
On the Structure of Unconditional UC Hybrid Protocols Mike Rosulek - PowerPoint PPT Presentation



  1. On the Structure of Unconditional UC Hybrid Protocols Mike Rosulek (Oregon State University) and Morgan Shirley (University of Toronto)

  2. Problem Statement & Summary of Results

  3. Our Parameters: f(x, y), where Alice (A) holds x and Bob (B) holds y ● 2-Party functions ● Finite and fixed truth tables ● Symmetric ● UC Security ● Security with abort ● Information theoretic (illustrated with a 3×3 example truth table over inputs 0, 1, 2)

  5. 2-Party SFEs with Information-Theoretic UC Security. Either: Trivial! or Impossible! (literally everything interesting). We'd like to differentiate functionalities on the right side. Canetti, Kushilevitz and Lindell, EUROCRYPT 2003; Prabhakaran and Rosulek, CRYPTO 2008

  9. Hybrid World

  10. Reductions ● A way to define complexity ● A function f reduces to a function g (written f ⊑ g) if there exists a g-hybrid protocol for f that has UC security

  11. Goal: completely classify when f and g reduce to each other

  12. Completeness ● Complete g: every f reduces to g ● Kilian [1] shows a necessary and sufficient condition for completeness (the 2×2 truth table 0 1 / 1 1, i.e. OR, is shown as the example) [1] In 23rd ACM STOC, 1991

  13. 2-Party SFEs with Information-Theoretic UC Security: Trivial! (everything reduces to these) – Neither – Complete (these reduce to everything; example 0 1 / 1 1). Examples in the middle include the 3×3 truth table 1 2 1 / 4 5 2 / 4 3 3. Some reductions studied between decomposable functions (e.g. Maji, Prabhakaran, Rosulek TCC 2009). ? (how the functions in the middle reduce to each other is the open question)

  19. Main Theorem (almost): When f and g are incomplete, if f ⊑ g then f ⊑ g via a single-round deterministic protocol* (*With a few edge cases)

  21. Edge case: Unilateral functions ● At least one row (or column) is constant! ● One party might know the output before the protocol begins (example truth table: 1 1 1 / 2 3 3 / 2 3 3, whose first row is constant)

  23. Main Theorem (almost): When f and g are incomplete and f is non-unilateral, if f ⊑ g then f ⊑ g via a single-round deterministic protocol

  24. Number of rounds required in a g-hybrid protocol for f: 1 ... ω(log κ). Number of protocol rounds necessary (for incomplete and non-unilateral f and g)


  27. Main Theorem: When f and g are incomplete and f is non-unilateral, the following are equivalent: – f ⊑ g via a (worst-case) log-round protocol – f ⊑ g via a single-round deterministic protocol – f embeds in g. These edge cases are necessary

  30. Embedding

  31. What would a single-round reduction look like? (Diagram: A and B interacting through a single call to g)

  35. Embedding: Correctness ● Each party sends a g-input based on their f-input ● The g-output maps back to an f-output ● Intuitively: f appears as a sub-matrix* in g. Example: f = 1 2 1 / 4 5 2 / 4 3 3 and g = 1 2 1 7 / 4 5 2 7 / 4 3 3 7 / 8 8 8 9 (f is the top-left 3×3 block of g). *Perhaps with some rearrangement and relabelling
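The embedding intuition above and the unilateral edge case of slide 21, as an added brute-force check in Python that is not the authors' code: it reuses the slide's f and g, adds a constructed rearranged g of my own, and checks only correctness, not the security conditions.

```python
"""Added example (not the authors' code): brute-force check of the
correctness half of "f embeds in g" and of the unilateral edge case.
The security conditions (no ambiguous g-inputs, g reveals nothing
extra) are NOT checked here."""
from itertools import product

def decode_map(f, g, a, b):
    """Given Alice's map a: x -> g-row and Bob's map b: y -> g-column,
    return the relabelling {g-output: f-output} under which
    decode(g[a[x]][b[y]]) == f[x][y] for all x, y, or None if some
    g-output would have to decode to two different f-outputs."""
    decode = {}
    for x, row in enumerate(f):
        for y, want in enumerate(row):
            if decode.setdefault(g[a[x]][b[y]], want) != want:
                return None
    return decode

def embeds(f, g):
    """Try every single-round deterministic protocol of the form
    'Alice sends a(x), Bob sends b(y), both output decode(g(a(x), b(y)))'
    and return (a, b, decode) for the first one that computes f exactly,
    or None.  Truth tables are lists of rows: Alice chooses the row,
    Bob the column.  Exhaustive, so only for small tables."""
    for a in product(range(len(g)), repeat=len(f)):
        for b in product(range(len(g[0])), repeat=len(f[0])):
            decode = decode_map(f, g, a, b)
            if decode is not None:
                return a, b, decode
    return None

def is_unilateral(f):
    """Edge case from the slides: some row or column of f is constant,
    so one party knows the output before the protocol begins."""
    return (any(len(set(r)) == 1 for r in f)
            or any(len(set(c)) == 1 for c in zip(*f)))

# The slide's example: f is the top-left 3x3 block of g.
F = [[1, 2, 1], [4, 5, 2], [4, 3, 3]]
G = [[1, 2, 1, 7], [4, 5, 2, 7], [4, 3, 3, 7], [8, 8, 8, 9]]
# Constructed variant: the same f hidden in g with rows/columns moved
# and outputs relabelled (1->11, ..., 5->15), i.e. "with rearrangement".
G_SHUFFLED = [[9, 0, 0, 0], [7, 14, 15, 12], [7, 11, 12, 11], [7, 14, 13, 13]]

if __name__ == "__main__":
    print(embeds(F, G))          # identity maps, identity relabelling
    print(embeds(F, G_SHUFFLED)) # a = (2, 1, 3), b = (1, 2, 3)
    print(is_unilateral([[1, 1, 1], [2, 3, 3], [2, 3, 3]]))  # True
```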

  36. Embedding: Security ● g can't reveal too much information (illustrated with f = 1 3 / 1 4 / 2 4 against g = 1 5 3 / 1 4 6 / 2 4 7) ● There are no ambiguous g-inputs (illustrated with f = 1 3 / 2 4 against g = 1 3 3 / 2 2 4)

  44. Embedding ● Definition basically follows this intuition – If there's an embedding, there's a single-round protocol – If there's a single-round protocol, there's an embedding

  45. Main Theorem: When f and g are incomplete and f is non-unilateral, the following are equivalent: – f ⊑ g via a (worst-case) log-round protocol – f ⊑ g via a single-round deterministic protocol – f embeds in g

  48. Collapse a protocol to a single round

  49. Frontiers (the protocol viewed as a tree of g calls)

  50. Frontiers Property: Alice's simulator has extracted (each node of the protocol tree is marked ✔ or ✗ for whether the property already holds there)

  52. Our Frontiers ● F A-ext – Alice's simulator has extracted ● F A-out – Alice thinks the output is fixed (regardless of Bob's input) ● Similar frontiers defined for Bob – F B-ext – F B-out

  53. Idea: Give me any secure, correct protocol for f ⊑ g. I can say something about the frontiers.

  54. Frontiers: F A-ext, F B-ext, F A-out and F B-out drawn on the protocol tree. Some relative orderings of the frontiers are BAD! This is where we need f to be non-unilateral

  60. Cycle of Inequalities ● F A-ext not before F B-out ● F A-out not before F A-ext ● F B-ext not before F A-out ● F B-out not before F B-ext ● So they all happen at the same time! ● Must happen due to a call to g

  61. Instantaneous Property (on the protocol tree) – Before: no information shared – After: output of f is known – Error (small)
