secure computation lecture 11-12 arpita patra. recap >> mpc with dishonest majority over...
TRANSCRIPT
Secure Computation Lecture 11-12
Arpita Patra
Recap
>> MPC with dishonest majority over Boolean circuit- [GMW87]
> Oblivious Transfer (from CPA secure PKE with key samplability)
> (n,n)-sharing
> Protocol for 2PC
Inputs are (2,2)-shared
Maintain invariant for every gate
XOR and NOT are free
AND gate evaluation needs two 1-out-of-2 OTs/ one 1-out-of 4 OT
> Extension to MPC (n-party case)
> Security Proof
>> Impossibility for i.t MPC with n<= 2t
Extension to Multiparty Case
To compute (2,2)-secret sharing of xiyj
>> Use (n,n) secret sharing instead of (2,2)-secret sharing
>> XOR and NOT gate evaluation extend in natural way in n party case
>> AND gate evaluation:
xy = (x1+x2 + ……+ xn) (y1+ y2 + ……+ yn)
= n summands that can be locally computed of the form (x1y1, ……, xnyn )
+
(n2-n) summands that need 1-out-of-2 OT for (2,2)-sharing ( x1y2 , y1x2 etc)
1-out-of-2OT
ri
ri + xi
yj
ri + xiyj
PiPj
AND Gate Evaluation
P0Pn
x0 xn
y0 yn
y
x
Two cross summands xiyj and yixj
Pi
xi
yi
Pj
xj
yj
1-out-of-2OT
ri
ri + xi
yj
ri + xiyj
1-out-of-2OT
yi
rj+ yixj
rj
rj + xj
Pi ‘s share: his summand + 2 shares of two cross terms (for every other party) >> Security will hold even in the presence of (n-1) corruptions. Adv will have no info about the shares held by the sole honest party (reduces to OT security)
OT is Complete for Secure Computation
>> the security of GMW is information-theoretic assuming ideal realization of OT.
>> the security of GMW relies on crypto only inside the OTs.
>> If OT can be realized i.t settings then secure computation via GMW can be done in i.t. settings.
>> Unconventional setting (noisy channel) where OT can be realized in i.t. security
Efficiency
Computation Complexity: O(n2cAND) PKE operations
Multiplication gate computation: O(1) PKE operation [1 PKE Op = one Gen, one Enc, one Dec]
Goal: O(n2cAND) SKE operations in offline phase
I.T online phase with no operations other than bit XOR. Round Complexity: O(d); d = multiplicative depth of the circuitGoal: Constant? Yes, will be discussed soon
>> Computation Complexity ≥ Communication Complexity (the parties will send subset of what it computes)
>> Unlike i.t. settings computation complexity matters here as we usually work on huge algebraic structures to maintain security
I.T settings: k > log n (perfect security) k > 40 (statistical security)
Comp. settings: k > 128 (symmetric key) k > 3248 (public key)
Efficiency
Computation Complexity: O(n2cAND) PKE operations
Goal: O(n2cAND) SKE operations in offline phase
I.T online phase with no operations other than bit XOR.
Step 1: O(n2cAND) OTs (PKE operations) in offline phase
I.T online phase with no operations other than bit XOR.
Step 2: O(n2cAND) SKE operations + k OTs in offline phase
I.T online phase with no operations other than bit XOR.
Preprocessing of OT
>> Can we run OTs on random inputs in the offline phase and use during online phase..
1-out-of-2OT
r0
r1
c
rc
P0P1
Preprocessing on Random Inputs
Computation in Online Phasem0
m1
b
mbz = b + c
If z = 0
y0 = m0 + r0 y1 = m1 + r1
If z = 1
y0 = m0 + r1y1 = m1 + r0 y0 , y1 mb = yb + rc
GMW in Offline/Online Setting
>> cAND OT operations in the offline phase.
Offline Phase
Online Phase
>> Cheap XOR operations in the online phase.
>> cAND PKE operations
>> Goal: cAND SKE operations + k OT operations (via OT-extension)
>> Information theoretic!!
Reducing OT to Symmetric Key Operations via OT Extension
>> OTs are intrinsically expensive- usually based on public key primitives
PRG
>> Millions of OTs are needed (think of distributed AES encryption)
>> Small no. X many no. X
> PRG: Truly Random short Seed huge (pseudo-)random string
> Hybrid Encryption: one instance of PKE many instances of PKE @ SKE operations
>> X (task/object): executing/generating X is not very efficient
None of this sort can be i.t.
s R {0,1}k PRG(s) {0,1}poly(k)
HEPKE
PKE
PKE
PKE
@ cheap op
@ cheap SKE
OT Extension
>> Small no. X many no. X
> OT Extension: k OTs poly(k) OTs
>> X: generating X is not very efficient
None of this sort can be i.t.
OT Extension@ cheap SKE
OT1
OT2
OTk
OT1
OT2
OT3
OTpoly(k)
>> OT Ext is not possible information theoretically [Bea96]
>> OT Ext with log(k) seed OTs implies OT from scratch [LZ13]
>> OT Ext implies OWF [LZ13]
Reduces the cost of OT to O(1)SKE operations
Roadmap for Building OT Extension [IKNP03]
OT1
OT2
OTk
OT1
OT2
OT3
OTm
k bit inpu
ts
OT1
OT2
OTk
m (=poly(k)) > k bit inputs
l bit inpu
tsr10
r11
r20
r21
r30
r31
rm0
rm1
b1
b2
b3
bm
r1 b1
r2 b2
rm bm
r3 b3
Cost for transformation
Cost for transformation
OT
k bit inpu
ts
m bit inputs
Transformation I: Domain Extension
k0
k1
b
kb
P0P1
m0
m1
y0 = G(k0) + m0
y1 = G(k1) + m1
PRG G: {0,1}k -> {0,1}m=poly(k)
y0 , y1 mb = G(kb) + yb
Transformation II: OT Extension
B= [b1,…bm]
P0P1
T= [T1
T2
.
Tm]
Q= [Q1 = T1 (if b1 = 0) / T1 + S (otherwise)
Q2 = T2 (if b2 = 0) / T2 + S (otherwise)
Qm = Tm (if bm = 0) / Tm + S (otherwise)]
r10
r11
r20
r21
rm0
rm1
r1 b1
r2 b2
rm bm
Random S is known to P0 only |Ti| = k
Transformation II: OT Extension
B= [b1,…bm]
P0P1
y10 = Q1 + r10
y11 = Q1 + S + r11
(y10 , y11 )…….. (ym0 , ym1 )
r1 b1 = T1 + y1 b1
r10
r11
r20
r21
rm0
rm1
T= [T1
T2
.
Tm]
ym0 = Qm + rm0
ym1 = Qm + S + rm1 rm bm = Tm + ym bm
Q= [Q1 = T1 (if b1 = 0) / T1 + S (otherwise)
Q2 = T2 (if b2 = 0) / T2 + S (otherwise)
Qm = Tm (if bm = 0) / Tm + S (otherwise)]
There’s a Big Bug!
Transformation II: OT Extension
B= [b1,…bm]
P0P1
(y10 , y11 )…….. (ym0 , ym1 )
r1 b1 = T1 + y1 b1
r10
r11
r20
r21
rm0
rm1
T= [T1
T2
.
Tk]
rm bm = Tm + ym bm
Q= [Q1 = T1 (if b1 = 0) / T1 + S (otherwise)
Q2 = T2 (if b2 = 0) / T2 + S (otherwise)
Qm = Tm (if bm = 0) / Tm + S (otherwise)]
Correlation Robust H: [m] × {0,1}k -> {0,1}l
y10 = H(1,Q1) + r10
y11 = H(1,Q1 + S) + r11
ym0 = H(m,Qm) + rm0
ym1 = H(m,Qm + S) + rm1
Given random and independent S, T1 ….. Tm , the joint distribution{H(T1 + S),…. H(Tm + S), T1 …..Tm } must be pseudo-random
Cryptographic Hash function: SHA 1/2/3, RC4
Transformation II: OT Extension
B= [b1,…bm]
P0P1
(y10 , y11 )…….. (ym0 , ym1 )
r1 b1 = T1 + y1 b1
r10
r11
r20
r21
rm0
rm1
T= [T1
T2
.
Tk]
rm bm = Tm + ym bm
Q= [Q1 = T1 (if b1 = 0) / T1 + S (otherwise)
Q2 = T2 (if b2 = 0) / T2 + S (otherwise)
Qm = Tm (if bm = 0) / Tm + S (otherwise)]
Random Function H: [m] × {0,1}k -> {0,1}l
y10 = H(1,Q1) + r10
y11 = H(1,Q1 + S) + r11
ym0 = H(m,Qm) + rm0
ym1 = H(m,Qm + S) + rm1
Every time query an input: same outputNew input: output is completely random in the rangeEvery RO is Correlation-Robust (HR) Hash function
A little diversion to RO Model
Random Function H: [m] × {0,1}k -> {0,1}l
>> Love and hate relationship with this model
>> Many protocols have proof in RO model which otherwise does not have any proof.
>> Protocol analyzed for Security: Hash functions replaced with RO box.
>> Proof is for any good?: Existence of such a proof implies the real protocol go wrong only when hash function does not simulate RO. Some proof better than no proof
>> Real protocol: RO replaced with hash functions
>> Examples: RSA-OEAP (practically in use). CCA-secure extension of RSA
>> Finding proof under relatively realistic assumption (e.g. CR) than RO has been very challenging and considered to be great achievement!!
Transformation II: OT Extension
B= [b1,…bm]
P0P1
T= [T1
T2
.
Tm]
Q= [Q1 = T1 (if b1 = 0) / T1 + S (otherwise)
Q2 = T2 (if b2 = 0) / T2 + S (otherwise)
Qm = Tm (if bm = 0) / Tm + S (otherwise)]
r10
r11
r20
r21
rm0
rm1
r1 b1
r2 b2
rm bm
Random S is known to P0 only |Ti| = k
Transformation II: OT Extension
B= [b1,…bm]
P0P1
r10
r11
r20
r21
rm0
rm1
OT1
s1
Q1
T1
T1 +
B
OT2
OTk
T is a {0,1}m.k matrixT = [T1 , …..Tk]T= [T1
T2
.
Tm]
T2
T2 +
B
Tk
Tk + B
s2
sk
Q2
Qk
Q is a {0,1}m.k matrixQ = [Q1 , …..Qk]Q= [Q1
Q2
.
Qm]
m bit inputs
Transformation II: OT Extension
B= [b1,…bm]
P0P1
OT1
s1
Q1
T1
T1 +
B
OT2
OTk
T is a {0,1}m.k matrixT = [T1 , …..Tk]T= [T1
T2
.
Tm]
T2
T2 +
B
Tk
Tk + B
s2
sk
Q2
Qk
Q= [Q1 = T1 (if b1 = 0) / T1 + S (otherwise)
T[1,1] + s1
Q2 = T2 (if b2 = 0) / T2 + S (otherwise)
Qm = Tm (if bm = 0) / Tm + S (otherwise)]
T[1,2] + s2
T[1,k] + sk
T[1,1]
T[1,2]
T[1,k]
Transformation II: Putting everything together
B= [b1,…bm]
P0P1
y10 = H(1,Q1) + r10
y11 = H(1,Q1 + S) + r11
(y10 , y11 )…….. (ym0 , ym1 )
r1 b1 = H(1,T1) + y1 b1
r10
r11
r20
r21
rm0
rm1
OT1
s1
Q1
T1
T1 +
B
OT2
OTk
T is a {0,1}m.k matrixT = [T1 , …..Tk]T= [T1
T2
.
Tk]
T2
T2 +
B
Tk
Tk + B
s2
sk
Q2
Qk
Q is a {0,1}m.k matrixQ = [Q1 , …..Qk]Q= [Q1
Q2
.
Qk]
ym0 = H(m,Qm) + rm0
ym1 = H(1,Qm + S) + rm1 rm bm = H(m,Tm) + ym bm
Roadmap for Building OT Extension [IKNP03]
OT1
OT2
OTk
OT1
OT2
OT3
OTm
k bit inpu
ts
OT1
OT2
OTk
m (=poly(k)) > k bit inputs
l bit inpu
tsr10
r11
r20
r21
r30
r31
rm0
rm1
b1
b2
b3
bm
r1 b1
r2 b2
rm bm
r3 b3
Security For Receiver
B= [b1,…bm]
P0P1
y10 = H(1,Q1) + r10
y11 = H(1,Q1 + S) + r11
(y10 , y11 )…….. (ym0 , ym1 )
r1 b1 = H(1,T1) + y1 b1
r10
r11
r20
r21
rm0
rm1
OT1
s1
Q1
T1
T1 +
B
OT2
OTk
T is a {0,1}m.k matrixT = [T1 , …..Tk]T= [T1
T2
.
Tk]
T2
T2 +
B
Tk
Tk + B
s2
sk
Q2
Qk
Q is a {0,1}m.k matrixQ = [Q1 , …..Qk]Q= [Q1
Q2
.
Qk]
ym0 = H(m,Qm) + rm0
ym1 = H(1,Qm + S) + rm1 rm bm = H(m,Tm) + ym bm
Reduces to the sender’s security of OT1 …OTk
Security For Sender
B= [b1,…bm]
P0P1
y10 = H(1,Q1) + r10
y11 = H(1,Q1 + S) + r11
(y10 , y11 )…….. (ym0 , ym1 )
r1 b1 = H(1,T1) + y1 b1
r10
r11
r20
r21
rm0
rm1
OT1
s1
Q1
T1
T1 +
B
OT2
OTk
T is a {0,1}m.k matrixT = [T1 , …..Tk]T= [T1
T2
.
Tk]
T2
T2 +
B
Tk
Tk + B
s2
sk
Q2
Qk
Q is a {0,1}m.k matrixQ = [Q1 , …..Qk]Q= [Q1
Q2
.
Qk]
ym0 = H(m,Qm) + rm0
ym1 = H(1,Qm + S) + rm1 rm bm = H(m,Tm) + ym bm
Reduces to the receiver’s security of OT1 …OTk
Reduces to the security of RO except with S=0
[IKNP03]: Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. Extending oblivious transfers efficiently. In CRYPTO ,pages 145–161, 2003.
Chalk & Talk
CT4: [KK13] Vladimir Kolesnikov and Ranjit Kumaresan. Improved ot extension for transferring short secrets. In CRYPTO(2), pages 54–70, 2013.
Open problem:
IKNP03 has been extended for malicious security with almost the same cost
Doing the same for KK13 is an interesting open question.Practical Project:
Implement the best known OT extension!
1-out-of-4 OT from 1-out-of-2 OT
S Rm00
m01
m10
m11
b0
b1
Deck b1Deck’ b0(cb0 b1 )
c00 Enck0(Enck’0(m00))
c01 Enck0(Enck’1(m01))
(c00,c01, c10,c11)
1-out-of-2OT
k0
k1
b0
kb0
k0, k1 : key for SKE with C = M
1-out-of-2OT
k’0
k’1
b1
k’b1
c10 Enck1(Enck’0(m10))
c11 Enck1(Enck’1(m11))
Motivating Yao
Computation Complexity: O(n2cAND) SKE operations + k OTs in offline phase
I.T online phase with no operations other than bit XOR.
Round Complexity: O(d); d = multiplicative depth of the circuit
Computation Complexity: k OTs in offline phase
O(c) SKE operations for every gate in online phase.
Round Complexity: two rounds
Many application requires less interaction!
Yao is only for two parties!! And does not extend to n-party unlike GMW87
Constant Round Protocol 2-party protocol- [Yoa82]
Garbled Circuit / Scrambled Circuit / Encrypted circuit: Phenomenal Idea!
Andrew Chi-Chih Yao. Protocols for secure computations (extended abstract). In FOCS , pages 160–164, 1982.
Yehuda Lindell, Benny Pinkas: A Proof of Security of Yao's Protocol for Two-Party Computation. J. Cryptology 22(2): 161-188 (2009)
Looking Ahead and a few open problems…
>> Garbled circuit is still an active area of research. How concisely we can construct garbled circuit? Application in verifiable computation..open problems
>> Yao’s 2PC protocol is so asymmetric that it took a decade to extend Yao for multiparty [BMR90] (note unlike GMW it is not easy to extend for n-party)
>> [BMR90] does it for honest majority. Another two decades for dishonest majority setting [LPSY15]
>> [BMR90] and [LPSY15] could not extend the optimizations done for Yao’s garbled circuit. ..open problem
>> Non-interactive Secure Computation: Yao leads to 2-round protocol (non-interactive). Extended for malicious. Not as efficient as malicious 2PC with constant rounds ..open problem
>> Heated Argument: GMW or Yao?
[SZ13] Thomas Schneider, Michael Zohner: GMW vs. Yao? Efficient Secure Two-Party Computation with Low Depth Circuit. Financial Cryptography 2013: 275-292http://fc13.ifca.ai/proc/8-3.pdf
Yao’s Garbled Circuit
It enables one to evaluate a circuit without knowing the inputs to the circuit
x1 x2 x3 x4
f(x1, x2, x3, x4)
+
Step 1: Every wire is associated with a pair of identical looking keys.
0 1
No information about the associated bit can be inferred from a key corresponding to a wire
Garbling of wires complete!
Yao’s Garbled Circuit
+
Yao’s Garbled Circuit
Step 2: Every two input gate is associated with four doubly locked boxes
Each pair of input wire keys (one from each input wire) will open one and only one box.
What’s there in the boxes?- Appropriate gate output wire key.
Assume AND gate:
1st input wire
2nd Input wire Output wire
Key for 0 Key for 0 Key for 0
Key for 0 Key for 1 Key for 0
Key for 1 Key for 0 Key for 0
Key for 1 Key for 1 Key for 1
Boxes are randomly permutated
Yao’s Garbled Circuit
Step 2: Every two input gate is associated with four doubly locked boxes
Each pair of input wire keys (one from each input wire) will open one and only box.
What’s there in the boxes?- Appropriate gate output wire key.
Assume XOR gate:
1st input wire
2nd Input wire Output wire
Key for 0 Key for 0 Key for 0
Key for 0 Key for 1 Key for 1
Key for 1 Key for 0 Key for 1
Key for 1 Key for 1 Key for 0
Yao’s Garbled Circuit
Step 2: Every one input gate is associated with two doubly locked boxes
Each input wire key will open exactly one box.
What’s there in the boxes?- Appropriate gate output wire key.
Assume NOT gate:
Input wire Output wire
Key for 0 Key for 1
Key for 1 Key for 0
Yao’s Garbled Circuit
It enables one to evaluate a circuit without knowing the inputs to the circuit. x1 x2 x3 x4
f(x1, x2, x3, x4)
+
Step 1: Every wire is associated with a pair of identical looking keys.
Step 2: Every two input gate is associated with four doubly locked boxes (in randomly permuted order) so that each pair of keys (one from each input wire) will open one and only one box.Garbled Circuit: Pairs of keys for all the wires in the circuit + four/two locked boxes for each gate
Yao’s Garbled Circuit
It enables one to evaluate a circuit without knowing the inputs to the circuit. x1 x2 x3 x4
f(x1, x2, x3, x4)
+
Garbled Circuit: Pairs of keys for all the wires in the circuit + four/two locked boxes for each gate+ meaning of the output wire keys
1. Give input keys corresponding to the inputs and the locked boxes for all the gates in the circuit. 2. For every gate, exactly one box can be opened and the key corresponding to the output value for the inputs can be obtained3. For the output gate, the key corresponding to the output value for given inputs can be obtained.Output
Physical Keys: Keys of SKE
Locked boxes: Encryptions
Doubly Locked boxes: Double Encryptions
Yao’s 2 Party Protocol
Y = (y1,y2,…yk )P0P1X = (x1,x2,…xk )
Circuit Constructor Circuit Evaluator
1. Construct a Garbled Circuit for Circuit C: Pairs of keys for all the wires in the circuit + four/two locked boxes for each gate+ meaning of the output wire keys
Keys corresponding to X = (x1,x2,…xk
) and the locked boxes of all the gates + meaning of the output wire keys
OT1k0
w1
k1w1
y1
OTk
ky1w1
k0wk
k1wk
yk
kykwk
Evaluate the garbled circuit with the given input keys and interpret the output Z using+ meaning of the output wire keys
Z
Chalk & Talk
CT6: [SZ13] Thomas Schneider, Michael Zohner: GMW vs. Yao? Efficient Secure Two-Party Computation with Low Depth Circuit. Financial Cryptography 2013: 275-292http://fc13.ifca.ai/proc/8-3.pdf
CT5: [BMR90]Donald Beaver, Silvio Micali, Phillip Rogaway:The Round Complexity of Secure Protocols (Extended Abstract). STOC 1990: 503-513.http://web.cs.ucla.edu/~rafail/TEACHING/SPRING-2004/WEB-RESOURCES/BMR.pdf