to securely compute f
play

to securely compute f ? Mike Rosulek | | CRYPTO 2012 . B : B X is an - PowerPoint PPT Presentation

Dec 27, 2022 •95 likes •742 views

Q: Must you know the code of f to securely compute f ? Mike Rosulek | | CRYPTO 2012 . B : B X is an algorithm for Y Black-box: Non-black-box: Algorithm for Y depends on code of algorithm for X . Pervasive question since [ImpagliazzoRudich89] : .

  1. Q: Must you know the code of f to securely compute f ? Mike Rosulek | | CRYPTO 2012 .

  2. B : B X is an algorithm for Y Black-box: Non-black-box: Algorithm for Y depends on code of algorithm for X . Pervasive question since [ImpagliazzoRudich89] : . . . When do black-box constructions exist? . . . . . Black-box constructions tend to be more practical (efficient & modular). black-box reductions . Reduction . . . X has an algorithm ⇒ Y has an algorithm . . . . . .

  3. . Pervasive question since [ImpagliazzoRudich89] : . . . When do black-box constructions exist? . . . . . Black-box constructions tend to be more practical (efficient & modular). black-box reductions . Reduction . . . X has an algorithm ⇒ Y has an algorithm Black-box: ∃ B : B X is an algorithm for Y Non-black-box: Algorithm for Y depends on code of algorithm for X . . . . . .

  4. Black-box constructions tend to be more practical (efficient & modular). black-box reductions . Reduction . . . X has an algorithm ⇒ Y has an algorithm Black-box: ∃ B : B X is an algorithm for Y Non-black-box: Algorithm for Y depends on code of algorithm for X . . . . . . Pervasive question since [ImpagliazzoRudich89] : . . . When do black-box constructions exist? . . . . . .

  5. black-box reductions . Reduction . . . X has an algorithm ⇒ Y has an algorithm Black-box: ∃ B : B X is an algorithm for Y Non-black-box: Algorithm for Y depends on code of algorithm for X . . . . . . Pervasive question since [ImpagliazzoRudich89] : . . . When do black-box constructions exist? . . . . . Black-box constructions tend to be more practical (efficient & modular). .

  6. secure computation. . . Several parties wish to carry out an agreed-upon computation. ◮ Parties have individual inputs / output ◮ Security guarantees: ◮ Privacy (learn no more than your prescribed output) ◮ Input independence ◮ Output consistency, etc.. ◮ Parties are mutually distrusting, some possibly malicious .

  7. . BB . BB ? . trapdoor function . . secure protocol for evaluating f f . Protocol can be black-box in its usage of underlying primitives! [Ishai+06, LindellPinkas07, Haitner08, IshaiPrabhakaranSahai08, Choi+09, PassWee09, ..] What about usage of f? Typical approach (since [Yao86,GMW87] ): Express f as a circuit, and evaluate it gate-by-gate — non-black-box! black-box secure computation . Typical theorem statement: . . . If trapdoor functions exist, then for every f , there is a secure (in some model) protocol for evaluating f . . . . . . .

  8. BB . . BB ? Protocol can be black-box in its usage of underlying primitives! [Ishai+06, LindellPinkas07, Haitner08, IshaiPrabhakaranSahai08, Choi+09, PassWee09, ..] What about usage of f? Typical approach (since [Yao86,GMW87] ): Express f as a circuit, and evaluate it gate-by-gate — non-black-box! black-box secure computation . Typical theorem statement: . . . If trapdoor functions exist, then for every f , there is a secure (in some model) protocol for evaluating f . . . . . . . trapdoor function . . secure protocol for evaluating f f . .

  9. BB ? . What about usage of f? Typical approach (since [Yao86,GMW87] ): Express f as a circuit, and evaluate it gate-by-gate — non-black-box! black-box secure computation . Typical theorem statement: . . . If trapdoor functions exist, then for every f , there is a secure (in some model) protocol for evaluating f . . . . . . . . BB � trapdoor function . . secure protocol for evaluating f f . Protocol can be black-box in its usage of underlying primitives! ◮ [Ishai+06, LindellPinkas07, Haitner08, IshaiPrabhakaranSahai08, Choi+09, PassWee09, ..] .

