0
Upcoming SlideShare
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Standard text messaging rates apply

# Lecture 10 - Multi-Party Computation Protocols

643

Published on

Lecture 10 - Multi-Party Computation Protocols

Lecture 10 - Multi-Party Computation Protocols

1 Like
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

Views
Total Views
643
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
36
0
Likes
1
Embeds 0
No embeds

No notes for slide

### Transcript

• 1. Lecture 10 Multi-party Computation Protocols Stefan Dziembowski University of Rome La Sapienza
• 2. Plan
• Definitions and motivation
• Security against the threshold adversaries
• overview of the results
• overview of the constructions
• Applications
• 3. Multi-party computations (MPC) P 5 P 1 P 3 P 2 P 4 input a 1 input a 2 input a 3 input a 4 input a 5 they want to compute some value f(a 1 ,a 2 ,a 3 ,a 4 ,a 5 ) for a publicly-known f . a group of parties: Before we considered this problem for n = 2 parties. Now, we are interested in arbitrary groups of n parties. output f(a 1 ,a 2 ,a 3 ,a 4 ,a 5 )
• 4. Examples P 5 P 1 P 3 P 2 P 4 input a 1 input a 2 input a 3 input a 4 input a 5 Another example: voting A group of millionaires wants to compute how much money they own together . f(a 1 ,a 2 ,a 3 ,a 4 ,a 5 ) = a 1 +a 2 +a 3 +a 4 +a 5
• 5. The general settings P 5 P 1 P 3 P 2 P 4 Each pair of parties is connected by a secure channel . (assume also that the network is synchronous ) Some parties may be corrupted . The corrupted parties may act in coalition .
• 6. How to model the coalitions of the corrupted parties?
• We assume that there exists one adversary that can corrupt several parties.
• Once a parity is corrupted the adversary “takes control over it”.
what it means depends on the settings
• 7. Threshold adversaries In the two-party case we considered an adversary that could corrupt one of the players. Now, we assume that the adversary can corrupt some subset of the players . The simplest case: set some threshold t < n and allow the adversary to corrupt up to t players .
• 8. Example
• n = 5, t = 2
P 5 P 1 P 3 P 2 P 4
• 9. Types of adversaries all those choices make sense!
• As before, the adversary can be:
• computationally bounded , or
• infinitely powerful ,
• and
• passive
• active
• These choices are orthogonal!
computationally bounded infinitely powerful passive active
• adaptive – he may decide whom to corrupt during the execution of the protocol , or
• non-adaptive – he has to decide whom to corrupt, before the execution starts .
• 11. The security definition
• The security definition is complicated and we do not present it here.
• Main intuition: the adversary should not be able to do more damage in the “real” scenario than he can in the “ideal” scenario .
• Remember the two-party case ?
A B f(A,B) f(A,B) A B f(A,B) f(A,B) A f(A,B) f(A,B) B protocol π “ ideal” scenario “ real” scenario
• 12. The “real scenaro” P 5 P 1 P 3 P 2 input a 1 input a 2 input a 3 input a 4 input a 5 output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) P 4 protocol π
• 13. The “ideal” scenario P 5 P 1 P 3 P 2 input a 1 input a 2 input a 3 input a 4 input a 5 output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) P 4 computes f
• 14. Plan
• Definitions and motivation
• Security against the threshold adversaries
• overview of the results
• overview of the constructions
• Applications
• 15. Classical results
• Question :
• For which values of the parameter t multi-party computations are possible (for every poly-time computable function f )?
• n – the number of players
(Turns out that the adaptivness doesn’t matter) (these are tight bounds) setting adversary type condition computational passive t < n computational active t < n/2 information-theoretic passive t < n/2 information-theoretic active t < n/3 this can be improved to t < n/2 if we add a “broadcast channel” this can be improved to t < n if we give up “fairness”
• 16. Example of a lower bound
• information-theoretic, passive: t < n/2
• Suppose n=8 and t=4
• Suppose we have a protocol for computing
• f(a 1 ,a 2 ,a 3 ,a 4 ,a 5 ,a 6 ,a 7 ,a 8 ) = a 1  a 2  a 3  a 4  a 5  a 6  a 7  a 8
• We show an information-theoretically secure 2-party protocol for computing
• F(A,B) = A  B
• After showing this we will be done, since we know it’s impossible!
