On the Cryptographic Complexity of the Worst Functions
Amos Beimel (BGU), Yuval Ishai (Technion), Ranjit Kumaresan (Technion), Eyal Kushilevitz (Technion)
How Bad are the Worst Functions?
Function class F_N of all functions f : [N] × [N] → {0,1}
Standard complexity-theoretic measures
• Circuit complexity: Θ(N²/log N) [Sha48,Lup58]
• 2-party communication complexity: Θ(log N) [Yao79]
This work: cryptographic complexity of the worst functions
Information-theoretic cryptography
• Communication complexity
• Randomness complexity
Model
Security model
• Information-theoretic: unbounded adversaries, statistical/perfect security
• Semi-honest adversary: no deviation from protocol
Functions
• Function class F_N: class of all two-argument functions f : [N] × [N] → {0,1}
• Interested in worst f ∈ F_N
Crypto primitives
• Secure computation: various models; communication/randomness
• Secret sharing: share complexity
Secure Computation: What is Known?
Information-theoretic security
• Honest majority [RB89,BGW88]
• 2-party in the OT-hybrid or preprocessing model [Kil88,Bea95]
• Impossible in plain model [Kus89]
• Private Simultaneous Messages [FKN94]
[Diagram: two parties hold inputs x and y and receive outputs f1(x,y) and f2(x,y)]
• Best upper bounds linear in N
– Sublinear if big honest majority [BFKR90,IK04]
• Counting arguments yield weak lower bounds
Can communication complexity be made logarithmic in N?
2-Party Secure Computation (2PC)
Information-theoretic security
• Impossible in plain model [Kus89]
• OT-hybrid/preprocessing model
• Popular protocols [GMW87, Y86]
Information-theoretic garbled circuits [Yao86]
• Depends on circuit structure
• Quadratic in formula depth
• Exponential-in-depth overhead for circuits
GMW [GMW87]
• Gate-by-gate evaluation of given circuit
• #OTs required: twice #AND gates
• Communication cost: twice #AND gates
[Diagram: two parties hold inputs x and y and receive outputs f1(x,y) and f2(x,y)]
What is Known? OT-Hybrid Model
Oblivious Transfer [Rab81,EGL85]
[Diagram: sender holds (x0, x1), receiver holds choice bit b and learns x_b]
OT extension
• Impossible in information-theoretic setting [Bea97]
• OT as an “atomic currency”
Pre-computation
• Random OT correlations can be “corrected” [Bea95]
[Diagram: a precomputed random OT gives the sender (y0, y1) and the receiver (c, y_c); receiver sends d = c ⊕ b; sender sends z0 = x0 ⊕ y_d, z1 = x1 ⊕ y_(1−d); receiver outputs z_b ⊕ y_c]
Complete
• Given ideal OT oracle, can get information-theoretic 2-party secure computation [Kil88,GV88]
*Slide created before revelations
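Beaver's correction step from the slide above, written out as an added example (my code, not the talk's or the paper's): a random OT correlation produced offline is turned into an OT on the sender's actual bits x0, x1 and the receiver's actual choice b. Function names are mine; the message formulas are the ones on the slide.

```python
import secrets

def precompute_random_ot():
    """Offline phase: one random OT correlation (an 'OT correlation' in the talk's terms).
    Sender gets (y0, y1); receiver gets (c, y_c) for a uniform choice bit c."""
    y0, y1, c = secrets.randbits(1), secrets.randbits(1), secrets.randbits(1)
    return (y0, y1), (c, (y0, y1)[c])

def receiver_choice(b, c):
    """Receiver -> sender: d = c xor b. c is uniform and unknown to the sender, so d hides b."""
    return c ^ b

def sender_correct(x0, x1, y0, y1, d):
    """Sender -> receiver: z0 = x0 xor y_d, z1 = x1 xor y_(1-d)."""
    ys = (y0, y1)
    return x0 ^ ys[d], x1 ^ ys[1 - d]

def receiver_output(b, y_c, z0, z1):
    """Receiver unmasks z_b with its precomputed y_c: z_b xor y_c = x_b."""
    return (z0, z1)[b] ^ y_c

def corrected_ot(x0, x1, b):
    """One full run: consumes a fresh random OT correlation, returns what the receiver learns."""
    (y0, y1), (c, y_c) = precompute_random_ot()
    d = receiver_choice(b, c)
    z0, z1 = sender_correct(x0, x1, y0, y1, d)
    return receiver_output(b, y_c, z0, z1)

def unopened_message_is_masked(x0, x1, b):
    """Receiver-privacy check: the message the receiver does not open, z_(1-b), equals
    x_(1-b) xor y_(1-c), and y_(1-c) is the correlation bit the receiver never received."""
    (y0, y1), (c, _) = precompute_random_ot()
    d = receiver_choice(b, c)
    z = sender_correct(x0, x1, y0, y1, d)
    return z[1 - b] == (x0, x1)[1 - b] ^ (y0, y1)[1 - c]

def all_inputs_correct():
    """Exhaustive check over the 8 possible (x0, x1, b): the receiver always gets x_b."""
    return all(corrected_ot(x0, x1, b) == (x0, x1)[b]
               for x0 in (0, 1) for x1 in (0, 1) for b in (0, 1))
```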
OT Complexity
OT complexity of a function f: number of (bit) OTs required to securely evaluate f
• Let F_N be the class of all 2-party f : [N] × [N] → {0,1}
• What is the OT complexity of the worst function in F_N?
Circuit-based 2PC:
• O(N²/log N) [GMW87]
Truth-table-based 2PC:
• O(N) via 1-out-of-N OT
• 1-out-of-N OT from O(N) 1-out-of-2 OTs [BCR86]
This work: O(N^(2/3)) OT complexity
[Diagram: ideal evaluation of f(x,y); truth-table-based 2PC as a 1-out-of-N OT in which Alice offers f(x,1), f(x,2), …, f(x,N) and Bob selects with y]
Preprocessing Model
Correlated randomness
• Independent of inputs
• May depend on f
[Diagram: the offline phase hands r_A to Alice and r_B to Bob; in the online phase Alice (x, r_A) and Bob (y, r_B) both output f(x,y)]
OT correlations
• Special case
• Pre-computed OTs
• “Simpler” correlations
• Indep. of function
Correlated Randomness Complexity
Correlated randomness complexity of a function f: size of correlated randomness required to securely evaluate f
• Let F_N be the class of all 2-party f : [N] × [N] → {0,1}
• Correlated randomness complexity of the worst function in F_N?
O(log N) online communication [IKMOP13]
• Correlated randomness: O(N²)
Truth-table-based 2PC: O(N)
• Via 1-out-of-N OT [BCR86]
This work: 2^(Õ(√log N)) correlated randomness
Private Simultaneous Messages (PSM)
Model [FKN94]
• Multiple clients
• Share randomness r
• Single referee
• Non-interactive
• Referee learns only f(x,y)
• No collusion
[Diagram: clients with inputs x and y and shared randomness r each send one message to the referee, who outputs f(x,y)]
Why PSM?
• Minimal model of secure computation [FKN94]
• Applications in round-efficient protocol design [IKP10]
• Connections to secret sharing! [BI01]
What is Known?
[FKN94,IK97]
• Efficient for f with small formulas, branching programs
• Worst case f: O(N)
• Lower bound: 3 log N − 4
[Diagram of the O(N) protocol: shared randomness r = (s, (r1, …, rN)); Alice sends f(x,1+s) + r1, f(x,2+s) + r2, …, f(x,N+s) + rN; Bob sends y−s and r_(y−s); referee outputs f(x,y)]
PSM Complexity
PSM complexity of a function f: communication complexity of PSM protocol for f
This work: O(√N) PSM complexity
• What is the PSM complexity of the worst function in F_N?
Secret Sharing
Model
• External dealer + n parties
• Dealer has input secret s
• Sends “shares” to parties; then inactive
• Access structure: set of “authorized” subsets
• Secret hidden from unauthorized subsets
• Any authorized subset can reconstruct s
What is Known?
Share complexity: size of each share
• Best upper bound: 2^(O(n)) [BL90,Bri89,KW93]
• Best lower bound: Ω(n/log n) [Csi97]
Poly(n) share complexity for every n-party access structure?
Forbidden Graph Access Structures
Forbidden graph [SS97]
• Graph G = (V,E) with |V| = N
• Authorized subsets:
– Sets {u,v} with (u,v) ∈ E
– Any set of size ≥ 3
• Naïve solution: O(N) [SS97,BL90]
• O(N/log N) share complexity [BDGV96,EP97,Bub86]
This work: O(√N) share complexity
• What is the share complexity of the worst N-vertex graph?
Talk Outline
• Main technical tool: PIR
• OT complexity
• Correlated randomness complexity
• PSM complexity
• Share complexity for forbidden graphs
Private Information Retrieval
Model [CGKS95]
• Single client
• Multiple servers; each server has same DB
• Size of DB = N (bits); DB unknown to client
• Client input: index i ∈ [N]
• Privately retrieve DB[i]
• No collusion among servers
• Goal: min. communication
Query generation: (q1, q2) ← Q(i, r)
Answer generation: a_k ← A(k, q_k, DB)
Reconstruction: z ← R(i, r, a1, a2)
Best known PIR schemes
• 2-server: O(N^(1/3)) [CGKS95]
• 3-server: 2^(Õ(√log N)) [Yek07,Efr09]
[Diagram: client with index i and randomness r sends q1, q2 to two servers holding DB, receives a1, a2 and reconstructs z]
Talk Outline
• Main technical tool: PIR
• OT complexity – Upper bound: O(N^(2/3)), via 2-server PIR
• Correlated randomness complexity
• PSM complexity
• Share complexity for forbidden graphs
OT-Hybrid Model (Recap)
• Let F_N be the class of all 2-party f : [N] × [N] → {0,1}
• What is the OT complexity of the worst function in F_N?
OT complexity of a function f: number of (bit) OTs required to securely evaluate f
• Circuit-based 2PC for worst f: O(N²/log N) [GMW87]
• Truth-table-based 2PC for worst f: O(N), 1-out-of-N OT [BCR86]
• OT is “complete”
• Pre-computation
• No OT extension
[Diagram: OT: sender holds (x0, x1), receiver holds b and learns x_b]
O(N^(2/3)) Upper Bound on OT Complexity: Via 2-server PIR
Notation
• PIR algorithms: Q, A, R
– (q1, q2) ← Q(i, r)
– a_k ← A(k, q_k, DB)
– z ← R(i, r, a1, a2)
• Circuit for alg. B: C(B); |C(B)| = #ANDs in C(B)
High-level idea: use 2-party secure computation to emulate client + 2 PIR servers
• DB = truth table of f
• Client query = x||y
[Diagram: Alice (x, r1) and Bob (y, r2) run GMW(C(Q')) with Q' = Q(x||y, r1 ⊕ r2) to obtain q1 and q2; Alice computes a1 = A(1, q1, f), Bob computes a2 = A(2, q2, f); they run GMW(C(R')) with R' = R(x||y, r1 ⊕ r2, a1, a2) and both output f(x,y)]
Efficiency
• 2-server PIR [CGKS95]: |C(Q)| = |C(R)| = O(N^(2/3))
• By property of GMW: O(N^(2/3)) OT complexity, O(N^(2/3)) communication
Privacy
• Privacy of GMW
• Privacy of 2-server PIR: query does not leak additional info
More Applications
• Honest-majority secure computation
– Efficient in circuit size [RB89,BGW88]
– Specific setting: n = 3 parties with at most 1 corruption
– Communication 2^(Õ(√log N)) via 3-server PIR
• “ε-secure sampling” from joint distribution D [PP12]
– Protocol lets Alice & Bob sample (x,y) from D
• Alice knows nothing about y (over what is implied by D)
• Bob knows nothing about x (over what is implied by D)
– Rate of secure sampling D over [N] × [N] from OT
– New upper bound: O(N^(2/3) · poly(log N, 1/ε))
Talk Outline
• Main technical tool: PIR
• OT complexity – Upper bound: O(N^(2/3)), via 2-server PIR
• Correlated randomness complexity – Upper bound: 2^(Õ(√log N)), via 3-server PIR
• PSM complexity
• Share complexity for forbidden graphs
Preprocessing Model (Recap)
Offline phase: correlated randomness
• Independent of inputs
• May depend on f
• OT correlations special case
Online phase
[Diagram: Alice (x, r_A) and Bob (y, r_B) both output f(x,y)]
Correlated randomness complexity of a function f: size of correlated randomness required to securely evaluate f
Truth-table-based 2PC: O(N)
• Via 1-out-of-N OT [BCR86]
Correlated randomness complexity of the worst function in F_N?
Correlated Randomness Complexity: 2^(Õ(√log N)) Upper Bound via 3-server PIR
Offline phase
Key observation
• Individual PIR query independent of input
• Q = (Q_{1,2}, Q_3)
• (q1, q2) ← Q_{1,2}(i, r)
• q3 ← Q_3(r)
High-level idea: use 2-party secure computation to emulate client + 3 PIR servers
• DB = truth table of f
• Client query = x||y
[Diagram (offline): r1, r2 are chosen; q3 = Q_3(r1 ⊕ r2); a3 = A(3, q3, f) is additively shared as a3 = a3,1 ⊕ a3,2; Alice receives r1, a3,1 and OT correlations OT_A, Bob receives r2, a3,2 and OT correlations OT_B]
Correlated Randomness Complexity: 2^(Õ(√log N)) Upper Bound
Online phase
Correlated randomness
• Shares of randomness for PIR query generation alg.
• Shares of answer to third PIR query
• OT correlations for GMW
Notation
• PIR algorithms: Q, A, R
• Circuit for alg. B: C(B); |C(B)| = #ANDs in C(B)
[Diagram (online): Alice (x, r1, a3,1) and Bob (y, r2, a3,2) run GMW(C(Q')) with Q' = Q_{1,2}(x||y, r1 ⊕ r2) to obtain q1 and q2; Alice computes a1 = A(1, q1, f), Bob computes a2 = A(2, q2, f); they run GMW(C(R')) with R' = R(x||y, r1 ⊕ r2, a1, a2, a3,1 ⊕ a3,2) and both output f(x,y)]
Efficiency
• 3-server PIR [Efr09]: |C(Q)| = |C(R)| = 2^(Õ(√log N))
• By property of GMW: 2^(Õ(√log N)) OT correlations, 2^(Õ(√log N)) communication
• Correlated randomness: 2^(Õ(√log N))
Privacy
• Additive secret sharing
• Privacy of GMW
• Privacy of 3-server PIR: query does not leak additional info
Improving the Bounds?
• (OT + communication) complexity of 2PC
– Bounded by communication complexity of 2-server PIR
– Client shares its input, then acts as OT oracle
• (Correlated randomness + communication) complexity of 2PC
– Bounded by communication complexity of 3-server PIR [IKM+13]
– 3rd server provides correlated randomness to servers 1 & 2
• Qualitative explanation of difference in efficiency
– 2-server PIR ~ 2PC with OT preprocessing
– 3-server PIR ~ 2PC with arbitrary preprocessing
Summary
• Main technical tool: PIR
• OT complexity – Upper bound: O(N^(2/3)), via 2-server PIR
• Correlated randomness complexity – Upper bound: 2^(Õ(√log N)), via 3-server PIR
• PSM complexity – Upper bound: O(√N), via 4-server PIR
• Share complexity for forbidden graphs – Upper bound: O(√N), using the PSM above
Thank You!
Preliminary version: www.cs.umd.edu/~ranjit/BIKK.pdf
Slides: www.cs.umd.edu/~ranjit/BIKK.pptx
Talk Outline
• Main technical tool: PIR
• OT complexity – Upper bound: O(N^(2/3)), via 2-server PIR
• Correlated randomness complexity – Upper bound: 2^(Õ(√log N)), via 3-server PIR
• PSM complexity – Upper bound: O(√N), via 4-server PIR
• Share complexity for forbidden graphs – Upper bound: O(√N), using the PSM above
Share Complexity (Recap): Forbidden Graph Access Structures
Share complexity: size of each share
Model
• External dealer + n parties
• Dealer inactive after sending “shares”
• Access structure: “authorized” subsets
Forbidden graph [SS97]
• Graph G = (V,E) with |V| = N
• Authorized subsets:
– Sets {u,v} with (u,v) ∈ E
– Any set of size ≥ 3
• O(N/log N) share complexity [DPGV96,EP97,B86]
• What is the share complexity of the worst N-vertex graph?
Bipartite Case: Forbidden Bipartite Graph
• Graph G = (L,R,E) with |L| = |R| = N
• Authorized subsets:
– {x,y} with x ∈ L, y ∈ R, (x,y) ∈ E
– Any set of size ≥ 3
• G associated with f : [N] × [N] → {0,1}
Secret sharing
• Share s using 3-out-of-2N Shamir secret sharing
• Also secret share s = s_L ⊕ s_R ⊕ s'
• Send s_L to x ∈ L
• Send s_R to y ∈ R
• How to share s'?
PSM & Secret Sharing
PSM notation
• Shared randomness: r
• Alice with input x: message A_f(x,r)
• Bob with input y: message B_f(y,r)
Secret sharing scheme for s'
• If dealer input s' = 0: x ∈ L gets A_f(x0,r); y ∈ R gets B_f(y0,r)
• If dealer input s' = 1: x ∈ L gets A_f(x,r); y ∈ R gets B_f(y,r)
High-level idea
• Shares: PSM messages
• Reconstruction: PSM reconstruction
• Good for s' = 1
• For s' = 0: pick some x0, y0 s.t. f(x0,y0) = 0
[Diagram: dealer with randomness r sends A_f(x,r) to each x ∈ L and B_f(y,r) to each y ∈ R]
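As an added illustration (my code, not the authors'), the O(N) PSM from the “What is Known?” slide plugged into the s' component of the bipartite scheme just described: Alice's message is the shifted, padded row f(x,·), Bob's is the position y−s with its pad bit, and the dealer hands out exactly these messages as shares, computed for (x,y) when s' = 1 and for a fixed non-edge (x0,y0) when s' = 0. Indices are 0-based, the 4×4 graph is constructed for the check, and the Shamir and s_L, s_R parts of the scheme are left out.

```python
import secrets

def psm_randomness(N):
    """Shared randomness r = (s, (r1..rN)): a cyclic shift s and a one-time pad of N bits."""
    return secrets.randbelow(N), [secrets.randbits(1) for _ in range(N)]

def psm_alice(f, x, r):
    """A_f(x, r): the row f(x, .) shifted by s and masked with the pad
    (0-based form of the slide's f(x, j+s) + r_j, index arithmetic mod N)."""
    s, pad = r
    N = len(pad)
    return [f(x, (j + s) % N) ^ pad[j] for j in range(N)]

def psm_bob(y, r):
    """B_f(y, r): the position j = y - s that holds f(x, y), and its pad bit r_j."""
    s, pad = r
    j = (y - s) % len(pad)
    return j, pad[j]

def psm_referee(msg_a, msg_b):
    """Unmask the one indicated position; the other bits are uniform pad bits, so only f(x, y) leaks."""
    j, pad_j = msg_b
    return msg_a[j] ^ pad_j

def share_s_prime(f, N, s_prime, x0, y0):
    """Shares of the s' component for the forbidden bipartite graph of f:
    s' = 1 -> x in L gets A_f(x, r), y in R gets B_f(y, r);
    s' = 0 -> everyone gets the messages of a fixed non-edge (x0, y0), f(x0, y0) = 0."""
    r = psm_randomness(N)
    left = {x: psm_alice(f, x if s_prime else x0, r) for x in range(N)}
    right = {y: psm_bob(y if s_prime else y0, r) for y in range(N)}
    return left, right

def reconstruct_pair(left, right, x, y):
    """x in L and y in R pool their shares and run the PSM reconstruction."""
    return psm_referee(left[x], right[y])

# Constructed 4x4 bipartite graph (the 1-entries of f); (0, 0) is a non-edge.
EDGES = {(0, 1), (1, 2), (2, 0), (3, 3), (1, 3)}

def f_graph(x, y):
    return int((x, y) in EDGES)

def edges_learn_s_prime_nonedges_do_not(N=4):
    """Every edge reconstructs s'; every cross pair that is a non-edge reconstructs 0 for both s'."""
    for s_prime in (0, 1):
        left, right = share_s_prime(f_graph, N, s_prime, 0, 0)
        if any(reconstruct_pair(left, right, x, y) != (s_prime if (x, y) in EDGES else 0)
               for x in range(N) for y in range(N)):
            return False
    return True
```

Two parties on the same side (both in L) are not covered by this check: with this PSM they can compare their messages, which is what the slide's s_L and s_R masks and the 3-out-of-2N Shamir layer take care of.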
Forbidden Graph Access Structures
• From bipartite to general graphs
– Decomposed into log N bipartite graphs
– Apply standard techniques [BL90,Sti94]
• Forbidden graph access structures
– O(√N) share complexity
– Via O(√N) PSM
• Scheme is non-linear (?)
– Matches best known lower bound for linear schemes: Ω(√N) [Min12]
Summary
• Cryptographic complexity of worst functions
– Main technical tool: PIR
• OT complexity – Upper bound: O(N^(2/3)), via 2-server PIR
• Correlated randomness complexity – Upper bound: 2^(Õ(√log N)), via 3-server PIR
• PSM complexity – Upper bound: O(√N), via 4-server PIR
• Share complexity for forbidden graphs – Upper bound: O(√N), using the PSM above
Thank You!
Preliminary version: www.cs.umd.edu/~ranjit/BIKK.pdf
Slides: www.cs.umd.edu/~ranjit/BIKK.pptx
Talk Outline
• Main technical tool: PIR
• OT complexity – Upper bound: O(N^(2/3)), via 2-server PIR
• Correlated randomness complexity – Upper bound: 2^(Õ(√log N)), via 3-server PIR
• PSM complexity – Upper bound: O(√N), via 4-server PIR
• Share complexity for forbidden graphs, using the PSM above
PIR Examples [CGKS95]
2^d-server PIR with O(N^(1/d)) communication
Notation: T ⊕ c = T ∪ {c} if c ∉ T, and T \ {c} if c ∈ T
PIR queries
• T1 ←_R [N]
• T2 = T1 ⊕ i
PIR answers
• A(k, T_k) = ⊕_{j ∈ T_k} DB[j]
• z = A(1,T1) ⊕ A(2,T2)
Efficiency
• Client → Server j: O(N) bits
• Server j → Client: 1 bit
[Diagram: client with index i sends T1 and T2 to the two servers holding DB and receives A(1,T1) and A(2,T2)]
PIR Examples [CGKS95]
2^d-server PIR with O(N^(1/d)) communication
DB as d-dimensional hypercube
• Index i ↔ (i1, …, id)
• Binary rep. of (i − 1)
PIR queries
• Pick (T1, …, Td) ←_R ([N^(1/d)])^d
• Server k: query T_k = (T1 ⊕ (k1·i1), …, Td ⊕ (kd·id)), where k ↔ (k1, …, kd)
PIR answers
• A(k, T_k) = ⊕ DB[k1, …, kd] over k1 ∈ T1', …, kd ∈ Td'
• z = A(1, T_00…0) ⊕ … ⊕ A(2^d, T_11…1)
Efficiency
• Client → Server j: O(d·N^(1/d)) bits
• Server j → Client: 1 bit
[Diagram: client with index i sends T_00…0, …, T_11…1 to servers S1, …, S_2^d and receives one answer bit from each]
Reducing the #Servers [CGKS95]
Key observation: any server can emulate d other servers with cost O(N^(1/d))
Example: 2-server O(N^(1/3)) PIR
• Server 1: query T_000 = (T1, T2, T3)
– List “potential” queries for T_100: (T1 ⊕ t, T2, T3) for t ∈ [N^(1/3)]
– Similarly for T_010: (T1, T2 ⊕ t, T3) & T_001: (T1, T2, T3 ⊕ t)
– Answer query & 3N^(1/3) “potential” queries
• Server 2: query T_111 = (T1 ⊕ i1, T2 ⊕ i2, T3 ⊕ i3)
– List “potential” queries for T_011, T_101, T_110
– Answer query & 3N^(1/3) “potential” queries
• Client picks correct answer in each answer list and XORs them
Query T_k for server k: (T1 ⊕ (k1·i1), …, Td ⊕ (kd·id)), where k ↔ (k1, …, kd)
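The hypercube scheme and the server-collapsing trick from the last three slides, as an added example (my code, not the authors'): pir_2d_servers is the 2^d-server scheme (d = 1 is the first 2-server O(N) example, the XOR over sets with T2 = T1 ⊕ i), and pir_2_servers_collapsed is the 2-server O(N^(1/3)) scheme in which each server also returns the 3·N^(1/3) “potential” answers of its three neighbours. Function names, the flat 0-based database layout and the sample database are my constructions.

```python
import secrets
from itertools import product

def toggle(T, c):
    """T (+) c: remove c from T if present, otherwise add it."""
    return T ^ {c}

def server_answer(db, n, d, query):
    """A(k, T_k): XOR of DB[j1,...,jd] over all (j1,...,jd) in T1' x ... x Td'.
    db is a flat list of N = n**d bits; cell (j1,...,jd) is stored at sum(jm * n**m)."""
    bit = 0
    for js in product(*query):
        bit ^= db[sum(j * n**m for m, j in enumerate(js))]
    return bit

def client_queries(i, n, d):
    """Q(i, r): random T1..Td in [n]; server k = (k1..kd) gets Tm toggled at im iff km = 1."""
    digits = [(i // n**m) % n for m in range(d)]
    base = [{j for j in range(n) if secrets.randbits(1)} for _ in range(d)]
    queries = {k: tuple(toggle(base[m], digits[m]) if k[m] else base[m] for m in range(d))
               for k in product((0, 1), repeat=d)}
    return digits, queries

def pir_2d_servers(db, i, n, d):
    """R: XOR of all 2^d answers. Every cell other than (i1..id) is counted an even
    number of times and cancels; d = 1 is the basic 2-server O(N) scheme."""
    _, queries = client_queries(i, n, d)
    bit = 0
    for q in queries.values():
        bit ^= server_answer(db, n, d, q)
    return bit

def pir_2_servers_collapsed(db, i, n):
    """2-server O(N^(1/3)) PIR: server 1 holds T_000, server 2 holds T_111. Each also
    answers the 3n 'potential' queries of its three neighbours in the 8-server scheme
    (one coordinate toggled at every t in [n]); the client keeps the entry with t = im."""
    d = 3
    digits, queries = client_queries(i, n, d)
    bit = 0
    for k in ((0, 0, 0), (1, 1, 1)):
        q = queries[k]
        bit ^= server_answer(db, n, d, q)                  # the server's own answer
        for m in range(d):
            potential = [server_answer(db, n, d, q[:m] + (toggle(q[m], t),) + q[m + 1:])
                         for t in range(n)]                 # list sent to the client
            bit ^= potential[digits[m]]                    # client picks t = i_m
    return bit

# Constructed 64-bit sample database (N = 64 = 4**3 = 8**2 = 64**1).
SAMPLE_DB = [((j * j + 3 * j) % 7) % 2 for j in range(64)]
```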
Private Simultaneous Messages (Recap)
Model [FKN94]
• Single referee
• Two (or more) clients
• Non-interactive
• Referee learns only f(x,y)
• Clients share randomness r, unknown to referee
• All parties know f
• No collusion
[Diagram: clients holding (x, r) and (y, r) each send one message to the referee, who outputs f(x,y)]
PSM complexity of a function f: communication complexity of PSM protocol for f
• Efficient for small-depth formulae
• Worst case f: O(N) [FKN94]
• What is the PSM complexity of the worst function in F_N?
O(√N) Upper Bound on PSM Complex: Via 4-server PIR
4-server PIR [CGKS95]: obtained by collapsing basic 16-server O(N^(1/4)) PIR scheme
Key observation
• Index i ↔ (i1, i2, i3, i4)
• Input x specifies i1, i2; input y specifies i3, i4
• 15 of 16 servers emulated by clients
High-level idea: clients use shared randomness & referee's help to emulate client + 3 PIR servers in 4-server PIR scheme of [CGKS95]
• DB = truth table of f
• Client query i = x||y
Query + answer generation
• Query T_k for server k: (T1 ⊕ (k1·i1), …, T4 ⊕ (k4·i4)), where k ↔ (k1, …, k4); T_0000 = (T1, …, T4)
• Alice knows T1 ⊕ i1, T2 ⊕ i2
– Answers for T_**00
– “Potential” answers for T_**01, T_**10
• Bob knows T3 ⊕ i3, T4 ⊕ i4
– Answers for T_00**
– “Potential” answers for T_01**, T_10**
• Missing query T_1111 equals (T1 ⊕ i1, T2 ⊕ i2, T3 ⊕ i3, T4 ⊕ i4); answer to T_1111 computed by referee
[Diagram: Alice (x) derives i1, i2 and Bob (y) derives i3, i4 from the shared T_0000 = (T1, …, T4); Alice answers T_**00 and lists potential answers for T_**01, T_**10; Bob answers T_00** and lists potential answers for T_01**, T_10**; the referee answers T_1111]
O(√N) Upper Bound on PSM Complexity: Via 4-server PIR
Reconstruction
• Selecting from “potential” answer list: use known PSM (small-depth circuit)
• PSM outputs XOR of these 15 answers
• Remaining answer computed by referee; finally, XORs this with PSM output
• Referee's reconstruction function is “non-universal”
The research leading to these results has received funding from the European Union's Seventh Framework
Programme (FP7/2007-2013) under grant agreement no. 259426 – ERC – Cryptography and Complexity