## Bar Alon - בר אלון

## Simplified PIR and CDS Protocols and Improved Linear Secret-Sharing Schemes

###### 2024

Bar Alon, Amos Beimel, and Or Lasri

UNPUBLISHED

We consider 3 related cryptographic primitives, private information retrieval (PIR) protocols, conditional disclosure of secrets (CDS) protocols, and secret-sharing schemes; these primitives have many applications in cryptography. We study these primitives requiring informationtheoretic security. The complexity of these primitives has been dramatically improved in the last few years are they are closely related, i.e., the the 2-server PIR protocol of Dvir and Gopi (J. ACM 2016) was transformed to construct the CDS protocols of Liu, Vaikuntanathan, and Wee (CRYPTO 2017, Eurocrypt 2018) and these CDS protocols are the main ingredient in the construction of the best known secret-sharing schemes. To date, the messages size required in PIR and CDS protocols and the share size required in secret-sharing schemes is not understood and there are big gaps between their upper bounds and lower bounds. The goal of this paper is to try to better understand the upper bounds by simplifying current constructions and improving their complexity. We obtain the following two independent results:

We simplify, abstract, and generalize the 2-server PIR protocol of Dvir and Gopi (J. ACM 2016) and the 2-server and multi-server CDS protocols of Liu et al. (CRYPTO 2017, Eurocrypt 2018) and Beimel, Farràs, and Lasri (TCC 2023). This is done by considering a new variant of matching vectors and by using a general share conversion. In addition to simplifying previous protocols, our protocols can use matching vectors over any m that is product of two distinct primes. Our construction does not improve the communication complexity of PIR and CDS protocols; however, construction of better matching vectors over any m that is product of two distinct primes will improve their communication complexity.

In many applications of secret-sharing schemes it is important that the scheme is linear, e.g., by using the fact that parties can locally add shares of two secrets and obtain shares of the sum of the secrets. We provide a construction of linear secret-sharing schemes for

*n*-party access structures with improved share size of 2^{0.7563*n*}. Previously, the best share size for linear secret-sharing schemes was 2^{0.7576*n*} and it is known that for most n-party access structures the shares size is at least 2^{0.5*n*}. This results is achieved by a reduction to unbalanced CDS protocols (compared to balanced CDS protocols in previous constructions).

## New Upper Bounds for Evolving Secret Sharing via Infinite Branching Programs

###### 2024

Bar Alon, Amos Beimel, Tamar Ben David, Eran Omri, and Anat Paskin-Cherniavsky

TCC 2024

Evolving secret-sharing schemes, defined by Komargodski, Naor, and Yogev [TCC 2016B, IEEE Trans. on Info. Theory 2018], are secret-sharing schemes in which there is no a-priory bound on the number of parties. In such schemes, parties arrive one by one; when a party arrives, the dealer gives it a share and cannot update this share in later stages. The requirement is that some predefined sets (called authorized sets) should be able to reconstruct the secret, while other sets should learn no information on the secret. The collection of authorized sets that can reconstruct the secret is called an evolving access structure. The challenge of the dealer is to be able to give short shares to the the current parties without knowing how many parties will arrive in the future. The requirement that the dealer cannot update shares is designed to prevent expensive updates. Komargodski et al. constructed an evolving secret-sharing scheme for every monotone evolving access structure; the share size of the 𝑡-th party in this scheme is 2^{𝑡−1}.

Recently, Mazor [ITC 2023] proved that evolving secret-sharing schemes require exponentially-long shares for some evolving access structure, namely shares of size 2^{𝑡−𝑜(𝑡)}. In light of these results, our goal is to construct evolving secret-sharing schemes with non-trivial share size for wide classes of evolving access structures; e.g., schemes with share size 2^{𝑐𝑡} for 𝑐<1 or even polynomial size. We provide several results achieving this goal:

We define layered infinite branching programs representing evolving access structures, show how to transform them into generalized infinite decision trees, and show how to construct evolving secret-sharing schemes for generalized infinite decision trees. Combining these steps, we get a secret-sharing scheme realizing the evolving access structure. As an application of this framework, we construct an evolving secret-sharing scheme with non-trivial share size for access structures that can be represented by layered infinite branching programs with width at layer 𝑡 of at most 2^{0.15𝑡}. If the width is polynomial, then we get an evolving secret-sharing scheme with quasi-polynomial share size.

We construct efficient evolving secret-sharing schemes for dynamic-threshold access structures with high dynamic-threshold and for infinite 2 slice and 3-slice access structures. The share size of the 𝑡th party in these schemes is 2^{\tilde{𝑂}((log 𝑡)^1/\sqrt{2}+𝜖)} for any constant 𝜖>0, which is comparable to the best-known share size of 2^{\tilde{𝑂}((log 𝑡)^1/2)} for finite 2-slice and 3-slice access structures.

We prove lower bounds on the share size of evolving secret-sharing schemes for infinite 𝑘-hypergraph access structures and for infinite directed st-connectivity access structures. As a by-product of the lower bounds, we provide the first non-trivial lower bound for finite directed st-connectivity access structures for general secret-sharing schemes.

## Can Alice and Bob Guarantee Output to Carol?

###### 2024

Bar Alon, Eran Omri, and Muthuramakrishnan Venkitasubramaniam

EUROCRYPT 2024

In the setting of solitary output computations, only a single designated party learns the output of some function applied to the private inputs of all participating parties with the guarantee that nothing beyond the output is revealed. The setting of solitary output functionalities is a special case of secure multiparty computation, which allows a set of mutually distrusting parties to compute some function of their private inputs. The computation should guarantee some security properties, such as correctness, privacy, fairness, and output delivery. Full security captures all these properties together.

Solitary output computation is a common setting that has become increasingly important, as it is relevant to many real-world scenarios, such as federated learning and set disjointness. In the set-disjointness problem, a set of parties with private datasets wish to convey to another party whether they have a common input. In this work, we investigate the limits of achieving set-disjointness which already has numerous applications and whose feasibility (under non-trivial conditions) was left open in the work of Halevi et al. (TCC 2019).

Towards resolving this, we completely characterize the set of Boolean functions that can be computed in the three-party setting in the face of a malicious adversary that corrupts up to two of the parties. As a corollary, we characterize the family of set-disjointness functions that can be computed in this setting, providing somewhat surprising results regarding this family and resolving the open question posed by Halevi et al.

## MPC for Tech Giants (GMPC): Enabling Gulliver and the Lilliputians to Cooperate Amicably

###### 2024

Bar Alon, Moni Naor, Eran Omri, and Uri Stemmer

CRYPTO 2024

In the current digital world, large organizations (sometimes referred to as tech giants) provide service to extremely large numbers of users. The service provider is often interested in computing various data analyses over the private data of its users, which in turn have their incentives to cooperate, but do not necessarily trust the service provider.

In this work, we introduce the Gulliver multi-party computation model (GMPC) to realistically capture the above scenario. The GMPC model considers a single highly powerful party, called the server or Gulliver, that is connected to n users over a star topology network (alternatively formulated as a full network, where the server can block any message). The users are significantly less powerful than the server, and, in particular, should have both computation and communication complexities that are polylogarithmic in n. Protocols in the GMPC model should be secure against malicious adversaries that may corrupt a subset of the users and/or the server.

Designing protocols in the GMPC model is a delicate task, since users can only hold information about polylog(n) other users (and, in particular, can only communicate with polylog(n) other users). In addition, the server can block any message between any pair of honest parties. Thus, reaching an agreement becomes a challenging task. Nevertheless, we design generic protocols in the GMPC model, assuming that at most α<1/6 fraction of the users may be corrupted (in addition to the server). Our main contribution is a variant of Feige’s committee election protocol [FOCS 1999] that is secure in the GMPC model. Given this tool we show:

1. Assuming fully homomorphic encryption (FHE), any computationally efficient function with O(n · polylog(n))-size output can be securely computed in the GMPC model.

2. Any function that can be computed by a circuit of O(polylog(n)) depth, O(n · polylog(n)) size, and bounded fan-in and fan-out can be securely computed in the GMPC model without assuming FHE.

3. In particular, sorting can be securely computed in the GMPC model without assuming FHE. This has important applications for the shuffle model of differential privacy, and resolves an open question of Bell et al. [CCS 2020].

