Efficient Covert Two-Party Computation

Covert computation (of general functions) strengthens the notion of secure computation so that the computation hides not only everything about the participants’ inputs, except for what is revealed by the function output, but it also hides the very fact that the computation is taking place, by ensuring that protocol participants are indistinguishable from random beacons, except when the function output explicitly reveals the fact that a computation took place. General covert computation protocols proposed before have non-constant round complexity [19, 4] and their efficiency is orders of magnitude away from non-covert secure computation. Furthermore, [10] showed that constant-round covert computation of non-trivial functionalities with black-box simulation is impossible in the plain model. However, the lower-bound of [10] does not disallow constant-round covert computation given some relaxation in the computation model. Indeed, we propose the first constant-round protocol for Covert Two-Party Computation (2PC) of general functions secure against malicious adversaries in the Common Reference String (CRS) model. Our protocol is a covert variant of a well-known paradigm in standard, i.e. non-covert, secure 2PC, using cut-and-choose technique over O(security parameter) copies of Yao’s garbled circuit. Remarkably, the proposed protocol is efficiencywise in the same ballpark as existing non-covert constant-round 2PC protocols secure against malicious players. As an added benefit, the protocol remains covert under concurrent composition. An essential tool in the protocol is a concurrently secure covert zeroknowledge and simulation-sound Conditional KEM (CKEM) for arithmetic languages in prime-order groups. We show how to realize covert zero-knowledge and simulation-sound CKEM’s for such languages in the Random Oracle Model, based on the covert CKEM’s of [13], and in the CRS model, based on the Implicit Zero-Knowledge arguments of Benhamouda et al. [2]. The ROM-based covert CKEM’s match the cost of known ROM-based NIZK’s for the same languages, while the CRS-model CKEM’s are 2-4 times more expensive.