On the Structure of Unconditional UC Hybrid Protocols Mike Rosulek - - PowerPoint PPT Presentation



slide-1
SLIDE 1

On the Structure of Unconditional UC Hybrid Protocols

Mike Rosulek (Oregon State University) and Morgan Shirley (University of Toronto)

slide-2
SLIDE 2

Problem Statement & Summary of Results

slide-3
SLIDE 3

Our Parameters

  • 2-Party functions
  • Finite and fixed truth tables
  • Symmetric
  • UC Security
  • Security with abort
  • Information theoretic

[Figure: parties A and B with inputs x and y and output f(x, y), beside an example truth table]

slide-5
SLIDE 5

2-Party SFEs with Information-Theoretic UC Security

Either:

slide-6
SLIDE 6

2-Party SFEs with Information-Theoretic UC Security

Either:

  • Trivial! [Figure: example truth table]

slide-7
SLIDE 7

2-Party SFEs with Information-Theoretic UC Security

Either:

  • Trivial! [Figure: example truth table]
  • Impossible! (literally everything interesting)

slide-8
SLIDE 8

2-Party SFEs with Information-Theoretic UC Security

Either:

  • Trivial! [Figure: example truth table]
  • Impossible! (literally everything interesting)

We'd like to differentiate functionalities on the right side

  • Canetti, Kushilevitz and Lindell, EUROCRYPT 2003
  • Prabhakaran and Rosulek, CRYPTO 2008

slide-9
SLIDE 9

Hybrid World

slide-10
SLIDE 10

Reductions

  • A way to define complexity
  • A function f reduces to a function g if there exists a g-hybrid protocol for f that has UC security

f ⊑ g

slide-11
SLIDE 11

Goal: completely classify when f and g reduce to each other

slide-12
SLIDE 12

Completeness

  • Complete g: every f reduces to g
  • Kilian [1] shows a necessary and sufficient condition for completeness

[1] In 23rd ACM STOC, 1991

[Figure: example truth table]

slide-13
SLIDE 13

2-Party SFEs with Information-Theoretic UC Security

  • Trivial! (reduces to everything) [Figure: example truth table]
  • Complete (everything reduces to it) [Figure: example truth table]

slide-14
SLIDE 14

2-Party SFEs with Information-Theoretic UC Security

  • Trivial! (reduces to everything) [Figure: example truth table]
  • Complete (everything reduces to it) [Figure: example truth table]
  • Neither

slide-15
SLIDE 15

2-Party SFEs with Information-Theoretic UC Security

  • Trivial! (reduces to everything) [Figure: example truth table]
  • Complete (everything reduces to it) [Figure: example truth table]
  • Neither [Figure: example truth table]

slide-16
SLIDE 16

2-Party SFEs with Information-Theoretic UC Security

  • Trivial! (reduces to everything) [Figure: example truth table]
  • Complete (everything reduces to it) [Figure: example truth table]
  • Neither [Figure: example truth table]

Some reductions studied between decomposable functions (e.g. Maji, Prabhakaran, Rosulek TCC 2009)

slide-17
SLIDE 17

2-Party SFEs with Information-Theoretic UC Security

  • Trivial! (reduces to everything) [Figure: example truth table]
  • Complete (everything reduces to it) [Figure: example truth table]
  • Neither [Figure: two example truth tables]

Some reductions studied between decomposable functions (e.g. Maji, Prabhakaran, Rosulek TCC 2009)

slide-18
SLIDE 18

2-Party SFEs with Information-Theoretic UC Security

  • Trivial! (reduces to everything) [Figure: example truth table]
  • Complete (everything reduces to it) [Figure: example truth table]
  • Neither [Figure: two example truth tables]

Some reductions studied between decomposable functions (e.g. Maji, Prabhakaran, Rosulek TCC 2009)

?

slide-19
SLIDE 19

Main Theorem (almost)

When f and g are incomplete, if f ⊑ g then:

– f ⊑ g via a single-round deterministic protocol

slide-20
SLIDE 20

Main Theorem (almost)

When f and g are incomplete, if f ⊑ g then:

– f ⊑ g via a single-round deterministic protocol*

*With a few edge cases

slide-21
SLIDE 21

Edge case: Unilateral functions

[Figure: example truth table of a unilateral function]

  • At least one row (or column) constant!
  • One party might know the output before the protocol begins

slide-22
SLIDE 22

Main Theorem (almost)

When f and g are incomplete, if f ⊑ g then:

– f ⊑ g via a single-round deterministic protocol

slide-23
SLIDE 23

Main Theorem (almost)

When f and g are incomplete and f is non-unilateral, if f ⊑ g then:

– f ⊑ g via a single-round deterministic protocol

slide-24
SLIDE 24

Number of rounds required in a g-hybrid protocol for f

Number of protocol rounds necessary (for incomplete and non-unilateral f and g)

1

...

slide-25
SLIDE 25

Number of rounds required in a g-hybrid protocol for f

Number of protocol rounds necessary (for incomplete and non-unilateral f and g)

1 ω(log κ)

...

slide-26
SLIDE 26

Main Theorem (almost)

When f and g are incomplete and f is non-unilateral, if f ⊑ g then:

– f ⊑ g via a single-round deterministic protocol

slide-27
SLIDE 27

Main Theorem

When f and g are incomplete and f is non-unilateral, if f ⊑ g via a (worst-case) log-round protocol:

– f ⊑ g via a single-round deterministic protocol

slide-28
SLIDE 28

Main Theorem

When f and g are incomplete and f is non-unilateral, the following are equivalent:

– f ⊑ g via a (worst-case) log-round protocol

– f ⊑ g via a single-round deterministic protocol

– f embeds in g

slide-29
SLIDE 29

Main Theorem

When f and g are incomplete and f is non-unilateral, the following are equivalent:

– f ⊑ g via a (worst-case) log-round protocol

– f ⊑ g via a single-round deterministic protocol

– f embeds in g

These edge cases are necessary

slide-30
SLIDE 30

Embedding

slide-31
SLIDE 31

What would a single-round reduction look like?

slide-32
SLIDE 32

What would a single-round reduction look like?

[Figure: parties A and B and calls to g]

slide-33
SLIDE 33

What would a single-round reduction look like?

[Figure: parties A and B and calls to g]

slide-35
SLIDE 35

Embedding: Correctness

  • Each party sends a g-input based on their f-input
  • The g-output maps back to an f-output
  • Intuitively: f appears as sub-matrix* in g

*Perhaps with some rearrangement and relabelling

[Figure: example truth tables of f and g]
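
An added example, not from the slides: a brute-force search for the correctness half of an embedding as listed on this slide, together with the unilateral test from slide 21. It assumes truth tables are lists of rows with Alice choosing the row and Bob the column; the function names and sample tables are constructed here, and the security conditions of the following slides are not checked.

```python
from itertools import product

def is_unilateral(table):
    """Slide 21: at least one row or one column of the truth table is constant."""
    lines = [tuple(r) for r in table] + list(zip(*table))
    return any(len(set(line)) == 1 for line in lines)

def find_correct_embedding(f, g):
    """Brute-force search for (a, b, out) with out[g[a[x]][b[y]]] == f[x][y].

    a maps Alice's f-inputs (rows) to g-rows, b maps Bob's f-inputs (columns)
    to g-columns, and out maps g-outputs back to f-outputs. Returns None if
    no such maps exist. Only correctness is checked, not security.
    """
    f_rows, f_cols = range(len(f)), range(len(f[0]))
    for a in product(range(len(g)), repeat=len(f)):
        for b in product(range(len(g[0])), repeat=len(f[0])):
            out = {}
            # Every g-output must decode to exactly one f-output.
            if all(out.setdefault(g[a[x]][b[y]], f[x][y]) == f[x][y]
                   for x, y in product(f_rows, f_cols)):
                return a, b, out
    return None

# Constructed sample tables (not taken from the slides).
XOR = [[0, 1],
       [1, 0]]
AND = [[0, 0],
       [0, 1]]
G = [[7, 8, 9],
     [4, 5, 6],
     [9, 8, 7]]

if __name__ == "__main__":
    print(is_unilateral(XOR), is_unilateral(AND))
    print(find_correct_embedding(XOR, G))    # maps exist
    print(find_correct_embedding(XOR, AND))  # no maps exist
```

On the constructed table G, any 2×2 block with four distinct outputs already satisfies correctness for XOR, so correctness by itself is a weak requirement.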

slide-36
SLIDE 36

Embedding: Security

  • g can't reveal too much information
  • There are no ambiguous g-inputs

[Figure: example truth tables]

slide-44
SLIDE 44

Embedding

  • Definition basically follows this intuition

– If there's an embedding, there's a single-round protocol

– If there's a single-round protocol, there's an embedding

slide-45
SLIDE 45

Main Theorem

When f and g are incomplete and f is non-unilateral, the following are equivalent:

– f ⊑ g via a (worst-case) log-round protocol

– f ⊑ g via a single-round deterministic protocol

– f embeds in g

slide-48
SLIDE 48

Collapse a protocol to a single round

slide-49
SLIDE 49

Frontiers

[Figure: diagram of calls to g]

slide-50
SLIDE 50

Frontiers

[Figure: diagram of calls to g, each marked ✗ or ✔]

Property: Alice's simulator has extracted

slide-52
SLIDE 52

Our Frontiers

  • FA-ext – Alice's simulator has extracted
  • FA-out – Alice thinks the output is fixed (regardless of Bob's input)
  • Similar frontiers defined for Bob

– FB-ext
– FB-out

slide-53
SLIDE 53

Idea: Give me any secure, correct protocol for f ⊑ g. I can say something about the frontiers.

slide-54
SLIDE 54

Frontiers

[Figure: diagram of calls to g with the frontiers FA-ext, FB-ext, FB-out and FA-out marked]

slide-56
SLIDE 56

Frontiers

[Figure: diagram of calls to g with the frontiers FA-ext, FB-ext, FB-out and FA-out marked]

BAD!

slide-59
SLIDE 59

Frontiers

[Figure: diagram of calls to g with the frontiers FA-ext, FB-ext, FB-out and FA-out marked]

BAD!

This is where we need f to be non-unilateral

slide-60
SLIDE 60

Cycle of Inequalities

  • FA-ext not before FB-out
  • FA-out not before FA-ext
  • FB-ext not before FA-out
  • FB-out not before FB-ext
  • So they all happen at the same time!
  • Must happen due to a call to g
slide-61
SLIDE 61

Instantaneous Property

[Figure: diagram of calls to g]

slide-62
SLIDE 62

Instantaneous Property

[Figure: diagram of calls to g]

Before: no information shared

After: output of f is known

Error (small)

slide-63
SLIDE 63

Instantaneous Property

[Figure: diagram of calls to g]

Before: no information shared

Error (small)

slide-64
SLIDE 64

Protocol Tree

  • Protocol has simulation error ε

[Figure: protocol tree of calls to g, depth O(log κ)]

slide-65
SLIDE 65

Protocol Tree

  • Simulation error = ???

[Figure: protocol tree of calls to g, depth O(log κ)]

slide-66
SLIDE 66

Protocol Tree

  • Simulation error = ???

[Figure: protocol tree of calls to g, depth O(log κ)]

If the simulation error is low enough (small constant), then this is a valid protocol!

slide-67
SLIDE 67

Protocol Tree

  • Protocol has simulation error ε

[Figure: protocol tree of calls to g, depth O(log κ)]

Error ≥ 1/c

slide-68
SLIDE 68

If all of these final-round calls are not valid single-round protocols, it must be very unlikely to get to the final round!

slide-69
SLIDE 69

Protocol Tree

  • Protocol has simulation error ε

[Figure: protocol tree of calls to g, depth O(log κ)]

Error ≥ 1/c

slide-70
SLIDE 70

Protocol Tree

  • Protocol has simulation error cε

[Figure: protocol tree of calls to g, depth O(log κ)]

slide-71
SLIDE 71

Protocol Tree

  • Protocol has simulation error c²ε

[Figure: protocol tree of calls to g, depth O(log κ)]

slide-72
SLIDE 72

Collapse to a single round

  • Either we found a single-round protocol, or we repeated O(log κ) times
  • Simulation error of the protocol truncating at the first round is c^{O(log κ)} ε = poly(κ) ε, which is negligible
  • So this single-round protocol is a valid protocol for f ⊑ g

slide-73
SLIDE 73

Main Theorem

When f and g are incomplete and f is non-unilateral, the following are equivalent:

– f ⊑ g via a (worst-case) log-round protocol

– f ⊑ g via a single-round deterministic protocol

– f embeds in g

slide-74
SLIDE 74

What would a protocol with ω(log κ) rounds look like?

slide-75
SLIDE 75

[Figure: truth tables of the counterexample]

  • The smallest counterexample we could find!
  • No embedding (so no single round protocol)
  • Expected number of rounds is constant (3)
  • To achieve negligible error, ω(log κ) rounds are required!
slide-76
SLIDE 76

Future Work: Fix the edge cases

  • Unilateral functions

– Conjecture: we only ever need to add 1 round

  • Super-logarithmic protocols

– Hard to construct examples

– A general characterization would be interesting

slide-77
SLIDE 77

Questions?