1/48 round-optimal secure two-party computation jonathan katz u. maryland rafail ostrovsky u.c.l.a
Post on 20-Dec-2015
216 views
TRANSCRIPT
2/48
Motivation
• Round complexity is a central measure of protocol efficiency.
• Minimizing the number of rounds is often important in practice.
• Lower and upper bounds have deepened our understanding of various tasks…
3/48
For example…• ZK [FS89, GO94, GK96a, GK96b, BLV03, etc.],
NIZK [BFM88, etc.], WI [FS89,DN00,BOV03]
• Concurrent ZK [DNS98, KPR01, CKPR01, PRS02]
• Commitment, identification schemes, …
• …
• 2-party and multi-party computation [BMR90, IK00, GIKR01, L01, KOS03, etc.]
4/48
This work• We concentrate on secure two-party
computation– Encompasses many functionalities of
independent interest (e.g., ZK)– Important “special case” of MPC
without honest majority
• Interestingly, exact round complexity of 2PC was not previously known!
5/48
This work (1)
• We exactly characterize black-box round complexity of secure 2PC!
• THM1: Impossibility result for any black-box 4-round coin-tossing (also XOR, other functionalities…)
6/48
This work (2)
• THM2: 5-round secure 2PC protocol for any functionality, based on trapdoor perms* (e.g. RSA, Rabin) or Homomorphic Encryption (e.g. DDH).
7/48
This work (3)
• THM3: 5-round secure 2PC protocol an adaptive adversary corrupting any one party without erasure in 5 rounds.
8/48
Prior work (2PC)
• Honest-but-curious setting– 4 rounds using trapdoor perms.
[Yao86]– 3 rounds using number-theoretic
assumptions (optimal) [Folklore]
• Malicious case– “Compiler” for any protocol secure in
honest-but-curious setting [GMW87]– Round complexity?
9/48
Round complexity of 2PC?
• Upper bounds– O(k) rounds [GMW87]– O(1) rounds [Lindell01]
• Unspecified, but roughly 20-30 rounds
• Lower bounds (black-box)– No 3-round ZK [GK96]– No 3-round coin-tossing [Lindell01]
10/48
Security definition• We use the standard definitions of
[GMW87, GL90, MR91, Ca00]
• This will be an informal review, focusing on a static adversary
11/48
Set-up
• Functionality F = (F1, F2), possibly
randomized; player Pi gets Fi(x, y)
• In real world, players execute a protocol to compute F
• In ideal world, a trusted party computes F for the players
12/48
Ideal model
• Players send x, y to TTP– Malicious player can send any value it
likes; honest party sends its input value– If no value sent, a default value is used
• TTP chooses uniformly-random r; sends v1 = F1(x, y; r) to P1
– If P1 aborts, TTP sends v2 = to P2
– Else, TTP sends v2 = F2(x, y; r) to P2
13/48
Ideal model
• Let Viewi denote the view of Pi
• Let (B1, B2) be strategies
• Define IDEAL = (B1(View1),
B2(View2))
– Note: for Bi honest, Bi(Viewi) = vi
14/48
Real model
• Players execute protocol…
• Let (A1, A2) be strategies
• Define REAL = (A1(View1),
A2(View2))
– Again, if Ai honest, then Ai(Viewi) = vi
15/48
Security…
• A pair of strategies is admissible if at least one is honest
• Protocol is secure if for all admissible PPT (A1, A2) in the real world, there exist
admissible expected poly-time (B1, B2)
in ideal world such that REAL and IDEAL are comp. indistinguishable– Even with auxiliary inputs…
16/48
Black-box security
• The definition of security requires: (malicious) Ai, (malicious) Bi, s.t.
Bi satisfies the condition….
• Black-box security imposes stronger requirement: (S1, S2), (malicious) Ai, (malicious)
Bi =SiAi satisfies the condition…
17/48
More formally…
• For malicious A1, define B1 as follows:– B1(x, z; r, r’) = S1
A1(x, z; r)(x; r’)– S1 not given auxiliary input z
• Exp. running time of S1 is a fixed polynomial, independent of A1
– But running time of B1 depends on A1
– The above formulation avoids some technical problems…
19/48
Theorem 1
• No secure (black-box) 4-round protocol for flipping (log k) coins– This rules out 4-round protocols for
other functionalities as well (e.g., XOR)
• (Note: 3-round protocols for O(log k) coins do exist [Bl82, GMW87])
• Details: (next)
20/48
Intuition
• W.l.o.g., P2 sends the first message
• No way to simulate for a malicious P1 who aborts “very often”
– Sending different msg1 doesn’t help
• P1 starts over with “new randomness” [GK]
– Sending different msg3 doesn’t help
• P1 anyway aborts “very often”
21/48
Proof details I
• Let s() be the expected r.t. of S1
• Define A1 as follows:– Use msg1 to define random string for an
“honest” execution of the protocol (using O(s)-wise independent hash function)
– After msg3, compute coin c; abort unless first (3log s) bits of c are 0
– Note: here we use |c| = (log k)
22/48
Proof details II
• REAL is “non-aborting” with noticeable probability 1/s3
• Thus, IDEAL must be “non-aborting” with roughly the same probability
• Conditioned on “good” coin from TTP, S1 must “force” A1 not to abort with probability essentially 1
23/48
Proof details III
• Run S1 for at most 2s steps– Now, strict poly-time– Conditioned on “good” coin from TTP,
“forces” A1 not to abort with probability essentially 1/2
24/48
Proof details IV
• Define A2 as follows:
– Feed “good” coin to S1; guess i, j
– Send ith query of S1 to P1 as msg1, return msg2 to S1
– Send jth query of S1 to P1 as msg2
– Answer other queries of S1 internally, by either aborting or playing the role of A1
25/48
Proof details V
• Analysis:– Conditioned on “correct” guesses of
i, j, honest player P1 outputs “good” coin with probability essentially 1/2
– Probability of correct guess > 1/4s2
– So probability that honest P1 outputs “good” coin is at least 1/8s2 > 1/s3
– A2 noticeably biases the coin!
26/48
Implications
• No 4-round (black-box) protocol for general secure computation– Note: Could also derive from [GK]…– …but our techniques rule out 4-round
protocols for wider class of functions
27/48
THM2: A 5-round protocol forsecure two-party computation
(for malicious adversary)
We construct a 5-round protocol where we “force”’
good behavior on both sidesand can “simulate”
malicious Adv view from both sides…
28/48
Somewhat easier task• [folklore]: k-round with one player
learning the output (k+1)-round with both players learning the outputs
• the output in the kth round includes encrypted and MAC’ed output for other player.
• SO: we need a 4-round protocol where, say, player 1 gets the output.
29/48
observation
It suffices to consider deterministic functionalities.
Rest of the talk: we show a 4-round protocol tolerating malicious players where player 1 learns the output.
30/48
Rest of the talk• 3-round protocol for semi-honest players
• Background tools
• Some of our new techniques
• Our 4-round protocol (if time permits)
• Proof of security (if time permits)
• Modifications needed for Dynamic Adv.
• Conclusions.
31/48
Recall: 1-2-OT [EGL]
• Sender has (v0, v1);
• Receiver has b,
1-2-OT:
• Receiver gets vb
• Sender gets nothing
32/48
Semi-honest 1-2-OT [EGL,GMW]
1. S: generate td perm. (f, f-1); send f
2. R: yb = f(zb), y1-b rand; send (y0, y1)
3. S: send ui = h(f-1(yi))vi, for i=0,1
4. R computes vb = h(zb)ub
Note: extends easily for strings in
semi-honest setting
33/48
Yao’s “garbled circuit”
• Algorithms (Y1, Y2) s.t.:
– Y1(y) outputs “circuit” C, input-wire labels {Zi,b},
– [C “represents” F(.,y)]
– Y2(C, Z1,x1, …, Zk,xk
) outputs v
Correctness: v = F(x, y)
34/48
3-round semi-honest 2PC
1. Player 2 sends Yao’s C, f for OT
2. Player 1 sends OT pairs {(yi,0, yi,1)}
3. Player 2 sends {(ui,0, ui,1)} to Player
1.
Player 1 recovers v.
35/48
Malicious 2PC?
• Standard method [GMW87] increases round-complexity:– Coin tossing into the well to fix
random tapes of players;– Players commit to their inputs;– ZK arguments of correctness after
every round;High round complexity of compilation
36/48
Malicious 2PC in 4 rounds
• Our goal: do everything in 4 rounds, (player 1 gets the output) forcing “good” behavior from both sides!
• Intuition: do everything “as early as possible” but …things “don’t fit” – we need new tricks to cram it all..
• Surprise: we must “delay” proofs to make it work.
37/48
Reminder:3-Round WI proofs [FS]
P claims that graph G has a HC
• PV: commit n cycle graphs C1..Cn
• VP: random n-bit string Q
• PV: for each bit of Q, either – open entire matrix Ci OR – show perm of G onto Ci open non-
edges of G in Ci.
38/48
OBSERVATION
• Graph G can be determined in the last round.– IF G is determined in the 1st round
this is WI proof of knowledge– IF G is determined in the 3rd round
this is only a WI proof, but it is still sound!
42/48
[FS] 4-round ZK-argument
2 interleaved WI proofs:
• PV: gives y1,y2 s.t. f(a1)=y1,f(a2)=y2 and WI proof of this fact (3 rounds)
• PV: WI proof of witness w that x is in L or w is one of the a’s (starting on the 2nd round). Total of 4 rounds.
Proof of knowledge; also ZK.
43/48
New FS properties needed:
• Observation: In FS, prover needs to determine the statement in the second round.
• Goal: to defer parts of statement to last (4th) round.
Previous ideas are not sufficient…
44/48
Technical lemma - we extend [FS] to FS’ so that:
• FS’ is a 4-round Zero-knowledge argument where statements can be “Postponed”.
• FS’ define conjunctive parts of statement in the second round (with knowledge extraction) and part of statement in the 4th round (without extraction but still sound!)
• It is of independent interest (requires equivocal commitment, some other tools)
45/48
[FS] 4-round ZK argument: 2 interleaved WI-proofs
Verifier
Round1
Prover
round2 Det. ST1
round3
round4 Proof: ST1& ST2 Det. ST2
47/48
Simulation on both sides? we need more tools…
• Malicious player 2 gains nothing by using non-random tape in Yao.
• Player 1 cannot freely choose his random tape, but full-blown coin-tossing is not necessary (i.e., we don’t need simulatability on both sides)
• Player 2 has to commit Yao’s garbled circuit in round 2, but the simulator need to open it arbitrary, so use equivocal comm.
48/48
Equivocal commitments• (Informal): in real execution, sender committed
to a single value; in simulation, can open arbitrarily
• Construction: Equiv(b) = Com(b0), Com’(b1)ZK argument that b0 = b1
Open by opening either b0 or b1
• Can “fold” ZK argument into larger statement already used in 4th round of FS’
50/48
Round 1: P1(x)P2(y)
• P1 commits {(ri,0, ri,1)}; (random)
• starts 3-round WI PoK of either ri,0 or ri,1;
• Starts FS’1 (statement TBA by P2
partly in round 2, partly in round 4)
51/48
Round 2: P1(x) P2(y)
• P2 Sends challenge for WI PoK
• P2 Sends trapdoor perm {fi,b} for OT, and random values {r’i,b};
• P2 commits to input-wire labels for Yao
• Equiv. commitment to Yao’s garbled C(y);
• FS’2 (proving correctness as part of the statement), part to be determined now, part in fourth round
52/48
Round 3: P1(x) P2(y)
• For each bit i of input x, set (for OT):– yi,xi
= fi,xi(z);
– yi,1-xi = ri,1-xir’i,1-xi;
• WI PoK (final round 3), where the statement includes the fact that one of y’s is correctly computed for each i.
• FS’ (round 3)
53/48
Round 4: P1(x) P2(y)
• Complete OT (i.e. P2 inverts f’s and xor’s with Yao’s input wires), sends these to P1
• FS’ final (4th) round, where P2 proves correctness of all its steps, including OT of this round.
• P2 Decommits equiv-commit of Yao’s circuit, so that P1 can compute!
55/48
SIMADV-P2
• SIM commits {(ri,0, ri,1)}; (random)
• starts 3-round WI PoK of either ri,0 or ri,1;
• Starts FS’1 (statement TBA by P2 partly in round 2, partly in round 4)
Easy to simulate, we don’t need to know x.
57/48
Round 3: SIM ADV-P2
• For each bit i of input x, set (for OT):– yi,xi
= ri,xir’i,xi;
– yi,1-xi = ri,1-xir’i,1-xi;
• PoK (final round 3), is easy, since it’s a true statement by the simulator.
• FS’ (round 3) (play honestly)
58/48
Round 4: SIMADV-P2
• Sends whatever it wants.
• If all valid, we re-wind, and extract y (using the fact that the msg commitment in the second round is a proof of knowledge, so we can extract)
• Now, send y to the trusted party and we are done, and player 1 gets his output.
61/48
ADV-P1 SIM
• SIM send to P1 trapdoor perm {fi,b} for OT, and random values {r’i,b}; as before
• SIM commits to garbage (instead of input-wire labels for Yao)
• SIM equiv. commitment to garbage (instead of Yao’s garbled C(y); )
• For FS’2 use ZK simulator (proving correctness as part of the statement), part to be determined now, part in fourth round
63/48
ADV-P1 SIM
• If all proofs in 3rd round are OK,rewinds and extracts half of r’s from first round
• After extraction, can get ADV-P1 OT input values, this defines his input x.
• Send x to trusted party, get the output. (cont on next slide)
64/48
ADV-P1 SIM
• Now, simulate the Yao’s circuit, and de-comment equivocal commitment of Yao as needed, and prepare OT answers as needed.
• Continue using ZK simulator for FS’
66/48
Overview
• No erasure of [BH].
• Use adaptively-secure encryption to encrypt each round (a la [CFGN96])– We avoid expensive key-generation phase
(using stronger assumptions: – Assume simulatable cryptosystem
[Damgard-Nielsen 2000]
– Maintain round complexity by not encrypting the first round
67/48
Adaptively-secure encryption
• To encrypt a single bit v:– Receiver generates {(pki,b)} but only
knows secret key for one of each pair
– Sender computes {(Ci,b)} where, in each pair, one ciphertext is random and one is an encryption of v
– Receiver decrypts using keys he knows; takes majority