Private Matching

1
Efficient Two-Party Secure Computation on Committe
d Inputs
Stanislaw Jarecki, UC Irvine Vitaly Shmatikov, UT
Austin
2
Our Contributions

• Committed Oblivious Transfer of Bitstrings
  String-COT
• O(1) modular exponentiations per player
• 2 rounds proofs (single message in R.O.M. if
  commitments public)
• Universally Composable in Common Reference String
  CRS model
• Secure Two-Party Computation 2PC on Committed
  Inputs
• O(g) modular exponentiations, where g gates
  in the circuit
• round complexity, UC in CRS, as above
• Technical Contribution of General Interest
• Encryption with Verifiable Plaintexts and Keys,
• i.e.
• Encryption with efficient Zero-Knowledge Proof
  for relation
• (E, Cm, Ck) s.t. E encrypts m committed in Cm
  under key k committed in Ck

3
Our Contributions

• Committed Oblivious Transfer of Bitstrings
  String-COT
• O(1) modular exponentiations per player
• 2 rounds proofs (single message in R.O.M. if
  commitments public)
• Universally Composable in Common Reference String
  CRS model
• Secure Two-Party Computation 2PC on Committed
  Inputs
• O(g) modular exponentiations, where g gates
  in the circuit
• round complexity, UC in CRS, as above
• Main Technical Contribution of General Interest
• Encryption with Verifiable Plaintexts and Keys,
• i.e.
• Encryption with efficient Zero-Knowledge Proof
  for relation
• (E, Cm, Ck) s.t. E encrypts m committed in Cm
  under key k committed in Ck

Contribution for both COT and 2PC is in
efficiency. (and provable universal composability
of an efficient construction) Quick comparison
of constant-round 2PC protocols Yao86
O(g) symmetric-key operations, passive
adv. Yao Generic ZKPs poly(k,g)
operations, malicious adv. P03,MF06,KS06,LP
07,W07 Cut Choose Proofs O(kg)
symmetric-key ops., malicious adv. Here
Efficient ZKP per gate O(g) public-key
operations, malicious adv.
4
Our Contributions

• Committed Oblivious Transfer of Bitstrings
  String-COT
• O(1) modular exponentiations per player
• 2 rounds proofs (single message in R.O.M. if
  commitments public)
• Universally Composable in Common Reference String
  CRS model
• Secure Two-Party Computation 2PC on Committed
  Inputs
• O(g) modular exponentiations, where g gates
  in the circuit
• round complexity, UC in CRS, as above
• Main Technical Contribution of General Interest
• Encryption with Verifiable Plaintexts and Keys,
• i.e.
• Encryption with efficient Zero-Knowledge Proof
  for relation
• (E, Cm, Ck) s.t. E encrypts m committed in Cm
  under key k committed in Ck

Contribution for both COT and 2PC is in
efficiency. (and provable universal composability
of an efficient construction) Quick comparison
of constant-round 2PC protocols Yao86
O(g) symmetric-key operations, passive
adv. Yao Generic ZKPs poly(k,g)
operations, malicious adv. P03,MF06,KS06,LP
07,W07 Cut Choose Proofs O(kg)
symmetric-key ops., malicious adv. Here
Efficient ZKP per gate O(g) public-key
operations, malicious adv.
5
Talk Outline

• Overview of the results
• Committed Oblivious Transfer on Strings
• General Secure Two-Party Computation on Committed
  Inputs
• Applications
• Committed Secure Computation
• Committed String-OT
• Comparison with previous results
• Technical Discussion
• Public Key Encryption with Efficient
  Zero-Knowledge Proof for Verifiability of both
  the Plaintext and the Key
• Extensions, Open Questions

6
Universally Composable Secure Two-Party
Computation on Committed Inputs
Definition
Picture
7
Universally Composable Secure Two-Party
Computation on Committed Inputs
Public Board
Alice
CA1
(xA1)
(xA2)
CA2
Bob
(xB1)
CB1
(xB2)
CB2
Commitment properties Binding xis cannot
be substituted after Ci is sent Hiding xis
remain hidden from other players (Can be
implemented e.g. with Public Key Encryption)
8
Universally Composable Secure Two-Party
Computation on Committed Inputs
Public Board
Alice
CA1
(xA1)
CA2
CA2
(xA2)
Bob
(xB1)
CB1
(xB2)
CB2
Non-Malleable NM Commitments Bobs messages
cannot depend on Alices messages (can be done
with CCA-Secure Encryption, in CRS)
9
Universally Composable Secure Two-Party
Computation on Committed Inputs
Public Board
Alice
Compute( with Bob,CA1,CB1)
(xA1)
(xA2)
F(xA1,xB1)
Bob
(xB1)
F(xA1,xB1)
(xB2)
xA1
xB1

