Multi-Party Computation: n parties P_1,…,P_n; P_i has input s_i; parties want to compute f(s_1,…,s_n) together; P_i doesn’t want any information.

Presentation transcript:

Multi-Party Computation
- n parties: P_1,…,P_n
  - P_i has input s_i
  - Parties want to compute f(s_1,…,s_n) together
  - P_i doesn’t want any information to leak about s_i
- Flavors
  - Information-theoretic vs. computational
  - Semi-honest vs. malicious
  - Who gets the output?
- Measures
  - Time, communication, memory
  - Size of adversary’s coalition

MPC results
- Describe the computed function as a circuit
  - Logic gates (binary) or algebraic gates (addition and multiplication over a field)
- Information-theoretic privacy
  - Semi-honest adversary – coalition of t<n/2
  - Malicious adversary – coalition of t<n/3
- Computational privacy
  - Semi-honest adversary – coalition of t<n
  - Malicious adversary – coalition of t<n/2
- Complexity of all – proportional to circuit size

Information-Theoretic MPC
- [BGW88]
- We show the protocol for the semi-honest case
- Algebraic circuit over field F, |F|>n
- Each party distributes shares of its input using Shamir secret sharing
- Addition gates are computed locally
- Multiplication gates cause a degree problem

Changing the threshold
- Can the agents change the threshold without the dealer?
- Increasing the threshold (degree)
  - Easy, distribute shares of a_k x^k for k ≥ t+1
- Reducing the threshold
  - We will look at reducing the degree from 2t to t
- Let S=(s_1,…,s_n) be shares of a degree 2t polynomial – h(x)=a_0+a_1 x+…+a_{2t} x^{2t}
- Let k(x)=a_0+a_1 x+…+a_t x^t
- Let s_i=h(x_i), let r_i=k(x_i)
- Let R=(r_1,…,r_n)

Reducing the degree
- The parties currently have S. However, they would like to have R
- There is a constant matrix A such that R=AS.
- Let H be an n-vector (a_0,…,a_{2t},0,…,0) and K be an n-vector K=(a_0,…,a_t,0,…,0)
- Let P be the linear projection P(x_0,…,x_{n-1})=(x_0,…,x_t,0,…,0) (P is a matrix)
- Let V be the Vandermonde matrix (non-singular)
  - HV=S (evaluating polynomials) => H=SV^{-1}
  - HP=K => SV^{-1}P=K
  - KV=R => S(V^{-1}PV)=R
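The degree reduction above, as an added worked example (not part of the original slides): two Shamir sharings are multiplied share by share, giving shares S of a degree-2t polynomial, and the constant matrix V^{-1}PV maps them to shares R of the truncated degree-t polynomial with the same constant term. The prime modulus, the evaluation points x_i = 1..n and all function names are assumptions; the matrix is applied in the clear here only to check the algebra, using the row-vector convention of HV=S.

```python
import random

P_MOD = 2**31 - 1  # prime field F with |F| > n (constructed choice)

def mat_inv(M):  # Gauss-Jordan inversion over F_p
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next(r for r in range(c, n) if A[r][c])
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], -1, P_MOD)
        A[c] = [v * inv % P_MOD for v in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                f = A[r][c]
                A[r] = [(v - f * w) % P_MOD for v, w in zip(A[r], A[c])]
    return [row[n:] for row in A]

def mat_mul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) % P_MOD for col in zip(*Y)] for row in X]

def reduction_matrix(xs, t):  # V^{-1} P V, so that S (V^{-1} P V) = R
    n = len(xs)
    V = [[pow(x, i, P_MOD) for x in xs] for i in range(n)]  # V[i][j] = x_j^i, hence HV = S
    proj = [[int(i == j and i <= t) for j in range(n)] for i in range(n)]  # keeps a_0..a_t
    return mat_mul(mat_mul(mat_inv(V), proj), V)

def share(secret, deg, xs):  # Shamir shares of a random degree-deg polynomial
    coeffs = [secret] + [random.randrange(P_MOD) for _ in range(deg)]
    return [sum(c * pow(x, i, P_MOD) for i, c in enumerate(coeffs)) % P_MOD for x in xs]

def reconstruct(points):  # Lagrange interpolation at x = 0
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * -xj % P_MOD
                den = den * (xi - xj) % P_MOD
        total = (total + yi * num * pow(den, -1, P_MOD)) % P_MOD
    return total

def demo(n=5, t=2, a=6, b=7):
    xs = list(range(1, n + 1))
    S = [u * v % P_MOD for u, v in zip(share(a, t, xs), share(b, t, xs))]  # degree 2t
    R = mat_mul([S], reduction_matrix(xs, t))[0]                           # degree t
    return reconstruct(list(zip(xs, R))[: t + 1]), reconstruct(list(zip(xs, S)))
```

After the reduction any t+1 shares of R recover the product a·b, whereas S needs 2t+1 shares.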

Oblivious Transfer I
- Definition
  - Alice holds two bits x_0, x_1
  - Bob holds single bit b
  - At end of protocol Bob learns x_b and Alice learns nothing new
- Attempt I
  - Alice chooses private/public key pair, sends public key to Bob
  - Bob chooses random plaintext s_b and random ciphertext r_{1-b}. Let r_b=E(s_b) and Bob sends r_b and r_{1-b} to Alice
  - Let B be a hardcore bit of the encryption
  - Alice returns z_0, z_1, where z_b=x_b+B(s_b)

Oblivious Transfer II
- Attempt II
  - Alice chooses two RSA key pairs, with public keys,, and sends public keys to Bob.
  - Bob chooses random plaintext s and sends r_b=s^{e_b} mod n_b to Alice.
  - Alice decrypts with both keys and obtains s_0, s_1
  - Let B be a hardcore bit of the encryption
  - Alice returns z_0, z_1, where z_b=x_b+B(s_b)
- Problem – key length
- The way to do it
  - Change attempt II so that encryption by both public keys gives the same distribution

Oblivious Transfer III
- Possible candidate
  - El-Gamal encryption with p, g and two public keys g^{a_0} mod p and g^{a_1} mod p
  - Bob has to check that two keys give the same distribution:
    - Alice sends factoring of p-1
    - Bob checks for each factor k that (g^{a_0})^{(p-1)/k} ≠ 1 mod p
- Example – Oblivious transfer of long strings, i.e. x_0, x_1 ∈ {0,1}^n

SFE / 2-Party MPC
- Definition
  - Alice has input x
  - Bob has input y
  - They both know a function f of two inputs
  - They want to compute f(x,y) without leaking information about input
  - Note: information may be inherently leaked by output (e.g. OR function).
- Computation on a circuit
- Any function can be computed
- No memory

Garbled gate
- Let G be logic gate, e.g. OR, AND, XOR
  - G has two input bits – four possible input pairs
  - G has one output bit
- Assume Alice has one input x and Bob has one input y
- Alice prepares four keys k_x, for x=0,1 and k_y for y=0,1
- Alice encrypts G(x,y) with k_x and k_y
- Alice sends to Bob
  - Encrypted possible gate values after permutation
  - k_x

Garbled gate (cont.)
- Bob gets k_y from Alice using oblivious transfer
- Bob can decrypt G(x,y) and nothing else
- Complexity
  - Four encryptions per gate – can be done before input is known
  - Oblivious transfer

Garbled Circuit
- Link garbled gates
- Output of garbled gate is a key (two keys, one for output=0, one for output=1)
- Each of the four entries in the garbled gate encrypts a key associated with the correct output
- Terminal gates encrypt values instead of keys
- Alice sends to Bob all garbled gates and keys replacing its input
- Bob uses oblivious transfer to obtain the keys that match his inputs
- Bob computes keys all the way to the output
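A two-gate garbled circuit for (x AND y) OR z, as an added example (not code from the original slides): the AND gate's four entries encrypt keys of the intermediate wire, and the terminal OR gate encrypts values. The hash-based double-key encryption with a zero tag is a toy stand-in, the oblivious transfer is replaced by a direct lookup, and all names are assumptions.

```python
import hashlib
import secrets

def enc(ka, kb, payload):
    # Toy double-key encryption: XOR with SHA-256(ka || kb); 16 zero bytes act as a validity tag.
    pad = hashlib.sha256(ka + kb).digest()
    return bytes(p ^ d for p, d in zip(pad, payload + bytes(16)))

def dec(ka, kb, ct):
    pad = hashlib.sha256(ka + kb).digest()
    data = bytes(p ^ c for p, c in zip(pad, ct))
    return data[:16] if data[16:] == bytes(16) else None  # None: wrong key pair

def new_wire():
    # Two random 16-byte keys per wire: index 0 for bit 0, index 1 for bit 1.
    return [secrets.token_bytes(16), secrets.token_bytes(16)]

def garble(gate, wa, wb, out):
    # Four entries, each encrypting the output key (or value) for one input pair, then permuted.
    rows = [enc(wa[a], wb[b], out[gate(a, b)]) for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(rows)
    return rows

def evaluate(rows, ka, kb):
    # Bob holds one key per input wire, so exactly one entry decrypts with a valid tag.
    hits = [p for p in (dec(ka, kb, r) for r in rows) if p is not None]
    if len(hits) != 1:
        raise ValueError("expected exactly one decryptable entry")
    return hits[0]

def run_circuit(x, y, z):
    # Alice's side: x is her input; y and z are Bob's inputs.
    wx, wy, wz, wmid = new_wire(), new_wire(), new_wire(), new_wire()
    final = [bytes(15) + bytes([v]) for v in (0, 1)]    # terminal gate encrypts values
    g_and = garble(lambda a, b: a & b, wx, wy, wmid)    # output is a key of wire wmid
    g_or = garble(lambda a, b: a | b, wmid, wz, final)
    kx = wx[x]                                          # key replacing Alice's input
    ky, kz = wy[y], wz[z]                               # stand-in for two oblivious transfers
    # Bob's side: he sees only g_and, g_or, kx, ky, kz.
    mid = evaluate(g_and, kx, ky)
    return evaluate(g_or, mid, kz)[-1]
```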

Cut and choose
- Alice may provide the wrong garbled circuit
  - Example: instead of G(x, y)= x OR y, G(x, y)=y
- Origin of cut and choose in cakes
- Solution
  - Alice provides n garbled circuits to Bob
  - Bob randomly chooses one
  - Alice reveals all the other garbled circuits by mapping keys to inputs.
- Alice can cheat with probability 1/n

Additions
- Universal circuits
- Proving that a protocol is secure
  - Ideal world vs. real-world
- Homomorphic encryption