Lecture 14: Secure Multiparty Computation

Similar documents
Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Introduction to Cryptography Lecture 13

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

Round-Efficient Multi-party Computation with a Dishonest Majority

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Lecture 3,4: Multiparty Computation

Multi-Party Computation with Conversion of Secret Sharing

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

Multiparty Computation

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

An Unconditionally Secure Protocol for Multi-Party Set Intersection

On Achieving the Best of Both Worlds in Secure Multiparty Computation

Covert Multi-party Computation

Multiparty Computation, an Introduction

Introduction to Modern Cryptography Lecture 11

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings

SELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION

From Secure MPC to Efficient Zero-Knowledge

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Oblivious Evaluation of Multivariate Polynomials. and Applications

MULTIPARTY UNCONDITIONALLY SECURE PROTOCOLS

Covert Multi-party Computation

Notes on Zero Knowledge

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti

Efficient General-Adversary Multi-Party Computation

Lecture 38: Secure Multi-party Computation MPC

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

Universally Composable Multi-Party Computation with an Unreliable Common Reference String

Introduction to Modern Cryptography. Benny Chor

CPSC 467b: Cryptography and Computer Security

Complete Fairness in Multi-Party Computation Without an Honest Majority

An Introduction to Probabilistic Encryption

6.897: Selected Topics in Cryptography Lectures 7 and 8. Lecturer: Ran Canetti

Error-Tolerant Combiners for Oblivious Primitives

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

On the Number of Synchronous Rounds Required for Byzantine Agreement

A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness

: Cryptography and Game Theory Ran Canetti and Alon Rosen. Lecture 8

New Notions of Security: Universal Composability without Trusted Setup

Lecture 2: Perfect Secrecy and its Limitations

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

An Optimally Fair Coin Toss

Complete Fairness in Multi-Party Computation Without an Honest Majority

On the Round Complexity of Covert Computation

Protocols for Multiparty Coin Toss with a Dishonest Majority

Winter 2011 Josh Benaloh Brian LaMacchia

Realistic Failures in Secure Multi-Party Computation

Lecture Notes, Week 10

Lecture 18: Zero-Knowledge Proofs

Complete Fairness in Secure Two-Party Computation

Lecture 24: Goldreich-Levin Hardcore Predicate. Goldreich-Levin Hardcore Predicate

CPSC 467: Cryptography and Computer Security

Secure Modulo Zero-Sum Randomness as Cryptographic Resource

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Secure Computation. Unconditionally Secure Multi- Party Computation

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Bit-Commitment and Coin Flipping in a Device-Independent Setting

Fast Large-Scale Honest-Majority MPC for Malicious Adversaries

How many rounds can Random Selection handle?

A Fair and Efficient Solution to the Socialist Millionaires Problem

Lecture 8: The Dummy Adversary

n-party protocol for this purpose has maximum privacy if whatever a subset of the users can

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Secure Multiplication of Shared Secrets In The Exponent

1 Recap: Interactive Proofs

1 Secure two-party computation

Pseudorandom Generators

Complexity of Multi-Party Computation Functionalities

CPSC 467: Cryptography and Computer Security

An Efficient Protocol for Fair Secure Two-Party Computation

Lecture 3: Interactive Proofs and Zero-Knowledge

Zero-Knowledge Proofs and Protocols

Lecture Notes 20: Zero-Knowledge Proofs

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Malicious Security. 6.1 Cut-and-Choose. Figure 6.1: Summary of malicious MPC protocols discussed in this chapter.

Private Computation Using a PEZ Dispenser

Foundations of Cryptography

Attribute-based Encryption & Delegation of Computation

Lecture 5. 1 Review (Pairwise Independence and Derandomization)

Abstract. Often the core diculty in designing zero-knowledge protocols arises from having to

Lecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

Abstract In a (k; n) threshold digital signature scheme, k out of n signers must cooperate to issue a signature. In this paper, we show an ecient (k;

CPSC 467: Cryptography and Computer Security

Scribe for Lecture #5

Lecture Notes 15 : Voting, Homomorphic Encryption

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Robustness for Free in Unconditional Multi-Party Computation

CPSC 467b: Cryptography and Computer Security

A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

On Expected Constant-Round Protocols for Byzantine Agreement

Transcription:

600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine who has the highest salary. One method would be for each person to reveal their salary to the others. But what if no one wanted the others to know their actual salary? Another method might be to have each party reveal their salary to some trusted party. The trusted party could then determine who had the highest salary and tell everyone the corresponding name. However, each player must still reveal their salary to a trusted party (whom they all have to trust), which may not exist in a real world situation. Is there a way to perform this computation without requiring a trusted party? This is the kind of problem that secure multiparty computation was invented to solve. The problem was first addressed by Yao [Yao82] and a method for performing secure multiparty computation 1 was developed by Goldriech, Micali and Wigderson in [GMW87]. Today we will be covering the GMW results. 1.1 Goals of secure MPC Let s begin by informally trying to define what the security guarantees for multiparty computation (MPC) should be. Suppose there are several parties P 1, P 2,..., P n who each have some private input x 1, x 2,...x n and wish to perform some polynomial-time computation f(x 1, x 2,...x n, R) = (y 1, y 2,..., y n ) where R is some randomness and (y 1, y 2,..., y n ) are private output values for each party. The protocol (π) for this computation should be: correct - π should allow the parties to correctly compute f privacy - for P 1, P 2,..., P n, each player s input remains private. That is, no one learns any more about their input than can be deduced from the output. output delivery - the protocol doesn t end until everyone receives an output (the output may indicate failure) fairness - if one party gets the answer, so does everyone else (either everyones gets the answer, or the output for everyone is failure) 1 with an honest majority 14-1

Figure 1: Ideal world vs. Real world 1.2 Formalizing Security In an ideal world the parties would each send their input to the function and receive their output. This requires a trusted party or machine to calculate f. In the real world, we have no trusted party. The parties must calculate the function by exchanging messages with each other using π. In defining security, we consider the following game. Suppose there is an environment who can give all the parties inputs, communicate with any corrupted parties, and see all the parties outputs. This enviroment s job is to try to decide whether it is in the real or ideal worlds. We say that a protocol π is secure if the environnment cannot distinguish these two worlds non-negligibly better than guessing. For a good protocol, no environment, which can give all the parties inputs and communicate with any corrupted parties should be able to distinguish between the real and ideal worlds. This means that in the ideal world, we must show that there is an ideal adversary denoted S who controls the same parties in the ideal world as the real adversary A does in the real world. The goal is to show that anything A can learn (about the private inputs of honest parties) by running π, the ideal adversary S can also learn by interacting with the ideal functionality f. In other words, since S can t do any real damage, then neither can A. Consider that here the only real thing the simulator can do is change the inputs it gives to f. Definition: Let π be an n party protocol. Then π t-securely computes f if: A S such that I [n] with n t REAL π,a,i IDEAL f,s,i where I is a set of indices of the corrupted parties. There are some disappointing impossibility results for how large t may be. For example, if more than 1 2 the parties are corrupt, then we cannot achieve all four of our informal security goals simultaneously. In GMW [GMW87], we will be able to acheive all four of the security goals by assuming an honest majority (i.e., t < n 2 ). 14-2

Figure 2: Circuit for f 2 Strategy Suppose we have some function f(x 1, x 2,...x n ) = (y 1, y 2,..., y n ) that can be computed in polynomial time. (For now, we drop the randomness R. The interested reader should think about how we might add randomness to the strategy detailed herein.) Instead of modeling the computation as a Turing machine, [GMW87] decided to model the function as a circuit. This circuit has some inputs x 1, x 2,...x n which are controlled by parties P 1, P 2,..., P n respectively, and some outputs (y 1, y 2,..., y n ). (Figure 2) Any circuit can be constructed using only AND and NOT gates. So we assume without loss of generality that these are the only gates in the circuit. We also assume that maximum the number of inputs for each gate is two. The strategy that [GMW87] used was this: 1. Design a protocol with honest but curious (HBC) parties. HBC parties will follow the protocol, but will collect all the information to which they have access and try to compute some additional information from it. 2. Compile the HBC protocol into a protocol that can be used when the majority of the participants are honest. The remaining parties may cheat, collude or not follow the protocol and the honest parties will still receive their correct output and have privacy. 3 Setup Suppose there are n parties. Each party is assigned an identity from 1 to n and we assume that each party knows the identity of all other parties. Each P i knows their input x i, which may be a string. We will be working in F 2, so all computations are modulo 2. *Remember* we are in the HBC model, so each party will follow these instructions! Each P i shares each bit b of their input with all the other parties as follows: 1. Choose n random bits b 1,..., b n such that b = n i=1 b i mod 2. 2. Send share b j to P j (including one share to one s self). 14-3

Now the parties start evaluating the circuit together from left to right, top to bottom. Each gate must be evaluated so that each party owns a share of the input and of the output. At each step of the evaluation, all the shares should be uniformly distributed (i.e the value for the share belonging to any party should be equally likely to be 0 or 1.) If at some step the share owned by one party is likely to be 0 or 1, the other parties could continue the computation without that bit. At the very end of the protocol, all the shares of the output wires representing y 1 should be sent to P 1. The same should be done for P 2...P n. But we are getting ahead of ourselves, let s first see how we securely, but privately evaluate these gates. 4 Evaluation 4.1 NOT gates A NOT gate has an input b and an output c = b+1. The input b = b j (the sum of shares b i held respectively by party P i ) and we want one output c = c i, where each share c i is held by party P i. When a NOT gate is reached it can be evaluated as follows: P 1 sets c i = b i + 1 mod 2 i = 2,..., n, P i sets c i = b i Which party is chosen as P 1 is unimportant. It is only necessary that one of the parties be designated as P 1. 4.2 AND gates An AND gate has two inputs c, d and one output b. When working mod 2, an AND gate is equivalent to b = cd. AND c d b 0 0 0 0 1 0 1 0 0 1 1 1 14-4

Each party P i holds input shares c i, d i and wants to obtain an output share b i, where the following holds: ( ) ( ) b = b i = c i d i = c i d i + (c i d j + c j d i ) i=1 i=1 i=1 i=1 1 i j n Each party knows it own c i d i, but each (c i d j + c j d i ) part must be computed together by parties P i and P j. Define: b i = where and j=1 b ij b ii = c i d i b ij + b ji = c i d j + c j d i for i j In other words, consider breaking each share (b i ) of b further into shares (b ij ). Since we are working mod 2, we can move b ji to the other side of the equation. b ij = b ji + c i d j + c j d i Now we need to describe how each party obtains their shares b ij of their output share b i. This process is not symmetric. That is, each pair of parties P i and P j must execute a small protocol together to obtain b ij and b ji, respectively. Here s how they do it. Suppose j > i. 1. P j wants b ji. 2. P j picks b ji at random from {0, 1}. 3. P i wants b ij = b ji + c i d j + c j d i. 4. P i knows c i and d i. 5. P j knows c j, d j and b ji. P i would like to learn the value of b ji + c i d j + c j d i without revealing its values for c i and d i. Similarly, P j does not want to reveal its values for c j and d j. P i and P j can use ( 4 1) OT to accomplish this. In this exchange, P j is the sender and P i is the receiver. P j will offer < b ji, b ji + c j, b ji + d j, b ji + c j + d j > and P i will select which one of these to receive based on the values of c i and d i as shown below. P i knows P i wants c i d i b ij 0 0 b ji 0 1 b ji + c j 1 0 b ji + d j 1 1 b ji + c j + d j 14-5

. The actual value for b = b i = Thus, we ve seen how to evaluate both NOT and AND gates, and we are done! As the final step, each party must send its shares of y i to P i. i j b ij 5 Compiling HBC protocol for honest majority world The protocol shown above works only if all the parties are honest but curious. If one or more parties cheat, the whole protocol will break down. For example, one party could compute everything according to the protocol until a certain point, then decide to change its inputs or begin sending random values. So how do we make this protocol work with only an honest majority world (where t < n 2 )? Where: Cheaters can collude and share inputs freely Cheaters know the code of honest parties (which follow the protocol) Cheaters know who the other cheaters are Cheaters do not know honest party inputs or random coins Suppose there is a Turing machine for P 1 which has an input tape, a random tape, and a work tape and where the other parties can write to its inputs. If we know each party s input and randomness, then everything else is deterministic. If everyone follows the protocol, the outcome can only go one way. We want to stop any party from changing its inputs part way through the computation. To do this we make each party commit to the values on its tapes: commit(input, randomness, 0 k ). Each time a party changes some value of its tapes (eg. writing to its work tape) it must make a new commitment to the change and provide a zero knowledge proof that this change is the valid one given its former state. (For example, if P 1 with share b i is passing through a NOT gate, then he must commit to his output c i = b i + 1 and prove that commit(c i ) is correctly computed from commit(b i ).) These commitments are never actually opened because doing so would reveal private information. It is sufficient to have the zero knowledge proof that the commitment is correct. Now if a party tries to change some value midway, it will not be able to give the zero knowledge proof. These proofs must happen between every two parties, at each step of the computation. Even with these changes the protocol is still broken with respect to privacy and fairness. The problem is in the initial commit step. If some parties commit to randomness which isn t actually random, then the other cheaters can know each others randomness and the final outputs may be skewed. And how would one prove that some bits were randomly chosen anyway?? 14-6

So we want to fill the random tape of each party P i with real random bits, but we can t allow others to know what they are. We also can t allow any party to control its own randomness. Let s consider how we do this for party P 1. To get the first bit for the random tape of P 1, each party commits to a bit. Then all parties, except for P 1 decommit their bits. P 1 calculates the first bit by XORing all the bits, including its own and writes this to the random tape. P 1 won t decommit but must prove that it actually wrote the correct XORed value to the tape. The commitment scheme used must be non-malleable. This must be done for each bit of the random tape of each party. There are additional problems remaining with this protocol. Each of them must be fixed individually. For example, one party could follow the protocol until the last step. Then it would refuse to send its shares to the proper parties. The cheater would receive its result, but no one else would, breaking fairness. To fix this problem, a secret sharing scheme could be added to the protocol (such as Shamir s). This would divide the original inputs x i for each party up among the others. This would allow a number of parties > t to reconstruct the input of a cheater, but any coalition of t or less members would not be able to reconstruct the inputs. (Recall that t is the max number of corrupt parties tolerated.) If some party P i tries to quit early, the remaining parties could reconstruct its input. They could then restart the protocol without the cheater and simulate its behavior based on the reconstructed input. 6 What if we aren t sure if majority is honest? This is a great question. But we are out of time! See the recent work of Katz [Kat07] for more. References [GMW87] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game or a completeness theorem for protocols with honest majority. 19th ACM Symposium on the Theory of Computing, pages 218 229, 1987. [Kat07] Jonathan Katz. On achieving the best of both worlds in secure multiparty computation. In (to appear) STOC 07, 2007. Available at http://eprint.iacr.org/2006/455. [Yao82] A.C. Yao. Theory and applications of trapdoor functions. 23rd Annual Symposium on Foundations of Computer Science, pages 80 91, 1982. 14-7

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback