IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
17 November 2020
Real World Crypto
The registration for RWC 2021 (virtual) is now open at https://rwc.iacr.org/2021/registration.php
Attendance is free but attendees are required to pay the IACR membership fee for 2022 if they have not already paid it (USD 50 for regular attendees and USD 25 for student attendee).
Attendance is free but attendees are required to pay the IACR membership fee for 2022 if they have not already paid it (USD 50 for regular attendees and USD 25 for student attendee).
The conference program is coming soon - talks will be roughly 4pm UTC - 7.30pm UTC on January 11-14.
George Mason University, USA
Job Posting
A Postdoc position is available on the areas Cryptography and/or Blockchain. Candidates with interests in one or both areas are encouraged to apply.
The starting date can be anytime in Spring or Summer of 2021.
For more information and to apply please contact Prof. Foteini Baldimtsi at foteini@gmu.edu
The starting date can be anytime in Spring or Summer of 2021.
For more information and to apply please contact Prof. Foteini Baldimtsi at foteini@gmu.edu
Closing date for applications:
Contact: Foteini Baldimtsi
15 November 2020
Election
The 2020 election was held to fill three of nine IACR Director positions. 719 votes have been cast. The results are below, with elected candidates marked in bold:
Directors:
Masayuki Abe: 384
Britta Hale: 222
Tancrède Lepoint: 352
Emmanuel Thomé : 212
Moti Yung : 345
Congratulations to all elected members and thank to you all candidates for your contributions to the IACR and willingness to serve.
Election verification data can be found at https://vote.heliosvoting.org/helios/e/IACR2020Election.
Directors:
Masayuki Abe: 384
Britta Hale: 222
Tancrède Lepoint: 352
Emmanuel Thomé : 212
Moti Yung : 345
Congratulations to all elected members and thank to you all candidates for your contributions to the IACR and willingness to serve.
Election verification data can be found at https://vote.heliosvoting.org/helios/e/IACR2020Election.
Kevin "Kenny" Niehage
ePrint Report
Nextcloud provides a server side encryption feature that is implemented by the Default Encryption Module. This paper presents cryptographic vulnerabilities that existed within the Default Encryption Module as well as other shortcomings that still need to be addressed. The vulnerabilities allowed an attacker to break the provided confidentiality and integrity protection guarantees. There is a high risk that ownCloud also contains some of the issues presented in this paper as it still has cryptographic code in common with Nextcloud.
Ravi Anand, Subhamoy Maitra, Arpita Maitra, Chandra Sekhar Mukherjee, Sourav Mukhopadhyay
ePrint Report
In this paper, we present a detailed study of the cost of the quantum key search attack using Grover. We consider the popular Feedback Shift Register (FSR) based ciphers Grain-128-AEAD, TinyJAMBU, LIZARD, and Grain-v1 considering the NIST's MAXDEPTH depth restriction. We design reversible quantum circuits for these ciphers and also provide the QISKIT implementations for estimating gate counts. Our results show that cryptanalysis is possible with gate count less than $2^{170}$. In this direction, we also study the scenario where initial keystreams may be discarded before using it for encryption so that the Grovers attack on key search becomes costly in terms of circuit repetition. Finally, we connect Grover with BSW sampling for stream ciphers with low sampling resistance. We implement this attack on LIZARD (secret key size of 120 bits, state 121 bits, and security equivalent to 80 bits) and successfully recover the internal states with $2^{40.5}$ queries to the cryptographic oracle and $ 2^{40} $ amount of data. Our results provide a clear view of the exact status of quantum cryptanalysis against FSR based symmetric ciphers.
