Title: Secure Multi-Party Computation
1Secure Multi-Party Computation
- Oded Goldreich
- Presented by Chun Liu
- Nov 2001
2Motivation
- Multiparty secure computation allows N parties to
share a computation, each learning only what can
be inferred from their own inputs and the output
of the computation. For example, the parties can
compute summary statistics on their shared
transaction logs, including cross-checking of the
logs against counterparties to a transaction,
without revealing those logs.
3An Example Dining Cryptographer Problem
- Three cryptographers are sitting down to dinner
at their favorite three-star restaurant. Their
waiter informs them that arrangements have been
made with the Nittany Lion Inn for the bill to be
paid anonymously. - One of the cryptographers might be paying for the
dinner, or it might have been NSA (U.S. National
Security Agency). The three cryptographers
respect each other's right to make an anonymous
payment, but they wonder if NSA is paying.
4Casting Cryptographic Problem
- Specifying a random process which maps m inputs
to m outputs.The inputs to the process are to be
thought of as local inputs of m parties, and the
m outputs are their corresponding local outputs. - Dining cryptographer problem is the simplified
version, where the m outputs are identical.
5In Plain English
- The problem of secure multi-party function
computation is as follows n players, P1,P2,Pn,
wish to evaluate a function , F(x1,x2,xn), where
xi is a secret value provided by Pi. The goal is
to preserve the privacy of the player's inputs
and guarantee the correctness of the computation.
6Trusted Third Party Presents
- This problem is trivial if we add a trusted third
party T to the computation. Simply, T collects
all the inputs from the players, computes the
function F, and announces the result. (This is
the way we usually have elections, where the
voters are the players and the trusted third
party is the government). In general, we define
secure multiparty computation as any protocol in
an ideal scenario with a trusted party, and
define a real life protocol as secure if it is
equivalent'' to a computation in the ideal
scenario.
7No Trusted Third Party
- We show that whatever can be computed in this
ideal scenario can be computed in a secure manner
when no such trusted party exists. - Two types of faulty behaviour by the players.
- we assume that players always follow the
protocol but may collaborate and try to learn
additional information (private computation) - the general case where faulty players can
collaborate in any way to gather information and
disrupt the computation (secure computation).
8General Two-Party Computation
- Content
- Semi-honest adversary.
- Secure protocol with respect to Semi-honest
Behavior. - Force parties to behave in a semi-honest manner.
9Definition
- Functionality a random process which maps pairs
of inputs (one per each party) to pairs of
outputs (one per each party). - f 0,1x0,1? 0,1x0,1
- For every input (x,y), the desired output-pair is
a random variable f(x,y). The first party holding
input x, wishes to obtain the first element of
f(x,y), while the second party wishes to obtain
the second one.
10Generic case
- The first party hold a1, b1, and the second party
holds a2, b2, where a1a2 is the value of one
input wire and b1 b2 is the value of the other
input wire. What we want to provide each party
with a random share of the value of the output
wire that is a share of the value (a1a2)(b1
b2). That is((a1b1), (a2 b2)) ?(c1,
c2) Eq.1where c1c2 (a1a2)(b1 b2) Eq.2
11The Semi-Honest Model
- Semi-honest party
- Follows the protocol properly
- Keeps a record of all its intermediate
computations. - Let f 0,1x0,1? 0,1x0,1, where
f1(x,y) (resp. f2(x,y)) denotes the first element
of f(x,y) and ? be a two party protocol for
computing f.
12Privacy w.r.t Semi-Honest
- During a execution of ? on (x,y)
- The view of the first party denoted by VIEW
1?(x,y), is (x,r,m1,,mt) - r, the outcome of the first partys internal coin
tosses. - mi, the ith message received.
- The output of the first party denoted byOUTPUT
1?(x,y).
13Privacy w.r.t Semi-Honest
- For a deterministic functionality f, ? privately
computes f if there exist polynomial-time
algorithms S1 and S2, such that - S1(x,f1(x,y))x,y?0,1?c VIEW 1?(x,y)
x,y?0,1 - S2(x,f1(x,y))x,y?0,1?c VIEW 2?(x,y)
x,y?0,1 - ?c Computational indistinguishable
14Privacy w.r.t Semi-Honest
- For a general case, ? privately computes f if
there exist polynomial-time algorithms S1 and S2,
such that - S1(x,f1(x,y)), f2(x,y)x,y ?c VIEW 1?(x,y),
OUTPUT 2?(x,y) x,y - f1(x,y), S2(x,f1(x,y))x,y?c OUTPUT 1?(x,y),
VIEW 2?(x,y) x,y
15Secure Protocol for Semi-Honest
- Oblivious Transfer. Let k be a fixed integer, and
let b1,b2,bk ?0,1 and i ? 1,k, then OT1K is
defined as - OT1K((b1,b2,bk),i) (?,bi)
- The first player, holding input (b1,b2,bk) is
called the sender and the second player holding
the input i ? 1,k, is called receiver.
16Secure Protocol for Semi-Honest
- Step S1 The sender uniformly select a trapdoor
pair, (a,t) by running the generation algorithm,
G, on input 1n. That is, it uniformly selects a
random-pad r, for G and sets (a,t) G(1n, r). It
sends a to the receiver. - Step R1 The receiver uniformly and independently
selects e1,e2,ek ?Da, sets yi fa(ei) and yj
ej, for every j?i, and sends (y1,y2,yk) to the
sender
17Secure Protocol for Semi-Honest
- Step S2 Upon receiving (y1,y2,yk), using the
inverting-with-trapdoor algorithm and the
trapdoor t, the sender computes xjfa-1(yj), for
every j ?1,,k). It sends (b1?b(x1),
b2?b(x2),, bk?b(xk)) to the receiver. - Step R2 Upon receiving (c1,c2,ck), the receiver
locally outputs ci ?b(ei)
18Circuit Evaluation Protocol
- Inputs Party i holds the bit string xi1,xin,
for i1,2 - Step 1 Share the inputs Each party splits and
shares each of its input bits with the other
party, that is for every i1,2, and j1,,n,
party I uniformly selects a bit rij and send it
to the other party as the other partys share of
input wire (i-1)nj, Party i sets its own share
of the (i-1)njth input wire to xij rij .
19Circuit Evaluation Protocol
- Step 2 Circuit Emulation Proceeding by the
order of wires, the parties use their shares of
the two input wires to a gate in order to
privately compute shares for the output wire of
the gate. Suppose that the parties hold shares to
the two input wires of a gate that is Party 1
holds the share a1, b1 and Party 2 holds the
share a2, b2, - Emulation of an addition gate Party 1 just sets
its share of the output wire of the gate to be
a1b1, so does Party 2.
20Circuit Evaluation Protocol
- Emulation of an multiplication gate Shares of
the output wire of the gate are obtained by
invoking the oracle for the functionality of Eq.
1-2, where Party 1 supplies the input (query
part) (a1, b1) and Party 2 supplies (a2, b2). - Step 3 Recovering the output bits Once the
shares of the circuit-output wires are computed,
each party sends its share of each such wire to
the party with which the wire is associated. Each
party recovers the output bits by adding-up the
two shares.
21Forcing Semi-Honest Behavior
- Possible Actions and Counter-Measures
- Sub-protocols
- Input commitment
- Coin-generation
- Protocol Emulation
- The Compiler itself.
22Forcing Semi-Honest Behavior
- What a malicious party can do?
Actions Counter-Measure
Substitute its input Commitment schemesw/ Strong 0-knownledge proofs
Not using uniformly distributed random-pad Coin-generation phase
Send different messages other than the specified Protocol emulation(Authenticated computation)
23BKGD Commitment Scheme
- Uniform family of probabilistic polynomial-size
circuits Cn, satisfying - Perfect Unambiguity For every n, the supports of
Cn(0) and Cn(1) are disjoint - Computational Secrecy The probability ensembles
Cn(0)n?N and Cn(1)n?N are computationally
indistinguishable. - Can be constructed given any 1-1 one-way
function. - Denote by Cn(b,r) the output of Cn on input bit b
using the random sequence r.
24BKGD Strong proofs of knowledge
- R binary relation Vefficient strategy
- V is a strong knowledge verifier for R iff
- Exists an interactive machine P so that for every
(x,y) ?R, all possible interactions of V with P
on common-input x and auxiliary-input y are
accepting. - Exists a negligible ? ??0,1 and a
probabilistic polynomial-time oracle machine K
such that for every strategy P and every x,y,r ?
0,1, machine K satisfies the following
condition - If p(x) gt u(x) then Pr(x, KPx,y,r(x)) ?Rgt1-
u(x)
25Sub-protocol Input Commitment
- Goal have Party 1 commit its input using
commitment scheme Cnn?N - Inputs party 1 gets input (?,r) ? 0,1?0,1n,
and party 2 gets input 1n. - Step C1 P1 sends cCn(?,r) to P2.
- Step C2 zero-knowledge strong-proof-of-knowledge.
P1 prover and P2 verifier. Common input is c,
prover gets auxiliary input (?,r) with objective
to prove that it knows (x,y) such that cCn(x,y). - Output P2 sets its local output to c.
26Sub-protocol coin-tossing (aug.d)
- Goal providing Party 2 with a commitment to the
coin-outcome obtained by Party 1, rather than
providing it with coin outcome itself. - Inputs both parties get security parameter 1n.
- Step C1.1 P1 uniformly selects
(?j,sj)?0,1?0,1n, sends cjCn(?j,sj) to P2. - Step C1.2 The parties invoke a zero-knowledge
strong-proof-of-knowledge so that P1 plays the
prover and P2 plays the verifier. The common
input to the proof system is cj, the prover gets
auxiliary input (?j,sj) and its objectives is to
prove that it know (x,y) such that cjCn(x,y).
27Sub-protocol coin-tossing (aug.d)
- Step C1.3 P2 uniformly selects ?j ?0,1, and
send ?j to P1 - Step C1.4 P1 set bj ?j ? ?j
- Step C2 P1 sets bb0 and rb1b2bn, and sends
cCn(b,r) to P2. - Step C3. The parties invoke a zero-knowledge
proof system (P1 prover, P2verifier). Common
input (c0,c1,,cn, ?1 ,?2,, ?n,c), the prover
gets auxiliary input (?1 ,?2,, ?n,s0,s1,,sn)
w/ objective to prove there exists (x0,x1,,xn,
y0,y1,,yn) such that(?j cj Cn(xj,yj))
?(cCn(x0??1 , x1??2,, xn??n) - Step C4 P1 sets output to (b,r), P2 sets outputs
c.
28Sub-protocol Authenticated Computation
- Goal given f 0,1 ?0,1?0,1 and h
0,1 ?0,1, force P1 send f(?,?) to P2, where
? is known to both, ? is known to P1, h(?) is
known to P2. - Implementation having P1 send f(?,?) and then
prove in zero-knowledge the correctness of the
value sent (w.r.t the common input (h(?),?).
29Authenticated Computation
- Step C1 P1 sends v f(?,?) to P2.
- Step C2 Invoke zero-knowledge proof system. P1
plays prover, P2 verifier. Common input
(v,h(?),?), prover get auxiliary input ? w/
objective to prove?x, s.t. (h(?)h(x))?(v
f(?,?)) - Step C3 P2 sets local output to v.
30The compiler itself
- Goal Give a protocol, ?, for the semi-honest
model, the compiler produces a protocol, ?, for
the malicious model. - Input P1 gets input xx1x2xn?0,1n and P2 gets
input yy1y2yn?0,1n - Three phases
- Input-commitment phase
- Coin-generation phase
- Protocol emulation phase
31Input-commitment phase
- Each of the parties commits to each of its input
bits using the input-commitment functionality. - P1 uniformly select p1i ?0,1n, playing P1 with
input (xi, pi1), P2 playing P2 w/input 1n. P2 get
output Cn(xi, pi1). Vice Versa. - Each party now holds a string which uniquely
determine the n-bit long input of the other
party, and holds an NP-witness for the value of
input committed to by the sequence held by the
other party.
32Coin-generation phase
- The parties generate random-pad for the emulation
of ?. Invoking the (augmented) coin-tossing
functionality. - P1 playing P1 w/ input 1n, P2 playing P2 w/ input
1n. P1 gets a pair (ri1, wi1) and P2 gets Cn
(ri1, wi1). P1 set the ith bit of the random-pad
to be ri1, and record the NP-witness. P2 records
Cn (ri1, wi1). Vice versa. - Each party obtains the bits of the random-pad to
be held by it, whereas the other party obtains
commitment to these bits. The party holding the
bit also obtains the randomization used in these
commitments, to be used as an NP-witness to the
correctness of committed value.
33Protocol Emulation Phase
- Use the authenticated-computation.
- Sender playing the role P1, and receiver playing
the role P2. - a (z,rj), where rj r1jr2jrjc(n)
- r (p1j, p2jpnj, w1j, w2jwjc(n))
- h(a,r) (Cn (z1,p1j),Cn (z2,p2j)Cn (zn,pnj),
Cn (r1j,w1j),Cn (r2j,w2j)Cn (rjc(n),wjc(n))) - ? all previous message sent by the other party.
- f the computation which determines the message
to be sent in ?. - Each party holds the corresponding output of the
party in protocol ?.
34General Multi-Party Computation
- m-ary Functionality a random process f which
maps sequences of inputs (one per each party) to
sequences of outputs (one per each party). Let m
denote number of parties. - f 0,1m? 0,1m
- For every i, the ith party initially holds an
input xi, and wishes to obtain the ith element in
f(x1,x2,,xm)
35MP The Semi-Honest Model
- As defined exactly as in the two-party case. i.e.
- Semi-honest party
- Follows the protocol properly
- Keeps a record of all its intermediate
computations.
36Two Malicious Models
- The first model where the number of parties which
deviate from the protocol is arbitrary. - Treatment follows the one used in two-party case.
- The number of parties which deviate from the
protocol is strictly less than half. - Simpler than the above ones.
37MP circuit evaluation protocol
- Inputs Party i holds the bit string xi1,xin,
for i1,,m - Step 1 Share the inputs Each party splits and
shares each of its input bits with the other
party, that is for every i1,,m, and j1,,n,
and every k?i, party i uniformly selects a bit
rk(i-1)nj and send it to the party k as the
other partys share of input wire (i-1)nj,
Party i sets its own share of the (i-1)njth
input wire to xij ? k?i rk(i-1)nj .
38MP circuit evaluation protocol
- Step 2 Circuit Emulation Proceeding by the
order of wires, the parties use their shares of
the two input wires to a gate in order to
privately compute shares for the output wire of
the gate. Suppose that the parties hold shares to
the two input wires of a gate that is Party i
holds the share ai, bi, where a1,,am are the
inputs of the first wire and b1,,bm are second. - Emulation of an addition gate Party i just sets
its share of the output wire of the gate to be
aibi.
39MP circuit evaluation protocol
- Emulation of an multiplication gate Shares of
the output wire of the gate are obtained by
invoking the oracle for the functionality of Eq.
3.7-8, where Party i supplies the input (query
part) (ai, bi). - Step 3 Recovering the output bits Once the
shares of the circuit-output wires are computed,
each party sends its share of each such wire to
the party with which the wire is associated. For
i1,..m, and j1,..,n, each party sends its share
of wire N-(m1-j)nj to Party i. Each party
recovers the corresponding output bits by
adding-up the m shares. - Outputs Each party outputs the bits recorded in
Step 3
40MP Forcing the Semi-honest Model
- Communication protocol
- Broadcast, each round only one party send a
message which is received by all parties. - Sequence of transformation
- Precompiling a protocol ?0, which computes in the
point-to-point model, into a protocol ?0 which
computes in the broadcast model. - Using the first compiler to transform ?0 into a
protocol ?1 secure in first malicious model. - Using the second compiler to transform ?1 into a
protocol ?2 secure in second malicious model. - Postcompiling the protocols ?1 and ?2 to use
the standard point-to-point model.
