better 2-round adaptive mpc - boston universitydkr’15 n 4 owf io gp’15 n 2 tdp subexp. io. q1:...
TRANSCRIPT
![Page 1: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/1.jpg)
Better 2-round adaptive MPC
Ran Canetti, Oxana Poburinnaya, Muthuramakrishnan Venkitasubramaniam
![Page 2: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/2.jpg)
Secure Multiparty Computation[Yao’82]
2
f(x1, x2, x3)
x1
x2x3
![Page 3: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/3.jpg)
Secure Multiparty Computation[Yao’82]
3
f(x1, x2, x3)
x1
x2x3
Correctness: every party learns y = f(x1, x2, x3)Security: even if a party is dishonest, it only learns the output y, but nothing else
![Page 4: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/4.jpg)
Our results :
2 round fully adaptive MPC with useful properties (randomness-hiding, RAM-efficient, global CRS...)
Semi-honest case
![Page 5: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/5.jpg)
Our results :
GP’15 2 round fully adaptive MPC becomes RAM-efficient
Semi-honest case
malicious case
2 round fully adaptive MPC with useful properties (randomness-hiding, RAM-efficient, global CRS...)
![Page 6: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/6.jpg)
Our results :
ZK proofs with RAM efficiency
GP’15 2 round fully adaptive MPC becomes RAM-efficient
plug into GP’15
Semi-honest case
malicious case
2 round fully adaptive MPC with useful properties (randomness-hiding, RAM-efficient, global CRS...)
![Page 7: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/7.jpg)
Static vs Adaptive Security
7
f(x1, x2, x3)
x1
x2x3
when do parties become dishonest?
Static security:a set of dishonest parties is fixed
before the protocol starts
![Page 8: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/8.jpg)
Static vs Adaptive Security
8
f(x1, x2, x3)
x1
x2x3
when do parties become dishonest?
Static security:a set of dishonest parties is fixed
before the protocol starts
f(x1, x2, x3)
x1
x2x3
Adaptive security:parties may become dishonest
during the execution of the protocol
![Page 9: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/9.jpg)
Static vs Adaptive Security
9
f(x1, x2, x3)
x1
x2x3
when do parties become dishonest?
Static security:a set of dishonest parties is fixed
before the protocol starts
f(x1, x2, x3)
x1
x2x3
Adaptive security:parties may become dishonest
during the execution of the protocol
![Page 10: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/10.jpg)
Static vs Adaptive Security
10
f(x1, x2, x3)
x1
x2x3
when do parties become dishonest?
Static security:a set of dishonest parties is fixed
before the protocol starts
f(x1, x2, x3)
x1
x2x3
Adaptive security:parties may become dishonest
during the execution of the protocol
![Page 11: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/11.jpg)
Adaptive Security of MPC
Adaptive corruptions:adversary can decide who to corrupt adaptively during the execution
Adaptive corruptions:adversary can decide who to corrupt adaptively during the execution
![Page 12: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/12.jpg)
Adaptive corruptions:adversary can decide who to corrupt adaptively during the execution
Simulator:1. simulate communication (without knowing x1, …, xn)
Adaptive Security of MPC
![Page 13: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/13.jpg)
Adaptive Security of MPC
Adaptive corruptions:adversary can decide who to corrupt adaptively during the execution
Simulator:1. simulate communication (without knowing x1, …, xn)
![Page 14: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/14.jpg)
Adaptive Security of MPC
Adaptive corruptions:adversary can decide who to corrupt adaptively during the execution
Simulator:1. simulate communication (without knowing x1, …, xn)
![Page 15: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/15.jpg)
Adaptive Security of MPC
xi ri
xj rj
