Lecture 38: Secure Multi-party Computation MPC

Similar documents
Lecture 22: RSA Encryption. RSA Encryption

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

1 Secure two-party computation

Lecture 28: Public-key Cryptography. Public-key Cryptography

ECS 189A Final Cryptography Spring 2011

Introduction to Cryptography Lecture 13

Multiparty Computation

Lecture 1: Introduction to Public key cryptography

Lecture 11: Key Agreement

Introduction to Modern Cryptography Lecture 11

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Question 1. The Chinese University of Hong Kong, Spring 2018

Theory of Computation Chapter 12: Cryptography

Introduction to Modern Cryptography. Benny Chor

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

ASYMMETRIC ENCRYPTION

Benny Pinkas Bar Ilan University

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Lecture 14: Secure Multiparty Computation

Simple Math: Cryptography

Entanglement and information

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CPSC 467: Cryptography and Computer Security

Quantum Entanglement and Cryptography. Deepthi Gopal, Caltech

Question: Total Points: Score:

Lecture Notes, Week 10

Introduction to Modern Cryptography. Benny Chor

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Security Implications of Quantum Technologies

The Laws of Cryptography Zero-Knowledge Protocols

Exam Security January 19, :30 11:30

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

RSA RSA public key cryptosystem

Lecture 3,4: Multiparty Computation

1 Indistinguishability for multiple encryptions

1 Cryptographic hash functions

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Computing on Encrypted Data

Authentication. Chapter Message Authentication

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Lecture Notes, Week 6

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

A FRAMEWORK FOR UNCONDITIONALLY SECURE PUBLIC-KEY ENCRYPTION (WITH POSSIBLE DECRYPTION ERRORS)

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Lecture 5, CPA Secure Encryption from PRFs

Lecture 15 - Zero Knowledge Proofs

Lecture 17: Constructions of Public-Key Encryption

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

A Zero-One Law for Secure Multi-Party Computation with Ternary Outputs

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

From Secure MPC to Efficient Zero-Knowledge

CPSC 467b: Cryptography and Computer Security

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

Public-Key Encryption: ElGamal, RSA, Rabin

1 Number Theory Basics

Semantic Security of RSA. Semantic Security

CPSC 467b: Cryptography and Computer Security

1 Recap: Interactive Proofs

6.080/6.089 GITCS Apr 15, Lecture 17

1/ 17 2/20 3/19 4/12 5/14 6/13 7/10 Total /105. Please do not write in the spaces above.

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lecture Notes 20: Zero-Knowledge Proofs

1 Cryptographic hash functions

Lecture 21: Quantum communication complexity

Midterm 2. Your Exam Room: Name of Person Sitting on Your Left: Name of Person Sitting on Your Right: Name of Person Sitting in Front of You:

Public Key Encryption

Oblivious Evaluation of Multivariate Polynomials. and Applications

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

Lecture 3: Interactive Proofs and Zero-Knowledge

Notes 10: Public-key cryptography

8 Elliptic Curve Cryptography

Scribe for Lecture #5

Homework 1 Submission

Quantum sampling of mixed states

Additive Conditional Disclosure of Secrets

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

RSA and Rabin Signatures Signcryption

Cryptography and Security Final Exam

Public-Key Cryptosystems CHAPTER 4

Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply

An Introduction to Probabilistic Encryption

Protocols for Multiparty Coin Toss with a Dishonest Majority

You submitted this homework on Wed 31 Jul :50 PM PDT (UTC -0700). You got a score of out of You can attempt again in 10 minutes.

9 Knapsack Cryptography

Quantum Simultaneous Contract Signing

Transcription:

Lecture 38: Secure Multi-party Computation

Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party obtains no additional information than z For the current presentation, we shall assume that f (, ) is a deterministic function of the inputs. It is possible to consider randomized functions as well, but we shall not cover it in this course. In this course we shall restrict to two-parties. In general, there can be n-parties where the private-inputs of the parties, respectively, are x 1, x 2,..., x n. All parties know the function f that they are evaluating. In this course we shall consider adversaries that are semi-honest, i.e., the parties follow the protocol but are curious to know more information about the private input of the other parties

Problem Statement II Example. Suppose countries A and B have two military satellites orbiting the earth The input for party 1 is the location and trajectory of their satellite The input for party 2 is the location and trajectory of their satellite The function f computes whether the two satellites will collide in the next 10 minutes (the output is true or false)

Problem Statement III Correctly Evaluating Functions. Note that it is trivial to correctly evaluate a function. First, each party declares its private input to all other parties. Next, each party computes the function. However, this is not secure. Because, the parties (potentially) learn more than the output z. For example, in the example we consider, parties shall learn the location and trajectory of each other s military satellites, which is definitely not secure! The difficulty of the problem arises from the security constraint (and not the correctness constraint)

Trusted Third-party Suppose Alice and Bob have a trusted third-party (TTP) Then, Alice and Bob can send their respective private inputs x and y to the TTP, and the TTP computes z = f (x, y) and sends z to both Alice and Bob In our example, suppose, both countries trust Switzerland. Countries A and B share the location and trajectory of their military satellites, and Switzerland computes whether they will collide in the next 10 minutes and tells the answer to both the countries. This is a secure solution! Lesson Learned. If there is a trusted third-party, then secure computation is easy. The non-triviality of secure multi-party computation arises because there is no trusted third-party in the real world

Ideal World In the ideal world, parties have a trusted third-party In this world, parties send their respective input to the TTP and the TTP performs the computation on behalf of the parties, and reports back their respective outputs z A and z B f Alice Private Input: x Bob Private Input: y Output: z A Output: z B

Real World In the real world, there is no trusted third-party Our goal is to algorithmically implement the TTP using cryptographic protocols Security implies that Alice learns no more than z A and Bob learns no more than z B Alice Private Input: x Bob Private Input: y Cryptographic Protocol Compute z A Compute z B

Example of Secure Computation: XOR I Suppose Alice has private input x {0, 1} Suppose Bob has private input y {0, 1} They are interested in computing z A = z B = f (x, y) = x y The function is equivalently represented by the following matrix Bob Input 0 1 Alice Input 0 1 0 1 1 0

Example of Secure Computation: XOR II Note that if the private input of Alice is x = 0 then z A reveals the private input of Bob (Think about this) Similarly, if the private input of Alice is x = 1 then z A reveals the private input of Bob (Think) So, it is secure for Bob to just reveal his input to Alice (because Alice finds out Bob s input from her output anyways) Analogously, Bob also finds out the private input of Alice always. So, it is secure for Alice to reveal her private input to Bob (because Bob finds out Alice s input from his output anyways) So, the following protocol is a secure protocol to compute z A = z B = x y 1 Alice sends her private input x to Bob 2 Bob sends his private input y to Alice 3 Both parties compute z A = z B = x y

Example of Secure Computation: OR I Suppose Alice has private input x {0, 1} Suppose Bob has private input y {0, 1} They are interested in computing z A = z B = f (x, y) = x y The function is equivalently represented by the following matrix Bob Input 0 1 Alice Input 0 1 0 1 1 1

Example of Secure Computation: OR II Note that if the private input of Alice is x = 0 then z A reveals the private input of Bob However, if the private input of Alice is x = 1 then z A does not reveal anything about Bob s input (Think) So, Bob can reveal his private input to Alice only when x = 0; otherwise, not Analogously, Alice can reveal her private input to Bob only when y = 0; otherwise, not The Conclusion. Alice cannot reveal her private input unless she is sure that y = 0. Moreover, Bob cannot reveal his private input unless he is sure that x = 0. So, neither party can risk revealing their respective private inputs first. There is a deadlock. This argument can be made more formal mathematically to argue that there is no secure protocol to compute z A = z B = x y. (This mathematical argument is beyond the scope of this course)

Example of Secure Computation: OR III Additional Pointer. In fact, one can show that computing OR is complete. That is, if we can securely compute z A = z B = x y then we can securely compute any function! (Again, this is beyond the scope of this course)

Example of Secure Computation: MAX I Suppose Alice has private input x {0, 2} Suppose Bob has private input y {1, 3} They are interested in computing z A = z B = f (x, y) = max{x, y} The function is equivalently represented by the following matrix Bob Input 1 3 Alice Input 0 2 1 3 2 3

Example of Secure Computation: MAX II Note that z A always reveals Bob s private input to Alice (Think) Moreover, z B reveals Alice s private input to Bob if y = 1; otherwise, it reveals no information (Think) So, it is secure for Bob to reveal his private input to Alice. If y 3, then Alice can reveal her private input to Bob. So, the following is a secure protocol to compute z A = z B = max{x, y}, where x {0, 2} and y {1, 3}. 1 Bob sends y to Alice 2 Alice sends z = max{x, y} to Bob

Example of Secure Computation: The Dutch Flower Auction I Let us generalize the previous example. Suppose Alice and Bob are bidding for an item Assume that Alice only bids even amount of money x {0, 2,..., 2k 2}, and Bob bids odd amount of money y {1, 3,..., 2k 1} We are interested in computing the winning bid z A = z B = max{x, y}

Example of Secure Computation: The Dutch Flower Auction II Crucial Observation. Let M be the maximum possible bid. (In this case, we have M = 2k 1.) Note that both parties find out whether the bid is M or not. (Think very carefully about this) So, the party who can make the bid M declares whether his bid is M or not (In this case, Bob can declare whether y = 2k 1 or not) If the maximum bid is made then we are done! Otherwise, we recurse. (In this case, we recursively compute the maximum where x {0, 2,..., 2k 2} and y {1, 3,..., 2k 3})

Example of Secure Computation: The Dutch Flower Auction III The secure protocol, therefore, is 1 If y = 2k 1, then Bob declares z = 2k 1; otherwise he asks Alice to continue 2 If x = 2k 2, then Alice declares z = 2k 2; otherwise she asks Bob to continue 3 If y = 2k 3, then Bob declares z = 2k 3; otherwise he asks Alice to continue 4 And so on...

Example of Secure Computation: The Dutch Flower Auction IV However, this protocol is not efficient. The round complexity of the protocol is exponential in the representation size of the parties inputs.

Oblivious Transfer I m-choose-1-oblivious Transfer (OT). Alice has private input (θ 1, θ 2,..., θ m ) such that each θ i S (an arbitrary set S) Bob has private input i {1, 2,..., m} And, we have z A = NULL (the empty string), and z B = θ i

Oblivious Transfer II Security Requirement. Note that Alice obtains no additional information about Bob s private input i And, Bob obtains no additional information about θ j, where j i

Oblivious Transfer III Using the RSA assumption, we can construct a secure protocol for m-choose-1 OT. OT(θ 1, θ 2,..., θ n, i): 1 Alice picks (u, trap) and sends the trapdoor permutation f u : D R to Bob $ 2 Bob picks α i D and computes β i = f u (α i ). For all j i, $ Bob picks β j R. Bob sends (β 1, β 2,..., β m ) to Alice. 3 For each j, Alice computes α j = fu 1 (β j ), using the trapdoor trap. For each j, Alice computes the encryption c j = θ j α j (i.e., the encryption of θ j using one-time pad, where the secret-key is α j ). Alice sends (c 1, c 2,..., c m ) to Bob. 4 Bob recovers θ i by computing c i /α i.

Oblivious Transfer IV Note that Bob cannot recover any other message θ j, where j i, because he does not have the associated secret-key α j (he only has β j and it is computationally hard for him to invert β j because he does not have the trapdoor trap). Alice s view in this protocol is independent of Bob s input i.

Securely Computing Any Function using Oblivious Transfer I Suppose Alice and Bob have private inputs x S A and y S B, respectively They are interested in securely computing z A = z B = f (x, y) Let us use the m-choose-1 OT protocol to securely compute f 1 Suppose S B = {y 1, y 2,..., y m }. Alice computes θ j = f (x, y j ), where j {1, 2,..., m}. Let y = y i. Alice and Bob run the m-choose-1 OT protocol with Alice private input (θ 1, θ 2,..., θ m ) and Bob private input i. At the end of this OT protocol, Bob obtains the output z = θ i = f (x, y i ). 2 Bob sends z to Alice

Securely Computing Any Function using Oblivious Transfer II Note that this is an efficient protocol only when m is a constant. So, for a constant value of m we have constructed a secure protocol for f that is also efficient. Otherwise, the value m is exponentially large in the size of the representation of Bob s input. In this case, the protocol is secure but not efficient. In the next lecture, we shall construct efficient secure computation protocols for any efficient f.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback