Pratik Sarkar - Academia.edu

Papers by Pratik Sarkar

CompactTag: Minimizing Computation Overheads in Actively-Secure MPC for Deep Neural Networks

arXiv (Cornell University), Nov 6, 2023

PLASMA: Private, Lightweight Aggregated Statistics against Malicious Adversaries

Proceedings on Privacy Enhancing Technologies, Jul 1, 2024

Fast Actively Secure OT Extension for Short Secrets

Triply Adaptive UC NIZK

Lecture Notes in Computer Science, 2022

Multiple-Use Transferable E-Cash

International journal of computer applications, Sep 18, 2013

Fast and Universally-Composable Oblivious Transfer and Commitment Scheme with Adaptive Security

IACR Cryptology ePrint Archive, 2017

Adaptively Secure Primitives in the Random Oracle Model

Statistical Security in Two-Party Computation Revisited

Lecture Notes in Computer Science, 2022

Efficient and Round-Optimal Oblivious Transfer and Commitment with Adaptive Security

Lecture Notes in Computer Science, 2020

QuickSilver: Efficient and Affordable Zero-Knowledge Proofs for Circuits and Polynomials over Any Field

Reverse Firewalls for Oblivious Transfer Extension and Applications to Zero-Knowledge

Lecture Notes in Computer Science, 2023

Reverse Firewalls for Adaptively Secure MPC Without Setup

Lecture Notes in Computer Science, 2021

We study multi-party computation (MPC) in the setting of subversion, where the adversary tampers with the machines of honest parties. Our goal is to construct actively secure MPC protocols where parties are corrupted adaptively by an adversary (as in the standard adaptive security setting) and, in addition, honest parties' machines are compromised. The idea of reverse firewalls (RF) was introduced at EUROCRYPT'15 by Mironov and Stephens-Davidowitz as an approach to protecting protocols against corruption of honest parties' devices. Intuitively, an RF for a party P is an external entity that sits between P and the outside world and whose role is to sanitize P's incoming and outgoing messages in the face of subversion of P's computer. Mironov and Stephens-Davidowitz constructed a protocol for passively-secure two-party computation. At CRYPTO'20, Chakraborty, Dziembowski and Nielsen constructed a protocol for secure computation with firewalls that improved on this result, both by extending it to a multi-party computation protocol and by considering active security in the presence of static corruptions. In this paper, we initiate the study of RF for MPC in the adaptive setting. We put forward a definition for adaptively secure MPC in the reverse firewall setting, explore relationships among the security notions, and then construct reverse firewalls for MPC in this stronger setting of adaptive security. We also resolve the open question of Chakraborty, Dziembowski and Nielsen by removing the need for a trusted setup in constructing RF for MPC. Towards this end, we construct reverse firewalls for adaptively secure augmented coin tossing and adaptively secure zero-knowledge protocols and obtain a constant-round adaptively secure MPC protocol in the reverse firewall setting without setup. Along the way, we propose a new multi-party adaptively secure coin tossing protocol in the plain model, which is of independent interest.

Fast Actively Secure OT Extension for Short Secrets

Proceedings 2017 Network and Distributed System Security Symposium, 2017

Oblivious Transfer (OT) is one of the most fundamental cryptographic primitives, with widespread application in general secure multi-party computation (MPC) as well as in a number of tailored and special-purpose problems of interest such as private set intersection (PSI), private information retrieval (PIR) and contract signing, to name a few. Often the instantiations of OT require prohibitive communication and computation complexity. OT extension protocols were introduced to compute a very large number of OTs, referred to as extended OTs, at the cost of a small number of OTs, referred to as seed OTs. We present a fast OT extension protocol for small secrets in the active setting. Our protocol, when used to produce 1-out-of-n OTs, outperforms all the known actively secure OT extensions. Our protocol is built on the semi-honest secure extension protocol of Kolesnikov and Kumaresan of CRYPTO'13 (referred to as the KK13 protocol henceforth), which is the best known OT extension for short secrets. At the heart of our protocol lies an efficient consistency checking mechanism that relies on the linearity of Walsh-Hadamard (WH) codes. Asymptotically, our protocol adds a communication overhead of O(µ log κ) bits over the KK13 protocol irrespective of the number of extended OTs, where κ and µ refer to the computational and statistical security parameters, respectively. Concretely, when used to generate a large enough number of OTs, our protocol adds only 0.011-0.028% communication overhead and 4-6% runtime overhead, both in LAN and WAN, over the KK13 extension. The runtime overheads drop below 2% when, in addition, the number of inputs of the sender in the extended OTs is large enough. As an application of our proposed extension protocol, we show that it can be used to obtain the most efficient PSI protocol secure against a malicious receiver and a semi-honest sender.

Blazing Fast OT for Three-Round UC OT Extension

Lecture Notes in Computer Science, 2020

Oblivious Transfer (OT) is an important building block for multi-party computation (MPC). Since OT requires expensive public-key operations, efficiency-conscious MPC protocols use an OT extension (OTE) mechanism [Beaver 96, Ishai et al. 03] to provide the functionality of many independent OT instances with the same sender and receiver, using only symmetric-key operations plus a few instances of some base OT protocol. Consequently there is significant interest in constructing OTE-friendly protocols, namely protocols that, when used as the base OT for OTE, result in extended OT that is both round-efficient and cost-efficient. We present the most efficient OTE-friendly protocol to date. Specifically:

- Our base protocol incurs only 3 exponentiations per instance.
- Our base protocol results in a 3-round extended OT protocol.
- The extended protocol is UC secure in the Observable Random Oracle Model (ROM) under the CDH assumption.

For comparison, the state-of-the-art base OTs that result in 3-round OTE are proven secure only in the programmable ROM, and require 4 exponentiations under Interactive DDH or 6 exponentiations under DDH [Masny-Rindal 19]. We also implement our protocol and benchmark it against the Simplest OT protocol [Chou and Orlandi, Latincrypt 2015], which is the most efficient and widely used OT protocol but is not known to suffice for OTE. The computation cost is roughly the same in both cases. Interestingly, our base OT is also 3 rounds. However, we slightly modify the extension mechanism (which normally adds a round) so as to preserve the number of rounds in our case.

OTs" and O(m) symmetric-key operations, where κ is the computational security parameter. This yields a large number of OTs at the cost of O(1) symmetric-key operations.

The state-of-the-art protocol for malicious OT extension [KOS15] can compute more than ten million OTs per second in a high-bandwidth network setting. As such, it appears that the problem of constructing efficient OT extension has been resolved. However, some challenges remain. First, we note that the cost of the base OTs remains a significant consideration when m is only moderately larger than κ and security against all-but-one corruption is needed. For instance, Wang et al. [WRK17] reported that in their implementation of a malicious 128-party computation tolerating 127-party corruption in the WAN setting, it takes about 140 seconds to securely evaluate an AES circuit, of which 80 seconds (more than 55% of the total cost!) are spent on computing base OTs. Another challenge is the number of rounds. Ideally, we would like to obtain extended OT with only two rounds. However, here we have only two known solutions: the original OT extension of Beaver [Bea96], which is highly inefficient due to non-black-box use of the underlying symmetric-key primitives, and the Boyle et al. [BCG+19] two-round OT extension, based on the Learning Parity with Noise (LPN) assumption, whose performance is better than IKNP-like OT extension only when the network bandwidth is low (≈100 Mbps). The other approach taken in the literature is to apply a black-box OT extension (such as that of [KOS15]) to some base OT. This method, however, results in an additional round. In fact, a recent result by Garg et al. [GMMM18] shows that this is inevitable, namely that (n + 1) rounds for OT extension are necessary if an n-round base OT is used. Thus, this approach seems to result in extended OT protocols with three or more rounds. Furthermore, the state-of-the-art two-round OT protocols are much slower than the best three-round OT protocols. For example, the two-round OT by Peikert et al. [PVW08] requires 11 exponentiations.

More recently, [MR19] proposed an OT that requires 6 exponentiations under the standard DDH assumption or 4 exponentiations under the non-standard IDDH assumption. This means that even three-round extended OT protocols obtained in this way are less than optimally efficient. Another set of challenges revolves around the level of security obtained and the assumptions used. Chou and Orlandi [CO15] proposed a base-OT protocol with malicious security (dubbed COOT). The work of [HL17] proposed a similar protocol. However, it has been shown [BPRS17, GIR17, LM18] that this protocol and [HL17] cannot be proven secure with simulation-based security, because a simulator cannot extract a corrupt receiver's choice bit. There have been some works [BPRS17, DKLs18] trying to fix this issue, but all of them require either much more computation or higher round complexity. Masny and Rindal [MR19] recently proposed a UC-secure OT in the programmable random oracle model (ROM). Its performance is slightly worse than COOT under the non-standard interactive version of the Decisional Diffie-Hellman (IDDH) assumption and much worse under the Decisional Diffie-Hellman (DDH) assumption.

Crash-Tolerant Consensus in Directed Graph Revisited (Extended Abstract)

Structural Information and Communication Complexity, 2018

Fault-tolerant distributed consensus is a fundamental problem in secure distributed computing. In this work, we consider the problem of distributed consensus in directed graphs tolerating crash failures. Tseng and Vaidya (PODC'15) presented a necessary and sufficient condition for the existence of consensus protocols in directed graphs. We improve the round and communication complexity of their protocol. Moreover, we prove that our protocol requires the optimal number of communication rounds among all protocols belonging to a restricted class of crash-tolerant consensus protocols in directed graphs.

Efficient Adaptively Secure Zero-Knowledge from Garbled Circuits

IACR Cryptol. ePrint Arch., 2018

Zero-knowledge (ZK) protocols are undoubtedly among the central primitives in cryptography, lending their power to numerous applications such as secure computation, voting, auctions, and anonymous credentials, to name a few. The study of efficient ZK protocols for non-algebraic statements has seen rapid progress in recent times, relying on secure computation techniques. The primary contribution of this work lies in constructing efficient UC-secure constant-round ZK protocols from garbled circuits that are secure against adaptive corruptions, with communication linear in the size of the statement. We begin by showing that the practically efficient ZK protocol of Jawurek et al. (CCS 2013) is adaptively secure when the underlying oblivious transfer (OT) satisfies a mild adaptive security guarantee. We gain adaptive security with little to no overhead over the static case. A conditional verification technique is then used to obtain a three-round adaptively secure zero-knowledge argument ...

Crash-tolerant Consensus in Directed Graph Revisited

IACR Cryptol. ePrint Arch., 2018

Fault-tolerant distributed consensus is a fundamental problem in secure distributed computing. In this work, we consider the problem of distributed consensus in directed graphs tolerating crash failures. Tseng and Vaidya (PODC'15) presented a necessary and sufficient condition for the existence of consensus protocols in directed graphs. We improve the round and communication complexity of their protocol. Moreover, we prove that our protocol requires the optimal number of communication rounds among all protocols belonging to a restricted class of crash-tolerant consensus protocols in directed graphs.

Two-Round Adaptively Secure MPC from Isogenies, LPN, or CDH

Lecture Notes in Computer Science, 2021

Fast and Universally-Composable Oblivious Transfer and Commitment Scheme with Adaptive Security

IACR Cryptol. ePrint Arch., 2017

Adaptive security embodies one of the strongest notions of security: it allows an adversary to corrupt parties at any point during protocol execution and gain access to their internal state. Since it models real-life situations such as "hacking", efficient adaptively-secure multiparty computation (MPC) protocols are desirable. Such protocols demand primitives such as oblivious transfer (OT) and commitment schemes that are adaptively-secure as building blocks. Efficient realizations of these primitives have been found to be challenging, especially in the no-erasure model. We make progress in this direction and provide efficient constructions that are Universally-Composable in the random oracle model.

Oblivious Transfer. We present the first round-optimal framework for building adaptively-secure OT in the programmable random oracle (PRO) model, relying upon the framework of Peikert et al. (Crypto 2008). When instantiated with the Decisional Diffie-Hellman assumption, it incurs a minimal co...