Lower bounds for Unconditionally Secure MPC Ivan Damgård Jesper Buus Nielsen Antigoni Polychroniadou Aarhus University.

Slides:

Advertisements

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Advertisements

1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.

The Complexity of Agreement A 100% Quantum-Free Talk Scott Aaronson MIT.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

Circuit and Communication Complexity. Karchmer – Wigderson Games Given The communication game G f : Alice getss.t. f(x)=1 Bob getss.t. f(y)=0 Goal: Find.

Secure Evaluation of Multivariate Polynomials

Locally Decodable Codes from Nice Subsets of Finite Fields and Prime Factors of Mersenne Numbers Kiran Kedlaya Sergey Yekhanin MIT Microsoft Research.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Uniqueness of Optimal Mod 3 Circuits for Parity Frederic Green Amitabha Roy Frederic Green Amitabha Roy Clark University Akamai Clark University Akamai.

Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Achieving Byzantine Agreement and Broadcast against Rational Adversaries Adam Groce Aishwarya Thiruvengadam Ateeq Sharfuddin CMSC 858F: Algorithmic Game.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

COVERT MULTI-PARTY COMPUTATION YINMENG ZHANG ALADDIN REU 2005 LUIS VON AHN MANUEL BLUM.

Great Theoretical Ideas in Computer Science.

The Communication Complexity of Coalition Formation Among Autonomous Agents A. D. Procaccia & J. S. Rosenschein.

Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.

Oblivious Transfer based on the McEliece Assumptions

Secure Multi-party Computations (MPC) A useful tool to cryptographic applications Vassilis Zikas.

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.

Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In.

Adaptively Secure Broadcast, Revisited

COMPSCI 102 Introduction to Discrete Mathematics.

Secure Computation of the k’th Ranked Element Gagan Aggarwal Stanford University Joint work with Nina Mishra and Benny Pinkas, HP Labs.

7 Graph 7.1 Even and Odd Degrees.

Provable Unlinkability Against Traffic Analysis Amnon Ta-Shma Joint work with Ron Berman and Amos Fiat School of Computer Science, Tel-Aviv University.

Saving peace in Europe Using MPC Carsten Baum Aarhus University.

Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.

Preference elicitation Communicational Burden by Nisan, Segal, Lahaie and Parkes October 27th, 2004 Jella Pfeiffer.

Welcome to to Autumn School! Some practical issues.

Privacy-Preserving Credit Checking Keith Frikken, Mikhail Atallah, and Chen Zhang Purdue University June 7, 2005.

On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.

On the Cost of Reconstructing a Secret, or VSS with Optimal Reconstruction Phase Ronald Cramer, Ivan Damgard, Serge Fehr.

Linkability of Some Blind Signature Schemes Swee-Huay Heng 1, Wun-She Yap 1 Khoongming Khoo 2 1 Multimedia University, 2 DSO National Laboratories.

1 Information Security – Theory vs. Reality , Winter Lecture 10: Garbled circuits and obfuscation Eran Tromer Slides credit: Boaz.

Rational Cryptography Some Recent Results Jonathan Katz University of Maryland.

Secure Computation (Lecture 2) Arpita Patra. Vishwaroop of MPC.

On the Cryptographic Complexity of the Worst Functions Amos Beimel (BGU) Yuval Ishai (Technion) Ranjit Kumaresan (Technion) Eyal Kushilevitz (Technion)

FHE Introduction Nigel Smart Avoncrypt 2015.

Umans Complexity Theory Lectures Lecture 7b: Randomization in Communication Complexity.

Lecture 14 Multi-party Computation Protocols Stefan Dziembowski MIM UW ver 1.0.

Secure Computation Lecture Arpita Patra. Recap > Shamir Secret-sharing > BGW Protocol based on secret-sharing > Offline/Online phase > Creating.

Secure Computation (Lecture 9-10) Arpita Patra. Recap >> MPC with honest majority in i.t. settings > Protocol using (n,t)-sharing, proof of security---

Round-Efficient Multi-Party Computation in Point-to-Point Networks Jonathan Katz Chiu-Yuen Koo University of Maryland.

Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.

1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.

Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.

The Exact Round Complexity of Secure Computation

The Exact Round Complexity of Secure Computation

Information Complexity Lower Bounds

Committed MPC Multiparty Computation from Homomorphic Commitments

Topic 14: Random Oracle Model, Hashing Applications

Cryptography for Quantum Computers

How to Delegate Computations: The Power of No-Signaling Proofs

Limits of Practical Sublinear Secure Computation

Presentation transcript:

Lower bounds for Unconditionally Secure MPC Ivan Damgård Jesper Buus Nielsen Antigoni Polychroniadou Aarhus University.

Unconditionally Secure MPC Protocols (GMW, SPDZ,..) They are great: Computationally much more efficient than, say, FHE based stuff. But they’re not so great: They need lots of interaction Rounds: Ω(CircuitDepth) Communication: Ω(n CircuitSize) - If you want to be efficient in the circuit size

The Really Hard Problem Can we improve this significantly? The FHE of unconditional security? We don’t know, but we have some partial answers..

Message Complexity How many messages do you need to send to compute a non-trivial function securely? (such as the AND of one bit from each player). Related to, but not the same as round complexity. If protocol sometimes but not always sends a message in given time slot, should we always charge for that time slot? (the absence of a message is also a signal). We will only charge the protocol for messages actually sent (lower bounds are stronger this way).

The Result n players, t semi-honest corruptions: must send Ω(nt) messages (stay tuned for more precise version) In particular, n=3, t=1, compute the AND of 3 input bits: 6 messages are necessary. Also sufficient (based on PSM [IK97]).

Intuition for lower bound Any player must communicate with at least t+1 players before his input becomes determined... and must later receive another message to be able to compute the result. So for each player we count (t+1)+2 sends or receives, hence at least n(t+3)/2 messages. Can be formalized, resulting in almost this: ceiling(n(t+3)-1)/2) This is exactly tight for t=1 and functions in det. log- space (positive result based on PSM).

What about number of rounds? Seems hard in general, but let’s see if some of the players can be lazy: get away with only 1 round. n=3t+1 players, t malicious corruptions. Can construct general protocol where up to t players can be lazy. At most t players can be lazy. Similar result for semi-honest - follows from message complexity bound.

Gate by Gate Protocols Bounding communication and rounds needed in general seems hard. But maybe we can bound it for the gate-by-gate protocols we use all the time. Known protocols: in the worst case, communication is Ω(n CircuitSize), rounds Ω(CircuitDepth). Question: is this optimal for gate-by-gate protocols (both honest majority and dishonest majority with preprocessing)?

Warm-up: Honest Majority A gate-by-gate protocol is one that handles a multiplication gate using a multiplication gate protocol: takes two sets of shares (of a and b in some field), returns shares of ab – perhaps in different secret sharing scheme, but same threshold t as for inputs. Further, revealing the output shares reveals nothing more than ab. Claim: any multiplication gate protocol must send at least t messages. If not, 2-party unconditionally secure protocol for computing the product would follow..

Alice a Bob b Shares of input Shares of ab

And so.. Any gate-by-gate protocol must (for a worst case circuit) have communication Ω(n CircuitSize), rounds Ω(CircuitDepth). But what if circuit is nice and allows many multiplications in parallel? We know optimizations using packed secret sharing....but only if number of players grows with number of parallel multiplications. OPEN: for a constant number of players, show that multiplication gate protocol for u multiplications must have communication Ω(u).

Solution for computational complexity Say n=2t+1, passive security. Assume mult.gate prot. that does u mults where some player P does o(u) local mults. Construct 2-party protocol for the preprocessing model: Alice emulates t players, Bob emulates another t, and we emulate P using preprocessed data and e.g. SPDZ. Can compute u products securely using o(u) preprocessed data. Contradiction with lower bounds by [Winkler and Wullschleger, Crypto 11]. Generalizes to show that packed SS methods are optimal up to constant factor.

Dishonest Majority, Preprocessing Previous argument that multiplication protocols need to communicate a lot breaks down. But we have lower bounds on the amount of preprocessed data (e.g. Winkler and Wullschleger). Can obtain same result as before: we show that a multiplication gate protocol that does not communicate enough implies a protocol that is too good to be true according to W&W.

Conclusion Even with preprocessing, gate-by-gate protocols require Ω(n CircuitSize) communication (and hence work) and Ω(CircuitDepth) rounds So to really improve GMW, SPDZ, TinyOT and the like, need a fundamentally different approach. Open: do these bounds hold for any protocol (with unconditional security and efficient in circuit size of function)? - Computation – I conjecture yes - Communication - ??

Thanks! Postdoc and PhD positions for studying theory and practice of MPC available in Aarhus (supported by ERC grant MPCPRO) – from October 1.