secure multi-party computation oded goldreich presented by chun liu nov 2001
TRANSCRIPT
Secure Multi-Party Computation
Oded GoldreichPresented by Chun LiuNov 2001
CSE 597E
Motivation
Multiparty secure computation allows N parties to share a computation, each learning only what can be inferred from their own inputs and the output of the computation. For example, the parties can compute summary statistics on their shared transaction logs, including cross-checking of the logs against counterparties to a transaction, without revealing those logs.
CSE 597E
An Example: Dining Cryptographer Problem
Three cryptographers are sitting down to dinner at their favorite three-star restaurant. Their waiter informs them that arrangements have been made with the Nittany Lion Inn for the bill to be paid anonymously.
One of the cryptographers might be paying for the dinner, or it might have been NSA (U.S. National Security Agency). The three cryptographers respect each other's right to make an anonymous payment, but they wonder if NSA is paying.
CSE 597E
Casting Cryptographic Problem
Specifying a random process which maps m inputs to m outputs.The inputs to the process are to be thought of as local inputs of m parties, and the m outputs are their corresponding local outputs.
Dining cryptographer problem is the simplified version, where the m outputs are identical.
CSE 597E
In Plain English
The problem of secure multi-party function computation is as follows: n players, P1,P2,…Pn, wish to evaluate a function , F(x1,x2,…xn), where xi is a secret value provided by Pi. The goal is to preserve the privacy of the player's inputs and guarantee the correctness of the computation.
CSE 597E
Trusted Third Party Presents
This problem is trivial if we add a trusted third party T to the computation. Simply, T collects all the inputs from the players, computes the function F, and announces the result. (This is the way we usually have elections, where the voters are the players and the trusted third party is the government). In general, we define secure multiparty computation as any protocol in an ideal scenario with a ‘trusted party’, and define a real life protocol as secure if it is ``equivalent'' to a computation in the ideal scenario.
CSE 597E
No Trusted Third Party
We show that whatever can be computed in this ideal scenario can be computed in a secure manner when no such trusted party exists.
Two types of “faulty” behaviour by the players. we assume that players always follow the
protocol but may collaborate and try to learn additional information (private computation)
the general case where faulty players can collaborate in any way to gather information and disrupt the computation (secure computation).
CSE 597E
General Two-Party Computation
Content Semi-honest adversary. Secure protocol with respect to Semi-honest
Behavior. Force parties to behave in a semi-honest
manner.
CSE 597E
Definition
Functionality: a random process which maps pairs of inputs (one per each party) to pairs of outputs (one per each party). f: {0,1}*x{0,1}* {0,1}*x{0,1}* For every input (x,y), the desired output-pair is
a random variable f(x,y). The first party holding input x, wishes to obtain the first element of f(x,y), while the second party wishes to obtain the second one.
CSE 597E
Generic case
The first party hold a1, b1, and the second party holds a2, b2, where a1+a2 is the value of one input wire and b1 +b2 is the value of the other input wire. What we want to provide each party with a “random” share of the value of the output wire; that is a share of the value (a1+a2)*(b1 +b2). That is:((a1+b1), (a2 +b2)) (c1, c2) Eq.1where c1+c2 = (a1+a2)*(b1 +b2) Eq.2
CSE 597E
The Semi-Honest Model
Semi-honest party Follows the protocol properly Keeps a record of all its intermediate
computations.
Let f: {0,1}*x{0,1}* {0,1}*x{0,1}*, where f1(x,y) (resp. f2(x,y)) denotes the first element of f(x,y) and be a two party protocol for computing f.
CSE 597E
Privacy w.r.t Semi-Honest
During a execution of on (x,y): The view of the first party denoted by
VIEW 1(x,y), is (x,r,m1,…,mt)
r, the outcome of the first party’s internal coin tosses.
mi, the ith message received.
The output of the first party denoted byOUTPUT 1
(x,y).
