
Secure two-party computation: a visual way

Secure two-party computation: a visual way, by Paolo D’Arco and Roberto De Prisco. Challenging Research Task: design of secure protocols which can be used by people without the aid of a computer, without cryptographic knowledge.


Presentation Transcript


  1. Secure two-party computation: a visual way, by Paolo D’Arco and Roberto De Prisco

  2. Challenging Research Task • Design of secure protocols which can be used by people • without the aid of a computer • without cryptographic knowledge … when computers are not available or, for psychological or social reasons, people feel uncomfortable interacting with or trusting a computer

  3. In this paper… • By merging together in a suitable way • Yao’s garbled circuit construction (‘80) • Naor and Shamir’s visual cryptography (‘90) • we put forward a novel method for performing secure two-party computation through a pure physical process.

  4. Our Main Result: Theorem 1. Every two-party computation representable by means of a boolean function f(·,·) can be performed preserving the privacy of the inputs x and y through a pure physical visual evaluation process.

  5. Yao’s Construction • [Yao, FOCS 1986]

  6. Computation as a circuit: The boolean function f(·,·) is represented through a boolean circuit C(·,·) for which, for each x, y, it holds that C(x,y) = f(x,y). [Figure: circuit with gates And, And, Or]

  7. Computation as a circuit: The boolean function f(·,·) is represented through a boolean circuit C(·,·) for which, for each x, y, it holds that C(x,y) = f(x,y). Given the input values, the output is easily obtained by evaluating the circuit gates, i.e., And, Or and Not bit-by-bit operations. [Figure: circuit with gates And, And, Or; wire values 1 1 0 1]

  8. Computation as a circuit: The boolean function f(·,·) is represented through a boolean circuit C(·,·) for which, for each x, y, it holds that C(x,y) = f(x,y). Given the input values, the output is easily obtained by evaluating the circuit gates, i.e., And, Or and Not bit-by-bit operations. [Figure: circuit with gates And, And, Or; wire values 1 1 0 1, then 0 1]

  9. Computation as a circuit: The boolean function f(·,·) is represented through a boolean circuit C(·,·) for which, for each x, y, it holds that C(x,y) = f(x,y). Given the input values, the output is easily obtained by evaluating the circuit gates, i.e., And, Or and Not bit-by-bit operations. Inputs are in clear. Computations are in clear. No Privacy. [Figure: circuit with gates And, And, Or; wire values 1 1 0 1, then 0 1, then 1]

  10. Using random values: Yao’s idea is to use the circuit as a conceptual guide for the computation which, instead of And, Or and Not operations on bits, becomes a sequence of decryptions of ciphertexts. To the wires are associated random values (cryptographic keys), which secretly represent the bits 0 and 1. [Figure: Or gate with wire key pairs K1,0, K1,1; K2,0, K2,1; K3,0, K3,1]

  11. Gate tables: (Enc(K, ), Dec(K, )) symmetric encryption algorithm. The four double encryptions are stored in a random order. A gate evaluation ends up in a “correct” double decryption.

  12. Garbled Circuit Construction [Figure: gates G1, G2, G3 with wire key pairs K1,0, K1,1; K2,0, K2,1; K0,0, K0,1; K3,0, K3,1; K4,0, K4,1; K5,0, K5,1; K6,0, K6,1]

  13. Circuit evaluation: Alice (0,0), Bob (0,1) [Figure: gates G1, G2, G3; keys K1,0, K2,0, K0,0, K3,1]

  14. Circuit evaluation: Alice (0,0), Bob (0,1) [Figure: gates G1, G2, G3; keys K1,0, K2,0, K0,0, K3,1]

  15. Circuit evaluation: Alice (0,0), Bob (0,1) [Figure: gates G1, G2, G3; keys K1,0, K2,0, K0,0, K3,1, K4,0, K5,0]

  16. Circuit evaluation: Alice (0,0), Bob (0,1) [Figure: gates G1, G2, G3; keys K1,0, K2,0, K0,0, K3,1, K4,0, K5,0]

  17. Circuit evaluation [Figure: gates G1, G2, G3; keys K1,0, K2,0, K0,0, K3,1, K4,0, K5,0, K6,0]

  18. Circuit evaluation [Figure: gates G1, G2, G3; keys K1,0, K2,0, K0,0, K3,1, K4,0, K5,0, K6,0; output = 0] … the map (circuit-output key, value) is public …

  19. Circuit evaluation [Figure: gates G1, G2, G3; keys K1,0, K2,0, K0,0, K3,1, K4,0, K5,0, K6,0; output = 0] … the map (circuit-output key, value) is public … The evaluation does not release any information about the input bits

  20. How to use the garbled circuit? Idea: Alice constructs the garbled circuit. Bob gets it, Alice’s keys and … performs the computation. But… what about Bob’s keys? Bob cannot communicate his input bits… (privacy lost!) Does Alice send all of them? Too much… Bob can compute C(x,y) for all possible y.

  21. Oblivious Transfer: Bob secretly gets the keys for each of his input bits (and only for those bits). Bob gets either Ki,0 or Ki,1 (according to b) and no information on the other. Alice does not know which secret Bob has obtained.

  22. Yao’s Protocol • Alice constructs the garbled circuit • Alice sends to Bob: the garbled circuit (tables); the keys associated to her input-wire bits; the correspondence between the keys associated to the circuit-output wires and the bits 0 and 1 • Alice runs with Bob n instances of the OT protocol to enable Bob to recover the n keys associated to his input-wire bits • Bob evaluates the circuit (and communicates the result to Alice)
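Slides 11 to 19 as runnable code, an added example that is not from the presentation: each gate gets a table of four double encryptions in random order, and the evaluator, holding one key per input wire, finds the single "correct" decryption per gate. The hash-based `double_enc`/`double_dec` stand in for the slide's (Enc, Dec), and the wiring (G1 and G2 as And gates on wires 1,2 and 0,3, G3 as Or on wires 4,5) is an assumption read off the key labels and the earlier circuit slide.

```python
import hashlib, hmac, os, random

TAG = b"\x00" * 16   # zero block appended so a "correct" decryption is recognisable

def pad(ka, kb, gate):
    # 32-byte keystream bound to both input-wire keys and the gate name
    return hashlib.sha256(ka + kb + gate.encode()).digest()

def double_enc(ka, kb, gate, out_key):
    return bytes(p ^ m for p, m in zip(pad(ka, kb, gate), out_key + TAG))

def double_dec(ka, kb, gate, row):
    pt = bytes(p ^ c for p, c in zip(pad(ka, kb, gate), row))
    return pt[:16] if hmac.compare_digest(pt[16:], TAG) else None

# gate name -> (truth function, left wire, right wire, output wire); ASSUMED wiring
GATES = {"G1": (lambda a, b: a & b, 1, 2, 4),
         "G2": (lambda a, b: a & b, 0, 3, 5),
         "G3": (lambda a, b: a | b, 4, 5, 6)}

def garble(gates=GATES, n_wires=7):
    # keys[w][b] plays the role of the slide's K w,b
    keys = [(os.urandom(16), os.urandom(16)) for _ in range(n_wires)]
    tables = {}
    for name, (fn, lw, rw, out) in gates.items():
        rows = [double_enc(keys[lw][a], keys[rw][b], name, keys[out][fn(a, b)])
                for a in (0, 1) for b in (0, 1)]
        random.SystemRandom().shuffle(rows)          # four rows in random order
        tables[name] = rows
    return keys, tables

def evaluate(tables, input_keys, gates=GATES):
    held = dict(input_keys)                          # wire -> the one key the evaluator holds
    for name, (_, lw, rw, out) in gates.items():
        hits = [k for k in (double_dec(held[lw], held[rw], name, row)
                            for row in tables[name]) if k is not None]
        if len(hits) != 1:
            raise ValueError(f"gate {name}: no unique correct decryption")
        held[out] = hits[0]
    return held

def run(bits):
    """bits: {wire: bit} for input wires 0..3. Returns the circuit output bit."""
    keys, tables = garble()
    held = evaluate(tables, {w: keys[w][b] for w, b in bits.items()})
    output_map = {keys[6][0]: 0, keys[6][1]: 1}      # the public (output key, value) map
    return output_map[held[6]]
```

The evaluator only ever handles opaque 16-byte keys; the bit values appear solely in the final output map.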

  23. Kolesnikov’s approach: secret sharing [Asiacrypt 2005], extending the ideas of Ishai & Kushilevitz [ICALP 2002]. Instead of using a table with four double encryptions, use secret sharing. Each combination of the shares gives s0 or s1. [Figure: And gate with shares lsh0, rsh0, lsh1, rsh1 and output secrets s0, s1]

  24. Gate Equivalent Secret Sharing [Figure: And gate with output secrets s0, s1 and shares bR0, bR1; if b=0: s0R0 | s0R1 and s0R0 | s1R1; if b=1: s0R1 | s0R0 and s1R1 | s0R0] • denotes xor bitwise • s0, s1, R0, R1 are bit strings • b is a single bit

  25. Gate Equivalent Secret Sharing [Figure: And gate with output secrets s0, s1 and shares 0R0, 1R1, s0R0 | s0R1, s0R0 | s1R1] • denotes xor bitwise • s0, s1, R0, R1 are bit strings • b is a single bit

  26. Full Protocol: Recursive sharing [Figure: gates And, And, Or with output secrets s0, s1; shares 0R0, 1R1, s0R0 | s0R1, s0R0 | s1R1; shares 0T0, 1T1, 0R0T0 | 0R0T1, 0R0T0 | 1R1T1; shares 1V0, 0V1, (s0R0 | s0R1)V1 | (s0R0 | s0R1)V0, (s0R0 | s1R1)V1 | (s0R0 | s0R1)V0]

  27. Observations: An explicit representation (garbled circuit) is not needed anymore; the circuit is implicitly present in the input shares. [Figure: input shares 0T0, 1T1, 0R0T0 | 0R0T1, 0R0T0 | 1R1T1, 1V0, 0V1, (s0R0 | s0R1)V1 | (s0R0 | s0R1)V0, (s0R0 | s1R1)V1 | (s0R0 | s0R1)V0] Kolesnikov uses secret sharing for optimization issues
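Slides 24 to 27 as an added example (not code from the presentation or from Kolesnikov's paper). It assumes the juxtaposed terms such as s0R0 stand for the bitwise xor named in the legend and that the bit in front of R0 or R1 points at one block of the right share; it goes beyond the And gate to any two-input gate and to recursive sharing over a circuit (w AND x) OR (y AND z) chosen here.

```python
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def share_gate(fn, out):
    """out = (secret for output 0, secret for output 1), equal lengths.
    Returns (left shares, right shares), each indexed by the wire's bit."""
    n = len(out[0])
    b = secrets.randbits(1)                                # pointer bit
    R = (secrets.token_bytes(n), secrets.token_bytes(n))   # masks R0, R1
    left = [bytes([b]) + R[0], bytes([1 - b]) + R[1]]
    right = []
    for y in (0, 1):
        blocks = [b"", b""]
        blocks[b] = xor(out[fn(0, y)], R[0])       # opened by the left share for bit 0
        blocks[1 - b] = xor(out[fn(1, y)], R[1])   # opened by the left share for bit 1
        right.append(blocks[0] + blocks[1])
    return left, right

def reconstruct(lsh, rsh):
    pointer, mask = lsh[0], lsh[1:]
    n = len(mask)
    return xor(rsh[pointer * n:(pointer + 1) * n], mask)

AND = lambda x, y: x & y
OR = lambda x, y: x | y

def share_circuit(s0, s1):
    """Recursive sharing for (w AND x) OR (y AND z): returns shares for w, x, y, z."""
    or_left, or_right = share_gate(OR, (s0, s1))
    w, x = share_gate(AND, or_left)     # the Or gate's left shares become secrets
    y, z = share_gate(AND, or_right)    # likewise for its right shares
    return w, x, y, z

def evaluate(w_sh, x_sh, y_sh, z_sh):
    # No gate tables: the input shares alone carry the circuit
    return reconstruct(reconstruct(w_sh, x_sh), reconstruct(y_sh, z_sh))
```

Share length roughly doubles at each level of recursion on the right-hand wires, since a right share carries two masked blocks.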

  28. Idea… • …but a secret sharing scheme can be realized also through a physical process which • represents the secret as an image • prints the shares on transparencies and • reconstructs the secret by superposing the transparencies and using the human visual system

  29. Visual Cryptography • [Naor & Shamir 1994, Kafri & Keren 1987]

  30. Visual Cryptography: (2,2)-VCS [Figure: secret image, share 1, share 2 and their superposition]

  31. Probabilistic Schemes: error probability [Figure: two panels, each showing a secret pixel, share 1 and share 2 obtained by choosing at random, and their superposition (logical or); one panel is labelled Prob = 1/2, the other Prob = 1]

  32. Deterministic Schemes: pixel expansion [Figure: two panels, each showing a secret pixel, share 1 and share 2 obtained by choosing at random, and their superposition]

  33. …but visual cryptography does not realize xor! [Figure: And gate with output secrets s0, s1 and shares 1R0, 0R1, s0R1 | s0R0, s1R1 | s0R0, annotated “…xor!!!”] • denotes xor bitwise • s0, s1, R0, R1 are bit strings • b is a single bit … a closer look: all we need is secret reconstructability … Kolesnikov’s construction is a special case of a general construction…
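Slides 30 to 33 as an added example, not code from the presentation: a deterministic (2,2) scheme with pixel expansion 2 in the style of Naor and Shamir, with the stacking of transparencies modelled as a logical or. The subpixel patterns and the test image are constructed here.

```python
import secrets

PATTERNS = ((1, 0), (0, 1))      # 1 = dark subpixel, 0 = transparent

def make_shares(image):
    """image: rows of 0 (white) / 1 (black). Each pixel becomes 2 subpixels per share."""
    share1, share2 = [], []
    for row in image:
        r1, r2 = [], []
        for pixel in row:
            p = PATTERNS[secrets.randbelow(2)]                  # chosen at random
            q = p if pixel == 0 else tuple(1 - v for v in p)    # same / complementary
            r1.extend(p)
            r2.extend(q)
        share1.append(r1)
        share2.append(r2)
    return share1, share2

def superpose(a, b):
    # Stacked transparencies: a subpixel is dark if it is dark on either sheet (or)
    return [[x | y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def darkness(sheet):
    # Dark subpixels per original pixel: the grey level the eye averages
    return [[row[i] + row[i + 1] for i in range(0, len(row), 2)] for row in sheet]

def read(stacked):
    # Fully dark pair reads as black, half-dark pair reads as white
    return [[1 if d == 2 else 0 for d in row] for row in darkness(stacked)]

def render(sheet):
    return "\n".join("".join("#" if v else "." for v in row) for row in sheet)

# Constructed 5x5 test image (a cross), not taken from the slides
IMAGE = [[0, 0, 1, 0, 0],
         [0, 0, 1, 0, 0],
         [1, 1, 1, 1, 1],
         [0, 0, 1, 0, 0],
         [0, 0, 1, 0, 0]]

if __name__ == "__main__":
    s1, s2 = make_shares(IMAGE)
    print(render(s1), render(s2), render(superpose(s1, s2)), sep="\n\n")
```

A white pixel stacks to one dark subpixel out of two rather than to a clear pixel: superposition can only darken, which is the gap between or and xor that slide 33 points at.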

  34. Multi-secret sharing schemes [Figure: And gate with output secrets s0, s1 and shares sh1, sh2, sh3, labelled bR1, … | s0R1, … | s1R1; Rec(sh1, sh2) = s0 (R1 s0R1 = s0); Rec(sh1, sh3) = s1 (R1 s1R1 = s1)] The construction in general form can be described in terms of two multi-secret sharing schemes for a set of three participants and two secrets

  35. Gate Equivalent Visual Secret Sharing: Each combination of the visual shares visually reconstructs image I0 or image I1, e.g., Rec(vlsh0, vrsh0) = I0, …, Rec(vlsh1, vrsh1) = I1. We can do it by using two instances of a visual multi-secret sharing scheme (see the paper for constructions and details…) [Figure: And gate with visual shares vlsh0, vrsh0, vlsh1, vrsh1 and output images I0, I1]

  36. An example

  37. An example

  38. An example

  39. Input shares - Circuit representation

  40. Physical Oblivious Transfer: Assumption: Indistinguishable envelopes exist

  41. Physical Oblivious Transfer: Two-round protocol: (1) Prepares two envelopes with the visual shares. [Figure: envelopes marked 0 and 1]

  42. Physical Oblivious Transfer: Two-round protocol: (1) Prepares two envelopes with the visual shares; (2) hands to Bob. [Figure: envelopes marked 0 and 1]

  43. Physical Oblivious Transfer: Two-round protocol: (1) Prepares two envelopes with the visual shares; (2) hands to Bob; (3) Turns his shoulders to Alice, takes the one of interest, removes the post-it from the other. [Figure: envelopes marked 0 and 1; labels “keeps” and “gives back”]

  44. Physical Oblivious Transfer: Two-round protocol: (1) Prepares two envelopes with the visual shares; (2) hands to Bob; (3) Turns his shoulders to Alice, takes the one of interest, removes the post-it from the other; (4) hands to Alice. [Figure: envelopes marked 0 and 1; labels “keeps” and “gives back”]

  45. Physical Oblivious Transfer: Two-round protocol: (1) Prepares two envelopes with the visual shares; (2) hands to Bob; (3) Turns his shoulders to Alice, takes the one of interest, removes the post-it from the other; (4) hands to Alice; (5) Destroys it under Bob’s surveillance. [Figure: envelopes marked 0 and 1; labels “keeps” and “gives back”]

  46. VTPC Protocol • Alice constructs the visual shares associated to the input wires • Sends to Bob the shares associated to her input bits • Runs with Bob n instances of the physical OT protocol to enable Bob to recover the n visual shares associated to his input bits • Bob visually evaluates the circuit (and communicates the result to Alice)

  47. Visual Evaluation: An example

  48. Boolean function: f(x,y)=(x1+y1)[(x2y2)(x3+y3)] [Figure: circuit with inputs x1, y1, x2, y2, x3, y3 and gates G1, G2, G3, G6, G7; chosen images for bit representation 0 and 1]

  49. Input shares constructed by Alice through the VTPC protocol [Figure: circuit with inputs x1, y1, x2, y2, x3, y3 and gates G1, G2, G3, G6, G7]

  50. Shares held by Bob after the OT protocols, assuming x=011 and y=110 [Figure: circuit with inputs x1, y1, x2, y2, x3, y3 and gates G1, G2, G3, G6, G7]
