Secure Multiparty Computation

Transcription

1 CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong

2 Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation Problem and security definitions General constructions

3 Basic notation Plaintext (m): the original message Ciphertext (c): the coded message Secret key (k): info used in cipher known only to sender/receiver Encryption function E k (m): performs substitutions/ transformations on plaintext Decryption function D k (c): inverse of encryption algorithm Efficiency: functions E K and D K should have efficient algorithms Consistency: Decrypting the ciphertext yields the plaintext D K (E K (m)) = m

4 Operational model of encryption m plaintext E E k (m) ciphertext D D k (E k (m)) = m k encryption key attacker k decryption key 4 Kerckhoff s assumption: attacker knows E and D attacker doesn t know the (decryption) key attacker s goal: to systematically recover plaintext from ciphertext to deduce the (decryption) key attack models: ciphertext-only known-plaintext (adaptive) chosen-plaintext (adaptive) chosen-ciphertext

5 Symmetric Encryption or conventional / secret-key / single-key sender and recipient share a common key Scenario: Alice wants to send a message (plaintext P) to Bob The communication channel is insecure and can be eavesdropped If Alice and Bob have previously agreed on a symmetric encryption scheme and a secret key K, the message can be sent encrypted (ciphertext C)

6 Symmetric Key Cryptography K A-B K A-B plaintext message, m encryption algorithm ciphertext decryption plaintext algorithm c=k A-B (m) K (m) m = K ( ) A-B A-B symmetric key crypto: Bob and Alice share know same (symmetric) key: K A-B

7 Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computations Problem and security definitions General constructions

8 Private-Key Cryptography traditional private/secret/single key cryptography uses one key Sender and receiver must share the same key needs secure channel for key distribution impossible for two parties having no prior relationship if this key is disclosed communications are compromised also is symmetric, parties are equal hence does not protect sender from receiver forging a message & claiming is sent by sender

9 Public-Key Cryptography uses two keys a public & a private key asymmetric since parties are not equal complements rather than replaces private key crypto neither more secure than private key (security depends on the key size for both) nor do they replace private key schemes (they are too slow to do so)

10 Public-Key Cryptography public-key/two-key/asymmetric cryptography involves the use of two keys: a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures Encryption: c = E pk (m) Decryption: m = D sk (c) is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures

11 Public-Key Cryptography

12 Public-Key Characteristics Public-Key algorithms rely on two keys with the characteristics that it is: computationally infeasible to find decryption key knowing only algorithm & encryption key computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known either of the two related keys can be used for encryption, with the other used for decryption (in some schemes) Many can encrypt, only one can decrypt

13 RSA (Rivest, Shamir, Adleman, 1978) basis intractability of integer factoring Setup: select p, q large primes n = pq, ф(n)= (p-1)(q-1) select e relatively prime to ф(n) compute d such that ed mod ф(n) = 1 Keys: public key: K E = (n,e) private key: K D = d Encryption: Plaintext m c = m e mod n Decryption: Example: Setup: p =7, q=17 n = 7.17 = 119 ф(n) = = 96 e= 5 d= 77 Keys: public key: K E = (119, 5) private key: K D = 77 Encryption: m = 19 c = 19 5 mod 119 = 66 Decryption: m= c d 13 mod n m= mod 119 = 19

14 Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computations Problem and security definitions General constructions

15 Motivation General framework for describing computation between parties who do not trust each other Example: elections N parties, each one has a Yes or No vote Goal: determine whether the majority voted Yes, but no voter should learn how other people voted Example: auctions Each bidder makes an offer Offer should be committing! (can t change it later) Goal: determine whose offer won without revealing losing offers slide 15

16 More Examples Example: distributed data mining Two companies want to compare their datasets without revealing them For example, compute the intersection of two lists of names Example: database privacy Evaluate a query on the database without revealing the query to the database owner Evaluate a statistical query on the database without revealing the values of individual entries Many variations slide 16

17 A Couple of Observations In all cases, we are dealing with distributed multi-party protocols A protocol describes how parties are supposed to exchange messages on the network All of these tasks can be easily computed by a trusted third party The goal of secure multi-party computation is to achieve the same result without involving a trusted third party slide 17

18 Secure Multiparty Computation A set of parties with private inputs wish to compute some joint function of their inputs. Parties wish to preserve some security properties. e.g., privacy and correctness. Security must be preserved in the face of adversarial behavior by some of the participants, or by an external party.

19 Yao s Millionaire Problem Two millionaires, Alice and Bob, who are interested in knowing which of them is richer without revealing their actual wealth. This problem is analogous to a more general problem where there are two numbers a and b and the goal is to solve the inequality without revealing the actual values of a and b.

