Abstract
Can a sender commit to a long input without even reading all of it? Can a prover convince a verifier that an NP statement holds without even reading the entire witness? Can a set of parties run a multiparty computation (MPC) protocol in the RAM model, without necessarily even reading their entire inputs? We show how to construct such “doubly efficient” schemes in a setting where parties can preprocess their input offline, but subsequently they can engage in many different protocol executions over this input in sublinear online time. We do so in the plain model, without any common setup. Our constructions rely on doubly efficient private information retrieval (DEPIR) as a building block and can be instantiated based on Ring LWE.
In more detail, we begin by constructing doubly efficient (interactive) commitments, where the sender preprocesses the input offline, and can later commit to this input to arbitrary receivers in sublinear online time. Moreover, the sender can open individual bits of the committed input in sublinear time. We then use these commitments to implement doubly succinct (interactive) arguments, where the prover preprocesses the statement/witness offline, and can subsequently run many proof protocols to convince arbitrary verifiers of the statement’s validity in sublinear online time. Furthermore, we augment these to get a doubly efficient “commit, prove and locally open” protocol, where the prover can commit to a long preprocessed input, prove that it satisfies some global property, and locally open individual bits, all in sublinear time. Finally, we leverage these tools to construct a RAM-MPC with malicious security in the plain model. Each party individually preprocesses its input offline, and can then run arbitrary MPC executions over this input with arbitrary other parties. The online run-time of each MPC execution is only proportional to the RAM run-time of the underlying program, which can be sublinear in the input size.
Research supported by NSF grant CNS-1750795, CNS-2055510 and the JP Morgan Faculty Research Award. Work on this paper by the first author was done while at Northeastern University.
Notes
1. For simplicity, we will ignore fixed polynomial factors in the security parameter throughout the introduction.
2. We justify this choice for several reasons. Firstly, there is no good prior term for an interactive analogue of collision-resistant hashing, and the term commitment captures the intuitive goal well. Secondly, since we will require that the commitment protocol runs in sublinear time and communication, it inherently achieves at least a weak form of hiding, in that it is too short to fully reveal the input. Lastly, when it comes to doubly efficient commitments, achieving binding is the main difficulty, and there are generic techniques to then add hiding on top of it.
3. It is a fascinating open problem to get rid of this restriction, or even better, to construct a public-coin scheme.
4. We note that previous work used the term doubly efficient succinct arguments to denote ones where the prover runs in time \(\textrm{poly}(T)\). In contrast, our notion of DSA requires the prover’s online run-time to be sublinear in T.
5. We assume that the identity of the party i whose input is read in each step of the program execution is input-independent. We can always make this so by incurring at most a factor n (number of parties) overhead, by reading input bits from the parties in a round-robin fashion. However, the location j being read is input-dependent and therefore must be kept secret from the parties.
6. In contrast, DEPIR is immediately implied by RAM-MPC.
7. We refer the reader to the full version of this paper for a simple construction of doubly efficient collision-resistant hashing without local openings.
8. Recall that, for a set of locations \(J \subseteq [\widetilde{N}]\), we write \(\textsf{Query}(1^\lambda , \widetilde{N}, J)\) to refer to independently sampling DEPIR queries on each of the locations \(j \in J\).
9. Each time \(\mathcal {R}\) makes a query under the outer layer DEPIR, it does so using fresh randomness. As such, the queries \( \left\{ \overline{J}_k \right\} \) that \(\mathcal {R}\) sends to \(\mathcal {S}\) in \(\varPi _\textsf{Open}\) are not the same as those it sends in \(\varPi _\textsf{Com}\).
10. We use the notation \(\overline{V}_k\) and \(\overline{W}_k\) for greater clarity in distinguishing between the responses corresponding to queries \( \left\{ \overline{J}_k \right\} \) and \( \left\{ \overline{I}_k \right\} \) respectively. However, \(\mathcal {S}\) simply iterates through the randomly ordered list of queries it receives.
11. Recall that we assume without loss of generality that all DEPIR queries require the server to read the same number of locations in the database and are thus of the same size.
12. Here we adopt the definition that an argument of knowledge must have an extractor that runs in strict polynomial time rather than expected polynomial time. See Remark 1 for further discussion.
13. Note that some locations of \(\pi ^*\) may still be equal to \(\bot \). Without loss of generality, we assume that \(V_\textsf{PCP}\) rejects if any of its queries are answered with \(\bot \).
14. Note that here \(y^*\) may have some remaining locations that are equal to \(\bot \). For the purposes of relative Hamming distance, we count all of those locations as ones where \(y^*\) differs from \(\textsf{LDC}(x)\).
15. Our construction naturally extends to other variants, such as security with fairness in the case of an honest majority. However, we focus on the above default scenario for concreteness and simplicity.
16. ORAM is usually defined with passive security by default, but malicious security can always be added generically by authenticating the ORAM data structure via a Merkle tree. The idea that ORAM can be made maliciously secure was noted in several prior works, starting with [GO96], who referred to it as “tamper-proof” ORAM.
17. Syntactically, the RAM-MPC has a method for the receiver to preprocess the index i offline, but since it is small, there is no point in doing so and the receiver can simply do all the computation online.
References
Afshar, A., Zhangxiang, H., Mohassel, P., Rosulek, M.: How to efficiently evaluate RAM programs with malicious security. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 702–729. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_27
Bitansky, N., Chiesa, A.: Succinct arguments from multi-prover interactive proofs and their efficiency benefits. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 255–272. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_16
Beimel, A., Ishai, Y., Malkin, T.: Reducing the servers computation in private information retrieval: PIR with preprocessing. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 55–73. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_4
Boyle, E., Ishai, Y., Pass, R., Wootters, M.: Can we access a database both locally and privately? In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part II. LNCS, vol. 10678, pp. 662–693. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-70503-3_22
Bitansky, N., Kalai, Y.T., Paneth, O.: Multi-collision resistance: a paradigm for keyless hash functions. In: Diakonikolas, I., Kempe, D., Henzinger, M. (eds.) 50th Annual ACM Symposium on Theory of Computing, pp. 671–684. ACM Press (2018)
Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. In: 36th Annual Symposium on Foundations of Computer Science, pp. 41–50. IEEE Computer Society Press (1995)
Canetti, R., Holmgren, J., Richelson, S.: Towards doubly efficient private information retrieval. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part II. LNCS, vol. 10678, pp. 694–726. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-70503-3_23
Chung, K.-M., Kalai, Y., Vadhan, S.P.: Improved delegation of computation using fully homomorphic encryption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 483–501. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_26
Gordon, S.D., et al.: Secure two-party computation in sublinear (amortized) time. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) ACM CCS 2012: 19th Conference on Computer and Communications Security, pp. 513–524. ACM Press (2012)
Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43(3), 431–473 (1996)
Goldreich, O.: The Foundations of Cryptography - Volume 2: Basic Applications. Cambridge University Press, Cambridge (2004)
Ishai, Y., Kushilevitz, E., Ostrovsky, R.: Sufficient conditions for collision-resistant hashing. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 445–456. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_24
Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: 24th Annual ACM Symposium on Theory of Computing, pp. 723–732. ACM Press (1992)
Kushilevitz, E., Ostrovsky, R.: One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 104–121. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_9
Keller, M., Yanai, A.: Efficient maliciously secure multiparty computation for RAM. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 91–124. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-319-78372-7_4
Lin, W.K., Mook, E., Wichs, D.: Doubly efficient private information retrieval and fully homomorphic RAM computation from Ring LWE. In: STOC (2023)
Ostrovsky, R., Shoup, V.: Private information storage (extended abstract). In: 29th Annual ACM Symposium on Theory of Computing, pp. 294–303. ACM Press (1997)
Copyright information
© 2024 International Association for Cryptologic Research
About this paper
Cite this paper
Lin, WK., Mook, E., Wichs, D. (2024). Doubly Efficient Cryptography: Commitments, Arguments and RAM MPC. In: Reyzin, L., Stebila, D. (eds) Advances in Cryptology – CRYPTO 2024. CRYPTO 2024. Lecture Notes in Computer Science, vol 14927. Springer, Cham. https://doi.org/10.1007/978-3-031-68397-8_8
DOI: https://doi.org/10.1007/978-3-031-68397-8_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-68396-1
Online ISBN: 978-3-031-68397-8