Secure Multi-Party Computation

1. Secure Multi-Party Computation A. Satapathy1 C. Soni2 1,2Information and Communication Laboratory Industrial Technology Research Institute Taiwan Under the guidance of Dr. Tzi-cker Chiueh 2017, September 8th A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 1 / 54

2. Outline 1 Introduction What is SMC SMC Models Type of Adversaries Applications 2 Goals and Actions Goals Actions 3 SMC Approaches Types of Operations Randomization Techniques Oblivious Transfer Cryptographic Techniques 4 Summary 5 References A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 2 / 54

4. What is SMC In Secure Multiparty Computation (SMC), multiple parties carry out computation over their conﬁdential data without any loss of data security/privacy. Let multiple parties P1, P2.....Pn want to perform computation Ci on their private data. D1, D2.....Dn be the data corresponding to P1, P2.....Pn. Di should not be accessible to any Pj during computation Ci where i=j and j = 1,2.....n A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 4 / 54

6. SMC Models Generally two model paradigms are popular Ideal model prototype of SMC Real model prototype of SMC Ideal model prototype of SMC is also called Uncorrupted Trusted Third Party (UTTP). Parties send their data to UTTP to perform computation. In real model prototype of SMC, no external party is used. Both parties agree on a protocol to preserve privacy and maintain correctness result. Let Di is private data of Pi, i = 1,2.....n. In ideal model, data are send to UTTP directly where as in real model, f(D1), f(D2).....f(Dn) exchange between the parties. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 6 / 54

7. SMC Models Ideal vs. Real Figure 1.1: Ideal model prototype of SMC Limitation UTTP turns corrupt, the privacy will be destroyed. It is costly due to the cost of working of the UTTP. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 7 / 54

8. SMC Models Ideal vs. Real Figure 1.2: Real model prototype of SMC Limitation Adversary (a party) can carry out attack in the real model. Attack can be passive or active. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 8 / 54

10. Type of Adversaries An adversary can be static or adaptive in nature. A static adversary is malicious in nature prior to the execution of protocol. An adaptive adversary is malicious during the execution of protocol. A semi-honest adversary follows the protocol but tries to learn other than the output of the computation. A corrupt or malicious adversary does not follows the protocol and tries to learn other than result. Note Diﬀerent SMC protocols have been developed to provide security against above adversaries. Some of them are Yao’s Garbled circuit, BGW, GMW etc. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 10 / 54

12. Applications Private Information Retrieval: Client requests the server to provide ith bit/word without the server knowing anything about it. Client is also not aware of bit/ word sequence. Privacy-Preserving Data Mining: One or multiple parties execute data mining operation on the private database of another party without knowing any details. Privacy-Preserving Database Query: One party has a string Si and other party has database D to be searched. Such that other party does not know about Si and ﬁrst one does not know about D. Privacy-Preserving Intrusion Detection: Party B enters the hacker’s information and searches A’s database, B only gets the comparison results. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 12 / 54

14. Goals Let Di is private data of Pi, i = 1,2.....n. Wish to perform a computation f(D1, D2.....Dn) = (Y1, Y2.....Yn). Yi is private output value for Pi. Correct: Parties correctly compute f. Privacy: For P1, P2.....Pn, each player’s input remains private. Output Delivery: Protocol never end until everyone receives an output. Fairness: If one party gets the answer, so does every one else. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 14 / 54

16. Actions 1 Data stored at remote site must be obscured. 2 Data must be obscured during transition. 3 Prevent information access pattern of data at remote site from adversaries. 4 Perform operation on obscured data at remote site. Note: All the above cases need not to be satisﬁed for all the SMC operations. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 16 / 54

18. Types of Operations Mainly three techniques are used for SMC Randomization methods Cryptographic techniques Anonymization methods In randomization methods, participants use random numbers for obscuring their input. In cryptographic techniques, secret input are encrypted at participants side. Computation is performed on encrypted data. In anonymization methods, the identity of the parties are hide rather than hiding individual parties’ data. It is the ideal model where TTP is used. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 18 / 54

