorithm in the standard model with parameters that are polynomially related to those of the RSA algorithm. These techniques include two novel compression arguments, and a variant of the Fiat-Naor/Hellman tables construction that is tailored to the factoring setting.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol304-itc2024/LIPIcs.ITC.2024.8/LIPIcs.ITC.2024.8.pdf
RSA
factoring
generic ring model
preprocessing
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2024-08-06
304
9:1
9:22
10.4230/LIPIcs.ITC.2024.9
article
Time-Space Tradeoffs for Finding Multi-Collisions in Merkle-Damgård Hash Functions
Akshima
1
NYU Shanghai, China
We analyze the multi-collision resistance of the Merkle-Damgård hash function construction in the auxiliary input random oracle model. Finding multi-collisions or m-way collisions, for some parameter m, in a hash function consists of finding m distinct inputs that have the same output under the hash function. This is a natural generalization of the collision finding problem in hash functions, which is basically finding 2-way collisions. Hardness of finding collisions, or collision resistance, is an important security assumption in cryptography. While the time-space trade-offs for collision resistance of hash functions have received considerable attention, this is the first work that studies time-space trade-offs for the multi-collision resistance property of hash functions based on the popular and widely used Merkle-Damgård (MD) constructions.
In this work, we study how the advantage of finding m-way collisions depends on the parameter m. We believe understanding whether multi-collision resistance is a strictly easier property than collision resistance is a fundamental problem and our work facilitates this for adversaries with auxiliary information against MD based hash functions. Furthermore, in this work we study how the advantage varies with the bound on length of the m colliding inputs. Prior works [Akshima et al., 2020; Ashrujit Ghoshal and Ilan Komargodski, 2022; Akshima et al., 2022] have shown that finding "longer" collisions with auxiliary input in MD based hash functions becomes easier. More precisely, the advantage of finding collisions linearly depends on the bound on the length of colliding inputs. In this work, we show similar dependence for m-way collision finding, for any m ≥ 2.
We show a simple attack for finding 1-block m-way collisions which achieves an advantage of Ω̃(S/mN). For 2 ≤ B < log m, we give the best known attack for finding B-block m-way collisions which achieves an advantage of Ω̃(ST/m^{1/(B-1)}N) when m^{1/(B-1)}-way collisions exist on every salt. For B > log m, our attack achieves an advantage of Ω̃(STB/N) which is optimal when SB ≥ T and ST² ≤ N. The main result of this work is showing that our attacks are optimal for B = 1 and B = 2. This implies that in the auxiliary-input random oracle model, the advantage decreases by a multiplicative factor of m for finding 1-block and 2-block m-way collisions (compared to collision finding) in Merkle-Damgård based hash functions.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol304-itc2024/LIPIcs.ITC.2024.9/LIPIcs.ITC.2024.9.pdf
Collision
hash functions
multi-collisions
Merkle-Damgård
pre-computation
auxiliary input
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2024-08-06
304
10:1
10:22
10.4230/LIPIcs.ITC.2024.10
article
Secure Multiparty Computation of Symmetric Functions with Polylogarithmic Bottleneck Complexity and Correlated Randomness
Eriguchi, Reo
1
https://orcid.org/0000-0002-0019-6934
National Institute of Advanced Industrial Science and Technology, Tokyo, Japan
Bottleneck complexity is an efficiency measure of secure multiparty computation (MPC) protocols introduced to achieve load-balancing in large-scale networks, which is defined as the maximum communication complexity required by any one player within the protocol execution. Towards the goal of achieving low bottleneck complexity, prior works proposed MPC protocols for computing symmetric functions in the correlated randomness model, where players are given input-independent correlated randomness in advance. However, the previous protocols with polylogarithmic bottleneck complexity in the number n of players require a large amount of correlated randomness that is linear in n, which limits the per-party efficiency as receiving and storing correlated randomness are the bottleneck for efficiency. In this work, we present for the first time MPC protocols for symmetric functions such that bottleneck complexity and the amount of correlated randomness are both polylogarithmic in n, assuming semi-honest adversaries colluding with at most n-o(n) players. Furthermore, one of our protocols is even computationally efficient in that each player performs only polylog(n) arithmetic operations while the computational complexity of the previous protocols is O(n). Technically, our efficiency improvements come from novel protocols based on ramp secret sharing to realize basic functionalities with low bottleneck complexity, which we believe may be of interest beyond their applications to secure computation of symmetric functions.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol304-itc2024/LIPIcs.ITC.2024.10/LIPIcs.ITC.2024.10.pdf
Secure multiparty computation
Bottleneck complexity
Secret sharing
eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Leibniz International Proceedings in Informatics
1868-8969
2024-08-06
304
11:1
11:24
10.4230/LIPIcs.ITC.2024.11
article
Fast Secure Computations on Shared Polynomials and Applications to Private Set Operations
Giorgi, Pascal
1
https://orcid.org/0000-0002-0489-5134
Laguillaumie, Fabien
1
https://orcid.org/0000-0001-6464-1139
Ottow, Lucas
1
https://orcid.org/0009-0007-8382-5233
Vergnaud, Damien
2
https://orcid.org/0000-0002-2113-3967
LIRMM, Univ. Montpellier, CNRS, France
LIP6, Sorbonne University, CNRS, France
Secure multi-party computation aims to allow a set of players to compute a given function on their secret inputs without revealing any other information than the result of the computation. In this work, we focus on the design of secure multi-party protocols for shared polynomial operations. We consider the classical model where the adversary is honest-but-curious, and where the coefficients (or any secret values) are either encrypted using an additively homomorphic encryption scheme or shared using a threshold linear secret-sharing scheme. Our protocols terminate after a constant number of rounds and minimize the number of secure multiplications.
In their seminal article at PKC 2006, Mohassel and Franklin proposed constant-rounds protocols for the main operations on (shared) polynomials. In this work, we improve the fan-in multiplication of nonzero polynomials, the multi-point polynomial evaluation and the polynomial interpolation (on secret points) to reach a quasi-linear complexity (instead of quadratic in Mohassel and Franklin’s work) in the degree of shared input/output polynomials.
Computing with shared polynomials is a core component of several multi-party protocols for privacy-preserving operations on private sets, like the private disjointness test or the private set intersection. Using our new protocols, we are able to improve the complexity of such protocols and to design the first variants which always return a correct result.
https://drops.dagstuhl.de/storage/00lipics/lipics-vol304-itc2024/LIPIcs.ITC.2024.11/LIPIcs.ITC.2024.11.pdf
Multi-party computation
polynomial operations
privacy-preserving set operations