Lecture 10 - Multi-Party Computation Protocols

Lecture 10 Multi-party Computation Protocols Stefan Dziembowski University of Rome La Sapienza

Plan ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Multi-party computations (MPC) P 5 P 1 P 3 P 2 P 4 input a 1 input a 2 input a 3 input a 4 input a 5 they want to compute some value f(a 1 ,a 2 ,a 3 ,a 4 ,a 5 ) for a publicly-known f . a group of parties: Before we considered this problem for n = 2 parties. Now, we are interested in arbitrary groups of n parties. output f(a 1 ,a 2 ,a 3 ,a 4 ,a 5 )

Examples P 5 P 1 P 3 P 2 P 4 input a 1 input a 2 input a 3 input a 4 input a 5 Another example: voting A group of millionaires wants to compute how much money they own together . f(a 1 ,a 2 ,a 3 ,a 4 ,a 5 ) = a 1 +a 2 +a 3 +a 4 +a 5

The general settings P 5 P 1 P 3 P 2 P 4 Each pair of parties is connected by a secure channel . (assume also that the network is synchronous ) Some parties may be corrupted . The corrupted parties may act in coalition .

How to model the coalitions of the corrupted parties? ,[object Object],[object Object],what it means depends on the settings

Threshold adversaries In the two-party case we considered an adversary that could corrupt one of the players. Now, we assume that the adversary can corrupt some subset of the players . The simplest case: set some threshold t < n and allow the adversary to corrupt up to t players .

Example ,[object Object],P 5 P 1 P 3 P 2 P 4

Types of adversaries all those choices make sense! ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],computationally bounded infinitely powerful passive active

Adaptivness ,[object Object],[object Object],[object Object]

The security definition ,[object Object],[object Object],[object Object],A B f(A,B) f(A,B) A B f(A,B) f(A,B) A f(A,B) f(A,B) B protocol π “ ideal” scenario “ real” scenario

The “real scenaro” P 5 P 1 P 3 P 2 input a 1 input a 2 input a 3 input a 4 input a 5 output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) P 4 protocol π

The “ideal” scenario P 5 P 1 P 3 P 2 input a 1 input a 2 input a 3 input a 4 input a 5 output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) output: f(a 1 ,...,a 5 ) P 4 computes f

Classical results ,[object Object],[object Object],[object Object],(Turns out that the adaptivness doesn’t matter) (these are tight bounds) setting adversary type condition computational passive t < n computational active t < n/2 information-theoretic passive t < n/2 information-theoretic active t < n/3 this can be improved to t < n/2 if we add a “broadcast channel” this can be improved to t < n if we give up “fairness”

Example of a lower bound ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

the “internal” messages are not sent outside the “external” messages are exchanged between Alice and Bob P 1 input a 1 P 2 input a 2 P 3 input a 3 input a 4 P 4 input a 5 P 5 input a 6 P 6 input a 7 P 7 input a 8 P 8 simulates with a 5 :=B a 6 := a 7 := a 8 := 1 simulates with a 1 :=A a 2 := a 3 := a 4 := 1

Correctness? ,[object Object],[object Object],[object Object]

Why is this protocol secure? ,[object Object],[object Object]

A broadcast channel P 5 P 1 P 3 P 2 P 4 m m m m Every player receives to same message (even if the sender is malicious). m m

Broadcast channel vs. byzantine agreement ,[object Object],[object Object],[object Object]

Fact In the information-theoretic settings : A broadcast channel can be “emulated” by a multiparty protocol.

On the other hand ,[object Object],P 5 P 1 P 3 P 2 input m output: m output: m output: m output: m output: m P 4 So, this is the reason, why in the information theoretic, active case we have t < n/3

Idea ,[object Object],[object Object],setting adversary type condition information-theoretic passive t < n/2 information-theoretic active t < n/3 information-theoretic (with broadcast) active t < n/2

How to construct such protocols? usually : arithmetic circuit over some field ,[object Object],[object Object],[object Object],[object Object],[object Object]

Fields ,[object Object],[object Object],[object Object],[object Object],Examples of fields : real numbers, Z p for prime p . Polynomials over any field have many intuitive properties of the polynomials over the reals.

