Download presentation
Presentation is loading. Please wait.
1
COVERT TWO-PARTY COMPUTATION LUIS VON AHN CARNEGIE MELLON UNIVERSITY JOINT WORK WITH NICK HOPPER JOHN LANGFORD
2
HAVE YOU EVER BEEN IN LOVE BUT DIDN’T HAVE THE GUTS TO CONFRONT THE PERSON? WANTED TO BRIBE AN OFFICER? WANTED TO COLLUDE WITH ANOTHER PLAYER TO CHEAT IN A CARD GAME? WANTED TO STAGE A COUP D’ETAT TO OVERTHROW THE PRESIDENT? INFILTRATED A TERRORIST CELL?
3
F( , ) TWO-PARTY COMPUTATION COVERT ALLOWS TWO PARTIES WITH SECRET INPUTS X AND Y TO LEARN F(X,Y) BUT NOTHING ELSE F( , ) PARTY 1PARTY 2 XY F(X,Y)
4
F(X,Y) = 1 IF X>Y 0 OTHERWISE $45 MILLION$32 MILLION F(X,Y)=1 LET’S NOT GET MARRIED JENBEN
5
BRITNEY SPEARS I DON’T WANT HIM TO KNOW THAT I LIKE HIM UNLESS HE LIKES ME TOO! I LIKE HIM, BUT I’M SHY! WHAT SHOULD I DO? ME
6
WE’LL USE TWO- PARTY COMPUTATION IF HE DOESN’T, THEN F(X,Y) = 0 SO HE WON’T KNOW THAT I LIKE HIM IF HE LIKES ME, WE WILL BOTH FIND OUT 1 MEANS “YES” 0 MEANS “NO” IF X,Y ARE BITS, LET F(X,Y) = X AND Y LET’S FIGURE OUT IF WE LIKE EACH OTHER
7
COVERT TWO-PARTY COMPUTATION AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS EXTERNAL COVERTNESS INTERNAL COVERTNESS NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL
8
THE WAR ON TERROR I GUESS I CAN USE MY BAZOOKA HAVE YOU SEEN MY AK-47? YOU LEFT IT NEXT TO MY GRENADES THE AXIS OF EVIL SHALL PREVAIL! MI-6 AGENT CIA AGENT HE WORKS FOR CIA HE WORKS FOR MI-6
9
THE WAR ON TERROR HE WORKS FOR CIA HE WORKS FOR MI-6 THE UTTERANCES CONTAINED A COVERT TWO-PARTY COMPUTATION THE FUNCTION F VERIFIED THE CREDENTIALS SINCE BOTH WERE VALID, IT OUTPUT 1 K X WAS A CREDENTIAL SIGNED BY CIA AND Y WAS SIGNED BY MI-6 FOR ANY OTHER INPUTS, F OUTPUTS A RANDOM VALUE
10
COVERT TWO-PARTY COMPUTATION AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS EXTERNAL COVERTNESS INTERNAL COVERTNESS NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL CANNOT BE DONE WITH STANDARD TWO-PARTY COMPUTATION
11
WHO KNOWS WHAT? WE ASSUME THAT BOTH PARTIES KNOW THE FUNCTION THEY WISH TO EVALUATE BOTH KNOW WHICH ROLE THEY ARE TO PLAY IN THE EVALUATION BOTH KNOW WHEN TO START COMPUTING
12
ORDINARY COMMUNICATION MESSAGES ARE DRAWN FROM A SET D TIME PROCEEDS IN DISCRETE TIMESTEPS EACH PARTY MAINTAINS A HISTORY h OF ALL DOCUMENTS THEY SENT AND RECEIVED TO EACH PARTY P, WE ASSOCIATE A FAMILY OF PROBABILITY DISTRIBUTIONS ON D: {B h P }
13
P1P2 h P1 D 1 ← B P1 h P1 h P2 D 2 ← B P2 h P2 h P1 = h P1 + (D 1,D 2 )h P2 = h P2 + (D 2,D 1 ) D ’ 1 ← B P1 h P1 ← B P2 h P2 D1D1 D2D2 D’1D’1 t0t0 t1t1
14
WE ASSUME THAT DDH IS HARD: GIVEN g x, g y PARTIES CAN’T EFFICIENTLY DISTINGUISH g xy FROM g z
15
WE SHOW THAT COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST HONEST-BUT-CURIOUS ADVERSARIES IN THE RO MODEL, FAIR COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST MALICIOUS ADVERSARIES
16
ROADMAP USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM 1 2
17
BASIC-ENCODE INPUT: H H, TARGET C, BOUND K LET J = 0 REPEAT: SAMPLE S ← D, INCREMENT J UNTIL H(S) = C OR J > K OUTPUT: S LET D BE A DISTRIBUTION ON D AND H BE A PAIRWISE INDEPENDENT FAMILY OF HASH FUNCTIONS ALLOWS SENDING C ENCODED IN SOMETHING THAT COMES FROM D UNIFORM PROPER SIZE ENOUGH MIN ENTROPY … THEN THE DISTRIBUTION ON S IS STA- TISTICALLY INDISTINGUISHABLE FROM D IF
18
OOPS! I DID IT AGAIN 001 LOOKS UNIFORM BASIC-ENCODEBASIC-ENCODE LOOKS NORMAL
19
ROADMAP USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM 1 2
20
COVERT OBLIVIOUS TRANSFER IT IS POSSIBLE TO MODIFY AN OBLIVIOUS TRANSFER SCHEME BY NAOR AND PINKAS SO THAT ALL MESSAGES ARE INDISTINGUI- SHABLE FROM UNIFORM RANDOM BITS OT UNIFORM
21
THE MODIFIED NAOR-PINKAS OT PLUGGED INTO YAO’S “GARBLED CIRCUIT” GIVES A SCHEME WITH MESSAGES THAT ARE INDISTINGUISHABLE FROM UNIFORM + YAO OT
22
F(X,Y)=1 OOPS! MALLICIOUS ADVERSARIES CAN BREAK THIS PROTOCOL YOU’RE SO SMART BRITNEY! MATH IS FUN! WE CANNOT SIMPLY USE ZK TO FIX IT
23
THE END
24
COMPETITOR COOPERATION TWO COMPETING ONLINE RETAILERS ARE COMPROMISED BY A HACKER NEITHER CAN CATCH THE HACKER BY THEMSELVES HOWEVER, NEITHER WILL ADMIT THAT THEY WERE HACKED UNLESS THE OTHER WAS HACKED TOO
25
PARTY P CAN DRAW FROM B P h FOR ANY PLAUSIBLE h ADVERSARY KNOWS B P h FOR ANY P, h WE ASSUME THAT DDH IS HARD: GIVEN g x, g y PARTIES CAN’T EFFICIENTLY DISTINGUISH g xy FROM g z
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.