TY - GEN
T1 - Additive Randomized Encodings and Their Applications
AU - Halevi, Shai
AU - Ishai, Yuval
AU - Kushilevitz, Eyal
AU - Rabin, Tal
N1 - Publisher Copyright:
© 2023, International Association for Cryptologic Research.
PY - 2023
Y1 - 2023
N2 - Addition of n inputs is often the easiest nontrivial function to compute securely. Motivated by several open questions, we ask what can be computed securely given only an oracle that computes the sum. Namely, what functions can be computed in a model where parties can only encode their input locally, then sum up the encodings over some Abelian group G, and decode the result to get the function output. An additive randomized encoding (ARE) of a function f(x1, …, xn) maps every input xi independently into a randomized encoding x^ i, such that ∑i=1n x^ i reveals f(x1, …, xn) and nothing else about the inputs. In a robust ARE, the sum of any subset of the x^ i only reveals the residual function obtained by restricting the corresponding inputs. We obtain positive and negative results on ARE. In particular: Information-theoretic ARE. We fully characterize the 2-party functions f: X1× X2→ { 0, 1 } admitting a perfectly secure ARE. For n≥ 3 parties, we show a useful “capped sum” function that separates statistical security from perfect security.Computational ARE. We present a general feasibility result, showing that all functions can be computed in this model, under a standard hardness assumption in bilinear groups. We also describe a heuristic lattice-based construction.Robust ARE. We present a similar feasibility result for robust computational ARE based on ideal obfuscation along with standard cryptographic assumptions. We then describe several applications of ARE and the above results. Under a standard cryptographic assumption, our computational ARE schemes imply the feasibility of general non-interactive secure computation in the shuffle model, where messages from different parties are shuffled. This implies a general utility-preserving compiler from differential privacy in the central model to computational differential privacy in the (non-robust) shuffle model.The existence of information-theoretic robust ARE implies “best-possible” information-theoretic MPC protocols (Halevi et al., TCC 2018) and degree-2 multiparty randomized encodings (Applebaum et al., TCC 2018). This yields new positive results for specific functions in the former model, as well as a simple unifying barrier for obtaining negative results in both models.
AB - Addition of n inputs is often the easiest nontrivial function to compute securely. Motivated by several open questions, we ask what can be computed securely given only an oracle that computes the sum. Namely, what functions can be computed in a model where parties can only encode their input locally, then sum up the encodings over some Abelian group G, and decode the result to get the function output. An additive randomized encoding (ARE) of a function f(x1, …, xn) maps every input xi independently into a randomized encoding x^ i, such that ∑i=1n x^ i reveals f(x1, …, xn) and nothing else about the inputs. In a robust ARE, the sum of any subset of the x^ i only reveals the residual function obtained by restricting the corresponding inputs. We obtain positive and negative results on ARE. In particular: Information-theoretic ARE. We fully characterize the 2-party functions f: X1× X2→ { 0, 1 } admitting a perfectly secure ARE. For n≥ 3 parties, we show a useful “capped sum” function that separates statistical security from perfect security.Computational ARE. We present a general feasibility result, showing that all functions can be computed in this model, under a standard hardness assumption in bilinear groups. We also describe a heuristic lattice-based construction.Robust ARE. We present a similar feasibility result for robust computational ARE based on ideal obfuscation along with standard cryptographic assumptions. We then describe several applications of ARE and the above results. Under a standard cryptographic assumption, our computational ARE schemes imply the feasibility of general non-interactive secure computation in the shuffle model, where messages from different parties are shuffled. This implies a general utility-preserving compiler from differential privacy in the central model to computational differential privacy in the (non-robust) shuffle model.The existence of information-theoretic robust ARE implies “best-possible” information-theoretic MPC protocols (Halevi et al., TCC 2018) and degree-2 multiparty randomized encodings (Applebaum et al., TCC 2018). This yields new positive results for specific functions in the former model, as well as a simple unifying barrier for obtaining negative results in both models.
UR - http://www.scopus.com/inward/record.url?scp=85172332911&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-38557-5_7
DO - 10.1007/978-3-031-38557-5_7
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:85172332911
SN - 9783031385568
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 203
EP - 235
BT - Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings
A2 - Handschuh, Helena
A2 - Lysyanskaya, Anna
T2 - Advances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings
Y2 - 20 August 2023 through 24 August 2023
ER -