General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science


Post on 18-Dec-2015


Page 2:

(and me)

Joachim (and Claus)

Page 3:

A general framework (for casting crypto problems)

An m-ary (randomized) functionality (desired process) $F: (\{0,1\}^n)^m \to (\{0,1\}^n)^m$ (where $m \ge 2$ denotes the # of parties).

Parties: $P_1, P_2, \dots, P_m$

Local inputs: $x_1, x_2, \dots, x_m$

Local outputs: $y_1, y_2, \dots, y_m$

$(y_1, y_2, \dots, y_m) = F(x_1, x_2, \dots, x_m)$

Desired solution: delivery of outputs as if the operation was performed by a trusted party.

Page 4:

Secure Multi-Party Computation (Crypto Protocols)

A secure protocol obtains the same effect as the operation of a trusted party.

Thus, mutually distrustful parties emulate the effect of a trusted party.

Page 5:

On the feasibility of General Secure MPC

Meta-THM: General Secure MPC is possible under a variety of natural assumptions.

• Assuming an honest majority + TDP

• Allowing abort + TDP

(i.e., not considering early termination as breach of security)

[reflected in the ideal model]

• Assuming a 2/3-majority + private channels.

TDP == Trapdoor Permutations (which exist, e.g., assuming the intractability of factoring integers).

Page 6:

Two-Step construction of General Secure MPC

E.g., assuming an honest majority + TDP

1. Constructing protocols that are secure wrt semi-honest (“honest-but-curious”) adversaries. [“privacy only”]

2. Enforcing semi-honest behavior via ZK proofs (+commit)

T = public information (transcript)

Sender (secret input $s$), Receiver

Sender is supposed to send $y = f(T,s)$; the Receiver gets $y'$.

Idea: provide a ZK proof that $\exists s'$ s.t. $y' = f(T,s')$

(Step 2: enforcing)

Page 7:

Secure (private) MPC in the semi-honest model.

We assume a TDP (trapdoor permutation).

Reduce to deterministic functionalities with same outputs.

Let C be a GF(2) circuit for computing the m-ary function.

Idea: The parties propagate shares of the values of all wires in C from the input wires of C to its output wires.

$x = x_1 + x_2 + x_3 + \dots + x_m$

$y = y_1 + y_2 + y_3 + \dots + y_m$

$z = z_1 + z_2 + z_3 + \dots + z_m$

Page 8:

Secure (private) MPC of the gate functionality.

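$x = x_1 + x_2 + x_3 + \dots + x_m$

$y = y_1 + y_2 + y_3 + \dots + y_m$

$z = z_1 + z_2 + z_3 + \dots + z_m$

Easy case – addition gate: Set $z_i \leftarrow x_i + y_i$ (local computation).

Similarly for negation: $z_i \leftarrow x_i + 1$ if $i = 1$ and $z_i \leftarrow x_i$ o.w.

Hard case – multiplication gate: we wish

$z_1 + z_2 + \dots + z_m = (x_1 + x_2 + \dots + x_m) \cdot (y_1 + y_2 + \dots + y_m)$

(use algebra)

$(x_1 + x_2 + \dots + x_m) \cdot (y_1 + y_2 + \dots + y_m) = \sum_i x_i y_i + \sum_{i \ne j} (x_i y_j + x_j y_i)$

The first sum is computed locally (terms labelled $z_i^{(i)}$); each term of the second sum is computed by a 2PC (labelled $z_i^{(j)} + z_j^{(i)}$).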

The parties need to propagate shares of the values through each gate. (Shares with subscript i belong to party i.)

Page 9:

Secure 2-PC of $((x_i,y_i),(x_j,y_j)) \mapsto (z_i^{(j)}, z_j^{(i)})$ s.t. $z_i^{(j)} + z_j^{(i)} = x_i y_j + x_j y_i$

Recall: General secure MPC “reduces” to secure 2PC of $((x_1,y_1),(y_2,x_2)) \to (z_1,z_2)$, where $(z_1,z_2)$ is random subject to $z_1 + z_2 = x_1 x_2 + y_2 y_1$.

(OT)
Inputs: Sender $s_0, s_1$; Receiver $c$
Outputs: Sender -; Receiver $s_c$

Inputs: 1st $x_1, y_1$; 2nd $x_2, y_2$
Outputs: 1st $r$; 2nd $r + x_1 x_2 + y_1 y_2$

Inputs: 1st $x, z$; 2nd $y$
Outputs: 1st -; 2nd $z + xy$

In the $i$-th invocation use inputs $(x_i, r_i)$ and $y_i$, where $r_i$ is a random bit. Each party sets its final output = sum of both intermediate outputs.

Sender sets $s_y = z + yx$.
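An added example (not from the original slides) of the gate protocols on pages 8 and 9: XOR shares over GF(2), local addition and negation, and a multiplication gate whose cross terms (each unordered pair of parties once) come from two invocations of the $z + xy$ functionality, itself built from OT with $s_y = z + yx$. The OT is an ideal stand-in function and all names are assumptions.

```python
import secrets
from functools import reduce
from operator import xor

def share(bit, m):
    """Split a bit into m additive shares over GF(2) (XOR shares)."""
    parts = [secrets.randbits(1) for _ in range(m - 1)]
    return parts + [reduce(xor, parts, bit)]

def reconstruct(shares):
    return reduce(xor, shares, 0)

def ideal_ot(s0, s1, c):
    """Ideal 1-out-of-2 OT (assumed trusted stand-in): receiver learns only s_c."""
    return s1 if c else s0

def z_plus_xy(x, z, y):
    """1st party holds (x, z), 2nd holds y; 2nd learns z + x*y.
    The sender sets s_y = z + y*x for y in {0, 1}; the choice bit is y."""
    return ideal_ot(z, z ^ x, y)

def cross_term(xi, yi, xj, yj):
    """2PC between parties i and j: outputs (zi, zj), random subject to
    zi + zj = xi*yj + xj*yi, via two invocations masked by fresh bits."""
    r1, r2 = secrets.randbits(1), secrets.randbits(1)
    out1 = z_plus_xy(xi, r1, yj)      # party j gets r1 + xi*yj
    out2 = z_plus_xy(yi, r2, xj)      # party j gets r2 + yi*xj
    return r1 ^ r2, out1 ^ out2       # each party sums its two outputs

def add_gate(xs, ys):
    return [a ^ b for a, b in zip(xs, ys)]   # z_i <- x_i + y_i, local

def not_gate(xs):
    return [xs[0] ^ 1] + xs[1:]              # only party 1 flips its share

def mul_gate(xs, ys):
    m = len(xs)
    zs = [xs[i] & ys[i] for i in range(m)]   # local terms x_i * y_i
    for i in range(m):
        for j in range(i + 1, m):            # one 2PC per pair of parties
            zi, zj = cross_term(xs[i], ys[i], xs[j], ys[j])
            zs[i] ^= zi
            zs[j] ^= zj
    return zs

if __name__ == "__main__":
    xs, ys = share(1, 4), share(1, 4)
    print(reconstruct(mul_gate(xs, ys)))
```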

Page 10:

Implementing OT (OT = Oblivious Transfer)

Inputs: Sender $s_0, s_1$; Receiver $c$
Outputs: Sender -; Receiver $s_c$

Background: assuming a collection of TDP $\{f_i : D_i \to D_i\}$

Inputs: Sender $s_0, s_1$; Receiver $c$
Desired outputs: Sender -; Receiver $s_c$

Sender: selects an index $i$.

Receiver: selects $x_c, y_{1-c} \in D_i$, computes $y_c = f_i(x_c)$, and sends $y_0, y_1$.

Sender: finds the $f_i$-preimages of both, $z_0, z_1$, and sends $b(z_0) + s_0$, $b(z_1) + s_1$.
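An added, semi-honest walk-through of the OT protocol above (not code from the talk), instantiating the TDP with toy RSA and taking $b$ to be the least-significant bit, a known hard-core predicate for RSA. The primes, function names and message layout are assumptions chosen for illustration.

```python
import secrets

# Constructed toy parameters: far too small for real use.
P, Q, E = 1009, 1013, 65537

def keygen():
    """Sender selects an index i = (n, e) together with its trapdoor d."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), d

def f(index, x):
    n, e = index
    return pow(x, e, n)              # f_i: a permutation of D_i = Z_n

def f_inv(index, trapdoor, y):
    return pow(y, trapdoor, index[0])

def b(x):
    return x & 1                     # assumed hard-core bit (LSB)

def receiver_round(index, c):
    """Receiver picks x_c and y_{1-c} in D_i, sets y_c = f_i(x_c), sends (y0, y1)."""
    n = index[0]
    x_c = secrets.randbelow(n)
    y = [0, 0]
    y[c] = f(index, x_c)
    y[1 - c] = secrets.randbelow(n)  # receiver does not know this preimage
    return x_c, (y[0], y[1])

def sender_round(index, trapdoor, s0, s1, y0, y1):
    """Sender inverts both values and masks each secret with a hard-core bit."""
    z0 = f_inv(index, trapdoor, y0)
    z1 = f_inv(index, trapdoor, y1)
    return b(z0) ^ s0, b(z1) ^ s1

def receiver_output(c, x_c, masked):
    return masked[c] ^ b(x_c)        # z_c = x_c, so the mask cancels

def run_ot(s0, s1, c):
    index, trapdoor = keygen()
    x_c, (y0, y1) = receiver_round(index, c)
    masked = sender_round(index, trapdoor, s0, s1, y0, y1)
    return receiver_output(c, x_c, masked)

if __name__ == "__main__":
    print(run_ot(0, 1, 1))
```

The privacy argument relies on the receiver following the protocol: a receiver that computed both $y_0$ and $y_1$ as images of known points would learn both secrets, which is what the enforcement step on page 6 addresses.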

Page 11:

Conclusion: General Secure MPC is feasible

Meta-THM: General Secure MPC (i.e., secure emulation of trusted parties) is possible under a variety of natural assumptions.

• MPC for an honest majority, assuming TDP

• Similar ideas (+more) yield MPC w/o honest majority, but when “allowing abort” (i.e., not considering early termination as breach of security). (Also assuming TDP).

• Assuming a 2/3-majority + private channels.

Page 12:

The End

The slides of this talk are available at http://www.wisdom.weizmann.ac.il/~oded/T/mpc.ppt

A related survey is available at http://www.wisdom.weizmann.ac.il/~oded/s_mpc.html

Page 13:

Zero-Knowledge Proofs

A secure protocol (i.e., ZK proof) obtains the same effect as the operation of a trusted party.

Thus, mutually distrustful parties emulate the effect of a trusted party.


Page 14:

Secure 2-PC of the Inner Product mod 2 of two vectors

Recall: General secure MPC “reduces” to secure 2PC of the inner product mod 2 of two input vectors held by the two parties. (For us n=2 suffices.)

(OT)
Inputs: Sender $s_0, s_1$; Receiver $c$
Outputs: Sender -; Receiver $s_c$

Inputs: 1st $x_1, \dots, x_n$; 2nd $y_1, \dots, y_n$
Outputs: 1st $r$; 2nd $r + \sum_i x_i y_i$

Inputs: 1st $x, z$; 2nd $y$
Outputs: 1st -; 2nd $z + xy$

In the $i$th invocation use inputs $(x_i, r_i)$ and $y_i$, where $r_i$ is a random bit.

Final output = sum of all $n$ outputs.