## CryptoDB

### Marshall Ball

#### Publications

**Year**

**Venue**

**Title**

2024

EUROCRYPT

Non-malleable codes with optimal rate for poly-size circuits
Abstract

We give an explicit construction of non-malleable codes with rate $1-o(1)$ for the tampering class of poly-size circuits. This rate is optimal, and improves upon the previous explicit construction of Ball, Dachman-Soled and Loss \cite{BDL22} which achieves a rate smaller than $\frac{1}{n}$. Our codes are based on the same hardness assumption used by Ball, Dachman-Soled and Loss, namely, that there exists a problem in $\text{E}=\text{DTIME}(2^{O(n)})$ that requires nondeterministic circuits of size $2^{\Omega(n)}$. This is a standard complexity theoretic assumption that was used in many papers in complexity theory and cryptography, and can be viewed as a scaled, nonuniform version of the widely believed assumption that $\text{EXP} \not \subseteq \text{NP}$. Our result is incomparable to that of Ball, Dachman-Soled and Loss, as we only achieve computational (rather than statistical) security. Non-malleable codes with Computational security (with lower error than what we get) were obtained by \cite{BDKLM19,DKP21} under strong cryptographic assumptions. We show that our approach can potentially yield statistical security if certain explicit constructions of pseudorandom objects can be improved.
By composing our new non-malleable codes with standard (information theoretic) error-correcting codes (that recover from a $p$ fraction of errors) we achieve the \emph{best of both worlds}. Namely, we achieve explicit codes that recover from a $p$-fraction of errors and have the same rate as the best known explicit information theoretic codes, while \emph{also} being non-malleable for poly-size circuits.
Moreover, if we restrict our attention to errors that are introduced by poly-size circuits, we can achieve best of both worlds codes with rate $1-H(p)$. This is superior to the rate achieved by standard (information theoretic) error-correcting codes, and this result is obtained by composing our new non-malleable codes with the recent codes of Shaltiel and Silbak \cite{SS23}.
Our technique combines ideas from non-malleable codes and pseudorandomness. We show how to take a low rate ``small set non-malleable code (this is a variant of non-malleable codes with a different notion of security that was introduced by Shaltiel and Silbak \cite{SS22}) and compile it into a (standard) high-rate non-malleable code. Using small set non-malleable codes (as well as seed-extending PRGs) bypasses difficulties that arise when analysing standard non-malleable codes, and allows us to use a simple construction.

2024

CRYPTO

Towards Permissionless Consensus in the Standard Model via Fine-Grained Complexity
Abstract

We investigate the feasibility of {\em permissionless} consensus (aka Byzantine agreement) under standard assumptions.
A number of protocols have been proposed to achieve permissionless consensus, most notably based on the Bitcoin protocol; however, to date no protocol is known that can be provably instantiated outside of the random oracle model.
In this work, we take the first steps towards achieving permissionless consensus in the standard model. In particular, we demonstrate that worst-case conjectures in fine-grained complexity, in particular the orthogonal vectors conjecture (implied by the Strong Exponential Time Hypothesis),
imply permissionless consensus in the random beacon model---a setting where a fresh random value is delivered to all parties at regular intervals. This gives a remarkable win-win result: \emph{either permissionless
consensus exists relative to a random beacon, or there are non-trivial worst-case algorithmic speed-ups for a host of natural algorithmic problems} (including $\mathsf{SAT}$).
Our protocol achieves resilience against adversaries that control an inverse-polynomial fraction of the honest computational power, i.e.,~adversarial power $A=T^{1-\epsilon}$ for some constant $\epsilon>0$, where $T$ denotes the honest computational power. This relatively low threshold is a byproduct of the slack in the fine-grained complexity conjectures.
One technical highlight is the construction of a \emph{Seeded Proof of Work}: a Proof of Work where many (correlated) challenges can be derived from a single short \emph{public} seed, and yet still no non-trivial amortization is possible.

2023

EUROCRYPT

New Ways to Garble Arithmetic Circuits
Abstract

The beautiful work of Applebaum, Ishai, and Kushileviz [FOCS’11]
initiated the study of arithmetic variants of Yao’s garbled
circuits. An arithmetic garbling scheme is an efficient transformation
that converts an arithmetic circuit C : Rn → Rm over a ring R into a
garbled circuit \widehat{C} and n affine functions Li for i ∈ [n],
such that \widehat{C} and Li(xi) reveals only the output C(x) and no
other information of x. AIK presented the first arithmetic garbling
scheme supporting computation over integers from a bounded (possibly
exponentially large) range, based on Learning With Errors (LWE). In
contrast, converting C into a Boolean circuit and applying Yao’s
garbled circuit treat the inputs as bit strings instead of ring
elements, and hence is not “arithmetic”.
In this work, we present new ways to garble arithmetic circuits, which
improve the state-of-the-art on efficiency, modularity, and
functionality. To measure efficiency, we define the rate of a garbling
scheme as the maximal ratio between the bit-length of the garbled
circuit |\widehat{C}| and that of the computation tableau |C|ℓ in the
clear, where ℓ is the bit length of wire values (e.g., Yao’s garbled
circuit has rate O(λ)).
– We present the first constant-rate arithmetic garbled circuit for
computation over large integers based on the Decisional Composite
Residuosity (DCR) assumption, significantly improving the efficiency
of the schemes of Applebaum, Ishai, and Kushilevitz.
– We construct an arithmetic garbling scheme for modular computation
over R = Zp for any integer modulus p, based on either DCR or LWE. The
DCR-based instantiation achieves rate O(λ) for large p. Furthermore,
our construction is modular and makes black-box use of the underlying
ring and a simple key extension gadget.
– We describe a variant of the first scheme supporting arithmetic
circuits over bounded integers that are augmented with Boolean
computation (e.g., truncation of an integer value, and comparison
between two values), while keeping the constant rate when garbling the
arithmetic part.
To the best of our knowledge, constant-rate (Boolean or arithmetic)
garbling were only achieved before using the powerful primitive of
indistinguishability obfuscation, or for restricted circuits with
small depth.

2023

TCC

Towards Topology-Hiding Computation from Oblivious Transfer
Abstract

Topology-Hiding Computation (THC) enables parties to securely compute a function on an incomplete network without revealing the network topology. It is known that secure computation on a complete network can be based on oblivious transfer (OT), even if a majority of the participating parties are corrupt. In contrast, THC in the dishonest majority setting is only known from assumptions that imply (additively) homomorphic encryption, such as Quadratic Residuosity, Decisional Diffie-Hellman, or Learning With Errors.
In this work we move towards closing the gap between MPC and THC by presenting a protocol for THC on general graphs secure against all-but-one semi-honest corruptions from constant-round constant-overhead secure two-party computation. Our protocol is therefore the first to achieve THC on arbitrary networks without relying on assumptions with rich algebraic structure. As a technical tool, we introduce the notion of locally simulatable MPC, which we believe to be of independent interest.

2023

TCC

Immunizing Backdoored PRGs
Abstract

A backdoored Pseudorandom Generator (PRG) is a PRG
which looks pseudorandom to the outside world, but a saboteur can break
PRG security by planting a backdoor into a seemingly honest choice of
public parameters, pk, for the system. Backdoored PRGs became increas-
ingly important due to revelations about NIST’s backdoored Dual EC
PRG, and later results about its practical exploitability.
Motivated by this, at Eurocrypt’15 Dodis et al. [20] initiated the ques-
tion of immunizing backdoored PRGs. A k-immunization scheme repeat-
edly applies a post-processing function to the output of k backdoored
PRGs, to render any (unknown) backdoors provably useless. For k = 1,
[20] showed that no deterministic immunization is possible, but then
constructed “seeded” 1-immunizer either in the random oracle model,
or under strong non-falsifiable assumptions. As our first result, we show
that no seeded 1-immunization scheme can be black-box reduced to any
efficiently falsifiable assumption.
This motivates studying k-immunizers for k ≥ 2, which have an ad-
ditional advantage of being deterministic (i.e., “seedless”). Indeed, prior
work at CCS’17 [35] and CRYPTO’18 [7] gave supporting evidence that
simple k-immunizers might exist, albeit in slightly different settings. Un-
fortunately, we show that simple standard model proposals of
[35,7]
(including the XOR function [7]) provably do not work in our setting.
On a positive, we confirm the intuition of [35] that a (seedless) random
oracle is a provably secure 2-immunizer. On a negative, no (seedless)
2-immunization scheme can be black-box reduced to any efficiently falsi-
fiable assumption, at least for a large class of natural 2-immunizers which
includes all “cryptographic hash functions.”
In summary, our results show that k-immunizers occupy a peculiar
place in the cryptographic world. While they likely exist, and can be
made practical and efficient, it is unlikely one can reduce their security
to a “clean” standard-model assumption.

2023

JOFC

Topology-Hiding Communication from Minimal Assumptions
Abstract

Topology-hiding broadcast ( THB ) enables parties communicating over an incomplete network to broadcast messages while hiding the topology from within a given class of graphs. THB is a central tool underlying general topology-hiding secure computation ( THC ) (Moran et al. TCC’15). Although broadcast is a privacy-free task, it was recently shown that THB for certain graph classes necessitates computational assumptions, even in the semi-honest setting, and even given a single corrupted party. In this work, we investigate the minimal assumptions required for topology-hiding communication: both Broadcast or Anonymous Broadcast (where the broadcaster’s identity is hidden). We develop new techniques that yield a variety of necessary and sufficient conditions for the feasibility of THB / THAB in different cryptographic settings: information theoretic, given existence of key agreement, and given existence of oblivious transfer. Our results show that feasibility can depend on various properties of the graph class, such as connectivity , and highlight the role of different properties of topology when kept hidden, including direction , distance , and/or distance-of-neighbors to the broadcaster. An interesting corollary of our results is a dichotomy for THC with a public number of at least three parties, secure against one corruption: information-theoretic feasibility if all graphs are 2-connected; necessity and sufficiency of key agreement otherwise.

2022

CRYPTO

(Nondeterministic) Hardness vs. Non-Malleability
📺
Abstract

We present the first truly explicit constructions of \emph{non-malleable codes} against tampering by bounded polynomial size circuits. These objects imply unproven circuit lower bounds and our construction is secure provided $\Eclass$ requires exponential size nondeterministic circuits, an assumption from the derandomization literature.
Prior works on NMC for polysize circuits, either required an untamperable CRS [Cheraghchi, Guruswami ITCS'14; Faust, Mukherjee, Venturi, Wichs EUROCRYPT'14] or very strong cryptographic assumptions [Ball, Dachman-Soled, Kulkarni, Lin, Malkin EUROCRYPT'18; Dachman-Soled, Komargodski, Pass CRYPTO'21]. Both of works in the latter category only achieve non-malleability with respect to efficient distinguishers and, more importantly, utilize cryptographic objects for which no provably secure instantiations are known outside the random oracle model. In this sense, none of the prior yields fully explicit codes from non-heuristic assumptions. Our assumption is not known to imply the existence of one-way functions, which suggests that cryptography is unnecessary for non-malleability against this class.
Technically, security is shown by \emph{non-deterministically} reducing polynomial size tampering to split-state tampering. The technique is general enough that it allows us to to construct the first \emph{seedless non-malleable extractors} [Cheraghchi, Guruswami TCC'14] for sources sampled by polynomial size circuits [Trevisan, Vadhan FOCS'00] (resp.~recognized by polynomial size circuits [Shaltiel CC'11]) and tampered by polynomial size circuits. Our construction is secure assuming $\Eclass$ requires exponential size $\Sigma_4$-circuits (resp. $\Sigma_3$-circuits), this assumption is the state-of-the-art for extracting randomness from such sources (without non-malleability).
Several additional results are included in the full version of this paper [Eprint 2022/070].
First, we observe that non-malleable codes and non-malleable secret sharing [Goyal, Kumar STOC'18] are essentially equivalent with respect to polynomial size tampering. In more detail, assuming $\Eclass$ is hard for exponential size nondeterministic circuits, any efficient secret sharing scheme can be made non-malleable against polynomial size circuit tampering.
Second, we observe that the fact that our constructions only achieve inverse polynomial (statistical) security is inherent. Extending a result from [Applebaum, Artemenko, Shaltiel, Yang CC'16] we show it is impossible to do better using black-box reductions. However, we extend the notion of relative error from [Applebaum, Artemenko, Shaltiel, Yang CC'16] to non-malleable extractors and show that they can be constructed from similar assumptions.
Third, we observe that relative-error non-malleable extractors can be utilized to render a broad class of cryptographic primitives tamper and leakage resilient, while preserving negligible security guarantees.

2020

CRYPTO

Non-Malleability against Polynomial Tampering
📺
Abstract

We present the first explicit construction of a non-malleable code that can handle tampering functions that are bounded-degree polynomials.
Prior to our work, this was only known for degree-1 polynomials (affine tampering functions), due to Chattopadhyay and Li (STOC 2017). As a direct corollary, we obtain an explicit non-malleable code that is secure against tampering by bounded-size arithmetic circuits.
We show applications of our non-malleable code in constructing non-malleable secret sharing schemes that are robust against bounded-degree polynomial tampering. In fact our result is stronger: we can handle adversaries that can adaptively choose the polynomial tampering function based on initial leakage of a bounded number of shares.
Our results are derived from explicit constructions of seedless non-malleable extractors that can handle bounded-degree polynomial tampering functions. Prior to our work, no such result was known even for degree-2 (quadratic) polynomials.

2020

CRYPTO

New Techniques for Zero-Knowledge: Leveraging Inefficient Provers to Reduce Assumptions, Interaction, and Trust
📺
Abstract

We present a transformation from NIZK with inefficient provers in the uniform random string (URS) model to ZAPs (two message witness indistinguishable proofs) with inefficient provers. While such a transformation was known for the case where the prover is efficient, the security proof breaks down if the prover is inefficient. Our transformation is obtained via new applications of Nisan-Wigderson designs, a combinatorial object originally introduced in the derandomization literature.
We observe that our transformation is applicable both in the setting of super-polynomial provers/poly-time adversaries, as well as a new fine-grained setting, where the prover is polynomial time and the verifier/simulator/zero knowledge distinguisher are in a lower complexity class, such as $\mathsf{NC}^1$. We also present $\mathsf{NC}^1$-fine-grained NIZK in the URS model for all of NP from the worst-case assumption $\oplus L/\poly \not\subseteq \mathsf{NC}^1$.
Our techniques yield the following applications:
--ZAPs for $\mathsf{AM}$ from Minicrypt assumptions (with super-polynomial time provers),
--$\mathsf{NC}^1$-fine-grained ZAPs for $\mathsf{NP}$ from worst-case assumptions,
--Protocols achieving an ``offline'' notion of NIZK (oNIZK) in the standard (no-CRS) model with uniform soundness in both the super-polynomial setting (from Minicrypt assumptions) and
the $\mathsf{NC}^1$-fine-grained setting (from worst-case assumptions). The oNIZK notion is sufficient for use in indistinguishability-based proofs.

2020

TCC

Topology-Hiding Communication from Minimal Assumptions.
📺
Abstract

Topology-hiding broadcast (THB) enables parties communicating over an incomplete network to broadcast messages while hiding the topology from within a given class of graphs. THB is a central tool underlying general topology-hiding secure computation (THC) (Moran et al. TCC’15). Although broadcast is a privacy-free task, it was recently shown that THB for certain graph classes necessitates computational assumptions, even in the semi-honest setting, and even given a single corrupted party.
In this work we investigate the minimal assumptions required for topology-hiding communication—both Broadcast or Anonymous Broadcast (where the broadcaster’s identity is hidden). We develop new techniques that yield a variety of necessary and sufficient conditions for the feasibility of THB/THAB in different cryptographic settings: information theoretic, given existence of key agreement, and given existence of oblivious transfer. Our results show that feasibility can depend on various properties of the graph class, such as connectivity, and highlight the role of different properties of topology when kept hidden, including direction, distance, and/or distance-of-neighbors to the broadcaster. An interesting corollary of our results is a dichotomy for THC with a public number of at least three parties, secure against one corruption: information-theoretic feasibility if all graphs are 2-connected; necessity and sufficiency of key agreement otherwise.

2019

EUROCRYPT

Non-Malleable Codes Against Bounded Polynomial Time Tampering
📺
Abstract

We construct efficient non-malleable codes (NMC) that are (computationally) secure against tampering by functions computable in any fixed polynomial time. Our construction is in the plain (no-CRS) model and requires the assumptions that (1) $$\mathbf {E}$$E is hard for $$\mathbf {NP}$$NP circuits of some exponential $$2^{\beta n}$$2βn ($$\beta >0$$β>0) size (widely used in the derandomization literature), (2) sub-exponential trapdoor permutations exist, and (3) $$\mathbf {P}$$P-certificates with sub-exponential soundness exist.While it is impossible to construct NMC secure against arbitrary polynomial-time tampering (Dziembowski, Pietrzak, Wichs, ICS ’10), the existence of NMC secure against $$O(n^c)$$O(nc)-time tampering functions (for any fixedc), was shown (Cheraghchi and Guruswami, ITCS ’14) via a probabilistic construction. An explicit construction was given (Faust, Mukherjee, Venturi, Wichs, Eurocrypt ’14) assuming an untamperable CRS with length longer than the runtime of the tampering function. In this work, we show that under computational assumptions, we can bypass these limitations. Specifically, under the assumptions listed above, we obtain non-malleable codes in the plain model against $$O(n^c)$$O(nc)-time tampering functions (for any fixed c), with codeword length independent of the tampering time bound.Our new construction of NMC draws a connection with non-interactive non-malleable commitments. In fact, we show that in the NMC setting, it suffices to have a much weaker notion called quasi non-malleable commitments—these are non-interactive, non-malleable commitments in the plain model, in which the adversary runs in $$O(n^c)$$O(nc)-time, whereas the honest parties may run in longer (polynomial) time. We then construct a 4-tag quasi non-malleable commitment from any sub-exponential OWF and the assumption that $$\mathbf {E}$$E is hard for some exponential size $$\mathbf {NP}$$NP-circuits, and use tag amplification techniques to support an exponential number of tags.

2019

CRYPTO

Non-malleable Codes for Decision Trees
📺
Abstract

We construct efficient, unconditional non-malleable codes that are secure against tampering functions computed by decision trees of depth
$$d= n^{1/4-o(1)}$$
. In particular, each bit of the tampered codeword is set arbitrarily after adaptively reading up to d arbitrary locations within the original codeword. Prior to this work, no efficient unconditional non-malleable codes were known for decision trees beyond depth
$$O(\log ^2 n)$$
.Our result also yields efficient, unconditional non-malleable codes that are
$$\exp (-n^{\varOmega (1)})$$
-secure against constant-depth circuits of
$$\exp (n^{\varOmega (1)})$$
-size. Prior work of Chattopadhyay and Li (STOC 2017) and Ball et al. (FOCS 2018) only provide protection against
$$\exp (O(\log ^2n))$$
-size circuits with
$$\exp (-O(\log ^2n))$$
-security.We achieve our result through simple non-malleable reductions of decision tree tampering to split-state tampering. As an intermediary, we give a simple and generic reduction of leakage-resilient split-state tampering to split-state tampering with improved parameters. Prior work of Aggarwal et al. (TCC 2015) only provides a reduction to split-state non-malleable codes with decoders that exhibit particular properties.

2019

TCC

Is Information-Theoretic Topology-Hiding Computation Possible?
Abstract

Topology-hiding computation (THC) is a form of multi-party computation over an incomplete communication graph that maintains the privacy of the underlying graph topology. Existing THC protocols consider an adversary that may corrupt an arbitrary number of parties, and rely on cryptographic assumptions such as DDH.In this paper we address the question of whether information-theoretic THC can be achieved by taking advantage of an honest majority. In contrast to the standard MPC setting, this problem has remained open in the topology-hiding realm, even for simple “privacy-free” functions like broadcast, and even when considering only semi-honest corruptions.We uncover a rich landscape of both positive and negative answers to the above question, showing that what types of graphs are used and how they are selected is an important factor in determining the feasibility of hiding topology information-theoretically. In particular, our results include the following.
We show that topology-hiding broadcast (THB) on a line with four nodes, secure against a single semi-honest corruption, implies key agreement. This result extends to broader classes of graphs, e.g., THB on a cycle with two semi-honest corruptions.On the other hand, we provide the first feasibility result for information-theoretic THC: for the class of cycle graphs, with a single semi-honest corruption.
Given the strong impossibilities, we put forth a weaker definition of distributional-THC, where the graph is selected from some distribution (as opposed to worst-case).
We present a formal separation between the definitions, by showing a distribution for which information theoretic distributional-THC is possible, but even topology-hiding broadcast is not possible information-theoretically with the standard definition.We demonstrate the power of our new definition via a new connection to adaptively secure low-locality MPC, where distributional-THC enables parties to “reuse” a secret low-degree communication graph even in the face of adaptive corruptions.

2018

EUROCRYPT

2018

CRYPTO

Proofs of Work From Worst-Case Assumptions
📺
Abstract

We give Proofs of Work (PoWs) whose hardness is based on well-studied worst-case assumptions from fine-grained complexity theory. This extends the work of (Ball et al., STOC ’17), that presents PoWs that are based on the Orthogonal Vectors, 3SUM, and All-Pairs Shortest Path problems. These, however, were presented as a ‘proof of concept’ of provably secure PoWs and did not fully meet the requirements of a conventional PoW: namely, it was not shown that multiple proofs could not be generated faster than generating each individually. We use the considerable algebraic structure of these PoWs to prove that this non-amortizability of multiple proofs does in fact hold and further show that the PoWs’ structure can be exploited in ways previous heuristic PoWs could not.This creates full PoWs that are provably hard from worst-case assumptions (previously, PoWs were either only based on heuristic assumptions or on much stronger cryptographic assumptions (Bitansky et al., ITCS ’16)) while still retaining significant structure to enable extra properties of our PoWs. Namely, we show that the PoWs of (Ball et al., STOC ’17) can be modified to have much faster verification time, can be proved in zero knowledge, and more.Finally, as our PoWs are based on evaluating low-degree polynomials originating from average-case fine-grained complexity, we prove an average-case direct sum theorem for the problem of evaluating these polynomials, which may be of independent interest. For our context, this implies the required non-amortizability of our PoWs.

#### Program Committees

- Crypto 2023
- Eurocrypt 2023
- Eurocrypt 2022
- TCC 2022
- Eurocrypt 2021
- TCC 2020

#### Coauthors

- Marshall Ball (17)
- Alexander Bienstock (1)
- Elette Boyle (4)
- Anupam Chattopadhyay (1)
- Ran Cohen (3)
- Dana Dachman-Soled (5)
- Yevgeniy Dodis (1)
- Juan A. Garay (1)
- Eli Goldin (1)
- Siyao Guo (1)
- Peter Hall (1)
- Loïs Huguenin-Dumittan (1)
- Aggelos Kiayias (1)
- Lisa Kohl (3)
- Mukul Kulkarni (4)
- Hanjun Li (1)
- Jyun-Jie Liao (1)
- Huijia Lin (2)
- Tianren Liu (1)
- Julian Loss (1)
- Tal Malkin (8)
- Pierre Meyer (3)
- Tal Moran (4)
- Giorgos Panagiotakos (1)
- Alon Rosen (1)
- Manuel Sabin (1)
- Ronen Shaltiel (1)
- Jad Silbak (1)
- Prashant Nalini Vasudevan (1)
- Daniel Wichs (1)