Secure Multiparty Computation

Similar documents
CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Secure Multiparty Computation

Introduction to Secure Multi-Party Computation

Introduction to Secure Multi-Party Computation

An Overview of Secure Multiparty Computation

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

1 A Tale of Two Lovers

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Overview. Public Key Algorithms I

Chapter 3 Public Key Cryptography

Chapter 9 Public Key Cryptography. WANG YANG

Secure Multiparty Computation Introduction to Privacy Preserving Distributed Data Mining

Public Key Algorithms

Public Key Cryptography and the RSA Cryptosystem

Chapter 9. Public Key Cryptography, RSA And Key Management

Introduction to Cryptography Lecture 7

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Public-key Cryptography: Theory and Practice

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Chapter 7 Public Key Cryptography and Digital Signatures

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CS3235 Seventh set of lecture slides

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Applied Cryptography and Computer Security CSE 664 Spring 2018

Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Cryptography and Network Security. Sixth Edition by William Stallings

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Part VI. Public-key cryptography

CSC 474/574 Information Systems Security

Notes for Lecture 24

Lecture 10, Zero Knowledge Proofs, Secure Computation

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Kurose & Ross, Chapters (5 th ed.)

Lecture 2 Applied Cryptography (Part 2)

Foundations of Cryptography CS Shweta Agrawal

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.

Introduction to Cryptography Lecture 7

CS669 Network Security

Public Key Cryptography and RSA

Public Key Algorithms

Study Guide for the Final Exam

CSC/ECE 774 Advanced Network Security

RSA. Public Key CryptoSystem

Public Key Cryptography

CS 395T. Formal Model for Secure Key Exchange

CPSC 467b: Cryptography and Computer Security

Key Exchange. Secure Software Systems

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Public Key Cryptography

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Other Topics in Cryptography. Truong Tuan Anh

Cryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay

Public-key encipherment concept

Chapter 11 : Private-Key Encryption

Encryption. INST 346, Section 0201 April 3, 2018

Homomorphic Encryption

Secrets & Lies, Knowledge & Trust. (Modern Cryptography) COS 116 4/20/2006 Instructor: Sanjeev Arora

Secure Multi-Party Computation

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Secure Multi-Party Computation Without Agreement

Public Key Encryption. Modified by: Dr. Ramzi Saifan

Secure Multi-party Computation

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Rational Oblivious Transfer

Public Key Algorithms

CPSC 467: Cryptography and Computer Security

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

The Network Security Model. What can an adversary do? Who might Bob and Alice be? Computer Networks 12/2/2009. CSC 257/457 - Fall

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

Cryptography. Andreas Hülsing. 6 September 2016

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

MTAT Research Seminar in Cryptography Building a secure aggregation database

ISA 562: Information Security, Theory and Practice. Lecture 1

CS 161 Computer Security

Lecture 6: Overview of Public-Key Cryptography and RSA

Secure Multi-Party Computation. Lecture 13

An Overview of Active Security in Garbled Circuits

Using Commutative Encryption to Share a Secret

CS408 Cryptography & Internet Security

1 Identification protocols

Verifiably Encrypted Signature Scheme with Threshold Adjudication

Security: Cryptography

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Public Key (asymmetric) Cryptography

More crypto and security

Crypto Basics. Recent block cipher: AES Public Key Cryptography Public key exchange: Diffie-Hellmann Homework suggestion

Encrypted Data Deduplication in Cloud Storage

Cryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland

Ref:

The Simplest Protocol for Oblivious Transfer

CSE 127: Computer Security Cryptography. Kirill Levchenko

2.1 Basic Cryptography Concepts

Transcription:

CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong

Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation Problem and security definitions General constructions

Basic notation Plaintext (m): the original message Ciphertext (c): the coded message Secret key (k): info used in cipher known only to sender/receiver Encryption function E k (m): performs substitutions/ transformations on plaintext Decryption function D k (c): inverse of encryption algorithm Efficiency: functions E K and D K should have efficient algorithms Consistency: Decrypting the ciphertext yields the plaintext D K (E K (m)) = m

Operational model of encryption m plaintext E E k (m) ciphertext D D k (E k (m)) = m k encryption key attacker k decryption key 4 Kerckhoff s assumption: attacker knows E and D attacker doesn t know the (decryption) key attacker s goal: to systematically recover plaintext from ciphertext to deduce the (decryption) key attack models: ciphertext-only known-plaintext (adaptive) chosen-plaintext (adaptive) chosen-ciphertext

