Presentation is loading. Please wait.

Presentation is loading. Please wait.

COVERT TWO-PARTY COMPUTATION LUIS VON AHN CARNEGIE MELLON UNIVERSITY JOINT WORK WITH NICK HOPPER JOHN LANGFORD.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "COVERT TWO-PARTY COMPUTATION LUIS VON AHN CARNEGIE MELLON UNIVERSITY JOINT WORK WITH NICK HOPPER JOHN LANGFORD."— Presentation transcript:

1 COVERT TWO-PARTY COMPUTATION LUIS VON AHN CARNEGIE MELLON UNIVERSITY JOINT WORK WITH NICK HOPPER JOHN LANGFORD

2 HAVE YOU EVER BEEN IN LOVE BUT DIDN’T HAVE THE GUTS TO CONFRONT THE PERSON? WANTED TO BRIBE AN OFFICER? WANTED TO COLLUDE WITH ANOTHER PLAYER TO CHEAT IN A CARD GAME? WANTED TO STAGE A COUP D’ETAT TO OVERTHROW THE PRESIDENT? INFILTRATED A TERRORIST CELL?

3 F( ,  ) TWO-PARTY COMPUTATION COVERT ALLOWS TWO PARTIES WITH SECRET INPUTS X AND Y TO LEARN F(X,Y) BUT NOTHING ELSE F( ,  ) PARTY 1PARTY 2 XY F(X,Y)

4 F(X,Y) = 1 IF X>Y 0 OTHERWISE $45 MILLION$32 MILLION F(X,Y)=1 LET’S NOT GET MARRIED JENBEN

5 BRITNEY SPEARS I DON’T WANT HIM TO KNOW THAT I LIKE HIM UNLESS HE LIKES ME TOO! I LIKE HIM, BUT I’M SHY! WHAT SHOULD I DO? ME

6 WE’LL USE TWO- PARTY COMPUTATION IF HE DOESN’T, THEN F(X,Y) = 0 SO HE WON’T KNOW THAT I LIKE HIM IF HE LIKES ME, WE WILL BOTH FIND OUT 1 MEANS “YES” 0 MEANS “NO” IF X,Y ARE BITS, LET F(X,Y) = X AND Y LET’S FIGURE OUT IF WE LIKE EACH OTHER

7 COVERT TWO-PARTY COMPUTATION AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS EXTERNAL COVERTNESS INTERNAL COVERTNESS NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL

8 THE WAR ON TERROR I GUESS I CAN USE MY BAZOOKA HAVE YOU SEEN MY AK-47? YOU LEFT IT NEXT TO MY GRENADES THE AXIS OF EVIL SHALL PREVAIL! MI-6 AGENT CIA AGENT HE WORKS FOR CIA HE WORKS FOR MI-6

9 THE WAR ON TERROR HE WORKS FOR CIA HE WORKS FOR MI-6 THE UTTERANCES CONTAINED A COVERT TWO-PARTY COMPUTATION THE FUNCTION F VERIFIED THE CREDENTIALS SINCE BOTH WERE VALID, IT OUTPUT 1 K X WAS A CREDENTIAL SIGNED BY CIA AND Y WAS SIGNED BY MI-6 FOR ANY OTHER INPUTS, F OUTPUTS A RANDOM VALUE

10 COVERT TWO-PARTY COMPUTATION AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS EXTERNAL COVERTNESS INTERNAL COVERTNESS NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL CANNOT BE DONE WITH STANDARD TWO-PARTY COMPUTATION

11 WHO KNOWS WHAT? WE ASSUME THAT BOTH PARTIES KNOW THE FUNCTION THEY WISH TO EVALUATE BOTH KNOW WHICH ROLE THEY ARE TO PLAY IN THE EVALUATION BOTH KNOW WHEN TO START COMPUTING

12 ORDINARY COMMUNICATION MESSAGES ARE DRAWN FROM A SET D TIME PROCEEDS IN DISCRETE TIMESTEPS EACH PARTY MAINTAINS A HISTORY h OF ALL DOCUMENTS THEY SENT AND RECEIVED TO EACH PARTY P, WE ASSOCIATE A FAMILY OF PROBABILITY DISTRIBUTIONS ON D: {B h P }

13 P1P2 h P1 D 1 ← B P1 h P1 h P2 D 2 ← B P2 h P2 h P1 = h P1 + (D 1,D 2 )h P2 = h P2 + (D 2,D 1 ) D ’ 1 ← B P1 h P1  ← B P2 h P2 D1D1 D2D2 D’1D’1 t0t0 t1t1

14 WE ASSUME THAT DDH IS HARD: GIVEN g x, g y PARTIES CAN’T EFFICIENTLY DISTINGUISH g xy FROM g z

15 WE SHOW THAT COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST HONEST-BUT-CURIOUS ADVERSARIES IN THE RO MODEL, FAIR COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST MALICIOUS ADVERSARIES

16 ROADMAP USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM 1 2

17 BASIC-ENCODE INPUT: H  H, TARGET C, BOUND K LET J = 0 REPEAT: SAMPLE S ← D, INCREMENT J UNTIL H(S) = C OR J > K OUTPUT: S LET D BE A DISTRIBUTION ON D AND H BE A PAIRWISE INDEPENDENT FAMILY OF HASH FUNCTIONS ALLOWS SENDING C ENCODED IN SOMETHING THAT COMES FROM D UNIFORM PROPER SIZE ENOUGH MIN ENTROPY … THEN THE DISTRIBUTION ON S IS STA- TISTICALLY INDISTINGUISHABLE FROM D IF

18 OOPS! I DID IT AGAIN 001 LOOKS UNIFORM BASIC-ENCODEBASIC-ENCODE LOOKS NORMAL

19 ROADMAP USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM 1 2

20 COVERT OBLIVIOUS TRANSFER IT IS POSSIBLE TO MODIFY AN OBLIVIOUS TRANSFER SCHEME BY NAOR AND PINKAS SO THAT ALL MESSAGES ARE INDISTINGUI- SHABLE FROM UNIFORM RANDOM BITS OT UNIFORM

21 THE MODIFIED NAOR-PINKAS OT PLUGGED INTO YAO’S “GARBLED CIRCUIT” GIVES A SCHEME WITH MESSAGES THAT ARE INDISTINGUISHABLE FROM UNIFORM + YAO OT

22 F(X,Y)=1 OOPS! MALLICIOUS ADVERSARIES CAN BREAK THIS PROTOCOL YOU’RE SO SMART BRITNEY! MATH IS FUN! WE CANNOT SIMPLY USE ZK TO FIX IT

23 THE END

24 COMPETITOR COOPERATION TWO COMPETING ONLINE RETAILERS ARE COMPROMISED BY A HACKER NEITHER CAN CATCH THE HACKER BY THEMSELVES HOWEVER, NEITHER WILL ADMIT THAT THEY WERE HACKED UNLESS THE OTHER WAS HACKED TOO

25 PARTY P CAN DRAW FROM B P h FOR ANY PLAUSIBLE h ADVERSARY KNOWS B P h FOR ANY P, h WE ASSUME THAT DDH IS HARD: GIVEN g x, g y PARTIES CAN’T EFFICIENTLY DISTINGUISH g xy FROM g z

Download ppt "COVERT TWO-PARTY COMPUTATION LUIS VON AHN CARNEGIE MELLON UNIVERSITY JOINT WORK WITH NICK HOPPER JOHN LANGFORD."

Similar presentations

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Joe Kilian NEC Laboratories, America Aladdin Workshop on Privacy in DATA March 27, 2003.

Joe Kilian NEC Laboratories, America Aladdin Workshop on Privacy in DATA March 27, 2003.
Secure Computation Slides stolen from Joe Kilian & Vitali Shmatikov Boaz Barak.

Secure Computation Slides stolen from Joe Kilian & Vitali Shmatikov Boaz Barak.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Cheat-Proof Playout for Centralized and Distributed Online Games By Nathaniel Baughman and Brian Levine (danny perry)

Cheat-Proof Playout for Centralized and Distributed Online Games By Nathaniel Baughman and Brian Levine (danny perry)
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
C OMPLEXITY - THEORETIC F OUNDATIONS OF S TEGANOGRAPHY AND C OVERT C OMPUTATION Daniel Apon.

C OMPLEXITY - THEORETIC F OUNDATIONS OF S TEGANOGRAPHY AND C OVERT C OMPUTATION Daniel Apon.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Games of probability What are my chances?. Roll a single die (6 faces). –What is the probability of each number showing on top? Activity 1: Simple probability:

Games of probability What are my chances?. Roll a single die (6 faces). –What is the probability of each number showing on top? Activity 1: Simple probability:
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Similar presentations

Ads by Google