11 November - 15 June 2021
Event Calendar
Event date: 11 November to 15 June 2021
Submission deadline: 15 June 2021
Notification: 30 June 2021
Submission deadline: 15 June 2021
Notification: 30 June 2021
Cambridge, USA, 2 December - 3 December 2020
Event Calendar
Event date: 2 December to 3 December 2020
Rhodes, Greece, 26 July - 28 July 2021
Event Calendar
Event date: 26 July to 28 July 2021
Submission deadline: 15 February 2021
Notification: 12 April 2021
Submission deadline: 15 February 2021
Notification: 12 April 2021
Michele Ciampi, Rafail Ostrovsky, Hendrik Waldner, Vassilis Zikas
ePrint Report
Typical approaches for minimizing the round complexity of multi-party computation (MPC) do so at the cost of increased communication complexity (CC) or reliance on setup assumptions. A notable exception is the recent work of Ananth et al. [TCC 2019], which used Functional Encryption (FE) combiners to obtain a round optimal (two-round) semi-honest MPC in the plain model with CC proportional to the depth and input-output length of the circuit being computed---we refer to such protocols as circuit scalable. This leaves open the question of obtaining communication efficient malicious security in the plain model which we answer in this work:
1) We provide a round-preserving black-box compiler that compiles a wide class of MPC protocols into a circuit-scalable maliciously secure MPC in the plain model, assuming a (succinct) FE combiner. By using our compiler with a round-optimal MPC, we derive the first round-optimal and circuit-scalable maliciously secure MPC in the plain model.
2) We provide a round-preserving black-box compiler that compiles a wide class of MPC protocols into a circuit-independent---i.e., with CC that depends only on the input-output length of the circuit---maliciously secure MPC in the plain model, assuming Multi-Key Fully-Homomorphic Encryption (MFHE). Again, by using this second compiler with a round-optimal MPC, we derive the first round-optimal and circuit-independent maliciously secure MPC in the plain model. This is the best to-date CC for a round-optimal malicious MPC protocol, which is even communication-optimal when the output size of the function being evaluated is smaller than its input size (e.g., for boolean functions).
Our compilers assume the existence of four-round maliciously secure oblivious transfer which can be obtained from standard cryptographic assumptions.
1) We provide a round-preserving black-box compiler that compiles a wide class of MPC protocols into a circuit-scalable maliciously secure MPC in the plain model, assuming a (succinct) FE combiner. By using our compiler with a round-optimal MPC, we derive the first round-optimal and circuit-scalable maliciously secure MPC in the plain model.
2) We provide a round-preserving black-box compiler that compiles a wide class of MPC protocols into a circuit-independent---i.e., with CC that depends only on the input-output length of the circuit---maliciously secure MPC in the plain model, assuming Multi-Key Fully-Homomorphic Encryption (MFHE). Again, by using this second compiler with a round-optimal MPC, we derive the first round-optimal and circuit-independent maliciously secure MPC in the plain model. This is the best to-date CC for a round-optimal malicious MPC protocol, which is even communication-optimal when the output size of the function being evaluated is smaller than its input size (e.g., for boolean functions).
Our compilers assume the existence of four-round maliciously secure oblivious transfer which can be obtained from standard cryptographic assumptions.
Michael John Jacobson Jr., Prabhat Kushwaha
ePrint Report
We describe a novel type of weak cryptographic private key that can exist in any discrete logarithm based
public-key cryptosystem set in a group of prime order $p$ where $p-1$ has small divisors.
Unlike the weak private keys based on numerical size (such as smaller private keys, or private keys lying in an interval) that will always exist in any DLP cryptosystems, our type of weak private keys occurs purely due to parameter choice of $p$, and hence, can be removed with appropriate value of $p$.
Using the theory of implicit group representations, we present algorithms that can determine whether a key
is weak, and if so, recover the private key from the corresponding public key.
We analyze several elliptic curves proposed in the literature and in various standards, giving counts
of the number of keys that can be broken with relatively small amounts of computation. Our results show
that many of these curves, including some from standards, have a considerable number of such weak private keys.
We also use our methods to show that none of the 14 outstanding Certicom Challenge problem instances are
weak in our sense, up to a certain weakness bound.
Alessandra Scafuro, Luisa Siniscalchi, Ivan Visconti
ePrint Report
In TCC 2017 Goyal and Goyal proposed the first -- and currently only-- construction of a publicly verifiable zero-knowledge (pvZK) proof system that leverages a blockchain as a setup assumption. Such construction can be instantiated only through proof-of-stake blockchains and presents a few more limitations and assumptions: (1) the adversary can only perform
static corruption of the stakeholders, (2) keys of the stakeholders must also allow for encryption, and (3) honest stakeholders must never leak their secret keys (even when no stake is left with respect to those keys).
In this work, we first show that, even if all the above limitations/assumptions hold, a malicious verifier could still violate the zero-knowledge property by leveraging smart contracts. We show an ``attack of the clones'' that allows a malicious verifier to clone some of the stakeholder capabilities via a smart contract that is designed after the proof is received from the prover. This leaves open the question of constructing publicly verifiable zero-knowledge proofs from blockchains. Moreover, it raises the issue of using blockchains as setup assumptions since they evolve over time and could even become unreliable in the future. Then, we provide a publicly verifiable zero-knowledge proof system, based on any blockchain (i.e., not only proof-of-stake) that, very roughly, satisfies the following unpredictability property. Sufficiently many future honest blocks added to the blockchain contain a high min-entropy string in a specific location (e.g., a new wallet for cashing the mining reward). Our proof system is secure against a verifier/prover that can corrupt blockchain players adaptively. In particular, it remains zero knowledge even if the blockchain eventually collapses and all blockchain players are controlled by the zero-knowledge adversary.
In this work, we first show that, even if all the above limitations/assumptions hold, a malicious verifier could still violate the zero-knowledge property by leveraging smart contracts. We show an ``attack of the clones'' that allows a malicious verifier to clone some of the stakeholder capabilities via a smart contract that is designed after the proof is received from the prover. This leaves open the question of constructing publicly verifiable zero-knowledge proofs from blockchains. Moreover, it raises the issue of using blockchains as setup assumptions since they evolve over time and could even become unreliable in the future. Then, we provide a publicly verifiable zero-knowledge proof system, based on any blockchain (i.e., not only proof-of-stake) that, very roughly, satisfies the following unpredictability property. Sufficiently many future honest blocks added to the blockchain contain a high min-entropy string in a specific location (e.g., a new wallet for cashing the mining reward). Our proof system is secure against a verifier/prover that can corrupt blockchain players adaptively. In particular, it remains zero knowledge even if the blockchain eventually collapses and all blockchain players are controlled by the zero-knowledge adversary.
Ran Canetti, Oxana Poburinnaya
ePrint Report
Incoercible multi-party computation (Canetti-Gennaro ’96) allows parties to engage in secure computation with the additional guarantee that the public transcript of the computation cannot be used by a coercive outsider to verify representations made by the parties regarding their inputs, outputs, and local random choices. That is, it is guaranteed that the only deductions regarding the truthfulness of such representations, made by an outsider who has witnessed the communication among the parties, are the ones that can be drawn just from the represented inputs and outputs alone.
To date, all incoercible secure computation protocols withstand coercion of only a fraction of the parties, or else assume that all parties use an execution environment that makes some crucial parts of their local states physically inaccessible even to themselves.
We consider, for the first time, the setting where all parties are coerced, and the coercer expects to see the entire history of the computation. We allow both protocol participants and external attackers to access a common reference string which is generated once and for all by an uncorruptable trusted party. In this setting we construct:
- A general multi-party function evaluation protocol, for any number of parties, that withstands coercion of all parties, as long as all parties use the prescribed ``faking algorithm'' upon coercion. This holds even if the inputs and outputs represented by coerced parties are globally inconsistent with the evaluated function.
- A general two-party function evaluation protocol that withstands even the %``mixed'' case where some of the coerced parties do follow the prescribed faking algorithm. (For instance, these parties might collude with the coercer and disclose their true local states.) This protocol is limited to functions where the input of at least one of the parties is taken from a small (poly-size) domain. It uses fully deniable encryption with public deniability for one of the parties; when instantiated using the fully deniable encryption of Canetti, Park, and Poburinnaya (Crypto'20), it takes 3 rounds of communication.
Both protocols operate in the common reference string model, and use fully bideniable encryption (Canetti Park and Poburinnaya, Crypto'20) and sub-sexponential indistiguishability obfuscation. Finally, we show that protocols with certain communication pattern cannot be incoercible, even in a weaker setting where only some parties are coerced.
We consider, for the first time, the setting where all parties are coerced, and the coercer expects to see the entire history of the computation. We allow both protocol participants and external attackers to access a common reference string which is generated once and for all by an uncorruptable trusted party. In this setting we construct:
- A general multi-party function evaluation protocol, for any number of parties, that withstands coercion of all parties, as long as all parties use the prescribed ``faking algorithm'' upon coercion. This holds even if the inputs and outputs represented by coerced parties are globally inconsistent with the evaluated function.
- A general two-party function evaluation protocol that withstands even the %``mixed'' case where some of the coerced parties do follow the prescribed faking algorithm. (For instance, these parties might collude with the coercer and disclose their true local states.) This protocol is limited to functions where the input of at least one of the parties is taken from a small (poly-size) domain. It uses fully deniable encryption with public deniability for one of the parties; when instantiated using the fully deniable encryption of Canetti, Park, and Poburinnaya (Crypto'20), it takes 3 rounds of communication.
Both protocols operate in the common reference string model, and use fully bideniable encryption (Canetti Park and Poburinnaya, Crypto'20) and sub-sexponential indistiguishability obfuscation. Finally, we show that protocols with certain communication pattern cannot be incoercible, even in a weaker setting where only some parties are coerced.
Liran Katzir, Clara Shikhelman, Eylon Yogev
ePrint Report
We consider interactive proofs for social graphs, where the verifier has only oracle access to the graph and can query for the $i^{th}$ neighbor of a vertex $v$, given $i$ and $v$. In this model, we construct a doubly-efficient public-coin two-message interactive protocol for estimating the size of the graph to within a multiplicative factor $\epsilon>0$. The verifier performs $\tilde{O}(1/\epsilon^2 \cdot \tau_{mix} \cdot \Delta)$ queries to the graph, where $\tau_{mix}$ is the mixing time of the graph and $\Delta$ is the average degree of the graph. The prover runs in quasi-linear time in the number of nodes in the graph.
Furthermore, we develop a framework for computing the quantiles of essentially any (reasonable) function $f$ of vertices/edges of the graph. Using this framework, we can estimate many health measures of social graphs such as the clustering coefficients and the average degree, where the verifier performs only a small number of queries to the graph.
Using the Fiat-Shamir paradigm, we are able to transform the above protocols to a non-interactive argument in the random oracle model. The result is that social media companies (e.g., Facebook, Twitter, etc.) can publish, once and for all, a short proof for the size or health of their social network. This proof can be publicly verified by any single user using a small number of queries to the graph.
Furthermore, we develop a framework for computing the quantiles of essentially any (reasonable) function $f$ of vertices/edges of the graph. Using this framework, we can estimate many health measures of social graphs such as the clustering coefficients and the average degree, where the verifier performs only a small number of queries to the graph.
Using the Fiat-Shamir paradigm, we are able to transform the above protocols to a non-interactive argument in the random oracle model. The result is that social media companies (e.g., Facebook, Twitter, etc.) can publish, once and for all, a short proof for the size or health of their social network. This proof can be publicly verified by any single user using a small number of queries to the graph.
Shweta Agrawal, Shota Yamada
ePrint Report
The celebrated work of Gorbunov, Vaikuntanathan and Wee provided the first key policy attribute based encryption scheme (ABE) for circuits from the Learning With Errors (LWE) assumption. However, the arguably more natural ciphertext policy variant has remained elusive, and is a central primitive not yet known from LWE.
In this work, we construct the first symmetric key ciphertext policy attribute based encryption scheme (CP-ABE) for all polynomial sized circuits from the learning with errors (LWE) assumption. In more detail, the ciphertext for a message $m$ is labelled with an access control policy $f$, secret keys are labelled with public attributes $x$ from the domain of $f$ and decryption succeeds to yield the hidden message $m$ if and only if $f(x)=1$. The size of our public and secret key do not depend on the size of the circuits supported by the scheme -- this enables our construction to support circuits of unbounded size (but bounded depth). Our construction is secure against collusions of unbounded size. We note that current best CP-ABE schemes [BSW07,Wat11,LOSTW10,OT10,LW12,RW13,Att14,Wee14,AHY15,CGW15,AC17,KW19] rely on pairings and only support circuits in the class NC1 (albeit in the public key setting).
We adapt our construction to the public key setting for the case of bounded size circuits. The size of the ciphertext and secret key as well as running time of encryption, key generation and decryption satisfy the efficiency properties desired from CP-ABE, assuming that all algorithms have RAM access to the public key. However, the running time of the setup algorithm and size of the public key depends on the circuit size bound, restricting the construction to support circuits of a-priori bounded size. We remark that the inefficiency of setup is somewhat mitigated by the fact that setup must only be run once.
We generalize our construction to consider attribute and function hiding. The compiler of lockable obfuscation upgrades any attribute based encryption scheme to predicate encryption, i.e. with attribute hiding [GKW17,WZ17]. Since lockable obfuscation can be constructed from LWE, we achieve ciphertext policy predicate encryption immediately. For function privacy, we show that the most natural notion of function hiding ABE for circuits, even in the symmetric key setting, is sufficient to imply indistinguishability obfuscation. We define a suitable weakening of function hiding to sidestep the implication and provide a construction to achieve this notion for both the key policy and ciphertext policy case. Previously, the largest function class for which function private predicate encryption (supporting unbounded keys) could be achieved was inner product zero testing, by Shen, Shi and Waters [SSW09].
In this work, we construct the first symmetric key ciphertext policy attribute based encryption scheme (CP-ABE) for all polynomial sized circuits from the learning with errors (LWE) assumption. In more detail, the ciphertext for a message $m$ is labelled with an access control policy $f$, secret keys are labelled with public attributes $x$ from the domain of $f$ and decryption succeeds to yield the hidden message $m$ if and only if $f(x)=1$. The size of our public and secret key do not depend on the size of the circuits supported by the scheme -- this enables our construction to support circuits of unbounded size (but bounded depth). Our construction is secure against collusions of unbounded size. We note that current best CP-ABE schemes [BSW07,Wat11,LOSTW10,OT10,LW12,RW13,Att14,Wee14,AHY15,CGW15,AC17,KW19] rely on pairings and only support circuits in the class NC1 (albeit in the public key setting).
We adapt our construction to the public key setting for the case of bounded size circuits. The size of the ciphertext and secret key as well as running time of encryption, key generation and decryption satisfy the efficiency properties desired from CP-ABE, assuming that all algorithms have RAM access to the public key. However, the running time of the setup algorithm and size of the public key depends on the circuit size bound, restricting the construction to support circuits of a-priori bounded size. We remark that the inefficiency of setup is somewhat mitigated by the fact that setup must only be run once.
We generalize our construction to consider attribute and function hiding. The compiler of lockable obfuscation upgrades any attribute based encryption scheme to predicate encryption, i.e. with attribute hiding [GKW17,WZ17]. Since lockable obfuscation can be constructed from LWE, we achieve ciphertext policy predicate encryption immediately. For function privacy, we show that the most natural notion of function hiding ABE for circuits, even in the symmetric key setting, is sufficient to imply indistinguishability obfuscation. We define a suitable weakening of function hiding to sidestep the implication and provide a construction to achieve this notion for both the key policy and ciphertext policy case. Previously, the largest function class for which function private predicate encryption (supporting unbounded keys) could be achieved was inner product zero testing, by Shen, Shi and Waters [SSW09].
Huijia Lin, Tianren Liu, Hoeteck Wee
ePrint Report
We present simpler and improved constructions of 2-round protocols for secure multi-party computation (MPC) in the semi-honest setting. Our main results are new information-theoretically secure protocols for arithmetic NC1 in two settings:
(i) the plain model tolerating up to $t < n/2$ corruptions; and
(ii) in the OLE-correlation model tolerating any number of corruptions.
Our protocols achieve adaptive security and require only black-box access to the underlying field, whereas previous results only achieve static security and require non-black-box field access. Moreover, both results extend to polynomial-size circuits with computational and adaptive security, while relying on black-box access to a pseudorandom generator. In the OLE correlation model, the extended protocols for circuits tolerate up to $n-1$ corruptions.
Along the way, we introduce a conceptually novel framework for 2-round MPC that does not rely on the round collapsing framework underlying all of the recent advances in 2-round MPC.
Dana Dachman-Soled
ePrint Report
We investigate fairness in secure multiparty computation when the number of parties $n = poly(\lambda)$ grows polynomially in the security parameter, $\lambda$. Prior to this work, efficient protocols achieving fairness with no honest majority and polynomial number of parties were known only for the AND and OR functionalities (Gordon and Katz, TCC'09).
We show the following:
--We first consider symmetric Boolean functions $F : \{0,1\}^n \to \{0,1\}$, where the underlying function $f_{n/2,n/2}: \{0, \ldots, n/2\} \times \{0, \ldots, n/2\} \to \{0,1\}$ can be computed fairly and efficiently in the $2$-party setting. We present an efficient protocol for any such $F$ tolerating $n/2$ or fewer corruptions, for $n = poly(\lambda)$ number of parties.
--We present an efficient protocol for $n$-party majority tolerating $n/2+1$ or fewer corruptions, for $n = poly(\lambda)$ number of parties. The construction extends to $n/2+c$ or fewer corruptions, for constant $c$.
--We extend both of the above results to more general types of adversarial structures and present instantiations of non-threshold adversarial structures of these types. These instantiations are obtained via constructions of projective planes and combinatorial designs.
--We first consider symmetric Boolean functions $F : \{0,1\}^n \to \{0,1\}$, where the underlying function $f_{n/2,n/2}: \{0, \ldots, n/2\} \times \{0, \ldots, n/2\} \to \{0,1\}$ can be computed fairly and efficiently in the $2$-party setting. We present an efficient protocol for any such $F$ tolerating $n/2$ or fewer corruptions, for $n = poly(\lambda)$ number of parties.
--We present an efficient protocol for $n$-party majority tolerating $n/2+1$ or fewer corruptions, for $n = poly(\lambda)$ number of parties. The construction extends to $n/2+c$ or fewer corruptions, for constant $c$.
--We extend both of the above results to more general types of adversarial structures and present instantiations of non-threshold adversarial structures of these types. These instantiations are obtained via constructions of projective planes and combinatorial designs.
Matthew M. Hong, Yuval Ishai, Victor I. Kolobov, Russell W. F. Lai
ePrint Report
Information-theoretic private information retrieval (PIR) schemes have attractive concrete efficiency features. However, in the standard PIR model, the computational complexity of the servers must scale linearly with the database size.
We study the possibility of bypassing this limitation in the case where the database is a truth table of a "simple" function, such as a union of (multi-dimensional) intervals or convex shapes, a decision tree, or a DNF formula. This question is motivated by the goal of obtaining lightweight homomorphic secret sharing (HSS) schemes and secure multiparty computation (MPC) protocols for the corresponding families.
We obtain both positive and negative results. For "first-generation" PIR schemes based on Reed-Muller codes, we obtain computational shortcuts for the above function families, with the exception of DNF formulas for which we show a (conditional) hardness result. For "third-generation" PIR schemes based on matching vectors, we obtain stronger hardness results that apply to all of the above families.
Our positive results yield new information-theoretic HSS schemes and MPC protocols with attractive efficiency features for simple but useful function families. Our negative results establish new connections between information-theoretic cryptography and fine-grained complexity.
We study the possibility of bypassing this limitation in the case where the database is a truth table of a "simple" function, such as a union of (multi-dimensional) intervals or convex shapes, a decision tree, or a DNF formula. This question is motivated by the goal of obtaining lightweight homomorphic secret sharing (HSS) schemes and secure multiparty computation (MPC) protocols for the corresponding families.
We obtain both positive and negative results. For "first-generation" PIR schemes based on Reed-Muller codes, we obtain computational shortcuts for the above function families, with the exception of DNF formulas for which we show a (conditional) hardness result. For "third-generation" PIR schemes based on matching vectors, we obtain stronger hardness results that apply to all of the above families.
Our positive results yield new information-theoretic HSS schemes and MPC protocols with attractive efficiency features for simple but useful function families. Our negative results establish new connections between information-theoretic cryptography and fine-grained complexity.
Dakshita Khurana, Muhammad Haris Mughees
ePrint Report
There has been a large body of work characterizing the round complexity of general-purpose maliciously secure two-party computation (2PC) against probabilistic polynomial time adversaries. This is particularly true for zero-knowledge, which is a special case of 2PC. In fact, in the special case of zero knowledge, optimal protocols with unconditional security against one of the two players have also been meticulously studied and constructed.
On the other hand, general-purpose maliciously secure 2PC with statistical or unconditional security against one of the two participants has remained largely unexplored so far. In this work, we initiate the study of such protocols, which we refer to as 2PC with one-sided statistical security. We settle the round complexity of 2PC with one-sided statistical security with respect to black-box simulation by obtaining the following tight results: In a setting where only one party obtains an output, we design 2PC in $4$ rounds with statistical security against receivers and computational security against senders. In a setting where both parties obtain outputs, we design 2PC in $5$ rounds with computational security against the party that obtains output first and statistical security against the party that obtains output last.
Katz and Ostrovsky (CRYPTO 2004) showed that 2PC with black-box simulation requires at least $4$ rounds when one party obtains an output and $5$ rounds when both parties obtain outputs, even when only computational security is desired against both parties. Thus in these settings, not only are our results tight, but they also show that statistical security is achievable at no extra cost to round complexity. This still leaves open the question of whether 2PC can be achieved with black-box simulation in $4$ rounds with statistical security against senders and computational security against receivers. Based on a lower bound on computational zero-knowledge proofs due to Katz (TCC 2008), we observe that the answer is negative unless the polynomial hierarchy collapses.
On the other hand, general-purpose maliciously secure 2PC with statistical or unconditional security against one of the two participants has remained largely unexplored so far. In this work, we initiate the study of such protocols, which we refer to as 2PC with one-sided statistical security. We settle the round complexity of 2PC with one-sided statistical security with respect to black-box simulation by obtaining the following tight results: In a setting where only one party obtains an output, we design 2PC in $4$ rounds with statistical security against receivers and computational security against senders. In a setting where both parties obtain outputs, we design 2PC in $5$ rounds with computational security against the party that obtains output first and statistical security against the party that obtains output last.
Katz and Ostrovsky (CRYPTO 2004) showed that 2PC with black-box simulation requires at least $4$ rounds when one party obtains an output and $5$ rounds when both parties obtain outputs, even when only computational security is desired against both parties. Thus in these settings, not only are our results tight, but they also show that statistical security is achievable at no extra cost to round complexity. This still leaves open the question of whether 2PC can be achieved with black-box simulation in $4$ rounds with statistical security against senders and computational security against receivers. Based on a lower bound on computational zero-knowledge proofs due to Katz (TCC 2008), we observe that the answer is negative unless the polynomial hierarchy collapses.
Alessandro Chiesa, Eylon Yogev
ePrint Report
We establish barriers on the efficiency of succinct arguments in the random oracle model. We give evidence that, under standard complexity assumptions, there do not exist succinct arguments where the argument verifier makes a small number of queries to the random oracle.
The new barriers follow from new insights into how probabilistic proofs play a fundamental role in constructing succinct arguments in the random oracle model.
*IOPs are necessary for succinctness.* We prove that any succinct argument in the random oracle model can be transformed into a corresponding interactive oracle proof (IOP). The query complexity of the IOP is related to the succinctness of the argument. *Algorithms for IOPs.* We prove that if a language has an IOP with good soundness relative to query complexity, then it can be decided via a fast algorithm with small space complexity.
By combining these results we obtain barriers for a large class of deterministic and non-deterministic languages. For example, a succinct argument for 3SAT with few verifier queries implies an IOP with good parameters, which in turn implies a fast algorithm for 3SAT that contradicts the Exponential-Time Hypothesis.
We additionally present results that shed light on the necessity of several features of probabilistic proofs that are typically used to construct succinct arguments, such as holography and state restoration soundness. Our results collectively provide an explanation for "why" known constructions of succinct arguments have a certain structure.
The new barriers follow from new insights into how probabilistic proofs play a fundamental role in constructing succinct arguments in the random oracle model.
*IOPs are necessary for succinctness.* We prove that any succinct argument in the random oracle model can be transformed into a corresponding interactive oracle proof (IOP). The query complexity of the IOP is related to the succinctness of the argument. *Algorithms for IOPs.* We prove that if a language has an IOP with good soundness relative to query complexity, then it can be decided via a fast algorithm with small space complexity.
By combining these results we obtain barriers for a large class of deterministic and non-deterministic languages. For example, a succinct argument for 3SAT with few verifier queries implies an IOP with good parameters, which in turn implies a fast algorithm for 3SAT that contradicts the Exponential-Time Hypothesis.
We additionally present results that shed light on the necessity of several features of probabilistic proofs that are typically used to construct succinct arguments, such as holography and state restoration soundness. Our results collectively provide an explanation for "why" known constructions of succinct arguments have a certain structure.
Jonathan Bootle, Alessandro Chiesa, Jens Groth
ePrint Report
Minimizing the computational cost of the prover is a central goal in the area of succinct arguments. In particular, it remains a challenging open problem to construct a succinct argument where the prover runs in linear time and the verifier runs in polylogarithmic time.
We make progress towards this goal by presenting a new linear-time probabilistic proof. For any fixed $\epsilon > 0$, we construct an interactive oracle proof (IOP) that, when used for the satisfiability of an $N$-gate arithmetic circuit, has a prover that uses $O(N)$ field operations and a verifier that uses $O(N^{\epsilon})$ field operations. The sublinear verifier time is achieved in the holographic setting for every circuit (the verifier has oracle access to a linear-size encoding of the circuit that is computable in linear time).
When combined with a linear-time collision-resistant hash function, our IOP immediately leads to an argument system where the prover performs $O(N)$ field operations and hash computations, and the verifier performs $O(N^{\epsilon})$ field operations and hash computations (given a short digest of the $N$-gate circuit).
We make progress towards this goal by presenting a new linear-time probabilistic proof. For any fixed $\epsilon > 0$, we construct an interactive oracle proof (IOP) that, when used for the satisfiability of an $N$-gate arithmetic circuit, has a prover that uses $O(N)$ field operations and a verifier that uses $O(N^{\epsilon})$ field operations. The sublinear verifier time is achieved in the holographic setting for every circuit (the verifier has oracle access to a linear-size encoding of the circuit that is computable in linear time).
When combined with a linear-time collision-resistant hash function, our IOP immediately leads to an argument system where the prover performs $O(N)$ field operations and hash computations, and the verifier performs $O(N^{\epsilon})$ field operations and hash computations (given a short digest of the $N$-gate circuit).