Muthuramakrishnan Venkitasubramaniam Contact 357 St Mary's Hall Georgetown University Mail: mv783@georgetown.edu 
I am an Associate Professor in the Department of Computer Science at Georgetown University. I got my Ph.D in the Computer Science Department at Cornell University under the supervision of Rafael Pass and spent a year as a CI Fellow at NYU and Columbia University. Prior to coming to Georgetown I was an Assistant/Associate Profossor at University of Rochester. My research interests lie in cryptography, network security and complexity theory. My research is funded by the National Science Foundation and Google Faculty Research Award.
Teaching
PhD Students
Postdoc
Program Committees
Recent Talks
Visitors
Publications: (click title for abstract)
Diogenes: Lightweight Scalable RSA Modulus Generation with a Dishonest Majority. (SBC 2020)
Blockchains and cryptocurrencies have resurrected demand for secure distributed keygeneration protocols. We design and implement the first such protocol that remains practical even with thousands of parties, while offering security against an arbitrary number of corrupted parties.
Our approach begins with the design of the ``best'' protocol for the task that is secure against passive corruption. We then obtain security against active corruption via efficient zeroknowledge proofs.
In more detail, our passively secure protocol is based on a recent work of Chen et al. that extends the BonehFranklin protocol (J. ACM, 2001). Whereas the previous work relies on pairwise execution of an oblivious transfer protocol to implement secure multiplication, our protocol implements multiplication via a threshold additively homomorphic encryption (AHE) scheme based on the Ring LWE assumption. This results in significantly better throughput when the number of parties grows. In particular, it reduces the perparty communication from being linear in the number of parties to polylogarithmic. Then, we obtain our actively secure protocol by composing two zeroknowledge proof systems: (1) the Ligero sublinear zeroknowledge proof system (Ames et al., CCS 2017), and (2) $\Sigma$protocol for proving the knowledge of a discrete logarithm in unknown order groups (Shoup, Eurocrypt 2000).
We implemented the passive variant of our protocol and ran experiments from 1,000 to 10,000 parties distributed geographically across multiple AWS cloud centers. For generating a 2048bit modulus among 1,000 parties, our protocol executed in under 5 minutes in expectation. For 10,000 parties our protocol completed in 35 minutes in expectation. This is the first implementation of any MPC protocol that has been deployed at this scale.
 
The Price of Active Security in Cryptographic Protocols. (EUROCRYPT 2020)
We construct the first activelysecure MultiParty Computation (MPC) protocols with an arbitrary number of parties in the dishonest majority setting, for an arbitrary field F with constant communication overhead over the “passiveGMW” protocol (Goldreich, Micali and Wigderson, STOC ‘87). Our protocols rely on passive implementations of Oblivious Transfer (OT) in the boolean setting and Oblivious Linear function Evaluation (OLE) in the arithmetic setting. Previously, such protocols were only known over sufficiently large fields (Genkin et al. STOC ‘14) or a constant number of parties (Ishai et al. CRYPTO ‘08).
Conceptually, our protocols are obtained via a new compiler from a passivelysecure protocol for a distributed multiplication functionality Fmult , to an activelysecure protocol for general functionalities. Roughly, Fmult is parameterized by a linearsecret sharing scheme S, where it takes Sshares of two secrets and returns Sshares of their product.
We show that our compilation is concretely efficient for sufficiently large fields, resulting in an over head of 2 when securely computing natural circuits. Our compiler has two additional benefits: (1) it can rely on any passive implementation of Fmult, which, besides the standard implementation based on OT (for boolean) and OLE (for arithmetic) allows us to rely on implementations based on threshold cryptosystems (Cramer et al. Eurocrypt ‘01); and (2) it can rely on weakerthanpassive (i.e., imperfect/leaky) implementations, which in some parameter regimes yield activelysecure protocols with overhead less than 2.
Instantiating this compiler with an “honestmajority” implementation of FMULT, we obtain the first honestmajority protocol with optimal corruption threshold for boolean circuits with constant communication overhead over the best passive protocol (Damgård and Nielsen, CRYPTO ‘07).
 
Which Languages Have 4Round Fully BlackBox ZeroKnowledge Arguments from OneWay Functions? (EUROCRYPT 2020)
We prove that if a language $\cal L$ has a 4round fully blackbox zeroknowledge argument with negligible soundness based on oneway functions, then $\overline{\cal L} \in \mathsf{MA}$. Since $\mathsf{coNP} \subseteq \mathsf{MA}$ implies that the polynomial hierarchy collapses, our result implies that $\mathsf{NP}$complete languages are unlikely to have 4round fully blackbox zeroknowledge arguments based on oneway functions. In TCC 2018, Hazay and Venkitasubramaniam, and Khurana, Ostrovsky, and Srinivasan demonstrated 4round fully blackbox zeroknowledge arguments for all languages in $\mathsf{NP}$ based on injective oneway functions.
Their results also imply a 5round protocol based on oneway functions. In essence, our result resolves the round complexity of fully blackbox zeroknowledge arguments based on oneway functions.
 