Adaptive corruptions:adversary can decide who to corrupt adaptively during the execution
Simulator:1. simulate communication (without knowing x1, …, xn)2. simulate ri of corrupted parties, consistent with
communication and xi
![Page 16: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/16.jpg)
Example: Adaptively Secure Encryption (NCE)
Adaptive corruptions:adversary can decide who to corrupt adaptively during the execution
Simulator:
c = Enc(m; r)
16
![Page 17: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/17.jpg)
Adaptive corruptions:adversary can decide who to corrupt adaptively during the execution
17
Example: Adaptively Secure Encryption (NCE)
dummy cs
Simulator:1. Sim() → cs, state
![Page 18: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/18.jpg)
Adaptive corruptions:adversary can decide who to corrupt adaptively during the execution
dummy cs
18
Example: Adaptively Secure Encryption (NCE)
rEnc k
Simulator:1. Sim() → cs, state2. Sim(state, m) → rs
Enc, ks
![Page 19: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/19.jpg)
Adaptive corruptions:adversary can decide who to corrupt adaptively during the execution
dummy cs
possible for a non-committing encryption (NCE)
19
Example: Adaptively Secure Encryption (NCE)
rEnc k
Adv gets:- either real (r, k, c = Enck(m; r))- or fake (rs
Enc, ks, cs)
Simulator:1. Sim() → cs, state2. Sim(state, m) → rs
Enc, ks
![Page 20: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/20.jpg)
Full Adaptive Security
Full adaptive security:● No erasures
![Page 21: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/21.jpg)
Full Adaptive Security
Full adaptive security:● No erasures● Security even when all parties are corrupted
![Page 22: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/22.jpg)
Full Adaptive Security
Full adaptive security:● No erasures● Security even when all parties are corrupted
![Page 23: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/23.jpg)
Full Adaptive Security
Full adaptive security:● No erasures● Security even when all parties are corrupted
Until 2015: # of rounds ~ depth of circuit (CLOS02)
Constant round protocols: CGP15, DKR15, GP15.
![Page 24: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/24.jpg)
← the only 2 round MPC
*need a CRS even for HBC case!
Full Adaptive Security: state of the art, semi-honest# of
parties# of
roundsassumptions
CGP’15 2 2 OWF subexp iO
DKR’15 n 4 OWF iO
GP’15 n 2 TDP subexp. iO
![Page 25: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/25.jpg)
Q1: can we build 2 round MPC with global (non-programmable) CRS?
Full Adaptive Security: state of the art, semi-honest# of
parties# of
roundsassumptions
CGP’15 2 2 OWF subexp iO
DKR’15 n 4 OWF iO
GP’15 n 2 TDP subexp. iO
![Page 26: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/26.jpg)
Q1: can we build 2 round MPC with global (non-programmable) CRS?
local CRS
Full Adaptive Security: state of the art, semi-honest# of
parties# of
roundsassumptions global CRS
CGP’15 2 2 OWF subexp iO
+
DKR’15 n 4 OWF iO
+
GP’15 n 2 TDP subexp. iO
-(even in HBC case)
![Page 27: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/27.jpg)
local CRS
Q1: can we build 2 round MPC with global (non-programmable) CRS?
Full Adaptive Security: state of the art, semi-honest# of
parties# of
roundsassumptions global CRS
CGP’15 2 2 OWF subexp iO
+
DKR’15 n 4 OWF iO
+
GP’15 n 2 TDP subexp. iO
-(even in HBC case)
![Page 28: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/28.jpg)
Q1: can we build 2 round MPC with global (non-programmable) CRS?
local CRS 1 local CRS 2
Full Adaptive Security: state of the art, semi-honest# of
parties# of
roundsassumptions global CRS
CGP’15 2 2 OWF subexp iO
+
DKR’15 n 4 OWF iO
+
GP’15 n 2 TDP subexp. iO
-(even in HBC case)
![Page 29: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/29.jpg)
Q1: can we build 2 round MPC with global (non-programmable) CRS?
