An Overview of Secure Multiparty Computation

Size: px

Start display at page:

Download "An Overview of Secure Multiparty Computation"

Claud Hodges
5 years ago
Views:

1 An Overview of Secure Multiparty Computation T. E. Bjørstad The Selmer Center Department of Informatics University of Bergen Norway Prøveforelesning for PhD-graden

2 Outline Background 1 Background Motivational example Theoretical framework 2 3 Useful tools What is possible 4

3 The Millionaire Problem Motivational example Theoretical framework Andrew C. Yao, Protocols for Secure Computations (1982). { (0, 0) if x i < x j, P(x i, x j ) = (1) (1, 1) if x i x j.

4 General setting Background Motivational example Theoretical framework MPC: m users want to evaluate f (x 1,..., x m ). Privacy: user i does not learn anything about x j, i j. Ideal functionality: 1 Each user securely sends their x i to a trusted third party. 2 Trusted party evaluates f (x 1,..., x m ). 3 Users receive result from trusted party. Goal: replace TTP with interactive protocol. Subproblem: secure two-party computation (2PC), m = 2.

5 Applications Background Motivational example Theoretical framework Participants want or need to collaborate, but do not wish to (or cannot) disclose their private inputs. Secure auctions. Voting systems. Electronic cash. Privacy-preserving database access.... optimisation problems.... statistical analysis. Generally: evaluate arbitrary (polynomial-time) f ( ). Personal or sensitive information, trade secrets, etc.

6 Applications Background Motivational example Theoretical framework Participants want or need to collaborate, but do not wish to (or cannot) disclose their private inputs. Secure auctions. Voting systems. Electronic cash. Privacy-preserving database access.... optimisation problems.... statistical analysis. Generally: evaluate arbitrary (polynomial-time) f ( ). Personal or sensitive information, trade secrets, etc.

7 Security model Background Motivational example Theoretical framework Many plausible scenarios: Security relative to a computational problem (e.g. RSA) statistical or unconditional (information-theoretical security). Adversary may be a passive eavesdropper or actively manipulating communications channel or control one or many participants! Goal: secure and efficient protocols, weak assumptions.

8 Security model Background Motivational example Theoretical framework Many plausible scenarios: Security relative to a computational problem (e.g. RSA) statistical or unconditional (information-theoretical security). Adversary may be a passive eavesdropper or actively manipulating communications channel or control one or many participants! Goal: secure and efficient protocols, weak assumptions.

9 Security goals Background Motivational example Theoretical framework What do we mean by security? What are the goals? Protocol correctness. Privacy. Verifiability. Consistency. Fairness. Efficiency....?

10 Network model Background Motivational example Theoretical framework Likewise, many possible communication models: Are participants synchronised? Is the network reliable? Is it authenticated? Anonymous? Can adversary alter (drop, delay, inject or modify) traffic? Network topology? Broadcast channel? Direct peer-to-peer channels?

11 Network model Background Motivational example Theoretical framework Likewise, many possible communication models: Are participants synchronised? Is the network reliable? Is it authenticated? Anonymous? Can adversary alter (drop, delay, inject or modify) traffic? Network topology? Broadcast channel? Direct peer-to-peer channels?

12 Network model Background Motivational example Theoretical framework Likewise, many possible communication models: Are participants synchronised? Is the network reliable? Is it authenticated? Anonymous? Can adversary alter (drop, delay, inject or modify) traffic? Network topology? Broadcast channel? Direct peer-to-peer channels?

13 Millionaire problem example (i) Toy solution (using Yao s 1982 protocol). Alice s total wealth is i = 4 billion and Bob s is j = 3 billion. Both know that i and j are integers in the range 1 6. Alice uses RSA with a key length of N = 10 bits. Modulus n = 551 (= 19 29). Public exponent e = 5, private exponent d = 101. Secure, authenticated channel.

14 Millionaire problem example (i) Toy solution (using Yao s 1982 protocol). Alice s total wealth is i = 4 billion and Bob s is j = 3 billion. Both know that i and j are integers in the range 1 6. Alice uses RSA with a key length of N = 10 bits. Modulus n = 551 (= 19 29). Public exponent e = 5, private exponent d = 101. Secure, authenticated channel.

15 Millionaire problem example (ii) b1 Bob chooses a random integer k < n, e.g. k = 123. b2 Bob encrypts with Alice s public key, c = k e (mod n) = 16. b3 Bob sets c = c j + 1 = 14 and transmits c to Alice. a1 Alice computes six messages x k = (c j + k) d (mod n), thus obtaining the values x 1 = (mod 551) = 127, x 2 = (mod 551) = 250, x 3 = (mod 551) = 123, x 4 = (mod 551) = 365, x 5 = (mod 551) = 113, x 6 = (mod 551) = 304. Note: Alice does not know which x k corresponds to j.

16 Millionaire problem example (ii) b1 Bob chooses a random integer k < n, e.g. k = 123. b2 Bob encrypts with Alice s public key, c = k e (mod n) = 16. b3 Bob sets c = c j + 1 = 14 and transmits c to Alice. a1 Alice computes six messages x k = (c j + k) d (mod n), thus obtaining the values x 1 = (mod 551) = 127, x 2 = (mod 551) = 250, x 3 = (mod 551) = 123, x 4 = (mod 551) = 365, x 5 = (mod 551) = 113, x 6 = (mod 551) = 304. Note: Alice does not know which x k corresponds to j.

