page 1 Efficient Two-Party Secure Computation on Committed Inputs
Stanislaw Jarecki, UC Irvine; Vitaly Shmatikov, UT Austin
(presentation transcript)
pages 2-4 Our Contributions

1. Committed Oblivious Transfer of Bitstrings [String-COT]
   - O(1) modular exponentiations per player
   - 2 rounds + proofs (a single message in the R.O.M. if the commitments are public)
   - Universally Composable (UC) in the Common Reference String [CRS] model

2. Secure Two-Party Computation [2PC] on Committed Inputs
   - O(g) modular exponentiations, where g = # gates in the circuit
   - round complexity and UC in CRS as above

Main technical contribution of general interest: Encryption with Verifiable Plaintexts and Keys, i.e. encryption with an efficient Zero-Knowledge Proof for the relation
   { (E, C_m, C_k) s.t. E encrypts m committed in C_m under key k committed in C_k }

The contribution for both COT and 2PC is in efficiency (and in provable universal composability of an efficient construction).

Quick comparison of constant-round 2PC protocols:
   Yao'86:                                        O(g) symmetric-key operations,   passive adversary
   Yao + generic ZKPs:                            poly(k, g) operations,           malicious adversary
   [P'03, MF'06, KS'06, LP'07, W'07] cut & choose: O(kg) symmetric-key operations,  malicious adversary
   [Here] efficient ZKP per gate:                 O(g) public-key operations,      malicious adversary

page 5 Talk Outline
   Overview of the results:
      Committed Oblivious Transfer on Strings
      General Secure Two-Party Computation on Committed Inputs
   Applications:
      Committed Secure Computation
      Committed String-OT
   Comparison with previous results
   Technical discussion: Public Key Encryption with an Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key
   Extensions, open questions

page 6 Universally Composable Secure Two-Party Computation on Committed Inputs: Definition (Picture)

page 7 Universally Composable Secure Two-Party Computation on Committed Inputs
Alice posts Commit(x_A1) = C_A1 and Commit(x_A2) = C_A2 on a public board; Bob posts Commit(x_B1) = C_B1 and Commit(x_B2) = C_B2.
Commitment properties:
   Binding: the x_i's cannot be substituted after C_i is sent
   Hiding: the x_i's remain hidden from the other players
(Can be implemented e.g. with public-key encryption)

page 8 Universally Composable Secure Two-Party Computation on Committed Inputs
Alice posts C_A1 = Commit(x_A1), C_A2 = Commit(x_A2); Bob posts C_B1 = Commit(x_B1), C_B2 = Commit(x_B2) on the public board.
Non-Malleable [NM] Commitments: Bob's commitments (messages) cannot depend on Alice's messages (can be done with CCA-secure encryption, in the CRS model).

pages 9-10 Universally Composable Secure Two-Party Computation on Committed Inputs
With x_A1, x_A2, x_B1, x_B2 committed on the public board, Alice runs Compute([F] with Bob, C_A1, C_B1) and Bob runs Compute([F] with Alice); Bob obtains F(x_A1, x_B1).
Properties of 2-party secure computation (oblivious circuit evaluation) on committed inputs:
   Bob learns only the output F(x_A, x_B), nothing else about Alice's input x_A
   Alice learns nothing
   the values x_A, x_B used in the computation are the ones committed in C_A, C_B
=> Two-sided computation on the same inputs (with abort): run the protocol once in each direction; the commitments guarantee that both runs use the same inputs.

page 11 Universally Composable Secure Two-Party Computation on Committed Inputs
Alice and Bob, with committed x_A1, x_A2, x_B1, x_B2, run Compute([F]).
Examples of circuits F:
   Equality(x_A, x_B): outputs 1 if x_A = x_B, 0 otherwise
   LessOrEqual(x_A, x_B): outputs 1 if integer x_A ≤ x_B, 0 otherwise
   F(x_A, x_B) = intersection of the sets represented by x_A, x_B
   F(x_A, x_B) = median value in the union of the two sets
It can be any circuit!
Benefit of computation on committed inputs: ensuring consistency between computations of several circuits on the same data.

page 12 Consistency Across Protocol Instances, Ex.1: Multi-Player Example
Bob (committed x_B1) runs Compute([F] with Alice) and obtains F(x_A1, x_B1); he also runs Compute([F] with Dorothy), who posted Commit(x_D1), and obtains F(x_D1, x_B1). Since x_B1 is committed, both computations use the same Bob's input.

page 13 Consistency Across Protocol Instances, Ex.2: Security with some local computation off-line
Alice obtains F(x_A1, x_B1) from Compute([F] with Bob), computes x_A3 locally as the output of her own computation on F(x_A1, x_B1), posts Commit(x_A3), and then runs a second Compute([F] with Bob) on (x_A1, x_A3, x_B1) to obtain F(x_A1, x_A3, x_B1).
General benefit of UC committed 2PC:
   Ensuring consistency between sub-protocols in any distributed algorithm
   Some computation can be local ("insecure" but fast), while the commitments keep the overall protocol consistent

page 14 Consistency Across Protocol Instances, Ex.3: Solution to the "Abort & Re-start" Problem
Protocols that use 2PC / OT without committed inputs can be insecure against abort & re-start: a malicious player can abort and re-run the protocol, effectively executing several instances, each on a different input, and combining what it learns from them. In practice protocols must allow re-starts in case of communication or hardware faults, so the inputs have to stay fixed (committed) across the re-started instances.

page 15 Talk Outline: next section, Committed Oblivious Transfer on Strings and applications of Committed Secure Computation / Committed String-OT.

page 16 Universally Composable Committed String-OT
Common input: commitments C_b, (C_m0, C_m1). Alice holds bit b; Bob holds strings m_0, m_1.
   1. Alice learns m_b, where m_b is the string committed in C_mb and b is the bit committed in C_b
   2. Alice learns nothing about m_{1-b}
   3. Bob learns nothing (his output is ⊥)
UC String-COT is like UC two-party secure computation where the only computed function is String-OT.
Crépeau'86 introduced COT in which Alice gets a (de)commitment of the transferred string, not just m_b (our construction can support this too).

page 17 Applications of Committed String-OT (Ex.1): Ensuring Consistency across Calls to OT
OT is a sub-procedure in general secure computation protocols [the original motivation for Committed OT by Crépeau]:
   1. Interactive secure 2-party computation [GV'87]: players secret-share all their input bits; each gate is computed (shared input bits → shared output bit) via Bit-OT. Tool: Committed Bit-OT.
   2. 2-round secure 2-party computation ("garbled circuit" [Yao'86]): sender S creates two keys per wire; for each gate, S encrypts the appropriate output-wire keys under the appropriate input-wire keys; S performs String-OT on the keys corresponding to R's input wires. Tool: Committed String-OT.

page 18 Applications of Committed String-OT (Ex.2): Privacy, E-Cash, Escrow, ...
   1. Privacy applications: oblivious transfer of one key out of a set of keys; the same for signatures, decryptions, ...
   2. Support for probabilistic systems: probabilistic escrow of information (keys, signatures, plaintexts); probabilistic payment of digital cash; ...
What is needed in such applications? OT on values with proven properties (key, coin, signature, ...). Done in 2 steps:
   perform an OT on the committed string value (e.g. a key)
   prove correctness of the committed value (efficient proofs for such statements exist for many cryptographic schemes)

page 19 Talk Outline: next section, comparisons with previous results on COT and 2PC.

page 20 Our Contributions vs. Previous Work: (1) Committed OT on Bitstrings
   O(1) modular exponentiations per player: exponentiations modulo n^2, where n is a strong RSA modulus, |n^2| = 2000 bits, with 500-bit exponents
   Round complexity: 2 rounds + proofs (e.g. one/two rounds in the R.O.M.)
   Security under the Decisional Composite Residuosity Assumption [DCR]
   Universal Composability in the Common Reference String model [CRS], static adversary; the CRS includes the modulus n and a few group elements, |CRS| ≈ 10|n|
Towards efficient String-COT:
   [NP'00, AIR'01]   String-OT        O(1) exp's, DDH assumption
   [Cre'89]          Bit/String-COT   Ω(k^3) Bit/String-OT's
   [CvdGT'95]        Bit-COT          Ω(k) Bit-OT's
   [GMY'04]          Bit-COT          O(1) exp's, DDH
   [CC'00]           String-COT       O(k) exp's, DDH
   [Here]            String-COT       O(1) exp's, DCR

page 21 Our Contributions vs. Previous Work: (2) Secure 2PC on Committed Inputs
   Security under the DCR and Strong RSA assumptions
   O(g) modular exponentiations, where g = # gates in the circuit
   Round complexity: 2 rounds + proofs (e.g. one/two rounds in the R.O.M.)
   Universal Composability in the CRS model
Towards efficient constant-round Secure Two-Party Computation (2PC):
   Passive security:
      [Yao'86]                                   O(g) symmetric-key op's
   Malicious security using ZKPs for NP-complete languages:
      [GMW, ..., Lin'03, KO'04]                  poly(g, k) op's
   Malicious security without generic ZKPs:
      [DI'05], multi-party computation           O(n^2 g) PRGs + VSSs
      [CC'00], cut & choose gate-specific ZKPs   O(kg) exp's, DDH
      [Pin'03, MF'06, KS'06, LP'07, W'07], cut & choose on the whole garbled circuit   O(kg) symmetric-key op's
      [Here], efficient gate-specific ZKPs       O(g) exp's, DCR + Strong RSA

page 22 Talk Outline: next section, technical discussion of Public Key Encryption with an Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key.

pages 23-25 Yao's Garbled Circuit Construction (closer look: proof of ciphertext correctness)
   1. For each circuit wire w, sender S picks a pair of keys: k_w^0 ↔ "bit 0 on wire w", k_w^1 ↔ "bit 1 on wire w". (Picture: a gate G with input wires w, v and output wire z, and key pairs (k_w^0, k_w^1), (k_v^0, k_v^1), (k_z^0, k_z^1).)
   2. For each gate, S sends to R a table of four ciphertexts (shown for an AND gate):
         encryption of k_z^0 under keys k_w^0, k_v^0
         encryption of k_z^0 under keys k_w^0, k_v^1
         encryption of k_z^0 under keys k_w^1, k_v^0
         encryption of k_z^1 under keys k_w^1, k_v^1
   3. For each of R's input wires, transfer the right key using String-OT: OT[R(b), S(k^0, k^1)] → k^b.
Invariant: for every wire w, receiver R learns one key in {k_w^0, k_w^1} but doesn't learn which one!
Strategy towards 2PC with O(1) exp's per gate:
   1. S commits to each key
   2. S proves that the circuit is properly garbled: each ciphertext is formed correctly [... other proofs ...]
   3. S performs String-COT for R's input keys
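The three steps above, as an added worked example in Python (not the paper's or the talk's code). Assumptions made for the example: "encryption under keys k_w, k_v" is a SHA-256-derived one-time pad over the output key plus an all-zero redundancy tag, so the evaluator can recognise the single row it is able to open (a textbook instantiation, not the verifiable Camenisch-Shoup-style encryption the paper uses); the four rows of each table are shuffled; and the String-OT of step 3 is modelled as a direct hand-over of k^b by the sender, which is exactly the step a real protocol replaces by OT (String-COT in the paper). The circuit is a constructed three-gate example.

```python
"""Added illustration of Yao's garbled-circuit construction (steps 1-3 of the slide).
Not the paper's code: the two-key encryption and the OT step are simplified (see comments)."""
import hashlib
import secrets

KEY_LEN = 16          # bytes per wire key
TAG = bytes(16)       # all-zero redundancy: lets R recognise the single row it can open
_rng = secrets.SystemRandom()

GATES = {"AND": lambda x, y: x & y, "OR": lambda x, y: x | y, "XOR": lambda x, y: x ^ y}

def _pad(k_w, k_v, nonce):
    # "Encryption under keys k_w, k_v": a SHA-256-derived one-time pad (assumption: a textbook
    # instantiation, not the verifiable Camenisch-Shoup-style encryption of the paper).
    return hashlib.sha256(k_w + k_v + nonce).digest()

def double_encrypt(k_w, k_v, k_out):
    nonce = secrets.token_bytes(16)
    pad = _pad(k_w, k_v, nonce)
    return nonce + bytes(a ^ b for a, b in zip(k_out + TAG, pad))

def double_decrypt(k_w, k_v, ct):
    nonce, body = ct[:16], ct[16:]
    pt = bytes(a ^ b for a, b in zip(body, _pad(k_w, k_v, nonce)))
    return pt[:KEY_LEN] if pt[KEY_LEN:] == TAG else None   # None: wrong key pair for this row

def garble_circuit(circuit, n_wires):
    """Sender S. Step 1: keys (k_w^0, k_w^1) per wire. Step 2: one shuffled 4-row table per gate."""
    keys = [(secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)) for _ in range(n_wires)]
    tables = []
    for op, w, v, z in circuit:
        f = GATES[op]
        rows = [double_encrypt(keys[w][bw], keys[v][bv], keys[z][f(bw, bv)])
                for bw in (0, 1) for bv in (0, 1)]
        _rng.shuffle(rows)          # otherwise the row position would reveal the input bits
        tables.append(rows)
    return keys, tables

def eval_circuit(circuit, tables, input_keys):
    """Receiver R: holds exactly one key per input wire and opens exactly one row per gate,
    so the invariant 'one key per wire, without knowing which' is preserved gate by gate."""
    wire = dict(input_keys)
    for (op, w, v, z), rows in zip(circuit, tables):
        opened = [k for k in (double_decrypt(wire[w], wire[v], ct) for ct in rows) if k is not None]
        if len(opened) != 1:
            raise ValueError("gate %d: expected exactly one openable row" % z)
        wire[z] = opened[0]
    return wire

def run_yao(circuit, n_wires, s_inputs, r_inputs, out_wire):
    """End-to-end: S garbles, input keys are transferred, R evaluates, S's output map decodes the bit."""
    keys, tables = garble_circuit(circuit, n_wires)
    given = {w: keys[w][b] for w, b in s_inputs.items()}       # S's own input wires: S sends k^b
    # Step 3, R's input wires: the real protocol uses String-OT (String-COT in the paper) so that
    # S does not learn b and R does not learn k^{1-b}; modelled here as a direct hand-over of k^b.
    given.update({w: keys[w][b] for w, b in r_inputs.items()})
    k_out = eval_circuit(circuit, tables, given)[out_wire]
    return 0 if k_out == keys[out_wire][0] else 1

# Constructed sample circuit: out = (a AND b) OR (c XOR d); wires 0,1 belong to S and 2,3 to R.
CIRCUIT = [("AND", 0, 1, 4), ("XOR", 2, 3, 5), ("OR", 4, 5, 6)]
N_WIRES, OUT_WIRE = 7, 6

def plain(a, b, c, d):
    """Reference evaluation in the clear, used to check the garbled evaluation."""
    return (a & b) | (c ^ d)

if __name__ == "__main__":
    for a, b, c, d in [(1, 1, 0, 0), (0, 1, 1, 0), (0, 0, 0, 0)]:
        print((a, b, c, d), run_yao(CIRCUIT, N_WIRES, {0: a, 1: b}, {2: c, 3: d}, OUT_WIRE))
```

What the slide's "proof that each ciphertext is formed correctly" has to establish is visible in `garble_circuit`: a malicious S could put the wrong output key in a row, and nothing in `eval_circuit` would notice. The paper's approach is to commit to every wire key and prove, per row, that the row encrypts the committed output key under the committed input keys; cut-and-choose protocols instead make S garble many circuits and open a random subset.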

page 26 Yao's Garbled Circuit Construction, closer look: proof of ciphertext correctness
Take one table entry, e.g. the encryption of k_z^0 under keys k_w^0, k_v^0, and simplify to standard (one-key) encryption. We then need an efficient ZKP for the relation R = { (E, C_m, C_k) } s.t.
   1. E = Enc[m; k]
   2. m is committed in C_m
   3. k is committed in C_k

page 27 Efficient Encryption with message and key verifiability
Need an efficient ZKP for the relation R = { (E, C_m, C_k) } s.t. 1. E = Enc[m; k], 2. m is committed in C_m, 3. k is committed in C_k.
   1. Assume the commitment to a value a is of the form C_a = g^a (or C_a = g^a h^r) in some multiplicative group.
   2. Assume the encryption also has both plaintext and key in the exponent, e.g. E = Enc[m; k] = α^m β^k, where <α> and <β> are disjoint subgroups of some group.
This can be done with Paillier encryption [Camenisch-Shoup'03]: α generates the subgroup of order n and β generates a subgroup of order φ(n) in the multiplicative group of residues mod n^2, which has order φ(n^2) = n·φ(n).
ZKP_R is then a proof of equalities between discrete-log representations:
   1. (m, k) = Rep((α, β), E)
   2. m = DL(g, C_m)
   3. k = DL(g, C_k)

page 28 Efficient Encryption with message and key verifiability
C_m = g^m, E = α^m β^k, C_k = g^k, with #α = n, #β = φ(n) and #g = whatever is convenient.
ZKP_R is a proof of equalities between discrete-log representations: 1. (m, k) = Rep((α, β), E); 2. m = DL(g, C_m); 3. k = DL(g, C_k).
Each "representation = DL" proof is an extension of the standard ZKPK of a discrete log, except when the orders involved (#g vs. #α, and #g vs. #β) are (1) unknown or (2) unequal:
   the ZKP of "equality of m", DL(g, C_m) = Rep(α, E): problem if #g ≠ #α
   the ZKP of "equality of k", DL(g, C_k) = Rep(β, E): problem if #g ≠ #β

page 29 Efficient Encryption with message and key verifiability
C_m = g^m, E = α^m β^k, C_k = g^k, with #α = n, #β = φ(n) and #g = whatever is convenient; the ZKP of "equality of m", DL(g, C_m) = Rep(α, E), is a problem if #g ≠ #α, and the ZKP of "equality of k", DL(g, C_k) = Rep(β, E), is a problem if #g ≠ #β.
If the orders are not equal then the responses must be computed over the integers (linear equations involving the secrets) → efficient zero-knowledge proofs of DLEQ are known only if the secret is << both orders.
Why?
   1. Known DLEQ(g^x, h^x) proofs for groups of unknown order leak c·x + r over the integers, for a public challenge c and a random secret pad r → x is statistically hidden only if r > c·x·2^80, i.e. r > x·2^160 (since c ≈ 2^80)
   2. To avoid wrap-around we need c·x + r < (orders of g and h) → x·2^160 < (orders of g and h)

page 30 Efficient Encryption with message and key verifiability
C_m = g^m, E = α^m β^k, C_k = g^k, with #α = n, #β = φ(n) and #g = whatever is convenient (problem if #g ≠ #α for the proof about m, problem if #g ≠ #β for the proof about k).
If the orders are not equal then the responses must be computed over the integers → efficient ZK proofs of DLEQ only if the secret is << both orders → either m or k must be << φ(n), i.e. much shorter than |n| bits.
But m's and k's are interchangeable in Yao's garbled-circuit construction (an output-wire key is the plaintext of one gate's table and an encryption key in the next gate's table)! → Need Camenisch-Shoup encryption with shorter keys (k ≈ ¾|n|).
[Håstad-Schrift-Shamir]: exponentiation mod n hides |n|/2 bits → using ½|n|-long keys is indistinguishable from using |n|-long keys → the same holds for the φ(n)-order subgroup, where the [CS] keys live.
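The relation of pages 26-27 and the integer-response argument of pages 28-30, as an added worked example in Python (not the paper's protocol; toy parameters). It instantiates E = α^m β^k in Z*_{n^2} with α = 1+n (order n) and β an n-th residue (order dividing φ(n)), the plain commitments C_a = g^a in a separate group Z*_P whose order has nothing to do with n, and a Fiat-Shamir Sigma protocol proving (m, k) = Rep((α, β), E), m = DL(g, C_m), k = DL(g, C_k). The responses s = r + c·x are computed over the integers with a random pad r of |x| + 160 bits, i.e. r > c·x·2^80 for an 80-bit challenge, and the verifier's range check is the no-wrap-around condition of the slide. Assumptions for the example: a Miller-Rabin prime generator, 256-bit toy primes (a real instance needs a strong RSA modulus of about 1000 bits), a random commitment modulus P, and SHA-256 truncated to 80 bits as the challenge. The short-key argument for k is not modelled; the example simply keeps both m and k short.

```python
"""Added illustration (toy parameters, not the paper's protocol) of a Fiat-Shamir proof that
E = alpha^m beta^k (mod n^2) encrypts the m committed in C_m = g^m (mod P) under the k
committed in C_k = g^k (mod P), with responses computed over the integers."""
import hashlib
import secrets

SEC = 80          # |challenge| and the statistical-hiding slack, both 2^80 as on the slide
PRIME_BITS = 256  # toy size: a real instance needs a ~1000-bit strong RSA modulus n

def is_probable_prime(x, rounds=24):
    """Miller-Rabin; 'probable' is fine for a toy parameter generator (assumption, not the paper's setup)."""
    if x < 4:
        return x in (2, 3)
    if x % 2 == 0:
        return False
    d, s = x - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        y = pow(secrets.randbelow(x - 3) + 2, d, x)
        if y in (1, x - 1):
            continue
        for _ in range(s - 1):
            y = pow(y, 2, x)
            if y == x - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def setup(bits=PRIME_BITS):
    """Public parameters: the Z*_{n^2} encryption group and a separate commitment group mod P."""
    n = random_prime(bits) * random_prime(bits)
    n2 = n * n
    alpha = 1 + n                                           # order exactly n in Z*_{n^2}
    beta = pow(secrets.randbelow(n2 - 2) + 2, 2 * n, n2)    # an n-th residue: order divides phi(n), unknown
    P = random_prime(bits)
    g = secrets.randbelow(P - 3) + 2                        # #g is "whatever is convenient" (and != n)
    return dict(n=n, n2=n2, alpha=alpha, beta=beta, P=P, g=g)

def encrypt(pp, m, k):
    return (pow(pp["alpha"], m, pp["n2"]) * pow(pp["beta"], k, pp["n2"])) % pp["n2"]

def decrypt(pp, E, k):
    """Strip beta^k, then read m off alpha^m = (1+n)^m = 1 + m*n (mod n^2). Needs Python >= 3.8."""
    x = (E * pow(pp["beta"], -k, pp["n2"])) % pp["n2"]
    return (x - 1) // pp["n"]

def commit(pp, a):
    return pow(pp["g"], a, pp["P"])

def _challenge(*vals):
    h = hashlib.sha256(b"|".join(str(v).encode() for v in vals)).digest()
    return int.from_bytes(h, "big") >> (256 - SEC)

def prove(pp, E, C_m, C_k, m, k, sec_bits):
    """Prover knows m, k of at most sec_bits bits; the pad r has |x| + 2*SEC bits so that
    r + c*x statistically hides x (r > c*x*2^80), the point made on the slide."""
    pad_bits = sec_bits + 2 * SEC
    rm, rk = secrets.randbits(pad_bits), secrets.randbits(pad_bits)
    A1 = (pow(pp["alpha"], rm, pp["n2"]) * pow(pp["beta"], rk, pp["n2"])) % pp["n2"]
    A2, A3 = pow(pp["g"], rm, pp["P"]), pow(pp["g"], rk, pp["P"])
    c = _challenge(pp["n"], pp["P"], pp["g"], pp["beta"], E, C_m, C_k, A1, A2, A3)
    return (A1, A2, A3, rm + c * m, rk + c * k)             # responses over the integers

def verify(pp, E, C_m, C_k, proof, sec_bits):
    A1, A2, A3, sm, sk = proof
    bound = 1 << (sec_bits + 2 * SEC + 1)                   # max size of r + c*x
    # No wrap-around: the integer responses must stay below the (unknown) orders, here enforced
    # by requiring them to be far below n (and the toy P is of the same size).
    if not (0 <= sm < bound and 0 <= sk < bound) or bound >= pp["n"]:
        return False
    c = _challenge(pp["n"], pp["P"], pp["g"], pp["beta"], E, C_m, C_k, A1, A2, A3)
    n2, P = pp["n2"], pp["P"]
    ok_rep = (pow(pp["alpha"], sm, n2) * pow(pp["beta"], sk, n2)) % n2 == (A1 * pow(E, c, n2)) % n2
    ok_m = pow(pp["g"], sm, P) == (A2 * pow(C_m, c, P)) % P
    ok_k = pow(pp["g"], sk, P) == (A3 * pow(C_k, c, P)) % P
    return ok_rep and ok_m and ok_k

def demo(sec_bits=96):
    """Returns (decryption correct, honest proof accepted, proof for a different ciphertext rejected)."""
    pp = setup()
    m, k = secrets.randbits(sec_bits), secrets.randbits(sec_bits)
    E, C_m, C_k = encrypt(pp, m, k), commit(pp, m), commit(pp, k)
    proof = prove(pp, E, C_m, C_k, m, k, sec_bits)
    honest = verify(pp, E, C_m, C_k, proof, sec_bits)
    E_bad = encrypt(pp, (m + 1) % pp["n"], k)               # same committed key, different message
    forged = verify(pp, E_bad, C_m, C_k, proof, sec_bits)
    return decrypt(pp, E, k) == m, honest, forged

if __name__ == "__main__":
    print(demo())
```

The sizing in `prove` and `verify` is where the slide's constraint bites: with sec_bits = 96 the responses are about 257 bits, which fits under a 512-bit toy n, but a wire key as long as the modulus would not, which is why the paper needs the shorter-key variant of Camenisch-Shoup encryption.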

page 31 Summary and some open questions
Summary:
   Efficient UC-secure computation on committed inputs with O(|Circuit|) public-key operations
   Fast committed String-OT
   Encryption with efficient verifiability for both messages and keys
Some questions:
   Handling adaptive corruptions?
   Weakening the assumptions on the RSA modulus?
   Efficient String-COT and committed 2PC without a CRS?
   Verifiable encryption for committed plaintexts and/or keys with moduli smaller than |n^2| = 2000 bits?

page 32 Thank You!