Dias nummer 1

About This Presentation

Title:

Dias nummer 1

Description:

So we are going to demand that the protocols works as it should, ... can assume desired computation specified as algebraic circuit over finite field K= GF(p) ... – PowerPoint PPT presentation

Number of Views:35

Avg rating:3.0/5.0

Slides: 74

Provided by: ivand6

Category:

more less

Transcript and Presenter's Notes

Title: Dias nummer 1

1
Multiparty Computation Ivan Damgård BRICS, Århus
University
2

The MPC problem
n players P1, P2, , Pn
Player Pi holds input xi
Goal for some given function f with n inputs and
n outputs, compute f(x1,,xn) (y1,,yn)
securely, i.e., we want a protocol such that
Pi learns the correct value of yi
No information on inputs is leaked to Pi, other
than what follows from xi and yi.
We want this to hold, even when (some of) the
players behave adversarially.
Examples
Match-making, Electronic Voting,

3
Generality MPC is extremely general a solution
implies in principle a solution to any
cryptographic protocol problem. But note not
all problems can be modelled by computing a
single function securely. Example Secure
electronic payments is more like secure
computation of several functions, keeping track
of some state information in between. Not a
problem, however the definition we will see is
fully general, and the protocols we describe are
actually fully general as well, although they are
phrased as solutions for computing a single
function, for simplicity.
4

Modelling Adversarial Behavior
Assume one central adversary Adv.
Adv may
corrupt some of the players and use this to learn
information he should not know, or mess up the
results.
When Pi is corrupted, Adv learns complete history
of Pi.
An adversary may be
Passive or Active just monitor corrupted
players or take full control.
Static or Adaptive all corruptions take place
before protocol starts, or happen dynamically
during protocol (but once youre corrupt, you
stay bad).
Unbounded or probabilistic polynomial time
Goal of MPC, a bit more precisely
Want protocol to work as if we had a trusted
party T, who gets inputs from players, computes
results and returns them to the players, hence
Adv may decide inputs for corrupted players, but
honest players get correct results, and protocol
tells Adv only inputs/outputs of corrupted
players.

5
Bounds on corruption If Adv can corrupt an
arbitrary subset of players, in most cases
problem cannot be solved for instance, what
does security mean if everyone is corrupted? So
need to define some bound on which subsets can be
corrupt. Adversary Structure G family of subsets
of P P1,,Pn Adv is a G-adversary set of
corrupted players is in G at all times To make
sense, G must be monotone B?G and A ? B implies
A?G i.e. If Adv can corrupt set B, he
can choose to corrupt any smaller
set. Threshold-t structure contains all subsets
of size at most t. G is Q3 for any A1,A2,A3 ? G,
A1?A2 ?A3 is smaller than P G is Q2 for any
A1,A2 ? G, A1?A2 is smaller than P Threshold-t
structure for tlt n/3 is Q3 Threshold-t structure
for tlt n/2 is Q2
6

Why General Access Structures?
And not just a bound on the number of players
that can be corrupt?
Threshold adversaries (where we just bound the
number of corruptions) make sense in a network
where all nodes are equally hard to break into.
This is often not the case in practice.
With general access structures, we can express
things such as the adversary can
break into a small number of the more secure
nodes and a larger number of less secure ones.

Modelling Communication
Asynchronous network adversary sees all
messages, can delay them indefinitely.
Some forms of the MPC problem harder or
impossible on such a network, in any case
additional complications. So in these lectures
Synchronous network communication proceeds in
rounds in each round each player may send a
message to each other player, all messages
received in same round.
Two main variants
Information Theoretic scenario Adv does not see
communication between honest (uncorrupted)
players ? can get security for unbounded Adv.
Cryptographic scenario Adv sees all messages
sent, but cannot change messages exchanged
between honest players ? can only get security
for (poly-time) bounded Adv.

8
Summary
The players
Corruption can be passive just observe
computation and mess.
x2, y2
x1, y1
Or active take full control
Inputs, Desired outputs
Synchronous communication
Corrupt
Adv
x3, y3
x4,y4
Crypto scenario Adv sees all messages or I.T.
scenario no info on honest-to-honest mess.
Adv can choose which players to corrupt
statically or adaptively but set
of corrupted players must be not too large,
i.e., it must be in the given adversary structure
9

Known Results, Information theoretic scenario
Passive, adaptive, unbounded G-adversary
any
function can be securely computed with perfect
security iff G is Q2
in threshold-t case, if and only if tlt
n/2
Meaning of only if there exists a function
that cannot be computed securely, if condition on
G (t) not satisfied.
Active, adaptive, unbounded G-adversary
any
function can be securely computed with perfect
security iff G is Q3
in threshold-t case, iff tlt n/3
If we assume that a broadcast channel is given
for free, and we accept a non-zero error
probability, more is possible
i.t. scenario with broadcast and active,
adaptive, unbounded G-adversary
any function can
be securely computed with small error prob. iff G
is Q2 in
threshold-t case, iff tlt n/2
Results of CCD88, BGW88, RB89, HM99,CDDHR00

Known Results, Cryptographic Scenario
Passive, adaptive, polynomial time adversary

Assuming one-way trapdoor permutations exist, any
function can be securely computed with
computational security if number of corrupted
players is lt n.
Active, adaptive, polynomial time G-adversary

Assuming one-way trapdoor permutations exist, any
function can be securely computed with
computational security iff G is Q2
in threshold-t case, iff
tlt n/2.
Results of Y86, GMW87,CFGN

Defining Security of MPC (or Protocols in
General)
Classical approach write list of desired
properties
- Not good, hard to make sure the list is
complete. Ex. Secure voting.
New approach define an ideal version of the
functionality we want. Say that protocol is good
if it is equivalent to the ideal thing.
Advantage from equivalence, we know that
protocol has all good properties of the ideal
version also those we did not think of yet!
We will give a variant of the definition of
Canetti for Universally Composable (UC) Security.
(Variant is due to Jesper Nielsen, main
difference explicitly considers synchronous
networks, original UC was for the asynchronous
case).

General Adversarial Activity
Important note before definition in general the
adversary may be able to do more than corrupt
players and control their behavior
Most protocols run as a part of a bigger system,
fx think of key exchange protocols or electronic
payment schemes.
A real-life adversary will attack the whole
system, not just the protocol
Hence the adversary may have some influence on
the inputs that the honest players will
contribute, maybe he can even control them.
Also, the adversary might get some information
on the results that the honest players obtain
from the protocol perhaps even full
information.
In our definition, the adversary should be
allowed to choose inputs for honest players and
see their results.

General Adversarial Activity, Contd
In our definition, the adversary should be
allowed to choose inputs for honest players and
see their results.
Question this is very strange didnt we say
that the adversary should not get information
about honest players results??
Answer what we said was that the protocol should
not release such information. The protocol cannot
help it, if the adversary learns something from
other sources, such as the surrounding system.
So we are going to demand that the protocols
works as it should, regardless of what the
adversary knows or can control by means that are
external to the protocol.

Concepts in the definition.
All entities (players, adversary, trusted
parties) formally speaking are interactive,
probabilistic Turing machines. Everyone gets as
input security parameter k, Adv gets aux. input
z.
The Ideal Functionality (or Trusted Party) F
Models the functionality we would like the
protocol to implement.
Cannot be corrupted
Can communicate with all players and with the
adversary.
Receives inputs from all players, does
computation according to its program and returns
results to players.
Has memory and can be invoked several times -
can therefore be used to model any reasonable
primitive we could imagine.
Of course, no such F exists in real life, only
used a specification of what we would like to
have. Definition basically says that a protocol
is good (w.r.t. F) if it creates in real life a
situation equivalent to having F available.

Plan for Definition.
Define two processes
The Real Process
The Ideal Process
In the Real Process, we have the adversary Adv
and the players executing the protocol ? (no
trusted party).
In the Ideal Process, we still have the Adv, but
? is replaced by the trusted party F (plus a
simulator S to be explained later).
We will say that ? securely realizes F if Adv
cannot tell whether he is in the real or in the
ideal process.

16
The Real Process
Exchange input/results with honest players
Protocol ?
Corrupt
Adv
If active, Adv chooses messages for corrupt
players, always sees their internal data and
received messages
When protocol over, Adv outputs a bit. Given Adv,
? ,k and z, this is a random variable called
REALAdv, ?(k,z)
17
The Ideal Process
Exchange inputs/results with players
Exchange inputs/results for honest players
Adv
No Protocol, but an Ideal Functionality F... Same
Adv activities as before So as honest players
only forward info between Adv and F, we may as
well abstract them away
Corrupt
F
But Adv will expect to see internal data and
protocol messages received by corrupted players.
No protocol here so what to do?
18
To make things seem the same to Adv in the real
as in the ideal process, we introduce the
Simulator.. Who will magically produce Advs
view of attacking the protocol, based on the
exchange with F.
The Ideal Process
Exchange inputs/results for honest players
Adv
Corrupt
F
Exchange inputs/results for corrupt players
S
At end of protocol, Adv outputs a bit, a random
variable called IDEALAdv,F,S(k,z)
19
The Definition We say that ? ?-securely realizes
F perfectly if there exists a simulator S such
that for all adversaries Adv corrupting only sets
in ? it holds that Prob(IDEALAdv,F,S(k,z) 0)
Prob(REALAdv, ?(k,z) 0) For all k and
z. Intuition we think of Advs output bit as its
guess at whether it is in the real or ideal
world. The two probabilities equal means it has
no idea. Note we say for all Adv, so no bound
here on Advs computing power. We talk about
realizing F statistically if
Prob(IDEALAdv,T,S(k,z) 0) - Prob(REALAdv,
?(k,z) 0) is
negligible in k (for arbitrary choice of
z). Realizing F computationally the same, but
but only for all polynomial time bounded
Adv. Note misprint in notes, says for all Adv,
there exists S such that.., should be the other
way around, as here.
20
Intuition on Definition It ensures that the
real-life process inherits natural security
properties from the ideal process. For
instance.. The protocol forces Adv to be aware of
which inputs corrupt players contribute S must
figure out which input values to send to F in
ideal process. These inputs must follow from the
protocol messages sent by corrupt players (and
produced by Adv). The protocol ensures that
honest players compute correct results is always
true in ideal process by def. of F, and if
protocol produces inconsistent results, Adv could
distinguish easily. The protocol does not release
information it shouldnt S is able to simulate
convincingly Advs view of attacking the
protocol, based only on what F sends to corrupt
players.
21

Secret Sharing
A Dealer holds a secret value s in Zp, p gt n is
a prime.
Dealer chooses a random polynomial f() over Zp
of degree at most t, such that f(0)s
f(x) s a1 x a2 x2 at xt
Dealer sends si f(i) privately to Pi.
Properties
Any subset of at most t players has no
information on s
Any subset of at least t1 players can easily
compute s can be done by taking a linear
combination of the shares they know.
A consequence the reconstruction vector
There exists a reconstruction vector (r1,,rn)
such that for any polynomial h() of degree less
than n
h(0) r1 h(1) rn h(n)

