Hyper-Invertible Matrices and Applications

Transcription

1 Hyper-Invertible Matrices and Applications Martin Hirt ETH Zurich Theory and Practice of MPC, Aarhus, June 2012

2 Outline Hyper-Invertible Matrices Motivation Definition & Properties Construction Applications Conclusions

3 How can n parties generate random values? Model n parties, t are bad aim for random shared values (sharing doesn t matter) Approach 1 1. Every P i shares random value x i 2. y = n Only one good sharing from n sharings x i i=1 Approach 2 1. Every P i shares random value x i 2. y 1 = λ 1i x i, y 2 = λ 2i x i,... i i How many good sharings from n sharings? Best we can hope for: n t

4 More Abstractly... Given: n values x 1 x 2 x 3 x 4 x 5... x n where n t values are good (e.g. uniformly random), t values are bad (e.g. chosen by adversary). Goal: Find (the) n t good values Goal : Find y 1,..., y n t which are as good as x 2, x 5,..., x n. y 1 y 2. y n t y n t+1. y n = Hyper-Invertible Matrix x 1 x 2 x 3 x 4 x 5. x n

5 Hyper-Invertible Matrix The Definition Def: M is hyper-invertible : every square sub-matrix M C R λ 11 λ 12 λ 13 λ 1n λ 21 λ 22 λ 23 λ 2n.. λ m1 λ m2 λ m3 λ mn is invertible. Note: Cf. Parity-check matrix of MDS-Codes, Cauchy matrices,...

6 Properties (1/2) Property 1: Given some x j -s and some y i -s (in total n values), one can compute all other x j -s and y i -s. y 1 y 2 y m = M x 1 x 2 x n Lemma 1: Given HIM M, index sets C {1... n}, R {1... m} with ( C = R. Then given x C, ) ( y R one can compute x C, ) y R. Proof: 1. y R = M R x = M C R x C + MR C x C 2. ) 1 ( x C = y R MR C ) x C ( M C R

7 Properties (1/2) Property 1: Given some x j -s and some y i -s (in total n values), one can compute all other x j -s and y i -s. y 1 y 2 y m = M x 1 x 2 x n Lemma 2: Given matrix M. If for all C {1... n}, R {1... m} with C = R one can compute x C from ( x C, y R ), then M is HIM. Proof: Invert M C R as follows: 1. Given y R. Let x C = 0 2. Can compute x C ( MR C ) 1

8 Properties (2/2) Property 2: Fix k values, then there is a bijection from any n k values to any other n k values. y 1 y 2 y m = M x 1 x 2 x n

9 The Construction Idea: Construct mapping (x 1,.., x n ) (y 1,.., y m ) with Property 1. Construction 1. fix values α 1,..., α n, β 1,..., β m in F 2. let polynomial f(z) s.t. f(α j ) = x j j 3. compute y i = f(β i ) i Formally f(z) = n j=1 n k=1 k j z α k α j α k x j y i = f(β i ) = M := [ λ i,j ] n j=1 n β i α k α j α k k=1 k j }{{} λ i,j x j = n j=1 λ i,j x j

10 The Field The Field Size Previous construction requires F n + m. Easy patch: F = n + m 1. Lower Bounds (Conjecture) F = n + m 1 is optimal for F = GF(2 k ) But: is HIM over GF(4) (though m + n 1 = 5)

11 Randomness Extraction Passive Security Model n parties, t are bad (passive only) aim for random shared values given n n hyper-invertible matrix M Protocol 1. Every P i shares random value x i [x i ] 2. ([y 1 ],..., [y n ]) = M([x 1 ],..., [x n ]) 3. Output [y 1 ],..., [y n t ] Analysis Adversary A {1,..., n}, A = t, hence knows [x] A. Prop. 2: Fix A, [x] A, mapping [x] A [y] {1,...,n t} is bijective.

12 Randomness Extraction Active Security Attempt #1 Model n parties, t are bad (active) Protocol Every P i VSSes random value x i [x i ]... Analysis works, but complicated & inefficient

13 Randomness Extraction Active Security Attempt #2 Model n parties, t are bad (active) detectable security (cf player elimination / dispute control) Protocol 1. Every P i passively shares random x i [x i ] 2. ([y 1 ],..., [y n ]) = M([x 1 ],..., [x n ]) 3. Reconstruct and check degree of [y 1 ],..., [y t ] 4. Output [y t+1 ],..., [y n t ] Analysis Adversary A {1,..., n}, A = t; H A, H = n 2t. Prop. 1: Degrees of [x] A and [y] {1,...,t} ok all degrees ok. Prop. 2: Fix A, [x] A, y {1,...,t}, bij. mapping [x] H [y] {t+1,...,n t}.

14 Randomness Extraction Active Security Attempt #3 Protocol 1. Every P i passively shares random x i [x i ] 2. ([y 1 ],..., [y n ]) = M([x 1 ],..., [x n ]) 3. For i = 1,..., 2t, have P i check degree of [y i ] 4. Output [y 2t+1 ],..., [y n ] Analysis Adversary A {1,..., n}, A = t; H A, H = n 2t. Prop. 1: Degrees of [x] A and [y] {1,...,2t} A ok all degrees ok. Prop. 2: Fix A, [x] A, [y] {1,...,2t} A, Efficiency mapping [x] H [y] {2t+1,...,n} is bijective. n passive sharings n 2t good random sharings

15 Enhanced Checks Example: Random Zero-Sharings [0] 1. Every P i passively shares x i = 0 [x i ] 2. ([y 1 ],..., [y n ]) = M([x 1 ],..., [x n ]) 3. For i = 1,..., 2t, have P i check degree of [y i ] and y i? = Output [y 2t+1 ],..., [y n ] Analysis Adversary A {1,..., n}, A = t Prop. 1: If [x] A and [y] {1,...,2t} A have right degree and share 0 all sharings have right degree and share 0.

16 Enhanced Checks More Abstractly Requirements Goodness must be linear: x 1 and x 2 good x 1 + x 2 good. ( ) ( ) Remember: [x]a, [y] {t+1,...,n} = L [x]a, [y] {1,...,t} Badness does not need to be linear. Examples Sharings [x i ] of degree t Sharings [x i ] of degree t and x i = 0 Shared random bits [b i ] over GF(2 k ). Double-sharings [x i ], [y i ] of degrees t, 2t, resp., and x i = y i....

17 Perfect MPC with Active Security Model n parties, t < n/3 actively corrupted secure channels model (w/o broadcast) Achievements O(nκ) bits for multiplying two κ-bit values Tools Use HIM to generate random [x], [y] of degree t,2t and x = y. Mult.: P i compute v i = a i b i y i, reconstruct v, use [x] v for [ab]. Beaver s circuit randomization + Player Elimination

18 Conclusions Hyper-Invertible Matrices easy to construct very good diffusing properties perfect security, no probabilities Applications extract randomness (propagate good properties) check consistency (concentrate bad properties) linear-complexity perfectly-secure MPC, very small overhead many more?