Secure Computation Lecture 11-12

Arpita Patra

Recap

>> MPC with dishonest majority over Boolean circuit- [GMW87]

> Oblivious Transfer (from CPA secure PKE with key samplability)

> (n,n)-sharing

> Protocol for 2PC

Inputs are (2,2)-shared

Maintain invariant for every gate

XOR and NOT are free

AND gate evaluation needs two 1-out-of-2 OTs/ one 1-out-of 4 OT

> Extension to MPC (n-party case)

> Security Proof

>> Impossibility for i.t MPC with n<= 2t

Extension to Multiparty Case

To compute (2,2)-secret sharing of xiyj

>> Use (n,n) secret sharing instead of (2,2)-secret sharing

>> XOR and NOT gate evaluation extend in natural way in n party case

>> AND gate evaluation:

xy = (x1+x2 + ……+ xn) (y1+ y2 + ……+ yn)

= n summands that can be locally computed of the form (x1y1, ……, xnyn )

+

(n2-n) summands that need 1-out-of-2 OT for (2,2)-sharing ( x1y2 , y1x2 etc)

1-out-of-2OT

ri

ri + xi

yj

ri + xiyj

PiPj

AND Gate Evaluation

P0Pn

x0 xn

y0 yn

y

x

Two cross summands xiyj and yixj

Pi

xi

yi

Pj

xj

yj

1-out-of-2OT

ri

ri + xi

yj

ri + xiyj

1-out-of-2OT

yi

rj+ yixj

rj

rj + xj

Pi ‘s share: his summand + 2 shares of two cross terms (for every other party) >> Security will hold even in the presence of (n-1) corruptions. Adv will have no info about the shares held by the sole honest party (reduces to OT security)

OT is Complete for Secure Computation

>> the security of GMW is information-theoretic assuming ideal realization of OT.

>> the security of GMW relies on crypto only inside the OTs.

>> If OT can be realized i.t settings then secure computation via GMW can be done in i.t. settings.

>> Unconventional setting (noisy channel) where OT can be realized in i.t. security

Efficiency

Computation Complexity: O(n2cAND) PKE operations

Multiplication gate computation: O(1) PKE operation [1 PKE Op = one Gen, one Enc, one Dec]

Goal: O(n2cAND) SKE operations in offline phase

I.T online phase with no operations other than bit XOR. Round Complexity: O(d); d = multiplicative depth of the circuitGoal: Constant? Yes, will be discussed soon

>> Computation Complexity ≥ Communication Complexity (the parties will send subset of what it computes)

>> Unlike i.t. settings computation complexity matters here as we usually work on huge algebraic structures to maintain security

I.T settings: k > log n (perfect security) k > 40 (statistical security)

Comp. settings: k > 128 (symmetric key) k > 3248 (public key)

Efficiency

Computation Complexity: O(n2cAND) PKE operations

Goal: O(n2cAND) SKE operations in offline phase

I.T online phase with no operations other than bit XOR.

Step 1: O(n2cAND) OTs (PKE operations) in offline phase

I.T online phase with no operations other than bit XOR.

Step 2: O(n2cAND) SKE operations + k OTs in offline phase

I.T online phase with no operations other than bit XOR.

Preprocessing of OT

>> Can we run OTs on random inputs in the offline phase and use during online phase..

1-out-of-2OT

r0

r1

c

rc

P0P1

Preprocessing on Random Inputs

Computation in Online Phasem0

m1

b

mbz = b + c

If z = 0

y0 = m0 + r0 y1 = m1 + r1

If z = 1

y0 = m0 + r1y1 = m1 + r0 y0 , y1 mb = yb + rc

GMW in Offline/Online Setting

>> cAND OT operations in the offline phase.

Offline Phase

Online Phase

>> Cheap XOR operations in the online phase.

>> cAND PKE operations

>> Goal: cAND SKE operations + k OT operations (via OT-extension)

>> Information theoretic!!

