Published by Tracy Perry. Modified about 1 year ago.

1
Eran Omri, Bar-Ilan University
Joint work with Amos Beimel and Ilan Orlov, BGU
Ilan Orlov…!??!!

2

3
What is the minimal bias for multiparty coin-toss?
Coin tossing is a basic primitive in secure computation
◦ Simple to define
◦ Used in many schemes
Optimal bias means optimal fairness
◦ Essential in many tasks in MPC (e.g., fair exchange)
To understand fairness in general secure computation, we must understand the basic task of coin tossing

4
We construct multiparty coin-tossing protocols
◦ Tolerating a majority of malicious parties
◦ Minimizing the bias of the adversary
Optimal bias of O(1/r), where r is the number of rounds

5
Multiparty Coin-Toss:
◦ Examples and definitions
◦ Previous results
◦ Our results
Reviewing the [Moran, Naor, Segev 09] result
Our Result: Simplified Constructions
Summary and Open Problems

6
[Figure: the parties exchange bits a and b; labels c, a ⊕ b]

7
[Figure labels: "I want c = 0"; b; a = b; c, a ⊕ b = 0]
c = 0 w.p. 1
Can’t we send messages simultaneously?? No. Not a reasonable assumption!

8
[Figure labels: z, commit(a); b; a, decommit(z); c, a ⊕ b]

9
[Figure labels: z, commit(a); b; a, decommit(z); c, a ⊕ b = 0; c 0 w.p. ½]
I want c = 0: If a = b; Otherwise abort
c = 0 w.p. 3/4
How to react if a party aborts?? The other party outputs a random bit

10
Goal: honest parties agree on a uniform bit
r-round protocol Π
m parties, up to t malicious parties
Rushing adversary
◦ Realistic communication model (do not assume simultaneous exchange)
We assume a broadcast channel
Bias – the maximum advantage of any adversary in the protocol over flipping a fair coin
◦ In Blum’s protocol, the bias is ¼
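Added example (not part of the original slides): the commit-then-reveal coin toss of slides 8 to 10, with an exact enumeration of the abort strategy from slide 9. The SHA-256 commitment with a random nonce and all function names are assumptions of this sketch.

```python
import hashlib
import secrets
from fractions import Fraction
from itertools import product

def commit(bit, nonce):
    """z = SHA-256(nonce || bit): an assumed instantiation of commit(a)."""
    return hashlib.sha256(nonce + bytes([bit])).digest()

def verify(z, bit, nonce):
    return secrets.compare_digest(z, commit(bit, nonce))

def opening_is_binding():
    """Opening z to the flipped bit (same nonce) must fail; binding in
    general rests on the collision resistance of the hash."""
    nonce = secrets.token_bytes(16)
    return all(not verify(commit(a, nonce), a ^ 1, nonce) for a in (0, 1))

def blum_run(a, b, fallback, alice_aborts_if_unhappy):
    """One run: Alice sends z = commit(a), Bob replies b, Alice opens.
    An Alice who wants c = 0 refuses to open when a != b, and Bob then
    outputs his own random bit `fallback` (the reaction given on slide 9)."""
    nonce = secrets.token_bytes(16)
    z = commit(a, nonce)                   # message 1: Alice -> Bob
    # message 2: Bob -> Alice is b, chosen without knowing a
    if alice_aborts_if_unhappy and a ^ b != 0:
        return fallback                    # abort before decommit(z)
    assert verify(z, a, nonce)             # message 3: Alice opens (a, nonce)
    return a ^ b

def prob_zero(alice_aborts_if_unhappy):
    """Exact Pr[c = 0] over uniform a, b and Bob's fallback bit."""
    outs = [blum_run(a, b, f, alice_aborts_if_unhappy)
            for a, b, f in product((0, 1), repeat=3)]
    return Fraction(outs.count(0), len(outs))

def bias(alice_aborts_if_unhappy):
    return abs(prob_zero(alice_aborts_if_unhappy) - Fraction(1, 2))

if __name__ == "__main__":
    print("honest run:     Pr[c=0] =", prob_zero(False))
    print("abort strategy: Pr[c=0] =", prob_zero(True), "bias =", bias(True))
```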

11
Any r-round 2-party coin-tossing protocol has bias Ω(1/r)
◦ Generalizes to any multiparty protocol with no honest majority
Conclusion: impossible to achieve coin-tossing with a polynomial number of rounds and negligible bias without honest majority

12
Bias O(t/ r) with m parties, t malicious, and r rounds [ABCGM85,Cl86]
◦ Works by repeating Blum’s protocol r times and taking majority
◦ This is optimal in a natural restricted model [CI93]
Breakthrough: it is possible to achieve 2-party coin-tossing with optimal bias O(1/r) [MNS09]
◦ Matches Cleve’s lower bound and shows that restricted model is restricted

13
What is the optimal bias for multiparty?
Honest majority: negligible bias [GMW87]
No honest majority:
◦ Lower bound of bias Ω(1/r) for r rounds
◦ Previously known protocol gives O(t/ r) for r rounds

14
Goal: bias O(1/r)
O(1/r) bias for any constant number of parties (less than 2/3 of which are malicious)
O(1/r) bias when a “little” more than half the parties are corrupt
◦ These are corollaries of a general construction (see next slide)
Also, when constant fraction of parties are honest, O(1/ r ) – improving a factor of t compared to the previous upper bound (t = #malicious)

15
Theorem: Multiparty r-round coin-tossing with bias O(2^{2^{k+1}}/r), for m/2 ≤ t < 2m/3
m = #parties, t = #malicious, k = #diff between malicious and honest
Corollaries: Optimal bias of O(1/r) when:
1. m is constant: e.g., with m=5, t=3 has bias 8/(r-O(1)),
2. k is constant: e.g., with m=2t (k=0) has bias 1/(2r-O(1))
Bias of O(t/r) when k is loglog m

16
Theorem: Multiparty r-round coin-tossing with bias O(1/ ), when t is a const. fraction of m (t = #malicious)
Removes t factor from [ABCGM85,Cl86]

17
Multiparty Coin-Toss:
◦ Examples and definitions
◦ Previous results
◦ Our results
Reviewing the [Moran, Naor, Segev 09] result
Our Result: Simplified Constructions
Summary and Open Problems

18
r-round 2-party coin-tossing protocol
Special round i*
◦ Parties unknowingly learn the output in round i*
◦ Adversary must guess i* to bias output
i* is uniformly chosen and concealed from the view of the parties
Overall bias O(1/r)

19
What to do if a party aborts??
If Bob aborts in round i: Alice outputs a_{i-1}
If Alice aborts in round i: Bob outputs b_{i-1}
a_i, b_i ∈ {0,1}

20
[Figure label: i*]
Output bit: c ∈_R {0,1}
Special round: i* ∈_R {1,…,r}
a_i, b_i ∈_R {0,1} (for all i*

21
Preprocessing protocol
[Figure label: i*]
Output bit: c ∈_R {0,1}
Special round: i* ∈_R {1,…,r}
a_i, b_i ∈_R {0,1} (for all i*

22
Preprocessing protocol
Output bit: c ∈_R {0,1}
Special round: i* ∈_R {1,…,r}
a_i, b_i ∈_R {0,1} (for all i*
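Added example (not part of the original slides): an exact evaluation of abort strategies in a simplified dealer model of the special-round idea from slides 18 to 22. Assumptions, since the slide text is cut off: bits before i* are independent and uniform and bits from i* on all equal c (as slide 25 puts it), a corrupt Bob sees b_i before deciding to abort, Alice then outputs a_{i-1} (slide 19), and the default a_0 is uniform. The numbers hold for this model only.

```python
from fractions import Fraction
from itertools import product

BITS = (0, 1)

def pr_output_zero(r, bob_aborts):
    """Exact Pr[Alice outputs 0] against a corrupt Bob.
    bob_aborts(view) -> bool; view = (b_1, ..., b_i) is everything Bob has
    received when he decides whether to abort in round i."""
    acc = Fraction(0)
    for i_star in range(1, r + 1):            # i* uniform in {1..r}
        n = i_star - 1                        # rounds with independent bits
        zeros = runs = 0
        for c, a_rand, b_rand in product(BITS, product(BITS, repeat=n + 1),
                                         product(BITS, repeat=n)):
            a = list(a_rand) + [c] * (r - n)  # a_0 (assumed default), a_1..a_r
            b = list(b_rand) + [c] * (r - n)  # b_1..b_r
            out = c                           # nobody aborts: output is c
            for i in range(1, r + 1):
                if bob_aborts(tuple(b[:i])):
                    out = a[i - 1]            # Alice falls back to a_{i-1}
                    break
            zeros += out == 0
            runs += 1
        acc += Fraction(zeros, runs)
    return acc / r

def guess_round(j):
    """Bob guesses i* = j: abort in round j if the bit seen there is 1."""
    return lambda view: len(view) == j and view[-1] == 1

def first_one(view):
    """Adaptive variant: abort the first time a 1 shows up."""
    return view[-1] == 1

if __name__ == "__main__":
    for r in (2, 4, 6):
        fixed = pr_output_zero(r, guess_round(1)) - Fraction(1, 2)
        adaptive = pr_output_zero(r, first_one) - Fraction(1, 2)
        print(f"r={r}: bias of fixed guess {fixed}, adaptive {adaptive}")
```

A fixed guess gains exactly 1/(4r) here, and the adaptive rule stays below 1/(2r): the bias shrinks with the number of rounds because the abort only helps when it lands on i*.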

23
Multiparty Coin-Toss:
◦ Examples and definitions
◦ Previous results
◦ Our results
Reviewing the [Moran, Naor, Segev 09] result
Our Result: Simplified Constructions
Summary and Open Problems

24
An Imam, a Rabbi and a Priest go on the same flight…

25
Two ways we extend MNS:
1. Simulation — One subset simulating Alice, the other simulating Bob
2. Generalization — giving a bit to subsets of parties in each round. Before i* bits are independent. From i* bits are all the same bit.

26
[Figure label: i*]
I want c = 0
If Bob aborts in round i, Alices output a_{i-1}
Attack: If a_1 = 0, Bob aborts in round 2
Constant Bias!
Output bit: c ∈_R {0,1}
Special round: i* ∈_R {1,…,r}
a_i, b_i ∈_R {0,1} (for all i*

27
[Figure label: i*]
Reconstructing a_i — only when needed
Dealer: go on unless two parties abort
Output bit: c ∈_R {0,1}
Special round: i* ∈_R {1,…,r}
a_i, b_i ∈_R {0,1} (for all i*

28
Reconstruction upon abort in round i:
Case 1: Two Alices aborted. Bob is honest. Sends b_{i-1} to third Alice
Case 2: Bob aborted. Remaining Alices (at least two) reconstruct a_{i-1}
Requires signatures (limiting adversary to aborts)

29
We described a protocol with a trusted dealer
Does not exist in real-life
How to eliminate the dealer?
◦ To be answered in a few slides…

30
Two ways we extend MNS:
1. Simulation — One subset simulating Alice, the other simulating Bob
2. Generalization — giving a bit to subsets of parties in each round. Before i* bits are independent. From i* bits are all the same bit.

31
Overview: r-round protocol with an online dealer
In round i: each subset S of size 2 or 3 gets a bit
Each bit is shared with threshold 2.
Dealing with aborts in round i: Reconstruct the bit of round i-1
E.g., if A, B abort — C, D, E reconstruct
E.g., if A, B, C abort — D, E reconstruct
m=5, t=3

32
Dealer randomly selects:
Output c, special round i*
Random bits for i*

33
In round i:
Dealer continues if 4 parties are still active
Give party p its share for each bit p ∈ S (a pair or triplet)
If less than 4 parties are active:
Dealer halts
Active parties (set S) reconstruct

34
Dealer halts: at most 3 active parties. At least 2 are honest!
A and D can reconstruct bit (threshold 2)
Adversary could not see
Before i*, abort is independent of reconstructed bit
m=5, t=3

35
Adversary must guess i* to bias output!!
Adversary can see 10 bits in each round i
(If not all equal, then i*
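The counting behind slides 31 to 35, as an added brute-force check that is not part of the original deck. It assumes a coalition learns a subset's bit exactly when it holds at least 2 of that subset's threshold-2 shares, and that only corrupt parties abort; party names A to E follow the slides, the function names are made up for this sketch.

```python
from itertools import combinations

PARTIES = "ABCDE"                      # m = 5
T, THRESHOLD, MIN_ACTIVE = 3, 2, 4     # t = 3, threshold 2, dealer needs 4 active

# In each round, every subset of size 2 or 3 gets its own bit.
SUBSETS = [frozenset(s) for k in (2, 3) for s in combinations(PARTIES, k)]

def visible_bits(corrupt):
    """Subsets whose bit the coalition can reconstruct from its own shares."""
    return [s for s in SUBSETS if len(s & corrupt) >= THRESHOLD]

def halting_sets(corrupt):
    """Active sets left once the dealer halts (fewer than MIN_ACTIVE active),
    over every choice of corrupt parties that have aborted."""
    for k in range(len(PARTIES) - MIN_ACTIVE + 1, len(corrupt) + 1):
        for aborted in combinations(sorted(corrupt), k):
            yield frozenset(PARTIES) - frozenset(aborted)

def check_all_coalitions():
    """Return (set of visible-bit counts, True if every halting set holds a
    bit that its honest members can rebuild and the coalition never saw)."""
    counts, hidden_ok = set(), True
    for c in combinations(PARTIES, T):
        corrupt = frozenset(c)
        seen = visible_bits(corrupt)
        counts.add(len(seen))
        for active in halting_sets(corrupt):
            honest = active - corrupt
            hidden_ok &= (active in SUBSETS               # the set has a bit
                          and len(honest) >= THRESHOLD    # honest can rebuild
                          and active not in seen)         # coalition never saw
    return counts, hidden_ok

if __name__ == "__main__":
    counts, ok = check_all_coalitions()
    print("bits per round:", len(SUBSETS))
    print("bits visible to any 3-party coalition:", counts)
    print("reconstructed bit always hidden from the coalition:", ok)
```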

36
To turn into an off-line dealer:
◦ Clever use of another layer of secret sharing
To omit the off-line dealer:
◦ Preprocessing protocol (requires only security with abort)

37
1. Simulate dealer’s preprocessing
◦ Compute c, i*, bits for all subsets, rounds
◦ Compute shares for all bits (inner secret sharing)
2. Share info (for each round) – in 4-out-of-5 SSS
◦ Adversary cannot reconstruct (4=t+1)
◦ As long as 4 active protocol can go on (outer secret sharing)

38
If there are 4 active parties:
◦ Send shares of outer secret sharing (4-out-of-5)
◦ Each party learns its shares of appropriate bits (of inner secret sharing)
If at least 2 parties aborted (cannot continue)
◦ Reconstruct bit (same as with online dealer)

39
In each round i parties hold the same information as with online dealer (due to outer-secret-sharing)
To halt computation (prevent reconstruction) 2 must abort.
Adversary can see the same bits after round i as with online dealer

40
1. Security with abort (constant round [Pass04]) with cheat detection
2. Cheat detection:
◦ All honest parties identify a cheater
◦ Continue without it
◦ Can be repeated at most twice
Abort in preprocessing is independent of output

41
Combining ideas (simulation, generalization):
◦ Number of subsets depends on k = 2t-m (gap between honest and malicious)
◦ Bound on bias (rather than )

42
Multiparty Coin-Toss:
◦ Examples and definitions
◦ Previous results
◦ Our results
Reviewing the [Moran, Naor, Segev 09] result
Our Result: Simplified Constructions
Summary and Open Problems

43
Optimal O(1/r) bias for any constant number of parties (less than 2/3 of which are malicious)
Optimal O(1/r) bias when a “little” more than half the parties are corrupt
r = #rounds in the protocol

44
1. Improve dependency on k, prove lower bounds
k = #malicious - #honest
2. Open joke: An Imam, a Rabbi and a Priest go on the same flight… The engine breaks. Someone needs to go… They toss a fair coin. But how fair can it be…??!!
Is O(1/r) bias possible when t ≥ 2m/3? Specifically, 2 malicious out of 3 parties

45
Thank You!!!
