Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Published byLacey Reid Modified over 10 years ago

Similar presentations

Presentation on theme: "Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA."— Presentation transcript:

1 Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA

2 Minicrypt Cryptomania OWF KA PRGSIGNENCPRFCOMMITZK PKEOT TDP

3

4 More general than you might think… –encryption, commitment, ZK, coin-flipping, signatures can be captured as special cases. This talk: secure function evaluation –Two or more parties holding inputs x i –Parties wish to compute f(x 1,x 2,…) without revealing inputs to each other –Several variants Honest majority vs. two-party / no honest majority Computational vs. unconditional security Semi-honest vs. malicious parties Standalone vs. UC Secure Computation

5 No honest majority –OT computationally secure MPC [Yao86,GMW87] Ideal OT Unconditional, UC MPC [Kil88,IPS08] –MPC for nontrivial f OT [CK89,KKMO94,BIM99,HNRR04] Honest majority, secure channels –Unconditional MPC [BGW88,CCD88,RB89] Feasibility Results Inputs: Alice (s 0,s 1 ) Bob c Bob outputs s c

6 The Two-Party Case Alice Bob xy f(x,y) PPT PPT S Bob x,y, |x|=|y| S Bob (y) c View Bob (x,y) PPT S Alice x,y, |x|=|y| S Alice (x,f(x,y)) c View Alice (x,y)

7 The Two-Party Case Alice Bob xy f(x,y) k PPT S Bob p x k,y k S Bob (1 k,y k ) c View Bob (1 k,x k,y k ) PPT S Alice p x k,y k S Alice (1 k,x k,f(x k,y k )) c View Alice (1 k,x k,y k )

8 A lot of work on practical efficiency This talk: asymptotic efficiency –May also be relevant to practice –Theory beats heuristics Efficiency measures –Communication complexity –Computational complexity –Round complexity Question: given function f and security parameter k –How far can we push each efficiency measure? –Under what assumptions? Efficiency of Secure Computation

9 Round Complexity Alice Bob xy f(x,y) 2-message OT necessary (for general f) Is it also sufficient? Cryptomania

10 Enc(y) Randomized Encoding [Yao86,…,IK00,AIK04] g is a randomized encoding of f –Nontrivial relaxation of computing f Hope: –g can be simpler than f (meaning of simpler determined by application) –g can be used as a substitute for f xy f Enc(y)x g r decoder simulator Dec(g(x,r)) = f(x) Sim(f(x)) g(x,r)

11 Notions of Simplicity Decomposable encoding g((x 1,…,x n ),r)=(g 1 (x 1,r),…,g n (x n,r)) x r 2-Decomposable encoding g((x,y),r)=(g x (x,r),g y (y,r)) y NC 0 encoding Output locality c Low-degree encoding Algebraic degree d over F x r

12 Decomposable Encoding g((x 1,…,x n ),r)=(g 1 (x 1,r),…,g n (x n,r)) Application: Parallel reduction of secure 2-party computation to OT g((x,y),r)=(g 1 (x 1,r),…,g n (x n,r), g y (y,r)) Alice Bob xy r g y (y,r) f(x,y) OT x1x1 g 1 (x 1,r) g 1 (0,r) g 1 (1,r) g n (0,r) g n (1,r) xnxn g n (x n,r) More effort if Bob can be malicious

13 Notions of Simplicity Decomposable encoding g((x 1,…,x n ),r)=(g 1 (x 1,r),…,g n (x n,r)) x r 2-Decomposable encoding g((x,y),r)=(g x (x,r),g y (y,r)) y NC 0 encoding Output locality c Low-degree encoding Algebraic degree d over F x r

14 Notions of Simplicity Decomposable encoding g((x 1,…,x n ),r)=(g 1 (x 1,r),…,g n (x n,r)) x r 2-Decomposable encoding g((x,y),r)=(g x (x,r),g y (y,r)) y NC 0 encoding Output locality c Low-degree encoding Algebraic degree d over F x r A minimal model for secure computation [FKN94] Alice Bob xy Carol r f(x,y) g y (y,r) g x (x,r)

15 Notions of Simplicity Decomposable encoding g((x 1,…,x n ),r)=(g 1 (x 1,r),…,g n (x n,r)) x r 2-Decomposable encoding g((x,y),r)=(g x (x,r),g y (y,r)) y NC 0 encoding Output locality c Low-degree encoding Algebraic degree d over F x r Randomizing polynomials [IK00,…] round-efficient secure multi-party computation

16 Notions of Simplicity Decomposable encoding g((x 1,…,x n ),r)=(g 1 (x 1,r),…,g n (x n,r)) x r 2-Decomposable encoding g((x,y),r)=(g x (x,r),g y (y,r)) y NC 0 encoding Output locality c Low-degree encoding Algebraic degree d over F x r Cryptography in NC 0 [AIK04,…] OWF

17 Basic Facts If we dont care about efficiency, every f has a perfect, decomposable encoding g with –degree 3 over F 2 (generalizes to arbitrary rings) –output locality 4 Negative result: degree 3 is optimal over finite fields, assuming perfect privacy [IK00] –Big fields can be tricky: g(x,r)= ( 2 i x i + c) r 2 mod p Open –degree 2 with statistical or computational privacy? 2-round MPC with t<n/2 semi-honest parties –output locality 3? Crypto with optimal output locality from general assumptions

18 Degree-3 Encoding for Branching Programs BP(x)=det(L(x)), where L is a degree-1 mapping which outputs matrices of a special form. Encoding: 1 $ $ $ 0 1 $ $ 0 0 1 $ 0 0 0 1 * * * * -1 * * * 0 -1 * * 0 0 -1 * 1 0 0 $ 0 1 0 $ 0 0 1 $ 0 0 0 1 g(x,r 1,r 2 )= R 1 (r 1 ) L(x) R 2 (r 2 )

19 Complexity of Randomized Encoding Computational privacy –OWFs exist Decomposable encoding for a circuit C of length O(k |C|) Yaos garbled circuit technique [Yao86] Yields 2-message secure protocols from 2-message OT –Easy PRG (say, PRG in NC 1 ) NC 0 encoding of length |C| poly(k) [AIK05] Assumption implied by factoring, discrete log, lattice assumptions Primitive X exists X exists in NC 0 under Easy PRG assumption Perfect privacy –Efficient NC 0 encodings for formulas, branching programs [Kil88,FKN94,IK00,AIK04,…] –Capture complexity classes NC 1, NL/poly, L/poly

20 Open Complexity Questions No nontrivial lower bounds… Computational privacy –OWF efficient NC 0 encoding for circuits? Crypto implies crypto in NC 0 ! –Decomposable encoding of size O(|C|)? –Arithmetic garbled circuit? Perfect / statistical privacy –Efficient encoding for circuits? Constant-round unconditionally secure MPC for P? [BMR90] Relation with other questions? –Great LDC poly-communication protocols for unbounded parties –Better overhead for concrete representations

21 Back to Secure Computation Recap: Two-message secure protocol for f(x,y) –Assumes 2-message OT –O(k |C|) communication –poly(k) |C| computation Better assumption? No Better rounds? No Better computation? –PRG G:{0,1} n {0,1} n^2 in NC 0 constant overhead [IKOS08] –Not implied by standard assumptions –Semi-explicit candidate in [MST03] Better communication? –Rest of talk

22 Life After the Bomb Gentry 09: fully homomorphic encryption scheme –Enc pk (x), C Enc(C(x)) –Size of encrypted output independent of |C|,|x|! –Can hide C,x (even given sk) –Can make encrypted input size |x|+poly(k) –Corollaries Secure evaluation of f(x,y) with |input|+|output|·poly(k) bits General protocol compiler with poly(k) communication overhead –poly-time version of [NN01] –Big poly(k) computational overhead What is left to be done? –Assumptions –Better communication complexity?

23 Communication Complexity Sometimes life is a long sequence of finite tasks… –Circuit size = O(|output|) –In this case, still need poly(k) bits per gate [IKOS08]: –O(1) communication (and computation) per gate –Under exotic crypto in NC 0 assumption [IKOS09]: –O(1) communication, poly(k) computation per gate –Under -Hiding Assumption [CMS99,GR05] Allows generating (G,g) such that m | ord(g) but m is hidden

24 Assumptions Weaker results under weaker assumptions? –Beat circuit size bound for useful function classes? General problem: compute a program P on an encrypted input c Enc(x) Two sources of non-triviality –Encrypted output hides P –Encrypted output is shorter than |P| Good solutions for useful classes of P –Linear functions: standard homomorphic encryption –Truth tables: PIR [CGKS95,KO97,CMS99,…] –Degree-2 polynomials [BGN05] –Length-bounded branching programs [NN01,IP07]

25 Observation –most natural candidates for average-case hard problems imply one-way functions –most natural candidates for one-way functions imply public-key encryption typically shown in an ad-hoc way –Are we just lucky? Thesis –Hardness + structure world upgrade –Concrete instantiation inspired by [KO97,BIKM99,DMO00,IKO05,HN06] Defined via communication complexity of secure computation Relevance to Impagliazzos Worlds

26 Most instances of f,X,Y are hard. What if Alice can send Bob c R Enc(x) for free? Bob computationally bounded, Alice bounded or unbounded. Efficiency of secure computation with security against Bob –Generalizes PIR, homomorphic encryption Communication Complexity Alice Bob x Xy Y f(x,y) How many bits should be communicated to compute f whp?

