Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Similar documents
Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Lecture 3,4: Multiparty Computation

1 Secure two-party computation

Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings

Lecture 14: Secure Multiparty Computation

Fundamental MPC Protocols

Computing on Encrypted Data

Multiparty Computation

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

On Achieving the Best of Both Worlds in Secure Multiparty Computation

From Secure MPC to Efficient Zero-Knowledge

Secure Computation. Unconditionally Secure Multi- Party Computation

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem for Secure Computation

Round-Efficient Multi-party Computation with a Dishonest Majority

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

One-Round Secure Computation and Secure Autonomous Mobile Agents

6.892 Computing on Encrypted Data October 28, Lecture 7

Reducing Garbled Circuit Size While Preserving Circuit Gate Privacy *

Covert Multi-party Computation

Perfect Secure Computation in Two Rounds

Lecture 9 - Symmetric Encryption

On the Cryptographic Complexity of the Worst Functions

Notes on Zero Knowledge

Multi-Party Computation with Conversion of Secret Sharing

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

Authenticated Garbling and Efficient Maliciously Secure Two-Party Computation

Efficient Constant Round Multi-Party Computation Combining BMR and SPDZ

i-hop Homomorphic Encryption Schemes

Complexity of Multi-Party Computation Functionalities

Two-Round Multiparty Secure Computation from Minimal Assumptions

Introduction to Cryptography Lecture 13

Distributed Oblivious RAM for Secure Two-Party Computation

Communication Complexity and Secure Function Evaluation

On the Round Complexity of Covert Computation

Malicious Security. 6.1 Cut-and-Choose. Figure 6.1: Summary of malicious MPC protocols discussed in this chapter.

A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness

Executable Proofs, Input-Size Hiding Secure Computation and a New Ideal World

Privacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors

Benny Pinkas Bar Ilan University

Introduction to Modern Cryptography Lecture 11

Topology-Hiding Computation

Distinguisher-Dependent Simulation in Two Rounds and its Applications

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

Cryptographic Asynchronous Multi-Party Computation with Optimal Resilience

Notes on BAN Logic CSG 399. March 7, 2006

An Unconditionally Secure Protocol for Multi-Party Set Intersection

8 Security against Chosen Plaintext

Covert Multi-party Computation

Resource-efficient OT combiners with active security

The Exact Round Complexity of Secure Computation

Rate-Limited Secure Function Evaluation: Definitions and Constructions

Lecture 38: Secure Multi-party Computation MPC

Lecture 2: Perfect Secrecy and its Limitations

Oblivious Evaluation of Multivariate Polynomials. and Applications

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 13: Private Key Encryption

6.897: Selected Topics in Cryptography Lectures 7 and 8. Lecturer: Ran Canetti

Constant-Round MPC with Fairness and Guarantee of Output Delivery

On Expected Constant-Round Protocols for Byzantine Agreement

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits

Network Oblivious Transfer

Notes for Lecture 17

Perfect Secure Computation in Two Rounds

Additive Conditional Disclosure of Secrets

Faster Maliciously Secure Two-Party Computation Using the GPU Full version

On i-hop Homomorphic Encryption

Multiparty Computation (MPC) Arpita Patra

Garbled Protocols and Two-Round MPC from Bilinear Maps

Efficient General-Adversary Multi-Party Computation

4-3 A Survey on Oblivious Transfer Protocols

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion

Round-Preserving Parallel Composition of Probabilistic-Termination Cryptographic Protocols

Founding Cryptography on Smooth Projective Hashing

Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model

An Efficient Protocol for Fair Secure Two-Party Computation

Exploring the Limits of Common Coins Using Frontier Analysis of Protocols

Multiparty Computation, an Introduction

Improved Non-Committing Encryption Schemes based on a General Complexity Assumption

Complete Fairness in Multi-Party Computation Without an Honest Majority

Security Protocols and Application Final Exam

Resource Fairness and Composability of Cryptographic Protocols

6.897: Selected Topics in Cryptography Lectures 11 and 12. Lecturer: Ran Canetti

Statistical WI (and more) in Two Messages

k-round MPC from k-round OT via Garbled Interactive Circuits

On the Communication Complexity of Secure Function Evaluation with Long Output

Lecture 15 - Zero Knowledge Proofs

A Round and Communication Efficient Secure Ranking Protocol

Lecture 28: Public-key Cryptography. Public-key Cryptography

Outsourcing Multi-Party Computation

Transcription:

CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation considers the problem of different parties computing a joint function of their separate, private inputs without revealing any extra information about these inputs than that is leaked by just the result of the computation. This setting is well motivated, and captures many different applications. Considering some of these applications will provide intuition about how security should be defined for secure computation: Voting: Electronic voting can be thought of as a multi party computation between n players: the voters. Their input is their choice b {0, 1} (we restrict ourselves to the binary choice setting wlog), and the function they wish to compute is the majority function. Now consider what happens when only one user votes: their input is trivially revealed as the output of the computation. What does privacy of inputs mean in this scenario? Searchable Encryption: Searchable encryption schemes allow clients to store their data with a server, and subsequently grant servers tokens to conduct specific searches. However, most schemes do not consider access pattern leakage. This leakage tells the server potentially valuable information about the underlying plaintext. How do we model all the different kinds information that is leaked? From these examples we see that defining security is tricky, with lots of potential edge cases to consider. We want to ensure that no party can learn anything more from the secure computation protocol than it can from just its input and the result of the computation. To formalize this, we adopt the real/ideal paradigm. 1.1 Real/Ideal Paradigm Notation. For simplicity, we stick to just two parties, P 1 and P 2. The input of each party is denoted by x 1 and x 2 respectively. These parties wish to compute a joint function f(, ) of their inputs. Real World. In the real world, the two parties execute a protocol Π to compute the function f. This protocol can involve multiple rounds of interaction. Each party can additionally have some randomness r 1 and r 2. The real world adversary A can corrupt at most one of these parties. Ideal World. In the ideal world, a trusted party helps in the computation of f: each party sends their input to the trusted party and receives the output of the computation (f(x 1, x 2 )). Here, the ideal world adversary S can again corrupt at most one party. Denote this entire protocol by F. 1&2-1

Definition of Security. We require that the views of the parties in each of the scenarios be identical, i.e. that a real-world execution of the protocol Π should not leak any information not leaked by the ideal-world execution. Hence, the parties can only learn what they can infer from their inputs and the output f(x 1, x 2 ). More formally, assuming A corrupts one party (say P 1, wlog), we define random variables Real Π,A (x 1, x 2 ) = {x 1, r 1, messages sent in Π} and Ideal F,S (x 1, x 2 ) = {x 1, f(x 1, x 2 )}. These random variables represent the views of the adversary in each of the two settings. Our definition of security thus requires that Real Π,A (x 1, x 2 ) c = Ideal F,S (x 1, x 2 ) Assumptions. We have brushed over some details of the above setting. Below we state these assumptions explicitly: 1. Communication channel: We assume that the communication channel between the involved parties is completely insecure i.e. it does not preserve the privacy of the messages. However, we assume that it is reliable, which means that the adversary can drop messages, but if a message is delivered, then the receiver knows the origin. 2. Corruption model: Ww have different models of how and when the adversary can corrupt parties involved in the protocol: Static: The adversary chooses which parties to corrupt before the protocol execution starts, and during the protocol, the malicious parties remain fixed. Adaptive: The adversary can corrupt parties dynamically during the protocol execution, but the simulator can do the same. Mobile: Parties corrupted by the adversary can be uncorrupted at any time during the protocol execution at the adversary s discretion. 3. Fairness: The protocols we consider are not fair, i.e. the adversary can cause corrupted parties to abort arbitrarily. This can mean that one party does not get its share of the output of the computation. 4. Bounds on corruption: In some scenarios, we place upper bounds on the number of parties that the adversary can corrupt. 5. Power of the adversary: We consider primarily two types of adversaries: Semi-honest adversaries: Corrupted parties follow the protocol execution honestly, but attempt to learn as much information as they can from the protocol transcript. Malicious adversaries: Corrupted parties can deviate arbitrarily from the protocol. 6. Standalone vs. Multiple execution: In some settings, protocols can be executed in isolation; only one instance of a particular protocol is ever executed at any given time. In other settings, many different protocols can be executed concurrently. This can compromise security. 1&2-2

2 Yao s Two Party Computation Protocol Yao s Two Party Protocol is a protocol conducted between two parties for computing any function. It is obtained by combining two primitives: a scheme for garbling circuits and oblivious transfer. Informally, the idea is that one party (say P 1 ) garbles a circuit. This involves assigning random labels to each wire of the circuit, including the input and output wires. P 1 then sends the garbled circuit and the labels corresponding to its input wires to P 2. The two parties then engage in an oblivious transfer protocol to transfer the labels corresponding to P 2 s inputs to P 2. P 2 then evaluates the garbled circuit using the two sets of input labels to get the result of the computation. Problem Setup: Let G and W be the gates and wires respectively in U, the universal circuit. Let w i be the i th input wire, i [n], and w out be the output wire. Definition 1 (Garbling Scheme) A garbling scheme is a pair of ppt. algorithms (Garble, Eval): Garble(1 κ, C) wire. ( C, {labi,bi } i [n],bi {0,1}). The circuit C has n input wires and one output Eval(1 κ, C, {lab i,xi } i [n] ) y. It satisfies the following two properties: Correctness: C, x, we have that Pr[( C, lab i,bi ) Garble(1 κ, C) y Eval(1 κ, C, lab i,xi ) y C(x)] = 0 Security: simulator S s.t. C, x, we have that 2.1 Construction: We construct a garbling scheme: ( C, {lab i,xi }) c = S(1 κ, C(x)) Garble(1 κ, C): 1. For each w W, sample (k 0 w, k 1 w) as enc. keys. 2. For each g G with input wires w 0, w 1, and output wire w 2, set 3. Set C := ((e g ) g G, kw 0 out 0, kw 1 out 1). 4. Set lab i,bi := k b i w i. 5. Output ( C, lab i,bi ). e g := (Enc k a w0 (Enc k b w1 (0 κ kw g(a,b) 2 ))) a,b {0,1} Eval(1 κ, C, {lab i,xi } i [n] ): 1. For each gate g G, obtain lab w2 Dec labw0 (Dec labw1 (e g )). Figure 1: Definition of a garbling scheme 1&2-3

2.2 Proof of Security Proof. We construct a ppt. simulator Sim such that x {0, 1} n : { C, labi,xi } c = {Sim(κ, C(x))} Sim(1 κ, C(x)): 1. Sample random k w, k w w W. 2. For each g G with input wires w 0, w 1 and output wire w 2, set e g as Enc kw0 (Enc kw1 (0 κ k w2 )) Enc kw0 (Enc k w1 (0 κ k w2 )) Enc k w0 (Enc kw1 (0 κ k w2 )) Enc k w0 (Enc k w1 (0 κ k w2 )) 3. Output C := ((e g ) g G, k wout C(x), k w out 1 C(x)). Figure 2: Simulator for security of garbled circuits We prove that the output of this simulator is indistinguishable from the actual view of the circuit evaluator via a series of hybrids: { } c c H 0 := C, labi,xi = H 1 = = c c H T 1 = {Sim(1 κ, C(x))} := H T We proceed by replacing wires gate by gate. The idea is to replace the three non-opened entries with encryptions of the only wire which is correct. Say the input labels are k 0 w 0, k 1 w 1. These input labels are obtained from the simulator for the oblivious transfer. Originally, e g consists of Enc k 0 w0 (Enc k 0 w1 (0 κ k g(0,0) w 2 )) Enc k 0 w0 (Enc k 1 w1 (0 κ k g(0,1) w 2 )) For each a, b {0, 1}, we replace the encrypted values with Enc k a w0 (Enc k b w1 (0 κ kw g(0,1) 2 )). By security of the encryption scheme, this new e g is indistinguishable from the original e g. Thus each hybrid is indistinguishable from the previous one. This hybrid argument provides security for P 1 s input. Security of the 1-out-of-2 oblivious transfer provides privacy for P 2 s input. 3 GMW Protocol Yao s protocol is limited to two party computation. Goldreich, Micali and Wigderson (GMW) created the first secure multiparty computation protocol. Here we give an informal sketch of the protocol, limiting ourselves to two parties for simplicity of exposition.. 1&2-4

3.1 Construction Let P 1 s input be x 1, and P 2 s input be x 2. Each party creates a secret share of their input and sends it to the other party. For example, P 1 samples a random a, and computes b 1 = a 1 x 1. P 2 does the same for x 2. P 1 gets the a shares, and P 2 gets the b shares. Computing NOT, XOR, and AND gates is done as follows: NOT gates: Each party simply flips their share of the input bit. XOR gates: Since x 1 x 2 = (a 1 b 1 ) (a 2 b 2 ) = (a 1 a 2 ) (b 1 b 2 ), each party can simply XOR their shares separately. AND gates: (a 1 b 1 ) (a 2 b 2 ) = ((a 1 a 2 ) (b 1 b 2 )) ((a 1 b 2 ) (a 2 b 1 )). We see that each party can compute the first parts with the shares they possess. However, to get the remaining, they need to know the other party s shares, which compromises security. So instead, the parties utilize 1-out-of-4 oblivious transfer to compute the AND gate. The setup is as follows: P 1 samples a random bit a. This its share of the result of the gate. It computes the following table: b 1 b 2 b 3 0 0 (a 1 a 2 ) a 0 1 (a 1 a 2 ) a 1 0 ( a 1 a 2 ) a 1 1 ( a 1 a 2 ) a The intuition for the entries in the table is that when b 1 = b 2 = 1, the AND gate becomes (a 1 b 1 ) (a 2 b 2 ) = (a 1 1) (a 2 1) = ( a 1 ) ( a 2 ). The other entries are computed similarly. P 1 computes each of the possible values of b 3, and feeds them as input to the OT. P 2 feeds in (b 1, b 2 ) to the OT, and gets some secret share. Thus both parties possess a share of the correct output. 3.2 1-out-of-4 Oblivious Transfer We describe how to implement a 1-out-of-4 OT using 1-out-of-2 OT: 1. The sender, P 1 samples 5 random values S i {0, 1}, i {1,..., 5}. 2. P 1 computes It sends these values to P 2. α 0 = S 0 S 2 m 0 α 1 = S 0 S 3 m 1 α 2 = S 1 S 4 m 2 α 3 = S 1 S 5 m 3 1&2-5

3. The parties engage in 3 1-out-of-2 Oblivious Transfer protocols for the following messages: (S 0, S 1 ), (S 2, S 3 ), (S 4, S 5 ). THe receiver s input for the first OT is the first choice bit, and for the second and third ones is the second choice bit. 4. The receiver can only decrypt one ciphertext. 1&2-6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback