Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Computation Lecture 17-18 Arpita Patra. Recap >Three orthogonal problems- (n,t)-sharing, reconstruction, multiplication protocol > Verifiable Secret.

Published byDavid McDowell Modified over 8 years ago

Similar presentations

Presentation on theme: "Secure Computation Lecture 17-18 Arpita Patra. Recap >Three orthogonal problems- (n,t)-sharing, reconstruction, multiplication protocol > Verifiable Secret."— Presentation transcript:

1 Secure Computation Lecture 17-18 Arpita Patra

2 Recap >Three orthogonal problems- (n,t)-sharing, reconstruction, multiplication protocol > Verifiable Secret Sharing (VSS) will take care first two problems >> i.t (perfect) MPC in malicious Setting >> Verifiable Secret Sharing (VSS) > Definition (Secrecy, Correctness, Strong Commitment) > Properties of Bivariate polynomial > Six round construction based on bivariate poly with n > 3t > Four round construction with minor tweaks > Reconstruction from error correction of RS codes- will be discussed today

3 i.t Multi-party Computation [BGW]     215934845 144 3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other 3 Non-linear gate: Require degree- reduction Technique. Interactive 2. Find (n, t)-sharing of each intermediate value 1.(n, t)- secret share each input Linear gates: Linearity of Shamir Sharing - Non-Interactive

4 Definition of VSS [CGMA85] Extends Secret Sharing to the case of malicious corruption Secret s Dealer v1v1 v2v2 v3v3 v n Sharing Phase Reconstruction Phase Secret s … s is secure s is committed

5 Secrecy Correctness Strong Commitment –If D is honest, then A t has no information about secret s during the Sharing phase –If D is honest, then secret s will be correctly reconstructed during reconstruction phase –Corrupted D commits a unique s* - s* should be uniquely reconstructed  n parties P = {P 1, …, P n }, dealer D (e.g., D = P 1 )  t corrupted parties (possibly including D)  A t Definition of VSS [CGMA85] Continued..

6 Bivariate Polynomial and its properties Claim1: t F(x,i)’s and t F(i,y)’s will leak NO info about F(0,0). Claim2: (t+1) F(x,i)’s or (t+1) F(i,y)’s completely determine F(x,y). F(1,1)F(1,2).F(1,i).F(1,n) F(2,1)F(2,2).F(2,i)F(2,n)...... F(i,1)F(i,2).F(i,i).F(i,n)...... F(n,1)F(n,2)F(n,i)F(n,n) g 1 (y) = F(1,y) g 2 (y) = F(2,y) g i (y) = F(i,y) g n (y) = F(n,y) f 1 (x) = F(x,1) f i (x) = F(x,i)f n (x) = F(x,n) F(x,y) of degree atmost (t,t) Claim3: g i (j) = f j (i) = F(i,j) and g j (i) = f i (j) = F(j,i)

7 Four Round VSS- D’s Distribution F(1,1)F(1,2).F(1,i).F(1,n) F(2,1)F(2,2).F(2,i)F(2,n)...... F(i,1)F(i,2).F(i,i).F(i,n)...... F(n,1)F(n,2)F(n,i)F(n,n) g 1 (y) = F(1,y) g 2 (y) = F(2,y) g i (y) = F(i,y) g n (y) = F(n,y) f 1 (x) = F(x,1) f i (x) = F(x,i)f n (x) = F(x,n) F(x,y) of degree atmost (t,t) s.t. s = F(0,0) P1P1 P1P1 P2P2 P2P2 PiPi PiPi PnPn PnPn

8 Four Round VSS- Verification, Complaint & Resolution f i (x) = F(x,i) g i (y) = F(i,y) f j (x) = F(x,j) g j (y) = F(j,y) PiPi PjPj f i (j) = g j (i) = F(i,j) g i (j) = f j (i) = F(j,i) Every pair of honest parties’ polynomials are pairwise consistent

9 Four Round VSS- Output share g 1 (0) g 2 (0) g i (0) g n (0) P1P1 P2P2 PiPi PnPn f 0 (x) = Two level sharing- each Shamir share is also Shamir-shared g i (1) = f 1 (i) g i (2) = f 2 (i) g i (i) = f i (i) g i (n) = f n (i) = F(1,0) = F(2,0) = F(i,0) = F(n,0) F(x,0) f 0 (0) = F(0,0) = s Note: D can choose the polynomial with which it wants to (n,t)-share its secret as f(x) and then choose F(x,y) such that F(x,0) = f(x) and then do VSS using F(x,y)

10 Reconstruction Phase (Error Correction of Reed-Solomon Codes) f(1) f(2) f(i) f(n) P1P1 P2P2 PiPi PnPn (n,t+1)-RS code (over field F, |F| > n): Encoding: Given a message block of t+1 field elements, m 0,m 1,…m t, define f(x) = m 0 + m 0 x + ……+ m t x t C = (f(1),f(2),….,f(n)) Distance d of (n,t+1)-RS code is: n-t Theorem: (n,t+1) RS code can correct x errors if d > 2x With n > =3t+1, d > 2t, so we can correct t errors

11 Berlekamp-Welch Error Correction Algorithm for RS Codes f(1) f(2) f(i) f(n) P1P1 P2P2 PiPi PnPn r(x): Polynomial defined by the broadcasted points (degree at most 3t) f(x): Actual Polynomial (degree at most t). e(x): Error polynomial (x-e 1 )(x-e 2 )….(x-e t ) : e 1, e 2, … e t from {1,..,n} (degree t) f(x)e(x) = r(x)e(x) at x = 1,2…..n Let f(x)e(x) = q(x) (degree 2t) Find f(x) = Find e(x) Unknowns: Equations: Coefficients of q(x) and e(x) 3t+1 solving system of linear equations reduces to (publicly known) matrix multiplication Not claiming the LHS and RHS polynomials are same. They are same at x= 1,2…..n q(x) = r(x)e(x) at x = 1,2…..n q(x) and e(x) are unknown Goal is to find this poly How to find e(x)?- Solving system of linear equations

12 Distributed Error Correction of RS Codes linear operations f(1) f(2) f(i) f(n) P1P1 P2P2 PiPi PnPn f(1)f(2)f(i)f(n) Co-eff of e(x)

13 i.t Multi-party Computation     215934845 144 3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other 3 Non-linear gate: Require degree- reduction Technique. Interactive 2. Find (n, t)-sharing of each intermediate value 1.(n, t)- secret share each input Linear gates: Linearity of Shamir Sharing - Non-Interactive

14 Secure Multiplication Gate Evaluation a2a2 a3a3 a n a1a1 P1P1 P2P2 PnPn P3P3 b2b2 b3b3 b n b1b1 a b a 1  b 1 = c 1 a 2  b 2 = c 2 a 3  b 3 =c 3 a n  b n = c n ab ab f(x) = f 1 (x)  f 2 (x) of degree 2t f 1 (x) f 2 (x) Recombination Vector (r 1, …,r n ) where

15 Secure Multiplication Gate Evaluation a2a2 a3a3 a n a1a1 P1P1 P2P2 PnPn P3P3 b2b2 b3b3 b n b1b1 a b a 1  b 1 = c 1 a 2  b 2 = c 2 a 3  b 3 =c 3 a n  b n = c n ab ab c1c1 c2c2 c3c3 cncn Shamir-share f 1 (x) f 2 (x) Shamir-share Recombination Vector (r 1, …,r n ) r 1 c 1 +..+r n c n abab f(x) = f 1 (x)  f 2 (x) of degree 2t

16 Secure Multiplication Gate Evaluation a2a2 a3a3 a n a1a1 P1P1 P2P2 PnPn P3P3 b2b2 b3b3 b n b1b1 a b a 1  b 1 = c 1 a 2  b 2 = c 2 a 3  b 3 =c 3 a n  b n = c n ab ab c1c1 c2c2 c3c3 cncn VSS-share f 1 (x) f 2 (x) VSS-share Recombination Vector (r 1, …,r n ) r 1 c 1 +..+r n c n abab f(x) = f 1 (x)  f 2 (x) of degree 2t

17 Secure Multiplication Gate Evaluation a2a2 a3a3 a n a1a1 P1P1 P2P2 PnPn P3P3 b2b2 b3b3 b n b1b1 a b a 1  b 1 = c 1 a 2  b 2 = c 2 a 3  b 3 =c 3 a n  b n = c n ab ab c1c1 c2c2 c’ 3 c’ n VSS-share f 1 (x) f 2 (x) VSS-share Recombination Vector (r 1, …,r n ) r 1 c 1 +..+r n c’ n c f(x) = f 1 (x)  f 2 (x) of degree 2t Force them to share CORRECT product-share

