On Foundations of Public-Key Encryption and Secret Sharing by Akshay Dhananjai Degwekar B.Tech., Indian Institute of Technology Madras (2014) S.M., Massachusetts Institute of Technology (2016) Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY September 2019 @Massachusetts Institute of Technology 2019. All rights reserved. Signature redacted Author ............................................ Department of Electrical Engineering and Computer Science June 28, 2019 Signature redacted Certified by....................................... VWi dVaikuntanathan Associate Professor of Electrical Engineering and Computer Science Thesis Supervisor Signature redacted A ccepted by . ......... ...................... MASSACLislie 6jp lodziejski OF EHs o fTE Professor of Electrical Engineering and Computer Science Students Committee on Graduate OCT Chair, Department LIBRARIES c, On Foundations of Public-Key Encryption and Secret Sharing by Akshay Dhananjai Degwekar Submitted to the Department of Electrical Engineering and Computer Science on June 28, 2019, in partial fulfillment of the requirements for the degree of Doctor of Philosophy Abstract Since the inception of Cryptography, Information theory and Coding theory have influenced cryptography in myriad ways including numerous information-theoretic notions of security in secret sharing, multiparty computation and statistical zero knowledge; and by providing a large toolbox used extensively in cryptography. This thesis addresses two questions in this realm: Leakage Resilience of Secret Sharing Schemes. We show that classical secret sharing schemes like Shamir secret sharing and additive secret sharing over prime order fields are leakage resilient. Leakage resilience of secret sharing schemes is closely related to locally repairable codes and our results can be viewed as impossibility results for local recovery over prime order fields. As an application of the result, we show the leakage resilience of a variant of the Goldreich-Micali-Wigderson protocol. From Laconic Statistical Zero Knowledge Proofs to Public Key Encryption. Languages with statistical zero knowledge proofs that are also average-case hard have been used to construct various cryptographic primitives. We show that hard languages with laconic SZK proofs, that is proof systems where the communication from the prover to the verifier is small, imply public key encryption. Thesis Supervisor: Vinod Vaikuntanathan Title: Associate Professor of Electrical Engineering and Computer Science 3 4 Acknowledgments It takes a village to raise a child, hence I have many people to be thankful for. First and foremost, I would like to thank my adviser Vinod Vaikuntanathan for his advice, encouragement and support. I continue to be amazed by his amazing work ethic and the ability to come up with superb questions at the push of a button. I would like to thank my committee Ron Rivest and Yael Kalai, my academic supervisor Silvio Micali, and Shafi Goldwasser. I had a fantastic set of collaborators at MIT and beyond. This thesis would not have been possible without them. I would like to thank Fabrice Benhamouda, Itay Berman, Nir Bitansky, Yuval Ishai, Tal Rabin, Ron Rothblum, Vinod Vaikuntanathan, and Prashant Nalini Vasudevan for making research fun. I spent a very enjoyable summer at IBM Research. I would like to thank the crypto group: Tal, Shai, Craig, Hugo, Charanjit and Fabrice. for their hospitality. I would like to thank Alon, Elette and Tal for a great winter in Israel at IDC Herzliya. The Crypto and TOC group at MIT have been a wonderful home for the last five years. I would like to thank the admins Debbie, Joanne, Linda, Rebecca and Patrice for their help. Grad school would not have been so much fun without the residents of the 5th and 6th floor, especially, Itay. Sam, Madalina. Prashant, Govind. Adam, Ron, Tianren, Prabhanjan, Mohammad, Pritish, Nishanth, Michael, Manolis, AlexRobin,Daniel.Nir, Omer. Katerina, Justin, Aloni, Saleet. Rio, Srini, Sergey, Saeed, Logan, Kai, Andrew and Lisa to name a few. Finally I am extremely grateful for my family: my parents., Vidya and Dhananjai; Aditya and Siddhi; and lastly my twin Anand. 5 6 Contents 1 Introduction 9 1.1 A Brief Survey of Information-theoretic Cryptography .. .... ..... 10 1.2 Leakage Resilience of Secret Sharing Schemes. ..... ..... .... ... 12 1.3 From Laconic Statistical Zero Knowledge to Public Key Encryption. .... 13 1.4 O rganization .... ..... ...... ..... ..... ...... .... 15 1.4.1 Works Not Included in This Thesis .. ..... ..... ..... .. 15 2 Leakage Resilience of Secret Sharing Schemes 17 2.1 Introduction . ... .... ... ... ... .... ... ... ... 17 2.1.1 O ur R esults .... .... .... .... .... ..... 