Abhi Shelat

The smallest grammar problem

This paper addresses the smallest grammar problem: What is the smallest context-free grammar that generates exactly one given string /spl sigma/? This is a natural question about a fundamental object connected to many fields such as data compression, Kolmogorov complexity, pattern identification, and addition chains. Due to the problems inherent complexity, our objective is to find an approximation algorithm which finds a small grammar for the input string. We focus attention on the approximation ratio of the algorithm (and implicitly, the worst case behavior) to establish provable performance guarantees and to address shortcomings in the classical measure of redundancy in the literature. Our first results are concern the hardness of approximating the smallest grammar problem. Most notably, we show that every efficient algorithm for the smallest grammar problem has approximation ratio at least 8569/8568 unless P=NP. We then bound approximation ratios for several of the best known grammar-based compression algorithms, including LZ78, B ISECTION, SEQUENTIAL, LONGEST MATCH, GREEDY, and RE-PAIR. Among these, the best upper bound we show is O(n/sup 1/2/). We finish by presenting two novel algorithms with exponentially better ratios of O(log/sup 3/n) and O(log(n/m/sup */)), where m/sup */ is the size of the smallest grammar for that input. The latter algorithm highlights a connection between grammar-based compression and LZ77.

Efficient Protocols for Set Membership and Range Proofs

We consider the following problem: Given a commitment to a valueσ , prove in zero-knowledge that σ belongs to some discrete set φ . The set φ can perhaps be a list of cities or clubs; often φ canbe a numerical range such as [1,220]. This problemarises in e-cash systems, anonymous credential systems, and variousother practical uses of zero-knowledge protocols. When using commitment schemes relying on RSA-like assumptions,there are solutions to this problem which require only a constantnumber of RSA-group elements to be exchanged between the prover andverifier [5, 15, 16]. However, for many commitment schemes based onbilinear group assumptions, these techniques do not work, and thebest known protocols require O (k ) group elementsto be exchanged where k is a security parameter. In this paper, we present two new approaches to buildingset-membership proofs. The first is based on bilinear groupassumptions. When applied to the case where φ is arange of integers, our protocols require

One-to-many propensity score matching in cohort studies.

O(\frac{k}{\log k -\log\log k})

Securely obfuscating re-encryption

group elements to be exchanged. Not only is thisresult asymptotically better, but the constants are small enough toprovide significant improvements even for small ranges. Indeed, fora discrete logarithm based setting, our new protocol is an order ofmagnitude more efficient than previously known ones. We also discuss alternative implementations of our membershipproof based on the strong RSA assumption. Depending on theapplication, e.g., when φ is a published set of valuessuch a frequent flyer clubs, cities, or other ad hoc collections,these alternative also outperform prior solutions.

Simulatable Adaptive Oblivious Transfer

Among the large number of cohort studies that employ propensity score matching, most match patients 1:1. Increasing the matching ratio is thought to improve precision but may come with a trade‐off with respect to bias.

Two-output secure computation with malicious adversaries

We present the first positive obfuscation result for a traditional cryptographic functionality. This positive result stands in contrast to well-known negative impossibility results [BGI+01] for general obfuscation and recent negative impossibility and improbability [GK05] results for obfuscation of many cryptographic functionalities. Whereas other positive obfuscation results in the standard model apply to very simple point functions, our obfuscation result applies to the significantly more complicated and widely-used re-encryption functionality. This functionality takes a ciphertext for message m encrypted under Alices public key and transforms it into a ciphertext for the same message m under Bobs public key. To overcome impossibility results and to make our results meaningful for cryptographic functionalities, we use a new definition of obfuscation. This new definition incorporates more security-aware provisions.

Collusion-free protocols

We study an adaptivevariant of oblivious transfer in which a sender has Nmessages, of which a receiver can adaptively choose to receive kone-after-the-other, in such a way that (a) the sender learns nothing about the receivers selections, and (b) the receiver only learns about the krequested messages. We propose two practical protocols for this primitive that achieve a stronger security notion than previous schemes with comparable efficiency. In particular, by requiring full simulatability for both sender and receiver security, our notion prohibits a subtle selective-failure attack not addressed by the security notions achieved by previous practical schemes. Our first protocol is a very efficient generic construction from unique blind signatures in the random oracle model. The second construction does not assume random oracles, but achieves remarkable efficiency with only a constant number of group elements sent during each transfer. This second construction uses novel techniques for building efficient simulatable protocols.

Bounded CCA2-secure encryption

We present a method to compile Yaos two-player garbled circuit protocol into one that is secure against malicious adversaries that relies on witness indistinguishability. Our approach can enjoy lower communication and computation overhead than methods based on cut-and-choose [13] and lower overhead than methods based on zero-knowledge proofs [8] (or Σ-protocols [14]). To do so, we develop and analyze new solutions to issues arising with this transformation: -- How to guarantee the generators input consistency -- How to support different outputs for each player without adding extra gates to the circuit of the function f being computed -- How the evaluator can retrieve input keys but avoid selective failure attacks -- Challenging 3/5 of the circuits is near optimal for cut-and-choose (and better than challenging 1/2). Our protocols require the existence of secure-OT and claw-free functions that have a weak malleability property. We discuss an experimental implementation of our protocol to validate our efficiency claims.

Matching by Propensity Score in Cohort Studies with Three Treatment Groups

Secure protocols attempt to minimize the injuries to privacy and correctness inflicted by malicious participants who collude during run-time. They do not, however, prevent malicious parties from colluding and coordinating their actions in the first place!Eliminating such collusion of malicious parties during the execution of a protocol is an important and exciting direction for research in Cryptography. We contribute the first general result in this direction: (1) We provide a rigorous definition of what a collusion-free protocol is; and (2) We prove that, under standard physical and computational assumptions ---i.e., plain envelopes and trapdoor permutations---collusion-free protocols exist for all finite protocol tasks with publicly observable actions. (Note that such tasks are allowed to have secret global state, and thus include Poker, Bridge, and other such games.Our solution is tight in the sense that, for a collusion-free protocol to exist, each of (a) the finiteness of the game of interest, (b) the public observability of its actions, and (c) the use of some type of physically private channel is provably essential.

Analysis of the Blockchain Protocol in Asynchronous Networks

Whereas encryption schemes withstanding passive chosen-plaintext attacks (CPA) can be constructed based on a variety of computational assumptions, only a few assumptions are known to imply the existence of encryption schemes withstanding adaptive chosen-ciphertext attacks (CCA2). Towards addressing this asymmetry, we consider a weakening of the CCA2 model--bounded CCA2-security -- wherein security needs only hold against adversaries that make an a-priori bounded number of queries to the decryption oracle. Regarding this notion we show (without any further assumptions): - For any polynomial q, a simple black-box construction of q-bounded IND-CCA2-secure encryption schemes, from any IND-CPA-secure encryption scheme. When instantiated with the Decisional Diffie-Hellman (DDH) assumption, this construction additionally yields encryption schemes with very short ciphertexts. - For any polynomial q, a (non-black box) construction of q-bounded NM-CCA2-secure encryption schemes, from any IND-CPA-secure encryption scheme. Bounded-CCA2 non-malleability is the strongest notion of security yet known to be achievable assuming only the existence of IND-CPA secure encryption schemes. Finally, we show that non-malleability and indistinguishability are not equivalent under bounded-CCA2 attacks (in contrast to general CCA2 attacks).