1 / 25

COVERT TWO-PARTY COMPUTATION

LUIS VON AHN. COVERT TWO-PARTY COMPUTATION. CARNEGIE MELLON UNIVERSITY. JOINT WORK WITH NICK HOPPER JOHN LANGFORD. HAVE YOU EVER. WANTED TO BRIBE AN OFFICER?. WANTED TO STAGE A COUP D’ETAT TO OVERTHROW THE PRESIDENT?. BEEN IN LOVE BUT DIDN’T HAVE THE GUTS TO CONFRONT THE PERSON?.

darren
Download Presentation

COVERT TWO-PARTY COMPUTATION

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. LUIS VON AHN COVERT TWO-PARTY COMPUTATION CARNEGIE MELLON UNIVERSITY JOINT WORK WITH NICK HOPPER JOHN LANGFORD

  2. HAVE YOU EVER WANTED TO BRIBE AN OFFICER? WANTED TO STAGE A COUP D’ETAT TO OVERTHROW THE PRESIDENT? BEEN IN LOVE BUT DIDN’T HAVE THE GUTS TO CONFRONT THE PERSON? WANTED TO COLLUDE WITH ANOTHER PLAYER TO CHEAT IN A CARD GAME? INFILTRATED A TERRORIST CELL?

  3. ALLOWS TWO PARTIES WITH SECRET INPUTS X AND Y TO LEARN F(X,Y) BUT NOTHING ELSE COVERT PARTY 1 PARTY 2 TWO-PARTY COMPUTATION X Y F(  ,  ) F(  ,  ) F(X,Y) F(X,Y)

  4. LET’S NOT GET MARRIED 1 IF X>Y 0 OTHERWISE F(X,Y) = JEN BEN $45 MILLION $32 MILLION F(X,Y)=1

  5. I DON’T WANT HIM TO KNOW THAT I LIKE HIM UNLESS HE LIKES ME TOO! WHAT SHOULD I DO? I LIKE HIM, BUT I’M SHY! BRITNEY SPEARS ME

  6. WE’LL USE TWO-PARTY COMPUTATION IF HE DOESN’T, THEN F(X,Y) = 0 SO HE WON’T KNOW THAT I LIKE HIM 1 MEANS “YES” 0 MEANS “NO” IF HE LIKES ME, WE WILL BOTH FIND OUT IF X,Y ARE BITS, LET F(X,Y) = X AND Y F(X,Y) = X AND Y LET’S FIGURE OUT IF WE LIKE EACH OTHER

  7. COVERT TWO-PARTY COMPUTATION EXTERNAL COVERTNESS NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL INTERNAL COVERTNESS AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS

  8. YOU LEFT IT NEXT TO MY GRENADES THE AXIS OF EVIL SHALL PREVAIL! I GUESS I CAN USE MY BAZOOKA HAVE YOU SEEN MY AK-47? THE WAR ON TERROR HE WORKS FOR MI-6 CIA AGENT HE WORKS FOR CIA MI-6 AGENT

  9. HE WORKS FOR MI-6 HE WORKS FOR CIA THE WAR ON TERROR THE UTTERANCES CONTAINED A COVERT TWO-PARTYCOMPUTATION THE FUNCTION F VERIFIED THE CREDENTIALS SINCE BOTH WERE VALID, IT OUTPUT 1K X WAS A CREDENTIAL SIGNED BY CIA AND Y WAS SIGNED BY MI-6 FOR ANY OTHER INPUTS, F OUTPUTS A RANDOM VALUE

  10. COVERT TWO-PARTY COMPUTATION EXTERNAL COVERTNESS NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL CANNOT BE DONE WITH STANDARD TWO-PARTY COMPUTATION INTERNAL COVERTNESS AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS

  11. WHO KNOWS WHAT? WE ASSUME THAT BOTH PARTIES KNOW THE FUNCTION THEY WISH TO EVALUATE BOTH KNOW WHICH ROLE THEY ARE TO PLAY IN THE EVALUATION BOTH KNOW WHEN TO START COMPUTING

  12. ORDINARY COMMUNICATION MESSAGES ARE DRAWN FROM A SET D TIME PROCEEDS IN DISCRETE TIMESTEPS EACH PARTY MAINTAINS A HISTORY h OF ALL DOCUMENTS THEY SENT AND RECEIVED TO EACH PARTY P, WE ASSOCIATE A FAMILY OF PROBABILITY DISTRIBUTIONS ON D: {BhP}

  13. D’1← BP1 D1← BP1 ← BP2 D2← BP2 hP1 hP1 hP2 hP2 P1 P2 hP1 hP2 D1 t0 D2 hP1 = hP1 + (D1,D2) hP2 = hP2 + (D2,D1) D’1 t1

  14. WE ASSUME THAT DDH IS HARD:GIVEN gx, gy PARTIES CAN’T EFFICIENTLY DISTINGUISH gxy FROM gz

  15. WE SHOW THAT COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST HONEST-BUT-CURIOUS ADVERSARIES IN THE RO MODEL, FAIR COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST MALICIOUS ADVERSARIES

  16. ROADMAP 1 USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM 2 SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM

  17. INPUT:HH, TARGET C, BOUND K LETJ = 0 REPEAT: SAMPLES←D, INCREMENTJ UNTILH(S) = C OR J > K OUTPUT:S BASIC-ENCODE PROPER SIZE LET D BE A DISTRIBUTION ON D AND H BE A PAIRWISE INDEPENDENT FAMILY OF HASH FUNCTIONS UNIFORM ENOUGH MIN ENTROPY … THEN THE DISTRIBUTION ON S IS STA-TISTICALLY INDISTINGUISHABLE FROM D IF ALLOWS SENDING C ENCODED IN SOMETHING THAT COMES FROM D

  18. BASIC - ENC ODE LOOKS UNIFORM LOOKS NORMAL OOPS! I DID IT AGAIN 001

  19. ROADMAP 1 USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM 2 SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM

  20. OT COVERT OBLIVIOUS TRANSFER IT IS POSSIBLE TO MODIFY AN OBLIVIOUS TRANSFER SCHEME BY NAOR AND PINKAS SO THAT ALL MESSAGES ARE INDISTINGUI-SHABLE FROM UNIFORM RANDOM BITS UNIFORM

  21. OT THE MODIFIED NAOR-PINKAS OT PLUGGED INTO YAO’S “GARBLED CIRCUIT” GIVES A SCHEME WITH MESSAGES THAT ARE INDISTINGUISHABLE FROM UNIFORM YAO +

  22. OOPS! MALLICIOUS ADVERSARIES CAN BREAK THIS PROTOCOL YOU’RE SO SMART BRITNEY! WE CANNOT SIMPLY USE ZK TO FIX IT MATH IS FUN! F(X,Y)=1 F(X,Y)=1

  23. THE END

  24. COMPETITOR COOPERATION TWO COMPETING ONLINE RETAILERS ARE COMPROMISED BY A HACKER NEITHER CAN CATCH THE HACKER BY THEMSELVES HOWEVER, NEITHER WILL ADMIT THAT THEY WERE HACKED UNLESS THE OTHER WAS HACKED TOO

  25. WE ASSUME THAT PARTY P CAN DRAW FROM BPh FOR ANY PLAUSIBLE h ADVERSARY KNOWS BPh FOR ANY P, h DDH IS HARD:GIVEN gx, gy PARTIES CAN’T EFFICIENTLY DISTINGUISH gxy FROM gz

More Related