General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.


1 General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science

2 (and me) Joachim (and Claus)

3 A general framework (for casting crypto problems)
An m-ary (randomized) functionality (desired process) $F:(\{0,1\}^n)^m \to (\{0,1\}^n)^m$ (where $m \ge 2$ denotes the # of parties).
Parties $P_1, P_2, \ldots, P_m$ hold local inputs $x_1, x_2, \ldots, x_m$ and obtain local outputs $y_1, y_2, \ldots, y_m$, where $(y_1,y_2,\ldots,y_m) = F(x_1,x_2,\ldots,x_m)$.
Desired solution: delivery of outputs as if the operation was performed by a trusted party.

4 Secure Multi-Party Computation (Crypto Protocols) A secure protocol obtains the same effect as the operation of a trusted party. Thus, mutually distrustful parties emulate the effect of a trusted party.

5 On the feasibility of General Secure MPC
Meta-THM: General Secure MPC is possible under a variety of natural assumptions.
- Assuming an honest majority + TDP
- Allowing abort + TDP (i.e., not considering early termination as breach of security) [reflected in the ideal model]
- Assuming a 2/3-majority + private channels.
TDP == Trapdoor Permutations (which exist, e.g., assuming the intractability of factoring integers).

6 Two-Step construction of General Secure MPC
E.g., assuming an honest majority + TDP
1. Constructing protocols that are secure wrt semi-honest (“honest-but-curious”) adversaries. [“privacy only”]
2. Enforcing semi-honest behavior via ZK proofs (+commit)
Step 2 (enforcing): T = public information (transcript). The Sender (secret input s) sends y' to the Receiver, and is supposed to send $y = f(T,s)$.
Idea: provide a ZK proof that $\exists s'$ s.t. $y' = f(T,s')$.

7 Secure (private) MPC in the semi-honest model.
We assume a TDP (trapdoor permutation).
Reduce to deterministic functionalities with same outputs.
Let C be a GF(2) circuit for computing the m-ary function.
Idea: The parties propagate shares of the values of all wires in C from the input wires of C to its output wires.
[Figure: a gate with input wires x, y and output wire z. Party i holds the shares $x_i, y_i, z_i$, where $x = x_1+x_2+x_3+\cdots+x_m$, $y = y_1+y_2+y_3+\cdots+y_m$ and $z = z_1+z_2+z_3+\cdots+z_m$.]

8 Secure (private) MPC of the gate functionality.
The parties need to propagate shares of the values through each gate. (Shares with subscript i belong to party i.)
[Figure: a gate with input wires x, y and output wire z, where $x = x_1+x_2+x_3+\cdots+x_m$, $y = y_1+y_2+y_3+\cdots+y_m$ and $z = z_1+z_2+z_3+\cdots+z_m$.]
Easy case – addition gate: Set $z_i \leftarrow x_i + y_i$ (local computation). Similarly for negation: $z_i \leftarrow x_i + 1$ if $i=1$ and $z_i \leftarrow x_i$ o.w.
Hard case – multiplication gate: we wish
$$z_1+z_2+\cdots+z_m = (x_1+x_2+\cdots+x_m) \cdot (y_1+y_2+\cdots+y_m)$$
(use algebra)
$$(x_1+x_2+\cdots+x_m) \cdot (y_1+y_2+\cdots+y_m) = \underbrace{\sum_i x_i y_i}_{\text{local}} + \underbrace{\sum_{i \ne j} (x_i y_j + x_j y_i)}_{\text{2PC}}$$

9 Secure 2-PC of s.t.
Recall: General secure MPC “reduces” to secure 2PC of $((x_1,y_1),(y_2,x_2)) \to (z_1,z_2)$, where $(z_1,z_2)$ is random subject to $z_1+z_2 = x_1 x_2 + y_2 y_1$.
Functionalities (inputs and outputs of the two parties):
- (OT) Sender inputs: $s_0, s_1$; Receiver input: $c$. Outputs: Sender: none; Receiver: $s_c$.
- 1st party inputs: $x_1, y_1$; 2nd party inputs: $x_2, y_2$. Outputs: 1st: $r$; 2nd: $r + x_1 x_2 + y_1 y_2$.
- 1st party inputs: $x, z$; 2nd party input: $y$. Outputs: 1st: none; 2nd: $z + xy$.
In the i-th invocation use inputs $(x_i, r_i)$ and $y_i$, where $r_i$ is a random bit. Each party sets its final output = sum of both intermediate outputs.
(OT) Sender sets $s_y = z + yx$.
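The reduction chain of slides 8 and 9, as an added example that is not part of the original slides: a multiplication gate over GF(2) shares, built from the pairwise inner-product functionality, which is built from the z+xy functionality, which is built from OT. The function names are hypothetical, `ot` is an ideal stand-in for the OT primitive, and the cross terms are computed once per unordered pair of parties.

```python
import secrets
from functools import reduce
from itertools import combinations

def ot(s0, s1, c):
    # Ideal 1-out-of-2 OT (assumed primitive): the receiver learns only s_c.
    return s1 if c else s0

def mul_add(x, z, y):
    # ((x, z), y) -> (-, z + x*y): the sender offers s_y = z + y*x for y in {0, 1}.
    return ot(z, z ^ x, y)

def inner_product_2pc(first, second):
    # (first, second) -> (r, r + sum_i first_i * second_i) over GF(2).
    # One mul_add invocation per coordinate, each masked by a fresh random bit r_i.
    out1 = out2 = 0
    for x_i, y_i in zip(first, second):
        r_i = secrets.randbits(1)
        out1 ^= r_i
        out2 ^= mul_add(x_i, r_i, y_i)
    return out1, out2

def share(bit, m):
    # Split a bit into m XOR shares, one per party.
    parts = [secrets.randbits(1) for _ in range(m - 1)]
    return parts + [reduce(lambda a, b: a ^ b, parts, bit)]

def reconstruct(shares):
    # The wire value is the GF(2) sum of all shares.
    return reduce(lambda a, b: a ^ b, shares, 0)

def add_gate(xs, ys):
    # Addition gate: purely local, z_i = x_i + y_i.
    return [x ^ y for x, y in zip(xs, ys)]

def mul_gate(xs, ys):
    # Multiplication gate: local term x_i*y_i plus one 2PC per pair of parties,
    # which hands parties i and j random shares of x_i*y_j + y_i*x_j.
    zs = [x & y for x, y in zip(xs, ys)]
    for i, j in combinations(range(len(xs)), 2):
        z_i, z_j = inner_product_2pc((xs[i], ys[i]), (ys[j], xs[j]))
        zs[i] ^= z_i
        zs[j] ^= z_j
    return zs
```

No party's output share is ever combined with another's until `reconstruct`, so each intermediate value a party sees is masked by a random bit chosen by its peer.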

10 Implementing OT (OT = Oblivious Transfer)
Functionality: Sender inputs: $s_0, s_1$; Receiver input: $c$. Desired outputs: Sender: none; Receiver: $s_c$.
Background: assuming a collection of TDP $\{f_i : D_i \to D_i\}$
Protocol:
1. Sender: selects an index $i$ (and sends it to the Receiver).
2. Receiver: select $x_c, y_{1-c} \in D_i$, compute $y_c = f_i(x_c)$, and send $y_0, y_1$.
3. Sender: find the $f_i$-preimages of both: $z_0, z_1$, and send $b(z_0)+s_0$, $b(z_1)+s_1$.
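The OT protocol of slide 10 run end to end, as an added example that is not part of the original slides. Assumptions: the trapdoor permutation is textbook RSA with constructed toy primes (far too small to be secure), b is taken to be the least significant bit as the hard-core predicate, and the receiver's final unmasking step, which the slide does not show, is the standard completion.

```python
import secrets

# Constructed toy trapdoor permutation f_i over D_i = Z_N (insecure size).
P, Q, E = 61, 53, 17
N = P * Q                              # public index i = (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))      # trapdoor, known to the sender only

def f(x):
    return pow(x, E, N)

def f_inv(y):
    # Inversion requires the trapdoor D.
    return pow(y, D, N)

def b(z):
    # Assumed hard-core predicate of f: least significant bit.
    return z & 1

def receiver_choose(c):
    # Receiver knows a preimage only for position c; y_{1-c} is sampled directly.
    x_c = secrets.randbelow(N)
    ys = [0, 0]
    ys[c] = f(x_c)
    ys[1 - c] = secrets.randbelow(N)
    return x_c, (ys[0], ys[1])

def sender_respond(s0, s1, y0, y1):
    # Sender inverts both values and masks each secret with b of the preimage.
    z0, z1 = f_inv(y0), f_inv(y1)
    return b(z0) ^ s0, b(z1) ^ s1

def receiver_output(c, x_c, masked):
    # Receiver can strip only the mask b(x_c), since z_c = x_c.
    return masked[c] ^ b(x_c)

def run_ot(s0, s1, c):
    # Full exchange between a semi-honest sender and receiver.
    x_c, (y0, y1) = receiver_choose(c)
    masked = sender_respond(s0, s1, y0, y1)
    return receiver_output(c, x_c, masked)
```

Because f is a permutation, $y_0$ and $y_1$ are both uniform in $D_i$, so the sender cannot tell which position the receiver can open; the receiver's privacy loss about $s_{1-c}$ is bounded by its ability to predict $b(z_{1-c})$, which holds only if it follows the protocol as slide 7's semi-honest model assumes.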

11 Conclusion: General Secure MPC is feasible
Meta-THM: General Secure MPC (i.e., secure emulation of trusted parties) is possible under a variety of natural assumptions.
- MPC for an honest majority, assuming TDP.
- Similar ideas (+more) yield MPC without honest majority, but when “allowing abort” (i.e., not considering early termination as breach of security). (Also assuming TDP.)
- Assuming a 2/3-majority + private channels.

12 The End The slides of this talk are available at http://www.wisdom.weizmann.ac.il/~oded/T/mpc.ppt A related survey is available at http://www.wisdom.weizmann.ac.il/~oded/s_mpc.html

13 Zero-Knowledge Proofs A secure protocol (i.e., ZK proof) obtains the same effect as the operation of a trusted party. Thus, mutually distrustful parties emulate the effect of a trusted party.

14 Secure 2-PC of the Inner Product mod 2 of two vectors
Recall: General secure MPC “reduces” to secure 2PC of the inner product mod 2 of two input vectors held by the two parties. (For us n=2 suffices.)
Functionalities (inputs and outputs of the two parties):
- (OT) Sender inputs: $s_0, s_1$; Receiver input: $c$. Outputs: Sender: none; Receiver: $s_c$.
- 1st party inputs: $x_1,\ldots,x_n$; 2nd party inputs: $y_1,\ldots,y_n$. Outputs: 1st: $r$; 2nd: $r + \sum_i x_i y_i$.
- 1st party inputs: $x, z$; 2nd party input: $y$. Outputs: 1st: none; 2nd: $z + xy$.
In the i-th invocation use inputs $(x_i, r_i)$ and $y_i$, where $r_i$ is a random bit. Final output = sum of all n outputs.

