Presentation is loading. Please wait.

Presentation is loading. Please wait.

Input-Indistinguishable Computation Silvio MicaliMIT Rafael PassCornell Alon RosenHarvard.

Published bySpencer Willis Modified over 9 years ago

Similar presentations

Presentation on theme: "Input-Indistinguishable Computation Silvio MicaliMIT Rafael PassCornell Alon RosenHarvard."— Presentation transcript:

1 Input-Indistinguishable Computation Silvio MicaliMIT Rafael PassCornell Alon RosenHarvard

2 Definitions vs. Protocols Crypto in the 20 th century – protocols -> definitions Crypto in the 21 st century – definitions -> protocols This talk: New definition (input-indistinguishable computation) 1.For secure two-party computation (malicious). 2.Definition is “ simulation free. ” 3.Inspired by witness indistinguishability. New protocol 1.Concurrency without trusted set-up. 2.Standard complexity assumptions. Our motivation is “ protocol driven. ’’ We do not achieve “ holy grail ” of cryptography (yet) … x x

3 To reach balance: 1.Establish feasibility. 2.Improve efficiency. 3.Weaken hardness assumption. See if can satisfy a stronger definition (stronger adversary)... Modern Crypto Methodology Need to convince that: 1.Definition is meaningful. 2.Adversary is realistic. 3.Assumption is reasonable. Delicate balance Define security (what it means to break the scheme). Specify adversary in terms of: 1.computational power, 2.access to scheme. Construct scheme and prove that breaking it implies solving (assumed) computationally hard problem (e.g. factoring).

4 YES WELL… If you believe Factoring/DL are hard. IDEAL REAL  PPT B*   PPT S Secure Two-Party Computation Alic e Bob 1.Is definition meaningful? 2.Is adversary realistic? 3.Is assumption reasonable? … Theorem [Yao, GMW,Kil]: Assuming OT protocol, every efficient two-party function can be securely computed.

5 1.Is definition meaningful? 2.Is adversary realistic? 3.Is assumption reasonable? IDEAL REAL  UC/General/Self Composition [C,L03,L04] A B A A A A B B B A B A A A A B B B YES Maybe, if we just had a protocol… Theorem [CKL, L03, L04]: For most “interesting’’ functions definitions of UC/General/Self composition cannot be achieved.

6 Theorems [CLOS, BCNP, CDPW]: Assuming OT, every efficient two-party function can be securely (UC) computed with some form of trusted set-up. Reference String 1.Meaningful? 2.Realistic? IDEAL REAL  Set-Up Assumptions B A A A B B A A A B

7 YES in many cases [BS] very sensitive to security parameters [PS] non-standard assumptions Theorems [PS,BS]: Assuming subexp-hardness (and OT), every eff. two-party function can be securely computed with quasi-poly simulator. IDEAL REAL  Super-Polynomial Time Simulation [P03] A B A A A A B B B A B A A A A B B B  PPT B*  P super PT S 1.Is definition meaningful? 2.Is adversary realistic? 3.Is assumption reasonable?

8 Super-polynomial time simulation (SPS) is very appealing: 1. Yields meaningful security guarantee. 2. Handles a realistic adversary. 3. Has the potential of being realized a. Under standard assumptions. b. Without constraints on security parameters. But coming up with such a protocol is still open. We give a definition that can be realized: a.Under standard assumptions. b.Without constraints on security parameters. c.In face of unbounded number of concurrent executions. Definition: Any protocol (A,B) is secure. Super-Polynomial Time Simulation d. Is (arguably) meaningful for many interesting functions. e. May lead to solution that admits unbounded simulation.

9 ALL inputs of A compatible with output of B* “EQUALLY LIKELY” To distinguish x 0,x 1 must use y* s.t. F(x 0,y*) ≠ F(x 1,y*) 1.Trivial if single-input per output 2.Generalization of Witness-Indist [FS90] Input-Indistinguishable Computation 1. Correctness. 2. Input-Independence 3. Input-Indistinguishability Privacy What is y*? Implicit input function IN(view B* ) = y* Consider 1.honest A with input x 2.malicious B* with input y 3.B* should get output.

10 Witness Indistinguishability [FS90] Prover Verifier view(w) = V*’s view of the interaction when P uses w Witness Indistinguishability: for  PPT V*,  w 0, w 1 view(w 0 )  view(w 1 ) WI property “well-behaved’’ under concurrent composition

11 Interactive Proofs vs. Two-Party Computation V* has no inputB* has input y V* output is 0/1B* output is F(x,y*) P input “hard” to computeA input can be finite P V* A B*

12 Implicit Input Function Implicit input function IN B : 1.defined on B*’s view of the interaction. 2.Wlog view depends only on x and on randomness of A 3.Well defined for all possible views. Notation: for  PPT B*,  x y* <- IN B (view(x)) Consistency: Output of A = F(x,y*) Output delivery message: there exists a round in protocol s.t. 1.Implicit input is fully defined from view so far, but 2.no “information’’ about output has been released yet. Implicit input and output round are implicit in ideal/real like definitions, but not required explicitly!

13 Input-Indistinguishable Computation (A,B) securely computes F w.r.t A if  implicit input function IN B s.t. Completeness: in honest execution of (A,B) inputs = x,y  output = F(x,y) Input-Independence: for  PPT B*,  x 0, x 1 IN B (view(x 0 ))  IN B (view(x 1 )) Input-Indistinguishability: for  PPT B*,  x 0, x 1 y* <- IN B (view) B* can only “distinguish” x 0 and x 1 when F(x 0,y*) ≠ F(x 1,y*) B* received output in the protocol

14 Input-Indistinguishable Computation (A,B) securely computes F w.r.t A if  implicit input function IN B s.t. Completeness: in honest execution of (A,B) inputs = x,y  output = F(x,y) Input-Indist. and Indep.: For  PPT B*,  x 0, x 1 Expt 0 (x 0, x 1 )  Expt 1 (x 0, x 1 ) Expt i (x 0,x 1 ): view  view of B* in execution with A(x i ) y*  IN B (view) If output = true and F(x 0,y*) ≠ F(x 1,y*)  Otherwise (y*,view)

15 Example Oblivious transfer function. F((s 0,s 1 ),c) = s c (So x= (s 0,s 1 ) and y=c.) Input independence: c is (computationally) independent of (s 0,s 1 ). Input indistinguishability: Given s c* as output, and view((s 0,s 1 )), the input s 1-c* could take any value. Very meaningful.

16 Concurrent Input Indistinguishable Computation (A,B) securely computes F w.r.t A if  implicit input function IN B s.t. Completeness: in honest execution of (A,B) inputs = x,y  output = F(x,y) Concurrent Inp-Indist. and Indep.: For  PPT B*,  x 0, x 1 Expt 0 (x 0, x 1 )  Exp 1 (x 0, x 1 ) Basic Concurrency: 1.Same Protocol (self composition) 2.  fixed inputs sequences 3.Can be extended to handle arbitrary corruptions.

17 Composibility Unlike WI (and UC) input-indistiguishability does not compose in general. There exist protocols that are 1.stand-alone input indistinguishable, but 2.not concurrent input indistinguishable (even for two executions). The problem is the potential malleability of (A,B). Any solution must take malleability into consideration. Turns out that insuring non-malleability is sufficient!

18 Main Theorem Theorem: Suppose there exist (trapdoor) claw-free permutations. Then for any efficient 2-party function F, there exists a concurrent input-indistinguishable protocol for computing F. Trapdoor claw-free permutations: 1.Required for OT, CRH, perfectly hiding commitments. 2.Follow from hardness of Factoring/DL.

19 Yao’s protocol secure against honest-but-curious. Compile a’ la GMW, but: 1.Instead of normal ZK, NMZK protocols of [P04][PR05] 1.Instructions of NMZK depend on identity of prover. 2.Different provers have different identities. 2.Provable Determinism [LMS04]: once first message sent, only one possible continuation (except for ZK). 3.And some more… Let (A,B) denote resulting protocol. High-Level Idea of Protocol

20 Lemma: (A,B) is (stand-alone) ideal/real secure. Lemma: Stand-alone ideal/real -> stand-alone inp.-ind. 1.Implicit input is the value fed to trusted party. 2.Requires augmenting outputs of ideal/real w/ input of B*. 3.Relies on existence of output delivery message. 4.B*,D breaking inp.-ind. -> B**,D breaking ideal/real. Lemma: (A,B) stand-alone inp.-ind. -> (A,B) conc. inp.-ind. 1.Implicit inputs same as in stand-alone. 2.Interplay between Hybrid argument and Simulation 3.Mixture of Black-box and Non black-box [PR05]. Analysis

21 One-many Simulation-Extractable ZK [PR05] B* Left interaction: simulate only one ZK execution. Right interaction: concurrently extract witnesses from many executions. ZK ID ZK ID2 ~ ZK ID1 ~ ZK IDm ~ ww ~ wmwm ~ ww ~ S

22 (view,y*) Concurrent -> Stand-Alone Assume existence of concurrent adversary B*, and x, x s.t. corresponding EXPT can be distinguished. Construct B** that violates stand-alone inp.-ind. Of (A,B). B* x2x2 x1x1 xmxm x1x1 x2x2 xmxm   -

23 Concurrent -> Stand-Alone M xixi x1x1 or x i xmxm Using a hybrid argument. Only need to simulate the ZK proof in the ith execution. Requires to extract all y*. B**

24 Comparison Meaningful definition Realistic adversary Reasonable assumption Stand-Alone YESNOYES UC YES NO SPS [BS] YES* potential YES*YES This work YES**YES

25 Summary Zero-knowledge (simulation paradigm) seems to have “ hit the wall ” with respect to protocol composition. Maybe [Goldreich Micali Wigderson87] has made us “ too ambitious …” Perhaps we should 1.Give up in meaningfulness of definitions. a)Super polynomial-time simulators [P03, PS04, BS05]. b)Based on indistinguishability [FS90]. 2.Give up in generality of definitions. a)Be meaningful only in specific cases. b)Secure protocols for specific tasks [PR05,BPS06].

26 Thank You!

Download ppt "Input-Indistinguishable Computation Silvio MicaliMIT Rafael PassCornell Alon RosenHarvard."

Similar presentations

Dov Gordon & Jonathan Katz University of Maryland.

Dov Gordon & Jonathan Katz University of Maryland.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Muthuramakrishnan Venkitasubramaniam WORKSHOP: THEORY AND PRACTICE OF SECURE MULTIPARTY COMPUTATION Adaptive UC from New Notions of Non-Malleability Adaptive.

Muthuramakrishnan Venkitasubramaniam WORKSHOP: THEORY AND PRACTICE OF SECURE MULTIPARTY COMPUTATION Adaptive UC from New Notions of Non-Malleability Adaptive.
1 Vipul Goyal Microsoft Research India Non-Black-Box Simulation in the Fully Concurrent Setting.

1 Vipul Goyal Microsoft Research India Non-Black-Box Simulation in the Fully Concurrent Setting.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
Survey: Secure Composition of Multiparty Protocols Yehuda Lindell Bar-Ilan University.

Survey: Secure Composition of Multiparty Protocols Yehuda Lindell Bar-Ilan University.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.
Nir Bitansky and Omer Paneth. Interactive Proofs.

Nir Bitansky and Omer Paneth. Interactive Proofs.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Similar presentations

Ads by Google