Round Optimal Secure Multiparty Computation from Minimal Assumptions - - PowerPoint PPT Presentation
Round Optimal Secure Multiparty Computation from Minimal Assumptions Arka Rai Choudhuri Michele Ciampi Vipul Goyal Johns Hopkins University The University of Edinburgh Carnegie Mellon University and NTT Research Abhishek Jain Rafail
Arka Rai Choudhuri
Johns Hopkins University
Michele Ciampi
The University of Edinburgh
Vipul Goyal
Carnegie Mellon University and NTT Research
1
TCC 2020 Abhishek Jain
Johns Hopkins University
Rafail Ostrovsky
University of California Los Angeles
[Yaoβ86, Goldreich-Micali-Wigdersonβ87]
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4
[Yaoβ86, Goldreich-Micali-Wigdersonβ87]
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§
[Yaoβ86, Goldreich-Micali-Wigdersonβ87]
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§
A round constitutes of every participant sending a message.
[Yaoβ86, Goldreich-Micali-Wigdersonβ87]
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§
A round constitutes of every participant sending a message. Goal: For efficiency, minimize rounds of interaction.
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§
Misbehaving participants should not learn anything beyond the output of the function.
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§
real world
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§
real world ideal world
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π¦1 π¦2 π¦3 π¦4 π
real world ideal world
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π
real world ideal world
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π
real world ideal world
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π
real world ideal world
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π
real world ideal world
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π
real world ideal world
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π
real world ideal world
Computational security.
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π
real world ideal world
Computational security. Malicious adversaries with dishonest majority.
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π
real world ideal world
Computational security. Malicious adversaries with dishonest majority. Black-box simulation.
π§ = π(π¦1, π¦2, π¦3, π¦4) π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π¦1 π¦2 π¦3 π¦4 π§ π§ π§ π§ π
real world ideal world
Computational security. Malicious adversaries with dishonest majority. Black-box simulation. No trusted setup.
9
21
21
[Yao86, Goldreich- Micali- Wigderson87]
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] constant round
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] [Katz-Ostrovsky- Smith03] constant round
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] [Katz-Ostrovsky- Smith03] [Katz-Ostrovsky04] 4 message impossible for 2PC constant round
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] [Katz-Ostrovsky- Smith03] [Katz-Ostrovsky04] 4 message impossible for 2PC constant round
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] [Katz-Ostrovsky- Smith03] [Katz-Ostrovsky04] 4 message impossible for 2PC constant round
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] [Katz-Ostrovsky- Smith03] [Katz-Ostrovsky04] 4 message impossible for 2PC constant round
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] [Katz-Ostrovsky- Smith03] [Katz-Ostrovsky04] 4 message impossible for 2PC constant round 5 message protocol for 2PC
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] [Katz-Ostrovsky- Smith03] [Katz-Ostrovsky04] [Pass04, Smith03, Pass04, Pass Wee10, Wee10, Goyal11] 4 message impossible for 2PC constant round 5 message protocol for 2PC
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] [Katz-Ostrovsky- Smith03] [Katz-Ostrovsky04] [Pass04, Smith03, Pass04, Pass Wee10, Wee10, Goyal11] [Garg-Mukherjee- Pandey- Polychroniadou16] 4 message impossible for 2PC constant round 5 message protocol for 2PC
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] [Katz-Ostrovsky- Smith03] [Katz-Ostrovsky04] [Pass04, Smith03, Pass04, Pass Wee10, Wee10, Goyal11] [Garg-Mukherjee- Pandey- Polychroniadou16] 4 message impossible for 2PC 3 round impossible for MPC constant round 5 message protocol for 2PC
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] [Katz-Ostrovsky- Smith03] [Katz-Ostrovsky04] [Pass04, Smith03, Pass04, Pass Wee10, Wee10, Goyal11] [Garg-Mukherjee- Pandey- Polychroniadou16] 4 message impossible for 2PC 3 round impossible for MPC 5 round protocol assuming iO constant round 5 message protocol for 2PC
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] [Katz-Ostrovsky- Smith03] [Katz-Ostrovsky04] [Pass04, Smith03, Pass04, Pass Wee10, Wee10, Goyal11] [Garg-Mukherjee- Pandey- Polychroniadou16] 4 message impossible for 2PC 3 round impossible for MPC 5 round protocol assuming iO [Ananth-C-Jain17, Brakerski-Halevi- Polychroniadou17] 4 round protocol subexponential assumptions constant round 5 message protocol for 2PC
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] [Katz-Ostrovsky- Smith03] [Katz-Ostrovsky04] [Pass04, Smith03, Pass04, Pass Wee10, Wee10, Goyal11] [Garg-Mukherjee- Pandey- Polychroniadou16] 4 message impossible for 2PC 3 round impossible for MPC 5 round protocol assuming iO [Ananth-C-Jain17, Brakerski-Halevi- Polychroniadou17] 4 round protocol subexponential assumptions [Badrinarayanan- Goyal-Jain-Kalai- Khurana-Sahai18, Halevi-Hazay- Polychroniadou- Venkitasubramaniam 18] 4 round protocol strong number theoretic assumptions constant round 5 message protocol for 2PC
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] [Katz-Ostrovsky- Smith03] [Katz-Ostrovsky04] [Pass04, Smith03, Pass04, Pass Wee10, Wee10, Goyal11] [Garg-Mukherjee- Pandey- Polychroniadou16] 4 message impossible for 2PC 3 round impossible for MPC 5 round protocol assuming iO [Ananth-C-Jain17, Brakerski-Halevi- Polychroniadou17] 4 round protocol subexponential assumptions [Badrinarayanan- Goyal-Jain-Kalai- Khurana-Sahai18, Halevi-Hazay- Polychroniadou- Venkitasubramaniam 18] 4 round protocol strong number theoretic assumptions [Kilian88] Oblivious Transfer (OT) necessary and sufficient for MPC constant round 5 message protocol for 2PC
21
[Yao86, Goldreich- Micali- Wigderson87] [Beaver-Micali- Rogaway90] [Katz-Ostrovsky- Smith03] [Katz-Ostrovsky04] [Pass04, Smith03, Pass04, Pass Wee10, Wee10, Goyal11] [Garg-Mukherjee- Pandey- Polychroniadou16] 4 message impossible for 2PC 3 round impossible for MPC 5 round protocol assuming iO [Ananth-C-Jain17, Brakerski-Halevi- Polychroniadou17] 4 round protocol subexponential assumptions [Badrinarayanan- Goyal-Jain-Kalai- Khurana-Sahai18, Halevi-Hazay- Polychroniadou- Venkitasubramaniam 18] 4 round protocol strong number theoretic assumptions [Kilian88] [Benhamouda-Lin18] Oblivious Transfer (OT) necessary and sufficient for MPC π-round OT β π- round MPC, π β₯ π constant round 5 message protocol for 2PC
11
Assuming 4 round oblivious transfer (OT), there exists a 4 round MPC protocol.
11
Assuming 4 round oblivious transfer (OT), there exists a 4 round MPC protocol.
OT: Indistinguishability security against malicious sender, and extraction of receiver bit.
OT protocols satisfying such properties are indeed known.
12
13
π
Any 4 round protocol computing a function π.
14
π
Rushing adversary
May decide not to send its message after it sees Bobβs message.
14
π
Rushing adversary
May decide not to send its message after it sees Bobβs message.
14
π
Rushing adversary
May decide not to send its message after it sees Bobβs message.
Only Alice learns the
15
identity
Rushing adversary
May decide not to send its message after it sees Bobβs message.
Bobβs input
16
identity
Rushing adversary
May decide not to send its message after it sees Bobβs message.
Bobβs input
16
identity
Donβt send fourth round message unless Alice proves honest behavior.
Rushing adversary
May decide not to send its message after it sees Bobβs message.
Donβt send fourth round message unless Alice proves honest behavior.
