Additive Conditional Disclosure of Secrets Sven Laur swen@math.ut.ee Helsinki University of Technology
Motivation Consider standard two-party computation protocol. x f 1 (x, y) m 1 m2 m r 1 mr f 2 (x, y) y TCS Forum talk, November 19, 2004 1
Standard goals of secure two-party computation The inputs and outputs should remain private: Charlie should learn nothing except x and f 1 (x, y). Lucy should learn nothing except y and f 2 (x, y). The outputs should be correct: Charlie should really obtain f 1 (x, y). Lucy should really obtain f 2 (x, y). The protocol should be fair: Charlie and Lucy should both obtain outputs or none of them. TCS Forum talk, November 19, 2004 2
Secure evaluation of intersection cardinality Charlie Lucy Characteristic vector Characteristic vector x = (x 1, x 2,..., x n ). y = (y 1, y 2,..., y n ). Compute (pk, sk) Gen. Form a vector c = (E(x 1 ), E(x 2 ),..., E(x n )). Output Dec(d) = X Y pk c d Store the public key pk. Compute answer d = c y 1 1 cy 2 2 cy n n E(0) = E(x 1 y 1 + x 2 y 2 + x n y n ). Output TCS Forum talk, November 19, 2004 3
What if Charlie is malicious? If Charlie sends invalid vector c = (E(1),E(2),E(4),...E(2 n )), then the return value d = E(1y 1 + 2y 2 + 4y 3 + + 2 n y n ) and Charlie can reveal Dec(d) = y n... y 2 y 1 = y. TCS Forum talk, November 19, 2004 4
Standard way to achieve privacy and correctness 1. Device a protocol Π that is secure in semihonest model: + Both parties follow the protocol, but try to extract additional information 2. Extend the protocol Π by forcing semihonest behaviour: + Both parties commit their inputs x and y. + For each message m i of the protocol Π the sender adds a zeroknowledge proof PK(m i ) that m i was correctly formed. TCS Forum talk, November 19, 2004 5
Extended protocol x f 1 (x, y) Com(x) Com(y) m 1 PK(m 1 )..... f 2 (x, y) y TCS Forum talk, November 19, 2004 6
Some properties of extended protocols Standard zero-knowledge proofs have at least four rounds: The extended protocol has a large communicational overhead. The extended protocol has a large overhead in rounds. We can use non-interactive zero-knowledge proofs (NIZK): + Proofs will be relatively short binary strings. + The number of rounds do not increase. The security properties of NIZK are essentially unknown. All proofs are valid in the random oracle model. All proofs are valid in the common reference string model. TCS Forum talk, November 19, 2004 7
What if correctness is infeasible? x f 1 (x, y) m 1 m2 m r 1 mr y TCS Forum talk, November 19, 2004 8
When correctness requirement is questionable? Lucy s input might be so large that ZK proofs are huge. Charlie computes a predicate P(x, y) and there are wild cards y 0 : x P(x, y 0 ) = 0 y 1 : x P(x, y 1 ) = 1. External reasons force Lucy to act in a semihonest way, for example commercial reputation, laws forced by government organisations. TCS Forum talk, November 19, 2004 9
Informal definition of privacy Charlie should learn f 1 (x, y) only if + input x is in the valid range X; + all messages m i follow protocol specification. Charlie should learn nothing if x / X or some m i is malformed. Lucy should learn f 2 (x, y) =, i.e. nothing. x f 1 (x, y) y TCS Forum talk, November 19, 2004 10
Binding conditional disclosure of secrets (CDS) s m i CDS1(m i ) CDS2(m i ) x, m 1,..., m i m 1,..., m i 1...... s {0,1}n Charlie learns secret s only if the message m i is formed correctly. TCS Forum talk, November 19, 2004 11
Additive conditional disclosure of secrets (ACDS) s E(x) x CDS1(m i ) CDS2(m i )...... s {0,1}n Charlie learns secret s only if the input x is in valid set X. TCS Forum talk, November 19, 2004 12
