Paper 2023/1006

Reusable Secure Computation in the Plain Model

Vipul Goyal, NTT Research, Carnegie Mellon University
Akshayaram Srinivasan, Tata Institute of Fundamental Research
Mingyuan Wang, University of California, Berkeley
Abstract

Consider the standard setting of two-party computation where the sender has a secret function $f$ and the receiver has a secret input $x$ and the output $f(x)$ is delivered to the receiver at the end of the protocol. Let us consider the unidirectional message model where only one party speaks in each round. In this setting, Katz and Ostrovsky (Crypto 2004) showed that at least four rounds of interaction between the parties are needed in the plain model (i.e., no trusted setup) if the simulator uses the adversary in a black-box way (a.k.a. black-box simulation). Suppose the sender and the receiver would like to run multiple sequential iterations of the secure computation protocol on possibly different inputs. For each of these iterations, do the parties need to start the protocol from scratch and exchange four messages? In this work, we explore the possibility of \textit{amortizing} the round complexity or in other words, \textit{reusing} a certain number of rounds of the secure computation protocol in the plain model. We obtain the following results. 1. Under standard cryptographic assumptions, we construct a four-round two-party computation protocol where (i) the first three rounds of the protocol could be reused an unbounded number of times if the receiver input remains the same and only the sender input changes, and (ii) the first two rounds of the protocol could be reused an unbounded number of times if the receiver input needs to change as well. In other words, the sender sends a single additional message if only its input changes, and in the other case, we need one message each from the receiver and the sender. The number of additional messages needed in each of the above two modes is optimal and, additionally, our protocol allows arbitrary interleaving of these two modes. 2. We also extend these results to the multiparty setting (in the simultaneous message exchange model) and give round-optimal protocols such that (i) the first two rounds could be reused an unbounded number of times if the inputs of the parties need to change and (ii) the first three rounds could be reused an unbounded number of times if the inputs remain the same but the functionality to be computed changes. As in the two-party setting, we allow arbitrary interleaving of the above two modes of operation.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
A minor revision of an IACR publication in CRYPTO 2023
Keywords
Reusable secure computationplain modelround optimalreusable zero-knowledgereusable oblivious transfer
Contact author(s)
vipul @ cmu edu
akshayram1993 @ gmail com
mingyuan @ berkeley edu
History
2023-06-29: approved
2023-06-28: received
See all versions
Short URL
https://ia.cr/2023/1006
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1006,
      author = {Vipul Goyal and Akshayaram Srinivasan and Mingyuan Wang},
      title = {Reusable Secure Computation in the Plain Model},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1006},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1006}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.