Post on 17-Jan-2016
On the Cryptographic Complexity of the Worst Functions
Amos Beimel (BGU), Yuval Ishai (Technion), Ranjit Kumaresan (Technion), Eyal Kushilevitz (Technion)
How Bad are the Worst Functions?
Function class F_N of all functions f : [N] × [N] → {0,1}
This work: cryptographic complexity of the worst functions
Standard complexity-theoretic measures
• Circuit complexity: Θ(N²/log N) [Sha48,Lup58]
• 2-party communication complexity: Θ(log N) [Yao79]
Information-theoretic cryptography
• Communication complexity
• Randomness complexity
Model
Security model
• Information-theoretic: unbounded adversaries; statistical/perfect security
• Semi-honest adversary: no deviation from protocol
Functions
• Function class F_N: class of all two-argument functions f : [N] × [N] → {0,1}
• Interested in worst f ∈ F_N
Crypto primitives
• Secure computation: various models; communication/randomness complexity
• Secret sharing: share complexity
Secure Computation: What is Known?
Information-theoretic security
• Honest majority [RB89,BGW88]
• 2-party in the OT-hybrid or preprocessing model [Kil88,Bea95]
• Impossible in plain model [Kus89]
• Private Simultaneous Messages [FKN94]
[Figure: two parties holding x and y; outputs f1(x,y) and f2(x,y)]
• Best upper bounds linear in N
– Sublinear if big honest majority [BFKR90,IK04]
• Counting arguments yield weak lower bounds
Can communication complexity be made logarithmic in N?
2-Party Secure Computation (2PC)
Information-theoretic security
• Impossible in plain model [Kus89]
• OT-hybrid/preprocessing model
• Popular protocols [GMW87, Y86]
Information-theoretic garbled circuits [Yao86]
• Depends on circuit structure
• Quadratic in formula depth
• Exponential-in-depth overhead for circuits
GMW [GMW87]
• Gate-by-gate evaluation of given circuit
• #OTs required: twice #AND gates
• Communication cost: twice #AND gates
[Figure: two parties holding x and y; outputs f1(x,y) and f2(x,y)]
What is Known? OT-Hybrid Model
Oblivious Transfer [Rab81,EGL85]
[Figure: 1-out-of-2 OT: sender holds (x0, x1), receiver holds choice bit b and learns x_b]
OT extension
• Impossible in information-theoretic setting [Bea97]
• OT as an “atomic currency”
Pre-computation
• Random OT correlations can be “corrected” [Bea95]
[Figure: correcting a random OT correlation. Sender holds random (y0, y1), receiver holds random c and y_c. Receiver sends d = c ⊕ b; sender replies z0 = x0 ⊕ y_d, z1 = x1 ⊕ y_{1-d}; receiver outputs z_b ⊕ y_c = x_b]
Complete
• Given ideal OT oracle, can get information-theoretic 2-party secure computation [Kil88,GV88]
*Slide created before revelations
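The [Bea95] correction step from the figure above, written out as an added example (this is not code from the talk or the paper): a single bit OT on real inputs (x0, x1, b) is derived from one precomputed random OT correlation. The offline dealer, the function names and the exhaustive check are my own assumptions; the protocol messages are exactly the d, z0, z1 and z_b ⊕ y_c of the slide.

```python
import secrets

def random_ot_correlation(rng=secrets):
    """Offline phase (assumed: a trusted dealer, or OTs run on random inputs).
    Sender gets random (y0, y1); receiver gets a random choice bit c and y_c."""
    y0, y1 = rng.randbits(1), rng.randbits(1)
    c = rng.randbits(1)
    return (y0, y1), (c, (y0, y1)[c])

def receiver_correct(c, b):
    """Online, receiver -> sender: d = c XOR b.  Since c is uniform and hidden
    from the sender, d reveals nothing about the real choice b."""
    return c ^ b

def sender_correct(y0, y1, d, x0, x1):
    """Online, sender -> receiver: mask the real inputs with the precomputed
    pad, swapped according to d: z0 = x0 XOR y_d, z1 = x1 XOR y_{1-d}."""
    y = (y0, y1)
    return x0 ^ y[d], x1 ^ y[1 - d]

def receiver_output(b, yc, z0, z1):
    """Receiver: x_b = z_b XOR y_c (because y_{b XOR d} = y_c).  The other
    value z_{1-b} stays masked by y_{1-c}, which the receiver never held."""
    return (z0, z1)[b] ^ yc

def corrected_ot(x0, x1, b, rng=secrets):
    """One 1-out-of-2 bit OT on real inputs, consuming one random correlation."""
    (y0, y1), (c, yc) = random_ot_correlation(rng)
    d = receiver_correct(c, b)
    z0, z1 = sender_correct(y0, y1, d, x0, x1)
    return receiver_output(b, yc, z0, z1)

def verify_all_cases():
    """Exhaustively check correctness for every input and every correlation,
    and that the sender's view d is uniform for both values of b."""
    for x0 in (0, 1):
        for x1 in (0, 1):
            for b in (0, 1):
                for y0 in (0, 1):
                    for y1 in (0, 1):
                        for c in (0, 1):
                            yc = (y0, y1)[c]
                            d = receiver_correct(c, b)
                            z0, z1 = sender_correct(y0, y1, d, x0, x1)
                            if receiver_output(b, yc, z0, z1) != (x0, x1)[b]:
                                return False
    # sender's view: the multiset of d values over the uniform c, for each b
    views = {b: sorted(receiver_correct(c, b) for c in (0, 1)) for b in (0, 1)}
    return views[0] == views[1] == [0, 1]
```

The point of the slide is visible in the code: the only online traffic is three bits, no OT is run online, and the correlation is consumed (a pad reused across two corrections would leak), which is why the number of precomputed correlations is exactly the OT complexity counted in the talk.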
OT Complexity
OT complexity of a function f: number of (bit) OTs required to securely evaluate f
• Let F_N be the class of all 2-party f : [N] × [N] → {0,1}
• What is the OT complexity of the worst function in F_N?
• Circuit-based 2PC: O(N²/log N) [GMW87]
• Truth-table-based 2PC: O(N) via 1-out-of-N OT
– 1-out-of-N OT from O(N) 1-out-of-2 OTs [BCR86]
This work: O(N^{2/3}) OT complexity
[Figure: truth-table-based 2PC: Alice (input x) offers the row f(x,1), f(x,2), …, f(x,N); Bob (input y) selects f(x,y) by 1-out-of-N OT]
Preprocessing Model
Correlated randomness
• Independent of inputs
• May depend on f
[Figure: offline phase, a dealer gives correlated randomness rA to Alice and rB to Bob; online phase, Alice (x, rA) and Bob (y, rB) interact and both output f(x,y)]
OT correlations
• Special case: pre-computed OTs
• “Simpler” correlations
• Independent of function
Correlated Randomness Complexity
Correlated randomness complexity of a function f: size of correlated randomness required to securely evaluate f
• Let F_N be the class of all 2-party f : [N] × [N] → {0,1}
• Correlated randomness complexity of the worst function in F_N?
• Truth-table-based 2PC: O(N), via 1-out-of-N OT [BCR86]
• O(log N) online communication [IKMOP13]; correlated randomness: O(N²)
This work: 2^{Õ(√log N)} correlated randomness
Private Simultaneous Messages (PSM)
Model [FKN94]
• Multiple clients
• Share randomness r
• Single referee
• Non-interactive
• Referee learns only f(x,y)
• No collusion
[Figure: Alice (x, r) and Bob (y, r) each send one message to the referee, who outputs f(x,y)]
Why PSM?
• Minimal model of secure computation [FKN94]
• Applications in round-efficient protocol design [IKP10]
• Connections to secret sharing! [BI01]
What is Known? [FKN94,IK97]
• Efficient for f with small formulas, branching programs
• Worst case f: O(N)
• Lower bound: 3 log N − 4
[Figure: the O(N) PSM. Shared randomness r = (s, (r1, …, rN)). Alice sends f(x,1+s) + r1, f(x,2+s) + r2, …, f(x,N+s) + rN; Bob sends y−s and r_{y−s}; the referee recovers f(x,y)]
PSM Complexity
PSM complexity of a function f: communication complexity of PSM protocol for f
• What is the PSM complexity of the worst function in F_N?
This work: O(√N) PSM complexity
Secret Sharing
Model
• External dealer + n parties
• Dealer has input secret s
• Sends “shares” to parties; then inactive
• Access structure: set of “authorized” subsets
• Secret hidden from unauthorized subsets; any authorized subset can reconstruct s
What is Known?
Share complexity: size of each share
• Best upper bound: 2^{O(n)} [BL90,Bri89,KW93]
• Best lower bound: Ω(n/log n) [Csi97]
Poly(n) share complexity for every n-party access structure?
Share Complexity: Forbidden Graph Access Structures
Forbidden graph [SS97]
• Graph G = (V,E) with |V| = N
• Authorized subsets: sets {u,v} with (u,v) ∈ E; any set of size 3
• Naïve solution: O(N) [SS97,BL90]
• O(N/log N) share complexity [BDGV96,EP97,Bub86]
• What is the share complexity of the worst N-vertex graph?
This work: O(√N) share complexity
Talk Outline
• Main Technical Tool – PIR
• OT Complexity
• Correlated Randomness Complexity
• PSM Complexity
• Share Complexity for Forbidden Graphs
Private Information Retrieval
Model [CGKS95]
• Single client
• Multiple servers; each server has same DB
• Size of DB = N (bits); DB unknown to client
• Client input: index i ∈ [N]
• Privately retrieve DB[i]
• No collusion among servers
• Goal: minimize communication
Query generation: (q1, q2) ← Q(i, r)
Answer generation: a_k ← A(k, q_k, DB)
Reconstruction: z ← R(i, r, a1, a2)
[Figure: client with index i and randomness r sends q1, q2 to the two servers holding DB, receives a1, a2 and outputs z]
Best known PIR schemes
• 2-server: O(N^{1/3}) [CGKS95]
• 3-server: 2^{Õ(√log N)} [Yek07,Efr09]
Talk Outline
• Main Technical Tool – PIR
• OT Complexity – Upper bound: O(N^{2/3}) (via 2-server PIR)
• Correlated Randomness Complexity
• PSM Complexity
• Share Complexity for Forbidden Graphs
OT-Hybrid Model (Recap)
• Let F_N be the class of all 2-party f : [N] × [N] → {0,1}
• What is the OT complexity of the worst function in F_N?
OT complexity of a function f: number of (bit) OTs required to securely evaluate f
• Circuit-based 2PC for worst f: O(N²/log N) [GMW87]
• Truth-table-based 2PC for worst f: O(N), 1-out-of-N OT [BCR86]
• OT is “complete”
• Pre-computation
• No OT extension
[Figure: 1-out-of-2 OT: sender holds (x0, x1), receiver holds b and learns x_b]
O(N^{2/3}) Upper Bound on OT Complexity: Via 2-server PIR
Notation
• PIR algorithms: Q, A, R
– (q1, q2) ← Q(i, r); a_k ← A(k, q_k, DB); z ← R(i, r, a1, a2)
• Circuit for algorithm B: C(B); |C(B)| = #ANDs in C(B)
High-level idea: use 2-party secure computation to emulate client + 2 PIR servers
• DB = truth table of f
• Client query = x||y
[Figure: Alice (x, r1) and Bob (y, r2) run GMW(C(Q')) with Q' = Q(x||y, r1 ⊕ r2) to obtain q1 and q2; Alice computes a1 = A(1, q1, f), Bob computes a2 = A(2, q2, f); they run GMW(C(R')) with R' = R(x||y, r1 ⊕ r2, a1, a2) and both obtain f(x,y)]
Efficiency
• 2-server PIR [CGKS95]: |C(Q)| = |C(R)| = O(N^{2/3})
• By property of GMW: O(N^{2/3}) OT complexity, O(N^{2/3}) communication
Privacy
• Privacy of GMW
• Privacy of 2-server PIR: query does not leak additional info
More Applications
• Honest-majority secure computation
– Efficient in circuit size [RB89,BGW88]
– Specific setting: n = 3 parties with at most 1 corruption
– Communication 2^{Õ(√log N)} via 3-server PIR
• “ε-Secure Sampling” from joint distribution D [PP12]
– Protocol lets Alice & Bob sample (x,y) from D
• Alice knows nothing about y (beyond what is implied by D)
• Bob knows nothing about x (beyond what is implied by D)
– Rate of secure sampling D over [N] × [N] from OT
– New upper bound: O(N^{2/3} · poly(log N, 1/ε))
Talk Outline
• Main Technical Tool – PIR
• OT Complexity – Upper bound: O(N^{2/3}) (via 2-server PIR)
• Correlated Randomness Complexity – Upper bound: 2^{Õ(√log N)} (via 3-server PIR)
• PSM Complexity
• Share Complexity for Forbidden Graphs
Preprocessing Model (Recap)
Offline phase: correlated randomness
• Independent of inputs
• May depend on f
• OT correlations special case
Online phase
[Figure: Alice (x, rA) and Bob (y, rB) interact and both output f(x,y)]
Correlated randomness complexity of a function f: size of correlated randomness required to securely evaluate f
• Truth-table-based 2PC: O(N), via 1-out-of-N OT [BCR86]
• Correlated randomness complexity of the worst function in F_N?
Correlated Randomness Complexity: 2^{Õ(√log N)} Upper Bound, Via 3-server PIR
Notation
• PIR algorithms: Q, A, R
• Circuit for algorithm B: C(B); |C(B)| = #ANDs in C(B)
Key observation
• Individual PIR query independent of input
• Q = (Q_{1,2}, Q3): (q1, q2) ← Q_{1,2}(i, r), q3 ← Q3(r)
High-level idea: use 2-party secure computation to emulate client + 3 PIR servers
• DB = truth table of f
• Client query = x||y
Offline phase
[Figure: the dealer samples r1, r2, computes q3 = Q3(r1 ⊕ r2) and a3 = A(3, q3, f), additively shares a3 = a3,1 ⊕ a3,2, and gives Alice (r1, a3,1, OT_A) and Bob (r2, a3,2, OT_B), where OT_A, OT_B are the OT correlations for GMW]
Correlated randomness
• Shares of randomness for PIR query-generation algorithm
• Shares of answer to third PIR query
• OT correlations for GMW
Online phase
[Figure: Alice (x, r1, a3,1) and Bob (y, r2, a3,2) run GMW(C(Q')) with Q' = Q_{1,2}(x||y, r1 ⊕ r2) to obtain q1 and q2; Alice computes a1 = A(1, q1, f), Bob computes a2 = A(2, q2, f); they run GMW(C(R')) with R' = R(x||y, r1 ⊕ r2, a1, a2, a3,1 ⊕ a3,2) and both obtain f(x,y)]
Efficiency
• 3-server PIR [Efr09]: |C(Q)| = |C(R)| = 2^{Õ(√log N)}
• By property of GMW: 2^{Õ(√log N)} OT correlations, 2^{Õ(√log N)} communication
• Correlated randomness: 2^{Õ(√log N)}
Privacy
• Additive secret sharing
• Privacy of GMW
• Privacy of 3-server PIR: query does not leak additional info
Improving the Bounds?
• (OT + communication) complexity of 2PC
– Bounded by communication complexity of 2-server PIR
• Client shares its input, then acts as OT oracle
• (Correlated randomness + communication) complexity of 2PC
– Bounded by communication complexity of 3-server PIR [IKM+13]
• 3rd server provides correlated randomness to servers 1 & 2
• Qualitative explanation of difference in efficiency
– 2-server PIR ~ 2PC with OT preprocessing
– 3-server PIR ~ 2PC with arbitrary preprocessing
Summary
• Main Technical Tool – PIR
• OT Complexity – Upper bound: O(N^{2/3}) (via 2-server PIR)
• Correlated Randomness Complexity – Upper bound: 2^{Õ(√log N)} (via 3-server PIR)
• PSM Complexity – Upper bound: O(√N) (via 4-server PIR)
• Share Complexity for Forbidden Graphs – Upper bound: O(√N) (using PSM above)
Thank You!
Preliminary version: www.cs.umd.edu/~ranjit/BIKK.pdf
Slides: www.cs.umd.edu/~ranjit/BIKK.pptx
Talk Outline
• Main Technical Tool – PIR
• OT Complexity – Upper bound: O(N^{2/3}) (via 2-server PIR)
• Correlated Randomness Complexity – Upper bound: 2^{Õ(√log N)} (via 3-server PIR)
• PSM Complexity – Upper bound: O(√N) (via 4-server PIR)
• Share Complexity for Forbidden Graphs – Upper bound: O(√N) (using PSM above)
Share Complexity (Recap): Forbidden Graph Access Structures
Model
• External dealer + n parties
• Dealer inactive after sending “shares”
• Access structure: “authorized” subsets
Share complexity: size of each share
Forbidden graph [SS97]
• Graph G = (V,E) with |V| = N
• Authorized subsets: sets {u,v} with (u,v) ∈ E; any set of size 3
• O(N/log N) share complexity [DPGV96,EP97,B86]
• What is the share complexity of the worst N-vertex graph?
Bipartite Case: Forbidden Bipartite Graph
• Graph G = (L,R,E) with |L| = |R| = N
• Authorized subsets: {x,y} with x ∈ L, y ∈ R, (x,y) ∈ E; any set of size 3
• G associated with f : [N] × [N] → {0,1}
Secret sharing
• Share s using 3-out-of-2N Shamir secret sharing
• Also secret-share s = sL ⊕ sR ⊕ s'
– Send sL to every x ∈ L; send sR to every y ∈ R
– How to share s'?
PSM & Secret Sharing
PSM notation
• Shared randomness: r
• Alice with input x: message A_f(x, r)
• Bob with input y: message B_f(y, r)
High-level idea
• Shares: PSM messages
• Reconstruction: PSM reconstruction
Secret sharing scheme for s'
• If dealer input s' = 0: x ∈ L gets A_f(x0, r); y ∈ R gets B_f(y0, r)
• If dealer input s' = 1: x ∈ L gets A_f(x, r); y ∈ R gets B_f(y, r)
• Good for s' = 1
• For s' = 0: pick some x0, y0 s.t. f(x0, y0) = 0
[Figure: dealer with randomness r sends A_f(x, r) to x ∈ L and B_f(y, r) to y ∈ R]
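An added example (not code from the talk or the paper) covering two slides at once: the O(N) PSM from the "What is Known?" PSM slide (Alice sends her truth-table row cyclically shifted by s and masked by r1..rN, Bob sends y−s and r_{y−s}) is implemented first, and then used exactly as the slide above describes to share s' in the forbidden bipartite graph scheme, next to a 3-out-of-2N Shamir sharing for the size-3 sets and the additive split s = sL ⊕ sR ⊕ s'. Assumptions of mine: 0-based indices, the Mersenne prime 2^31−1 as the Shamir field (any prime above 2N works), party identifiers ('L', x) and ('R', y), all function names, and that the graph has at least one non-edge (otherwise every pair is authorized and no (x0, y0) exists).

```python
import secrets

# ---- The O(N) PSM from the slides: shifted, masked truth-table row ----

def psm_randomness(N, rng=secrets):
    """Shared randomness r = (s, (r_1..r_N)): random cyclic shift s, N mask bits."""
    return rng.randbelow(N), [rng.randbits(1) for _ in range(N)]

def psm_alice(f, N, x, r):
    """Alice's message: position j carries f(x, j+s) masked with r_j."""
    s, masks = r
    return [f(x, (j + s) % N) ^ masks[j] for j in range(N)]

def psm_bob(N, y, r):
    """Bob's message: the shifted position j = y-s and the mask r_j used there."""
    s, masks = r
    j = (y - s) % N
    return j, masks[j]

def psm_referee(msg_a, msg_b):
    """The referee sees a uniformly rotated, masked row plus one unmasking bit,
    so it learns f(x,y) and nothing else about x or y."""
    j, mask = msg_b
    return msg_a[j] ^ mask

# ---- 3-out-of-2N Shamir sharing for the "any set of size 3" part ----

P = 2**31 - 1   # assumed field: a prime larger than the number of parties 2N

def shamir_share(secret, n, t, rng=secrets):
    coeffs = [secret] + [rng.randbelow(P) for _ in range(t - 1)]
    return {pid: sum(c * pow(pid, e, P) for e, c in enumerate(coeffs)) % P
            for pid in range(1, n + 1)}

def shamir_reconstruct(shares):
    """Lagrange interpolation at 0 from any t shares {pid: value}."""
    secret = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret

# ---- Forbidden bipartite graph scheme: parties ('L', x), ('R', y), x, y in [N] ----

def shamir_id(pid, N):
    side, v = pid
    return v + 1 if side == 'L' else N + v + 1

def share_forbidden_bipartite(f, N, secret, rng=secrets):
    shamir = shamir_share(secret, 2 * N, 3, rng)
    sL, sR = rng.randbits(1), rng.randbits(1)
    s_prime = secret ^ sL ^ sR            # secret = sL ^ sR ^ s'
    r = psm_randomness(N, rng)
    if s_prime == 1:
        in_a, in_b = (lambda x: x), (lambda y: y)   # real inputs: PSM outputs f(x,y)
    else:
        # fixed non-edge (x0, y0): PSM outputs f(x0, y0) = 0 = s' for every pair
        # (assumed: G has a non-edge, otherwise every pair is authorized anyway)
        x0, y0 = next((x, y) for x in range(N) for y in range(N) if f(x, y) == 0)
        in_a, in_b = (lambda x: x0), (lambda y: y0)
    shares = {}
    for x in range(N):
        shares[('L', x)] = (shamir[shamir_id(('L', x), N)], sL, psm_alice(f, N, in_a(x), r))
    for y in range(N):
        shares[('R', y)] = (shamir[shamir_id(('R', y), N)], sR, psm_bob(N, in_b(y), r))
    return shares

def reconstruct(subset, N):
    """subset: {party_id: share} for an authorized set (any 3 parties, or an edge {x, y})."""
    if len(subset) >= 3:
        three = list(subset.items())[:3]
        return shamir_reconstruct({shamir_id(p, N): sh[0] for p, sh in three})
    (pa, sha), (pb, shb) = subset.items()
    if pa[0] == pb[0]:
        raise ValueError("two parties on the same side are not an authorized set")
    if pa[0] == 'R':
        (pa, sha), (pb, shb) = (pb, shb), (pa, sha)
    # edge {x, y}: sL ^ sR ^ (PSM output), and the PSM output equals s' on an edge
    return sha[1] ^ shb[1] ^ psm_referee(sha[2], shb[2])
```

Why a non-edge pair learns nothing follows from the three ingredients on the slide: two Shamir shares of a degree-2 polynomial are uniform, sL and sR are uniform bits, and for a pair with f(x,y) = 0 the PSM messages have the same distribution whether they encode (x, y) or (x0, y0), since PSM privacy lets the referee's view depend only on the output, which is 0 in both cases. The share size is dominated by Alice's PSM message, so a better PSM directly gives a better forbidden-graph scheme.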
Forbidden Graph Access Structures
• From bipartite to general graphs
– Decomposed into log N bipartite graphs
– Apply standard techniques [BL90,Sti94]
• Forbidden graph access structures
– O(√N) share complexity
– Via O(√N) PSM
• Scheme is non-linear (?)
– Matches best known lower bound for linear schemes: Ω(√N) [Min12]
Summary
• Cryptographic complexity of worst functions
– Main Technical Tool – PIR
• OT Complexity – Upper bound: O(N^{2/3}) (via 2-server PIR)
• Correlated Randomness Complexity – Upper bound: 2^{Õ(√log N)} (via 3-server PIR)
• PSM Complexity – Upper bound: O(√N) (via 4-server PIR)
• Share Complexity for Forbidden Graphs – Upper bound: O(√N) (using PSM above)
Talk Outline
• Main Technical Tool – PIR
• OT Complexity – Upper bound: O(N^{2/3}) (via 2-server PIR)
• Correlated Randomness Complexity – Upper bound: 2^{Õ(√log N)} (via 3-server PIR)
• PSM Complexity – Upper bound: O(√N) (via 4-server PIR)
• Share Complexity for Forbidden Graphs
PIR Examples [CGKS95]
2^d-server PIR with O(N^{1/d}) communication; basic example (d = 1): 2-server PIR
PIR queries
• T1 ⊆_R [N] (a uniformly random subset)
• T2 = T1 ⊕ i, where T ⊕ c = T ∪ {c} if c ∉ T, and T \ {c} if c ∈ T
PIR answers
• A(k, T_k) = ⊕_{j ∈ T_k} DB[j]
Reconstruction
• z = A(1,T1) ⊕ A(2,T2)
Efficiency
• Client → Server j: O(N) bits
• Server j → Client: 1 bit
[Figure: client with index i sends T1 and T2 to the two servers holding DB and receives the two answer bits]
PIR Examples [CGKS95]
2^d-server PIR with O(N^{1/d}) communication
• DB as d-dimensional hypercube
• Index i ↔ (i1, …, id): binary representation of (i − 1), split into d blocks
PIR queries
• Pick (T1, …, Td), each T_l ⊆_R [N^{1/d}]
• Server k ≡ (k1, …, kd) ∈ {0,1}^d gets query T^(k) = (T1 ⊕ (k1·i1), …, Td ⊕ (kd·id)), i.e. T_l is toggled at i_l exactly when k_l = 1
PIR answers
• A(k, T') = ⊕_{k1 ∈ T'_1, …, kd ∈ T'_d} DB[k1, …, kd]
Reconstruction
• z = A(1, T^(00…0)) ⊕ … ⊕ A(2^d, T^(11…1))
Efficiency
• Client → Server j: O(d·N^{1/d}) bits
• Server j → Client: 1 bit
[Figure: client with index i sends T^(00…0), …, T^(11…1) to servers S1, …, S_{2^d} and XORs the answer bits]
Reducing the #Servers [CGKS95]
Key observation: any server can emulate d other servers with cost O(N^{1/d})
Query T^(k) for server k ≡ (k1, …, kd): (T1 ⊕ (k1·i1), …, Td ⊕ (kd·id))
Example: 2-server O(N^{1/3}) PIR
• Server 1: query T^(000) = (T1, T2, T3)
– List “potential” queries for T^(100): (T1 ⊕ t, T2, T3) for t ∈ [N^{1/3}]
– Similarly for T^(010): (T1, T2 ⊕ t, T3) and T^(001): (T1, T2, T3 ⊕ t)
– Answer query & 3N^{1/3} “potential” queries
• Server 2: query T^(111) = (T1 ⊕ i1, T2 ⊕ i2, T3 ⊕ i3)
– List “potential” queries for T^(011), T^(101), T^(110)
– Answer query & 3N^{1/3} “potential” queries
• Client picks correct answer in each answer list and XORs them
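The three PIR slides above (basic 2-server scheme, the 2^d-server hypercube scheme, and the collapse to 2 servers with O(N^{1/3}) communication) as one added example; this is my code, not the authors' or [CGKS95]'s. It uses 0-based indices, so the hypercube coordinates are the base-N^{1/d} digits of i rather than of i − 1; the basic 2-server scheme is the d = 1 instance of the same functions, and the collapsed scheme follows the slide exactly, with each of the two servers answering its own query plus 3·N^{1/3} potential queries.

```python
import secrets
from itertools import product

def digits(i, m, d):
    """0-based index i in [m^d] -> d base-m digits (i_1, ..., i_d), most significant first."""
    out = []
    for _ in range(d):
        out.append(i % m)
        i //= m
    return tuple(reversed(out))

def flat_index(js, m):
    """Inverse of digits(): hypercube coordinates -> position in the bit array."""
    idx = 0
    for j in js:
        idx = idx * m + j
    return idx

def pir_queries(i, m, d, rng=secrets):
    """Client: random T_1..T_d subsets of [m]; server k in {0,1}^d gets T_l toggled at
    i_l exactly when k_l = 1.  Each single query is a tuple of uniformly random
    subsets, so no server on its own learns anything about i."""
    idx = digits(i, m, d)
    base = [frozenset(j for j in range(m) if rng.randbits(1)) for _ in range(d)]
    return {k: tuple(T ^ {il} if kl else T for T, il, kl in zip(base, idx, k))
            for k in product((0, 1), repeat=d)}

def pir_answer(db, m, query):
    """Server: one bit, the XOR of DB over the sub-cube T'_1 x ... x T'_d."""
    bit = 0
    for js in product(*query):
        bit ^= db[flat_index(js, m)]
    return bit

def pir_2d_servers(db, i, m, d):
    """Full 2^d-server scheme: the XOR of all 2^d answer bits is DB[i], because per
    coordinate [j_l in T_l] XOR [j_l in T_l ^ {i_l}] = [j_l == i_l]."""
    z = 0
    for q in pir_queries(i, m, d).values():
        z ^= pir_answer(db, m, q)
    return z

def answer_with_potentials(db, m, query):
    """Server emulating its 3 Hamming-distance-1 neighbours (d = 3): answer its own
    query and, for each coordinate l and each t in [m], the query with T'_l toggled
    at t.  Cost back to the client: 1 + 3m bits."""
    own = pir_answer(db, m, query)
    potentials = []
    for l in range(3):
        row = []
        for t in range(m):
            q = list(query)
            q[l] = q[l] ^ {t}
            row.append(pir_answer(db, m, tuple(q)))
        potentials.append(row)
    return own, potentials

def pir_2_servers(db, i, m):
    """Collapsed 2-server O(N^{1/3}) scheme: server 1 holds T^(000), server 2 holds
    T^(111); the client takes entry t = i_l from each potential list."""
    idx = digits(i, m, 3)
    queries = pir_queries(i, m, 3)
    own1, pot1 = answer_with_potentials(db, m, queries[(0, 0, 0)])
    own2, pot2 = answer_with_potentials(db, m, queries[(1, 1, 1)])
    z = own1 ^ own2
    for l in range(3):
        # server 1's list toggles T_l at t: t = i_l is the answer of the server with
        # a single 1 at position l; server 2's list toggles (T_l ^ {i_l}) at t, so
        # t = i_l restores T_l, i.e. the server with all bits 1 except position l
        z ^= pot1[l][idx[l]] ^ pot2[l][idx[l]]
    return z

def communication_bits(m, d):
    """(client -> one server, one server -> client): full 2^d-server scheme, and the
    collapsed 2-server scheme with d = 3 (both O(m) = O(N^{1/d}) per server)."""
    return (d * m, 1), (3 * m, 1 + 3 * m)
```

The potential lists cost the servers computation but not privacy: a server derives them from its own query alone, and that query is a uniformly random tuple of subsets whatever i is, so the non-collusion assumption on the slide is the only thing protecting i.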
Private Simultaneous Messages (Recap)
Model [FKN94]
• Single referee
• Two (or more) clients
• Non-interactive
• Referee learns only f(x,y)
• Clients share randomness, unknown to referee
• All parties know f
• No collusion
[Figure: Alice (x, r) and Bob (y, r) each send one message to the referee, who outputs f(x,y)]
PSM complexity of a function f: communication complexity of PSM protocol for f
• Efficient for small-depth formulae
• Worst case f: O(N) [FKN94]
• What is the PSM complexity of the worst function in F_N?
O(√N) Upper Bound on PSM Complexity: Via 4-server PIR
4-server PIR [CGKS95]: obtained by collapsing basic 16-server O(N^{1/4}) PIR scheme
Query T^(k) for server k ≡ (k1, …, k4): (T1 ⊕ (k1·i1), …, T4 ⊕ (k4·i4))
Key observation
• Index i ≡ (i1, i2, i3, i4)
• Input x specifies i1, i2; input y specifies i3, i4
• 15 of 16 servers emulated by clients
High-level idea: clients use shared randomness & referee’s help to emulate client + 3 PIR servers in 4-server PIR scheme of [CGKS95]
• DB = truth table of f
• Client query i = x||y
Query + answer generation
• Shared randomness fixes T^(0000) = (T1, …, T4)
• Alice knows T1 ⊕ i1, T2 ⊕ i2
– Answers for T^(**00)
– “Potential” answers for T^(**01), T^(**10)
• Bob knows T3 ⊕ i3, T4 ⊕ i4
– Answers for T^(00**)
– “Potential” answers for T^(01**), T^(10**)
• Missing query T^(1111) equals (T1 ⊕ i1, T2 ⊕ i2, T3 ⊕ i3, T4 ⊕ i4); answer to T^(1111) computed by referee
[Figure: from T^(0000) and the digits (i1, i2, i3, i4) of x||y, Alice derives T^(**00), T^(**01), T^(**10) and Bob derives T^(00**), T^(01**), T^(10**); the referee handles T^(1111)]
Reconstruction
• Selecting from “potential” answer list: use known PSM (small-depth circuit)
• PSM outputs XOR of these 15 answers
• Remaining answer computed by referee; finally, XORs this with PSM output
• Referee’s reconstruction function is “non-universal”
Summary
• Cryptographic complexity of worst functions
– Main Technical Tool – PIR
• OT Complexity – Upper bound: O(N^{2/3}) (via 2-server PIR)
• Correlated Randomness Complexity – Upper bound: 2^{Õ(√log N)} (via 3-server PIR)
• PSM Complexity – Upper bound: O(√N) (via 4-server PIR)
• Share Complexity for Forbidden Graphs – Upper bound: O(√N) (using PSM above)
The research leading to these results has received funding from the European Union's Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 259426 – ERC – Cryptography and Complexity