 Hello and welcome to this talk. My name is Mark Simkin and I'm going to present the paper Blackbox Transformations from passive to covert security with public verifiability. This is joint work with Ivan Damgard and Claudia Orlandi from Ohus University. In this talk we will focus on the setting of secure computation where we have two or more parties each of those parties holding a private input and they would like to jointly compute some function such that at the end they all learn the output of the computation but none of the parties learns anything that is not trivially revealed by the output. So in particular the parties would really like to protect their inputs as much as possible. In this setting we commonly consider two types of adversaries. We consider passive adversaries which will follow the protocol specification honestly but they will still try to learn more than what they are supposed to learn by simply observing the messages that they receive and then we consider active adversaries which may deviate from the protocol description in an arbitrary fashion so they can send incorrect messages they may not respond to certain messages and such an adversary can not only potentially learn more about the private inputs of the honest parties it can also try to reduce an incorrect output of the computation. Now both of those types of adversaries have their disadvantages. Protocols that are secure against passive adversaries make a strong assumption about the behavior of the adversary and thus such protocols may not be secure enough for real world applications where we do actually want to prevent an adversary from misbehaving. On the other end of the spectrum we have active adversaries and protocols that are secure against such a strong adversary don't come for free so such protocols usually incur some computational and bandwidth overhead so actively secure protocols tend to be at least an order of magnitude slower than their passively secure counterparts. This was already observed in 2007 by Aumann and Lindell and there the authors suggested a new notion of covert adversaries which basically requires a protocol to detect any active misbehavior with some constant probability. As such the notion is placing itself in between passive and active security because it is a clearly stronger notion than passive security but because we allow the adversary to successfully cheat with some constant probability it is weaker than full active security and the hope here was to generate a notion that is good enough for real world applications but for which we can still hope to construct more efficient protocols than the ones that we have for active security. In 2012 Ashraf and Orlandi observed that we would actually like something that is a little bit stronger than just the notion of security against covert adversary. We would additionally like that the protocol is publicly verifiable which means that if the honest parties detect cheating so if the adversary does not successfully cheat in a protocol execution then the honest parties should obtain some publicly verifiable certificate that they can show to some outside observer to convince this observer from the fact that the adversary did indeed cheat and the motivation here was to disincentivize the adversary from cheating by potentially incurring a financial penalty in case cheating is detected. So what do we know so far about such protocols? In 2008 Goyal Mohaslin Smith showed how to construct garbled circuits and the multi-party version of garbled circuit based protocols called BMR with better efficiency by only requiring security against covert adversaries rather than security against active adversaries. Dungard Geisler Nielsen showed how to compile certain secret sharing based protocols that are secured in an honest majority setting into protocols that are covertly secure and in 2013 Dungard et al showed how to construct a very efficient pre-processing phase for the speech protocol that is also only covertly secure and very recently in 2019 Hong et al showed how to actually achieve very efficient garbled circuits with covert security and with public verifiability and here it should be pointed out that the first three protocols described here do not have public verifiability they just achieve the first notion of covert security and furthermore if we look at those four results we can see that three of those results provide specific protocols and only one of those results is a generic compiler and there is actually some advantage to studying compilers because if in the future we come up with some more efficient and new way of doing passively secure protocols then using the compiler we can potentially immediately obtain a covertly secure protocol or if we had such a compiler a covertly secure protocol with public verifiability and the only existing compiler that we have has some disadvantages because first of all it makes some specific assumptions about the underlying passively secure protocol that it compiles and it does not work for the two-party case because it does need an honest majority so in this work we focus on compilers that take a passively secure protocol and transform it into a protocol that is secure against covert adversaries and has public verifiability the first compiler that we present is a compiler that takes a passively secure two-party protocol that takes no private inputs from the parties and constructs a covert protocol with public verifiability and at first it may seem that a protocol that doesn't take any private inputs is useless but actually we will show that such protocols have applications in particular they are very useful for setting up correlated reminisce and using this compiler we can then construct the most efficient two-party speeds protocol with public verifiability that exists in the state and furthermore we show how to use the first compiler to obtain a second compiler that works for arbitrary two-party protocols and constructs covertly secure protocols with public verifiability by just making black box use of a passively secure protocol and oblivious transfer and lastly we also show how to extend these protocols to the multi-party setting but this is not something we will discuss in this talk so let us start with the compiler for protocols with no inputs so we have Alice and Bob they have black box access to some passively secure functionality that computes whatever they would like to compute so to execute this protocol the exchange messages according to the protocol description and at the end of this execution Alice will obtain some output a1 and Bob will obtain some output b1 because the protocol is only passively secure Alice could potentially send a maliciously form message and this would result in Bob producing an incorrect output now our first idea here is to do the same thing that virtually every single paper on covert security does namely execute the protocol many times in parallel with the idea to use some of those executions as check executions that check whether the parties behave honestly and use the last execution to actually produce the output that we want to use and here the hope is that for example Alice can do no better than just randomly guessing which execution will be used and thus has a probability of one-third of successfully cheating so what do we mean by checking an execution more concretely how such a protocol will run is both Alice and Bob will first generate commitments to a random tape for Alice and a random tape for Bob or a and rb then they will run the protocol where all random decisions that Alice or Bob will make will be deterministic functions of their random tapes after the protocol is finished the parties will reveal the random tapes that they were supposed to use by opening the commitments and then each party can check whether the messages that the parties received are consistent with the random tapes that were opened and to make this approach publicly verifiable we