## Three Party Secure Computation with Friends and Foes

###### 2023

Bar Alon, Amos Beimel, and Eran Omri

TCC 2023

In secure multiparty computation (MPC), the goal is to allow a set of mutually distrustful parties to compute some function of their private inputs in a way that preserves security properties, even in the face of adversarial behavior by some of the parties. However, classical security definitions do not pose any privacy restrictions on the view of honest parties. Thus, if an attacker adversarially leaks private information to \emph{honest} parties, it does not count as a violation of privacy. This is arguably undesirable, and in real-life scenarios, it is hard to imagine that possible users would agree to have their private information revealed, even if only to other honest parties.

To address this issue, Alon et al.~[CRYPTO 20] introduced the notion of *security with friends and foes* (FaF security). In essence, (t,h)-FaF security requires that a malicious adversary corrupting up to t parties cannot help a coalition of h semi-honest parties to learn anything beyond what they can learn from their inputs and outputs (combined with the input and outputs of the malicious parties). They further showed that (t,h)-FaF security with n parties is achievable for any functionality if 2t+h<n, and for some functionality, (t,h)-FaF security is impossible assuming 2t+h≥n. A remaining important open problem is to characterize the set of n-party functionalities that can be computed with (t,h)-FaF security assuming 2t+h≥n.

In this paper, we focus on the special, yet already challenging, case of (1,1)-FaF security for three-party, 2-ary (two inputs), symmetric (all parties output the same value) functionalities. We provide several positive results, a lower bound on the round complexity, and an impossibility result. In particular, we prove the following.

1. We identify a large class of three-party Boolean symmetric 2-ary functionalities that can be computed with (1,1)-FaF full security.

2. We identify a large class of three-party (possibly non-Boolean) symmetric 2-ary functionalities, for which no O(log κ)-round protocol computes them with (1,1)-FaF full security. This matches the round complexity of our positive results for various interesting functionalities, such as equality of strings.

## On Secure Computation of Solitary Output Functionalities With and Without Broadcast

###### 2023

Bar Alon and Eran Omri

TCC 2023

Solitary output secure computation models scenarios, where a single entity wishes to compute a function over an input that is distributed among several mutually distrusting parties. The computation should guarantee some security properties, such as correctness, privacy, and guaranteed output delivery. Full security captures all these properties together. This setting is becoming very important, as it is relevant to many real-world scenarios, such as service providers wishing to learn some statistics on the private data of their users.

In this paper, we study full security for solitary output three-party functionalities in the point-to-point model (without broadcast) assuming at most a single party is corrupted. We give a characterization of the set of three-party Boolean functionalities and functionalities with up to three possible outputs (over a polynomial-size domain) that are computable with full security in the point-to-point model against a single corrupted party. We also characterize the set of three-party functionalities (over a polynomial-size domain) where the output receiving party has no input. Using this characterization, we identify the set of parameters that allow certain functionalities related to private set intersection to be securely computable in this model.

Our main technical contribution is a reinterpretation of the hexagon argument due to Fischer et al. [Distributed Computing ’86]. While the original argument relies on the agreement property (i.e., all parties output the same value) to construct an attack, we extend the argument to the solitary output setting, where there is no agreement. Furthermore, using our techniques, we were also able to advance our understanding of the set of solitary output three-party functionalities that can be computed with full security, assuming broadcast but where two parties may be corrupted. Specifically, we extend the set of such functionalities that were known to be computable, due to Halevi et al. [TCC ’19].

## On Perfectly Secure Two-Party Computation for Symmetric Functionalities with Correlated Randomness

###### 2022

Bar Alon, Olga Nissenbaum, Eran Omri, Anat Paskin-Cherniavsky, and Arpita Patra

TCC 2022

A multiparty computation protocol is *perfectly secure* for some function f if it perfectly emulates an ideal computation of f. Thus, perfect security is the strongest and most desirable notion of security, as it guarantees security in the face of any adversary and eliminates the dependency on any security parameter. Ben-Or et al. [STOC '88] and Chaum et al. [STOC '88] showed that any function can be computed with perfect security if strictly less than one-third of the parties can be corrupted. For two-party sender-receiver functionalities (where only one party receives an output), Ishai et al. [TCC '13] showed that any function can be computed with perfect security in the correlated randomness model. Unfortunately, they also showed that perfect security cannot be achieved in general for two-party functions that give outputs to both parties (even in the correlated randomness model).

