
Efficient Two-Party Secure Computation on Committed Inputs. Stanislaw Jarecki, UC Irvine; Vitaly Shmatikov, UT Austin.


1 Efficient Two-Party Secure Computation on Committed Inputs. Stanislaw Jarecki, UC Irvine; Vitaly Shmatikov, UT Austin

2-4 Our Contributions
1. Committed Oblivious Transfer of Bitstrings [String-COT]: O(1) modular exponentiations per player; 2 rounds + proofs (a single message in the ROM if the commitments are public); Universally Composable in the Common Reference String [CRS] model.
2. Secure Two-Party Computation [2PC] on Committed Inputs: O(g) modular exponentiations, where g = number of gates in the circuit; round complexity and UC-in-CRS as above.
Main Technical Contribution of General Interest: Encryption with Verifiable Plaintexts and Keys, i.e. encryption with an efficient Zero-Knowledge Proof for the relation {(E, C_m, C_k) s.t. E encrypts m committed in C_m under key k committed in C_k}.
The contribution for both COT and 2PC is in efficiency (and in the provable universal composability of an efficient construction).
Quick comparison of constant-round 2PC protocols:
- Yao'86: O(g) symmetric-key operations, passive adversary
- Yao + generic ZKPs: poly(k, g) operations, malicious adversary
- Cut & choose proofs [P'03, MF'06, KS'06, LP'07, W'07]: O(kg) symmetric-key operations, malicious adversary
- [Here], efficient ZKP per gate: O(g) public-key operations, malicious adversary

5 Talk Outline. Overview of the results: Committed Oblivious Transfer on Strings; General Secure Two-Party Computation on Committed Inputs. Applications: Committed Secure Computation; Committed String-OT. Comparison with previous results. Technical discussion: Public Key Encryption with an Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key. Extensions, Open Questions.

6 Universally Composable Secure Two-Party Computation on Committed Inputs: Definition (picture)

7 Universally Composable Secure Two-Party Computation on Committed Inputs. [Figure: Alice posts Commit(x_A1), Commit(x_A2) and Bob posts Commit(x_B1), Commit(x_B2) on a public board, producing commitments C_A1, C_A2, C_B1, C_B2.] Commitment properties: Binding: the x_i cannot be substituted after C_i is sent. Hiding: the x_i remain hidden from the other players. (Can be implemented e.g. with public-key encryption.)

8 Universally Composable Secure Two-Party Computation on Committed Inputs. [Figure: the same public board of commitments C_A1, C_A2, C_B1, C_B2.] Non-Malleable [NM] commitments: Bob's commitments cannot depend on Alice's commitments (can be done with CCA-secure encryption, in the CRS model).

9 Universally Composable Secure Two-Party Computation on Committed Inputs. [Figure: Alice runs Compute(F, with Bob, C_A1, C_B1); Bob obtains F(x_A1, x_B1).] Properties of two-party secure computation (oblivious circuit evaluation) on committed inputs: Bob learns only the output F(x_A, x_B) and nothing else about Alice's input x_A. Alice learns nothing. The values x_A, x_B used in the computation are exactly those committed in C_A, C_B.

10 Universally Composable Secure Two-Party Computation on Committed Inputs. [Figure: Alice runs Compute(F, with Bob) and Bob runs Compute(F, with Alice) on the same committed inputs.] Properties of two-party secure computation (oblivious circuit evaluation) on committed inputs: Bob learns only the output F(x_A, x_B) and nothing else about Alice's input x_A. Alice learns nothing. The values x_A, x_B used in the computation are exactly those committed in C_A, C_B. => Running the protocol in both directions gives two-sided computation on the same inputs (with abort).

11 Universally Composable Secure Two-Party Computation on Committed Inputs. Examples of circuits: Equality(x_A, x_B): outputs 1 if x_A = x_B, 0 otherwise. LessOrEqual(x_A, x_B): outputs 1 if integer x_A ≤ x_B, 0 otherwise. F(x_A, x_B) = intersection of the sets represented by x_A, x_B. F(x_A, x_B) = median value in the union of the sets. It can be any circuit!! Benefit of computation on committed inputs:  ensuring consistency between computations of several circuits on the same data.

12 Consistency Across Protocol Instances, Ex.1: Multi-Player Example. [Figure: Bob runs Compute(F, with Alice) and obtains F(x_A1, x_B1); Dorothy posts Commit(x_D1) and Bob runs Compute(F, with Dorothy) and obtains F(x_D1, x_B1). Both computations use the x_B1 committed in C_B1.]

13 Consistency Across Protocol Instances, Ex.2: Security with some local computation off-line. [Figure: Alice and Bob run Compute(F, with each other) on (x_A1, x_B1) and obtain F(x_A1, x_B1); Alice computes x_A3 = output of her local computation given F(x_A1, x_B1), posts Commit(x_A3), and the parties then compute F(x_A1, x_A3, x_B1).] General benefit of UC committed 2PC:  ensuring consistency between sub-protocols in any distributed algorithm;  some computation can be local ("insecure" but fast), while the commitments keep the overall protocol consistent.

14 Consistency Across Protocol Instances, Ex.3: Solution to the "Abort & Re-start" Problem. Protocols that use 2PC / OT without committed inputs can be insecure against abort & re-start: a malicious player can effectively execute several instances of the protocol, each on different inputs. In practice protocols must allow re-start in case of communication or hardware faults.

15 Talk Outline. Statement of the results: Committed Oblivious Transfer on Strings; General Secure Two-Party Computation on Committed Inputs. Applications: Committed Secure Computation; Committed String-OT. Comparison with previous results. Technical discussion: Public Key Encryption with an Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key. Extensions, Open Questions.

16 Universally Composable Committed String-OT. Alice: bit b. Bob: strings m_0, m_1. Common input: commitments C_b, (C_m0, C_m1). [Figure: Alice's output is m_b, Bob's output is ⊥.] 1. Alice learns m_b, s.t. m_b is committed in C_mb and b is committed in C_b. 2. Alice learns nothing about m_{1-b}. 3. Bob learns nothing. UC String-COT is like UC two-party secure computation, but the only computed function is String-OT. Crepeau'86 introduced COT s.t. Alice also gets a (de)commitment of m_b, not just m_b itself (our construction can support this too).

17 Applications of Committed String-OT (Ex.1): Ensuring Consistency across Calls to OT. OT is a sub-procedure in general secure computation protocols [the original motivation for Committed OT by Crepeau]. 1. Interactive secure 2-party computation [GV'87]: players secret-share all their input bits; gate computation (shared input bits → shared output bit) via Bit-OT. Tool: Committed Bit-OT. 2. 2-round secure 2-party computation ("garbled circuit" [Yao'86]): sender S creates two keys per wire; for each gate, S encrypts the appropriate output-wire keys under the appropriate input-wire keys; S performs String-OT on the keys corresponding to R's input wires. Tool: Committed String-OT.

18 Applications of Committed String-OT (Ex.2): Privacy, E-Cash, Escrow, ... 1. Privacy applications: oblivious transfer of one key out of a set of keys; the same for signatures, decryptions, ... 2. Support for probabilistic systems: probabilistic escrow of information (keys, signatures, plaintexts); probabilistic payment of digital cash; ... What's needed in such applications? OT on values with proven properties (key, coin, signature, ...). Done in 2 steps: perform an OT on the committed string value (e.g. a key); prove correctness of the committed value (efficient proofs for such statements exist for many cryptographic schemes).

19 Talk Outline. Statement of the results: Committed Oblivious Transfer on Strings; General Secure Two-Party Computation on Committed Inputs. Applications of Committed Secure Computation / Committed String-OT. Comparisons with previous results on COT and 2PC. Technical discussion: Public Key Encryption with an Efficient Zero-Knowledge Proof for Verifiability of both Plaintexts and Keys. Extensions, Open Questions.

20 Our Contributions vs. Previous Work: (1) Committed OT on Bitstrings.  O(1) modular exponentiations per player: exponentiations modulo n^2, where n is a strong RSA modulus, |n^2| = 2000 bits, 500-bit exponents.  Round complexity: 2 rounds + proofs (e.g. one/two rounds in the ROM).  Security under the Decisional Composite Residuosity Assumption [DCR].  Universal Composability in the Common Reference String model [CRS], static adversary; the CRS includes the modulus n and a few group elements, |CRS| ≈ 10|n|.
Towards efficient String-COT:
- [NP'00, AIR'01]: String-OT, O(1) exp's, DDH assumption
- [Cre'89]: Bit/String-COT, Ω(k^3) Bit/String-OT's
- [CvdGT'95]: Bit-COT, Ω(k) Bit-OT's
- [GMY'04]: Bit-COT, O(1) exp's, DDH
- [CC'00]: String-COT, O(k) exp's, DDH
- [Here]: String-COT, O(1) exp's, DCR

21 Our Contributions vs. Previous Work: (2) Secure 2PC on Committed Inputs.  Security under the DCR and Strong RSA assumptions.  O(g) modular exponentiations, where g = number of gates in the circuit.  Round complexity: 2 rounds + proofs (e.g. one/two rounds in the ROM).  Universal Composability in the CRS model.
Towards efficient constant-round Secure Two-Party Computation (2PC):
- Passive security: [Yao'86], O(g) symmetric-key op's
- Malicious security using ZKPs for NP-complete languages: [GMW, ..., Lin'03, KO'04], poly(g, k) op's
- Malicious security without generic ZKPs: [DI'05], multi-party computation, O(n^2 g) PRGs + VSSs; [CC'00], cut & choose gate-specific ZKPs, O(kg) exp's, DDH; [Pin'03, MF'06, KS'06, LP'07, W'07], cut & choose on the whole garbled circuit, O(kg) symmetric-key op's; [Here], efficient gate-specific ZKPs, O(g) exp's, DCR + Strong RSA

22 Talk Outline. Statement of the results: Committed Oblivious Transfer on Strings; General Secure Two-Party Computation on Committed Inputs. Applications of Committed Secure Computation / Committed String-OT. Comparison with previous results. Technical discussion: Public Key Encryption with an Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key. Extensions, Open Questions.

23 Yao's Garbled Circuit Construction. 1. For each circuit wire w, sender S picks a pair of keys: k_w^0 ("bit 0 on wire w") and k_w^1 ("bit 1 on wire w"). [Figure: a gate G with input wires w, v and output wire z, each carrying a key pair.] Invariant: for every wire w, receiver R learns one key in {k_w^0, k_w^1} but doesn't learn which one! 2. For each gate (input wires w, v, output wire z; the table shown is for an AND gate), S sends to R a table: encryption of k_z^0 under keys k_w^0, k_v^0; encryption of k_z^0 under keys k_w^0, k_v^1; encryption of k_z^0 under keys k_w^1, k_v^0; encryption of k_z^1 under keys k_w^1, k_v^1. 3. For each of R's input wires, transfer the right key using String-OT: OT[R(b), S(k^0, k^1)] → k^b. Strategy towards 2PC with O(1) exp's per gate: 1. S commits to each key. 2. S proves the circuit is properly garbled: each ciphertext is formed correctly [... other proofs ...]. 3. S performs String-COT for R's input keys.
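Steps 1-3 above, as an added worked example that is not code from the talk or the paper: a two-gate circuit out = (a AND b) XOR c is garbled with SHA-256-derived one-time pads and an all-zero tag as the row check (an assumption of this example; the talk's construction needs the verifiable encryption of slide 26 so that each ciphertext can be proven well-formed), and a hypothetical `ot_choose` stands in for the String-COT that hands R exactly one key per input wire. The output key of gate g0 is the plaintext of g0's table and an encryption key of g1's table, which is the interchangeability of m's and k's that slide 30 relies on.

```python
import hashlib
import os
import random

KEY_LEN = 16          # wire-key length in bytes (toy size chosen for this example)
TAG = b"\x00" * 8     # redundancy appended to the plaintext so the evaluator can spot the right row

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def row_pad(gate_id, kw, kv):
    """One-time pad for a table row, derived from the pair of input-wire keys that row is for."""
    return hashlib.sha256(b"yao|" + gate_id + b"|" + kw + b"|" + kv).digest()[: KEY_LEN + len(TAG)]

def garble_gate(gate_id, kw, kv, kz, func):
    """kw, kv, kz are (key_for_0, key_for_1) pairs; func is the gate's truth table."""
    rows = []
    for a in (0, 1):
        for b in (0, 1):
            rows.append(xor(row_pad(gate_id, kw[a], kv[b]), kz[func(a, b)] + TAG))
    random.SystemRandom().shuffle(rows)    # hide which row belongs to which input pair
    return rows

def eval_gate(gate_id, rows, kw_active, kv_active):
    """R holds exactly one key per input wire and recovers exactly one output-wire key."""
    pad = row_pad(gate_id, kw_active, kv_active)
    for row in rows:
        pt = xor(pad, row)
        if pt[KEY_LEN:] == TAG:            # wrong keys give random bytes; false match ~2^-64 per row
            return pt[:KEY_LEN]
    raise ValueError("no row decrypted: malformed table or wrong keys")

# Constructed circuit: (gate_id, in_wire, in_wire, out_wire, truth function), topologically ordered.
CIRCUIT = [
    (b"g0", "a", "b", "t", lambda x, y: x & y),
    (b"g1", "t", "c", "out", lambda x, y: x ^ y),
]

def garble_circuit(circuit):
    """Sender S: one key pair per wire, one four-row table per gate."""
    wires = {w for _, i, j, o, _ in circuit for w in (i, j, o)}
    keys = {w: (os.urandom(KEY_LEN), os.urandom(KEY_LEN)) for w in wires}
    tables = {gid: garble_gate(gid, keys[i], keys[j], keys[o], f) for gid, i, j, o, f in circuit}
    return keys, tables

def evaluate(circuit, tables, active):
    """Receiver R: starting from one key per input wire, decrypt one row per gate."""
    active = dict(active)                  # wire -> the single key R holds for it
    for gid, i, j, o, _ in circuit:
        active[o] = eval_gate(gid, tables[gid], active[i], active[j])
    return active["out"]

def ot_choose(bit, key_pair):
    """Idealised OT (hypothetical stand-in for the String-COT): R obtains key_pair[bit] only."""
    return key_pair[bit]

def run_2pc(a, b, c):
    """S holds bit a (wire a); R holds bits b, c (wires b, c). Returns the decoded output bit."""
    keys, tables = garble_circuit(CIRCUIT)
    active = {"a": keys["a"][a],                       # S simply sends the key for its own input
              "b": ot_choose(b, keys["b"]),            # R's wires: key obtained via OT
              "c": ot_choose(c, keys["c"])}
    out_key = evaluate(CIRCUIT, tables, active)
    return {keys["out"][0]: 0, keys["out"][1]: 1}[out_key]   # S's decoding table for the output wire
```

A malicious S is not caught by this code: a table whose rows encrypt the wrong output keys decrypts just as happily, which is exactly why the talk's strategy has S commit to every key and prove each ciphertext well-formed.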


26 Yao's Garbled Circuit Construction, Closer Look: Proof of ciphertext correctness. Each table entry is an encryption of an output-wire key k_z^0 or k_z^1 under a pair of input-wire keys, e.g. the encryption of k_z^0 under keys k_w^0, k_v^0. Simplify to standard (one-key) encryption: need an efficient ZKP for the relation R = {(E, C_m, C_k)} s.t. 1. E = Enc[m; k], 2. m is committed in C_m, 3. k is committed in C_k.

27 Efficient Encryption with message and key verifiability. 1. Assume the commitment (to value a) is of the form C_a = g^a (or C_a = g^a h^r) in some multiplicative group. 2. Assume the encryption also has both plaintext and key in the exponent, e.g. E = Enc[m; k] = α^m β^k, where <α> and <β> are disjoint subgroups of some group. This can be done with Paillier encryption [Camenisch-Shoup'03]: α generates the subgroup of order n and β generates a subgroup of order φ(n), in the group of order φ(n^2) = n·φ(n) (the multiplicative group of residues mod n^2). Need an efficient ZKP for the relation R = {(E, C_m, C_k)} s.t. 1. E = Enc[m; k], 2. m is committed in C_m, 3. k is committed in C_k. ZKP_R is a proof of equalities between discrete-log representations: 1. (m, k) = Rep((α, β), E); 2. m = DL(g, C_m); 3. k = DL(g, C_k).

28 Efficient Encryption with message and key verifiability. C_m = g^m, E = α^m β^k, C_k = g^k, with #α = n, #β = φ(n), #g = whatever is convenient. ZKP_R is a proof of equalities between discrete-log representations: 1. (m, k) = Rep((α, β), E); 2. m = DL(g, C_m); 3. k = DL(g, C_k). Each (Representation = DL) proof is an extension of the standard ZKPK of a discrete log, except if the orders involved (#g vs. #α, and #g vs. #β) are (1) unknown, (2) unequal. The ZKP of "equality of m", DL(g, C_m) = Rep(α, E): problem if #g ≠ #α. The ZKP of "equality of k", DL(g, C_k) = Rep(β, E): problem if #g ≠ #β.

29 Efficient Encryption with message and key verifiability. C_m = g^m, E = α^m β^k, C_k = g^k, with #α = n, #β = φ(n), #g = whatever is convenient. The ZKP of "equality of m", DL(g, C_m) = Rep(α, E): problem if #g ≠ #α. The ZKP of "equality of k", DL(g, C_k) = Rep(β, E): problem if #g ≠ #β. If the orders are not equal then the responses must be computed over the integers (linear equations involving the secrets)  efficient zero-knowledge DLEQ proofs are known only if secret << (both orders). Why? 1. Known DLEQ(g^x, h^x) proofs for groups of unknown order leak c·x + r over the integers, for a public challenge c and a random secret pad r  x is statistically hidden only if r > c·x·2^80  r > x·2^160 (since c ≈ 2^80). 2. To avoid wrap-around we need c·x + r < (orders of g and h)  x·2^160 < (orders of g and h).

30 Efficient Encryption with message and key verifiability. C_m = g^m, E = α^m β^k, C_k = g^k, with #α = n, #β = φ(n), #g = whatever is convenient. The ZKP of "equality of m", DL(g, C_m) = Rep(α, E): problem if #g ≠ #α. The ZKP of "equality of k", DL(g, C_k) = Rep(β, E): problem if #g ≠ #β. If the orders are not equal then the responses must be computed over the integers (linear equations involving the secrets)  efficient zero-knowledge DLEQ proofs only if secret << (both orders)  either m or k must be << |φ(n)| ≈ |n|. But m's and k's are interchangeable in Yao's garbled circuit construction (an output-wire key is the plaintext of one gate's table and an encryption key of the next gate's table)!  Need Camenisch-Shoup encryption with shorter keys (|k| ≈ ¾|n|). [Hastad-Schrift-Shamir]: exponentiation mod n hides |n|/2 bits  using ½|n|-long keys is indistinguishable from using |n|-long keys  the same holds for the φ(n)-order subgroup, where the [CS] keys live.

31 Summary and some open questions. Summary: efficient UC-secure computation on committed inputs with O(|Circuit|) public-key operations; fast committed String-OT; encryption with efficient verifiability for both messages and keys. Some questions: handling adaptive corruptions? Weakening the assumptions on the RSA modulus? Efficient String-COT and committed 2PC without a CRS? Verifiable encryption for committed plaintexts and/or keys with moduli smaller than |n^2| = 2000 bits?

32 page 32 Thank You!

