Carmit Hazay (Bar-Ilan University, Israel)

Presentation transcript:

Constant-Round Adaptively Secure Protocols in the Tamper-Proof Hardware Model. Carmit Hazay (Bar-Ilan University, Israel), Antigoni Ourania Polychroniadou (Cornell University, New York), Muthuramakrishnan Venkitasubramaniam (University of Rochester, New York).

Secure Communications over the Internet

Introduction to Secure Multi-Party Computation [Yao82, GMW87, BGW88, CCD88, …]

Secure Multi-Party Computation (UC): four parties holding inputs x1, x2, x3, x4 jointly compute f(x1, x2, x3, x4) = (y1, y2, y3, y4), with party i receiving yi. Goal: Correctness: everyone computes f(x1, …, x4). Security: nothing but the output is revealed. Adversary: PPT, malicious, adaptive.

Static corruption: the adversary corrupts parties only at the onset of π. Adaptive corruption: the adversary corrupts parties adaptively during the execution of π.

Adaptive corruption of all parties is crucial in the composition of protocols. Consider an n-party protocol πouter which invokes an m-party protocol πinner, where n > m, and an adversary that may corrupt all m parties in πinner. The security of πouter should still hold.

State-of-the-art for MPC protocols (d is the depth of the circuit implementing f):
Static, malicious: two-party computation in 5 rounds [KO04]; multiparty computation in O(1) rounds [LP11, G11]. Overall: O(1).
Adaptive, malicious: two-party computation in O(d) rounds [GMW86]; multiparty computation in O(d) rounds [CLOS02]. Overall: O(d).
Does the round complexity for adaptive security need to depend on depth?

Open Problem: What is the round complexity of adaptive MPC based on standard assumptions? Using setup?

Partial solutions for constant-round protocols: using indistinguishability obfuscation in the common reference string model [GP15, DKR15, CGP15, CPV17a].

Main Theorem (this work): Assuming OWFs, there is an O(1)-round adaptively secure 2PC protocol in the tamper-proof hardware model. It is black-box in the OWFs, fully composable (security in the GUC framework [HPV16]), and relies only on decentralized trust. Previous works require stateful tokens and O(d) rounds [GISVW10, DMRV13].

Hardware tamper-proof token model: decentralized trust (e.g., Intel's SGX). Stateless tokens: a token programmed with f answers a query x with f(x). Good. Stateful tokens: a token holding b0, b1 answers a choice bit c with bc. Not so good: requires non-volatile memory.

Hardware tamper-proof token model, attacker capability: the attacker may transfer tokens (a token programmed with f still answers x with f(x)) and inject malicious code into tokens it creates.

Hardware tamper-proof token model, adaptive attacker capability: corrupt a party P after the execution of Π. The global UC functionality Fglobal of [HPV16] is sufficient.

Our Results. Theorem (informal): Assuming OWFs, any (well-formed) two-party functionality can be realized by an O(1)-round construction with GUC security in the Fglobal-hybrid against malicious and adaptive adversaries. We follow the Yao-based approach to secure two-party computation: an adaptive GUC oblivious transfer protocol in the Fglobal-hybrid; an adaptive GUC commitment scheme in the Fglobal-hybrid; equivocating Yao's garbled circuits in the Fglobal-hybrid (this talk).

Garbled circuit construction [Yao80]: a Boolean circuit C is turned into a garbled circuit GC. Each input wire xi is assigned a pair of λ-bit labels (Li,0, Li,1), for i = 1, …, 4.

Garbled circuit construction [Yao80], continued: the pairs of λ-bit keys (L1,0, L1,1), …, (L4,0, L4,1) on the input wires, plus a decoder that maps output labels back to bits.
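A minimal worked instance of the label-pair construction described on these slides, added here as an example and not code from the talk: one Boolean gate is garbled under pairs of λ-bit labels, evaluated with exactly one active label per input wire, and its output label is decoded. The point-and-permute row selection and the SHA-256-based row encryption are my assumptions, not the construction in the paper.

```python
import hashlib
import os
import secrets

LAMBDA = 16  # label length in bytes (lambda = 128 bits); an assumed parameter


def new_wire():
    """Return a label pair (L0, L1) whose last byte is an opposite select bit."""
    p = secrets.randbits(1)
    l0 = os.urandom(LAMBDA - 1) + bytes([p])
    l1 = os.urandom(LAMBDA - 1) + bytes([1 - p])
    return (l0, l1)


def sel(label):
    """Select bit of a label; it is independent of the bit the label encodes."""
    return label[-1]


def H(la, lb, gate_id):
    """Row key derived from the two input labels (assumed hash-based PRF)."""
    return hashlib.sha256(la + lb + gate_id.to_bytes(4, "big")).digest()[:LAMBDA]


def garble_gate(gate_id, wa, wb, wout, fn):
    """Garble a 2-input gate: 4 rows, each output label masked by H(la, lb)."""
    table = [None] * 4
    for a in (0, 1):
        for b in (0, 1):
            la, lb = wa[a], wb[b]
            row = 2 * sel(la) + sel(lb)  # point-and-permute: row index from select bits
            table[row] = bytes(x ^ y for x, y in zip(H(la, lb, gate_id), wout[fn(a, b)]))
    return table


def eval_gate(gate_id, table, la, lb):
    """Evaluator holds one active label per input wire and recovers one output label."""
    row = 2 * sel(la) + sel(lb)
    return bytes(x ^ y for x, y in zip(H(la, lb, gate_id), table[row]))


def decode(wout, label):
    """Decoder: the garbler's mapping from the output wire's label pair to a bit."""
    if label == wout[0]:
        return 0
    if label == wout[1]:
        return 1
    raise ValueError("label is not on the output wire")


def demo(x, y, fn):
    """Garble fn, hand the evaluator only the active labels for (x, y), decode."""
    wa, wb, wo = new_wire(), new_wire(), new_wire()
    table = garble_gate(1, wa, wb, wo, fn)
    return decode(wo, eval_gate(1, table, wa[x], wb[y]))
```

Because `eval_gate` never sees the inactive labels, the evaluator learns only the row it can open, which is the property the later equivocation slides build on.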

Token-based garbled circuits: the garbled circuit GC is delivered together with the input-wire label pairs (L1,0, L1,1), (L2,0, L2,1), (L3,0, L3,1), (L4,0, L4,1).

How to equivocate garbled circuits: the simulator Sim must hand the receiver R a garbled circuit GC with label pairs (L1,0, L1,1), …, (L4,0, L4,1) while the sender S's input is unknown, and later explain it once the sender's input is known.

How to equivocate garbled circuits: while the sender's input is unknown, Sim places a fake program P' in the token; the simulator cannot program the token after its creation, so once the sender's input is known it must explain the fake P as the real P.

How to equivocate garbled circuits, best case: both labels on a wire are active, so the fake P can be explained as the real P directly.

How to equivocate garbled circuits, one label active: the active labels are explained as before, while the inactive labels are handled through a subliminal mechanism so that the fake P can still be explained as the real P.

Summary: we designed constant-round adaptive 2PC protocols with stateless tokens, from OWFs (minimal [GISVW10]) and with GUC security. Interesting corollaries to the Global Random Oracle (GRO) model [CJS15]: the first adaptively secure protocols with GUC security in the GRO model. Inspiration for an upcoming result in the plain model [CPV17b]!

Thank you!