A Bound For Multiparty Secret Key Agreement And Implications For A Problem Of Secure Computing. Himanshu Tyagi and Shun Watanabe

Size: px

Start display at page:

Download "A Bound For Multiparty Secret Key Agreement And Implications For A Problem Of Secure Computing. Himanshu Tyagi and Shun Watanabe"

Julian Howard
5 years ago
Views:

1 A Bound For Multiparty Secret Key Agreement And Implications For A Problem Of Secure Computing Himanshu Tyagi and Shun Watanabe

2 Multiparty Secret Key Agreement COMMUNICATION NETWORK F X 1 X 2 X m K 1 K 2 Party i computes K i (X i,f) K; K m Eavesdropper observes F,Z K 1,...,K m constitute an (ǫ,δ)-secret key of length logk if P(K 1 = K 2 =... = K m ) 1 ǫ, :Recoverability 1 2 P K 1 FZ P unif P FZ 1 δ, :Secrecy 1

3 Alternative Definition of a Secret Key K 1,...,K m constitute an ǫ-secret key of length logk if 1 2 P K 1 K 2...K mfz P unif,m P FZ 1 ǫ, where P unif,m (k 1,...,k m ) = 1 K ½(k 1 =...k m ). 2

4 Alternative Definition of a Secret Key K 1,...,K m constitute an ǫ-secret key of length logk if 1 2 P K 1 K 2...K mfz P unif,m P FZ 1 ǫ, where P unif,m (k 1,...,k m ) = 1 K ½(k 1 =...k m ). Lemma (ǫ, δ)-sk (ǫ + δ)-sk, and conversely, ǫ-sk (ǫ, ǫ)-sk. 2

5 Multiparty Secret Key Agreement COMMUNICATION NETWORK F X 1 X 2 X m K 1 K 2 K m K 1,...,K m constitute an ǫ-secret key of length logk if Definition 1 2 P K 1 K 2...K mfz P unif,m P FZ 1 ǫ. S ǫ (X 1,...,X m Z) maximum length of an ǫ-secret key 3

6 Upper bound for S ǫ (X 1,...,X m Z)

7 No Correlation No Secret Key If X 1 and X 2 are independent conditioned on Z: S ǫ (X 1,X 2 Z) 0 5

8 No Correlation No Secret Key If X 1 and X 2 are independent conditioned on Z: S ǫ (X 1,X 2 Z) 0 If for some partition π = {π 1,...,π k } of {1,...,m}, X π1,...,x πk are independent conditioned on Z: S ǫ (X 1,...,X m Z) 0 5

9 No Correlation No Secret Key If X 1 and X 2 are independent conditioned on Z: S ǫ (X 1,X 2 Z) 0 If for some partition π = {π 1,...,π k } of {1,...,m}, X π1,...,x πk are independent conditioned on Z: S ǫ (X 1,...,X m Z) 0 Bound S ǫ (X 1,...,X m Z) in terms of how far is P X1,...,X mz is from a conditionally independent distribution 5

10 Digression: Binary Hypothesis Testing Consider the following binary hypothesis testing problem: Define H0 : X P vs. H1 : X Q β ǫ (P,Q) inf Q(x)T(0 x), x X where the inf is over all random tests T : X {0, 1} s.t. P(x)T(1 x) ǫ. x X 6

11 Digression: Binary Hypothesis Testing Consider the following binary hypothesis testing problem: Define H0 : X P vs. H1 : X Q β ǫ (P,Q) inf Q(x)T(0 x), x X where the inf is over all random tests T : X {0, 1} s.t. P(x)T(1 x) ǫ. x X Data processing. For every stochastic matrix W : X Y β ǫ (P,Q) β ǫ (PW,QW) 6

12 Reduction Argument Given a partition π = {π 1,...,π k } of {1,...,m} Let Q(x 1,...,x m z) = k i=1 Q(x π i z) For the binary hypothesis testing: H0 : X 1,...,X m,z P, H1 : X 1,...,X m,z Q, consider the degraded observations K 1,...,K m,f,z. 7

