IACR Cryptol. ePrint Arch.最新文献

{"title":"Efficient isochronous fixed-weight sampling with applications to NTRU","authors":"Décio Luiz Gazzoni Filho, Tomás Recio, Julio López Hernandez","doi":"10.62056/a6n59qgxq","DOIUrl":"https://doi.org/10.62056/a6n59qgxq","url":null,"abstract":"We present a solution to the open problem of designing a linear-time, unbiased and timing attack-resistant shuffling algorithm for fixed-weight sampling. Although it can be implemented without timing leakages of secret data in any architecture, we illustrate with ARMv7-M and ARMv8-A implementations; for the latter, we take advantage of architectural features such as NEON and conditional instructions, which are representative of features available on architectures targeting similar systems, such as Intel. Our proposed algorithm improves asymptotically upon the current approach based on constant-time sorting networks (\u0000 \u0000 O\u0000 (\u0000 n\u0000 )\u0000 \u0000 versus \u0000 \u0000 O\u0000 (\u0000 n\u0000 \u0000 log\u0000 2\u0000 \u0000 n\u0000 )\u0000 \u0000 ), and an implementation of the new algorithm applied to NTRU is also faster in practice, by a factor of up to \u0000 \u0000 6.91\u0000  \u0000 (\u0000 591\u0000 %\u0000 )\u0000 \u0000 on ARMv8-A cores and \u0000 \u0000 12.89\u0000  \u0000 (\u0000 1189\u0000 %\u0000 )\u0000 \u0000 on the Cortex-M4; it also requires fewer uniform random bits. This translates into performance improvements for NTRU encapsulation, compared to state-of-the-art implementations, of up to 50% on ARMv8-A cores and 72% on the Cortex-M4, and small improvements to key generation (up to 2.7% on ARMv8-A cores and 6.1% on the Cortex-M4), with negligible impact on code size and a slight improvement in RAM usage for the Cortex-M4.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"119 17","pages":"548"},"PeriodicalIF":0.0,"publicationDate":"2024-07-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141667708","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Synchronous Distributed Key Generation without Broadcasts","authors":"Nibesh Shrestha, Adithya Bhat, Aniket Kate, Kartik Nayak","doi":"10.62056/ayfhsgvtw","DOIUrl":"https://doi.org/10.62056/ayfhsgvtw","url":null,"abstract":"<jats:p> Distributed key generation (DKG) is a key building block in developing many efficient threshold cryptosystems. This work initiates the study of communication complexity and round complexity of DKG protocols over a point-to-point (bounded) synchronous network. Our key result is the first synchronous DKG protocol for discrete log-based cryptosystems with <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\">\u0000 <mml:mrow>\u0000 <mml:mi>O</mml:mi>\u0000 <mml:mo stretchy=\"false\">(</mml:mo>\u0000 <mml:mi>κ</mml:mi>\u0000 <mml:msup>\u0000 <mml:mi>n</mml:mi>\u0000 <mml:mn>3</mml:mn>\u0000 </mml:msup>\u0000 <mml:mo stretchy=\"false\">)</mml:mo>\u0000 </mml:mrow>\u0000 </mml:math> communication complexity (<mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\">\u0000 <mml:mrow>\u0000 <mml:mi>κ</mml:mi>\u0000 </mml:mrow>\u0000 </mml:math> denotes a security parameter) that tolerates any <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\">\u0000 <mml:mrow>\u0000 <mml:mi>t</mml:mi>\u0000 <mml:mo><</mml:mo>\u0000 <mml:mi>n</mml:mi>\u0000 <mml:mo>/</mml:mo>\u0000 <mml:mn>2</mml:mn>\u0000 </mml:mrow>\u0000 </mml:math> Byzantine faults among <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\">\u0000 <mml:mrow>\u0000 <mml:mi>n</mml:mi>\u0000 </mml:mrow>\u0000 </mml:math> parties. We present two variants of the protocol: (i) a protocol with worst-case <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\">\u0000 <mml:mrow>\u0000 <mml:mi>O</mml:mi>\u0000 <mml:mo stretchy=\"false\">(</mml:mo>\u0000 <mml:mi>κ</mml:mi>\u0000 <mml:msup>\u0000 <mml:mi>n</mml:mi>\u0000 <mml:mn>3</mml:mn>\u0000 </mml:msup>\u0000 <mml:mo stretchy=\"false\">)</mml:mo>\u0000 </mml:mrow>\u0000 </mml:math> communication and <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\">\u0000 <mml:mrow>\u0000 <mml:mi>O</mml:mi>\u0000 <mml:mo stretchy=\"false\">(</mml:mo>\u0000 <mml:mi>t</mml:mi>\u0000 <mml:mo stretchy=\"false\">)</mml:mo>\u0000 </mml:mrow>\u0000 </mml:math> rounds, and (ii) a protocol with expected <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\">\u0000 <mml:mrow>\u0000 <mml:mi>O</mml:mi>\u0000 <mml:mo stretchy=\"false\">(</mml:mo>\u0000 <mml:mi>κ</mml:mi>\u0000 <mml:msup>\u0000 <mml:mi>n</mml:mi>\u0000 <mml:mn>3</mml:mn>\u0000 </mml:msup>\u0000 <mml:mo stretchy=\"false\">)</mml:mo>\u0000 </mml:mrow>\u0000 </mml:math> communication and expected constant rounds. In the process of achieving our results, we design (1) a novel weak gradecast protocol with ","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"116 39","pages":"1635"},"PeriodicalIF":0.0,"publicationDate":"2024-07-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141666566","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"An Explicit High-Moment Forking Lemma and its Applications to the Concrete Security of Multi-Signatures","authors":"Gil Segev, Liat Shapira","doi":"10.62056/a6qj89n4e","DOIUrl":"https://doi.org/10.62056/a6qj89n4e","url":null,"abstract":"In this work we first present an explicit forking lemma that distills the information-theoretic essence of the high-moment technique introduced by Rotem and Segev (CRYPTO '21), who analyzed the security of identification protocols and Fiat-Shamir signature schemes. Whereas the technique of Rotem and Segev was particularly geared towards two specific cryptographic primitives, we present a stand-alone probabilistic lower bound, which does not involve any underlying primitive or idealized model. The key difference between our lemma and previous ones is that instead of focusing on the tradeoff between the worst-case or expected running time of the resulting forking algorithm and its success probability, we focus on the tradeoff between higher moments of its running time and its success probability.\u0000 Equipped with our lemma, we then establish concrete security bounds for the BN and BLS multi-signature schemes that are significantly tighter than the concrete security bounds established by Bellare and Neven (CCS '06) and Boneh, Drijvers and Neven (ASIACRYPT '18), respectively. Our analysis does not limit adversaries to any idealized algebraic model, such as the algebraic group model in which all algorithms are assumed to provide an algebraic justification for each group element they produce. Our bounds are derived in the random-oracle model based on the standard-model second-moment hardness of the discrete logarithm problem (for the BN scheme) and the computational co-Diffie-Hellman problem (for the BLS scheme). Such second-moment assumptions, asking that the success probability of any algorithm in solving the underlying computational problems is dominated by the second moment of the algorithm's running time, are particularly plausible in any group where no better-than-generic algorithms are currently known.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":" 5","pages":"934"},"PeriodicalIF":0.0,"publicationDate":"2024-07-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141668882","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Decentralized Multi-Client Functional Encryption with Strong Security","authors":"K. Nguyen, David Pointcheval, Robert Schädlich","doi":"10.62056/andkp2fgx","DOIUrl":"https://doi.org/10.62056/andkp2fgx","url":null,"abstract":"Decentralized Multi-Client Functional Encryption (DMCFE) extends the basic functional encryption to multiple clients that do not trust each other. They can independently encrypt the multiple plaintext-inputs to be given for evaluation to the function embedded in the functional decryption key, defined by multiple parameter-inputs. And they keep control on these functions as they all have to contribute to the generation of the functional decryption keys. Tags can be used in the ciphertexts and the keys to specify which inputs can be combined together. As any encryption scheme, DMCFE provides privacy of the plaintexts. But the functions associated to the functional decryption keys might be sensitive too (e.g. a model in machine learning). The function-hiding property has thus been introduced to additionally protect the function evaluated during the decryption process.\u0000 In this paper, we provide new proof techniques to analyze a new concrete construction of function-hiding DMCFE for inner products, with strong security guarantees: the adversary can adaptively query multiple challenge ciphertexts and multiple challenge keys, with unbounded repetitions of the same tags in the ciphertext-queries and a fixed polynomially-large number of repetitions of the same tags in the key-queries. Previous constructions were proven secure in the selective setting only.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"114 49","pages":"764"},"PeriodicalIF":0.0,"publicationDate":"2024-07-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141668212","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Optimizing and Implementing Fischlin's Transform for UC-Secure Zero-Knowledge","authors":"Yi-Hsiu Chen, Yehuda Lindell","doi":"10.62056/a66chey6b","DOIUrl":"https://doi.org/10.62056/a66chey6b","url":null,"abstract":"Fischlin's transform (CRYPTO 2005) is an alternative to the Fiat-Shamir transform that enables straight-line extraction when proving knowledge. In this work we focus on the problem of using the Fischlin transform to construct UC-secure zero-knowledge from Sigma protocols, since UC security – that guarantees security under general concurrent composition – requires straight-line (non-rewinding) simulators. We provide a slightly simplified transform that is much