Secure Multiparty Computation

Similar documents
CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Secure Multiparty Computation

Introduction to Secure Multi-Party Computation

1 A Tale of Two Lovers

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

An Overview of Secure Multiparty Computation

Introduction to Secure Multi-Party Computation

Secure Multiparty Computation Introduction to Privacy Preserving Distributed Data Mining

MTAT Research Seminar in Cryptography Building a secure aggregation database

Secure Multi-Party Computation

2018: Problem Set 1

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Security Protections for Mobile Agents

Foundations of Cryptography CS Shweta Agrawal

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.

Introduction to Cryptography Lecture 7

Introduction to Cryptography Lecture 7

Secure Computation of Functionalities based on Hamming Distance and its Application to Computing Document Similarity

CS3235 Seventh set of lecture slides

Secure Multi-Party Computation. Lecture 13

Adaptively Secure Computation with Partial Erasures

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Rational Oblivious Transfer

An Overview of Active Security in Garbled Circuits

The Simplest Protocol for Oblivious Transfer

CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION

Public Key Cryptography and the RSA Cryptosystem

- Presentation 25 minutes + 5 minutes for questions. - Presentation is on Wednesday, 11:30-12:00 in B05-B06

Fairness Versus Guaranteed Output Delivery in Secure Multiparty Computation

Defining Multi-Party Computation

Fairness versus Guaranteed Output Delivery in Secure Multiparty Computation

How to securely perform computations on secret-shared data

The IPS Compiler: Optimizations, Variants and Concrete Efficiency

Universally Composable Two-Party and Multi-Party Secure Computation

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

More crypto and security

Notes for Lecture 24

OBLIVIOUS ENFORCEMENT OF HIDDEN INFORMATION RELEASE POLICIES USING ONLINE CERTIFICATION AUTHORITIES

Cryptography. Andreas Hülsing. 6 September 2016

CPSC 467b: Cryptography and Computer Security

What did we talk about last time? Public key cryptography A little number theory

Efficient and Secure Multi-Party Computation with Faulty Majority and Complete Fairness

Verifiably Encrypted Signature Scheme with Threshold Adjudication

Plaintext Awareness via Key Registration

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Securely Outsourcing Garbled Circuit Evaluation

Using Commutative Encryption to Share a Secret

0x1A Great Papers in Computer Security

Proofs for Key Establishment Protocols

Attribute-based encryption with encryption and decryption outsourcing

Secure Multi-Party Computation Without Agreement

High-Throughput Semi-Honest Secure Three-Party Computation with an Honest Majority

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Oblivious Transfer(OT)

Algorithms (III) Yu Yu. Shanghai Jiaotong University

Lecture 10, Zero Knowledge Proofs, Secure Computation

Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme

Cryptography: More Primitives

Multi-Party 2 Computation Part 1

RSA. Public Key CryptoSystem

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Public-key Cryptography: Theory and Practice

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

Faster Private Set Intersection based on OT Extension

1 Identification protocols

Outsourcing secure two-party computation as a black box

CPSC 467: Cryptography and Computer Security

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Accountability in Privacy-Preserving Data Mining

Efficient Private Matching and Set Intersection

Michael Zohner (TU Darmstadt)

Whitewash: Outsourcing Garbled Circuit Generation for Mobile Devices

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Cryptographically Secure Bloom-Filters

Security Against Covert Adversaries: Efficient Protocols for Realistic Adversaries

Fast Optimistically Fair Cut-and-Choose 2PC

Secure Outsourced Garbled Circuit Evaluation for Mobile Devices

CS 161 Computer Security

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Lecture 8: Privacy and Anonymity Using Anonymizing Networks. CS 336/536: Computer Network Security Fall Nitesh Saxena

Lecture 7 - Applied Cryptography

Secure Two-Party Computation: Generic Approach and Exploiting Specific Properties of Functions Approach

Secret Sharing With Trusted Third Parties Using Piggy Bank Protocol

Scalable privacy-enhanced traffic monitoring in vehicular ad hoc networks

Ref:

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Key Protection for Endpoint, Cloud and Data Center

Lecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

Lecture 3 Algorithms with numbers (cont.)

CSE 127: Computer Security Cryptography. Kirill Levchenko

CSA E0 312: Secure Computation October 14, Guest Lecture 2-3

Applied Cryptography and Computer Security CSE 664 Spring 2018

Outsourcing Secure Two-Party Computation as a Black Box

CS 395T. Formal Model for Secure Key Exchange

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CS 161 Computer Security

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Transcription:

Secure Multiparty Computation Li Xiong CS573 Data Privacy and Security

Outline Secure multiparty computation Problem and security definitions Basic cryptographic tools and general constructions

Yao s Millionnare Problem Two millionaires, Alice and Bob, who are interested in knowing which of them is richer without revealing their actual wealth. This problem is analogous to a more general problem where there are two numbers a and b and the goal is to solve the inequality without revealing the actual values of a and b.

Secure Multiparty Computation A set of parties with private inputs Parties wish to jointly compute a function of their inputs so that certain security properties (like privacy and correctness) are preserved Properties must be ensured even if some of the parties maliciously attack the protocol Examples Secure elections Auctions Privacy preserving data mining

Heuristic Approach to Security 1. Build a protocol 2. Try to break the protocol 3. Fix the break 4. Return to (2)

Another Heuristic Tactic Design a protocol Provide a list of attacks that (provably) cannot be carried out on the protocol Reason that the list is complete

A Rigorous Approach Provide an exact problem definition Adversarial power Network model Meaning of security Prove that the protocol is secure

Secure Multiparty Computation A set of parties with private inputs wish to compute some joint function of their inputs. Parties wish to preserve some security properties. e.g., privacy and correctness. Example: secure election protocol Security must be preserved in the face of adversarial behavior by some of the participants, or by an external party.

Defining Security The real/ideal model paradigm for defining security [GMW,GL,Be,MR,Ca]: Ideal model: parties send inputs to a trusted party, who computes the function for them Real model: parties run a real protocol with no trusted help A protocol is secure if any attack on a real protocol can be carried out in the ideal model

The Real Model x y Protocol output Protocol output

The Ideal Model x y x y f 1 (x,y) f 2 (x,y) f 1 (x,y) f 2 (x,y)

The Security Definition: Protocol interaction For every real adversary A there exists an adversary S Trusted party REAL IDEAL

Properties of the Definition Privacy: The ideal-model adversary cannot learn more about the honest party s input than what is revealed by the function output Thus, the same is true of the real-model adversary Correctness: In the ideal model, the function is always computed correctly Thus, the same is true in the real-model Others: For example, fairness, independence of inputs

Adversary Model Computational power: polynomial-time versus all-powerful Adversarial behaviour: Semi-honest: follows protocol instructions Malicious: arbitrary actions Corruption behaviour Static: set of corrupted parties fixed at onset Adaptive: can choose to corrupt parties at any time during computation Number of corruptions Honest majority versus unlimited corruptions

Security proof tools Real/ideal model: the real model can be simulated in the ideal model Key idea Show that whatever can be computed by a party participating in the protocol can be computed based on its input and output only polynomial time S such that {S(x,f(x,y))} {View(x,y)}

Security proof tools Composition theorem if a protocol is secure in the hybrid model where the protocol uses a trusted party that computes the (sub) functionalities, and we replace the calls to the trusted party by calls to secure protocols, then the resulting protocol is secure Prove that component protocols are secure, then prove that the combined protocol is secure

Outline Secure multiparty computation Defining security Basic cryptographic tools and general constructions

Public-key encryption Let (G,E,D) be a public-key encryption scheme G is a key-generation algorithm (pk,sk) G Pk: public key Sk: secret key Terms Plaintext: the original text, notated as m Ciphertext: the encrypted text, notated as c Encryption: c = E pk (m) Decryption: m = D sk (c) Concept of one-way function: knowing c, pk, and the function E pk, it is still computationally intractable to find m. *Different implementations available, e.g. RSA

Construction paradigms Passively-secure computation for two-parties Use oblivious transfer to securely select a value Passively-secure computation with shares Use secret sharing scheme such that data can be reconstructed from some shares From passively-secure protocols to activelysecure protocols Use zero-knowledge proofs to force parties to behave in a way consistent with the passivelysecure protocol

1-out-of-2 Oblivious Transfer (OT) 1-out-of-2 Oblivious Transfer (OT) Inputs Sender has two messages m 0 and m 1 Receiver has a single bit σ {0,1} Outputs Sender receives nothing Receiver obtain m σ and learns nothing of m 1-σ

Semi-Honest OT Let (G,E,D) be a public-key encryption scheme G is a key-generation algorithm (pk,sk) G Encryption: c = E pk (m) Decryption: m = D sk (c) Assume that a public-key can be sampled without knowledge of its secret key: Oblivious key generation: pk OG El-Gamal encryption has this property

Semi-Honest OT Protocol for Oblivious Transfer Receiver (with input σ): Receiver chooses one key-pair (pk,sk) and one public-key pk (oblivious of secret-key). Receiver sets pk σ = pk, pk 1-σ = pk Note: receiver can decrypt for pk σ but not for pk 1-σ Receiver sends pk 0,pk 1 to sender Sender (with input m 0,m 1 ): Sends receiver c 0 =E pk0 (m 0 ), c 1 =E pk1 (m 1 ) Receiver: Decrypts c σ using sk and obtains m σ.

Security Proof Intuition: Sender s view consists only of two public keys pk 0 and pk 1. Therefore, it doesn t learn anything about that value of σ. The receiver only knows one secret-key and so The receiver only knows one secret-key and so can only learn one message Note: this assumes semi-honest behavior. A malicious receiver can choose two keys together with their secret keys.

Generalization Can define 1-out-of-k oblivious transfer Protocol remains the same: Choose k-1 public keys for which the secret key is unknown Choose 1 public-key and secret-key pair

Secrete Sharing Scheme Distributing a secret amongst n participants, each of whom is allocated a share of the secret The secret can be reconstructed only when a sufficient number (t) of shares are combined together (t, n)-threshold scheme Secrete shares, random shares individual shares are of no use on their own

Trivial Secrete Sharing Scheme Encode the secret as an integer s. Give to each player i (except one) a random integer r i. Give to the last player the number (s r 1 r 2... r n 1 )

Secrete sharing scheme Shamir s scheme It takes t points to define a polynomial of degree t-1 Create a t-1 degree polynomial with secret as the first coefficient and the remaining coefficients picked at random. Find n points on the curve and give one to each of the players. Tt At least t points are required to fit the polynomial. Blakey s scheme any n nonparallel n-dimensional hyperplanes intersect at a specific point Secrete as the coordinate of the hyperplanes Less space efficient

General GMW Construction For simplicity consider two-party case Let f be the function that the parties wish to compute Represent f as an arithmetic circuit with addition and multiplication gates Aim compute gate-by-gate, revealing only random shares each time

Random Shares Paradigm Let a be some value: Party 1 holds a random value a 1 Party 2 holds a+a 1 Note that without knowing a 1, a+a 1 is just a random value revealing nothing of a. We say that the parties hold random shares of a. The computation will be such that all intermediate values are random shares (and so they reveal nothing).

Circuit Computation Stage 1: each party randomly shares its input with the other party Stage 2: compute gates of circuit as follows Given random shares to the input wires, compute random shares of the output wires Stage 3: combine shares of the output wires in order to obtain actual output AND Alice s inputs AND NOT Bob s inputs AND OR OR

Addition Gates Input wires to gate have values a and b: Party 1 has shares a 1 and b 1 Party 2 has shares a 2 and b 2 Note: a 1 +a 2 =a and b 1 +b 2 =b To compute random shares of output c=a+b Party 1 locally computes c 1 =a 1 +b 1 Party 2 locally computes c 2 =a 2 +b 2 Note: c 1 +c 2 =a 1 +a 2 +b 1 +b 2 =a+b=c

Multiplication Gates Input wires to gate have values a and b: Party 1 has shares a 1 and b 1 Party 2 has shares a 2 and b 2 Wish to compute c = ab = (a 1 +a 2 )(b 1 +b 2 ) Party 1 knows its concrete share values a 1 and b 1. Party 2 s shares a 2 and b 2 are unknown to Party 1, but there are only 4 possibilities (00,01,10,11)

Multiplication (cont) Party 1 prepares a table as follows (Let r be a random bit chosen by Party 1): Row 1 contains the value a b+r when a 2 =0,b 2 =0 Row 2 contains the value a b+r when a 2 =0,b 2 =1 Row 3 contains the value a b+r when a 2 =1,b 2 =0 Row 4 contains the value a b+r when a 2 =1,b 2 =1

Concrete Example Assume: a 1 =0, b 1 =1 Assume: r=1 Row Party 2 s shares Output value 1 a. 2 =0,b 2 =0 (0+0) (1+0)+1=1 2 a 2 =0,b 2 =1 (0+0). (1+1)+1=1 3 a 2 =1,b 2 =0 (0+1). (1+0)+1=0 4 a 2 =1,b 2 =1 (0+1). (1+1)+1=1

The Gate Protocol The parties run a 1-out-of-4 oblivious transfer protocol Party 1 plays the sender: message i is row i of the table. Party 2 plays the receiver: it inputs 1 if a 2 =0 and b 2 =0, 2 if a 2 =0 and b 2 =1, and so on Output: Party 2 receives c 2 =c+r this is its output Party 1 outputs c 1 =r Note: c 1 and c 2 are random shares of c, as required

Security Reduction to the oblivious transfer protocol Assuming security of the OT protocol, parties only see random values until the end. Therefore, simulation is straightforward. Note: correctness relies heavily on semihonest behavior (otherwise can modify shares).

Outline Secure multiparty computation Defining security Basic cryptographic tools and general constructions Coming up Applications in privacy preserving distributed data mining Random response protocols

A real-world problem and some simple solutions Bob comes to Ron (a manager), with a complaint about a sensitive matter, asking Ron to keep his identity confidential A few months later, Moshe (another manager) tells Ron that someone has complained to him, also with a confidentiality request, about the same matter Ron and Moshe would like to determine whether the same person has complained to each of them without giving information to each other about their identities Comparing information without leaking it. Fagin et al, 1996

Solutions Solution 1: Trusted third party Solution 7: message for Moshe Solution 8: Airline reservation Solution 9: Password

References Secure Multiparty Computation for Privacy- Preserving Data Mining, Pinkas, 2009 Chapter 7: General Cryptographic Protocols ( 7.1 Overview), The Foundations of Cryptography, Volume 2, Oded Goldreich http://www.wisdom.weizmann.ac.il/~eoded/foc-vol2.html Comparing information without leaking it. Fagin et al, 1996

Slides credits Tutorial on secure multi-party computation, Lindell www.cs.biu.ac.il/~lindell/research-statements/tutorial-secure-computation.ppt Introduction to secure multi-party computation, Vitaly Shmatikov, UT Austin www.cs.utexas.edu/~shmat/courses/cs380s_fall08/16smc.ppt

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback