Elette Boyle

Function Secret Sharing

Motivated by the goal of securely searching and updating distributed data, we introduce and study the notion of function secret sharing (FSS). This new notion is a natural generalization of distributed point functions (DPF), a primitive that was recently introduced by Gilboa and Ishai (Eurocrypt 2014). Given a positive integer \(p\ge 2\) and a class \(\mathcal F\) of functions \(f:\{0,1\}^n\rightarrow \mathbb G\), where \(\mathbb G\) is an Abelian group, a \(p\)-party FSS scheme for \(\mathcal F\) allows one to split each \(f\in \mathcal F\) into \(p\) succinctly described functions \(f_i:\{0,1\}^n\rightarrow \mathbb G\), \(1\le i\le p\), such that: (1) \(\sum _{i=1}^p f_i=f\), and (2) any strict subset of the \(f_i\) hides \(f\). Thus, an FSS for \(\mathcal F\) can be thought of as method for succinctly performing an “additive secret sharing” of functions from \(\mathcal F\). The original definition of DPF coincides with a two-party FSS for the class of point functions, namely the class of functions that have a nonzero output on at most one input.

Oblivious Parallel RAM and Applications

We initiate the study of cryptography for parallel RAM (PRAM) programs. The PRAM model captures modern multi-core architectures and cluster computing models, where several processors execute in parallel and make accesses to shared memory, and provides the “best of both” circuit and RAM models, supporting both cheap random access and parallelism.

Fully Leakage-Resilient Signatures

A signature scheme is fully leakage resilient (Katz and Vaikuntanathan, ASIACRYPT’09) if it is existentially unforgeable under an adaptive chosen-message attack even in a setting where an adversary may obtain bounded (yet arbitrary) leakage information on all intermediate values that are used throughout the lifetime of the system. This is a strong and meaningful notion of security that captures a wide range of side-channel attacks.One of the main challenges in constructing fully leakage-resilient signature schemes is dealing with leakage that may depend on the random bits used by the signing algorithm, and constructions of such schemes are known only in the random-oracle model. Moreover, even in the random-oracle model, known schemes are only resilient to leakage of less than half the length of their signing key.In this paper we construct the first fully leakage-resilient signature schemes without random oracles. We present a scheme that is resilient to any leakage of length (1−o(1))L bits, where L is the length of the signing key. Our approach relies on generic cryptographic primitives, and at the same time admits rather efficient instantiations based on specific number-theoretic assumptions. In addition, we show that our approach extends to the continual-leakage model, recently introduced by Dodis, Haralambiev, Lopez-Alt and Wichs (FOCS’10), and by Brakerski, Tauman Kalai, Katz and Vaikuntanathan (FOCS’10). In this model the signing key is allowed to be refreshed, while its corresponding verification key remains fixed, and the amount of leakage is assumed to be bounded only in between any two successive key refreshes.

Large-Scale Secure Computation: Multi-party Computation for (Parallel) RAM Programs

We present the first efficient (i.e., polylogarithmic overhead) method for securely and privately processing large data sets over multiple parties with parallel, distributed algorithms. More specifically, we demonstrate load-balanced, statistically secure computation protocols for computing Parallel RAM (PRAM) programs, handling \((1/3 - \epsilon )\) fraction malicious players, while preserving up to polylogarithmic factors the computation, parallel time, and memory complexities of the PRAM program, aside from a one-time execution of a broadcast protocol per party. Additionally, our protocol has \(\mathsf{polylog}\) communication locality—that is, each of the n parties speaks only with \(\mathsf{polylog}(n)\) other parties.

Breaking the Circuit Size Barrier for Secure Computation Under DDH

Under the Decisional Diffie-Hellman DDH assumption, we present a 2-out-of-2 secret sharing scheme that supports a compact evaluation of branching programs on the shares. More concretely, there is an evaluation algorithm

Function Secret Sharing: Improvements and Extensions

\mathsf{Eval}

Leakage-resilient coin tossing

with a single bit of output, such that if an input