Round-Preserving Parallel Composition of Probabilistic-Termination Cryptographic Protocols

Transcription

1 Round-Preserving Parallel Composition o Probabilistic-Termination Cryptographic Protocols [ICALP 17] Ran Cohen (TAU) Sandro Coretti (NYU) Juan Garay (Yahoo Research) Vassilis Zikas (RPI)

2 2 Secure Multiparty Computation

3 3 Ideal World

4 Real/Ideal Paradigm 4

5 Broadcast is Good or MPC Every unction can be computed with guaranteed output delivery (honest majority) Round complexity depends only on (unconditional) Constant-round protocols (OWF) Optimal three-round protocols (FHE) 5

6 Broadcast is Very Good or MPC Parallel composition preserves round complexity I r-round π is secure under parallel composition poly-many parallel executions o π in r rounds 6

7 What i Broadcast Doesn t Exist?

8 Use Broadcast Protocols Trusted setup required or broadcast t n/3 (PKI/inormation-theoretic signatures) Some unctions can be comp. without setup [C-Lindell 14, C-Haitner-Omri-Rotem 16] 8

9 Termination o Broadcast Protocols Protocols with simultaneous termination require t + 1 rounds [Fischer-Lynch 82, Dolev-Reischuk-Strong 90] Exp. constant round probabilistic termination [Feldman-Micali 88, Fitzi-Garay 03, Katz-Koo 06, Micali 17] Termination round not a priori known Non-simultaneous termination Naïve parallel composition not round preserving 9

10 Naïve Parallel Composition Protocol with expected O 1 rounds (geometric dist.) n parallel instances take Θ(log n) rounds Example: Coin lipping Stand-alone coin lip: Pr heads = 1/2 output is heads in expected 2 rounds Flipping in parallel n coins, each coin until heads expected log n rounds 10

11 Parallel Composition o Broadcast Expected constant round parallel broadcast [BenOr-ElYaniv 03, Fitzi-Garay 03, Katz-Koo 06] Composable parallel bcast [C-Coretti-Garay-Zikas 16] Recipe or MPC: same exp. round complexity as in broadcast model 1) Construct protocol assuming broadcast channel 2) Instantiate bcast channel using PT parallel bcast 11

12 Parallel Composition o Broadcast Expected constant round parallel broadcast [BenOr-ElYaniv 03, Fitzi-Garay 03, Katz-Koo 06] Composable parallel bcast [C-Coretti-Garay-Zikas 16] Recipe or MPC: 12 same exp. round complexity as in broadcast model 1) Construct protocol assuming broadcast channel 2) Instantiate bcast channel using PT parallel bcast Problem: Solutions or broadcast crucially rely on its privacy-ree nature The MPC protocol has probabilistic termination (Naïve parallel composition not round preserving)

13 Main Question Can parallel composition o arbitrary PT protocols be round-preserving? 13

14 Main Question Can parallel composition o arbitrary PT protocols be round-preserving? In a black-box way? BB w.r.t. unctionality [Rosulek 12, IKPSY 16] BB w.r.t. protocol (next-message unction) 14

15 Common Terminology

16 Synchronous MPC [KMTZ 13, CCGZ 16] Ideal world captures round complexity o π Trusted party samples r term D = D π Parties continuously ask or output (receive by r term ) S can instruct early delivery or speciic parties 16

17 Functionally BB Protocols Traditional MPC: all parties know 17

18 Functionally BB Protocols Traditional MPC: all parties know FBB protocol is deined or unction class F = 1,, N Parties have oracle access to F (Z, A, S know ) 18

19 Functionally BB Protocols Traditional MPC: all parties know Protocol π is FBB protocol or F FBB protocol is deined or unction class F = 1,, N i F protocol π Parties have oracle access securely computes to F (Z, A, S know ) 19

20 Impossibility o FBB Protocols Theorem [Ishai-Kushilevitz-Prabhakaran-Sahai-Yu 16]: 2-party unction class F such that no FBB protocol computes F acing semi-honest adversary Proo intuition: The unction class F = α α 0,1 κ deined as α x 1, x 2 = 1, x 1 x 2 = α 0, x 1 x 2 α 20

