Secure Multi-Party Computation

Gunnar Kreitz
KTH – Royal Institute of Technology
October 4 2012

Sections: Background, Secure Computation, Security Model, Generic Protocol, Applications

Problem Statement (sketch) / Famous examples / Example protocol

Ingredients

- $n$ parties
- $n$ inputs (one per party)
- A function $f(x_1, \ldots, x_n)$ to compute

Goal (intuitive)

- Parties learn $f(x_1, \ldots, x_n)$
- No one learns anything more

Example time!

Let’s pick a function

The classic examples

- Millionaire’s Problem
- Mental Poker
- Dining Cryptographers

Example time!

$\sum_i x_i$

Private Summation (cont’d)

- The protocol does one round of input randomization (blinding)
- Then, any (non-private) summation protocol is run on the blinded inputs
- The blinding preserves the sum of the inputs
- Information-theoretically secure

Photo by Mirko Tobias Schaefer http://www.flickr.com/photos/gastev/2960556197/, CC BY 2.0

Summation Protocol by Example

[Figure: parties 1, 2 and 3; successive frames show the messages $r_{12}$, $r_{13}$, $r_{21}$, $r_{23}$, $r_{31}$ and $r_{32}$, one per frame]

$x'_1 = x_1 - r_{12} - r_{13} + r_{21} + r_{31}$

$x'_2 = x_2 + r_{12} - r_{21} - r_{23} + r_{32}$

$x'_3 = x_3 + r_{13} + r_{23} - r_{31} - r_{32}$

Private Summation Protocol

- Each party $P_i$ with input $x_i$ proceeds as follows:
  1. Send random $r_{i,j}$ to each neighbor $P_j$
  2. Wait for $r_{j,i}$ from each neighbor $P_j$
  3. Compute

     $$x'_i = x_i + \sum_{P_j \text{ neighbor}} r_{j,i} - \sum_{P_j \text{ neighbor}} r_{i,j}$$

- We could now publish $x'_i$ and still remain private!
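The blinding round above as runnable code, for an arbitrary symmetric neighbor graph. This is an added example, not code from the slides; the modulus `P`, the function names and the sample inputs are assumptions. `residual_mask` reports how much of a party's mask a given set of curious parties cannot remove, which is zero when that set contains all of the party's neighbors.

```python
import secrets

P = 2**61 - 1  # public prime modulus (an assumption; the slides only say "mod p")


def blind_inputs(inputs, neighbors, modulus=P):
    """One blinding round of the private summation protocol.

    inputs:    {party: x_i}
    neighbors: {party: set of neighbors}; the relation must be symmetric
    Returns (blinded, sent), where sent[(i, j)] is the r_ij that i sent to j.
    """
    for i in inputs:
        for j in neighbors[i]:
            if j == i or i not in neighbors[j]:
                raise ValueError(f"bad neighbor relation between {i} and {j}")
    # Step 1: P_i sends a fresh uniform r_ij to each neighbor P_j.
    sent = {(i, j): secrets.randbelow(modulus)
            for i in inputs for j in neighbors[i]}
    # Steps 2-3: x'_i = x_i + sum_j r_ji - sum_j r_ij  (mod p).
    blinded = {}
    for i, x in inputs.items():
        received = sum(sent[(j, i)] for j in neighbors[i])
        given = sum(sent[(i, j)] for j in neighbors[i])
        blinded[i] = (x + received - given) % modulus
    return blinded, sent


def public_sum(values, modulus=P):
    """Any non-private summation can now be run on the blinded values."""
    return sum(values.values()) % modulus


def residual_mask(target, observers, sent, neighbors, modulus=P):
    """Net mask on x'_target that the observers do NOT know.

    Observers know every r they exchanged themselves. If all neighbors of
    target are observers the result is 0, so x'_target equals x_target to them.
    """
    hidden = neighbors[target] - set(observers)
    return sum(sent[(j, target)] - sent[(target, j)] for j in hidden) % modulus


def demo():
    # Constructed sample inputs for the three parties of the slide example.
    inputs = {1: 12, 2: 30, 3: 7}
    full = {1: {2, 3}, 2: {1, 3}, 3: {1, 2}}
    blinded, sent = blind_inputs(inputs, full)
    return inputs, full, blinded, sent


if __name__ == "__main__":
    inputs, graph, blinded, sent = demo()
    print("blinded values:", blinded)
    print("sum of blinded:", public_sum(blinded), "true sum:", sum(inputs.values()))
    print("mask on party 1 unknown to {2}:   ", residual_mask(1, {2}, sent, graph))
    print("mask on party 1 unknown to {2, 3}:", residual_mask(1, {2, 3}, sent, graph))
```
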

How to proceed?

- Do we develop protocols for each and every $f$?
- (Are they all this simple?)
- How do we define security?

Security definitions

- No one should learn anything but result
- No one should be able to affect computation in an untoward way

A Trusted Third Party

- Is there someone we all trust?
- Can send measurements to the Trusted Third Party
- She performs computation and tells everyone result
- Given a Trusted Third Party, problem is easy

Photo by Matt J. Rider http://www.flickr.com/photos/mjrindewitt/4759429254/, CC BY NC SA 2.0

Sometimes There is no Trusted Third Party

Photo by Tayrawr Fortune http://www.flickr.com/photos/missfortune/4088429354/, CC BY NC ND 2.0

Secure?

What do we mean by security?

- In an ideal world, we have a trusted third party
- We want our protocols to be as secure as the ideal world
- Cheating parties must not:
  - learn more than they do in the ideal world
  - be able to do more than they can in the ideal world

Photo by Thomas Hawk http://www.flickr.com/photos/thomashawk/115213351/, CC BY NC 2.0

What is an attack?

Functionality: $\sum_i x_i \pmod p$. Adversary corrupts party 1.

- Adversary learns $x_1$? No.
- Adversary learns $x_{10}$? Yes.
- Adversary learns sum of all other parties’ input? No.
- Adversary learns $\sum_{i<n/2} x_i$? Yes.
- Adversary learns sum, everyone else gets random value? No (pick random $x_1$).
- Adversary ensures result is $c$? Yes.

How Powerful is Our Adversary?

- Two main models of adversary’s evilness:
  - Passive/semi-honest (Honest-but-curious): follows protocol but tries to deduce more information
  - Active/malicious (Byzantine): arbitrary deviations from protocol

Image credit: OpenBSD http://www.openbsd.org/art2.html

How Powerful is Our Adversary?

- Two main models of adversary’s power:
  - Computational Security: Probabilistic polynomial time
  - Information-Theoretic Security: Unlimited computation time
- In this talk, we consider both notions

Photo by slack12 http://www.flickr.com/photos/slack12/314854035/, CC BY NC ND 2.0

One protocol to rule them all

- How can we get around having to design one protocol per functionality?
- Something that can evaluate a circuit.

Main idea

- Keep all intermediary values secret shared
- Evaluate circuit gate by gate, gate inputs and outputs being secret shared
- Open up values of output gates to everyone
- We’ll need protocols for addition (XOR) and multiplication (AND)

Different variations

- Built on Shamir/Verifiable Secret Sharing [BGW88,CCD88]
- Built on Oblivious Transfer [GMW87]
- Built on Homomorphic Encryption

Shamir secret sharing

- Math is now in a finite field (“mod a prime”)
- Pick a polynomial $P(x)$ of degree $t$, with $P(0) = s$
- Knowing evaluations at $t + 1$ points uniquely determines $P(x)$
- Evaluations at $t$ coordinates ($\neq 0$) reveal nothing about $s$

Secure computation: addition (XOR)

- Input: two polynomials* $f(x)$, $g(x)$ with $f(0) = a$, $g(0) = b$
- Output: polynomial* $h(x)$ such that $h(0) = a + b$
- $h(x) = f(x) + g(x)$ has the right property
- Party $P_i$ knows $f(i)$, $g(i)$. Need a protocol for her to learn $h(i)$
- $h(i) = f(i) + g(i)$: XOR gates can be evaluated locally!

Secure computation: multiplication (AND)

- Input: two polynomials* $f(x)$, $g(x)$ with $f(0) = a$, $g(0) = b$
- Output: polynomial* $h(x)$ such that $h(0) = ab$
- $h(x) = f(x)g(x)$ has the right property
- But, it is a bad choice!
- It has degree $2t$
- It is not uniformly random (e.g., cannot be irreducible)

Secure computation: multiplication (AND) (cont’d)

- $h(x) = f(x)g(x)$
- To make it uniformly random: add random polynomials with $p(0) = 0$
- Each party picks one: $h'(x) = f(x)g(x) + \sum_i p_i(x)$
- Degree reduction is slightly more involved
- Boils down to evaluating a linear form of the shares and opening it to each party
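The Shamir sharing, addition and multiplication slides above in code, as an added example that is not part of the original slides: shares are added locally, multiplied locally (giving a degree-$2t$ sharing that needs $2t + 1$ shares to open), and re-randomized with sharings of zero. Degree reduction is left out. The modulus `Q`, the function names and the fixed coefficients 3 and 5 are assumptions chosen so the results are reproducible.

```python
import secrets

Q = 2**31 - 1  # prime field modulus (an assumption; the slides say "mod a prime")


def poly_eval(coeffs, x, q=Q):
    """Evaluate a polynomial by Horner's rule; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc


def share(secret, t, n, q=Q, rand_coeffs=None):
    """Shamir-share secret: degree <= t polynomial with P(0) = secret; P_i gets P(i)."""
    if not 0 <= t < n < q:
        raise ValueError("need 0 <= t < n < q")
    if rand_coeffs is None:
        rand_coeffs = [secrets.randbelow(q) for _ in range(t)]
    if len(rand_coeffs) != t:
        raise ValueError("need exactly t non-constant coefficients")
    coeffs = [secret % q] + list(rand_coeffs)
    return {i: poly_eval(coeffs, i, q) for i in range(1, n + 1)}


def reconstruct(points, q=Q):
    """Lagrange-interpolate the value at x = 0 from {i: P(i)}."""
    secret = 0
    for i, y in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (-j) % q
                den = den * (i - j) % q
        secret = (secret + y * num * pow(den, -1, q)) % q
    return secret


def first(shares, k):
    """The shares held by parties 1..k."""
    return {i: shares[i] for i in sorted(shares)[:k]}


def add_gate(f_sh, g_sh, q=Q):
    """Addition gate: each party adds its own two shares, h(i) = f(i) + g(i)."""
    return {i: (f_sh[i] + g_sh[i]) % q for i in f_sh}


def mul_gate_local(f_sh, g_sh, q=Q):
    """Local product h(i) = f(i) g(i): right constant term, but degree 2t."""
    return {i: f_sh[i] * g_sh[i] % q for i in f_sh}


def rerandomize(h_sh, t, q=Q):
    """Every party deals a random degree-2t sharing of 0; all of them are added."""
    n = len(h_sh)
    out = dict(h_sh)
    for _dealer in range(n):
        zero = share(0, 2 * t, n, q)  # p(0) = 0, raises if n < 2t + 1
        out = {i: (out[i] + zero[i]) % q for i in out}
    return out


def demo():
    # Constructed example: t = 1, n = 3, f(x) = 20 + 3x, g(x) = 22 + 5x.
    t, n = 1, 3
    f_sh = share(20, t, n, rand_coeffs=[3])
    g_sh = share(22, t, n, rand_coeffs=[5])
    s = add_gate(f_sh, g_sh)
    h = mul_gate_local(f_sh, g_sh)
    h2 = rerandomize(h, t)
    return {
        "sum_from_t+1": reconstruct(first(s, t + 1)),            # 42
        "prod_from_t+1": reconstruct(first(h, t + 1)),           # 410, too few shares
        "prod_from_2t+1": reconstruct(first(h, 2 * t + 1)),      # 440
        "rerand_from_2t+1": reconstruct(first(h2, 2 * t + 1)),   # 440
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```
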

Is it used?

- Research area going back to the early 80’s
- Beautiful results
- Real-world use?
- Not much, yet

Efficiency

- Efficiency is a huge problem
- Time to encrypt 128 bytes using AES? 2 seconds [DK10]
- Time to sort 16384 integers? 3.5 minutes [JKU11]
- 3 parties, passive adversary

Implementations

- Recently, a number of implementation efforts
  - FairplayMP http://www.cs.huji.ac.il/project/Fairplay/
  - Viff http://viff.dk/
  - Sharemind http://sharemind.cyber.ee/
  - Sepia http://www.sepia.ee.ethz.ch/

Real-world use

Will it be used?

- Abundance of development environments
- Moore’s law chipping away at performance issue
- Nice security guarantees