1/48 Round-Optimal Secure Two-Party Computation Jonathan Katz U. Maryland Rafail Ostrovsky U.C.L.A.

2/48 Motivation Round complexity is a central measure of protocol efficiency. Minimizing the number of rounds is often important in practice. Lower and upper bounds have deepened our understanding of various tasks…

3/48 For example… ZK [FS89, GO94, GK96a, GK96b, BLV03, etc.], NIZK [BFM88, etc.], WI [FS89,DN00,BOV03] Concurrent ZK [DNS98, KPR01, CKPR01, PRS02] Commitment, identification schemes, … … 2-party and multi-party computation [BMR90, IK00, GIKR01, L01, KOS03, etc.]

4/48 This work We concentrate on secure two-party computation –Encompasses many functionalities of independent interest (e.g., ZK) –Important “special case” of MPC without honest majority Interestingly, exact round complexity of 2PC was not previously known!

5/48 This work (1) We exactly characterize black-box round complexity of secure 2PC! THM1: Impossibility result for any black-box 4-round coin-tossing (also XOR, other functionalities…)

6/48 This work (2) THM2: 5-round secure 2PC protocol for any functionality, based on trapdoor perms* (e.g. RSA, Rabin) or Homomorphic Encryption (e.g. DDH).

7/48 This work (3) THM3: 5-round secure 2PC protocol an adaptive adversary corrupting any one party without erasure in 5 rounds.

8/48 Prior work (2PC) Honest-but-curious setting –4 rounds using trapdoor perms. [Yao86] –3 rounds using number-theoretic assumptions (optimal) [Folklore] Malicious case –“Compiler” for any protocol secure in honest-but-curious setting [GMW87] –Round complexity?

9/48 Round complexity of 2PC? Upper bounds –O(k) rounds [GMW87] –O(1) rounds [Lindell01] Unspecified, but roughly rounds Lower bounds (black-box) –No 3-round ZK [GK96] –No 3-round coin-tossing [Lindell01]

10/48 Security definition We use the standard definitions of [GMW87, GL90, MR91, Ca00]

11/48 Theorem 1 No secure (black-box) 4-round protocol for flipping  (log k) coins –This rules out 4-round protocols for other functionalities as well (e.g., XOR) (Note: 3-round protocols for O(log k) coins do exist [Bl82, GMW87]) Details: see paper!

12/48 THM2: A 5-round protocol for secure two-party computation (for malicious adversary) We construct a 5-round protocol where we “force”’ good behavior on both sides and can “simulate” malicious Adv view from both sides…

13/48 Somewhat easier task [folklore]: k-round with one player learning the output  (k+1)-round with both players learning the outputs the output in the k th round includes encrypted and MAC’ed output for other player. SO: we need a 4-round protocol where, say, player 1 gets the output.

14/48 observation It suffices to consider deterministic functionalities. Rest of the talk: we show a 4-round protocol tolerating malicious players where player 1 learns the output.

15/48 Rest of the talk 3-round protocol for semi-honest players Background tools Some of our new techniques Our 4-round protocol (if time permits) Proof of security (if time permits) Modifications needed for Dynamic Adv. Conclusions.

16/48 Recall: 1-2-OT [EGL] Sender has (v 0, v 1 ); Receiver has b, 1-2-OT: Receiver gets v b Sender gets nothing

17/48 Semi-honest 1-2-OT [EGL,GMW] 1.S: generate td perm. (f, f -1 ); send f 2.R: y b = f(z b ), y 1-b rand; send (y 0, y 1 ) 3.S: send u i = h(f -1 (y i ))  v i, for i=0,1 4.R computes v b = h(z b )  u b Note: extends easily for strings in semi-honest setting

18/48 Yao’s “garbled circuit” Algorithms (Y 1, Y 2 ) s.t.: –Y 1 (y) outputs “circuit” C, input-wire labels {Z i,b }, –[C “represents” F(.,y)] –Y 2 (C, Z 1,x 1, …, Z k,x k ) outputs v Correctness: v = F(x, y)

19/48 3-round semi-honest 2PC 1.Player 2 sends Yao’s C, f for OT 2.Player 1 sends OT pairs {(y i,0, y i,1 )} 3.Player 2 sends {(u i,0, u i,1 )} to Player 1. Player 1 recovers v.

20/48 Malicious 2PC? Standard method [GMW87] increases round-complexity: –Coin tossing into the well to fix random tapes of players; –Players commit to their inputs; –ZK arguments of correctness after every round; High round complexity of compilation

21/48 Malicious 2PC in 4 rounds Our goal: do everything in 4 rounds, (player 1 gets the output) forcing “good” behavior from both sides! Intuition: do everything “as early as possible” but …things “don’t fit” – we need new tricks to cram it all.. Surprise: we must “delay” proofs to make it work.

22/48 Reminder:3-Round WI proofs [FS] P claims that graph G has a HC P  V: commit n cycle graphs C 1..C n V  P: random n-bit string Q P  V: for each bit of Q, either –open entire matrix C i OR –show perm of G onto C i open non-edges of G in C i.

23/48 OBSERVATION Graph G can be determined in the last round. –IF G is determined in the 1 st round  this is WI proof of knowledge –IF G is determined in the 3 rd round  this is only a WI proof, but it is still sound!

24/48 NEW PROPERTIES FOR 3- ROUND WI-PROOF Player1 Round1 ST1 Player2 round2 Round3: ST2 ST1 & ST2

25/48 Next: [FS] 4-round ZK Q can we get similar result for [FS] 4- round ZK argument?

26/48 [FS] 4-round ZK argument: 2 interleaved WI-proofs Verifier round1 Prover round2 round3 round4

27/48 [FS] 4-round ZK-argument 2 interleaved WI proofs: P  V: gives y 1,y 2 s.t. f(a 1 )=y 1,f(a 2 )=y 2 and WI proof of this fact (3 rounds) P  V: WI proof of witness w that x is in L or w is one of the a’s (starting on the 2 nd round). Total of 4 rounds. Proof of knowledge; also ZK.

28/48 New FS properties needed: Observation: In FS, prover needs to determine the statement in the second round. Goal: to defer parts of statement to last (4 th ) round. Previous ideas are not sufficient…

29/48 Technical lemma - we extend [FS] to FS’ so that: FS’ is a 4-round Zero-knowledge argument where statements can be “Postponed”. FS’ define conjunctive parts of statement in the second round (with knowledge extraction) and part of statement in the 4 th round (without extraction but still sound!) It is of independent interest (requires equivocal commitment, some other tools)

30/48 [FS] 4-round ZK argument: 2 interleaved WI-proofs Verifier Round1 Prover round2Det. ST1 round3 round4 Proof: ST 1 & ST 2 Det. ST2

31/48 OUR PROTOCOL PROOF-FLOWS Player1 round1 Player2 round2FS’: ST1 Round3: ST-WI round4FS’: ST2

32/48 Simulation on both sides? we need more tools… Malicious player 2 gains nothing by using non-random tape in Yao. Player 1 cannot freely choose his random tape, but full-blown coin-tossing is not necessary (i.e., we don’t need simulatability on both sides) Player 2 has to commit Yao’s garbled circuit in round 2, but the simulator need to open it arbitrary, so use equivocal comm.

33/48 Equivocal commitments (Informal): in real execution, sender committed to a single value; in simulation, can open arbitrarily Construction: Equiv(b) = Com(b 0 ), Com’(b 1 ) ZK argument that b 0 = b 1 Open by opening either b 0 or b 1 Can “fold” ZK argument into larger statement already used in 4 th round of FS’

34/48 And now… the 4-round protocol… (only 4 slides, 1 msg per slide)

35/48 Round 1: P1(x)  P2(y) P1 commits {(r i,0, r i,1 )}; (random) starts 3-round WI PoK of either r i,0 or r i,1 ; Starts FS’ 1 (statement TBA by P2 partly in round 2, partly in round 4)

36/48 Round 2: P1(x)  P2(y) P2 Sends challenge for WI PoK P2 Sends trapdoor perm {f i,b } for OT, and random values {r’ i,b }; P2 commits to input-wire labels for Yao Equiv. commitment to Yao’s garbled C(y); FS’ 2 (proving correctness as part of the statement), part to be determined now, part in fourth round

37/48 Round 3: P1(x)  P2(y) For each bit i of input x, set (for OT): –y i,x i = f i,x i (z); –y i, 1-x i = r i,1-xi  r’ i,1-xi ; WI PoK (final round 3), where the statement includes the fact that one of y’s is correctly computed for each i. FS’ (round 3)

38/48 Round 4: P1(x)  P2(y) Complete OT (i.e. P2 inverts f’s and xor’s with Yao’s input wires), sends these to P1 FS’ final (4 th) round, where P2 proves correctness of all its steps, including OT of this round. P2 Decommits equiv-commit of Yao’s circuit, so that P1 can compute!

39/48 SIMULATION FOR CHEATING P2 Simulating view of ADV-P2 interacting with SIM1

40/48 SIM  ADV-P2 SIM commits {(r i,0, r i,1 )}; (random) starts 3-round WI PoK of either r i,0 or r i,1 ; Starts FS’ 1 (statement TBA by P2 partly in round 2, partly in round 4) Easy to simulate, we don’t need to know x.

41/48 Round 2: SIM  ADV-P2 Sends whatever it wants to SIM

42/48 Round 3: SIM  ADV-P2 For each bit i of input x, set (for OT): –y i,x i = r i,xi  r’ i,xi ; –y i, 1-x i = r i,1-xi  r’ i,1-xi ; PoK (final round 3), is easy, since it’s a true statement by the simulator. FS’ (round 3) (play honestly)

43/48 Round 4: SIM  ADV-P2 Sends whatever it wants. If all valid, we re-wind, and extract y (using the fact that the msg commitment in the second round is a proof of knowledge, so we can extract) Now, send y to the trusted party and we are done, and player 1 gets his output.

44/48 SIMULATION FOR CHEATING P1 (simulating view of ADV-P1 interacting with the SIM2)

45/48 ADV-P1  SIM Sends whatever it wants

46/48 ADV-P1  SIM SIM send to P1 trapdoor perm {f i,b } for OT, and random values {r’ i,b }; as before SIM commits to garbage (instead of input-wire labels for Yao) SIM equiv. commitment to garbage (instead of Yao’s garbled C(y); ) For FS’ 2 use ZK simulator (proving correctness as part of the statement), part to be determined now, part in fourth round

47/48 Round 3: ADV-P1  SIM Adv sends whatever it wants

48/48 ADV-P1  SIM If all proofs in 3 rd round are OK,rewinds and extracts half of r’s from first round After extraction, can get ADV-P1 OT input values, this defines his input x. Send x to trusted party, get the output. (cont on next slide)

49/48 ADV-P1  SIM Now, simulate the Yao’s circuit, and de-comment equivocal commitment of Yao as needed, and prepare OT answers as needed. Continue using ZK simulator for FS’

50/48 Handling adaptive adversaries

51/48 Overview No erasure of [BH]. Use adaptively-secure encryption to encrypt each round (a la [CFGN96]) –We avoid expensive key-generation phase (using stronger assumptions: –Assume simulatable cryptosystem [Damgard- Nielsen 2000] –Maintain round complexity by not encrypting the first round

52/48 Adaptively-secure encryption To encrypt a single bit v: –Receiver generates {(pk i,b )} but only knows secret key for one of each pair –Sender computes {(C i,b )} where, in each pair, one ciphertext is random and one is an encryption of v –Receiver decrypts using keys he knows; takes majority

53/48 CONCLUSIONS FOR BB-simulation, we completely closed 2-party round-complexity: (both upper and lower bounds =5) for ANY 2-party computation! Gap for non-BB-simulation: either 4 or 5 rounds (we need at least 4 rounds even for non-BB), but 4 or 5 is still open…