Presentation is loading. Please wait.

Presentation is loading. Please wait.

Foundations of Secure Computation

Published byMeagan Mosley Modified over 5 years ago

Similar presentations

Presentation on theme: "Foundations of Secure Computation"β€” Presentation transcript:

1 Foundations of Secure Computation
Arpita Patra Β© Arpita Patra

2 Ideal World MPC x1 x2 Any task x3 x4 (y1,y2,y3,y4) = f(x1,x2,x3,x4)

3 Ideal World MPC x1 x1 x2 x2 y1 y2 y1 y2 y4 y3 y4 y3 x4 x3 x3 x4
Any task y1 y2 y4 y3 y4 y3 x4 x3 x3 x4 (y1,y2,y3,y4) = f(x1,x2,x3,x4) (y1,y2,y3,y4) = f(x1,x2,x3,x4) The Ideal World The Real World

4 How to Compare Real World with Ideal World?
Fix the inputs of the parties, say x1,….xn . Call it π‘₯ Real-world view of adv should contain no more info than the ideal-world view of adv y1 y2 y4 x1 x2 x4 y3 x3 y1 y2 y4 x1 x2 x4 y3 x3 {x3, y3, r3, protocol transcript} (xi, yi) : The view of a party Pi on input π‘₯ - Allowed values From the view point of the adversary. ViewReali ( π‘₯ ): The view of a party Pi on input π‘₯ - Leaked Values (random variable) Ideal-world view of adv is {(xi, yi)}Pi in C Let C be the set of corrupted parties. Then the real-world view of the adversary is: ViewRealC ( π‘₯ ) = {(ViewReali ( π‘₯ ))}Pi in C A real-world protocol is secure if the leaked values contain no more info than allowed values

5 Real-world (leaked values) vs. Ideal world (allowed values)
y1 y2 y1 y2 y4 {x3, y3} y4 {x3, y3, r3, protocol transcript} When can we say that the real-world view (leaked values) of adv contain no more info than the ideal-world view of adv If the leaked values can be efficiently computed (by some algorithm) from the allowed values. Such an algorithm is called SIMULATOR ---denoted as SIM Takes input {(xi, yi)}Pi ∈ C and simulates the view of the adversary in the real protocol. It is enough if SIM creates a view of the adversary that is β€œclose enough” to the real view so that adv. can not distinguish the simulated view from its real view.

6 Real-world (leaked values) vs. Ideal world (allowed values)
y1 y2 y1 y2 x1 x2 x1 x2 x4 x4 SIM y4 {x3, y3} y4 {x3, y3, r3, protocol transcript} Interaction with real-world adversary on behalf of the honest parties SIM produces the simulated view ο‚» ViewRealC ( π‘₯ ) SIM({(xi, yi)}Pi ∈ C ) = ViewIdealC ( π‘₯ ) Random Variable/distribution (over the random coins of SIM and adv) Random Variable/distribution (over the random coins of parties) SIM: Ideal Adversary The Ideal World The Real World

7 Real-world vs. Ideal world
y1 y2 y1 y2 x1 x1 x2 x2 x4 x4 SIM y4 {x3, y3} y4 {x3, y3, r3, protocol transcript} Interaction on behalf of the honest parties ο‚» {ViewIdealC ( π‘₯ )} {ViewRealC ( π‘₯ )} If the two views (distributions) are perfectly indistinguishabe (even for a computationally unbounded distinguisher) then we get perfect privacy If the two views (distributions) are statistically indistinguishabe (even for a computationally unbounded distinguisher) then we get statistical privacy If the two views (distributions) are computationally indistinguishabe then we get computational privacy

8 Real-world vs. Ideal world : Some Notations
y1 y2 y1 y2 x1 x1 x2 x2 x4 x4 SIM y4 {x3, y3} y4 {x3, y3, r3, protocol transcript} Interaction on behalf of the honest parties ViewRealC ( π‘₯ ) SIM({(xi, yi)}Pi ∈ C ) = ViewIdealC ( π‘₯ ) OutputIdealH ( π‘₯ ) : the output of the honest parties on input ( π‘₯ ) in the ideal world OutputRealH ( π‘₯ ) : the output of the honest parties on input ( π‘₯ ) in the real world ViewIdealC ( π‘₯ ) : the simulated view of the adversary produced by SIM ViewRealC ( π‘₯ ): the real view of the adversary seen in the protocol

9 Real-world vs. Ideal world : Definition 1 (For Deterministic Functionalities )
y1 y2 y1 y2 x1 x1 x2 x2 x4 x4 SIM y4 {x3, y3} y4 {x3, y3, r3, protocol transcript} Separate conditions for correctness and privacy A protocol for computing f is perfectly-secure if it satisfies the following conditions: Correctness: Privacy: OutputIdealH ( π‘₯ ) = OutputRealH ( π‘₯ ) {ViewIdealC ( π‘₯ )} = {ViewRealC ( π‘₯ )} A protocol for computing f is statistically-secure if it satisfies the following conditions: Correctness: Privacy: ο‚» s |OutputIdealH ( π‘₯ ) - OutputRealH ( π‘₯ )|≀ negl(k) {ViewIdealC ( π‘₯ )} {ViewRealC ( π‘₯ )}

10 Real-world vs. Ideal world : Definition 1 (For Deterministic Functionalities )
y1 y2 y1 y2 x1 x1 x2 x2 x4 x4 SIM y4 {x3, y3} y4 {x3, y3, r3, protocol transcript} Separate conditions for correctness and privacy A protocol for computing f is computationally-secure if it satisfies the following conditions: Correctness: Privacy: ο‚» c |OutputIdealH ( π‘₯ ) - OutputRealH ( π‘₯ )|≀ negl(k) {ViewIdealC ( π‘₯ )} {ViewRealC ( π‘₯ )}

11 Real-world vs. Ideal world : Definition 1 (For Deterministic Functionalities )
y1 y2 y1 y2 x1 x1 x2 x2 x4 x4 SIM y4 {x3, y3} y4 {x3, y3, r3, protocol transcript} Perfect-security: OutputIdealH ( π‘₯ ) = OutputRealH ( π‘₯ ) {ViewIdealC ( π‘₯ )} = {ViewRealC ( π‘₯ )} Statistical-security: ο‚» s |OutputIdealH ( π‘₯ ) - OutputRealH ( π‘₯ )|≀ negl(k) {ViewIdealC ( π‘₯ )} {ViewRealC ( π‘₯ )} Computational-security: ο‚» c |OutputIdealH ( π‘₯ ) - OutputRealH ( π‘₯ )|≀ negl(k) {ViewIdealC ( π‘₯ )} {ViewRealC ( π‘₯ )} For deterministic functions, output is fixed once inputs are fixed (irrespective of the random coins) So no probability distribution considered over OutputIdealH ( π‘₯ ) and OutputRealH ( π‘₯ )

12 Making β€œVery Small/Negligible” Precise– Asymptotic Approach
>> β€œ Very Small / negligible in n” means those f(n) : - for every polynomial in n, p(n), there exists some positive integer N, such that f(n) < 1/p(n) , for all n > N n: Security parameter. A tunable parameter that tunes how difficult it is to break a cryptosystem - β€œgrows slower than any inverse poly” >> Example: 1/2n , 1/2n/2 >> How about 1/n10 ? For 1/n20 there is NO N s.t. 1/n10 < 1/n20 - The more the value of n, the tougher the life of the adversary is.

13 Real-world vs. Ideal world : Definition 2 (For Randomized Functionalities )
y1 y2 y1 y2 x1 x1 x2 x2 x4 x4 SIM y4 {x3, y3} y4 {x3, y3, r3, protocol transcript} For randomized functions, output is not fixed even if inputs are fixed Need to consider probability distribution considered over OutputIdealH ( π‘₯ ) and OutputRealH ( π‘₯ ) Correctness and privacy combined in a single condition Perfect-security: {OutputIdealH ( π‘₯ ), ViewIdealC ( π‘₯ )} = {OutputRealH ( π‘₯ ), ViewRealC ( π‘₯ )} Statistical-security: ο‚» s {OutputIdealH ( π‘₯ ), ViewIdealC ( π‘₯ )} {OutputRealH ( π‘₯ ), ViewRealC ( π‘₯ )} Computational-security: ο‚» c {OutputIdealH ( π‘₯ ), ViewIdealC ( π‘₯ )} {OutputRealH ( π‘₯ ), ViewRealC ( π‘₯ )}

