Multiparty Computation (MPC) Arpita Patra

Size: px

Start display at page:

Download "Multiparty Computation (MPC) Arpita Patra"

Ursula Porter
5 years ago
Views:

1 Multiparty Computation (MPC) Arpita Patra

2 MPC offers more than Traditional Crypto! > MPC goes BEYOND traditional Crypto > Models the distributed computing applications that simultaneously demands usability and privacy of sensitive data

3 Satellite Collision in Space

4 Satellite Collision in Space NASA tracks 7,000 space crafts and 21,000 objects (space debris) in space Approximately 20,00,00,000 pairs

5 List of High-speed Collisions The 1996 collision between the French Cerise military reconnaissance satellite and debris from Ariane rocket The 2009 collision between the Iridium 33 communications satellite and the derelict Russian Kosmos 2251 spacecraft over Siberia, which resulted in the destruction of both satellites The 22 May 2013 collision between Ecuador's NEE-01 Pegaso and Argentina's CubeBug-1, and the particles of a debris cloud left over from the launch of Kosmos 1666 On Jan. 22, 2013, debris from the destroyed Chinese satellite Fengyun 1C collided with a small Russian laser-ranging retroreflector satellite called BLITS ("Ball Lens in The Space").

6 Preventing Satellite Collision in Space NASA tracks 7,000 space crafts and 21,000 objects (space debris) in space Approximately 20,00,00,000 pairs High-accuracy positional information is privy to operators National secret

7 Secure Multiparty Computation (MPC) MPC is the holy grail >> n parties P 1,...,P n some are corrupted >> P i has private input x i >> A common n-input function f Goals: >> Correctness: Compute f(x 1,x 2,..x n ) >> Privacy: Nothing beyond function output should be leaked. Applications: (Dual need of data privacy & data usability) E-voting Biometrics E-auction Data Mining Bioinformatics

8 The Goal of MPC x 1 x 2 x 3 x4 y = f(x 1,x 2,x 3,x 4 ) REAL world

9 The Goal of MPC x 1 x 2 y y y y x 3 x4 y = f(x 1,x 2,x 3,x 4 ) REAL world

10 The Goal of MPC x 1 x 2 x 1 x 2 y y Any task y y Invisible x 3 x 4 IDEAL world y = f(x 1,x 2,x 3,x 4 ) x 3 REAL world x4

11 The Goal of MPC x 1 x 2 x 1 x 2 y y y Any task y y Invisible x 3 x 4 IDEAL world y = f(x 1,x 2,x 3,x 4 ) x 3 REAL world x4

12 Important Parameters of an MPC Protocol 1. Communication Complexity (b) : Total number of bits communicated by the honest parties 2. Round Complexity (r) : Total number of rounds of interaction in the protocol

13 Two models of MPC for any function f Boolean Circuit (AND, OR, NOT, XOR) Arithmetic Circuit over finite field (Addition and Multiplication) x 1 x 2 x 3 x 4 x 1 x 2 x 3 x 4 + f(x 1, x 2, x 3, x 4 ); inputs are bits f(x 1, x 2, x 3, x 4 ); inputs are field elements Secure Circuit evaluation: Nothing other than the output gate value will be revealed

14 Threshold Adversary Assumption: any t out of n parties can be corrupted t is the threshold which t don t known

15 (n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Secret s Dealer

16 (n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n

17 (n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n Reconstruction Phase Less than t +1 parties have no info about the secret

18 (n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n Reconstruction Phase Secret s t +1 parties can reconstruct the secret

19 (n,t) Secret Sharing s Linear : (n,t) Secret Sharing of secret s For MPC: Linear (n,t) Secret Sharing Linearity: The parties can do the following s 1 s 2 from s 1 s 2 c s from c: public constant s

20 Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries Secret x is Shamir-Shared if Random polynomial of degree t x 1 x 2 x 3 x n P 1 P 2 P 3 P n

21 Reconstruction of Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries P 1 x 1 P 2 x 2 P i P 3 x 3 P n x n Lagrange s Interpolation The same is done for all P i

22 Secure Circuit Evaluation y

23 Secure Circuit Evaluation (n, t)- secret share each input 3

24 Secure Circuit Evaluation (n, t)- secret share each input 3 2. Find (n, t)-sharing of each intermediate value

25 Secure Circuit Evaluation (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value

26 Secure Circuit Evaluation (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value Linear gates: Linearity of Shamir Sharing - Non-Interactive

27 Secure Circuit Evaluation (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value Linear gates: Linearity of Shamir Sharing - Non-Interactive 48 Non-linear gate: Require degreereduction Technique. Interactive 144

28 Secure Circuit Evaluation Privacy follows (intuitively) because: No inputs of the honest parties are leaked. 2. No intermediate value is leaked. 144

29 One Significant Contribution Underlying Network: Synchronous Asynchronous NO Efficient MPC protocols

30 Synchronous Model Global Clock Channels have fixed delay x Knows how long to wait... Compute and send x... Wait to receive x

31 Asynchronous Model No Global Clock Channels have arbitrary yet finite delay x Does not Know how long to wait... Compute and send x... Wait to receive x

32 Asynchronous Model No Global Clock Channels have arbitrary yet finite delay x Does not Know how long to wait... Compute and send x... Wait to receive x

33 n parties Challenges in Asynchronous Model n parties and t corrupted x 1 Cannot wait for all Else endless waiting x 2 can afford to wait to listen from (n-t) parties x n But leads to ignoring messages of t honest parties

34 Synchronous vs. Asynchronous Linear (O(n)) overhead MPC O(n 3 ) overhead MPC Our contribution: Journal of Cryptology: O(n 2 ) overhead MPC without error DISC 14 (Full version submitted to IEEE Transactions on Information Theory): O(n) overhead MPC with negligible error Scalable Solution (par party communication is independent of no. of parties)

Adaptive Corruption stronger than Static Corruption Hackers constantly trying to break into computers running secure protocols but could do

36 Adaptive Corruption stronger than Static Corruption Hackers constantly trying to break into computers running secure protocols but could do so after the protocol has started. The attacker first looks at the communication and then decide who to corrupt (not allowed in static model)

37 Static vs. Adaptive Efficient; Constant Round MPC In-efficient; NO constant MPC Our contribution: >> TCC 14 (Full version awaiting acceptance in Journal of Cryptology): Proposed slightly restricted models (one adaptive corruption). Proposed solutions static protocols >> PODC 15 (Full version submitted to Journal of Cryptology): Proposed yet another practical model (partial erasure). Proposed solutions static protocols partial erasure)

38 Threshold Adversary Assumption: any t out of n parties can be corrupted t is the threshold which t don t known

39 (n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Secret s Dealer

40 (n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n

41 (n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n Reconstruction Phase Less than t +1 parties have no info about the secret

42 (n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n Reconstruction Phase Secret s t +1 parties can reconstruct the secret

43 (n,t) Secret Sharing s Linear : (n,t) Secret Sharing of secret s For MPC: Linear (n,t) Secret Sharing Linearity: The parties can do the following s 1 s 2 from s 1 s 2 c s from c: public constant s

44 Reconstruction of Linearly Shared Secrets The efficiency of MPC reduces to the efficiency of reconstructing a secret >> Part I: How to reconstruct a secret efficiently? > Semi-honest Model: (n,t) secret sharing and reconstruction with linear (O(n)) overhead; > Malicious Model: (n 3t+1,t) secret sharing and reconstruction with linear (O(n)) overhead; n 3t+1 is necessary and sufficient for error-free reconstruction > Malicious Model: (n 2t+1,t) secret sharing and reconstruction with linear (O(n)) overhead; n 2t+1 is necessary and sufficient for reconstruction >> Part II: How MPC reduces to reconstruction of secrets? > Semi-honest Model: Linear Overhead MPC > Malicious Model: Linear Overhead Error-free MPC with n 3t+1 > Malicious Model: Linear Overhead MPC with n 2t+1

45 Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries Secret x is Shamir-Shared if Random polynomial of degree t x 1 x 2 x 3 x n P 1 P 2 P 3 P n

46 Reconstruction of Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries P 1 x 1 P 2 x 2 P i P 3 x 3 P n x n Lagrange s Interpolation The same is done for all P i Communication Complexity (CC): O(n 2 )

47 Efficient Reconstruction of (n,t)- Shamir for Semi-honest Adversaries >> Can we do better? O(n) Easy P 1 x 1 Because we are assuming semi-honest adversaries. P 1 P 2 x 2 P 2 P 1 x P 3 x 3 P 3 P n x n P n Challenge: Linear Solution tolerating malicious adversaries

48 Reconstruction of (n 3t+1,t) - Shamir Secret Sharing for Malicious Adversaries P 1 x 1 Error Correction Possible to get back x!! P 2 x 2 >> Shamir-sharing Reed-Solomon Code (linear) with distance n-t 2t P i >> Fundamental result: distance 2 errors P 3 x x 3 P n x n x n The same is done for all P i Communication Complexity (CC): O(n 2 )