17 Millionaire problem example (iii) a2 Alice picks a random prime p of size N/2 bits, e.g. p = 47. a3 Alice computes y k = x k (mod p), obtaining the sequence y 1 = 127 (mod 47) = 33, y 2 = 250 (mod 47) = 15, y 3 = 123 (mod 47) = 29, y 4 = 365 (mod 47) = 36, y 5 = 113 (mod 47) = 19, y 6 = 304 (mod 47) = 22. a4 Alice transmits p to Bob, as well as the values y 1, y 2, y 3, y 4, y 5 + 1, y (thus marking her own wealth in the sequence 33, 15, 29, 36, 20, 23).

18 Millionaire problem example (iii) a2 Alice picks a random prime p of size N/2 bits, e.g. p = 47. a3 Alice computes y k = x k (mod p), obtaining the sequence y 1 = 127 (mod 47) = 33, y 2 = 250 (mod 47) = 15, y 3 = 123 (mod 47) = 29, y 4 = 365 (mod 47) = 36, y 5 = 113 (mod 47) = 19, y 6 = 304 (mod 47) = 22. a4 Alice transmits p to Bob, as well as the values y 1, y 2, y 3, y 4, y 5 + 1, y (thus marking her own wealth in the sequence 33, 15, 29, 36, 20, 23).

19 Millionaire problem example (iv) b4 Bob receives p and (z 1,..., z 6 ) from Alice. He tests whether k (mod p) is equal to z j. In our example he finds that k (mod p) = 123 (mod 47) = 29 = z 3. He concludes that i j. b5 Bob reports his result to Alice. Note: Bob does not know at which point Alice started altering the sequence.

Millionaire problem (redux) To summarise: Protocol assumes that participants are honest. In particular, Bob may lie to Alice in step b5. Factoring Alice s RSA key must be hard.

20 Millionaire problem (redux) To summarise: Protocol assumes that participants are honest. In particular, Bob may lie to Alice in step b5. Factoring Alice s RSA key must be hard. Reductionist security proof not given. Alice and Bob need a reliable communication system. Computationally expensive, large bandwidth requirements. To test for i = j, repeat protocol in reverse.

21 Correctness and verifiability (i) Useful tools What is possible Some useful tools for more advanced protocols: Commitment schemes. Verifiable secret sharing. Oblivious transfer. Zero-knowledge proofs. Homomorphic encryption.

22 Correctness and verifiability (ii) Secure committment scheme: Useful tools What is possible A commitment protocol produces a hiding and binding commitment C to the value x. The commitment can later be opened by revealing x. Verifiable secret sharing: A t-out-of-m secret sharing scheme generates m shares based on some secret value x. Given t shares, it is possible to reconstruct x. With less than t shares, no information is gained. Shamir secret sharing, based on polynomial interpolation. Verifiability: should resist dishonest dealer distributing incorrect shares, and / or participants submitting incorrect shares during reconstruction.

23 Correctness and verifiability (ii) Secure committment scheme: Useful tools What is possible A commitment protocol produces a hiding and binding commitment C to the value x. The commitment can later be opened by revealing x. Verifiable secret sharing: A t-out-of-m secret sharing scheme generates m shares based on some secret value x. Given t shares, it is possible to reconstruct x. With less than t shares, no information is gained. Shamir secret sharing, based on polynomial interpolation. Verifiability: should resist dishonest dealer distributing incorrect shares, and / or participants submitting incorrect shares during reconstruction.

24 Oblivious transfer Background Useful tools What is possible Oblivious Transfer (OT): Wiesener (early 1970s), Rabin (1981). Fundamental primitive to build MPC protocols. Simplest form: 1-2 Oblivious Transfer: 1 Alice has two messages m 0, m 1. 2 Bob has a secret bit b. 3 Bob receives m b. Alice does not learn b. Bob does not learn m b 1. 1-n OT: Alice has list of n elements, Bob a secret index.

25 Oblivious Transfer using RSA Useful tools What is possible Protocol from Even, Goldreich, Lempel (1985): Alice s RSA keys: d and (e, n); Bob s bit: b. a1 Alice picks two random messages x 0, x 1, sends to Bob. b1 Bob picks random message k, computes c = x b + k e (mod n), sends c to Alice. a2 Alice decrypts both possible values of k, k 0 = (c x 0 ) d (mod n) and k 1 = (c x 1 ) d (mod n). a3 Alice sends (m 0 + k 0 ) and (m 1 + k 1 ) to Bob. b2 Bob knows k b (but not k b 1 ), and uses it to recover m b.

26 Feasibility results (i) Useful tools What is possible What can we accomplish? (Goldreich) Assuming trapdoor permutations: Passive adversary controlling < m users. Active adversary controlling < m/2 users. Better if protocol aborted is not failure.

27 Feasibility results (ii) Useful tools What is possible What can we accomplish? (Goldreich) Assuming private channels: Passive adversary controlling < m/2 users. Active adversary controlling < m/3 users. Better if a broadcast channel also exists.

28 A real-world example Secure sealed-bid auction (Bogetoft et al., 2008). Used to determine market clearing price for trading sugar beet contracts between Danish farmers Bids reveal sensitive information about bidders economic situation to other farmers and monopoly buyer. Delegating legal responsibility to trusted auctioneer prohibitively expensive participants could place bids to sell, buy, or both tons of production rights changed owners.

29 Appendix Further Reading Further Reading A. C. Yao. Protocols for secure computation. Proceedings of 27th IEEE symposium on Foundations of Computer Science, pp , O. Goldreich. Foundations of Cryptography. Volume II: Basic Applications. Chapter 7. Cambridge University Press, R. Cramer and I. Damgård. Multiparty Computation, an Introduction. In Contemporary Cryptology, Advanced Courses in Mathematics CRM Barcelona, Birkhäuser. P. Bogetoft, D. L. Christensen, I. Damgård, et al. Secure Multiparty Computation Goes Live. Cryptology eprint Report 2008/068.

Secure Multiparty Computation

CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation