COMPLEXITY-THEORETIC FOUNDATIONS OF STEGANOGRAPHY AND COVERT COMPUTATION
Daniel Apon

TODAY'S TALK
We're baking a steganographic cake! Ingredients:
Normal cryptographic notions
Secure multi-party computation
And in the process we answer one of life's ultimate questions!
Alice and Bob want to jointly compute a function f(xa, xb) = ? without giving away their secrets!
How to find out if "he" or "she" is romantically interested in you, without risking embarrassment!
Hopefully we have a good handle on this! (Portrait of an invisible cake.)

WHAT IS STEGANOGRAPHY?
"See us? We're not doing anything out of the ordinary!"
"I sure hope Ward didn't notice!"
Now, onto the technical fun stuff!

PRELIMINARIES
U(·) = uniform distribution over strings, functions, or finite sets.
Given a distribution C over support X, the minimum entropy of C is:

PRELIMINARIES
The statistical distance between two distributions C and D with joint support X is:
Two sequences of distributions, {Ck}k and {Dk}k, are computationally indistinguishable (C ≈ D) if, for any PPT adversary A, the following is negligible in k:

PRELIMINARIES
A family of functions F_K(·) is called pseudorandom if the following quantity is ≤ ε, for some negligible quantity ε:

PRELIMINARIES
A cryptosystem E is called indistinguishable from random under chosen plaintext attack if the following quantity is ≤ ε, for some negligible quantity ε:

PRELIMINARIES
A channel Ch is a distribution on bit sequences with time-stamped bits, conditioned on the channel history h. Assume over blocks (e.g. symbols) of channel bits b:
Sometimes we think of channels as one-way, sometimes as bidirectional, and sometimes as supporting broadcast messages only. (They all behave pretty much how you'd expect!)
STEGANOGRAPHY
Steganographic theory and an explicit construction of a steganographic system.

STEGANOGRAPHY
Intuitively, steganographic secrecy results from messages that are indistinguishable from arbitrary distributions.
First, we need a way to encode messages to achieve arbitrary indistinguishability.
Then, we want to compose our new idea with canonical cryptographic themes to produce a functional steganographic system.

STEGANOGRAPHY
A stegosystem is a pair of probabilistic algorithms (SE, SD) such that:
SE^M takes as input a key K ∈ {0,1}^k, a hiddentext bit-string m ∈ {0,1}*, a message history h, and a sampling oracle M(h), and returns a sequence of blocks c (the stegotext) from the support of Ch.
SD^M takes as input a key K, a stegotext c, a message history h, and a sampling oracle M(h), and returns a hiddentext m.

STEGANOGRAPHY
Finally, there must be a polynomial p(k) > k such that SE^M and SD^M also satisfy the following relationship:

STEGANOGRAPHY
The Rejection Sampling function:

STEGANOGRAPHY
Lemma. The probability of failure of RS in the S1 procedure is bounded from above by 3/8 + ε.
Let the channel in question have symbols {S1, …, Sk} and assign each symbol the occurrence probabilities {p1, …, pk} respectively. Play the following bit-wise RS-based game:
1. Draw Sa from the channel. If F(N, Sa) is correct, output Sa.
2. Otherwise, draw Sb from the channel and output Sb.

STEGANOGRAPHY
How often do we "win"? Let SE denote the result of this game. Let D denote the event of a non-collision (when the two symbols drawn are different). Note that two successful outcomes are possible here:
1. The first symbol drawn maps to 0 (success). (Probability 1/2.)
2. The first symbol maps to 1 (failure), but the second symbol drawn is a different symbol that maps to 0. (Probability 1/4 · Pr[D].)

STEGANOGRAPHY
Summing over the probabilities of each of these events gives:
Let Si be a symbol with the greatest occurrence probability.
Then,
And finally,
which bounds RS's probability of failure at 3/8 + ε, which proves the lemma.

STEGANOGRAPHY
Finally, we employ an error-correcting code to recover from RS's chance to fail. Intuitively, we're equating sending messages over a noisy channel with the act of sending stegotexts when RS makes mistakes. Basically, we pad redundant parity data into our messages so that the message gets through (with overwhelming probability)!
A code with a stretch of 2n will correct for an error rate of up to 1/2. The well-known Hadamard code could easily be adapted here.

STEGANOGRAPHY
Theorem. If F_K is pseudorandom, then S1 is universally steganographically secret against chosen hiddentext attacks.

COVERT COMPUTATION
Covert computation theory, encryption transformations between distributions, and an informal construction of a two-party covert computation protocol.
"Would you like to run a covert protocol to determine if we are both members of a secret, zombie army?"

COVERT COMPUTATION
"!! Um…"

COVERT COMPUTATION
STEP 1: First, we design a covert computation protocol over the uniform channel U.
STEP 2: Then, we develop a technique to transform any stegosystem over the uniform channel into a stegosystem over an arbitrary channel B.
At the end, we have a covert computation protocol over the channel we're interested in! This is an important improvement in the overall strategy, because it modularizes and simplifies the design of covert protocols!

COVERT COMPUTATION: STEP 1
To design a covert computation protocol over U, we will begin with two cryptographic primitives:
1. Oblivious Transfer
2. Yao's Protocol for secure multi-party computation

COVERT COMPUTATION: STEP 1
Oblivious Transfer
The sender holds m1, m2, …, mn. Receiver: "I want mi." Sender: "…whatever it is!"

COVERT COMPUTATION: STEP 1
Oblivious Transfer
1. Alice generates RSA keys, including modulus N, the public exponent e, and the private exponent d, picks two random messages x0 and x1, and sends N, e, x0, and x1 to Bob.
2. Bob picks a random message k, encrypts k, adds xb to the encryption of k modulo N, and sends the result v to Alice.
3. Alice computes k0 to be the decryption of v - x0 and k1 to be the decryption of v - x1, and sends m0 + k0 and m1 + k1 to Bob.
4. Bob knows kb and so subtracts this from the corresponding message, obtaining mb from one of them.

COVERT COMPUTATION: STEP 1
Yao's Protocol
Alice (holding xa): "I can't tell you what xa is. But I want to know f(xa, xb)!!"
Bob (holding xb): "And I can't tell you what xb is… Ah ha! f(xa, xb)!!"

COVERT COMPUTATION: STEP 1
Yao's Protocol
Assume f can be expressed as a combinatorial circuit that Bob knows. (WLOG, all gates have 2-fan-out.)
1. Bob assigns two uniformly random k-bit values to each wire W of the circuit, representing the wire holding the value 0 or 1, respectively.
2. Then Bob assigns a random permutation πi over {0,1} to each wire. If a wire Wi originally had value bi, then it now has "garbled" value:
3. To each gate g, Bob assigns a unique identifier Ig and a table Tg.
4. Each gate g then uses a pseudorandom function F to "garble" its own functionality as follows:

COVERT COMPUTATION: STEP 1
Yao's Protocol
Yao's Garbled Tables
That is, each Tg outputs the XOR of a pseudorandom function applied to the two values of the "garbled" input wires and the value of the "garbled" output wire. The result is a bit string that is indistinguishable from random but that is uniquely identifiable and re-usable within the context of a specific execution of Yao's protocol.

COVERT COMPUTATION: STEP 1
Yao's Protocol
Then to compute f:
1. Bob computes garbled tables Tg and sends them to Alice.
2. As Alice computes the necessary values of each circuit input wire i, Bob and Alice perform an oblivious transfer, with Bob playing the role of sender. Alice learns the uniformly random string that represents the true value, 0 or 1 respectively, for the wire she is interested in.
3. At the end of the protocol (determined by the number of gates in the circuit), Bob applies π^-1 to the final output string to learn the value of the computed function.

COVERT COMPUTATION: STEP 1
Finally, we define a new protocol COVERT-YAO that is Yao's Protocol with the modification that all messages sent, through oblivious transfers or elsewhere in Yao's protocol, are steganographically encoded over the uniform channel by being run through a stegosystem prior to being transmitted.
Theorem. The COVERT-YAO protocol covertly realizes any functionality f for the uniform channel, U.

COVERT COMPUTATION: STEP 2
Now we need to develop a transformation algorithm that, given as input a covert computation protocol for the uniform channel U, outputs a covert computation protocol for an arbitrary channel B.
The first step is to recall the details of our previous stegosystem, and reword its description in terms of hash functions.

COVERT COMPUTATION: STEP 2
Let a pair-wise independent family of hash functions H: D → {0,1}^c be given. Let B denote an arbitrary distribution with support D. Let m be the message length, let c be the encryption of hiddentext messages by an appropriate error-correcting code, and let k be an iteration bound. Then we can reformulate S1 as follows:

COVERT COMPUTATION: STEP 2
Lemma. Let H be a hash function drawn from this family. Then we have:
That is, the statistical distance between the channel and the output of Encode is negligible. Or in other words, the two distributions are statistically indistinguishable.

COVERT COMPUTATION: STEP 2
Therefore, we can covertly transmit over B by applying Encode at the end of any message-generating process to convert the distribution of bits sent to be statistically indistinguishable from other messages in B. And so we can define the protocol as:

COVERT COMPUTATION: STEP 2
And now, the big finish!
Theorem. If Π covertly realizes the functionality f for the uniform channel, then ΣΠ covertly realizes f for the bidirectional channel B.
Corollary. COVERT-YAO is a universal, two-party covert computation protocol.

Questions?
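The bit-wise RS game from the STEGANOGRAPHY slides (draw once, draw again on a miss, decode by re-evaluating F), written out as an added example that is not part of the talk. The five-symbol channel and its probabilities, and the use of HMAC-SHA256 as the PRF F_K(N, ·), are constructed assumptions; failure_bound evaluates the 1/4 + Pr[collision]/4 expression that the 3/8 + ε lemma bounds.

```python
import hashlib
import hmac
import random

# Constructed toy channel: symbol -> occurrence probability. Every p <= 1/2,
# so the channel has min-entropy >= 1 and the lemma's 3/8 bound applies.
CHANNEL = {"the": 0.30, "a": 0.25, "and": 0.20, "of": 0.15, "is": 0.10}


def prf_bit(key: bytes, n: int, symbol: str) -> int:
    """F_K(N, symbol): low bit of HMAC-SHA256 over the counter N and the symbol.
    HMAC stands in for the PRF here; that is an assumption, not the talk's choice."""
    data = n.to_bytes(8, "big") + symbol.encode()
    return hmac.new(key, data, hashlib.sha256).digest()[-1] & 1


def draw(rng: random.Random, channel: dict) -> str:
    """Sample one symbol from the channel distribution (the oracle M(h))."""
    return rng.choices(list(channel), weights=list(channel.values()))[0]


def rs_encode_bit(key: bytes, n: int, bit: int, rng: random.Random, channel=CHANNEL) -> str:
    """One round of the RS game: keep the first draw if F maps it to `bit`,
    otherwise draw once more and send that symbol regardless (possible failure)."""
    s = draw(rng, channel)
    if prf_bit(key, n, s) == bit:
        return s
    return draw(rng, channel)


def rs_decode_bit(key: bytes, n: int, symbol: str) -> int:
    """The receiver simply re-evaluates F_K(N, symbol)."""
    return prf_bit(key, n, symbol)


def failure_bound(channel: dict) -> float:
    """Pr[fail] over a random F: 1 - (1/2 + Pr[D]/4) = 1/4 + Pr[collision]/4,
    which is <= 3/8 whenever no symbol has probability above 1/2."""
    collision = sum(p * p for p in channel.values())
    return 0.25 + 0.25 * collision


def empirical_failure_rate(key: bytes, bits, seed: int = 1, channel=CHANNEL) -> float:
    """Encode each bit under a fresh counter N and count decoding mismatches."""
    rng = random.Random(seed)
    fails = 0
    for n, b in enumerate(bits):
        fails += rs_decode_bit(key, n, rs_encode_bit(key, n, b, rng, channel)) != b
    return fails / len(bits)
```

The measured rate sits close to failure_bound(CHANNEL), which is the error rate the error-correcting code on the next slide has to absorb.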
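The four-step RSA-based oblivious transfer from STEP 1, as an added example (not the talk's code). The textbook-sized RSA parameters p = 61, q = 53, e = 17 and the sample messages are constructed for illustration; with them every value is a residue mod N, and Bob's step-4 subtraction returns exactly m_b while k_{1-b} tells him nothing about the other message.

```python
import secrets

# Constructed toy RSA parameters (textbook sizes, illustration only).
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent d


class Alice:
    """Sender: holds m0 and m1, learns nothing about Bob's choice bit."""

    def __init__(self, m0: int, m1: int):
        self.m0, self.m1 = m0 % N, m1 % N

    def step1(self):
        # Two random blinding messages x0, x1, sent with the public key.
        self.x0, self.x1 = secrets.randbelow(N), secrets.randbelow(N)
        return N, E, self.x0, self.x1

    def step3(self, v: int):
        # Decrypt both v - x0 and v - x1; exactly one of them is Bob's k.
        k0 = pow((v - self.x0) % N, D, N)
        k1 = pow((v - self.x1) % N, D, N)
        return (self.m0 + k0) % N, (self.m1 + k1) % N


class Bob:
    """Receiver: wants m_b, reveals nothing about b."""

    def __init__(self, b: int):
        self.b = b

    def step2(self, n: int, e: int, x0: int, x1: int):
        # Encrypt a random k and add x_b to the ciphertext mod N.
        self.k = secrets.randbelow(n)
        return (pow(self.k, e, n) + (x1 if self.b else x0)) % n

    def step4(self, c0: int, c1: int):
        # Subtract the known k from the message that was masked with it.
        return ((c1 if self.b else c0) - self.k) % N


def run_ot(m0: int, m1: int, b: int) -> int:
    """Run the whole exchange and return what Bob learns."""
    alice, bob = Alice(m0, m1), Bob(b)
    v = bob.step2(*alice.step1())
    return bob.step4(*alice.step3(v))
```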
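One garbled gate in the style of the Yao slides (two random k-bit labels per wire, a permutation bit π per wire, and a table T_g whose rows are F applied to the two garbled input values XOR the garbled output value), as an added example that is not the talk's code. The label length, the HMAC-SHA256 instantiation of F keyed by the gate identifier I_g, and the extra garbled bit appended to each table entry are constructed assumptions; Alice picks the row by the permuted bits alone, and Bob applies π^-1 to the result as in step 3.

```python
import hashlib
import hmac
import secrets

K = 16  # label length in bytes (the slides' k-bit wire values; constructed choice)


def prf(key_a: bytes, key_b: bytes, gate_id: int) -> bytes:
    """F applied to the two garbled input values, keyed by the gate identifier I_g."""
    return hmac.new(key_a + key_b, gate_id.to_bytes(4, "big"), hashlib.sha256).digest()[: K + 1]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_wire() -> dict:
    """Two random labels (one for 0, one for 1) and a random permutation bit pi."""
    return {"labels": (secrets.token_bytes(K), secrets.token_bytes(K)), "pi": secrets.randbits(1)}


def garble_gate(gate_id: int, wa: dict, wb: dict, wc: dict, func) -> list:
    """Bob builds T_g: row (a^pi_a, b^pi_b) holds F(k_a, k_b) XOR (k_c || c^pi_c)."""
    table = [b""] * 4
    for a in (0, 1):
        for b in (0, 1):
            c = func(a, b)
            row = ((a ^ wa["pi"]) << 1) | (b ^ wb["pi"])
            masked = wc["labels"][c] + bytes([c ^ wc["pi"]])
            table[row] = xor(prf(wa["labels"][a], wb["labels"][b], gate_id), masked)
    return table


def eval_gate(gate_id: int, table: list, ka: bytes, ga: int, kb: bytes, gb: int):
    """Alice knows only labels and garbled bits, never the plaintext wire values."""
    plain = xor(prf(ka, kb, gate_id), table[(ga << 1) | gb])
    return plain[:K], plain[K]


def demo_and_gate(a: int, b: int):
    """Garble one AND gate, evaluate it as Alice, then let Bob apply pi^-1."""
    wa, wb, wc = new_wire(), new_wire(), new_wire()
    table = garble_gate(7, wa, wb, wc, lambda x, y: x & y)
    kc, gc = eval_gate(7, table, wa["labels"][a], a ^ wa["pi"], wb["labels"][b], b ^ wb["pi"])
    # Bob, who chose pi_c, ungarbles the output bit; Alice saw only gc.
    return gc ^ wc["pi"], kc == wc["labels"][a & b]
```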