page 1 efficient two-party secure computation on committed inputs stanislaw jarecki, uc irvine...
TRANSCRIPT
page 1
Efficient Two-PartySecure Computation
onCommitted Inputs
Stanislaw Jarecki, UC IrvineVitaly Shmatikov, UT Austin
page 2
1. Committed Oblivious Transfer of Bitstrings [String-COT]• O(1) modular exponentiations per player
• 2 rounds + proofs (single message in R.O.M. if commitments public)
• Universally Composable in Common Reference String [CRS] model
2. Secure Two-Party Computation [2PC] on Committed Inputs• O(g) modular exponentiations, where g = # gates in the circuit
• round complexity, UC in CRS, as above
Technical Contribution of General Interest:
• Encryption with Verifiable Plaintexts and Keys,i.e.:Encryption with efficient Zero-Knowledge Proof for relation:
{(E, Cm, Ck) s.t. E encrypts m committed in Cm under key k committed in Ck }
Our Contributions
page 3
1. Committed Oblivious Transfer of Bitstrings [String-COT]• O(1) modular exponentiations per player
• 2 rounds + proofs (single message in R.O.M. if commitments public)
• Universally Composable in Common Reference String [CRS] model
2. Secure Two-Party Computation [2PC] on Committed Inputs• O(g) modular exponentiations, where g = # gates in the circuit
• round complexity, UC in CRS, as above
Main Technical Contribution of General Interest:
• Encryption with Verifiable Plaintexts and Keys,i.e.:Encryption with efficient Zero-Knowledge Proof for relation:
{(E, Cm, Ck) s.t. E encrypts m committed in Cm under key k committed in Ck }
Our Contributions
Contribution for both COT and 2PC is in efficiency.(and provable universal composability of an efficient construction)
Quick comparison of constant-round 2PC protocols:
Yao’86: O(g) symmetric-key operations, passive adv.
Yao + Generic ZKP’s: poly(k,g) operations, malicious adv.
[P’03,MF’06,KS’06,LP’07,W’07]Cut & Choose Proofs: O(kg) symmetric-key ops., malicious adv.
[Here]: Efficient ZKP per gate: O(g) public-key operations, malicious adv.
page 4
1. Committed Oblivious Transfer of Bitstrings [String-COT]• O(1) modular exponentiations per player
• 2 rounds + proofs (single message in R.O.M. if commitments public)
• Universally Composable in Common Reference String [CRS] model
2. Secure Two-Party Computation [2PC] on Committed Inputs• O(g) modular exponentiations, where g = # gates in the circuit
• round complexity, UC in CRS, as above
Main Technical Contribution of General Interest:
• Encryption with Verifiable Plaintexts and Keys,i.e.:Encryption with efficient Zero-Knowledge Proof for relation:
{(E, Cm, Ck) s.t. E encrypts m committed in Cm under key k committed in Ck }
Our Contributions
Contribution for both COT and 2PC is in efficiency.(and provable universal composability of an efficient construction)
Quick comparison of constant-round 2PC protocols:
Yao’86: O(g) symmetric-key operations, passive adv.
Yao + Generic ZKP’s: poly(k,g) operations, malicious adv.
[P’03,MF’06,KS’06,LP’07,W’07]Cut & Choose Proofs: O(kg) symmetric-key ops., malicious adv.
[Here]: Efficient ZKP per gate: O(g) public-key operations, malicious adv.
page 5
Talk Outline
• Overview of the results:• Committed Oblivious Transfer on Strings• General Secure Two-Party Computation on Committed Inputs
• Applications • Committed Secure Computation • Committed String-OT
• Comparison with previous results
• Technical Discussion:Public Key Encryption with Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key
• Extensions, Open Questions
page 6
Universally Composable Secure Two-Party Computation on Committed Inputs:Definitio
nPicture
page 7
CA1
(xA2)
Commit(xA1)
Commit(xA2)
Commitment properties:
Binding: xi’s cannot be substituted after Ci is sent
Hiding:xi’s remain hidden from other players
(Can be implemented e.g. with Public Key Encryption)
Commit(xB1)
Commit(xB2)
(xA1)
Universally Composable Secure Two-Party Computation on Committed Inputs
Alice
Bob
CA2
(xB1)CB1
(xB2)CB2
Public Board
page 8
Commit(xA1)
Commit(xA2)
Non-Malleable [NM] Commitments:
Bob’s messages cannot depend on Alice’s messages
(can be done with CCA-Secure Encryption, in CRS)
Commit(xB1)
Commit(xB2)
CA1
CA2
(xA1)Alice
Bob
Universally Composable Secure Two-Party Computation on Committed Inputs
CA2 (xA2)
(xB1)CB1
(xB2)CB2
Public Board
page 9
AliceCompute( [ ] with Bob,CA1,CB1)
Bob
(xA1)
xA1 xB1
F(xA1,xB1)
F(xA1,xB1)
Universally Composable Secure Two-Party Computation on Committed Inputs
(xA2)
(xB1)
(xB2)
Properties of 2P Secure Computation (Obl.Circ.Eval.) on Committed Inputs:
• Bob learns only output F(xA,xB), nothing else about Alice’s input xA
• Alice learns nothing
• values xA, xB in the computation are committed in CA, CB
Public Board
page 10
Alice
Bob
(xA1)
Compute( [ ] with Alice)
F(xA1,xB1)
F(xA1,xB1)
Universally Composable Secure Two-Party Computation on Committed Inputs
Properties of 2P Secure Computation (Obl.Circ.Eval.) on Committed Inputs:
• Bob learns only output F(xA,xB), nothing else about Alice’s input xA
• Alice learns nothing
• values xA, xB in the computation are committed in CA, CB
(xA2)
(xB1)
(xB2)
=> Two-sided computation on same inputs (with abort)
Compute( [ ] with Bob)
Public Board
page 11
Alice
Bob
(xA1)
Examples of circuits:
= Equality(xA,xB): outputs 1 if xA = xB, 0 otherwise= `Less or Equal’(xA,xB): outputs 1 if integer xA ≤ xB, 0 o/w= F(xA,xB) = intersection of sets represented by xA,xB
= F(xA,xB) = median value in the union of setsIt can be any circuit !!
Universally Composable Secure Two-Party Computation on Committed Inputs
Benefit of computation on committed inputs: Ensuring consistency between
computations of several circuits on same data
(xA2)
(xB1)
(xB2)
Compute( [ ])
Compute( [ ])
Compute( [ ])
Compute( [ ])
page 12
F(xA1,xB1)
Alice
Bob
(xA1)
Dorothy
Compute( [ ] with Dorothy)
(xD1)Commit(xD1)
F(xD1,xB1)
Consistency Across Protocol Instances Ex.1: Multi-Player Example
(xB1)
Compute( [ ] with Alice)
page 13
Alice
Bob
(xA1)
Commit(xA3)
Compute( [ ] w/ Alice)
xA1 xA3 xB1
F(xA1,xA3,xB1)General Benefit of UC Committed 2PC: Ensuring consistency between
sub-protocols in any distributed algorithm Some computation can be local (“insecure” but fast), while commitments keep the overall protocol consistent
(xA3)
(xB1)
Compute( [ ] with Alice)
F(xA1,xB1)
xA3 = output of Alice’s local computation given F(xA1,xB1)
Consistency Across Protocol Instances: Ex.2: Security with some local computation off-line
page 14
Consistency Across Protocol Instances: Ex.3: Solution to the “Abort & Re-start” Problem
Protocols that use 2PC / OT without committed inputscan be insecure against abort & re-start:
A malicious player can effectively execute several instances of the protocol, each on different inputs.