20. Randomization Techniques Private Summation Protocol Private Summation Protocol: Parties use random numbers for obscuring their inputs. Perform computation over obscured inputs. Algorithm Given: Each party Pi with input Di step 1: Generate random number ri,j to its neighbour Pj. step 2: Wait for rj, i from each neighbour Pj. step 3: Compute Di ’ = Di + j rj,i - j ri,j. step 4: Publish Di ’ to each other. step 5: Output = i Di ’ A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 20 / 54

21. Randomization Techniques Private Summation Protocol Figure 3.1: Private summation protocol D1 ’ = D1 - r12 - r13 + r21 + r31 D2 ’ = D2 - r21 - r23 + r12 + r32 D3 ’ = D3 - r31 - r32 + r13 + r23 i Di ’ = i Di A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 21 / 54

22. Randomization Techniques Three Party Protocol Three Party Protocol: Source party uses a random number for obscuring the whole operation where f(D1, D2, D3) = D1D2D3. Algorithm Given: Parties P1, P2 and P3 have D1, D2, D3 respectively. step 1: P1 chooses a random number r1. step 2: Computes r1D1 and sends it to P2. step 3: P2 computes r1D1D2, sends to P3. step 4: P3 computes r1D1D2D3. sends to P1. step 5: P1 computes r1 -1(r1D1D2D3). Sends D1D2D3 to P2 and P3. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 22 / 54

23. Randomization Techniques Three Party Protocol Figure 3.2: Three party protocol Limitation No standardize algorithm for a single operation. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 23 / 54

25. Oblivious Transfer Oblivious Transfer (OT): It is a protocol where party P1 transfer many pieces of information to party P2 but remain oblivious about which piece of information retrieved by party P2. Figure 3.3: Blackbox of OT mechanism A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 25 / 54

26. Oblivious Transfer Figure 3.4: OT for private information retrieval A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 26 / 54

27. Oblivious Transfer Algorithm step 1: Alice (Party 1) and Bob (Party 2) agree upon shared input ’g’ and ’p’. step 2: Party 1 generates a random number ’a’ and computes A = gamod p. Sends index number of its messages m0 = 0, m1 = 1 with A to Party 2. step 3: Party 2 generates a random number ’b’ and computes B = gbmod p / A(gbmod p) based on its choice 0/1 and sends it to Party 1. Generate Ks = Abmod p. step 4: Party 1 generates K0 = Bamod p and K1 = (B/A)amod p. Sends EK0 (m0) and Ek1 (m1) to Party 2. step 5: Party 2 decrypts both messages using Ks. One gives valid output but another not. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 27 / 54

28. Oblivious Transfer Example Given: Alice’s m0 = 10, m1 = 12. step 1: Alice (Party 1) and Bob (Party 2) agree upon shared input g = 3 and p = 77. step 2: Party 1 generates a = 5 and computes A = 12. Sends index number of its messages m0 = 0, m1 = 1 with A to Party 2. step 3: Party 2 generates b = 4 and computes B = 4 / 48 based on its choice 0/1 and sends it to Party 1. Generate Ks = 23. step 4: If c = 0 at party 2, party 1 generates K0 = 23 and K1 = 0.0041. Sends EK0 (10) and Ek1 (12) to Party 2. step 5: Party 2 decrypts both messages using Ks. DKs (EK0 (10)) = 10, DKs (EK1 (12)) = garbage. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 28 / 54

30. Cryptographic Techniques Yao’s Garbled Circuit Yao’s Garbled Circuit: One of the protocol for secure m-party computation. Used to evaluate boolean function. Figure 3.5: Circuit diagram of D1∧D2∧D3 A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 30 / 54

31. Cryptographic Techniques Yao’s Garbled Circuit Yao’s Garbled Circuit: It is a 2-party computation protocol. It can be extended to m-party. Algorithm (2-party) Given: Digital Circuit. P1 is generator and P2 is evaluator. step 1: P1 generates GCT. Encrypts each row of GCT. step 2: P1 sends GCT and key associate with its input. step 3: P1 and P2 do oblivious transfer. P2 obtains the key associated with its input. step 4: P2 computes circuit output and sends to P1 A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 31 / 54

