Papers by Satyanarayana Lokam
arXiv (Cornell University), Feb 28, 2024
Reviews and ratings by users form a central component in several widely used products today (e.g., product reviews, ratings of online content, etc.), but today's platforms for managing such reviews are ad-hoc and vulnerable to various forms of tampering and hijack by fake reviews either by bots or motivated paid workers. We define a new metric called 'hijack-resistance' for such review platforms, and then present TrustRate, an end-to-end decentralized, hijack-resistant platform for authentic, anonymous, tamper-proof reviews. With a prototype implementation and evaluation at the scale of thousands of nodes, we demonstrate the efficacy and performance of our platform, towards a new paradigm for building products based on trusted reviews by end users without having to trust a single organization that manages the reviews.

Numerous information-tracking solutions have been implemented worldwide to fight the COVID-19 pandemic. While prior work has heavily explored the factors affecting people's willingness to adopt contact-tracing solutions, which inform people when they have been exposed to someone positive for COVID-19, numerous countries have implemented other information-tracking solutions that use more data and more sensitive data than these commonly studied contact-tracing apps. In this work, we build on existing work focused on contact-tracing apps to explore adoption and design considerations for six representative information-tracking solutions for COVID-19, which differ in their goals and in the types of information they collect. To do so, we conducted semistructured interviews with 44 participants to investigate the factors that influence their willingness to adopt these solutions. We find four main categories of influences on participants' willingness to adopt such solutions: individual benefits of the solution, societal benefits of the solution, functionality concern, and digital safety (e.g., security and privacy) concerns. Further, we enumerate the factors that inform participants' evaluations of these categories. Based on our findings, we make recommendations for the future design of information-tracking solutions and discuss how different factors may balance against benefits in future crisis situations. CCS CONCEPTS • Computer systems organization → Human Computer Interaction (HCI).

We present a randomized algorithm for reconstructing multilinear ΣΠΣΠ(2) circuits, i.e. multilinear depth-4 circuits with fan-in 2 at the top + gate. The algorithm is given blackbox access to a polynomial $f \in F[x_1, \ldots, x_n]$ computable by a multilinear ΣΠΣΠ(2) circuit of size s and outputs an equivalent multilinear ΣΠΣΠ(2) circuit, runs in time poly(n, s), and works over any field F. This is the first reconstruction result for any model of depth-4 arithmetic circuits. Prior to our work, reconstruction results for bounded depth circuits were known only for depth-2 arithmetic circuits (Klivans & Spielman, STOC 2001), ΣΠΣ(2) circuits (depth-3 arithmetic circuits with top fan-in 2) (Shpilka, STOC 2007), and ΣΠΣ(k) with k = O(1) (Karnin & Shpilka, CCC 2009). Moreover, the running times of these algorithms have a polynomial dependence on |F| and hence do not work for infinite fields such as Q. Our techniques are quite different from the previous ones for depth-3 reconstruction and rely on a polynomial operator introduced by Karnin et al. (STOC 2010) and Saraf & Volkovich (STOC 2011) for devising blackbox identity tests for multilinear ΣΠΣΠ(k) circuits. Some other ingredients of our algorithm include the classical multivariate blackbox factoring algorithm by Kaltofen & Trager (FOCS 1988) and an algorithm for reconstructing set-multilinear ΣΠΣ(2) circuits by Kayal.

Proceedings of the ACM on human-computer interaction, Nov 7, 2022
We conducted semi-structured interviews with 20 users of Canada's exposure-notification app, COVID Alert. We identified several types of users' mental models for the app. Participants' concerns were found to correlate with their level of understanding of the app. Compared to a centralized contact-tracing app, COVID Alert was favored for its more efficient notification delivery method, its higher privacy protection, and its optional level of cooperation. Based on our findings, we suggest decision-makers rethink the app's privacy-utility trade-off and improve its utility by giving users more control over their data. We also suggest technology companies build and maintain trust with the public. Further, we recommend increasing diagnosed users' motivation to notify the app and encouraging exposed users to follow the guidelines. Last, we provide design suggestions to help users with Unsound and Innocent mental models to better understand the app. CCS Concepts: • Human-centered computing → Empirical studies in HCI; Human computer interaction (HCI); • Security and privacy → Human and societal aspects of security and privacy; Usability in security and privacy;