Going Beyond Dual Execution: MPC for Functions with Efficient Verification (PKC 2020)
The dual execution paradigm of Mohassel and Franklin (PKC'06) and Huang, Katz and Evans (IEEE '12) shows how
to achieve the notion of 1bit leakage security at roughly twice the cost of semihonest security for the special case of twoparty secure computation. To date, there are no multiparty computation (MPC) protocols that offer such a strong tradeoff between security and semihonest performance.
Our main result is to address this shortcoming by designing 1bit leakage protocols for the multiparty setting, albeit for a special class of functions. We say that function $f(x,y)$ is efficiently verifiable by $g$ if the running time of $g$ is always smaller than $f$ and $g(x,y,z)=1$ if and only if $f(x,y)=z$. In the twoparty setting, we first improve dual execution by observing that the "second execution" can be an evaluation of $g$ instead of $f$, and that by definition, the evaluation of $g$ is asymptotically more efficient. Our main MPC result is to construct a 1bit leakage protocol for such functions from any passive protocol for $f$ that is secure up to additive errors and any active protocol for $g$. An important result by Genkin et al. (STOC '14) shows how the classic protocols by Goldreich et al. (STOC '87) and BenOr et al. (STOC '88) naturally support this property, which allows to instantiate our compiler with twoparty and multiparty protocols. As another concrete example of instantiating our approach, we present a novel protocol for computing perfect matching that is secure in the 1bit leakage model and whose communication complexity is less than the honestbutcurious implementations of textbook algorithms for perfect matching.  
A RoundCollapse Theorem for ComputationallySound Protocols; or, TFNP is Hard (on Average) in Pessiland.
Consider the following two fundamental open problems in complexity theory: 1) Does a hardonaverage language in NP imply the existence of oneway functions? 2) Does a hardonaverage language in NP imply a hard problem in TFNP (i.e., the class of total NP search problem)? We show that the answer to (at least) one of these questions is yes. In other words, in Impagliazzo's Pessiland (where NP is hardonaverage, but oneway functions do not exist), TFNP is unconditionally hard (on average). This result follows from a more general theory of interactive averagecase complexity, and in particular, a novel roundcollapse theorem for computationallysound protocols, analogous to BabaiMoran's celebrated roundcollapse theorem for informationtheoretically sound protocols. As another consequence of this treatment, we show that the existence of O(1)round publiccoin nontrivial arguments (i.e., argument systems that are not proofs) imply the existence of a hardonaverage problem in NP/poly.
 
LevioSA: Lightweight Secure Arithmetic Computation. (CCS 2019)
We study the problem of secure twoparty computation of arithmetic circuits in the presence of active ("malicious") parties. This problem is motivated by privacypreserving numerical computations, such as ones arising in the context of machine learning training and classification, as well as in threshold cryptographic schemes. In this work, we design, optimize, and implement anactively secure protocol for secure twoparty arithmetic computation. A distinctive feature of our protocol is that it can make a fully modular blackbox use of any passively secure implementation of oblivious linear function evaluation (OLE). OLE is a commonly used primitive for secure arithmetic computation, analogously to the role of oblivious transfer in secure computation for Boolean circuits. For typical (large but nottoonarrow) circuits, our protocol requires roughly 4 invocations of passively secure OLE per multiplication gate. This significantly improves over the recent TinyOLE protocol (Döttling et al., ACM CCS 2017), which requires 22 invocations of actively secure OLE in general, or 44 invocations of a specific codebased passively secure OLE. Our protocol follows the high level approach of the IPS compiler (Ishai et al., CRYPTO 2008, TCC 2009), optimizing it in several ways. In particular, we adapt optimization ideas that were used in the context of the practical zeroknowledge argument system Ligero (Ames et al., ACM CCS 2017) to the more general setting of secure computation, and explore the possibility of boosting efficiency by employing a "leaky" passively secure OLE protocol. The latter is motivated by recent (passively secure) latticebased OLE implementations in which allowing such leakage enables better efficiency. We showcase the performance of our protocol by applying its implementation to several useful instances of secure arithmetic computation. On "wide" circuits, such as ones computing a fixed function on many different inputs, our protocol is 5x faster and transmits 4x less data than the stateoftheart Overdrive (Keller et al., Eurocrypt 2018). Our benchmarks include a general passivetoactive OLE compiler, authenticated generation of "Beaver triples", and a system for securely outsourcing neural network classification. The latter is the first actively secure implementation of its kind, strengthening the passive security provided by recent related works (Mohassel and Zhang, IEEE S&P 2017; Juvekar et al., USENIX 2018).
 
RoundOptimal Fully BlackBox ZeroKnowledge Arguments from OneWay Permutations. (TCC 2018)
In this paper, we revisit the round complexity of designing zeroknowledge (ZK) arguments via a blackbox construction from minimal assumptions. Our main result implements a 4round ZK argument for any language in NP, based on injective oneway functions, that makes blackbox use of the underlying function. As a corollary, we also obtain the first 4round perfect zeroknowledge argument for NP based on clawfree permutations via a blackbox construction and 4round inputdelayed commitandprove zeroknowledge argument based on injective oneway functions.
 
TwoRound Adaptively Secure Multiparty Computation from Standard Assumptions. (TCC 2018)
We present the first tworound multiparty computation (MPC) protocols secure against malicious adaptive corruption in the common reference string (CRS) model, based on DDH, LWE, or QR. Prior tworound adaptively secure protocols were known only in the twoparty setting against semihonest adversaries, or in the general multiparty setting assuming the existence of indistinguishability obfuscation (iO).Our protocols are constructed in two steps. First, we construct tworound oblivious transfer (OT) protocols secure against malicious adaptive corruption in the CRS model based on DDH, LWE, or QR. We achieve this by generically transforming any tworound OT that is only secure against static corruption but has certain oblivious sampleability properties, into a tworound adaptively secure OT. Prior constructions were only secure against semihonest adversaries or based on iO.Second, building upon recent constructions of tworound MPC from tworound OT in the weaker static corruption setting [Garg and Srinivasan, Benhamouda and Lin, Eurocrypt’18] and using equivocal garbled circuits from [Canetti, Poburinnaya and Venkitasubramaniam, STOC’17], we show how to construct tworound adaptively secure MPC from tworound adaptively secure OT and constantround adaptively secure MPC, with respect to both malicious and semihonest adversaries. As a corollary, we also obtain the first 2round MPC secure against semihonest adaptive corruption in the plain model based on augmented noncommitting encryption (NCE), which can be based on a variety of assumptions, CDH, RSA, DDH, LWE, or factoring Blum integers. Finally, we mention that our OT and MPC protocols in the CRS model are, in fact, adaptively secure in the Universal Composability framework.
 
RoundOptimal Secure MultiParty Computation. (CRYPTO 2018)
Secure multiparty computation (MPC) is a central cryptographic task that allows a set of mutually distrustful parties to jointly compute some function of their private inputs where security should hold in the presence of a malicious adversary that can corrupt any number of parties. Despite extensive research, the precise round complexity of this ``standardbearer'' cryptographic primitive is unknown. Recently, Garg, Mukherjee, Pandey and Polychroniadou, in Eurocrypt 2016 demonstrated that the round complexity of any MPC protocol relying on blackbox proofs of security in the plain model must be at least four. Following this work, independently Ananth, Choudhuri and Jain, CRYPTO 2017 and Brakerski, Halevi, and Polychroniadou, TCC 2017 made progress towards solving this question and constructed fourround protocols based on nonpolynomial time assumptions. More recently, Ciampi, Ostrovsky, Siniscalchi and Visconti in TCC 2017 closed the gap for twoparty protocols by constructing a 4round protocol from polynomialtime assumptions. In another work, Ciampi, Ostrovsky, Siniscalchi and Visconti TCC 2017 showed how to design a 4round multiparty protocol for the specific case of multiparty cointossing.
In this work, we resolve this question by designing a 4round actively secure multiparty (two or more parties) protocol for general functionalities under standard polynomialtime hardness assumptions.  
A Unified Approach to Constructing Blackbox UC Protocols in Trusted Setup Models. (TCC 2017)
We present a unified framework for obtaining blackbox constructions of Universal Composable (UC) protocol in trusted setup models. Our result is analogous to the unified framework of Lin, Pass, and Venkitasubramaniam [STOC'09, Asiacrypt'12] that, however, only yields nonblackbox constructions of UC protocols. Our unified framework shows that to obtain blackbox constructions of UC protocols, it suffices to implement a special purpose commitment scheme that is, in particular, concurrently extractable using a given trusted setup. Using our framework, we improve blackbox constructions in the common reference string and tamperproof hardware token models by weakening the underlying computational and setup assumptions.
 
Actively Secure Garbled Circuits with Constant Communication Overhead in the Plain Model. (TCC 2017)
We consider the problem of constantround secure twoparty computation in the presence of active (malicious) adversaries. We present the first protocol that has only a constant multiplicative communication overhead compared to Yao's protocol for passive adversaries and can be implemented in the plain model by only making a blackbox use of (parallel) oblivious transfer and a pseudorandom generator. This improves over the polylogarithmic overhead of the previous best protocol. A similar result could previously be obtained only in an amortized setting, using preprocessing, or by assuming bitoblivioustransfer as an ideal primitive that has a constant cost.
We present two variants of this result, one which is aimed at minimizing the number of oblivious transfers and another which is aimed at optimizing concrete efficiency. Our protocols are based on a novel combination of previous techniques together with a new efficient protocol to certify that pairs of strings transmitted via oblivious transfer satisfy a global relation. The communication complexity of the second variant of our protocol can beat the best previous protocols even for realistic values of the circuit size and the security parameter. This variant is particularly attractive in the offlineonline setting, where the online cost is dominated by a single evaluation of an authenticated garbled circuit, and can also be made noninteractive using the FiatShamir heuristic.  
Ligero: Lightweight Sublinear Arguments without a Trusted Setup. (CCS 2017)
We design and implement a simple zeroknowledge argument protocol for NP whose communication complexity is proportional to the squareroot of the verification circuit size. The protocol can be based on any collisionresistant hash function. Alternatively, it can be made noninteractive in the random oracle model, yielding concretely efficient zkSNARKs that do not require a trusted setup or publickey cryptography.
Our protocol is attractive not only for very large verification circuits but also for moderately large circuits that arise in applications. For instance, for verifying a SHA256 preimage in zeroknowledge with $2^{40}$ soundness error, the communication complexity is roughly 44KB (or less than 34KB under a plausible conjecture), the prover running time is 140 ms, and the verifier running time is 62 ms. This proof is roughly 4 times shorter than a similar proof of ZKB++ (Chase et al., CCS 2017), an optimized variant of ZKBoo (Giacomelli et al., USENIX 2016). The communication complexity of our protocol is independent of the circuit structure and depends only on the number of gates. For $2^{40}$ soundness error, the communication becomes smaller than the circuit size for circuits containing roughly 3 million gates or more. Our efficiency advantages become even bigger in an amortized setting, where several instances need to be proven simultaneously. Our zeroknowledge protocol is obtained by applying an optimized version of the general transformation of Ishai et al. (STOC 2007) to a variant of the protocol for secure multiparty computation of Damg{\aa}rd and Ishai (Crypto 2006). It can be viewed as a simple zeroknowledge interactive PCP based on ``interleaved'' ReedSolomon codes. 

Equivocating Yao: ConstantRounds Adaptively Secure
Multiparty Computation in the Plain Model. (STOC 2017) Yao's garbling scheme is one of the basic building blocks of cryptographic protocol design. Originally designed to enable twomessage, twoparty secure computation, the scheme has been extended in many ways and has innumerable applications. Still, a basic question has remained open throughout the years: Can the scheme be extended to guarantee security in the face of an adversary that corrupts both parties, adaptively, as the computation proceeds?
We answer this question in the affirmative. We define a new type of encryption, called functionally equivocal encryption (FEE),and show that when Yao's scheme is implemented with an FEE as the underlying encryption mechanism, it becomes secure against such adaptive adversaries. We then show how to implement FEE from any one way function. Combining our scheme with noncommitting encryption, we obtain the first twomessage, twoparty computation protocol, and the first constantround multiparty computation protocol, in the plain model, that are secure against semihonest adversaries who can adaptively corrupt all parties. A number of extensions and applications are described within. 

