Oblivious Transfer and GMW MPC

Presentation transcript:

Oblivious Transfer and GMW MPC Workshop on Cryptography Divya Ravi Slides borrowed from Arpita Patra, Ashish Choudhury

Agenda
GMW semi-honest n-party MPC protocol
Adversarial setting: computationally bounded, semi-honest, n parties, dishonest majority (t < n)
Oblivious Transfer: an important tool in GMW

Dishonest Majority MPC (t < n): GMW87
[GMW87]: Oded Goldreich, Silvio Micali, Avi Wigderson: How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority. STOC 1987: 218-229
Idea behind GMW87: shared circuit evaluation (similar to BGW88)
The circuit is a Boolean circuit (over 𝔽2)
The secret sharing is additive secret sharing, instead of Shamir
Dishonest majority: all but one party may be corrupted (only one honest party), so the threshold for sharing is n - 1

[GMW87] Generic MPC Protocol
Parties P1, P2, …, Pn hold inputs x1, x2, …, xn respectively and want to compute f(x1, x2, …, xn).
Circuit abstraction: f is represented as a publicly known Boolean circuit C. Any efficiently computable f can be represented as such a C.

[GMW87] Generic MPC Protocol: Circuit abstraction
Without loss of generality: each party has 1 input to f, and f has only 1 output.
(Figure: a Boolean circuit with wires x1, x2, x3, x4, c and output wire y.)
GMW: secure circuit evaluation. The parties jointly evaluate the circuit securely; only the final outcome is revealed during the evaluation, and the intermediate values remain as private as possible.

Principle Behind Secure Circuit Evaluation
Circuit evaluation in the clear, viewed through (n, t) locked boxes:
1. Inputs: each input is represented as an (n, t) box.
2. Intermediate gates: compute the (n, t) box representation of the gate output from the (n, t) box representations of the gate inputs.
3. Output box: open it publicly.
(Figure: an example circuit with all wire values shown in the clear.)

Principle Behind Secure Circuit Evaluation
Circuit evaluation in the clear vs. secure circuit evaluation: in the secure evaluation, the input boxes of honest parties cannot be opened, and no unwanted intermediate box can be opened.

Instantiating the (n, t) Locked Box Representation
(n, t) locked box representation -> (n, t) secret sharing.
Sharing phase: the Dealer, holding secret s, distributes shares v1, v2, v3, …, vn to the parties.
Reconstruction phase: any t + 1 parties can reconstruct the secret s; fewer than t + 1 parties have no information about the secret.

(n, t) Secret Sharing for the GMW Protocol
For GMW: n = t + 1, so all n parties are required to reconstruct the secret. The secret as well as the shares are bits.
(n, t) bit secret sharing for GMW (n = t + 1):
  Sh1, Sh2, …, Shn-1 ←R {0, 1}
  Shn = (Sh1 ⊕ Sh2 ⊕ … ⊕ Shn-1) ⊕ s   for secret s ∈ {0, 1}
The Dealer sends Shi to Pi for i = 1, …, n.
Secret reconstruction protocol: exchange shares pair-wise; output s = Sh1 ⊕ Sh2 ⊕ … ⊕ Shn.
Communication complexity: Sharing O(n) bits; Reconstruction O(n²) bits.
Rounds of interaction: Sharing 1 round; Reconstruction 1 round.

(n, t) Additive Secret Sharing
Question: O(n)-bit reconstruction with 2 rounds of interaction?

Privacy: any subset of t parties gets no additional information about the secret.
Example: say P1, …, Pn-1 are corrupted (recall that t = n - 1). The adversary's view is Sh1, …, Shn-1, while Shn and s are unknown to it. Since s = Sh1 ⊕ Sh2 ⊕ … ⊕ Shn-1 ⊕ Shn, correctly guessing Shn ⇔ correctly guessing s: the mapping Shn -> s is one-to-one, so the probability of learning s = ½ (same as before).
(Figure: a secret S shared as (Sh1), (Sh2), …, (Shi), …, (Shn), held by P1, P2, …, Pi, …, Pn.)

Linearity of Secret Sharing: Addition is free
a = a1 ⊕ a2 ⊕ a3 ⊕ a4 and b = b1 ⊕ b2 ⊕ b3 ⊕ b4.
Shares of a ⊕ b: each party locally sets ci = ai ⊕ bi; then c = c1 ⊕ c2 ⊕ c3 ⊕ c4 = a ⊕ b.
No interaction is needed to compute shares of the sum of two shared secrets.

Linearity of Secret Sharing: Multiplication by a public constant is free
a = a1 ⊕ a2 ⊕ a3 ⊕ a4, and c is publicly known.
c · a = c · (a1 ⊕ a2 ⊕ a3 ⊕ a4) = (c · a1) ⊕ (c · a2) ⊕ (c · a3) ⊕ (c · a4), so each party locally sets ci = c · ai and c · a = c1 ⊕ c2 ⊕ c3 ⊕ c4.
No interaction is required to compute shares of a constant multiple of a shared secret.

Linearity of Secret Sharing: Addition by a public constant is free
a = a1 ⊕ a2 ⊕ a3 ⊕ a4, and c is publicly known. How to compute shares of a ⊕ c?
a ⊕ c = (a1 ⊕ c) ⊕ a2 ⊕ a3 ⊕ a4: one party (say P1) locally sets c1 = a1 ⊕ c and every other party keeps ci = ai; then a ⊕ c = c1 ⊕ c2 ⊕ c3 ⊕ c4.
No interaction is required to compute shares of the sum of a shared secret and a public constant.

(Non)Linearity of Secret Sharing: AND (multiplication) is not free
a = a1 ⊕ a2 ⊕ a3 ⊕ a4 and b = b1 ⊕ b2 ⊕ b3 ⊕ b4. How to compute shares of a ∧ b?
a ∧ b = (a1 ⊕ a2 ⊕ a3 ⊕ a4) ∧ (b1 ⊕ b2 ⊕ b3 ⊕ b4) ≠ c1 ⊕ c2 ⊕ c3 ⊕ c4 for the locally computed ci = ai ∧ bi.
Shares of the AND of shared secrets cannot be computed locally.
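The additive bit sharing of the preceding slides, with the free linear operations and the failing local AND, as an added Python example (not code from the slides; the function names are my own):

```python
import secrets
from functools import reduce
from operator import xor

def share_bit(s, n):
    """[s]: the dealer picks n-1 random bit shares; the last share fixes the XOR to s."""
    sh = [secrets.randbelow(2) for _ in range(n - 1)]
    return sh + [reduce(xor, sh, s)]

def reconstruct(shares):
    """All n shares are needed: the secret is their XOR."""
    return reduce(xor, shares, 0)

def add_shares(a_sh, b_sh):
    """[a ⊕ b]: every party XORs its two shares locally, no interaction."""
    return [x ^ y for x, y in zip(a_sh, b_sh)]

def mul_const(c, a_sh):
    """[c · a] for a public bit c: every party multiplies its share by c."""
    return [c & x for x in a_sh]

def add_const(c, a_sh):
    """[a ⊕ c] for a public bit c: only P1 adds c to its share; the rest keep theirs."""
    return [a_sh[0] ^ c] + list(a_sh[1:])

def local_and(a_sh, b_sh):
    """Party-wise AND of shares. In general this is NOT a sharing of a ∧ b,
    because the cross terms ai ∧ bj (i ≠ j) are missing."""
    return [x & y for x, y in zip(a_sh, b_sh)]

def local_and_failure_rate(n, trials=2000):
    """How often local_and reconstructs to the wrong value for a = b = 1 (about 1/2 for n = 2)."""
    bad = sum(reconstruct(local_and(share_bit(1, n), share_bit(1, n))) != 1
              for _ in range(trials))
    return bad / trials

def partial_view_bias(s, n, trials=2000):
    """Privacy check: the XOR of the first n-1 shares equals s only about half the time,
    whatever s is, so n-1 colluding parties learn nothing about the secret."""
    hits = sum(reconstruct(share_bit(s, n)[:-1]) == s for _ in range(trials))
    return hits / trials
```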

Towards Computing AND of Shared Secrets
For simplicity, assume n = 2, t = 1: a = a1 ⊕ a2 and b = b1 ⊕ b2.
a ∧ b = (a1 ⊕ a2) ∧ (b1 ⊕ b2) = (a1 ∧ b1) ⊕ (a1 ∧ b2) ⊕ (a2 ∧ b1) ⊕ (a2 ∧ b2)
a1 ∧ b1 can be computed locally by P1; a2 ∧ b2 can be computed locally by P2; the cross terms a1 ∧ b2 and a2 ∧ b1 cannot be computed locally by P1 / P2.
How to securely compute (a1 ∧ b2), (a2 ∧ b1)? Pair-wise exchange of a1, a2, b1, b2? Privacy of a, b gone!!

Towards Computing AND of Shared Secrets: Oblivious Transfer (OT), a very fundamental primitive
Formulated by Turing award winner Michael O. Rabin: Michael O. Rabin. How to exchange secrets with oblivious transfer. Technical Report TR-81, Aiken Computation Lab, Harvard University, 1981.
1-out-of-2 OT: the sender S holds messages {m0, m1}; the receiver R holds a choice bit b ∈ {0, 1} and obtains mb.
Required security properties: S learns nothing about b (b = ?); R learns nothing about m1-b (m1-b = ?).

GMW87 AND Gate Evaluation (first attempt)
a = a1 + a2 (P1 holds a1, P2 holds a2); b = b1 + b2 (P1 holds b1, P2 holds b2).
ab = (a1 + a2) · (b1 + b2) = a1b1 + b1a2 + a1b2 + a2b2
OT 1: P1 is the sender with a1 (messages 0 and a1); P2 chooses b2 and obtains a1b2.
OT 2: P2 is the sender with a2 (messages 0 and a2); P1 chooses b1 and obtains b1a2.
P1 outputs a1b1 + b1a2; P2 outputs a1b2 + a2b2.
Leaks information from the partial product!!

GMW87 AND Gate Evaluation (with masking)
a = a1 + a2; b = b1 + b2.
OT 1: P1 picks a random r0 and is the sender with messages (r0, r0 + a1); P2 chooses b2 and obtains r0 + a1b2.
OT 2: P2 picks a random r1 and is the sender with messages (r1, r1 + a2); P1 chooses b1 and obtains r1 + b1a2.
P1's share: a1b1 + r0 + (r1 + b1a2); P2's share: (r0 + a1b2) + r1 + a2b2.
Sum of the shares: ab = (a1 + a2) · (b1 + b2) = a1b1 + a1b2 + b1a2 + a2b2 (the masks r0, r1 cancel).

AND Gate Evaluation: The n-party Case
Let [x] = (x1, …, xn) and [y] = (y1, …, yn), with party Pi holding the shares xi and yi.
Expanding x ∧ y gives the summands xiyi plus, for every pair Pi, Pj, the two cross summands xiyj and yixj.
OT for xiyj: Pi picks a random ri and is the sender with messages (ri, ri + xi); Pj chooses yj and obtains ri + xiyj.
OT for yixj: Pj picks a random rj and is the sender with messages (rj, rj + xj); Pi chooses yi and obtains rj + yixj.
Pi's share of x ∧ y: its own summand xiyi plus its 2 shares of the two cross terms, for every other party.
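The n-party AND gate of this slide (and the 2-party masked version on the previous ones, which is the case n = 2), as an added Python example that is not code from the slides. The OT is modelled as an ideal function so that the share arithmetic can be checked on its own; the helper names are my own:

```python
import secrets
from functools import reduce
from operator import xor

def ot_1_of_2(m0, m1, choice):
    """Ideal 1-out-of-2 OT, modelled as a trusted function: the receiver gets m_choice
    and nothing about the other message; the sender learns nothing about choice.
    (Stand-in for a real OT protocol such as the EGL85 construction later on.)"""
    return m1 if choice else m0

def share_bit(s, n):
    """[s]: n-1 random bit shares plus one that fixes the XOR to s."""
    sh = [secrets.randbelow(2) for _ in range(n - 1)]
    return sh + [reduce(xor, sh, s)]

def reconstruct(shares):
    return reduce(xor, shares, 0)

def and_gate(x_sh, y_sh):
    """GMW AND gate: from [x] and [y] compute [x ∧ y] with n(n-1) OTs.
    Expanding (⊕ xi)(⊕ yj): Pi keeps its own summand xi·yi, and every ordered pair
    (i, j), i ≠ j, handles the cross term xi·yj with one OT.
    Returns the output shares and the number of OTs that were run."""
    n = len(x_sh)
    z = [x_sh[i] & y_sh[i] for i in range(n)]
    ots = 0
    for i in range(n):
        for j in range(n):
            if i == j:
                continue
            ri = secrets.randbelow(2)                    # Pi's fresh mask for this cross term
            got = ot_1_of_2(ri, ri ^ x_sh[i], y_sh[j])  # Pj learns ri ⊕ xi·yj, nothing about xi
            z[i] ^= ri    # Pi's share of the cross term
            z[j] ^= got   # Pj's share of the cross term; the two XOR to xi·yj
            ots += 1
    return z, ots

def check_all(n, trials=10):
    """Correctness over every input pair, with fresh sharing randomness each time."""
    for x in (0, 1):
        for y in (0, 1):
            for _ in range(trials):
                z, ots = and_gate(share_bit(x, n), share_bit(y, n))
                if reconstruct(z) != (x & y) or ots != n * (n - 1):
                    return False
    return True
```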

GMW MPC Protocol for the Semi-honest Setting
Input stage: each party acts as a dealer and secret-shares its input bits. At the end, each party holds a share of each input bit.
Computation stage: circuit evaluation, maintaining the following invariant for each gate: given shares of the inputs of the gate, compute shares of the gate output. At the end, each party holds a share of every value along every wire in the circuit.
Output stage: reconstruct the function output by exchanging the shares of the output gate value.

GMW MPC Protocol: Demonstration
Some notation for secret sharing: for a ∈ {0, 1}, [a] ≡ (a1, a2, …, an) with each ai ∈ {0, 1} held by Pi and a = a1 ⊕ a2 ⊕ … ⊕ an. We say that the value a is []-shared if the above holds.
We already know that []-sharing is linear:
A []-sharing of a ⊕ b can be computed by local operations on the shares of the []-sharing of a and the []-sharing of b.
A []-sharing of c · a can be computed by local operations on the shares of the []-sharing of a, provided c is a public constant.
A []-sharing of c ⊕ a can be computed by local operations on the shares of the []-sharing of a, provided c is a public constant.

GMW MPC Protocol: Demonstration
For simplicity, assume n = 2 and t = 1. P1 has input A = (a1, a2) and P2 has input B = (b1); the circuit computes (a1 ⊕ a2) ⊕ b1.
Input stage: P1 shares a1 as [a1] = (a11, a12) and a2 as [a2] = (a21, a22), sending a12 and a22 to P2; P2 shares b1 as [b1] = (b11, b12), sending b11 to P1.
Computation stage: [a1 ⊕ a2] = (a11 ⊕ a21, a12 ⊕ a22); [a1 ⊕ a2 ⊕ b1] = (a11 ⊕ a21 ⊕ b11, a12 ⊕ a22 ⊕ b12).
Output stage: P1 sends a11 ⊕ a21 ⊕ b11 to P2 and P2 sends a12 ⊕ a22 ⊕ b12 to P1; both output (a1 ⊕ a2) ⊕ b1.

GMW MPC Protocol: Demonstration (concrete values)
Let a1 = a2 = 0, b1 = 1, with [a1] = (1, 1), [a2] = (0, 0), [b1] = (1, 0).
Variable        Value   P1 share   P2 share
a1              0       1          1
a2              0       0          0
b1              1       1          0
a1 ⊕ a2         0       1          1
a1 ⊕ a2 ⊕ b1    1       0          1
Suppose P2 is corrupted. P2 learns b1, [b1] and a1 ⊕ a2 (from the output together with b1). P2 learns that either (a1 = 0, a2 = 0) or (a1 = 1, a2 = 1); anything else?
Possible if (a1, a2) = (0, 0): P1's hidden shares are (a11, a21) = (1, 0). Possible if (a1, a2) = (1, 1): P1's hidden shares are (a11, a21) = (0, 1). In both cases P2 holds a12 = 1, a22 = 0 and receives a11 ⊕ a21 ⊕ b11 = 0 in the output stage, so the two cases are indistinguishable to P2.

GMW MPC Protocol: Security Demonstration
Variable         P1 share               P2 share
a1               a11 (unknown to P2)    a12
a2               a21 (unknown to P2)    a22
b1               b11                    b12
a1 ⊕ a2          a11 ⊕ a21              a12 ⊕ a22
a1 ⊕ a2 ⊕ b1     a11 ⊕ a21 ⊕ b11        a12 ⊕ a22 ⊕ b12
Suppose P2 is corrupted. P2 learns b1, [b1] and a1 ⊕ a2. P2 does not learn anything additional about a1, a2 from its protocol transcript: every (a1, a2) satisfying the known a1 ⊕ a2 ⇒ a corresponding (a11, a21) consistent with P2's transcript.
What happens if P1 is corrupted? From the inputs (a1, a2) and the output a1 ⊕ a2 ⊕ b1, the other input b1 can always be inferred.

GMW MPC Protocol: Demonstration of AND
Input stage: P1 holds a and shares it as [a] = (a1, a2), sending a2 to P2; P2 holds b and shares it as [b] = (b1, b2), sending b1 to P1.
Computation stage: compute [c = a ∧ b].
OT 1: P1 picks a random r and is the sender with messages (r, r ⊕ a1); P2 chooses b2 and obtains r ⊕ (a1 ∧ b2).
OT 2: P2 picks a random t and is the sender with messages (t, t ⊕ a2); P1 chooses b1 and obtains t ⊕ (a2 ∧ b1).
c1 = a1b1 ⊕ r ⊕ t ⊕ a2b1 (held by P1); c2 = a2b2 ⊕ r ⊕ a1b2 ⊕ t (held by P2).
Output stage: exchange c1 and c2; output c = c1 ⊕ c2.

GMW MPC Protocol: Demonstration of AND (concrete values)
Let a = 0, b = 0, with [a] = (1, 1) and [b] = (0, 0).
Variable           Value     P1 holds              P2 holds
a                  0         a1 = 1                a2 = 1
b                  0         b1 = 0                b2 = 0
OT 1 (random r)    r         sends (r, r ⊕ a1)     obtains r ⊕ a1b2 = r
OT 2 (random t)    t         obtains t ⊕ a2b1 = t  sends (t, t ⊕ a2)
c1 = a1b1 ⊕ r ⊕ t ⊕ a2b1 = r ⊕ t; c2 = a2b2 ⊕ r ⊕ a1b2 ⊕ t = r ⊕ t; c = a ∧ b = 0.
Suppose P1 is corrupted. P1 learns a = 0 and c = 0, which is consistent with b = 0 (prob. ½) or b = 1 (prob. ½). Any additional thing about b from the protocol transcript?

GMW MPC Protocol: Demonstration of AND (security)
Suppose P1 is corrupted. P1 learns a = 0 and c = 0, so b = 0 (prob. ½) or b = 1 (prob. ½). Compare P1's transcript in the two cases, with a1 = a2 = 1 and b1 = 0 as received:
If b = 0: b2 = 0. P1 obtains t ⊕ a2b1 = t from OT 2 and receives c2 = a2b2 ⊕ r ⊕ a1b2 ⊕ t = r ⊕ t.
If b = 1: b2 = 1. P1 obtains t ⊕ a2b1 = t from OT 2 and receives c2 = a2b2 ⊕ r ⊕ a1b2 ⊕ t = 1 ⊕ r ⊕ 1 ⊕ t = r ⊕ t.
The transcripts are identical; the only value separating the two cases is b2, which P1 never sees. Prob. of learning b from the transcript = prob. of correctly guessing b2 = ½. No additional information about b is leaked from the protocol transcript.
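The security argument of the AND demonstration, checked exhaustively rather than for one set of values: an added Python example (not from the slides) that runs the 2-party AND with every choice of the randomness (a1, b1, r, t) and compares the multiset of P1's views for b = 0 and b = 1. The view tuple and function names are my own:

```python
from collections import Counter
from itertools import product

def two_party_and(a, b, a1, b1, r, t):
    """One run of the 2-party GMW AND from the slides, with all randomness fixed.
    P1 holds a, shared as (a1, a2 = a1 ⊕ a); P2 holds b, shared as (b1, b2 = b1 ⊕ b).
    Returns (c, view of P1)."""
    a2 = a1 ^ a
    b2 = b1 ^ b
    p2_got = r ^ (a1 & b2)   # OT 1: P1 sends (r, r ⊕ a1), P2 chooses b2
    p1_got = t ^ (a2 & b1)   # OT 2: P2 sends (t, t ⊕ a2), P1 chooses b1
    c1 = (a1 & b1) ^ r ^ p1_got
    c2 = (a2 & b2) ^ t ^ p2_got
    c = c1 ^ c2
    # Everything P1 sees: its input and coins, b1 and the OT output it received,
    # and the share c2 exchanged in the output stage (t and b2 stay with P2).
    view = (a, a1, b1, r, p1_got, c2)
    return c, view

def view_distribution(a, b):
    """Multiset of P1's views over all 16 choices of (a1, b1, r, t)."""
    return Counter(two_party_and(a, b, a1, b1, r, t)[1]
                   for a1, b1, r, t in product((0, 1), repeat=4))

def correct_for_all():
    """c = a ∧ b for every input pair and every choice of randomness."""
    return all(two_party_and(a, b, a1, b1, r, t)[0] == (a & b)
               for a, b, a1, b1, r, t in product((0, 1), repeat=6))

def leaks_nothing_beyond_output(a):
    """For input a of P1, do the view distributions for b = 0 and b = 1 coincide?
    Expected: True for a = 0 (c = 0 either way), False for a = 1 (c = b, so the
    output itself reveals b, exactly as the slides note for the corrupted P1)."""
    return view_distribution(a, 0) == view_distribution(a, 1)
```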

EGL85 Oblivious Transfer (OT) Protocol
S. Even, O. Goldreich: On the Power of Cascade Ciphers. ACM Trans. Comput. Syst. 3(2): 108-116 (1985)
A very simple OT protocol in the semi-honest setting, based on public-key samplability.
Public-key encryption with public-key samplability: a collection of algorithms (Gen, Enc, Dec, fGen).
Gen(1^n) -> (pk, sk); Enc(pk, m) -> c for m ∈ {0, 1}*; Dec(sk, c) -> m (the usual public-key encryption).
fGen(1^n) -> pk*: the probability distributions of a "genuine" pk and a "fake" pk* are computationally indistinguishable.

EGL85 Oblivious Transfer (OT) Protocol (Gen, Enc, Dec, fGen)
P1 (sender) holds m0, m1 ∈ {0, 1}*; P2 (receiver) holds b ∈ {0, 1}.
P2: run Gen(1^n) -> (pk, sk) and fGen(1^n) -> pk*; set pkb = pk and pk1-b = pk*, i.e. pk0 = pk and pk1 = pk* if b = 0, and pk0 = pk* and pk1 = pk if b = 1; send (pk0, pk1) to P1.
P1: compute c0 = Enc(pk0, m0) and c1 = Enc(pk1, m1); send (c0, c1) to P2.
P2: output mb = Dec(sk, cb).
If P1 is corrupted it does not learn the choice bit b: pk0 is indistinguishable from pk1.
If P2 is corrupted it does not learn the other message m1-b: P2 does not know the corresponding secret key sk*.

Improving the Efficiency of OT
Need O(n²) OT executions per AND gate, and OT requires public-key operations.
Ways to improve performance: the offline-online approach (the OT execution overhead is shifted to an offline phase), and OT extension.

Preprocessing of OT (Random OT)
Can we run OTs on random inputs in the offline phase and use the data from those OTs later, during the online phase?
Preprocessing on random inputs: P0 (sender) inputs random r0, r1 and P1 (receiver) inputs a random c to a 1-out-of-2 OT; P1 obtains rc.
Computation in the online phase, with real inputs m0, m1 (P0) and b (P1):
  P1 sends z = b + c.
  If z = 0: y0 = m0 + r0, y1 = m1 + r1.   If z = 1: y0 = m0 + r1, y1 = m1 + r0.
  P0 sends (y0, y1); P1 outputs mb = yb + rc.
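The random-OT preprocessing above, as an added Python example (not code from the slides) over byte strings rather than single bits, so that the online phase is visibly just XORs. The offline OT is modelled as an ideal OT; the function names are my own:

```python
import secrets

def xor_bytes(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def offline_random_ot(length):
    """Offline phase: a 1-out-of-2 OT on random inputs (modelled here as an ideal OT).
    P0 keeps the random pads (r0, r1); P1 keeps its random choice c and the pad r_c."""
    r0, r1 = secrets.token_bytes(length), secrets.token_bytes(length)
    c = secrets.randbelow(2)
    return (r0, r1), (c, r1 if c else r0)

def online_p1_reveal(b, c):
    """P1 sends z = b ⊕ c; z is uniform because c is, so it hides the real choice b."""
    return b ^ c

def online_p0_pad(m0, m1, r0, r1, z):
    """P0 pads the real messages: z = 0 keeps the pads aligned, z = 1 swaps them."""
    if z == 0:
        return xor_bytes(m0, r0), xor_bytes(m1, r1)
    return xor_bytes(m0, r1), xor_bytes(m1, r0)

def online_p1_output(b, rc, y0, y1):
    """m_b = y_b ⊕ r_c: in both cases y_b was padded with exactly the pad P1 holds,
    while y_{1-b} is padded with the pad P1 never received."""
    return xor_bytes(y1 if b else y0, rc)

def precomputed_ot(m0, m1, b):
    """Whole flow: one offline random OT, then an online phase with only XORs."""
    (r0, r1), (c, rc) = offline_random_ot(len(m0))
    z = online_p1_reveal(b, c)
    y0, y1 = online_p0_pad(m0, m1, r0, r1, z)
    return online_p1_output(b, rc, y0, y1)
```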

Public-key Encryption with Key Samplability: El Gamal
Example of public-key encryption with public-key samplability (El Gamal public-key encryption):
Gen(1^n): select a generator g for a cyclic group G and a random exponent x; compute h = g^x; output sk = x and pk = (G, g, h).
fGen(1^n): select a generator g for a cyclic group G; randomly select h* ∈ G; output pk* = (G, g, h*). The sk* corresponding to pk* is dlogg(h*), which is difficult to compute given only G, g and pk* (discrete log assumption).
Enc(m, pk) with pk = (G, g, h): select a random exponent r; compute C1 = g^r and C2 = h^r · m; output C = (C1, C2).
Dec(C, sk) with C = (C1, C2) and sk = x: compute (C1)^x; output m = C2 / (C1)^x.
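The El Gamal instantiation of (Gen, Enc, Dec, fGen) and the EGL85 OT built on it (the two preceding slide groups), as an added Python example that is not code from the slides. The group parameters are constructed toy values: p = 1019 = 2·509 + 1 is a safe prime, G is the order-509 subgroup of quadratic residues generated by g = 4; a real deployment needs a large group. Messages are group elements, as in the slides' Dec formula; function names are my own:

```python
import secrets

# Constructed toy parameters: safe prime p, subgroup order q, generator g of the QR subgroup.
P, Q, G_GEN = 1019, 509, 4

def gen():
    """Gen: sk = x, pk = h = g^x (G and g are public constants here)."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G_GEN, x, P), x

def fgen():
    """fGen: a uniformly random element h* of G. It is sampled through an exponent that is
    immediately discarded, so nobody holds dlog_g(h*); its distribution equals a genuine pk."""
    y = secrets.randbelow(Q - 1) + 1
    return pow(G_GEN, y, P)

def enc(m, h):
    """Enc: C = (g^r, h^r · m) for a group element m."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G_GEN, r, P), (pow(h, r, P) * m) % P

def dec(c, x):
    """Dec: m = C2 / C1^x  (pow with a negative exponent is a modular inverse, Python 3.8+)."""
    c1, c2 = c
    return (c2 * pow(c1, -x, P)) % P

# EGL85 semi-honest 1-out-of-2 OT on top of the samplable scheme.
def receiver_round1(b):
    """P2: genuine key in position b, fake key in position 1-b; keeps sk for position b."""
    pk, sk = gen()
    pk_fake = fgen()
    pks = (pk, pk_fake) if b == 0 else (pk_fake, pk)
    return pks, sk

def sender_round2(m0, m1, pks):
    """P1: encrypts m0 under pk0 and m1 under pk1; the two keys look alike, so b stays hidden."""
    return enc(m0, pks[0]), enc(m1, pks[1])

def receiver_output(b, sk, cts):
    """P2 can only open c_b; c_{1-b} is under the key whose secret nobody knows."""
    return dec(cts[b], sk)

def egl85_ot(m0, m1, b):
    pks, sk = receiver_round1(b)
    cts = sender_round2(m0, m1, pks)
    return receiver_output(b, sk, cts)
```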