A Protocol for the Passive Case, I.T. Scenario
threshold adversary, may corrupt up to t
players, tlt n/2.
can assume desired computation specified as
algebraic circuit over finite field K GF(p).
3 Phases in protocol
Shares inputs among players
Do the computation, results in sharings of the
outputs
Open outputs

Sharing Phase Each Pi shares each of his input
value using a random polynomial of degree at most
t, sends a share of each input to each
player. Notation a ?f()? a1, a2, , an means
value a has been shared using polynomial f(),
resulting in shares a1,,an, where player Pi
knows ai. f() is random polynomial of degree at
most t, only constraint is that f(0) a.
23
Computation Phase Addition Gates Input a ?fa()?
a1,,an and b ?fb()? b1,,bn Desired Output c
ab ?fc()? c1,,cn Each player sets ci aibi.
Then we have what we want ab ?fc()? c1,,cn,
with fc() fa()fb() - works, since
adding two random polynomials of degree t
produces random polynomial of degree
t Multiplication Gates Input a ?fa()? a1,,an
and b ?fb()? b1,,bn
Desired Output c ab ?fc()? c1,,cn. Each
player sets di ai bi. If we set h() fa()
fb(), then di fa(i) fb(i) h(i). Also h(0) ab
c Unfortunately, h() may have degree up to 2t,
and is not even a random polynomial of degree at
most 2t. What to do?
24
Multiplication Gates, cont We have public
reconstruction vector (r1,,rn) know that c
h(0) r1 h(1) rn h(n) r1 d1 rn dn
- since deg(h) 2t lt n Each player Pi creates di
?hi()? ci1, ci2,,cin. So we have
d1 ?h1()? c11 c12
c1n d2 ?h2()? c21 c22
c2n dn ?hn()? cn1
cn2 cnn
Known by P1 P2
Pn
r1 r1 r1
r2
r2 r2

rn rn
rn
c1 c2
cn
c is now shared using polynomial fc(), where fc()
? ri hi()
c ?fc()?
25
Output Opening Phase Having made our way through
the circuit, we have for each output value y y
?fy()? y1,, yn If y is to be received by player
Pi, each Pj sends yj to Pi. Pi reconstructs in
the normal way. Security, intuitively Outputs
trivially correct, since all players follow
protocol For every input from an honest player,
intermediate result and outputs of honest
players, Adv sees at most t shares. These are
always t random field elements, so reveal no
information.
26
Security proof, more formally First define
functionality FMPC Basically, it receives inputs
from all players x1,,xn. Compute function
(y1,,yn) f(x1,,xn), send yi to Pi. Want to
prove that protocol realizes FMPC with perfect
security (assuming lt n/2 players corrupted) By
definition, must construct efficient simulator S,
interacting on one side with Adv, on other side
with FMPC. Assume first Adv is static. Interface
Adv vs. S In each round, S must specify messages
that corrupt players receive from honest players
and Adv specifies messages that corrupt players
send (since Adv is passive, we can assume the
messages are computed according to
protocol. Interface S vs. FMPC S sends inputs to
FMPC on behalf of corrupted players, FMPC sends
results for corrupted players to S.
27
Sketch of Algorithm for S Input sharing
phase When Adv generates messages containing
shares of corrupt players input, S can
reconstruct and send input value to FMPC. To
simulate honest players sharing their inputs, S
chooses a random value for each corrupt player
and shows them to Adv. Computation phase Only
multiplication gates generate communication,
namely local products are shared. S records what
corrupt players send and generate random values
to simulate honest players sharings.
Note S can keep track
of the shares that corrupt players hold of every
intermediate result. Output phase FMPC sends to
S result y meant for a corrupt player. S knows
the (simulated) shares of y held by corrupt
players. S interpolates a polynomial that fits
with result and the lt t shares already known by
Adv, and uses this to simulate the shares of
honest players. This simulation is perfect
28

Proof for adaptive Adv
New elements in the interaction of S
S vs Adv
Adv can say at any point corrupt Pi. S must
then generate complete history of Pi
participating in protocol, i.e., internal data,
random coins, messages received. Must be
consistent with what Adv has seen so far
S vs. FMPC
S can say corrupt Pi. Then S gets inputs and
results for Pi (if they have been specified at
this point).
Must add to algorithm of S a reconstruct
history procedure.
Works essentially as follows
Internal data of Pi essentially a list of
polynomials used for secret sharing values. For
each value x, some shares known already by Adv. S
chooses random polynomial consistent with x and
known shares.
Extra technicalities for the output phase, see
notes for details.

Protocol for Active Adversaries
General idea use protocol for passive case, but
make players prove that they send correct
information.
Main tool for this commitment scheme
Intuition committer Pi puts secret value s?K in
a locked box and puts it on the table. Later,
Pi can choose to open the box, by releasing the
key.
Hiding no one else can learn s from the
commitment
Binding having given away the box, Pi cannot
change what is inside.
We can model a commitment scheme by an ideal
functionality Fcom, that offers the following
commands
Commit player Pi sends a value s to the
functionality, Fcom records it is internal memory
Open if Pi sends this, Fcom recovers s from
memory and sends it to all players.
Trivially satisfies hiding and binding since Fcom
cannot be corrupted.

