Secure Multi-Party Computation. Lecture 13

Similar documents
Secure Multi-Party Computation

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

1 A Tale of Two Lovers

Introduction to Secure Multi-Party Computation

Defining Encryption. Lecture 2. Simulation & Indistinguishability

Secure Multiparty Computation

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Notes for Lecture 24

Introduction to Secure Multi-Party Computation

Yuval Ishai Technion

Secure Multiparty Computation

Cryptography. Andreas Hülsing. 6 September 2016

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Defining Multi-Party Computation

CS 395T. Formal Model for Secure Key Exchange

Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

Lecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

An Overview of Secure Multiparty Computation

Foundations of Cryptography CS Shweta Agrawal

More crypto and security

Multiparty Computation (MPC) protocols

Secure Multi-party Computation

Fairness Versus Guaranteed Output Delivery in Secure Multiparty Computation

Information Security

Lecture 10, Zero Knowledge Proofs, Secure Computation

Identification Schemes

Secure Multi-Party Computation Without Agreement

Multi-Party 2 Computation Part 1

Security and Composition of Cryptographic Protocols: A tutorial. Ran Canetti Tel Aviv University

Delegatable Functional Signatures

Plaintext Awareness via Key Registration

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.

Adaptively Secure Computation with Partial Erasures

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Computer Security CS 426 Lecture 35. CS426 Fall 2010/Lecture 35 1

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Round-Optimal Secure Multi-Party Computation

Hash Proof Systems and Password Protocols

Detectable Byzantine Agreement Secure Against Faulty Majorities

2 Secure Communication in Private Key Setting

CSC 580 Cryptography and Computer Security

CSA E0 312: Secure Computation October 14, Guest Lecture 2-3

Security Protections for Mobile Agents

Homework 3: Solution

ENEE 459-C Computer Security. Security protocols (continued)

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Fairness versus Guaranteed Output Delivery in Secure Multiparty Computation

Protocols for Anonymous Communication

Universally Composable Commitments

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

l20 nov zero-knowledge proofs

A Unified Approach to Constructing Black-box UC Protocols in Trusted Setup Models

The Simplest Protocol for Oblivious Transfer

CS 161 Computer Security

ENEE 459-C Computer Security. Security protocols

Study Guide for the Final Exam

Rational Oblivious Transfer

Attribute-Based Publishing with Hidden Credentials and Hidden Policies

Lecture 3. Introduction to Cryptocurrencies

Cryptography and Cryptocurrencies. Intro to Cryptography and Cryptocurrencies

Lecture 12. Algorand

Lecture 5: Zero Knowledge for all of NP

Overview of Cryptography

New Notions of Security: Achieving Universal Composability without Trusted Setup

0x1A Great Papers in Computer Security

Securely Outsourcing Garbled Circuit Evaluation

Multi-Theorem Preprocessing NIZKs from Lattices

An Overview of Active Security in Garbled Circuits

Compiling an Honest but Curious Protocol

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

Whitewash: Outsourcing Garbled Circuit Generation for Mobile Devices

Probabilistic Termination and Composability of Cryptographic Protocols [Crypto 16]

Cryptographic proof of custody for incentivized file-sharing

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Universally Composable Two-Party and Multi-Party Secure Computation

Adaptively Secure Broadcast

Zero-Knowledge from Secure Multiparty Computation

Security of Cryptosystems

MTAT Research Seminar in Cryptography Building a secure aggregation database

CS 161 Computer Security

Introduction to Cryptography Lecture 7

arxiv:quant-ph/ v2 30 Nov 2004

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Introduction to Cryptography Lecture 7

Cryptography CS 555. Topic 1: Course Overview & What is Cryptography

Lecture 7 - Applied Cryptography

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Universally Composable Multiparty Computation with Partially Isolated Parties

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Fast Optimistically Fair Cut-and-Choose 2PC

Cryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay

Bitcoin, Security for Cloud & Big Data

Security Against Covert Adversaries: Efficient Protocols for Realistic Adversaries

Notes for Lecture 14

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh

Lectures 4+5: The (In)Security of Encrypted Search

Lecture 8 - Message Authentication Codes

Efficient Server-Aided Secure Two-Party Function Evaluation with Applications to Genomic Computation

Transcription:

Secure Multi-Party Computation Lecture 13

Must We Trust? Can we have an auction without an auctioneer?! Declared winning bid should be correct Only the winner and winning bid should be revealed

Using data without sharing? Hospitals which can t share their patient records with anyone But want to data-mine on combined data Data Mining Tool

Secure Function Evaluation A general problem To compute a function of private inputs without revealing information about the inputs Beyond what is revealed by the function X 1 X 4 X 2 f(x 1, X 2, X 3, X 4 ) X 3

Poker With No Dealer? Need to ensure Cards are shuffled and dealt correctly Complete secrecy No cheating by players, even if they collude No universally trusted dealer

The Ambitious Goal Without any trusted party, securely do Any Task! Distributed Data mining E-commerce Network Games E-voting Secure function evaluation...

