1
Completeness in Two-Party Secure Computation – A Computational View
Danny Harnik Moni Naor Omer Reingold Alon Rosen AT&T IAS MIT Weizmann Institute of Science
2
Secure Function Evaluation (SFE) of a Function f
Alice holds x; Bob holds y. Alice receives f(x,y). Alice learns “nothing else”. Bob learns “nothing”.
3
Secure Function Evaluation
General framework that captures many cryptographic tasks. SFE for any poly-time f: key achievement in cryptography. Many possible definitions and settings. We concentrate on a specific setting: Asymmetric version (only Alice gets output). Deterministic functions (vs. prob. functionality). Computational security definitions (vs. information theoretic). Simulation based. Semi-honest parties: can use GMW compiler for malicious model. The GMW91 version does mention OT. Only the proceedings version of GMW 86 does. We could also refer to Oded.
4
Oblivious Transfer Introduced by Rabin (Noisy-OT)
Several equivalent flavors. 1-2 OT [EGL85]: Sender has two bits b_0, b_1 and Receiver has choice bit c. Receiver learns b_c but not b_{1-c}. Sender learns nothing of c. Can view 1-2 OT as an asymmetric SFE protocol of the function OT(c; b_0, b_1) = b_c.
5
The Power of OT This is a Completeness behavior.
Given an OT protocol, one can construct an SFE for any efficiently computable function f. [Yao, GMW, Kilian … ] This is a Completeness behavior. There are several places where the order of describing things is a bit problematic. Completeness and reductions are one such case. Perhaps it is better to first say what OT can do, then say that we want to call this property completeness and then move on to the definitions.
6
Reductions & Completeness
A function g securely reduces to f if an SFE for g can be constructed using calls to an ideal box for evaluating f. [Diagram: the parties, holding x and y, make calls f(x’,y’), f(x’’,y’’) to the ideal box and obtain g(x,y).] f is SFE-Complete if every poly-time function g securely reduces to f. Lots of questions regarding the notion of reduction. Should it be bb?
7
SFE-Completeness [Diagram: within the polynomial-time functions f(x,y), the sets SFE-Complete and Eff-SFE.]
8
Main Result Introduce a computational criterion for completeness called Row Non-Transitivity. Main Theorem If f is Row Non-Transitive then it is SFE-Complete. If f is Row Transitive then it is in Eff-SFE unconditionally.
9
Corollary: Complete Classification
Essentially all “nice” functions are either SFE-Complete or have an efficient SFE protocol.
10
Previous Work SFE-Completeness discussed in:
[CK91, Kush92, Kil91, KMO94, BMM99, Kil00] Beimel, Chor, Kilian, Kushilevitz, Malkin, Micali, Ostrovsky Mostly studied under Information Theoretic security definitions. Strong results in form of combinatorial criteria. Most works consider functions with a constant or small domain size ( “Crypto-gates”). Avoid computational issues.
11
Insecure Minor [Beimel, Malkin & Micali 99]
A function f(.,.) is said to contain an Insecure Minor if there are inputs x0, x1, y0, y1 such that : Where b c.
12
Full characterization of Crypto-gates.
. . . Insecure Minor [BMM] If a function f(.,.) contains an insecure minor then f is SFE-complete. Otherwise f has an SFE protocol (f is “trivial”). Full characterization of Crypto-gates. Surprising “all or nothing” behavior. Also discussed computational definitions
13
What next? Completeness: functions with insecure minor still complete
Does the insecure minor characterization work for functions over a large domain? Completeness: functions with insecure minor still complete Same reduction. Unconditional SFE: ...
14
Example 1: one-to-one functions
Consider one-to-one functions. Do not contain an insecure minor. Unconditional SFE for 1-1 function f(x,y): Bob sends y to Alice. Alice calculates f(x,y). Security: given f(x,y) a simulator can find y (since f is 1-1). But the simulator might not be efficient for functions on large domain!
15
Example 2: No insecure minor but still complete
Let g be a 1-1 One-Way function. Consider the following function: f(c, y_0, y_1) = (c, y_c, g(y_{1-c})), where x = c and y = (y_0, y_1). f is 1-1 and hence has no insecure minor. Claim: f is SFE-Complete!
16
1-2-OT using SFE for f
Alice holds c; Bob holds b_0, b_1. 1. Bob chooses random y_0, y_1. 2. Call f(c, y_0, y_1); Alice receives (c, y_c, g(y_{1-c})). 3. Bob sends h(y_0) ⊕ b_0, h(y_1) ⊕ b_1. 4. Alice calculates b_c. * h is a hardcore bit of g.
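The reduction on this slide, as an added example that is not from the presentation: a toy Python run in which g is modular exponentiation over a small constructed prime, h is the Blum-Micali upper-half predicate, and masking is XOR. The parameters and all function names are assumptions; the slide only requires a 1-1 one-way g with hardcore bit h.

```python
import secrets

# Toy parameters, constructed for illustration: far too small to be one-way.
P, G = 2579, 2                      # safe prime and a generator of Z_P^*

def g(y):
    """Stand-in 1-1 one-way function: y in [0, P-2] -> G^y mod P."""
    return pow(G, y, P)

def h(y):
    """Blum-Micali 'upper half' predicate, hard-core for g at real sizes."""
    return 1 if y >= (P - 1) // 2 else 0

def ideal_f(c, y0, y1):
    """Ideal box for f(c, y0, y1) = (c, y_c, g(y_{1-c})); only Alice sees it."""
    ys = (y0, y1)
    return (c, ys[c], g(ys[1 - c]))

def bob_round(b0, b1):
    """Steps 1 and 3: Bob picks y0, y1 and masks each bit with h(y_i)."""
    y0, y1 = secrets.randbelow(P - 1), secrets.randbelow(P - 1)
    return (y0, y1), (h(y0) ^ b0, h(y1) ^ b1)

def alice_output(c, f_out, masked):
    """Step 4: Alice holds y_c in the clear, so she can strip h(y_c)."""
    _, y_c, _ = f_out
    return masked[c] ^ h(y_c)

def one_two_ot(c, b0, b1):
    """Run the reduction once; returns (Alice's bit, Alice's whole view)."""
    (y0, y1), masked = bob_round(b0, b1)
    f_out = ideal_f(c, y0, y1)          # step 2: the single call to f
    return alice_output(c, f_out, masked), (c, f_out, masked)

def unbounded_alice(view):
    """Inverting g by exhaustive search recovers b_{1-c}: because f is 1-1,
    the other bit is hidden only computationally, never information-theoretically."""
    c, (_, _, image), masked = view
    y_other = next(y for y in range(P - 1) if g(y) == image)
    return masked[1 - c] ^ h(y_other)
```

The search in `unbounded_alice` succeeds here only because the toy domain has 2578 elements; it is the same inefficient simulator that Example 1 warns about for large domains.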
17
Summary of the state in Computational Setting
Functions with Insecure Minor: SFE-Complete. Functions with no Insecure Minor: Some have trivial SFE. Some are Complete. Is there a simple characterization of SFE-Complete functions and of functions with unconditional SFE? Characterization by row non-transitivity. How do these sets relate? All or nothing behavior? All “nice” functions are either complete or have Efficient SFE.
18
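Row Non-Transitivity [Figure: table of f with column y and rows x_0, x_1; going from the row-x_0 entry to the row-x_1 entry is marked “Hard”.]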
19
Row Non-Transitivity A function f(.,.) is (Computational) Row Non-Transitive if: for some x_0, x_1 and a distribution D_y it is (somewhat) hard to calculate f(x_1, y) given x_0, x_1 and f(x_0, y) for y drawn at random from D_y (Prob < 1 - 1/poly). A function f(.,.) is (Computational) Row Transitive if: for all x_0, x_1 and y it is easy to calculate f(x_1, y) given x_0, x_1 and f(x_0, y) (Prob = 1). Note: There is a small gap between the two criteria. We must say that there is a distribution on y otherwise it is so confusing that people can understand. We should also say that hard is somewhat hard since we refer to it later.
20
Illustration of Row Non-Transitivity
[Figure: rows x_0 and x_1; computing the row-x_1 entry (“?”) from the row-x_0 entry is marked “Hard”.] May be hard in both directions… Note: A different notion than OWF. Must find specific value, not any consistent value…
21
Examples
Row Transitive: f(x,y) = y; f(x,y) = x + y; f(x,y) = x g(y). Row Non-Transitive (Computational): let g be a OWF, f(x, y) = y if x = 1, g(y) if x = 0. Under CDH assumption, p prime: f(g, y) = g^y mod p.
22
Row Non-Transitive example – information theoretic
Insecure Minor ⇒ Row Non-Transitive: y chosen uniformly from {y_0, y_1}. For every C: Pr[ C[x_0, x_1, f(x_0, y)] = f(x_1, y) ] ≤ ½
23
Main Theorem
Completeness: If a function f(.,.) is row non-transitive and efficiently computable then f is SFE-Complete. Unconditional SFE: If function f(.,.) is row transitive then f has an efficient SFE (with no further assumptions).
24
Unconditional SFE for row transitive f
Alice holds x; Bob holds y. SFE for f: Bob chooses an input x’ and sends x’, f(x’, y) to Alice. Alice calculates f(x,y). Security: Bob learns nothing. Simulating Alice’s view: choose x’ and calculate f(x’,y) from f(x,y).
25
Completeness Proof sketch
Use two rows to pass secret. Value at one row is known, the other is “unknown” (due to the row non-transitivity). This determines what secret is transferred. Technical notes: Use of GL hardcore bit. First create a weak version of OT. Use Yao XOR lemma to amplify hardness.
26
[Diagram: within the efficiently computable functions f(x,y), the regions Insecure Minor, Row Non-Transitivity, Complete and Eff-SFE.]
27
Semi Honest vs Malicious
If OWF guaranteed to exist: use GMW transformation. Properties of row non-transitive functions remain. If OWF not guaranteed: Completeness Theorem holds. Unconditional SFE: Not necessarily. Note: Complete functions are different in Info-Theoretic [BMM99] vs. [Kil00]
28
Complexity Discussion
OT exists (Cryptomania in [Impagliazzo 95]) SFE-Complete = Eff-SFE OT doesn’t exist but OWF do ( Minicrypt in [Imp95]): Minicrypt (OWF) Cryptomania (OT) ? Are there intermediate assumptions? Our results: As far as SFE goes, no additional (nice) worlds between Minicrypt & Cryptomania !
29
Possible Applications?
Framework for constructing OT protocols. Example: f(g,y) = g^y mod p. Has unconditional SFE (Alice holds g, Bob holds y): 1. Alice chooses random r. 2. Alice sends g^r. 3. Bob sends g^{ry}. 4. Alice calculates g^y = b^{1/r}. Row non-transitive under CDH assumption.
30
. . . Possible Applications?
Use reduction to construct OT (1-2-OT; Alice holds c, Bob holds b_0, b_1): 1. Alice chooses random r, g_0, g_1; Bob chooses random y. 2. Alice sends g_0, g_1, g_c^r. 3. Bob calculates z = g_c^{ry}. 4. Bob sends z, h(g_0^y) ⊕ b_0, h(g_1^y) ⊕ b_1. 5. Alice calculates g_c^y = z^{1/r} and the bit b_c. What did we get? A scheme similar to [Bellare & Micali 89]!
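Both “Possible Applications?” slides as an added example, not code from the presentation: the blinding SFE for f(g,y) = g^y mod p and the 1-2-OT built from it, over a toy prime-order subgroup with XOR masking. The group parameters, the low-bit stand-in for the hardcore bit h, and all function names are assumptions.

```python
import secrets

# Toy group, constructed for illustration: the order-Q subgroup of Z_P^*, P = 2Q + 1.
P, Q = 2579, 1289

def rand_elem():
    """Random element of order Q (a square mod P other than 1)."""
    while True:
        e = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if e != 1:
            return e

def h(elem):
    """Placeholder for the slides' hardcore bit h (assumption: low bit)."""
    return elem & 1

def sfe_exp(g, y):
    """SFE for f(g, y) = g^y mod p; returns (Alice's output, what Bob saw)."""
    r = secrets.randbelow(Q - 1) + 1              # 1. Alice chooses random r
    blinded = pow(g, r, P)                        # 2. Alice -> Bob: g^r
    reply = pow(blinded, y, P)                    # 3. Bob -> Alice: g^(ry)
    return pow(reply, pow(r, -1, Q), P), blinded  # 4. reply^(1/r) = g^y

def blinded_support(g):
    """Every value g^r can take; the same set for any g of order Q."""
    return {pow(g, r, P) for r in range(1, Q)}

def alice_request(c):
    """Steps 1-2: Alice blinds g_c with r; returns (private state, message)."""
    r = secrets.randbelow(Q - 1) + 1
    g0, g1 = rand_elem(), rand_elem()
    return (r, c), (g0, g1, pow((g0, g1)[c], r, P))

def bob_reply(msg, b0, b1):
    """Steps 1, 3, 4: Bob raises to y and masks b_i with h(g_i^y)."""
    g0, g1, blinded = msg
    y = secrets.randbelow(Q - 1) + 1
    z = pow(blinded, y, P)                        # z = g_c^(ry)
    return z, h(pow(g0, y, P)) ^ b0, h(pow(g1, y, P)) ^ b1

def alice_finish(state, reply):
    """Step 5: g_c^y = z^(1/r), then unmask the chosen bit."""
    (r, c), (z, m0, m1) = state, reply
    return (m0, m1)[c] ^ h(pow(z, pow(r, -1, Q), P))
```

`blinded_support` returns the same set for g_0 and g_1, which is why the message g_c^r tells Bob nothing about c; hiding b_{1-c} from Alice is where the CDH-based row non-transitivity is needed.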
31
Further Work ? Construct a new OT protocol using framework
Symmetric SFE Probabilistic Functionalities.
32
Further Issues : Symmetric SFE
“All or nothing” result for Boolean functions [CK89, Kil91]. Gap in information theoretic world [Kush92] Completeness for crypto-gates iff contains Imbedded Or [Kil91]: Does not hold for large domain functions! Consider the following complete function: f((c, x0, x1), (y0, y1)) = (x0 yc, x1 g(y1-c)) g one-way 1-1 function
33
Further Issues: Probabilistic functionalities
Probabilistic functionality (as opposed to deterministic functions) Some criteria for completeness in [Kil00]. Anything possible if OT exists What if no OT? Any useful weaker assumptions?
34
Summary: Showed that combinatorial criteria do not generalize to large domain functions. Introduced alternative computational criteria for completeness & triviality. Surprising “All or nothing” nature remains.
35
Thank You
36
SFE - Definition A poly-time protocol is a secure function evaluation (SFE) of a poly-time function f if: Correctness: x,y (x,y) = f(x,y) Security: There exists a PPTM S_A s.t.: {S_A(x, f(x,y))}_{x,y} ≈_c {view_A(x,y)}_{x,y}. There exists a PPTM S_B s.t.: {S_B(y)}_{x,y} ≈_c {view_B(x,y)}_{x,y}. Lots of questions regarding the notion of reduction. Should it be bb?
37
Full Definition of Row Non-Transitivity
A function f(.,.) is Computational Row Non-Transitive if there exist samplable distributions D_x, D_y and a polynomial p(.) such that for any polynomial-size C_n and all but finitely many n’s: Pr[ C_n(x_0, x_1, f(x_0, y)) = f(x_1, y) ] < 1 - 1/p(n). Probability taken over x_0, x_1 drawn from D_x and y drawn from D_y.
38
Further Issues: Probabilistic functionalities
Probabilistic functionality (as opposed to deterministic functions) Some criteria for completeness in [Kil00]. Anything possible if OT exist What if no OT? Interesting even when neither party has an input (IOS)!
39
Why the GL bit
GL(x,r) = <x, r>. Essential property: <x, r> ⊕ <x, r ⊕ e_i> = x_i. General purpose, independent of the actual function. For other hardcore predicates to work need similar properties. Lots of questions regarding the notion of reduction. Should it be bb?
40
Can the Gap be closed? Possible to narrow the gap by relaxing the definitions of SFE. Can the gap be closed altogether ? Not clear. Example: f(x,y) = y f(x,y) = OT(x,y) |y| n Too short - Low security Too long - High running time
41
Trivial Protocol in Malicious Model
The protocol: Bob sends f(x’,y) to Alice. Alice cannot cheat. Bob might send a value with no pre-image. Example: f(x,y) = g(y) What if Bob can send z such that he doesn’t know y for which z=g(y). We assume there is no OWF. Suppose Bob convinces Alice he follows the protocol. Implies ZK POK that Bob knows y. By [Ostrovsky Wigderson] this means OWF exist.
42
Possible Applications?
Provides a tool for proving easily that a function is complete. Example: f(x,y) = (x+y)^3 mod N. Factorization of N unknown. Is it complete? Trivial? Note: “almost” a permutation for x and for y. Assuming RSA is hard: f is row non-transitive ⇒ f is complete.
43
Imbedded OR [Kilian91] A function f(.,.) is said to contain an Imbedded OR if there are inputs x0, x1, y0, y1 such that : Where a b.
44
1-2 Oblivious Transfer: Alice holds c and receives b_c; Bob holds b_0, b_1.
Alice learns nothing about b_{1-c}. Bob learns nothing about c.
45
SFE-Completeness Questions
What other functions are complete? Is there a “nice” classification of all the complete functions? What functions are unconditionally in Eff-SFE (without any hardness assumptions) ? Are there functions that are neither complete nor have efficient SFE?
46
Completeness Sketch Using an SFE for f we construct a Naive-OT protocol. Naive-OT is an SFE of the function: f(c, b) = { b if c=1 if c=0 In the Semi-Honest model this is equivalent to Rabin OT & 1-2 OT.
47
Completeness Sketch: Naive-OT from SFE for f
Alice holds c; Bob holds b. 1. Bob chooses x_0, x_1, y. 2. Bob sends x_0, x_1. 3. Call f(x_c, y); Alice receives f(x_c, y). 4. Bob sends h(f(x_1, y)) ⊕ b. 5. If c=1 Alice calculates b. * h is the GL hardcore bit.
48
Security of the Protocol
Easy to argue: Bob learns nothing because he only sends messages. Should argue: Alice learns nothing if c=0, or this will contradict the hardness of the hardcore bit.
49
Technical Issues Somewhat non-standard use of the GL hardcore bit - Not a one-way function (could be hard both ways). Need “strong hardness” of function for hardcore bit proof. Our hardness definition is weak. Standard hardness amplification relies heavily on one-wayness.
50
Solutions Only claim that a GL bit is “weakly” hard
Cannot predict with probability better than 9/10. The protocol described implements a relaxed version of naive-OT that we call Weak-OT. Show how to construct OT from Weak-OT Via amplification using Yao’s Xor Lemma. This is important to the paper as well: we should say what is the property of the function h which we need and which is sufficient for our purpose. People specifically wanted to know what so special about GL.
51
Questions in the Computational Setting
Characterization by row non-transitivity. All “nice” functions are either complete or have Efficient SFE. Is there a simple characterization of SFE-Complete functions and of functions with unconditional SFE? How do these sets relate? All or nothing?
52
Semi Honest vs Malicious
If OWF guaranteed to exist: use GMW transformation. Properties of row non-transitive functions remain. Note: Does not work when SFE done by “magic” (third party, quantum, noisy channels, etc..) If OWF not guaranteed: Completeness Theorem: Semi-honest SFE of a row non-transitive f Semi-honest OT One-way functions [Impagliazzo Luby] Malicious SFE Unconditional SFE: Possible to cheat in trivial protocols?
53
… Semi Honest vs Malicious
In contrast, in the information theoretic case: The set of SFE-Complete crypto-gates is different for: Semi-Honest [BMM] Malicious [Kilian 2000] Example: Or function complete in the semi-honest world not complete in the malicious world.