Completeness in Two-Party Secure Computation – A Computational View

Danny Harnik Moni Naor Omer Reingold Alon Rosen

Weizmann Institute of Science

AT&T

IAS

MIT

Secure Function Evaluation (SFE) of a Function f

f(x,y)

Alice learns “nothing

else”

Bob learns “nothing”

Alice

x

Bob

y

Many possible definitions and settings. We concentrate on a specific setting:

• Asymmetric version (only Alice gets output).• Deterministic functions (vs. prob.

functionality).• Computational security definitions

(vs. information theoretic). Simulation based.

• Semi-Honest parties• Can use GMW compiler for malicious model.

Secure Function Evaluation• General framework that captures many

cryptographic tasks.• SFE for any poly-time f - key

achievement in cryptography.

Oblivious Transfer

• Several equivalent flavors.

• 1-2 OT [EGL85] – Sender has two bits b0, b1 and Receiver has choice bit c. Receiver learns bc but not b1-c.

Sender learns nothing of c.

• Can view 1-2 OT as an asymmetric SFE protocol of the function OT(c; b0, b1) = bc

• Introduced by Rabin (Noisy-OT)

The Power of OT

• Given an OT protocol, one can construct an SFE for any efficiently computable function f . [Yao, GMW, Kilian … ]

This is a Completeness behavior.

Reductions & Completeness• A function g securely reduces to f if an SFE for g

can be constructed using calls to an ideal box for

evaluating f.

• f is SFE-Complete if every poly-time function g securely reduces to f.

x y

g(x,y)

f(x’,y’)

f(x’’,y’’)

SFE-Completeness

SFE-Complete

Eff-SFE

Polynomial-time functions f(x,y)

Main Result

• Introduce a computational criterion for completeness called Row Non-Transitivity.

Main Theorem• If f is Row Non-Transitive then it is SFE-

Complete.• If f is Row Transitive then it is in Eff-

SFE unconditionally.

Corollary: Complete Classification

• Essentially all “nice” functions are either SFE-Complete or have an efficient SFE protocol.

Previous Work• SFE-Completeness discussed in:[CK91, Kush92, Kil91, KMO94, BMM99, Kil00]

Beimel, Chor, Kilian, Kushilevitz, Malkin, Micali, Ostrovsky

• Mostly studied under Information Theoretic security definitions.

• Strong results in form of combinatorial criteria.• Most works consider functions with a constant

or small domain size ( “Crypto-gates”).• Avoid computational issues.

Insecure Minor [Beimel, Malkin & Micali 99]

• A function f(.,.) is said to contain an Insecure Minor if there are inputs x0, x1, y0, y1 such that :

y0 y1

x0 a a x1 b c

Where b c.

. . . Insecure Minor [BMM]

• If a function f(.,.) contains an insecure minor then f is SFE-complete.

• Otherwise f has an SFE protocol (f is “trivial”).

Full characterization of Crypto-gates.

Surprising “all or nothing” behavior.

Also discussed computational definitions

What next?

Does the insecure minor characterization work for functions over a large domain?

• Completeness: functions with insecure minor still complete• Same reduction.

• Unconditional SFE: ...

Example 1: one-to-one functions

• Consider one-to-one functions • Do not contain an insecure minor.

• Unconditional SFE for 1-1 function f(x,y):• Bob sends y to Alice.• Alice calculates f(x,y).

• Security: given f(x,y) a simulator can find y (since f is 1-1).

But the simulator might not be efficient for functions on large domain!

y0 y1

x0 a ax1 b c

Example 2: No insecure minor but still complete• Let g be a 1-1 One-Way function.

• Consider the following function :

f(c, y0, y1) = (c, yc, g(y1-c) )

x y

f is 1-1 and hence has no insecure minor.

• Claim: f is SFE-Complete !

1-2-OT using SFE for f

(c, yc, g(y1-c) )

4. Alice calculates bc

1. Choose random y0, y1

3. h(y0)b0, h(y1)b1

1-2-OT

*h is a hardcore bit of g

Alice

c

Bob

b0,b1

2. Call f(c, y0, y1)

Summary of the state in Computational Setting

• Functions with Insecure Minor: SFE-Complete• Functions with no Insecure Minor:

• Some have trivial SFE. • Some are Complete

• Is there a simple characterization of SFE-Complete functions and of functions with unconditional SFE? Characterization by row non-transitivity.

• How do these sets relate? All or nothing behavior?All `nice’ functions are either complete or have

Efficient SFE.

Row Non-Transitivity

x0

x1

y

Hard

f

Row Non-Transitivity

• A function f(.,.) is (Computational) Row Non-Transitive if:

for some x0, x1 and a distribution Dy it is (somewhat) hard to calculate f(x1,y) given x0, x1 and f(x0,y) for yr Dy.

• A function f(.,.) is (Computational) Row Transitive if:

for all x0, x1 and y it is easy to calculate f(x1,y) given x0, x1 and f(x0,y).

Prob < 1 - 1/poly

Prob =1

Note: There is a small gap between the two criteria.

Illustration of Row Non-Transitivity

x0

x1

y

Hard

f

Note: A different notion than OWF.

May be hard in both directions…

?

Must find specific value, not any consistent value…

Examples • Row Transitive :

• f(x,y) = y• f(x,y) = x + y• f(x,y) = x g(y)

• Row Non-Transitive : Computational• let g be a OWF,

f(x, y) = { y if x=1

g(y) if x=0

• Under CDH assumption, p prime,

f(g, y) = gy Mod p

Row Non-Transitive example – information theoretic

• y chosen uniformly from {y0,y1}

• C: Pr[ C[x0, x1, f(x0, y)] = f(x1, y) ] ½

y0 y1

X0 a aX1 b c

Insecure Minor Row Non-Transitive

Main Theorem

• Completeness: If a function f(.,.) is • row non-transitive • efficiently computablethen f is SFE-Complete.

• Unconditional SFE: If function f(.,.) is • row transitive• efficiently computable then f has an efficient SFE (with no further

assumptions).

Unconditional SFE for row transitive f

Calculate f(x,y) Choose input x’ x’, f(x’, y)

SFE for f

Security:• Bob learns nothing.• Simulating Alice’s view: choose x’ and

calculate f(x’,y) from f(x,y).

Alice

x

Bob

y

Completeness Proof sketch

• Use two rows to pass secret.• Value at one row is known, the other is

“unknown” (due to the row non-transitivity).• this determines what secret is transferred.

Technical notes:• Use of GL hardcore bit.• First create a weak version of OT.• Use Yao XOR lemma to amplify hardness.

Row Non-TransitivityInsecure Minor

Complete

Eff-SFE

Efficiently computable functions f(x,y)

Semi Honest vs Malicious

If OWF not guaranteed:• Completeness Theorem holds.• Unconditional SFE: Not necessarily.

• Note: Complete functions are different in Info-Theoretic• [BMM99] vs. [Kil00]

If OWF guaranteed to exist: use GMW transformation.• Properties of row non-transitive functions

remain.

Complexity Discussion

• OT exists (Cryptomania in [Impagliazzo

95]) SFE-Complete = Eff-SFE• OT doesn’t exist but OWF do ( Minicrypt in [Imp95]):

• Are there intermediate assumptions?

Our results: As far as SFE goes, no additional (nice) worlds between Minicrypt & Cryptomania !

Minicrypt (OWF)

Cryptomania (OT)

?

Possible Applications?

• Framework for constructing OT protocols.• Example: f(g,y) = gy mod p.

• Has unconditional SFE:

1. Choose random r

g y2. gr

3. gry

4. Calculate gy = b 1/r

Row non-transitive under CDH assumption.

. . . Possible Applications?

• Use reduction to construct OT:

1-2-OT

c b

2. g0, g1, gcr

4. z, h(g0y)b0

h(g1y)b1

5. Calculate gcy = z 1/r

and the bit bc

3. Calculate z=gcry

1. Choose random r, g0, g1

1. Choose random y

• What did we get?A scheme similar to [Bellare & Micali 89]!

Further Work ?

• Construct a new OT protocol using framework

• Symmetric SFE• Probabilistic Functionalities.

Further Issues : Symmetric SFE

• “All or nothing” result for Boolean functions [CK89, Kil91].

• Gap in information theoretic world [Kush92] • Completeness for crypto-gates iff contains

Imbedded Or [Kil91]:

y0 y1

x0 a a x1 a b

• Does not hold for large domain functions!

Consider the following complete function: f((c, x0, x1), (y0, y1)) = (x0 yc, x1 g(y1-c))g one-way 1-1 function

Further Issues: Probabilistic functionalities

• Probabilistic functionality (as opposed to deterministic functions) • Some criteria for completeness in [Kil00].

• Anything possible if OT exists• What if no OT? Any useful weaker

assumptions?

Summary:

• Showed that combinatorial criteria do not generalize to large domain functions.

• Introduced alternative computational criteria for completeness & triviality.

• Surprising “All or nothing” nature remains.

Thank You