Presentation is loading. Please wait.

Presentation is loading. Please wait.

Collusion-Free Multiparty Computation in the Mediated Model

Published byRaymond Camron Parker Modified over 8 years ago

Similar presentations

Presentation on theme: "Collusion-Free Multiparty Computation in the Mediated Model"— Presentation transcript:

1 Collusion-Free Multiparty Computation in the Mediated Model
Joël Alwen (NYU) Jonathan Katz (U. Maryland) Yehuda Lindell (Bar-Ilan U.) Giuseppe Persiano (U. Salerno) abhi shelat (U. Virginia) Ivan Visconti (U.Salerno)

2 Crime Organized Crime Standard Crypto Model:
Single adversary coordinating all corrupted parties.

3 Why Standard Crypto Model Assumes Organized Crime
Intuition: Protect against strongest adversary On the other hand, unclear how to avoid it in standard communication models.

4 How to Coordinate Security requires randomness
Randomness enables side channels Side channels imply collusion ERGO, organized crime.

5 Collusion-free protocol
“The protocol does not introduce any opportunities for parties to collude.”

6 Solution Concept Problem: “Randomness enables side channels”
Standard Model broadcast Problem: “Randomness enables side channels” Solution: Re-Randomize

7 Mediated Model Mediator (aka Router) But not a TRUSTED PARTY

8 Main Results Improved definition of Collusion-free
Give protocol compilers CP and CA: CP(π) securely cf-realizes F Mediated Model Public PKI Setting π securely realizing F Standard security With broadcast CA(π) securely cf-realizes F Mediated Model Anonymous PKI Setting Result: Collusion-free computation for any n-party functionality.

9 Motivation: Auction Parties: n bidders, auction house
Collusion: Bidders decide amongst themselves who is willing to bid the most. Winner bids 1$, rest bid 0$. Result: auction house’s commission diminished Ideal 2-Adv Bidder 1 Value: 101 $ Bid:1$ Auction House 10% commission: with collusion = .1$ w/o collusion = 10.1$ Bidder 2 Value: 100 $ Bid:0$

10 Motivation: Applications to Game Theory
Implementing Nash Equilibria Weak Stability: Unilateral deviations are irrational. Playing Bayesian Games i.e. games with secret input e.g. valuation of an item by a bidder in an auction Playing games of Imperfect Information i.e. games in which players do have full knowledge of the current global state. e.g. hidden cards in opponents hand in poker More generally: Playing Mediated Games i.e. games with isolated players talking only to a trusted mediator

11 + Previous Work Main Goal: Enforce isolation. Avoid steganography.
Steg.-free Signatures: [S83,D96,S96,BDI+96,BS05] Collusion Free MPC: Verifiable Determinism Initiated by Lepinski, Micali, shelat at STOC’05 Other works [LMS05b, ILM05, ILM08] Make use of strong physical assumptions New Approach: Rerandomization [ASV08] In the Mediated Model Network model still strong assumption But allows for computation with Turing Machines Commitments and Zero Knowledge +

12 Definitions

13 Multiparty Computation “Protocol  realizes functionality F”
Ideal Players Real Players Get Private Input Send it to “Ideal Functionality” F Receive Private Output Get Private Input Interact (run protocol ) Compute Private Output F F can be probabilistic, and/or reactive with a secret persistent internal state.

14 (Traditional) Monolithic Adversary
Model Real: All corrupt real parties controlled by a single malicious adversary. Model Ideal: All corrupt ideal parties controlled by a single simulator. View F output FakeView  is secure (power preservation) if for any malicious adversary there exists a simulator that outputs a (fake) view such that: {FakeView, Ideal-I/O}  {View,Real-I/O}

15 Modeling Collusion Free MPC
Idea: Corrupt players act independently. Each has its own simulator. Joint “fake views” still remain indistinguishable. View FakeView F { {FakeView}, Ideal-I/O}  { {View}, Real-I/O} Anything they can compute together with  they can also compute with F.