13 Reduction Argument Given a partition π = {π 1,...,π k } of {1,...,m} Let Q(x 1,...,x m z) = k i=1 Q(x π i z) For the binary hypothesis testing: H0 : X 1,...,X m,z P, H1 : X 1,...,X m,z Q, consider the degraded observations K 1,...,K m,f,z. Let W K1...K mf X 1...X mz represent the protocol. 7

14 Reduction Argument Consider the degraded binary hypothesis testing: H0 : K 1,...,K m,f,z P K1...,K mfz = PW H1 : K 1,...,K m,f,z Q K1...,K mfz = QW Consider a test with the acceptance region A defined by: { } P unif,m (K 1,...,K m ) A log Q K1...K m FZ(K 1...K m F,Z) λ π where λ π = ( π 1)log K π log(1/η) 8

15 Reduction Argument Consider the degraded binary hypothesis testing: H0 : K 1,...,K m,f,z P K1...,K mfz = PW H1 : K 1,...,K m,f,z Q K1...,K mfz = QW Consider a test with the acceptance region A defined by: { } P unif,m (K 1,...,K m ) A log Q K1...K m FZ(K 1...K m F,Z) λ π where λ π = ( π 1)log K π log(1/η) Likelihood ratio test with P K1...K m FZ replaced by P unif,m - recall: 1 2 P K 1 K 2...K mfz P unif,m P FZ 1 ǫ 8

16 Reduction Argument Missed Detection: Q K1...K mfz(a) K 1 π η π False Alarm: P K1...K mfz(a c ) ǫ+η 9

17 Reduction Argument Missed Detection: Q K1...K mfz(a) K 1 π η π - easy False Alarm: P K1...K mfz(a c ) ǫ+η - requires work Lemma (Reduction) For every 0 ǫ < 1 and 0 < η < 1 ǫ, S ǫ (X 1,...,X m Z) 1 π 1 [ logβ ǫ+η(pw,qw)+ π log(1/η)]. 9

18 Reduction Argument Missed Detection: Q K1...K mfz(a) K 1 π η π - easy False Alarm: P K1...K mfz(a c ) ǫ+η - requires work Lemma (Reduction) For every 0 ǫ < 1 and 0 < η < 1 ǫ, S ǫ (X 1,...,X m Z) 1 π 1 [ logβ ǫ+η(pw,qw)+ π log(1/η)]. By data processing: β ǫ+η (PW,QW) β ǫ+η (P,Q) 9

19 Conditional Independence Testing Bound Theorem For every 0 ǫ < 1 and 0 < η < 1 ǫ, S ǫ (X 1,...,X m Z) 1 π 1 [ logβ ǫ+η(p,q)+ π log(1/η)], where k Q(x 1,...,x m z) = Q(x πi z). i=1 For two parties: S ǫ (X 1,X 2 Z) logβ ǫ+η ( PX1 X 2 Z,P X1 ZP X2 ZP Z ) +2log(1/η) 10

20 Conditional Independence Testing Bound Theorem For every 0 ǫ < 1 and 0 < η < 1 ǫ, S ǫ (X 1,...,X m Z) 1 π 1 [ logβ ǫ+η(p,q)+ π log(1/η)], where k Q(x 1,...,x m z) = Q(x πi z). i=1 For two parties: S ǫ (X 1,X 2 Z) logβ ǫ+η ( PX1 X 2 Z,P X1 ZP X2 ZP Z ) +2log(1/η) Connections to meta-converse of Polyanskiy, Poor, and Vérdu 10

21 Implications of the Upper Bound

22 1. Strong Converse for Secret Key Agreement [Maurer 93] [Ahlswede-Csiszár 93] [Csiszar-Narayan 04] Consider IID observations X 1,...,X m X n 1,...,Xn m, Z = (ǫ,δ)-secret Key Capacity: C ǫ,δ := liminf n Secret Key Capacity: C := inf ǫ,δ C ǫ,δ. 1 n S ǫ,δ(x n 1,...,X n m) 12

23 1. Strong Converse for Secret Key Agreement [Maurer 93] [Ahlswede-Csiszár 93] [Csiszar-Narayan 04] Consider IID observations X 1,...,X m X n 1,...,Xn m, Z = (ǫ,δ)-secret Key Capacity: C ǫ,δ := liminf n Secret Key Capacity: Theorem For 0 < ǫ,δ with ǫ+δ < 1, C := inf ǫ,δ C ǫ,δ. C ǫ,δ = C, 1 n S ǫ,δ(x n 1,...,X n m) and for all ǫ+δ 1, C ǫ,δ =. 12

24 2. Information Theoretically Secure OT X 1 K 0, K 1 F X 2 B ˆK K B [Even-Goldreich-Lempel 85],..., [Nascimento-Winters 06] ( ) Reliability: P ˆK KB ǫ Security 1: 1 2 P BK 0 K 1 X 1 F P B P K0 K 1 X 1 F 1 δ 1 Security 2: 1 P KB BX 2 2 F P KB P BX2 F 1 δ 2 13

25 2. Information Theoretically Secure OT X 1 K 0, K 1 F X 2 B ˆK K B [Even-Goldreich-Lempel 85],..., [Nascimento-Winters 06] ( ) Reliability: P ˆK KB ǫ Security 1: 1 2 P BK 0 K 1 X 1 F P B P K0 K 1 X 1 F 1 δ 1 Security 2: 1 P KB BX 2 2 F P KB P BX2 F 1 δ 2 How large can the length l of OT be? 13

26 Bounds on the Efficiency of OT Theorem (Reduction of SK Agreement to OT) For an (ǫ,δ 1,δ 2 )-OT of length l l< min{s ǫ+δ1 +2δ 2 (X 1,X 2 ), S ǫ+δ1 +2δ 2 (X 1,(X 1,X 2 ) X 2 )} 14

27 Bounds on the Efficiency of OT Theorem (Reduction of SK Agreement to OT) For an (ǫ,δ 1,δ 2 )-OT of length l l< min{s ǫ+δ1 +2δ 2 (X 1,X 2 ), S ǫ+δ1 +2δ 2 (X 1,(X 1,X 2 ) X 2 )} OT Capacity (for IID observations): Maximum rate (l/n) of OT length (with δ 1n,δ 2n 0) C ǫ (X 1,X 2 ) min{i(x 1 X 2 ),H(X 1 X 2 )} Strong version of the Ahlswede-Csiszár upper bound 14

28 3. Information Theoretic Bit Commitment Commit X 1 X 2 F K Reveal X 1 X 2 K F K,X 1? Party 2 constructs a test T for the hypothesis: Secret is k" Recovery: P(T(K,X 1,X 2,F) = 1) ǫ Security: 1 2 P KX 2 F P K P X2 F 1 δ 1 Binding: P(T(K,X 1,X 2,F) = 0,K K) δ 2 15

29 3. Information Theoretic Bit Commitment Commit X 1 X 2 F K Reveal X 1 X 2 K F K,X 1? Party 2 constructs a test T for the hypothesis: Secret is k" Recovery: P(T(K,X 1,X 2,F) = 1) ǫ Security: 1 2 P KX 2 F P K P X2 F 1 δ 1 Binding: P(T(K,X 1,X 2,F) = 0,K K) δ 2 How large can the length l of BC be? 15

30 Bound on the Efficiency of BC Theorem (Reduction of SK Agreement to BC) For an (ǫ,δ 1,δ 2 )-BC of length l, l< S ǫ+δ1 +δ 2 (X 1,(X 1,X 2 ) X 2 ) 16

