Presentation is loading. Please wait.

Presentation is loading. Please wait.

1/48 Round-Optimal Secure Two-Party Computation Jonathan Katz U. Maryland Rafail Ostrovsky U.C.L.A.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1/48 Round-Optimal Secure Two-Party Computation Jonathan Katz U. Maryland Rafail Ostrovsky U.C.L.A."— Presentation transcript:

1 1/48 Round-Optimal Secure Two-Party Computation Jonathan Katz U. Maryland Rafail Ostrovsky U.C.L.A.

2 2/48 Motivation Round complexity is a central measure of protocol efficiency. Minimizing the number of rounds is often important in practice. Lower and upper bounds have deepened our understanding of various tasks…

3 3/48 For example… ZK [FS89, GO94, GK96a, GK96b, BLV03, etc.], NIZK [BFM88, etc.], WI [FS89,DN00,BOV03] Concurrent ZK [DNS98, KPR01, CKPR01, PRS02] Commitment, identification schemes, … … 2-party and multi-party computation [BMR90, IK00, GIKR01, L01, KOS03, etc.]

4 4/48 This work We concentrate on secure two-party computation –Encompasses many functionalities of independent interest (e.g., ZK) –Important “special case” of MPC without honest majority Interestingly, exact round complexity of 2PC was not previously known!

5 5/48 This work (1) We exactly characterize black-box round complexity of secure 2PC! THM1: Impossibility result for any black-box 4-round coin-tossing (also XOR, other functionalities…)

6 6/48 This work (2) THM2: 5-round secure 2PC protocol for any functionality, based on trapdoor perms* (e.g. RSA, Rabin) or Homomorphic Encryption (e.g. DDH).

7 7/48 This work (3) THM3: 5-round secure 2PC protocol an adaptive adversary corrupting any one party without erasure in 5 rounds.

8 8/48 Prior work (2PC) Honest-but-curious setting –4 rounds using trapdoor perms. [Yao86] –3 rounds using number-theoretic assumptions (optimal) [Folklore] Malicious case –“Compiler” for any protocol secure in honest-but-curious setting [GMW87] –Round complexity?

9 9/48 Round complexity of 2PC? Upper bounds –O(k) rounds [GMW87] –O(1) rounds [Lindell01] Unspecified, but roughly 20-30 rounds Lower bounds (black-box) –No 3-round ZK [GK96] –No 3-round coin-tossing [Lindell01]

10 10/48 Security definition We use the standard definitions of [GMW87, GL90, MR91, Ca00]

11 11/48 Theorem 1 No secure (black-box) 4-round protocol for flipping  (log k) coins –This rules out 4-round protocols for other functionalities as well (e.g., XOR) (Note: 3-round protocols for O(log k) coins do exist [Bl82, GMW87]) Details: see paper!

12 12/48 THM2: A 5-round protocol for secure two-party computation (for malicious adversary) We construct a 5-round protocol where we “force”’ good behavior on both sides and can “simulate” malicious Adv view from both sides…

13 13/48 Somewhat easier task [folklore]: k-round with one player learning the output  (k+1)-round with both players learning the outputs the output in the k th round includes encrypted and MAC’ed output for other player. SO: we need a 4-round protocol where, say, player 1 gets the output.

14 14/48 observation It suffices to consider deterministic functionalities. Rest of the talk: we show a 4-round protocol tolerating malicious players where player 1 learns the output.

15 15/48 Rest of the talk 3-round protocol for semi-honest players Background tools Some of our new techniques Our 4-round protocol (if time permits) Proof of security (if time permits) Modifications needed for Dynamic Adv. Conclusions.

16 16/48 Recall: 1-2-OT [EGL] Sender has (v 0, v 1 ); Receiver has b, 1-2-OT: Receiver gets v b Sender gets nothing

17 17/48 Semi-honest 1-2-OT [EGL,GMW] 1.S: generate td perm. (f, f -1 ); send f 2.R: y b = f(z b ), y 1-b rand; send (y 0, y 1 ) 3.S: send u i = h(f -1 (y i ))  v i, for i=0,1 4.R computes v b = h(z b )  u b Note: extends easily for strings in semi-honest setting

18 18/48 Yao’s “garbled circuit” Algorithms (Y 1, Y 2 ) s.t.: –Y 1 (y) outputs “circuit” C, input-wire labels {Z i,b }, –[C “represents” F(.,y)] –Y 2 (C, Z 1,x 1, …, Z k,x k ) outputs v Correctness: v = F(x, y)

19 19/48 3-round semi-honest 2PC 1.Player 2 sends Yao’s C, f for OT 2.Player 1 sends OT pairs {(y i,0, y i,1 )} 3.Player 2 sends {(u i,0, u i,1 )} to Player 1. Player 1 recovers v.

