Correlated Randomness Teleportation via Semi-trusted Hardware—Enabling Silent Multi-party Computation

Abstract

With the advancement of the trusted execution environment (TEE) technologies, hardware-supported secure computing becomes increasingly popular due to its efficiency. During the protocol execution, typically, the players need to contact a third-party server for remote attestation, ensuring the validity of the involved trusted hardware component, such as Intel SGX, as well as the integrity of the computation result. When the hardware manufacturer is not fully trusted, sensitive information may be leaked to the third-party server through backdoors, steganography, and kleptography, etc. In this work, we introduce a new security notion called semi-trusted hardware model, where the adversary is allowed to passively or maliciously corrupt the hardware. Therefore, she can learn the input of the hardware component and might also tamper its output. We then show how to utilize such semi-trusted hardwares for correlated randomness teleportation. When the semi-trusted hardware is instantiated by Intel SGX, to generate 10k random OT’s, our protocol is 24X and 450X faster than the EMP-IKNP-ROT in the LAN and WAN setting, respectively. When SGX is used to teleport Garbled circuits, the resulting two-party computation protocol is 5.3-5.7X and 43-47X faster than the EMP-SH2PC in the LAN and WAN setting, respectively, for the AES-128, SHA-256, and SHA-512 evaluation. We also show how to achieve malicious security with little overhead.

A Appendix

1.1 A.1 Security Proof of Our Main Theorems

Due to space limitation, we only provide the security proof for malicious setting.

Proof

To prove Theorem 2, we construct a simulator \(\mathcal {S} \) such that no non-uniform PPT environment \(\mathcal {Z}\) can distinguish between (i) the real execution \(\text{ exec}^{\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]}_{\varPi _{\mathsf {2pc}}^\mathsf {GC},\mathcal {A},\mathcal {Z}}\) where the parties \(\mathcal P:= \{P_1, P_2\}\) run protocol \(\varPi _{\mathsf {2pc}}^\mathsf {GC}\) in the \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\)-hybrid model and the corrupted parties are controlled by a dummy adversary \(\mathcal {A} \) who simply forwards messages from/to \(\mathcal {Z}\), and (ii) the ideal execution \(\text{ exec}_{\mathcal {F}^f_{\mathsf {2pc}},\mathcal {S},\mathcal {Z}}\) where the parties \(P_1\) and \(P_2\) interact with functionality \(\mathcal {F}^f_{\mathsf {2pc}} \) in the ideal world, and corrupted parties are controlled by the simulator \(\mathcal {S} \). We consider following cases.

Case 1: \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) is corrupted; \(P_1\) and \(P_2\) are honest.

Simulator. The simulator \(\mathcal {S} \) internally runs \(\mathcal {A} \), forwarding messages to/from the environment \(\mathcal {Z} \). \(\mathcal {S} \) simulates the interface of \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) as well as honest parties \(P_1\) and \(P_2\). In addition, the simulator \(\mathcal {S} \) simulates the following interactions with \(\mathcal {A} \).

• Upon receiving \((\textsc {ComputeNotify}, \mathsf {sid}, |x_2|, P_2)\) for an honest party \(P_2\) from the external \(\mathcal {F}^f_{\mathsf {2pc}} \), the simulator \(\mathcal {S} \) picks random \(x_{2,i}^0\leftarrow \{0,1\}\), for \(i\in [n_2]\), and it sends \((\mathsf {Run}, \mathsf {sid}, \langle f, \{x_{2,i}^0\}_{i\in [n_2]} \rangle )\) to \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) on behave of \(P_2\).

• Upon receiving \((\textsc {ComputeNotify}, \mathsf {sid}, |x_1|, P_1)\) for an honest party \(P_1\) from the external \(\mathcal {F}^f_{\mathsf {2pc}} \), the simulator \(\mathcal {S} \) picks random \(k\leftarrow \{0,1\}^\lambda \), and it sends \((\mathsf {Run}, \mathsf {sid}, \langle k, f \rangle )\) to \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) on behave of \(P_1\). \(\mathcal {S} \) then generate \( (F, e, d)\leftarrow \mathsf {Gb}(1^\lambda , f^*; k)\) and parse \(e= \{(X_i^{0}, X_i^{1})\}_{i\in [n^*]}\). Subsequently, for \(i\in [n_2^*]\), \(\mathcal {S} \) sets \(\sigma ^{0}_{i}:=H(X_{i+n_1}^{0})\) and \(\sigma ^{1}_{i}:=H(X_{i+n_1}^{1})\), and it sets \(\tau =H(F,d,\{\sigma ^{0}_{i},\sigma ^{1}_{i}\}_{i\in [n_2^*]})\). \(\mathcal {S} \) then sends \(\tau \) to the simulated party \(P_2\) on behave of \(P_1\).

• Upon receiving \((\mathsf {Run}, \mathsf {sid}, Q_i )\) from the party \(P_i\in \mathcal P \) via the interface of \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\), \(\mathcal {S} \) acts as \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) to send \((\textsc {RunNotify}, \mathsf {sid}, Q_i, P_i)\) to \(\mathcal A \). \(\mathcal {S} \) then simulates the \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) functionality as defined.

• When the simulated party \(P_2\) receives \( (\hat{F}, \hat{d}, \{X_{i+n_1}^{x_{2,i}^0}\}_{i\in [n_2]}, \{ \hat{\sigma }_i^0,\hat{\sigma }_i^1 \}_{i\in [n_2^*]})\) from \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) and receives \(\tau \) from the simulated \(P_1\), \(P_2\) computes \(\hat{\tau }=H(\hat{F},\hat{d},\{\hat{\sigma }^{0}_{0,i},\hat{\sigma }^{1}_{0,i}\}_{i\in [n_2^*]})\) and asserts \(\hat{\tau }=\tau \). Thereafter, \(\mathcal {S} \) fetches the internal GC label information (F, e, d) from the simulated \(P_1\). For \(i\in [n_2]\), \(\mathcal {S} \) acts as \(P_2\) to assert \(Z_{i+n_1}=X_{i+n_1}^{x_{2,i}^0}\).

• Upon receiving \((\textsc {Output}, \mathsf {sid}, P_2)\) from the external \(\mathcal {F}^f_{\mathsf {2pc}} \), the simulator \(\mathcal {S} \) returns \((\textsc {Deliver}, \mathsf {sid}, P_2)\) if and only if all the checks are valid.

Indistinguishability. Assume the communication between \(P_1\) and \(P_2\) is via the secure channel functionality \(\mathcal {F}_{\text {SC}} \), the views of \(\mathcal A \) and \(\mathcal {Z}\) in \(\text{ exec}^{\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]}_{\varPi _{\mathsf {2pc}}^\mathsf {GC},\mathcal {A},\mathcal {Z}}\) and \(\text{ exec}_{\mathcal {F}^f_{\mathsf {2pc}},\mathcal {S},\mathcal {Z}}\) are identical except the scenario where the real-world output y is different from the ideal-world output \(y'\). This happens when the malicious \(\mathcal {F}_{\text {HW}} [\mathsf {M}^{\mathsf {GC}}]\) provides inconsistent information, yet she manages to pass all the hash validations. It means that the adversary provides at least one different hash preimage that would hashes to the same value as the original preimage. Therefore, the simulator and the adversary can jointly outputs two messages \(m_1\ne m_2\) such that \(H(m_1) = H(m_2)\). Assume H is a collision resistant cryptographic hash function, the views of \(\mathcal A \) and \(\mathcal {Z}\) in \(\text{ exec}^{\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]}_{\varPi _{\mathsf {2pc}}^\mathsf {GC},\mathcal {A},\mathcal {Z}}\) and \(\text{ exec}_{\mathcal {F}^f_{\mathsf {2pc}},\mathcal {S},\mathcal {Z}}\) are indistinguishable.

Case 2: \(P_1\) is corrupted; \(P_2\) and \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) are honest.

Simulator. The simulator \(\mathcal {S} \) internally runs \(\mathcal {A} \), forwarding messages to/from the environment \(\mathcal {Z} \). \(\mathcal {S} \) simulates the interface of \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) as well as honest \(P_2\). In addition, the simulator \(\mathcal {S} \) simulates the following interactions with \(\mathcal {A} \).

• Upon receiving \((\textsc {ComputeNotify}, \mathsf {sid}, |x_2|, P_2 )\) from the external \(\mathcal {F}^f_{\mathsf {2pc}} \), the simulator \(\mathcal {S} \) picks random \(x_{2,i}^0\leftarrow \{0,1\}\), for \(i\in [n_2]\), and it sends \((\mathsf {Run}, \mathsf {sid},\langle f, \{x_{2,i}^0\}_{i\in [n_2]} \rangle )\) to \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) on behave of \(P_2\). For \(i\in [n_2]\) \(\mathcal {S} \) sends random \(\hat{x}_{2,i}^1\leftarrow \{0,1\}\) to \(P_1\) on behave of \(P_2\).

• Upon receiving \((\mathsf {Run}, \mathsf {sid}, \langle k, f \rangle )\) from \(P_1\) and \((\mathsf {Run}, \mathsf {sid}, \langle f, \{x_{2,i}^0\}_{i\in [n_2]} \rangle )\) from \(P_2\), \(\mathcal {S} \) acts as \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) to set \(f^*(x_1,(x_{2}^0,x_{2}^1))=f_1(x_1,x_{2}^0\oplus x_{2}^1)\) and generate the garbled circuit by \( (F,e,d)\leftarrow \mathsf {Gb}(1^\lambda , f^*; k)\). \(\mathcal {S} \) then parse \(e= \{(X_i^{0}, X_i^{1})\}_{i\in [n_1+2n_2]}\) and sends \((F, d, \{X_{i+n_1}^{x_{2,i}^0}\}_{i\in [n_2]},\{\sigma ^{0}_{i},\sigma ^{1}_{i}\}_{i\in [n_2^*]})\) to the simulated party \(P_2\) on behave of \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\).

• When the simulated party \(P_2\) receives \( \{Z_i\}_{i\in [n_1]} \), \(\{Z_{i+n_1+n_2}\}_{i\in [n_2]}\) and \(\tau \) from \(P_1\), \(\mathcal {S} \) acts as \(P_2\) to compute \(\hat{\tau }=H(F,d,\{\sigma ^{0}_{i},\sigma ^{1}_{i}\}_{i\in [n_2^*]})\) and assert \(\hat{\tau }=\tau \). Thereafter, \(\mathcal {S} \) fetches the internal GC label information (F, e, d) from the simulated \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\). For \(i\in [n_2]\), \(\mathcal {S} \) acts as \(P_2\) to assert \(Z_{i+n_1+n_2}=X_{i+n_1+n_2}^{x_{2,i}^1}\). In addition, \(\mathcal {S} \) uses the internal GC label information (F, e, d) and \( \{Z_i\}_{i\in [n_1]} \) to extract \(P_1\)’s input \(x_1^*\), and it sends \((\textsc {Compute}, \mathsf {sid}, x^*_1)\) to the external \(\mathcal {F}^f_{\mathsf {2pc}} \) on behave of \(P_1\).

• Upon receiving \((\textsc {Output}, \mathsf {sid}, P_2)\) from the external \(\mathcal {F}^f_{\mathsf {2pc}} \), the simulator \(\mathcal {S} \) returns \((\textsc {Deliver}, \mathsf {sid}, P_2)\) if and only if all the checks are valid and \(\mathcal A \) allows \(P_2\) to finish the protocol execution and obtains y.

Indistinguishability. The indistinguishability is proven through a series of hybrid worlds \(\mathcal {H}_0,\ldots ,\mathcal {H}_2\).

Hybrid \(\mathcal {H}_0\) : It is the real protocol execution \(\text{ exec}^{\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]}_{\varPi _{\mathsf {2pc}}^\mathsf {GC},\mathcal {A},\mathcal {Z}}\).

Hybrid \(\mathcal {H}_1\) : \(\mathcal {H}_1\) is the same as \(\mathcal {H}_0\) except that in \(\mathcal {H}_1\), \(P_2\) sends random \(\{ \hat{x}_{2,i}^1\}_{i\in [n_2]}\) to \(P_1\), instead of \(\{ x_{2,i}^1 := x_{2,i}^0\oplus x_{2,i} \}_{i\in [n_2]}\).

Claim

\(\mathcal {H}_1\) and \(\mathcal {H}_0\) are perfectly indistinguishable.

Proof

Since \(\{x_{2,i}^0\}_{i\in [n_2]}\) are random bits picked by \(P_2\), the distribution of \(\{ \hat{x}_{2,i}^1 \}_{i\in [n_2]}\) and \(\{ x_{2,i}^1 \}_{i\in [n_2]}\) are identical. Therefore, \(\mathcal {H}_1\) and \(\mathcal {H}_0\) are perfectly indistinguishable.

Hybrid \(\mathcal {H}_2\) : \(\mathcal {H}_2\) is the same as \(\mathcal {H}_1\) except that in \(\mathcal {H}_2\), \(P_2\) fetches the internal GC label information (F, e, d) from the simulated \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\), and it checks if \(Z_{i+n_1+n_2}=X_{i+n_1+n_2}^{x_{2,i}^1}\); otherwise, \(\mathcal {S} \) aborts.

Claim

If H is a collision resistant cryptographic hash function, \(\mathcal {H}_2\) and \(\mathcal {H}_1\) are indistinguishable.

Proof

The difference between \(\mathcal {H}_1\) and \(\mathcal {H}_2\) is that in \(\mathcal {H}_1\), \(P_2\) only checks \(H(Z_{i+n_1+n_2})\); whereas, in \(\mathcal {H}_2\), \(P_2\) directly checks if \(Z_{i+n_1+n_2}=X_{i+n_1+n_2}^{x_{2,i}^1}\). It is easy to see when H is a collision resistant cryptographic hash function, \(\mathcal {H}_2\) and \(\mathcal {H}_1\) are indistinguishable.

The adversary’s view of \(\mathcal {H}_2\) is identical to the simulated view \(\text{ exec}_{\mathcal {F}^f_{\mathsf {2pc}},\mathcal {S},\mathcal {Z}}\). Therefore, it is perfectly indistinguishable.

Case 3: \(P_2\) is corrupted; \(P_1\) and \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) are honest.

Simulator. The simulator \(\mathcal {S} \) internally runs \(\mathcal {A} \), forwarding messages to/from the environment \(\mathcal {Z} \). \(\mathcal {S} \) simulates the interface of \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) as well as honest \(P_1\). In addition, the simulator \(\mathcal {S} \) simulates the following interactions with \(\mathcal {A} \).

• Upon receiving \((\textsc {ComputeNotify}, \mathsf {sid}, |x_1|, P_1 )\) from the external \(\mathcal {F}^f_{\mathsf {2pc}} \) and receiving \(\{x_{2,i}^1\}_{i\in [n_2]}\) from \(P_2\), the simulator \(\mathcal {S} \) picks random \(k\leftarrow \{0,1\}^\lambda \), and it sends \((\mathsf {Run}, \mathsf {sid}, \langle k, f \rangle )\) to \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) on behave of \(P_1\).

• Upon receiving \((\mathsf {Run}, \mathsf {sid}, \langle k, f \rangle )\) from \(P_1\) and \((\mathsf {Run}, \mathsf {sid}, \langle f, \{x_{2,i}^0\}_{i\in [n_2]} \rangle )\) from \(P_2\), \(\mathcal {S} \) computes \(P_2\)’s input \(x^*_{2,i}:= x_{2,i}^0\oplus x_{2,i}^1\), for \(i\in [n_2]\). After that, it sends \((\textsc {Compute}, \mathsf {sid}, x^*_2)\) to the external \(\mathcal {F}^f_{\mathsf {2pc}} \) on behave of \(P_2\).

• Upon receiving \((\textsc {Compute}, \mathsf {sid}, y)\) from the external \(\mathcal {F}^f_{\mathsf {2pc}} \) for \(P_2\), the simulator \(\mathcal {S} \) sets \(f^*(x_1,(x_{2}^0,x_{2}^1))=f_1(x_1,x_{2}^0\oplus x_{2}^1)\) and uses the GC simulator to generate \((F',X',d') \leftarrow \mathsf {Sim}(1^\lambda , y, \varPhi (f^*))\). \(\mathcal {S} \) then uses \(X'\) as the wire labels to generate \( \{Z_i\}_{i\in [n_1+2n_2]} \) as \(Z_i:= X'_i\). \(\mathcal {S} \) picks \(2n_2\) random numbers \(\hat{Z}_i\leftarrow \{0,1\}^\lambda \). For \(i\in [n_2]\), \(\mathcal {S} \) sets \(\sigma ^{x_{2,i}^0}_{i}:=H(Z_{i+n_1})\), \(\sigma ^{x_{2,i}^0\oplus 1}_{i}:=H(\hat{Z}_{i})\), \(\sigma ^{x_{2,i}^1}_{i+n_2}:=H(Z_{i+n_1+n_2}\) and \(\sigma ^{x_{2,i}^1\oplus 1}_{i+n_2}:=H(\hat{Z}_{i+n_2})\). Subsequently, \(\mathcal {S} \) sets \(\tau =H(F',d',\{\sigma ^{0}_{i},\sigma ^{1}_{i}\}_{i\in [n_2^*]})\). At last, \(\mathcal {S} \) sends \(\{Z_{i+n_1}\}_{i\in [n_2]}\) as the wire label of \(x_2^0\), \((F',d')\) as the GC tables and decode information and \(\{\sigma ^{0}_{i},\sigma ^{1}_{i}\}_{i\in [n_2^*]}\) as the hash values of \(P_2\)’s wire labels to \(P_2\) on behave of \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\), and it sends \(\{Z_{i}\}_{i\in [n_1]}\), \(\{Z_{i+n_1+n_2}\}_{i\in [n_2]}\) and \(\tau \) to \(P_2\) on behave of \(P_1\).

Indistinguishability. The indistinguishability is proven through a series of hybrid worlds \(\mathcal {H}_0,\ldots ,\mathcal {H}_2\).

Hybrid \(\mathcal {H}_0\) : It is the real protocol execution \(\text{ exec}^{\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]}_{\varPi _{\mathsf {2pc}}^\mathsf {GC},\mathcal {A},\mathcal {Z}}\).

Hybrid \(\mathcal {H}_1\) : \(\mathcal {H}_1\) is the same as \(\mathcal {H}_0\) except that \(\mathcal {H}_1\) generates different hash values by \(\sigma ^{x_{2,i}^0\oplus 1}_{i}:=H(\hat{Z}_{i})\) and \(\sigma ^{x_{2,i}^1\oplus 1}_{i+n_2}:=H(\hat{Z}_{i+n_2})\), for \(i\in [n_2]\), where \(\{\hat{Z_i}\}_{i\in [2n_2]}\) are random values.

Claim

If H is a collision resistant cryptographic hash function, \(\mathcal {H}_1\) and \(\mathcal {H}_0\) are indistinguishable.

Proof

The difference between \(\mathcal {H}_0\) and \(\mathcal {H}_1\) is that in \(\mathcal {H}_0\), \(\sigma ^{x_{2,i}^0\oplus 1}_{i}:=H(X_{i+n_1}^{x_{2,i}^0\oplus 1})\) and \(\sigma ^{x_{2,i}^1\oplus 1}_{i+n_2}:=H(X_{i+n_1+n_2}^{x_{2,i}^1\oplus 1})\); whereas, in \(\mathcal {H}_1\), \(\sigma ^{x_{2,i}^0\oplus 1}_{i}:=H(\hat{Z}_{i})\) and \(\sigma ^{x_{2,i}^1\oplus 1}_{i+n_2}:=H(\hat{Z}_{i+n_2})\). It is easy to see when H is a collision resistant cryptographic hash function, \(\mathcal {H}_1\) and \(\mathcal {H}_0\) are indistinguishable.

Hybrid \(\mathcal {H}_2\) : \(\mathcal {H}_2\) is the same as \(\mathcal {H}_1\) except that \(\mathcal {H}_2\) generates \((F',X',d') \leftarrow \mathsf {Sim}(1^\lambda , y, \varPhi (f^*))\), and then it uses \(X'\) as the wire labels to generate \( \{Z_i\}_{i\in [n_1+2n_2]} \). \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) also sends \((F',d')\) as the GC tables and decoding information to \(P_2\).

Claim

If \(\mathsf {GC}\) is simulatable private with adversarial distinguishing advantage \(\mathsf {Adv}_{\mathsf {GC}}^{\mathsf {prv.sim},\varPhi ,\mathsf {Sim}}(\mathcal A, \lambda )\), then \(\mathcal {H}_1\) and \(\mathcal {H}_0\) are indistinguishable with distinguishing advantage \(\mathsf {Adv}_{\mathsf {GC}}^{\mathsf {prv.sim},\varPhi ,\mathsf {Sim}}(\mathcal A, \lambda )\).

Proof

By the requirement of simulatable privacy in Definition 2, \((F',X',d') \leftarrow \mathsf {Sim}(1^\lambda , y, \varPhi (f^*))\) should be indistinguishable from the real one except for the adversarial distinguishing advantage \(\mathsf {Adv}_{\mathsf {GC}}^{\mathsf {prv.sim},\varPhi ,\mathsf {Sim}}(\mathcal A, \lambda )\).

The adversary’s view of \(\mathcal {H}_2\) is identical to the simulated view \(\text{ exec}_{\mathcal {F}^f_{\mathsf {2pc}},\mathcal {S},\mathcal {Z}}\). Therefore, if \(\mathsf {GC}\) is simulatable private, the views of \(\mathcal A \) and \(\mathcal {Z}\) in \(\text{ exec}^{\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]}_{\varPi _{\mathsf {2pc}}^\mathsf {GC},\mathcal {A},\mathcal {Z}}\) and \(\text{ exec}_{\mathcal {F}^f_{\mathsf {2pc}},\mathcal {S},\mathcal {Z}}\) are indistinguishable with distinguishing advantage

$$ \mathsf {Adv}_{\mathsf {GC}}^{\mathsf {prv.sim},\varPhi ,\mathsf {Sim}}(\mathcal A, \lambda ) = \mathsf {negl} (\lambda ). $$