General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.


(and me) Joachim (and Claus)

A general framework (for casting crypto problems)
An m-ary (randomized) functionality (desired process) $F:(\{0,1\}^n)^m \to (\{0,1\}^n)^m$ (where $m \ge 2$ denotes the # of parties).
Parties $P_1, P_2, \dots, P_m$ hold local inputs $x_1, x_2, \dots, x_m$ and obtain local outputs $y_1, y_2, \dots, y_m$, where $(y_1,y_2,\dots,y_m) = F(x_1,x_2,\dots,x_m)$.
Desired solution: delivery of outputs as if the operation was performed by a trusted party.

Secure Multi-Party Computation (Crypto Protocols) A secure protocol obtains the same effect as the operation of a trusted party. Thus, mutually distrustful parties emulate the effect of a trusted party.

On the feasibility of General Secure MPC
Meta-THM: General Secure MPC is possible under a variety of natural assumptions.
- Assuming an honest majority + TDP
- Allowing abort + TDP (i.e., not considering early termination as breach of security) [reflected in the ideal model]
- Assuming a 2/3-majority + private channels.
TDP == Trapdoor Permutations (which exist, e.g., assuming the intractability of factoring integers).

Two-Step construction of General Secure MPC
E.g., assuming an honest majority + TDP
1. Constructing protocols that are secure wrt semi-honest (“honest-but-curious”) adversaries. [“privacy only”]
2. Enforcing semi-honest behavior via ZK proofs (+commit)
Step 2 (enforcing): $T$ = public information (transcript). The Sender (secret input $s$) is supposed to send $y = f(T,s)$ to the Receiver; the message on the wire is $y'$. Idea: provide a ZK proof that $\exists s'$ s.t. $y' = f(T,s')$.

Secure (private) MPC in the semi-honest model.
We assume a TDP (trapdoor permutation). Reduce to deterministic functionalities with same outputs. Let C be a GF(2) circuit for computing the m-ary function.
Idea: The parties propagate shares of the values of all wires in C from the input wires of C to its output wires.
For a gate with input wires $x$, $y$ and output wire $z$, party $i$ holds the shares $x_i, y_i, z_i$, where $x = x_1+x_2+x_3+\dots+x_m$, $y = y_1+y_2+y_3+\dots+y_m$ and $z = z_1+z_2+z_3+\dots+z_m$.

Secure (private) MPC of the gate functionality.
The parties need to propagate shares of the values through each gate. (Shares with subscript $i$ belong to party $i$.) As before, $x = x_1+x_2+x_3+\dots+x_m$, $y = y_1+y_2+y_3+\dots+y_m$ and $z = z_1+z_2+z_3+\dots+z_m$.
Easy case – addition gate: Set $z_i \leftarrow x_i+y_i$ (local computation). Similarly for negation: $z_i \leftarrow x_i+1$ if $i=1$ and $z_i \leftarrow x_i$ o.w.
Hard case – multiplication gate: we wish $z_1+z_2+\dots+z_m = (x_1+x_2+\dots+x_m) \cdot (y_1+y_2+\dots+y_m)$ (use algebra):
$(x_1+x_2+\dots+x_m) \cdot (y_1+y_2+\dots+y_m) = \sum_i x_i y_i + \sum_{i \neq j} (x_i y_j + x_j y_i)$
The first sum is computed locally; the second is computed via 2PC.

Secure 2-PC of s.t.
Recall: General secure MPC “reduces” to secure 2PC of $((x_1,y_1),(y_2,x_2)) \to (z_1,z_2)$, where $(z_1,z_2)$ is random subject to $z_1+z_2 = x_1x_2+y_2y_1$.
- 1st party inputs: $x_1,y_1$; 2nd party inputs: $x_2,y_2$. Outputs: $r$ for the 1st party, $r+x_1x_2+y_1y_2$ for the 2nd.
- 1st party inputs: $x,z$; 2nd party input: $y$. Outputs: nothing for the 1st party, $z+xy$ for the 2nd. In the i-th invocation use inputs $(x_i,r_i)$ and $y_i$, where $r_i$ is a random bit. Each party sets its final output = sum of both intermediate outputs.
- (OT) Sender inputs: $s_0,s_1$; Receiver input: $c$. Outputs: nothing for the Sender, $s_c$ for the Receiver. Sender sets $s_y = z+yx$.
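The share propagation and the reduction of the multiplication gate to OT, run end to end on a small circuit. This is an added example, not code from the talk: all function names, the single-process simulation of the m parties, the ideal `ot` functionality and the sample circuit are assumptions made here. The cross-term sum is taken over unordered pairs of distinct parties.

```python
import secrets
from itertools import combinations

def ot(s0, s1, c):
    # Ideal 1-out-of-2 OT functionality: the receiver with choice bit c learns only s_c.
    return s1 if c else s0

def masked_product(x, y):
    # ((x, z), y) -> (-, z + x*y): the sender picks a random bit z and sets s_y = z + y*x.
    z = secrets.randbits(1)
    return z, ot(z, z ^ x, y)

def share(bit, m):
    # Split a bit into m random shares whose sum over GF(2) is the bit.
    parts = [secrets.randbits(1) for _ in range(m - 1)]
    return parts + [bit ^ (sum(parts) & 1)]

def reconstruct(shares):
    # The wire value is the GF(2) sum (parity) of all shares.
    return sum(shares) & 1

def add_gate(xs, ys):
    # Addition gate: z_i = x_i + y_i, purely local.
    return [x ^ y for x, y in zip(xs, ys)]

def not_gate(xs):
    # Negation: only party 1 flips its share.
    return [xs[0] ^ 1] + xs[1:]

def mul_gate(xs, ys):
    # Multiplication gate: local terms x_i*y_i plus, for each unordered pair
    # of distinct parties, random shares of x_i*y_j + x_j*y_i obtained via OT.
    zs = [x & y for x, y in zip(xs, ys)]
    for i, j in combinations(range(len(xs)), 2):
        r1, t1 = masked_product(xs[i], ys[j])  # t1 = r1 + x_i*y_j
        r2, t2 = masked_product(ys[i], xs[j])  # t2 = r2 + y_i*x_j
        zs[i] ^= r1 ^ r2                       # party i keeps the sum of its masks
        zs[j] ^= t1 ^ t2                       # party j keeps the sum of both outputs
    return zs

def evaluate(a, b, c, m=3):
    # Constructed sample circuit: f(a, b, c) = (a AND b) + NOT c over GF(2).
    sa, sb, sc = share(a, m), share(b, m), share(c, m)
    return reconstruct(add_gate(mul_gate(sa, sb), not_gate(sc)))

if __name__ == "__main__":
    for a, b, c in [(0, 0, 0), (1, 1, 0), (1, 1, 1)]:
        print((a, b, c), "->", evaluate(a, b, c))
```
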

Implementing OT (OT = Oblivious Transfer)
Sender inputs: $s_0,s_1$; Receiver input: $c$. Desired outputs: nothing for the Sender, $s_c$ for the Receiver.
Background: assuming a collection of TDP $\{f_i : D_i \to D_i\}$
- Sender: selects an index $i$.
- Receiver: selects $x_c, y_{1-c} \in D_i$, computes $y_c = f_i(x_c)$, and sends $y_0, y_1$.
- Sender: finds the $f_i$-preimages of both, $z_0, z_1$, and sends $b(z_0)+s_0$, $b(z_1)+s_1$.
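The OT message flow above, written out with both sides' steps. This is an added example, not code from the talk. It assumes a toy RSA instance (constructed, insecurely small primes) as the trapdoor permutation and the least significant bit as the predicate b. The receiver's final unmasking step is spelled out here as the standard completion of the exchange, and all function names are hypothetical.

```python
import secrets
from math import gcd

# Constructed toy RSA instance standing in for f_i over D_i = Z_N^*;
# the primes are far too small for real use.
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # trapdoor, known to the sender only

def f(x):
    # f_i: computable by anyone who knows the index (N, E).
    return pow(x, E, N)

def f_inv(y):
    # Inverting f_i requires the trapdoor D.
    return pow(y, D, N)

def b(z):
    # Predicate b, taken here to be the least significant bit (assumption).
    return z & 1

def sample_domain():
    # Uniform element of Z_N^*.
    while True:
        x = secrets.randbelow(N - 1) + 1
        if gcd(x, N) == 1:
            return x

def receiver_round1(c):
    # Select x_c and y_{1-c} in D_i, compute y_c = f_i(x_c), send (y_0, y_1).
    x_c = sample_domain()
    ys = [None, None]
    ys[c], ys[1 - c] = f(x_c), sample_domain()
    return x_c, tuple(ys)

def sender_round2(s0, s1, ys):
    # Find the preimages z_0, z_1 and send b(z_0)+s_0, b(z_1)+s_1.
    z0, z1 = f_inv(ys[0]), f_inv(ys[1])
    return b(z0) ^ s0, b(z1) ^ s1

def receiver_output(c, x_c, masked):
    # z_c = x_c, so the receiver strips b(x_c) from the c-th message.
    return masked[c] ^ b(x_c)

def run_ot(s0, s1, c):
    x_c, ys = receiver_round1(c)
    masked = sender_round2(s0, s1, ys)
    return receiver_output(c, x_c, masked)
```

Privacy of $s_{1-c}$ here relies on the receiver sampling $y_{1-c}$ as prescribed, which is the semi-honest model the slides assume; Step 2 of the two-step construction is what enforces that behavior.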

Conclusion: General Secure MPC is feasible
Meta-THM: General Secure MPC (i.e., secure emulation of trusted parties) is possible under a variety of natural assumptions.
- MPC for an honest majority, assuming TDP.
- Similar ideas (+more) yield MPC w/o honest majority, but when “allowing abort” (i.e., not considering early termination as breach of security). (Also assuming TDP.)
- Assuming a 2/3-majority + private channels.

The End The slides of this talk are available at A related survey is available at

Zero-Knowledge Proofs A secure protocol (i.e., ZK proof) obtains the same effect as the operation of a trusted party. Thus, mutually distrustful parties emulate the effect of a trusted party.

Secure 2-PC of the Inner Product mod 2 of two vectors
Recall: General secure MPC “reduces” to secure 2PC of the inner product mod 2 of two input vectors held by the two parties. (For us n=2 suffices.)
- 1st party inputs: $x_1,\dots,x_n$; 2nd party inputs: $y_1,\dots,y_n$. Outputs: $r$ for the 1st party, $r+\sum_i x_i y_i$ for the 2nd.
- 1st party inputs: $x,z$; 2nd party input: $y$. Outputs: nothing for the 1st party, $z+xy$ for the 2nd. In the i-th invocation use inputs $(x_i,r_i)$ and $y_i$, where $r_i$ is a random bit. Final output = sum of all n outputs.
- (OT) Sender inputs: $s_0,s_1$; Receiver input: $c$. Outputs: nothing for the Sender, $s_c$ for the Receiver.