Publication


Featured research published by Giovanni Di Crescenzo.


theory and application of cryptographic techniques | 2004

Public Key Encryption with Keyword Search

Dan Boneh; Giovanni Di Crescenzo; Rafail Ostrovsky; Giuseppe Persiano

We study the problem of searching on data that is encrypted using a public key system. Consider user Bob who sends email to user Alice encrypted under Alice’s public key. An email gateway wants to test whether the email contains the keyword “urgent” so that it could route the email accordingly. Alice, on the other hand, does not wish to give the gateway the ability to decrypt all her messages. We define and construct a mechanism that enables Alice to provide a key to the gateway that enables the gateway to test whether the word “urgent” is a keyword in the email without learning anything else about the email. We refer to this mechanism as Public Key Encryption with Keyword Search. As another example, consider a mail server that stores various messages publicly encrypted for Alice by others. Using our mechanism Alice can send the mail server a key that will enable the server to identify all messages containing some specific keyword, but learn nothing else. We define the concept of public key encryption with keyword search and give several constructions.


symposium on the theory of computing | 1998

Non-interactive and non-malleable commitment

Giovanni Di Crescenzo; Yuval Ishai; Rafail Ostrovsky

A commitment protocol is a fundamental cryptographic primitive used as a basic building block throughout modern cryptography. In STOC 1991, Dolev, Dwork and Naor showed that in many settings the implementation of this fundamental primitive requires a strong non-malleability property in order not to be susceptible to a certain class of attacks. In this paper, assuming that a common random string is available to all players, we show how to implement non-malleable commitment without any interaction and based on any one-way function. In contrast, all previous solutions required either logarithmically many rounds of interaction or strong algebraic


theory and application of cryptographic techniques | 2000

Single database private information retrieval implies oblivious transfer

Giovanni Di Crescenzo; Tal Malkin; Rafail Ostrovsky

A Single-Database Private Information Retrieval (PIR) is a protocol that allows a user to privately retrieve from a database an entry with as small as possible communication complexity. We call a PIR protocol non-trivial if its total communication is strictly less than the size of the database. Non-trivial PIR is an important cryptographic primitive with many applications. Thus, understanding which assumptions are necessary for implementing such a primitive is an important task, although (so far) not a well-understood one. In this paper we show that any non-trivial PIR implies Oblivious Transfer, a far better understood primitive. Our result not only significantly clarifies our understanding of any non-trivial PIR protocol, but also yields the following consequences:

- Any non-trivial PIR is complete for all two-party and multiparty secure computations.
- There exists a communication-efficient reduction from any PIR protocol to a 1-out-of-n Oblivious Transfer protocol (also called SPIR).
- There is strong evidence that the assumption of the existence of a one-way function is necessary but not sufficient for any non-trivial PIR protocol.


theory and application of cryptographic techniques | 2001

Efficient and Non-interactive Non-malleable Commitment

Giovanni Di Crescenzo; Jonathan Katz; Rafail Ostrovsky; Adam D. Smith

We present new constructions of non-malleable commitment schemes, in the public parameter model (where a trusted party makes parameters available to all parties), based on the discrete logarithm or RSA assumptions. The main features of our schemes are: they achieve near-optimal communication for arbitrarily-large messages and are noninteractive. Previous schemes either required (several rounds of) interaction or focused on achieving non-malleable commitment based on general assumptions and were thus efficient only when committing to a single bit. Although our main constructions are for the case of perfectly-hiding commitment, we also present a communication-efficient, noninteractive commitment scheme (based on general assumptions) that is perfectly binding.


symposium on theoretical aspects of computer science | 1999

How to forget a secret

Giovanni Di Crescenzo; Niels Ferguson; Russell Impagliazzo; Markus Jakobsson

We uncover a new class of attacks that can potentially affect any cryptographic protocol. The attack is performed by an adversary that at some point has access to the physical memory of a participant, including all its previous states. In order to protect protocols from such attacks, we introduce a cryptographic primitive that we call erasable memory. Using this primitive, it is possible to implement the essential cryptographic action of forgetting a secret. We show how to use a small erasable memory in order to transform a large non-erasable memory into a large and erasable memory. In practice, this shows how to turn any type of storage device into a storage device that can selectively forget. Moreover, the transformation can be performed using the minimal assumption of the existence of any one-way function, and can be implemented using any block cipher, in which case it is quite efficient. We conclude by suggesting some concrete implementations of small amounts of erasable memory.


