Input-Indistinguishable Computation
Silvio Micali (MIT), Rafael Pass (Cornell), Alon Rosen (Harvard)


Definitions vs. Protocols

Crypto in the 20th century: protocols -> definitions.

Crypto in the 21st century: definitions -> protocols.

This talk:

New definition (input-indistinguishable computation):
1. For secure two-party computation (malicious adversaries).
2. Definition is "simulation free."
3. Inspired by witness indistinguishability.

New protocol:
1. Concurrency without trusted set-up.
2. Standard complexity assumptions.

Our motivation is "protocol driven."

We do not achieve the "holy grail" of cryptography (yet)…

Modern Crypto Methodology

Define security (what it means to break the scheme).

Specify the adversary in terms of:
1. computational power,
2. access to the scheme.

Construct a scheme and prove that breaking it implies solving an (assumed) computationally hard problem (e.g. factoring).

Need to convince that:
1. Definition is meaningful.
2. Adversary is realistic.
3. Assumption is reasonable.

Delicate balance. To reach balance:
1. Establish feasibility.
2. Improve efficiency.
3. Weaken the hardness assumption.
Then see if a stronger definition (stronger adversary) can be satisfied...

Secure Two-Party Computation

[Figure: REAL world: Alice runs the protocol with a PPT adversary B* (playing Bob). IDEAL world: Alice and Bob hand their inputs to a trusted party; a PPT simulator S must reproduce B*'s view.]

Theorem [Yao, GMW, Kil]: Assuming an OT protocol, every efficient two-party function can be securely computed.

1. Is the definition meaningful? YES
2. Is the adversary realistic? WELL…
3. Is the assumption reasonable? If you believe Factoring/DL are hard.

UC / General / Self Composition [C, L03, L04]

[Figure: many executions of (A,B) running concurrently, in the IDEAL and in the REAL world.]

Theorem [CKL, L03, L04]: For most "interesting" functions, the definitions of UC / general / self composition cannot be achieved.

1. Is the definition meaningful? YES
2. Is the adversary realistic? YES
3. Is the assumption reasonable? Maybe, if we just had a protocol…

Set-Up Assumptions

Theorems [CLOS, BCNP, CDPW]: Assuming OT, every efficient two-party function can be securely (UC) computed with some form of trusted set-up.

[Figure: concurrent executions in the IDEAL and REAL worlds, all sharing a trusted Reference String.]

1. Meaningful?
2. Realistic?

Super-Polynomial Time Simulation [P03]

Theorems [PS, BS]: Assuming sub-exponential hardness (and OT), every efficient two-party function can be securely computed with a quasi-polynomial-time simulator.

[Figure: concurrent executions in the IDEAL and REAL worlds; the adversary B* is PPT, but the simulator S runs in super-polynomial time.]

1. Is the definition meaningful? YES, in many cases.
2. Is the adversary realistic? 3. Is the assumption reasonable? The known constructions have drawbacks: [BS] is very sensitive to security parameters; [PS] relies on non-standard assumptions.

Super-polynomial time simulation (SPS) is very appealing:
1. Yields a meaningful security guarantee.
2. Handles a realistic adversary.
3. Has the potential of being realized
   a. under standard assumptions,
   b. without constraints on security parameters.
But coming up with such a protocol is still open.

We give a definition that can be realized:
a. Under standard assumptions.
b. Without constraints on security parameters.
c. In the face of an unbounded number of concurrent executions.
(The trivial definition "any protocol (A,B) is secure" already satisfies a, b and c, so we also require:)
d. Is (arguably) meaningful for many interesting functions.
e. May lead to a solution that admits unbounded simulation.

Input-Indistinguishable Computation

Consider:
1. an honest A with input x,
2. a malicious B* with input y,
3. B* should get the output.

Idea: ALL inputs of A compatible with the output of B* are "EQUALLY LIKELY". To distinguish x0 and x1, B* must use a y* s.t. F(x0,y*) ≠ F(x1,y*).
1. Trivial if there is a single input per output.
2. Generalization of witness indistinguishability [FS90].

Requirements:
1. Correctness.
2. Input-Independence.
3. Input-Indistinguishability (Privacy).

What is y*? Implicit input function: IN(view_{B*}) = y*.

Witness Indistinguishability [FS90]

[Figure: Prover P, holding a witness w, interacts with a malicious Verifier V*.]

view(w) = V*'s view of the interaction when P uses witness w.

Witness Indistinguishability: for every PPT V* and every pair of witnesses w0, w1: view(w0) ≈ view(w1).

The WI property is "well-behaved" under concurrent composition.

Interactive Proofs vs. Two-Party Computation

P vs. V*: V* has no input; V*'s output is 0/1; P's input (the witness) is "hard" to compute.

A vs. B*: B* has input y; B*'s output is F(x,y*); A's input can come from a finite domain.

Implicit Input Function

Implicit input function IN_B:
1. Defined on B*'s view of the interaction.
2. Wlog the view depends only on x and on the randomness of A.
3. Well defined for all possible views.

Notation: for PPT B* and input x: y* <- IN_B(view(x)).

Consistency: output of A = F(x, y*).

Output delivery message: there exists a round in the protocol s.t.
1. the implicit input is fully defined from the view so far, but
2. no "information" about the output has been released yet.

Implicit input and output round are implicit in ideal/real-style definitions, but are not required explicitly!

Input-Indistinguishable Computation

(A,B) securely computes F w.r.t. A if there is an implicit input function IN_B s.t.

Completeness: in an honest execution of (A,B) on inputs x, y, the output is F(x,y).

Input-Independence: for every PPT B* and x0, x1: IN_B(view(x0)) ≈ IN_B(view(x1)).

Input-Indistinguishability: for every PPT B* and x0, x1, with y* <- IN_B(view): B* can only "distinguish" x0 and x1 when F(x0,y*) ≠ F(x1,y*) and B* received the output in the protocol.

Input-Indistinguishable Computation

(A,B) securely computes F w.r.t. A if there is an implicit input function IN_B s.t.

Completeness: in an honest execution of (A,B) on inputs x, y, the output is F(x,y).

Input-Indist. and Indep.: for every PPT B* and x0, x1: Expt_0(x0,x1) ≈ Expt_1(x0,x1), where Expt_i(x0,x1) is:
  view <- view of B* in an execution with A(x_i)
  y* <- IN_B(view)
  if B* received the output and F(x0,y*) ≠ F(x1,y*): output a fixed symbol (so the two experiments agree in this case)
  otherwise: output (y*, view)

Example: Oblivious Transfer

F((s0,s1), c) = s_c   (so x = (s0,s1) and y = c).

Input independence: c is (computationally) independent of (s0,s1).

Input indistinguishability: given s_{c*} as output and view((s0,s1)), the other input s_{1-c*} could take any value.

Very meaningful.
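Worked example, added here and not code from the paper, of what the definition buys for a concrete F. It ties the OT example above to the earlier remark that the guarantee is trivial when each output corresponds to a single input. The protocol is abstracted away: B*'s view is taken to be its implicit input y* plus, once the output-delivery message has passed, its output F(x_i, y*) (an assumption; a real view also contains the transcript). The names expt, hidden_classes, is_vacuous, consistent_with_experiments and the sample functions ot, leak_all and richer_than are this example's own.

```python
"""What input-indistinguishability guarantees for a concrete F.

Added example, not from the paper.  Assumption: B*'s view is abstracted
to (y*, F(x_i, y*)) once the output-delivery message has passed, and to
(y*,) before it; protocol messages are not modelled.
"""
from collections import defaultdict
from itertools import product


def expt(F, x0, x1, i, y_star, output_delivered=True):
    """Expt_i(x0, x1) from the definition, in the abstract view model.

    Returns a fixed symbol when B* has received its output and that
    output already separates x0 from x1; otherwise (y*, view)."""
    if output_delivered and F(x0, y_star) != F(x1, y_star):
        return "BOT"  # both experiments agree here by construction
    x_i = (x0, x1)[i]
    view = (y_star, F(x_i, y_star)) if output_delivered else (y_star,)
    return (y_star, view)


def hidden_classes(F, X, Y):
    """For each implicit input y*, the classes of A-inputs that B* cannot
    tell apart: x0 ~ x1 iff F(x0, y*) == F(x1, y*)."""
    classes = {}
    for y in Y:
        groups = defaultdict(list)
        for x in X:
            groups[F(x, y)].append(x)
        classes[y] = sorted(groups.values())
    return classes


def is_vacuous(F, X, Y):
    """'Trivial if single input per output': the guarantee is empty when,
    for every y*, each output value pins down A's input."""
    return all(len(g) == 1
               for groups in hidden_classes(F, X, Y).values()
               for g in groups)


def consistent_with_experiments(F, X, Y):
    """Sanity check: the class partition is exactly the set of pairs
    (x0, x1) on which Expt_0 and Expt_1 coincide without aborting."""
    for y in Y:
        for x0, x1 in product(X, repeat=2):
            e0, e1 = expt(F, x0, x1, 0, y), expt(F, x0, x1, 1, y)
            if (F(x0, y) == F(x1, y)) != (e0 == e1 != "BOT"):
                return False
    return True


# Constructed sample functions and domains.
BITS = (0, 1)
OT_X = list(product(BITS, repeat=2))  # x = (s0, s1), single-bit secrets
OT_Y = list(BITS)                     # y = c


def ot(x, c):
    """F((s0, s1), c) = s_c, the oblivious-transfer function."""
    return x[c]


def leak_all(x, y):
    """F(x, y) = x: every output determines the input, so no privacy."""
    return x


def richer_than(x, y):
    """Millionaires' comparison [x > y] over small integers."""
    return int(x > y)


if __name__ == "__main__":
    small = list(range(4))
    for name, F, X, Y in (("OT", ot, OT_X, OT_Y),
                          ("leak_all", leak_all, small, small),
                          ("richer_than", richer_than, small, small)):
        print(name, "vacuous:", is_vacuous(F, X, Y))
        for y, groups in hidden_classes(F, X, Y).items():
            print("  y* =", y, "-> indistinguishable classes:", groups)
    # OT with c* = 1: (0,1) and (1,1) share s_1, so the experiments coincide.
    print(expt(ot, (0, 1), (1, 1), 0, 1), expt(ot, (0, 1), (1, 1), 1, 1))
```

For OT with c* = 0 the classes are {(0,0),(0,1)} and {(1,0),(1,1)}: B* learns s_0 and nothing about s_1, which is the slide's "s_{1-c*} could take any value". For leak_all every class is a singleton and is_vacuous reports True, which is the "single input per output" case where the definition promises nothing. For the comparison function the classes show exactly which inputs remain hidden for a given y*.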

Concurrent Input-Indistinguishable Computation

(A,B) securely computes F w.r.t. A if there is an implicit input function IN_B s.t.

Completeness: in an honest execution of (A,B) on inputs x, y, the output is F(x,y).

Concurrent Inp.-Indist. and Indep.: for every PPT B* and input sequences x0, x1: Expt_0(x0,x1) ≈ Expt_1(x0,x1), the experiments now ranging over all of B*'s concurrent executions.

Basic concurrency:
1. Same protocol (self composition).
2. Fixed input sequences.
3. Can be extended to handle arbitrary corruptions.

Composability

Unlike WI (and UC), input-indistinguishability does not compose in general.

There exist protocols that are
1. stand-alone input-indistinguishable, but
2. not concurrent input-indistinguishable (even for two executions).

The problem is the potential malleability of (A,B). Any solution must take malleability into consideration.

It turns out that ensuring non-malleability is sufficient!

Main Theorem

Theorem: Suppose there exist (trapdoor) claw-free permutations. Then for any efficient two-party function F, there exists a concurrent input-indistinguishable protocol for computing F.

Trapdoor claw-free permutations:
1. Yield the building blocks the protocol needs: OT, collision-resistant hashing (CRH), perfectly hiding commitments.
2. Follow from the hardness of Factoring/DL.

High-Level Idea of Protocol

Start from Yao's protocol, secure against honest-but-curious parties. Compile à la GMW, but:
1. Instead of ordinary ZK, use the NMZK protocols of [P04] and [PR05]:
   a. the instructions of the NMZK depend on the identity of the prover;
   b. different provers have different identities.
2. Provable determinism [LMS04]: once the first message is sent, there is only one possible continuation (except for the ZK).
3. And some more…

Let (A,B) denote the resulting protocol.

Analysis

Lemma: (A,B) is (stand-alone) ideal/real secure.

Lemma: stand-alone ideal/real -> stand-alone inp.-ind.
1. The implicit input is the value fed to the trusted party.
2. Requires augmenting the outputs of ideal/real with the input of B*.
3. Relies on the existence of an output delivery message.
4. B*, D breaking inp.-ind. -> B**, D breaking ideal/real.

Lemma: (A,B) stand-alone inp.-ind. -> (A,B) conc. inp.-ind.
1. Implicit inputs are the same as in the stand-alone case.
2. Interplay between a hybrid argument and simulation.
3. Mixture of black-box and non-black-box techniques [PR05].

One-Many Simulation-Extractable ZK [PR05]

Left interaction: simulate only one ZK execution.

Right interaction: concurrently extract witnesses from many executions.

[Figure: simulator S facing B*. On the left, S simulates a single ZK proof with identity ID. On the right, B* acts as prover in m ZK executions with identities ID1~, …, IDm~, and S extracts the witnesses w1~, …, wm~. The output is (view, y*).]

Concurrent -> Stand-Alone

Assume a concurrent adversary B* and input sequences x0, x1 such that the corresponding experiments can be distinguished.

Construct B** that violates the stand-alone inp.-ind. of (A,B).

[Figure: B** runs B* internally. B* expects executions with A's inputs x1, …, xm; B** plays the i-th execution externally against the real A (on the i-th input of either sequence) and simulates the remaining executions itself.]

Using a hybrid argument: only the ZK proof in the i-th execution needs to be simulated. Requires extracting all y*.

Comparison

                  Meaningful definition   Realistic adversary   Reasonable assumption
Stand-Alone       YES                     NO                    YES
UC                YES                     YES                   NO
SPS [BS]          YES*                    YES*                  YES*
SPS (potential)   YES*                    YES                   YES
This work         YES**                   YES                   YES

Summary

Zero-knowledge (the simulation paradigm) seems to have "hit the wall" with respect to protocol composition.

Maybe [Goldreich Micali Wigderson 87] has made us "too ambitious…"

Perhaps we should
1. Give up some meaningfulness of definitions:
   a) super-polynomial-time simulators [P03, PS04, BS05];
   b) definitions based on indistinguishability [FS90].
2. Give up some generality of definitions:
   a) be meaningful only in specific cases;
   b) secure protocols for specific tasks [PR05, BPS06].

Thank You!