16 The Mediated Model  New Communication Model
Communication channel modeled as turing machine (called mediator) The mediator can also have input to F Ideal World Real World F F : Uncorruptable (ideal) functionality : Honest parties do not use blue communication lines (corrupted ones can) : Mediator honest  ideal players separate Mediator corrupt  standard security (monolithic adversary)

17 Establishing Identities
We explore two settings: Anonymous Setting: Identities setup after inputs determined Achieves stronger notion of collusion-freeness. Requires more trust in mediator Implementation: Parties generate key pairs and send their public key to mediator. For each player the Mediator sends a vector of fresh independent commitment to all public keys. Public PKI Setting: PKI setup before inputs determined Each player knows the identity (public keys) of all other payers involved in the execution. More practical (realistic). Parties generate keys and send public keys to trusted setup TTP. TTP redistributes all public keys consistently. Note: Neither setting requires honest key generation or proof of knowledge of the secret key.

18 Assumptions and Tools π is n-party protocol Primitives
Securely computes F. Plain model with broadcast channel W.l.o.g. assume all messages sent via broadcast. Primitives Signatures. Perfectly binding Commitments. 2-party (bounded) concurrently self-composable protocols. SFE. ZK protocol.

19 Key: sk, Coins: r, Input: x
High Level Idea Jointly emulate an execution of π. Mediator maintains list of π-messages received by each player. Players maintain only their random tapes, signing keys, and inputs to π. Emulation proceeds as a sequence of two party computations between a player and the mediator. Emulating round j+1 of π. Compute message mj+1 of π: Emulate broadcast of m’j+1 := (mj+1,j+1). Msgs := (m1,…,mj) Sigs := (1,…, j) Key: sk, Coins: r, Input: x Com(Msgs,Sigs) Fnext-msg Dec(Msgs, Sigs) Pi M mj+1 := Pi(x,m1,…,mj;r) j+1 := Sig(mj+1,sk)

20 Mediated Broadcast Functionality
P1 “Abort bit” b1 Msg: m Output Set: H[n] Com1(S1) FMed.-Bcast M “Abort bit” b1 Deci(Si) Com1(S1) Pn If at least one Pi set bi = 1 then all Si :=  If iH then Si :=  Else Si := m

21 Mediated Broadcast 1. Deliver 2. Sign 3. Commited Broadcast
ski, vk1,…, vkn independent skj, vk1,…, vkn ci  com(m) cj  com(m) 1. Deliver σi  sig(ski, ci) σj  sig(skj, cj) 2. Sign c'i  com(σ 1,…, σ n) c‘j  com(σ 1,…, σ n) 3. Commited Broadcast independent ZK Statement: c' is com of (valid) sig of com of same message 4. ZK Proof

22 Side-channels SFE input privacy, Com hiding and ZK properties imply π-messages (nor sigs) ever seen by players.  Players views remain independent of each other until output is delivered. Using aborts to communicate [ASV08] allows log(# rounds) bits of communication via aborts. This work: 1 bit at end of computation. How: Mediator uses default messages for aborting party and emulation of π continues until output delivery. Result: Round # of abort remains hidden. Only bit communicated is that an abort occurred at some point.

23 Honest but Curious Mediator
π secure against passive (eves dropping) adversary & 2-party SFE’s input privacy  Mediator learns nothing about I/O of players. Mediator removes side channels.  Corrupt players can not communicate or coordinate. Result: Compiled protocol is a collusion-free secure realization of F.

24 Corrupt Mediators Mediator controls scheduling
 Require bounded (by n) concurrent security for 2-party SFEs and for ZK. π secure against active adversary  F realized faithfully. (Correctness)  Privacy of honest players maintained. Corrupt players can communicate via corrupt mediator.  Security falls back to standard monolithic adversary security.

25 Open Problems Efficient constructions (esp. for specific functionalities such as auctions). Alternative (yet more realistic) models where similar results are possible. Security & Collusion-Freeness under stronger composition. Anonymous settings with reduced trust in mediator for setup phase.

Download ppt "Collusion-Free Multiparty Computation in the Mediated Model"

Similar presentations

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Survey: Secure Composition of Multiparty Protocols Yehuda Lindell Bar-Ilan University.

Survey: Secure Composition of Multiparty Protocols Yehuda Lindell Bar-Ilan University.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.

Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.

1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Similar presentations

Ads by Google