21 Impossibility o FBB Protocols For random α, x 1, x 2 consider protocol π α Following events occur with negl probability: A party queries α with p, q s.t. p q = α A party queries α with p, q s.t. p q = x 1 x 2 All oracle queries in π α return 0 Consider coupled experiment with α = x 1 x 2 For random coins such that events don t occur all oracle queries in π α also return 0 both π α and π α output the same value 21 output 0 except negl output 1 except negl

22 Parallel Composition o Functions Given n-party unctions 1, 2,, m denote by 1 2 m the ollowing unction: Each P i has input x i = x 1 i, x 2 m i,, x i Output is y = y 1, y 2,, y m 1 x 1 1, x 2 1,, x n 1 m x 1 m, x 2 m,, x n m 2 x 1 2, x 2 2,, x n 2 22

23 FBB Parallel Composition

24 Semi-Honest FBB Protocol Theorem 1: Let F 1,, F m be deterministic unction classes Consider F 1,, F m -hybrid model that j computes the unction j F j with expected constant round complexity μ Then FBB protocol or F 1 F m with expected constant round complexity 24

25 Semi-Honest FBB Protocol 1 2 m r l l m 1 m l 1) Parties invoke l instances o each j 2) Each P i sends x i j to all instances o j and asks output or r rounds parameters 3) I some P i received output y j or each j distribute y 1,, y m and halt, otherwise restart 25

26 Semi-Honest FBB Protocol 1 2 m r l l m 1 m l Proo intuition: Correctness Privacy: corrupt parties always use the same input values (semi-honest) Round complexity: or l = Ω log m and constant r > μ, the expected number o restarts is constant (Markov) 26

27 What About Malicious? The previous protocol is not secure or malicious The adversary can send dierent x i j and x i j to j and learn multiple outputs This is inherent or batched-parallel composition protocols All parties use original inputs x k 1,, x k n to the trusted party Possibly in dierent rounds ρ and ρ Possibly or computing dierent j and j 27 in two calls

28 Malicious FBB Protocol Theorem 2: Let m = O κ n-party unction classes F 1,, F m s.t. i π computes F 1 F m in F 1,, F m -hybrid model (with exp. 2 rounds, geometric dist.) then, acing a single malicious corrupted party: π must call each F i at least once I π is naïve parallel composition not round preserving (log κ) until some get output call each F j until all parties get output π is not batched-parallel composition protocol 28 using same inputs in two calls

29 Proo Intuition Deine F 1 = = F m = α α 0,1 κ where α x 1, x 2, λ,, λ = x 2, x 1, α,, α, x 1 x 2 = α 0 κ, 0 κ,, 0 κ, x 1 x 2 α Naïve composition ails or geometric dist. No FBB protocol (without invoking trusted party) extending [IKPSY 16] No batched-parallel protocol 29 See the paper or details

30 Protocol-BB Parallel Composition

31 Protocol-BB Parallel Composition Theorem 3: Let PT protocols π 1,, π m realizing 1,, m Then π = compiler π 1,, π m realizes 1 m Round preserving E π = O max i E π i Black-box w.r.t. protocols π 1,, π m 31 The compiler doesn t know the code o π i (oracle access to next-message unction)

32 Protocol Compiler π 1 π 2 π m r 32

33 Prevent Multiple Inputs r 33 Use Setup, Commit, then Prove unctionality with a tweak [Canetti-Lindell-Ostrovsky-Sahai 02] [Ishai-Ostrovsky-Zikas 14]

34 Prevent Multiple Inputs Setup (correlated randomness) Commit (to inputs) Prove consistency in ZK r Prove consistency in ZK Prove consistency in ZK Prove consistency in ZK 34 Use Setup, Commit, then Prove unctionality with a tweak [Canetti-Lindell-Ostrovsky-Sahai 02] [Ishai-Ostrovsky-Zikas 14]

35 Some Challenges 1-to-many ZK black-box in π 1,, π m (based [IKOS 07]) Adjust [IOZ 14] to security without abort (t < n/2) Recover rom invalid ZK proos without: 1) Breaching privacy (A might have learned output) 2) Blowing up round complexity Implement the Setup in constant rounds (use only correlated randomness or broadcast) Reactive unctionalities with probabilistic termination See the paper or details 35

36 Summary We study parallel composition o PT protocols Functionally black-box (FBB) protocols No round-preserving FBB parallel composition (using known techniques) Round-preserving FBB parallel composition with semi-honest security Black-box w.r.t. protocols Round-preserving compiler or parallel composition 36