On the Cryptographic Complexity of the Worst Functions Amos Beimel (BGU) Yuval Ishai (Technion) Ranjit Kumaresan (Technion) Eyal Kushilevitz (Technion)


1 On the Cryptographic Complexity of the Worst Functions Amos Beimel (BGU) Yuval Ishai (Technion) Ranjit Kumaresan (Technion) Eyal Kushilevitz (Technion)

2 How Bad are the Worst Functions?
Function class F_N of all functions f : [N] × [N] → {0,1}
This work: Cryptographic complexity of the worst functions
Standard Complexity Theoretic Measures: circuit complexity (N^2/log N) [Sha48,Lup58]; 2-party communication complexity (log N) [Yao79]
Information-theoretic Cryptography: communication complexity; randomness complexity

3 Model
Security Model: information-theoretic (unbounded adversaries, statistical/perfect security); semi-honest adversary (no deviation from protocol)
Functions: function class F_N, the class of all two-argument functions f : [N] × [N] → {0,1}; interested in worst f ∈ F_N
Crypto Primitives: secure computation (various models, communication/randomness); secret sharing (share complexity)

4 Secure Computation: What is Known?
Diagram labels: x, f_1(x,y); y, f_2(x,y)
Best upper bounds linear in N
– Sublinear if big honest majority [BFKR90,IK04]
Counting arguments yield weak lower bounds
Can communication complexity be made logarithmic in N?

5 2-Party Secure Computation (2PC): What is Known?
Diagram labels: x, f_1(x,y); y, f_2(x,y)
Information-theoretic garbled circuits [Yao86]: depends on circuit structure; quadratic in formula depth; exponential in depth overhead for circuits
GMW [GMW87]: gate-by-gate evaluation of given circuit; #OTs required: twice #AND gates; communication cost: twice #AND gates

6 OT-Hybrid Model
Oblivious Transfer [Rab81,EGL85]: sender inputs x_0, x_1; receiver inputs b and obtains x_b
OT Extension: impossible in information theoretic setting [Bea97]; OT as an “atomic currency”
Pre-computation: random OT correlations can be “corrected” [Bea95]
Correction: sender holds y_0, y_1; receiver holds c, y_c. Receiver sends d = c ⊕ b. Sender sends z_0 = x_0 ⊕ y_d and z_1 = x_1 ⊕ y_{1-d}. Receiver outputs z_b ⊕ y_c.
*Slide created before revelations
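The correction step on slide 6, as an added example that is not part of the original slides: it runs the three formulas over every possible random OT correlation and checks both correctness and the semi-honest privacy of each party's view. The function names are assumptions made for this illustration.

```python
from collections import Counter
from itertools import product

def online_ot(x0, x1, b, y0, y1, c):
    """One online OT that consumes a precomputed random OT.

    Offline, the sender received (y0, y1) and the receiver received (c, y_c).
    Returns (receiver output, sender's view, receiver's view).
    """
    y = (y0, y1)
    y_c = y[c]                   # the receiver never learns y_{1-c}
    d = c ^ b                    # receiver -> sender: d = c XOR b
    z0 = x0 ^ y[d]               # sender -> receiver: z_0 = x_0 XOR y_d
    z1 = x1 ^ y[1 - d]           #                     z_1 = x_1 XOR y_{1-d}
    out = (z0, z1)[b] ^ y_c      # receiver outputs z_b XOR y_c
    return out, (y0, y1, d), (c, y_c, z0, z1)

def view_distributions(x0, x1, b):
    """Exact view distributions over the 8 equally likely correlations."""
    sender_views, receiver_views = Counter(), Counter()
    for y0, y1, c in product((0, 1), repeat=3):
        out, s_view, r_view = online_ot(x0, x1, b, y0, y1, c)
        if out != (x0, x1)[b]:
            raise AssertionError("correction produced the wrong bit")
        sender_views[s_view] += 1
        receiver_views[r_view] += 1
    return sender_views, receiver_views

def semi_honest_privacy_holds():
    """Sender's view must not depend on b; receiver's view must not
    depend on the unselected input x_{1-b}."""
    for x0, x1 in product((0, 1), repeat=2):
        if view_distributions(x0, x1, 0)[0] != view_distributions(x0, x1, 1)[0]:
            return False
    for b, x_b in product((0, 1), repeat=2):
        pair = [(x_b, other) if b == 0 else (other, x_b) for other in (0, 1)]
        if view_distributions(*pair[0], b)[1] != view_distributions(*pair[1], b)[1]:
            return False
    return True

if __name__ == "__main__":
    print("private against semi-honest parties:", semi_honest_privacy_holds())
```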

7 OT Complexity
Let F_N be the class of all 2-party f : [N] × [N] → {0,1}
What is the OT complexity of the worst function in F_N?
Circuit based 2PC: O(N^2/log N) [GMW87]
Truth-table based 2PC: O(N) via 1-out-of-N OT
1-out-of-N OT from O(N) 1-out-of-2 OTs [BCR86]
Diagram labels: inputs x, y; row f(x,1), f(x,2), …, f(x,N); selection y; output f(x,y)
This work: O(N^{2/3}) OT complexity

8 Preprocessing Model
Diagram labels: Offline Phase, correlated randomness r_A, r_B; Online Phase, inputs x, y with r_A, r_B, output f(x,y)
Correlated Randomness: independent of inputs; may depend on f
OT Correlations: special case; pre-computed OTs; “simpler” correlations; indep. of function

9 Correlated Randomness Complexity
Let F_N be the class of all 2-party f : [N] × [N] → {0,1}
Correlated randomness complexity of the worst function in F_N?
O(log N) online communication [IKMOP13]; correlated randomness: O(N^2)
Truth-table based 2PC: O(N), via 1-out-of-N OT [BCR86]
This work: 2^{Õ(√(log N))} correlated randomness

10 Private Simultaneous Messages (PSM)
Model [FKN94]: multiple clients; share randomness; single referee; non-interactive; referee learns only f(x,y); no collusion
Diagram labels: clients with inputs x, y and shared randomness r; referee output f(x,y)
Why PSM? Minimal model of secure computation [FKN94]; applications in round-efficient protocol design [IKP10]; connections to secret sharing! [BI01]
What is Known?

11 PSM Complexity
What is the PSM complexity of the worst function in F_N?
[FKN94,IK97]: efficient for f with small formulas, branching programs; worst case f : O(N); lower bound: 3 log N - 4
Truth-table protocol (diagram): shared randomness r = s, (r_1, …, r_N). The client holding x takes the row f(x,1), f(x,2), …, f(x,N) and sends f(x,1+s) + r_1, f(x,2+s) + r_2, …, f(x,N+s) + r_N. The client holding y sends y-s, r_{y-s}. The referee obtains f(x,y).
This work: O(√N) PSM complexity
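The O(N) truth-table PSM on slide 11, as an added example that is not part of the original slides. It assumes [N] is indexed 0..N-1 with shifts taken mod N and "+" on bits read as XOR; F_TABLE is a constructed sample function and all function names are made up for this illustration. The last function enumerates the shared randomness exhaustively to confirm that the referee's view depends only on f(x,y).

```python
from collections import Counter
from itertools import product

# Constructed sample f : [N] x [N] -> {0,1}, given as a truth table (N = 4).
F_TABLE = [
    [0, 1, 1, 0],
    [1, 0, 0, 0],
    [0, 0, 1, 1],
    [1, 1, 0, 1],
]
N = len(F_TABLE)

def alice_message(x, r):
    """Row x of the truth table, cyclically shifted by s and masked by r_j."""
    s, pads = r
    return tuple(F_TABLE[x][(j + s) % N] ^ pads[j] for j in range(N))

def bob_message(y, r):
    """The shifted position y - s and the one pad bit covering it."""
    s, pads = r
    j = (y - s) % N
    return j, pads[j]

def referee(msg_a, msg_b):
    """Unmask the single entry Bob points at; every other entry stays masked."""
    j, pad = msg_b
    return msg_a[j] ^ pad

def all_randomness():
    """Every value of the shared randomness r = (s, (r_1, ..., r_N))."""
    for s in range(N):
        for pads in product((0, 1), repeat=N):
            yield s, pads

def referee_view_distribution(x, y):
    """Exact distribution of the referee's view (both messages) for inputs x, y."""
    views = Counter()
    for r in all_randomness():
        a, b = alice_message(x, r), bob_message(y, r)
        if referee(a, b) != F_TABLE[x][y]:
            raise AssertionError("referee reconstructed the wrong bit")
        views[(a, b)] += 1
    return views

def views_depend_only_on_output():
    """PSM privacy: inputs with equal f(x,y) give identical view distributions."""
    by_output = {}
    for x, y in product(range(N), repeat=2):
        dist = referee_view_distribution(x, y)
        if by_output.setdefault(F_TABLE[x][y], dist) != dist:
            return False
    return True

if __name__ == "__main__":
    print("referee learns only f(x,y):", views_depend_only_on_output())
```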

12 Secret Sharing
Model: external dealer + n parties; dealer has input secret s; sends “shares” to parties; then, inactive
Access structure: set of “authorized” subsets; secret hidden from unauth. subsets; any auth. subset can reconstruct s
What is Known? Poly(n) share complexity for every n-party access structure?
Best upper bound: 2^{O(n)} [BL90,Bri89,KW93]
Best lower bound: Ω(n/log n) [Csi97]

13 Share Complexity: Forbidden Graph Access Structures
Forbidden Graph [SS97]: graph G = (V,E) with |V| = N. Authorized subsets: sets {u,v} with (u,v) ∈ E; any set of size 3
What is the share complexity of the worst N-vertex graph?
Naïve solution: O(N) [SS97,BL90]
O(N/log N) share complexity [BDGV96,EP97,Bub86]
This work: O(√N) share complexity

14 Talk Outline
Main Technical Tool – PIR
OT Complexity
Correlated Randomness Complexity
PSM Complexity
Share Complexity for Forbidden Graphs

15 Private Information Retrieval
Model [CGKS95]: single client; multiple servers; each server has same DB; size of DB = N (bits); DB unknown to client; client input: index i ∈ [N]; privately retrieve DB[i]; no collusion among servers; goal: min. communication
Query generation: (q_1, q_2) ← Q(i, r)
Answer generation: a_k ← A(k, q_k, DB)
Reconstruction: z ← R(i, r, a_1, a_2)
Diagram labels: client with i, r; servers with DB; queries q_1, q_2; answers a_1, a_2; output z

16 Talk Outline
Main Technical Tool – PIR
OT Complexity
– Upper bound: O(N^{2/3})
Correlated Randomness Complexity
PSM Complexity
Share Complexity for Forbidden Graphs

17 OT-Hybrid Model (Recap)
Let F_N be the class of all 2-party f : [N] × [N] → {0,1}
What is the OT complexity of the worst function in F_N?
Circuit based 2PC for worst f : O(N^2/log N) [GMW87]
Truth-table based 2PC for worst f : O(N), 1-out-of-N OT [BCR86]
Diagram labels: x_0, x_1; b; x_b

18 O(N^{2/3}) Upper Bound on OT Complexity via 2-server PIR
Inputs: x, y; randomness r_1, r_2
GMW(C(Q’)), with Q’ = Q(x||y, r_1 ⊕ r_2), outputs q_1, q_2
a_1 = A(1, q_1, f); a_2 = A(2, q_2, f)
GMW(C(R’)), with R’ = R(x||y, r_1 ⊕ r_2, a_1, a_2), outputs f(x,y)

19 O(N^{2/3}) Upper Bound on OT Complexity via 2-server PIR
Inputs: x, y; randomness r_1, r_2
GMW(C(Q’)), with Q’ = Q(x||y, r_1 ⊕ r_2), outputs q_1, q_2
a_1 = A(1, q_1, f); a_2 = A(2, q_2, f)
GMW(C(R’)), with R’ = R(x||y, r_1 ⊕ r_2, a_1, a_2), outputs f(x,y)
Privacy: privacy of GMW; privacy of 2-server PIR; query does not leak additional info

20 More Applications
Honest majority secure computation
– Efficient in circuit size [RB89,BGW88]
– Specific setting: n = 3 parties with at most 1 corruption
– Communication 2^{Õ(√(log N))} via 3-server PIR
“  - Secure Sampling” from joint distribution D [PP12]
– Protocol lets Alice & Bob sample (x,y) from D
  Alice knows nothing about y (over what is implied by D)
  Bob knows nothing about x (over what is implied by D)
– Rate of secure sampling D  [N] × [N] from OT
– New upper bound: O(N^{2/3} poly(log N, 1/  ))

21 Talk Outline
Main Technical Tool – PIR
OT Complexity
– Upper bound: O(N^{2/3})
Correlated Randomness Complexity
– Upper bound: 2^{Õ(√(log N))}
PSM Complexity
Share Complexity for Forbidden Graphs

22 Preprocessing Model (Recap)
Diagram labels: Offline Phase, correlated randomness r_A, r_B; Online Phase, inputs x, y with r_A, r_B, output f(x,y)
Correlated Randomness: independent of inputs; may depend on f; OT correlations special case
Truth-table based 2PC: O(N), via 1-out-of-N OT [BCR86]
Correlated randomness complexity of the worst function in F_N?

23 Correlated Randomness Complexity: 2^{O(√(log N))} Upper Bound via 3-server PIR
Key Observation: individual PIR query independent of input. Q = (Q_{1,2}, Q_3); (q_1, q_2) ← Q_{1,2}(i, r); q_3 ← Q_3(r)
Offline Phase: q_3 = Q_3(r_1 ⊕ r_2); a_3 = A(3, q_3, f); a_3 = a_{3,1} ⊕ a_{3,2}
Diagram labels: r_1, r_2; a_{3,1}, a_{3,2}; OT_A, OT_B

24 Correlated Randomness Complexity: 2^{O(√(log N))} Upper Bound
Online Phase: inputs x, y; randomness r_1, r_2; shares a_{3,1}, a_{3,2}
GMW(C(Q’)), with Q’ = Q_{1,2}(x||y, r_1 ⊕ r_2), outputs q_1, q_2
a_1 = A(1, q_1, f); a_2 = A(2, q_2, f)
GMW(C(R’)), with R’ = R(x||y, r_1 ⊕ r_2, a_1, a_2, a_{3,1} ⊕ a_{3,2}), outputs f(x,y)
Correlated Randomness: shares of randomness for PIR query generation alg.; shares of answer to third PIR query; OT correlations for GMW

25 Correlated Randomness Complexity: 2^{O(√(log N))} Upper Bound
Inputs x, y; randomness r_1, r_2; shares a_{3,1}, a_{3,2}
GMW(C(Q’)), with Q’ = Q_{1,2}(x||y, r_1 ⊕ r_2), outputs q_1, q_2
a_1 = A(1, q_1, f); a_2 = A(2, q_2, f)
GMW(C(R’)), with R’ = R(x||y, r_1 ⊕ r_2, a_1, a_2, a_{3,1} ⊕ a_{3,2}), outputs f(x,y)
Privacy: additive secret sharing; privacy of GMW; privacy of 3-server PIR; query does not leak additional info

26 Improving the Bounds?
(OT + communication) complexity of 2PC
– Bounded by communication complexity of 2-server PIR
  Client shares its input, then acts as OT oracle
(Cor. Rand. + communication) complexity of 2PC
– Bounded by communication comp. of 3-server PIR [IKM+13]
  3rd server provides correlated randomness to servers 1 & 2
Qualitative explanation of difference in efficiency
– 2-server PIR ~ 2PC with OT preprocessing
– 3-server PIR ~ 2PC with arbitrary preprocessing

27 Summary
Main Technical Tool – PIR
OT Complexity
– Upper bound: O(N^{2/3})
Correlated Randomness Complexity
– Upper bound: 2^{Õ(√(log N))}
PSM Complexity
– Upper bound: O(√N)
Share Complexity for Forbidden Graphs
– Upper bound: O(√N)

28 Thank You!
Preliminary Version: www.cs.umd.edu/~ranjit/BIKK.pdf
Slides: www.cs.umd.edu/~ranjit/BIKK.pptx

29 Talk Outline
Main Technical Tool – PIR
OT Complexity
– Upper bound: O(N^{2/3})
Correlated Randomness Complexity
– Upper bound: 2^{Õ(√(log N))}
PSM Complexity
– Upper bound: O(√N)
Share Complexity for Forbidden Graphs
– Upper bound: O(√N)

30 Share Complexity (Recap): Forbidden Graph Access Structures
Model: external dealer + n parties; dealer inactive after sending “shares”; access structure: “authorized” subsets
Forbidden Graph [SS97]: graph G = (V,E) with |V| = N. Authorized subsets: sets {u,v} with (u,v) ∈ E; any set of size 3
O(N/log N) share complexity [DPGV96,EP97,B86]
What is the share complexity of the worst N-vertex graph?

31 Bipartite Case
Forbidden Bipartite Graph: graph G = (L,R,E) with |L| = |R| = N. Authorized subsets: {x,y} with x ∈ L, y ∈ R, (x,y) ∈ E; any set of size 3. G associated with f : [N] × [N] → {0,1}
Secret Sharing: share s using 3-out-of-2N Shamir secret sharing. Also secret share s = s_L ⊕ s_R ⊕ s’: send s_L to x ∈ L; send s_R to y ∈ R. How to share s’?

32 PSM & Secret Sharing
Diagram labels: PSM messages A_f(x,r), B_f(y,r) with shared randomness r; x ∈ L, y ∈ R
Secret Sharing Scheme for s’
If dealer input s’ = 0: x ∈ L : A_f(x_0,r); y ∈ R : B_f(y_0,r)
If dealer input s’ = 1: x ∈ L : A_f(x,r); y ∈ R : B_f(y,r)
Good for s’ = 1
For s’ = 0: pick some x_0, y_0 s.t. f(x_0, y_0) = 0

33 Forbidden Graph Access Structures
From Bipartite to General Graphs
– Decomposed into log N bipartite graphs
– Apply standard techniques [BL90,Sti94]
Forbidden graph access structures
– O(√N) share complexity
– Via O(√N) PSM
Scheme is non-linear (?)
– Matches best known lower bound for linear schemes: Ω(√N) [Min12]

34 Summary
Cryptographic complexity of worst functions
– Main Technical Tool - PIR
OT Complexity
– Upper bound: O(N^{2/3})
Correlated Randomness Complexity
– Upper bound: 2^{Õ(√(log N))}
PSM Complexity
– Upper bound: O(√N)
Share Complexity for Forbidden Graphs
– Upper bound: O(√N)


36 Talk Outline
Main Technical Tool – PIR
OT Complexity
– Upper bound: O(N^{2/3})
Correlated Randomness Complexity
– Upper bound: 2^{Õ(√(log N))}
PSM Complexity
– Upper bound: O(√N)
Share Complexity for Forbidden Graphs

37 PIR Examples [CGKS95]: 2^d-server PIR with O(N^{1/d}) communication
Notation: T ⊕ c = T ∪ {c} if c ∉ T; T \ {c} if c ∈ T
PIR Queries: T_1 ⊆_R [N]; T_2 = T_1 ⊕ i
PIR Answers: A(k, T_k) = ⊕_{j ∈ T_k} DB[j]
Reconstruction: z = A(1,T_1) ⊕ A(2,T_2)
Efficiency: Client → Server j : O(N) bits; Server j → Client : 1 bit
Diagram labels: client with i; servers with DB; queries T_1, T_2; answers A(1,T_1), A(2,T_2)

38 PIR Examples [CGKS95]: 2^d-server PIR with O(N^{1/d}) communication
PIR Queries: pick (T_1, …, T_d) ⊆_R [N^{1/d}]^d. Server k : query T_{k_1…k_d} = (T_1 ⊕ (k_1 · i_1), …, T_d ⊕ (k_d · i_d)), where k = (k_1, …, k_d)
PIR Answers: for a query (T_1’, …, T_d’), the answer is ⊕_{k_1 ∈ T_1’, …, k_d ∈ T_d’} DB[k_1, …, k_d]
Reconstruction: z = A(1, T_{00…0}) ⊕ … ⊕ A(2^d, T_{11…1})
Efficiency: Client → Server j : O(dN^{1/d}) bits; Server j → Client : 1 bit
Diagram labels: client with i; servers S_1, S_2, … with DB; queries T_{00…0}, …, T_{11…1}
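The 2^d-server cube scheme of slides 37 and 38, as an added example that is not part of the original slides; d = 1 gives the 2-server scheme of slide 37. It assumes the database is stored as a dict from d-tuples in [m]^d (m = N^{1/d}, 0-indexed) to bits, and all function names are made up for this illustration. The last function enumerates every choice of (T_1, …, T_d) to show that one server's query has the same distribution for every index.

```python
import secrets
from collections import Counter
from itertools import product

def make_queries(index, m, d, T=None):
    """Queries for all 2^d servers. Server k = (k_1..k_d) gets
    (T_1 xor (k_1 * i_1), ..., T_d xor (k_d * i_d))."""
    if T is None:  # d independent uniformly random subsets of [m]
        T = [frozenset(a for a in range(m) if secrets.randbits(1)) for _ in range(d)]
    return {
        k: tuple(T[j] ^ {index[j]} if k[j] else T[j] for j in range(d))
        for k in product((0, 1), repeat=d)
    }

def answer(db, query):
    """One-bit answer: XOR of DB over the sub-cube T_1' x ... x T_d'."""
    bit = 0
    for cell in product(*query):
        bit ^= db[cell]
    return bit

def retrieve(db, index, m, d):
    """Client side: XOR the 2^d one-bit answers to obtain DB[index]."""
    z = 0
    for query in make_queries(index, m, d).values():
        z ^= answer(db, query)
    return z

def build_db(bits, m, d):
    """Lay out m**d bits as a d-dimensional cube."""
    return dict(zip(product(range(m), repeat=d), bits))

def all_subsets(m):
    return [frozenset(a for a in range(m) if mask >> a & 1) for mask in range(2 ** m)]

def server_view_distribution(k, index, m, d):
    """Exact distribution of server k's query over all choices of T."""
    views = Counter()
    for T in product(all_subsets(m), repeat=d):
        views[make_queries(index, m, d, list(T))[k]] += 1
    return views

def single_server_learns_nothing(m, d):
    """Each server's query distribution must be identical for every index."""
    indices = list(product(range(m), repeat=d))
    for k in product((0, 1), repeat=d):
        reference = server_view_distribution(k, indices[0], m, d)
        if any(server_view_distribution(k, i, m, d) != reference for i in indices):
            return False
    return True

if __name__ == "__main__":
    m, d = 4, 3  # N = 64 bits, 8 servers, d*m = 12 query bits per server
    db = build_db([(n * n + n // 3) % 2 for n in range(m ** d)], m, d)  # constructed data
    print(all(retrieve(db, i, m, d) == db[i] for i in db))
    print(single_server_learns_nothing(2, 2))
```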

39 Reducing the #Servers [CGKS95]
Key Observation: any server can emulate d other servers with cost O(N^{1/d})
Query T_{k_1…k_d} for Server k: (T_1 ⊕ (k_1 · i_1), …, T_d ⊕ (k_d · i_d)), where k = (k_1, …, k_d)
Example: 2-server O(N^{1/3}) PIR
Server 1: query T_000 = (T_1, T_2, T_3)
– List “potential” queries for T_100 : (T_1 ⊕ t, T_2, T_3) for t ∈ [N^{1/3}]
– Similarly for T_010 : (T_1, T_2 ⊕ t, T_3) & T_001 : (T_1, T_2, T_3 ⊕ t)
– Answer query & 3N^{1/3} “potential” queries
Server 2: query T_111 = (T_1 ⊕ i_1, T_2 ⊕ i_2, T_3 ⊕ i_3)
– List “potential” queries for T_011, T_101, T_110
– Answer query & 3N^{1/3} “potential” queries
Client picks correct answer in each answer list and XORs them

40 Private Simultaneous Messages (Recap)
Model [FKN94]: single referee; two (or more) clients; non-interactive; referee learns only f(x,y); clients share randomness, unknown to referee; all parties know f; no collusion
Diagram labels: clients with inputs x, y and shared randomness r; referee output f(x,y)
Efficient for small-depth formulae
Worst case f : O(N) [FKN94]
What is the PSM complexity of the worst function in F_N?

41 O(  N) Upper Bound on PSM Complexity Via 4-server PIR Key Observation Index i  (i 1, i 2, i 3, i 4 ) Input x specifies i 1, i 2 Input y specifies i 3, i 4 15 of 16 servers emulated by clients Key Observation Index i  (i 1, i 2, i 3, i 4 ) Input x specifies i 1, i 2 Input y specifies i 3, i 4 15 of 16 servers emulated by clients 4-server PIR [CGKS95] Obtained by collapsing basic 16-server O(N 1/4 ) PIR scheme 4-server PIR [CGKS95] Obtained by collapsing basic 16-server O(N 1/4 ) PIR scheme r r x x y y r r f(x,y)

42 O(√N) Upper Bound on PSM Complexity via 4-server PIR
Key Observation: i = (i_1, i_2, i_3, i_4); x specifies i_1, i_2; y specifies i_3, i_4
Query T_{k_1…k_4} for Server k: (T_1 ⊕ (k_1 · i_1), …, T_4 ⊕ (k_4 · i_4)), where k = (k_1, …, k_4)
Query + Answer Generation
– Alice knows T_1 ⊕ i_1, T_2 ⊕ i_2: answers for T_**00; “potential” answers for T_**01, T_**10
– Bob knows T_3 ⊕ i_3, T_4 ⊕ i_4: answers for T_00**; “potential” answers for T_01**, T_10**
– Missing query T_1111 equals (T_1 ⊕ i_1, T_2 ⊕ i_2, T_3 ⊕ i_3, T_4 ⊕ i_4)
– Answer to T_1111 computed by referee
Diagram labels: x, y; T_0000 = (T_1, …, T_4); i_1, i_2, i_3, i_4; T_1 ⊕ i_1, T_2 ⊕ i_2, T_3 ⊕ i_3, T_4 ⊕ i_4; T_**00, T_00**, T_**01, T_**10, T_01**, T_10**, T_1111

43 O(√N) Upper Bound on PSM Complexity via 4-server PIR
Query + Answer Generation
– Answers for T_**00, T_00**
– “Potential” answers for T_**01, T_**10, T_01**, T_10**
– Referee answers T_1111
Reconstruction
– Selecting from “potential” answer list: use known PSM (small-depth circuit)
– PSM outputs XOR of these 15 answers
– Remaining answer computed by referee
– Finally, XORs this with PSM output


46 The research leading to these results has received funding from the European Union's Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 259426 – ERC – Cryptography and Complexity