We study the feasibility of obtaining perfect security for deterministic symmetric two-party functionalities (i.e., where both parties obtain the same output) in the face of malicious adversaries. We explore both the plain model as well as the correlated randomness model. We provide positive results in the plain model, and negative results in the correlated randomness model. As a corollary, we obtain the following results.

1. We provide a characterization of symmetric functionalities with (up to) four possible outputs that can be computed with perfect security. The characterization is further refined when restricted to three possible outputs and to Boolean functions. All characterizations are the same for both the plain model and the correlated randomness model.

2. We show that if a functionality contains an embedded XOR or an embedded AND, then it cannot be computed with perfect security (even in the correlated randomness model).

## Round Efficient Secure Multiparty Quantum Computation with

Identifiable Abort

###### 2021

Bar Alon, Hao Chung, Kai-Min Chung, Mi-Ying Huang, Yi Lee, and Yu-Ching Shen

CRYPTO 2021

A recent result by Dulek et al. (EUROCRYPT 2020) showed a secure protocol for computing any quantum circuit even without the presence of an honest majority. Their protocol, however, is susceptible to a “denial of service” attack and allows even a single corrupted party to force an abort. We propose the first quantum protocol that admits security-with-identifiable-abort, which allows the honest parties to agree on the identity of a corrupted party in case of an abort. Additionally, our protocol is the first to have the property that the number of rounds where quantum communication is required is independent of the circuit complexity. Furthermore, if there exists a post-quantum secure classical protocol whose round complexity is independent of the circuit complexity, then our protocol has this property as well. Our protocol is secure under the assumption that classical quantum-resistant fully homomorphic encryption schemes with decryption circuit of logarithmic depth exist. Interestingly, our construction also admits a reduction from quantum fair secure computation to classical fair secure computation.

## On the Power of an Honest Majority in Three-Party Computation Without Broadcast

###### 2020

Bar Alon, Ran Cohen, Eran Omri, and Tom Suad

TCC 2020

Fully secure multiparty computation (MPC) allows a set of parties to compute some function of their inputs, while guaranteeing correctness, privacy, fairness, and output delivery. Understanding the necessary and sufficient assumptions that allow for fully secure MPC is an important goal. Cleve (STOC ’86) showed that full security cannot be obtained in general without an honest majority. Conversely, by Rabin and Ben-Or (STOC ’89), assuming a broadcast channel and an honest majority enables a fully secure computation of any function. Our goal is to characterize the set of functionalities that can be computed with full security, assuming an honest majority, but no broadcast. This question was fully answered by Cohen et al. (TCC ’16) – for the restricted class of symmetric functionalities (where all parties receive the same output). Instructively, their results crucially rely on agreement and do not carry over to general asymmetric functionalities. In this work, we focus on the case of three-party asymmetric functionalities, providing a variety of necessary and sufficient conditions to enable fully secure computation. An interesting use-case of our results is server-aided computation, where an untrusted server helps two parties to carry out their computation. We show that without a broadcast assumption, the resource of an external non-colluding server provides no additional power. Namely, a functionality can be computed with the help of the server if and only if it can be computed without it. For fair coin tossing, we further show that the optimal bias for three-party (server-aided) r-round protocol remains Θ(1/r) (as in the two-party setting).

## MPC with Friends and Foes

###### 2020

Bar Alon, Eran Omri, and Anat Paskin-Cherniavsky

CRYPTO 2020

Classical definitions for secure multiparty computation assume the existence of a single adversarial entity controlling the set of corrupted parties. Intuitively, the definition requires that the view of the adversary, corrupting t parties, in a real-world execution can be simulated by an adversary in an ideal model, where parties interact only via a trusted-party. No restrictions, however, are imposed on the view of honest parties in the protocol, thus, if honest parties obtain information about the private inputs of other honest parties – it is not counted as a violation of privacy. This is arguably undesirable in many situations that fall into the MPC framework. Nevertheless, there are secure protocols (e.g., the 2-round multiparty protocol of Ishai et al. [CRYPTO 2010] tolerating a single corrupted party) that instruct the honest parties to reveal their private inputs to all other honest parties (once the malicious party is somehow identified).

In this paper, we put forth a new security notion, which we call FaF-security, extending the classical notion. In essence, (t, h^∗)-FaF-security requires the view of a subset of up to h^∗ honest parties to also be simulatable in the ideal model (in addition to the view of the malicious adversary, corrupting up to t parties). This property should still hold, even if the adversary leaks information to honest parties by sending them non-prescribed messages. We provide a thorough exploration of the new notion, investigating it in relation to a variety of existing security notions. We further investigate the feasibility of achieving FaF-security and show that every functionality can be computed with (computational) (t, h^∗)-FaF full-security, if and only if 2t + h^∗ < m. Interestingly, the lower-bound result actually shows that even fair FaF-security is impossible in general when 2t + h^∗ ≥ m (surprisingly, the view of the malicious attacker is not used as the trigger for the attack).

We also investigate the optimal round complexity for (t, h^∗)-FaF-secure protocols and give evidence that the leakage of private inputs of honest parties in the protocol of Ishai et al. [CRYPTO 2010] is inherent.

Finally, we investigate the feasibility of statistical/perfect FaF-security, employing the viewpoint used by Fitzi et al. [ASIACRYPT 1999] for mixed-adversaries.

## On Perfectly Secure 2PC in the OT-Hybrid Model

###### 2019

Bar Alon and Anat Paskin-Cherniavsky

TCC 2019

A well known result by Kilian (ACM 1988) asserts that general secure two computation (2PC) with statistical security, can be based on OT. Specifically, in the client-server model, where only one party – the client – receives an output, Kilian’s result shows that given the ability to call an ideal oracle that computes OT, two parties can securely compute an arbitrary function of their inputs with unconditional security. Ishai et al. (EUROCRYPT 2011) further showed that this can be done efficiently for every two-party functionality in NC^1 in a single round. However, their results only achieve statistical security, namely, it is allowed to have some error in security. This leaves open the natural question as to which client-server functionalities can be computed with perfect security in the OT-hybrid model, and what is the round complexity of such computation. So far, only a handful of functionalities were known to have such protocols. In addition to the obvious theoretical appeal of the question towards better understanding secure computation, perfect, as opposed to statistical reductions, may be useful for designing secure multiparty protocols with high concrete efficiency, achieved by eliminating the dependence on a security parameter. In this work, we identify a large class of client-server functionalities f : X ×Y → {0, 1}, where the server’s domain X is larger than the client’s domain Y, that have a perfect reduction to OT. Furthermore, our reduction is 1-round using an oracle to secure evaluation of many parallel invocations of 1-out-of-2 bit OT, as done by Ishai et al. (EUROCRYPT 2011). Interestingly, the set of functions that we are able to compute was previously identified by Asharov (TCC 2014) in the context of fairness in two-party computation, naming these functions full-dimensional. Our result also extends to randomized non-Boolean functions f : X × Y → {0, . . . , k − 1} satisfying |X|>(k−1) · |Y|.

## Almost-Optimally Fair Multiparty Coin-Tossing with Nearly Three-Quarters Malicious

###### 2016

Bar Alon and Eran Omri

TCC 2016b

An α-fair coin-tossing protocol allows a set of mutually distrustful parties to generate a uniform bit, such that no efficient adversary can bias the output bit by more than α. Cleve [STOC 1986] has shown that if half of the parties can be corrupted, then, no r-round coin-tossing protocol is o(1/r)-fair. For over two decades the best known m-party protocols, tolerating up to t ≥ m/2 corrupted parties, were only O(t/√r)-fair. In a surprising result, Moran, Naor, and Segev [TCC 2009] constructed an r-round two-party O(1/r)-fair coin-tossing protocol, i.e., an optimally fair protocol. Beimel, Omri, and Orlov [Crypto 2010] extended the result of Moran et al. to the multiparty setting where strictly fewer than 2/3 of the parties are corrupted. They constructed a (2^(2^k))/r-fair r-round m-party protocol, tolerating up to t=(m+k)/2 corrupted parties.

Recently, in a breakthrough result, Haitner and Tsfadia [STOC 2014] constructed an O(log^3 (r)/r)-fair (almost optimal) three-party cointossing protocol. Their work brought forth a combination of novel techniques for coping with the difficulties of constructing fair coin-tossing protocols. Still, the best coin-tossing protocols for the case where more than 2/3 of the parties may be corrupted (and even when t=2m/3, where m>3) were θ(1/√r)-fair. We construct an O(log^3 (r)/r)-fair mparty coin-tossing protocol, tolerating up to t corrupted parties, whenever m is constant and t<3m/4.