Presentation is loading. Please wait.

Presentation is loading. Please wait.

Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.

Published byFlorence Peters Modified over 7 years ago

Similar presentations

Presentation on theme: "Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information."— Presentation transcript:

1 Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information to leak on s i r Flavors  Information-theoretic vs. computational  Semi-honest vs. malicious  Who gets the output? r Measures  Time, communication, memory  Size of adversary’s coalition 1

2 MPC results r Describe computed function as circuit  Logic gates (binary) or algebraic gates (addition and multiplication over a field) r Information-theoretic privacy  Semi-honest adversary – coalition of t<n/2  Malicious adversary – coalition of t<n/3 r Computational privacy  Semi-honest adversary – coalition of t<n  Malicious adversary – coalition of t<n/2 r Complexity of all – proportional of circuit size 2

3 Information-Theoretic MPC r [BGW88] r We show protocol for semi-honest case r Algebraic circuit over field F, |F|>n r Each party distributes its shares in Shamir secret sharing r Addition gates are computed locally r Multiplication gates cause a degree problem 3

4 Changing the threshold r Can the agents change the threshold without the dealer? r Increasing the threshold (degree)  Easy, distribute shares of a k x k for k≥t+1 r Reducing the threshold  We will look at reducing the degree from 2t to t r Let S=(s 1,…,s n ) be shares of a degree 2t polynomial – h(x)=a 0 +a 1 x+…+a t x 2t r Let k(x)=a 0 +a 1 x+…+a t x t r Let s i =h(x i ), let r i =k(x i ) r Let R=(r 1,…,r n ) 4

5 Reducing the degree r The parties currently have S. However, they would like to have R r There is a constant matrix A such that R=AS. r Let H be an n vector (a 0,…,a 2t,0,..,0) and K be an n- vector K=(a 0,…,a t,0,..,0) r Let P be the linear projection P(x 0,…,x n-1 ) =(x 0,…,x t,0,…,0) (P is a matrix) r Let V be the VanderMonde matrix (non-singular)  HV=S (evaluating polynomials)=> H=SV -1  HP=K => SV -1 P=K  KV=R => S(V -1 PV)=R 5

6 Oblivious Transfer I r Definition  Alice holds two bits x 0, x 1  Bob holds single bit b  At end of protocol Bob learns x b and Alice learns nothing new r Attempt I  Alice chooses private/public key pair, sends public key to Bob  Bob chooses random plaintext s b and random ciphertext r 1-b. Let r b =E(s b ) and Bob sends r b and r 1-b to Alice  Let B be a hardcore bit of the encryption  Alice returns z 0, z 1, where z b =x b +B(s b ) 6

7 Oblivious Transfer II r Attempt II  Alice chooses two RSA key pairs, with public keys,, and sends public keys to Bob.  Bob chooses random plaintext s and sends r b =s e b mod n b to Alice.  Alice decrypts with both keys and obtains s 0, s 1  Let B be a hardcore bit of the encryption  Alice returns z 0, z 1, where z b =x b +B(s b ) r Problem – key length r The way to do it  Change attempt II so that encryption by both public keys gives the same distribution 7

8 Oblivious Transfer III r Possible candidate  El-Gamal encryption with p, g and two public keys g a 0 mod p and g a 1 mod p  Bob has to check that two keys give the same distribution: Alice sends factoring of p-1 Bob checks for each factor k that (g a 0 ) (p-1)/k  1 mod p r Example – Oblivious transfer of long strings, i.e. x 0, x 1  {0,1} n 8

9 SFE / 2-Party MPC r Definition  Alice has input x  Bob has input y  They both know a function f of two inputs  They want to compute f(x,y) without leaking information about input  Note: information may be inherently leaked by output (e.g. OR function). r Computation on a circuit r Any function can be computed r No memory 9

10 Garbled gate r Let G be logic gate, e.g. OR, AND, XOR  G has two input bits – four possible input pairs  G has one output bit r Assume Alice has one input x and Bob has one input y r Alice prepares four keys k x, for x=0,1 and k y for y=0,1 r Alice encrypts G(x,y) with k x and ky r Alice sends to Bob  Encrypted possible gate values after permutation  k x 10

11 Garbled gate (cont.) r Bob gets k y from Alice using oblivious transfer r Bob can decrypt G(x,y) and nothing else r Complexity  Four encryptions per gate – can be done before input is known  Oblivious transfer 11

12 Garbled Circuit r Link garbled gates r Output of garbled gate is a key (two keys, one for output=0, one for output=1) r Each of the four entries in the garbled gate encrypts a key associated with the correct output r Terminal gates encrypt values instead of keys r Alice sends to Bob all garbled gates and keys replacing its input r Bob uses oblivious transfer to obtain the keys that match his inputs r Bob computes keys all the way to the output 12

13 Cut and choose r Alice may provide the wrong garbled circuit  Example: instead of G(x, y)= x OR y, G(x, y)=y r Origin of cut and choose in cakes r Solution  Alice provides n garbled circuits to Bob  Bob randomly chooses one  Alice reveals all the other garbled circuits by mapping keys to inputs. r Alice can cheat with probability 1/n 13

14 Additions r Universal circuits r Proving that a protocol is secure  Ideal world vs. real-world r Homomorphic encryption 14

Download ppt "Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.

Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.

Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.

What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

Similar presentations

Ads by Google