In practice protocols must allow re-start in case ofcommunication or hardware faults…
page 15
Talk Outline
• Statement of the results:• Committed Oblivious Transfer on Strings• General Secure Two-Party Computation on Committed Inputs
• Applications • Committed Secure Computation • Committed String-OT
• Comparison with previous results
• Technical Discussion:Public Key Encryption with Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key
• Extensions, Open Questions
page 16
Universally Composable Committed String-OT
1. Alice learns mb s.t.• mb is committed in Cmb
• b is committed in Cb
2. Alice learns nothing about mb
3. Bob learns nothing
Alice: bit b Bob: strings m0,m1
mb ┴
Common Input:Commitments Cb , (Cm0 , Cm1)
UC String-COT is like UC two-party secure computation
but the only computed function is String-OT
Crepeau’86 introduced COT s.t.Alice gets (de) commitment of Cb,
not just mb
(our construction can support this too)
page 17
OT is a sub-procedure in General Secure Computation Protocols[the original motivation for Committed OT by Crepeau]
1. Interactive Secure 2-Party Computation [GV’87]:• Players secret-share all their input bits• Gate computation (shared input bits → shared output bit) via Bit-
OT
Tool: Committed Bit-OT
2. 2-round Secure 2-Party Computation (“Garbled Circuit” [Yao’86]):• Sender S creates two keys per each wire• For each gate, S encrypts appropriate output wire keys
with appropriate input wire keys• S performs String-OT on keys corresponding to R’s input wires
Tool: Committed String-OT
Applications of Committed String-OT (Ex.1):Ensuring Consistency across Calls to OT
page 18
1. Privacy applications:– oblivious transfer of one key out of a set of keys– same for signatures, decryptions, …
2. Support for probabilistic systems:– probabilistic escrow of information (keys, signatures, plaintexts)– probabilistic payment of digital cash– …
What’s needed in such applications?– OT on values with proven properties (key, coin, signature, …)
Done in 2 steps:– perform an OT on the committed string value (e.g. a key)– prove correctness of the committed value
(efficient proofs for such statements exist for many cryptographic schemes)
Applications of Committed String-OT (Ex.2):Privacy, E-Cash, Escrow, …
page 19
• Statement of the results:• Committed Oblivious Transfer on Strings
• General Secure Two-Party Computation on Committed Inputs
• Applications of Committed Secure Computation / Committed String-OT
• Comparisons with previous results on COT and 2PC
• Technical Discussion:Public Key Encryption with Efficient Zero-Knowledge Proof for Verifiability of both Plaintexts and Keys
• Extensions, Open Questions
Talk Outline
page 20
O(1) modular exponentiations per player• exponentiations modulo n2 where n is a strong RSA modulus, |n2| = 2000 bits
• 500-bit exponents
Round complexity: 2 rounds + proofs (e.g. one/two rounds in R.O.M.) Security under Decisional Composite Residuosity Assumption [DCR] Universal Composability in Common Reference String model [CRS]
• static adversary
• CRS includes modulus n and a few group elements, |CRS| ≈ 10 |n|
Towards efficient String-COT:
[NP’00, AIR’01] String-OT O(1) exp’s, DDH Assumption
[Cre’89] Bit/String-COT Ω(k3) Bit/String-OT’s[CvdGT’95] Bit-COT Ω(k) Bit-OT’s
[GMY’04] Bit-COT O(1) exp’s, DDH[CC’00] String-COT O(k) exp’s, DDH
[Here] String-COT O(1) exp’s, DCR
Our Contributions vs. Previous Work:(1) Committed OT on Bitstrings
page 21
Security under DCR and Strong RSA Assumptions O(g) modular exponentiations, where g = # gates in the Circuit Round complexity: 2 rounds + proofs (e.g. one/two rounds in R.O.M.) Universal Composability in the CRS model
Towards efficient constant-round Secure Two-Party Computation (2PC):
Passive Security:- [Yao’86] O(g) symmetric-key op’s
Malicious Security using ZKP’s for NP-complete languages:- [GMW,…,Lin’03,KO’04] poly(g, k) op’s
Malicious Security without generic ZKP’s:- [DI’05], multi-party computation,
O(n2 g) PRG’s + VSS’s- [CC’00], cut & choose gate-specific ZKP’s,
O(kg) exp’s, DDH- [Pin’03, MF’06, KS’06, LP’07, W’07], cut & choose on the whole garbled circuit,
O(kg) symmetric-key op’s- [Here], efficient gate-specific ZKP’s,
O(g) exp’s, DCR + Strong RSA
Our Contributions vs. Previous Work:(2) Secure 2PC on Committed Inputs
page 22
• Statement of the results:• Committed Oblivious Transfer on Strings
• General Secure Two-Party Computation on Committed Inputs
• Applications of Committed Secure Computation / Committed String-OT
• Comparison with previous results
• Technical Discussion:Public Key Encryption with Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key
• Extensions, Open Questions
Talk Outline
page 23
Yao’s Garbled Circuit Construction
1. For each circuit wire w, Sender S picks a pair of keyskw
0“bit 0 on wire w”kw
1“bit 1 on wire w”
G
kw0,kw
1 kv0,kv
1
kz0,kz
1
G
kw0,kw
1 kv0,kv
1
kz0,kz
1
kw0,kw
1 kv0,kv
1
kz0,kz
1Invariant:
For every wire w, Receiver R learns one keyin {kw0,kw
1}, but doesn’t learnwhich one!