Using Functionalities in Protocols
The plan is to use a commitment scheme, i.e., (an
extention of) Fcom as a subrutine to build a
realization of FMPC , secure against active
cheating. So we need
A model specifying what it means to use an ideal
functionality in a protocol. As a result, we can
formally specify what it means that protocol ?
implements FMPC when given access to Fcom.
A theorem saying that if protocol ? realizes for
instance Fcom securely, then it is OK to replace
Fcom by ?.
Doing this in ? would result in the desired
real-life protocol for FMPC

31
The G-Hybrid model Realizing F given G
Exchange input/results with honest players
Protocol ?
Corrupt
Adv
G
When protocol over, Adv outputs a bit. Given Adv,
? ,k and z, this is a random variable called
HYBRIDG, Adv, ?(k,z)
32
The Ideal Process
Same as before, except Adv now expects to act in
a world where G is present, so S must also
emulate Advs and corrupt players interaction
with G
Exchange inputs/results for honest players
Adv
Corrupt
F
Exchange inputs/results for corrupt players
S
At end of protocol, Adv outputs a bit, a random
variable called IDEALAdv,F,S(k,z)
33
Definition We say that ? ?-securely realizes F
perfectly in the G-hybrid model if there exists a
simulator S such that for all adversaries Adv
corrupting only sets in ? it holds
that Prob(IDEALAdv,F,S(k,z) 0)
Prob(HYBRIDG,Adv, ?(k,z) 0) For all k and z. If
? is a protocol in the G-Hybrid model, and ? is a
protocol realizing G, we let ?? be the protocol
obtained by replacing all calls to G by calls to
?. Composition Theorem If ? ?-securely realizes
F in the G-hybrid model and ? securely realizes G
(in the real model), then ?? ?-securely realizes
F in the real model. Intuition to implement F,
enough to first show how to do it, assuming we
are (magically) given access to G. Then show how
to implement G, then a (real) implementation for
F automatically follows. Result holds also when
several instances of the subprotocol are used
concurrently.
34

Definition of Fcom functionality.
Notation for commitments si
means Pi has successfully committed to s, and
Fcom has stored s in its internal memory.
Commit command
Goal create si
Executed if all honest players send a commit i
command and Pi sends a value s. If Pi is corrupt,
he may send refuse instead.
If Pi refused, send fail to all players,
otherwise store s in a new variable and send
success to everyone.
Open command
Goal open si
Executed if all honest players send a open
command referring to si. If Pi is corrupt, he
may send refuse instead.
If Pi refused, send fail to all players,
otherwise send s to everyone.
Can also be called as private open, j where s
is sent to only Pj.

We need Fcom to offer more functionality, it
needs to implement Homomorphic Commitments, i.e.
the following two commands
CommitAdd command
Goal from ai and bi
create new commitment ai bi abi
Executed if all honest players send a
CommitAdd command referring to ai and bi.
Fcom will compute ab and store it in a new
variable, as if committed to by Pi (in
particular, Pi can open this new commitment, as
if he had committed to ab in the normal way.)
ConstantMult command
Goal from ai and public
u, create new commitment u ? si uai
Executed if all honest players send a
ConstantMult u command referring to ai.
Fcom will compute ua and store it in a new
variable, as if committed to by Pi

Advanced commands
From the basic Commit, Open, CommitAdd and
ConstantMult commands, anything else we need can
be built, but for simplicity, we define some
extra commands..
CTP command (CTP Commitment Transfer Protocol)
Goal from si , produce sj for i?j
Executed if all honest players send a CTP
command referring to si, i and j. If Pi is
corrupt, he may send refuse instead.
If Pi refused, send fail to all players,
otherwise store s in a new variable as if
committed by Pj, send success to everyone and
send s to Pj.

CMP command (CMP Commitment Multiplication
Protocol)
Goal Given ai bi ci Pi can convince
all players that cab (if true)
executed if all honest players send a CMP
command referring to ai bi ci . If Pi is
corrupt, he may send refuse.
if Pi refused or if c?ab, send fail to all
players. Otherwise, send success to everyone.
CSP command (CSP Commitment Sharing Protocol)
Goal Given ai , create a11, a22,,ann
where f(i)ai and f is a polynomial of degree at
most t.
executed if all honest players send a CSP
command referring to ai . Pi should send a
polynomial f() of degree at most t. If Pi is
corrupt, he may send refuse.
if Pi refused, send fail to all players.
Otherwise, for i1..n, compute ai f(i) store it
in a variable as if committed by Pi and send
success to everyone.

38
Implementation of CSP from basic Fcom
commands. Pi chooses random polynomial fa(x) a
c1 x c2 x2 ct xt and make
commitments c1i, c2i,, cti. We define
aj fa(j). By calling the CommitAdd and
ConstantMult commands, we can create
commitments aji ai j?c1i j2?
c2i jt?cti. Finally, we use CTP to
create ajj from aji. During creation and
manipulation of the commitments, Pi can refuse if
he is corrupt (and hes the only one who can do
so). This counts as Pi refusing the entire CSP
operation. We return to implementation of other
commands later.
39

Protocol for Active Adversary
Adv is adaptive, unbounded and corrupts up to t
players, tlt n/3.
We assume Fcom is available, with the Commit,
Open, CommitAdd, ConstantMult, CTP, CMP and CSP
commands.
We will assume that a broadcast channel is
available (not trivial when Adv is active). Can
be implemented via a subprotocol if tlt n/3.
Broadcast not used directly in high-level
protocol, but is needed for the implementation of
Fcom.
Same phases as in passively secure protocol, but
now we want to maintain that all players are
committed to their shares of all values.
For simplicity, assume first that no one behaves
such that Fcom will return fail.
Input Sharing Phase
Pi commits to his input value a creates ai,
then we call the CSP command.
So we have..

Result of Input Sharing Phase
Each input value a has been shared by some
player Pi using a polynomial fa(), where fa() is
of degree t.
If Pi is honest, fa() is random of degree t.
Each player Pi is committed to his share in a.
Notation
a ?fa()? a11, a22,, ann

41
Computation Phase Addition Gates Input a ?fa()?
a11, a22,, ann and b ?fb()? b11,
b22,, bnn Desired Output c ab ?fc()?
c11, c22,, cnn Each player Pi sets ci
aibi and all players compute cii aii
bii . Produces desired result with fc() fa()
fb(). Multiplication Gates Input a ?fa()?
a11, a22,, ann and b ?fb()? b11,
b22,, bnn Desired Output c ab ?fc()?
c11, c22,, cnn Each player Pi sets di
ai bi, makes commitment dii and uses CMP on
commitments aii, bii , dii to show that di
is correct If we set h() fa() fb(), then di
fa(i) fb(i) h(i). Also h(0) ab c So we can
use essentially same method as in passive case to
get to a sharing of c using a random polynomial
of degree t.
42
Multiplication Gates, cont Public reconstruction
vector is still (r1,,rn) Using same method as in
input sharing phase, each player Pi creates di
?hi()? ci11, ci22,,cinn. So we have
d1 ?h1()? c111
c122 c1nn d2 ?h2()?
c211 c222
c2nn dn ?hn()? cn11 cn22
cnnn
Committed by P1 P2
Pn
r1? r1? r1?

r2? r2? r2?

rn? rn? rn?

c11 c22
cnn
c is now shared using polynomial fc(), where fc()
? ri hi()
c ?fc()?
43
Output Opening Phase Having made our way through
the circuit, we have for each output value y y
?fy()? y11,, ynn If y is to be received by
player Pi, private open i is invoked for each
commitment, such only Pi learns the
shares. Opening may fail for some commitments,
but the rest are guaranteed to be correct, so Pi
can recontruct y in the normal way. Note this
would work, assuming only that tlt n/2. In fact
the entire high-level protocol works for tlt
n/2. It is only the implementation of Fcom that
needs tlt n/3. ? High-level protocol can be used
to get MPC for tlt n/2 in the cryptographic model,
if we can build a computationally secure
implementation of Fcom in that scenario.
44

How to handle Failures
If a player Pi sends refuse in some command,
causing Fcom to return fail
In input sharing phase ignore or use default
value of input
In computation phase can always go back to
start, open Pis inputs and recompute, simulating
Pi openly.
Also more efficient
solution since tlt n/3 at least n-t gt 2t players
do multiplication step correctly. So can still do
multiplication step using reconstruction vector
tailored to the set that behaves well.
In output opening phase the receiver of an
output just ignores incorrectly opened
commitments there is enough info to
reconstruct, since n-t gt t.

45
Proving Security of High-Level Protocol. Very
similar to proof for passive case, since same
pattern, except for the commitments. More
concretely Sketch of Algorithm for S Input
sharing phase When Adv secret shares his input,
this happens in the protocol by sending the input
and a polynomial for sharing it to Fcom. However,
S emulates also interaction between Adv and Fcom,
so S receives this and can send input value to
FMPC. If Adv sends incorrect stuff, S just
returns fail, like the real Fcom would do, and
sends default value to FMPC. To simulate an
honest player sharing his inputs, S chooses a
random value for each corrupt player and shows
them to Adv, this emulates what corrupt players
would receive from Fcom. The other phases are
modified in a similar way from the simulator for
the passive case. Leads to perfect simulation.
46

Implementing Fcom commands
Commit, Open
CommitAdd, ConstantMult
CPT protocol, CMP protocol
Idea for commitments implement using secret
sharing. To commit to s, a dealer D just creates
s?f()? s1,,sn
To open, D broadcasts f(), each player Pi says if
his share really was f(i). Opening accepted, if
at least n-t players agree.
The good news CommitAdd can be implemented by
just locally adding shares, ConstantMult by
multiplying all shares by constant. Furthermore,
if D remains honest, Adv learns no information at
commitment time.
The bad news who says D distributes correctly
computed shares? If not, s not uniquely
determined, D may open different values later.

Some Wishful Thinking..
Suppose for a moment we could magically force D
to distribute shares consistent with a polynomial
f() of degree t lt n/3.
Then it works!
Easy to see that things are fine if D remains
honest
If D corrupt, want to show that D must open to
value s or be rejected. Assume
D opens some s, by broadcasting polynomial f().
If this is accepted,
at least n-tgt 2t players agree
? at least t1 honest players
agree
? f() agrees with f() in t1
points
? f()f() ? ss.
Therefore sufficient to force D to be consistent

How to force consistency
Main tool
f(X,Y) ? cij XiYj
a bivariate polynomial of degree at most t in
both variables. Will assume f() is symmetric,
i.e. cij cji
Define, for 0lt i,j n
f0(X) f(X,0), and set s f0(0), si
f0(i)
fi(X) f(X,i), fi(j) sij
How to think of this
s is the real secret to be committed, using
polynomial f0(). Hence f0(i) si will be player
Pis share in s. The rest of the machinery is
just for checking.
Observations, by symmetry
si f0(i) f(i,0) f(0,i) fi(0)
sij fi(j) f(j,i) f(i,j) fj(i)
sji

Commit Protocol
Dealer D chooses random bivariate polynomial f()
as above, such that f(0,0) s, the value he wants
to commit to. Sends privately fi() to player Pi.
Pi sends sij fi(j) to Pj, who compares to sji
fj(i) broadcast complaint if conflict.
D must broadcast correct value of all sijs
complained about
If some Pi finds disagreement between broadcasted
values and what he received privately from D, he
broadcasts accuse D
In response to accusation from Pi, D must
broadcast what he sent to Pi fi(). This may
cause further players to find disagreement as in
Step 4, they then also accuse D.
If D has been accused by more than t players,
commit protocol fails.
Otherwise, the commitment is accepted. Accusing
players from step 4 use the fi() broadcast as
their polynomial. Accusing players from step 5
use the polynomial sent in step 1. Each player Pi
stores fi(0) as his share of the commitment.

