COVERT TWOPARTY COMPUTATION

1
COVERT TWO-PARTY COMPUTATION
CARNEGIE MELLON UNIVERSITY
JOINT WORK WITH NICK HOPPER JOHN LANGFORD
2
HAVE YOU EVER
WANTED TO BRIBE AN OFFICER?
WANTED TO STAGE A COUP DETAT TO OVERTHROW THE
PRESIDENT?
BEEN IN LOVE BUT DIDNT HAVE THE GUTS TO CONFRONT
THE PERSON?
WANTED TO COLLUDE WITH ANOTHER PLAYER TO CHEAT IN
A CARD GAME?
INFILTRATED A TERRORIST CELL?
3
ALLOWS TWO PARTIES WITH SECRET INPUTS X AND Y TO
LEARN F(X,Y) BUT NOTHING ELSE
COVERT
PARTY 1
PARTY 2
TWO-PARTY COMPUTATION
X
Y
F( ? , ? )
F( ? , ? )
F(X,Y)
F(X,Y)
4
1 IF XgtY 0 OTHERWISE
F(X,Y)
JEN
BEN
45 MILLION
32 MILLION
F(X,Y)1
5
I DONT WANT HIM TO KNOW THAT I LIKE HIM UNLESS
HE LIKES ME TOO!
WHAT SHOULD I DO?
I LIKE HIM, BUT IM SHY!
BRITNEY SPEARS
ME
6
WELL USE TWO-PARTY COMPUTATION
IF HE DOESNT, THEN F(X,Y) 0 SO HE WONT KNOW
THAT I LIKE HIM
IF HE LIKES ME, WE WILL BOTH FIND OUT
1 MEANS YES 0 MEANS NO
IF X,Y ARE BITS, LET F(X,Y) X AND Y
F(X,Y) X AND Y
LETS FIGURE OUT IF WE LIKE EACH OTHER
7
COVERT TWO-PARTY COMPUTATION
EXTERNAL COVERTNESS
NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES
ARE RUNNING A COMPUTATION OR JUST COMMUNICATING
AS NORMAL
INTERNAL COVERTNESS
AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL
WHETHER THE OTHER PARTICIPATED IF THEY CAN
DISTINGUISH F(X,Y) FROM RANDOM BITS
8
THE WAR ON TERROR
HE WORKS FOR MI-6
CIA AGENT
HE WORKS FOR CIA
MI-6 AGENT
9
THE WAR ON TERROR
THE UTTERANCES CONTAINED A COVERT TWO-PARTY
COMPUTATION
THE FUNCTION F VERIFIED THE CREDENTIALS
SINCE BOTH WERE VALID, IT OUTPUT 1K
X WAS A CREDENTIAL SIGNED BY CIA AND Y WAS SIGNED
BY MI-6
FOR ANY OTHER INPUTS, F OUTPUTS A RANDOM VALUE
10
COVERT TWO-PARTY COMPUTATION
EXTERNAL COVERTNESS
NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES
ARE RUNNING A COMPUTATION OR JUST COMMUNICATING
AS NORMAL
CANNOT BE DONE WITH STANDARD TWO-PARTY COMPUTATION
INTERNAL COVERTNESS
AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL
WHETHER THE OTHER PARTICIPATED IF THEY CAN
DISTINGUISH F(X,Y) FROM RANDOM BITS
11
WHO KNOWS WHAT?
WE ASSUME THAT BOTH PARTIES KNOW THE FUNCTION
THEY WISH TO EVALUATE
BOTH KNOW WHICH ROLE THEY ARE TO PLAY IN THE
EVALUATION
BOTH KNOW WHEN TO START COMPUTING
12
ORDINARY COMMUNICATION
MESSAGES ARE DRAWN FROM A SET D
TIME PROCEEDS IN DISCRETE TIMESTEPS
EACH PARTY MAINTAINS A HISTORY h OF ALL DOCUMENTS
THEY SENT AND RECEIVED
TO EACH PARTY P, WE ASSOCIATE A FAMILY OF
PROBABILITY DISTRIBUTIONS ON D BhP
13
P1
P2
hP1
hP2
D1
t0
D2
hP1 hP1 (D1,D2)
hP2 hP2 (D2,D1)
D1
t1
14
WE ASSUME THAT
DDH IS HARD GIVEN gx, gy PARTIES CANT
EFFICIENTLY DISTINGUISH gxy FROM gz
15
WE SHOW THAT
COVERT TWO-PARTY COMPUTATION IS POSSIBLE AGAINST
HONEST-BUT-CURIOUS ADVERSARIES
IN THE RO MODEL, FAIR COVERT TWO-PARTY
COMPUTATION IS POSSIBLE AGAINST MALICIOUS
ADVERSARIES
16
ROADMAP
1
USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT
ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM
2
SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH
ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM
17
BASIC-ENCODE
PROPER SIZE
LET D BE A DISTRIBUTION ON D AND H BE A PAIRWISE
INDEPENDENT FAMILY OF HASH FUNCTIONS
UNIFORM
ENOUGH MIN ENTROPY
THEN THE DISTRIBUTION ON S IS
STA-TISTICALLY INDISTINGUISHABLE FROM D
IF
ALLOWS SENDING C ENCODED IN SOMETHING THAT COMES
FROM D
18
BASIC - ENC ODE
LOOKS UNIFORM
LOOKS NORMAL
OOPS! I DID IT AGAIN
001
19
ROADMAP
1
USE STEGANOGRAPHY TO SHOW THAT IT IS ENOUGH THAT
ALL MESSAGES BE INDISTINGUISHABLE FROM UNIFORM
2
SHOW A TWO-PARTY COMPUTATION PROTOCOL FOR WHICH
ALL MESSAGES ARE INDISTINGUISHABLE FROM UNIFORM
20
COVERT OBLIVIOUS TRANSFER
IT IS POSSIBLE TO MODIFY AN OBLIVIOUS TRANSFER
SCHEME BY NAOR AND PINKAS SO THAT ALL MESSAGES
ARE INDISTINGUI-SHABLE FROM UNIFORM RANDOM BITS
UNIFORM
21
THE MODIFIED NAOR-PINKAS OT PLUGGED INTO YAOS
GARBLED CIRCUIT GIVES A SCHEME WITH MESSAGES
THAT ARE INDISTINGUISHABLE FROM UNIFORM
YAO

22
OOPS! MALLICIOUS ADVERSARIES CAN BREAK THIS
PROTOCOL
YOURE SO SMART BRITNEY!
WE CANNOT SIMPLY USE ZK TO FIX IT
MATH IS FUN!
F(X,Y)1
F(X,Y)1
23
THE END
24
COMPETITOR COOPERATION
TWO COMPETING ONLINE RETAILERS ARE COMPROMISED BY
A HACKER
NEITHER CAN CATCH THE HACKER BY THEMSELVES
HOWEVER, NEITHER WILL ADMIT THAT THEY WERE HACKED
UNLESS THE OTHER WAS HACKED TOO
25
WE ASSUME THAT
PARTY P CAN DRAW FROM BPh FOR ANY PLAUSIBLE h
ADVERSARY KNOWS BPh FOR ANY P, h
DDH IS HARD GIVEN gx, gy PARTIES CANT
EFFICIENTLY DISTINGUISH gxy FROM gz