Two-party computation
By Shuoyao Zhao, 2018.1.4
Problem Abstraction
• Alice holds $x \in \{0,1\}^s$; Bob holds $y \in \{0,1\}^t$; $f$ is a public function.
• Goal: compute $z = f(x, y)$.
• Security requirement: reveal $z$, but nothing more!
Ideally, with a Trusted Party
• Alice sends $x$ and Bob sends $y$ to a trusted party, which computes $z = f(x, y)$ and returns $z$ to both of them.
In the Real World
• There is no trusted party: Alice and Bob exchange messages directly, and each must end up with $z = f(x, y)$ but nothing more. Secure computation enables this!
A Binary Gate [Yao, FOCS'86]
• Example: a NAND gate with input wire A (Alice's bit $x$), input wire B (Bob's bit $y$) and output wire Z; in the walk-through $x = 0$ and $y = 0$.
• Alice is the generator, Bob is the evaluator.
• Alice picks $a_0, a_1, b_0, b_1, z_0, z_1$: independent random bit strings, where $a_0, a_1$ stand for the two values of wire A, $b_0, b_1$ for wire B and $z_0, z_1$ for wire Z.
• The wire strings are used as keys, the output strings as messages. The garbled NAND gate is the table
  $\mathrm{Enc}_{a_0,b_0}(z_1)$, $\mathrm{Enc}_{a_0,b_1}(z_1)$, $\mathrm{Enc}_{a_1,b_0}(z_1)$, $\mathrm{Enc}_{a_1,b_1}(z_0)$.
  The same construction garbles any binary gate (e.g. AND) by placing the output keys according to that gate's truth table.
• Bob, the evaluator, receives the table together with $a_0$ (Alice's key for $x = 0$) and $b_0$ (the key for his own $y = 0$).
Prevent the Leak [Yao, FOCS'86]
• Bob, holding $a_0$ and $b_0$, tries all four entries: $\mathrm{Enc}_{a_1,b_1}(z_0)$ ✗, $\mathrm{Enc}_{a_1,b_0}(z_1)$ ✗, $\mathrm{Enc}_{a_0,b_1}(z_1)$ ✗, $\mathrm{Enc}_{a_0,b_0}(z_1)$ ✔.
• Only the entry under his own pair of keys opens, so he learns $z_1$ and nothing about the other three rows.
Transferring $b_0$ obliviously [Naor-Pinkas, SODA'00]
• Bob (evaluator) has $y = 0$ and needs $b_0$; Alice (generator) holds $b_0, b_1$. Alice must not learn $y$, and Bob must not learn $b_1$.
• Oblivious Transfer: Alice inputs $b_0, b_1$, Bob inputs $y$, and Bob's output is $b_y$.
Security of NPOT
• Receiver's privacy: $h$ is uniformly random, independent of $y$.
• Sender's privacy: the receiver cannot learn the other string $b_{1-y}$, as it doesn't know $\log_g C$.
Paper
• A Proof of Security of Yao's Protocol for Two-Party Computation. Authors: Yehuda Lindell, Benny Pinkas.
The differences (paper vs. the slides above)
• $f(x,y) = (f_1(x,y), f_2(x,y))$: each party may receive its own output.
• Description of the garbled gate.
Parameter table (symbol: meaning)
• $g(\alpha,\beta)$: circuit-output gate
• $w_i$, e.g. $w_1$: circuit-output wire
• $0, 1$: corresponding real values
• $k_w^0, k_w^1$: random keys
• $(0, k_w^0)$ (and likewise $(1, k_w^1)$): output decryption tables
• $E_{k_1^0}(E_{k_2^0}(k_3^0))$: garbled computation box
• $E_1, E_2, E_3, E_4$: garbled computation table
Each pair of keys opens only one box for each gate!!!
Modeling Adversaries
• Semi-honest (honest-but-curious): always follows the protocol, but tries to learn extra information from the execution transcripts.
• Malicious/active: absolutely no restriction on the polynomial-time adversary.
Definition (1)
• Let $f = (f_1, f_2)$ be a probabilistic polynomial-time functionality, and let $\pi$ be a two-party protocol for computing $f$.
• The view of the $i$-th party ($i \in \{1, 2\}$) during an execution of $\pi$ on $(x, y)$ is denoted
  $\mathrm{view}_i^{\pi}(x, y) = (x, r^i, m_1^i, \ldots, m_t^i)$,
  where $r^i$ equals the contents of the $i$-th party's internal random tape, and $m_j^i$ represents the $j$-th message that it received.
Definition (2)
• The output of the $i$-th party during an execution of $\pi$ on $(x, y)$ is denoted $\mathrm{output}_i^{\pi}(x, y)$ and can be computed from its own view of the execution. Denote
  $\mathrm{output}^{\pi}(x, y) = (\mathrm{output}_1^{\pi}(x, y), \mathrm{output}_2^{\pi}(x, y))$.
  Note that this may differ from $f(x, y)$.
Definition (3)
• Definition 1: Let $f = (f_1, f_2)$ be a functionality. We say that $\pi$ securely computes $f$ in the presence of static semi-honest adversaries if there exist probabilistic polynomial-time algorithms $S_1$ and $S_2$ such that
  $\{(S_1(x, f_1(x, y)), f(x, y))\}_{x, y \in \{0,1\}^*} \stackrel{c}{\equiv} \{(\mathrm{view}_1^{\pi}(x, y), \mathrm{output}^{\pi}(x, y))\}_{x, y \in \{0,1\}^*}$
  and
  $\{(S_2(y, f_2(x, y)), f(x, y))\}_{x, y \in \{0,1\}^*} \stackrel{c}{\equiv} \{(\mathrm{view}_2^{\pi}(x, y), \mathrm{output}^{\pi}(x, y))\}_{x, y \in \{0,1\}^*}$.
Definition (4)
• A simpler formulation for deterministic functionalities: in the case that the functionality $f$ is deterministic, a simpler definition can be used. Specifically, we do not need to consider the joint distribution of the simulator's output with the protocol output. Rather, we separately require that
  $\mathrm{output}^{\pi}(x, y) = f(x, y)$,
  and in addition that there exist $S_1$ and $S_2$ such that
  $\{S_1(x, f_1(x, y))\}_{x, y \in \{0,1\}^*} \stackrel{c}{\equiv} \{\mathrm{view}_1^{\pi}(x, y)\}_{x, y \in \{0,1\}^*}$,
  $\{S_2(y, f_2(x, y))\}_{x, y \in \{0,1\}^*} \stackrel{c}{\equiv} \{\mathrm{view}_2^{\pi}(x, y)\}_{x, y \in \{0,1\}^*}$.
Definition (5)
• Deterministic same-output functionalities: we say that a functionality $f = (f_1, f_2)$ is same-output if $f_1 = f_2$.
• In our presentation, we will show how to securely compute deterministic same-output functionalities only. This suffices for obtaining secure protocols for arbitrary probabilistic functionalities.
Definition (6)
• Proof of the claim on the last slide. Reducing a probabilistic functionality to a deterministic one: each party contributes a share of the randomness,
  $f'((x, r), (y, s)) = f(x, y, r \oplus s)$.
  Reducing to a deterministic same-output functionality: each party's output is masked by its own random pad,
  $f'((x, r), (y, s)) = (f_1(x, y) \oplus r) \| (f_2(x, y) \oplus s)$.
Tools — private-key encryption (1)
• Let $(G, E, D)$ be a private-key encryption scheme and denote the range of a key in the scheme by
  $\mathrm{Range}_n(k) = \{E_k(x) : x \in \{0,1\}^n\}$.
Tools — private-key encryption (2)
• We say that $(G, E, D)$ has an elusive range if for every probabilistic polynomial-time machine $A$, every polynomial $p(\cdot)$, and all sufficiently large $n$,
  $\Pr_{k \leftarrow G(1^n)}[A(1^n) \in \mathrm{Range}_n(k)] < 1/p(n)$.
Tools — private-key encryption (3)
• We say that $(G, E, D)$ has an efficiently verifiable range if there exists a probabilistic polynomial-time machine $M$ such that $M(k, c) = 1$ if and only if $c \in \mathrm{Range}_n(k)$.
Tools — private-key encryption (4)
• Construction: let $F = \{f_k\}$ be a family of pseudorandom functions, where $f_k : \{0,1\}^n \to \{0,1\}^{2n}$ for $k \in \{0,1\}^n$. Then define, for a uniformly random $r \in \{0,1\}^n$,
  $E_k(x) = (r,\ f_k(r) \oplus (x \| 0^n))$.
• This $E_k$ has an efficiently verifiable range: decrypt and check that the last $n$ bits are $0^n$. Its range is also elusive; proof: $f_k(x)$ and $f_{\mathrm{rand}}(x)$ are indistinguishable, so without $k$ an adversary can do no better than hit the range of a truly random function.
Tools — private-key encryption (5)
• Other properties needed for $(G, E, D)$:
• For every two (known) vectors of messages $x$ and $y$, no polynomial-time adversary can distinguish an encryption of the vector $x$ from an encryption of the vector $y$.
• An encryption under one key falls in the range of an encryption under another key with only negligible probability. Easy to fulfill.
Proof of correctness (1)
• If $E_k(x)$ has an efficiently verifiable range, then Yao's two-party protocol constructed from $E_k(x)$ is correct.
• All we need to prove: if $k_1^0, k_2^0, k_1^1, k_2^1, k_3$ are chosen uniformly and independently, then for each $(i, j) \in \{(0,1), (1,0), (1,1)\}$
  $\Pr[E_{k_1^i}(E_{k_2^j}(k_3)) \in \mathrm{Range}_n(k_1^0, k_2^0)] < 1/p(n)$,
  i.e. an entry encrypted under a wrong pair of keys is accepted by the range check for the correct pair only with negligible probability.
Proof of correctness (2)
(1) $i = 0$, $j = 1$:
  $\Pr[E_{k_1^0}(E_{k_2^1}(k_3)) \in \mathrm{Range}_n(k_1^0, k_2^0)] = \Pr[E_{k_2^1}(k_3) \in \mathrm{Range}_n(k_2^0)] < 1/p(n)$.
(2) $i = 1$ (either $j$):
  $\Pr[E_{k_1^1}(E_{k_2^j}(k_3)) \in \mathrm{Range}_n(k_1^0, k_2^0)] \le \Pr[E_{k_1^1}(k') \in \mathrm{Range}_n(k_1^0)] < 1/p(n)$,
  where $k' = E_{k_2^j}(k_3)$.
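As an added worked example (not from the slides or the Lindell-Pinkas paper), the single garbled NAND gate of the "A Binary Gate" slides built on the $E_k(x) = (r, f_k(r) \oplus (x \| 0^n))$ scheme of "Tools (4)", so the evaluator's range check from "Proof of correctness" is what tells him which of the four boxes opened. Keyed SHAKE256 standing in for the PRF family, and a 128-bit $n$, are assumptions of this example.

```python
import hashlib
import secrets

N = 16  # the paper's security parameter n, here in bytes (128 bits)

def prf(k, r, length):
    # PRF f_k(r) expanded to `length` bytes. Keyed SHAKE256 is an assumption
    # standing in for the page's abstract pseudorandom function family.
    return hashlib.shake_256(k + r).digest(length)

def enc(k, x):
    # E_k(x) = (r, f_k(r) XOR (x || 0^n)); the appended zero block is what
    # makes the range efficiently verifiable.
    r = secrets.token_bytes(N)
    pad = prf(k, r, len(x) + N)
    return r + bytes(p ^ m for p, m in zip(pad, x + bytes(N)))

def dec(k, c):
    # The range checker M(k, c): returns x if c is in Range_n(k), i.e. the
    # trailing block decrypts to 0^n, and None otherwise.
    r, body = c[:N], c[N:]
    m = bytes(p ^ b for p, b in zip(prf(k, r, len(body)), body))
    return m[:-N] if m[-N:] == bytes(N) else None

def garble_nand():
    # Generator (Alice): independent random keys a0,a1 / b0,b1 / z0,z1 and the
    # four entries Enc_{a_i,b_j}(z_{NAND(i,j)}), shuffled so position leaks nothing.
    a, b, z = ([secrets.token_bytes(N) for _ in range(2)] for _ in range(3))
    table = [enc(a[i], enc(b[j], z[1 - (i & j)])) for i in (0, 1) for j in (0, 1)]
    secrets.SystemRandom().shuffle(table)
    return a, b, z, table

def evaluate(table, ka, kb):
    # Evaluator (Bob): holding one key per input wire, try every entry; the
    # range check rejects the three wrong ones, so exactly one "box" opens.
    opened = []
    for c in table:
        inner = dec(ka, c)
        out = dec(kb, inner) if inner is not None else None
        if out is not None:
            opened.append(out)
    if len(opened) != 1:
        raise ValueError("expected exactly one entry to open, got %d" % len(opened))
    return opened[0]

def nand_via_garbled_gate(x, y):
    # One full run; the output decryption table (0, z0), (1, z1) maps the
    # recovered output-wire key back to a real bit.
    a, b, z, table = garble_nand()
    return {z[0]: 0, z[1]: 1}[evaluate(table, a[x], b[y])]
```

The wrong-key case fails the check except with probability about $2^{-128}$, which is the "negligible probability" the correctness proof bounds by $1/p(n)$.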
Transferring $b_0$ obliviously: OT from enhanced trapdoor permutations
• $(f, t)$ is a permutation-trapdoor pair from a family of enhanced trapdoor permutations, and $B(\cdot)$ is a hard-core predicate of $f$.
• Bob (evaluator, input $y$): $v_y \leftarrow D_f$, $w_y = f(v_y)$, $w_{1-y} \leftarrow V_f$; sends $(w_0, w_1)$ to Alice.
• Alice (generator, inputs $b_0, b_1$): $v_0 = f^{-1}(w_0)$, $v_1 = f^{-1}(w_1)$, $m_0 = B(v_0) \oplus b_0$, $m_1 = B(v_1) \oplus b_1$; sends $(m_0, m_1)$ to Bob.
• Bob outputs $b_y = B(v_y) \oplus m_y$.
• Bob has no information about $t$ (the trapdoor), which means $(f, t)$ should be sampled by Alice and then only $f$ sent to Bob.
Tools — OT
• About $w_{1-y} \leftarrow V_f$: an enhanced trapdoor permutation has the property that it is possible to sample from the range, so that given the coins used for sampling.
• The comparison of the two OTs: $v_y \leftarrow D_f,\ w_y = f(v_y),\ w_{1-y} \leftarrow V_f$ (trapdoor-permutation OT) vs. $h_y \leftarrow k,\ h_{1-y} \leftarrow C - k$ (Naor-Pinkas).
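As an added example (not from the slides or the paper), the trapdoor-permutation OT of the "Transferring $b_0$ obliviously" slide run end to end for one bit. It assumes a toy RSA permutation with a constructed 27-bit modulus as the enhanced trapdoor permutation, the least significant bit as the hard-core predicate $B$, and uniform sampling of $\mathbb{Z}_N$ for both $D_f$ and $V_f$.

```python
import secrets

# Toy RSA trapdoor permutation f(v) = v^e mod N with trapdoor d. The modulus is a
# constructed 27-bit example for illustration only; real parameters are far larger.
P, Q = 10007, 10009                  # both prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # the trapdoor t: Alice samples (f, t), sends only f

def f(v):                            # the permutation, public
    return pow(v, E, N)

def f_inv(w):                        # f^{-1}, needs the trapdoor
    return pow(w, D, N)

def hardcore(v):                     # B(): least significant bit, a hard-core bit of RSA
    return v & 1

def sample_domain():                 # v <- D_f
    return secrets.randbelow(N - 1) + 1

def sample_range():                  # w <- V_f: a range element with no preimage known
    return secrets.randbelow(N - 1) + 1

def receiver_choose(y):
    # Bob: v_y <- D_f, w_y = f(v_y), w_{1-y} <- V_f; sends (w_0, w_1).
    # Both w's are uniform, so Alice learns nothing about y.
    v_y = sample_domain()
    w = [0, 0]
    w[y] = f(v_y)
    w[1 - y] = sample_range()
    return v_y, w

def sender_respond(w, b):
    # Alice: v_i = f^{-1}(w_i), m_i = B(v_i) XOR b_i; sends (m_0, m_1).
    return [hardcore(f_inv(w[i])) ^ b[i] for i in (0, 1)]

def receiver_output(y, v_y, m):
    # Bob: b_y = B(v_y) XOR m_y. He holds no preimage of w_{1-y}, so m_{1-y}
    # is masked by a hard-core bit he cannot compute without the trapdoor.
    return hardcore(v_y) ^ m[y]

def ot_bit(y, b):
    v_y, w = receiver_choose(y)
    return receiver_output(y, v_y, sender_respond(w, b))
```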