Reducing OT to Symmetric Key Operations via OT Extension

>> OTs are intrinsically expensive- usually based on public key primitives

PRG

>> Millions of OTs are needed (think of distributed AES encryption)

>> Small no. X many no. X

> PRG: Truly Random short Seed huge (pseudo-)random string

> Hybrid Encryption: one instance of PKE many instances of PKE @ SKE operations

>> X (task/object): executing/generating X is not very efficient

None of this sort can be i.t.

s R {0,1}k PRG(s) {0,1}poly(k)

HEPKE

PKE

PKE

PKE

@ cheap op

@ cheap SKE

OT Extension

>> Small no. X many no. X

> OT Extension: k OTs poly(k) OTs

>> X: generating X is not very efficient

None of this sort can be i.t.

OT Extension@ cheap SKE

OT1

OT2

OTk

OT1

OT2

OT3

OTpoly(k)

>> OT Ext is not possible information theoretically [Bea96]

>> OT Ext with log(k) seed OTs implies OT from scratch [LZ13]

>> OT Ext implies OWF [LZ13]

Reduces the cost of OT to O(1)SKE operations

Roadmap for Building OT Extension [IKNP03]

OT1

OT2

OTk

OT1

OT2

OT3

OTm

k bit inpu

ts

OT1

OT2

OTk

m (=poly(k)) > k bit inputs

l bit inpu

tsr10

r11

r20

r21

r30

r31

rm0

rm1

b1

b2

b3

bm

r1 b1

r2 b2

rm bm

r3 b3

Cost for transformation

Cost for transformation

OT

k bit inpu

ts

m bit inputs

Transformation I: Domain Extension

k0

k1

b

kb

P0P1

m0

m1

y0 = G(k0) + m0

y1 = G(k1) + m1

PRG G: {0,1}k -> {0,1}m=poly(k)

y0 , y1 mb = G(kb) + yb

Transformation II: OT Extension

B= [b1,…bm]

P0P1

T= [T1

T2

.

Tm]

Q= [Q1 = T1 (if b1 = 0) / T1 + S (otherwise)

Q2 = T2 (if b2 = 0) / T2 + S (otherwise)

Qm = Tm (if bm = 0) / Tm + S (otherwise)]

r10

r11

r20

r21

rm0

rm1

r1 b1

r2 b2

rm bm

Random S is known to P0 only |Ti| = k

Transformation II: OT Extension

B= [b1,…bm]

P0P1

y10 = Q1 + r10

y11 = Q1 + S + r11

(y10 , y11 )…….. (ym0 , ym1 )

r1 b1 = T1 + y1 b1

r10

r11

r20

r21

rm0

rm1

T= [T1

T2

.

Tm]

ym0 = Qm + rm0

ym1 = Qm + S + rm1 rm bm = Tm + ym bm

Q= [Q1 = T1 (if b1 = 0) / T1 + S (otherwise)

Q2 = T2 (if b2 = 0) / T2 + S (otherwise)

Qm = Tm (if bm = 0) / Tm + S (otherwise)]

There’s a Big Bug!

Transformation II: OT Extension

B= [b1,…bm]

P0P1

(y10 , y11 )…….. (ym0 , ym1 )

r1 b1 = T1 + y1 b1

r10

r11

r20

r21

rm0

rm1

T= [T1

T2

.

Tk]

rm bm = Tm + ym bm

Q= [Q1 = T1 (if b1 = 0) / T1 + S (otherwise)

Q2 = T2 (if b2 = 0) / T2 + S (otherwise)

Qm = Tm (if bm = 0) / Tm + S (otherwise)]

Correlation Robust H: [m] × {0,1}k -> {0,1}l

y10 = H(1,Q1) + r10

y11 = H(1,Q1 + S) + r11

ym0 = H(m,Qm) + rm0

ym1 = H(m,Qm + S) + rm1

Given random and independent S, T1 ….. Tm , the joint distribution{H(T1 + S),…. H(Tm + S), T1 …..Tm } must be pseudo-random

Cryptographic Hash function: SHA 1/2/3, RC4

Transformation II: OT Extension

B= [b1,…bm]

P0P1

(y10 , y11 )…….. (ym0 , ym1 )

r1 b1 = T1 + y1 b1

r10

r11

r20

r21

rm0

rm1

T= [T1

T2

.

Tk]

rm bm = Tm + ym bm

Q= [Q1 = T1 (if b1 = 0) / T1 + S (otherwise)

Q2 = T2 (if b2 = 0) / T2 + S (otherwise)

Qm = Tm (if bm = 0) / Tm + S (otherwise)]

Random Function H: [m] × {0,1}k -> {0,1}l

y10 = H(1,Q1) + r10

y11 = H(1,Q1 + S) + r11

ym0 = H(m,Qm) + rm0

ym1 = H(m,Qm + S) + rm1

Every time query an input: same outputNew input: output is completely random in the rangeEvery RO is Correlation-Robust (HR) Hash function

A little diversion to RO Model

Random Function H: [m] × {0,1}k -> {0,1}l

>> Love and hate relationship with this model

>> Many protocols have proof in RO model which otherwise does not have any proof.

>> Protocol analyzed for Security: Hash functions replaced with RO box.

>> Proof is for any good?: Existence of such a proof implies the real protocol go wrong only when hash function does not simulate RO. Some proof better than no proof

>> Real protocol: RO replaced with hash functions

>> Examples: RSA-OEAP (practically in use). CCA-secure extension of RSA

>> Finding proof under relatively realistic assumption (e.g. CR) than RO has been very challenging and considered to be great achievement!!

Transformation II: OT Extension

B= [b1,…bm]

P0P1

T= [T1

T2

.

Tm]

Q= [Q1 = T1 (if b1 = 0) / T1 + S (otherwise)

Q2 = T2 (if b2 = 0) / T2 + S (otherwise)

Qm = Tm (if bm = 0) / Tm + S (otherwise)]

r10

r11

r20

r21

rm0

rm1

r1 b1

r2 b2

rm bm

Random S is known to P0 only |Ti| = k

Transformation II: OT Extension

B= [b1,…bm]

P0P1

r10

r11

r20

r21

rm0

rm1

OT1

s1

Q1

T1

T1 +

B

OT2

OTk

T is a {0,1}m.k matrixT = [T1 , …..Tk]T= [T1

T2

.

Tm]

T2

T2 +

B

Tk

Tk + B

s2

sk

Q2

Qk

Q is a {0,1}m.k matrixQ = [Q1 , …..Qk]Q= [Q1

Q2

.

Qm]

m bit inputs

Transformation II: OT Extension

B= [b1,…bm]

P0P1

OT1

s1

Q1

T1

T1 +

B

OT2

OTk

T is a {0,1}m.k matrixT = [T1 , …..Tk]T= [T1

T2

.

Tm]

T2

T2 +

B

Tk

Tk + B

s2

sk

Q2

Qk

Q= [Q1 = T1 (if b1 = 0) / T1 + S (otherwise)

T[1,1] + s1

Q2 = T2 (if b2 = 0) / T2 + S (otherwise)

Qm = Tm (if bm = 0) / Tm + S (otherwise)]

T[1,2] + s2

T[1,k] + sk

T[1,1]

T[1,2]

T[1,k]

Transformation II: Putting everything together

B= [b1,…bm]

P0P1

y10 = H(1,Q1) + r10

y11 = H(1,Q1 + S) + r11

(y10 , y11 )…….. (ym0 , ym1 )

r1 b1 = H(1,T1) + y1 b1

r10

r11

r20

r21

rm0

rm1

OT1

s1

Q1

T1

T1 +

B

OT2

OTk

T is a {0,1}m.k matrixT = [T1 , …..Tk]T= [T1

T2

.

Tk]

T2

T2 +

B

Tk

Tk + B

s2

sk

Q2

Qk

Q is a {0,1}m.k matrixQ = [Q1 , …..Qk]Q= [Q1

Q2

.

Qk]

ym0 = H(m,Qm) + rm0

ym1 = H(1,Qm + S) + rm1 rm bm = H(m,Tm) + ym bm

Roadmap for Building OT Extension [IKNP03]

OT1

OT2

OTk

OT1

OT2

OT3

OTm

k bit inpu

ts

OT1

OT2

OTk

m (=poly(k)) > k bit inputs

l bit inpu

tsr10

r11

r20

r21

r30

r31

rm0

rm1

b1

b2

b3

bm

r1 b1

r2 b2

rm bm

r3 b3

Security For Receiver

B= [b1,…bm]

P0P1

y10 = H(1,Q1) + r10

y11 = H(1,Q1 + S) + r11

(y10 , y11 )…….. (ym0 , ym1 )

r1 b1 = H(1,T1) + y1 b1

r10

r11

r20

r21

rm0

rm1

OT1

s1

Q1

T1

T1 +

B

OT2

OTk

T is a {0,1}m.k matrixT = [T1 , …..Tk]T= [T1

T2

.

Tk]

T2

T2 +

B

Tk

Tk + B

s2

sk

Q2

Qk

Q is a {0,1}m.k matrixQ = [Q1 , …..Qk]Q= [Q1

Q2

.

Qk]

ym0 = H(m,Qm) + rm0

ym1 = H(1,Qm + S) + rm1 rm bm = H(m,Tm) + ym bm

Reduces to the sender’s security of OT1 …OTk

Security For Sender

B= [b1,…bm]

P0P1

y10 = H(1,Q1) + r10

y11 = H(1,Q1 + S) + r11

(y10 , y11 )…….. (ym0 , ym1 )

r1 b1 = H(1,T1) + y1 b1

r10

r11

r20

r21

rm0

rm1

OT1

s1

Q1

T1

T1 +

B

OT2

OTk

T is a {0,1}m.k matrixT = [T1 , …..Tk]T= [T1

T2

.

Tk]

T2

T2 +

B

Tk

Tk + B

s2

sk

Q2

Qk

Q is a {0,1}m.k matrixQ = [Q1 , …..Qk]Q= [Q1

Q2

.

Qk]

ym0 = H(m,Qm) + rm0

ym1 = H(1,Qm + S) + rm1 rm bm = H(m,Tm) + ym bm

Reduces to the receiver’s security of OT1 …OTk

Reduces to the security of RO except with S=0

[IKNP03]: Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. Extending oblivious transfers efficiently. In CRYPTO ,pages 145–161, 2003.

Chalk & Talk

CT4: [KK13] Vladimir Kolesnikov and Ranjit Kumaresan. Improved ot extension for transferring short secrets. In CRYPTO(2), pages 54–70, 2013.

Open problem:

IKNP03 has been extended for malicious security with almost the same cost

Doing the same for KK13 is an interesting open question.Practical Project:

Implement the best known OT extension!

1-out-of-4 OT from 1-out-of-2 OT

S Rm00

m01

m10

m11

b0

b1

Deck b1Deck’ b0(cb0 b1 )

c00 Enck0(Enck’0(m00))

c01 Enck0(Enck’1(m01))

(c00,c01, c10,c11)

1-out-of-2OT

k0

k1

b0

kb0

k0, k1 : key for SKE with C = M

1-out-of-2OT

k’0

k’1

b1

k’b1

c10 Enck1(Enck’0(m10))

c11 Enck1(Enck’1(m11))

Motivating Yao

Computation Complexity: O(n2cAND) SKE operations + k OTs in offline phase

I.T online phase with no operations other than bit XOR.

Round Complexity: O(d); d = multiplicative depth of the circuit

Computation Complexity: k OTs in offline phase

O(c) SKE operations for every gate in online phase.

Round Complexity: two rounds

Many application requires less interaction!

Yao is only for two parties!! And does not extend to n-party unlike GMW87

Constant Round Protocol 2-party protocol- [Yoa82]

Garbled Circuit / Scrambled Circuit / Encrypted circuit: Phenomenal Idea!

Andrew Chi-Chih Yao. Protocols for secure computations (extended abstract). In FOCS , pages 160–164, 1982.

Yehuda Lindell, Benny Pinkas: A Proof of Security of Yao's Protocol for Two-Party Computation. J. Cryptology 22(2): 161-188 (2009)

Looking Ahead and a few open problems…

>> Garbled circuit is still an active area of research. How concisely we can construct garbled circuit? Application in verifiable computation..open problems

>> Yao’s 2PC protocol is so asymmetric that it took a decade to extend Yao for multiparty [BMR90] (note unlike GMW it is not easy to extend for n-party)

>> [BMR90] does it for honest majority. Another two decades for dishonest majority setting [LPSY15]

>> [BMR90] and [LPSY15] could not extend the optimizations done for Yao’s garbled circuit. ..open problem

>> Non-interactive Secure Computation: Yao leads to 2-round protocol (non-interactive). Extended for malicious. Not as efficient as malicious 2PC with constant rounds ..open problem

>> Heated Argument: GMW or Yao?

[SZ13] Thomas Schneider, Michael Zohner: GMW vs. Yao? Efficient Secure Two-Party Computation with Low Depth Circuit. Financial Cryptography 2013: 275-292http://fc13.ifca.ai/proc/8-3.pdf

Yao’s Garbled Circuit

It enables one to evaluate a circuit without knowing the inputs to the circuit

x1 x2 x3 x4

f(x1, x2, x3, x4)

+

Step 1: Every wire is associated with a pair of identical looking keys.

0 1

No information about the associated bit can be inferred from a key corresponding to a wire

Garbling of wires complete!

Yao’s Garbled Circuit

+

Yao’s Garbled Circuit

Step 2: Every two input gate is associated with four doubly locked boxes

Each pair of input wire keys (one from each input wire) will open one and only one box.

What’s there in the boxes?- Appropriate gate output wire key.

Assume AND gate:

1st input wire

2nd Input wire Output wire

Key for 0 Key for 0 Key for 0

Key for 0 Key for 1 Key for 0

Key for 1 Key for 0 Key for 0

Key for 1 Key for 1 Key for 1

Boxes are randomly permutated

Yao’s Garbled Circuit

Step 2: Every two input gate is associated with four doubly locked boxes

Each pair of input wire keys (one from each input wire) will open one and only box.

What’s there in the boxes?- Appropriate gate output wire key.

Assume XOR gate:

1st input wire

2nd Input wire Output wire

Key for 0 Key for 0 Key for 0

Key for 0 Key for 1 Key for 1

Key for 1 Key for 0 Key for 1

Key for 1 Key for 1 Key for 0

Yao’s Garbled Circuit

Step 2: Every one input gate is associated with two doubly locked boxes

Each input wire key will open exactly one box.

What’s there in the boxes?- Appropriate gate output wire key.

Assume NOT gate:

Input wire Output wire

Key for 0 Key for 1

Key for 1 Key for 0

Yao’s Garbled Circuit

It enables one to evaluate a circuit without knowing the inputs to the circuit. x1 x2 x3 x4

f(x1, x2, x3, x4)

+

Step 1: Every wire is associated with a pair of identical looking keys.

Step 2: Every two input gate is associated with four doubly locked boxes (in randomly permuted order) so that each pair of keys (one from each input wire) will open one and only one box.Garbled Circuit: Pairs of keys for all the wires in the circuit + four/two locked boxes for each gate

Yao’s Garbled Circuit

It enables one to evaluate a circuit without knowing the inputs to the circuit. x1 x2 x3 x4

f(x1, x2, x3, x4)

+

Garbled Circuit: Pairs of keys for all the wires in the circuit + four/two locked boxes for each gate+ meaning of the output wire keys

1. Give input keys corresponding to the inputs and the locked boxes for all the gates in the circuit. 2. For every gate, exactly one box can be opened and the key corresponding to the output value for the inputs can be obtained3. For the output gate, the key corresponding to the output value for given inputs can be obtained.Output

Physical Keys: Keys of SKE

Locked boxes: Encryptions

Doubly Locked boxes: Double Encryptions

Yao’s 2 Party Protocol

Y = (y1,y2,…yk )P0P1X = (x1,x2,…xk )

Circuit Constructor Circuit Evaluator

1. Construct a Garbled Circuit for Circuit C: Pairs of keys for all the wires in the circuit + four/two locked boxes for each gate+ meaning of the output wire keys

Keys corresponding to X = (x1,x2,…xk

) and the locked boxes of all the gates + meaning of the output wire keys

OT1k0

w1

k1w1

y1

OTk

ky1w1

k0wk

k1wk

yk

kykwk

Evaluate the garbled circuit with the given input keys and interpret the output Z using+ meaning of the output wire keys

Z

Chalk & Talk

CT6: [SZ13] Thomas Schneider, Michael Zohner: GMW vs. Yao? Efficient Secure Two-Party Computation with Low Depth Circuit. Financial Cryptography 2013: 275-292http://fc13.ifca.ai/proc/8-3.pdf

CT5: [BMR90]Donald Beaver, Silvio Micali, Phillip Rogaway:The Round Complexity of Secure Protocols (Extended Abstract). STOC 1990: 503-513.http://web.cs.ucla.edu/~rafail/TEACHING/SPRING-2004/WEB-RESOURCES/BMR.pdf