Introduction to Secure Multi-Party Computation

Similar documents
Introduction to Secure Multi-Party Computation

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Secure Multiparty Computation

1 A Tale of Two Lovers

Secure Multiparty Computation

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

2018: Problem Set 1

Lecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

An Overview of Active Security in Garbled Circuits

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

An Overview of Secure Multiparty Computation

Secure Multi-Party Computation

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

Notes for Lecture 24

Secure Multi-Party Computation. Lecture 13

Secure Multiparty Computation Introduction to Privacy Preserving Distributed Data Mining

Introduction to Cryptography Lecture 7

Lecture 10, Zero Knowledge Proofs, Secure Computation

Defining Multi-Party Computation

Secure Computation of Functionalities based on Hamming Distance and its Application to Computing Document Similarity

Vlad Kolesnikov Bell Labs

CSA E0 312: Secure Computation October 14, Guest Lecture 2-3

The Simplest Protocol for Oblivious Transfer

Algorithms (III) Yu Yu. Shanghai Jiaotong University

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Foundations of Cryptography CS Shweta Agrawal

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Universally Composable Two-Party and Multi-Party Secure Computation

Fairness versus Guaranteed Output Delivery in Secure Multiparty Computation

CS408 Cryptography & Internet Security

Introduction to Cryptography Lecture 7

Secure Outsourced Garbled Circuit Evaluation for Mobile Devices

Rational Oblivious Transfer

Lecture 15: Public Key Encryption: I

Privacy-Preserving Algorithms for Distributed Mining of Frequent Itemsets

Privacy Protected Spatial Query Processing

Fast Optimistically Fair Cut-and-Choose 2PC

2 What does it mean that a crypto system is secure?

- Presentation 25 minutes + 5 minutes for questions. - Presentation is on Wednesday, 11:30-12:00 in B05-B06

Secure Multi-Party Computation Without Agreement

Secure Multi-party Computation

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.

Bounded-Concurrent Secure Two-Party Computation Without Setup Assumptions

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Security of Cryptosystems

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Quid-Pro-Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution

Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme

White-box attack resistant cryptography

Study Guide for the Final Exam

Chapter 9 Public Key Cryptography. WANG YANG

CPSC 467b: Cryptography and Computer Security

Lecture 3 Algorithms with numbers (cont.)

Homomorphic Encryption

Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers

Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority

Formal Methods and Cryptography

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

High-Throughput Semi-Honest Secure Three-Party Computation with an Honest Majority

Dawn Song

Security and Composition of Cryptographic Protocols: A tutorial. Ran Canetti Tel Aviv University

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Oblivious Signature-Based Envelope

Notes for Lecture 14

Adaptively Secure Computation with Partial Erasures

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Random Oracles - OAEP

from circuits to RAM programs in malicious-2pc

Protocols for Authenticated Oblivious Transfer

Multi-Party 2 Computation Part 1

Multi-Party 2 Computation Part 3

CS3235 Seventh set of lecture slides

CS 395T. Formal Model for Secure Key Exchange

Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority

Security Against Covert Adversaries: Efficient Protocols for Realistic Adversaries

Multiparty Proximity Testing with Dishonest Majority from Equality Testing

Solutions to exam in Cryptography December 17, 2013

Other Topics in Cryptography. Truong Tuan Anh

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Outsourcing Secure Two-Party Computation as a Black Box

CPSC 467: Cryptography and Computer Security

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations:

Semantic Goal-Oriented Communication. Madhu Sudan Microsoft Research + MIT. Joint with Oded Goldreich (Weizmann) and Brendan Juba (MIT).

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Symmetric Encryption 2: Integrity

Session-Key Generation using Human Passwords Only

A Systematic Approach to Practically Efficient General Two-Party Secure Function Evaluation Protocols and Their Modular Design

MTAT Research Seminar in Cryptography Building a secure aggregation database

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Multi-Theorem Preprocessing NIZKs from Lattices

0x1A Great Papers in Computer Security

Secure Two-Party Computation: Generic Approach and Exploiting Specific Properties of Functions Approach

6.842 Randomness and Computation September 25-27, Lecture 6 & 7. Definition 1 Interactive Proof Systems (IPS) [Goldwasser, Micali, Rackoff]

Fairness Versus Guaranteed Output Delivery in Secure Multiparty Computation

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Transcription:

Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the University of Texas, Austin for providing these slides. slide 1

Motivation General framework for describing computation between parties who do not trust each other Example: elections N parties, each one has a Yes or No vote Goal: determine whether the majority voted Yes, but no voter should learn how other people voted Example: auctions Each bidder makes an offer Offer should be committing! (can t change it later) Goal: determine whose offer won without revealing losing offers slide 2

