On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

Transcription

1 On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

2 Secure Multiparty Computation (MPC)

3 Ideal World/ Functionality

4 Simulation-Based Security

5 Simulation-Based Security

6 Simulation-Based Security

7 Simulation-Based Security

8 Simulation-Based Security

9 Corrupting All Parties

10 Corrupting All Parties

11 Corrupting All Parties

12 Corrupting All Parties

13 Modeling Adaptive Security Modular Composition [Canetti 00] Sequential composition Universal Composition [Canetti 01] Concurrent composition Synchronous protocols (Mostly) non-interactive environment Inputs are given statically before the computation Asynchronous protocols Interactive environment Inputs are given dynamically during the computation

14 Feasibility Result [CLOS 02] 1. Semi-honest protocol in the plain model Round complexity is O d d= depth of the circuit 2. Semi-honest to malicious compiler in CRS model Round complexity blows up by constant factor 3. Malicious protocol in CRS model Round complexity is O d CRS CRS compiler Semi-honest Malicious

15 Constant-Round Protocols Constant-round adaptive MPC [CGP 15] [DKR 15] [GP 15] In the CRS model, also for the semi-honest case CRS contains obfuscated program that gets the circuit as input The size of the CRS grows with the size of the circuit Constant-round in RAM model [CP 16] The size of the CRS grows with the size of the inputs CRS

16 Protocols with Short CRS Semi-honest setting No CRS (plain model) Malicious setting CRS independent of the circuit (depends only on security parameter) Can use [CLOS 02] compiler

17 Outline 1. Non-Interactive NCE in UC framework 2. Protocols with round complexity independent of circuit 3. Constant-round protocols for class of functions

18 Non-Interactive Non-Committing Encryption

19 Non-Interactive Non-Committing Encryption

20 Secure Message Transmission (SMT) m m m

21 Secure Message Transmission (SMT) m m Upon corruption reveal m m

22 Statically Secure Protocol pk Gen 1 κ c Enc pk, m Use public-key encryption (PKE) Simulation: Both parties are honest, encrypt 0 One party corrupted, S learns m and encrypts m PKE can be defined as a non-interactive (2-round) protocol statically realizes F SMT

23 Adaptive Corruptions Using PKE simulation fails when parties start honest [CFGN 96] defined Non-Committing Encryption (NCE) as n-party protocol that adaptively realizes F SMT [DN 00] defined strong NCE as 2-party protocol that adaptively realizes F SMT (in [Canetti 00]) Both definitions and constructions are interactive Can define non-interactive NCE as 2-round protocol [CLOS 02] provided a simpler definition

24 Non-Interactive NCE Definition: A PKE scheme Gen, Enc, Dec with algorithm Sim is non-interactive NCE if m 0,1 the distributions are comp. indistinguishable Honest view of encryption of m pk, c, r G, r E pk = Gen 1 κ ; r G, c = Enc pk, m; r E Simulated encryption explained for m pk, c, ρ G m, ρ E m pk, c, ρ G 0, ρ E 0, ρ G 1, ρ E 1 Sim 1 κ

25 Non-Interactive NCE (2) IDEAL REAL pk pk Gen r G pk c Enc m; r E c c m m pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ

26 Non-Interactive NCE (2) IDEAL REAL pk pk Gen r G pk c Enc m; r E c c m m pk, c, ρ m m G, ρ E pk, c, r G, r E pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ

27 Problem Simulation is valid if inputs are given before the computation begins (as in modular composition) In UC inputs are dynamically generated Need to simulate corruptions before inputs are given

28 Problem Simulation is valid if inputs are given before the computation begins (as in modular composition) In UC inputs are dynamically generated Need to simulate corruptions before inputs are given pk Gen r G pk

29 Problem Simulation is valid if inputs are given before the computation begins (as in modular composition) In UC inputs are dynamically generated Need to simulate corruptions before inputs are given pk pk Gen r G pk pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ

30 Problem Simulation is valid if inputs are given before the computation begins (as in modular composition) In UC inputs are dynamically generated Need to simulate corruptions before inputs are given pk pk Gen r G pk pk, r G pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ

31 Problem Simulation is valid if inputs are given before the computation begins (as in modular composition) In UC inputs are dynamically generated Need to simulate corruptions before inputs are given pk pk Gen r G pk pk, ρ G 0 pk, r G pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ

32 Problem Simulation is valid if inputs are given before the computation begins (as in modular composition) In UC inputs are dynamically generated Need to simulate corruptions before inputs are given pk pk Gen r G pk m = 1 m = 1 pk, ρ G 0 pk, r G pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ

33 Problem Simulation is valid if inputs are given before the computation begins (as in modular composition) In UC inputs are dynamically generated Need to simulate corruptions before inputs are given pk pk Gen r G pk c Enc m; r E c m = 1 m = 1 pk, ρ G 0 pk, r G, c, r E pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ

34 Problem Once pk, ρ 0 G (or ρ 1 G ) are fixed, c is committing c won t decrypt to random m with noticeable prob. pk pk Gen r G pk c Enc m; r E c m = 1 m = 1 pk, ρ G 0 pk, r G, c, r E pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ

35 Adjust the Simulation Simulation of c only after sender activated with m S learns m from ideal functionality (receiver corrupt) S encrypts c Enc pk, m; r E pk pk Gen r G pk c Enc m; r E c m = 1 m = 1 pk, ρ G 0 pk, r G, c, r E pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ

36 Adjust the Simulation Simulation of c only after sender activated with m S learns m from ideal functionality (receiver corrupt) S encrypts c Enc pk, m; r E pk pk Gen r G pk c Enc m; r E c c m = 1 m = 1 0 pk, ρ G, c, r E pk, r G, c, r E pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ

37 Adjust the Simulation (2) We show how to combine committing and non-committing ciphertexts in simulation Thm: If non-interactive NCE exists, then F SMT can be adaptively UC realized in 2 rounds pk pk Gen r G pk c Enc m; r E c c m = 1 m = 1 pk, ρ G 0, c, r E pk, r G, c, r E pk, c, ρ 0 G, ρ 0 E, ρ 1 G, ρ 1 E Sim 1 κ

38 Application: Oblivious Transfer (OT) m 0, m 1 c m c Augmented NCE: Oblivious sampling of public keys pk OGen 1 κ Invertible sampling pk, r pk = OGen 1 κ ; r pk, OGen 1 pk pk Gen 1 κ

39 Adaptive OT [CLOS 02] m 0, m 1 pk c Gen 1 κ pk 1 c OGen 1 κ c c 0 Enc pk 0, m 0 Simulation (semi-honest) c 1 Enc pk 1, m 1 m c S simulate using pk 0, c 0, ρ 0 0,G, ρ 0 0,E, ρ 1 1 0,G, ρ 0,E Sim 1 κ pk 1, c 1, ρ 0 1,G, ρ 0 1,E, ρ 1 1 1,G, ρ 1,E Sim 1 κ

40 Adaptive OT [CLOS 02] m 0, m 1 pk c Gen 1 κ pk 1 c OGen 1 κ c c 0 Enc pk 0, m 0 Simulation (semi-honest) c 1 Enc pk 1, m 1 m c S simulate using pk 0, c 0, ρ 0 0,G, ρ 0 0,E, ρ 1 1 0,G, ρ 0,E Sim 1 κ pk 1, c 1, ρ 0 1,G, ρ 0 1,E, ρ 1 1 1,G, ρ 1,E Sim 1 κ Upon receiver corruption, S learns c, m c and provides m randomness ρ c c,g

41 Adaptive OT [CLOS 02] m 0, m 1 pk c Gen 1 κ pk 1 c OGen 1 κ c c 0 Enc pk 0, m 0 Simulation (semi-honest) c 1 Enc pk 1, m 1 m c S simulate using pk 0, c 0, ρ 0 0,G, ρ 0 0,E, ρ 1 1 0,G, ρ 0,E Sim 1 κ pk 1, c 1, ρ 0 1,G, ρ 0 1,E, ρ 1 1 1,G, ρ 1,E Sim 1 κ Upon receiver corruption, S learns c, m c and provides m randomness ρ c c,g See the paper for details input & output

42 Round Complexity Independent of C

43 Indistinguishability Obfuscation (io) C 1 C 2 io C 1 io C 2 Candidate construction [GGHRSW 13] Nice property: the depth of the obfuscation circuit is independent of the circuit to obfuscate

44 Non-Committing io Γ = C 1 C 2 C 3 C 4 All circuits are functionally equivalent Def: io, Sim 1, Sim 2 is non-committing io for Γ if Sim 1 generates canonical obf. circuit C for Γ Given any C Γ, Sim 2 can explain C as io C C C 2 C Sim 2 C, C 2 io C 2 ; r C 2 r

45 Bad news: If NCiO for circuits exists poly-time solution to circuit equivalence (co-np) polynomial hierarchy collapses Good news: Non-Committing io (2) Circuit equivalence is easy for constant circuits (no input wires) Thm: If NCiO for constant circuits exists then adaptive SFE protocol with short CRS whose round complexity is independent of C

46 Protocol Idea x 1 x 2 x 1, r 1 1. Circuit C 1 : hard-wire x 1, x 2 to C 2. Obfuscate C 2 = io C 1 ; r 1 r 2 x 2, r 2 C 2 C2

47 Protocol Idea x 1 x 2 x 1, r 1 1. Circuit C 1 : hard-wire x 1, x 2 to C 2. Obfuscate C 2 = io C 1 ; r 1 r 2 x 2, r 2 C 2 Simulation idea C2 1 st corruption: learn x 1, y and randomly sample r 1 Compute C Sim 1 obfuscated constant circuit with output y

48 Protocol Idea x 1 x 2 x 1, r 1 1. Circuit C 1 : hard-wire x 1, x 2 to C 2. Obfuscate C 2 = io C 1 ; r 1 r 2 x 2, r 2 C 2 Simulation idea C2 1 st corruption: learn x 1, y and randomly sample r 1 Compute C Sim 1 obfuscated constant circuit with output y 2 nd corruption: learn x 2, y and compute C 1 (using C, x 1, x 2 ) Compute r Sim 2 C, C 1 and set r 2 = r r 1

49 Constant Round for One-Sided Poly-Size Domain

50 Constant-Round Protocol Thm: Assume adaptively secure OT exist f is deterministic 2-party functionality x 1 D 0,1 n, D = poly n x 2 0,1 n Then f can be adaptively realized with short CRS in constant number of rounds Optimistic view: feasibility result Pessimistic view: to rule out constant-round protocols in general, consider super-poly domain or randomized functions

51 Summary 1. How to simulate non-interactive NCE in UC 2. NCiO is complete for round complexity ind. of circuit 3. Constant-round protocols for class of functions Open questions: Does NCiO for constant circuits exist? Find more functions that have constant-round protocols with short CRS