Two-Round Adaptively Secure Protocols from Standard Assumptions

Presentation transcript:

Two-Round Adaptively Secure Protocols from Standard Assumptions. Fabrice Benhamouda (IBM), Huijia (Rachel) Lin (UCSB), Antigoni Polychroniadou (Cornell Tech), Muthuramakrishnan Venkitasubramaniam (University of Rochester).

Secure Multi-Party Computation (UC). Four parties holding inputs x1, x2, x3, x4 compute f(x1, x2, x3, x4) = (y1, y2, y3, y4). Goal: Correctness: everyone computes f(x1,…,x4). Security: nothing but the output is revealed. Adversary: PPT, malicious, adaptive.

Static vs. Adaptive Adversaries. Static corruption: the adversary corrupts parties only at the onset of π. Adaptive corruption: the adversary corrupts parties adaptively during the execution of π.

Static vs. Adaptive Adversaries, an example. A dealer secret shares s = (s1, s2) among O(√n) random parties and publishes the set of such parties. Static: the adversary must fix its corruptions before the set is published. Adaptive: the adversary corrupts the published parties after the fact and learns s.

Adaptive Corruption of All Parties. Crucial in the composition of protocols: an n-party protocol πouter may run an m-party protocol πinner with m < n. If the adversary corrupts all m parties in πinner, the security of πouter should still hold.

Adaptive vs. Semi-Adaptive Adversaries. Semi-adaptive corruption: static corruption of one party and adaptive corruption of the other party.

State-of-the-art for Malicious MPC in the CRS model. Static: 2 rounds [BL18, GS18]. Adaptive: O(depth) rounds [CLOS02]. Partial solutions for constant-round adaptive protocols use indistinguishability obfuscation [GP15, DKR15, CGP15].

State-of-the-art for Malicious MPC in the CRS model (updated). Static: 2 rounds [BL18, GS18]. Adaptive: O(1) rounds [CPV17]. Partial solutions for constant-round adaptive protocols use indistinguishability obfuscation [GP15, DKR15, CGP15].

Our Goal. 2-round adaptive MPC from standard assumptions, and 2-round adaptive OT from standard assumptions.

Our Results. Theorem (informal): O(1)-round malicious adaptive MPC + 2-round malicious adaptive OT ⇒ 2-round malicious adaptive UC MPC. Corollary (informal): LWE/QR/DDH ⇒ 2-round malicious adaptive UC OT; LWE/QR/DDH ⇒ 2-round malicious adaptive UC MPC.

Tools for Static 2-round MPC [BL18]: garbled circuits; arbitrary-round malicious static MPC; 2-round malicious static OT; NIZK.

Tools for Adaptive 2-round MPC: equivocal garbled circuits; constant-round malicious adaptive MPC; 2-round malicious adaptive OT (?). Known so far: 3-round adaptive malicious MPC from DDH [ABP17]; 2-round adaptive malicious OT from iO [GP15].

Adaptive 2-round Oblivious Transfer, roadmap. Starting point: 2-round static malicious OT with sender & receiver oblivious sampleability, from LWE/QR/DDH. Step 1: 2-round sender-semi-adaptive malicious OT. Step 2: 2-round semi-adaptive malicious OT. Step 3: 2-round malicious adaptive OT.

Adaptive 2-round Oblivious Transfer, roadmap. Starting point: 2-round static malicious OT with sender & receiver oblivious sampleability, from LWE/QR/DDH. Step 1: 2-round sender-semi-adaptive malicious OT (this talk). Step 2: 2-round semi-adaptive malicious OT. Step 3: 2-round malicious adaptive OT.

2-round Sender-semi-adaptive Malicious OT. Theorem (informal): UC static malicious OT with sender oblivious sampleability ⇒ sender-semi-adaptive malicious UC OT.

Definition: 2-round OT. In an OT protocol we have a sender S holding messages m0, m1 and a receiver R holding a choice bit b. R sends OT1(b); S replies with OT2(m0, m1); R outputs mb. Goal: the sender should not learn b, and the receiver should not learn m1-b.