14 Real-world vs. Ideal world : Definition 2 vs Definition 1
y1 y2 y1 y2 x1 x1 x2 x2 x4 x4 SIM y4 {x3, y3} y4 {x3, y3, r3, protocol transcript} Perfect-security: {OutputIdealH ( π‘₯ ), ViewIdealC ( π‘₯ )} = {OutputRealH ( π‘₯ ), ViewRealC ( π‘₯ )} Statistical-security: ο‚» s {OutputIdealH ( π‘₯ ), ViewIdealC ( π‘₯ )} {OutputRealH ( π‘₯ ), ViewRealC ( π‘₯ )} Computational-security: ο‚» c {OutputIdealH ( π‘₯ ), ViewIdealC ( π‘₯ )} {OutputRealH ( π‘₯ ), ViewRealC ( π‘₯ )} Definition 2 subsumes definition 1 (definition 2 is stronger) Definition 2 captures randomized functions as well

15 Randomized Function and Definition 1
f( , ) = (r , ) r is a random bit . . . . r r . Sample r randomly and output Sample r randomly SIM Interaction on behalf of the honest party Sample and send a random r’ >> Does this protocol achieve privacy ? No! {ViewIdealC ( π‘₯ )} = {ViewRealC ( π‘₯ )} {r’ : r’ random} {r : r is random} The proof says the protocol achieves privacy ! The Ideal World The Real World

16 Randomized Function and Definition 2
f( , ) = (r , ) r is a random bit . . . . r r . Sample r randomly and output Sample r randomly SIM Interaction on behalf of the honest party Sample and send a random r’ >> Is this protocol secure? No! The proof says the protocol is insecure! {ViewIdealC ( π‘₯ )} = {ViewRealC ( π‘₯ )} {OutputIdealH ( π‘₯ ), ViewIdealC ( π‘₯ )} {OutputRealH ( π‘₯ ), ViewRealC ( π‘₯ )} β‰  {(r , r’}) | r,r’ random and independent} {(r , r)} | r random The Ideal World The Real World

17 Definition 1 is Enough! Consider the case when n = 2, t = 1 (the argument holds for general n and t) Let g(x, y; r) be a randomized functionality P1 and P2 has inputs x and y respectively The functionality picks a uniform randomness r and then computes g(x, y; r) Can we can replace functionality g by a deterministic functionality, where randomness r is ”contributed” by P1 and P2 (apart from their usual inputs x and y) ? Define f((x, r1), (y, r2)) ≝ to compute g(x, y; r) where r1+r2 can act as r. Party P1 will input (x, r1) Party P2 will input (y, r2) The role of r played by r1 + r2 If Pi is honest then ri will be random and so will be r For the rest of the course, we will consider only deterministic functionalities

18 Definition Applies for
Dimension 2 (Networks) Complete Synchronous Dimension 3 (Distrust) Centralized Dimension 4 (Adversary) Threshold/non-threshold Polynomially Bounded and unbounded powerful Semi-honest Static

19

Download ppt "Foundations of Secure Computation"

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Complexity 18-1 Complexity Andrei Bulatov Probabilistic Algorithms.

Complexity 18-1 Complexity Andrei Bulatov Probabilistic Algorithms.
Models and Security Requirements for IDS. Overview The system and attack model Security requirements for IDS –Sensitivity –Detection Analysis methodology.

Models and Security Requirements for IDS. Overview The system and attack model Security requirements for IDS –Sensitivity –Detection Analysis methodology.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Foundations of Cryptography Lecture 9 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 9 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 2 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 2 Lecturer: Moni Naor.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Information-Theoretic Security and Security under Composition Eyal Kushilevitz (Technion) Yehuda Lindell (Bar-Ilan University) Tal Rabin (IBM T.J. Watson)

Information-Theoretic Security and Security under Composition Eyal Kushilevitz (Technion) Yehuda Lindell (Bar-Ilan University) Tal Rabin (IBM T.J. Watson)

Similar presentations

Ads by Google