18 Secure Multiplication Gate Evaluation a2a2 a3a3 a n a1a1 P1P1 P2P2 PnPn P3P3 b2b2 b3b3 bnbn b1b1 a 1  b 1 = c 1 a 2  b 2 = c 2 a 3  b 3 =c 3 a n  b n = c n c1c1 c2c2 c3c3 cncn A corrupted party will either gets discarded or share correct c- value

19 Secure Multiplication Gate Evaluation a2a2 a3a3 a n a1a1 P1P1 P2P2 PnPn P3P3 b2b2 b3b3 b n b1b1 a1a1 b1b1 VSS-share a2a2 b2b2 a3a3 b3b3 anan bnbn

20 Secure Multiplication Gate Evaluation a2a2 a3a3 a n a1a1 P1P1 P2P2 PnPn P3P3 b2b2 b3b3 b n b1b1 a1a1 b1b1 VSS-share a2a2 b2b2 a’ 3 b’ 3 VSS-share a’ n b’ n Distributed Error Correction > Get error locations >Ignore the corresponding parties > Remaining parties has shared their a and b share correctly Focus on one party

21 Secure Multiplication Gate Evaluation (abusing notation) a P b c A(x) B(x) C(x) = A(x)B(x) -2t-degree -Non-random a2a2 a3a3 a n a1a1 b2b2 b3b3 b n b1b1 How to reduce the degree and randomize the polynomial? Choose t random polynomials D 1 (x),…, D t (x) s.t. the following polynomial is random and at most degree-t poly with constant term c = ab D(x) = C(x) - xD 1 (x) -…. -x t D t (x) C(x) = c + c 1 x + ……c t x t + c t+1 x t+1 +……….+ c 2t-1 x 2t-1 + c 2t x 2t D t (x) = r t,1 + r t,2 x + ………+ r t,t-1 x t-1 + c 2t x t

22 Secure Multiplication Gate Evaluation a P b c A(x) B(x) C(x) = A(x)B(x) -2t-degree -Non-random a2a2 a3a3 a n a1a1 b2b2 b3b3 b n b1b1 How to reduce the degree and randomize the polynomial? Choose t random polynomials D 1 (x),…, D t (x) s.t. the following polynomial is random and at most degree-t poly with constant term c = ab D(x) = C(x) - xD 1 (x) -…. -x t D t (x) x t D t (x) = r t,1 x t + r t,2 x t+1 + ………+ r t,t-1 x t-1 + c 2t x 2t D t-1 (x) = r t-1,1 + r t-1,2 x + ……… + (c 2t-1 – r t,t-1 )x t C(x) = c + c 1 x + ……c t x t + c t+1 x t+1 +……….+ c 2t-1 x 2t-1 + c 2t x 2t

23 Secure Multiplication Gate Evaluation a P b c A(x) B(x) C(x) = A(x)B(x) -2t-degree -Non-random a2a2 a3a3 a n a1a1 b2b2 b3b3 b n b1b1 How to reduce the degree and randomize the polynomial? Choose t random polynomials D 1 (x),…, D t (x) s.t. the following polynomial is random and at most degree-t poly with constant term c = ab D(x) = C(x) - xD 1 (x) -…. -x t D t (x) x t D t (x) = r t,1 x t + r t,2 x t+1 + ………+ r t,t-1 x t-1 + c 2t x 2t x t-1 D t-1 (x)= r t-1,1 x t-1 + r t-1,2 x t + ……… + (c 2t-1 – r t,t-1 ) x t-1 C(x) = c + c 1 x + ……c t x t + c t+1 x t+1 +……….+ c 2t-1 x 2t-1 + c 2t x 2t

24 Secure Multiplication Gate Evaluation C(x)cc1c1.. c t-1 ctct c t+1.. c 2t-2 c 2t-1 c 2t x t D t (x).. r t,1 r t,2.. r t,t-2 r t,t-1 c 2t x t-1 D t-1 (x).. r t-1,1 r t-1,2 r t-1,3 r t-1,t-1 c 2t-1 - r t,t-1 ….. … xD 1 (x)r 1,1 r 1,t-2 r 1,t-1 c t+1 - r t,2 -…..-r 2,t D(x) = C(x) - xD 1 (x) -…. -x t D t (x) - Degree t - Random - Constant term is c D(x) is an ideal poly to be used for sharing c

25 Secure Multiplication Gate Evaluation a P b A(x)B(x) a2a2 a3a3 a n a1a1 b2b2 b3b3 b n b1b1 D(x) ?= C(x) - xD 1 (x) -…. -x t D t (x) D(x) d2d2 d3d3 d1d1 d n (using VSS; and setting F(x,0)) If P is honest we are done, since D(x) is at most degree-t poly and random D 1 (x) D 2 (x) D t (x) d 12 d 13 d 11 d 1n d 22 d 23 d 21 d 2n d t2 d t3 d t1 d tn C(x) a2b2a2b2 a3b3a3b3 a1b1a1b1 a n b n d 1 ?= a 1 b 1 – 1. d 11 - ….- 1 t d t1 d 2 ?= a 2 b 2 – 2. d 12 - ….-2 t d t2 d 3 ?= a 3 b 3 – 3. d 13 - ….-3 t d t3 d n ?= a n b n – n. d 1n - ….- n t d tn

26 Secure Multiplication Gate Evaluation a P b A(x)B(x) a2a2 a3a3 a n a1a1 b2b2 b3b3 b n b1b1 D(x) ?= C(x) - xD 1 (x) -…. -x t D t (x) D(x) d2d2 d3d3 d1d1 d n If all honest parties find the relation true, then D(x) shares c. D 1 (x) D 2 (x) D t (x) d 12 d 13 d 11 d 1n d 22 d 23 d 21 d 2n d t2 d t3 d t1 d tn C(x) a2b2a2b2 a3b3a3b3 a1b1a1b1 a n b n d 1 ?= a 1 b 1 – 1. d 11 - ….- 1 t d t1 d 2 ?= a 2 b 2 – 2. d 12 - ….-2 t d t2 d 3 ?= a 3 b 3 – 3. d 13 - ….-3 t d t3 d n ?= a n b n – n. d 1n - ….- n t d tn D(x) is degree t but may not share c. RHS may not be degree t but shares c But we do not know who is honest/corrupted P 3 complains, check if complaint is correct, if so discard P, else ignore the complaint.

27 Chalk & Talks CT4 [LR15]: Blazing Fast 2PC in the Offline/Online Setting with Security for Malicious Adversaries. https://eprint.iacr.org/2015/987.pdf CT5 [AMPR15]: Non-Interactive Secure Computation Based on Cut-and- Choose. http://eprint.iacr.org/2015/282 CT6 [IOZ15]: Secure Multi-Party Computation with Identifiable Abort; http://eprint.iacr.org/2015/325 CT7 [LPSY15]: Efficient Constant Round Multi-party Computation Combining BMR and SPDZ. https://eprint.iacr.org/2015/523 CT8 [HR14]: Multi-Valued Byzantine Broadcast: the t < n Case http://eprint.iacr.org/2013/553

28

Download ppt "Secure Computation Lecture 17-18 Arpita Patra. Recap >Three orthogonal problems- (n,t)-sharing, reconstruction, multiplication protocol > Verifiable Secret."

Similar presentations

Secret Sharing Protocols [Sha79,Bla79]

Secret Sharing Protocols [Sha79,Bla79]
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.

Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.

1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.
The factor theorem The Factor Theorem states that if f(a) = 0 for a polynomial then (x- a) is a factor of the polynomial f(x). Example f(x) = x 2 + x -

The factor theorem The Factor Theorem states that if f(a) = 0 for a polynomial then (x- a) is a factor of the polynomial f(x). Example f(x) = x 2 + x -
Solving Equations by factoring Algebra I Mrs. Stoltzfus.

Solving Equations by factoring Algebra I Mrs. Stoltzfus.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.

Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.
Secure Multi-party Computations (MPC) A useful tool to cryptographic applications Vassilis Zikas.

Secure Multi-party Computations (MPC) A useful tool to cryptographic applications Vassilis Zikas.
1 A simple algebraic representation of Rijndael Niels Ferguson Richard Schroeppel Doug Whiting.

1 A simple algebraic representation of Rijndael Niels Ferguson Richard Schroeppel Doug Whiting.
Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung.

Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung.
Quiz 2 key.

Quiz 2 key.
Efficient and Robust Private Set Intersection and multiparty multivariate polynomials Dana Dachman-Soled 1, Tal Malkin 1, Mariana Raykova 1, Moti Yung.

Efficient and Robust Private Set Intersection and multiparty multivariate polynomials Dana Dachman-Soled 1, Tal Malkin 1, Mariana Raykova 1, Moti Yung.
Cyclic codes 1 CHAPTER 3: Cyclic and convolution codes Cyclic codes are of interest and importance because They posses rich algebraic structure that can.

Cyclic codes 1 CHAPTER 3: Cyclic and convolution codes Cyclic codes are of interest and importance because They posses rich algebraic structure that can.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.

Similar presentations

Ads by Google