Completeness in Two-Party Secure Computation – A Computational View

Presentation transcript:

Completeness in Two-Party Secure Computation – A Computational View Danny Harnik Moni Naor Omer Reingold Alon Rosen AT&T IAS MIT Weizmann Institute of Science

Secure Function Evaluation (SFE) of a Function f: Alice holds x, Bob holds y. Alice learns f(x,y) and “nothing else”; Bob learns “nothing”.

Secure Function Evaluation General framework that captures many cryptographic tasks. SFE for any poly-time f - key achievement in cryptography. Many possible definitions and settings. We concentrate on a specific setting: Asymmetric version (only Alice gets output). Deterministic functions (vs. prob. functionality). Computational security definitions (vs. information theoretic). Simulation based. Semi-Honest parties. Can use GMW compiler for malicious model. The GMW91 version does mention OT. Only the proceedings version of GMW 86 does. We could also refer to Oded.

Oblivious Transfer Introduced by Rabin (Noisy-OT). Several equivalent flavors. 1-2 OT [EGL85] – Sender has two bits b_0, b_1 and Receiver has choice bit c. Receiver learns b_c but not b_{1-c}. Sender learns nothing of c. Can view 1-2 OT as an asymmetric SFE protocol of the function OT(c; b_0, b_1) = b_c.

The Power of OT Given an OT protocol, one can construct an SFE for any efficiently computable function f. [Yao, GMW, Kilian … ] This is a Completeness behavior. There are several places where the order of describing things is a bit problematic. Completeness and reductions are one such case. Perhaps it is better to first say what OT can do, then say that we want to call this property completeness and then move on to the definitions.

Reductions & Completeness A function g securely reduces to f if an SFE for g can be constructed using calls to an ideal box for evaluating f. [Figure: inputs x and y, ideal-box calls f(x’,y’) and f(x’’,y’’), output g(x,y).] Lots of question regarding the notion of reduction. Should it be bb? f is SFE-Complete if every poly-time function g securely reduces to f.

SFE-Completeness [Figure: the classes SFE-Complete and Eff-SFE within the polynomial-time functions f(x,y).]

Main Result Introduce a computational criterion for completeness called Row Non-Transitivity. Main Theorem If f is Row Non-Transitive then it is SFE-Complete. If f is Row Transitive then it is in Eff-SFE unconditionally.

Corollary: Complete Classification Essentially all “nice” functions are either SFE-Complete or have an efficient SFE protocol.

Previous Work SFE-Completeness discussed in: [CK91, Kush92, Kil91, KMO94, BMM99, Kil00] Beimel, Chor, Kilian, Kushilevitz, Malkin, Micali, Ostrovsky Mostly studied under Information Theoretic security definitions. Strong results in form of combinatorial criteria. Most works consider functions with a constant or small domain size ( “Crypto-gates”). Avoid computational issues.

Insecure Minor [Beimel, Malkin & Micali 99] A function f(.,.) is said to contain an Insecure Minor if there are inputs x0, x1, y0, y1 such that : Where b ≠ c.

Insecure Minor [BMM] If a function f(.,.) contains an insecure minor then f is SFE-complete. Otherwise f has an SFE protocol (f is “trivial”). Full characterization of Crypto-gates. Surprising “all or nothing” behavior. Also discussed computational definitions.

What next? Does the insecure minor characterization work for functions over a large domain? Completeness: functions with insecure minor still complete. Same reduction. Unconditional SFE: ...

Example 1: one-to-one functions Consider one-to-one functions. They do not contain an insecure minor. Unconditional SFE for 1-1 function f(x,y): Bob sends y to Alice. Alice calculates f(x,y). Security: given f(x,y) a simulator can find y (since f is 1-1). But the simulator might not be efficient for functions on large domain!

Example 2: No insecure minor but still complete Let g be a 1-1 One-Way function. Consider the following function: f(c, y_0, y_1) = (c, y_c, g(y_{1-c})), where x = c and y = (y_0, y_1). f is 1-1 and hence has no insecure minor. Claim: f is SFE-Complete!

1-2-OT using SFE for f: Alice has c, Bob has b_0, b_1. 1. Bob chooses random y_0, y_1. 2. Call f(c, y_0, y_1); Alice learns (c, y_c, g(y_{1-c})). 3. Bob sends h(y_0) ⊕ b_0, h(y_1) ⊕ b_1. 4. Alice calculates b_c. *h is a hardcore bit of g.

Summary of the state in Computational Setting Functions with Insecure Minor: SFE-Complete Functions with no Insecure Minor: Some have trivial SFE. Some are Complete Is there a simple characterization of SFE-Complete functions and of functions with unconditional SFE? Characterization by row non-transitivity. How do these sets relate? All or nothing behavior? All `nice’ functions are either complete or have Efficient SFE.

Row Non-Transitivity [Figure: table of f with column y and rows x0, x1; moving from row x0 to row x1 is marked “Hard”.]

Row Non-Transitivity A function f(.,.) is (Computational) Row Non-Transitive if: for some x0, x1 and a distribution D_y it is (somewhat) hard to calculate f(x1,y) given x0, x1 and f(x0,y) for y ∈_R D_y (Prob < 1 - 1/poly). A function f(.,.) is (Computational) Row Transitive if: for all x0, x1 and y it is easy to calculate f(x1,y) given x0, x1 and f(x0,y) (Prob = 1). Note: There is a small gap between the two criteria. We must say that there is a distribution on y otherwise it is so confusing that people can understand. We should also say that hard is somewhat hard since we refer to it later.

Illustration of Row Non-Transitivity [Figure: rows x0 and x1, with the step from x0 to x1 marked “? Hard”.] May be hard in both directions… Note: A different notion than OWF. Must find specific value, not any consistent value…

Examples. Row Transitive: f(x,y) = y; f(x,y) = x + y; f(x,y) = x ⊕ g(y). Row Non-Transitive (computational): let g be a OWF, f(x,y) = y if x=1 and g(y) if x=0. Under the CDH assumption, p prime, f(g,y) = g^y mod p.

Row Non-Transitive example – information theoretic: Insecure Minor ⇒ Row Non-Transitive. With y chosen uniformly from {y_0, y_1}, ∀ C: Pr[ C[x_0, x_1, f(x_0, y)] = f(x_1, y) ] ≤ ½.

Main Theorem Completeness: If a function f(.,.) is row non-transitive and efficiently computable then f is SFE-Complete. Unconditional SFE: If a function f(.,.) is row transitive then f has an efficient SFE (with no further assumptions).

Unconditional SFE for row transitive f: Alice has x, Bob has y. Bob chooses an input x’ and sends x’, f(x’, y). Alice calculates f(x,y). Security: Bob learns nothing. Simulating Alice’s view: choose x’ and calculate f(x’,y) from f(x,y).

Completeness Proof sketch Use two rows to pass secret. Value at one row is known, the other is “unknown” (due to the row non-transitivity). This determines what secret is transferred. Technical notes: Use of GL hardcore bit. First create a weak version of OT. Use Yao XOR lemma to amplify hardness.

[Figure: within the efficiently computable functions f(x,y), the regions Insecure Minor, Row Non-Transitivity, Complete and Eff-SFE.]

Semi Honest vs Malicious If OWF guaranteed to exist: use GMW transformation. Properties of row non-transitive functions remain. If OWF not guaranteed: Completeness Theorem holds. Unconditional SFE: Not necessarily. Note: Complete functions are different in Info-Theoretic [BMM99] vs. [Kil00]

Complexity Discussion OT exists (Cryptomania in [Impagliazzo 95]) ⇒ SFE-Complete = Eff-SFE. OT doesn’t exist but OWF do (Minicrypt in [Imp95]): [Figure: Minicrypt (OWF), Cryptomania (OT), with “?” between them.] Are there intermediate assumptions? Our results: As far as SFE goes, no additional (nice) worlds between Minicrypt & Cryptomania!

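Possible Applications? Framework for constructing OT protocols. Example: f(g,y) = g^y mod p. Has unconditional SFE (Alice has g, Bob has y): 1. Alice chooses random r. 2. Alice sends g^r. 3. Bob replies with g^{ry}. 4. Alice calculates g^y = b^{1/r}, where b is the value received in step 3. Row non-transitive under CDH assumption.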

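. . . Possible Applications? Use reduction to construct OT. 1-2-OT: the receiver has c, the sender has b = (b_0, b_1). 1. Receiver chooses random r, g_0, g_1; sender chooses random y. 2. Receiver sends g_0, g_1, g_c^r. 3. Sender calculates z = g_c^{ry}. 4. Sender sends z, h(g_0^y) ⊕ b_0, h(g_1^y) ⊕ b_1. 5. Receiver calculates g_c^y = z^{1/r} and the bit b_c. What did we get? A scheme similar to [Bellare & Micali 89]!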
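The five-step 1-2-OT exchange on the slide above, written out as runnable Python. This is an added example, not code from the presentation; it assumes semi-honest parties, a constructed toy safe prime P = 1019 (far too small for real use), and h instantiated as a Goldreich-Levin style inner-product bit with a public mask rho chosen by the sender.

```python
import secrets

# Constructed toy parameters (assumption): P = 2Q + 1 is a safe prime.
# Group = squares mod P, which has prime order Q. Not a secure size.
P, Q = 1019, 509

def rand_exp():
    """Uniform exponent in [1, Q-1]; always invertible mod the prime Q."""
    return 1 + secrets.randbelow(Q - 1)

def rand_elem():
    """Random element of the order-Q subgroup, never equal to 1."""
    return pow(2 + secrets.randbelow(P - 3), 2, P)

def h(x, rho):
    """GL-style predicate (assumed instantiation): <bits(x), bits(rho)> mod 2."""
    return bin(x & rho).count("1") & 1

def receiver_request(c):
    """Steps 1-2, receiver: choose r, g0, g1 and send g0, g1, g_c^r."""
    r, g = rand_exp(), (rand_elem(), rand_elem())
    return r, (g[0], g[1], pow(g[c], r, P))

def sender_reply(b0, b1, msg):
    """Steps 1, 3, 4, sender: choose y, compute z = (g_c^r)^y, mask both bits."""
    g0, g1, a = msg
    y, rho = rand_exp(), secrets.randbits(P.bit_length())
    z = pow(a, y, P)
    e0 = h(pow(g0, y, P), rho) ^ b0
    e1 = h(pow(g1, y, P), rho) ^ b1
    return z, rho, e0, e1

def receiver_output(c, r, reply):
    """Step 5, receiver: g_c^y = z^(1/r mod Q), then unmask b_c only."""
    z, rho, e0, e1 = reply
    g_c_y = pow(z, pow(r, -1, Q), P)
    return h(g_c_y, rho) ^ (e0, e1)[c]

def run_ot(c, b0, b1):
    """One full protocol run; returns the receiver's output bit."""
    r, msg = receiver_request(c)
    return receiver_output(c, r, sender_reply(b0, b1, msg))

if __name__ == "__main__":
    for c in (0, 1):
        print("c =", c, "-> receiver learns", run_ot(c, b0=0, b1=1))
```

The receiver's only message, g_c^r, is a uniformly random element of the subgroup for either value of c, which is why the sender learns nothing about the choice bit.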

Further Work ? Construct a new OT protocol using framework Symmetric SFE Probabilistic Functionalities.

Further Issues: Symmetric SFE “All or nothing” result for Boolean functions [CK89, Kil91]. Gap in information theoretic world [Kush92]. Completeness for crypto-gates iff contains Imbedded Or [Kil91]: Does not hold for large domain functions! Consider the following complete function: f((c, x_0, x_1), (y_0, y_1)) = (x_0 ⊕ y_c, x_1 ⊕ g(y_{1-c})), g a one-way 1-1 function.

Further Issues: Probabilistic functionalities Probabilistic functionality (as opposed to deterministic functions) Some criteria for completeness in [Kil00]. Anything possible if OT exists What if no OT? Any useful weaker assumptions?

Summary: Showed that combinatorial criteria do not generalize to large domain functions. Introduced alternative computational criteria for completeness & triviality. Surprising “All or nothing” nature remains.

Thank You

SFE - Definition A poly-time protocol is a secure function evaluation (SFE) of a poly-time function f if: Correctness: ∀ x,y the protocol's output on (x,y) equals f(x,y). Security: There exists a PPTM S_A s.t.: {S_A(x, f(x,y))}_{x,y} ≈_c {view_A(x,y)}_{x,y}. There exists a PPTM S_B s.t.: {S_B(y)}_{x,y} ≈_c {view_B(x,y)}_{x,y}. Lots of question regarding the notion of reduction. Should it be bb?

Full Definition of Row Non-Transitivity A function f(.,.) is Computational Row Non-Transitive if there exist samplable distributions D_x, D_y and a polynomial p(.) such that for any polynomial-size C_n and all but finitely many n’s: Pr[ C_n(x_0, x_1, f(x_0, y)) = f(x_1, y) ] < 1 - 1/p(n). Probability taken over x_0, x_1 ← D_x and y ← D_y.

Further Issues: Probabilistic functionalities Probabilistic functionality (as opposed to deterministic functions) Some criteria for completeness in [Kil00]. Anything possible if OT exist What if no OT? Interesting even when neither party has an input (IOS)!

Why the GL bit GL(x,r) = <x, r>. Essential property: <x, r> ⊕ <x, r ⊕ e_i> = x_i. General purpose, independent of the actual function. For other hardcore predicates to work need similar properties. Lots of question regarding the notion of reduction. Should it be bb?

Can the Gap be closed? Possible to narrow the gap by relaxing the definitions of SFE. Can the gap be closed altogether ? Not clear. Example: f(x,y) = y f(x,y) = OT(x,y) |y| n Too short - Low security Too long - High running time

Trivial Protocol in Malicious Model The protocol: Bob sends f(x’,y) to Alice. Alice cannot cheat. Bob might send a value with no pre-image. Example: f(x,y) = g(y) What if Bob can send z such that he doesn’t know y for which z=g(y). We assume there is no OWF. Suppose Bob convinces Alice he follows the protocol. Implies ZK POK that Bob knows y. By [Ostrovsky Wigderson] this means OWF exist.

Possible Applications? Provides a tool for proving easily that a function is complete. Example: f(x,y) = (x+y)^3 mod N. Factorization of N unknown. Is it complete? Trivial? Note: “almost” a permutation for x and for y. Assuming RSA is hard - f is row non-transitive ⇒ f is complete.

Imbedded OR [Kilian91] A function f(.,.) is said to contain an Imbedded OR if there are inputs x0, x1, y0, y1 such that : Where a ≠ b.

1-2 Oblivious Transfer: Alice has c, Bob has b_0, b_1; Alice receives b_c. Alice learns nothing about b_{1-c}. Bob learns nothing about c.

SFE-Completeness Questions What other functions are complete? Is there a “nice” classification of all the complete functions? What functions are unconditionally in Eff-SFE (without any hardness assumptions) ? Are there functions that are neither complete nor have efficient SFE?

Completeness Sketch Using an SFE for f we construct a Naive-OT protocol. Naive-OT is an SFE of the function: f(c, b) = b if c=1, ⊥ if c=0. In the Semi-Honest model this is equivalent to Rabin OT & 1-2 OT.

Completeness Sketch: Naive-OT from SFE for f. Alice has c, Bob has b. 1. Bob chooses x_0, x_1, y. 2. Bob sends x_0, x_1. 3. Call f(x_c, y); Alice learns f(x_c, y). 4. Bob sends h(f(x_1, y)) ⊕ b. 5. If c=1 Alice calculates b. * h is the GL hardcore bit.

Security of the Protocol Easy to argue: Bob learns nothing because only sends messages. Should argue: Alice learns nothing if c=0, or this will contradict the hardness of the hardcore bit.

Technical Issues Somewhat non-standard use of the GL hardcore bit - Not a one-way function (could be hard both ways). Need “strong hardness” of function for hardcore bit proof. Our hardness definition is weak. Standard hardness amplification relies heavily on one-wayness.

Solutions Only claim that a GL bit is “weakly” hard Cannot predict with probability better than 9/10. The protocol described implements a relaxed version of naive-OT that we call Weak-OT. Show how to construct OT from Weak-OT Via amplification using Yao’s Xor Lemma. This is important to the paper as well: we should say what is the property of the function h which we need and which is sufficient for our purpose. People specifically wanted to know what so special about GL.

Questions in the Computational Setting Characterization by row non-transitivity. All `nice’ functions are either complete or have Efficient SFE. Is there a simple characterization of SFE-Complete functions and of functions with unconditional SFE? How do these sets relate? All or nothing?

Semi Honest vs Malicious If OWF guaranteed to exist: use GMW transformation. Properties of row non-transitive functions remain. Note: Does not work when SFE done by “magic” (third party, quantum, noisy channels, etc..) If OWF not guaranteed: Completeness Theorem: Semi-honest SFE of a row non-transitive f ⇒ Semi-honest OT ⇒ One-way functions [Impagliazzo Luby] ⇒ Malicious SFE. Unconditional SFE: Possible to cheat in trivial protocols?

… Semi Honest vs Malicious In contrast, in the information theoretic case: The set of SFE-Complete crypto-gates is different for: Semi-Honest [BMM] Malicious [Kilian 2000] Example: Or function complete in the semi-honest world not complete in the malicious world.