Symmetric Encryption or conventional / secret-key / single-key sender and recipient share a common key Scenario: Alice wants to send a message (plaintext P) to Bob The communication channel is insecure and can be eavesdropped If Alice and Bob have previously agreed on a symmetric encryption scheme and a secret key K, the message can be sent encrypted (ciphertext C)

Symmetric Key Cryptography K A-B K A-B plaintext message, m encryption algorithm ciphertext decryption plaintext algorithm c=k A-B (m) K (m) m = K ( ) A-B A-B symmetric key crypto: Bob and Alice share know same (symmetric) key: K A-B

Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computations Problem and security definitions General constructions

Private-Key Cryptography traditional private/secret/single key cryptography uses one key Sender and receiver must share the same key needs secure channel for key distribution impossible for two parties having no prior relationship if this key is disclosed communications are compromised also is symmetric, parties are equal hence does not protect sender from receiver forging a message & claiming is sent by sender

Public-Key Cryptography uses two keys a public & a private key asymmetric since parties are not equal complements rather than replaces private key crypto neither more secure than private key (security depends on the key size for both) nor do they replace private key schemes (they are too slow to do so)

Public-Key Cryptography public-key/two-key/asymmetric cryptography involves the use of two keys: a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures Encryption: c = E pk (m) Decryption: m = D sk (c) is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Public-Key Cryptography

Public-Key Characteristics Public-Key algorithms rely on two keys with the characteristics that it is: computationally infeasible to find decryption key knowing only algorithm & encryption key computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known either of the two related keys can be used for encryption, with the other used for decryption (in some schemes) Many can encrypt, only one can decrypt

RSA (Rivest, Shamir, Adleman, 1978) basis intractability of integer factoring Setup: select p, q large primes n = pq, ф(n)= (p-1)(q-1) select e relatively prime to ф(n) compute d such that ed mod ф(n) = 1 Keys: public key: K E = (n,e) private key: K D = d Encryption: Plaintext m c = m e mod n Decryption: Example: Setup: p =7, q=17 n = 7.17 = 119 ф(n) = 6. 16 = 96 e= 5 d= 77 Keys: public key: K E = (119, 5) private key: K D = 77 Encryption: m = 19 c = 19 5 mod 119 = 66 Decryption: m= c d 13 mod n m= 66 77 mod 119 = 19

Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computations Problem and security definitions General constructions

Motivation General framework for describing computation between parties who do not trust each other Example: elections N parties, each one has a Yes or No vote Goal: determine whether the majority voted Yes, but no voter should learn how other people voted Example: auctions Each bidder makes an offer Offer should be committing! (can t change it later) Goal: determine whose offer won without revealing losing offers slide 15

More Examples Example: distributed data mining Two companies want to compare their datasets without revealing them For example, compute the intersection of two lists of names Example: database privacy Evaluate a query on the database without revealing the query to the database owner Evaluate a statistical query on the database without revealing the values of individual entries Many variations slide 16

A Couple of Observations In all cases, we are dealing with distributed multi-party protocols A protocol describes how parties are supposed to exchange messages on the network All of these tasks can be easily computed by a trusted third party The goal of secure multi-party computation is to achieve the same result without involving a trusted third party slide 17

Secure Multiparty Computation A set of parties with private inputs wish to compute some joint function of their inputs. Parties wish to preserve some security properties. e.g., privacy and correctness. Security must be preserved in the face of adversarial behavior by some of the participants, or by an external party.

Yao s Millionaire Problem Two millionaires, Alice and Bob, who are interested in knowing which of them is richer without revealing their actual wealth. This problem is analogous to a more general problem where there are two numbers a and b and the goal is to solve the inequality without revealing the actual values of a and b.

How to Define Security? Must be mathematically rigorous Must capture all realistic attacks that a malicious participant may try to stage Should be abstract Based on the desired functionality of the protocol, not a specific protocol Goal: define security for an entire class of protocols slide 20

A Rigorous Approach Provide an exact problem definition Adversarial power Network model Meaning of security Prove that the protocol is secure Often by reduction to an assumed hard problem, like factoring large composites

Functionality K mutually distrustful parties want to jointly carry out some task Model this task as a function f: ({0,1}*) K ({0,1}*) K K inputs (one per party); each input is a bitstring K outputs Assume that this functionality is computable in probabilistic polynomial time slide 22

Defining Security The real/ideal model paradigm for defining security [GMW,GL,Be,MR,Ca]: Ideal model: parties send inputs to a trusted party, who computes the function for them Real model: parties run a real protocol with no trusted help A protocol is secure if any attack on a real protocol can be carried out in the ideal model

