Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 14 Multi-party Computation Protocols Stefan Dziembowski www.dziembowski.net MIM UW 25.01.13ver 1.0.

Published byClinton Hardy Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 14 Multi-party Computation Protocols Stefan Dziembowski www.dziembowski.net MIM UW 25.01.13ver 1.0."— Presentation transcript:

1 Lecture 14 Multi-party Computation Protocols Stefan Dziembowski www.dziembowski.net MIM UW 25.01.13ver 1.0

2 Plan 1.Definitions and motivation 2.Security against the threshold adversaries 1.overview of the results 2.overview of the constructions 3.General adversary structures 4.Applications

3 Multi-party computations (MPC) P5P5 P1P1 P3P3 P2P2 P4P4 input a 1 input a 2 input a 3 input a 4 input a 5 they want to compute some value f(a 1,a 2,a 3,a 4,a 5 ) for a publicly-known f. they want to compute some value f(a 1,a 2,a 3,a 4,a 5 ) for a publicly-known f. a group of parties: Before we considered this problem for n = 2 parties. Now, we are interested in arbitrary groups of n parties. Before we considered this problem for n = 2 parties. Now, we are interested in arbitrary groups of n parties. output f(a 1,a 2,a 3,a 4,a 5 )

4 Examples P5P5 P1P1 P3P3 P2P2 P4P4 input a 1 input a 2 input a 3 input a 4 input a 5 A group of millionaires wants to compute how much money they own together. f(a 1,a 2,a 3,a 4,a 5 ) = a 1 +a 2 +a 3 +a 4 +a 5 A group of millionaires wants to compute how much money they own together. f(a 1,a 2,a 3,a 4,a 5 ) = a 1 +a 2 +a 3 +a 4 +a 5 Another example: voting

5 The general settings Each pair of parties is connected by a secure channel. (assume also that the network is synchronous) Some parties may be corrupted. The corrupted parties may act in coalition. Each pair of parties is connected by a secure channel. (assume also that the network is synchronous) Some parties may be corrupted. The corrupted parties may act in coalition. P5P5 P1P1 P3P3 P2P2 P4P4

6 How to model the coalitions of the corrupted parties? We assume that there exists one adversary that can corrupt several parties. Once a parity is corrupted the adversary “takes control over it”. what it means depends on the settings

7 Threshold adversaries In the two-party case we considered an adversary that could corrupt one of the players. Now, we assume that the adversary can corrupt some subset of the players. The simplest case: set some threshold t < n and allow the adversary to corrupt up to t players. In the two-party case we considered an adversary that could corrupt one of the players. Now, we assume that the adversary can corrupt some subset of the players. The simplest case: set some threshold t < n and allow the adversary to corrupt up to t players.

8 Example n = 5, t = 2 P5P5 P5P5 P1P1 P1P1 P3P3 P3P3 P2P2 P2P2 P4P4 P4P4

9 Types of adversaries As before, the adversary can be: computationally bounded, or infinitely powerful, and passive active These choices are orthogonal! As before, the adversary can be: computationally bounded, or infinitely powerful, and passive active These choices are orthogonal! computationally bounded infinitely powerful passive active all those choices make sense!

10 Adaptivness In addition to it the adversary may be adaptive – he may decide whom to corrupt during the execution of the protocol, or non-adaptive – he has to decide whom to corrupt, before the execution starts. In addition to it the adversary may be adaptive – he may decide whom to corrupt during the execution of the protocol, or non-adaptive – he has to decide whom to corrupt, before the execution starts.

11 The security definition The security definition is complicated and we do not present it here. Main intuition: the adversary should not be able to do more damage in the “real” scenario than he can in the “ideal” scenario. Remember the two-party case? A A B B f(A,B) A A B B A A B B protocol π “ideal” scenario“real” scenario

12 The “real scenaro” P5P5 P1P1 P3P3 P2P2 input a 1 input a 2 input a 3 input a 4 input a 5 output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) P4P4 protocol π

13 The “ideal” scenario P5P5 P1P1 P3P3 P2P2 input a 1 input a 2 input a 3 input a 4 input a 5 output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) output: f(a 1,...,a 5 ) P4P4 computes f

14 Plan 1.Definitions and motivation 2.Security against the threshold adversaries 1.overview of the results 2.overview of the constructions 3.General adversary structures 4.Applications

15 Classical results Question: For which values of the parameter t multi-party computations are possible (for every poly-time computable function f)? n – the number of players settingadversary type condition computationalpassivet < n computationalactivet < n/2 information-theoreticpassivet < n/2 information-theoreticactivet < n/3 (Turns out that the adaptivness doesn’t matter) this can be improved to t < n/2 if we add a “broadcast channel” (these are tight bounds) this can be improved to t < n if we give up “fairness”

16 Example of a lower bound information-theoretic, passive: t < n/2 Suppose n=8 and t=4 Suppose we have a protocol for computing f(a 1,a 2,a 3,a 4,a 5,a 6,a 7,a 8 ) = a 1  a 2  a 3  a 4  a 5  a 6  a 7  a 8 We show an information-theoretically secure 2-party protocol for computing F(A,B) = A  B After showing this we will be done, since we know it’s impossible!

17 P1P1 input a 1 P2P2 input a 2 P3P3 input a 3 input a 4 P4P4 input a 5 P5P5 input a 6 P6P6 input a 7 P7P7 input a 8 P8P8 simulates with a 5 :=B a 6 := a 7 := a 8 := 1 simulates with a 1 :=A a 2 := a 3 := a 4 := 1 the “internal” messages are not sent outside the “external” messages are exchanged between Alice and Bob

18 Correctness? At the end of the execution of the simulated protocol Alice and Bob know f(A,1,1,1,B,1,1,1) = A  B So they have computed F.

19 Why is this protocol secure? If the adversary corrupted Alice or Bob then he “corrupted” exactly t=4 parties. From the security of the MPC protocol the “new” 2-party protocol is also secure!

20 A broadcast channel P5P5 P1P1 P3P3 P2P2 P4P4 m m m m m m m m Every player receives to same message (even if the sender is malicious). m m m m

21 Byzantine Agreement A classical problem in distributed computing [Lamport, Shostak, Pease, 1982]: n generals (connected with private channels) want to reach a consensus there may be t traitors among them attack/retreat

22 A classical result Byzantine agreement is possible if and only if t < n/3

23 Broadcast channel vs. byzantine agreement If t < n/2 and the broadcast channel is available then the byzantine agreement can be achieved as follows: 1.every party P i broadcasts her input s i 2.the majority of the broadcasted values is the agreed value.

24 Fact In the information-theoretic settings: A broadcast channel can be “emulated” by a multiparty protocol. In the information-theoretic settings: A broadcast channel can be “emulated” by a multiparty protocol.

25 On the other hand A trusted party can “emulate” a broadcast channel: P5P5 P1P1 P3P3 P2P2 input m output: m P4P4 So, this is the reason, why in the information theoretic, active case we have t < n/3

26 Idea Allow the parties to use a broadcast channel. We get: settingadversary type condition information- theoretic passivet < n/2 information- theoretic activet < n/3 information- theoretic (with broadcast) activet < n/2

27 Plan 1.Definitions and motivation 2.Security against the threshold adversaries 1.overview of the results 2.overview of the constructions 3.General adversary structures 4.Applications

28 How to construct such protocols? The general scheme is like in the two-party case: 1.Represent the function as a circuit. 2.Let every party “share” her input with the other parties. 3.Evaluate the circuit gate-by-gate (maintaining the invariant that the values of the intermediary gates are shared between the parties) 4.Reconstruct the output. usually: arithmetic circuit over some field

29 Fields A field is a set F with operations + and ·, and an element 0 such that F is an abelian group with the operation +, F \ {0} is an abelian group with the operation ·, [distributivity of multiplication over addition]: For all a, b and c in F, the following equality holds: a · (b + c) = (a · b) + (a · c). Examples of fields: real numbers, Z p for prime p. Polynomials over any field have many intuitive properties of the polynomials over the reals.

30 Arithmetic circuits a0a0 a0a0 a1a1 a1a1 a2a2 a2a2 a3a3 a3a3 a4a4 a4a4 a5a5 a5a5 a6a6 a6a6 a7a7 a7a7 + + * * + + + + + + * * * * + + * * * * c1c1 c1c1 * * c2c2 c2c2 c5c5 c5c5 c4c4 c4c4 c3c3 c3c3 input gates output gates multplication gates multplication gates addition gates

31 How to share a secret? Informally: We want to share a secret s between a group of parties, in such a way that: 1.any set of up to t corrupted parties has no information on s, and 2.even if t parties refuse to cooperate we can still reconstruct the secret s.

32 m-out-of-n secret sharing dealer’s secret S S1S1 S1S1 S5S5 S5S5 S3S3 S3S3 S2S2 S2S2 S4S4 S4S4 1.Every set of at least m players can reconstruct S. 2.Any set of less than m players has no information about S. note: this primitive assumes that the adversary is passive (n = 5) we will have m = t+1

33 Every secret sharing protocol consists of a sharing procedure: (S 1,...,S n ) = share(S) a reconstruction procedure: for any i 1,..,i m we have S = reconstruct(S i 1,...,S i m ) a security condition: for every S,S ’ and every i 1,..,i m-1 : (S i 1,...,S i m-1 ) and (S’ i 1,...,S’ i m-1 ) are distributed indentically, where: (S 1,...,S n ) := share(S) and (S’ 1,...,S’ n ) := share(S’) matching m-out-of-n secret sharing – more formally

34 Shamir’s secret sharing [1/2] 123n... f(1) f(n) f(3) f(2) P1P1 P2P2 P3P3 PnPn... s s 0 Suppose that s is an element of some finite field F, such that |F| > n f – a random polynomial of degree m-1 over F such that f(0) = s sharing:

35 Given f(i 1 ),...,f(i m ) one can interpolate the polynomial f in point 0. Shamir’s secret sharing [2/2] reconstruction: security: One can show that f(i 1 ),...,f(i m-1 ) are independent on f(0).

36 How to construct a MPC protocol on top of Shamir’s secret sharing? Observation Addition is easy... Why?: because polynomials are homomorphic with respect to addition.

37 Polynomials are homomorphic with respect to addition 12n... f(1) f(n) f(3) s s 0 t t g(1) g(3) g(n) s+ts+t s+ts+t f(1)+g(1) f(3)+g(3) f(n)+g(n) degree t

38 Addition sharing secret a sharing secret b sharing secret a+b The parties can compute it non- interactively, by adding their shares locally!

39 How can we use it? We can construct a protocol for computing f(a 1,...,a n ) := a 1 + · · · + a n This protocol will be secure against an adversary that corrupts up to t parties and is passive, and information-theoretic.

40 A protocol for f(a 1,...,a n ) := a 1 + · · · + a n 1.Each party P i shares her input using a (t+1)-out-of-n Shamir’s secret sharing. Let a i 1,...,a i n be the shares. Therefore at the end we have quadratic number of shares a11a11...ai1ai1 an1an1 a1ja1j aijaij anjanj a1na1n ainain annann

41 2.Each P j computes a sum of the shares that he received a11a11...ai1ai1 an1an1 a1ja1j aijaij anjanj a1na1n ainain annann this is what P j received in Step 1

42 The final steps: 3.Each party P j broadcasts b j 4.Every party can now reconstruct f(a 1,...,a n ) := a 1 + · · · + a n by interpolating the shares b 1,..., b n It can be shown that no coalition of up to t parties can break the security of the protocol. (Even if they are infinitely-powerful)

43 How to construct a protocol for any function Polynomials are homomorphic also with respect to multiplication. Problem The degree gets doubled... Hence, the construction of such protocols is not- trivial. But it is possible!

44 Plan 1.Definitions and motivation 2.Security against the threshold adversaries 1.overview of the results 2.overview of the constructions 3.General adversary structures 4.Applications

45 General adversary structures Sometimes assuming that the adversary can corrupt up to t parties is not general enough. It is better to consider arbitrary coalitions of the sets of parites that can be corrupted. Sometimes assuming that the adversary can corrupt up to t parties is not general enough. It is better to consider arbitrary coalitions of the sets of parites that can be corrupted.

46 Example of coalitions

47 Adversary structures Δ is an adversary structure over the set of players {P 1,...,P n } if: Δ  2 {P 1,...,P n } and for every A  Δ if B  A then B  Δ This property is called monotonicity. Because of this, to specify Δ it is enough to specify a set M of its maximal sets. We will also say that M induces Δ. This property is called monotonicity. Because of this, to specify Δ it is enough to specify a set M of its maximal sets. We will also say that M induces Δ.

48 Q2 and Q3 structures We say that A is a Δ-adversary if he can corrupt only the sets in Δ. How to generalize the condition that t < n/2? We say that a structure Δ is Q2 if What about “t < n/3”? We say that a structure Δ is Q3 if

49 A generalization of the classical results setting adversary type condition generalized condition information- theoretic passivet < n/2Q2 information- theoretic activet < n/3Q3 information- theoretic with broadcast active t < n/2 Q2 [Martin Hirt, Ueli M. Maurer: Player Simulation and General Adversary Structures in Perfect Multiparty Computation. J. Cryptology, 2000]

50 There is one problem, though... What is the total number of possible adversary structures? Fact It is doubly-exponential in the number of players.

51 Why? {P 1,...,P n } (suppose n is even) X := family of sets of cardinality n/2 inclusion is a partial order on the set of subsets of {P 1,...,P n }

52 On the other hand... Every subset of X induces a different adversary structure. Hence the set of all adversary structures has cardinality at least: (X := family of sets of cardinality n/2 )

53 So, we have a problem, because On the other hand The number of poly-time protocols is just exponential in the size of the input. Hence If the number of players is super-logarithmic, we cannot hope to have a poly-time protocol for every adversary structure.

54 What to do? Consider only those adversary structure that “can be represented in polynomial space”. For example see: Ronald Cramer, Ivan Damgård, Ueli M. Maurer: General Secure Multi-party Computation from any Linear Secret-Sharing Scheme. EUROCRYPT 2000:

55 Plan 1.Definitions and motivation 2.Security against the threshold adversaries 1.overview of the results 2.overview of the constructions 3.General adversary structures 4.Applications

56 Practical implementation Peter Bogetoft et al. Multiparty Computation Goes Live. 2009 The Danish farmers can now bet in a secure way for the contracts to deliver sugar beets.

57 Efficiency

58 Other applications Distributed cryptography is also used in the following way. Suppose we have a secret key sk (for a signature scheme) and we do not wan to store it on on machine. Solution: 1.share sk between n machines P 1,...,P n 2.“sign” in a distributed way (without reconstructing sk) see e.g.: Rosario Gennaro, Stanislaw Jarecki, Hugo Krawczyk, Tal Rabin: Robust Threshold DSS Signatures. EUROCRYPT 1996:

59 © 2013 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.

Download ppt "Lecture 14 Multi-party Computation Protocols Stefan Dziembowski www.dziembowski.net MIM UW 25.01.13ver 1.0."

Similar presentations

Efficient Multiparty Protocols via Log-Depth Threshold Formulae Ron Rothblum Weizmann Institute Joint work with Gil Cohen, Ivan Damgard, Yuval Ishai, Jonas.

Efficient Multiparty Protocols via Log-Depth Threshold Formulae Ron Rothblum Weizmann Institute Joint work with Gil Cohen, Ivan Damgard, Yuval Ishai, Jonas.
Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.

Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
1 390-Elliptic Curves and Elliptic Curve Cryptography Michael Karls.

1 390-Elliptic Curves and Elliptic Curve Cryptography Michael Karls.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
Achieving Byzantine Agreement and Broadcast against Rational Adversaries Adam Groce Aishwarya Thiruvengadam Ateeq Sharfuddin CMSC 858F: Algorithmic Game.

Achieving Byzantine Agreement and Broadcast against Rational Adversaries Adam Groce Aishwarya Thiruvengadam Ateeq Sharfuddin CMSC 858F: Algorithmic Game.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.

1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
The Byzantine Generals Problem (M. Pease, R. Shostak, and L. Lamport) 236357 - January 2011 Presentation by Avishay Tal.

The Byzantine Generals Problem (M. Pease, R. Shostak, and L. Lamport) January 2011 Presentation by Avishay Tal.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Similar presentations

Ads by Google