easier to understand, and present algorithmic and implementation optimizations that significantly improve the running time. It appears that the main obstacles to the use of Fischlin in practice is its computational cost and implementation complexity (with multiple parameters that need to be chosen). We provide clear guidelines and a simple methodology for choosing parameters, and show that with our optimizations the running-time is far lower than expected. For just one example, on a 2023 MacBook, the cost of proving the knowledge of discrete log with Fischlin is only 0.41ms (on a single core). This is 15 times slower than plain Fiat-Shamir on the same machine, which is a significant multiple but objectively not significant in many applications. We also extend the transform so that it can be applied to batch proofs, and show how this can be much more efficient than individually proving each statement. We hope that this paper will both encourage and help practitioners implement the Fischlin transform where relevant.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"104 29","pages":"526"},"PeriodicalIF":0.0,"publicationDate":"2024-07-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141667407","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Randomness Generation for Secure Hardware Masking - Unrolled Trivium to the Rescue","authors":"Gaëtan Cassiers, Loïc Masure, Charles Momin, Thorben Moos, A. Moradi, François-Xavier Standaert","doi":"10.62056/akdkp2fgx","DOIUrl":"https://doi.org/10.62056/akdkp2fgx","url":null,"abstract":"Masking is a prominent strategy to protect cryptographic implementations against side-channel analysis. Its popularity arises from the exponential security gains that can be achieved for (approximately) quadratic resource utilization. Many variants of the countermeasure tailored for different optimization goals have been proposed. The common denominator among all of them is the implicit demand for robust and high entropy randomness. Simply assuming that uniformly distributed random bits are available, without taking the cost of their generation into account, leads to a poor understanding of the efficiency vs. security tradeoff of masked implementations. This is especially relevant in case of hardware masking schemes which are known to consume large amounts of random bits per cycle due to parallelism. Currently, there seems to be no consensus on how to most efficiently derive many pseudo-random bits per clock cycle from an initial seed and with properties suitable for masked hardware implementations. In this work, we evaluate a number of building blocks for this purpose and find that hardware-oriented stream ciphers like Trivium and its reduced-security variant Bivium B outperform most competitors when implemented in an unrolled fashion. Unrolled implementations of these primitives enable the flexible generation of many bits per cycle, which is crucial for satisfying the large randomness demands of state-of-the-art masking schemes. According to our analysis, only Linear Feedback Shift Registers (LFSRs), when also unrolled, are capable of producing long non-repetitive sequences of random-looking bits at a higher rate per cycle for the same or lower cost as Trivium and Bivium B. Yet, these instances do not provide black-box security as they generate only linear outputs. We experimentally demonstrate that using multiple output bits from an LFSR in the same masked implementation can violate probing security and even lead to harmful randomness cancellations. Circumventing these problems, and enabling an independent analysis of randomness generation and masking, requires the use of cryptographically stronger primitives like stream ciphers. As a result of our studies, we provide an evidence-based estimate for the cost of securely generating \u0000 \u0000 n\u0000 \u0000 fresh random bits per cycle. Depending on the desired level of black-box security and operating frequency, this cost can be as low as \u0000 \u0000 20\u0000 n\u0000 \u0000 to \u0000 \u0000 30\u0000 n\u0000 \u0000 ASIC gate equivalents (GE) or \u0000 \u0000 3\u0000 n\u0000 \u0000 to \u0000 \u0000 4\u0000 n\u0000 \u0000 FPGA look-up tables (LUTs), where \u0000 \u0000 n\u0000 \u0000 is the number of random bits required. Our results demonstrate that the cost per bit is (sometimes significantly) lower than estimated in previous works, incentivizing parallelism whenever exploitable. This provides further motivation to potentially move low randomness usage from a primary to a secondary design goal in hardware masking research.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":" 1236","pages":"1134"},"PeriodicalIF":0.0,"publicationDate":"2024-07-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141668897","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Communication-Efficient Multi-Party Computation for RMS Programs","authors":"Thomas Attema, Aron van Baarsen, Stefan van den Berg, Pedro Capitão, Vincent Dunning, Lisa Kohl","doi":"10.62056/ab0lmp-3y","DOIUrl":"https://doi.org/10.62056/ab0lmp-3y","url":null,"abstract":"Despite much progress, general-purpose secure multi-party computation (MPC) with active security may still be prohibitively expensive in settings with large input datasets. This particularly applies to the secure evaluation of graph algorithms, where each party holds a subset of a large graph. Recently, Araki et al. (ACM CCS '21) showed that dedicated solutions may provide significantly better efficiency if the input graph is sparse. In particular, they provide an efficient protocol for the secure evaluation of “message passing” algorithms, such as the PageRank algorithm. Their protocol's computation and communication complexity are both \u0000 \u0000 \u0000 \u0000 O\u0000 \u0000 ~\u0000 \u0000 (\u0000 M\u0000 ·\u0000 B\u0000 )\u0000 \u0000 instead of the \u0000 \u0000 O\u0000 (\u0000 \u0000 M\u0000 2\u0000 \u0000 )\u0000 \u0000 complexity achieved by general-purpose MPC protocols, where \u0000 \u0000 M\u0000 \u0000 denotes the number of nodes and \u0000 \u0000 B\u0000 \u0000 the (average) number of incoming edges per node. On the downside, their approach achieves only a relatively weak security notion; \u0000 \u0000 1\u0000 \u0000 -out-of-\u0000 \u0000 3\u0000 \u0000 malicious security with selective abort.\u0000 In this work, we show that PageRank can instead be captured efficiently as a restricted multiplication straight-line (RMS) program, and present a new actively secure MPC protocol tailored to handle RMS programs. In particular, we show that the local knowledge of the participants can be leveraged towards the first maliciously-secure protocol with communication complexity linear in \u0000 \u0000 M\u0000 \u0000 , independently of the sparsity of the graph. We present two variants of our protocol. In our communication-optimized protocol, going from semi-honest to malicious security only introduces a small communication overhead, but results in quadratic computation complexity \u0000 \u0000 O\u0000 (\u0000 \u0000 M\u0000 2\u0000 \u0000 )\u0000 \u0000 . In our balanced protocol, we still achieve a linear communication complexity \u0000 \u0000 O\u0000 (\u0000 M\u0000 )\u0000 \u0000 , although with worse constants, but a significantly better computational complexity scaling with \u0000 \u0000 O\u0000 (\u0000 M\u0000 ·\u0000 B\u0000 )\u0000 \u0000 . Additionally, our protocols achieve security with identifiable abort and can tolerate up to \u0000 \u0000 n\u0000 −\u0000 1\u0000 \u0000 corruptions.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":" 10","pages":"568"},"PeriodicalIF":0.0,"publicationDate":"2024-07-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141668459","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A Long Tweak Goes a Long Way: High Multi-user Security Authenticated Encryption from Tweakable Block Ciphers","authors":"Benoît Cogliati, Jérémy Jean, Thomas Peyrin, Y. Seurin","doi":"10.62056/a3qjp2fgx","DOIUrl":"https://doi.org/10.62056/a3qjp2fgx","url":null,"abstract":"We analyze the multi-user (mu) security of a family of nonce-based authentication encryption (nAE) schemes based on a tweakable block cipher (TBC). The starting point of our work is an analysis of the mu security of the SCT-II mode which underlies the nAE scheme Deoxys-II, winner of the CAESAR competition for the defense-in-depth category. We extend this analysis in two directions, as we detail now.\u0000 First, we investigate the mu security of several TBC-based variants of the counter encryption mode (including CTRT, the encryption mode used within SCT-II) that differ by the way a nonce, a random value, and a counter are combined as tweak and plaintext inputs to the TBC to produce the keystream blocks that will mask the plaintext blocks. Then, we consider the authentication part of SCT-II and study the mu security of the nonce-based MAC Nonce-as-Tweak (NaT) built from a TBC and an almost universal (AU) hash function. We also observe that the standard construction of an AU hash function from a (T)BC can be proven secure under the assumption that the underlying TBC is unpredictable rather than pseudorandom, allowing much better conjectures on the concrete AU advantage. This allows us to derive the mu security of the family of nAE modes obtained by combining these encryption/MAC building blocks through the NSIV composition method.