240 likes | 347 Views
Simple, Black-Box Constructions of Adaptively Secure Protocols. Seung Geol Choi Columbia University. joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University), and Hoeteck Wee (Queens College, CUNY). Outline. Motivation Our Work Our Compiler Comp.
E N D
Simple, Black-Box Constructions of Adaptively Secure Protocols Seung Geol Choi Columbia University joint work withDana Dachman-Soled (Columbia University), Tal Malkin (Columbia University), and Hoeteck Wee (Queens College, CUNY)
Outline • Motivation • Our Work • Our Compiler • Comp
Outline • Motivation • Our Work • Our Compiler • Comp
Criteria of adversarial corruptionin Multi-party Computation (MPC) • Semi-honest vs. Malicious • semi-honest: corrupted parties should behave honestly • malicious: they can behave arbitrarily • How many parties can be corrupted? • Honest majority vs. honest minority. • Static vs. Adaptive • static: adv corrupts parties at the outset • adaptive [CFGN96]: during the protocol adaptively
(s0, s1) Sender Receiver r m1 m2 m3 sr Output Adaptively Secure OT - Simulator No Corruption Corrupt Sender Bad SimulationPick (s0, s1), r, rand for S & R randomly and execute the protocol honestly w/ these values. Given the actual input (s0’, s1’), Sim is unable to patch rand for S consistent w/ the transcript & the input
MPC (malicious majority) and OT -- Roughly • Non-black-box • Basically everything is known: use ZK, e.g., • Static: from semi-honest OT[GMW87] (stand-alone) • Adaptive: from semi-honest OT with FCOM [CLOS02] (UC) • Black-box • Static: from semi-honest OT[K88,IKLP06,H08] (stand-alone) • Adaptive: from malicious OT [IPS08] (UC) But, malicious OT [B98, CLOS02, KO04] has non-black-box access to the underlying primitive.
Goal • Achieve MPC • adaptive, malicious majority • black-box (BB) access to lower primitives • Of theoretical interest • Arguably more efficient: avoid general NP reductions incurred by ZK proofs. • constant-round
Outline • Motivation • Our Work • Our Compiler • Comp
Main Result UC, adaptive semi-honest bit OT • Black-box • constant multiplicative blow-up in rounds Compiler Improvement over [IKLP06,H08] : UC and adaptive UC, adaptive malicious string OT in FCOM hybrid
BB Implications – UC & Adaptive Trapdoor simulatable cryptosystem constant-round semi-honest bitOT [CDMW09, CLOS02] DDHRSAFactoringLWE • in FCOMhybrid - MPC allowing corruption of any number of parties - constant-round MPC allowing corruption of n-1 parties this work: malicious string OT in FCOM hybrid [IPS08]
Our MPC Construction • FCOM hybrid: Can be combined with existing results under various setup • e.g., [CLOS02, BCNP04, CDPW07, K07]. Usually start by how to UC realize FCOM.
BB Implications - Stand-alone UC, adaptive, constant-round semi-honest bitOT Trapdoor simulatable cryptosystem [CDMW09, CLOS02] DDHRSAFactoringLWE • UC, adaptive in FCOMhybrid - MPC allowing corruption of any number of parties - constant-round MPC allowing corruption of n-1 parties this work: malicious string OT in FCOM hybrid • stand-alone, adaptive [IPS08] [PW09] [PW09] • - constant-round maliciousstring OT
Our Work - Summary UC, adaptive semi-honest bit OT UC, adaptive malicious string OT in FCOM hybrid Compiler • Adaptively secure MPC: UC in FCOMhybrid / stand-alone - allowing corruption of any number of parties • allowing corruption of n-1 parties in constant-round MPC stand-alone, adaptive constant-round maliciousstring OT String OT
Outline • Motivation • Our Work • Our Compiler • Comp
Previous Work: Stand-alone & Static case semi-honest bit OT Haitner [H08] defensible bit OT eTDP, homomorphic enc Ishai,Kushilevitz,Lindell, and Petrank[IKLP06] malicious OT MPC [K88]
Our Compiler - 1 • Basically, [H08]+[IKLP06]. • Insight • View [H08] + [IKLP06] as GMW Compiler • With ZK proof replaced with cut-and-choose technique. • Our presentation doesn’t need the notion of defensible OT.
semi-honest semi-honest [H08] : Commit input & randomness at the outset Our Compiler - 2 • Has two modules • Comp: boost receiver-side security (for string) • OT-Reversal [WW06]: reverse the role of sender and receiver (for bit) Our Compiler sender receiver [IKLP06] Starting protocol semi-honest semi-honest defensible defensible Apply Comp semi-honest malicious defensible Apply OT-Reversal malicious semi-honest defensible Parallel executions Apply Comp malicious malicious
Outline • Motivation • Our Work • Our Compiler • Comp
Comp(¦) I. Run con-tossing in the well using FCOM to fix R’s input & rand for Phase II. [H08] II. Run 2n executions of ¦in parallel w/ R using input & rand generated in Phase I. III. R opens commitments in Phase I for n random OT execs. [IKLP06] Cut & Choose IV. Apply combiner to the rest of n executions.
UC Security in Comp • Straight-line simulation • Extract receiver’s input in a straight-line manner w/ info from Phase I.
(s0, s1) Sender Receiver r m1 m2 m3 sr Output Adaptively Secure OT - Simulator No Corruption Corrupt Sender Upon corruption, Sim has to patch rand for S consistent w/ the transcript & the given input
Simulation in Comp –Achieving Adaptive Security • Extract R’s input & rand. in Phase I w/ FCOM • For i-th OT execution ¦i: • Run simulator for ¦i(SIMi) until the R behaves consistently w/ the commitments. • Inconsistent R: “corrupt S” on SIMi(input & rand of S in ¦i is fixed). Follow spec. of ¦ w/ this fixed info. • Patching the S’s overall rand. • If R behaved honestly in some ¦j, can patch using SIMj : with high probability there is at least one such j. • Use adaptive security of ¦: • Guaranteed as long as R behaves honestly
Conclusion UC, adaptive semi-honest bit OT UC, adaptive malicious string OT in FCOM hybrid Compiler • Adaptively secure MPC: UC in FCOMhybrid / stand-alone - allowing corruption of any number of parties • allowing corruption of n-1 parties in constant-round MPC stand-alone, adaptive constant-round maliciousstring OT String OT