Simple, Black-Box Constructions of Adaptively Secure Protocols

Seung Geol Choi, Columbia University. Joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University), and Hoeteck Wee (Queens College, CUNY).


Post on 05-Feb-2016


Page 1: Simple, Black-Box Constructions of Adaptively Secure Protocols

Simple, Black-Box Constructions of Adaptively Secure Protocols

joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University), and Hoeteck Wee (Queens College, CUNY)

Seung Geol Choi
Columbia University

Page 2: Simple, Black-Box Constructions of Adaptively Secure Protocols

Outline

• Motivation
• Our Work
• Our Compiler
  – Comp

Page 3: Simple, Black-Box Constructions of Adaptively Secure Protocols

Outline

• Motivation
• Our Work
• Our Compiler
  – Comp

Page 4: Simple, Black-Box Constructions of Adaptively Secure Protocols

Criteria of adversarial corruption in Multi-party Computation (MPC)

• Semi-honest vs. Malicious
  – semi-honest: corrupted parties should behave honestly
  – malicious: they can behave arbitrarily
• How many parties can be corrupted?
  – Honest majority vs. honest minority.
• Static vs. Adaptive
  – static: adv corrupts parties at the outset
  – adaptive [CFGN96]: during the protocol adaptively

Page 5: Simple, Black-Box Constructions of Adaptively Secure Protocols

Adaptively Secure OT - Simulator

[Diagram: Sender with input (s0, s1) and Receiver with input r exchange messages m1, m2, m3; the Receiver's output is s_r. Labels: No Corruption, Corrupt Sender.]

Bad Simulation: Pick (s0, s1), r, rand for S & R randomly and execute the protocol honestly w/ these values.

Given the actual input (s0', s1'), Sim is unable to patch rand for S consistent w/ the transcript & the input.

Page 6: Simple, Black-Box Constructions of Adaptively Secure Protocols

MPC (malicious majority) and OT -- Roughly

• Non-black-box
  – Basically everything is known: use ZK, e.g.,
  – Static: from semi-honest OT [GMW87] (stand-alone)
  – Adaptive: from semi-honest OT with FCOM [CLOS02] (UC)
• Black-box
  – Static: from semi-honest OT [K88,IKLP06,H08] (stand-alone)
  – Adaptive: from malicious OT [IPS08] (UC)
    But, malicious OT [B98, CLOS02, KO04] has non-black-box access to the underlying primitive.

Page 7: Simple, Black-Box Constructions of Adaptively Secure Protocols

Goal

• Achieve MPC
  – adaptive, malicious majority
  – black-box (BB) access to lower primitives
    • Of theoretical interest
    • Arguably more efficient: avoid general NP reductions incurred by ZK proofs.
  – constant-round

Page 8: Simple, Black-Box Constructions of Adaptively Secure Protocols

Outline

• Motivation
• Our Work
• Our Compiler
  – Comp

Page 9: Simple, Black-Box Constructions of Adaptively Secure Protocols

Main Result

[Diagram: UC, adaptive semi-honest bit OT → Compiler → UC, adaptive malicious string OT in FCOM hybrid]

Compiler:
• Black-box
• constant multiplicative blow-up in rounds

Improvement over [IKLP06,H08]: UC and adaptive

Page 10: Simple, Black-Box Constructions of Adaptively Secure Protocols

BB Implications – UC & Adaptive

[Diagram, as a chain of implications:]

• DDH, RSA, Factoring, LWE → Trapdoor simulatable cryptosystem
• [CDMW09, CLOS02]: → constant-round semi-honest bit OT
• this work: → malicious string OT in FCOM hybrid
• [IPS08]: → in FCOM hybrid
  - MPC allowing corruption of any number of parties
  - constant-round MPC allowing corruption of n-1 parties

Page 11: Simple, Black-Box Constructions of Adaptively Secure Protocols

Our MPC Construction

• FCOM hybrid: Can be combined with existing results under various setup
  – e.g., [CLOS02, BCNP04, CDPW07, K07]. Usually start by how to UC realize FCOM.

                                    [CLOS02]    [IPS08]     ours
#rounds for n corruptions           O(depth)    O(depth)    O(depth)
#rounds for (n-1) corruptions       O(depth)    O(1)        O(1)
hybrid                              FCOM        FOT         FCOM
BB/non-BB                           non-BB      BB          BB

Page 12: Simple, Black-Box Constructions of Adaptively Secure Protocols

BB Implications - Stand-alone

[Diagram, as a chain of implications:]

• DDH, RSA, Factoring, LWE → Trapdoor simulatable cryptosystem
• [CDMW09, CLOS02]: → UC, adaptive, constant-round semi-honest bit OT
• this work: → malicious string OT in FCOM hybrid
• [IPS08]: → UC, adaptive in FCOM hybrid
  - MPC allowing corruption of any number of parties
  - constant-round MPC allowing corruption of n-1 parties
• [PW09] (appears twice on the slide): stand-alone, adaptive
  - constant-round malicious string OT

Page 13: Simple, Black-Box Constructions of Adaptively Secure Protocols

Our Work - Summary

• Adaptively secure MPC: UC in FCOM hybrid / stand-alone
  - allowing corruption of any number of parties
  - allowing corruption of n-1 parties in constant-round

[Diagram: UC, adaptive semi-honest bit OT → Compiler → UC, adaptive malicious string OT in FCOM hybrid → MPC. Further labels: String OT; stand-alone, adaptive constant-round malicious string OT.]

Page 14: Simple, Black-Box Constructions of Adaptively Secure Protocols

Outline

• Motivation
• Our Work
• Our Compiler
  – Comp

Page 15: Simple, Black-Box Constructions of Adaptively Secure Protocols

Previous Work: Stand-alone & Static case

[Diagram. Nodes: eTDP, homomorphic enc; semi-honest bit OT; defensible bit OT; malicious OT; MPC. Edge labels: Haitner [H08]; Ishai, Kushilevitz, Lindell, and Petrank [IKLP06]; [K88].]

Page 16: Simple, Black-Box Constructions of Adaptively Secure Protocols

Our Compiler - 1

• Basically, [H08]+[IKLP06].
• Insight
  – View [H08] + [IKLP06] as GMW Compiler
    • With ZK proof replaced with cut-and-choose technique.
  – Our presentation doesn't need the notion of defensible OT.

Page 17: Simple, Black-Box Constructions of Adaptively Secure Protocols

Our Compiler - 2

• Has two modules
  – Comp: boost receiver-side security (for string)
  – OT-Reversal [WW06]: reverse the role of sender and receiver (for bit)

Our Compiler          receiver       sender
Starting protocol     semi-honest    semi-honest
Apply Comp            malicious      semi-honest
Apply OT-Reversal     semi-honest    malicious
Apply Comp            malicious      malicious

[Remaining diagram labels: [H08]: Commit input & randomness at the outset; [IKLP06]; Parallel executions; semi-honest, semi-honest; defensible, defensible (twice).]

Page 18: Simple, Black-Box Constructions of Adaptively Secure Protocols

Outline

• Motivation
• Our Work
• Our Compiler
  – Comp

Page 19: Simple, Black-Box Constructions of Adaptively Secure Protocols

Comp(Π)

I. Run coin-tossing in the well using FCOM to fix R's input & rand for Phase II.

II. Run 2n executions of Π in parallel w/ R using input & rand generated in Phase I.

III. R opens commitments in Phase I for n random OT execs.

IV. Apply combiner to the rest of n executions.

[Side labels on the slide: [H08]; [IKLP06]; Cut & Choose]

Page 20: Simple, Black-Box Constructions of Adaptively Secure Protocols

UC Security in Comp

• Straight-line simulation
  – Extract receiver's input in a straight-line manner w/ info from Phase I.

Page 21: Simple, Black-Box Constructions of Adaptively Secure Protocols

Adaptively Secure OT - Simulator

[Diagram: Sender with input (s0, s1) and Receiver with input r exchange messages m1, m2, m3; the Receiver's output is s_r. Labels: No Corruption, Corrupt Sender.]

Upon corruption, Sim has to patch rand for S consistent w/ the transcript & the given input.

Page 22: Simple, Black-Box Constructions of Adaptively Secure Protocols

Simulation in Comp – Achieving Adaptive Security

1. Extract R's input & rand. in Phase I w/ FCOM

2. For i-th OT execution Πi:
   • Run simulator for Πi (SIMi) until the R behaves consistently w/ the commitments.
   • Inconsistent R: "corrupt S" on SIMi (input & rand of S in Πi is fixed). Follow spec. of Π w/ this fixed info.

3. Patching the S's overall rand.
   • If R behaved honestly in some Πj, can patch using SIMj: with high probability there is at least one such j.

Use adaptive security of Π: Guaranteed as long as R behaves honestly
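
The cut-and-choose step of Comp (Phase III) and the claim that some execution stays honest with high probability can be checked numerically. This is an added example, not code from the talk or the paper; it assumes a simplified model in which R is inconsistent with its Phase I commitments in k of the 2n executions and any opened inconsistent execution is detected.

```python
import random
from math import comb

def escape_probability(n: int, k: int) -> float:
    """Exact chance that none of k inconsistent executions is among the
    n opened in Phase III (n chosen uniformly out of 2n)."""
    if k > n:              # more cheats than unopened slots: always caught
        return 0.0
    return comb(2 * n - k, n) / comb(2 * n, n)

def no_honest_left_bound(n: int) -> float:
    """Chance that the check passes AND every unopened execution is
    inconsistent: requires k == n and the opened set to be exactly the
    honest half, i.e. one subset out of C(2n, n)."""
    return 1 / comb(2 * n, n)

def simulate(n: int, k: int, trials: int, seed: int = 0):
    """Monte Carlo run of the same model. Returns (escape_rate, bad_runs),
    where a bad run passed the check with no honest execution left for
    the simulator to patch from."""
    rng = random.Random(seed)
    cheated = set(range(k))            # constructed: which executions deviate
    escaped = bad = 0
    for _ in range(trials):
        opened = set(rng.sample(range(2 * n), n))
        if opened & cheated:
            continue                   # model assumption: deviation is detected
        escaped += 1
        remaining = set(range(2 * n)) - opened
        if not (remaining - cheated):
            bad += 1
    return escaped / trials, bad

if __name__ == "__main__":
    n = 8
    for k in (1, 2, 4, 8):
        rate, bad = simulate(n, k, 50_000)
        print(k, round(escape_probability(n, k), 6), round(rate, 6), bad)
    print("bound:", no_honest_left_bound(n))
```

In this model the only way to pass the check with no honest execution remaining is k = n with the opened set landing exactly on the honest half, which is why the failure bound falls as 1/C(2n, n).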

Page 23: Simple, Black-Box Constructions of Adaptively Secure Protocols

Conclusion

• Adaptively secure MPC: UC in FCOM hybrid / stand-alone
  - allowing corruption of any number of parties
  - allowing corruption of n-1 parties in constant-round

[Diagram: UC, adaptive semi-honest bit OT → Compiler → UC, adaptive malicious string OT in FCOM hybrid → MPC. Further labels: String OT; stand-alone, adaptive constant-round malicious string OT.]

Page 24: Simple, Black-Box Constructions of Adaptively Secure Protocols

Thank you