two round information-theoretic mpc with malicious...
TRANSCRIPT
Two Round Information-Theoretic MPC with Malicious Security
Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain
TPMPC 2019
Adversarial Model
Adversarial Model
Malicious Adversary
Adversarial Model
Malicious Adversary
Corrupts < "/2 parties (Honest Majority)
Honest Majority MPC
Honest Majority MPCInformation-Theoretic security is possible.
[Ben-Or, Goldwasser, Widgerson’88]
Typically UC secureSimulation proofs are typically straight-line
Round complexity lower bounds for dishonest majority do not apply 4 rounds necessary for dishonest majority in the plain model [Garg- Mukherjee-Pandey-Polychroniadou16]
Clean ConstructionsUse lightweight tools such as garbling and secret-sharing
Honest Majority MPCInformation-Theoretic security is possible.
[Ben-Or, Goldwasser, Widgerson’88]
Typically UC secureSimulation proofs are typically straight-line
Round complexity lower bounds for dishonest majority do not apply 4 rounds necessary for dishonest majority in the plain model [Garg- Mukherjee-Pandey-Polychroniadou16]
Clean ConstructionsUse lightweight tools such as garbling and secret-sharing
Honest Majority MPCInformation-Theoretic security is possible.
[Ben-Or, Goldwasser, Widgerson’88]
Typically UC secureSimulation proofs are typically straight-line
Round complexity lower bounds for dishonest majority do not apply 4 rounds necessary for dishonest majority in the plain model [Garg- Mukherjee-Pandey-Polychroniadou16]
Clean ConstructionsUse lightweight tools such as garbling and secret-sharing
Honest Majority MPCInformation-Theoretic security is possible.
[Ben-Or, Goldwasser, Widgerson’88]
Typically UC secureSimulation proofs are typically straight-line
Round complexity lower bounds for dishonest majority do not apply 4 rounds necessary for dishonest majority in the plain model [Garg- Mukherjee-Pandey-Polychroniadou16]
Clean ConstructionsUse lightweight tools such as garbling and secret-sharing
Honest Majority MPC: Applications
Useful for constructing efficient ZK-protocols.
Honest Majority MPC: Applications
(Courtesy: Sergey Gorbunov’s talk)
History of IT-MPC
Round Complexity
Class of Functions
Corruption Threshold
Adversary
[BGW’88] > # of multiplications
P/Poly t<n/2 Malicious
[BB’89, IK’00, AIK’06]
constant NC1 t<n/2 Malicious
[IKP’10] 2 NC1 t<n/3 Malicious[GIS’18, ABT’18] 2 NC1 t<n/2 Semi-honest
Security with selective abort
Our Results
Round Complexity Class of Functions Corruption Threshold Adversary2 NC1 t<n/2 Malicious
Security with Abort over Broadcast + P2P
Security with Selective Abort over P2P
Our Results
Round Complexity Class of Functions Corruption Threshold Adversary2 NC1 t<n/2 Malicious
Security with Abort over Broadcast + P2P
Security with Selective Abort over P2P
Concurrent Work [ABT19]
Consider security with selective abort.
This Talk
Round Complexity Class of Functions Corruption Threshold Adversary2 NC1 t<n/2 Malicious
Security with Abort over Broadcast + P2P
Security with Selective Abort over P2P
Our Strategy
2 Round IT-MPC(Privacy with Knowledge of
Outputs)
2 Round IT-MPC(Security with Abort)
Broadcast + P2P
Broadcast + P2P
Constant Round IT-MPC(Security with Abort)
Broadcast + P2P
Round Compression
Security Upgrade
Security with Abort
Party 1
Party 2
Party 3
Trusted Party
!
