Completeness in Two-Party Secure Computation – A Computational View
Danny Harnik, Moni Naor, Omer Reingold, Alon Rosen
Weizmann Institute of Science
AT&T
IAS
MIT
Secure Function Evaluation (SFE) of a Function f
• Alice holds x, Bob holds y.
• Alice learns f(x,y) and “nothing else”.
• Bob learns “nothing”.
Many possible definitions and settings. We concentrate on a specific setting:
• Asymmetric version (only Alice gets output).
• Deterministic functions (vs. probabilistic functionality).
• Computational security definitions (vs. information theoretic). Simulation based.
• Semi-honest parties.
  • Can use GMW compiler for malicious model.
Secure Function Evaluation
• General framework that captures many cryptographic tasks.
• SFE for any poly-time f - key achievement in cryptography.
Oblivious Transfer
• Several equivalent flavors.
• 1-2 OT [EGL85] – Sender has two bits b0, b1 and Receiver has choice bit c. Receiver learns b_c but not b_{1-c}. Sender learns nothing of c.
• Can view 1-2 OT as an asymmetric SFE protocol of the function OT(c; b0, b1) = b_c
• Introduced by Rabin (Noisy-OT)
The Power of OT
• Given an OT protocol, one can construct an SFE for any efficiently computable function f. [Yao, GMW, Kilian, …]
This is a Completeness behavior.
Reductions & Completeness
• A function g securely reduces to f if an SFE for g can be constructed using calls to an ideal box for evaluating f.
• f is SFE-Complete if every poly-time function g securely reduces to f.
[Figure: a protocol for g(x,y) on inputs x, y that makes calls f(x’,y’), f(x’’,y’’) to the ideal box for f]
SFE-Completeness
[Figure: the polynomial-time functions f(x,y), with regions labelled SFE-Complete and Eff-SFE]
Main Result
• Introduce a computational criterion for completeness called Row Non-Transitivity.
Main Theorem
• If f is Row Non-Transitive then it is SFE-Complete.
• If f is Row Transitive then it is in Eff-SFE unconditionally.
Corollary: Complete Classification
• Essentially all “nice” functions are either SFE-Complete or have an efficient SFE protocol.
Previous Work
• SFE-Completeness discussed in: [CK91, Kush92, Kil91, KMO94, BMM99, Kil00]
  (Beimel, Chor, Kilian, Kushilevitz, Malkin, Micali, Ostrovsky)
• Mostly studied under information-theoretic security definitions.
• Strong results in the form of combinatorial criteria.
• Most works consider functions with a constant or small domain size (“Crypto-gates”).
• Avoid computational issues.
Insecure Minor [Beimel, Malkin & Micali 99]
• A function f(.,.) is said to contain an Insecure Minor if there are inputs x0, x1, y0, y1 such that:
         y0   y1
    x0   a    a
    x1   b    c
  where b ≠ c.
. . . Insecure Minor [BMM]
• If a function f(.,.) contains an insecure minor then f is SFE-complete.
• Otherwise f has an SFE protocol (f is “trivial”).
Full characterization of Crypto-gates.
Surprising “all or nothing” behavior.
Also discussed computational definitions
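The insecure-minor criterion can be checked mechanically for a small-domain function given as a table. The following is an added example, not code from the talk; the function names and the four sample tables are constructed for illustration.

```python
from itertools import combinations, permutations

def find_insecure_minor(table):
    """table[x][y] = f(x, y). Return (x0, x1, y0, y1) such that
    f(x0,y0) == f(x0,y1) and f(x1,y0) != f(x1,y1), or None if none exists."""
    cols = range(len(table[0]))
    # Row order matters (x0 is the constant row), column order does not.
    for x0, x1 in permutations(range(len(table)), 2):
        for y0, y1 in combinations(cols, 2):
            if table[x0][y0] == table[x0][y1] and table[x1][y0] != table[x1][y1]:
                return x0, x1, y0, y1
    return None

def classify(table):
    """The [BMM] dichotomy for crypto-gates, as stated on the slide above."""
    return "SFE-complete" if find_insecure_minor(table) is not None else "trivial"

# Constructed sample tables: rows are Alice's input x, columns are Bob's input y.
AND = [[0, 0], [0, 1]]
XOR = [[0, 1], [1, 0]]
# 1-2 OT: x is the choice bit c, y = (b0, b1) in the order 00, 01, 10, 11.
OT = [[0, 0, 1, 1], [0, 1, 0, 1]]
# A one-to-one function on a 2x3 domain: every (x, y) has its own output.
ONE_TO_ONE = [[0, 1, 2], [3, 4, 5]]

if __name__ == "__main__":
    for name, t in [("AND", AND), ("XOR", XOR), ("OT", OT), ("1-1", ONE_TO_ONE)]:
        print(name, classify(t), find_insecure_minor(t))
```

The search is quadratic in both the number of rows and the number of columns, so it only applies to functions whose table can be written out.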
What next?
Does the insecure minor characterization work for functions over a large domain?
• Completeness: functions with insecure minor still complete
  • Same reduction.
• Unconditional SFE: ...
Example 1: one-to-one functions
• Consider one-to-one functions
  • Do not contain an insecure minor.
• Unconditional SFE for 1-1 function f(x,y):
  • Bob sends y to Alice.
  • Alice calculates f(x,y).
• Security: given f(x,y) a simulator can find y (since f is 1-1).
But the simulator might not be efficient for functions on large domain!
         y0   y1
    x0   a    a
    x1   b    c
Example 2: No insecure minor but still complete
• Let g be a 1-1 One-Way function.
• Consider the following function:
  f(c, y0, y1) = (c, y_c, g(y_{1-c}))
  with x = c and y = (y0, y1).
• f is 1-1 and hence has no insecure minor.
• Claim: f is SFE-Complete !
1-2-OT using SFE for f
Alice holds c; Bob holds b0, b1.
1. Bob: choose random y0, y1.
2. Call f(c, y0, y1); Alice receives (c, y_c, g(y_{1-c})).
3. Bob sends h(y0) ⊕ b0, h(y1) ⊕ b1.
4. Alice calculates b_c.
* h is a hardcore bit of g.
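The four protocol steps above, run end to end with both parties' messages in the semi-honest model. This is an added example, not code from the talk; the modulus, the base, the concrete g and h, and all function names are toy stand-ins chosen here and are far too small to be one-way.

```python
import secrets

# Toy parameters (assumptions): 4 has prime order Q = 509 modulo P = 1019,
# so y -> 4^y mod P is one-to-one on range(Q).
P, Q, BASE = 1019, 509, 4

def g(y):
    """Stand-in for the 1-1 one-way function g."""
    return pow(BASE, y, P)

def h(y):
    """Stand-in for a hardcore bit of g (assumption): is y in the upper half?"""
    return 1 if y > Q // 2 else 0

def ideal_f(c, y0, y1):
    """Ideal box for f(c, y0, y1) = (c, y_c, g(y_{1-c})); only Alice sees the output."""
    ys = (y0, y1)
    return c, ys[c], g(ys[1 - c])

def ot_from_f(c, b0, b1):
    """Alice holds c, Bob holds b0, b1. Returns (Alice's output, Alice's view)."""
    # 1. Bob chooses random y0, y1.
    y0, y1 = secrets.randbelow(Q), secrets.randbelow(Q)
    # 2. Call f: Alice learns y_c in the clear and y_{1-c} only under g.
    _, y_c, g_other = ideal_f(c, y0, y1)
    # 3. Bob sends both bits, each masked by the hardcore bit of its y.
    m0, m1 = h(y0) ^ b0, h(y1) ^ b1
    # 4. Alice unmasks the one bit whose mask she can compute.
    b_c = (m0, m1)[c] ^ h(y_c)
    view = {"y_c": y_c, "g_other": g_other, "masked": (m0, m1)}
    return b_c, view

if __name__ == "__main__":
    print(ot_from_f(1, 0, 1))
```

Bob's view consists of his own random choices only, so he learns nothing of c; Alice's view holds y_{1-c} only as g(y_{1-c}), which is what the hardcore bit h protects.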
Summary of the state in Computational Setting
• Functions with Insecure Minor: SFE-Complete
• Functions with no Insecure Minor:
  • Some have trivial SFE.
  • Some are Complete
• Is there a simple characterization of SFE-Complete functions and of functions with unconditional SFE?
  Characterization by row non-transitivity.
• How do these sets relate? All or nothing behavior?
  All `nice’ functions are either complete or have Efficient SFE.
Row Non-Transitivity
[Figure: rows x0 and x1 of f at column y, with the step from one row to the other marked “Hard”]
Row Non-Transitivity
• A function f(.,.) is (Computational) Row Non-Transitive if:
  for some x0, x1 and a distribution Dy it is (somewhat) hard to calculate f(x1,y) given x0, x1 and f(x0,y) for y chosen at random from Dy. (Prob < 1 - 1/poly)
• A function f(.,.) is (Computational) Row Transitive if:
  for all x0, x1 and y it is easy to calculate f(x1,y) given x0, x1 and f(x0,y). (Prob = 1)
Note: There is a small gap between the two criteria.
Illustration of Row Non-Transitivity
[Figure: rows x0 and x1 of f at column y, with the step from one row to the other marked “Hard”]
Note: A different notion than OWF.
• May be hard in both directions…
• Must find specific value, not any consistent value…
Examples
• Row Transitive:
  • f(x,y) = y
  • f(x,y) = x + y
  • f(x,y) = x g(y)
• Row Non-Transitive (computational):
  • Let g be a OWF,
    f(x, y) = y     if x = 1
              g(y)  if x = 0
  • Under CDH assumption, p prime,
    f(g, y) = g^y mod p
Row Non-Transitive example – information theoretic
• y chosen uniformly from {y0,y1}
• ∀C: Pr[ C[x0, x1, f(x0, y)] = f(x1, y) ] ≤ ½
         y0   y1
    x0   a    a
    x1   b    c
Insecure Minor ⇒ Row Non-Transitive
Main Theorem
• Completeness: If a function f(.,.) is
  • row non-transitive
  • efficiently computable
  then f is SFE-Complete.
• Unconditional SFE: If function f(.,.) is
  • row transitive
  • efficiently computable
  then f has an efficient SFE (with no further assumptions).
Unconditional SFE for row transitive f
SFE for f (Alice holds x, Bob holds y):
1. Alice: choose input x’.
2. Alice sends x’ and receives f(x’, y).
3. Alice: calculate f(x,y).
Security:
• Bob learns nothing.
• Simulating Alice’s view: choose x’ and calculate f(x’,y) from f(x,y).
Completeness Proof sketch
• Use two rows to pass secret.
• Value at one row is known, the other is “unknown” (due to the row non-transitivity).
• This determines what secret is transferred.
Technical notes:
• Use of GL hardcore bit.
• First create a weak version of OT.
• Use Yao XOR lemma to amplify hardness.
[Figure: the efficiently computable functions f(x,y), with regions labelled Insecure Minor, Row Non-Transitivity, Complete and Eff-SFE]
Semi Honest vs Malicious
If OWF not guaranteed:
• Completeness Theorem holds.
• Unconditional SFE: Not necessarily.
• Note: Complete functions are different in Info-Theoretic
  • [BMM99] vs. [Kil00]
If OWF guaranteed to exist: use GMW transformation.
• Properties of row non-transitive functions remain.
Complexity Discussion
• OT exists (Cryptomania in [Impagliazzo 95]): SFE-Complete = Eff-SFE
• OT doesn’t exist but OWF do (Minicrypt in [Imp95]):
• Are there intermediate assumptions?
Our results: As far as SFE goes, no additional (nice) worlds between Minicrypt & Cryptomania!
[Figure: Minicrypt (OWF) and Cryptomania (OT), with a “?” between them]
Possible Applications?
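• Framework for constructing OT protocols.
• Example: f(g,y) = g^y mod p.
• Has unconditional SFE (Alice holds g, Bob holds y):
  1. Alice: choose random r.
  2. Alice sends g^r.
  3. Bob sends g^(ry).
  4. Alice: calculate g^y = b^(1/r), where b is the value received in step 3.
• Row non-transitive under CDH assumption.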
. . . Possible Applications?
• Use reduction to construct OT:
  1-2-OT (Alice holds c, Bob holds b0, b1)
  1. Alice: choose random r, g0, g1. Bob: choose random y.
  2. Alice sends g0, g1, g_c^r.
  3. Bob: calculate z = g_c^(ry).
  4. Bob sends z, h(g0^y) ⊕ b0, h(g1^y) ⊕ b1.
  5. Alice: calculate g_c^y = z^(1/r) and the bit b_c.
• What did we get? A scheme similar to [Bellare & Micali 89]!
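Both protocols from the two "Possible Applications" slides, the blinded evaluation of f(g,y) = g^y mod p and the 1-2-OT built on it, as an added example that is not code from the talk. Assumptions made here: a toy safe prime P = 2Q + 1 with all group elements taken from the order-Q subgroup (so that 1/r exists modulo Q), a SHA-256 bit as a stand-in for the hardcore bit h, and all function names.

```python
import hashlib
import secrets

# Toy parameters (assumptions, far too small for real use): P = 2Q + 1 is a
# safe prime; squares modulo P other than 1 all have prime order Q.
P, Q = 1019, 509

def rand_elem():
    """Random element of order Q: the square of a value in [2, P-2]."""
    return pow(secrets.randbelow(P - 3) + 2, 2, P)

def h(elem):
    """Stand-in for the hardcore bit h (assumption): low bit of SHA-256."""
    return hashlib.sha256(str(elem).encode()).digest()[-1] & 1

def sfe_exp(g, y):
    """Alice holds g (of order Q), Bob holds y. Returns (Alice's output, Bob's view)."""
    r = secrets.randbelow(Q - 1) + 1     # 1. Alice: random r in [1, Q-1]
    blinded = pow(g, r, P)               # 2. Alice -> Bob: g^r
    b = pow(blinded, y, P)               # 3. Bob -> Alice: g^(ry)
    out = pow(b, pow(r, -1, Q), P)       # 4. Alice: b^(1/r) = g^y
    return out, blinded

def ot_from_exp(c, b0, b1):
    """Alice holds c, Bob holds b0, b1. Returns Alice's output bit."""
    r = secrets.randbelow(Q - 1) + 1     # 1. Alice: random r, g0, g1
    gs = (rand_elem(), rand_elem())
    blinded = pow(gs[c], r, P)           # 2. Alice -> Bob: g0, g1, g_c^r
    y = secrets.randbelow(Q - 1) + 1     # 1. Bob: random y
    z = pow(blinded, y, P)               # 3. Bob: z = g_c^(ry)
    m0 = h(pow(gs[0], y, P)) ^ b0        # 4. Bob -> Alice: z and both masked bits
    m1 = h(pow(gs[1], y, P)) ^ b1
    g_c_y = pow(z, pow(r, -1, Q), P)     # 5. Alice: g_c^y = z^(1/r)
    return (m0, m1)[c] ^ h(g_c_y)

if __name__ == "__main__":
    print(sfe_exp(4, 123)[0] == pow(4, 123, P), ot_from_exp(0, 1, 0))
```

Because r is uniform in [1, Q-1] and the subgroup has prime order, the blinded value g_c^r that Bob sees has the same distribution for c = 0 and c = 1.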
Further Work ?
• Construct a new OT protocol using framework
• Symmetric SFE
• Probabilistic Functionalities.
Further Issues : Symmetric SFE
• “All or nothing” result for Boolean functions [CK89, Kil91].
• Gap in information theoretic world [Kush92]
• Completeness for crypto-gates iff contains Imbedded Or [Kil91]:
         y0   y1
    x0   a    a
    x1   a    b
• Does not hold for large domain functions!
  Consider the following complete function:
  f((c, x0, x1), (y0, y1)) = (x0 yc, x1 g(y1-c))
  g one-way 1-1 function
Further Issues: Probabilistic functionalities
• Probabilistic functionality (as opposed to deterministic functions)
  • Some criteria for completeness in [Kil00].
• Anything possible if OT exists
• What if no OT? Any useful weaker assumptions?
Summary:
• Showed that combinatorial criteria do not generalize to large domain functions.
• Introduced alternative computational criteria for completeness & triviality.
• Surprising “All or nothing” nature remains.
Thank You