Skip to main content

Correlated Randomness Teleportation via Semi-trusted Hardware—Enabling Silent Multi-party Computation

  • 1184 Accesses

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12973)

Abstract

With the advancement of the trusted execution environment (TEE) technologies, hardware-supported secure computing becomes increasingly popular due to its efficiency. During the protocol execution, typically, the players need to contact a third-party server for remote attestation, ensuring the validity of the involved trusted hardware component, such as Intel SGX, as well as the integrity of the computation result. When the hardware manufacturer is not fully trusted, sensitive information may be leaked to the third-party server through backdoors, steganography, and kleptography, etc. In this work, we introduce a new security notion called semi-trusted hardware model, where the adversary is allowed to passively or maliciously corrupt the hardware. Therefore, she can learn the input of the hardware component and might also tamper its output. We then show how to utilize such semi-trusted hardwares for correlated randomness teleportation. When the semi-trusted hardware is instantiated by Intel SGX, to generate 10k random OT’s, our protocol is 24X and 450X faster than the EMP-IKNP-ROT in the LAN and WAN setting, respectively. When SGX is used to teleport Garbled circuits, the resulting two-party computation protocol is 5.3-5.7X and 43-47X faster than the EMP-SH2PC in the LAN and WAN setting, respectively, for the AES-128, SHA-256, and SHA-512 evaluation. We also show how to achieve malicious security with little overhead.

Keywords

  • MPC
  • Semi-trusted hardware model
  • Garbled circuit

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-88428-4_34
  • Chapter length: 22 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-88428-4
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.

References

  1. Archer, D., et al.: ‘Bristol Fashion’ MPC Circuits (2020). https://homes.esat.kuleuven.be/~nsmart/MPC/. Accessed 5 Jan 2021

  2. Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols. In: Proceedings of the Twenty-Second Annual ACM Symposium on Theory of Computing, pp. 503–513 (1990)

    Google Scholar 

  3. Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 784–796 (2012)

    Google Scholar 

  4. Choi, J.I., et al.: A hybrid approach to secure function evaluation using SGX. In: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 100–113 (2019)

    Google Scholar 

  5. Dan, G., Jim, S.: More than 20 GB of Intel source code and proprietary data dumped online. [EB/OL]. https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/. Accessed 30 Aug 2020

  6. Felsen, S., Kiss, Á., Schneider, T., Weinert, C.: Secure and private function evaluation with Intel SGX. In: Proceedings of the 2019 ACM SIGSAC Conference on Cloud Computing Security Workshop, pp. 165–181 (2019)

    Google Scholar 

  7. Gupta, D., Mood, B., Feigenbaum, J., Butler, K., Traynor, P.: Using Intel software guard extensions for efficient two-party secure function evaluation. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 302–318. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53357-4_20

    CrossRef  Google Scholar 

  8. Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 145–161. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_9

    CrossRef  Google Scholar 

  9. Järvinen, K., Kolesnikov, V., Sadeghi, A.-R., Schneider, T.: Embedded SFE: offloading server and network using hardware tokens. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 207–221. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14577-3_17

    CrossRef  Google Scholar 

  10. Järvinen, K., Kolesnikov, V., Sadeghi, A.-R., Schneider, T.: Garbled circuits for leakage-resilience: hardware implementation and evaluation of one-time programs. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 383–397. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_26

    CrossRef  Google Scholar 

  11. Johnson, S., Scarlata, V., Rozas, C., Brickell, E., Mckeen, F.: Intel® software guard extensions: EPID provisioning and attestation services. White Paper 1(1–10), 119 (2016)

    Google Scholar 

  12. Katz, J.: Universally composable multi-party computation using tamper-proof hardware. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 115–128. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_7

    CrossRef  Google Scholar 

  13. Kolesnikov, V.: Truly efficient string oblivious transfer using resettable tamper-proof tokens. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 327–342. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_20

    CrossRef  Google Scholar 

  14. Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70583-3_40

    CrossRef  MATH  Google Scholar 

  15. Mohassel, P., Orobets, O., Riva, B.: Efficient server-aided 2PC for mobile phones. Proc. Privacy Enhanc. Technol. 2016(2), 82–99 (2016)

    CrossRef  Google Scholar 

  16. Mohassel, P., Rosulek, M., Zhang, Y.: Fast and secure three-party computation: the garbled circuit approach. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 591–602 (2015)

    Google Scholar 

  17. Naor, M., Pinkas, B., Sumner, R.: Privacy preserving auctions and mechanism design. In: Proceedings of the 1st ACM Conference on Electronic Commerce, pp. 129–139 (1999)

    Google Scholar 

  18. Pass, R., Shi, E., Tramèr, F.: Formal abstractions for attested execution secure processors. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 260–289. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_10

    CrossRef  Google Scholar 

  19. Pinkas, B., Schneider, T., Smart, N.P., Williams, S.C.: Secure two-party computation is practical. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 250–267. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_15

    CrossRef  Google Scholar 

  20. Wang, X., Malozemoff, A.J., Katz, J.: EMP-toolkit: efficient MultiParty computation toolkit (2016). https://github.com/emp-toolkit/. Accessed 5 Jan 2021

  21. Wang, X., Ranellucci, S., Katz, J.: Authenticated garbling and efficient maliciously secure two-party computation. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 21–37 (2017)

    Google Scholar 

  22. Zahur, S., Rosulek, M., Evans, D.: Two halves make a whole. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 220–250. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_8

    CrossRef  MATH  Google Scholar 

Download references

Acknowledgments

Bingsheng Zhang is supported by the “Open Project Program of Key Laboratory of Blockchain and Cyberspace Governance of Zhejiang Province” and the National Natural Science Foundation of China (Grant No. 62072401). Hong-Sheng Zhou acknowledges support by NSF grant CNS-1801470, a Google Faculty Research Award and a research gift from Ergo Platform. This work is also supported by Alibaba Group through Alibaba Innovative Research Program.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Bingsheng Zhang .

Editor information

Editors and Affiliations

A Appendix

A Appendix

1.1 A.1 Security Proof of Our Main Theorems

Due to space limitation, we only provide the security proof for malicious setting.

Proof

To prove Theorem 2, we construct a simulator \(\mathcal {S} \) such that no non-uniform PPT environment \(\mathcal {Z}\) can distinguish between (i) the real execution \(\text{ exec}^{\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]}_{\varPi _{\mathsf {2pc}}^\mathsf {GC},\mathcal {A},\mathcal {Z}}\) where the parties \(\mathcal P:= \{P_1, P_2\}\) run protocol \(\varPi _{\mathsf {2pc}}^\mathsf {GC}\) in the \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\)-hybrid model and the corrupted parties are controlled by a dummy adversary \(\mathcal {A} \) who simply forwards messages from/to \(\mathcal {Z}\), and (ii) the ideal execution \(\text{ exec}_{\mathcal {F}^f_{\mathsf {2pc}},\mathcal {S},\mathcal {Z}}\) where the parties \(P_1\) and \(P_2\) interact with functionality \(\mathcal {F}^f_{\mathsf {2pc}} \) in the ideal world, and corrupted parties are controlled by the simulator \(\mathcal {S} \). We consider following cases.

Case 1: \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) is corrupted; \(P_1\) and \(P_2\) are honest.

Simulator. The simulator \(\mathcal {S} \) internally runs \(\mathcal {A} \), forwarding messages to/from the environment \(\mathcal {Z} \). \(\mathcal {S} \) simulates the interface of \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) as well as honest parties \(P_1\) and \(P_2\). In addition, the simulator \(\mathcal {S} \) simulates the following interactions with \(\mathcal {A} \).

  • Upon receiving \((\textsc {ComputeNotify}, \mathsf {sid}, |x_2|, P_2)\) for an honest party \(P_2\) from the external \(\mathcal {F}^f_{\mathsf {2pc}} \), the simulator \(\mathcal {S} \) picks random \(x_{2,i}^0\leftarrow \{0,1\}\), for \(i\in [n_2]\), and it sends \((\mathsf {Run}, \mathsf {sid}, \langle f, \{x_{2,i}^0\}_{i\in [n_2]} \rangle )\) to \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) on behave of \(P_2\).

  • Upon receiving \((\textsc {ComputeNotify}, \mathsf {sid}, |x_1|, P_1)\) for an honest party \(P_1\) from the external \(\mathcal {F}^f_{\mathsf {2pc}} \), the simulator \(\mathcal {S} \) picks random \(k\leftarrow \{0,1\}^\lambda \), and it sends \((\mathsf {Run}, \mathsf {sid}, \langle k, f \rangle )\) to \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) on behave of \(P_1\). \(\mathcal {S} \) then generate \( (F, e, d)\leftarrow \mathsf {Gb}(1^\lambda , f^*; k)\) and parse \(e= \{(X_i^{0}, X_i^{1})\}_{i\in [n^*]}\). Subsequently, for \(i\in [n_2^*]\), \(\mathcal {S} \) sets \(\sigma ^{0}_{i}:=H(X_{i+n_1}^{0})\) and \(\sigma ^{1}_{i}:=H(X_{i+n_1}^{1})\), and it sets \(\tau =H(F,d,\{\sigma ^{0}_{i},\sigma ^{1}_{i}\}_{i\in [n_2^*]})\). \(\mathcal {S} \) then sends \(\tau \) to the simulated party \(P_2\) on behave of \(P_1\).

  • Upon receiving \((\mathsf {Run}, \mathsf {sid}, Q_i )\) from the party \(P_i\in \mathcal P \) via the interface of \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\), \(\mathcal {S} \) acts as \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) to send \((\textsc {RunNotify}, \mathsf {sid}, Q_i, P_i)\) to \(\mathcal A \). \(\mathcal {S} \) then simulates the \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) functionality as defined.

  • When the simulated party \(P_2\) receives \( (\hat{F}, \hat{d}, \{X_{i+n_1}^{x_{2,i}^0}\}_{i\in [n_2]}, \{ \hat{\sigma }_i^0,\hat{\sigma }_i^1 \}_{i\in [n_2^*]})\) from \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) and receives \(\tau \) from the simulated \(P_1\), \(P_2\) computes \(\hat{\tau }=H(\hat{F},\hat{d},\{\hat{\sigma }^{0}_{0,i},\hat{\sigma }^{1}_{0,i}\}_{i\in [n_2^*]})\) and asserts \(\hat{\tau }=\tau \). Thereafter, \(\mathcal {S} \) fetches the internal GC label information (Fed) from the simulated \(P_1\). For \(i\in [n_2]\), \(\mathcal {S} \) acts as \(P_2\) to assert \(Z_{i+n_1}=X_{i+n_1}^{x_{2,i}^0}\).

  • Upon receiving \((\textsc {Output}, \mathsf {sid}, P_2)\) from the external \(\mathcal {F}^f_{\mathsf {2pc}} \), the simulator \(\mathcal {S} \) returns \((\textsc {Deliver}, \mathsf {sid}, P_2)\) if and only if all the checks are valid.

Indistinguishability. Assume the communication between \(P_1\) and \(P_2\) is via the secure channel functionality \(\mathcal {F}_{\text {SC}} \), the views of \(\mathcal A \) and \(\mathcal {Z}\) in \(\text{ exec}^{\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]}_{\varPi _{\mathsf {2pc}}^\mathsf {GC},\mathcal {A},\mathcal {Z}}\) and \(\text{ exec}_{\mathcal {F}^f_{\mathsf {2pc}},\mathcal {S},\mathcal {Z}}\) are identical except the scenario where the real-world output y is different from the ideal-world output \(y'\). This happens when the malicious \(\mathcal {F}_{\text {HW}} [\mathsf {M}^{\mathsf {GC}}]\) provides inconsistent information, yet she manages to pass all the hash validations. It means that the adversary provides at least one different hash preimage that would hashes to the same value as the original preimage. Therefore, the simulator and the adversary can jointly outputs two messages \(m_1\ne m_2\) such that \(H(m_1) = H(m_2)\). Assume H is a collision resistant cryptographic hash function, the views of \(\mathcal A \) and \(\mathcal {Z}\) in \(\text{ exec}^{\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]}_{\varPi _{\mathsf {2pc}}^\mathsf {GC},\mathcal {A},\mathcal {Z}}\) and \(\text{ exec}_{\mathcal {F}^f_{\mathsf {2pc}},\mathcal {S},\mathcal {Z}}\) are indistinguishable.

Case 2: \(P_1\) is corrupted; \(P_2\) and \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) are honest.

Simulator. The simulator \(\mathcal {S} \) internally runs \(\mathcal {A} \), forwarding messages to/from the environment \(\mathcal {Z} \). \(\mathcal {S} \) simulates the interface of \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) as well as honest \(P_2\). In addition, the simulator \(\mathcal {S} \) simulates the following interactions with \(\mathcal {A} \).

  • Upon receiving \((\textsc {ComputeNotify}, \mathsf {sid}, |x_2|, P_2 )\) from the external \(\mathcal {F}^f_{\mathsf {2pc}} \), the simulator \(\mathcal {S} \) picks random \(x_{2,i}^0\leftarrow \{0,1\}\), for \(i\in [n_2]\), and it sends \((\mathsf {Run}, \mathsf {sid},\langle f, \{x_{2,i}^0\}_{i\in [n_2]} \rangle )\) to \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) on behave of \(P_2\). For \(i\in [n_2]\) \(\mathcal {S} \) sends random \(\hat{x}_{2,i}^1\leftarrow \{0,1\}\) to \(P_1\) on behave of \(P_2\).

  • Upon receiving \((\mathsf {Run}, \mathsf {sid}, \langle k, f \rangle )\) from \(P_1\) and \((\mathsf {Run}, \mathsf {sid}, \langle f, \{x_{2,i}^0\}_{i\in [n_2]} \rangle )\) from \(P_2\), \(\mathcal {S} \) acts as \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) to set \(f^*(x_1,(x_{2}^0,x_{2}^1))=f_1(x_1,x_{2}^0\oplus x_{2}^1)\) and generate the garbled circuit by \( (F,e,d)\leftarrow \mathsf {Gb}(1^\lambda , f^*; k)\). \(\mathcal {S} \) then parse \(e= \{(X_i^{0}, X_i^{1})\}_{i\in [n_1+2n_2]}\) and sends \((F, d, \{X_{i+n_1}^{x_{2,i}^0}\}_{i\in [n_2]},\{\sigma ^{0}_{i},\sigma ^{1}_{i}\}_{i\in [n_2^*]})\) to the simulated party \(P_2\) on behave of \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\).

  • When the simulated party \(P_2\) receives \( \{Z_i\}_{i\in [n_1]} \), \(\{Z_{i+n_1+n_2}\}_{i\in [n_2]}\) and \(\tau \) from \(P_1\), \(\mathcal {S} \) acts as \(P_2\) to compute \(\hat{\tau }=H(F,d,\{\sigma ^{0}_{i},\sigma ^{1}_{i}\}_{i\in [n_2^*]})\) and assert \(\hat{\tau }=\tau \). Thereafter, \(\mathcal {S} \) fetches the internal GC label information (Fed) from the simulated \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\). For \(i\in [n_2]\), \(\mathcal {S} \) acts as \(P_2\) to assert \(Z_{i+n_1+n_2}=X_{i+n_1+n_2}^{x_{2,i}^1}\). In addition, \(\mathcal {S} \) uses the internal GC label information (Fed) and \( \{Z_i\}_{i\in [n_1]} \) to extract \(P_1\)’s input \(x_1^*\), and it sends \((\textsc {Compute}, \mathsf {sid}, x^*_1)\) to the external \(\mathcal {F}^f_{\mathsf {2pc}} \) on behave of \(P_1\).

  • Upon receiving \((\textsc {Output}, \mathsf {sid}, P_2)\) from the external \(\mathcal {F}^f_{\mathsf {2pc}} \), the simulator \(\mathcal {S} \) returns \((\textsc {Deliver}, \mathsf {sid}, P_2)\) if and only if all the checks are valid and \(\mathcal A \) allows \(P_2\) to finish the protocol execution and obtains y.

Indistinguishability. The indistinguishability is proven through a series of hybrid worlds \(\mathcal {H}_0,\ldots ,\mathcal {H}_2\).

Hybrid \(\mathcal {H}_0\) : It is the real protocol execution \(\text{ exec}^{\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]}_{\varPi _{\mathsf {2pc}}^\mathsf {GC},\mathcal {A},\mathcal {Z}}\).

Hybrid \(\mathcal {H}_1\) : \(\mathcal {H}_1\) is the same as \(\mathcal {H}_0\) except that in \(\mathcal {H}_1\), \(P_2\) sends random \(\{ \hat{x}_{2,i}^1\}_{i\in [n_2]}\) to \(P_1\), instead of \(\{ x_{2,i}^1 := x_{2,i}^0\oplus x_{2,i} \}_{i\in [n_2]}\).

Claim

\(\mathcal {H}_1\) and \(\mathcal {H}_0\) are perfectly indistinguishable.

Proof

Since \(\{x_{2,i}^0\}_{i\in [n_2]}\) are random bits picked by \(P_2\), the distribution of \(\{ \hat{x}_{2,i}^1 \}_{i\in [n_2]}\) and \(\{ x_{2,i}^1 \}_{i\in [n_2]}\) are identical. Therefore, \(\mathcal {H}_1\) and \(\mathcal {H}_0\) are perfectly indistinguishable.

Hybrid \(\mathcal {H}_2\) : \(\mathcal {H}_2\) is the same as \(\mathcal {H}_1\) except that in \(\mathcal {H}_2\), \(P_2\) fetches the internal GC label information (Fed) from the simulated \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\), and it checks if \(Z_{i+n_1+n_2}=X_{i+n_1+n_2}^{x_{2,i}^1}\); otherwise, \(\mathcal {S} \) aborts.

Claim

If H is a collision resistant cryptographic hash function, \(\mathcal {H}_2\) and \(\mathcal {H}_1\) are indistinguishable.

Proof

The difference between \(\mathcal {H}_1\) and \(\mathcal {H}_2\) is that in \(\mathcal {H}_1\), \(P_2\) only checks \(H(Z_{i+n_1+n_2})\); whereas, in \(\mathcal {H}_2\), \(P_2\) directly checks if \(Z_{i+n_1+n_2}=X_{i+n_1+n_2}^{x_{2,i}^1}\). It is easy to see when H is a collision resistant cryptographic hash function, \(\mathcal {H}_2\) and \(\mathcal {H}_1\) are indistinguishable.

The adversary’s view of \(\mathcal {H}_2\) is identical to the simulated view \(\text{ exec}_{\mathcal {F}^f_{\mathsf {2pc}},\mathcal {S},\mathcal {Z}}\). Therefore, it is perfectly indistinguishable.

Case 3: \(P_2\) is corrupted; \(P_1\) and \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) are honest.

Simulator. The simulator \(\mathcal {S} \) internally runs \(\mathcal {A} \), forwarding messages to/from the environment \(\mathcal {Z} \). \(\mathcal {S} \) simulates the interface of \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) as well as honest \(P_1\). In addition, the simulator \(\mathcal {S} \) simulates the following interactions with \(\mathcal {A} \).

  • Upon receiving \((\textsc {ComputeNotify}, \mathsf {sid}, |x_1|, P_1 )\) from the external \(\mathcal {F}^f_{\mathsf {2pc}} \) and receiving \(\{x_{2,i}^1\}_{i\in [n_2]}\) from \(P_2\), the simulator \(\mathcal {S} \) picks random \(k\leftarrow \{0,1\}^\lambda \), and it sends \((\mathsf {Run}, \mathsf {sid}, \langle k, f \rangle )\) to \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) on behave of \(P_1\).

  • Upon receiving \((\mathsf {Run}, \mathsf {sid}, \langle k, f \rangle )\) from \(P_1\) and \((\mathsf {Run}, \mathsf {sid}, \langle f, \{x_{2,i}^0\}_{i\in [n_2]} \rangle )\) from \(P_2\), \(\mathcal {S} \) computes \(P_2\)’s input \(x^*_{2,i}:= x_{2,i}^0\oplus x_{2,i}^1\), for \(i\in [n_2]\). After that, it sends \((\textsc {Compute}, \mathsf {sid}, x^*_2)\) to the external \(\mathcal {F}^f_{\mathsf {2pc}} \) on behave of \(P_2\).

  • Upon receiving \((\textsc {Compute}, \mathsf {sid}, y)\) from the external \(\mathcal {F}^f_{\mathsf {2pc}} \) for \(P_2\), the simulator \(\mathcal {S} \) sets \(f^*(x_1,(x_{2}^0,x_{2}^1))=f_1(x_1,x_{2}^0\oplus x_{2}^1)\) and uses the GC simulator to generate \((F',X',d') \leftarrow \mathsf {Sim}(1^\lambda , y, \varPhi (f^*))\). \(\mathcal {S} \) then uses \(X'\) as the wire labels to generate \( \{Z_i\}_{i\in [n_1+2n_2]} \) as \(Z_i:= X'_i\). \(\mathcal {S} \) picks \(2n_2\) random numbers \(\hat{Z}_i\leftarrow \{0,1\}^\lambda \). For \(i\in [n_2]\), \(\mathcal {S} \) sets \(\sigma ^{x_{2,i}^0}_{i}:=H(Z_{i+n_1})\), \(\sigma ^{x_{2,i}^0\oplus 1}_{i}:=H(\hat{Z}_{i})\), \(\sigma ^{x_{2,i}^1}_{i+n_2}:=H(Z_{i+n_1+n_2}\) and \(\sigma ^{x_{2,i}^1\oplus 1}_{i+n_2}:=H(\hat{Z}_{i+n_2})\). Subsequently, \(\mathcal {S} \) sets \(\tau =H(F',d',\{\sigma ^{0}_{i},\sigma ^{1}_{i}\}_{i\in [n_2^*]})\). At last, \(\mathcal {S} \) sends \(\{Z_{i+n_1}\}_{i\in [n_2]}\) as the wire label of \(x_2^0\), \((F',d')\) as the GC tables and decode information and \(\{\sigma ^{0}_{i},\sigma ^{1}_{i}\}_{i\in [n_2^*]}\) as the hash values of \(P_2\)’s wire labels to \(P_2\) on behave of \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\), and it sends \(\{Z_{i}\}_{i\in [n_1]}\), \(\{Z_{i+n_1+n_2}\}_{i\in [n_2]}\) and \(\tau \) to \(P_2\) on behave of \(P_1\).

Indistinguishability. The indistinguishability is proven through a series of hybrid worlds \(\mathcal {H}_0,\ldots ,\mathcal {H}_2\).

Hybrid \(\mathcal {H}_0\) : It is the real protocol execution \(\text{ exec}^{\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]}_{\varPi _{\mathsf {2pc}}^\mathsf {GC},\mathcal {A},\mathcal {Z}}\).

Hybrid \(\mathcal {H}_1\) : \(\mathcal {H}_1\) is the same as \(\mathcal {H}_0\) except that \(\mathcal {H}_1\) generates different hash values by \(\sigma ^{x_{2,i}^0\oplus 1}_{i}:=H(\hat{Z}_{i})\) and \(\sigma ^{x_{2,i}^1\oplus 1}_{i+n_2}:=H(\hat{Z}_{i+n_2})\), for \(i\in [n_2]\), where \(\{\hat{Z_i}\}_{i\in [2n_2]}\) are random values.

Claim

If H is a collision resistant cryptographic hash function, \(\mathcal {H}_1\) and \(\mathcal {H}_0\) are indistinguishable.

Proof

The difference between \(\mathcal {H}_0\) and \(\mathcal {H}_1\) is that in \(\mathcal {H}_0\), \(\sigma ^{x_{2,i}^0\oplus 1}_{i}:=H(X_{i+n_1}^{x_{2,i}^0\oplus 1})\) and \(\sigma ^{x_{2,i}^1\oplus 1}_{i+n_2}:=H(X_{i+n_1+n_2}^{x_{2,i}^1\oplus 1})\); whereas, in \(\mathcal {H}_1\), \(\sigma ^{x_{2,i}^0\oplus 1}_{i}:=H(\hat{Z}_{i})\) and \(\sigma ^{x_{2,i}^1\oplus 1}_{i+n_2}:=H(\hat{Z}_{i+n_2})\). It is easy to see when H is a collision resistant cryptographic hash function, \(\mathcal {H}_1\) and \(\mathcal {H}_0\) are indistinguishable.

Hybrid \(\mathcal {H}_2\) : \(\mathcal {H}_2\) is the same as \(\mathcal {H}_1\) except that \(\mathcal {H}_2\) generates \((F',X',d') \leftarrow \mathsf {Sim}(1^\lambda , y, \varPhi (f^*))\), and then it uses \(X'\) as the wire labels to generate \( \{Z_i\}_{i\in [n_1+2n_2]} \). \(\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]\) also sends \((F',d')\) as the GC tables and decoding information to \(P_2\).

Claim

If \(\mathsf {GC}\) is simulatable private with adversarial distinguishing advantage \(\mathsf {Adv}_{\mathsf {GC}}^{\mathsf {prv.sim},\varPhi ,\mathsf {Sim}}(\mathcal A, \lambda )\), then \(\mathcal {H}_1\) and \(\mathcal {H}_0\) are indistinguishable with distinguishing advantage \(\mathsf {Adv}_{\mathsf {GC}}^{\mathsf {prv.sim},\varPhi ,\mathsf {Sim}}(\mathcal A, \lambda )\).

Proof

By the requirement of simulatable privacy in Definition 2, \((F',X',d') \leftarrow \mathsf {Sim}(1^\lambda , y, \varPhi (f^*))\) should be indistinguishable from the real one except for the adversarial distinguishing advantage \(\mathsf {Adv}_{\mathsf {GC}}^{\mathsf {prv.sim},\varPhi ,\mathsf {Sim}}(\mathcal A, \lambda )\).

The adversary’s view of \(\mathcal {H}_2\) is identical to the simulated view \(\text{ exec}_{\mathcal {F}^f_{\mathsf {2pc}},\mathcal {S},\mathcal {Z}}\). Therefore, if \(\mathsf {GC}\) is simulatable private, the views of \(\mathcal A \) and \(\mathcal {Z}\) in \(\text{ exec}^{\mathcal {F}_{\text {HW}} [\mathsf {M}^\mathsf {GC}]}_{\varPi _{\mathsf {2pc}}^\mathsf {GC},\mathcal {A},\mathcal {Z}}\) and \(\text{ exec}_{\mathcal {F}^f_{\mathsf {2pc}},\mathcal {S},\mathcal {Z}}\) are indistinguishable with distinguishing advantage

$$ \mathsf {Adv}_{\mathsf {GC}}^{\mathsf {prv.sim},\varPhi ,\mathsf {Sim}}(\mathcal A, \lambda ) = \mathsf {negl} (\lambda ). $$

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Lu, Y., Zhang, B., Zhou, HS., Liu, W., Zhang, L., Ren, K. (2021). Correlated Randomness Teleportation via Semi-trusted Hardware—Enabling Silent Multi-party Computation. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12973. Springer, Cham. https://doi.org/10.1007/978-3-030-88428-4_34

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-88428-4_34

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88427-7

  • Online ISBN: 978-3-030-88428-4

  • eBook Packages: Computer ScienceComputer Science (R0)