Security with Abort
!1
!2
!3Party 1
Party 2
Party 3
Trusted Party
%
Security with Abort
!1
!2
!3
% = '(!1, !2, !3)
Party 1
Party 2
Party 3
Trusted Party
'
Security with Abort
!1
!2
!3
% = '(!1, !2, !3)
%’ = % ,- ⊥Party 1
Party 2
Party 3
Trusted Party
'
Security with Abort
!1
!2
!3
% = '(!1, !2, !3)
%’ = % ,- ⊥
%’
%’Party 1
Party 2
Party 3
Trusted Party
'
Security with Abort
Privacy!2 and !3 remain hidden
$
Security with Abort
Privacy!2 and !3 remain hidden
Output CorrectnessHonest Parties either output
$ !%, !', !( or ⊥
$
Privacy with Knowledge of Outputs
Privacy!2 and !3 remain hidden
Output CorrectnessHonest Parties either output
$ !%, !', !( or ⊥
$
First Step
2 Round IT-MPC(Privacy with Knowledge of
Outputs)
2 Round IT-MPC(Security with Abort)
Broadcast + P2P
Broadcast + P2P
Constant Round IT-MPC(Security with Abort)
Broadcast + P2P
Round Compression
Security Upgrade
Using Signed Outputs [IKP10]
!"1"2"3
& = ! ("), "+, ",)
Using Signed Outputs [IKP10]
!′#1, &'(, )'(
* = ! (#(, #-, #.)
#-,&'-, )'-#., &'., )'.
(&'(,0( = 1234 (*, )'1))(&'-,0- = 1234 (*, )'-))(&'.,0. = 1234 (*, )'.))
!", $%", &%"', (), $%) , (", $%" , ((+, $%+)
Party 2Trusted Party
Security with abort: Using Signed Outputs
-./01'(', (", $%")1’
-./01'(', (), $%))
-./01'(', (+, $%+)
!", $%", &%"', (), $%) , (", $%" , ((+, $%+)
Party 2Trusted Party
Security with abort: Using Signed Outputs
-’
Accept if all 3 verify
./01-'(', (", $%")
./01-'(', (), $%))
./01-'(', (+, $%+)
Security with abort: Using Signed Outputs
!", $%", &%"', (), $%) , (", $%" , ((+, $%+)
Party 2Trusted Party
-’
Accept if all 3 verify
./01-'(', (", $%")
./01-'(', (), $%))
./01-'(', (+, $%+)
Digital signatures require one-way functions
Security with abort: Using Signed Outputs
!", $%", &%"', (), $%) , (", $%" , ((+, $%+)
Party 2Trusted Party
-’
Accept if all 3 verify
./01-'(', (", $%")
./01-'(', (), $%))
./01-'(', (+, $%+)
Digital signatures require one-way functions
MACs are not sufficient
Security with abort: Using Signed Outputs
!", $%", &%"', (), $%) , (", $%" , ((+, $%+)
Party 2Trusted Party
-’
Accept if all 3 verify
./01-'(', (", $%")
./01-'(', (), $%))
./01-'(', (+, $%+)
Digital signatures require one-way functions
How can we do it information theoretically?
MACs are not sufficient
Our Tool: Multi-Key MAC
!"
!#
!$%
Our Tool: Multi-Key MAC
! = #. %&'( ), +,, +-, +.
+,
+-
+.)
Our Tool: Multi-Key MAC
!
!
!
! = #. %&'( ), +,, +-, +.
)
Our Tool: Multi-Key MAC!.#$%&'( (*, ,, -.)
!. #$%&'( (*, ,, -0)
!. #$%&'( (*, ,, -1)
,
,
,
, = !. 3&45 *, -., -0, -1
*
Our Tool: Multi-Key MAC (Correctness)
YES
YES
YES
!.#$%&'( (*, ,, -.)
!. #$%&'( (*, ,, -0)
!. #$%&'( (*, ,, -1)
,
,
,
, = !. 3&45 *, -., -0, -1
*
Our Tool: Multi-Key MAC (Security)
!, "#, "%& = (. *+,- !, "., "#, "%
&".
Our Tool: Multi-Key MAC (Security)
!, "#, "%& = (. *+,- !, "., "#, "%
&".
"#
!/, &’
(.012+34 (!′, &′, "#)NO
Our Tool: Multi-Key MAC (Security)
!, "#, "%& = ()*+ !, ",, "#, "%
&",
"#
!-, &’
..012)34 (!′, &′, "#)NO
An adversary cannot output any valid message-signature pair other than the
one it received
Security with Abort: Using Multi-Key MAC
!′#1, &' ( = ! (#', #+, #,)#+, &+#,, &,
. = /. 1234 ((, &1, &2, &3)
!", $"%, &
Party 2Trusted Party
Security with Abort: Using Multi-Key MAC
'.)*+,-%(%, &, $")
-’
Security with abort: Using Multi-Key MAC
IF !, # = %′((()*)), ((,, *,), ((-, *-))
(,, *,
!, #
Honest Party 2Trusted Party
(-, *-
!, #
Honest Party 3
%′
Security with abort: Using Multi-Key MAC
!.#$%&'(((, +, ,-)!. #$%&'(((, +, ,/ )
0-, ,-
(, +
Honest Party 2Trusted Party
0/, ,/
(, +
Honest Party 3
YES YES
IF (, + = '′((03,3), (0-, ,-), (0/, ,/))
'′
Security with abort: Using Multi-Key MAC
!", $"
%, &
Honest Party 2Trusted Party
!', $'
%, &
Honest Party 3
IF %, & ≠ )′((!,$,), (!", $"), (!', $'))
)′
Security with abort: Using Multi-Key MAC
Honest Party 2
!", $"
%, &
Honest Party 2Trusted Party
!', $'
%, &
Honest Party 3
NONO
(.*+,-.%(%, &, $")(. *+,-.%(%, &, $' ) IF %, & ≠ .′((!3$3), (!", $"), (!', $'))
.′
Recall: Our Strategy
2 Round IT-MPC(Privacy with Knowledge of
Outputs)
2 Round IT-MPC(Security with Abort)
Broadcast + P2P
Broadcast + P2P
Constant Round IT-MPC(Security with Abort)
Broadcast + P2P
Using Multi-Key MAC
Round Compression
Security Upgrade
Security Upgrade Using Multi-Key MAC
Second Step
2 Round IT-MPC(Privacy with Knowledge of
Outputs)
2 Round IT-MPC(Security with Abort)
Broadcast + P2P
Broadcast + P2P
Constant Round IT-MPC(Security with Abort)
Broadcast + P2P
Round Compression
Technique: Round Compression
Interactive secure MPC
2 round secure MPC
[GGHR’13]Indistinguishability Obfuscation
[GLS’15]Witness Encryption + Garbled circuits
[GS’17]Bilinear Maps + Garbled circuits
[GS’18, BL’18]OT + Garbled Circuits
[ACGJ’18] Garbled circuits
Initial Idea
Interactive secure MPC
2 round secure MPC
[GGHR’13]Indistinguishability Obfuscation
[GLS’15]Witness Encryption + Garbled circuits
[GS’17]Bilinear Maps + Garbled circuits
[GS’18, BL’18]OT + Garbled Circuits
[ACGJ’18] Garbled circuits
Replace garbled circuits with Information-theoretic garbled circuits
(IT-GC)
Round Compression Template
!"#$
...
Interactive secure MPC 2 round secure MPC
!"#%!"#&
Commit Inputs
'( !"#$ , '( !"#% , . .
Round Compression Template
!"#$
...
Interactive secure MPC 2 round secure MPC
!"#%!"#&
Commit Inputs
'( !"#$ , '( !"#% , . .
'( !"#%
After Round 2
'( !"#$
'( !"#%
'( !"#$
Party 1 Party 2
.
.
.
.
.
.
...
...
Round Compression Template: After Round 2
!" #$%&
!" #$%' !" #$%'
Party 1 Party 2
Round Compression Template: After Round 2!" #$%&
!" #$%' !" #$%'
Party 1 Party 2
Statistically secure multi-party helper protocol for
OT functionality
Wire Labels 1st Message of Party 2
Wire Labels for 1st Message of Party 2
Initial Idea: Doesn’t Work
Interactive secure MPC
2 round secure MPC
[GGHR’13]Indistinguishability Obfuscation
[GLS’15]Witness Encryption + Garbled circuits
[GS’17]Bilinear Maps + Garbled circuits
[GS’18, BL’18]OT + Garbled Circuits
[ACGJ’18] Garbled circuits
Replace garbled circuits with Information-theoretic garbled circuits
(IT-GC)
ProblemSize of the input wire labels in IT-GC grows exponentially in the depth of
the circuit being garbled.
Initial Idea: Doesn’t Work
Interactive secure MPC
2 round secure MPC
[GGHR’13]Indistinguishability Obfuscation
[GLS’15]Witness Encryption + Garbled circuits
[GS’17]Bilinear Maps + Garbled circuits
[GS’18, BL’18]OT + Garbled Circuits
[ACGJ’18] Garbled circuits
Replace garbled circuits with Information-theoretic garbled circuits
(IT-GC)
ProblemSize of the input wire labels in IT-GC grows exponentially in the depth of
the circuit being garbled.
No. of garbled circuits generated per-party ≥ |#|
Initial Idea: Doesn’t Work
Interactive secure MPC
2 round secure MPC
[GGHR’13]Indistinguishability Obfuscation
[GLS’15]Witness Encryption + Garbled circuits
[GS’17]Bilinear Maps + Garbled circuits
[GS’18, BL’18]OT + Garbled Circuits
[ACGJ’18] Garbled circuits
Replace garbled circuits with Information-theoretic garbled circuits
(IT-GC)
ProblemSize of the input wire labels in IT-GC grows exponentially in the depth of
the circuit being garbled.
No. of garbled circuits generated per-party ≥ |#|
Size of bottom-most garbled circuits is exp( # )
Our Approach!" #$%&
!" #$%' !" #$%'
Party 1 Party 2
Statistically secure multi-party helper protocol for
OT functionality
Wire Labels1st Message of Party 2
Wire Labels for 1st Message of Party 2
(&
Inspired by the approach used in [BL’18]
Our Approach!" #$%&
!" #$%' !" #$%'
Party 1 Party 2
Statistically secure multi-party helper protocol forOT functionality OT
functionality
Wire Labels
Wire Labels for 1st Message of Party 2
() *', #$%' *&
*&
Our ApproachDesign a 2 round helper protocol for
!" #$, &'($ #)*+ &'()
*+ &'($ *+ &'($
Party 1 Party 2
Helper Protocol for OT functionality
Wire Labels
Wire Labels for 1st Message of Party 2
!" #$, &'() #)
#)
Statistically secure multi-party helper protocol forOT functionality OT
functionality!" #$, &'($ #)
Challenges in Designing such a protocol
2 Round MPC Template using a 2 Round Helper Protocol
1st round of Helper Protocol (implicitly commits to inputs)
2nd round of Helper Protocol & !" #$%& , !" #$%( , . .R 2
R 1
Challenges in Designing such a protocol
R 1
R 2
Inputs of Adversary
Output y
Trusted Party
Simulator
Adversary
A
A
Malicious Security
Challenges in Designing such a protocol
R 1
R 2
Inputs of Adversary
Output y
Trusted Party
Outer Simulator
OuterAdversary
Inner Simulator
A
BA
InnerAdversary
B
Malicious Security using helper protocol
Challenges in Designing such a protocol
R 1
R 2
Inputs of Adversary
Output y
Trusted Party
Outer Simulator
OuterAdversary
Inner Simulator
A
BA
InnerAdversary
B
Need to extract the inputs from inner adversary
Malicious Security using helper protocol
Challenges in Designing such a protocol
R 1
R 2
Inputs of Adversary
Output y
Trusted Party
Outer Simulator
OuterAdversary
Inner Simulator
A
BA
InnerAdversary
B
Need to extract the inputs from inner adversary
For Malicious Security
How to design a 2 round maliciously secure helper protocol for this functionality?
Our Solution
Properties:!"#$ is not known in the first round.
Party 1 Party 2
HONEST Nothing beyond the output is leaked Nothing beyond !"#%('$) is leaked
CORRUPT Simulator can extract '% Simulator can extract !"#%('$)
A two-round helper MPC protocol for 2 input delayed-function )* '%, !"#% '$
This asymmetric weaker security suffices!
Conclusion
2 Round IT-MPC(Privacy with Knowledge of
Outputs)
2 Round IT-MPC(Security with Abort)
Broadcast + P2P
Broadcast + P2P
Constant Round IT-MPC(Security with Abort)
Broadcast + P2P
Conclusion
2 Round IT-MPC(Security with Selective Abort)
P2P
2 Round IT-MPC(Privacy with Knowledge of
Outputs)
2 Round IT-MPC(Security with Abort)
Broadcast + P2P
Broadcast + P2P
Constant Round IT-MPC(Security with Abort)
Broadcast + P2P