covert two-party computation
COVERT TWO-PARTY COMPUTATION
LUIS VON AHN
CARNEGIE MELLON UNIVERSITY
JOINT WORK WITH NICK HOPPER
JOHN LANGFORD
HAVE YOU EVER
BEEN IN LOVE BUT DIDN’T HAVE THE GUTS TO CONFRONT THE PERSON?
WANTED TO BRIBE AN OFFICER?
WANTED TO COLLUDE WITH ANOTHER PLAYER TO CHEAT IN A CARD GAME?
WANTED TO STAGE A COUP D’ETAT TO OVERTHROW THE PRESIDENT?
INFILTRATED A TERRORIST CELL?
TWO-PARTY COMPUTATION
ALLOWS TWO PARTIES WITH SECRET INPUTS X AND Y TO LEARN F(X,Y) BUT NOTHING ELSE
[DIAGRAM: PARTY 1 HOLDS X, PARTY 2 HOLDS Y; BOTH RECEIVE F(X,Y)]
F(X,Y) = 1 IF X>Y
0 OTHERWISE
$45 MILLION $32 MILLION
F(X,Y)=1
LET’S NOT GET MARRIED
JEN BEN
BRITNEY SPEARS
I DON’T WANT HIM TO KNOW THAT I LIKE HIM
UNLESS HE LIKES ME TOO!
I LIKE HIM, BUT I’M SHY!
WHAT SHOULD I DO? ME
WE’LL USE TWO-PARTY COMPUTATION
IF HE DOESN’T, THEN F(X,Y) = 0 SO HE WON’T KNOW THAT I LIKE HIM
IF HE LIKES ME, WE WILL BOTH FIND OUT
IF X,Y ARE BITS, LET F(X,Y) = X AND Y
1 MEANS “YES”, 0 MEANS “NO”
LET’S FIGURE OUT IF WE LIKE
EACH OTHER
COVERT TWO-PARTY COMPUTATION
EXTERNAL COVERTNESS
NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL
INTERNAL COVERTNESS
AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS
THE WAR ON TERROR
I GUESS I CAN USE MY
BAZOOKA
HAVE YOU SEEN MY
AK-47?
YOU LEFT IT NEXT TO MY
GRENADES
THE AXIS OF EVIL SHALL PREVAIL!
MI-6 AGENT
CIA AGENT
HE WORKS FOR CIA
HE WORKS FOR MI-6
THE WAR ON TERROR
THE UTTERANCES CONTAINED A COVERT TWO-PARTY COMPUTATION
THE FUNCTION F VERIFIED THE CREDENTIALS
X WAS A CREDENTIAL SIGNED BY CIA AND Y WAS SIGNED BY MI-6
SINCE BOTH WERE VALID, IT OUTPUT $1^K$
FOR ANY OTHER INPUTS, F OUTPUTS A RANDOM VALUE
COVERT TWO-PARTY COMPUTATION
EXTERNAL COVERTNESS
NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL
INTERNAL COVERTNESS
AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS
CANNOT BE DONE WITH STANDARD TWO-PARTY COMPUTATION
WHO KNOWS WHAT?
WE ASSUME THAT BOTH PARTIES KNOW THE FUNCTION THEY WISH TO EVALUATE
BOTH KNOW WHICH ROLE THEY ARE TO PLAY IN THE EVALUATION
BOTH KNOW WHEN TO START COMPUTING
ORDINARY COMMUNICATION
MESSAGES ARE DRAWN FROM A SET $\mathcal{D}$
TIME PROCEEDS IN DISCRETE TIMESTEPS
EACH PARTY MAINTAINS A HISTORY h OF ALL DOCUMENTS THEY SENT AND RECEIVED
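TO EACH PARTY P, WE ASSOCIATE A FAMILY OF PROBABILITY DISTRIBUTIONS ON $\mathcal{D}$: $\{B^P_h\}$
[DIAGRAM: P1 AND P2 EXCHANGE DOCUMENTS]
AT t0: P1 HOLDS $h_{P_1}$ AND SENDS $D_1 \leftarrow B^{P_1}_{h_{P_1}}$; P2 HOLDS $h_{P_2}$ AND SENDS $D_2 \leftarrow B^{P_2}_{h_{P_2}}$
THEN $h_{P_1} = h_{P_1} + (D_1, D_2)$ AND $h_{P_2} = h_{P_2} + (D_2, D_1)$
AT t1: P1 SENDS $D'_1 \leftarrow B^{P_1}_{h_{P_1}}$; P2 DRAWS FROM $B^{P_2}_{h_{P_2}}$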
WE ASSUME THAT
DDH IS HARD: GIVEN $g^x$, $g^y$ PARTIES CAN’T EFFICIENTLY DISTINGUISH $g^{xy}$ FROM $g^z$
WE SHOW THAT
COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST HONEST-BUT-CURIOUS ADVERSARIES
IN THE RO MODEL, FAIR COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST MALICIOUS ADVERSARIES
ROADMAP
1. USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM
2. SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM
BASIC-ENCODE
INPUT: $H \in \mathcal{H}$, TARGET C, BOUND K
LET J = 0
REPEAT:
  SAMPLE S ← D, INCREMENT J
UNTIL H(S) = C OR J > K
OUTPUT: S
LET D BE A DISTRIBUTION ON $\mathcal{D}$ AND $\mathcal{H}$ BE A PAIRWISE INDEPENDENT FAMILY OF HASH FUNCTIONS
ALLOWS SENDING C ENCODED IN SOMETHING THAT COMES FROM D
IF: UNIFORM, PROPER SIZE, ENOUGH MIN ENTROPY … THEN THE DISTRIBUTION ON S IS STATISTICALLY INDISTINGUISHABLE FROM D
[DIAGRAM: 001 (LOOKS UNIFORM) → BASIC-ENCODE → “OOPS! I DID IT AGAIN” (LOOKS NORMAL)]
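Added example, not from the original slides: BASIC-ENCODE in Python over a constructed 64-message channel, with SHA-256 under a shared key assumed in place of the pairwise independent hash family. It counts the receiver's decoding errors for a large bound K and for K = 0, and computes the exact statistical distance between the encoder's output and D; `DOCS`, `round_trip_errors` and `distance_from_channel` are names introduced here.

```python
import hashlib
import random

# Constructed toy channel D: uniform over 64 ordinary-looking messages.
DOCS = [f"{g} {n}, {q}" for g in ("hi", "hello", "hey", "yo")
        for n in ("ann", "bob", "cy", "dee")
        for q in ("lunch?", "call me", "see you", "running late")]

def H(key, doc, bits):
    """Keyed hash to `bits` bits; SHA-256 is an assumed stand-in for the family."""
    digest = hashlib.sha256(key + doc.encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def basic_encode(key, c, bits, k, rng):
    """Sample S <- D until H(S) == c or more than k draws were made; output S."""
    j = 0
    while True:
        s = rng.choice(DOCS)
        j += 1
        if H(key, s, bits) == c or j > k:
            return s

def round_trip_errors(key, bits, k, trials, rng):
    """Count targets c that the receiver decodes wrongly from the sent document."""
    errors = 0
    for _ in range(trials):
        c = rng.randrange(2 ** bits)          # uniform target, as the slide requires
        errors += H(key, basic_encode(key, c, bits, k, rng), bits) != c
    return errors

def distance_from_channel(key, bits):
    """Exact statistical distance between D and the encoder output for uniform c,
    when the bound k is large enough never to be hit for reachable targets."""
    classes = {}
    for d in DOCS:
        classes.setdefault(H(key, d, bits), []).append(d)
    out = dict.fromkeys(DOCS, 0.0)
    for c in range(2 ** bits):
        members = classes.get(c, DOCS)        # unreachable c: output is a plain draw from D
        for d in members:
            out[d] += 1 / (2 ** bits * len(members))
    return sum(abs(p - 1 / len(DOCS)) for p in out.values()) / 2

if __name__ == "__main__":
    rng, key = random.Random(7), b"constructed-shared-key"
    print("errors, k=200:", round_trip_errors(key, 1, 200, 500, rng))
    print("errors, k=0:  ", round_trip_errors(key, 1, 0, 500, rng))
    print("distance to D, 1 bit/doc:", distance_from_channel(key, 1))
```

With K = 0 the encoder emits its first draw regardless of the hash, so the output is exactly D but the receiver decodes the wrong bit about half the time; a large K removes the errors at the cost of the small distance the last function reports.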
ROADMAP
1. USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM
2. SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM
COVERT OBLIVIOUS TRANSFER
IT IS POSSIBLE TO MODIFY AN OBLIVIOUS TRANSFER SCHEME BY NAOR AND PINKAS SO THAT ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM RANDOM BITS
THE MODIFIED NAOR-PINKAS OT PLUGGED INTO YAO’S “GARBLED CIRCUIT” GIVES A SCHEME WITH MESSAGES THAT ARE INDISTINGUISHABLE FROM UNIFORM
[DIAGRAM LABELS: OT, UNIFORM; YAO + OT]
F(X,Y)=1 F(X,Y)=1
OOPS! MALICIOUS ADVERSARIES CAN BREAK THIS PROTOCOL
WE CANNOT SIMPLY USE ZK TO FIX IT
YOU’RE SO SMART BRITNEY!
MATH IS FUN!
THE END
COMPETITOR COOPERATION
TWO COMPETING ONLINE RETAILERS ARE COMPROMISED BY A HACKER
NEITHER CAN CATCH THE HACKER BY THEMSELVES
HOWEVER, NEITHER WILL ADMIT THAT THEY WERE HACKED UNLESS THE OTHER WAS HACKED TOO
PARTY P CAN DRAW FROM $B^P_h$ FOR ANY PLAUSIBLE h
ADVERSARY KNOWS $B^P_h$ FOR ANY P, h
WE ASSUME THAT
DDH IS HARD: GIVEN $g^x$, $g^y$ PARTIES CAN’T EFFICIENTLY DISTINGUISH $g^{xy}$ FROM $g^z$