also would like the parties to sign the full transcript so after running the protocol both parties signed the transcript and then proceed to open the commitments and now if Alice cheats and still opens the commitment then Bob will have proof of Alice's misbehavior and can show the signed transcript and the opening of the commitment to a third party who will then be convinced of Alice's misbehavior the problem however is that Alice may simply decide to abort and to not open her execution if she doesn't like which of the executions is being checked and to avoid this we will do the following instead of publicly revealing which execution the parties will check each party will check some execution by itself so for example Bob randomly selects the first execution to check and Alice randomly selects the last execution to check but neither Alice nor Bob know which execution is checked by the other party and here the important part is that if each party checks less than half of the executions then we are guaranteed that at the end there is still at least one execution which we can use to produce the output of the computation so what does it mean to check an execution secretly Alice will use oblivious transfer to obtain the random tape for this execution and Bob will do the same and then we proceed as before so the parties execute the protocol and after the execution they can check whether everything was fine if this is the case they show which execution they checked and then they use the last execution to obtain the output and now importantly since Alice doesn't know which execution Bob checks she can only guess and if she cheats in an execution that is checked by Bob then Bob will obtain a certificate that he can show to a third party so now let us proceed with the compiler for arbitrary protocols here Alice and Bob now have private inputs x and y and our compiler will work by using something that is known as the player virtualization paradigm which works by letting Alice and Bob imagine some virtual parties in their head and then using those virtual parties in some way to execute a protocol on their behalf so what Alice and Bob will do is they will secret share their input each of the virtual parties will get one of the shares of this input and then the virtual parties will execute a passively secure protocol such that Alice and Bob in the end obtain the output of the computation since the protocol is passively secure we again have to deal with the fact that potentially one of Alice's virtual parties will misbehave and send a bad message to one of Bob's virtual parties the important observation here is that if Alice wants to cheat in the overall protocol execution then Alice has to necessarily cheat in one of those virtual parties there is no other way of misbehaving in this protocol so the idea here is again to use oblivious transfer to check some subset of these simulations of these virtual parties so for example Bob in this case will try to check the first virtual party and Alice will check the last virtual party of Bob and since Alice doesn't know which virtual party is checked the hope is that we can detect misbehavior with a probability of one-third but now we need to clarify what does it mean to check a virtual party so for this Bob needs several things Bob needs to see the random tape that this party will use Bob needs to see the input of that party and during the protocol execution Bob will need to be able to see all of the incoming and outgoing messages of this party the input and the random tape we can do via OT as we did it before and we will show how to deal with the incoming and outgoing messages in the following so recall that these are virtual parties they don't actually exist so now we need to specify what happens if a virtual party of Alice is supposed to send a message to a virtual party of Bob in this case we can let Alice faithfully simulate this virtual party and send the message directly to Bob if Bob checks this virtual party he can check whether this message is generated honestly and complain if this is not the case and implicitly here we again assume that every message that is sent by Alice also is sent along with the signature the more difficult case is when Alice has to send a message from one of her virtual parties to another of her virtual parties and the issue here is that if Bob checks either the sender or the receiver then he should be able to see the message because if he checks the sender he should be able to check whether the message is valid and if he checks the receiver then he needs to see the message to be able to check the execution at a later point because as we said before for checking a party Bob needs to see all incoming and outgoing messages of a party however if Bob does not check the sender or the receiver then Bob should have no information about the message so how do we solve this problem we for the moment assume that somehow magically Alice and Bob have some symmetric secret keys which they will use to encrypt all communications between the virtual parties and in addition we will assume that somehow Bob and Alice magically get all keys that are associated with communication channels that are connected to the parties that they check so in this case Bob checks the first virtual party of Alice so he will obtain the two communication keys that are used for talking to the second virtual parties and talking for the third virtual party and now what we will do is that Alice will encrypt the message that the first virtual party should send to the third virtual party and Alice will send this encrypted message to Bob now since Bob is checking the sender Bob has the corresponding secret key and he can decrypt the message however if the second virtual party sends a message to the third virtual party then Bob will obtain an encryption of a message under a key that he does not possess and thus he cannot see the message in the previous description of the compiler we have assumed that the parties have quite a lot of correlated randomness set up between each other so for instance we assumed that the parties all have honestly generated random tapes for all the virtual parties we have assumed that we have these symmetric keys and that Bob knows some of the symmetric keys of Alice and so on so here we'll just give like a very high level overview of how we generated this correlated randomness and for this we simply assumed that we have a passively secure functionality that generates this randomness and a bit more concretely this passively secure functionality generates commitments to all of this correlated randomness so it generates one commitment per secret key and one commitment per random tape and then it provides Bob with all of the openings that are related to his virtual parties and Alice with all the openings that are related to her virtual parties and in addition they also get the openings for the values that are related to the parties that they will check and here they don't actually choose which party they check by themselves we simply let the passively secure functionality pick a random party for each other and because this functionality doesn't get any inputs we can use our first compiler to make sure that this functionality will have covert security with public verifiability and here the important point is that now we have commitments for all of those things so we will let both parties sign those commitments before they start the protocol executions and this has the purpose that if Alice or Bob cheat during the execution then the other party will have a message with a signature which is not consistent with a random tape and in addition it will have a signature of the committed random tape and an opening thereof so it can convince a third party that this cheating did indeed happen I would like to thank you for your attention and I welcome you to read our paper which is on eprint which contains all the details that I have skipped in this talk