More Examples Example: distributed data mining Two companies want to compare their datasets without revealing them For example, compute the intersection of two lists of names Example: database privacy Evaluate a query on the database without revealing the query to the database owner Evaluate a statistical query on the database without revealing the values of individual entries Many variations slide 3

A Couple of Observations In all cases, we are dealing with distributed multi-party protocols A protocol describes how parties are supposed to exchange messages on the network All of these tasks can be easily computed by a trusted third party The goal of secure multi-party computation is to achieve the same result without involving a trusted third party slide 4

How to Define Security? Must be mathematically rigorous Must capture all realistic attacks that a malicious participant may try to stage Should be abstract Based on the desired functionality of the protocol, not a specific protocol Goal: define security for an entire class of protocols slide 5

Functionality K mutually distrustful parties want to jointly carry out some task Model this task as a function f: ({0,1}*) K ({0,1}*) K K inputs (one per party); each input is a bitstring K outputs Assume that this functionality is computable in probabilistic polynomial time slide 6

Ideal Model Intuitively, we want the protocol to behave as if a trusted third party collected the parties inputs and computed the desired functionality Computation in the ideal model is secure by definition! x 1 x 2 A f 1 (x 1,x 2 ) f 2 (x 1,x 2 ) B slide 7

Slightly More Formally A protocol is secure if it emulates an ideal setting where the parties hand their inputs to a trusted party, who locally computes the desired outputs and hands them back to the parties Micali-Wigderson 1987] [Goldreich- x 1 x 2 A f 1 (x 1,x 2 ) f 2 (x 1,x 2 ) B slide 8

Adversary Models Some of protocol participants may be corrupt If all were honest, would not need secure multi-party computation Semi-honest (aka passive; honest-but-curious) Follows protocol, but tries to learn more from received messages than she would learn in the ideal model Malicious Deviates from the protocol in arbitrary ways, lies about her inputs, may quit at any point For now, we will focus on semi-honest adversaries and two-party protocols slide 9

Correctness and Security How do we argue that the real protocol emulates the ideal protocol? Correctness All honest participants should receive the correct result of evaluating function f Because a trusted third party would compute f correctly Security All corrupt participants should learn no more from the protocol than what they would learn in ideal model What does corrupt participant learn in ideal model? His input (obviously) and the result of evaluating f slide 10

Simulation Corrupt participant s view of the protocol = record of messages sent and received In the ideal world, view consists simply of his input and the result of evaluating f How to argue that real protocol does not leak more useful information than ideal-world view? Key idea: simulation If real-world view (i.e., messages received in the real protocol) can be simulated with access only to the idealworld view, then real-world protocol is secure Simulation must be indistinguishable from real view slide 11

Technicalities Distance between probability distributions A and B over a common set X is ½ * sum X ( Pr(A=x) Pr(B=x) ) Probability ensemble A i is a set of discrete probability distributions Index i ranges over some set I Function f(n) is negligible if it is asymptotically smaller than the inverse of any polynomial constant c m such that f(n) < 1/n c n>m slide 12

Notions of Indistinguishability Simplest: ensembles A i and B i are equal Distribution ensembles A i and B i are statistically close if dist(a i,b i ) is a negligible function of i Distribution ensembles A i and B i are computationally indistinguishable (A i B i ) if, for any probabilistic polynomial-time algorithm D, Pr(D(A i )=1) - Pr(D(B i )=1) is a negligible function of i No efficient algorithm can tell the difference between A i and B i except with a negligible probability slide 13

SMC Definition (1 st Attempt) Protocol for computing f(x A,X B ) betw. A and B is secure if there exist efficient simulator algorithms S A and S B such that for all input pairs (x A,x B ) Correctness: (y A,y B ) f(x A,x B ) Intuition: outputs received by honest parties are indistinguishable from the correct result of evaluating f Security: view A (real protocol) S A (x A,y A ) view B (real protocol) S B (x B,y B ) Intuition: a corrupt party s view of the protocol can be simulated from its input and output This definition does not work! Why? slide 14

Randomized Ideal Functionality Consider a coin flipping functionality f()=(b,-) where b is random bit f() flips a coin and tells A the result; B learns nothing The following protocol implements f() 1. A chooses bit b randomly 2. A sends b to B 3. A outputs b It is obviously insecure (why?) Yet it is correct and simulatable according to our attempted definition (why?) slide 15

SMC Definition Protocol for computing f(x A,X B ) betw. A and B is secure if there exist efficient simulator algorithms S A and S B such that for all input pairs (x A,x B ) Correctness: (y A,y B ) f(x A,x B ) Security: (view A (real protocol), y B ) (S A (x A,y A ), y B ) (view B (real protocol), y A ) (S B (x B,y B ), y A ) Intuition: if a corrupt party s view of the protocol is correlated with the honest party s output, the simulator must be able to capture this correlation Does this fix the problem with coin-flipping f? slide 16

Oblivious Transfer (OT) [Rabin 1981] Fundamental SMC primitive b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index of one of A s bits B learns his chosen bit, A learns nothing A does not learn which bit B has chosen; B does not learn the value of the bit that he did not choose Generalizes to bitstrings, M instead of 2, etc. slide 17

One-Way Trapdoor Functions Intuition: one-way functions are easy to compute, but hard to invert (skip formal definition for now) We will be interested in one-way permutations Intution: one-way trapdoor functions are one-way functions that are easy to invert given some extra information called the trapdoor Example: if n=pq where p and q are large primes and e is relatively prime to ϕ(n), f e,n (m) = m e mod n is easy to compute, but it is believed to be hard to invert Given the trapdoor d=e -1 mod ϕ(n), f e,n (m) is easy to invert because f e,n (m) d = (m e ) d = m mod n slide 18

Hard-Core Predicates Let f: S S be a one-way function on some set S B: S {0,1} is a hard-core predicate for f if B(x) is easy to compute given x S If an algorithm, given only f(x), computes B(x) correctly with prob > ½+ε, it can be used to invert f(x) easily Consequence: B(x) is hard to compute given only f(x) Intuition: there is a bit of information about x s.t. learning this bit from f(x) is as hard as inverting f Goldreich-Levin theorem B(x,r)=r x is a hard-core predicate for g(x,r) = (f(x),r) f(x) is any one-way function, r x=(r 1 x 1 ) (r n x n ) slide 19

Oblivious Transfer Protocol Assume the existence of some family of one-way trapdoor permutations Chooses a one-way permutation F and corresponding trapdoor T Chooses his input i (0 or 1) A F r 0, r 1, y 0, y 1 Chooses random r 0,r 1, x, y not i Computes y i = F(x) b 0 (r 0 T(y 0 )), b 1 (r 1 T(y 1 )) Computes m i (r i x) B = (b i (r i T(y i ))) (r i x) = (b i (r i T(F(x)))) (r i x) = b i slide 20

Proof of Security for B F A r 0, r 1, y 0, y 1 Chooses random r 0,1, x, y not i Computes y i = F(x) b 0 (r 0 T(y 0 )), b 1 (r 1 T(y 1 )) Computes m i (r i x) B y 0 and y 1 are uniformly random regardless of A s choice of permutation F (why?). Therefore, A s view is independent of B s input i. slide 21

Proof of Security for A (Sketch) Need to build a simulator whose output is indistinguishable from B s view of the protocol Knows i and b i (why?) F Chooses random F, random r 0,r 1, x, y not i computes y i = F(x), sets m i =b i (r i T(y i )), random m not i Sim Random r 0,1, x, y not i y i = F(x) r 0, r 1, y 0, y 1 b 0 (r 0 T(y 0 )), b 1 (r 1 T(y 1 )) B The only difference between simulation and real protocol: In simulation, m not i is random (why?) In real protocol, m not i =b not i (r not i T(y not i )) slide 22

Proof of Security for A (Cont d) Why is it computationally infeasible to distinguish random m and m =b (r T(y))? b is some bit, r and y are random, T is the trapdoor of a one-way trapdoor permutation (r x) is a hard-core bit for g(x,r)=(f(x),r) This means that (r x) is hard to compute given F(x) If B can distinguish m and m =b (r x ) given only y=f(x ), we obtain a contradiction with the fact that (r x ) is a hard-core bit Proof omitted slide 23

Yao s Protocol slide 24

Yao s Protocol Compute any function securely in the semi-honest model First, convert the function into a boolean circuit AND Alice s inputs AND NOT Bob s inputs AND OR OR x z AND y Truth table: z x y z x y z 0 0 0 0 0 0 0 1 0 OR Truth table: 0 1 1 1 0 0 1 0 1 x y 1 1 1 1 1 1 slide 25

1: Pick Random Keys For Each Wire Next, evaluate one gate securely Later, generalize to the entire circuit Alice picks two random keys for each wire One key corresponds to 0, the other to 1 6 keys in total for a gate with 2 input wires k 0z, k 1z z Alice x AND y Bob k 0x, k 1x k 0y, k 1y slide 26

