1 / 32

Efficient Two-Party Secure Computation on Committed Inputs

Efficient Two-Party Secure Computation on Committed Inputs. Stanislaw Jarecki , UC Irvine Vitaly Shmatikov, UT Austin. Our Contributions. Committed Oblivious Transfer of Bitstrings [String-COT] O(1) modular exponentiations per player

regan-rutledge
Download Presentation

Efficient Two-Party Secure Computation on Committed Inputs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Efficient Two-Party Secure Computation on Committed Inputs Stanislaw Jarecki, UC Irvine Vitaly Shmatikov, UT Austin

  2. Our Contributions • Committed Oblivious Transfer of Bitstrings [String-COT] • O(1) modular exponentiations per player • 2 rounds + proofs (single message in R.O.M. if commitments public) • Universally Composable in Common Reference String [CRS] model • Secure Two-Party Computation [2PC] on Committed Inputs • O(g) modular exponentiations, where g = # gates in the circuit • round complexity, UC in CRS, as above Technical Contribution of General Interest: • Encryption with Verifiable Plaintexts and Keys, i.e.: Encryption with efficient Zero-Knowledge Proof for relation: {(E, Cm, Ck) s.t. E encrypts m committed in Cm under key k committed in Ck}

  3. Our Contributions • Committed Oblivious Transfer ofBitstrings [String-COT] • O(1) modular exponentiations per player • 2 rounds + proofs (single message in R.O.M. if commitments public) • Universally Composable in Common Reference String [CRS] model • Secure Two-Party Computation [2PC] on Committed Inputs • O(g) modular exponentiations, where g = # gates in the circuit • round complexity, UC in CRS, as above Main Technical Contribution of General Interest: • Encryption with Verifiable Plaintexts and Keys, i.e.: Encryption with efficient Zero-Knowledge Proof for relation: {(E, Cm, Ck) s.t. E encrypts m committed in Cm under key k committed in Ck} Contribution for both COT and 2PC is inefficiency. (and provable universal composability of an efficient construction) Quick comparison of constant-round 2PC protocols: Yao’86:O(g) symmetric-key operations,passive adv. Yao + Generic ZKP’s: poly(k,g) operations,malicious adv. [P’03,MF’06,KS’06,LP’07,W’07] Cut & Choose Proofs: O(kg) symmetric-key ops., malicious adv. [Here]:Efficient ZKP per gate: O(g) public-key operations, malicious adv.

  4. Our Contributions • Committed Oblivious Transfer of Bitstrings [String-COT] • O(1) modular exponentiations per player • 2 rounds + proofs (single message in R.O.M. if commitments public) • Universally Composable in Common Reference String [CRS] model • Secure Two-Party Computation [2PC] on Committed Inputs • O(g) modular exponentiations, where g = # gates in the circuit • round complexity, UC in CRS, as above Main Technical Contribution of General Interest: • Encryption with Verifiable Plaintexts and Keys, i.e.: Encryption with efficient Zero-Knowledge Proof for relation: {(E, Cm, Ck) s.t. E encrypts m committed in Cm under key k committed in Ck} Contribution for both COT and 2PC is in efficiency. (and provable universal composability of an efficient construction) Quick comparison of constant-round 2PC protocols: Yao’86:O(g) symmetric-key operations,passive adv. Yao + Generic ZKP’s: poly(k,g) operations,malicious adv. [P’03,MF’06,KS’06,LP’07,W’07] Cut & Choose Proofs: O(kg) symmetric-key ops., malicious adv. [Here]:Efficient ZKP per gate: O(g) public-key operations, malicious adv.

  5. Talk Outline • Overview of the results: • Committed Oblivious Transfer on Strings • General Secure Two-Party Computation on Committed Inputs • Applications • Committed Secure Computation • Committed String-OT • Comparison with previous results • Technical Discussion: Public Key Encryption with Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key • Extensions, Open Questions

  6. Universally Composable Secure Two-Party Computation on Committed Inputs: Definition Picture

  7. Commit(xB2) Commit(xA1) Commit(xA2) Commit(xB1) Universally Composable Secure Two-Party Computation on Committed Inputs Public Board Alice CA1 (xA1) CA2 (xA2) Bob CB1 (xB1) CB2 (xB2) Commitment properties: Binding: xi’s cannot be substituted after Ci is sent Hiding: xi’s remain hidden from other players (Can be implemented e.g. with Public Key Encryption)

  8. Commit(xA1) Commit(xA2) Commit(xB1) Commit(xB2) Universally Composable Secure Two-Party Computation on Committed Inputs Public Board Alice CA1 (xA1) CA2 CA2 (xA2) Bob CB1 (xB1) CB2 (xB2) Non-Malleable [NM] Commitments: Bob’s messages cannot depend on Alice’s messages (can be done with CCA-Secure Encryption, in CRS)

  9. Universally Composable Secure Two-Party Computation on Committed Inputs Public Board Alice Compute( [ ] with Bob,CA1,CB1) (xA1) (xA2) F(xA1,xB1) Bob (xB1) F(xA1,xB1) (xB2) xA1 xB1 • Properties of 2P Secure Computation (Obl.Circ.Eval.) on Committed Inputs: • Bob learns only output F(xA,xB), nothing else about Alice’s input xA • Alice learns nothing • values xA, xB in the computation are committed in CA, CB

  10. Compute( [ ] with Alice) Universally Composable Secure Two-Party Computation on Committed Inputs Public Board Alice Compute( [ ] with Bob) (xA1) (xA2) F(xA1,xB1) Bob (xB1) F(xA1,xB1) (xB2) • Properties of 2P Secure Computation (Obl.Circ.Eval.) on Committed Inputs: • Bob learns only output F(xA,xB), nothing else about Alice’s input xA • Alice learns nothing • values xA, xB in the computation are committed in CA, CB => Two-sided computation on same inputs (with abort)

  11. Benefit of computation on committed inputs: • Ensuring consistency between computations of several circuits on same data Universally Composable Secure Two-Party Computation on Committed Inputs Alice Compute( [ ]) (xA1) (xA2) Compute( [ ]) Compute( [ ]) Compute( [ ]) Bob (xB1) (xB2) Examples of circuits: = Equality(xA,xB): outputs 1 if xA = xB, 0 otherwise = `Less or Equal’(xA,xB): outputs 1 if integer xA ≤ xB, 0 o/w = F(xA,xB) = intersection of sets represented by xA,xB = F(xA,xB) = median value in the union of sets It can be any circuit !!

  12. Commit(xD1) Compute( [ ] with Alice) F(xA1,xB1) F(xD1,xB1) Consistency Across Protocol Instances Ex.1: Multi-Player Example Alice (xA1) Bob (xB1) Compute( [ ] with Dorothy) Dorothy (xD1)

  13. Commit(xA3) Compute( [ ] w/ Alice) Compute( [ ] with Alice) F(xA1,xA3,xB1) xA1 xA3 xB1 Consistency Across Protocol Instances: Ex.2: Security with some local computation off-line F(xA1,xB1) Alice (xA1) xA3 = output of Alice’s local computation given F(xA1,xB1) (xA3) Bob (xB1) • General Benefit of UC Committed 2PC: • Ensuring consistency between sub-protocols in any distributed algorithm • Some computation can be local (“insecure” but fast), while commitments keep the overall protocol consistent

  14. Consistency Across Protocol Instances: Ex.3: Solution to the “Abort & Re-start” Problem Protocols that use 2PC / OT without committed inputs can be insecure against abort & re-start: A malicious player can effectively execute several instances of the protocol, each on different inputs. In practice protocols must allow re-start in case of communication or hardware faults…

  15. Talk Outline • Statement of the results: • Committed Oblivious Transfer on Strings • General Secure Two-Party Computation on Committed Inputs • Applications • Committed Secure Computation • Committed String-OT • Comparison with previous results • Technical Discussion: Public Key Encryption with Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key • Extensions, Open Questions

  16. Commitments Cb , (Cm0 , Cm1) Common Input: Alice: bit b Bob: strings m0,m1 mb ┴ Universally Composable Committed String-OT UC String-COT is like UC two-party secure computation but the only computed function is String-OT Crepeau’86 introduced COT s.t. Alice gets (de) commitment of Cb, not just mb (our construction can support this too) • Alice learns mb s.t. • mbis committed in Cmb • bis committed in Cb • Alice learns nothing about mb • Bob learns nothing

  17. Applications of Committed String-OT (Ex.1):Ensuring Consistency across Calls to OT OT is a sub-procedure in General Secure Computation Protocols [the original motivation for Committed OT by Crepeau] • Interactive Secure 2-Party Computation [GV’87]: • Players secret-share all their input bits • Gate computation (shared input bits → shared output bit) via Bit-OT Tool: Committed Bit-OT • 2-round Secure 2-Party Computation (“Garbled Circuit” [Yao’86]): • Sender S creates two keys per each wire • For each gate, S encrypts appropriate output wire keys with appropriate input wire keys • S performs String-OT on keys corresponding to R’s input wires Tool: Committed String-OT

  18. Applications of Committed String-OT (Ex.2):Privacy, E-Cash, Escrow, … 1. Privacy applications: • oblivious transfer of one key out of a set of keys • same for signatures, decryptions, … 2. Support for probabilistic systems: • probabilistic escrow of information (keys, signatures, plaintexts) • probabilistic payment of digital cash • … What’s needed in such applications? • OT on values with proven properties (key, coin, signature, …) Done in 2 steps: • perform an OT on the committed string value (e.g. a key) • prove correctness of the committed value (efficient proofs for such statements exist for many cryptographic schemes)

  19. Talk Outline • Statement of the results: • Committed Oblivious Transfer on Strings • General Secure Two-Party Computation on Committed Inputs • Applications of Committed Secure Computation / Committed String-OT • Comparisons with previous results on COT and 2PC • Technical Discussion: Public Key Encryption with Efficient Zero-Knowledge Proof for Verifiability of both Plaintexts and Keys • Extensions, Open Questions

  20. Our Contributions vs. Previous Work:(1) Committed OT on Bitstrings • O(1) modular exponentiations per player • exponentiations modulo n2 where n is a strong RSA modulus, |n2| = 2000 bits • 500-bit exponents • Round complexity: 2 rounds + proofs (e.g. one/two rounds in R.O.M.) • Security under Decisional Composite Residuosity Assumption [DCR] • Universal Composability in Common Reference String model [CRS] • static adversary • CRS includes modulus n and a few group elements, |CRS| ≈ 10 |n| Towards efficient String-COT: [NP’00, AIR’01] String-OT O(1) exp’s, DDH Assumption [Cre’89] Bit/String-COT Ω(k3) Bit/String-OT’s [CvdGT’95] Bit-COT Ω(k) Bit-OT’s [GMY’04] Bit-COT O(1) exp’s, DDH [CC’00] String-COT O(k) exp’s, DDH [Here]String-COTO(1) exp’s, DCR

  21. Our Contributions vs. Previous Work:(2) Secure 2PC on Committed Inputs • Security under DCR and Strong RSA Assumptions • O(g) modular exponentiations, where g = # gates in the Circuit • Round complexity: 2 rounds + proofs (e.g. one/two rounds in R.O.M.) • Universal Composability in the CRS model Towards efficient constant-round Secure Two-Party Computation (2PC): Passive Security: • [Yao’86] O(g) symmetric-key op’s Malicious Security using ZKP’s for NP-complete languages: • [GMW,…,Lin’03,KO’04] poly(g, k) op’s Malicious Security without generic ZKP’s: • [DI’05], multi-party computation, O(n2 g) PRG’s + VSS’s • [CC’00], cut & choose gate-specific ZKP’s, O(kg) exp’s, DDH • [Pin’03, MF’06, KS’06, LP’07, W’07], cut & choose on the whole garbled circuit, O(kg) symmetric-key op’s • [Here], efficient gate-specific ZKP’s, O(g) exp’s, DCR + Strong RSA

  22. Talk Outline • Statement of the results: • Committed Oblivious Transfer on Strings • General Secure Two-Party Computation on Committed Inputs • Applications of Committed Secure Computation / Committed String-OT • Comparison with previous results • Technical Discussion: Public Key Encryption with Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key • Extensions, Open Questions

  23. k k k ,k ,k ,k 0 0 0 1 1 1 Invariant: z z z z z z G G For every wire w, Receiver R learns one key in {k ,k }, 0 1 w w k k k ,k ,k ,k k k k ,k ,k ,k 0 0 0 1 1 0 0 1 1 1 1 0 but doesn ’ t learn which one! v v v v v v w w w w w w Yao’s Garbled Circuit Construction 2. For each gate, S sends to R a table: 1. For each circuit wire w, Sender S picks a pair of keys º k “ bit 0 on wire w ” 0 • Strategy towards 2PC with O(1) exp’s / gate • S commits to each key • S proves circuit is properly garbled: • each ciphertext formed correctly • […other proofs…] • S performs String-COT for R’s input keys w º k “ bit 1 on wire w ” 1 w 3. For each R’s input wire, transfer the right key using String-OT: OT [ R(b) , S(k0,k1) ] → kb • Encryption of kz0 under keys kw0,kv0 • Encryption of kz0 under keys kw0,kv1 • Encryption of kz0 under keys kw1,kv0 • Encryption of kz1under keys kw1,kv1

  24. k k k ,k ,k ,k 0 0 0 1 1 1 Invariant: z z z z z z G G For every wire w, Receiver R learns one key in {k ,k }, 0 1 w w k k k ,k ,k ,k k k k ,k ,k ,k 0 0 0 1 1 0 0 1 1 1 1 0 but doesn ’ t learn which one! v v v v v v w w w w w w Yao’s Garbled Circuit Construction Closer Look: Proof of ciphertext correctness 2. For each gate, S sends to R a table: 1. For each circuit wire w, Sender S picks a pair of keys º k “ bit 0 on wire w ” 0 • Strategy towards 2PC with O(1) exp’s / gate • S commits to each key • S proves circuit is properly garbled: • each ciphertext formed correctly • […other proofs…] • S performs String-COT for R’s input keys w º k “ bit 1 on wire w ” 1 w 3. For each R’s input wire, transfer the right key using String-OT: OT [ R(b) , S(k0,k1) ] → kb • Encryption of kz0 under keys kw0,kv0 • Encryption of kz0 under keys kw0,kv1 • Encryption of kz0 under keys kw1,kv0 • Encryption of kz1under keys kw1,kv1

  25. Invariant: For every wire w, Receiver R learns one key in {k ,k }, 0 1 w w but doesn ’ t learn which one! Yao’s Garbled Circuit Construction Closer Look: Proof of ciphertext correctness 2. For each gate, S sends to R a table: 1. For each circuit wire w, Sender S picks a pair of keys º k “ bit 0 on wire w ” 0 • Strategy towards 2PC with O(1) exp’s / gate • S commits to each key • S proves circuit is properly garbled: • each ciphertext formed correctly • […other proofs…] • S performs String-COT for R’s input keys w º k “ bit 1 on wire w ” 1 w k k k ,k ,k ,k 0 0 0 1 1 1 z z z z z z G G k k k ,k ,k ,k k k k ,k ,k ,k 0 0 0 1 1 1 0 0 0 1 1 1 v v v v v v w w w w w w 3. For each R’s input wire, transfer the right key using String-OT: OT [ R(b) , S(k0,k1) ] → kb • Encryption of kz0 under keys kw0,kv0 • Encryption of kz0 under keys kw0,kv1 • Encryption of kz0 under keys kw1,kv0 • Encryption of kz1under keys kw1,kv1

  26. Need Efficient ZKP for relation R = { (E, Cm, Ck) } s.t. 1. E = Enc [ m ; k ] 2. m is committed in Cm 3. k is committed in Ck Yao’s Garbled Circuit Construction Closer Look: Proof of ciphertext correctness Simplify to standard (one-key) encryption: º k “ bit 0 on wire w ” 0 w º k “ bit 1 on wire w ” 1 w k k k ,k ,k ,k 0 0 0 1 1 1 z z z z z z G G k k k ,k ,k ,k k k k ,k ,k ,k 0 0 0 1 1 1 0 0 0 1 1 1 v v v v v v w w w w w w • Encryption of kz0 under keys kw0,kv0

  27. Need Efficient ZKP for relation R = { (E, Cm, Ck) } s.t. 1. E = Enc [ m ; k ] 2. m is committed in Cm 3. k is committed in Ck Efficient Encryption withmessage and key verifiability 1. Assume commitment (to value ‘a’) is of the form Ca = ga (or Ca = ga hr ) for some multiplicative group <g> 2. Assume encryption also has both plaintext and key in the exponent, e.g. E = Enc[ m ; k ] = αmβk where <α> , <β> are disjoint subgroups of some group Can be done with Paillier encryption [Camenisch-Shoup’03]: α generates subgroup of order n, β generates subgroup of order φ(n), in group of order φ(n2)=n*φ(n) [multiplicative group of residues mod n2] ZKPR is a proof of equalities between discrete-log representations: 1. (m , k) = Rep( (α, β) , E) 2. m = DL( g, Cm ) 3. k = DL( g, Ck )

  28. Efficient Encryption withmessage and key verifiability Cm = gm Ck = gk The ZKP of “equality of m”: DL(g,Cm)=Rep(α,E) The ZKP of “equality of k”: DL(g,Ck)=Rep(β,E) E = αmβk #α = n , #β = φ(n) #g = whatever is convenient problem if #g ≠ #β problem if #g ≠ #α ZKPR is a proof of equalities between discrete-log representations: 1. (m , k) = Rep( (α, β) , E) 2. m = DL( g, Cm ) 3. k = DL( g, Ck ) Each (Representation=DL) proof is an extension of standard ZKPK-of-DL, except if the orders involved (#g vs. #α) and (#g vs. #β) are: (1) unknown (2) unequal

  29. Efficient Encryption withmessage and key verifiability Cm = gm Ck = gk The ZKP of “equality of m”: DL(g,Cm)=Rep(α,E) The ZKP of “equality of k”: DL(g,Ck)=Rep(β,E) E = αmβk #α = n , #β = φ(n) #g = whatever is convenient problem if #g ≠ #β problem if #g ≠ #α • If orders not equal then responses must be computed over integers • (linear equations involving secrets) • Efficient Zero-Knowledge of DLEQ known only if secret << (both orders) Why? • Known DLEQ(gx,hx) proofs for groups with unknown order leak c*x+r over integers, for public challenge c, and random secret pad r • x is statistically hidden only if r > c*x*280 • r > x*2160(since c ≈ 280) • To avoid wrap-around we need c*x+r < (orders of g and h) • x * 2160 < (orders of g and h)

  30. Efficient Encryption withmessage and key verifiability Cm = gm Ck = gk The ZKP of “equality of m”: DL(g,Cm)=Rep(α,E) The ZKP of “equality of k”: DL(g,Ck)=Rep(β,E) E = αmβk #α = n , #β = φ(n) #g = whatever is convenient problem if #g ≠ #β problem if #g ≠ #α • If orders not equal then responses must be computed over integers • (linear equations involving secrets) • Efficient Zero-Knowledge of DLEQ only if secret << (both orders) • Either m or k must be << |φ(n)| ≈ |n| • But m’s and k’s are interchangeable in Yao’s garbled circuit construction! • Need Camenisch-Shoup encryption with shorter keys (k ≈ ¾ |n|) • [Hastad-Schrift-Shamir]: exponentiation mod n hides |n|/2 bits • using ½ |n| - long keys is indistinguishable from |n|-long keys • same holds for the φ(n)-order subgroup, where [CS] keys live

  31. Summary and some open questions Summary: • Efficient UC-Secure computation on committed inputs with O( |Circuit| ) public key op.’s • Fast committed String-OT • Encryption with efficient verifiability for both messages and keys Some questions: • Handling adaptive corruptions? • Weakening assumptions on the RSA modulus? • Efficient String-COT and Committed-2PC without CRS? • Verifiable Encryption for committed plaintexts and/or keys, for moduli smaller than |n2|=2000 bits?

  32. Thank You!

More Related