-
Must the Communication Graph of MPC Protocols be an Expander?
Authors:
Elette Boyle,
Ran Cohen,
Deepesh Data,
Pavel Hubáček
Abstract:
Secure multiparty computation (MPC) on incomplete communication networks has been studied within two primary models: (1) Where a partial network is fixed a priori, and thus corruptions can occur dependent on its structure, and (2) Where edges in the communication graph are determined dynamically as part of the protocol. Whereas a rich literature has succeeded in mapping out the feasibility and limitations of graph structures supporting secure computation in the fixed-graph model (including strong classical lower bounds), these bounds do not apply in the latter dynamic-graph setting, which has recently seen exciting new results, but remains relatively unexplored.
In this work, we initiate a similar foundational study of MPC within the dynamic-graph model. As a first step, we investigate the property of graph expansion. All existing protocols (implicitly or explicitly) yield communication graphs which are expanders, but it is not clear whether this is inherent. Our results consist of two types (for a constant fraction of corruptions):
* Upper bounds: We demonstrate secure protocols whose induced communication graphs are not expander graphs, within a wide range of settings (computational, information theoretic, with low locality, even with low locality and adaptive security), each assuming some form of input-independent setup.
* Lower bounds: In the plain model (no setup) with adaptive corruptions, we demonstrate that for certain functionalities, no protocol can maintain a non-expanding communication graph against all adversarial strategies. Our lower bound relies only on protocol correctness (not privacy), and requires a surprisingly delicate argument.
More generally, we provide a formal framework for analyzing the evolving communication graph of MPC protocols, giving a starting point for studying the relation between secure computation and further, more general graph properties.
Submitted 21 June, 2023; v1 submitted 19 May, 2023;
originally announced May 2023.
-
PPP-Completeness and Extremal Combinatorics
Authors:
Romain Bourneuf,
Lukáš Folwarczný,
Pavel Hubáček,
Alon Rosen,
Nikolaj Ignatieff Schwartzbach
Abstract:
Many classical theorems in combinatorics establish the emergence of substructures within sufficiently large collections of objects. Well-known examples are Ramsey's theorem on monochromatic subgraphs and the Erdős-Rado sunflower lemma. Implicit versions of the corresponding total search problems are known to be PWPP-hard; here "implicit" means that the collection is represented by a poly-sized circuit inducing an exponentially large number of objects.
We show that several other well-known theorems from extremal combinatorics - including Erdős-Ko-Rado, Sperner, and Cayley's formula - give rise to complete problems for PWPP and PPP. This is in contrast to the Ramsey and Erdős-Rado problems, for which establishing inclusion in PWPP has remained elusive. Besides significantly expanding the set of problems that are complete for PWPP and PPP, our work identifies some key properties of combinatorial proofs of existence that can give rise to completeness for these classes.
Our completeness results rely on efficient encodings for which finding collisions allows extracting the desired substructure. These encodings are made possible by the tightness of the bounds for the problems at hand (tighter than what is known for Ramsey's theorem and the sunflower lemma). Previous techniques for proving bounds in TFNP invariably made use of structured algorithms. Such algorithms are not known to exist for the theorems considered in this work, as their proofs "from the book" are non-constructive.
Submitted 11 September, 2022;
originally announced September 2022.
-
On Search Complexity of Discrete Logarithm
Authors:
Pavel Hubáček,
Jan Václavek
Abstract:
In this work, we study the discrete logarithm problem in the context of TFNP - the complexity class of search problems with a syntactically guaranteed existence of a solution for all instances. Our main results establish that suitable variants of the discrete logarithm problem are complete for the complexity class PPP, respectively PWPP, i.e., the subclasses of TFNP capturing total search problems with a solution guaranteed by the pigeonhole principle, respectively the weak pigeonhole principle. Besides answering an open problem from the recent work of Sotiraki, Zampetakis, and Zirdelis (FOCS'18), our completeness results for PPP and PWPP have implications for the recent line of work proving conditional lower bounds for problems in TFNP under cryptographic assumptions. In particular, they highlight that any attempt at basing average-case hardness in subclasses of TFNP (other than PWPP and PPP) on the average-case hardness of the discrete logarithm problem must exploit its structural properties beyond what is necessary for constructions of collision-resistant hash functions.
Additionally, our reductions provide new structural insights into the class PWPP by establishing two new PWPP-complete problems. First, the problem DOVE, a relaxation of the PPP-complete problem PIGEON. DOVE is the first PWPP-complete problem not defined in terms of an explicitly shrinking function. Second, the problem CLAW, a total search problem capturing the computational complexity of breaking claw-free permutations. In the context of TFNP, the PWPP-completeness of CLAW matches the known intrinsic relationship between collision-resistant hash functions and claw-free permutations established in the cryptographic literature.
Submitted 5 September, 2021; v1 submitted 6 July, 2021;
originally announced July 2021.
-
Stronger Lower Bounds for Online ORAM
Authors:
Pavel Hubáček,
Michal Koucký,
Karel Král,
Veronika Slívová
Abstract:
Oblivious RAM (ORAM), introduced in the context of software protection by Goldreich and Ostrovsky [JACM'96], aims at obfuscating the memory access pattern induced by a RAM computation. Ideally, the memory access pattern of an ORAM should be independent of the data being processed. Since the work of Goldreich and Ostrovsky, it was believed that there is an inherent $\Omega(\log n)$ bandwidth overhead in any ORAM working with memory of size $n$. Larsen and Nielsen [CRYPTO'18] were the first to give a general $\Omega(\log n)$ lower bound for any online ORAM, i.e., an ORAM that must process its inputs in an online manner.
In this work, we revisit the lower bound of Larsen and Nielsen, which was proved under the assumption that the adversarial server knows exactly which server accesses correspond to which input operation. We give an $\Omega(\log n)$ lower bound for the bandwidth overhead of any online ORAM even when the adversary has no access to this information. For many known constructions of ORAM this information is provided implicitly as each input operation induces an access sequence of roughly the same length. Thus, they are subject to the lower bound of Larsen and Nielsen. Our results rule out a broader class of constructions and specifically, they imply that obfuscating the boundaries between the input operations does not help in building a more efficient ORAM.
As our main technical contribution and to handle the lack of structure, we study the properties of access graphs induced naturally by the memory access pattern of an ORAM computation. We identify a particular graph property that can be efficiently tested and that all access graphs of ORAM computation must satisfy with high probability. This property is reminiscent of the Larsen-Nielsen property but it is substantially less structured; that is, it is more generic.
Submitted 23 September, 2019; v1 submitted 8 March, 2019;
originally announced March 2019.
-
ARRIVAL: Next Stop in CLS
Authors:
Bernd Gärtner,
Thomas Dueholm Hansen,
Pavel Hubáček,
Karel Král,
Hagar Mosaad,
Veronika Slívová
Abstract:
We study the computational complexity of ARRIVAL, a zero-player game on $n$-vertex switch graphs introduced by Dohrau, Gärtner, Kohler, Matoušek, and Welzl. They showed that the problem of deciding termination of this game is contained in $\text{NP} \cap \text{coNP}$. Karthik C. S. recently introduced a search variant of ARRIVAL and showed that it is in the complexity class PLS. In this work, we significantly improve the known upper bounds for both the decision and the search variants of ARRIVAL.
First, we resolve a question suggested by Dohrau et al. and show that the decision variant of ARRIVAL is in $\text{UP} \cap \text{coUP}$. Second, we prove that the search variant of ARRIVAL is contained in CLS. Third, we give a randomized $\mathcal{O}(1.4143^n)$-time algorithm to solve both variants.
Our main technical contributions are (a) an efficiently verifiable characterization of the unique witness for termination of the ARRIVAL game, and (b) an efficient way of sampling from the state space of the game. We show that the problem of finding the unique witness is contained in CLS, whereas it was previously conjectured to be FPSPACE-complete. The efficient sampling procedure yields the first algorithm for the problem that has expected runtime $\mathcal{O}(c^n)$ with $c<2$.
Submitted 21 February, 2018;
originally announced February 2018.
-
When Can Limited Randomness Be Used in Repeated Games?
Authors:
Pavel Hubáček,
Moni Naor,
Jonathan Ullman
Abstract:
The central result of classical game theory states that every finite normal form game has a Nash equilibrium, provided that players are allowed to use randomized (mixed) strategies. However, in practice, humans are known to be bad at generating random-like sequences, and true random bits may be unavailable. Even if the players have access to enough random bits for a single instance of the game their randomness might be insufficient if the game is played many times.
In this work, we ask whether randomness is necessary for equilibria to exist in finitely repeated games. We show that for a large class of games containing arbitrary two-player zero-sum games, approximate Nash equilibria of the $n$-stage repeated version of the game exist if and only if both players have $\Omega(n)$ random bits. In contrast, we show that there exists a class of games for which no equilibrium exists in pure strategies, yet the $n$-stage repeated version of the game has an exact Nash equilibrium in which each player uses only a constant number of random bits.
When the players are assumed to be computationally bounded, if cryptographic pseudorandom generators (or, equivalently, one-way functions) exist, then the players can base their strategies on "random-like" sequences derived from only a small number of truly random bits. We show that, in contrast, in repeated two-player zero-sum games, if pseudorandom generators \emph{do not} exist, then $\Omega(n)$ random bits remain necessary for equilibria to exist.
Submitted 5 July, 2015;
originally announced July 2015.
-
Cryptographically Blinded Games: Leveraging Players' Limitations for Equilibria and Profit
Authors:
Pavel Hubáček,
Sunoo Park
Abstract:
In this work we apply methods from cryptography to enable any number of mutually distrusting players to implement broad classes of mediated equilibria of strategic games without the need for trusted mediation.
Our implementation makes use of a (standard) pre-play "cheap talk" phase, in which players engage in free and non-binding communication prior to playing in the original game. In our cheap talk phase, the players execute a secure multi-party computation protocol to sample an action profile from an equilibrium of a "cryptographically blinded" version of the original game, in which actions are encrypted. The essence of our approach is to exploit the power of encryption to selectively restrict the information available to players about sampled action profiles, such that these desirable equilibria can be stably achieved. In contrast to previous applications of cryptography to game theory, this work is the first to employ the paradigm of using encryption to allow players to benefit from hiding information \emph{from themselves}, rather than from others; and we stress that rational players would \emph{choose} to hide the information from themselves.
Submitted 13 November, 2014;
originally announced November 2014.