Download presentation

Presentation is loading. Please wait.

Published byJeffery Denier Modified about 1 year ago

1
Multi-Party Computation Forever for Cloud Computing and Beyond Shlomi Dolev Joint works with Limor Lahiani, Moti Yung, Juan Garay, Niv Gilboa and Vladimir Kolesnikov

2
Secret Swarm Unit Reactive K-Secret Sharing INDOCRYPT 2007 Shlomi Dolev 1, Limor Lahiani 1, Moti Yung 2 Department of Computer Science 1 Ben-Gurion University of the Negev 2 Columbia University

3
Talk Outline Introduction & motivation The problem Swarm settings Reactive k-secret sharing solutions Polynomial based solution Chinese remaindering based solution Vandermonde-matrix based solution Virtual I/O automaton Conclusions

4
The Polynomial Based Solution Shamir’s (k,n)-threshold scheme Secret: Globl secret gs p(x) = a 0 +a 1 x+a 2 x 2 +…+a k x k a 1..a k are random Secret: a 0 = gs Secret distribution n distinct points: (x i,p(x i )), x i 0 gs = p(0) Any k+1 points reveals the secret No less than k+1 reveals it

5
The Polynomial Based counter Increment counter: gs gs+δ p(x) = gs+a 1 x+a 2 x 2 +…+a k x k q(x) = p(x) + δ q(x) is defined by x i,p(x i )+δ Multiply : gs gs·μ p(x) = gs+a 1 x+a 2 x 2 +…+ a k x k q(x) = p(x)·μ q(x) is defined by x i,p(x i )·μ

6
The Polynomial based solution Swarm input: set set( x i,p(x i ) )

7
The Polynomial based solution Swarm input: step step() x i, p(x i ) x i, p(x i )+ And the same for multiplication by μ

8
The Polynomial based solution input: regain consistency request regainConsistencyReq() leader x i, p(x i )

9
The Polynomial based solution input: regain consistency request leader

10
The Polynomial based solution input: regain consistency reply leader x i, p(x i )

11
The Polynomial based solution input: join request & reply joinReq() joinReply()

12
The Polynomial Based Solution (Corruptive Adversary) Berlekamp-Welch Polynomial p(x) of degree k k+r points e errors Decode p(x) if e r/2 Polynomial based solution Decode p(x) if f (n–k–lp)/2 Where lp = num of leaving processes between two regainConsistency ops.

13
Talk Outline Introduction & motivation The Problem Swarm settings Reactive k-secret sharing solutions Polynomial based solution Chinese remaindering based solution Vandermonde-matrix based solution Virtual I/O automaton Conclusions

14
Our Chinese Remainder Based Solution Swarm secret: global secret gs p 1 < p 2 < … < p k relatively primes M k = p 1 p 2 … p k 0 gs M k gs r 1,p 1 , r 2,p 2 ,…, r l,p k [CRT] r i = gs mod p i gs r 1, r 2,…,r k Secret share r i, p i , r i = gs mod p i

15
Swarm Input p i x i, r i p(x i ) set() step() regainConsistencyRequest() joinRequest() joinReply() regainConsistencyReply()

16
Our Chinese Remainder Based Solution Swarm input: step step(δ) i, b i b i [l 1 ] … [l j ] M[l 1 ]=…=M[l j ]=1

17
Talk Outline Introduction & motivation The problem Swarm settings Reactive k-secret sharing solutions Polynomial based solution Chinese remaindering based solution Vandermonde-matrix based solution Virtual I/O automaton Conclusions

18
Virtual I/O Automaton I/O Automaton A Implemented by the swarm Global state (Global secret) Current state of A Replicated at least T n times Regain consistency ensures: At least T+lp+f replicas of the global state At most T-f-1 replicas of any other state Global output Output with at least T n replicas Threshold device

19
Virtual I/O Automaton Secret share Tuple s i1,s i2,…,s im of candidates At most 1 state is the global state Step( ) transition step on s i1,s i2,…,s im and Randomly solve convergence to same state New tuple of candidates: s’ i1,s’ i2,…,s’ im Output actions o i1,o i2,…,o im At least T replicas of the global output

20
Talk Outline Introduction & motivation The problem Swarm Settings Reactive k-secret sharing solutions Polynomial based solution Chinese remaindering based solution Vandermonde-matrix based solution Virtual I/O automaton Conclusions

21
polynomial based solution Addition & multiplication Error correcting [Berlekamp-Welch] Chinese remaindering based solution Addition Error correcting [Mandelbaum] Virtual I/O automaton Mask the global state Further results: Vandermonde matrix Support XOR operations

22
Thank You!

23
Swarming Secrets Shlomi Dolev (BGU), Juan Garay (AT&T Labs), Niv Gilboa (BGU) Vladimir Kolesnikov (Bell Labs) PODC 2010 (Allerton 2009)

24
Talk Outline Objectives Adversary Secret sharing Membership and thresholds Private computation in swarms –Perfectly oblivious TM –Computing transitions

25
Objectives Why swarms Why secrets in a swarm Dynamic membership in swarms Computation in a swarm

26
Adversary Honest but curious Adaptive Controls swarm members –Up to a threshold of t members What about eavesdropping? –We assume that can eavesdrop on the links (incoming and outgoing) of up to t members

27
Secret sharing X Y i j P(i,j) Bivariate Polynomial P(x,y) i Share of Player i P(i,y) P(x,i)

28
Join Hey Guys, can I play with you? I’m J! J B D C A Sure! P A (J,y), P A (x,J) P B (J,y), P B (x,J) P C (J,y), P C (x,J) P A (J,y), P A (x,J)

29
Leave Problem: –Member retains share after leaving –Adversary could corrupt leaving member and t current members Refreshing (Proactive Secret Sharing) –Each member shares random polynomial with free coefficient 0

30
Additional Operations Merge Split Clone

31
Increase Threshold Why do it? How – simple, add random polynomials of higher degree with P(0,0)=0

32
Decrease Threshold- t to t* J B D C A Choose random, Degree t* Q A (x,y) Share of Q A (x,y) Share of Q A (x,y) Share of Q A (x,y) Share of Q A (x,y) B, C, D, … also share random polynomials

33
Decrease Threshold- t to t* J B D C A Add local shares Add local shares Add local shares Add local shares Add local shares Interpolate P(x,y) + Q A (x,y) + Q B (x,y) +… Remove high degree terms R(x,y)

34
Decrease Threshold- t to t* J B D C A High mon. Of P High mon. Of P High mon. Of P High mon. Of P Compute reduced P Compute reduced P Compute reduced P Compute reduced P Compute reduced P

35
Computation in a Swarm A distributed system –Computational model –Communication between members –Input – we can consider global and non- global input –Changes to “software” –“Output” of computation when computation time is unbounded

36
What is Hidden Current state Input Software Time What is not Hidden? Space

37
How is it Hidden? Secret sharing –Input –State Universal TM –Software Perfectly oblivious universal TM –Time

38
Architecture of a Swarm TM

39
Perfectly Oblivious TM Perfectly Oblivious TM Tape head Oblivious TM – Head moves as function of number of steps Perfectly Oblivious TM – Head moves as function of current position

40
NNYN Perfectly Oblivious TM Perfectly Oblivious TM Tape Orig. Tape Head Transition: ( st, ) (st2, ,right) Transition: ( st, ) (st1, ,left) Tape shifts right, copy that was in previous cell Tape shifts right, head shifts left, Y stays in place, copy Insert result of “real” transition, Transition: ( st, ) (st3, ,left)

41
TM Transitions … Tape Tape head st1 st2 … st … States Transition Table st1 … … 1 …… ns, st ns …

42
Encoding States & Cells … Tape st1 st2 … st … States 10…0 01…0 0…010…0 index st 0…010…0 index

43
Computing a Transition Goal, Compute transition privately in one communication round Method, Construct new state/symbol unit vector, ns/n , from Current state - st Current symbol - ns[k]= st[i] [j], for all i, j such that a transition of (i, j) gives state k Construct new symbol vector in analogous way n [k]= st[i] [j], for all i, j such that a transition of (i, j) gives symbol k

44
Encoding State Transitions Transition Table st1 … st2 … ns, st1, St1, St2, ns, St2, st2, ns, st Current Transition 0 … 0 0 … 0 0*0 0* 1 0*0 1 *0 0*0 0* 1 0*0 1*11 1 ns, ns, ns, ns, 1 *0 1*1 0*0 st1, St1, 0* 1 0*0 St2, st2, St2, 0* 1 0*0 1 *0 0*0+0* 1 =0 … 1 *0+0* 1 +0*0=00*0+0*0+ 1*1 + 1 *0 =1 0…010…0New state is ns

45
Encoding Symbol Transitions Transition Table st1 … st2 … ns, st1, St1, St2, ns, St2, st2, ns, st Current Transition 0 … 0 0 … 0 0*0 0* 1 0*0 1 *0 0*0 0* 1 0*0 1*1 1 1 st1, ns, st2, 0* 1 1*1 0*0 St1, ns, St2, ns, 0*0 1 *0 0*0 ns, St2, 0*0 0* 1 0*0+0* 1 =0 … 1 *0+0*0+0*0+ 1 *0=00* 1 + 1*1 +0*0 =1 0…01 New symbol is

46
What about Privacy? Goal: compute transitions privately Method –Compute new shares using the st[i] [j], –Reduce polynomial degree

47
Sharing States & Symbols Initially Encode 1 by P(x,y), P(0,0)=1 Encode 0 by Q(x,y), Q(0,0)=0 Share bivariate polynomials for state and symbol Step Compute 0*0+ 1*0+ 1*1… by –Multiplying and summing local shares –Running “Decrease” degree protocol

48
Thank You!!! E.g.

49
Secret Sharing Krohn-Rhodes: Private and Perennial Distributed Computation Shlomi Dolev (BGU), Juan Garay (AT&T Labs) Niv Gilboa (BGU and Deutsche Telekom) Vladimir Kolesnikov (Bell Labs) ICS 2011

50
Model

51
The Setting Dealer k parties A1A1 AkAk … Outsourcing … ii i+1 i+2 … Work!Reconstruction State k State 1 Automaton A S Initial state Automaton A is public, State S is secret Dealer wants to outsource computation of A Parties receive the same global, unbounded length input Each party computes internal state. No communication! T Final state

52
Adversary Model Adversary knows FSA A Adversary does not know –Initial state S –Input stream 1,…, i,… Adversary can –Control up to t executing parties –“one shot” – looks once at memory of executing party. Subsequently, this party stops functioning Motivation- sensor networks/ UAV/ Cloud computing We consider honest-but-curious adversary Robust secret sharing works against malicious adversary

53
Security Security definition – Scheme is secure if for adversary every: –Two initial states S and S’ –Two input streams: 1,…, i and ’ 1,…, ’ j –Two corruption timelines 1, 2 of eq. length The view of the adversary is identical The adversary’s view includes A and the memory of the parties it corrupts

54
Why not MPC? MPC [Yao’82,GMW’87,BGW’88,CCD’88]: n players, t corrupted, each with input x i of the same length, compute F(x 1,…,x n ), while keeping x i private. Known MPC techniques cannot handle combination of –Non-interactivity of online phase –IT security –Unbounded input

55
FSA Our model for FSA –States –Input symbols (no output) –Transitions

56
Our Scheme

57
Contributions Scheme for perennial computation for every FSA Complexity depends on complexity of Krohn- Rhodes decomposition of FSA –Linear for certain interesting cases –n! in the worst case Complexity measures –Size of FSA (space) –Number of transitions per original transition (time) Bridging of two “worlds”: IT cryptography and automata theory

58
A simple Case Permutation FSA

59
Permutation Automaton S1S1 S4S4 S2S2 S3S3 α α α α β β β β

60
Initialization: Secret Sharing Secret shares of the value 1 … k instances Permutation FSA Secret shares of the value 0 Each state looks the same S Initial state

61
Online Phase … k parties A global input for all parties

62
Reconstruction Dealer collects all shares from every party Correct final state is associated with a shared 1 All other states are associated with a shared 0

63
The Full Solution

64
What’s Missing? Not every FSA is a permutation FSA! Our plan: –Decompose FSA into simple components Permutation FSA Reset FSA

65
Reset Automaton S1S1 S2S2 S3S3 S4S4 α β α α α β β β

66
Cascade/Wreath Product FSA i-1 FSA 1 FSA n … … S1S1 FSA i S i-1 SiSi SnSn Sequence of n Automata Current state of each FSA i-1 nn ii 11 Component input Global input i = i ( ,s 1,…,s i-1 )

67
Homomorphic Representation FSA i-1 FSA 1 FSA n … … S1S1 FSA i S i-1 SiSi SnSn Automaton A S Cascade product represents some FSA Mapping between states (s 1,…,s n )=s Mapping satisfied for every input Cascade can be used instead of A

68
Krohn-Rhodes Theory [Krohn-Rhodes 1962, 1965] – every FSA can be homomorphically represented by cascade of permutation FSA and reset FSA [Zieger 1967, Eilenberg 1976] – the Holonomy decomposition – for n-state FSA A, ≤n level cascade, ≤n states in each component

69
Initialization: Decomposition Dealer input Automaton A Initial state S … … … Decompose to cascade of permutation and reset FSA SiSi Permutation FSA, initial state s i Reset FSA, initial state s j SjSj (s 1,…,s n )=s

70
Initialization: Secret Sharing … … … Secret shares of the value 1 Reset FSA … k instances Permutation FSA Secret shares of the value 0 … Each state looks the same Secret share 1 for correct reset Secret share 0 for other resets

71
Party Input k Parties Decomposition of A to permutation and reset FSA Cascade functions 1,…, n-1 Secret shares for one instance

72
Party Initialization … … Permutation: One child per state Reset: One child per FSA Every path: cascade representing A Correct path: 1 shares

73
Online Phase … … i = i ( ,s 1,…,s i-1 ) i+1 = i+1 ( ,s 1,…,s i ) i+1 = i+1 ( ,s 1,…,t i )

74
Reconstruction Dealer collects shares Reconstructs 1 shares layer by layer Obtains s 1,…,s n Computes s= (s 1,…,s n )

75
Example: Gen. Decision Tree

76
Summary Scheme for perennial computation for every FSA Complexity depends on complexity of Krohn- Rhodes decomposition of FSA –Linear for certain interesting cases –n! in the worst case Complexity measures –Size of FSA (space) –Number of transitions per original transition (time) Bridging of two “worlds”: IT cryptography and automata theory

77
Thank You!!!

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google