20 How to Define Security? Must be mathematically rigorous Must capture all realistic attacks that a malicious participant may try to stage Should be abstract Based on the desired functionality of the protocol, not a specific protocol Goal: define security for an entire class of protocols slide 20

21 A Rigorous Approach Provide an exact problem definition Adversarial power Network model Meaning of security Prove that the protocol is secure Often by reduction to an assumed hard problem, like factoring large composites

22 Functionality K mutually distrustful parties want to jointly carry out some task Model this task as a function f: ({0,1}*) K ({0,1}*) K K inputs (one per party); each input is a bitstring K outputs Assume that this functionality is computable in probabilistic polynomial time slide 22

23 Defining Security The real/ideal model paradigm for defining security [GMW,GL,Be,MR,Ca]: Ideal model: parties send inputs to a trusted party, who computes the function for them Real model: parties run a real protocol with no trusted help A protocol is secure if any attack on a real protocol can be carried out in the ideal model

24 Ideal Model Intuitively, we want the protocol to behave as if a trusted third party collected the parties inputs and computed the desired functionality Computation in the ideal model is secure by definition! x 1 x 2 A f 1 (x 1,x 2 ) f 2 (x 1,x 2 ) B slide 24

25 More Formally A protocol is secure if it emulates an ideal setting where the parties hand their inputs to a trusted party, who locally computes the desired outputs and hands them back to the parties [Goldreich-Micali-Wigderson 1987] x 1 x 2 A f 1 (x 1,x 2 ) f 2 (x 1,x 2 ) B slide 25

26 Real world No trusted third party Participants run some protocol amongst themselves without any help Despite that, secure protocol should emulate an ideal setting. Real protocol that is run by the participants is secure if no adversary can do more harm in real execution than an execution that takes place in the ideal world

27 Adversary Models Some of protocol participants may be corrupt If all were honest, would not need secure multi-party computation Semi-honest (aka passive; honest-but-curious) Follows protocol, but tries to learn more from received messages than he would learn in the ideal model Malicious Deviates from the protocol in arbitrary ways, lies about his inputs, may quit at any point For now, we will focus on semi-honest adversaries and two-party protocols slide 27

28 Properties of the Definition How do we argue that the real protocol emulates the ideal protocol? Correctness All honest participants should receive the correct result of evaluating function f Because a trusted third party would compute f correctly Privacy All corrupt participants should learn no more from the protocol than what they would learn in ideal model What does corrupt participant learn in ideal model? His input (obviously) and the result of evaluating f slide 28

29 Simulation Corrupt participant s view of the protocol = record of messages sent and received In the ideal world, view consists simply of his input and the result of evaluating f How to argue that real protocol does not leak more useful information than ideal-world view? Key idea: simulation If real-world view (i.e., messages received in the real protocol) can be simulated with access only to the idealworld view, then real-world protocol is secure Simulation must be indistinguishable from real view slide 29

30 Security proof tools Real/ideal model: the real model can be simulated in the ideal model Key idea Show that whatever can be computed by a party participating in the protocol can be computed based on its input and output only polynomial time S such that {S(x,f(x,y))} {View(x,y)}

31 Security proof tools Composition theorem if a protocol is secure in the hybrid model where the protocol uses a trusted party that computes the (sub) functionalities, and we replace the calls to the trusted party by calls to secure protocols, then the resulting protocol is secure Prove that component protocols are secure, then prove that the combined protocol is secure

32 Outline Secure multiparty computation Defining security General constructions

33 Construction paradigms Passively-secure computation for two-parties Use oblivious transfer to securely select a value Passively-secure computation with shares Use secret sharing scheme such that data can be reconstructed from some shares From passively-secure protocols to activelysecure protocols Use zero-knowledge proofs to force parties to behave in a way consistent with the passively-secure protocol

34 1-out-of-2 Oblivious Transfer (OT) 1-out-of-2 Oblivious Transfer (OT) Inputs Sender has two messages m 0 and m 1 Receiver has a single bit {0,1} Outputs Sender receives nothing Receiver obtain m and learns nothing of m 1-

35 Oblivious Transfer (OT) Fundamental SMC primitive 1-out-of-2 Oblivious Transfer (OT) [Rabin 1981] m 0, m 1 = 0 or 1 S m R S inputs two bits, R inputs the index of one of S s bits R learns his chosen bit, S learns nothing S does not learn which bit R has chosen; R does not learn the value of the bit that he did not choose slide 35

36 Semi-Honest OT Let (G,E,D) be a public-key encryption scheme G is a key-generation algorithm (pk,sk) G Encryption: c = E pk (m) Decryption: m = D sk (c) Assume that a public-key can be sampled without knowledge of its secret key: Oblivious key generation: pk OG El-Gamal encryption has this property

37 Semi-Honest OT Protocol for Oblivious Transfer Receiver (with input ): Receiver chooses one key-pair (pk,sk) and one public-key pk (oblivious of secret-key). Receiver sets pk = pk, pk 1- = pk Note: receiver can decrypt for pk but not for pk 1- Receiver sends pk 0,pk 1 to sender Sender (with input m 0,m 1 ): Sends receiver c 0 =E pk0 (m 0 ), c 1 =E pk1 (m 1 ) Receiver: Decrypts c using sk and obtains m.

38 Security Proof Intuition: Sender s view consists only of two public keys pk 0 and pk 1. Therefore, it doesn t learn anything about that value of. The receiver only knows one secret-key and so can only learn one message Note: this assumes semi-honest behavior. A malicious receiver can choose two keys together with their secret keys.

39 Generalization Can define 1-out-of-k oblivious transfer Protocol remains the same: Choose k-1 public keys for which the secret key is unknown Choose 1 public-key and secret-key pair