41Forcing SHM First Malicious Case
- Input-commitment phase each party commits to
each of its input bits using multi-party version
of the input commitment. - Coin-generation phase The parties generate
random-pads for each of the parties. These pads
serve as the coins of the corresponding parties
in their emulations of the semi-honest protocol.
Each party obtains the bits of the random-pad,
whereas the other parties obtains commitments to
these bits. - Protocol Emulation Phase The parties emulate the
execution of the semi-honest protocol with
respect to the input committed in the first phase
and the random-pad selected in the second phase.
42Forcing SHM Second Malicious Case
- The sharing phase Each party shares each bit of
its input and random-pad, with all the parties.
So that strict majority of parties can retrieve
the bit. - If a party aborts the execution prior to
completion of this phase, then the majority
player will set its input and random-pad to some
default value, and carry out the execution on its
behalf. - If a party aborts the execution after this phase,
the the majority players will reveal its input
and random-pad, and will carry out the execution
on its behalf. - Protocol emulation phaseThe parties emulate the
execution of original protocol w.r.t the input
and random-pad in the first phase.
43The Compiler for the Second Case
- Inputs party i get input xi?0,1n and
random-pad ri?0,1c(n) - The sharing phase Each party shares each bit of
its input and random-pad, with all parties. i.e. - For i1,..m, and j1,..,nc(n), party i invokes
VSS playing role P1 with input (?, 1n), where ?
is the ith bit of xiri. The other party playing
roles P2..m with input 1n. Party i obtains output
pair (pji, wji), and each other party k obtains a
pair (skj,I,cji) so that skj,I are shares of a
secret relative to Gm,m/2s random-pad pji.and
cji is a sequence of commitments of the bits of
pji.
44The Compiler for the Second Case
- Protocol emulation phase
- a (xi,ri)
- r ((p1i, w1i),(p2i, w2i),(pnc(n)i, winc(n)))
- h(a,r) (Cn (p1i, w1i),Cn (p2i, w2i
),(pnc(n)i, winc(n))) - ? all previous message sent by the other party.
- f the computation which determines the message
to be sent in ?. - The input with with the other parties are to
enter to the authenticated-computation can be
determined, in case the parties supply different
values for (h(?,r),?), the majority value is
used. - Output each party holds the corresponding output
of the party in protocol ?.
45Appendix
- Solutions to dining cryptographer problem
- Authenticated Byzantine Agreement
- Verifiable Secret Sharing
46Solution
- Each cryptographer flips an unbiased coin behind
his menu, between him and the cryptographer on
his right, so that only the two of them can see
the outcome. Each cryptographer then states aloud
whether the two coins he can see--the one he
flipped and the one his left-hand neighbor
flipped--fell on the same side or on different
sides. If one of the cryptographers is the payer,
he states the opposite of what he sees.
47Solution (contd.)
- An odd number of differences uttered at the table
indicates that a cryptographer is paying an even
number indicates that NSA is paying (assuming
that the dinner was paid for only once). Yet if a
cryptographer is paying, neither of the other two
learns anything from the utterances about which
cryptographer it is.
48Authenticated Byzantine Agreement
- Synchronous point-to-point and signature scheme.
- Phase 0 Party 1 sign its input and sends it to
all parties. - Phase 1,,m Each honest party proceeds as
follows - It inspects the message received at phase i-1,
which is admissible if all previous signature is
verifiable. authentic v-message. - If the party finds such one, it will sign the
message by appending its signature to it, and
sends to all parties. - Each honest party evaluates the situation
- If both authentic-0 and authentic-1 message
received, reports Party 1 is malicious. - If for a single v ?0,1, if received authentic-v
message, it output v. - Never received an authentic-v message, reports
party 1 is malicious.
49Verifiable Secret Sharing