1
Multi-Party Computation Forever for Cloud Computing and Beyond. Shlomi Dolev. Joint work with Limor Lahiani, Moti Yung, Juan Garay, Niv Gilboa and Vladimir Kolesnikov
2
Secret Swarm Unit: Reactive k-Secret Sharing. INDOCRYPT 2007. Shlomi Dolev (1), Limor Lahiani (1), Moti Yung (2). (1) Department of Computer Science, Ben-Gurion University of the Negev; (2) Columbia University
3
Talk Outline Introduction & motivation The problem Swarm settings Reactive k-secret sharing solutions Polynomial based solution Chinese remaindering based solution Vandermonde-matrix based solution Virtual I/O automaton Conclusions
4
The Polynomial Based Solution: Shamir's (k,n)-threshold scheme
Secret: global secret gs
p(x) = a_0 + a_1 x + a_2 x^2 + … + a_k x^k, where a_1, …, a_k are random and a_0 = gs
Secret distribution: n distinct points (x_i, p(x_i)) with x_i ≠ 0; gs = p(0)
Any k+1 points reveal the secret; fewer than k+1 points reveal nothing about it
5
The Polynomial Based Counter
Increment counter: gs → gs+δ. With p(x) = gs + a_1 x + a_2 x^2 + … + a_k x^k, let q(x) = p(x) + δ; q(x) is defined by the points (x_i, p(x_i)+δ), so each member adds δ to its own share.
Multiply: gs → gs·μ. q(x) = p(x)·μ is defined by the points (x_i, p(x_i)·μ), so each member multiplies its own share by μ.
6
The Polynomial Based Solution. Swarm input: set. set(): each member i stores its share (x_i, p(x_i)).
7
The Polynomial Based Solution. Swarm input: step. step(δ): (x_i, p(x_i)) → (x_i, p(x_i)+δ), applied locally by every member; the same for multiplication by μ.
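The share/step/reconstruct cycle of the polynomial solution, as an added example that is not code from the paper: Shamir sharing over a prime field, the two local step operations (add δ, multiply by μ), and Lagrange reconstruction from any k+1 shares. The field modulus, the function names (share, step_add, step_mul, reconstruct) and the sample values are my choices for the example.

```python
# Added example (not the paper's code): Shamir (k,n)-threshold shares with the
# reactive "step" operations applied directly to the shares, no communication.
import secrets

P = 2**61 - 1          # Mersenne prime; all arithmetic is mod P (assumption for the example)

def share(gs, k, n):
    """p(x) = gs + a1 x + ... + ak x^k with random a1..ak; shares (x_i, p(x_i)) for x_i = 1..n."""
    coeffs = [gs % P] + [secrets.randbelow(P) for _ in range(k)]
    shares = []
    for x in range(1, n + 1):          # x_i != 0, so p(0) = gs is never handed out
        y = 0
        for a in reversed(coeffs):     # Horner evaluation
            y = (y * x + a) % P
        shares.append((x, y))
    return shares

def reconstruct(shares):
    """Lagrange interpolation at x = 0; needs at least k+1 distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def step_add(shares, delta):
    """q(x) = p(x) + delta: every member adds delta to its own share."""
    return [(x, (y + delta) % P) for x, y in shares]

def step_mul(shares, mu):
    """q(x) = p(x) * mu: every member multiplies its own share by mu."""
    return [(x, (y * mu) % P) for x, y in shares]

def demo():
    """gs = 1000, then +5, *3, -15 applied share-wise; reconstruct from two different k+1 subsets."""
    k, n = 3, 7
    sh = share(1000, k, n)
    sh = step_add(sh, 5)          # gs -> 1005
    sh = step_mul(sh, 3)          # gs -> 3015
    sh = step_add(sh, P - 15)     # gs -> 3000 (subtracting 15 mod P)
    from_first = reconstruct(sh[:k + 1])
    from_other = reconstruct(sh[2:k + 3])
    too_few = reconstruct(sh[:k])          # only k shares: a random-looking value, not gs
    return from_first, from_other, too_few
```

Both k+1 subsets agree on 3000 because every step preserved a consistent degree-k polynomial; the k-share interpolation shows what an attacker below the threshold gets.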
8
The Polynomial Based Solution. Input: regain consistency request. regainConsistencyReq(): the leader; shares (x_i, p(x_i)).
9
The Polynomial Based Solution. Input: regain consistency request (leader).
10
The Polynomial Based Solution. Input: regain consistency reply. regainConsistencyReply(): the leader; shares (x_i, p(x_i)).
11
The Polynomial Based Solution. Input: join request & reply. joinReq(), joinReply().
12
The Polynomial Based Solution (Corruptive Adversary)
Berlekamp-Welch: polynomial p(x) of degree k, k+r points, e errors; decode p(x) if e ≤ r/2. (Counting the k+1 unknown coefficients exactly, the condition is k+r ≥ k+1+2e, i.e. e ≤ (r−1)/2.)
Polynomial based solution: decode p(x) if f ≤ (n−k−lp)/2, where lp is the number of processes that left between two regainConsistency operations.
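Decoding in the presence of corrupted shares, as an added example that is not code from the paper: Berlekamp-Welch over a prime field, solving for Q(x) = p(x)·E(x) and a monic error locator E(x) with Q(x_i) = y_i·E(x_i), then dividing. The field modulus, the function names and the positions of the corrupted members are constructed for the example; with n points and a degree-k polynomial it tolerates e ≤ (n−k−1)/2 wrong values.

```python
# Added example (not the paper's code): Berlekamp-Welch decoding of the share
# polynomial when some members return corrupted shares.
import random

P = 1_000_003   # prime modulus for the field (assumption for the example)

def poly_eval(coeffs, x):
    """Horner evaluation of a0 + a1 x + ... mod P."""
    y = 0
    for a in reversed(coeffs):
        y = (y * x + a) % P
    return y

def solve_mod_p(rows, rhs):
    """Gauss-Jordan elimination over GF(P); returns one solution of a consistent system."""
    m, ncols = len(rows), len(rows[0])
    M = [r[:] + [b] for r, b in zip(rows, rhs)]
    pivots, row = [], 0
    for col in range(ncols):
        piv = next((r for r in range(row, m) if M[r][col]), None)
        if piv is None:
            continue
        M[row], M[piv] = M[piv], M[row]
        inv = pow(M[row][col], -1, P)
        M[row] = [v * inv % P for v in M[row]]
        for r in range(m):
            if r != row and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % P for a, b in zip(M[r], M[row])]
        pivots.append(col)
        row += 1
        if row == m:
            break
    x = [0] * ncols                      # free variables set to 0
    for r, col in enumerate(pivots):
        x[col] = M[r][ncols]
    return x

def poly_div_exact(num, den):
    """Exact division by a monic polynomial over GF(P); asserts the remainder is zero."""
    num, dn = num[:], len(den) - 1
    quot = [0] * (len(num) - dn)
    for i in range(len(num) - 1, dn - 1, -1):
        c = num[i]
        quot[i - dn] = c
        for j in range(dn + 1):
            num[i - dn + j] = (num[i - dn + j] - c * den[j]) % P
    assert all(v == 0 for v in num[:dn]), "not divisible: more errors than tolerated"
    return quot

def berlekamp_welch(points, k):
    """Recover the degree-k polynomial from n points with up to e = (n-k-1)//2 wrong values.
    Unknowns: Q of degree k+e and monic error locator E of degree e, with Q(x_i) = y_i * E(x_i)."""
    n = len(points)
    e = (n - k - 1) // 2
    rows, rhs = [], []
    for x, y in points:
        row = [pow(x, j, P) for j in range(k + e + 1)]          # coefficients of Q
        row += [(-y * pow(x, j, P)) % P for j in range(e)]      # non-leading coefficients of E
        rows.append(row)
        rhs.append(y * pow(x, e, P) % P)                        # monic leading term of E moved right
    sol = solve_mod_p(rows, rhs)
    Q, E = sol[:k + e + 1], sol[k + e + 1:] + [1]
    return poly_div_exact(Q, E)                                 # p = Q / E

def demo():
    """Degree 3, 10 members, 3 of them corrupt: gs = 4242 is recovered exactly."""
    k, n = 3, 10                                # e = (10 - 3 - 1) // 2 = 3 errors tolerated
    coeffs = [4242] + [random.randrange(P) for _ in range(k)]   # a0 = gs = 4242
    shares = [(x, poly_eval(coeffs, x)) for x in range(1, n + 1)]
    for idx in (1, 4, 8):                       # constructed: three corrupt members answer wrongly
        x, y = shares[idx]
        shares[idx] = (x, (y + 7) % P)
    recovered = berlekamp_welch(shares, k)
    return recovered[0], recovered == coeffs
```

Any solution of the linear system works: Q − p·E has degree at most k+e and vanishes at the n−e correct points, which is more than k+e, so it is the zero polynomial and the division is exact.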
14
Our Chinese Remainder Based Solution
Swarm secret: global secret gs
p_1 < p_2 < … < p_k pairwise relatively prime; M_k = p_1 p_2 … p_k; 0 ≤ gs < M_k
By the CRT, gs ↔ (r_1, p_1), (r_2, p_2), …, (r_k, p_k) with r_i = gs mod p_i, i.e. gs ↔ (r_1, r_2, …, r_k)
Secret share of member i: (r_i, p_i), r_i = gs mod p_i
15
Swarm Input: the same interface as the polynomial solution, with p_i in the role of x_i and r_i in the role of p(x_i): set(), step(), regainConsistencyRequest(), regainConsistencyReply(), joinRequest(), joinReply()
16
Our Chinese Remainder Based Solution. Swarm input: step. step(δ): gs → gs+δ, so member i updates its residue locally, r_i → (r_i + δ) mod p_i. (Remaining slide notation: i, b_i, [l_1] … [l_j], M[l_1] = … = M[l_j] = 1.)
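The CRT-based shares with a local step(δ), as an added example that is not code from the paper. It uses n moduli of which the k smallest give M_k, so that any k residues reconstruct gs (their moduli product is at least M_k); that "any k of n" reading, the moduli, and the secret value are my assumptions for the example. The step is only consistent across subsets while gs+δ stays below M_k, which the example keeps to.

```python
# Added example (not the paper's code): CRT-based reactive k-secret sharing.
from math import gcd, prod
from itertools import combinations

def crt(residues):
    """Combine (r_i, p_i) pairs with pairwise coprime p_i into the unique x mod prod(p_i)."""
    x, m = 0, 1
    for r, p in residues:
        t = (r - x) * pow(m, -1, p) % p   # solve x + m*t == r (mod p)
        x += m * t
        m *= p
    return x % m

def share(gs, moduli, k):
    """Member i holds (gs mod p_i, p_i); gs must be below M_k = product of the k smallest moduli."""
    moduli = sorted(moduli)
    assert all(gcd(a, b) == 1 for a, b in combinations(moduli, 2)), "moduli must be pairwise coprime"
    assert 0 <= gs < prod(moduli[:k]), "gs must be below M_k"
    return [(gs % p, p) for p in moduli]

def step_add(shares, delta):
    """gs -> gs + delta: each member updates its own residue, (r_i + delta) mod p_i."""
    return [((r + delta) % p, p) for r, p in shares]

def reconstruct(subset, k):
    """Any k residues reconstruct gs: the product of their moduli is >= M_k > gs."""
    assert len(subset) >= k
    return crt(subset)

def candidates(subset, M):
    """Every value in [0, M) consistent with fewer than k residues: the ambiguity an attacker is left with."""
    return [x for x in range(M) if all(x % p == r for r, p in subset)]

def demo():
    moduli, k = [11, 13, 17, 19, 23], 3     # constructed: pairwise coprime, M_k = 11*13*17 = 2431
    M_k = 11 * 13 * 17
    sh = share(1234, moduli, k)
    sh = step_add(sh, 100)                  # gs -> 1334, still below M_k
    from_mid = reconstruct(sh[1:4], k)      # moduli 13, 17, 19
    from_top = reconstruct(sh[2:5], k)      # moduli 17, 19, 23
    return from_mid, from_top, candidates(sh[2:4], M_k)   # two residues (17, 19) leave 8 candidates
```

Two residues with moduli 17 and 19 pin gs only modulo 323, which leaves eight candidates in [0, M_k); this is the CRT analogue of holding k instead of k+1 polynomial shares.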
18
Virtual I/O Automaton
I/O automaton A implemented by the swarm
Global state (global secret): the current state of A, replicated at least T (T ≤ n) times
Regain consistency ensures: at least T+lp+f replicas of the global state, and at most T−f−1 replicas of any other state
Global output: an output with at least T (T ≤ n) replicas (threshold device)
19
Virtual I/O Automaton
Secret share: a tuple (s_i1, s_i2, …, s_im) of candidate states; at most one of them is the global state
Step(·): apply the transition step on (s_i1, s_i2, …, s_im) and the input, randomly resolving convergence to the same state; new tuple of candidates (s'_i1, s'_i2, …, s'_im)
Output actions (o_i1, o_i2, …, o_im): at least T replicas of the global output
21
Conclusions
Polynomial based solution: addition & multiplication; error correcting [Berlekamp-Welch]
Chinese remaindering based solution: addition; error correcting [Mandelbaum]
Virtual I/O automaton: masks the global state
Further results: Vandermonde matrix solution, supports XOR operations
22
Thank You!
23
Swarming Secrets. Shlomi Dolev (BGU), Juan Garay (AT&T Labs), Niv Gilboa (BGU), Vladimir Kolesnikov (Bell Labs). PODC 2010 (Allerton 2009)
24
Talk Outline Objectives Adversary Secret sharing Membership and thresholds Private computation in swarms –Perfectly oblivious TM –Computing transitions
25
Objectives Why swarms Why secrets in a swarm Dynamic membership in swarms Computation in a swarm
26
Adversary: honest but curious; adaptive; controls swarm members – up to a threshold of t members. What about eavesdropping? – We assume the adversary can eavesdrop on the links (incoming and outgoing) of up to t members.
27
Secret sharing: a bivariate polynomial P(x,y), with P(i,j) its value at the grid point (i, j). Share of player i: the two univariate polynomials P(i,y) and P(x,i).
28
Join. J: "Hey guys, can I play with you? I'm J!" A, B, C, D: "Sure!" Each current member sends J the projections of its own polynomial onto J: P_A(J,y), P_A(x,J); P_B(J,y), P_B(x,J); P_C(J,y), P_C(x,J); … (one pair per member)
29
Leave. Problem: – a member retains its share after leaving – the adversary could corrupt the leaving member plus t current members. Refreshing (proactive secret sharing): – each member shares a random polynomial with free coefficient 0, and the members add these shares to their existing ones
30
Additional Operations Merge Split Clone
31
Increase Threshold. Why do it? How: simple, add shares of random polynomials of higher degree with P(0,0)=0
32
Decrease Threshold – t to t*. A chooses a random polynomial Q_A(x,y) of degree t* and hands a share of Q_A(x,y) to each of J, B, C, D; B, C, D, … also share random polynomials
33
Decrease Threshold – t to t*. Every member adds its local shares; interpolate P(x,y) + Q_A(x,y) + Q_B(x,y) + …; remove the high-degree terms to obtain R(x,y)
34
Decrease Threshold – t to t*. The high-degree monomials of the sum come from P alone (the Q's have degree t*), so every member learns the high monomials of P and computes the reduced P locally
35
Computation in a Swarm. A distributed system: – computational model – communication between members – input (we can consider global and non-global input) – changes to the "software" – "output" of the computation when the computation time is unbounded
36
What is hidden: current state, input, software, time. What is not hidden: space.
37
How is it hidden? Secret sharing – input – state. Universal TM – software. Perfectly oblivious universal TM – time.
38
Architecture of a Swarm TM
39
Perfectly Oblivious TM (tape head). Oblivious TM: the head moves as a function of the number of steps. Perfectly oblivious TM: the head moves as a function of the current position only.
40
Perfectly Oblivious TM (worked figure: original tape N N Y N and the tape head). Transition (st, _) → (st2, _, right): the tape shifts right, copying what was in the previous cell. Transition (st, _) → (st1, _, left): the tape shifts right and the head shifts left; Y stays in place; copy. Then insert the result of the "real" transition; transition (st, _) → (st3, _, left).
41
TM Transitions (figure: tape and tape head; states st1, st2, …, st, …; transition table whose entry for a state and the symbol under the head gives the next state ns and the symbol to write)
42
Encoding States & Cells. Tape cells and states st1, st2, …, st, … are encoded as unit vectors 10…0, 01…0, …, 0…010…0, with the single 1 at the index of the state or symbol.
43
Computing a Transition
Goal: compute a transition privately in one communication round.
Method: construct the new state/symbol unit vectors ns and nσ from the current state vector st and the current symbol vector σ:
ns[k] = Σ st[i]·σ[j] over all i, j such that the transition on (i, j) gives state k
nσ[k] = Σ st[i]·σ[j] over all i, j such that the transition on (i, j) gives symbol k
44
Encoding State Transitions (worked table: for the current transition, the transition-table column entries for the current state st and current symbol are multiplied entrywise, 0·0, 0·1, 1·0, 1·1, and summed per candidate state; every sum is 0, e.g. 1·0 + 0·1 = 0, except the one for ns, 0·0 + 0·0 + 1·1 + 1·0 = 1, so the new state vector is 0…010…0 and the new state is ns)
45
Encoding Symbol Transitions (worked table: the same entrywise products summed per candidate symbol; all sums are 0, e.g. 1·0 + 0·0 + 0·0 + 1·0 = 0, except 0·1 + 1·1 + 0·0 = 1 for the written symbol, so the new symbol vector is 0…01)
46
What about Privacy? Goal: compute transitions privately. Method: – compute the new shares using the products st[i]·σ[j] – reduce the polynomial degree
47
Sharing States & Symbols. Initially: encode 1 by P(x,y) with P(0,0)=1 and 0 by Q(x,y) with Q(0,0)=0; share bivariate polynomials for every coordinate of the state and symbol vectors. Step: compute 0·0 + 1·0 + 1·1 + … by – multiplying and summing local shares – running the "Decrease" degree protocol
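The unit-vector transition arithmetic of the "Computing a Transition" and "Sharing States & Symbols" slides, as an added example that is not code from the paper. It computes ns[k] = Σ st[i]·σ[j] over the (i, j) pairs whose transition leads to k, in the clear, and checks it against a direct lookup; under sharing, each product st[i]·σ[j] becomes a product of two local shares followed by the degree-reduction step, but the table and the sums are exactly these. The three-state machine, its transition table and the tapes are constructed for the example.

```python
# Added example (not the paper's code): one transition of a machine whose
# states and symbols are unit vectors, computed as the sum-of-products
#   ns[k]   = sum st[i]*sym[j] over all (i, j) with delta(i, j) = (k, _)
#   nsym[k] = sum st[i]*sym[j] over all (i, j) with delta(i, j) = (_, k)
STATES = ["st1", "st2", "ns"]                 # constructed toy machine
SYMBOLS = ["0", "1"]
# DELTA[(state, symbol)] = (next_state, symbol_written); constructed table
DELTA = {
    ("st1", "0"): ("st1", "1"),
    ("st1", "1"): ("st2", "0"),
    ("st2", "0"): ("ns", "1"),
    ("st2", "1"): ("st1", "1"),
    ("ns", "0"): ("ns", "0"),
    ("ns", "1"): ("ns", "1"),
}

def unit(index, length):
    """Unit vector 0...010...0 with the 1 at position `index`."""
    return [1 if i == index else 0 for i in range(length)]

def encode_state(s):
    return unit(STATES.index(s), len(STATES))

def encode_symbol(c):
    return unit(SYMBOLS.index(c), len(SYMBOLS))

def build_tables():
    """t_state[k][i][j] = 1 iff delta(i, j) leads to state k; t_sym[k][i][j] likewise for symbol k."""
    n_st, n_sy = len(STATES), len(SYMBOLS)
    t_state = [[[0] * n_sy for _ in range(n_st)] for _ in range(n_st)]
    t_sym = [[[0] * n_sy for _ in range(n_st)] for _ in range(n_sy)]
    for (s, c), (nxt, w) in DELTA.items():
        i, j = STATES.index(s), SYMBOLS.index(c)
        t_state[STATES.index(nxt)][i][j] = 1
        t_sym[SYMBOLS.index(w)][i][j] = 1
    return t_state, t_sym

def transition(st, sym, t_state, t_sym):
    """Bilinear step: every output coordinate is a sum of products st[i]*sym[j]."""
    pairs = [(i, j) for i in range(len(st)) for j in range(len(sym))]
    new_state = [sum(t[i][j] * st[i] * sym[j] for i, j in pairs) for t in t_state]
    new_sym = [sum(t[i][j] * st[i] * sym[j] for i, j in pairs) for t in t_sym]
    return new_state, new_sym

def run_encoded(start, tape):
    """Drive the vector-encoded machine over the tape, one cell per step, and decode the result."""
    t_state, t_sym = build_tables()
    st = encode_state(start)
    written = []
    for c in tape:
        st, w = transition(st, encode_symbol(c), t_state, t_sym)
        written.append(SYMBOLS[w.index(1)])   # the output is again a unit vector
    return STATES[st.index(1)], "".join(written)

def run_direct(start, tape):
    """Reference: the same machine driven straight from the lookup table."""
    s, written = start, []
    for c in tape:
        s, w = DELTA[(s, c)]
        written.append(w)
    return s, "".join(written)
```

Because every output coordinate is a fixed bilinear form in the two input vectors, the same table works unchanged on shared inputs; only the multiplication of shares and the subsequent degree reduction are protocol steps.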
48
Thank You!!! E.g. http://senseable.mit.edu/flyfire/
49
Secret Sharing Krohn-Rhodes: Private and Perennial Distributed Computation. Shlomi Dolev (BGU), Juan Garay (AT&T Labs), Niv Gilboa (BGU and Deutsche Telekom), Vladimir Kolesnikov (Bell Labs). ICS 2011
50
Model
51
The Setting. A dealer and k parties A_1, …, A_k (outsourcing). Automaton A is public, its state S is secret. The dealer wants to outsource the computation of A from initial state S. The parties receive the same global input σ_i, σ_{i+1}, σ_{i+2}, … of unbounded length; each party computes its own internal state (state 1, …, state k). No communication! Reconstruction: the dealer recovers the final state T.
52
Adversary Model. The adversary knows the FSA A. The adversary does not know – the initial state S – the input stream σ_1, …, σ_i, … The adversary can – control up to t executing parties – "one shot": look once at the memory of an executing party; subsequently that party stops functioning. Motivation: sensor networks / UAVs / cloud computing. We consider an honest-but-curious adversary; robust secret sharing works against a malicious adversary.
53
Security. Definition: the scheme is secure if for every adversary and every – two initial states S and S' – two input streams σ_1, …, σ_i and σ'_1, …, σ'_j – two corruption timelines of equal length, the view of the adversary is identical. The adversary's view includes A and the memory of the parties it corrupts.
54
Why not MPC? MPC [Yao'82, GMW'87, BGW'88, CCD'88]: n players, t corrupted, each with an input x_i of the same length, compute F(x_1, …, x_n) while keeping x_i private. Known MPC techniques cannot handle the combination of – non-interactivity of the online phase – information-theoretic (IT) security – unbounded input
55
FSA Our model for FSA –States –Input symbols (no output) –Transitions
56
Our Scheme
57
Contributions. A scheme for perennial computation of every FSA. Complexity depends on the complexity of the Krohn-Rhodes decomposition of the FSA – linear for certain interesting cases – n! in the worst case. Complexity measures – size of the FSA (space) – number of transitions per original transition (time). Bridging of two "worlds": IT cryptography and automata theory
58
A simple Case Permutation FSA
59
Permutation Automaton (figure: states S1, S2, S3, S4; each input symbol, α or β, acts as a permutation of the states)
60
Initialization: Secret Sharing. k instances of the permutation FSA, one per party. The initial state S holds secret shares of the value 1; every other state holds secret shares of the value 0; each state looks the same.
61
Online Phase. k parties; a global input for all parties.
62
Reconstruction. The dealer collects all shares from every party. The correct final state is associated with a shared 1; all other states are associated with a shared 0.
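The permutation-FSA case end to end (initialization, non-interactive online phase, reconstruction), as an added example that is not code from the paper. Each party holds one vector of shares indexed by state; an input symbol simply permutes the positions of that vector, so no party ever needs to talk to another, and the dealer finds the state whose shares sum to 1. The four-state automaton, the k-out-of-k additive sharing mod a prime (the slides do not fix a scheme) and the input streams are my assumptions for the example.

```python
# Added example (not the paper's code): perennial private execution of a
# permutation automaton by k non-communicating parties.
import secrets

P = 2**61 - 1                                  # field for the additive shares (assumption)
STATES = ["S1", "S2", "S3", "S4"]
# Constructed permutation automaton: alpha is a 4-cycle, beta swaps S1<->S2 and S3<->S4
PERMS = {
    "alpha": {"S1": "S2", "S2": "S3", "S3": "S4", "S4": "S1"},
    "beta":  {"S1": "S2", "S2": "S1", "S3": "S4", "S4": "S3"},
}

def additive_share(value, k):
    """k-out-of-k additive sharing mod P: any k-1 shares are uniformly random."""
    parts = [secrets.randbelow(P) for _ in range(k - 1)]
    parts.append((value - sum(parts)) % P)
    return parts

def init_parties(initial_state, k):
    """Dealer: share 1 at the initial state and 0 everywhere else; party j gets one vector."""
    vectors = [additive_share(1 if s == initial_state else 0, k) for s in STATES]
    return [{s: vectors[i][j] for i, s in enumerate(STATES)} for j in range(k)]

def party_step(memory, symbol):
    """Online phase, no communication: the permutation moves shares between positions."""
    return {PERMS[symbol][s]: v for s, v in memory.items()}

def reconstruct(parties):
    """Dealer sums the shares per position; the one position holding 1 is the final state."""
    totals = {s: sum(p[s] for p in parties) % P for s in STATES}
    (state,) = [s for s, v in totals.items() if v == 1]
    assert all(v == 0 for s, v in totals.items() if s != state)
    return state

def run(initial_state, stream, k=5):
    parties = init_parties(initial_state, k)
    for symbol in stream:                      # the same global input reaches every party
        parties = [party_step(m, symbol) for m in parties]
    return reconstruct(parties)

def run_in_clear(initial_state, stream):
    """Reference execution of the automaton without sharing."""
    s = initial_state
    for symbol in stream:
        s = PERMS[symbol][s]
    return s
```

A reset symbol would not fit this loop: mapping every position to one target is not a permutation of the share vector, which is why the full scheme decomposes the FSA into permutation and reset components.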
63
The Full Solution
64
What's Missing? Not every FSA is a permutation FSA! Our plan: – decompose the FSA into simple components: permutation FSA and reset FSA
65
Reset Automaton (figure: states S1, S2, S3, S4 with inputs α and β; a reset symbol sends every state to the same fixed state)
66
Cascade/Wreath Product. A sequence of n automata FSA_1, …, FSA_n with current states s_1, …, s_n. The component input of FSA_i is a function of the global input σ and the current states of the earlier components: σ_i = φ_i(σ, s_1, …, s_{i−1})
67
Homomorphic Representation. The cascade product represents some FSA A: a mapping between states, ψ(s_1, …, s_n) = s, that is preserved for every input; the cascade can be used instead of A
68
Krohn-Rhodes Theory. [Krohn-Rhodes 1962, 1965]: every FSA can be homomorphically represented by a cascade of permutation FSAs and reset FSAs. [Zeiger 1967, Eilenberg 1976], the holonomy decomposition: for an n-state FSA A, a cascade of ≤ n levels with ≤ n states in each component
69
Initialization: Decomposition. Dealer input: automaton A and initial state S. Decompose A into a cascade of permutation and reset FSAs, a permutation FSA with initial state s_i, a reset FSA with initial state s_j, …, such that ψ(s_1, …, s_n) = S
70
Initialization: Secret Sharing. k instances. Permutation FSA: secret shares of the value 1 at its initial state and secret shares of the value 0 elsewhere, so each state looks the same. Reset FSA: a secret share of 1 for the correct reset, secret shares of 0 for the other resets
71
Party Input. k parties; each receives the decomposition of A into permutation and reset FSAs, the cascade functions φ_1, …, φ_{n−1}, and the secret shares of one instance
72
Party Initialization. Each party builds a tree: a permutation component has one child per state, a reset component has one child per FSA; every path is a cascade representing A; the correct path carries the shares of 1
73
Online Phase. σ_i = φ_i(σ, s_1, …, s_{i−1}); σ_{i+1} = φ_{i+1}(σ, s_1, …, s_i); along a path with the alternative candidate t_i for the i-th state, σ_{i+1} = φ_{i+1}(σ, s_1, …, t_i)
74
Reconstruction. The dealer collects the shares, reconstructs the shares of 1 layer by layer, obtains s_1, …, s_n, and computes s = ψ(s_1, …, s_n)
75
Example: Gen. Decision Tree
76
Summary. A scheme for perennial computation of every FSA. Complexity depends on the complexity of the Krohn-Rhodes decomposition of the FSA – linear for certain interesting cases – n! in the worst case. Complexity measures – size of the FSA (space) – number of transitions per original transition (time). Bridging of two "worlds": IT cryptography and automata theory
77
Thank You!!!