Multi-Party Proofs and Computation Based in part on materials from Cornell class CS 4830.

Interactive Proofs A prover must convince a verifier that some statement is true. Typically the prover is thought of as all-powerful, while the verifier has limited computational ability. The verifier doesn’t trust the prover.

Sudoku How can the prover convince the verifier that this puzzle has a solution?

Interactive Proof Prover shows the verifier a solution. Verifier checks every row, column, 3x3 box.

Pepsi Challenge Professor Maggs claims that he can distinguish Pepsi from Coke without ever making an error. How can this claim be verified?

Experiment: Boyang: Randomly decides (with equal probability) on Coke or Pepsi and hands the professor a glass containing the chosen drink. Professor: Takes a sip of the drink and pronounces “Coke” or “Pepsi”. Boyang: Notes whether the pronouncement was correct, and repeats.

Verifying the Claim Suppose that the professor can actually only tell the difference between Coke and Pepsi with probability p. After t trials, the probability that the professor gets the answer correct every time is p^t. Example: for p = 0.9 and t = 100, p^t <

Zero-Knowledge Proof Prover wants to convince verifier that some statement is true, without revealing anything about the proof. Rewording: prover wants to convince verifier that prover knows a solution to a problem without revealing any information about the solution.

Hamilton Path A graph has a Hamilton path if there is a path through the graph that visits every vertex exactly once.

Zero-Knowledge Proof Prover: 1. Draw the graph on a piece of cardboard with vertices positioned at random places. Vertices are unnumbered. 2. Cover the drawing with scratch-off paint. 3. Give the cardboard to the verifier.

Verification The verifier flips an unbiased random coin, then based on the outcome asks the prover to do one of two things: 1: Reveal the numbers of the vertices. The verifier then checks that the drawn graph is the correct one. 2: Reveal the Hamilton path (without revealing the numbers of the vertices). The verifier then knows that the drawn graph is Hamiltonian. If the graph is Hamiltonian, the prover always succeeds. If the graph is not Hamiltonian, the prover fails with probability ½.
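The cardboard-and-scratch-off protocol above, as an added simulation that is not part of the slides. Hash commitments with random nonces play the role of the paint; the graph, its Hamilton path and the function names are constructed for this example. Challenge 0 opens the relabelling and every cell so the verifier can compare the drawing with the real graph; challenge 1 opens only the cells along the path, and the verifier checks that those opened cells are all edges and form a single path through all n vertices (a degree count alone would accept a short path plus a disjoint cycle, so the check walks the path).

```python
import hashlib
import os
import random

# Constructed example (not from the slides): a 5-vertex graph containing the
# Hamilton path 0-1-2-3-4 plus two extra edges.
N = 5
GRAPH_EDGES = {(0, 1), (1, 2), (2, 3), (3, 4), (0, 2), (1, 4)}
HAMILTON_PATH = [0, 1, 2, 3, 4]

def norm(u, v):
    """Unordered edge key."""
    return (u, v) if u < v else (v, u)

def commit(value):
    """The scratch-off paint: a hash commitment with a fresh random nonce."""
    nonce = os.urandom(16)
    return hashlib.sha256(nonce + value.encode()).hexdigest(), nonce

def opens_to(digest, nonce, value):
    return digest is not None and hashlib.sha256(nonce + value.encode()).hexdigest() == digest

def prover_commit(edges, n, rng):
    """Steps 1-3: redraw the graph under a random relabelling of the vertices and
    commit to every vertex pair (edge or non-edge) and to the relabelling itself."""
    perm = list(range(n))
    rng.shuffle(perm)                      # perm[i] = new label of original vertex i
    board, secret = {}, {"perm": perm, "cells": {}}
    for i in range(n):
        for j in range(i + 1, n):
            cell = norm(perm[i], perm[j])
            bit = "1" if (i, j) in edges else "0"
            board[cell], nonce = commit(bit)
            secret["cells"][cell] = (nonce, bit)
    board["perm"], secret["perm_nonce"] = commit(",".join(map(str, perm)))
    return board, secret                   # the verifier only ever sees `board`

def prover_respond(challenge, secret, path):
    if challenge == 0:                     # reveal the vertex numbers (and every cell)
        return {"perm": secret["perm"], "perm_nonce": secret["perm_nonce"],
                "cells": secret["cells"]}
    perm = secret["perm"]                  # reveal only the cells along the path
    cells = {}
    for a, b in zip(path, path[1:]):
        cell = norm(perm[a], perm[b])
        cells[cell] = secret["cells"][cell]
    return {"cells": cells}

def verifier_check(challenge, board, resp, edges, n):
    if challenge == 0:                     # is the committed drawing the real graph?
        perm = resp["perm"]
        if sorted(perm) != list(range(n)):
            return False
        if not opens_to(board.get("perm"), resp["perm_nonce"], ",".join(map(str, perm))):
            return False
        for i in range(n):
            for j in range(i + 1, n):
                cell = norm(perm[i], perm[j])
                opening = resp["cells"].get(cell)
                if opening is None or not opens_to(board.get(cell), *opening):
                    return False
                if opening[1] != ("1" if (i, j) in edges else "0"):
                    return False
        return True
    cells = resp["cells"]                  # do the opened cells form a Hamilton path?
    if len(cells) != n - 1:
        return False
    adj = {}
    for (a, b), (nonce, bit) in cells.items():
        if bit != "1" or not opens_to(board.get((a, b)), nonce, bit):
            return False
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    ends = [v for v, nb in adj.items() if len(nb) == 1]
    if len(adj) != n or len(ends) != 2 or any(len(nb) > 2 for nb in adj.values()):
        return False
    prev, cur, seen = None, ends[0], 1     # walk from one end; a real path reaches all n vertices
    while True:
        nxt = [w for w in adj[cur] if w != prev]
        if not nxt:
            return seen == n
        prev, cur, seen = cur, nxt[0], seen + 1

def one_round(edges, n, path, challenge, seed=0):
    board, secret = prover_commit(edges, n, random.Random(seed))
    return verifier_check(challenge, board, prover_respond(challenge, secret, path), edges, n)

def run_protocol(edges, n, path, rounds=20, seed=0):
    """Repeat with fresh coins: a prover who has no path fails each round w.p. 1/2."""
    rng = random.Random(seed)
    return all(one_round(edges, n, path, rng.randint(0, 1), rng.randrange(10**9))
               for _ in range(rounds))
```

A prover holding a wrong path still answers challenge 0 correctly (the drawing is a faithful copy of the graph) and fails only challenge 1, which is exactly the ½ soundness error per round that the slide states; twenty rounds bring it to 2^-20.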

Note that Hamilton Path is NP-complete, i.e., every other problem in NP can be reduced to Hamilton Path. A ZKP for Hamilton Path therefore gives a ZKP for all of NP!

How to flip a coin over the Internet 1. The first party chooses a random number X in the range [ ) and publishes A := H(X). 2. The second party likewise chooses a number Y and publishes B := H(Y). 3. After receiving A and B, both parties reveal X and Y. If (X+Y) is even, the first party wins. What if the first party waits to see H(Y) before choosing X? What if the first party tries to change X after seeing Y?
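The commit-reveal coin flip, as an added example that is not from the slides. It assumes SHA-256 as H, a range of [0, 2^32) for X and Y (the slide leaves the range blank), and adds a random nonce inside the commitment, which the slide's plain H(X) does not have; the nonce is what keeps the first question on the slide harmless, since without it a party who sees H(Y) first could recover a small Y by trying every value. The second question is answered by `settle`: an opening that does not match the earlier commitment is rejected rather than scored.

```python
import hashlib
import hmac
import os

# Assumption: the slide's blank range is taken to be [0, 2**32).
RANGE = 2 ** 32

def commit(x, nonce):
    """A := H(nonce || X). Hiding comes from the nonce, binding from the hash."""
    return hashlib.sha256(nonce + x.to_bytes(4, "big")).hexdigest()

def pick():
    """One party's step 1 or 2: choose X (or Y), a nonce, and publish the commitment."""
    x = int.from_bytes(os.urandom(4), "big") % RANGE
    nonce = os.urandom(16)
    return x, nonce, commit(x, nonce)

def opens_to(commitment, x, nonce):
    return hmac.compare_digest(commitment, commit(x, nonce))

def settle(a, b, x, nx, y, ny):
    """Step 3, run independently by each party after both reveals: check both openings
    against the commitments that were published before any value was revealed, then
    award the flip by the parity of X+Y."""
    if not opens_to(a, x, nx) or not opens_to(b, y, ny):
        raise ValueError("reveal does not match commitment: abort the protocol")
    return "first" if (x + y) % 2 == 0 else "second"

def flip():
    x, nx, a = pick()          # first party publishes A
    y, ny, b = pick()          # second party publishes B, having seen only A
    return settle(a, b, x, nx, y, ny)
```

Each side stores the peer's commitment before sending its own reveal; the check in `settle` is what makes "change X after seeing Y" detectable.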

Computing Average Salary n professors in a room would like to compute their average salary, but they do not wish to reveal their salary to the others. In fact, they do not wish to reveal their salary to any coalition of n-2 professors.

Protocol

Collusion Suppose prof_3 through prof_n collude. What can they learn about the salaries of prof_1 and prof_2? They can deduce s_1 + s_2 from the sum, but this is inherent in the computation. They have shares r_{1,3} through r_{1,n} and r_{2,3} through r_{2,n}. They can deduce r_{1,1} + r_{1,2} + r_{2,1} + r_{2,2} from the shares they have and s_1 + s_2. But they can’t deduce s_1 or s_2 to an accuracy greater than r_{1,1} + r_{1,2} + r_{2,1} + r_{2,2}.
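The share-based protocol behind the collusion slide, as an added example that is not from the slides (the "Protocol" slide itself is a diagram). It assumes additive sharing modulo a large constant M, chosen here: professor i splits s_i into shares r_{i,1} … r_{i,n} that sum to s_i mod M, sends r_{i,j} to professor j, and each professor announces the sum of the shares received. The announcements sum to the total salary. `coalition_knowledge` shows what a coalition of n-2 can and cannot reconstruct: the outsiders' total, but not the shares the two outsiders exchanged with each other.

```python
import random
from fractions import Fraction

M = 2 ** 61 - 1   # constructed modulus, far larger than any sum of salaries

def split(secret, n, rng):
    """Split s_i into n shares that are uniform mod M individually and sum to s_i."""
    shares = [rng.randrange(M) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % M)
    return shares

def average_salary(salaries, seed=0):
    """Returns (average, shares, announced) where shares[i][j] = r_{i,j}, the share
    professor i sent to professor j, and announced[j] is what professor j published."""
    rng = random.Random(seed)
    n = len(salaries)
    shares = [split(s, n, rng) for s in salaries]
    announced = [sum(shares[i][j] for i in range(n)) % M for j in range(n)]
    total = sum(announced) % M                       # = sum of all s_i, since the r_{i,j} cancel
    return Fraction(total, n), shares, announced

def coalition_knowledge(shares, announced, coalition, salaries):
    """What a coalition sees: the published total minus its own salaries gives the sum of
    the outsiders' salaries (inherent in the computation). The shares exchanged among the
    outsiders, e.g. r_{1,1}, r_{1,2}, r_{2,1}, r_{2,2} when profs 1 and 2 are outside, never
    reach the coalition, so the individual outsider salaries stay masked by uniform values."""
    n = len(announced)
    outsiders = [i for i in range(n) if i not in coalition]
    outsider_sum = (sum(announced) - sum(salaries[i] for i in coalition)) % M
    hidden = {(i, j): shares[i][j] for i in outsiders for j in outsiders}
    return outsider_sum, hidden
```

Using a modulus rather than plain integers matters: with shares drawn as unbounded integers, a share's size would leak information about the salary, whereas shares uniform mod M are independent of it.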

Two-Party Secure AND Computation Alice and Bob wish to know whether they mutually have feelings for each other. If both have feelings for the other, great! If Alice loves Bob but Bob does not love Alice back, Alice will be embarrassed -- she would not want Bob to know that she loves Bob (or vice versa)

Securely computing AND truth table

A  B  A AND B  what each party learns
1  1     1     both learn the other’s input by definition
0  0     0     Alice does not learn which case (B = 0 or 1); Bob does not learn which case (A = 0 or 1)
0  1     0     Alice does not learn which case
1  0     0     Bob does not learn which case

Protocol 1. Place Alice’s input cards, a heart, and Bob’s input cards in order, face down. 2. Shuffle (cyclic shift). 3. Reveal.
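The card protocol simulated, as an added example that is not from the slides. The slide does not state the card encoding; the example assumes the usual five-card layout, in which Alice plays club-heart for "yes" and heart-club for "no", Bob plays the mirror image, and a heart sits between them. After the cyclic shift, three hearts in a row (cyclically) appear exactly when both inputs are 1, and the three other input pairs produce layouts that are rotations of one another, which is why the reveal leaks nothing beyond the AND.

```python
import random

H, C = "H", "C"   # heart, club

def encode(bit, player):
    # Assumed encoding: Alice "yes" = C H, "no" = H C; Bob is the mirror image.
    if player == "alice":
        return [C, H] if bit else [H, C]
    return [H, C] if bit else [C, H]

def has_three_hearts(deck):
    """Three hearts adjacent when the five cards are read cyclically."""
    n = len(deck)
    return any(all(deck[(i + d) % n] == H for d in range(3)) for i in range(n))

def five_card_and(a, b, seed=0):
    """Steps 1-3 of the slide: lay out, cyclic shift by a random amount, reveal.
    Returns (a AND b, the revealed layout)."""
    rng = random.Random(seed)
    deck = encode(a, "alice") + [H] + encode(b, "bob")   # step 1, face down
    k = rng.randrange(len(deck))                         # step 2, random cyclic shift
    deck = deck[k:] + deck[:k]
    return has_three_hearts(deck), deck                  # step 3, reveal

def canonical(deck):
    """Smallest rotation of a layout: two layouts are indistinguishable after a random
    cyclic shift iff they have the same canonical form."""
    n = len(deck)
    return min("".join(deck[i:] + deck[:i]) for i in range(n))
```

The three "0" cases all reduce to the same canonical string, so a party seeing the revealed cards cannot tell which of them occurred; only the (1,1) case has a distinct pattern, and in that case each party already knows the other's input from the result.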

We have seen so far: n-party secure computation for addition (n > 2), and 2-party secure computation for AND (multiplication mod 2). This is tantalizing: it gives us reason to hope that secure multiparty computation is generally possible for any function!

Byzantine Agreement Requirements [Consensus] All honest nodes agree on the same value. [Validity] If the sender is correct, all honest nodes agree on the sender’s proposed value.

A protocol that defends against f malicious nodes in f+1 rounds

    extracted = {}
    sender signs value and sends it to all
    for round r = 1 ... f+1:
        receive messages
        keep only messages whose value v has not been extracted and that carry r distinct signatures
        if v is extracted in this round and the node has not relayed v in any round:
            append the node’s signature and relay v to the nodes not on the signature list

In round f+1, decide as follows: decide 0 if two values have been extracted; decide 0 if no value has been extracted; decide v if a single value v has been extracted.
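The f+1-round protocol and its decision rule, as an added simulation that is not from the slides (the protocol is the one usually credited to Dolev and Strong). Signatures are modelled with per-node HMAC keys held in a table that every node can consult for verification, standing in for a PKI; the adversary is constructed: a faulty sender tells even-numbered nodes 0 and odd-numbered nodes 1, and other faulty nodes relay each message to only one honest node. Honest nodes follow the slide exactly: a round-r message counts only if it carries r distinct valid signatures starting with the sender's; a value is extracted once and relayed once, to nodes not yet on its signature chain.

```python
import hmac
import random

def make_keys(n, seed):
    """Constructed PKI: a signing key per node; verification uses the same table."""
    rng = random.Random(seed)
    return {i: bytes(rng.getrandbits(8) for _ in range(16)) for i in range(n)}

def sign(keys, node, value):
    return (node, hmac.new(keys[node], str(value).encode(), "sha256").hexdigest())

def sig_ok(keys, sig, value):
    node, tag = sig
    return node in keys and hmac.compare_digest(tag, sign(keys, node, value)[1])

def valid(keys, sender, msg, r):
    """A round-r message must carry exactly r valid signatures from distinct nodes,
    the first of them the sender's."""
    v, sigs = msg
    signers = [s for s, _ in sigs]
    return (len(sigs) == r and signers and signers[0] == sender
            and len(set(signers)) == len(signers)
            and all(sig_ok(keys, s, v) for s in sigs))

def dolev_strong(n, f, sender, sender_value, faulty, seed=0):
    """Returns {honest node: decided value} after f+1 rounds."""
    keys, rng = make_keys(n, seed), random.Random(seed)
    honest = [i for i in range(n) if i not in faulty]
    extracted = {i: set() for i in honest}
    inbox = {i: [] for i in range(n)}
    # round 0: the sender signs its value and sends it to everyone; a faulty sender
    # equivocates (constructed adversary: even nodes are told 0, odd nodes 1)
    for j in range(n):
        v = (j % 2) if sender in faulty else sender_value
        inbox[j].append((v, [sign(keys, sender, v)]))
    for r in range(1, f + 2):
        outbox = {i: [] for i in range(n)}
        for i in range(n):
            for v, sigs in inbox[i]:
                if not valid(keys, sender, (v, sigs), r):
                    continue
                signed = {s for s, _ in sigs}
                relay = (v, sigs + [sign(keys, i, v)])
                if i in faulty:
                    # constructed adversary: pass the message on to a single honest node
                    targets = [j for j in honest if j not in signed]
                    if targets and i not in signed:
                        outbox[rng.choice(targets)].append(relay)
                elif v not in extracted[i]:
                    extracted[i].add(v)      # extracted in this round: relay once
                    if i not in signed:
                        for j in range(n):
                            if j not in signed and j != i:
                                outbox[j].append(relay)
        inbox = outbox
    # decision rule of the slide: a single extracted value wins, otherwise 0
    return {i: (next(iter(vals)) if len(vals) == 1 else 0) for i, vals in extracted.items()}
```

With an equivocating sender every honest node ends round f+1 holding both values and decides 0; with an honest sender no faulty node can produce a second value, because that would require the sender's signature on it.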

Validity: If the sender is honest, then all correct nodes will extract the sender’s value v, and no correct node can extract anything else.

Proof of consensus. Claim 1: If a correct node extracts v in round r < f+1, then all correct nodes must have extracted v by round f+1.

Claim 2: If a node extracts a value v with signature list {p_1, p_2, …, p_r} in round r, then p_1, p_2, …, p_{r-1} are faulty. Claim 3: If a node extracts a value v with signature list {p_1, p_2, …, p_{f+1}} in round f+1, then p_1, p_2, …, p_f are faulty, and p_{f+1} must be correct.

Suppose a correct node did not extract v by round f+1. Suppose another correct node extracted v in round r < f+1: this is impossible by Claim 1. Suppose instead that another correct node extracted v in round r = f+1; then by Claim 3, p_{f+1} is correct, and therefore all correct nodes must extract v in round r = f+1 (if not earlier), since the correct p_{f+1} will send the message to everyone in round f+1.

This is not the most efficient Byzantine Agreement protocol