• Properties of 2P Secure Computation
  (Obl.Circ.Eval.) on Committed Inputs
• Bob learns only output F(xA,xB), nothing else
  about Alices input xA
• Alice learns nothing
• values xA, xB in the computation are committed in
  CA, CB

10
Universally Composable Secure Two-Party
Computation on Committed Inputs
Public Board
Alice
Compute( with Bob)
(xA1)
(xA2)
F(xA1,xB1)
Bob
(xB1)
F(xA1,xB1)
(xB2)

• Properties of 2P Secure Computation
  (Obl.Circ.Eval.) on Committed Inputs
• Bob learns only output F(xA,xB), nothing else
  about Alices input xA
• Alice learns nothing
• values xA, xB in the computation are committed in
  CA, CB

gt Two-sided computation on same inputs (with
abort)
11
Universally Composable Secure Two-Party
Computation on Committed Inputs

• Benefit of computation on committed inputs
• Ensuring consistency between
• computations of several circuits on same data

Alice
Compute( )
(xA1)
(xA2)
Compute( )
Compute( )
Compute( )
Bob
(xB1)
(xB2)
Examples of circuits Equality(xA,xB)
outputs 1 if xA xB, 0 otherwise Less or
Equal(xA,xB) outputs 1 if integer xA xB, 0
o/w F(xA,xB) intersection of sets
represented by xA,xB F(xA,xB) median value
in the union of sets It can be any circuit !!
12
Consistency Across Protocol Instances Ex.1
Multi-Player Example
Alice
(xA1)
Bob
(xB1)
Compute( with Dorothy)
Dorothy
(xD1)
13
Consistency Across Protocol Instances Ex.2
Security with some local computation off-line
F(xA1,xB1)
Alice
(xA1)
xA3 output of Alices local computation
given F(xA1,xB1)
(xA3)
Bob
(xB1)

• General Benefit of UC Committed 2PC
• Ensuring consistency between
• sub-protocols in any distributed algorithm
• Some computation can be local (insecure but
  fast),
• while commitments keep the overall protocol
  consistent

14
Consistency Across Protocol Instances Ex.3
Solution to the Abort Re-start Problem

• Protocols that use 2PC / OT without committed
  inputs
• can be insecure against abort re-start
• A malicious player can effectively execute
  several
• instances of the protocol, each on different
  inputs.
• In practice protocols must allow re-start in
  case of
• communication or hardware faults

15
Talk Outline

• Statement of the results
• Committed Oblivious Transfer on Strings
• General Secure Two-Party Computation on Committed
  Inputs
• Applications
• Committed Secure Computation
• Committed String-OT
• Comparison with previous results
• Technical Discussion
• Public Key Encryption with Efficient
  Zero-Knowledge Proof for Verifiability of both
  the Plaintext and the Key
• Extensions, Open Questions

16
Universally Composable Committed String-OT
UC String-COT is like UC two-party secure
computation but the only computed
function is String-OT
Crepeau86 introduced COT s.t. Alice gets (de)
commitment of Cb, not just mb (our construction
can support this too)

• Alice learns mb s.t.
• mb is committed in Cmb
• b is committed in Cb
• Alice learns nothing about mb
• Bob learns nothing

17
Applications of Committed String-OT
(Ex.1)Ensuring Consistency across Calls to OT

• OT is a sub-procedure in General Secure
  Computation Protocols
• the original motivation for Committed OT by
  Crepeau
• Interactive Secure 2-Party Computation GV87
• Players secret-share all their input bits
• Gate computation (shared input bits ? shared
  output bit) via Bit-OT
• Tool Committed Bit-OT
• 2-round Secure 2-Party Computation (Garbled
  Circuit Yao86)
• Sender S creates two keys per each wire
• For each gate, S encrypts appropriate output wire
  keys with appropriate input wire keys
• S performs String-OT on keys corresponding to Rs
  input wires
• Tool Committed String-OT

18
Applications of Committed String-OT
(Ex.2)Privacy, E-Cash, Escrow,

• 1. Privacy applications
• oblivious transfer of one key out of a set of
  keys
• same for signatures, decryptions,
• 2. Support for probabilistic systems
• probabilistic escrow of information (keys,
  signatures, plaintexts)
• probabilistic payment of digital cash
• Whats needed in such applications?
• OT on values with proven properties (key, coin,
  signature, )
• Done in 2 steps
• perform an OT on the committed string value (e.g.
  a key)
• prove correctness of the committed value
• (efficient proofs for such statements exist for
  many cryptographic schemes)

