On the Exact Round Complexity of Self-Composable Two-Party Computation
Sanjam Garg, Susumu Kiyoshima, Omkant Pandey
Copyright©2017 NTT corp. All Rights Reserved.

Outline
1. Introduction
2. Our Result
3. Our Techniques

Secure Two-Party Computation (2PC)
Goal: Two parties jointly compute an arbitrary function
[Figure: P1 and P2; Goal: compute]
Security: Correctness, Privacy, Input independence, ...

Security Definition of 2PC
▶ Secure ⇔ ∀ malicious adv A, ∃ simulator S s.t.
[Figure: Real and Ideal executions, each with P1]
Guarantee: Real is as secure as Ideal

Concurrently Secure 2PC
▶ Two parties might join many sessions concurrently (possibly with other parties)
[Figure: P1, P2 and P3]
▶ Concurrent setting is more general, realistic, ...

How to achieve Concurrent 2PC
Difficulty:
• impossible to achieve in plain model [CKL03, Lin04]
Bypass: Relaxed security definitions
• Super-polynomial-time simulation (SPS) [Pas03,PS04,BS05, ...]
• Angel-based UC [PS04,MMY06,CLP10, ...]
• Input indistinguishability [MPR06,GGJS10]
• Multiple ideal-query [GJO10,GJ13,CGJ15]

SPS security of Concurrent 2PC
▶ Simulator can run in super-poly time
[Figure: Real and Ideal executions, each with P1]
Guarantee: Any attack can be simulated in Ideal in super-poly time
⇒ OK if Ideal is secure against super-poly adv

What is Known about Concurrent SPS 2PC
Asymptotic round complexity is well studied
[Figure: messages between P1 and P2; how many? (asymptotically)]
▶ We have constant-round concurrent SPS 2PC under standard assumptions [GGJS12] (trapdoor permutations & collision-resistant hash)

What is Unknown about Concurrent SPS 2PC
Exact round complexity is not well studied
[Figure: messages between P1 and P2; how many? (exactly)]
▶ In concurrent SPS, large constant (≥ 20) [GGJS12]
▶ In stand-alone, only 5 (optimal)! [KO04, ORS15]

The Problem We Studied
Can we get concurrently secure SPS 2PC with good exact round complexity?

Our Result
5-round concurrently secure SPS 2PC (i.e., same round complexity as standalone case [KO04])
Assumption:
▶ 3-round non-malleable commitment w/ extractability property + standard crypto primitives (TDP and lossy encryption)
Note: Such non-malleable commitment exists under quasi-poly OWP [GRP16]

Remarks on Our Result
✔ Round complexity can be decreased to 4 if only one party gets output
✔ Assumptions can be weakened to poly-hard ones if round complexity is increased to 7
✘ We don't know whether 5 is optimal

Bad News: Our 2PC is Quite Complex
▶ We carefully combine the following primitives:
• garbled circuit
• trapdoor permutation
• 4-round ZK argument by Feige & Shamir [FS90]
• ZAP
• lossy encryption
• symmetric-key encryption
• MAC
• non-interactive commitment
• 3-round extractable commitment
• 3-round non-malleable commitment
• equivocal commitment by Katz & Ostrovsky [KO04]

So, Let's Focus on Simple Setting
▶ In this talk, we focus on the following setting
• Only one party gets output
  ▶ Add 1 round if both parties get outputs
• Each party has fixed role
  ▶ Add non-malleable com if roles are interchangeable
[Figure: P1 and P2]

Overall Approach
▶ We already have:
1. 4-round 2PC protocol in stand-alone setting [KO04]
2. compiler from stand-alone 2PC to concurrent SPS 2PC [GGJS12]
Let's combine them!

Concurrent SPS Compiler of [GGJS12] (1/3)
Compiler & simulator are simple:
Compiler: Add trapdoor setup phase & WI proofs
[Figure: P1 and P2; trapdoor setup followed by WIPOK]
Prove: I'm honest, or I know trapdoor
Simulator: Extract trapdoor by brute force & use it in WI proof

Concurrent SPS Compiler of [GGJS12] (2/3)
Showing indistinguishability is hard:
Real:
  IND? Naive reduction runs in super-poly time when emulating simulator internally
Ideal: Simulator obtains trapdoor in super-poly time

Concurrent SPS Compiler of [GGJS12] (3/3)
Key idea by [GGJS12]: Let's consider poly-time hybrid!
Real:
  IND: Reduction works because both are poly-time
Hybrid: Simulator obtains trapdoor in poly time via rewinding extraction
  IND: Only difference is extraction (brute-force vs. rewinding)
Ideal: Simulator obtains trapdoor in super-poly time

4-round 2PC by [KO04] + Compiler by [GGJS12]
Designing super-poly-time simulator is easy:
KO protocol: semi-honest 2PC + coin-tossing + WIPOK/ZKAOK
[Figure: messages exchanged between P1 and P2: WI1 to WI3, coin1 to coin3, 2PC1 to 2PC3, ZK1 to ZK4]
Simulator: extract witness from WIPOK/ZKAOK

4-round 2PC by [KO04] + Compiler by [GGJS12]
Showing indistinguishability is hard:
Real:
  IND?
Hybrid: Simulator obtains trapdoor in poly time via rewinding extraction
Ideal: Simulator obtains trapdoor in super-poly time

On IND between Real and Hybrid
[Figure: P1 in two concurrent sessions (simulated session 1 and session 2). Labels: WIPOK (WI1, WI2, WI3), simulated coin-tossing + 2PC, coin-tossing + 2PC, ZKAOK (ZK1, ZK2, ZK3, ZK4), witness extraction]
WI no longer holds! (because WI2 and WI3 are rewound)
▶ Wanted: WIPOK that is "WI" under rewinding
• Resettable WI is incompatible with POK...

Our Solution
Observation: We need to change witness only on "main thread"!
In Hybrid:
[Figure: WI1 followed by three threads of WI2, WI3. On one thread: witness used here needs to be changed. On the others: witness used here can remain same as before]
▶ This is because Ideal has only main thread
• We use rewinding only in Hybrid
By combining ZAP and extractable commitment, we obtain WIPOK that is WI in above setting

Other Technicalities
1. IND between Ideal and Hybrid:
• Not trivial (Rewinding and brute-force can extract different values)
⇒ We use lossy encryption to solve the problem
2. Interchangeable role
• We use non-malleable commitment and statistically secure primitives in standard way [BPS06]

Summary
Our Result: 5-round concurrently secure SPS 2PC (i.e., same round complexity as standalone case [KO04])
Assumption:
▶ 3-round non-malleable commitment w/ extractability property + standard crypto primitives (TDP and lossy encryption)
Note: Such non-malleable commitment exists under quasi-poly OWP [GRP16]

Appendix
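
Added example, not from the talk or from [GGJS12]: the compiler idea on the "(1/3)" slide as a runnable toy, where a prover shows "I know the witness for statement 0 OR the trapdoor for statement 1" and the simulator brute-forces the trapdoor and proves with it. Assumptions: a tiny constructed discrete-log group, the standard Schnorr OR-composition standing in for the WIPOK, a discrete-log statement standing in for "I'm honest", and hypothetical function names throughout.

```python
import secrets

# Constructed toy Schnorr group, far too small to be secure: P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (secret x, public G^x): a witness/statement pair (assumed stand-in)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def prove_first(stmts, known):
    """First message: real commitment on branch `known`, simulated transcript on the other."""
    r, c_sim, z_sim = (secrets.randbelow(Q) for _ in range(3))
    commits = [0, 0]
    commits[known] = pow(G, r, P)
    # Choosing R = G^z * X^(-c) makes the unknown branch verify for the pre-chosen c_sim.
    commits[1 - known] = pow(G, z_sim, P) * pow(stmts[1 - known], -c_sim, P) % P
    return commits, (r, c_sim, z_sim)

def prove_second(known, witness, state, challenge):
    """Answer the challenge: the two sub-challenges must sum to it (mod Q)."""
    r, c_sim, z_sim = state
    c_real = (challenge - c_sim) % Q
    cs, zs = [c_sim, c_sim], [z_sim, z_sim]
    cs[known], zs[known] = c_real, (r + c_real * witness) % Q
    return cs, zs

def verify(stmts, commits, challenge, cs, zs):
    """Accept iff both branches check out and the sub-challenges sum to the challenge."""
    if sum(cs) % Q != challenge % Q:
        return False
    return all(pow(G, zs[k], P) == commits[k] * pow(stmts[k], cs[k], P) % P
               for k in (0, 1))

def brute_force_trapdoor(trapdoor_stmt):
    """Simulator's extraction: exhaustive search, the toy analogue of super-poly time."""
    return next(x for x in range(Q) if pow(G, x, P) == trapdoor_stmt)

def run_session(stmts, known, witness):
    """One WI proof of 'I know the witness for stmts[0] OR for stmts[1]'."""
    commits, state = prove_first(stmts, known)
    challenge = secrets.randbelow(Q)
    cs, zs = prove_second(known, witness, state, challenge)
    return verify(stmts, commits, challenge, cs, zs)

if __name__ == "__main__":
    (a, A), (_, T) = keygen(), keygen()  # A: honesty stand-in; T: trapdoor statement
    print("honest prover:", run_session([A, T], 0, a))
    print("simulator:    ", run_session([A, T], 1, brute_force_trapdoor(T)))
```

The verifier runs the same check in both sessions and cannot tell which branch the prover actually knew, which is the property the simulator relies on.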