  10. black-box secure computation . Typical theorem statement: . . . If trapdoor functions exist, then for every f , there is a secure (in some model) protocol for evaluating f . . . . . . . . BB � trapdoor function . . secure protocol for evaluating f f . . BB ? Protocol can be black-box in its usage of underlying primitives! ◮ [Ishai+06, LindellPinkas07, Haitner08, IshaiPrabhakaranSahai08, Choi+09, PassWee09, ..] What about usage of f? Typical approach (since [Yao86,GMW87] ): ◮ Express f as a circuit, and evaluate it gate-by-gate — non-black-box! .

  11. the model .

  12. If protocol uses trusted setup, then same setup for all f ! FBB secure evaluation of is trivial if: (protocol could “know” code of f ) is exactly learnable via oracle queries (learn code of f , then proceed in non-black-box way) the model (2-party SFE) Let C be a class of 2-input functions. . Definition . . . Functionality-black-box (FBB) secure evaluation of C means: ◮ ∃ oracle machines π A , π B : ◮ ∀ f ∈ C : ◮ π f A ( x ) ⇄ π f B ( y ) is a secure protocol for evaluating f ( x , y ) . . . . . .

  13. FBB secure evaluation of is trivial if: (protocol could “know” code of f ) is exactly learnable via oracle queries (learn code of f , then proceed in non-black-box way) the model (2-party SFE) Let C be a class of 2-input functions. . Definition . . . Functionality-black-box (FBB) secure evaluation of C means: ◮ ∃ oracle machines π A , π B : ◮ ∀ f ∈ C : ◮ π f A ( x ) ⇄ π f B ( y ) is a secure protocol for evaluating f ( x , y ) If protocol uses trusted setup, then same setup for all f ∈ C ! . . . . . .

  14. the model (2-party SFE) Let C be a class of 2-input functions. . Definition . . . Functionality-black-box (FBB) secure evaluation of C means: ◮ ∃ oracle machines π A , π B : ◮ ∀ f ∈ C : ◮ π f A ( x ) ⇄ π f B ( y ) is a secure protocol for evaluating f ( x , y ) If protocol uses trusted setup, then same setup for all f ∈ C ! . . . . . FBB secure evaluation of C is trivial if: ◮ |C| = 1 (protocol could “know” code of f ) ◮ C is exactly learnable via oracle queries (learn code of f , then proceed in non-black-box way) .

  15. autoreducibility .

  16. . Basic Definition . . . L is autoreducible if there exists efficient M : 1. M L x L x 2. M doesn’t simply query its oracle on x . . . . . autoreducibility How much “structure” does a set/function L have? .

  17. autoreducibility How much “structure” does a set/function L have? . Basic Definition . . . L is autoreducible if there exists efficient M : 1. M L ( x ) = L ( x ) 2. M doesn’t simply query its oracle on x . . . . . .

  18. dlog g x : // find d such that g d x ord g . 1. Choose a n , where n g a 2. Output: dlog g x a (mod n) . “Instance-hiding” autoreducible [BeaverFeigenbaum90] . . . Oracle queries of M L x distributed independent of x . . . . . . autoreducibility examples Discrete log problem in � g � is autoreducible: .

  19. . “Instance-hiding” autoreducible [BeaverFeigenbaum90] . . . Oracle queries of M L x distributed independent of x . . . . . . autoreducibility examples Discrete log problem in � g � is autoreducible: dlog g ( x ) : // find d such that g d = x 1. Choose a ← Z n , where n = ord ( g ) . 2. Output: dlog g ( x · g a ) − a (mod n) .

  20. . “Instance-hiding” autoreducible [BeaverFeigenbaum90] . . . Oracle queries of M L x distributed independent of x . . . . . . autoreducibility examples Discrete log problem in � g � is autoreducible: dlog g ( x ) : // find d such that g d = x 1. Choose a ← Z n , where n = ord ( g ) . 2. Output: dlog g ( x · g a ) − a (mod n) .

