## CryptoDB

### Tianren Liu

#### Publications

**Year**

**Venue**

**Title**

2019

CRYPTO

Reusable Non-Interactive Secure Computation
Abstract

We consider the problem of Non-Interactive Two-Party Secure Computation (NISC), where Rachel wishes to publish an encryption of her input x, in such a way that any other party, who holds an input y, can send her a single message which conveys to her the value f(x, y), and nothing more. We demand security against malicious parties. While such protocols are easy to construct using garbled circuits and general non-interactive zero-knowledge proofs, this approach inherently makes a non-black-box use of the underlying cryptographic primitives and is infeasible in practice.Ishai et al. (Eurocrypt 2011) showed how to construct NISC protocols that only use parallel calls to an ideal oblivious transfer (OT) oracle, and additionally make only a black-box use of any pseudorandom generator. Combined with the efficient 2-message OT protocol of Peikert et al. (Crypto 2008), this leads to a practical approach to NISC that has been implemented in subsequent works. However, a major limitation of all known OT-based NISC protocols is that they are subject to selective failure attacks that allows a malicious sender to entirely compromise the security of the protocol when the receiver’s first message is reused.Motivated by the failure of the OT-based approach, we consider the problem of basing reusable NISC on parallel invocations of a standard arithmetic generalization of OT known as oblivious linear-function evaluation (OLE). We obtain the following results:We construct an information-theoretically secure reusable NISC protocol for arithmetic branching programs and general zero-knowledge functionalities in the OLE-hybrid model. Our zero-knowledge protocol only makes an absolute constant number of OLE calls per gate in an arithmetic circuit whose satisfiability is being proved. We also get reusable NISC in the OLE-hybrid model for general Boolean circuits using any one-way function.We complement this by a negative result, showing that reusable NISC is impossible to achieve in the OT-hybrid model. This provides a formal justification for the need to replace OT by OLE.We build a universally composable 2-message reusable OLE protocol in the CRS model that can be based on the security of Paillier encryption and requires only a constant number of modular exponentiations. This provides the first arithmetic analogue of the 2-message OT protocols of Peikert et al. (Crypto 2008).By combining our NISC protocol in the OLE-hybrid model and the 2-message OLE protocol, we get protocols with new attractive asymptotic and concrete efficiency features. In particular, we get the first (designated-verifier) NIZK protocols for NP where following a statement-independent preprocessing, both proving and verifying are entirely “non-cryptographic” and involve only a constant computational overhead. Furthermore, we get the first statistical designated-verifier NIZK argument for NP under an assumption related to factoring.

2018

TCC

On Basing Search SIVP on NP-Hardness
★
Abstract

The possibility of basing cryptography on the minimal assumption
$$\mathbf{NP }\nsubseteq \mathbf{BPP }$$
NP⊈BPP is at the very heart of complexity-theoretic cryptography. The closest we have gotten so far is lattice-based cryptography whose average-case security is based on the worst-case hardness of approximate shortest vector problems on integer lattices. The state-of-the-art is the construction of a one-way function (and collision-resistant hash function) based on the hardness of the
$$\tilde{O}(n)$$
O~(n)-approximate shortest independent vector problem
$${\textsf {SIVP}}_{\tilde{O}(n)}$$
SIVPO~(n).Although
$${\textsf {SIVP}}$$
SIVP is NP-hard in its exact version, Guruswami et al. (CCC 2004) showed that
$${\textsf {gapSIVP}}_{\sqrt{n/\log n}}$$
gapSIVPn/logn is in
$$\mathbf{NP } \cap \mathbf{coAM }$$
NP∩coAM and thus unlikely to be
$$\mathbf{NP }$$
NP-hard. Indeed, any language that can be reduced to
$${\textsf {gapSIVP}}_{\tilde{O}(\sqrt{n})}$$
gapSIVPO~(n) (under general probabilistic polynomial-time adaptive reductions) is in
$$\mathbf{AM } \cap \mathbf{coAM }$$
AM∩coAM by the results of Peikert and Vaikuntanathan (CRYPTO 2008) and Mahmoody and Xiao (CCC 2010). However, none of these results apply to reductions to search problems, still leaving open a ray of hope: can
$$\mathbf{NP }$$
NPbe reduced to solving search SIVP with approximation factor
$$\tilde{O}(n)$$
O~(n)?We eliminate such possibility, by showing that any language that can be reduced to solving search
$${\textsf {SIVP}}$$
SIVP with any approximation factor
$$\lambda (n) = \omega (n\log n)$$
λ(n)=ω(nlogn) lies in AM intersect coAM.

#### Coauthors

- Melissa Chase (1)
- Yevgeniy Dodis (3)
- Yuval Ishai (1)
- Daniel Kraschewski (1)
- Rafail Ostrovsky (1)
- Martijn Stam (2)
- John P. Steinberger (2)
- Vinod Vaikuntanathan (5)
- Hoeteck Wee (2)