Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Cross-Domain Secure Computation Chongwon Cho (HRL Laboratories) Sanjam Garg (IBM T.J. Watson) Rafail Ostrovsky (UCLA)

Published byEmily Smith Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Cross-Domain Secure Computation Chongwon Cho (HRL Laboratories) Sanjam Garg (IBM T.J. Watson) Rafail Ostrovsky (UCLA)"— Presentation transcript:

1 1 Cross-Domain Secure Computation Chongwon Cho (HRL Laboratories) Sanjam Garg (IBM T.J. Watson) Rafail Ostrovsky (UCLA)

2 2 Secure Computation [Yao, GMW] Alice and Bob – Alice holds input x. – Bob holds input y. Goal Goal: jointly compute F(x,y) = z Security Security: after joint computation, – Alice does not know anything about y. – Bob does not know anything about x.

3 3 Secure Computation [GMW] Functionality F(x,y) Protocol Xy Real world Ideal World zz F (x,y) = z z z Xy

4 4 Secure Computation [GMW] For any PPT adversary A in real world We have PPT adversary S in ideal world Xy Real world Ideal World zz F (x,y) = z z z Xy ≡

5 5 (Black-box) Simulator S Has Black-box access to A Rewinds A for successful simulation S A

6 6 Tough life in Internet world Many copies of (the same) protocol are executed. Does a stand-alone secure protocol remains secure in the internet world?

7 7 Concurrent Security [DDN92, DNS98] Concurrent adversary A : – Can interact with honest parties in multiple executions of protocol. – Malicious scheduling of messages. Simulation-based security definition: – For all concurrent adversary A in real world, an ideal world adversary S exists outputting a view just looking like the view of A in the real world.

8 8 Dark Side of Concurrent security In the plain model (without help), – Requires ω(log n) rounds for concurrent ZK with black- box simulation [CKPR01] – Impossibility results for multi-party computation [Lin04, BPS06, Goy12, AGJ+12, GKOV12] Why so tough to construct concurrently secure protocols? – Rewinding is problematic in concurrent setting. – Simulator needs to recursively rewind the nested sessions – Simulation time blown up

9 9 Avoiding the trouble Trusted party setup (CRS, …) [CF01, CLOS02, …] – A single trusted entity – Trusted by every party Public-Key registration (BPK) [CGGM02, …] – A single entity registers public keys of parties – No trust needed – Bounds the number of sessions to rewind Key authorization [BCNP04, …] – Resembles public key authorization infrastructure Relaxation of simulation requirement – Super-polynomial time simulation [Pas03,PS04,BS05, GGJS11]

10 10 Overview of Our Results A new set-up model introduced, called the Cross-Domain (CD) model. (Positive) In this new model, we provide a constant-round concurrently secure protocol with Black-box simulation. (Negative) We provide impossibility result which characterizes the feasibility of concurrently secure computation better.

11 11 Motivating Scenario Trust Do NOT Trust Trust Can Amazon perform Concurrently Secure MPC with Google while using arbitrary number of physically distinct servers?

12 12 Cross-Domain (CD) Model Each domain defined by each Key Certificate Authority (KCA). Each party belongs to a single domain. KCA KCA Domain 2 Domain 1

13 13 Cross-Domain (CD) Model Each party trusts only its own KCA (doesn’t even talk to other KCA). Each party obtains a certificate on own public key (Signature on the public key). KCA KCA Domain 2 Domain 1 pk Sig(pk,sk 1 ) (sk 1,vk 1 )(sk 2,vk 2 ) I want to compute some function with a guy in domain 2! Here is my public key!

14 14 Cross-Domain (CD) Model KCAs exchanges their verification keys. Then, each KCA distributes the obtained verification keys to its domain entities. KCA KCA Domain 2 Domain 1 Sig(pk,sk 1 ) (sk 1,vk 1 )(sk 2,vk 2 ) vk 1 vk 2 vk 1 vk 2 Hey! One of my client wants to talk to one of your clients. Give me one verification key to be used. Thanks.

15 15 Cross-Domain (CD) Model New parties can be introduced into on-going computation anytime. – No bound on the number of parties Once a party is corrupted in a domain, we assume that all parties are corrupted in that domain. KCA KCA Domain 2 Domain 1 Sig(pk,sk 1 ) (sk 1,vk 1 )(sk 2,vk 2 ) vk 2 vk 1 vk 2  No security guarantee among the parties in the same domain

16 16 Cross-Domain (CD) Model The security is guaranteed between parties across distinct domains. Each party can register multiple keys. No bound on the number of players No security guarantee among the parties in the same domain

17 17 Comparisons to other models Bare-Public key model [CGGM02] – No key registration allowed during the main execution – (CD model) No synchronization barrier Bounded Player model [GJORV13] – Bound on the number of parties – (CD model) No bound on number of parties

18 18 Generalization of BPK model A special case of CD model is equivalent to the BPK model We show: π concurrently securely realizes any F in a special case of CD model if and only if π’ exists concurrently securely realizing F in the BPK model

19 19 Main Theorems In the CD model, we showed: – (Positive) If N domains exist, then an M-party constant-round concurrently secure protocol exists where at least one party from each domain participate in the secure computation (Black-Box Simulation). – (Negative) If N+1 domains exist, no concurrently secure protocol exists where the parties come from only N domains.

20 20 KCA KCA Domain 2 Domain 1 (sk 1,vk 1 )(sk 2,vk 2 ) vk 2 vk 1 Sig(pk 1,sk 1 ) vk 2 Sig(pk 2,sk 2 ) vk 1 Send Com(valid_Cert)……….then……. Intuition on the constant round protocol

21 21 Intuition on the constant round protocol KCA KCA Domain 2 Domain 1 (sk 1,vk 1 )(sk 2,vk 2 ) vk 2 vk 1 Sig(pk 1,sk 1 ) vk 2 Sig(pk 2,sk 2 ) vk 1 Send Com(valid_Cert)……….then……. The content in Com is never opened!! Prove that the Certificate just sent in Commitment is a valid signature w.r.t vk 1. or Prove that the signature just sent in Commitment is a valid signature w.r.t. vk 2.

22 Simulation Intuitions Once simulator S successfully extracts (by rewinding) a signature of a single party in the other domain…then….. S can use the extracted signature to simulate all other parties for the domain Real adversaries cannot do the same by the security of signature scheme (e.g., existential unforgeability). The analysis of simulator’s time complexity based on [Ros03] – Expected Probabilistic Polynomial Time

23 23 Impossibility of cross-domain secure computation We prove: – In the CD model, concurrently secure Oblivious Transfer (OT) protocol for two domains is not secure with three domains with fixed role and static inputs.

24 24 High-level Proof of Impossibility Proof resembles the previous impossibility results of [AGJ+12] and [GKOV12] Chosen Protocol Attack [BPS06]: For every protocol π concurrently securely realizing OT, there exists π’ such that… π’ := π + (some gadget) Running π and π ’ concurrently  the composition of π and π’ not secure in the static input setting There exist an adversarial strategy and input configuration for parties where any PPT simulator cannot simulate

25 25 High-level Proof of Impossibility The simplest setting considered – Three parties and three domains KCA Domain 1 KCA Domain 2 KCA Domain 3 π’π’ π This adversary can NOT be simulated! [BPS06] But this is not impossibility for concurrent composition (self composition)

26 26 Final Step towards the impossibility KCA Domain 1 KCA Domain 2 KCA Domain 3 π’π’ K 1,0, k 1,1 K 2,0, k 2,1 π π Yao’s Garbled Circuit w.r.t π’ given as input Need Keys for Evaluation! Keys for Evaluation as inputs

27 27 Open Problems Better model reflecting the practice Compact protocol with smaller constant rounds Compact protocol with smaller constant rounds What information in concurrent computation is leaked? What information in concurrent computation is leaked?

28 28 THANK YOU

Download ppt "1 Cross-Domain Secure Computation Chongwon Cho (HRL Laboratories) Sanjam Garg (IBM T.J. Watson) Rafail Ostrovsky (UCLA)"

Similar presentations

Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
Survey: Secure Composition of Multiparty Protocols Yehuda Lindell Bar-Ilan University.

Survey: Secure Composition of Multiparty Protocols Yehuda Lindell Bar-Ilan University.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Similar presentations

Ads by Google