and Related Models AMOS BEIMEL, BEN GURION UNIVERSITY, ISRAEL EYAL - - PowerPoint PPT Presentation

The Complexity of PSM Protocols and Related Models

AMOS BEIMEL, BEN GURION UNIVERSITY, ISRAEL EYAL KUSHILEVITZ, TECHNION, ISRAEL PNINA NISSIM, BEN GURION UNIVERSITY, ISRAEL

Overview

• Introduction
• Ideas of Our Construction
• Conclusion

Private Simultaneous Messages (PSM) model [FKN94,IK97]

• Simplest communication pattern.
• Shared randomness.
• Each party sends one message.
• Correctness: the referee learns

𝑔(𝑦1, … , 𝑦𝑙).

• Security: the referee learns nothing

else.

• Communication complexity:

the length of the messages.

r r r

Goal: compute 𝑔(𝑦1, … , 𝑦𝑙)

Motivation

• PSM is an interesting problem on its own
• Simplest model of secure computation – no interaction.
• PSM implies interesting cryptographic primitives as:
• Protocols for conditional disclosure of secrets (CDS).
• Generalized oblivious transfer.
• Several generalizations of PSM have been studied:
• Non-interactive MPC [BGIKMP14].
• Ad-hoc PSM protocols [BGIK16, BIK17].

Our results – PSM protocols for arbitrary functions

• Function 𝑔 ∶

𝑂 𝑙 → {0,1}

• [FKN] – Every function has a PSM protocol with communication 𝑃(𝑂𝑙−1).

Our Work 𝑃(𝑙3 ∙ 𝑂𝑙/2)

• Num. of parties

Previous works 2 3 𝑃(𝑂2) [FKN] 4 𝑃(𝑂3) [FKN] 5 𝑃(𝑂4) [FKN] 𝑙 ≥ 6 𝑃(𝑂𝑙−1) [FKN]

Our protocols for 𝑙 ≥ 6 can handle long outputs with the same message length.

𝑃(𝑂1/2) [BIKK] 𝑃(𝑂) 𝑃(𝑂5/3) 𝑃(𝑂7/3)

Our results

More results:

• PSM protocols for functions with inputs of different sizes
• A PSM for 𝑙 parties from a PSM for 𝑢 parties (𝑢 < 𝑙)
• Applications
• Ad-hoc PSM protocols
• Homogenous distribution designs
• Non-interactive MPC protocols
• Conditional disclosure of secrets implies Secret-sharing schemes

for homogenous access structures (independently by Liu and Vaikuntanathan STOC 2018)

Overview

• Introduction
• Ideas of Our Construction
• Conclusion

The cube approach

A technique from private information retrieval of CGKS98. Starting point – view a function 𝑔: 𝑂 𝑙 → 0,1 as an ℓ- dimensional cube for some ℓ. For a set 𝑇 and an element 𝑗 : 𝑇 ⊕ {𝑗} = ቊ𝑇 ∪ 𝑗 , 𝑗 ∉ 𝑇 𝑇\{𝑗}, 𝑗 ∈ 𝑇

𝑇1, 𝑇2 ⊆ 𝑂

𝑏(𝑇1, 𝑇2) =⊕𝑏∈𝑇1,𝑐∈𝑇2 𝑔(𝑏, 𝑐)

Fact:

𝑔 𝑦, 𝑧 = 𝑏(𝑇1, 𝑇2) ⊕ 𝑏(𝑇1 ⊕ {𝑦}, 𝑇2) ⊕ 𝑏(𝑇1, 𝑇2 ⊕ {𝑧}) ⊕ 𝑏(𝑇1 ⊕ {𝑦}, 𝑇2 ⊕ {𝑧})

The cube approach – 2 dimensions

𝑦 𝑧

𝑔(𝑦, 𝑧)

𝑦 𝑧

A 2-Party PSM Protocol for 𝑔: 𝑂 × 𝑂 → {0,1}

• View 𝑔 as a 2-dimensional cube.

𝐐𝟐 𝐐𝟑

𝑦1 𝑦2 referee

A 2-Party PSM Protocol

𝐐𝟐 𝐐𝟑

𝑦1 𝑦2

𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1} 𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1}

referee

A 2-Party PSM Protocol

𝐐𝟐 𝐐𝟑

𝑦1 𝑦2

𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1} 𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1} 𝑏00 = 𝑏(𝑇1, 𝑇2) 𝑏10 = 𝑏(𝑇1 ⊕ 𝑦1 , 𝑇2)

referee

A 2-Party PSM Protocol

𝐐𝟐 𝐐𝟑

𝑦1 𝑦2

𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1} 𝑏00 ⊕ 𝑏10 ⊕ 𝑐, 𝑇1 ⊕ {𝑦1} 𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1}

referee

A 2-Party PSM Protocol

𝐐𝟐 𝐐𝟑

𝑦1 𝑦2

𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1} 𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1} 𝑏01 = 𝑏(𝑇1, 𝑇2 ⊕ {𝑦2}) 𝑏00 ⊕ 𝑏10 ⊕ 𝑐, 𝑇1 ⊕ {𝑦1}

referee

A 2-Party PSM Protocol

𝐐𝟐 𝐐𝟑

𝑦1 𝑦2

𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1} 𝑏00 ⊕ 𝑏10 ⊕ 𝑐, 𝑇1 ⊕ {𝑦1} 𝑏01 ⊕ 𝑐, 𝑇2 ⊕ {𝑦2} 𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1}

referee

A 2-Party PSM Protocol

𝐐𝟐 𝐐𝟑

𝑦1 𝑦2

𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1} 𝑏00 ⊕ 𝑏10 ⊕ 𝑐, 𝑇1 ⊕ {𝑦1} 𝑏01 ⊕ 𝑐, 𝑇2 ⊕ {𝑦2} 𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1}

referee 𝑏 𝑇1 ⊕ 𝑦1 , 𝑇2 ⊕ 𝑦2 ?

A 2-Party PSM Protocol

𝐐𝟐 𝐐𝟑

𝑦1 𝑦2

𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1} 𝑏00 ⊕ 𝑏10 ⊕ 𝑐, 𝑇1 ⊕ {𝑦1} 𝑏01 ⊕ 𝑐, 𝑇2 ⊕ {𝑦2} 𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1}

referee

A 2-Party PSM Protocol

𝐐𝟐 𝐐𝟑

𝑦1 𝑦2

𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1} 𝑏00 ⊕ 𝑏10 ⊕ 𝑐, 𝑇1 ⊕ {𝑦1} 𝑏01 ⊕ 𝑐, 𝑇2 ⊕ {𝑦2} 𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1}

Computes 𝑏11 = 𝑏 𝑇1 ⊕ 𝑦1 , 𝑇2 ⊕ 𝑦2 . referee

A 2-Party PSM Protocol

𝐐𝟐 𝐐𝟑

𝑦1 𝑦2

𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1} 𝑏00 ⊕ 𝑏10 ⊕ 𝑐, 𝑇1 ⊕ {𝑦1} 𝑏01 ⊕ 𝑐, 𝑇2 ⊕ {𝑦2} 𝑇1, 𝑇2 ⊆𝑆 𝑂 , 𝑐 ∈ {0,1}

𝑔 𝑦1, 𝑦2 = 𝑏00 ⊕ 𝑏10 ⊕ 𝑐 ⊕ 𝑏01 ⊕ 𝑐 ⊕ 𝑏11 referee

• The communication complexity of this protocol is 𝑃(𝑂).
• The same complexity as the protocol of [FKN] .
• There is a more efficient PSM protocol with communication

𝑃(𝑂

1 2) [BIKK].

A 2-Party PSM Protocol for 𝑔: 𝑂 × 𝑂 → {0,1}

A 𝑙-Party PSM Protocol

𝐐𝟐 𝐐𝒍

𝑦1 𝑦𝑙

𝐐𝒍/𝟑

𝑦𝑙

2

𝐐𝒍/𝟑+𝟐

𝑦𝑙

2+1

… …

PSM protocol for function 𝑔: 𝑂 𝑙 → {0,1} using the cube approach.

A 𝑙-Party PSM Protocol

𝐐𝟐 𝐐𝒍

𝑦1 𝑦𝑙

𝐐𝒍/𝟑

𝑦𝑙

2

𝐐𝒍/𝟑+𝟐

𝑦𝑙

2+1

… …

𝑧1 𝑧2

We view 𝑔 as a 2-dimensional cube.

A 𝑙-Party PSM Protocol

𝐐𝟐 𝐐𝟑

𝑦1 𝑦𝑙

𝐐𝒍/𝟑

𝑦𝑙

2

𝐐𝒍/𝟑+𝟐

𝑦𝑙

2+1

… …

The common randomness: 𝑇1, 𝑇2 ⊆𝑆 [𝑂𝑙/2]

𝑧1 𝑧2

A 𝑙-Party PSM Protocol

4 Cubes:

• 1. 𝑏00 = 𝑏(𝑇1, 𝑇2)
• 2. 𝑏10 = 𝑏(𝑇1 ⊕ 𝑧1 , 𝑇2)
• 3. 𝑏01 = 𝑏 𝑇1, 𝑇2 ⊕ 𝑧2
• 4. 𝑏11 = 𝑏(𝑇1 ⊕ 𝑧1 , 𝑇2 ⊕ 𝑧2 )

A 𝑙-Party PSM Protocol

4 Cubes:

• 1. 𝑏00 = 𝑏(𝑇1, 𝑇2) – Party 𝑄

1 computes 𝑏00.

• 2. 𝑏10 = 𝑏(𝑇1 ⊕ 𝑧1 , 𝑇2)
• 3. 𝑏01 = 𝑏 𝑇1, 𝑇2 ⊕ 𝑧2
• 4. 𝑏11 = 𝑏(𝑇1 ⊕ 𝑧1 , 𝑇2 ⊕ 𝑧2 )

𝑷(𝟐)

Computing

𝐐𝟐 𝐐𝟑

𝑦1 𝑦𝑙

𝐐𝒍/𝟑

𝑦𝑙

2

𝐐𝒍/𝟑+𝟐

𝑦𝑙

2+1

… …

Use a k/2-party PSM for this function

𝑧1 𝑧2

𝑏(𝑇1 ⊕ {𝑧1}, 𝑇2)

A 𝑙-Party PSM Protocol

4 Cubes:

• 1. 𝑏00 = 𝑏(𝑇1, 𝑇2)
• 2. 𝑏10 = 𝑏(𝑇1 ⊕ 𝑧1 , 𝑇2)
• 3. 𝑏01 = 𝑏 𝑇1, 𝑇2 ⊕ 𝑧2
• 4. 𝑏11 = 𝑏(𝑇1 ⊕ 𝑧1 , 𝑇2 ⊕ 𝑧2 )

𝑷(𝟐) 𝑷(𝒍𝑶𝒍/𝟑−𝟐) 𝑷(𝒍𝑶𝒍/𝟑−𝟐)

A 𝑙-Party PSM Protocol

4 Cubes:

• 1. 𝑏00 = 𝑏(𝑇1, 𝑇2)
• 2. 𝑏10 = 𝑏(𝑇1 ⊕ 𝑧1 , 𝑇2)
• 3. 𝑏01 = 𝑏 𝑇1, 𝑇2 ⊕ 𝑧2
• 4. 𝑏11 = 𝑏(𝑇1 ⊕ 𝑧1 , 𝑇2 ⊕ 𝑧2 ) – Use a PSM to send 𝑇1 ⊕ 𝑧1

and 𝑇2 ⊕ 𝑧2 to referee. 𝑷(𝟐) 𝑷(𝒍𝑶𝒍/𝟑−𝟐) 𝑷(𝒍𝑶𝒍/𝟑−𝟐)

A 𝑙-Party PSM Protocol

4 Cubes:

• 1. 𝑏00 = 𝑏(𝑇1, 𝑇2)
• 2. 𝑏10 = 𝑏(𝑇1 ⊕ 𝑧1 , 𝑇2)
• 3. 𝑏01 = 𝑏 𝑇1, 𝑇2 ⊕ 𝑧2
• 4. 𝑏11 = 𝑏(𝑇1 ⊕ 𝑧1 , 𝑇2 ⊕ 𝑧2 )

The referee can compute 𝑔(𝑧1, 𝑧2) which is the xor of the 4 cubes. Communication and randomness complexity 𝑷 𝒍𝟒𝑶𝒍/𝟑 . 𝑷(𝟐) 𝑷(𝒍𝑶𝒍/𝟑−𝟐) 𝑷(𝒍𝑶𝒍/𝟑−𝟐) 𝑷(𝒍𝟒𝑶𝒍/𝟑)

The cube approach – summary

• Num. of

parties (𝑙)

• Num. of

dimensions (ℓ) 2 4 3,4,5 3 𝑙 ≥ 6 2

[BIKK14]

The number of dimensions for functions in which the domain

• f inputs are not the same depends on the domains.

Overview

• Introduction
• Ideas of Our Construction
• Conclusion

Conclusion and open problems

• Main result: a PSM protocol for an arbitrary function

𝑔: 𝑂 𝑙 → 0,1 .

• Our construction is based on the cube approach, which is technique

from PIR.

• Can we use other techniques from PIR to improve the complexity of

PSM protocols?

• [LVW18] efficient CDS protocols
• Can we improve the complexity of PSM protocols in other ways?

Thank you!