Papers by Anat Paskin-Cherniavsky

IACR Cryptology ePrint Archive, 2013
We present a framework for transforming FHE (fully homomorphic encryption) schemes with no circuit privacy requirements into maliciously circuit-private FHE. That is, even if both a maliciously formed public key and ciphertext are used, encrypted outputs only reveal the evaluation of the circuit on some well-formed input x*. Previous literature on FHE only considered semi-honest circuit privacy. Circuit-private FHE schemes have direct applications to computing on encrypted data. In that setting, one party (a receiver) holding an input x wishes to learn the evaluation of a circuit C held by another party (a sender). The goal is to make the receiver's work sublinear in (and ideally independent of) |C|, using a 2-message protocol. The transformation technique may be of independent interest and have various additional applications. The framework uses techniques akin to Gentry's bootstrapping and conditional disclosure of secrets (CDS [AIR01]), combining a non-circuit-private FHE scheme with a homomorphic encryption (HE) scheme for a smaller class of circuits which is maliciously circuit-private. We devise the first known circuit-private FHE by instantiating our framework with various (standard) FHE schemes from the literature.

Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security
Private set intersection (PSI) protocols allow a set of mutually distrustful parties, each holding a private set of items, to compute the intersection over all their sets, such that no other information is revealed. PSI has a wide variety of applications including online advertising (e.g., efficacy computation), security (e.g., botnet detection, intrusion detection), proximity testing (e.g., COVID-19 contact tracing), and more. Private set intersection is a rapidly developing area and there exist many highly efficient protocols. However, almost all of these protocols are for the case of two parties or for semi-honest security. In particular, despite the high interest in this problem, prior to our work there has been no concretely efficient, maliciously secure multiparty PSI protocol. We present PSImple, the first concretely efficient maliciously secure multiparty PSI protocol. Our construction is based on oblivious transfer and garbled Bloom filters, and has a round-optimal online phase. To demonstrate the practicality of PSImple, we implemented it and ran experiments with up to 32 parties and 2^20 inputs. We show that PSImple is competitive even with the state-of-the-art concretely efficient semi-honest multiparty PSI protocols. Additionally, we revisit the garbled Bloom filter parameters used in the 2-party PSI protocol of Rindal and Rosulek (Eurocrypt 2017). Using a more careful analysis, we show that the size of the garbled Bloom filters and the number of oblivious transfers required for malicious security can be significantly reduced, often by more than 20%. These improved parameters also imply a better security guarantee, and can be used both in the 2-party PSI protocol of Rindal and Rosulek and in PSImple.
CCS Concepts: Theory of computation → Communication complexity; Cryptographic protocols. Security and privacy → Cryptography.

IACR Cryptology ePrint Archive, 2018
A well-known result by Kilian (ACM 1988) asserts that general secure two-party computation (2PC) with statistical security can be based on OT. Specifically, in the client-server model, where only one party (the client) receives an output, Kilian's result shows that given the ability to call an ideal oracle that computes OT, two parties can securely compute an arbitrary function of their inputs with unconditional security. Ishai et al. (EUROCRYPT 2011) further showed that this can be done efficiently for every two-party functionality in NC^1 in a single round. However, their results only achieve statistical security, namely, some error in security is allowed. This leaves open the natural question of which client-server functionalities can be computed with perfect security in the OT-hybrid model, and what the round complexity of such computation is. So far, only a handful of functionalities were known to have such protocols. In addition to the obvious theoretical appeal of the question towards better understanding secure computation, perfect, as opposed to statistical, reductions may be useful for designing secure multiparty protocols with high concrete efficiency, achieved by eliminating the dependence on a security parameter. In this work, we identify a large class of client-server functionalities f : X × Y → {0, 1}, where the server's domain X is larger than the client's domain Y, that have a perfect reduction to OT. Furthermore, our reduction is 1-round using an oracle for secure evaluation of many parallel invocations of 1-out-of-2 bit OT, as done by Ishai et al. (EUROCRYPT 2011). Interestingly, the set of functions that we are able to compute was previously identified by Asharov (TCC 2014) in the context of fairness in two-party computation, naming these functions full-dimensional. Our result also extends to randomized non-Boolean functions f : X × Y → {0, ..., k − 1} satisfying |X| > (k − 1) · |Y|.

Theoretical Computer Science, Sep 1, 2021
A well-known result by Kilian [22] (ACM 1988) asserts that general secure two-party computation (2PC) with statistical security can be based on OT. Specifically, in the client-server model, where only one party (the client) receives an output, Kilian's result shows that given the ability to call an ideal oracle that computes OT, two parties can securely compute an arbitrary function of their inputs with unconditional security. Ishai et al. [19] (EUROCRYPT 2011) further showed that this can be done efficiently for every two-party functionality in NC^1 in a single round. However, their results only achieve statistical security, namely, some error in security is allowed. This leaves open the natural question of which client-server functionalities can be computed with perfect security in the OT-hybrid model, and what the round complexity of such computation is. So far, only a handful of functionalities were known to have such protocols. In addition to the obvious theoretical appeal of the question towards better understanding secure computation, perfect, as opposed to statistical, reductions may be useful for designing secure multiparty protocols with high concrete efficiency, achieved by eliminating the dependence on a security parameter. In this work, we identify a large class of client-server functionalities f : X × Y → {0, 1}, where the server's domain X is larger than the client's domain Y, that have a perfect reduction to OT. Furthermore, our reduction is 1-round using an oracle for secure evaluation of many parallel invocations of 1-out-of-2 bit OT, as done by Ishai et al. [19] (EUROCRYPT 2011). Interestingly, the set of functions that we are able to compute was previously identified by Asharov [2] (TCC 2014) in the context of fairness in two-party computation, naming these functions full-dimensional. Our result also extends to randomized non-Boolean functions f : X × Y → {0, ..., k − 1} satisfying |X| > (k − 1) · |Y|.
On Perfectly Secure Two-Party Computation for Symmetric Functionalities with Correlated Randomness
Lecture Notes in Computer Science, 2022

Lecture Notes in Computer Science, 2022
Side-channel attacks on threshold secret-sharing schemes have revealed partial information about the secrets, in turn compromising any cryptographic primitives built using them. Leakage-resilient cryptography studies the construction of cryptographic primitives and their vulnerability to such unintentional information revelation. For example, in the context of secure computation, linear leakage-resilient secret-sharing schemes naturally facilitate the leakage-resilient addition of secrets. However, leakage-resilient secure multiplication requires k/n < 0.5, where k is the reconstruction threshold and n is the total number of secret shares. Motivated by leakage-resilient secure computation of circuits with addition and multiplication gates, this work studies the leakage-resilience of Massey secret-sharing schemes corresponding to linear codes with small reconstruction thresholds against a family of joint leakage attacks, i.e., the leakage function can leak global information from all secret shares. Even against the highly restrictive class of local leakage attacks, where the leakage functions perform independent leakage from each secret share, the leakage-resilience of linear secret-sharing schemes with k/n < 0.5 is not well understood. Benhamouda, Degwekar, Ishai, and Rabin (Journal of Cryptology 2021) proved the leakage-resilience of Shamir's secret-sharing scheme against one-bit local leakage from each secret share when k/n > 0.8. Maji, Paskin-Cherniavsky, Suad, and Wang (CRYPTO 2021) proved that the Massey secret-sharing scheme corresponding to a random linear code is leakage-resilient to one-bit local leakage when k/n > 0.5.
In the small reconstruction threshold regime, Maji, Paskin-Cherniavsky, Nguyen, Suad, and Wang (EUROCRYPT 2021) proved that the Shamir secret-sharing scheme with random evaluation places is leakage-resilient to physical-bit leakage (with high probability) for any k ≥ 2, which makes them useful for leakage-resilient secure multiplication. However, handling more sophisticated leakages seems challenging because Maji, Paskin-Cherniavsky, Suad, and Wang (CRYPTO 2021) demonstrate the shortcomings of the state-of-the-art techniques against the specific local leakage attack that leaks the quadratic residuosity of each secret share, unless k/n > 0.5. Our work first characterizes the leakage-resilience of linear secret-sharing schemes against bounded-size (possibly global) leakage families. Let λ be the security parameter and F be a finite field (possibly of composite order) whose size is roughly 2^λ. Fix any family L of -bit leakage attacks of size at most |F|^{(k−2−c)/8}, for any positive constant c. This paper proves that the Massey secret-sharing scheme corresponding to a random linear code over F of dimension (k + 1) is leakage-resilient against every leakage attack in the family L, except with probability exponentially small in λ. In particular, k = 3 suffices when L is the singleton set containing the quadratic residuosity local leakage or L is the set of all physical-bit leakage functions. Furthermore, when L is the family of all NC^0-local leakage attacks, which subsumes physical-bit leakage attacks, any k = ω(n/λ) suffices (ignoring a log λ multiplicative factor). As long as the reconstruction threshold k ≤ √n, one can use these secret-sharing schemes to multiply secrets securely. Our result is near-optimal because there is a (global) leakage family of size |F|^{k+1} and = 1 that breaks the leakage-resilience of the Massey secret-sharing scheme corresponding to any dimension-(k + 1) linear code.
Finally, our work presents a tight Fourier-analytic analysis of the "parity-of-parity" local leakage attack proposed by Maji, Paskin-Cherniavsky, Nguyen, Suad, and Wang (EUROCRYPT 2021), which leaks one physical bit from every secret share. We show that the reconstruction threshold of the additive secret-sharing scheme must be Ω(log λ) to be leakage-resilient to this attack, improving the best previous bound of Ω(log λ / log log λ). The proof proceeds by tightly estimating an exponential sum. This result yields a local leakage family of size |F|^{k+1} such that the leakage-resilience of the Massey secret-sharing scheme corresponding to any dimension-(k + 1) linear code must satisfy k = Ω(log λ).

Springer International Publishing eBooks, Nov 4, 2021
A well-known result by Kilian [22] (ACM 1988) asserts that general secure two-party computation (2PC) with statistical security can be based on OT. Specifically, in the client-server model, where only one party (the client) receives an output, Kilian's result shows that given the ability to call an ideal oracle that computes OT, two parties can securely compute an arbitrary function of their inputs with unconditional security. Ishai et al. [19] (EUROCRYPT 2011) further showed that this can be done efficiently for every two-party functionality in NC^1 in a single round. However, their results only achieve statistical security, namely, some error in security is allowed. This leaves open the natural question of which client-server functionalities can be computed with perfect security in the OT-hybrid model, and what the round complexity of such computation is. So far, only a handful of functionalities were known to have such protocols. In addition to the obvious theoretical appeal of the question towards better understanding secure computation, perfect, as opposed to statistical, reductions may be useful for designing secure multiparty protocols with high concrete efficiency, achieved by eliminating the dependence on a security parameter. In this work, we identify a large class of client-server functionalities f : X × Y → {0, 1}, where the server's domain X is larger than the client's domain Y, that have a perfect reduction to OT. Furthermore, our reduction is 1-round using an oracle for secure evaluation of many parallel invocations of 1-out-of-2 bit OT, as done by Ishai et al. [19] (EUROCRYPT 2011). Interestingly, the set of functions that we are able to compute was previously identified by Asharov [2] (TCC 2014) in the context of fairness in two-party computation, naming these functions full-dimensional. Our result also extends to randomized non-Boolean functions f : X × Y → {0, ..., k − 1} satisfying |X| > (k − 1) · |Y|.

