Round-Optimal Secure Two-Party Computation
Jonathan Katz, U. Maryland
Rafail Ostrovsky, U.C.L.A.
1/48
Motivation
• Round complexity is a central measure of protocol efficiency.
• Minimizing the number of rounds is often important in practice.
• Lower and upper bounds have deepened our understanding of various tasks…
For example…
• ZK [FS89, GO94, GK96a, GK96b, BLV03, etc.], NIZK [BFM88, etc.], WI [FS89, DN00, BOV03]
• Concurrent ZK [DNS98, KPR01, CKPR01, PRS02]
• Commitment, identification schemes, …
• …
• 2-party and multi-party computation [BMR90, IK00, GIKR01, L01, KOS03, etc.]
This work
• We concentrate on secure two-party computation
• Encompasses many functionalities of independent interest (e.g., ZK)
• Important “special case” of MPC without honest majority
• Interestingly, the exact round complexity of 2PC was not previously known!
This work (1)
• We exactly characterize the black-box round complexity of secure 2PC!
• THM1: Impossibility result for any black-box 4-round coin-tossing (also XOR, other functionalities…)
This work (2)
• THM2: 5-round secure 2PC protocol for any functionality, based on trapdoor perms* (e.g., RSA, Rabin) or homomorphic encryption (e.g., DDH).
This work (3)
• THM3: 5-round secure 2PC protocol secure against an adaptive adversary corrupting any one party, without erasure.
Prior work (2PC)
• Honest-but-curious setting
  • 4 rounds using trapdoor perms. [Yao86]
  • 3 rounds using number-theoretic assumptions (optimal) [Folklore]
• Malicious case
  • “Compiler” for any protocol secure in the honest-but-curious setting [GMW87]
  • Round complexity?
Round complexity of 2PC?
• Upper bounds
  • O(k) rounds [GMW87]
  • O(1) rounds [Lindell01]: unspecified, but roughly 20-30 rounds
• Lower bounds (black-box)
  • No 3-round ZK [GK96]
  • No 3-round coin-tossing [Lindell01]
Security definition
• We use the standard definitions of [GMW87, GL90, MR91, Ca00]
Theorem 1
• No secure (black-box) 4-round protocol for flipping ω(log k) coins
• This rules out 4-round protocols for other functionalities as well (e.g., XOR)
• (Note: 3-round protocols for O(log k) coins do exist [Bl82, GMW87])
• Details: see paper!
THM2: A 5-round protocol for secure two-party computation (for malicious adversary)
We construct a 5-round protocol where we “force” good behavior on both sides and can “simulate” the malicious Adv view from both sides…
Somewhat easier task
• [folklore]: k-round protocol with one player learning the output ⇒ (k+1)-round protocol with both players learning the outputs
  • the output in the k-th round includes an encrypted and MAC’ed output for the other player.
• SO: we need a 4-round protocol where, say, player 1 gets the output.
Observation
It suffices to consider deterministic functionalities.
Rest of the talk: we show a 4-round protocol tolerating malicious players where player 1 learns the output.
Rest of the talk
• 3-round protocol for semi-honest players
• Background tools
• Some of our new techniques
• Our 4-round protocol (if time permits)
• Proof of security (if time permits)
• Modifications needed for dynamic Adv.
• Conclusions.
Recall: 1-2-OT [EGL]
• Sender has (v_0, v_1);
• Receiver has b.
1-2-OT:
• Receiver gets v_b
• Sender gets nothing
Semi-honest 1-2-OT [EGL, GMW]
• S: generate trapdoor perm. (f, f^{-1}); send f
• R: y_b = f(z_b), y_{1-b} random; send (y_0, y_1)
• S: send u_i = h(f^{-1}(y_i)) ⊕ v_i, for i = 0, 1
• R computes v_b = h(z_b) ⊕ u_b
Note: extends easily to strings in the semi-honest setting
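The [EGL, GMW] semi-honest OT above, instantiated with RSA as the trapdoor permutation f and RSA's least-significant-bit hard-core predicate as h. This is an added example, not the authors' code; the tiny primes are constructed for illustration only, and `run_ot` simply chains the receiver and sender steps in the order the slide lists them.

```python
# Semi-honest 1-out-of-2 OT of [EGL, GMW] on top of an RSA trapdoor permutation.
import secrets

# Constructed toy RSA key (tiny primes for illustration; real OT needs 2048-bit moduli).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # trapdoor, known only to the sender


def f(z):
    # trapdoor permutation f(z) = z^e mod N; anyone holding (N, e) can evaluate it
    return pow(z, E, N)


def f_inv(y):
    # f^{-1}(y) = y^d mod N; only the sender can compute this
    return pow(y, D, N)


def h(z):
    # hard-core bit of RSA: the least significant bit of the preimage
    return z & 1


def receiver_round1(b):
    # y_b = f(z_b) for a random z_b the receiver keeps; y_{1-b} is a random
    # element of Z_N whose preimage the receiver does not know
    z = secrets.randbelow(N - 1) + 1
    y = [0, 0]
    y[b] = f(z)
    y[1 - b] = secrets.randbelow(N - 1) + 1
    return z, y


def sender_round2(v, y):
    # u_i = h(f^{-1}(y_i)) XOR v_i for i = 0, 1; both y's look alike to the sender,
    # so the sender learns nothing about b
    return [h(f_inv(y[i])) ^ v[i] for i in (0, 1)]


def receiver_output(b, z, u):
    # v_b = h(z_b) XOR u_b; u_{1-b} is masked by a hard-core bit of an unknown preimage
    return h(z) ^ u[b]


def run_ot(v, b):
    z, y = receiver_round1(b)
    u = sender_round2(v, y)
    return receiver_output(b, z, u)
```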
Yao’s “garbled circuit”
• Algorithms (Y1, Y2) s.t.:
  • Y1(y) outputs “circuit” C, input-wire labels {Z_{i,b}}
  • [C “represents” F(·, y)]
  • Y2(C, Z_{1,x_1}, …, Z_{k,x_k}) outputs v
Correctness: v = F(x, y)
3-round semi-honest 2PC
• Player 2 sends Yao’s C, f for OT
• Player 1 sends OT pairs {(y_{i,0}, y_{i,1})}
• Player 2 sends {(u_{i,0}, u_{i,1})} to Player 1.
Player 1 recovers v.
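The (Y1, Y2) pair from the previous slide and the flow of the 3-round protocol, worked out for a single two-input gate with point-and-permute row selection. This is an added example, not the authors' code: the label encryption via SHA-256 is an assumption of the example, and the OT step is replaced by handing Player 1 its label Z_{x} directly, since the OT itself is shown separately above.

```python
# Yao's garbled gate: Y1 garbles, Y2 evaluates; P2 runs Y1(y), P1 runs Y2 with the
# single input-wire label it obtained through OT.
import hashlib
import secrets


def new_wire():
    # two 16-byte labels whose last bits ("select bits") are opposite, so the
    # evaluator can pick the right table row without learning the wire value
    l0 = bytearray(secrets.token_bytes(16))
    l1 = bytearray(secrets.token_bytes(16))
    l1[-1] = (l1[-1] & 0xFE) | ((l0[-1] & 1) ^ 1)
    return [bytes(l0), bytes(l1)]


def sel(label):
    return label[-1] & 1


def enc(ka, kb, m):
    # one-time pad derived from the two input labels (assumed KDF, SHA-256)
    pad = hashlib.sha256(ka + kb).digest()[:len(m)]
    return bytes(a ^ b for a, b in zip(pad, m))


def Y1(gate, y):
    # gate is a truth table gate[x][y]; returns C = (rows, output map, P2's own label)
    # representing F(., y), plus P1's input-wire labels Z = [Z_0, Z_1]
    wx, wy, wout = new_wire(), new_wire(), new_wire()
    rows = [None] * 4
    for x in (0, 1):
        for yy in (0, 1):
            rows[2 * sel(wx[x]) + sel(wy[yy])] = enc(wx[x], wy[yy], wout[gate[x][yy]])
    out_map = {wout[0]: 0, wout[1]: 1}
    return (rows, out_map, wy[y]), wx


def Y2(C, zx):
    # evaluator knows one label per wire; select bits name the one decryptable row
    rows, out_map, zy = C
    return out_map[enc(zx, zy, rows[2 * sel(zx) + sel(zy)])]


AND = [[0, 0], [0, 1]]
XOR = [[0, 1], [1, 0]]


def evaluate(gate, x, y):
    # round 1: P2 sends C; rounds 2-3 (OT, elided here): P1 obtains Z_{x}; P1 runs Y2
    C, Z = Y1(gate, y)
    return Y2(C, Z[x])
```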
Malicious 2PC?
• Standard method [GMW87] increases round complexity:
  • Coin tossing into the well to fix random tapes of players;
  • Players commit to their inputs;
  • ZK arguments of correctness after every round;
⇒ High round complexity of compilation
Malicious 2PC in 4 rounds
• Our goal: do everything in 4 rounds (player 1 gets the output), forcing “good” behavior from both sides!
• Intuition: do everything “as early as possible”, but things “don’t fit”: we need new tricks to cram it all in.
• Surprise: we must “delay” proofs to make it work.
Reminder: 3-round WI proofs [FS]
P claims that graph G has a HC
• P→V: commit to n cycle graphs C_1..C_n
• V→P: random n-bit string Q
• P→V: for each bit of Q, either
  • open entire matrix C_i, OR
  • show a permutation of G onto C_i and open the non-edges of G in C_i.
Observation
• Graph G can be determined in the last round.
• IF G is determined in the 1st round, this is a WI proof of knowledge
• IF G is determined in the 3rd round, this is only a WI proof, but it is still sound!
Next: [FS] 4-round ZK
• Q: can we get a similar result for the [FS] 4-round ZK argument?
[FS] 4-round ZK argument
2 interleaved WI proofs:
• V→P: gives y_1, y_2 s.t. f(a_1) = y_1, f(a_2) = y_2, and a WI proof of this fact (3 rounds)
• P→V: WI proof of a witness w that x is in L or w is one of the a’s (starting in the 2nd round).
Total of 4 rounds. Proof of knowledge; also ZK.
New FS properties needed:
• Observation: in FS, the prover needs to determine the statement in the second round.
• Goal: to defer parts of the statement to the last (4th) round.
Previous ideas are not sufficient…
Technical lemma: we extend [FS] to FS’ so that:
• FS’ is a 4-round zero-knowledge argument where statements can be “postponed”.
• FS’ defines conjunctive parts of the statement in the second round (with knowledge extraction) and part of the statement in the 4th round (without extraction, but still sound!)
• It is of independent interest (requires equivocal commitment, some other tools)
OUR PROTOCOL: PROOF FLOWS
Simulation on both sides? We need more tools…
• Malicious player 2 gains nothing by using a non-random tape in Yao.
• Player 1 cannot freely choose his random tape, but full-blown coin-tossing is not necessary (i.e., we don’t need simulatability on both sides)
• Player 2 has to commit to Yao’s garbled circuit in round 2, but the simulator needs to open it arbitrarily, so use an equivocal commitment.
Equivocal commitments
• (Informal): in a real execution, the sender is committed to a single value; in the simulation, it can open arbitrarily
• Construction: Equiv(b) = Com(b_0), Com’(b_1) + ZK argument that b_0 = b_1; open by opening either b_0 or b_1
• Can “fold” the ZK argument into the larger statement already used in the 4th round of FS’
And now… the 4-round protocol… (only 4 slides, 1 msg per slide)
Round 1: P1(x) → P2(y)
• P1 commits to {(r_{i,0}, r_{i,1})} (random);
• starts a 3-round WI PoK of either r_{i,0} or r_{i,1};
• starts FS’ (round 1) (statement TBA by P2, partly in round 2, partly in round 4)
Round 2: P1(x) ← P2(y)
• P2 sends the challenge for the WI PoK
• P2 sends trapdoor perms {f_{i,b}} for OT, and random values {r’_{i,b}};
• P2 commits to input-wire labels for Yao
• Equiv. commitment to Yao’s garbled C(y);
• FS’ (round 2) (proving correctness as part of the statement), part to be determined now, part in the fourth round
Round 3: P1(x) → P2(y)
• For each bit i of input x, set (for OT):
  • y_{i,x_i} = f_{i,x_i}(z);
  • y_{i,1-x_i} = r_{i,1-x_i} ⊕ r’_{i,1-x_i};
• WI PoK (final round 3), where the statement includes the fact that one of the y’s is correctly computed for each i.
• FS’ (round 3)
Round 4: P1(x) ← P2(y)
• Complete OT (i.e., P2 inverts the f’s and XORs with Yao’s input-wire labels), sends these to P1
• FS’ final (4th) round, where P2 proves correctness of all its steps, including the OT of this round.
• P2 decommits the equivocal commitment to Yao’s circuit, so that P1 can compute!
SIMULATION FOR CHEATING P2
Simulating the view of ADV-P2 interacting with SIM1
Round 1: SIM → ADV-P2
• SIM commits to {(r_{i,0}, r_{i,1})} (random);
• starts a 3-round WI PoK of either r_{i,0} or r_{i,1};
• starts FS’ (round 1) (statement TBA by P2, partly in round 2, partly in round 4)
Easy to simulate; we don’t need to know x.
Round 2: SIM ← ADV-P2
• Sends whatever it wants to SIM
Round 3: SIM → ADV-P2
• For each bit i of input x, set (for OT):
  • y_{i,x_i} = r_{i,x_i} ⊕ r’_{i,x_i};
  • y_{i,1-x_i} = r_{i,1-x_i} ⊕ r’_{i,1-x_i};
• PoK (final round 3) is easy, since it’s a true statement for the simulator.
• FS’ (round 3) (play honestly)
Round 4: SIM ← ADV-P2
• Sends whatever it wants.
• If all valid, we rewind and extract y (using the fact that the commitment in the second-round message is a proof of knowledge, so we can extract)
• Now, send y to the trusted party and we are done; player 1 gets his output.
SIMULATION FOR CHEATING P1
(simulating the view of ADV-P1 interacting with SIM2)
Round 1: ADV-P1 → SIM
• Sends whatever it wants
Round 2: ADV-P1 ← SIM
• SIM sends to P1 trapdoor perms {f_{i,b}} for OT, and random values {r’_{i,b}}, as before
• SIM commits to garbage (instead of the input-wire labels for Yao)
• SIM makes an equiv. commitment to garbage (instead of Yao’s garbled C(y))
• For FS’ (round 2), use the ZK simulator (proving correctness as part of the statement), part to be determined now, part in the fourth round
Round 3: ADV-P1 → SIM
• Adv sends whatever it wants
Round 4: ADV-P1 ← SIM
• If all proofs in the 3rd round are OK, rewind and extract half of the r’s from the first round
• After extraction, SIM can get ADV-P1’s OT input values; this defines his input x.
• Send x to the trusted party, get the output. (cont. on next slide)
Round 4 (cont.): ADV-P1 ← SIM
• Now, simulate Yao’s circuit, decommit the equivocal commitment to Yao’s circuit as needed, and prepare the OT answers as needed.
• Continue using the ZK simulator for FS’