31 Bound on the Efficiency of BC Theorem (Reduction of SK Agreement to BC) For an (ǫ,δ 1,δ 2 )-BC of length l, l< S ǫ+δ1 +δ 2 (X 1,(X 1,X 2 ) X 2 ) Efficiency of reduction of BC to OT Given n-length OT: X 1 K 0,K 1 X 2 K B,B. The possible length l of BC is bounded as: l n+o(log(1 ǫ δ 1 δ 2 )) 16

32 Bound on the Efficiency of BC Theorem (Reduction of SK Agreement to BC) For an (ǫ,δ 1,δ 2 )-BC of length l, l< S ǫ+δ1 +δ 2 (X 1,(X 1,X 2 ) X 2 ) Efficiency of reduction of BC to OT Given n-length OT: X 1 K 0,K 1 X 2 K B,B. The possible length l of BC is bounded as: l n+o(log(1 ǫ δ 1 δ 2 )) Improves a bound of [Ranellucci et. al. 11] 16

33 Bound on the Efficiency of BC Theorem (Reduction of SK Agreement to BC) For an (ǫ,δ 1,δ 2 )-BC of length l, l< S ǫ+δ1 +δ 2 (X 1,(X 1,X 2 ) X 2 ) [Nascimento-Winters-Imai 03] BC capacity C = H(X 1 X 2 ) Strong converse for BC capacity C ǫ,δ1,δ 2 (X 1,X 2 ) H(X 1 X 2 ), ǫ+δ 1 +δ 2 < 1 16

34 4. Secure Computing with Trusted Parties Parties are trusted, the communication channel is not COMMUNICATION NETWORK F X 1 X 2 X m Party i computes G i (X i,f); g g g A function g is (ǫ,δ)-secure computable if Eavesdropper observes F,Z P(G 1 = G 2 =... = G m = g(x 1,...,X m )) 1 ǫ, :Recoverability 1 2 P GFZ P G P FZ 1 δ, :Secrecy 17

35 Characterization of securely computable functions [Tyagi-Gupta-Narayan 11] IID case with Z = A function g is secure computable (asymptotically) iff H(G) C 18

36 Characterization of securely computable functions [Tyagi-Gupta-Narayan 11] IID case with Z = A function g is secure computable (asymptotically) iff H(G) C A single-shot necessary condition Theorem If a function g is (ǫ, δ)-secure computable, then H ξ min (P 1 G)< π 1 logβ ( ) ǫ+δ+2ξ PXM Z,Q XM Z, where k Q(x 1,...,x m z) = Q(x πi z). i=1 18

37 In Closing... We derived converse results for IT cryptography, which are valid for the single-shot case 19

38 In Closing... We derived converse results for IT cryptography, which are valid for the single-shot case Key idea: Reduction of hypothesis testing to crypto primitives 19

39 In Closing... We derived converse results for IT cryptography, which are valid for the single-shot case Key idea: Reduction of hypothesis testing to crypto primitives By observing the outputs of any IT secure crypto primitive we can measure the correlation in the observations 19

40 In Closing... We derived converse results for IT cryptography, which are valid for the single-shot case Key idea: Reduction of hypothesis testing to crypto primitives By observing the outputs of any IT secure crypto primitive we can measure the correlation in the observations H. Tyagi and S. Watanabe, Converses for secret key agreement and secure computing, arxiv: ,

41 In Closing... We derived converse results for IT cryptography, which are valid for the single-shot case Key idea: Reduction of hypothesis testing to crypto primitives By observing the outputs of any IT secure crypto primitive we can measure the correlation in the observations H. Tyagi and S. Watanabe, Converses for secret key agreement and secure computing, arxiv: , 2014 How close do efficient schemes come to these performance bounds?? 19

Converses For Secret Key Agreement and Secure Computing

Converses For Secret Key Agreement and Secure Computing Himanshu Tyagi and Shun Watanabe Abstract We consider information theoretic secret key agreement and secure function computation by multiple parties