Input-Indistinguishable Computation Silvio MicaliMIT Rafael PassCornell Alon RosenHarvard
Definitions vs. Protocols Crypto in the 20 th century – protocols -> definitions Crypto in the 21 st century – definitions -> protocols This talk: New definition (input-indistinguishable computation) 1.For secure two-party computation (malicious). 2.Definition is “ simulation free. ” 3.Inspired by witness indistinguishability. New protocol 1.Concurrency without trusted set-up. 2.Standard complexity assumptions. Our motivation is “ protocol driven. ’’ We do not achieve “ holy grail ” of cryptography (yet) … x x
To reach balance: 1.Establish feasibility. 2.Improve efficiency. 3.Weaken hardness assumption. See if can satisfy a stronger definition (stronger adversary)... Modern Crypto Methodology Need to convince that: 1.Definition is meaningful. 2.Adversary is realistic. 3.Assumption is reasonable. Delicate balance Define security (what it means to break the scheme). Specify adversary in terms of: 1.computational power, 2.access to scheme. Construct scheme and prove that breaking it implies solving (assumed) computationally hard problem (e.g. factoring).
YES WELL… If you believe Factoring/DL are hard. IDEAL REAL PPT B* PPT S Secure Two-Party Computation Alic e Bob 1.Is definition meaningful? 2.Is adversary realistic? 3.Is assumption reasonable? … Theorem [Yao, GMW,Kil]: Assuming OT protocol, every efficient two-party function can be securely computed.
1.Is definition meaningful? 2.Is adversary realistic? 3.Is assumption reasonable? IDEAL REAL UC/General/Self Composition [C,L03,L04] A B A A A A B B B A B A A A A B B B YES Maybe, if we just had a protocol… Theorem [CKL, L03, L04]: For most “interesting’’ functions definitions of UC/General/Self composition cannot be achieved.
Theorems [CLOS, BCNP, CDPW]: Assuming OT, every efficient two-party function can be securely (UC) computed with some form of trusted set-up. Reference String 1.Meaningful? 2.Realistic? IDEAL REAL Set-Up Assumptions B A A A B B A A A B
YES in many cases [BS] very sensitive to security parameters [PS] non-standard assumptions Theorems [PS,BS]: Assuming subexp-hardness (and OT), every eff. two-party function can be securely computed with quasi-poly simulator. IDEAL REAL Super-Polynomial Time Simulation [P03] A B A A A A B B B A B A A A A B B B PPT B* P super PT S 1.Is definition meaningful? 2.Is adversary realistic? 3.Is assumption reasonable?
Super-polynomial time simulation (SPS) is very appealing: 1. Yields meaningful security guarantee. 2. Handles a realistic adversary. 3. Has the potential of being realized a. Under standard assumptions. b. Without constraints on security parameters. But coming up with such a protocol is still open. We give a definition that can be realized: a.Under standard assumptions. b.Without constraints on security parameters. c.In face of unbounded number of concurrent executions. Definition: Any protocol (A,B) is secure. Super-Polynomial Time Simulation d. Is (arguably) meaningful for many interesting functions. e. May lead to solution that admits unbounded simulation.
ALL inputs of A compatible with output of B* “EQUALLY LIKELY” To distinguish x 0,x 1 must use y* s.t. F(x 0,y*) ≠ F(x 1,y*) 1.Trivial if single-input per output 2.Generalization of Witness-Indist [FS90] Input-Indistinguishable Computation 1. Correctness. 2. Input-Independence 3. Input-Indistinguishability Privacy What is y*? Implicit input function IN(view B* ) = y* Consider 1.honest A with input x 2.malicious B* with input y 3.B* should get output.
Witness Indistinguishability [FS90] Prover Verifier view(w) = V*’s view of the interaction when P uses w Witness Indistinguishability: for PPT V*, w 0, w 1 view(w 0 ) view(w 1 ) WI property “well-behaved’’ under concurrent composition
Interactive Proofs vs. Two-Party Computation V* has no inputB* has input y V* output is 0/1B* output is F(x,y*) P input “hard” to computeA input can be finite P V* A B*
Implicit Input Function Implicit input function IN B : 1.defined on B*’s view of the interaction. 2.Wlog view depends only on x and on randomness of A 3.Well defined for all possible views. Notation: for PPT B*, x y* <- IN B (view(x)) Consistency: Output of A = F(x,y*) Output delivery message: there exists a round in protocol s.t. 1.Implicit input is fully defined from view so far, but 2.no “information’’ about output has been released yet. Implicit input and output round are implicit in ideal/real like definitions, but not required explicitly!
Input-Indistinguishable Computation (A,B) securely computes F w.r.t A if implicit input function IN B s.t. Completeness: in honest execution of (A,B) inputs = x,y output = F(x,y) Input-Independence: for PPT B*, x 0, x 1 IN B (view(x 0 )) IN B (view(x 1 )) Input-Indistinguishability: for PPT B*, x 0, x 1 y* <- IN B (view) B* can only “distinguish” x 0 and x 1 when F(x 0,y*) ≠ F(x 1,y*) B* received output in the protocol
Input-Indistinguishable Computation (A,B) securely computes F w.r.t A if implicit input function IN B s.t. Completeness: in honest execution of (A,B) inputs = x,y output = F(x,y) Input-Indist. and Indep.: For PPT B*, x 0, x 1 Expt 0 (x 0, x 1 ) Expt 1 (x 0, x 1 ) Expt i (x 0,x 1 ): view view of B* in execution with A(x i ) y* IN B (view) If output = true and F(x 0,y*) ≠ F(x 1,y*) Otherwise (y*,view)
Example Oblivious transfer function. F((s 0,s 1 ),c) = s c (So x= (s 0,s 1 ) and y=c.) Input independence: c is (computationally) independent of (s 0,s 1 ). Input indistinguishability: Given s c* as output, and view((s 0,s 1 )), the input s 1-c* could take any value. Very meaningful.
Concurrent Input Indistinguishable Computation (A,B) securely computes F w.r.t A if implicit input function IN B s.t. Completeness: in honest execution of (A,B) inputs = x,y output = F(x,y) Concurrent Inp-Indist. and Indep.: For PPT B*, x 0, x 1 Expt 0 (x 0, x 1 ) Exp 1 (x 0, x 1 ) Basic Concurrency: 1.Same Protocol (self composition) 2. fixed inputs sequences 3.Can be extended to handle arbitrary corruptions.
Composibility Unlike WI (and UC) input-indistiguishability does not compose in general. There exist protocols that are 1.stand-alone input indistinguishable, but 2.not concurrent input indistinguishable (even for two executions). The problem is the potential malleability of (A,B). Any solution must take malleability into consideration. Turns out that insuring non-malleability is sufficient!
Main Theorem Theorem: Suppose there exist (trapdoor) claw-free permutations. Then for any efficient 2-party function F, there exists a concurrent input-indistinguishable protocol for computing F. Trapdoor claw-free permutations: 1.Required for OT, CRH, perfectly hiding commitments. 2.Follow from hardness of Factoring/DL.
Yao’s protocol secure against honest-but-curious. Compile a’ la GMW, but: 1.Instead of normal ZK, NMZK protocols of [P04][PR05] 1.Instructions of NMZK depend on identity of prover. 2.Different provers have different identities. 2.Provable Determinism [LMS04]: once first message sent, only one possible continuation (except for ZK). 3.And some more… Let (A,B) denote resulting protocol. High-Level Idea of Protocol
Lemma: (A,B) is (stand-alone) ideal/real secure. Lemma: Stand-alone ideal/real -> stand-alone inp.-ind. 1.Implicit input is the value fed to trusted party. 2.Requires augmenting outputs of ideal/real w/ input of B*. 3.Relies on existence of output delivery message. 4.B*,D breaking inp.-ind. -> B**,D breaking ideal/real. Lemma: (A,B) stand-alone inp.-ind. -> (A,B) conc. inp.-ind. 1.Implicit inputs same as in stand-alone. 2.Interplay between Hybrid argument and Simulation 3.Mixture of Black-box and Non black-box [PR05]. Analysis
One-many Simulation-Extractable ZK [PR05] B* Left interaction: simulate only one ZK execution. Right interaction: concurrently extract witnesses from many executions. ZK ID ZK ID2 ~ ZK ID1 ~ ZK IDm ~ ww ~ wmwm ~ ww ~ S
(view,y*) Concurrent -> Stand-Alone Assume existence of concurrent adversary B*, and x, x s.t. corresponding EXPT can be distinguished. Construct B** that violates stand-alone inp.-ind. Of (A,B). B* x2x2 x1x1 xmxm x1x1 x2x2 xmxm -
Concurrent -> Stand-Alone M xixi x1x1 or x i xmxm Using a hybrid argument. Only need to simulate the ZK proof in the ith execution. Requires to extract all y*. B**
Comparison Meaningful definition Realistic adversary Reasonable assumption Stand-Alone YESNOYES UC YES NO SPS [BS] YES* potential YES*YES This work YES**YES
Summary Zero-knowledge (simulation paradigm) seems to have “ hit the wall ” with respect to protocol composition. Maybe [Goldreich Micali Wigderson87] has made us “ too ambitious …” Perhaps we should 1.Give up in meaningfulness of definitions. a)Super polynomial-time simulators [P03, PS04, BS05]. b)Based on indistinguishability [FS90]. 2.Give up in generality of definitions. a)Be meaningful only in specific cases. b)Secure protocols for specific tasks [PR05,BPS06].
Thank You!