1 / 35

Completeness in Two-Party Secure Computation – A Computational View

Completeness in Two-Party Secure Computation – A Computational View. Danny Harnik Moni Naor Omer Reingold Alon Rosen. AT&T IAS MIT. Weizmann Institute of Science. Alice. Bob. x. y. Secure Function Evaluation (SFE) of a Function f. f(x,y). Alice learns “nothing else”.

eudora
Télécharger la présentation

Completeness in Two-Party Secure Computation – A Computational View

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Completeness in Two-Party Secure Computation – A Computational View Danny Harnik Moni Naor Omer Reingold Alon Rosen AT&T IAS MIT Weizmann Institute of Science

  2. Alice Bob x y Secure Function Evaluation (SFE) of a Function f f(x,y) Alice learns “nothing else” Bob learns “nothing”

  3. Secure Function Evaluation • General framework that captures many cryptographic tasks. • SFE for any poly-time f - key achievement in cryptography. • Many possible definitions and settings. We concentrate on a specific setting: • Asymmetric version (only Alice gets output). • Deterministic functions (vs. prob. functionality). • Computational security definitions (vs. information theoretic). Simulation based. • Semi-Honest parties • Can use GMW compiler for malicious model.

  4. Oblivious Transfer • Introduced by Rabin (Noisy-OT) • Several equivalent flavors. • 1-2 OT [EGL85] – Sender has two bits b0, b1 and Receiver has choice bit c. Receiver learns bc but not b1-c. Sender learns nothing of c. • Can view 1-2 OT as an asymmetric SFE protocol of the function OT(c; b0, b1) = bc

  5. The Power of OT • Given an OT protocol, one can construct an SFE for any efficiently computable function f . [Yao, GMW, Kilian … ] This is a Completeness behavior.

  6. f(x’,y’) f(x’’,y’’) Reductions & Completeness • A function g securely reduces to f ifan SFE for g can be constructed using calls to an ideal box for evaluating f. x y g(x,y) • f is SFE-Complete if every poly-time function g securely reduces to f.

  7. Eff-SFE SFE-Completeness SFE-Complete Polynomial-time functions f(x,y)

  8. Main Result • Introduce a computational criterion for completeness called Row Non-Transitivity. Main Theorem • If f is Row Non-Transitive then it is SFE-Complete. • If f is Row Transitive then it is in Eff-SFE unconditionally.

  9. Corollary: Complete Classification • Essentially all “nice” functions are either SFE-Complete or have an efficient SFE protocol.

  10. Previous Work • SFE-Completeness discussed in: [CK91, Kush92, Kil91, KMO94, BMM99, Kil00] Beimel, Chor, Kilian, Kushilevitz, Malkin, Micali, Ostrovsky • Mostly studied under Information Theoretic security definitions. • Strong results in form of combinatorial criteria. • Most works consider functions with a constant or small domain size ( “Crypto-gates”). • Avoid computational issues.

  11. Insecure Minor [Beimel, Malkin & Micali 99] • A function f(.,.) is said to contain an Insecure Minor if there are inputs x0, x1, y0, y1 such that : Where b  c.

  12. . . . Insecure Minor[BMM] • If a function f(.,.) contains an insecure minor then f is SFE-complete. • Otherwise f has an SFE protocol (f is “trivial”).  Full characterization of Crypto-gates.  Surprising “all or nothing” behavior. Also discussed computational definitions

  13. What next? Does the insecure minor characterization work for functions over a large domain? • Completeness: functions with insecure minor still complete • Same reduction. • Unconditional SFE: ...

  14. Example 1: one-to-one functions • Consider one-to-one functions • Do not contain an insecure minor. • Unconditional SFE for 1-1 function f(x,y): • Bob sends y to Alice. • Alice calculates f(x,y). • Security: given f(x,y) a simulator can find y (since f is 1-1). But the simulator might not be efficient for functions on large domain!

  15. x y Example 2: No insecure minor but still complete • Let g be a 1-1 One-Way function. • Consider the following function : f(c, y0, y1) = (c, yc, g(y1-c) ) f is 1-1 and hence has no insecure minor. • Claim: f is SFE-Complete !

  16. Alice Bob c b0,b1 2. Call f(c, y0, y1) 3. h(y0)b0, h(y1)b1 1-2-OT using SFE for f 1-2-OT 1. Choose random y0, y1 (c, yc, g(y1-c) ) 4. Alice calculates bc *h is a hardcore bit of g

  17. Summary of the state in Computational Setting • Functions with Insecure Minor: SFE-Complete • Functions with no Insecure Minor: • Some have trivial SFE. • Some are Complete • Is there a simple characterization of SFE-Complete functions and of functions with unconditional SFE? Characterization by row non-transitivity. • How do these sets relate? All or nothing behavior? All `nice’ functions are either complete or have Efficient SFE.

  18. y x0 Hard x1 Row Non-Transitivity f

  19. Prob < 1 - 1/poly Prob =1 Row Non-Transitivity • A function f(.,.) is (Computational) Row Non-Transitive if: for some x0, x1 and a distribution Dy it is (somewhat) hard to calculate f(x1,y) given x0, x1 and f(x0,y) for yr Dy. • A function f(.,.) is (Computational) Row Transitive if: for all x0, x1 and y it is easy to calculate f(x1,y) given x0, x1 and f(x0,y). Note: There is a small gap between the two criteria.

  20. y x0 ? Hard x1 Must find specific value, not any consistent value… Note: A different notion than OWF. May be hard in both directions… Illustration of Row Non-Transitivity f

  21. { y if x=1 f(x, y) = g(y) if x=0 Examples • Row Transitive : • f(x,y) = y • f(x,y) = x + y • f(x,y) = x  g(y) • Row Non-Transitive : Computational • let g be a OWF, • Under CDH assumption, p prime, f(g, y) = gy Mod p

  22. Row Non-Transitive example – information theoretic Insecure Minor  Row Non-Transitive • y chosen uniformly from {y0,y1} •  C: Pr[ C[x0, x1, f(x0, y)] = f(x1, y) ]  ½

  23. Main Theorem • Completeness: If a function f(.,.) is • row non-transitive • efficiently computable then f is SFE-Complete. • Unconditional SFE: If function f(.,.) is • row transitive • efficiently computable then f has an efficient SFE (with no further assumptions).

  24. Alice Bob x y x’, f(x’, y) Unconditional SFE for row transitive f SFE for f Calculate f(x,y) Choose input x’ Security: • Bob learns nothing. • Simulating Alice’s view: choose x’ and calculate f(x’,y) from f(x,y).

  25. Completeness Proof sketch • Use two rows to pass secret. • Value at one row is known, the other is “unknown” (due to the row non-transitivity). • this determines what secret is transferred. Technical notes: • Use of GL hardcore bit. • First create a weak version of OT. • Use Yao XOR lemma to amplify hardness.

  26. Insecure Minor Row Non-Transitivity Complete Eff-SFE Efficiently computable functions f(x,y)

  27. Semi Honest vs Malicious If OWF guaranteed to exist: use GMW transformation. If OWF not guaranteed: • Completeness Theorem holds. • Unconditional SFE: Not necessarily. • Note: Complete functions are different in Info-Theoretic • [BMM99] vs. [Kil00] • Properties of row non-transitive functions remain.

  28. Cryptomania (OT) ? Minicrypt (OWF) Complexity Discussion • OT exists(Cryptomania in [Impagliazzo 95])  SFE-Complete = Eff-SFE • OT doesn’t exist but OWF do ( Minicrypt in [Imp95]): • Are there intermediate assumptions? Our results: As far as SFE goes, no additional (nice) worlds between Minicrypt & Cryptomania !

  29. g y 2. gr 3. gry Row non-transitive under CDH assumption. Possible Applications? • Framework for constructing OT protocols. • Example: f(g,y) = gy mod p. • Has unconditional SFE: 1. Choose random r 4. Calculate gy = b 1/r

  30. 1. Choose random r, g0, g1 1. Choose random y 2. g0, g1, gcr 4. z, h(g0y)b0 h(g1y)b1 c b . . . Possible Applications? • Use reduction to construct OT: 1-2-OT 3. Calculate z=gcry 5. Calculate gcy = z 1/r and the bit bc • What did we get? A scheme similar to [Bellare & Micali 89]!

  31. Further Work ? • Construct a new OT protocol using framework • Symmetric SFE • Probabilistic Functionalities.

  32. Further Issues : Symmetric SFE • “All or nothing” result for Boolean functions [CK89, Kil91]. • Gap in information theoretic world [Kush92] • Completeness for crypto-gates iff contains Imbedded Or [Kil91]: • Does not hold for large domain functions! Consider the following complete function: f((c, x0, x1), (y0, y1)) = (x0  yc, x1  g(y1-c)) g one-way 1-1 function

  33. Further Issues: Probabilistic functionalities • Probabilistic functionality (as opposed to deterministic functions) • Some criteria for completeness in [Kil00]. • Anything possible if OT exists • What if no OT? Any useful weaker assumptions?

  34. Summary: • Showed that combinatorial criteria do not generalize to large domain functions. • Introduced alternative computational criteria for completeness & triviality. • Surprising “All or nothing” nature remains.

  35. Thank You

More Related