COVERT TWO-PARTY COMPUTATION
LUIS VON AHN, CARNEGIE MELLON UNIVERSITY
JOINT WORK WITH NICK HOPPER AND JOHN LANGFORD


HAVE YOU EVER BEEN IN LOVE BUT DIDN’T HAVE THE GUTS TO CONFRONT THE PERSON? WANTED TO BRIBE AN OFFICER? WANTED TO COLLUDE WITH ANOTHER PLAYER TO CHEAT IN A CARD GAME? WANTED TO STAGE A COUP D’ETAT TO OVERTHROW THE PRESIDENT? INFILTRATED A TERRORIST CELL?

(COVERT) TWO-PARTY COMPUTATION
ALLOWS TWO PARTIES WITH SECRET INPUTS X AND Y TO LEARN F(X,Y) BUT NOTHING ELSE
[FIGURE: PARTY 1 (X), PARTY 2 (Y), F(X,Y)]

F(X,Y) = 1 IF X > Y, 0 OTHERWISE
[FIGURE: JEN AND BEN; $45 MILLION, $32 MILLION]
F(X,Y) = 1
LET’S NOT GET MARRIED

[FIGURE: BRITNEY SPEARS AND ME]
I DON’T WANT HIM TO KNOW THAT I LIKE HIM UNLESS HE LIKES ME TOO!
I LIKE HIM, BUT I’M SHY!
WHAT SHOULD I DO?

LET’S FIGURE OUT IF WE LIKE EACH OTHER
WE’LL USE TWO-PARTY COMPUTATION
IF X,Y ARE BITS, LET F(X,Y) = X AND Y
1 MEANS “YES”, 0 MEANS “NO”
IF HE LIKES ME, WE WILL BOTH FIND OUT
IF HE DOESN’T, THEN F(X,Y) = 0 SO HE WON’T KNOW THAT I LIKE HIM

COVERT TWO-PARTY COMPUTATION
EXTERNAL COVERTNESS: NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL
INTERNAL COVERTNESS: AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS

THE WAR ON TERROR
[FIGURE: MI-6 AGENT AND CIA AGENT, EACH UNDERCOVER]
“I GUESS I CAN USE MY BAZOOKA”
“HAVE YOU SEEN MY AK-47?”
“YOU LEFT IT NEXT TO MY GRENADES”
“THE AXIS OF EVIL SHALL PREVAIL!”
(THOUGHT) HE WORKS FOR CIA
(THOUGHT) HE WORKS FOR MI-6

THE WAR ON TERROR
(THOUGHT) HE WORKS FOR CIA
(THOUGHT) HE WORKS FOR MI-6
THE UTTERANCES CONTAINED A COVERT TWO-PARTY COMPUTATION
THE FUNCTION F VERIFIED THE CREDENTIALS
X WAS A CREDENTIAL SIGNED BY CIA AND Y WAS SIGNED BY MI-6
SINCE BOTH WERE VALID, IT OUTPUT $1^K$
FOR ANY OTHER INPUTS, F OUTPUTS A RANDOM VALUE

COVERT TWO-PARTY COMPUTATION
EXTERNAL COVERTNESS: NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL
INTERNAL COVERTNESS: AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS
CANNOT BE DONE WITH STANDARD TWO-PARTY COMPUTATION

WHO KNOWS WHAT?
WE ASSUME THAT:
BOTH PARTIES KNOW THE FUNCTION THEY WISH TO EVALUATE
BOTH KNOW WHICH ROLE THEY ARE TO PLAY IN THE EVALUATION
BOTH KNOW WHEN TO START COMPUTING

ORDINARY COMMUNICATION
MESSAGES ARE DRAWN FROM A SET D
TIME PROCEEDS IN DISCRETE TIMESTEPS
EACH PARTY MAINTAINS A HISTORY $h$ OF ALL DOCUMENTS THEY SENT AND RECEIVED
TO EACH PARTY P, WE ASSOCIATE A FAMILY OF PROBABILITY DISTRIBUTIONS ON D: $\{B^P_h\}$

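[DIAGRAM: P1 (HISTORY $h_{P_1}$) AND P2 (HISTORY $h_{P_2}$) EXCHANGING DOCUMENTS]
AT $t_0$: $D_1 \leftarrow B^{P_1}_{h_{P_1}}$ AND $D_2 \leftarrow B^{P_2}_{h_{P_2}}$
THEN $h_{P_1} = h_{P_1} + (D_1, D_2)$ AND $h_{P_2} = h_{P_2} + (D_2, D_1)$
AT $t_1$: $D'_1 \leftarrow B^{P_1}_{h_{P_1}}$, AND P2 DRAWS FROM $B^{P_2}_{h_{P_2}}$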

WE ASSUME THAT DDH IS HARD: GIVEN $g^x$, $g^y$, PARTIES CAN’T EFFICIENTLY DISTINGUISH $g^{xy}$ FROM $g^z$

WE SHOW THAT:
COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST HONEST-BUT-CURIOUS ADVERSARIES
IN THE RO MODEL, FAIR COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST MALICIOUS ADVERSARIES

ROADMAP
1. USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM
2. SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM

LET $\mathcal{D}$ BE A DISTRIBUTION ON D AND $\mathcal{H}$ BE A PAIRWISE INDEPENDENT FAMILY OF HASH FUNCTIONS

BASIC-ENCODE
INPUT: $H \in \mathcal{H}$, TARGET C, BOUND K
LET J = 0
REPEAT: SAMPLE $S \leftarrow \mathcal{D}$, INCREMENT J
UNTIL H(S) = C OR J > K
OUTPUT: S

ALLOWS SENDING C ENCODED IN SOMETHING THAT COMES FROM $\mathcal{D}$
IF … (UNIFORM, PROPER SIZE, ENOUGH MIN ENTROPY) … THEN THE DISTRIBUTION ON S IS STATISTICALLY INDISTINGUISHABLE FROM $\mathcal{D}$

[FIGURE: 001 (LOOKS UNIFORM) → BASIC-ENCODE → “OOPS! I DID IT AGAIN” (LOOKS NORMAL)]
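An added worked example of the BASIC-ENCODE slide (not code from the talk or its authors). It implements the rejection-sampling loop over a constructed toy channel and measures both the failure mode of the J > K exit and how closely encoded documents track ordinary ones. Assumptions: the word list, `sample_document`, `make_hash`, `error_rate` and `channel_gap` are hypothetical names, and keyed BLAKE2b stands in for a member of the pairwise independent hash family.

```python
import hashlib
import random
from collections import Counter

# Constructed toy channel standing in for D: a document is four words drawn uniformly.
WORDS = ["oops", "i", "did", "it", "again", "baby", "one", "more", "time", "hit", "me", "yeah"]

def sample_document(rng):
    """S <- D."""
    return " ".join(rng.choice(WORDS) for _ in range(4))

def make_hash(key, bits):
    """Keyed BLAKE2b truncated to `bits` bits; assumed stand-in for H drawn from the family."""
    def h(doc):
        digest = hashlib.blake2b(doc.encode(), key=key, digest_size=8).digest()
        return int.from_bytes(digest, "big") % (1 << bits)
    return h

def basic_encode(h, target, bound, rng):
    """Resample until h(S) == target or more than `bound` draws were made; output S."""
    j = 0
    while True:
        s = sample_document(rng)
        j += 1
        if h(s) == target or j > bound:
            return s

def error_rate(h, bits, bound, n, rng):
    """Fraction of encodings that left through the J > K exit with h(S) != target."""
    targets = [rng.randrange(1 << bits) for _ in range(n)]
    return sum(h(basic_encode(h, c, bound, rng)) != c for c in targets) / n

def word_frequencies(docs):
    counts = Counter(w for d in docs for w in d.split())
    return {w: counts[w] / sum(counts.values()) for w in WORDS}

def channel_gap(h, bits, bound, n, rng):
    """Total variation distance between word frequencies of encoded and ordinary documents."""
    encoded = [basic_encode(h, rng.randrange(1 << bits), bound, rng) for _ in range(n)]
    ordinary = [sample_document(rng) for _ in range(n)]
    fe, fo = word_frequencies(encoded), word_frequencies(ordinary)
    return 0.5 * sum(abs(fe[w] - fo[w]) for w in WORDS)

if __name__ == "__main__":
    rng = random.Random(2005)
    h = make_hash(b"shared-key", bits=3)
    doc = basic_encode(h, 0b001, bound=200, rng=rng)
    print(repr(doc), "->", format(h(doc), "03b"))
    print("gap with uniform targets:", round(channel_gap(h, 3, 200, 2000, rng), 3))
```

The receiver recovers C by computing H on the received document; a small bound K makes the sender give up early, so the receiver then decodes a wrong value.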

ROADMAP
1. USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM
2. SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM

COVERT OBLIVIOUS TRANSFER
IT IS POSSIBLE TO MODIFY AN OBLIVIOUS TRANSFER SCHEME BY NAOR AND PINKAS SO THAT ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM RANDOM BITS
[FIGURE: OT, UNIFORM]

THE MODIFIED NAOR-PINKAS OT PLUGGED INTO YAO’S “GARBLED CIRCUIT” GIVES A SCHEME WITH MESSAGES THAT ARE INDISTINGUISHABLE FROM UNIFORM
[FIGURE: OT + YAO]

F(X,Y) = 1
YOU’RE SO SMART BRITNEY!
MATH IS FUN!
OOPS! MALICIOUS ADVERSARIES CAN BREAK THIS PROTOCOL
WE CANNOT SIMPLY USE ZK TO FIX IT

THE END

COMPETITOR COOPERATION
TWO COMPETING ONLINE RETAILERS ARE COMPROMISED BY A HACKER
NEITHER CAN CATCH THE HACKER BY THEMSELVES
HOWEVER, NEITHER WILL ADMIT THAT THEY WERE HACKED UNLESS THE OTHER WAS HACKED TOO

PARTY P CAN DRAW FROM $B^P_h$ FOR ANY PLAUSIBLE $h$
ADVERSARY KNOWS $B^P_h$ FOR ANY P, $h$
WE ASSUME THAT DDH IS HARD: GIVEN $g^x$, $g^y$, PARTIES CAN’T EFFICIENTLY DISTINGUISH $g^{xy}$ FROM $g^z$