Lecture 13
Two-Party Computation Protocols
Stefan Dziembowski
www.dziembowski.net
MIM UW
11.01.13
ver 1.0
Plan
1. Motivation
2. Definitions
3. Information-theoretic impossibility
4. Constructions
   1. oblivious transfer
   2. computing general circuits
5. Applications
A love problem
A := 0 if Alice doesn’t love Bob, 1 if Alice loves Bob
B := 0 if Bob doesn’t love Alice, 1 if Bob loves Alice
They want to learn the value of
f(A,B) := A and B
Solution?
[Diagram: Alice sends A to Bob and Bob sends B to Alice; each of them computes A and B locally.]
Problem
If A = 0 and B = 1 then Bob knows that Alice loves him while he doesn’t!
If B = 1 and A = 0 then Alice knows that Bob loves her while she doesn’t!
Solution?
[Diagram: Alice sends A and Bob sends B to a trusted party, which computes A and B and sends the result to each of them.]
Alice and Bob learn only the value of f(A,B) = A and B.
Of course: if A = B = 1 then f(A,B) = 1 and there is no secret to protect.
But, e.g., if A = 0 and B = 1 then f(A,B) = 0 and Alice will not know the value of B.
Question: Is it possible to compute f without a trusted party?
Another example: “the millionaire’s problem”
A := how much money Abramovich has
B := how much money Berlusconi has
f(A,B) := “Abramovich” if A > B, “equal” if A = B, “Berlusconi” if A < B
How to solve this problem?
Can they compute f in a secure way?
(secure = “only the output is revealed”)
Of course, they do not trust any “third party”.
Answer
It turns out that:
in both cases, there exists a cryptographic protocol that allows A and B to compute f in a secure way.
Moreover:
In general, every poly-time computable function f can be computed securely by two parties
(assuming some problems are computationally hard).
Of course, this has to be defined...
What do we mean by a “secure function evaluation”?
In general, the definition is complicated, and we will not present it here.
Main idea: suppose we have a function f: {0,1}* × {0,1}* → {0,1}*
[Diagram: Alice (input A) and Bob (input B) run a protocol π; each of them obtains f(A,B).]
Each of the parties may try to:
• learn something about the input of the other party, or
• disturb the output of the protocol.
What do we mean by a “secure function evaluation”?
“real” scenario: [Diagram: Alice (input A) and Bob (input B) run the protocol π; each of them obtains f(A,B).]
“ideal” scenario: [Diagram: Alice sends A and Bob sends B to a trusted party; each of them receives f(A,B).]
A malicious participant (Alice or Bob) should not be able to
• learn more information, or
• do more damage to the output
in the “real” scenario, than it can in the “ideal” one.
What do we mean by this?
For example:
Alice can always declare that she loves Bob, while in fact
she doesn’t.
A millionaire can always claim to be poorer or richer than he is...
But:
Berlusconi cannot force the output of the protocol to be
“equal” if he doesn’t know the value of A.
Let’s generalize it a bit:
[Diagram: on inputs A and B the parties obtain f1(A,B) and f2(A,B).]
1. the outputs of Alice and Bob can be different
2. the function that they compute may be randomized
An adversary
It is convenient to think about an adversary that corrupts one of the players.
(clearly if the adversary corrupts both players, it makes no sense to talk about any security)
Two goals that the adversary may want
to achieve
1. learn about the input of the other party
“more than he would learn in the ideal
scenario”,
2. change the output of the protocol.
Two types of adversarial behavior
In general, we consider two types of adversarial
behavior:
• passive, also called: honest-but-curious:
a corrupted party follows the protocol,
• active, also called Byzantine
a corrupted party doesn’t need to follow the
protocol
Two types of security
• a protocol is passively secure if it is secure
against one of the parties behaving
maliciously in a passive way.
• a protocol is actively secure if it is secure
against one of the parties behaving
maliciously in an active way.
Problem with active security
In general, it is impossible to achieve complete fairness.
That is: one of the parties may (after receiving her
own output)
prevent the other party from receiving her output
(by halting the protocol)
(remember the coin-flipping protocol?)
Fact
Let π be a passively secure protocol computing
some function f.
Then, we can construct a protocol π’ that is
actively secure, and computes the same
function f.
How?
Using Zero-Knowledge!
(we skip the details)
Power of the adversary
The malicious parties may be
• computationally bounded (poly-time)
• computationally unbounded.
In this case we say that security is
information-theoretic
We usually allow the adversary to “break the
security” with some negligible probability.
Most of the natural functions cannot be
computed by an information-theoretically
secure protocol
Example
Consider a function
f(A,B) = A and B.
There exists an infinitely-powerful adversary that
breaks any protocol computing it.
The adversary may even be passive.
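A transcript
[Diagram: Alice (input A, random input RA) and Bob (input B, random input RB) exchange messages; the messages form the transcript T, and each party outputs A and B.]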
Definition
Transcript T is consistent with input A=A0 if there exist random inputs RA (for Alice) and (B,RB) (for Bob) such that T is a transcript of the execution of the protocol with inputs
• (A0,RA) – for Alice
• (B,RB) – for Bob.
(for B – symmetric)
1. Suppose A = 0 and B = 0
The transcript T has to be consistent with A=1.
Otherwise a malicious Bob knows that A = 0.
2. Suppose A = 0 and B = 1
The transcript T cannot be consistent with A=1,
because the output of the protocol has to be different in these two cases:
• A=0 and B=1 and
• A=1 and B=1
So, if A = 0 then a malicious Alice has a way to learn the input of Bob!
Alice checks if T is consistent with A=1.
If yes then she knows that B=0, otherwise B=1.
Moral
If we want to construct a protocol for computing
AND, we need to rely on computational
assumptions.
A question
Does there exist a protocol π that is “complete
for secure two-party computations”?
In other words:
We are looking for π such that:
if we have a protocol for π then we can
construct a provably secure protocol for any
function?
Answer
Yes!
A protocol like this exists.
It is called Oblivious Transfer (OT). There are two versions of it:
• Rabin’s Oblivious Transfer
M. O. Rabin. How to exchange secrets by oblivious transfer, 1981.
• One-out-of-Two Oblivious Transfer
S. Even, O. Goldreich, and A. Lempel, A Randomized Protocol for
Signing Contracts, 1985.
Rabin’s Oblivious Transfer
The sender has an input bit A.
The receiver outputs B such that
B := A with probability 0.5, ? with probability 0.5
The sender should have no information which was the case.
If B = ? then the receiver has no information on A.
One-out-of-two Oblivious Transfer
The sender has input bits (A0,A1); the receiver has an input bit B.
The receiver outputs C such that
C := A0 if B = 0, A1 if B = 1
We will also write
C := OT((A0,A1),B)
The sender should have no information which was the case.
The receiver has no information on the other Ai.
Fact
Rabin’s Oblivious Transfer
and
One-out-of-Two Oblivious Transfer
are “equivalent”.
Claude Crépeau. Equivalence between two flavours of oblivious transfer, 1988
Rabin OT from 1-out-of-2 OT
Rabin sender (input bit A): choose random (A0,A1) such that A0 xor A1 = A; choose random bit R.
Rabin receiver: choose a random bit B.
They run the 1-out-of-2 OT: the sender’s input is the bits (A0,A1), the receiver’s input is the bit B.
The receiver gets AB and AR.
If R ≠ B then output A = AB xor AR;
otherwise he has no information on A1-B so he has no information on A.
It remains to show the opposite direction
1-out-of-2 OT from Rabin OT
The sender has input bits (A0,A1); the receiver has an input bit B.
The sender chooses a random string of bits (α1 α2 α3 α4 α5 α6 α7 in the picture) and sends each bit with Rabin OT (k times).
The receiver gets, in the picture, α1 ? ? α4 α5 ? α7.
Let I be the set of indices of the bits that he “knows”.
Let Ic be the complement of I.
if B=0 send (X0,X1) := (I,Ic)
if B=1 send (X0,X1) := (Ic,I)
The sender sends (Z0,Z1) := (β0 xor A0, β1 xor A1).
The receiver knows only the indices in βB.
He outputs βB xor ZB.
Security?
1. To learn B the sender would need to distinguish I from Ic.
2. To learn both A0 and A1 the receiver would need to know both β0 and β1.
This is possible only if he knows all αi’s.
This happens with probability 0.5^k.
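The construction of 1-out-of-2 OT from k Rabin OTs, simulated end to end as an added example (not code from the lecture). It assumes an ideal Rabin OT and takes βj to be the xor of the αi with i in Xj, a definition the transcript does not preserve; the function names are hypothetical.

```python
import secrets
from functools import reduce

def rabin_ot(bit):
    """Ideal Rabin OT: the bit arrives with probability 0.5, else None ('?')."""
    return bit if secrets.randbelow(2) else None

def beta(alphas, indices):
    """Assumed definition: beta for an index set is the xor of its alpha_i."""
    return reduce(lambda acc, i: acc ^ alphas[i], indices, 0)

def one_of_two_from_rabin(a0, a1, b, k=40):
    """Returns (receiver output, sender's view (X0, X1), receiver knows all)."""
    # Sender: k random bits, each sent through Rabin OT.
    alphas = [secrets.randbelow(2) for _ in range(k)]
    received = [rabin_ot(a) for a in alphas]
    # Receiver: I = indices of the bits he knows, Ic = its complement.
    known = [i for i, r in enumerate(received) if r is not None]
    unknown = [i for i, r in enumerate(received) if r is None]
    x0, x1 = (known, unknown) if b == 0 else (unknown, known)
    # Sender: (Z0, Z1) := (beta0 xor A0, beta1 xor A1).
    z = (beta(alphas, x0) ^ a0, beta(alphas, x1) ^ a1)
    # Receiver: recomputes beta_B only from bits that actually arrived.
    beta_b = reduce(lambda acc, i: acc ^ received[i], known, 0)
    # If Ic is empty the receiver knows every alpha_i and can also unmask
    # the other input; this is the 0.5^k event from the security argument.
    return beta_b ^ z[b], (x0, x1), len(unknown) == 0
```

The sender sees only the two index sets, and which of them is the "known" one is exactly the bit B she would have to guess.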
An implementation of Rabin’s OT
The sender has an input bit A.
sender → receiver: a random RSA public key pk := (N,e) and C := Epk(A)
The receiver chooses a random x from ZN*.
receiver → sender: y := x^2 mod N
sender → receiver: a random z such that z^2 = y mod N
If x = ± z mod N output ?
otherwise gcd(x-z, N) is a non-trivial factor of N, hence the receiver can decrypt A from C. Output A.
Remember the proof that computing square root is equivalent to factoring?
We used exactly the reasoning:
1. with probability 0.5 we have x ≠ ± y mod N
2. if x ≠ ± y mod N then gcd(x-z, N) is a non-trivial factor of N
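The message flow above for honest parties, as an added example (not code from the lecture). The primes, the exponent and the randomized encoding of the bit inside the RSA plaintext are constructed assumptions chosen so that the run is self-contained; the function names are hypothetical.

```python
import math
import secrets

# Constructed parameters, far too small for real use. P and Q are primes
# congruent to 3 mod 4, so the sender can take square roots with one pow().
P, Q, E = 10007, 10039, 65537
N = P * Q

def encrypt(bit):
    """Sender: C := Epk(A). The bit is the low bit of a random plaintext m,
    because textbook RSA of 0 or 1 would reveal the bit (assumed encoding)."""
    m = 2 * secrets.randbelow(N // 2 - 1) + 2 + bit
    return pow(m, E, N)

def sender_root(y):
    """Sender: a uniformly random one of the four square roots of y mod N."""
    rp = secrets.choice((1, -1)) * pow(y, (P + 1) // 4, P)
    rq = secrets.choice((1, -1)) * pow(y, (Q + 1) // 4, Q)
    # Chinese remainder theorem: z = rp mod P and z = rq mod Q.
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N

def rabin_ot(bit):
    """One run; returns the receiver's output: the bit, or None for '?'."""
    c = encrypt(bit)                      # sender -> receiver: pk and C
    x = secrets.randbelow(N - 1) + 1      # receiver: random x from Z_N^*
    while math.gcd(x, N) != 1:
        x = secrets.randbelow(N - 1) + 1
    y = x * x % N                         # receiver -> sender
    z = sender_root(y)                    # sender -> receiver
    if z in (x, N - x):
        return None                       # the root is +-x: nothing learned
    p = math.gcd(x - z, N)                # otherwise a non-trivial factor of N
    d = pow(E, -1, (p - 1) * (N // p - 1))
    return pow(c, d, N) & 1               # the receiver decrypts A from C
```

The sender cannot tell the two outcomes apart: she only ever sees y, which is the square of four equally likely values of x.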
How does it look now?
The sender has an input bit A.
sender → receiver: a random RSA public key pk := (N,e) and C := Epk(A)
The receiver chooses a random x from ZN*.
receiver → sender: y := x^2 mod N
The receiver proves in ZK that he knows x.
sender → receiver: a random z such that z^2 = y mod N
If x = ± y mod N output ?
otherwise gcd(x-z, N) is a non-trivial factor of N, hence the receiver can decrypt A from C. Output A.
Is it secure?
Against passive cheating?
YES!
Against active cheating?
Not so clear...
The sender acts as an oracle for computing square roots
modulo N.
Can it help him?
We don’t know.
Solution
Add an intermediary step in which the sender proves in
zero-knowledge that he knows x.
Implementation of the 1-out-of-2 OT
(Gen, Enc, Dec) – public key encryption scheme
(E,D) – symmetric-key cipher
The sender has inputs A0, A1; the receiver has input B.
1. The sender generates two pairs (sk0,pk0), (sk1,pk1).
sender → receiver: pk0 , pk1
2. The receiver generates a random symmetric key K.
receiver → sender: X := Enc(pkB, K)
3. The sender computes:
K0 := Dec (sk0 , X)
K1 := Dec (sk1 , X)
C0 := E (K0, A0)
C1 := E (K1, A1)
two cases:
B=0: K0 = K, K1 = “random”
B=1: K0 = “random”, K1 = K
sender → receiver: C0 , C1
4. The receiver computes AB as:
AB = D (K,CB)
How to solve the love problem of Alice and Bob using OT?
[Diagram: Alice (input A) sets (A0,A1) := (0,A) and is the sender in a 1-out-of-2 OT; Bob (input B) is the receiver; the output is A and B.]
The output of Bob is equal to 1 iff A = B = 1, so it is equal to A and B.
Bob just outputs it.
Works, because: A and B = OT((0,A),B)
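The four steps of the 1-out-of-2 OT and its use for the love problem, run for honest-but-curious parties as an added example (not code from the lecture). ElGamal over a constructed group stands in for (Gen, Enc, Dec) and a hash-derived one-bit pad for (E, D); both choices and all function names are assumptions.

```python
import hashlib
import secrets

P = 2**127 - 1   # constructed group Z_P^* (a Mersenne prime), not a vetted choice
G = 3

def gen():
    """Gen: ElGamal key pair (sk, pk)."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def enc(pk, m):
    """Enc: ElGamal encryption of a group element m."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), m * pow(pk, r, P) % P

def dec(sk, ct):
    """Dec: with the wrong sk the result is an unrelated group element."""
    u, v = ct
    return v * pow(u, -sk, P) % P

def sym(key, bit):
    """E and D at once: xor the bit with one pad bit derived from the key."""
    return bit ^ (hashlib.sha256(str(key).encode()).digest()[0] & 1)

def ot(a0, a1, b):
    """C := OT((A0,A1),B), following steps 1-4."""
    (sk0, pk0), (sk1, pk1) = gen(), gen()    # 1. sender -> receiver: pk0, pk1
    k = secrets.randbelow(P - 1) + 1         # 2. receiver: random key K
    x = enc((pk0, pk1)[b], k)                #    receiver -> sender: X
    k0, k1 = dec(sk0, x), dec(sk1, x)        # 3. one is K, the other "random"
    c0, c1 = sym(k0, a0), sym(k1, a1)        #    sender -> receiver: C0, C1
    return sym(k, (c0, c1)[b])               # 4. receiver: A_B = D(K, C_B)

def love(a, b):
    """A and B = OT((0, A), B): Alice is the sender, Bob the receiver."""
    return ot(0, a, b)
```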
How to compute any function?
We will now show how Alice and Bob can
securely compute any function f.
More precisely: they can compute any function
that can be computed by a poly-time Boolean
circuit.
Boolean circuits
[Figure: a Boolean circuit built from conjunction gates (and) and negation gates (neg). Input gates: a0,…,a3 (input of Alice) and b1,…,b4 (input of Bob). Output gates: c1,…,c5. The figure also marks the depth of the circuit.]
size: number of gates
General idea
Alice “encrypts” the circuit together with her own input and sends it to Bob.
Bob adds his input and evaluates the circuit gate by gate.
They do it in such a way that the values on the gates remain secret (except for the output gates).
Simplifying assumptions:
Dishonest users do not cheat actively (honest-but-curious).
The output will be learned only by Bob.
Let us number the gates
[Figure: the circuit for the function f, with inputs a0,…,a3 and b1,…,b4 and outputs c1,…,c5; its gates are labelled with numbers.]
Step 1: key generation
For every gate (except the output gates) Alice chooses two random symmetric keys.
[Figure: a gate z (and / or) with inputs x and y, and an input gate aj; the gates carry the keys Kx,0, Kx,1, Ky,0, Ky,1, Kz,0, Kz,1.]
Alice does not send these keys to Bob.
Question
How to encrypt a message M in such a way that decrypting it requires knowing two keys: K0 and K1?
Answer: encrypt twice:
E(K0 , E(K1 , M))
Step 2: encrypting the keys
[Figure: a gate z (and) with inputs x and y; the keys are Kx,0, Kx,1, Ky,0, Ky,1, Kz,0, Kz,1.]
x  y  x and y  “encrypted keys”
0  0  0        E(Kx,0 , E(Ky,0 , Kz,0))
0  1  0        E(Kx,0 , E(Ky,1 , Kz,0))
1  0  0        E(Kx,1 , E(Ky,0 , Kz,0))
1  1  1        E(Kx,1 , E(Ky,1 , Kz,1))
analogously for the neg and or gates
Output gates
[Figure: an output gate y (out) with input x; keys Kx,0, Kx,1; output values “0”, “1”.]
x  ciphertexts
0  E(Kx,0 , “0”)
1  E(Kx,0 , “1”)
Step 3: sending the ciphertexts
For every gate Alice randomly permutes the “encrypted keys” and sends them to Bob.
[Figure: the four “encrypted keys” E(Kx,0 , E(Ky,0, Kz,0)), E(Kx,0 , E(Ky,1, Kz,0)), E(Kx,1 , E(Ky,0, Kz,0)), E(Kx,1 , E(Ky,1, Kz,1)) are sent as the ciphertexts Cz,1, Cz,2, Cz,3, Cz,4.]
Situation: Bob knows 4 ciphertexts for every gate
[Figure: the circuit with gates 1,…,5 (and and neg gates); each gate i is labelled with its ciphertexts Ci,1, Ci,2, Ci,3, Ci,4.]
How can Bob compute the result?
Method: decrypt the circuit “bottom-up”, until the keys that encrypt the result are obtained.
To do this Bob has to learn the keys corresponding to the input gates.
Recall that the input gates are divided into: “Bob’s input” and “Alice’s input”.
[Figure: input gates a0, a1, a2, a3 (input of Alice) and b1, b2, b3, b4 (input of Bob).]
There is no problem with Alice’s input
Step 4: Alice sends the keys corresponding to the bits of her input.
gate:            1     2     3     4
input of Alice:  1     0     1     1
key sent:        K1,1  K2,0  K3,1  K4,1
Observation: since the gates are “permuted”, Bob does not know whether he got a key corresponding to zero or to one.
What to do with Bob’s input?
[Figure: the input gates 5, 6, 7, 8 for Bob’s bits b1, b2, b3, b4, with the keys K5,0, K5,1, K6,0, K6,1, K7,0, K7,1, K8,0, K8,1.]
Problem 1: Bob cannot ask Alice to hand over the keys corresponding to his input bits (because he would reveal this input to her).
Problem 2: Alice cannot send the keys corresponding to both bits (because then Bob could compute f for two different inputs B).
Solution: 1-out-of-2 Oblivious Transfer!
Yao’s method - summary
Alice (input a1,…,an) sends to Bob (input b1,…,bm):
• the “encrypted” (garbled) circuit for f
• the keys corresponding to the inputs a1,…,an
m times oblivious transfer (for each bit bi)
Bob evaluates the circuit bottom-up and learns the result.
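Steps 1 to 3 and Bob's evaluation for a single and gate whose value is the output, as an added example (not code from the lecture). The lecture does not say how Bob recognises which ciphertext his keys open; here E appends a zero tag that D checks, which is an assumption, as are the hash-based cipher and the function names.

```python
import hashlib
import secrets

TAG = bytes(16)   # assumed redundancy: lets D detect a wrong key

def E(key, msg):
    """Symmetric encryption: fresh nonce, hash-derived pad, zero tag appended."""
    nonce, body = secrets.token_bytes(16), msg + TAG
    pad = hashlib.shake_256(key + nonce).digest(len(body))
    return nonce + bytes(a ^ b for a, b in zip(body, pad))

def D(key, ct):
    """Decryption; returns None when the tag shows the key was wrong."""
    nonce, body = ct[:16], ct[16:]
    pad = hashlib.shake_256(key + nonce).digest(len(body))
    pt = bytes(a ^ b for a, b in zip(body, pad))
    return pt[:-16] if pt[-16:] == TAG else None

def garble_and():
    """Alice: two keys per gate, double encryption, random permutation."""
    K = {g: (secrets.token_bytes(16), secrets.token_bytes(16)) for g in "xyz"}
    rows = [E(K["x"][x], E(K["y"][y], K["z"][x & y]))
            for x in (0, 1) for y in (0, 1)]
    secrets.SystemRandom().shuffle(rows)
    out = [E(K["z"][v], str(v).encode()) for v in (0, 1)]   # output ciphertexts
    return K, rows, out

def evaluate(rows, out, kx, ky):
    """Bob: holds one key per input gate; only one row opens with both."""
    for ct in rows:
        inner = D(kx, ct)
        kz = D(ky, inner) if inner is not None else None
        if kz is not None:
            for c in out:
                value = D(kz, c)
                if value is not None:
                    return int(value)
    return None   # the keys do not fit this garbled gate
```

In the full protocol kx would arrive in Step 4 and ky through a 1-out-of-2 OT, so Bob never holds both keys of any gate.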
Problem
Until recently the protocols required exchanging a large number of messages.
E.g. in Yao’s protocol Alice has to send the whole encrypted circuit to Bob.
Can it be done better?
Idea
If we knew how to construct a cipher that is “homomorphic with respect to the field operations”, then secure function evaluation would be easy.
Fully homomorphic encryption:
(assume that the set of messages is a field with operations + and ×)
[Diagram: one party has the key sk; the other party does not know sk, but given Enc(sk, X) and Enc(sk, Y) it can compute Enc(sk, X + Y) and Enc(sk, X×Y).]
How to compute f using such a cipher?
Assume that the cipher works over Z2 .
Then logical conjunction is multiplication, and negation is adding the constant 1.
First party, input: a1,…,an
1. generates a pair (sk,pk)
2. computes for every i:
ci = Enc(pk,ai)
sends: pk, a1,…,an
Second party, input: b1,…,bn
3. computes for every i:
di = Enc(pk,bi)
4. computes f using the homomorphism of the cipher
sends the ciphertext c corresponding to the result
First party:
5. computes the result as
Dec(sk,c)
Homomorphism of RSA
The RSA cipher already had a homomorphism with respect to multiplication:
Enc((N,e), X) × Enc((N,e), Y) = X^e × Y^e mod N
= (X×Y)^e mod N
= Enc((N,e), X×Y)
Finding a cipher that is homomorphic with respect to multiplication and addition at the same time had been an open problem since the 1970s.
Recent breakthrough
a construction of a fully homomorphic cipher based on lattice theory
Craig Gentry [2009]
Efficiency in practice?
The initial versions were horribly inefficient.
Example:
key size: 2.3 GB,
key generation time: 2 hours,
computing 1 operation: 30 minutes
(times measured on a typical PC).
But more efficient versions are appearing.
Applications?
In practice this protocol is extremely inefficient.
But it shows that some things in principle can be
done.
Research problem
Construct protocols (for concrete problems) that
are efficient.
Example
Michael J. Freedman, Kobbi Nissim, Benny Pinkas: Efficient Private
Matching and Set Intersection. EUROCRYPT 2004
Set intersection:
Alice and Bob want to see which friends they have in common
(without revealing to each other their lists of friends)
[Diagram: Alice has the input set A, Bob has the input set B; the output is the intersection of A and B.]
A natural question?
What if the number of parties is greater than 2?
Solutions for this also exist!
These protocols are used in practice
Is the oblivious transfer in Minicrypt?
As far as we know:
no!
[Figure: in cryptomania: “trap-door permutations exist”, “public-key encryption exists”, “oblivious transfer exist”, “key exchange protocols exist”, with the relations between them marked “???”; in minicrypt: “one way functions exist”.]
©2013 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of
this material is currently granted without fee provided that copies are made only for
personal or classroom use, are not distributed for profit or commercial advantage, and
that new copies bear this notice and the full citation.