1995, Lecture Notes in Computer Science
This paper studies a variation on classical key-agreement and consensus problems in which the set S of possible keys is the range of a random variable that can be sampled. We give tight upper and lower bounds of ⌈log₂ k⌉ bits on the communication complexity of agreement on some key in S, using a form of Sperner's Lemma, and give bounds on other problems. In the case where keys are generated by a probabilistic polynomial-time Turing machine, agreement is shown to be possible with zero communication if every fully polynomial-time approximation scheme (fpras) has a certain symmetry-breaking property.
1994
This paper studies a variation on classical key-agreement and consensus problems in which the set S of possible keys is the range of a random variable that can be sampled. We give tight upper and lower bounds of ⌈log₂ k⌉ bits on the communication complexity of agreement on some key in S, using a form of Sperner's Lemma, and give bounds on other problems.
arXiv (Cornell University), 2023
We propose a linear algebraic method, rooted in the spectral properties of graphs, that can be used to prove lower bounds in communication complexity. Our proof technique effectively marries spectral bounds with information-theoretic inequalities. The key insight is the observation that, in specific settings, even when data sets X and Y are closely correlated and have high mutual information, the owner of X cannot convey a reasonably short message that maintains substantial mutual information with Y. In essence, from the perspective of the owner of Y, any sufficiently brief message m = m(X) would appear nearly indistinguishable from a random bit sequence. We employ this argument in several problems of communication complexity. Our main result concerns cryptographic protocols. We establish a lower bound for communication complexity of multi-party secret key agreement with unconditional, i.e., information-theoretic security. Specifically, for one-round protocols (simultaneous messages model) of secret key agreement with three participants we obtain an asymptotically tight lower bound. This bound implies optimality of the previously known omniscience communication protocol (this result applies to a non-interactive secret key agreement with three parties and input data sets with an arbitrary symmetric information profile). We consider communication problems in one-shot scenarios when the parties' inputs are not produced by any i.i.d. sources, and there are no ergodicity assumptions on the input data. In this setting, we found it natural to present our results using the framework of Kolmogorov complexity.
ArXiv, 2020
It is known that the mutual information, in the sense of Kolmogorov complexity, of any pair of strings x and y is equal to the length of the longest shared secret key that two parties can establish via a probabilistic protocol with interaction on a public channel, assuming that the parties hold as their inputs x and y respectively. We determine the worst-case communication complexity of this problem for the setting where the parties can use private sources of random bits. We show that for some x, y the communication complexity of the secret key agreement does not decrease even if the parties have to agree on a secret key whose size is much smaller than the mutual information between x and y. On the other hand, we discuss examples of x, y such that the communication complexity of the protocol declines gradually with the size of the derived secret key. The proof of the main result uses spectral properties of appropriate graphs and the expander mixing lemma, as well as information theo...
Advances in Cryptology – EUROCRYPT 2010, 2010
We study the following two related questions: What are the minimal computational resources required for general secure multiparty computation in the presence of an honest majority? What are the minimal resources required for two-party primitives such as zero-knowledge proofs and general secure two-party computation? We obtain a nearly tight answer to the first question by presenting a perfectly secure protocol which allows n players to evaluate an arithmetic circuit of size s by performing a total of O(s log s log² n) arithmetic operations, plus an additive term which depends (polynomially) on n and the circuit depth, but only logarithmically on s. Thus, for typical large-scale computations whose circuit width is much bigger than their depth and the number of players, the amortized overhead is just polylogarithmic in n and s. The protocol provides perfect security with guaranteed output delivery in the presence of an active, adaptive adversary corrupting a (1/3 − ε) fraction of the players, for an arbitrary constant ε > 0 and sufficiently large n. The best previous protocols in this setting could only offer computational security with a computational overhead of poly(k, log n, log s), where k is a computational security parameter, or perfect security with a computational overhead of O(n log n). We then apply the above result towards making progress on the second question. Concretely, under standard cryptographic assumptions, we obtain zero-knowledge proofs for circuit satisfiability with 2^(−k) soundness error in which the amortized computational overhead per gate is only polylogarithmic in k, improving over the ω(k) overhead of the best previous protocols. Under stronger cryptographic assumptions, we obtain similar results for general secure two-party computation.
2017
Traditional protocols for secure multi-party computation among n parties communicate at least a linear (in n) number of bits, even when computing very simple functions. In this work we investigate the feasibility of protocols with sublinear communication complexity. Concretely, we consider two clients, one of which may be corrupted, who wish to perform some “small” joint computation using n servers but without any trusted setup. We show that enforcing sublinear communication complexity drastically affects the feasibility bounds on the number of corrupted parties that can be tolerated in the setting of information-theoretic security.
2010
We consider the round complexity of a basic cryptographic task: verifiable secret sharing (VSS). This well-studied primitive provides a good "test case" for our understanding of round complexity in general; moreover, VSS is important in its own right as a central building block for, e.g., Byzantine agreement and secure multi-party computation.
ACM Transactions on Algorithms, 2006
Approximation algorithms can sometimes provide efficient solutions when no efficient exact computation is known. In particular, approximations are often useful in a distributed setting where the inputs are held by different parties and may be extremely large. Furthermore, for some applications, the parties want to compute a function of their inputs securely, without revealing more information than necessary. In this work we study the question of simultaneously addressing the above efficiency and security concerns via what we call secure approximations.
Journal of Computer and System Sciences, 1998
We derive a general technique for obtaining lower bounds on the multiparty communication complexity of boolean functions. We extend the two-party method based on a crossing sequence argument introduced by Yao to the multiparty communication model. We use our technique to derive optimal lower and upper bounds of some simple boolean functions. Lower bounds for the multiparty model have been a challenge since (D. Dolev and T. Feder, in "Proceedings, 30th IEEE FOCS, 1989," pp. 428–433), where only an upper bound on the number of bits exchanged by a deterministic algorithm computing a boolean function f(x₁, …, xₙ) was derived, namely of the order (k₀C₀)(k₁C₁)², up to logarithmic factors, where k₁ and C₁ are the number of processors accessed and the bits exchanged in a nondeterministic algorithm for f, and k₀ and C₀ are the analogous parameters for the complementary function 1 − f. We show that C₀ ≤ n(1 + 2^(C₁)) and D ≤ n(1 + 2^(C₁)), where D is the number of bits exchanged by a deterministic algorithm computing f. We also investigate the power of a restricted multiparty communication model in which the coordinator is allowed to send at most one message to each party.
2009
Many advancements in the area of Secure Multi-Party Computation (SMC) protocols use improvements in communication complexity as a justification. We conducted an experimental study of a specific protocol for a real-world sized problem under realistic conditions and it suggests that the practical performance of the protocol is almost independent of the network performance. We argue that our result can be generalized to a whole class of SMC protocols.
Information and Computation, 1987
International Cryptology Conference, 2009
The round complexity of interactive protocols is one of their most important complexity measures. In this work we prove that existing lower bounds for the round complexity of VSS can be circumvented by introducing a negligible probability of error in the reconstruction phase. Previous results show matching lower and upper bounds of three rounds for VSS, with n = 3t + 1, where the reconstruction of the secrets always succeeds, i.e. with probability 1. In contrast we show that with a negligible probability of error in the reconstruction phase: There exists an efficient 2-round VSS protocol for n = 3t + 1. If we assume that the adversary is non-rushing then we can achieve a 1-round reconstruction phase. There exists an efficient 1-round VSS for t = 1 and n > 3. We prove that our results are optimal both in resilience and number of sharing rounds by showing: There does not exist a 2-round WSS (and hence VSS) for n ≤ 3t. There does not exist a 1-round VSS protocol for t ≥ 2 and n ≥ 4.
Computational Complexity, 1999
We consider the classic problem of n honest but curious players with private inputs x₁, …, xₙ who wish to compute the value of a fixed function F(x₁, …, xₙ) in such a way that at the end of the protocol every player knows the value F(x₁, …, xₙ). Each pair of players is connected by a secure point-to-point communication channel. The players have unbounded computational resources and they intend to compute F in a t-private way. That is, after the execution of the protocol no coalition of size at most t ≤ n − 1
53rd Annual IEEE Symposium on Foundations of Computer Science (FOCS'12), 2012
We show that almost all known lower bound methods for communication complexity are also lower bounds for the information complexity. In particular, we define a relaxed version of the partition bound of Jain and Klauck and prove that it lower bounds the information complexity of any function. Our relaxed partition bound subsumes all norm based methods (e.g. the γ₂ method) and rectangle-based methods (e.g. the rectangle/corruption bound, the smooth rectangle bound, and the discrepancy bound), except the partition bound.
Lecture Notes in Computer Science, 2006
Let x₁, …, x_k be n-bit numbers and T ∈ ℕ. Assume that P₁, …, P_k are players such that P_i knows all of the numbers except x_i. They want to determine if Σ_{j=1}^{k} x_j = T by broadcasting as few bits as possible. In earlier work an upper bound of O(√n) bits was obtained for the k = 3 case, and a lower bound of ω(1) for k ≥ 3 when T = Θ(2ⁿ). We obtain (1) for k ≥ 3 an upper bound of k + O((n + log k)^(1/lg(2k−2))), (2) for k = 3, T = Θ(2ⁿ), a lower bound of Ω(log log n), (3) a generalization of the protocol to abelian groups, (4) lower bounds on the multiparty communication complexity of some regular languages, and (5) empirical results for k = 3,
1989
In [A&3], Abrahamson presented a solution to the randomized consensus problem of Chor, Israeli and Li [CIL87], without assuming the existence of an atomic coin flip operation. This elegant algorithm uses unbounded memory, and has expected exponential running time. In [AH89], Aspnes and Herlihy provide a breakthrough polynomial-time algorithm. However, it too is based on the use of unbounded memory. In this paper, we present a solution to the randomized consensus problem that is bounded in space and runs in polynomial expected time.
SIAM Journal on Computing, 2008
We study the round complexity of two-party protocols for generating a random n-bit string such that the output is guaranteed to have bounded bias (according to some measure) even if one of the two parties deviates from the protocol (even using unlimited computational resources). Specifically, we require that the output's statistical difference from the uniform distribution on {0, 1}ⁿ is bounded by a constant less than 1. We present a protocol for the above problem that has 2 log* n + O(1) rounds, improving a previous 2n-round protocol of Goldreich, Goldwasser, and Linial (FOCS '91). Like the GGL protocol, our protocol actually provides a stronger guarantee, ensuring that the output lands in any set T ⊆ {0, 1}ⁿ of density μ with probability at most O(√μ + δ), where δ is an arbitrarily small constant. We then prove a matching lower bound, showing that any protocol guaranteeing bounded statistical difference requires at least log* n − log* log* n − O(1) rounds. As far as we know, this is the first nontrivial lower bound on the round complexity of random selection protocols (of any type) that does not impose additional constraints (e.g. on communication or "simulatability"). We also prove several results for the case when the output's bias is measured by the maximum multiplicative factor by which a party can increase the probability of a set T ⊆ {0, 1}ⁿ.
Journal of Cryptology, 2013
We present a protocol that allows to prove in zero-knowledge that committed values x_i, y_i, z_i, i = 1, …, l satisfy x_i y_i = z_i, where the values are taken from a finite field. For error probability 2^(−u) the size of the proof is linear in u and only logarithmic in l. Therefore, for any fixed error probability, the amortized complexity vanishes as we increase l. In particular, when the committed values are from a field of small constant size, we improve complexity of previous solutions by a factor of l. Assuming preprocessing, we can make the commitments (and hence the protocol itself) be information theoretically secure. Using this type of commitments we obtain, in the preprocessing model, a perfect zero-knowledge interactive proof for circuit satisfiability of circuit C where the proof has size O(|C|). We then generalize our basic scheme to a protocol that verifies l instances of an algebraic circuit D over K with v inputs, in the following sense: given committed values x_{i,j} and z_i, with i = 1, …, l and j = 1, …, v, the prover shows that D(x_{i,1}, …, x_{i,v}) = z_i for i = 1, …, l. The interesting property is that the amortized complexity of verifying one circuit only depends on the multiplicative depth of the circuit and not the size. So for circuits with small multiplicative depth, the amortized cost can be asymptotically smaller than the number of multiplications in D. Finally we look at commitments to integers, and we show how to implement information theoretically secure homomorphic commitments to integer values, based on preprocessing. After preprocessing, they require only a constant number of multiplications per commitment. We also show a variant of our basic protocol, which can verify l integer multiplications with low amortized complexity.
This protocol also works for standard computationally secure commitments and in this case we improve on security: whereas previous solutions with similar efficiency require the strong RSA assumption, we only need the assumption required by the commitment scheme itself, namely factoring.
2007
Broadcast among n parties in the presence of t ≥ n/3 malicious parties is possible only with some additional setup. The most common setup considered is the existence of a PKI and secure digital signatures, where so-called authenticated broadcast is achievable for any t < n. It is known that t + 1 rounds are necessary and sufficient for deterministic protocols achieving authenticated broadcast. Recently, however, randomized protocols running in expected constant rounds have been shown for the case of t < n/2. It has remained open whether randomization can improve the round complexity when an honest majority is not present. We address this question and show upper/lower bounds on how much randomization can help: rounds. In particular, we obtain expected constant-round protocols for t = n/2 + O(1). • On the negative side, we show that even randomized protocols require Ω(2n/(n − t)) rounds. This in particular rules out expected constant-round protocols when the fraction of honest parties is sub-constant.
* A portion of this work was done while the authors were visiting the Institute for Pure and Applied Mathematics (IPAM), UCLA.
Proceedings of the nineteenth annual ACM conference on Theory of computing - STOC '87
Improving a result of Mehlhorn and Schmidt, a function f with deterministic communication complexity n² is shown to have Las Vegas communication complexity O(n). This is the best possible, because the deterministic complexity cannot be more than the square of the Las Vegas communication complexity for any function.