Presentation is loading. Please wait.

Presentation is loading. Please wait.

COVERT TWO-PARTY COMPUTATION LUIS VON AHN CARNEGIE MELLON UNIVERSITY JOINT WORK WITH NICK HOPPER JOHN LANGFORD.

Similar presentations


Presentation on theme: "COVERT TWO-PARTY COMPUTATION LUIS VON AHN CARNEGIE MELLON UNIVERSITY JOINT WORK WITH NICK HOPPER JOHN LANGFORD."— Presentation transcript:

1 COVERT TWO-PARTY COMPUTATION LUIS VON AHN CARNEGIE MELLON UNIVERSITY JOINT WORK WITH NICK HOPPER JOHN LANGFORD

2 HAVE YOU EVER BEEN IN LOVE BUT DIDN’T HAVE THE GUTS TO CONFRONT THE PERSON? WANTED TO BRIBE AN OFFICER? WANTED TO COLLUDE WITH ANOTHER PLAYER TO CHEAT IN A CARD GAME? WANTED TO STAGE A COUP D’ETAT TO OVERTHROW THE PRESIDENT? INFILTRATED A TERRORIST CELL?

3 F( ,  ) TWO-PARTY COMPUTATION COVERT ALLOWS TWO PARTIES WITH SECRET INPUTS X AND Y TO LEARN F(X,Y) BUT NOTHING ELSE F( ,  ) PARTY 1PARTY 2 XY F(X,Y)

4 F(X,Y) = 1 IF X>Y 0 OTHERWISE $45 MILLION$32 MILLION F(X,Y)=1 LET’S NOT GET MARRIED JENBEN

5 BRITNEY SPEARS I DON’T WANT HIM TO KNOW THAT I LIKE HIM UNLESS HE LIKES ME TOO! I LIKE HIM, BUT I’M SHY! WHAT SHOULD I DO? ME

6 WE’LL USE TWO- PARTY COMPUTATION IF HE DOESN’T, THEN F(X,Y) = 0 SO HE WON’T KNOW THAT I LIKE HIM IF HE LIKES ME, WE WILL BOTH FIND OUT 1 MEANS “YES” 0 MEANS “NO” IF X,Y ARE BITS, LET F(X,Y) = X AND Y LET’S FIGURE OUT IF WE LIKE EACH OTHER

7 COVERT TWO-PARTY COMPUTATION AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS EXTERNAL COVERTNESS INTERNAL COVERTNESS NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL

8 THE WAR ON TERROR I GUESS I CAN USE MY BAZOOKA HAVE YOU SEEN MY AK-47? YOU LEFT IT NEXT TO MY GRENADES THE AXIS OF EVIL SHALL PREVAIL! MI-6 AGENT CIA AGENT HE WORKS FOR CIA HE WORKS FOR MI-6

9 THE WAR ON TERROR HE WORKS FOR CIA HE WORKS FOR MI-6 THE UTTERANCES CONTAINED A COVERT TWO-PARTY COMPUTATION THE FUNCTION F VERIFIED THE CREDENTIALS SINCE BOTH WERE VALID, IT OUTPUT 1 K X WAS A CREDENTIAL SIGNED BY CIA AND Y WAS SIGNED BY MI-6 FOR ANY OTHER INPUTS, F OUTPUTS A RANDOM VALUE

10 COVERT TWO-PARTY COMPUTATION AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS EXTERNAL COVERTNESS INTERNAL COVERTNESS NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL CANNOT BE DONE WITH STANDARD TWO-PARTY COMPUTATION

11 WHO KNOWS WHAT? WE ASSUME THAT BOTH PARTIES KNOW THE FUNCTION THEY WISH TO EVALUATE BOTH KNOW WHICH ROLE THEY ARE TO PLAY IN THE EVALUATION BOTH KNOW WHEN TO START COMPUTING

12 ORDINARY COMMUNICATION MESSAGES ARE DRAWN FROM A SET D TIME PROCEEDS IN DISCRETE TIMESTEPS EACH PARTY MAINTAINS A HISTORY h OF ALL DOCUMENTS THEY SENT AND RECEIVED TO EACH PARTY P, WE ASSOCIATE A FAMILY OF PROBABILITY DISTRIBUTIONS ON D: {B h P }

13 P1P2 h P1 D 1 ← B P1 h P1 h P2 D 2 ← B P2 h P2 h P1 = h P1 + (D 1,D 2 )h P2 = h P2 + (D 2,D 1 ) D ’ 1 ← B P1 h P1  ← B P2 h P2 D1D1 D2D2 D’1D’1 t0t0 t1t1

14 WE ASSUME THAT DDH IS HARD: GIVEN g x, g y PARTIES CAN’T EFFICIENTLY DISTINGUISH g xy FROM g z

15 WE SHOW THAT COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST HONEST-BUT-CURIOUS ADVERSARIES IN THE RO MODEL, FAIR COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST MALICIOUS ADVERSARIES

16 ROADMAP USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM 1 2

17 BASIC-ENCODE INPUT: H  H, TARGET C, BOUND K LET J = 0 REPEAT: SAMPLE S ← D, INCREMENT J UNTIL H(S) = C OR J > K OUTPUT: S LET D BE A DISTRIBUTION ON D AND H BE A PAIRWISE INDEPENDENT FAMILY OF HASH FUNCTIONS ALLOWS SENDING C ENCODED IN SOMETHING THAT COMES FROM D UNIFORM PROPER SIZE ENOUGH MIN ENTROPY … THEN THE DISTRIBUTION ON S IS STA- TISTICALLY INDISTINGUISHABLE FROM D IF

18 OOPS! I DID IT AGAIN 001 LOOKS UNIFORM BASIC-ENCODEBASIC-ENCODE LOOKS NORMAL

19 ROADMAP USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM 1 2

20 COVERT OBLIVIOUS TRANSFER IT IS POSSIBLE TO MODIFY AN OBLIVIOUS TRANSFER SCHEME BY NAOR AND PINKAS SO THAT ALL MESSAGES ARE INDISTINGUI- SHABLE FROM UNIFORM RANDOM BITS OT UNIFORM

21 THE MODIFIED NAOR-PINKAS OT PLUGGED INTO YAO’S “GARBLED CIRCUIT” GIVES A SCHEME WITH MESSAGES THAT ARE INDISTINGUISHABLE FROM UNIFORM + YAO OT

22 F(X,Y)=1 OOPS! MALLICIOUS ADVERSARIES CAN BREAK THIS PROTOCOL YOU’RE SO SMART BRITNEY! MATH IS FUN! WE CANNOT SIMPLY USE ZK TO FIX IT

23 THE END

24 COMPETITOR COOPERATION TWO COMPETING ONLINE RETAILERS ARE COMPROMISED BY A HACKER NEITHER CAN CATCH THE HACKER BY THEMSELVES HOWEVER, NEITHER WILL ADMIT THAT THEY WERE HACKED UNLESS THE OTHER WAS HACKED TOO

25 PARTY P CAN DRAW FROM B P h FOR ANY PLAUSIBLE h ADVERSARY KNOWS B P h FOR ANY P, h WE ASSUME THAT DDH IS HARD: GIVEN g x, g y PARTIES CAN’T EFFICIENTLY DISTINGUISH g xy FROM g z


Download ppt "COVERT TWO-PARTY COMPUTATION LUIS VON AHN CARNEGIE MELLON UNIVERSITY JOINT WORK WITH NICK HOPPER JOHN LANGFORD."

Similar presentations


Ads by Google