Proceedings of the ACM Workshop on Blockchain, Cryptocurrencies and Contracts
It is our pleasure to welcome you to The 1st ACM Workshop on Blockchain, Cryptocurrencies and Contracts (BCC'17) held in conjunction with The 12th ACM Asia Conference on Computer and Communications Security (AsiaCCS'17) during April 2-6, at Abu Dhabi, UAE. Blockchain is an emerging technology currently being used for a variety of applications such as cryptocurrencies and other financial transactions, smart properties, credential management, Internet-of-Things, supply chain management and many more. The theme of this workshop is to understand the foundations of blockchain technology and the design of new blockchain applications using smart contracts. The call for papers attracted 17 submissions from Asia, Europe, and North America. The program committee accepted 5 papers based on their overall quality and novelty. Apart from the research papers, there are two keynote talks by Dr. Juan Garay and Dr. Marko Vukolic. We are grateful to the keynote speakers for accepting our invitations and to the authors of all the papers for submitting their work to this workshop. We thank the members of the program committee and external reviewers for their valuable service in evaluating the submissions. We hope these proceedings will serve as a valuable reference for researchers and practitioners in the field of blockchain technologies.

Program obfuscation is a central primitive in cryptography, and has important real-world applications in protecting software from IP theft. However, well known results from the cryptographic literature have shown that software only virtual black box (VBB) obfuscation of general programs is impossible. In this paper we propose HOP, a system (with matching theoretic analysis) that achieves simulation-secure obfuscation for RAM programs, using secure hardware to circumvent previous impossibility results. To the best of our knowledge, HOP is the first implementation of a provably secure VBB obfuscation scheme in any model under any assumptions. HOP trusts only a hardware single-chip processor. We present a theoretical model for our complete hardware design and prove its security in the UC framework. Our goal is both provable security and practicality. To this end, our theoretic analysis accounts for all optimizations used in our practical design, including the use of a hardware Oblivious RAM (ORAM), hardware scratchpad memories, instruction scheduling techniques and context switching. We then detail a prototype hardware implementation of HOP. The complete design requires 72% of the area of a V7485t Field Programmable Gate Array (FPGA) chip. Evaluated on a variety of benchmarks, HOP achieves an overhead of 8× ∼ 76× relative to an insecure system. Compared to all prior (not implemented) work that strives to achieve obfuscation, HOP improves performance by more than three orders of magnitude. We view this as an important step towards deploying obfuscation technology in practice.

arXiv (Cornell University), Mar 28, 2023
We analyze the number of queries that a whitebox adversary needs to make to a private learner in order to reconstruct its training data. For (ϵ, δ) DP learners with training data drawn from any arbitrary compact metric space, we provide the first known lower bounds on the adversary's query complexity as a function of the learner's privacy parameters. Our results are minimax optimal for every ϵ ≥ 0, δ ∈ [0, 1], covering both ϵ-DP and (0, δ) DP as corollaries. Beyond this, we obtain query complexity lower bounds for (α, ϵ) Rényi DP learners that are valid for any α > 1, ϵ ≥ 0. Finally, we analyze data reconstruction attacks on locally compact metric spaces via the framework of Metric DP, a generalization of DP that accounts for the underlying metric structure of the data. In this setting, we provide the first known analysis of data reconstruction in unbounded, high dimensional spaces and obtain query complexity lower bounds that are nearly tight modulo logarithmic factors.

arXiv (Cornell University), Oct 14, 2020
We introduce Blockene, a blockchain that reduces resource usage at member nodes by orders of magnitude, requiring only a smartphone to participate in block validation and consensus. Despite being lightweight, Blockene provides a high throughput of transactions and scales to a large number of participants. Blockene consumes negligible battery and data in smartphones, enabling millions of users to participate in the blockchain without incentives, to secure transactions with their collective honesty. Blockene achieves these properties with a novel split-trust design based on delegating storage and gossip to untrusted nodes. We show, with a prototype implementation, that Blockene provides throughput of 1045 transactions/sec, and runs with very low resource usage on smartphones, pointing to a new paradigm for building secure, decentralized applications.

The use of blockchain in regulatory ecosystems is a promising approach to address challenges of compliance among mutually untrusted entities. In this work, we consider applications of blockchain technologies in telecom regulations. In particular, we address growing concerns around Unsolicited Commercial Communication (UCC aka. spam) sent through text messages (SMS) and phone calls in India. Despite several regulatory measures taken to curb the menace of spam it continues to be a nuisance to subscribers while posing challenges to telecom operators and regulators alike. In this paper, we present a consortium blockchain based architecture to address the problem of UCC in India. Our solution improves subscriber experiences, improves the efficiency of regulatory processes while also positively impacting all stakeholders in the telecom ecosystem. Unlike previous approaches to the problem of UCC, which are all ex-post, our approach to adherence to the regulations is ex-ante. The proposal described in this paper is a primary contributor to the revision of regulations concerning UCC and spam by the Telecom Regulatory Authority of India (TRAI). The new regulations published in July 2018 were first of a kind in the world and amended the 2010 Telecom Commercial Communication

Lecture Notes in Computer Science, Jun 24, 2015
Given a function $f : \{0,1\}^n \to \mathbb{R}$, its Fourier Entropy is defined to be $-\sum_S \hat{f}^2(S) \log \hat{f}^2(S)$, where $\hat{f}$ denotes the Fourier transform of $f$. This quantity arises in a number of applications, especially in the study of Boolean functions. An outstanding open question is a conjecture of Friedgut and Kalai (1996), called the Fourier Entropy Influence (FEI) Conjecture, asserting that the Fourier Entropy of any Boolean function $f$ is bounded above, up to a constant factor, by the total influence (= average sensitivity) of $f$. In this paper we give several upper bounds on the Fourier Entropy of Boolean as well as real valued functions. We first give upper bounds on the Fourier Entropy of Boolean functions in terms of several complexity measures that are known to be bigger than the influence. These complexity measures include, among others, the logarithm of the number of leaves and the average depth of a parity decision tree. We then show that for the class of Linear Threshold Functions (LTF), the Fourier Entropy is at most $O(\sqrt{n})$. It is known that the average sensitivity for the class of LTF is bounded by $\Theta(\sqrt{n})$. We also establish a bound of $O_d(n^{1 - \frac{1}{4d+6}})$ for general degree-$d$ polynomial threshold functions. Our proof is based on a new upper bound on the derivative of noise sensitivity. Next we proceed to show that the FEI Conjecture holds for read-once formulas that use AND, OR, XOR, and NOT gates. The last result is independent of a recent result due to O'Donnell and Tan [15] for read-once formulas with arbitrary gates of bounded fan-in, but our proof is completely elementary and very different from theirs. Finally, we give a general bound involving the first and second moments of sensitivities of a function (average sensitivity being the first moment), which holds for real valued functions as well.

arXiv (Cornell University), Feb 1, 2015
Let $F_n^*$ be the set of Boolean functions depending on all $n$ variables. We prove that for any $f \in F_n^*$, $f|_{x_i=0}$ or $f|_{x_i=1}$ depends on the remaining $n-1$ variables, for some variable $x_i$. This existent result suggests a possible way to deal with general Boolean functions via its subfunctions of some restrictions. As an application, we consider the degree lower bound of representing polynomials over finite rings. Let $f \in F_n^*$ and denote the exact representing degree over the ring $\mathbb{Z}_m$ (with the integer $m > 2$) as $d_m(f)$. Let $m = \prod_{i=1}^{r} p_i^{e_i}$, where $p_i$'s are distinct primes, and $r$ and $e_i$'s are positive integers. If $f$ is symmetric, then $m \cdot d_{p_1^{e_1}}(f) \cdots d_{p_r^{e_r}}(f) > n$. If $f$ is non-symmetric, by the second moment method we prove almost always $m \cdot d_{p_1^{e_1}}(f) \cdots d_{p_r^{e_r}}(f) > \lg n - 1$. In particular, as $m = pq$ where $p$ and $q$ are arbitrary distinct primes, we have $d_p(f) d_q(f) = \Omega(n)$ for symmetric $f$ and $d_p(f) d_q(f) = \Omega(\lg n - 1)$ almost always for non-symmetric $f$. Hence any $n$-variate symmetric Boolean function can have exact representing degree $o(\sqrt{n})$ in at most one finite field, and for non-symmetric functions, with $o(\sqrt{\lg n})$-degree in at most one finite field.

We study the question of designing leakage-resilient secure computation protocols. Our model is that of only computation leaks information with a leak-free input encoding phase. In more detail, we assume an offline phase called the input encoding phase in which each party encodes its input in a specified format. This phase is assumed to be free of any leakage and may or may not depend upon the function that needs to be jointly computed by the parties. Then finally, we have a secure computation phase in which the parties exchange messages with each other. In this phase, the adversary gets access to a leakage oracle which allows it to download a function of the computation transcript produced by an honest party to compute the next outgoing message. We present two main constructions of secure computation protocols in the above model. Our first construction is based only on the existence of (semi-honest) oblivious transfer. This construction employs an encoding phase which is dependent of the function to be computed (and the size of the encoded input is dependent on the size of the circuit of the function to be computed). Our second construction has an input encoding phase independent of the function to be computed. Hence in this construction, the parties can simply encode their input and store it as soon as it is received and then later on run secure computation for any function of their choice. Both of the above constructions tolerate complete leakage in the secure computation phase. Our second construction (with a function independent input encoding phase) makes use of a fully homomorphic encryption scheme. A natural question that arises is "can a leakage-resilient secure computation protocol with function independent input encoding be based on simpler and weaker primitives?". Towards that end, we show that any such construction would imply a secure two-party computation protocol with sub-linear communication complexity (in fact, communication complexity independent of the size of the function being computed). Finally, we also show how to extend our constructions for the continual leakage case where there is: a one time leak-free input encoding phase, a leaky secure computation phase which could be run multiple times for different functionalities (but the same input vector), and, a leaky refresh phase after each secure computation phase where the input is "re-encoded". Work done in part while visiting Microsoft Research, India.

Lecture Notes in Computer Science, 2012
We prove that there is no black-box construction of a threshold predicate encryption system from identity-based encryption. Our result signifies nontrivial progress in a line of research suggested by Boneh, Sahai and Waters (TCC '11), where they proposed a study of the relative power of predicate encryption for different functionalities. We rely on and extend the techniques of Boneh et al. (FOCS '08), where they give a blackbox separation of identity-based encryption from trapdoor permutations. In contrast to previous results where only trapdoor permutations were used, our starting point is a more powerful primitive, namely identity-based encryption, which allows planting exponentially many trapdoors in the public-key by only planting a single master public-key of an identity-based encryption system. This makes the combinatorial aspect of our black-box separation result much more challenging. Our work gives the first impossibility result on black-box constructions of any cryptographic primitive from identity-based encryption. We also study the more general question of constructing predicate encryption for a complexity class F, given predicate encryption for a (potentially less powerful) complexity class G. Toward that end, we rule out certain natural black-box constructions of predicate encryption for $NC^1$ from predicate encryption for $AC^0$ assuming a widely believed conjecture in communication complexity.
Dew: A Transparent Constant-Sized Polynomial Commitment Scheme
Lecture Notes in Computer Science, 2023
Non-Asymptotic Lower Bounds For Training Data Reconstruction
arXiv (Cornell University), Mar 28, 2023

IACR Cryptol. ePrint Arch., 2022
We construct polynomial commitment schemes with constant sized evaluation proofs and logarithmic verification time in the transparent setting. To the best of our knowledge, this is the first result achieving this combination of properties. Our starting point is a transparent inner product commitment scheme with constant-sized proofs and linear verification. We build on this to construct a polynomial commitment scheme with constant size evaluation proofs and logarithmic (in the degree of the polynomial) verification time. Our constructions make use of groups of unknown order instantiated by class groups. We prove security of our construction in the Generic Group Model (GGM). Using our polynomial commitment scheme to compile an information-theoretic proof system yields Dew – a transparent and constant-sized zkSNARK (Zero-knowledge Succinct Non-interactive ARguments of Knowledge) with logarithmic verification. Finally, we show how to recover the result of DARK (Bünz et al., Eurocrypt ...