We introduce a new primitive, called trapdoor hash junctions (TDK), which are hash functions H : {0, 1}~n → {0, 1}~λ with additional trapdoor function-like properties. Specifically, given an index i ∈ [n], TDHs allow for sampling an encoding key ek (that hides i) along with a corresponding trapdoor. Furthermore, given H(x), a hint value E(ek,x), and the trapdoor corresponding to ek, the ith bit of x can be efficiently recovered. In this setting, one of our main questions is: How small can the hint value E(ek, x) be? We obtain constructions where the hint is only one bit long based on DDH, QR, DCR, or LWE. This primitive opens a floodgate of applications for low-communication secure computation. We mainly focus on two-message protocols between a receiver and a sender, with private inputs x and y, resp., where the receiver should learn f(x,y). We wish to optimize the (download) rate of such protocols, namely the asymptotic ratio between the size of the output and the sender's message. Using TDHs, we obtain: 1. The first protocols for (two-message) rate-1 string OT based on DDH, QR, or LWE. This has several useful consequences, such as: (a) The first constructions of PIR with communication cost poly-logarithmic in the database size based on DDH or QR. These protocols are in fact rate-1 when considering block PIR. (b) The first constructions of a semi-compact homomorphic encryption scheme for branching programs, where the encrypted output grows only with the program length, based on DDH or QR. (c) The first constructions of lossy trapdoor functions with input to output ratio approaching 1 based on DDH, QR or LWE. (d) The first constant-rate LWE-based construction of a 2-message "statistically sender-private" OT protocol in the plain model. 2. The first rate-1 protocols (under any assumption) for n parallel OTs and matrix-vector products from DDH, QR or LWE. We further consider the setting where / evaluates a RAM program y with running time T |x| on x. We obtain the first protocols with communication sublinear in the size of x, namely T • /|x| or T • /|x|, based on DDH or, resp., pairings (and correlated-input secure hash functions).
展开▼
机译:我们引入了一个称为陷阱门哈希结(TDK)的新原语,该哈希函数是哈希函数H:{0,1}〜n→{0,1}〜λ,具有类似陷阱门函数的特性。具体而言,给定索引i∈[n],TDH允许对编码关键字ek(隐藏i)以及相应的活板门进行采样。此外,给定H(x),提示值E(ek,x)和对应于ek的活板门,可以有效地恢复x的第i位。在这种情况下,我们的主要问题之一是:提示值E(ek,x)可以有多小?根据DDH,QR,DCR或LWE,我们获得了提示只有一位长的构造。此原语为低通信安全计算打开了应用程序的闸门。我们主要关注接收者和发送者之间的两种消息协议,分别带有私有输入x和y,其中接收者应该学习f(x,y)。我们希望优化此类协议的(下载)速率,即输出大小与发送者消息之间的渐近比率。使用TDH,我们获得:1.基于DDH,QR或LWE的(双消息)速率为1的字符串OT的第一个协议。这产生了一些有用的结果,例如:(a)在DDD或QR的基础上,具有数据库大小的通信成本是多对数的PIR的第一个构造。当考虑块PIR时,这些协议实际上是1。 (b)用于分支程序的半紧凑同态加密方案的第一种结构,其中基于DDH或QR,加密输出仅随程序长度增长。 (c)基于DDH,QR或LWE的投入产出比接近1的有损活板门功能的首批构造。 (d)在普通模型中,第一个基于恒定速率LWE的2消息“统计发送者-私有” OT协议的构造。 2.用于n个并行OT和DDH,QR或LWE的矩阵矢量乘积的第一个速率1协议(在任何假设下)。我们进一步考虑以下设置:/以运行时间T << | x |评估RAM程序y。在x上。我们获得了具有x大小的亚线性通信的第一个协议,即T•/ | x |。或T•/ | x |,基于DDH或配对(以及相关输入的安全哈希函数)。
展开▼