CSE 597E
Privacy w.r.t Semi-Honest
For a deterministic functionality f, privately computes f if there exist polynomial-time algorithms S1 and S2, such that: {S1(x,f1(x,y))}x,y{0,1}*c {VIEW 1
(x,y)} x,y{0,1}*
{S2(x,f1(x,y))}x,y{0,1}*c {VIEW 2(x,y)} x,y{0,1}*
c Computational indistinguishable
CSE 597E
Privacy w.r.t Semi-Honest
For a general case, privately computes f if there exist polynomial-time algorithms S1 and S2, such that: {S1(x,f1(x,y)), f2(x,y)}x,y
c {VIEW 1(x,y), OUTPUT 2
(x,y)} x,y
{f1(x,y), S2(x,f1(x,y))}x,y
c {OUTPUT 1(x,y), VIEW 2
(x,y)} x,y
CSE 597E
Secure Protocol for Semi-Honest
Oblivious Transfer. Let k be a fixed integer, and let b1,b2,…bk {0,1} and i {1,…k}, then OT1
K is defined as
OT1K((b1,b2,…bk),i) = (,bi)
The first player, holding input (b1,b2,…bk) is called the sender and the second player holding the input i {1,…k}, is called receiver.
CSE 597E
Secure Protocol for Semi-Honest
Step S1: The sender uniformly select a trapdoor pair, (a,t) by running the generation algorithm, G, on input 1n. That is, it uniformly selects a random-pad r, for G and sets (a,t) = G(1n, r). It sends a to the receiver.
Step R1: The receiver uniformly and independently selects e1,e2,…ek Da, sets yi = fa(ei) and yj = ej, for every ji, and sends
(y1,y2,…yk) to the sender
CSE 597E
Secure Protocol for Semi-Honest
Step S2: Upon receiving (y1,y2,…yk), using the inverting-with-trapdoor algorithm and the trapdoor t, the sender computes xj=fa
-1(yj), for every j {1,…,k). It sends (b1b(x1), b2b(x2),…, bkb(xk)) to the receiver.
Step R2: Upon receiving (c1,c2,…ck), the receiver locally outputs ci b(ei)
CSE 597E
Circuit Evaluation Protocol
Inputs: Party i holds the bit string xi1,…xi
n, for i=1,2
Step 1 – Share the inputs: Each party splits and shares each of its input bits with the other party, that is for every i=1,2, and j=1,…,n, party I uniformly selects a bit ri
j and send it to the other party as the other party’s share of input wire (i-1)*n+j, Party i sets its own share of the (i-1)*n+jth input wire to xi
j+ rij .
CSE 597E
Circuit Evaluation Protocol
Step 2 – Circuit Emulation: Proceeding by the order of wires, the parties use their shares of the two input wires to a gate in order to privately compute shares for the output wire of the gate. Suppose that the parties hold shares to the two input wires of a gate; that is Party 1 holds the share a1, b1 and Party 2 holds the share a2, b2, Emulation of an addition gate: Party 1 just
sets its share of the output wire of the gate to be a1+b1, so does Party 2.
CSE 597E
Circuit Evaluation Protocol
Emulation of an multiplication gate: Shares of the output wire of the gate are obtained by invoking the oracle for the functionality of Eq. 1-2, where Party 1 supplies the input (query part) (a1, b1) and Party 2 supplies (a2, b2).
Step 3: Recovering the output bits: Once the shares of the circuit-output wires are computed, each party sends its share of each such wire to the party with which the wire is associated. Each party recovers the output bits by adding-up the two shares.
CSE 597E
Forcing Semi-Honest Behavior
Possible Actions and Counter-MeasuresSub-protocols:
Input commitment Coin-generation Protocol Emulation
The Compiler itself.
CSE 597E
Forcing Semi-Honest Behavior
What a malicious party can do?
Actions Counter-Measure
Substitute its input Commitment schemesw/ Strong 0-knownledge proofs
Not using uniformly distributed random-pad
Coin-generation phase
Send different messages other than the specified
Protocol emulation(Authenticated computation)
CSE 597E
BKGD: Commitment Scheme
Uniform family of probabilistic polynomial-size circuits {Cn}, satisfying: Perfect Unambiguity: For every n, the
supports of Cn(0) and Cn(1) are disjoint Computational Secrecy: The probability
ensembles {Cn(0)}nN and {Cn(1)}nN are computationally indistinguishable.
Can be constructed given any 1-1 one-way function.
Denote by Cn(b,r) the output of Cn on input bit b using the random sequence r.
CSE 597E
BKGD: Strong proofs of knowledge
R: binary relation V:efficient strategyV is a strong knowledge verifier for R iff:
Exists an interactive machine P so that for every (x,y) R, all possible interactions of V with P on common-input x and auxiliary-input y are accepting.
Exists a negligible : [0,1] and a probabilistic polynomial-time oracle machine K such that for every strategy P and every x,y,r {0,1}*, machine K satisfies the following condition:
If p(x) > u(|x|) then Pr[(x, KPx,y,r(x)) R]>1- u(|x|)
CSE 597E
Sub-protocol: Input Commitment
Goal: have Party 1 commit its input using commitment scheme {Cn}nN
Inputs: party 1 gets input (,r) {0,1}{0,1}n, and party 2 gets input 1n. Step C1: P1 sends c=Cn(,r) to P2. Step C2: zero-knowledge strong-proof-of-
knowledge. P1: prover and P2: verifier. Common input is c, prover gets auxiliary input (,r) with objective to prove that it knows (x,y) such that c=Cn(x,y).
Output: P2 sets its local output to c.
CSE 597E
Sub-protocol: coin-tossing (aug.d)
Goal: providing Party 2 with a commitment to the coin-outcome obtained by Party 1, rather than providing it with coin outcome itself.
Inputs: both parties get security parameter 1n. Step C1.1: P1 uniformly selects
(j,sj){0,1}{0,1}n, sends cj=Cn(j,sj) to P2. Step C1.2: The parties invoke a zero-knowledge
strong-proof-of-knowledge so that P1 plays the prover and P2 plays the verifier. The common input to the proof system is cj, the prover gets auxiliary input (j,sj) and its objectives is to prove that it know (x,y) such that cj=Cn(x,y).
CSE 597E
Sub-protocol: coin-tossing (aug.d)
Step C1.3: P2 uniformly selects ’j {0,1}, and send ’j to P1
Step C1.4: P1 set bj= ’j j
Step C2: P1 sets b=b0 and r=b1b2…bn, and sends c=Cn(b,r) to P2.
Step C3. The parties invoke a zero-knowledge proof system (P1: prover, P2:verifier). Common input (c0,c1,…,cn, ’1 ,’2,…, ’n,c), the prover gets auxiliary input (’1 ,’2,…, ’n,s0,s1,…,sn) w/ objective to prove there exists (x0,x1,…,xn, y0,y1,…,yn) such that:(j cj= Cn(xj,yj)) (c=Cn(x0’1 , x1’2,…, xn’n)
Step C4: P1 sets output to (b,r), P2 sets outputs c.
CSE 597E
Sub-protocol: Authenticated Computation
Goal: given f :{0,1}* {0,1}*{0,1}* and h: {0,1}* {0,1}*, force P1 send f(,) to P2, where is known to both, is known to P1, h() is known to P2.
Implementation: having P1 send f(,) and then prove in zero-knowledge the correctness of the value sent (w.r.t the common input (h(),).
CSE 597E
Authenticated Computation
Step C1: P1 sends v= f(,) to P2.Step C2: Invoke zero-knowledge proof
system. P1 plays prover, P2 verifier. Common input (v,h(),), prover get auxiliary input w/ objective to provex, s.t. (h()=h(x))(v= f(,))
Step C3: P2 sets local output to v.
CSE 597E
The compiler itself
Goal: Give a protocol, , for the semi-honest model, the compiler produces a protocol, ’, for the malicious model.
Input: P1 gets input x=x1x2…xn{0,1}n and P2 gets input y=y1y2…yn{0,1}n
Three phases: Input-commitment phase Coin-generation phase Protocol emulation phase
CSE 597E
Input-commitment phase
Each of the parties commits to each of its input bits using the input-commitment functionality.
P1 uniformly select p1i {0,1}n, playing P1
with input (xi, pi1), P2 playing P2 w/input 1n.
