
Reusable Non-Interactive Secure Computation

Melissa Chase (MSR Redmond), Yevgeniy Dodis (NYU), Yuval Ishai (Technion), Daniel Kraschewski (TNG Technology Consulting), Tianren Liu (MIT UW), Rafail Ostrovsky (UCLA), Vinod Vaikuntanathan


  1-9. How to Lift One-shot Security to Reusability

     Diagram: sender S (input $y$) and receiver R (input $x$) are connected by rOLE. In call $i$ the sender inputs $(a_i, b_i)$, the receiver inputs $\tilde{x}_i$ and learns $a_i \tilde{x}_i + b_i$. The receiver outputs $f(x, y)$. In the later builds the sender's $y$ is crossed out and the output becomes $f(x, y^*)$.

     - UC-security: $\exists$ an efficient simulator $S$ with $S(a_1, b_1, a_2, b_2, \ldots) \to y^*$.
     - No Abort (optional): when abnormal behavior is detected, output $f(x, 0)$.
     - Difficulty: $y^*$ is a distribution $\Rightarrow$ $f(x, y^*)$ has entropy in the ideal world $\Rightarrow$ information about the receiver's randomness leaks in the real world.
     - "Strong" UC-security $\Rightarrow$ Reusability. The simulator is deterministic.

  10-16. Overview: rNISC in rOLE-hybrid model

     Diagram: sender S holds $y \in F^n$, receiver R holds $x \in F^n$. S inputs $(A, b)$ and R inputs $x$ to rOLE (Certified rOLE in the final builds); R obtains $Ax + b$ (or $\bot$) and outputs $f(x, y)$.

     - Assume $f$ is an arithmetic NC$^1$ circuit or an arithmetic branching program over $F$.
     - [IK'02, AIK'14] encode $y \mapsto (A, b)$ s.t. $Ax + b$ reveals $f(x, y)$ and nothing else.
     - Against a malicious sender: detect whether $(A, b)$ is honestly generated, i.e. satisfies some simple arithmetic constraints.

     $$\text{Certified rOLE} \to \begin{cases} Ax + b, & \text{if } (A, b) \text{ satisfies constraints} \\ \bot, & \text{otherwise} \end{cases}$$

  17-23. Certified rOLE

     Diagram: a sequence of rOLE calls between S and R, grouped into one Certified rOLE box. In call $i = 1, 2, 3, \ldots$ the sender inputs $(a_i, b_i)$, the receiver inputs $x_i$ and learns $a_i x_i + b_i$.

     - Sender can prove $(a_1, b_1, a_2, b_2, \ldots)$ satisfies arithmetic constraints: $a_i = a_j$ for some $(i, j)$; for general constraints, see eprint.
     - Side product: reusable DV-NIZK in rOLE-hybrid model.

  24-39. Certified rOLE

     Diagram: three rOLE calls between S and R inside the Certified rOLE box.

     - S samples $r \leftarrow F$ and inputs $(a, r)$; R samples $w \leftarrow F$, inputs $w$ and learns $aw + r$.
     - S samples $r' \leftarrow F$ and inputs $(r, r')$; R samples $\hat{\hat{x}}_i \leftarrow F$, inputs $\hat{\hat{x}}_i$ and learns $r\hat{\hat{x}}_i + r'$.
     - S inputs $(a, b + r')$; R inputs $\hat{x}_i = x_i - w\hat{\hat{x}}_i$ and learns $a\hat{x}_i + b + r'$.

     $$\underbrace{a x_i + b}_{\text{Target}} = \underbrace{(aw + r)}_{\text{Commitment}(a)} \cdot \hat{\hat{x}}_i - \underbrace{(r\hat{\hat{x}}_i + r')}_{\text{rOLE output}} + \underbrace{(a\hat{x}_i + b + r')}_{\text{rOLE output}}$$

     - Correctness: above equation.
     - UC-secure against Receiver: $x_i := w\hat{\hat{x}}_i + \hat{x}_i$.
     - "Strong" UC-secure against Sender: deviate $\Rightarrow$ random output (not yet).
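The recombination identity above can be checked mechanically. The following is an added sketch, not code from the slides or the paper: it models each ideal rOLE call as arithmetic in a prime field and recombines the three outputs as the receiver would. The modulus `P`, the function names and the `a_third` parameter (a hypothetical way to model a sender whose third call uses a different $a$ than the commitment) are assumptions of this example.

```python
import secrets

P = 2**61 - 1  # prime modulus standing in for the field F (assumed choice)

def role(a, b, x):
    """Ideal OLE call: sender inputs (a, b), receiver inputs x, learns a*x + b."""
    return (a * x + b) % P

def commit(a, w):
    """Call 1: the receiver's reusable w yields Commitment(a) = a*w + r."""
    r = secrets.randbelow(P)
    return r, role(a, r, w)

def certified_ole(a, b, x, w, r, com, a_third=None):
    """Calls 2 and 3 for one input x, then the receiver's recombination.

    a_third (hypothetical) models a sender whose slope in call 3 differs
    from the committed a. Returns (receiver output, double-hat x).
    """
    a3 = a if a_third is None else a_third
    r2 = secrets.randbelow(P)            # sender: r' <- F
    xhh = secrets.randbelow(P)           # receiver: double-hat x_i <- F
    xh = (x - w * xhh) % P               # receiver: hat x_i = x_i - w * double-hat x_i
    out2 = role(r, r2, xhh)              # r * double-hat x_i + r'
    out3 = role(a3, (b + r2) % P, xh)    # a * hat x_i + b + r'
    return (com * xhh - out2 + out3) % P, xhh

if __name__ == "__main__":
    w = secrets.randbelow(P)             # sampled once by the receiver
    a, b = 17, 4
    r, com = commit(a, w)
    for x in (0, 5, 123456789):          # one commitment serves every x_i
        y, _ = certified_ole(a, b, x, w, r, com)
        print(x, y == (a * x + b) % P)
    y, xhh = certified_ole(a, b, 5, w, r, com, a_third=18)
    offset = (a - 18) * w * xhh % P      # masked by the receiver's secret w
    print("deviation offset matches:", (y - (18 * 5 + b)) % P == offset)
```

When the slopes differ, the receiver's result is $a'x_i + b + (a - a')\,w\,\hat{\hat{x}}_i$, so the error term is scaled by the receiver's secret $w$; this is the algebra behind the "deviate $\Rightarrow$ random output" bullet.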

  40-41. Our Results

     NEW primitive: Oblivious linear function evaluation (OLE). Sender S holds $a, b \in F$; receiver R holds $x \in F$ and gets $ax + b \in F$.

     - Theorem 2: An information-theoretical UC-secure reusable NISC protocol in rOLE-hybrid model.
     - Theorem 3: A UC-secure 2-msg reusable OLE protocol in the CRS setting, under Paillier assumption.

  42-49. rOLE from Paillier

     Dual-mode (similar to OT from [PVW'08]). In both modes S holds $a, b$ and R holds $x$. $D_1$ is indistinguishable from $D_2$.

     - Mode I ($\text{crs} \leftarrow D_1$): ciphertexts $\text{Enc}(x)$, $\text{Enc}(a - r)$, $\text{Enc}(b + rx)$. Efficient simulator against unbounded malicious receiver.
     - Mode II ($\text{crs} \leftarrow D_2$): ciphertexts $\text{Enc}(0)$, $\text{Enc}(a)$, $\text{Enc}(b)$. Efficient simulator against unbounded malicious sender.

  50-53. Paillier Encryption Scheme

     - KeyGen $\to$ public key, trapdoor.
     - Encrypt: $x$, randomness $r$ $\to$ $\text{Enc}_r(x)$.
     - Decrypt: $\text{Enc}_r(x)$, trapdoor $\to$ $x$.
     - $\text{Enc}_0(x)$ $\to$ Decrypt $\to$ $x$.
     - $\text{Enc}_r(x) \cdot \text{Enc}_s(y) = \text{Enc}_{r+s}(x + y)$.

  54-57. rOLE from Paillier

     Sender S holds $a, b$; receiver R holds $x$.

     CRS (Mode I): $h = \text{Enc}_0(1)$, $w = \text{Enc}_\alpha(0)$, $W_0 = \text{Enc}_\beta(1)$.

     Receiver: sample $sk$;
     $$W_1 = w^{sk}\, W_0^{x} = \text{Enc}_{x\beta + \alpha \cdot sk}(x)$$

     Sender: sample $r$;
     $$v = w^{r} = \text{Enc}_{r\alpha}(0)$$
     $$V_0 = h^{a}\, W_0^{-r} = \text{Enc}_{-r\beta}(a - r)$$
     $$V_1 = h^{b}\, W_1^{r} = \text{Enc}_{rx\beta + r\alpha \cdot sk}(b + rx)$$
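The message flow above, as an added Python sketch that is not code from the slides or the paper. It assumes the concrete instantiation $\text{Enc}_r(x) = (1+N)^x \cdot g^r \bmod N^2$ with $g$ a fixed $N$-th residue, which satisfies the homomorphism stated on the Paillier slide. The receiver's decoding step is not shown on the slides; the one used here, $V_0^x \cdot V_1 / v^{sk} = \text{Enc}_0(ax + b)$, is an assumption that follows from the exponents shown. The primes are toy values and all function names are chosen for this example.

```python
import secrets

# Toy parameters, constructed for illustration; far too small to be secure.
N = (2**31 - 1) * (2**61 - 1)        # product of two known primes
N2 = N * N
G = pow(2, N, N2)                    # an N-th residue that carries the randomness

def enc(x, r):
    """Enc_r(x) = (1+N)^x * G^r mod N^2 (assumed instantiation)."""
    return pow(1 + N, x, N2) * pow(G, r, N2) % N2

def dec0(c):
    """Decode Enc_0(m) = 1 + m*N; no trapdoor is needed."""
    return (c - 1) // N % N

def crs_mode1():
    alpha, beta = secrets.randbelow(N), secrets.randbelow(N)
    return {"h": enc(1, 0), "w": enc(0, alpha), "W0": enc(1, beta)}

def receiver_msg(crs, x):
    """Receiver: W1 = w^sk * W0^x, an encryption of x."""
    sk = secrets.randbelow(N)
    return sk, pow(crs["w"], sk, N2) * pow(crs["W0"], x, N2) % N2

def sender_msg(crs, W1, a, b):
    """Sender: v = w^r, V0 = h^a * W0^-r, V1 = h^b * W1^r."""
    r = secrets.randbelow(N)
    v = pow(crs["w"], r, N2)
    V0 = pow(crs["h"], a, N2) * pow(crs["W0"], -r, N2) % N2
    V1 = pow(crs["h"], b, N2) * pow(W1, r, N2) % N2
    return v, V0, V1

def receiver_out(sk, x, v, V0, V1):
    """Assumed decoding: V0^x * V1 / v^sk = Enc_0(a*x + b)."""
    return dec0(pow(V0, x, N2) * V1 * pow(v, -sk, N2) % N2)

if __name__ == "__main__":
    crs = crs_mode1()
    sk, W1 = receiver_msg(crs, 7)            # one receiver message ...
    for a, b in ((3, 5), (1000, 1)):         # ... reused for several (a, b)
        print(receiver_out(sk, 7, *sender_msg(crs, W1, a, b)), (a * 7 + b) % N)
```

The plaintext arithmetic here is modulo $N$, and the single receiver message `W1` is answered by several sender messages, which is the reusable two-message pattern the slides describe.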