Commitments, more concretely
In our implementation, a commitment
ai is a set of shares a1 a2 ...
an
held by P1 P2
Pn
where Pi knows the polynomial fa() that was used
to create the shares and where fa(0) a.
Checking using bivariate polynomial forces Pi to
create shares correctly
Opening means Pi broadcasts fa(), each Pj checks
if fa(j) aj, complains if not, opening accepted
iff at most t complaints.
ai bi means each Pj has aj and bj, now
computes cj aj bj. Pi computes
fc() fa() fb(). We now have new commitment
abi, defined by shares c1,,cn, and polynomial
fc().
u? ai means each Pj has aj, now computes dj
u aj. Pi computes fd() u fa(). We now
have new commitment uai, defined by shares
d1,,dn and polynomial fd().

Implementing CTP (Commitment Transfer) Command
Purpose from ai, produce aj
Given ai, Pi sends privately to Pj the
polynomial fa() defining the commitment. If Pj
does not get something of correct form, he
brodcasts a complaint and we go to the complain
step below
Pj creates aj where a is the value he
learned in the first step. Note that assuming Pj
received correct info from Pi, he is now in state
equivalent to having created ai himself. So we
can use CommitAdd, ConstantMult to create
ai(-1)aj which we open. The result should
be 0. If yes, continue with aj, accept and
stop.
Complaint step If we reach this one, clear that
at least one of Pi, Pj is corrupt. Hence OK to
ask Pi to open ai. If this succeeds, continue
with default commitment by Pj to a. Else the CPT
fails.

52
Reminder Given commitment by Pi to a value a
ai, the Commitment Share Protocol (CSP) works
as follows Pi chooses random polynomial fa(x)
a c1 x c2 x2 ct xt and make
commitments c1i, c2i,, cti. The jth
share of a is aj fa(j). Players can now
immediately compute commitments to the
shares aji ai j?c1i j2? c2i
jt?cti. Finally, we use CTP to create
ajj from aji. This trivially generalizes to
polynomials of any degree.
53
Implementing CMP (Commitment Multiplication)
Command Given ai , bi , ci , Pi wants to
convince us that c ab. Pi uses CSP command to
create a ?fa()? a11, a22,, ann b
?fb()? b11, b22,, bnn c ?fc()? c11,
c22,, cnn Where fc() fa() fb() Even if Pi
corrupt, this guarantees that all committed
shares are consistent with polynomials of degree
at most t, t, and 2t, and that fa(0)a, fb(0)b,
fc(0)c. Hence sufficient to verify that indeed
fc() fa() fb() Each Pi checks that ci ai bi.
If not he complains and proves his case by
opening the commitments. Honest players will do
this correctly, so we know that fc() agrees with
fa() fb() in at least n-t gt 2t points ? fc()
fa() fb().
54
Proving Fcom implementation is secure Basic
Ideas When corrupt player commits, simulator can
reconstruct value committed to from the messages
sent, because consistency is enforced. So you
know what to send to Fcom. When honest player
commits to value s, s is not known to simulator.
So we show the adversary random values in place
of the shares in s that the honest player would
send. At opening time, simulator gets s from
Fcom, then complete set of shares to a complete
set of shares in s, and claim this was what the
honest players held. Leads to perfect
simulation. Note on the Fcom implementation it
is based on Shamirs threshold secret sharing
scheme. But it is has been designed such that any
linear secret sharing scheme can be plugged in
instead (more on this later). Using special
properties of Shamirs scheme, some parts can be
done more efficiently. For instance, Commit
protocol based on Shamir is already itself a CSP,
fi()-polynomials can be used as commitments to
shares in s details in notes.
55

Another Improvement of Fcom (works only for
Shamir case)
Alternative Open protocol
Commitment si has been established using
s?f()? s1,,sn
Each player Pj sends sj to every other player
From received shares, each player reconstructs s
using algorithm given below.
Does not require use of broadcast, which is often
very expensive
This works, if we can construct algorithm with
the following property
Given a set of values s1,s2,.,sn where si
f(i) for a polynomial of degree at most tlt n/3,
except for at most t values, compute f().
We already proved that since tlt n/3, only one
polynomial can be consistent with enough values,
so can find f() by exhaustive search. Can we do
it efficiently?

56
Algorithm Construct a bivariate polynomial
Q(X,Y), such that for i1n Q(i, si) 0 Q(X,Y)
f0(X) f1(X)Y Where deg(f0) at most 2t and
deg(f1) at most t. Conditions on Q() define
linear system of equations with coefficients of
f0, f1 as unknowns, so easy to find Q() if it
exists. Hence enough to show that 1. a Q() of
correct form always exists. 2. desired f() easy
to find from f0, f1. As for 1, let A be the set
of positions where the si do not agree with f().
If we set k(X) ?i ?A (X-i) then
Q(X,Y) k(X) f(X) k(X) Y does the
trick. For 2. define Q(X) Q(X,f(X)). Turns
out that Q(i)0 for all i not in A, so Q(X)
f0(X) f1(X)f(X) 0 ? f(X)
f0(X)/f1(X)
57
Why are the bounds ngt 2t, ngt 3t optimal? In the
passive case, it is impossible already for 2
players to compute for instance the AND function
with unconditional security against both
players Inputs from A bit a from B bit
b Results A and B learn a AND b Suppose a0,
then A is to learn nothing. Nevertheless using
infinite computing power, A can determine if the
conversation she just had with B, could have
resulted from both a0 and a1, i.e., is my bit
uniquely determined from conversation?. If not, B
also learned nothing, and so must have b0, else
has b1. Note Multiparty case reduces to
2-party case. In active case, it is impossible to
do broadcast already for 3 players when 1 can be
corrupt Assume players A,B,C, A wants to
broadcast bit b. A may send b to B and C, but
e.g. B does not know if C received same bit as
him. Only possibility is to ask B. If
inconsistency, clear that A or C is corrupt, but
no way to tell which one!
58
How to go from threshold to general
adversaries. Use same ideas, but more general
form of secret sharing Shamirs scheme can be
written as fixed matrix
secretrandomness shares 1 11 12
1t a a1
1 21 22 2t ? r1
a2 ..
..
rt
.. 1 n1 n2 nt
an Each player owns a row of
the matrix and is assigned the share
corresponding to his row. Can be generalized to
other matrices than Van der Monde, and to more
than one row pr. player.
59
Linear Secret Sharing Schemes (LSSS).
s
Rows of P1
Share of P1
Share of P2
Rows of P2

M?
Randomness

Rows of Pn
Share of Pn
Subset A can reconstruct s if their rows span (1,
0, 0,,0), otherwise they have no
information. LSSS is most powerful general SS
method known, can handle any adversary structure
but cannot be efficient on any structure
(counting argument). Shamir, Benaloh-Leichter,
Van Dijk, Brickell are special cases.
60
Reminder Adversary Structure G family of subsets
of P P1,,Pn List of subsets the adversary
can corrupt. Threshold-t structure contains all
subsets of size at most t. G is Q3 for any
A1,A2,A3 ? G, A1?A2 ?A3 is smaller than P G is
Q2 for any A1,A2 ? G, A1?A2 is smaller than
P To make our protocol work for general Q2/Q3
adversaries, basically we plug in an LSSS M for G
instead of Shamirs scheme. Does this work? Let
va be the vector chosen in order to secret share
value a. Then complete set of shares is the
vector M va. We can securely add shared secrets,
local addition of shares of a and b means we
compute M va M vb M(va vb) - produces
shares of the sum ab, since vector vavb has ab
in first coordinate.
61
Multiplication? For vectors u (u1,,ud), v
(v1,.,vd) let u?v (u1v1,,udvd) and u?v
(u1v1, u1v2,,u1vn, u2v1,......, udvd) Now,
given shares of a,and b, M va and M vb , we can
compute by local multiplication M va ? M vb.
where each player knows a subset of the entries.
We have M va ? M vb (M ? M)(va ? vb) where M ?
M is the matrix containing as rows all ?-products
of rows in M with themselves. Note va ? vb
contains ab in the first coordinate. Thus we
have produced a sharing of ab in a LSSS defined
by M ? M. Definition M is multiplicative if the
set of all players is qualified in the LSSS
defined by M ? M. If M is multiplicative, we can
use the same idea as for polynomial secret
sharing to convert the sharing using M ? M to a
sharing using M.
62
A matrix M defining a LSSS is NOT always
multiplicative. However TheoremCDM 00 from
any LSSS M for a Q2 adversary structure, can
always construct multiplicative M of size at
most twice that of M. This implies from any
LSSS M for Q2 adversary structure G, can build
general MPC protocols with perfect security
against passive, adaptive G-adversaries . Can
get protocol for active adversaries and Q3
adversary structure also, by generalizing from
the threshold protocol we have seen Must
implement commitments - same idea as before,
secret share committed value using M. Since
adversary structure is Q3, committed value still
determined if sharing is consistent. To verify
consistency, use bivariate polynomial technique,
generalized to LSSSs, same commit protocol
applies. For details, see CDM 00, full version
on my web page.
63
MPC from LSSS, contd Everything else in the
Fcom implementation is generic and generalizes
immediately to any LSSS, except the CMP
protocol. Generalizing CMP requires an extra
property the given LSSS must be strongly
multiplicative. Definition M is strongly
multiplicative if the set of honest players is
qualified in the LSSS defined by M ? M. Not
known whether from LSSS M for Q3 adversary
structure, we can build strongly multiplicative
M not much larger than M the major open
problem in this area! Fortunately, there is a
solution that works for ANY homomorphic
commitment scheme, and is only inferior in that
it has an exponentially small error probability
64

Generic Implementation of CMP (Commitment
Multiplication) Command
Given ai , bi , ci , Pi wants to convince
us that c ab.
The following convinces a single player Pj that
the statement is true, it can be repeated (in
parallel) so every other player gets to play the
role of Pj
1. Pi chooses ? at random and makes commitments
?i, ?bi
2. Pj chooses a random challenge r (in the field
GF(p)), sends to Pi
3. Pi opens the commitment rai ?i to reveal
a value r1. Also opens commitment r1 bi ?
bi r ci, result must be 0.
4. If any of the openings fail, Pj rejects,
otherwise he accepts.
If Pi remains honest so that abc, Pj will
always accept. Moreover, all values opened are
random or fixed to 0, so no extra information to
Adv. Easy to construct simulator, techniques as
seen before.
If Pi is corrupt, then after step 1, if Pi can
answer convincingly 2 different values of r, then
abc - so error probability is 1/p.
Remark, simulation in UC model, vs. simulation
for computational ZK protocols in the UC model,
simulator is NOT allowed to rewind the adversary
(necessary for concurrent composition theorem).

