Secure Computation (Lecture 9-10) Arpita Patra
Recap >> MPC with honest majority in i.t. settings > Protocol using (n,t)-sharing, proof of security--- Feasibility Result > Efficiency: Offline-online paradigm, Reduction of online phase to secret using raw material Various Raw materials Randomness extraction techniques Linear Overhead MPC >> Comp. MPC with n>= 2t+1 is useful (CDN)
Impossibility of i.t MPC with n<=2t >> Do you first see that the protocols that we discussed so far will not work? >> Generating triple sharing >> Multiplication gate >> Functions consisting of linear gates: no problem >> (n,(2t,t))-sharing >> Impossibility of i.t. for any function
Impossibility of i.t MPC with n=2 for multiplication of bits P0P0 P1P1 b0b0 b1b1 m0m0 m1m1 m2m2 m3m3 m 2i m 2i T (b 0, b 1 ) Random variable over the random choice of the parties b 0 b 1 r0r0 r1r1
Impossibility of i.t MPC with n=2 for multiplication of bits P0P0 P1P1 b0b0 b1b1 m0m0 m1m1 m2m2 m3m3 m 2i m 2i T (b 0, b 1 ) If b 0 = 0, then T (b 0, b 1 ) should leak nothing about b 1. Otherwise corrupted P 0 can learn b 1 Breach in perfect secrecy We show P 0 can learn b 1 even when b 0 =0 and thus breach in perfect secrecy
Impossibility of i.t MPC with n=2 for multiplication of bits P0P0 P1P1 b0b0 b1b1 m0m0 m1m1 m2m2 m3m3 m 2i m 2i T (b 0, b 1 ) If b 1 = 0, then T (b 0, b 1 ) should leak nothing about b 0. b 0 = 0, r 0 b 0 = 1, r 1
Impossibility of i.t. MPC with n=2 for multiplication of bits P0P0 P1P1 b 0 = 0 b1b1 m0m0 m1m1 m2m2 m3m3 m 2i m 2i T (b 0, b 1 ) If b 1 = 0, there exists r 1 so that T (b 0, b 1 ) is consistent with (b 0 =1, r 1 ) If b 1 = 1, there can NOT exist r 1 so that T (b 0, b 1 ) is consistent with (b 0 =1, r 1 ) b 1 = ?? r0r0 b 0 b 1
Impossibility of i.t. MPC with n=2 for multiplication of bits P0P0 P1P1 b 0 = 0, r 0 b 1 = 1 m0m0 m1m1 m2m2 m3m3 m 2i m 2i T (b 0, b 1 ) b 0 b 1 = 0 b 0 = 1, r 1 Same transcript - > same output!! No correctness! But output should be 1 But since the protocol is correct……
Impossibility of i.t. MPC with n=2 for multiplication of bits P0P0 P1P1 b 0 = 0 b1b1 m0m0 m1m1 m2m2 m3m3 m 2i m 2i T (b 0, b 1 ) Adversary’s algorithm to find b 1 : 1. Try to find a randomness r 1 so that T (b 0, b 1 ) is consistent with (b 0 =1, r 1 ) 2. If found output b 1 = 0 else output b 1 = 1
OT is impossible information theoretically. We get something for free x1x1 P1P1 P2P2 x2x2 1-out-of-2 OT 0 x1x1 x2x2 x1x2x1x2
Secure Computation with Dishonest Majority Boolean Circuit (AND ( ), NOT( ), XOR (+)) Arithmetic Circuit over finite field (Addition (+) and Multiplication ( )) x1x1 x2x2 x3x3 x4x4 + f(x 1, x 2, x 3, x 4 ); inputs are field elements x1x1 x2x2 x3x3 x4x4 f(x 1, x 2, x 3, x 4 ); inputs are bits + OT Homomorphic / Semi-homomorphic Encryption Constant Round Protocols No Constant Round Protocols
1-out-of-2 Oblivious Transfer S Message Transfer: R m S R m0m1m0m1 b mbmb m S does not know b R does not know m 1-b 1-out-of-2 OT m0m0 m1m1 b mbmb
Ideal Functionality for OT.mbmb m0m1m0m1 b
OT from CPA-secure PKE with Public Key Samplability [EvenGoldreichLempel85] >> A public-key encryption scheme is a collection of 3 PPT algorithms = (Gen, Enc, Dec) Gen 1n1n pk, sk {0, 1} n Syntax: (pk, sk) Gen(1 n ) Enc m Mc pk Syntax: c Enc pk (m) Randomized algo Dec cm sk Syntax: m:= Dec sk (c) Except with a negligible probability over (pk, sk) output by Gen(1 n ), we require the following for every (legal) plaintext m Dec sk (Enc pk (m)):= m Randomized Algo Deterministic (w.l.o.g)
CPA Security = (Gen, Enc, Dec) I can break Let me verify m 0, m 1, |m 0 |=|m 1 | Gen(1 n ) b {0, 1} c Enc pk (m b ) b’ {0, 1} (Attacker’s guess about encrypted message) Game Output b = b’ attacker won b b’ attacker lost Indistinguishability experiment PubK (n) A, cpa PPT A pk, sk pk In the real-world, everyone including the attacker will have the public key pk is CPA-secure if for every PPT attacker A taking part in the above experiment, the probability that A wins the experiment is at most negligibly better than ½ ½ + negl(n) Pr PubK (n) A, cpa = 1
PKE with Public Key Samplability >> A public-key encryption scheme is a collection of 5 PPT algorithms = (Gen, Enc, Dec, oGen, fGen) oGen 1n1n pk, rSyntax: (pk, r) oGen(1 n ) fGen pk: (pk,sk) Gen(1 n ) r’ Syntax: r’ fGen(pk) (pk,r’) and (pk,r) looks indistinguishable
Key Samplability = (Gen, Enc, Dec, oGen, fGen) I can break b {0, 1} b’ {0, 1} Game Output b = b’ attacker won b b’ attacker lost Indistinguishability experiment PubK (n) A, ksamp PPT A (pk, sk) Gen(1 n ) r fGen(pk) (pk,r) is key-samplable if for every PPT attacker A taking part in the above experiment, the probability that A wins the experiment is at most negligibly better than ½ ½ + negl(n) Pr PubK (n) A, ksamp = 1 (pk, r) oGen(1 n )
ElGamal PKE Enc pk (m) c 1 = g y for random y c 2 = h y.. m c= (c 1,c 2 ) Dec sk (c) c 2 / (c 1 ) x = c 2. [(c 1 ) x ] -1 Gen(1 n ) (G, o, q, g) h = g x. For random x pk= (G,o,q,g,h), sk = x
1-out-of-2 Oblivious Transfer S R m0m1m0m1 b S does not know b R does not know m 1-b (pk b, sk b ) Gen(1 n ) (pk 1-b, r 1-b ) oGen(1 n ) (pk 0,pk 1 ) c 0 Enc pk0 (m 0 ) c 1 Enc pk1 (m 1 ) (c 0,c 1 ) m b Dec skb (m b )
Security for the Receiver S R m0m1m0m1 b (pk b, sk b ) Gen(1 n ) (pk 1-b, r 1-b ) oGen(1 n ) (pk 0,pk 1 ) c 0 Enc pk0 (m 0 ) c 1 Enc pk1 (m 1 ) (c 0,c 1 ) m b Dec skb (m b ) View S Real (m 0,m 1,b,k ) = {m 0,m 1,pk 0,pk 1,r S 0,r S 1 } S SIM S m0m1m0m1 m0m1m0m1 (pk 0, sk 0 ) Gen(1 n ) (pk 1, sk 1 ) Gen(1 n ) (pk 0,pk 1 ) c 0 Enc pk0 (m 0 ) c 1 Enc pk1 (m 1 ) (c 0,c 1 ) View S Ideal (m 0,m 1,b,k ) = {m 0,m 1,pk 0,pk 1, r S 0,r S 1 } = {m 0,m 1,pk b,pk 1-b, r S 0,r S 1 } Easy Reduction to ksamp security of the PKE!!
Indistinguishability of Real and Ideal View Theorem. If is ksamp-secure, then our OT provides receiver security according to real world/ideal world paradigm. Proof: Assume OT does not provide receiver security D, p(n): ½ + 1/p(n) Pr D(View S Real (m 0,m 1,b,k) =1) - > D A (pk,r) b’ {0, 1} (pk,r) by oGen or (Gen,fGen) m 0,m 1,pk 0,pk 1,r S 0,r S 1 m 0,m 1 (pk b, sk b ) Gen(1 n ) D(View S Ideal (m 0,m 1,b,k) =1) {m 0,m 1,pk b,pk 1-b,r S 0,r S 1 } pk 1-b = pk r S 0,r S 1 b’ {0, 1} If b is guessed correctly, then A emulates Real/Idea View -> A breaks ksamp security with non-negligible advantage (PKE is not ksamp-secure) -> Contradiction
