Our results Assuming 4 round oblivious transfer (OT), there exists a 4 round MPC protocol. OT: Indistinguishability security against malicious sender, and extraction of receiver bit. OT protocols satisfying such properties are indeed known. 11
Protecting the 4 th round message 12
Challenge: Enforcing Honest Behavior π Any 4 round protocol computing a function π . 13
Challenge: Enforcing Honest Behavior π Rushing adversary May decide not to send its message after it sees Bobβs message. 14
Challenge: Enforcing Honest Behavior π Rushing adversary May decide not to send its message after it sees Bobβs message. 14
Challenge: Enforcing Honest Behavior π Rushing adversary May decide not to send its message after it sees Bobβs message. output Only Alice learns the output. 14
Challenge: Enforcing Honest Behavior identity Rushing adversary May decide not to send its message after it sees Bobβs message. output 15
Challenge: Enforcing Honest Behavior identity Rushing adversary May decide not to send its message after it sees Bobβs message. Bobβs input 16
Challenge: Enforcing Honest Behavior identity Rushing adversary Donβt send fourth round message unless May decide not to Alice proves honest send its message after behavior. it sees Bobβs message. Bobβs input 16
Challenge: Enforcing Honest Behavior Typical approach: Donβt send fourth round message unless Alice convinces Bob of honest behavior Alice proves honest behavior. via zero-knowledge proof before Bob sends his fourth round message. identity Bobβs input 17
Challenge: Enforcing Honest Behavior Typical approach: Donβt send fourth round message unless Alice convinces Bob of honest behavior Alice proves honest behavior. via zero-knowledge proof before Bob sends his fourth round message. identity Requires 3 round zero-knowledge proofs [Goldreich- Krawczykβ96]: Impossible with Black-box simulation. Bobβs input 17
Challenge: Enforcing Honest Behavior Typical approach: Donβt send fourth round message unless Alice convinces Bob of honest behavior Alice proves honest behavior. via zero-knowledge proof before Bob sends his fourth round message. identity Requires 3 round zero-knowledge proofs [Goldreich- Krawczykβ96]: Impossible with Black-box simulation. Bobβs input Many other challenges, but for this talk, we focus on solving this challenge. 17
Interactive Multiparty Conditional Disclosure of Secret (MCDS) 18
Conditional Disclosure of Secrets (CDS) 19
Conditional Disclosure of Secrets (CDS) message 20
Conditional Disclosure of Secrets (CDS) message message 20
Conditional Disclosure of Secrets (CDS) message message witness + 20
Conditional Disclosure of Secrets (CDS) message message witness message = + If witness satisfies specified condition. 20
Conditional Disclosure of Secrets (CDS) message message witness message = + If witness satisfies specified condition. [Gertner-Ishai-Kushilevitz-Malkin98, Aiello-Ishai-Reingold01] 20
CDS as safety net π 21
CDS as safety net π 22
CDS as safety net π βI behaved honestlyβ 22
CDS as safety net π βI behaved honestlyβ How do we prove honest behavior? 22
CDS as safety net π input and randomness 23
CDS as safety net π input and randomness Does this work with more than 2 parties? 23
CDS as safety net 24
CDS as safety net input and randomness input and randomness 25
CDS as safety net input and randomness input and randomness 26
CDS as safety net everyone behaved honestly everyone behaved honestly 27
CDS as safety net Want a public witness at the end of the fourth everyone behaved round. honestly Use 4 round zero- knowledge proofs. everyone behaved honestly 27
CDS as safety net Want a public witness at the end of the fourth π π΅ π πΆ round. π π΅ π πΆ Use 4 round zero- knowledge proofs. π π΅ π πΆ 28
Implementing CDS? We want to build a CDS based on OT. π π΅ π πΆ Only known non-interactive π π΅ π πΆ realization is Witness Encryption, which is known assuming Indistinguishability Obfuscation (iO). π π΅ π πΆ 29
Interactive Multiparty CDS (MCDS) 30
Interactive Multiparty CDS (MCDS) Oblivious Transfer (OT) 30
Interactive Multiparty CDS (MCDS) Oblivious Transfer (OT) Garbled Circuit 30
Interactive Multiparty CDS (MCDS) Oblivious Transfer (OT) Garbled Circuit 31
Interactive Multiparty CDS (MCDS) 1-out-of-2 OT [Even-Goldreich- Lempelβ82] Oblivious Transfer (OT) Garbled Circuit receiver sender π π¦ 0 , π¦ 1 32
Interactive Multiparty CDS (MCDS) 1-out-of-2 OT [Even-Goldreich- Lempelβ82] Oblivious Transfer (OT) Garbled Circuit receiver sender π π¦ 0 , π¦ 1 π¦ π 32
Interactive Multiparty CDS (MCDS) Oblivious Transfer (OT) input circuit Garbled Circuit 33
Interactive Multiparty CDS (MCDS) Oblivious Transfer (OT) input circuit Garbled Circuit garble input 33
Interactive Multiparty CDS (MCDS) Oblivious Transfer (OT) input circuit Garbled Circuit garble input 34
Interactive MCDS witness message Input: witness if witness satisfies condition, output message receiver sender 35
Interactive MCDS witness message receiver sender 36
Interactive MCDS witness message receiver sender 37
Interactive MCDS witness message receiver sender 38
Interactive MCDS witness message receiver sender 39
Interactive MCDS to protect 4 th round 40
Interactive MCDS to protect 4 th round β― π 1 π 2 π 3 40
Interactive MCDS to protect 4 th round garbled circuit β― π 1 π 2 π 3 41
Interactive MCDS to protect 4 th round OT garbled circuit β― π 1 π 2 π 3 41
Interactive MCDS to protect 4 th round OT OT receiver input must be decided by the 3rd round of the OT. garbled circuit β― π 1 π 2 π 3 41
Interactive MCDS to protect 4 th round OT OT receiver input must be decided by the 3rd round of the OT. garbled circuit β― π 1 π 2 π 3 Requires 3 round zero-knowledge proofs! 41
Weakened Requirement from ZK proof? OT garbled circuit π 1 π 2 π 3 β― Requires 3 round zero-knowledge proofs! 42
Weakened Requirement from ZK proof? OT 1. ZK in the simultaneous message model. garbled circuit π 1 π 2 π 3 β― Requires 3 round zero-knowledge proofs! 42
Weakened Requirement from ZK proof? OT 1. ZK in the simultaneous message model. 2. The third round of the ZK garbled proof hidden until the fourth circuit π 1 π 2 π 3 β― round of MPC. Remains hidden if Bob aborts in the Requires 3 round zero-knowledge proofs! third round. Essentially repurposing a three round protocol to work in four rounds. 42
Weakened Requirement from ZK proof? OT 1. ZK in the simultaneous message model. 2. The third round of the ZK garbled proof hidden until the fourth circuit π 1 π 2 π 3 β― round of MPC. Remains hidden if Bob aborts in the Requires 3 round zero-knowledge proofs! third round. Essentially repurposing a three round protocol to work in four rounds. Promise Zero-Knowledge [Badrinarayanan-Goyal-Jain-Kalai-Khurana-Sahai18] Assuming OT, there exists a 3 round zero-knowledge protocol in the simultaneous message model secure against verifiers who do not abort. 42
Weakened Requirement from ZK proof? OT 1. ZK in the simultaneous interactive message model. MCDS 2. The third round of the ZK proof hidden until the fourth π 1 π 2 π 3 β― round of MPC. Promise ZK Remains hidden if Bob aborts in the third round. Essentially repurposing a three round protocol to work in four rounds. Promise Zero-Knowledge [Badrinarayanan-Goyal-Jain-Kalai-Khurana-Sahai18] Assuming OT, there exists a 3 round zero-knowledge protocol in the simultaneous message model secure against verifiers who do not abort. 43
Putting it together in the multiparty setting π π΅ π πΆ π π΅ π πΆ π π΅ π πΆ 44
Putting it together in the multiparty setting π πΆ interactive MCDS π π΅ 45
Putting it together in the multiparty setting Receive Carolβs fourth π πΆ round message if interactive Promise ZK proofs of MCDS Alice and Bob verify. Nobody receives Carolβs π π΅ message if even one party cheats. 45
Towards a Full Protocol Many moving components in the final protocol. 46
Towards a Full Protocol Many moving components in the final protocol. Non-malleability challenges in limited rounds. 46
Recommend
More recommend
