On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.

Presentation transcript:


Secure Function Evaluation (SFE)
Alice and Bob have inputs $x_A$, $x_B$. Goal: Bob learns $y = f(x_A, x_B)$. Nothing else is revealed to Alice or Bob (simulation).
[Figure: Alice ($x_A$) and Bob ($x_B$) exchange messages; output: $y = f(x_A, x_B)$.]

Communication Complexity of SFE
Alice and Bob have inputs $x_A$, $x_B$. Bob learns $y = f(x_A, x_B)$.

Motivating Examples
- Alice has a short key $k$ for a pseudorandom function (PRF) $F$. Bob has no input, and Bob should learn $F_k(1), \dots, F_k(n)$. Can we get communication complexity $< n$?
- Alice has a secret decryption key $k$, Bob has a large encrypted database $\mathrm{Enc}_k(\mathrm{DB})$, and Bob should learn DB. Can we get communication complexity $< |\mathrm{DB}|$?

Overview of Our Results
- Negative: In any general SFE scheme in the fully malicious setting, the communication complexity must exceed the output size. Extends to the "honest-but-deterministic" setting: the corrupted party follows the protocol but does not use randomness (random tape $= 0^*$).
- Positive: Construct a general SFE scheme in the honest-but-curious setting whose communication matches the best insecure protocol (independent of output size). Relies on heavy hammers: indistinguishability obfuscation and FHE.

Negative Result: Background
Our negative result generalizes an incompressibility argument used in several prior works to get lower bounds for garbled circuits and functional encryption [AIKW13, AGVW13, DIJ+13, GGJS13, GHRW14]. All these prior results follow as simple corollaries (they would imply SFE with small communication).

Negative Result
Alice has a short key $k$ for a PRF $F$ with 1-bit output. Bob has no input; Bob should learn $y = (F_k(1), \dots, F_k(n))$.

Negative Result: Generalization I
In any SFE, the communication from Alice to Bob must exceed the Yao incompressibility entropy of $y = f(x_A, x_B)$ for the worst-case choice of fixed $x_B$ and distribution of $x_A$.
Definition: $X$ has $> k$ bits of Yao incompressibility entropy if it cannot be efficiently compressed to $k$ bits.

Negative Result: Generalization II
Can we have an offline/online* protocol with small online communication, independent of output size?
*The offline phase is executed before the parties know their inputs.
Not if the offline phase has to be simulated first, before the simulator knows the input/output of the corrupted party, e.g., when inputs are chosen adaptively after the offline phase. (Yes otherwise: can use Yao garbled circuits.)

Overcoming the Negative Result
The simulator gets Bob's output $y$ and must produce $\mathrm{view}_B$, which is enough to reconstruct $y$. It cannot be too small, or else it would be a compression of $y$.

Positive Result: Simplified Goal
Alice has a short key $k$ for a PRF $F$ with 1-bit output. Bob has no input; Bob should learn $y = (F_k(1), \dots, F_k(n))$.
As a start, let's focus on the above task and later generalize to any SFE.
Goal:
- Security against honest-but-curious Bob.
- Communication complexity $\ll n$.

Attempt I
Alice has a short key $k$ for a PRF $F$ with 1-bit output. Bob has no input; Bob should learn $y = (F_k(1), \dots, F_k(n))$.

Our Scheme (Almost)
Alice has a short key $k$ for a PRF $F$ with 1-bit output. Bob has no input; Bob should learn $y = (F_k(1), \dots, F_k(n))$.
// needs $r_i$ to run, ignores it otherwise.

Protocol / Simulation

Def: Somewhere Stat Binding (SSB) Hash

Hybrid $j$
[Figure labels: $j = 0$, $j = n$.]

Hybrid $j$, Hybrid $j + 0.5$, Hybrid $j + 1$
The SSB hash key hk computationally hides the binding index.

Constructing SSB Hash
[Figure: binary tree over leaves $r_0, \dots, r_7$.]
Relies on a combination of fully homomorphic encryption (FHE) and Merkle trees.

Constructing SSB Hash
[Figure: binary tree over leaves $r_0, \dots, r_7$.]
$b_1 = 0$, $b_2 = 1$, $b_3 = 1$; $j = b_1 b_2 b_3$ in binary.
The hash key hk encrypts a path to the binding index.

Constructing SSB Hash
[Figure: binary tree over leaves $r_0, \dots, r_7$; node labels $[r_1]$, $[r_3]$, $[r_5]$, $[r_7]$; $[r_3]$, $[r_7]$.]
- Hashing associates a ciphertext with each node and outputs the root.
- Leaves are encryptions of data bits (randomness 0s).
- Nodes at level $t$: homomorphically get an encryption of the data of the left or right child, depending on bit $b_t$.

Constructing SSB Hash
[Figure: binary tree over leaves $r_0, \dots, r_7$; node labels $[r_1]$, $[r_3]$, $[r_5]$, $[r_7]$; $[r_3]$, $[r_7]$; $[r_3]$.]
To open location $i$, give the ciphertexts for all siblings on the path from the root to $i$. To verify, recompute the root.

Constructing SSB Hash
[Figure: binary tree over leaves $r_0, \dots, r_7$; node labels $[r_1]$, $[r_3]$, $[r_5]$, $[r_7]$; $[r_3]$, $[r_7]$; $[r_3]$.]
Problem: the adversary can choose invalid ciphertexts in the opening. No correctness in homomorphic evaluation.

Constructing SSB Hash
[Figure: binary tree over leaves $r_0, \dots, r_7$; node labels $[r_1]$, $[r_3]$, $[r_5]$, $[r_7]$; $[r_3]$, $[r_7]$; $[r_3]$.]
Problem: the adversary can choose invalid ciphertexts in the opening. No correctness in homomorphic evaluation.
Solution: Use the ideas of "bootstrapping". Homomorphic evaluation is only over ciphertexts in hk.
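The selection tree from the slides above, as an added example that is not part of the original presentation: a plaintext-visible model in which each ciphertext is a pair (plaintext, public bytes), SHA-256 stands in for the ciphertext bytes, and the homomorphic step is assumed to be correct on any supplied sibling. The function names and the sample data are assumptions made for this example.

```python
import hashlib
from itertools import product

def H(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

def leaf(v):
    # Model of a randomness-0 encryption of v: (hidden plaintext, public bytes).
    return (v, H(b"leaf", bytes([v])))

def node(left, right, b):
    # Model of the homomorphic step: carry the left (b=0) or right (b=1)
    # child's plaintext; public bytes are recomputable from the children's.
    return ((right if b else left)[0], H(b"node", left[1], right[1]))

def build(data, path_bits):
    # path_bits = [b1..bd]: bd is used just above the leaves, b1 at the root.
    levels = [[leaf(v) for v in data]]
    for b in reversed(path_bits):
        prev = levels[-1]
        levels.append([node(prev[i], prev[i + 1], b)
                       for i in range(0, len(prev), 2)])
    return levels

def open_at(levels, i):
    # Opening of location i: the sibling at each level on the path to the root.
    sibs = []
    for level in levels[:-1]:
        sibs.append(level[i ^ 1])
        i >>= 1
    return sibs

def recompute(path_bits, i, v, sibs):
    # Verifier side: rebuild the root from the claimed value and the siblings.
    cur = leaf(v)
    for b, sib in zip(reversed(path_bits), sibs):
        cur = node(sib, cur, b) if i & 1 else node(cur, sib, b)
        i >>= 1
    return cur

def reachable_root_plaintexts(path_bits, i, v):
    # Root plaintexts an opening of location i to v can produce, over every
    # choice of sibling plaintexts (public bytes arbitrary).
    return {recompute(path_bits, i, v, [(p, b"x") for p in pts])[0]
            for pts in product((0, 1), repeat=len(path_bits))}

DATA = [1, 0, 0, 1, 0, 1, 1, 0]  # constructed sample bits r_0..r_7
BITS = [0, 1, 1]                 # b1 b2 b3 from the slide, so j = 3
```

With leaf values 0..7 in place of data bits, `build` carries 1, 3, 5, 7, then 3, 7, then 3 up the tree, matching the node labels on the slides. An opening of location 3 always recomputes to a root carrying the claimed value, while an opening of any other location does not constrain the root plaintext.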

Review: Scheme for PRF Evaluation
Alice has a short key $k$ for a PRF $F$ with 1-bit output. Bob has no input; Bob should learn $y = (F_k(1), \dots, F_k(n))$.

Toward General SFE
So far: communication-efficient SFE for PRF evaluation. Next: leverage these ideas to get a general SFE.
Step 1: A communication-efficient SFE for decryption.
- Alice has a secret decryption key sk.
- Bob has a large encrypted database $\mathrm{Enc}_{pk}(\mathrm{DB})$ and should learn DB.
Essentially the same idea as our PRF evaluation scheme.
Step 2: From SFE for decryption to general SFE (black-box).

SFE for Decryption
Security proof: same ideas as in the PRF case.

General Honest-but-Curious SFE
Alice has input $x_A$, Bob has input $x_B$, and Bob should learn $f(x_A, x_B)$.
Communication: $O(|x_A|)$

General Honest-but-Curious SFE II
Alice has input $x_A$, Bob has input $x_B$, and Bob should learn $f(x_A, x_B)$.

Summary: Positive Results
In the honest-but-curious setting, the communication complexity of SFE matches that of insecure protocols (security is free).
The same ideas give a communication-efficient protocol in the malicious setting in the common random string (CRS) model.
- The simulator can choose the CRS after knowing the input/output of the corrupted party.

Communication-Efficient SFE vs. Obfuscation
VBB*: can simulate the obfuscated circuit given black-box access to $C$.

Conclusions
In general SFE, communication has to exceed the output size in the malicious setting, or even the honest-but-deterministic setting, but not in the honest-but-curious setting.
- Does the positive result require iO? Or can we do it under better assumptions?
- Could we get communication-efficient SFE in the malicious setting with some weaker security than simulation?
New tool: somewhere statistically binding (SSB) hash.
- Other applications?