2. For each gate, S sends to R a table:
Encryption of kz0 under keys
kw0,kv
0
Encryption of kz0 under keys
kw0,kv
1
Encryption of kz0 under keys
kw1,kv
0
Encryption of kz1 under keys
kw1,kv
1
3. For each R’s input wire,transfer the right key using String-OT:OT [ R(b) , S(k0,k1) ] → kb
Strategy towards 2PC with O(1) exp’s / gate1. S commits to each key2. S proves circuit is properly garbled:
• each ciphertext formed correctly• […other proofs…]
3. S performs String-COT for R’s input keys
page 24
Yao’s Garbled Circuit Construction Closer Look: Proof of ciphertext correctness
1. For each circuit wire w, Sender S picks a pair of keyskw
0“bit 0 on wire w”kw
1“bit 1 on wire w”
G
kw0,kw
1 kv0,kv
1
kz0,kz
1
G
kw0,kw
1 kv0,kv
1
kz0,kz
1
kw0,kw
1 kv0,kv
1
kz0,kz
1Invariant:
For every wire w, Receiver R learns one keyin {kw0,kw
1}, but doesn’t learnwhich one!
2. For each gate, S sends to R a table:
Encryption of kz0 under keys
kw0,kv
0
Encryption of kz0 under keys
kw0,kv
1
Encryption of kz0 under keys
kw1,kv
0
Encryption of kz1 under keys
kw1,kv
1
3. For each R’s input wire,transfer the right key using String-OT:OT [ R(b) , S(k0,k1) ] → kb
Strategy towards 2PC with O(1) exp’s / gate1. S commits to each key2. S proves circuit is properly garbled:
• each ciphertext formed correctly• […other proofs…]
3. S performs String-COT for R’s input keys
page 25
Yao’s Garbled Circuit Construction Closer Look: Proof of ciphertext correctness
1. For each circuit wire w, Sender S picks a pair of keyskw
0“bit 0 on wire w”kw
1“bit 1 on wire w”
G
kw0,kw
1 kv0,kv
1
kz0,kz
1
G
kw0,kw
1 kv0,kv
1
kz0,kz
1
kw0,kw
1 kv0,kv
1
kz0,kz
1Invariant:
For every wire w, Receiver R learns one keyin {kw0,kw
1}, but doesn’t learnwhich one!
2. For each gate, S sends to R a table:
Encryption of kz0 under keys
kw0,kv
0
Encryption of kz0 under keys
kw0,kv
1
Encryption of kz0 under keys
kw1,kv
0
Encryption of kz1 under keys
kw1,kv
1
3. For each R’s input wire,transfer the right key using String-OT:OT [ R(b) , S(k0,k1) ] → kb
Strategy towards 2PC with O(1) exp’s / gate1. S commits to each key2. S proves circuit is properly garbled:
• each ciphertext formed correctly• […other proofs…]
3. S performs String-COT for R’s input keys
page 26
Yao’s Garbled Circuit Construction Closer Look: Proof of ciphertext correctness
kw0“bit 0 on wire w”
kw1“bit 1 on wire w”
G
kw0,kw
1 kv0,kv
1
kz0,kz
1
G
kw0,kw
1 kv0,kv
1
kz0,kz
1
kw0,kw
1 kv0,kv
1
kz0,kz
1
Encryption of kz0 under keys
kw0,kv
0
Simplify to standard (one-key) encryption:
Need Efficient ZKP for relation
R = { (E, Cm, Ck) } s.t.