27 Cryptomania x c x Minicrypt x c x Pessiland ? c x Algorithmica x c x Types of Encryption samplable pksk

28 How to Get an Upgrade Need: poly-time computable f(x,y) and input distributions X,Y such that: –f has high communication complexity on X Y Low communication error > 1/poly(n) –f has lower communication complexity when c R Enc(x) is created by Alice and given to Bob. Possibly with small error Then Enc can be upgraded Weak homomorphic property

29 Candidate f,X,Y f(x,y)= x i y i mod 2 –X,Y uniform on {0,1} n –Hard for interactive protocols with n-O(1) communication [Yao,Vaz,CG] f(x,y)= x i y i –Y uniform on {0,1} n, X uniform of weight 1 –Hard for non-interactive Bob Alice protocols with n-1 bits of communication

30 Minicrypt Cryptomania+ Given: –symmetric encryption (Gen,Enc,Dec) –weakly homomorphic for (f,X,Y) with bounded Alice Goal: Build public-key encryption (Gen,Enc,Dec) Alice Bob x Xy Y f(x,y) c=Enc sk (x) d=Bob(c,y) Alice(sk,d,x) sk Gen Multi-round protocol KA

31 Minicrypt Cryptomania+ Gen –sk Gen; x X; c Enc sk (x) –pk = (c,x) Enc pk (b) –y Y –Output (Bob(c,y), b f(x,y)) Dec sk (d,e) –Recover f(x,y) from (d,sk) using Alices algorithm –Output e f(x,y) Security: using hybrid game with c Enc sk (x) –Predicting f(x,y) from (c,x,Bob(c,y)) is impossible unconditionally –Hybrid game computationally indistinguishable from real game Implies 2-message OT with statistical security for Sender

32 Example: Kids Encryption PKE Let p = public k-bit prime –sk R Z p –Enc sk (b)= (2r+b) sk mod p r R [0, p/(4k)] –Dec sk (c) = ((c sk -1 ) mod p) mod 2 –Enc sk (x)=Enc sk (x 1 ) … Enc sk (x n ) Weak homomorphism: –Let x,y {0,1} 2k –Given c=(c 1,…,c 2k ) Enc sk (x) and y, Bob(c,y)= y i c i allows Alice to decode x i c i

33 Example: LWE PKE Decisional LWE: (M,Mr+e) is pseudorandom –M,x random over Z q –e random with small entries Symmetric encryption: –sk = random r –Enc sk (x)=(M,Mx+e+ q/2 x) Weak homomorphism –By adding rows, as long as e i << q

34 Pessiland Minicrypt+ Given: –Pessiland Encryption Enc –Enc is weakly homomorphic for (f,X,Y) with unbounded Alice –(f,X,Y) is nontrivial: for any distinct y,y, Pr x X f(x,y)=f(x,y)<1-1/poly Goal: Build a collision-resistant hash function Construction –Key generation: c Enc –Hashing: h c (y)=Bob(c,y) –Collision resistance: h c (y)=h c (y) f(x,y)=f(x,y) for x=Dec(c) nontrivial info on x

35 Failed Attempt: LPN CRHF Assumption: (M,Mr+e) is pseudorandom –M,r random over Z 2, e random with low Hamming weight –Similar to LWE but over binary field –Follows from hardness of search problem Implies symmetric encryption n 1/2- -noise LPN implies PKE [Ale03] –Also 2-message OT Not known to imply CRHF Explanation –Homomorphism limited by dimension –In case of LWE, field size gives extra degree of freedom

36 Summary Under standard assumptions –Constant rounds –poly(k) communication and computation per gate Pushing communication to an extreme –Fully homomorphic encryption Secure communication poly(k) insecure communication Same round complexity – -hiding assumption O(1) communication per gate O(depth) rounds –Both expensive in computation Pushing computation to an extreme –poly-stretch PRG in NC 0 O(1) computation per gate O(depth) rounds

37 Concluding Remarks Ambitious goals call for nonstandard assumptions. –especially when no heuristics are available Does nonstandard mean more risky? –Factoring requires super-polynomial time vs. –A random NC 0 function is exponentially hard to invert

Download ppt "Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA."

Similar presentations

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.

Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.
Impagliazzos Worlds in Arithmetic Complexity: A Progress Report Scott Aaronson and Andrew Drucker MIT 100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH.

Impagliazzos Worlds in Arithmetic Complexity: A Progress Report Scott Aaronson and Andrew Drucker MIT 100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH.
1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.

1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.
Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)
Private Inference Control

Private Inference Control
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.

Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

Similar presentations

Ads by Google