1/48 Round-Optimal Secure Two-Party Computation Jonathan Katz U. Maryland Rafail Ostrovsky U.C.L.A.

2/48 Motivation Round complexity is a central measure of protocol efficiency. Minimizing the number of rounds is often important in practice. Lower and upper bounds have deepened our understanding of various tasks…

3/48 For example… ZK [FS89, GO94, GK96a, GK96b, BLV03, etc.]; NIZK [BFM88, etc.]; WI [FS89, DN00, BOV03]; concurrent ZK [DNS98, KPR01, CKPR01, PRS02]; commitment, identification schemes, …; 2-party and multi-party computation [BMR90, IK00, GIKR01, L01, KOS03, etc.]

4/48 This work We concentrate on secure two-party computation –Encompasses many functionalities of independent interest (e.g., ZK) –Important “special case” of MPC without honest majority Interestingly, exact round complexity of 2PC was not previously known!

5/48 This work (1) We exactly characterize the black-box round complexity of secure 2PC! THM1: Impossibility result for any black-box 4-round coin-tossing protocol (for ω(log k) coins; this also rules out XOR and other functionalities…)

6/48 This work (2) THM2: 5-round secure 2PC protocol for any functionality, based on trapdoor perms* (e.g. RSA, Rabin) or Homomorphic Encryption (e.g. DDH).

7/48 This work (3) THM3: 5-round secure 2PC protocol tolerating an adaptive adversary corrupting any one party, without erasures.

8/48 Prior work (2PC) Honest-but-curious setting –4 rounds using trapdoor perms. [Yao86] –3 rounds using number-theoretic assumptions (optimal) [Folklore] Malicious case –“Compiler” for any protocol secure in honest-but-curious setting [GMW87] –Round complexity?

9/48 Round complexity of 2PC? Upper bounds – O(k) rounds [GMW87] – O(1) rounds [Lindell01] (exact constant unspecified, but roughly … rounds) Lower bounds (black-box) – No 3-round ZK [GK96] – No 3-round coin-tossing [Lindell01]

10/48 Security definition We use the standard definitions of [GMW87, GL90, MR91, Ca00] This will be an informal review, focusing on a static adversary

11/48 Set-up Functionality F = (F_1, F_2), possibly randomized; player P_i gets F_i(x, y). In the real world, the players execute a protocol to compute F. In the ideal world, a trusted party computes F for the players.

12/48 Ideal model Players send x, y to the TTP – A malicious player can send any value it likes; an honest party sends its input value – If no value is sent, a default value is used. TTP chooses a uniformly random r; sends v_1 = F_1(x, y; r) to P_1 – If P_1 aborts, TTP sends v_2 = ⊥ to P_2 – Else, TTP sends v_2 = F_2(x, y; r) to P_2

13/48 Ideal model Let View_i denote the view of P_i. Let (B_1, B_2) be strategies. Define IDEAL = (B_1(View_1), B_2(View_2)) – Note: for B_i honest, B_i(View_i) = v_i

14/48 Real model Players execute the protocol… Let (A_1, A_2) be strategies. Define REAL = (A_1(View_1), A_2(View_2)) – Again, if A_i is honest, then A_i(View_i) = v_i

15/48 Security… A pair of strategies is admissible if at least one is honest Protocol is secure if for all admissible PPT (A 1, A 2 ) in the real world, there exist admissible expected poly-time (B 1, B 2 ) in ideal world such that REAL and IDEAL are comp. indistinguishable –Even with auxiliary inputs…

16/48 Black-box security The definition of security requires: ∀ (malicious) A_i, ∃ (malicious) B_i s.t. B_i satisfies the condition…. Black-box security imposes a stronger requirement: ∃ (S_1, S_2) s.t. ∀ (malicious) A_i, the (malicious) B_i = S_i^{A_i} satisfies the condition… (the simulator S_i only has oracle access to A_i)

17/48 More formally… For malicious A_1, define B_1 as follows: – B_1(x, z; r, r') = S_1^{A_1(x, z; r)}(x; r') – S_1 is not given the auxiliary input z. The expected running time of S_1 is a fixed polynomial, independent of A_1 – But the running time of B_1 depends on A_1 – The above formulation avoids some technical problems…

18/48 Lower bound

19/48 Theorem 1 No secure (black-box) 4-round protocol for flipping ω(log k) coins – This rules out 4-round protocols for other functionalities as well (e.g., XOR) (Note: 3-round protocols for O(log k) coins do exist [Bl82, GMW87], so the bound bites exactly at super-logarithmic length) Details: (next)

20/48 Intuition W.l.o.g., P_2 sends the first message. There is no way to simulate a malicious P_1 who aborts “very often”: – Sending a different msg 1 doesn't help: P_1 starts over with “new randomness” [GK] – Sending a different msg 3 doesn't help: P_1 aborts “very often” anyway

21/48 Proof details I Let s() be the expected running time of S_1. Define A_1 as follows: – Use msg 1 to define the random string for an “honest” execution of the protocol (using an O(s)-wise independent hash function) – After msg 3, compute the coin c; abort unless the first 3 log s bits of c are 0 – Note: here we use |c| = ω(log k), so that 3 log s ≤ |c| for every polynomial s

22/48 Proof details II REAL is “non-aborting” with noticeable probability 1/s^3. Thus, IDEAL must be “non-aborting” with roughly the same probability. Conditioned on a “good” coin from the TTP, S_1 must “force” A_1 not to abort with probability essentially 1

23/48 Proof details III Run S_1 for at most 2s steps – Now strict poly-time – Conditioned on a “good” coin from the TTP, it “forces” A_1 not to abort with probability essentially 1/2 (by Markov, truncating at twice the expected time loses at most 1/2)

24/48 Proof details IV Define A_2 as follows: – Feed a “good” coin to S_1; guess i, j – Send the i-th query of S_1 to P_1 as msg 1, return msg 2 to S_1 – Send the j-th query of S_1 to P_1 as msg 3 – Answer the other queries of S_1 internally, by either aborting or playing the role of A_1

25/48 Proof details V Analysis: – Conditioned on “correct” guesses of i, j, honest player P_1 outputs the “good” coin with probability essentially 1/2 – Probability of a correct guess > 1/(4s^2) – So the probability that honest P_1 outputs the “good” coin is at least 1/(8s^2) > 1/s^3 – A_2 noticeably biases the coin!

26/48 Implications No 4-round (black-box) protocol for general secure computation –Note: Could also derive from [GK]… –…but our techniques rule out 4-round protocols for wider class of functions

27/48 THM2: A 5-round protocol for secure two-party computation (for malicious adversaries) We construct a 5-round protocol where we “force” good behavior on both sides and can “simulate” the malicious adversary's view from both sides…

28/48 Somewhat easier task [folklore]: a k-round protocol with one player learning the output ⇒ a (k+1)-round protocol with both players learning their outputs: the output in the k-th round includes the other player's output, encrypted and MACed, which is forwarded in round k+1. SO: we need a 4-round protocol where, say, player 1 gets the output.

29/48 observation It suffices to consider deterministic functionalities. Rest of the talk: we show a 4-round protocol tolerating malicious players where player 1 learns the output.

30/48 Rest of the talk 3-round protocol for semi-honest players. Background tools. Some of our new techniques. Our 4-round protocol (if time permits). Proof of security (if time permits). Modifications needed for adaptive adversaries. Conclusions.

31/48 Recall: 1-2-OT [EGL] Sender has (v_0, v_1); Receiver has a bit b. 1-2-OT: Receiver gets v_b (and learns nothing about v_{1-b}); Sender gets nothing

32/48 Semi-honest 1-2-OT [EGL, GMW] 1. S: generate a trapdoor perm (f, f^{-1}); send f 2. R: y_b = f(z_b) for random z_b, y_{1-b} random; send (y_0, y_1) 3. S: send u_i = h(f^{-1}(y_i)) ⊕ v_i, for i = 0, 1 (h a hard-core predicate of f) 4. R computes v_b = h(z_b) ⊕ u_b Note: extends easily to strings in the semi-honest setting

33/48 Yao's “garbled circuit” Algorithms (Y_1, Y_2) s.t.: – Y_1(y) outputs a “circuit” C and input-wire labels {Z_{i,b}} – [C “represents” F(·, y)] – Y_2(C, Z_{1,x_1}, …, Z_{k,x_k}) outputs v. Correctness: v = F(x, y)

34/48 3-round semi-honest 2PC 1. Player 2 sends Yao's C and f for OT 2. Player 1 sends OT pairs {(y_{i,0}, y_{i,1})}, with choice bit x_i for input wire i 3. Player 2 sends {(u_{i,0}, u_{i,1})} to Player 1. Player 1 recovers the labels Z_{i,x_i} and computes v.
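The following is an added worked example, not code from the talk: it runs the 3-round semi-honest protocol of slides 32 to 34 end to end, with the EGL 1-2-OT built on a toy RSA trapdoor permutation (two constructed Mersenne primes, no security margin), SHA-256 standing in for the hard-core hash h and for the gate-table encryption of a toy Yao garbled circuit, and a constructed 2-bit "x > y" circuit as the functionality F.

```python
"""Added example: 3-round semi-honest 2PC = toy EGL 1-2-OT + toy Yao garbling.
Toy parameters only (tiny RSA modulus, SHA-256 as a random oracle); constructed."""
import hashlib
import os
import random

# --- trapdoor permutation f = RSA over constructed (insecure) primes ---
def gen_trapdoor_perm():
    p, q, e = 2**31 - 1, 2**61 - 1, 65537           # constructed Mersenne primes
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))                # trapdoor for f^{-1}
    return (n, e), d

def f_apply(f, z):                                   # f(z) = z^e mod n
    return pow(z, f[1], f[0])

def f_invert(f, d, y):                               # f^{-1}(y) = y^d mod n
    return pow(y, d, f[0])

def h(z, nbytes):                                    # "hard-core" hash, stretched
    return hashlib.sha256(str(z).encode()).digest()[:nbytes]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# --- semi-honest 1-2-OT [EGL]: R learns v_b, S learns nothing about b ---
def ot_query(f, b):
    z = random.randrange(1, f[0])
    ys = [random.randrange(1, f[0]), random.randrange(1, f[0])]
    ys[b] = f_apply(f, z)                            # y_b = f(z_b), y_{1-b} random
    return z, ys

def ot_answer(f, d, ys, vs):                         # u_i = h(f^{-1}(y_i)) xor v_i
    return [xor(h(f_invert(f, d, ys[i]), len(vs[i])), vs[i]) for i in (0, 1)]

def ot_recover(z, b, us):                            # v_b = h(z_b) xor u_b
    return xor(h(z, len(us[b])), us[b])

# --- Yao garbling: a gate is (truth table indexed a*2+b, in_a, in_b, out) ---
LABEL, TAG = 16, b"\x00" * 8

def gate_pad(gid, ka, kb):                           # one-time pad for a table row
    return hashlib.sha256(bytes([gid]) + ka + kb).digest()[:LABEL + len(TAG)]

def garble(circuit, n_wires):
    """Y1: two random labels per wire, one shuffled 4-row table per gate."""
    Z = [(os.urandom(LABEL), os.urandom(LABEL)) for _ in range(n_wires)]
    tables = []
    for gid, (tt, a, b, out) in enumerate(circuit):
        rows = [xor(gate_pad(gid, Z[a][ia], Z[b][ib]), Z[out][tt[ia * 2 + ib]] + TAG)
                for ia in (0, 1) for ib in (0, 1)]
        random.shuffle(rows)                         # hide which row is which
        tables.append(rows)
    return tables, Z

def evaluate(circuit, tables, labels, out_wire, out_labels):
    """Y2: with one label per input wire, only the row whose pad matches yields TAG."""
    for gid, (tt, a, b, out) in enumerate(circuit):
        for row in tables[gid]:
            pt = xor(gate_pad(gid, labels[a], labels[b]), row)
            if pt[LABEL:] == TAG:
                labels[out] = pt[:LABEL]
                break
    return out_labels.index(labels[out_wire])        # decode the output bit

# --- the 3-round protocol: P1 holds x, P2 holds y, P1 learns F(x, y) ---
def semi_honest_2pc(circuit, n_wires, out_wire, x_bits, y_bits):
    k = len(x_bits)                                  # wires 0..k-1 carry x, k..2k-1 carry y
    # Round 1 (P2 -> P1): garbled C "representing" F(., y), its y-labels, output decoding, f.
    tables, Z = garble(circuit, n_wires)
    f, d = gen_trapdoor_perm()
    msg1 = (tables, {k + i: Z[k + i][bit] for i, bit in enumerate(y_bits)}, Z[out_wire], f)
    # Round 2 (P1 -> P2): one OT query per input bit, choice bit x_i.
    queries = [ot_query(f, bit) for bit in x_bits]
    # Round 3 (P2 -> P1): OT answers carrying the two labels of x-wire i.
    answers = [ot_answer(f, d, ys, Z[i]) for i, (_, ys) in enumerate(queries)]
    # P1 recovers exactly one label per x-wire and evaluates.
    tables, labels, out_labels, _ = msg1
    labels = dict(labels)
    for i, ((z, _), us) in enumerate(zip(queries, answers)):
        labels[i] = ot_recover(z, x_bits[i], us)
    return evaluate(circuit, tables, labels, out_wire, out_labels)

# Constructed sample circuit: "x > y" for 2-bit x = (w0 w1) and y = (w2 w3).
GT2 = [((0, 0, 1, 0), 0, 2, 4),   # w4 = x1 AND NOT y1
       ((1, 0, 0, 1), 0, 2, 5),   # w5 = x1 XNOR y1
       ((0, 0, 1, 0), 1, 3, 6),   # w6 = x0 AND NOT y0
       ((0, 0, 0, 1), 5, 6, 7),   # w7 = w5 AND w6
       ((0, 1, 1, 1), 4, 7, 8)]   # w8 = w4 OR w7 (output wire)

def millionaires(x, y):
    """Run the protocol on 2-bit inputs; returns 1 iff x > y."""
    bits = lambda v: [(v >> 1) & 1, v & 1]
    return semi_honest_2pc(GT2, 9, 8, bits(x), bits(y))

if __name__ == "__main__":
    print([[millionaires(x, y) for y in range(4)] for x in range(4)])
```

Player 1 ends up holding one label per wire of the whole circuit but cannot decrypt any other table row, and the output decoding pair is the only place a label is tied to a bit, which is why a semi-honest evaluator learns exactly F(x, y); the malicious case is what the rest of the talk adds on top of this skeleton.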

35/48 Malicious 2PC? Standard method [GMW87] increases round-complexity: –Coin tossing into the well to fix random tapes of players; –Players commit to their inputs; –ZK arguments of correctness after every round; High round complexity of compilation

36/48 Malicious 2PC in 4 rounds Our goal: do everything in 4 rounds (player 1 gets the output), forcing “good” behavior from both sides! Intuition: do everything “as early as possible”, but… things “don't fit”: we need new tricks to cram it all in. Surprise: we must “delay” proofs to make it work.

37/48 Reminder: 3-round WI proofs [FS] P claims that graph G has a Hamiltonian cycle (HC). P → V: commit to n cycle graphs C_1..C_n (each a random Hamiltonian cycle, committed entrywise as an adjacency matrix). V → P: random n-bit string Q. P → V: for each bit of Q, either – open the entire matrix C_i (V checks it is a cycle graph), OR – show a permutation of G onto C_i and open the non-edges of G in C_i (V checks they are all 0).

38/48 OBSERVATION Graph G can be determined in the last round. – IF G is determined in the 1st round ⇒ this is a WI proof of knowledge – IF G is determined in the 3rd round ⇒ this is only a WI proof, but it is still sound!
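An added example (not from the talk) of the observation above: the prover's round-1 commitments are to a random cycle graph C and never touch G; G and the witness cycle enter only in round 3, and the verifier still catches a prover whose "cycle" uses a non-edge of G. Hash commitments, a constructed 5-node graph, and sequential rather than parallel repetition are this example's own choices.

```python
"""Added example: Blum/FS 3-round WI proof for "G has a Hamiltonian cycle",
with G used only in round 3.  Toy hash commitments; constructed inputs."""
import hashlib
import os
import random

def commit(bit):                                    # SHA-256 commitment to one bit
    r = os.urandom(16)
    return hashlib.sha256(r + bytes([bit])).digest(), (r, bit)

def opens_to(c, r, bit):
    return hashlib.sha256(r + bytes([bit])).digest() == c

def is_hamiltonian_cycle(adj):
    """True iff adj is the adjacency matrix of one simple cycle through all nodes."""
    n = len(adj)
    if n < 3 or any(sum(row) != 2 or adj[u][u] for u, row in enumerate(adj)):
        return False
    if any(adj[u][v] != adj[v][u] for u in range(n) for v in range(n)):
        return False
    seen, prev, cur = {0}, -1, 0
    for _ in range(n):                              # walk the cycle from node 0
        prev, cur = cur, next(v for v in range(n) if adj[cur][v] and v != prev)
        seen.add(cur)
    return cur == 0 and len(seen) == n

def round1(n):
    """P -> V: commit entrywise to a random n-node cycle graph C (G not needed)."""
    order = list(range(n))
    random.shuffle(order)                           # C's cycle: order[0] -> order[1] -> ...
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        u, v = order[i], order[(i + 1) % n]
        adj[u][v] = adj[v][u] = 1
    coms = [[commit(adj[u][v]) for v in range(n)] for u in range(n)]
    state = (order, [[o for _, o in row] for row in coms])
    return state, [[c for c, _ in row] for row in coms]

def round3(state, q, G, cycle):
    """P -> V: q = 0: open all of C.  q = 1: permutation of G's cycle onto C's
    cycle plus openings of C at the images of G's non-edges (all must be 0)."""
    order, openings = state
    n = len(order)
    if q == 0:
        return {"all": openings}
    perm = {cycle[i]: order[i] for i in range(n)}
    non_edges = {(u, v): openings[perm[u]][perm[v]]
                 for u in range(n) for v in range(n) if u != v and not G[u][v]}
    return {"perm": perm, "non_edges": non_edges}

def verify(coms, q, G, resp):
    n = len(coms)
    if q == 0:                                      # C must be a genuine cycle graph
        ok = all(opens_to(coms[u][v], *resp["all"][u][v]) for u in range(n) for v in range(n))
        return ok and is_hamiltonian_cycle([[resp["all"][u][v][1] for v in range(n)] for u in range(n)])
    perm = resp["perm"]
    if len(perm) != n or sorted(perm.values()) != list(range(n)):
        return False
    expected = sum(1 for u in range(n) for v in range(n) if u != v and not G[u][v])
    if len(resp["non_edges"]) != expected:          # every non-edge of G must be opened
        return False
    return all(not G[u][v] and bit == 0 and opens_to(coms[perm[u]][perm[v]], r, bit)
               for (u, v), (r, bit) in resp["non_edges"].items())

def wi_proof(G, cycle, challenge):
    """One 3-round execution per challenge bit (sequential stand-in for the n
    parallel copies on the slide); a cheating prover survives each bit w.p. 1/2."""
    n = len(G)
    for q in challenge:
        state, coms = round1(n)                     # round 1: independent of G
        resp = round3(state, q, G, cycle)           # round 2 is V's bit q; round 3 uses G
        if not verify(coms, q, G, resp):
            return False
    return True

# Constructed sample: the 5-cycle 0-1-2-3-4-0 plus a chord 0-2.
G5 = [[0] * 5 for _ in range(5)]
for u, v in [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]:
    G5[u][v] = G5[v][u] = 1
WITNESS = [0, 1, 2, 3, 4]
```

Witness indistinguishability is visible in the code: for q = 0 the response is independent of the witness, and for q = 1 it reveals only a random relabelling of G's non-edges, which looks the same for every Hamiltonian cycle of G; the cost of postponing G is that nothing in round 1 binds the prover to a witness, so the proof stops being a proof of knowledge.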

39/48 New properties for the 3-round WI proof (figure: Player 1 sends rounds 1 and 3, Player 2 sends round 2; statement ST1 is fixed in round 1, statement ST2 only in round 3, and the round-3 proof covers ST1 & ST2)

40/48 Next: [FS] 4-round ZK Q: can we get a similar result for the [FS] 4-round ZK argument?

41/48 [FS] 4-round ZK argument: 2 interleaved WI proofs (figure: Verifier sends rounds 1 and 3, Prover sends rounds 2 and 4)

42/48 [FS] 4-round ZK argument: 2 interleaved WI proofs: V → P: gives y_1, y_2 s.t. f(a_1) = y_1, f(a_2) = y_2, and a WI proof of knowledge of one of the a's (3 rounds, starting in round 1). P → V: WI proof of knowledge of a witness w such that x is in L or w is one of the a's (starting in the 2nd round). Total of 4 rounds. Proof of knowledge; also ZK.

43/48 New FS properties needed: Observation: In FS, prover needs to determine the statement in the second round. Goal: to defer parts of statement to last (4 th ) round. Previous ideas are not sufficient…

44/48 Technical lemma: we extend [FS] to FS' so that: FS' is a 4-round zero-knowledge argument where statements can be “postponed”. In FS', part of the (conjunctive) statement is defined in the second round (with knowledge extraction) and part in the 4th round (without extraction, but still sound!). It is of independent interest (requires equivocal commitments and some other tools)

45/48 FS' flow (figure: Verifier sends rounds 1 and 3; Prover sends round 2, which determines ST1, and round 4, which determines ST2 and completes the proof of ST1 & ST2)

46/48 Our protocol: proof flows (figure: Player 1 sends round 1 and round 3, the latter carrying the WI statement; Player 2 sends round 2, fixing FS' statement ST1, and round 4, fixing FS' statement ST2)

47/48 Simulation on both sides? We need more tools… A malicious player 2 gains nothing by using a non-random tape in Yao. Player 1 cannot freely choose his random tape, but full-blown coin-tossing is not necessary (i.e., we don't need simulatability on both sides). Player 2 has to commit to Yao's garbled circuit in round 2, but the simulator needs to open it arbitrarily, so use an equivocal commitment.

48/48 Equivocal commitments (informal): in a real execution, the sender is committed to a single value; in the simulation, the commitment can be opened arbitrarily. Construction: Equiv(b) = (Com(b_0), Com'(b_1)) plus a ZK argument that b_0 = b_1. Open by opening either b_0 or b_1 (the simulator commits to b_0 ≠ b_1 and simulates the argument). Can “fold” the ZK argument into the larger statement already proved in the 4th round of FS'

49/48 And now… the 4-round protocol… (only 4 slides, 1 msg per slide)

50/48 Round 1: P1(x) → P2(y) P1 commits to {(r_{i,0}, r_{i,1})} (random); starts a 3-round WI PoK of either r_{i,0} or r_{i,1}; starts FS'_1 (statement TBA by P2, partly in round 2, partly in round 4)

51/48 Round 2: P2(y) → P1(x) P2 sends the challenge for the WI PoK; sends trapdoor perms {f_{i,b}} for OT and random values {r'_{i,b}}; commits to the input-wire labels for Yao; equivocal commitment to Yao's garbled C(y); FS'_2 (proving correctness as part of the statement), part determined now, part in the fourth round

52/48 Round 3: P1(x) → P2(y) For each bit i of input x, set (for OT): – y_{i,x_i} = f_{i,x_i}(z_i); – y_{i,1-x_i} = r_{i,1-x_i} ⊕ r'_{i,1-x_i}; WI PoK (final round 3), where the statement includes the fact that, for each i, one of the y's is correctly computed (of the form r ⊕ r' with r from the round-1 commitment). FS' (round 3)

53/48 Round 4: P2(y) → P1(x) Complete the OT (i.e., P2 inverts the f's and XORs with Yao's input-wire labels), sends these to P1. FS' final (4th) round, where P2 proves correctness of all its steps, including the OT of this round. P2 decommits the equivocal commitment to Yao's circuit, so that P1 can evaluate it!

54/48 SIMULATION FOR CHEATING P2 Simulating view of ADV-P2 interacting with SIM1

55/48 Round 1: SIM → ADV-P2 SIM commits to {(r_{i,0}, r_{i,1})} (random); starts the 3-round WI PoK of either r_{i,0} or r_{i,1}; starts FS'_1 (statement TBA by P2, partly in round 2, partly in round 4). Easy to simulate; we don't need to know x.

56/48 Round 2: SIM  ADV-P2 Sends whatever it wants to SIM

57/48 Round 3: SIM → ADV-P2 For each bit i of the input x, set (for OT): – y_{i,x_i} = r_{i,x_i} ⊕ r'_{i,x_i}; – y_{i,1-x_i} = r_{i,1-x_i} ⊕ r'_{i,1-x_i}; (both y's are of the r ⊕ r' form, so no input x is needed). The PoK (final round 3) is easy, since the statement is true for the simulator. FS' (round 3): play honestly

58/48 Round 4: ADV-P2 → SIM Sends whatever it wants. If everything is valid, we rewind and extract y (using the fact that the commitment in the second round is part of FS' with knowledge extraction, so we can extract). Now send y to the trusted party and we are done: player 1 gets his output.

59/48 SIMULATION FOR CHEATING P1 (simulating view of ADV-P1 interacting with the SIM2)

60/48 ADV-P1  SIM Sends whatever it wants

61/48 Round 2: SIM → ADV-P1 SIM sends to P1 the trapdoor perms {f_{i,b}} for OT and random values {r'_{i,b}}, as before. SIM commits to garbage (instead of the input-wire labels for Yao). SIM makes an equivocal commitment to garbage (instead of Yao's garbled C(y)). For FS'_2, use the ZK simulator (proving correctness as part of the statement), part to be determined now, part in the fourth round

62/48 Round 3: ADV-P1  SIM Adv sends whatever it wants

63/48 ADV-P1 → SIM If all proofs in the 3rd round are OK, rewind and extract from the WI PoK, for each i, which one of r_{i,0}, r_{i,1} from the first round P1 knows. After extraction, SIM knows ADV-P1's OT choice values, which define his input x. Send x to the trusted party, get the output. (cont. on next slide)

64/48 SIM → ADV-P1 Now simulate Yao's circuit (from the output), decommit the equivocal commitment to Yao's circuit as needed, and prepare the OT answers as needed. Continue using the ZK simulator for FS'

65/48 Handling adaptive adversaries

66/48 Overview No erasure assumption (unlike [BH]). Use adaptively-secure encryption to encrypt each round (à la [CFGN96]) – We avoid the expensive key-generation phase (using stronger assumptions): – Assume a simulatable cryptosystem [Damgård-Nielsen 2000] – Maintain round complexity by not encrypting the first round

67/48 Adaptively-secure encryption To encrypt a single bit v: – Receiver generates {(pk_{i,0}, pk_{i,1})} but only knows the secret key for one of each pair – Sender computes {(C_{i,0}, C_{i,1})} where, in each pair, one ciphertext is random and one is an encryption of v – Receiver decrypts using the keys he knows; takes majority
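An added example (not from the talk) of the bit-encryption on this slide, using ElGamal over a constructed toy safe-prime group as the simulatable cryptosystem: a random quadratic residue is a valid public key whose secret key nobody knows, and a pair of random residues is a valid ciphertext nobody can decrypt to a chosen value, which is exactly what the receiver's unknown-key slot and the sender's random-ciphertext slot require. Only the honest execution is shown; the simulator's equivocation, which relies on the invertible sampling of those slots, is not.

```python
"""Added example: [CFGN96]-style bit encryption from a simulatable (ElGamal) scheme.
Constructed toy group p = 2q + 1 = 1019; no security, illustration only."""
import hashlib
import random

P, Q, G = 1019, 509, 4       # constructed safe prime, subgroup order, generator (4 is a QR)

def rand_qr():               # random subgroup element, discrete log unknown to anyone
    return pow(random.randrange(1, P), 2, P)

def keygen():                # (pk, sk) with pk = G^sk
    sk = random.randrange(1, Q)
    return pow(G, sk, P), sk

def encrypt(pk, m):
    r = random.randrange(1, Q)
    return pow(G, r, P), m * pow(pk, r, P) % P

def decrypt(sk, ct):
    c1, c2 = ct
    return c2 * pow(c1, -sk, P) % P

def bit_of(m):               # map a group element to a bit; uniform on a random element
    return hashlib.sha256(m.to_bytes(2, "big")).digest()[0] & 1

def encode(v):               # a random element carrying the bit v
    while True:
        m = rand_qr()
        if bit_of(m) == v:
            return m

def receiver_keys(n_pairs):
    """Pairs (pk_{i,0}, pk_{i,1}); the receiver knows the secret key only at slot s_i."""
    pairs, secrets = [], []
    for _ in range(n_pairs):
        s = random.randrange(2)
        pk, sk = keygen()
        pair = [rand_qr(), rand_qr()]        # slot 1-s: sampled obliviously, no sk
        pair[s] = pk
        pairs.append(pair)
        secrets.append((s, sk))
    return pairs, secrets

def sender_encrypt_bit(v, pairs):
    """Per pair: one slot gets Enc(v), the other an obliviously sampled ciphertext."""
    cts = []
    for pk0, pk1 in pairs:
        t = random.randrange(2)
        pair = [(rand_qr(), rand_qr()), (rand_qr(), rand_qr())]
        pair[t] = encrypt((pk0, pk1)[t], encode(v))
        cts.append(pair)
    return cts

def receiver_decrypt_bit(cts, secrets):
    """Decrypt the known slot of each pair and take the majority.  A pair votes v
    when the sender's real slot is the known slot (prob. 1/2) and a uniform bit
    otherwise, so each vote equals v with probability 3/4."""
    votes = [bit_of(decrypt(sk, cts[i][s])) for i, (s, sk) in enumerate(secrets)]
    return int(2 * sum(votes) > len(votes))

def send_bit(v, n_pairs=128):
    """Full exchange for one bit; with 128 pairs a wrong majority is astronomically unlikely."""
    pairs, secrets = receiver_keys(n_pairs)
    return receiver_decrypt_bit(sender_encrypt_bit(v, pairs), secrets)
```

The number of pairs is the only security parameter the honest parties tune: it drives the majority error down exponentially, while the per-bit cost (two keys and two ciphertexts per pair) is what the slide's "expensive key-generation phase" refers to and why the first round is left unencrypted.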

68/48 CONCLUSIONS FOR BB-simulation, we completely closed 2-party round-complexity: (both upper and lower bounds =5) for ANY 2-party computation! Gap for non-BB-simulation: either 4 or 5 rounds (we need at least 4 rounds even for non-BB), but 4 or 5 is still open…