49 Efficient Reconstruction of (n 3t+1,t) - Shamir Secret Sharing for Malicious Adversaries >> Can we do better? O(n) Can we use the same trick as before? P 1 x 1 P 1 P 2 x 2 P 2 P 1 Error correct and get x P 3 x 3 P 3 P n x n P n Trick for semi-honest adversaries does not work

50 Reconstruction of (t+1) secrets with O(n 2 ) Cost for n 3t+1 a 0 b 1 P 1 a 1 Local Computation b 2 P 2 a t b n P n f(x) = a 0 + a 1 x + + a t x t b i = f(i) = a 0 + a 1 i + + a t i t Communication Complexity: O(n 2 )

51 Reconstruction of (t+1) secrets with O(n 2 ) Cost for n 3t+1 a 0 b 1 P 0 b 0 a 1 Local Computation b 2 P 1 b 1 P i >> Apply Error Correction >> Obtain f(x) a t b n P n b n f(x) = a 0 + a 1 x + + a t x t b i = f(i) = a 0 + a 1 i + + a t i t The same is done for all P i Amortized Communication CC /secret: Complexity O(n) (CC): O(n 2 )

52 Reconstruction of (n 2t+1,t) - Shamir Secret Sharing for Malicious Adversaries P 1 x 1 Error Correction NOT Possible! >> Shamir-sharing Reed-Solomon Code (linear) with distance n-t t P 2 P 3 P n x 2 x x 3 x n x n P i >> Fundamental result: distance 2 errors >> Enhance the secret sharing in such a way that a party cannot lie about his share >> If they lie, they will be detected as corrupted >> Use information-theoretic MACs

53 Information Theoretic MACs Message: MAC: a MAC K (a) MAC Key: K a, MAC K (a) Accept a, MAC K (a) Reject

54 Information Theoretic MAC a K = (α, β) from F MAC K (a) = α a + β a, MAC K (a) Accept a, MAC K (a) Reject

55 Homomorphic Information Theoretic MAC a MAC K1 (a) = α a + β 1 b MAC K2 (b) = α b + β 2 K 1 = (α, β 1 ) K 2 = (α, β 2 ) a + b MAC K (a + b) = MAC K1 (a) + MAC K2 (b) = α (a + b) + (β 1 + β 2 ) K = (α, β 1 + β 2 ) No interaction needed. We can use similar trick for multiplication by publicly known constant and again no need of interaction.

56 Enhanced Shamir-sharing: (n 2t+1,t) - Secret Sharing for Malicious Adversaries Secret s is enhanced-shamir- Shared if s is Shamir-shared + Pairwise MACs P 1 x 1 MAC 1 (x 1 ) MAC 2 (x 1 ) MAC n (x 1 ) K 1 K 2 P 2 x 2 P 3 x 3 P n x n K n The same holds for all P i Enhanced-Shamir-Sharing is also linear

57 Reconstruction of (n 2t+1,t) - Shamir Secret Sharing for Malicious Adversaries P 1 x 1 MAC i (x 1 ) P 2 x 2 MAC i (x 2 ) P i Verify with K 1. If accept, keep x 1 Verify with K 2. If accept, keep x 2 P 3 x x 3 MAC i (x 3 ) Verify with K 3. If reject, ignore x 3 P n xx n MAC i (x i (x n ) n ) Will have at least t+1 accepted shares (from the honest parties) The same is done for all P i Communication Complexity (CC): O(n 2 )

58 Efficient Reconstruction of (n 2t+1,t) Enhanced Shamir Secret Sharing for Malicious Adversaries a 0 b 1 P 0 b 0 a 1 Local Computation b 2 P 1 b 1 P i >> Apply Error Correction >> Obtain f(x) But Error Correction does not work a t b n P n b n f(x) = a 0 + a 1 x + + a t x t b i = f(i) = a 0 + a 1 i + + a t i t Does the trick for 3t+1 work? Challenge: Linear Overhead tolerating malicious adversaries for n 2t+1

59 Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 a 10 a 1i a 1t b 11 b 12 b 1n a 20 a 2i a 2t b 21 b 21 b 2n Local Computation a n0 a ni a nt b n1 b n2 b nn f 0 (x) = a 00 + a 01 x + + a 0t x t b 0j = f 0 (j) = a 00 + a 01 j + + a 0t j t j =1,..,n

60 Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 a 10 a 1i a 1t b 11 b 1i b 1n a 20 a 2i a 2t b 21 b 2i b 2n Local Computation a n0 a ni a nt b n1 b ni b nn A n.(t+1) B n.n f i (x) = a i0 + a i1 x + + a it x t b ij = f i (j) = a i0 + a i1 j + + a it j t j =1,..,n t+1 columns of B matrix are required to reconstruct A

61 Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 11 b 1i b 1n b 21 b 2i b 2n b n1 b ni b nn P 1 P i P n Communication Complexity: O(n 3 )

62 Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 11 b 1i b 1n >> If the parties honestly communicate their column to every other party, we are done. b 21 b 2i b 2n >> But there is no guarantee that a corrupted P i will do that. b n1 b ni b nn >> Prevent a party from sending a wrong column (he should be caught if he does so) P 1 P i P n Communication Complexity: O(n 3 )

63 Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 1i r 1i b 2i r 2i b ni r ni P i P j r 1i b 1i + r 2i b 2i.. + r ni b ni r 1i, r 2i.., r ni are remains hidden from everyone

64 Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 1i r 1i b 2i r 2i >> A corrupted P i will fail very high probability. >> P j will ignore P i s column b ni r ni P j Verify if the sum is same as the below (r 1i b 1i + r 2i b 2i.. + r ni b ni ) How P j can compute (r 1i b 1i + r 2i b 2i.. + r ni b ni ) without revealing his random choice.

65 Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 1i E(r 1i ) E(r 1i b 1i +..+ r ni b ni b 2i E(r 2i ) b ni E(r ni ) P j E(r 1i b 1i +..+ r ni b ni ) Decrypt r 1i b 1i +..+ r ni b ni (pk,sk): Homomorphic Encryption For each pair of parties Communication Complexity: O(n)

66 Part II: Reduction from MPC to Reconstruction of Secrets Reduction holds for any linear secret sharing

67 Secure Circuit Evaluation x 1 x 2 x 3 x 4 y c

68 Secure Circuit Evaluation y

69 Secure Circuit Evaluation (n, t)- secret share each input 3

70 Secure Circuit Evaluation (n, t)- secret share each input 3 2. Find (n, t)-sharing of each intermediate value

71 Secure Circuit Evaluation (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value

72 Secure Circuit Evaluation (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value Linear gates: Linearity of Shamir Sharing - Non-Interactive

73 Secure Circuit Evaluation (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value Linear gates: Linearity of Shamir Sharing - Non-Interactive 48 Non-linear gate: Require degreereduction Technique. Interactive 144

74 Secure Circuit Evaluation (n, t)- secret share each input Reduction to one reconstruction 2. Find (n, t)-sharing of each intermediate value Linear gates: Linearity of Shamir Sharing - Non-Interactive Non-linear gate: Require degreereduction Technique. Interactive Reduction to two reconstructions 3. Open output by Reconstruction algorithm

75 Secure Circuit Evaluation Privacy follows (intuitively) because: No inputs of the honest parties are leaked. 2. No intermediate value is leaked. 144

76 Beaver s Circuit-randomization Technique for Multiplication Don Beaver CRYPTO

77 Beaver s Circuit-randomization Technique for Multiplication a b ab 3 3 Multiplication Triple

78 Beaver s Circuit-randomization Technique for Multiplication Ex: Multiplication Triple

79 Beaver s Circuit-randomization Technique for Multiplication Ex: Multiplication Triple

80 Beaver s Circuit-randomization Technique for Multiplication Ex: Multiplication Triple

81 Beaver s Circuit-randomization Technique for Multiplication a b ab 3 3 Multiplication Triple

82 Beaver s Circuit-randomization Technique for Multiplication Random and Private a, b a b ab 3 3 Multiplication Triple

83 Beaver s Circuit-randomization Technique for Multiplication Random and Private a, b Independent of the multiplication gate a b ab 3 3 Two reconstructions Linear operations

84 Beaver s Circuit-randomization Technique for Multiplication Random and Private a, b Independent of the multiplication gate a b ab Two reconstructions Linear operations

85 Secure Circuit Evaluation Using Beaver Circuit Randomization Let M be the number of multiplication gates in the circuit x 1 x 2 x 3 x 4 3

86 Secure Circuit Evaluation Using Beaver Circuit Randomization Let M be the number of multiplication gates in the circuit Ask triple-oracle for M multiplication triples x 1 x 2 x 3 x 4 3

87 Secure Circuit Evaluation Using Beaver Circuit Randomization Let M be the number of multiplication gates in the circuit Ask triple-oracle for M multiplication triples x 1 x 2 x 3 x

88 Secure Circuit Evaluation Using Beaver Circuit Randomization

89 Secure Circuit Evaluation Using Beaver Circuit Randomization

90 Secure Circuit Evaluation Using Beaver Circuit Randomization

91 Secure Circuit Evaluation Using Beaver Circuit Randomization

92 Secure Circuit Evaluation Using Beaver Circuit Randomization

93 Secure Circuit Evaluation Using Beaver Circuit Randomization

94 Secure Circuit Evaluation Using Beaver Circuit Randomization

Why Beaver s Trick is Useful Offline Phase- Online Phase Paradigm Offline Phase: Sitting Idle, Generate as many shared triples as possible---raw data Online

95 Why Beaver s Trick is Useful Offline Phase- Online Phase Paradigm Offline Phase: Sitting Idle, Generate as many shared triples as possible---raw data Online Phase: Use the raw data for circuit evaluation. Triple generation parallelizable efficiency On the contrary, multiplications gates can not be evaluated in parallel

96 Online Complexity How efficiently can we reconstruct a shared secret? s Reconstruction cost of one shared secret = Cost Per Multiplication (asymptotically) 1. Generate shared data s 2. Implement the oracle

98 Beaver s Circuit Randomization Technique xy = ((x-a) +a)((y-b)+b) = (α + a)(β + b) = ab + α b +β a + α β xy = ab + α b a + β + α β α = x-a β = y-b

99 Beaver s Circuit Randomization Technique x y a b ab x-a xy

100 Beaver s Circuit Randomization Technique y b ab x a x-a Open α = x-a y-b Open β = y-b α b a β (α β) xy

101 Linearity of (n, t) Shamir Secret Sharing say t = 1 a

102 Linearity of (n, t) Shamir Secret Sharing say t = 1 a b a 1 a 2 a 3 a 4 b 1 b 2 b 3 b 4 each party does locally b a b 1 b 2 b 4 a 1 a 2 a 3 a 4 c 1 c 2 c 3 c

103 Linearity of (n, t) Shamir Secret Sharing say t = 1 a b a 1 a 2 a 3 a 4 Addition is Absolutely free c 1 c 2 c 3 c 4 ab b b b b 1 b 2 b 3 b 4 b a 1 a 2 a 3 a 4 a ab c 1 c 2 c 3 c

104 Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 a a 1 a 2 a 3 a

105 Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 c c c c a a 1 a 2 a 3 a

106 Linearity of (n, t) Shamir Secret Sharing say t = 1 a c is a publicly a 1 a 2 a 3 a known constant 4 c c c c a a 1 a 2 a 3 a

107 Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 c c c c a a 1 a 2 a 3 a d 1 d 2 d 3 d 4

108 Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 ca c c c c a a 1 a 2 a 3 a d 1 d 2 d 3 d 4

109 Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 d 1 d 2 d 3 d 4 ca c c c c a a 1 a 2 a 3 a d 1 d 2 d 3 d 4

110 Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 Multiplication by public constants is Absolutely free ca d 1 d 2 d 3 d 4 ca c c c c a a 1 a 2 a 3 a d 1 d 2 d 3 d 4

111 Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a

112 Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a

113 Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 d 1 d 2 d 3 d

114 Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 ab d 1 d 2 d 3 d

115 Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 ab d 1 d 2 d 3 d

116 Non-linearity of (n, t) Shamir Secret Sharing say t = 1 d 4 d 3 a a 1 a 2 a 3 a 4 d 1 d 2 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 ab d 1 d 2 d 3 d

117 Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a Multiplication of shared d 4 secrets is not free ab d 2 d a 1 a 2 a 3 a 1 4 d 3 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 ab d 1 d 2 d 3 d

118 Linear (n,t) Secret Sharing s 1 s = 2 s 1 + s 2 Linear Operation c s = c s s 1 s 2 s 2 s 1 Non-Linear Operation L

119 An Abstract Tool for the Generic Solution (n, t) LOCKED BOX REPRESENTATION A secret s is locked in the box P 1 P 2 Any t parties cannot open the box P n

120 An Abstract Tool for the Generic Solution (n, t) LOCKED BOX REPRESENTATION A secret s is locked in the box P 1 P 2 Any t parties cannot open the box P n

121 An Abstract Tool for the Generic Solution (n, t) LOCKED BOX REPRESENTATION A secret s is locked in the box P 1 P 2 P n Any t parties cannot open the box

122 An Abstract Tool for the Generic Solution (n, t) LOCKED BOX REPRESENTATION A secret s is locked in the box P 1 P 2 Any t parties cannot open the box Any (t + 1) parties can open the box P n

Introduction to Cryptography Lecture 13

Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple