The Exact Round Complexity of Secure Computation (PowerPoint presentation)


  1. The Exact Round Complexity of Secure Computation Antigoni Polychroniadou (Aarhus University) joint work with Sanjam Garg, Pratyay Mukherjee (UC Berkeley), Omkant Pandey (Drexel University)

  2. Background: Secure Multi-Party Computation. Parties P_1, …, P_4 hold inputs x_1, …, x_4 and run a protocol π to compute f(x_1, x_2, x_3, x_4) = (y_1, y_2, y_3, y_4), with party P_i receiving y_i. Goal: Correctness: everyone computes f(x_1, …, x_4). Security: nothing but the output is revealed. Adversary: PPT, malicious, static.

  3. Motivating Questions. Lower bounds on the round complexity of secure protocols. Construct round-optimal secure protocols.

  4. State of the Art: Information-Theoretic Setting. Communication complexity: O(n|C|). Round complexity: O(depth(C)).

  5. State of the Art: Information-Theoretic Setting. Communication complexity: Ω(n|C|) [DNPR16]. Round complexity: Ω(depth(C)) [DNPR16]. A novel approach must be found to construct O(1)-round protocols (that beat the complexities of BGW, CCD, GMW, SPDZ, etc.).

  6. State of the Art: Computational Setting. Communication complexity (2PC and MPC): << |C|, via FHE.

  7. State of the Art: Computational Setting. Round complexity: 2PC: 5 rounds [KO04, ORS15]; MPC: O(1)*. No CRS, no preprocessing. *[BMR90, KOS03, Pas04, DI05, DI06, PPV08, IPS08, Wee10, Goy11, LP11, GLOV12]

  8. State of the Art: Computational Setting. Round complexity: 2PC: 5 rounds [KO04, ORS15]; MPC: O(1). What is the exact round complexity of secure MPC?

  9. Standard Communication Model for MPC Simultaneous Message Exchange Channel

  13. Communication Model for 2PC: Non-Simultaneous Message Exchange Channel. There are mutual dependencies between the two messages.

  14. State of the Art: Computational Setting. Round complexity: 2PC: 5 rounds [KO04]; MPC: O(1). What is the exact round complexity of secure MPC? How many simultaneous message exchange rounds are necessary for 2PC?

  15. Our Results. Round complexity: 2PC: 5 rounds [KO04]; MPC: O(1). (3-round Impossibility): There does not exist a 3-round protocol for the two-party coin-flipping functionality.

  16. Our Results. Round complexity, given a k-round NMCOM: 2PC: max(4, k+1); MPC: O(1). Suppose that there exists a k-round NMCOM scheme; then (2PC): there exists a max(4, k+1)-round protocol for securely realizing every two-party functionality. The use of NMCOM is not a coincidence [LPV09, Goy11, LP11, LPTV10, GLOV12].

  17. Our Results. Round complexity, given a k-round NMCOM: 2PC: max(4, k+1); MCF* (multi-party coin flipping): max(4, k+1). Suppose that there exists a k-round NMCOM scheme; then (2PC): there exists a max(4, k+1)-round protocol for securely realizing every two-party functionality; (MPC): there exists a max(4, k+1)-round protocol for securely realizing the multi-party coin-flipping functionality.

  18. Our Results. Round complexity, given a k-round NMCOM: 2PC: max(4, k+1); MCF*: max(4, k+1). Suppose that there exists a k-round NMCOM scheme; then (2PC): there exists a max(4, k+1)-round protocol for securely realizing every two-party functionality; (MPC): there exists a max(4, k+1)-round protocol for securely realizing the multi-party coin-flipping functionality. Four rounds are both necessary and sufficient for both results, based on 3-round NMCOMs [PPV08, GPR16, COSV16].

  19. Outline 1. Lower bound on the two-party coin-flipping. 2. 4-round 2PC protocol.

  20. Our Results. Theorem 1. There does not exist a 3-round protocol for the two-party coin-flipping functionality (i) for tossing ω(log λ) coins, (ii) with a black-box simulation, (iii) in the simultaneous message exchange model, where λ is the security parameter.

  21. Proof (sketch). Suppose that there exists a protocol which realizes simulatable coin-flipping in 3 rounds, with P_1 and P_2 each sending m_1, m_2, m_3 over the simultaneous channel. Rescheduled: the messages of the three simultaneous rounds are rescheduled into a non-simultaneous message exchange, which contradicts the result of [KO04].

  25. Our Results. Theorem 2. There does not exist a 4-round protocol for the two-party coin-flipping functionality (i) for tossing ω(log λ) coins, (ii) with a black-box simulation, (iii) in the simultaneous message exchange model, (iv) with at least one unidirectional round.

  27. Our Approach for 2PC. Starting point: the Katz-Ostrovsky (KO) protocol [KO04], which is a 4-round protocol for only one-sided functionalities and 5-round for two-sided functionalities. Is it still 5 rounds with simultaneous transmission? (Figure: the 5-round [KO04] protocol.)

  28. Our Approach for 2PC. Starting point: the Katz-Ostrovsky (KO) protocol [KO04], which is a 4-round protocol for only one-sided functionalities and 5-round for two-sided functionalities. Is it still 5 rounds with simultaneous transmission? 4-round attempt: such a 4-round protocol fails due to Theorem 2.

  29. Our Approach for 2PC. Must use the simultaneous message exchange channel in each round: run two executions of a 4-round protocol (in which only one party learns the output) in “opposite” directions. This fails due to malleability and input-consistency issues.

  30. Our Approach for 2PC. Simultaneous executions + 3-round NMCOM … ⇒ 4-round 2PC.

  31. max(4, k+1)-round 2PC protocols. Theorem 3. TDP + k-round (parallel) NMCOM ⇒ max(4, k+1)-round 2PC protocol (i) with black-box simulation, (ii) in the presence of a malicious adversary, (iii) in the simultaneous message exchange model.

  32. Tools for our 2PC Protocol: equivocal COM; 3-round parallel NMCOM; garbled circuits; semi-honest OT; input-delayed ZK argument*; input-delayed WIPOK ⇒ 4-round 2PC protocol.

  34. Garbled Circuit Construction [Yao80]. A Boolean circuit C on input bits x_1, …, x_4 is compiled into a garbled circuit GC. Each input wire i is assigned a pair of λ-bit keys (Z_{i,0}, Z_{i,1}).

  35. Garbled Circuit Construction [Yao80]. The evaluator receives GC, exactly one key Z_{i,x_i} per input wire, and a decoder that maps the output-wire key to the output bit; the unused key of each pair stays hidden.

  36. Semi-Honest Secure 2PC.

  38. 3-round SH 2PC: messages (S_1, S_2, S_3).
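The garbling step of slides 34–35 and the semi-honest two-party evaluation behind slide 38, as an added illustration in Python (this is not code from the talk or the paper): a constructed circuit for f(x_1, x_2, x_3, x_4) = (x_1 ∧ x_2) ⊕ (x_3 ∨ x_4), two λ-bit keys per wire, one encrypted row per truth-table entry, a decoder for the output wire, and an evaluator that holds a single key per input wire. Assumptions made here: SHA-256 over the two active keys and the gate id serves as the row PRF, a zero block appended to the plaintext lets the evaluator recognise the row it can open, and the evaluator's own input keys are handed over directly where the real protocol delivers them by oblivious transfer.

```python
"""Yao-style garbling of a small Boolean circuit. Added example, not the
talk's code. Wire keys are the pairs (Z_{i,0}, Z_{i,1}) of the slides."""
import hashlib
import operator
import os
import random
from typing import Callable, Dict, List, Tuple

LAMBDA = 16  # key length in bytes (lambda = 128 bits)
Gate = Tuple[Callable[[int, int], int], int, int, int]  # (op, in_a, in_b, out)


def _pad(k_a: bytes, k_b: bytes, gate_id: int) -> bytes:
    """Row encryption pad derived from the two active wire keys.
    Assumption: SHA-256 stands in for the PRF keyed by (k_a, k_b)."""
    return hashlib.sha256(k_a + k_b + gate_id.to_bytes(4, "big")).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def garble(circuit: List[Gate], output_wire: int):
    """Garbler side. Returns (tables, decoder, keys): keys[w] = (Z_{w,0}, Z_{w,1})
    for every wire w, tables[g] = four shuffled ciphertexts of gate g."""
    keys: Dict[int, Tuple[bytes, bytes]] = {}

    def wire_keys(w: int) -> Tuple[bytes, bytes]:
        if w not in keys:
            keys[w] = (os.urandom(LAMBDA), os.urandom(LAMBDA))
        return keys[w]

    tables: List[List[bytes]] = []
    for gate_id, (op, a, b, out) in enumerate(circuit):
        k_a, k_b, k_out = wire_keys(a), wire_keys(b), wire_keys(out)
        rows = []
        for x in (0, 1):
            for y in (0, 1):
                # Encrypt the output key for op(x, y) followed by a zero block;
                # the zero block is the tag the evaluator checks after decrypting.
                plaintext = k_out[op(x, y)] + bytes(LAMBDA)
                rows.append(_xor(_pad(k_a[x], k_b[y], gate_id), plaintext))
        random.SystemRandom().shuffle(rows)  # hide which row encodes which (x, y)
        tables.append(rows)
    decoder = {keys[output_wire][0]: 0, keys[output_wire][1]: 1}
    return tables, decoder, keys


def evaluate(circuit: List[Gate], tables, decoder, active: Dict[int, bytes],
             output_wire: int) -> int:
    """Evaluator side: one key per input wire in, one key per internal wire
    learned, no input bit visible; only the decoder reveals the output bit."""
    active = dict(active)
    for gate_id, (_op, a, b, out) in enumerate(circuit):
        pad = _pad(active[a], active[b], gate_id)
        for row in tables[gate_id]:
            pt = _xor(pad, row)
            if pt[LAMBDA:] == bytes(LAMBDA):  # zero tag: this is the openable row
                active[out] = pt[:LAMBDA]
                break
        else:
            raise ValueError(f"gate {gate_id}: no row decrypted (corrupted table)")
    return decoder[active[output_wire]]


# Constructed circuit: f(x1, x2, x3, x4) = (x1 AND x2) XOR (x3 OR x4).
# Wires 1-4 are inputs, 5 and 6 internal, 7 the output.
CIRCUIT: List[Gate] = [(operator.and_, 1, 2, 5), (operator.or_, 3, 4, 6),
                       (operator.xor, 5, 6, 7)]
OUTPUT_WIRE = 7


def plain_f(x1: int, x2: int, x3: int, x4: int) -> int:
    return (x1 & x2) ^ (x3 | x4)


def two_party_eval(x_garbler: Tuple[int, int], x_evaluator: Tuple[int, int]) -> int:
    """Semi-honest flow: the garbler holds (x1, x2), sends GC plus the keys for
    its own bits; the evaluator's keys for (x3, x4) would arrive via OT.
    Assumption for this demo: the OT is replaced by handing the keys over."""
    tables, decoder, keys = garble(CIRCUIT, OUTPUT_WIRE)
    active = {1: keys[1][x_garbler[0]], 2: keys[2][x_garbler[1]],
              3: keys[3][x_evaluator[0]], 4: keys[4][x_evaluator[1]]}
    return evaluate(CIRCUIT, tables, decoder, active, OUTPUT_WIRE)
```

Handing the evaluator its keys directly is what makes this semi-honest only: a malicious garbler could hand over keys that do not match the table, and a malicious evaluator learns nothing more than it would through OT here, but the consistency and non-malleability checks of the 4-round protocol are exactly what the direct hand-over omits.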

  39. Our 2PC Protocol

  41. Our 2PC Protocol. Building blocks: 3-round SH 2PC with messages (S_1, S_2, S_3); 3-round NMCOM with messages (nm_1, nm_2, nm_3); 3-round Π_WIPOK with messages (p_1, p_2, p_3); 4-round Π_FS with messages (fs_1, fs_2, fs_3, fs_4).

  42. Our 2PC Protocol. (Figure: the four rounds interleave the messages fs_1 … fs_4 of Π_FS, p_1 … p_3 of Π_WIPOK, nm_1 … nm_3 of the NMCOM and the semi-honest messages S_1, S'_2, commitments to the wire keys Z and randomness r' and to GC, with GC itself sent in the last round.)

  44. Proof Systems. 3-round Π_WIPOK: public-coin witness-indistinguishable proof of knowledge [FLS99] for NP (st_1 ∧ st_2). 4-round Π_FS: zero-knowledge argument of knowledge [FS90] for NP (thm), based on NMCOM and Π_WIPOK. 1st Π_WIPOK: V sets t_1 = f(w_1), t_2 = f(w_2) and proves knowledge of a w for t_1 ∨ t_2. 2nd Π_WIPOK: P proves knowledge of a witness to thm ∨ (t_1 ∨ t_2).

  45. Proof Systems. 3-round Π_WIPOK: public-coin witness-indistinguishable proof of knowledge [FLS99] for NP (st_1 ∧ st_2). 4-round Π_FS: zero-knowledge argument of knowledge [FS90] for NP (thm), based on NMCOM and Π_WIPOK. 1st Π_WIPOK, crucial change: V sets t_1 = nm_{σ_1}, t_2 = nm_{σ_2} (non-malleable commitments in place of one-way-function images) and proves knowledge of a w for t_1 ∨ t_2. 2nd Π_WIPOK: P proves knowledge of a witness to thm ∨ (t_1 ∨ t_2).

  46. Proof Systems. 3-round Π_WIPOK: public-coin witness-indistinguishable proof of knowledge [FLS99] for NP (st_1 ∧ st_2). 4-round Π_FS: zero-knowledge argument of knowledge [FS90] for NP (thm ∧ thm'), based on NMCOM and Π_WIPOK. 1st Π_WIPOK: V sets t_1 = nm_{σ_1}, t_2 = nm_{σ_2} and proves knowledge of a w for t_1 ∨ t_2. 2nd Π_WIPOK: P proves knowledge of a witness to thm ∨ (t_1 ∨ t_2). Input-delayed proof systems.
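The Feige-Shamir trapdoor structure of slides 44–46, as an added worked example in Python (not the paper's protocol and not code from the talk): Schnorr-style Sigma OR-proofs stand in for Π_WIPOK, the verifier's trapdoors are one-way-function images t_i = g^{w_i} as on slide 44 (the NMCOM substitution of slide 45 is not modelled), and the group is a toy Schnorr group with p = 1019, q = 509, g = 4, chosen so the numbers are readable and not for security. honest_prover_run proves thm ∨ t_1 ∨ t_2 with a genuine witness for thm; simulator_run has no witness for thm, rewinds the verifier's own proof to a second challenge, extracts a trapdoor by special soundness, and still produces an accepting argument, which is exactly the lever the zero-knowledge simulator relies on.

```python
"""Feige-Shamir-style trapdoor argument from Schnorr OR-proofs.
Added illustration with toy parameters; not the talk's or paper's code."""
import secrets
from typing import Dict, List, Tuple

# Toy Schnorr group: P = 2Q + 1 is a safe prime and G = 4 generates the
# subgroup of prime order Q. Assumption: illustration only, far too small.
P, Q, G = 1019, 509, 4


def keygen() -> Tuple[int, int]:
    """Witness w and statement y = G^w mod P (the image t = f(w) of slide 44)."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)


def or_commit(statements: List[int], known: int, witness: int):
    """First message of a Sigma OR-proof (Cramer-Damgard-Schoenmakers): a real
    Schnorr commitment on the known branch, simulated (c_i, z_i) elsewhere."""
    state: Dict = {"n": len(statements), "real": known, "w": witness, "fake": {}}
    commitments = []
    for i, y in enumerate(statements):
        if i == known:
            state["r"] = secrets.randbelow(Q)
            commitments.append(pow(G, state["r"], P))
        else:
            c_i, z_i = secrets.randbelow(Q), secrets.randbelow(Q)
            state["fake"][i] = (c_i, z_i)
            # a_i = G^z_i * y_i^(-c_i): the check equation holds by construction
            commitments.append(pow(G, z_i, P) * pow(y, (Q - c_i) % Q, P) % P)
    return commitments, state


def or_respond(state: Dict, c: int):
    """Fake branches keep their preset challenges; the real branch absorbs the
    remainder of c and answers with a genuine Schnorr response."""
    cs, zs = [0] * state["n"], [0] * state["n"]
    c_real = c % Q
    for i, (c_i, z_i) in state["fake"].items():
        cs[i], zs[i] = c_i, z_i
        c_real = (c_real - c_i) % Q
    b = state["real"]
    cs[b] = c_real
    zs[b] = (state["r"] + c_real * state["w"]) % Q
    return cs, zs


def or_verify(statements, commitments, c, cs, zs) -> bool:
    if sum(cs) % Q != c % Q:
        return False
    return all(pow(G, z, P) == a * pow(y, c_i, P) % P
               for y, a, c_i, z in zip(statements, commitments, cs, zs))


def extract(statements, cs1, zs1, cs2, zs2) -> Tuple[int, int]:
    """Special soundness: two accepting transcripts on the same commitments
    with different challenges give a witness for some branch."""
    for i, y in enumerate(statements):
        if cs1[i] != cs2[i]:
            d = (cs1[i] - cs2[i]) % Q
            w = (zs1[i] - zs2[i]) * pow(d, -1, Q) % Q
            if pow(G, w, P) == y:
                return i, w
    raise ValueError("transcripts do not fork on a usable branch")


def verifier_trapdoors():
    """V picks w_1, w_2, publishes t_1, t_2 and opens its WIPOK of a w for t_1 OR t_2."""
    w1, t1 = keygen()
    _w2, t2 = keygen()
    commitments, state = or_commit([t1, t2], 0, w1)
    return [t1, t2], commitments, state


def honest_prover_run() -> bool:
    """P knows w with thm: y = G^w and proves thm OR t_1 OR t_2 through thm."""
    w, y = keygen()
    traps, a_v, st_v = verifier_trapdoors()
    c_v = secrets.randbelow(Q)                      # P challenges V's WIPOK
    cs_v, zs_v = or_respond(st_v, c_v)
    if not or_verify(traps, a_v, c_v, cs_v, zs_v):
        return False
    stmts = [y] + traps
    a_p, st_p = or_commit(stmts, 0, w)              # real branch: thm
    c_p = secrets.randbelow(Q)                      # V challenges P
    cs_p, zs_p = or_respond(st_p, c_p)
    return or_verify(stmts, a_p, c_p, cs_p, zs_p)


def simulator_run() -> bool:
    """No witness for thm: rewind V's WIPOK to a second challenge, extract a
    trapdoor w_i, and prove the OR through branch t_i instead."""
    _w, y = keygen()                                # simulator only sees y
    traps, a_v, st_v = verifier_trapdoors()
    c1 = secrets.randbelow(Q)
    cs1, zs1 = or_respond(st_v, c1)
    c2 = (c1 + 1) % Q                               # rewind: same a_v, new challenge
    cs2, zs2 = or_respond(st_v, c2)
    i, w_t = extract(traps, cs1, zs1, cs2, zs2)
    stmts = [y] + traps
    a_p, st_p = or_commit(stmts, i + 1, w_t)        # real branch: trapdoor t_i
    c_p = secrets.randbelow(Q)
    cs_p, zs_p = or_respond(st_p, c_p)
    return or_verify(stmts, a_p, c_p, cs_p, zs_p)
```

The rewind in simulator_run is the black-box simulation the theorems assume, and the extraction step is why a man-in-the-middle that could maul t_1, t_2 into related commitments would break the argument: that is the malleability problem slide 45 addresses by drawing the t_i from a non-malleable commitment.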

  47. Our 2PC Protocol: Simulation Soundness. (Same figure as slide 42: the interleaved messages fs_1 … fs_4, p_1 … p_3, nm_1 … nm_3, S_1, S'_2, the commitments to Z, r' and GC, and GC.)

  48. Tools for our Coin-Flipping Protocol: equivocal COM; 3-round parallel NMCOM; input-delayed ZK argument*; extractable COM ⇒ 4-round 2PC protocol.

  49. Conclusion. Round complexity: 2PC: 5 rounds [KO04]; MPC: O(1). (3-round Impossibility): There does not exist a 3-round protocol for the two-party coin-flipping functionality.
