Constant-Round Adaptively Secure Protocols in the Tamper-Proof Hardware Model
Carmit Hazay (Bar-Ilan University, Israel), Antigoni Ourania Polychroniadou (Cornell University, New York), Muthuramakrishnan Venkitasubramaniam (University of Rochester, New York)
Secure Communications over the Internet
Introduction to Secure Multi-Party Computation [Yao82, GMW87, BGW88, CCD88, ...]
Secure Multi-Party Computation (UC)
Four parties holding inputs x1, x2, x3, x4 jointly compute f(x1, x2, x3, x4) = (y1, y2, y3, y4), with party i receiving output yi.
Goal:
- Correctness: everyone computes f(x1, ..., x4)
- Security: nothing but the output is revealed
Adversary: PPT, malicious, adaptive
Static corruption: the adversary corrupts parties only at the onset of π.
Adaptive corruption: the adversary corrupts parties adaptively during the execution of π.
Adaptive corruption of all parties
Crucial in the composition of protocols. Consider an n-party protocol π_outer that invokes an m-party protocol π_inner, where n > m. Consider an adversary that may corrupt all m parties in π_inner. Then the security of π_outer should still hold.
State of the art for MPC protocols (d is the depth of the circuit implementing f)
                       Two-party computation   Multiparty computation
Static, malicious      5 rounds [KO04]         O(1) rounds [LP11, G11]
Adaptive, malicious    O(d) rounds [GMW86]     O(d) rounds [CLOS02]
Static security is known in O(1) rounds, adaptive security only in O(d) rounds. Does the round complexity for adaptive security need to depend on the depth?
Open problem: what is the round complexity of adaptive MPC based on standard assumptions? Using setup?
Partial solutions for constant-round protocols:
- Using indistinguishability obfuscation in the common reference string model [GP15, DKR15, CGP15, CPV17a]
Main theorem (this work): assuming OWFs, O(1)-round adaptively secure 2PC in the tamper-proof hardware model.
- Black-box in the OWF
- Fully composable: security in the GUC framework [HPV16]
- Decentralized trust
- Previous works require stateful tokens and O(d) rounds [GISVW10, DMRV13]
Hardware tamper-proof token model
Decentralized trust, i.e. hardware such as Intel's SGX.
- Stateless tokens: the token holds a function f and, on query x, returns f(x). Good.
- Stateful tokens: the token holds values b0, b1 and, on query c, returns bc. Not so good: requires non-volatile memory.
Hardware tamper-proof token model: attacker capability
A token computing x -> f(x) may be handled by the adversary, who can transfer tokens and inject malicious code into the tokens it creates.
Hardware tamper-proof token model: adaptive attacker capability
The adversary may corrupt a party P after the execution of Π. The global UC functionality F_global of [HPV16] is sufficient to model this.
Our results
Theorem (informal): assuming OWFs, any (well-formed) two-party functionality can be realized by an O(1)-round construction with GUC security in the F_global-hybrid against malicious and adaptive adversaries.
Follow the Yao-based approach to secure two-party computation:
- Adaptive GUC oblivious transfer protocol in the F_global-hybrid
- Adaptive GUC commitment scheme in the F_global-hybrid
- Equivocating Yao's garbled circuits in the F_global-hybrid (this talk)
Garbled circuit construction [Yao80]
A Boolean circuit C with input wires x1, x2, x3, x4 is turned into a garbled circuit GC. Each input wire xi is assigned a pair of λ-bit labels (keys) Li,0, Li,1, one per bit value, and a decoder maps the output-wire labels back to bits.
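As an added worked example (not code from the talk, and not the authors' token-based or equivocable construction), the following Python garbles a small four-input circuit with the textbook Yao/point-and-permute approach: every wire gets a pair of random λ-bit labels, each gate table encrypts the output label under the two input labels, and a decoder maps the output-wire label back to a bit. The circuit itself (AND, XOR, OR over x1..x4), the gate ids, and the SHA-256-based one-time pad used as the encryption are my own assumptions for illustration.

```python
import hashlib
import secrets

LAMBDA = 16  # label length in bytes (lambda = 128 bits)

# Constructed example circuit over input wires 1..4, gates as
# (gate_id, op, in_a, in_b, out).  Wire 7 is the single output wire.
CIRCUIT = {
    "inputs": [1, 2, 3, 4],
    "gates": [
        (0, "AND", 1, 2, 5),
        (1, "XOR", 3, 4, 6),
        (2, "OR", 5, 6, 7),
    ],
    "outputs": [7],
}

OPS = {
    "AND": lambda a, b: a & b,
    "OR": lambda a, b: a | b,
    "XOR": lambda a, b: a ^ b,
}


def xor_bytes(x, y):
    return bytes(p ^ q for p, q in zip(x, y))


def H(ka, kb, gate_id):
    """One-time pad derived from both input labels and the gate id (assumed PRF-like)."""
    return hashlib.sha256(ka + kb + gate_id.to_bytes(4, "big")).digest()[:LAMBDA]


def permute_bit(label):
    """Point-and-permute bit: the low bit of the label, public to the evaluator."""
    return label[-1] & 1


def gen_label_pair():
    """Two random lambda-bit labels (L_w,0, L_w,1) whose permute bits differ."""
    l0 = secrets.token_bytes(LAMBDA)
    l1 = bytearray(secrets.token_bytes(LAMBDA))
    l1[-1] = (l1[-1] & 0xFE) | (permute_bit(l0) ^ 1)
    return (l0, bytes(l1))


def garble(circuit):
    """Garbler: returns (garbled gate tables, input label pairs, output decoder)."""
    labels = {w: gen_label_pair() for w in circuit["inputs"]}
    tables = []
    for gid, op, a, b, out in circuit["gates"]:
        labels[out] = gen_label_pair()
        rows = [None] * 4
        for va in (0, 1):
            for vb in (0, 1):
                ka, kb = labels[a][va], labels[b][vb]
                ko = labels[out][OPS[op](va, vb)]
                # Row position is fixed by the permute bits, so the evaluator
                # decrypts exactly one row without learning va or vb.
                rows[2 * permute_bit(ka) + permute_bit(kb)] = xor_bytes(ko, H(ka, kb, gid))
        tables.append((gid, a, b, out, rows))
    # Decoder: hashes of the two output labels, so the evaluator can map a label to a bit.
    decoder = {
        w: (hashlib.sha256(labels[w][0]).digest(), hashlib.sha256(labels[w][1]).digest())
        for w in circuit["outputs"]
    }
    return tables, {w: labels[w] for w in circuit["inputs"]}, decoder


def encode_inputs(input_labels, bits):
    """Pick the active label per input wire (in 2PC the evaluator's come via OT)."""
    return {w: input_labels[w][bits[w]] for w in input_labels}


def evaluate(tables, active, decoder):
    """Evaluator: knows only one label per wire and decrypts one row per gate."""
    active = dict(active)
    for gid, a, b, out, rows in tables:
        ka, kb = active[a], active[b]
        idx = 2 * permute_bit(ka) + permute_bit(kb)
        active[out] = xor_bytes(rows[idx], H(ka, kb, gid))
    result = {}
    for w, (h0, h1) in decoder.items():
        h = hashlib.sha256(active[w]).digest()
        result[w] = 0 if h == h0 else 1 if h == h1 else None
    return result


def evaluate_plain(circuit, bits):
    """Reference evaluation of the Boolean circuit in the clear."""
    vals = dict(bits)
    for _, op, a, b, out in circuit["gates"]:
        vals[out] = OPS[op](vals[a], vals[b])
    return {w: vals[w] for w in circuit["outputs"]}


def run_once(bits):
    """Garble CIRCUIT afresh and evaluate it on the given input bits."""
    tables, input_labels, decoder = garble(CIRCUIT)
    return evaluate(tables, encode_inputs(input_labels, bits), decoder)
```

The evaluator never sees both labels of any wire, which is what the later equivocation slides exploit: a simulator that can later hand out the second, inactive label for a wire can explain the same garbled tables as a garbling of a different input.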
Token-based garbled circuits
The same garbled circuit GC with label pairs L1,0, L1,1; L2,0, L2,1; L3,0, L3,1; L4,0, L4,1, now realized using tokens.
How to equivocate garbled circuits
The simulator Sim must produce the garbled circuit GC (with label pairs L1,0, L1,1, ..., L4,0, L4,1) for the receiver R while the sender S's input is still unknown. Only later, once S is corrupted, is the sender's input known.
How to equivocate garbled circuits
Sim places a fake program P' (fake P) in the token instead of the real P. The simulator cannot program the token after its creation, so when the sender's input becomes known, the fake P must be explained as the real P.
How to equivocate garbled circuits
Best case: both labels of a wire are active. The active labels let Sim explain the fake P as the real P.
How to equivocate garbled circuits
Harder case: only one label of a wire is active. Sim then uses a subliminal mechanism to explain the fake P as the real P, treating the inactive labels as
Summary
Designed constant-round adaptive 2PC protocols with stateless tokens:
- OWFs (minimal [GISVW10])
- GUC security
Interesting corollaries for the Global Random Oracle (GRO) model [CJS15]:
- First adaptively secure protocols with GUC security in the GRO model
- Inspiration for an upcoming result in the plain model [CPV17b]!
Thank you!