![Page 1: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/1.jpg)
Non-InteractiveSecureComputationfromOne-WayFunctions
SaikrishnaBadrinarayanan Abhishek Jain(UCLA) (JHU)
Rafail Ostrovsky IvanVisconti(UCLA) (UniversityofSalerno)
![Page 2: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/2.jpg)
SecureTwoPartyComputation
P1 P2
Inputx Inputy
Functionf
Goal:Bothpartieswishtorunaprotocolattheendofwhichtheybothlearntheoutputofthefunctionontheirjointinputs.
![Page 3: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/3.jpg)
SecureTwoPartyComputation
P1 P2
Inputx Inputy
Functionf
Security:Informally,adversaryshouldnotlearnanythingaboutyotherthanf(x,y)!
![Page 4: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/4.jpg)
UC-SecureComputation[Canetti01]
P1 P2Inputx1 Inputx2
P3Inputz3
Inputy1
Inputy3
Inputz2
P4
Inputw4
Inputw2
Manysessionsareexecutedinparallel
Functionf
Functiong Functionp
![Page 5: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/5.jpg)
UC-SecureComputation[Canetti01]
P1 P2Inputx1 Inputx2
P3Inputz3
Inputy1
Inputy3
Inputz2
P4
Inputw4
Inputw2
Informally,adversaryshouldnotlearnanythingotherthanfunctionoutputs!
Functionf
Functiong Functionp
![Page 6: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/6.jpg)
Continued..
• Numerousapplications• Unfortunately,impossibletoconstructwithoutasetup
assumption!
![Page 7: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/7.jpg)
SetupAssumptions• CommonReferenceString[Canetti-Lindell-
Ostrovsky-Sahai 02]
• PhysicalAssumptions– HardwareTokens[Katz07]
– PhysicallyUncloneable Functions(PUFs)
Focusofthispaper
![Page 8: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/8.jpg)
HardwareTokens[Katz07]
• Apieceofhardwarethatcanevaluateanyfunction(embeddedinsideit)oninputqueries.
• Physicalmanifestationofidealobfuscation?• Difference:Needthehardwareobjectinhandtobeableto
queryandrecoveroutput.
Inputx Outputf(x)Functionf
![Page 9: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/9.jpg)
TypesofHardwareTokens
• Stateless:– Honesttokendoesnothaveanymemoryacrossinvocations.
• Stateful:– Tokencanmaintainmemory.– Hardertodesignsuchtokens.– Easiertodesignprotocolsusingthem.
Focusofthistalk
Challenge:Adversarialtokenscanbestateful!
![Page 10: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/10.jpg)
MotivatingScenario
Input:DNADatax
Encrypt(x)
Encryptf(x)
Decryptandlearnf(x)=listofrelativesGoal:Alicewantstopublishanencryptionofher
privateDNAdatatoanorganizationthatcancomputethesetofrelativesofagivenDNAsample.
Securityrequirement:Alice’sprivatedataandcompany’sdatashouldbehidden.
Reusablemessage
Input:DNAmatchingalgorithm
![Page 11: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/11.jpg)
Non-interactivesecurecomputation(NISC)[IKOPS’11]
• Formalizesthescenariointhepreviousslide.
Input:xEncrypt(x)
Input:y
Encryptf(x,y)
Decryptandlearnf(x,y)
Securityrequirement:asinstandardtwopartycomputation
Reusablemessageforinputx
![Page 12: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/12.jpg)
Priorwork
• [IKOPS11]:NISCinOTHybridmodel.• [AMPR14,MR17]: NISCinCRSmodelfromOT+onewayfunctions.
• [CJS14]:UC-secureNISCinGlobalRandomOraclemodelfromOT+onewayfunctions.
• [BGISW17]:NISCinplainmodelfromsub-exponentiallysecureOT+onewayfunctions.
![Page 13: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/13.jpg)
Question
• CanweachieveNISCfromtheminimalassumptionofOne-WayFunctions?
• Further,canweachieveUCsecurity?
![Page 14: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/14.jpg)
OurResult
• UC-securenon-interactivesecurecomputationassumingone-wayfunctionsusingasinglestatelesshardwaretoken.
• Optimalintermsofassumptionsandnumberoftokens.
• AchievesUCsecurityunlikeallpriorworkexceptCJS14.
![Page 15: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/15.jpg)
OurResults:Corollary
• TwomessageUC-securetwopartycomputationwherebothpartiesreceiveoutput,assumingonewayfunctions usingasinglestatelesshardwaretoken.
![Page 16: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/16.jpg)
Techniques
![Page 17: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/17.jpg)
Tokendirection:Priorworks
Receiver:inputxSender:inputy
.
.
.
Issuesinoursetting:1. Needafreshtokenforeachnewinteractionwitha
fixedreusablereceivermessage.2. Allpriorworksrequireatleast tworoundsof
interactionaftersendertoken.
Inallpriorworks,tokensentbythesender.
![Page 18: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/18.jpg)
Solution:TokenfromReceiver
Receiver:inputxSender:inputy
message
Reusablex
![Page 19: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/19.jpg)
MainChallenge:ResettingAttacks
1. Howtopreventsenderfromresettingthetokenandtryingdifferentinputsy?
2. Needthereceivertoauthenticatethesender’sinputtothetokenbeforeitprocessedbythetoken.
3. Butthatwilltakeatleast2rounds!
Solution:1. Weallowthesendertoresetthetoken!2. However,tokeniscarefullydesignedtoperformonly
“encrypted”computationthatislaterdecryptedbythereceiver.
3. Hence,evenontryingdifferentinputs,senderdoesn’tlearnanythingmeaningfulfromthetoken.
![Page 20: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/20.jpg)
OtherChallenges
• Selectiveabortattacks.• Subliminalchannelinformationthroughtoken.
• AchievingstraightlinesimulationtogetUCsecurity.
• Pleaserefertothepaperformoredetails!https://eprint.iacr.org/2018/1020
![Page 21: Non-Interactive Secure Computation from One-Way Functions · Secure Two Party Computation P 1 P 2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of](https://reader034.vdocuments.site/reader034/viewer/2022050211/5f5d606e8e9cd67a8f3c88bb/html5/thumbnails/21.jpg)