32. Cryptographic Techniques Yao’s Garbled Circuit Figure 3.6: Circuit diagram of x∧y Table 3.1: AND truth table and its GCT generation. x y z 0 0 0 0 1 0 1 0 0 1 1 1 x’ y’ z’ GCT Kx 0 Ky 0 0 EKx 0 (EKy 0 (0)) Kx 0 Ky 1 0 EKx 0 (EKy 1 (0)) Kx 1 Ky 0 0 EKx 1 (EKy 0 (0)) Kx 1 Ky 1 1 EKx 1 (EKy 1 (1)) Where Kx 0, Kx 1, Ky 0 and Ky 1 are random numbers generated by P1. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 32 / 54

33. Cryptographic Techniques Yao’s Garbled Circuit Table 3.2: Suﬄed GCT GCT EKx 0 (EKy 0 (0)) EKx 1 (EKy 1 (1)) EKx 1 (EKy 0 (0)) EKx 0 (EKy 1 (0)) P1 suﬄes the GCT. Send GCT and Kx a to P2. P2 does oblivious transfer for Ky b. P2 decrypts one row successfully. Send the output to P1. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 33 / 54

34. Cryptographic Techniques Yao’s Garbled Circuit Figure 3.7: Circuit diagram of x∧y Table 3.3: AND truth table and its GCT generation x y z 0 0 0 0 1 0 1 0 0 1 1 1 x’ y’ z’ GCT 3 7 0 E3(E7(0)) 3 9 0 E3(E9(0)) 5 7 0 E5(E7(0)) 5 9 1 E5(E9(1)) Where 3, 5, 7 and 9 are random numbers generated by P1. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 34 / 54

35. Cryptographic Techniques Yao’s Garbled Circuit Table 3.4: Suﬄed GCT GCT E3(E7(0)) E5(E9(1)) E5(E7(0)) E3(E9(0)) P1 suﬄes the GCT. Send GCT and 3 to P2. P2 does oblivious transfer for Ky b. If choice = 0 then 7 else 9 will be retrieved. P2 decrypts one row successfully. Send the output to P1. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 35 / 54

36. Cryptographic Techniques Yao’s Garbled Circuits Figure 3.8: Circuit diagram of D1∧D2∧D3 For 1st circuit, P1 is generator and P2 is evaluator. 2nd circuit, P2 is generator and P3 is evaluator. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 36 / 54

37. Cryptographic Techniques Yao’s Garbled Circuit Algorithm (3-party) Given: For digital Circuit C1, P1 is generator and P2 is evaluator. Digital Circuit C2, P2 is generator and P3 is evaluator. step 1: P1 generates GCT1. Encrypts each row of GCT1. step 2: P1 sends GCT1 and key associate with its input. step 3: P1 and P2 do oblivious transfer. P2 obtains the key associated with its input. step 4: P2 computes circuit output and one will be valid. step 5: Repeat step 1 to step 4 for circuit C2. step 6: P3 sends ﬁnal output to P1 and P2. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 37 / 54

38. Cryptographic Techniques Improved Yao’s Garbled Circuit (Basic GMW) Improved Yao’s Garbled Circuit: Another protocol for secure m-party computation. Used to evaluate both arithmatic and logical functions. Each party creates shares of its secret data based on number of parties’s involvement and distributes shares among the parties. After distribution, each party holds shares from diﬀerent parties only i.e. one share from each party. Parties perform computation on shares individually. Share their outputs to compute ﬁnal output. Yao’s backend circuit is mixture of additive (XOR) and/or multiplicate (AND) gates where intermediate outputs are also secretly shared. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 38 / 54

39. Cryptographic Techniques Improved Yao’s Garbled Circuit (Basic GMW) Algorithm (2-party) Given: Yao’s digital circuit. Parties P1 and P2 with secret ’u’ and ’v’. step 1: P1 creates two shares ’u1’ and ’u2’. step 2: Similar for P2 i.e.’v1’ and ’v2’ for ’v’. step 3: P1 and P2 exchange their shares with each other i.e. ’u2’ to P2 and ’v1’ to P1. step 4: P1 computes O1 = f(u1, v1) on its shares (u1, v1). Similar O2 = f(u2, v2) on P2’s shares (u2, v2). step 5: P1 and P2 share their outputs O1 and O2. step 6: At last, P1 and P2 compute ﬁnal output f(O1, O2). A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 39 / 54