IACR Cryptology ePrint Archive, 2019
Nearly all secret sharing schemes studied so far are linear or multilinear schemes. Although these schemes allow one to implement any monotone access structure, the share complexity, SC, may be suboptimal: there are access structures for which the gap between the best known lower bounds and the best known multi-linear schemes is exponential. There is growing evidence in the literature that non-linear schemes can improve share complexity for some access structures, with the work of Beimel and Ishai (CCC '01) being among the first to demonstrate it. This motivates further study of non-linear schemes. We initiate a systematic study of polynomial secret sharing schemes (PSSS), where shares are (multi-variate) polynomials of the secret and randomness vectors s, r respectively over some finite field F_q. Our main hope is that the algebraic structure of polynomials would help obtain better lower bounds than those known for general secret sharing. Some of the initial results we prove in this work are as follows. On the share complexity of polynomial schemes: first we study degree (at most) 1 in the randomness variables r (where the degree of the secret variables is unlimited). We have shown that for a large subclass of these schemes, there exist equivalent multi-linear schemes with O(n) share complexity overhead. Namely, PSSS where every polynomial misses monomials of exact degree c ≥ 2 in s and 0 in r, and PSSS where all polynomials miss monomials of exact degree ≥ 1 in s and 1 in r. This translates the known lower bound of Ω(n log(n)) for multi-linear schemes onto a class of schemes strictly larger than multi-linear schemes, to contrast with the best Ω(n^2 / log(n)) bound known for general schemes, with no progress since '94. An observation in the positive direction we make refers to the share complexity (per bit) of multi-linear schemes (polynomial schemes of total degree 1). We observe that the scheme by Liu et al. obtaining share complexity O(2^{0.994n}) can be transformed into a multi-linear scheme with similar share complexity per bit, for sufficiently long secrets. For the next natural degree to consider, 2 in r, we have shown that PSSS where all share polynomials are of exact degree 2 in r (without exact degree 1 in r monomials), where F_q has odd characteristic, can implement only trivial access structures where the minterms consist of single parties.
Entropy, Apr 1, 2022

2021 IEEE International Symposium on Information Theory (ISIT)
Historically, side-channel attacks have revealed partial information about the intermediate values and secrets of computations to compromise the security of cryptographic primitives. The objective of leakage-resilient cryptography is to model such avenues of information leakage and study techniques to realize them securely. This work studies the local leakage-resilience of prominent secret-sharing schemes like Shamir's secret-sharing scheme and the additive secret-sharing scheme against probing attacks that leak physical bits from the memory hardware storing the secret shares. Consider the additive secret-sharing scheme among k parties over a prime field such that the prime needs λ bits for its binary representation, where λ is the security parameter. We prove that k must be at least ω(log λ / log log λ) for the scheme to be secure against even one physical-bit leakage from each secret share. This result improves the previous state-of-the-art result where an identical lower bound was known for one-bit general leakage from each secret share (Benhamouda, Degwekar, Ishai, and Rabin, CRYPTO 2018). This lower bound on the reconstruction threshold extends to Shamir's secret-sharing scheme if one does not carefully choose the evaluation places for generating the secret shares. For this scheme, our result additionally improves another lower bound on the reconstruction threshold k of Shamir's secret-sharing scheme (Nielsen and Simkin, EUROCRYPT 2020) when the total number of parties is O(λ log λ / log log λ). Our work provides the analysis of the recently proposed (explicit) physical-bit leakage attack of Maji, Nguyen, Paskin-Cherniavsky, Suad, and Wang (EUROCRYPT 2021), namely the "parity-of-parity" attack. This analysis relies on lower-bounding the "discrepancy" of the Irwin-Hall probability distribution.
Interactive Non-malleable Codes
Theory of Cryptography, 2019
Non-malleable codes (NMC) introduced by Dziembowski et al. [ICS'10] allow one to encode "passive" data in such a manner that when a codeword is tampered, the original data either remains completely intact or is essentially destroyed.

Side-channel attacks have repeatedly falsified the assumption that cryptosystems are black boxes. Leakage-resilient cryptography studies the robustness of cryptographic constructions when an unforeseen revelation of information occurs. In this context, recently, Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO 2018) motivated the study of the local leakage resilience of secret-sharing schemes against an adversary who obtains independent leakage from each secret share. Motivated by applications in secure computation, Benhamouda et al. (CRYPTO 2018) initiated the study of the local leakage resilience of Shamir's secret-sharing scheme, an essential primitive for nearly all threshold cryptography. The objective is to achieve local leakage resilience with as small a fractional reconstruction threshold as possible. Previously, Benhamouda et al. showed that the reconstruction threshold k being at least 0.907 times the number of parties n is sufficient for Shamir's secret-sharing scheme to be...

Lecture Notes in Computer Science, 2018
We consider information-theoretic secure two-party computation in the plain model where no reliable channels are assumed, and all communication is performed over the binary symmetric channel (BSC) that flips each bit with fixed probability. In this reality-driven setting we investigate the feasibility of communication-optimal noise-resilient semi-honest two-party computation, i.e., efficient computation which is both private and correct despite channel noise. We devise an information-theoretic technique that converts any correct, but not necessarily private, two-party protocol that assumes reliable channels into a protocol which is both correct and private against semi-honest adversaries, assuming BSC channels alone. Our results also apply to other types of noisy channels such as the elastic channel. Our construction combines tools from the cryptographic literature with tools from the literature on interactive coding, and achieves, to our knowledge, the best known communication overhead. Specifically, if f is given as a circuit of size s, our scheme communicates O(s + κ) bits for κ a security parameter. This improves the state of the art (Ishai et al., CRYPTO '11), where the communication is O(s) + poly(κ · depth(s)).

Advances in Cryptology – CRYPTO 2020, 2020
Classical definitions for secure multiparty computation assume the existence of a single adversarial entity controlling the set of corrupted parties. Intuitively, the definition requires that the view of the adversary, corrupting t parties, in a real-world execution can be simulated by an adversary in an ideal model, where parties interact only via a trusted party. No restrictions, however, are imposed on the view of honest parties in the protocol; thus, if honest parties obtain information about the private inputs of other honest parties, it is not counted as a violation of privacy. This is arguably undesirable in many situations that fall into the MPC framework. Nevertheless, there are secure protocols (e.g., the 2-round multiparty protocol of Ishai et al. [CRYPTO 2010] tolerating a single corrupted party) that instruct the honest parties to reveal their private inputs to all other honest parties (once the malicious party is somehow identified). In this paper, we put forth a new security notion, which we call FaF-security, extending the classical notion. In essence, (t, h*)-FaF-security requires the view of a subset of up to h* honest parties to also be simulatable in the ideal model (in addition to the view of the malicious adversary, corrupting up to t parties). This property should still hold even if the adversary leaks information to honest parties by sending them non-prescribed messages. We provide a thorough exploration of the new notion, investigating it in relation to a variety of existing security notions. We further investigate the feasibility of achieving FaF-security and show that every functionality can be computed with (computational) (t, h*)-FaF full-security if and only if 2t + h* < m. Interestingly, the lower-bound result actually shows that even fair FaF-security is impossible in general when 2t + h* ≥ m (surprisingly, the view of the malicious attacker is not used as the trigger for the attack). We also investigate the optimal round complexity for (t, h*)-FaF-secure protocols and give evidence that the leakage of private inputs of honest parties in the protocol of Ishai et al. [CRYPTO 2010] is inherent.

Innovative side-channel attacks have repeatedly falsified the assumption that cryptographic implementations are opaque black boxes. Therefore, it is essential to ensure cryptographic constructions' security even when information leaks via unforeseen avenues. One such fundamental cryptographic primitive is the secret-sharing scheme, which underlies nearly all threshold cryptography. Our understanding of the leakage-resilience of secret-sharing schemes is still in its preliminary stage. This work studies locally leakage-resilient linear secret-sharing schemes. An adversary can leak m bits of arbitrary local leakage from each of the n secret shares. However, in a locally leakage-resilient secret-sharing scheme, the leakage's joint distribution reveals no additional information about the secret. For every constant m, we prove that the Massey secret-sharing scheme corresponding to a random linear code of dimension k (over sufficiently large prime fields) is locally leakage-resilient, where k/n ...

Nearly all secret sharing schemes studied so far are linear or multilinear schemes. Although these schemes allow one to implement any monotone access structure, the share complexity, SC, may be suboptimal: there are access structures for which the gap between the best known lower bounds and the best known multi-linear schemes is exponential. There is growing evidence in the literature that non-linear schemes can improve share complexity for some access structures, with the work of Beimel and Ishai (CCC '01) being among the first to demonstrate it. This motivates further study of non-linear schemes. We initiate a systematic study of polynomial secret sharing schemes (PSSS), where shares are (multi-variate) polynomials of the secret and randomness vectors s, r respectively over some finite field F_q. Our main hope is that the algebraic structure of polynomials would help obtain better lower bounds than those known for general secret sharing. Some of the initial results we prove in this wor...

IACR Cryptol. ePrint Arch., 2020
The security of cryptographic primitives typically relies on the storage of private secrets by each participant in a perfect manner. However, increasingly, side-channel attacks are demonstrating the pitfalls of assuming these cryptographic entities as opaque monolithic objects over the entire duration the primitive remains alive. Motivated by such concerns, there is a significant interest in revisiting well-established cryptographic primitives and their implementations to identify whether their security continues to hold in the presence of such side-channel attacks. Although there are compilers to convert any secret sharing scheme into one that is robust to local leakage on each of their shares, it is not feasible to replace every instance of traditional secret sharing schemes in use with a leakage-resilient counterpart. Beyond efficiency considerations, there may be an appropriate structure in specific secret-sharing schemes that are fundamental to their usage in a particular conte...

IACR Cryptol. ePrint Arch., 2016
We devise a general secret sharing scheme for evolving access structures (following [KNY16]). Our scheme has (sub)exponentially smaller share complexity (share of the i-th party) for certain access structures compared to the general scheme in [5]. We stress that unlike [5]'s scheme, our scheme requires that the entire evolving access structure is known in advance. Revising, [5]'s scheme (in its most optimized form) is based on a representation of the access structure by an ordered (possibly infinite) oblivious, read-once decision tree. Each node is associated with an output of the function (0 or 1). The tree is augmented to cut paths that reach a node where f evaluates to 1 at that node (this works for evolving access structures, in which the descendants of all 1-nodes must be 1). Each party Pi receives a (single-bit) share for each edge exiting a node labeled by xi. Generally, the scheme of [5] has share complexity O(wT(i)), where wT(i) is the width of layer i in a decision tree for the a...
On Cryptographic Anonymity and Unpredictability in Secret Sharing

IACR Cryptol. ePrint Arch., 2017
We revisit the setting of coding for interactive communication, CIC (initiated by Schulman '96), for non-threshold tampering functions. In a nutshell, in the (special case of) the communication complexity setting, Alice and Bob holding inputs x, y wish to compute a function g(x, y) on their inputs over the identity channel using an interactive protocol. The goal here is to minimize the total communication complexity (CC). A "code" for interactive communication is a compiler transforming any π0 working in the communication complexity setting into a protocol π evaluating the same function over any channel f picked from a family F. Here f is a function modifying the entire communication transcript. The goal here is to minimize the code's rate, which is the CC overhead CC(π)/CC(π0) incurred by the compiler. All previous work in coding for interactive communication considered error correction (that is, g(x, y) must be recovered correctly with high probability), which p...