COVERT TWO-PARTY COMPUTATION

LUIS VON AHN

CARNEGIE MELLON UNIVERSITY

JOINT WORK WITHNICK HOPPER

JOHN LANGFORD

HAVE YOU EVER

BEEN IN LOVE BUT DIDN’T HAVE THE GUTS TO CONFRONT THE PERSON?

WANTED TO BRIBE AN OFFICER?

WANTED TO COLLUDE WITH ANOTHER PLAYER TO CHEAT IN A CARD GAME?

WANTED TO STAGE A COUP D’ETAT TO OVERTHROW THE PRESIDENT?

INFILTRATED A TERRORIST CELL?

F( , )

TWO-PARTY COMPUTATIONCOVERT

ALLOWS TWO PARTIES WITH SECRET INPUTS X AND Y TO LEARN F(X,Y) BUT NOTHING ELSE

F( , )

PARTY 1 PARTY 2X Y

F(X,Y) F(X,Y)

F(X,Y) = 1 IF X>Y

0 OTHERWISE

$45 MILLION $32 MILLION

F(X,Y)=1

LET’S NOT GET MARRIED

JEN BEN

BRITNEY SPEARS

I DON’T WANT HIM TO KNOW THAT I LIKE HIM

UNLESS HE LIKES ME TOO!

I LIKE HIM, BUT I’M SHY!

WHAT SHOULD I DO? ME

WE’LL USE TWO-PARTY COMPUTATION

IF HE DOESN’T, THEN F(X,Y) = 0 SO HE WON’T KNOW THAT I

LIKE HIM

IF HE LIKES ME, WE WILL BOTH FIND OUT

1 MEANS “YES” 0 MEANS “NO”IF X,Y ARE BITS, LET

F(X,Y) = X AND YF(X,Y) = X AND Y

LET’S FIGURE OUT IF WE LIKE

EACH OTHER

COVERT TWO-PARTY COMPUTATION

AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS

EXTERNAL COVERTNESS

INTERNAL COVERTNESS

NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL

THE WAR ON TERROR

I GUESS I CAN USE MY

BAZOOKA

HAVE YOU SEEN MY

AK-47?

YOU LEFT IT NEXT TO MY

GRENADES

THE AXIS OF EVIL SHALL PREVAIL!

MI-6 AGENT

CIA AGENT

HE WORKS FOR CIA

HE WORKS FOR MI-6

THE WAR ON TERROR

HE WORKS FOR CIA

HE WORKS FOR MI-6

THE UTTERANCES CONTAINED A

COVERT TWO-PARTY COMPUTATION

THE FUNCTION F VERIFIED THE CREDENTIALS

SINCE BOTH WERE VALID, IT OUTPUT 1K

X WAS A CREDENTIAL SIGNED

BY CIA AND Y WAS SIGNED BY MI-6

FOR ANY OTHER INPUTS, F OUTPUTS A RANDOM VALUE

COVERT TWO-PARTY COMPUTATION

AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS

EXTERNAL COVERTNESS

INTERNAL COVERTNESS

NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL

CANNOT BE DONE WITH STANDARD

TWO-PARTY COMPUTATION

WHO KNOWS WHAT?

WE ASSUME THAT BOTH PARTIES KNOW THE FUNCTION THEY WISH TO EVALUATE

BOTH KNOW WHICH ROLE THEY ARE TO PLAY IN THE EVALUATION

BOTH KNOW WHEN TO START COMPUTING

ORDINARY COMMUNICATION

MESSAGES ARE DRAWN FROM A SET D

TIME PROCEEDS IN DISCRETE TIMESTEPS

EACH PARTY MAINTAINS A HISTORY h OF ALL DOCUMENTS THEY SENT AND RECEIVED

TO EACH PARTY P, WE ASSOCIATE A FAMILY OF PROBABILITY DISTRIBUTIONS ON D:

{BhP}

P1 P2

hP1

D1 ← BP1hP1

hP2

D2 ← BP2hP2

hP1 = hP1 + (D1,D2) hP2 = hP2 + (D2,D1)

D’1 ← BP1

hP1

← BP2hP2

D1

D2

D’1

t0

t1

WE ASSUME THAT

DDH IS HARD: GIVEN gx, gy PARTIES CAN’T EFFICIENTLY DISTINGUISH gxy FROM gz

WE SHOW THAT

COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST HONEST-BUT-CURIOUS ADVERSARIES

IN THE RO MODEL, FAIR COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST MALICIOUS ADVERSARIES

ROADMAP

USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM

SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM

1

2

BASIC-ENCODE

INPUT: H H, TARGET C, BOUND K

LET J = 0REPEAT:

SAMPLE S ← D, INCREMENT JUNTIL H(S) = C OR J > K

OUTPUT: S

LET D BE A DISTRIBUTION ON D AND H BE A PAIRWISE INDEPENDENT FAMILY OF HASH FUNCTIONS

ALLOWS SENDING C ENCODED IN SOMETHING

THAT COMES FROM D

UNIFORM

PROPER SIZE

ENOUGH MIN ENTROPY

… THEN THE DISTRIBUTION ON S IS STA-

TISTICALLY INDISTINGUISHABLE FROM DIF

OOPS! I DID IT AGAIN001

LOOKS UNIFORM

BASIC-ENCODE

LOOKSNORMAL

ROADMAP

USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM

SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM

1

2

COVERT OBLIVIOUS TRANSFER

IT IS POSSIBLE TO MODIFY AN OBLIVIOUS TRANSFER SCHEME BY NAOR AND PINKAS SO THAT ALL MESSAGES ARE INDISTINGUI-SHABLE FROM UNIFORM RANDOM BITS

OT UNIFORM

THE MODIFIED NAOR-PINKAS OT PLUGGED INTO YAO’S “GARBLED CIRCUIT” GIVES A SCHEME WITH MESSAGES THAT ARE INDISTINGUISHABLE FROM UNIFORM

+

YAO

OT

F(X,Y)=1 F(X,Y)=1

OOPS! MALLICIOUS ADVERSARIES CAN

BREAK THIS PROTOCOL

YOU’RE SO SMART BRITNEY!MATH IS FUN!WE CANNOT SIMPLY

USE ZK TO FIX IT

THE END

COMPETITOR COOPERATION

TWO COMPETING ONLINE RETAILERS ARE COMPROMISED BY A HACKER

NEITHER CAN CATCH THE HACKER BY THEMSELVES

HOWEVER, NEITHER WILL ADMIT THAT THEY WERE HACKED UNLESS THE OTHER WAS HACKED TOO

PARTY P CAN DRAW FROM BPh FOR ANY

PLAUSIBLE h

ADVERSARY KNOWS BPh FOR ANY P, h

WE ASSUME THAT

DDH IS HARD: GIVEN gx, gy PARTIES CAN’T EFFICIENTLY DISTINGUISH gxy FROM gz