# Comments regarding a few TCC'13 talks

This is a "farewell from TCC" post: As I announced in the business meeting, I am stepping down as chair and member of the steering committee of TCC, and also do not intend to attend future venues. The reason is that, in the last decade, my research interests and activities have been drifting away from cryptography. I still find cryptography very interesting, but I believe one cannot pursue all that one finds interesting: Painful choices to keep away from many interesting issues (due to limited personal resources) are inevitable.

This posting is aimed only at TCC fans; thus, I allowed myself many TCC-standard abbreviations. As usual, I include summaries only of talks and/or extended abstracts that I understood and was able to appreciate and/or "take home".

#### 1.1 Overcoming Weak Expectations by Yevgeniy Dodis and Yu Yu

Basically, the paper present two simple probabilistic inequalities and discusses their relevance to security w.r.t deficient cryptographic keys. Both inequalities refer to a source $R\in\{0,1\}^n$ of deficiency $d$ (i.e., min-entropy $n-d$), and the function $f:\{0,1\}^n\to\R$ represents a measure of the effect of an adversarial behavior w.r.t a given key. For "one sided" security (aka "unpredictable type"), the following trivial inequality should be applied: $E[|f(R)|] \leq 2^d E[|f(U)|]$, where $U$ is the uniform distribution over $n$-bit strings. For "two sided" security (aka "indistinguishability type"), the following inequality should be applied: $E[f(R)] \leq 2^{d/2} \sqrt{E[f(U)^2]}$.

#### 1.2 A Counterexample to the Chain Rule for Conditional HILL Entropy: And What Deniable Encryption Has to Do with It by Stephan Krenn, Krzysztof Pietrzak, and Akshay Wadia

This refers to conditional pseudo-entropy (PE) as defined in HILL. It is shown that $PE[X|Y] > t$ while $PE[X|Y,b]=0$ with $b$ being a random bit. Let $f$ be a OWF and $h$ be a hard-core of $f$. Consider the following probability space:
• $b\in_R\{0,1\}$,
• For $i=1,...,2t$ select $x_i$ uniformly in $\{0,1\}^n$ s.t. $h(x_i)=b$, and for $i=2t+1,...,3t$ select $x_i$ uniformly in $\{0,1\}^n$ s.t. $h(x_i)=1-b$.
• Let $X=sort(x_{2t+1},...,x_{3t})$ and $Y=sort(f(x_1),...,f(x_{3t}))$.
Then, $PE(X|Y) = \log_2 {{2t}\choose t}$, because given $Y$ we need to present $t$ preimages having the same $h$-value and this value may be arbitrary (since $b$ cannot be approximated based on $Y$). On the other hand, $PE(X|Y,b)=0$, since $Y$ and $b$ determine $X$.

#### 1.3 Hardness Preserving Reductions via Cuckoo Hashing by Itay Berman, Iftach Haitner, Ilan Komargodski, and Moni Naor

The point is going beyond the birthday bound, which is a natural barrier in may applications in which (standard) hashing is applied. Furthermore, the value obtained via Cuckoo hashing are suitable to many of these applications.

#### 2.2 Public-Coin Concurrent Zero-Knowledge in the Global Hash Model by Ran Canetti, Huijia Lin, and Omer Paneth

The question addressed in paper is whether a *public-coin* interactive proof system (for NP) can be concurrent zero-knowledge. (N.B.: The issue is "public coin" vs general interactive proofs.) Not being able to prove (the affirmative answer), they introduce a relaxed model akin the "global CRS" model; that is, the same random hash function is used in all invocations of the protocol. In this model, they obtain round complexity that is almost logarithmic. A latter work [by whom?] provides an affirmative answer in the standard model, but uses a polynomial (in security parameter) number of rounds. Open: can the number of rounds be reduced to (almost) logarithmic?

#### 3.2 When Homomorphism Becomes a Liability by Zvika Brakerski

Essentially, it is shown that if the decryption function can be weakly learned in the presence of noise (corresponding to decryption error), then homomorphism w.r.t the majority function implies insecurity, since such a homomorphism provides a way of reducing decryption errors. This provides a way of proving insecurity of schemes, and was indeed applied to the scheme of Bogdanov & Lee.

#### 4.1 Why "Fiat-Shamir for Proofs" Lacks a Proof by Nir Bitansky, Dana Dachman-Soled, Sanjam Garg, Abhishek Jain, Yael Tauman Kalai, Adriana Lopez-Alt, and Daniel Wichs

The work of Goldwasser and Kalai explains why the Fiat-Shamir heuristic fails for arguments (computationally sound proofs), and the question here is what happens wrt proofs (i.e., statistically sound proofs). This work shows that the security of the result of applying this heuristic cannot be proved secure (based on "standard assumptions") via a black-box reduction.

#### 5.1 A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness by Gilad Asharov, Yehuda Lindell, and Tal Rabin

It is easy to reduce (fair) coin tossing to the fair computation of the XOR functionality: Each party sends a random bit, and the outcome is defined as the XOR of these bits. The question addressed in this work is what other two-party deterministic functionalities can be used towards this end. The answer is that a function can be used towards this end iff, when viewed as a matrix, there exists a linear combination of its rows (ditto columns) that yield a uniform vector (equiv., the all-one vector).

#### 6.1 Languages with Efficient Zero-Knowledge PCPs are in SZK by Mohammad Mahmoody and David Xiao

A PCP is called efficient if the proof oracle can be represented by a small circuit (i.e., a circuit of size polynomial in the PCP-input). N.B.: A ZK PCP for a set outside BPP must use proofs of super-polynomial length, and (non-efficient) ZK PCPs for NEXP were shown in [KPT, STOC'97]. An interesting result of [GOVW, TCC12] implies that Quadratic Residuosity has *efficient* ZK PCPs. The paper's main result is captured in its title, and it leaves open the question of characterizing the class "efficient ZK PCP".

#### 6.3 Unprovable Security of Perfect NIZK and Non-interactive Non-malleable Commitments by Rafael Pass

This paper advocates building a hierarchy of assumptions, viewing possible constructions also as assumption alas of a more complex nature. Building on the suggestion of Naor (2003), the author present a taxonomy of assumptions and separates the two primitives in the title from the set of "refutable assumption", where separation is wrt black-box proofs of security. The result also provide an appealing example of natural primitives that are security implemented in the ROM but cannot be proved secure (via a black box reduction) in the standard model.

#### Invited Talk by Tal Malkin: Secure Computation for Big Data

This talk focuses on secure multi-party computation on huge data, where the underlying computation can be performed in sublinear time (e.g., binary search or any other common data base operation). Using oblivious RAM (see 7.2 (next)) and standard MPC, such secure computation can be performed with polylogarithmic overhead.

#### 7.2 Distributed Oblivious RAM for Secure Two-Party Computation by Steve Lu and Rafail Ostrovsky

A very important result of Ostrovsky and Shoup (1997), which I managed to forget..., is that secure multi-party computation can be implemented with polylogarithmic overhead with respect to the time of a plain RAM computation (rather than w.r.t. to time on a TM). The solution relies on an Oblivious RAM (ORAM) and a secure MPC of the reactive functionality performed by its CPU. In the current work, this construction is optimized by introducing an auxiliary model (of "two-party RAM") and capitalizing of additional features of the known ORAM constructions.

#### 8.1 Testing the Lipschitz Property over Product Distributions with Applications to Data Privacy by Kashyap Dixit, Madhav Jha, Sofya Raskhodnikova, and Abhradeep Thakurta

This inspiring work starts by relating ("average case") differential privacy to a Lipschitz condition regarding the utility provided by the algorithm. For an algorithm $A$, and any possible output $z$, define $f_z(x) = \log_2(Prob[A(x)=z])$. Then saying that $A$ has differential privacy $e$ iff for every $z$ the function $f_z$ is $e$-Lipschitz. The next idea is that a privacy preserving mechanism that is designed to allow only questions that preserve privacy (wrt a distribution of databases) may answer a query (presented as a function of the database) iff the corresponding functions are Lipschitz. Hence the role of testing the Lipschitz property. The main result is a transformation that given an arbitrary query translates it to an admissible one, while keeping the admissible ones intact.

#### 8.2 Limits on the Usefulness of Random Oracles by Iftach Haitner, Eran Omri, and Hila Zarosim

While it is know that the ROM is "useful" (i.e., "too useful") in many cases, this works asks whether there are cases in which the ROM is not useful; that is, it seems to identify general classes of functionalities for which a solution in the ROM implies the existence of a solution in the plain model (w.o., using any add'l assumptions). They show one such class -- the class of input-free functionalities (e.g., coin tossing or KE). Indeed, the fact that KE cannot be based on OWF follows as a corollary, since the ROM provides a OWF.

#### 8.3 Analyzing Graphs with Node Differential Privacy by Shiva Prasad Kasiviswanathan, Kobbi Nissim, Sofya Raskhodnikova, and Adam Smith

This work studies differential privacy in the context of data that is represented as a graph (rather than as a plain array). This model was studied before mainly in the context of "edge privacy" (i.e., data bases are at distance 1 iff they differ on one edge) and/or for dense graphs, but it seems that the current work that focuses on "node privacy" (i.e., the removal of a vertex and its edges) in the bounded-degree model is more appealing.

#### 9.1 Universally Composable Synchronous Computation by Jonathan Katz, Ueli Maurer, Bjorn Tackmann, and Vassilis Zikas

It is observed that the standard UC framework is inherently asynchronous, and the standard protocols do not have a guaranteed termination time. This paper focuses on integrating various notions of synchronoucity into the UC framework.

#### 9.3 On the Feasibility of Extending Oblivious Transfer by Yehuda Lindell and Hila Zarosim

By "extending OT" one means implementing more than $n$ instances of OT based on $n$ invocations of the OT protocol. Such an extension can be done by using OWF, but cannot be done in the information theoretic model [Beaver'96]. This work shows (1) that OWF (rather than a weaker computation assumption) is indeed necessary for extending OT, (2) that in the malicious model the minimal number of OTs being used must be super logarithmic (or else one gets an OT from scratch), and (3) extending OT in the malicious adaptive model requires assumptions at least at the strength of static OT.

#### 10.2 Revisiting Lower and Upper Bounds for Selective Decommitments by Rafail Ostrovsky, Vanishree Rao, Alessandra Scafuro, and Ivan Visconti

The question of selective decommitment has first occurred to me in the summer of 1986, in the wake of working on GMW2. I also discussed it with Ran Canetti in early 1990s, but it seems that we did not mention it in our paper with Feige and Noar (on "Adaptively Secure Multi-party Computation"). This may explain how please I were when seeing the elegant 5-round protocol of this work. Ditto the other results (e.g., Thm 3).

#### 10.3 On the Circular Security of Bit-Encryption by Ron D. Rothblum

It seems a folklore belief that any bit-encryption is circular secure, but this work outlines two obstacles towards proving that conjecture: Firstly, such a proof cannot use a black-box reduction (of circular security to standard security or even to the stronger CCA security). Secondly, such a proof would imply that the multilinear map conjecture is false. While the latter conjecture seems a significant extension of the (already questionable) bilinear map conjecture, ruling it out does not see easy...

#### Invited Talk by Benny Applebaum: Cryptographic Hardness of Random Local Functions - Survey

The talk touched on a variety of issues regarding the hardness of random local functions, while only mentioning the alternative structured construction of hard local functions by generically compiling hard log-space functions. One concrete motivation for avoiding the latter transformation is it effect on the input/output lengths. Benny pointed out that in the context of local computation there are implications that are not valid in the standard setting (e.g., robustness to linear tests implies robusteness to stronger tests). I would also stress that things we take for granted in the standard setting may not hold in the context of local computation (or may be hard to establish in it): e.g., amplification of the stretch of PRGs.

#### 11.1 On the Power of Correlated Randomness in Secure Computation by Yuval Ishai, Eyal Kushilevitz, Sigurd Meldgaard, Claudio Orlandi and Anat Paskin-Cherniavsky

The model of correlated randomness may be viewed as "extending" a simple cryptographic primitive to performing more complex tasks (i.e., general MPC). Alternatively, one may view the correlated randomness as the outcome of a preprocessing stage, which is performed before the actual inputs are available. In any case, this model turns out to be very powerful: It allows for general MPC with communication that is linear in the input length (regardless of the circuit size), and it allows for perfectly secure computation of any unidirectional two-party functionalities (rather than statistically secure computation in which the communication must grow linearly with the security parameter that determines the error). In both results the correlated randomness has exponential length, and it is left open whether this is inherent.

#### 12.3 Randomness-Dependent Message Security by Eleanor Birrell, Kai-Min Chung, Rafael Pass, Sidharth Telang

This work introduces the notion of randomness-dependent message (KDM) security, which has a spirit analogous to KDM (key-dependent message). Also in this case, the motivation that I find more convincing is that such schemes are a powerful primitive, having applications that are not offered by standard encryption schemes. (Indeed, also in this case, I'm unconvinced of the other motivation; that is, the need to develope a theory of undoing damage caused by careless implementations. Theory schould insist that implementation conforms to basic cryptographic principles such as keeping the keys and the encryption-randomness out of the reach of the application level.) This work provides a few basic results regarding this new notion.

[For a change, I have also attended the Rump session, which featured relatively few talks and many announcements (of conferences and positions).]

#### R1. How to Garble RAM Programs (Ostrovsky).

The main result was already reviewed by me in my choices (Nr 106). A very recent result, just reported, is a RAM analogue of a recent result of Goldwasser et al on resusable garbled circuits.

#### R2. Malicious security Based on Garbled Circuits achiving $2^{-s}$ security with just $s$ circuits (Lindell).

Consider the standard cut-and-choose technique applied for verifying the proper construction of garbled circuits: $s$ garbled copies are constructed and sent, and $s/2$ are selected at random and revealed for verification of proper construction. But when computing with the remaining $s/2$ copies and seeing inconsistent answers, what should we do? We should complain only if there are many non-majority outcomes, which means that our detection probability will be $1-2^{-\Omega(s)}$ not $1-2^{-s}$. The alternative provided suggested in this talk is to construct $O(s)$ (small) auxiliary circuits that will reveal the constructor's input if any inconsistency is detected (via the secret associated with the circuit's outputs), and apply the wasteful analysis only to the small circuits.

#### R3. Interactive Coding Revisited (Pass).

The starting point is the observation that the communication-efficient interactive coding do not preserve security, since they involve rewinding. Indeed, it is a theorem that if one wish to preserve security, then msg-by-msg encoding is optimal. However, we may consider "computationally bounded noise" (as done in single msg encoding). Indeed, assuming OWF, one may get a corresponding result for interactive coding, and the use of OWF is necessary.