Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Computation with Minimal Interaction, Revisited Yuval Ishai (Technion) Ranjit Kumaresan (MIT) Eyal Kushilevitz (Technion) Anat Paskin-Cherniavsky.

Published bySheryl Warren Modified over 8 years ago

Similar presentations

Presentation on theme: "Secure Computation with Minimal Interaction, Revisited Yuval Ishai (Technion) Ranjit Kumaresan (MIT) Eyal Kushilevitz (Technion) Anat Paskin-Cherniavsky."— Presentation transcript:

1 Secure Computation with Minimal Interaction, Revisited Yuval Ishai (Technion) Ranjit Kumaresan (MIT) Eyal Kushilevitz (Technion) Anat Paskin-Cherniavsky (Ariel)

2 Secure Multiparty Computation IDEAL Parties submit inputs Parties get back outputs IDEAL  REAL Done by MPC [Yao86,GMW87,…] … lose the “minimal” structure Broadcast requires ≥ 2 rounds Even with broadcast, 3 rounds necessary when t ≥ 2 [GIKR02]

3 This Talk Why n = 3, n = 4? Why t = 1? Typically small number of parties More than 1 corruption unlikely E.g.: sharemind, danish beet Redundancy  recoverability Why 2 rounds? Revisit question of MPC in 2 rounds Specifically, n = 3 and n = 4 cases –Tolerating t = 1 malicious corruption –Minimal setting: no broadcast, no set up n = 2: 5-round lower bound [KO04] n ≥ 5 : 2-round [IKP10] – Guaranteed output delivery – No broadcast, no set up 3-round lower bound for t > 1 [GIKR02] Minimal structure MPC impossible in 1 round

4 Prior Work: 3-party Prior Work: 4-party Broadcast impossible for t = 1; need computational assumptions LWE+PKE/iO+CRS  2-round MPC for t < n/2 [GGHR14, AJL + 12,GLS15,MW15] 2-round perfect SFE impossible [GIKR02] 2-round SFE with “selective abort” security [IKP10] Statistical VSS: – 1-round sharing, 2-round reconstruction [PCRR09] – 2-round sharing, 1-round reconstruction [Agr12] LWE + PKE / iO + CRS  2-round MPC for t < n/2 2-round general SFE in preprocessing model [IKMOP13] – Correlated randomness size = Exponential in input size

5 Our Results: 3-party Our Results: 4-party All +ve results previously unknown even with broadcast channel 2-round, no broadcast, no set up, t =1 malicious corruption General SFE with “selective abort” security – Adv can selectively deny output to individual parties – Blackbox PRG, stat. security for NC1 Concrete efficiency comparable to semihonest Yao 2-round, no broadcast, no set up, t = 1 malicious corruption Statistical VSS (implies 2-round coin tossing, simultaneous broadcast) – 1 round sharing, 1 round reconstruction Statistical Linear Function Evaluation with guaranteed output delivery – Impossibility for general SFE; even with broadcast; even with non-rushing adv Computational General SFE with guaranteed output delivery – Assumption: one-to-one one-way functions General SFE in preprocessing model with guaranteed output delivery – Correlated randomness = O(input size); Blackbox PRG, stat. security for NC1

6 Talk Outline –Tools: PSM, secret sharing –3-party “security with selective abort” –4-party statistical VSS –4-party linear function evaluation –4-party impossibility of statistical SFE –4-party computational SFE –4-party statistical SFE in preprocessing model

7 Private Simultaneous Messages Secret Sharing Shared randomness PSM [FKN94] Multiple “clients” sharing randomness Single “referee” gets one message from each client Referee learns only f(x,y) Simple PSM protocol via “garbled circuits”: – Randomness defines GC/GC input keys – Client mesg = GC + input keys based on client input – Keys validated via authentication (MAC/Hash) – Referee rejects if GC’s don’t match or keys invalid – Else evaluates GC to learn f(x,y) xy f(x, y) 1-private 3-party CNF sharing Secret s  s1 + s2 + s3 Shares: (s2, s3), (s3, s1), (s1, s2) Pairs of shares have common values Additive sharing 2-out-of-2 sharing Secret s  s1 + s2 Shares: s1, s2 Efficient extendability: Given secret & one share, possible to compute other shares

8 Talk Outline –Tools: PSM, secret sharing –3-party “security with selective abort” –4-party statistical VSS –4-party linear function evaluation –4-party impossibility of statistical SFE –4-party computational SFE –4-party statistical SFE in preprocessing model

9 2-Round 3-Party Protocol with Selective Abort Security PSM protocol reconstructs inputs – Joint view of pairs of parties defines inputs Evaluates f on reconstructed inputs Insecure against malicious adversary – Selective Abort – Inconsistent inputs (next slide) PSM protocol messages Round 2 Selective Abort: Blue PSM aborted Round 2 PSM shared randomnessAdditive input sharing Round 1

10 2-Round 3-Party Protocol with Selective Abort Security Round 1Round 2 PSM messages corresponding to y ≠ x Additive sharing of x Inconsistent inputs attack Blue, Red PSM evaluate f on y Green PSM evaluates f on x Honest parties accept “wrong output” View Reconstruction Trick PSM reconstructs secret share of PSM client input “ought to be held” by PSM referee (in addition to eval. f) Accept output only if reconstructed share matches distributed share Stat. security for NC1; Comp. security with blackbox PRG

11 Talk Outline –Tools: PSM, secret sharing –3-party “security with selective abort” –4-party statistical VSS –4-party linear function evaluation –4-party impossibility of statistical SFE –4-party computational SFE –4-party statistical SFE in preprocessing model

12 Verifiable Secret Sharing Sharing Privacy: dealer input secret hidden from adv Commitment: unique secret defined at end of sharing is reconstructed Correctness: unique secret equals honest dealer’s input Reconstruction Naïve VSS Sharing: 1-private 3-party CNF  Parties share common value Recon.: Broadcast shares  Defines “inconsistency graphs” CNF sharing Secret s  s1 + s2 + s3 Shares: (s2, s3), (s3, s1), (s1, s2) Inconsistent CNF shares Consistent CNF shares

13 No edge 3 edges 2 edges 1 edge Sharing Broadcast

14 Protocol Idea: Cut & choose + MAC Trick Dealer sends k MACs to “disputed” parties (+ CNF shares) “Undisputed party” gets k MAC keys from dealer – Sends random k/2 keys to a “disputed party” (priv. channels) – Sends all k MAC keys to the other (priv. channels) Decision for “disputed parties”: Compute ‘VOTES’ – Self: all k/2 MACs pass – Other: all k/2 MACs pass +at least 1 of remaining k/2 MACs pass Both/No VOTE: discard dealer; else choose winning share Analysis Honest dealer/Bad party: – No VOTE without forging 1 of unknown k/2 MAC for bad share – Honest “disputed party” always gets VOTE Bad dealer: – Unanimous agreement on VOTES except with negl(k) prob. Stat. 4-party VSS in 2 rounds

15 Talk Outline –Tools: PSM, secret sharing –3-party “security with selective abort” –4-party statistical VSS –4-party linear function evaluation –4-party impossibility of statistical SFE –4-party computational SFE –4-party statistical SFE in preprocessing model

16 2-Round 4-Party Statistical Linear Function Evaluation Round 1 Same as VSS: CNF Sharing + MAC distribution Extract “0” Simulation Extraction 3 edges No edge 2 edges 1 edge Protocol Ideas: PSM + View Reconstruction Trick Private evaluation of function Inconsistency graphs – Challenge: different parties hold different versions Exploit linearity to force parties’ output to be consistent with extracted input Resolvable Exactly one disputed party gets VOTE – Extract: input reconstructed using value got from winning share Identifiable Both/None get VOTE – Input reconstructed using value got from xoring both losing shares

17 Talk Outline –Tools: PSM, secret sharing –3-party “security with selective abort” –4-party statistical VSS –4-party linear function evaluation –4-party impossibility of statistical SFE –4-party computational SFE –4-party statistical SFE in preprocessing model

18 y_0, y_1 b Compute output based on these messages only; Output = y_0 Compute output based on these messages only; Output = y_1 y_0, y_1 b Impossibility for 4-party stat. nonlinear function evaluation Message consistent with b = 0 Message consistent with b = 1 Sampling possible Privacy: message does not reveal b Comp. unbounded adv can sample such pairwise consistent messages y_0, y_1 b Attack obtains both outputs Guaranteed output delivery: output can be computed even if “adversary” aborts Not simulatable in the IDEAL world!

19 Talk Outline –Tools: PSM, secret sharing –3-party “security with selective abort” –4-party statistical VSS –4-party linear function evaluation –4-party impossibility of statistical SFE –4-party computational SFE –4-party statistical SFE in preprocessing model

20 2-Round 4-Party Computational SFE Round 1Round 2 Broadcast com(b)Secret share decommitment y_0, y_1 b b b Binding  Pairwise messages cannot be consistent with both b = 0 and b = 1 Pairwise PSM evaluates function BUT delivers output only if reconstructed decommitment (from shares) opens com(b) Guaranteeing output delivery via View Reconstruction Trick  --One honest pair might hold valid decommitment, other honest pairs might not  --Adversary aborts in the 2 nd round; does not deliver any messages  IDEA: PSM also reconstructs views that ought to be held by PSM referee

21 Talk Outline –Tools: PSM, secret sharing –3-party “security with selective abort” –4-party statistical VSS –4-party linear function evaluation –4-party impossibility of statistical SFE –4-party computational SFE –4-party statistical SFE in preprocessing model

22 2-Round 4-Party Stat. SFE in Preprocessing Model r 2, s 1, s 3, s 4 r 4, s 1, s 2, s 3 r 3, s 1, s 2, s 4 r 1, s 2, s 3, s 4 Correlated Randomness Random pad for each party CNF share each random pad Round 1 Broadcast masked input Set pairwise PSM rand Round 2 Pairwise PSM messages for function: Checks if masked inputs match Check consistency of CNF shares of randomness Unmask within PSM to get true inputs Evaluate function on true inputs Compute CNF share “ought to be held” by PSM ref Output accepted if reconstructed CNF share matches

23 Conclusions –2 rounds, no broadcast or set up –Tools: PSM, secret sharing –3-party stat. “selective abort” security –4-party statistical VSS –4-party stat. linear function evaluation –4-party impossibility of statistical SFE –4-party computational SFE (1-1 owf) –4-party statistical SFE in preprocessing model Thank You!

Download ppt "Secure Computation with Minimal Interaction, Revisited Yuval Ishai (Technion) Ranjit Kumaresan (MIT) Eyal Kushilevitz (Technion) Anat Paskin-Cherniavsky."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Secret Sharing Protocols [Sha79,Bla79]

Secret Sharing Protocols [Sha79,Bla79]
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
On Fair Exchange, Fair Coins and Fair Sampling Shashank Agrawal, Manoj Prabhakaran University of Illinois at Urbana-Champaign.

On Fair Exchange, Fair Coins and Fair Sampling Shashank Agrawal, Manoj Prabhakaran University of Illinois at Urbana-Champaign.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Similar presentations

Ads by Google