Security for the Sender S R m0m1m0m1 b (pk b, sk b ) Gen(1 n ) (pk 1-b, r 1-b ) oGen(1 n ) (pk 0,pk 1 ) c 0 Enc pk0 (m 0 ) c 1 Enc pk1 (m 1 ) (c 0,c 1 ) m b Dec skb (m b ) View R Real (m 0,m 1,b,k ) = {b,m b,pk b,r b,pk 1-b, r 1-b, c 0,c 1 } SIM R bmbbmb b (pk 0,pk 1 ) c b Enc pkb (m b ) c 1-b Enc pk 1-b (0 k ) (c 0,c 1 ) R (pk b, sk b ) Gen(1 n ) (pk 1-b, r 1-b ) oGen(1 n ) m b Dec skb (m b ) View R Ideal (m 0,m 1,b,k ) = {b,m b,pk b,r b,pk 1-b, r 1-b, c b,c 1-b } Reduction to CPA does not work as c 1-b is encrypted using a public key generated by oGen NOT Gen
Security proof via Hybrid Arguments View R Real (m 0,m 1,b,k ) = {b,m b,pk b,r b,pk 1-b, r 1-b, c b,c 1-b } View R Ideal (m 0,m 1,b,k ) = {b,m b,pk b,r b,pk 1-b, r 1-b, c b,c 1-b } View R Hybrid1 (m 0,m 1,b,k ) = {b,m b,pk b,r b,pk 1-b, r 1-b, c b,c 1-b } (pk b, sk b ) Gen(1 n ) (pk 1-b, r 1-b ) oGen(1 n ) (pk b, sk b ) Gen(1 n ) (pk 1-b, r 1-b ) oGen(1 n ) (pk b, sk b ) Gen(1 n ) (pk 1-b, sk 1-b ) Gen(1 n ) c b Enc pkb (m b ) c 1-b Enc pk 1-b (0 k ) c b Enc pkb (m 0 ) c 1-b Enc pk1-b (m 1-b ) r 1-b fGen(pk 1-b ) c b Enc pkb (m b ) c 1-b Enc pk 1-b (m 1-b ) View R Hybrid2 (m 0,m 1,b,k ) = {b,m b,pk b,r b,pk 1-b, r 1-b, c b,c 1-b } (pk b, sk b ) Gen(1 n ) (pk 1-b, sk 1-b ) Gen(1 n ) r 1-b fGen(pk 1-b ) c b Enc pkb (m b ) c 1-b Enc pk 1-b (0 k ) ksamp security CPA security ksamp security
More OTs CT3 [PVW08] A Framework for Efficient and Composable Oblivious Transfer
GMW87 [GMW87]: How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority. STOC 1987.STOC Over Binary circuits
(n,n) - Secret Sharing for Semi-honest Adversaries Secret x is (n,n) if x2x2 x3x3 x n x1x1 … P1P1 P2P2 PnPn P3P3 x = x 1 + x 2 + ….. + x n ; shares are random; all are bits; + is + mod 2 Linearity is satisfied!!
GMW87 x1x1 x2x2 x3x3 x4x4 y
1.(n, n)- secret share each input y Find (n, n)-sharing of each intermediate value XOR gate: Non-Interactive P0P0 P1P1 x0x0 x1x1 y0y0 y1y1 y y=y0 + y1y=y0 + y1 x=x 0 + x 1 x + y =( x 0 + y 0 ) + ( x 1 + y 1 ) x
GMW87 1.(n, n)- secret share each input y Find (n, n)-sharing of each intermediate value NOT gate: Non-Interactive (One party flips the bit) P0P0 P1P1 x0x0 x1x1 x= x 0 + x 1
GMW87 1.(n, n)- secret share each input y Find (n, n)-sharing of each intermediate value XOR gate: Non-Interactive NOT gate: Non-Interactive (One party flips the bit) AND gate: Interactive (OT)
GMW87- AND Gate Evaluation P0P0 P1P1 x0x0 x1x1 y0y0 y1y1 y y=y0 + y1y=y0 + y1 x=x 0 + x 1 x y = ( x 0 +x 1 ) ( y 0 + y 1 ) = x 0 y 0 + x 0 y 1 + y 0 x 1 + x 1 y 1 x 1-out-of-2 OT 0 x0x0 y1y1 x0y1x0y1 1-out-of-2 OT y0y0 y0x1y0x1 0 x1x1 x 0 y 0 + y 0 x 1 x 0 y 1 + x 1 y 1 Leaks information from the partial product !!
GMW87- AND Gate Evaluation P0P0 P1P1 x0x0 x1x1 y0y0 y1y1 y y=y0 + y1y=y0 + y1 x=x 0 + x 1 x y = ( x 0 +x 1 ) ( y 0 + y 1 ) = x 0 y 0 + x 0 y 1 + y 0 x 1 + x 1 y 1 x 1-out-of-2 OT r0r0 r 0 + x 0 y1y1 1-out-of-2 OT y0y0 r 1 + y 0 x 1 r1r1 r 1 + x 1 x 0 y 0 + r 0 + (r 1 + y 0 x 1 ) (r 0 + x 0 y 1 )+ r 1 + x 1 y 1 r 0 + x 0 y 1
GMW87 1.(n, n)- secret share each input y Find (n, n)-sharing of each intermediate value XOR gate: Non-Interactive NOT gate: Non-Interactive (One party flips the bit) AND gate: Interactive (OT) 3. Reconstruct y by exchanging the shares
Extension to Multiparty and 2 party Security Proof On the board.