q:mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf ·...
TRANSCRIPT
![Page 1: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/1.jpg)
Q:Must you know the code of fto securely compute f?
Mike Rosulek | | CRYPTO 2012
.
![Page 2: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/2.jpg)
black-box reductions
.Reduction..
.
. ..
.
.
X has an algorithm⇒ Y has an algorithm
Black-box: ∃B : BX is an algorithm for Y
Non-black-box: Algorithm for Y depends on code of algorithm for X
.Pervasive question since [ImpagliazzoRudich89]:.... ..
.
.When do black-box constructions exist?
Black-box constructions tend to be more practical
(efficient & modular).
.
![Page 3: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/3.jpg)
black-box reductions
.Reduction..
.
. ..
.
.
X has an algorithm⇒ Y has an algorithm
Black-box: ∃B : BX is an algorithm for Y
Non-black-box: Algorithm for Y depends on code of algorithm for X
.Pervasive question since [ImpagliazzoRudich89]:.... ..
.
.When do black-box constructions exist?
Black-box constructions tend to be more practical
(efficient & modular).
.
![Page 4: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/4.jpg)
black-box reductions
.Reduction..
.
. ..
.
.
X has an algorithm⇒ Y has an algorithm
Black-box: ∃B : BX is an algorithm for Y
Non-black-box: Algorithm for Y depends on code of algorithm for X
.Pervasive question since [ImpagliazzoRudich89]:.... ..
.
.When do black-box constructions exist?
Black-box constructions tend to be more practical
(efficient & modular).
.
![Page 5: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/5.jpg)
black-box reductions
.Reduction..
.
. ..
.
.
X has an algorithm⇒ Y has an algorithm
Black-box: ∃B : BX is an algorithm for Y
Non-black-box: Algorithm for Y depends on code of algorithm for X
.Pervasive question since [ImpagliazzoRudich89]:.... ..
.
.When do black-box constructions exist?
Black-box constructions tend to be more practical
(efficient & modular).
.
![Page 6: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/6.jpg)
secure computation. . .
Several parties wish to carry out an agreed-upon computation.
I Parties have individual inputs / output
I Security guarantees:I Privacy (learn no more than your prescribed output)I Input independenceI Output consistency, etc..
I Parties are mutually distrusting, some possibly malicious
.
![Page 7: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/7.jpg)
black-box secure computation.Typical theorem statement:..
.
. ..
.
.
If trapdoor functions exist, then for every f, there is a secure (in some
model) protocol for evaluating f.
..trapdoor function
.f
.secure protocolfor evaluating f
.BBX
.BB ?
Protocol can be black-box in its usage of underlying primitives!
I [Ishai+06, LindellPinkas07, Haitner08, IshaiPrabhakaranSahai08, Choi+09,
PassWee09, ..]
What about usage of f? Typical approach (since [Yao86,GMW87]):
I Express f as a circuit, and evaluate it gate-by-gate — non-black-box!
.
![Page 8: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/8.jpg)
black-box secure computation.Typical theorem statement:..
.
. ..
.
.
If trapdoor functions exist, then for every f, there is a secure (in some
model) protocol for evaluating f.
..trapdoor function
.f
.secure protocolfor evaluating f
.BBX
.BB ?
Protocol can be black-box in its usage of underlying primitives!
I [Ishai+06, LindellPinkas07, Haitner08, IshaiPrabhakaranSahai08, Choi+09,
PassWee09, ..]
What about usage of f? Typical approach (since [Yao86,GMW87]):
I Express f as a circuit, and evaluate it gate-by-gate — non-black-box!
.
![Page 9: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/9.jpg)
black-box secure computation.Typical theorem statement:..
.
. ..
.
.
If trapdoor functions exist, then for every f, there is a secure (in some
model) protocol for evaluating f.
..trapdoor function
.f
.secure protocolfor evaluating f
.BBX
.BB ?
Protocol can be black-box in its usage of underlying primitives!
I [Ishai+06, LindellPinkas07, Haitner08, IshaiPrabhakaranSahai08, Choi+09,
PassWee09, ..]
What about usage of f? Typical approach (since [Yao86,GMW87]):
I Express f as a circuit, and evaluate it gate-by-gate — non-black-box!
.
![Page 10: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/10.jpg)
black-box secure computation.Typical theorem statement:..
.
. ..
.
.
If trapdoor functions exist, then for every f, there is a secure (in some
model) protocol for evaluating f.
..trapdoor function
.f
.secure protocolfor evaluating f
.BBX
.BB ?
Protocol can be black-box in its usage of underlying primitives!
I [Ishai+06, LindellPinkas07, Haitner08, IshaiPrabhakaranSahai08, Choi+09,
PassWee09, ..]
What about usage of f? Typical approach (since [Yao86,GMW87]):
I Express f as a circuit, and evaluate it gate-by-gate — non-black-box!
.
![Page 11: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/11.jpg)
themodel
.
![Page 12: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/12.jpg)
themodel (2-party SFE)Let C be a class of 2-input functions..Definition..
.
. ..
.
.
Functionality-black-box (FBB) secure evaluation of C means:
I ∃ oracle machines πA, πB:
I ∀ f ∈ C:I πf
A(x) � πfB(y) is a secure protocol for evaluating f(x, y)
If protocol uses trusted setup, then same setup for all f ∈ C!
FBB secure evaluation of C is trivial if:I |C| = 1 (protocol could “know” code of f)
I C is exactly learnable via oracle queries (learn code of f, then
proceed in non-black-box way)
.
![Page 13: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/13.jpg)
themodel (2-party SFE)Let C be a class of 2-input functions..Definition..
.
. ..
.
.
Functionality-black-box (FBB) secure evaluation of C means:
I ∃ oracle machines πA, πB:
I ∀ f ∈ C:I πf
A(x) � πfB(y) is a secure protocol for evaluating f(x, y)
If protocol uses trusted setup, then same setup for all f ∈ C!
FBB secure evaluation of C is trivial if:I |C| = 1 (protocol could “know” code of f)
I C is exactly learnable via oracle queries (learn code of f, then
proceed in non-black-box way)
.
![Page 14: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/14.jpg)
themodel (2-party SFE)Let C be a class of 2-input functions..Definition..
.
. ..
.
.
Functionality-black-box (FBB) secure evaluation of C means:
I ∃ oracle machines πA, πB:
I ∀ f ∈ C:I πf
A(x) � πfB(y) is a secure protocol for evaluating f(x, y)
If protocol uses trusted setup, then same setup for all f ∈ C!
FBB secure evaluation of C is trivial if:I |C| = 1 (protocol could “know” code of f)
I C is exactly learnable via oracle queries (learn code of f, then
proceed in non-black-box way)
.
![Page 15: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/15.jpg)
autoreducibility
.
![Page 16: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/16.jpg)
autoreducibility
How much “structure” does a set/function L have?
.Basic Definition..
.
. ..
.
.
L is autoreducible if there exists efficientM:
1. ML(x) = L(x)
2. M doesn’t simply query its oracle on x
.
![Page 17: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/17.jpg)
autoreducibility
How much “structure” does a set/function L have?
.Basic Definition..
.
. ..
.
.
L is autoreducible if there exists efficientM:
1. ML(x) = L(x)
2. M doesn’t simply query its oracle on x
.
![Page 18: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/18.jpg)
autoreducibility examples
Discrete log problem in 〈g〉 is autoreducible:
dlogg(x): // find d such that gd = x
1. Choose a← Zn, where n = ord(g).2. Output: dlogg(x · ga)− a (mod n)
.“Instance-hiding” autoreducible [BeaverFeigenbaum90]..
.
. ..
.
.
Oracle queries ofML(x) distributed independent of x.
.
![Page 19: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/19.jpg)
autoreducibility examples
Discrete log problem in 〈g〉 is autoreducible:
dlogg(x): // find d such that gd = x
1. Choose a← Zn, where n = ord(g).2. Output: dlogg(x · ga)− a (mod n)
.“Instance-hiding” autoreducible [BeaverFeigenbaum90]..
.
. ..
.
.
Oracle queries ofML(x) distributed independent of x.
.
![Page 20: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/20.jpg)
autoreducibility examples
Discrete log problem in 〈g〉 is autoreducible:
dlogg(x): // find d such that gd = x
1. Choose a← Zn, where n = ord(g).2. Output: dlogg(x · ga)− a (mod n)
.“Instance-hiding” autoreducible [BeaverFeigenbaum90]..
.
. ..
.
.
Oracle queries ofML(x) distributed independent of x.
.
![Page 21: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/21.jpg)
autoreducibility examples
Discrete log problem in 〈g〉 is instance-hiding autoreducible:
dlogg(x): // find d such that gd = x
1. Choose a← Zn, where n = ord(g).2. Output: dlogg(x · ga)− a (mod n)
.“Instance-hiding” autoreducible [BeaverFeigenbaum90]..
.
. ..
.
.
Oracle queries ofML(x) distributed independent of x.
.
![Page 22: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/22.jpg)
semi-honest adversaries
.
![Page 23: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/23.jpg)
characterization.Definition..
.
. ..
.
.
A class C is 2-hiding autoreducible if there exists efficientM:
1. Mf,f(x, y) = f(x, y), for all f ∈ C
2. M’s queries to left oracle “don’t depend on” y
3. M’s queries to right oracle “don’t depend on” x
Discussion:
I SameMmust work for every f ∈ C.I Distinction between x and y.
.Theorem..
.
. ..
.
.
FBB secure computation of C is possible inFot-hybrid (against
semi-honest adversaries) if and only if C is 2-hiding autoreducible
.
![Page 24: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/24.jpg)
characterization.Definition..
.
. ..
.
.
A class C is 2-hiding autoreducible if there exists efficientM:
1. Mf,f(x, y) = f(x, y), for all f ∈ C2. M’s queries to left oracle “don’t depend on” y
3. M’s queries to right oracle “don’t depend on” x
Discussion:
I SameMmust work for every f ∈ C.I Distinction between x and y.
.Theorem..
.
. ..
.
.
FBB secure computation of C is possible inFot-hybrid (against
semi-honest adversaries) if and only if C is 2-hiding autoreducible
.
![Page 25: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/25.jpg)
characterization.Definition..
.
. ..
.
.
A class C is 2-hiding autoreducible if there exists efficientM:
1. Mf,f(x, y) = f(x, y), for all f ∈ C2. M’s queries to left oracle “don’t depend on” y
3. M’s queries to right oracle “don’t depend on” x
Discussion:
I SameMmust work for every f ∈ C.I Distinction between x and y.
.Theorem..
.
. ..
.
.
FBB secure computation of C is possible inFot-hybrid (against
semi-honest adversaries) if and only if C is 2-hiding autoreducible
.
![Page 26: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/26.jpg)
characterization.Definition..
.
. ..
.
.
A class C is 2-hiding autoreducible if there exists efficientM:
1. Mf,f(x, y) = f(x, y), for all f ∈ C2. M’s queries to left oracle “don’t depend on” y
3. M’s queries to right oracle “don’t depend on” x
Discussion:
I SameMmust work for every f ∈ C.I Distinction between x and y.
.Theorem..
.
. ..
.
.
FBB secure computation of C is possible inFot-hybrid (against
semi-honest adversaries) if and only if C is 2-hiding autoreducible
.
![Page 27: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/27.jpg)
proof: fbb⇒ autoreducibleGiven FBB protocol, constructM for autoreducibility:
... .π .. .π.Alice .Bob
.f .f
.· · ·
.f(x, y).f(x, y).x .y.(x, y)
.y.x .M
Correctness of protocol:
⇒ Output is f(x, y)
Security of protocol:
⇒ Alice’s view (incl. oracle queries) “doesn’t depend on” y.
⇒ Bob’s view (incl. oracle queries) “doesn’t depend on” x.
.
![Page 28: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/28.jpg)
proof: fbb⇒ autoreducibleGiven FBB protocol, constructM for autoreducibility:
... .π .. .π.Alice .Bob
.f .f
.· · ·
.f(x, y).f(x, y)
.x .y
.(x, y)
.y.x .M
Correctness of protocol:
⇒ Output is f(x, y)
Security of protocol:
⇒ Alice’s view (incl. oracle queries) “doesn’t depend on” y.
⇒ Bob’s view (incl. oracle queries) “doesn’t depend on” x.
.
![Page 29: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/29.jpg)
proof: fbb⇒ autoreducibleGiven FBB protocol, constructM for autoreducibility:
... .π .. .π.Alice .Bob
.f .f
.· · ·
.f(x, y).f(x, y)
.x .y
.(x, y)
.y.x .M
Correctness of protocol:
⇒ Output is f(x, y)
Security of protocol:
⇒ Alice’s view (incl. oracle queries) “doesn’t depend on” y.
⇒ Bob’s view (incl. oracle queries) “doesn’t depend on” x.
.
![Page 30: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/30.jpg)
proof: fbb⇒ autoreducibleGiven FBB protocol, constructM for autoreducibility:
... .π .. .π.Alice .Bob
.f .f
.· · ·
.f(x, y).f(x, y)
.x .y.(x, y)
.y.x .M
Correctness of protocol:
⇒ Output is f(x, y)
Security of protocol:
⇒ Alice’s view (incl. oracle queries) “doesn’t depend on” y.
⇒ Bob’s view (incl. oracle queries) “doesn’t depend on” x.
.
![Page 31: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/31.jpg)
proof: fbb⇒ autoreducibleGiven FBB protocol, constructM for autoreducibility:
... .π .. .π.Alice .Bob
.f .f
.· · ·
.f(x, y).f(x, y).x .y.(x, y)
.y.x
.M
Correctness of protocol:
⇒ Output is f(x, y)
Security of protocol:
⇒ Alice’s view (incl. oracle queries) “doesn’t depend on” y.
⇒ Bob’s view (incl. oracle queries) “doesn’t depend on” x.
.
![Page 32: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/32.jpg)
proof: fbb⇒ autoreducibleGiven FBB protocol, constructM for autoreducibility:
... .π .. .π.Alice .Bob
.f .f
.· · ·
.f(x, y).f(x, y).x .y
.(x, y)
.y.x .M
Correctness of protocol:
⇒ Output is f(x, y)
Security of protocol:
⇒ Alice’s view (incl. oracle queries) “doesn’t depend on” y.
⇒ Bob’s view (incl. oracle queries) “doesn’t depend on” x.
.
![Page 33: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/33.jpg)
proof: fbb⇒ autoreducibleGiven FBB protocol, constructM for autoreducibility:
... .π .. .π.Alice .Bob
.f .f
.· · ·
.f(x, y).f(x, y).x .y
.(x, y)
.y.x .M
Correctness of protocol:
⇒ Output is f(x, y)
Security of protocol:
⇒ Alice’s view (incl. oracle queries) “doesn’t depend on” y.
⇒ Bob’s view (incl. oracle queries) “doesn’t depend on” x.
.
![Page 34: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/34.jpg)
proof: fbb⇒ autoreducibleGiven FBB protocol, constructM for autoreducibility:
... .π .. .π.Alice .Bob
.f .f
.· · ·
.f(x, y)
.f(x, y)
.x .y
.(x, y)
.y.x .M
Correctness of protocol:
⇒ Output is f(x, y)
Security of protocol:
⇒ Alice’s view (incl. oracle queries) “doesn’t depend on” y.
⇒ Bob’s view (incl. oracle queries) “doesn’t depend on” x.
.
![Page 35: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/35.jpg)
proof: fbb⇒ autoreducibleGiven FBB protocol, constructM for autoreducibility:
... .π .. .π.Alice .Bob
.f .f
.· · ·
.f(x, y)
.f(x, y)
.x .y
.(x, y)
.y.x .M
Correctness of protocol:
⇒ Output is f(x, y)
Security of protocol:
⇒ Alice’s view (incl. oracle queries) “doesn’t depend on” y.
⇒ Bob’s view (incl. oracle queries) “doesn’t depend on” x.
.
![Page 36: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/36.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q) .q?.⊥ .q
.f.f(q)
.f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 37: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/37.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q) .q?.⊥ .q
.f.f(q)
.f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 38: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/38.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q) .q?.⊥ .q
.f.f(q)
.f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 39: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/39.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q) .q?.⊥ .q
.f.f(q)
.f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 40: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/40.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q) .q?.⊥ .q
.f.f(q)
.f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 41: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/41.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q) .q?.⊥ .q
.f.f(q)
.f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 42: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/42.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q) .q?.⊥ .q
.f.f(q)
.f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 43: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/43.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?
.q .⊥.f
.f(q).f(q) .q?
.⊥ .q.f
.f(q).f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 44: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/44.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q) .q?.⊥ .q
.f.f(q)
.f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 45: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/45.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f
.f(q).f(q) .q?
.⊥ .q.f
.f(q).f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 46: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/46.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q)
.q?.⊥ .q
.f.f(q)
.f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 47: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/47.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q)
.q?
.⊥ .q.f
.f(q).f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 48: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/48.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q)
.q?.⊥ .q
.f.f(q)
.f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 49: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/49.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q)
.q?.⊥ .q
.f
.f(q).f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 50: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/50.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q) .q?.⊥ .q
.f.f(q)
.f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 51: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/51.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q) .q?.⊥ .q
.f.f(q)
.f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 52: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/52.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q) .q?.⊥ .q
.f.f(q)
.f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 53: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/53.jpg)
proof: autoreducible⇒ fbbGivenM from autoreducibility, construct FBB protocol:
.
.trusted party (fromFot):
.M
.(x, y)
.f .f
.f(x, y)
.. ...Alice .Bob
.x .y
.x .y
.q?.q .⊥
.f.f(q)
.f(q) .q?.⊥ .q
.f.f(q)
.f(q)
.z
.z .z
.z .z
I Entire protocol treats f as black-box.
I Protocol output is correct (when protocol is followed!)
I Alice sees only output &M’s left oracle queries.I These “don’t depend on” Bob’s input y.
I Bob’s sees only output &M’s right oracle queries.I These “don’t depend on” Alice’s input x.
.
![Page 54: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/54.jpg)
using the characterization:.Positive example..
.
. ..
.
.
There is a class C that is 2-hiding autoreducible, but not learnable via
oracle queries.
⇒ Non-trivial FBB secure computation!
/ Class C is not especially interesting.
.Negative example..
.
. ..
.
.
Class of all PRFs is not 2-hiding autoreducible.
⇒ Can’t securely evaluate PRFs in FBB way (Alice holds seed, Bob holds
input)
... even against semi-honest adversaries.
... even with arbitrarily powerful trusted setup
.
![Page 55: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/55.jpg)
using the characterization:.Positive example..
.
. ..
.
.
There is a class C that is 2-hiding autoreducible, but not learnable via
oracle queries.
⇒ Non-trivial FBB secure computation!
/ Class C is not especially interesting.
.Negative example..
.
. ..
.
.
Class of all PRFs is not 2-hiding autoreducible.
⇒ Can’t securely evaluate PRFs in FBB way (Alice holds seed, Bob holds
input)
... even against semi-honest adversaries.
... even with arbitrarily powerful trusted setup
.
![Page 56: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/56.jpg)
using the characterization:.Positive example..
.
. ..
.
.
There is a class C that is 2-hiding autoreducible, but not learnable via
oracle queries.
⇒ Non-trivial FBB secure computation!
/ Class C is not especially interesting.
.Negative example..
.
. ..
.
.
Class of all PRFs is not 2-hiding autoreducible.
⇒ Can’t securely evaluate PRFs in FBB way (Alice holds seed, Bob holds
input)
... even against semi-honest adversaries.
... even with arbitrarily powerful trusted setup
.
![Page 57: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/57.jpg)
malicious adversaries
.
![Page 58: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/58.jpg)
malicious adversaries.Definition..
.
. ..
.
.
A class C is 1-hiding autoreducible if there exists efficientM:
1. Mf(x, y) = f(x, y), for all f ∈ C2. M’s queries to oracle “don’t depend on” (x, y)
Compare to “instance hiding” [BeaverFeigenbaum90]
.Theorem..
.
. ..
.
.
If C is 1-hiding autoreducible, then FBB secure computation of C ispossible against malicious adversaries.
Proof sketch:
I Securely simulateM
I Send its oracle queries to both parties
I Securely check for agreement of oracle responses
.
![Page 59: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/59.jpg)
malicious adversaries.Definition..
.
. ..
.
.
A class C is 1-hiding autoreducible if there exists efficientM:
1. Mf(x, y) = f(x, y), for all f ∈ C2. M’s queries to oracle “don’t depend on” (x, y)
Compare to “instance hiding” [BeaverFeigenbaum90]
.Theorem..
.
. ..
.
.
If C is 1-hiding autoreducible, then FBB secure computation of C ispossible against malicious adversaries.
Proof sketch:
I Securely simulateM
I Send its oracle queries to both parties
I Securely check for agreement of oracle responses
.
![Page 60: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/60.jpg)
malicious adversaries.Definition..
.
. ..
.
.
A class C is 1-hiding autoreducible if there exists efficientM:
1. Mf(x, y) = f(x, y), for all f ∈ C2. M’s queries to oracle “don’t depend on” (x, y)
Compare to “instance hiding” [BeaverFeigenbaum90]
.Theorem..
.
. ..
.
.
If C is 1-hiding autoreducible, then FBB secure computation of C ispossible against malicious adversaries.
Proof sketch:
I Securely simulateM
I Send its oracle queries to both parties
I Securely check for agreement of oracle responses.
![Page 61: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/61.jpg)
wrap-up. . .
Also in the paper:
I Definition of FBB for more than just function evaluation
I Impossibility of ZK for membership in im(f), for f OWF
Summary:
I Definitions for MPC protocol that has “black-box usage of
functionality”
I Characterizations based on autoreducibility
I It is possible to “evaluate f without knowing the code of f”
I ... but definitely not in general.
.
![Page 62: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/62.jpg)
wrap-up. . .
Also in the paper:
I Definition of FBB for more than just function evaluation
I Impossibility of ZK for membership in im(f), for f OWF
Summary:
I Definitions for MPC protocol that has “black-box usage of
functionality”
I Characterizations based on autoreducibility
I It is possible to “evaluate f without knowing the code of f”
I ... but definitely not in general.
.
![Page 63: Q:Mustyouknowthe code of tosecurelycomputerosulekm/pubs/fbb-talk-crypto.pdf · black-boxsecurecomputation. Typicaltheoremstatement:..... ... Iftrapdoorfunctionsexist,thenforeveryf,thereisasecure(insome](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec5127ce474e37cf712acff/html5/thumbnails/63.jpg)
.