local CRS 1 local CRS 2 global CRS
Full Adaptive Security: state of the art, semi-honest# of
parties# of
roundsassumptions global CRS
CGP’15 2 2 OWF subexp iO
+
DKR’15 n 4 OWF iO
+
GP’15 n 2 TDP subexp. iO
-(even in HBC case)
![Page 30: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/30.jpg)
Full Adaptive Security: state of the art, semi-honest# of
parties# of
roundsassumptions global CRS randomness
hiding
CGP’15 2 2 OWF subexp iO
+ +
DKR’15 n 4 OWF iO
+ +
GP’15 n 2 TDP subexp. iO
-(even in HBC case)
-
Q2: can we achieve randomness hiding? (Evaluation of f(x1, …, xn; r) hides r even if everyone is corrupted)
choose N = pq
nobody knows p, q
![Page 31: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/31.jpg)
Full Adaptive Security: state of the art, semi-honest# of
parties# of
roundsassumptions global CRS randomness
hidingsupports
RAM
CGP’15 2 2 OWF subexp iO
+ + -
DKR’15 n 4 OWF iO
+ + -
GP’15 n 2 TDP subexp. iO
-(even in HBC case)
- -
Q3: can we use the fact that f is a succinct RAM program?
![Page 32: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/32.jpg)
Q4: can we build 2 round MPC from weaker assumptions? (e.g. remove the need for subexp. iO)
Full Adaptive Security: state of the art, semi-honest# of
parties# of
roundsassumptions global CRS randomness
hidingsupports
RAM
CGP’15 2 2 OWF subexp iO
+ + -
DKR’15 n 4 OWF iO
+ + -
GP’15 n 2 TDP subexp. iO
-(even in HBC case)
- -
![Page 33: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/33.jpg)
Full Adaptive Security# of
parties# of
roundsassumptions global CRS randomness
hidingsupports
RAM
CGP’15 2 2 OWF subexp iO
+ + -
DKR’15 n 4 OWF iO
+ + -
GP’15 n 2 TDP subexp. iO
-(even in HBC case)
- -
This work n 2 OWF iO
+ + +
![Page 34: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/34.jpg)
Full Adaptive Security# of
parties# of
roundsassumptions global CRS randomness
hidingsupports
RAM
CGP’15 2 2 OWF subexp iO
+ + -
DKR’15 n 4 OWF iO
+ + -
GP’15 n 2 TDP subexp. iO
-(even in HBC case)
- -
This work n 2 OWF iO
+ + +
HPV’16 2 2 hardware tokensOWF
no CRS - -
CPV’16 2(n)
2(const)
NCE* no CRS - -
Subsequent work
![Page 35: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/35.jpg)
Part I: HBC protocol with global CRS
![Page 36: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/36.jpg)
First attempt
x1 x2 xn...
PK
xi = EncPK(xi)
![Page 37: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/37.jpg)
First attempt
x1 x2 xn...
PK,- decrypt each using SK- output f(x1, …, xn)
xi = EncPK(xi)obfuscated
![Page 38: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/38.jpg)
First attempt
x1 x2 xn...
- decrypt each using SK- output f(x1, …, xn)
xi = EncPK(xi)
- decrypt each using SK- output f(x1, …, xn)
x1 x2 xn...
y = f(x1, x2, …, xn)
PK,
obfuscated
![Page 39: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/39.jpg)
First attempt
x1 x2 xn...
- decrypt each using SK- output f(x1, …, xn)
xi = EncPK(xi)
- decrypt each using SK- output f(x1, …, xn)
x1 x2’ xn...
y’ = f(x1, x2’…, xn)
PK,
obfuscated
![Page 40: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/40.jpg)
Our protocolPK
= EncPK(xi||ri|| ... )
x1 x2 xn...
xi = Commit(xi; ri)
x1r1 x2r2 xnrn
...
xiri
![Page 41: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/41.jpg)
Our protocol
= EncPK(xi||ri|| ... )
x1 x2 xn...
xi = Commit(xi; ri)
x1r1 x2r2 xnrn
...
- decrypt each using SK- check that are the same in each - verify each - output f(x1, …, xn)
xiri
PK,
![Page 42: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/42.jpg)
Our protocol
x1r1 x2r2 xnrn
...
= EncPK(xi||ri|| ... )
- decrypt each using SK- check that are the same in each - verify each - output f(x1, …, xn)
y = f(x1, x2, …, xn)
x1 x2 xn...
xi = Commit(xi; ri)
x1r1 x2r2 xnrn
...
- decrypt each using SK- check that are the same in each - verify each - output f(x1, …, xn)
xiri
PK,
![Page 43: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/43.jpg)
Our protocol
x1r1 x2’r2’ xnrn
...
= EncPK(xi||ri|| ... )
- decrypt each using SK- check that are the same in each - verify each - output f(x1, …, xn)
⊥
x1 x2 xn...
xi = Commit(xi; ri)
x1r1 x2r2 xnrn
...
- decrypt each using SK- check that are the same in each - verify each - output f(x1, …, xn)
xiri
PK,
![Page 44: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/44.jpg)
Our protocol
x1r1 x2’r2’ xnrn
...
= EncPK(xi||ri|| ... )
- decrypt each using SK- check that are the same in each - verify each - output f(x1, …, xn)
⊥
x1 x2 xn...
xi = Commit(xi; ri)
x1r1 x2r2 xnrn
...
- decrypt each using SK- check that are the same in each - verify each - output f(x1, …, xn)
each completely determines x1, …, xn and therefore y. xiri
The adversary cannot mix and match encryptions
xiri
PK,
![Page 45: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/45.jpg)
Wanted: Encryption
x1 x2 xn...
x1r1 x2r2 xnrn
...
- decrypt each using SK- check that are the same in each - verify each - output f(x1, …, xn)
Problem: cannot use security of encryption
since SK is in the program
PK,
![Page 46: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/46.jpg)
x1 x2 xn...
...
- decrypt each using SK- check that are the same in each - verify each - output f(x1, …, xn)
Problem: cannot use security of encryption
since SK is in the program
PK,
Wanted: Encryption
![Page 47: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/47.jpg)
x1 x2 xn...
...
- decrypt each using SK- check that are the same in each - verify each - output f(x1, …, xn)
Problem: cannot use security of encryption
since SK is in the program
PK
m
c = Enc(m) or simulated c
GM
PK, SK
Adv
PK,
Wanted: Encryption
![Page 48: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/48.jpg)
x1 x2 xn...
...
- decrypt each using SK- check that are the same in each - verify each - output f(x1, …, xn)
Problem: cannot use security of encryption
since SK is in the program
PK
m
c = Enc(m) or simulated c, SK
GM
PK, SK
Adv
PK,
Wanted: Encryption
![Page 49: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/49.jpg)
x1 x2 xn...
...
- decrypt each using SK- check that are the same in each - verify each - output f(x1, …, xn)
Problem: cannot use security of encryption
since SK is in the program
PK
m
c = Enc(m) or simulated c, SK{c}
GM
PK, SK
Adv
PK,
Wanted: Encryption
![Page 50: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/50.jpg)
PRE
x1 x2 xn...
...
- decrypt each using SK- check that are the same in each - verify each - output f(x1, …, xn)
Problem: cannot use security of encryption
since SK is in the program
PK
m
c = Enc(m) or simulated c, SK{c}
GM
PK, SK
Adv
Solution: Puncturable randomized encryption (PRE)
(from iO and OWFs)
Property:simulation-secure
even when almost all SK is known
PK,
![Page 51: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/51.jpg)
Achieving globality and full adaptive security
PK...
...SK{ }
Simulation: not global
![Page 52: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/52.jpg)
Achieving globality and full adaptive security
PK...
...SK{ }
Simulation: not global
Solution: Modify the protocol to sample PK, during the execution.
PK
x1 x2 xn...
x1x2 xn...
SK
SK
KSW’14CPR’16
![Page 53: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/53.jpg)
Achieving globality and full adaptive security
PK...
...SK{ }
Simulation: not global
Solution: Modify the protocol to sample PK, during the execution.
PK
x1 x2 xn...
x1x2 xn...
SK
SK PK SK
x1 x2 xn...
x1x2 xn...
Gen(rgen)
, rgen
![Page 54: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/54.jpg)
How to make the protocol RAM-efficientIshai-Kushilevitz paradigm: use MPC to evaluate garbling:
F(x1, …, xn; r) = garbled f, garbled x1, …, xn.
![Page 55: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/55.jpg)
How to make the protocol RAM-efficientIshai-Kushilevitz paradigm: use MPC to evaluate garbling:
F(x1, …, xn; r) = garbled f, garbled x1, …, xn.
Any MPC protocolRAM-efficient
garbling (e.g. CH’16)
RAM-efficient protocol
![Page 56: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/56.jpg)
How to make the protocol RAM-efficientIshai-Kushilevitz paradigm: use MPC to evaluate garbling:
F(x1, …, xn; r) = garbled f, garbled x1, …, xn.
Any MPC protocolRAM-efficient
garbling (e.g. CH’16)
RAM-efficient protocol
Only works for n-1 corruptions!
![Page 57: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/57.jpg)
How to make the protocol RAM-efficientIshai-Kushilevitz paradigm: use MPC to evaluate garbling:
F(x1, …, xn; r) = garbled f, garbled x1, …, xn.
Any MPC protocolRAM-efficient
garbling (e.g. CH’16)
RAM-efficient protocol
Only works for n-1 corruptions!For full adaptive security:
randomness-hiding MPC protocol
RAM-efficient garbling
(e.g. CH’16)
RAM-efficient protocol
![Page 58: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/58.jpg)
Our results :
NIZK with RAM efficiency
2 round fully adaptive MPC with nice properties (randomness-hiding, RAM-efficient, global CRS...)
GP’15 2 round fully adaptive MPC becomes RAM-efficient
plug into GP’15
Semi-honest case
malicious case
![Page 59: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/59.jpg)
Part II: Making GP’15 RAM-efficient
![Page 60: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/60.jpg)
GP’15 doesn’t hide randomness
Any randomness-hiding
MPC protocol
RAM-efficient garbling
(e.g. CH’16)
RAM-efficient protocol
Part II: Making GP’15 RAM-efficient
![Page 61: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/61.jpg)
Malicious case: achieving RAM-efficiency
Theorem (Garg-Polychroniadou’15):subexponential IO+TDPs → malicious MPC (2 round, fully adaptive)
![Page 62: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/62.jpg)
Theorem (Garg-Polychroniadou’15):subexponential IO for RAM +TDPs → malicious MPC for RAM? (2 round, fully adaptive)
Malicious case: achieving RAM-efficiency
![Page 63: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/63.jpg)
Theorem (Garg-Polychroniadou’15):subexponential IO for RAM +TDPs + statistically-sound NIZK for RAM→ malicious MPC for RAM (2 round, fully adaptive)
Malicious case: achieving RAM-efficiency
didn’t have before...
![Page 64: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/64.jpg)
![Page 65: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/65.jpg)
![Page 66: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/66.jpg)
RAM-efficient NIZK
f(x):For i = 1… 100000000 do {}
![Page 67: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/67.jpg)
RAM-efficient NIZK
f(x):For i = 1… 100000000 do {}
- |proof| ~ |f|RAM
![Page 68: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/68.jpg)
- |proof| ~ |f|RAM - done [Gen09, Gro11]: - |proof| ~|w|
Prior work on RAM-efficient NIZK
f(x):For i = 1… 100000000 do {}
![Page 69: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/69.jpg)
- |proof| ~ |f|RAM - done [Gen09, Gro11]: - |proof| ~|w|- Verify ~ circuit compexity of f
Verify proof for “f(x 1..xn)=y,...”......
Obfuscated program in GP’15:
Prior work on RAM-efficient NIZK
f(x):For i = 1… 100000000 do {}
![Page 70: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/70.jpg)
- |proof| ~ |f|RAM - done- Verification complexity ~ RAM complexity of f - ?
