COMPLEXITY-THEORETIC FOUNDATIONS OF STEGANOGRAPHY AND COVERT COMPUTATION. Daniel Apon.

Presentation transcript:

COMPLEXITY-THEORETIC FOUNDATIONS OF STEGANOGRAPHY AND COVERT COMPUTATION
Daniel Apon

TODAY’S TALK
Portrait of an invisible cake. Hopefully we have a good handle on this! Alice and Bob want to jointly compute a function without giving away their secrets! We’re baking a steganographic cake! Ingredients: Normal cryptographic notions Secure multi-party computation And in the process we answer one of life’s ultimate questions! How to find out if “he” or “she” is romantically interested in you, without risking embarrassment! f(x_a, x_b) = ?

WHAT IS STEGANOGRAPHY?
See us? We’re not doing anything out of the ordinary! I sure hope Ward didn’t notice!

Now, onto the technical fun stuff!

PRELIMINARIES
U(·) = uniform distribution over strings, functions, or finite sets Given a distribution C over support X, the minimum entropy of C is:

PRELIMINARIES
The statistical distance between two distributions C and D with joint support X is: Two sequences of distributions, {C_k}_k and {D_k}_k, are computationally indistinguishable (C ≈ D), if for any PPT adversary A: is negligible in k.

PRELIMINARIES
A family of functions F_k(·) is called pseudorandom if for is ≤ ε, for some negligible quantity ε.

PRELIMINARIES
A cryptosystem E is called indistinguishable from random under chosen plaintext attack if for is ≤ ε, for some negligible quantity ε.

PRELIMINARIES
A channel C_h is a distribution on bit sequences with time-stamped bits, conditioned on the channel history h. Assume over blocks (e.g. symbols) of channel bits b: Sometimes we think of channels as one-way, sometimes as bidirectional, and sometimes as supporting broadcast messages only. (They all behave pretty much how you’d expect!)

STEGANOGRAPHY
Steganographic theory and an explicit construction of a steganographic system

STEGANOGRAPHY
Intuitively, steganographic secrecy results from messages that are indistinguishable from arbitrary distributions.
First, we need a way to encode messages to achieve arbitrary indistinguishability.
Then, we want to compose our new idea with canonical cryptographic themes to produce a functional steganographic system.

STEGANOGRAPHY
A stegosystem is a pair of probabilistic algorithms (SE, SD) such that:
SE^M takes as input a key K ∈ {0,1}^k, a hiddentext bit-string m ∈ {0,1}*, a message history h, and a sampling oracle M(h), and returns a sequence of blocks c (the stegotext) from the support of C_h.
SD^M takes as input a key K, a stegotext c, a message history h, and a sampling oracle M(h), and returns a hiddentext m.

STEGANOGRAPHY
Finally, there must be a polynomial p(k) > k such that SE^M and SD^M also satisfy the following relationship:

STEGANOGRAPHY
The Rejection Sampling function:

STEGANOGRAPHY

Lemma. The probability of failure of RS in the S1 procedure is bounded from above by 3/8 + ε.
Let the channel in question have symbols {S_1, …, S_k} and assign each symbol the occurrence probabilities {p_1, …, p_k} respectively. Play the following bit-wise RS-based game:
1. Draw S_a from the channel. If F(N, S_a) is correct, output S_a.
2. Otherwise, draw S_b from the channel and output S_b.

STEGANOGRAPHY
How often do we “win”? Let S_E denote the result of this game. Let D denote the event of a non-collision (when the two symbols drawn are different). Note that two successful outcomes are possible here:
1. The first symbol drawn maps to 0 (success). (1/2)
2. The first symbol maps to 1 (failure), but the second symbol drawn is a different symbol that maps to 0. (1/4 Pr[D])

STEGANOGRAPHY
Summing over the probabilities of each of these events gives: Let S_i be a symbol with the greatest occurrence probability. Then,

STEGANOGRAPHY
And finally, which bounds RS’s probability of failure at 3/8 + ε, which proves the lemma.
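The two-draw game from the lemma can be checked exactly. This is an added example, not code from the slides: it averages over every truly random F (so the ε contributed by a pseudorandom F does not appear) and compares the result with 1 - (1/2 + 1/4 Pr[D]); the channel distributions are constructed samples.

```python
from fractions import Fraction
from itertools import product

def failure_given_f(probs, f_bits, target):
    """Exact failure probability of the two-draw game for one fixed F.

    The game fails only if both independent draws map to the wrong bit.
    """
    wrong = sum(p for p, bit in zip(probs, f_bits) if bit != target)
    return wrong * wrong

def average_failure(probs, target=0):
    """Average over every F: symbols -> {0,1}, i.e. a truly random F."""
    tables = list(product((0, 1), repeat=len(probs)))
    return sum(failure_given_f(probs, t, target) for t in tables) / len(tables)

def closed_form(probs):
    """1 - (1/2 + 1/4 * Pr[D]), where Pr[D] = 1 - sum(p_i^2)."""
    pr_d = 1 - sum(p * p for p in probs)
    return 1 - (Fraction(1, 2) + Fraction(1, 4) * pr_d)

def within_bound(probs):
    """True when the failure probability stays at or below 3/8."""
    return average_failure(probs) <= Fraction(3, 8)

# Constructed sample channels (symbol occurrence probabilities).
CHANNELS = {
    "two-symbol": [Fraction(1, 2), Fraction(1, 2)],
    "skewed": [Fraction(1, 2), Fraction(1, 4), Fraction(1, 4)],
    "uniform-8": [Fraction(1, 8)] * 8,
    # Most likely symbol has probability > 1/2: less than one bit of
    # minimum entropy, and the 3/8 bound no longer holds.
    "low-entropy": [Fraction(3, 4), Fraction(1, 4)],
}

if __name__ == "__main__":
    for name, probs in CHANNELS.items():
        print(name, average_failure(probs), closed_form(probs),
              "max p =", max(probs), "within 3/8:", within_bound(probs))
```

Since Pr[D] = 1 - Σ p_i² and Σ p_i² is at most the largest p_i, the failure probability is at most 1/4 + (max p_i)/4, which reaches 3/8 exactly when the most likely symbol has probability 1/2.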

STEGANOGRAPHY
Finally, we employ an error-correcting code to recover from RS’s chance to fail. Intuitively, we’re equating sending messages over a noisy channel with the act of sending stegotexts when RS makes mistakes. Basically, we pad redundant parity data into our messages so that the message gets through (with overwhelming probability)! A code with a stretch of 2n will correct for an error rate of up to 1/2. The well-known Hadamard code could easily be adapted here.

STEGANOGRAPHY
Theorem. If F_K is pseudorandom, then S1 is universally steganographically secret against chosen hiddentext attacks.

COVERT COMPUTATION
Covert computation theory, encryption transformations between distributions, and an informal construction of a two-party covert computation protocol

COVERT COMPUTATION
Would you like to run a covert protocol to determine if we are both members of a secret, zombie army? Um… !!

STEP 1: First, we design a covert computation protocol over the uniform channel U. STEP 2: Then, we develop a technique to transform any stegosystem over the uniform channel into a stegosystem over an arbitrary channel B. At the end, we have a covert computation protocol over the channel we’re interested in! This is an important improvement in the overall strategy, because it modularizes and simplifies the design of covert protocols!

COVERT COMPUTATION: STEP 1
To design a covert computation protocol over U, we will begin with two cryptographic primitives:
1. Oblivious Transfer
2. Yao’s Protocol for secure multi-party computation

COVERT COMPUTATION: STEP 1
Oblivious Transfer
[Figure: messages m_1, m_2, …, m_n] I want m_i. …whatever it is!

COVERT COMPUTATION: STEP 1
Oblivious Transfer
1. Alice generates RSA keys, including modulus N, the public exponent e, and the private exponent d, picks two random messages x_0 and x_1, and sends N, e, x_0, and x_1 to Bob.
2. Bob picks random message k, encrypts k, and adds x_b to the encryption of k, modulo N, and sends the result v to Alice.
3. Alice computes k_0 to be the decryption of v - x_0 and k_1 to be the decryption of v - x_1 and sends m_0 + k_0 and m_1 + k_1 to Bob.
4. Bob knows k_b and so subtracts this from the corresponding messages, obtaining m_b from one of them.
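The four oblivious-transfer steps above, with both sides' messages, as an added example that is not part of the original slides. The RSA parameters are toy values constructed for illustration, and the function names are this example's own.

```python
import secrets

# Toy RSA parameters constructed for this example (two Mersenne primes);
# far too small and too structured for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def alice_offer():
    """Step 1: Alice picks two distinct random values x_0, x_1."""
    x0 = secrets.randbelow(N)
    x1 = secrets.randbelow(N)
    while x1 == x0:
        x1 = secrets.randbelow(N)
    return x0, x1

def bob_request(xs, b):
    """Step 2: Bob blinds his choice bit b: v = x_b + k^e mod N."""
    k = secrets.randbelow(N)
    return k, (xs[b] + pow(k, E, N)) % N

def alice_respond(xs, v, m0, m1):
    """Step 3: Alice decrypts v - x_0 and v - x_1 and masks both messages.

    Exactly one of k0, k1 equals Bob's k, but v is uniform for either
    choice of b (k^e is a permutation of Z_N), so Alice cannot tell which.
    """
    k0 = pow((v - xs[0]) % N, D, N)
    k1 = pow((v - xs[1]) % N, D, N)
    return (m0 + k0) % N, (m1 + k1) % N

def bob_recover(masked, k, b):
    """Step 4: only the slot Bob chose is masked with his k."""
    return (masked[b] - k) % N

def run_ot(m0, m1, b):
    """Run the whole exchange; messages are integers below N."""
    xs = alice_offer()
    k, v = bob_request(xs, b)
    masked = alice_respond(xs, v, m0, m1)
    chosen = bob_recover(masked, k, b)
    # What Bob gets if he applies his k to the slot he did not choose.
    other = (masked[1 - b] - k) % N
    return chosen, other

if __name__ == "__main__":
    print(run_ot(1234, 5678, 0))
    print(run_ot(1234, 5678, 1))
```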

COVERT COMPUTATION: STEP 1
Yao’s Protocol
x_a But I want to know f(x_a, x_b)!! x_b I can’t tell you what x_a is. And I can’t tell you what x_b is… Ah ha! f(x_a, x_b)!!

COVERT COMPUTATION: STEP 1
Yao’s Protocol
Assume f can be expressed as a combinatorial circuit that Bob knows. (WLOG, all gates have 2-fan-out.)
1. Bob assigns two uniformly random k-bit values to each wire W of the circuit, representing the wire holding the value 0 or 1, respectively.
2. Then Bob assigns a random permutation π_i over {0,1} to each wire. If a wire W_i originally had value b_i, then it now has “garbled” value:
3. To each gate g, Bob assigns a unique identifier I_g and a table T_g.
4. Each gate g then uses a pseudorandom function F to “garble” its own functionality as follows:

COVERT COMPUTATION: STEP 1
Yao’s Protocol: Yao’s Garbled Tables
That is, each T_g outputs the XOR of a pseudorandom function applied to the two values of the “garbled” input wires and the value of the “garbled” output wire. The result is a bit string that is indistinguishable from random but that is uniquely identifiable and re-usable within the context of a specific execution of Yao’s protocol.

COVERT COMPUTATION: STEP 1
Yao’s Protocol
Then to compute f:
1. Bob computes garbled tables T_g and sends them to Alice.
2. As Alice computes the necessary values of each circuit input wire i, Bob and Alice perform an oblivious transfer, with Bob playing the role of sender. Alice learns the uniformly random string that represents the true value, 0 or 1 respectively, for the wire she is interested in.
3. At the end of the protocol (determined by the number of gates in the circuit), Bob applies π^{-1} to the final output string to learn the value of the computed function.
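A single garbled gate, built and evaluated as the slides describe, as an added example that is not the slides' own construction. The slide formulas for the garbled value and the table did not survive, so the layout here (a label plus a permuted bit, table rows indexed by the permuted bits, HMAC-SHA256 standing in for F) is an assumption of this example.

```python
import hashlib
import hmac
import secrets

K = 16  # wire label length in bytes (assumed for this example)

def prf(ka, kb, gate_id, pa, pb):
    """F: HMAC-SHA256 keyed with both input labels, bound to the gate id."""
    mac = hmac.new(ka + kb, gate_id + bytes([pa, pb]), hashlib.sha256)
    return mac.digest()[:K + 1]

def xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))

def new_wire():
    """Two random labels (for values 0 and 1) and a random permutation bit."""
    return {"labels": (secrets.token_bytes(K), secrets.token_bytes(K)),
            "perm": secrets.randbelow(2)}

def garbled_value(wire, bit):
    """Garbled form of a wire carrying `bit`: its label and the permuted bit."""
    return wire["labels"][bit], bit ^ wire["perm"]

def garble_gate(gate_id, fn, wa, wb, wout):
    """Bob: T_g row = F(garbled inputs) XOR garbled output value."""
    table = {}
    for a in (0, 1):
        for b in (0, 1):
            ka, pa = garbled_value(wa, a)
            kb, pb = garbled_value(wb, b)
            kc, pc = garbled_value(wout, fn(a, b))
            table[(pa, pb)] = xor(prf(ka, kb, gate_id, pa, pb), kc + bytes([pc]))
    return table

def evaluate_gate(gate_id, table, ga, gb):
    """Alice: holds one garbled value per input wire, can open only one row."""
    (ka, pa), (kb, pb) = ga, gb
    plain = xor(prf(ka, kb, gate_id, pa, pb), table[(pa, pb)])
    return plain[:K], plain[K]

def and_gate_demo(a, b):
    """Garble an AND gate, evaluate it on (a, b), then undo the permutation."""
    wa, wb, wout = new_wire(), new_wire(), new_wire()
    table = garble_gate(b"g1", lambda x, y: x & y, wa, wb, wout)
    label, pbit = evaluate_gate(b"g1", table,
                                garbled_value(wa, a), garbled_value(wb, b))
    # Bob applies the inverse permutation to learn the real output bit.
    return pbit ^ wout["perm"], label == wout["labels"][a & b]

if __name__ == "__main__":
    for a in (0, 1):
        for b in (0, 1):
            print(a, b, and_gate_demo(a, b))
```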

COVERT COMPUTATION: STEP 1
Finally, we define a new protocol COVERT-YAO that is Yao’s Protocol with the modification that all messages sent through oblivious transfers or elsewhere through Yao’s protocol are steganographically encoded over the uniform channel by being run through a stegosystem prior to being transmitted.
Theorem. The COVERT-YAO protocol covertly realizes any functionality f for the uniform channel, U.

COVERT COMPUTATION: STEP 2
Now we need to develop a transformation algorithm that, given as input a covert computation protocol for the uniform channel U, outputs a covert computation protocol for an arbitrary channel B. The first step is to recall the details of our previous stegosystem, and reword its description in terms of hash functions.

COVERT COMPUTATION: STEP 2
Let denote a pair-wise independent family of hash functions H: D → {0,1}^c. Let denote an arbitrary distribution with support D. Let m be the message length, let c be the encryption of hiddentext messages by an appropriate error-correcting code, and let k be an iteration bound. Then we can reformulate S1 as follows:

COVERT COMPUTATION: STEP 2

Lemma. Let H. Then we have: That is, the statistical distance between the channel and the output of Encode is negligible. Or in other words, the two distributions are statistically indistinguishable.

COVERT COMPUTATION: STEP 2
Therefore, we can covertly transmit over B by applying Encode at the end of any message-generating process to convert the distribution of bits sent to be statistically indistinguishable from other messages in B. And so we can define the protocol as:

COVERT COMPUTATION: STEP 2

And now, the big finish! Theorem. If ∏ covertly realizes the functionality f for the uniform channel, then ∑ ∏ covertly realizes f for the bidirectional channel B. Corollary. COVERT-YAO is a universal, two-party covert computation protocol.

Questions?