2-round Sender-semi-adaptive Malicious OT. Building block: let OT = (OT1, OT2) be a UC static malicious OT. R (input b) sends OT1(b); S (inputs m0, m1) replies with OT2(m0, m1).

2-round Sender-semi-adaptive Malicious OT. Building block: let OT = (OT1, OT2) be a UC static malicious OT. R sends OT1(b); the simulator Sim, playing the sender, sends OT2(mb). Problem: it is not possible to explain OT2 for m1-b when the sender is later corrupted.

2-round Sender-semi-adaptive Malicious OT. Building block: let OT = (OT1, OT2) be a UC static malicious OT with sender sampleability. With b = 0, Sim sends OT2(m0, 0) and would later need to explain it as OT2(m0, 1). Problem: it is not possible to obliviously sample one-out-of-two OT2 w.r.t. m0 in the real world.

2-round Sender-semi-adaptive Malicious OT. Building block: let OT = (OT1, OT2) be a UC static malicious OT with sender sampleability. With b = 0, R sends OT1(b) and S sends two second messages, OT2($, m1) and OT2(m0, $), where $ denotes an obliviously sampled value.

2-round Sender-semi-adaptive Malicious OT. Building block: let OT = (OT1, OT2) be a UC static malicious OT with sender sampleability. With b = 0, Sim sends OT2($, 0) and OT2(m0, $); the first can later be explained as OT2($, 1).


2-round Sender-semi-adaptive Malicious OT. Building block: let OT = (OT1, OT2) be a UC static malicious OT with sender sampleability. With b = 0, S sends OT2($, m1) and OT2(m0, $). Problem with correctness: which OT output is the right one?

2-round Sender-semi-adaptive Malicious OT. Building block: let OT = (OT1, OT2) be a UC static malicious OT with sender sampleability. With b = 0, S now uses rm0, rm1 and sends OT2($, rm1) and OT2(rm0, $).


Adaptive 2-round Oblivious Transfer, roadmap with tools. Starting point: 2-round static malicious OT with sender & receiver oblivious sampleability, from LWE/QR/DDH. Step 1: 2-round sender-semi-adaptive malicious OT (this talk). Step 2: 2-round semi-adaptive malicious OT. Step 3: 2-round malicious adaptive OT. Additional tools: hash proof systems with projection-key oblivious sampleability; encryption scheme with ciphertext oblivious sampleability.

Adaptive 2-round Oblivious Transfer, roadmap with tools. Starting point: 2-round static malicious OT with sender & receiver oblivious sampleability, from LWE/QR/DDH. Step 1: 2-round sender-semi-adaptive malicious OT (this talk). Step 2: 2-round semi-adaptive malicious OT. Step 3: 2-round malicious adaptive OT. Additional tools: 2-round sender-semi-adaptive malicious OT with oblivious sampleability; equivocal garbled circuits; non-interactive equivocal commitment.

Adaptive 2-round Oblivious Transfer, roadmap with tools. Starting point: 2-round static malicious OT with sender & receiver oblivious sampleability, from LWE/QR/DDH. Step 1: 2-round sender-semi-adaptive malicious OT (this talk). Step 2: 2-round semi-adaptive malicious OT. Step 3: 2-round malicious adaptive OT, built from the 2-round semi-adaptive malicious OT and augmented non-committing encryption.

Our Results. 2-round adaptive MPC from standard assumptions, and 2-round adaptive OT from standard assumptions: LWE/QR/DDH ⇒ 2-round malicious adaptive UC OT; LWE/QR/DDH ⇒ 2-round malicious adaptive UC MPC.

Open Problems: efficient adaptive 2-round MPC; adaptive laconic function evaluation; 4-round adaptive MPC in the plain model.

Thank you!

Transformation 3, tools: 2-round semi-adaptive malicious OT + augmented non-committing encryption ⇒ 2-round malicious adaptive OT.

2-round Malicious Adaptive OT. R (input b) sends OT1(b) together with public keys pk0, pk1. S (inputs m0, m1) replies with OT2(m0+r0), OT2(m1+r1), NCE(pk0, r0) and NCE(pk1, r1), where r0, r1 are random masks and NCE denotes the augmented non-committing encryption.