
Simple, Black-Box Constructions of Adaptively Secure Protocols

Seung Geol Choi (Columbia University). Joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University), and Hoeteck Wee (Queens College, CUNY).


Presentation Transcript


  1. Simple, Black-Box Constructions of Adaptively Secure Protocols • Seung Geol Choi, Columbia University • joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University), and Hoeteck Wee (Queens College, CUNY)

  2. Outline • Motivation • Our Work • Our Compiler • Comp

  3. Outline • Motivation • Our Work • Our Compiler • Comp

  4. Criteria of adversarial corruption in Multi-party Computation (MPC) • Semi-honest vs. Malicious • semi-honest: corrupted parties should behave honestly • malicious: they can behave arbitrarily • How many parties can be corrupted? • Honest majority vs. honest minority. • Static vs. Adaptive • static: the adversary corrupts parties at the outset • adaptive [CFGN96]: the adversary corrupts parties adaptively during the protocol

  5. Adaptively Secure OT - Simulator • [Diagram: Sender with input (s0, s1), Receiver with input r; messages m1, m2, m3; Receiver's output s_r. Timeline: No Corruption, then Corrupt Sender.] • Bad simulation: pick (s0, s1), r, and rand for S & R randomly and execute the protocol honestly w/ these values. Given the actual input (s0’, s1’), Sim is unable to patch rand for S consistent w/ the transcript & the input.

  6. MPC (malicious majority) and OT -- Roughly • Non-black-box • Basically everything is known: use ZK, e.g., • Static: from semi-honest OT [GMW87] (stand-alone) • Adaptive: from semi-honest OT with FCOM [CLOS02] (UC) • Black-box • Static: from semi-honest OT [K88, IKLP06, H08] (stand-alone) • Adaptive: from malicious OT [IPS08] (UC) • But malicious OT [B98, CLOS02, KO04] has non-black-box access to the underlying primitive.

  7. Goal • Achieve MPC • adaptive, malicious majority • black-box (BB) access to lower primitives • Of theoretical interest • Arguably more efficient: avoid general NP reductions incurred by ZK proofs. • constant-round

  8. Outline • Motivation • Our Work • Our Compiler • Comp

  9. Main Result • Compiler: UC, adaptive semi-honest bit OT → UC, adaptive malicious string OT in FCOM hybrid • Black-box • constant multiplicative blow-up in rounds • Improvement over [IKLP06, H08]: UC and adaptive

  10. BB Implications – UC & Adaptive • DDH, RSA, Factoring, LWE • Trapdoor simulatable cryptosystem • constant-round semi-honest bit OT [CDMW09, CLOS02] • this work: malicious string OT in FCOM hybrid • [IPS08], in FCOM hybrid: - MPC allowing corruption of any number of parties - constant-round MPC allowing corruption of n-1 parties

  11. Our MPC Construction • FCOM hybrid: Can be combined with existing results under various setup • e.g., [CLOS02, BCNP04, CDPW07, K07]. Usually start by how to UC realize FCOM.

  12. BB Implications - Stand-alone • DDH, RSA, Factoring, LWE • Trapdoor simulatable cryptosystem • UC, adaptive, constant-round semi-honest bit OT [CDMW09, CLOS02] • this work: malicious string OT in FCOM hybrid • UC, adaptive in FCOM hybrid [IPS08]: - MPC allowing corruption of any number of parties - constant-round MPC allowing corruption of n-1 parties • stand-alone, adaptive [PW09] [PW09]: - constant-round malicious string OT

  13. Our Work - Summary • Compiler: UC, adaptive semi-honest bit OT → UC, adaptive malicious string OT in FCOM hybrid • Adaptively secure MPC: UC in FCOM hybrid / stand-alone - allowing corruption of any number of parties - allowing corruption of n-1 parties in constant-round MPC • String OT: stand-alone, adaptive constant-round malicious string OT

  14. Outline • Motivation • Our Work • Our Compiler • Comp

  15. Previous Work: Stand-alone & Static case • semi-honest bit OT • Haitner [H08] • defensible bit OT • eTDP, homomorphic enc • Ishai, Kushilevitz, Lindell, and Petrank [IKLP06] • malicious OT • MPC [K88]

  16. Our Compiler - 1 • Basically, [H08]+[IKLP06]. • Insight • View [H08] + [IKLP06] as GMW Compiler • With ZK proof replaced with cut-and-choose technique. • Our presentation doesn’t need the notion of defensible OT.

  17. Our Compiler - 2 • Has two modules • Comp: boost receiver-side security (for string) • OT-Reversal [WW06]: reverse the role of sender and receiver (for bit) • Our Compiler (security against sender / receiver): Starting protocol: semi-honest / semi-honest → Apply Comp: semi-honest / malicious → Apply OT-Reversal: malicious / semi-honest → Apply Comp: malicious / malicious • Diagram annotations: [H08]: Commit input & randomness at the outset; [IKLP06]: Parallel executions; the diagram also carries "defensible" labels alongside these steps.

  18. Outline • Motivation • Our Work • Our Compiler • Comp

  19. Comp(Π) • I. Run coin-tossing in the well using FCOM to fix R’s input & rand for Phase II. [H08] • II. Run 2n executions of Π in parallel w/ R using input & rand generated in Phase I. • III. R opens commitments in Phase I for n random OT execs. [IKLP06] Cut & Choose • IV. Apply combiner to the rest of n executions.

  20. UC Security in Comp • Straight-line simulation • Extract receiver’s input in a straight-line manner w/ info from Phase I.

  21. Adaptively Secure OT - Simulator • [Diagram: Sender with input (s0, s1), Receiver with input r; messages m1, m2, m3; Receiver's output s_r. Timeline: No Corruption, then Corrupt Sender.] • Upon corruption, Sim has to patch rand for S consistent w/ the transcript & the given input

  22. Simulation in Comp – Achieving Adaptive Security • Extract R’s input & rand. in Phase I w/ FCOM • For the i-th OT execution Π_i: • Run the simulator for Π_i (SIM_i) as long as R behaves consistently w/ the commitments. • Inconsistent R: “corrupt S” on SIM_i (input & rand of S in Π_i is fixed). Follow the spec. of Π w/ this fixed info. • Patching S’s overall rand. • If R behaved honestly in some Π_j, can patch using SIM_j: with high probability there is at least one such j. • Use adaptive security of Π: • Guaranteed as long as R behaves honestly

  23. Conclusion • Compiler: UC, adaptive semi-honest bit OT → UC, adaptive malicious string OT in FCOM hybrid • Adaptively secure MPC: UC in FCOM hybrid / stand-alone - allowing corruption of any number of parties - allowing corruption of n-1 parties in constant-round MPC • String OT: stand-alone, adaptive constant-round malicious string OT

  24. Thank you
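
An added example, not from the slides or the authors' paper: a Python sketch of the cut-and-choose check in Phases I to III of Comp (slide 19), together with the chance that a receiver who deviates in k of the 2n executions survives the opening of n of them. The function `receiver_msg`, the in-memory model of FCOM, and the consistency check by recomputation are assumptions made for illustration; the Phase IV combiner is not modelled.

```python
import hashlib
import random
from math import comb

def receiver_msg(inp: int, rand: bytes) -> bytes:
    # Hypothetical stand-in for R's message in one execution of Π: any
    # deterministic function of R's input and randomness suits this check.
    return hashlib.sha256(bytes([inp]) + rand).digest()

def run_comp_check(n: int, cheat_idx: set, rng: random.Random):
    """Phases I-III over 2n executions; returns (accepted, unopened indices)."""
    # Phase I: FCOM fixes R's (input, rand) per execution (ideal store here).
    committed = [(rng.randrange(2), rng.getrandbits(128).to_bytes(16, "big"))
                 for _ in range(2 * n)]
    # Phase II: R sends its messages; in cheat_idx it deviates from Phase I.
    msgs = [receiver_msg(inp ^ (i in cheat_idx), rand)
            for i, (inp, rand) in enumerate(committed)]
    # Phase III: n random executions are opened and re-derived (assumed check).
    opened = set(rng.sample(range(2 * n), n))
    accepted = all(receiver_msg(*committed[i]) == msgs[i] for i in opened)
    # The unopened executions are what Phase IV's combiner would receive.
    return accepted, sorted(set(range(2 * n)) - opened)

def escape_probability(n: int, k: int) -> float:
    """Chance that k deviating executions all fall outside the n opened ones."""
    return comb(2 * n - k, n) / comb(2 * n, n)

def estimate_escape(n: int, k: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo estimate of the same probability using run_comp_check."""
    rng = random.Random(seed)
    hits = sum(run_comp_check(n, set(range(k)), rng)[0] for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    for k in (1, 4, 8):
        print(k, escape_probability(8, k), estimate_escape(8, k, 5000))
```

For n = 8, a single deviating execution escapes the opening with probability 1/2, while eight escape with probability 1/12870, so a receiver that passes Phase III has, with high probability, behaved consistently in most of the unopened executions.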