20 20/48 Malicious 2PC? Standard method [GMW87] increases round-complexity: –Coin tossing into the well to fix random tapes of players; –Players commit to their inputs; –ZK arguments of correctness after every round; High round complexity of compilation

21 21/48 Malicious 2PC in 4 rounds Our goal: do everything in 4 rounds, (player 1 gets the output) forcing “good” behavior from both sides! Intuition: do everything “as early as possible” but …things “don’t fit” – we need new tricks to cram it all.. Surprise: we must “delay” proofs to make it work.

22 22/48 Reminder:3-Round WI proofs [FS] P claims that graph G has a HC P  V: commit n cycle graphs C 1..C n V  P: random n-bit string Q P  V: for each bit of Q, either –open entire matrix C i OR –show perm of G onto C i open non-edges of G in C i.

23 23/48 OBSERVATION Graph G can be determined in the last round. –IF G is determined in the 1 st round  this is WI proof of knowledge –IF G is determined in the 3 rd round  this is only a WI proof, but it is still sound!

24 24/48 NEW PROPERTIES FOR 3- ROUND WI-PROOF Player1 Round1 ST1 Player2 round2 Round3: ST2 ST1 & ST2

25 25/48 Next: [FS] 4-round ZK Q can we get similar result for [FS] 4- round ZK argument?

26 26/48 [FS] 4-round ZK argument: 2 interleaved WI-proofs Verifier round1 Prover round2 round3 round4

27 27/48 [FS] 4-round ZK-argument 2 interleaved WI proofs: P  V: gives y 1,y 2 s.t. f(a 1 )=y 1,f(a 2 )=y 2 and WI proof of this fact (3 rounds) P  V: WI proof of witness w that x is in L or w is one of the a’s (starting on the 2 nd round). Total of 4 rounds. Proof of knowledge; also ZK.

28 28/48 New FS properties needed: Observation: In FS, prover needs to determine the statement in the second round. Goal: to defer parts of statement to last (4 th ) round. Previous ideas are not sufficient…

29 29/48 Technical lemma - we extend [FS] to FS’ so that: FS’ is a 4-round Zero-knowledge argument where statements can be “Postponed”. FS’ define conjunctive parts of statement in the second round (with knowledge extraction) and part of statement in the 4 th round (without extraction but still sound!) It is of independent interest (requires equivocal commitment, some other tools)

30 30/48 [FS] 4-round ZK argument: 2 interleaved WI-proofs Verifier Round1 Prover round2Det. ST1 round3 round4 Proof: ST 1 & ST 2 Det. ST2

31 31/48 OUR PROTOCOL PROOF-FLOWS Player1 round1 Player2 round2FS’: ST1 Round3: ST-WI round4FS’: ST2

32 32/48 Simulation on both sides? we need more tools… Malicious player 2 gains nothing by using non-random tape in Yao. Player 1 cannot freely choose his random tape, but full-blown coin-tossing is not necessary (i.e., we don’t need simulatability on both sides) Player 2 has to commit Yao’s garbled circuit in round 2, but the simulator need to open it arbitrary, so use equivocal comm.

33 33/48 Equivocal commitments (Informal): in real execution, sender committed to a single value; in simulation, can open arbitrarily Construction: Equiv(b) = Com(b 0 ), Com’(b 1 ) ZK argument that b 0 = b 1 Open by opening either b 0 or b 1 Can “fold” ZK argument into larger statement already used in 4 th round of FS’

34 34/48 And now… the 4-round protocol… (only 4 slides, 1 msg per slide)

35 35/48 Round 1: P1(x)  P2(y) P1 commits {(r i,0, r i,1 )}; (random) starts 3-round WI PoK of either r i,0 or r i,1 ; Starts FS’ 1 (statement TBA by P2 partly in round 2, partly in round 4)

36 36/48 Round 2: P1(x)  P2(y) P2 Sends challenge for WI PoK P2 Sends trapdoor perm {f i,b } for OT, and random values {r’ i,b }; P2 commits to input-wire labels for Yao Equiv. commitment to Yao’s garbled C(y); FS’ 2 (proving correctness as part of the statement), part to be determined now, part in fourth round

37 37/48 Round 3: P1(x)  P2(y) For each bit i of input x, set (for OT): –y i,x i = f i,x i (z); –y i, 1-x i = r i,1-xi  r’ i,1-xi ; WI PoK (final round 3), where the statement includes the fact that one of y’s is correctly computed for each i. FS’ (round 3)

38 38/48 Round 4: P1(x)  P2(y) Complete OT (i.e. P2 inverts f’s and xor’s with Yao’s input wires), sends these to P1 FS’ final (4 th) round, where P2 proves correctness of all its steps, including OT of this round. P2 Decommits equiv-commit of Yao’s circuit, so that P1 can compute!

39 39/48 SIMULATION FOR CHEATING P2 Simulating view of ADV-P2 interacting with SIM1

40 40/48 SIM  ADV-P2 SIM commits {(r i,0, r i,1 )}; (random) starts 3-round WI PoK of either r i,0 or r i,1 ; Starts FS’ 1 (statement TBA by P2 partly in round 2, partly in round 4) Easy to simulate, we don’t need to know x.

41 41/48 Round 2: SIM  ADV-P2 Sends whatever it wants to SIM

42 42/48 Round 3: SIM  ADV-P2 For each bit i of input x, set (for OT): –y i,x i = r i,xi  r’ i,xi ; –y i, 1-x i = r i,1-xi  r’ i,1-xi ; PoK (final round 3), is easy, since it’s a true statement by the simulator. FS’ (round 3) (play honestly)

43 43/48 Round 4: SIM  ADV-P2 Sends whatever it wants. If all valid, we re-wind, and extract y (using the fact that the msg commitment in the second round is a proof of knowledge, so we can extract) Now, send y to the trusted party and we are done, and player 1 gets his output.

44 44/48 SIMULATION FOR CHEATING P1 (simulating view of ADV-P1 interacting with the SIM2)

45 45/48 ADV-P1  SIM Sends whatever it wants

46 46/48 ADV-P1  SIM SIM send to P1 trapdoor perm {f i,b } for OT, and random values {r’ i,b }; as before SIM commits to garbage (instead of input-wire labels for Yao) SIM equiv. commitment to garbage (instead of Yao’s garbled C(y); ) For FS’ 2 use ZK simulator (proving correctness as part of the statement), part to be determined now, part in fourth round

47 47/48 Round 3: ADV-P1  SIM Adv sends whatever it wants

48 48/48 ADV-P1  SIM If all proofs in 3 rd round are OK,rewinds and extracts half of r’s from first round After extraction, can get ADV-P1 OT input values, this defines his input x. Send x to trusted party, get the output. (cont on next slide)

49 49/48 ADV-P1  SIM Now, simulate the Yao’s circuit, and de-comment equivocal commitment of Yao as needed, and prepare OT answers as needed. Continue using ZK simulator for FS’

50 50/48 Handling adaptive adversaries

51 51/48 Overview No erasure of [BH]. Use adaptively-secure encryption to encrypt each round (a la [CFGN96]) –We avoid expensive key-generation phase (using stronger assumptions: –Assume simulatable cryptosystem [Damgard- Nielsen 2000] –Maintain round complexity by not encrypting the first round

52 52/48 Adaptively-secure encryption To encrypt a single bit v: –Receiver generates {(pk i,b )} but only knows secret key for one of each pair –Sender computes {(C i,b )} where, in each pair, one ciphertext is random and one is an encryption of v –Receiver decrypts using keys he knows; takes majority

53 53/48 CONCLUSIONS FOR BB-simulation, we completely closed 2-party round-complexity: (both upper and lower bounds =5) for ANY 2-party computation! Gap for non-BB-simulation: either 4 or 5 rounds (we need at least 4 rounds even for non-BB), but 4 or 5 is still open…

Download ppt "1/48 Round-Optimal Secure Two-Party Computation Jonathan Katz U. Maryland Rafail Ostrovsky U.C.L.A."

Similar presentations

Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.

Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.

Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Similar presentations

Ads by Google