New Impossibility Results for Concurrent Composition and a - - PowerPoint PPT Presentation

SLIDE 1

New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem for Secure Computation

Abishek Kumarasubramanian

SLIDE 2

Secure Computation [Yao,GMW]

Diagram: inputs x and y, protocol Π, output f(x,y)

  • Corrupted party learns no more than protocol output
  • Security guarantee only when protocol runs in isolation

SLIDE 3

Today’s World is Concurrent

SLIDE 4

Overall Question

Can we design protocols that remain secure even when executed concurrently?

Stand-alone security does not imply security under concurrent composition [DDN92,DNS98]

SLIDE 5

Positive Results

  • If we are willing to make global trust assumptions, then general positive results known [CF01,CLOS…]
  • Alternatively, can relax the security definition to obtain positive results [Pass03,PS04,BS05,MPR06]

No general positive result in the plain model

SLIDE 6

Negative Result?

  • Broad impossibility results known in the plain model [CF01, CKL03, Lin03, Lin04, BPS06]

There are still important gaps in our understanding

SLIDE 7

Paper 1 - [Agrawal-Goyal-Jain-Prabhakaran-Sahai]

Motivation – Fixed Roles

Is concurrently secure Oblivious Transfer possible? [Lin08]

Client 1 Client 2 Client 3

  • Positive results for concurrent zero-knowledge [RK99,KP01,PRS02]
  • Impossibility for some functionalities [Lin04]

SLIDE 8

Paper 2 - [Garg-K-Ostrovsky-Visconti]

Motivation – Fixed Input

Diagram: Client 1 (X1), Client 2 (X2), Client 3 (X3); Y1, Y2, Y3

Impossibility results for two very specific (somewhat contrived) functionalities [BPS06,Goy12]

SLIDE 9

Core Result

[Agrawal-Goyal-Jain-Prabhakaran-Sahai] [Garg-K-Ostrovsky-Visconti]

  • Concurrent self composition impossible for Oblivious Transfer
  • in both fixed input, fixed role settings

SLIDE 10

Extensions

  • [Garg-K-Ostrovsky-Visconti]
      • Concurrent composition impossible for all non trivial asymmetric and symmetric functionalities
      • General stateless secure computation [GS09,GM11] is impossible
  • [Agrawal-Goyal-Jain-Prabhakaran-Sahai]
      • Non-interactive completeness theorem for non trivial asymmetric functionalities
          • subsumes result of [Kil00]
          • corollary: concurrent composition impossibility for non trivial asymmetric functionalities

SLIDE 11

Oblivious Transfer

Diagram: Ideal World and Real world, with inputs s0,s1 and b; ΠOT

SLIDE 12

Chosen Protocol Attack

Diagram: Alice (s0, s1), Dave (b, s0, s1), Bob; two ΠOT sessions

Dave: if output = s_b, send s_{1-b}

Bob merely forwards messages; successfully learns s_{1-b} always

SLIDE 13

Chosen Protocol Attack…

Diagram: Alice (s0, s1), Dave (b, s0, s1), Bob; ΠOT

Dave: if output = s_b, send s_{1-b}

Bob fails Dave’s test with prob. 1/2, so learns s_{1-b} with prob. 1/2
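The gap between the two Chosen Protocol Attack slides can be checked by enumeration. This is an added example, not code from the talk or the papers. It assumes ΠOT is modelled only by its correctness (the receiver obtains s_choice), that Bob is the receiver toward Alice and the sender toward Dave, and that s0, s1 are unguessable; all function names and sample strings are hypothetical.

```python
from itertools import product

S0, S1 = b"constructed-secret-0", b"constructed-secret-1"  # constructed sample inputs

def ot(s0, s1, choice):
    """OT as a functionality: the receiver obtains s_choice and nothing else."""
    return (s0, s1)[choice]

def dave(b, s0, s1, received):
    """Dave's test: if his OT output equals s_b he sends s_{1-b}, else nothing."""
    return (s0, s1)[1 - b] if received == (s0, s1)[b] else None

def real_world_bob(b):
    """Bob forwards every message between Alice and Dave, so Dave's session
    completes as a correct OT with Alice's inputs and Dave's choice bit b."""
    return dave(b, S0, S1, ot(S0, S1, b))

def ideal_world_bob(b, guess):
    """Bob gets one query to the ideal OT with Alice, made without knowing b.
    Assumption: s0, s1 are unguessable, so the slot he did not query holds filler."""
    inputs = [b"filler", b"filler"]
    inputs[guess] = ot(S0, S1, guess)
    return dave(b, S0, S1, ot(inputs[0], inputs[1], b))

def release_rates():
    """Fraction of runs in which Dave's test passes and he sends s_{1-b} to Bob."""
    real = [real_world_bob(b) == (S0, S1)[1 - b] for b in (0, 1)]
    ideal = [ideal_world_bob(b, g) == (S0, S1)[1 - b]
             for b, g in product((0, 1), repeat=2)]
    return sum(real) / len(real), sum(ideal) / len(ideal)

if __name__ == "__main__":
    print(release_rates())
```

Whichever bit Bob queries in the ideal world, he passes Dave's test only when it matches b, which is the 1/2 on the slide.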

SLIDE 14

From Chosen Protocol Attack to Impossibility

  • f Concurrent OT

replace with garbled circuits computing his next msg function


Keys for garbled circuits Obtained by more OT concurrent executions

Dave Bob Alice

SLIDE 15

Complete Proof

Full version 1 2 Full versions!

SLIDE 16

Thank you! And Questions!

Many thanks to Abhishek Jain and Shweta Agrawal for the slides. Only 1/3 of the blame goes to me!