Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Similar presentations


Presentation on theme: "Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA."— Presentation transcript:

1 Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA

2 Minicrypt Cryptomania OWF KA PRGSIGNENCPRFCOMMITZK PKEOT TDP

3

4 More general than you might think… –encryption, commitment, ZK, coin-flipping, signatures can be captured as special cases. This talk: secure function evaluation –Two or more parties holding inputs x i –Parties wish to compute f(x 1,x 2,…) without revealing inputs to each other –Several variants Honest majority vs. two-party / no honest majority Computational vs. unconditional security Semi-honest vs. malicious parties Standalone vs. UC Secure Computation

5 No honest majority –OT computationally secure MPC [Yao86,GMW87] Ideal OT Unconditional, UC MPC [Kil88,IPS08] –MPC for nontrivial f OT [CK89,KKMO94,BIM99,HNRR04] Honest majority, secure channels –Unconditional MPC [BGW88,CCD88,RB89] Feasibility Results Inputs: Alice (s 0,s 1 ) Bob c Bob outputs s c

6 The Two-Party Case Alice Bob xy f(x,y) PPT PPT S Bob x,y, |x|=|y| S Bob (y) c View Bob (x,y) PPT S Alice x,y, |x|=|y| S Alice (x,f(x,y)) c View Alice (x,y)

7 The Two-Party Case Alice Bob xy f(x,y) k PPT S Bob p x k,y k S Bob (1 k,y k ) c View Bob (1 k,x k,y k ) PPT S Alice p x k,y k S Alice (1 k,x k,f(x k,y k )) c View Alice (1 k,x k,y k )

8 A lot of work on practical efficiency This talk: asymptotic efficiency –May also be relevant to practice –Theory beats heuristics Efficiency measures –Communication complexity –Computational complexity –Round complexity Question: given function f and security parameter k –How far can we push each efficiency measure? –Under what assumptions? Efficiency of Secure Computation

9 Round Complexity Alice Bob xy f(x,y) 2-message OT necessary (for general f) Is it also sufficient? Cryptomania

10 Enc(y) Randomized Encoding [Yao86,…,IK00,AIK04] g is a randomized encoding of f –Nontrivial relaxation of computing f Hope: –g can be simpler than f (meaning of simpler determined by application) –g can be used as a substitute for f xy f Enc(y)x g r decoder simulator Dec(g(x,r)) = f(x) Sim(f(x)) g(x,r)

11 Notions of Simplicity Decomposable encoding g((x 1,…,x n ),r)=(g 1 (x 1,r),…,g n (x n,r)) x r 2-Decomposable encoding g((x,y),r)=(g x (x,r),g y (y,r)) y NC 0 encoding Output locality c Low-degree encoding Algebraic degree d over F x r

12 Decomposable Encoding g((x 1,…,x n ),r)=(g 1 (x 1,r),…,g n (x n,r)) Application: Parallel reduction of secure 2-party computation to OT g((x,y),r)=(g 1 (x 1,r),…,g n (x n,r), g y (y,r)) Alice Bob xy r g y (y,r) f(x,y) OT x1x1 g 1 (x 1,r) g 1 (0,r) g 1 (1,r) g n (0,r) g n (1,r) xnxn g n (x n,r) More effort if Bob can be malicious

13 Notions of Simplicity Decomposable encoding g((x 1,…,x n ),r)=(g 1 (x 1,r),…,g n (x n,r)) x r 2-Decomposable encoding g((x,y),r)=(g x (x,r),g y (y,r)) y NC 0 encoding Output locality c Low-degree encoding Algebraic degree d over F x r

14 Notions of Simplicity Decomposable encoding g((x 1,…,x n ),r)=(g 1 (x 1,r),…,g n (x n,r)) x r 2-Decomposable encoding g((x,y),r)=(g x (x,r),g y (y,r)) y NC 0 encoding Output locality c Low-degree encoding Algebraic degree d over F x r A minimal model for secure computation [FKN94] Alice Bob xy Carol r f(x,y) g y (y,r) g x (x,r)

15 Notions of Simplicity Decomposable encoding g((x 1,…,x n ),r)=(g 1 (x 1,r),…,g n (x n,r)) x r 2-Decomposable encoding g((x,y),r)=(g x (x,r),g y (y,r)) y NC 0 encoding Output locality c Low-degree encoding Algebraic degree d over F x r Randomizing polynomials [IK00,…] round-efficient secure multi-party computation

16 Notions of Simplicity Decomposable encoding g((x 1,…,x n ),r)=(g 1 (x 1,r),…,g n (x n,r)) x r 2-Decomposable encoding g((x,y),r)=(g x (x,r),g y (y,r)) y NC 0 encoding Output locality c Low-degree encoding Algebraic degree d over F x r Cryptography in NC 0 [AIK04,…] OWF

17 Basic Facts If we dont care about efficiency, every f has a perfect, decomposable encoding g with –degree 3 over F 2 (generalizes to arbitrary rings) –output locality 4 Negative result: degree 3 is optimal over finite fields, assuming perfect privacy [IK00] –Big fields can be tricky: g(x,r)= ( 2 i x i + c) r 2 mod p Open –degree 2 with statistical or computational privacy? 2-round MPC with t { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/7/1654651/slides/slide_17.jpg", "name": "Basic Facts If we dont care about efficiency, every f has a perfect, decomposable encoding g with –degree 3 over F 2 (generalizes to arbitrary rings) –output locality 4 Negative result: degree 3 is optimal over finite fields, assuming perfect privacy [IK00] –Big fields can be tricky: g(x,r)= ( 2 i x i + c) r 2 mod p Open –degree 2 with statistical or computational privacy.", "description": "2-round MPC with t

18 Degree-3 Encoding for Branching Programs BP(x)=det(L(x)), where L is a degree-1 mapping which outputs matrices of a special form. Encoding: 1 $ $ $ 0 1 $ $ 0 0 1 $ 0 0 0 1 * * * * -1 * * * 0 -1 * * 0 0 -1 * 1 0 0 $ 0 1 0 $ 0 0 1 $ 0 0 0 1 g(x,r 1,r 2 )= R 1 (r 1 ) L(x) R 2 (r 2 )

19 Complexity of Randomized Encoding Computational privacy –OWFs exist Decomposable encoding for a circuit C of length O(k |C|) Yaos garbled circuit technique [Yao86] Yields 2-message secure protocols from 2-message OT –Easy PRG (say, PRG in NC 1 ) NC 0 encoding of length |C| poly(k) [AIK05] Assumption implied by factoring, discrete log, lattice assumptions Primitive X exists X exists in NC 0 under Easy PRG assumption Perfect privacy –Efficient NC 0 encodings for formulas, branching programs [Kil88,FKN94,IK00,AIK04,…] –Capture complexity classes NC 1, NL/poly, L/poly

20 Open Complexity Questions No nontrivial lower bounds… Computational privacy –OWF efficient NC 0 encoding for circuits? Crypto implies crypto in NC 0 ! –Decomposable encoding of size O(|C|)? –Arithmetic garbled circuit? Perfect / statistical privacy –Efficient encoding for circuits? Constant-round unconditionally secure MPC for P? [BMR90] Relation with other questions? –Great LDC poly-communication protocols for unbounded parties –Better overhead for concrete representations

21 Back to Secure Computation Recap: Two-message secure protocol for f(x,y) –Assumes 2-message OT –O(k |C|) communication –poly(k) |C| computation Better assumption? No Better rounds? No Better computation? –PRG G:{0,1} n {0,1} n^2 in NC 0 constant overhead [IKOS08] –Not implied by standard assumptions –Semi-explicit candidate in [MST03] Better communication? –Rest of talk

22 Life After the Bomb Gentry 09: fully homomorphic encryption scheme –Enc pk (x), C Enc(C(x)) –Size of encrypted output independent of |C|,|x|! –Can hide C,x (even given sk) –Can make encrypted input size |x|+poly(k) –Corollaries Secure evaluation of f(x,y) with |input|+|output|·poly(k) bits General protocol compiler with poly(k) communication overhead –poly-time version of [NN01] –Big poly(k) computational overhead What is left to be done? –Assumptions –Better communication complexity?

23 Communication Complexity Sometimes life is a long sequence of finite tasks… –Circuit size = O(|output|) –In this case, still need poly(k) bits per gate [IKOS08]: –O(1) communication (and computation) per gate –Under exotic crypto in NC 0 assumption [IKOS09]: –O(1) communication, poly(k) computation per gate –Under -Hiding Assumption [CMS99,GR05] Allows generating (G,g) such that m | ord(g) but m is hidden

24 Assumptions Weaker results under weaker assumptions? –Beat circuit size bound for useful function classes? General problem: compute a program P on an encrypted input c Enc(x) Two sources of non-triviality –Encrypted output hides P –Encrypted output is shorter than |P| Good solutions for useful classes of P –Linear functions: standard homomorphic encryption –Truth tables: PIR [CGKS95,KO97,CMS99,…] –Degree-2 polynomials [BGN05] –Length-bounded branching programs [NN01,IP07]

25 Observation –most natural candidates for average-case hard problems imply one-way functions –most natural candidates for one-way functions imply public-key encryption typically shown in an ad-hoc way –Are we just lucky? Thesis –Hardness + structure world upgrade –Concrete instantiation inspired by [KO97,BIKM99,DMO00,IKO05,HN06] Defined via communication complexity of secure computation Relevance to Impagliazzos Worlds

26 Most instances of f,X,Y are hard. What if Alice can send Bob c R Enc(x) for free? Bob computationally bounded, Alice bounded or unbounded. Efficiency of secure computation with security against Bob –Generalizes PIR, homomorphic encryption Communication Complexity Alice Bob x Xy Y f(x,y) How many bits should be communicated to compute f whp?

27 Cryptomania x c x Minicrypt x c x Pessiland ? c x Algorithmica x c x Types of Encryption samplable pksk

28 How to Get an Upgrade Need: poly-time computable f(x,y) and input distributions X,Y such that: –f has high communication complexity on X Y Low communication error > 1/poly(n) –f has lower communication complexity when c R Enc(x) is created by Alice and given to Bob. Possibly with small error Then Enc can be upgraded Weak homomorphic property

29 Candidate f,X,Y f(x,y)= x i y i mod 2 –X,Y uniform on {0,1} n –Hard for interactive protocols with n-O(1) communication [Yao,Vaz,CG] f(x,y)= x i y i –Y uniform on {0,1} n, X uniform of weight 1 –Hard for non-interactive Bob Alice protocols with n-1 bits of communication

30 Minicrypt Cryptomania+ Given: –symmetric encryption (Gen,Enc,Dec) –weakly homomorphic for (f,X,Y) with bounded Alice Goal: Build public-key encryption (Gen,Enc,Dec) Alice Bob x Xy Y f(x,y) c=Enc sk (x) d=Bob(c,y) Alice(sk,d,x) sk Gen Multi-round protocol KA

31 Minicrypt Cryptomania+ Gen –sk Gen; x X; c Enc sk (x) –pk = (c,x) Enc pk (b) –y Y –Output (Bob(c,y), b f(x,y)) Dec sk (d,e) –Recover f(x,y) from (d,sk) using Alices algorithm –Output e f(x,y) Security: using hybrid game with c Enc sk (x) –Predicting f(x,y) from (c,x,Bob(c,y)) is impossible unconditionally –Hybrid game computationally indistinguishable from real game Implies 2-message OT with statistical security for Sender

32 Example: Kids Encryption PKE Let p = public k-bit prime –sk R Z p –Enc sk (b)= (2r+b) sk mod p r R [0, p/(4k)] –Dec sk (c) = ((c sk -1 ) mod p) mod 2 –Enc sk (x)=Enc sk (x 1 ) … Enc sk (x n ) Weak homomorphism: –Let x,y {0,1} 2k –Given c=(c 1,…,c 2k ) Enc sk (x) and y, Bob(c,y)= y i c i allows Alice to decode x i c i

33 Example: LWE PKE Decisional LWE: (M,Mr+e) is pseudorandom –M,x random over Z q –e random with small entries Symmetric encryption: –sk = random r –Enc sk (x)=(M,Mx+e+ q/2 x) Weak homomorphism –By adding rows, as long as e i << q

34 Pessiland Minicrypt+ Given: –Pessiland Encryption Enc –Enc is weakly homomorphic for (f,X,Y) with unbounded Alice –(f,X,Y) is nontrivial: for any distinct y,y, Pr x X f(x,y)=f(x,y)<1-1/poly Goal: Build a collision-resistant hash function Construction –Key generation: c Enc –Hashing: h c (y)=Bob(c,y) –Collision resistance: h c (y)=h c (y) f(x,y)=f(x,y) for x=Dec(c) nontrivial info on x

35 Failed Attempt: LPN CRHF Assumption: (M,Mr+e) is pseudorandom –M,r random over Z 2, e random with low Hamming weight –Similar to LWE but over binary field –Follows from hardness of search problem Implies symmetric encryption n 1/2- -noise LPN implies PKE [Ale03] –Also 2-message OT Not known to imply CRHF Explanation –Homomorphism limited by dimension –In case of LWE, field size gives extra degree of freedom

36 Summary Under standard assumptions –Constant rounds –poly(k) communication and computation per gate Pushing communication to an extreme –Fully homomorphic encryption Secure communication poly(k) insecure communication Same round complexity – -hiding assumption O(1) communication per gate O(depth) rounds –Both expensive in computation Pushing computation to an extreme –poly-stretch PRG in NC 0 O(1) computation per gate O(depth) rounds

37 Concluding Remarks Ambitious goals call for nonstandard assumptions. –especially when no heuristics are available Does nonstandard mean more risky? –Factoring requires super-polynomial time vs. –A random NC 0 function is exponentially hard to invert


Download ppt "Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA."

Similar presentations


Ads by Google