Completeness in Two-Party Secure Computation Revisited
Danny Harnik, Moni Naor, Omer Reingold, Alon Rosen
Weizmann Institute of Science, AT&T, IAS



Secure Function Evaluation (SFE) of a Function f. Alice holds x; Bob holds y. Alice learns f(x,y) and “nothing else”. Bob learns “nothing”.

Secure Function Evaluation. General framework that captures many cryptographic tasks. SFE for any poly-time f - key achievement in cryptography. Many possible definitions and settings. We concentrate on a specific setting: Asymmetric version (only Alice gets output). Deterministic functions (vs. probabilistic functionality). Computational security definitions. Definition via simulation. Honest-but-curious model; can use the compiler of [GMW86] for the malicious model.

Oblivious Transfer. Several equivalent flavors: Rabin-OT (Noisy-OT) - Sender has bit b. Receiver learns b with probability 1/2. Sender doesn’t know if the bit was received. 1-2 OT [EGL85] - Sender has two bits b_0, b_1 and Receiver has choice bit c. Receiver learns b_c but not b_{1-c}. Sender learns nothing of c. Can view as an asymmetric SFE protocol. Equivalence between them shown by Crépeau 87. Many variants are “information theoretic” equivalent.

1-2 Oblivious Transfer. Alice holds c; Bob holds b_0, b_1. Alice gets b_c. Alice learns nothing about b_{1-c}. Bob learns nothing about c.

Completeness of OT OT is Complete for SFE. [Yao, GMW, Kilian] What does Complete mean? SFE for any efficiently computable function f can be constructed using “solely” a protocol for OT. Several constructions for OT exist, relying on various computational assumptions (PKC). Not the focus of this talk.

SFE-Completeness. g securely reduces to f if an SFE for g can be constructed using an SFE protocol for f. f is SFE-Complete if every poly-time function g securely reduces to f. To show that f is complete, enough to show a reduction from OT to f. [Figure labels: x, y, g(x,y), f(x’,y’)]

SFE Complete - Questions Are there other complete functions? Is there a “nice” classification of all the complete functions? Are there functions that have “trivial” SFE protocols (under no assumption)? Are there functions that are neither complete nor trivial?

Main Result. Introduce a computational criterion for completeness called Row Non-Transitivity. Main Theorem: If f is Row Non-Transitive then it is SFE-Complete. If f is Row Transitive then there is a trivial SFE protocol for f.

Corollary: Complete Classification Essentially all “nice” functions are either SFE-Complete or have a trivial SFE protocol.

Previous Work. SFE-Completeness discussed in: [CK91, Kush92, Kil91, KMO94, BMM99, Kil00] (Beimel, Chor, Kilian, Kushilevitz, Malkin, Micali, Ostrovsky). Mostly studied under Information Theoretic security definitions. Strong results in form of combinatorial criteria: Insecure Minor, Imbedded Or. Most works consider finite functions (i.e. functions on constant domain size).

Imbedded OR [Kilian91] A function f(.,.) is said to contain an Imbedded OR if there are inputs x 0, x 1, y 0, y 1 such that : Where a  b.

Insecure Minor [Beimel, Malkin & Micali 99] A function f(.,.) is said to contain an Insecure Minor if there are inputs x 0, x 1, y 0, y 1 such that : Where b  c.

... Insecure Minor [BMM] If a finite function f(.,.) contains an insecure minor then f is complete. Otherwise f has an SFE protocol (f is “trivial”).  Full characterization of finite functions.  Surprising “all or nothing” behavior.

What about non-finite functions? Does the insecure minor characterization work when the domain is large? Completeness:  Same reduction. Triviality:...

Example 1: one-to-one functions. One-to-one functions do not contain an insecure minor. Trivial SFE for a 1-1 function f(x,y): Bob sends y to Alice. Alice calculates f(x,y). Security: given f(x,y) a simulator can find y (since f is 1-1). But the simulator might not be efficient for functions on a large domain!

General Functions Protocol itself may not be efficient for general functions (not only the simulator).

Example 2: A “trivial” function that is complete. Let g be a 1-1 One-Way function. Consider the following function: f(c, y_0, y_1) = (c, y_c, g(y_{1-c})), where x = c is Alice's input and y = (y_0, y_1) is Bob's. f is 1-1 and hence has no insecure minor. Claim: f is SFE-Complete! Note: 1-1 one-way functions are not known to imply the existence of OT (black-box separation of Impagliazzo and Rudich).

1-2-OT from SFE for f. Alice holds c; Bob holds b_0, b_1. 1. Choose random y_0, y_1. 2. SFE for f(c, y_0, y_1); Alice gets (c, y_c, g(y_{1-c})). 3. h(y_0)  b_0, h(y_1)  b_1. 4. Alice calculates b_c. (* h is a hardcore bit of g.)

f(c, y_0, y_1) = (c, y_c, g(y_{1-c})). 1-2-OT using an SFE for f: Bob chooses random y_0, y_1. Run SFE for f(c, y_0, y_1). Alice gets output. Bob sends h(y_0)  b_0 and h(y_1)  b_1. Alice calculates b_c. Bob can’t learn c. Alice can learn b_{1-c}.

Open Questions in the Computational Setting Is there a simple characterization of SFE-Complete functions and of trivial functions? How do these sets relate? All or nothing? Yes. Almost tight.

Row Non-Transitivity. A function f(.,.) is (Computational) Row Non-Transitive if: for some x_0, x_1 and D_y it is (somewhat) hard to calculate f(x_1,y) given x_0, x_1 and f(x_0,y) for y  r D_y. A function f(.,.) is (Computational) Row Transitive if: for all x_0, x_1 and y it is easy to calculate f(x_1,y) given x_0, x_1 and f(x_0,y).

Illustration of row non-transitivity. [Figure labels: f, x_0, x_1, y, “Hard”]

Main Theorem. Completeness: If an efficiently computable function f(.,.) is row non-transitive then f is SFE-Complete. Triviality: If an efficiently computable function f(.,.) is row transitive then f has a trivial SFE. Note: There is a small gap between the two criteria. Why? Hard and easy not complementary…

Trivial SFE for row transitive f. Alice holds x; Bob holds y. The SFE for f: Bob chooses an input x’ and sends x’, f(x’, y). Alice calculates f(x,y). Security: Bob learns nothing. Simulating Alice’s view: choose x’ and calculate f(x’,y) from f(x,y).

Completeness Sketch. Using an SFE for f we construct a Naive-OT protocol. Naive-OT is an SFE of the function: f(c, b) = { b if c=1;  if c=0. Recall: f is row non-transitive if there are choices of x_0, x_1, y such that it is hard to calculate f(x_1,y) given x_0, x_1 and f(x_0,y).

Completeness Sketch: Naive-OT from SFE for f. Alice holds c; Bob holds b. 1. Choose x_0, x_1, y. 2. x_0, x_1. 3. SFE for f(x_c, y); Alice gets f(x_c, y). 4. h(f(x_1,y))  b. 5. If c=1 calculate b. (* h is the GL hardcore bit.)

Security of the Protocol Easy to argue: Bob learns nothing because only receives information via the SFE protocol. Should argue: Alice learns nothing if c=0, or this will contradict the hardness of the hardcore bit.

Technical Issues. Somewhat non-standard use of the hardcore bit - Not a one-way function: could be hard both ways. Need “strong hardness” of function for hardcore bit proof. Our hardness is defined as weak. Standard hardness amplification relies strongly on one-wayness.

Solutions. Only claim that a GL bit is “weakly” hard: cannot predict with probability better than 9/10. Introduce a relaxed version (implementation) of naive-OT that we call Weak-OT. Show how to construct OT from Weak-OT via amplification using Yao’s Xor Lemma.

Full Definition of Non-transitivity. A function f(.,.) is Computational Row Non-Transitive if there exist samplable distributions D_x, D_y and a polynomial p(.) such that for every PPTM M and all but finitely many n’s: Pr[ M(x_0, x_1, f(x_0, y)) = f(x_1, y) ] < 1 - 1/p(n)

Insecure Minor  Non-Transitive. D_x uniform on {x_0, x_1}, D_y uniform on {y_0, y_1}.  PPTM M: Pr[ M(x_0, x_1, f(x_0, y)) = f(x_1, y) ]  ½
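An added example, not part of the original slides: for a finite function given as a table, the probability in the definition above can be computed exactly for the best possible predictor M, ignoring running time, so this is the information-theoretic version of the test with y uniform over a listed set. The function names and the toy 1-1 function g are assumptions made for the example.

```python
from collections import Counter
from fractions import Fraction
from itertools import permutations, product

def best_prediction(f, x0, x1, ys):
    """Max over all predictors M of Pr[M(x0, x1, f(x0,y)) = f(x1,y)], y uniform on ys."""
    joint = Counter((f(x0, y), f(x1, y)) for y in ys)
    best = {}                      # seen value f(x0,y) -> count of its likeliest f(x1,y)
    for (seen, _target), n in joint.items():
        best[seen] = max(best.get(seen, 0), n)
    return Fraction(sum(best.values()), len(ys))

def non_transitive_pairs(f, xs, ys):
    """Ordered row pairs (x0, x1) for which f(x0,y) does not determine f(x1,y)."""
    return [(x0, x1) for x0, x1 in permutations(xs, 2)
            if best_prediction(f, x0, x1, ys) < 1]

# Constructed sample functions.
def f_and(x, y): return x & y
def f_xor(x, y): return x ^ y

def g(y):
    """Toy 1-1 function on range(16): 3 is a primitive root mod 17."""
    return pow(3, y, 17)

def f_example2(c, y):
    """The page's Example 2: f(c, y_0, y_1) = (c, y_c, g(y_{1-c}))."""
    return (c, y[c], g(y[1 - c]))

BITS = [0, 1]
PAIRS = list(product(range(16), repeat=2))   # Bob's inputs (y_0, y_1)
```

AND has the non-transitive pair (0, 1) with best prediction 1/2, XOR has none, and Example 2 also has none here because an unbounded predictor inverts g by table lookup; the computational definition restricts M to PPTMs, which is exactly the gap the slides point at.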

Meaning of this Result Quantity Complexity Application

[Figure: efficiently computable functions f(x,y), with regions labelled Complete, Trivial, Insecure Minor and Row Non-Transitivity.]

Complexity Discussion. OT exists (Cryptomania in [Impagliazzo 95])  SFE-C = Eff-SFE. OT doesn’t exist but OWF do (Minicrypt in [Imp95]): Are there intermediate assumptions? Assumptions of type “function f has an SFE protocol”? Our results: As far as SFE goes, no additional worlds between Minicrypt & Cryptomania! [Figure labels: Minicrypt (OWF), Cryptomania (OT), ?]

Possible Applications? Provides a tool for proving easily that a function is complete. Example: f(x,y) = (x+y)^3 mod N, factorization of N unknown. Is it complete? Trivial? Note: “almost” a permutation for x and for y. Assuming RSA is hard - f is row non-transitive  f is complete.

... Possible Applications? Framework for constructing OT protocols. Example: f(g,y) = g^y mod p, where Alice holds g and Bob holds y. Has SFE under CDH assumption: 1. Choose random r. 2. a = g^r. 3. b = g^{ry}. 4. Calculate g^y = b^{1/r}.

... Possible Applications? Use reduction to construct OT: Naive-OT. Alice holds c; Bob holds b. 1. Choose random r, g_0, g_1. 1. Choose random y. 2. g_0, g_1, g_c^r. 3. Calculate z = g_c^{ry}. 4. z, h(g_1^y)  b. 5. If c=1 calculate g_1^y = z^{1/r} and the bit b. What did we get? A scheme similar to [Bellare & Micali 89]!
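An added example, not part of the original slides: the Naive-OT above, i.e. the Completeness Sketch reduction with the SFE for f(g,y) = g^y mod p, run between Python functions for the two parties. It assumes the first step 1 (choose r, g_0, g_1) is Alice's and the second (choose y) is Bob's, that the bit b is masked by XOR, and that h is the Goldreich-Levin inner-product bit with public randomness s; the parameters P, Q and all function names are constructed for the example.

```python
import secrets

# Toy parameters (constructed, far too small for real use):
# P = 2Q + 1 is a safe prime; the squares mod P form the subgroup of prime order Q.
P, Q = 2039, 1019

def rand_elem():
    """Random element != 1 of the order-Q subgroup (square of a value in [2, P-2])."""
    return pow(secrets.randbelow(P - 3) + 2, 2, P)

def gl_bit(v, s):
    """Goldreich-Levin predicate: inner product of the bits of v and s over GF(2)."""
    return bin(v & s).count("1") & 1

def alice_request(c):
    """Steps 1-2: Alice picks r, g_0, g_1 and sends g_0, g_1, g_c^r."""
    r = secrets.randbelow(Q - 1) + 1           # r in [1, Q-1], invertible mod Q
    g0, g1 = rand_elem(), rand_elem()
    return r, (g0, g1, pow((g0, g1)[c], r, P))

def bob_respond(msg, b):
    """Steps 1, 3, 4: Bob picks y, returns z = (g_c^r)^y and the masked bit."""
    _g0, g1, a = msg
    y = secrets.randbelow(Q - 1) + 1
    s = secrets.randbits(P.bit_length())       # public GL randomness (assumption)
    z = pow(a, y, P)
    return z, s, gl_bit(pow(g1, y, P), s) ^ b  # XOR mask (assumption)

def alice_output(c, r, reply):
    """Step 5: if c=1, recover g_1^y = z^(1/r) and unmask b; otherwise no output."""
    if c != 1:
        return None
    z, s, masked = reply
    g1y = pow(z, pow(r, -1, Q), P)             # 1/r is taken mod the group order Q
    return gl_bit(g1y, s) ^ masked

def naive_ot(c, b):
    """Run the whole exchange and return Alice's output."""
    r, msg = alice_request(c)
    return alice_output(c, r, bob_respond(msg, b))
```

Bob's only view of c is g_c^r, which for random r is a uniformly random non-identity element of the subgroup whichever c was used.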

Can the Gap be closed? Possible to narrow the gap by relaxing the definitions of SFE. Can the gap be closed altogether ? Not clear. Example: f(x,y) = OT(x,y)f(x,y) = y |y| n Too short - Low security Too long - High running time

Further Issues: Symmetric SFE. “All or nothing” result for Boolean functions [CK89, Kil91]. Gap in finite functions world [Kush92]. Completeness for finite functions iff contains Imbedded Or [Kil91]: Does not hold for non-finite functions! Consider the following complete function: f((c, x_0, x_1), (y_0, y_1)) = (x_0  y_c, x_1  g(x_{1-c})), g a one-way 1-1 function.

Further Issues: Probabilistic functionalities Probabilistic functionality (not deterministic functions) Some criteria for completeness in [Kil 00]. Interesting even when neither party has an input (IOS)! Does not have an interesting information theoretic analogue

Further Issues: semi honest vs malicious. BMM: Use GMW86 transformation. GMW transformation requires one-way functions. Exist in Minicrypt and above. SFE of a row non-transitive f implies Honest OT  One-way functions [Impagliazzo Luby]. Argument does not work when SFE done by magic (quantum, noisy channels, etc.). What about cheating in trivial protocols? In contrast Kilian 2000: for finite functions, Complete SFE are not the same for Honest and Curious and for Malicious.