Multiparty Computation

Transcription

1 Multiparty Computation

2 Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour: Semi-honest will follow the protocol as prescribed, but tries to deduce extra information from what it sees. Malicious will not necessarily follow the protocol. Party P i has the bit-string x i {0, 1} l. Party P i wants to learn y i, where (y 1,...,y n ) = f(x 1,...,x n ). No party P i may learn anything beyond x i and y i. 2 / 32

3 Examples Two millionaires want to determine who is richer. Revealing one s net worth to the other party means losing one s face if the other party turns out to be much richer. Alice and Bob are considering to start dating each other. Revealing that one is interesting in dating means losing one s face if the other party is not interested. Three cryptographers are dining in a restaurant. The waiter informs them that the bill has already been payed. The cryptographers want to know whether the payer was one of them (who wants to remain anonymous) or the NSA. Everything else... 3 / 32

4 Pieces The number of parties n. n = 2 n 3 A function f, represented as a Boolean circuit. Deterministic or randomized. Common output or separate outputs. A n-party protocol Π. Two main techniques: Garbled circuits Secret-sharing the values on wires. The adversary (a coalition of parties) maximum size semi-honest or malicious non-adaptive or adaptive 4 / 32

5 Security definition Consider the deterministic two-party, semi-honest case. A protocol Π securely evaluates the function f(x 1,x 2 ) if there exist PPT simulators S 1 and S 2, such that for all x 1 and x 2 : The distribution of S 1 (x 1,f 1 (x 1,x 2 )) is indistinguishable from the view of the first party in the execution of Π(x 1,x 2 ). The distribution of S 2 (x 2,f 2 (x 1,x 2 )) is indistinguishable from the view of the second party in the execution of Π(x 1,x 2 ). 5 / 32

6 Security definition Consider the randomized two-party, semi-honest case. A protocol Π securely evaluates the randomized function f(x 1,x 2 ) if there exist PPT simulators S 1 and S 2, such that for all x 1 and x 2 : The following two distributions are indistinguishable (for i {1, 2}): 1. First distribution: sample (y 1,y 2 ) f(x 1,x 2 ); run S i (x i,y 1,y 2 ). 2. Second distribution: sample tr Π(x 1,x 2 ); take (View 1 (tr),result 2 (tr)). 6 / 32

7 Exercises Show that the secure evaluation of a randomized f is reducible to the secure evaluation of some deterministic f. Show that the secure evaluation of some f with separate outputs for all parties is reducible to the secure evaluation of some f with common output. 7 / 32

8 Example functionality f(x,y) = (x? = y,x? < y) (common output). For one-bit x and y: x y & 8 / 32

9 Example functionality For 2k-bit x and y: x 1...k y 1...k x k+1...2k y k+1...2k k-bit k-bit & & 9 / 32

10 Example functionality For 4-bit x and y: x 1 y 1 x 2 y 2 x 3 y 3 x 4 y 4 & & & & & & & & & & 10 / 32

11 Evaluating a circuit Each internal gate g is determined by the function it computes: 0 0 g(00) 0 1 g(01) 1 0 g(10) 1 1 g(11) The values of input gates are the bits of x and y. The value of an internal gate is found from its inputs. Computed from top to bottom. The value of an output gate is its input. 11 / 32

12 Garbling a circuit For each input and internal gate g, generate two (symmetric) encryption keys k 0 g and k 1 g. Let g be an internal gate. Let g 1 and g 2 provide the two inputs to g. Compute {{k g(00) g } r 2 k 0 g 2 } r 1 k 0 g 1, {{k g(01) g } r 4 k 1 g 2 } r 3 k 0 g 1, {{k g(10) g } r 6 k 0 g 2 } r 5 k 1 g 1, {{k g(11) g } r 8 k 1 g 2 } r 7 k 1 g 1 The encoding of an internal gate g is a random permutation of these four values. Let g provide the input to some output gate. The encoding of this output gate is ({0} k 0 g, {1} k 1 g ) or ({1} k 1 g, {0} k 0 g ). The encoding of a circuit maps each internal and output gate to its encoding. 12 / 32

13 Evaluating a garbled circuit Let the input gates be g 1,...,g l. Let the input be b 1 b l. Somehow obtain k b 1 g 1,...,k b l g l. Do not obtain k b 1 g 1,...,k b l g l. Let g be an internal gate. Let (m 1,m 2,m 3,m 4 ) be its encoding. Let g and g provide the inputs to g. Let us know a key k corresponding to g. Let us know a key k corresponding to g. Try to decrypt: compute D k (D k (m i )) for 1 i 4. Let k be the result of successful decryption. This key corresponds to g. At an output gate we can decrypt one of the ciphertexts, giving us either the bit 0 or the bit / 32

14 The protocol Π Both parties have agreed on the circuit that computes f. Party P 1 prepares the garbled circuit and sends it to P 2. P 1 sends to P 2 the keys k x 1 1,...,k x l l corresponding to its input x going into the input gates g 1,...,g l. Party P 1 and P 2 run a protocol, resulting in P 2 learning the keys k y 1 l+1,...,ky l 2l corresponding to its input y going into the input gates g l+1,...,g 2l ; P 1 not learning anything new at all. P 2 evaluates the garbled circuit, eventually learning f(x,y). P 2 sends f(x,y) back to P / 32

15 Oblivious transfer A special case of two-party computation. P 1 (sender) has l-bit strings m 1,...,m n. P 2 (receiver) has an integer i {1,...,n}. P 2 should learn m i and nothing else. P 1 should learn nothing. 15 / 32

16 Oblivious transfer A special case of two-party computation. P 1 (sender) has l-bit strings m 1,...,m n. P 2 (receiver) has an integer i {1,...,n}. P 2 should learn m i and nothing else. P 1 should learn nothing. Let E be a trapdoor permutation of some set X including {0, 1} l. for example RSA. Let (k e,k d ) be the public and secret key of P 1. P 2 randomly chooses r 1,...,r n X. He defines { r j, if j i z j := E ke (r j ), if j = i and sends (z 1,...,z n ) to P 1. P 2 computes w j := m j E 1 k d (z j ) and sends (w 1,...,w n ) to P 1. a group operation on X P 1 finds m i as w i r 1 i. 15 / 32

17 Exercise Show that the preceeding protocol securely performs oblivious transfer in the presence of semi-honest adversaries. I.e. construct the simulators. 16 / 32

18 Exercise Show that the preceeding protocol securely performs oblivious transfer in the presence of semi-honest adversaries. I.e. construct the simulators. This simulation is not quite correct, though. E ke (r) reveals some information about r. But each trapdoor permutation has a hardcore bit B. If m 1,...,m n are just 1 bit long, then the sender may define w j := m j B(E 1 k d (z j )). The receiver recovers m i as w i B(r i ). 16 / 32

19 Correctness of the protocol Π Trace of the first party: Random coins for all the keys and encryptions. Traces of the OT-protocol as the sender. The final result. Trace of the second party: A garbled circuit and the keys corresponding to the input bits. Traces of the OT-protocol as the receiver. Exercise. Construct a simulator for the first party. 17 / 32

20 Simulator for P 2 For each input or internal gate g, generate two keys k g, k g. The simulated encoding of the gate g g 1,g 2 is {{k g } r 2 k g2 } r 1 k g1, {{k g } r 4 k g2 } r 3 k g1, {{k g } r 6 k g2 } r 5 k g1, {{k g } r 8 k g2 } r 7 k g1 The simulated encoding of an output gate g is ({z} r 1 k g, {z} r 2 k g ), where z is the output bit corresponding to this gate. The simulated trace consists of simulated garbled circuit; the keys k 1,...,k l ; Simulated traces of the OT-protocol as the receiver, resulting in the keys k l+1,...,k 2l. 18 / 32

21 Example comparing one bit Let x 0 = 0, y 0 = 1. Then the output bits are (0, 1). The real view is k1 0,k1 2,{{{k1 3 }r 2 } r k2 0 1, {{k 0 k1 0 3 }r 4 } r k2 1 3, {{k 0 k1 0 3 }r 6 } r k2 0 5, {{k 1 k1 1 3 }r 8 } r k2 1 7 k1}, 1 {{{k4} 0 r 10} r k2 0 9 k1 0 The simulated view is, {{k 1 4} r 12 k 1 2 } r 11 k 0 1, {{k 0 4} r 14 k 0 2 {{0} r 17 k 0 3 } r 13 k 1 1, {{k 0 4} r 16 k 1 2, {1} r 18 k 1 3 } r 15}, k1 1 },{{0} r 19 k 0 4 k 1,k 2,{{{k 3 } r 2 k 2 } r 1 k 1, {{k 3 } r 4 k 2 } r 3 k 1, {{k 3 } r 6 k 2 } r 5 k 1, {{k 3 } r 8 k 2 } r 7 k 1 }, {{{k 4 } r 10 k 2 } r 9 k 1, {{k 4 } r 12 k 2 } r 11 k 1, {{k 4 } r 14 k 2 } r 13 k 1, {{k 4 } r 16 k 2 } r 15 k 1 },, {1} r 20} k4 1 {{0} r 17 k 3, {0} r 18 k 3 },{{1} r 19 k 4, {1} r 20 k 4 } 19 / 32

22 The real pattern The real view is k1,k 0 2,{{{k 1 3} 1 r 2 } r k2 0 1, {{k k 3} 0 r } r k2 1 3, {{k k 3} 0 r } r k2 0 5, {{k k 3} 1 r } r k2 1 7 k1}, 1 Its pattern is {{{k4} 0 r 10} r k2 0 9 k1 0, {{k 1 4} r 12 k 1 2 } r 11 k 0 1, {{k 0 4} r 14 k 0 2 {{0} r 17 k 0 3 k1,k 0 2,{{ 1 r 2 } r 1, {{k k 3} 0 r } r k2 1 3 k1, r 5, r 7 }, 0 {{ r 10 } r 9 k 0 1, {{k 1 4 }r 12 k 1 2 } r 13 k 1 1, {{k 0 4} r 16 k 1 2, {1} r 18 k 1 3 } r 11, r k1 0 13, r 15 }, {{0} r 17 k 0 3 } r 15}, k1 1 },{{0} r 19 k 0 4, {1} r 20} k4 1, r 18 },{ r 19, {1} r 20} k / 32

23 The simulated pattern The simulated view is k 1,k 2,{{{k 3 } r 2 k 2 } r 1 k 1, {{k 3 } r 4 k 2 } r 3 k 1, {{k 3 } r 6 k 2 } r 5 k 1, {{k 3 } r 8 k 2 } r 7 k 1 }, Its pattern is {{{k 4 } r 10 k 2 } r 9 k 1, {{k 4 } r 12 k 2 } r 11 k 1, {{k 4 } r 14 k 2 } r 13 k 1, {{k 4 } r 16 k 2 } r 15 k 1 }, k 1,k 2,{{{k 3 } r 2 k 2 } r 1 k 1, { r 4 } r 3 k 1, r 5, r 7 }, {{0} r 17 k 3, {0} r 18 k 3 },{{1} r 19 k 4, {1} r 20 k 4 } {{{k 4 } r 10 k 2 } r 9 k 1, { r 12 } r 11 k 1, r 13, r 15 }, {{0} r 17 k 3, r 18 },{{1} r 19 k 4, r 20 } 21 / 32

24 Compare the patterns The real pattern k1,k 0 2,{{ 1 r 2 } r 1, {{k k 3} 0 r } r k2 1 3 k1, r 5, r 7 }, 0 {{ r 10 } r 9 k 0 1, {{k 1 4} r 12 k 1 2 The simulated pattern } r 11 k 0 1, r 13, r 15 },{{0} r 17 k 0 3, r 18 },{ r 19, {1} r 20} k4 1 k 1,k 2,{{{k 3 } r 2 k 2 } r 1 k 1, { r 4 } r 3 k 1, r 5, r 7 }, {{{k 4 } r 10 k 2 } r 9 k 1, { r 12 } r 11 k 1, r 13, r 15 },{{0} r 17 k 3, r 18 },{{1} r 19 k 4, r 20 } They are equal up to renaming. In general, the real and simulated garbled circuits will be indistinguishable. 22 / 32

25 Sharing the contents of wires Assume that the only operations of circuits are and &. These are the addition and multiplication in the field Z 2. They, together with the constant 1, are sufficient to express any functionality. Let there be an extra 1-gate that takes no inputs. During the protocol, the parties compute for all gates g the values a 1 g and a 2 g, such that the real value computed by g is a 1 g + a 2 g; P 1 knows a 1 g and P 2 knows a 2 g. The protocol is well-suited for functionalities with separate outputs. At the end of the protocol, P 1 will send to P 2 the values a 1 g corresponding to the output gates g of P 2. P 2 behaves similarly. 23 / 32

26 The protocol Sharing the inputs For P i s input b at the input gate g generate a random bit r and send (g,r) to the other party. Let a i g = b + r. For the 1-gate g let P 1 generate a random bit r and send (g,r) to P 2. Let a 1 g = r + 1. When P i receives (g,r) from the other party, set a i g = r. Evaluating an addition gate Let g = g 1 + g 2. Define a i g = a i g 1 + a i g 2. Communicating the outputs If g is an output gate for P i, then the other party P j will send (g,a j g ) to P i once he has it. P i outputs a i g + a j g as the output of that gate. 24 / 32

27 Evaluating a multiplication gate Let g = g 1 g 2 = (a 1 g 1 + a 2 g 1 ) (a 1 g 2 + a 2 g 2 ). We ll define a protocol for finding a 1 g and a 2 g, such that P i does not learn anything besides a i g ; a i g is uniformly distributed; a 1 g + a 2 g = a g. 25 / 32

28 Evaluating a multiplication gate Let g = g 1 g 2 = (a 1 g 1 + a 2 g 1 ) (a 1 g 2 + a 2 g 2 ). We ll define a protocol for finding a 1 g and a 2 g, such that P i does not learn anything besides a i g ; a i g is uniformly distributed; a 1 g + a 2 g = a g. a 1 g is picked uniformly from {0, 1}. P 1 defines m 1 = a 1 g + a1 g 1 a 1 g 2 m 3 = a 1 g + (a1 g 1 + 1)a 1 g 2 m 2 = a 1 g + a1 g 1 (a 1 g 2 + 1) m 4 = a 1 g + (a1 g 1 + 1)(a 1 g 2 + 1) P 2 defines a 2 g = m 2a 2 g1 +a 2 g Use oblivious transfer to transmit that m to P 2. Exercise. Correctness and security? 25 / 32

29 Exercise How can one party simulate the computation of this protocol? 26 / 32

30 Multi-party semi-honest case A protocol Π securely evaluates the function (y 1,...,y n ) = f(x 1,...,x n ) if there exists a PPT simulator S, such that for each I = {i 1,...,i m } {1,...,n} for all x 1,...,x n the distribution S(I, (x i1,...,x im ), (y i1,...,y im )) equals the joint view of the parties P i1,...,p im in the execution of Π(x 1,...,x n ). 27 / 32

31 The protocol Most steps of the two-party case easily generalize to the multi-party case. How about multiplication? 28 / 32

32 The protocol Most steps of the two-party case easily generalize to the multi-party case. How about multiplication? We have a 1 g 1,...,a n g 1,a 1 g 2,...,a n g 2 with j aj g i = a gi. We want a 1 g,...,a n g that sum up to a g1 a g2. ( n ) ( n ) a j g 1 a j g 2 = j=1 (1 (n 1)) j=1 n a j g 1 a j g 2 + j=1 n a j g 1 a j g 2 + j=1 1 i<j n n 1 i<j n (a i g 1 a j g 2 + a i g 2 a j g 1 ) = (a i g 1 a i g 2 + a i g 1 a j g 2 + a i g 2 a j g 1 + a j g 1 a j g 2 ) = n a j g 1 a j g 2 + j=1 1 i<j n (a i g 1 + a i g 2 )(a j g 1 + a j g 2 ) 28 / 32

33 Multiplication protocol Each party P i engages in the two-party multiplication protocol with all other parties P j. As result, party P i learns the values c i,j, such that c i,j + c j,i = (a i g 1 + a i g 2 ) (a j g 1 + a j g 2 ) P i defines a i g = n a i g 1 a i g 2 + j i ci,j. Exercise. Correctness, security? Uniformity of the values a i g? 29 / 32

34 Oblivious transfer in the malicious model Bellare-Micali construction (1-out-of-2 OT): Let G be a group with hard Diffie-Hellman problem. Let g generate G. Let p = G. Sender randomly picks C G and sends it to the receiver. Receiver chooses x Z p and defines h b = g x, h 1 b = c/h b. Sends h 0,h 1 to the sender. Sender checks that h 0 h 1 = C. Uses ElGamal encryption to encrypt m i with h i. Sends (g r 0,m 0 h r 0 0 ), (g r 1,m 1 h r 1 1 ) to the receiver. Receiver decrypts the ciphertext that he can decrypt and learns m b. Exercise. Security? 30 / 32

35 Naor-Pinkas construction Let G, g, p be as before. Receiver picks s,t,c 1 b R Z p, defines c b = st mod p, x = g s, y = g t, z i = g c i. Sends x,y,z 0,z 1 to sender. Sender checks that z 0 z 1. Picks random r 0,r 0,r 1,r 1 Z p and returns to the receiver ((xg r 0 ) r 0,m0 (z 0 y r 0 ) r 0 ), ((xg r 1 ) r 1,m1 (z 1 y r 1 ) r 1 ) The receiver... Exercise. What is the receiver going to do with the values it got? What about security? Exercise. Generalize this construction to 1-out-of-n OT. 31 / 32

36 Securing the original OT Exercise. The original OT-protocol can also be secured by letting the receiver first commit to the randomness he s going to use, and then letting him prove in zero knowledge that he really used that randomness. Work out the details for 1-out-of-2 OT. 32 / 32