18 2.1.2 Related Work . .... .... ..... .... .... ... 21 2.2 Overview of theTechniques .. ... .... .... .... .... 23 2.2.1 Leakage Resilience of Secret Sharing Schemes .... ... 23 2.2.2 Application to Leakage Resilience of MPC protocols . .. 27 2.2.3 On Local Share Conversion .. ... .... ... .... 29 2.2.4 Additive Combinatorics Context . .... ... .... .. 31 2.3 Prelim inaries . .... .... .... ... .... .... .... 32 2.3.1 Linear Codes . .... .... ..... .... .... ... 32 2.3.2 Linear Secret Sharing Schemes ... .... .... .... 33 2.3.3 Fourier Analysis .... ...... ..... ..... ... 34 2.4 On Leakage Resilience of Secret Sharing Schemes ... ... ... 36 2.4.1 Definitions and Basic Properties .. .... ... .... 36 2.4.2 Leakage Resilience of Additive and Shamir's Secret Sharing Schemes 37 2.4.3 Proofs of Theorems 2.4.5. 2.4.6, and 2.4.7 .... .... 43 2.5 Leakage Resilience of GMW with preprocessing .... .... .. 53 2.5.1 Security Definitions ..... .... .... .... .... 54 2.5.2 GMW with Shared Product Preprocessing .. .. .. ... 55 2.5.3 Proof of Private-Outputs Local Leakage Resilience (Theorem 2.5.5) 58 2.5.4 Proof of Public-Outputs Local Leakage Resilience (Theorem 2.5.6) 60 2.6 On the Impossibility of Local Share Conversion . .... .... .... 61 2.6.1 M ore Fourier Analysis .. ..... .... ..... .... .... 63 2.6.2 On Additive Secret Sharing: Proof of Theorem 2.6.5 .. .... 64 2.6.3 On Shamir's Secret Sharing: Proof of Theorem 2.6.6 .... ... 66 2.6.4 Proof of Lemm a 2.6.10 . ..... .... ..... ..... .... 68 7 3 From Laconic SZK to Public Key Encryption 75 3.1 O verview . ......... .. ......... .. 75 3.1.1 O ur Results .. .. ......... ........ ..... 76 3.1.2 Related Works ......... ............. ........ 80 3.1.3 Techniques ....... ......................... 81 3.1.4 O rganization ................ ............... 89 3.2 Prelim inaries ........... ..................... ... 90 3.2.1 Public Key Encryption ..................... ..... 90 3.2.2 Universal Hashing ....................... ..... 91 3.2.3 Entropy and Divergence .... ............. ........ 91 3.2.4 Pseudoentropy .......... .................... 94 3.3 The Assumption and Main Theorem ...... ................ 96 3.4 From Laconic SZK to Trapdoor Pseudoentropy Generator .......... 99 3.4.1 Construction of Trapdoor Pseudoentropy Generator . 100 3.4.2 Correctness - Proving Lemma 3.4.4 ............. 103 3.4.3 Pseudoentropy - Proving Lemma 3.4.5 ........ ........ 106 3.5 From Trapdoor Pseudoentropy Generator to Public-Key Encryption .... 111 3.5.1 Technical Tools ............... ............... 112 3.5.2 Construction of Weak PKE ..... .................. 115 3.5.3 Correctness - Proving Lemma 3.5.11 .... ............ 118 3.5.4 Security - Proving Lemma 3.5.12 ........... ........ 122 3.5.5 Implementing the Approximation Algorithm Ent ........... 125 3.5.6 Proving Lemma 3.5.1 ....... ............. ...... 129 3.6 Extensions .......................... ........... 131 3.6.1 A Weaker Assumption ........ .................. 131 3.6.2 A Complexity-Theoretic Characterization of PKE ... ........ 134 3.6.3 Oblivious Transfer ........ 137 3.7 Comparing Assumptions ............ ............. .... 142 3.7.1 Lossy Encryption ................... .......... 142 3.7.2 Learning Parities with Noise ... ............. ...... 144 3.7.3 Assumptions from [ABW1O] ........ ............... 145 3.8 M issing Proofs .................................. 149 3.8.1 Proving Lemma 3.5.7 ..................... ..... 149 3.8.2 Proving Lemma 3.5.9 .. ............. ........... 150 A Appendices 165 A.1 Proofsof UsefulBounds ........ ..................... 165 8 Chapter 1 Introduction The last four decades of research in the theory of cryptography has produced a host of fantastic notions, from public-key encryption [DH76, RSA78, GM82]. multi-party compu- tation [BGW88, GMW87] and zero-knowledge proofs [GMR85] in the 1980s, to fully homo- morphic encryption [RAD78, GenO9, BV11] and program obfuscation [BGI+01, GGH+13, SW14] in the modern day. Information theory and Coding theory have played a pivotal role in these developments. Even the first rigorous definition of secrecy, by Shannon, was an information-theoretic one [Sha48]. Information theory arises in cryptography in the following somewhat distinct flavors. 1. Information-theoreticNotions of Security. A sizable minority of cryptographic primi- tives are defined, not with computational, but information theoretic security notions. Examples of such definitions include information-theoretically secure multiparty com- putation and statistical zero-knowledge proofs. 2. Cryptographic Constructions with an Information-theoretic Core. Various advanced cryptographic constructions are obtained by compiling information-theoretically