320 likes | 449 Views
Efficient Two-Party Secure Computation on Committed Inputs. Stanislaw Jarecki , UC Irvine Vitaly Shmatikov, UT Austin. Our Contributions. Committed Oblivious Transfer of Bitstrings [String-COT] O(1) modular exponentiations per player
E N D
Efficient Two-Party Secure Computation on Committed Inputs Stanislaw Jarecki, UC Irvine Vitaly Shmatikov, UT Austin
Our Contributions • Committed Oblivious Transfer of Bitstrings [String-COT] • O(1) modular exponentiations per player • 2 rounds + proofs (single message in R.O.M. if commitments public) • Universally Composable in Common Reference String [CRS] model • Secure Two-Party Computation [2PC] on Committed Inputs • O(g) modular exponentiations, where g = # gates in the circuit • round complexity, UC in CRS, as above Technical Contribution of General Interest: • Encryption with Verifiable Plaintexts and Keys, i.e.: Encryption with efficient Zero-Knowledge Proof for relation: {(E, Cm, Ck) s.t. E encrypts m committed in Cm under key k committed in Ck}
Our Contributions • Committed Oblivious Transfer ofBitstrings [String-COT] • O(1) modular exponentiations per player • 2 rounds + proofs (single message in R.O.M. if commitments public) • Universally Composable in Common Reference String [CRS] model • Secure Two-Party Computation [2PC] on Committed Inputs • O(g) modular exponentiations, where g = # gates in the circuit • round complexity, UC in CRS, as above Main Technical Contribution of General Interest: • Encryption with Verifiable Plaintexts and Keys, i.e.: Encryption with efficient Zero-Knowledge Proof for relation: {(E, Cm, Ck) s.t. E encrypts m committed in Cm under key k committed in Ck} Contribution for both COT and 2PC is inefficiency. (and provable universal composability of an efficient construction) Quick comparison of constant-round 2PC protocols: Yao’86:O(g) symmetric-key operations,passive adv. Yao + Generic ZKP’s: poly(k,g) operations,malicious adv. [P’03,MF’06,KS’06,LP’07,W’07] Cut & Choose Proofs: O(kg) symmetric-key ops., malicious adv. [Here]:Efficient ZKP per gate: O(g) public-key operations, malicious adv.
Our Contributions • Committed Oblivious Transfer of Bitstrings [String-COT] • O(1) modular exponentiations per player • 2 rounds + proofs (single message in R.O.M. if commitments public) • Universally Composable in Common Reference String [CRS] model • Secure Two-Party Computation [2PC] on Committed Inputs • O(g) modular exponentiations, where g = # gates in the circuit • round complexity, UC in CRS, as above Main Technical Contribution of General Interest: • Encryption with Verifiable Plaintexts and Keys, i.e.: Encryption with efficient Zero-Knowledge Proof for relation: {(E, Cm, Ck) s.t. E encrypts m committed in Cm under key k committed in Ck} Contribution for both COT and 2PC is in efficiency. (and provable universal composability of an efficient construction) Quick comparison of constant-round 2PC protocols: Yao’86:O(g) symmetric-key operations,passive adv. Yao + Generic ZKP’s: poly(k,g) operations,malicious adv. [P’03,MF’06,KS’06,LP’07,W’07] Cut & Choose Proofs: O(kg) symmetric-key ops., malicious adv. [Here]:Efficient ZKP per gate: O(g) public-key operations, malicious adv.
Talk Outline • Overview of the results: • Committed Oblivious Transfer on Strings • General Secure Two-Party Computation on Committed Inputs • Applications • Committed Secure Computation • Committed String-OT • Comparison with previous results • Technical Discussion: Public Key Encryption with Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key • Extensions, Open Questions
Universally Composable Secure Two-Party Computation on Committed Inputs: Definition Picture
Commit(xB2) Commit(xA1) Commit(xA2) Commit(xB1) Universally Composable Secure Two-Party Computation on Committed Inputs Public Board Alice CA1 (xA1) CA2 (xA2) Bob CB1 (xB1) CB2 (xB2) Commitment properties: Binding: xi’s cannot be substituted after Ci is sent Hiding: xi’s remain hidden from other players (Can be implemented e.g. with Public Key Encryption)
Commit(xA1) Commit(xA2) Commit(xB1) Commit(xB2) Universally Composable Secure Two-Party Computation on Committed Inputs Public Board Alice CA1 (xA1) CA2 CA2 (xA2) Bob CB1 (xB1) CB2 (xB2) Non-Malleable [NM] Commitments: Bob’s messages cannot depend on Alice’s messages (can be done with CCA-Secure Encryption, in CRS)
Universally Composable Secure Two-Party Computation on Committed Inputs Public Board Alice Compute( [ ] with Bob,CA1,CB1) (xA1) (xA2) F(xA1,xB1) Bob (xB1) F(xA1,xB1) (xB2) xA1 xB1 • Properties of 2P Secure Computation (Obl.Circ.Eval.) on Committed Inputs: • Bob learns only output F(xA,xB), nothing else about Alice’s input xA • Alice learns nothing • values xA, xB in the computation are committed in CA, CB
Compute( [ ] with Alice) Universally Composable Secure Two-Party Computation on Committed Inputs Public Board Alice Compute( [ ] with Bob) (xA1) (xA2) F(xA1,xB1) Bob (xB1) F(xA1,xB1) (xB2) • Properties of 2P Secure Computation (Obl.Circ.Eval.) on Committed Inputs: • Bob learns only output F(xA,xB), nothing else about Alice’s input xA • Alice learns nothing • values xA, xB in the computation are committed in CA, CB => Two-sided computation on same inputs (with abort)
Benefit of computation on committed inputs: • Ensuring consistency between computations of several circuits on same data Universally Composable Secure Two-Party Computation on Committed Inputs Alice Compute( [ ]) (xA1) (xA2) Compute( [ ]) Compute( [ ]) Compute( [ ]) Bob (xB1) (xB2) Examples of circuits: = Equality(xA,xB): outputs 1 if xA = xB, 0 otherwise = `Less or Equal’(xA,xB): outputs 1 if integer xA ≤ xB, 0 o/w = F(xA,xB) = intersection of sets represented by xA,xB = F(xA,xB) = median value in the union of sets It can be any circuit !!
Commit(xD1) Compute( [ ] with Alice) F(xA1,xB1) F(xD1,xB1) Consistency Across Protocol Instances Ex.1: Multi-Player Example Alice (xA1) Bob (xB1) Compute( [ ] with Dorothy) Dorothy (xD1)
Commit(xA3) Compute( [ ] w/ Alice) Compute( [ ] with Alice) F(xA1,xA3,xB1) xA1 xA3 xB1 Consistency Across Protocol Instances: Ex.2: Security with some local computation off-line F(xA1,xB1) Alice (xA1) xA3 = output of Alice’s local computation given F(xA1,xB1) (xA3) Bob (xB1) • General Benefit of UC Committed 2PC: • Ensuring consistency between sub-protocols in any distributed algorithm • Some computation can be local (“insecure” but fast), while commitments keep the overall protocol consistent
Consistency Across Protocol Instances: Ex.3: Solution to the “Abort & Re-start” Problem Protocols that use 2PC / OT without committed inputs can be insecure against abort & re-start: A malicious player can effectively execute several instances of the protocol, each on different inputs. In practice protocols must allow re-start in case of communication or hardware faults…
Talk Outline • Statement of the results: • Committed Oblivious Transfer on Strings • General Secure Two-Party Computation on Committed Inputs • Applications • Committed Secure Computation • Committed String-OT • Comparison with previous results • Technical Discussion: Public Key Encryption with Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key • Extensions, Open Questions
Commitments Cb , (Cm0 , Cm1) Common Input: Alice: bit b Bob: strings m0,m1 mb ┴ Universally Composable Committed String-OT UC String-COT is like UC two-party secure computation but the only computed function is String-OT Crepeau’86 introduced COT s.t. Alice gets (de) commitment of Cb, not just mb (our construction can support this too) • Alice learns mb s.t. • mbis committed in Cmb • bis committed in Cb • Alice learns nothing about mb • Bob learns nothing
Applications of Committed String-OT (Ex.1):Ensuring Consistency across Calls to OT OT is a sub-procedure in General Secure Computation Protocols [the original motivation for Committed OT by Crepeau] • Interactive Secure 2-Party Computation [GV’87]: • Players secret-share all their input bits • Gate computation (shared input bits → shared output bit) via Bit-OT Tool: Committed Bit-OT • 2-round Secure 2-Party Computation (“Garbled Circuit” [Yao’86]): • Sender S creates two keys per each wire • For each gate, S encrypts appropriate output wire keys with appropriate input wire keys • S performs String-OT on keys corresponding to R’s input wires Tool: Committed String-OT
Applications of Committed String-OT (Ex.2):Privacy, E-Cash, Escrow, … 1. Privacy applications: • oblivious transfer of one key out of a set of keys • same for signatures, decryptions, … 2. Support for probabilistic systems: • probabilistic escrow of information (keys, signatures, plaintexts) • probabilistic payment of digital cash • … What’s needed in such applications? • OT on values with proven properties (key, coin, signature, …) Done in 2 steps: • perform an OT on the committed string value (e.g. a key) • prove correctness of the committed value (efficient proofs for such statements exist for many cryptographic schemes)
Talk Outline • Statement of the results: • Committed Oblivious Transfer on Strings • General Secure Two-Party Computation on Committed Inputs • Applications of Committed Secure Computation / Committed String-OT • Comparisons with previous results on COT and 2PC • Technical Discussion: Public Key Encryption with Efficient Zero-Knowledge Proof for Verifiability of both Plaintexts and Keys • Extensions, Open Questions
Our Contributions vs. Previous Work:(1) Committed OT on Bitstrings • O(1) modular exponentiations per player • exponentiations modulo n2 where n is a strong RSA modulus, |n2| = 2000 bits • 500-bit exponents • Round complexity: 2 rounds + proofs (e.g. one/two rounds in R.O.M.) • Security under Decisional Composite Residuosity Assumption [DCR] • Universal Composability in Common Reference String model [CRS] • static adversary • CRS includes modulus n and a few group elements, |CRS| ≈ 10 |n| Towards efficient String-COT: [NP’00, AIR’01] String-OT O(1) exp’s, DDH Assumption [Cre’89] Bit/String-COT Ω(k3) Bit/String-OT’s [CvdGT’95] Bit-COT Ω(k) Bit-OT’s [GMY’04] Bit-COT O(1) exp’s, DDH [CC’00] String-COT O(k) exp’s, DDH [Here]String-COTO(1) exp’s, DCR
