Efficient Two-Party Secure Computation on Committed Inputs

page 1

Efficient Two-PartySecure Computation

onCommitted Inputs

Stanislaw Jarecki, UC IrvineVitaly Shmatikov, UT Austin

page 2

1. Committed Oblivious Transfer of Bitstrings [String-COT]• O(1) modular exponentiations per player

• 2 rounds + proofs (single message in R.O.M. if commitments public)

• Universally Composable in Common Reference String [CRS] model

2. Secure Two-Party Computation [2PC] on Committed Inputs• O(g) modular exponentiations, where g = # gates in the circuit

• round complexity, UC in CRS, as above

Technical Contribution of General Interest:

• Encryption with Verifiable Plaintexts and Keys,i.e.:Encryption with efficient Zero-Knowledge Proof for relation:

{(E, Cm, Ck) s.t. E encrypts m committed in Cm under key k committed in Ck }

Our Contributions

page 3






Main Technical Contribution of General Interest:



Our Contributions

Contribution for both COT and 2PC is in efficiency.(and provable universal composability of an efficient construction)

Quick comparison of constant-round 2PC protocols:

Yao’86: O(g) symmetric-key operations, passive adv.

Yao + Generic ZKP’s: poly(k,g) operations, malicious adv.

[P’03,MF’06,KS’06,LP’07,W’07]Cut & Choose Proofs: O(kg) symmetric-key ops., malicious adv.

[Here]: Efficient ZKP per gate: O(g) public-key operations, malicious adv.

page 4






Main Technical Contribution of General Interest:



Our Contributions

Contribution for both COT and 2PC is in efficiency.(and provable universal composability of an efficient construction)

Quick comparison of constant-round 2PC protocols:

Yao’86: O(g) symmetric-key operations, passive adv.

Yao + Generic ZKP’s: poly(k,g) operations, malicious adv.

[P’03,MF’06,KS’06,LP’07,W’07]Cut & Choose Proofs: O(kg) symmetric-key ops., malicious adv.

[Here]: Efficient ZKP per gate: O(g) public-key operations, malicious adv.

page 5

Talk Outline

• Overview of the results:• Committed Oblivious Transfer on Strings• General Secure Two-Party Computation on Committed Inputs

• Applications • Committed Secure Computation • Committed String-OT

• Comparison with previous results

• Technical Discussion:Public Key Encryption with Efficient Zero-Knowledge Proof for Verifiability of both the Plaintext and the Key

• Extensions, Open Questions

page 6

Universally Composable Secure Two-Party Computation on Committed Inputs:Definitio

nPicture

page 7

CA1

(xA2)

Commit(xA1)

Commit(xA2)

Commitment properties:

Binding: xi’s cannot be substituted after Ci is sent

Hiding:xi’s remain hidden from other players

(Can be implemented e.g. with Public Key Encryption)

Commit(xB1)

Commit(xB2)

(xA1)

Universally Composable Secure Two-Party Computation on Committed Inputs

Alice

Bob

CA2

(xB1)CB1

(xB2)CB2

Public Board

page 8

Commit(xA1)

Commit(xA2)

Non-Malleable [NM] Commitments:

Bob’s messages cannot depend on Alice’s messages

(can be done with CCA-Secure Encryption, in CRS)

Commit(xB1)

Commit(xB2)

CA1

CA2

(xA1)Alice

Bob


CA2 (xA2)

(xB1)CB1

(xB2)CB2

Public Board

page 9

AliceCompute( [ ] with Bob,CA1,CB1)

Bob

(xA1)

xA1 xB1

F(xA1,xB1)

F(xA1,xB1)


(xA2)

(xB1)

(xB2)

Properties of 2P Secure Computation (Obl.Circ.Eval.) on Committed Inputs:

• Bob learns only output F(xA,xB), nothing else about Alice’s input xA

• Alice learns nothing

• values xA, xB in the computation are committed in CA, CB

Public Board

page 10

Alice

Bob

(xA1)

Compute( [ ] with Alice)

F(xA1,xB1)

F(xA1,xB1)


Properties of 2P Secure Computation (Obl.Circ.Eval.) on Committed Inputs:

• Bob learns only output F(xA,xB), nothing else about Alice’s input xA

• Alice learns nothing

• values xA, xB in the computation are committed in CA, CB

(xA2)

(xB1)

(xB2)

=> Two-sided computation on same inputs (with abort)

Compute( [ ] with Bob)

Public Board

page 11

Alice

Bob

(xA1)

Examples of circuits:

= Equality(xA,xB): outputs 1 if xA = xB, 0 otherwise= `Less or Equal’(xA,xB): outputs 1 if integer xA ≤ xB, 0 o/w= F(xA,xB) = intersection of sets represented by xA,xB

= F(xA,xB) = median value in the union of setsIt can be any circuit !!


Benefit of computation on committed inputs: Ensuring consistency between

computations of several circuits on same data

(xA2)

(xB1)

(xB2)

Compute( [ ])

Compute( [ ])

Compute( [ ])

Compute( [ ])

page 12

F(xA1,xB1)

Alice

Bob

(xA1)

Dorothy

Compute( [ ] with Dorothy)

(xD1)Commit(xD1)

F(xD1,xB1)

Consistency Across Protocol Instances Ex.1: Multi-Player Example

(xB1)


page 13

Alice

Bob

(xA1)

Commit(xA3)

Compute( [ ] w/ Alice)

xA1 xA3 xB1

F(xA1,xA3,xB1)General Benefit of UC Committed 2PC: Ensuring consistency between

sub-protocols in any distributed algorithm Some computation can be local (“insecure” but fast), while commitments keep the overall protocol consistent

(xA3)

(xB1)


F(xA1,xB1)

xA3 = output of Alice’s local computation given F(xA1,xB1)

Consistency Across Protocol Instances: Ex.2: Security with some local computation off-line

page 14

Consistency Across Protocol Instances: Ex.3: Solution to the “Abort & Re-start” Problem

Protocols that use 2PC / OT without committed inputscan be insecure against abort & re-start:

A malicious player can effectively execute several instances of the protocol, each on different inputs.

In practice protocols must allow re-start in case ofcommunication or hardware faults…

page 15

Talk Outline

• Statement of the results:• Committed Oblivious Transfer on Strings• General Secure Two-Party Computation on Committed Inputs

• Applications • Committed Secure Computation • Committed String-OT




page 16

Universally Composable Committed String-OT

1. Alice learns mb s.t.• mb is committed in Cmb

• b is committed in Cb

2. Alice learns nothing about mb

3. Bob learns nothing

Alice: bit b Bob: strings m0,m1

mb ┴

Common Input:Commitments Cb , (Cm0 , Cm1)

UC String-COT is like UC two-party secure computation

but the only computed function is String-OT

Crepeau’86 introduced COT s.t.Alice gets (de) commitment of Cb,

not just mb

(our construction can support this too)

page 17

OT is a sub-procedure in General Secure Computation Protocols[the original motivation for Committed OT by Crepeau]

1. Interactive Secure 2-Party Computation [GV’87]:• Players secret-share all their input bits• Gate computation (shared input bits → shared output bit) via Bit-

OT

Tool: Committed Bit-OT

2. 2-round Secure 2-Party Computation (“Garbled Circuit” [Yao’86]):• Sender S creates two keys per each wire• For each gate, S encrypts appropriate output wire keys

with appropriate input wire keys• S performs String-OT on keys corresponding to R’s input wires

Tool: Committed String-OT

Applications of Committed String-OT (Ex.1):Ensuring Consistency across Calls to OT

page 18

1. Privacy applications:– oblivious transfer of one key out of a set of keys– same for signatures, decryptions, …

2. Support for probabilistic systems:– probabilistic escrow of information (keys, signatures, plaintexts)– probabilistic payment of digital cash– …

What’s needed in such applications?– OT on values with proven properties (key, coin, signature, …)

Done in 2 steps:– perform an OT on the committed string value (e.g. a key)– prove correctness of the committed value

(efficient proofs for such statements exist for many cryptographic schemes)

Applications of Committed String-OT (Ex.2):Privacy, E-Cash, Escrow, …

page 19

• Statement of the results:• Committed Oblivious Transfer on Strings

• General Secure Two-Party Computation on Committed Inputs

• Applications of Committed Secure Computation / Committed String-OT

• Comparisons with previous results on COT and 2PC

• Technical Discussion:Public Key Encryption with Efficient Zero-Knowledge Proof for Verifiability of both Plaintexts and Keys


Talk Outline

page 20

O(1) modular exponentiations per player• exponentiations modulo n2 where n is a strong RSA modulus, |n2| = 2000 bits

• 500-bit exponents

Round complexity: 2 rounds + proofs (e.g. one/two rounds in R.O.M.) Security under Decisional Composite Residuosity Assumption [DCR] Universal Composability in Common Reference String model [CRS]

• static adversary

• CRS includes modulus n and a few group elements, |CRS| ≈ 10 |n|

Towards efficient String-COT:

[NP’00, AIR’01] String-OT O(1) exp’s, DDH Assumption

[Cre’89] Bit/String-COT Ω(k3) Bit/String-OT’s[CvdGT’95] Bit-COT Ω(k) Bit-OT’s

[GMY’04] Bit-COT O(1) exp’s, DDH[CC’00] String-COT O(k) exp’s, DDH

[Here] String-COT O(1) exp’s, DCR

Our Contributions vs. Previous Work:(1) Committed OT on Bitstrings

page 21

Security under DCR and Strong RSA Assumptions O(g) modular exponentiations, where g = # gates in the Circuit Round complexity: 2 rounds + proofs (e.g. one/two rounds in R.O.M.) Universal Composability in the CRS model

Towards efficient constant-round Secure Two-Party Computation (2PC):

Passive Security:- [Yao’86] O(g) symmetric-key op’s

Malicious Security using ZKP’s for NP-complete languages:- [GMW,…,Lin’03,KO’04] poly(g, k) op’s

Malicious Security without generic ZKP’s:- [DI’05], multi-party computation,

O(n2 g) PRG’s + VSS’s- [CC’00], cut & choose gate-specific ZKP’s,

O(kg) exp’s, DDH- [Pin’03, MF’06, KS’06, LP’07, W’07], cut & choose on the whole garbled circuit,

O(kg) symmetric-key op’s- [Here], efficient gate-specific ZKP’s,

O(g) exp’s, DCR + Strong RSA

Our Contributions vs. Previous Work:(2) Secure 2PC on Committed Inputs

page 22

• Statement of the results:• Committed Oblivious Transfer on Strings

• General Secure Two-Party Computation on Committed Inputs

• Applications of Committed Secure Computation / Committed String-OT




Talk Outline

page 23

Yao’s Garbled Circuit Construction

1. For each circuit wire w, Sender S picks a pair of keyskw

0“bit 0 on wire w”kw

1“bit 1 on wire w”

G

kw0,kw

1 kv0,kv

1

kz0,kz

1

G

kw0,kw

1 kv0,kv

1

kz0,kz

1

kw0,kw

1 kv0,kv

1

kz0,kz

1Invariant:

For every wire w, Receiver R learns one keyin {kw0,kw

1}, but doesn’t learnwhich one!

2. For each gate, S sends to R a table:

Encryption of kz0 under keys

kw0,kv

0


kw0,kv

1


kw1,kv

0


kw1,kv

1

3. For each R’s input wire,transfer the right key using String-OT:OT [ R(b) , S(k0,k1) ] → kb

Strategy towards 2PC with O(1) exp’s / gate1. S commits to each key2. S proves circuit is properly garbled:

• each ciphertext formed correctly• […other proofs…]

3. S performs String-COT for R’s input keys

page 24

Yao’s Garbled Circuit Construction Closer Look: Proof of ciphertext correctness




G

kw0,kw

1 kv0,kv

1

kz0,kz

1

G

kw0,kw

1 kv0,kv

1

kz0,kz

1

kw0,kw

1 kv0,kv

1

kz0,kz

1Invariant:





kw0,kv

0


kw0,kv

1


kw1,kv

0


kw1,kv

1





page 25





G

kw0,kw

1 kv0,kv

1

kz0,kz

1

G

kw0,kw

1 kv0,kv

1

kz0,kz

1

kw0,kw

1 kv0,kv

1

kz0,kz

1Invariant:





kw0,kv

0


kw0,kv

1


kw1,kv

0


kw1,kv

1





page 26


kw0“bit 0 on wire w”

kw1“bit 1 on wire w”

G

kw0,kw

1 kv0,kv

1

kz0,kz

1

G

kw0,kw

1 kv0,kv

1

kz0,kz

1

kw0,kw

1 kv0,kv

1

kz0,kz

1


kw0,kv

0

Simplify to standard (one-key) encryption:

Need Efficient ZKP for relation

R = { (E, Cm, Ck) } s.t.

1. E = Enc [ m ; k ] 2. m is committed in Cm

3. k is committed in Ck

page 27

Efficient Encryption withmessage and key verifiability

1. Assume commitment (to value ‘a’) is of the formCa = ga (or Ca = ga hr )

for some multiplicative group <g>

2. Assume encryption also has both plaintext and key in the exponent, e.g.

E = Enc[ m ; k ] = αm βk

where <α> , <β> are disjoint subgroups of some groupCan be done with Paillier encryption [Camenisch-Shoup’03]:α generates subgroup of order n, β generates subgroup of order φ(n),in group of order φ(n2)=n*φ(n) [multiplicative group of residues mod n2]

Need Efficient ZKP for relation

R = { (E, Cm, Ck) } s.t.

1. E = Enc [ m ; k ] 2. m is committed in Cm

3. k is committed in Ck

ZKPR is a proof of equalities between discrete-log representations:

1. (m , k) = Rep( (α, β) , E)2. m = DL( g, Cm )3. k = DL( g, Ck )

page 28


ZKPR is a proof of equalities between discrete-log representations:

1. (m , k) = Rep( (α, β) , E)2. m = DL( g, Cm )3. k = DL( g, Ck )

Each (Representation=DL) proof is an extension of standard ZKPK-of-DL, except if the orders involved (#g vs. #α) and (#g vs. #β) are:

(1) unknown (2) unequal

Cm = gm

E = αm βk

Ck = gk

#α = n , #β = φ(n)#g = whatever is convenient

The ZKP of “equality of m”:DL(g,Cm)=Rep(α,

E)

The ZKP of “equality of k”:

DL(g,Ck)=Rep(β,E)

problem if

#g ≠ #α

problem if

#g ≠ #β

page 29


Cm = gm

E = αm βk

Ck = gk



DL(g,Ck)=Rep(β,E)


E)

• If orders not equal then responses must be computed over integers(linear equations involving secrets)

Efficient Zero-Knowledge of DLEQ known only if secret << (both orders)Why?1. Known DLEQ(gx,hx) proofs for groups with unknown order

leak c*x+r over integers, for public challenge c, and random secret pad r x is statistically hidden only if r > c*x*280

r > x*2160 (since c ≈ 280)2. To avoid wrap-around we need c*x+r < (orders of g and h)

x * 2160 < (orders of g and h)

problem if

#g ≠ #α

problem if

#g ≠ #β

page 30


Cm = gm

E = αm βk

Ck = gk



DL(g,Ck)=Rep(β,E)


E)

• If orders not equal then responses must be computed over integers(linear equations involving secrets)

Efficient Zero-Knowledge of DLEQ only if secret << (both orders) Either m or k must be << |φ(n)| ≈ |n|• But m’s and k’s are interchangeable in Yao’s garbled circuit

construction! Need Camenisch-Shoup encryption with shorter keys (k ≈ ¾ |n|)

• [Hastad-Schrift-Shamir]: exponentiation mod n hides |n|/2 bits

using ½ |n| - long keys is indistinguishable from |n|-long keys same holds for the φ(n)-order subgroup, where [CS] keys live

problem if

#g ≠ #α

problem if

#g ≠ #β

page 31

Summary:• Efficient UC-Secure computation on committed inputs

with O( |Circuit| ) public key op.’s• Fast committed String-OT• Encryption with efficient verifiability for both messages

and keys

Some questions:• Handling adaptive corruptions?• Weakening assumptions on the RSA modulus?• Efficient String-COT and Committed-2PC without CRS?• Verifiable Encryption for committed plaintexts and/or

keys, for moduli smaller than |n2|=2000 bits?

Summary and some open questions

page 32

Thank You!

Documents

Efficient Two-Party Secure Computation on Committed Inputs