Published by Tracy Perry. Modified over 2 years ago.

1
Eran Omri, Bar-Ilan University
Joint work with Amos Beimel and Ilan Orlov, BGU
Ilan Orlov…!??!!

3
What is the minimal bias for multiparty coin-toss?
Coin tossing is a basic primitive in secure computation
◦ Simple to define
◦ Used in many schemes
Optimal bias means optimal fairness
◦ Essential in many tasks in MPC (e.g., fair exchange)
To understand fairness in general secure computation, we must understand the basic task of coin tossing

4
We construct multiparty coin-tossing protocols
◦ Tolerating a majority of malicious parties
◦ Minimizing the bias of the adversary
Optimal bias of O(1/r), where r is the number of rounds

5
Multiparty Coin-Toss:
◦ Examples and definitions
◦ Previous results
◦ Our results
Reviewing the [Moran, Naor, Segev 09] result
Our Result: Simplified Constructions
Summary and Open Problems

6
[Diagram: the two parties exchange bits a and b; the output is c = a ⊕ b]

7
[Diagram: the adversary wants c = 0; after seeing b it sends a = b, so c = a ⊕ b = 0 w.p. 1]
Can’t we send messages simultaneously?? No. Not a reasonable assumption!

8
[Diagram: z = commit(a) is sent first, then b, then a with decommit(z); the output is c = a ⊕ b]

9
[Diagram: z = commit(a) is sent first, then b, then a with decommit(z). The adversary wants c = 0: if a = b it decommits and c = a ⊕ b = 0; otherwise it aborts and c = 0 w.p. ½. Overall c = 0 w.p. 3/4]
How to react if a party aborts?? The other party outputs a random bit

10
Goal: honest parties agree on a uniform bit
r-round protocol Π
m parties, up to t malicious parties
Rushing adversary
◦ Realistic communication model (do not assume simultaneous exchange)
We assume a broadcast channel
Bias – the maximum advantage of any adversary in the protocol over flipping a fair coin
◦ In Blum’s protocol, the bias is ¼
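
The ¼ bias of the commit-then-reveal exchange on the earlier slides, computed exactly. This is an added example, not code from the talk; the SHA-256 commitment and the function names are assumptions made for illustration.

```python
import hashlib
import secrets
from fractions import Fraction
from itertools import product

def commit(bit, nonce):
    # Assumed instantiation: hash commitment; the slides only write commit(a)
    return hashlib.sha256(nonce + bytes([bit])).digest()

def opens_to(z, bit, nonce):
    return secrets.compare_digest(z, commit(bit, nonce))

def receiver_output(a, b, fallback, committer_cheats):
    """One run of the commit / reply / decommit exchange, seen from the honest receiver."""
    nonce = secrets.token_bytes(16)
    z = commit(a, nonce)                      # message 1: z = commit(a)
    # message 2: the receiver sends b; a rushing committer sees it before opening z
    if committer_cheats and a != b:
        return fallback                       # abort: receiver outputs a random bit
    if not opens_to(z, a, nonce):             # message 3: decommit(z), checked by receiver
        return fallback
    return a ^ b

def prob_zero(committer_cheats):
    """Exact Pr[c = 0] over the uniform bits a, b and the receiver's fallback coin."""
    runs = [receiver_output(a, b, f, committer_cheats)
            for a, b, f in product((0, 1), repeat=3)]
    return Fraction(runs.count(0), len(runs))

def bias(committer_cheats):
    return abs(prob_zero(committer_cheats) - Fraction(1, 2))
```

The commitment stops the committer from choosing a after seeing b, but the abort decision still depends on b, and that dependence is the whole ¼.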

11
Any r-round 2-party coin-tossing protocol has bias Ω(1/r)
◦ Generalizes to any multiparty protocol with no honest majority
Conclusion: impossible to achieve coin-tossing with a polynomial number of rounds and negligible bias without honest majority

12
Bias O(t/ r) with m parties, t malicious, and r rounds [ABCGM85,Cl86]
◦ Works by repeating Blum’s protocol r times and taking majority
◦ This is optimal in a natural restricted model [CI93]
Breakthrough: it is possible to achieve 2-party coin-tossing with optimal bias O(1/r) [MNS09]
◦ Matches Cleve’s lower bound and shows that restricted model is restricted

13
What is the optimal bias for multiparty?
Honest majority: negligible bias [GMW87]
No honest majority:
◦ Lower bound of bias Ω(1/r) for r rounds
◦ Previously known protocol gives O(t/ r) for r rounds

14
Goal: bias O(1/r)
O(1/r) bias for any constant number of parties (less than 2/3 of which are malicious)
O(1/r) bias when a “little” more than half the parties are corrupt
◦ These are corollaries of a general construction (see next slide)
Also, when constant fraction of parties are honest, O(1/ r ) – improving a factor of t compared to the previous upper bound (t = #malicious)

15
Theorem: Multiparty r-round coin-tossing with bias O(2^(2^(k+1))/r), for m/2 ≤ t < 2m/3
m = #parties, t = #malicious, k = #diff between malicious and honest
Corollaries: Optimal bias of O(1/r) when:
1. m is constant: e.g., with m=5, t=3 has bias 8/(r-O(1)),
2. k is constant: e.g., with m=2t (k=0) has bias 1/(2r-O(1))
Bias of O(t/r) when k is loglog m

16
Theorem: Multiparty r-round coin-tossing with bias O(1/ ), when t is a const. fraction of m (t = #malicious)
Removes t factor from [ABCGM85,Cl86]

17
Multiparty Coin-Toss:
◦ Examples and definitions
◦ Previous results
◦ Our results
Reviewing the [Moran, Naor, Segev 09] result
Our Result: Simplified Constructions
Summary and Open Problems

18
r-round 2-party coin-tossing protocol
Special round i*
◦ Parties unknowingly learn the output in round i*
◦ Adversary must guess i* to bias output
i* is uniformly chosen and concealed from the view of the parties
Overall bias O(1/r)

19
What to do if a party aborts??
If Bob aborts in round i: Alice outputs a_{i-1}
If Alice aborts in round i: Bob outputs b_{i-1}
a_i, b_i ∈ {0,1}

20
[Diagram: special round i*]
Output bit: c ∈_R {0,1}
Special round: i* ∈_R {1,…,r}
a_i, b_i ∈_R {0,1} (for all i < i*)

21
Preprocessing protocol
[Diagram: special round i*]
Output bit: c ∈_R {0,1}
Special round: i* ∈_R {1,…,r}
a_i, b_i ∈_R {0,1} (for all i < i*)

22
Preprocessing protocol
Output bit: c ∈_R {0,1}
Special round: i* ∈_R {1,…,r}
a_i, b_i ∈_R {0,1} (for all i < i*)

23
Multiparty Coin-Toss:
◦ Examples and definitions
◦ Previous results
◦ Our results
Reviewing the [Moran, Naor, Segev 09] result
Our Result: Simplified Constructions
Summary and Open Problems

24
An Imam, a Rabbi and a Priest go on the same flight…

25
Two ways we extend MNS:
1. Simulation — One subset simulating Alice, the other simulating Bob
2. Generalization — giving a bit to subsets of parties in each round. Before i* bits are independent. From i* bits are all the same bit.

26
[Diagram: special round i*; the adversary wants c = 0]
If Bob aborts in round i, Alices output a_{i-1}
Attack: If a_1 = 0, Bob aborts in round 2
Constant Bias!
Output bit: c ∈_R {0,1}
Special round: i* ∈_R {1,…,r}
a_i, b_i ∈_R {0,1} (for all i < i*)
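
The special-round idea reviewed earlier and the constant-bias attack on this slide, compared by exact enumeration in the trusted-dealer model. This is an added example, not code from the talk: it assumes a_i = b_i = c from round i* on (as the "Two ways we extend MNS" slide states), a uniform default bit a_0, and two hypothetical abort rules named in the comments.

```python
from fractions import Fraction
from itertools import product

def executions(r):
    """Yield (probability, a, b) for every dealer choice of i*, c and the random bits.
    a[0] is Alice's default bit a_0 (assumed uniform); b[0] is unused."""
    for i_star, c in product(range(1, r + 1), (0, 1)):
        n = i_star - 1                              # rounds with independent bits
        for bits in product((0, 1), repeat=2 * n + 1):
            a = (bits[0],) + bits[1:n + 1] + (c,) * (r - n)
            b = (None,) + bits[n + 1:] + (c,) * (r - n)
            yield Fraction(1, 2 * r * 2 ** (2 * n + 1)), a, b

def alice_output(a, abort_round):
    # Bob aborting in round i makes Alice output a_{i-1}; otherwise she outputs a_r = c
    return a[-1] if abort_round is None else a[abort_round - 1]

def honest(a, b):
    return None

def guess_special_round(a, b):
    # Two-party Bob sees only his own bits: abort in the first round i with b_i = 1
    return next((i for i in range(1, len(b)) if b[i] == 1), None)

def peek_at_a1(a, b):
    # This slide: a corrupted Alice exposes a_1, so Bob aborts in round 2 iff a_1 = 0
    return 2 if a[1] == 0 else None

def prob_zero(r, adversary):
    """Exact probability that honest Alice outputs 0 against the given abort rule."""
    return sum(p for p, a, b in executions(r)
               if alice_output(a, adversary(a, b)) == 0)

def bias(r, adversary):
    return prob_zero(r, adversary) - Fraction(1, 2)
```

For r = 8 the guessing rule gains 255/4096, shrinking like 1/(2r), while the rule that sees a_1 gains 7/32 and tends to ¼ as r grows, which is why a_i must stay shared until reconstruction is needed.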

27
[Diagram: special round i*]
Reconstructing a_i — only when needed
Dealer: go on unless two parties abort
Output bit: c ∈_R {0,1}
Special round: i* ∈_R {1,…,r}
a_i, b_i ∈_R {0,1} (for all i < i*)

28
Reconstruction upon abort in round i:
Case 1: Two Alices aborted. Bob is honest. Sends b_{i-1} to third Alice
Case 2: Bob aborted. Remaining Alices (at least two) reconstruct a_{i-1}
Requires signatures (limiting adversary to aborts)

29
We described a protocol with a trusted dealer
Does not exist in real-life
How to eliminate the dealer?
◦ To be answered in a few slides…

30
Two ways we extend MNS:
1. Simulation — One subset simulating Alice, the other simulating Bob
2. Generalization — giving a bit to subsets of parties in each round. Before i* bits are independent. From i* bits are all the same bit.

31
Overview: r-round protocol with an online dealer (m=5, t=3)
In round i: each subset S of size 2 or 3 gets a bit
Each bit is shared with threshold 2.
Dealing with aborts in round i: Reconstruct the bit of round i-1
E.g., if A, B abort — C, D, E reconstruct
E.g., if A, B, C abort — D, E reconstruct

32
Dealer randomly selects:
Output c, special round i*
Random bits for i < i*

33
In round i:
Dealer continues if 4 parties are still active
Give party p its share for each bit p ∈ S (a pair or triplet)
If less than 4 parties are active:
Dealer halts
Active parties (set S) reconstruct

34
Dealer halts: at most 3 active parties. At least 2 are honest! (m=5, t=3)
A and D can reconstruct bit (threshold 2)
Adversary could not see
Before i* abort is independent of reconstructed bit

35
Adversary must guess i* to bias output!!
Adversary can see 10 bits in each round i
(If not all equal, then i < i*)
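
One round of the online dealer for m=5, t=3, showing where the "10 bits" come from and why the bit reconstructed after a halt was hidden from the adversary. This is an added example, not code from the talk; the Shamir instantiation, the modulus and all names are assumptions, and it deals a single round (in the protocol the parties reconstruct the bit of round i-1).

```python
import secrets
from itertools import combinations

P = 2**61 - 1                       # prime modulus for Shamir sharing (assumed choice)
PARTIES = "ABCDE"                   # m = 5, as on the slide
SUBSETS = [s for k in (2, 3) for s in combinations(PARTIES, k)]

def share(bit, holders):
    """Threshold-2 Shamir sharing f(x) = bit + a1*x; party number x receives (x, f(x))."""
    a1 = secrets.randbelow(P)
    xs = {p: PARTIES.index(p) + 1 for p in holders}
    return {p: (x, (bit + a1 * x) % P) for p, x in xs.items()}

def reconstruct(points):
    """Recover f(0) from any two shares; a single share gives nothing (None)."""
    if len(points) < 2:
        return None
    (x1, y1), (x2, y2) = points[:2]
    return (y1 * x2 - y2 * x1) * pow(x2 - x1, -1, P) % P

def deal_round(bits):
    # The dealer shares the bit of subset S only among the members of S
    return {s: share(bits[s], s) for s in SUBSETS}

def visible_to(coalition, dealt):
    """Subsets whose bit the coalition can reconstruct from its own shares."""
    return [s for s, sh in dealt.items()
            if reconstruct([sh[p] for p in s if p in coalition]) is not None]

def after_halt(corrupted, aborted, dealt):
    """Active set S reconstructs its bit; also report whether the adversary already knew it."""
    active = tuple(p for p in PARTIES if p not in aborted)
    known = active in visible_to(corrupted, dealt)
    return known, reconstruct([dealt[active][p] for p in active])
```

With A, B, C corrupted, the coalition holds two or more shares for 3 pairs and 7 triplets, 10 of the 20 bits; whichever 2 or 3 of them abort, the remaining active set contains at most one corrupted party, so its bit was below threshold for the adversary.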

36
To turn into an off-line dealer:
Clever use of another layer of secret sharing
To omit the off-line dealer:
Preprocessing protocol (requires only security with abort)

37
1. Simulate dealer’s preprocessing
Compute c, i*, bits for all subsets, rounds
Compute shares for all bits (inner secret sharing)
2. Share info (for each round) – in 4-out-of-5 SSS
Adversary cannot reconstruct (4=t+1)
As long as 4 active protocol can go on (outer secret sharing)

38
If there are 4 active parties:
Send shares of outer secret sharing (4-out-of-5)
Each party learns its shares of appropriate bits (of inner secret sharing)
If at least 2 parties aborted (cannot continue)
Reconstruct bit (same as with online dealer)

39
In each round i parties hold the same information as with online dealer (due to outer-secret-sharing)
To halt computation (prevent reconstruction) 2 must abort.
Adversary can see the same bits after round i as with online dealer

40
1. Security with abort (constant round [Pass04]) with cheat detection
2. Cheat detection:
All honest parties identify a cheater
Continue without it
Can be repeated at most twice
Abort in preprocessing is independent of output

41
Combining ideas (simulation, generalization):
◦ Number of subsets depends on k = 2t-m (gap between honest and malicious)
◦ Bound on bias (rather than )

42
Multiparty Coin-Toss:
◦ Examples and definitions
◦ Previous results
◦ Our results
Reviewing the [Moran, Naor, Segev 09] result
Our Result: Simplified Constructions
Summary and Open Problems

43
Optimal O(1/r) bias for any constant number of parties (less than 2/3 of which are malicious)
Optimal O(1/r) bias when a “little” more than half the parties are corrupt
r = #rounds in the protocol

44
1. Improve dependency on k, prove lower bounds (k = #malicious - #honest)
2. Open joke: An Imam, a Rabbi and a Priest go on the same flight… The engine breaks. Someone needs to go… They toss a fair coin. But how fair can it be…??!!
Is O(1/r) bias possible when t ≥ 2m/3? Specifically, 2 malicious out of 3 parties

45
Thank You!!!
Omrier@gmail.com
