Completeness in Two-Party Secure Computation Revisited
Danny Harnik Moni Naor Omer Reingold Alon Rosen
Weizmann Institute of Science
AT&T
IAS
Secure Function Evaluation (SFE) of a Function f
f(x,y)
Alice learns “nothing
else”
Bob learns “nothing”
Alice
x
Bob
y
Many possible definitions and settings. We concentrate on a specific setting:
• Asymmetric version (only Alice gets output).
• Deterministic functions (vs. prob. functionality)
• Computational security definitions.• Definition via simulation.
• Honest but curious model.• Can use compiler of [GMW86] for malicious model.
Secure Function Evaluation• General framework that captures many
cryptographic tasks.• SFE for any poly-time f - key
achievement in cryptography.
Oblivious Transfer
• Rabin-OT (Noisy-OT) - Sender has bit b. Receiver learns b with probability 1/2. Sender doesn’t know if bit was received.
• 1-2 OT [EGL85] - Sender has two bits b0, b1 and Receiver has choice bit c. Receiver learns bc but not b1-c. Sender learns nothing of c.
• Can view as an asymmetric SFE protocol.• Equivalence between them showed by Crépeau 87.
Many variants are “information theoretic” equivalent.
Several equivalent flavors:
1-2 Oblivious Transfer
bc
Alice learns nothing about
b1-c
Bob learns nothing about
c
Alice
c
Bob
b0,b1
Completeness of OT
• OT is Complete for SFE. [Yao, GMW, Kilian]
What does Complete mean?• SFE for any efficiently computable function f
can be constructed using “solely” a protocol for OT.
Several constructions for OT exist, relying on various computational assumptions (PKC).
•Not the focus of this talk.
SFE-Completeness• g securely reduces to f if an SFE for g can
be constructed using an SFE protocol for f.
• f is SFE-Complete if every poly-time function g securely reduces to f.
• To show that f is complete, enough to show a reduction from OT to f.
x y
g(x,y)
f(x’,y’)
SFE Complete - Questions
• Are there other complete functions? • Is there a “nice” classification of all the
complete functions?• Are there functions that have “trivial”
SFE protocols (under no assumption)?• Are there functions that are neither
complete nor trivial?
Main Result
• Introduce a computational criterion for completeness called Row Non-Transitivity.
Main Theorem• If f is Row Non-Transitive then it is SFE-
Complete.• If f is Row Transitive then there is a trivial
SFE protocol for f.
Corollary: Complete Classification
• Essentially all “nice” functions are either SFE-Complete or have a trivial SFE protocol.
Previous Work
• SFE-Completeness discussed in:[CK91, Kush92, Kil91, KMO94, BMM99, Kil00]
Beimel, Chor, Kilian, Kushilevitz, Malkin, Micali, Ostrovsky
• Mostly studied under Information Theoretic security definitions.
• Strong results in form of combinatorial criteria. Insecure Minor, Imbedded Or
• Most works consider finite functions (i.e. functions on constant domain size)
Insecure Minor [Beimel, Malkin & Micali 99]
• A function f(.,.) is said to contain an Insecure Minor if there are inputs x0, x1, y0, y1 such that :
y0 y1
x0 a a x1 b c
Where b c.
. . . Insecure Minor [BMM]
• If a finite function f(.,.) contains an insecure minor then f is complete.
• Otherwise f has an SFE protocol (f is “trivial”).
Full characterization of finite functions.
Surprising “all or nothing” behavior.
What about non-finite functions?
Does the insecure minor characterization work when the domain is large?
• Completeness: Same reduction.
• Triviality: ...
Example 1: one-to-one functions
• Consider one-to-one functions • Do not contain an insecure minor.
• Trivial SFE for 1-1 function f(x,y):• Bob sends y to Alice.• Alice calculates f(x,y).
• Security: given f(x,y) a simulator can find y (since f is 1-1).
But the simulator might not be efficient for functions on large domain!
y0 y1
x0 a a x1 b c
Example 2: A “trivial” function that is complete• Let g be a 1-1 One-Way function.
• Consider the following function :
f(c, y0, y1) = (c, yc, g(y1-c) )
x y
f is 1-1 and hence has no insecure minor.• Claim: f is SFE-Complete ! Note: 1-1 one-way functions are not known to imply the
existence of OT (BB separation Impagliazzo Rudich).
1-2-OT from SFE for f
(c, yc, g(y1-c) )
4. Alice calculates bc
1. Choose random y0, y1
2. SFE for f(c, y0, y1)
3. h(y0)b0, h(y1)b1
1-2-OT
* h is a hardcore bit of g
Alice
c
Bob
b0,b1
Open Questions in the Computational Setting
• Is there a simple characterization of SFE-Complete functions and of trivial functions?
• How do these sets relate? All or nothing?
Yes.
Almost tight.
Row Non-Transitivity
• A function f(.,.) is (Computational) Row Non-Transitive if:
for some x0, x1 and Dy it is (somewhat) hard to calculate f(x1,y) given x0, x1 and f(x0,y) for yrDy.
• A function f(.,.) is (Computational) Row Transitive if:
for all x0, x1 and y it is easy to calculate f(x1,y) given x0, x1 and f(x0,y).
Illustration of row non transitivity
x0
x1
y
Hard
f
Main Theorem• Completeness: If a function f(.,.) is
• row non-transitive • efficiently computablethen f is SFE-Complete.
• Triviality: If function f(.,.) is • row transitive• efficiently computable
then f has a trivial SFE.
Note: There is a small gap between the two criteria.Why? Hard and easy not complementary…
Trivial SFE for row transitive f
Calculate f(x,y) Choose input x’ x’, f(x’, y)
SFE for f
Security:• Bob learns nothing.• Simulating Alice’s view: choose x’ and
calculate f(x’,y) from f(x,y).
Alice
x
Bob
y
Completeness Sketch
• Using an SFE for f we construct a Naive-OT protocol.
• Naive-OT is an SFE of the function:
f(c, b) = { b if c=1
if c=0
• Recall: f is row non-transitive if there are choices of x0, x1, y such that it is hard to calculate f(x1,y) given x0, x1 and f(x0,y).
Completeness Sketch: Naive-OT from SFE for f
f(xc, y)
5. If c=1 calculate b
Alice
c
Bob
b
3. SFE for f(xc, y)
4. h(f(x1,y))b
* h is the GL hardcore bit
1. Choose x0, x1, y
2. x0, x1
Security of the Protocol
• Easy to argue: Bob learns nothing because only receives information via the SFE protocol.
• Should argue: Alice learns nothing if c=0, or this will contradict the hardness of the hardcore bit.
Technical Issues
• Somewhat non-standard use of the hardcore bit - Not a one-way function: could be hard both ways
• Need “strong hardness” of function for hardcore bit proof • Our hardness is defined as weak• Standard hardness amplification relies
strongly on one-wayness.
Solutions
• Only claim that a GL bit is “weakly” hard• Cannot predict with probability better than
9/10.
• Introduce a relaxed version (implementation) of naive-OT that we call Weak-OT.
• Show how to construct OT from Weak-OT • Via amplification using Yao’s Xor Lemma.
Full Definition of Non-transitivity
A function f(.,.) is Computational Row Non-Transitive if there exist• Samplable distributions Dx, Dy • A polynomial p(.)
such that
for every PPTM M and all but finitely many n’s.
Pr[ M(x0, x1, f(x0, y)) = f(x1, y) ] < 1-1/p(n)
Insecure Minor Non-Transitive
• Dx uniform on {x0,x1}
• Dy uniform on {y0,y1}
• PPTM M: Pr[ M(x0, x1, f(x0, y)) = f(x1, y) ] ½
y0 y1
X0 a aX1 b c
Meaning of this Result
• Quantity• Complexity• Application
Insecure Minor
Complete
Trivial
Row Non-Transitivity
Efficiently computable functions f(x,y)
Complexity Discussion
• OT exists (Cryptomania in [Impagliazzo 95]) SFE-C = Eff-SFE• OT doesn’t exist but OWF do ( Minicrypt in [Imp95]):
• Are there intermediate assumptions? • Assumptions of type “function f has an SFE protocol”
?
Our results: As far as SFE goes, no additional worlds between Minicrypt & Cryptomania !
Minicrypt (OWF)
Cryptomania (OT)
?
Possible Applications?
Provides a tool for proving easily that a function is complete
• Example: f(x,y)=(x+y)3 mod N. Factorization of N unknownIs it complete? Trivial?Note: “almost” a permutation for x and for y
Assuming RSA is hard - f is row non-transitive f is complete.
. . . Possible Applications?
• Framework for constructing OT protocols.• Example: f(g,y) = gy mod p.
• Has SFE under CDH assumption:
1. Choose random r
g y2. a = gr
3. b = gry
4. Calculate gy = b 1/r
. . . Possible Applications?
• Use reduction to construct OT:
Naive-OT
c b
2. g0, g1, gcr
4. z, h(g1y)b
5. If c=1 calculate g1y = z
1/r and the bit b
3. Calculate z=gcry
1. Choose random r, g0, g1
1. Choose random y
• What did we get?A scheme similar to [Bellare & Micali 89]!
Can the Gap be closed?
• Possible to narrow the gap by relaxing the definitions of SFE.
• Can the gap be closed altogether ? • Not clear. Example:
f(x,y) = OT(x,y)f(x,y) = y
|y|2...222
22222222222
2222222
222
nToo short -Low security
Too long - High running time
Further Issues : Symmetric SFE
• “All or nothing” result for Boolean functions [CK89, Kil91].
• Gap in finite functions world [Kush92] • Completeness for finite functions iff
contains Imbedded Or [Kil91]:
y0 y1
x0 a a x1 a b
• Does not hold for non-finite functions!
Consider the following complete function: f((c, x0, x1), (y0, y1)) = (x0 yc, x1 g(x1-c))g one-way 1-1 function
Further Issues: Probabilistic functionalities
• Probabilistic functionality (not deterministic functions) • Some criteria for completeness in [Kil
00].
• Interesting even when neither party has an input (IOS)! Does not have an interesting information
theoretic analogue
Further Issues: semi honest vs malicious
• BMM: Use GMW86 transformation• GMW transformation requires one-way
functions• Exist in Minicrypt and above• SFE of a row non-transitive f implies
• Honest OT• One-way functions [Impagliazzo Luby]
• Argument does not work when SFE done by magic (quantum, noisy channels, etc..)
• What about cheating in trivial protocols?• In contrast Kilian 2000: for finite functions
Complete SFE are not the same for• Honest and Curious • Malicious