Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Published byAlan Feimster Modified over 9 years ago

Similar presentations

Presentation on theme: "Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis."— Presentation transcript:

1 Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis

2 2 Secure Multiparty Computation Parties learn f(x 1,…,x n ) But no other information P 1, x 1 P 2, x 2 P 5, x 5 P 4, x 4 P 3, x 3

3 Adversary Models Number of corrupted parties Honest majority General adversary structures Dishonest majority No fairness or output delivery guarantee Malicious vs. Semi-honest Static vs. Adaptive

4 Covert Adversaries Somewhere between malicious and semi-honest Adversary can cheat but, Caught with reasonable probability Detected cheaters are punished! Studied in several previous works [FY92], [CO99], [AL07], etc.

5 Covert Adversaries Simulation-based definition [AL07] TTP malicious honest x1x1 x2x2 x2x2 anything cheat 1- ɛ corrupted

6 Covert Adversaries TTP malicious honest x1x1 x2x2 x2x2 anything cheat ɛ anything x2x2

7 Current Situation Honest Majority [DI05] Constant Round Blackbox reduction to PRG Dishonest Majority [IKLP06] Blackbox Polynomial number of rounds [KOS03] generic ZK O(log(n)) rounds [MF06,Woo07,LP07,JS07] Constant round No generic ZK Only two-party case

8 Goal Combine all the good properties Round and communication efficiency Avoiding generic ZK Handle dishonest majority Settle for Covert Adversaries

9 Contributions Two-party Case Improve communication Malicious and covert adversaries Multiparty Case Avoids generic ZK O(log(n)) rounds Covert Adversaries

10 Two-party Overview P1P1 P2P2 Challenge e OTs for P 2 ’s input keys t GC[1] GC[t] Open all except for GC[e] P 2 evaluates GC[e]

11 TWO-Party Improvements  Circuits generated pseudo randomly Only hashes of circuits sent over Seeds are revealed for opened circuits Reduced OT communication Only first few steps of OTs are executed initially Receiver committed to his inputs Sufficient for simulation to go through

12 Two-party Improvements P1P1 P2P2 s 1 ← 1 k, G(s 1 ), GC[1] ← Garble(G(s 1 )) Challenge e com(s 1 ), com(h(GC[1])) Reveal all seeds except s e Send GC[e], P 2 evaluates GC[e] com(s t ), com(h(GC[t])) h: hash function; G: PRG s t ← 1 k, G(s t ), GC[t] ← Garble(G(s t ))

13 Two-party Improvements Communication Undetected cheating prob. 1/t O(|C| + t) instead of O(t|C|) Can handle larger t More incentive not to cheat Malicious adversaries Similar techniques work Have not analyzed asymptotically

14 Multiparty Case Modify [BMR90] garbled circuit construction Run the protocol in t session Each session performed using semihonest SFE Perform cut-and-choose

15 Modified BMR A mask bit λ w for every wire w P i holds λ i w λ w = λ 1 w λ 2 w... λ n w for P i ’ s input bit x w let x w λ i w Two random keys k w,0, k w,1 for wire w P i holds k i w,0, k i w,1 k w,j = k 1 w,j || k 2 w,j ||... || k n w,j

16 Modified BMR P i expands his keys to one-time pads p i w,0, q i w,0 ← G(k i w,0 ) p i w,1, q i w,1 ← G(k i w,1 ) Garbled NAND gate g: input wires a,b output wire c

17 Modified BMR g(0,0) = p 1 a,0 … p n a,0 p 1 b,0 … p n b,0 x a λ a = 0; x b λ b = 0 (x a NAND x b ) λ c = (λ a NAND λ b ) λ c Similarly for g(0,1), g(1,0) and g(1,1) k 1 c,0 || … || k n c,0 if λ a NAND λ b = λ c k 1 c,1 || … || k n c,1 otherwise g(0,0) g(0,1) g(1,0) g(1,1)

18 Main Modifications Inputs not embedded in garbled circuit Opening a circuit does not reveal inputs Garbling done using a semi-honest SFE Parties commit to their random coins Run multiple semi-honest sessions Cheating is detected through cut-and- choose

19 Sub-Protocols PublicCoinFlip (1 k,…, 1 k ) → (σ, …, σ) [CR87, KOS03] O(logn) rounds Simulatable Commitments Commit: (σ;x 1, …,x n ) → ({com(x i )}, …, {com(x i )}) Open: P i opens com(x i ) CommittedCoinFlipToAll (σ;1 k, …,1 k ) → (com(e), …, com(e)) CommittedCoinFlipToP i (σ;1 k, …,1 k ) → (com(e), …, e, …, com(e))

20 Main Protocol CRS generation σ ← PublicCoinFlip Challenge generation Com(e) ← CommittedCoinFlipToAll(σ) Committing to randomness For each player i, for each session S in [1..t] - r i [S] ← CommittedCoinFlipToP i (σ) - Expanded using pseudorandom generator - used to generate mask bits, wire keys, semi-honest SFE randomness Committing to Masked Inputs P i commits to x w λ i w [S] for his input wires w Generating Garbled Circuits Parties run t parallel sessions to generate garbled circuits GC[1], …, GC[t] Verification Phase Parties open the committed challenge e For each session S ≠ e, parties open all commitments (except for masked inputs) Evaluation Phase For GC[e], parties open masked inputs and broadcast Each party evaluates the garbled circuit on their own

21 Summary Multiparty Covert Adversaries Avoid generic ZK Round efficient Two-party Improved efficiency Covert and malicious adversaries

22 Thank you!

23 Efficiency Measures Communication Number of bits exchanged Rounds Number of rounds of interaction Computation Local work by each party Practical measures Black-box use of underlying primitives Avoiding generic ZK proofs Efficiently implementable primitives

Download ppt "Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Similar presentations

Ads by Google