Publication


Featured research published by Yuval Ishai.


international cryptology conference | 2008

Founding Cryptography on Oblivious Transfer --- Efficiently

Yuval Ishai; Manoj Prabhakaran; Amit Sahai

We present a simple and efficient compiler for transforming secure multi-party computation (MPC) protocols that enjoy security only with an honest majority into MPC protocols that guarantee security with no honest majority, in the oblivious-transfer (OT) hybrid model. Our technique works by combining a secure protocol in the honest majority setting with a protocol achieving only security against semi-honest parties in the setting of no honest majority.

Applying our compiler to variants of protocols from the literature, we get several applications for secure two-party computation and for MPC with no honest majority. These include:

- Constant-rate two-party computation in the OT-hybrid model. We obtain a statistically UC-secure two-party protocol in the OT-hybrid model that can evaluate a general circuit C of size s and depth d with a total communication complexity of O(s) + poly(k, d, log s) and O(d) rounds. The above result generalizes to a constant number of parties.
- Extending OTs in the malicious model. We obtain a computationally efficient protocol for generating many string OTs from few string OTs with only a constant amortized communication overhead compared to the total length of the string OTs.
- Black-box constructions for constant-round MPC with no honest majority. We obtain general computationally UC-secure MPC protocols in the OT-hybrid model that use only a constant number of rounds, and only make a black-box access to a pseudorandom generator. This gives the first constant-round protocols for three or more parties that only make a black-box use of cryptographic primitives (and avoid expensive zero-knowledge proofs).


theory of cryptography conference | 2009

Secure Arithmetic Computation with No Honest Majority

Yuval Ishai; Manoj Prabhakaran; Amit Sahai

We study the complexity of securely evaluating arithmetic circuits over finite rings. This question is motivated by natural secure computation tasks. Focusing mainly on the case of two-party protocols with security against malicious parties, our main goals are to: (1) only make black-box calls to the ring operations and standard cryptographic primitives, and (2) minimize the number of such black-box calls as well as the communication overhead.

We present several solutions which differ in their efficiency, generality, and underlying intractability assumptions. These include:

- An unconditionally secure protocol in the OT-hybrid model which makes a black-box use of an arbitrary ring R, but where the number of ring operations grows linearly with (an upper bound on) log|R|.
- Computationally secure protocols in the OT-hybrid model which make a black-box use of an underlying ring, and in which the number of ring operations does not grow with the ring size. The protocols rely on variants of previous intractability assumptions related to linear codes. In the most efficient instance of these protocols, applied to a suitable class of fields, the (amortized) communication cost is a constant number of field elements per multiplication gate and the computational cost is dominated by O(log k) field operations per gate, where k is a security parameter. These results extend a previous approach of Naor and Pinkas for secure polynomial evaluation (SIAM J. Comput., 2006).
- A protocol for the rings ℤ_m = ℤ/mℤ which only makes a black-box use of a homomorphic encryption scheme. When m is prime, the (amortized) number of calls to the encryption scheme for each gate of the circuit is constant.

All of our protocols are in fact UC-secure in the OT-hybrid model and can be generalized to multiparty computation with an arbitrary number of malicious parties.
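The OT-hybrid model that both of the abstracts above work in, and the "ring operations linear in log|R|" cost of the first protocol listed here, can be made concrete with a small worked example. The Python below is added here for illustration and is not code from either paper: it treats 1-out-of-2 OT as an ideal black box (that is what "OT-hybrid" means) and uses Gilboa's classic OT-based multiplication to turn Alice's a and Bob's b in ℤ_m into additive shares of a·b with one OT per bit of m, then builds a complete multiplication gate on shared values from it. For m = 2 this is the familiar GMW AND gate. The example is semi-honest only; the malicious-secure protocols of the papers are not reproduced. The modulus, trial counts and seeds are constructed for the example.

```python
import random


def ideal_ot(m0, m1, choice):
    """Ideal 1-out-of-2 OT, i.e. the black box of the OT-hybrid model: the receiver
    obtains m_choice and learns nothing about the other message; the sender learns
    nothing about choice. A real deployment would instantiate this with an OT protocol."""
    return m1 if choice else m0


def share_product(a, b, m, rng):
    """Alice holds a, Bob holds b, both in Z_m. Returns additive shares (sa, sb) with
    sa + sb = a*b (mod m) using one OT per bit of b (Gilboa-style, semi-honest only).
    The number of OTs is the bit length of m, i.e. linear in log|R| for R = Z_m."""
    sa, sb = 0, 0
    for j in range(m.bit_length()):
        r = rng.randrange(m)                                # Alice's fresh mask for bit j
        bj = (b >> j) & 1                                   # Bob's choice bit
        got = ideal_ot(r, (r + a * (1 << j)) % m, bj)       # Bob receives r + bj * a * 2^j
        sa = (sa - r) % m
        sb = (sb + got) % m
    return sa, sb                                           # sb - (-sa) = sum_j bj*a*2^j = a*b


def mul_shared(xa, xb, ya, yb, m, rng):
    """Multiplication gate on additively shared inputs x = xa + xb, y = ya + yb, where
    Alice holds (xa, ya) and Bob holds (xb, yb). The two cross terms go through OT;
    the squares xa*ya and xb*yb are computed locally."""
    ca, cb = share_product(xa, yb, m, rng)    # Alice is the OT sender, Bob chooses on yb
    db, da = share_product(xb, ya, m, rng)    # roles swapped: Bob sends, Alice chooses on ya
    return (xa * ya + ca + da) % m, (xb * yb + cb + db) % m


def check_random(m, trials, seed):
    """Sanity check on constructed random inputs: reconstructed shares equal the products."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, b = rng.randrange(m), rng.randrange(m)
        sa, sb = share_product(a, b, m, rng)
        if (sa + sb) % m != a * b % m:
            return False
        xa, xb, ya, yb = (rng.randrange(m) for _ in range(4))
        za, zb = mul_shared(xa, xb, ya, yb, m, rng)
        if (za + zb) % m != (xa + xb) * (ya + yb) % m:
            return False
    return True


if __name__ == "__main__":
    print(check_random(1019, 100, 1), check_random(1 << 64, 100, 2), check_random(2, 50, 3))
```

Each call to share_product costs m.bit_length() OTs and as many ring additions, which is exactly the log|R| dependence the first bullet describes; the computationally secure protocols in the abstract are designed to remove it.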


international cryptology conference | 2008

Sub-linear zero-knowledge argument for correctness of a shuffle

Jens Groth; Yuval Ishai

A shuffle of a set of ciphertexts is a new set of ciphertexts with the same plaintexts in permuted order. Shuffles of homomorphic encryptions are a key component in mix-nets, which in turn are used in protocols for anonymization and voting. Since the plaintexts are encrypted it is not directly verifiable whether a shuffle is correct, and it is often necessary to prove the correctness of a shuffle using a zero-knowledge proof or argument.

In previous zero-knowledge shuffle arguments from the literature the communication complexity grows linearly with the number of ciphertexts in the shuffle. We suggest the first practical shuffle argument with sub-linear communication complexity. Our result stems from combining previous work on shuffle arguments with ideas taken from probabilistically checkable proofs.
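To make the object being proven concrete, here is an added Python example (not code from the paper) of a mix-net shuffle over a toy ElGamal instance: permute, re-randomize each ciphertext by multiplying in an encryption of 1, and check with the secret key that the plaintext multiset is unchanged. The group parameters (p = 1019, q = 509, g = 4), the message values and the seed are constructed for illustration and are far too small for real use. The zero-knowledge shuffle argument itself is not implemented; the last check in the demo shows why it is needed, since a substituted ciphertext is visible only to the key holder.

```python
import random

# Toy ElGamal in the order-q subgroup of Z_p^*, p = 2q+1 (constructed parameters).
# 4 = 2^2 is a quadratic residue mod 1019 and therefore generates the order-509 subgroup.
P, Q, G = 1019, 509, 4


def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)                       # (secret key, public key h = g^x)


def encrypt(pk, msg, rng):
    """msg must be a subgroup element; returns (g^r, msg * h^r)."""
    r = rng.randrange(Q)
    return pow(G, r, P), msg * pow(pk, r, P) % P


def decrypt(sk, ct):
    c1, c2 = ct
    return c2 * pow(c1, Q - sk, P) % P           # c1^(q - x) = c1^(-x) since c1 has order q


def rerandomize(pk, ct, rng):
    """Multiply by a fresh encryption of 1: same plaintext, unlinkable ciphertext."""
    s = rng.randrange(1, Q)
    c1, c2 = ct
    return c1 * pow(G, s, P) % P, c2 * pow(pk, s, P) % P


def shuffle(pk, cts, rng):
    """Mix-net shuffle: secret permutation plus re-randomization of every ciphertext."""
    perm = list(range(len(cts)))
    rng.shuffle(perm)
    return [rerandomize(pk, cts[perm[k]], rng) for k in range(len(cts))], perm


def plaintexts(sk, cts):
    """What only the key holder can compute: the sorted multiset of plaintexts."""
    return sorted(decrypt(sk, ct) for ct in cts)


def demo(seed=3):
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    votes = [pow(G, v, P) for v in (5, 17, 42, 99)]          # constructed ballots as g^v
    cts = [encrypt(pk, m, rng) for m in votes]
    mixed, _ = shuffle(pk, cts, rng)
    correct = plaintexts(sk, mixed) == plaintexts(sk, cts)    # shuffle preserved the multiset
    unlinkable = not any(ct in cts for ct in mixed)           # no ciphertext survives verbatim
    # A dishonest mixer replaces one ballot with its own. Without sk (or a ZK shuffle
    # argument from the mixer) an observer cannot distinguish this from an honest shuffle.
    forged = mixed[:-1] + [encrypt(pk, pow(G, 7, P), rng)]
    visible_with_key = plaintexts(sk, forged) != plaintexts(sk, cts)
    return correct, unlinkable, visible_with_key


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```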


Algorithmica | 2010

On Locally Decodable Codes, Self-Correctable Codes, and t -Private PIR

Omer Barkol; Yuval Ishai; Enav Weinreb

A k-query locally decodable code (LDC) allows to probabilistically decode any bit of an encoded message by probing only k bits of its corrupted encoding. A stronger and desirable property is that of self-correction, allowing to efficiently recover not only bits of the message but also arbitrary bits of its encoding. In contrast to the initial constructions of LDCs, the recent and most efficient constructions are not known to be self-correctable. The existence of self-correctable codes of comparable efficiency remains open.

A closely related problem with a very different motivation is that of private information retrieval (PIR). A k-server PIR protocol allows a user to retrieve the i-th bit of a database, which is replicated among k servers, without revealing information about i to any individual server. A natural generalization is t-private PIR, which keeps i hidden from any t colluding servers. In contrast to the initial PIR protocols, it is not known how to generalize the recent and most efficient protocols to yield t-private protocols of comparable efficiency.

In this work we study both of the above questions, showing that they are in fact related. We start by presenting a general transformation of any 1-private PIR protocol (equivalently, LDC) into a t-private protocol with a similar amount of communication per server. Combined with the recent result of Yekhanin (STOC 2007), this yields an improvement over previous t-private PIR protocols. A major weakness of our transformation is that the number of servers grows exponentially with t. We show that if the underlying LDC satisfies the stronger self-correction property, then there is a similar transformation in which the number of servers grows only linearly with t, which is the best one can hope for. Finally, we explore the possibility of improving current constructions of self-correctable codes and relate this question to a conjecture of Hamada concerning the algebraic rank of combinatorial designs.
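The LDC/PIR correspondence the abstract builds on is easiest to see on the Hadamard code, the classic 2-query LDC, which is also self-correctable. The Python below is an added illustration and not the paper's construction: local decoding and self-correction of a noisy Hadamard codeword, the 1-private 2-server PIR obtained by using the same two queries with the database as the message, and the textbook t-private PIR that shares the unit vector e_i with degree-t polynomials across t+1 servers. That last protocol has per-server communication linear in the database size, so it is not the transformation the abstract describes (which keeps the per-server communication of an efficient LDC); it is here to show what "t colluding servers learn nothing about i" means operationally. Field size, database, noise rate and seed are constructed for the example.

```python
import random

# ---- Hadamard code: 2-query locally decodable and self-correctable ----------------------

def hadamard_encode(msg, n):
    """Encode an n-bit message (as an int) into 2^n parity bits: C[x] = <msg, x> mod 2."""
    return [bin(msg & x).count("1") & 1 for x in range(1 << n)]


def corrupt(codeword, frac, rng):
    """Flip a frac fraction of positions (constructed noise for the demonstration)."""
    out = codeword[:]
    for pos in rng.sample(range(len(out)), int(frac * len(out))):
        out[pos] ^= 1
    return out


def local_decode(word, n, i, rng):
    """Message bit i from 2 queries: <m, r> + <m, r ^ e_i> = <m, e_i> = m_i (mod 2).
    Succeeds whenever neither queried position is corrupted."""
    r = rng.randrange(1 << n)
    return word[r] ^ word[r ^ (1 << i)]


def self_correct(word, n, x, rng):
    """Any *codeword* position x from 2 queries: <m, r> + <m, r ^ x> = <m, x>."""
    r = rng.randrange(1 << n)
    return word[r] ^ word[r ^ x]


# ---- 1-private 2-server PIR: same queries, database as the message ----------------------

def parity_answer(db, query):
    """Server side: XOR of the database bits selected by the query mask (one Hadamard symbol)."""
    return sum(bit for j, bit in enumerate(db) if (query >> j) & 1) & 1


def pir_2server(db, i, rng):
    """Each server sees a uniformly random mask, so neither learns i alone (1-private)."""
    n = len(db)
    r = rng.randrange(1 << n)
    return parity_answer(db, r) ^ parity_answer(db, r ^ (1 << i))


# ---- t-private PIR with t+1 servers via degree-t polynomial sharing of e_i --------------

FIELD = 257   # toy prime field; only needs to exceed the number of servers (constructed)


def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % FIELD
    return acc


def interpolate_at_zero(points):
    """Lagrange interpolation of F(0) from t+1 evaluations (s, F(s))."""
    total = 0
    for s_i, y_i in points:
        num, den = 1, 1
        for s_j, _ in points:
            if s_j != s_i:
                num = num * (-s_j) % FIELD
                den = den * (s_i - s_j) % FIELD
        total = (total + y_i * num * pow(den, -1, FIELD)) % FIELD
    return total


def pir_t_private(db, i, t, rng):
    """Coordinate j of e_i is shared by a random degree-t polynomial f_j with f_j(0) = e_i[j].
    Server s gets (f_1(s), ..., f_n(s)) and returns <db, that vector> = F(s), a degree-t
    polynomial with F(0) = db[i]. Any t servers hold t points of each f_j, which are
    uniformly distributed and independent of i."""
    n, k = len(db), t + 1
    queries = [[0] * n for _ in range(k)]
    for j in range(n):
        coeffs = [1 if j == i else 0] + [rng.randrange(FIELD) for _ in range(t)]
        for s in range(1, k + 1):
            queries[s - 1][j] = poly_eval(coeffs, s)
    answers = [(s, sum(db[j] * queries[s - 1][j] for j in range(n)) % FIELD)
               for s in range(1, k + 1)]
    return interpolate_at_zero(answers)


def demo(seed=1):
    """Returns (self-correction exact on a clean word, local-decoding success rate at 5%
    noise, 2-server PIR correct, 3-private 4-server PIR correct)."""
    rng = random.Random(seed)
    n = 10
    msg = rng.randrange(1 << n)
    clean = hadamard_encode(msg, n)
    self_ok = all(self_correct(clean, n, x, rng) == clean[x] for x in range(1 << n))
    noisy = corrupt(clean, 0.05, rng)
    hits = sum(local_decode(noisy, n, i, rng) == (msg >> i) & 1
               for i in rng.choices(range(n), k=500))
    db = [rng.randrange(2) for _ in range(24)]          # constructed 24-bit database
    pir2_ok = all(pir_2server(db, i, rng) == db[i] for i in range(24))
    pirt_ok = all(pir_t_private(db, i, 3, rng) == db[i] for i in range(24))
    return self_ok, hits / 500, pir2_ok, pirt_ok


if __name__ == "__main__":
    print(demo())
```

With 5% of the codeword flipped, two-query decoding succeeds with probability at least 1 - 2·0.05 = 0.9, which is the usual LDC guarantee; self-correction has the same cost because the Hadamard code is linear, which is exactly the property the abstract says newer, more efficient codes are not known to have.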


computer and communications security | 2017

Ligero: Lightweight Sublinear Arguments Without a Trusted Setup

Scott Ames; Carmit Hazay; Yuval Ishai; Muthuramakrishnan Venkitasubramaniam

We design and implement a simple zero-knowledge argument protocol for NP whose communication complexity is proportional to the square-root of the verification circuit size. The protocol can be based on any collision-resistant hash function. Alternatively, it can be made non-interactive in the random oracle model, yielding concretely efficient zk-SNARKs that do not require a trusted setup or public-key cryptography. Our protocol is attractive not only for very large verification circuits but also for moderately large circuits that arise in applications. For instance, for verifying a SHA-256 preimage in zero-knowledge with 2^-40 soundness error, the communication complexity is roughly 44KB (or less than 34KB under a plausible conjecture), the prover running time is 140 ms, and the verifier running time is 62 ms. This proof is roughly 4 times shorter than a similar proof of ZKB++ (Chase et al., CCS 2017), an optimized variant of ZKBoo (Giacomelli et al., USENIX 2016). The communication complexity of our protocol is independent of the circuit structure and depends only on the number of gates. For 2^-40 soundness error, the communication becomes smaller than the circuit size for circuits containing roughly 3 million gates or more. Our efficiency advantages become even bigger in an amortized setting, where several instances need to be proven simultaneously. Our zero-knowledge protocol is obtained by applying an optimized version of the general transformation of Ishai et al. (STOC 2007) to a variant of the protocol for secure multiparty computation of Damgard and Ishai (Crypto 2006). It can be viewed as a simple zero-knowledge interactive PCP based on interleaved Reed-Solomon codes.
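The interleaved Reed-Solomon structure mentioned at the end of the abstract rests on one test: the prover commits to a matrix whose rows are supposed to be Reed-Solomon codewords, the verifier asks for a random linear combination of the rows, checks that the answer is itself a codeword, and spot-checks a few columns of the commitment for consistency with that answer. The Python below is an added example of that test alone and is not Ligero's code: there is no zero-knowledge blinding, no linear or quadratic constraint check on the encoded witness, and the Merkle column commitment is replaced by direct reads of the prover's matrix. Field, code parameters, the number of opened columns and the seed are constructed for the example.

```python
import random

FIELD = (1 << 61) - 1   # prime field for the demonstration (constructed choice)


def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % FIELD
    return acc


def rs_encode(coeffs, n):
    """RS[n, k] codeword: evaluations of a degree-<k polynomial at the points 1..n."""
    return [poly_eval(coeffs, x) for x in range(1, n + 1)]


def lagrange_eval(xs, ys, x):
    """Value at x of the unique degree-<len(xs) polynomial through the points (xs, ys)."""
    total = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * (x - xj) % FIELD
                den = den * (xi - xj) % FIELD
        total = (total + yi * num * pow(den, -1, FIELD)) % FIELD
    return total


def is_codeword(word, k):
    """Membership in RS[n, k]: interpolate the first k symbols and test the other n-k."""
    xs, ys = list(range(1, k + 1)), word[:k]
    return all(word[j] == lagrange_eval(xs, ys, j + 1) for j in range(k, len(word)))


def combine(rows, r):
    """Prover side: the random linear combination sum_i r_i * rows[i]."""
    return [sum(ri * row[j] for ri, row in zip(r, rows)) % FIELD for j in range(len(rows[0]))]


def interleaved_test(U, k, t, rng, prover_response=None):
    """Verifier for the interleaved-code test on the prover's committed m x n matrix U.
    The honest prover answers with combine(U, r); prover_response(r) lets a cheating
    prover answer with anything else. After receiving w the verifier touches only the
    t columns it queries (in Ligero these are opened from a Merkle commitment)."""
    r = [rng.randrange(FIELD) for _ in range(len(U))]
    w = combine(U, r) if prover_response is None else prover_response(r)
    if not is_codeword(w, k):
        return False                      # the combination is not in the code
    for j in rng.sample(range(len(U[0])), t):
        if w[j] != sum(ri * row[j] for ri, row in zip(r, U)) % FIELD:
            return False                  # the combination is inconsistent with column j
    return True


def demo(seed=1):
    """(honest prover accepted, corrupted row caught by the codeword check,
    prover hiding the corrupted row behind a fresh codeword caught by the column checks)"""
    rng = random.Random(seed)
    m, n, k, t = 4, 16, 5, 6
    U = [rs_encode([rng.randrange(FIELD) for _ in range(k)], n) for _ in range(m)]
    honest_ok = interleaved_test(U, k, t, rng)
    bad = [row[:] for row in U]
    bad[2] = [rng.randrange(FIELD) for _ in range(n)]        # row 2 is no longer a codeword
    bad_caught = not interleaved_test(bad, k, t, rng)
    fake = rs_encode([rng.randrange(FIELD) for _ in range(k)], n)
    cheat_caught = not interleaved_test(bad, k, t, rng, prover_response=lambda r: fake)
    return honest_ok, bad_caught, cheat_caught


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The two failure modes are the ones the protocol has to cover: a prover that answers honestly from a bad matrix is caught because a random combination of codewords plus a non-zero multiple of a non-codeword is a non-codeword except with probability about 1/|F|, and a prover that substitutes a genuine codeword is caught because it disagrees with the true combination on almost every column, so each opened column detects it with probability close to 1.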


theory and application of cryptographic techniques | 2017

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation

Dan Boneh; Yuval Ishai; Amit Sahai; David J. Wu

Succinct non-interactive arguments (SNARGs) enable verifying NP computations with substantially lower complexity than that required for classical NP verification. In this work, we give the first lattice-based SNARG candidate with quasi-optimal succinctness (where the argument size is quasilinear in the security parameter). Further extension of our methods yields the first SNARG (from any assumption) that is quasi-optimal in terms of both prover overhead (polylogarithmic in the security parameter) as well as succinctness. Moreover, because our constructions are lattice-based, they plausibly resist quantum attacks. Central to our construction is a new notion of linear-only vector encryption which is a generalization of the notion of linear-only encryption introduced by Bitansky et al. (TCC 2013). We conjecture that variants of Regev encryption satisfy our new linear-only definition. Then, together with new information-theoretic approaches for building statistically-sound linear PCPs over small finite fields, we obtain the first quasi-optimal SNARGs.


international conference on the theory and application of cryptology and information security | 2017

Two-Message Witness Indistinguishability and Secure Computation in the Plain Model from New Assumptions

Saikrishna Badrinarayanan; Sanjam Garg; Yuval Ishai; Amit Sahai; Akshay Wadia

We study the feasibility of two-message protocols for secure two-party computation in the plain model, for functionalities that deliver output to one party, with security against malicious parties. Since known impossibility results rule out polynomial-time simulation in this setting, we consider the common relaxation of allowing super-polynomial simulation.


international cryptology conference | 2016

Secure Protocol Transformations

Yuval Ishai; Eyal Kushilevitz; Manoj Prabhakaran; Amit Sahai; Ching Hua Yu

In the rich literature of secure multi-party computation (MPC), several important results rely on protocol transformations, whereby protocols from one model of MPC are transformed to protocols from another model. Motivated by the goal of simplifying and unifying results in the area of MPC, we formalize a general notion of black-box protocol transformations that captures previous transformations from the literature as special cases, and present several new transformations. We motivate our study of protocol transformations by presenting the following applications.

Simplifying feasibility results:
- Easily rederive a result in Goldreich's book (2004), on MPC with full security in the presence of an honest majority, from an earlier result in the book, on MPC that offers security with abort.
- Rederive the classical result of Rabin and Ben-Or (1989) by applying a transformation to the simpler protocols of Ben-Or et al. or Chaum et al. (1988).

Efficiency improvements:
- The first constant-rate MPC protocol for a constant number of parties that offers full information-theoretic security with an optimal threshold, improving over the protocol of Rabin and Ben-Or;
- A fully secure MPC protocol with optimal threshold that improves over a previous protocol of Ben-Sasson et al. (2012) in the case of deep and narrow computations;
- A fully secure MPC protocol with near-optimal threshold that improves over a previous protocol of Damgard et al. (2010) by improving the dependence on the security parameter from linear to polylogarithmic;
- An efficient new transformation from passive-secure two-party computation in the OT-hybrid and OLE-hybrid model to zero-knowledge proofs, improving over a recent similar transformation of Hazay and Venkitasubramaniam (2016) for the case of static zero-knowledge, which is restricted to the OT-hybrid model and requires a large number of commitments.

Finally, we prove the impossibility of two simple types of black-box protocol transformations, including an unconditional variant of a previous negative result of Rosulek (2012) that relied on the existence of one-way functions.


theory of cryptography conference | 2016

Making the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits

Yuval Ishai; Mor Weiss; Guang Yang

A Probabilistically Checkable Proof (PCP) allows a randomized verifier, with oracle access to a purported proof, to probabilistically verify an input statement of the form "x ∈ L" by querying only few bits of the proof. A zero-knowledge PCP (ZKPCP) is a PCP with the additional guarantee that the view of any verifier querying a bounded number of proof bits can be efficiently simulated given the input x alone, where the simulated and actual views are statistically close.


theory and application of cryptographic techniques | 2018

Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs

Dan Boneh; Yuval Ishai; Amit Sahai; David J. Wu

Succinct non-interactive arguments (SNARGs) enable verifying NP computations with significantly less complexity than that required for classical NP verification. In this work, we focus on simultaneously minimizing the proof size and the prover complexity of SNARGs. Concretely, for a security parameter λ, we measure the asymptotic cost of achieving soundness error 2^{-λ} against provers of size 2^λ. We say a SNARG is quasi-optimally succinct if its proof length is Õ(λ), and that it is quasi-optimal if, moreover, its prover complexity is only polylogarithmically greater than the running time of the classical NP prover. We show that this definition is the best we could hope for assuming that NP does not have succinct proofs. Our definition strictly strengthens the previous notion of quasi-optimality introduced in the work of Boneh et al. (Eurocrypt 2017).

Collaboration



Top Co-Authors

Amit Sahai, University of California
Amos Beimel, Ben-Gurion University of the Negev
Mor Weiss, Technion – Israel Institute of Technology
Akshay Wadia, University of California
Daniel Genkin, University of Pennsylvania