Presentation is loading. Please wait.

Presentation is loading. Please wait.

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Published byTracy Perry Modified over 9 years ago

Similar presentations

Presentation on theme: "Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!"— Presentation transcript:

1 Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

2 2

3  What is the minimal bias for multiparty coin-toss?  Coin tossing is a basic primitive in secure computation ◦ Simple to define ◦ Used in many schemes  Optimal bias means optimal fairness ◦ Essential in many tasks in MPC (e.g., fair exchange)  To understand fairness in general secure computation, we must understand the basic task of coin tossing 3

4  We construct multiparty coin-tossing protocols ◦ Tolerating a majority of malicious parties ◦ Minimizing the bias of the adversary  Optimal bias of O(1/r), where r is the number of rounds 4

5  Multiparty Coin-Toss: ◦ Examples and definitions ◦ Previous results ◦ Our results  Reviewing the [Moran, Naor, Segev 09] result  Our Result: Simplified Constructions  Summary and Open Problems 5

6 b a 6 c  a ⊕ b

7 I want c = 0 c = 0 w.p. 1 b a = b 7 c  a ⊕ b = 0 Can’t we send messages simultaneously?? No. Not a reasonable assumption!

8 z  commit(a) b a  decommit(z) 8 c  a ⊕ b

9 z  commit(a) b a  decommit(z) I want c = 0 If a = b Otherwise abort c = 0 w.p. 3/4 How to react if a party aborts?? The other party outputs a random bit 9 c  a ⊕ b = 0 c  0 w.p. ½

10  Goal: honest parties agree on a uniform bit  r-round protocol Π  m parties, up to t malicious parties  Rushing adversary ◦ Realistic communication model (do not assume simultaneous exchange)  We assume a broadcast channel  Bias – the maximum advantage of any adversary in the protocol over flipping a fair coin ◦ In Blum’s protocol, the bias is ¼ 10

11  Any r-round 2-party coin-tossing protocol, has bias Ω(1/r) ◦ Generalizes to any multiparty protocol with no honest majority  Conclusion: impossible to achieve coin- tossing with a polynomial number of rounds and negligible bias without honest majority 11

12  Bias O(t/ r) with m parties, t malicious, and r rounds [ABCGM85,Cl86] ◦ Works by repeating Blum’s protocol r times and taking majority ◦ This is optimal in a natural restricted model [CI93]  Breakthrough: it is possible to achieve 2-party coin-tossing with optimal bias O(1/r ) [MNS09] ◦ Matches Cleve’s lower bound and shows that restricted model is restricted 12

13 What is the optimal bias for multiparty?  Honest majority: negligible bias [GMW87]  No honest majority: ◦ Lower bound of bias Ω(1/r) for r rounds ◦ Previously known protocol gives O(t/ r) for r rounds 13

14  Goal: bias O(1/r)  O(1/r) bias for any constant number of parties (less than 2/3 of which are malicious)  O(1/r) bias when a “little” more than half the parties are corrupt ◦ These are corollaries of a general construction (see next slide)  Also, when constant fraction of parties are honest, O(1/ r ) – improving a factor of t compared to the previous upper bound (t =#malicious) 14

15  Theorem: Multiparty r-round coin-tossing with bias O(2 2 k+1 /r), for m/2 ≤ t < 2m/3 m= #parties, t = #malicious, k = #diff between malicious and honest  Corollaries:  Optimal bias of O(1/r) when: 1.m is constant: e.g., with m=5, t=3 has bias 8/(r-O(1)), 2.k is constant: e.g., with m=2t (k=0) has bias 1/(2r-O(1))  Bias of O(t/r) when k is loglog m 15

16  Theorem: Multiparty r-round coin-tossing with bias O(1/ ), when t is a const. fraction of m (t = #malicious)  Removes t factor from [ABCGM85,Cl86] 16

17  Multiparty Coin-Toss: ◦ Examples and definitions ◦ Previous results ◦ Our results  Reviewing the [Moran, Naor, Segev 09] result  Our Result: Simplified Constructions  Summary and Open Problems 17

18  r-round 2-party coin-tossing protocol  Special round i* ◦ Parties unknowingly learn the output in round i* ◦ Adversary must guess i* to bias output  i* is uniformly chosen and concealed by the view of the parties  Overall bias O(1/r) 18

19 What to do if a party aborts?? If Bob aborts in round i: Alice outputs a i-1 If Alice aborts in round i: Bob outputs b i-1 a i,b i ∈ {0,1} 19

20 i* Output bit: c ∈ R {0,1} Special round: i* ∈ R {1,…,r } a i,b i ∈ R {0,1} (for all i<i* ) I want c = 0 View is independent of output No BIAS Output is fixed No BIAS Adversary must guess i* View at i ≤ i* is independent of i* Bias O(1/r) BIAS !!  20

21 Preprocessing protocol i* Output bit: c ∈ R {0,1} Special round: i* ∈ R {1,…,r } a i,b i ∈ R {0,1} (for all i<i*) Use secret sharing: To restrict adv. to aborting — all shares are authenticated 21

22 Preprocessing protocol Output bit: c ∈ R {0,1} Special round: i* ∈ R {1,…,r } a i,b i ∈ R {0,1} (for all i<i*) Compute secret sharing:  Preprocessing?? Both parties get output?? But, How??  Answer: NO, only guarantee “Security With Abort” ◦ Adversary learns output, then may deny output from honest party.  No harm: preprocessing reveals nothing to adversary  Constant number of rounds [Lindell 2003] 22

23  Multiparty Coin-Toss: ◦ Examples and definitions ◦ Previous results ◦ Our results  Reviewing the [Moran, Naor, Segev 09] result  Our Result: Simplified Constructions  Summary and Open Problems 23

24 An Imam, and a Priest go on the same flight… 24 a Rabbi

25  Two ways we extend MNS: 1. Simulation — One subset simulating Alice, the other simulating Bob 2. Generalization — giving a bit to subsets of parties in each round.  Before i* bits are independent.  From i* bits are all the same bit. 25

26 i* I want c = 0 If Bob aborts in round i Alices output a i-1 Attack: If a 1 = 0 Bob aborts in round 2 Constant Bias! Output bit: c ∈ R {0,1} Special round: i* ∈ R {1,…,r} a i,b i ∈ R {0,1} (for all i<i* ) Observation: At least two parties are honest. Either Bob is honest or There is an honest majority of Alices 26

27 i* Reconstructing a i — only when needed Dealer: go on unless two parties abort Output bit: c ∈ R {0,1} Special round: i* ∈ R {1,…,r} a i,b i ∈ R {0,1} (for all i<i* ) Use 2-out-of-3 secret sharing of a i : 27

28 Reconstruction upon abort in round i : Case 1: Two Alices aborted. Bob is honest. Sends b i-1 to third Alice Case 2: Bob aborted. Remaining Alices (at least two) reconstruct a i-1 Requires signatures (limiting adversary to aborts) 28

29  We described a protocol with a trusted dealer  Does not exist in real-life  How to eliminate the dealer? ◦ To be answered in a few slides… 29

30  Two ways we extend MNS: 1. Simulation — One subset simulating Alice, the other simulating Bob 2. Generalization — giving a bit to subsets of parties in each round.  Before i* bits are independent.  From i* bits are all the same bit. 30

31 Overview: r-round protocol with an online dealer In round i: each subset S of size 2 or 3 gets a bit Each bit is shared with threshold 2. Dealing with aborts in round i: Reconstruct the bit of round i-1 E.g., if A, B abort — C, D, E reconstruct E.g., if A, B, C abort — D, E reconstruct m=5, t=3 31

32 Dealer randomly selects: Output c, special round i* Random bits for i<i* (for all pairs, triples) (bits for i≥i* are set to c) Shares for every bit (all shares are signed) For pairs: in 2-out-of-2 SSS For triples: in 2-out-of-3 SSS 32

33 In round i: Dealer continues if 4 parties are still active Give party p its share for each bit p ∈ S (a pair or triplet) If less than 4 parties are active: Dealer halts Active parties (set S ) reconstruct 33

34 Dealer halts  at most 3 active parties. At least 2 are honest! A and D can reconstruct bit (threshold 2) Adversary could not see Before i* abort is independent of reconstructed bit m=5, t=3 34

35 Adversary must guess i* to bias output!! Adversary can see 10 bits in each round i (If not all equal, then i<i* ) Once in every 2 9 rounds they are all the same Probability to guess i* ≤ 2 9 /r (Improved later) m=5, t=3 35

36  To turn into an off-line dealer: Clever use of another layer of secret sharing  To omit the off-line dealer: Preprocessing protocol (requires only security with abort) 36

37 1.Simulate dealer’s preprocessing Compute c, i*, bits for all subsets, rounds Compute shares for all bits (inner secret sharing) 2.Share info (for each round) – in 4-out-of-5 SSS Adversary cannot reconstruct (4=t+1) As long as 4 active protocol can go on (outer secret sharing) 37

38 If there are 4 active parties: Send shares of outer secret sharing (4-out-of-5) Each party learns its shares of appropriate bits (of inner secret sharing) If at least 2 parties aborted (cannot continue) Reconstruct bit (same as with online dealer) 38

39 In each round i parties hold the same information as with online dealer (due to outer-secret-sharing) To halt computation (prevent reconstruction) 2 must abort. Adversary can see the same bits after round i as with online dealer 39

40 1.Security with abort (constant round [Pass04]) with cheat detection 2.Cheat detection: All honest parties identify a cheater Continue without it Can be repeated at most twice Abort in preprocessing is independent of output 40

41  Combining ideas (simulation, generalization): ◦ Number of subsets depends on k = 2t-m (gap between honest and malicious) ◦ Bound on bias (rather than ) 41

42  Multiparty Coin-Toss: ◦ Examples and definitions ◦ Previous results ◦ Our results  Reviewing the [Moran, Naor, Segev 09] result  Our Result: Simplified Constructions  Summary and Open Problems 42

43  Optimal O(1/r) bias for any constant number of parties (less than 2/3 of which are malicious)  Optimal O(1/r) bias when a “little” more than half the parties are corrupt r= #rounds in the protocol 43

44 1. Improve dependency on k, prove lower bounds k= #malicious - #honest 2. Open joke: An Imam, a Rabbi and a Priest go on the same flight… The engine breaks. Someone needs to go… They toss a fair coin. But how fair can it be…??!! Is O(1/r) bias possible when t ≥ 2m/3? Specifically, 2 malicious out of 3 parties 44

45 Omrier@gmail.com 45 Thank You!!!

Download ppt "Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!"

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Dov Gordon & Jonathan Katz University of Maryland.

Dov Gordon & Jonathan Katz University of Maryland.
Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)
Private Inference Control

Private Inference Control
Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland.

Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland.
Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.

Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.
Foundations of Cryptography Lecture 3 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 3 Lecturer: Moni Naor.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.

Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.

Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
Survey: Secure Composition of Multiparty Protocols Yehuda Lindell Bar-Ilan University.

Survey: Secure Composition of Multiparty Protocols Yehuda Lindell Bar-Ilan University.
On Fair Exchange, Fair Coins and Fair Sampling Shashank Agrawal, Manoj Prabhakaran University of Illinois at Urbana-Champaign.

On Fair Exchange, Fair Coins and Fair Sampling Shashank Agrawal, Manoj Prabhakaran University of Illinois at Urbana-Champaign.
Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Similar presentations

Ads by Google