[Gen09, Gro11]: - |proof| ~|w|- Verify ~ circuit compexity of f
Verify proof for “f(x 1..xn)=y,...”......
Obfuscated program in GP’15:
Prior work on RAM-efficient NIZK
f(x):For i = 1… 100000000 do {}
![Page 71: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/71.jpg)
Malicious case
Theorem (Our work):Garbled RAM + NIZK proofs for circuits → statistically-sound NIZK for RAM.
Theorem (Garg-Polychroniadou’15):subexponential IO for RAM + TDPs+ statistically-sound NIZK for RAM→ malicious MPC for RAM (2 round, fully adaptive)
![Page 72: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/72.jpg)
Malicious case
Theorem (Our work):Garbled RAM + NIZK proofs for circuits → statistically-sound NIZK for RAM.
Theorem (Garg-Polychroniadou’15):subexponential IO for RAM + TDPs+ statistically-sound NIZK for RAM→ malicious MPC for RAM (2 round, fully adaptive)
Corollary:Subexp. iO+TDPs → malicious MPC for RAM (2 round, fully adaptive)
![Page 73: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/73.jpg)
NIZK + Garbled RAM → NIZK for RAMAttempt 1
Prover Verifier
x ∊ Lw
x ∊ L
Convince that ∃w such that R(x; w) = 1
![Page 74: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/74.jpg)
NIZK + Garbled RAM → NIZK for RAMAttempt 1
Convince that ∃w such that R(x; w) = 1
R →
x, w →
R(*,*)
x, w
Prover Verifier
x ∊ Lw
x ∊ L
garbled RAM:- allows to compute R(x; w)- hides R, x, w- RAM-efficient
![Page 75: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/75.jpg)
NIZK + Garbled RAM → NIZK for RAMAttempt 1
Convince that ∃w such that R(x; w) = 1
Proof = R(*,*) x, w
Accept if Eval( ) = 1R(*,*) x, w
Prover Verifier
x ∊ Lw
x ∊ L
R →
x, w →
R(*,*)
x, w
garbled RAM:- allows to compute R(x; w)- hides R, x, w- RAM-efficient
![Page 76: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/76.jpg)
NIZK + Garbled RAM → NIZK for RAMAttempt 1
Proof = R(*,*) x, w
Accept if Eval( ) = 1R(*,*) x, w
Prover Verifier
x ∊ Lw
x ∊ L
Convince that ∃w such that R(x; w) = 1
R →
x, w →
R(*,*)
x, w ● Verifier doesn’t learn anything about w
garbled RAM:- allows to compute R(x; w)- hides R, x, w- RAM-efficient
![Page 77: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/77.jpg)
NIZK + Garbled RAM → NIZK for RAMAttempt 1
Proof = R(*,*) x, w
Accept if Eval( ) = 1R(*,*) x, w
● Verifier doesn’t learn anything about w● Malicious prover can garble R ≡ 1
Prover Verifier
x ∊ Lw
x ∊ L
Convince that ∃w such that R(x; w) = 1
R →
x, w →
R(*,*)
x, w
garbled RAM:- allows to compute R(x; w)- hides R, x, w- RAM-efficient
![Page 78: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/78.jpg)
NIZK + Garbled RAM → NIZK for RAMAttempt 2
Prover Verifier
x ∊ Lw
R(*,*) x, w
Accept if Eval( ) = 1R(*,*) x, w
NIZK proof: “garbling done correctly, for correct R and x”
and if NIZK verifies.
Convince that ∃w such that R(x; w) = 1
R →
x, w →
R(*,*)
x, w
x ∊ L
![Page 79: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/79.jpg)
NIZK + Garbled RAM → NIZK for RAMAttempt 2
Prover Verifier
x ∊ Lw
R(*,*) x, w
Accept if Eval( ) = 1R(*,*) x, w
NIZK proof: “garbling done correctly, for correct R and x”
and if NIZK verifies.
Convince that ∃w such that R(x; w) = 1
R →
x, w →
R(*,*)
x, w
x ∊ L
short (~|R|RAM)
![Page 80: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/80.jpg)
NIZK + Garbled RAM → NIZK for RAMAttempt 2
Prover Verifier
x ∊ Lw
R(*,*) x, w
Accept if Eval( ) = 1R(*,*) x, w
NIZK proof: “garbling done correctly, for correct R and x”
and if NIZK verifies.
Convince that ∃w such that R(x; w) = 1
R →
x, w →
R(*,*)
x, w
x ∊ L
● Verifier doesn’t learn anything about w●
![Page 81: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/81.jpg)
NIZK + Garbled RAM → NIZK for RAMAttempt 2
Prover Verifier
x ∊ Lw
R(*,*) x, w
Accept if Eval( ) = 1R(*,*) x, w
NIZK proof: “garbling done correctly, for correct R and x”
and if NIZK verifies.
Convince that ∃w such that R(x; w) = 1
R →
x, w →
R(*,*)
x, w
x ∊ L
● Verifier doesn’t learn anything about w● garbling: for most random coins of garbling, correctness holds.
![Page 82: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/82.jpg)
NIZK + Garbled RAM → NIZK for RAMAttempt 2
Prover Verifier
x ∊ Lw
R(*,*) x, w
Accept if Eval( ) = 1R(*,*) x, w
NIZK proof: “garbling done correctly, for correct R and x”
and if NIZK verifies.
Convince that ∃w such that R(x; w) = 1
R →
x, w →
R(*,*)
x, w
x ∊ L
● Verifier doesn’t learn anything about w● garbling: for most random coins of garbling, correctness holds.● what if for some r garbling always garbles R ≡ 1
![Page 83: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/83.jpg)
NIZK + Garbled RAM → NIZK for RAMAttempt 2
Prover Verifier
x ∊ Lw
R(*,*) x, w
Accept if Eval( ) = 1R(*,*) x, w
NIZK proof: “garbling done correctly, for correct R and x”
and if NIZK verifies.
Convince that ∃w such that R(x; w) = 1
R →
x, w →
R(*,*)
x, w
x ∊ L
● Verifier doesn’t learn anything about w● No coin tossing - need perfectly correct garbled RAM● Currently do not have garbled RAM with perfect correctness
![Page 84: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/84.jpg)
NIZK + Garbled RAM → NIZK for RAMAttempt 2
Prover Verifier
x ∊ Lw
R(*,*) x, w
Accept if Eval( ) = 1R(*,*) x, w
NIZK proof: “garbling done correctly, for correct R and x”
and if NIZK verifies.
Convince that ∃w such that R(x; w) = 1
R →
x, w →
R(*,*)
x, w
x ∊ L
● Verifier doesn’t learn anything about w● CH15 garbled RAM satisfies perfect correctness with abort - enough
![Page 85: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/85.jpg)
NIZK + Garbled RAM → NIZK for RAMAttempt 2
Prover Verifier
x ∊ Lw
R(*,*) x, w
Accept if Eval( ) = 1R(*,*) x, w
NIZK proof: “garbling done correctly, for correct R and x”
and if NIZK verifies.
Convince that ∃w such that R(x; w) = 1
R →
x, w →
R(*,*)
x, w
x ∊ L
● Verifier doesn’t learn anything about w● CH15 garbled RAM satisfies perfect correctness with abort - enough● evaluator either gets correct output, or rejects
![Page 86: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/86.jpg)
Summary: two round adaptively secure protocols
Semi-honest case:● global CRS● supports RAM● randomness-hiding (e.g. N = pq)
Malicious case (GP15 + our RAM efficient NIZK):● RAM-efficient
![Page 87: Better 2-round adaptive MPC - Boston UniversityDKR’15 n 4 OWF iO GP’15 n 2 TDP subexp. iO. Q1: can we build 2 round MPC with global (non-programmable) CRS? Full Adaptive Security:](https://reader036.vdocument.in/reader036/viewer/2022071503/6122da6b3710e646e15a9aa7/html5/thumbnails/87.jpg)
Questions?