2-round secure mpc from indistinguishability obfuscation
DESCRIPTION
2-round secure MPC from IndISTINGUISHABILITY Obfuscation. Sanjam Garg , Craig Gentry, Shai Halevi (IBM), Mariana Raykova (SRI). Background: Secure Multi-Party Computation. Many slides borrowed from Yehuda Lindell. Secure Multiparty Computation. A set of parties with private inputs - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/1.jpg)
2-ROUND SECURE MPC FROMINDISTINGUISHABILITY OBFUSCATIONSanjam Garg, Craig Gentry, Shai Halevi (IBM), Mariana Raykova (SRI)
![Page 2: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/2.jpg)
2
BACKGROUND:
SECURE MULTI-PARTY COMPUTATIONMany slides borrowed from Yehuda Lindell
![Page 3: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/3.jpg)
3
Secure Multiparty Computation• A set of parties with private inputs• Wish to compute on their joint inputs• While ensuring some security properties
• Privacy, Correctness,…
• Even if some parties areadversarial
𝒙 𝒚
𝒛
𝑓 (𝑥 , 𝑦 ,𝑧)
![Page 4: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/4.jpg)
4
Adversarial behavior
Semi-honest: follows the protocol• Trying to learn more than what’sallowed by inspecting transcript
Malicious: deviates arbitrarily from protocol• Trying to compromise privacy,correctness, or both
![Page 5: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/5.jpg)
5
Defining Security: the Ideal/Real Paradigm
• What is the best we could hope for?• An incorruptible trusted party• All parties send inputs to trusted party
• over perfectly secure communication lines• Trusted party computes output, sends to parties
• This is an ideal world• What can an adversary do?
• Just choose its input(s)…
![Page 6: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/6.jpg)
6
• A real-world protocol is secure if it emulates an ideal-world execution• Any damage that can happen in the real world can also happen in the ideal world
• Ideal-world adversary cannot do much, so the same is true of the real-world adversary• Privacy, correctness, independence of inputs (and more), all hold in the real world
Defining Security: the Ideal/Real Paradigm
![Page 7: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/7.jpg)
7
x’ y
Ideal World
Trusted Party
f(x’,y)
f(x’
,y)
Real WorldProtocol
arbitraryoutput
protocoloutput
arbitraryoutput
f(x’,y)
yx
The Ideal/Real Paradigm
≈
![Page 8: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/8.jpg)
8
The Ideal/Real ParadigmA -party protocol securely realizes the -input function if
• For every real-world adversary • Controlling some bad players, interacting with protocol
• There exists an ideal-world simulator • Same bad players, interacting with the trusted party
• s.t. for any environment (supplying the inputs):
[GMW86,…] Any has a secure protocol • Extensions to “interactive functions” […,C01,…]
![Page 9: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/9.jpg)
9
Some Specifics of Our “Real World”• We assume trusted setup (CRS)
• A random common reference string is chosen honestly, made available to all the players• E.g., hard-wired into the protocol implementation
• A broadcast channel is available• If I received msg, everyone received same msg
• The set of bad players is determined before the protocol execution• Aka “static corruption model”
![Page 10: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/10.jpg)
10
Round Complexity of Secure MPC• Without privacy, one round is enough
• Everyone broadcast their inputs• With privacy, need at least two
• Else, bad guys get access to residual function • Can evaluate residual function on many inputs• Yields more info on the good guys inputs than what they can get in the ideal world
![Page 11: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/11.jpg)
11
Round Complexity of Secure MPC• Can we get 2-round secure computation?
• Two broadcast rounds after seeing the CRS
• Before this work, best result was 3 rounds• [Asharov, Jain, Lopez-Alt, Tromer, Vaikuntanathan, Wichs, Eurocrypt 2012],using threshold (multi-key) FHE
• This work: doing it in two rounds• Using heavy tools (iO, NIZK)
![Page 12: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/12.jpg)
12
The Tools We Use• We start from an Interactive Semi-Honest-Secure Protocol for
• Compile it into a 2-round protocols using:• Indistinguishability Obfuscation• Noninteractive Zero-Knowledge (w/ stat. soundness)• Chosen-Ciphertext Secure Encryption
![Page 13: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/13.jpg)
13
Main Tool: Obfuscation• Make programs “unintelligible” while maintaining their functionality• Example from Wikipedia:
• Rigorous treatment [Hada’00, BGIRSVY’01,…]• Constructions [GGHRSW13,…]
@P=split//,".URRUU\c8R";@d=split//,"\nrekcah xinU / lreP rehtona tsuJ";sub p{ @p{"r$p","u$p"}=(P,P);pipe"r$p","u$p";++$p;($q*=2)+=$f=!fork;map{$P=$P[$f^ord ($p{$_})&6];$p{$_}=/ ^$P/ix?$P:close$_}keys%p}p;p;p;p;p;map{$p{$_}=~/^[P.]/&& close$_}%p;wait until$?;map{/^r/&&<$_>}%p;$_=$d[$q];sleep rand(2)if/\S/;print
![Page 14: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/14.jpg)
14
What’s “Unintelligible”?• What we want: can’t do much more with obfuscated code than running it on inputs• At least: If function depends on secrets that are not apparent in its I/O, then obfuscated code does not reveal these secrets
• [B+01] show that this is impossible:• Thm: If PRFs exist, then there exists PRF families , for which it is possible to recover from any circuit that computes .• These PRFs are unobfuscatable
![Page 15: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/15.jpg)
15
What’s “Unintelligible”?• Okay, some function are bad, but not all…
• Can we get OBF() that does “as well as possible” on every function?
• [B+01] suggested the weaker notion of “indistinguishability obfuscation” (iO)• Gives the “best-possible” guarantee [GR07]• Turns out to suffice for many applications, including ours
![Page 16: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/16.jpg)
16
Defining Obfuscation• An efficient public procedure OBF(*)• Takes as input a program
• E.g., encoded as a circuit• Produce as output another program
• computes the same function as • at most polynomially larger than
• Indistinguishability-Obfuscation (iO)• If compute the same function (and ), then
![Page 17: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/17.jpg)
17
Another Tool: Noninteractive ZK(slide due to Jens Groth)
Prover VerifierSoundness:Statement is true
Zero-knowledge:Nothing but truth revealed
Statement:
Proof:
(𝑥 ,𝑤 )∈𝑅𝐿
Common reference string:0100…11010
![Page 18: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/18.jpg)
18
Non Interactive Zero Knowledge• Proving statement of the form
• is an NP language, is public
NIZK has three algorithms (+ a simulator)• CRS generation: • Proof: • Verification: • Simulator:
![Page 19: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/19.jpg)
19
Non Interactive Zero KnowledgePerfect completeness: for all
Statistical soundness:
Computational ZK: for all
![Page 20: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/20.jpg)
20
Last Tool: CCA-Secure EncryptionPublic-key encryption
• Adversary wins if not queries and • Scheme is secure if
(𝑠𝑘,𝑝𝑘 )←𝐾𝑒𝑦𝐺𝑒𝑛 (1𝑘 )Challenger (𝑝𝑘 ,𝑠𝑘 ) Adversary (𝑝𝑘 )𝑐 𝑖
𝑚𝑖=𝐷𝑒𝑐𝑠𝑘(𝑐¿¿ 𝑖)¿𝑚0
∗ ,𝑚1∗
𝑐∗←𝐸𝑛𝑐𝑝𝑘 (𝑚𝑏∗ )𝑏← {0,1 }𝑏′
![Page 21: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/21.jpg)
21
OUR PROTOCOL
![Page 22: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/22.jpg)
22
Starting Point: Use Obfuscation• Start from any -round secure MPC • Consider the next-message functions
• With input, -randomness hard-wired in
![Page 23: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/23.jpg)
23
Starting Point: Use Obfuscation• Players obfuscate, broadcast, theirnext-message functions• With input, -randomness hard-wired in• Each player obfuscates one function per round
• Then everyone can locally evaluate the obfuscated functions to get the final output
• But this is a one-round protocol, so it must leak the residual function
![Page 24: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/24.jpg)
24
Add a Commitment Round• 1st round: commit to input, -randomness
• Using CCA-secure encryption• 2nd round: obfuscate next-message functions
• With input, -randomness hard-wired in• Also the 1st-round commitments hard-wired in
• We want next-msg-functions to work only if transcript is consistent with commitments• This will prevent bad guys from using it with inputs other than ones committed in 1st round
![Page 25: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/25.jpg)
25
Proofs of Consistency
• New-proof generated with randomness • Proves that next-msg was generated by
• on (), for some consistent with
• Each party obfuscates, broadcasts
![Page 26: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/26.jpg)
26
Is It Secure?• It would be if we had “ideal obfuscation”
• “Easy to show” that this is secure when the functions are oracles
• Essentially since +proofs is resettably-secure• Key observation: transcript fixed after 1st round• This assumes that can handle bad randomness
• Alternatively we can include coin-tossing in the compiler
• But we only have iO• So we must jump through a few more hoops
![Page 27: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/27.jpg)
27
Dealing with iO• Change the obfuscated functions as follows:
• Each player obfuscates such functions• One for every communication round• All with same , independent ’s• All with
![Page 28: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/28.jpg)
28
The Full* Compiler• CRS: of CCA-PKE, of NIZK• 1st round: chooses , broadcasts
• 2nd round: chooses ’s, broadcasts
• Local evaluations: For , , use to get ’s ’th message and a proof for it
![Page 29: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/29.jpg)
29
Complexity, Functionality• 2 rounds after seeing CRS• Every :
• Checks at most proofs• Computes one protocol message and proves itHas complexity at most
• OBF increases complexity by factor
• Correctness follows from correctness of and and completeness of proof system
![Page 30: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/30.jpg)
30
Security
Thm: The compiled protocol UC-securely realizes against malicious adversaries if
• securely realizes against semi-honest• And can tolerate bad randomness
• Proof system is NIZK• Encryption is CCA secure• OBF is iO
![Page 31: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/31.jpg)
31
Proof Of Security• Main idea in the proof:
• Recall that 1st round fixes the -transcript• So these two circuits compute the same things:
• The as constructed in the protocol ()• A function with the fixed transcript ()
• The simulator will use the latter• By iO, these are indistinguishable.
• Formally: fix adversary , we describe a simulator, prove its output indistinguishable
![Page 32: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/32.jpg)
32
The Simulator (1)• CRS: • Good players’ ciphertexts:
• Bad players’ ciphertexts:
• Decrypts bad players’ • Yields input, randomness for bad players
• If invalid ciphertext, use default value
• Sends inputs to trusted party, get outputs
![Page 33: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/33.jpg)
33
The Simulator (2)• Runs -simulator on bad players’(input, output, rand), gets a -transcript
• Runs of NIZK, gets proofs for-messages of good players• Relative to their ’s
• Obfuscate for good players• Using , random ’s• Also using
• from simulated transcript, by NIZK sim.
![Page 34: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/34.jpg)
34
Real/Ideal Indistinguishability• We prove indistinguishability by going through several hybrids
Adversary Honest Players Trusted Party
Hybrid Manager
Environment
: anything that doesn’t fit elsewhere
This interface isindistinguishableBetween hybrids
![Page 35: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/35.jpg)
35
Real/Ideal Indistinguishability• is the real-world game
• HM runs setup, trusted party is never used
• Lemma: After 1st round, -transcript for which proofs that would make output anything other than • Whp over the CRS, by statistical NIZK soundness• Moreover, given the HM can efficiently compute that transcript
• Denote that transcript by
![Page 36: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/36.jpg)
36
Real/Ideal Indistinguishability• : Obfuscate different functions
• In we had • Now we have
• contains the message from , NIZK proof corresponding to wrt
• By lemma from above:• Both functions output under same conditions• If then , so both functions output
![Page 37: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/37.jpg)
37
Real/Ideal Indistinguishability• : Obfuscate different functions
• In we had • Now we have
• contains the message from , NIZK proof corresponding to wrt
• They are functionally identical (whp over CRS)• By iO, their obfuscation is indistinguishable
• So
![Page 38: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/38.jpg)
38
Real/Ideal Indistinguishability• Simulated CRS & NIZKs
• Indistinguishable by computational ZK
• Encrypt zeroes for honest players instead of inputs & randomness• Indistinguishable by security of the PKE• Need CCA-security to decrypt ’s ciphertexts
• If adversary copies a good-player ciphertext, then treat it as invalid (since it encrypts the wrong index)
![Page 39: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/39.jpg)
39
Real/Ideal Indistinguishability• Use -simulator to generate
• Send inputs, get outputs from trusted party• Indistinguishable by security of • This is the ideal world, HM is the simulator
![Page 40: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/40.jpg)
40
Reducing Communication Complexity
• The basic construction has communication complexity depends on the complexity of • Which is at least as large as that of
• To save communication, use multi-key HE• Players encrypt their input, broadcast ctxts• Use multi-key HE to evaluate• Apply 2nd round of our protocol to the HE decryption function
![Page 41: 2-round secure MPC from IndISTINGUISHABILITY Obfuscation](https://reader035.vdocuments.us/reader035/viewer/2022062218/56816687550346895dda355b/html5/thumbnails/41.jpg)
41
Questions?