Ideal Model Intuitively, we want the protocol to behave as if a trusted third party collected the parties inputs and computed the desired functionality Computation in the ideal model is secure by definition! x 1 x 2 A f 1 (x 1,x 2 ) f 2 (x 1,x 2 ) B slide 24

More Formally A protocol is secure if it emulates an ideal setting where the parties hand their inputs to a trusted party, who locally computes the desired outputs and hands them back to the parties [Goldreich-Micali-Wigderson 1987] x 1 x 2 A f 1 (x 1,x 2 ) f 2 (x 1,x 2 ) B slide 25

Real world No trusted third party Participants run some protocol amongst themselves without any help Despite that, secure protocol should emulate an ideal setting. Real protocol that is run by the participants is secure if no adversary can do more harm in real execution than an execution that takes place in the ideal world

Adversary Models Some of protocol participants may be corrupt If all were honest, would not need secure multi-party computation Semi-honest (aka passive; honest-but-curious) Follows protocol, but tries to learn more from received messages than he would learn in the ideal model Malicious Deviates from the protocol in arbitrary ways, lies about his inputs, may quit at any point For now, we will focus on semi-honest adversaries and two-party protocols slide 27

Properties of the Definition How do we argue that the real protocol emulates the ideal protocol? Correctness All honest participants should receive the correct result of evaluating function f Because a trusted third party would compute f correctly Privacy All corrupt participants should learn no more from the protocol than what they would learn in ideal model What does corrupt participant learn in ideal model? His input (obviously) and the result of evaluating f slide 28

Simulation Corrupt participant s view of the protocol = record of messages sent and received In the ideal world, view consists simply of his input and the result of evaluating f How to argue that real protocol does not leak more useful information than ideal-world view? Key idea: simulation If real-world view (i.e., messages received in the real protocol) can be simulated with access only to the idealworld view, then real-world protocol is secure Simulation must be indistinguishable from real view slide 29

Security proof tools Real/ideal model: the real model can be simulated in the ideal model Key idea Show that whatever can be computed by a party participating in the protocol can be computed based on its input and output only polynomial time S such that {S(x,f(x,y))} {View(x,y)}

Security proof tools Composition theorem if a protocol is secure in the hybrid model where the protocol uses a trusted party that computes the (sub) functionalities, and we replace the calls to the trusted party by calls to secure protocols, then the resulting protocol is secure Prove that component protocols are secure, then prove that the combined protocol is secure

Outline Secure multiparty computation Defining security General constructions

Construction paradigms Passively-secure computation for two-parties Use oblivious transfer to securely select a value Passively-secure computation with shares Use secret sharing scheme such that data can be reconstructed from some shares From passively-secure protocols to activelysecure protocols Use zero-knowledge proofs to force parties to behave in a way consistent with the passively-secure protocol

1-out-of-2 Oblivious Transfer (OT) 1-out-of-2 Oblivious Transfer (OT) Inputs Sender has two messages m 0 and m 1 Receiver has a single bit {0,1} Outputs Sender receives nothing Receiver obtain m and learns nothing of m 1-

Oblivious Transfer (OT) Fundamental SMC primitive 1-out-of-2 Oblivious Transfer (OT) [Rabin 1981] m 0, m 1 = 0 or 1 S m R S inputs two bits, R inputs the index of one of S s bits R learns his chosen bit, S learns nothing S does not learn which bit R has chosen; R does not learn the value of the bit that he did not choose slide 35

Semi-Honest OT Let (G,E,D) be a public-key encryption scheme G is a key-generation algorithm (pk,sk) G Encryption: c = E pk (m) Decryption: m = D sk (c) Assume that a public-key can be sampled without knowledge of its secret key: Oblivious key generation: pk OG El-Gamal encryption has this property

Semi-Honest OT Protocol for Oblivious Transfer Receiver (with input ): Receiver chooses one key-pair (pk,sk) and one public-key pk (oblivious of secret-key). Receiver sets pk = pk, pk 1- = pk Note: receiver can decrypt for pk but not for pk 1- Receiver sends pk 0,pk 1 to sender Sender (with input m 0,m 1 ): Sends receiver c 0 =E pk0 (m 0 ), c 1 =E pk1 (m 1 ) Receiver: Decrypts c using sk and obtains m.

Security Proof Intuition: Sender s view consists only of two public keys pk 0 and pk 1. Therefore, it doesn t learn anything about that value of. The receiver only knows one secret-key and so can only learn one message Note: this assumes semi-honest behavior. A malicious receiver can choose two keys together with their secret keys.

Generalization Can define 1-out-of-k oblivious transfer Protocol remains the same: Choose k-1 public keys for which the secret key is unknown Choose 1 public-key and secret-key pair

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback