Trapdoor Hash Functions and Their Applications

Nico Döttling, Sanjam Garg, Yuval Ishai, Giulio Malavolta, Tamer Mour, Rafail Ostrovsky

Research output: Chapter in Book/Report/Conference proceeding › Chapter › peer-review

38 Scopus citations

Abstract

We introduce a new primitive, called trapdoor hash functions (TDH), which are hash functions (Formula Presented) with additional trapdoor function-like properties. Specifically, given an index (Formula Presented), TDHs allow for sampling an encoding key (Formula Presented) (that hides i) along with a corresponding trapdoor. Furthermore, given (Formula Presented), a hint value (Formula Presented), and the trapdoor corresponding to (Formula Presented), the (Formula Presented) bit of x can be efficiently recovered. In this setting, one of our main questions is: How small can the hint value (Formula Presented) be? We obtain constructions where the hint is only one bit long based on DDH, QR, DCR, or LWE.

This primitive opens a floodgate of applications for low-communication secure computation. We mainly focus on two-message protocols between a receiver and a sender, with private inputs x and y, resp., where the receiver should learn f(x, y). We wish to optimize the (download) rate of such protocols, namely the asymptotic ratio between the size of the output and the sender’s message. Using TDHs, we obtain:

1. The first protocols for (two-message) rate-1 string OT based on DDH, QR, or LWE. This has several useful consequences, such as:
   (a) The first constructions of PIR with communication cost poly-logarithmic in the database size based on DDH or QR. These protocols are in fact rate-1 when considering block PIR.
   (b) The first constructions of a semi-compact homomorphic encryption scheme for branching programs, where the encrypted output grows only with the program length, based on DDH or QR.
   (c) The first constructions of lossy trapdoor functions with input to output ratio approaching 1 based on DDH, QR or LWE.
   (d) The first constant-rate LWE-based construction of a 2-message “statistically sender-private” OT protocol in the plain model.
2. The first rate-1 protocols (under any assumption) for n parallel OTs and matrix-vector products from DDH, QR or LWE.

We further consider the setting where f evaluates a RAM program y with running time (Formula Presented) on x. We obtain the first protocols with communication sublinear in the size of x, namely (Formula Presented) or (Formula Presented), based on DDH or, resp., pairings (and correlated-input secure hash functions).

Original language: English
Title of host publication: ADVANCES IN CRYPTOLOGY - CRYPTO 2019, PT III
Editors: Daniele Micciancio, Alexandra Boldyreva
Pages: 3-32
Number of pages: 30
Volume: 11694
State: Published - 2019
Event: 39th Annual International Cryptology Conference, CRYPTO 2019 - Santa Barbara, United States
Duration: 18 Aug 2019 to 22 Aug 2019

Publication series

Name: Lecture Notes in Computer Science

Conference

Conference: 39th Annual International Cryptology Conference, CRYPTO 2019
Country/Territory: United States
City: Santa Barbara
Period: 18/08/19 to 22/08/19

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science