\u0000 Some of these modes require an underlying TBC with a larger tweak length than what is usually available for existing ones. We then show the practicality of our modes by instantiating them with two new TBC constructions, Deoxys-TBC-512 and Deoxys-TBC-640, which can be seen as natural extensions of the Deoxys-TBC family to larger tweak input sizes. Designing such TBCs with unusually large tweaks is prone to pitfalls: Indeed, we show that a large-tweak proposal for SKINNY published at EUROCRYPT 2020 presents an inherent construction flaw. We therefore provide a sound design strategy to construct large-tweak TBCs within the Superposition Tweakey (STK) framework, leading to new Deoxys-TBC and SKINNY variants. We provide software benchmarks indicating that while ensuring a very high security level, the performances of our proposals remain very competitive.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"119 19","pages":"846"},"PeriodicalIF":0.0,"publicationDate":"2024-07-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141667706","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"PRAC: Round-Efficient 3-Party MPC for Dynamic Data Structures","authors":"Sajin Sasy, Adithya Vadapalli, Ian Goldberg","doi":"10.56553/popets-2024-0100","DOIUrl":"https://doi.org/10.56553/popets-2024-0100","url":null,"abstract":"We present Private Random Access Computations (PRAC), a 3-party Secure Multi-Party Computation (MPC) framework to support random-access data structure algorithms for MPC with efficient communication in terms of rounds and bandwidth. PRAC extends the state-of-the-art DORAM Duoram with a new implementation, more flexibility in how the DORAM memory is shared, and support for Incremental and Wide DPFs. We then use these DPF extensions to achieve algorithmic improvements in three novel oblivious data structure protocols for MPC. PRAC exploits the observation that a secure protocol for an algorithm can gain efficiency if the protocol explicitly reveals information leaked by the algorithm inherently. We first present an optimized binary search protocol that reduces the bandwidth from O(lg² n) to O(lg n) for obliviously searching over n items. We then present an oblivious heap protocol with rounds reduced from O(lg n) to O(lg lg n) for insertions, and bandwidth reduced from O(lg² n) to O(lg n) for extractions. Finally, we also present the first oblivious AVL tree protocol for MPC where no party learns the data or the structure of the AVL tree, and can support arbitrary insertions and deletions with O(lg n) rounds and bandwidth. We experimentally evaluate our protocols with realistic network settings for a wide range of memory sizes to demonstrate their efficiency. For instance, we observe our binary search protocol provides >27× and >3× improvements in wall-clock time and bandwidth respectively over other approaches for a memory with 2^26 items; for the same setting our heap's extract-min protocol achieves >31× speedup in wall-clock time and >13× reduction in bandwidth.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"19 1","pages":"1897"},"PeriodicalIF":0.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141704091","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"CheckOut: User-Controlled Anonymization for Customer Loyalty Programs","authors":"Matthew Gregoire, Rachel Thomas, Saba Eskandarian","doi":"10.56553/popets-2024-0076","DOIUrl":"https://doi.org/10.56553/popets-2024-0076","url":null,"abstract":"To resist the regimes of ubiquitous surveillance imposed upon us in every facet of modern life, we need technological tools that subvert surveillance systems. Unfortunately, while cryptographic tools frequently demonstrate how we can construct systems that safeguard user privacy, there is limited motivation for corporate entities engaged in surveillance to adopt these tools, as they often clash with profit incentives. This paper demonstrates how, in one particular aspect of everyday life -- customer loyalty programs -- users can subvert surveillance and attain anonymity, without necessitating any cooperation or modification in the behavior of their surveillors. We present the CheckOut system, which allows users to coordinate large anonymity sets of shoppers to hide the identity and purchasing habits of each particular user in the crowd. CheckOut scales up and systematizes past efforts to subvert loyalty surveillance, which have been primarily ad-hoc and manual affairs where customers physically swap loyalty cards to mask their real identities. CheckOut allows increased scale while ensuring that the necessary computing infrastructure does not itself become a new centralized point of privacy failure. Of particular importance to our scheme is a protocol for loyalty programs that offer reward points, where we demonstrate how CheckOut can assist users in paying each other back for loyalty points accrued while using each others' loyalty accounts. We present two different mechanisms to facilitate redistributing rewards points, offering trade-offs in functionality, performance, and security.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"95 1","pages":"475"},"PeriodicalIF":0.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141699157","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}