Arithmetic circuits a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 + * + + + * * + * * c 1 * c 2 c 5 c 4 c 3 input gates output gates multplication gates addition gates

How to share a secret? ,[object Object],[object Object],[object Object],[object Object]

m -out-of- n secret sharing dealer’s secret S S 1 S 5 S 3 S 2 S 4 ,[object Object],[object Object],[object Object],( n = 5) we will have m = t+1

[object Object],[object Object],[object Object],[object Object],[object Object],matching m -out-of- n secret sharing – more formally

Shamir’s secret sharing [1/2] 1 2 3 n . . . f(1) f(n) f(3) f(2) P 1 P 2 P 3 P n . . . s 0 Suppose that s is an element of some finite field F , such that |F| > n f – a random polynomial of degree m-1 over F such that f(0) = s sharing:

[object Object],Shamir’s secret sharing [2/2] reconstruction: security: One can show that f(i 1 ),...,f(i m-1 ) are independent on f(0) .

How to construct a MPC protocol on top of Shamir’s secret sharing? ,[object Object],[object Object],[object Object]

Polynomials are homomorphic with respect to addition 1 2 n . . . f(1) f(n) f(3) s 0 t g(1) g(3) g(n) s + t f(1) + g(1) f(3) + g(3) f(n) + g(n) degree t degree t degree t

Addition sharing secret a sharing secret b sharing secret a+b The parties can compute it non-interactively, by adding their shares locally!

How can we use it? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

A protocol for f(a 1 ,...,a n ) := a 1 + · · · + a n ,[object Object],[object Object],a 1 1 ... a i 1 ... a n 1 ... ... ... a 1 j a i j a n j ... ... ... a 1 n ... a i n ... a n n

[object Object],this is what P j received in Step 1 a 1 1 ... a i 1 ... a n 1 ... ... ... a 1 j a i j a n j ... ... ... a 1 n ... a i n ... a n n

The final steps: ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

How to construct a protocol for any function ,[object Object],[object Object],[object Object],[object Object],[object Object]

General adversary structures Sometimes assuming that the adversary can corrupt up to t parties is not general enough. It is better to consider arbitrary coalitions of the sets of parites that can be corrupted.

Adversary structures ,[object Object],[object Object],[object Object],[object Object],This property is called monotonicity . Because of this, to specify Δ it is enough to specify a set M of its maximal sets . We will also say that M induces Δ .

Q2 and Q3 structures ,[object Object],[object Object],[object Object],[object Object],[object Object]

A generalization of the classical results [Martin Hirt, Ueli M. Maurer: Player Simulation and General Adversary Structures in Perfect Multiparty Computation . J. Cryptology, 2000] setting adversary type condition generalized condition information-theoretic passive t < n/2 Q2 information-theoretic active t < n/3 Q3 information-theoretic with broadcast active t < n/2 Q2

There is one problem, though... ,[object Object],[object Object],[object Object]

Why? {P 1 ,...,P n } (suppose n is even) X := family of sets of cardinality n/2 inclusion is a partial order on the set of subsets of {P 1 ,...,P n }

On the other hand... ,[object Object],[object Object],( X := family of sets of cardinality n/2 )

So, we have a problem, because ,[object Object],[object Object],[object Object],[object Object]

What to do? ,[object Object],[object Object],[object Object]

Practical implementation ,[object Object],[object Object]

Other applications ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

© 2009 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation .

Lecture 10 - Multi-Party Computation Protocols

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Lecture 10 - Multi-Party Computation Protocols

Similar to Lecture 10 - Multi-Party Computation Protocols (20)

Lecture 10 - Multi-Party Computation Protocols