new exact on the round complexity landscape of secure...
TRANSCRIPT
OnTheRoundComplexityLandscapeofSecureComputation
ArpitaPatra
IndianInstituteofScience
TPMPC2019
Exact▲
JointworkwithDivya RaviandSwatiSingla
Roadmap
HonestMajority DishonestMajority
Best-of-Both-World
- guaranteedoutputdelivery(god)- fairness(fn)
- unanimousabort(ua)- selectiveabort(sa)
- god|ua- fn |ua
Plain (nosetup) Public (CRS)
Private (CRS+PKI)
P2P+BCChannel
MPC
x2
x3
x4
x1
Setup:- n partiesP1,....,Pn ;t are corruptedbyacentralizedadv
- Acommonn-inputfunctionf(x1,x2,..xn)- Pi hasprivate inputxi
- Correctness:Computef(x1,x2,..xn)- Privacy:Nothingmorethanfunctionoutputshouldberevealed
Goals:
- HonestMajority- DishonestMajority
CorruptionThreshold:
DegreeofRobustness- Guaranteedoutputdelivery (god)- Strongest
Adversarycannotpreventhonestpartiesfromgettingoutput
- Fairness(fn)Ifadversarygetsoutput,allgettheoutput
- Securitywithunanimousabort(ua)
Eitherallornoneofthehonestpartiesgetoutput(maybeunfair)
- Securitywithselectiveabort(sa) - weakest
Adversaryselectivelydeprivessomehonestpartiesoftheoutput
yy y y y y
┴ ┴ ┴ ┴┴┴
yy y y
yyy yyy
yy
y yyy ┴ ┴
┴ ┴ ┴ ┴
HonestMajority
Best-of-Both-World(BoBW)MPCM1:Protocolsofonetypebreakdownintheothersetting.
M3:Importantapplications(voting,federatedlearning)
F1:(god|ua)[IKLP06,K07,IKKLP11]:n,t,s:t<n/2,s+t<n(elsenopolynomialtimeprotocolexists)
- AHMprotocolisnolongerprivateandcorrectinDMsetting- ADMprotocolcannotachievegod/fn evenwhenasinglepartyiscorrupt
- Privacyviolationiscompletenoatanycost- Yet,guaranteedoutputcomputationiscalledfor(asmuchastheoreticallypossible)
F2:fn |ua [LRM10]
+Honestpresenceisstronger
IdealFeasibility:n,t,s:t<n/2ands<n
F3:god|ua (s+1residual)[IKLP06]F4:god|ua (1/psecurity)[K07,IKKLP11]
F5:god|ua (semi-honest)[IKLP06][PR19]
M2:Donotcareabouthowtheadversaryisgoingtostrike.Sleepwell.
TheRoundComplexityLandscape
HonestMajority(t<n/2) DishonestMajority(s<n)
Best-of-Both-World
P2P+BCChannel
Guaranteed(god)
fairness(fn)
unabort(ua)
seabort(sa)
Private
2
2
Public
3
3
Plain
3
3
[GIKR02,PR18JLS15]
Private
2
2
Public
2
2
Plain
4
4
[HLP12GS18,BL18]
god uafn ua
Private Public Plain
LB:r-round(fn|ua)-BoBW protocolreducesto(r-1)-roundOT.
n,t<n/2,s<n
n,t<n/2,t+s<n
3 3 5
Selectiveabort
*
UB:rroundua dishonestmajorityimplies(r+1)-round(fn|ua)-BoBW
+[HH+18,BG+18]:sa ua
TheRoundComplexityLandscape
HonestMajority(t<n/2) DishonestMajority(s<n)
Best-of-Both-World
P2P+BCChannel
Guaranteed(god)
fairness(fn)
unabort(ua)
seabort(sa)
Private
2
2
Public
3
3
Plain
3
3
[GIKR02,PR18JLS15]
Private
2
2
Public
2
2
Plain
4
4
[HLP12GS18,BL18]
god uafn ua
Private Public Plainn,t<n/2,t+s<n
3 3 52 3 4
LB:Public+3roundsA)s≤ t:Degenerateston/3≤ t≤ n/2;[PR18]
n t s n t s
B)s> t: NewLB
TheRoundComplexityLandscape
HonestMajority(t<n/2) DishonestMajority(s<n)
Best-of-Both-World
P2P+BCChannel
Guaranteed(god)
fairness(fn)
unabort(ua)
seabort(sa)
Private
2
2
Public
3
3
Plain
3
3
[GIKR02,PR18JLS15]
Private
2
2
Public
2
2
Plain
4
4
[HLP12GS18,BL18]
god uafn ua
Private Public Plainn,t<n/2,t+s<n
3 3 52 3 4/5(?)
UB1,2:Seriesofcompilersstartingfroma2-roundua inDMintheBC-onlysetting[GS18,BL18].
UB3:Non-optimal(possibly)yetmostchallenging
TheRoundComplexityLandscape
HonestMajority(t<n/2) DishonestMajority(s<n)
Best-of-Both-World
P2P+BCChannel
Guaranteed(god)
fairness(fn)
unabort(ua)
seabort(sa)
Private
2
2
Public
3
3
Plain
3
3
[GIKR02,PR18JLS15]
Private
2
2
Public
2
2
Plain
4
4
[HLP12GS18,BL18]
god uafn ua
Private Public Plainn,t<n/2,t+s<n
3 3 52 3 4/5
BoBW arenotdemanding-max{DM,HM}
+(1/0)
- Identifiabilitywhenabort- Commonrandomstring
LowerBoundsfor(fn|ua)-BoBWMPCAssume4-round(fn|ua)with3parties 3-roundOTbetween2-parties
Anyr-round(fn|ua)-BoBWimplies(r-1)-roundOT
P3
P2
P1
(HM) t=1:fn (DM) s=2:ua
𝑓 𝑚%,𝑚( , 𝑐, 𝑟+ , 𝑟, = ( 𝑚/ +𝑟+ + 𝑟, , 𝑚/, 𝑚/)
PRPS
𝑓𝑂𝑇 𝑚%, 𝑚( , 𝑐 = (⊥,𝑚/)
LowerBoundsfor(fn|ua)-BoBWMPCAssume4-round(fn|ua)with3parties 3-roundOTbetween2-parties
Anyr-round(fn|ua)-BoBWimplies(r-1)-roundOT
P3
P2
P1
(HM)t=1:fn (DM)s=2:ua
𝑓 𝑚%,𝑚( , 𝑐, 𝑟+ , 𝑟, = ( 𝑚/ +𝑟+ + 𝑟, , 𝑚/, 𝑚/)
P3
P2
P1
𝑓𝑂𝑇 𝑚%, 𝑚( , 𝑐 = (⊥,𝑚/)
C1:View{P2,P3}=outputbyR3
PRPS
EmulateP1untilR3 EmulateP2 andP3
untilR3
𝑚%,𝑚(
Pick𝑟+, 𝑟,
𝑐
UseoutputcompofΣ1byP2 andP3
Σ1
A.Correctness:C1B.CorruptPR:Cases=2C.CorruptPS:Caset=1
fn
LowerBoundsfor(fn|ua)-BoBWMPC3-roundsimultaneous-messageOT 3-roundalternatingOT
Anyr-round(fn|ua)-BoBWimplies(r-1)-roundOT
PRPS
𝑚%,𝑚( 𝑐
M1SM1
R
M2R M2
S
M3SM3
R
PRPSM1
S
M1R M2
R
M3SM2
S
𝑚%,𝑚( 𝑐
PSdoesnotneedoutputandthereforelastroundmessageofPR
Reschedulingmessages
Toleranttorushing:Anhonestpartiesmessagedoesnotdependoncorruptpartiesinthesameround.
[GGMP14,CCGJO19]
UpperBoundsfor(fn|ua)-BoBW Anyrroundua dishonest-majorityimplies(i.t) (r+1)-round(fn|ua)-BoBW
r-roundua DMprotocol
P1
P2
P4
y1
y2
y4
M12
K12
M13
K14
P3 y3K13
Authenticatedt-sharing
P5 y5K15
M14 M15
(a,b)
=ay1 +b
UpperBoundsfor(fn|ua)-BoBW Anyrroundua dishonest-majorityimplies(i.t) (r+1)-round(fn|ua)-BoBW
n-partyr-roundua DMprotocol
Broadcast&Verify
rrounds 1round
A.(HM)t=2:fnAuthenticated2-sharing
P1
P2
P4
y1
y2
y4
P3 y3
P5 y5
y2
y1 /⏊
/⏊
y4
y3
y5
y
y
y
y
y
UpperBoundsfor(fn|ua)-BoBW Anyrroundua dishonest-majorityimplies(i.t) (r+1)-round(fn|ua)-BoBW
n-partyr-roundua DMprotocol
Broadcast&Verify
rrounds 1round
A.(HM)t=2:fnAuthenticated2-sharing
⏊
⏊
P1
P2
P4
y1
y2
P3
P5
⏊
y2
y1 /⏊
/⏊
⏊
⏊
⏊
⏊
⏊
⏊
⏊
⏊
UpperBoundsfor(fn|ua)-BoBW Anyrroundua dishonest-majorityimplies(i.t) (r+1)-round(fn|ua)-BoBW
n-partyr-roundua DMprotocol
Broadcast&Verify
rrounds 1round
A.(HM)t=2:fn
B.(DM)s=3:ua?
Authenticated2-sharing
y5
y4
P1
P2
P4 y4
P3 y3
P5 y5
y3
⏊
⏊
⏊
⏊
⏊
⏊
y
y
y
UpperBoundsfor(fn|ua)-BoBW Anyrroundua dishonest-majorityimplies(i.t) (r+1)-round(fn|ua)-BoBW
n-partyr-roundua DMprotocol
Broadcast&Verify
rrounds 1round
A.(HM)t=1:fn
B.(DM)s=2:ua?
Authenticated2-sharing
y5
y4
P1
P2
P4
y1
y2
y4
P3 y3
P5 y5
y3
y2
y1
y
⏊
y
y
y
UpperBoundsfor(fn|ua)-BoBW Anyrroundua dishonest-majorityimplies(i.t) (r+1)-round(fn|ua)-BoBW
n-partyr-roundua DMprotocol
Broadcast&Verify
rrounds 1round
A.(HM)t=1:fn
B.(DM)s=2:ua?
Authenticated2-sharing
y5
y4
P1
P2
P4
y1
y2
y4
P3 y3
P5 y5
y3
y2
y1
UpperBoundsfor(fn|ua)-BoBW Anyrroundua dishonest-majorityimplies(i.t) (r+1)-round(fn|ua)-BoBW
n-partyr-roundua DMprotocol
P1
P2
P4
y1
y2
y4
a5(x)
K12
K14
P3 y3K13
Authenticated2-sharing[P10]
P5 y5
K1 , a5(K1)
a5(0)=y5
K2 , a5(K2)
(god|ua)-BoBW:Overview(3-round+CRS|2-roundPKI)
2-roundua
dis-majSemi-maliciousBroadcast-only
*Semi-malicious:Betweensemi-honestandmalicious- foreveryroundrthereisaninputandrandomcoinsthatexplainsitsbehaviouruntilroundr
- Canabort
3-round(god|ua)-BoBWSemi-maliciousBroadcast-only
2-round(god|ua)-BoBWSemi-maliciousBroadcast-only
PKI
2-round(god|ua)-BoBWSemi-maliciousBroadcast-onlyP-2-PChannels
GCofnext-messagefunction
Secret-sharingofthelabelsusings-
sharing
2-round(god|ua)-BoBW
MaliciousBroadcast-only
PKI+CRS
NIZK[AJL+12]
3-round(god|ua)-BoBW
MaliciousBroadcast-only
CRS
NIZK[AJL+12]
(god|ua)-BoBW:Overview(5-round+Plain)
3-round(god|ua)-BoBW
Semi-maliciousBroadcast-only
3-round(god|ua)-BoBW
Delayed-semi-maliciousBroadcast-only
5-round(god|ua)-BoBW
MaliciousBroadcast-only
BL18-likecompiler
Theproofwasextremelychallenging
Conclusion
Wealmost settledtheexactroundcomplexityoftwo(actuallythree)importantclassesofBoBW protocols
?)4-round(god |ua)-BoBw inPlainmodel?
??)RoundcomplexityoftheotherclassofBoBW protocols?
