On Foundations of Public-Key Encryption and Secret Sharing

by Akshay Dhananjai Degwekar

B.Tech., Indian Institute of Technology Madras (2014)
S.M., Massachusetts Institute of Technology (2016)

Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of

Doctor of Philosophy

at the

MASSACHUSETTS INSTITUTE OF TECHNOLOGY

September 2019

© Massachusetts Institute of Technology 2019. All rights reserved.

Author: Department of Electrical Engineering and Computer Science, June 28, 2019

Certified by: Vinod Vaikuntanathan

Associate Professor of Electrical Engineering and Computer Science, Thesis Supervisor

Accepted by: Leslie Kolodziejski, Professor of Electrical Engineering and Computer Science, Chair, Department Committee on Graduate Students


On Foundations of Public-Key Encryption and Secret Sharing by Akshay Dhananjai Degwekar

Submitted to the Department of Electrical Engineering and Computer Science on June 28, 2019, in partial fulfillment of the requirements for the degree of Doctor of Philosophy

Abstract

Since the inception of cryptography, information theory and coding theory have influenced cryptography in myriad ways, including numerous information-theoretic notions of security in secret sharing, multiparty computation and statistical zero knowledge, and by providing a large toolbox used extensively in cryptography. This thesis addresses two questions in this realm.

Leakage Resilience of Secret Sharing Schemes. We show that classical secret sharing schemes like Shamir secret sharing and additive secret sharing over prime order fields are leakage resilient. Leakage resilience of secret sharing schemes is closely related to locally repairable codes, and our results can be viewed as impossibility results for local recovery over prime order fields. As an application of the result, we show the leakage resilience of a variant of the Goldreich-Micali-Wigderson protocol.

From Laconic Statistical Zero Knowledge Proofs to Public Key Encryption. Languages with statistical zero knowledge proofs that are also average-case hard have been used to construct various cryptographic primitives. We show that hard languages with laconic SZK proofs, that is, proof systems where the communication from the prover to the verifier is small, imply public key encryption.

Thesis Supervisor: Vinod Vaikuntanathan
Title: Associate Professor of Electrical Engineering and Computer Science

Acknowledgments

It takes a village to raise a child, hence I have many people to be thankful for. First and foremost, I would like to thank my adviser Vinod Vaikuntanathan for his advice, encouragement and support. I continue to be amazed by his amazing work ethic and the ability to come up with superb questions at the push of a button. I would like to thank my committee Ron Rivest and Yael Kalai, my academic supervisor , and . I had a fantastic set of collaborators at MIT and beyond. This thesis would not have been possible without them. I would like to thank Fabrice Benhamouda, Itay Berman, Nir Bitansky, Yuval Ishai, Tal Rabin, Ron Rothblum, Vinod Vaikuntanathan, and Prashant Nalini Vasudevan for making research fun. I spent a very enjoyable summer at IBM Research. I would like to thank the crypto group: Tal, Shai, Craig, Hugo, Charanjit and Fabrice for their hospitality. I would like to thank Alon, Elette and Tal for a great winter in Israel at IDC Herzliya. The Crypto and TOC group at MIT have been a wonderful home for the last five years. I would like to thank the admins Debbie, Joanne, Linda, Rebecca and Patrice for their help. Grad school would not have been so much fun without the residents of the 5th and 6th floor, especially Itay, Sam, Madalina, Prashant, Govind, Adam, Ron, Tianren, Prabhanjan, Mohammad, Pritish, Nishanth, Michael, Manolis, Alex, Robin, Daniel, Nir, Omer, Katerina, Justin, Aloni, Saleet, Rio, Srini, Sergey, Saeed, Logan, Kai, Andrew and Lisa to name a few. Finally I am extremely grateful for my family: my parents, Vidya and Dhananjai; Aditya and Siddhi; and lastly my twin Anand.

Contents

1 Introduction 9
1.1 A Brief Survey of Information-theoretic Cryptography 10
1.2 Leakage Resilience of Secret Sharing Schemes 12
1.3 From Laconic Statistical Zero Knowledge to Public Key Encryption 13
1.4 Organization 15
1.4.1 Works Not Included in This Thesis 15

2 Leakage Resilience of Secret Sharing Schemes 17
2.1 Introduction 17
2.1.1 Our Results 18
2.1.2 Related Work 21
2.2 Overview of the Techniques 23
2.2.1 Leakage Resilience of Secret Sharing Schemes 23
2.2.2 Application to Leakage Resilience of MPC Protocols 27
2.2.3 On Local Share Conversion 29
2.2.4 Additive Combinatorics Context 31
2.3 Preliminaries 32
2.3.1 Linear Codes 32
2.3.2 Linear Secret Sharing Schemes 33
2.3.3 Fourier Analysis 34
2.4 On Leakage Resilience of Secret Sharing Schemes 36
2.4.1 Definitions and Basic Properties 36
2.4.2 Leakage Resilience of Additive and Shamir's Secret Sharing Schemes 37
2.4.3 Proofs of Theorems 2.4.5, 2.4.6, and 2.4.7 43
2.5 Leakage Resilience of GMW with Preprocessing 53
2.5.1 Security Definitions 54
2.5.2 GMW with Shared Product Preprocessing 55
2.5.3 Proof of Private-Outputs Local Leakage Resilience (Theorem 2.5.5) 58
2.5.4 Proof of Public-Outputs Local Leakage Resilience (Theorem 2.5.6) 60
2.6 On the Impossibility of Local Share Conversion 61
2.6.1 More Fourier Analysis 63
2.6.2 On Additive Secret Sharing: Proof of Theorem 2.6.5 64
2.6.3 On Shamir's Secret Sharing: Proof of Theorem 2.6.6 66
2.6.4 Proof of Lemma 2.6.10 68

3 From Laconic SZK to Public Key Encryption 75
3.1 Overview 75
3.1.1 Our Results 76
3.1.2 Related Works 80
3.1.3 Techniques 81
3.1.4 Organization 89
3.2 Preliminaries 90
3.2.1 Public Key Encryption 90
3.2.2 Universal Hashing 91
3.2.3 Entropy and Divergence 91
3.2.4 Pseudoentropy 94
3.3 The Assumption and Main Theorem 96
3.4 From Laconic SZK to Trapdoor Pseudoentropy Generator 99
3.4.1 Construction of Trapdoor Pseudoentropy Generator 100
3.4.2 Correctness - Proving Lemma 3.4.4 103
3.4.3 Pseudoentropy - Proving Lemma 3.4.5 106
3.5 From Trapdoor Pseudoentropy Generator to Public-Key Encryption 111
3.5.1 Technical Tools 112
3.5.2 Construction of Weak PKE 115
3.5.3 Correctness - Proving Lemma 3.5.11 118
3.5.4 Security - Proving Lemma 3.5.12 122
3.5.5 Implementing the Approximation Algorithm Ent 125
3.5.6 Proving Lemma 3.5.1 129
3.6 Extensions 131
3.6.1 A Weaker Assumption 131
3.6.2 A Complexity-Theoretic Characterization of PKE 134
3.6.3 Oblivious Transfer 137
3.7 Comparing Assumptions 142
3.7.1 Lossy Encryption 142
3.7.2 Learning Parities with Noise 144
3.7.3 Assumptions from [ABW10] 145
3.8 Missing Proofs 149
3.8.1 Proving Lemma 3.5.7 149
3.8.2 Proving Lemma 3.5.9 150

A Appendices 165
A.1 Proofs of Useful Bounds 165

Chapter 1

Introduction

The last four decades of research in the theory of cryptography have produced a host of fantastic notions, from public-key encryption [DH76, RSA78, GM82], multi-party computation [BGW88, GMW87] and zero-knowledge proofs [GMR85] in the 1980s, to fully homomorphic encryption [RAD78, Gen09, BV11] and program obfuscation [BGI+01, GGH+13, SW14] in the modern day. Information theory and coding theory have played a pivotal role in these developments. Even the first rigorous definition of secrecy, by Shannon, was an information-theoretic one [Sha48]. Information theory arises in cryptography in the following somewhat distinct flavors.

1. Information-theoretic Notions of Security. A sizable minority of cryptographic primitives are defined not with computational but with information-theoretic security notions. Examples of such definitions include information-theoretically secure multiparty computation and statistical zero-knowledge proofs.

2. Cryptographic Constructions with an Information-theoretic Core. Various advanced cryptographic constructions are obtained by compiling an information-theoretically secure primitive, often in a restricted idealized model, using lighter primitives.

3. Tools and Techniques. Ideas from information theory and coding theory are extensively used in cryptography.

In this thesis we address two questions in this realm: the first pertains to notions of information-theoretic security, and the second to constructing public key encryption via the paradigm above.

1. Leakage Resilience of Classical Secret Sharing Schemes: Are classical secret sharing schemes like additive secret sharing and Shamir secret sharing leakage resilient? As we detail below, this question concerns information-theoretic multiparty computation and leakage resilience with very close connections to locally repairable codes, a coding theory primitive.

2. From Statistical Zero-Knowledge Proofs (SZK) to Public-Key Encryption: Which general complexity-theoretic assumptions imply public key encryption? We show that hard languages with laconic SZK proofs suffice to construct public key encryption.

All decisional assumptions known to imply public key encryption also have such proof systems. The construction relies on the computational notions of entropy developed in the study of pseudorandomness [HILL99, VZ12].

We start by giving an overview of information-theoretic methods in cryptography and then describe in more detail the motivation behind the problems addressed and their connections to cryptography and information theory.

1.1 A Brief Survey of Information-theoretic Cryptography

Information-theoretic Notions of Security.

Providing security against computationally bounded adversaries is a cornerstone of modern cryptography. Indeed, for various cryptographic primitives like public-key encryption, information-theoretic security is unachievable. But a sizable minority of cryptographic tasks, like multi-party computation, statistical zero-knowledge, private information retrieval and leakage resilience, do have information-theoretic notions of security. Furthermore, information-theoretic proofs in idealized models are often given as heuristic proofs of security for various constructions. We describe these in detail below.

Secret Sharing & Multiparty Computation. In multiparty computation (MPC) [Yao86, GMW87, BGW88, CCD88], various parties wish to compute a joint function on their secret inputs, while revealing nothing but the output of the computation. In settings where multiple parties exist, it is possible to guarantee information-theoretic security: that is, a computationally unbounded adversary that does not control a majority of the parties cannot violate the privacy of the other parties. In other words, the underlying secret is protected from all adversaries who see or control a minority of the participants. There is a large body of work in this area that improves on the seminal works described above in various ways, including reducing the round complexity and the communication. Secret sharing schemes [Bla79, Sha79] form the backbone of all information-theoretic MPC protocols. These give a party, the "dealer", the ability to distribute an encoding of a secret to multiple parties so that a certain quorum of parties has to pool their data to recover the secret. Many secret sharing schemes have additional properties, such as homomorphisms and rerandomizability, that facilitate their use in various cryptographic applications. See the survey by Beimel for more details [Bei11].

Statistical Zero Knowledge Proofs. Statistical zero knowledge proofs [GMR85, Vad99] are zero knowledge proof systems where soundness holds against computationally unbounded provers and zero-knowledge simulation is statistical. The class of problems with statistical zero knowledge proofs has complete problems [SV03, GSV98]. Even more interestingly, these complete problems characterize the class in terms of properties of distributions, such as the entropy and distance between distributions, and have no "cryptographic elements" such as interactive proofs and zero-knowledge. A more recent work describes more complete problems for SZK, also in terms of various notions of distances between distributions [BDRV19].

The hardness of problems with statistical zero knowledge proofs can be used to construct various cryptographic primitives. These proofs fall into the paradigm of having an information-theoretic core with cryptographic glue. Statistical zero knowledge proofs have an instance-dependent flavor: the zero-knowledge property only has to hold for instances in the language, while soundness has to hold for instances outside. These two properties are combined using average-case hardness. This is crucial because SZK proofs exist trivially for problems in BPP: the verifier computes the language by itself. We describe this in more detail in the next section.

Heuristic Security in Idealized Models. Idealized models such as the random oracle model [BR93] and the generic group model are used to argue heuristic security of various primitives. Fiat and Shamir [FS86] showed that interaction can be eliminated from public coin interactive protocols in the random oracle model. Impossibility of reductions between cryptographic primitives in such idealized models has also given rise to a large body of work on black-box separations that aim to separate and classify cryptographic primitives. The most famous of such separations, due to Impagliazzo and Rudich [IR89], shows that public-key encryption cannot be obtained from one-way functions via black-box reductions.

Cryptographic Constructions with an Information-theoretic Core.

Many cryptographic constructions can be viewed as an information-theoretic "core" held together using cryptographic "glue". In these constructions, an advanced cryptographic primitive is obtained by constructing an information-theoretic object and then compiling it using a basic cryptographic primitive. Examples include zero-knowledge proofs obtained from multiparty computation protocols [IKOS07], and constructions of functional, predicate and attribute based encryption schemes where an underlying conditional disclosure of secrets protocol is combined with bilinear maps in the construction.

Probabilistically Checkable Proofs and Delegation. Since the seminal work of Kilian [Kil92], most schemes for delegating computation consist of an information-theoretic object, a probabilistically checkable proof, compiled using commitments of various sorts. A probabilistically checkable proof [AS98, FGL+91, ALM+98] is an NP proof that allows the verifier to accept or reject the instance using only a small number of queries to the proof. Various variants of PCPs are used in these constructions. The early works by Kilian [Kil92] and Micali [Mic94] used standard PCPs; works striving for concrete efficiency use linear PCPs [IKO07, GGPR13, BCI+13, BSCG+13] with bilinear maps. More recently Kalai, Raz and Rothblum used no-signalling PCPs along with PIR [KRR14] to construct a one-round argument system in the standard model.

SZK and Instance-dependent Primitives. More pertinent to this thesis are the instance-dependent primitives. These primitives often arise in the study of statistical zero knowledge proof systems. In instance-dependent primitives, the construction gets as auxiliary input an instance from some language, and the behavior of the primitive varies drastically based on whether the instance is in the language or not. An example of such a primitive is an instance-dependent commitment [OV08]: the commitment is statistically hiding when the

instance is in the language and statistically binding otherwise. Achieving both these properties simultaneously is impossible. The verifier accepts on Yes instances and rejects on No instances. Such instance-dependent protocols are trivial for computationally easy languages. Such an instance-dependent commitment is compiled into a regular cryptographic commitment by leveraging average-case hardness.

The Information Theory & Coding Theory Toolkit.

Various tools from information theory and coding theory are extensively used in cryptography. Notable examples include entropy and computational measures of entropy in pseudorandomness [HILL99, HRVW09, HNO+09, VZ12]; error-correcting codes in secret sharing and multiparty computation [BGW88, Sha79, CGKS98] and various amplification theorems [DNR04, HR05]; other distance measures like KL divergence in parallel repetition theorems [CP15], and Renyi divergences in lattices [BGM+16, BLRL+18].

1.2 Leakage Resilience of Secret Sharing Schemes.

We consider the following basic question:

To what extent are standard secret sharing schemes like additive secret sharing and Shamir secret sharing resilient to leakage?

Motivation. Side-channel attacks, both old [Koc96, KJJ99] and new [KGG+18, LSG+18], can be devastating. A large body of work on the theory of leakage-resilient cryptography (cf. [Riv97, MR04, DP08, AGV09]) studies the possibility of constructing cryptographic schemes that remain secure in the presence of partial leakage of the internal state. One prominent direction of investigation has been designing leakage-resilient cryptographic protocols for general computations [ISW03, FRR+10, DF12, GR15, GIM+16].

The starting point for most of these works is the observation that some standard cryptographic schemes are vulnerable to very simple types of leakage. Moreover, analyzing the leakage resilience of others seems difficult. This motivates the design of new cryptographic schemes that deliver strong provable leakage resilience guarantees.

Here, we forgo designing special-purpose leakage-resilient schemes and focus on studying the properties of classical schemes like Shamir secret sharing. We do so for a couple of reasons: (1) these schemes are the foundations of most multiparty computation protocols like the BGW and GMW protocols [BGW88, GMW87]; (2) potentially, we can get leakage resilience for free; (3) classical secret sharing schemes and MPC protocols have useful properties, like homomorphisms, which the specially designed leakage-resilient schemes are not known to achieve.

Leakage Model and Locally Repairable Codes. We focus on a simple information-theoretic leakage model, dubbed local leakage, where the adversary can apply an arbitrary function of bounded output length to the secret state of each party, but cannot otherwise learn joint information about the states. This model is closely related to other common leakage models like the bounded communication leakage of Micali and Reyzin [MR04]. See Section 2.1.2 for more details.

This leakage model is closely related to the model of locally repairable codes in coding theory. In this setting, the data is stored redundantly across servers so that, if a server fails, the data on that server can be efficiently recovered with very little communication from the other servers. This is akin to the local leakage model, where the secret is stored on a virtual server and the adversary wants to recover it from the other visible servers with minimal leakage.

Results. We show that additive secret sharing schemes and high-threshold instances of Shamir's secret sharing scheme are secure under local leakage attacks when the underlying field is of a large prime order and the number of parties is sufficiently large. This should be contrasted with the fact that any linear secret sharing scheme over a small characteristic field is clearly insecure under local leakage attacks, regardless of the number of parties. Our results are obtained via tools from Fourier analysis and additive combinatorics. A representative parameter setting of our result would be:

Theorem (Informal) 1.2.1. For large n, 9n/10-out-of-n Shamir secret sharing over a prime order field F_p is 1-bit leakage resilient. That is, the secret is hidden from an adversary that can leak any 1-bit function from each of the shares.

This should be contrasted with the work of Guruswami and Wootters [GW17] on the repairability of Reed-Solomon codes, which showed that full recovery of a multi-bit secret is possible, in some settings, by leaking only one bit from each share. An informal statement of their result in terms of secret sharing follows:

Theorem (Informal) 1.2.2 (Guruswami and Wootters [GW17]). Let n = 2^k. There exist 1-bit leakage functions for n/2-out-of-(n - 1) Shamir secret sharing over F_n that allow the adversary to recover the entire secret.

This work shows that some natural linear secret sharing schemes miserably fail to offer local leakage resilience over fields of characteristic 2, in that leaking only one bit from each share is sufficient to fully recover a multi-bit secret. These results show a "duality" between leakage resilience and local repairability, where positive results for leakage resilience serve as impossibility results for repairability and vice versa.

Applications. We present two types of applications of the above results and techniques. As a positive application, we show that the "GMW protocol" for honest-but-curious parties, when implemented using shared products of random field elements (so-called "Beaver Triples"), is resilient in the local leakage model for sufficiently many parties and over certain fields. This holds even when the adversary has full access to a constant fraction of the views. As a negative application, we rule out multi-party variants of the share conversion scheme used in the 2-party homomorphic secret sharing scheme of Boyle et al. [BGI16].

1.3 From Laconic Statistical Zero Knowledge to Public Key Encryption.

Underlying symmetric key encryption is a centuries-old idea: shared secrets enable secure communication. This idea takes many forms: the Caesar cipher, the unconditionally secure

one-time pad, fast heuristic constructions like AES, and a multitude of candidates based on the hardness of a variety of problems. The discovery of public-key encryption, by Diffie and Hellman [DH76] and Rivest, Shamir and Adleman [RSA78], revolutionized the field by giving us the ability to communicate securely without any shared secrets. Needless to say, this capability is one of the cornerstones of secure communication in today's online world. As is typically the case in cryptography, we are currently very far from establishing the security of public-key cryptography unconditionally. Rather, to establish security, we rely on certain computational intractability assumptions. Despite four decades of extensive research, we currently only know constructions of public-key encryption from a handful of assumptions, most notably assumptions related to the hardness of factoring, finding discrete logarithms and computational problems related to lattices (as well as a few more exotic assumptions). One of the central open problems in cryptography is to place public-key encryption on firmer complexity-theoretic grounding, ideally by constructing public key encryption from the minimal assumption that one-way functions exist. However, the celebrated work of Impagliazzo and Rudich [IR89] shows a significant barrier toward such a result.¹ Given that, a basic question that we would like to resolve is the following:

From what general complexity-theoretic assumptions can we construct public-key cryptography?

Our motivation for asking this question is two-fold. First, we seek to understand: why is it the case that so few assumptions give us public-key encryption? What kind of 'structured hardness' is required? Secondly, we hope that this understanding can guide the search for new concrete problems that yield public key encryption.

Results. We construct a PKE scheme from a natural general complexity-theoretic assumption. More specifically, we construct PKE assuming the existence of an average-case hard language in NP that also has an honest-verifier SZK argument-system in which the honest prover is efficient and laconic. That is, messages that the prover sends should be efficiently computable (given the NP witness) and short (i.e., of sufficiently sub-logarithmic length). Languages in NP with such laconic SZK protocols are known from a variety of computational assumptions (e.g., Quadratic Residuosity, Decisional Diffie-Hellman, Learning with Errors, etc.). Thus, our main result can also be viewed as giving a common framework for constructing PKE which, in particular, captures many of the assumptions that were already known to yield PKE. We also show several extensions of our result. First, we show that a strengthening of our assumption also yields a (2-message) oblivious transfer protocol. Second, that a certain (less natural) weakening of the assumption is actually equivalent to PKE, thereby giving a complexity-theoretic characterization of PKE.

Connections. These constructions heavily rely on computational notions of entropy developed in the study of cryptographic pseudorandomness [HILL99, VZ12].

¹ [IR89] construct an oracle relative to which one-way functions (and even permutations) exist, but public-key encryption does not. Thus, no construction of public-key encryption from one-way functions can be black-box.

These results add to the deep connections between hard problems in SZK and cryptography. Ostrovsky [Ost91] showed that the existence of a language in SZK with average-case hardness implies the existence of one-way functions. Our result can be interpreted as an extension of Ostrovsky's result: by assuming additional structure on the underlying SZK protocol, we construct a public-key encryption scheme. In fact, some of the ideas underlying our construction are inspired by Ostrovsky's one-way function. There are other results known in this vein: Ong and Vadhan [OV08] showed how to construct constant round statistically hiding commitments from SZK hardness. Berman et al. [BDRV18b] showed that the hardness of some entropy difference problems implies multi-collision resistant hash functions, a weaker form of collision resistant hash functions. Similarly, [KY18] showed that average-case hardness of problems in SZK implies distributional collision resistant hash functions, another weakening of collision resistance. In the other direction, some cryptographic primitives like homomorphic encryption [BL13], lossy encryption and PIR (computational private information retrieval) [LV16] imply the existence of average-case hard problems in SZK. We also mention that many other primitives, such as one-way functions, public-key encryption and oblivious transfer, do not imply the existence of average-case hard problems in SZK (under black-box reductions) [BDV17].

1.4 Organization

The thesis consists of two chapters, each devoted to the results described above. In Chapter 2, we describe our results on leakage resilience of secret sharing schemes and its applications. The chapter starts with a detailed overview in Section 2.1. In Chapter 3, we describe our assumption and the resulting construction of public key encryption. We also describe a strengthening of the assumption that implies oblivious transfer and a weakening that is equivalent to public-key encryption. This chapter also starts with an overview in Section 3.1. This thesis is based on the following two papers:

1. Fabrice Benhamouda, Akshay Degwekar, Yuval Ishai, and Tal Rabin. On the Local Leakage Resilience of Linear Secret Sharing Schemes. In Advances in Cryptology - CRYPTO 2018, 2018.²

2. Itay Berman, Akshay Degwekar, Ron D. Rothblum, and Prashant Nalini Vasudevan. From Laconic Zero-Knowledge to Public-Key Cryptography. In Advances in Cryptology - CRYPTO 2018, 2018.³

1.4.1 Works Not Included in This Thesis

The following research, also performed during the PhD, was not included in the thesis.

1. Nir Bitansky, Akshay Degwekar. On the Complexity of Collision Resistant Hash Functions: New and Old Black-Box Separations. Manuscript, 2019.

² Chapter 2 is based on [BDIR19]. An extended abstract version of [BDIR19] was published at CRYPTO 2018 as (©IACR 10.1007/978-3-319-96884-1-18).
³ Chapter 3 is based on [BDRV17]. An extended abstract version of [BDRV17] was published at CRYPTO 2018 as [BDRV18a] (©IACR 10.1007/978-3-319-96878-0-23).

2. Itay Berman, Akshay Degwekar, Ron D. Rothblum, Prashant Nalini Vasudevan. Statistical Difference Beyond the Polarizing Regime. Manuscript, 2019.

3. Akshay Degwekar, Preetum Nakkiran, Vinod Vaikuntanathan. Computational Limitations in Robust Classification and Win-Win Results. In Conference on Learning Theory - COLT 2019, 2019.

4. Itay Berman, Akshay Degwekar, Ron D. Rothblum, Prashant Nalini Vasudevan: Multi-Collision Resistant Hash Functions and Their Applications. Annual International Conference on the Theory and Applications of Cryptographic Techniques - EUROCRYPT 2018, 2018.

5. Nir Bitansky, Akshay Degwekar, Vinod Vaikuntanathan: Structure vs. Hardness Through the Obfuscation Lens. In Advances in Cryptology - CRYPTO 2017, 2017.

6. Akshay Degwekar, Vinod Vaikuntanathan, Prashant Nalini Vasudevan: Fine-Grained Cryptography. In Advances in Cryptology - CRYPTO 2016, 2016.

Chapter 2

Leakage Resilience of Secret Sharing Schemes

2.1 Introduction

The recent attacks of Meltdown and Spectre [KGG+18, LSG+18] have brought back to the forefront the question of side-channel leakage and its effects. Starting with the early works of Kocher et al. [Koc96, KJJ99], side-channel attacks have demonstrated vulnerabilities in cryptographic primitives. Moreover, there are often inherent tradeoffs between efficiency and leakage resilience, where optimizations increase the susceptibility to side-channel attacks. A large body of work on the theory of leakage-resilient cryptography (cf. [BBR88, BBCM95, Riv97, DSS01, CDH+00, MR04, DP08, AGV09]) studies the possibility of constructing cryptographic schemes that remain secure in the presence of partial leakage of the internal state. One prominent direction of investigation has been designing leakage-resilient cryptographic protocols for general computations [ISW03, FRR+10, DF12, Rot12, GR15, GIM+16].

The starting point for most of these works is the observation that some standard cryptographic schemes are vulnerable to very simple types of leakage. Moreover, analyzing the leakage resilience of others seems difficult. This motivates the design of new cryptographic schemes that deliver strong provable leakage resilience guarantees. In this work, we forgo designing special-purpose leakage-resilient schemes and focus on studying the properties of existing common designs. We want to understand:

To what extent are standard cryptographic schemes leakage resilient?

We restrict our attention to linear secret sharing schemes and secure multiparty computation (MPC) protocols that build on them. In particular, we would like to understand the leakage resilience properties of the most commonly used secret sharing schemes, like additive secret sharing and Shamir's scheme, as well as simple MPC protocols that rely on them. Analyzing existing schemes has a big advantage, as it can potentially allow us to enjoy their design benefits while at the same time enjoying a strong leakage-resilience guarantee. Indeed, classical secret sharing schemes and MPC protocols have useful properties which the specially designed leakage-resilient schemes are not known to achieve. For instance, linear

secret sharing schemes can be manipulated via additive (and sometimes multiplicative) homomorphism, and standard MPC protocols can offer resilience to faults and to a large number of fully corrupted servers. Finally, classical schemes are typically more efficient than special-purpose leakage-resilient schemes.

Local Leakage. We study leakage resilience under a simple and natural model of local leakage attacks. To motivate the model, consider servers sharing some secret data and possibly performing some computation on their shares. The local leakage model has the following three properties: (1) The attacker can leak information about each server's state locally, independently of the other servers' states; this is justified by physical separation. (2) Only a few bits of information can be leaked about the internal state of each server; this is justified by the limited precision of measurements of physical quantities such as time or power. (3) The leakage is adversarial, in the sense that the adversary can decide what function of the secret state to leak. This is due to the fact that the adversary may have permission to legally execute programs on the server or have other forms of influence that can somewhat control the environment.

The local leakage model we consider is closely related to other models that were considered in the literature under the names "only computation leaks" (OCL) [MR04, BDL14, GR15, DLZ15], "intrusion resilience" [DP07], or "bounded communication leakage" [GIM+16]. These alternative models are typically more general in that they allow the leakage to be adaptive, or computable by an interactive protocol, whereas the leakage model we consider is non-adaptive.

Despite its apparent simplicity, our local leakage model can be quite powerful and enable very damaging attacks. In particular, in any linear secret sharing scheme over a field $\mathbb{F}_{2^k}$ of characteristic 2, an adversary can learn a bit of the secret by leaking just one bit from each share. Surprisingly, in the case of Shamir's scheme, full recovery of a multi-bit secret is possible, in some settings, by leaking only one bit from each share [GW17]. Some of the most efficient implementations of MPC protocols (such as the ones in [DPSZ12, KOS16, AFL+16]) are based on secret sharing schemes over $\mathbb{F}_{2^k}$ and are thus susceptible to such an attack.

As mentioned earlier, most prior works on leakage-resilient cryptography (see Section 2.1.2 below) design special-purpose leakage-resilient schemes. These works have left open the question of analyzing (variants of) standard schemes and protocols. Such an analysis is motivated by the hope to obtain better efficiency and additional security features.

2.1.1 Our Results

We obtain three kinds of results. First, we analyze the local leakage resilience of linear secret sharing schemes. Then, we apply these results to prove the leakage resilience of some natural MPC protocols. Finally, we present a somewhat unexpected application of these techniques to rule out the existence of certain local share conversion schemes. Our results are based on Fourier analysis techniques developed in the context of additive combinatorics. See Section 2.1.2 for details. We now give a more detailed overview of these results.

Leakage resilience of linear secret sharing schemes. In a linear secret sharing scheme over a finite field $\mathbb{F}$, the secret is an element $s \in \mathbb{F}$ and the share obtained by each party consists of one or more linear combinations of $s$ and some random field elements. Two commonly used linear secret sharing schemes are the additive scheme, where the shares are random field elements that add up to the secret, and Shamir's scheme, where the shares are evaluations of a random degree-bounded polynomial whose free coefficient is equal to the secret. We consider a scenario where $n$ parties hold a linear secret sharing of either $s_0$ or $s_1$, specified by the adversary $\mathcal{A}$. (Due to linearity, we can assume without loss of generality that $s_0 = 0$ and $s_1 = 1$.) The adversary can also specify arbitrary leakage functions that output $m$ bits of leakage from each party's share. The adversary's goal is to determine whether the secret shared is $s_0$ or $s_1$. In this setting, we prove the following theorems.

Theorem 2.1.1 (Informally, Additive Secret Sharing). The additive secret sharing scheme over $\mathbb{F}_p$ is local leakage resilient even when up to $\log_2(p) - 1$ bits (namely, all but one bit) are leaked from every share. Concretely, the adversary's advantage in distinguishing between any two secrets is at most $p \cdot 2^{-\Omega(n/p^2)}$, where $n$ is the number of parties. In particular, when $p$ is fixed and $n$ tends to infinity, the advantage is $2^{-\Omega(n)}$.

For a more precise statement see Corollaries 2.4.8, 2.4.10, and 2.4.11. There are many other parameter settings possible; for example, if $p > n$, then additive secret sharing is leakage resilient when $(\log p)/4$ bits are leaked from each share, and the adversary's advantage degrades as $2^{-\Omega(\sqrt{n})}$. In contrast to the theorem above, if the additive secret sharing were over $\mathbb{F}_{2^k}$, the adversary could distinguish between the two secrets by just leaking the least significant bit of each share and adding those up to reveal the least significant bit of the secret. We show the following result for Shamir's secret sharing.

Theorem 2.1.2 (Informally, Shamir's Secret Sharing). Let $p > n$ be a prime, where $n$ is the number of parties. Then $(n, t)$-Shamir's secret sharing¹ over $\mathbb{F}_p$ is local leakage resilient for the following parameters:

1. $t = \alpha n$ for some constant $\alpha < 1$ when a constant number of bits are leaked from each share. The adversary's advantage degrades as $2^{-\Omega(n)}$. When 1 bit is leaked, $\alpha = 0.85$ suffices.

2. $t = n - n^{1/4}$ when a quarter of the bits ($(\log p)/4$ of $\log p$) are leaked from every share, where $n < p < 2n$. The adversary's advantage degrades as $2^{-\Omega(\sqrt{n})}$.

For a more precise statement see Corollaries 2.4.9, 2.4.12, and 2.4.13. Shamir's secret sharing is typically used with threshold t = n/2 or t = n/3, in which case the above result is not applicable. While we cannot prove local leakage resilience, we do not know of attacks in this parameter regime. We conjecture the following:

Conjecture 2.1.3 (Shamir's Secret Sharing). For large enough $n$, $(n, t = \alpha n)$-Shamir's secret sharing is 1-bit local leakage resilient for any constant $\alpha > 0$.

Observe that proving the conjecture for a specific constant $\alpha$ immediately implies the conjecture for any constant $\alpha' > \alpha$. This follows from the fact that $(n, \alpha n)$-Shamir's shares can be locally converted to random $(n, \alpha' n)$-Shamir's shares for $\alpha' > \alpha$.²

¹ In the whole paper, an $(n, t)$-Shamir's secret sharing scheme, or Shamir's secret sharing scheme with (reconstruction) threshold $t$, uses polynomials of degree $t - 1$, so that the secret cannot be recovered from a collusion of fewer than $t$ parties. The secret can be recovered from the shares of $t$ parties.

² This can be done by locally adding shares of an arbitrary $(n, \alpha' n)$-Shamir's sharing of 0 to the given $(n, \alpha n)$-Shamir's shares, for $\alpha' > \alpha$.

Application to leakage-resilient MPC. We use the leakage resilience of linear secret sharing schemes to show that the honest-but-curious variant of the GMW [GMW87] protocol with a "Beaver triples" setup [Bea91] (that we call GMW with shared product preprocessing) is local leakage resilient. For the MPC setting, we modify the leakage model as follows to allow for a stronger adversary. The adversary $\mathcal{A}$ is allowed to corrupt a fraction of the parties and see their shares and views of the entire protocol execution. In addition, $\mathcal{A}$ specifies local leakage functions for the non-corrupted parties and receives the corresponding leakage on their individual views.

The honest-but-curious GMW protocol with shared product preprocessing works as follows. The parties wish to evaluate an arithmetic circuit $C$ on an input $\mathbf{x}$. The parties receive random shares of the input $\mathbf{x}$ under a linear secret sharing scheme and random shares of Beaver triples under the same scheme.³ The protocol proceeds gate by gate, where the parties maintain a secret sharing of the value at each gate. For input, addition and inverse ($-1$) gates, parties locally manipulate their existing shares to generate the shares for these gates. For multiplication gates, where we multiply $z_1$ and $z_2$ to get $z$, the parties first construct $z_1 - a$ and $z_2 - b$ by broadcasting the differences of the shares of the inputs and of the shares of $a$ and $b$ from a fresh Beaver triple $(a, b, ab)$. Then the parties can locally construct a secret sharing of $z = z_1 \cdot z_2$ by using the following relation:

$$z = (z_1 - a)(z_2 - b) + a(z_2 - b) + b(z_1 - a) + ab.$$

We show that when the underlying secret sharing scheme is local leakage resilient, this protocol can also tolerate local leakage. We prove leakage resilience under a simulation-based definition. See Section 2.5 for details. Informally, when the additive secret sharing scheme is used, we show the following.

Theorem 2.1.4 (Informally, Leakage Resilience of GMW). For any prime $p$, the GMW protocol with shared product preprocessing and additive secret sharing over $\mathbb{F}_p$ is local leakage resilient. The adversary can corrupt $n/2$ parties, learn their entire state and then locally leak a constant number of bits each from all the uncorrupted parties. The adversary's distinguishing advantage for this attack is $2^{-\Omega(n)}$.

On the impossibility of local share conversion. In the problem of local share conversion [CDI05, BIKO12], $n$ parties hold a share of a secret $s$ under a secret sharing scheme $\mathcal{S}$. Their goal is to locally, without interaction, convert their shares to shares of a related secret $s'$ under a different secret sharing scheme $\mathcal{S}'$ such that $(s, s')$ satisfy a pre-specified relation $R$. We assume $R$ is non-trivial in the sense that it is not permissible to map shares of every secret $s$ to shares of a fixed constant. Local share conversion has been used to design protocols for Private Information Retrieval [BIKO12]. More recently, different kinds of local share conversion were used to construct Homomorphic Secret Sharing (HSS) schemes [BGI16, DHRW16, FGJ17]. Using techniques similar to the ones for leakage resilience, we rule out certain nontrivial instances of local share conversion. We first state our results and then discuss their relevance to constructions of HSS schemes.

³ A Beaver triple consists of $(a, b, ab)$ where $a, b$ are randomly chosen field elements.

Theorem 2.1.5 (Informally, Impossibility of Local Share Conversion). Three-party additive secret sharing over $\mathbb{F}_p$, for any prime $p > 2$, cannot be converted to additive secret sharing over $\mathbb{F}_2$, with constant success probability ($> 5/6$), for any non-trivial relation $R$ on the secrets.

The proof of this result uses a Fourier analysis technique similar to the analysis of the Blum-Luby-Rubinfeld linearity test [BLR93]. We also show a similar impossibility result for Shamir's secret sharing. This result relies crucially on a technique by Green and Tao [GT10]. We elaborate more in Section 2.2. See Theorems 2.6.5 and 2.6.6 for the precise general statements.

Relevance to HSS Schemes. At the heart of the DDH-based 2-party HSS scheme of Boyle et al. [BGI16] and its Paillier-based variant of Fazio et al. [FGJ17] is an efficient local share conversion algorithm of the following special form. The two parties hold shares $g^x$ and $g^y$ respectively of $b \in \{0, 1\}$, such that $g^b = g^x \cdot g^y$. The conversion algorithm enables them to locally compute additive shares of the bit $b$ over the integers $\mathbb{Z}$, with small (inverse polynomial) failure probability. Note that this implies a similar conversion to additive sharing over $\mathbb{F}_2$. One approach to constructing 3-party HSS schemes would be to generalize this local share conversion scheme to 3 parties, i.e., servers holding random $g^x$, $g^y$ and $g^z$ respectively, such that $g^b = g^x \cdot g^y \cdot g^z$, can locally convert these shares to additive shares of the bit $b$ over the integers. We rule out this approach by showing that even when given the exponents $x$, $y$ and $z$ in the clear (i.e., $x + y + z = b$ over $\mathbb{F}_p$), locally computing additive shares of $b$ over $\mathbb{F}_2$ (or the integers) with small failure probability is impossible. A similar share conversion from (noisy) additive sharing over $\mathbb{F}_p$ to additive sharing over $\mathbb{F}_2$ was used by Dodis et al. [DHRW16] (and recently by Boyle et al. [BKS19]) to obtain an LWE-based construction of 2-party HSS and spooky encryption. However, in this case there is an alternative route of reducing the multiparty case to the 2-party case. Our negative result only rules out a direct generalization of the 2-party solution to the multi-party case.

2.1.2 Related Work

Our work was inspired by the surprising result of Guruswami and Wootters [GW17] mentioned above. This work turned attention to the fact that some natural linear secret sharing schemes miserably fail to offer local leakage resilience over fields of characteristic 2, in that leaking only one bit from each share is sufficient to fully recover a multi-bit secret.

The traditional "leakage" model considered in multiparty cryptography allows the adversary to fully corrupt up to $t$ parties and learn their entire secret state. This $t$-bounded leakage model motivated secret sharing schemes designed to protect information [Sha79, Bla79] and secure multiparty computation (MPC) protocols designed to protect computation [Yao86, GMW87, BGW88, CCD88]. The same leakage model was also considered at the hardware level, where parties are replaced by atomic gates [ISW03]. The $t$-bounded leakage considered in all these works is quite different from the local leakage model we consider: we allow partial leakage from every secret state, whereas the $t$-bounded model allows full leakage from up to $t$ secret states. While resilience to $t$-bounded leakage was shown to imply resilience to certain kinds of "noisy leakage" [FRR+10, DDF14] or "low-complexity leakage" [BIVW16], it clearly does not imply local leakage resilience in general. Indeed, additive secret sharing over $\mathbb{F}_{2^k}$ is highly secure in the $t$-bounded model and yet is totally insecure in the local leakage model.

The literature on leakage-resilient cryptography is extensive, thus we discuss a few of the most relevant works. Secret-sharing schemes that offer local leakage resilience were first constructed by Dziembowski and Pietrzak [DP07]. Their scheme involved an interactive reconstruction procedure, which was needed for allowing the reconstruction to access only a small part of the shares. Simpler constructions (without the latter efficiency feature) were proposed by Davì et al. [DDV10]. In particular, they presented a simple two-party scheme based on any two-source extractor, such as the inner-product extractor. For stronger or more general constructions of leakage-resilient secret-sharing schemes, see the recent works of Goyal and Kumar [GK18], Srinivasan and Vasudevan [SV18], and Kumar et al. [KMS18] and references therein. All the above works design specialized (and non-linear) secret-sharing schemes that have strong leakage resilience properties. In contrast, we are interested in exploring the leakage resilience of standard (linear) schemes.

Subsequent to our work, Nielsen and Simkin [NS19] studied the question of leakage resilience of Shamir's secret sharing, and more generally of information-theoretic secret sharing schemes. They show that, in the local leakage model, when the total number of bits leaked exceeds the total entropy of all the shares jointly, the secret is revealed. In our results, the total entropy of the shares is significantly higher than the total number of bits leaked. Closing this gap and showing either better leakage resilience or better attacks remains an open question.

We turn to survey some relevant works on leakage-resilient MPC. Boyle et al. [BGK11] consider the problem of leakage-resilient coin-tossing and reduce it to a certain kind of leakage-resilient verifiable secret sharing. Here too, a new construction of (nonlinear) secret sharing is developed in order to achieve these results.

Goldwasser and Rothblum [GR15] give a general transformation that takes any algorithm and creates a related algorithm that computes the same function and can tolerate leakage. This approach can be viewed as a special-purpose MPC protocol for a constant number of parties that offers local leakage resilience (and beyond) [BDL14]. However, this construction is quite involved and offers poor concrete leakage resilience and efficiency overhead.

Most relevant to our MPC-related results is the recent work of Goyal et al. [GIM+16] on leakage-resilient secure two-party computation (see also [GIW17]). This work analyzes the resilience of a GMW-style protocol under a similar (in fact, more general) type of leakage to the local leakage model we consider. One key difference is that the protocol from [GIM+16] modifies the underlying circuit (incurring a considerable overhead) whereas we apply the GMW protocol to the original circuit. Also, our approach applies to a large number of parties of which a large fraction can be entirely corrupted, whereas the construction in [GIM+16] is restricted to the two-party setting.

Our results use techniques developed in the context of additive combinatorics. See Tao and Vu [TV06] for an exposition on Fourier analysis methods used in additive combinatorics. The works most relevant to ours are works by Green and Tao [GT10] and follow-ups by Gowers and Wolf [GW10, GW11a, GW11b]. The relation of these works and their techniques to ours is discussed in Section 2.2.4.


2.2 Overview of the Techniques

2.2.1 Leakage Resilience of Secret Sharing Schemes

Very simple local leakage attacks exist for linear secret sharing schemes over small characteristic fields. These attacks stem from the existence of small additive subgroups in these fields. This gives rise to the hope that linear schemes over fields of prime order, which lack such subgroups, are leakage resilient. We start by considering the simpler case of additive secret sharing.

Additive secret sharing. We define $\mathsf{AddSh}(s)$ to be a function that outputs random shares $s^{(1)}, \ldots, s^{(n)}$ such that $\sum_{j} s^{(j)} = s$. Let $\tau = \tau^{(1)}, \tau^{(2)}, \ldots, \tau^{(n)}$ be some leakage functions. We want to show that for all secrets $s_0, s_1 \in \mathbb{F}$, the leakage distributions are statistically close. That is,

$$\{\tau(\mathbf{s}) : \mathbf{s} \leftarrow \mathsf{AddSh}(s_0)\} \approx \{\tau(\mathbf{s}) : \mathbf{s} \leftarrow \mathsf{AddSh}(s_1)\},$$

where $\tau(\mathbf{s}) = \tau^{(1)}(s^{(1)}), \ldots, \tau^{(n)}(s^{(n)})$ is the total leakage the adversary sees on the shares $\mathbf{s} = s^{(1)}, s^{(2)}, \ldots, s^{(n)}$.

We know that there is a local leakage attack on $\mathbb{F}_{2^k}$: simply leak the least significant bit (lsb) from all the parties and add the outputs to reconstruct the lsb of the secret. What enables the attack on $\mathbb{F}_{2^k}$ while $\mathbb{F}_p$ is unaffected? To understand this difference, it is instructive to start with an example. Let us consider additive secret sharing over $\mathbb{F}_{2^k}$ for 3 parties. We know that

$$\mathrm{lsb}(s) = \mathrm{lsb}(s^{(1)}) + \mathrm{lsb}(s^{(2)}) + \mathrm{lsb}(s^{(3)}).$$

This attack works because $\mathbb{F}_{2^k}$ has many subgroups that are closed under addition. Let $A_0 = \mathrm{lsb}^{-1}(0)$ and $A_1 = \mathrm{lsb}^{-1}(1)$. The set $A_0$ is an additive subgroup of $\mathbb{F}_{2^k}$ and $A_1$ is a coset of $A_0$. Furthermore, the lsb function is a homomorphism from $\mathbb{F}_{2^k}$ to the quotient group⁴ $\mathbb{F}_{2^k}/A_0$. The lsb leakage tells us which coset each share $s^{(j)}$ is in. Then by adding these leakages, we can infer whether $s \in A_0$ or $s \in A_1$ (i.e., to which coset it belongs).

Let us consider the analogous situation over $\mathbb{F}_p$ for a prime $p$. The group $\mathbb{F}_p$ does not have any non-trivial subgroups. In fact, it has an opposite kind of expansion property: adding any two sets results in a larger set.

Theorem 2.2.1 (C auchy-Davenport Inequality). Let $A, B \subseteq \mathbb{F}_p$. Let $A + B = \{a + b : a \in A \text{ and } b \in B\}$. Then, $|A + B| \ge \min(p, |A| + |B| - 1)$.

So, if we secret shared a random secret over $\mathbb{F}_p$ and got back leakage output indicating that $s^{(1)} \in B_1$, $s^{(2)} \in B_2$, and $s^{(3)} \in B_3$, we can infer that $s \in B_1 + B_2 + B_3$. But because of this expansion property, the set $B_1 + B_2 + B_3$ is a lot larger than the individual sets $B_i$. This is in contrast to the $\mathbb{F}_{2^k}$ case where, e.g., $A_0 + A_1$ was the same size as $A_0$.

⁴ To recall, in the quotient group $\mathbb{F}_{2^k}/A_0$, the elements are the cosets $A_0, A_1$. The sum of two cosets is the coset formed by the sum of elements of the first coset with elements of the second coset. Concretely, we have $A_0 + A_0 = A_0$, $A_0 + A_1 = A_1$, and $A_1 + A_1 = A_0$.

This gives an idea of why the lsb attack does not work: some information is lost because of expansion. This is not sufficient for us though; what we need to show is stronger. We want to show that even given the leakage, the secret is almost completely hidden. This is a more "distributional" statement.
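As an added example (not code from the thesis), the following Python checks the lsb attack over GF(2^k) exhaustively and then computes, for the contrasting case of F_p, the exact distribution of the same one-bit-per-share leakage for secrets 0 and 1, i.e. the two sides of the comparison above; the field sizes and party counts are constructed for illustration.

```python
"""Added example (not from the thesis): the one-bit lsb attack on additive
secret sharing over GF(2^k), and the same leakage measured exactly over F_p.
Field sizes and party counts below are constructed for illustration."""
import itertools
from fractions import Fraction

# Field arithmetic on integers 0..q-1.  Over GF(2^k) addition of k-bit
# strings is XOR (so subtraction is XOR too); over F_p it is mod p.
def gf2k_ops(k):
    return (lambda a, b: a ^ b), (lambda a, b: a ^ b)

def fp_ops(p):
    return (lambda a, b: (a + b) % p), (lambda a, b: (a - b) % p)

def lsb(x):
    return x & 1

def lsb_attack(leaked_bits):
    """Adversary's reconstruction: add the leaked lsbs over F_2 (XOR)."""
    bit = 0
    for b in leaked_bits:
        bit ^= b
    return bit

def all_sharings(q, n, secret, add, sub):
    """All q^(n-1) additive sharings of `secret`: n-1 free shares and one
    determined share, each sharing equally likely under AddSh."""
    for free in itertools.product(range(q), repeat=n - 1):
        acc = 0
        for x in free:
            acc = add(acc, x)
        yield free + (sub(secret, acc),)

def lsb_attack_recovers_lsb(k, n):
    """Exhaustively check lsb(s) = lsb(s1) + ... + lsb(sn) over GF(2^k): the
    lsb map is a homomorphism onto GF(2^k)/A0, so this holds for every sharing."""
    add, sub = gf2k_ops(k)
    for secret in range(1 << k):
        for shares in all_sharings(1 << k, n, secret, add, sub):
            if lsb_attack(lsb(x) for x in shares) != lsb(secret):
                return False
    return True

def leakage_distribution(q, n, secret, leak_fns, add, sub):
    """Exact distribution of the leakage tuple (l_1, ..., l_n) over AddSh(secret)."""
    total = q ** (n - 1)
    dist = {}
    for shares in all_sharings(q, n, secret, add, sub):
        leak = tuple(f(x) for f, x in zip(leak_fns, shares))
        dist[leak] = dist.get(leak, 0) + Fraction(1, total)
    return dist

def statistical_distance(d0, d1):
    keys = set(d0) | set(d1)
    return sum(abs(d0.get(key, 0) - d1.get(key, 0)) for key in keys) / 2

def lsb_leakage_advantage(q, n, add, sub):
    """Statistical distance between the lsb-leakage distributions of sharings
    of 0 and of 1: the best distinguishing advantage of an adversary that
    sees only this leakage (Eq. (2.1) with s0 = 0, s1 = 1)."""
    leak_fns = [lsb] * n
    d0 = leakage_distribution(q, n, 0, leak_fns, add, sub)
    d1 = leakage_distribution(q, n, 1, leak_fns, add, sub)
    return statistical_distance(d0, d1)

if __name__ == "__main__":
    print("GF(2^3), 3 parties, attack recovers lsb(s):", lsb_attack_recovers_lsb(3, 3))
    print("GF(2^3), 3 parties, advantage:", lsb_leakage_advantage(8, 3, *gf2k_ops(3)))
    for n in (2, 3, 6):   # over F_7 the same leakage gives only partial information
        print(f"F_7, {n} parties, advantage:", lsb_leakage_advantage(7, n, *fp_ops(7)))
```

Over GF(2^3) the two leakage distributions have disjoint supports (advantage 1), while over F_5 with two and three parties the exact advantages are 2/5 and 12/25: the leakage still carries information for such a tiny prime, as the bound $p \cdot 2^{-\Omega(n/p^2)}$ of Theorem 2.1.1 allows.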

We model it as follows. Let us say that we have $n$ parties where party $j$ holds the share $s^{(j)}$. The adversary $\mathcal{A}$ has specified leakage functions $\tau^{(j)} : \mathbb{F}_p \to \{0, 1\}^m$ and received back the leakage $\ell = \ell_1, \ell_2, \ldots, \ell_n$, where $\ell_j = \tau^{(j)}(s^{(j)})$ is the leakage on the $j$-th share. We want to show that even conditioned on this leakage, the probability that the secret was $s_0$ vs. $s_1$ is close to a half. That is, we want to show the following:

$$\Pr_{\mathbf{s} \leftarrow \mathsf{AddSh}(s_0)}[\tau(\mathbf{s}) = \ell] \approx \Pr_{\mathbf{s} \leftarrow \mathsf{AddSh}(s_1)}[\tau(\mathbf{s}) = \ell]. \tag{2.1}$$

Below, we sketch an argument showing that leaking from the additive shares of 0 is statistically close to leaking from a vector of uniformly random elements: if $U$ is the uniform distribution over $\mathbb{F}_p^n$,

$$\Pr_{\mathbf{s} \leftarrow \mathsf{AddSh}(0)}[\tau(\mathbf{s}) = \ell] \approx \Pr_{\mathbf{u} \leftarrow U}[\tau(\mathbf{u}) = \ell]. \tag{2.2}$$

This argument is not specific to 0 and shows that additive secret sharing is local leakage resilient. More precisely, Eq. (2.1) follows from Eq. (2.2) by a simple hybrid argument, as shares of any other secret $s$ are simply shares of 0 with the secret $s$ added to the first party's share. That is, let $e_1 = (1, 0, 0, \ldots, 0)$; then

$$\{\mathbf{s} + s \cdot e_1 : \mathbf{s} \leftarrow \mathsf{AddSh}(0)\} \equiv \{\mathbf{y} : \mathbf{y} \leftarrow \mathsf{AddSh}(s)\}.$$

We want to understand the probability of getting a particular value of leakage under both the uniform distribution and the additive shares of 0. To understand this probability better, let us consider the following operator:

$$A(f_1, f_2, \ldots, f_n) = \mathop{\mathbb{E}}_{\mathbf{s} \leftarrow \mathsf{AddSh}(0)}\left[f_1(s^{(1)}) \cdot f_2(s^{(2)}) \cdots f_n(s^{(n)})\right].$$

By picking the functions $f_j$ appropriately, we can model the probability of getting a particular value of leakage under the secret sharing. Define $1_{\ell_j} : \mathbb{F}_p \to \{0, 1\}$ as follows: $1_{\ell_j}(s) = 1$ if the output of the leakage function $\tau^{(j)}$ on input $s$ is $\ell_j$, i.e., $\tau^{(j)}(s) = \ell_j$, and $0$ otherwise. Notice that we can write the probability of the leakage output being $\ell$ in terms of the operator $A$ as follows:

$$\Pr_{\mathbf{s} \leftarrow \mathsf{AddSh}(0)}[\tau(\mathbf{s}) = \ell] = A(1_{\ell_1}, 1_{\ell_2}, \ldots, 1_{\ell_n}).$$

The probability of the leakage being $\ell$ on the uniform distribution is simply a product of the expectations:

$$\Pr_{\mathbf{u} \leftarrow U}[\tau(\mathbf{u}) = \ell] = \mathop{\mathbb{E}}_{\mathbf{u} \leftarrow U}[1_\ell(\mathbf{u})] = \mathop{\mathbb{E}}_{\mathbf{u} \leftarrow U}\left[1_{\ell_1}(u^{(1)}) \cdot 1_{\ell_2}(u^{(2)}) \cdots 1_{\ell_n}(u^{(n)})\right] = \prod_{j=1}^{n} \mathop{\mathbb{E}}_{u \leftarrow \mathbb{F}_p}\left[1_{\ell_j}(u)\right],$$


where $1_\ell(\mathbf{u}) = 1_{\ell_1}(u^{(1)}) \cdot 1_{\ell_2}(u^{(2)}) \cdots 1_{\ell_n}(u^{(n)})$. So, we want to show:

$$A(1_{\ell_1}, 1_{\ell_2}, \ldots, 1_{\ell_n}) \approx \mathop{\mathbb{E}}_{\mathbf{u} \leftarrow U}[1_\ell(\mathbf{u})].$$

The tool we use to bound the difference $|A(1_\ell) - \mathbb{E}_{\mathbf{u} \leftarrow U}[1_\ell(\mathbf{u})]|$ is Fourier analysis. At the heart of this is the Poisson summation formula for the $A$ operator: the Fourier spectrum of $A$ takes a form highly similar to the definition of $A$, as follows. For $A$ defined over a linear code $C$,

$$A(f_1, f_2, \ldots, f_n) = \mathop{\mathbb{E}}_{\mathbf{s} \leftarrow C}\left[f_1(s^{(1)}) \cdots f_n(s^{(n)})\right],$$

$A$ can be equivalently represented on the dual code $C^\perp$ (see Lemma 2.4.16) as

$$A(f_1, f_2, \ldots, f_n) = \sum_{\alpha \in C^\perp} \hat{f}_1(\alpha_1) \cdot \hat{f}_2(\alpha_2) \cdots \hat{f}_n(\alpha_n),$$

with the "Fourier coefficients" $\hat{f}(\alpha) = \mathbb{E}_{x \leftarrow \mathbb{F}_p}[f(x) \cdot \omega^{\alpha x}]$, where $\omega = \exp(2\pi i/p)$ is a root of unity. Observe that $\hat{1}_{\ell_j}(0) = \mathbb{E}_x[1_{\ell_j}(x)]$. So, $\mathbb{E}_{\mathbf{u} \leftarrow U}[1_\ell(\mathbf{u})] = \hat{1}_{\ell_1}(0) \cdot \hat{1}_{\ell_2}(0) \cdots \hat{1}_{\ell_n}(0)$ is the term corresponding to the all-zeros codeword in the dual code. Hence, the error term we have to bound is the following:

$$A(1_\ell) - \mathop{\mathbb{E}}_{\mathbf{u} \leftarrow U}[1_\ell(\mathbf{u})] = \sum_{\alpha \in C^\perp \setminus \{0\}} \hat{1}_{\ell_1}(\alpha_1) \cdot \hat{1}_{\ell_2}(\alpha_2) \cdots \hat{1}_{\ell_n}(\alpha_n). \tag{2.3}$$

Note that, at this point, it is interesting to observe how the presence of subgroups (over $\mathbb{F}_{2^k}$) and the lack thereof (over $\mathbb{F}_p$) manifests itself. Over $\mathbb{F}_{2^k}$, because of the non-trivial subgroups, these non-zero Fourier coefficients can be large and hence the error term is not small. On the other hand, over $\mathbb{F}_p$ we can show that each non-zero Fourier coefficient is strictly smaller than the zero-th coefficient, and noticeably so. This lets us bound the error term. First we elaborate on the large Fourier coefficients over $\mathbb{F}_{2^k}$ and then give some intuition for the bounds over $\mathbb{F}_p$.

Large coefficients over $\mathbb{F}_{2^k}$. Each Fourier basis function over $\mathbb{F}_{2^k}$ is indexed by a vector $\alpha \in \{0, 1\}^k$, and the Fourier coefficient for $\alpha$ is given by $\hat{f}(\alpha) = \mathbb{E}_{x \leftarrow \mathbb{F}_{2^k}}[f(x) \cdot (-1)^{\langle \alpha, x \rangle}]$.⁵ Over $\mathbb{F}_{2^k}$, non-zero Fourier coefficients can be as large as the zero-th coefficient, which is always the largest for binary valued functions. To use the running example, in the case of the lsb function, let $\tau^{(j)} = \mathrm{lsb}$ and consider $1_{\mathrm{lsb}=1}$ to be the function which returns 1 if the lsb is 1 and 0 otherwise. So, $1_{\mathrm{lsb}=1}$ is 1 on the set $A_1$ and 0 on $A_0$. The non-zero Fourier coefficient indexed by $e_k = (0, 0, \ldots, 0, 1) \in \{0, 1\}^k$ is as large as the zero-th Fourier coefficient since: $\hat{1}_{\mathrm{lsb}=1}(0) = \mathbb{E}_x[1_{\mathrm{lsb}=1}(x)] = 0.5$ as half of the inputs satisfy $\mathrm{lsb} = 1$, and also $\hat{1}_{\mathrm{lsb}=1}(e_k) = \mathbb{E}_x[1_{\mathrm{lsb}=1}(x) \cdot (-1)^{x_k}] = -0.5$, because when $1_{\mathrm{lsb}=1}(x) = 1$, then $x_k = 1$ and $1_{\mathrm{lsb}=1}(x) \cdot (-1)^{x_k} = -1$. So, these two Fourier coefficients are equally large in magnitude. Hence the error term can be quite large.

⁵ We abuse notation and sometimes consider elements of $\mathbb{F}_{2^k}$ as vectors in $\mathbb{F}_2^k$.

Bounding Fourier Coefficients on $\mathbb{F}_p$. Back to the prime order setting (i.e., the setting on which we focus), we want to bound $\hat{1}_\ell(\alpha)$ for non-zero $\alpha \in \mathbb{F}_p$. For now, let us consider a single leakage function $\tau : \mathbb{F}_p \to \{0, 1\}^m$. Observe that $\tau$ partitions $\mathbb{F}_p$ into $2^m$ sets $A_1, A_2, \ldots, A_{2^m}$, where each $A_\ell = 1_\ell^{-1}(1) = \{x \in \mathbb{F}_p : \tau(x) = \ell\}$. For simplicity, assume that each set $A_\ell$ is approximately of size $p/2^m$ (actually, this is the hardest case). We want to understand

$$\hat{1}_\ell(\alpha) = \mathop{\mathbb{E}}_{y \leftarrow \mathbb{F}_p}\left[1_\ell(y) \cdot \omega^{\alpha y}\right] = \frac{1}{p} \sum_{a \in A_\ell} \omega^{\alpha a}.$$

We have $\hat{1}_\ell(0) = \frac{1}{p}\sum_{a \in A_\ell} \omega^{0 \cdot a} = |A_\ell|/p \ge |\hat{1}_\ell(\alpha)|$ for all $\alpha \ne 0$. Sums of the form $\sum_{b \in B} \omega^{b}$ are maximized when the set $B$ is an interval (see Lemma 2.3.11 and Fig. 2-1a). Leveraging this, we can show that there is a constant $c_m < 1$ such that

$$\max_{\alpha \ne 0} |\hat{1}_\ell(\alpha)| \le c_m \cdot |A_\ell|/p.$$

As written, this equation is only true for sets of size $p/2^m$, but arguments based on convexity allow us to plug this back into Eq. (2.3) and show that

$$\mathrm{SD}(\tau(C), \tau(U)) \le \frac{1}{2} \cdot |C^\perp| \cdot c_m^{\,t},$$

where SD denotes the statistical distance between the two distributions, $\tau(C) = \{\tau(\mathbf{s}) : \mathbf{s} \leftarrow C\}$, $\tau(U) = \{\tau(\mathbf{s}) : \mathbf{s} \leftarrow U\}$ (with $U$ being the uniform distribution over $\mathbb{F}_p^n$), and $t$ is the minimum distance of the dual code $C^\perp$. Formally, the theorem is stated in Theorem 2.4.5. The factor $|C^\perp|$ comes from summing over all dual codewords after using the triangle inequality. When applied to the code $C = \mathsf{AddSh}(0)$, we have $|C^\perp| = p$ and $t = n$, and this implies that additive secret sharing is leakage resilient, proving Theorem 2.1.1. We can also apply the result to Reed-Solomon codes, the codes underlying $(n, t)$-Shamir's secret sharing. In this case, $|C^\perp| = p^{n-t+1}$ and hence this proof works only when $n - t = O(n/\log p)$, because we need $c_m^{\,t} \ll p^{-(n-t+1)}$. Furthermore, this bound has the peculiar character that it becomes worse as the prime used increases.⁶ This is unnatural.

Till now, we have utilized the fact that the largest non-zero Fourier coefficient is bounded away from the zero-th Fourier coefficient. To improve our bound, we next utilize another fact about Fourier coefficients: most non-zero Fourier coefficients are a lot smaller than the largest one. For an illustration of this fact, see Fig. 2-1b. In particular, Parseval's identity (Theorem 2.3.9(a)) implies that for any set $A$,

$$\|1_A\|_2^2 = \sum_{\alpha \in \mathbb{F}_p} |\hat{1}_A(\alpha)|^2 = \mathop{\mathbb{E}}_{y \leftarrow \mathbb{F}_p}\left[1_A(y)^2\right] = \frac{|A|}{p}.$$

⁶ While the constant $c_m$ has some dependence on $p$ (it decreases as $p$ increases), it is dwarfed by the $p^{n-t}$ term.

Figure 2-1: Illustrations of Fourier sums and coefficients. (a) Fourier sums are maximized for intervals: $\sum_{a \in A} \omega^a$ for the interval $A = \{0, 1, 2, 3\}$ versus the set $B = \{4, 5, 8, 10\}$ (the scaling of the sums by 4 is for convenience). (b) Fourier coefficients for $A = \{0, 1, 2, 3\}$ over $\mathbb{F}_{13}$.

Hence, an "average" non-zero Fourier coefficient is of size approximately $\sqrt{|A|}/p$, a lot smaller than $c_m |A|/p$, the maximum possible. We want to leverage this fact, and the way to do so is the Cauchy-Schwarz inequality. We describe the idea in the case of additive secret sharing; in the general case, the manipulations are more involved. In the case of additive secret sharing, the dual code is $C^\perp = \{\alpha \cdot (1, 1, \ldots, 1) : \alpha \in \mathbb{F}_p\}$. Roughly speaking, we can bound the sum from Eq. (2.3) as

$$\sum_{\alpha \in \mathbb{F}_p \setminus \{0\}} \left|\hat{1}_{\ell_1}(\alpha) \cdot \hat{1}_{\ell_2}(\alpha) \cdots \hat{1}_{\ell_n}(\alpha)\right| \le \|\hat{1}_{\ell_1}\|_2 \cdot \|\hat{1}_{\ell_2}\|_2 \cdot \max_{\alpha \ne 0} |\hat{1}_{\ell_3}(\alpha)| \cdots \max_{\alpha \ne 0} |\hat{1}_{\ell_n}(\alpha)|.$$

This allows us to derive a sharper bound on the error, showing that for additive secret sharing $\mathrm{SD}(\tau(C), \tau(U)) \le \frac{1}{2} \cdot 2^m \cdot c_m^{\,n-2}$. And for general MDS codes, we can show a similar result: for an $[n, t-1, n-t+2]$ code $C$ (i.e., $C$ is a linear subspace of $\mathbb{F}_p^n$ of dimension $t - 1$ such that the Hamming weight of any non-zero vector of $C$ is at least $n - t + 2$),

SD(-r(C), r(U)),<-<"- . - "2 2

This bound has two desirable properties: first of all, it does not become worse as the prime increases, and secondly, it allows us to show that Shamir's secret sharing is leakage resilient when t = cn for some constant c. For more precise statements and parameters see Section 2.4.2.
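The following added Python (not from the thesis) checks the ingredients of this section numerically: the Fourier coefficients $\hat{1}_A(\alpha)$ over $\mathbb{F}_p$, the interval-maximality behind the constant $c_m$ (Fig. 2-1a), Parseval's identity, the large coefficient of the lsb set over $\mathbb{F}_{2^k}$, and both sides of Eq. (2.3) for $C = \mathsf{AddSh}(0)$. The primes $p = 13$, $p = 7$ and the sets used are constructed choices.

```python
"""Added example (not from the thesis): Fourier coefficients of set indicators
over F_p, the interval-maximality of Fourier sums (Fig. 2-1a), Parseval, the
large lsb coefficient over GF(2^k), and a numerical check of Eq. (2.3) for
additive shares of 0.  The primes and sets below are constructed choices."""
import cmath
import itertools

def fourier_coeff(A, p, alpha):
    """hat{1_A}(alpha) = E_y[1_A(y) * omega^(alpha*y)] = (1/p) * sum_{y in A} omega^(alpha*y)."""
    return sum(cmath.exp(2j * cmath.pi * alpha * y / p) for y in A) / p

def max_nonzero_coeff(A, p):
    """max_{alpha != 0} |hat{1_A}(alpha)|; the zero-th coefficient is |A|/p."""
    return max(abs(fourier_coeff(A, p, a)) for a in range(1, p))

def interval_is_extremal(p, size):
    """Over all B subset F_p of the given size and all alpha != 0, the largest
    |hat{1_B}(alpha)| is attained by the interval {0, ..., size-1} at alpha = 1
    (scaling B by alpha maps the coefficient at alpha to the one at 1)."""
    best = max(max_nonzero_coeff(B, p)
               for B in itertools.combinations(range(p), size))
    interval = abs(fourier_coeff(range(size), p, 1))
    return abs(best - interval) < 1e-9

def parseval_holds(A, p):
    """sum_alpha |hat{1_A}(alpha)|^2 = E_y[1_A(y)^2] = |A|/p."""
    total = sum(abs(fourier_coeff(A, p, a)) ** 2 for a in range(p))
    return abs(total - len(A) / p) < 1e-9

def walsh_coeff(A, k, alpha):
    """Over GF(2^k) (elements as k-bit vectors) the basis is (-1)^<alpha, x>."""
    return sum((-1) ** bin(alpha & x).count("1") for x in A) / (1 << k)

def count_zero_sum(sets, p):
    """Number of tuples (x_1, ..., x_n) with x_j in sets[j] and sum = 0 mod p,
    by dynamic programming on the running sum instead of enumerating tuples."""
    counts = [1] + [0] * (p - 1)
    for A in sets:
        nxt = [0] * p
        for r, c in enumerate(counts):
            for x in A:
                nxt[(r + x) % p] += c
        counts = nxt
    return counts[0]

def leakage_error_terms(p, leak_fns, ell):
    """Both sides of Eq. (2.3) for C = AddSh(0), whose dual code is {(a, ..., a)}:
    left  = Pr_{s <- AddSh(0)}[tau(s) = ell] - Pr_{u <- U}[tau(u) = ell],
    right = sum_{a != 0} prod_j hat{1_{ell_j}}(a)."""
    sets = [[x for x in range(p) if f(x) == l] for f, l in zip(leak_fns, ell)]
    n = len(sets)
    pr_addsh = count_zero_sum(sets, p) / p ** (n - 1)   # p^(n-1) equally likely sharings of 0
    pr_uniform = 1.0
    for A in sets:
        pr_uniform *= len(A) / p
    right = 0
    for a in range(1, p):
        term = 1
        for A in sets:
            term *= fourier_coeff(A, p, a)
        right += term
    return pr_addsh - pr_uniform, right.real

if __name__ == "__main__":
    print("interval extremal over F_13, |B| = 4:", interval_is_extremal(13, 4))
    E = [0, 2, 4, 6]                       # the lsb = 0 set inside F_7
    print("F_7, largest nonzero coefficient / zero-th:", max_nonzero_coeff(E, 7) / (len(E) / 7))
    print("GF(2^3), lsb set, coefficient at e_k:", walsh_coeff([1, 3, 5, 7], 3, 1))
    print("Eq. (2.3), lsb leakage (0,0,0), 3 parties over F_7:",
          leakage_error_terms(7, [lambda x: x & 1] * 3, (0, 0, 0)))
```

For three parties over $\mathbb{F}_7$ with lsb leakage and $\ell = (0,0,0)$, both sides of Eq. (2.3) equal $7/49 - (4/7)^3 = -15/343$, while the corresponding coefficient over $\mathrm{GF}(2^3)$ has magnitude $0.5$, the same as the zero-th coefficient.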

2.2.2 Application to Leakage Resilience of MPC protocols

Given the leakage resilience of additive secret sharing over $\mathbb{F}_p$, we can show that the following honest-but-curious variant of the GMW protocol [GMW87] (GMW with shared product preprocessing) using Beaver triples [Bea91] is leakage resilient. The protocol is described in Fig. 2-2. Recall that in our leakage model, the adversary $\mathcal{A}$ is allowed to corrupt a fraction of the parties, see their views of the entire protocol execution, and then specify leakage functions $\tau$ for the non-corrupted parties and receive this leakage on their individual views. We consider two settings: the first with private outputs, where the adversary does not see the output of the non-corrupted parties, and the second with public outputs, where the parties broadcast their output shares at the end to reconstruct the final output and the adversary sees them.

GMW Protocol with Shared Product Preprocessing

Setup: Given an arithmetic circuit $C$ over a field $\mathbb{F}$ computing $f$. $C$ has gates from the basis $\mathcal{B} = \{+, \times, -1\}$, where the $-1$ gate negates its input. We also have input gates that read a field element from the input.

Input Encoding: On input $\mathbf{x}$, randomly secret share $\mathbf{x}$ using additive secret sharing, i.e., $(\mathbf{x}^{(1)}, \mathbf{x}^{(2)}, \ldots, \mathbf{x}^{(n)}) \leftarrow \mathsf{AddSh}(\mathbf{x})$. Party $j$ gets $\mathbf{x}^{(j)}$.

Randomness: Let $G_\times$ be the set of multiplication gates in $C$. For each multiplication gate $g \in G_\times$, generate a Beaver triple: $\mathbf{a}_g \leftarrow \mathsf{AddSh}(a_g)$, $\mathbf{b}_g \leftarrow \mathsf{AddSh}(b_g)$ and $(\mathbf{ab})_g \leftarrow \mathsf{AddSh}(a_g \cdot b_g)$ for $a_g, b_g \leftarrow \mathbb{F}$.

Protocol $\Pi$: Party $j$ receives an input $\mathbf{x}^{(j)}$ and randomness $(a_g^{(j)}, b_g^{(j)}, (ab)_g^{(j)})_{g \in G_\times}$. The parties traverse the gates in the circuit $C$ in a predetermined order, where every gate is traversed only after its input gates. Let $\mathbf{z}_g$ denote the secret sharing of the value $z_g$ at gate $g$. For each gate, the parties do the following:

1. If gate $g$ is not a multiplication gate, the parties locally generate:

$$\mathbf{z}_g = \begin{cases} \mathbf{x}_i & \text{if } g \text{ is an input gate reading } x_i \\ -\mathbf{z}_{g_1} & \text{if } g \text{ is a } -1 \text{ gate with input } g_1 \\ \mathbf{z}_{g_1} + \mathbf{z}_{g_2} & \text{if } g \text{ is a } + \text{ gate with inputs } g_1 \text{ and } g_2 \end{cases}$$

2. If $g$ is a multiplication gate with inputs $g_1$ and $g_2$, then the parties do the following:

(a) Locally compute $\mathbf{a}' = \mathbf{z}_{g_1} - \mathbf{a}_g$ and $\mathbf{b}' = \mathbf{z}_{g_2} - \mathbf{b}_g$ and broadcast these values.

(b) Receive the corresponding values from the other parties.

(c) Locally compute $z_{g_1} - a_g$ and $z_{g_2} - b_g$ by adding all the values received.

(d) Locally compute $\mathbf{z}_g = (z_{g_1} - a_g)(z_{g_2} - b_g) \cdot \mathbf{1} + (z_{g_1} - a_g) \cdot \mathbf{b}_g + \mathbf{a}_g \cdot (z_{g_2} - b_g) + (\mathbf{ab})_g$, where $\mathbf{1}$ is a fixed secret sharing of the value 1.

Figure 2-2: GMW Protocol with Shared Product Preprocessing

In both models, we show that the adversary's view (i.e., the views of the corrupted parties and the leakage on all the uncorrupted parties' views) can be simulated by a simulator which gets nothing (in the private-outputs setting) or gets all the shares of the output (in the public-outputs setting). To prove the result, we need two ingredients: (a) the leakage resilience of additive secret sharing over $\mathbb{F}_p$ and (b) a lemma formalizing the following intuition: in the GMW protocol, each party learns a share of a secret sharing of the value at each gate in the circuit and nothing more. The first ingredient we have shown above, and we now describe the second. In Lemmas 2.5.8 and 2.5.9, we formally state and prove this intuition in both the private-outputs and public-outputs settings; here we provide an informal statement.

Lemma 2.2.2 (Informal). On an input $\mathbf{x}$, let $z_g$ denote the value at multiplication gate $g \in G$. The joint view of any subset $\mathcal{E}$ of the parties, $\mathsf{view}^{(\mathcal{E})}$, can be simulated given their shares of the inputs and of the values at each multiplication gate:

$\mathsf{view}^{(\mathcal{E})}(\mathbf{x}) \equiv \mathsf{Sim}\big(\mathbf{x}^{(\mathcal{E})}, (\mathbf{z}_g^{(\mathcal{E})})_{g \in G}\big).$

Given the lemma, proving local leakage resilience in the private-outputs setting is a hybrid argument. Because of the lemma, the adversary can leak from party $j$ a function of $\mathbf{x}^{(j)}$ and $(\mathbf{z}_g^{(j)})_{g \in G}$. The simulator $\mathsf{LeakSim}$, not knowing the input $\mathbf{x}$, picks random values $\mathbf{x}'$ and $(z'_g)_{g \in G}$ instead, secret shares them and then leaks from these shares according to the leakage functions $\tau^{(j)}$ specified by $\mathcal{A}$. Then we show that these two distributions are close to each other. If the local leakage can distinguish between the two distributions, then we can use it to construct leakage functions that violate the local leakage resilience of a single instance of the underlying secret sharing scheme. Because of the homomorphic properties of the secret sharing scheme, this transformation is lossless and does not degrade with circuit size as a hybrid argument would. The proof in the public-outputs setting has a subtlety: the adversary sees not only the local leakage from the uncorrupted parties, but also their final outputs. In this case, we first observe that the final output is a fixed linear function of the circuit values $z_g$ of the multiplication gates and of the input values $x_i$. Using this observation, the simulator picks the shares of the multiplication gates conditioned on the output values seen, and we can show a similar reduction to the local leakage resilience of the underlying secret sharing scheme. This proves Theorem 2.1.4.
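The protocol of Figure 2-2 carried out in code, as an added example that is not part of the thesis: additive sharing over $\mathbb{F}_p$ plus a dealer-supplied shared product triple $(\mathbf{a}_g, \mathbf{b}_g, \mathbf{(ab)}_g)$ per multiplication gate, with the broadcast masked shares being the only values that cross the network. The circuit, the prime, the party count and the trusted-dealer preprocessing are constructed here for illustration.

```python
import secrets

P = 101  # constructed small prime; the protocol works over any prime field

def add_share(s, n):
    """AddSh_n(s): n-1 uniform shares, the last one fixes the sum to s."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((s - sum(shares)) % P)
    return shares

def add_rec(shares):
    """AddRec_n: the secret is the sum of all shares."""
    return sum(shares) % P

def preprocess(n):
    """Shared product preprocessing for one multiplication gate (a trusted
    dealer here, standing in for whatever offline phase produces the
    sharings of a_g, b_g and (ab)_g)."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return add_share(a, n), add_share(b, n), add_share(a * b % P, n)

def mul_gate(z1, z2, triple, n):
    """Steps 2(a)-(d) of Figure 2-2. Returns the new sharing z_g and the
    broadcast masked shares (the only messages exchanged)."""
    a, b, ab = triple
    one = [1] + [0] * (n - 1)                          # a fixed sharing of 1
    # (a) each party j masks its own shares and broadcasts the differences
    a_prime = [(z1[j] - a[j]) % P for j in range(n)]
    b_prime = [(z2[j] - b[j]) % P for j in range(n)]
    # (b),(c) everyone adds the broadcasts and learns z1 - a and z2 - b
    d, e = sum(a_prime) % P, sum(b_prime) % P
    # (d) purely local: (z1-a)(z2-b)*1 + (z1-a)*b + a*(z2-b) + ab, share by share
    zg = [(d * e * one[j] + d * b[j] + e * a[j] + ab[j]) % P for j in range(n)]
    return zg, (a_prime, b_prime)

def evaluate(gates, inputs, n):
    """Traverse gates in topological order. Gate forms: ('in', i) reads input
    i; ('neg', g1), ('add', g1, g2), ('mul', g1, g2) refer to earlier gates."""
    x = [add_share(v, n) for v in inputs]              # inputs are shared up front
    z, transcript = [], []
    for g in gates:
        if g[0] == 'in':
            z.append(x[g[1]])
        elif g[0] == 'neg':                             # step 1: local only
            z.append([(-v) % P for v in z[g[1]]])
        elif g[0] == 'add':                             # step 1: local only
            z.append([(u + v) % P for u, v in zip(z[g[1]], z[g[2]])])
        elif g[0] == 'mul':                             # step 2: one broadcast round
            zg, msgs = mul_gate(z[g[1]], z[g[2]], preprocess(n), n)
            z.append(zg)
            transcript.append(msgs)
        else:
            raise ValueError(f"unknown gate {g}")
    return z, transcript

# constructed circuit computing (x0 + x1) * x2 - x0
CIRCUIT = [('in', 0), ('in', 1), ('in', 2),
           ('add', 0, 1), ('mul', 3, 2), ('neg', 0), ('add', 4, 5)]

def run(inputs, n=3):
    """Evaluate CIRCUIT on shared inputs; returns (reconstructed output, broadcasts)."""
    z, transcript = evaluate(CIRCUIT, inputs, n)
    return add_rec(z[-1]), transcript

def plain(inputs):
    """Reference computation in the clear."""
    x0, x1, x2 = inputs
    return ((x0 + x1) * x2 - x0) % P
```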

2.2.3 On Local Share Conversion

In this section, we sketch the techniques used to show Theorem 2.1.5: that three-party additive secret sharing over $\mathbb{F}_p$, for any prime $p > 2$, cannot be converted to additive secret sharing over $\mathbb{F}_2$, even with a small error, for any non-trivial relation $R$ on the secrets. Our results on the impossibility of local share conversion are derived by viewing the output of the share conversion scheme as leakage on the original shares, where the adversary, instead of being able to do arbitrary computation, can only add the leakage outputs over $\mathbb{F}_2$.

Impossibility of Share Conversion of Additive Secret Sharing from $\mathbb{F}_p$ to $\mathbb{F}_2$. We start with the impossibility of local share conversion of additive secret sharings from $\mathbb{F}_p$ to $\mathbb{F}_2$ for any non-trivial relation $R$ on the secrets.^7 The analysis is inspired by Fourier analytic reinterpretations of linearity testing [BLR93] and group homomorphism testing [BCL08].

Assume that $g_1, g_2, g_3 : \mathbb{F}_p \to \mathbb{F}_2$ form a 3-party local share conversion scheme for additive secret sharing for some relation $R$ where shares of 0 in $\mathbb{F}_p$ have to be mapped to shares of 0 in $\mathbb{F}_2$ and shares of 1 in $\mathbb{F}_p$ have to be mapped to shares of 1 in $\mathbb{F}_2$ (with high probability, say 99%).^8 That is, if $x_1 + x_2 + x_3 = b$, then $g_1(x_1) + g_2(x_2) + g_3(x_3) = b$ for $b \in \{0, 1\}$. It is convenient for us to define the real-valued analogues $G_i(x) = (-1)^{g_i(x)}$. At the heart of this proof is the following operator:

$\Lambda(G_1, G_2, G_3) = \mathbb{E}_{\mathbf{x} \leftarrow \mathsf{AddSh}(0)}\big[G_1(x_1) \cdot G_2(x_2) \cdot G_3(x_3)\big].$

7 A relation is trivial if, no matter what secret is shared, a constant output by the conversion scheme would satisfy correctness. Put another way, in a non-trivial relation $R$ there exist $s_0$ and $s_1$ such that $s_0$ has to be mapped to 0 and $s_1$ has to be mapped to 1 by the relation $R$.

8 We consider a more general case in Section 2.6 which also tolerates a higher error probability of 1/6.

The first observation is that if shares of 0 over $\mathbb{F}_p$ are mapped to shares of 0 over $\mathbb{F}_2$ with high probability (say 99%), then the value of this operator is quite high, as

$\Lambda(G_1, G_2, G_3) = 1 - 2 \cdot \Pr_{\mathbf{x} \leftarrow \mathsf{AddSh}(0)}\big[g_1(x_1) + g_2(x_2) + g_3(x_3) \neq 0\big] \geq 0.98.$

The crux of the argument is an 'inverse theorem' style lemma (Lemma 2.6.9) which characterizes the functions $G_i$ that result in a large value for $\Lambda$. Lemma 2.6.9 shows that if $\Lambda(G_1, G_2, G_3)$ is high, then each of the functions $G_1$, $G_2$ and $G_3$ is 'almost' a constant function, i.e., for most $x$'s, $G_i(x)$ is the same fixed value. Given this lemma, the impossibility result follows: because the functions $G_i$ (and hence the $g_i$) are almost always constant, even given secret shares of 1 as input, they would still output shares of 0. To complete the proof, we need to argue that $G_1$ is an almost constant function. This proof has two parts: the first part, which is generic to any field $\mathbb{F}$, is to show that if $\Lambda$ is large, then $G_1$ has a large Fourier coefficient. In the second part, we show that if $G_1$ has a large Fourier coefficient, then $G_1$ is an almost constant function. This part is specific to $\mathbb{F}_p$.

To show the first part, we rewrite $\Lambda(G_1, G_2, G_3)$ over the Fourier basis (using Lemma 2.4.16) to get

$\Lambda(G_1, G_2, G_3) = \sum_{a \in \mathbb{F}_p} \hat{G}_1(a) \cdot \hat{G}_2(a) \cdot \hat{G}_3(a);$

this follows from Lemma 2.4.16 as the dual code of additive shares of 0 is the code generated by the all-ones vector. We can now use the Cauchy-Schwarz inequality with the fact that $\sum_a |\hat{G}_i(a)|^2 = 1$ to get that

$\Lambda(G_1, G_2, G_3) \leq \max_a |\hat{G}_1(a)| \cdot \sum_a |\hat{G}_2(a)| \, |\hat{G}_3(a)| \leq \|\hat{G}_1\|_\infty.$

This implies that $\|\hat{G}_1\|_\infty$ is large. Now we show the second part, which is specific to $\mathbb{F}_p$. We need to show that $G_1$ is an almost constant function. We want to show that if some Fourier coefficient of $G_1$ is large (larger than $2/3$), then it has to be the zero-th coefficient. The zero-th coefficient measures the bias of $G_1$: if the coefficient is small, then $G_1$ is close to balanced, and if this coefficient is large, then $G_1$ is an almost constant function. Although proving this for all primes is somewhat tedious (see Lemma 2.6.7), the intuition is easy to grasp. Let $p = 3$ and $\omega = \exp(2\pi i/3)$ be a root of unity. A non-zero Fourier coefficient of $G_1$ takes the following form: $\hat{G}_1(a) = \mathbb{E}_{x \in \mathbb{F}_3}[G_1(x) \cdot \omega^{ax}]$ for $a \neq 0$. Because $G_1$ takes values in $\{-1, 1\}$ and $\omega^{ax}$ takes all the values $\{1, \omega, \omega^2\}$, these two functions cannot be too correlated. And hence the Fourier coefficient cannot be too large: $|\hat{G}_1(a)| \leq 2/3$. This completes the proof.

The Impossibility of Share Conversion from Shamir's Secret Sharing over $\mathbb{F}_p$ to Additive Sharing over $\mathbb{F}_2$. We now briefly discuss the techniques used to prove the result on local conversion of $(n, t)$-Shamir's secret sharing over $\mathbb{F}_p$ for $(n+3)/2 < t < n$. Again consider a relation $R$ where Shamir's shares of 0 over $\mathbb{F}_p$ have to be mapped to additive shares of 0 over $\mathbb{F}_2$ and Shamir's shares of 1 have to be mapped to additive shares of 1 over $\mathbb{F}_2$. Let $g_1, g_2, \dots, g_n$ be the local share conversion functions used. We want to follow a similar strategy: first show that the corresponding function $G_i = (-1)^{g_i}$ has a large Fourier coefficient. Then, similar to the additive secret sharing proof, show that if $G_i$ has a large Fourier coefficient, then $G_i$ is 'almost constant' and hence derive a contradiction. In the first part, we want to use the fact that Shamir's shares of 0 over $\mathbb{F}_p$ are converted to additive shares of 0 over $\mathbb{F}_2$ to infer that $G_1$ (say) has a large Fourier coefficient. This is proved in Lemma 2.6.10. The proof is a specialized case of the work of Green and Tao [GT10]. In the proof, the value of an appropriately defined operator $\Lambda$:

$\Lambda(G_1, G_2, \dots, G_n) = \mathbb{E}_{\mathbf{s} \leftarrow \mathsf{ShaSh}_{p,n,t}(s)}\big[G_1(s_1) \cdot G_2(s_2) \cdots G_n(s_n)\big]$

(where $\mathbf{s} \leftarrow \mathsf{ShaSh}_{p,n,t}(s)$ is a random $(n, t)$-Shamir's secret sharing of $s$) is bounded by the "Gowers' Uniformity Norm" (the $U^2$ norm) of the function $G_1$. Then, using a connection between the $U^2$ norm and Fourier bias, we can derive that $G_1$ has a large Fourier coefficient. For details see Section 2.6.

2.2.4 Additive Combinatorics Context

We provide some context for these techniques. Such $\Lambda$-style operators have been studied quite a bit in number theory. They can be used to represent many fascinating questions about the distribution of prime numbers. To give some examples: "What is the density of three-term arithmetic progressions in the primes?" is a question about the operator $\Lambda = \mathbb{E}_{x,d}[1_P(x) \cdot 1_P(x+d) \cdot 1_P(x+2d)]$ where $1_P(x)$ is 1 if $x$ is a prime and 0 otherwise. Also, the twin primes conjecture can be framed in terms of the operator $\Lambda = \mathbb{E}_x[1_P(x) \cdot 1_P(x+2)]$. Green and Tao [GT10] and subsequent works by Wolf and Gowers [GW10, GW11a, GW11b] tried to understand the following question: let $L_1, L_2, \dots, L_m$ be linear equations from $\mathbb{F}^n$ to $\mathbb{F}$. Can we bound the following expectation:

$\Lambda(f_1, f_2, \dots, f_m) = \mathbb{E}_{\mathbf{x}}\big[f_1(L_1(\mathbf{x})) \cdot f_2(L_2(\mathbf{x})) \cdots f_m(L_m(\mathbf{x}))\big]?$

This is a very general question, and roughly speaking they give the following answer. These works define two measures of complexity (termed Cauchy-Schwarz Complexity and True Complexity respectively) and show that if a system of linear equations has complexity $k$, then^9

$\Lambda(f_1, f_2, \dots, f_m) \leq C \cdot \min_i \|f_i\|_{U^k}$

where $\|f_i\|_{U^k}$ is the $k$-th order Gowers' Uniformity Norm [Gow01]. This method of bounding $\Lambda$ by the Gowers' norm has been very influential in number theory, and it is what we use to prove the results on Shamir's secret sharing. We first bound an appropriately defined operator $\Lambda$ by the Gowers' $U^2$ norm and then exploit a connection between the $U^2$ norm and Fourier analysis. Such a technique does not suffice to give the desired results in the case of leakage resilience of $(n, t = \alpha n)$-Shamir's secret sharing (for some constant $\alpha > 0$) for two reasons. The first reason is that the constant $C$ derived from this method is often extremely large and has an exponential dependence on the number of equations $m$. The second reason is that in our setting, the functions $f_i$ are chosen by the adversary. So, showing that $\|f_i\|_{U^k}$ is small is either very challenging or just not true for some adversarially chosen functions $f_i$. On the other hand, we do not know how to translate this into a local leakage attack on Shamir's secret sharing either, and hence a strong win-win result eludes us.

9 Both complexity measures do not assign a complexity to all possible linear forms. To give an example, the linear form $(L_1(x) = x, L_2(x) = x+2)$, which corresponds to the twin primes conjecture, is not assigned a complexity value, and the twin primes conjecture is still open.

2.3 Preliminaries

We denote by $\mathbb{C}$ the field of complex numbers, by $\mathsf{SD}$ the statistical distance (or total variation distance), and by $\equiv$ the equality of distributions. For a vector space $\mathbb{F}^n$, we define $U = U_n$ to be the uniform distribution over $\mathbb{F}^n$. For any finite set $S$, $x \leftarrow S$ denotes sampling an independent element $x$ uniformly from $S$. For any positive integer $n$, the set $[n]$ is the integer interval $\{1, \dots, n\}$. As we use codes extensively, we use the conventions of coding theory: vectors are always row vectors.

2.3.1 Linear Codes

Secret sharing schemes are closely related to linear codes, that we define next.

Definition 2.3.1 (Linear Code). A subset $C \subseteq \mathbb{F}^n$ is an $[n, k, d]$ linear code over the field $\mathbb{F}$ if $C$ is a subspace of $\mathbb{F}^n$ of dimension $k$ such that for all $\mathbf{c} \in C \setminus \{\mathbf{0}\}$, the Hamming weight of $\mathbf{c}$ is at least $d$ (i.e., the minimum Hamming distance between two elements of the code is at least $d$). A code is called Maximum Distance Separable (MDS) if $n - k + 1 = d$. The dual code of the code $C$ is defined as $C^\perp = \{\mathbf{y} \in \mathbb{F}^n : \forall \mathbf{c} \in C, \langle \mathbf{c}, \mathbf{y} \rangle = 0\}$. A generator matrix for an $[n, k, d]$ linear code is a matrix $G \in \mathbb{F}^{k \times n}$ such that its rows form a basis of $C$, or in other words $C = \{\mathbf{c} \in \mathbb{F}^n : \exists \mathbf{m} \in \mathbb{F}^k, \mathbf{c} = \mathbf{m} \cdot G\}$. A parity check matrix $H$ of $C$ is a generator matrix of the dual code $C^\perp$.

Proposition 2.3.2. The dual code $C^\perp$ of an $[n, k, d]$ MDS code $C$ is itself an MDS code with parameters $[n, n-k, k+1]$.

Example 2.3.3 (Generalized Reed Solomon Code). An $[n, k, n-k+1]$ generalized Reed Solomon code over $\mathbb{F}$ such that $|\mathbb{F}| \geq n$ interprets a message $\mathbf{m} \in \mathbb{F}^k$ as $p(x) = m_1 + m_2 x + \cdots + m_k x^{k-1}$ and encodes it as $(u_1 p(\alpha_1), u_2 p(\alpha_2), \dots, u_n p(\alpha_n))$ where $A = \{\alpha_1, \alpha_2, \dots, \alpha_n\} \subseteq \mathbb{F}$ is a fixed set of $n$ distinct evaluation points and $u_1, \dots, u_n \in \mathbb{F}$ are non-zero coefficients. Generalized Reed Solomon codes are MDS. Moreover, the dual code of such a code $C$ is itself an $[n, n-k, k+1]$ generalized Reed Solomon code $C^\perp$ over $\mathbb{F}$ with the same evaluation points and the coefficients $v_i = u_i^{-1} \prod_{j \neq i} (\alpha_i - \alpha_j)^{-1}$ for $i \in [n]$. Indeed, given messages $p(x) = m_1 + m_2 x + \cdots + m_k x^{k-1}$ and $q(x) = m'_1 + m'_2 x + \cdots + m'_{n-k} x^{n-k-1}$, the inner product of the corresponding codewords of $C$ and $C^\perp$ is

$\sum_{i=1}^{n} u_i v_i \, p(\alpha_i) q(\alpha_i) = \sum_{i=1}^{n} \frac{p(\alpha_i) q(\alpha_i)}{\prod_{j \neq i} (\alpha_i - \alpha_j)},$

which is the Lagrange interpolation of the coefficient of $x^{n-1}$ of $p(x) q(x)$, namely 0. This proves that $C^\perp$ is the dual code of $C$.

2.3.2 Linear Secret Sharing Schemes

We recall the definition of (threshold) secret sharing schemes.

Definition 2.3.4 (Secret Sharing Scheme). An $(n, t)$-secret sharing scheme over a field $\mathbb{F}$ is defined by a pair $(\mathsf{Share}, \mathsf{Rec})$ where $\mathsf{Share}$ is a randomized mapping of an input $s \in \mathbb{F}$ to shares for each party $\mathbf{s} = (s^{(1)}, s^{(2)}, \dots, s^{(n)})$ and the reconstruction algorithm $\mathsf{Rec}$ is a function mapping a set $A \subseteq [n]$ and the corresponding shares $\mathbf{s}^{(A)} = (s^{(i)})_{i \in A}$ to a secret $s \in \mathbb{F}$, such that the following properties hold:

1. Reconstruction. $\mathsf{Rec}(A, \mathbf{s}^{(A)})$ outputs the secret $s$ for all sets $A \subseteq [n]$ where $|A| \geq t$.

2. Security. For any set $A$ such that $|A| < t$, the joint distribution of shares received by the subset of parties $A$, $\mathbf{s}^{(A)} = (s^{(i)})_{i \in A}$ where $\mathbf{s} \leftarrow \mathsf{Share}(s)$, is independent of the secret $s$.

We extend secret sharing schemes to handle vectors of secrets naturally as follows. If $(\mathsf{Share}, \mathsf{Rec})$ is a secret sharing scheme and if $\mathbf{s}$ is a vector of $k$ secrets, we define:

- $(\mathbf{s}^{(1)}, \dots, \mathbf{s}^{(n)}) \leftarrow \mathsf{Share}(\mathbf{s})$ where $\forall i \in [k]$, $(s_i^{(1)}, \dots, s_i^{(n)}) \leftarrow \mathsf{Share}(s_i)$;

- $(s_1, \dots, s_k) = \mathsf{Rec}(A, \mathbf{s}^{(A)})$ where $\forall i \in [k]$, $s_i = \mathsf{Rec}(A, \mathbf{s}_i^{(A)})$, with $\mathbf{s}_i^{(A)} = (s_i^{(j)})_{j \in A}$ and $\mathbf{s}^{(A)} = (\mathbf{s}_i^{(A)})_{i \in [k]}$.

An important particular case of secret sharing schemes are linear secret sharing schemes. Actually, all the schemes we consider in this paper are linear.

Definition 2.3.5. An $(n, t)$-secret sharing scheme $(\mathsf{Share}, \mathsf{Rec})$ over a finite field $\mathbb{F}$ is linear if

1. the codomain of $\mathsf{Share}$ is the vector space $(\mathbb{F}^\ell)^n$ for some positive integer $\ell$ (i.e., each share is a vector of $\ell$ field elements),

2. for any $s \in \mathbb{F}$, $\mathsf{Share}(s)$ is uniformly distributed over an affine subspace of $(\mathbb{F}^\ell)^n$,

3. for any $\lambda_0, \lambda_1, s_0, s_1 \in \mathbb{F}$: $\{\lambda_0 \mathbf{s}_0 + \lambda_1 \mathbf{s}_1 : \mathbf{s}_0 \leftarrow \mathsf{Share}(s_0), \mathbf{s}_1 \leftarrow \mathsf{Share}(s_1)\} \equiv \mathsf{Share}(\lambda_0 s_0 + \lambda_1 s_1)$.

Let us now recall the two classical linear secret sharing schemes we are using.

Example 2.3.6 (Additive Secret Sharing $(\mathsf{AddSh}_n, \mathsf{AddRec}_n)$). The additive secret sharing scheme $(\mathsf{AddSh}_n, \mathsf{AddRec}_n)$ for $n$ parties over a field $\mathbb{F}$ is a linear $(n, n)$-secret sharing scheme defined as follows. Shares $\mathsf{AddSh}_n(s) = \mathbf{s}$ of a secret $s \in \mathbb{F}$ are generated as follows: $(s^{(1)}, \dots, s^{(n-1)}) \leftarrow \mathbb{F}^{n-1}$ and $s^{(n)} = s - (s^{(1)} + \cdots + s^{(n-1)})$. The reconstruction of $s$ from $\mathbf{s}$ is done as follows: $\mathsf{AddRec}_n(\mathbf{s}) = s^{(1)} + \cdots + s^{(n)}$.

Example 2.3.7 (Shamir's Secret Sharing $(\mathsf{ShaSh}_{n,t}, \mathsf{ShaRec}_{n,t})$). Shamir's secret sharing scheme $(\mathsf{ShaSh}_{n,t}, \mathsf{ShaRec}_{n,t})$ for $n$ parties and threshold $t$ over a field $\mathbb{F}$ (with $|\mathbb{F}| > n$) is a linear $(n, t)$-secret sharing scheme defined as follows. Let $\alpha_1, \dots, \alpha_n \in \mathbb{F} \setminus \{0\}$ be $n$ distinct arbitrary non-zero field elements. Shares $\mathsf{ShaSh}_{n,t}(s) = \mathbf{s}$ of a secret $s \in \mathbb{F}$ are generated as follows: generate a uniformly random polynomial $P$ of degree at most $t-1$ over $\mathbb{F}$ with constant coefficient $s$ (i.e., $P(0) = s$); the share $s^{(i)}$ is $s^{(i)} = P(\alpha_i)$. Given shares $\mathbf{s}^{(A)}$ with $A \subseteq [n]$ and $|A| \geq t$, the reconstruction works as follows: it computes the Lagrange coefficients $\lambda_i = \prod_{j \in A \setminus \{i\}} \big(\alpha_j / (\alpha_j - \alpha_i)\big)$ and outputs $\mathsf{ShaRec}_{n,t}(A, \mathbf{s}^{(A)}) = \sum_{i \in A} \lambda_i s^{(i)} \in \mathbb{F}$.

2.3.3 Fourier Analysis

In this section, we present the notion of Fourier coefficients of a function and some of its properties. Most of the calculations needed about Fourier coefficients are deferred to the corresponding sections for ease of readability. For an excellent survey on how Fourier analytic methods are used in additive combinatorics, see [Gre07]. Let $G$ be any finite Abelian group. A character is a homomorphism $\chi : G \to \mathbb{C}$ from the group $G$ to $\mathbb{C}$, i.e., $\chi(a + b) = \chi(a) \cdot \chi(b)$ for all $a, b \in G$. For any finite Abelian group $G$, the set of characters $\hat{G}$ is a group (under the operation of point-wise product) isomorphic to $G$. The reader should note that while we define Fourier coefficients in generality, we primarily use Fourier analysis on the groups $\mathbb{F}_p$ for some prime $p$.

Definition 2.3.8 (Fourier Coefficients). For functions $f : G \to \mathbb{C}$, the Fourier basis is composed of the group $\hat{G}$ of characters $\chi : G \to \mathbb{C}$. We define the Fourier coefficient $\hat{f}(\chi)$ corresponding to a character $\chi$ as

$\hat{f}(\chi) = \mathbb{E}_{x \leftarrow G}\big[f(x) \cdot \chi(x)\big] \in \mathbb{C}.$

As we will use Fourier analysis on the additive group $\mathbb{F}_p$, we describe the Fourier characters over $\mathbb{F}_p$. Let $\omega = \exp(2\pi i/p)$ be a primitive $p$-th root of unity. Then the characters of $\mathbb{F}_p$ are given by $\chi_a(x) = \omega^{ax}$ where $a \in \mathbb{F}_p$. We sometimes abuse notation and write $\hat{f}(a)$ instead of $\hat{f}(\chi_a)$. We follow the "standard" notation in additive combinatorics. In this notation, when working on the group $G$, the Haar measure is used, which assigns the weight $|G|^{-1}$ to every $x \in G$, and when working on $\hat{G}$, the counting measure is used, which assigns the weight 1 to every $a \in \hat{G}$. Using these measures generally eliminates the need for normalization. So, when we talk about norms, these will always be taken with respect to the underlying measure. That is,

$\|f\|_2 = \big(\mathbb{E}_{x \leftarrow G}[|f(x)|^2]\big)^{1/2}$ whereas $\|\hat{f}\|_2 = \big(\sum_{a \in \hat{G}} |\hat{f}(a)|^2\big)^{1/2}.$

We note that the Fourier transform has the following properties. These follow easily from the orthogonality relation on the characters: $\sum_{x \in \mathbb{F}_p} \omega^{ax}$ is $p$ when $a = 0$ and 0 otherwise.

Theorem 2.3.9. Let $f, g : G \to \mathbb{C}$ be two functions. Let $\hat{G}$ denote the group of characters of $G$. The following hold:

(a) (Parseval's identity) We have

$\mathbb{E}_{x \leftarrow G}\big[f(x) \cdot \overline{g(x)}\big] = \sum_{\chi \in \hat{G}} \hat{f}(\chi) \cdot \overline{\hat{g}(\chi)}.$

In particular, $\|f\|_2 = \|\hat{f}\|_2$ where $\|f\|_2^2 = \mathbb{E}_{x \leftarrow G}[|f(x)|^2]$ and $\|\hat{f}\|_2^2 = \sum_{\chi \in \hat{G}} |\hat{f}(\chi)|^2$.

(b) (Fourier Inversion Formula) For any $x \in G$, $f(x) = \sum_{\chi \in \hat{G}} \hat{f}(\chi) \cdot \overline{\chi(x)}$.

Finally, we introduce the notion of bias. A function is biased if it is highly correlated with some Fourier character.

Definition 2.3.10 (Bias). For a function $f : G \to \mathbb{C}$, the bias of $f$ is defined as

$\mathsf{bias}(f) = \|\hat{f}\|_\infty = \max_{\chi \in \hat{G}} |\hat{f}(\chi)|.$
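Definition 2.3.8, Theorem 2.3.9 and Definition 2.3.10 in code, together with the operator $\Lambda$ of Section 2.2.3, as an added example that is not the thesis's own: Fourier coefficients over $\mathbb{F}_p$ with the Haar/counting-measure convention, the Parseval and inversion checks, the bias, $\Lambda(G_1, G_2, G_3)$ computed both directly over $\mathsf{AddSh}(0)$ and via $\sum_a \hat{G}_1(a) \hat{G}_2(a) \hat{G}_3(a)$, the identity $\Lambda = 1 - 2\Pr[g_1 + g_2 + g_3 \neq 0]$, and the $2/3$ bound on non-trivial coefficients of $\pm 1$-valued functions over $\mathbb{F}_3$. The sample functions $g_i$ are constructed.

```python
import cmath
import itertools

def omega(p):
    """Primitive p-th root of unity w = exp(2 pi i / p)."""
    return cmath.exp(2j * cmath.pi / p)

def fourier(f, p):
    """f^(a) = E_x[f(x) w^{ax}] for every a in F_p (Haar measure on F_p,
    no conjugate, matching the convention used in Section 2.2.3)."""
    w = omega(p)
    return [sum(f[x] * w ** (a * x) for x in range(p)) / p for a in range(p)]

def l2_time(f, p):
    """||f||_2 under the Haar measure: (E_x |f(x)|^2)^{1/2}."""
    return (sum(abs(v) ** 2 for v in f) / p) ** 0.5

def l2_freq(fhat):
    """||f^||_2 under the counting measure: (sum_a |f^(a)|^2)^{1/2} (Parseval: equals l2_time)."""
    return sum(abs(v) ** 2 for v in fhat) ** 0.5

def invert(fhat, p):
    """Fourier inversion: f(x) = sum_a f^(a) * conj(w^{ax})."""
    w = omega(p)
    return [sum(fhat[a] * (w ** (a * x)).conjugate() for a in range(p)) for x in range(p)]

def bias(f, p):
    """bias(f) = ||f^||_inf = max_a |f^(a)|."""
    return max(abs(v) for v in fourier(f, p))

def pm1(g):
    """Real-valued analogue G(x) = (-1)^{g(x)} of a function g: F_p -> F_2."""
    return [(-1) ** v for v in g]

def lambda_direct(G, p):
    """Lambda(G1,G2,G3) = E over additive shares of 0 of G1(x1) G2(x2) G3(x3).
    AddSh(0) is uniform over the p^2 triples with x1 + x2 + x3 = 0."""
    total = 0
    for x1, x2 in itertools.product(range(p), repeat=2):
        x3 = (-x1 - x2) % p
        total += G[0][x1] * G[1][x2] * G[2][x3]
    return total / p ** 2

def lambda_fourier(G, p):
    """Same operator through the Fourier identity sum_a G1^(a) G2^(a) G3^(a)
    (the dual code of AddSh(0) is spanned by the all-ones vector)."""
    hats = [fourier(g, p) for g in G]
    return sum(hats[0][a] * hats[1][a] * hats[2][a] for a in range(p))

def error_on_zero_shares(g, p):
    """Pr over additive shares of 0 that g1(x1) + g2(x2) + g3(x3) != 0 in F_2,
    so that Lambda = 1 - 2 * error."""
    bad = 0
    for x1, x2 in itertools.product(range(p), repeat=2):
        x3 = (-x1 - x2) % p
        bad += (g[0][x1] + g[1][x2] + g[2][x3]) % 2
    return bad / p ** 2

def max_nontrivial_coeff(p):
    """Largest |G^(a)| with a != 0 over all {-1,1}-valued G on F_p (2/3 for p = 3)."""
    best = 0.0
    for signs in itertools.product((-1, 1), repeat=p):
        best = max(best, max(abs(v) for v in fourier(list(signs), p)[1:]))
    return best
```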

We need a calculation on certain sums of roots of unity. Let $A$ be a subset of $\mathbb{Z}_k$, and let $\gamma = e^{2\pi i/k}$. We want to bound sums of the form $\gamma^A = \sum_{x \in A} \gamma^x$. We state and prove the lemma below. We will use the lemma to show that non-trivial Fourier coefficients of certain functions have to be smaller than the trivial one.

Lemma 2.3.11. Let $k$ be a positive integer. Let $\zeta_k : [0, k] \to \mathbb{R}_{\geq 0}$ be defined as $\zeta_k(x) = \frac{\sin(x\pi/k)}{\sin(\pi/k)}$ with $\zeta_k(0) = 0$. Let $A \subseteq \mathbb{Z}_k$ be of size $t$. Let $A^* = \{0, 1, \dots, t-1\}$. Then

$|\gamma^A| \leq |\gamma^{A^*}| = \frac{\sin(\pi t/k)}{\sin(\pi/k)} = \zeta_k(t).$

We will show that the sum is maximized when A is an interval. The proof of the claim is an extremal argument. If an element does not lie in the direction of the sum, we can remove it and add something in the direction to increase the norm.

Proof. First, the fact that $|\gamma^{A^*}| = \zeta_k(t)$ is derived using a basic trigonometry calculation:

$|\gamma^{A^*}| = \Big|\sum_{j=0}^{t-1} \gamma^j\Big| = \Big|\frac{\gamma^t - 1}{\gamma - 1}\Big| = \frac{2\sin(\pi t/k)}{2\sin(\pi/k)},$

where the last equality follows from the fact that the angle between $\gamma^t$ and $-1$ is $(\pi - 2t\pi/k)$ and hence $|\gamma^t - 1| = 2\cos((\pi - 2t\pi/k)/2) = 2\sin(\pi t/k)$.

Let us now show that the sum is indeed maximum when $A = A^*$. An interval $[a, b)$ over $\mathbb{Z}_k$ consists of the elements $\{a \bmod k, a+1 \bmod k, \dots, b-1 \bmod k\}$. Note that the intervals $[a, b)$ and $[b, a)$ are distinct. Observe that for any two intervals $A, B$ of the same size, $\gamma^A = \gamma^{c} \cdot \gamma^B$ for some $c \in \mathbb{Z}_k$; hence $\gamma^A$ and $\gamma^B$ have the same magnitude. Let $A \subseteq \mathbb{Z}_k$ be of size $t$ such that $|\gamma^A|$ is maximum. We want to prove that $|\gamma^A| = |\gamma^{A^*}|$. The cases $t = 0$ or $t = k$ are vacuously true. If $A$ is an interval, i.e., a set of the form above, we are done. Else, we want to show that there exists an interval $A'$ of the same size such that $|\gamma^{A'}| \geq |\gamma^A|$. Let $\zeta = \gamma^A = \sum_{a \in A} \gamma^a$. We have $|\zeta| \geq |\gamma^{A^*}| > 0$. We consider the interval $A' = [a', a'+t)$ consisting of all the roots of unity most 'aligned' with $\zeta$. That is, $a'$ is chosen as

$a' \in \arg\max_{a' \in \mathbb{Z}_k,\, A' = [a', a'+t)} \sum_{a \in A'} \zeta \circ \gamma^a,$

where $\circ$ is the complex dot product.^10 Equivalently, the interval $A' = [a', a'+t)$ is the interval of size $t$ such that, for all $a \in A'$ and $b \in \{0, 1, \dots, k-1\} \setminus A'$, $\zeta \circ \gamma^a \geq \zeta \circ \gamma^b$.

Let us now show that $|\gamma^A| \leq |\gamma^{A'}|$. For that, let $B \subseteq \mathbb{Z}_k$ be a set of size $t$ such that $|\zeta| = |\gamma^B|$ and the size of the intersection of $A'$ and $B$ is maximum. Let us prove that $B = A'$, which will conclude the proof. Pick $a \in A' \setminus B$ and $b \in B \setminus A'$. Consider the set $B' = (B \setminus \{b\}) \cup \{a\}$. We remark that the intersection of $A'$ and $B'$ is larger than the intersection of $A'$ and $B$. Let us now prove that $|\gamma^{B'}| \geq |\gamma^B|$, which is a contradiction ($B$ was not the set of size $t$ with the largest sum and the largest intersection with $A'$). Observe that $\gamma^{B'} = \gamma^B - \gamma^b + \gamma^a$. And as $\zeta \circ \gamma^a \geq \zeta \circ \gamma^b$, $\zeta \circ (\gamma^a - \gamma^b) \geq 0$. Hence, $\cos\theta \geq 0$ where $\theta$ is the angle between $\zeta$ and $(\gamma^a - \gamma^b)$. This implies that $\theta \in [-\pi/2, \pi/2]$ and hence $|\zeta - \gamma^b + \gamma^a| = |\zeta + (\gamma^a - \gamma^b)| \geq |\zeta|$. And the result follows. □
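A brute-force check of Lemma 2.3.11 for small $k$, as an added example that is not part of the thesis: it enumerates every $t$-subset $A$ of $\mathbb{Z}_k$, confirms that the maximum of $|\gamma^A|$ equals $\sin(\pi t/k)/\sin(\pi/k) = \zeta_k(t)$, and that every maximiser is an interval $[a, a+t)$, as the extremal argument above predicts.

```python
import cmath
import itertools
import math

def root_sum(A, k):
    """gamma^A = sum_{x in A} gamma^x with gamma = exp(2 pi i / k)."""
    gamma = cmath.exp(2j * math.pi / k)
    return sum(gamma ** x for x in A)

def zeta(k, t):
    """zeta_k(t) = sin(pi t / k) / sin(pi / k), with zeta_k(0) = 0."""
    return 0.0 if t == 0 else math.sin(math.pi * t / k) / math.sin(math.pi / k)

def is_interval(A, k):
    """True if A equals [a, a+t) mod k for some a."""
    t = len(A)
    return any({(a + i) % k for i in range(t)} == set(A) for a in range(k))

def check_lemma(k, t):
    """Return (max |gamma^A| over all t-subsets of Z_k, zeta_k(t),
    whether every maximiser is an interval)."""
    best, maximisers = 0.0, []
    for A in itertools.combinations(range(k), t):
        m = abs(root_sum(A, k))
        if m > best + 1e-9:
            best, maximisers = m, [A]
        elif abs(m - best) <= 1e-9:
            maximisers.append(A)
    return best, zeta(k, t), all(is_interval(A, k) for A in maximisers)
```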

2.4 On Leakage Resilience of Secret Sharing Schemes

2.4.1 Definitions and Basic Properties

We consider a model of leakage where the adversary can first choose a subset $\mathcal{E} \subseteq [n]$ of parties and get their full shares, and then leak $m$ bits each from all the shares of all the (other) parties. Formally, what is learned by the adversary on a sharing $\mathbf{s}$ is the following:

$\mathsf{Leak}_{\mathcal{E},\tau}(\mathbf{s}) = \big(\mathbf{s}^{(\mathcal{E})}, (\tau^{(i)}(\mathbf{s}^{(\mathcal{E})}, s^{(i)}))_{i \in [n]}\big) \qquad (2.4)$

where $\tau = (\tau^{(1)}, \tau^{(2)}, \dots, \tau^{(n)})$ is a family of $n$ leakage functions that output $m$ bits and $\mathbf{s}^{(\mathcal{E})} = (s^{(j)})_{j \in \mathcal{E}}$ are the complete shares of the corrupted parties. The adversary can choose the functions $\tau$ arbitrarily.

Definition 2.4.1 (Local Leakage Resilient). Let $\mathcal{E}$ be a subset of $[n]$. A secret sharing scheme $(\mathsf{Share}, \mathsf{Rec})$ is said to be $(\mathcal{E}, m, \varepsilon)$-local leakage resilient (or $(\mathcal{E}, m, \varepsilon)$-LL resilient for short) if for every leakage function family $\tau = (\tau^{(1)}, \tau^{(2)}, \dots, \tau^{(n)})$ where $\tau^{(j)}$ has an $m$-bit output, and for every pair of secrets $s_0, s_1$,

$\mathsf{SD}\big(\{\mathsf{Leak}_{\mathcal{E},\tau}(\mathbf{s}) : \mathbf{s} \leftarrow \mathsf{Share}(s_0)\}, \{\mathsf{Leak}_{\mathcal{E},\tau}(\mathbf{s}) : \mathbf{s} \leftarrow \mathsf{Share}(s_1)\}\big) \leq \varepsilon.$

A secret sharing scheme $(\mathsf{Share}, \mathsf{Rec})$ is said to be $(\theta, m, \varepsilon)$-LL resilient if it is $(\mathcal{E}, m, \varepsilon)$-LL resilient for any subset $\mathcal{E} \subseteq [n]$ of size at most $\theta$.

Remark 2.4.2. We remark that we can consider an equivalent definition where, for each distribution $\mathcal{D}$ over leakage function families $\tau = (\tau^{(1)}, \tau^{(2)}, \dots, \tau^{(n)})$:

$\mathsf{SD}\big(\{\mathsf{Leak}_{\mathcal{E},\tau}(\mathbf{s}) : \tau \leftarrow \mathcal{D}, \mathbf{s} \leftarrow \mathsf{Share}(s_0)\}, \{\mathsf{Leak}_{\mathcal{E},\tau}(\mathbf{s}) : \tau \leftarrow \mathcal{D}, \mathbf{s} \leftarrow \mathsf{Share}(s_1)\}\big) \leq \varepsilon.$

Observe that an $(n, t)$-secret sharing scheme is $(t, 0, 0)$-Local Leakage resilient: that is, complete access to the shares of $t$ parties and no information about the others.

10 $z_1 \circ z_2 = x_1 x_2 + y_1 y_2$, where $z_b = x_b + i \cdot y_b$, is the dot product of $z_1$ and $z_2$. Equivalently, $z_1 \circ z_2 = |z_1| |z_2| \cos\theta$ where $\theta$ is the angle between $z_1$ and $z_2$.

Note that in the leakage model, the adversary is not allowed to adaptively choose the leakage functions. As discussed in the introduction, this is a very meaningful and well-motivated leakage model. Next, we demonstrate some attacks in this model. In particular, we formalize the observation that linear secret sharing schemes over small characteristic fields are not local leakage resilient.

Example 2.4.3 (Attack on Schemes Over Small Characteristic Fields). Over fields of small characteristic like $\mathbb{F}_{2^k}$ that have many additive subgroups, secret sharing schemes with linear reconstruction are not local leakage resilient even for 1-bit leakage. We give some examples of such attacks; they are not hard to generalize. Let $s \in \mathbb{F}_{2^k}$ be the secret that is shared among $n$ parties as shares $(s^{(1)}, s^{(2)}, \dots, s^{(n)})$. Consider the following attacks:

• Additive Secret Sharing. The adversary can locally leak the least significant bit of each share $s^{(j)}$. Adding them up, the adversary can reconstruct the least significant bit of $s$.

• Shamir's Secret Sharing. For a similar attack, observe that $s = \lambda_1 s^{(1)} + \lambda_2 s^{(2)} + \cdots + \lambda_n s^{(n)}$ where the $\lambda_j$ are fixed Lagrange coefficients. So to attack the scheme, the adversary locally multiplies the share $s^{(j)}$ by $\lambda_j$ and leaks the least significant bit. This again reveals the least significant bit of $s$. The recent work of Guruswami and Wootters [GW17] shows how such leakage can be used to even completely reconstruct $s$ in some settings.

Example 2.4.4 (Attack on Few Parties). If the number of parties $n$ is a constant, then additive secret sharing over $\mathbb{F}_p$ is not LL-resilient. The adversary can distinguish between secrets $< p/2$ and $> p/2$ by local leakage. The adversary locally leaks $\tau^{(i)}(s^{(i)}) = 1$ if the share $s^{(i)} < p/(2n)$ (seeing the share as an integer in $\{0, \dots, p-1\}$). If all the leakages output 1, the adversary can conclude that the secret $s = s^{(1)} + \cdots + s^{(n)} < p/2$. On the other hand, if the secret is larger than $p/2$, then the leakage outputs will never all be 1 simultaneously. In the $< p/2$ case, the probability of all the shares being $< p/2n$ is about $(1/2n)^n$, a constant. Similar attacks can also be performed on Shamir's secret sharing. We stress that this is not the most effective attack, but it is an attack nonetheless. This attack is similar to the one in [KP10, Footnote 8].
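The 1-bit local leakage of Example 2.4.3 run as a check, as an added example that is not part of the thesis: the same "leak the least significant bit of your own share" functions are applied to additive sharing over $\mathbb{F}_{2^k}$, where the XOR of the leaked bits is exactly the least significant bit of the secret, and, for contrast, over a prime field $\mathbb{F}_p$, where the leaked parity agrees with the secret's least significant bit only about half the time. Field sizes, party count and trial count are constructed.

```python
import secrets

def share_gf2k(s, n, k):
    """Additive sharing over F_{2^k}: field addition is XOR of k-bit strings."""
    shares = [secrets.randbits(k) for _ in range(n - 1)]
    last = s
    for v in shares:
        last ^= v
    return shares + [last]

def share_fp(s, n, p):
    """Additive sharing over F_p (Example 2.3.6)."""
    shares = [secrets.randbelow(p) for _ in range(n - 1)]
    return shares + [(s - sum(shares)) % p]

def lsb_leakage(shares):
    """Each party's tau^(i) outputs the LSB of its own share; the adversary adds the bits mod 2."""
    return sum(v & 1 for v in shares) % 2

def success_rate(share_fn, secret_space, n, trials):
    """Fraction of trials in which the leaked parity equals the LSB of the secret."""
    hits = 0
    for _ in range(trials):
        s = secrets.randbelow(secret_space)
        hits += lsb_leakage(share_fn(s, n)) == (s & 1)
    return hits / trials

def rate_gf2k(n=5, k=16, trials=2000):
    """Over F_{2^16}: XOR of the share LSBs is the LSB of s, so this returns 1.0."""
    return success_rate(lambda s, n: share_gf2k(s, n, k), 1 << k, n, trials)

def rate_fp(n=5, p=65521, trials=2000):
    """Over F_p with p odd: the wrap-arounds mod p decouple the share parities from s,
    so this comes out near 1/2 (the leaked bit carries no information about s)."""
    return success_rate(lambda s, n: share_fp(s, n, p), p, n, trials)
```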

2.4.2 Leakage Resilience of Additive and Shamir's Secret Sharing Schemes

We are now in a position to state the main technical result of this section: that no family of local leakage functions can distinguish between shares picked from a 'good' linear code and uniformly random shares. We then apply these results to get local leakage resilience for additive and Shamir's secret sharing schemes.

Main Technical Theorem: Leakage Resilience of Linear Codes

We describe two versions of our bounds: they differ in their dependence on the underlying prime $p$. The first bound has tighter constants but a worse dependence on the prime, while for the latter bound, the bound on the distinguishing advantage does not degrade with increasing primes.

Theorem 2.4.5. Let $C \subseteq \mathbb{F}_p^n$ be any $[n, t-1, n-t+2]$ linear code. Let $\tau = (\tau^{(1)}, \tau^{(2)}, \dots, \tau^{(n)})$ be any family of leakage functions where $\tau^{(i)} : \mathbb{F}_p \to \{0, 1\}^m$. Let $c_m = \frac{2^m \sin(\pi/2^m)}{p \sin(\pi/p)} < 1$ (when $2^m < p$). Then,

$\mathsf{SD}(\tau(C), \tau(U_n)) \leq \frac{1}{2} \cdot p^{n-t+1} \cdot c_m^{\,n}$

where $U_n$ is the uniform distribution on $\mathbb{F}_p^n$ and

$\tau(C) = \{(\tau^{(i)}(x_i))_{i \in [n]} : \mathbf{x} \leftarrow C\}$ and $\tau(U_n) = \{(\tau^{(i)}(x_i))_{i \in [n]} : \mathbf{x} \leftarrow U_n\}.$

The bound above is not tight. In particular, the $p^{n-t+1}$ factor leads to an unnatural situation where our bounds become worse as the prime increases. To give some intuition about what parameters it can support: if a bit is leaked from each share, i.e., $m = 1$, then $c_m$ is a constant and hence the statistical distance is bounded as $2^{(n-t+1)\log p} \cdot c_m^{\,n}$. Then we can set $n - t \approx O(n/\log p)$ and the distance is negligible. But we cannot set $n - t = \Omega(n)$. Next, we describe stronger bounds removing this dependence on $p$: the $p^{n-t+1}$ dependence is replaced by a $(2^{O(m)})^{(n-t)}$ style term. This gives the "natural interpretation" in that our bounds get stronger as the prime $p$ increases, since the $c_m$ term decreases as $p$ increases. The key idea behind this proof is using the Cauchy-Schwarz inequality to reduce the number of terms we need to bound. The constant here is not very optimized, but it suffices.

Theorem 2.4.6. Let $C \subseteq \mathbb{F}_p^n$ be any $[n, t-1, n-t+2]$ linear code. Let $\tau = (\tau^{(1)}, \tau^{(2)}, \dots, \tau^{(n)})$ be any family of leakage functions where $\tau^{(j)} : \mathbb{F}_p \to \{0, 1\}^m$. Let $c'_m = \frac{2^m \sin(\pi/2^m + \pi/2^{m+4})}{p \sin(\pi/p)}$. Then,

$\mathsf{SD}(\tau(C), \tau(U_n)) \leq \frac{1}{2} \cdot 2^{(5m+1)(n-t)+m} \cdot (c'_m)^{2t-n-2}$

where $U_n$ is the uniform distribution on $\mathbb{F}_p^n$.

In the case of additive secret sharing, we can improve the constants more, and the proof serves as an instructive warmup for the proof of Theorem 2.4.6. We state the bound below.

Theorem 2.4.7 (Additive Secret Sharing). Let $C \subseteq \mathbb{F}_p^n$ be the code generated by $\mathsf{AddSh}_n(0)$. Let $\tau = (\tau^{(1)}, \tau^{(2)}, \dots, \tau^{(n)})$ be any family of leakage functions where $\tau^{(i)} : \mathbb{F}_p \to \{0, 1\}^m$. Let $c_m = \frac{2^m \sin(\pi/2^m)}{p \sin(\pi/p)} < 1$ (when $2^m < p$). Then,

$\mathsf{SD}(\tau(C), \tau(U_n)) \leq \frac{1}{2} \cdot 2^m \cdot c_m^{\,n-2}$

where $U_n$ is the uniform distribution on $\mathbb{F}_p^n$.

We remark that a slightly weaker version of Theorem 2.4.7 above can be obtained by invoking Theorem 2.4.6 on the $[n, n-1, 2]$ code $C$ generated by $\mathsf{AddSh}_n(0)$ (i.e., $t = n$). More precisely, we would get

$\mathsf{SD}(\tau(C), \tau(U_n)) \leq 2^{m-1} \cdot (c'_m)^{n-2},$

which is almost the same bound except that $c_m$ is replaced by the slightly larger constant $c'_m$.

Local Leakage Resilience of Additive and Shamir's Secret Sharing Schemes

Additive Secret Sharing. We observe that Theorems 2.4.5 to 2.4.7 yield the following two corollaries for additive secret sharing and Shamir's secret sharing. We first prove the corollaries assuming Theorems 2.4.5 to 2.4.7 and then prove these theorems next. We describe example parameter settings in Section 2.4.2. Let $c_m$ and $c'_m$ be defined as follows, for $2^m < p$:

$c_m = \frac{2^m \sin(\pi/2^m)}{p \sin(\pi/p)}$ and $c'_m = \frac{2^m \sin(\pi/2^m + \pi/2^{m+4})}{p \sin(\pi/p)}.$

Corollary 2.4.8 (Leakage Resilience of Additive Secret Sharing). The additive secret sharing $\mathsf{AddSh}_n$ for $n$ parties is $(\theta, m, \varepsilon)$-LL resilient where:

$\varepsilon = p \cdot c_m^{\,n-\theta}$ or $\varepsilon = 2^m \cdot c_m^{\,n-\theta-2}.$

Proof. This corollary follows from Theorems 2.4.5 and 2.4.7 and the following claim, after remarking that, when $\theta$ parties reveal their share, an additive secret sharing with $n$ parties becomes a random additive secret sharing with $n - \theta$ parties.

Claim 2.4.8.1. Let $\tau = (\tau^{(1)}, \tau^{(2)}, \dots, \tau^{(n)})$ be any family of $m$-bit output leakage functions. Let $c_m = \frac{2^m \sin(\pi/2^m)}{p \sin(\pi/p)} < 1$ (when $2^m < p$). Then for all secrets $s_0, s_1 \in \mathbb{F}_p$,

$\mathsf{SD}(\tau(\mathsf{AddSh}_n(s_0)), \tau(\mathsf{AddSh}_n(s_1))) \leq p \cdot c_m^{\,n}$ or $2^m \cdot c_m^{\,n-2}.$

Proof. The proof is a simple hybrid argument. Let $C$ be the support of $\mathsf{AddSh}_n(0)$. Note that $C$ is an $[n, n-1, 2]$ linear code and $\mathsf{AddSh}_n(0)$ is uniformly distributed on $C$. Also note that the distribution $\mathsf{AddSh}_n(s)$ is a coset of $\mathsf{AddSh}_n(0)$, i.e., $\mathsf{AddSh}_n(s)$ can be obtained by first sampling $\mathbf{x} \leftarrow \mathsf{AddSh}_n(0)$ and then adding the fixed vector $s \cdot \mathbf{e} = (s, 0, 0, \dots, 0)$ to $\mathbf{x}$. So, for any secret $s$,

$\mathsf{SD}(\tau(\mathsf{AddSh}_n(s)), \tau(U_n)) = \mathsf{SD}(\tau(\mathsf{AddSh}_n(0) + s\mathbf{e}), \tau(U_n)) = \mathsf{SD}(\tau'(\mathsf{AddSh}_n(0)), \tau'(U_n - s\mathbf{e})) = \mathsf{SD}(\tau'(\mathsf{AddSh}_n(0)), \tau'(U_n)),$

where $\tau'^{(1)}(x) = \tau^{(1)}(x + s)$ and $\tau'^{(j)} = \tau^{(j)}$ for $j > 1$. Using the triangle inequality, we can complete the proof:

$\mathsf{SD}(\tau(\mathsf{AddSh}_n(s_0)), \tau(\mathsf{AddSh}_n(s_1))) \leq \mathsf{SD}(\tau(\mathsf{AddSh}_n(s_0)), \tau(U_n)) + \mathsf{SD}(\tau(U_n), \tau(\mathsf{AddSh}_n(s_1))) \leq p \cdot c_m^{\,n}$ or $2^m \cdot c_m^{\,n-2},$

where the last inequality follows from either Theorem 2.4.5 or Theorem 2.4.7.

This concludes the proof of Corollary 2.4.8.

Shamir's Secret Sharing. Next we argue the corresponding statement for Shamir's secret sharing.

Corollary 2.4.9 (Leakage Resilience of Shamir's Secret Sharing). The $(n, t)$-Shamir's secret sharing scheme $\mathsf{ShaSh}_{n,t}$ is $(\theta, m, \varepsilon)$-LL resilient where:

$\varepsilon = p^{n-t+1} \cdot c_m^{\,n-\theta}$ or $\varepsilon = 2^{(5m+1)(n-t)+m} \cdot (c'_m)^{2t-n-\theta-2}.$

Proof. This corollary follows from the following lemma after remarking that, when $\theta$ parties reveal their share, a Shamir's secret sharing $\mathsf{ShaSh}_{n,t}(s)$ on the remaining $n - \theta$ parties is still an MDS code, up to an additive shift. We prove this claim first and then finish the proof.

Claim 2.4.9.1. For Shamir's secret sharing scheme $\mathsf{ShaSh}_{n,t}$ of $n$ parties and threshold $t$ over a field $\mathbb{F}$ (with $|\mathbb{F}| > n$), let $\mathcal{E} \subseteq [n]$ be a set of $\theta < t$ parties. Consider the following experiment where, for a given secret $s$, $n$ shares $\mathbf{s} = \mathsf{ShaSh}_{n,t}(s)$ are generated and the shares of the parties in $\mathcal{E}$ are leaked. Let the leaked values be $\mathbf{x}^{(\mathcal{E})}$. Let $\mathsf{ShaSh}_{n,t}(s)|_{\mathbf{s}^{(\mathcal{E})} = \mathbf{x}^{(\mathcal{E})}}$ be the distribution on shares conditioned on the revealed values $\mathbf{s}^{(\mathcal{E})}$ being $\mathbf{x}^{(\mathcal{E})}$. Then, there exists an $[n-\theta, t-1-\theta, n-t+2]$ MDS code $C \subseteq \mathbb{F}^{n-\theta}$ and a shift vector $\mathbf{b} \in \mathbb{F}^n$ such that

$\mathsf{ShaSh}_{n,t}(s)|_{\mathbf{s}^{(\mathcal{E})} = \mathbf{x}^{(\mathcal{E})}} \equiv \{(\mathbf{y}^{(\bar{\mathcal{E}})} \| \mathbf{0}^{(\mathcal{E})}) + \mathbf{b} : \mathbf{y} \leftarrow C\}$

where $(\mathbf{y}^{(\bar{\mathcal{E}})} \| \mathbf{0}^{(\mathcal{E})})$ denotes a vector where the positions in $\mathcal{E}$ are 0 while the positions in $\bar{\mathcal{E}}$ are filled by $\mathbf{y}$.

Given the claim, the proof follows. The adversary sees $\mathbf{s}^{(\mathcal{E})}$ for the $\theta$ corrupted parties. Then, the adversary specifies leakage functions $\tau^{(\bar{\mathcal{E}})} = (\tau^{(i)})_{i \in \bar{\mathcal{E}}}$, any family of $m$-bit output leakage functions. We bound $\mathsf{SD}(\tau^{(\bar{\mathcal{E}})}(\mathsf{ShaSh}_{n,t}(s)^{(\bar{\mathcal{E}})}), \tau(U_n))$ and use the triangle inequality to complete the proof, losing a factor of 2 as above. Observe that

$\mathsf{SD}(\tau^{(\bar{\mathcal{E}})}(\mathsf{ShaSh}_{n,t}(s)^{(\bar{\mathcal{E}})}), \tau(U_n)) = \mathsf{SD}(\tau^{(\bar{\mathcal{E}})}(C + \mathbf{b}^{(\bar{\mathcal{E}})}), \tau(U_n)) \leq \frac{1}{2} \cdot p^{n-t+1} \cdot c_m^{\,n-\theta}$ or $\frac{1}{2} \cdot 2^{(5m+1)(n-t)+m} \cdot (c'_m)^{2t-n-\theta-2},$

where the equality follows from Claim 2.4.9.1 and the inequality follows from Theorems 2.4.5 and 2.4.6. Next, we prove the claim to finish the proof.

Proof of Claim 2.4.9.1. The proof follows from considering alternate ways of sampling the conditional distribution.

$$\mathsf{ShaSh}_{n,t}(s)|_{\Theta}(\mathbf{x}_\Theta) = \mathsf{ShaSh}_{n,t}(0)|_{\Theta}(\mathbf{x}_\Theta - s\mathbf{1}_\Theta) + s\mathbf{1},$$

where $\mathbf{1} \in \mathbb{F}^n$ is the vector $\mathbf{1} = (1, \ldots, 1)$. This follows because $\mathsf{ShaSh}_{n,t}(s) = \mathsf{ShaSh}_{n,t}(0) + s\mathbf{1}$. For the next transformation, pick a polynomial $p$ of degree at most $\theta - 1 < t$ such that $p$, evaluated at the points in $\Theta$, yields $\mathbf{x}_\Theta$. Let $\mathbf{p}$ denote the evaluation of $p$ at the evaluation points of Shamir's secret sharing. Then,

$$= \mathsf{ShaSh}_{n,t}(0)|_{\Theta}(\mathbf{0}) + \mathbf{p} + (s - p(0))\cdot\mathbf{1}.$$

The last equivalence follows from observing that $p$ is a polynomial of degree $\le t-1$ and a Shamir's sharing is obtained from a random degree-$(t-1)$ polynomial. Hence an element of the right-hand-side distribution is a Shamir's sharing of $s$. Note that $\mathsf{ShaSh}_{n,t}(0)|_{\Theta}(\mathbf{0})$ has a clean characterization as follows: sample a random polynomial $q$ of degree $t-\theta-1$ such that $q(0) = 0$, and consider the augmented polynomial $q'(x) = q(x)\cdot\prod_{i\in\Theta}(x - a_i)$ of degree $t-1$, where $A = \{a_1, a_2, \ldots, a_n\}$ is the set of evaluation points of Shamir's secret sharing scheme. Finally, the codeword is the vector of evaluations of $q'$ on $A$. This characterization shows that $\mathsf{ShaSh}_{n,t}(0)|_{\Theta}(\mathbf{0})$ is an $[n,\, t-\theta-1,\, n-t+2]$ code. Now we are done. Take $C$ to be the restriction of $\mathsf{ShaSh}_{n,t}(0)|_{\Theta}(\mathbf{0})$ to $\bar\Theta$ and the shift $\mathbf{b} = \mathbf{p} + (s - p(0))\cdot\mathbf{1}$. The code $C$ is an $[n-\theta,\, t-\theta-1,\, n-t+2]$ code because all the excluded positions are $0$ and hence do not affect the distance. This completes the argument. □

Example Parameter Settings

Let us now simplify the bounds for some specific parameter settings. All the statements in this section assume that the parameters $n, p, m, \theta, \varepsilon$ are functions of some implicit parameter $\lambda \in \mathbb{N}$.

Additive Secret Sharing. The following corollary shows that for additive secret sharing, if a constant number of bits is leaked per share ($m = O(1)$), then as long as the prime order $p$ is larger than $2^m$ (i.e., not all the bits are leaked) and $n-\theta$ goes to infinity, the adversary's advantage goes to $0$ exponentially fast in $n-\theta$.

Corollary 2.4.10 (Additive Secret Sharing with Constant-Size Leakage). If $m = O(1)$ and $p > 2^m$, the additive secret sharing $\mathsf{AddSh}_n$ for $n$ parties is $(\theta, m, \varepsilon)$-LL resilient where $\varepsilon = 2^{-\Omega(n-\theta)}$.

Proof. Since $c_m < 1$ as soon as $p > 2^m$, there exists a constant $c > 0$ such that $c_m \le 2^{-c}$ for all values of the implicit parameter $\lambda \in \mathbb{N}$. Corollary 2.4.8 implies that the additive secret sharing $\mathsf{AddSh}_n$ is $(\theta, m, \varepsilon)$-LL resilient when:

$$\varepsilon = 2^m \cdot c_m^{\,n-\theta-2} \le 2^{\,m - c(n-\theta-2)} = 2^{-\Omega(n-\theta)}.$$

The following corollary shows in particular that for additive secret sharing, if all but one bit is leaked per share ($m = \lfloor \log_2 p \rfloor - 1$) and $n - \theta = \Omega(p^2 \log p)$, the scheme is $\varepsilon = 1/3$-LL resilient.

Corollary 2.4.11 (Additive Secret Sharing with All-but-One Bit of Leakage). Let $\eta > 0$ be a constant. If $p$ goes to infinity, $\theta < n-2$, and $m = \lfloor \log_2 p - \eta \rfloor$, then the additive secret sharing $\mathsf{AddSh}_n$ for $n$ parties is $(\theta, m, \varepsilon)$-LL resilient where $\varepsilon = 2^{\,m - \Omega(n-\theta)/p^2}$.

The corollary is actually stronger than the informal statement above, as it holds even if "less than a bit" is not leaked (more precisely, if the remaining min-entropy of each share is $\eta$).

Proof. We have:

$$\begin{aligned}
c_m &= \frac{2^m \sin(\pi/2^m)}{p \sin(\pi/p)} = \frac{1 - \frac{\pi^2}{6\cdot 2^{2m}} + O\!\left(\frac{1}{2^{4m}}\right)}{1 - \frac{\pi^2}{6 p^2} + O\!\left(\frac{1}{p^4}\right)} \\
&= 1 - \frac{\pi^2}{6}\left(\frac{1}{2^{2m}} - \frac{1}{p^2}\right) + O\!\left(\frac{1}{p^4}\right) \\
&\le 1 - \frac{\pi^2\,(2^{2\eta} - 1)}{6\, p^2} + O\!\left(\frac{1}{p^4}\right),
\end{aligned}$$

where the inequality comes from the fact that $2^m \le p/2^\eta$. We denote by $c$ the constant $c = \pi^2(2^{2\eta} - 1)/(6 \log 2) > 0$, where $\log$ denotes the natural logarithm (while $\log_2$ denotes the logarithm in base $2$). From the inequality $\log(1+x) \le x$ for $x > -1$, we have:

$$\log_2 c_m \le -\frac{c}{p^2} + O\!\left(\frac{1}{p^4}\right). \tag{2.5}$$

Finally, Corollary 2.4.8 implies that the additive secret sharing $\mathsf{AddSh}_n$ is $(\theta, m, \varepsilon)$-LL resilient when:

$$\varepsilon = 2^m \cdot c_m^{\,n-\theta-2} \le 2^{\,m - (n-\theta-2)\, c/p^2 + O((n-\theta)/p^4)},$$

where the inequality comes from Eq. (2.5). When the implicit parameter $\lambda$ is large enough, $p$ is large enough and the term $O((n-\theta)/p^4)$ in the inequality above is less than $(n-\theta-2)\cdot c/(2p^2)$. Thus, for a large enough implicit parameter:

$$\varepsilon \le 2^{\,m - (n-\theta-2)\cdot c/(2p^2)}.$$

This concludes the proof. □

Shamir's Secret Sharing. The following corollary shows that for Shamir's secret sharing, if a constant number of bits is leaked per share ($m = O(1)$) and a constant number of shares are completely leaked ($\theta = O(1)$), there exists $\alpha < 1$ such that if $t \ge \alpha n$ and $n$ goes to infinity, the adversary's advantage goes to $0$ exponentially fast in $n$.

Corollary 2.4.12 (Shamir's Secret Sharing with Constant-Size Leakage). If $m = O(1)$, $\theta = O(1)$, and $n$ goes to infinity, there exists $\alpha < 1$ such that the Shamir's secret sharing scheme $\mathsf{ShaSh}_{n,t}$ for $n$ parties and threshold $t \ge \alpha n$ is $(\theta, m, \varepsilon)$-LL resilient where $\varepsilon = 2^{-\Omega(n)}$.

Proof. When the implicit parameter $\lambda \in \mathbb{N}$ is large enough, $p > n$ is large and $c'_m \le 2^{-c}$ for some constant $c > 0$. Corollary 2.4.9 implies that the Shamir's secret sharing scheme $\mathsf{ShaSh}_{n,t}$ is $(\theta, m, \varepsilon)$-LL resilient where:

$$\begin{aligned}
\varepsilon &\le 2^{(5m+1)(n-t)+m} \cdot (c'_m)^{2t-n-\theta-2} \\
&\le 2^{(5m+1)(n-t)+m-c(2t-n-\theta-2)} \\
&= 2^{(5m+1+c)\,n-(5m+1+2c)\,t+m+c\theta+2c}.
\end{aligned}\tag{2.6, 2.7, 2.8}$$

Hence, choosing $\alpha > (5m+1+c)/(5m+1+2c)$ but still $\alpha < 1$, if $t \ge \alpha n$ we have:

$$\varepsilon \le 2^{\,((5m+1+c) - \alpha(5m+1+2c))\,n + m + c\theta + 2c} = 2^{-\Omega(n)},$$

because $(5m+1+c) - \alpha(5m+1+2c)$ is a negative constant and $m + c\theta + 2c = O(1)$. □

Corollary 2.4.13 (Shamir's Secret Sharing with Constant-Fraction Leakage). Let $\theta = O(1)$. For sufficiently large $n$, for $n < p \le 2n$ and $m = \lceil (\log p)/4 \rceil$, the Shamir's secret sharing scheme $\mathsf{ShaSh}_{n,t}$ for $n$ parties and threshold $t \ge n - n^{1/4}$ is $(\theta, m, \varepsilon)$-LL resilient where $\varepsilon = 2^{-\Omega(\sqrt{n})}$.

The proof relies on the following bound on $c_m$, proved in Appendix A.1:

Proposition 2.4.14. Let $m \ge 1$ and $p \ge 2$ be two integers. Let $c_m = \dfrac{2^m \sin(\pi/2^m)}{p \sin(\pi/p)}$. We have:

$$\log c_m \le -\frac{1}{2^{2m+1}} + \frac{4}{p}.$$

Proof of Corollary 2.4.13. Corollary 2.4.9 implies that Shamir's secret sharing is leakage resilient where $\varepsilon = p^{\,n-t+1} \cdot c_m^{\,t-\theta}$. Hence, by Proposition 2.4.14, for $m = \lceil (\log p)/4 \rceil$ (so that $2^{2m} \le 4\sqrt{p}$) we get $\log c_m \le -\frac{1}{8\sqrt{p}} + \frac{4}{p} < 0$ for large enough $n < p$. We have:

$$\varepsilon = p^{\,n-t+1} \cdot c_m^{\,t-\theta} = e^{\,\log p \cdot (n-t+1) + (t-\theta)\log c_m} \le e^{\,\log p \cdot (n-t+1) - (t-\theta)\left(\frac{1}{8\sqrt{p}} - \frac{4}{p}\right)}.$$

To complete the proof, observe that $\log p \cdot (n-t+1) - (t-\theta)\big(\frac{1}{8\sqrt{p}} - \frac{4}{p}\big) \le -\sqrt{n}/16$ for large enough $n$, as $n - t \le n^{1/4}$, $p \le 2n$ and $\theta = O(1)$. Hence $\varepsilon \le 2^{-\sqrt{n}/16}$ as desired. □

2.4.3 Proofs of Theorems 2.4.5, 2.4.6, and 2.4.7

The proofs of all three statements follow a very similar outline. We describe the common parts of the proof and then specialize the proofs as required. For a linear code $C$ and leakage functions $\tau = (\tau^{(1)}, \tau^{(2)}, \ldots, \tau^{(n)})$, our overarching goal is to bound the statistical distance $\mathrm{SD}(\tau(C), \tau(U_n))$. The first part of the proof, common to all the theorems, is to write this statistical distance in a Fourier representation. The second part, which is specialized, uses different methods to bound this expression.

Lemma 2.4.15. Let $C \subseteq \mathbb{F}_p^n$ be any $[n, t-1, n-t+2]$ linear code. Let $\tau = (\tau^{(1)}, \tau^{(2)}, \ldots, \tau^{(n)})$ be any family of leakage functions where $\tau^{(j)} : \mathbb{F}_p \to \{0,1\}^m$. We abuse notation and define $\mathbb{1}_{\ell_j}(x) = 1$ if $\tau^{(j)}(x) = \ell_j$ and $0$ otherwise. We then have

$$\mathrm{SD}(\tau(C), \tau(U_n)) = \frac{1}{2}\sum_{\boldsymbol\ell \in \{0,1\}^{m \times n}} \Big|\sum_{\boldsymbol\alpha \in C^\perp \setminus \{\mathbf{0}\}} \prod_{j=1}^{n} \widehat{\mathbb{1}_{\ell_j}}(\alpha_j)\Big|.$$

Before proving the lemma, we briefly describe how the proofs of Theorems 2.4.5 to 2.4.7 follow. The three theorems apply different bounds to the Fourier expression above. Theorem 2.4.5 has the simplest proof, which consists of bounding each of the terms $\widehat{\mathbb{1}_{\ell_j}}(\alpha_j)$ and then invoking convexity. But the proof yields a dependence on the number of terms ($p^{n-t+1}$), which is undesirable. This can be improved by using the Cauchy-Schwarz inequality, as is done in Theorem 2.4.7 and Theorem 2.4.6. The case of additive secret sharing (Theorem 2.4.7) serves as a warm-up for the more intricate proof of Theorem 2.4.6. We start by proving Lemma 2.4.15. Recall that $\omega = \exp(2\pi i/p)$ is a primitive $p$-th root of unity.

Proof of Lemma 2.4.15. We start by proving the Poisson Summation Formula for linear codes $C$. It shows that the expectation of a product of functions over a code can be represented as a sum of products over the dual code. Then we show how this proves the lemma.

Lemma 2.4.16 (Poisson Summation Formula). Let $p \ge 2$ be a prime. Let $C \subseteq \mathbb{F}_p^n$ be a linear code with dual code $C^\perp$. Let $f_1, f_2, \ldots, f_n : \mathbb{F}_p \to \mathbb{C}$ be functions. Let $\Lambda$ be defined as follows:

$$\Lambda(f_1, f_2, \ldots, f_n) = \mathop{\mathbb{E}}_{\mathbf{x} \leftarrow C}\big[f_1(x_1)\cdot f_2(x_2) \cdots f_n(x_n)\big],$$

where $\mathbf{x} = (x_1, x_2, \ldots, x_n)$. Then the following holds:

$$\Lambda(f_1, f_2, \ldots, f_n) = \sum_{\boldsymbol\alpha \in C^\perp} \hat{f}_1(\alpha_1)\cdot\hat{f}_2(\alpha_2)\cdots\hat{f}_n(\alpha_n),$$

where $\boldsymbol\alpha = (\alpha_1, \alpha_2, \ldots, \alpha_n) \in \mathbb{F}_p^n$.

Proof of Poisson Summation Formula (Lemma 2.4.16). The proof is a calculation that uses the fact that for any fixed $\boldsymbol\alpha$, the inner product $\langle \mathbf{x}, \boldsymbol\alpha \rangle$, where $\mathbf{x} \leftarrow C$, is always $0$ when $\boldsymbol\alpha \in C^\perp$ and uniformly random otherwise.

$$\begin{aligned}
\mathop{\mathbb{E}}_{\mathbf{x} \leftarrow C}\Big[\prod_i f_i(x_i)\Big] &= \mathop{\mathbb{E}}_{\mathbf{x} \leftarrow C}\Big[\prod_i \sum_{\alpha_i \in \mathbb{F}_p} \hat{f}_i(\alpha_i)\,\chi_{\alpha_i}(x_i)\Big] \\
&= \sum_{\boldsymbol\alpha \in \mathbb{F}_p^n} \prod_i \hat{f}_i(\alpha_i)\, \mathop{\mathbb{E}}_{\mathbf{x} \leftarrow C}\Big[\prod_i \chi_{\alpha_i}(x_i)\Big] \\
&= \sum_{\boldsymbol\alpha \in \mathbb{F}_p^n} \prod_i \hat{f}_i(\alpha_i)\, \mathop{\mathbb{E}}_{\mathbf{x} \leftarrow C}\big[\omega^{\langle \boldsymbol\alpha, \mathbf{x} \rangle}\big] \\
&= \sum_{\boldsymbol\alpha \in C^\perp} \prod_i \hat{f}_i(\alpha_i),
\end{aligned}$$

where the first equality follows from the Fourier Inversion Formula (Theorem 2.3.9(b)), the third equality follows because $\chi_{\alpha_i}(x) = \omega^{\alpha_i x}$, and the last equality follows because $\mathop{\mathbb{E}}_{\mathbf{x} \leftarrow C}[\omega^{\langle \boldsymbol\alpha, \mathbf{x} \rangle}] = 1$ if $\boldsymbol\alpha \in C^\perp$ and $0$ otherwise. □

Equipped with Lemma 2.4.16, we now prove Lemma 2.4.15. This proof primarily specializes the Poisson Summation formula to the specific case of leakage functions. Note that given any output leakage value $\boldsymbol\ell = (\ell_1, \ldots, \ell_n)$,

$$\Pr_{\mathbf{x} \leftarrow C}[\tau(\mathbf{x}) = \boldsymbol\ell] = \mathop{\mathbb{E}}_{\mathbf{x} \leftarrow C}\big[\mathbb{1}_{\ell_1}(x_1)\cdot\mathbb{1}_{\ell_2}(x_2)\cdots\mathbb{1}_{\ell_n}(x_n)\big] = \mathop{\mathbb{E}}_{\mathbf{x} \leftarrow C}\Big[\prod_j \mathbb{1}_{\ell_j}(x_j)\Big].$$

This is simply saying that $\mathbb{1}_{\ell_j}(x_j)$ indicates whether the leakage from the share $x_j$ is the corresponding value $\ell_j$. Hence we have:

$$\begin{aligned}
\mathrm{SD}(\tau(C), \tau(U_n)) &= \frac{1}{2}\sum_{\boldsymbol\ell}\Big|\mathop{\mathbb{E}}_{\mathbf{x} \leftarrow C}\Big[\prod_j \mathbb{1}_{\ell_j}(x_j)\Big] - \mathop{\mathbb{E}}_{\mathbf{x} \leftarrow U_n}\Big[\prod_j \mathbb{1}_{\ell_j}(x_j)\Big]\Big| \\
&= \frac{1}{2}\sum_{\boldsymbol\ell}\Big|\sum_{\boldsymbol\alpha \in C^\perp} \prod_j \widehat{\mathbb{1}_{\ell_j}}(\alpha_j) - \mathop{\mathbb{E}}_{\mathbf{x} \leftarrow U_n}\Big[\prod_j \mathbb{1}_{\ell_j}(x_j)\Big]\Big| \\
&= \frac{1}{2}\sum_{\boldsymbol\ell}\Big|\sum_{\boldsymbol\alpha \in C^\perp \setminus \{\mathbf{0}\}} \prod_j \widehat{\mathbb{1}_{\ell_j}}(\alpha_j)\Big|,
\end{aligned}$$

where the second equality follows from Poisson Summation (Lemma 2.4.16) and the third equality follows from the fact that $\mathop{\mathbb{E}}_{\mathbf{x} \leftarrow U_n}[\prod_j \mathbb{1}_{\ell_j}(x_j)] = \prod_j |(\tau^{(j)})^{-1}(\ell_j)|/p = \prod_j \widehat{\mathbb{1}_{\ell_j}}(0)$. This completes the proof of Lemma 2.4.15. □

Proof of Theorem 2.4.5

We recall Theorem 2.4.5 below.

Theorem 2.4.5. Let $C \subseteq \mathbb{F}_p^n$ be any $[n, t-1, n-t+2]$ linear code. Let $\tau = (\tau^{(1)}, \tau^{(2)}, \ldots, \tau^{(n)})$ be any family of leakage functions where $\tau^{(j)} : \mathbb{F}_p \to \{0,1\}^m$. Let $c_m = \dfrac{2^m \sin(\pi/2^m)}{p \sin(\pi/p)} < 1$ (when $2^m < p$). Then,

$$\mathrm{SD}(\tau(C), \tau(U_n)) \le \frac{1}{2}\, p^{\,n-t+1}\, c_m^{\,t},$$

where $U_n$ is the uniform distribution on $\mathbb{F}_p^n$ and:

$$\tau(C) = \big\{(\tau^{(i)}(x_i))_{i \in [n]} : \mathbf{x} \leftarrow C\big\} \quad\text{and}\quad \tau(U_n) = \big\{(\tau^{(i)}(x_i))_{i \in [n]} : \mathbf{x} \leftarrow U_n\big\}.$$

In Lemma 2.4.15, we represented the statistical distance SD(r(C), r(Un)) in terms of Fourier coefficients of some characteristic functions of the leakage. Next, in Lemma 2.4.17, we show bounds on these Fourier coefficients, which then allows us to complete the proof of Theorem 2.4.5.

Lemma 2.4.17. Let $m$ be some positive real number such that $2^m$ is an integer. Let $c_m = \dfrac{2^m \sin(\pi/2^m)}{p \sin(\pi/p)}$. For any sets $A_1, A_2, \ldots, A_{2^m} \subseteq \mathbb{F}_p$ such that $\sum_i |A_i| = p$, we have:

$$\sum_{i=1}^{2^m} \big|\widehat{\mathbb{1}_{A_i}}(a)\big| \le \begin{cases} 1 & \text{if } a = 0, \\ c_m & \text{if } a \ne 0, \end{cases}$$

where $\mathbb{1}_A : \mathbb{F}_p \to \{0,1\}$ is the characteristic function of the set $A \subseteq \mathbb{F}_p$ (i.e., $\mathbb{1}_A(x) = 1$ if $x \in A$ and $0$ otherwise).

Proof. This proof relies on Lemma 2.3.11 and uses concavity to argue about partitions. The case $a = 0$ follows directly from the following fact:

$$\widehat{\mathbb{1}_A}(0) = \mathop{\mathbb{E}}_x\big[\mathbb{1}_A(x)\cdot\omega^{0\cdot x}\big] = |A|/p.$$

Let us now focus on the case $a \ne 0$. Recall that $\varphi(k) = \dfrac{\sin(\pi k/p)}{\sin(\pi/p)}$. Let $t_i = |A_i|$. As $a \ne 0$, observe that $\widehat{\mathbb{1}_A}(a) = \mathop{\mathbb{E}}_x[\mathbb{1}_A(x)\cdot\omega^{ax}] = \frac{1}{p}\sum_{x \in aA} \omega^{x}$, where $\omega = \exp(2\pi i/p)$ and $aA = \{ax : x \in A\}$ has the same size as $A$. We have:

$$\sum_{i=1}^{2^m} \big|\widehat{\mathbb{1}_{A_i}}(a)\big| = \frac{1}{p}\sum_{i=1}^{2^m}\Big|\sum_{x \in aA_i}\omega^{x}\Big| \le \frac{1}{p}\sum_{i=1}^{2^m}\frac{\sin(\pi t_i/p)}{\sin(\pi/p)} \le \frac{1}{p}\cdot 2^m\cdot\frac{\sin(\pi/2^m)}{\sin(\pi/p)} = c_m,$$

where the first inequality follows from Lemma 2.3.11 and the second inequality follows from the concavity of the $\sin(\cdot)$ function on $[0, \pi]$, so the sum is maximized when all $t_i = p/2^m$. □

Completing the Proof. At this point, given Lemmas 2.4.15 and 2.4.17 we can complete the proof of Theorem 2.4.5.

Proof of Theorem 2.4.5. We recall that we abuse notation and define $\mathbb{1}_{\ell_j}(x) = \mathbb{1}_{(\tau^{(j)})^{-1}(\ell_j)}(x)$. We can express the statistical distance as follows:

$$\begin{aligned}
\mathrm{SD}(\tau(C), \tau(U_n)) &= \frac{1}{2}\sum_{\boldsymbol\ell}\Big|\sum_{\boldsymbol\alpha \in C^\perp \setminus \{\mathbf{0}\}} \prod_j \widehat{\mathbb{1}_{\ell_j}}(\alpha_j)\Big| \\
&\le \frac{1}{2}\sum_{\boldsymbol\alpha \in C^\perp \setminus \{\mathbf{0}\}}\ \sum_{\boldsymbol\ell}\ \prod_j \big|\widehat{\mathbb{1}_{\ell_j}}(\alpha_j)\big| \\
&= \frac{1}{2}\sum_{\boldsymbol\alpha \in C^\perp \setminus \{\mathbf{0}\}}\ \prod_j\ \sum_{\ell_j \in \{0,1\}^m} \big|\widehat{\mathbb{1}_{\ell_j}}(\alpha_j)\big|,
\end{aligned}$$

where the first equality comes from Lemma 2.4.15 and the first inequality follows from the triangle inequality. To complete the proof, we bound $\sum_{\ell_j} |\widehat{\mathbb{1}_{\ell_j}}(\alpha_j)|$ using Lemma 2.4.17 (the sets $(\tau^{(j)})^{-1}(\ell_j)$ for $\ell_j \in \{0,1\}^m$ partition $\mathbb{F}_p$) and get:

$$\mathrm{SD}(\tau(C), \tau(U_n)) \le \frac{1}{2}\sum_{\boldsymbol\alpha \in C^\perp \setminus \{\mathbf{0}\}} c_m^{\,\mathrm{HW}(\boldsymbol\alpha)} \le \frac{1}{2}\, p^{\,n-t+1}\, c_m^{\,t},$$

since $C^\perp$ is an $[n, n-t+1, t]$ code: it has $p^{n-t+1}$ codewords, each non-zero one of Hamming weight at least $t$. □

Warm-Up: Proof of Theorem 2.4.7

Next, we prove stronger bounds on additive secret sharing (Theorem 2.4.7). This serves as a warm-up to the general result (Theorem 2.4.6). We start by recalling Theorem 2.4.7.

Theorem 2.4.7 (Additive Secret Sharing). Let $C \subseteq \mathbb{F}_p^n$ be the code generated by $\mathsf{AddSh}_n(0)$. Let $\tau = (\tau^{(1)}, \tau^{(2)}, \ldots, \tau^{(n)})$ be any family of leakage functions where $\tau^{(j)} : \mathbb{F}_p \to \{0,1\}^m$. Let $c_m = \dfrac{2^m \sin(\pi/2^m)}{p \sin(\pi/p)} < 1$ (when $2^m < p$). Then,

$$\mathrm{SD}(\tau(C), \tau(U_n)) \le \frac{1}{2}\cdot 2^m \cdot c_m^{\,n-2},$$

where $U_n$ is the uniform distribution on $\mathbb{F}_p^n$.

For the proof, we need a bound on Fourier coefficients. Hence, we start by stating and proving the following corollary of Lemma 2.4.17.

Lemma 2.4.18. Let $m$ be some positive real such that $2^m$ is an integer. Let $c_m = \dfrac{2^m \sin(\pi/2^m)}{p \sin(\pi/p)}$. For any sets $A_1, A_2, \ldots, A_{2^m} \subseteq \mathbb{F}_p$ such that $\sum_i |A_i| = p$, we have:

$$\sum_{i=1}^{2^m}\ \max_{a \ne 0}\ \big|\widehat{\mathbb{1}_{A_i}}(a)\big| \le c_m.$$

Proof. We remark that for $a \ne 0$: $\widehat{\mathbb{1}_A}(a) = \frac{1}{p}\sum_{x \in aA}\omega^{x} = \widehat{\mathbb{1}_{aA}}(1)$. Hence, for any $i \in [2^m]$, there exists $a_i \ne 0$ such that:

$$\max_{a \ne 0}\ \big|\widehat{\mathbb{1}_{A_i}}(a)\big| = \big|\widehat{\mathbb{1}_{A_i}}(a_i)\big| = \Big|\frac{1}{p}\sum_{x \in a_i A_i}\omega^{x}\Big| = \big|\widehat{\mathbb{1}_{a_i A_i}}(1)\big|.$$

We conclude using Lemma 2.4.17 with $a = 1$ and the sets $a_1 A_1, \ldots, a_{2^m} A_{2^m}$ (whose sizes still sum to $p$). □

Proof of Theorem 2.4.7. We recall that we abuse notation and define $\mathbb{1}_{\ell_j}(x) = \mathbb{1}_{(\tau^{(j)})^{-1}(\ell_j)}(x)$. We can express the statistical distance as follows, thanks to Lemma 2.4.15:

$$\mathrm{SD}(\tau(C), \tau(U_n)) = \frac{1}{2}\sum_{\boldsymbol\ell}\Big|\sum_{\boldsymbol\alpha \in C^\perp \setminus \{\mathbf{0}\}} \prod_j \widehat{\mathbb{1}_{\ell_j}}(\alpha_j)\Big|.$$

As the dual code of $C$ is the linear code generated by $\mathbf{1}$ (the all-ones vector), the sum is equivalently

$$\mathrm{SD}(\tau(C), \tau(U_n)) = \frac{1}{2}\sum_{\boldsymbol\ell}\Big|\sum_{a \ne 0} \prod_j \widehat{\mathbb{1}_{\ell_j}}(a)\Big| \le \frac{1}{2}\sum_{\boldsymbol\ell}\ \sum_{a \ne 0} \big|\widehat{\mathbb{1}_{\ell_1}}(a)\big|\cdot\big|\widehat{\mathbb{1}_{\ell_2}}(a)\big|\cdot\prod_{j \ge 3}\big|\widehat{\mathbb{1}_{\ell_j}}(a)\big|.$$

Now, we use Cauchy-Schwarz to get that

$$\begin{aligned}
\mathrm{SD}(\tau(C), \tau(U_n)) &\le \frac{1}{2}\sum_{\boldsymbol\ell}\Big(\sum_{a \ne 0}\big|\widehat{\mathbb{1}_{\ell_1}}(a)\big|^2\Big)^{1/2}\Big(\sum_{a \ne 0}\big|\widehat{\mathbb{1}_{\ell_2}}(a)\big|^2\Big)^{1/2}\prod_{j \ge 3}\max_{a \ne 0}\big|\widehat{\mathbb{1}_{\ell_j}}(a)\big| \\
&\le \frac{1}{2}\Big(\sum_{\ell_1}\big\|\widehat{\mathbb{1}_{\ell_1}}\big\|_2\Big)\Big(\sum_{\ell_2}\big\|\widehat{\mathbb{1}_{\ell_2}}\big\|_2\Big)\prod_{j \ge 3}\Big(\sum_{\ell_j}\max_{a \ne 0}\big|\widehat{\mathbb{1}_{\ell_j}}(a)\big|\Big).
\end{aligned}$$

To complete the proof we use the following claim.

Claim 2.4.18.1. For any $j \in [n]$, $\sum_{\ell_j \in \{0,1\}^m} \big\|\widehat{\mathbb{1}_{\ell_j}}\big\|_2 \le 2^{m/2}$.

Proof. We have $\|\widehat{\mathbb{1}_{\ell_j}}\|_2 = \|\mathbb{1}_{\ell_j}\|_2 = \Pr_{a \leftarrow \mathbb{F}_p}[\mathbb{1}_{\ell_j}(a) = 1]^{1/2}$ (Parseval's identity). Furthermore, the events $[\mathbb{1}_{\ell_j}(a) = 1]$ are pairwise disjoint for $\ell_j \in \{0,1\}^m$, and $\sum_{\ell_j \in \{0,1\}^m}\Pr_{a \leftarrow \mathbb{F}_p}[\mathbb{1}_{\ell_j}(a) = 1] = 1$. Thus:

$$\sum_{\ell_j \in \{0,1\}^m}\big\|\widehat{\mathbb{1}_{\ell_j}}\big\|_2 = \sum_{\ell_j \in \{0,1\}^m}\Pr_{a \leftarrow \mathbb{F}_p}[\mathbb{1}_{\ell_j}(a) = 1]^{1/2} \le 2^m\cdot\Big(2^{-m}\sum_{\ell_j \in \{0,1\}^m}\Pr_{a \leftarrow \mathbb{F}_p}[\mathbb{1}_{\ell_j}(a) = 1]\Big)^{1/2} = 2^{m/2},$$

where the inequality comes from the concavity of $x \mapsto x^{1/2}$. □

To complete the proof, observe that $\sum_{\ell_j}\max_{a \ne 0}|\widehat{\mathbb{1}_{\ell_j}}(a)| \le c_m$ by Lemma 2.4.18. This implies:

$$\mathrm{SD}(\tau(C), \tau(U_n)) \le \frac{1}{2}\cdot 2^{m/2}\cdot 2^{m/2}\cdot c_m^{\,n-2} = \frac{1}{2}\cdot 2^m\cdot c_m^{\,n-2}. \qquad\square$$
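As an added worked example (not code from the thesis), the following script evaluates both sides of Lemma 2.4.15 for the additive-sharing code of Theorem 2.4.7 and checks the resulting statistical distance against the bound $\frac{1}{2}\cdot 2^m\cdot c_m^{\,n-2}$; the parameters $p = 7$, $n = 4$, $m = 1$, the four leakage sets and the brute-force computation of $C^\perp$ are this example's own assumptions.

```python
"""Numerical check of Lemma 2.4.15 and Theorem 2.4.7 for additive secret sharing.

Added example (not code from the thesis). Constructed parameters: p = 7, n = 4
parties, m = 1 bit leaked per share, and four constructed leakage functions.
"""
import cmath
import itertools
import math

P, N, M = 7, 4, 1                      # prime field, parties, bits leaked per share
OMEGA = cmath.exp(2j * math.pi / P)    # omega = exp(2 pi i / p), primitive p-th root of unity

# Constructed 1-bit leakage functions tau^(j): F_p -> {0,1}, tau^(j)(x) = 1 iff x in S_j.
LEAK_SETS = [{1, 3, 5}, {0, 1, 2}, {2, 4, 6}, {3, 4, 5, 6}]


def tau(j, x):
    """Leakage function of party j applied to its share x."""
    return 1 if x % P in LEAK_SETS[j] else 0


def code_c():
    """C = AddSh_n(0): all vectors of F_p^n whose coordinates sum to 0 (p^(n-1) words)."""
    return [v for v in itertools.product(range(P), repeat=N) if sum(v) % P == 0]


def dual_code(code):
    """C^perp by brute force: every alpha with <alpha, x> = 0 for all x in C."""
    return [a for a in itertools.product(range(P), repeat=N)
            if all(sum(ai * xi for ai, xi in zip(a, x)) % P == 0 for x in code)]


def leakage_distribution(vectors):
    """Distribution of (tau^(1)(x_1), ..., tau^(n)(x_n)) for x uniform over `vectors`."""
    counts = {}
    for v in vectors:
        key = tuple(tau(j, v[j]) for j in range(N))
        counts[key] = counts.get(key, 0) + 1
    return {k: c / len(vectors) for k, c in counts.items()}


def sd_by_enumeration():
    """SD(tau(C), tau(U_n)) computed directly from the two leakage distributions."""
    pc = leakage_distribution(code_c())
    pu = leakage_distribution(list(itertools.product(range(P), repeat=N)))
    return 0.5 * sum(abs(pc.get(k, 0.0) - pu.get(k, 0.0)) for k in set(pc) | set(pu))


def fourier_coeff(j, ell, a):
    """hat{1_ell}(a) = E_x[ 1[tau^(j)(x) = ell] * omega^(a x) ], x uniform in F_p."""
    return sum(OMEGA ** (a * x) for x in range(P) if tau(j, x) == ell) / P


def sd_by_fourier():
    """Lemma 2.4.15: SD = 1/2 * sum_ell | sum_{alpha in C^perp, alpha != 0} prod_j hat{1_{ell_j}}(alpha_j) |."""
    nonzero_dual = [a for a in dual_code(code_c()) if any(a)]
    total = 0.0
    for ell in itertools.product(range(2 ** M), repeat=N):
        inner = 0
        for alpha in nonzero_dual:
            term = 1
            for j in range(N):
                term *= fourier_coeff(j, ell[j], alpha[j])
            inner += term
        total += abs(inner)
    return 0.5 * total


def c_m():
    """c_m = 2^m sin(pi / 2^m) / (p sin(pi / p)); c_m < 1 whenever 2^m < p."""
    return 2 ** M * math.sin(math.pi / 2 ** M) / (P * math.sin(math.pi / P))


def theorem_2_4_7_bound():
    """Theorem 2.4.7: SD(tau(C), tau(U_n)) <= 1/2 * 2^m * c_m^(n-2)."""
    return 0.5 * 2 ** M * c_m() ** (N - 2)


def lemma_2_4_17_holds(j):
    """Lemma 2.4.17 on the partition {tau^(j)^-1(ell)}_ell: sum_ell |hat{1_ell}(a)| <= c_m for a != 0."""
    return all(sum(abs(fourier_coeff(j, ell, a)) for ell in range(2 ** M)) <= c_m() + 1e-12
               for a in range(1, P))


if __name__ == "__main__":
    print("SD (enumeration)    =", sd_by_enumeration())
    print("SD (Fourier)        =", sd_by_fourier())
    print("Theorem 2.4.7 bound =", theorem_2_4_7_bound())
```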

Proof of Theorem 2.4.6

We turn towards proving Theorem 2.4.6. The strategy again is to use Cauchy-Schwarz. Now we need a significantly more delicate variant of Lemma 2.4.18. We start by recalling the theorem.

Theorem 2.4.6. Let $C \subseteq \mathbb{F}_p^n$ be any $[n, t-1, n-t+2]$ linear code. Let $\tau = (\tau^{(1)}, \tau^{(2)}, \ldots, \tau^{(n)})$ be any family of leakage functions where $\tau^{(j)} : \mathbb{F}_p \to \{0,1\}^m$. Let $c'_m = \dfrac{2^m \sin(\pi/2^m + \pi/2^{4m})}{p \sin(\pi/p)}$. Then,

$$\mathrm{SD}(\tau(C), \tau(U_n)) \le \frac{1}{2}\cdot 2^{(5m+1)(n-t)+m}\cdot (c'_m)^{2t-n-2},$$

where $U_n$ is the uniform distribution on $\mathbb{F}_p^n$.

Let us now prove Theorem 2.4.6. We start with a lemma that uses the Cauchy-Schwarz inequality to get rid of the sum over all codewords in $C^\perp$ in the proof of Theorem 2.4.5, and hence remove the dependence on $p$, at the expense of a factor $2^{m(n-t+1)-1}$ and a more complicated expression involving a maximum over all codewords in $C^\perp$. Then we will show a bound on that expression. We begin by describing a property of all MDS codes.

Proposition 2.4.19. An $[n, k, d]$ linear code $C$ is an MDS code if and only if every set of $n-k$ columns of its parity check matrix $H \in \mathbb{F}_p^{(n-k) \times n}$ is linearly independent.

Proof. The code $C$ consists exactly of the vectors $\mathbf{v}$ such that $H\mathbf{v} = \mathbf{0}$. If there exists a set of $n-k$ columns of $H$ that are not linearly independent, then there exists a non-zero vector $\mathbf{v}$ of Hamming weight at most $n-k$ such that $H\mathbf{v} = \mathbf{0}$. Thus the minimum distance $d$ of $C$ is at most $n-k$ and $C$ is not MDS. Conversely, if $C$ is not an MDS code, it contains a non-zero vector $\mathbf{v}$ of Hamming weight at most $n-k$, and the set of (at most $n-k$) columns of $H$ corresponding to the non-zero coefficients of $\mathbf{v}$ is not linearly independent. □

Lemma 2.4.20. Let $C$ be an $[n, t-1, n-t+2]$ linear MDS code with parity check matrix $H$. Partition the indices of the columns of $H$ into $[n] = I_1 \cup I_2 \cup I_3$, where $I_1, I_2$ have size $n-t+1$ each. Let $\{\mathbf{h}_j\}$ be the family of the columns of $H$. Let $m$ be a positive integer. Let $\tau = (\tau^{(1)}, \tau^{(2)}, \ldots, \tau^{(n)})$ be any family of leakage functions where $\tau^{(j)} : \mathbb{F}_p \to \{0,1\}^m$. We abuse notation and define $\mathbb{1}_{\ell_j}(x) = 1$ if $\tau^{(j)}(x) = \ell_j$ and $0$ otherwise. We then have:

$$\mathrm{SD}(\tau(C), \tau(U_n)) \le \frac{1}{2}\cdot 2^{m(n-t+1)}\cdot\sum_{\{\ell_j\}_{j \in I_3}}\ \max_{\boldsymbol\beta \in \mathbb{F}_p^{n-t+1} \setminus \{\mathbf{0}\}}\ \prod_{j \in I_3}\big|\widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\big|,$$

where $\{\ell_j\}_{j \in I_3}$ ranges over $\{0,1\}^{m \times |I_3|}$.

The core of the proof is the following lemma, which aims at bounding the Fourier expression

$$\sum_{\{\ell_j\}_{j \in I_3}}\ \max_{\boldsymbol\beta \in \mathbb{F}_p^{n-t+1} \setminus \{\mathbf{0}\}}\ \prod_{j \in I_3}\big|\widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\big|.$$

Lemma 2.4.21. Let $D \subseteq \mathbb{F}_p^k$ be any code of distance at least $d$. Let $\tau = (\tau^{(1)}, \tau^{(2)}, \ldots, \tau^{(k)})$ be any family of leakage functions where $\tau^{(j)} : \mathbb{F}_p \to \{0,1\}^m$. We abuse notation and define $\mathbb{1}_{\ell_j}(x) = 1$ if $\tau^{(j)}(x) = \ell_j$ and $0$ otherwise. Let $c'_m = \dfrac{2^m \sin(\pi/2^m + \pi/2^{4m})}{p \sin(\pi/p)}$. We then have:

$$\sum_{\boldsymbol\ell \in (\{0,1\}^m)^k}\ \max_{\boldsymbol\alpha \in D \setminus \{\mathbf{0}\}}\ \prod_{j=1}^{k}\big|\widehat{\mathbb{1}_{\ell_j}}(\alpha_j)\big| \le 2^{(4m+1)\cdot(k-d)}\cdot(c'_m)^k.$$

We first finish the proof of Theorem 2.4.6 assuming Lemmas 2.4.20 and 2.4.21 and then prove the lemmas.

Proof of Theorem 2.4.6. Let $k = |I_3| = 2t-n-2$. Let $D = \{\mathbf{x}_{I_3} : \mathbf{x} \in C^\perp\} \subseteq \mathbb{F}_p^k$. As $C^\perp$ is an $[n, n-t+1, t]$ code, $D$ is a $[k, k', d]$ code such that $k' \le n-t+1$ and $d \ge t-(n-k)$ (hence, $k - d \le n-t$). We then use Lemma 2.4.20 followed by Lemma 2.4.21 to get:

$$\begin{aligned}
\mathrm{SD}(\tau(C), \tau(U_n)) &\le \frac{1}{2}\cdot 2^{m(n-t+1)}\cdot\sum_{\{\ell_j\}_{j \in I_3}}\ \max_{\boldsymbol\beta \in \mathbb{F}_p^{n-t+1} \setminus \{\mathbf{0}\}}\ \prod_{j \in I_3}\big|\widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\big| \\
&\le \frac{1}{2}\cdot 2^{m(n-t+1)}\cdot 2^{(4m+1)\cdot(k-d)}\cdot(c'_m)^k \le \frac{1}{2}\cdot 2^{(5m+1)(n-t)+m}\cdot(c'_m)^{2t-n-2}.
\end{aligned}$$

This concludes the proof of Theorem 2.4.6. □

Next, we prove the two lemmas. The first one applies Cauchy-Schwarz on the subsets of coordinates $I_1$ and $I_2$, and the second bounds Fourier coefficients.

Proof of Lemma 2.4.20. By Lemma 2.4.15, we can express the statistical distance as follows:

$$\begin{aligned}
\mathrm{SD}(\tau(C), \tau(U_n)) &= \frac{1}{2}\sum_{\boldsymbol\ell}\Big|\sum_{\boldsymbol\alpha \in C^\perp \setminus \{\mathbf{0}\}}\prod_j \widehat{\mathbb{1}_{\ell_j}}(\alpha_j)\Big| \\
&= \frac{1}{2}\sum_{\boldsymbol\ell}\Big|\sum_{\boldsymbol\beta \in \mathbb{F}_p^{n-t+1} \setminus \{\mathbf{0}\}}\prod_j \widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\Big| \\
&\le \frac{1}{2}\sum_{\boldsymbol\ell}\ \sum_{\boldsymbol\beta \in \mathbb{F}_p^{n-t+1} \setminus \{\mathbf{0}\}}\Big(\prod_{j \in I_1}\big|\widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\big|\Big)\Big(\prod_{j \in I_2 \cup I_3}\big|\widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\big|\Big) \\
&\le \frac{1}{2}\sum_{\boldsymbol\ell}\Big(\sum_{\boldsymbol\beta \ne \mathbf{0}}\prod_{j \in I_1}\big|\widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\big|^2\Big)^{1/2}\Big(\sum_{\boldsymbol\beta \ne \mathbf{0}}\prod_{j \in I_2 \cup I_3}\big|\widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\big|^2\Big)^{1/2} \\
&\le \frac{1}{2}\sum_{\boldsymbol\ell}\Big(\sum_{\boldsymbol\beta \ne \mathbf{0}}\prod_{j \in I_1}\big|\widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\big|^2\Big)^{1/2}\Big(\sum_{\boldsymbol\beta \ne \mathbf{0}}\prod_{j \in I_2}\big|\widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\big|^2\Big)^{1/2}\max_{\boldsymbol\beta \ne \mathbf{0}}\prod_{j \in I_3}\big|\widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\big|,
\end{aligned}$$

where the second equality uses that the rows of $H$ generate $C^\perp$, so every $\boldsymbol\alpha \in C^\perp$ has the form $\alpha_j = \langle \boldsymbol\beta, \mathbf{h}_j \rangle$ for a unique $\boldsymbol\beta \in \mathbb{F}_p^{n-t+1}$; the first inequality is the triangle inequality and the second comes from the Cauchy-Schwarz inequality.

Since $\{\mathbf{h}_j\}_{j \in I_1}$ is a basis of $\mathbb{F}_p^{n-t+1}$ by Proposition 2.4.19, the function $\boldsymbol\beta \in \mathbb{F}_p^{n-t+1} \mapsto \{\langle \boldsymbol\beta, \mathbf{h}_j \rangle\}_{j \in I_1} \in \mathbb{F}_p^{n-t+1}$ is bijective. We can then write

$$\sum_{\boldsymbol\beta \in \mathbb{F}_p^{n-t+1} \setminus \{\mathbf{0}\}}\prod_{j \in I_1}\big|\widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\big|^2 \le \sum_{\{\alpha_j\}_{j \in I_1} \in \mathbb{F}_p^{n-t+1}}\prod_{j \in I_1}\big|\widehat{\mathbb{1}_{\ell_j}}(\alpha_j)\big|^2 = \prod_{j \in I_1}\sum_{\alpha \in \mathbb{F}_p}\big|\widehat{\mathbb{1}_{\ell_j}}(\alpha)\big|^2 = \prod_{j \in I_1}\big\|\widehat{\mathbb{1}_{\ell_j}}\big\|_2^2.$$

The same holds when $I_1$ is replaced by $I_2$, and we thus have:

$$\begin{aligned}
\mathrm{SD}(\tau(C), \tau(U_n)) &\le \frac{1}{2}\sum_{\boldsymbol\ell}\ \prod_{j \in I_1 \cup I_2}\big\|\widehat{\mathbb{1}_{\ell_j}}\big\|_2\ \max_{\boldsymbol\beta \in \mathbb{F}_p^{n-t+1} \setminus \{\mathbf{0}\}}\prod_{j \in I_3}\big|\widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\big| \\
&= \frac{1}{2}\prod_{j \in I_1 \cup I_2}\Big(\sum_{\ell_j \in \{0,1\}^m}\big\|\widehat{\mathbb{1}_{\ell_j}}\big\|_2\Big)\cdot\sum_{\{\ell_j\}_{j \in I_3}}\ \max_{\boldsymbol\beta \in \mathbb{F}_p^{n-t+1} \setminus \{\mathbf{0}\}}\prod_{j \in I_3}\big|\widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\big| \\
&\le \frac{1}{2}\cdot 2^{|I_1 \cup I_2|\cdot m/2}\cdot\sum_{\{\ell_j\}_{j \in I_3}}\ \max_{\boldsymbol\beta \in \mathbb{F}_p^{n-t+1} \setminus \{\mathbf{0}\}}\prod_{j \in I_3}\big|\widehat{\mathbb{1}_{\ell_j}}(\langle \boldsymbol\beta, \mathbf{h}_j \rangle)\big|,
\end{aligned}$$

where the last inequality comes from Claim 2.4.18.1 and $|I_1 \cup I_2|$ is the cardinality of $I_1 \cup I_2$. We conclude by using the fact that $|I_1 \cup I_2| = 2\cdot(n-t+1)$. □

We now prove Lemma 2.4.21.

Proof of Lemma 2.4.21. We want to bound:

$$\eta = \sum_{\boldsymbol\ell \in (\{0,1\}^m)^k}\ \max_{\boldsymbol\alpha \in D \setminus \{\mathbf{0}\}}\ \prod_{j=1}^{k}\big|\widehat{\mathbb{1}_{\ell_j}}(\alpha_j)\big|.$$

When all the non-zero vectors $\boldsymbol\alpha \in D$ have no zero coefficients, bounding $\eta$ is easy, as we can write $\eta \le \prod_j \sum_{\ell_j} \max_{a \ne 0} |\widehat{\mathbb{1}_{\ell_j}}(a)|$ and proceed as before using Lemma 2.4.18, as in Theorem 2.4.7. The issue is that when this is not the case, each term of the sum might be maximized by a vector $\boldsymbol\alpha$ with different positions of the $0$ coefficients. When $a = 0$, $\sum_{\ell_j \in \{0,1\}^m} \widehat{\mathbb{1}_{\ell_j}}(0) = 1$, hence bounding $\eta$ requires a more careful analysis. To handle this, we introduce a different bound for $|\widehat{\mathbb{1}_{\ell_j}}(\alpha_j)|$, one that allows us to control this issue of the positions of the zero coefficients being different for different terms. We introduce the bound $\psi$ below. The key difference between $\psi$ and $\varphi$ is that $\psi$ is bounded below. This allows us to bound the multiplicative gap between the case when $a = 0$ and otherwise.

Lemma 2.4.22. Let $\psi(x) = \max\big(\varphi(x)/p,\ 2^{-(4m+1)}\big)$. Then $\psi$ has the following properties:

1. Bounds non-zero Fourier coefficients. For every set $A$ of size $t$ and $a \ne 0$,

$$\big|\widehat{\mathbb{1}_A}(a)\big| \le \psi(t).$$

2. Bounds zero Fourier coefficients multiplicatively. For every set $A$ of size $t$,

$$\big|\widehat{\mathbb{1}_A}(0)\big| \le 2^{4m+1}\cdot\psi(t).$$

3. $\psi$ is bounded over partitions. Let $A_1, A_2, \ldots, A_{2^m}$ be any partition of $\mathbb{Z}_p$. Then,

$$\sum_{i=1}^{2^m}\psi(|A_i|) \le c'_m.$$

We first prove Lemma 2.4.21 assuming Lemma 2.4.22, and then prove Lemma 2.4.22. The following calculation proves Lemma 2.4.21. The key idea in this calculation is that, due to the definition of $\psi$, the max over codewords reduces to counting how many zeros the codeword has, and this is at most $k-d$. We need some notation: let us set $t_{\ell_j, j} = |(\tau^{(j)})^{-1}(\ell_j)|$ and let the indicator $\mathbb{1}_0(a_j)$ equal $1$ when $a_j = 0$ and $0$ otherwise.

$$\begin{aligned}
\eta &= \sum_{\boldsymbol\ell \in (\{0,1\}^m)^k}\ \max_{\boldsymbol\alpha \in D \setminus \{\mathbf{0}\}}\prod_{j=1}^{k}\big|\widehat{\mathbb{1}_{\ell_j}}(\alpha_j)\big| \le \sum_{\boldsymbol\ell \in (\{0,1\}^m)^k}\ \max_{\boldsymbol\alpha \in D \setminus \{\mathbf{0}\}}\prod_{j=1}^{k}\big(2^{4m+1}\big)^{\mathbb{1}_0(\alpha_j)}\,\psi(t_{\ell_j, j}) \\
&= \sum_{\boldsymbol\ell \in (\{0,1\}^m)^k}\ \prod_{j=1}^{k}\psi(t_{\ell_j, j})\cdot\max_{\boldsymbol\alpha \in D \setminus \{\mathbf{0}\}}\prod_{j=1}^{k}\big(2^{4m+1}\big)^{\mathbb{1}_0(\alpha_j)} \\
&\le \sum_{\boldsymbol\ell \in (\{0,1\}^m)^k} 2^{(4m+1)\cdot(k-d)}\cdot\prod_{j=1}^{k}\psi(t_{\ell_j, j}) \\
&= 2^{(4m+1)\cdot(k-d)}\cdot\prod_{j=1}^{k}\ \sum_{\ell_j \in \{0,1\}^m}\psi(t_{\ell_j, j}) \\
&\le 2^{(4m+1)\cdot(k-d)}\cdot(c'_m)^k,
\end{aligned}$$

where the first inequality follows from Lemma 2.4.22 parts (1) and (2) with $a \ne 0$ and $a = 0$ respectively; the first equality is a rearrangement; the second inequality follows from observing that $D$ is a code with distance at least $d$ and hence a non-zero codeword has at most $k-d$ zeros; the second equality is a rearrangement; and the third inequality follows from Lemma 2.4.22 part (3) with the partition $\{(\tau^{(j)})^{-1}(\ell_j)\}_{\ell_j}$. □

We now prove Lemma 2.4.22.

Proof of Lemma 2.4.22. We prove the three parts in the three claims below. The first two claims follow easily from the definition, while the last claim requires a computation similar to Lemma 2.4.17 involving concavity.

Claim 2.4.22.1 (Part 1: bounds non-zero Fourier coefficients). For every set $A$ of size $t$ and $a \ne 0$, $|\widehat{\mathbb{1}_A}(a)| \le \psi(t)$.

Proof. From Lemmas 2.3.11 and 2.4.17, we know that $|\widehat{\mathbb{1}_A}(a)| = \big|\sum_{x \in aA}\omega^{x}\big|/p \le \varphi(t)/p$. The claim follows as $\psi(t) = \max(\varphi(t)/p,\ 2^{-(4m+1)})$. □

Claim 2.4.22.2 (Part 2: bounds zero Fourier coefficients). For every set $A$ of size $t$, $|\widehat{\mathbb{1}_A}(0)| \le 2^{4m+1}\cdot\psi(t)$.

Proof. This follows from the observation that $2^{4m+1}\cdot\psi(t) \ge 1$, as $\psi(t) \ge 2^{-(4m+1)}$, and that $|\widehat{\mathbb{1}_A}(0)| \le 1$. □

Claim 2.4.22.3 (Part 3: $\psi$ is bounded over partitions). Let $A_1, A_2, \ldots, A_{2^m}$ be any partition of $\mathbb{Z}_p$. Then $\sum_i \psi(|A_i|) \le c'_m$.

Proof. This claim is a consequence of the concavity of the sine function. We start by observing that

$$\frac{\varphi(p/2^{4m})}{p} = \frac{\sin(\pi/2^{4m})}{p\sin(\pi/p)} \ge 2^{-(4m+1)}.$$

The inequality comes from $\sin(\pi/p) \le \pi/p \le 4/p$ and $\sin(\pi/2^{4m}) \ge (2/\pi)\cdot(\pi/2^{4m})$. Hence, $\psi(t) = \max(2^{-(4m+1)},\ \varphi(t)/p) \le \max\big(\varphi(p/2^{4m})/p,\ \varphi(t)/p\big) = \varphi\big(\max(t, p/2^{4m})\big)/p$.

We are now in a position to complete the proof. Let $t_1, t_2, \ldots, t_{2^m}$ be the sizes of the sets $A_1, \ldots, A_{2^m}$. Then,

$$\begin{aligned}
\sum_{i=1}^{2^m}\psi(t_i) &\le \sum_{i=1}^{2^m}\frac{\varphi(\max(t_i, p/2^{4m}))}{p} = \sum_{i=1}^{2^m}\frac{\sin\big(\pi\cdot\max(t_i, p/2^{4m})/p\big)}{p\sin(\pi/p)} \\
&\le 2^m\cdot\frac{\sin\big(\pi\cdot\sum_i \max(t_i, p/2^{4m})/(2^m p)\big)}{p\sin(\pi/p)} \le 2^m\cdot\frac{\sin(\pi/2^m + \pi/2^{4m})}{p\sin(\pi/p)} = c'_m,
\end{aligned}$$

where the first inequality was described above, the second inequality comes from the concavity of the sine function on $[0, \pi]$, and the third inequality comes from the fact that $\sum_i \max(t_i, p/2^{4m}) \le \sum_i (t_i + p/2^{4m}) = p + 2^m\cdot p/2^{4m}$. □

This concludes the proof of Lemma 2.4.22 and hence of Lemma 2.4.21.

2.5 Leakage Resilience of GMW with preprocessing

In this section, we describe an application of the results on leakage resilience of secret sharing to MPC protocols. Here too, our goal is to show that natural MPC protocols based on linear secret sharing achieve local leakage resilience. Concretely, we show that a variant of the GMW protocol [GMW87] with preprocessing is leakage resilient. We start by defining the notion of MPC protocols with input preprocessing, then describe our security definitions and our results. We consider arithmetic circuits over a field $\mathbb{F}$ over the basis $\mathcal{B} = \{+, \times, -1\}$, where the $-1$ gate negates its input. For convenience, we have input gates that read a field element from the input. The following definition of an MPC protocol is adapted from [GIM+16] (Definition 3).

Definition 2.5.1 ($n$-party protocol with encoded input and output). An $n$-party protocol for $f : \mathbb{F}^{n_{\mathrm{in}}} \to \mathbb{F}^{n_{\mathrm{out}}}$ is defined by $\Pi = (I, R, M, O)$, where:

• Input Encoder. $I : \mathbb{F}^{n_{\mathrm{in}}} \to (\mathbb{F}^{n_{\mathrm{in}}})^n$ is a randomized input encoder circuit, which maps an input $\mathbf{x}$ for $f$ to a tuple of protocol inputs $\hat{\mathbf{x}} = (\hat{x}^{(1)}, \hat{x}^{(2)}, \ldots, \hat{x}^{(n)})$, one for each party.

• Randomness. $R = (R^{(1)}, R^{(2)}, \ldots, R^{(n)})$ are distributions over $\mathbb{F}^{n_r}$ that capture the random inputs of the parties. They are assumed to be correlated due to preprocessing.

• $M = (M^{(1)}, M^{(2)}, \ldots, M^{(n)})$ are deterministic next message functions, where $M^{(j)}$ determines the next message sent by party $j$ as a function of its input $\hat{x}^{(j)}$, random input $r^{(j)}$, and the sequence of messages received in the previous rounds. Messages are sent in rounds, where each party sends a message to possibly every other party. After a predetermined number of rounds, the function $M^{(j)}$ returns a local output $\hat{y}^{(j)} \in \mathbb{F}^{n_{\mathrm{out}}}$ for party $j$.

• $O : (\mathbb{F}^{n_{\mathrm{out}}})^n \to \mathbb{F}^{n_{\mathrm{out}}}$ is a deterministic output decoder circuit, which maps a tuple of protocol outputs $\hat{\mathbf{y}} = (\hat{y}^{(1)}, \ldots, \hat{y}^{(n)})$ to an output $\mathbf{y}$ of $f$.

For $\mathbf{x} \in \mathbb{F}^{n_{\mathrm{in}}}$, we denote by $\Pi(\mathbf{x})$ the output of $\Pi$ on input $\mathbf{x}$, namely the result of applying the input encoder $I$ to $\mathbf{x}$, interacting as specified by $R, M$, and applying the output decoder $O$ to the vector of protocol outputs. We say that $\Pi$ correctly computes $f : \mathbb{F}^{n_{\mathrm{in}}} \to \mathbb{F}^{n_{\mathrm{out}}}$ if for every input $\mathbf{x} \in \mathbb{F}^{n_{\mathrm{in}}}$, we have $\Pr[\Pi(\mathbf{x}) = f(\mathbf{x})] = 1$. We denote by $\mathrm{view}(\mathbf{x})$ the joint distribution $(\mathrm{view}^{(1)}(\mathbf{x}), \ldots, \mathrm{view}^{(n)}(\mathbf{x}))$ obtained by running $\Pi$ on input $\mathbf{x}$, where $\mathrm{view}^{(j)}$ includes the encoded input $\hat{x}^{(j)}$, the random input $r^{(j)}$ (sampled from $R^{(j)}$), and the sequence of messages received by party $j$. (The messages sent by party $j$ as well as its output $\hat{y}^{(j)}$ are uniquely determined by $\mathrm{view}^{(j)}$.)

We denote by $\mathrm{out}(\mathbf{x})$ the joint distribution of the outputs $\hat{\mathbf{y}}$.

2.5.1 Security Definitions

The definition we consider uses the simulation paradigm. We only consider an honest-but-curious definition, albeit one where the adversary can leak information from the views of the uncorrupted parties. We consider two security notions: private-outputs local leakage resilience and public-outputs local leakage resilience. In the private-outputs case, the adversary learns neither the local outputs $\hat{y}^{(j)}$ of non-corrupted parties nor the output $\mathbf{y} = \Pi(\mathbf{x})$. This models the setting where a client wants to delegate some computation $f(\mathbf{x})$ to some leaky parties: the client secret-shares $\mathbf{x}$ into $\hat{\mathbf{x}}$, sends each share $\hat{x}^{(j)}$ to party $j$, the parties run the protocol $\Pi$, and each party $j$ sends back its output share $\hat{y}^{(j)}$ to the client. In the public-outputs case, the adversary learns all the local outputs $\hat{\mathbf{y}}$ of all the parties (and in particular learns the output $\mathbf{y} = O(\hat{\mathbf{y}}) = \Pi(\mathbf{x})$). This models a setting where, at the end of the computation, the parties broadcast their local outputs $\hat{y}^{(j)}$ to jointly reconstruct the output $\mathbf{y}$.

Definition 2.5.2 (Private-Outputs Local Leakage Resilient Protocol). We say that $\Pi$ is $(\Theta, m, \varepsilon)$-private-outputs local leakage resilient for $f$ (or $(\Theta, m, \varepsilon)$-priv-LL-resilient for short) if $\Pi$ correctly computes $f$ and the following security requirement holds. For any family of local leakage functions $\tau = (\tau^{(1)}, \tau^{(2)}, \ldots, \tau^{(n)})$, where $\tau^{(j)}$ is a function that outputs $m$ bits, there exists a simulator $\mathsf{LeakSim}_{\Theta, \tau}$ such that, for any input $\mathbf{x}$, we have

$$\mathrm{SD}\big(\mathsf{Leak}_{\Theta, \tau}(\mathrm{view}(\mathbf{x})),\ \mathsf{LeakSim}_{\Theta, \tau}()\big) \le \varepsilon.$$

We say that $\Pi$ is $(\theta, m, \varepsilon)$-priv-LL-resilient if $\Pi$ is $(\Theta, m, \varepsilon)$-priv-LL-resilient for all subsets $\Theta \subseteq [n]$ of size at most $\theta$.

We recall that $\mathsf{Leak}$ is defined in Eq. (2.4) on page 36.

Definition 2.5.3 (Public-Outputs Local Leakage Resilient Protocol). We say that $\Pi$ is $(\Theta, m, \varepsilon)$-public-outputs local leakage resilient for $f$ (or $(\Theta, m, \varepsilon)$-pub-LL-resilient for short) if $\Pi$ correctly computes $f$ and the following security requirement holds. For any family of local leakage functions $\tau = (\tau^{(1)}, \tau^{(2)}, \ldots, \tau^{(n)})$, where $\tau^{(j)}$ is a function that outputs $m$ bits, there exists a simulator $\mathsf{LeakSim}_{\Theta, \tau}$ such that, for any input $\mathbf{x}$, we have

$$\mathrm{SD}\big((\mathrm{out}(\mathbf{x}),\ \mathsf{Leak}_{\Theta, \tau}(\mathrm{view}(\mathbf{x}))),\ \mathsf{LeakSim}_{\Theta, \tau}(f(\mathbf{x}))\big) \le \varepsilon.$$

We say that $\Pi$ is $(\theta, m, \varepsilon)$-pub-LL-resilient if $\Pi$ is $(\Theta, m, \varepsilon)$-pub-LL-resilient for all subsets $\Theta \subseteq [n]$ of size at most $\theta$.

Both definitions model a protocol executed in the presence of a real-world adversary $\mathcal{A}$ that may corrupt a subset $\Theta$ of the parties. The adversary learns the entire view of the corrupted parties (and in the second case, also the output of all parties). As we consider semi-honest corruptions, the adversary can only observe their views but does not modify the messages they send. The adversary also leaks $m$ bits independently from each party. Note that the classical notion of security against semi-honest adversaries corrupting at most $\theta$ parties is equivalent to $(\theta, 0, \varepsilon)$-priv-LL-resilience.

2.5.2 GMW with Shared Product Preprocessing

Notation. Let $f$ be a function computed by a given circuit $C$. Let $G$ be the set of all gates in $C$ and $G_\times$ the set of multiplication gates in $C$. For any input $\mathbf{x}$, let $z_g$ denote the value at gate $g \in G$ in the circuit $C$ when the input is $\mathbf{x}$. In Fig. 2-3, we describe a variant of the GMW [GMW87] protocol, based on the ideas of Beaver triples [Bea91], that we call GMW with shared product preprocessing. The protocol works with any linear secret sharing. We show that if the underlying linear secret sharing is local leakage resilient, then the protocol is pub-LL-resilient and priv-LL-resilient. Let us first prove correctness.

Proposition 2.5.4 (Correctness). The protocol $\Pi$ in Fig. 2-3 on any input $\mathbf{x}$ correctly computes $f(\mathbf{x})$.

Proof. To prove correctness, we show that at every gate $g$, the parties maintain a linear secret sharing of the value $z_g$. This is easy to verify for the addition, $-1$ and input gates. We will only do the verification for the multiplication case. Consider any multiplication gate $g$ with input gates $g_1, g_2$. Assume that the parties have valid secret sharings $\mathbf{z}_{g_1}$ and $\mathbf{z}_{g_2}$ of the values $z_{g_1}$ and $z_{g_2}$ respectively. Pick any valid Beaver triple $(\mathbf{a}_g, \mathbf{b}_g, (\mathbf{ab})_g)$. We need to show that $\mathbf{z}_g$ as computed is a valid secret sharing of $z_g = z_{g_1} z_{g_2}$. We remark that:

$$\mathbf{z}_g = (z_{g_1} - a_g)(z_{g_2} - b_g)\cdot\mathbf{1} + (z_{g_1} - a_g)\cdot\mathbf{b}_g + \mathbf{a}_g\cdot(z_{g_2} - b_g) + (\mathbf{ab})_g.$$

GMW with Shared Product Preprocessing for computing $f$ with circuit $C$ on field $\mathbb{F}$

Parameters: $n$ the number of parties; $(\mathsf{Share}, \mathsf{Rec})$ a secret sharing scheme for $n$ parties; $\mathbf{1}$ an arbitrary sharing of $1$.

Input Encoder $I(\mathbf{x})$:
1. Sample $\hat{\mathbf{x}} \leftarrow \mathsf{Share}(\mathbf{x})$.
2. Output $\hat{\mathbf{x}}$.

Output Decoder $O(\hat{\mathbf{y}})$:
1. Output $\mathbf{y} = \mathsf{Rec}(\hat{\mathbf{y}})$.

Randomness $R(C)$:
1. For each multiplication gate $g$ in $C$,
   (a) Generate $a_g, b_g \leftarrow \mathbb{F}$.
   (b) Generate $\mathbf{a}_g \leftarrow \mathsf{Share}(a_g)$, $\mathbf{b}_g \leftarrow \mathsf{Share}(b_g)$, and $(\mathbf{ab})_g \leftarrow \mathsf{Share}(a_g \cdot b_g)$.
   (c) Append to $r^{(j)}$ the tuple $(a_g^{(j)}, b_g^{(j)}, (ab)_g^{(j)})$.
2. Output $\mathbf{r} = (r^{(1)}, \ldots, r^{(n)})$.

Protocol run by Party $j$ (defining $M^{(j)}$):
1. Set $\mathrm{state}^{(j)} = (n, C, \hat{x}^{(j)})$.
2. Iterate over the gates in $C$ in a fixed topological order, such that for every gate its input gates are visited before the gate, and run the subprotocol "Process Gate" below.
3. Output $z_{g_{\mathrm{out}}}^{(j)}$: the share of the output gate $g_{\mathrm{out}}$.

Process Gate $g$:
1. If gate $g$ is (a) an input gate with input $x_i$, or (b) a $(-1)$ gate with input from gate $g'$, or (c) a $+$ gate with inputs $g_1, g_2$, then set $z_g^{(j)}$ as follows:

$$z_g^{(j)} = \begin{cases} \hat{x}_i^{(j)} & \text{if } g \text{ is an input gate} \\ -z_{g'}^{(j)} & \text{if } g \text{ is a } -1 \text{ gate} \\ z_{g_1}^{(j)} + z_{g_2}^{(j)} & \text{if } g \text{ is a } + \text{ gate} \end{cases}$$

   and append $z_g^{(j)}$ to the list $\mathrm{state}^{(j)}$.
2. If $g$ is a $\times$ gate with input gates $g_1$ and $g_2$, then do the following:
   (a) Compute $a'^{(j)}_g = z_{g_1}^{(j)} - a_g^{(j)}$ and $b'^{(j)}_g = z_{g_2}^{(j)} - b_g^{(j)}$ and broadcast these values.
   (b) Receive the corresponding values from the other parties.
   (c) Compute $z_{g_1} - a_g$ and $z_{g_2} - b_g$ from all the values received, using the reconstruction algorithm $\mathsf{Rec}$.
   (d) Compute $z_g^{(j)} = (z_{g_1} - a_g)\cdot(z_{g_2} - b_g)\cdot\mathbf{1}^{(j)} + (z_{g_1} - a_g)\cdot b_g^{(j)} + a_g^{(j)}\cdot(z_{g_2} - b_g) + (ab)_g^{(j)}$, where $\mathbf{1}^{(j)}$ is the $j$-th share of an arbitrary sharing $\mathbf{1}$ of $1$.
   (e) Append $z_g^{(j)}$ and the received values $(\mathbf{a}'_g, \mathbf{b}'_g)$ to $\mathrm{state}^{(j)}$.

Figure 2-3: GMW Protocol with Shared Product Preprocessing

By linearity, $\mathbf{z}_g$ is a secret sharing of:

$$(z_{g_1} - a_g)(z_{g_2} - b_g)\cdot 1 + (z_{g_1} - a_g)\cdot b_g + a_g\cdot(z_{g_2} - b_g) + a_g b_g = z_{g_1} z_{g_2}. \tag{2.9}$$

This concludes the proof. □
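The protocol of Fig. 2-3 and the correctness argument above, as an added example that is not the thesis's own code: a Python simulation of GMW with shared product preprocessing instantiated with $n$-out-of-$n$ additive sharing over a constructed prime field ($p = 101$), run on a constructed three-input circuit and checked gate by gate against plaintext evaluation; the gate-list encoding and the helper names are this example's assumptions.

```python
"""GMW with shared product preprocessing (Fig. 2-3), instantiated with additive sharing.

Added example, not the thesis's own code. Assumes n-out-of-n additive sharing as
(Share, Rec), a prime field F_p with constructed p = 101, and circuits over the
basis {+, x, -1} given as a list of gates in topological order.
"""
import random

P = 101  # constructed prime modulus


def share(v, n, rng):
    """Share(v): n uniformly random field elements that sum to v (additive sharing)."""
    shares = [rng.randrange(P) for _ in range(n - 1)]
    shares.append((v - sum(shares)) % P)
    return shares


def rec(shares):
    """Rec: reconstruct an additively shared value."""
    return sum(shares) % P


def preprocess(circuit, n, rng):
    """Randomness R(C): for every x gate g, a shared Beaver triple (a_g, b_g, (ab)_g).

    Returns r[j] = {g: (a_g^(j), b_g^(j), (ab)_g^(j))}, party j's correlated randomness."""
    r = [{} for _ in range(n)]
    for g, gate in enumerate(circuit):
        if gate[0] == "mul":
            a, b = rng.randrange(P), rng.randrange(P)
            sa, sb, sab = share(a, n, rng), share(b, n, rng), share(a * b % P, n, rng)
            for j in range(n):
                r[j][g] = (sa[j], sb[j], sab[j])
    return r


def run_protocol(circuit, x, n, rng):
    """Run I, then every party's next-message function M^(j) gate by gate, then O.

    Returns (y, z) where y = Rec of the output-gate shares and z[j][g] is party j's
    share z_g^(j) of the value at gate g (Fig. 2-3)."""
    x_hat = [share(xi, n, rng) for xi in x]   # Input encoder I(x): one sharing per input
    one = share(1, n, rng)                    # an arbitrary sharing of 1
    r = preprocess(circuit, n, rng)
    z = [{} for _ in range(n)]
    for g, (kind, *ins) in enumerate(circuit):
        if kind == "input":
            for j in range(n):
                z[j][g] = x_hat[ins[0]][j]
        elif kind == "neg":
            for j in range(n):
                z[j][g] = (-z[j][ins[0]]) % P
        elif kind == "add":
            for j in range(n):
                z[j][g] = (z[j][ins[0]] + z[j][ins[1]]) % P
        elif kind == "mul":
            g1, g2 = ins
            # (a)/(b): every party broadcasts z_{g1}^(j) - a_g^(j) and z_{g2}^(j) - b_g^(j)
            bcast_a = [(z[j][g1] - r[j][g][0]) % P for j in range(n)]
            bcast_b = [(z[j][g2] - r[j][g][1]) % P for j in range(n)]
            # (c): reconstruct the masked values z_{g1} - a_g and z_{g2} - b_g
            da, db = rec(bcast_a), rec(bcast_b)
            # (d): local linear combination of step 2(d); by Eq. (2.9) it shares z_{g1} z_{g2}
            for j in range(n):
                a_j, b_j, ab_j = r[j][g]
                z[j][g] = (da * db * one[j] + da * b_j + a_j * db + ab_j) % P
        else:
            raise ValueError(f"unknown gate kind {kind}")
    g_out = len(circuit) - 1
    return rec([z[j][g_out] for j in range(n)]), z   # Output decoder O(y_hat) = Rec(y_hat)


def evaluate_plain(circuit, x):
    """Plaintext evaluation of the same circuit, the reference for correctness."""
    vals = []
    for kind, *ins in circuit:
        if kind == "input":
            vals.append(x[ins[0]] % P)
        elif kind == "neg":
            vals.append((-vals[ins[0]]) % P)
        elif kind == "add":
            vals.append((vals[ins[0]] + vals[ins[1]]) % P)
        else:
            vals.append((vals[ins[0]] * vals[ins[1]]) % P)
    return vals[-1]


# Constructed circuit for f(x0, x1, x2) = (x0 + x1) * (-x2) * x0; operands refer to earlier gates.
CIRCUIT = [("input", 0), ("input", 1), ("input", 2),
           ("add", 0, 1), ("neg", 2), ("mul", 3, 4), ("mul", 5, 0)]


def protocol_output(x, n=3, seed=0):
    """Decoded protocol output for input x with n parties and a seeded RNG."""
    return run_protocol(CIRCUIT, x, n, random.Random(seed))[0]


def shares_per_gate_are_sharings(x, n=3, seed=0):
    """Proposition 2.5.4: after the run, the parties' shares of every gate g reconstruct z_g."""
    _, z = run_protocol(CIRCUIT, x, n, random.Random(seed))
    return all(rec([z[j][g] for j in range(n)]) == evaluate_plain(CIRCUIT[: g + 1], x)
               for g in range(len(CIRCUIT)))


if __name__ == "__main__":
    print(protocol_output([3, 5, 7]), evaluate_plain(CIRCUIT, [3, 5, 7]))
```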

We have the following security theorems.

Theorem 2.5.5. If the linear secret sharing scheme $(\mathsf{Share}, \mathsf{Rec})$ is $(\Theta, m, \varepsilon)$-LL-resilient, then the protocol $\Pi$ in Fig. 2-3 is $(\Theta, m, \varepsilon)$-priv-LL-resilient.

Theorem 2.5.6. If the linear secret sharing scheme $(\mathsf{Share}, \mathsf{Rec})$ is $(\Theta, m, \varepsilon)$-LL-resilient, then the protocol $\Pi$ in Fig. 2-3 is $(\Theta, m, \varepsilon)$-pub-LL-resilient.

Since an $(n, t)$-secret sharing scheme is $(t, 0, 0)$-LL-resilient, when instantiated with an $(n, t)$-secret sharing scheme the protocol is $(t, 0, 0)$-priv-LL-resilient and thus secure against a semi-honest adversary corrupting up to $t$ parties. Before we prove Theorems 2.5.5 and 2.5.6, let us state the following lemma.

Lemma 2.5.7 (Parallel Composition of LL-Resilience). If $(\mathsf{Share}, \mathsf{Rec})$ is a $(\Theta, m, \varepsilon)$-LL-resilient linear secret sharing scheme, then for any leakage function family $\tau = (\tau^{(1)}, \tau^{(2)}, \ldots, \tau^{(n)})$, where $\tau^{(j)}$ has an $m$-bit output, and for any $\mathbf{y}, \mathbf{y}' \in \mathbb{F}^k$,

$$\mathrm{SD}\Big(\big\{\mathsf{Leak}_{\Theta, \tau}(\hat{\mathbf{y}}) : \hat{\mathbf{y}} \leftarrow \mathsf{Share}(\mathbf{y})\big\},\ \big\{\mathsf{Leak}_{\Theta, \tau}(\hat{\mathbf{y}}') : \hat{\mathbf{y}}' \leftarrow \mathsf{Share}(\mathbf{y}')\big\}\Big) \le \varepsilon.$$

Note that the bound on the statistical distance does not degrade with the size $k$ of the vectors.

Note that this lemma allows us to avoid using a union bound in our theorems, and hence avoid losing a factor of the number of multiplication gates.

Proof. This proof is a reduction showing that if local leakage can distinguish between $\mathbf{y}$ and $\mathbf{y}'$, then we can use this to also break the local leakage resilience of the underlying linear secret sharing scheme and distinguish between any two secrets $s \ne s'$. The proof follows from the observation that, given shared randomness, the parties can locally, without interaction, convert shares of $s$ and $s'$ to random shares of the vectors $\mathbf{y}$ and $\mathbf{y}'$ respectively. This holds for any linear secret sharing scheme. For contradiction, assume that there exist $\mathbf{y}, \mathbf{y}'$ and $m$-bit leakage functions $\tau$ such that

$$\mathrm{SD}\big(\mathsf{Leak}_{\Theta, \tau}(\hat{\mathbf{y}}),\ \mathsf{Leak}_{\Theta, \tau}(\hat{\mathbf{y}}')\big) > \varepsilon.$$

Consider any two secrets $s \ne s' \in \mathbb{F}$. We will show that the scheme $(\mathsf{Share}, \mathsf{Rec})$ is not local leakage resilient for these two secrets.

As $s \ne s'$, for every $i$ there exist constants $\lambda_{i,1}, \lambda_{i,0} \in \mathbb{F}$ such that $\lambda_{i,1}\cdot s + \lambda_{i,0} = y_i$ and $\lambda_{i,1}\cdot s' + \lambda_{i,0} = y'_i$. So, to do a local share conversion, the parties, given a sharing $\hat{\mathbf{x}}$ of either $s$ or $s'$, do the following: set $\hat{\mathbf{y}}_i = \lambda_{i,1}\cdot\hat{\mathbf{x}} + \hat{\boldsymbol\lambda}_{i,0}$, where $\hat{\boldsymbol\lambda}_{i,0} \leftarrow \mathsf{Share}(\lambda_{i,0})$ is generated using the shared randomness. That is, party $j$ locally computes the share $\hat{y}_i^{(j)} = \lambda_{i,1}\hat{x}^{(j)} + \hat{\lambda}_{i,0}^{(j)}$, where $\hat{x}^{(j)}$ is the input share given to party $j$ and $\hat{\lambda}_{i,0}^{(j)}$ is the share of $\lambda_{i,0}$ generated using the common randomness. Because of the linearity of the secret sharing scheme, the distribution $\hat{\mathbf{y}}$ locally generated by the parties is identical to the distribution of fresh shares $\hat{\mathbf{y}} \leftarrow \mathsf{Share}(\mathbf{y})$ if the input $\hat{\mathbf{x}}$ was a sharing of $s$, and identical to $\hat{\mathbf{y}}' \leftarrow \mathsf{Share}(\mathbf{y}')$ if the underlying secret encoded was $s'$. So this reduction gives a local leakage attack that distinguishes between the shares of $s$ and $s'$, hence a contradiction. □

2.5.3 Proof of Private-Outputs Local Leakage Resilience (Theorem 2.5.5)

To prove the private-outputs local leakage resilience (Theorem 2.5.5), we first start with a lemma that characterizes what information the parties see, both individually and jointly. Informally, we show that, when the protocol evaluates the circuit $C$ on input $\mathbf{x}$, the view of each party (or any subset of parties) can be simulated given a set of common random values and the party's share in a sharing of each output of a multiplication gate. Then, the leakage resilience of the secret sharing scheme allows us to replace the secret sharings used by the simulator by secret sharings of any arbitrary value.

Lemma 2.5.8. There exists a simulator $S$ such that for every input $\mathbf{x}$, the following two distributions are identical:

$$\Big\{\big(\mathsf{view}^{(j)}(\mathbf{x})\big)_{j\in[n]} \;:\; \vec x \leftarrow \mathsf{Share}(\mathbf{x})\Big\}$$

and

$$\left\{\Big(S\big(j,\ \vec x^{(j)},\ (\vec z_g^{(j)})_{g\in G_\times},\ \vec a',\ \vec b'\big)\Big)_{j\in[n]} \;:\; \begin{array}{l} \vec x \leftarrow \mathsf{Share}(\mathbf{x}),\ (\vec z_g \leftarrow \mathsf{Share}(z_g))_{g\in G_\times},\ (a'_g, b'_g \leftarrow \mathbb{F})_{g\in G_\times}, \\ (\vec a'_g \leftarrow \mathsf{Share}(a'_g))_{g\in G_\times},\ (\vec b'_g \leftarrow \mathsf{Share}(b'_g))_{g\in G_\times} \end{array}\right\}$$

Assuming Lemma 2.5.8, the proof of Theorem 2.5.5 (private-outputs LL-resilience of $\Pi$) is immediate.

Proof of Theorem 2.5.5. Correctness comes from Proposition 2.5.4, while LL-resilience follows directly by combining Lemma 2.5.8 with Lemma 2.5.7: the simulator $\mathsf{LeakSim}()$ samples secret sharings $\vec x \leftarrow \mathsf{Share}(\vec 0)$ and $(\vec z_g \leftarrow \mathsf{Share}(0))_{g\in G_\times}$, as well as $(\vec a'_g, \vec b'_g \leftarrow \mathsf{Share}(a'_g, b'_g))_{g\in G_\times}$ (with $a'_g, b'_g \leftarrow \mathbb{F}$), and returns

$$\mathsf{Leak}_{\theta,\tau}\Big(\big(S(j,\ \vec x^{(j)},\ (\vec z_g^{(j)})_{g\in G_\times},\ \vec a',\ \vec b')\big)_{j\in[n]}\Big). \qquad \square$$

Proof of Lemma 2.5.8. We describe the simulator and show perfect simulation. Each party's view is described by the internal state $\mathsf{state}$ and the messages received. Roughly speaking, for a multiplication gate $g$ with inputs $g_1$ and $g_2$, the common vectors $\vec a'$ and $\vec b'$ correspond to the values $z_{g_1} - a_g$ and $z_{g_2} - b_g$ that are publicly broadcast. Given these values and the party's shares of $z_{g_1}$ and $z_{g_2}$, the simulator can construct the Beaver triple via a simple computation. The simulator proceeds gate by gate, reconstructing the views of each party. We describe the simulator in Fig. 2-4. We now have to show that the simulator perfectly simulates the view of all $n$ parties in the protocol $\Pi$. We will show that for every possible communication $(\vec a'_g, \vec b'_g)_{g\in G_\times}$ and wire-label sharing obtained in the protocol, there exists a unique set of valid Beaver triples that give rise to this communication and state pattern, and vice versa. This proof proceeds by induction. Let $\mathsf{state} = (\mathsf{state}^{(j)})_{j\in[n]}$ be the joint distribution of the states of the parties in the protocol. As the base case, observe that before any gate is processed, the state in both the simulator and the actual parties is identical. For each party, it consists of the description of the circuit and the secret shares of the input.

Simulator $S\big(j,\ \vec x^{(j)},\ (\vec z_g^{(j)})_{g\in G_\times},\ \vec a',\ \vec b'\big)$

1. Set $\mathsf{state}^{(j)} = (n, C, \vec x^{(j)})$.

2. Iterate over the gates of $C$ in the same order as the protocol. On each gate, do the following:

(a) If gate $g$ is (a) an input gate with input $x_i$, or (b) a $(-1)$ gate with input from gate $g'$, or (c) a $+$ gate with inputs $g_1, g_2$, then set $\vec z_g^{(j)}$ as follows:

$$\vec z_g^{(j)} = \begin{cases} \vec x_i^{(j)} & \text{if } g \text{ is an input gate} \\ -\vec z_{g'}^{(j)} & \text{if } g \text{ is a } (-1) \text{ gate} \\ \vec z_{g_1}^{(j)} + \vec z_{g_2}^{(j)} & \text{if } g \text{ is a } + \text{ gate} \end{cases}$$

(b) If $g$ is a $\times$ gate, with input gates $g_1$ and $g_2$, then do the following:

i. Set the broadcast message to be $(\vec a'^{(j)}_g, \vec b'^{(j)}_g)$.

ii. Set the received messages to be $(\vec a'^{(j')}_g, \vec b'^{(j')}_g)_{j' \in [n]}$.

iii. Set the Beaver triple as: $\vec a_g^{(j)} = \vec z_{g_1}^{(j)} - \vec a'^{(j)}_g$, $\vec b_g^{(j)} = \vec z_{g_2}^{(j)} - \vec b'^{(j)}_g$, and

$$(\vec{ab})_g^{(j)} = \vec z_g^{(j)} - \Big(\sum_{j'} \vec a'^{(j')}_g\Big)\Big(\sum_{j'} \vec b'^{(j')}_g\Big)\cdot \vec 1^{(j)} - \Big(\sum_{j'} \vec a'^{(j')}_g\Big)\cdot \vec b_g^{(j)} - \vec a_g^{(j)} \cdot \Big(\sum_{j'} \vec b'^{(j')}_g\Big).$$

Figure 2-4: Simulator for Lemma 2.5.8

Inductive Step. In the induction step, let us observe the joint state $\mathsf{state}$ after one more gate is processed. We naturally have two cases: if the gate is not a multiplication gate and if the gate is a multiplication gate.

Case 1. Not a Multiplication Gate. In this case, there is no interaction and each party simply appends the value $\vec z_g^{(j)}$ to its state. As this process is deterministic and both the protocol and the simulator use identical procedures to generate the value, if the distribution of $\mathsf{state}$ was identical before processing this gate, it stays identical afterwards.

Case 2. Multiplication Gate. In this case, the simulator is processing a multiplication gate $g$ with inputs $g_1$ and $g_2$. We need to show that the input shares, the communication, the Beaver triple and the output share are consistently distributed in the actual protocol and the simulation. We remark that in the real world, we have:

$$\vec a'_g = \vec z_{g_1} - \vec a_g, \qquad \vec b'_g = \vec z_{g_2} - \vec b_g, \qquad \vec z_g = a'_g b'_g \cdot \vec 1 + a'_g \cdot \vec b_g + \vec a_g \cdot b'_g + (\vec{ab})_g,$$

where $\vec a_g$, $\vec b_g$, and $(\vec{ab})_g$ are independent secret sharings of the values $a_g$, $b_g$, $a_g b_g$. Thus, by the linearity property of the secret sharing, $\vec a'_g$, $\vec b'_g$, and $\vec z_g$ are independent secret sharings of the values $a'_g = z_{g_1} - a_g$, $b'_g = z_{g_2} - b_g$, and $z_g = z_{g_1} z_{g_2}$ (see Eq. (2.9) for this latter value). Furthermore, as $a_g$ and $b_g$ are independently and uniformly random, so are $a'_g$ and $b'_g$. We conclude by remarking that the simulation sets:

$$\vec a_g = \vec z_{g_1} - \vec a'_g, \qquad \vec b_g = \vec z_{g_2} - \vec b'_g, \qquad (\vec{ab})_g = -a'_g b'_g \cdot \vec 1 - a'_g \cdot \vec b_g - \vec a_g \cdot b'_g + \vec z_g,$$

and these three equations are equivalent to the ones above for the real world.
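The multiplication gate of Fig. 2-3 and the triple-recovery step of the simulator in Fig. 2-4, as an added Python example constructed for this page (not code from the thesis). It assumes $n$-party additive sharing over $\mathbb{F}_p$ and a fixed sharing of the constant 1 in which party 1 holds 1; all function names are the example's own.

```python
"""GMW multiplication gate with a Beaver triple (Fig. 2-3) over n-party additive
sharing, and the triple recovery of the simulator in Fig. 2-4 (constructed example)."""
import random


def share(p, n, v, rng):
    """Additive sharing AddSh_p(v): n uniformly random shares summing to v mod p."""
    s = [rng.randrange(p) for _ in range(n - 1)]
    s.append((v - sum(s)) % p)
    return s


def rec(p, shares):
    """Reconstruct an additive sharing."""
    return sum(shares) % p


def const_share(p, n, c):
    """Fixed sharing of the public constant c used for the '1' in Eq. (2.9):
    party 1 holds c, everyone else holds 0 (an assumption of this example)."""
    return [c % p] + [0] * (n - 1)


def beaver_mult(p, z1, z2, a, b, ab):
    """One x gate.  z1, z2 are the parties' shares of the input wires; (a, b, ab)
    are their shares of a preprocessed triple with ab = a*b.  Returns each party's
    broadcast shares, the opened values a' = z1 - a and b' = z2 - b, and the output shares."""
    n = len(z1)
    a_bc = [(z1[j] - a[j]) % p for j in range(n)]   # party j broadcasts z1^(j) - a^(j)
    b_bc = [(z2[j] - b[j]) % p for j in range(n)]   # and z2^(j) - b^(j)
    a_open, b_open = rec(p, a_bc), rec(p, b_bc)     # everyone learns a', b'
    one = const_share(p, n, 1)
    # Eq. (2.9) evaluated share-wise: z = a'b'.1 + a'.b + a.b' + ab
    z = [(a_open * b_open * one[j] + a_open * b[j] + a[j] * b_open + ab[j]) % p
         for j in range(n)]
    return a_bc, b_bc, a_open, b_open, z


def simulate_triple(p, n, j, z1_j, z2_j, z_j, a_bc_j, b_bc_j, a_open, b_open):
    """Step 2(b)iii of the simulator in Fig. 2-4: from party j's shares of z1, z2, z,
    its own broadcast shares and the opened a', b', recover the unique triple shares
    consistent with that view."""
    one = const_share(p, n, 1)
    a_j = (z1_j - a_bc_j) % p
    b_j = (z2_j - b_bc_j) % p
    ab_j = (z_j - a_open * b_open * one[j] - a_open * b_j - a_j * b_open) % p
    return a_j, b_j, ab_j


def run_gate(p, n, x, y, seed=0):
    """Run the gate on inputs x, y with a random triple; return the reconstructed
    output and whether the simulator recovers every party's real triple shares."""
    rng = random.Random(seed)
    a_val, b_val = rng.randrange(p), rng.randrange(p)
    a, b = share(p, n, a_val, rng), share(p, n, b_val, rng)
    ab = share(p, n, a_val * b_val, rng)
    z1, z2 = share(p, n, x, rng), share(p, n, y, rng)
    a_bc, b_bc, a_open, b_open, z = beaver_mult(p, z1, z2, a, b, ab)
    sim_ok = all(
        simulate_triple(p, n, j, z1[j], z2[j], z[j], a_bc[j], b_bc[j], a_open, b_open)
        == (a[j], b[j], ab[j])
        for j in range(n))
    return rec(p, z), sim_ok
```

The broadcast values are uniformly random one-time-padded copies of the inputs, so a party's view is fully determined by its own shares and the opened $a', b'$; this is the consistency the induction in the proof relies on.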

2.5.4 Proof of Public-Outputs Local Leakage Resilience (Theorem 2.5.6)

To prove the public-outputs local leakage resilience (Theorem 2.5.6), we extend Lemma 2.5.8 to take into account the output shares.

Lemma 2.5.9. There exists a simulator $S'$ such that for every input $\mathbf{x}$, the following two distributions are identical:

$$\Big\{\big(\mathsf{out}^{(j)}, \mathsf{view}^{(j)}(\mathbf{x})\big)_{j\in[n]} \;:\; \vec x \leftarrow \mathsf{Share}(\mathbf{x})\Big\}$$

and

$$\left\{\Big(\vec f^{(j)},\ S'\big(j,\ \vec f^{(j)},\ \vec x^{(j)},\ (\vec z_g^{(j)})_{g\in G_\times},\ \vec a',\ \vec b'\big)\Big)_{j\in[n]} \;:\; \begin{array}{l} \mathbf{y} = f(\mathbf{x});\ \vec f \leftarrow \mathsf{Share}(\mathbf{y});\ \vec x \leftarrow \mathsf{Share}(\mathbf{x}); \\ (\vec z_g \leftarrow \mathsf{Share}(z_g))_{g\in G_\times};\ (a'_g, b'_g \leftarrow \mathbb{F})_{g\in G_\times}; \\ (\vec a'_g \leftarrow \mathsf{Share}(a'_g))_{g\in G_\times};\ (\vec b'_g \leftarrow \mathsf{Share}(b'_g))_{g\in G_\times} \end{array}\right\}$$

Assuming Lemma 2.5.9, the proof of Theorem 2.5.6 (pub-LL-resilience of $\Pi$) is immediate.

Proof of Theorem 2.5.6. Correctness comes from Proposition 2.5.4, while LL-resilience follows directly by combining Lemma 2.5.9 with Lemma 2.5.7: the simulator $\mathsf{LeakSim}(\mathbf{y})$ samples secret sharings $\vec f \leftarrow \mathsf{Share}(\mathbf{y})$, $\vec x \leftarrow \mathsf{Share}(\vec 0)$, and $(\vec z_g \leftarrow \mathsf{Share}(0))_{g\in G_\times}$, as well as $(\vec a'_g, \vec b'_g \leftarrow \mathsf{Share}(a'_g, b'_g))_{g\in G_\times}$ (with $a'_g, b'_g \leftarrow \mathbb{F}$), and returns

$$\Big(\vec f,\ \mathsf{Leak}_{\theta,\tau}\Big(\big(S'(j,\ \vec f^{(j)},\ \vec x^{(j)},\ (\vec z_g^{(j)})_{g\in G_\times},\ \vec a',\ \vec b')\big)_{j\in[n]}\Big)\Big). \qquad \square$$

Proof of Lemma 2.5.9. We start by remarking that if each output $y_i$ is an output $z_{g_i}$ of a $\times$ gate $g_i$ (and all the outputs correspond to distinct gates), then the simulator $S'$ is straightforward: it just runs the simulator $S$ from Lemma 2.5.8 where $\vec z_{g_i}^{(j)}$ is replaced by $\vec f_i^{(j)}$ (and the inputs $\vec z_{g_i}^{(j)}$ are not used by $S'$), i.e.:

$$S'\big(j,\ \vec f^{(j)},\ \vec x^{(j)},\ (\vec z_g^{(j)})_{g\in G_\times},\ \vec a',\ \vec b'\big) = S\big(j,\ \vec x^{(j)},\ (\vec z_g'^{(j)})_{g\in G_\times},\ \vec a',\ \vec b'\big)$$

with $\vec z_g'^{(j)} = \vec f_i^{(j)}$ if $g = g_i$ for some $i$, and $\vec z_g'^{(j)} = \vec z_g^{(j)}$ otherwise. However, in general the outputs $y_i$ can be any linear combination of the inputs $x_i$ and the outputs $z_g$ of $\times$ gates ($g \in G_\times$). More formally, we can write $\mathbf{y} = \Phi(\mathbf{x}, (z_g)_{g\in G_\times})$ where $\Phi$ is a linear map. In a real execution of $\Pi$, we also have for all $j \in [n]$: $\vec f^{(j)} = \Phi(\vec x^{(j)}, (\vec z_g^{(j)})_{g\in G_\times})$. Using Gaussian elimination, we can show that there exist a subset $A \subseteq [n_{\mathrm{in}}]$, a subset $B \subseteq G_\times$, and a linear map $\Psi$ such that, for all $j \in [n]$:

$$\Big((\vec x_i^{(j)})_{i\in A},\ (\vec z_g^{(j)})_{g\in B}\Big) = \Psi\Big(\vec f^{(j)},\ (\vec x_i^{(j)})_{i\notin A},\ (\vec z_g^{(j)})_{g\notin B}\Big).$$

The simulator $S'$ is then defined as

$$S'\big(j,\ \vec f^{(j)},\ \vec x^{(j)},\ (\vec z_g^{(j)})_{g\in G_\times},\ \vec a',\ \vec b'\big) = S\big(j,\ \vec x'^{(j)},\ (\vec z_g'^{(j)})_{g\in G_\times},\ \vec a',\ \vec b'\big) \quad \text{with}$$

$$\Big((\vec x_i'^{(j)})_{i\in A},\ (\vec z_g'^{(j)})_{g\in B}\Big) = \Psi\Big(\vec f^{(j)},\ (\vec x_i^{(j)})_{i\notin A},\ (\vec z_g^{(j)})_{g\notin B}\Big), \qquad \vec x_i'^{(j)} = \vec x_i^{(j)} \text{ for } i \notin A, \qquad \vec z_g'^{(j)} = \vec z_g^{(j)} \text{ for } g \notin B.$$

This concludes the proof. (We remark that the simulator $S'$ does not use $\vec x_i^{(j)}$ for $i \in A$ nor $\vec z_g^{(j)}$ for $g \in B$, but instead derives these values from $\vec f^{(j)}$, $\vec x_i^{(j)}$ for $i \notin A$, and $\vec z_g^{(j)}$ for $g \notin B$.) $\square$

2.6 On the Impossibility of Local Share Conversion

We start by defining Local Share Conversion. This section has two differences in notation. First, as we will only be dealing with singleton secrets and not vectors, we will use the subscript notation to avoid clutter. That is, when we say $\vec s = (s_1, s_2, \dots, s_n)$ we mean that $s_i$ is held by party $i$. The second change is that because our results concern share conversion on schemes over $\mathbb{F}_p$ and $\mathbb{F}_2$, we will be careful about the ambient field of the secret sharing scheme and write it explicitly, e.g., $\mathsf{AddSh}_p$ instead of $\mathsf{AddSh}$ as earlier.

Definition 2.6.1 (Local Share Conversion, adapted from [BIKO12]). Let $\mathcal{L} = (\mathsf{Share}_{\mathcal{L}}, \mathsf{Rec}_{\mathcal{L}})$ and $\mathcal{L}' = (\mathsf{Share}_{\mathcal{L}'}, \mathsf{Rec}_{\mathcal{L}'})$ be two $n$-party secret sharing schemes over the domains of secrets $\mathbb{F}$ and $\mathbb{F}'$ respectively, and let $R \subseteq \mathbb{F} \times \mathbb{F}'$ be a relation such that for every secret $s \in \mathbb{F}$, there exists at least one secret $s' \in \mathbb{F}'$ such that $(s, s') \in R$. We say that $\mathcal{L}$ is locally convertible to $\mathcal{L}'$, with error probability $\varepsilon$, with respect to $R$ if there exist local conversion functions $g_1, g_2, \dots, g_n : \mathbb{F} \to \mathbb{F}'$ such that, for every $s \in \mathbb{F}$,

$$\Pr_{\vec s \leftarrow \mathsf{Share}_{\mathcal{L}}(s)}\Big[(g_1(s_1), g_2(s_2), \dots, g_n(s_n)) \in \mathsf{Share}_{\mathcal{L}'}(s') \text{ where } (s, s') \in R\Big] \ge 1 - \varepsilon,$$

where $\vec s = (s_1, s_2, \dots, s_n)$ is a random secret sharing of $s$ and $(g_1(s_1), g_2(s_2), \dots, g_n(s_n)) \in \mathsf{Share}_{\mathcal{L}'}(s')$ indicates that $(g_1(s_1), g_2(s_2), \dots, g_n(s_n))$ is a valid, not necessarily random, secret sharing of $s'$ under $\mathcal{L}'$.

Note that the definition given is weaker than the definition in [BIKO12] in the sense that we allow the share conversion scheme to be correct "only with high probability" and not "always correct." Because our results are impossibility results on local share conversion, ruling out the aforementioned definition only makes our results stronger. To state our impossibility results, we first define the notion of a non-trivial relation. Roughly speaking, a relation is trivial if, no matter what secret is shared, it would be acceptable for each party to output a fixed value. We focus on local share conversion problems where the players have to convert secret sharing schemes over $\mathbb{F}_p$ to schemes over $\mathbb{F}_2$.

Definition 2.6.2. A relation $R \subseteq \mathbb{F}_p \times \mathbb{F}_2$ is non-trivial if it satisfies the following:

1. Zero gets mapped to zero. That is, $(0, 0) \in R$ and $(0, 1) \notin R$.

2. Some non-zero element does not get mapped to zero. That is, there exists $a \in \mathbb{F}_p$ such that $(a, 0) \notin R$ and $(a, 1) \in R$.

Note that, in this definition, the requirement that 0 gets mapped to 0 is just for convenience. It would suffice to say that there exists an $a$ that has to be mapped to 0 and a $b$ that has to be mapped to 1. We begin by noting that non-trivial share-conversion schemes exist from $\mathbb{F}_{2^k}$ to $\mathbb{F}_2$ for $n$ parties for all $n \ge 2$, and from $\mathbb{F}_p$ to $\mathbb{F}_2$ for two parties.

Example 2.6.3 (Non-Trivial Two-Party Share Conversion). Consider a non-trivial relation $R$ where 0 and 1 have to be mapped to themselves and all other inputs can be arbitrarily mapped. Then the following scheme is a local share conversion from the additive secret sharing $\mathsf{AddSh}_p$ over $\mathbb{F}_p$ to the additive secret sharing $\mathsf{AddSh}_2$ over $\mathbb{F}_2$: $g_1(x)$ on input $x \in \mathbb{F}_p$ views $x$ as an integer between 0 and $p-1$ and outputs $x \bmod 2$. The function $g_2$ is defined as $g_2(x) = g_1(-x)$. This local share conversion scheme works because when sharing 0, the two shares are $x$ and $-x$. Hence the output would be the same. On the other hand, when sharing 1, the two shares are $x$ and $-(x+1)$. Hence, with high probability, the outputs will be different from each other.
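Example 2.6.3 carried out exactly, as an added example that is not part of the thesis: it enumerates every additive sharing of 0 and of 1 over $\mathbb{F}_p$ and computes the exact failure probability of the conversion $g_1(x) = x \bmod 2$, $g_2(x) = g_1(-x)$. Function names are the example's own; $p$ is assumed to be an odd prime.

```python
"""Two-party local share conversion of Example 2.6.3, AddSh_p over F_p to AddSh_2
over F_2, with its exact failure probability (constructed example)."""
from fractions import Fraction
from itertools import product


def additive_sharings(p, n, s):
    """All (s_1, ..., s_n) in F_p^n with sum s; AddSh_p(s) is uniform on them."""
    return [v for v in product(range(p), repeat=n) if sum(v) % p == s % p]


def g1(x, p):
    """Read the share x in F_p as an integer in {0, ..., p-1} and output its parity."""
    return (x % p) % 2


def g2(x, p):
    """The second party's function, g2(x) = g1(-x)."""
    return g1(-x, p)


def conversion_failure(p, s):
    """Pr over (s_1, s_2) <- AddSh_p(s) that g1(s_1) + g2(s_2) mod 2 is not the bit
    the relation prescribes: 0 for the secret 0 and 1 for the secret 1 (the other
    secrets are unconstrained by the relation of Example 2.6.3)."""
    if s not in (0, 1):
        raise ValueError("the relation only constrains the secrets 0 and 1")
    sharings = additive_sharings(p, 2, s)
    bad = sum(1 for s1, s2 in sharings if (g1(s1, p) + g2(s2, p)) % 2 != s)
    return Fraction(bad, len(sharings))


def failure_table(p):
    """Exact failure probabilities for the two constrained secrets over F_p."""
    return {s: conversion_failure(p, s) for s in (0, 1)}
```

Sharing 0 never fails, and for odd $p$ the only failing sharing of 1 is $(0, 1)$, so the error is exactly $1/p$.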

Local share-conversion schemes exist for a variety of non-trivial relations over $\mathbb{F}_{2^k}$ for additive secret sharing. This is enabled by the fact that $\mathbb{F}_{2^k}$ as an additive group has many subgroups.

Example 2.6.4 (Share Conversion over $\mathbb{F}_{2^k}$). Let $f : \mathbb{F}_{2^k} \to \mathbb{F}_2$ be an $\mathbb{F}_2$-linear function (looking at $\mathbb{F}_{2^k}$ as a vector space over $\mathbb{F}_2$), i.e., $f(x + y) = f(x) + f(y)$. Consider the relation $R$ where $a$ has to be mapped to $f(a)$ for every $a$. The following share conversion scheme exists for $R$: $g_i(x)$ outputs $f(x)$. As $f$ is linear, $\sum_i g_i(s_i) = \sum_i f(s_i) = f(s)$ where $\vec s$ is an additive secret sharing of $s$.

The example can also be generalized to Shamir's secret sharing over $\mathbb{F}_{2^k}$. We now state our results.

On Additive Secret Sharing. We show that any three-party additive secret sharing over $\mathbb{F}_p$ for any prime $p > 2$ is not locally convertible to an additive secret sharing over $\mathbb{F}_2$ for any non-trivial relation $R$.

Theorem 2.6.5. Let $n \ge 3$. For any non-trivial relation $R$ and for any local conversion scheme $g_1, g_2, \dots, g_n : \mathbb{F}_p \to \mathbb{F}_2$, there exists an element $s \in \mathbb{F}_p$ such that

$$\Pr_{\vec s \leftarrow \mathsf{AddSh}_p(s)}\Big[\Big(s, \sum_{i=1}^n g_i(s_i)\Big) \notin R\Big] \ge \frac{1}{6}.$$

As mentioned in the introduction, this result rules out a possible approach to constructing multiparty Homomorphic Secret Sharing schemes in the spirit of Boyle, Gilboa and Ishai [BGI16], where one first obtains a multiplicative secret sharing of a bit $b$ over a DDH group $G$, that is, $g^b = g^x \cdot g^y$ where the parties hold $x$ and $y$ respectively, and then converts the shares locally to additive shares of $b$ over $\mathbb{Z}$. The generalized approach to constructing 3-party HSS schemes would also first construct a similar multiplicative sharing of the bit $b$ but among 3 parties, and then transform it to additive shares. The proof for this impossibility result is reminiscent of the Fourier analysis proofs of the Blum-Luby-Rubinfeld linearity test [BLR93, BCLR08].

On Shamir's Secret Sharing. We can show a similar impossibility result for share conversion from Shamir's secret sharing to additive secret sharing as well.

Theorem 2.6.6. Let $n \ge 3$. The $(n, t)$-Shamir's secret sharing scheme, for $(n+3)/2 \le t \le n$, over $\mathbb{F}_p$ is not locally convertible to an additive secret sharing over $\mathbb{F}_2$ for any non-trivial relation $R$. That is, for any non-trivial relation $R$ and local conversion scheme $g_1, g_2, \dots, g_n : \mathbb{F}_p \to \mathbb{F}_2$, there exists $s \in \mathbb{F}_p$ such that

$$\Pr_{\vec s \leftarrow \mathsf{ShaSh}_p(s)}\Big[\Big(s, \sum_{i=1}^n g_i(s_i)\Big) \notin R\Big] \ge \frac{1}{\max(6, n+1)}.$$

The key technique in this proof is derived from the breakthrough work of Green and Tao [GT10], which uses Gowers' Uniformity Norm to bound the success probability of the share conversion scheme.

Outline. To prove both theorems, we first describe some Fourier analysis properties in Section 2.6.1 and then prove Theorems 2.6.5 and 2.6.6 in Sections 2.6.2 and 2.6.3 respectively.

2.6.1 More Fourier Analysis

In the next lemma, we show that any function $F$ from $\mathbb{F}_p$ to $\{-1, 1\}$ cannot be too correlated with any non-zero character. The implication of this lemma is an 'inverse theorem': if the bias of a function $F$ is greater than $2/3$, then $F$ is highly correlated with the trivial character $\chi_0$ which is always 1.

Lemma 2.6.7. Let $F : \mathbb{F}_p \to \{-1, 1\}$ for prime $p > 2$ be a function. Then,

$$|\hat F(a)| \le \frac{1}{p \sin(\pi/(2p))} \quad \text{for all } a \neq 0.$$

This proof relies on the fact that the function $F$ only takes values in $\{-1, 1\}$ while every non-zero character of $\mathbb{F}_p$ takes all the values in the set $\{1, \omega, \omega^2, \dots, \omega^{p-1}\}$. (Recall that $\omega = \exp(2\pi i/p)$ is a primitive $p$-th root of unity.) Hence the character and the function $F$ cannot be too correlated.

Proof. This proof uses Lemma 2.3.11. Let $\gamma = e^{i\pi/p}$. Then $\gamma^p = -1$ and $\gamma^2 = \omega$. Also, $F(x)\cdot\omega^{ax} \in \{\gamma^{2ax}, \gamma^{2ax+p}\}$. So, we can bound the Fourier coefficient $\hat F(a)$ as follows:

$$|\hat F(a)| = \Big|\mathop{\mathbb{E}}_{x}\big[F(x)\cdot\omega^{ax}\big]\Big| \le \max_{r \in \{0,1\}^p} \frac{1}{p}\Big|\sum_{x} \gamma^{2ax + p\, r_x}\Big| \le \max_{\substack{A \subseteq \{0, 1, \dots, 2p-1\} \\ |A| = p}} \frac{1}{p}\Big|\sum_{e \in A} \gamma^{e}\Big|,$$

where the first inequality follows from the fact that $F(x)\omega^{ax} \in \{\gamma^{2ax}, \gamma^{2ax+p}\}$ and the second inequality follows from the fact that if $x \not\equiv x' \pmod p$ then the two sets $\{\gamma^{2ax}, \gamma^{2ax+p}\}$ and $\{\gamma^{2ax'}, \gamma^{2ax'+p}\}$ are disjoint and hence no value repeats in the sum. Lemma 2.3.11 implies that this value is bounded by $\frac{1}{p}\cdot\frac{\sin(p\pi/(2p))}{\sin(\pi/(2p))} = \frac{1}{p \sin(\pi/(2p))}$. This value is monotonically decreasing and is $2/3$ for $p = 3$. $\square$

Lemma 2.6.8. Let $F : \mathbb{F}_p \to \{-1, 1\}$ be a function. If $|\hat F(0)| \ge 1 - \varepsilon$, then for every $a \in \mathbb{F}_p$,

$$\Pr_x[F(x) = F(x + a)] \ge 1 - \varepsilon.$$

A balanced function has $\hat F(0) = 0$. When this quantity is large, the function has to be very unbalanced and nearly constant. The lemma quantifies this.

Proof. Assume that $\hat F(0) \ge 1 - \varepsilon$. The other case is analogous. We use the relationship between $\hat F(0)$ and the expectation to prove the lemma:

$$1 - \varepsilon \le \hat F(0) = \mathop{\mathbb{E}}_x[F(x)] = \Pr_x[F(x) = 1] - \Pr_x[F(x) = -1] = \Pr_x[F(x) = 1] - \big(1 - \Pr_x[F(x) = 1]\big),$$

where the first equality follows from the definition of $\hat F(0)$. Hence, it holds that $\Pr_x[F(x) = 1] \ge 1 - \varepsilon/2$. Next, we use the union bound to prove the lemma:

$$\Pr_x[F(x) = F(x + a)] \ge \Pr_x[F(x) = 1 \wedge F(x + a) = 1] \ge \Pr_x[F(x) = 1] - \Pr_x[F(x + a) \neq 1] \ge 1 - \frac{\varepsilon}{2} - \frac{\varepsilon}{2} = 1 - \varepsilon,$$

as $\Pr_x[F(x + a) \neq 1] = \Pr_x[F(x) \neq 1]$. $\square$

2.6.2 On Additive Secret Sharing: Proof of Theorem 2.6.5

In this section, we prove Theorem 2.6.5. We first recall it below.

Theorem 2.6.5. Let $n \ge 3$. For any non-trivial relation $R$ and for any local conversion scheme $g_1, g_2, \dots, g_n : \mathbb{F}_p \to \mathbb{F}_2$, there exists an element $s \in \mathbb{F}_p$ such that

$$\Pr_{\vec s \leftarrow \mathsf{AddSh}_p(s)}\Big[\Big(s, \sum_{i=1}^n g_i(s_i)\Big) \notin R\Big] \ge \frac{1}{6}.$$

The main ingredient of this proof is the following 'inverse theorem' style lemma, which says that if the $\{g_i\}$ functions locally convert additive shares of 0 over $\mathbb{F}_p$ into additive shares of 0 over $\mathbb{F}_2$, then the function $g_1$ (or any other $g_i$) is almost always constant.

Lemma 2.6.9. Let $n \ge 3$, $\varepsilon < 1/6$. Let $g_1, g_2, \dots, g_n : \mathbb{F}_p \to \mathbb{F}_2$ be functions. If

$$\Pr_{\vec s \leftarrow \mathsf{AddSh}_p(0)}\Big[\sum_i g_i(s_i) \neq 0\Big] < \varepsilon, \qquad (2.10)$$

where $\vec s = (s_1, \dots, s_n)$, then for every $a \in \mathbb{F}_p$,

$$\Pr_x[g_1(x) = g_1(x + a)] \ge 1 - 2\varepsilon. \qquad (2.11)$$

First, assuming Lemma 2.6.9, we prove Theorem 2.6.5. Then we prove Lemma 2.6.9 itself. To prove Theorem 2.6.5, we leverage the fact that $g_1$ is almost always constant to argue that additive shares of any element $s \in \mathbb{F}_p$ will also be converted to additive shares of 0, thus deriving a contradiction to the non-triviality of the relation $R$.

Proof of Theorem 2.6.5 assuming Lemma 2.6.9. Let $\varepsilon = 1/6$. Let us assume that the local share conversion algorithms are correct on shares of zero, i.e.,

$$\Pr_{\vec s \leftarrow \mathsf{AddSh}_p(0)}\Big[\sum_i g_i(s_i) \neq 0\Big] < \varepsilon. \qquad (2.12)$$

As $R$ is a non-trivial relation, there exists an $s' \in \mathbb{F}_p$ such that $(s', 0) \notin R$ and $(s', 1) \in R$. To prove the theorem, it suffices to show that

$$\Pr_{\vec s' \leftarrow \mathsf{AddSh}_p(s')}\Big[\sum_i g_i(s'_i) = 0\Big] \ge \varepsilon.$$

Note that the distribution $\{(s_1 + s', s_2, \dots, s_n) : (s_1, s_2, \dots, s_n) \leftarrow \mathsf{AddSh}_p(0)\}$ is identically distributed to $\mathsf{AddSh}_p(s')$. Hence,

$$\begin{aligned}
\Pr_{\vec s' \leftarrow \mathsf{AddSh}_p(s')}\Big[\sum_i g_i(s'_i) = 0\Big] &= \Pr_{\vec s \leftarrow \mathsf{AddSh}_p(0)}\Big[g_1(s_1 + s') + \sum_{i=2}^n g_i(s_i) = 0\Big] \\
&\ge \Pr_{\vec s \leftarrow \mathsf{AddSh}_p(0)}\Big[g_1(s_1 + s') = g_1(s_1) \;\wedge\; \sum_{i=1}^n g_i(s_i) = 0\Big] \\
&\ge \Pr_{\vec s \leftarrow \mathsf{AddSh}_p(0)}\big[g_1(s_1 + s') = g_1(s_1)\big] - \Pr_{\vec s \leftarrow \mathsf{AddSh}_p(0)}\Big[\sum_i g_i(s_i) \neq 0\Big] \\
&\ge 1 - 2\varepsilon - \varepsilon = 1 - 3\varepsilon \ge \varepsilon,
\end{aligned}$$

where the second inequality follows from the union bound, and the third inequality from Lemma 2.6.9 and Eq. (2.12). This gives us the required contradiction. $\square$
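An exhaustive check of Theorem 2.6.5 in its smallest case, three parties over $\mathbb{F}_3$, as an added example (not code from the thesis). Every non-trivial relation contains the two constraints $0 \mapsto 0$ and $a \mapsto 1$ of Definition 2.6.2, so the search below uses only those: it enumerates all $8^3$ local conversion schemes $g_1, g_2, g_3 : \mathbb{F}_3 \to \mathbb{F}_2$ and confirms that each fails on the shares of 0 or on the shares of $a$ with probability at least $1/6$. Names are the example's own.

```python
"""Exhaustive check of Theorem 2.6.5 for n = 3 parties over F_3 (constructed example)."""
from fractions import Fraction
from itertools import product


def additive_sharings(p, n, s):
    """All (s_1, ..., s_n) in F_p^n with sum s; AddSh_p(s) is uniform on them."""
    return [v for v in product(range(p), repeat=n) if sum(v) % p == s % p]


def failure_prob(p, scheme, s, target):
    """Pr over s <- AddSh_p(s) that sum_i g_i(s_i) mod 2 differs from target.
    Each g_i is given as its truth table, a tuple indexed by x in F_p."""
    sharings = additive_sharings(p, len(scheme), s)
    bad = sum(1 for v in sharings
              if sum(g[x] for g, x in zip(scheme, v)) % 2 != target)
    return Fraction(bad, len(sharings))


def best_scheme_error(p, n, a):
    """Search all n-tuples of functions F_p -> F_2.  For each scheme take the larger
    of its failure probabilities on the secret 0 (must convert to 0) and on the
    secret a (must convert to 1), the two constraints every non-trivial relation
    imposes; return the minimum over schemes, i.e. the best any local conversion
    can achieve against those two constraints alone."""
    tables = list(product(range(2), repeat=p))
    best = Fraction(1)
    for scheme in product(tables, repeat=n):
        err = max(failure_prob(p, scheme, 0, 0), failure_prob(p, scheme, a, 1))
        best = min(best, err)
    return best
```

With $p = 3$ the probabilities are multiples of $1/9$, so the theorem's $1/6$ bound forces an error of at least $2/9$ on one of the two constrained secrets; the all-zero scheme shows the trivial extreme (error 0 on the secret 0, error 1 on the secret $a$).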

We now prove Lemma 2.6.9. In the proof, we first represent the success probability of the share-conversion scheme in terms of the Fourier spectrum of the functions in the share-conversion scheme. We use this to infer that each of the share-conversion functions has a 'large' Fourier coefficient, and use that to deduce that this share-conversion function is almost constant. As mentioned earlier, this analysis is reminiscent of the Fourier analytic proof of the Blum, Luby, and Rubinfeld linearity test [BLR93] and group homomorphism testing of Ben-Or, Coppersmith, Luby, and Rubinfeld [BCLR08].

Proof of Lemma 2.6.9. It would be convenient for us to define real-valued functions $G_i : \mathbb{F}_p \to \mathbb{R}$ as $G_i(x) = (-1)^{g_i(x)}$. Restated in terms of the $G_i$'s, Eq. (2.10) is equivalent to

$$\Lambda(G_1, G_2, \dots, G_n) = \mathop{\mathbb{E}}_{\vec s \leftarrow \mathsf{AddSh}_p(0)}\big[G_1(s_1) \cdots G_n(s_n)\big] > 1 - 2\varepsilon.$$

Using Lemma 2.4.16, and noting that additive shares of 0 form a linear code with the dual code generated by the all-ones vector $\mathbf{1}$, we get that

$$1 - 2\varepsilon < \mathop{\mathbb{E}}_{\vec s \leftarrow \mathsf{AddSh}_p(0)}\big[G_1(s_1) \cdots G_n(s_n)\big] = \sum_{\alpha \in \mathbb{F}_p} \hat G_1(\alpha)\,\hat G_2(\alpha) \cdots \hat G_n(\alpha) \le \|\hat G_1\|_\infty \cdot \|\hat G_2\|_\infty \cdots \|\hat G_{n-2}\|_\infty \cdot \|\hat G_{n-1}\|_2 \cdot \|\hat G_n\|_2 \le \|\hat G_1\|_\infty,$$

where the first equality follows from Lemma 2.4.16, the subsequent inequality follows from the Cauchy-Schwarz inequality, and the final inequality follows from the fact that for each $i \in [n]$, $\|\hat G_i\|_2 = \|G_i\|_2 = 1$ and $\|\hat G_i\|_\infty \le 1$. This implies that $\|\hat G_1\|_\infty > 1 - 2\varepsilon > 2/3$. Lemma 2.6.7 implies that for any $\alpha \neq 0$, $|\hat G_1(\alpha)| \le 2/3$. Hence $|\hat G_1(0)| > 1 - 2\varepsilon$. Combining this with Lemma 2.6.8 shows that, for all $a \in \mathbb{F}_p$: $\Pr_x[G_1(x) = G_1(x + a)] \ge 1 - 2\varepsilon$.

This completes the proof as $G_1(x) = G_1(x + a) \Leftrightarrow g_1(x) = g_1(x + a)$. $\square$

Note that this proof breaks down for two parties because using Cauchy-Schwarz does not let us infer that $\|\hat G_i\|_\infty$ is large for either $i$. This proof does generalize to other settings, for example to share conversion from $\mathbb{F}_p$ to $\mathbb{F}_q$ for $q < p$, though the error bound degrades with an exponential dependence on $q$.

2.6.3 On Shamir's Secret Sharing: Proof of Theorem 2.6.6

In this section, we prove Theorem 2.6.6. We recall the theorem below.

Theorem 2.6.6. Let $n \ge 3$. The $(n, t)$-Shamir's secret sharing scheme, for $(n+3)/2 \le t \le n$, over $\mathbb{F}_p$ is not locally convertible to an additive secret sharing over $\mathbb{F}_2$ for any non-trivial relation $R$. That is, for any non-trivial relation $R$ and local conversion scheme $g_1, g_2, \dots, g_n : \mathbb{F}_p \to \mathbb{F}_2$, there exists $s \in \mathbb{F}_p$ such that

$$\Pr_{\vec s \leftarrow \mathsf{ShaSh}_p(s)}\Big[\Big(s, \sum_{i=1}^n g_i(s_i)\Big) \notin R\Big] \ge \frac{1}{\max(6, n+1)}.$$

This is also a two-step proof. The difficult step is proving an inverse theorem; using it is then relatively simple. The inverse theorem was proved in Green and Tao's breakthrough work [GT10]. While Green and Tao prove a more general result, we include, for convenience, a proof for the specialized case of Shamir's secret sharing. We state the inverse theorem below.

Lemma 2.6.10 (Inverse Theorem for Shamir's Secret Sharing). Let $n, t \ge 3$ be two integers such that $t \le n \le 2t - 3$. Let $\varepsilon < 1/6$. Let $g_1, g_2, \dots, g_n : \mathbb{F}_p \to \mathbb{F}_2$ be functions such that

$$\Pr_{\vec s \leftarrow \mathsf{ShaSh}_{p,n,t}(0)}\Big[\sum_i g_i(s_i) \neq 0\Big] < \varepsilon, \qquad (2.13)$$

where $\vec s = (s_1, \dots, s_n)$; then for every $a \in \mathbb{F}_p$,

$$\Pr_{x \leftarrow \mathbb{F}_p}[g_1(x) = g_1(x + a)] \ge 1 - 2\varepsilon.$$

We will first prove Theorem 2.6.6 assuming Lemma 2.6.10 and then prove the lemma.

Proof of Theorem 2.6.6. Let $\varepsilon = 1/\max(6, n+1)$. Let us assume that the local share conversion algorithms are correct on Shamir's shares of zero, i.e.,

$$\Pr_{\vec s \leftarrow \mathsf{ShaSh}_{p,n,t}(0)}\Big[\sum_i g_i(s_i) \neq 0\Big] < \varepsilon. \qquad (2.14)$$

As $R$ is a non-trivial relation, there exists an $s' \in \mathbb{F}_p$ such that $(s', 0) \notin R$ and $(s', 1) \in R$. To prove the theorem, it suffices to show that

$$\Pr_{\vec s' \leftarrow \mathsf{ShaSh}_{p,n,t}(s')}\Big[\sum_i g_i(s'_i) = 0\Big] \ge \varepsilon,$$

where $\vec s' = (s'_1, \dots, s'_n)$. Let $\vec q = (q_1, q_2, \dots, q_n)$ be a secret sharing of $s'$ that has the first $t - 1$ shares equal to 0. Such a sharing exists. Because the Shamir's secret shares of $s'$ are a coset of the Shamir's secret shares of 0, the distribution $\{\vec s + \vec q : \vec s \leftarrow \mathsf{ShaSh}_{p,n,t}(0)\}$ is identically distributed to $\mathsf{ShaSh}_{p,n,t}(s')$. Hence,

$$\begin{aligned}
\Pr_{\vec s' \leftarrow \mathsf{ShaSh}_{p,n,t}(s')}\Big[\sum_i g_i(s'_i) = 0\Big] &= \Pr_{\vec s \leftarrow \mathsf{ShaSh}_{p,n,t}(0)}\Big[\sum_i g_i(s_i + q_i) = 0\Big] \\
&\ge \Pr_{\vec s \leftarrow \mathsf{ShaSh}_{p,n,t}(0)}\Big[\big(\forall i \in \{t, \dots, n\},\ g_i(s_i + q_i) = g_i(s_i)\big) \wedge \sum_i g_i(s_i) = 0\Big] \\
&\ge 1 - \sum_{i=t}^n \Pr_{\vec s \leftarrow \mathsf{ShaSh}_{p,n,t}(0)}\big[g_i(s_i + q_i) \neq g_i(s_i)\big] - \Pr_{\vec s \leftarrow \mathsf{ShaSh}_{p,n,t}(0)}\Big[\sum_i g_i(s_i) \neq 0\Big] \\
&\ge 1 - (n - t + 1)\cdot(2\varepsilon) - \varepsilon = 1 + (-2n + 2t - 3)\cdot\varepsilon \ge 1 + (-2n + n)\cdot\varepsilon = 1 - n\varepsilon \ge \varepsilon,
\end{aligned}$$

where the second inequality follows from the union bound, the third inequality follows from Lemma 2.6.10 and Eq. (2.14), the fourth from $2t - 3 \ge n$, and the last inequality follows from the fact that $\varepsilon \le 1/(n+1)$. This concludes the proof. $\square$

2.6.4 Proof of Lemma 2.6.10

Proving Lemma 2.6.10 requires some new notions. In particular, the notion of the Gowers' Uniformity Norm.

Gowers' Uniformity Norm

The Gowers' Uniformity Norm was defined by Gowers in [Gow01] to give an alternate proof of Szemerédi's Theorem. This notion has been very influential in additive combinatorics.

Definition 2.6.11 (Gowers' $U^2$ Norm). Let $f : G \to \mathbb{C}$ be a function. The Gowers' $U^2$ Norm or the Uniformity Norm of $f$, denoted by $\|f\|_{U^2}$, is defined as follows:

$$\|f\|_{U^2}^4 = \mathop{\mathbb{E}}_{x, a, b \leftarrow G}\Big[f(x)\cdot\overline{f(x-a)}\cdot\overline{f(x-b)}\cdot f(x-a-b)\Big].$$

We will deal only with real-valued functions and hence usually ignore the conjugates in this paper. Higher-order analogues of the Gowers' Norms can be defined analogously, but we do not need them in the paper. Before recalling properties of the Gowers' norms, we define the non-standard operator $*$ as in [Gre07].¹ Let $f : G \to \mathbb{C}$ and $g : G \to \mathbb{C}$ be two functions. The function $f * g : G \to \mathbb{C}$ is defined by: $(f * g)(y) = \mathop{\mathbb{E}}_x[f(x)\cdot g(x - y)]$.

We recall the following lemma from [Gow01].

¹ As in [Gre07], we do not need to use the standard convolution, which is normally defined as $f * g : G \to \mathbb{C}$, $(f * g)(y) = \mathop{\mathbb{E}}_x[f(x)\cdot g(y - x)]$.

Lemma 2.6.12. Let $f : G \to \mathbb{C}$ and $g : G \to \mathbb{C}$ be two functions. Then we have:

$$\widehat{f * g} = \hat f \cdot \overline{\hat g}.$$

Proof. We have:

$$\begin{aligned}
\widehat{f * g}(\alpha) &= \mathop{\mathbb{E}}_{x, y \leftarrow G}\big[f(x)\cdot g(x - y)\cdot\omega^{\alpha y}\big] \\
&= \mathop{\mathbb{E}}_{x, y \leftarrow G}\big[f(x)\cdot\omega^{\alpha x}\cdot g(x - y)\cdot\omega^{-\alpha(x - y)}\big] \\
&= \mathop{\mathbb{E}}_{x, z \leftarrow G}\big[f(x)\cdot\omega^{\alpha x}\cdot g(z)\cdot\omega^{-\alpha z}\big] = \hat f(\alpha)\cdot\overline{\hat g(\alpha)}. \qquad \square
\end{aligned}$$

Theorem 2.6.13 (Properties of the Gowers' Norms). Let $f : G \to \mathbb{C}$ be a function.

(a) (Alternate Definition of $U^2$.) The Gowers' Norm of a function is alternately defined as:

$$\|f\|_{U^2}^4 = \mathop{\mathbb{E}}_{y, y', z, z' \leftarrow G}\big[f(y + z)\cdot f(y + z')\cdot f(y' + z)\cdot f(y' + z')\big].$$

(b) (Connection to Fourier Coefficients.)

$$\|f\|_{U^2}^4 = \|f * f\|_2^2 = \|\widehat{f * f}\|_2^2 = \|\hat f\|_4^4.$$

(c) (Inverse Theorem for $U^2$ Norm.) If $\|f\|_{U^2} \ge \delta$ and $\|f\|_2 \le 1$, then

$$\mathsf{bias}(f) = \|\hat f\|_\infty \ge \delta^2.$$

Proof. These properties are proven for example in the proof of Proposition 1.9 of [Gre07] and in [Gow01].

Proof of Theorem 2.6.13(a). If we write $x = y + z$, $a = z - z'$, $b = y - y'$, then: $x = y + z$, $x - a = y + z'$, $x - b = y' + z$, $x - a - b = y' + z'$. Furthermore, if $y, y', z, z'$ are four independent uniform random variables in $G$, then $x, a, b$ are three independent uniform random variables in $G$. $\square$

Proof of Theorem 2.6.13(b). The first equality of the proposition comes from:

$$\begin{aligned}
\|f\|_{U^2}^4 &= \mathop{\mathbb{E}}_{y, y', z, z' \leftarrow G}\big[f(y + z)\, f(y + z')\, f(y' + z)\, f(y' + z')\big] = \mathop{\mathbb{E}}_{z, z' \leftarrow G}\Big[\Big(\mathop{\mathbb{E}}_{y \leftarrow G}\big[f(y + z)\, f(y + z')\big]\Big)^2\Big] \\
&= \mathop{\mathbb{E}}_{z, z' \leftarrow G}\Big[\Big(\mathop{\mathbb{E}}_{y \leftarrow G}\big[f(y)\, f(y - z + z')\big]\Big)^2\Big] = \mathop{\mathbb{E}}_{z, z' \leftarrow G}\big[(f * f)(z - z')^2\big] = \|f * f\|_2^2.
\end{aligned}$$

The second equality of the proposition comes from Theorem 2.3.9(a). The third equality of the proposition comes from:

$$\|\widehat{f * f}\|_2^2 = \|\hat f \cdot \overline{\hat f}\|_2^2 = \sum_{\alpha \in G} |\hat f(\alpha)|^4 = \|\hat f\|_4^4,$$

where the first equality comes from Lemma 2.6.12. $\square$

Proof of Theorem 2.6.13(c). We have:

$$\delta^4 \le \|f\|_{U^2}^4 = \|\hat f\|_4^4 \le \|\hat f\|_\infty^2 \cdot \|\hat f\|_2^2 = \|\hat f\|_\infty^2 \cdot \|f\|_2^2 \le \|\hat f\|_\infty^2. \qquad \square$$
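Lemma 2.6.7 and Theorem 2.6.13(b),(c) checked numerically, as an added example that is not part of the thesis: a normalised Fourier transform on $\mathbb{F}_p$ (written with $\omega^{-ax}$ rather than the thesis's $\omega^{ax}$, which leaves every magnitude unchanged), the $U^2$ norm taken straight from Definition 2.6.11, and an exhaustive search over all $\pm1$-valued functions for the largest non-zero coefficient. Function names are the example's own.

```python
"""Fourier coefficients on F_p and the Gowers U^2 norm (constructed example)."""
import cmath
import math
from itertools import product


def fourier(f, p):
    """Normalised Fourier transform of f : F_p -> R given as a list of length p:
    f^(a) = (1/p) * sum_x f(x) * w^(-a x), with w = exp(2 pi i / p)."""
    w = cmath.exp(2j * math.pi / p)
    return [sum(f[x] * w ** (-a * x) for x in range(p)) / p for a in range(p)]


def bias(f, p):
    """bias(f) = ||f^||_inf, the correlation of f with its best character."""
    return max(abs(c) for c in fourier(f, p))


def gowers_u2_fourth(f, p):
    """||f||_U2^4 straight from Definition 2.6.11 for real-valued f (no conjugates):
    E_{x,a,b}[ f(x) f(x-a) f(x-b) f(x-a-b) ]."""
    total = sum(f[x] * f[(x - a) % p] * f[(x - b) % p] * f[(x - a - b) % p]
                for x in range(p) for a in range(p) for b in range(p))
    return total / p ** 3


def gowers_u2_fourth_via_fourier(f, p):
    """Theorem 2.6.13(b): ||f||_U2^4 = ||f^||_4^4 = sum_a |f^(a)|^4."""
    return sum(abs(c) ** 4 for c in fourier(f, p))


def u2_identity_gap(f, p):
    """Absolute difference between the two computations of ||f||_U2^4."""
    return abs(gowers_u2_fourth(f, p) - gowers_u2_fourth_via_fourier(f, p))


def inverse_theorem_holds(f, p):
    """Theorem 2.6.13(c) for f with ||f||_2 <= 1: bias(f) >= ||f||_U2^2."""
    return bias(f, p) + 1e-12 >= math.sqrt(gowers_u2_fourth(f, p))


def lemma_2_6_7_bound(p):
    """The bound of Lemma 2.6.7 on |F^(a)| for a != 0: 1 / (p sin(pi / 2p))."""
    return 1 / (p * math.sin(math.pi / (2 * p)))


def max_nonzero_coefficient(p):
    """Largest |F^(a)| over a != 0 and over all F : F_p -> {-1, 1} (exhaustive)."""
    best = 0.0
    for F in product((-1, 1), repeat=p):
        coeffs = fourier(list(F), p)
        best = max(best, max(abs(c) for c in coeffs[1:]))
    return best
```

For $p = 3$ the bound of Lemma 2.6.7 is attained: $F = (1, 1, -1)$ has $|\hat F(1)| = |\hat F(2)| = 2/3$.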

Proof of Lemma 2.6.10

We now prove Lemma 2.6.10. This proof is specialized to the case of Shamir's sharing from the work of Green and Tao [GT10], which proves a more general result.

Proof of Lemma 2.6.10. As before, it would be convenient for us to define real-valued functions $G_i : \mathbb{F}_p \to \mathbb{R}$ as $G_i(x) = (-1)^{g_i(x)}$. Restated in terms of the $G_i$'s, Eq. (2.13) is equivalent to

$$\mathop{\mathbb{E}}_{\vec s \leftarrow \mathsf{ShaSh}_{p,n,t}(0)}\Big[\prod_i G_i(s_i)\Big] > 1 - 2\varepsilon. \qquad (2.15)$$

Proof Outline.

1. We will consider the linear code generated by $\mathsf{ShaSh}_{p,n,t}(0)$ (a generalized Reed-Solomon code). We will write the generator matrix of the code in a suitable 'normalized form.'

2. The Cauchy-Schwarz inequality will enable us to upper-bound the expectation in Eq. (2.15) by the Gowers' norm of the functions $G_i$, hence implying that the $G_i$'s have a high Gowers' norm.

3. Finally, invoking the inverse theorem for the Gowers' norm will complete the proof.

Claim 2.6.13.1. There exists a matrix $M \in \mathbb{F}_p^{(t-1)\times n}$ such that the linear code generated by $\mathsf{ShaSh}_{p,n,t}(0)$ is generated by $M$, i.e.,

$$\mathsf{ShaSh}_{p,n,t}(0) = \big\{\vec y M : \vec y \leftarrow \mathbb{F}_p^{t-1}\big\},$$

and $M$ has the following form, with column blocks of widths $1$, $t-2$ and $n-t+1$:

$$M = \begin{pmatrix} u_1 & 0 & \cdots & 0 & * & \cdots & * \\ u_2 & * & \cdots & * & 0 & \cdots & 0 \\ * & * & \cdots & * & * & \cdots & * \\ \vdots & \vdots & & \vdots & \vdots & & \vdots \\ * & * & \cdots & * & * & \cdots & * \end{pmatrix}, \qquad (2.16)$$

where $u_1, u_2$ are non-zero elements of $\mathbb{F}_p$, and each $*$ is an element in $\mathbb{F}_p$ (not necessarily all equal).

Proof. Let $A = \{\alpha_1, \alpha_2, \dots, \alpha_n\}$ be the $n$ distinct evaluation points used in Shamir's secret sharing ($0 \notin A$). Let $q_1$ and $q_2$ be the following polynomials:

$$q_1(x) = x\cdot(x - \alpha_2)\cdot(x - \alpha_3)\cdots(x - \alpha_{t-1}), \qquad q_2(x) = x\cdot(x - \alpha_t)\cdot(x - \alpha_{t+1})\cdots(x - \alpha_n).$$

The number of factors $(x - \alpha_i)$ in $q_2$ is $n - t + 1 \le 2t - 3 - t + 1 = t - 2$. Hence both polynomials $q_1$ and $q_2$ have degree at most $t - 1$ and the following vectors are valid Shamir's secret sharings of 0:

$$m_1 = (q_1(\alpha_1), q_1(\alpha_2), \dots, q_1(\alpha_n)), \qquad m_2 = (q_2(\alpha_1), q_2(\alpha_2), \dots, q_2(\alpha_n)).$$

Let us write $u_1 = q_1(\alpha_1) \neq 0$ and $u_2 = q_2(\alpha_1) \neq 0$. The two vectors $m_1$ and $m_2$ are of the form:

$$m_1 = (u_1, 0, \dots, 0, *, \dots, *), \qquad m_2 = (u_2, *, \dots, *, 0, \dots, 0).$$

We conclude the proof by remarking that these two vectors are linearly independent and hence can be completed into a full basis of $\mathsf{ShaSh}_{p,n,t}(0)$. $\square$

Remark 2.6.14. We remark that the above claim requires $n \le 2t - 3$. If $n > 2t - 3$, the second row would need to have $n - t + 1 > t - 2$ zeros, which is impossible as not all its coefficients are zero: $u_2 \neq 0$. (Recall that a Shamir's secret sharing of 0 has at most $t - 1$ shares equal to 0, unless all the shares are 0.)

Claim 2.6.14.1 (Cauchy-Schwarz Argument). Let $G_1, G_2, \dots, G_n : \mathbb{F}_p \to \mathbb{C}$ such that $\|G_i\|_\infty \le 1$ for all $i$. Then,

$$\Big|\mathop{\mathbb{E}}_{\vec x \leftarrow \mathsf{ShaSh}_{p,n,t}(0)}\Big[\prod_i G_i(x_i)\Big]\Big| \le \min_i \|G_i\|_{U^2}.$$

Proof. We will prove that the left-hand side is at most $\|G_1\|_{U^2}$. The other cases are true by symmetry. Using the matrix $M$ from Claim 2.6.13.1, we write the left-hand side as:

$$\mathop{\mathbb{E}}_{\vec x \leftarrow \mathsf{ShaSh}_{p,n,t}(0)}\Big[\prod_i G_i(x_i)\Big] = \mathop{\mathbb{E}}_{\vec y \leftarrow \mathbb{F}_p^{t-1}}\Big[\prod_i G_i\big(\langle \vec y, M^{(i)}\rangle\big)\Big],$$

where $M^{(i)}$ is the $i$-th column of $M$. We remark that if we write $\vec x = \vec y M$, then $x_i = \langle \vec y, M^{(i)}\rangle$.

To prove the claim, it is beneficial to separate the variables $y_1$ and $y_2$ from the rest. As a shorthand, we omit the dependence on $y_3, \dots, y_{t-1}$ and write:

$$h(y_1, y_2) = G_1\big(\langle \vec y, M^{(1)}\rangle\big), \qquad b_1(y_1) = \prod_{i=t}^{n} G_i\big(\langle \vec y, M^{(i)}\rangle\big), \qquad b_2(y_2) = \prod_{i=2}^{t-1} G_i\big(\langle \vec y, M^{(i)}\rangle\big).$$

We indeed remark that $b_1(y_1)$ and $b_2(y_2)$ do not depend on $y_2$ and $y_1$ respectively, by definition of $M$ (see Eq. (2.16)). Furthermore, we use $b$ to indicate that these functions are bounded by 1.

So, our product can be written as follows:

$$\mathop{\mathbb{E}}_{\vec x \leftarrow \mathsf{ShaSh}_{p,n,t}(0)}\Big[\prod_i G_i(x_i)\Big] = \mathop{\mathbb{E}}_{y_3, \dots, y_{t-1}}\Big[\mathop{\mathbb{E}}_{y_1}\Big[\mathop{\mathbb{E}}_{y_2}\big[h(y_1, y_2)\cdot b_1(y_1)\cdot b_2(y_2)\big]\Big]\Big].$$

We now link this product to the Gowers' norm of the function $h$ via repeated use of the Cauchy-Schwarz inequality. Using Cauchy-Schwarz on $y_2$, we get:

$$\Big|\mathop{\mathbb{E}}_{y_1, y_2}\big[h(y_1, y_2)\, b_1(y_1)\, b_2(y_2)\big]\Big| \le \Big(\mathop{\mathbb{E}}_{y_2}\Big[\mathop{\mathbb{E}}_{y_1}\big[h(y_1, y_2)\, b_1(y_1)\big]^2\Big]\Big)^{1/2}\Big(\mathop{\mathbb{E}}_{y_2}\big[b_2(y_2)^2\big]\Big)^{1/2}.$$

Boundedness of $b_2$ implies that $\mathop{\mathbb{E}}_{y_2}[b_2(y_2)^2] \le 1$. Rearranging the terms, we get that

$$\Big|\mathop{\mathbb{E}}_{y_1, y_2}\big[h(y_1, y_2)\, b_1(y_1)\, b_2(y_2)\big]\Big|^2 \le \mathop{\mathbb{E}}_{y_1, y_1', y_2}\big[h(y_1, y_2)\cdot h(y_1', y_2)\cdot b_1(y_1)\cdot b_1(y_1')\big].$$

Applying Cauchy-Schwarz on $y_1, y_1'$ along with boundedness, we get that

$$\begin{aligned}
\mathop{\mathbb{E}}_{y_1, y_1', y_2}\big[h(y_1, y_2)\, h(y_1', y_2)\, b_1(y_1)\, b_1(y_1')\big] &\le \Big(\mathop{\mathbb{E}}_{y_1, y_1'}\Big[\mathop{\mathbb{E}}_{y_2}\big[h(y_1, y_2)\, h(y_1', y_2)\big]^2\Big]\Big)^{1/2}\Big(\mathop{\mathbb{E}}_{y_1, y_1'}\big[b_1(y_1)^2\, b_1(y_1')^2\big]\Big)^{1/2} \\
&\le \Big(\mathop{\mathbb{E}}_{y_1, y_1'}\Big[\mathop{\mathbb{E}}_{y_2}\big[h(y_1, y_2)\, h(y_1', y_2)\big]^2\Big]\Big)^{1/2} \\
&= \Big(\mathop{\mathbb{E}}_{y_1, y_1', y_2, y_2'}\big[h(y_1, y_2)\, h(y_1', y_2)\, h(y_1, y_2')\, h(y_1', y_2')\big]\Big)^{1/2} \\
&= \|G_1\|_{U^2}^2,
\end{aligned}$$

where the last equality follows from the fact that $h$ is real-valued, Theorem 2.6.13(a), and that $G_1$ and $h$ are related to each other by a linear change of variables. Indeed, for every fixed $y_3, \dots, y_{t-1}$, it holds that $h(y_1, y_2) = G_1\big(u_1 y_1 + u_2 y_2 + \sum_{k=3}^{t-1} y_k M_{k,1}\big)$ and $u_1, u_2 \neq 0$. Hence,

$$\mathop{\mathbb{E}}_{y_1, y_1', y_2, y_2'}\big[h(y_1, y_2)\, h(y_1', y_2)\, h(y_1, y_2')\, h(y_1', y_2')\big] = \mathop{\mathbb{E}}_{y_1, y_1', y_2, y_2'}\big[G_1(y_1 + y_2)\, G_1(y_1' + y_2)\, G_1(y_1 + y_2')\, G_1(y_1' + y_2')\big].$$

This concludes the proof of Claim 2.6.14.1. $\square$

We can now prove Lemma 2.6.10. Claim 2.6.14.1 and Eq. (2.15) imply that $\|G_1\|_{U^2} \ge 1 - \varepsilon$. We need to relate the Gowers' Norm to the Fourier bias. Using Theorem 2.6.13(c), we get that $\mathsf{bias}(G_1) \ge (1 - \varepsilon)^2 \ge 1 - 2\varepsilon$.

This implies that $\|\hat G_1\|_\infty \ge 1 - 2\varepsilon > 2/3$, as $\varepsilon < 1/6$. Lemma 2.6.7 implies that for any $a \neq 0$, $|\hat G_1(a)| \le 2/3$. Hence $|\hat G_1(0)| \ge 1 - 2\varepsilon$. Combining this with Lemma 2.6.8 shows that $\Pr_x[G_1(x) = G_1(x + a)] \ge 1 - 2\varepsilon$.

This completes the proof of Lemma 2.6.10 as $G_1(x) = G_1(x + a) \Leftrightarrow g_1(x) = g_1(x + a)$. $\square$

Chapter 3

From Laconic SZK to Public Key Encryption

3.1 Overview

Underlying symmetric key encryption is a centuries-old idea: shared secrets enable secure communication. This idea takes many forms: the Caesar cipher, the unconditionally secure one-time pads, fast heuristic constructions like AES, and a multitude of candidates based on the hardness of a variety of problems. The discovery of public-key encryption, by Diffie and Hellman [DH76] and Rivest, Shamir and Adleman [RSA78], was revolutionary as it gave us the ability to communicate securely without any shared secrets. Needless to say, this capability is one of the cornerstones of secure communication in today's online world.

As is typically the case in cryptography, we are currently very far from establishing the security of public-key cryptography unconditionally. Rather, to establish security, we rely on certain computational intractability assumptions. Despite four decades of extensive research, we currently only know constructions of public-key encryption from a handful of assumptions, most notably assumptions related to the hardness of factoring, finding discrete logarithms and computational problems related to lattices (as well as a few more exotic assumptions).

One of the central open problems in cryptography is to place public-key encryption on firmer complexity-theoretic grounding, ideally by constructing public-key encryption from the minimal assumption that one-way functions exist. Such a result seems well beyond current techniques, and by the celebrated result of Impagliazzo and Rudich [IR89] requires a non-black-box approach. Given that, a basic question that we would like to resolve is the following:

From what general complexity-theoretic assumptions can we construct public-key cryptography?

Our motivation for asking this question is twofold. First, we seek to understand: Why is it the case that so few assumptions give us public-key encryption? What kind of "structured hardness" is required? Secondly, we hope that this understanding can guide the search for new concrete problems that yield public-key encryption.

3.1.1 Our Results

Our main result is a construction of a public-key encryption scheme from a general complexity-theoretic assumption: namely, the existence of a cryptographically hard language L ∈ NP that has a laconic (honest-verifier) statistical zero-knowledge argument-system. We first discuss the notions mentioned above, and then proceed to state the main result more precisely (yet still informally). By a cryptographically hard language we mean an NP language that is average-case hard with a solved instance generator.¹ A proof-system is laconic [GH98, GVW02] if the number of bits sent from the prover to the verifier is very small.² An argument-system is similar to an interactive proof, except that soundness is only required to hold against computationally bounded (i.e., polynomial time) cheating provers. Honest verifier zero-knowledge means that the honest verifier learns no more in the interaction than the fact that x ∈ L (i.e., the verifier can simulate the honest interaction by itself). Thus, our main result can be stated as follows:

Theorem (Informal) 3.1.1 (Informally Stated, see Theorem 3.3.6). Assume that there exists a cryptographically hard language L ∈ NP with an r-round statistical honest-verifier zero-knowledge argument-system, with constant soundness, that satisfies the following two requirements:

• Efficient Prover: The honest prover strategy can be implemented in polynomial-time, given the NP witness.³

• Laconic Prover: The prover sends at most q bits in each of the r rounds, such that $r^2 \cdot q^3 = O(\log n)$, where n is the input length.

Then, there exists a public-key encryption (PKE) scheme.

We emphasize that requiring only honest-verifier zero-knowledge (rather than full-fledged zero-knowledge) and computational soundness (i.e., an argument-system) weakens our assumption, and therefore only strengthens our main result. We also comment that we can handle provers that are less laconic (i.e., send longer messages) by assuming that the language L is sub-exponentially hard. Lastly, we remark that the assumption in Theorem (Informal) 3.1.1 may be viewed as a generalization of the notion of hash proof systems [CS02].⁴ We discuss this point in more detail in Section 3.1.2.

¹ Loosely speaking, a solved-instance generator for an average-case hard language L ∈ NP is an algorithm that generates samples (x, w) ∈ R (where R is the NP relation) and where x is distributed according to the average-case hard distribution restricted to YES instances.
² Laconic proof-systems with constant soundness and very short communication (e.g., just a single bit) are indeed known. As a matter of fact, many of the known hard problems that are known to yield public-key encryption schemes have such laconic SZK proof-systems (see Section 3.1.1 and Section 3.7).
³ In the context of argument-systems (in contrast to general interactive proofs), the assumption that the honest prover is efficient goes without saying. Nevertheless, we wish to emphasize this point here.
⁴ As a matter of fact, hash proof systems can be viewed as a special case of our assumption in which the (honest) prover is deterministic or, equivalently, sends only a single bit. In contrast, we handle arbitrary randomized provers (that are sufficiently laconic) and indeed most of the technical difficulty arises from handling this more general setting. See additional details in Section 3.1.2.

Instantiations

Many concrete assumptions (which are already known to yield public-key encryption schemes) imply the conditions of Theorem (Informal) 3.1.1. First, number-theoretic assumptions such as Quadratic Residuosity (QR) and Decisional Diffie-Hellman (DDH) can be shown to imply the existence of a cryptographically hard NP language with a laconic and efficient SZK argument-system and therefore satisfy the conditions of Theorem (Informal) 3.1.1 (these and the other implications mentioned below are proven in Section 3.7). We can also capture assumptions related to lattices and random linear codes by slightly relaxing the conditions of Theorem (Informal) 3.1.1. Specifically, Theorem (Informal) 3.1.1 holds even if we relax the completeness, soundness and zero-knowledge conditions of the argument-system to hold only for most (but not necessarily all) of the instances (chosen from the average-case hard distribution). We call arguments with these weaker properties average-case SZK arguments. It is not hard to see that lossy encryption [PVW08, BHY09] yields such an average-case laconic and efficient zero-knowledge argument-system. Recall that a PKE scheme is lossy if its public-keys are indistinguishable from so-called "lossy keys" such that a ciphertext generated using such a lossy key does not contain information about the underlying plaintext. Consider the following proof-system for the language consisting of all valid public-keys: given an allegedly valid public-key, the verifier sends to the prover an encryption of a random bit b and expects to get in response the value b. It is not hard to see that this protocol is a laconic and efficient average-case SZK argument-system. Many concrete assumptions yield cryptographically hard languages with average-case laconic and efficient SZK arguments (whether via lossy encryption or directly). Most notably, Learning With Errors (LWE) [Reg05], Learning Parity with Noise (LPN) with small errors [Ale03] and most of the assumptions used by Applebaum et al. [ABW10] to construct PKE all imply the existence of such languages. Thus, Theorem (Informal) 3.1.1 gives a common framework for constructing public-key encryption based on a variety of different intractability assumptions (all of which were already known to yield public-key encryption via a variety of somewhat ad hoc techniques), see also Fig. 3-1. One notable hardness assumption that we do not know to imply our assumption (even the average-case variant) is integer factorization (and the related RSA assumption). We consider a further weakening of our assumption that captures also the factoring and RSA assumptions. As a matter of fact, we show that this further relaxed assumption is actually equivalent to the existence of a public-key encryption scheme. We discuss this in more detail in Section 3.1.1.

Perspective - From SZK-Hardness to Public-Key Encryption

As noted above, one of the central goals in cryptography is to base public-key encryption on a general notion of structured hardness. A natural candidate for such structure is the class SZK of statistical zero-knowledge proofs, since many of the assumptions that are known to yield public-key encryption have SZK proof-systems. Indeed, it is enticing to believe that the following conjecture holds:

[Figure: QR, DDH, LWE, LPN and [ABW10]* each point to "Our Assumption: Laconic SZK Argument-System for a Cryptographically Hard NP Language", which by Thm. 3.1.1 implies Public-Key Encryption.]

Figure 3-1: Instantiations of our assumption. Dashed arrows mean that we only obtain average-case completeness, soundness and zero-knowledge. The (*) sign means that most, but not all, assumptions from [ABW10] imply our assumption.

Conjecture 3.1.2. Assume that there exists a cryptographically-hard language L ∈ NP ∩ SZK. Then, there exists a public-key encryption scheme.

(Here by SZK we refer to the class of languages having statistical zero-knowledge proof-systems rather than argument-systems as in Theorem (Informal) 3.1.1. Assuming this additional structure only makes Conjecture 3.1.2 weaker and therefore easier to prove.) Proving Conjecture 3.1.2 would be an outstanding breakthrough in cryptography. For instance, it would allow us to base public-key cryptography on the intractability of the discrete logarithm (DLOG) problem,⁵ since (a decision problem equivalent to) DLOG has a perfect zero-knowledge proof-system⁶ [GK93], or under the plausible quasi-polynomial average-case⁷ hardness of the graph isomorphism problem (via the perfect zero-knowledge protocol of [GMW87]). We view Theorem (Informal) 3.1.1 as an initial step toward proving Conjecture 3.1.2. At first glance, it seems that Theorem (Informal) 3.1.1 must be strengthened in two ways in order to establish Conjecture 3.1.2. Namely, we need to get rid of the requirements that the (honest) prover is (1) efficient and (2) laconic. However, it turns out that it suffices to remove only one of these restrictions, no matter which one, in order to obtain Conjecture 3.1.2. We discuss this next.

Handling Inefficient Provers. Sahai and Vadhan [SV03] showed a problem, called statistical distance, which is both (1) complete for SZK, and (2) has an extremely laconic honest-verifier statistical zero-knowledge proof in which the prover only sends a single bit (with constant soundness error). The immediate implication is that any SZK protocol can be compressed to one in which the prover sends only a single bit.

⁵ Public-key schemes based on assumptions related to discrete log such as the decisional (or even computational) Diffie-Hellman assumption are known to exist. Nevertheless, basing public-key encryption solely on the hardness of discrete log has been open since the original work of Diffie and Hellman [DH76].
⁶ That proof-system is actually laconic but it is unclear how to implement the prover efficiently.
⁷ Graph isomorphism is in fact known to be solvable in polynomial-time for many natural distributions, and the recent breakthrough result of Babai [Bab16] gives a quasi-polynomial worst-case algorithm. Nevertheless, it is still plausible that Graph Isomorphism is average-case quasi-polynomially hard (for some efficiently samplable distribution).

Unfortunately, the foregoing transformation does not seem to maintain the computational efficiency of the prover. Thus, removing the requirement that the prover is efficient from Theorem (Informal) 3.1.1 (while maintaining the laconism requirement) would establish Conjecture 3.1.2.

Handling Non-Laconic Provers. Suppose that we managed to remove the laconism requirement from Theorem (Informal) 3.1.1 and only required the prover to be efficient. It turns out that the latter would actually imply an even stronger result than Conjecture 3.1.2. Specifically, assuming only the existence of one-way functions, Haitner et al. [HNO+09] construct (non-laconic) statistical zero-knowledge arguments for any NP language, with an efficient prover. Thus, removing the laconism requirement from Theorem (Informal) 3.1.1 would yield public-key encryption based merely on the existence of one-way functions. In fact, even a weaker result would yield Conjecture 3.1.2. Suppose we could remove the laconism requirement from Theorem (Informal) 3.1.1 while insisting that the proof-system has statistical soundness (rather than computational). Such a result would yield Conjecture 3.1.2 since Nguyen and Vadhan [NV06] showed that every language in NP ∩ SZK has an SZK protocol in which the prover is efficient (given the NP witness). To summarize, removing the laconism requirement from Theorem (Informal) 3.1.1, while still considering an argument-system, would yield public-key encryption from one-way functions (via [HNO+09]). On the other hand, removing the laconism requirement while insisting on statistical soundness would yield Conjecture 3.1.2 (via [NV06]). (Note that neither the [NV06] nor the [HNO+09] proof-systems are laconic, so they too cannot be used directly together with Theorem (Informal) 3.1.1 to prove Conjecture 3.1.2.)

Extensions

We also explore the effect of strengthening and weakening our assumption. A natural strengthening gives us oblivious transfer, and as mentioned above, a certain weakening yields a complete complexity-theoretic characterization of public-key encryption.

A Complexity-Theoretic Characterization. The assumption from which we construct public-key encryption (see Theorem (Informal) 3.1.1) requires some underlying hard decision problem. In many cryptographic settings, however, it seems more natural to consider hardness of search problems (e.g., integer factorization). Thus, we wish to explore the setting of laconic SZK arguments when only assuming the hardness of computing a witness for an instance sampled from a solved instance generator. Namely, an NP relation for which it is hard, given a random instance, to find a corresponding witness. We introduce a notion of (computationally sound) proof-systems for such NP search problems, which we call arguments of weak knowledge (AoWK). Loosely speaking, this argument-system convinces the verifier that the prover with which it is interacting has at least some partial knowledge of some witness. Or in other words, no efficient cheating prover can convince the verifier to accept given only the input. We further say that an AoWK is zero-knowledge if the verifier learns nothing beyond the fact that the prover has the witness. We show that Theorem (Informal) 3.1.1 still holds under the weaker assumption that there is an efficient and laconic SZK-AoWK (with respect to some hard solved instance generator). Namely, the latter assumption implies the existence of PKE. Furthermore, we also show that the same assumption is implied by any PKE scheme, thus establishing an equivalence between the two notions which also yields a certain complexity-theoretic characterization of public-key encryption.

Oblivious Transfer. Oblivious Transfer (OT) is a fundamental cryptographic primitive, which is complete for the construction of general secure multiparty computation (MPC) protocols [GMW87, Kil88]. We show that by making a slightly stronger assumption, Theorem (Informal) 3.1.1 can be extended to yield a (two-message) semi-honest OT protocol. For our OT protocol, in addition to the conditions of Theorem (Informal) 3.1.1, we need to further assume that there is a way to sample instances x such that it is hard to tell whether x ∈ L or x ∉ L even given the coins of the sampling algorithm.⁸ We refer to this property as enhanced cryptographic hardness in analogy to the notion of enhanced trapdoor permutations (see further discussion in Section 3.6.3).

3.1.2 Related Works

Cryptography and Hardness of SZK. Ostrovsky [Ost91] showed that the existence of a language in SZK with average-case hardness implies the existence of one-way functions. Our result can be interpreted as an extension of Ostrovsky's result: by assuming additional structure on the underlying SZK protocol, we construct a public-key encryption scheme. In fact, some of the ideas underlying our construction are inspired by Ostrovsky's one-way function. Average-case SZK hardness also implies constant-round statistically hiding commitments [OV08], a primitive not implied by one-way functions in a black-box way [HHRS15]. Assuming the existence of an average-case hard language in a subclass of SZK (i.e., of languages having perfect randomized encodings), Applebaum and Raykov [AR16] construct collision resistant hash functions. In the other direction, some cryptographic primitives like homomorphic encryption [BL13], lossy encryption and PIR (computational private information retrieval) [LV16] imply the existence of average-case hard problems in SZK.⁹ We also mention that many other primitives, such as one-way functions, public-key encryption and oblivious transfer, do not imply the existence of average-case hard problems in SZK (under black-box reductions) [BDV16].

Hash Proof-Systems. Hash Proof-Systems, introduced by Cramer and Shoup [CS02], are a cryptographic primitive which, in a nutshell, can be described as a cryptographically hard language in NP with a one-round SZK protocol in which the honest prover is efficient given the NP witness and deterministic (and without loss of generality sends only a single bit). This is precisely what we assume for our main result, except that we can handle randomized provers that send more bits of information (and the protocol can be multi-round). This special case of deterministic provers is significantly simpler to handle (and will serve as a warmup when describing our techniques). Our main technical contribution is handling arbitrary randomized provers. Public-key encryption schemes have been shown to imply the existence of certain weak hash proof-systems [HLWW16]. Hash proof-systems were also shown in [GOVW12] to yield resettable statistical zero-knowledge proof-systems.

⁸ In particular, the sampling algorithm that tosses a coin b ∈ {0, 1} and outputs x ∈ L if b = 0 and x ∉ L otherwise does not satisfy the requirement (since the value of b reveals whether x ∈ L).
⁹ On a somewhat related note, we mention that combining [BL13] with our result gives a construction of public-key encryption from symmetric-key additively homomorphic encryption. This was already shown in [Rot11] via a direct construction.

Laconic Provers. A study of interactive proofs in which the prover is laconic (i.e., transmits few bits to the verifier) was initiated by Goldreich and Håstad [GH98] and was further explored by Goldreich, Vadhan and Wigderson [GVW02]. These works focus on general interactive proofs (that are not necessarily zero-knowledge) and their main results are that laconic interactive proofs are much weaker than general (i.e., non-laconic) interactive proofs.

3.1.3 Techniques

To illustrate the techniques used, we sketch the proof of a slightly simplified version of Theorem (Informal) 3.1.1. Specifically, we construct a PKE given a cryptographically hard language L with a single-round efficient-prover and laconic SZK argument-system (we shall briefly mention the effect of more rounds where it is most relevant). For simplicity, we also assume that the SZK protocol has perfect completeness and zero-knowledge. In the actual construction, given in the technical sections, we handle constant completeness error, negligible simulation error, and more rounds of interaction. Lastly, since we find the presentation more appealing, rather than presenting a public-key scheme, we construct a single-round key-agreement protocol.¹⁰ Any such protocol can be easily transformed into a public-key encryption scheme. Let L ∈ NP be a cryptographically hard language with an SZK argument-system with prover P, verifier V and simulator Sim. We assume that the argument-system has perfect completeness, no simulation error and soundness error s, for some s > 0. Let Y_L be a solved-instance generator for L producing samples of the form (x, w), where x ∈ L and w is a valid witness for x. The fact that L is cryptographically hard means that there exists a sampler N_L that generates NO instances for L that are computationally indistinguishable from the YES instances generated by Y_L.

Deterministic Prover. As a warmup, we assume first that the honest prover in the SZK argument-system is deterministic. As will be shown below, this case is significantly easier to handle than the general case, but it is a useful step toward our eventual protocol. We construct a key-agreement protocol between Alice and Bob as follows. First Alice generates a solved instance-witness pair (x, w) ← Y_L. Alice then sends x across to Bob. Bob runs the simulator Sim(x) to generate a transcript (a', b', r'), where a' corresponds to the verifier's message, b' corresponds to the prover's message and r' corresponds to the simulated random string for the verifier.¹¹ Bob sends the first message a' across to Alice. Bob then outputs the simulated second message b'. Alice uses the witness w to generate the prover's response b (i.e., the prover P's actual response given the message a' from the verifier) and outputs b. The protocol is also depicted in Fig. 3-2.

¹⁰ Loosely speaking, a key agreement protocol allows Alice and Bob to agree on a common key that is unpredictable to an external observer that has wiretapped their communication lines.
¹¹ Throughout this paper, we use the convention that primed symbols are for objects associated with a simulated (rather than real) execution of the protocol.

Alice                                   Bob
(x, w) ← Y_L
                    ---- x ---->
                                        (a', b', r') ← Sim(x)
                    <---- a' ----
Output b = P(x, w, a')                  Output b'

Figure 3-2: Key Agreement from Deterministic Provers

To argue that Fig. 3-2 constitutes a key-agreement protocol we need to show that Alice and Bob output the same value, and that no efficient eavesdropper Eve (who only sees their messages) can predict this output with good probability. That they agree on the same value follows from the fact that the prover is deterministic and the simulation is perfect. More specifically, since the simulation is perfect, the distribution of the simulated verifier's message a' is the same as that of the actual verifier's message; and now since the prover is deterministic, given (x, w, a'), the prover's response b, which is also Alice's output, is fixed. Since the simulation is perfect and x ∈ L, if the simulator outputs (a', b', r'), then b', which is Bob's output, is necessarily equal to b. Next, we show that any eavesdropper Eve who is able to guess Bob's output in the protocol can be used to break the cryptographic hardness of L. Suppose Eve is able to guess Bob's output in the protocol with probability p. This means that given only x and a', where (a', b', r') is produced by the simulator Sim(x), Eve is able to find the message b:

$\Pr_{(x,\cdot) \leftarrow Y_L,\ (a',b',r') \leftarrow \mathrm{Sim}(x)}\big[\, b' = b'' \text{ where } b'' \leftarrow \mathrm{Eve}(x, a') \,\big] = p.$

As the SZK argument has perfect completeness, and the simulation is also perfect, the transcripts produced by the simulator (on YES instances) are always accepted by the verifier. As Eve is able to produce the same prover messages as the simulator, her messages will also be accepted by the verifier. Namely,

$\Pr_{(x,\cdot) \leftarrow Y_L,\ (a',b',r') \leftarrow \mathrm{Sim}(x)}\big[\, V(x, a', b''; r') = 1 \text{ where } b'' \leftarrow \mathrm{Eve}(x, a') \,\big] \ge p.$

Again using the fact that the simulation is perfect, we can replace the simulated message a' and simulated coin tosses r' with a verifier message a and coins r generated by a real execution of the protocol:

$\Pr_{(x,\cdot) \leftarrow Y_L,\ a \leftarrow V(x; r)}\big[\, V(x, a, b''; r) = 1 \text{ where } b'' \leftarrow \mathrm{Eve}(x, a) \,\big] \ge p.$

Recall that N_L samples NO instances that are computationally indistinguishable from the YES instances generated by Y_L. If x had been a NO instance sampled using N_L, then the (computational) soundness of the SZK argument implies that the verifier would reject with probability 1 - s:

$\Pr_{x \leftarrow N_L,\ a \leftarrow V(x; r)}\big[\, V(x, a, b''; r) = 1 \text{ where } b'' \leftarrow \mathrm{Eve}(x, a) \,\big] \le s,$

where s is the soundness error. If p is larger than s by a non-negligible amount, then we have a distinguisher, contradicting the cryptographic hardness of L. So, no efficient eavesdropper can recover the agreed output value with probability noticeably more than s, the soundness error of the SZK argument. Notice that so far we have only guaranteed that the probability of success of the eavesdropper is s, which may be as large as a constant (rather than negligible).¹² Nevertheless, using standard amplification techniques (specifically those of Holenstein and Renner [HR05]) we can compile the latter to a full-fledged key-agreement protocol.
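The deterministic-prover protocol of Fig. 3-2 and the soundness argument above, as an added example that is not part of the thesis: it runs the protocol on a constructed toy DDH-style language using the lossy-encryption argument from the Instantiations discussion (the instance/witness structure, function names and tiny group parameters are this example's assumptions, not the thesis's).

```python
"""Added example (not the thesis's own code): the deterministic-prover key
agreement of Fig. 3-2, run on a constructed toy DDH-style language.

Language (constructed for this example): an instance is x = (g1, g2, h1, h2)
in a prime-order group. YES instances have h1 = g1^w and h2 = g2^w for a
witness w; NO instances use two different exponents. The laconic argument is
the lossy-encryption protocol from the text: the verifier sends an encryption
of a random bit b and the honest prover answers with b. The group is tiny and
insecure; it is chosen only so that the example runs instantly.
"""
import secrets

P = 2039            # safe prime, P = 2 * Q + 1
Q = 1019            # prime order of the subgroup we work in
G = pow(2, 2, P)    # a square, hence a generator of the order-Q subgroup

def nonzero_exp():
    return 1 + secrets.randbelow(Q - 1)

def yes_sampler():
    """Y_L: a solved instance (x, w) with h1 = g1^w and h2 = g2^w."""
    g1, g2 = G, pow(G, nonzero_exp(), P)
    w = nonzero_exp()
    return (g1, g2, pow(g1, w, P), pow(g2, w, P)), w

def no_sampler():
    """N_L: a NO instance, i.e. log_g1(h1) != log_g2(h2)."""
    g1, g2 = G, pow(G, nonzero_exp(), P)
    w1, w2 = nonzero_exp(), nonzero_exp()
    while w2 == w1:
        w2 = nonzero_exp()
    return (g1, g2, pow(g1, w1, P), pow(g2, w2, P))

def verifier_coins():
    """r = (b, r1, r2): the bit to encrypt and the encryption randomness."""
    return (secrets.randbelow(2), secrets.randbelow(Q), secrets.randbelow(Q))

def verifier_message(x, coins):
    """V(x; r): a = (u, e) with u = g1^r1 g2^r2 and e = h1^r1 h2^r2 g1^b.

    On a NO instance the pair (u, h1^r1 h2^r2) is uniform over G x G, so e is
    statistically independent of b: the "encryption" is lossy.
    """
    g1, g2, h1, h2 = x
    b, r1, r2 = coins
    u = pow(g1, r1, P) * pow(g2, r2, P) % P
    e = pow(h1, r1, P) * pow(h2, r2, P) * pow(g1, b, P) % P
    return (u, e)

def verifier_accepts(response, coins):
    """V(x, a, b''; r) = 1 iff the response equals the encrypted bit b."""
    return response == coins[0]

def prover(x, w, a):
    """P(x, w, a): deterministic. On a YES instance u^w = h1^r1 h2^r2."""
    u, e = a
    plain = e * pow(pow(u, w, P), P - 2, P) % P    # e / u^w = g1^b
    return 0 if plain == 1 else 1

def simulator(x):
    """Sim(x): the verifier's message needs no witness, so the simulator just
    runs the verifier; the simulated transcript (a', b', r') is perfect."""
    coins = verifier_coins()
    return verifier_message(x, coins), coins[0], coins

def key_agreement():
    """Fig. 3-2. Returns (Alice's output, Bob's output, Eve's view)."""
    x, w = yes_sampler()                 # Alice samples (x, w), sends x
    a_sim, b_sim, _ = simulator(x)       # Bob simulates, sends a', keeps b'
    b_alice = prover(x, w, a_sim)        # Alice answers a' with the witness
    return b_alice, b_sim, (x, a_sim)

def cheating_success(x, strategy, trials=2000):
    """Empirical acceptance rate of a witness-less prover strategy(x, a).

    On a NO instance no strategy beats the soundness error s = 1/2, because
    a carries no information about b; the two strategies below illustrate it.
    """
    wins = 0
    for _ in range(trials):
        coins = verifier_coins()
        wins += verifier_accepts(strategy(x, verifier_message(x, coins)), coins)
    return wins / trials

def always_zero(x, a):
    return 0

def guess_witness(x, a):
    """Run the honest prover with a random, hence wrong, exponent."""
    return prover(x, nonzero_exp(), a)
```

On YES instances Alice's and Bob's outputs always coincide; on NO instances both cheating strategies are accepted about half the time, which is the constant soundness error s that the Holenstein-Renner amplification step is then needed to drive down.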

Randomized Prover. So far we have handled deterministic provers. But what happens if the prover is randomized? Agreement is now in jeopardy as the prover's message b is no longer completely determined by the instance x and the verifier's message a. Specifically, after Alice receives the simulated verifier message a' from Bob, she still does not know the value of b' that Bob obtained from the simulator: if she ran P(x, w, a'), she could get one of several possible b's, any of which could be the correct b'. Roughly speaking, Alice only has access to the distribution from which b' was sampled (but not to the specific value that was sampled). Eve, however, has even less to work with than Alice; we can show, by an approach similar to (but more complex than) the one we used to show that no polynomial-time eavesdropper can guess b' in the deterministic prover case, that no polynomial-time algorithm can sample from any distribution that is close to the true distribution of b' for most x's and a's. We make use of this asymmetry between Alice and Eve in the knowledge of the distribution of b' (given x and a) to perform key agreement. We do so by going through an intermediate useful technical abstraction, which we call a Trapdoor Pseudoentropy Generator, that captures this asymmetry. We first construct such a generator, and then show how to use any such generator to do key agreement.

Trapdoor Pseudoentropy Generator. A distribution is said to possess pseudoentropy [HILL99] if it is computationally indistinguishable from another distribution that has higher entropy.¹³ We will later claim that in the protocol in Fig. 3-2 (when used with a randomized prover), the distribution of b' has some pseudoentropy for the eavesdropper who sees only x and a'. In contrast, Alice, who knows the witness w, can sample from the distribution that b was drawn from. This set of properties is what is captured by our notion of a trapdoor pseudoentropy generator. A trapdoor pseudoentropy generator consists of three algorithms. The key generation algorithm KeyGen outputs a public and secret key pair (pk, sk). The encoding algorithm Enc, given a public key pk, outputs a pair of strings (u, v), where we call u the public message and v the private message.¹⁴ The decoding algorithm Dec, given as input the corresponding secret key and the public message u, outputs a value v'. These algorithms are required to satisfy the following properties (simplified here for convenience):

• Correctness: The distributions of v and v' are identical, given pk, sk, and u.

• Pseudoentropy: The distribution of v has some pseudoentropy given pk and u.

Correctness here only means that the secret key can be used to sample from the distribution of the private message v corresponding to the given public message u. This captures the weaker notion of agreement observed in the protocol earlier when Alice had sampling access to the distribution of Bob's output. The pseudoentropy requirement says that without knowledge of the secret key, the private message v seems to have more entropy: it looks "more random" than it actually is. This is meant to capture the asymmetry of knowledge between Alice and Eve mentioned earlier.

¹² This error can be made negligible by parallel repetition [BIN97] (recall that parallel repetition preserves honest-verifier zero-knowledge). Doing so however makes the prover's messages longer. While this is not an issue when dealing with deterministic provers, it will prove to be problematic in the general case of a randomized prover.
¹³ By default, the measure of entropy employed is that of Shannon entropy. The Shannon entropy of a variable X given Y is defined as $H(X \mid Y) = \mathbb{E}_{y}\left[ -\sum_{x} \Pr[X = x \mid Y = y] \cdot \log \Pr[X = x \mid Y = y] \right]$.

Constructing a Trapdoor Pseudoentropy Generator. Our construction of a trapdoor pseudoentropy generator is described in Fig. 3-3. It is an adaptation of the earlier key exchange protocol for deterministic provers (from Fig. 3-2). The public key is an instance x in the language L and the corresponding secret key is a witness w for x; these are sampled using the solved-instance generator. To encode with public key x, the simulator from the SZK argument for L is run on x and the simulated verifier message a' is set to be the public message, while the simulated prover message b' is the private message. To decode given x, w and a', the actual prover is run with this instance, witness and verifier message, and the response it generates is output.

KeyGen:
  1. Sample (x, w) ← Y_L.
  2. Output (pk = x, sk = w).

Enc(pk = x):
  1. Sample (a', b', r') ← Sim(x).
  2. Output (u = a', v = b').

Dec(pk = x, sk = w, u = a'):
  1. Sample v' ← P(x, w, a').
  2. Output v'.

Figure 3-3: Trapdoor Pseudoentropy Generator

Now we argue that this is a valid pseudoentropy generator. Since we will need to be somewhat precise, for the rest of this section we introduce the jointly-distributed random variables X, A and B, where X represents the instance (sampled from Y_L), A represents the verifier's message (with respect to X), and B represents the prover's response (with respect to X and A). Note that since the simulation in the SZK argument is perfect, A and B represent the distributions of the messages output by the simulator as well. The correctness of our construction follows from the perfect zero knowledge of the underlying SZK argument: the private message v produced by Enc here is the simulated prover's message b', while the output of Dec is the actual prover's response b with the same instance and verifier's message. Both of these have the same distribution, which corresponds to that of B conditioned on X = x and A = a'. In order to satisfy the pseudoentropy condition, the variable B needs to have some pseudoentropy given X and A. What we know, as mentioned earlier, is that B is unpredictable given X and A, that is, no polynomial-time algorithm, given x and a', can sample from a distribution close to that of the corresponding prover's message b. Towards this end, we will use a result of Vadhan and Zheng [VZ12], who give a tight equivalence between unpredictability and pseudoentropy. Applied to our case, their results say what we want: that the variable B has additional pseudoentropy log(1/s) given X and A, where s is the soundness error from the SZK argument. More precisely, there exists a variable C such that:

$(X, A, B) \approx_c (X, A, C) \quad \text{and} \quad H(C \mid X, A) \ge H(B \mid X, A) + \log(1/s),$ (3.1)

where the above expressions refer to Shannon entropy. The result of Vadhan and Zheng applies only when the variable B has a polynomial-sized domain, which holds since the proof-system is laconic (this is the first out of several places in which we use the laconism of the proof-system). The above shows that the construction in Fig. 3-3 is indeed a trapdoor pseudoentropy generator. Finally, and this will be crucial ahead, note that the private message produced by Enc is short (i.e., the same length as the prover's message in the SZK argument we started with). In the case of an SZK protocol with r rounds, the above construction would be modified as follows. The encoder Enc samples a transcript from Sim(x), picks i ∈ [r] at random, sets the public message u to be all the messages in the transcript up to the verifier's message in the ith round, and the private message v to be the prover's message in the ith round of the transcript. The decoder Dec samples v' by running the prover on the partial transcript u to get the actual prover's response in the ith round.¹⁵ Zero knowledge ensures that v' and v are distributed identically, and unpredictability arguments similar to the ones above tell us that v' has pseudoentropy at least log(1/s)/r.

¹⁴ We refer to this procedure as an encoding algorithm because we think of the public message as an encoding of the private message.

From Laconic Trapdoor Pseudoentropy Generator to Key Agreement. Next, given a trapdoor pseudoentropy generator, such as the one in Fig. 3-3, we show how to construct a single-round key agreement protocol. We start with a pseudoentropy generator in which the public key is pk, the private key is sk, the public message is u, the private message is v, and the output of Dec is v'. The random variables corresponding to these are the same symbols in upper case. v andv' come from the distribution Vpk, (V conditioned on PK = pk and U = u), and V has additional pseudo-Shannon-entropy r given PK and U, where r/ can be thought of as a constant (r/ was log(1/s) in the foregoing construction). In the key agreement protocol, first Alice samples a key pair (pk, sk) for the pseudoen- tropy generator and sends the public key pk to Bob. Bob runs (u, v) +- Enc(pk), keeps the private message v and sends the public message u to Alice. We would like for Alice and Bob to agree on the string v. In order for this to be possible, Bob needs to send more information to Alice so as to specify the specific v that was sampled from Vpk,u. A natural

^15 For simplicity, assume that the prover is stateless so it can be run on a partial transcript. In the actual proof we handle stateful provers as well.

idea is for Bob to send, along with the message u, a hash h(v) of v, where h is sampled from a pairwise independent hash function family $\mathcal{H}$. Alice, on receiving the hash function h and the hash value h(v), uses rejection sampling to find v. She can sample freely from the distribution $V_{pk,u}$ by running Dec(sk, u), because she knows the secret key sk of the pseudoentropy generator and the public message u. She keeps drawing samples v' from $V_{pk,u}$ until she finds one that hashes to h(v). Note that this brute-force search is only feasible if the number of strings in the support of V is small, which is the case if the number of bits in v is small; considering the big picture, this is one of the reasons we want the prover from the SZK argument to be laconic. The main question now is how to set the length of the hash function. On the one hand, a long hash helps agreement, as more information is revealed to Alice about v. On the other hand, security demands a short hash that does not leak "too much" information about v. For agreement, roughly speaking, if the hash length were more than the max-entropy^16 of V given PK and U, which we denote by $H_{\max}(V \mid PK, U)$, then the set of possible prover responses is being hashed to a set of comparable size, so with good probability the hash value h(v) has a unique pre-image, which Alice can identify. For security we would like to argue, using the Leftover Hash Lemma, that to any eavesdropper h(v) looks uniformly random given (pk, u, h). This would be true if the hash length were less than the min-entropy^17 of V given PK and U, which we denote by $H_{\min}(V \mid PK, U)$. Unfortunately, both of the above conditions cannot hold simultaneously, because the min-entropy is upper-bounded by the max-entropy. The crucial observation at this point is that Eve is computationally bounded. Hence, a computational analogue of high min-entropy, which we will call pseudo-min-entropy, suffices for security.
Concretely, consider a random variable C such that (PK, U, C) is computationally indistinguishable from (PK, U, V). Furthermore, suppose that the min-entropy of C given PK and U is considerably larger than the hash length. We can then use the Leftover Hash Lemma to argue that h(V) looks uniform to efficient eavesdroppers:

$$(PK, U, h, h(V)) \approx_c (PK, U, h, h(C)) \approx_s (PK, U, h, R),$$
where R is the uniform distribution over the range of h. The benefit of this observation is that, since C is only required to be computationally close and not statistically close to V, the min-entropy of C given PK and U could be much larger than that of V given PK and U. And if we can find a C such that $H_{\min}(C \mid PK, U)$ is sufficiently larger than $H_{\max}(V \mid PK, U)$, then we will indeed be able to choose a hash length that is both large enough for agreement and small enough for security. Also notice that for agreement to work, it is not necessary for the hash length to be larger than the max-entropy of V (given PK and U) itself: if there were another variable D such that (PK, U, D) is statistically close to (PK, U, V), and Alice were somehow able to sample from D given PK = pk and U = u, then it would suffice for the hash to be longer than $H_{\max}(D \mid PK, U)$. Given such a variable, Bob operates as he did earlier, but Alice can assume that he is actually sampling from $D_{pk,u}$ instead of $V_{pk,u}$, and

^16 The max-entropy corresponds to the logarithm of the support size. The conditional max-entropy of a random variable X given Y is defined as $H_{\max}(X \mid Y) = \max_y \log(|\mathrm{Supp}(X \mid Y = y)|)$.
^17 The min-entropy of a variable X given Y is defined as $H_{\min}(X \mid Y) = -\log(\max_{x,y} \Pr[X = x \mid Y = y])$.

since these two distributions are close most of the time, the probability of Alice's subsequent computation going wrong is small. This helps us because we might be able to find such a D that has lower max-entropy given PK and U than V does, and then $H_{\min}(C \mid PK, U)$ would only have to be larger than this. Following these observations, we set ourselves the following objective: find variables C and D such that:

$$(PK, U, D) \approx_s (PK, U, V) \approx_c (PK, U, C) \quad\text{and}\quad H_{\max}(D \mid PK, U) < H_{\min}(C \mid PK, U). \qquad (3.2)$$

What we do know about V is that it has some pseudo-Shannon-entropy given PK and U. That is, there is a variable C such that:

$$(PK, U, V) \approx_c (PK, U, C) \quad\text{and}\quad H(C \mid PK, U) \ge H(V \mid PK, U) + \eta. \qquad (3.3)$$

The rest of our construction deals with using this pseudo-Shannon-entropy to achieve the objectives above. We do this using a technique from information theory dating back to Shannon [Sha48], which is often referred to in the cryptography literature as flattening of distributions and which we describe next. We note that this technique has found use in cryptography before [HILL99, GV99, SV03].

Flattening and Typical Sets. The central idea here is that if we start with a distribution that has Shannon entropy $\zeta$ and repeat it k times, then the new distribution is close to being uniform on a set whose size is roughly $2^{k\zeta}$. This set is called the typical set; it consists of all elements whose probability is close to $2^{-k\zeta}$. In our case, consider the distribution $(PK^k, U^k, V^k)$, which is the k-fold product repetition of (PK, U, V). Roughly speaking, we define the typical set of $V^k$ conditioned on any $(\mathbf{pk}, \mathbf{u})$ in the support^18 of $(PK^k, U^k)$ as follows^19:

$$T_{V^k \mid \mathbf{pk}, \mathbf{u}} = \left\{ \mathbf{v} : \Pr\!\left[V^k = \mathbf{v} \,\middle|\, (PK^k, U^k) = (\mathbf{pk}, \mathbf{u})\right] \approx 2^{-k \cdot H(V \mid PK, U)} \right\}.$$

Considering the typical set is useful for several reasons. On the one hand, the typical set is quite small (roughly $2^{k \cdot H(V \mid PK, U)}$ in size), which means that any distribution supported within it has somewhat low max-entropy. On the other hand, there is an upper bound on the probability of any element that occurs in it, which is useful for lower-bounding min-entropy, which is what we want to do. The most important property of the typical set is that it contains most of the probability mass of the conditional repeated distribution. That is, for most $(\mathbf{pk}, \mathbf{u}, \mathbf{v})$ sampled from $(PK^k, U^k, V^k)$, it holds that $\mathbf{v}$ lies in the typical set conditioned on $(\mathbf{pk}, \mathbf{u})$; quantitatively, Holenstein and Renner [HR11] show the following:

$$\Pr_{(\mathbf{pk}, \mathbf{u}, \mathbf{v}) \leftarrow (PK^k, U^k, V^k)}\left[\mathbf{v} \notin T_{V^k \mid \mathbf{pk}, \mathbf{u}}\right] \le 2^{-\Omega(k/q^2)}, \qquad (3.4)$$

^18 The support of $(PK^k, U^k)$ consists of vectors with k elements. We represent vectors by bold symbols, e.g., $\mathbf{v}$.
^19 The actual definition quantifies how different from $2^{-k \cdot H}$ the probability is allowed to be.

where q is the number of bits in each sample from V. Recall that in our earlier construction of the trapdoor pseudoentropy generator, this corresponds to the length of the prover's message in the SZK argument we started with. We want the above quantity to be quite small, which requires that $k \gg q^2$. This is one of the considerations in our ultimate choice of parameters, and is another reason we want the prover's messages to not be too long.

Back to PKE Construction. We shall use the above facts to now show that Vk has pseudo-min-entropy given PKk and Uk. Let C be the random variable from the expression (3.3) above that we used to show that V has pseudo-Shannon-entropy. After repetition, we have that:

$$(PK^k, U^k, V^k) \approx_c (PK^k, U^k, C^k) \quad\text{and}\quad H(C^k \mid PK^k, U^k) = k \cdot H(C \mid PK, U) \ge k \cdot \left(H(V \mid PK, U) + \eta\right).$$

Next, consider the variable C' obtained by restricting, for each $\mathbf{pk}$ and $\mathbf{u}$, the variable $C^k$ to its typical set conditioned on $(\mathbf{pk}, \mathbf{u})$. By applying the bound of Holenstein and Renner (3.4) with an appropriate choice of k, we infer that:

$$(PK^k, U^k, C^k) \approx_s (PK^k, U^k, C').$$

Further, the upper bound on the probabilities of elements in the typical set tells us that C' has high min-entropy^20 given $PK^k$ and $U^k$:

$$H_{\min}(C' \mid PK^k, U^k) \approx H(C^k \mid PK^k, U^k) \ge k \cdot \left(H(V \mid PK, U) + \eta\right).$$

Putting the above few expressions together tells us that Vk has some pseudo-min-entropy given PKk and Uk, which is in fact somewhat more than its Shannon entropy:

$$(PK^k, U^k, V^k) \approx_c (PK^k, U^k, C') \quad\text{and}\quad H_{\min}(C' \mid PK^k, U^k) \ge H(V^k \mid PK^k, U^k) + k \cdot \eta. \qquad (3.5)$$
This satisfies our objective of getting a variable ($V^k$ here) that has high pseudo-min-entropy (given $PK^k$ and $U^k$). Our goal is now to find another variable that is statistically close to $V^k$ given $PK^k$ and $U^k$, and also has small max-entropy given $PK^k$ and $U^k$. We do this using the same approach as above. Consider the variable V' that is constructed from $V^k$ in the same way C' was from $C^k$: for each $(\mathbf{pk}, \mathbf{u})$, restrict $V^k$ to its typical set conditioned on $(\mathbf{pk}, \mathbf{u})$. Again, bound (3.4) tells us that the new distribution is close to the old one. And also, because of the upper bound on the size of the typical set, we have an upper bound on the max-entropy^21 of V' given $PK^k$ and $U^k$:

$$(PK^k, U^k, V^k) \approx_s (PK^k, U^k, V') \quad\text{and}\quad H_{\max}(V' \mid PK^k, U^k) \lesssim k \cdot H(V \mid PK, U) = H(V^k \mid PK^k, U^k). \qquad (3.6)$$

Putting together expressions (3.5) and (3.6), we find that the relationship we want between these entropies of C' and V' is indeed satisfied:

$$H_{\min}(C' \mid PK^k, U^k) \ge H_{\max}(V' \mid PK^k, U^k) + k \cdot \eta.$$

^20 $H_{\min}(C' \mid PK^k, U^k)$ could actually be slightly less than the approximate lower bound presented here because there is some slack allowed in the definition of the typical set: it can contain elements whose probabilities are slightly larger than $2^{-k \cdot H(C \mid PK, U)}$. We need to pick this slack carefully. If it is too large, C' loses its min-entropy, and if it is too small the typical set also becomes too small and the bound in (3.4), which actually depends on this slack, becomes meaningless. This is another constraint on our choice of parameters.
^21 The same caveats as in Footnote 20 regarding the min-entropy of C' apply here as well.

Figure 3-4: Key Agreement from Trapdoor Pseudoentropy Generator

Alice: samples $\{(pk_i, sk_i) \leftarrow \mathrm{KeyGen}\}_{i \in [k]}$ and sends $\mathbf{pk} = (pk_1, \ldots, pk_k)$ to Bob.
Bob: samples $\{(u_i, v_i) \leftarrow \mathrm{Enc}(pk_i)\}_{i \in [k]}$ and $h \leftarrow \mathcal{H}$, and sends $(\mathbf{u}, h, h(\mathbf{v}))$ to Alice, where $\mathbf{u} = (u_1, \ldots, u_k)$ and $\mathbf{v} = (v_1, \ldots, v_k)$.
Alice: uses the samplers $\{\mathrm{Dec}(pk_i, sk_i, u_i)\}_{i \in [k]}$ to sample from the distribution of $V^k$ conditioned on $(\mathbf{pk}, \mathbf{u})$, and finds $\mathbf{v}'$ such that (1) $\mathbf{v}'$ is in the typical set of this distribution and (2) $h(\mathbf{v}') = h(\mathbf{v})$.
Output: Alice outputs $\mathbf{v}'$; Bob outputs $\mathbf{v}$.

To summarize, we manage to meet the conditions of expression (3.2) with respect to $(PK^k, U^k, V^k)$ (instead of (PK, U, V)), with C' taking the role of C and V' taking the role of D. We can now finally fix the length of our hash, call it $\ell$, to be between $H_{\max}(V' \mid PK^k, U^k)$ and $H_{\min}(C' \mid PK^k, U^k)$, which can be done by setting it to a value between $H(V^k \mid PK^k, U^k)$ and $H(V^k \mid PK^k, U^k) + k \cdot \eta$ for an appropriate k, and emulate the earlier protocol. We will be able to use the Leftover Hash Lemma as desired to argue security, and use the low max-entropy of V' to argue agreement. The final key agreement protocol from a trapdoor pseudoentropy generator is presented in Fig. 3-4.
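As an added illustration (this code is not from the thesis), the following Python script works through the information-theoretic side of the construction above on a constructed toy distribution. It counts the typical set of $V^k$ exactly for a dyadic toy V, so that $\log|T|$ and the probability mass outside T can be compared with $k \cdot H(V)$ and with the concentration claimed in (3.4); it implements a universal hash family (a random GF(2) Toeplitz matrix, one standard instantiation whose seed length is within the bound of Fact 3.2.4) and checks the collision bound of Definition 3.2.3 exhaustively for a small family; and it runs Bob's and Alice's steps from Fig. 3-4 with the hash length set just above $\log|T|$, Alice doing the exhaustive search over $\{0,1\}^{qk}$ that the text describes. What the toy cannot model is the pseudo-min-entropy of C': there is no hard language here, so the security side (the Leftover Hash Lemma argument) is not demonstrated, and the parameters are far from the $k \gg q^2$ regime the proof needs, so Bob's sample sometimes falls outside the typical set and agreement fails. PMF_V, Q_BITS and the parameter defaults are my choices, not values from the thesis.

```python
import math
import random
from collections import Counter

# Constructed toy distribution for the private message V (q = 3 bits), standing in for V_{pk,u}.
# Its probabilities are dyadic, so -log2 Pr[V = v] is an integer and the typical set of V^k
# can be counted exactly by dynamic programming instead of enumerating 8^k tuples.
Q_BITS = 3
PMF_V = [2.0 ** -1, 2.0 ** -2, 2.0 ** -3, 2.0 ** -4, 2.0 ** -5, 2.0 ** -6, 2.0 ** -7, 2.0 ** -7]


def shannon_entropy(pmf):
    return sum(p * math.log2(1.0 / p) for p in pmf if p > 0)


def min_entropy(pmf):
    return -math.log2(max(pmf))


def max_entropy(pmf):
    return math.log2(sum(1 for p in pmf if p > 0))


def typical_set_profile(pmf, k, delta):
    """Exact size and probability mass of the typical set of V^k: all k-tuples v with
    |(-log2 Pr[V^k = v]) / k - H(V)| <= delta.  dp[s] counts tuples of total surprisal s."""
    levels = Counter()
    for p in pmf:
        s = -math.log2(p)
        assert s == int(s), "toy pmf must be dyadic"
        levels[int(s)] += 1
    dp = {0: 1}
    for _ in range(k):
        nxt = Counter()
        for s, cnt in dp.items():
            for lvl, mult in levels.items():
                nxt[s + lvl] += cnt * mult
        dp = nxt
    h = shannon_entropy(pmf)
    typical = {s: cnt for s, cnt in dp.items() if abs(s / k - h) <= delta}
    size = sum(typical.values())
    return {
        "size": size,
        "log_size": math.log2(size) if size else float("-inf"),  # plays the role of Hmax(V')
        "mass": sum(cnt * 2.0 ** -s for s, cnt in typical.items()),
        "min_surprisal": min(typical) if typical else None,      # min-entropy of V^k within T
    }


class ToeplitzHash:
    """Universal family h_t: {0,1}^n -> {0,1}^m with h_t(x) = T_t x over GF(2), where T_t is the
    m x n Toeplitz matrix T[i][j] = t[i - j + n - 1] and the seed t has n + m - 1 bits."""

    def __init__(self, n, m, seed_bits):
        assert len(seed_bits) == n + m - 1
        self.n, self.m = n, m
        self.rows = [sum(1 << j for j in range(n) if seed_bits[i - j + n - 1]) for i in range(m)]

    @classmethod
    def sample(cls, n, m, rng):
        return cls(n, m, [rng.randrange(2) for _ in range(n + m - 1)])

    def __call__(self, x):
        # bit i of the output is the GF(2) inner product of row i with x
        return sum(1 << i for i, row in enumerate(self.rows) if bin(row & x).count("1") & 1)


def collision_count(n, m, x1, x2):
    """Number of seeds t with h_t(x1) = h_t(x2); universality requires at most 2^(n+m-1)/2^m."""
    total = 0
    for t in range(1 << (n + m - 1)):
        h = ToeplitzHash(n, m, [(t >> i) & 1 for i in range(n + m - 1)])
        total += h(x1) == h(x2)
    return total


def pack(symbols):
    return sum(s << (Q_BITS * i) for i, s in enumerate(symbols))


def surprisal(pmf, k, packed):
    mask = (1 << Q_BITS) - 1
    return sum(-math.log2(pmf[(packed >> (Q_BITS * i)) & mask]) for i in range(k))


def run_agreement(k=5, delta=0.6, extra_bits=1, seed=1):
    """One run of the Fig. 3-4 steps over the toy V^k.  Bob samples v <- V^k (standing in for
    Enc) and sends (h, h(v)); Alice, who in the real protocol samples V^k via Dec(sk, u), here
    searches all of {0,1}^{qk} for typical v' with h(v') = h(v).  The hash length is
    ell = ceil(k (H(V) + delta)) + extra_bits, i.e. just above log|T| as in the text."""
    rng = random.Random(seed)
    n, h_v = Q_BITS * k, shannon_entropy(PMF_V)
    ell = math.ceil(k * (h_v + delta)) + extra_bits
    h = ToeplitzHash.sample(n, ell, rng)
    v_bob = pack(rng.choices(range(len(PMF_V)), weights=PMF_V, k=k))
    tag = h(v_bob)
    is_typical = lambda v: abs(surprisal(PMF_V, k, v) / k - h_v) <= delta
    candidates = [v for v in range(1 << n) if is_typical(v) and h(v) == tag]
    return {"hash_len": ell, "bob": v_bob, "bob_typical": is_typical(v_bob),
            "candidates": candidates, "agreed": candidates == [v_bob]}


def agreement_rate(trials=10, **kw):
    return sum(run_agreement(seed=s, **kw)["agreed"] for s in range(trials)) / trials


if __name__ == "__main__":
    h_v = shannon_entropy(PMF_V)
    print(f"H(V)={h_v:.4f}  Hmin(V)={min_entropy(PMF_V):.1f}  Hmax(V)={max_entropy(PMF_V):.1f}")
    for k in (2, 10, 100):
        prof = typical_set_profile(PMF_V, k, 0.5)
        print(f"k={k:3d}: log|T|/k={prof['log_size'] / k:.3f}  mass in T={prof['mass']:.4f}")
    print("agreement rate (k=5, q=3):", agreement_rate())
```

The printed table shows the flattening effect: $\log|T|/k$ approaches H(V) and the mass outside T shrinks as k grows, while for the tiny k that keeps Alice's search feasible the mass outside T is still noticeable, which is exactly the tension the "How Laconic?" paragraph below resolves by requiring $q^3 = O(\log n)$.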

How Laconic? To examine how long the prover's message can be, let us recall the restrictions of our construction. First, we need both parties to be efficient. While Bob is clearly efficient, Alice performs an exhaustive search over the domain of possible prover messages. The size of this domain is $2^{q \cdot k}$, because the parties repeat the underlying protocol k times and each prover message is q bits long. For Alice to be efficient, this domain has to be polynomial-sized, requiring that $q \cdot k = O(\log n)$, where n is the input length. Second, we need the concentration bound for the typical set (Eq. (3.4)) to be meaningful; that is, we need $k/q^2$ to be at least a constant. Together, these imply that $q^3$ needs to be $O(\log n)$. Lastly, this setting of parameters also suffices for the [VZ12] result that we used in Eq. (3.1).

3.1.4 Organization

In Section 3.2 we describe notions from cryptography and information theory that we need. In Section 3.3 we formally describe and state our assumption and our main theorem. In Section 3.4 we define and construct a trapdoor pseudoentropy generator. In Section 3.5 we use the latter to construct a public-key encryption scheme. In Section 3.6 we describe various extensions: that certain relaxations of our assumption also yield public-key encryption, that a mild strengthening of our assumption yields a single-round oblivious transfer protocol, and that many concrete assumptions used to construct public-key encryption in the past also imply our assumption.

3.2 Preliminaries

In this section we recall notions from cryptography and information theory that will be used throughout this work.

Notation and Conventions. We use lowercase letters for values, uppercase for random variables, uppercase calligraphic letters (e.g., $\mathcal{U}$) to denote sets, boldface for vectors (e.g., $\mathbf{x}$), and uppercase sans-serif (e.g., A) for algorithms (i.e., Turing Machines). All logarithms considered here are in base two. Given a probabilistic polynomial-time algorithm A, we let A(x; r) be an execution of A on input x given randomness r. We let poly denote the set of all polynomials. A function $\nu: \mathbb{N} \to [0, 1]$ is negligible, denoted $\nu(n) = \mathrm{negl}(n)$, if $\nu(n) < 1/p(n)$ for every $p \in \mathrm{poly}$ and large enough n. Given a random variable X, we write $x \leftarrow X$ to indicate that x is selected according to X. Similarly, given a finite set S, we let $s \leftarrow S$ denote that s is selected according to the uniform distribution on S. We adopt the convention that when the same random variable occurs several times in an expression, all occurrences refer to a single sample. For example, $\Pr[f(X) = X]$ is defined to be the probability that when $x \leftarrow X$, we have f(x) = x. We write $U_n$ to denote the random variable distributed uniformly over $\{0, 1\}^n$. The support of a distribution D over a finite set $\mathcal{U}$, denoted Supp(D), is defined as $\{u \in \mathcal{U} : D(u) > 0\}$. The statistical distance of two distributions P and Q over a finite set $\mathcal{U}$, denoted SD(P, Q), is defined as $\max_{S \subseteq \mathcal{U}} |P(S) - Q(S)| = \frac{1}{2} \sum_{u \in \mathcal{U}} |P(u) - Q(u)|$. The data-processing inequality for statistical distance states that for any randomized procedure F, it holds that $SD(F(P), F(Q)) \le SD(P, Q)$. The k-fold product repetition of a random variable X is the random variable $X^k$ such that for every $\mathbf{x} = (x_1, \ldots, x_k)$, it holds that $\Pr[X^k = \mathbf{x}] = \prod_{i=1}^{k} \Pr[X = x_i]$. For the sake of notational convenience, for jointly distributed random variables $(X_1, \ldots, X_\ell)$, we use $(X_1^k, \ldots, X_\ell^k)$ to denote the k-fold product repetition of $(X_1, \ldots, X_\ell)$.

3.2.1 Public Key Encryption

In this section, we recall the definition of semantic security [GM84] for public-key encryption (PKE). We restrict our attention to bit-encryption schemes (i.e., schemes in which only single-bit messages are encrypted) and note that the latter implies full-fledged public-key encryption (c.f., [Gol09]). Our definition includes parameters $\alpha$ and $\beta$ which quantify, respectively, the correctness and the security of the scheme.

Definition 3.2.1 (Public Key Encryption). An $\alpha$-correct $\beta$-secure public key encryption scheme is a tuple of probabilistic polynomial-time algorithms (Gen, Enc, Dec) where $\mathrm{Gen}(1^\kappa)$ outputs a pair of keys (pk, sk), the encryption algorithm $\mathrm{Enc}(1^\kappa, pk, \sigma)$ outputs a ciphertext ct (given the message $\sigma \in \{0, 1\}$ and the public key pk) and the decryption algorithm $\mathrm{Dec}(1^\kappa, sk, ct)$ returns a decrypted message (given the secret key sk and the ciphertext ct). The scheme satisfies the following properties:

• Correctness: For all sufficiently large $\kappa \in \mathbb{N}$:

$$\Pr\left[\mathrm{Dec}(1^\kappa, sk, \mathrm{Enc}(1^\kappa, pk, \sigma)) = \sigma\right] \ge \frac{1 + \alpha(\kappa)}{2},$$

where the probability is over $\sigma \leftarrow \{0, 1\}$, $(pk, sk) \leftarrow \mathrm{Gen}(1^\kappa)$ and the randomness of Enc and Dec.

• Semantic Security: For every probabilistic polynomial-time adversary A and sufficiently large $\kappa \in \mathbb{N}$, it holds that

$$\Pr\left[A(1^\kappa, pk, \mathrm{Enc}(1^\kappa, pk, \sigma)) = \sigma\right] \le \frac{1 + \beta(\kappa)}{2},$$

where the above probability is over $\sigma \leftarrow \{0, 1\}$, $(pk, sk) \leftarrow \mathrm{Gen}(1^\kappa)$ and the randomness of Enc and A.

If a scheme is $\alpha$-correct $\beta$-secure for some constants $\alpha > \beta > 0$, then we say the scheme is a weak public-key encryption scheme. If such a scheme is $(1 - 1/\kappa^c)$-correct $(1/\kappa^c)$-secure for every c > 0, we say that it is a semantically secure public-key encryption scheme.

For some parameters of $\alpha$ and $\beta$, weak public-key encryption schemes can be amplified to semantically secure public-key encryption schemes.

Theorem 3.2.2 ([HR05, Theorem 6]). Let $\alpha$ and $\beta$ be constants such that $\alpha^2 > \beta$. If there exists an $\alpha$-correct $\beta$-secure public-key encryption scheme, then there exists a semantically secure public-key encryption scheme.

3.2.2 Universal Hashing

Universal hash functions are used extensively in complexity theory and cryptography.

Definition 3.2.3 (Universal Hash Function). A family of functions $\mathcal{H} = \{h : [N] \to [M]\}$ is universal if for every distinct $x_1, x_2 \in [N]$, it holds that

$$\Pr_{h \leftarrow \mathcal{H}}\left[h(x_1) = h(x_2)\right] \le \frac{1}{M}.$$

Fact 3.2.4 (c.f. [Vad12, Theorem 3.26]). For every $n, m \in \mathbb{N}$, there exists a family of universal hash functions $\mathcal{H}_{n,m} = \{h : \{0, 1\}^n \to \{0, 1\}^m\}$ where a random function from $\mathcal{H}_{n,m}$ can be selected using $\max(m, n) + m$ bits, and given a description of $h \in \mathcal{H}_{n,m}$ and $x \in \{0, 1\}^n$, the value h(x) can be evaluated in time poly(n, m).

3.2.3 Entropy and Divergence

Concepts from information theory, including various notions of entropy, play a pivotal role in this paper.

Definition 3.2.5 (Shannon, Conditional, and Min Entropies). Let X be a random variable taking values in a discrete alphabet $\mathcal{X}$. The entropy of X is defined as

$$H(X) = \sum_{x \in \mathrm{Supp}(X)} \Pr[X = x] \cdot \log\frac{1}{\Pr[X = x]} = \mathop{\mathbb{E}}_{x \leftarrow X}\left[\log\frac{1}{\Pr[X = x]}\right].$$

Let Y be a random variable taking values in a discrete alphabet $\mathcal{Y}$, which is jointly distributed with X. The conditional entropy of X given Y is defined as

$$H(X \mid Y) = \mathop{\mathbb{E}}_{y \leftarrow Y}\left[H(X \mid Y = y)\right] = \mathop{\mathbb{E}}_{(x, y) \leftarrow (X, Y)}\left[\log\frac{1}{\Pr[X = x \mid Y = y]}\right].$$

Finally, the min-entropy of X is defined as

$$H_\infty(X) = \min_{x \in \mathcal{X}} \log\frac{1}{\Pr[X = x]}.$$

We recall some basic facts about entropy.

Fact 3.2.6 (Chain Rule for Entropy). For any jointly distributed random variables X and Y it holds that $H(X, Y) = H(X) + H(Y \mid X)$.

Fact 3.2.7 (Conditioning does not Increase Entropy). For any jointly distributed random variables X and Y it holds that $H(X \mid Y) \le H(X)$.

Fact 3.2.8 ([Vad99, Fact 3.3.9]). For any two random variables X and Y, taking values in $\mathcal{U}$, it holds that

$$|H(X) - H(Y)| \le \log(|\mathcal{U}|) \cdot \gamma + h(\gamma),$$

where $\gamma = SD(X, Y)$ and $h(p) = p \cdot \log(1/p) + (1 - p) \cdot \log(1/(1 - p))$ is the binary entropy function.

Fact 3.2.9. For any three jointly distributed random variables X, Y and Z, such that X and Y take values in $\mathcal{U}$, it holds that

$$|H(X \mid Z) - H(Y \mid Z)| \le \log(|\mathcal{U}|) \cdot \gamma + h(\gamma),$$

where $\gamma = SD((X, Z), (Y, Z))$.

Proof. Let $\gamma_z = SD((X \mid Z = z), (Y \mid Z = z))$. It holds that

$$H(X \mid Z) - H(Y \mid Z) = \mathop{\mathbb{E}}_{z \leftarrow Z}\left[H(X \mid Z = z) - H(Y \mid Z = z)\right] \le \mathop{\mathbb{E}}_{z \leftarrow Z}\left[\log(|\mathcal{U}|) \cdot \gamma_z + h(\gamma_z)\right] = \log(|\mathcal{U}|) \cdot \mathop{\mathbb{E}}_{z \leftarrow Z}[\gamma_z] + \mathop{\mathbb{E}}_{z \leftarrow Z}[h(\gamma_z)]$$

$$\le \log(|\mathcal{U}|) \cdot \mathop{\mathbb{E}}_{z \leftarrow Z}[\gamma_z] + h\!\left(\mathop{\mathbb{E}}_{z \leftarrow Z}[\gamma_z]\right) = \log(|\mathcal{U}|) \cdot \gamma + h(\gamma),$$

where the first inequality follows from Fact 3.2.8, the second inequality follows from Jensen's inequality on the concave function h(·) (i.e., the binary entropy function), and the last equality follows from the fact that $\mathbb{E}_{z \leftarrow Z}[\gamma_z] = \gamma$. We can bound $H(Y \mid Z) - H(X \mid Z)$ similarly and Fact 3.2.9 follows. □

We use Divergence to measure "distance" between distributions (or random variables).

Definition 3.2.10 (Divergence (aka Kullback-Leibler divergence, aka relative entropy)). Let X and Y be random variables taking values in a discrete alphabet $\mathcal{X}$. The divergence from X to Y is defined as

$$KL(X \,\|\, Y) = \sum_{x \in \mathcal{X}} \Pr[X = x] \cdot \log\frac{\Pr[X = x]}{\Pr[Y = x]},$$

or $\infty$ if $\Pr[X = x] > 0 = \Pr[Y = x]$ for some $x \in \mathcal{X}$, with the convention that $0 \cdot \log 0 = 0$. For $p, q \in [0, 1]$, the binary divergence from p to q is defined as $KL(p \,\|\, q) = KL(X \,\|\, Y)$, for $X \sim \mathrm{Bernoulli}(p)$ and $Y \sim \mathrm{Bernoulli}(q)$.

The following facts are well-known:

Fact 3.2.11 (Chain Rule for Divergence, see [PW16, Theorem 2.2(4)]). It holds that

$$KL(X_1, X_2, \ldots, X_k \,\|\, Y_1, Y_2, \ldots, Y_k) = \sum_{i=1}^{k} \mathop{\mathbb{E}}_{x^{i-1} \leftarrow X^{i-1}}\left[KL\!\left(X_i \mid_{X^{i-1} = x^{i-1}} \,\|\, Y_i \mid_{Y^{i-1} = x^{i-1}}\right)\right] = \sum_{i=1}^{k} \mathop{\mathbb{E}}\left[KL\!\left(X_i \mid X^{i-1} \,\|\, Y_i \mid X^{i-1}\right)\right],$$

where $X^i = (X_1, \ldots, X_i)$ and $Y^i = (Y_1, \ldots, Y_i)$, and the last expression is shorthand for the middle one.

Fact 3.2.12 (Data-Processing for Divergence, see [PW16, Theorem 2.2(6)]). For any (possibly randomized) process P, it holds that

$$KL(P(X) \,\|\, P(Y)) \le KL(X \,\|\, Y).$$

The following two facts relate to the binary divergence function as defined above. Using the fact that the mapping $(p, q) \mapsto KL(p \,\|\, q)$ is convex (see [PW16, Theorem 4.1]) and its minimum is attained on the line p = q, it follows that:

Fact 3.2.13. For every $1 \ge p \ge p' \ge q' \ge q \ge 0$, it holds that

$$KL(p' \,\|\, q') \le KL(p \,\|\, q),$$

and equality holds iff p = p' and q = q'.

Finally, we note that slightly increasing the second argument of the binary divergence function does not change its value by much.

Fact 3.2.14. For every $p, q \in (0, 1)$ and $\gamma \in [0, 1 - q)$, it holds that

$$KL(p \,\|\, q) - KL(p \,\|\, q + \gamma) \le \frac{2p \cdot \gamma}{q}.$$

Proof. Straightforward calculations show that

$$KL(p \,\|\, q) - KL(p \,\|\, q + \gamma) = p \cdot \log\frac{p}{q} + (1 - p) \cdot \log\frac{1 - p}{1 - q} - p \cdot \log\frac{p}{q + \gamma} - (1 - p) \cdot \log\frac{1 - p}{1 - (q + \gamma)}$$

$$= p \cdot \log\frac{q + \gamma}{q} + (1 - p) \cdot \log\frac{1 - q - \gamma}{1 - q} \le p \cdot \log\!\left(1 + \frac{\gamma}{q}\right) \le \frac{2p \cdot \gamma}{q},$$

where the first inequality follows by removing the negative term and the second since $\log(1 + x) \le 2x$ for any x > 0. □
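As an added example, not taken from the thesis, the following Python code implements the quantities of Definitions 3.2.5 and 3.2.10 and checks Facts 3.2.6 through 3.2.9 and 3.2.11 through 3.2.14 numerically. JOINT_XY is a constructed joint distribution of my choosing, with dyadic probabilities so that the Shannon entropies come out exact; the chain rule for divergence is written out for k = 2, which is the case the general statement reduces to when the remaining coordinates are grouped together.

```python
import math
from collections import defaultdict

# Constructed joint distribution of (X, Y) over {0,1} x {0,1,2}, used to check the facts
# numerically; every probability is dyadic so the Shannon entropies come out exact.
JOINT_XY = {(0, 0): 0.25, (0, 1): 0.125, (0, 2): 0.125,
            (1, 0): 0.125, (1, 1): 0.25, (1, 2): 0.125}


def entropy(pmf):
    """Shannon entropy H(X) = sum_x Pr[X=x] log(1/Pr[X=x]) in bits (Definition 3.2.5)."""
    return sum(p * math.log2(1.0 / p) for p in pmf.values() if p > 0)


def min_entropy(pmf):
    return -math.log2(max(pmf.values()))


def marginal(joint, coord):
    out = defaultdict(float)
    for key, p in joint.items():
        out[key[coord]] += p
    return dict(out)


def conditional(joint, given_coord, value):
    """Distribution of the other coordinate given key[given_coord] == value."""
    other = 1 - given_coord
    rows = {key[other]: p for key, p in joint.items() if key[given_coord] == value}
    total = sum(rows.values())
    return {k: p / total for k, p in rows.items()}


def conditional_entropy(joint, given_coord):
    """H(Other | Given) = E_{g <- Given}[H(Other | Given = g)], computed directly."""
    marg = marginal(joint, given_coord)
    return sum(pg * entropy(conditional(joint, given_coord, g)) for g, pg in marg.items())


def statistical_distance(p, q):
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)


def binary_entropy(g):
    if g <= 0.0 or g >= 1.0:
        return 0.0
    return g * math.log2(1 / g) + (1 - g) * math.log2(1 / (1 - g))


def kl(p, q):
    """KL(P || Q) = sum_x P(x) log(P(x)/Q(x)); infinite if P puts mass where Q has none."""
    total = 0.0
    for x, px in p.items():
        if px == 0:
            continue
        qx = q.get(x, 0.0)
        if qx == 0:
            return math.inf
        total += px * math.log2(px / qx)
    return total


def binary_kl(p, q):
    return kl({1: p, 0: 1 - p}, {1: q, 0: 1 - q})


def kl_chain_rule(joint_p, joint_q):
    """Fact 3.2.11 for k = 2: KL(X1,X2 || Y1,Y2) = KL(X1||Y1) + E_{x<-X1}[KL(X2|X1=x || Y2|Y1=x)].
    Returns the two terms; their sum must equal kl(joint_p, joint_q)."""
    p1, q1 = marginal(joint_p, 0), marginal(joint_q, 0)
    first = kl(p1, q1)
    second = sum(px * kl(conditional(joint_p, 0, x), conditional(joint_q, 0, x))
                 for x, px in p1.items())
    return first, second


def entropy_gap_bound(p, q):
    """Fact 3.2.8: |H(P) - H(Q)| <= log|U| * gamma + h(gamma), gamma = SD(P, Q), U = union of supports."""
    gamma = statistical_distance(p, q)
    universe = len(set(p) | set(q))
    return abs(entropy(p) - entropy(q)), math.log2(universe) * gamma + binary_entropy(gamma)


def divergence_shift_bound(p, q, gamma):
    """Fact 3.2.14: KL(p||q) - KL(p||q+gamma) <= 2 p gamma / q.  Returns (difference, bound)."""
    return binary_kl(p, q) - binary_kl(p, q + gamma), 2 * p * gamma / q


if __name__ == "__main__":
    hx, hy = entropy(marginal(JOINT_XY, 0)), entropy(marginal(JOINT_XY, 1))
    print("H(X,Y) =", entropy(JOINT_XY), " H(X) + H(Y|X) =", hx + conditional_entropy(JOINT_XY, 0))
    print("H(Y|X) =", conditional_entropy(JOINT_XY, 0), "<= H(Y) =", hy)
    print("Fact 3.2.14 at p=0.5, q=0.25, gamma=0.25:", divergence_shift_bound(0.5, 0.25, 0.25))
```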

3.2.4 Pseudoentropy

Intuitively, a distribution Y has pseudoentropy if there exists a high-entropy distribution Z that is indistinguishable from Y. We are interested in conditional pseudoentropy, which refers to a joint distribution (X, Y), and stipulates the existence of a distribution Z, jointly distributed with (X, Y), such that (1) Z has high entropy conditioned on X, and (2) (X, Y) is computationally indistinguishable from (X, Z). When considering non-uniform adversaries, the intuition translates directly into a definition. In the uniform case, however, the definition is slightly more complicated. Since we prefer to show uniform reductions, we present that definition, and discuss the reasons for the additional complications immediately after it.

Definition 3.2.15 (Conditional Pseudoentropy (c.f. [VZ12, Definition 2.12])). Let $t = t(\kappa) \in \mathbb{N}$, $\varepsilon = \varepsilon(\kappa) \in [0, 1]$ and $m = m(\kappa) > 0$. Let $X = \{X_\kappa\}_{\kappa \in \mathbb{N}}$ and $Y = \{Y_\kappa\}_{\kappa \in \mathbb{N}}$ be sequences of random variables such that $X_\kappa$ and $Y_\kappa$ are jointly distributed over $\mathcal{X}_\kappa \times \mathcal{Y}_\kappa$. We say that Y has $(t, \varepsilon)$ conditional pseudoentropy at least m given X if for every oracle-aided probabilistic algorithm A that on input $(1^\kappa, x, y)$ runs in time $t(\kappa)$, there is a sequence of random variables $Z = \{Z_\kappa\}_{\kappa \in \mathbb{N}}$ over $\mathcal{Y}_\kappa$, jointly distributed with $(X_\kappa, Y_\kappa)$, such that the following hold for large enough $\kappa \in \mathbb{N}$:

1. $H(Z_\kappa \mid X_\kappa) \ge m(\kappa)$;

2. Let $\mathcal{O}_{X', Y', Z'}$ denote an oracle that returns random independent samples from $(X'_\kappa, Y'_\kappa, Z'_\kappa)$ when queried, where $(X'_\kappa, Y'_\kappa, Z'_\kappa)$ is identically distributed to $(X_\kappa, Y_\kappa, Z_\kappa)$. Then, it holds that

$$\left|\Pr\left[A^{\mathcal{O}_{X', Y', Z'}}(1^\kappa, X_\kappa, Y_\kappa) = 1\right] - \Pr\left[A^{\mathcal{O}_{X', Y', Z'}}(1^\kappa, X_\kappa, Z_\kappa) = 1\right]\right| \le \varepsilon(\kappa),$$

where the above probabilities are over $X_\kappa, Y_\kappa, Z_\kappa$, the random coins of A and the samples generated by $\mathcal{O}_{X', Y', Z'}$.

We say that Y has conditional pseudoentropy at least m given X if for every constant c > 0, Y has $(\kappa^c, 1/\kappa^c)$ conditional pseudoentropy at least $m - 1/\kappa^c$ given X.

The reason that the oracle samples from (X', Y', Z') (and not (X, Y, Z)) is to emphasize that its samples are independent from the inputs given to the distinguisher A (namely (X, Y, Z)). The reason to give the distinguisher oracle access to samples from the distributions is to ensure that repetition preserves pseudoentropy. Intuitively, assume that X is indistinguishable from Y and $H(Y) \ge m$, namely X has pseudoentropy at least m. We would like that if $(X_1, X_2)$ are independent copies of X, they have pseudoentropy at least 2m. Namely, we would like $(X_1, X_2)$ to be indistinguishable from $(Y_1, Y_2)$. However, to prove this one must have the ability to sample from X and Y. See [VZ12] for additional discussion. Lastly, following [VZ12], Definition 3.2.15 allows the distribution Z to depend on the adversary A. We will use the fact that if (X, Y) is statistically close to $(\tilde{X}, \tilde{Y})$ and Y has high conditional pseudoentropy given X, then $\tilde{Y}$ also has high conditional pseudoentropy given $\tilde{X}$.

Proposition 3.2.16. Let $X = \{X_\kappa\}_{\kappa \in \mathbb{N}}$, $Y = \{Y_\kappa\}_{\kappa \in \mathbb{N}}$, $\tilde{X} = \{\tilde{X}_\kappa\}_{\kappa \in \mathbb{N}}$ and $\tilde{Y} = \{\tilde{Y}_\kappa\}_{\kappa \in \mathbb{N}}$ be sequences of random variables such that $X_\kappa$ and $Y_\kappa$ are jointly distributed over $\mathcal{X}_\kappa \times \mathcal{Y}_\kappa$, and the same for $\tilde{X}_\kappa$ and $\tilde{Y}_\kappa$. Assume $\log(|\mathcal{X}_\kappa| \cdot |\mathcal{Y}_\kappa|) = \mathrm{poly}(\kappa)$, $SD((X_\kappa, Y_\kappa), (\tilde{X}_\kappa, \tilde{Y}_\kappa)) = \mathrm{negl}(\kappa)$ and Y has conditional pseudoentropy at least $m = m(\kappa)$ given X. Then $\tilde{Y}$ also has conditional pseudoentropy at least $m = m(\kappa)$ given $\tilde{X}$.

Since the proof of this statement is not completely straightforward, we give it in full here.

Proof. Assume toward a contradiction that $\tilde{Y}$ does not have conditional pseudoentropy at least $m = m(\kappa)$ given $\tilde{X}$. Namely, there exist a constant a > 0 and an algorithm A running in time $\kappa^a$ such that for every sequence of random variables $\tilde{Z} = \{\tilde{Z}_\kappa\}_{\kappa \in \mathbb{N}}$ there exists an infinite index-set $\Lambda \subseteq \mathbb{N}$ such that for every $\kappa \in \Lambda$, if $H(\tilde{Z}_\kappa \mid \tilde{X}_\kappa) \ge m(\kappa) - 1/\kappa^a$ then

$$\left|\Pr\left[A^{\mathcal{O}_{\tilde{X}', \tilde{Y}', \tilde{Z}'}}(1^\kappa, \tilde{X}_\kappa, \tilde{Y}_\kappa) = 1\right] - \Pr\left[A^{\mathcal{O}_{\tilde{X}', \tilde{Y}', \tilde{Z}'}}(1^\kappa, \tilde{X}_\kappa, \tilde{Z}_\kappa) = 1\right]\right| > \frac{1}{\kappa^a}. \qquad (3.7)$$

We use A to break the conditional pseudoentropy of Y given X. Fix c > a, to be determined by the analysis, and let $Z = \{Z_\kappa\}_{\kappa \in \mathbb{N}}$ be a sequence of random variables jointly distributed with $(X_\kappa, Y_\kappa)$ such that $H(Z_\kappa \mid X_\kappa) \ge m(\kappa) - 1/\kappa^c$ for large enough $\kappa \in \mathbb{N}$. Let $F_\kappa(x, y)$ be the random process that samples from $Z_\kappa$ conditioned on $X_\kappa = x$ and $Y_\kappa = y$. Namely, $(X_\kappa, Y_\kappa, Z_\kappa) = (X_\kappa, Y_\kappa, F_\kappa(X_\kappa, Y_\kappa))$. Let $\tilde{Z} = \{\tilde{Z}_\kappa\}_{\kappa \in \mathbb{N}}$ be a sequence of random variables jointly distributed with $(\tilde{X}_\kappa, \tilde{Y}_\kappa)$ such that $\tilde{Z}_\kappa = F_\kappa(\tilde{X}_\kappa, \tilde{Y}_\kappa)$. Fix a large enough $\kappa \in \mathbb{N}$ (which we omit from the notation). It holds that

$$SD\left((X, Y, Z), (\tilde{X}, \tilde{Y}, \tilde{Z})\right) \le SD\left((X, Y), (\tilde{X}, \tilde{Y})\right) = \mathrm{negl}(\kappa),$$

where the inequality follows from the data-processing inequality for statistical distance (on the random process that takes (x, y) and outputs (x, y, F(x, y))). Using the above, we argue that the entropy of $\tilde{Z}$ given $\tilde{X}$ is high. Using Facts 3.2.6 and 3.2.8 (the latter with $\log(|\mathcal{X}| \cdot |\mathcal{Y}|) = \mathrm{poly}(\kappa)$ and negligible statistical distance) it holds that

$$H(\tilde{Z} \mid \tilde{X}) - H(Z \mid X) = H(\tilde{X}, \tilde{Z}) - H(X, Z) + H(X) - H(\tilde{X}) \ge -\mathrm{negl}(\kappa),$$

and hence

$$H(\tilde{Z} \mid \tilde{X}) \ge m - 1/\kappa^c - \mathrm{negl}(\kappa) \ge m - 1/\kappa^a.$$

Hence, Eq. (3.7) holds with respect to $\tilde{Z}$. Using again that $SD((X, Y, Z), (\tilde{X}, \tilde{Y}, \tilde{Z})) = \mathrm{negl}(\kappa)$, and since A runs in polynomial time (and thus can make at most polynomially many queries to its oracle), it holds that

$$\left|\Pr\left[A^{\mathcal{O}_{X', Y', Z'}}(1^\kappa, X, Y) = 1\right] - \Pr\left[A^{\mathcal{O}_{X', Y', Z'}}(1^\kappa, X, Z) = 1\right]\right| \ge \left|\Pr\left[A^{\mathcal{O}_{\tilde{X}', \tilde{Y}', \tilde{Z}'}}(1^\kappa, \tilde{X}, \tilde{Y}) = 1\right] - \Pr\left[A^{\mathcal{O}_{\tilde{X}', \tilde{Y}', \tilde{Z}'}}(1^\kappa, \tilde{X}, \tilde{Z}) = 1\right]\right| - \mathrm{poly}(\kappa) \cdot \mathrm{negl}(\kappa)$$

$$\ge \frac{1}{\kappa^a} - \mathrm{negl}(\kappa) \ge \frac{1}{\kappa^c}.$$

Setting c to be large enough so that A runs in time $\kappa^c$, we conclude that Y does not have $(\kappa^c, 1/\kappa^c)$ conditional pseudoentropy at least $m - 1/\kappa^c$ given X, a contradiction to the assumption. □

3.3 The Assumption and Main Theorem

In this section, we specify our assumption on the existence of laconic zero-knowledge proof-systems (which we will later show to imply public-key encryption). To do so, we first introduce some necessary definitions and notations. Throughout this section (and beyond), we use $\mathcal{L}$ to denote an NP language with witness relation $R_\mathcal{L}$. We use $Y_\mathcal{L}$ and $N_\mathcal{L}$ to denote probabilistic polynomial-time algorithms that are to be seen as sampling algorithms for YES and NO instances of $\mathcal{L}$. More specifically, the sampler $Y_\mathcal{L}(1^\kappa)$ outputs samples of the form (x, w) such that with all but negligible probability (in $\kappa$), it holds that $(x, w) \in R_\mathcal{L}$. We call $Y_\mathcal{L}$ a solved instance generator. On the other hand, $N_\mathcal{L}(1^\kappa)$ outputs samples x such that with all but negligible probability, $x \notin \mathcal{L}$. We shall not rely on the fact that the NO sampler $N_\mathcal{L}$ is an efficient algorithm. Still, we find it easier to present it as such for symmetry with $Y_\mathcal{L}$ (which must be efficient). We shall be concerned with properties of the tuple $(\mathcal{L}, Y_\mathcal{L}, N_\mathcal{L})$: the language $\mathcal{L}$ equipped with (efficiently sampleable) distributions over its YES and NO instances (where YES instances come with corresponding witnesses). Since the choice of YES and NO distributions is always clear from the context, we often simply refer to the above tuple as the language (although we actually mean the language $\mathcal{L}$ with these specific distributions over its instances). We start by defining what we mean when we say that such a language is cryptographically hard.

Definition 3.3.1 (Cryptographic Hardness). Let $t = t(\kappa) \in \mathbb{N}$ and $\varepsilon = \varepsilon(\kappa) \in [0, 1]$. The language $(\mathcal{L}, Y_\mathcal{L}, N_\mathcal{L})$ is $(t, \varepsilon)$-cryptographically hard if $Y_\mathcal{L}$ is a solved instance generator, and for every probabilistic algorithm A that on input $(1^\kappa, x)$ runs in time $t(\kappa)$ and for all sufficiently large $\kappa \in \mathbb{N}$ it holds that:

$$\left|\Pr_{(x, \cdot) \leftarrow Y_\mathcal{L}(1^\kappa)}\left[A(1^\kappa, x) = 1\right] - \Pr_{x \leftarrow N_\mathcal{L}(1^\kappa)}\left[A(1^\kappa, x) = 1\right]\right| \le \varepsilon(\kappa).$$

We say that $(\mathcal{L}, Y_\mathcal{L}, N_\mathcal{L})$ is cryptographically hard if it is $(\kappa^c, 1/\kappa^c)$-hard for every constant c > 0.

Being cryptographically hard is a stronger requirement than the usual notion of average-case hardness (the latter means that it is hard to distinguish a random YES instance from a random NO instance). Specifically, cryptographic hardness requires both (1) average-case hardness and (2) the existence of a solved instance generator (w.r.t. the average-case hard distribution). In particular, the existence of a cryptographically hard language is equivalent to the existence of one-way functions.^22 As noted above, when we say that the language $\mathcal{L}$ is cryptographically hard we are actually implicitly referring to the sampling algorithms $Y_\mathcal{L}$ and $N_\mathcal{L}$. Next we define honest-verifier statistical zero-knowledge (SZK) arguments, which are similar to honest-verifier statistical zero-knowledge proofs except that the soundness condition is only required to hold against malicious provers that run in polynomial time. We remark that since we will be using the existence of SZK arguments to construct other objects, both relaxations that we employ (namely requiring only computational soundness and only honest-verifier zero knowledge) only strengthen our results. Below, we use $(P, V)(1^\kappa, x)$ to refer to the transcript of an execution of an interactive protocol with prover P and verifier V on input $(1^\kappa, x)$. We also use $(P(w), V)(1^\kappa, x)$ to denote a similar execution where the prover is additionally given a witness w as auxiliary input. In both cases, we sometimes also use the same notation to refer to the result (i.e., the verifier's output) of such an execution; the appropriate interpretation will be clear from context.

Definition 3.3.2 (SZK Arguments). Let $c = c(\kappa) \in [0, 1]$ and $s = s(\kappa) \in [0, 1]$. An interactive protocol (P, V) is an Honest Verifier SZK Argument with completeness error c and soundness error s for a language $\mathcal{L} \in$ NP, with witness relation $R_\mathcal{L}$, if the following properties hold:

• Efficiency: Both P and V are probabilistic polynomial-time algorithms.

^22 That YES instances are indistinguishable from NO instances implies that it is hard to compute a witness for a YES instance. Given this, a function that takes coins for $Y_\mathcal{L}$ and outputs the instance (but not the witness) generated by $Y_\mathcal{L}$ is one-way (c.f., [Gol08, Proposition 7.2]). For the other direction, the existence of one-way functions implies the existence of a linear-stretch pseudorandom generator (PRG) G [HILL99]. The language that is cryptographically hard contains those strings that are in the range of G. The solved instance generator samples a random seed r and outputs G(r) as the instance and r as the witness. The corresponding NO distribution is that of a uniformly random string of the same length as G's output; since G has linear stretch, such a string lies outside the range of G with all but negligible probability, and pseudorandomness of G makes it indistinguishable from G(r).

• Completeness: For any $(x, w) \in R_\mathcal{L}$, and all large enough $\kappa$:

$$\Pr\left[(P(w), V)(1^\kappa, x) \text{ accepts}\right] \ge 1 - c(\kappa),$$

where the parameter c is called the completeness error.

• Soundness: For any probabilistic polynomial-time cheating prover $P^*$, any $x \notin \mathcal{L}$, and large enough $\kappa$:

$$\Pr\left[(P^*, V)(1^\kappa, x) \text{ accepts}\right] \le s(\kappa),$$

where the parameter s is called the soundness error.

• Honest Verifier Statistical Zero Knowledge: There is a probabilistic polynomial-time algorithm Sim (called the simulator) that, when given any $x \in \mathcal{L}$, simulates the transcript of the interactive proof on input x. That is, for any $(x, w) \in R_\mathcal{L}$ and for all sufficiently large $\kappa$:

$$SD\left((P(w), V)(1^\kappa, x), \mathrm{Sim}(1^\kappa, x)\right) \le \mathrm{negl}(\kappa).$$

Note that our definition only deals with NP languages and requires that the prover be efficient. Typically, when defining an SZK proof (rather than argument) this is not done, and the honest prover is allowed to be computationally unbounded. However, an efficient honest prover is the natural choice since we focus on argument systems (where the soundness requirement is only against malicious provers that are also efficient). Remark 3.3.3 (Restricted-view Simulation). For our main result, it suffices that the simulator only simulates the transcript of the interactive proof and not the random coins of the verifier. The standard definition of simulation is stronger: it also requires that the simulator output random coins for the verifier that are consistent with the transcript. Ostrovsky [Ost91] called the weaker notion restricted-view simulation, and showed that average-case hard languages with honest-verifier SZK proofs with restricted-view simulation (without efficient provers) imply the existence of one-way functions. We will be dealing with SZK arguments that have additional properties captured by the next definition. Recall that a round in an interactive proof is a pair of messages, the first one (possibly empty) from V to P, and the next the other way.

Definition 3.3.4 (Laconism). Let $q = q(\kappa) \in \mathbb{N}$ and $r = r(\kappa) \in \mathbb{N}$. An interactive protocol $(P, V)$ is said to be $r$-round and $q$-laconic if it has at most $r(\kappa)$ rounds, and each message from $P$ to $V$ is at most $q(\kappa)$ bits long when run on any input $(1^\kappa, x)$, for large enough $\kappa$.

We can now state our main assumption as follows.

Assumption 3.3.5. There exists a cryptographically hard language $(\mathcal{L}, Y_\mathcal{L}, N_\mathcal{L})$ for which there is an $r$-round and $q$-laconic honest-verifier SZK argument with completeness error $c$ and soundness error $s$ such that:

• There is a constant $\beta > 0$ such that $1 - c(\kappa) > s(\kappa) + \beta$, for large enough $\kappa \in \mathbb{N}$.

• $q$ and $r$ are such that $r^2 \cdot q^3 = O(\log \kappa)$.

Our main result is given in the next theorem.

Theorem 3.3.6 (PKE from Laconic SZK). If Assumption 3.3.5 holds, then there exists a public-key encryption scheme.

In Sections 3.4 and 3.5 we show how to use Assumption 3.3.5 to construct a public-key encryption scheme. The formal proof of Theorem 3.3.6 is given at the beginning of Section 3.5. In Section 3.6, we consider two relaxations of Assumption 3.3.5, namely Assumptions 3.6.2 and 3.6.6, each of which still suffices for our construction of PKE; we then compare other concrete assumptions that have been used in the past to construct public-key encryption to these weaker assumptions.

3.4 From Laconic SZK to Trapdoor Pseudoentropy Generator

In this section we show that if Assumption 3.3.5 is true, that is, there exists a cryptographically hard NP language with a laconic (honest-verifier) statistical zero-knowledge argument-system, then there exists a "trapdoor pseudoentropy generator", which we define next. This notion turns out to be a useful technical abstraction and will be used later, in Section 3.5, to construct a public-key encryption scheme.

Classic pseudoentropy generators, first introduced in the work of [HILL99], are algorithms whose output distribution has pseudoentropy. That is, the output distribution of the algorithm (given a uniformly random seed) is statistically close to a distribution that has high entropy. Pseudoentropy generators play a central role in the construction of pseudorandom generators from (general) one-way functions [HILL99, HRV13, VZ12].

Trapdoor pseudoentropy generators extend the classic notion of pseudoentropy generators to the "public-key setting". Such generators consist of three algorithms. The first algorithm generates a pair of keys, one public and one secret. The second algorithm, which we think of as an encoder, gets the public key as input and generates a distribution which has high pseudoentropy to an observer who has the public key, but not to one that has the secret key. Indeed, to a party holding the secret key the output distribution of the encoder "looks" less random. This is captured by the third algorithm, the decoder, which, given the secret key, samples elements from a distribution close to that of the encoder. We proceed to the actual definition, which realizes the above discussion for conditional distributions.

Definition 3.4.1 (Trapdoor Pseudoentropy Generator). Let $\kappa$ be a security parameter, $\varepsilon = \varepsilon(\kappa) \in [0, 1]$ and $n = n(\kappa) > 0$. An $n$-entropic trapdoor pseudoentropy generator scheme with correctness error $\varepsilon$ is a tuple of probabilistic polynomial-time algorithms $(\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$ where $\mathrm{KeyGen}(1^\kappa)$ outputs a pair of keys $(pk, sk)$, the encoding algorithm $\mathrm{Enc}(1^\kappa, pk)$ outputs a pair of messages $(u, v)$ and the decoding algorithm $\mathrm{Dec}(1^\kappa, sk, u)$ outputs a message $v'$. The scheme satisfies the following properties with respect to the jointly distributed sequences of random variables $PK = \{PK_\kappa\}_{\kappa \in \mathbb{N}}$, $SK = \{SK_\kappa\}_{\kappa \in \mathbb{N}}$, $U = \{U_\kappa\}_{\kappa \in \mathbb{N}}$, $V = \{V_\kappa\}_{\kappa \in \mathbb{N}}$ and $V' = \{V'_\kappa\}_{\kappa \in \mathbb{N}}$, where $(PK_\kappa, SK_\kappa) \leftarrow \mathrm{KeyGen}(1^\kappa)$, $(U_\kappa, V_\kappa) \leftarrow \mathrm{Enc}(1^\kappa, PK_\kappa)$ and $V'_\kappa \leftarrow \mathrm{Dec}(1^\kappa, PK_\kappa, SK_\kappa, U_\kappa)$:

• Correctness (of Decoding): For all sufficiently large $\kappa \in \mathbb{N}$:

$$\mathrm{SD}\big((PK_\kappa, SK_\kappa, U_\kappa, V_\kappa),\ (PK_\kappa, SK_\kappa, U_\kappa, V'_\kappa)\big) \le \varepsilon(\kappa).$$

• Pseudoentropy: $V$ has conditional pseudoentropy^{23} at least $H(V \mid PK, U) + n$ given $(PK, U)$.

An $n$-entropic trapdoor pseudoentropy generator scheme is $q$-laconic, for $q = q(\kappa) \in \mathbb{N}$ with $q \ge n$, if the output of the decoding algorithm (i.e., $v'$) and the private message of the encoding algorithm are at most $q(\kappa)$-bit long strings.^{24}

We refer to the first message of the encoding algorithm (i.e., u) as its public message and to the second message (i.e., v) as its private message.

Remark 3.4.2 (Accessible Entropy). Another possible way to define the correctness property of a trapdoor pseudoentropy generator is in terms of accessible entropy [HRVW09]. Roughly, such a definition would require that for the decoder (who has the secret key), the entropy of $V$ is much less than for an efficient external eavesdropper (with only the public key). That is, that $V$ has low accessible entropy to the decoder with the secret key and high pseudoentropy to an efficient external eavesdropper. Such a definition, however, would (slightly) complicate our proof, so we chose to define correctness in terms of statistical distance.

The main result of this section is to show that Assumption 3.3.5 implies the existence of a trapdoor pseudoentropy generator.

Lemma 3.4.3. Assume that Assumption 3.3.5 holds for a language $\mathcal{L}$ with an $r$-round $q$-laconic SZK argument-system with completeness error $c$ and soundness error $s$, such that $c, s > 0$ are constants. Then for every $p = \mathrm{poly}(\kappa)$ that is computable in $\mathrm{poly}(\kappa)$ time, there exists a $q$-laconic, $(\mathrm{KL}(1 - c \,\|\, s)/r)$-entropic trapdoor pseudoentropy generator scheme with correctness error $1/p$.

In Section 3.5 we show a generic transformation from trapdoor pseudoentropy generators to public-key encryption. Together with Lemma 3.4.3, this establishes the proof of our main result that a laconic SZK argument-system for a cryptographically hard NP language implies the existence of public-key encryption (Theorem 3.3.6).

Section Outline. The rest of this section is devoted to the proof of Lemma 3.4.3. In Section 3.4.1, we give the construction of our trapdoor pseudoentropy generator scheme. We also state two lemmas showing, respectively, the correctness and pseudoentropy of the construction. We prove the correctness lemma in Section 3.4.2 and the pseudoentropy lemma in Section 3.4.3.

3.4.1 Construction of Trapdoor Pseudoentropy Generator

In this section, we describe our trapdoor pseudoentropy generator. Since the security parameter $\kappa$ will always be clear from the context, in the following we usually omit it from the notation (e.g., we will refer to the random variable $X$ even though we actually mean $X_\kappa$).

Footnote 23: Roughly speaking, a random variable $B$ has pseudoentropy at least $m$ if for every efficient algorithm $A$ there exists a random variable $Z$ with $H(Z) \ge m$ such that $A$ cannot distinguish between $B$ and $Z$. See Definition 3.2.15 and the discussion that follows.

Footnote 24: The restriction to $q \ge n$ is simply because the entropy is bounded by the length of the string.

Recall that Assumption 3.3.5 stipulates that there exists a cryptographically hard language $\mathcal{L} \in \mathrm{NP}$ with an $r$-round $q$-laconic SZK argument system $(P, V, \mathrm{Sim})$, with completeness error $c$ and soundness error $s$. We use $(Y_\mathcal{L}, N_\mathcal{L})$ to denote the sampling algorithms for which the language is cryptographically hard, where $Y_\mathcal{L}$ is a solved instance generator and $N_\mathcal{L}$ samples NO instances (with all but negligible probability).

Construction. In addition to the above parameters, our construction also depends on a polynomial $p = \mathrm{poly}(\kappa)$ such that $p(\kappa)$ is computable in $\mathrm{poly}(\kappa)$ time. This parameter controls the correctness error of the scheme. We begin with an overview of the construction (a formal description follows).

Key Generation: The public key is a YES instance $x$. The secret key is $w$, the corresponding witness for $x$.

Encoding ($x$): First, sample a full transcript of an interaction using the simulator $\mathrm{Sim}(x)$. Second, choose a random round $i \leftarrow [r]$, set $b'_i$ to be the $i$-th message the prover sent in the transcript, and set $c'^-_i$ to be the transcript up to $b'_i$ (including the verifier's message in the $i$-th round but excluding $b'_i$). Output $(i, c'^-_i)$ as the public message and $b'_i$ as the private message.^{25}

Decoding ($w$, $(i, c'^-_i)$): To decode, we use the prover to generate its next message in an interaction consistent with the partial transcript $c'^-_i$. The decoder generates fresh coin tosses $\rho$ for $P$ that are consistent with $c'^-_i$. This is done via rejection sampling. Namely, $\mathrm{Dec}$ repeatedly chooses a random string $\rho$ and checks whether, given $\rho$ and the verifier's messages in $c'^-_i$, the prover $P$ would have sent the prover's messages in $c'^-_i$. Once it finds such a random string $\rho$, it computes the next-message function of $P$ given random coins $\rho$ and the transcript $c'^-_i$. To avoid running for too long, the decoder only runs $2 \cdot 2^{rq} \cdot p$ iterations of the rejection sampling. If it fails to find consistent coins, the decoder outputs an arbitrary $q$-bit string (e.g., the all-zero string).

The formal description of the trapdoor pseudoentropy generator scheme is given in Fig. 3-5. Throughout this section we fix all the above parameters and denote

$$(\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec}) = (\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})_{p,\, Y_\mathcal{L},\, (P, V, \mathrm{Sim}),\, r,\, q}.$$

We next state two lemmas which establish the correctness and pseudoentropy properties of the scheme, respectively. To do so, we first introduce random variables corresponding to a random execution of the argument-system for $\mathcal{L}$. As usual, the following sequences of random variables are indexed by $\kappa \in \mathbb{N}$, but for brevity we omit $\kappa$ from the notation, and also from the arguments that $\mathrm{Enc}$ and $\mathrm{Dec}$ take. Let $(X, W)$ be an input-witness pair chosen according to the solved instance generator $Y_\mathcal{L}$. Let $A_i$ (resp., $B_i$) be the $i$-th message sent by $V$ (resp., $P$) in a random execution of the protocol on input $X$ (where $P$ also gets access to $W$). We denote the transcript of the protocol $(P, V)$ by

$$(P(W), V)(X) = (A_1, B_1, A_2, B_2, \ldots, A_r, B_r),$$

and the transcript generated by the simulator as $\mathrm{Sim}(X) = (A'_1, B'_1, \ldots, A'_r, B'_r)$.

Footnote 25: Here and below we use the prime symbol (e.g., $b'$) to hint that a value was generated by the simulator rather than by an actual execution.

$(\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})_{p,\, Y_\mathcal{L},\, (P, V, \mathrm{Sim}),\, r,\, q}$

Parameters: $p = \mathrm{poly}(\kappa)$.
Algorithms:
  • $Y_\mathcal{L}$: solved instance generator for $\mathcal{L} \in \mathrm{NP}$.
  • $(P, V, \mathrm{Sim})$: $r(\kappa)$-round $q(\kappa)$-laconic SZK argument system for $\mathcal{L}$.

$\mathrm{KeyGen}(1^\kappa)$:
  1. Sample $(x, w) \leftarrow Y_\mathcal{L}(1^\kappa)$
  2. Set $pk = x$ and $sk = w$
  3. Output $(pk, sk)$

$\mathrm{Enc}(1^\kappa, pk)$:
  1. Interpret $pk = x$
  2. Sample $(a'_1, b'_1, \ldots, a'_r, b'_r) \leftarrow \mathrm{Sim}(1^\kappa, x)$
  3. Sample $i \leftarrow [r]$
  4. Set $c'^-_i = (a'_1, b'_1, \ldots, b'_{i-1}, a'_i)$
  5. Set $u = (i, c'^-_i)$ and $v = b'_i$
  6. Output $(u, v)$

$\mathrm{Dec}(1^\kappa, pk, sk, u)$:
  1. Interpret $pk = x$, $sk = w$ and $u = (i, c'^-_i)$, where $c'^-_i = (a'_1, b'_1, \ldots, a'_{i-1}, b'_{i-1}, a'_i)$
  2. Repeat $2 \cdot 2^{rq} \cdot p(\kappa)$ times:
     (a) Sample $\rho$, coins for $P$, at random
     (b) For every $j \in [i]$, set $b_j = P(1^\kappa, x, w, (a'_1, b_1, \ldots, a'_{j-1}, b_{j-1}, a'_j); \rho)$
     (c) If $(b_1, \ldots, b_{i-1}) = (b'_1, \ldots, b'_{i-1})$, then set $v' = b_i$ and abort the loop
  3. If $v'$ was not set until now, set it to $\bot$
  4. Output $v'$

Figure 3-5: Trapdoor Pseudoentropy Generator from Laconic Zero-Knowledge

For a round $i \in [r]$, we denote the partial transcript up to (and including) round $i$ by $C_i = (A_1, B_1, \ldots, A_i, B_i)$. We use $C^-_i$ to denote a random variable that is identical to $C_i$ except that it is missing the $i$-th message of the prover (but includes the $i$-th message of the verifier), namely $C^-_i = (A_1, B_1, \ldots, B_{i-1}, A_i)$. The partial transcripts $C'_i$ and $C'^-_i$ are similarly defined with respect to the simulated transcript $(A'_1, B'_1, \ldots, A'_r, B'_r)$. We also let $I \leftarrow [r]$ be a uniformly distributed integer in $[r]$, which corresponds to a random round. Finally, we denote by $\tilde{B}'_I$ the output of $\mathrm{Dec}(X, W, I, C'^-_I)$.

Lemma 3.4.4 (correctness). For large enough $\kappa \in \mathbb{N}$, it holds that

$$\mathrm{SD}\big((X, W, I, C'^-_I, B'_I),\ (X, W, I, C'^-_I, \tilde{B}'_I)\big) \le \frac{1}{2p(\kappa)} + \mathrm{negl}(\kappa).$$

Lemma 3.4.5 (pseudoentropy). The random variable $B'_I$ has conditional pseudoentropy at least $H(B'_I \mid X, I, C'^-_I) + \frac{1}{r} \cdot \mathrm{KL}(1 - c \,\|\, s)$ given $(X, I, C'^-_I)$.

Lemmas 3.4.4 and 3.4.5 are proven in Sections 3.4.2 and 3.4.3, respectively. Together, they immediately yield Lemma 3.4.3.

Proof of Lemma 3.4.3 (given Lemmas 3.4.4 and 3.4.5). By Lemmas 3.4.4 and 3.4.5, the correctness error of the trapdoor pseudoentropy generator scheme $(\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$ is $1/p$ and the scheme is $(\frac{1}{r} \cdot \mathrm{KL}(1 - c \,\|\, s))$-entropic. Moreover, it is easy to verify that the running times of $\mathrm{KeyGen}$, $\mathrm{Enc}$ and $\mathrm{Dec}$ are all polynomial in $\kappa$ (since the prover is efficient given the witness) and that the scheme is $q$-laconic. ∎

3.4.2 Correctness - Proving Lemma 3.4.4

The proof of Lemma 3.4.4 follows from the statistical zero-knowledge property of the argument-system and from the following analysis, which shows that the distribution generated by $\mathrm{Dec}$ is close to that generated by the prover's next message.

Let $\tilde{B}_I$ be the output of $\mathrm{Dec}(X, W, I, C^-_I)$; that is, $\tilde{B}_I$ is similar to $\tilde{B}'_I$, except that $\mathrm{Dec}$ gets as input a partial transcript sampled from the original protocol rather than a simulated one.

Claim 3.4.5.1. It holds that:

$$\mathrm{SD}\big((X, W, I, C^-_I, B_I),\ (X, W, I, C^-_I, \tilde{B}_I)\big) \le \frac{1}{2p(\kappa)}.$$

Before proving Claim 3.4.5.1, let us use it to prove Lemma 3.4.4.

Proof of Lemma 3.4.4 (given Claim 3.4.5.1). The following holds for large enough $\kappa \in \mathbb{N}$. By the zero-knowledge property of the argument system it holds that^{26}

$$\begin{aligned}
\mathrm{SD}\big((X, W, I, C'^-_I, B'_I),\ (X, W, I, C^-_I, B_I)\big) &= \mathrm{SD}\big((X, W, I, C'_I),\ (X, W, I, C_I)\big) \\
&\le \mathrm{SD}\big((X, W, C'_r),\ (X, W, C_r)\big) \\
&= \mathrm{SD}\big((X, W, \mathrm{Sim}(X)),\ (X, W, (P(W), V)(X))\big) \\
&= \mathop{\mathbb{E}}_{(x, w) \leftarrow Y_\mathcal{L}}\Big[\mathrm{SD}\big(\mathrm{Sim}(x),\ (P(w), V)(x)\big)\Big] \\
&= \mathrm{negl}(\kappa), \qquad (3.8)
\end{aligned}$$

where the inequality follows from the data-processing inequality for statistical distance applied to the randomized procedure that takes $(x, w, c_r)$ (i.e., an instance, a witness and a complete transcript), chooses $i \leftarrow [r]$ at random and outputs $(x, w, i, c_i)$ (i.e., the partial transcript of $c_r$ up to round $i$). Moreover, note that $\tilde{B}_I$ and $\tilde{B}'_I$ can be viewed as being generated by applying the same randomized function to $(X, W, I, C^-_I)$ and $(X, W, I, C'^-_I)$, respectively. Hence, the data-processing inequality for statistical distance yields that

$$\mathrm{SD}\big((X, W, I, C^-_I, \tilde{B}_I),\ (X, W, I, C'^-_I, \tilde{B}'_I)\big) \le \mathrm{SD}\big((X, W, I, C^-_I),\ (X, W, I, C'^-_I)\big).$$

Footnote 26: Note that we only need the zero-knowledge property to hold on average for a random instance-witness pair; see Section 3.6.1 for more details.

Using once again the zero-knowledge property of the argument-system and a calculation similar to Eq. (3.8), it holds that

$$\mathrm{SD}\big((X, W, I, C^-_I, \tilde{B}_I),\ (X, W, I, C'^-_I, \tilde{B}'_I)\big) \le \mathrm{negl}(\kappa). \qquad (3.9)$$

Putting Eqs. (3.8) and (3.9) together with Claim 3.4.5.1 and using the triangle inequality for statistical distance, we have that

$$\mathrm{SD}\big((X, W, I, C'^-_I, B'_I),\ (X, W, I, C'^-_I, \tilde{B}'_I)\big) \le \frac{1}{2p(\kappa)} + \mathrm{negl}(\kappa),$$

as required. ∎

Remark 3.4.6 (On the need for statistical zero-knowledge). The proof of Lemma 3.4.4 is in fact the only place where we use that the argument-system is statistical zero-knowledge (rather than merely computational zero-knowledge). Specifically, we need that the simulator's output is indistinguishable from the protocol's transcript even to an eavesdropper who knows a witness for the input. This is not necessarily the case for computational zero-knowledge proof systems, but holds for statistical ones.

It is left to prove Claim 3.4.5.1.

Proof of Claim 3.4.5.1. We say that $\mathrm{Dec}$ fails if it sets $v'$ to be $\bot$ in Step 3. Assume, for the sake of the analysis, that $\mathrm{Dec}$ never fails but merely keeps running the loop again and again. That is, $\mathrm{Dec}$ keeps entering the loop in Step 2 until it finds random coins $\rho$ that are consistent with the partial transcript it was given. In that case, by the principle of deferred decisions, $(X, W, I, C^-_I, \tilde{B}_I)$ is identically distributed as $(X, W, I, C^-_I, B_I)$. Hence, when considering the actual algorithm $\mathrm{Dec}$, it holds that

$$\mathrm{SD}\big((X, W, I, C^-_I, B_I),\ (X, W, I, C^-_I, \tilde{B}_I)\big) \le \Pr\big[\mathrm{Dec}(X, W, I, C^-_I) \text{ fails}\big].$$

In the rest of the proof we bound the probability that $\mathrm{Dec}$ fails. Fix an instance-witness pair $(x, w)$ and a round $i \in [r]$. We bound the failure probability with respect to these fixed values, and the claim follows. Let $c$ be the partial transcript of the interaction thus far, including the $i$-th message sent by the verifier but not that sent by the prover (in this claim we only care about such transcripts, so for ease of notation we omit the "$-$" symbol from the superscript of $c^-$). Let $c_V$ be the part of the transcript corresponding to messages sent by the verifier and let $c_P$ be the part of the transcript corresponding to messages sent by the prover. Since the proof-system is $q$-laconic, it holds that $c_P \in \{0, 1\}^{(i-1)q}$. Let $S(c_P, c_V)$ be a random variable counting the number of iterations of the loop until consistent random coins are found. Let $C = (C_P, C_V)$ be a partial transcript of a random execution of $(P(w), V)(x)$. Our goal is to show that

$$\mathbb{E}\big[S(C_P, C_V)\big] \le 2^{rq}. \qquad (3.10)$$

Having shown the above equation, the claim follows by Markov's inequality, since $\mathrm{Dec}$ only fails if the number of iterations is larger than $2p \cdot 2^{rq}$.

Fix a transcript $c_V$ of messages from the verifier to the prover up to round $i$ and let $Q_{c_P} = \Pr[C_P = c_P \mid C_V = c_V]$, for every $c_P$. That is, $(Q_{c_P})_{c_P \in \{0,1\}^{(i-1)q}}$ is the distribution of $C_P \mid (C_V = c_V)$, a random variable corresponding to the transcript of messages sent by the prover in a random execution of the protocol in which the verifier's transcript is fixed to $c_V$.

Claim 3.4.6.1. In each iteration of the $\mathrm{Dec}$ algorithm (i.e., Step 2 of $\mathrm{Dec}$), given a partial transcript $c = (c_P, c_V)$ as input, the algorithm succeeds in finding consistent random coins with probability $Q_{c_P}$.

Proof. The proof follows from the fact that, conditioned on an execution of the protocol generating a given transcript, the two parties' coins form a product distribution. Details follow. Let $c = (c_P, c_V)$ be a partial transcript up to round $i$ and consider the following set

$$R_c = \big\{(\rho_P, \rho_V) : (P(w; \rho_P), V(\rho_V))(x)_{1, \ldots, i} = c\big\}.$$

Namely, $R_c$ is the set of coins for the parties that are consistent with the partial transcript $c$. Note that if $(\rho_1, \rho_2) \in R_c$ and $(\rho'_1, \rho'_2) \in R_c$, then it must be that $(\rho_1, \rho'_2) \in R_c$. Thus, it holds that $R_c = R_{c,P} \times R_{c,V}$, where $R_{c,P}$ is a subset of $R_P$, the set of all possible coins for $P$, and $R_{c,V}$ is a subset of $R_V$, the set of all possible coins for $V$. It follows that

$$Q_{c_P} = \Pr[C_P = c_P \mid C_V = c_V] = \Pr_{\rho \leftarrow R_P}[\rho \in R_{c,P}].$$

Finally, by construction, $\mathrm{Dec}$ samples $\rho \leftarrow R_P$ and checks whether $P(x, w; \rho)$ generates the messages $c_P$ when given $c_V$ as $V$'s messages. Such randomness $\rho$ satisfies the latter condition if and only if $\rho \in R_{c,P}$. Hence, the probability of success in each iteration is exactly $\Pr_{\rho \leftarrow R_P}[\rho \in R_{c,P}] = Q_{c_P}$. ∎

Claim 3.4.6.1 implies that $S(c_P, c_V)$ is a geometric random variable with parameter $Q_{c_P}$. The expected value of such a random variable is $1/Q_{c_P}$. It follows that

$$\begin{aligned}
\mathbb{E}\big[S(C_P, C_V) \mid C_V = c_V\big] &= \sum_{c_P \in \mathrm{Supp}(C_P \mid C_V = c_V)} Q_{c_P} \cdot \mathbb{E}\big[S(c_P, c_V)\big] \\
&= \sum_{c_P \in \mathrm{Supp}(C_P \mid C_V = c_V)} Q_{c_P} \cdot \frac{1}{Q_{c_P}} \\
&= \big|\mathrm{Supp}(C_P \mid C_V = c_V)\big| \\
&\le 2^{rq},
\end{aligned}$$

where the last inequality uses that $c_P \in \{0, 1\}^{(i-1)q}$ and $i \le r$. Finally, it holds that

$$\mathbb{E}\big[S(C_P, C_V)\big] = \mathop{\mathbb{E}}_{c_V \leftarrow C_V}\Big[\mathbb{E}\big[S(C_P, C_V) \mid C_V = c_V\big]\Big] \le \mathop{\mathbb{E}}_{c_V \leftarrow C_V}\big[2^{rq}\big] = 2^{rq}.$$

The claim follows. ∎
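The decoder of Fig. 3-5 and the counting argument behind Claim 3.4.6.1 and Eq. (3.10), as an added Python example that is not part of the thesis. It instantiates a toy $r$-round protocol with $q$-bit prover messages whose next-message functions are hash-derived (a constructed stand-in with no zero-knowledge or soundness property; the decoder is run on real rather than simulated partial transcripts, which is exactly the setting Claim 3.4.5.1 analyses), implements Dec's rejection sampling with the $2 \cdot 2^{rq} \cdot p$ iteration budget, and computes $\mathbb{E}[S(C_P, C_V) \mid C_V = c_V] = \sum_{c_P} Q_{c_P} \cdot (1/Q_{c_P}) = |\mathrm{Supp}(C_P \mid C_V = c_V)| \le 2^{(i-1)q}$ exactly by enumerating the prover's coin space. All names, parameter values and sample inputs are the example's own.

```python
import hashlib
import random

# Toy parameters (constructed for this example, not from the thesis):
# r rounds, q-bit prover messages, and a prover coin space small enough
# to enumerate exhaustively so that Q_{c_P} can be computed exactly.
R_ROUNDS = 3
Q_BITS = 2
COIN_BITS = 6

def _h(*parts) -> int:
    """Deterministic hash of the inputs; stands in for a next-message function."""
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def verifier_message(x, i, vcoins):
    """Toy V: its i-th message a_i is a q-bit value fixed by x, i and V's coins."""
    return _h("V", x, i, vcoins) % (1 << Q_BITS)

def prover_next_message(x, w, partial, pcoins):
    """Toy P next-message function b_i = P(x, w, (a_1, b_1, ..., a_i); rho)."""
    return _h("P", x, w, tuple(partial), pcoins) % (1 << Q_BITS)

def run_protocol(x, w, vcoins, pcoins):
    """Full transcript (a_1, b_1, ..., a_r, b_r) of (P(w), V)(x) under fixed coins."""
    t = []
    for i in range(1, R_ROUNDS + 1):
        t.append(verifier_message(x, i, vcoins))
        t.append(prover_next_message(x, w, t, pcoins))
    return t

def partial_minus(transcript, i):
    """C_i^-: (a_1, b_1, ..., b_{i-1}, a_i), round i without the prover's message."""
    return transcript[: 2 * i - 1]

def decode(x, w, i, c_minus, p, seed=0):
    """Dec of Fig. 3-5: rejection-sample prover coins rho that reproduce the
    prover messages in c_minus, then output P's i-th message under rho.
    Returns (v', iterations); v' is None (the figure's bottom symbol) when the
    2 * 2^{rq} * p iteration budget is exhausted."""
    rng = random.Random(seed)
    budget = 2 * (1 << (R_ROUNDS * Q_BITS)) * p
    for it in range(1, budget + 1):
        rho = rng.randrange(1 << COIN_BITS)
        prefix = []
        for j in range(1, i + 1):
            prefix.append(c_minus[2 * j - 2])            # a_j taken from c_minus
            b_j = prover_next_message(x, w, prefix, rho)
            if j == i:
                return b_j, it                            # coins consistent with c_minus
            if b_j != c_minus[2 * j - 1]:                 # disagrees with b_j in c_minus
                break
            prefix.append(b_j)
    return None, budget

def prover_prefix_counts(x, w, i, vcoins):
    """Fix the verifier's coins (hence c_V). For every prover coin rho record the
    prover prefix (b_1, ..., b_{i-1}) it produces; count / 2^COIN_BITS is exactly
    Q_{c_P} = Pr[C_P = c_P | C_V = c_V] = Pr_rho[rho in R_{c,P}] (Claim 3.4.6.1)."""
    counts = {}
    for rho in range(1 << COIN_BITS):
        cp = tuple(run_protocol(x, w, vcoins, rho)[1 : 2 * (i - 1) : 2])
        counts[cp] = counts.get(cp, 0) + 1
    return counts

def consistent_outputs(x, w, i, vcoins, c_minus):
    """All values of b_i produced by some rho that is consistent with c_minus."""
    outs = set()
    for rho in range(1 << COIN_BITS):
        t = run_protocol(x, w, vcoins, rho)
        if partial_minus(t, i) == c_minus:
            outs.add(t[2 * i - 1])
    return outs

def expected_iterations(x, w, i, vcoins):
    """E[S(C_P, C_V) | C_V = c_V] = sum_{c_P} Q_{c_P} * (1 / Q_{c_P}), the geometric
    calculation of Claim 3.4.5.1 evaluated exactly; it equals |Supp(C_P | C_V = c_V)|."""
    counts = prover_prefix_counts(x, w, i, vcoins)
    total = 1 << COIN_BITS
    return sum((k / total) * (total / k) for k in counts.values())

def support_size(x, w, i, vcoins):
    """|Supp(C_P | C_V = c_V)|, the bound that Eq. (3.10) rests on."""
    return len(prover_prefix_counts(x, w, i, vcoins))

if __name__ == "__main__":
    x, w, vcoins, i = "instance-0", "witness-0", 5, 3      # constructed sample values
    t = run_protocol(x, w, vcoins, 17)
    v, used = decode(x, w, i, partial_minus(t, i), 4, seed=1)
    print("decoded b_3 =", v, "after", used, "iterations")
    print("E[S | c_V] =", expected_iterations(x, w, i, vcoins),
          "<= 2^((i-1)q) =", 2 ** ((i - 1) * Q_BITS))
```

The enumeration makes the two halves of the proof visible side by side: `prover_prefix_counts` is the product-structure fact of Claim 3.4.6.1 (the success probability per iteration depends only on how many prover coins reproduce the prefix, with the verifier's coins factored out), and `expected_iterations` is the identity $\sum Q_{c_P} \cdot (1/Q_{c_P}) = |\mathrm{Supp}|$ that turns a per-prefix geometric variable into the support-size bound. Markov's inequality then gives the $1/(2p)$ failure probability for the budget in `decode`.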

3.4.3 Pseudoentropy - Proving Lemma 3.4.5

We will establish the pseudoentropy of the scheme in two steps. First, we will show that the prover's next-message function in the argument-system is unpredictable. This follows from the fact that if it were predictable in the case that $x \in \mathcal{L}$, then either it is similarly predictable in the case that $x \notin \mathcal{L}$ (in which case we break soundness) or we get a distinguisher between the case that $x \in \mathcal{L}$ and the case that $x \notin \mathcal{L}$ (thereby breaking the cryptographic hardness of $\mathcal{L}$). Our second step is to show that unpredictability of the prover's messages implies pseudoentropy. We show this using the framework of Vadhan and Zheng [VZ12], which we review next. After this review, we go back, in Section 3.4.3, to proving Lemma 3.4.5.

Unpredictability and Pseudoentropy

In order to show the pseudoentropy of our construction, we will leverage certain known connections between unpredictability and pseudorandomness. To that end, we use the framework of Vadhan and Zheng [VZ12], who consider a joint distribution $(Z, B)$ and define the unpredictability of $B$ given $Z$ as the inability of any efficient algorithm to generate a sample from a distribution that is close to $B \mid Z$ in the KL-divergence measure.

Definition 3.4.7 (KL-hard for sampling [VZ12, Definition 3.5]). Let $t = t(\kappa) \in \mathbb{N}$ and $\varepsilon = \varepsilon(\kappa) \in [0, 1]$. Let $Z = \{Z_\kappa\}_{\kappa \in \mathbb{N}}$ and $B = \{B_\kappa\}_{\kappa \in \mathbb{N}}$ be sequences of random variables such that $Z_\kappa$ and $B_\kappa$ are jointly distributed for every $\kappa \in \mathbb{N}$. We say that $B$ is $(t, \varepsilon)$-KL-hard for sampling given $Z$ if for every oracle-aided probabilistic sampling algorithm $D$ that on input $(1^\kappa, \cdot)$ runs in time $t(\kappa)$, for large enough $\kappa \in \mathbb{N}$, it holds that

$$\mathrm{KL}\Big((Z_\kappa, B_\kappa)\ \Big\|\ \big(Z_\kappa, D^{O_{Z_\kappa, B_\kappa}}(1^\kappa, Z_\kappa)\big)\Big) \ge \varepsilon(\kappa),$$

where $O_{Z_\kappa, B_\kappa}$ denotes an oracle that gives a random sample from $(Z'_\kappa, B'_\kappa)$ when queried, where $(Z'_\kappa, B'_\kappa)$ is identically distributed as $(Z_\kappa, B_\kappa)$.

For the necessity of the sampling oracle (and its notation) see the discussion following Definition 3.2.15. The work of Vadhan and Zheng [VZ12] shows a tight characterization of pseudoentropy in terms of the foregoing notion of unpredictability (i.e., KL-hardness for sampling). We only need one of the directions of their theorem, which we state below.

Theorem 3.4.8 (KL-hardness implies conditional pseudoentropy [VZ12, Lemma 3.7 and Theorem 3.11]). Let $t = t(\kappa) \in \mathbb{N}$, $\varepsilon = \varepsilon(\kappa) \in (0, 1]$, $\gamma = \gamma(\kappa) \in (0, 1]$, $Q = Q(\kappa) \in \mathbb{N}$ and $p = p(\kappa) \in \mathbb{N}$ such that $p = \mathrm{poly}(\kappa)$, and such that all the above parameters are computable in time $\mathrm{poly}(\kappa)$. Let $(Z, B)$ be jointly distributed $\{0, 1\}^{p(\kappa)} \times [Q(\kappa)]$-valued random variables and let $Z = \{Z_\kappa\}_{\kappa \in \mathbb{N}}$ and $B = \{B_\kappa\}_{\kappa \in \mathbb{N}}$. If $B$ is $(t, \gamma)$-KL-hard for sampling given $Z$, then $B$ has $(t', \varepsilon)$ conditional pseudoentropy at least $H(B \mid Z) + \gamma - \varepsilon$, for $t' = t(\kappa)/\mathrm{poly}(\kappa, Q, 1/\varepsilon)$.

Note that this theorem is applicable when $Q$, the support size of $B$, is rather small. In particular, we will only use this theorem for $Q$ which is polynomially bounded. Vadhan and Zheng [VZ12] used Theorem 3.4.8 to show that if $f : \{0, 1\}^n \to \{0, 1\}^n$ is one-way, then $U_n$ has $O(\log n)$ bits of pseudoentropy given $f(U_n)$. We will use Theorem 3.4.8 to show that the prover's messages in a laconic SZK argument with soundness error $s$ have roughly $O(\log(1/s))$ bits of pseudoentropy.^{27}

Footnote 27: The above holds when the argument-system has perfect completeness. In case completeness is imperfect,

Back to the Proof of Lemma 3.4.5

We need to show that the simulated prover's next message has high pseudoentropy given a random partial simulated transcript. The proof takes the following steps:

1. In Lemma 3.4.9 we show that for a random round, the prover's message in the argument-system is "KL-unpredictable", given the instance and the transcript thus far. Namely, that $B_I$ is KL-hard for sampling given $(X, I, C^-_I)$ (according to Definition 3.4.7);

2. In Lemma 3.4.10 we use Vadhan and Zheng's [VZ12] framework (via Theorem 3.4.8) to show that $B_I$ has high pseudoentropy given $(X, I, C^-_I)$;

3. Finally, using the zero-knowledge property of the argument-system, we argue that $B'_I$ (i.e., the next message produced by the simulator) has high pseudoentropy given $(X, I, C'^-_I)$.

The proofs of the first two steps are inspired by [VZ12, Section 4], where, as we mentioned above, it is shown that even given a random output of a one-way function, a random input (that the function maps to the given output) still has (relatively) high pseudoentropy. Interestingly, these steps can be interpreted as an application of [VZ12]'s result to Ostrovsky's [Ost91] one-way function.^{28} We proceed to accomplish the first step in the above outline. (In order to be more precise, in the next lemma we assume specific parameters for the cryptographic hardness of the language $\mathcal{L}$.)

Lemma 3.4.9. Let $c = c(\kappa) \in [0, 1]$, $s = s(\kappa) \in (0, 1]$ and $\gamma = \gamma(\kappa) \in [0, 1]$. Let $r = r(\kappa) \in \mathbb{N}$, and let $t = t(\kappa) \in \mathbb{N}$ be polynomially bounded. Assume that

1. $\mathcal{L}$ is a $(t, \gamma)$-cryptographically hard language;

2. $(P, V)$ is an $r$-round interactive argument system for $\mathcal{L}$ with completeness error $c$ and soundness error $s$; and

3. $1 - c > s + \gamma$, for all sufficiently large values of the security parameter $\kappa \in \mathbb{N}$.

Then, there is a polynomial $p$ such that for the function $t'(\kappa) = t(\kappa)/p(\kappa)$, the distribution $B_I$ is $(t', \frac{1}{r} \cdot \mathrm{KL}(1 - c \,\|\, s + \gamma))$-KL-hard for sampling given $(X, I, C^-_I)$.

Proof. Assume toward a contradiction that for every polynomial $p$ and $t'(\kappa) = t(\kappa)/p(\kappa)$, the distribution $B_I$ is not $(t', \mathrm{KL}(1 - c \,\|\, s + \gamma)/r)$-KL-hard for sampling given $(I, X, C^-_I)$.^{29} Recall that we use $O_{I', X', C^-_{I'}}$ to denote an oracle that generates a random round $I' \in [r]$, a random YES instance $X' \leftarrow Y_\mathcal{L}(1^\kappa)$ and a random transcript $C^-_{I'}$ of the argument system up to round $I'$ with respect to the instance $X'$ (namely, $(I', X', C^-_{I'})$ is identically distributed as $(I, X, C^-_I)$).

Footnote 27 (continued): the amount of pseudoentropy will be slightly different.

Footnote 28: Recall that Ostrovsky's [Ost91] one-way function maps an instance $x$, randomness $\rho$ for the simulator and a round $i$ to the transcript up to round $i$ generated by $\mathrm{Sim}(x; \rho)$.

Footnote 29: Observe that we have switched the order of $X$ and $I$. This minor change in notation is clearly equivalent but slightly more convenient for the current proof.

Fix some polynomial $p$, which will be specified below. Our assumption implies that there exist an infinite set of indices $\Lambda \subseteq \mathbb{N}$ and an oracle-aided algorithm $D$ that on input $(1^\kappa, i, x, c)$ runs in time $t'(\kappa) = t(\kappa)/p(\kappa)$ such that for every $\kappa \in \Lambda$, it holds that:

$$\mathrm{KL}\Big((I, X, C^-_I, B_I)\ \Big\|\ \big(I, X, C^-_I, D^{O_{I', X', C^-_{I'}}}(1^\kappa, I, X, C^-_I)\big)\Big) < \frac{1}{r} \cdot \mathrm{KL}\big(1 - c(\kappa) \,\|\, s(\kappa) + \gamma(\kappa)\big). \qquad (3.11)$$

We use $D$ to construct a distinguisher $D'$ that breaks the cryptographic hardness of $\mathcal{L}$. Roughly speaking, $D'$ executes the interactive argument between the honest verifier and a prover based on $D$. The distinguisher $D'$ accepts if and only if the verifier accepts. On YES instances, Eq. (3.11) yields that $D$'s outputs are close to the prover's actual responses, and so the verifier accepts with high probability. On the other hand, on NO instances, $D$ can be viewed as a cheating prover strategy and so, by the soundness of the argument system, the verifier will reject with high probability. Thus, $D'$ distinguishes between YES instances and NO instances efficiently. The actual proof below follows this intuition, while taking into account that Eq. (3.11) only guarantees that $D$ generates messages that are "close" to the prover's messages for a random round $I$.

Fix a sufficiently large $\kappa \in \Lambda$. To avoid cluttering the notation, in the sequel we omit $\kappa$. Consider the following distinguisher for breaking the cryptographic hardness of $\mathcal{L}$.

$D'$ on input $x$:

1. Sample uniformly random coins for $V$, denoted by $\rho$.
2. Set $c_0$ to be the empty string (corresponding to an empty transcript).
3. Repeat for $i = 1$ to $r$:
   (a) Set $a_i = V(x, c_{i-1}; \rho)$. That is, generate the $i$-th message $a_i$ of $V$ given the partial transcript $c_{i-1}$ for rounds $1, \ldots, i-1$ and random coins $\rho$.
   (b) Set $z_i = D^{O_{I', X', C^-_{I'}}}(i, x, c_{i-1}, a_i)$.
   (c) Set $c_i = (c_{i-1}, a_i, z_i)$.
4. Output 1 if $V(x, c_r; \rho)$ accepts, and 0 otherwise.

First, observe that the oracle $O_{I', X', C^-_{I'}}$ can be implemented in $\mathrm{poly}(\kappa)$ time: sample $(X', W') \leftarrow Y_\mathcal{L}$ and $I' \leftarrow [r]$, and return $X'$ and the first $I'$ rounds of $(P(W'), V)(X')$. It follows that there exists a polynomial $u$, independent of $D$, such that $D'$ can be implemented in $t'(\kappa) \cdot u(\kappa)$ time. Set $p = u$. Hence, $D'$ runs in time $t(\kappa)$. Next, we show that $D'$ can distinguish between instances that belong to $\mathcal{L}$ and ones that do not with gap at least $\gamma$. We first consider NO instances.

Claim 3.4.9.1 ($D'$ on NO instances). It holds that

$$\Pr\big[D'(\bar{X}) = 1\big] \le s, \qquad (3.12)$$

where $\bar{X} \leftarrow N_\mathcal{L}$ and the probability is also over the randomness of $D'$.

Proof. Observe that $D'(\bar{X})$ emulates an interaction between the honest verifier of the argument system and a "cheating prover" (as specified by $D$) on a random NO instance. Recall that the running time of $D'$ is $t(\kappa)$, which was assumed to be polynomial. The claim follows from the computational soundness of $V$.^{30} ∎

Next we consider YES-instances.

Claim 3.4.9.2 ($D'$ on YES instances). It holds that

$$\Pr\big[D'(X) = 1\big] > s + \gamma,$$

where $X \leftarrow Y_\mathcal{L}$ and the probability is also over the randomness of $D'$.

Proof. Denote by $Z_i$ the message chosen by $D$ in the $i$-th execution of Step 3b of $D'(X)$. Analogously to the definitions of $C_i$ and $C^-_i$, we define $\hat{C}_i = (A_1, Z_1, \ldots, A_i, Z_i)$ and $\hat{C}^-_i = (A_1, Z_1, \ldots, Z_{i-1}, A_i)$. We begin by showing that real transcripts (i.e., $C_r$) look "close" to those generated by $D'$ (i.e., $\hat{C}_r$). By the chain rule for divergence (Fact 3.2.11) it holds that

$$\begin{aligned}
\mathrm{KL}\big(X, C_r \ \|\ X, \hat{C}_r\big) &= \mathrm{KL}\big(X, A_1, B_1, \ldots, A_r, B_r \ \|\ X, A_1, Z_1, \ldots, A_r, Z_r\big) \\
&= \sum_{i=1}^{r} \mathop{\mathbb{E}}_{(x, c^-_i) \leftarrow (X, C^-_i)}\Big[\mathrm{KL}\big(B_i|_{X = x,\, C^-_i = c^-_i} \ \|\ Z_i|_{X = x,\, \hat{C}^-_i = c^-_i}\big)\Big] \\
&= \sum_{i=1}^{r} \mathrm{KL}\big(X, C^-_i, B_i \ \|\ X, C^-_i, Z_i\big),
\end{aligned}$$

where we use the chain rule in both of the last two equalities. Another application of the chain rule yields that

$$\begin{aligned}
\sum_{i=1}^{r} \mathrm{KL}\big(X, C^-_i, B_i \ \|\ X, C^-_i, Z_i\big) &= r \cdot \mathrm{KL}\big(I, X, C^-_I, B_I \ \|\ I, X, C^-_I, Z_I\big) \\
&\le r \cdot \mathrm{KL}\Big(I, X, C^-_I, B_I \ \Big\|\ I, X, C^-_I, D^{O_{I', X', C^-_{I'}}}(I, X, C^-_I)\Big) \\
&< \mathrm{KL}(1 - c \,\|\, s + \gamma),
\end{aligned}$$

and hence

$$\mathrm{KL}\big(X, C_r \ \|\ X, \hat{C}_r\big) < \mathrm{KL}(1 - c \,\|\, s + \gamma). \qquad (3.13)$$

Eq. (3.13) shows that a transcript simulated by D'(X) is close (in the KL divergence sense) to a transcript of an honest execution of the protocol on X. In the rest of the proof we use the completeness guarantee of the argument system to show that D'(X) outputs 1 with high probability. Consider the following (inefficient) random process F:

$F$ on input $(x, c = (a_1, b_1, \ldots, a_r, b_r))$:

1. Sample random coins for $V$, denoted by $\rho$, conditioned on $a_i = V(x, c_{i-1}; \rho)$ for every $i \in [r]$, where $c_i = (a_1, b_1, \ldots, a_i, b_i)$ (abort if no such $\rho$ exists).
2. Output 1 if $V(x, c; \rho)$ accepts, and 0 otherwise.

Footnote 30: In fact, the very same proof also shows that this claim holds even if the soundness guarantee was only average-case. See further discussion in Section 3.6.1.

We emphasize that $F$ is an inefficient process which will only be used for the analysis. By the data-processing inequality for divergence (Fact 3.2.12) it holds that:

$$\mathrm{KL}\big(X, C_r \ \|\ X, \hat{C}_r\big) \ge \mathrm{KL}\big(F(X, C_r) \ \|\ F(X, \hat{C}_r)\big). \qquad (3.14)$$

Define $\delta := \Pr[F(X, C_r) = 1]$ and $\delta' := \Pr[F(X, \hat{C}_r) = 1]$. Combining Eqs. (3.13) and (3.14) we obtain that

$$\mathrm{KL}(\delta \,\|\, \delta') < \mathrm{KL}(1 - c \,\|\, s + \gamma).$$

By assumption, $1 - c > s + \gamma$, and it is easy to verify that

$$\begin{aligned}
\delta = \Pr[F(X, C_r) = 1] &= \Pr\big[\mathrm{out}((P(W), V)(X)) = \mathrm{accept}\big] \\
&= \mathop{\mathbb{E}}_{(x, w) \leftarrow Y_\mathcal{L}}\Big[\Pr\big[\mathrm{out}((P(w), V)(x)) = \mathrm{accept}\big]\Big] \\
&\ge 1 - c,
\end{aligned}$$

where the inequality follows from the completeness condition of $(P, V)$.^{31} Thus, by an application of Fact 3.2.13 we obtain that $\delta' > s + \gamma$. Finally, by the definition of $F$ and the principle of deferred decisions,

$$\Pr[D'(X) = 1] = \Pr[F(X, \hat{C}_r) = 1] = \delta' > s + \gamma, \qquad (3.15)$$

which concludes the proof of the claim. ∎

Claims 3.4.9.1 and 3.4.9.2 show that $D'$ distinguishes between NO instances and YES instances with gap $\gamma$. Since $D'$ runs in time $t(\kappa)$, we obtain a contradiction to the $(t, \gamma)$-cryptographic hardness of $\mathcal{L}$. This completes the proof of Lemma 3.4.9. ∎
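The last step of Claim 3.4.9.2, as an added Python example that is not from the thesis: given $\delta \ge 1 - c > s + \gamma$ and the bound $\mathrm{KL}(\delta \,\|\, \delta') < \mathrm{KL}(1 - c \,\|\, s + \gamma)$ obtained from Eqs. (3.13) and (3.14), the smallest acceptance probability $\delta'$ compatible with the bound is located numerically by bisection over the binary divergence; it lands at $s + \gamma$ exactly when $\delta = 1 - c$ and strictly above it when $\delta > 1 - c$. The parameter values in the block are constructed. The two monotonicity properties the code relies on ($\mathrm{KL}(\delta \,\|\, x)$ decreases in $x$ on $(0, \delta]$, and for fixed $x$ increases in $\delta$ once $\delta > x$) are standard facts about the binary divergence, stated here as the example's own justification and not as the text of Fact 3.2.13, which is not on this page.

```python
import math

def binary_kl(a: float, b: float) -> float:
    """KL(a || b) between Bernoulli(a) and Bernoulli(b), in bits."""
    if not (0.0 <= a <= 1.0 and 0.0 < b < 1.0):
        raise ValueError("need 0 <= a <= 1 and 0 < b < 1")
    def term(p, q):
        return 0.0 if p == 0.0 else p * math.log2(p / q)
    return term(a, b) + term(1.0 - a, 1.0 - b)

def min_acceptance_on_simulated(delta, c, s, gamma, iters=200):
    """Smallest delta' in (0, delta] with KL(delta || delta') <= KL(1-c || s+gamma).
    For fixed delta, x -> KL(delta || x) is decreasing on (0, delta] (its derivative
    is (1-delta)/(1-x) - delta/x < 0 for x < delta), so the feasible set is an
    interval [delta'_min, delta] and bisection locates its left end point."""
    budget = binary_kl(1.0 - c, s + gamma)
    lo, hi = 1e-12, delta                  # hi is feasible since KL(delta || delta) = 0
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if binary_kl(delta, mid) <= budget:
            hi = mid
        else:
            lo = mid
    return hi

def acceptance_lower_bound(delta, c, s, gamma):
    """The claim's conclusion in numbers: under delta >= 1-c > s+gamma, every
    delta' obeying the divergence budget satisfies delta' >= s+gamma, because for
    x <= s+gamma we have KL(delta || x) >= KL(1-c || x) >= KL(1-c || s+gamma).
    Returns (numerical minimum of delta', the analytic floor s+gamma)."""
    if not (delta >= 1.0 - c > s + gamma):
        raise ValueError("hypotheses delta >= 1-c > s+gamma not met")
    return min_acceptance_on_simulated(delta, c, s, gamma), s + gamma

if __name__ == "__main__":
    # Constructed parameters: completeness error 0.1, soundness 0.3, gap 0.2.
    for delta in (0.9, 0.95, 1.0):
        lo, floor = acceptance_lower_bound(delta, 0.1, 0.3, 0.2)
        print(f"delta={delta}: smallest admissible delta' = {lo:.6f} (>= s+gamma = {floor})")
```

Running the block with $\delta = 1 - c$ shows the bound is tight (the budget is spent exactly at $\delta' = s + \gamma$); with $\delta$ closer to 1 the real transcript accepts more often, the same divergence budget buys less room, and the admissible $\delta'$ moves strictly above $s + \gamma$, which is the direction the claim needs.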

Lemma 3.4.9 shows that $B_I$ is KL-hard to sample given $(X, I, C^-_I)$. As our next step, we derive the implication that $B_I$ has additional $\mathrm{KL}(1 - c \,\|\, s)/r$ bits of pseudoentropy given $(X, I, C^-_I)$.

Lemma 3.4.10. $B_I$ has conditional pseudoentropy at least $H(B_I \mid X, I, C^-_I) + \mathrm{KL}(1 - c \,\|\, s)/r$ given $(X, I, C^-_I)$.

Proof. To prove the lemma, we need to show that $B_I$ has $(\kappa^d, 1/\kappa^d)$ conditional pseudoentropy at least

$$H(B_I \mid X, I, C^-_I) + \mathrm{KL}(1 - c \,\|\, s)/r - 1/\kappa^d$$

given $(X, I, C^-_I)$, for every constant $d > 0$.

Footnote 31: Similarly to the case in Claim 3.4.9.1, this holds even if the completeness guarantee was only average-case. See Section 3.6.1.


Fix a constant $d > 0$ and let $\gamma = 1/\kappa^{c_1}$ for some sufficiently large constant $c_1 > 0$ such that the following two conditions hold: $1 - c > s + \gamma$, and $1/\kappa^d > 2(1 - c) \cdot \gamma/(s \cdot r)$. Since by assumption $c, s > 0$ are constants and $r = \mathrm{poly}(\kappa)$, such a $c_1$ exists. Since $\mathcal{L}$ is cryptographically hard, in particular it is also $(\kappa^{c_1}, 1/\kappa^{c_1})$-cryptographically hard. Thus, Lemma 3.4.9 yields that $B_I$ is $(\kappa^{c_1 - c_2}, \mathrm{KL}(1 - c \,\|\, s + \gamma)/r)$-KL-hard for sampling given $(X, I, C^-_I)$, for some constant $c_2 > 0$. Furthermore, since the argument system for $\mathcal{L}$ is $O(\log \kappa)$-laconic, it follows that $B_I$ is a $[\kappa^{c_3}]$-valued random variable (i.e., it has a support of size $\kappa^{c_3}$) for some constant $c_3 > 0$. Theorem 3.4.8 now yields that $B_I$ has $(t', 1/\kappa^d - 2(1 - c) \cdot \gamma/(s \cdot r))$ conditional pseudoentropy at least

$$H(B_I \mid X, I, C^-_I) + \frac{\mathrm{KL}(1 - c \,\|\, s + \gamma)}{r} - \frac{1}{\kappa^d} + \frac{2(1 - c) \cdot \gamma}{s \cdot r}$$

given $(X, I, C^-_I)$, for $t'(\kappa) = \kappa^{(c_1 - c_2)/c_4 - c_5}$ and some constants $c_4, c_5 > 0$.

Note that $c_2$, $c_4$ and $c_5$ are independent of $c_1$. Thus, we can set $c_1$ such that $c_1 > (d + c_5) \cdot c_4 + c_2$. It follows that $t'(\kappa) > \kappa^d$ for every $\kappa \in \mathbb{N}$. Finally, Fact 3.2.14 yields that $\mathrm{KL}(1 - c \,\|\, s + \gamma) + 2(1 - c) \cdot \gamma/s \ge \mathrm{KL}(1 - c \,\|\, s)$. We conclude that $B_I$ has $(\kappa^d, 1/\kappa^d)$ conditional pseudoentropy at least $H(B_I \mid X, I, C^-_I) + \mathrm{KL}(1 - c \,\|\, s)/r - 1/\kappa^d$ given $(X, I, C^-_I)$, as required. ∎

We are now ready to formally prove Lemma 3.4.5.

Proof of Lemma 3.4.5. Immediately follows from Lemma 3.4.10, Proposition 3.2.16 and from the zero-knowledge property of the argument-system. $\square$

3.5 From Trapdoor Pseudoentropy Generator to Public-Key Encryption

In this section we show a general transformation from laconic trapdoor pseudoentropy generator to public-key encryption. Combined with the results of Section 3.4 we obtain our main result.

Lemma 3.5.1. Let $\kappa \in \mathbb{N}$ be a security parameter and let $\gamma = \gamma(\kappa) \in [0,1]$, $q = q(\kappa) \in \mathbb{N}$ and $n = n(\kappa) > 0$ with $n(\kappa) \in (0, q(\kappa)]$. Assume that there exists a $q$-laconic $n$-entropic trapdoor pseudoentropy generator scheme with correctness error $\gamma$ such that $q^3/n^2 = O(\log(\kappa))$ and $\gamma = o(n^2/q^2)$. Then, there exists a public-key encryption scheme.

Lemma 3.5.1 together with the main result of Section 3.4 (Lemma 3.4.3) immediately yield our main theorem.

Proof of Theorem 3.3.6 (given Lemma 3.5.1). Assume Assumption 3.3.5 holds for a language $\mathcal{L}$ with an $r$-round $q$-laconic SZK argument-system with completeness error $c$ and soundness error $s$ such that $r^2 \cdot q^3 = O(\log(\kappa))$. Further assume, without loss of generality, that $c, s > 0$ are constants (otherwise, $c$ or $s$ are vanishing, and we can set them to be any small constant we like). Set $\gamma(\kappa) = 1/\kappa$. By Lemma 3.4.3, there exists a $q$-laconic $n$-entropic trapdoor pseudoentropy generator scheme with correctness error $1/\kappa$, for $n = \Omega(\mathrm{KL}(1-c\|s)/r)$. Since we assumed that $r^2 \cdot q^3 = O(\log(\kappa))$ and that $c$ and $s$ are constants, it holds that

$$\frac{q^3}{n^2} = O\!\left(\frac{q^3 \cdot r^2}{\mathrm{KL}(1-c\|s)^2}\right) = O(\log(\kappa)) \qquad \text{and} \qquad \frac{n^2}{q^2} = \Omega\!\left(\frac{\mathrm{KL}(1-c\|s)^2}{q^2 \cdot r^2}\right).$$

Since $q \ge 1$, the second bound gives $n^2/q^2 = \Omega(1/\log(\kappa))$, and so $\gamma = 1/\kappa = o(n^2/q^2)$.

Thus, Lemma 3.5.1 yields the existence of public-key encryption.

The rest of the section is dedicated to proving Lemma 3.5.1. We first only establish the existence of a weak public-key encryption scheme - an encryption scheme whose correctness and security errors are constants rather than negligible. To obtain a full-fledged (i.e., semantically-secure) scheme we rely on a general amplification result due to Holenstein and Renner [HR05] (given in Theorem 3.2.2).

Section Outline. In Section 3.5.1 we present the technical tools used in our construction. In particular, we define the notion of typical set and that of smooth min-entropy. In Section 3.5.2, we give the construction of our weak public-key encryption scheme. We also state two lemmas showing, respectively, the security and correctness of the construction. We prove the correctness lemma in Section 3.5.3 and the security lemma in Section 3.5.4. Actually, the construction in Section 3.5.2 assumes we have access to (an approximation of) some statistical property of the underlying hard language. In Section 3.5.5 we get rid of this assumption by showing an algorithm to estimate the required statistical property. Finally, in Section 3.5.6, we formally prove Lemma 3.5.1.

3.5.1 Technical Tools

In this section we present the technical tools used to prove Lemma 3.5.1.

Typical Sets and Flattening Distributions

At the heart of our construction lies the notion of a typical set for repeated samples of a random variable. Loosely speaking, for a $k$-fold product repetition of a random variable $B$, the typical set contains the values whose probability mass is close to $2^{-k \cdot H(B)}$.

Definition 3.5.2 (Typical Set). Let $B$ be a random variable over $\mathcal{B}$, let $k \in \mathbb{N}$ and $\delta \in [0, \log(|\mathcal{B}|)]$. The $\delta$-typical set of $B^k$ is defined as

$$\mathcal{T}^{\delta}_{B^k} = \left\{ b \in \mathcal{B}^k : \Pr[B^k = b] \in \left[ 2^{-k \cdot (H(B)+\delta)},\; 2^{-k \cdot (H(B)-\delta)} \right] \right\}.$$

We will care about the typical set of the k-fold product repetition of a random variable B, jointly distributed with an additional random variable Z.

Definition 3.5.3 (Conditional Typical Set). Let $(Z, B)$ be a joint distribution over $\mathcal{Z} \times \mathcal{B}$ and let $(Z^k, B^k)$ be its $k$-fold product distribution (for some $k \in \mathbb{N}$). For a fixed $z \in \mathrm{Supp}(Z^k)$ and $\delta > 0$, the $\delta$-typical set of $B^k|_z$ is defined as

$$\mathcal{T}^{\delta}_{B^k|z} = \left\{ b \in \mathrm{Supp}(B^k) : \Pr[B^k = b \mid Z^k = z] \in \left[ 2^{-k \cdot (H(B|Z)+\delta)},\; 2^{-k \cdot (H(B|Z)-\delta)} \right] \right\}.$$

We emphasize that the range of values that $\Pr[B^k = b \mid Z^k = z]$ is allowed to have (to be in the typical set) depends on $H(B|Z)$ (rather than $H(B|Z = z)$). By definition, the typical set is close to "uniform" - the probability mass of each element is close to $2^{-k \cdot H(B|Z)}$. In addition, since $\Pr[B^k = b \mid Z^k = z] \ge 2^{-k \cdot (H(B|Z)+\delta)}$ for every $b \in \mathcal{T}^{\delta}_{B^k|z}$, it holds that the typical set is relatively small: $|\mathcal{T}^{\delta}_{B^k|z}| \le 2^{k \cdot (H(B|Z)+\delta)}$. An extremely useful property of the typical set of a $k$-fold product repetition is that most of the probability mass actually lies inside the typical set, as shown by the following lemma:

Lemma 3.5.4 ([HR11, Theorem 2]). Let $(Z, B)$ be a joint distribution over $\mathcal{Z} \times \mathcal{B}$ and let $(Z^k, B^k)$ be its $k$-fold product distribution (for some $k \in \mathbb{N}$). For any $\delta \in [0, \log(|\mathcal{B}|)]$ it holds that

$$\Pr_{(z, b) \leftarrow (Z^k, B^k)} \left[ b \notin \mathcal{T}^{\delta}_{B^k|z} \right] \le 2^{-\frac{k \cdot \delta^2}{2 \log^2(|\mathcal{B}|+3)}}.$$

Loosely speaking, this means that for sufficiently large $k$, the $k$-fold product repetition of a random variable $B$ looks like a uniform distribution over a set of size $2^{k \cdot H(B)}$. This result is commonly referred to in the literature on SZK as the "flattening" of a distribution (e.g., [GV99]), and in the literature of information theory as the "Asymptotic Equipartition Property".
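As an added illustration of Definition 3.5.2 and Lemma 3.5.4 (example code written for this page, not part of the thesis), the following Python snippet enumerates the $k$-fold repetition of a small constructed distribution $B$ over $\{0,1,2\}$ with probabilities $(1/2, 1/4, 1/4)$, collects the $\delta$-typical set, and compares the mass outside it and the set's size against the bounds $2^{-k\delta^2/(2\log^2(|\mathcal{B}|+3))}$ and $2^{k(H(B)+\delta)}$ from the text. The distribution, $\delta = 0.3$ and the values of $k$ are the example's own choices.

```python
import math
from itertools import product


def entropy(p):
    """Shannon entropy (in bits) of a probability vector."""
    return -sum(x * math.log2(x) for x in p if x > 0)


def typical_set(p, k, delta):
    """delta-typical set of B^k (Definition 3.5.2) for B with probability vector p.

    Enumerates all |B|^k tuples, so it is only meant for tiny parameters.
    Returns (typical set, probability mass lying outside the typical set).
    """
    h = entropy(p)
    lo = 2.0 ** (-k * (h + delta))   # smallest allowed probability mass
    hi = 2.0 ** (-k * (h - delta))   # largest allowed probability mass
    typical, mass_outside = set(), 0.0
    for b in product(range(len(p)), repeat=k):
        pr = 1.0
        for symbol in b:
            pr *= p[symbol]          # product distribution: independent coordinates
        if lo <= pr <= hi:
            typical.add(b)
        else:
            mass_outside += pr
    return typical, mass_outside


def mass_bound(support_size, k, delta):
    """Right-hand side of Lemma 3.5.4: 2^{-k delta^2 / (2 log^2(|B|+3))}."""
    return 2.0 ** (-(k * delta ** 2) / (2 * math.log2(support_size + 3) ** 2))


def size_bound(p, k, delta):
    """Upper bound 2^{k (H(B) + delta)} on the size of the typical set."""
    return 2.0 ** (k * (entropy(p) + delta))


def flattening_report(p, delta, ks):
    """For each k: |T|, its size bound, the mass outside T and the Lemma 3.5.4 bound."""
    rows = []
    for k in ks:
        typical, outside = typical_set(p, k, delta)
        rows.append({
            "k": k,
            "typical_size": len(typical),
            "size_bound": size_bound(p, k, delta),
            "mass_outside": outside,
            "mass_bound": mass_bound(len(p), k, delta),
        })
    return rows


if __name__ == "__main__":
    # Constructed example: B over {0,1,2} with H(B) = 1.5 bits and delta = 0.3.
    for row in flattening_report([0.5, 0.25, 0.25], 0.3, [4, 6, 8, 10]):
        print(row)
```

For this distribution a tuple with $j$ zeros has mass $2^{-(2k-j)}$, so membership in the typical set reduces to $j$ lying in $[0.2k, 0.8k]$ and the mass outside is a binomial tail that shrinks with $k$, which is the flattening effect the lemma quantifies; the constant in the exponent of Lemma 3.5.4 is loose for such tiny $k$, so the bound is far from tight here.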

Smooth Min-Entropy

We next introduce the notion of smooth conditional min-entropy. Loosely speaking, this notion means that the conditional distribution is statistically close to a distribution with high min-entropy. We formalize this notion below.

Definition 3.5.5 ($\epsilon$-Smooth Conditional Min-Entropy [RW05]). Let $X$ and $Y$ be (jointly) distributed random variables over $\mathcal{X} \times \mathcal{Y}$ and let $\epsilon > 0$. The $\epsilon$-smooth min-entropy of $X$ given $Y$ is defined as

$$H^{\epsilon}_{\infty}(X \mid Y) = \max_{\mathcal{E}} \; \min_{y \in \mathrm{Supp}(Y)} \; \min_{x \in \mathcal{X}} \; \log\left( \frac{1}{\Pr[X = x \wedge \mathcal{E} \mid Y = y]} \right),$$

where the maximum ranges over all events $\mathcal{E}$ with $\Pr[\mathcal{E}] \ge 1 - \epsilon$.

The distribution close to X with a high min-entropy is the distribution X conditioned on the event E. Next, we state a result due to Holenstein and Renner [HR11] which shows that the k-fold repetition of a distribution (X, Y) has smooth conditional min-entropy close to the conditional Shannon entropy (and not conditional min-entropy).

Theorem 3.5.6 ([HR11, Theorem 1]). Let $(X^k, Y^k)$ be the $k$-fold product repetition of $(X, Y)$ over $\mathcal{X}^k \times \mathcal{Y}^k$. Then, for any $\delta > 0$,

$$H^{\epsilon}_{\infty}(X^k \mid Y^k) \ge k \cdot (H(X|Y) - \delta),$$

where $\epsilon = 2^{-\frac{k \cdot \delta^2}{2 \log^2(|\mathcal{X}|+3)}}$.

(Theorem 3.5.6 is proven via the notion of typical sets and is in fact a corollary of Lemma 3.5.4.) In our security proof, we shall use the leftover hash lemma [HILL99]. Below, we state a variant that only needs high $\epsilon$-smooth min-entropy (rather than standard min-entropy).

Lemma 3.5.7 (Leftover Hash Lemma for $\epsilon$-Smooth Min-Entropy (c.f., [RW05, Theorem 1])). Let $\mathcal{H} = \{h : \{0,1\}^n \to \{0,1\}^m\}$ be a family of universal hash functions. Then, for any jointly distributed random variables $X$ and $Y$, such that $X$ is distributed over $\{0,1\}^n$, it holds that

$$\mathrm{SD}\big( (H(X), H, Y), (U_m, H, Y) \big) \le \epsilon + \frac{1}{2} \sqrt{2^{m - H^{\epsilon}_{\infty}(X \mid Y)}},$$

where $H \leftarrow \mathcal{H}$ and $U_m$ is distributed uniformly over $\{0,1\}^m$.

For sake of completeness, and since the actual statement of [RW05, Theorem 1] does not directly refer to universal hash functions, we give a full proof of Lemma 3.5.7 in Section 3.8.1. We also need the computational variant of E-smooth min-entropy, which is a natural extension of conditional pseudoentropy (Definition 3.2.15).

Definition 3.5.8 (Pseudo $\epsilon$-smooth min-entropy). Let $t = t(\kappa) \in \mathbb{N}$, $\gamma = \gamma(\kappa) \in [0,1]$, $\epsilon = \epsilon(\kappa) \in [0,1]$ and $m = m(\kappa) \in \mathbb{R}_{\ge 0}$. Let $X = \{X_\kappa\}_{\kappa \in \mathbb{N}}$ and $Y = \{Y_\kappa\}_{\kappa \in \mathbb{N}}$ be sequences of random variables such that $X_\kappa$ and $Y_\kappa$ are jointly distributed over $\mathcal{X}_\kappa \times \mathcal{Y}_\kappa$, for every $\kappa \in \mathbb{N}$. We say that $X$ has $(t, \gamma)$ conditional pseudo $\epsilon$-smooth min-entropy at least $m$ given $Y$ if for every probabilistic algorithm $A$ that on input $(1^\kappa, x, y)$ runs in time $t(\kappa)$, there are sequences of random variables $\{Z_\kappa\}_{\kappa \in \mathbb{N}}$ over $\mathcal{X}_\kappa$, jointly distributed with $X_\kappa, Y_\kappa$, such that the following hold for large enough $\kappa \in \mathbb{N}$:

1. $H^{\epsilon}_{\infty}(Z_\kappa \mid Y_\kappa) \ge m(\kappa)$;

2. It holds that

$$\left| \Pr[A(1^\kappa, X_\kappa, Y_\kappa) = 1] - \Pr[A(1^\kappa, Z_\kappa, Y_\kappa) = 1] \right| \le \gamma(\kappa),$$

where the above probabilities are over $X_\kappa, Y_\kappa, Z_\kappa$ and the random coins of $A$.

We say that $X$ has conditional pseudo $\epsilon$-smooth min-entropy at least $m$ given $Y$ if for every constant $c > 0$, the random variable $X$ has $(\kappa^c, 1/\kappa^c)$ conditional pseudo $\epsilon$-smooth min-entropy at least $m - 1/\kappa^c$ given $Y$.

The next lemma shows how conditional pseudo-entropy can be transformed into conditional pseudo $\epsilon$-smooth min-entropy by repetition. This is a fairly standard technique in the literature of constructing pseudorandom generators from any one-way functions (e.g., [HILL99, HRV13, VZ12]), and enables the use of the Leftover Hash Lemma in our application.

Lemma 3.5.9. Let $X = \{X_\kappa\}_{\kappa \in \mathbb{N}}$ and $Y = \{Y_\kappa\}_{\kappa \in \mathbb{N}}$ be sequences of random variables such that $X_\kappa$ and $Y_\kappa$ are jointly distributed over $\mathcal{X}_\kappa \times \mathcal{Y}_\kappa$, for every $\kappa \in \mathbb{N}$. Assume $X$ has conditional pseudoentropy at least $H(X|Y) + n$ given $Y$, for $n = n(\kappa) > 0$. Then, for any $\delta = \delta(\kappa) \in [0, \log(|\mathcal{X}|)]$ and every polynomial $k = k(\kappa)$, the sequence $X^k$ has conditional pseudo $\epsilon$-smooth min-entropy at least $k \cdot (H(X|Y) + n - \delta)$ given $Y^k$, for $\epsilon = 2^{-\frac{k \cdot \delta^2}{2 \log^2(|\mathcal{X}|+3)}}$, where $(X^k, Y^k)$ are the $k$-fold product repetition of $(X, Y)$.

Since previous statements transforming pseudo-entropy into a computational notion of min-entropy did not explicitly refer to the notion of $\epsilon$-smooth min-entropy, we give a full proof of Lemma 3.5.9 in Section 3.8.2.

3.5.2 Construction of Weak PKE

In this section, we describe our weak public-key encryption scheme. As usual, since the security parameter $\kappa$ will always be clear from the context, in the following we omit it from the notation. Assume that there exists a $q$-laconic $n$-entropic trapdoor pseudoentropy generator scheme $(\mathrm{KeyGen}', \mathrm{Enc}', \mathrm{Dec}')$ with correctness error $\gamma$. We first introduce (jointly distributed) random variables corresponding to a random execution of the trapdoor pseudoentropy generator scheme. Let $(PK, SK)$ be a public-key secret-key pair chosen by a random execution of $\mathrm{KeyGen}'(1^\kappa)$. Let $(U, V)$ be the messages returned by a random execution of $\mathrm{Enc}'(PK)$. Finally, let $V'$ be the message returned by a random execution of $\mathrm{Dec}'(PK, SK, U)$. As we previously mentioned, our weak public-key encryption scheme requires access to some statistical property of the pseudoentropy generator scheme. We will later show how to efficiently estimate this property (in Section 3.5.5). Specifically, we require access to (an approximation of) the entropy of the decoder's message given the public key, the secret key and the encoder's public message.

Definition 3.5.10. Let $\zeta = \zeta(\kappa) \ge 0$ and let $\mathrm{Ent}(1^\kappa)$ be an algorithm whose output is always in $[0, q(\kappa)]$. We say that $\mathrm{Ent}$ $\zeta$-approximates the entropy of $\mathrm{Dec}'$'s message if

$$\left| \mathrm{Ent}(1^\kappa) - H(V' \mid PK, SK, U) \right| \le \zeta(\kappa), \quad \text{for large enough } \kappa \in \mathbb{N}.$$

For now we will simply assume such an estimator Ent exists. Later, in Section 3.5.5, we will show how to efficiently implement Ent (by strongly relying on the laconism of the scheme).

Construction of Weak PKE. Our construction of a weak PKE depends on two parameters, $k = k(\kappa) \in \mathbb{N}$ and $\delta = \delta(\kappa) \in [0, q]$. The parameter $\delta$, which corresponds to the slackness in the definition of the typical set, will depend on the amount of pseudoentropy the encoder's private message has (i.e., $n$ bits). The parameter $k$, which corresponds to the number of repetitions that we need of the underlying trapdoor pseudoentropy generator scheme, will depend on $\delta$ and $q$. Let $\mathrm{Ent}$ be an estimation algorithm as defined above (see Definition 3.5.10), where the approximation factor is $\delta/4$. We begin with an overview of the construction (a formal description follows).

Keys: The public key is a vector of public keys of the underlying pseudoentropy generator scheme $pk = (pk_1, \ldots, pk_k)$ and a number $\ell = \mathrm{Ent}(1^\kappa)$. The secret key is a vector $sk = (sk_1, \ldots, sk_k)$ of the corresponding secret-keys of the underlying pseudoentropy generator scheme.

Encryption of bit $\sigma$: For every $j \in [k]$ sample $(u_j, v_j) \leftarrow \mathrm{Enc}'(pk_j)$. Set $u = (u_1, \ldots, u_k)$ and $v = (v_1, \ldots, v_k)$. Next, sample a universal hash function $h : \{0,1\}^{k \cdot q} \to \{0,1\}^{\lfloor k \cdot (\ell + \delta) \rfloor}$. The ciphertext consists of $u$, $h$, $h(v)$, a random bit-vector $s$ and a mask of the bit $\sigma$ with $\langle s, v \rangle$ (the latter is the inner product of $v$ with $s$), which we denote by $\sigma' = \sigma \oplus \langle s, v \rangle$.

Decryption of $(u, h, h(v), s, \sigma')$: Repeatedly sample $v' = (v'_1, \ldots, v'_k)$, where $v'_i \leftarrow \mathrm{Dec}'(pk_i, sk_i, u_i)$, until $h(v') = h(v)$ (namely, do rejection sampling to find the first vector $v'$ that matches the given hash value). If no such $v'$ is found, abort. Otherwise, output $\sigma' \oplus \langle s, v' \rangle$.

The formal description of the weak public-key encryption scheme is given in Fig. 3-6. Throughout this section we fix all the parameters as discussed above and denote

$$(\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec}) = (\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})_{\delta, k, q, \mathrm{KeyGen}', \mathrm{Enc}', \mathrm{Dec}', \mathrm{Ent}}.$$

Below we state the correctness and security lemmas, establishing these properties for our encryption scheme. The proofs of these lemmas are given in Sections 3.5.3 and 3.5.4, respectively. It is not yet clear that the current construction is efficient since it requires access to the entropy approximator algorithm (which we have not yet implemented). In Section 3.5.5 we show how to efficiently implement this approximator and in Section 3.5.6 we use this implementation with the following lemmas to argue that our construction is a public-key encryption scheme.

Lemma 3.5.11 (weak correctness). If $k \cdot \delta^2 \ge 3000 \cdot q^2$ and $k \cdot \gamma \le 2^{-6}$, then for sufficiently large $\kappa \in \mathbb{N}$ it holds that

$$\Pr\left[ \mathrm{Dec}(1^\kappa, sk, \mathrm{Enc}(1^\kappa, pk, \sigma)) = \sigma \right] \ge 1 - 2^{-5},$$

where the probability is over $\sigma \leftarrow \{0,1\}$, $(pk, sk) \leftarrow \mathrm{KeyGen}(1^\kappa)$, and the randomness of $\mathrm{Dec}$ and $\mathrm{Enc}$.

At a (very) high level, to prove the above lemma we show that the decryption algorithm manages to find v, the value the encryption algorithm used to mask the encrypted bit, with (constant) high probability. To do so we rely on the correctness property of the underlying trapdoor pseudoentropy generator.

Lemma 3.5.12 (weak security). If $k \cdot (n - 3\delta) \ge 14$, $k \cdot \delta^2 \ge 140 \cdot q^2$ and $16(q+2)^2 \cdot \gamma \le 9\delta^2$, then for every polynomial time adversary $A$ and sufficiently large $\kappa \in \mathbb{N}$ it holds that

$$\Pr\left[ A(1^\kappa, pk, \mathrm{Enc}(1^\kappa, pk, \sigma)) = \sigma \right] \le \frac{1}{2} + 2^{-5},$$

where the probability is over $\sigma \leftarrow \{0,1\}$, $(pk, \cdot) \leftarrow \mathrm{KeyGen}(1^\kappa)$ and the randomness of $\mathrm{Enc}$ and $A$.

At a high level, to prove the above lemma we use the pseudoentropy of the underlying trapdoor pseudoentropy generator scheme to argue (together with the Leftover Hash Lemma) that the encrypted bit looks random to an adversary that does not have the secret key.

Figure 3-6: Public-Key Encryption from Trapdoor Pseudoentropy Generator

$(\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})_{\delta, k, q, \mathrm{KeyGen}', \mathrm{Enc}', \mathrm{Dec}', \mathrm{Ent}}$

Parameters: $\delta = \delta(\kappa) \in [0, q(\kappa)]$, $k = k(\kappa) \in \mathbb{N}$ with $k = \mathrm{poly}(\kappa)$, with $k(\kappa) \cdot \delta(\kappa) \ge 32$.

Algorithms:
- $(\mathrm{KeyGen}', \mathrm{Enc}', \mathrm{Dec}')$: $q(\kappa)$-laconic $n(\kappa)$-entropic trapdoor pseudoentropy generator scheme with correctness error $\gamma(\kappa)$
- $\mathrm{Ent}$: $(\delta/4)$-approximator for the entropy of $V'$ given $PK, SK, U$ (see note (a) below)

$\mathrm{KeyGen}(1^\kappa)$:
1. For $j \in [k]$, sample $(pk_j, sk_j) \leftarrow \mathrm{KeyGen}'(1^\kappa)$
2. Set $\ell = \mathrm{Ent}(1^\kappa)$
3. Set $pk = ((pk_1, \ldots, pk_k), \ell)$ and $sk = (sk_1, \ldots, sk_k)$
4. Output $(pk, sk)$

$\mathrm{Enc}(1^\kappa, pk, \sigma)$:
1. Compute $\delta = \delta(\kappa)$, $k = k(\kappa)$ and $q = q(\kappa)$
2. Interpret $pk = ((pk_1, \ldots, pk_k), \ell)$
3. For $j \in [k]$, sample $(u_j, v_j) \leftarrow \mathrm{Enc}'(1^\kappa, pk_j)$
4. Set $u = (u_1, \ldots, u_k)$ and $v = (v_1, \ldots, v_k)$
5. Sample $h \leftarrow \mathcal{H}_{k \cdot q, m}$ and $s \leftarrow \{0,1\}^{k \cdot q}$, for $m = \lfloor k \cdot (\ell + \delta) \rfloor$
6. Output $ct = (u, h, h(v), s, \sigma \oplus \langle s, v \rangle)$

$\mathrm{Dec}(1^\kappa, pk, sk, ct)$:
1. Compute $\delta = \delta(\kappa)$, $k = k(\kappa)$ and $q = q(\kappa)$
2. Interpret $pk = ((pk_1, \ldots, pk_k), \ell)$, $sk = (sk_1, \ldots, sk_k)$ and $ct = ((u_1, \ldots, u_k), h, z, s, \sigma')$
3. Repeat $10 \cdot 2^{k \cdot (\ell + \delta/2)}$ many times:
   (a) Compute $v = (v_1, \ldots, v_k) \in \{0,1\}^{k \cdot q}$ where $v_i \leftarrow \mathrm{Dec}'(pk_i, sk_i, u_i)$ for all $i$.
   (b) If $h(v) = z$, then set $v' = v$ and exit the loop.
4. If $v'$ was not set, output $\bot$. Otherwise, output $\sigma' \oplus \langle s, v' \rangle$.

(a) See Definition 3.5.10. Recall that $(PK, SK)$ are a pair of random keys chosen by $\mathrm{KeyGen}'$, $U$ is a random public message chosen by $\mathrm{Enc}'(PK)$ and $V'$ is a random output of $\mathrm{Dec}'(PK, SK, U)$.

By these two lemmas, a decryptor who has the secret-key can decrypt with probability that is close to 1, whereas an adversary, that only has the public key, can only decrypt with probability that is close to 1/2.
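To make the mechanics of Figure 3-6 concrete, here is an added Python implementation of the weak PKE (example code written for this page, not the thesis's own code). It plugs in a constructed stand-in for the trapdoor pseudoentropy generator: the public key is a random permutation $\pi$ of $\{0,1\}^q$ given as a table and the secret key is its inverse; $\mathrm{Enc}'$ outputs $u = \pi(w)$ and $v = w \oplus e$ for a random $w$ and sparse noise $e$; $\mathrm{Dec}'$ outputs $\pi^{-1}(u) \oplus e'$ with fresh noise. This stand-in has the shape the construction needs (the decoder can only sample $v'$ from the same conditional distribution, and $H(V' \mid PK, SK, U) = q \cdot h(\mathrm{NOISE}) > 0$, so the rejection sampling is really exercised) but it has no security at all, since the table is public; the code therefore only exhibits the correctness argument of Section 3.5.3: the universal hash family over GF(2), the $\lfloor k(\ell+\delta) \rfloor$-bit hash length, the inner-product mask and the $10 \cdot 2^{k(\ell+\delta/2)}$-iteration rejection-sampling loop. $\mathrm{Ent}$ is replaced by the exact entropy, which the toy lets us compute. The parameters (Q, NOISE, k, delta, seed) are chosen for a fast run, not to satisfy the asymptotic conditions of Lemmas 3.5.11 and 3.5.12.

```python
import math
import random

# --- Constructed stand-in for the trapdoor pseudoentropy generator (KeyGen', Enc', Dec') ---
# It has the shape the construction needs but NO security: pk is a public lookup table.
Q = 3        # q: bits per private message (the scheme is "laconic")
NOISE = 0.1  # each bit of the noise e is 1 with this probability


def h2(p):
    """Binary entropy function h(p), in bits."""
    return 0.0 if p in (0.0, 1.0) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def keygen_prime(rng):
    """pk = a random permutation pi of {0,1}^Q (as a table), sk = its inverse table."""
    perm = list(range(2 ** Q))
    rng.shuffle(perm)
    inv = [0] * len(perm)
    for w, image in enumerate(perm):
        inv[image] = w
    return perm, inv


def sample_noise(rng):
    return sum(1 << i for i in range(Q) if rng.random() < NOISE)


def enc_prime(pk, rng):
    """Public message u = pi(w), private message v = w XOR e."""
    w = rng.randrange(2 ** Q)
    return pk[w], w ^ sample_noise(rng)


def dec_prime(pk, sk, u, rng):
    """The decoder inverts pi but can only *sample* the noise: v' = pi^{-1}(u) XOR e'."""
    return sk[u] ^ sample_noise(rng)


def ent():
    """Stands in for Ent(1^kappa): here H(V' | PK, SK, U) = Q * h(NOISE) exactly."""
    return Q * h2(NOISE)


# --- Universal hash family H_{k*q, m}: random m x (k*q) matrix over GF(2), vectors as ints ---
def parity(x):
    return bin(x).count("1") & 1


def sample_hash(rng, in_bits, out_bits):
    return [rng.getrandbits(in_bits) for _ in range(out_bits)]


def apply_hash(rows, x):
    return sum(parity(row & x) << i for i, row in enumerate(rows))


# --- The weak PKE of Figure 3-6 ---
def hash_length(ell, k, delta):
    return int(math.floor(k * (ell + delta)))          # m = floor(k (ell + delta))


def loop_iterations(ell, k, delta):
    return int(10 * 2 ** (k * (ell + delta / 2)))      # 10 * 2^{k (ell + delta/2)}


def keygen(k, rng):
    pairs = [keygen_prime(rng) for _ in range(k)]
    return ([p for p, _ in pairs], ent()), [s for _, s in pairs]


def enc(pk, sigma, k, delta, rng):
    pks, ell = pk
    us, v = [], 0
    for j in range(k):
        u_j, v_j = enc_prime(pks[j], rng)
        us.append(u_j)
        v |= v_j << (j * Q)                            # v = (v_1, ..., v_k), packed
    hrows = sample_hash(rng, k * Q, hash_length(ell, k, delta))
    s = rng.getrandbits(k * Q)
    return us, hrows, apply_hash(hrows, v), s, sigma ^ parity(s & v)


def dec(pk, sk, ct, k, delta, rng):
    pks, ell = pk
    us, hrows, z, s, sigma_masked = ct
    for _ in range(loop_iterations(ell, k, delta)):    # rejection sampling (Step 3)
        v = 0
        for i in range(k):
            v |= dec_prime(pks[i], sk[i], us[i], rng) << (i * Q)
        if apply_hash(hrows, v) == z:
            return sigma_masked ^ parity(s & v)
    return None                                        # RejSampFail: output bottom


def success_rate(trials, k=6, delta=1.5, seed=1):
    """Fraction of encrypted bits that decrypt correctly (constructed parameters)."""
    rng = random.Random(seed)
    ok = 0
    for t in range(trials):
        pk, sk = keygen(k, rng)
        sigma = t & 1
        ct = enc(pk, sigma, k, delta, rng)
        ok += dec(pk, sk, ct, k, delta, rng) == sigma
    return ok / trials


if __name__ == "__main__":
    print("hash length m =", hash_length(ent(), 6, 1.5), "of", 6 * Q, "input bits")
    print("decryption success rate:", success_rate(16))
```

With $k = 6$, $q = 3$ and $\delta = 1.5$ the hash is 17 bits long for an 18-bit $v$, so it is nearly injective and the loop almost always stops at $v$ itself after roughly $1/\Pr[V'^k = v]$ iterations; the rare decryption failures come from private messages whose noise pattern is so unlikely that the loop bound of Step 3 is exhausted, which is exactly the "non-typical $v'$" case that Claim 3.5.12.1 bounds.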

3.5.3 Correctness - Proving Lemma 3.5.11

We need to show that with high probability over the randomness of $\mathrm{KeyGen}$, $\mathrm{Enc}$ and $\mathrm{Dec}$, the decryption algorithm $\mathrm{Dec}$ returns the same value that was encrypted. Fix large enough $\kappa \in \mathbb{N}$ and $\sigma \in \{0,1\}$ and let $\delta = \delta(\kappa)$, $k = k(\kappa)$, $q = q(\kappa)$ and $\gamma = \gamma(\kappa)$. Let $L \leftarrow \mathrm{Ent}(1^\kappa)$, $M = \lfloor k \cdot (L + \delta) \rfloor$, $H \leftarrow \mathcal{H}_{k \cdot q, M}$, and $S \leftarrow \{0,1\}^{k \cdot q}$. By construction, our goal is to show that

$$\Pr\left[ \mathrm{Dec}\left( PK^k, L, SK^k, U^k, H, H(V^k), S, \sigma \oplus \langle S, V^k \rangle \right) = \sigma \right] \ge 1 - 2^{-5}, \tag{3.16}$$

where recall that $(PK^k, SK^k, U^k, V^k)$ are the $k$-fold product repetition of $(PK, SK) \leftarrow \mathrm{KeyGen}'(1^\kappa)$ and $(U, V) \leftarrow \mathrm{Enc}'(PK)$. Also recall that $V' \leftarrow \mathrm{Dec}'(PK, SK, U)$ is a jointly distributed random variable. Finally, recall that the public-key for our encryption scheme is the pair $(PK^k, L)$ (and thus $L$ appears next to $PK^k$ in the above expression). Our first step is to replace $V^k$ with $V'^k$ in the above equation. Since the correctness error of the underlying trapdoor pseudoentropy generator is at most $\gamma$ and by the triangle inequality for statistical distance, it holds that

$$\mathrm{SD}\left( (PK^k, SK^k, U^k, V^k), (PK^k, SK^k, U^k, V'^k) \right) \le k \cdot \mathrm{SD}\left( (PK, SK, U, V), (PK, SK, U, V') \right) \le k \cdot \gamma \le 2^{-6},$$

where the last inequality follows from the assumption of the lemma. Combined with Eq. (3.16) we obtain that

$$\Pr\left[ \mathrm{Dec}(PK^k, L, SK^k, U^k, H, H(V^k), S, \sigma \oplus \langle S, V^k \rangle) = \sigma \right] \ge \Pr\left[ \mathrm{Dec}(PK^k, L, SK^k, U^k, H, H(V'^k), S, \sigma \oplus \langle S, V'^k \rangle) = \sigma \right] - 2^{-6}. \tag{3.17}$$

Eq. (3.17) allows us to think, for sake of the analysis, that the encryption algorithm $\mathrm{Enc}$, rather than sampling using $\mathrm{Enc}'$ alone, samples the public message using $\mathrm{Enc}'$ - namely $(u, \cdot) \leftarrow \mathrm{Enc}'(pk)$ - and then the private message using $\mathrm{Dec}'$ and the secret-key (which it does not have) - namely $v' \leftarrow \mathrm{Dec}'(pk, sk, u)$. The rest of the proof proceeds as follows: First, we show that the message $v'$ sampled by the encryption algorithm (according to our new understanding of the encryption algorithm) is "typical", namely its probability mass is not too small. Put differently, $v'$ belongs to the typical set. Second, we show that $h$ is injective over the typical set. This holds by our choice for the output length of $h$ and since the typical set cannot be too large. Third, we show that the rejection sampling done in Step 3 of $\mathrm{Dec}$ - if successful (that is, exits the loop via Step 3b) - returns $v'$ with high probability. Indeed, since $h$ is injective over the typical set, every $v''$ with $h(v'') = h(v')$ cannot belong to the typical set, namely, must be sampled with only low probability. Finally, we argue that since there exists a typical element that hashes to $h(v')$ - namely $v'$ itself - the rejection sampling succeeds with high probability.

Our first step is to show that with high probability $v'$ belongs to the typical set. This is established in the following claim:

Claim 3.5.12.1 (w.h.p. $v'$ belongs to the typical set).

$$\Pr_{(pk, sk, u, v') \leftarrow (PK^k, SK^k, U^k, V'^k)} \left[ v' \notin \mathcal{T}^{\delta/4}_{V'^k|pk,sk,u} \right] \le 2^{-\frac{k \cdot \delta^2}{320 \cdot q^2}}.$$

Proof. Applying Lemma 3.5.4 with $Z = (PK, SK, U)$, $B = V'$, $k$ and $\delta/4$ yields that

$$\Pr_{(pk, sk, u, v') \leftarrow (PK^k, SK^k, U^k, V'^k)} \left[ v' \notin \mathcal{T}^{\delta/4}_{V'^k|pk,sk,u} \right] \le 2^{-\frac{k \cdot (\delta/4)^2}{2 \log^2(2^q + 3)}}.$$

The claim follows since $\log^2(2^q + 3) \le 10 \cdot q^2$ for $q \ge 1$ and since we assumed (in the statement of Lemma 3.5.11) that $1 \le k \cdot \delta^2 / (3000 \cdot q^2)$. $\square$

Next we show that with high probability there is a unique value inside the typical set that hashes to a given value.

Claim 3.5.12.2 (only $v'$ hashes to $h(v')$). Assume $v' \in \mathrm{Supp}(V'^k)$, $\ell \in \mathrm{Supp}(L)$ and let $m = \lfloor k \cdot (\ell + \delta) \rfloor$. Then, it holds that

$$\Pr_{h \leftarrow \mathcal{H}_{k \cdot q, m}} \left[ \exists v \in \mathcal{T}^{\delta/4}_{V'^k|pk,sk,u} \text{ such that } v \ne v' \text{ and } h(v) = h(v') \right] \le 2^{-k \cdot \delta/4}.$$

Proof. Note that the size of the typical set is small. Specifically, it holds that

$$\left| \mathcal{T}^{\delta/4}_{V'^k|pk,sk,u} \right| \le 2^{k \cdot (H(V' \mid PK, SK, U) + \delta/4)} \le 2^{k \cdot (\ell + \delta/2)},$$

where the first inequality follows since every element in the typical set has probability mass at least $2^{-k \cdot (H(V' \mid PK, SK, U) + \delta/4)}$ and the second follows from the assumption that the $\mathrm{Ent}$ algorithm $(\delta/4)$-approximates the entropy $H(V' \mid PK, SK, U)$. Next, we use the properties of universal hashing to derive the claim. Intuitively, since our hash output is $\lfloor k \cdot (\ell + \delta) \rfloor$ bits long, the size of the output domain is larger than that of the typical set by a factor of roughly $2^{k \cdot \delta/2}$. We can now apply a union bound to prove an upper bound on the collision probability. Formally, let $v \ne v'$ with $v \in \mathcal{T}^{\delta/4}_{V'^k|pk,sk,u}$. Since $h$ is chosen from a family of universal hash functions, it holds that $\Pr_{h \leftarrow \mathcal{H}_{k \cdot q, m}}[h(v) = h(v')] \le 2^{-\lfloor k \cdot (\ell + \delta) \rfloor}$. Applying the union bound over the typical set yields that:

$$\Pr_{h \leftarrow \mathcal{H}_{k \cdot q, m}} \left[ \exists v \in \mathcal{T}^{\delta/4}_{V'^k|pk,sk,u} \text{ such that } v \ne v' \text{ and } h(v) = h(v') \right] \le \left| \mathcal{T}^{\delta/4}_{V'^k|pk,sk,u} \right| \cdot 2^{-\lfloor k \cdot (\ell + \delta) \rfloor} \le 2^{k \cdot (\ell + \delta/2)} \cdot 2^{-k \cdot (\ell + \delta) + 1} \le 2^{-k \cdot \delta/2 + 1}.$$

The claim now follows since by assumption $1 \le k \cdot \delta/4$. $\square$

The next claim shows that if the rejection sampling succeeds, it returns an element in the typical set with high probability. It does so by showing that the output distribution of the rejection sampling is identical to that of $\mathrm{Dec}$. Let $W$ be the random variable, jointly distributed with $PK^k, SK^k, U^k, V'^k, L, H$ and $S$, distributed as the value of $v'$ at the end of the loop in Step 3 in a random execution of $\mathrm{Dec}(PK^k, L, SK^k, U^k, H, H(V'^k), S, \sigma \oplus \langle S, V'^k \rangle)$. Let $\mathrm{RejSampFail}$ be the event that the rejection sampling in Step 3 fails in the same random execution of $\mathrm{Dec}$, i.e., no $v$ that hashes to the given hash value is found in all the iterations.

Claim 3.5.12.3 ($v'$ and $v$ are identically distributed when rejection sampling succeeds). Let $(pk, sk, u) \in \mathrm{Supp}(PK^k, SK^k, U^k)$. Then,

$$\left( V'^k \,\middle|\, PK^k = pk, SK^k = sk, U^k = u \right) \equiv \left( W \,\middle|\, PK^k = pk, SK^k = sk, U^k = u, \neg\mathrm{RejSampFail} \right).$$

Proof. The proof of this claim follows from the fact that for any random variable $A$ and any function $f$ over $\mathrm{Supp}(A)$, sampling from $A$ can be done by first sampling $b \leftarrow f(A)$ and then sampling $A|_{f(A) = b}$. Fix $h \in \mathrm{Supp}(H)$ and let $z \leftarrow h(V'^k)$. Since we conditioned on $\neg\mathrm{RejSampFail}$, the principle of deferred decision and the definition of $\mathrm{Dec}$ imply that

$$\left( W \,\middle|\, PK^k = pk, SK^k = sk, U^k = u, H = h, \neg\mathrm{RejSampFail} \right) \equiv \left( V'^k \,\middle|\, PK^k = pk, SK^k = sk, U^k = u, H = h, h(V'^k) = z \right).$$

Since the above holds for any fixing of h, the claim follows.

The final claim before proving Lemma 3.5.11 shows that if $v'$ belongs to the typical set, then the rejection sampling succeeds.

Claim 3.5.12.4. It holds that

$$\Pr\left[ \mathrm{RejSampFail} \,\middle|\, V'^k \in \mathcal{T}^{\delta/4}_{V'^k|PK^k, SK^k, U^k} \right] \le 2^{-10}.$$

(A note about notation: in the term "$V'^k \in \mathcal{T}^{\delta/4}_{V'^k|PK^k, SK^k, U^k}$", the first $V'^k$ that appears to the left of the "$\in$" symbol and $PK^k, SK^k, U^k$ are all random variables, part of the joint distribution over which the probability is taken. However, the second $V'^k$, which appears in the subscript of the typical set, is not a random variable, but rather a part of our notation for the typical set of the random variable $V'^k$. Until now we managed to avoid this notation overload by restricting the probability space to only be over the random variables $(PK^k, SK^k, U^k, V'^k)$, for example as we did in Claim 3.5.12.1. Here and below, it will be more convenient not to restrict the probability space.)

Proof. Fix any $(pk, sk, u, v') \in \mathrm{Supp}(PK^k, SK^k, U^k, V'^k)$ such that $v' \in \mathcal{T}^{\delta/4}_{V'^k|pk,sk,u}$ and any $(\ell, h, s) \in \mathrm{Supp}(L, H, S)$. Consider a random execution of $\mathrm{Dec}$ with these fixed values. By construction, the probability of a single iteration of the loop in Step 3 succeeding is given by $\Pr_{v \leftarrow V'^k|_{pk,sk,u}}[h(v) = h(v')]$. It holds that

$$\Pr_{v \leftarrow V'^k|_{pk,sk,u}}[h(v) = h(v')] \ge \Pr_{v \leftarrow V'^k|_{pk,sk,u}}[v = v'] \ge 2^{-k \cdot (H(V' \mid PK, SK, U) + \delta/4)} \ge 2^{-k \cdot (\ell + \delta/2)},$$

where the second inequality follows since $v' \in \mathcal{T}^{\delta/4}_{V'^k|pk,sk,u}$ and from the definition of the typical set (Definition 3.5.3), and the third inequality follows from the assumption that the $\mathrm{Ent}$ algorithm $(\delta/4)$-approximates the entropy $H(V' \mid PK, SK, U)$.

So, the failure probability of each loop iteration is at most $1 - 2^{-k \cdot (\ell + \delta/2)}$. Hence, the probability that all $10 \cdot 2^{k \cdot (\ell + \delta/2)}$ independent iterations fail is at most

$$\left( 1 - 2^{-k \cdot (\ell + \delta/2)} \right)^{10 \cdot 2^{k \cdot (\ell + \delta/2)}} \le 2^{-10},$$

where we used that $(1 - \frac{1}{x})^x \le e^{-1} \le 2^{-1}$.

The claim now follows since the above failure probability holds for any fixing of $(pk, sk, u, v')$ such that $v' \in \mathcal{T}^{\delta/4}_{V'^k|pk,sk,u}$ and $(\ell, h, s)$. $\square$

Equipped with Claims 3.5.12.1 to 3.5.12.4 we can now complete the proof of Lemma 3.5.11. We say that the event $\mathrm{Coll}$ occurs when $H(V'^k)$ has at least two pre-images inside the typical set; that is, $\left| \mathcal{T}^{\delta/4}_{V'^k|PK^k, SK^k, U^k} \cap H^{-1}(H(V'^k)) \right| \ge 2$. (Here and below we again overload the notation of "$V'^k$"; see the text following Claim 3.5.12.4 for a discussion.) By construction it holds that

$$\Pr\left[ \mathrm{Dec}(PK^k, L, SK^k, U^k, H, H(V'^k), S, \sigma \oplus \langle S, V'^k \rangle) = \sigma \,\middle|\, V'^k \in \mathcal{T}^{\delta/4}_{V'^k|PK^k, SK^k, U^k} \wedge W \in \mathcal{T}^{\delta/4}_{V'^k|PK^k, SK^k, U^k} \wedge \neg\mathrm{Coll} \wedge \neg\mathrm{RejSampFail} \right] = 1.$$

Indeed, -Coll implies that there is only one element in the typical set that hashes to the given value, while -RejSampFail implies that both V'k and W hash to that value. Since we also condition on both V'k and W being in the typical set, they must be equal. Finally, by construction, that V'k and W are equal implies that the decryption algorithm will succeed in decrypting the message correctly.

Hence,

$$\begin{aligned}
& \Pr\left[ \mathrm{Dec}(PK^k, L, SK^k, U^k, H, H(V'^k), S, \sigma \oplus \langle S, V'^k \rangle) = \sigma \right] \\
& \ge \Pr\left[ V'^k \in \mathcal{T}^{\delta/4}_{V'^k|PK^k, SK^k, U^k} \wedge W \in \mathcal{T}^{\delta/4}_{V'^k|PK^k, SK^k, U^k} \wedge \neg\mathrm{Coll} \wedge \neg\mathrm{RejSampFail} \right] \\
& \ge 1 - \Pr\left[ W \notin \mathcal{T}^{\delta/4}_{V'^k|PK^k, SK^k, U^k} \right] - \Pr[\mathrm{Coll}] - \Pr\left[ V'^k \notin \mathcal{T}^{\delta/4}_{V'^k|PK^k, SK^k, U^k} \right] - \Pr\left[ \mathrm{RejSampFail} \,\middle|\, V'^k \in \mathcal{T}^{\delta/4}_{V'^k|PK^k, SK^k, U^k} \right] \\
& \overset{(*)}{\ge} 1 - 2 \cdot \Pr_{(pk, sk, u, v') \leftarrow (PK^k, SK^k, U^k, V'^k)}\left[ v' \notin \mathcal{T}^{\delta/4}_{V'^k|pk,sk,u} \right] - 2^{-k \cdot \delta/4} - 2^{-10} \\
& \ge 1 - 2 \cdot 2^{-\frac{k \cdot \delta^2}{320 \cdot q^2}} - 2^{-k \cdot \delta/4} - 2^{-10} \\
& \overset{(**)}{\ge} 1 - 2^{-9+1} - 2^{-8} - 2^{-10} \ge 1 - 2^{-6},
\end{aligned} \tag{3.19}$$

where $(*)$ follows from Claims 3.5.12.2 to 3.5.12.4, the next inequality follows from Claim 3.5.12.1, and $(**)$ follows by the assumptions that $1 \le k \cdot \delta^2 / (3000 \cdot q^2)$ and $k \cdot \delta \ge 32$. Combining Eq. (3.19) with Eq. (3.17) implies that Eq. (3.16) holds. That is,

$$\Pr\left[ \mathrm{Dec}\left( PK^k, L, SK^k, U^k, H, H(V^k), S, \sigma \oplus \langle S, V^k \rangle \right) = \sigma \right] \ge 1 - 2^{-5}.$$

This concludes the proof of Lemma 3.5.11.

3.5.4 Security - Proving Lemma 3.5.12

The proof relies on the fact that by assumption, $V$, a random private message of the encoder of the underlying trapdoor pseudoentropy generator, has pseudoentropy given $PK$ and $U$, a random public key and public message of the encoder of the underlying trapdoor pseudoentropy generator, respectively. By repetition, we can convert this pseudoentropy into pseudo min-entropy.

Claim 3.5.12.5. The conditional pseudo $\epsilon$-smooth min-entropy of $V^k$, given $PK^k, U^k$, is at least $k \cdot (H(V \mid PK, U) + n - \delta)$, where $\epsilon = 2^{-\frac{k \cdot \delta^2}{20 \cdot q^2}}$.

Proof. By assumption, $V$ has conditional pseudoentropy at least $H(V \mid PK, U) + n$ given $PK, U$. Lemma 3.5.9 yields that $V^k$ has conditional pseudo $\epsilon'$-smooth min-entropy at least $k \cdot (H(V \mid PK, U) + n - \delta)$ given $PK^k, U^k$, for $\epsilon' = 2^{-\frac{k \cdot \delta^2}{2 \log^2(2^q + 3)}}$. Since $2 \log^2(2^q + 3) \le 20 \cdot q^2$ for $q \ge 1$, it holds that $\epsilon \ge \epsilon'$. The claim follows since the $\epsilon$-smooth min-entropy increases with $\epsilon$ (i.e., $H^{\epsilon'}_{\infty}(Z) \le H^{\epsilon}_{\infty}(Z)$ for $\epsilon' \le \epsilon$). $\square$

Using the above claim we turn to prove Lemma 3.5.12, which shows that our encryption scheme is weakly secure. The proof follows from the leftover hash lemma and the pseudo min-entropy of $V^k \mid PK^k, U^k$.

Proof of Lemma 3.5.12. The proof is by a reduction. Given an algorithm $A$ that can decrypt with good probability, we construct a distinguisher $\hat{A}$ that distinguishes between $V^k$ and any random variable with high conditional $\epsilon$-smooth min-entropy. This contradicts Claim 3.5.12.5.

Fix large enough $\kappa \in \mathbb{N}$ and $\sigma \in \{0,1\}$ (see footnote 32) and let $\delta = \delta(\kappa)$, $k = k(\kappa)$, $q = q(\kappa)$, $\gamma = \gamma(\kappa)$ and $n = n(\kappa)$. Let $L \leftarrow \mathrm{Ent}(1^\kappa)$, $M = \lfloor k \cdot (L + \delta) \rfloor$, $H \leftarrow \mathcal{H}_{k \cdot q, M}$ and $S \leftarrow \{0,1\}^{k \cdot q}$. Assume toward a contradiction that the statement does not hold. Namely, that there exist a polynomial time algorithm $A$ and an infinite index set $\Lambda \subseteq \mathbb{N}$ such that for every $\kappa \in \Lambda$, it holds that

$$\Pr\left[ A(pk, \mathrm{Enc}(pk, \sigma)) = \sigma \right] = \Pr\left[ A(PK^k, L, U^k, H, H(V^k), S, \sigma \oplus \langle S, V^k \rangle) = \sigma \right] \ge \frac{1}{2} + 2^{-5}. \tag{3.20}$$

Moreover, by the assumptions of the lemma it holds that $k \cdot (n/2 - 1.5\delta) \ge 7$ and $\frac{k \cdot \delta^2}{20 \cdot q^2} \ge 7$. Thus

$$\frac{1}{2} + 2^{-5} \ge \frac{1}{2} + 2^{-7} + 2^{-7} + \frac{1}{\kappa^c} \ge \frac{1}{2} + 2^{-k \cdot (n/2 - 1.5\delta)} + 2^{-\frac{k \cdot \delta^2}{20 \cdot q^2}} + \frac{1}{\kappa^c},$$

for large enough $\kappa \in \mathbb{N}$ and some $c > 0$. Thus, for large enough $\kappa \in \Lambda$, it also holds that

$$\Pr\left[ A(PK^k, L, U^k, H, H(V^k), S, \sigma \oplus \langle S, V^k \rangle) = \sigma \right] \ge \frac{1}{2} + 2^{-k \cdot (n/2 - 1.5\delta)} + 2^{-\frac{k \cdot \delta^2}{20 \cdot q^2}} + \frac{1}{\kappa^c}. \tag{3.21}$$

Let $\epsilon = 2^{-\frac{k \cdot \delta^2}{20 \cdot q^2}}$. We use $A$ to break the conditional pseudo $\epsilon$-smooth min-entropy of $V^k$. Or, in other words, to distinguish between $V^k$ and any random variable with $\epsilon$-smooth min-entropy at least $k \cdot (H(V \mid PK, U) + n - \delta)$. Intuitively, Eq. (3.21) yields that $A$ can recover the encrypted bit $\sigma$ with "high" probability when it is masked by $V^k$ (namely, recovering $\sigma$ from $\sigma \oplus \langle S, V^k \rangle$ and $S$). In contrast, we next show that when $\sigma$ is encrypted using a random variable whose $\epsilon$-smooth min-entropy is at least $k \cdot (H(V \mid PK, U) + n - \delta)$, the algorithm $A$ can only recover $\sigma$ with "small" probability. Thus $A$ breaks the conditional pseudo $\epsilon$-smooth min-entropy of $V^k$.

Formally, let $Z = \{Z_\kappa\}_{\kappa \in \mathbb{N}}$ be a sequence of random variables over $\{0,1\}^{k \cdot q}$ such that

$$H^{\epsilon}_{\infty}(Z \mid PK^k, U^k) \ge k \cdot (H(V \mid PK, U) + n - \delta) - \frac{1}{\kappa^{c'}} \ge k \cdot (H(V \mid PK, U) + n - \delta) - 1, \tag{3.22}$$

for large enough $\kappa \in \mathbb{N}$ and for some $c' > 0$ to be determined by the analysis. Fix $\ell \in \mathrm{Supp}(L)$ and let $m = \lfloor k \cdot (\ell + \delta) \rfloor$. By the (generalized) leftover hash lemma (Lemma 3.5.7), Eq. (3.22) and since concatenating the inner product to a universal hash function is also a

$^{32}$ As in the correctness proof, we prove (the stronger statement) that the correctness of the decryption holds for any encrypted bit $\sigma \in \{0,1\}$, rather than a randomly chosen one.

universal hash function$^{33}$, it holds that

$$\Pr\left[ A(PK^k, \ell, U^k, H, S, H(Z), \sigma \oplus \langle S, Z \rangle) = \sigma \right] \le \Pr\left[ A(PK^k, \ell, U^k, H, S, R_m, \sigma \oplus R_1) = \sigma \right] + \frac{1}{2} \cdot 2^{-\left( H^{\epsilon}_{\infty}(Z \mid PK^k, U^k) - (m+1) \right)/2} + \epsilon, \tag{3.23}$$

where $R_m \leftarrow \{0,1\}^m$ and $R_1 \leftarrow \{0,1\}$. Recall that by the assumption on $\mathrm{Ent}$, it holds that $\ell \le H(V' \mid PK, SK, U) + \delta/4$. Moreover, since by assumption $\mathrm{SD}((PK, SK, U, V), (PK, SK, U, V')) \le \gamma$ and the pseudoentropy generator scheme is $q$-laconic, Fact 3.2.9 yields that

$$H(V' \mid PK, SK, U) \le H(V \mid PK, SK, U) + q \cdot \gamma + h(\gamma) \le H(V \mid PK, SK, U) + q \cdot \gamma + 2\sqrt{\gamma} \le H(V \mid PK, SK, U) + 3\delta/4,$$

where the second inequality follows since $h(\gamma) \le 2\sqrt{\gamma}$ for every $\gamma \in [0,1]$ and the third inequality follows from the assumption of the lemma, which implies $q \cdot \gamma + 2\sqrt{\gamma} \le (q+2)\sqrt{\gamma} \le 3\delta/4$. It follows that for large enough $\kappa$,

m

Furthermore, observe that

Pr [A (PKk, f, Uk, H,S,Rm,eoRi) = ]=Pr[A(PKk,f,Uk,H,S,Rm,R1)= a= (3.25)

Plugging Eqs. (3.24) and (3.25) into Eq. (3.23) yields that

$$\Pr\left[ A(PK^k, \ell, U^k, H, S, H(Z), \sigma \oplus \langle S, Z \rangle) = \sigma \right] \le \frac{1}{2} + 2^{-k \cdot (n/2 - 1.5\delta)} + \epsilon. \tag{3.26}$$

Consider the distinguisher $\hat{A}$ that on input $(1^\kappa, pk, u, v)$ sets $\ell = \mathrm{Ent}(1^\kappa)$ and $m = \lfloor k \cdot (\ell + \delta) \rfloor$, samples $h \leftarrow \mathcal{H}_{k \cdot q, m}$, $s \leftarrow \{0,1\}^{k \cdot q}$ and $\sigma \leftarrow \{0,1\}$, and outputs 1 iff $A(pk, \ell, u, h, s, h(v), \sigma \oplus \langle s, v \rangle) = \sigma$. By construction and Eqs. (3.21) and (3.26), it holds that

$$\Pr\left[ \hat{A}(PK^k, U^k, V^k) = 1 \right] - \Pr\left[ \hat{A}(PK^k, U^k, Z) = 1 \right] \ge \frac{1}{\kappa^c}, \tag{3.27}$$

for large enough $\kappa \in \Lambda$. Finally, since the running times of $A$ and $\mathrm{Ent}$ are polynomials, there exists $d > 0$ such that $\hat{A}$'s running time is at most $\kappa^d$. Set $c' = \max\{c, d\}$. We conclude that $V^k$ does not have $(\kappa^{c'}, 1/\kappa^{c'})$ conditional pseudo $\epsilon$-smooth min-entropy at least $k \cdot (H(V \mid PK, U) + n - \delta)$ given $PK^k, U^k$, a contradiction to Claim 3.5.12.5. Thus, there cannot exist an adversary $A$ as above for the encryption scheme. This concludes the proof of Lemma 3.5.12. $\square$

$^{33}$ Namely, the function $h'(x) = (h(x), \langle r, x \rangle)$, where $h \in \mathcal{H}_{qk, m}$ and $r \in \{0,1\}^{qk}$, is a universal hash function.

3.5.5 Implementing the Approximation Algorithm Ent

In Sections 3.5.2 to 3.5.4 we constructed and proved the correctness and security of a weak PKE scheme, assuming the existence of an algorithm approximating a statistical property of the trapdoor pseudoentropy generator. In this section, we show how to efficiently implement the needed approximation algorithm. Recall that the required algorithm (see Definition 3.5.10) is meant to approximate the entropy of the decoder's message in the underlying pseudoentropy generator scheme, given the public key, the secret key and the encoder's public message. We show how to implement such an entropy approximator for general random variables, assuming they can be sampled in a way that satisfies some efficiency requirements and have sufficiently small support. Naturally, the keys and the messages of the underlying pseudoentropy generator scheme satisfy these requirements. To describe the algorithm for estimating entropy, we first describe an algorithm that approximates the probability mass function (which we call the histogram) of an efficiently samplable distribution. The algorithm approximates the histogram by repeatedly sampling from the distribution and returning the empirical distribution constructed from these samples. Indeed, the key fact that we use is that the support size of the distribution is small (namely, polynomial in the security parameter). Note that such an algorithm can also be used to approximate the entropy of the distribution. In fact, this is how we implement the algorithm for approximating the entropy.

Lemma 3.5.13. Let $X = \{X_\kappa\}_{\kappa \in \mathbb{N}}$ and $Y = \{Y_\kappa\}_{\kappa \in \mathbb{N}}$ be sequences of random variables such that $X_\kappa$ and $Y_\kappa$ are jointly distributed over $\mathcal{X}_\kappa \times \mathcal{Y}_\kappa$. Assume that for every $y \in \mathrm{Supp}(Y_\kappa)$, it is possible to sample from the distribution $(X_\kappa \mid Y_\kappa = y)$ in $\mathrm{poly}(\kappa)$ time. Finally, let $\varepsilon, \delta : \mathbb{N} \to [0,1]$ be such that $\varepsilon = \varepsilon(\kappa)$ and $\delta = \delta(\kappa)$ are computable in $\mathrm{poly}(\kappa)$ time. Then, there exists a randomized algorithm Hist = Hist$^{(X,Y,\varepsilon,\delta)}$ that, when given input of the form $(1^\kappa, y)$ for $y \in \mathrm{Supp}(Y_\kappa)$, runs in time $\mathrm{poly}(\kappa, |\mathcal{X}_\kappa|, 1/\varepsilon(\kappa), \log(1/\delta(\kappa)))$ and returns a vector representing a distribution over $\mathcal{X}_\kappa$, such that for all sufficiently large $\kappa$ it holds that

$\Pr_{Q \leftarrow \mathrm{Hist}(1^\kappa, y)}\left[\mathrm{SD}\left(Q, (X_\kappa \mid Y_\kappa = y)\right) > \varepsilon(\kappa)\right] < \delta(\kappa).$

Proof. The algorithm Hist simply returns the empirical distribution of X|(Y= y).

Hist$^{(X,Y,\varepsilon,\delta)}$ on input $(1^\kappa, y)$:

1. Set $\varepsilon = \varepsilon(\kappa)$, $\delta = \delta(\kappa)$ and let $X = X_\kappa$, $\mathcal{X} = \mathcal{X}_\kappa$ and $Y = Y_\kappa$.
2. For every $x \in \mathcal{X}$, set $P_x = 0$.
3. Repeat $N = \lceil (|\mathcal{X}| + \log(1/\delta)) / (2\varepsilon^2) \rceil$ times: (a) Sample $x \leftarrow (X \mid Y = y)$. (b) Set $P_x = P_x + 1$.
4. Return the vector $(P_x / N)_{x \in \mathcal{X}}$.

It is easy to verify that the running time of Hist$^{(X,Y,\varepsilon,\delta)}$ is $\mathrm{poly}(\kappa, |\mathcal{X}|, 1/\varepsilon(\kappa), \log(1/\delta(\kappa)))$. Indeed, computing $\varepsilon = \varepsilon(\kappa)$ and $\delta = \delta(\kappa)$, and sampling from $(X \mid Y = y)$, can be done in $\mathrm{poly}(\kappa)$ time, and the loop has $O((|\mathcal{X}| + \log(1/\delta))/\varepsilon^2)$ iterations.

The correctness of the algorithm follows immediately from the following fact, showing that the empirical distribution computed from a large enough number of samples approximates the original distribution well.

Fact 3.5.14 (Folklore (see, e.g., [Gol17, Exercise 11.4])). Let $P$ be a distribution over $n$ elements and let $\hat{P}$ be the empirical distribution obtained from taking $N$ samples $P_1, \ldots, P_N$ from $P$, namely, $\hat{P}(i) = |\{j : P_j = i\}| / N$. Then, if $N \geq (n + \log(1/\delta)) / (2\varepsilon^2)$, it holds that

$\Pr\left[\mathrm{SD}(\hat{P}, P) > \varepsilon\right] < \delta.$

The following proof was communicated to us by John Wright [Wri17].

Proof. Assume without loss of generality that the distribution $P$ is over the elements $[n] = \{1, 2, \ldots, n\}$. By definition, $\mathrm{SD}(\hat{P}, P) > \varepsilon$ if and only if there exists $S \subseteq [n]$ such that $\hat{P}(S) - P(S) > \varepsilon$.

Fix $S \subseteq [n]$. Since $\hat{P}$ is the empirical distribution obtained from taking $N$ samples from $P$, it is easy to see that $\hat{P}(S)$ is identically distributed as $(Z_1 + \cdots + Z_N)/N$, where each $Z_i$ is an independent Bernoulli random variable which is $1$ with probability $P(S)$ and $0$ otherwise. Hence,

$\Pr\left[\hat{P}(S) - P(S) > \varepsilon\right] = \Pr\left[\tfrac{1}{N}\sum_{i=1}^{N} Z_i - P(S) > \varepsilon\right] \leq 2^{-2N\varepsilon^2}.$

Taking a union bound over all subsets $S$,

$\Pr\left[\mathrm{SD}(\hat{P}, P) > \varepsilon\right] = \Pr\left[\exists S \subseteq [n] : \hat{P}(S) - P(S) > \varepsilon\right] \leq \sum_{S \subseteq [n]} \Pr\left[\hat{P}(S) - P(S) > \varepsilon\right] \leq \delta,$

where the last inequality follows since $N \geq \lceil (n + \log(1/\delta))/(2\varepsilon^2) \rceil$. □

Applying Fact 3.5.14 with $n = |\mathcal{X}_\kappa|$, $\varepsilon$ and $\delta$ completes the proof of Lemma 3.5.13. □

We now turn to the main task of estimating the entropy of a random variable $X$ given another random variable $Y$; that is, approximating $H(X \mid Y)$. Our algorithm will repeatedly call the previous algorithm (Hist) to get approximations for the distribution $X \mid (Y = y)$, for randomly sampled $y$'s, and compute the entropy with respect to each such $y$ based on these approximations. Since the entropy with respect to each $y$ is bounded by the logarithm of the support size, Hoeffding's inequality tells us that the average of these entropies is concentrated around $H(X \mid Y)$. Hence, the average of the above entropies approximates the original entropy well.

Lemma 3.5.15. Let $X = \{X_\kappa\}_{\kappa \in \mathbb{N}}$ and $Y = \{Y_\kappa\}_{\kappa \in \mathbb{N}}$ be sequences of random variables such that $X_\kappa$ and $Y_\kappa$ are jointly distributed over $\mathcal{X}_\kappa \times \mathcal{Y}_\kappa$. Assume that it is possible to sample from $Y_\kappa$ in $\mathrm{poly}(\kappa)$ time, and that for every $y \in \mathrm{Supp}(Y_\kappa)$, it is also possible to sample from the distribution $(X_\kappa \mid Y_\kappa = y)$ in $\mathrm{poly}(\kappa)$ time. Finally, let $\varepsilon = \varepsilon(\kappa) > 0$ and $\delta = \delta(\kappa) \in (0,1]$ be computable in $\mathrm{poly}(\kappa)$ time. Then, there exists a randomized algorithm Ent = Ent$^{(X,Y,\varepsilon,\delta)}$ that on input $1^\kappa$ runs in time $\mathrm{poly}(\kappa, |\mathcal{X}_\kappa|, 1/\varepsilon(\kappa), 1/\delta(\kappa))$ and outputs a number in $[0, \log(|\mathcal{X}_\kappa|)]$ such that the following holds for large enough $\kappa \in \mathbb{N}$:

$\Pr\left[\left|\mathrm{Ent}(1^\kappa) - H(X_\kappa \mid Y_\kappa)\right| > \varepsilon\right] < \delta.$

Proof. Consider the following algorithm.

Ent$^{(X,Y,\varepsilon,\delta)}$ on input $1^\kappa$:

1. Set $\varepsilon = \varepsilon(\kappa)$, $\delta = \delta(\kappa)$ and let $X = X_\kappa$, $\mathcal{X} = \mathcal{X}_\kappa$ and $Y = Y_\kappa$.
2. Set $\varepsilon' = \left(\frac{\varepsilon}{4(\log(|\mathcal{X}|) + 2)}\right)^2$, $T = \left\lceil \frac{\log(4/\delta) \cdot \log^2(|\mathcal{X}|)}{2(\varepsilon/2)^2} \right\rceil$ and $\delta' = \min\{\delta/(2T), \varepsilon'\}$.
3. For $i = 1$ to $T$: (a) Sample $y_i \leftarrow Y$. (b) Sample $\hat{P}_i \leftarrow \mathrm{Hist}^{(X,Y,\delta',\delta')}(1^\kappa, y_i)$. (c) Set $Z_i = H(\hat{P}_i) = \sum_{x \in \mathcal{X}} \hat{P}_i(x) \cdot \log(1/\hat{P}_i(x))$.
4. Return $\frac{1}{T} \cdot \sum_{i=1}^{T} Z_i$.
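The Hist algorithm (with the sample count of Fact 3.5.14) and the Ent algorithm above, as an added Python example that is not code from the thesis: the joint distribution of (X, Y) is constructed for the demo, all function names are assumptions, and since the theoretical N and T are far too large to run in practice, the demo passes its own reduced sample counts while the theoretical parameters are computed separately.

```python
"""Empirical-histogram (Hist) and conditional-entropy (Ent) estimators.

Added example, not the thesis's own code.  The joint distribution of (X, Y)
below is constructed for the demo; the function names are assumptions.
"""
import math
import random
from collections import Counter


def hist_sample_count(support_size, eps, delta):
    """N >= (n + log(1/delta)) / (2 eps^2) from Fact 3.5.14 (logs in base 2)."""
    return math.ceil((support_size + math.log2(1.0 / delta)) / (2.0 * eps * eps))


def ent_parameters(support_size, eps, delta):
    """Step 2 of Ent: eps', T and delta' as functions of |X|, eps and delta."""
    log_x = math.log2(support_size)
    eps_prime = (eps / (4.0 * (log_x + 2.0))) ** 2
    # Hoeffding over T terms in [0, log|X|] with deviation eps/2 gives
    # 2 * 2^(-2T(eps/2)^2 / log^2|X|); T makes this at most delta/2
    # (max(..., 1) only guards the degenerate support size 1).
    T = max(1, math.ceil(math.log2(4.0 / delta) * log_x ** 2 / (2.0 * (eps / 2.0) ** 2)))
    delta_prime = min(delta / (2.0 * T), eps_prime)  # T*delta' <= delta/2 and delta' <= eps'
    return eps_prime, T, delta_prime


def hist(sample_x, support, num_samples, rng):
    """Hist: empirical distribution of X|(Y=y); sample_x(rng) draws one x from it."""
    counts = Counter(sample_x(rng) for _ in range(num_samples))
    return {x: counts[x] / num_samples for x in support}


def entropy(p):
    """Shannon entropy in bits of a distribution given as {value: probability}."""
    return sum(-q * math.log2(q) for q in p.values() if q > 0.0)


def ent(sample_y, sample_x_given_y, support, T, num_samples, rng):
    """Ent: average over T sampled y's of H(Hist(X|Y=y)) (steps 3 and 4)."""
    total = 0.0
    for _ in range(T):
        y = sample_y(rng)
        p_hat = hist(lambda r: sample_x_given_y(r, y), support, num_samples, rng)
        total += entropy(p_hat)
    return total / T


def exact_conditional_entropy(joint):
    """H(X|Y) computed directly from a joint pmf {(x, y): probability}."""
    p_y = Counter()
    for (x, y), pr in joint.items():
        p_y[y] += pr
    return sum(pr * math.log2(p_y[y] / pr) for (x, y), pr in joint.items() if pr > 0.0)


# Constructed demo distribution: Y uniform on {0,1}, X = Y with probability 0.9
# and flipped otherwise, so H(X|Y) = h(0.1), about 0.469 bits.
FLIP = 0.1
JOINT = {(0, 0): 0.5 * (1 - FLIP), (1, 0): 0.5 * FLIP,
         (1, 1): 0.5 * (1 - FLIP), (0, 1): 0.5 * FLIP}
SUPPORT_X = (0, 1)


def sample_y(rng):
    return rng.randrange(2)


def sample_x_given_y(rng, y):
    return y if rng.random() >= FLIP else 1 - y


def run_demo(seed=1, T=50, num_samples=5000):
    """Returns (estimate, exact) for the demo distribution with reduced sample counts."""
    rng = random.Random(seed)
    estimate = ent(sample_y, sample_x_given_y, SUPPORT_X, T, num_samples, rng)
    return estimate, exact_conditional_entropy(JOINT)


if __name__ == "__main__":
    eps, delta = 0.5, 0.1
    print("theoretical Hist sample count:", hist_sample_count(len(SUPPORT_X), eps, delta))
    print("theoretical (eps', T, delta'):", ent_parameters(len(SUPPORT_X), eps, delta))
    est, exact = run_demo()
    print("Ent estimate = %.4f, exact H(X|Y) = %.4f" % (est, exact))
```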

We first argue correctness and then analyze the running time. Fix a sufficiently large $\kappa \in \mathbb{N}$. In the sequel we omit $\kappa$ from the notation. We think of $Z_i$ as a random variable over the probability space of choosing $y_i \leftarrow Y$ and the randomness of Hist used to generate $\hat{P}_i$. Let $W_i$ be a random variable coupled with $Z_i$ as follows: $W_i$ takes the value $H(X \mid Y = y_i)$ for $y_i$ being the value sampled at step 3a in the $i$'th iteration of the loop. It holds that $E[W_i] = H(X \mid Y)$ for every $i \in [T]$. Hence, our goal is to bound

$\Pr\left[\left|\mathrm{Ent}^{(X,Y,\varepsilon,\delta)}(1^\kappa) - H(X \mid Y)\right| > \varepsilon\right] = \Pr\left[\left|\tfrac{1}{T}\sum_{i=1}^{T} Z_i - \tfrac{1}{T}\sum_{i=1}^{T} E[W_i]\right| > \varepsilon\right] = \Pr\left[\left|\bar{Z} - E[\bar{W}]\right| > \varepsilon\right],$

where $\bar{Z} = \tfrac{1}{T}\sum_{i=1}^{T} Z_i$ and $\bar{W} = \tfrac{1}{T}\sum_{i=1}^{T} W_i$. Let $P_i$ be the distribution of the random variable $(X \mid Y = y_i)$, where $y_i$ is again the value sampled at step 3a in the $i$'th iteration of the loop. It holds that

$\Pr\left[\left|\bar{Z} - E[\bar{W}]\right| > \varepsilon\right] \leq \Pr_{(y_1,\ldots,y_T),(\hat{P}_1,\ldots,\hat{P}_T)}\left[\left|\bar{Z} - E[\bar{W}]\right| > \varepsilon \;\middle|\; \forall i : \mathrm{SD}(\hat{P}_i, P_i) \leq \delta'\right] + \Pr_{(y_1,\ldots,y_T),(\hat{P}_1,\ldots,\hat{P}_T)}\left[\exists i : \mathrm{SD}(\hat{P}_i, P_i) > \delta'\right]. \quad (3.28)$

By Lemma 3.5.13 and the union bound it holds that

$\Pr\left[\exists i : \mathrm{SD}(\hat{P}_i, P_i) > \delta'\right] \leq T \cdot \delta'.$

In order to bound the first term in the right-hand side of Eq. (3.28), we need to show that if $\hat{P}_i$ and $P_i$ are close, then so are $Z_i$ and $W_i$. We abuse notation and let $\hat{P}_i$ and $P_i$ denote also random variables chosen according to the distributions $\hat{P}_i$ and $P_i$, respectively. It holds that $Z_i = H(\hat{P}_i)$ and $W_i = H(P_i)$. Assume for now that $\forall i : \mathrm{SD}(\hat{P}_i, P_i) \leq \delta'$. Using the fact that small statistical distance implies small entropy difference (Fact 3.2.8), it holds that

$\left|\bar{Z} - E[\bar{W}]\right| = \left|\bar{Z} - E[\bar{W}] + \bar{W} - \bar{W}\right| \leq \left|\bar{W} - E[\bar{W}]\right| + \tfrac{1}{T}\sum_{i=1}^{T} |Z_i - W_i| \leq \left|\bar{W} - E[\bar{W}]\right| + \tfrac{1}{T}\sum_{i=1}^{T} \left(\log(|\mathcal{X}|) \cdot \delta' + h(\delta')\right) = \left|\bar{W} - E[\bar{W}]\right| + \log(|\mathcal{X}|) \cdot \delta' + h(\delta'),$

where the second inequality follows from Fact 3.2.8 (recall that $h(p) = p\log(1/p) + (1-p)\log(1/(1-p))$ is the binary entropy function). Since $h(p) \leq 2\sqrt{p}$ for any $p \in [0,1]$, we have $\log(|\mathcal{X}|) \cdot \delta' + h(\delta') \leq \log(|\mathcal{X}|) \cdot \delta' + 2\sqrt{\delta'} \leq \log(|\mathcal{X}|) \cdot \sqrt{\delta'} + 2\sqrt{\delta'} = \sqrt{\delta'} \cdot (\log(|\mathcal{X}|) + 2) \leq \varepsilon/2$, where the last inequality follows since $\delta' \leq \varepsilon'$ and from the choice of $\varepsilon'$. Thus, it holds that

$\Pr\left[\left|\bar{Z} - E[\bar{W}]\right| > \varepsilon \;\middle|\; \forall i : \mathrm{SD}(\hat{P}_i, P_i) \leq \delta'\right] \leq \Pr\left[\left|\bar{W} - E[\bar{W}]\right| > \varepsilon - \log(|\mathcal{X}|) \cdot \delta' - h(\delta')\right] \leq \Pr\left[\left|\bar{W} - E[\bar{W}]\right| > \varepsilon/2\right],$

where the first inequality follows from the coupling of $Z_i$ and $W_i$ and from Fact 3.2.8. To bound the last term we use Hoeffding's inequality:

Fact 3.5.16 (Hoeffding's inequality). Let $W_1, \ldots, W_n$ be independent random variables bounded in the intervals $[a_i, b_i]$. Let $\bar{W} = \tfrac{1}{n}\sum_{i=1}^{n} W_i$. Then, for any $\varepsilon > 0$ it holds that

$\Pr\left[\left|\bar{W} - E[\bar{W}]\right| \geq \varepsilon\right] \leq 2 \cdot 2^{-2n^2\varepsilon^2 / \sum_{i=1}^{n} (b_i - a_i)^2}.$

All in all, we get that

$\Pr\left[\left|\mathrm{Ent}(1^\kappa) - H(X \mid Y)\right| > \varepsilon\right] \leq 2 \cdot 2^{-2T(\varepsilon/2)^2 / \log^2(|\mathcal{X}|)} + T \cdot \delta' \leq \delta/2 + \delta/2 = \delta,$

where the second inequality follows from the choice of $T$ and $\delta'$. As for the running time, computing $\delta = \delta(\kappa)$ and sampling from $Y$ are done in $\mathrm{poly}(\kappa)$ time. Computing $Z_i$ can be done in $\mathrm{poly}(|\mathcal{X}|)$ time. By construction $T = \mathrm{polylog}(|\mathcal{X}|, 1/\delta) \cdot \mathrm{poly}(1/\varepsilon)$ and $\delta' = 1/\mathrm{poly}(\log(|\mathcal{X}|), 1/\varepsilon, 1/\delta)$, and thus $\delta' = 1/\mathrm{poly}(|\mathcal{X}|, 1/\varepsilon, 1/\delta)$. Finally, every call to Hist$^{(X,Y,\delta',\delta')}$ takes $\mathrm{poly}(\kappa, |\mathcal{X}|, 1/\delta') = \mathrm{poly}(\kappa, |\mathcal{X}|, 1/\varepsilon, 1/\delta)$ time. All in all, the running time is thus $\mathrm{poly}(\kappa, |\mathcal{X}|, 1/\varepsilon, 1/\delta)$, as required. □

3.5.6 Proving Lemma 3.5.1

Equipped with the results of Sections 3.5.3 to 3.5.5, we are now ready to prove Lemma 3.5.1, namely, to construct a public-key encryption scheme based on the existence of a suitable trapdoor pseudoentropy generator. We begin with a brief overview of the proof. Our first step is to show that the scheme outlined in Fig. 3-6 is a weak PKE scheme. Recall that our construction is parameterized by $k$ and $\delta$, where the former determines the number of repetitions and the latter determines the output length of the hash function. The construction also requires access to an approximation algorithm. The proof sets $k$ and $\delta$ and instantiates a weak version of the approximation algorithm such that: (1) the conditions in the weak correctness lemma (Lemma 3.5.11) and the weak security lemma (Lemma 3.5.12) are satisfied; (2) the loss from only implementing the weak version of the approximation algorithm is small; and (3) the running time of all the algorithms is polynomial in the security parameter $\kappa$. We set $\delta = \Theta(n)$ and $k = \Theta(q^2/\delta^2)$. This setting indeed satisfies the conditions of the weak correctness and security lemmas. As for the approximation algorithm, we require a $\Theta(\delta)$-approximation for the entropy of the decoder's message in the pseudoentropy generator scheme. Since $k \cdot q = O(q^3/n^2) = O(\log(\kappa))$ and $\delta = \Theta(n) \geq 1/\log(\kappa)$, we can implement such an approximation algorithm whose running time is $\mathrm{poly}(\kappa)$ (Section 3.5.5). As for the running times of the algorithms of the PKE scheme, it is easy to see that the key-generation algorithm KeyGen and the encryption algorithm Enc run in polynomial time. As for the decryption algorithm Dec, its running time is exponential in $k \cdot q$. Since $k \cdot q = O(\log(\kappa))$, Dec's running time is also $\mathrm{poly}(\kappa)$. After establishing the existence of a weak public-key encryption scheme, we use the amplification result of Holenstein and Renner [HR05] to obtain a full-fledged semantically-secure public-key encryption scheme.
We now proceed to the formal proof.

Proof of Lemma 3.5.1. Let $\gamma = \gamma(\kappa) \in [0,1]$, $q = q(\kappa) \in \mathbb{N}$ and $n = n(\kappa) > 0$ such that $n < q$, $q^3/n^2 = O(\log(\kappa))$ and $\gamma = o(n^2/q^2)$. Let (KeyGen', Enc', Dec') be a $q$-laconic $n$-entropic trapdoor pseudoentropy generator scheme with correctness error $\gamma$. Let $PK = \{PK_\kappa\}_{\kappa \in \mathbb{N}}$, $SK = \{SK_\kappa\}_{\kappa \in \mathbb{N}}$, $U = \{U_\kappa\}_{\kappa \in \mathbb{N}}$ and $V' = \{V'_\kappa\}_{\kappa \in \mathbb{N}}$ be sequences of jointly distributed random variables defined as $(PK_\kappa, SK_\kappa) \leftarrow \mathrm{KeyGen}'(1^\kappa)$, $(U_\kappa, \cdot) \leftarrow \mathrm{Enc}'(1^\kappa, PK_\kappa)$ and $V'_\kappa \leftarrow \mathrm{Dec}'(1^\kappa, PK_\kappa, SK_\kappa, U_\kappa)$. Set $\delta = n/6$ and $k = \lceil 21000 \cdot q^2/\delta^2 \rceil$. Note that $\delta \in [0, q]$, $k \cdot q = O(q^3/n^2) = O(\log(\kappa))$ and $k \geq 32$. Let Ent = Ent$^{(V', (PK, SK, U), \delta/4, 1/\kappa)}$ be the algorithm from Lemma 3.5.15. Finally, let

$(\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec}) = (\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})^{\delta, k, q, \mathrm{KeyGen}', \mathrm{Enc}', \mathrm{Dec}', \mathrm{Ent}}.$

We show that (KeyGen, Enc, Dec) is a $(7/8)$-correct $(1/15)$-secure public-key encryption scheme; that is, the decryption succeeds with probability $0.5 + 0.5 \cdot (7/8)$, any adversary can decrypt without the secret key with probability at most $0.5 + 0.5 \cdot (1/15)$, and the algorithms (KeyGen, Enc, Dec) all run in $\mathrm{poly}(\kappa)$ time. (See Definition 3.2.1.)

Correctness. Clearly, the setting of $k$ and $\delta$ satisfies $k \cdot \delta^2 \geq 21000 \cdot q^2$. Furthermore, $k \cdot \gamma = \Theta(q^2/n^2) \cdot o(n^2/q^2) = o(1)$. At this point we would like to use Lemma 3.5.11. However, recall that in proving Lemma 3.5.11 we assumed that the approximation algorithm always satisfies Definition 3.5.10, whereas Lemma 3.5.15 guarantees this to hold for Ent only with high probability. To overcome this issue we use the fact that the scheme makes only a single oracle call to Ent.

Formally, let $E_1$ be the event that Ent returns a value that satisfies Definition 3.5.10. By the setting of parameters above, it holds that $\Pr[\neg E_1] \leq 1/\kappa$. Then, for large enough $\kappa$, Lemma 3.5.11 yields that

$\Pr\left[\mathrm{Dec}(1^\kappa, sk, \mathrm{Enc}(1^\kappa, pk, \sigma)) = \sigma\right] \geq \Pr\left[\mathrm{Dec}(1^\kappa, sk, \mathrm{Enc}(1^\kappa, pk, \sigma)) = \sigma \;\middle|\; E_1\right] - \Pr[\neg E_1] \geq \frac{1}{2} + \frac{1}{2} \cdot \frac{15}{16} - \frac{1}{\kappa} \geq \frac{1}{2} + \frac{1}{2} \cdot \frac{7}{8},$

as required.

Security. We start by showing that the setting of $k$ and $\delta$ satisfies the conditions of Lemma 3.5.12. Clearly, the setting of $k$ and $\delta$ satisfies $k \cdot \delta^2 \geq 120 \cdot q^2$ and $k \cdot (n - 3\delta)^2 \geq 14 \cdot q^2$. To see that $16(q+2)^2 \cdot \gamma \leq 9\delta^2$ for large enough $\kappa$, note that $16(q+2)^2 \cdot \gamma = o(n^2)$ while $\delta^2 = \Omega(n^2)$. Similarly to the correctness case, let $E_1$ be the event that Ent returns a value that satisfies Definition 3.5.10. Lemma 3.5.12 now yields that for every polynomial-time algorithm $\mathcal{A}$ and sufficiently large $\kappa$, it holds that

$\Pr\left[\mathcal{A}(1^\kappa, pk, \mathrm{Enc}(1^\kappa, pk, \sigma)) = \sigma\right] \leq \Pr\left[\mathcal{A}(1^\kappa, pk, \mathrm{Enc}(1^\kappa, pk, \sigma)) = \sigma \;\middle|\; E_1\right] + \Pr[\neg E_1] \leq \frac{1}{2} + 2^{-5} + \frac{1}{\kappa} = \frac{1}{2} + \frac{1}{2} \cdot \frac{1}{16} + \frac{1}{\kappa} < \frac{1}{2} + \frac{1}{2} \cdot \frac{1}{15},$

as required.

Running Times. We begin by showing that the running time of Ent is polynomial. Indeed, since the trapdoor pseudoentropy generator is $q$-laconic, and since $q = O(\log(\kappa))$, it holds that $|\mathrm{Supp}(V'_\kappa)| = \mathrm{poly}(\kappa)$. Moreover, since by assumption KeyGen' and Enc' run in $\mathrm{poly}(\kappa)$ time, sampling from $(PK, SK, U)$ can be done in $\mathrm{poly}(\kappa)$ time: simply call $(pk, sk) \leftarrow \mathrm{KeyGen}'(1^\kappa)$ and $(u, \cdot) \leftarrow \mathrm{Enc}'(pk)$, and output $(pk, sk, u)$. Finally, using that by assumption Dec' also runs in $\mathrm{poly}(\kappa)$ time, we can also sample from $V' \mid (PK = pk, SK = sk, U = u)$ for every $(pk, sk, u) \in \mathrm{Supp}(PK, SK, U)$: simply output $\mathrm{Dec}'(pk, sk, u)$. Hence, Ent runs in $\mathrm{poly}(\kappa)$ time. We can now show that the algorithms of the encryption scheme are also polynomial-time.

• KeyGen makes $k$ calls to KeyGen' and a single oracle call to Ent, and thus runs in $\mathrm{poly}(\kappa)$ time.

• Enc makes $k$ calls to Enc' and samples and evaluates a universal hash function from $\mathcal{H}_{k \cdot q, m}$, where $m = \lceil k \cdot (\ell + \delta) \rceil$ for $\ell \leq q$. By Fact 3.2.4, sampling and evaluating such a hash function can be done in $\mathrm{polylog}(\kappa)$ time, and thus the running time of Enc is $\mathrm{poly}(\kappa)$.

• Dec makes $k \cdot 2^{10 \cdot k(\ell + \delta)}$ calls to Dec' and evaluates the hash function $2^{10 \cdot k(\ell + \delta)}$ times. As both $\ell$ and $\delta$ are less than $q$ and $k \cdot q = O(\log \kappa)$, the running time of Dec is $\mathrm{poly}(\kappa)$.

We have shown that (KeyGen, Enc, Dec) is a $(7/8)$-correct $(1/15)$-secure public-key encryption scheme. Since $(7/8)^2 > 1/15$, the amplification result of Holenstein and Renner [HR05] (given in Theorem 3.2.2) yields that there exists a public-key encryption scheme. □

3.6 Extensions

In this section, we exhibit two relaxations of Assumption 3.3.5 that suffice for our construction of PKE. The first relaxation, discussed in Section 3.6.1, is implied by several concrete assumptions that have been used in the past to construct PKE, and the other, discussed in Section 3.6.2, turns out to be equivalent to the existence of PKE itself, leading to a complexity-theoretic characterization of PKE. Lastly, in Section 3.6.3, we also show how Assumption 3.3.5 can be strengthened to yield a (two-message) oblivious transfer protocol.

3.6.1 A Weaker Assumption

Recall that $\mathcal{L}$ is a language in NP with witness relation $\mathcal{R}_\mathcal{L}$, and $Y_\mathcal{L}$ and $N_\mathcal{L}$ are sampling algorithms that output, with all but negligible probability, samples of the form $(x, w) \in \mathcal{R}_\mathcal{L}$ and $x \notin \mathcal{L}$ respectively. Towards weakening Assumption 3.3.5, which we used earlier to construct PKE, we define a more general variant of SZK arguments by relaxing the requirements in its definition to only hold on average. For instance, we earlier required that for any $x \in \mathcal{L}$ and witness $w$ for it, the prover $P$ that knows $w$ can make the verifier $V$ accept with high probability. Instead, we will now require this to hold only with high probability over the $(x, w)$ pairs produced by $Y_\mathcal{L}$. (In particular, there may exist some rare $(x, w) \in \mathcal{R}_\mathcal{L}$ for which $P$ is unable to make $V$ accept.) Similarly, the soundness condition is relaxed to only require that security against cheating provers hold with high probability over the $x$'s produced by $N_\mathcal{L}$: there may be some $x \notin \mathcal{L}$ where a malicious prover $P^*$ is able to make $V$ accept, but these are rare. Zero-knowledge is also relaxed and is required to hold only with high probability over the $x$'s produced by $Y_\mathcal{L}$. We refer to this notion as average-case SZK (ASZK).

Definition 3.6.1 (ASZK Arguments). Let $c, s : \mathbb{N} \to [0,1]$. An interactive proof system $(P, V)$ is an Average-case Statistical Zero Knowledge (ASZK) argument (against honest verifiers) for $(\mathcal{L}, Y_\mathcal{L}, N_\mathcal{L})$ with completeness error $c$ and soundness error $s$ if the following properties hold:

• Efficiency: Both $P$ and $V$ are probabilistic polynomial-time algorithms.

• Completeness: For all large enough $\kappa$:

$\Pr_{(x,w) \leftarrow Y_\mathcal{L}(1^\kappa)}\left[(P(w), V)(1^\kappa, x) \text{ accepts}\right] \geq 1 - c(\kappa).$

• Soundness: For any, possibly malicious, polynomial-time $P^*$ and all large enough $\kappa$:

$\Pr_{x \leftarrow N_\mathcal{L}(1^\kappa)}\left[(P^*, V)(1^\kappa, x) \text{ accepts}\right] \leq s(\kappa).$

• Honest Verifier Statistical Zero Knowledge: There is a polynomial-time algorithm Sim, called the simulator, such that for random $(x, w) \leftarrow Y_\mathcal{L}(1^\kappa)$, the simulator Sim simulates the transcript of the interactive proof given $x$. That is, the following holds for all large enough $\kappa$:

$E_{(x,w) \leftarrow Y_\mathcal{L}(1^\kappa)}\left[\mathrm{SD}\left((P(w), V)(1^\kappa, x), \mathrm{Sim}(1^\kappa, x)\right)\right] \leq \mathrm{negl}(\kappa).$

Note that since $Y_\mathcal{L}$ and $N_\mathcal{L}$ are concentrated on instances in $\mathcal{L}$ and not in $\mathcal{L}$ respectively, any protocol that is an SZK argument for $\mathcal{L}$ is also an ASZK argument for $(\mathcal{L}, Y_\mathcal{L}, N_\mathcal{L})$ with the correctness, soundness and simulation errors degraded by a negligible additive factor. We will still require our arguments to be laconic, that is, that the number of rounds and the size of the prover's messages be small. We state our next assumption as follows.

Assumption 3.6.2. There exists a language $\mathcal{L} \in \mathrm{NP}$ with associated distributions over instances $(Y_\mathcal{L}, N_\mathcal{L})$, and a constant $\alpha < 1/2$ such that:

1. $(\mathcal{L}, Y_\mathcal{L}, N_\mathcal{L})$ is $(\mathrm{poly}, \alpha)$-cryptographically hard.

2. There is an $r$-round $q$-laconic honest-verifier ASZK argument for $(\mathcal{L}, Y_\mathcal{L}, N_\mathcal{L})$ with completeness error $c$ and soundness error $s$ such that:

• There is a constant $\beta > 0$ such that for large enough $\kappa$: $1 - c(\kappa) > s(\kappa) + \alpha + \beta$.

• $q$ and $r$ are such that $r^2 \cdot q^3 = O(\log(\kappa))$.

Notice that we have weakened Assumption 3.3.5 in two ways. First, where we earlier required SZK arguments, we now only require ASZK arguments. As noted earlier, SZK arguments are themselves also ASZK arguments with almost the same correctness, soundness and simulation errors. Second, we relax the requirements on the cryptographic hardness of $\mathcal{L}$. In Assumption 3.3.5 we required that $(\mathcal{L}, Y_\mathcal{L}, N_\mathcal{L})$ be cryptographically hard, that is, that no polynomial-time algorithm be able to distinguish between $Y_\mathcal{L}$ and $N_\mathcal{L}$ with non-negligible advantage. In Assumption 3.6.2, however, we only require that this advantage be less than a fixed constant $\alpha$ that satisfies certain properties in relation to the completeness and soundness errors. Despite being weaker, Assumption 3.6.2 suffices, with very few changes to the proofs in Sections 3.4 and 3.5, for our construction of a PKE.

Theorem 3.6.3. If Assumption 3.6.2 holds, then there exists a PKE scheme.

Proof Sketch. We show how to modify the statement and proof of Lemma 3.4.3 and the proof of Theorem 3.3.6 so they can be applied with Assumption 3.6.2 (instead of Assumption 3.3.5). The proof of Lemma 3.5.1 remains unchanged. In the statement and proof of Lemma 3.4.3, $\mathrm{KL}(1 - c \,\|\, s)$ is replaced with $\mathrm{KL}(1 - c \,\|\, s + \alpha)$, where $\alpha$ is the cryptographic hardness parameter from Assumption 3.6.2. The construction proving Lemma 3.4.3 is the same as in Fig. 3-5. The proof is almost the same as in Section 3.4, except for the following changes:

1. The proof of Lemma 3.4.4 remains the same. It uses the zero-knowledge of the argument-system, but only assumes it to be average-case; see Footnote 26.

2. In Lemma 3.4.9, the hypothesis would only require an interactive argument system whose completeness and soundness hold on average. The proof of this lemma would then work as is, except that the guarantees of the algorithm $F$ defined there now only hold on average.

3. In the statement of Lemma 3.4.10, $\mathrm{KL}(1 - c \,\|\, s)$ is replaced with $\mathrm{KL}(1 - c \,\|\, s + \alpha)$, where $\alpha$ is the cryptographic hardness parameter from Assumption 3.6.2. In the proof of that lemma we make the following changes (all variables are in the context of that proof): we set $\gamma = 1/\mathrm{poly}$ such that $1 - c > s + \alpha + \gamma$ and $1/\kappa^d > 2(1-c) \cdot \gamma$. Using that $\mathcal{L}$ is $(\mathrm{poly}, \alpha)$-cryptographically hard, and applying Lemma 3.4.9 with soundness error $s + \alpha$, we get that $B_I$ has $(\mathrm{poly}, 1/\kappa^d - 2(1-c) \cdot \gamma)$ conditional pseudoentropy at least $H(B_I \mid X, I, C_I) + \mathrm{KL}(1 - c \,\|\, s + \alpha + \gamma)/r - (\cdots)$. The last step of the proof, "getting rid" of the dependency on $\gamma$, is done as in the proof of Lemma 3.4.10.

4. In the proof of Lemma 3.4.3, $\mathrm{KL}(1 - c \,\|\, s)$ is replaced with $\mathrm{KL}(1 - c \,\|\, s + \alpha)$.

Finally, as for the proof of Theorem 3.3.6 (given in the beginning of Section 3.5), $\mathrm{KL}(1 - c \,\|\, s)$ is again replaced with $\mathrm{KL}(1 - c \,\|\, s + \alpha)$. That proof only used that $\mathrm{KL}(1 - c \,\|\, s)$ is a constant (or chose it to be a constant without loss of generality), and the same holds for $\mathrm{KL}(1 - c \,\|\, s + \alpha)$. □

We next argue that Assumption 3.6.2 is implied by most of the assumptions that are already known to imply PKE. Specifically, Assumption 3.6.2 is implied by each of the following assumptions (with whatever respective parameters are known to imply public-key encryption):

• Quadratic Residuosity
• Decisional Diffie-Hellman
• Learning Parity with Noise
• Learning With Errors
• Combinations of the LIN, DUE and DSF assumptions from [ABW10]

The definitions of the above assumptions, requisite references and explanations of how they imply our assumption are given in Section 3.7. There are some important assumptions, however, that give public-key encryption but which we do not know to imply Assumption 3.6.2, such as the hardness of factoring and the computational Diffie-Hellman assumption. Another is the 3LIN assumption from [ABW10]. It would be interesting to understand what distinguishes these assumptions from the ones in the list above.

3.6.2 A Complexity-Theoretic Characterization of PKE

In this section we present a complexity-theoretic characterization of public-key encryption; that is, a complexity-theoretic assumption that is equivalent to the existence of public-key encryption schemes. We also show that a relaxed version of this assumption (which we get by removing a laconism condition) is equivalent to the existence of one-way functions. Up to this point we showed the existence of public-key encryption from assumptions that require some underlying hard decision problem (Assumptions 3.3.5 and 3.6.2). Specifically, an NP language for which it is hard to distinguish between instances that are in the language and those that are not. In many cryptographic settings, however, it seems more natural to consider hardness of search problems, for example, the hardness of computing a secret key corresponding to a known public key, or the hardness of finding the pre-image of a random element under a one-way function. To get our complexity-theoretic characterization we will focus on search problems. Instead of assuming the existence of two sampling algorithms $Y$ and $N$ that sample YES and NO instances, respectively, we assume the existence of a single solved instance generator $G$ (we use $G$ to denote the solved instance generator instead of $Y$ to emphasize that we are no longer considering a language membership problem). We would like to fit this generator into the framework of statistical zero-knowledge arguments we used thus far. Specifically, we need to define what a statistical zero-knowledge argument-system for a search problem is. The completeness property of argument-systems carries over smoothly to our current setting. It holds with respect to a random instance-witness pair sampled from $G$ (in the same way that this property is defined with respect to $Y$ in Assumption 3.6.2). The main challenge lies in defining soundness. Standard argument-systems require the verifier to reject inputs that are not in the language.
But now we no longer have a notion of NO inputs.$^{34}$ To define soundness, we take an approach related to Proofs of Knowledge (PoK) [GMR85, BG92]. In a PoK, not only is the verifier convinced that the instance is in the language, but also that the prover knows a witness to this effect. This "knowledge" is captured in the form of an efficient extractor that can retrieve the witness given black-box access to the prover's strategy. In our definition, the soundness property is replaced by what we refer to as an Argument of Weak Knowledge (AoWK) property, which requires that an efficient prover without access to a witness cannot convince the verifier to accept, even though the input was generated by the solved instance generator. This is a weakening of the notion of Argument of Knowledge (AoK; where, in contrast to PoK, the extractor is only required to work with respect to efficient provers). Indeed, we do not require the ability to extract a witness from the prover, but only the inability to convince the verifier without one. Observe that no guarantee is given against provers who have partial access to the witness. Lastly, we want to define the zero-knowledge property. In the standard setting, satisfying this property roughly translates into ensuring that the verifier learns nothing beyond the

$^{34}$ Moreover, it may be that every string $x$ is in the support of $G$. Consider, e.g., the task of inverting a one-way permutation over $\{0,1\}^n$.

fact that the input is in the language. Again we face the issue that we no longer have a language. In this case, however, the solution is simple. In our definition, satisfying the zero-knowledge property roughly translates into ensuring that the verifier learns nothing beyond the fact that the prover knows a witness. The formal definition naturally follows the simulation paradigm, and is in fact identical to the way this property is defined in Assumption 3.6.2.

Definition 3.6.4 (ASZK Arguments of Weak Knowledge). Let $c, s : \mathbb{N} \to [0,1]$. An interactive proof system $(P, V)$ is an Average-case Statistical Zero Knowledge (ASZK) Argument of Weak Knowledge (AoWK) (against honest verifiers) for $G$ with completeness error $c$ and soundness error $s$ if the following properties hold:

• Efficiency: Both $P$ and $V$ are probabilistic polynomial-time algorithms.

• Completeness: For all large enough $\kappa$:

$\Pr_{(x,w) \leftarrow G(1^\kappa)}\left[(P(w), V)(1^\kappa, x) \text{ accepts}\right] \geq 1 - c(\kappa).$

• Argument of Weak Knowledge: For any, possibly malicious, polynomial-time $P^*$ and all large enough $\kappa$:

$\Pr_{(x,\cdot) \leftarrow G(1^\kappa)}\left[(P^*, V)(1^\kappa, x) \text{ accepts}\right] \leq s(\kappa).$

• Honest Verifier Statistical Zero Knowledge: There is a polynomial-time algorithm Sim, called the simulator, such that for $(x, w) \leftarrow G(1^\kappa)$, the simulator Sim simulates the transcript of the interactive proof given just $x$. That is, the following holds for all large enough $\kappa$:

$E_{(x,w) \leftarrow G(1^\kappa)}\left[\mathrm{SD}\left((P(w), V)(1^\kappa, x), \mathrm{Sim}(1^\kappa, x)\right)\right] \leq \mathrm{negl}(\kappa).$

Remark 3.6.5 (Worst-case AoWK). The above definition considers average-case notions of completeness, weak knowledge and zero knowledge. This fact does not seem inherent to the notion of arguments of weak knowledge and, in fact, we find the worst-case variant to be more natural. However, for our results it is important that we focus on the average-case variant. We leave the study of the worst-case variant to future research. The existence of an ASZK argument of weak knowledge for $G$ immediately implies that it is hard to compute a witness for a random instance. Indeed, if this were not the case, then a cheating prover could find such a witness and run the honest prover with this witness to convince the verifier, breaking the argument of weak knowledge property. We are now ready to state our assumption and show its equivalence to public-key encryption.

Assumption 3.6.6. There is an r-round q-laconic honest-verifier ASZK argument of weak knowledge for a solved instance generator G with completeness error c and soundness error s such that:

• There is a constant $\beta > 0$ such that for large enough $\kappa$: $1 - c(\kappa) > s(\kappa) + \beta$; and

• $q$ and $r$ are such that $r^2 \cdot q^3 = O(\log(\kappa))$.

Theorem 3.6.7. Assumption 3.6.6 is equivalent to the existence of public-key encryption schemes.

Proof Sketch. A key observation is that in the proof of Theorem 3.6.3 we never really used the existence of an underlying language $\mathcal{L}$. Instead, we used the sampling algorithms $Y$ and $N$. Hence, given a solved instance generator $G$ we can define $Y = G$, and $N$ to output $x$ such that $(x, w) \leftarrow G$. Note that $Y$ and $N$ actually produce the same distribution over the instances (and thus cannot describe a language). It follows that $(Y, N)$ satisfy the conditions of Assumption 3.6.2 (with $\alpha = 0$), and thus one direction of Theorem 3.6.7 follows from Theorem 3.6.3. It is left to show that PKE implies Assumption 3.6.6. Suppose there exists a PKE scheme (KeyGen, Enc, Dec). We define the solved instance generator $G$ to be the same as KeyGen, outputting $pk$ as the instance and $sk$ as the witness. An ASZK-AoWK for $G$ is presented in Figure 3-7.

    P(pk, sk)                                        V(pk)
                                                     b <- {0,1}
                                                     c <- Enc(1^k, pk, b)
                           <-------- c --------
    b' <- Dec(1^k, sk, c)
                           -------- b' ------->
                                                     Accept if b = b'

Figure 3-7: ASZK argument of weak knowledge for G (1^k denotes the security parameter 1^κ)

The completeness of this protocol follows from the correctness of the encryption scheme, and the argument of weak knowledge property follows from semantic security. These imply that the completeness error is negligible and the soundness error is only negligibly more than $1/2$. The simulator, on input $pk$, runs the verifier $V$, which generates $b$ and $c$. It then sets the prover's message to be $b$ itself and outputs $(b, c, b)$ as the transcript. The distance of this distribution from the actual transcript is exactly the probability that $P$ does not guess $b$ correctly. Thus the simulation error is the same as the completeness error, which is negligible. The laconism follows immediately from the structure of the protocol. This completes the proof of the second direction, and Theorem 3.6.7 follows. □
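The protocol of Figure 3-7 and its simulator, as an added Python example that is not code from the thesis: a constructed placeholder PKE (textbook ElGamal over a Mersenne-prime group, with no security claims) stands in for the abstract (KeyGen, Enc, Dec), and all function names are assumptions. It runs the honest prover, a prover that lacks the witness sk, and the simulator that uses only pk.

```python
"""The ASZK argument of weak knowledge of Figure 3-7 on a stand-in PKE.

Added example, not the thesis's own code.  Textbook ElGamal over Z_p^* with a
Mersenne prime is used only so the protocol has something to run on; it makes
no security claims.  All function names are assumptions.
"""
import random

P = (1 << 127) - 1  # 2^127 - 1 is prime
G = 3


def keygen(rng):
    """G = KeyGen: the instance is pk, the witness is sk."""
    sk = rng.randrange(1, P - 1)
    return pow(G, sk, P), sk


def enc(pk, bit, rng):
    """Encrypt a bit as the group element G^bit (ElGamal)."""
    r = rng.randrange(1, P - 1)
    return pow(G, r, P), (pow(G, bit, P) * pow(pk, r, P)) % P


def dec(sk, ciphertext):
    c1, c2 = ciphertext
    m = (c2 * pow(c1, P - 1 - sk, P)) % P  # c1^(-sk) via Fermat's little theorem
    return {1: 0, G: 1}.get(m)


def verifier_challenge(pk, rng):
    """V's first message: a random bit b, sent encrypted as c."""
    b = rng.randrange(2)
    return b, enc(pk, b, rng)


def honest_prover(sk, ciphertext):
    """P(pk, sk) answers with b' = Dec(sk, c)."""
    return dec(sk, ciphertext)


def keyless_prover(rng):
    """A prover without the witness sk has nothing better than a guess."""
    return rng.randrange(2)


def run_round(pk, sk, rng, cheat=False):
    """One execution; returns (accepted, transcript) with transcript = (c, b')."""
    b, c = verifier_challenge(pk, rng)
    b_prime = keyless_prover(rng) if cheat else honest_prover(sk, c)
    return b == b_prime, (c, b_prime)


def simulator(pk, rng):
    """Sim(pk): run V's first step and use its own b as the prover's reply."""
    b, c = verifier_challenge(pk, rng)
    return c, b


def acceptance_rate(rounds, seed, cheat=False):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return sum(run_round(pk, sk, rng, cheat)[0] for _ in range(rounds)) / rounds


def simulated_transcript_is_accepting(seed):
    """With a perfectly correct PKE the simulated transcript is exactly a real one:
    the honest prover would have answered the simulator's c with the same bit."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    c, b = simulator(pk, rng)
    return dec(sk, c) == b


if __name__ == "__main__":
    print("honest prover accepted:", acceptance_rate(100, 1))
    print("keyless prover accepted:", acceptance_rate(400, 2, cheat=True))
    print("simulated transcript accepting:", simulated_transcript_is_accepting(3))
```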

Interestingly, when we remove the laconism requirement from Assumption 3.6.6, the resulting primitive is equivalent to the existence of one-way functions.

Proposition 3.6.8. The following two statements are equivalent:

• There is an $r$-round $q$-laconic honest-verifier ASZK argument of weak knowledge for a solved instance generator $G$ with completeness error $c$ and soundness error $s$ such that $1 - c(\kappa) > s(\kappa) + \beta$ for some constant $\beta > 0$ and large enough $\kappa$.

• One-way functions exist.

Theorem 3.6.7 and Proposition 3.6.8 illustrate again (and perhaps more clearly) what we argued in Section 3.1.1: that removing the laconism requirement from our assumption would prove that the existence of one-way functions implies that of public-key encryption.

Proof Sketch. As we argued above, the existence of an ASZK-AoWK for $G$ implies that it is hard to find a witness for a random instance. Specifically, consider the function $f(r) = G(r)_1$, where $r$ are coins for $G$ and $G(r)_1$ denotes the instance generated by $G$ when it is run with $r$ set to its random coins. We claim that $f$ is a distributional one-way function.$^{35}$ Indeed, suppose there exists an efficient inverter that, given a random instance $x$, can find a pre-image of $f$ that is $\beta$-close to a random pre-image. Namely, it finds almost random coins for $G$ that generate $x$ (together with an almost random witness $w$). We can construct a prover strategy that, given $x$, runs this inverter to find a $\beta$-close-to-random witness $w$ and then runs the honest prover strategy with respect to $(x, w)$. By completeness, we know that the foregoing prover strategy will convince the verifier with probability $1 - c - \beta > s$, a contradiction to the argument of weak knowledge property of the protocol. Hence, $f$ is a distributional one-way function. A distributional one-way function can be transformed into a full-fledged one-way function (see [IL89, Lemma 1]). Thus, the existence of an ASZK-AoWK implies the existence of a one-way function. As for the other direction, consider the relation $(f(x), x)$, where $f$ is a one-way function. Clearly this relation is an NP relation. It follows from [HNO+09] that any NP relation has a statistical zero-knowledge argument of knowledge with an efficient prover, assuming the existence of one-way functions. Hence, we can define $G$ to output the pair $(f(x), x)$ for a random $x$. The argument-system for the relation $(f(x), x)$ is in fact an ASZK-AoWK for $G$. Indeed, it is immediate that the argument-system satisfies the correctness and zero-knowledge conditions. To show that it is also an argument of weak knowledge, assume the contrary, namely, that there exists an efficient cheating prover that convinces the verifier to accept with high probability without knowing the witness.
Since the argument-system is an argument of knowledge, we can efficiently extract the witness from such a cheating prover. This witness is a pre-image of a random output of $f$, a contradiction to $f$ being one-way. □

3.6.3 Oblivious Transfer

In this section, we show how (a mild strengthening of) Assumption 3.3.5 yields a 2-message semi-honest oblivious transfer (OT) protocol. Using the classical protocol of Goldreich, Micali and Wigderson [GMW87], this yields general-purpose secure multiparty computation from the same assumption. In order to construct an OT scheme, we need to strengthen the notion of cryptographic hardness which we used in our construction of PKE. The reason is that we would like one of the parties to sample a random instance $x$ in a way that does not reveal whether $x$ belongs to $\mathcal{L}$ or not. Note that, even in the semi-honest case that we consider here, the party that samples $x$ has access not only to $x$ but also to the random coins that sampled

3 5 A polynomial-time computable function f: {0,1}" -+ {0,1}() is distributional one-way if for some polynomial p and every efficient algorithm A it holds that SD((X, f(X)), (A(f(X)), f(X))) > 1/p(n) for sufficiently large n, where X is uniform in {0,1}1.

137 x. In particular, if we used the naive sampler that samples x - YL with probability 1/2 and x <- NL with probability 1/2, the choice of which of the two distributions was sampled reveals whether x E L. Thus, we need a stronger definition of cryptographic hardness in which the adversary trying to determine whether x C £, sees not only the instance but also the random coins that sampled it. A closely related issue comes in the classical construction of OT from trapdoor permuta- tions [EGL85]. It was resolved in that context by requiring a form of "enhanced" sampling, in which elements can be sampled from the domain of the permutation so that the coins of the sampling algorithm do not reveal the inverse (see [Go9, Appendix C.1] or [GR13] for further discussion). In direct analogy, our strengthening of cryptographic hardness also introduces an enhanced sampling condition. Namely, that there is a way to sample an in- stance x such that no efficient adversary, even given the random coins of the sampler, can distinguish whether x E £ or x C £ (except with negligible advantage). Analogous to our PKE construction, we only construct weak semi-honest 1-round OT protocol. Weak OT means that the correctness and security errors are small constants, rather than being negligible. To get a a full-fledged OT protocol, we use known amplification techniques (e.g., [Wul07]). First we formalize the notion of weak oblivious transfer that we need. The definition is adapted from [Wul07].

Definition 3.6.9 (Weak OT). An (ε₁, ε₂, ε₃)-Weak Oblivious Transfer is a two-party protocol between a sender S and a receiver R. The sender is given as input a security parameter 1^κ as well as two inputs σ₀, σ₁ ∈ {0,1}, and the receiver gets as input 1^κ and a bit β ∈ {0,1}. An (ε₁, ε₂, ε₃)-WOT has the following properties:

1. Correctness: The receiver learns σ_β with probability at least 1 − ε₁, where the probability is over the randomness of both the sender and the receiver.

2. Sender's Privacy: For any probabilistic polynomial-time algorithm R*, for any choices of σ₀, σ₁, β ∈ {0,1} and sufficiently large κ ∈ N,

$$\Pr\big[R^*(\mathrm{view}_R(1^\kappa, \sigma_0, \sigma_1, \beta)) = \sigma_{1-\beta}\big] \le \frac{1 + \varepsilon_2}{2},$$

where view_R corresponds to the honest receiver's view, namely the index β, his private randomness, and the transcript.

3. Receiver's Privacy: For any probabilistic polynomial-time algorithm S*, for any choices of σ₀, σ₁, β ∈ {0,1} and sufficiently large κ ∈ N,

$$\Pr\big[S^*(\mathrm{view}_S(1^\kappa, \sigma_0, \sigma_1, \beta)) = \beta\big] \le \frac{1 + \varepsilon_3}{2},$$

where view_S corresponds to the honest sender's view, namely σ₀, σ₁, his private randomness, and the transcript.

We now turn to defining our notion of enhanced cryptographic hardness.

Definition 3.6.10 (Enhanced Cryptographic Hardness). Let t = t(κ) ∈ N and ε = ε(κ) ∈ [0, 1]. The tuple (L, Y_L, N_L, O_L) is (t, ε)-enhanced cryptographically hard if the following properties hold.

1. Cryptographic Hardness: (L, Y_L, N_L) is (t, ε)-cryptographically hard.

2. Correctness: The sampler O_L is a probabilistic polynomial-time algorithm such that

$$\mathrm{SD}\big(O_L(1^\kappa),\ x_b\big) \le \mathrm{negl}(\kappa),$$

where x_b is generated by first sampling (x₀, w₀) ← Y_L(1^κ) and x₁ ← N_L(1^κ) and outputting x_b for a randomly chosen b ← {0,1}.

3. Enhanced Indistinguishability: For every probabilistic polynomial-time adversary A that on input (1^κ, s) runs in time t(κ), and all sufficiently large κ ∈ N:

$$\Pr\big[A(1^\kappa, s) = L(O_L(1^\kappa; s))\big] \le \frac{1}{2} + \varepsilon(\kappa),$$

where s is a uniformly random string, O_L(1^κ; s) indicates that the oblivious sampler O_L is run with randomness s, L(x) = 1 if and only if x ∈ L, and the probability is also over the random coins of A.

We say that (L, Y_L, N_L, O_L) is enhanced cryptographically hard if it is (κ^c, 1/κ^c)-hard for every constant c > 0.

Remark 3.6.11 (Doubly Enhanced Cryptographic Hardness). It is natural to also consider a "doubly enhanced" variant of cryptographic hardness, in analogy to doubly-enhanced trapdoor permutations (see [GR13]). However, since we do not require this notion for our construction, we avoid doing so in this work. Using the foregoing notion of enhanced cryptographic hardness, we are ready to state our result on the existence of weak OT (which we shall later amplify to full-fledged OT).

Lemma 3.6.12 (Weak Oblivious Transfer). Assuming that there exists a language L that satisfies Assumption 3.3.5 and, moreover, is enhanced cryptographically hard (as in Definition 3.6.10), then there exists a 1-round (2^{−4}, 2^{−4}, negl(κ))-weak oblivious transfer protocol.

Proof sketch. This proof builds on the construction of the weak public-key encryption scheme in Theorem 3.3.6. Let (KeyGen, Enc, Dec) be the weak public-key encryption scheme from Fig. 3-6. Our OT protocol is reminiscent of the construction of oblivious transfer from lossy encryption. The receiver samples two public keys: one real public key along with its secret key, and a fake public key whose ciphertexts it cannot decrypt. The real public key is generated by KeyGen. It consists of a tuple of yes-instances sampled by Y_L along with ℓ, an estimate of the entropy of the distribution (see the discussion in Section 3.5). The fake public key, on the other hand, consists of obliviously sampled instances using O_L. The receiver sends the real public key as pk_β for the receiver's input β and the fake public key as pk_{1−β}. The sender now encrypts his inputs σ₀, σ₁ with the corresponding public keys and sends the ciphertexts (ct₀, ct₁) across. The receiver can then decrypt ct_β using the secret key. In lossy encryption, the fake public key is a lossy key. In that case, the ciphertext ct_{1−β} reveals no information about the sender's second input σ_{1−β}. In our case, the fake public key is a tuple of instances x̄ sampled using the sampler O_L. We show that an efficient receiver cannot decrypt messages encrypted with such fake public keys. The oblivious transfer protocol is described in Fig. 3-8.

OblGen(1^κ; s = (s₁, s₂, ..., s_k)):

1. For j ∈ [k], sample x_j ← O_L(1^κ; s_j).
2. Set x̄ = (x₁, ..., x_k).
3. Output x̄.

1-Round Oblivious Transfer Protocol. Sender S(1^κ, σ₀, σ₁); Receiver R(1^κ, β).

1. R: (pk = (x̄, ℓ), sk) ← KeyGen(1^κ). Sample s = (s₁, s₂, ..., s_k) at random, x̄′ ← OblGen(1^κ; s), and set pk′ = (x̄′, ℓ). Set pk_β = pk and pk_{1−β} = pk′. Send (pk₀, pk₁) to S.
2. S: For i ∈ {0,1}, ct_i = Enc(pk_i, σ_i). Send (ct₀, ct₁) to R.
3. R: Output Dec(sk, ct_β).

Figure 3-8: A Weak Oblivious Transfer Protocol

We need to prove that our protocol satisfies the three properties of weak OT. These are summarized in the following three claims.

Claim 3.6.12.1 (Correctness). The receiver learns the value σ_β with probability at least 1 − 2^{−5}.

Proof Sketch. This follows from the correctness of the encryption scheme (see Lemma 3.5.11).

Claim 3.6.12.2 (Receiver's Privacy). For any probabilistic polynomial-time algorithm S*, for any choices of σ₀, σ₁, β ∈ {0,1} and sufficiently large κ ∈ N,

$$\Pr\big[S^*(\mathrm{view}_S(1^\kappa, \sigma_0, \sigma_1, \beta)) = \beta\big] \le \frac{1}{2} + \mathrm{negl}(\kappa).$$

Proof Sketch. To recover β, the honest-but-curious sender has to determine which instance was sampled using the enhanced sampler O_L and which instance was sampled using the Y_L sampler. From the correctness property of the enhanced sampling (Definition 3.6.10), the distribution on yes-instances generated by O_L is statistically close to that generated by Y_L. So, to distinguish between the two, the adversary has to distinguish between the no-instances sampled by O_L and the instances sampled by Y_L. This is equivalent to distinguishing between outputs of Y_L and N_L. No efficient adversary can distinguish between the two due to the (standard) cryptographic hardness of L.

Lemma 3.6.13 (Sender's Privacy). For any probabilistic polynomial-time algorithm R*, for any choices of σ₀, σ₁, β ∈ {0,1} and sufficiently large κ ∈ N,

$$\Pr\big[R^*(\mathrm{view}_R(1^\kappa, \sigma_0, \sigma_1, \beta)) = \sigma_{1-\beta}\big] \le \frac{1}{2} + 2^{-5}.$$

Proof Sketch. We need to show that the receiver, even given the random coins for sampling the fake public key x̄′, cannot decrypt (with high probability). Namely, we prove the following.

Claim 3.6.13.1 (Weak security for OT). For every polynomial-time adversary R*, it holds that

$$\Pr\big[R^*(1^\kappa, \mathrm{pk}, \mathrm{Enc}(1^\kappa, \mathrm{pk}, \sigma), s) = \sigma\big] \le \frac{1}{2} + 2^{-5},$$

where the above probability is over σ ← {0,1}, s and pk sampled according to the real receiver R's distribution, the randomness of Enc, and the coins of R*.

Note that the honest-but-curious receiver R* also gets access to s, the randomness the real receiver R used to sample pk. The proof of Claim 3.6.13.1 is similar to the proof of the security of the encryption scheme (Lemma 3.5.12). Specifically, the latter proof relies on the pseudoentropy of the encoder's public message in the public-key pseudoentropy generator, which in turn relies on the KL-unpredictability of a random prefix in the argument system for the language L. Finally, this unpredictability was based on the cryptographic hardness of the language and the soundness of the argument system (Lemma 3.4.5). To prove Claim 3.6.13.1 we require a stronger statement than Lemma 3.4.5, and to achieve this we use the enhanced cryptographic hardness of L (rather than the standard cryptographic hardness). Specifically, we have the following lemma, analogous to Lemma 3.4.9, which is the core of the proof of Lemma 3.4.5 (see the text next to Lemma 3.4.9 for more explanations about the notation).

Claim 3.6.13.2. Let c = c(κ) ∈ [0, 1], s = s(κ) ∈ (0, 1] and γ = γ(κ) ∈ [0, 1]. Let r = r(κ) ∈ N, and let t = t(κ) ∈ N be polynomially bounded. Assume that

1. L is a (t, γ)-enhanced cryptographically hard language;

2. (P, V) is an r-round interactive argument system for L with completeness error c and soundness error s; and

3. 1 − c > s + γ, for all sufficiently large values of the security parameter κ ∈ N.

Then, there is a polynomial p such that for the function t′(κ) = t(κ)/p(κ), the distribution B_I is (t′, KL(1 − c ∥ s + γ))-KL-hard for sampling given (X, S, I, C⁻), where S represents the randomness used for sampling X.

The proof of Claim 3.6.13.2 is identical to the proof of Lemma 3.4.9, except that we invoke the enhanced cryptographic hardness to show that the prover's message is hard to predict even given the random coins of the oblivious sampler. If the adversary could predict the prover's next message, we could use this adversary as a cheating prover along with the verifier V to distinguish between the yes- and no-instances sampled by the oblivious sampler O_L. Given Claim 3.6.13.2, the proof of Claim 3.6.13.1 follows similar lines to those of the proof of Lemma 3.5.12, where we also include the randomness used to sample the instances where needed.

This concludes the proof of Lemma 3.6.12.

As a corollary, we get a 1-round OT protocol by the generic amplification technique of [Wul07].

Corollary 3.6.14. Assume that there exists a language L that satisfies Assumption 3.3.5 (i.e., a cryptographically hard language with a laconic SZK argument) and, moreover, L is enhanced cryptographically hard. Then, there exists a 1-round oblivious transfer protocol.

3.7 Comparing Assumptions

In this section, we compare various concrete assumptions used in the past to construct public-key encryption to the generic complexity-theoretic assumptions we use. We will mostly be concerned with Assumption 3.6.2, which is stated again below for convenience, and which we show to be implied by a number of these concrete assumptions. We also briefly discuss other concrete assumptions that are known to imply public-key encryption but for which we do not know whether they imply Assumption 3.6.2.

Assumption 3.6.2. There exists a language L ∈ NP with associated distributions over instances (Y_L, N_L), and a constant α < 1/2 such that:

1. (L, Y_L, N_L) is (poly, α)-cryptographically hard.

2. There is an r-round q-laconic honest-verifier ASZK argument for (L, Y_L, N_L) with completeness error c and soundness error s such that:

• There is a constant β > 0 such that for large enough κ: 1 − c(κ) > s(κ) + α + β.

• q and r are such that r² · q = O(log(κ)).

In each case, we first state the assumption, define the relevant language L and distributions Y_L and N_L, and prove that the assumption implies that (L, Y_L, N_L) is cryptographically hard. We then present a laconic ASZK argument for (L, Y_L, N_L) and prove its completeness, soundness and zero-knowledge, again using the assumption. In all of the SZK argument systems we construct, the verifier chooses a bit b at random, encrypts it and sends the ciphertext to the prover. The prover decrypts the ciphertext to a bit b′ and sends it to the verifier, which accepts if b′ = b. This is not surprising, since all the concrete assumptions here imply public-key encryption schemes, and we already saw in Section 3.6.2 that any such scheme implies an argument system with this structure.

Section Organization. In Section 3.7.1 we show that Lossy encryption schemes imply Assumption 3.6.2 (in fact, they imply the even stronger version, Assumption 3.3.5). In Section 3.7.2 we show that Learning Parity with Noise (LPN) implies Assumption 3.6.2. Finally, in Section 3.7.3 we show that two assumptions made in [ABW10] also imply As- sumption 3.6.2.

3.7.1 Lossy Encryption

Lossy Encryption [PVW08, BHY09] schemes have two modes of operation: the real and the lossy mode. In the real mode, it behaves like a semantically secure public key encryption scheme while in the lossy mode, the ciphertexts contain no information about the message encoded.

Definition 3.7.1 (Lossy Encryption). A Lossy Encryption scheme is a tuple of probabilistic polynomial-time algorithms (Gen, Enc, Dec) where Gen(1^κ, mode) has two modes: a real mode where it behaves like a semantically secure encryption scheme and a lossy mode that produces fake public keys. In the real mode, it outputs a pair of keys (pk, sk). In the lossy mode, it outputs a lossy public key pk. The encryption algorithm Enc(pk, σ) outputs a ciphertext ct given the message and the public key, and the decryption algorithm Dec(sk, ct) returns a decrypted message given the secret key and the ciphertext. The encryption scheme satisfies the following two additional properties:

• Key Indistinguishability: Real public keys are indistinguishable from lossy public keys. That is,

$$\{\mathrm{pk} : (\mathrm{pk}, \mathrm{sk}) \leftarrow \mathrm{Gen}(1^\kappa, \mathrm{real})\}_\kappa \approx_c \{\mathrm{pk} : \mathrm{pk} \leftarrow \mathrm{Gen}(1^\kappa, \mathrm{lossy})\}_\kappa.$$

• Lossy Encryption: Encryption using the lossy key completely loses information about the message encrypted. That is, the output distributions of encryptions of 0 and 1 under lossy keys are statistically indistinguishable. For every pk ← Gen(1^κ, lossy),

$$\mathrm{Enc}(\mathrm{pk}, 0) \approx_s \mathrm{Enc}(\mathrm{pk}, 1),$$

where the randomness is over the coins of the Enc algorithm.

Lossy encryption schemes can be constructed from various number-theoretic assumptions like Quadratic Residuosity³⁶ [GM82], Decisional Diffie-Hellman [NP01, PVW08, BHY09] and standard lattice assumptions (e.g., LWE) [Reg05, PVW08]. Assume that (Gen, Enc, Dec) is a lossy encryption scheme. We show that Assumption 3.6.2 holds. In fact, a lossy encryption scheme implies the stronger Assumption 3.3.5. The language L and its associated distributions are defined as follows:

- L consists of all possible public keys that can be generated by Gen in the real mode, i.e., L = {pk : ∃sk, (pk, sk) ∈ Supp(Gen(1^κ, real))}.

- Y_L(1^κ) runs Gen in the real mode, i.e., Gen(1^κ, real).

- N_L(1^κ) runs Gen in the lossy mode, i.e., Gen(1^κ, lossy).

It immediately follows that L is cryptographically hard. An SZK proof for (L, Y_L, N_L) is presented in Fig. 3-9. It is again easy to verify that the proof system has perfect completeness (assuming the underlying encryption scheme has no decryption errors), soundness error 1/2 + negl(κ), and is honest-verifier zero-knowledge.

³⁶ A variant of the Goldwasser-Micali scheme can be shown to be lossy. Let the public key be (N, x₀, x₁) where x₀ is a random quadratic residue and x₁ is a random non-residue with Jacobi symbol +1. To encrypt σ, output x_σ · r² where r ← Z_N. The corresponding lossy key would be (N, x̃₀, x̃₁) where both x̃₀ and x̃₁ are random quadratic residues.

³⁷ As a matter of fact, it implies an SZK proof, rather than just an argument.

Prover P(pk, sk); Verifier V(pk).

1. V: b ← {0,1}, a = Enc(pk, b). Send a to P.
2. P: b′ = Dec(sk, a). Send b′ to V.
3. V: Accept if b = b′.

Figure 3-9: Laconic Proofs from Lossy Encryption
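As an added example (not code from the thesis), the following Python implements the lossy variant of Goldwasser-Micali from footnote 36, the laconic proof of Figure 3-9 on top of it, and the lossy-encryption OT that the protocol of Figure 3-8 in Section 3.6.3 mirrors (the receiver places the real key in slot β and the lossy key in slot 1−β). The primes, modulus and trial counts are constructed toy values, and all function names are this example's own. It exercises the three facts the text relies on: perfect completeness under a real key; that under a lossy key even a prover holding the factorisation can only guess (soundness 1/2); and that the ciphertext in the lossy slot carries nothing about σ_{1−β}.

```python
import random

# Constructed toy parameters: two primes congruent to 3 mod 4 whose product is the
# GM modulus. Far too small for any security; chosen so the example runs instantly.
P, Q = 1019, 1031
N = P * Q


def is_qr_mod_prime(a, p):
    """Euler's criterion: is a a non-zero square modulo the odd prime p?"""
    return pow(a % p, (p - 1) // 2, p) == 1


def random_unit(rng):
    """Uniform element of Z_N^* (rejection sampling on the tiny modulus)."""
    while True:
        r = rng.randrange(2, N)
        if r % P and r % Q:
            return r


def random_qr(rng):
    return pow(random_unit(rng), 2, N)


def keygen(rng, mode):
    """Footnote 36's lossy variant of Goldwasser-Micali.
    real:  pk = (N, x0, x1), x0 a random QR, x1 a random non-residue with Jacobi
           symbol +1 (non-residue mod both p and q); sk = the factorisation.
    lossy: pk = (N, x0, x1) with both x0 and x1 random QRs; there is no sk."""
    x0 = random_qr(rng)
    if mode == "lossy":
        return (N, x0, random_qr(rng)), None
    while True:
        x1 = random_unit(rng)
        if not is_qr_mod_prime(x1, P) and not is_qr_mod_prime(x1, Q):
            return (N, x0, x1), (P, Q)


def enc(rng, pk, sigma):
    """Enc(pk, sigma) = x_sigma * r^2 mod N for a fresh unit r."""
    n, x0, x1 = pk
    return (x1 if sigma else x0) * pow(random_unit(rng), 2, n) % n


def dec(sk, ct):
    """Dec(sk, ct): the plaintext is 0 iff ct is a square modulo p."""
    p, _ = sk
    return 0 if is_qr_mod_prime(ct, p) else 1


def proof_round(rng, pk, prover_trapdoor):
    """One execution of Figure 3-9: V encrypts a random bit b, P answers Dec(sk, a),
    V accepts iff b = b'. The prover is handed whatever trapdoor it has."""
    b = rng.getrandbits(1)
    a = enc(rng, pk, b)
    b_prime = dec(prover_trapdoor, a)
    return b == b_prime


def acceptance_rate(seed, mode, trials=400):
    """Real key: the honest prover always answers correctly (perfect completeness).
    Lossy key: every ciphertext is a uniform QR, so even a prover that knows the
    factorisation always decrypts to 0 and is right half the time (soundness 1/2)."""
    rng = random.Random(seed)
    pk, _ = keygen(rng, mode)
    accepted = sum(proof_round(rng, pk, (P, Q)) for _ in range(trials))
    return accepted / trials


def ot_from_lossy_encryption(seed, sigma0, sigma1, beta):
    """The lossy-encryption OT that Figure 3-8 mirrors. Receiver: real key in slot
    beta, lossy key in slot 1-beta. Sender: ct_i = Enc(pk_i, sigma_i). Receiver
    decrypts ct_beta. Returns (receiver output, what Dec gives on the other slot)."""
    rng = random.Random(seed)
    real_pk, sk = keygen(rng, "real")
    lossy_pk, _ = keygen(rng, "lossy")
    pks = [None, None]
    pks[beta], pks[1 - beta] = real_pk, lossy_pk
    cts = [enc(rng, pks[0], sigma0), enc(rng, pks[1], sigma1)]
    output = dec(sk, cts[beta])
    # ct_{1-beta} is x~_sigma * r^2 with x~_sigma itself a square: a uniform QR that
    # carries no information about sigma_{1-beta}; Dec with the trapdoor always says 0.
    leaked = dec(sk, cts[1 - beta])
    return output, leaked
```

Both public keys have the shape (N, QR, element of Jacobi symbol +1), which is why a semi-honest sender cannot tell the real slot from the lossy one without deciding quadratic residuosity; that is the key-indistinguishability property of Definition 3.7.1 in this instantiation.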

3.7.2 Learning Parities with Noise

The problem of learning parities with noise (LPN) (or, equivalently, of decoding random linear codes) has found extensive use in cryptography [Pie12]. The hardness of a variant of this problem was used by Alekhnovich [Ale03] to construct a public-key encryption scheme. This hardness assumption is paraphrased below. Let m = 2n and, for any δ ∈ [0, 1], let X_{m,δ} represent the uniform distribution over vectors in {0,1}^m of Hamming weight n^δ. Recall that two distributions are (poly, ε)-hard to distinguish if no polynomial-time algorithm has advantage more than ε in distinguishing between them.

Assumption 3.7.2 (LPN). There is a constant δ < 1/2 such that the following two distributions are (poly, 1/n^{Ω(1)})-hard to distinguish:

• (A, As + e), where A ← {0,1}^{m×n}, s ← {0,1}^n, and e ← X_{m,δ}.

• (A, u), where A ← {0,1}^{m×n} and u ← {0,1}^m.

Let δ be the constant promised by the above assumption. The language L and its associated distributions are defined as follows:

- L consists of all pairs (A, As + e) where e has Hamming weight n^δ. Notice that L is in NP because the vector e serves as a witness that there is an s such that (A, As + e) is contained in L.

- Y_L(1^n) picks random A ← {0,1}^{m×n}, s ← {0,1}^n, and e ← X_{m,δ}, and outputs (A, As + e) as the instance and e as the corresponding witness.

- N_L(1^n) picks random A ← {0,1}^{m×n}, u ← {0,1}^m and outputs the instance (A, u).

Our choice of the language and distributions above is such that the LPN assumption immediately implies that (L, Y_L, N_L) is (poly, 1/n^{Ω(1)})-hard. An ASZK argument for (L, Y_L, N_L) is presented in Figure 3-10. The various properties required of this protocol are shown as follows:

- Completeness: If v = As + e for some s and e of Hamming weight n^δ, then y in the left kernel of (A|v), i.e., yᵀ(A|v) = 0, implies that ⟨y, e⟩ = ⟨y, v⟩ + ⟨y, As⟩ = 0. So, in the case b = 0, it holds that ⟨e, z⟩ = ⟨e, y⟩ + ⟨e, e′⟩ = ⟨e, e′⟩. As both e and e′ have Hamming weight n^δ = o(m^{1/2}) and are chosen at random, the probability that ⟨e, e′⟩ = 1 is o(1). On the other hand, when b = 1, ⟨e, z⟩ is unbiased. So P can guess b with constant advantage.

Prover P(A, v, e); Verifier V(A, v).

1. V: y ← Ker(A|v) (a random y with yᵀ(A|v) = 0), e′ ← X_{m,δ}, b ← {0,1}. If b = 0, z = y + e′; else z ← {0,1}^m. Send z to P.
2. P: b′ = ⟨e, z⟩. Send b′ to V.
3. V: Accept if b = b′.

Figure 3-10: ASZK argument for LPN

- Soundness: If v is a uniformly random vector, then the matrix (A|v) is completely random. The kernel of this matrix, in turn, can be written as the span of (m − n − 1) uniformly random vectors in {0,1}^m. That is, in the case b = 0, it holds that z = y + e′ = Bs′ + e′ for a uniformly random matrix B ∈ {0,1}^{m×(m−n−1)} and a uniformly random s′. And in the case b = 1, z is a uniformly random vector. These are the two distributions that the LPN assumption says are indistinguishable. So any malicious prover has advantage at most 1/n^{Ω(1)} in guessing b correctly.

- Honest-Verifier Statistical Zero-Knowledge: The simulator Sim, on input (A, v), first runs V, which selects b and z. It then sets the prover's message to also be b, and outputs (b, z, b) as the transcript. The distance of this distribution from the actual transcript is now exactly the probability that P does not guess b correctly. Thus the simulation error is the same as the completeness error, which is a constant less than 1/2.

The simulation error being as large as a constant is insufficient for our constructions, but the error in this case can be made negligible by modifying the protocol as follows. V picks the bit b and generates, say, log² n different z's for this b, with independently chosen y's and e′'s as necessary. It sends them all over and asks P to guess b. P runs as it did in the above protocol for each z, takes the majority of the results and sends that as its guess. This makes the completeness error (and hence the simulation error) negligible, while still keeping the soundness error below 1/2 + 1/n^{Ω(1)}.
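As an added example (not the thesis's code), the following Python runs the protocol of Figure 3-10 on a constructed small LPN instance and then the repeated variant sketched above. It builds the left kernel of (A|v) by Gaussian elimination over GF(2) and checks the completeness fact that every kernel vector is orthogonal to the noise e. The parameters (n = 40, m = 80, noise weight 2, k = 100 repetitions) and all function names are this example's assumptions. One choice is the example's own rather than the text's: for the repeated protocol the prover decides by comparing the fraction of 1-bits to 1/4 instead of taking a plain majority, since under b = 1 its individual inner products are fair coins. Soundness rests on the LPN assumption and cannot be exhibited by a program, so only completeness is exercised.

```python
import random


def parity(x):
    """GF(2) inner product <u, v> when called on u & v (vectors are bit-masks)."""
    return bin(x).count("1") & 1


def sparse_vector(rng, length, weight):
    """Uniform vector in {0,1}^length of the given Hamming weight (X_{m,delta})."""
    v = 0
    for pos in rng.sample(range(length), weight):
        v |= 1 << pos
    return v


def lpn_yes_instance(rng, n, m, weight):
    """Y_L: A uniform in {0,1}^{m x n} (rows as n-bit ints), v = A s + e; returns (A, v, e)."""
    A = [rng.getrandbits(n) for _ in range(m)]
    s = rng.getrandbits(n)
    v = 0
    for i, row in enumerate(A):
        v |= parity(row & s) << i
    e = sparse_vector(rng, m, weight)
    return A, v ^ e, e


def kernel_constraints(A, v, n, m):
    """The n+1 columns of (A|v) as m-bit ints: y^T (A|v) = 0 iff <c, y> = 0 for each c."""
    cols = [sum(((row >> j) & 1) << i for i, row in enumerate(A)) for j in range(n)]
    return cols + [v]


def nullspace_basis(constraints, width):
    """Basis of {y in {0,1}^width : <c, y> = 0 for all c}, Gaussian elimination over GF(2).
    Invariant: each reduced row has its own pivot bit and no other row's pivot bit."""
    reduced = []  # (pivot_bit, row)
    for r in constraints:
        for pc, pr in reduced:
            if (r >> pc) & 1:
                r ^= pr
        if r == 0:
            continue
        pc = r.bit_length() - 1
        reduced = [(c, p ^ r if (p >> pc) & 1 else p) for c, p in reduced]
        reduced.append((pc, r))
    pivots = {pc for pc, _ in reduced}
    basis = []
    for free in range(width):
        if free in pivots:
            continue
        y = 1 << free  # one free coordinate set; each pivot row then fixes its pivot bit
        for pc, pr in reduced:
            if (pr >> free) & 1:
                y |= 1 << pc
        basis.append(y)
    return basis


def verifier_challenges(rng, A, v, n, m, weight, k):
    """Verifier of Figure 3-10 with the k-fold repetition sketched after it: one bit b,
    k challenges. b = 0: z = y + e' with y a random left-kernel vector; b = 1: z uniform."""
    b = rng.getrandbits(1)
    basis = nullspace_basis(kernel_constraints(A, v, n, m), m) if b == 0 else []
    zs = []
    for _ in range(k):
        if b == 0:
            y = 0
            for vec in basis:
                if rng.getrandbits(1):
                    y ^= vec
            zs.append(y ^ sparse_vector(rng, m, weight))
        else:
            zs.append(rng.getrandbits(m))
    return b, zs


def prover_guess(e, zs):
    """Prover holding the witness e computes <e, z> per challenge. One challenge: that is
    b'. k challenges: <e, z> is 0 except with o(1) probability when b = 0 but is a fair
    coin when b = 1, so (this example's threshold rule) answer 1 iff more than a quarter
    of the inner products are 1."""
    ones = sum(parity(e & z) for z in zs)
    return ones if len(zs) == 1 else int(4 * ones > len(zs))


def run_protocol(rng, n, m, weight, k):
    A, v, e = lpn_yes_instance(rng, n, m, weight)
    b, zs = verifier_challenges(rng, A, v, n, m, weight, k)
    return prover_guess(e, zs) == b


def acceptance_rate(seed, n=40, m=80, weight=2, k=1, trials=400):
    """Fraction of accepting runs on fresh yes-instances (completeness)."""
    rng = random.Random(seed)
    return sum(run_protocol(rng, n, m, weight, k) for _ in range(trials)) / trials


def kernel_orthogonal_to_noise(seed, n=40, m=80, weight=2):
    """The completeness fact: y^T (A|v) = 0 forces <y, e> = <y, v> + <y, A s> = 0."""
    rng = random.Random(seed)
    A, v, e = lpn_yes_instance(rng, n, m, weight)
    cons = kernel_constraints(A, v, n, m)
    basis = nullspace_basis(cons, m)
    return all(parity(c & y) == 0 for c in cons for y in basis) and \
        all(parity(y & e) == 0 for y in basis)
```

With a single challenge the acceptance rate sits near 0.72 (roughly 0.95 when b = 0, exactly 1/2 when b = 1), the "constant advantage" of the completeness argument; with k = 100 challenges and the threshold rule every run accepts.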

3.7.3 Assumptions from [ABW10]

Applebaum et al. [ABW10] construct three public-key encryption schemes based on the average-case hardness of various combinatorial problems. They formulate three assumptions and use different combinations and instantiations of these in their constructions. We show that in two out of these three cases the set of assumptions used implies Assumption 3.6.2. We shall state the assumptions from [ABW10] with some admissible simplifications for ease of illustration.³⁸

³⁸ For Assumption 3.7.3, stated below, Applebaum et al. actually assume the hardness of a related search

The first assumption, called LLIN, concerns solving a noisy system of linear equations. Given integers m, n and d, let M_{m,n,d} denote the distribution over matrices in {0,1}^{m×n} sampled by picking each row to be a random vector in {0,1}^n of Hamming weight d. For ε ∈ [0, 1], denote by Ber^m_ε the distribution over vectors in {0,1}^m where each bit is set to 1 with probability ε. The assumption LLIN, parametrised by m, d, and ε, which we will later instantiate as functions of n (the security parameter), is as below.

Assumption 3.7.3 (LLIN(m, d, ε)). Consider the m × n matrix A ← M_{m,n,d}, vectors s, v ← {0,1}^n, e ← Ber^m_ε, and bit b ← {0,1}. There is a constant μ < 1/2 such that the following distributions are (poly, μ)-hard to distinguish:

• (A, As + e, v, ⟨v, s⟩)

• (A, As + e, v, b)

Typically, a matrix from M_{m,n,d} will be such that any small set of rows is linearly independent. In order to state the next assumption, we will consider picking a matrix from M_{m,n,d} and planting a small linear dependency among its rows. Let M̃_{m,n,d,q} be the distribution over {0,1}^{m×n} × {0,1}^m that is sampled as follows:

1. Sample matrices A from M_{m,n,d}, and B from M_{q,q/3,d}.
2. Pick a random q × n sub-matrix of A that contains its last row. Call this sub-matrix S.
3. Embed the columns of B as a randomly chosen subset of q/3 columns in S, and set all other entries in S to 0. Call the matrix thus obtained Ã.
4. Notice that because of the dimensions of B, there is a vector t_Ã such that t_Ãᵀ Ã = 0, that has Hamming weight at most q/3 and whose last coordinate is 1. This t_Ã expresses the last row of the embedded B as a linear combination of its other rows.
5. Output (Ã, t_Ã).

The next assumption, called DUE, states that this planting of a small linear dependence cannot be detected by polynomial-time algorithms.

Assumption 3.7.4 (DUE(m, d, q)). There is a small constant α < 1/2 such that the following distributions are (poly, α)-hard to distinguish:

• A ← M_{m,n,d}

• Ã, where (Ã, t_Ã) ← M̃_{m,n,d,q}

The first combination of assumptions used in [ABW10] that we consider is that there exist a constant d and functions m(n) = O(n), q(n) = o(n), and ε(n) = o(1/q(n)) such that both LLIN(m, d, ε) and DUE(m, d, q) hold. In order to relate this to Assumption 3.6.2, we formulate the following language and distributions:

- L consists of matrices A such that there is a set of at most q rows that are linearly dependent. L is in NP because such a set of rows acts as a witness.

- Y_L(1^n) is M̃_{m,n,d,q}, with Ã as the instance and t_Ã as the witness.

- N_L(1^n) is M_{m,n,d}.

By our choice of the distributions, DUE(m, d, q) immediately implies that (L, Y_L, N_L) is (poly, α)-hard. An ASZK argument for (L, Y_L, N_L) is presented in Figure 3-11.

³⁸ (continued) problem and show, by means of a non-trivial reduction, that the assumption stated here is implied by it, and proceed to use this simpler assumption in their constructions.

Prover P(Ã, t_Ã); Verifier V(Ã).

1. V: s ← {0,1}^n, e ← Ber^m_ε, z = Ãs + e, b ← {0,1}. If b = 1: flip the last bit of z. Send z to P.
2. P: b′ = ⟨t_Ã, z⟩. Send b′ to V.
3. V: Accept if b = b′.

Figure 3-11: ASZK argument for LLIN+DUE

The various properties required of this protocol are shown as follows:

- Completeness: If the instance Ã happens to be drawn from Y_L then, using the fact that t_Ãᵀ Ã = 0 and that the last bit of t_Ã is 1, we have the following relations:

$$\langle t_{\tilde A}, z\rangle = \langle t_{\tilde A}, \tilde A s + e\rangle + b = \langle t_{\tilde A}, e\rangle + b.$$

As each entry in e is 1 with probability ε, with all but negligible probability the Hamming weight of e is at most 100 · m · ε = o(m/q). As the Hamming weight of t_Ã is at most q, the probability that ⟨t_Ã, e⟩ = 1 is o(1). Thus, with all but o(1) probability, P guesses b correctly.

- Soundness: The assumption LLIN(m − 1, d, ε), when applied with the last row of the instance Ã as the vector v there, immediately implies that the last bit of z is (poly, μ)-hard to distinguish from random. Thus, a malicious prover cannot guess b correctly with advantage more than the μ promised by the assumption.

- Statistical Zero-Knowledge: The simulator Sim, on input Ã, first runs V, which selects s, e, b, and z. It then sets the prover's message to also be b, and outputs (s, e, b, z, b) as the transcript. The distance of this distribution from the actual transcript is now exactly the probability that P does not guess b correctly. Thus the simulation error is the same as the completeness error, which is o(1).
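As an added example (not the thesis's code), the following Python carries out steps 1 to 5 of the planted sampler M̃_{m,n,d,q} and runs the protocol of Figure 3-11 on the result. The toy parameters (m = 120, n = 60, d = 3, q = 15, ε = 0.01) and all function names are this example's assumptions; at this size the dependency t_Ã is found by exhaustive search over the q − 1 other embedded rows rather than by linear algebra. It checks that t_Ãᵀ Ã = 0 with the last coordinate of t_Ã equal to 1, that every row of Ã still has weight d (the visible structure that DUE says hides the planting), and the completeness relation ⟨t_Ã, z⟩ = ⟨t_Ã, e⟩ + b through the protocol's acceptance rate.

```python
import random


def popcount(x):
    return bin(x).count("1")


def parity(x):
    return popcount(x) & 1


def sparse_row(rng, width, d):
    """Uniform vector in {0,1}^width of Hamming weight d, as a bit-mask."""
    row = 0
    for pos in rng.sample(range(width), d):
        row |= 1 << pos
    return row


def sample_M(rng, m, n, d):
    """M_{m,n,d}: m independent rows, each uniform of weight d (rows as n-bit ints)."""
    return [sparse_row(rng, n, d) for _ in range(m)]


def sample_M_planted(rng, m, n, d, q):
    """Steps 1-5 of the planted distribution. Returns (A~, t) with t^T A~ = 0 and the
    last coordinate of t equal to 1."""
    assert q % 3 == 0 and d <= q // 3
    A = sample_M(rng, m, n, d)                              # step 1: A from M_{m,n,d}
    B = sample_M(rng, q, q // 3, d)                         #         B from M_{q,q/3,d}
    rows = sorted(rng.sample(range(m - 1), q - 1)) + [m - 1]  # step 2: q rows incl. the last
    cols = rng.sample(range(n), q // 3)                     # step 3: q/3 columns to embed into
    for i, r in enumerate(rows):
        A[r] = sum(((B[i] >> j) & 1) << cols[j] for j in range(q // 3))  # rest of S is 0
    # step 4: write B's last row as a GF(2) combination of the other q-1 embedded rows.
    # At this toy size an exhaustive search over the 2^(q-1) subsets is simplest; the
    # lightest combination is kept.
    best = None
    for mask in range(1, 1 << (q - 1)):
        acc = 0
        for i in range(q - 1):
            if (mask >> i) & 1:
                acc ^= B[i]
        if acc == B[q - 1] and (best is None or popcount(mask) < popcount(best)):
            best = mask
    if best is None:                                        # other rows do not span B's
        return sample_M_planted(rng, m, n, d, q)            # last row (rare): resample
    t = 1 << (m - 1)
    for i in range(q - 1):
        if (best >> i) & 1:
            t |= 1 << rows[i]
    return A, t                                             # step 5


def dependency_holds(A, t):
    """t^T A = 0: the rows of A selected by t XOR to the zero vector."""
    acc = 0
    for i, row in enumerate(A):
        if (t >> i) & 1:
            acc ^= row
    return acc == 0


def bernoulli_vector(rng, m, eps):
    """Ber^m_eps: each bit is 1 independently with probability eps."""
    return sum(int(rng.random() < eps) << i for i in range(m))


def protocol_round(rng, A, t, n, m, eps):
    """Figure 3-11: V sends z = A s + e with its last bit flipped iff b = 1;
    P answers b' = <t, z>; V accepts iff b = b'."""
    s = rng.getrandbits(n)
    z = sum(parity(row & s) << i for i, row in enumerate(A)) ^ bernoulli_vector(rng, m, eps)
    b = rng.getrandbits(1)
    if b == 1:
        z ^= 1 << (m - 1)
    return parity(t & z) == b


def planted_instance_check(seed, m=120, n=60, d=3, q=15):
    """(t^T A~ == 0, weight of t, every row still has weight d, last coordinate of t)."""
    rng = random.Random(seed)
    A, t = sample_M_planted(rng, m, n, d, q)
    return (dependency_holds(A, t), popcount(t),
            all(popcount(r) == d for r in A), (t >> (m - 1)) & 1)


def acceptance_rate(seed, m=120, n=60, d=3, q=15, eps=0.01, trials=500):
    """Completeness on a planted instance: <t, z> = <t, e> + b, and <t, e> = 1 only
    when the light vector t meets a 1 of the sparse noise e."""
    rng = random.Random(seed)
    A, t = sample_M_planted(rng, m, n, d, q)
    return sum(protocol_round(rng, A, t, n, m, eps) for _ in range(trials)) / trials
```

The lightest combination uses at most rank(B) ≤ q/3 of the other rows, so here t_Ã has weight at most q/3 + 1; with ε = 0.01 the prover errs in roughly 5% of rounds, matching the o(1) completeness error of the text.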

Having shown that Assumption 3.6.2 is implied by the above combination of LLIN and DUE, we next introduce the other assumption used in [ABW10], called DSF. Given any function f : {0,1}^d → {0,1} and a matrix A ∈ {0,1}^{m×n} each of whose rows has Hamming weight d, we define the composite function f_A : {0,1}^n → {0,1}^m where the i-th output bit of f_A(x) is obtained by evaluating f on the bits of x corresponding to the positions in the i-th row of A that are 1.

Assumption 3.7.5 (DSF(m, d, ε)). There exists a function f : {0,1}^d → {0,1} such that the following distributions are (poly, ε)-hard to distinguish:

• (A, u), where A ← M_{m,n,d}, u ← {0,1}^m.

• (A, f_A(u)), where A ← M_{m,n,d}, u ← {0,1}^n.

The next combination of assumptions used in [ABW10] is that there is a constant d, and functions m(n) = ω(n), q(n) = Θ(log n) and ε(n) < 1/10 such that DUE(m, d, q) and DSF(m, d, ε) hold. Let f be the function promised by DSF. We use the same language L and distributions Y_L and N_L that we did earlier, only with the values of m, d and q that come up here, and in Y_L, instead of t_Ã, we use as the witness the set S of rows where the matrix B was embedded when sampling M̃_{m,n,d,q}. DUE(m, d, q) again implies that (L, Y_L, N_L) is (poly, α)-hard. An ASZK argument for (L, Y_L, N_L) is presented in Figure 3-12.

Prover P(Ã, S); Verifier V(Ã).

1. V: x ← {0,1}^n, r ← {0,1}^m, b ← {0,1}; z = f_Ã(x) + b · r. Send z to P.
2. P: computes b′ (see the completeness argument). Send b′ to V.
3. V: Accept if b = b′.

Figure 3-12: ASZK argument for DSF+DUE

The various properties required of this protocol are shown as follows:

- Completeness: The prover P, since it knows S, knows a set of q bits of the output of f_Ã that depend on less than q/3 = Θ(log n) bits of its input. It goes through all possible settings of these bits and checks whether the respective values of all these output bits of f_Ã agree with the corresponding bits in z. If it finds a setting where they do agree, it sets b′ = 0, else b′ = 1. When b = 0, P will always find that b′ = 0. When b = 1, for any value of x, there are at most 2^{q/3} · 2^{m−q} values of r that will make P guess b′ = 0. Thus, except with probability at most 2^{−2q/3} = o(1), P will guess b′ = 1.

- Soundness: The assumption DSF(m, d, ε) immediately implies that a malicious prover cannot guess b correctly except with advantage ε.

- Statistical Zero-Knowledge: The simulator Sim, on input Ã, first runs V, which selects x, r, b, and z. It then sets the prover's message to also be b, and outputs (x, r, b, z, b) as the transcript. The distance of this distribution from the actual transcript is now exactly the probability that P does not guess b correctly. Thus the simulation error is the same as the completeness error, which is o(1).

3.8 Missing Proofs

3.8.1 Proving Lemma 3.5.7

In this section we prove Lemma 3.5.7, restated below for convenience.

Lemma 3.5.7 (Leftover Hash Lemma for ε-Smooth Min-Entropy (c.f., [RW05, Theorem 1])). Let ℋ = {h : {0,1}ⁿ → {0,1}^m} be a family of universal hash functions. Then, for any jointly distributed random variables X and Y such that X is distributed over {0,1}ⁿ, it holds that

$$\mathrm{SD}\big((H(X), H, Y), (U_m, H, Y)\big) \le \varepsilon + \frac{1}{2}\sqrt{2^{-H^{\varepsilon}_{\infty}(X|Y)} \cdot 2^m},$$

where H ← ℋ and U_m is distributed uniformly over {0,1}^m.

The proof of Lemma 3.5.7 is similar to that of [DORS08, Lemma 2.4], which considers a different notion of pseudo min-entropy that they call "average min-entropy".

Proof. Fix ε > 0 and let E be the event such that Pr[E] ≥ 1 − ε and

$$H^{\varepsilon}_{\infty}(X|Y) = \min_{y \in \mathrm{Supp}(Y)}\ \min_{x \in \mathcal{X}}\ \log\frac{1}{\Pr[(X = x) \wedge E \mid Y = y]}.$$

Let I_E be an indicator random variable for whether the event E occurred and let X_{y,b} = (X | Y = y, I_E = b). Then,

$$\begin{aligned}
\mathrm{SD}\big((H(X), H, Y), (U_m, H, Y)\big) &\le \mathrm{SD}\big((H(X), H, Y, I_E), (U_m, H, Y, I_E)\big) \\
&= \mathop{\mathbb{E}}_{(y,b) \leftarrow (Y, I_E)}\Big[\mathrm{SD}\big((H(X_{y,b}), H), (U_m, H)\big)\Big] \\
&\le \Pr[E] \cdot \mathop{\mathbb{E}}_{y \leftarrow Y|E}\Big[\mathrm{SD}\big((H(X_{y,1}), H), (U_m, H)\big)\Big] + \Pr[\neg E],
\end{aligned} \tag{3.29}$$

where the first inequality follows from data-processing for statistical distance. At this point we would like to use the original leftover-hash lemma, stated next.

Lemma 3.8.1 ([HILL99, Lemma 4.8]). Let ℋ = {h : {0,1}ⁿ → {0,1}^m} be a family of universal hash functions. Then, for any random variable X distributed over {0,1}ⁿ, and the random variable H ← ℋ, it holds that

$$\mathrm{SD}\big((H(X), H), (U_m, H)\big) \le \frac{1}{2}\sqrt{2^{-H_{\infty}(X)} \cdot 2^m},$$

where U_m is distributed uniformly over {0,1}^m.

Plugging Lemma 3.8.1 into Eq. (3.29) yields that

$$\begin{aligned}
\mathrm{SD}\big((H(X), H, Y), (U_m, H, Y)\big) &\le \Pr[E] \cdot \mathop{\mathbb{E}}_{y \leftarrow Y|E}\Big[\frac{1}{2}\sqrt{2^{-H_{\infty}(X_{y,1})} \cdot 2^m}\Big] + \varepsilon \\
&\le \frac{1}{2}\sqrt{2^m \cdot \Pr[E] \cdot \mathop{\mathbb{E}}_{y \leftarrow Y|E}\big[2^{-H_{\infty}(X_{y,1})}\big]} + \varepsilon,
\end{aligned} \tag{3.30}$$

where the last inequality follows from Jensen's inequality, since square-root is concave (and since Pr[E] ≤ √Pr[E]). Let y ∈ Supp(Y|E). Then,

$$\begin{aligned}
H_{\infty}(X_{y,1}) &= H_{\infty}(X \mid Y = y, E) \\
&= \min_{x \in \mathcal{X}} \log\frac{1}{\Pr[X = x \mid Y = y, E]} \\
&= \min_{x \in \mathcal{X}} \log\frac{\Pr[E \mid Y = y]}{\Pr[X = x, E \mid Y = y]} \\
&= \log \Pr[E \mid Y = y] + \min_{x \in \mathcal{X}} \log\frac{1}{\Pr[X = x, E \mid Y = y]} \\
&\ge \log \Pr[E \mid Y = y] + \min_{y \in \mathrm{Supp}(Y)}\ \min_{x \in \mathcal{X}} \log\frac{1}{\Pr[X = x, E \mid Y = y]} \\
&= \log \Pr[E \mid Y = y] + H^{\varepsilon}_{\infty}(X|Y).
\end{aligned} \tag{3.31}$$

Plugging Eq. (3.31) into Eq. (3.30) yields that

$$\begin{aligned}
\mathrm{SD}\big((H(X), H, Y), (U_m, H, Y)\big) &\le \frac{1}{2}\sqrt{2^m \cdot \Pr[E] \cdot \mathop{\mathbb{E}}_{y \leftarrow Y|E}\Big[\frac{2^{-H^{\varepsilon}_{\infty}(X|Y)}}{\Pr[E \mid Y = y]}\Big]} + \varepsilon \\
&= \frac{1}{2}\sqrt{2^m \cdot 2^{-H^{\varepsilon}_{\infty}(X|Y)} \cdot \mathop{\mathbb{E}}_{y \leftarrow Y|E}\Big[\frac{\Pr[E]}{\Pr[E \mid Y = y]}\Big]} + \varepsilon.
\end{aligned} \tag{3.32}$$

Finally, noting that

$$\mathop{\mathbb{E}}_{y \leftarrow Y|E}\Big[\frac{\Pr[E]}{\Pr[E \mid Y = y]}\Big] = \sum_{y \in \mathrm{Supp}(Y|E)} \frac{\Pr[Y = y \mid E] \cdot \Pr[E]}{\Pr[E \mid Y = y]} = \sum_{y \in \mathrm{Supp}(Y|E)} \frac{\Pr[Y = y, E]}{\Pr[Y = y, E] / \Pr[Y = y]} = \sum_{y \in \mathrm{Supp}(Y|E)} \Pr[Y = y] \le 1$$

completes the proof. □

3.8.2 Proving Lemma 3.5.9

In this section we prove Lemma 3.5.9 restated below for convenience.

Lemma 3.5.9. Let X = {X_κ}_{κ∈N} and Y = {Y_κ}_{κ∈N} be sequences of random variables such that X_κ and Y_κ are jointly distributed over 𝒳_κ × 𝒴_κ for every κ ∈ N. Assume X has conditional pseudoentropy at least H(X|Y) + η given Y, for η = η(κ) > 0. Then, for any δ = δ(κ) ∈ [0, log(|𝒳_κ|)] and every polynomial k = k(κ), the sequence X^k has conditional pseudo ε-smooth min-entropy at least k · (H(X|Y) + η − δ) given Y^k, for

$$\varepsilon = 2^{-\frac{k \cdot \delta^2}{2 \log^2(|\mathcal{X}| + 3)}},$$

where (X^k, Y^k) are the k-fold product repetition of (X, Y).

Proof. Assume toward a contradiction that there exist 6 and k such that Xk does not have conditional pseudo E-smooth min-entropy at least k - (H(YX) + n - 6) given yk. Namely, there exists c > 0 and an C-time algorithm D such that for every {Z},eN over y } with H (ZIY ( > k( ) - (H(Xr|Ys) + n(s) - 6()) - 1/K for large enough K E N, there exists an infinite index set I C N such that for every , E I it holds that

Pr [D 1(, I", Y) = 1] - Pr [D ZC Y-" = (3.33) >14

We use D to show that X does not have high pseudoentropy given Y, in contradiction to our assumption. Consider the following algorithm for the latter task, and recall that such algorithm also has access to an oracle that outputs three samples (one from X., one from Y and one from a distribution that has high e-smooth min-entropy; see ahead).

D on input (1I, x, y): Oracle: 0 outputs 3 values Operation: 1. Set k = k(s).

2. Make k calls to the oracle 0 and let (xj, yj, z y) be the oracle's output for the j'th call. 3. Sample i +- [k], and set y = (yi, .. -. 1 , y i yi+ 1, ..--,yk) and h = (x1, . .., xi_1, x, zi+1, -.-- ,zk). 4. Output D(1', h, y).

We show thatD distinguishes between (X, Y) and (Z, Y), for any Z that has sufficiently high pseudoentropy given Y.

Let $c' > 0$ be a constant to be determined by the analysis and let $Z = \{Z_\kappa\}_{\kappa \in \mathbb{N}}$ be a sequence of random variables over $\{\mathcal{X}_\kappa\}_{\kappa \in \mathbb{N}}$ jointly distributed with $X, Y$ such that $H(Z_\kappa|Y_\kappa) \ge H(X_\kappa|Y_\kappa) + \eta(\kappa) - 1/\kappa^{c'}$ for large enough $\kappa \in \mathbb{N}$. Fix a sufficiently large value $\kappa \in I$. To avoid cluttering, we omit $\kappa$ from the notation. By a standard hybrid argument, it holds that$^{39}$

$$\Pr\left[D'^{\mathcal{O}_{X,Y,Z}}(X, Y) = 1\right] - \Pr\left[D'^{\mathcal{O}_{X,Y,Z}}(Z, Y) = 1\right] = \frac{1}{k} \cdot \left(\Pr\left[D(X^k, Y^k) = 1\right] - \Pr\left[D(Z^k, Y^k) = 1\right]\right). \tag{3.34}$$

$^{39}$ Recall that the oracle $\mathcal{O}_{X,Y,Z}$ returns random samples (jointly) distributed according to $(X, Y, Z)$. See Definition 3.2.15.

By Theorem 3.5.6, it holds that

$$H^{\varepsilon}_{\min}(Z^k \mid Y^k) \ge k \cdot \left(H(X|Y) + \eta - 1/\kappa^{c'} - \delta\right) = k \cdot \left(H(X|Y) + \eta - \delta\right) - k/\kappa^{c'},$$

where $\varepsilon = 2^{-\frac{k\delta^2}{2\log^2(|\mathcal{X}|+3)}}$. Let $c'' > 0$ be the minimal integer such that $k/\kappa^{c''} \le 1/\kappa^c$. Eqs. (3.33) and (3.34) now yield that

$$\Pr\left[D'^{\mathcal{O}_{X,Y,Z}}(X, Y) = 1\right] - \Pr\left[D'^{\mathcal{O}_{X,Y,Z}}(Z, Y) = 1\right] > \frac{1}{k \cdot \kappa^c}.$$

Finally, since $k = \mathrm{poly}(\kappa)$, there exists $\gamma > 0$ such that the running time of $D'$ is at most $\kappa^\gamma$. Set $c' = \max\{c'', \gamma\}$. We have that $X$ does not have $(c', 1/\kappa^{c'})$-conditional pseudoentropy at least $H(X|Y) + \eta - 1/\kappa^{c'}$ given $Y$, a contradiction to the pseudoentropy of $X$ given $Y$. □


Appendix A

Appendices

A.1 Proofs of Useful Bounds

In this section, we prove Proposition 2.4.14 and the following related bound.

Proposition A.1.1. Let $m \ge 1$ and $p \ge 2$ be two integers. Let

$$c'_m = \frac{2^m \sin\left(\pi/2^m + \pi/2^{4m}\right)}{p \sin(\pi/p)}.$$

We have:

$$\log c'_m \le -\frac{1}{2^{2m+2}} + \frac{4}{p^2}.$$

To prove these two propositions, we start by studying the function $\eta : \mathbb{R}_{>0} \to \mathbb{R}$ defined by:

$$\eta(x) = \frac{x}{\pi} \sin\frac{\pi}{x}.$$

Claim A.1.1.1. For any $x \ge 1$, we have:

$$\log \eta(x) \le -\frac{1}{2x^2}.$$

Proof. We have:

$$\eta(x) = \frac{x}{\pi}\sin\frac{\pi}{x} \le \frac{x}{\pi}\left(\frac{\pi}{x} - \frac{\pi^3}{6x^3} + \frac{\pi^5}{5!\,x^5}\right) = 1 - \frac{\pi^2}{6x^2} + \frac{\pi^4}{5!\,x^4} \le 1 - \frac{1}{2x^2}.$$

We conclude using concavity of $u \mapsto \log(1+u)$, namely the fact that it implies that $\log(1+u) \le u$. □

Claim A.1.1.2. For any $y \ge 2$, we have:

$$\log\frac{1}{\eta(y)} \le \frac{4}{y^2}.$$

Proof. We have:

$$\eta(y) \ge 1 - \frac{\pi^2}{6y^2}.$$

Then:

$$\frac{1}{\eta(y)} \le \frac{1}{1 - \frac{\pi^2}{6y^2}} \le 1 + \frac{\pi^2}{3y^2},$$

where the last inequality comes from the convexity of $u \mapsto \frac{1}{1-u}$ and the fact that it implies that $\frac{1}{1-u} \le 1 + 2u$ for $0 \le u \le 1/2$ (the curve is below its chord; here $u = \pi^2/(6y^2) \le 1/2$ since $y \ge 2$). Since $\pi^2/3 \le 4$, we conclude using again the concavity of $u \mapsto \log(1+u)$. □

We can now prove Propositions 2.4.14 and A.1.1.

Proof of Proposition 2.4.14. Using Claims A.1.1.1 and A.1.1.2, we have:

$$\log c_m = \log\frac{\eta(2^m)}{\eta(p)} = \log\eta(2^m) + \log\frac{1}{\eta(p)} \le -\frac{1}{2^{2m+1}} + \frac{4}{p^2}.$$

This concludes the proof. □

Proof of Proposition A.1.1. Let us start with the case $m = 1$. We conclude as follows:

$$\log c'_m = \log\frac{\frac{2^m}{\pi}\sin\left(\pi/2^m + \pi/2^{4m}\right)}{\eta(p)} = \log\left(\frac{2^m}{\pi}\sin\left(\pi/2^m + \pi/2^{4m}\right)\right) + \log\frac{1}{\eta(p)} \le -\frac{1}{2^{2m+2}} + \frac{4}{p^2},$$

where the last inequality comes from Claim A.1.1.2 and the fact that for $m = 1$, $\log\left(\frac{2^m}{\pi}\sin\left(\pi/2^m + \pi/2^{4m}\right)\right) \approx -0.47$. Let us now suppose that $m \ge 2$. Let us define:

$$a = \frac{1}{\frac{1}{2^m} + \frac{1}{2^{4m}}} = \frac{2^{4m}}{2^{3m} + 1}.$$

We have:

$$\log c'_m = \log\frac{\frac{2^m}{a}\,\eta(a)}{\eta(p)} = \log\left(1 + \frac{1}{2^{3m}}\right) + \log\eta(a) + \log\frac{1}{\eta(p)} \le \frac{1}{2^{3m}} - \frac{1}{2a^2} + \frac{4}{p^2},$$

where the inequality comes from the concavity of $u \mapsto \log(1+u)$ and Claims A.1.1.1 and A.1.1.2. We conclude by remarking that:

$$\frac{1}{2^{3m}} - \frac{1}{2a^2} \le \frac{1}{2^{3m}} - \frac{1}{2^{2m+1}} \le \frac{1}{2^{2m+2}} - \frac{1}{2^{2m+1}} = -\frac{1}{2^{2m+2}},$$

where the first inequality uses $a \le 2^m$ and the second inequality comes from the fact that $2m + 2 \le 3m$ when $m \ge 2$. □
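As an added numerical sanity check, not part of the thesis, the following Python script evaluates $\eta$, $c_m$ and $c'_m$ and tests Claims A.1.1.1 and A.1.1.2 and Propositions 2.4.14 and A.1.1 on a grid of parameters; the closed form of $c_m$ is the one read off from the proof of Proposition 2.4.14 above, and the parameter ranges are an arbitrary choice.

```python
import math

# Added numerical check (not part of the thesis): evaluates the quantities of
# Appendix A.1 and tests the stated inequalities on a grid of parameters.


def eta(x: float) -> float:
    """eta(x) = (x / pi) * sin(pi / x), the function studied in Appendix A.1."""
    return (x / math.pi) * math.sin(math.pi / x)


def c_m(m: int, p: int) -> float:
    """c_m = eta(2^m) / eta(p) = 2^m sin(pi/2^m) / (p sin(pi/p)); this closed form of the
    constant of Proposition 2.4.14 is taken from its proof in Appendix A.1."""
    return eta(2 ** m) / eta(p)


def c_prime_m(m: int, p: int) -> float:
    """c'_m = 2^m sin(pi/2^m + pi/2^{4m}) / (p sin(pi/p)), as in Proposition A.1.1."""
    num = (2 ** m) * math.sin(math.pi / 2 ** m + math.pi / 2 ** (4 * m))
    return num / (p * math.sin(math.pi / p))


def bound_a11(m: int, p: int) -> float:
    """Right-hand side of Proposition A.1.1: -1/2^(2m+2) + 4/p^2."""
    return -1.0 / 2 ** (2 * m + 2) + 4.0 / p ** 2


def claim_a111_slack(x: float) -> float:
    """Bound minus actual value for Claim A.1.1.1 (non-negative iff the claim holds at x)."""
    return -1.0 / (2 * x * x) - math.log(eta(x))


def claim_a112_slack(y: float) -> float:
    """Bound minus actual value for Claim A.1.1.2: 4/y^2 - log(1/eta(y))."""
    return 4.0 / (y * y) - math.log(1.0 / eta(y))


def prop_2414_slack(m: int, p: int) -> float:
    """Bound minus actual value for Proposition 2.4.14: (-1/2^(2m+1) + 4/p^2) - log c_m."""
    return (-1.0 / 2 ** (2 * m + 1) + 4.0 / p ** 2) - math.log(c_m(m, p))


def prop_a11_slack(m: int, p: int) -> float:
    """Bound minus actual value for Proposition A.1.1: bound_a11(m, p) - log c'_m."""
    return bound_a11(m, p) - math.log(c_prime_m(m, p))


def m1_numerator_log() -> float:
    """log((2/pi) sin(pi/2 + pi/2^4)): the m = 1 constant the proof of A.1.1 reports as about -0.47."""
    return math.log((2 / math.pi) * math.sin(math.pi / 2 + math.pi / 2 ** 4))


def find_violations(max_m: int = 12, max_p: int = 200) -> list:
    """Return every (name, parameters) pair for which a stated inequality fails on the grid
    1 <= m <= max_m, 2 <= p <= max_p, plus real x in (1, 20] and y in [2, 200] for the claims."""
    bad = []
    for i in range(101, 2001):          # x = 1.01 ... 20.00; x = 1 is skipped since eta(1) = 0
        x = i / 100
        if claim_a111_slack(x) < 0:
            bad.append(("A.1.1.1", x))
    for i in range(200, 20001):         # y = 2.00 ... 200.00
        y = i / 100
        if claim_a112_slack(y) < 0:
            bad.append(("A.1.1.2", y))
    for m in range(1, max_m + 1):
        for p in range(2, max_p + 1):
            if prop_2414_slack(m, p) < 0:
                bad.append(("2.4.14", (m, p)))
            if prop_a11_slack(m, p) < 0:
                bad.append(("A.1.1", (m, p)))
    return bad


def p_threshold(m: int) -> int:
    """Smallest p for which the bound of Proposition A.1.1 is negative, i.e. certifies c'_m < 1:
    -1/2^(2m+2) + 4/p^2 < 0  <=>  p^2 > 2^(2m+4)  <=>  p > 2^(m+2)."""
    return 2 ** (m + 2) + 1


if __name__ == "__main__":
    print("violations on the grid:", find_violations())
    print("m = 1 numerator log:", round(m1_numerator_log(), 3))
    for m in (1, 2, 3, 4):
        p = p_threshold(m)
        print(f"m={m}: bound negative from p={p}; log c'_m = {math.log(c_prime_m(m, p)):.4f}")
```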
