Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden.
powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden.
powered by
Abstract
We introduce a new primitive, called trapdoor hash functions (TDH), which are hash functions \(\mathsf {H}: \{0,1\}^n \rightarrow \{0,1\}^\lambda \) with additional trapdoor function-like properties. Specifically, given an index \(i\in [n]\), TDHs allow for sampling an encoding key \(\mathsf {ek}\) (that hides i) along with a corresponding trapdoor. Furthermore, given \(\mathsf {H}(x)\), a hint value \(\mathsf {E}(\mathsf {ek},x)\), and the trapdoor corresponding to \(\mathsf {ek}\), the \(i^{th}\) bit of x can be efficiently recovered. In this setting, one of our main questions is: How small can the hint value \(\mathsf {E}(\mathsf {ek},x)\) be? We obtain constructions where the hint is only one bit long based on DDH, QR, DCR, or LWE.
This primitive opens a floodgate of applications for low-communication secure computation. We mainly focus on two-message protocols between a receiver and a sender, with private inputs x and y, resp., where the receiver should learn f(x, y). We wish to optimize the (download) rate of such protocols, namely the asymptotic ratio between the size of the output and the sender’s message. Using TDHs, we obtain:
1.
The first protocols for (two-message) rate-1 string OT based on DDH, QR, or LWE. This has several useful consequences, such as:
(a)
The first constructions of PIR with communication cost poly-logarithmic in the database size based on DDH or QR. These protocols are in fact rate-1 when considering block PIR.
(b)
The first constructions of a semi-compact homomorphic encryption scheme for branching programs, where the encrypted output grows only with the program length, based on DDH or QR.
(c)
The first constructions of lossy trapdoor functions with input to output ratio approaching 1 based on DDH, QR or LWE.
(d)
The first constant-rate LWE-based construction of a 2-message “statistically sender-private” OT protocol in the plain model.
2.
The first rate-1 protocols (under any assumption) for n parallel OTs and matrix-vector products from DDH, QR or LWE.
We further consider the setting where f evaluates a RAM program y with running time \(T\ll |x|\) on x. We obtain the first protocols with communication sublinear in the size of x, namely \(T\cdot \sqrt{|x|}\) or \(T\cdot \root 3 \of {|x|}\), based on DDH or, resp., pairings (and correlated-input secure hash functions).
Anzeige
Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.
It seems plausible that these gaps can be closed using indistinguishability obfuscation [25]. However, the focus of this work is on constructions that can be based on more traditional assumptions.
A simple “hybrid FHE” technique [28] can generically convert any FHE scheme into one whose encrypted (long) input is roughly as long as the input. However, no such generic technique is known for compressing the encrypted output.
Our protocols can be efficiently extended to provide security against malicious parties (under the same assumptions) using sublinear arguments [46]. This increases the number of rounds, but does not affect the asymptotic communication.
The work of Cho et al. [16] on laconic OT gives a batch OT protocol where \(|\mathsf {msg}_1|\) is independent of |x|. This generalizes to arbitrary functions f; however, even in the simple case of batch OT the download rate is sub-constant. The same applies to the more recent work of Quach et al. [52] on laconic function evaluation.
In this work, we consider this question in the more stringent two-message setting. However, we note that no other protocols with rate \(> \frac{1}{2}\) are known even when additional rounds of communication are allowed.
The notion of trapdoor hash functions is inspired by the closely related notion of hash encryption [13, 21, 22, 26] and somewhere statistically binding hash functions [36, 43, 49].
Our protocols achieve asymptotic download rate 1, which is clearly optimal. However, the (additive) difference between the sender’s message length and the output length grows with the security parameter \(\lambda \). In the full version we show that that this gap is necessary even in the more liberal setting of secure computation with preprocessing.
More specifically, as our group-based constructions are black-box in the underlying group, we can count the communication complexity in terms of the number of group elements, which in our case is \(\log n\cdot \mathsf {poly}(\lambda )\), where n is the size of the database and \(\lambda \) is the security parameter.
For this application, we insist on the two-message setting. Allowing O(T) rounds of interaction, similar protocols can be based on any single-server PIR scheme [46].
We can ensure that both sender and receiver run in strict polynomial time by introducing a suitable polynomial upper bound for the number of trials in the exhaustive search step of \(\mathsf {Dist}(\cdot )\). For small erasure probabilities, a near-quadratic improvement in the running time can be obtained via the recent optimal “distributed discrete log” algorithm of Dinur, Keller, and Klein [19].
for the SXDH-based construction we further assume the existence of correlated-input secure hash for group-induced correlations over bilinear groups [3, 32].