Secure Computation (Lecture 2) Arpita Patra. Vishwaroop of MPC.


1 Secure Computation (Lecture 2) Arpita Patra

2 Vishwaroop of MPC

3 Expanding the scope of MPC. Dimension 1: Any polynomially computable function can be computed securely.
>> So far you have seen how to compute addition and bit multiplication securely
>> less than, equal to, greater than
>> AES encryption function
>> any encryption function (key and message in different locations, or shared)
>> satellite collision probability computation function
>> set intersection
>> ………

4 Two models of computation. Secure circuit evaluation: nothing other than the output gate value will be revealed.
>> Boolean circuit (AND, OR, NOT, XOR): inputs are bits
>> Arithmetic circuit over a finite field (addition and multiplication): inputs are field elements
(figure: the same four-input function f(x1, x2, x3, x4) drawn once as an arithmetic circuit of + and × gates and once as a Boolean circuit of ∧ and ∨ gates)

5 Which one will you prefer? Dimension 1: Any polynomially computable function can be computed securely.
It depends on the f that you want to compute.
>> f(x1, x2) = x1 + x2 with x1, x2 from F5: a single + gate as an arithmetic circuit over the finite field, but more than one gate as a Boolean circuit (AND, OR, NOT, XOR)
>> Non-linear operations (comparison, greater than, etc.) are more concisely represented in a Boolean circuit

6 Which one will you prefer? Dimension 1: Any polynomially computable function can be computed securely.
>> Boolean circuits (AND, OR, NOT, XOR) and arithmetic circuits over a finite field (addition and multiplication): huge body of work
>> Combination (B + A): very little work so far; scope for research

7 Expanding the scope of MPC. Dimension 2.1: Varieties of network (complete vs. incomplete).
Complete network:
>> Most of the works are in this model
>> Practical for applications involving very few parties (less than 10)
Incomplete network:
>> Very little explored
>> Practical for applications where billions can participate (e-election)

8 Expanding the scope of MPC. Dimension 2.2: Varieties of network (synchronous vs. asynchronous).
Synchronous network:
>> Global clock
>> Channels have a fixed delay
>> A party knows how long to wait
(figure: one party computes and sends x, the other waits to receive x)

9 Asynchronous network:
>> No global clock
>> Channels have an arbitrary yet finite delay
>> A party does not know how long to wait
(figure: one party computes and sends x, the other waits to receive x)

10 Asynchronous network: no global clock, channels have an arbitrary yet finite delay, and a party does not know how long to wait. Is the sender cheating or just slow? The receiver cannot tell, so at some point it has to stop waiting: "Oh! I have to drop the message."

11 Asynchronous network: n parties, and t of them may cheat.
>> A party cannot wait for all n messages, else it may wait endlessly (a cheating party may never send)
>> It can afford to wait to hear from (n − t) parties
>> But this leads to ignoring the messages of up to t honest parties

12 Secure addition y = x1 + x2 + x3 (assume n = 3 parties) in the asynchronous setting.
Protocol: each Pi splits its input into three shares with xi = xi1 + xi2 + xi3 and sends shares to the other parties; each party adds the shares it holds into partial sums s1, s2, s3, and y = s1 + s2 + s3.
(figure: the share matrix x11 … x33 and the partial sums s1, s2, s3 held by P1, P2, P3)
One of the parties may cheat, and the others cannot tell a cheater from a slow party, so they cannot wait for everybody's shares. This simple protocol does not work! No protocol with n parties, t of which may cheat, works when n ≤ 3t. No input provision!

13 Expanding the scope of MPC. Dimension 2.3: Varieties of network (synchronous vs. asynchronous vs. hybrid).
Synchronous network:
>> Most of the works are in this model
>> Simple to comprehend
>> Models a small local network
Asynchronous network:
>> Less explored
>> Models real-life networks better than the synchronous network
>> Hard and challenging to deal with
>> Many impossibility results
>> Scope of work
Hybrid network (synchronous up to some point and asynchronous afterwards):
>> Very little explored again
>> Models real-life networks better than the synchronous network
>> Some of the impossibility results of the asynchronous network are shown to be possible here
>> Scope of work

14 Expanding the scope of MPC. Dimension 3: Modelling distrust.
(figure: the three-party secure addition again, x = x1 + x2 + x3 computed from the share matrix x11 … x33 via the partial sums s1, s2, s3)
This protocol is protected against a single curious party. What if the parties are curious and join hands?

15 Expanding the scope of MPC. Dimension 3: Modelling distrust (centralized vs. decentralized). To model this, we assume that there is a single monolithic/centralized entity, called the adversary (A), who controls a number of the n parties. Bad people work together.

16 Redefine MPC:
>> n parties P1, ..., Pn; 'some' of them are corrupted by A
>> A common n-input function f
>> Pi has private input xi
Goals:
>> Correctness: compute y = f(x1, x2, ..., xn)
>> Privacy: nothing more than y is leaked to A

17 Secure addition y = x1 + x2 + x3 + x4 with n = 4 and t = 2.
(figure: each Pi splits xi into four shares xi1 … xi4; in the sharing pictured every party holds all but one of the four shares of each input, computes the partial sums it can, and y = s1 + s2 + s3 + s4)
Any two parties together hold all four shares of every input. Can you modify the secret sharing and tolerate a coalition of two?

18 Secure addition y = x1 + x2 + x3 + x4 with n = 4 and t = 2.
Modified sharing: each Pi splits xi into four shares and gives exactly one share xij to each Pj; Pj adds the four shares x1j + x2j + x3j + x4j = sj that it holds, the partial sums are exchanged, and y = s1 + s2 + s3 + s4.
All the parties together hold the secret. Any two parties hold no information about the secret.
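The two sharings of slides 17 and 18, run end to end, as an added example that is not code from the lecture. The field modulus P, the input values and the function names are assumptions; the replicated sharing is written for general n rather than only the n = 4 of the slide. `secure_sum` is the slide-18 protocol and returns each party's view, so a coalition's knowledge can be counted; `replicated_share` is the "every party misses one share" sharing of slide 17 (and, for n = 3, of slides 12 and 14), where pooling two parties' shares reconstructs the input.

```python
"""Secure addition with additive secret sharing over F_P, and the coalition
check behind slides 14, 17 and 18.  Added example, not the lecture's code; the
modulus P and the inputs are assumptions."""
import secrets

P = 2**61 - 1  # assumption: a prime field modulus; the slides fix no field


def additive_share(x, n):
    """Return shares x_1..x_n with x = x_1 + ... + x_n (mod P);
    all but the last share are uniformly random."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % P)
    return shares


def secure_sum(inputs):
    """Semi-honest n-party secure addition (slide 18 sharing).

    P_i splits x_i into n shares and hands x_ij to P_j (keeping x_ii).
    P_j adds the n shares it holds into s_j, the s_j are exchanged and every
    party outputs y = s_1 + ... + s_n.  Returns y and each party's view."""
    n = len(inputs)
    held = [dict() for _ in range(n)]          # held[j][i] = x_ij
    for i, x in enumerate(inputs):
        for j, x_ij in enumerate(additive_share(x % P, n)):
            held[j][i] = x_ij
    s = [sum(held[j].values()) % P for j in range(n)]
    y = sum(s) % P
    views = [{"held": held[j], "s": s} for j in range(n)]
    return y, views


def shares_seen_by(views, coalition, i):
    """Number of shares of x_i that the colluding parties hold.  Every missing
    share is uniformly random, so fewer than n shares reveal nothing about x_i."""
    return sum(1 for j in coalition if i in views[j]["held"])


def replicated_share(x, n):
    """The sharing drawn on slide 17 (and, for n = 3, slides 12/14):
    x = a_1 + ... + a_n and P_j holds every share except a_j.
    Returns the holdings of P_1..P_n as dicts {share index: value}."""
    a = additive_share(x % P, n)
    return [{k: a[k] for k in range(n) if k != j} for j in range(n)]


def pool_and_reconstruct(holdings, coalition, n):
    """Pool a coalition's shares; x is recovered iff all n shares are present.
    One party always misses a share, but any two parties together hold all n."""
    pooled = {}
    for j in coalition:
        pooled.update(holdings[j])
    return sum(pooled.values()) % P if len(pooled) == n else None


if __name__ == "__main__":
    xs = [5, 7, 11, 13]                                    # constructed inputs
    y, views = secure_sum(xs)
    print(y, shares_seen_by(views, {2, 3}, 0))             # 36 2
    h = replicated_share(42, 4)
    print(pool_and_reconstruct(h, {0}, 4), pool_and_reconstruct(h, {0, 1}, 4))  # None 42
```

With the slide-18 sharing a coalition of P3 and P4 sees only two of the four shares of x1 (and of every other input), and only the total y is public; with the slide-17 sharing the same two parties hold all four shares of x1 and simply add them up.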

19 Expanding the scope of MPC. Dimension 4.1: Various characteristics of the adversary A (threshold vs. non-threshold).
Threshold: A can corrupt at most t out of the n parties (n: total number of participating parties; t: threshold; t < n).
>> Most of the works are in this model because of its simplicity
Non-threshold: the adversary's behaviour is captured by a set of subsets of parties; A can corrupt all the parties of any one of these subsets. E.g. P = {P1, P2, P3}, A = {{P1}, {P2, P3}}.
>> Generalization of threshold
>> Less explored
>> Models real-life scenarios
>> Very non-intuitive
>> Needs non-threshold secret sharing

20 Expanding the scope of MPC. Dimension 4.2: Various characteristics of the adversary A (polynomially bounded vs. unbounded powerful).
Polynomially bounded: A has polynomial computing power.
>> Well explored
>> Relies on cryptography based on number-theoretic hard problems
>> Cryptographic/computational security
Unbounded: A has unbounded computing power.
>> Well explored
>> Does not rely on any hard problem
>> Even if A has quantum computers, it cannot break privacy: very strong security
>> Information-theoretic security
>> Impossibility results for n ≤ 2t
One of the earlier demarcations made in the study of MPC. We will see both types of protocols in the course.

21 Secure bit multiplication y = x1 · x2 with (n = 2, t = 1) using crypto.
P1 (holding x1) acts as the sender of a 1-out-of-2 OT with the two messages (0, x1); P2 (holding x2) acts as the receiver with choice bit x2 and obtains the message x1 · x2, learning nothing about the other one, while P1 learns nothing about x2.
OT CANNOT be realized information-theoretically!

22 Secure bit multiplication y = x1 · x2 with (n = 2, t = 1), i.t. security.
P1 splits x1 = x11 + x12 and sends x12 to P2; P2 splits x2 = x21 + x22 and sends x21 to P1.
y = x1 · x2 = (x11 + x12) · (x21 + x22) = x11 · x21 + x11 · x22 + x12 · x21 + x12 · x22
P1 can compute x11 · x21 locally and P2 can compute x12 · x22 locally, but each cross term x11 · x22 and x12 · x21 needs a share held only by the other party. We can use OT to compute those summands, but then we use crypto!
AND cannot be computed information-theoretically with n ≤ 2t!

23 Secure multiplication y = x1 · x2 with (n = 3, t = 1), i.t. security.
Sharing: x1 = x11 + x12 + x13 and x2 = x21 + x22 + x23, where every party holds all but one share of each input: P1 holds (x12, x13) and (x22, x23), P2 holds (x11, x13) and (x21, x23), P3 holds (x11, x12) and (x21, x22).
y = x1 · x2 = (x11 + x12 + x13) · (x21 + x22 + x23) = x11 · x21 + x11 · x22 + x11 · x23 + x12 · x21 + x12 · x22 + x12 · x23 + x13 · x21 + x13 · x22 + x13 · x23
Each party multiplies shares it holds, so that the nine terms are covered exactly once:
s1 = x12 · x22 + x12 · x23 + x13 · x22
s2 = x11 · x23 + x13 · x21 + x13 · x23
s3 = x11 · x21 + x11 · x22 + x12 · x21
Can the parties simply exchange s1, s2, s3? If P1 is corrupted, it can learn x2 irrespective of the value of x1! How? This breaches privacy, since P1 is not supposed to learn x2 when x1 = 0.
Instead, use the three-party protocol for sum to compute y = s1 + s2 + s3, where s1, s2, s3 act as the secret inputs.
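The slide-23 protocol over a prime field, followed by the answer to its "How?", as an added example that is not code from the lecture. The modulus P, the input values, the function names and the particular cheating shares are assumptions. A corrupted P1 that is allowed to see s3 in the clear chooses its own shares as (x11, x12, x13) = (0, 1, x1 − 1): P3's honest s3 = x11 · x21 + x11 · x22 + x12 · x21 then collapses to x21, and since P1 already holds x22 and x23 it reads off x2 for any x1, including x1 = 0.

```python
"""Three-party multiplication over F_P with the slide-23 sharing, and the
privacy breach if s_1, s_2, s_3 are exchanged in the clear.  Added example,
not the lecture's code; the modulus P and the inputs are assumptions."""
import secrets

P = 2**61 - 1  # assumption: a prime field modulus; the slides fix no field


def share3(x, chosen=None):
    """x = a_1 + a_2 + a_3 (mod P).  P1 holds (a_2, a_3), P2 holds (a_1, a_3),
    P3 holds (a_1, a_2): every party misses exactly one share.
    `chosen` lets a corrupted dealer pick its shares instead of random ones."""
    a = chosen
    if a is None:
        a = [secrets.randbelow(P) for _ in range(2)]
        a.append((x - sum(a)) % P)
    assert sum(a) % P == x % P
    return [{k: a[k] for k in range(3) if k != j} for j in range(3)]


# Which products a_k * b_l party P_j forms from the shares it holds (0-based
# indices).  The three lists cover the nine terms of (a1+a2+a3)(b1+b2+b3)
# exactly once, as on the slide:
#   s_1 = a2 b2 + a2 b3 + a3 b2, s_2 = a1 b3 + a3 b1 + a3 b3, s_3 = a1 b1 + a1 b2 + a2 b1
TERMS = {0: [(1, 1), (1, 2), (2, 1)],
         1: [(0, 2), (2, 0), (2, 2)],
         2: [(0, 0), (0, 1), (1, 0)]}


def local_products(h1, h2, j):
    """s_j: P_j multiplies the shares of x1 (h1) and x2 (h2) that it holds."""
    return sum(h1[j][k] * h2[j][l] for k, l in TERMS[j]) % P


def secure_mult(x1, x2):
    """Honest run: s_1 + s_2 + s_3 = x1 * x2.  In the real protocol the s_j
    are fed as secret inputs to the secure sum rather than published."""
    h1, h2 = share3(x1), share3(x2)
    s = [local_products(h1, h2, j) for j in range(3)]
    return sum(s) % P


def corrupt_p1_learns_x2(x1, x2):
    """If s_1, s_2, s_3 are published, corrupted P1 picks a = (0, 1, x1 - 1).
    P3's honest s_3 = a1 b1 + a1 b2 + a2 b1 = b1, and P1 already holds b2 and
    b3, so it recovers x2 = b1 + b2 + b3 whatever x1 is (even x1 = 0)."""
    h1 = share3(x1, chosen=[0, 1, (x1 - 1) % P])   # assumption: cheating shares
    h2 = share3(x2)
    s3 = local_products(h1, h2, 2)          # computed honestly by P3
    b1 = s3
    return (b1 + h2[0][1] + h2[0][2]) % P   # h2[0] is what P1 holds of x2


if __name__ == "__main__":
    print(secure_mult(6, 7))                # 42
    print(corrupt_p1_learns_x2(0, 12345))   # 12345
```

The same term assignment works for any prime field, not only for bits; what fails is not the multiplication but publishing the partial sums, which is why the slide feeds s1, s2, s3 into the secure sum instead.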

24 Expanding the scope of MPC. Dimension 4.3: Various characteristics of the adversary A (semi-honest vs. malicious vs. covert).
Passive/semi-honest: A is a passive observer; it eavesdrops on the corrupted parties, which still follow the protocol.
>> Well explored
>> Often acts as a starting point for malicious protocols
Active/malicious: A takes full control over the corrupted parties.
>> Well explored
>> The final goal
>> Demands a whole lot of new primitives: commitment, zero-knowledge proofs, Byzantine agreement/broadcast
Covert: A behaves maliciously only when its probability of getting caught is low.
>> Very little explored
>> More efficient solutions than maliciously secure protocols
>> Scope of work
One of the earlier demarcations made in the study of MPC. First half of the course: semi-honest. Second half: malicious.

25 Secure addition y = x1 + x2 + x3 with n = 3 and t = 1 in the malicious setting.
(figure: each Pi keeps xi1 … xi3 minus the shares it sends, giving xij to Pj; Pj adds x1j + x2j + x3j = sj; the partial sums are exchanged and y = s1 + s2 + s3)
P1, under the influence of A, may not send its shares to the others at all!

26 Secure addition y = x1 + x2 + x3 with n = 3 and t = 1 in the malicious setting.
(figure: the same protocol; when the partial sums are exchanged P1 sends s1 to P2 but a different value s′1 to P3)
A can make P2 and P3 output different sums: P2 outputs y = s1 + s2 + s3 while P3 outputs y′ = s′1 + s2 + s3.
If you are thinking that the problem can be resolved by exchanging the outputs, you are absolutely wrong!
Primitive 3 (Byzantine agreement/broadcast): another fundamental building block of MPC.
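The slide-26 attack and the failed "exchange the outputs" fix, as an added example that is not code from the lecture. The modulus P, the inputs, the offset the cheater adds and the function names are assumptions. `sum_with_equivocating_p1` runs the three-party sum with P1 revealing one value of s1 to P2 and another to P3; `exchange_outputs_and_vote` then lets the three parties announce their outputs and take a majority, with P1 again telling each honest party what it wants to hear, so the honest parties still disagree.

```python
"""Slide-25/26 failure modes of the three-party secure sum under a malicious
P1, and why exchanging outputs does not repair it.  Added example, not the
lecture's code; the modulus P and the inputs are assumptions."""
import secrets

P = 2**61 - 1  # assumption: a prime field modulus; the slides fix no field


def additive_share(x, n):
    """x = x_1 + ... + x_n (mod P); all but the last share uniformly random."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % P)
    return shares


def sum_with_equivocating_p1(inputs, delta):
    """Honest P2, P3 and a corrupted P1 run the secure sum.  The shares x_ij
    are distributed correctly, but when the partial sums are revealed P1 sends
    s_1 to P2 and s_1 + delta to P3.  Returns (P2's output, P3's output);
    delta = 0 is an honest run.  Withholding s_1 altogether (slide 25) would
    instead leave both honest parties without any output."""
    n = 3
    held = [dict() for _ in range(n)]           # held[j][i] = x_ij
    for i, x in enumerate(inputs):
        for j, x_ij in enumerate(additive_share(x % P, n)):
            held[j][i] = x_ij
    s = [sum(held[j].values()) % P for j in range(n)]
    y_p2 = (s[0] + s[1] + s[2]) % P
    y_p3 = (s[0] + delta + s[1] + s[2]) % P
    return y_p2, y_p3


def majority(votes):
    """Value announced by the most parties (no ties occur with three voters)."""
    return max(set(votes), key=votes.count)


def exchange_outputs_and_vote(y_p2, y_p3):
    """The tempting fix: all three announce their outputs and take a majority.
    P1 equivocates again, telling P2 "I got y_p2" and P3 "I got y_p3".  Each
    honest party then sees two votes for its own value and one for the other,
    so both keep their (different) outputs.  Agreement needs broadcast."""
    seen_by_p2 = [y_p2, y_p3, y_p2]   # own, from P3, from P1
    seen_by_p3 = [y_p3, y_p2, y_p3]   # own, from P2, from P1
    return majority(seen_by_p2), majority(seen_by_p3)


if __name__ == "__main__":
    y2, y3 = sum_with_equivocating_p1([1, 2, 3], 5)   # constructed inputs
    print(y2, y3)                                      # 6 11
    print(exchange_outputs_and_vote(y2, y3))           # (6, 11)
```

Point-to-point channels let P1 say different things to different parties at every round, so no further exchange of values over the same channels can force P2 and P3 to agree; that is what the broadcast primitive of the next lectures provides.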