Bobβs input
17
identity
Typical approach: Alice convinces Bob of honest behavior via zero-knowledge proof before Bob sends his fourth round message.
Donβt send fourth round message unless Alice proves honest behavior.
Bobβs input
17
identity
Typical approach: Alice convinces Bob of honest behavior via zero-knowledge proof before Bob sends his fourth round message. Requires 3 round zero-knowledge proofs [Goldreich-Krawczykβ96]: Impossible with Black-box simulation.
Donβt send fourth round message unless Alice proves honest behavior.
Bobβs input
17
identity
Many other challenges, but for this talk, we focus on solving this challenge. Typical approach: Alice convinces Bob of honest behavior via zero-knowledge proof before Bob sends his fourth round message. Requires 3 round zero-knowledge proofs [Goldreich-Krawczykβ96]: Impossible with Black-box simulation.
18
19
20
message
message
20
message
message
20
witness + message
message
20
witness message + =
If witness satisfies specified condition.
message
message
20
witness message + =
If witness satisfies specified condition. [Gertner-Ishai-Kushilevitz-Malkin98, Aiello-Ishai-Reingold01]
message
21
π
22
π
22
βI behaved honestlyβ
π
22
βI behaved honestlyβ
How do we prove honest behavior?
π
23
input and randomness
π
23
input and randomness
Does this work with more than 2 parties?
π
24
25
input and randomness input and randomness
26
input and randomness input and randomness
27
everyone behaved honestly everyone behaved honestly
27
everyone behaved honestly everyone behaved honestly
Want a public witness at the end of the fourth round.
28
Want a public witness at the end of the fourth round.
ππ΅ ππΆ ππ΅ ππΆ ππ΅ ππΆ
29
ππ΅ ππΆ ππ΅ ππΆ ππ΅ ππΆ
We want to build a CDS based on OT. Only known non-interactive realization is Witness Encryption, which is known assuming Indistinguishability Obfuscation (iO).
30
Oblivious Transfer (OT)
30
Oblivious Transfer (OT) Garbled Circuit
30
Oblivious Transfer (OT) Garbled Circuit
31
Oblivious Transfer (OT) Garbled Circuit
32
receiver sender
π π¦0, π¦1 1-out-of-2 OT [Even-Goldreich-Lempelβ82]
Oblivious Transfer (OT) Garbled Circuit
32
receiver sender
π π¦0, π¦1 π¦π 1-out-of-2 OT [Even-Goldreich-Lempelβ82]
Oblivious Transfer (OT) Garbled Circuit
33
circuit input
Oblivious Transfer (OT) Garbled Circuit
33
circuit input input garble
Oblivious Transfer (OT) Garbled Circuit
34
circuit garble input input
35
Input: witness if witness satisfies condition,
receiver sender witness message
36
receiver sender witness message
37
receiver sender witness message
38
receiver sender witness message
39
receiver sender witness message
40
40
π1 π2 π3
β―
41
π1 π2 π3
β―
garbled circuit
41
π1 π2 π3
β―
garbled circuit
OT
41
π1 π2 π3
β―
garbled circuit
OT OT receiver input must be decided by the 3rd round
41
π1 π2 π3
β―
garbled circuit
Requires 3 round zero-knowledge proofs! OT OT receiver input must be decided by the 3rd round
42
π1 π2 π3
β―
garbled circuit
OT
Requires 3 round zero-knowledge proofs!
42
π1 π2 π3
β―
garbled circuit
OT
Requires 3 round zero-knowledge proofs!
message model.
42
π1 π2 π3
β―
garbled circuit
OT
Requires 3 round zero-knowledge proofs!
message model.
proof hidden until the fourth round of MPC.
Remains hidden if Bob aborts in the third round. Essentially repurposing a three round protocol to work in four rounds.
42
π1 π2 π3
β―
garbled circuit
OT
Requires 3 round zero-knowledge proofs!
message model.
proof hidden until the fourth round of MPC.
Remains hidden if Bob aborts in the third round. Essentially repurposing a three round protocol to work in four rounds.
Promise Zero-Knowledge [Badrinarayanan-Goyal-Jain-Kalai-Khurana-Sahai18]
Assuming OT, there exists a 3 round zero-knowledge protocol in the simultaneous message model secure against verifiers who do not abort.
43
π1 π2 π3
β―
OT
message model.
proof hidden until the fourth round of MPC.
Remains hidden if Bob aborts in the third round. Essentially repurposing a three round protocol to work in four rounds.
Promise Zero-Knowledge [Badrinarayanan-Goyal-Jain-Kalai-Khurana-Sahai18]
Assuming OT, there exists a 3 round zero-knowledge protocol in the simultaneous message model secure against verifiers who do not abort.
interactive
MCDS
Promise ZK
44
ππ΅ ππΆ ππ΅ ππΆ ππ΅ ππΆ
45
ππ΅ ππΆ interactive
MCDS
45
ππ΅ ππΆ interactive
MCDS Receive Carolβs fourth round message if Promise ZK proofs of Alice and Bob verify.
Nobody receives Carolβs message if even one party cheats.
Many moving components in the final protocol.
46
Many moving components in the final protocol. Non-malleability challenges in limited rounds.
46
Many moving components in the final protocol. Non-malleability challenges in limited rounds. Black-box simulation requires rewinding the adversary.
Eg: used to extract adversaryβs input. Primitives need to be secure in the presence of rewinds.
46
Many moving components in the final protocol. Non-malleability challenges in limited rounds. Black-box simulation requires rewinding the adversary.
Eg: used to extract adversaryβs input. Primitives need to be secure in the presence of rewinds.
46
[New!] Assuming regular OT, we construct an OT protocol that retains security guarantees in the presence of a bounded number of rewinds.
High level idea
47
48
challenger
Regular challenger-adversary game
49
challenger
π
π
π β [π + 1]
Bounded rewind challenger-adversary game
50
receiver sender
π π¦0, π¦1
Receiver input should be hidden from an adversarial sender that can rewind the receiver once.
51
receiver sender
π π¦0, π¦1
Run two parallel copies of the OT. The receiver picks a random OT in the third round to proceed.
52
receiver sender
π π¦0, π¦1
Run two parallel copies of the OT. The receiver picks a random OT in the third round to proceed.
52
receiver sender
π π¦0, π¦1
Run two parallel copies of the OT. The receiver picks a random OT in the third round to proceed.
52
receiver sender
π π¦0, π¦1
Run two parallel copies of the OT. The receiver picks a random OT in the third round to proceed.
53
receiver sender
π π¦0, π¦1
Challenger can use a different instance in the two executions (one rewind).
54
receiver sender
π π¦0, π¦1
Challenger can use a different instance in the two executions (one rewind).
Leads to biased transcripts!
Challengerβs choice in one execution determines the choice in the other.
55
receiver sender
π = π1 β π2 π¦0, π¦1
High level idea: secret share receiver input
55
receiver sender
π = π1 β π2 π¦0, π¦1
π1 High level idea: secret share receiver input
55
receiver sender
π = π1 β π2 π¦0, π¦1
π1 π2 High level idea: secret share receiver input
55
receiver sender
π = π1 β π2 π¦0, π¦1
π1 π2 In each execution, the challenger independently samples which instance to use for every index.
Secure if at least one index results in two different executions. Can be amplified.
High level idea: secret share receiver input
56
receiver sender
π = π1 β π2 π¦0, π¦1
π1 π2 In each execution, the challenger independently samples which instance to use for every index.
Secure if at least one index results in two different executions. Can be amplified. High level idea: details missing.
High level idea: secret share receiver input
57
Assuming 4 round oblivious transfer (OT), there exists a 4 round MPC protocol.
Arka Rai Choudhuri achoud@cs.jhu.edu
58
Assuming 4 round oblivious transfer (OT), there exists a 4 round MPC protocol.