Ignacio Cascudo
Aalborg University
Publication
Featured research published by Ignacio Cascudo.
IEEE Transactions on Information Theory | 2013
Ignacio Cascudo; Ronald Cramer; Chaoping Xing
We consider the class of secret sharing schemes where there is no a priori bound on the number of players n but where each of the n share-spaces has fixed cardinality q. We show two fundamental lower bounds on the threshold gap of such schemes. The threshold gap g is defined as r-t, where r is minimal and t is maximal such that the following holds: for a secret with arbitrary a priori distribution, each r-subset of players can reconstruct this secret from their joint shares without error (r-reconstruction) and the information gain about the secret is nil for each t-subset of players jointly (t-privacy). Our first bound, which is completely general, implies that if , then g ≥ [(n-t+1)/q] independently of the cardinality of the secret-space. Our second bound pertains to \(\mathbb{F}_q\)-linear schemes with secret-space \(\mathbb{F}_{q^k}\) (\(k \geq 2\)). It improves the first bound when k is large enough. Concretely, it implies that g ≥ [(n-t+1)/q]+f(q,k,t,n), for some function f that is strictly positive when k is large enough. Moreover, also in the \(\mathbb{F}_q\)-linear case, bounds on the threshold gap independent of t or r are obtained by additionally employing a dualization argument. As an application of our results, we answer an open question about the asymptotics of arithmetic secret sharing schemes and prove that the asymptotic optimal corruption tolerance rate is strictly smaller than 1.
IEEE Transactions on Information Theory | 2015
Ignacio Cascudo; Ronald Cramer; Diego Mirandola; Gilles Zémor
Given a linear code C, one can define the dth power of C as the span of all componentwise products of d elements of C. A power of C may quickly fill the whole space. Our purpose is to answer the following question: does the square of a code typically fill the whole space? We give a positive answer, for codes of dimension k and length roughly \((1/2)k^2\) or smaller. Moreover, the convergence speed is exponential if the difference \(k(k+1)/2-n\) is at least linear in k. The proof uses random coding and combinatorial arguments, together with algebraic tools involving the precise computation of the number of quadratic forms of a given rank, and the number of their zeros.
international cryptology conference | 2016
Ignacio Cascudo; Ivan Damgård; Bernardo David; Nico Döttling; Jesper Buus Nielsen
We construct the first UC commitment scheme for binary strings with the optimal properties of rate approaching 1 and linear time complexity in the amortised sense, using a small number of seed OTs. On top of this, the scheme is additively homomorphic, which allows for applications to maliciously secure 2-party computation. As tools for obtaining this, we make three contributions of independent interest: we construct the first binary linear time encodable codes with non-trivial distance and rate approaching 1, we construct the first almost universal hash function with small seed that can be computed in linear time, and we introduce a new primitive called interactive proximity testing that can be used to verify whether a string is close to a given linear code.
IEEE Transactions on Information Theory | 2014
Ignacio Cascudo; Ronald Cramer; Chaoping Xing
The Ihara limit (or constant) A(q) has been a central problem of study in the asymptotic theory of global function fields (or equivalently, algebraic curves over finite fields). It addresses global function fields with many rational points and, so far, most applications of this theory do not require additional properties. Motivated by recent applications, we require global function fields with the additional property that their zero class divisor groups contain at most a small number of d-torsion points. We capture this with the notion of torsion limit, a new asymptotic quantity for global function fields. It seems that it is even harder to determine values of this new quantity than the Ihara constant. Nevertheless, some nontrivial upper bounds are derived. Apart from this new asymptotic quantity and bounds on it, we also introduce Riemann-Roch systems of equations. It turns out that this type of equation system plays an important role in the study of several other problems in each of these areas: arithmetic secret sharing, symmetric bilinear complexity of multiplication in finite fields, frameproof codes, and the theory of error correcting codes. Finally, we show how our new asymptotic quantity, our bounds on it and Riemann-Roch systems can be used to improve results in these areas.
information theory workshop | 2012
Ignacio Cascudo; Ronald Cramer; Chaoping Xing
In this invited talk, we introduce the notion of arithmetic codex, or codex for short. It encompasses several well-established notions from cryptography (arithmetic secret sharing schemes, which enjoy additive as well as multiplicative properties) and algebraic complexity theory (bilinear complexity of multiplication) in a natural mathematical framework. Arithmetic secret sharing schemes have important applications to secure multi-party computation and even to two-party cryptography. Interestingly, several recent applications to two-party cryptography rely crucially on the existing results on “asymptotically good families” of suitable such schemes. Moreover, the construction of these schemes requires asymptotically good towers of function fields over finite fields: no elementary (probabilistic) constructions are known in these cases. Besides introducing the notion, we discuss some of the constructions, as well as some limitations.
IEEE Transactions on Information Theory | 2012
Ignacio Cascudo; Ronald Cramer; Chaoping Xing; An Yang
In 1986, D. V. Chudnovsky and G. V. Chudnovsky first employed algebraic curves over finite fields to construct bilinear multiplication algorithms implicitly through supercodes introduced by Shparlinski-Tsfasman-Vladuţ, or equivalently, multiplication-friendly codes that we will introduce in this paper. This idea was further developed by Shparlinski-Tsfasman-Vladuţ in order to study the asymptotic behavior of multiplication complexity in extension fields. Later on, Ballet et al. further investigated the method and obtained some improvements. Recently, Ballet and Pieltant made use of curves over an extension field of to obtain an improvement on the complexity of multiplications in extensions of the binary field. In this paper, we develop the multiplication-friendly splitting technique and then apply this technique to study asymptotic behavior of multiplications in extension fields. By combining this with the idea of using algebraic function fields, we are able to improve further the asymptotic results of multiplication complexity. In particular, the improvement for small fields such as the binary and ternary fields is substantial.
applied cryptography and network security | 2017
Ignacio Cascudo; Bernardo David
Uniform randomness beacons whose output can be publicly attested to be unbiased are required in several cryptographic protocols. A common approach to building such beacons is having a number of parties run a coin tossing protocol with guaranteed output delivery (so that adversaries cannot simply keep honest parties from obtaining randomness, consequently halting protocols that rely on it). However, current constructions face serious scalability issues due to high computational and communication overheads. We present a coin tossing protocol for an honest majority that allows any entity to verify that an output was honestly generated by observing publicly available information (even after the execution is complete), while achieving both guaranteed output delivery and scalability. The main building block of our construction is the first Publicly Verifiable Secret Sharing scheme for threshold access structures that requires only O(n) exponentiations. Previous schemes required O(nt) exponentiations (where t is the threshold) from each of the parties involved, making them unfit for scalable distributed randomness generation, which requires \(t=n/2\) and thus \(O(n^2)\) exponentiations.
international cryptology conference | 2018
Ignacio Cascudo; Ronald Cramer; Chaoping Xing; Chen Yuan
A fundamental and widely-applied paradigm due to Franklin and Yung (STOC 1992) on Shamir-secret-sharing based general n-player MPC shows how one may trade the adversary threshold t against amortized communication complexity, by using a so-called packed version of Shamir’s scheme. For e.g. the BGW-protocol (with active security), this trade-off means that if \(t + 2k -2 < n/3\), then k parallel evaluations of the same arithmetic circuit on different inputs can be performed at the overall cost corresponding to a single BGW-execution.
international conference on security and cryptography | 2018
Ignacio Cascudo; René Bødker Christensen; Jaron Skovsted Gundersen
We consider recent constructions of 1-out-of-N OT-extension from Kolesnikov and Kumaresan (CRYPTO 2013) and from Orru et al. (CT-RSA 2017), based on binary error-correcting codes. We generalize their constructions such that q-ary codes can be used for any prime power q. This allows one to reduce the number of base 1-out-of-2 OTs that are needed to instantiate the construction for any value of N, at the cost of increasing the complexity of the remaining part of the protocol. We analyze these trade-offs in some concrete cases.
theory of cryptography conference | 2017
Ignacio Cascudo; Ivan Damgård; Oriol Farràs; Samuel Ranellucci
An OT-combiner takes n candidate implementations of the oblivious transfer (OT) functionality, some of which may be faulty, and produces a secure instance of oblivious transfer as long as a large enough number of the candidates are secure. We see an OT-combiner as a 2-party protocol that can make several black-box calls to each of the n OT candidates, and we want to protect against an adversary that can corrupt one of the parties and a certain number of the OT candidates, obtaining their inputs and (in the active case) full control of their outputs.