1. E = Enc [ m ; k ] 2. m is committed in Cm
3. k is committed in Ck
page 27
Efficient Encryption withmessage and key verifiability
1. Assume commitment (to value ‘a’) is of the formCa = ga (or Ca = ga hr )
for some multiplicative group <g>
2. Assume encryption also has both plaintext and key in the exponent, e.g.
E = Enc[ m ; k ] = αm βk
where <α> , <β> are disjoint subgroups of some groupCan be done with Paillier encryption [Camenisch-Shoup’03]:α generates subgroup of order n, β generates subgroup of order φ(n),in group of order φ(n2)=n*φ(n) [multiplicative group of residues mod n2]
Need Efficient ZKP for relation
R = { (E, Cm, Ck) } s.t.
1. E = Enc [ m ; k ] 2. m is committed in Cm
3. k is committed in Ck
ZKPR is a proof of equalities between discrete-log representations:
1. (m , k) = Rep( (α, β) , E)2. m = DL( g, Cm )3. k = DL( g, Ck )
page 28
Efficient Encryption withmessage and key verifiability
ZKPR is a proof of equalities between discrete-log representations:
1. (m , k) = Rep( (α, β) , E)2. m = DL( g, Cm )3. k = DL( g, Ck )
Each (Representation=DL) proof is an extension of standard ZKPK-of-DL, except if the orders involved (#g vs. #α) and (#g vs. #β) are:
(1) unknown (2) unequal
Cm = gm
E = αm βk
Ck = gk
#α = n , #β = φ(n)#g = whatever is convenient
The ZKP of “equality of m”:DL(g,Cm)=Rep(α,
E)
The ZKP of “equality of k”:
DL(g,Ck)=Rep(β,E)
problem if
#g ≠ #α
problem if
#g ≠ #β
page 29
Efficient Encryption withmessage and key verifiability
Cm = gm
E = αm βk
Ck = gk
#α = n , #β = φ(n)#g = whatever is convenient
The ZKP of “equality of k”:
DL(g,Ck)=Rep(β,E)
The ZKP of “equality of m”:DL(g,Cm)=Rep(α,
E)
• If orders not equal then responses must be computed over integers(linear equations involving secrets)
Efficient Zero-Knowledge of DLEQ known only if secret << (both orders)Why?1. Known DLEQ(gx,hx) proofs for groups with unknown order
leak c*x+r over integers, for public challenge c, and random secret pad r x is statistically hidden only if r > c*x*280
r > x*2160 (since c ≈ 280)2. To avoid wrap-around we need c*x+r < (orders of g and h)
x * 2160 < (orders of g and h)
problem if
#g ≠ #α
problem if
#g ≠ #β
page 30
Efficient Encryption withmessage and key verifiability
Cm = gm
E = αm βk
Ck = gk
#α = n , #β = φ(n)#g = whatever is convenient
The ZKP of “equality of k”:
DL(g,Ck)=Rep(β,E)
The ZKP of “equality of m”:DL(g,Cm)=Rep(α,
E)
• If orders not equal then responses must be computed over integers(linear equations involving secrets)
Efficient Zero-Knowledge of DLEQ only if secret << (both orders) Either m or k must be << |φ(n)| ≈ |n|• But m’s and k’s are interchangeable in Yao’s garbled circuit
construction! Need Camenisch-Shoup encryption with shorter keys (k ≈ ¾ |n|)
• [Hastad-Schrift-Shamir]: exponentiation mod n hides |n|/2 bits
using ½ |n| - long keys is indistinguishable from |n|-long keys same holds for the φ(n)-order subgroup, where [CS] keys live
problem if
#g ≠ #α
problem if
#g ≠ #β
page 31
Summary:• Efficient UC-Secure computation on committed inputs
with O( |Circuit| ) public key op.’s• Fast committed String-OT• Encryption with efficient verifiability for both messages
and keys
Some questions:• Handling adaptive corruptions?• Weakening assumptions on the RSA modulus?• Efficient String-COT and Committed-2PC without CRS?• Verifiable Encryption for committed plaintexts and/or
keys, for moduli smaller than |n2|=2000 bits?
Summary and some open questions
page 32
Thank You!