  21. autoreducibility examples Discrete log problem in � g � is instance-hiding autoreducible: dlog g ( x ) : // find d such that g d = x 1. Choose a ← Z n , where n = ord ( g ) . 2. Output: dlog g ( x · g a ) − a (mod n) . “Instance-hiding” autoreducible [BeaverFeigenbaum90] . . . Oracle queries of M L ( x ) distributed independent of x . . . . . . .

  22. semi-honest adversaries .

  23. 2. M ’s queries to left oracle “don’t depend on” y 3. M ’s queries to right oracle “don’t depend on” x Discussion: Same M must work for every f . Distinction between x and y . . Theorem . . . FBB secure computation of is possible in ot -hybrid (against semi-honest adversaries) if and only if is 2-hiding autoreducible . . . . . characterization . Definition . . . A class C is 2-hiding autoreducible if there exists efficient M : 1. M f , f ( x , y ) = f ( x , y ) , for all f ∈ C . . . . . .

  24. Discussion: Same M must work for every f . Distinction between x and y . . Theorem . . . FBB secure computation of is possible in ot -hybrid (against semi-honest adversaries) if and only if is 2-hiding autoreducible . . . . . characterization . Definition . . . A class C is 2-hiding autoreducible if there exists efficient M : 1. M f , f ( x , y ) = f ( x , y ) , for all f ∈ C 2. M ’s queries to left oracle “don’t depend on” y 3. M ’s queries to right oracle “don’t depend on” x . . . . . .

  25. . Theorem . . . FBB secure computation of is possible in ot -hybrid (against semi-honest adversaries) if and only if is 2-hiding autoreducible . . . . . characterization . Definition . . . A class C is 2-hiding autoreducible if there exists efficient M : 1. M f , f ( x , y ) = f ( x , y ) , for all f ∈ C 2. M ’s queries to left oracle “don’t depend on” y 3. M ’s queries to right oracle “don’t depend on” x . . . . . Discussion: ◮ Same M must work for every f ∈ C . ◮ Distinction between x and y . .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Generic Architecture Architecture Generic for Securely Securely Managing Managing for

Generic Architecture Architecture Generic for Securely Securely Managing Managing for

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services Generic Architecture Architecture Generic for Securely Securely Managing Managing for Employability & Healthcare Employability &

161 views • 14 slides
Generic Architecture Architecture Generic to Securely Securely Manage Manage to

Generic Architecture Architecture Generic to Securely Securely Manage Manage to

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services Generic Architecture Architecture Generic to Securely Securely Manage Manage to Employability, Healthcare & Employability, Healthcare

813 views • 16 slides
Disaster Preparedness Checklist General Preparedness Secure your roof: - Ensure roof is securely

Disaster Preparedness Checklist General Preparedness Secure your roof: - Ensure roof is securely

Disaster Preparedness Checklist General Preparedness Secure your roof: - Ensure roof is securely fixed to walls - Ensure that galvanized sheets are in good order & securely fastened - Seal spaces between roof & supports Secure windows

178 views • 3 slides
1 1 easy to compute , 1 easy to compute 2

1 1 easy to compute , 1 easy to compute 2

1 1 easy to compute , 1 easy to compute 2 easy to compute 2 easy to compute 2 unbiased biased estimator 3

609 views • 15 slides
Alice and Bob want to communicate securely Achieve confidentiality and

Alice and Bob want to communicate securely Achieve confidentiality and

Alice and Bob want to communicate securely Achieve confidentiality and integrity/authenticity Both know each others public key Example: A->B: E Bob (M), S Alice (M) Works, but expensive Recall hybrid encryption

488 views • 16 slides
Firecracker How to Securely Run Thousands of Workloads on a Single Host What is Firecracker? -

Firecracker How to Securely Run Thousands of Workloads on a Single Host What is Firecracker? -

Firecracker How to Securely Run Thousands of Workloads on a Single Host What is Firecracker? - Open Source Project - Virtual Machine Monitor (VMM) - Runs on top of KVM - Security and isolation of VMs - Speed and density of container - Low

697 views • 30 slides
Multi Party secure communication C D A B E F N parties want to communicate securely with

Multi Party secure communication C D A B E F N parties want to communicate securely with

1 Key Establishment Chester Rebeiro IIT Madras 2 Multi Party secure communication C D A B E F N parties want to communicate securely with each other (N=6 in this figure) If U sends a message to V (U V and U,V {a,b,c,d,e,f})

721 views • 55 slides
MULTI-GPU PROGRAMMING MODELS Jiri Kraus, Senior Devtech Compute Jan Stephan, Intern Devtech

MULTI-GPU PROGRAMMING MODELS Jiri Kraus, Senior Devtech Compute Jan Stephan, Intern Devtech

MULTI-GPU PROGRAMMING MODELS Jiri Kraus, Senior Devtech Compute Jan Stephan, Intern Devtech Compute MOTIVATION Why use multiple GPUs? Need to compute larger, e.g. bigger networks, car models, Need to compute faster, e.g. weather

1.28k views • 70 slides
AWS Hosted Services 2 Compute Cloud Compu2ng Spring

AWS Hosted Services 2 Compute Cloud Compu2ng Spring

Cloud Computing ECPE 276 AWS Hosted Services 2 Compute Cloud Compu2ng Spring 2016 3 Compute Options 1. Amazon Elas2c Compute Cloud

381 views • 37 slides
Cyber@UC Meeting 61 Running a Linux box securely If Youre New! Join our Slack:

Cyber@UC Meeting 61 Running a Linux box securely If Youre New! Join our Slack:

Cyber@UC Meeting 61 Running a Linux box securely If Youre New! Join our Slack: ucyber.slack.com SIGN IN! (Slackbot will post the link in #general) Feel free to get involved with one of our committees: Content Finance Public

297 views • 11 slides
Tw Two-round Secu cure MPC from Mi Mini nimal Assum umptions ns Sanjam Garg Akshayaram

Tw Two-round Secu cure MPC from Mi Mini nimal Assum umptions ns Sanjam Garg Akshayaram

Tw Two-round Secu cure MPC from Mi Mini nimal Assum umptions ns Sanjam Garg Akshayaram Srinivasan University of California, Berkeley Eurocrypt 2018 Secure Two-Party Computation [Yao 86] Securely compute ( " , #

286 views • 24 slides
Securely Moving Your Business Into the Cloud Alex Stamos Partner

Securely Moving Your Business Into the Cloud Alex Stamos Partner

Securely Moving Your Business Into the Cloud Alex Stamos Partner Takeaways Current conventional wisdom on cloud computing is missing the point You cannot

793 views • 37 slides
Objectives Euclidean Algorithm to compute gcd (Greatest Common Divisor) to compute

Objectives Euclidean Algorithm to compute gcd (Greatest Common Divisor) to compute

More Number Theoretic Results Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Euclidean Algorithm to compute gcd (Greatest

151 views • 14 slides
Constant-Overhead Secure Computation using Preprocessing Ivan Damgrd, Sarah Zakarias Aarhus

Constant-Overhead Secure Computation using Preprocessing Ivan Damgrd, Sarah Zakarias Aarhus

Constant-Overhead Secure Computation using Preprocessing Ivan Damgrd, Sarah Zakarias Aarhus University, Denmark Multiparty Computation Goal: Compute circuit UC-securely Unlike previous talk: I Interested in d i complexity of protocol

462 views • 21 slides
OPEN COMPUTE BRIEF 7x24 Exchange Carolinas Chapter 2017 Winter Meeting AGENDA Open

OPEN COMPUTE BRIEF 7x24 Exchange Carolinas Chapter 2017 Winter Meeting AGENDA Open

OPEN COMPUTE BRIEF 7x24 Exchange Carolinas Chapter 2017 Winter Meeting AGENDA Open Compute Project History & Definition General Open Compute Server & Rack Overview Detailed Open Compute Compliant Rack Overview The

473 views • 19 slides
Securely accessing remote sensors in critical infrastructures. SUPERVISORS: RESEARCH PROJECT 2

Securely accessing remote sensors in critical infrastructures. SUPERVISORS: RESEARCH PROJECT 2