65
Beyond LSSS? The above construction yields an
MPC protocol of complexity polynomial in size of
the given LSSS. Can we build MPC from ANY
secret sharing scheme,?
probably not! CDD 00 Theorem there exists
no efficient black-box reduction building MPC
from any secret sharing scheme.
66
Protocols for the Cryptographic scenario Can be
based on ideas from info. theory scenario,
several possibilities First Idea One can think
of the I.T. scenario as the cryptographic
scenario, augmented by an ideal functionality
Ftransmit that securely transmits messages from
player to player. Then, implement Ftransmit in
the cryptographic model (using public-key
encryption, for instance). Now, general MPC for
cryptographic scenario follows from the
composition theorem. Using standard CCA secure
public key encryption, this works as long as the
adversary is static. For adaptive adversary,
technical problems with simulation when honest
players Pi, Pj communicate, S must create
ciphertext c to show Adv without knowing the
plaintext m. If Pi is corrupted later, S is given
m, but must explain c as an encryption of m. Most
likely impossible! Can be solved using stronger
type of encryption known as non-committing
encryption the simulator can create special
fake ciphertexts that can later be explained as
encryptions of anything.
67
Implementation CCA-secure encryption and non
committing encryption exist if one-way trapdoor
permutations exist. Hence, the theorems stated
for the IT scenario essentially imply the ones
for the crypto scenario. CCA security can be
implemented quite efficiently based on standard
techniques, non-committing encryption is much
less efficient, even using best known techniques.
68
Second Idea Gain efficiency by implementing not
just message transmission, but also Fcom using
cryptographic tools. Quite efficient
implementations known for static adversaries,
e.g. based on the discrete log problem. Let p 2q
1 where p,q are primes. Take g, h, y ?Zp of
order q. Then to commit to element a? Zq , choose
r at random, commitment is (gr mod p, yahr mod
p) i.e. an El Gamal encryption of a. Clearly
homomorphic mod q. Known techniques suffice for
implementing CTP, CMP, etc. In particular, can
use ZK protocols to implement efficiently, e.g.,
earlier protocol for CMP. Using same approach
for adaptive adversaries is not so interesting,
since we would need non-committing encryption for
message transmission, so we would loose
efficiency again.
69
Protocol for proving knowledge of discrete
logarithm - Example of efficient ZK proof for use
in this context Given h gw, in group or prime
order q. P claims he knows w. P sends a gr to
V V sends a random e 0 or 1. P responds with z
r ew mod q V checks that gz a hz Also works if
e is random mod q now error probability is 1/q,
for the same price!
70
Third Idea In stead of starting from a protocol
for the i.t. scenario, use a different paradigm,
tailored for the crypto scenario. Maybe gain
efficiency this way.. Basic primitive needed
Homomorphic threshold public-key encryption
CDN02. A common public key pk for everyone,
secret key secret-shared among the players ? Adv
cannot decrypt, honest players can. Player Pi
supplies input xi by just publishing an
encryption Epk(xi). Homomorphic property the
set of plaintexts is assumed to be a ring, and
there is a multiplication operation on
ciphertexts. The requirement is that we have for
any plaintexts a,b Epk(a)Epk(b) Epk(ab) Can
also multiply constant into encryption.
Example Paillier encryption. Gives the most
efficient known protocols. Plaintext space is Zn
for RSA modulus n, ciphertexts are numbers modulo
n2
71

MPC from homomorphic encryption
Players publish encryptions of their inputs
We walk through an arithmetic circuit, as before,
adding and multiplying values while they are
encrypted
This produces encryptions of the outputs, which
we can decrypt because we share the private key.
Secure addition is immediate by homomorphic
property just multiply the two encryptions.
Multiplication from Epk(a), Epk(b), how to
produce securely Epk(ab)?
Each Pi chooses ri at random, publishes Epk(ri)
Multiply Epk(a), by all Epk(ri), decrypt result.
Leads to aR, where R r1rn
From (aR), Epk(b) we can all produce
Epk((aR)b).
From ri, Epk(b), each Pi can produce Epk(-rib),
we multiply all these to get Epk(-Rb).
Finally, from Epk((aR)b) and Epk(-Rb), produce
Epk(ab).

72
Efficiency All information theoretic protocols we
saw were polynomial time in C, size of
circuit

size of secret sharing scheme (in threshold case
poly in n, number of players).

k size of field
Protocol based on homomorphic encryption needs
to communicate O(nCk) bits. Additions are
for free, so we get really practical solutions
for electronic voting, for instance. Also
practical in case circuit is not too large, say a
few comparisons of integers (auctions, contract
bidding). Recent work DN03 even adaptive
security with constant factor loss of efficiency.
73
Where to read more. Defintions/model for
asynchronous communication
Ran Canetti, paper on the UC model, Eprint
archive on www.iacr.org More on UC model for
synchronous communication, complete proof of
composition theorem, and details on MPC from
homomorphic encryption Jesper Nielsens PhD
thesis, final version available soon on
www.brics.dk Theory of linear secret sharing,
details on MPC from LSSS Cramer, Damgård
and Maurer General Multiparty Computation from
any Linear Secret Sharing Scheme, full version on
www.daimi.au.dk/ivan The one result we did not
cover here Protocols showing how to do tlt
n/2 for active Adv in IT model, assuming
broadcast, and with small error probability

Rabin and Ben-Or Verifiable
secret sharing and multiparty computation with
honest majority, STOC 89. Also later more
efficient version by Cramer, Damgård,
Dziembowski, Hirt and Rabin Efficient MPC with
dishonest minority. Impossibility of MPC from any
secret sharing scheme Cramer, Damgård,
Dziembowski

On the complexity of verifiable secret sharing
and MPC, STOC00 and www.daimi.au.dk/ivan

Write a Comment

User Comments (0)