On the Structure of Unconditional UC Hybrid Protocols
Mike Rosulek (Oregon State University) and Morgan Shirley (University of Toronto)
Problem Statement & Summary of Results
Our Parameters
● 2-party functions f(x, y), computed between parties A and B
● Finite and fixed truth tables
● Symmetric
● UC security
● Security with abort
● Information theoretic

[Figure: truth table of f(x, y); rows indexed by Alice's input x, columns by Bob's input y]
  f(x,y)  y=0  y=1  y=2
  x=0      2    1    0
  x=1      1    2    0
  x=2      2    0    1
2-Party SFEs with Information-Theoretic UC Security
Either:
● Trivial!  [Figure: example truth table 0 1 0 / 0 0 1]
● Impossible!  (literally everything interesting)
We'd like to differentiate functionalities on the right side.
(Canetti, Kushilevitz and Lindell, EUROCRYPT 2003; Prabhakaran and Rosulek, CRYPTO 2008)
Hybrid World
Reductions
● A way to define complexity
● A function f reduces to a function g (written f ⊑ g) if there exists a g-hybrid protocol for f that has UC security
Goal: completely classify when f and g reduce to each other
Completeness
● Complete g: every f reduces to g
● Kilian [1] shows a necessary and sufficient condition for completeness
[Figure: truth table of a complete function, 0 1 / 1 1]
[1] In 23rd ACM STOC, 1991
2-Party SFEs with Information-Theoretic UC Security
Trivial!  |  Neither  |  Complete
[Figure: example truth tables. Trivial: 0 1 0 / 0 0 1 (reduces to everything). Complete: 0 1 / 1 1 (everything reduces to it). Neither: 1 2 1 / 4 5 2 / 4 3 3 and 0 0 1 / 0 0 1 / 1 1 0, with a "?" over the reductions among them]
Some reductions studied between decomposable functions (e.g. Maji, Prabhakaran, Rosulek, TCC 2009)
Main Theorem (almost)
When f and g are incomplete, if f ⊑ g then:
– f ⊑ g via a single-round deterministic protocol*
*With a few edge cases
Edge case: Unilateral functions
● At least one row (or column) constant!
● One party might know the output before the protocol begins
[Figure: truth table with a constant row, 1 1 1 / 2 3 3 / 2 3 3]
Main Theorem (almost)
When f and g are incomplete and f is non-unilateral, if f ⊑ g then:
– f ⊑ g via a single-round deterministic protocol
Number of rounds required in a g-hybrid protocol for f
[Figure: axis of protocol rounds, marked at 1 and at ω(log κ)]
Number of protocol rounds necessary (for incomplete and non-unilateral f and g)
Main Theorem
When f and g are incomplete and f is non-unilateral, the following are equivalent:
– f ⊑ g via a (worst-case) log-round protocol
– f ⊑ g via a single-round deterministic protocol
– f embeds in g
These edge cases are necessary.
Embedding
What would a single-round reduction look like?
[Figure: parties A and B interacting with g in a single round; two variants of the call pattern are shown]
Embedding: Correctness
● Each party sends a g-input based on their f-input
● The g-output maps back to an f-output
● Intuitively: f appears as a sub-matrix* in g
  f:          g:
  1 2 1       7 1 2 1
  4 5 2       7 4 5 2
  4 3 3       7 4 3 3
              8 8 8 9
*Perhaps with some rearrangement and relabelling
Embedding: Security
● g can't reveal too much information
  f:        g:
  1 3       1 5 3
  1 4       1 4 6
  2 4       2 4 7
● There are no ambiguous g-inputs
  f:        g:
  1 3       1 3 3
  2 4       2 2 4
Embedding
● Definition basically follows this intuition
– If there's an embedding, there's a single-round protocol
– If there's a single-round protocol, there's an embedding
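To make the embedding intuition concrete, here is an added Python example (not from the paper or the slides) that searches for an embedding of f in g: it looks for injective input maps under which f is a relabelled sub-matrix of g, then applies a simplified version of the two security conditions above. The security checks are my own formalization of the slides' intuition, not the paper's formal definition; the truth tables are transcribed from the slides, and G_DUP is a constructed extra case.

```python
from itertools import permutations

# Truth tables transcribed from the slides (rows = Alice's input, cols = Bob's).
F_SLIDE = [[1, 2, 1], [4, 5, 2], [4, 3, 3]]                       # correctness slide
G_SLIDE = [[7, 1, 2, 1], [7, 4, 5, 2], [7, 4, 3, 3], [8, 8, 8, 9]]
F_LEAK, G_LEAK = [[1, 3], [1, 4], [2, 4]], [[1, 5, 3], [1, 4, 6], [2, 4, 7]]  # "reveals too much"
F_AMB, G_AMB = [[1, 3], [2, 4]], [[1, 3, 3], [2, 2, 4]]           # "ambiguous g-input"
G_DUP = [[1, 3], [2, 4], [1, 3]]                                   # constructed: harmless duplicate row

def relabelling(f, g, rows, cols):
    """Bijective g-output -> f-output map on the sub-matrix g[rows][cols], or None.
    Bijectivity encodes 'g reveals no more than f': two cells agree in g iff in f."""
    dec, enc = {}, {}
    for i, r in enumerate(rows):
        for j, c in enumerate(cols):
            gv, fv = g[r][c], f[i][j]
            if dec.setdefault(gv, fv) != fv or enc.setdefault(fv, gv) != gv:
                return None
    return dec

def unambiguous(g, rows, cols):
    """Every g-input a corrupt party could send must look, against the honest
    party's embedded inputs, exactly like some embedded f-input (our simplified
    reading of 'no ambiguous g-inputs'; the paper's definition may differ)."""
    emb_rows = {tuple(g[r][c] for c in cols) for r in rows}
    emb_cols = {tuple(g[r][c] for r in rows) for c in cols}
    return (all(tuple(g[r][c] for c in cols) in emb_rows for r in range(len(g))) and
            all(tuple(g[r][c] for r in rows) in emb_cols for c in range(len(g[0]))))

def find_embedding(f, g, require_security=True):
    """Brute-force search over injective input maps (f-rows -> g-rows,
    f-cols -> g-cols). Returns (rows, cols, decode_map) or None."""
    for rows in permutations(range(len(g)), len(f)):
        for cols in permutations(range(len(g[0])), len(f[0])):
            dec = relabelling(f, g, rows, cols)
            if dec is not None and (not require_security or unambiguous(g, rows, cols)):
                return rows, cols, dec
    return None

if __name__ == "__main__":
    for name, f, g in [("slide", F_SLIDE, G_SLIDE), ("leak", F_LEAK, G_LEAK),
                       ("ambiguous", F_AMB, G_AMB), ("duplicate", F_AMB, G_DUP)]:
        print(name, "correct:", find_embedding(f, g, False) is not None,
              "secure:", find_embedding(f, g) is not None)
```

On the slide's correctness example the sub-matrix is found, but the extra row (8 8 8 9) and the constant column of 7s are g-inputs no honest f-input explains, so the security check rejects it; only G_DUP, whose extra row behaves exactly like an embedded one, passes both.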
Collapse a protocol to a single round
Frontiers
Property: Alice's simulator has extracted
[Figure: tree of protocol executions with calls to g; each node is marked ✔ or ✗ according to whether the property holds there]
Our Frontiers
● F_A-ext – Alice's simulator has extracted
● F_A-out – Alice thinks the output is fixed (regardless of Bob's input)
● Similar frontiers defined for Bob
– F_B-ext
– F_B-out
Idea: Give me any secure, correct protocol for f ⊑ g. I can say something about the frontiers.
Frontiers
[Figure: protocol tree with calls to g and the four frontiers F_A-ext, F_B-ext, F_A-out, F_B-out drawn across it; one relative ordering of the frontiers is marked BAD!]

Frontiers
[Figure: the same protocol tree; a second relative ordering, with F_A-ext marked BAD!]
This is where we need f to be non-unilateral.
Cycle of Inequalities
● F_A-ext not before F_B-out
● F_A-out not before F_A-ext
● F_B-ext not before F_A-out
● F_B-out not before F_B-ext
● So they all happen at the same time!
● Must happen due to a call to g
Instantaneous Property
Before: no information shared
After: output of f is known
Error (small)
[Figure: protocol tree with calls to g, marked at the call where the output of f becomes known]