Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation YE Jian-wei March 7, 2009

outline Full fair secure two-party computation – Problem – Existing methods Our method – Overview – Advantages – Cryptography foundation – New Full Fair Secure Two-party Computation Protocol

Full fair secure two-party computation ——problem two parties A with input x and B with input y jointly compute a two output function f(x,y)=(f A (x,y), f B (x,y)) Secure: A learn only x and f A (x,y) B learn only y and f B (x,y) Fair: A learns f A (x,y) iff B learns f B (x,y)

For security – Garbled circuit computation For fairness – gradual release technique – Methods employing trusted third party Full fair secure two-party computation ——existing methods

gradual release technique Without third parties at the cost of many rounds of interaction impossible to get full fairness Full fair secure two-party computation ——existing methods

Methods employing trusted third party full fairness the trusted third party must be neutral (doesn’t collude with A or B) single point of failure the performance bottleneck Full fair secure two-party computation ——existing methods

Our method——overview full fairness employ Yao’s garbled circuit computation for security employ a group of servers as the third party for full fairness

Our method——advantages 1. Weakening the trust assumption. Our method doesn’t require all third-party servers are trusted, but just require more than two-third of them are honest. 2. Protection against collusion. Our method can keep the fairness when less than one-third of the servers are dishonest (or malicious) and collude with the any party.

Our method——advantages 3. Fault-tolerance. In our method, not all servers must be always available. More precisely, when the count of the dishonest servers is m, only 3m+1 servers are needed simultaneously.

Our method——Cryptography foundation 1. Garbled circuit computation 2. Verifiable encryption scheme of Jarecki and Shmatikov (sCS encryption scheme) 3. zero-knowledge proof (ZKP) protocols of Jarecki and Shmatikov 4. Verifiable threshold secret sharing (VTSS) scheme of Pedersen

Garbled circuit computation 1. A constructs a boolean circuit, C, computing f(x,y) 2. A garbles C to GC 3. A sends GC, the garbled x and the cleartext interpretation of f B (x,y) to B 4. B gets the garbled y form A 5. B computes GC and gets its output, garbled f A (x,y) and garbled f B (x,y) 6. B ungarbles the garbled f B (x,y) to get f B (x,y) by the cleartext interpretation of f B (x,y) 7. B sends the garbled f A (x,y) to A 8. A ungarbles the garbled f A (x,y) to get f A (x,y)

sCS encryption scheme a simplification of the verifiable encryption scheme of Camenisch and Shoup semantically secure in CRS model under DCR assumption and safe RSA moduli. a very strong unambiguous encryption. a ciphertext that passes a certain proof system cannot decrypt to two different plaintexts under two different private keys. Moreover, no two distinct decryption keys can decrypt a ciphertext even to the same plaintext.

sCS encryption scheme CRS.

sCS encryption scheme sCS encryption.

sCS encryption scheme sCS decryption.

ZKP protocols of Jarecki and Shmatikov Relying on the Unambiguity of sCS encryption scheme, Jarecki and Shmatikov proposed the sCS commitment scheme and a group of efficient concurrently secure ZKP protocols. sCS commitment scheme

ZKP protocols of Jarecki and Shmatikov ZKP protoclos – ZKDL( ɡ, X) is used to prove that there exists a x s.t. X 2 = ɡ 2x. – ZKNotEq(C a, C b ) is used to prove that C a, C b are sCS commitments to different values. – ZKPlainEq((u, e),C k, C m ) is used to prove that (u, e) is a sCS encryption of cleartext m committed (sCS commitment) in C m under the key k committed in C k.

VTSS scheme of Pedersen Pedersen gave a semantically secure commitment scheme based on the difficulty of discrete logarithm problem, and proposed a VTSS scheme in the CRS model by it. CRS

VTSS scheme of Pedersen Pedersen’s commitment scheme

VTSS scheme of Pedersen Sharing and Verifying process

New Full Fair Secure Two-party Computation Protocol New ZKP protocol ZKEq( C K D,C K D ) prove that the sCS commitment C K D commits the same value as the Pedersen’s commitment C K D

New Full Fair Secure Two-party Computation Protocol——overview In usual garbled circuit computation A send the cleartext interpretation of f B (x,y) to B, therefore the circuit evaluator B may not send garbled f A (x,y) to A after get his output f B (x,y). In our protocol A commits all output wire keys corresponding f B (x,y) in GC A shares a private key K D ∈ [0,2 k′′ ] among a group of third- party servers by VTSS scheme of Pedersen A provides B an encrypted cleartext interpretation of f B (x,y), CI B

New Full Fair Secure Two-party Computation Protocol——overview By correctly performing all ZKP protocols involved in following formula with A and verifying process of Pedersen’s VTSS scheme, B is convinced that CI B is correctly constructed and able to be decrypted with the key (i.e. K D ) shared in the servers, and he can retrieve the key to decrypt CI B as long as sending correct output keys corresponding to f A (x,y) to the servers.

New Full Fair Secure Two-party Computation Protocol——overview

After sending correct output wire keys corresponding to f A (x,y) to the servers, B gets enough shares of K D to retrieve it and compute his output f B (x,y). Henceforth, A can compute his output f A (x,y) even if B sends him wrong output wire keys by obtaining correct these from the servers.

New Full Fair Secure Two-party Computation Protocol——protocol

New Full Fair Secure Two-party Computation Protocol——analyse Fairness When the amount of dishonest servers m is less than s/3 ， our protocol is able to guarantee that A learns f A (x,y) iff B learns f B (x,y). Complexity Computational complexity is O(S+s 2 ) Communication complexity is O(S+s) only two additional interaction rounds for full fair where S is the size of the circuit and s is the amount of employed servers.

END! THANKS!