40. Cryptographic Techniques Improved Yao’s Garbled Circuit (Basic GMW) Secret shares generation (2-party) Given: Parties P1 and P2 with secret ’7’ and ’9’ respectively. step 1: P1 selects a random no. ’3’ and computes (7 ⊕ 3) = 4. step 2: P2 selects a random no. ’5’ and computes (9 ⊕ 5) = 12. step 3: For P1, (u1, u2) = (3, 4). For P2, (v1, v2) = (5, 12). step 4: P1 sends ’u2 = 4’ to P2 and P2 sends ’v1 = 5’ to P1. step 5: After exchange, P1 holds (u1, v1) = (3, 5) and P2 holds (u2, v2) = (4, 12). Note Finally, P1 and P2 have (3, 5) and (4, 12) respectively. Nothing else. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 40 / 54

41. Cryptographic Techniques Improved Yao’s Garbled Circuit (Basic GMW) Addition Gate (XOR): w = u ⊕ v. (u and v are from P1 and P2) Figure 3.9: Addition over secret inputs A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 41 / 54

42. Cryptographic Techniques Improved Yao’s Garbled Circuit (Basic GMW) Example (2-party Addition) Given: From prev. example, P1’s secret shares (u1, v1) = (3, 5) and P2’s secret shares (u2, v2) = (4, 12). step 1: P1 performs (u1 ⊕ v1) = (3 ⊕ 5) = 6. step 2: P2 performs (u2 ⊕ v2) = (4 ⊕ 12) = 8. step 3: Both P1 and P2 share their outputs. 6 to P2 and 8 to P1. step 4: P1 computes (6 ⊕ 8) = 14. <ﬁnal output>. step 5: P2 computes (6 ⊕ 8) = 14. <ﬁnal output>. Note Final output 14, same as XOR of P1’s and P2’s input (7 ⊕ 9) = 14. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 42 / 54

43. Cryptographic Techniques Improved Yao’s Garbled Circuit (Basic GMW) Multiplication Gate (AND): w = u.v = (u1 ⊕ u2).(v1 ⊕ v2) = (xn...x2x1 ⊕ yn...y2y1).(tn...t2t1 ⊕ zn...z2z1) [u, v = inputs from P1, P2, where u1 = xn...x2x1 (Binary Representation). Similarly u2, v1, v2 = yn...y2y1, tn...t2t1, zn...z2z1] Here, one party generates all possible output which is called generator. Suppose P1 is generator. It generates (w00, w01, w11, w10). wab = wi ⊕ (xi ⊕ yi).(ti ⊕ zi) [wi = xi ⊕ ti] Other party P2 is the evaluator, retrieves correct output based on its secret shares (yi, zi) using oblivious transfer. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 43 / 54

44. Cryptographic Techniques Improved Yao’s Garbled Circuit (Basic GMW) At Generator (P1): Known (xi, ti). Table 3.5: GCT generation index (yi, zi) wab 1 (0, 0) w00 = (xi ⊕ ti) ⊕ (xi ⊕ 0).(ti ⊕ 0) 2 (0, 1) w01 = (xi ⊕ ti) ⊕ (xi ⊕ 0).(ti ⊕ 1) 3 (1, 1) w11 = (xi ⊕ ti) ⊕ (xi ⊕ 1).(ti ⊕ 1) 4 (1, 0) w10 = (xi ⊕ ti) ⊕ (xi ⊕ 1).(ti ⊕ 0) Transfers index numbers 1, 2, 3, 4 with wi to P2. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 44 / 54

