Yuval Ishai Technion

Similar documents
Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

Secure Computation. Unconditionally Secure Multi- Party Computation

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

Perfect Secure Computation in Two Rounds

Extending Oblivious Transfers Efficiently

Lecture 3,4: Multiparty Computation

Perfect Secure Computation in Two Rounds

Robustness for Free in Unconditional Multi-Party Computation

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Multi-Party Computation with Conversion of Secret Sharing

Efficient General-Adversary Multi-Party Computation

Round-Efficient Multi-party Computation with a Dishonest Majority

Efficient Multiparty Protocols via Log-Depth Threshold Formulae

Multiparty Computation (MPC) Arpita Patra

Secure Arithmetic Computation with Constant Computational Overhead

On Achieving the Best of Both Worlds in Secure Multiparty Computation

Fundamental MPC Protocols

From Secure MPC to Efficient Zero-Knowledge

Near-Optimal Secret Sharing and Error Correcting Codes in AC 0

Round-Preserving Parallel Composition of Probabilistic-Termination Cryptographic Protocols

Efficient Conversion of Secret-shared Values Between Different Fields

Introduction to Cryptography Lecture 13

Efficient Constant Round Multi-Party Computation Combining BMR and SPDZ

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

Benny Pinkas Bar Ilan University

Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions

Circuits Resilient to Additive Attacks with Applications to Secure Computation

How many rounds can Random Selection handle?

On the Cryptographic Complexity of the Worst Functions

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a

Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

Multiparty Computation, an Introduction

Communication-Efficient MPC for General Adversary Structures

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits

Communication Complexity and Secure Function Evaluation

Keyword Search and Oblivious Pseudo-Random Functions

Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply

Malicious Security. 6.1 Cut-and-Choose. Figure 6.1: Summary of malicious MPC protocols discussed in this chapter.

Cryptographic Asynchronous Multi-Party Computation with Optimal Resilience

Secure Multiparty Computation from Graph Colouring

How to Construct a Leakage-Resilient (Stateless) Trusted Party

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Lattice-Based Non-Interactive Arugment Systems

Fast Large-Scale Honest-Majority MPC for Malicious Adversaries

Oblivious Transfer in Incomplete Networks

Computing on Encrypted Data

Protocols for Multiparty Coin Toss with a Dishonest Majority

On Expected Constant-Round Protocols for Byzantine Agreement

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti

Perfectly-Secure Multiplication for any t < n/3

Compact VSS and Efficient Homomorphic UC Commitments

Linear Multi-Prover Interactive Proofs

Lecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007

Making the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits

New Notions of Security: Universal Composability without Trusted Setup

On the Round Complexity of Covert Computation

1 Secure two-party computation

Authenticated Garbling and Efficient Maliciously Secure Two-Party Computation

On the Message Complexity of Secure Multiparty Computation

Unconditionally Secure Multiparty Set Intersection Re-Visited

Notes on Zero Knowledge

Shai Halevi IBM August 2013

1 Cryptographic hash functions

On Expected Constant-Round Protocols for Byzantine Agreement

Efficient Multi-party Computation over Rings

Network Oblivious Transfer

Efficient Asynchronous Multiparty Computation with Optimal Resilience

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Secure Multi-party Computation Minimizing Online Rounds

Verifying Computations in the Cloud (and Elsewhere) Michael Mitzenmacher, Harvard University Work offloaded to Justin Thaler, Harvard University

Complexity of Multi-Party Computation Functionalities

Constant-Round MPC with Fairness and Guarantee of Output Delivery

Universally Composable Multi-Party Computation with an Unreliable Common Reference String

i-hop Homomorphic Encryption Schemes

An Unconditionally Secure Protocol for Multi-Party Set Intersection

Foundations of Homomorphic Secret Sharing

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

Realistic Failures in Secure Multi-Party Computation

Executable Proofs, Input-Size Hiding Secure Computation and a New Ideal World

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries

Secret sharing schemes

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

6.897: Selected Topics in Cryptography Lectures 7 and 8. Lecturer: Ran Canetti

SELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION

An Efficient Protocol for Fair Secure Two-Party Computation

Round Efficiency of Multi-Party Computation with a Dishonest Majority

Efficient Unconditional Asynchronous Byzantine Agreement with Optimal Resilience

Round Efficiency of Multi-Party Computation with a Dishonest Majority

Multiparty Computation

Millions of Millionaires: Multiparty Computation in Large Networks

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

Secure Multiplication of Shared Secrets In The Exponent

Implicit Zero-Knowledge Arguments and Applications to the Malicious Setting

A New Approach to Practical Active-Secure Two-Party Computation

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

Cryptographic Protocols Notes 2

Transcription:

Winter School on, Israel 30/1/2011-1/2/2011 Yuval Ishai Technion 1

Several potential advantages Unconditional security Guaranteed output and fairness Universally composable security This talk: efficiency Main feasibility results Perfect security with t<n/3 [BGW88,CCD88] Statistical security with t<n/2 (assuming broadcast) [RB89] Goal: minimize complexity Communication Computation 2

Communication Match insecure communication complexity? Possible (in theory, up to poly(k) overhead) using FHE Big open question in information-theoretic setting A more realistic goal Allow communication for each gate Minimize amortized cost as a function of n Ignore additive terms that do not depend on circuit size Ideally, O(1) bits per gate Computation O(1) computation per gate? 3

Essentially what we could hope for At most polylog(n) overhead Work per party decreases with number of parties! Small price in resilience O(depth) rounds or O(1) rounds with poly(k) overhead and comp. security This talk: several simplifying assumptions Inputs originate from a constant number of clients Security with abort Statistical security against static malicious adversary Small fractional resilience Broadcast Assumptions can be removed 4

m 2 clients, n servers Only clients have inputs and outputs Assume m=o(1) in most of this talk Motivated by next talk servers clients 5

Synchronous secure point-to-point channels + broadcast Servers only talk to clients Malicious adversary corrupting: at most cn servers for some constant 0<c<1/2 any subset of the m clients Statistical security with abort 6

Functionality represented by a circuit C Arithmetic circuit over F (with + and x gates) Assume n C, depth(c) C Ignore low-order additive terms Goal 1: Minimize communication Initial protocols [BGW88,CCD88]: C poly(n) Best unconditional protocols (this talk): C O(1) Using FHE: input +poly(k) output Goal 2: Minimize computation Best one can hope for: C field ops. Best known (this talk): C O(logn) Assumes large F ( F >2 k ) Polylog(n) overhead possible for any F 7

Franklin-Yung 92 Run several parallel instances of BGW roughly for price of one Small penalty in security threshold Reduces complexity of BGW for some tasks Hirt-Maurer 01, Cramer-Damgård-Nielsen 01, Damgård-Nielsen 06 Improved overhead of MPC with optimal resilience Damgård-I 06, I-Prabhakaran-Sahai 09 Extend scope of Franklin-Yung technique to general tasks Optimize computational complexity using technique from Groth 09

Damgård-I-Kroigaard-Nielsen-Smith 08 efficiency with many clients, boosting resilience using technique of Bracha 87 Beerliova-Hirt 08, Damgård-I-Kroigaard 10 perfect security Beaver-Micali-Rogaway 90, Damgård-I 05 constant-round protocols Chen-Cramer 06 using constant-size fields

Secret-share inputs Evaluate C on shares Non-interactive addition Interactive multiplication Recover outputs x y degree t<n/2 Secure with t<n/2 (semi-honest) or t<n/3 (malicious) Complexity: C O(n 2 ) (semi-honest) C poly(n) (malicious) S 1 S 2 S 3 S 4 S 5 S 6 S 7 10

Each wire value is split into n shares Use packed secret sharing to amortize cost Multiplication involves communication between each pair of servers Reveal blinded product to a single client Expensive consistency checks Efficient batch verification 11

x w x 2 x 1 degree d<n/2 Denote shared block by [x 1,,x w ] d S 1 S 2 S 3 S 4 S 5 S 6 S 7 Handle block of w secrets for price of one. Security threshold degrades from d to d-w+1 w=n/10 (n) savings for small security loss Compare with error correcting codes 12

YES: evaluate a circuit on multiple inputs in parallel NO: evaluate a circuit on a single input x y z v w x y z v w 3 inputs 5 blocks 13

Client C Left-block a 1 a 2 a 2 Right-block X X X + b 1 b 2 b 1 a 1 a 1 a 2 + + b 2 b 1 b 2 A S: p A =[a 1,a 2,a 2 ] d q A =[a 1,a 1,a 2 ] d z A =[0,0,0] 2d B S: p B =[b 1,b 2,b 1 ] d q B =[b 2,b 1,b 2 ] d z B =[0,0,0] 2d a 2 a 1 b 1 b 2 S C: p A p B +z A +z B q A +q B Client A Client B Extends to constant-depth circuits Still 2 rounds, t= (n) 14

Assume circuit is composed of layers 1,,H. Clients share inputs into [left 1 ] d and [right 1 ] d For h=1 to H-1: Clients generate random blocks [r] 2d, [left_r] d and [right_r] d replicated according to structure of layer h+1 Servers send masked output shares of layer h to Client A: [y] 2d =[left h ] d *[right h ] d +[r] 2d (* {x,+,-}) A decodes, rearranges and reshares y into [left_y] d, [right_y] d Servers let [left h+1 ] d =[left_y] d -[left_r] d [right h+1 ] d =[right_y] d -[right_r] d Servers reveal output shares [left H ] d *[right H ] d +[0] 2d 15

+ + + + - y 1 y 1 y 2 y 3 y 2 y 4 y 3 y 4 - r 1 r 1 r 2 r 3 r 2 r 4 r 3 r 4 Left h+1 Right h+1 X X X X Left h X + r 1 r 2 r 3 r 4 Right h y 1 y 2 y 3 y 4 16

Need to protect against t= (n) malicious servers and t <m malicious clients. Malicious servers handled via error correction Valid shares form a good error-correcting code Error detection sufficient for security with abort Malicious clients handled via efficient VSS procedures (coming up) 17

Recall: only shoot for security with abort Two types of verification procedures Verify that shares lie in a linear space E.g., degree-d polynomials Verify that shared blocks satisfy a given replication pattern E.g., [r 1,r 1,r 2,r 1 ] [r 2,r 3,r 1,r 2 ] Cost is amortized over multiple instances 18

Suppose Client A distributed a vector v between servers. S i holds the i-th entry of v Can be generalized to an arbitrary partition of entries Goal: Prove in zero-knowledge to Client B that v is in some (publicly known) linear space L. Protocol: A distributes a random u r L B picks and broadcasts c r F Servers jointly send w=cv+u to B B checks that w L ZK: w is a random vector in L Soundness (static corruption): consider messages from honest servers cv+u,c v+u L (c-c )v L v L soundness error 1/ F 19

Can be jointly generated by clients Can be pseudorandom ( -biased) c 1 c 2 c 3 c 4 c 5 x x x x x + v 1 v 2 v 3 v 4 v 5 u w L? 20

secret public a b c d e f g h inner product r 1 r 2 s 1 s 2 r 3 s 3 r 4 r 5 r 2 r 3 s 2 s 3 r 4 s 1 r 5 r 1 a b c d X r 1 r 2 s 1 s 2 r 3 s 3 r 4 r 5 + e f g h X - a b c d X r 2 r 3 s 2 s 3 r 4 s 1 r 5 r 1 - e f g h X + z 1 z 2 z 3 z 4 21

Communication O( C ) field elements ( F >n) + low order terms Low order terms include: Additive term of O(depth n) for layered circuits depth # communicating layer pairs for general circuits Multiply by k/log F for small fields (k = statistical security parameter) Computation Communication x O(log n) Uses FFT for polynomial operations Multiply by k/log F for small fields 22

Goal: small fractional resilience nearly optimal resilience without increasing asymptotic complexity! Solution: server virtualization Example: 0.01n-secure 0.33n-secure Pick n committees of servers such that Each committee is of size s=o(1) If 0.33n servers are corrupted, then > 99% of the committees have < s/3 corrupted members Choose committees at random, or use explicit constructions uses s-party BGW to simulate each server in by a committee Overhead poly(s)=o(1) 23

Consider a boolean circuit C with C» depth Previous protocol requires F >n O( C logn) bits of communication Can we get rid of the logn term? Yes, using algebraic-geometric codes Field size independent of n Small fractional loss of resilience Asymptotically optimal protocols for natural classes of circuits 24

Many clients Previous protocol required generating secret blocks Easy to implement by summing blocks generated by all clients Overhead can be amortized if only a constant fraction of clients are corrupted Requires converting circuit into a repetitive form Gives protocols with polylog(n) overhead in standard n-party setting with t= (n). Perfect security Use efficient variant of BGW VSS with share packing 25

BMR90: Constant-round version of BGW Uses garbled circuit technique Black-box use of PRG in semi-honest model (Benny s talk) Non-black-box use of PRG in malicious model Required for zero-knowledge proofs involving cryptographic relations In BMR paper: distributed ZK proofs of consistency of seed with PRG output DI05: Black-box use of PRG in malicious model Uses threshold symmetric encryption 26

An honest majority can be useful Unconditional, composable security Fairness Efficiency Open efficiency questions Break circuit size communication barrier for unconditional security Constant computational overhead Improve additive terms Better constant-round protocols O(1) PRG invocations per gate? Practical efficiency 27

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback