Round-Efficient Multi-Party Computation in Point-to-Point Networks Jonathan Katz Chiu-Yuen Koo University of Maryland.

Presentation transcript:

Round-Efficient Multi-Party Computation in Point-to-Point Networks Jonathan Katz Chiu-Yuen Koo University of Maryland

Motivation
Suppose we want to obtain a practical protocol for a given task.
The protocol needs to be round-efficient.
If we know round-efficient solutions exist, we can then turn our attention to improving other aspects (such as computation).
How do we know?

Motivation
Approach 1: Determine whether round-efficient solutions are possible after we are given the task.
Given task A, ask if round-efficient solutions for task A exist.
Given task B, ask if round-efficient solutions for task B exist.
Given task C, ask if round-efficient solutions for task C exist.
…
Repetitive! Can we solve the problem once and for all?

Motivation
Approach 2: Determine whether round-efficient solutions for secure multi-party computation (MPC) exist.
An MPC protocol can solve almost every task.
A round-efficient solution for MPC implies the existence of round-efficient solutions for (almost) every task!

Round-Efficient Multi-Party Computation in Point-to-Point Networks

Our Motivation
Previous work on round complexity (for the most part) has assumed a broadcast channel “for free”.
A broadcast channel enables one party to send the same message to all parties.
But in point-to-point networks, a broadcast channel does not come for free; it is emulated by a broadcast protocol, at high overhead.

Our Motivation
If the broadcast channel is emulated by a deterministic protocol, then the round complexity will be linear in the number of corrupted parties [FL82].
This will not lead to sub-linear-round protocols.

Our Motivation
If the broadcast channel is emulated by a randomized protocol, then each round of broadcast can be emulated in an expected constant number of rounds (assuming honest majority) [FM88, FG03, KK06].
But the exact constant is rather high.
If broadcast is used in more than one round, then we need to handle sequential composition of protocols without simultaneous termination; this leads to complication and a substantial increase in round complexity [LLR02, BY03, KK06].

Our Motivation
Sequential composition of protocols without simultaneous termination:
In a broadcast protocol, each party is assumed to start at the same round.
However, parties may leave at different rounds.
So parties may start execution of the next protocol in different rounds.
If protocols are executed sequentially, additional rounds are needed to handle the composition.

Our Motivation
For example, consider the setting in which at most one-third of the parties are corrupted.
Micali and Rabin show a Verifiable Secret Sharing (VSS) protocol that uses 16 rounds but only a single round of broadcast.
Compiling the above protocol for a point-to-point network, it runs in an expected 31 rounds.
Any protocol that uses broadcast twice will require an expected 55 rounds after being compiled for a point-to-point network.

Our Motivation
If the ultimate goal is a round-efficient protocol for point-to-point networks, then it is preferable to focus on minimizing the number of rounds in which broadcast is used rather than minimizing the total number of rounds.

Our Motivation
This raises the following question: Is it possible to construct a constant-round (or sub-linear-round) MPC protocol that uses only a single round of broadcast? (This is clearly optimal…)
We resolve the above question in the affirmative in a number of settings.

The Rest of the Talk
Prior work
Results and constructions
Future directions

Prior Work
Broadcast/Byzantine agreement: reviewed in the last talk
Verifiable secret sharing (VSS) [CGMA85]
General secure MPC

Prior Work
Round complexity of VSS (let t be the number of corrupted parties and n the total number of parties):
[GIKR01]:
n > 4t: efficient 2-round protocol
n > 3t: no 2-round protocol exists; efficient 4-round protocol; inefficient 3-round protocol
[FGGRS06]: efficient 3-round protocol for n > 3t

Prior Work
But… previous work studies the round complexity of VSS under the assumption that a broadcast channel is available.
As we have seen, this is not necessarily the best way to optimize the round complexity of VSS in a point-to-point setting.

Broadcast/Byzantine Agreement
Verifiable Secret Sharing (VSS)
General Secure MPC

Prior Work
Secure MPC allows a set of parties with private inputs to compute some joint function of their inputs.
Feasibility results:
[BGW88, CDD88]: MPC for n > 3t in point-to-point networks
[RB89, B89, CDDHR99]: MPC for n > 2t assuming a broadcast channel

Prior Work
Round-efficient solutions:
[BMR90, DI05]: constant-round MPC for n > 2t assuming a broadcast channel and one-way functions
Both protocols can be converted to expected O(1)-round protocols in point-to-point networks using authenticated broadcast, but the constant obtained is very high, on the order of hundreds of rounds.

Prior Work
Round-efficient solutions:
[GIKR01]: 3-round MPC for t < n/4 assuming a broadcast channel and one-way functions
The protocol uses only a single round of broadcast
Resilience is not optimal
[GL02]: round-efficient protocols for t < n
Fairness and output delivery not guaranteed

The Rest of the Talk
Prior work
Results and constructions
Future directions

Network Assumptions
Synchronous communication
Pairwise private and authenticated channels
A broadcast channel, with the understanding that it will be emulated by a round-efficient broadcast sub-routine (recall, our goal is to use broadcast only once)
Honest majority:
n > 3t: do not assume setup
n > 2t: assume a PKI
Adaptive adversary

Results and Constructions
We start by sketching an MPC protocol that uses only a single round of broadcast.
Call (a, b, c) a random multiplication triple if:
c = ab
a, b, and c have been “shared” among the parties
a and b are uniformly distributed

Results and Constructions
Beaver shows that if, in a “setup” phase, parties share their inputs along with sufficiently many multiplication triples, then the parties can carry out secure MPC in a round-efficient manner without using any further invocations of broadcast.
Our task is now reduced to implementing the setup phase using only a single round of broadcast.
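Beaver's multiplication step referred to above, as an added Python example (not code from the talk or the paper): Shamir shares over a constructed prime field P with n = 7, t = 2, a random triple standing in for what the setup phase produces, and a multiplication that opens only x − a and y − b, so no broadcast is needed beyond the setup.

```python
import random

P = 2**61 - 1   # prime field modulus (constructed choice; any prime larger than n works)
N, T = 7, 2     # n parties, at most t corrupted; degree-t Shamir sharing

def share(secret, n=N, t=T):
    """Shamir-share `secret` with a random degree-t polynomial; party i holds f(i)."""
    coeffs = [secret % P] + [random.randrange(P) for _ in range(t)]
    return [sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)]

def reconstruct(shares, t=T):
    """Lagrange-interpolate f(0) from the first t+1 shares (parties 1..t+1)."""
    pts = list(enumerate(shares[:t + 1], start=1))
    total = 0
    for i, yi in pts:
        num = den = 1
        for j, _ in pts:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def random_triple():
    """A shared random multiplication triple (a, b, c): c = ab, a and b uniform.
    In the talk this is exactly what the setup phase has to produce."""
    a, b = random.randrange(P), random.randrange(P)
    return share(a), share(b), share(a * b % P)

def beaver_multiply(x_shares, y_shares, triple):
    """Return shares of x*y. The parties open only d = x - a and e = y - b; because
    a and b are uniform, d and e reveal nothing about x or y, and the opening is
    done with point-to-point messages rather than broadcast."""
    a_s, b_s, c_s = triple
    d = reconstruct([(x - a) % P for x, a in zip(x_shares, a_s)])
    e = reconstruct([(y - b) % P for y, b in zip(y_shares, b_s)])
    # purely local step on each party's shares:
    # c + d*b + e*a + d*e = ab + (x-a)b + (y-b)a + (x-a)(y-b) = xy
    return [(c + d * b + e * a + d * e) % P for a, b, c in zip(a_s, b_s, c_s)]

def demo(x, y):
    """Share x and y, multiply them consuming one triple, and reconstruct the product."""
    z_shares = beaver_multiply(share(x), share(y), random_triple())
    return reconstruct(z_shares)
```

Each multiplication gate consumes one triple, which is why the setup phase must share "sufficiently many" of them up front.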

Results and Constructions
Implementation of the setup phase
Recall the concept of a moderated protocol from the previous talk:
There is a distinguished party P_m known as the moderator.
Given a protocol Π, designed under the assumption of a broadcast channel, the moderated version Π’ does not use broadcast.

Results and Constructions
Implementation of the setup phase
Π’ has the following properties:
By the end of the protocol, each party P_i outputs a binary value trust_i(m).
If the moderator P_m is honest, then each honest party outputs trust_i(m) = 1.
If an honest party outputs trust_i(m) = 1, then Π’ achieves the functionality of Π.

Results and Constructions
Implementation of the setup phase
The previous talk has illustrated how to compile a protocol Π into its moderated version Π’ while increasing the round complexity by at most a constant multiplicative factor.

Results and Constructions
Implementation of the setup phase
Let Π_i denote some constant-round protocol, designed assuming a broadcast channel, that shares the input value of party P_i as well as sufficiently many multiplication triples. Such protocols are constructed in, e.g., [BGW88, B89, RB89, B91, GRR98, CDDHR99, DI05].
Compile Π_i into a moderated protocol Π_i’ where P_i acts as the moderator.

Results and Constructions
Implementation of the setup phase
1. Run protocols {Π_1’, …, Π_n’} in parallel.
2. Each party P_i broadcasts {trust_i(1), …, trust_i(n)}.
3. A party P_i is disqualified if t or fewer parties broadcast trust_j(i) = 1. If a party is disqualified, then a default value is used as the input of P_i.
4. Let i* be the minimum value such that P_i* is not disqualified. The set of random multiplication triples that the parties will use is taken to be the set that was generated in Π_i*.
The above protocol uses broadcast in only one round.
An honest party will not be disqualified.
If P_i is not disqualified, then Π_i’ achieves the functionality of Π_i.
The above protocol implements the setup phase using only one round of broadcast.
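Steps 2 to 4 of the setup phase, as an added Python example (not code from the talk or the paper) over a constructed vote matrix with n = 7 and t = 2: the disqualification rule, the choice of i*, and the two facts the slide states, namely that an honest moderator is never disqualified and that a non-disqualified moderator has at least one honest party vouching for it. The adversary strategy in simulate_votes is an assumption made for the illustration.

```python
N, T = 7, 2   # constructed parameters: n = 7 parties, t = 2 corrupted (n > 3t)

def disqualified(trust, t=T):
    """trust[j][i] is the bit trust_j(i) that P_j broadcast about moderator P_i.
    Step 3: P_i is disqualified if t or fewer parties vouch for it."""
    n = len(trust)
    return {i for i in range(n) if sum(trust[j][i] for j in range(n)) <= t}

def triple_source(trust, t=T):
    """Step 4: i*, the smallest index that is not disqualified. All parties see the
    same broadcast votes, so every honest party picks the same i*."""
    bad = disqualified(trust, t)
    return min(i for i in range(len(trust)) if i not in bad)

def simulate_votes(corrupt, fooled, n=N):
    """Vote matrix for one constructed adversary strategy:
    - an honest moderator makes every honest party output 1 (moderated-protocol property);
    - corrupt voters vouch only for corrupt moderators;
    - a corrupt moderator i convinces exactly the honest parties listed in fooled[i]."""
    trust = [[0] * n for _ in range(n)]
    for j in range(n):
        for i in range(n):
            if j in corrupt:
                trust[j][i] = 1 if i in corrupt else 0
            elif i not in corrupt:
                trust[j][i] = 1
            else:
                trust[j][i] = 1 if j in fooled.get(i, ()) else 0
    return trust

def honest_vouchers(trust, i, corrupt):
    """Honest parties that broadcast trust_j(i) = 1. With more than t votes in total,
    at least one of them is honest, so the moderated run of P_i achieved its functionality."""
    return {j for j in range(len(trust)) if j not in corrupt and trust[j][i] == 1}
```

An honest moderator collects at least n − t votes, which exceeds t whenever n > 2t, so the "honest party is never disqualified" claim holds in both settings of the talk.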

Results and Constructions
Combined with [BGW88, CDDHR99, DI05], we obtain MPC using only one round of broadcast and:
O(depth of the circuit) rounds, assuming n > 3t (without computational assumptions)
O(1) rounds, assuming n > 3t and the existence of one-way functions
O(1) rounds, assuming n > 2t, the existence of one-way functions, and a PKI

Results and Constructions
However, a naïve compilation will yield MPC protocols with relatively high round complexity:
Existing constructions of Π_i do not attempt to minimize the number of rounds of broadcast.
For n > 3t, each round of broadcast in Π_i is replaced by six rounds of interaction in Π_i’; for n > 2t, it is eight rounds.
We construct a new set of protocols that minimize their use of broadcast as well as the total number of rounds.

Results and Constructions
In the following, we illustrate one of the techniques used to reduce the number of rounds of broadcast without compilation.
We show how to obtain a 6-round VSS protocol that uses 2 rounds of broadcast from the 4-round VSS protocol in [GIKR01] (which uses 3 rounds of broadcast).
In the paper, this is improved to 7 rounds with 1 round of broadcast.

Results and Constructions
VSS – informal definitions
There is a dealer D with an input s. A VSS protocol is a 2-phase protocol:
Sharing phase: D shares s
Reconstruction phase: the parties reconstruct a value s’
If D is honest, then:
During the sharing phase, the joint view of the corrupted parties is independent of s
In the reconstruction phase, s is reconstructed

Results and Constructions
VSS – informal definitions
If D is dishonest: the view of the honest parties at the end of the sharing phase defines a value s’ that will be reconstructed in the reconstruction phase.

Results and Constructions
Review of the [GIKR01] protocol:
Round 1: D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; D sends F(x,i) = g_i(x) and F(i,y) = h_i(y) to P_i. P_i sends to P_j a random pad r_ij.
Round 2: P_i broadcasts a_ij = g_i(j) + r_ij and b_ij = h_i(j) + r_ji; P_j broadcasts a_ji = g_j(i) + r_ji and b_ji = h_j(i) + r_ij.
Round 3: For each a_ij ≠ b_ji: P_i broadcasts g_i(j); P_j broadcasts h_j(i); D broadcasts F(j,i).
Round 4: …

Results and Constructions
Replace round 2 and round 3 by the following steps:
1. P_i sends h_i(j) to P_j.
2. Let h’_j,i be the value P_i received from P_j. If h’_j,i ≠ g_i(j), then P_i sends “complain(i,j)” to D.
3. If D receives “complain(i,j)” from P_i in the last step, then D sends “complain(i,j)” to P_j.
4. (i) If P_i sent “complain(i,j)” to D in (2), then P_i broadcasts “(i,j): g_i(j)”, else it broadcasts “(i,j): no complaint”.
(ii) If P_j received “complain(i,j)” from D in (3), then P_j broadcasts “(i,j): h_j(i)”, else it broadcasts “(i,j): no complaint”.
(iii) If D received “complain(i,j)” from P_i in (2), then D broadcasts “(i,j): F(j,i)”, else it broadcasts “(i,j): no complaint”.
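The [GIKR01] round 1 dealing together with the replacement steps 1 to 4 above, as an added Python example (not code from the talk or the paper): a bivariate polynomial over the constructed field P = 101 with n = 4, t = 1, the pairwise h_j(i) versus g_i(j) check, and the messages of the single broadcast step. D is modelled as forwarding complaints honestly; a dishonest dealer is simulated only by tampering with one dealt share, and the elided round 4 resolution is not implemented.

```python
import random

P = 101        # small prime field (constructed)
N, T = 4, 1    # n = 4 parties, t = 1 (n > 3t)

def random_bivariate(s, t=T):
    """Coefficient matrix c[k][l] of x^k y^l, degree t in each variable, F(0,0) = s."""
    c = [[random.randrange(P) for _ in range(t + 1)] for _ in range(t + 1)]
    c[0][0] = s % P
    return c

def F(c, x, y):
    return sum(c[k][l] * pow(x, k, P) * pow(y, l, P)
               for k in range(len(c)) for l in range(len(c))) % P

def deal(c, n=N):
    """Round 1: P_i receives g_i(x) = F(x,i) and h_i(y) = F(i,y). Both are kept as
    their values at the points 1..n, which is all the complaint steps need."""
    g = {i: {j: F(c, j, i) for j in range(1, n + 1)} for i in range(1, n + 1)}
    h = {i: {j: F(c, i, j) for j in range(1, n + 1)} for i in range(1, n + 1)}
    return g, h

def complaint_steps(c, g, h, n=N):
    """Steps 1-4 replacing rounds 2 and 3. Returns the complaints raised and the
    content of the single broadcast step, keyed by ordered pair (i, j)."""
    complaints = set()
    for i in range(1, n + 1):
        for j in range(1, n + 1):
            # step 1: P_j sent h_j(i) to P_i; step 2: P_i compares it with g_i(j)
            if i != j and h[j][i] != g[i][j]:
                complaints.add((i, j))          # P_i sends complain(i,j) to D
    broadcasts = {}
    for i in range(1, n + 1):
        for j in range(1, n + 1):
            if i == j:
                continue
            if (i, j) in complaints:            # step 3: D forwarded complain(i,j) to P_j
                broadcasts[(i, j)] = {"P_i": g[i][j], "P_j": h[j][i], "D": F(c, j, i)}
            else:
                broadcasts[(i, j)] = "no complaint"
    return complaints, broadcasts

def run(s, tamper=None):
    """Deal s; optionally corrupt h_a(b) as dealt to P_a to model a dishonest D."""
    c = random_bivariate(s)
    g, h = deal(c)
    if tamper:
        a, b = tamper
        h[a][b] = (h[a][b] + 1) % P
    return complaint_steps(c, g, h)
```

With a consistent dealer no pair complains, so all n(n−1) broadcast slots read "no complaint"; a corrupted h_2(3) produces exactly the complaint (3,2), and the three broadcast values for that pair show P_3 and D agreeing on F(2,3) while P_2's value differs.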

Results and Constructions
Summary of our results (round complexity of MPC):
n > 3t: 26 rounds (1 round of broadcast)
n > 2t: 34 rounds (1 round of broadcast)

Results and Constructions
Round complexity of our MPC protocols in point-to-point networks (in expectation):
Our work*: 41 rounds for n > 3t; 64 rounds for n > 2t
Any protocol using broadcast twice (even with no additional rounds!)*: 55 rounds for n > 3t; 94 rounds for n > 2t
* Given the best currently-known protocols for broadcast

The Rest of the Talk
Prior work
Results and constructions
Future directions

Future Directions
Characterize the round complexity of VSS in a point-to-point network.
Better lower bounds on the round complexity of secure computation?
For n > 2t, determine the existence of an MPC protocol using a single round of broadcast and not relying on a PKI.
