On-Line/Off-Line Leakage Resilient Secure Computation Protocols [chapter]

Chaya Ganesh, Vipul Goyal, Satya Lokam
2012 Lecture Notes in Computer Science  
We study the question of designing leakage-resilient secure computation protocols. Our model is that of "only computation leaks information" with a leak-free input encoding phase. In more detail, we assume an offline phase called the input encoding phase in which each party encodes its input in a specified format. This phase is assumed to be free of any leakage and may or may not depend upon the function that needs to be jointly computed by the parties. Then finally, we have a secure computation phase in which the parties exchange messages with each other. In this phase, the adversary gets access to a leakage oracle which allows it to download a function of the computation transcript produced by an honest party to compute the next outgoing message. We present two main constructions of secure computation protocols in the above model. Our first construction is based only on the existence of (semi-honest) oblivious transfer. This construction employs an encoding phase which is dependent on the function to be computed (and the size of the encoded input is dependent on the size of the circuit of the function to be computed). Our second construction has an input encoding phase independent of the function to be computed. Hence in this construction, the parties can simply encode their input and store it as soon as it is received and then later on run secure computation for any function of their choice. Both of the above constructions tolerate complete leakage in the secure computation phase. Our second construction (with a function independent input encoding phase) makes use of a fully homomorphic encryption scheme. A natural question that arises is "can a leakage-resilient secure computation protocol with function independent input encoding be based on simpler and weaker primitives?". Towards that end, we show that any such construction would imply a secure two-party computation protocol with sub-linear communication complexity (in fact, communication complexity independent of the size of the function being computed). Finally, we also show how to extend our constructions for the continual leakage case where there is: a one time leak-free input encoding phase, a leaky secure computation phase which could be run multiple times for different functionalities (but the same input vector), and, a leaky refresh phase after each secure computation phase where the input is "re-encoded".

* IIT Madras, chaya.ganesh@gmail.com. Work done in part while visiting Microsoft Research, India.
† Microsoft Research, India, vipul@microsoft.com.
‡ Microsoft Research, India, satya@microsoft.com.

1 Please see the end of this section for a discussion of the concurrent independent work.

secure computation protocol with function independent input encoding phase be based on simpler and weaker primitives?". In fact, can we even have a leakage-resilient secure computation protocol (based on weaker primitives) where the size of the encoded input is independent of the size of the circuit of the function to be computed? Towards that end, we show that any such construction would imply a secure two-party computation protocol with sub-linear communication complexity (in fact, communication complexity independent of the size of the function being computed). Note that constructing such a protocol was a central open problem in the field of secure computation (until a construction for FHE was proposed by Gentry [Gen09]). Currently, the only known way to construct a sub-linear communication complexity secure computation protocol is to rely on an FHE scheme. Finally, we also show how to extend our constructions for the continual leakage case where there is: a one time leak-free input encoding phase, a leaky secure computation phase which could be run multiple times for different functionalities (but the same input vector), and, a leaky refresh phase after each secure computation phase where the input is "re-encoded". As before, the secure computation phase can tolerate complete leakage. However, in the refresh phase, the leakage is bounded by a parameter t (which can be any a priori chosen polynomial in the security parameter).
doi:10.1007/978-3-642-34931-7_7