Secure two-party computation: a visual way, by Paolo D’Arco and Roberto De Prisco. Challenging research task: design of secure protocols which can be used by people without the aid of a computer and without cryptographic knowledge.
Challenging Research Task
• Design of secure protocols which can be used by people
  • without the aid of a computer
  • without cryptographic knowledge
…when computers are not available or, for psychological or social reasons, people feel uncomfortable interacting with or trusting a computer
In this paper…
• By merging together in a suitable way
  • Yao’s garbled circuit construction (‘80)
  • Naor and Shamir’s visual cryptography (‘90)
• we put forward a novel method for performing secure two-party computation through a pure physical process.
Our Main Result
Theorem 1. Every two-party computation representable by means of a boolean function f(·,·) can be performed preserving the privacy of the inputs x and y through a pure physical visual evaluation process.
Yao’s Construction
• [Yao, FOCS 1986]
Computation as a circuit
The boolean function f(·,·) is represented through a boolean circuit C(·,·) for which, for each x, y, it holds that C(x,y) = f(x,y).
[Figure: two And gates feeding an Or gate, evaluated on the input bits 1 1 0 1; the And gates output 0 and 1, the Or gate outputs 1.]
Given the input values, the output is easily obtained by evaluating the circuit gates, i.e., And, Or and Not bit-by-bit operations.
Inputs are in clear. Computations are in clear. No privacy.
Using random values
Yao’s idea is to use the circuit as a conceptual guide for the computation which, instead of And, Or and Not operations on bits, becomes a sequence of decryptions of ciphertexts.
Random values (cryptographic keys) are associated with the wires; they secretly represent the bits 0 and 1.
[Figure: an Or gate whose wires carry the key pairs K1,0, K1,1; K2,0, K2,1; K3,0, K3,1.]
Gate tables
(Enc(K, ), Dec(K, )): symmetric encryption algorithm.
The four double encryptions are stored in a random order.
A gate evaluation ends up in a “correct” double decryption.
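Garbled Circuit Construction
[Figure: gates G1, G2 and G3. The input wires carry the key pairs K1,0, K1,1; K2,0, K2,1; K0,0, K0,1; K3,0, K3,1. The wires between G1, G2 and G3 carry K4,0, K4,1 and K5,0, K5,1. The output wire of G3 carries K6,0, K6,1.]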
Circuit evaluation
[Figure, built up over several slides: Alice’s input is (0,0) and Bob’s input is (0,1), so the input-wire keys in play are K1,0, K2,0, K0,0, K3,1. Evaluating G1 and G2 yields K4,0 and K5,0. Evaluating G3 yields K6,0, i.e. G3 = 0.]
… the map (circuit-output key, value) is public …
The evaluation does not release any information about the input bits.
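The garbling and evaluation steps from the slides above, as an added Python example that is not part of the original presentation. The wiring (G1 = And of wires 1 and 2, G2 = And of wires 0 and 3, G3 = Or of wires 4 and 5) is an assumption read off the figures, and the slides' Enc/Dec is replaced by a toy SHA-256 pad with an all-zero tag that marks the “correct” decryption.

```python
import hashlib
import random
import secrets

KEYLEN, TAG = 16, bytes(16)   # 128-bit wire keys; zero tag marks a correct decryption
# Assumed topology: (gate name, function, left wire, right wire, output wire)
CIRCUIT = [("G1", lambda a, b: a & b, 1, 2, 4),
           ("G2", lambda a, b: a & b, 0, 3, 5),
           ("G3", lambda a, b: a | b, 4, 5, 6)]

def _pad(ka, kb, gate):
    # Toy stand-in for the double encryption: 32-byte pad bound to both keys and the gate
    return hashlib.sha256(ka + kb + gate.encode()).digest()

def _xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def garble(circuit=CIRCUIT, n_wires=7):
    """Alice: draw K[w][0], K[w][1] for every wire and build the shuffled gate tables."""
    keys = [(secrets.token_bytes(KEYLEN), secrets.token_bytes(KEYLEN)) for _ in range(n_wires)]
    tables = {}
    for name, fn, left, right, out in circuit:
        rows = [_xor(_pad(keys[left][a], keys[right][b], name), keys[out][fn(a, b)] + TAG)
                for a in (0, 1) for b in (0, 1)]
        random.SystemRandom().shuffle(rows)    # row position must not reveal (a, b)
        tables[name] = rows
    out_wire = circuit[-1][4]
    decode = {keys[out_wire][0]: 0, keys[out_wire][1]: 1}   # public (output key, value) map
    return keys, tables, decode

def evaluate(tables, decode, input_keys, circuit=CIRCUIT):
    """Bob: holding one key per input wire, decrypt one row per gate."""
    have = dict(input_keys)
    for name, _, left, right, out in circuit:
        for row in tables[name]:
            plain = _xor(_pad(have[left], have[right], name), row)
            if plain[KEYLEN:] == TAG:          # only the matching row yields the tag
                have[out] = plain[:KEYLEN]
                break
        else:
            raise ValueError(f"no row of {name} decrypted with the keys held")
    return decode[have[out]]

def run(bits):
    """bits: input wire -> bit. Bob's keys would arrive via oblivious transfer."""
    keys, tables, decode = garble()
    return evaluate(tables, decode, {w: keys[w][b] for w, b in bits.items()})

if __name__ == "__main__":
    print(run({1: 0, 2: 0, 0: 0, 3: 1}))   # the keys K1,0 K2,0 K0,0 K3,1 from the slides
```

The evaluator only ever sees one random key per wire; the bit it stands for is known only through the public map on the output wire.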
How to use the garbled circuit?
Idea: Alice constructs the garbled circuit. Bob gets it, Alice’s keys and … performs the computation.
But… what about Bob’s keys?
Bob cannot communicate his input bits… (privacy lost!)
Does Alice send all of them? Too much… Bob can compute C(x,y) for all possible y.
Oblivious Transfer
Bob secretly gets the keys for each of his input bits (and only for those bits).
Bob gets either Ki,0 or Ki,1 (according to b) and no information on the other.
Alice does not know which secret Bob has obtained.
Yao’s Protocol
• Alice
  • constructs the garbled circuit
  • sends to Bob
    • the garbled circuit (tables)
    • the keys associated to her input-wire bits
    • the correspondence between the keys associated to the circuit-output wires and the bits 0 and 1.
  • runs with Bob n instances of the OT protocol to enable Bob to recover the n keys associated to his input-wire bits
• Bob evaluates the circuit (and communicates the result to Alice)
Kolesnikov’s approach: secret sharing
[Asiacrypt 2005], extending the ideas of Ishai & Kushilevitz [ICALP 2002]
Instead of using a table with four double encryptions, use secret sharing.
[Figure: an And gate with shares lsh0, lsh1 and rsh0, rsh1 on its input wires and the secrets s0, s1 on its output wire.]
Each combination of the shares gives s0 or s1.
Gate Equivalent Secret Sharing
[Figure: an And gate with output secrets s0, s1. Share labels as extracted: bR0 and bR1; if b=0 the shares read s0R0 |s0R1 and s0R0 |s1R1; if b=1 they read s0R1 |s0R0 and s1R1 |s0R0. A second build of the slide shows the case b=0, with labels 0R0 and 1R1 and shares s0R0 |s0R1 and s0R0 |s1R1.]
• denotes xor bitwise
• s0, s1, R0, R1 are bit strings
• b is a single bit
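Full Protocol: Recursive sharing
[Figure: two And gates feeding an Or gate with output secrets s0, s1. Share labels as extracted: 0R0 with s0R0 |s0R1 and 1R1 with s0R0 |s1R1 at the Or gate; 0T0 with 0R0T0 |0R0T1, 1T1 with 0R0T0 |1R1T1, 1V0 with (s0R0 |s0R1)V1|(s0R0 |s0R1)V0 and 0V1 with (s0R0 |s1R1)V1|(s0R0 |s0R1)V0 at the And gates.]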
Observations
An explicit representation (garbled circuit) is not needed anymore; the circuit is implicitly present in the input shares.
[Figure: the input shares, as extracted: 0T0 with 0R0T0 |0R0T1; 1V0 with (s0R0 |s0R1)V1|(s0R0 |s0R1)V0; 1T1 with 0R0T0 |1R1T1; 0V1 with (s0R0 |s1R1)V1|(s0R0 |s0R1)V0.]
Kolesnikov uses secret sharing for optimization purposes.
Idea…
• …but a secret sharing scheme can also be realized through a physical process which
  • represents the secret as an image
  • prints the shares on transparencies and
  • reconstructs the secret by superposing the transparencies and using the human visual system
Visual Cryptography
• [Naor & Shamir 1994, Kafri & Keren 1987]
Visual Cryptography
(2,2)-VCS
[Figure: share 1, share 2, their superposition, and the secret image.]
Probabilistic Schemes
error probability
[Figure: two cases, one per value of the secret pixel. In each, share 1 and share 2 are obtained by choosing at random and the superposition is the logical or of the two shares. The first case is labelled Prob = 1/2, the second Prob = 1.]
Deterministic Schemes
pixel expansion
[Figure: two cases, one per value of the secret pixel. In each, share 1 and share 2 are obtained by choosing at random and then superposed.]
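A deterministic (2,2) scheme with pixel expansion 2, as an added Python example that is not part of the original presentation. It uses the standard two-subpixel construction (identical patterns for a white pixel, complementary patterns for a black one); the sample image IMG and all function names are constructed for illustration.

```python
import secrets

PATTERNS = ((0, 1), (1, 0))        # subpixel pairs; 1 = black, 0 = transparent
IMG = [[0, 1, 1, 0],               # constructed secret image: 1 = black, 0 = white
       [1, 0, 0, 1],
       [0, 1, 1, 0]]

def make_shares(image):
    """Split each secret pixel into two subpixels on each of two transparencies."""
    share1, share2 = [], []
    for row in image:
        r1, r2 = [], []
        for pixel in row:
            i = secrets.randbelow(2)                 # fresh random choice per pixel
            r1.extend(PATTERNS[i])
            # white: identical patterns; black: complementary patterns
            r2.extend(PATTERNS[i] if pixel == 0 else PATTERNS[1 - i])
        share1.append(r1)
        share2.append(r2)
    return share1, share2

def superpose(a, b):
    """Stacking transparencies: a subpixel is black if black on either sheet (OR)."""
    return [[x | y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def black_counts(sheet):
    """Set of black-subpixel counts seen over all 2-subpixel blocks of a sheet."""
    return {row[i] + row[i + 1] for row in sheet for i in range(0, len(row), 2)}

def recover(stacked):
    """What the eye does: a fully black block reads as black, a half-black one as white."""
    return [[int(row[i] + row[i + 1] == 2) for i in range(0, len(row), 2)]
            for row in stacked]

def render(sheet):
    return "\n".join("".join("#" if v else "." for v in row) for row in sheet)

if __name__ == "__main__":
    s1, s2 = make_shares(IMG)
    for name, sheet in (("share 1", s1), ("share 2", s2),
                        ("superposition", superpose(s1, s2))):
        print(name, render(sheet), sep="\n")
```

Every block of a single share has exactly one black subpixel whatever the secret pixel is, so one transparency alone carries no information; only the superposition shows the contrast between half-black and fully black blocks.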
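…but visual cryptography does not realize xor!
[Figure: the And gate with output secrets s0, s1 from the gate equivalent secret sharing slide, share labels as extracted: 1R0 with s0R1 |s0R0 and 0R1 with s1R1 |s0R0, marked “…xor!!!”]
• denotes xor bitwise
• s0, s1, R0, R1 are bit strings
• b is a single bit
… a closer look: all we need is secret reconstructability
… Kolesnikov’s construction is a special case of a general construction…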
Multi-secret sharing schemes
[Figure: an And gate with output secrets s0, s1 and three shares sh1, sh2, sh3; labels as extracted: bR1, … |s0R1, … |s1R1. Rec(sh1, sh2) = s0 (R1 s0R1 = s0) and Rec(sh1, sh3) = s1 (R1 s1R1 = s1).]
The construction in general form can be described in terms of two multi-secret sharing schemes for a set of three participants and two secrets.
Gate Equivalent Visual Secret Sharing
[Figure: an And gate with visual shares vlsh0, vlsh1 and vrsh0, vrsh1 on its input wires and the images I0, I1 on its output wire.]
Each combination of the visual shares visually reconstructs image I0 or image I1, e.g., Rec(vlsh0, vrsh0)=I0 . . . Rec(vlsh1, vrsh1)=I1
We can do it by using two instances of a visual multi-secret sharing scheme (see the paper for constructions and details…)
Physical Oblivious Transfer
Assumption: Indistinguishable envelopes exist
Two-round protocol
1. Alice prepares two envelopes with the visual shares, labelled 0 and 1.
2. Alice hands them to Bob.
3. Bob turns his shoulders to Alice, takes the one of interest and removes the post-it from the other. He keeps the first and gives back the second.
4. Bob hands the other envelope to Alice.
5. Alice destroys it under Bob’s surveillance.
VTPC Protocol
• Alice constructs the visual shares associated to the input wires
• Sends to Bob the shares associated to her input bits
• Runs with Bob n instances of the physical OT protocol to enable Bob to recover the n visual shares associated to his input bits
• Bob visually evaluates the circuit (and communicates the result to Alice)
Visual Evaluation
An example
Boolean function: f(x,y)=(x1+y1)[(x2y2)(x3+y3)]
[Figure: the circuit for f, with inputs x1, y1, x2, y2, x3, y3 and gates G1, G2, G3, G6, G7, and the chosen images for the bit representation of 0 and 1.]
[Figure: the input shares constructed by Alice through the VTPC protocol.]
[Figure: the shares held by Bob after the OT protocols, assuming x=011 and y=110.]