45. Cryptographic Techniques Improved Yao’s Garbled Circuit (Basic GMW) At Evaluator (P2): If choice = 1 then w00, output wi ⊕ w00 = w. If choice = 2 then w01, output wi ⊕ w01 = w. If choice = 3 then w11, output wi ⊕ w11 = w. If choice = 4 then w10, output wi ⊕ w10 = w. Based on the choice, corresponding output will be correctly retrieved others will be garbage. It has to follow same procedure as in slide 26. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 45 / 54

46. Cryptographic Techniques Improved Yao’s Garbled Circuit (Basic GMW) Example (2-party Multiplication) Known: P1’s (u1, v1) = (3, 5) = (0011, 0101) step 1: Start from LSB of u1 and v1. (x1, t1) = (1, 1) step 2: P1 generates wab. (w00, w01, w11, w10) = (1, 0, 0, 0). step 3: P1 and P2 use oblivious transfer as in slide 26. Here P1 has (w00, w01, w11, w10) step 4: P1 transfers index numbers 1, 2, 3, 4 with w1 = 0 to P2. step 5: At P2, (u2, v2) = (4, 12) = (0100, 1100). As, (y1, z1) = (0, 0) so, choice = 1. step 6: P2 successfully retrieves w00 = 1. Final O/P bit = 0 ⊕ 1 = 1. step 7: Repreat above steps until (xi, ti) = (x4, t4). A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 46 / 54

47. Cryptographic Techniques Improved Yao’s Garbled Circuit (Basic GMW) Figure 3.10: Digital circuit of full adder (P1 + P2) In Yao’s circuit, OR gate will be replaced by AND and XOR gates. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 47 / 54

48. Cryptographic Techniques Improved Yao’s Garbled Circuit (Basic GMW) As discuss eariler, parties inputs and intermediate outputs are secretly shared between parties. Figure 3.11: Yao’s circuit representation of full adder (P1 + P2) For each XOR and AND gate, result is computed as discussed eariler. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 48 / 54

49. Cryptographic Techniques Improved Yao’s Garbled Circuit (Basic GMW) Figure 3.12: Digital circuit of full adder (P1 + P2 + P3). In Yao’s circuit, OR gates will be replaced by AND and XOR gates. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 49 / 54

50. Cryptographic Techniques Improved Yao’s Garbled Circuit (Basic GMW) For each XOR and AND gate, result is computed as discussed eariler. Here, inputs including intermediate outputs are secretly shared. Figure 3.13: Yao’s circuit representation of full adder (P1 + P2 + P3). A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 50 / 54

51. Summary We discussed 1 Secure multi-party computation (SMC), SMC models and its applications. 2 Type of adversaries such as static, adaptive, semi-honest and malicious adversaries. 3 Goals and actions are required to achieve SMC. 4 Diﬀerent types of SMC operations, mainly randomization and cryptographic techniques with examples. 5 At last, improved Yao’s garbled circuit protocol and its circuit representation. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 51 / 54

52. References S. Shukla, ”Secure Multi-Party Computation (SMC): A Review”, in International Conference on Communication, Computing and Information Technology (ICCCMIT), Chennai, 2012. S. Hohenberger, ”Secure Multiparty Computation”, 2007. G. Kreitz, ”Secure Multi-Party Computation”, KTH - Royal Institute of Technology, 2012. J. Covington and M. Golbek, ”Secure Multiparty Computation”, Oregon State University, 2015. B. Buchanan, Oblivious Transfer. 2016. Simons Institute for the Theory of Computing, The Simplest Oblivious Transfer Protocol. 2015. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 52 / 54

53. References P. Snyder, ”Yaos Garbled Circuits: Recent Directions and Implementations.” K. Gkikas, ”Yaos Garbled Circuit”, 2014. R. Canetti and A. Rosen, ”General secure two party and multi party computation”, 2009. A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 53 / 54

54. To be Continued ... A. Satapathy, C. Soni Secure Multi-Party Computation 2017, September 8th 54 / 54

Secure Multi-Party Computation

Secure Multi-Party Computation

Recommended

More Related Content

What's hot

What's hot(20)

Similar to Secure Multi-Party Computation

Similar to Secure Multi-Party Computation(20)

Recently uploaded

Recently uploaded(20)

Secure Multi-Party Computation