international cryptology conference | 2004

Constant-Round Resettable Zero Knowledge with Concurrent Soundness in the Bare Public-Key Model

Giovanni Di Crescenzo; Giuseppe Persiano; Ivan Visconti

In the bare public-key model (BPK in short), each verifier is assumed to have deposited a public key in a file that is accessible by all users at all times. In this model, introduced by Canetti et al. [STOC 2000], constant-round black-box concurrent and resettable zero knowledge is possible as opposed to the standard model for zero knowledge. As pointed out by Micali and Reyzin [Crypto 2001], the notion of soundness in this model is more subtle and complex than in the classical model and indeed four distinct notions have been introduced (from weakest to strongest): one-time, sequential, concurrent and resettable soundness.


international cryptology conference | 1994

Multi-Secret Sharing Schemes

Carlo Blundo; Alfredo De Santis; Giovanni Di Crescenzo; Antonio Giorgio Gaggia; Ugo Vaccaro

A multi-secret sharing scheme is a protocol to share m arbitrarily related secrets s_1, ..., s_m among a set of participants P. In this paper we put forward a general theory of multi-secret sharing schemes by using an information theoretical framework. We prove lower bounds on the size of information held by each participant for various access structures. Finally, we prove the optimality of the bounds by providing protocols.


financial cryptography | 2000

Private Selective Payment Protocols

Giovanni Di Crescenzo

We consider the following generic type of payment protocol: a server is willing to make a payment to one among several clients, to be selectively chosen; for instance, the one whose private input is maximum. Instances of this protocol arise in several financial transactions, such as auctions, lotteries and prize-winning competitions. We define such a task by introducing the notion of private selective payment protocol for a given function, deciding which client is selected. We then present an efficient private selective payment protocol for the especially interesting case in which the function selects the client with maximum private input. Our protocol can be performed in constant rounds, does not require any interaction among the clients, and does not use general circuit evaluation techniques. Moreover, our protocol satisfies strong privacy properties: it is information-theoretically private with respect to all-but-one clients trying to learn the other clients' private input or which client is selected; and assuming the hardness of deciding quadratic residuosity modulo Blum integers, an honest-but-curious server does not learn any information about which client is selected, or about the private inputs of selected or non-selected clients. The techniques underlying this protocol involve the introduction and constructions for a novel variant of oblivious transfer, of independent interest, which we call symmetrically-private conditional oblivious transfer.


international colloquium on automata languages and programming | 2000

Necessary and Sufficient Assumptions for Non-interactive Zero-Knowledge Proofs of Knowledge for All NP Relations

Alfredo De Santis; Giovanni Di Crescenzo; Giuseppe Persiano

Establishing relationships between primitives is an important area in the foundations of Cryptography. In this paper we consider the primitive of non-interactive zero-knowledge proofs of knowledge, namely, methods for writing a proof that on input x the prover knows y such that relation R(x, y) holds. These proofs have important applications for the construction of cryptographic protocols, as cryptosystems and signatures that are secure under strong types of attacks. They were first defined in [10], where a sufficient condition for the existence of such proofs for all NP relations was given. In this paper we show, perhaps unexpectedly, that such condition, based on a variant of public-key cryptosystems, is also necessary. Moreover, we present an alternative and natural condition, based on a variant of commitment schemes, which we show to be necessary and sufficient as well for the construction of such proofs. Such equivalence also allows us to improve known results on the construction of such proofs under the hardness of specific computational problems. Specifically, we show that assuming the hardness of factoring Blum integers is sufficient for such constructions.


conference on computability in europe | 2008

Succinct NP Proofs from an Extractability Assumption

Giovanni Di Crescenzo; Helger Lipmaa

We prove, using a non-standard complexity assumption, that any language in has a 1-round (that is, the verifier sends a message to the prover, and the prover sends a message to the verifier) argument system (that is, a proof system where soundness holds against polynomial-time provers) with communication complexity only polylogarithmic in the size of the instance. We also show formal evidence that the nature of the non-standard complexity assumption we use is analogous to previous assumptions proposed in the cryptographic literature. The question of whether complexity assumptions of this nature can be considered acceptable or not remains of independent interest in complexity-theoretic cryptography as well as complexity theory.

Collaboration



Top Co-Authors

Tao Zhang

Telcordia Technologies

Renwei Ge

University of Delaware