Our Contributions vs. Previous Work:(2) Secure 2PC on Committed Inputs • Security under DCR and Strong RSA Assumptions • O(g) modular exponentiations, where g = # gates in the Circuit • Round complexity: 2 rounds + proofs (e.g. one/two rounds in R.O.M.) • Universal Composability in the CRS model Towards efficient constant-round Secure Two-Party Computation (2PC): Passive Security: • [Yao’86] O(g) symmetric-key op’s Malicious Security using ZKP’s for NP-complete languages: • [GMW,…,Lin’03,KO’04] poly(g, k) op’s Malicious Security without generic ZKP’s: • [DI’05], multi-party computation, O(n2 g) PRG’s + VSS’s • [CC’00], cut & choose gate-specific ZKP’s, O(kg) exp’s, DDH • [Pin’03, MF’06, KS’06, LP’07, W’07], cut & choose on the whole garbled circuit, O(kg) symmetric-key op’s • [Here], efficient gate-specific ZKP’s, O(g) exp’s, DCR + Strong RSA
Talk Outline • Statement of the results: • Committed Oblivious Transfer on Strings • General Secure Two-Party Computation on Committed Inputs • Applications of Committed Secure Computation / Committed String-OT • Comparison with previous results • Technical Discussion: Public Key Encryption with Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key • Extensions, Open Questions
k k k ,k ,k ,k 0 0 0 1 1 1 Invariant: z z z z z z G G For every wire w, Receiver R learns one key in {k ,k }, 0 1 w w k k k ,k ,k ,k k k k ,k ,k ,k 0 0 0 1 1 0 0 1 1 1 1 0 but doesn ’ t learn which one! v v v v v v w w w w w w Yao’s Garbled Circuit Construction 2. For each gate, S sends to R a table: 1. For each circuit wire w, Sender S picks a pair of keys º k “ bit 0 on wire w ” 0 • Strategy towards 2PC with O(1) exp’s / gate • S commits to each key • S proves circuit is properly garbled: • each ciphertext formed correctly • […other proofs…] • S performs String-COT for R’s input keys w º k “ bit 1 on wire w ” 1 w 3. For each R’s input wire, transfer the right key using String-OT: OT [ R(b) , S(k0,k1) ] → kb • Encryption of kz0 under keys kw0,kv0 • Encryption of kz0 under keys kw0,kv1 • Encryption of kz0 under keys kw1,kv0 • Encryption of kz1under keys kw1,kv1
k k k ,k ,k ,k 0 0 0 1 1 1 Invariant: z z z z z z G G For every wire w, Receiver R learns one key in {k ,k }, 0 1 w w k k k ,k ,k ,k k k k ,k ,k ,k 0 0 0 1 1 0 0 1 1 1 1 0 but doesn ’ t learn which one! v v v v v v w w w w w w Yao’s Garbled Circuit Construction Closer Look: Proof of ciphertext correctness 2. For each gate, S sends to R a table: 1. For each circuit wire w, Sender S picks a pair of keys º k “ bit 0 on wire w ” 0 • Strategy towards 2PC with O(1) exp’s / gate • S commits to each key • S proves circuit is properly garbled: • each ciphertext formed correctly • […other proofs…] • S performs String-COT for R’s input keys w º k “ bit 1 on wire w ” 1 w 3. For each R’s input wire, transfer the right key using String-OT: OT [ R(b) , S(k0,k1) ] → kb • Encryption of kz0 under keys kw0,kv0 • Encryption of kz0 under keys kw0,kv1 • Encryption of kz0 under keys kw1,kv0 • Encryption of kz1under keys kw1,kv1
Invariant: For every wire w, Receiver R learns one key in {k ,k }, 0 1 w w but doesn ’ t learn which one! Yao’s Garbled Circuit Construction Closer Look: Proof of ciphertext correctness 2. For each gate, S sends to R a table: 1. For each circuit wire w, Sender S picks a pair of keys º k “ bit 0 on wire w ” 0 • Strategy towards 2PC with O(1) exp’s / gate • S commits to each key • S proves circuit is properly garbled: • each ciphertext formed correctly • […other proofs…] • S performs String-COT for R’s input keys w º k “ bit 1 on wire w ” 1 w k k k ,k ,k ,k 0 0 0 1 1 1 z z z z z z G G k k k ,k ,k ,k k k k ,k ,k ,k 0 0 0 1 1 1 0 0 0 1 1 1 v v v v v v w w w w w w 3. For each R’s input wire, transfer the right key using String-OT: OT [ R(b) , S(k0,k1) ] → kb • Encryption of kz0 under keys kw0,kv0 • Encryption of kz0 under keys kw0,kv1 • Encryption of kz0 under keys kw1,kv0 • Encryption of kz1under keys kw1,kv1
Need Efficient ZKP for relation R = { (E, Cm, Ck) } s.t. 1. E = Enc [ m ; k ] 2. m is committed in Cm 3. k is committed in Ck Yao’s Garbled Circuit Construction Closer Look: Proof of ciphertext correctness Simplify to standard (one-key) encryption: º k “ bit 0 on wire w ” 0 w º k “ bit 1 on wire w ” 1 w k k k ,k ,k ,k 0 0 0 1 1 1 z z z z z z G G k k k ,k ,k ,k k k k ,k ,k ,k 0 0 0 1 1 1 0 0 0 1 1 1 v v v v v v w w w w w w • Encryption of kz0 under keys kw0,kv0
Need Efficient ZKP for relation R = { (E, Cm, Ck) } s.t. 1. E = Enc [ m ; k ] 2. m is committed in Cm 3. k is committed in Ck Efficient Encryption withmessage and key verifiability 1. Assume commitment (to value ‘a’) is of the form Ca = ga (or Ca = ga hr ) for some multiplicative group <g> 2. Assume encryption also has both plaintext and key in the exponent, e.g. E = Enc[ m ; k ] = αmβk where <α> , <β> are disjoint subgroups of some group Can be done with Paillier encryption [Camenisch-Shoup’03]: α generates subgroup of order n, β generates subgroup of order φ(n), in group of order φ(n2)=n*φ(n) [multiplicative group of residues mod n2] ZKPR is a proof of equalities between discrete-log representations: 1. (m , k) = Rep( (α, β) , E) 2. m = DL( g, Cm ) 3. k = DL( g, Ck )
Efficient Encryption withmessage and key verifiability Cm = gm Ck = gk The ZKP of “equality of m”: DL(g,Cm)=Rep(α,E) The ZKP of “equality of k”: DL(g,Ck)=Rep(β,E) E = αmβk #α = n , #β = φ(n) #g = whatever is convenient problem if #g ≠ #β problem if #g ≠ #α ZKPR is a proof of equalities between discrete-log representations: 1. (m , k) = Rep( (α, β) , E) 2. m = DL( g, Cm ) 3. k = DL( g, Ck ) Each (Representation=DL) proof is an extension of standard ZKPK-of-DL, except if the orders involved (#g vs. #α) and (#g vs. #β) are: (1) unknown (2) unequal
Efficient Encryption withmessage and key verifiability Cm = gm Ck = gk The ZKP of “equality of m”: DL(g,Cm)=Rep(α,E) The ZKP of “equality of k”: DL(g,Ck)=Rep(β,E) E = αmβk #α = n , #β = φ(n) #g = whatever is convenient problem if #g ≠ #β problem if #g ≠ #α • If orders not equal then responses must be computed over integers • (linear equations involving secrets) • Efficient Zero-Knowledge of DLEQ known only if secret << (both orders) Why? • Known DLEQ(gx,hx) proofs for groups with unknown order leak c*x+r over integers, for public challenge c, and random secret pad r • x is statistically hidden only if r > c*x*280 • r > x*2160(since c ≈ 280) • To avoid wrap-around we need c*x+r < (orders of g and h) • x * 2160 < (orders of g and h)
Efficient Encryption withmessage and key verifiability Cm = gm Ck = gk The ZKP of “equality of m”: DL(g,Cm)=Rep(α,E) The ZKP of “equality of k”: DL(g,Ck)=Rep(β,E) E = αmβk #α = n , #β = φ(n) #g = whatever is convenient problem if #g ≠ #β problem if #g ≠ #α • If orders not equal then responses must be computed over integers • (linear equations involving secrets) • Efficient Zero-Knowledge of DLEQ only if secret << (both orders) • Either m or k must be << |φ(n)| ≈ |n| • But m’s and k’s are interchangeable in Yao’s garbled circuit construction! • Need Camenisch-Shoup encryption with shorter keys (k ≈ ¾ |n|) • [Hastad-Schrift-Shamir]: exponentiation mod n hides |n|/2 bits • using ½ |n| - long keys is indistinguishable from |n|-long keys • same holds for the φ(n)-order subgroup, where [CS] keys live
Summary and some open questions Summary: • Efficient UC-Secure computation on committed inputs with O( |Circuit| ) public key op.’s • Fast committed String-OT • Encryption with efficient verifiability for both messages and keys Some questions: • Handling adaptive corruptions? • Weakening assumptions on the RSA modulus? • Efficient String-COT and Committed-2PC without CRS? • Verifiable Encryption for committed plaintexts and/or keys, for moduli smaller than |n2|=2000 bits?