Master’s Thesis Presentation • Cryptography, Security, and Privacy (CrySP) • Laconic and Private Evaluation of Branching Programs from the Diffie-Hellman Assumption

Wednesday, March 20, 2024 1:30 pm - 2:30 pm EDT (GMT -04:00)

Please note: This master’s thesis presentation will take place in DC 2314 and online.

Alice Murphy, Master’s candidate
David R. Cheriton School of Computer Science

Supervisor: Professor Mohammad Hajiabadi

Secure two-party computation (2PC) enables two parties to compute a function f on their joint inputs while keeping their inputs private. Laconic cryptography is a special type of 2PC in which this is done with asymptotically optimal communication in only two rounds of communication. The party who sends the first message is called the receiver and the party who replies with the second message is called the sender. Laconic cryptography considers the case of asymmetric input sizes, where the receiver’s input is much larger than the sender’s input or vice versa. As such, the size of the messages sent cannot depend on the size of the larger input. For example, if xR is the receiver’s input, xS is the sender’s input, and |xR| ≫ |xS|, then the protocol’s communication cost cannot depend on |xR|, but it may depend on |xS|.

Previous works have shown protocols can be built for laconic oblivious transfer (OT) [Cho et al. CRYPTO 2017] and laconic private set intersection (PSI) [Alamati et al. TCC 2021] from the Diffie-Hellman assumption. Quach, Wee, and Wichs [FOCS 2018] give a construction for laconic 2PC for general functionalities based on the Learning with Noise (LWE) assumption.

In this work, we bridge the gap by giving a laconic protocol for the evaluation of branching programs (BPs) from the Diffie-Hellman assumption. In this setting, the receiver holds a large branching program BP and the sender holds a short input x. Our protocol allows the receiver to learn x if and only if BP(x) = 1, and nothing more. The communication only grows with the size of x and the depth of BP, and does not further depend on the size of BP. Our construction can be used to realize PSI and private set union (PSU) functionalities and can handle unbalanced BPs and BPs with wildcards. This flexibility allows for the potential of PSI and PSU with fuzzy matching.