Consider a keyed list access ACDS from oblivious transfer Charlie Sally y 1 s y 2. s. y i y i. s. s Charlie invokes oblivious transfer protocol to retrieve: L[y i ] = s if y i X, L[y i ] = if y i / X. y k TCS Forum talk, November 19, 2004 13
Simple ACDS protocol Charlie Sally Input x. Compute (pk, sk) Gen. pk Secret s and set of valid values X = {y 1,..., y k }. Store the public key pk. Send a query c = E(x) For x = y i0 output Dec(d i0 ) = s c Compute answers d i = (c E( y i )) t i E(s) d 1,...,d k = E(t i (x y i ) + s) Output E(x) TCS Forum talk, November 19, 2004 14
Spectacular failure of homomorphic OT The message space of Pallier encryption scheme is Z p q for primes p, q P. If Charlie sends E(x) such that x y 1 mod p and x y 2 mod q then Dec(d 1 ) t 1 (x y 1 ) + s mod pq Dec(d 1 ) s mod p Dec(d 2 ) t 1 (x y 2 ) + s mod pq Dec(d 2 ) s mod q and Charlie can restore secret even if x / X. TCS Forum talk, November 19, 2004 15
What is wrong here!? If gcd(x y i, pq) = 1 then every thing is OK Pr [Dec(d i ) = t i (x y i ) + s = u] = 1 pq. Otherwise we have a distribution with large steps. s s + p s + 2p s + (q 1)p Pr Z p q TCS Forum talk, November 19, 2004 16
Information-theoretical solution We choose many different shifts for a single s and send s+ instead. Then large bumps cancel out. If is such a set that the distribution mod p and mod q is close to uniform, then is close to uniform. t i (x y i ) + s +, t i Z p q x y i TCS Forum talk, November 19, 2004 17
Precise construction We choose l such that desired security level. m2 l 2 min{p,q} 2 λ, where k = X and 2 λ is The message space reduces s {0, 1} l. The random shifts are = { 0,2 l,2 2 l,3 2 l,... r 2 l}, r 2 l < pq < (r + 1)2 l. Charlie can restore s (Dec(d i0 ) mod pq) mod 2 l s + mod 2 l s mod 2 l. TCS Forum talk, November 19, 2004 18
Computationally secure solution Information theoretical solution has a low throughput. We can use roughly 25% 40% of the message space size for the standard Pallier encryption scheme with 512 bit primes. If we require only computational privacy we can do significantly better. Trivial solution ( E IT encoded key k ) and SymEnc k (s) Can compress it all into a single encryption? Cleverly encoded 128 bit key k SymEnc k (s) TCS Forum talk, November 19, 2004 19
Now recall the idea of CDS s m i CDS1(m i ) CDS2(m i ) x, m 1,..., m i m 1,..., m i 1...... s {0,1}n Charlie learns secret s only if the message m i is formed correctly. TCS Forum talk, November 19, 2004 20
Privacy through binding CDS m 1, m 3,..., m... r 1 x f 1 (x, y) CDS1(m 1 ) m 2,CDS2(m 1 ) CDS1(m r 1 ) CDS2(m r 1 ) m r s r 1 m 1 m2 m r 1 mr y s 1, s 3,..., s... r 1 TCS Forum talk, November 19, 2004 21
Formal specification In the semihonest protocol Π Charlie sends messages m 1, m 3,..., m r 1. Secure transformation For each odd message m i Charlie and Lucy execute a binding CDS scheme such that Charlie obtains a secret s i iff m i is valid; Lucy can compute message m i from protocol transcript. Lucy uses restored m i and follows the original protocol Π. Lucy sends m r s 1 s r 1 as last message. Charlie can restore m r iff m 1, m 3,..., m r 1 were correctly formed. TCS Forum talk, November 19, 2004 22
Alternative viewpoint to padding schemes in ACDS We used special kind of padding scheme to prevent malicious behaviour. Plaintext awareness transformations use also padding that fix a very restricted input format. Actually, the constructed padding schemes achieve plain-text awareness under very restricted conditions. Adversary is allowed to: do homomorphic operations; choose a random cryptogram; choose a random cryptogram of p; choose a random cryptogram of q; TCS Forum talk, November 19, 2004 23