2: Encrypt Truth Table Alice encrypts each row of the truth table by encrypting the output-wire key with the corresponding pair of input-wire keys z k 0z, k 1z Alice x AND y Bob k 0x, k 1x Original truth table: k 0y, k 1y x y z 0 0 0 0 1 0 1 0 0 1 1 1 Encrypted truth table: E k 0x (E k0y (k 0z )) E k 0x (E k1y (k 0z )) E k 1x (E k0y (k 0z )) E k 1x (E k1y (k 1z )) slide 27

3: Send Garbled Truth Table Alice randomly permutes ( garbles ) encrypted truth table and sends it to Bob Alice k 0z, k 1z x z AND y Does not know which row of garbled table corresponds to which row of original table Bob E k 0x (E k0y (k 0z )) E k 0x (E k1y (k 0z )) k 0x, k 1x k 0y, k 1y Garbled truth table: E (E k 1x k0y (k 0z )) E (E k 0x k1y (k 0z )) E (E k 1x k0y (k 0z )) E (E k 1x k1y (k 1z )) E (E k 1x k1y (k 1z )) E (E k 0x k0y (k 0z )) slide 28

4: Send Keys For Alice s Inputs Alice sends the key corresponding to her input bit Keys are random, so Bob does not learn what this bit is Alice k 0z, k 1z k 0x, k 1x k 0y, k 1y x z AND y Bob Learns K b x where b is Alice s input bit, but not b (why?) Garbled truth table: E (E k 1x E (E k0y (k k 0x k1y (k 0z )) 0z )) E (E k 1x E (E k1y (k k 0x k0y (k 1z )) 0z )) If Alice s bit is 1, she simply sends k 1x to Bob; if 0, she sends k 0x slide 29

5: Use OT on Keys for Bob s Input Alice and Bob run oblivious transfer protocol Alice s input is the two keys corresponding to Bob s wire Bob s input into OT is simply his 1-bit input on that wire Alice k 0z, k 1z x z AND y Bob Knows K b x where b is Alice s input bit and K by where b is his own input bit k 0x, k 1x k 0y, k 1y Garbled truth table: E (E k 1x E (E k0y (k k 0x k1y (k 0z )) 0z )) E (E k 1x E (E k1y (k k 0x k0y (k 1z )) 0z )) Run oblivious transfer Alice s input: k 0y, k 1y Bob s input: his bit b Bob learns k by What does Alice learn? slide 30

6: Evaluate Garbled Gate Using the two keys that he learned, Bob decrypts exactly one of the output-wire keys Bob does not learn if this key corresponds to 0 or 1 Why is this important? Alice k 0z, k 1z k 0x, k 1x k 0y, k 1y x z AND y Garbled truth table: Bob Knows K b x where b is Alice s input bit and K by where b is his own input bit E (E k 1x E (E k0y (k k 0x k1y (k 0z )) 0z )) E (E k 1x E (E k1y (k k 0x k0y (k 1z )) 0z )) Suppose b =0, b=1 This is the only row Bob can decrypt. He learns K 0z slide 31

An Important Aside Why is it that Bob can only decrypt one row of the garbled circuit? Use encryption scheme that has an elusive range and Use encryption scheme that has an efficiently verifiable range Elusive Range: Roughly, the probability that an encryption under one key is in the range of an encryption under another key is negligible. Efficiently Verifiable Range: A user, given a key, can efficiently verify whether ciphertext is in the range of that key. slide 32

Example (Lindell, Pinkas paper) F = {f k } a family of psuedorandom functions with f k : {0,1} n -> {0,1} 2n for k in {0,1} n For x in {0,1} n, r a random n bit string, define E k (x) = (r, f k (r) XOR x0 n ) x0 n is the concatenation of x and n bit string of 0s Elusive range: the low order n bits of f k (r) are revealed (and fixed) by the XOR. The odds of having two keys giving that same low order n bits is 1/2 n Verifiable range: Given r and a key k, it is trivial to verify that ciphertext is in the range of E k. slide 33

7: Evaluate Entire Circuit In this way, Bob evaluates entire garbled circuit For each wire in the circuit, Bob learns only one key It corresponds to 0 or 1 (Bob does not know which) Therefore, Bob does not learn intermediate values (why?) AND Alice s inputs AND NOT Bob s inputs AND OR OR Bob tells Alice the key for the final output wire and she tells him if it corresponds to 0 or 1 Bob does not tell her intermediate wire keys (why?) slide 34

Brief Discussion of Yao s Protocol Function must be converted into a circuit For many functions, circuit will be huge If m gates in the circuit and n inputs, then need 4m encryptions and n oblivious transfers Oblivious transfers for all inputs can be done in parallel Yao s construction gives a constant-round protocol for secure computation of any function in the semi-honest model Number of rounds does not depend on the number of inputs or the size of the circuit! Though the size of the data transferred does! slide 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback