# Round-Optimal Black-Box Two-Party Computation

IACR Cryptology ePrint Archive, Volume 2015, 2015.

Abstract:

In [Eurocrypt 2004] Katz and Ostrovsky establish the exact round complexity of secure two-party computation with respect to black-box proofs of security. They prove that 5 rounds are necessary for secure two-party protocols (4 rounds are sufficient if only one party receives the output) and provide a protocol that matches this lower bound.

Introduction

- Secure two-party computation allows two mutually distrustful parties to compute a function of their secret inputs without revealing any information except the output of the function.
- Their work is based on the following observation: one can check that a party is honestly computing the protocol messages by challenging that party to reveal its input and randomness.

Highlights

- We provide the first 4-round black-box oblivious transfer based on any enhanced trapdoor permutation
- Protocols based on general assumptions are flexible in that they allow the protocol to be implemented from a variety of concrete assumptions, possibly even ones that were not considered when the protocol was designed.
- Constructions based on general assumptions may use the cryptographic primitive behind the assumption in two ways: black-box usage, if the construction refers only to the input/output behavior of the underlying primitive; non-black-box usage, if the construction uses the code computing the functionality of the primitive.
- We solve the second problem by having S commit to the inputs already in the second round and prove that the committed inputs are the ones used for the Oblivious Transfer. Doing this naively would require making non-black-box use of cryptographic primitives, so, in typical cut-and-choose style, we instead have S commit to shares of the inputs and play the protocol many times in parallel, where R opens mostly the shares corresponding to his input bit but enough shares of s1−b to be convinced that S is playing fairly.
- We need a way for R to retrieve the decommitments of the shares for the secret he is interested in, without the sender knowing which decommitments are revealed. We accomplish this by using the Oblivious Transfer protocol ΠORT implemented above. In parallel to such extractable commitments and proofs, the sender and the receiver engage in 2κ parallel executions of ΠORT: in the i-th Oblivious Transfer execution S plays with inputs the opening of the i-th coordinate of (a0,j, b0,j) and (a1,j, b1,j) for all j, and R plays with bit bi.

Results

- Can the authors construct a round-optimal fully black-box protocol for two-party computation based on general assumptions?
- The authors' construction is extended to achieve parallel secure oblivious transfer which, using the compiler of [12], gives a round-optimal black-box protocol for two-party computation in the plain model.
- Doing this naively would require making non-black-box use of cryptographic primitives, so, in typical cut-and-choose style, the authors instead have S commit to shares of the inputs and play the protocol many times in parallel, where R opens mostly the shares corresponding to his input bit but enough shares of s1−b to be convinced that S is playing fairly.
- The authors show how to use extractable commitments and Shamir secret sharing to compile ΠORT into a protocol that is fully simulatable.
- When extending the above warm-up protocol to a string via bit-wise commit-and-proofs the authors must enforce that a malicious receiver cannot cheat by controlling some of the bits of both z0 and z1 and wind up knowing preimages of both values.
- In parallel to such extractable commitments and proofs, the sender and the receiver will engage in 2κ parallel executions of ΠORT: in the i-th OT execution S plays with inputs the opening of the i-th coordinate of (a0,j, b0,j) and (a1,j, b1,j) for all j, and R plays with bit bi.
- Correctness follows from the correctness of the underlying ΠORT protocol, the correctness of the statistically binding commitment scheme and the Shamir secret sharing scheme: the receiver will be able to retrieve more than κ + 1 shares and reconstruct the key xb that allows him to decrypt sb.
- The indistinguishability of the simulation follows from the simulatability of the underlying OT, the security of Shamir secret sharing and the hiding of the underlying commitment scheme.
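The two bullets above rest on the threshold arithmetic of Shamir's scheme: each key is split into 2κ shares with threshold κ + 1, the receiver collects the i-th share of whichever key his i-th choice bit selects, and the few shares of the other key that he opens as checks stay below the threshold. The following is an added toy model, not code from the paper, that makes this concrete: it implements Shamir splitting and reconstruction over a prime field, a constructed receiver strategy that opens `n_checks` shares of x_{1-b} and the rest of x_b, and a check that the sub-threshold shares of x_{1-b} are consistent with any candidate value. The commitments and consistency proofs of the real protocol are not modelled; the field size, parameter values and function names are assumptions of this example.

```python
import secrets

# Constructed toy parameter: a Mersenne prime field large enough for the demo.
PRIME = 2**61 - 1


def eval_poly(coeffs, x, p=PRIME):
    """Evaluate a polynomial given low-to-high coefficients, mod p (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def shamir_split(secret, threshold, n, p=PRIME):
    """Split `secret` into n shares (i, f(i)) of a random degree-(threshold-1)
    polynomial with f(0) = secret; any `threshold` shares reconstruct it."""
    if not (0 <= secret < p and 1 <= threshold <= n < p):
        raise ValueError("bad Shamir parameters")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(threshold - 1)]
    return [(i, eval_poly(coeffs, i, p)) for i in range(1, n + 1)]


def interpolate_poly(points, p=PRIME):
    """Low-to-high coefficients of the unique polynomial of degree < len(points)
    through the given (x, y) points with distinct x (Lagrange form)."""
    coeffs = [0] * len(points)
    for j, (xj, yj) in enumerate(points):
        basis, denom = [1], 1          # basis polynomial starts as the constant 1
        for m, (xm, _) in enumerate(points):
            if m == j:
                continue
            nxt = [0] * (len(basis) + 1)   # basis *= (x - xm)
            for k, c in enumerate(basis):
                nxt[k] = (nxt[k] - c * xm) % p
                nxt[k + 1] = (nxt[k + 1] + c) % p
            basis = nxt
            denom = denom * (xj - xm) % p
        scale = yj * pow(denom, -1, p) % p
        for k, c in enumerate(basis):
            coeffs[k] = (coeffs[k] + c * scale) % p
    return coeffs


def shamir_reconstruct(shares, threshold, p=PRIME):
    """Recover f(0) from at least `threshold` shares."""
    if len(shares) < threshold:
        raise ValueError("fewer than threshold shares: secret is not determined")
    return interpolate_poly(shares[:threshold], p)[0]


def consistent_with_secret(shares, candidate, threshold, p=PRIME):
    """True if some polynomial of degree < threshold with f(0) = candidate passes
    through every given share. With at most threshold-1 shares this holds for
    every candidate, which is exactly why those shares reveal nothing."""
    if len(shares) >= threshold:
        return shamir_reconstruct(shares, threshold, p) == candidate
    poly = interpolate_poly([(0, candidate)] + list(shares), p)
    return all(eval_poly(poly, x, p) == y for x, y in shares)


def share_retrieval(x0, x1, b, kappa, n_checks, p=PRIME):
    """Toy model of the cut-and-choose retrieval (constructed, not the paper's
    protocol): the sender splits each key into 2*kappa shares with threshold
    kappa+1; in the i-th of the 2*kappa parallel OTs the receiver obtains the
    i-th share of x_{bit_i}, where bit_i = 1-b in n_checks random check
    positions and bit_i = b elsewhere. Returns the shares obtained per key."""
    n = 2 * kappa
    sender_shares = {0: shamir_split(x0, kappa + 1, n, p),
                     1: shamir_split(x1, kappa + 1, n, p)}
    check_positions = set(secrets.SystemRandom().sample(range(n), n_checks))
    retrieved = {0: [], 1: []}
    for i in range(n):
        bit_i = (1 - b) if i in check_positions else b
        retrieved[bit_i].append(sender_shares[bit_i][i])
    return retrieved


def receiver_outcome(x0, x1, b, kappa, n_checks, p=PRIME):
    """Run the toy retrieval; return (recovered x_b, number of x_{1-b} shares
    seen, whether those shares are consistent with an unrelated candidate)."""
    got = share_retrieval(x0, x1, b, kappa, n_checks, p)
    key_b = shamir_reconstruct(got[b], kappa + 1, p)
    other = got[1 - b]
    hidden = consistent_with_secret(other, (x0 + x1 + 1) % p, kappa + 1, p)
    return key_b, len(other), hidden


if __name__ == "__main__":
    # kappa = 8 gives 16 parallel OTs; 3 check positions leave 13 >= 9 shares of x_b.
    print(receiver_outcome(12345, 67890, 1, 8, 3))
```

With κ = 8 and 3 check positions the receiver holds 13 shares of x_b, above the threshold of 9, and only 3 shares of x_{1-b}, which `consistent_with_secret` shows are compatible with an arbitrary candidate value; raising `n_checks` to κ or more would drop the receiver below the threshold for his own key, which is the trade-off the cut-and-choose parameters balance.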

Conclusion

- Sim runs as receiver in the ΠOT protocol by choosing sets T0 and T1, and playing with a random bit in the remaining OT executions.
- Due to the binding of the commitment scheme, the correctness of Shamir's secret sharing, and the correctness of the proof of consistency of the shares, the values reconstructed from the shares extracted by the simulator from the extractable commitments correspond to the unique value that an honest receiver would have obtained from the shares retrieved via ΠORT.

Related work

**Other Related Work on Black-Box Secure Computation**

We mention additional related work that is less relevant for our result but that has contributed to the understanding of the power of black-box access to cryptographic primitives. In [3] Damgaard and Ishai show a constant-round multi-party protocol where the parties have only black-box access to a PRG. This work assumes an honest majority. In [27], Wee shows the first black-box constructions with sub-linear round complexity for MPC, which Goyal [6] improves to obtain constant-round MPC constructions based on the black-box use of any OWF. In [7] black-box use of OWFs has been shown to be sufficient to construct constant-round concurrent non-malleable commitments. Other black-box constructions for commitment schemes have been considered w.r.t. selective opening attacks in [22,28]. In [20] Lin and Pass showed the first black-box construction for MPC in the standard model that satisfies a non-trivial form of concurrent security. Their construction requires a non-constant number of rounds. Very recently, Kiyoshima et al. in [18] improved on the round complexity, providing a constant-round construction for the same result. Finally, another line of research has looked at achieving black-box constructions for protocols that require non-black-box simulation, such as black-box public-coin ZK [8] and resettably-sound ZK from OWF [23].

Funding

- Work supported in part by NSF grants 09165174, 1065276, 1118126 and 1136174, US-Israel BSF grant 2008411, OKAWA Foundation Research Award, IBM Faculty Research Award, Xerox Faculty Research Award, B
- This material is based upon work supported by the Defense Advanced Research Projects Agency through the U.S. Office of Naval Research under Contract N00014-11-1-0392

References

- Choi, S.G., Dachman-Soled, D., Malkin, T., Wee, H.: Simple, Black-box constructions of adaptively secure protocols. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 387–402. Springer, Heidelberg (2009)
- Cramer, R., Damgard, I.B., Schoenmakers, B.: Proof of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). http://dx.doi.org/10.1007/3-540-48658-5_19
- Damgard, I.B., Ishai, Y.: Constant-round multiparty computation using a black-box pseudorandom generator. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 378–394. Springer, Heidelberg (2005). http://dx.doi.org/10.1007/11535218_23
- Damgard, I., Scafuro, A.: Unconditionally secure and universally composable commitments from physical assumptions. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 100–119. Springer, Heidelberg (2013). http://dx.doi.org/10.1007/978-3-642-42045-0_6
- Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or A completeness theorem for protocols with honest majority. In: Aho, A.V. (ed.) Proceedings of the 19th Annual ACM Symposium on Theory of Computing, pp. 218–229. ACM, New York (1987). http://doi.acm.org/10.1145/28395.28420
- Goyal, V.: Constant round non-malleable protocols using one-way functions. In: Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, STOC 2011, pp. 695–704. ACM (2011)
- Goyal, V., Lee, C.K., Ostrovsky, R., Visconti, I.: Constructing non-malleable commitments: A black-box approach. In: FOCS, pp. 51–60. IEEE Computer Society (2012)
- Goyal, V., Ostrovsky, R., Scafuro, A., Visconti, I.: Black-box non-black-box zero knowledge. In: Symposium on Theory of Computing, STOC 2014, pp. 515–524 (2014)
- Haitner, I.: Semi-honest to malicious oblivious transfer—the black-box way. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 412–426. Springer, Heidelberg (2008)
- Hazay, C., Lindell, Y.: Efficient secure two-party protocols - techniques and constructions. In: Information Security and Cryptography. Springer (2010). http://dx.doi.org/10.1007/978-3-642-14303-8
- Ishai, Y., Kushilevitz, E., Lindell, Y., Petrank, E.: Black-box constructions for secure computation. In: Proceedings of the 38th Annual ACM Symposium on Theory of Computing, STOC 2006, pp. 99–108 (2006)
- Ishai, Y., Kushilevitz, E., Ostrovsky, R., Prabhakaran, M., Sahai, A.: Efficient non-interactive secure computation. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 406–425. Springer, Heidelberg (2011)
- Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: Proceedings of the 39th Annual ACM Symposium on Theory of Computing, STOC 2007, pp. 21–30 (2007)
- Ishai, Y., Prabhakaran, M., Sahai, A.: Founding cryptography on oblivious transfer – efficiently. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 572–591. Springer, Heidelberg (2008). http://dx.doi.org/10.1007/978-3-540-85174-5_32
- Katz, J., Ostrovsky, R.: Round-optimal secure two-party computation. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 335–354. Springer, Heidelberg (2004)
- Kilian, J.: Founding cryptography on oblivious transfer. In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, May 2–4, 1988, Chicago, Illinois, USA, pp. 20–31. ACM (1988)
- Kilian, J.: A note on efficient zero-knowledge proofs and arguments. In: STOC, pp. 723–732 (1992)
- Kiyoshima, S., Manabe, Y., Okamoto, T.: Constant-round black-box construction of composable multi-party computation protocol. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 343–367. Springer, Heidelberg (2014)
- Lapidot, D., Shamir, A.: Publicly verifiable non-interactive zero-knowledge proofs. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 353–365. Springer, Heidelberg (1991)
- Lin, H., Pass, R.: Black-box constructions of composable protocols without setup. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 461–478. Springer, Heidelberg (2012)
- Micciancio, D., Ong, S.J., Sahai, A., Vadhan, S.P.: Concurrent zero knowledge without complexity assumptions. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 1–20. Springer, Heidelberg (2006)
- Ostrovsky, R., Rao, V., Scafuro, A., Visconti, I.: Revisiting lower and upper bounds for selective decommitments. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 559–578. Springer, Heidelberg (2013)
- Ostrovsky, R., Scafuro, A., Venkitasubramanian, M.: Resettably sound zero-knowledge arguments from OWFs - the (semi) black-box way. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 345–374. Springer, Heidelberg (2015)
- Pass, R., Wee, H.: Black-box constructions of two-party protocols from one-way functions. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 403–418. Springer, Heidelberg (2009)
- Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008)
- Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
- Wee, H.: Black-box, round-efficient secure computation via non-malleability amplification. In: Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science, pp. 531–540 (2010)
- Xiao, D.: (Nearly) round-optimal black-box constructions of commitments secure against selective opening attacks. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 541–558. Springer, Heidelberg (2011)
- Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: FOCS, pp. 162–167 (1986)