Securely accessing remote sensors in critical infrastructures. SUPERVISORS: RESEARCH PROJECT 2 CEDRIC BOTH PAVLOS LONTORFOS JEROEN DO BOER 1 SECURITY AND NETWORK ENGINEERING The use of sensors Transportation Power grid networks

729 views • 24 slides
The sum of observables on a -distributive lattice effect algebra Ji r Janda, Yongming

The sum of observables on a -distributive lattice effect algebra Ji r Janda, Yongming

The sum of observables on a -distributive lattice effect algebra Ji r Janda, Yongming Li 1 / 61 Effect algebras Definition (Foulis, Bennett, 1994) A partial algebra ( E ; , 0 , 1) is called an effect algebra if 0, 1 are two

722 views • 59 slides
UMBC L A N R Y D A B M A L F T U M B C I O M 1 (Mar. 1, 2002) Y O T R I

UMBC L A N R Y D A B M A L F T U M B C I O M 1 (Mar. 1, 2002) Y O T R I

Systems Design & Programming 80x86 Assembly IV CMPE 310 Intel Assembly UMBC L A N R Y D A B M A L F T U M B C I O M 1 (Mar. 1, 2002) Y O T R I E S R C E O V U I N N U T Y 1 6 9 6 Systems Design

560 views • 11 slides
TaCLe Learning constraints in spreadsheets and tabular data Samuel Kolb, Sergey Paramonov, Tias

TaCLe Learning constraints in spreadsheets and tabular data Samuel Kolb, Sergey Paramonov, Tias

TaCLe Learning constraints in spreadsheets and tabular data Samuel Kolb, Sergey Paramonov, Tias Guns, Luc De Raedt September 6, 2017 1 / 29 Inspiration: Flash-fill 2 / 29 Inspiration: Flash-fill 2 / 29 Inspiration: Flash-fill 2 / 29

808 views • 51 slides
Gorman-Lancaster Approach to Estimating Demand for New Good Gorman (1956, 1980) and Lancaster

Gorman-Lancaster Approach to Estimating Demand for New Good Gorman (1956, 1980) and Lancaster

Econ 350 Gorman-Lancaster Approach to Estimating Demand for New Good Gorman (1956, 1980) and Lancaster (1966, 1971) consider the problem of estimat- ing the demand for a new good. Goods X Characteristics Z Goods are packages of underlying

663 views • 28 slides
Logistic Regression: MLE vs. OLS3 in Excel2013 25 Aug 2016 V0H V0H V0H Schield MLE vs.

Logistic Regression: MLE vs. OLS3 in Excel2013 25 Aug 2016 V0H V0H V0H Schield MLE vs.

Logistic Regression: MLE vs. OLS3 in Excel2013 25 Aug 2016 V0H V0H V0H Schield MLE vs. OLS3-Based Logistic Excel 2013 1 Schield MLE vs. OLS3-Based Logistic Excel 2013 2 Logistic Regression: Background & Goals MLE vs. OLS3 in Excel 2013

216 views • 21 slides
Exchange and ordering Stephen Blundell University of Oxford 2015 European School of

Exchange and ordering Stephen Blundell University of Oxford 2015 European School of

25/08/2015 Books Magnetism in Condensed Matter, S.J. Blundell, OUP (2001) Magnetism and Magnetic Materials, J.M.D. Coey, CUP (2009) Basic aspects of the quantum theory of magnetism, D.I. Khomskii, CUP(2010) Magnetism: A Very Short

445 views • 9 slides
Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) = ln( x ) by comparing derivatives. We can in turn use these algebraic rules to simplify the natural logarithm of products and quotients. If a and b are

182 views • 5 slides
Providing Flexible Consistency Levels with Manhattan at Twitter Boaz Avital @bx BOAZ AVITAL

Providing Flexible Consistency Levels with Manhattan at Twitter Boaz Avital @bx BOAZ AVITAL

Providing Flexible Consistency Levels with Manhattan at Twitter Boaz Avital @bx BOAZ AVITAL Tech Lead, Core Storage @bx M A N H AT TA N USING MANHATTAN Self service creation of applications and datasets Large multitenant clusters

933 views • 44 slides

More recommend