Two-Round Adaptively Secure Protocols from Standard Assumptions. Fabrice Benhamouda (IBM), Huijia (Rachel) Lin (UCSB), Antigoni Polychroniadou (Cornell Tech), Muthuramakrishnan Venkitasubramaniam (University of Rochester).
UC Secure Multi-Party Computation: f(x1, x2, x3, x4) = (y1, y2, y3, y4) • Goal: • Correctness: Everyone computes f(x1,…,x4) • Security: Nothing else but the output is revealed • Adversary: PPT, malicious, adaptive
Static vs. Adaptive Adversaries • Static corruption: corrupt only at the onset of π • Adaptive corruption: corrupt adaptively during the execution of π
Static vs. Adaptive Adversaries • Dealer secret-shares s among O(√n) random parties and publishes the set of such parties, s = (s1, s2) • Static vs. Adaptive: Learns s
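The committee example on the slide above, as an added simulation that is not part of the talk: with a budget of √n corruptions, a static adversary must choose its parties before the committee is drawn, while an adaptive one reads the published set first. XOR sharing, n = 400, and all function names are assumptions made for this sketch.

```python
import math
import random
from functools import reduce

def xor_all(values, start=0):
    return reduce(lambda a, b: a ^ b, values, start)

def deal(secret, n, rng):
    """Dealer: XOR-share `secret` among sqrt(n) random parties, publish the set."""
    k = math.isqrt(n)
    committee = rng.sample(range(n), k)
    shares = [rng.getrandbits(32) for _ in range(k - 1)]
    shares.append(xor_all(shares, secret))  # all k shares XOR back to secret
    return committee, dict(zip(committee, shares))

def adversary_output(corrupted, committee, shares):
    """Secret as seen by the adversary, or None if a committee member is honest."""
    if not set(committee) <= set(corrupted):
        return None
    return xor_all(shares[p] for p in committee)

def run_trials(n=400, trials=500, seed=1):
    """Count how often each adversary learns s with a budget of sqrt(n) corruptions."""
    rng = random.Random(seed)  # seeded simulation; a real dealer needs a CSPRNG
    budget = math.isqrt(n)
    static_wins = adaptive_wins = 0
    for _ in range(trials):
        secret = rng.getrandbits(32)
        # Static: the corrupted set is fixed before the committee is drawn.
        static_set = rng.sample(range(n), budget)
        committee, shares = deal(secret, n, rng)
        # Adaptive: corrupt after reading the published committee.
        adaptive_set = committee[:budget]
        static_wins += adversary_output(static_set, committee, shares) == secret
        adaptive_wins += adversary_output(adaptive_set, committee, shares) == secret
    return static_wins, adaptive_wins

if __name__ == "__main__":
    print(run_trials())
```

The static adversary wins only if its guess equals the whole committee, which happens with probability 1/C(400, 20); the adaptive adversary wins in every trial.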
Adaptive Corruption of all parties: Crucial in the composition of protocols. • If the adversary corrupts all m parties in πinner, where m < n, security of πouter should still hold. • n-party protocol πouter • m-party protocol πinner
Adaptive vs. Semi-Adaptive Adversaries • Semi-adaptive corruption: static corruption of one party and adaptive corruption of the other party
State-of-the-art for Malicious MPC In the CRS model • Partial solutions for constant-round adaptive protocols: • Using Indist. Obf. [GP15, DKR15, CGP15]
Our Goal 2-round adaptive MPC From standard assumptions 2-round adaptive OT
Our Results • Theorem (informal): O(1)-round malicious adaptive MPC + 2-round malicious adaptive OT ⇒ 2-round malicious adaptive UC MPC • Corollary (informal): LWE/QR/DDH ⇒ 2-round malicious adaptive UC OT; LWE/QR/DDH ⇒ 2-round malicious adaptive UC MPC
Tools for Static 2-round MPC [BL18] Arbitrary round static MPC Garbled circuits Arbitrary round malicious static MPC 2-round malicious static OT NIZK
Tools for Adaptive 2-round MPC Equivocal Garbled circuits Constant round malicious adaptive MPC 2-round malicious adaptive OT ? 3-round adaptive malicious MPC from DDH [ABP17] 2-round adaptive malicious OT from iO [GP15]
Adaptive 2-round Oblivious Transfer 2-round malicious adaptive OT 3 2 2-round semi-adaptive malicious OT 2-round sender-semi-adaptive malicious OT 1 This talk sender & receiver oblivious sampleability 2-round static malicious OT with: LWE/QR/DDH
2-round Sender-semi-adaptive Malicious OT • Theorem (informal): UC static malicious OT with sender oblivious sampleability ⇒ sender-semi-adaptive malicious UC OT
Definition: 2-round OT • Sender S holds m0, m1; receiver R holds b • R → S: OT1(b) • S → R: OT2(m0, m1) • R outputs mb • Goal: • The Sender should not learn b • The Receiver should not learn m1-b
2-round Sender-semi-adaptive Malicious OT Building block: Let OT = (OT1, OT2) be a UC static malicious OT m0,m1 b R S OT1(b) OT2(m0,m1)
2-round Sender-semi-adaptive Malicious OT Building block: Let OT = (OT1, OT2) be a UC static malicious OT m0,m1 b R S OT1(b) Sim OT2(mb) Problem: Not possible to explain OT2 for m1-b
2-round Sender-semi-adaptive Malicious OT Building block: Let OT = (OT1, OT2) be a UC static malicious OT with Sender Sampleability m0,m1 b=0 R S OT1(b) Sim OT2(m0,0) OT2(m0,1) Problem: Not possible to obliviously sample one-out-of-two OT2 wrt. m0 in the real world
2-round Sender-semi-adaptive Malicious OT Building block: Let OT = (OT1, OT2) be a UC static malicious OT with Sender Sampleability m0,m1 b=0 R S OT1(b) OT2($,m1) OT2(m0,$) OT2(.) OT2(.)
2-round Sender-semi-adaptive Malicious OT Building block: Let OT = (OT1, OT2) be a UC static malicious OT with Sender Sampleability m0,m1 b=0 R S OT1(b) Sim OT2(m0,$) OT2($,0) OT2($,1) OT2(.)
2-round Sender-semi-adaptive Malicious OT Building block: Let OT = (OT1, OT2) be a UC static malicious OT with Sender Sampleability m0,m1 b=0 R S OT1(b) OT2(m0,$) OT2($,m1) OT2(.) OT2(.) Problem with correctness: Which OT output is the right one?
2-round Sender-semi-adaptive Malicious OT Building block: Let OT = (OT1, OT2) be a UC static malicious OT with Sender Sampleability m0,m1 b=0 R S OT1(b) OT2($,rm1) OT2(rm0,$) OT2(.) rm0, rm1 OT2(.)
Adaptive 2-round Oblivious Transfer 2-round malicious adaptive OT 3 2 2-round semi-adaptive malicious OT This talk 2-round sender-semi-adaptive malicious OT 1 sender & receiver oblivious sampleability 2-round static malicious OT with: LWE/QR/DDH
Adaptive 2-round Oblivious Transfer Hash proof systems with projection key oblivious sampleability 2-round malicious adaptive OT 3 Encryption scheme with ciphertext oblivious sampleability 2 2-round semi-adaptive malicious OT This talk 2-round sender-semi-adaptive malicious OT 1 sender & receiver oblivious sampleability 2-round static malicious OT with: LWE/QR/DDH
Adaptive 2-round Oblivious Transfer Equivocal garbled circuits 2-round malicious adaptive OT 3 2 2-round semi-adaptive malicious OT 2-round sender-semi-adaptive malicious OT with oblivious sampleability This talk 2-round sender-semi-adaptive malicious OT 1 sender & receiver oblivious sampleability Non-interactive equivocal commitment 2-round static malicious OT with: LWE/QR/DDH
Adaptive 2-round Oblivious Transfer 2-round malicious adaptive OT 3 2 2-round semi-adaptive malicious OT 2-round semi-adaptive malicious OT This talk 2-round sender-semi-adaptive malicious OT 1 Augmented non-committing encryption sender & receiver oblivious sampleability 2-round static malicious OT with: LWE/QR/DDH
Our Results 2-round adaptive MPC From standard assumptions 2-round adaptive OT LWE/QR/DDH 2-round malicious adaptive UC OT LWE/QR/DDH 2-round malicious adaptive UC MPC
Open Problems • Efficient adaptive 2-round MPC • Adaptive Laconic Function evaluation • 4-round adaptive MPC in the plain model
Transformation 3 Tools 2-round malicious adaptive OT 3 2-round semi-adaptive malicious OT Augmented non-committing encryption
2-round Malicious Adaptive OT m0,m1 b R S OT2(b) pk0,pk1 OT2(m0+r0) OT2(m1+r1) NCE(pk0,r0) OT2(pk1,r1)