Emulating Trusted Computation Encryption/Authentication allowed us to emulate a trusted channel Secure MPC: to emulate a source of trusted computation Trusted means it will not leak a party s information to others And it will not cheat in the computation

SIM-Secure MPC i face F i face proto proto Secure (and correct) if: s.t. IDEAL Env output of is distributed identically in REAL and IDEAL Env REAL

Trust Issues Considered Protocol may leak a party s secrets Clearly an issue -- even if we trust everyone not to cheat in our protocol (i.e., honest-but-curious) Also, a liability for a party if extra information reaches it Say in medical data mining Protocol may give adversary illegitimate influence on the outcome Say in poker, if adversary can influence hands dealt SIM security covers these concerns Because IDEAL trusted entity would allow neither

Adversary REAL-adversary can corrupt any set of players In security requirement IDEAL-world adversary should corrupt the same set of players i.e., environment gets to know the set of corrupt players More sophisticated notion: adaptive adversary which corrupts players dynamically during/after the execution We ll stick to static adversaries Passive vs. Active adversary: Passive adversary gets only read access to the internal state of the corrupted players. Active adversary overwrites their state and program.

Passive Adversary Gets only read access to the internal state of the corrupted players (and can use that information in talking to environment) Also called Honest-But-Curious adversary Will require that simulator also corrupts passively Simplifies several cases e.g. coin-tossing [why?], commitment [coming up] Oddly, sometimes security against a passive adversary is more demanding than against an active adversary Active adversary: too pessimistic about what guarantee is available even in the IDEAL world e.g. 2-party SFE for OR, with output going to only one party (trivial against active adversary; impossible without computational assumptions against passive adversary)

Example Functionalities Can consider arbitrary functionalities i.e., arbitrary (PPT) program of the trusted party to be emulated Some simple (but important) examples: Secure Function Evaluation e.g. Oblivious Transfer (coming up) Can be randomized: e.g. Coin-tossing Reactive functionalities (maintains state over multiple rounds) e.g. Commitment (coming up)

Commitment Commit now, reveal later IDEAL World 30 Day Free Trial Intuitive properties: hiding and binding up F COM COMMIT: m m F commit up REVEAL We Predict STOCKS!! up COMMIT Really? Next Day REVEAL: reveal Fm m

Oblivious Transfer Pick one out of two, without revealing which IDEAL World Intuitive property: transfer partial information obliviously x 0 x 1 F b x b All 2 of them! Sure A:up, B:down We Predict STOCKS!! FOT up A I need just one But can t tell you which

Can we REAL-ize them? Are there protocols which securely realize these functionalities? Securely Realize: A protocol for the REAL world, so that SIM security definition satisfied Turns out SIM definition too strong Unless modified carefully...

Alternate Security Definitions Standalone security: environment is not live : interacts with the adversary before and after (but not during) the protocol Honest-majority security: adversary can corrupt only a strict minority of parties. (Not useful when only two parties involved) Passive (a.k.a honest-but-curious) adversary: where corrupt parties stick to the protocol (but we don t want to trust them with information) Functionality-specific IND definitions: usually leave out several attacks (e.g. malleability related attacks) Protocols on top of a real trusted entity for a basic functionality Modified SIM definitions (super-ppt adversary for ideal world)

2-Party Secure Function Evaluation Functionality takes (X;Y) and outputs f(x;y) to Alice, g(x;y) to Bob OT is an instance of 2-party SFE f(x 0,x 1 ;b) = none; g(x 0,x 1 ;b) = x b Symmetric SFE: both parties get the same output e.g. f(x 0,x 1 ;b,z) = g(x 0,x 1 ;b,z) = x b z [OT from this! How?] More generally, any SFE from an appropriate symmetric SFE i.e., there is a protocol securely realizing SFE functionality G, which accesses a trusted party providing some symmetric SFE functionality F Exercise

Gives a protocol using access to f, to securely realize f Exercise 2-Party Secure Function Evaluation Randomized Functions: f(x;y;r) r is chosen randomly by the trusted party Neither party should know r (beyond what is revealed by output) Consider evaluating f (X,a;Y,b) := f(x;y;a b) Note f is deterministic If either a or b is random a b is random and hidden from each party

An OT Protocol (passive receiver corruption) Using a T-OWP Depends on receiver to pick x 0, x 1 as prescribed Simulation for passive corrupt receiver: simulate z 0,z 1 knowing only x b (use random z 1-b ) Simulation for corrupt sender: Extract x 0,x 1 from interaction (pick s 1-b also) x 0 x 1 F b x b Pick (f,f -1 ) let s i =f -1 (r i ) z i = x i B(s i ) x 0,x 1 f r 0, r 1 z 0, z 1 pick s b,r 1-b let r b =f(s b ) x b =z b B(s b ) x b b

Today Secure MPC: formalized using IDEAL world with trusted computational entity Examples: poker, auction, privacy-preserving data-mining Basic Examples: SFE, Oblivious Transfer, Commitment Weaker security requirements: security against passive (honest-but-curious) adversary, standalone security Example of a protocol: OT secure against passive adversary Coming up: SFE protocols for passive security. Zero-Knowledge proofs. Issues of composition. Universal Composition.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback