
Robust Transforming Combiners from iO to Functional Encryption

Robust Transforming Combiners from iO to Functional Encryption. Prabhanjan Ananth, Aayush Jain, Amit Sahai. Since 2013: Two-Round (Adaptive) Multi-Party Computation; Instantiating Random Oracles; Non-Interactive Multi-party Key


  1. Removing dependency on x: Idea 2 “Encrypt Inputs” [BV’15] • Consider a “special” circuit garbling scheme with an additional property.

  2. Removing dependency on x: Idea 2 “Encrypt Inputs” [BV’15] • Consider a “special” circuit garbling scheme with an additional property. For any equivalent circuits C_0 and C_1: Eval([C_0],*) ≅ Eval([C_1],*)

  3. Removing dependency on x: Idea 2 “Encrypt Inputs” [BV’15] • Consider a “special” circuit garbling scheme with an additional property. For any equivalent circuits C_0 and C_1: Eval([C_0],*) ≅ Eval([C_1],*) • Such garbled circuits can be constructed from one-way functions.

  4. Combining Ideas

  5. Combining Ideas 1. Use the modified obfuscator to obfuscate Eval([C],*) 2. Release the encoding key MSK to the evaluator.

  6. Combining Ideas For any x, Pr_{coins(P)}[C*(x) = C(x)] ≥ 1 − 2/k 1. Use the modified obfuscator to obfuscate Eval([C],*) 2. Release the encoding key MSK to the evaluator.

  7. Combining Ideas For any x, Pr_{coins(P)}[C*(x) = C(x)] ≥ 1 − 2/k 1. Use the modified obfuscator to obfuscate Eval([C],*) 2. Release the encoding key MSK to the evaluator. Perform BPP Amplification to get almost correctness

  8. Theorem 2: Combining iO IDEA:

  9. Theorem 2: Combining iO IDEA: • No candidate should get the circuit in the clear.

  10. Theorem 2: Combining iO IDEA: • No candidate should get the circuit in the clear. • Every candidate should get a secret share of circuit C.

  11. Theorem 2: Combining iO IDEA: • No candidate should get the circuit in the clear. • Every candidate should get a secret share of circuit C. • On every input x, the candidates “jointly compute” C(x)

  12. Theorem 2: Combining iO IDEA: • No candidate should get the circuit in the clear. • Every candidate should get a secret share of circuit C. • On every input x, the candidates “jointly compute” C(x) How to do this?

  13. Theorem 2: Combining iO IDEA: • No candidate should get the circuit in the clear. • Every candidate should get a secret share of circuit C. • On every input x, the candidates “jointly compute” C(x) How to do this? Use MPC Techniques!

  14. Approach of AJNSY’16

  15. Approach of AJNSY’16 • Let C be the circuit to be obfuscated.

  16. Approach of AJNSY’16 • Let C be the circuit to be obfuscated. • Use a non-interactive MPC.

  17. Approach of AJNSY’16 • Let C be the circuit to be obfuscated. • Use a non-interactive MPC. • Secret share circuit C into C_1,…,C_N. Treat C_i as input to P_i.

  18. Approach of AJNSY’16 • Let C be the circuit to be obfuscated. • Use a non-interactive MPC. • Secret share circuit C into C_1,…,C_N. Treat C_i as input to P_i. • Obfuscate the circuit containing C_i and the pre-processed state using candidate P_i

  19. Approach of AJNSY’16 • Let C be the circuit to be obfuscated. • Use a non-interactive MPC. • Secret share circuit C into C_1,…,C_N. Treat C_i as input to P_i. • Obfuscate the circuit containing C_i and the pre-processed state using candidate P_i. MPC protocols satisfying such properties are based on assumptions such as LWE/DDH [MW’16, BGI’17]

  20. Approach of AJNSY’16 • Let C be the circuit to be obfuscated. • Use a non-interactive MPC. • Secret share circuit C into C_1,…,C_N. Treat C_i as input to P_i. • Obfuscate the circuit containing C_i and the pre-processed state using candidate P_i. MPC protocols satisfying such properties are based on assumptions such as LWE/DDH [MW’16, BGI’17]. Can we weaken assumptions by relying on interactive MPC?

  21. Our Approach

  22. Our Approach

  23. Our Approach • Secret share circuit to (C_1,…,C_N) using additive secret sharing.

  24. Our Approach • Secret share circuit to (C_1,…,C_N) using additive secret sharing. • Treat each candidate as a party in interactive MPC protocol.

  25. Our Approach • Secret share circuit to (C_1,…,C_N) using additive secret sharing. • Treat each candidate as a party in interactive MPC protocol. • Run the MPC protocol for U(C_1 + … + C_N, x) to learn C(x)

  26. How to evaluate MPC?

  27. How to evaluate MPC? • Using candidate P_i, obfuscate NextMsg(C_i, *)

  28. How to evaluate MPC? • Using candidate P_i, obfuscate NextMsg(C_i, *)

  29. How to evaluate MPC? • Using candidate P_i, obfuscate NextMsg(C_i, *) [Diagram labels: P_1.Obf; P_2.Obf]

  30. How to evaluate MPC? • Using candidate P_i, obfuscate NextMsg(C_i, *) [Diagram labels: P_1.Obf NextMsg_1(C_1, *); P_2.Obf NextMsg_2(C_2, *)]

  31. How to evaluate MPC? • Using candidate P_i, obfuscate NextMsg(C_i, *) We need exponentially many OTs. [Diagram labels: P_1.Obf NextMsg_1(C_1, *); P_2.Obf NextMsg_2(C_2, *)]

  32. (Random) OT [Diagram labels: P_2; P_1]

  33. (Random) OT [Diagram labels: P_2; P_1; (r_0, r_1)]

  34. (Random) OT [Diagram labels: P_2; P_1; (r_0, r_1); b]

  35. (Random) OT [Diagram labels: P_2; P_1; (r_0, r_1); (r_0, r_1); b]

  36. (Random) OT [Diagram labels: P_2; P_1; (r_0, r_1); (r_0, r_1); (b, r_b); b]

  37. How to Implement OT?

  38. How to Implement OT? • Use any OT protocol? Assumptions are stronger.

  39. How to Implement OT? • Use any OT protocol? Assumptions are stronger. • Pre-process random OTs. Exponential pre-processing required.

  40. How to Implement OT? • Use any OT protocol? Assumptions are stronger. • Pre-process random OTs. Exponential pre-processing required. • Use PRF keys to generate OTs on the fly.

  41. Using PRF keys

  42. Using PRF keys [Diagram labels: K_12; P_2.Obf NextMsg_2(C_2, *)]

  43. Using PRF keys [Diagram labels: K_12; P_1.Obf NextMsg_1(C_1, *); K_12; P_2.Obf NextMsg_2(C_2, *)]

  44. Using PRF keys But the PRF key K_{i,j} is obfuscated individually by both candidates P_i and P_j [Diagram labels: K_12; P_1.Obf NextMsg_1(C_1, *); K_12; P_2.Obf NextMsg_2(C_2, *)]

  45. Using PRF keys But the PRF key K_{i,j} is obfuscated individually by both candidates P_i and P_j [Diagram labels: K_12; P_1.Obf NextMsg_1(C_1, *); K_12; P_2.Obf NextMsg_2(C_2, *)]
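
The PRF-key idea from slides 40 to 45, as an added Python sketch that is not from the presentation: both halves of the random OT for instance (x, round) are re-derived from K_12 on demand, then the random OT is derandomised with the standard precomputed-OT trick (a step beyond what the slides show). HMAC-SHA256 as the PRF, the tag format and every function name are assumptions; the key is passed in the clear only to check correctness, whereas on the slides it sits inside the obfuscated NextMsg programs.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, n: int = 16) -> bytes:
    # HMAC-SHA256 stands in for the PRF (assumption: the slides name none).
    return hmac.new(key, label, hashlib.sha256).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def ot_tag(x: bytes, rnd: int) -> bytes:
    # One OT instance per (input x, protocol round): nothing is stored per input.
    return hashlib.sha256(b"ot|%d|" % rnd + x).digest()

def sender_half(k: bytes, tag: bytes):
    # Sender's random-OT output (r_0, r_1).
    return prf(k, tag + b"|r0"), prf(k, tag + b"|r1")

def receiver_half(k: bytes, tag: bytes):
    # Receiver's random-OT output (b, r_b).
    b = prf(k, tag + b"|b", 1)[0] & 1
    return b, prf(k, tag + b"|r%d" % b)

# Derandomisation: turn the random OT into an OT on chosen 16-byte values.
def receiver_request(k, tag, c):
    b, _ = receiver_half(k, tag)
    return c ^ b                      # d hides the real choice c behind b

def sender_reply(k, tag, d, m0, m1):
    r = sender_half(k, tag)
    return xor(m0, r[d]), xor(m1, r[1 - d])

def receiver_open(k, tag, c, reply):
    _, r_b = receiver_half(k, tag)
    return xor(reply[c], r_b)         # only m_c was masked with r_b

def run_ot(k, x, rnd, c, m0, m1):
    tag = ot_tag(x, rnd)
    d = receiver_request(k, tag, c)
    return receiver_open(k, tag, c, sender_reply(k, tag, d, m0, m1))

if __name__ == "__main__":
    K12 = bytes(range(32))            # constructed key for the demo
    m0, m1 = b"message-zero-16B", b"message-one--16B"
    for x in (b"\x00\x01", b"\xff\xfe"):
        print(x.hex(), run_ot(K12, x, 3, 0, m0, m1), run_ot(K12, x, 3, 1, m0, m1))
```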
