Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Exact Round Complexity of Secure Computation

Published byCornelia Webster Modified over 7 years ago

Similar presentations

Presentation on theme: "The Exact Round Complexity of Secure Computation"— Presentation transcript:

1 The Exact Round Complexity of Secure Computation
EUROCRYPT 2016 The Exact Round Complexity of Secure Computation Antigoni Polychroniadou (Aarhus University) joint work with Sanjam Garg, Pratyay Mukherjee (UC Berkeley), Omkant Pandey (Drexel University)

2 Background: Secure Multi-Party Computation
f(x1, x2, x3, x4) = (y1, y2 ,y3 ,y4 ) x1 x1 x1 y4 y1 x4 Goal: Correctness: Everyone computes f(x1,…,x4) Security: Nothing else but the output is revealed π Adversary: PPT Malicious x2 y3 Static y2 x3

3 Motivating Questions Lower bounds on the round complexity of secure protocols. Construct optimal round secure protocols.

4 State of the Art: Information-Theoretic Setting
Communication Complexity Round Complexity O(n|C|) O(depthC)

5 State of the Art: Information-Theoretic Setting
Communication Complexity Round Complexity Ω(n|C|) [DNPR16] Ω(depthC) [DNPR16] Novel approach must be found to construct O(1) round protocols (that beat the complexities of BGW, CCD, GMW, SPDZ etc.)

6 State of the Art: Computational Setting
Communication Complexity Round Complexity <<|C| 2PC MPC FHE

7 State of the Art: Computational Setting
Round Complexity 2PC MPC 5 rounds [KO04,ORS15] O(1)* No CRS No Preprocessing *[BMR90,KOS03,Pas04,DI05,DI06,PPV08,IPS08,Wee10,Goy11,LP11,GLOV12]

8 State of the Art: Computational Setting
Round Complexity 2PC MPC 5 rounds [KO04,ORS15] O(1) What is the exact round complexity of secure MPC?

9 Standard Communication Model for MPC
Simultaneous Message Exchange Channel

10 Standard Communication Model for MPC
Simultaneous Message Exchange Channel

11 Standard Communication Model for MPC
Simultaneous Message Exchange Channel

12 Standard Communication Model for MPC
Simultaneous Message Exchange Channel

13 Communication Model for 2PC
Non-Simultaneous Message Exchange Channel There are mutual dependencies between the two messages

14 State of the Art: Computational Setting
Round Complexity 2PC MPC 5 rounds [KO04] O(1) What is the exact round complexity of secure MPC? How many simultaneous message exchange rounds are necessary for 2PC?

15 Our Results Round Complexity 2PC MPC 5 rounds [KO04] O(1)
(3-round Impossibility): There does not exist a 3-round protocol for the two-party coin-flipping functionality.

16 Our Results Round Complexity 2PC MPC max(4,k+1)1 O(1)
1 k-round NMCOM Suppose that there exists a k-round 3-robust NMCOM scheme; then (2PC): there exists a max(4, k + 1)-round protocol for securely realizing every two-party functionality. The use of NMCOM is not a coincidence [LPV09,Goy11,LP11,LPTV10,GLOV12]

17 Our Results Round Complexity 2PC MCF* max(4,k+1)1 max(4,k+1)
1 k-round NMCOM Suppose that there exists a k-round 3-robust NMCOM scheme; then (2PC): there exists a max(4, k + 1)-round protocol for securely realizing every two-party functionality; (MPC): there exists a max(4, k + 1)-round protocol for securely realizing the multi-party coin-flipping functionality.

18 Our Results Round Complexity 2PC MCF* max(4,k+1)1 max(4,k+1)
1 k-round NMCOM Suppose that there exists a k-round 3-robust NMCOM scheme; then (2PC): there exists a max(4, k + 1)-round protocol for securely realizing every two-party functionality; (MPC): there exists a max(4, k + 1)-round protocol for securely realizing the multi-party coin-flipping functionality. Four rounds are both necessary and sufficient for both the results based on 3-round NMCOMs [PPV08,GPR16,COSV16]?

19 Outline Lower bound on the two-party coin-flipping.
4-round 2PC protocol.

20 Our Results Theorem 1. There does not exist a 3-round protocol for the two-party coin-flipping functionality for tossing ω(log λ) coins, with a black-box simulation, in the simultaneous message exchange model. where λ is the security parameter

21 Contradict the result of [KO04]
Suppose that there exists a protocol which realizes simulatable coin- flipping in 3 rounds. Proof (sketch) Inner Simulator Rescheduled Contradict the result of [KO04]

22 Contradict the result of [KO04]
Suppose that there exists a protocol which realizes simulatable coin- flipping in 3 rounds. Proof (sketch) Inner Simulator Rescheduled Contradict the result of [KO04]

23 Contradict the result of [KO04]
Suppose that there exists a protocol which realizes simulatable coin- flipping in 3 rounds. Proof (sketch) Inner Simulator Rescheduled Contradict the result of [KO04]

24 Contradict the result of [KO04]
Suppose that there exists a protocol which realizes simulatable coin- flipping in 3 rounds. Proof (sketch) Inner Simulator P1 P2 Rescheduled Contradict the result of [KO04]

25 Our Results Theorem 2. There does not exist a 4-round protocol for the two-party coin-flipping functionality for tossing ω(log λ) coins, with a black-box simulation, in the simultaneous message exchange model, with at least one unidirectional round. where λ is the security parameter

26 Our Results Theorem 2. There does not exist a 4-round protocol for the two-party coin-flipping functionality for tossing ω(log λ) coins, with a black-box simulation, in the simultaneous message exchange model, with at least one unidirectional round. where λ is the security parameter

27 Is it still 5 rounds with simultaneous transmission?
Our Approach for 2PC Starting point: Katz-Ostrovsky (KO) protocol [KO04] which is a 4-round protocol for only one-sided functionalities and 5-round for two sided functionalities. Is it still 5 rounds with simultaneous transmission? 5-round [KO04]:

28 Our Approach for 2PC Starting point: Katz-Ostrovsky (KO) protocol [KO04] which is a 4-round protocol for only one-sided functionalities and 5-round for two sided functionalities. Is it still 5 rounds with simultaneous transmission? 4-round attempt: Such a 4-round protocol fails due to Theorem 2.

29 Our Approach for 2PC Must use the simultaneous message exchange channel in each round; Fails due to malleability and input consistency issues. Run two executions of a 4-round protocol (in which only one party learns the output) in “opposite” directions.

30 Simultaneous Executions 3-round NMCOM … 4-round 2PC
Our Approach for 2PC Simultaneous Executions 3-round NMCOM … 4-round 2PC

31 max(4, k + 1)-round 2PC protocols
Theorem 3. TDP + k-round (parallel) NMCOM  max(4, k + 1)-round 2PC protocol 3-robust with black-box simulation, in the presence of a malicious adversary, in the simultaneous message exchange model.

32 Tools for our 2PC Protocol
Equivocal COM 3-round Parallel 3-robust NMCOM Garble Circuits 4-round 2PC Protocol Input-delayed ZK Argument* Semi-Honest OT Input-delayed WIPOK

33 Tools for our 2PC Protocol
Equivocal COM 3-round Parallel 3-robust NMCOM Garble Circuits 4-round 2PC Protocol Input-delayed ZK Argument* Semi-Honest OT Input-delayed WIPOK

34 Garble Circuit Construction [Yao80]
Boolean Circuit C Garbled Circuit GC GC Z1,0, Z1,1 x1 x2 Z2,0, Z2,1 x2 Z3,0, Z3,1 x3 Z4,0, Z4,1 Pairs of λ-bit keys

35 Garble Circuit Construction [Yao80]
Boolean Circuit C Garbled Circuit GC GC Z1,1 Z1,0 x1 x2 Z2,0 Z2,1 x2 x3 Z3,0 Z3,1 Z4,0 Z4,1 Pairs of λ-bit keys Decoder

36 Semi-Honest Secure 2PC

37 Semi-Honest Secure 2PC

38 ( , , ) 3-round SH 2PC: S1 S2 S3 S1 S2 S3

39 Our 2PC Protocol

40 Our 2PC Protocol

41 Our 2PC Protocol ( , , ) ( , , ) ( , , ) ( , , , ) 3-round SH 2PC:
( , , ) 3-round SH 2PC: S1 S2 S3 ( , , ) 3-round NMCOM: nm1 nm2 nm3 ( , , ) 3-round ΠWIPOK: p1 p2 p3 ( , , , ) 4-round ΠFS: fs1 fs2 fs3 fs4

42 Our 2PC Protocol r’ fs1 p1 nm1 fs2 p2 nm2 S1 CGC CZ fs3 p3 nm3 S’2 fs4

43 Our 2PC Protocol r’ fs1 p1 nm1 fs2 p2 nm2 S1 CGC CZ fs3 p3 nm3 S’2 fs4

44 Proof Systems 3-round ΠWIPOK public-coin, witness-indistinguishable proof-of-knowledge [FLS99] for NP (st1 ∧st2) 4-round ΠFS zero-knowledge argument-of knowledge protocol [FS90] for NP (thm) based on NMCOM and ΠWIPOK. 1st ΠWIPOK: V sets t1=f(w1), t2=f(w2) and proves knowledge of a w for t1 ∨ t2 2nd ΠWIPOK: P proves knowledge of a witness to thm ∨(t1 ∨ t2 )

45 Proof Systems 3-round ΠWIPOK public-coin, witness-indistinguishable proof-of-knowledge [FLS99] for NP (st1 ∧st2) 4-round ΠFS zero-knowledge argument-of knowledge protocol [FS90] for NP (thm) based on NMCOM and ΠWIPOK. 1st ΠWIPOK: V sets t1=nmσ1, t2=nmσ2 and proves knowledge of a w for t1 ∨ t2 2nd ΠWIPOK: P proves knowledge of a witness to thm ∨(t1 ∨ t2 ) Crucial Change

46 Input-Delayed Proof Systems
3-round ΠWIPOK public-coin, witness-indistinguishable proof-of-knowledge [FLS99] for NP (st1 ∧st2) 4-round ΠFS zero-knowledge argument-of knowledge protocol [FS90] for NP (thm ∧ thm’ ) based on NMCOM and ΠWIPOK. 1st ΠWIPOK: V sets t1=nmσ1, t2=nmσ2 and proves knowledge of a w for t1 ∨ t2 2nd ΠWIPOK: P proves knowledge of a witness to thm ∨(t1 ∨ t2 ) Input-Delayed Proof Systems

47 Our 2PC Protocol Simulation Soundness r’ fs1 p1 nm1 fs2 p2 nm2 S1 CGC
CZ r’ fs3 p3 nm3 S’2 fs4 S1 GC Simulation Soundness

48 Simulation Soundness C R M ( u, view )

49 Simulation Soundness C R M ( σ1 , view )

50 Tools for our Coin-Flipping Protocol
Equivocal COM 3-round Parallel 3-robust NMCOM 4-round 2PC Protocol Input delayed ZK Argument* Extractable COM

51 Conclusion Round Complexity 2PC MPC 5 rounds [KO04] O(1)
(3-round Impossibility): There does not exist a 3-round protocol for the two-party coin-flipping functionality.

52 Conclusion Round Complexity 2PC MCF* max(4,k+1)1 max(4,k+1)
1 k-round NMCOM Suppose that there exists a k-round 3-robust NMCOM scheme; then (2PC): there exists a max(4, k + 1)-round protocol for securely realizing every two-party functionality; (MPC): there exists a max(4, k + 1)-round protocol for securely realizing the multi-party coin-flipping functionality. Four rounds are both necessary and sufficient for both the results based on the 3-robust NMCOM of [PPV08].

53 4-round 2PC protocols + + Theorem [GMPP16]
TDP + k-round (parallel) NMCOM  max(4, k + 1)-round 2PC protocol 3-robust with black-box simulation, in the presence of a malicious adversary, in the simultaneous message exchange model. [GMPP16]: TDP + 3-round NMCOM [COSV16] 2-round NMCOM [PVV08]  4-round 2PC protocol Complexity Leveraging Adaptive OWF [HPV16]: TDP + 4-round NMCOM* [GRRV14] OWF  4-round 2PC protocol

54 4-round MPC protocols + + + [GMPP16]: TDP LWE  6-round MPC protocol
iO  5-round MPC protocol [HPV16]: TDP + iO  4-round MPC protocol*

55 Open Problems Crypto Assumption Plain Model CRS Model MPC protocols Semi-Honest ΟΤ O(1) rounds [BMR90…] 4 rounds [GMW87+AIK05] LWE 6 rounds [this work] 2 rounds [MW15] iO 4 rounds [HPV16] 2 rounds [GGHR14] Can we get optimal-round static MPC protocols from different/weaker assumptions?

56 Thank you!

57 Round Complexity and Assumptions
Crypto Assumption Plain Model CRS Model Static MPC protocols Semi-Honest ΟΤ O(1) rounds [BMR90…] 4 rounds [GMW87+AIK05] LWE 6 rounds [GMPP16] 2 rounds [MW15] iO 4 rounds [HPW16] 2 rounds [GGHR14] Adaptive MPC protocols Semi-Honest OT O(1)1 [IPS08]; O(depthC)2 [CLOS02, GS12, DMRV13, V14] LWE O(1) 1 rounds [DPR16] 3 rounds 1 [DPR16] iO O(depthC)[GP15+CLOS02] 2 rounds 2 [GP15] 1 n-1 adaptive corruptions. 2 n adaptive corruptions.

Download ppt "The Exact Round Complexity of Secure Computation"

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.

Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

Similar presentations

Ads by Google