19
Talk Outline

• Statement of the results
• Committed Oblivious Transfer on Strings
• General Secure Two-Party Computation on Committed
  Inputs
• Applications of Committed Secure Computation /
  Committed String-OT
• Comparisons with previous results on COT and 2PC
• Technical Discussion
• Public Key Encryption with Efficient
  Zero-Knowledge Proof for Verifiability of both
  Plaintexts and Keys
• Extensions, Open Questions

20
Our Contributions vs. Previous Work(1)
Committed OT on Bitstrings

• O(1) modular exponentiations per player
• exponentiations modulo n2 where n is a strong RSA
  modulus, n2 2000 bits
• 500-bit exponents
• Round complexity 2 rounds proofs (e.g.
  one/two rounds in R.O.M.)
• Security under Decisional Composite Residuosity
  Assumption DCR
• Universal Composability in Common Reference
  String model CRS
• static adversary
• CRS includes modulus n and a few group elements,
  CRS 10 n
• Towards efficient String-COT
• NP00, AIR01 String-OT O(1) exps, DDH
  Assumption
• Cre89 Bit/String-COT O(k3) Bit/String-OTs
• CvdGT95 Bit-COT O(k) Bit-OTs
• GMY04 Bit-COT O(1) exps, DDH
• CC00 String-COT O(k) exps, DDH

21
Our Contributions vs. Previous Work(2) Secure
2PC on Committed Inputs

• Security under DCR and Strong RSA Assumptions
• O(g) modular exponentiations, where g gates
  in the Circuit
• Round complexity 2 rounds proofs (e.g.
  one/two rounds in R.O.M.)
• Universal Composability in the CRS model
• Towards efficient constant-round Secure Two-Party
  Computation (2PC)
• Passive Security
• Yao86 O(g) symmetric-key ops
• Malicious Security using ZKPs for NP-complete
  languages
• GMW,,Lin03,KO04 poly(g, k) ops
• Malicious Security without generic ZKPs
• DI05, multi-party computation,
• O(n2 g) PRGs VSSs
• CC00, cut choose gate-specific ZKPs,
• O(kg) exps, DDH
• Pin03, MF06, KS06, LP07, W07, cut choose
  on the whole garbled circuit,
• O(kg) symmetric-key ops
• Here, efficient gate-specific ZKPs,

22
Talk Outline

• Statement of the results
• Committed Oblivious Transfer on Strings
• General Secure Two-Party Computation on Committed
  Inputs
• Applications of Committed Secure Computation /
  Committed String-OT
• Comparison with previous results
• Technical Discussion
• Public Key Encryption with Efficient
  Zero-Knowledge Proof for Verifiability of both
  the Plaintext and the Key
• Extensions, Open Questions

23
Yaos Garbled Circuit Construction
1. For each circuit wire w, Sender S picks a pair
of keys
º
k
0

bit 0 on wire w

• Strategy towards 2PC with O(1) exps / gate
• S commits to each key
• S proves circuit is properly garbled
• each ciphertext formed correctly
• other proofs
• S performs String-COT for Rs input keys

w
º
k
1

bit 1 on wire w

w

• 2. For each gate, S sends to R a table

3. For each Rs input wire, transfer the right
key using String-OT OT R(b) , S(k0,k1) ? kb
Encryption of kz0 under keys kw0,kv0 Encryption
of kz0 under keys kw0,kv1 Encryption of kz0 under
keys kw1,kv0 Encryption of kz1 under keys kw1,kv1
24
Yaos Garbled Circuit Construction Closer Look
Proof of ciphertext correctness
1. For each circuit wire w, Sender S picks a pair
of keys
º
k
0

bit 0 on wire w

• Strategy towards 2PC with O(1) exps / gate
• S commits to each key
• S proves circuit is properly garbled
• each ciphertext formed correctly
• other proofs
• S performs String-COT for Rs input keys

w
º
k
1

bit 1 on wire w

w

• 2. For each gate, S sends to R a table

3. For each Rs input wire, transfer the right
key using String-OT OT R(b) , S(k0,k1) ? kb
Encryption of kz0 under keys kw0,kv0 Encryption
of kz0 under keys kw0,kv1 Encryption of kz0 under
keys kw1,kv0 Encryption of kz1 under keys kw1,kv1
25
Yaos Garbled Circuit Construction Closer Look
Proof of ciphertext correctness
1. For each circuit wire w, Sender S picks a pair
of keys
º
k
0

bit 0 on wire w

• Strategy towards 2PC with O(1) exps / gate
• S commits to each key
• S proves circuit is properly garbled
• each ciphertext formed correctly
• other proofs
• S performs String-COT for Rs input keys

w
º
k
1

bit 1 on wire w

w
k
,k
k
,k
k
,k
0
1
0
1
0
1
z
z
z
z
z
z
G
G
k
,k
k
,k
k
,k
k
,k
k
,k
k
,k
0
1
0
1
0
1
0
1
0
1
0
1
w
w
v
v
w
w
v
v
w
w
v
v

• 2. For each gate, S sends to R a table

3. For each Rs input wire, transfer the right
key using String-OT OT R(b) , S(k0,k1) ? kb
Encryption of kz0 under keys kw0,kv0 Encryption
of kz0 under keys kw0,kv1 Encryption of kz0 under
keys kw1,kv0 Encryption of kz1 under keys kw1,kv1
26
Yaos Garbled Circuit Construction Closer Look
Proof of ciphertext correctness
Simplify to standard (one-key) encryption
º
k
0

bit 0 on wire w

w
º
k
1

bit 1 on wire w

w
k
,k
k
,k
k
,k
0
1
0
1
0
1
z
z
z
z
z
z
G
G
k
,k
k
,k
k
,k
k
,k
k
,k
k
,k
0
1
0
1
0
1
0
1
0
1
0
1
w
w
v
v
w
w
v
v
w
w
v
v
Encryption of kz0 under keys kw0,kv0
27
Efficient Encryption withmessage and key
verifiability
1. Assume commitment (to value a) is of the
form Ca ga (or Ca ga hr ) for some
multiplicative group ltggt 2. Assume encryption
also has both plaintext and key in the exponent,
e.g. E Enc m k am ßk where ltagt ,
ltßgt are disjoint subgroups of some group
Can be done with Paillier encryption
Camenisch-Shoup03 a generates subgroup of
order n, ß generates subgroup of order f(n), in
group of order f(n2)nf(n) multiplicative
group of residues mod n2
ZKPR is a proof of equalities between
discrete-log representations 1. (m , k)
Rep( (a, ß) , E) 2. m DL( g, Cm ) 3. k
DL( g, Ck )
28
Efficient Encryption withmessage and key
verifiability
Cm gm
Ck gk
The ZKP of equality of m DL(g,Cm)Rep(a,E)
The ZKP of equality of k DL(g,Ck)Rep(ß,E)
E am ßk
a n , ß f(n) g whatever is
convenient
problem if g ? ß
problem if g ? a
ZKPR is a proof of equalities between
discrete-log representations 1. (m , k)
Rep( (a, ß) , E) 2. m DL( g, Cm ) 3. k
DL( g, Ck ) Each (RepresentationDL) proof
is an extension of standard ZKPK-of-DL, except if
the orders involved (g vs. a) and (g vs. ß)
are (1) unknown (2) unequal
29
Efficient Encryption withmessage and key
verifiability
Cm gm
Ck gk
The ZKP of equality of k DL(g,Ck)Rep(ß,E)
The ZKP of equality of m DL(g,Cm)Rep(a,E)
E am ßk
a n , ß f(n) g whatever is
convenient
problem if g ? ß
problem if g ? a

• If orders not equal then responses must be
  computed over integers
• (linear equations involving secrets)
• Efficient Zero-Knowledge of DLEQ known only if
  secret ltlt (both orders)
• Why?
• Known DLEQ(gx,hx) proofs for groups with unknown
  order leak cxr over integers, for
  public challenge c, and random secret pad r
• x is statistically hidden only if r gt cx280
• r gt x2160 (since c 280)
• To avoid wrap-around we need cxr lt (orders of g
  and h)
• x 2160 lt (orders of g and h)

30
Efficient Encryption withmessage and key
verifiability
Cm gm
Ck gk
The ZKP of equality of k DL(g,Ck)Rep(ß,E)
The ZKP of equality of m DL(g,Cm)Rep(a,E)
E am ßk
a n , ß f(n) g whatever is
convenient
problem if g ? ß
problem if g ? a

• If orders not equal then responses must be
  computed over integers
• (linear equations involving secrets)
• Efficient Zero-Knowledge of DLEQ only if secret
  ltlt (both orders)
• Either m or k must be ltlt f(n) n
• But ms and ks are interchangeable in Yaos
  garbled circuit construction!
• Need Camenisch-Shoup encryption with shorter keys
  (k ¾ n)
• Hastad-Schrift-Shamir exponentiation mod n
  hides n/2 bits
• using ½ n - long keys is indistinguishable from
  n-long keys
• same holds for the f(n)-order subgroup, where
  CS keys live

31
Summary and some open questions

• Summary
• Efficient UC-Secure computation on committed
  inputs
• with O( Circuit ) public key op.s
• Fast committed String-OT
• Encryption with efficient verifiability for both
  messages and keys
• Some questions
• Handling adaptive corruptions?
• Weakening assumptions on the RSA modulus?
• Efficient String-COT and Committed-2PC without
  CRS?
• Verifiable Encryption for committed plaintexts
  and/or keys, for moduli smaller than n22000
  bits?

32

• Thank You!