Better TwoRound Adaptive MultiParty Computation.
(PKC 2017)
The only known tworound multiparty computation protocol that withstands adaptive corruption of all parties is the ingenious protocol of Garg and Polychroniadou [GP] (TCC 15).
We present protocols that improve on the GP protocol in a number of ways.
First, concentrating on the semihonest case and taking a different approach than GP, we show a tworound, adaptively secure protocol where:


Scalable MultiParty Private SetIntersection (PKC 2017)
In this work we study the problem of private setintersection in the multiparty setting and design two protocols with the following improvement compared to prior work. First, our protocols take a new approach of leveraging the 2PC protocol of Freedman, Nissim and Pinkas (Eurocrypt 2004) and minimize the usage of a broadcast channel, where our semihonest protocol does not make any use of such a channel. In addition, the communication complexity of our protocols scale with the number of parties.
More concretely, (1) our first semihonest secure protocol with communication complexity that is linear in the input sizes, namely $O(\sum_{i=1}^n m_i)$ where $m_i$ is the size of $P_i$'s input set, whereas the computational overhead is quadratic in the input sizes only for a designated party, and linear for the rest. (2) Our second protocol is proven secure in the malicious setting. This protocol induces communication complexity $O(\sum_{i=1}^2 m_i + n^2)$ where $n$ is the number of parties. 

ConstantRound Adaptively Secure Protocols in the TamperProof Hardware Model (PKC 2017)
Achieving constantround adaptively secure protocols (where all parties can be corrupted) in the plain model is a notoriously hard problem. Very recently, three works published in TCC 2015 (DachmanSoled et al., Garg and Polychroniadou, Canetti et al.), solved the problem in the Common Reference String (CRS) model. In this work, we present a constantround adaptive UCsecure computation protocol for all wellformed functionalities in the tamperproof hardware model using stateless tokens from only oneway functions. In contrast, all prior works in the CRS model require very strong assumptions, in particular, the existence of indistinguishability obfuscation.
As a corollary to our techniques, we present the first adaptively secure protocols in the Random Oracle Model (ROM) with round complexity proportional to the depth of circuit implementing the functionality. Our protocols are secure in the Global Random Oracle Model introduced recently by Canetti, Jain and Scafuro in CCS 2014 that provides strong compositional guarantees. More precisely, we obtain an adaptively secure UCcommitment scheme in the global ROM assuming only oneway functions. In comparison, the protocol of Canetti, Jain and Scafuro achieves only static security and relies on the specific assumption of Discrete DiffieHellman assumption (DDH). 

Composable Adaptive Secure Protocols without Setup
under Polytime Assumptions. (TCC 2016B)
All previous constructions of general multiparty computation protocols that are secure against adaptive corruptions in the concurrent setting either require some form of setup or nonstandard assumptions. In this paper we provide the first general construction of secure multiparty computation protocol without any setup that guarantees composable security in the presence of an adaptive adversary based on standard polynomialtime assumptions. We prove security under the notion of "UC with superpolynomial helpers" introduced by Canetti et al. (FOCS 2010), which is closed under universal composition and implies "superpolynomialtime simulation". Moreover, our construction
relies on the underlying cryptographic primitives in a blackbox manner.
Next, we revisit the zeroone law for twoparty secure functions evaluation initiated by the work of Maji, Prabhakaran and Rosulek (CRYPTO 2010). According to this law, every twoparty functionality is either trivial (meaning, such functionalities can be reduced to any other functionality) or complete (meaning, any other functionality can be reduced to these functionalities) in the Universal Composability (UC) framework. As our second contribution, assuming the existence of a simulatable publickey encryption scheme, we establish a zeroone law in the adaptive setting. Our result implies that every twoparty nonreactive functionality is either trivial or complete in the UC framework in the presence of adaptive, malicious adversaries. 

Composable Security in the Tamper Proof Hardware Model
under Minimal Complexity. (TCC
2016B)
We put forth a new formulation of tamperproof hardware in the Global Universal Composable (GUC) framework introduced by Canetti
et al. in TCC 2007. Almost all of the previous works rely on the formulation by Katz in Eurocrypt 2007 and this formulation does not fully capture tokens in a concurrent setting. We address these shortcomings by relying on the GUC framework where we make the following
contributions:


On Negation Complexity of Injections, Surjections and CollisionResistance in Cryptography (INDOCRYPT 2016)
Goldreich and Izsak (Theory of Computing, 2012) initiated the research on understanding the role of negations in circuits implementing cryptographic primitives, notably, considering oneway functions and pseudorandom generators. More recently, Guo, Malkin, Oliveira and Rosen (TCC, 2015) determined tight bounds on the minimum number of negations gates (i.e., negation complexity) of a wide variety of cryptographic primitives including pseudorandom functions, errorcorrecting codes, hardcorepredicates and randomness extractors.
We continue this line of work to establish the following results:

PDF


On the Power of TwoParty Computation. (CRYPTO
2016)
Ishai, Kushilevitz, Ostrovsky and Sahai (STOC 2007, SIAM JoC 2009) introduced the powerful "MPCinthehead" technique that provided a general transformation of informationtheoretic MPC protocols secure against passive adversaries to a ZK proof in a "blackbox" way. In this work, we extend this technique and provide a generic transformation of any semihonest secure twoparty computation (2PC) protocol (with mild adaptive security guarantees) in the so called oblivioustransfer hybrid model to an adaptive ZK proof for any $\mathsf{NP}$language, in a ``blackbox'' way assuming only oneway functions. Our basic construction based on GoldreichMicaliWigderson's 2PC protocol yields an adaptive ZK proof with communication complexity proportional to quadratic in the size of the circuit implementing the $\mathsf{NP}$ relation. Previously such proofs relied on an expensive Karp reduction of the $\mathsf{NP}$ language to Graph Hamiltonicity (Lindell and Zarosim (TCC 2009, Journal of Cryptology 2011)). We also improve our basic construction to obtain the first linearrate adaptive ZK proofs by relying on efficient maliciously secure 2PC protocols. Core to this construction is a new way of transforming 2PC protocols to efficient (adaptively secure) instancedependent commitment schemes.
As our second contribution, we provide a general transformation to construct a randomized encoding of a function $f$ from any 2PC protocol that securely computes a related functionality (in a blackbox way). We show that if the 2PC protocol has mild adaptive security guarantees then the resulting randomized encoding (RE) can be decomposed to an offline/online encoding. As an application of our techniques, we show how to obtain a ZK proof for any $\mathsf{NP}$ language that is blackbox in the underlying oneway function with an "inputdelayed" property and without relying on expensive Karp reductions. Namely, the honest prover's algorithm does not require the actual statement to be proved until the last round. We further generalize this to obtain a "commit and prove" protocol with the same property where the prover commits to a witness $w$ in the second message and proves a statement $x$ regarding the witness $w$ in zeroknowledge where the statement is determined only in the last round. This improves previous constructions of Lapidot and Shamir (Crypto 1990) was designed specifically for the Graph Hamiltonicity problem and relied on the underlying primitives in a nonblackbox way. 
PDF


Privacy Enhancement for Interconnected Vehicles via Secure Multiparty Computation. (ITS World Congress 2016)
Vehicletovehicle communication is wireless transmission of data between vehicles where the goal is to prevent accidents by sharing speed and position data. As has been well established, V2V has the potential to dramatically improve highway safety, however, the same technology raises serious concerns regarding security and privacy of the data being created, collected and shared. In this work, we identify a particular privacy vulnerability of the proposed Security Credential Management System (SCMS) and suggest an alternative mechanism to provide stronger privacy guarantees by using a powerful tool from modern cryptography known as secure multiparty computation.


What Security Can We Achieve in 4rounds. (SCN
2016)
Katz and Ostrovsky (Crypto 2004) proved that five rounds are necessary for standalone general blackbox constructions of secure twoparty protocols and at least four rounds are necessary if only one party needs to receive the output. Recently, Ostrovsky, Richelson and Scafuro (Crypto 2015) proved optimality of this result by showing how to realize arbitrary functionalities in four rounds where only one party receives the output via a blackbox construction (and an extension to five rounds where both parties receive the output). In this paper we study the question of what security is achievable for standalone twoparty protocols within four rounds.
We first provide a fourround twoparty protocol for cointossing that achieves $1/p$simulation security (i.e. simulation fails with probability at most $1/p+\ngl$), in the presence of malicious corruptions. Next, we provide a fourround twoparty protocol for general functionalities, where both parties receive the output, that achieves $1/p$security in the presence of malicious adversaries corrupting one of the parties, and full security in the presence of nonaborting malicious adversaries corrupting the other party. Next, we provide a threeround oblivioustransfer protocol, that achieves $1/p$simulation security against arbitrary malicious senders, while simultaneously guaranteeing a meaningful notion of privacy against malicious corruptions of either party. Finally, we show that the simulationbased security guarantees for our threeround protocols are optimal by proving that 1/psimulation security is impossible to achieve against both parties in three rounds or less when requiring some minimal guarantees on the privacy of their inputs. 

Secure Computation from Millionaires. (ASIACRYPT
2015)
The standard method for designing a secure computation protocol for function f first transforms f into either a circuit or a RAM program and then applies a generic secure computation protocol that either handles boolean gates or translates the RAM program into oblivious RAM instructions.
In this paper, we show a large class of functions for which a different iterative approach to secure computation results in more efficient protocols. The first such examples of this technique was presented by Aggrawal, Mishra, and Pinkas (J. of Cryptology, 2010) for computing the median; later, Brickell and Shmatikov (Asiacrypt 2005) showed a similar technique for shortest path problems. We generalize the technique in both of those works and show that it applies to a large class of problems including certain matroid optimizations, submodular optimization, convex hulls, and other scheduling problems. The crux of our technique is to securely reduce these problems to secure comparison operations and to employ the idea of gradually releasing part of the output. We then identify conditions under which both of these techniques for protocol design are compatible with achieving simulationbased security in the honestbutcurious and covert adversary models. In special cases such as median, we also show how to achieve malicious security. 

On the BlackBox Complexity of UCCommitments.
(ASIACRYPT 2015)
In this work, we study the intrinsic complexity of blackbox Universally Composable (UC) secure computation based on general assumptions. We present a thorough study in various corruption modelings while focusing on achieving security in the common reference string (CRS) model. Our results involve the following:


Resettably Sound ZeroKnoweldge Arguments from OWFs
 the (semi) BlackBox way. (TCC 2015)
We construct a constantround resettablysound zeroknowledge argument of knowledge based on blackbox use of any oneway function. Resettablesoundness was introduced by Barak, Goldreich, Goldwasser and Lindell (FOCS 01) and is a strengthening of the soundness requirement in interactive proofs demanding that soundness should hold even if the malicious prover is allowed to “reset” and “restart” the verifier. In their work they show that resettablysound ZK arguments require nonblackbox simulation techniques, and also provide the first construction based on the breakthrough simulation technique of Barak (FOCS 01). All known implementations of Barak’s nonblackbox technique required nonblackbox use of a collisionresistance hashfunction (CRHF).
Very recently, Goyal, Ostrovsky, Scafuro and Visconti (STOC 14) showed an implementation of Barak’s technique that needs only blackbox access to a collisionresistant hashfunction while still having a nonblackbox simulator. (Such a construction is referred to as semi blackbox.) Plugging this implementation in the BGGL’s construction yields the first resettablysound ZK arguments based on blackbox use of CRHFs.
However, from the work of Chung, Pass and Seth (STOC 13) and Bitansky and Paneth (STOC13), we know that resettablysound ZK arguments can be constructed from nonblackbox use of any oneway function (OWF), which is the minimal assumption for ZK arguments. Hence, a natural question is whether it is possible to construct resettablysound zeroknowledge arguments from blackbox use of any OWF only. In this work we provide a positive answer to this question thus closing the gap between blackbox and nonblackbox constructions for resettablysound ZK arguments.


Concurrent Zero Knowledge, Revisited (Journal
of Cryptology, 2014)
We show a parallelrepetition theorem for constantround ArthurMerlin Proofs, using an efficient reduction. As a consequence,
we show that parallel repetition reduces the soundnesserror at an
optimal rate (up to a negligible factor) in constantround publiccoin argument systems, and constantround publiccoin
proofs of knowledge.
The former of these results resolves an open question
posed by Bellare, Impagliazzo and Naor (FOCS '97).


Cloudbased Secure Health Monitoring: Optimizing FullyHomomorphic Encryption for Streaming Algorithms (CCSNA 2014)
There are many incentives for healthcare providers
to shift their datacenters to the cloud. However, privacy of
patient health information is a major concern when processing
medical data offsite. One possible solution is the use of Fully
Homomorphic Encryption (FHE), but this solution is too slow
for most applications. We present a technique that increases
efficiency and parallelism for certain algorithms under FHE.
Through experiments and simulations, we demonstrate that our
method yields about 20x speedup in a sample application. This
is a significant step towards practical FHEbased medical remote
monitoring


4Round Resettably
Sound Zero Knowledge (TCC 2014)
While 4round constructions of zeroknowledge arguments
are known based on the existence of oneway functions, constuctions of
resettablysound zeroknowledge arguments require either stronger assumptions
(the existence of a fullyhomomorphic encryption scheme), or
more communication rounds. We close this gap by demonstrating a 4
round resettablysound zeroknowledge argument for $\mathsf{NP}$ based on the
existence of oneway functions.


On Adaptively Secure Protocols (SCN 2014)
Adaptive security captures the capability of an adversary to
adaptively affect a system during the course of its computation based
on partial information gathered. In this work, we explore the theoretical
complexity of achieving adaptive security in two settings:


Adaptive and Concurrent Secure Computation from
New Adaptive, NonMalleable Commitments (Asiacrypt 2013)
We present a unified approach for obtaining general secure computation that achieves adaptiveUniversally Composable (UC)security. Using our
approach we essentially obtain all previous results on adaptive concurrent secure computation, both in relaxed models (e.g., quasipolynomial time simulation), as well as trusted setup models (e.g., the CRS model, the imperfect CRS model). This provides conceptual simplicity and insight into what is required for adaptive and concurrent security, as well as yielding improvements to setup assumptions and/or computational assumptions in known models. Additionally, we provide the first constructions of concurrent secure computation protocols that are adaptively secure in the timing model, and the nonuniform simulation model. As a corollary we also obtain the first adaptively secure multiparty computation protocol in the plain model that is secure under boundedconcurrency.
Conceptually, our approach can be viewed as an adaptive analogue to the recent work of Lin, Pass and Venkitasubramaniam [STOC '09], who considered only nonadaptive adversaries. Their main insight was that the nonmalleability requirement could be decoupled from the simulation requirement to achieve UCsecurity. A main conceptual contribution of this work is, quite surprisingly, that it is still the case even when considering adaptive security. A key element in our construction is a commitment scheme that satisfies a strong definition of nonmalleability. Our new primitive of concurrent equivocal nonmalleable commitments, intuitively, guarantees that even when a maninthemiddle adversary observes concurrent equivocal commitments and decommitments, the binding property of the commitments continues to hold for commitments made by the adversary. This definition is stronger than previous ones, and may be of independent interest. Previous constructions that satisfy our definition have been constructed in setup models, but either require existence of stronger encryption schemes such as CCAsecure encryption or require independent “trapdoors” provided by the setup for every pair of parties to ensure nonmalleability. A main technical contribution of this work is to provide a construction that eliminates these requirements and requires only a single trapdoor. 

The Generalized Randomized Iterate and Its Application to New Efficient Constructions of UOWHFs from Regular OneWay Functions (Asiacrypt 2012)
This paper presents the Generalized Randomized Iterate of a (regular) oneway function f and showthat it can be used to build Universal OneWay Hash Function (UOWHF) families with O(n^{2}) key length. We then show that Shoup's technique for UOWHF domain extension can be used to improve the efficiency of the previous construction. We present the Reusable Generalized Randomized Iterate which consists of k ≥ n + 1 iterations of a regular oneway function composed at each iteration with a pairwise independent hash function, where we only use log k such hash functions, and we "schedule" them according to the same scheduling of Shoup's domain extension technique. The end result is a UOWHF construction from regular oneway functions with an O(n log n) key. These are the first such efficient constructions of UOWHF from regular oneway functions of unknown regularity. Finally we show that the Shoup's domain extension technique can also be used in lieu of derandomization techniques to improve the efficiency of PRGs and of hardness amplification constructions for regular oneway functions.


A Unified Framework for UC from Only OT (Asiacrypt 2012)
In [LPV09], the authors presented a unified framework for constructing Universally Composable (UC) secure computation protocols, assuming only enhanced trapdoor permutations. In this work, we weaken the hardness assumption underlying the unified framework to only the existence of a standalone secure semihonest Oblivious Transfer (OT) protocol. The new framwork directly implies new and improved UC feasibility results from only the existence of a semihonest OT protocol in various models. Since in many models, the existence of UCOT implies the existence of a semihonest OT protocol.
Furthermore, we show that by relying on a more finegrained analysis of the unified framework, we obtain concurrently secure computation protocols with superpolynomialtime simulation (SPS), based on the necessary assumption of the existence of a semihonest OT protocol that can be simulated in superpolynomial times. When the underlying OT protocol has constant rounds, the SPS secure protocols constructed also have constant rounds. This yields the first construction of constantround secure computation protocols that satisfy a meaningful notions of concurrent security (i.e., SPS security) based on tight assumptions.
A notable corollary following from our new unifed framwork is that standalone (or boundedconcurrent) password authenticated keyexchange protocols (PAKE) can be constructed from only semihonest OT protocols; combined with the result of [Nguyen05] that the existence of PAKE protocols implies that of OT, we derive a tight characterization of PAKE protocols.


Towards NonBlackBox Lower Bounds in Cryptography (TCC 2011)
We consider averagecase strengthenings of the traditional assumption that coNP is not contained in AM. Under these assumptions, we rule out generic and potentially nonblackbox constructions of various cryptographic primitives (e.g., oneway permutations, collisionresistant hashfunctions, constantround statistically hiding commitments, and constantround blackbox zeroknowledge proofs for NP) from oneway functions, assuming the security reductions are blackbox.


Concurrent NonMalleable Zero Knowledge Proofs (CRYPTO 2010)
Concurrent nonmalleable zeroknowledge (NMZK) considers the concurrent execution of zeroknowledge protocols in a setting where the attacker can simultaneously corrupt multiple provers and veriﬁers. Barak, Prabhakaran and Sahai (FOCS’06) recently provided the ﬁrst construction of a concurrent NMZK protocol without any setup assumptions. Their protocol, however, is only computationally sound (a.k.a., a concurrent NMZK argument). In this work we present the ﬁrst construction of a concurrent NMZK proof without any setup assumptions. Our protocol requires poly(n) rounds assuming oneway functions, or Õ(log n) rounds assuming collisionresistant hash functions. As an additional contribution, we improve the round complexity of concurrent NMZK arguments based on oneway functions (from poly(n) to Õ(log n)), and achieve a near linear (instead of cubic) security reductions. Taken together, our results close the gap between concurrent ZK protocols and concurrent NMZK protocols (in terms of feasibility, round complexity, hardness assumptions, and tightness of the security reduction).


Eye for an Eye: On Concurrent ZeroKnowledge in the Timing Model. (TCC 2010)
We present new and efficient concurrent zeroknowledge protocols in the timing model. In contrast to earlier workwhich through artificiallyimposed delays require every protocol execution to run at the speed of the slowest link in the networkour protocols essentially only delay messages based on the actual response time of each verifier (which can be significantly smaller).


Private Coins versus Public Coins in ZeroKnowledge Proof Systems. (TCC 2010)
GoldreichKrawczyk (Siam J of Comp'96) showed that only languages in BPP have constantround publiccoin blackbox zeroknowledge protocols. We extend their lower bound to fully blackbox" private coin protocols based on oneway functions. More precisely, we show that only languages in BPP^{Sam}where Sam is a "collisionfinding" oracle in analogy with Simon (Eurocrypt'98) and Haitner et. al (FOCS'07)can have constantround fully blackbox zeroknowledge proofs; the same holds for constantround fully blackbox zeroknowledge arguments with sublinear verifier communication complexity. We also establish nearlinear lower bounds on the round complexity of fully blackbox concurrent zeroknowledge proofs (or arguments with sublinear verifier communication) for languages outside BPP^{Sam}. The technique used to establish these results is a transformation from privatecoin protocols into Samrelativized publiccoin protocols; for the case of fully blackbox protocols based on oneway functions, this transformation preserves zero knowledge, round complexity and communication complexity.


A Unified Framework for Concurrent Security: Universal Composability from Standalone Nonmalleability. (STOC 2009)
We present a unified framework for obtaining Universally Composable (UC) protocols by relying on standalone secure nonmalleable commitments Essentially all results on concurrent secure computationboth in relaxed models (e.g., quasipolynomial time simulation), or with trusted setup assumptions (e.g., the CRS model, the imperfect CRS model, or the timing model)are obtained as special cases of our framework. This not only leads to conceptually simpler solutions, but also to improved setup assumptions, roundcomplexity, and computational assumptions. Additionally, this framework allows us to consider new relaxed models of security: we show that UC security where the adversary is a uniform PPT but the simulator is allowed to be a nonuniform PPT (i.e., essentially, traditional UC security, but with a nonuniform reduction) is possible without any trusted setup. This gives the first results on concurrent secure computation without setup, which can be used for securely computing ``computationallysensitive'' functionalities (e.g., database queries, ``proof of work''protocols, or playing bridge on the Internet).


Precise Concurrent Zero Knowledge. (EUROCRYPT 2008)
Precise zero knowledge introduced by Micali and Pass (STOC 06) guarantees that the view of any verifier V can be simulated in time closely related to the actual (as opposed to worstcase) time spent by V in the generated view. We provide the first constructions of precise concurrent zeroknowledge protocols. Our constructions have essentially optimal precision; consequently this improves also upon the previously tightest nonprecise concurrent zeroknowledge protocols by Kilian and Petrank (STOC 01) and Prabhakaran, Rosen and Sahai (FOCS 02) whose simulators have a quadratic worstcase overhead. Additionally, we achieve a statisticallyprecise concurrent zeroknowledge propertyâ€”which requires simulation of unbounded verifiers participating in an unbounded number of concurrent executions; as such we obtain the first (even nonprecise) concurrent zeroknowledge protocols which handle verifiers participating in a superpolynomial number of concurrent executions.


On ConstantRound Concurrent ZeroKnowledge. (TCC 2008)
Loosely speaking, an interactive proof is said to be zero knowledge if the view of every "efficient" verifier can be "efficiently" simulated. An outstanding open question regarding zeroknowledge is whether constantround concurrent zeroknowledge proofs exists for non trivial languages. We answer this question to the affirmative when mod eling "efficient adversaries" as probabilistic quasipolynomial time ma chines (instead of the traditional notion of probabilistic polynomialtime machines).


Concurrent NonMalleable Commitments from Oneway Functions (TCC 2008)
We show the existence of concurrent nonmalleable commitments based on the existence of oneway functions. Our proof of security only requires the use of blackbox techniques, and additionally provides an arguably simplified proof of the existence of even standalone secure nonmalleable commitments.


An Efficient Parallel Repetition Theorem for ArthurMerlin Games. (STOC 2007)
We show a parallelrepetition theorem for constantround ArthurMerlin Games, using an efficient reduction. As a consequence, we show that parallel repetition reduces the soundnesserror at an optimal rate (up to a negligible factor) in constantround publiccoin argument systems, and constantround publiccoin proofs of knowledge. The former of these results resolves an open question posed by Bellare, Impagliazzo and Naor (FOCS '97).


lDiversity: Privacy Beyond kAnonymity. (TKDD 2007)
Publishing data about individuals without revealing sensitive information about them is an important problem. In recent years, a new definition of privacy called kanonymity has gained popularity. In a kanonymized dataset, each record is indistinguishable from at least k1 other records with respect to certain "identifying" attributes. In this paper we show using two simple attacks that a kanonymized dataset has some subtle, but severe privacy problems. First, an attacker can discover the values of sensitive attributes when there is little diversity in those sensitive attributes. This is a known problem. Second, attackers often have background knowledge, and we show that kanonymity does not guarantee privacy against attackers using background knowledge. We give a detailed analysis of these two attacks and we propose a novel and powerful privacy criterion called ldiversity that can defend against such attacks. In addition to building a formal foundation for ldiversity, we show in an experimental evaluation that ldiversity is practical and can be implemented efficiently.


lDiversity: Privacy Beyond kAnonymity. (ICDE 2006)
Publishing data about individuals without revealing sensitive information about them is an important problem. In recent years, a new definition of privacy called kanonymity has gained popularity. In a kanonymized dataset, each record is indistinguishable from at least k1 other records with respect to certain "identifying" attributes. In this paper we show with two simple attacks that a kanonymized dataset has some subtle, but severe privacy problems. First, we show that an attacker can discover the values of sensitive attributes when there is little diversity in those sensitive attributes. Second, attackers often have background knowledge, and we show that kanonymity does not guarantee privacy against attackers using background knowledge. We give a detailed analysis of these two attacks and we propose a novel and powerful privacy definition called ldiversity. In addition to building a formal foundation for ldiversity, we show in an experimental evaluation that ldiversity is practical and can be implemented efficiently.


Trusted CVS. (STD3S  ICDE Workshops)
The CVS (Concurrent Versions System) software is a popular method for recording modifications to data objects, in addition to concurrent access to data in a multiuser environment. In current implementations, all users have to trust that the CVS server performs all user operations as instructed. In this paper, we develop protocols that allow users to verify that the server has been compromised, and that it has performed exactly the usersâ€™ operations on the data. We first show that communication between users is necessary to guarantee that users can detect that the server has been compromised. We then propose efficient protocols that fast enable detection of server integrity under CVS workloads. Our techniques also have applications in the outsourcing model where multiple users own a common database maintained by an untrusted thirdparty vendor.


On Byzantine Agreement over (2, 3)Uniform Hypergraphs. (DISC 2004)
Byzantine Agreement is possible on a network consists of only unicast channels (i.e. a 2uniform hypergraph) if and only if n > 3t (Pease et. al. [PSL80]). However, Fitzi and Maurer ([FM00]) show that if, in addition to all unicast channels, there exists local broadcast among every three processes in the network (i.e. a complete (2,3)uniform hypergraph), n>2t is necessary and sufficient for Byzantine agreement. In this paper, we show that optimum tolerance of n>2t can be achieved even if a substantial fraction of the local broadcast channels are not available. Specifically, we model the network as a (2,3)uniform hypergraph H = (P,E), where P denotes the set of n processes and E is a set of 2tuples and/or 3tuples of processes (edges or 3hyperedges), wherein each 3hyperedge represents a local broadcast among the three processes; we obtain a characterization of the hypergraphs on which Byzantine agreement is possible. Using this characterization, we show that for n=2t+1, (2/3t^{3} + Theta(t^{2})) 3hyperedges are necessary and sufficient to enable Byzantine agreement. This settles an open problem raised by Fitzi and Maurer in [FM00]. An efficient protocol is also given whenever Byzantine agreement is possible.


Brief announcement: On the round complexity of distributed consensus over synchronous networks. (PODC 2004)
In a synchronous network, it is wellknown that t + 1 rounds are necessary and sufficient to achieve distributed consensus tolerating t stopping faults[2]. In this work, we show that in a network consisting of all kcast channels, the corresponding number of rounds is floor[(t  1)/k] + 2.

This material is based upon work supported by the National Science Foundation and Google. Any opinions, findings, and conclusions or recommendations expressed in these publications are those of the author(s) and do not necessarily reflect the views of the National Science Foundation and Google.