Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Exact Round Complexity of Secure Computation

Published byHannah Campbell Modified over 6 years ago

Similar presentations

Presentation on theme: "The Exact Round Complexity of Secure Computation"— Presentation transcript:

1 The Exact Round Complexity of Secure Computation
EUROCRYPT 2016 The Exact Round Complexity of Secure Computation Antigoni Polychroniadou (Aarhus University) joint work with Sanjam Garg, Pratyay Mukherjee (UC Berkeley), Omkant Pandey (Drexel University)

2 Background: Secure Multi-Party Computation
f(x1, x2, x3, x4) = (y1, y2 ,y3 ,y4 ) x1 x1 x1 y4 y1 x4 Goal: Correctness: Everyone computes f(x1,…,x4) Security: Nothing else but the output is revealed π Adversary: PPT Malicious x2 y3 Static y2 x3

3 Motivating Questions Lower bounds on the round complexity of secure protocols. Construct optimal round secure protocols.

4 State of the Art: Information-Theoretic Setting
Round Complexity of gate-by-gate protocols Ω(depthC) [DNP16]

5 State of the Art: Computational Setting
Round Complexity 2PC MPC 5 rounds [KO04,ORS15] O(1)* *[BMR90,KOS03,Pas04,DI05,DI06,PPV08,IPS08,Wee10,Goy11,LP11,GLOV12]

6 State of the Art: Computational Setting
Round Complexity 2PC MPC 5 rounds [KO04,ORS15] O(1) What is the exact round complexity of secure MPC?

7 Standard Communication Model for MPC
Simultaneous Message Exchange Channel

8 Standard Communication Model for MPC
Simultaneous Message Exchange Channel

9 Standard Communication Model for MPC
Simultaneous Message Exchange Channel

10 Standard Communication Model for MPC
Simultaneous Message Exchange Channel

11 Communication Model for 2PC
Non-Simultaneous Message Exchange Channel There are mutual dependencies between the two messages

12 State of the Art: Computational Setting
Round Complexity 2PC MPC 5 rounds [KO04] O(1) What is the exact round complexity of secure MPC? How many simultaneous message exchange rounds are necessary for 2PC?

13 Our Results Round Complexity 2PC MPC max(4,k+1)1 O(1)
1 k-round NMCOM Suppose that there exists a k-round NMCOM scheme; then (2PC): there exists a max(4, k + 1)-round protocol for securely realizing every two-party functionality. The use of NMCOM is not a coincidence [LPV09,Goy11,LP11,LPTV10,GLOV12]

14 Our Results Round Complexity 2PC MCF* max(4,k+1)1 max(4,k+1)
1 k-round NMCOM Suppose that there exists a k-round NMCOM scheme; then (2PC): there exists a max(4, k + 1)-round protocol for securely realizing every two-party functionality; (MPC): there exists a max(4, k + 1)-round protocol for securely realizing the multi-party coin-flipping functionality.

15 Our Results Round Complexity 2PC MCF* max(4,k+1)1 max(4,k+1)
1 k-round NMCOM Suppose that there exists a k-round NMCOM scheme; then (2PC): there exists a max(4, k + 1)-round protocol for securely realizing every two-party functionality; (MPC): there exists a max(4, k + 1)-round protocol for securely realizing the multi-party coin-flipping functionality. Four rounds are both necessary and sufficient for both the results based on 3-round NMCOMs [PPV08,GPR16,COSV16].

16 Outline Lower bound on the two-party coin-flipping.
4-round 2PC protocol.

17 Our Results Theorem 1. There does not exist a 3-round protocol for the two-party coin-flipping functionality for tossing ω(log λ) coins, with a black-box simulation, in the simultaneous message exchange model. where λ is the security parameter

18 Contradict the result of [KO04]
Suppose that there exists a protocol which realizes simulatable coin- flipping in 3 rounds. Proof (sketch) Rescheduled Contradict the result of [KO04]

19 Contradict the result of [KO04]
Suppose that there exists a protocol which realizes simulatable coin- flipping in 3 rounds. Proof (sketch) Rescheduled Contradict the result of [KO04]

20 Contradict the result of [KO04]
Suppose that there exists a protocol which realizes simulatable coin- flipping in 3 rounds. Proof (sketch) Rescheduled Contradict the result of [KO04]

21 Contradict the result of [KO04]
Suppose that there exists a protocol which realizes simulatable coin- flipping in 3 rounds. Proof (sketch) P1 P2 Rescheduled Contradict the result of [KO04]

22 Our Results Theorem 2. There does not exist a 4-round protocol for the two-party coin-flipping functionality for tossing ω(log λ) coins, with a black-box simulation, in the simultaneous message exchange model, with at least one unidirectional round. where λ is the security parameter

23 Our Results Theorem 2. There does not exist a 4-round protocol for the two-party coin-flipping functionality for tossing ω(log λ) coins, with a black-box simulation, in the simultaneous message exchange model, with at least one unidirectional round. where λ is the security parameter

24 Is it still 5 rounds with simultaneous transmission?
Our Approach for 2PC Starting point: Katz-Ostrovsky (KO) protocol [KO04] which is a 4-round protocol for only one-sided functionalities and 5-round for two sided functionalities. Is it still 5 rounds with simultaneous transmission? 5-round [KO04]:

25 Our Approach for 2PC Starting point: Katz-Ostrovsky (KO) protocol [KO04] which is a 4-round protocol for only one-sided functionalities and 5-round for two sided functionalities. Is it still 5 rounds with simultaneous transmission? 4-round attempt: Such a 4-round protocol fails due to Theorem 2.

26 Our Approach for 2PC Must use the simultaneous message exchange channel in each round; Fails due to malleability and input consistency issues. Run two executions of a 4-round protocol (in which only one party learns the output) in “opposite” directions.

27 Simultaneous Executions 3-round NMCOM … 4-round 2PC
Our Approach for 2PC Simultaneous Executions 3-round NMCOM … 4-round 2PC

28 max(4, k + 1)-round 2PC protocols
Theorem 3. TDP + k-round (parallel) NMCOM  max(4, k + 1)-round 2PC protocol + 3-robust with black-box simulation, in the presence of a malicious adversary, in the simultaneous message exchange model.

29 Tools for our 2PC Protocol
Equicoval COM 3-round Parallel NMCOM Garble Circuits 4-round 2PC Protocol Input-delayed ZK Argument* Semi-Honest OT Input-delayed WIPOK

30 Tools for our 2PC Protocol
Equicoval COM 3-round Parallel NMCOM Garble Circuits 4-round 2PC Protocol Input-delayed ZK Argument* Semi-Honest OT Input-delayed WIPOK

31 Garble Circuit Construction [Yao80]
Boolean Circuit C Garbled Circuit GC GC Z1,0, Z1,1 x1 x2 Z2,0, Z2,1 x2 Z3,0, Z3,1 x3 Z4,0, Z4,1 Pairs of λ-bit keys

32 Garble Circuit Construction [Yao80]
Boolean Circuit C Garbled Circuit GC GC Z1,0 Z1,1 x1 x2 Z2,0 Z2,1 x2 x3 Z3,0 Z3,1 Z4,0 Z4,1 Pairs of λ-bit keys Decoder

33 Garble Circuit Construction [Yao80]
Boolean Circuit C Garbled Circuit GC GC Z1,0 Z1,1 x1 x2 Z2,0 Z2,1 x2 x3 Z3,0 Z3,1 Z4,0 Z4,1 Pairs of λ-bit keys Simulator

34 Semi-Honest Secure 2PC

35 Semi-Honest Secure 2PC

36 Our 2PC Protocol

37 Our 2PC Protocol

38 Needed Proof Systems 3-round ΠWIPOK public-coin, witness-indistinguishable proof-of-knowledge [FLS99] for NP 4-round ΠFS zero-knowledge argument-of knowledge protocol [FS90] for NP based on NMCOM and ΠWIPOK. 1st ΠWIPOK: V sets and proves knowledge of a for 2nd ΠWIPOK: P proves knowledge of a witness to

39 Needed Proof Systems 3-round ΠWIPOK public-coin, witness-indistinguishable proof-of-knowledge [FLS99] for NP 4-round ΠFS zero-knowledge argument-of knowledge protocol [FS90] for NP based on NMCOM and ΠWIPOK. Crucial change: 1st ΠWIPOK: V sets and proves knowledge of 2nd ΠWIPOK: P proves knowledge of a witness to

40 Input-Delayed Proof Systems
Needed Proof Systems 3-round ΠWIPOK public-coin, witness-indistinguishable proof-of-knowledge [FLS99] for NP 4-round ΠFS zero-knowledge argument-of knowledge protocol [FS90] for NP based on NMCOM and ΠWIPOK. 1st ΠWIPOK: V sets and proves knowledge of 2nd ΠWIPOK: P proves knowledge of a witness to Crucial change: Input-Delayed Proof Systems

41 Our 2PC Protocol

42 Our 2PC Protocol

43 Tools for our Coin-Flipping Protocol
Equicoval COM 3-round Parallel NMCOM 4-round 2PC Protocol Input delayed ZK Argument* Extractable COM

44 Conclusion Round Complexity 2PC MCF* max(4,k+1)1 max(4,k+1)
1 k-round NMCOM Suppose that there exists a k-round NMCOM scheme; then (2PC): there exists a max(4, k + 1)-round protocol for securely realizing every two-party functionality; (MPC): there exists a max(4, k + 1)-round protocol for securely realizing the multi-party coin-flipping functionality. Four rounds are both necessary and sufficient for both the results based on the 3-round NMCOM of [GPR16].

45 Open Problems Crypto Assumption Plain Model CRS Model MPC protocols Semi-Honest ΟΤ O(1) rounds [BMR90…] 4 rounds [GMW87+AIK05] LWE 6 rounds [this work] 2 rounds [MW15] iO 4 rounds [HPW16] 2 rounds [GGHR14] Can we get optimal-round static MPC protocols from different/weaker assumptions?

46 Thank you!

Download ppt "The Exact Round Complexity of Secure Computation"

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.

Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Impossibility Results for Concurrent Two-Party Computation Yehuda Lindell IBM T.J.Watson.

Impossibility Results for Concurrent Two-Party Computation Yehuda Lindell IBM T.J.Watson.

Similar presentations

Ads by Google