Simple, Black-Box Constructions of Adaptively Secure Protocols
joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University), and Hoeteck Wee (Queens College, CUNY)
Seung Geol Choi, Columbia University
Dec 15, 2015
Outline
• Motivation
• Our Work
• Our Compiler
  – Comp
Criteria of adversarial corruption in Multi-party Computation (MPC)
• Semi-honest vs. Malicious
  – semi-honest: corrupted parties should behave honestly
  – malicious: they can behave arbitrarily
• How many parties can be corrupted?
  – Honest majority vs. honest minority.
• Static vs. Adaptive
  – static: adv corrupts parties at the outset
  – adaptive [CFGN96]: adv corrupts parties adaptively during the protocol
Adaptively Secure OT - Simulator
[Figure: Sender with input (s0, s1) and Receiver with input r exchange messages m1, m2, m3; the Receiver outputs s_r. Two panels: "No Corruption" and "Corrupt Sender".]
Bad Simulation: Pick (s0, s1), r, rand for S & R randomly and execute the protocol honestly w/ these values. Given the actual input (s0', s1'), Sim is unable to patch rand for S consistent w/ the transcript & the input.
MPC (malicious majority) and OT -- Roughly
• Non-black-box
  – Basically everything is known: use ZK, e.g.,
  – Static: from semi-honest OT [GMW87] (stand-alone)
  – Adaptive: from semi-honest OT with FCOM [CLOS02] (UC)
• Black-box
  – Static: from semi-honest OT [K88, IKLP06, H08] (stand-alone)
  – Adaptive: from malicious OT [IPS08] (UC). But malicious OT [B98, CLOS02, KO04] has non-black-box access to the underlying primitive.
Goal
• Achieve MPC
  – adaptive, malicious majority
  – black-box (BB) access to lower primitives
  – constant-round
• Of theoretical interest
• Arguably more efficient: avoid general NP reductions incurred by ZK proofs.
Main Result
[Figure: UC, adaptive semi-honest bit OT --(Compiler)--> UC, adaptive malicious string OT in FCOM hybrid]
Compiler
• Black-box
• constant multiplicative blow-up in rounds
Improvement over [IKLP06, H08]: UC and adaptive
BB Implications – UC & Adaptive
[Figure: DDH, RSA, Factoring, LWE --[CDMW09, CLOS02]--> Trapdoor simulatable cryptosystem --> constant-round semi-honest bit OT --(this work)--> malicious string OT in FCOM hybrid --[IPS08]--> UC, adaptive MPC in FCOM hybrid]
this work:
• in FCOM hybrid
  - MPC allowing corruption of any number of parties
  - constant-round MPC allowing corruption of n-1 parties
Our MPC Construction
• FCOM hybrid: Can be combined with existing results under various setup – e.g., [CLOS02, BCNP04, CDPW07, K07]. Usually start by how to UC realize FCOM.

                                   [CLOS02]    [IPS08]     ours
  #rounds for n corruptions        O(depth)    O(depth)    O(depth)
  #rounds for (n-1) corruptions    O(depth)    O(1)        O(1)
  hybrid                           FCOM        FOT         FCOM
  BB/non-BB                        non-BB      BB          BB

• UC, adaptive in FCOM hybrid
  - MPC allowing corruption of any number of parties
  - constant-round MPC allowing corruption of n-1 parties
• stand-alone, adaptive
BB Implications - Stand-alone
[Figure: DDH, RSA, Factoring, LWE --[CDMW09, CLOS02]--> Trapdoor simulatable cryptosystem --> UC, adaptive, constant-round semi-honest bit OT --(this work)--> malicious string OT in FCOM hybrid --[PW09]--> constant-round malicious string OT (stand-alone) --[IPS08]--> stand-alone, adaptive MPC]
Our Work - Summary
• Adaptively secure MPC: UC in FCOM hybrid / stand-alone
  - allowing corruption of any number of parties
  - allowing corruption of n-1 parties in constant-round
[Figure: UC, adaptive semi-honest bit OT --(Compiler)--> UC, adaptive malicious string OT in FCOM hybrid --> MPC; and stand-alone, adaptive constant-round malicious string OT (String OT)]
Previous Work: Stand-alone & Static case
[Figure: semi-honest bit OT --(Haitner [H08])--> defensible bit OT --(Ishai, Kushilevitz, Lindell, and Petrank [IKLP06])--> malicious OT --[K88]--> MPC; eTDP and homomorphic enc are shown as starting points.]
Our Compiler - 1
• Basically, [H08] + [IKLP06].
• Insight
  – View [H08] + [IKLP06] as GMW Compiler
    • With ZK proof replaced with cut-and-choose technique.
  – Our presentation doesn't need the notion of defensible OT.
Our Compiler - 2
• Has two modules
  – Comp: boost receiver-side security (for string)
  – OT-Reversal [WW06]: reverse the role of sender and receiver (for bit)

  Our Compiler                 receiver       sender
  Starting protocol            semi-honest    semi-honest
  Apply Comp                   malicious      semi-honest
  Apply OT-Reversal            semi-honest    malicious
  Apply Comp                   malicious      malicious

[Figure: the corresponding ladder in prior work: [H08] (commit input & randomness at the outset) takes semi-honest/semi-honest to defensible/defensible; [IKLP06] (parallel executions) starts from defensible/defensible.]
Comp(π)
I. Run coin-tossing in the well using FCOM to fix R's input & rand for Phase II. [H08]
II. Run 2n executions of π in parallel w/ R using input & rand generated in Phase I. [IKLP06]
III. R opens commitments in Phase I for n random OT execs. (Cut & Choose)
IV. Apply combiner to the rest of n executions.
UC Security in Comp
• Straight-line simulation
  – Extract receiver's input in a straight-line manner w/ info from Phase I.
Adaptively Secure OT - Simulator
[Figure: Sender with input (s0, s1) and Receiver with input r exchange messages m1, m2, m3; the Receiver outputs s_r. Two panels: "No Corruption" and "Corrupt Sender".]
Upon corruption, Sim has to patch rand for S consistent w/ the transcript & the given input.
Simulation in Comp – Achieving Adaptive Security
1. Extract R's input & rand. in Phase I w/ FCOM.
2. For the i-th OT execution πi:
   • Run the simulator for πi (SIMi) as long as R behaves consistently w/ the commitments.
   • Inconsistent R: "corrupt S" on SIMi (input & rand of S in πi are now fixed). Follow the spec. of π w/ this fixed info.
3. Patching S's overall rand.
   • If R behaved honestly in some πj, can patch using SIMj: with high probability there is at least one such j.
   • Use adaptive security of π: guaranteed as long as R behaves honestly.
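As an added illustration of Phases II-IV of Comp and of step 3 of the simulation argument (this is not code from the slides or from the authors' paper): a toy Python model in which the 2n parallel executions of π are replaced by an ideal OT oracle, FCOM by a hash commitment, and the Phase IV combiner by a standard XOR-based OT combiner. The slides do not name the combiner, so that choice, the oracle, and all function names here are assumptions. The model shows that a receiver who deviates in some executions is either caught by the cut-and-choose or is left with at least one honest execution, which is exactly what the combiner needs to keep s_{1-r} hidden; prob_learn_both gives the exact probability of the only bad event.

```python
import hashlib
import math
import secrets
from typing import Dict, List, Tuple

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def commit(bit: int, nonce: bytes) -> bytes:
    # Stand-in for FCOM (assumption): a hash commitment to (choice bit, nonce).
    return hashlib.sha256(bytes([bit]) + nonce).digest()

class Receiver:
    """R with choice bit r. `cheat_at` lists the executions in which R deviates
    from its committed choice and asks the OT oracle for both sender values."""
    def __init__(self, r: int, n: int, cheat_at=()):
        self.r, self.n, self.cheat_at = r, n, set(cheat_at)
        # Phase I: (choice bit, randomness) fixed for each of the 2n executions.
        self.bits = [secrets.randbits(1) for _ in range(2 * n)]
        self.nonces = [secrets.token_bytes(16) for _ in range(2 * n)]
        self.learned: List[Dict[int, bytes]] = [{} for _ in range(2 * n)]

    def commitments(self) -> List[bytes]:
        return [commit(b, nc) for b, nc in zip(self.bits, self.nonces)]

    def request(self, i: int):
        return "both" if i in self.cheat_at else self.bits[i]

    def open(self, i: int) -> Tuple[int, bytes]:
        return self.bits[i], self.nonces[i]

def run_comp(s0: bytes, s1: bytes, R: Receiver, n: int) -> dict:
    """Phases I-IV of Comp over an ideal OT oracle (assumption: oracle replaces pi)."""
    L = len(s0)
    coms = R.commitments()                                       # Phase I
    # Phase II: 2n parallel OTs; S uses a fresh random pair (a_i^0, a_i^1) in each.
    a = [(secrets.token_bytes(L), secrets.token_bytes(L)) for _ in range(2 * n)]
    requests = []
    for i in range(2 * n):
        req = R.request(i)
        requests.append(req)
        for b in ((0, 1) if req == "both" else (req,)):
            R.learned[i][b] = a[i][b]
    # Phase III (cut-and-choose): S picks n executions at random; R opens its
    # Phase I commitments for them and S checks each execution was consistent.
    opened = set(secrets.SystemRandom().sample(range(2 * n), n))
    for i in opened:
        bit, nonce = R.open(i)
        if commit(bit, nonce) != coms[i] or requests[i] != bit:
            return {"status": "abort"}
    rest = [i for i in range(2 * n) if i not in opened]
    # Phase IV: XOR combiner over the remaining n executions (assumption: the
    # slides do not name a combiner). R sends d_i = r_i xor r to align shares.
    d = {i: R.bits[i] ^ R.r for i in rest}
    y0, y1 = s0, s1
    for i in rest:
        y0 = xor(y0, a[i][d[i]])
        y1 = xor(y1, a[i][1 - d[i]])
    # An honest R knows a_i^{r_i} = a_i^{d_i xor r} for every i in rest -> s_r.
    s_r = (y0, y1)[R.r]
    for i in rest:
        s_r = xor(s_r, R.learned[i][R.bits[i]])
    # The other string needs a_i^{1-r_i} for *every* remaining i; R holds that
    # value only for executions in which it cheated, so one honest one suffices.
    other = (y0, y1)[1 - R.r]
    for i in rest:
        if (1 - R.bits[i]) not in R.learned[i]:
            other = None
            break
        other = xor(other, R.learned[i][1 - R.bits[i]])
    return {"status": "ok", "s_r": s_r, "other": other, "rest": rest}

def prob_learn_both(n: int, k: int) -> float:
    """Exact probability that R, deviating in k of the 2n executions, passes the
    cut-and-choose and is left with no honest execution among the remaining n
    (the only way the combiner can leak s_{1-r}). With k > n some opened
    execution is a cheat; with k < n an honest execution survives; only k == n
    can fail, and only if the opened half is exactly the honest half."""
    if k != n:
        return 0.0
    return 1.0 / math.comb(2 * n, n)

if __name__ == "__main__":
    s0, s1 = b"left-string!!!!!", b"right-string!!!!"     # constructed inputs
    print(run_comp(s0, s1, Receiver(1, 4), 4)["s_r"])
    print(run_comp(s0, s1, Receiver(0, 4, cheat_at=[3]), 4)["status"])
    print(prob_learn_both(20, 20))
```

The oracle stands in for the 2n executions of π, so the check in Phase III is simply "did R's request match what it committed to"; in the real compiler the sender instead re-runs R's side of πi with the opened input and randomness and compares it with the transcript. The bad event computed by prob_learn_both is the one the simulation argument rules out when it says that with high probability some πj was run honestly.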
Conclusion
• Adaptively secure MPC: UC in FCOM hybrid / stand-alone
  - allowing corruption of any number of parties
  - allowing corruption of n-1 parties in constant-round
[Figure: UC, adaptive semi-honest bit OT --(Compiler)--> UC, adaptive malicious string OT in FCOM hybrid --> MPC; and stand-alone, adaptive constant-round malicious string OT (String OT)]
Thank you