Non-Interactive Secure Computation from One-Way Functions - - PowerPoint PPT Presentation

non interactive secure computation from one way functions
SMART_READER_LITE
LIVE PREVIEW

Non-Interactive Secure Computation from One-Way Functions - - PowerPoint PPT Presentation

Apr 17, 2023 231 likes •443 views

Non-Interactive Secure Computation from One-Way Functions Saikrishna Badrinarayanan Abhishek Jain (UCLA) (JHU) Rafail Ostrovsky Ivan Visconti (UCLA) (University of Salerno) Secure Two Party Computation Function f Input x Input y P 2 P 1

slide-1
SLIDE 1

Non-Interactive Secure Computation from One-Way Functions

Saikrishna Badrinarayanan Abhishek Jain (UCLA) (JHU) Rafail Ostrovsky Ivan Visconti (UCLA) (University of Salerno)

slide-2
SLIDE 2

Secure Two Party Computation

P1 P2 Input x Input y Function f Goal: Both parties wish to run a protocol at the end of which they both learn the output

  • f the function on their joint inputs.
slide-3
SLIDE 3

Secure Two Party Computation

P1 P2 Input x Input y Function f Security: Informally, adversary should not learn anything about y other than f(x, y) !

slide-4
SLIDE 4

UC-Secure Computation [Canetti 01]

P1 P2 Input x1 Input x2 P3 Input z3 Input y1 Input y3 Input z2 P4 Input w4 Input w2 Many sessions are executed in parallel Function f Function g Function p

slide-5
SLIDE 5

UC-Secure Computation [Canetti 01]

P1 P2 Input x1 Input x2 P3 Input z3 Input y1 Input y3 Input z2 P4 Input w4 Input w2 Informally, adversary should not learn anything other than function outputs! Function f Function g Function p

slide-6
SLIDE 6

Continued..

  • Numerous applications
  • Unfortunately, impossible to construct without a setup

assumption!

slide-7
SLIDE 7

Setup Assumptions

  • Common Reference String [Canetti-Lindell-

Ostrovsky-Sahai 02]

  • Physical Assumptions

– Hardware Tokens [Katz 07] – Physically Uncloneable Functions (PUFs)

Focus of this paper

slide-8
SLIDE 8

Hardware Tokens [Katz07]

  • A piece of hardware that can evaluate any function

(embedded inside it) on input queries.

  • Physical manifestation of ideal obfuscation?
  • Difference: Need the hardware object in hand to be able to

query and recover output.

Input x Output f(x)

Function f

slide-9
SLIDE 9

Types of Hardware Tokens

  • Stateless:

– Honest token does not have any memory across invocations.

  • Stateful:

– Token can maintain memory. – Harder to design such tokens. – Easier to design protocols using them.

Focus of this talk

Challenge: Adversarial tokens can be stateful!

slide-10
SLIDE 10

Motivating Scenario

Input: DNA Data x Encrypt (x) Encrypt f(x)

Decrypt and learn f(x) = list of relatives

Goal: Alice wants to publish an encryption of her private DNA data to an organization that can compute the set of relatives of a given DNA sample.

Security requirement: Alice’s private data and company’s data should be hidden.

Reusable message Input: DNA matching algorithm

slide-11
SLIDE 11

Non-interactive secure computation (NISC)

[IKOPS’11]

  • Formalizes the scenario in the previous slide.

Input: x Encrypt (x) Input: y Encrypt f(x, y) Decrypt and learn f(x, y)

Security requirement: as in standard two party computation

Reusable message for input x

slide-12
SLIDE 12

Prior work

  • [IKOPS11] : NISC in OT Hybrid model.
  • [AMPR14,MR17] : NISC in CRS model from OT + one

way functions.

  • [CJS14]: UC-secure NISC in Global Random Oracle

model from OT + one way functions.

  • [BGISW17]: NISC in plain model from sub-exponentially

secure OT + one way functions.

slide-13
SLIDE 13

Question

  • Can we achieve NISC from the minimal

assumption of One-Way Functions?

  • Further, can we achieve UC security?
slide-14
SLIDE 14

Our Result

  • UC-secure non-interactive secure computation

assuming one-way functions using a single stateless hardware token.

  • Optimal in terms of assumptions and

number of tokens.

  • Achieves UC security unlike all prior

work except CJS14.

slide-15
SLIDE 15

Our Results: Corollary

  • Two message UC-secure two party

computation where both parties receive

  • utput, assuming one way functions using a

single stateless hardware token.

slide-16
SLIDE 16

Techniques

slide-17
SLIDE 17

Token direction: Prior works

Receiver: input x Sender: input y

. . .

Issues in our setting:

1. Need a fresh token for each new interaction with a fixed reusable receiver message. 2. All prior works require atleast two rounds of interaction after sender token.

In all prior works, token sent by the sender.

slide-18
SLIDE 18

Solution: Token from Receiver

Receiver: input x Sender: input y

message

Reusable

x

slide-19
SLIDE 19

Main Challenge: Resetting Attacks

  • 1. How to prevent sender from resetting the token and trying

different inputs y?

  • 2. Need the receiver to authenticate the sender’s input to the

token before it processed by the token.

  • 3. But that will take at least 2 rounds!

Solution:

  • 1. We allow the sender to reset the token!
  • 2. However, token is carefully designed to perform only

“encrypted” computation that is later decrypted by the receiver.

  • 3. Hence, even on trying different inputs, sender doesn’t

learn anything meaningful from the token.

slide-20
SLIDE 20

Other Challenges

  • Selective abort attacks.
  • Subliminal channel information through

token.

  • Achieving straight line simulation to get UC

security.

  • Please refer to the paper for more

details! https://eprint.iacr.org/2018/1020

slide-21
SLIDE 21