A Zero-One Law for Secure Multi-Party Computation with Ternary Outputs

Similar documents
A Zero-One Law for Secure Multi-Party Computation with Ternary Outputs

Multi-Party Computation with Conversion of Secret Sharing

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

Lecture 38: Secure Multi-party Computation MPC

From Secure MPC to Efficient Zero-Knowledge

Complexity of Multi-Party Computation Functionalities

Physically Uncloneable Functions in the Universal Composition Framework. Christina Brzuska Marc Fischlin Heike Schröder Stefan Katzenbeisser

Efficient Conversion of Secret-shared Values Between Different Fields

1 Secure two-party computation

On Achieving the Best of Both Worlds in Secure Multiparty Computation

Are you the one to share? Secret Transfer with Access Structure

On the Cryptographic Complexity of the Worst Functions

Resource-efficient OT combiners with active security

FAIR AND EFFICIENT SECURE MULTIPARTY COMPUTATION WITH REPUTATION SYSTEMS

SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a

Oblivious Transfer in Incomplete Networks

A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness

Perfect Secure Computation in Two Rounds

Lecture 14: Secure Multiparty Computation

On Expected Constant-Round Protocols for Byzantine Agreement

Network Oblivious Transfer

Secure Multiparty Computation from Graph Colouring

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

Introduction to Cryptography Lecture 13

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion

Round-Efficient Multi-party Computation with a Dishonest Majority

Multiparty Computation

Improved High-Order Conversion From Boolean to Arithmetic Masking

Secure Computation. Unconditionally Secure Multi- Party Computation

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

k-nearest Neighbor Classification over Semantically Secure Encry

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

Perfect Secure Computation in Two Rounds

Fast Large-Scale Honest-Majority MPC for Malicious Adversaries

Efficient General-Adversary Multi-Party Computation

Computing on Encrypted Data

4-3 A Survey on Oblivious Transfer Protocols

Additive Conditional Disclosure of Secrets

Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings

ECS 189A Final Cryptography Spring 2011

On Two Round Rerunnable MPC Protocols

Lecture 11: Key Agreement

Introduction to Modern Cryptography Lecture 11

Randomized Algorithms. Lecture 4. Lecturer: Moni Naor Scribe by: Tamar Zondiner & Omer Tamuz Updated: November 25, 2010

Lecture 3,4: Multiparty Computation

Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions

Yuval Ishai Technion

Multiparty Computation, an Introduction

Lecture Notes on Secret Sharing

High-Order Conversion From Boolean to Arithmetic Masking

Efficient Multiparty Protocols via Log-Depth Threshold Formulae

Error-Tolerant Combiners for Oblivious Primitives

Private Computation Using a PEZ Dispenser

Lecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007

ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET

14 Diffie-Hellman Key Agreement

SELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

An Efficient and Secure Protocol for Privacy Preserving Set Intersection

Realistic Failures in Secure Multi-Party Computation

Multiparty Computation (MPC) Arpita Patra

Notes for Lecture 25

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Sign Modules in Secure Arithmetic Circuits (A Full Version)

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Notes on Zero Knowledge

Efficient Public-Key Distance Bounding

A New Approach to Practical Active-Secure Two-Party Computation

No#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability

Complexity of Multi-party Computation Problems: The Case of 2-Party Symmetric Secure Function Evaluation

Why is Deep Random suitable for cryptology

New Notions of Security: Universal Composability without Trusted Setup

Perfectly-Secure Multiplication for any t < n/3

Secure Multi-Party Computation

Universally Composable Multi-Party Computation with an Unreliable Common Reference String

Protocols for Multiparty Coin Toss with a Dishonest Majority

6.897: Selected Topics in Cryptography Lectures 11 and 12. Lecturer: Ran Canetti

Near-Optimal Secret Sharing and Error Correcting Codes in AC 0

Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

Notes for Lecture 17

Cryptanalysis of Threshold-Multisignature Schemes

Benny Pinkas Bar Ilan University

Reducing Garbled Circuit Size While Preserving Circuit Gate Privacy *

Entropy Accumulation in Device-independent Protocols

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Efficient and Private Scoring of Decision Trees, Support Vector Machines and Logistic Regression Models based on Pre-Computation

Data fusion without data fusion: localization and tracking without sharing sensitive information

Lecture 3: Interactive Proofs and Zero-Knowledge

Oblivious Evaluation of Multivariate Polynomials. and Applications

How to Construct a Leakage-Resilient (Stateless) Trusted Party

Cryptographic Protocols FS2011 1

Question: Total Points: Score:

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Exploring the Limits of Common Coins Using Frontier Analysis of Protocols

Transcription:

A Zero-One Law for Secure Multi-Party Computation with Ternary Outputs KTH Royal Institute of Technology gkreitz@kth.se TCC, Mar 29 2011

Model Limits of secure computation Our main result Theorem (This paper) For every n-argument function f : A 1... A n Z 3, f is either n-private, or it requires honest majority (formally: f is (n 1)/2 -private and not n/2 -private).

Model Limits of secure computation Secure multi-party computation Construct protocol to securely implement some functionality n parties jointly fill the role of trusted third party Here, we work with symmetric secure function evaluation Each party Pi has secret input x i Want to evaluate a function f (x1, x 2,..., x n ) f has finite domain All parties receive the output (symmetric)

Model Limits of secure computation Our model In this talk, all our adversaries are passive (honest-but-curious) Dishonest parties follow the protocol specification Information-theoretic security Adversary has unlimited computation power Private-channels model Parties are connected pairwise with perfectly private channels

Model Limits of secure computation Security Threshold adversary Can corrupt any subset of parties of size t Adversary s goal: learn more than what can be deduced from input of corrupted parties + function s output If there is protocol for f with threshold t, then we say f is t-private

Model Limits of secure computation Background results In our model, all functions are (n 1)/2 -private [BGW 88, CCD 88] This is tight, some functions require honest majority (e.g., disjunction) But, some functions are n-private (e.g., summation) General understanding of limits is still an open problem

Model Limits of secure computation The two-party case is known Two-party f either not private, or is 1-private (= 2-private) An f with forbidden submatrix is not private [Bea 89, Kus 89] 1-private protocol for f without forbidden submatrix: decomposition Oblivious Transfer (OT) is not 1-private

Model Limits of secure computation In general, the privacy hierarchy is complete For every n/2 t n 2 there is f which is t-private but not t + 1-private [CGK 94] Construction to show this has f with large range, 2 t+2 2 Gives that for range Z 14, the hierarchy is complete for n = 4 parties

Model Limits of secure computation Zero-one law of Boolean privacy For Boolean functions, a zero-one law exists [CK 91] For Boolean f either: f has an embedded OR, or n f is a summation, f = i=1 f i(x i )

Model Limits of secure computation Zero-one law of Boolean privacy Theorem ([CK 91]) For every n-argument function f : A 1... A n Z 2, f is either n-private, or it requires honest majority (formally: f is (n 1)/2 -private and not n/2 -private).

Our main result Theorem (This paper) For every n-argument function f : A 1... A n Z 3, f is either n-private, or it requires honest majority (formally: f is (n 1)/2 -private and not n/2 -private).

Context of the result Progress on a long-standing open problem Somewhat surprising that there is a zero-one structure for Z 3 Proof along the lines of classic proofs With generalizations of the techniques

Proof ingredients Structure lemma for functions with range Z 3 Two n-private protocols, generalizing summation and decomposition Blood, sweat, and tears

Boolean structure lemma Lemma ([CK 91]) For every n-argument function f : A 1... A n Z 2, exactly one of the following holds: f has an embedded OR f is a sum: n i=1 f i(x i ) This should not be visible

Our structure lemma Lemma (Structure lemma) For every n-argument function f : A 1... A n Z 3, at least one of the following holds: f has an embedded OR f is a permuted sum: π xn ( n 1 i=1 f i(x i )) f is collapsible

Decomposition Recall that for two-party computation, there is a complete characterization Functions which are decomposable are 1-private (=n-private) Collapsible is a generalization of decomposable

Drawing functions 1 1 2 Figure: f (x 1 )

Drawing functions 1 1 1 1 2 2 3 3 2 2 4 5 Figure: f (x 1, x 2 )

Drawing functions 1 1 1 1 1 1 1 1 2 2 3 3 6 7 6 7 2 2 4 5 7 6 7 6 Figure: f (x 1, x 2, x 3 )

Decomposition protocol by example 1 1 1 1 1 1 1 1 2 2 3 3 6 7 6 7 2 2 4 5 7 6 7 6

Decomposition protocol by example 1 1 1 1 1 1 1 1 2 2 3 3 6 7 6 7 2 2 4 5 7 6 7 6

Decomposition protocol by example 1 1 1 1 1 1 1 1 2 2 3 3 6 7 6 7 2 2 4 5 7 6 7 6

Decomposition protocol by example 1 1 1 1 1 1 1 1 2 2 3 3 6 7 6 7 2 2 4 5 7 6 7 6

Decomposition protocol by example 1 1 1 1 1 1 1 1 2 2 3 3 6 7 6 7 2 2 4 5 7 6 7 6

0 1 2 2 2 1 1 0 2 2 2 0 2 2 0 0 1 2 Figure: f (x 1, x 2, x 3 )

0 1 2 2 2 1 1 0 2 2 2 0 2 2 0 0 1 2 0 0 1 1 1 0 0 0 1 1 1 0 1 1 0 0 0 1 Figure: f (x 1, x 2, x 3 ) Figure: 3 i=1 f i(x i ) mod 2

0 1 2 2 2 1 1 0 2 2 2 0 2 2 0 0 1 2 0 0 1 1 1 0 0 0 1 1 1 0 1 1 0 0 0 1 Figure: f (x 1, x 2, x 3 ) Figure: 3 i=1 f i(x i ) mod 2

0 1 1 1 0 0 0 0 1 Figure: Partial f (x 1, x 2, x 3 )

0 1 1 1 0 0 0 0 1 0 2 3 3 1 2 2 0 1 1 3 0 1 3 0 0 2 3 Figure: Partial f (x 1, x 2, x 3 ) Figure: 3 i=1 f i(x i ) mod 4

0 1 1 1 0 0 0 0 1 0 2 3 3 1 2 2 0 1 1 3 0 1 3 0 0 2 3 Figure: Partial f (x 1, x 2, x 3 ) Figure: 3 i=1 f i(x i ) mod 4

Blood, Sweat, and Tears Structure lemma (case analysis) without embedded OR are n-private Once one output eliminated, remaining two can be separated Large embedded OR implies small embedded OR

and Open Problems To Z 4 and beyond!? Do not know if a zero-one law holds for Z 4 If it does: Protocols and generalized definition still apply for larger ranges But, structure lemma would change Proof heavily relies on range of function

and Open Problems Proved Zero-One law for secure computation with range Z 3 Information-theoretic passive adversary, private channels Proof via structure lemma and generalized protocols

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback