Score:2

non-interactive secure computation with a twist?

cn flag

non-interactive secure computation (NISC) (introduced by this paper, followed by others) is a variant of secure 2PC/MPC defined as the following setting:

Alice publishes an encrypted version of f(*, y), such that Bob or anyone else who knows some x can construct a message m that reveals f(x, y) to Alice (without requiring any other interaction with Alice).

However, in the current proposals Bob would not be able to learn f(x, y) without the help of Alice, if I understand correctly. But that's exactly what I want. In contrast to the NISC literature, neither Bob's privacy of x nor that of f(x, y) is important to me. Just the privacy of y is important. Does anyone know if this is possible/already proposed somewhere?

us flag
Are you asking for Alice to send a single message, so that Bob learns $f(x,y)$ without sending anything himself?
Jonas Metzger avatar
cn flag
Yes! Sorry for not being clear right away
Score:3
us flag

If Alice is the only person to speak, but Bob can learn output, then the protocol must leak more than just $f(x,y)$. See:

Halevi, Lindell, Pinkas: Secure Computation on the Web: Computing without Simultaneous Interaction

Essentially, Bob can choose many different $y_i$ values and re-run the protocol to learn many different $f(x,y_i)$ outputs. Since Bob never speaks in the protocol, he can do all this "in his head", without Alice's involvement. So the best you can hope for is that the protocol leaks no more to Bob than an oracle for the residual function $f(x,\cdot)$.

For some functions $f$, achieving this "best possible" leakage is impossible. Theorem 2.3 of the paper has an example (in which $f$ is a pseudorandom function and $x$ is its seed). For other functions, "best possible" leakage is equivalent to just giving out $x$ in the clear. So it's not always clear what you can get from this limited-interaction model.

Jonas Metzger avatar
cn flag
Thank you, that's very helpful! I think you mixed up x and y relative to my original post, right?
Jonas Metzger avatar
cn flag
My setting (using my original notation): x is a message, y is a symmetric encryption key, and f(x,y) is the symmetrically encrypted message. Alice publishes f(.,y). It's fine that Bob can encrypt multiple different x_i. It's also fine is this eventually leaks y, as long as it would take more than say 1h for the public to find y given f(.,y). (I want to retrofit a protocol on top of TLS - akin to TLSNotary - in which Bob can prove to the public that he received a symmetrically encypted message from the server before knowing y. this wouldn't yet solve my problem, but be a big step towards it)
Jonas Metzger avatar
cn flag
The paper you suggested is great and on point, I have to mark this as the accepted answer. Thanks!
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.