P2 get output Cn(xi, pi1). Vice Versa.
Each party now holds a string which uniquely determine the n-bit long input of the other party, and holds an NP-witness for the value of input committed to by the sequence held by the other party.
CSE 597E
Coin-generation phase
The parties generate random-pad for the emulation of . Invoking the (augmented) coin-tossing functionality.
P1 playing P1 w/ input 1n, P2 playing P2 w/ input 1n. P1 gets a pair (ri
1, wi1) and P2 gets Cn (ri
1, wi1). P1 set
the ith bit of the random-pad to be ri1, and record the
NP-witness. P2 records Cn (ri1, wi
1). Vice versa. Each party obtains the bits of the random-pad to be
held by it, whereas the other party obtains commitment to these bits. The party holding the bit also obtains the randomization used in these commitments, to be used as an NP-witness to the correctness of committed value.
CSE 597E
Protocol Emulation Phase
Use the authenticated-computation. Sender playing the role P1, and receiver playing
the role P2. a = (z,rj), where rj= r1
jr2j…rj
c(n)
r = (p1j, p2
j…pnj, w1
j, w2j…wj
c(n))
h(a,r) = (Cn (z1,p1j),Cn (z2,p2
j)…Cn (zn,pnj),
Cn (r1j,w1
j),Cn (r2j,w2
j)…Cn (rjc(n),wj
c(n)))
= all previous message sent by the other party. f = the computation which determines the message to
be sent in .
Each party holds the corresponding output of the party in protocol .
CSE 597E
General Multi-Party Computation
m-ary Functionality: a random process f which maps sequences of inputs (one per each party) to sequences of outputs (one per each party). Let m denote number of parties. f: {{0,1}*}m {{0,1}*}m
For every i, the ith party initially holds an input xi, and wishes to obtain the ith element in f(x1,x2,…,xm)
CSE 597E
MP The Semi-Honest Model
As defined exactly as in the two-party case. i.e.
Semi-honest party Follows the protocol properly Keeps a record of all its intermediate
computations.
CSE 597E
Two Malicious Models
The first model where the number of parties which deviate from the protocol is arbitrary. Treatment follows the one used in two-party
case.
The number of parties which deviate from the protocol is strictly less than half. Simpler than the above ones.
CSE 597E
MP circuit evaluation protocol
Inputs: Party i holds the bit string xi1,…xi
n, for i=1,…,m
Step 1 – Share the inputs: Each party splits and shares each of its input bits with the other party, that is for every i=1,…,m, and j=1,…,n, and every ki, party i uniformly selects a bit rk
(i-1)n+j and send it to the party k as the other party’s share of input wire (i-1)*n+j, Party i sets its own share of the (i-1)*n+jth input wire to xi
j+ ki rk(i-1)n+j .
CSE 597E
MP circuit evaluation protocol
Step 2 – Circuit Emulation: Proceeding by the order of wires, the parties use their shares of the two input wires to a gate in order to privately compute shares for the output wire of the gate. Suppose that the parties hold shares to the two input wires of a gate; that is Party i holds the share ai, bi, where a1,…,am are the inputs of the first wire and b1,…,bm are second. Emulation of an addition gate: Party i just sets
its share of the output wire of the gate to be ai+bi.
CSE 597E
MP circuit evaluation protocol
Emulation of an multiplication gate: Shares of the output wire of the gate are obtained by invoking the oracle for the functionality of Eq. 3.7-8, where Party i supplies the input (query part) (ai, bi).
Step 3: Recovering the output bits: Once the shares of the circuit-output wires are computed, each party sends its share of each such wire to the party with which the wire is associated. For i=1,..m, and j=1,..,n, each party sends its share of wire N-(m+1-j)*n+j to Party i. Each party recovers the corresponding output bits by adding-up the m shares.
Outputs: Each party outputs the bits recorded in Step 3
CSE 597E
MP Forcing the Semi-honest Model
Communication protocol: Broadcast, each round only one party send a message
which is received by all parties.
Sequence of transformation: Precompiling a protocol 0, which computes in the
point-to-point model, into a protocol ’0 which computes in the broadcast model.
Using the first compiler to transform ’0 into a protocol ’1 secure in first malicious model.
Using the second compiler to transform ’1 into a protocol ’2 secure in second malicious model.
Postcompiling the protocols ’1 and ’2 to use the standard point-to-point model.
CSE 597E
Forcing SHM: First Malicious Case
Input-commitment phase: each party commits to each of its input bits using multi-party version of the input commitment.
Coin-generation phase: The parties generate random-pads for each of the parties. These pads serve as the coins of the corresponding parties in their emulations of the semi-honest protocol. Each party obtains the bits of the random-pad, whereas the other parties obtains commitments to these bits.
Protocol Emulation Phase: The parties emulate the execution of the semi-honest protocol with respect to the input committed in the first phase and the random-pad selected in the second phase.
CSE 597E
Forcing SHM: Second Malicious Case
The sharing phase: Each party shares each bit of its input and random-pad, with all the parties. So that strict majority of parties can retrieve the bit. If a party aborts the execution prior to completion of this
phase, then the majority player will set its input and random-pad to some default value, and carry out the execution on its behalf.
If a party aborts the execution after this phase, the the majority players will reveal its input and random-pad, and will carry out the execution on its behalf.
Protocol emulation phase:The parties emulate the execution of original protocol w.r.t the input and random-pad in the first phase.
CSE 597E
The Compiler for the Second Case
Inputs: party i get input xi{0,1}n and random-pad ri{0,1}c(n)
The sharing phase: Each party shares each bit of its input and random-pad, with all parties. i.e. For i=1,..m, and j=1,..,n+c(n), party i invokes
VSS playing role P1 with input (, 1n), where is the ith bit of xiri. The other party playing roles P2..m with input 1n. Party i obtains output pair (pj
i, wj
i), and each other party k obtains a pair (skj,I,cj
i) so that sk
j,I are shares of a secret relative to Gm,
[m/2]’s random-pad pji.and cj
i is a sequence of commitments of the bits of pj
i.
CSE 597E
The Compiler for the Second Case
Protocol emulation phase: a = (xi,ri) r = ((p1
i, w1i),(p2
i, w2i),…(pn+c(n)
i, win+c(n)))
h(a,r) = (Cn (p1i, w1
i),Cn (p2i, w2
i ),…(pn+c(n)i, wi
n+c(n)))
= all previous message sent by the other party. f = the computation which determines the message to
be sent in . The input with with the other parties are to enter to the
authenticated-computation can be determined, in case the parties supply different values for (h(,r),), the majority value is used.
Output: each party holds the corresponding output of the party in protocol .
CSE 597E
Appendix
Solutions to dining cryptographer problemAuthenticated Byzantine AgreementVerifiable Secret Sharing
CSE 597E
Solution
Each cryptographer flips an unbiased coin behind his menu, between him and the cryptographer on his right, so that only the two of them can see the outcome. Each cryptographer then states aloud whether the two coins he can see--the one he flipped and the one his left-hand neighbor flipped--fell on the same side or on different sides. If one of the cryptographers is the payer, he states the opposite of what he sees.
CSE 597E
Solution (contd.)
An odd number of differences uttered at the table indicates that a cryptographer is paying; an even number indicates that NSA is paying (assuming that the dinner was paid for only once). Yet if a cryptographer is paying, neither of the other two learns anything from the utterances about which cryptographer it is.
CSE 597E
Authenticated Byzantine Agreement
Synchronous point-to-point and signature scheme. Phase 0: Party 1 sign its input and sends it to all
parties. Phase 1,…,m: Each honest party proceeds as follows:
It inspects the message received at phase i-1, which is admissible if all previous signature is verifiable. authentic v-message.
If the party finds such one, it will sign the message by appending its signature to it, and sends to all parties.
Each honest party evaluates the situation: If both authentic-0 and authentic-1 message received,
reports Party 1 is malicious. If for a single v {0,1}, if received authentic-v message, it
output v. Never received an authentic-v message, reports party 1 is
malicious.
CSE 597E
Verifiable Secret Sharing
(Unfinished)