• 17. the “internal” messages are not sent outside the “external” messages are exchanged between Alice and Bob P 1 input a 1 P 2 input a 2 P 3 input a 3 input a 4 P 4 input a 5 P 5 input a 6 P 6 input a 7 P 7 input a 8 P 8 simulates with a 5 :=B a 6 := a 7 := a 8 := 1 simulates with a 1 :=A a 2 := a 3 := a 4 := 1
• 18. Correctness?
• At the end of the execution of the simulated protocol Alice and Bob know
• f(A,1,1,1,B,1,1,1) = A  B
• So they have computed F .
• 19. Why is this protocol secure?
• If the adversary corrupted Alice or Bob then he “corrupted” exactly t=4 parties.
• From the security of the MPC protocol the “new” 2-party protocol is also secure!
• 20. A broadcast channel P 5 P 1 P 3 P 2 P 4 m m m m Every player receives to same message (even if the sender is malicious). m m
• 21. Broadcast channel vs. byzantine agreement
• If t < n/2 and the broadcast channel is available then the byzantine agreement can be achieved as follows:
• every party P i broadcasts her input s i
• the majority of the broadcasted values is the agreed value.
• 22. Fact In the information-theoretic settings : A broadcast channel can be “emulated” by a multiparty protocol.
• 23. On the other hand
• A trusted party can “emulate” a broadcast channel:
P 5 P 1 P 3 P 2 input m output: m output: m output: m output: m output: m P 4 So, this is the reason, why in the information theoretic, active case we have t < n/3
• 24. Idea
• Allow the parties to use a broadcast channel.
• We get:
setting adversary type condition information-theoretic passive t < n/2 information-theoretic active t < n/3 information-theoretic (with broadcast) active t < n/2
• 25. Plan
• Definitions and motivation
• Security against the threshold adversaries
• overview of the results
• overview of the constructions
• Applications
• 26. How to construct such protocols? usually : arithmetic circuit over some field
• The general scheme is like in the two-party case:
• Represent the function as a circuit .
• Let every party “share” her input with the other parties.
• Evaluate the circuit gate-by-gate (maintaining the invariant that the values of the intermediary gates are shared between the parties)
• Reconstruct the output .
• 27. Fields
• A field is a set F with operations + and · , and an element 0 such that
• F is an abelian group with the operation + ,
• F {0} is an abelian group with the operation · ,
• [distributivity of multiplication over addition] : For all a, b and c in F , the following equality holds: a · (b + c) = (a · b) + (a · c) .
Examples of fields : real numbers, Z p for prime p . Polynomials over any field have many intuitive properties of the polynomials over the reals.
• 28. Arithmetic circuits a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 + * + + + * * + * * c 1 * c 2 c 5 c 4 c 3 input gates output gates multplication gates addition gates
• 29. How to share a secret?
• Informally :
• We want to share a secret s between a group of parties, in such a way that:
• any set of up to t corrupted parties has no information on s , and
• even if t parties refuse to cooperate we can still reconstruct the secret s .
• 30. m -out-of- n secret sharing dealer’s secret S S 1 S 5 S 3 S 2 S 4
• Every set of at least m players can reconstruct S .
• Any set of less than m players has no information about S .
• note : this primitive assumes that the adversary is passive
( n = 5) we will have m = t+1
• 31.
• Every secret sharing protocol consists of
• a sharing procedure: (S 1 ,...,S n ) = share(S)
• a reconstruction procedure: for any i 1 ,..,i m we have S = reconstruct(S i 1 ,...,S i m )
• a security condition : for every S,S ’ and every i 1 ,..,i m-1 : (S i 1 ,...,S i m-1 ) and (S’ i 1 ,...,S’ i m-1 ) are distributed indentically, where:
• (S 1 ,...,S n ) := share(S) and (S’ 1 ,...,S’ n ) := share(S’)
matching m -out-of- n secret sharing – more formally
• 32. Shamir’s secret sharing [1/2] 1 2 3 n . . . f(1) f(n) f(3) f(2) P 1 P 2 P 3 P n . . . s 0 Suppose that s is an element of some finite field F , such that |F| > n f – a random polynomial of degree m-1 over F such that f(0) = s sharing:
• 33.
• Given f(i 1 ),...,f(i m ) one can interpolate the polynomial f in point 0 .
Shamir’s secret sharing [2/2] reconstruction: security: One can show that f(i 1 ),...,f(i m-1 ) are independent on f(0) .
• 34. How to construct a MPC protocol on top of Shamir’s secret sharing?
• Observation
• Why? : because polynomials are homomorphic with respect to addition.
• 35. Polynomials are homomorphic with respect to addition 1 2 n . . . f(1) f(n) f(3) s 0 t g(1) g(3) g(n) s + t f(1) + g(1) f(3) + g(3) f(n) + g(n) degree t degree t degree t
• 36. Addition sharing secret a sharing secret b sharing secret a+b The parties can compute it non-interactively, by adding their shares locally!
• 37. How can we use it?
• We can construct a protocol for computing
• f(a 1 ,...,a n ) := a 1 + · · · + a n
• This protocol will be secure against an adversary that
• corrupts up to t parties and is
• passive , and
• information-theoretic .
• 38. A protocol for f(a 1 ,...,a n ) := a 1 + · · · + a n
• Each party P i shares her input using a (t+1) -out-of- n Shamir’s secret sharing. Let a i 1 ,...,a i n be the shares.
• Therefore at the end we have quadratic number of shares
a 1 1 ... a i 1 ... a n 1 ... ... ... a 1 j a i j a n j ... ... ... a 1 n ... a i n ... a n n
• 39.
• Each P j computes a sum of the shares that he received
this is what P j received in Step 1 a 1 1 ... a i 1 ... a n 1 ... ... ... a 1 j a i j a n j ... ... ... a 1 n ... a i n ... a n n
• 40. The final steps:
• Each party P j broadcasts b j
• Every party can now reconstruct
• f(a 1 ,...,a n ) := a 1 + · · · + a n
• by interpolating the shares
• b 1 ,..., b n
• It can be shown that no coalition of up to t parties can break the security of the protocol.
• (Even if they are infinitely-powerful)
• 41. How to construct a protocol for any function
• Polynomials are homomorphic also with respect to multiplication.
• Problem
• The degree gets doubled...
• Hence, the construction of such protocols is not-trivial.
• But it is possible!
• 42. Plan
• Definitions and motivation
• Security against the threshold adversaries
• overview of the results
• overview of the constructions
• Applications
• 43. General adversary structures Sometimes assuming that the adversary can corrupt up to t parties is not general enough. It is better to consider arbitrary coalitions of the sets of parites that can be corrupted.
• 44. Example of coalitions
• Δ is an adversary structure over the set of players {P 1 ,...,P n } if:
• Δ  2 {P 1 ,...,P n }
• and for every A  Δ
• if B  A then B  Δ
This property is called monotonicity . Because of this, to specify Δ it is enough to specify a set M of its maximal sets . We will also say that M induces Δ .
• 46. Q2 and Q3 structures
• We say that A is a Δ -adversary if he can corrupt only the sets in Δ .
• How to generalize the condition that t < n/2 ?
• We say that a structure Δ is Q2 if
• What about “ t < n/3 ”?
• We say that a structure Δ is Q3 if
• 47. A generalization of the classical results [Martin Hirt, Ueli M. Maurer: Player Simulation and General Adversary Structures in Perfect Multiparty Computation . J. Cryptology, 2000] setting adversary type condition generalized condition information-theoretic passive t < n/2 Q2 information-theoretic active t < n/3 Q3 information-theoretic with broadcast active t < n/2 Q2
• 48. There is one problem, though...
• What is the total number of possible adversary structures?
• Fact
• It is doubly-exponential in the number of players.
• 49. Why? {P 1 ,...,P n } (suppose n is even) X := family of sets of cardinality n/2 inclusion is a partial order on the set of subsets of {P 1 ,...,P n }
• 50. On the other hand...
• Every subset of X induces a different adversary structure.
• Hence the set of all adversary structures has cardinality at least:
( X := family of sets of cardinality n/2 )
• 51. So, we have a problem, because
• On the other hand
• The number of poly-time protocols is just exponential in the size of the input.
• Hence
• If the number of players is super-logarithmic, we cannot hope to have a poly-time protocol for every adversary structure.
• 52. What to do?
• Consider only those adversary structure that “can be represented in polynomial space”.
• For example see:
• Ronald Cramer, Ivan Damgård, Ueli M. Maurer: General Secure Multi-party Computation from any Linear Secret-Sharing Scheme. EUROCRYPT 2000:
• 53. Plan
• Definitions and motivation
• Security against the threshold adversaries
• overview of the results
• overview of the constructions