On the Cryptographic Complexity of the Worst Functions
Amos Beimel (BGU), Yuval Ishai (Technion), Ranjit Kumaresan (Technion), Eyal Kushilevitz (Technion)


How Bad are the Worst Functions?
– Function class F_N: all functions f : [N] × [N] → {0,1}
– This work: cryptographic complexity of the worst functions
Standard complexity-theoretic measures
– Circuit complexity: Θ(N²/log N) [Sha48, Lup58]
– 2-party communication complexity: Θ(log N) [Yao79]
Information-theoretic cryptography
– Communication complexity
– Randomness complexity

Model
Security model
– Information-theoretic: unbounded adversaries, statistical/perfect security
– Semi-honest adversary: no deviation from the protocol
Functions
– Function class F_N: class of all two-argument functions f : [N] × [N] → {0,1}
– Interested in the worst f ∈ F_N
Crypto primitives
– Secure computation: various models; communication/randomness
– Secret sharing: share complexity

Secure Computation: What is Known?
(Figure: Alice holds x and learns f_1(x,y); Bob holds y and learns f_2(x,y).)
– Best upper bounds linear in N; sublinear if big honest majority [BFKR90, IK04]
– Counting arguments yield weak lower bounds
– Can communication complexity be made logarithmic in N?

2-Party Secure Computation (2PC): What is Known?
Information-theoretic garbled circuits [Yao86]
– Depends on circuit structure
– Quadratic in formula depth
– Exponential-in-depth overhead for circuits
GMW [GMW87]
– Gate-by-gate evaluation of a given circuit
– #OTs required: twice #AND gates
– Communication cost: twice #AND gates

OT-Hybrid Model
Oblivious Transfer [Rab81, EGL85] (figure: the sender holds x_0, x_1; the receiver holds a choice bit b and learns x_b, nothing else)
– OT extension is impossible in the information-theoretic setting [Bea97]
– OT as an "atomic currency"
Pre-computation: random OT correlations can be "corrected" [Bea95]
– Offline: the sender gets random (y_0, y_1); the receiver gets a random c together with y_c
– Receiver sends d = c ⊕ b
– Sender replies z_0 = x_0 ⊕ y_d, z_1 = x_1 ⊕ y_(1-d)
– Receiver outputs z_b ⊕ y_c = x_b
*Slide created before revelations
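The [Bea95] correction step on the slide, as an added example (not code from the slides or the paper); the "dealer" producing the random correlation and all function names are this example's own constructions:

```python
import secrets

# Added example, not from the slides: Beaver's [Bea95] correction of a
# precomputed random OT correlation into an OT on the parties' real inputs.
# All values are single bits; the "dealer" below is a constructed stand-in
# for whatever produced the offline correlation (an earlier OT run, say).


def deal_random_ot(rng=secrets):
    """Offline phase: sender gets random pads (y0, y1); receiver gets a
    random choice bit c together with the pad y_c it points at."""
    y0, y1 = rng.randbits(1), rng.randbits(1)
    c = rng.randbits(1)
    return (y0, y1), (c, y1 if c else y0)


def receiver_correction(b, c):
    """Online, receiver -> sender: d = c XOR b. Since c is uniform and
    unknown to the sender, d reveals nothing about the real choice b."""
    return c ^ b


def sender_correction(x0, x1, y0, y1, d):
    """Online, sender -> receiver: z0 = x0 XOR y_d, z1 = x1 XOR y_{1-d}.
    Swapping the pads by d makes the pad the receiver holds (y_c) land on
    the slot b it actually wants."""
    y_d, y_not_d = (y1, y0) if d else (y0, y1)
    return x0 ^ y_d, x1 ^ y_not_d


def receiver_output(b, y_c, z0, z1):
    """Receiver unmasks z_b with y_c and obtains x_b; z_{1-b} stays padded
    with the pad it never received, so x_{1-b} remains hidden."""
    return (z1 if b else z0) ^ y_c


def run_precomputed_ot(x0, x1, b, rng=secrets):
    """Full exchange: one random-OT correlation consumed, one bit from the
    receiver and two bits from the sender online, output x_b at the receiver."""
    (y0, y1), (c, y_c) = deal_random_ot(rng)
    d = receiver_correction(b, c)
    z0, z1 = sender_correction(x0, x1, y0, y1, d)
    return receiver_output(b, y_c, z0, z1)
```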

OT Complexity
– Let F_N be the class of all 2-party f : [N] × [N] → {0,1}
– What is the OT complexity of the worst function in F_N?
– Circuit-based 2PC: O(N²/log N) [GMW87]
– Truth-table-based 2PC: O(N) via 1-out-of-N OT (Alice's row f(x,1), f(x,2), …, f(x,N); Bob selects entry y)
– 1-out-of-N OT from O(N) 1-out-of-2 OTs [BCR86]
– This work: O(N^(2/3)) OT complexity

Preprocessing Model
– Offline phase: correlated randomness (r_A to Alice, r_B to Bob); independent of the inputs, may depend on f
– Online phase: Alice (x, r_A) and Bob (y, r_B) compute f(x,y)
– OT correlations: a special case (pre-computed OTs); "simpler" correlations, independent of the function

Correlated Randomness Complexity
– Let F_N be the class of all 2-party f : [N] × [N] → {0,1}
– Correlated randomness complexity of the worst function in F_N?
– O(log N) online communication [IKMOP13], but O(N²) correlated randomness
– Truth-table-based 2PC: O(N), via 1-out-of-N OT [BCR86]
– This work: 2^(Õ(√log N)) correlated randomness

Private Simultaneous Messages (PSM)
Model [FKN94]
– Multiple clients (holding x and y) share randomness r; a single referee
– Non-interactive: each client sends one message; the referee outputs f(x,y)
– Referee learns only f(x,y); no collusion
Why PSM?
– Minimal model of secure computation [FKN94]
– Applications in round-efficient protocol design [IKP10]
– Connections to secret sharing! [BI01]
What is known?

PSM Complexity
– What is the PSM complexity of the worst function in F_N?
– [FKN94, IK97]: efficient for f with small formulas or branching programs; worst-case f: O(N); lower bound: 3 log N − 4
– The O(N) scheme: shared randomness r = (s, (r_1, …, r_N)); Alice sends f(x,1+s) + r_1, f(x,2+s) + r_2, …, f(x,N+s) + r_N (indices cyclic mod N); Bob sends y−s and r_(y−s); the referee recovers f(x,y)
– This work: O(√N) PSM complexity

Secret Sharing
Model
– External dealer + n parties; the dealer has input secret s
– Sends "shares" to the parties, then inactive
– Access structure: set of "authorized" subsets
– Secret hidden from unauthorized subsets; any authorized subset can reconstruct s
What is known?
– Poly(n) share complexity for every n-party access structure?
– Best upper bound: 2^(O(n)) [BL90, Bri89, KW93]
– Best lower bound: Ω(n/log n) [Csi97]

Share Complexity: Forbidden Graph Access Structures
Forbidden graph [SS97]
– Graph G = (V,E) with |V| = N
– Authorized subsets: sets {u,v} with (u,v) ∈ E; any set of size 3
Forbidden graph access structures
– Naive solution: O(N) [SS97, BL90]
– O(N/log N) share complexity [BDGV96, EP97, Bub86]
– This work: O(√N) share complexity
– What is the share complexity of the worst N-vertex graph?

Talk Outline
– Main technical tool: PIR
– OT complexity
– Correlated randomness complexity
– PSM complexity
– Share complexity for forbidden graphs

Private Information Retrieval
Model [CGKS95]
– Single client, multiple servers; each server has the same DB
– Size of DB = N (bits); DB unknown to the client
– Client input: index i ∈ [N]; privately retrieve DB[i]
– No collusion among servers; goal: minimize communication
2-server protocol (client randomness r)
– Query generation: (q_1, q_2) ← Q(i, r)
– Answer generation: a_k ← A(k, q_k, DB)
– Reconstruction: z ← R(i, r, a_1, a_2)

Talk Outline
– Main technical tool: PIR
– OT complexity: upper bound O(N^(2/3))
– Correlated randomness complexity
– PSM complexity
– Share complexity for forbidden graphs

OT-Hybrid Model (Recap)
– Let F_N be the class of all 2-party f : [N] × [N] → {0,1}
– What is the OT complexity of the worst function in F_N?
– Circuit-based 2PC for worst f: O(N²/log N) [GMW87]
– Truth-table-based 2PC for worst f: O(N), 1-out-of-N OT [BCR86]

O(N^(2/3)) Upper Bound on OT Complexity: Via 2-server PIR
– Alice holds (x, r_1), Bob holds (y, r_2); the PIR randomness is r_1 ⊕ r_2 and the database is the truth table of f
– Run GMW on the circuit C(Q'), where Q' = Q(x||y, r_1 ⊕ r_2), so that each party obtains one of the two queries q_1, q_2
– Each party answers its query locally: a_1 = A(1, q_1, f), a_2 = A(2, q_2, f)
– Run GMW on C(R'), where R' = R(x||y, r_1 ⊕ r_2, a_1, a_2), to obtain f(x,y)

O(N^(2/3)) Upper Bound on OT Complexity: Via 2-server PIR (cont.)
Privacy
– Privacy of GMW
– Privacy of 2-server PIR: a single query does not leak additional info

More Applications
– Honest-majority secure computation: efficient in circuit size [RB89, BGW88]
  – Specific setting: n = 3 parties with at most 1 corruption
  – Communication 2^(Õ(√log N)) via 3-server PIR
– "ε-secure sampling" from a joint distribution D [PP12]
  – Protocol lets Alice and Bob sample (x,y) from D
  – Alice knows nothing about y (beyond what is implied by D); Bob knows nothing about x (beyond what is implied by D)
  – Rate of securely sampling D on [N] × [N] from OT
  – New upper bound: O(N^(2/3) poly(log N, 1/ε))

Talk Outline
– Main technical tool: PIR
– OT complexity: upper bound O(N^(2/3))
– Correlated randomness complexity: upper bound 2^(Õ(√log N))
– PSM complexity
– Share complexity for forbidden graphs

Preprocessing Model (Recap)
– Offline phase: correlated randomness (r_A to Alice, r_B to Bob); independent of the inputs, may depend on f; OT correlations are a special case
– Online phase: Alice (x, r_A) and Bob (y, r_B) compute f(x,y)
– Truth-table-based 2PC: O(N), via 1-out-of-N OT [BCR86]
– Correlated randomness complexity of the worst function in F_N?

Correlated Randomness Complexity: 2^(O(√log N)) Upper Bound via 3-server PIR
Key observation: an individual PIR query is independent of the input: Q = (Q_(1,2), Q_3) with (q_1, q_2) ← Q_(1,2)(i, r) and q_3 ← Q_3(r)
Offline phase
– Alice receives r_1, Bob receives r_2
– q_3 = Q_3(r_1 ⊕ r_2) and a_3 = A(3, q_3, f) are computed offline; a_3 is additively shared as a_3 = a_(3,1) ⊕ a_(3,2), with a_(3,1) given to Alice and a_(3,2) to Bob
– OT correlations OT_A, OT_B for GMW

Correlated Randomness Complexity: 2^(O(√log N)) Upper Bound
Online phase
– GMW on C(Q'), Q' = Q_(1,2)(x||y, r_1 ⊕ r_2): each party obtains one of q_1, q_2
– a_1 = A(1, q_1, f), a_2 = A(2, q_2, f), computed locally
– GMW on C(R'), R' = R(x||y, r_1 ⊕ r_2, a_1, a_2, a_(3,1) ⊕ a_(3,2)), outputs f(x,y)
Correlated randomness
– Shares of the randomness for the PIR query generation algorithm
– Shares of the answer to the third PIR query
– OT correlations for GMW

Correlated Randomness Complexity: 2^(O(√log N)) Upper Bound (cont.)
Privacy
– Additive secret sharing
– Privacy of GMW
– Privacy of 3-server PIR: a query does not leak additional info

Improving the Bounds?
– (OT + communication) complexity of 2PC: bounded by the communication complexity of 2-server PIR
  – Client shares its input, then acts as OT oracle
– (Correlated randomness + communication) complexity of 2PC: bounded by the communication complexity of 3-server PIR [IKM+13]
  – 3rd server provides correlated randomness to servers 1 & 2
– Qualitative explanation of the difference in efficiency
  – 2-server PIR ~ 2PC with OT preprocessing
  – 3-server PIR ~ 2PC with arbitrary preprocessing

Summary
– Main technical tool: PIR
– OT complexity: upper bound O(N^(2/3))
– Correlated randomness complexity: upper bound 2^(Õ(√log N))
– PSM complexity: upper bound O(√N)
– Share complexity for forbidden graphs: upper bound O(√N)

Thank You! Preliminary Version: Slides:

Talk Outline
– Main technical tool: PIR
– OT complexity: upper bound O(N^(2/3))
– Correlated randomness complexity: upper bound 2^(Õ(√log N))
– PSM complexity: upper bound O(√N)
– Share complexity for forbidden graphs: upper bound O(√N)

Share Complexity (Recap)
Model
– External dealer + n parties; the dealer is inactive after sending "shares"
– Access structure: "authorized" subsets
Forbidden graph [SS97]
– Graph G = (V,E) with |V| = N
– Authorized subsets: sets {u,v} with (u,v) ∈ E; any set of size 3
Forbidden graph access structures
– O(N/log N) share complexity [DPGV96, EP97, B86]
– What is the share complexity of the worst N-vertex graph?

Bipartite Case
Forbidden bipartite graph
– Graph G = (L,R,E) with |L| = |R| = N
– Authorized subsets: {x,y} with x ∈ L, y ∈ R, (x,y) ∈ E; any set of size 3
– G associated with f : [N] × [N] → {0,1}
Secret sharing
– Share s using 3-out-of-2N Shamir secret sharing
– Also secret-share s = s_L ⊕ s_R ⊕ s'
– Send s_L to every x ∈ L; send s_R to every y ∈ R
– How to share s'?

PSM & Secret Sharing
Secret sharing scheme for s' (PSM messages A_f(x,r) for x ∈ L and B_f(y,r) for y ∈ R, shared randomness r)
– If dealer input s' = 1: x ∈ L gets A_f(x,r); y ∈ R gets B_f(y,r)
– If dealer input s' = 0: pick some x_0, y_0 s.t. f(x_0,y_0) = 0; x ∈ L gets A_f(x_0,r); y ∈ R gets B_f(y_0,r)
– Good for s' = 1: an edge {x,y} runs the referee computation and obtains f(x,y) = 1 = s'
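One added example serving two slides: the O(N) PSM of [FKN94] for an arbitrary function (from the PSM Complexity slide) and the bipartite forbidden-graph scheme just described, which uses that PSM's messages as shares for s'. This is not code from the slides or the paper; the graph, the prime field, the party-to-Shamir-point numbering and all function names are this example's own constructed choices.

```python
import secrets

# Added example, not from the slides or the paper: the O(N) PSM for an
# arbitrary f : [N] x [N] -> {0,1} [FKN94] (cyclic shift plus one-time pads),
# plugged in as the A_f / B_f messages of the forbidden-bipartite-graph
# scheme on the slide. Graph, field and numbering are constructed choices.

PRIME = 2_147_483_647   # field for the 3-out-of-2N Shamir layer (any prime > 2N)
N = 4
EDGES = {(0, 1), (1, 2), (2, 3), (3, 0), (1, 1)}   # constructed graph on L = R = [4]

def f_graph(x, y):
    """f(x, y) = 1 iff {x in L, y in R} is an edge, i.e. an authorized pair."""
    return 1 if (x, y) in EDGES else 0

# --- O(N) PSM for an arbitrary function ---------------------------------
def psm_randomness(n, rng=secrets):
    """Shared r = (s, r_0..r_{n-1}): a cyclic shift and n pad bits."""
    return rng.randbelow(n), [rng.randbits(1) for _ in range(n)]

def psm_alice(f, n, x, r):
    """A_f(x, r): row x of the truth table, rotated by s and one-time padded;
    on its own this is a uniformly random n-bit string."""
    s, pads = r
    return [f(x, (j + s) % n) ^ pads[j] for j in range(n)]

def psm_bob(n, y, r):
    """B_f(y, r): the rotated position of y and the one pad bit at it."""
    s, pads = r
    j = (y - s) % n
    return j, pads[j]

def psm_referee(msg_a, msg_b):
    """Unpad the single entry Bob points at: f(x, y) and nothing else."""
    j, pad = msg_b
    return msg_a[j] ^ pad

# --- Shamir 3-out-of-2N layer (handles every set of size 3) ------------
def shamir_shares(secret, n_points, rng=secrets):
    a1, a2 = rng.randbelow(PRIME), rng.randbelow(PRIME)
    return [(p, (secret + a1 * p + a2 * p * p) % PRIME) for p in range(1, n_points + 1)]

def lagrange_at_zero(points):
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

def deal(secret, x0=0, y0=0, rng=secrets):
    """s = s_L xor s_R xor s'. Every x in L gets s_L, every y in R gets s_R,
    and s' rides in PSM messages: for the parties' own inputs if s' = 1, for
    the fixed non-edge (x0, y0) if s' = 0. Shamir point of x in L is x+1,
    of y in R is N+y+1. Share = (side bit, PSM message, Shamir point)."""
    assert f_graph(x0, y0) == 0
    sL, sR = rng.randbits(1), rng.randbits(1)
    s_prime = secret ^ sL ^ sR
    r = psm_randomness(N, rng)
    sh = shamir_shares(secret, 2 * N, rng)
    left = [(sL, psm_alice(f_graph, N, x if s_prime else x0, r), sh[x]) for x in range(N)]
    right = [(sR, psm_bob(N, y if s_prime else y0, r), sh[N + y]) for y in range(N)]
    return left, right

def reconstruct_pair(share_x, share_y):
    """An edge {x, y}: the referee step yields f(x, y) = 1 = s' when s' = 1
    and f(x0, y0) = 0 = s' when s' = 0. A non-edge cross pair gets 0 either
    way, so by PSM privacy it learns nothing about s'."""
    sL, msg_a, _ = share_x
    sR, msg_b, _ = share_y
    return sL ^ sR ^ psm_referee(msg_a, msg_b)

def reconstruct_triple(shares):
    """Any three parties interpolate the Shamir polynomial at 0."""
    return lagrange_at_zero([sh[2] for sh in shares])

def check_access_structure(secret):
    """True iff every edge and a triple recover `secret` and every non-edge
    cross pair's PSM output is 0 (so independent of `secret`)."""
    left, right = deal(secret)
    edges_ok = all(reconstruct_pair(left[x], right[y]) == secret for x, y in EDGES)
    triple_ok = reconstruct_triple([left[0], left[1], right[3]]) == secret
    non_edges_ok = all(psm_referee(left[x][1], right[y][1]) == 0
                       for x in range(N) for y in range(N) if (x, y) not in EDGES)
    return edges_ok and triple_ok and non_edges_ok
```

A same-side pair may learn s' from its two messages, but it lacks the other side's uniformly random s_L or s_R, so s stays hidden from it as the access structure requires.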

Forbidden Graph Access Structures
– From bipartite to general graphs: decompose into log N bipartite graphs; apply standard techniques [BL90, Sti94]
– Forbidden graph access structures: O(√N) share complexity, via the O(√N) PSM
– Scheme is non-linear (?)
– Matches the best known lower bound for linear schemes: Ω(√N) [Min12]

Summary
Cryptographic complexity of worst functions
– Main technical tool: PIR
– OT complexity: upper bound O(N^(2/3))
– Correlated randomness complexity: upper bound 2^(Õ(√log N))
– PSM complexity: upper bound O(√N)
– Share complexity for forbidden graphs: upper bound O(√N)


Talk Outline
– Main technical tool: PIR
– OT complexity: upper bound O(N^(2/3))
– Correlated randomness complexity: upper bound 2^(Õ(√log N))
– PSM complexity: upper bound O(√N)
– Share complexity for forbidden graphs

PIR Examples [CGKS95]: 2^d-server PIR with O(N^(1/d)) communication
Notation: T ⊕ c = T ∪ {c} if c ∉ T, T \ {c} if c ∈ T
2-server example (d = 1)
– PIR queries: T_1 ∈_R [N] (a uniformly random subset), T_2 = T_1 ⊕ i
– PIR answers: A(k, T_k) = ⊕_(j ∈ T_k) DB[j]
– Reconstruction: z = A(1, T_1) ⊕ A(2, T_2)
– Efficiency: client → server j: O(N) bits; server j → client: 1 bit

PIR Examples [CGKS95]: 2^d-server PIR with O(N^(1/d)) communication
– View DB as a d-dimensional cube [N^(1/d)]^d; index i = (i_1, …, i_d)
– PIR queries: pick (T_1, …, T_d) ∈_R ([N^(1/d)])^d; server k = (k_1, …, k_d) ∈ {0,1}^d receives the query T = (T_1 ⊕ k_1·i_1, …, T_d ⊕ k_d·i_d), i.e. coordinate m is toggled at i_m only when k_m = 1
– PIR answers: ⊕ DB[k_1, …, k_d] over k_1 ∈ T'_1, …, k_d ∈ T'_d, the subcube of the received query T' = (T'_1, …, T'_d)
– Reconstruction: z = A(1, T_(0…0)) ⊕ … ⊕ A(2^d, T_(1…1))
– Efficiency: client → server j: O(d N^(1/d)) bits; server j → client: 1 bit

Reducing the #Servers [CGKS95]
Query T for server k = (k_1, …, k_d): (T_1 ⊕ k_1·i_1, …, T_d ⊕ k_d·i_d)
Key observation: any server can emulate d other servers with cost O(N^(1/d))
Example: 2-server O(N^(1/3)) PIR
– Server 1: query T_000 = (T_1, T_2, T_3)
  – List "potential" queries for T_100: (T_1 ⊕ t, T_2, T_3) for t ∈ [N^(1/3)]; similarly for T_010: (T_1, T_2 ⊕ t, T_3) and T_001: (T_1, T_2, T_3 ⊕ t)
  – Answer the query and the 3N^(1/3) "potential" queries
– Server 2: query T_111 = (T_1 ⊕ i_1, T_2 ⊕ i_2, T_3 ⊕ i_3)
  – List "potential" queries for T_011, T_101, T_110
  – Answer the query and the 3N^(1/3) "potential" queries
– Client picks the correct answer in each answer list and XORs them
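The cube scheme of the two preceding slides for d = 3, collapsed to the 2-server O(N^(1/3)) protocol just described, as an added example (not code from the slides or the paper); the 27-bit database and all names are this example's own constructions:

```python
import secrets
from itertools import product

# Added example, not from the slides: the CGKS95 cube scheme for d = 3,
# collapsed from 8 servers to 2 by letting each server also answer the
# 3*N^(1/3) "potential" queries of the servers it emulates. The database is
# a constructed bit string of N = n^3 bits indexed by (i1, i2, i3) in [n]^3.

N_SIDE = 3
SAMPLE_DB = [int(c) for c in "101100111010001110110010101"]   # 27 = 3^3 bits, constructed


def toggle(T, c):
    """T xor c from the slides: add c if absent, drop it if present."""
    return T ^ {c}


def subcube_xor(db, n, T1, T2, T3):
    """Basic server answer: XOR of DB[j1, j2, j3] over j1 in T1, j2 in T2, j3 in T3."""
    acc = 0
    for j1, j2, j3 in product(T1, T2, T3):
        acc ^= db[(j1 * n + j2) * n + j3]
    return acc


def server_answer(db, n, T):
    """Reply to query T = (T1, T2, T3): the answer to T itself plus, for each
    coordinate m and each t in [n], the answer to T with T_m toggled at t.
    Those 3n extra bits are the 'potential' answers for the three emulated
    servers whose query differs from T in exactly one coordinate."""
    own = subcube_xor(db, n, *T)
    potential = []
    for m in range(3):
        row = []
        for t in range(n):
            Tt = list(T)
            Tt[m] = toggle(T[m], t)
            row.append(subcube_xor(db, n, *Tt))
        potential.append(row)
    return own, potential          # 1 + 3n bits back to the client


def client_query(n, i, rng=secrets):
    """Server 1 gets T_000 = (T1, T2, T3) with each T_m a uniform subset of
    [n]; server 2 gets T_111 = (T1 ^ i1, T2 ^ i2, T3 ^ i3). Each query is
    uniform on its own, so a non-colluding server learns nothing about i."""
    i1, i2, i3 = i
    T = tuple({j for j in range(n) if rng.randbits(1)} for _ in range(3))
    q1 = T
    q2 = (toggle(T[0], i1), toggle(T[1], i2), toggle(T[2], i3))
    return q1, q2


def client_reconstruct(i, ans1, ans2):
    """Pick, from each potential-answer list, the entry at t = i_m: for
    server 1 these are the answers to T_100, T_010, T_001; for server 2
    (toggling i_m a second time undoes it) they are T_011, T_101, T_110.
    XORing all 8 cube answers cancels every cell except DB[i]."""
    i1, i2, i3 = i
    own1, pot1 = ans1
    own2, pot2 = ans2
    return (own1 ^ pot1[0][i1] ^ pot1[1][i2] ^ pot1[2][i3]
            ^ own2 ^ pot2[0][i1] ^ pot2[1][i2] ^ pot2[2][i3])


def pir_retrieve(db, n, i):
    """One full 2-server run for index i = (i1, i2, i3)."""
    q1, q2 = client_query(n, i)
    return client_reconstruct(i, server_answer(db, n, q1), server_answer(db, n, q2))


def check_all_indices(db, n):
    """True iff every cell of the cube is retrieved correctly."""
    return all(pir_retrieve(db, n, (i1, i2, i3)) == db[(i1 * n + i2) * n + i3]
               for i1, i2, i3 in product(range(n), repeat=3))
```

Per run the client sends 3n bits to each server and receives 1 + 3n bits from each, i.e. O(N^(1/3)) in total.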

Private Simultaneous Messages (Recap)
Model [FKN94]
– Single referee; two (or more) clients
– Non-interactive; the referee learns only f(x,y)
– Clients share randomness r, unknown to the referee; all parties know f
– No collusion
– Efficient for small-depth formulae; worst-case f: O(N) [FKN94]
– What is the PSM complexity of the worst function in F_N?

O(  N) Upper Bound on PSM Complexity Via 4-server PIR Key Observation Index i  (i 1, i 2, i 3, i 4 ) Input x specifies i 1, i 2 Input y specifies i 3, i 4 15 of 16 servers emulated by clients Key Observation Index i  (i 1, i 2, i 3, i 4 ) Input x specifies i 1, i 2 Input y specifies i 3, i 4 15 of 16 servers emulated by clients 4-server PIR [CGKS95] Obtained by collapsing basic 16-server O(N 1/4 ) PIR scheme 4-server PIR [CGKS95] Obtained by collapsing basic 16-server O(N 1/4 ) PIR scheme r r x x y y r r f(x,y)

O(√N) Upper Bound on PSM Complexity: Via 4-server PIR (cont.)
Query T for server k = (k_1, …, k_4): (T_1 ⊕ k_1·i_1, …, T_4 ⊕ k_4·i_4); T_0000 = (T_1, …, T_4)
Key observation: i = (i_1, i_2, i_3, i_4); x specifies i_1, i_2; y specifies i_3, i_4
Query + answer generation
– Alice knows T_1 ⊕ i_1, T_2 ⊕ i_2: answers for T_**00; "potential" answers for T_**01, T_**10
– Bob knows T_3 ⊕ i_3, T_4 ⊕ i_4: answers for T_00**; "potential" answers for T_01**, T_10**
– Missing query T_1111 equals (T_1 ⊕ i_1, T_2 ⊕ i_2, T_3 ⊕ i_3, T_4 ⊕ i_4); the answer to T_1111 is computed by the referee

O(√N) Upper Bound on PSM Complexity: Via 4-server PIR (cont.)
Query + answer generation
– Answers for T_**00, T_00**; "potential" answers for T_**01, T_**10, T_01**, T_10**
– Referee answers T_1111
Reconstruction
– Selecting from the "potential" answer lists: use a known PSM (small-depth circuit)
– The PSM outputs the XOR of these 15 answers
– The remaining answer is computed by the referee, who finally XORs it with the PSM output



The research leading to these results has received funding from the European Union's Seventh Framework Programme (FP7/ ) under grant agreement no – ERC – Cryptography and Complexity