Two-Round Adaptively Secure Protocols from Standard Assumptions


1 Two-Round Adaptively Secure Protocols from Standard Assumptions
Fabrice Benhamouda (IBM), Huijia (Rachel) Lin (UCSB), Antigoni Polychroniadou (Cornell Tech), Muthuramakrishnan Venkitasubramaniam (University of Rochester)

2 Secure Multi-Party Computation
UC setting: f(x1, x2, x3, x4) = (y1, y2, y3, y4)
Goal:
Correctness: Everyone computes f(x1,…,x4)
Security: Nothing else but the output is revealed
Adversary: PPT, malicious, adaptive
[Diagram: four parties with inputs x1, x2, x3, x4 and outputs y1, y2, y3, y4]

3 Static vs. Adaptive Adversaries
Static Corruption: corrupt only at the onset of π
Adaptive Corruption: corrupt adaptively during the execution of π

4 Static vs. Adaptive Adversaries
Dealer secret-shares s among O(√n) random parties and publishes the set of such parties.
Diagram labels: s=(s1,s2); s1; s2; Static vs Adaptive; Learns s
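The dealer example on this slide, as an added simulation that is not part of the original talk. It assumes additive sharing modulo a prime, a committee of exactly ⌊√n⌋ parties, and a corruption budget equal to the committee size; all function names are illustrative.

```python
import math
import random

P = 2**61 - 1  # prime modulus for additive sharing (assumed, not from the slides)

def deal(secret, n, rng):
    """Dealer: share `secret` additively among ~sqrt(n) random parties.
    Returns {party: share}; the key set is the published committee."""
    k = math.isqrt(n)
    committee = rng.sample(range(n), k)
    shares = [rng.randrange(P) for _ in range(k - 1)]
    shares.append((secret - sum(shares)) % P)
    return dict(zip(committee, shares))

def reconstruct(corrupted, dealt):
    """Adversary's view: it recovers s only if it holds every share."""
    if not set(dealt) <= corrupted:
        return None
    return sum(dealt.values()) % P

def static_corruptions(n, budget, rng):
    """Static adversary: fixes its corrupted set before the protocol runs."""
    return set(rng.sample(range(n), budget))

def adaptive_corruptions(published, budget):
    """Adaptive adversary: corrupts after seeing the published committee."""
    return set(sorted(published)[:budget])

def run_trials(n=400, trials=2000, seed=7):
    """Count how often each adversary learns s with budget = committee size."""
    rng = random.Random(seed)  # seeded simulation; a real dealer uses a CSPRNG
    budget = math.isqrt(n)
    static_wins = adaptive_wins = 0
    for _ in range(trials):
        secret = rng.randrange(P)
        static_set = static_corruptions(n, budget, rng)  # chosen first
        dealt = deal(secret, n, rng)                      # committee published
        adaptive_set = adaptive_corruptions(dealt.keys(), budget)
        static_wins += reconstruct(static_set, dealt) == secret
        adaptive_wins += reconstruct(adaptive_set, dealt) == secret
    return static_wins, adaptive_wins

if __name__ == "__main__":
    s, a = run_trials()
    print(f"static learned s in {s} trials, adaptive in {a} trials")
```

With the same corruption budget, the adversary that commits to its set up front has only a 1-in-C(n, √n) chance of covering the committee, while the one that waits for the published set covers it every time.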

5 Adaptive Corruption of all parties
Crucial in the composition of protocols. If the adversary corrupts all m parties in πinner, where m<n, security of πouter should still hold.
[Diagram: n-party protocol πouter containing m-party protocol πinner]

6 Adaptive vs. Semi-Adaptive Adversaries
Semi-Adaptive Corruption: static corruption of one party and adaptive corruption of the other party

7 State-of-the-art for Malicious MPC
In the CRS model:
Static: 2 rounds [BL18,GS18]
Adaptive: O(depth) rounds [CLOS02]
Partial Solutions for constant-round adaptive protocols: Using Indist. Obf. [GP15,DKR15,CGP15]

8 State-of-the-art for Malicious MPC
In the CRS model:
Static: 2 rounds [BL18,GS18]
Adaptive: O(1) rounds [CPV17]
Partial Solutions for constant-round adaptive protocols: Using Indist. Obf. [GP15,DKR15,CGP15]

9 Our Goal
2-round adaptive MPC
2-round adaptive OT
From standard assumptions

10 Our Results
Theorem (informal): O(1)-round malicious adaptive MPC + 2-round malicious adaptive OT ⇒ 2-round malicious adaptive UC MPC
Corollary (informal):
LWE/QR/DDH ⇒ 2-round malicious adaptive UC OT
LWE/QR/DDH ⇒ 2-round malicious adaptive UC MPC

11 Tools for Static 2-round MPC [BL18]
Diagram labels: Arbitrary round static MPC; Garbled circuits; Arbitrary round malicious static MPC; 2-round malicious static OT; NIZK

12 Tools for Adaptive 2-round MPC
Diagram labels: Equivocal garbled circuits; Constant round malicious adaptive MPC; 2-round malicious adaptive OT; ?
3-round adaptive malicious MPC from DDH [ABP17]
2-round adaptive malicious OT from iO [GP15]

13 Adaptive 2-round Oblivious Transfer
2-round malicious adaptive OT
  (transformation 3)
2-round semi-adaptive malicious OT
  (transformation 2)
2-round sender-semi-adaptive malicious OT
  (transformation 1)
2-round static malicious OT with: sender & receiver oblivious sampleability
LWE/QR/DDH

14 Adaptive 2-round Oblivious Transfer
2-round malicious adaptive OT
  (transformation 3)
2-round semi-adaptive malicious OT
  (transformation 2)
This talk
2-round sender-semi-adaptive malicious OT
  (transformation 1)
2-round static malicious OT with: sender & receiver oblivious sampleability
LWE/QR/DDH

15 2-round Sender-semi-adaptive Malicious OT
Theorem (informal): UC static malicious OT with sender oblivious sampleability ⇒ sender-semi-adaptive malicious UC OT

16 Definition: 2-round OT
In an OT protocol we have a sender and a receiver.
Sender S holds m0,m1; receiver R holds b.
R sends OT1(b); S replies with OT2(m0,m1); R obtains mb.
Goal: The Sender should not learn b. The Receiver should not learn m1-b.

17 2-round Sender-semi-adaptive Malicious OT
Building block: Let OT=(OT1, OT2) be a UC static malicious OT
Diagram labels: S holds m0,m1; R holds b; OT1(b); OT2(m0,m1)

18 2-round Sender-semi-adaptive Malicious OT
Building block: Let OT=(OT1, OT2) be a UC static malicious OT
Diagram labels: S holds m0,m1; R holds b; OT1(b); Sim: OT2(mb)
Problem: Not possible to explain OT2 for m1-b

19 2-round Sender-semi-adaptive Malicious OT
Building block: Let OT=(OT1, OT2) be a UC static malicious OT with Sender Sampleability
Diagram labels: S holds m0,m1; R holds b=0; OT1(b); Sim: OT2(m0,0), OT2(m0,1)
Problem: Not possible to obliviously sample one-out-of-two OT2 wrt. m0 in the real world

20 2-round Sender-semi-adaptive Malicious OT
Building block: Let OT=(OT1, OT2) be a UC static malicious OT with Sender Sampleability
Diagram labels: S holds m0,m1; R holds b=0; OT1(b); OT2($,m1); OT2(m0,$); OT2(.); OT2(.)

21 2-round Sender-semi-adaptive Malicious OT
Building block: Let OT=(OT1, OT2) be a UC static malicious OT with Sender Sampleability
Diagram labels: S holds m0,m1; R holds b=0; OT1(b); Sim: OT2($,0), OT2(m0,$), OT2($,1), OT2(.)

22 2-round Sender-semi-adaptive Malicious OT
Building block: Let OT=(OT1, OT2) be a UC static malicious OT with Sender Sampleability
Diagram labels: S holds m0,m1; R holds b=0; OT1(b); OT2($,m1); OT2(m0,$); OT2(.); OT2(.)

23 2-round Sender-semi-adaptive Malicious OT
Building block: Let OT=(OT1, OT2) be a UC static malicious OT with Sender Sampleability
Diagram labels: S holds m0,m1; R holds b=0; OT1(b); OT2($,m1); OT2(m0,$); OT2(.); OT2(.)
Problem with correctness: Which OT output is the right one?

24 2-round Sender-semi-adaptive Malicious OT
Building block: Let OT=(OT1, OT2) be a UC static malicious OT with Sender Sampleability
Diagram labels: S holds m0,m1; R holds b=0; OT1(b); OT2($,rm1); OT2(rm0,$); OT2(.); OT2(.); rm0, rm1

25 Adaptive 2-round Oblivious Transfer
2-round malicious adaptive OT
  (transformation 3)
2-round semi-adaptive malicious OT
  (transformation 2)
This talk
2-round sender-semi-adaptive malicious OT
  (transformation 1)
2-round static malicious OT with: sender & receiver oblivious sampleability
LWE/QR/DDH

26 Adaptive 2-round Oblivious Transfer
Hash proof systems with projection key oblivious sampleability
2-round malicious adaptive OT
  (transformation 3)
Encryption scheme with ciphertext oblivious sampleability
2-round semi-adaptive malicious OT
  (transformation 2)
This talk
2-round sender-semi-adaptive malicious OT
  (transformation 1)
2-round static malicious OT with: sender & receiver oblivious sampleability
LWE/QR/DDH

27 Adaptive 2-round Oblivious Transfer
2-round malicious adaptive OT
  (transformation 3)
2-round semi-adaptive malicious OT
  (transformation 2)
2-round sender-semi-adaptive malicious OT with oblivious sampleability
Equivocal garbled circuits
This talk
2-round sender-semi-adaptive malicious OT
  (transformation 1)
2-round static malicious OT with: sender & receiver oblivious sampleability
Non-interactive equivocal commitment
LWE/QR/DDH

28 Adaptive 2-round Oblivious Transfer
2-round malicious adaptive OT
  (transformation 3)
2-round semi-adaptive malicious OT
  (transformation 2)
2-round semi-adaptive malicious OT
This talk
2-round sender-semi-adaptive malicious OT
  (transformation 1)
Augmented non-committing encryption
2-round static malicious OT with: sender & receiver oblivious sampleability
LWE/QR/DDH

29 Our Results
2-round adaptive MPC
2-round adaptive OT
From standard assumptions
LWE/QR/DDH ⇒ 2-round malicious adaptive UC OT
LWE/QR/DDH ⇒ 2-round malicious adaptive UC MPC

30 Open Problems
Efficient adaptive 2-round MPC
Adaptive Laconic Function evaluation
4-round adaptive MPC in the plain model

31 Thank you!

32 Transformation 3
Tools: Augmented non-committing encryption
2-round malicious adaptive OT
  (transformation 3)
2-round semi-adaptive malicious OT

33 2-round Malicious Adaptive OT
Diagram labels: S holds m0,m1; R holds b; OT2(b); pk0,pk1; OT2(m0+r0); OT2(m1+r1); NCE(pk0,r0); OT2(pk1,r1)

