Simple, Black-Box Constructions of Adaptively Secure Protocols

Seung Geol Choi, Columbia University
Joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University), and Hoeteck Wee (Queens College, CUNY)

Outline
• Motivation
• Our Work
• Our Compiler
  – Comp

Criteria of adversarial corruption in Multi-party Computation (MPC)
• Semi-honest vs. Malicious
  – semi-honest: corrupted parties should behave honestly
  – malicious: they can behave arbitrarily
• How many parties can be corrupted?
  – Honest majority vs. honest minority.
• Static vs. Adaptive
  – static: adv corrupts parties at the outset
  – adaptive [CFGN96]: during the protocol adaptively

Adaptively Secure OT - Simulator
[Diagram. Labels: Sender, (s0, s1); Receiver, r; messages m1, m2, m3; Output: sr. Cases: No Corruption, Corrupt Sender.]
Bad Simulation: Pick (s0, s1), r, rand for S & R randomly and execute the protocol honestly w/ these values.
Given the actual input (s0’, s1’), Sim is unable to patch rand for S consistent w/ the transcript & the input.

MPC (malicious majority) and OT -- Roughly
• Non-black-box
  – Basically everything is known: use ZK, e.g.,
  – Static: from semi-honest OT [GMW87] (stand-alone)
  – Adaptive: from semi-honest OT with FCOM [CLOS02] (UC)
• Black-box
  – Static: from semi-honest OT [K88,IKLP06,H08] (stand-alone)
  – Adaptive: from malicious OT [IPS08] (UC)
  But, malicious OT [B98, CLOS02, KO04] has non-black-box access to the underlying primitive.

Goal
• Achieve MPC
  – adaptive, malicious majority
  – black-box (BB) access to lower primitives
    • Of theoretical interest
    • Arguably more efficient: avoid general NP reductions incurred by ZK proofs.
  – constant-round

Main Result
[Diagram: UC, adaptive semi-honest bit OT → Compiler → UC, adaptive malicious string OT in FCOM hybrid]
• Black-box
• constant multiplicative blow-up in rounds
Improvement over [IKLP06,H08]: UC and adaptive

BB Implications – UC & Adaptive
[Diagram of black-box implications. Labels: DDH, RSA, Factoring, LWE; Trapdoor simulatable cryptosystem; constant-round semi-honest bit OT; malicious string OT in FCOM hybrid. Edge labels: [CDMW09, CLOS02]; this work; [IPS08].]
• in FCOM hybrid
  - MPC allowing corruption of any number of parties
  - constant-round MPC allowing corruption of n-1 parties

Our MPC Construction
• FCOM hybrid: Can be combined with existing results under various setup
  – e.g., [CLOS02, BCNP04, CDPW07, K07]. Usually start by how to UC realize FCOM.

| | [CLOS02] | [IPS08] | ours |
|---|---|---|---|
| #rounds for n, (n-1) corruptions | O(depth), O(depth) | O(depth), O(1) | O(depth), O(1) |
| hybrid | FCOM | FOT | FCOM |
| BB/non-BB | non-BB | BB | BB |

BB Implications - Stand-alone
[Diagram of black-box implications. Labels: DDH, RSA, Factoring, LWE; Trapdoor simulatable cryptosystem; UC, adaptive, constant-round semi-honest bit OT; malicious string OT in FCOM hybrid. Edge labels: [CDMW09, CLOS02]; this work; [IPS08]; [PW09] (twice).]
• UC, adaptive in FCOM hybrid
  - MPC allowing corruption of any number of parties
  - constant-round MPC allowing corruption of n-1 parties
• stand-alone, adaptive
  - constant-round malicious string OT

Our Work - Summary
• Adaptively secure MPC: UC in FCOM hybrid / stand-alone
  - allowing corruption of any number of parties
  - allowing corruption of n-1 parties in constant-round
[Diagram. Labels: UC, adaptive semi-honest bit OT; Compiler; UC, adaptive malicious string OT in FCOM hybrid; MPC; stand-alone, adaptive constant-round malicious string OT; String OT.]

Previous Work: Stand-alone & Static case
[Diagram. Labels: semi-honest bit OT; Haitner [H08]; defensible bit OT; Ishai, Kushilevitz, Lindell, and Petrank [IKLP06]; malicious OT; eTDP, homomorphic enc; [K88]; MPC.]

Our Compiler - 1
• Basically, [H08]+[IKLP06].
• Insight
  – View [H08] + [IKLP06] as GMW Compiler
    • With ZK proof replaced with cut-and-choose technique.
  – Our presentation doesn’t need the notion of defensible OT.

Our Compiler - 2
• Has two modules
  – Comp: boost receiver-side security (for string)
  – OT-Reversal [WW06]: reverse the role of sender and receiver (for bit)

| Our Compiler | receiver | sender |
|---|---|---|
| Starting protocol | semi-honest | semi-honest |
| Apply Comp | malicious | semi-honest |
| Apply OT-Reversal | semi-honest | malicious |
| Apply Comp | malicious | malicious |

[Side diagram for the [H08] and [IKLP06] route. Labels: semi-honest, semi-honest; [H08]: Commit input & randomness at the outset; defensible, defensible; [IKLP06]: Parallel executions; defensible, defensible.]

Comp(Π)
I. Run coin-tossing in the well using FCOM to fix R’s input & rand for Phase II.
II. Run 2n executions of Π in parallel w/ R using input & rand generated in Phase I.
III. R opens commitments in Phase I for n random OT execs.
IV. Apply combiner to the rest of n executions.
[Annotations on the slide: [H08]; [IKLP06]; Cut & Choose]

UC Security in Comp
• Straight-line simulation
  – Extract receiver’s input in a straight-line manner w/ info from Phase I.

Adaptively Secure OT - Simulator
[Diagram. Labels: Sender, (s0, s1); Receiver, r; messages m1, m2, m3; Output: sr. Cases: No Corruption, Corrupt Sender.]
Upon corruption, Sim has to patch rand for S consistent w/ the transcript & the given input

Simulation in Comp – Achieving Adaptive Security
1. Extract R’s input & rand. in Phase I w/ FCOM
2. For i-th OT execution Πi:
   • Run simulator for Πi (SIMi) until the R behaves consistently w/ the commitments.
   • Inconsistent R: “corrupt S” on SIMi (input & rand of S in Πi is fixed). Follow spec. of Π w/ this fixed info.
3. Patching the S’s overall rand.
   • If R behaved honestly in some Πj, can patch using SIMj: with high probability there is at least one such j.
Use adaptive security of Π: Guaranteed as long as R behaves honestly
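
A counting check of the "with high probability there is at least one such j" step, as an added example that is not from the slides. It assumes that S aborts when any of the n opened executions is inconsistent with R's Phase I commitments and that the patching execution Πj must be one of the n unopened ones; the function names are made up for this sketch.

```python
from fractions import Fraction
from itertools import combinations
from math import comb


def bad_event_probability(n: int, k: int) -> Fraction:
    """Pr[R passes cut-and-choose AND no unopened execution is honest].

    R deviates from its Phase I commitments in k of the 2n executions
    (indices 0..k-1; by symmetry the choice of indices does not matter).
    A uniformly random set of n executions is opened in Phase III.
    Assumption (not stated on the slides): S aborts if any opened
    execution is inconsistent.
    """
    executions = set(range(2 * n))
    inconsistent = set(range(k))
    bad = total = 0
    for opened in combinations(sorted(executions), n):
        total += 1
        opened_set = set(opened)
        unopened = executions - opened_set
        passes_check = opened_set.isdisjoint(inconsistent)
        no_honest_j = unopened <= inconsistent  # every remaining exec deviates
        if passes_check and no_honest_j:
            bad += 1
    return Fraction(bad, total)


def worst_case(n: int) -> Fraction:
    """Best strategy for R over all k, found by exhaustive search."""
    return max(bad_event_probability(n, k) for k in range(2 * n + 1))


def closed_form(n: int) -> Fraction:
    """Only k = n can succeed: the opened set must be exactly the honest half."""
    return Fraction(1, comb(2 * n, n))


if __name__ == "__main__":
    for n in range(1, 7):
        print(n, worst_case(n), closed_form(n))
```

For every n the exhaustive maximum equals 1/C(2n, n): only a receiver that deviates in exactly n executions can leave no honest Πj, and then only when the opened set is exactly the honest half.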

Conclusion
• Adaptively secure MPC: UC in FCOM hybrid / stand-alone
  - allowing corruption of any number of parties
  - allowing corruption of n-1 parties in constant-round
[Diagram. Labels: UC, adaptive semi-honest bit OT; Compiler; UC, adaptive malicious string OT in FCOM hybrid; MPC; stand-alone, adaptive constant-round malicious string OT; String OT.]

Thank you