Secure Multiparty Computation goes Live Peter Bogetoft, Dan Christensen, Ivan Damgård, Martin Geisler, Thomas Jakobsen, Mikkel Krøigaard, Janus Nielsen,

Secure Multiparty Computation goes Live Peter Bogetoft, Dan Christensen, Ivan Damgård, Martin Geisler, Thomas Jakobsen, Mikkel Krøigaard, Janus Nielsen, Jesper Nielsen, Kurt Nielsen, Jacob Pagter, Michael Schwartzbach, Tomas Toft Barbados, 2009 Ivan Damgård Århus University

January 14, Danish farmers trade production rights for sugarbeets via an electronic auction. As a result, tons worth of production rights change owner. The market price at which trading occurs is computed by 3 servers, based on encrypted bids that are never decrypted. First large-scale application of Secure Multiparty Computation.

Some Background. About 5000 Danish farmers produce sugarbeets. A farmer owns a contract, a production right, allowing him to produce a certain quantity of beets. Beets are delivered to Danisco, the only Danish sugar producer. Recently the EU drastically reduced support for production; as a result there is an urgent need to move production to the places where it pays best. Hence the need for a nation-wide market where production rights can be traded. Decision: use a double auction.

Double Auction. Some commodity is traded. Many sellers, many buyers. Each bid from a seller is a list of numbers: "At each possible price per unit, I want to sell this much"; similar for buyers. Send to auctioneer. For each possible price, the auctioneer adds up bids to find total supply and total demand in the market at that price. [Figure: supply and demand curves against price per unit and quantity; the market clearing price is at their intersection.] Everybody gets to sell or buy the quantity they were willing to sell or buy at the mcp. Demand goes down and supply goes up with increasing price, so a solution can be found by binary search: the number of comparisons is logarithmic in the number of prices.
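The clearing procedure described above, as an added example written in the clear (not SIMAP code): the bids are constructed sample data, they are aggregated per price, and the market clearing price is found by binary search over the monotone supply/demand relation, counting the comparisons the secure protocol would have to perform.

```python
# Constructed sample: eight possible prices per unit (unit and currency assumed).
PRICES = [10, 20, 30, 40, 50, 60, 70, 80]

# One bid = quantity at each possible price. Sellers offer more as the price rises,
# buyers want less. All values are constructed for illustration.
SELLER_BIDS = [
    [0, 0, 10, 20, 30, 40, 40, 40],
    [0, 5, 10, 15, 20, 25, 30, 35],
]
BUYER_BIDS = [
    [50, 45, 40, 30, 20, 10, 0, 0],
    [30, 30, 25, 20, 10, 5, 0, 0],
]

def aggregate(bids):
    """Total quantity per price index: the additions done on secret shares in the real system."""
    return [sum(column) for column in zip(*bids)]

def clearing_index(supply, demand):
    """Binary search for the first price index where supply >= demand.
    Supply is non-decreasing and demand non-increasing in the price, so the predicate
    is monotone and only log2(#prices) comparisons are needed; the count is returned too."""
    lo, hi, comparisons = 0, len(supply) - 1, 0
    while lo < hi:
        mid = (lo + hi) // 2
        comparisons += 1                      # the one operation that is costly under MPC
        if supply[mid] >= demand[mid]:
            hi = mid
        else:
            lo = mid + 1
    return lo, comparisons

def clear_auction(seller_bids, buyer_bids, prices):
    """Market clearing price and the quantity each participant trades at that price.
    Any excess on one side at the discrete mcp is not rationed here, as on the slide."""
    supply, demand = aggregate(seller_bids), aggregate(buyer_bids)
    idx, comparisons = clearing_index(supply, demand)
    return {
        "mcp": prices[idx],
        "supply": supply[idx],
        "demand": demand[idx],
        "sells": [bid[idx] for bid in seller_bids],   # what each seller sells at the mcp
        "buys": [bid[idx] for bid in buyer_bids],     # what each buyer buys at the mcp
        "comparisons": comparisons,
    }

if __name__ == "__main__":
    print(clear_auction(SELLER_BIDS, BUYER_BIDS, PRICES))
```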

Privacy of Bids – Who should be auctioneer? In the sugar beet case, privacy of bids is crucial. Bids reveal private information about a farmer's economy. In a survey, 75% said it was important to them that bids were confidential. Information on farmers' economic situation can be misused by Danisco => Danisco cannot be auctioneer. Farmers could do it themselves? No, Danisco wants some control: some farmers owe Danisco money, and contracts act as security. Besides, farmers do not all trust each other. Hire a consultancy house to be auctioneer? No, too expensive. Solution chosen: do an electronic double auction with a "virtual auctioneer", implemented by Danisco, DKS (the farmers' organization) and the SIMAP research project, using multiparty computation.

Multiparty computation, intuition. m input clients I1, ..., Im and n servers P1, P2, …, Pn. Usually m large, n small (ex. m = 1500, n = 3). Player Ii submits input xi in appropriately encrypted form. By collaborating, P1, .., Pn compute y = f(x1, …, xm) for some function f. Must be done securely, i.e., all learn the correct value of y, and nothing except y is made public. In particular no input is decrypted, and no Pi gets access to any information on the inputs. P1, .., Pn implement a "virtual trusted party".

Computation needed. Lots of additions to find total demand/supply at each price. Some comparisons to do binary search for the market clearing price. Comparison results can be public; they follow anyway from the value of the market clearing price. Protocols Used. Based on Shamir secret sharing modulo a sufficiently large prime p (65 bits in our case). Notation: [c] means c, secret shared. Addition and multiplication are easy using standard tools. Comparison is a bit harder.

Comparison cont'd. Problem: hard to go from [c] to [c_0], [c_1], …, [c_n], where [c_i] is the i'th bit of c. Observation (from Damgård et al., TCC 07): much easier to go from [c_0], [c_1], …, [c_n] to [c], since Shamir secret sharing is linear: just multiply by 2-powers and add. Suppose we know a, b are at most t-bit numbers. Algorithm: 1. Generate random shared 0/1 values [r_0], …, [r_v] and compute [r], where r = r_0 + 2 r_1 + … + 2^v r_v, with v chosen so that r >> a, b. 2. Compute and open T = r + 2^t + a − b (statistically secure since r >> a, b). 3. Remaining problem: if we subtract the bit-wise shared number r from the public T, will bit no. t be set? Hence it is enough to do a linear (in t) number of binary operations. In paper: technique to do this in a logarithmic number of rounds.
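The three steps above, as an added example that is not the SIMAP code: a toy three-server Shamir setting over the Mersenne prime 2^61 − 1 (assumed here; the live system used a 65-bit prime), with BGW-style resharing for multiplication and the borrow chain of step 3 run on the shared bits of r against the public bits of T, in the linear number of rounds rather than the paper's logarithmic variant.

```python
import random
P = 2**61 - 1      # Mersenne prime, assumed here; the live system used a 65-bit prime
N, D = 3, 1        # three servers, degree-1 polynomials: one server alone learns nothing
X = [1, 2, 3]      # evaluation point of each server

def share(s):
    """Shamir-share s: random degree-D polynomial with f(0) = s, one point per server."""
    coeffs = [s % P] + [random.randrange(P) for _ in range(D)]
    return [sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P for x in X]

def lagrange0(xs):
    """Lagrange weights for evaluating at 0 a polynomial known at the points xs."""
    lam = []
    for i, xi in enumerate(xs):
        num = den = 1
        for j, xj in enumerate(xs):
            if i != j:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        lam.append(num * pow(den, P - 2, P) % P)
    return lam

LAM = lagrange0(X)                     # 3 points recover any polynomial of degree <= 2
def reveal(sh):   return sum(l * s for l, s in zip(LAM, sh)) % P
def add(a, b):    return [(x + y) % P for x, y in zip(a, b)]
def scale(k, a):  return [k * x % P for x in a]          # public constant times [a]
def const(k):     return [k % P] * N                     # public constant as a sharing
def mul(a, b):
    """[a]*[b]: local products have degree 2D; each server reshares its product and
    all recombine with the Lagrange weights (BGW degree reduction, one round)."""
    resh = [share(x * y % P) for x, y in zip(a, b)]      # resh[i][j]: server i's piece for j
    return [sum(LAM[i] * resh[i][j] for i in range(N)) % P for j in range(N)]
def xor(a, b):    return add(add(a, b), scale(P - 2, mul(a, b)))   # a + b - 2ab

def compare_geq(a, b, t=8, v=40):
    """Shares of the bit [a >= b] for t-bit a, b, following the slide's three steps."""
    assert 0 <= a < 2**t and 0 <= b < 2**t and 2**(v + 1) + 2**(t + 1) < P
    rbits = [share(random.randrange(2)) for _ in range(v + 1)]   # step 1: random shared bits
    r = const(0)
    for i, rb in enumerate(rbits):
        r = add(r, scale(pow(2, i, P), rb))                      # [r] = sum 2^i [r_i], linear
    diff = add(share(a), scale(P - 1, share(b)))                 # [a] - [b]
    T = reveal(add(add(r, const(2**t)), diff))                   # step 2: open T = r + 2^t + a - b
    borrow = const(0)                                            # step 3: bit t of T - r, T public
    for i in range(t):
        if (T >> i) & 1:      # T_i = 1: borrow out = r_i AND borrow
            borrow = mul(rbits[i], borrow)
        else:                 # T_i = 0: borrow out = r_i OR borrow = r_i + borrow - r_i*borrow
            borrow = add(add(rbits[i], borrow), scale(P - 1, mul(rbits[i], borrow)))
    bit = xor(rbits[t], borrow)                                  # (T - r)_t = T_t xor r_t xor borrow
    return add(const(1), scale(P - 1, bit)) if (T >> t) & 1 else bit
```

Only T is ever opened; the comparison result stays shared until the servers choose to reveal it, which on this page they may, since it follows from the clearing price anyway.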

How to deliver inputs. The obvious idea: the client secret shares each input number and encrypts all shares intended for Pi under his public key. Communication then becomes linear in the number of servers: to encrypt B bits, one must send O(nB) bits. In paper: technique to encrypt shares such that only an additive overhead depends on the number of servers, i.e. one needs to send O(n) + O(B) bits.

Implementation Architecture. [Figure: system architecture. Submitting bids: farmer, Java applet, log-in session, encrypted bid, SIMAP web server, DB. Computation: SIMAP, DKS and Danisco servers, Danisco LAN.]

Performance 1

Performance 2

Why Multiparty Computation? If some party has access to the private data in the clear, everyone has to agree on a security policy: who is allowed access, and when? Who is held responsible if data leaks, and what are the consequences? => Difficult negotiations, because the parties have conflicting interests; this could have halted the entire project. => Nobody wanted the responsibility of having to store the bids in clear. These concerns seem more important than fear of a malicious attack by the "opponent" => security against malicious attacks seems less important. With multiparty computation, bids are kept protected at all times, hence it is easier to communicate the security policy to the farmers. An MPC-based software solution can be developed and scrutinized once, and the cost can be amortized over several applications. In contrast, having a consultancy house act as trusted party costs a fee every time.

Use secure hardware instead? This is also a single trusted party solution! Even if the hardware protection cannot be broken, security depends on how the hardware box is administered, maintained, backed up etc. Hence we still need to agree on a common security policy. It seems more natural for players to use hardware to improve their own security.

In Conclusion. Applications of MPC can be realized with the efficiency and functionality that is required in real life. The ability of MPC to keep private data secret from everyone really is useful in practice. More applications? I think yes, but give it time! Compare to digital signatures: invented in 1977, the first nation-wide system in Denmark started 2 years ago! More info on research projects, see [link]. New spin-off by the SIMAP people: [link].

Attacks. External attacks: need to handle those, but similar issues and solutions as in lots of other applications. Attacks by bidders: we can protect against malicious bidders, but we decided the risk was too low to motivate the cost. Attacks by parties doing the computation: no party seriously suspected others of a malicious attack, BUT it was not acceptable to give all the bids to the opponent AND nobody wanted the responsibility of dealing with the private data. That would lead to the earlier mentioned problems with agreeing on a security policy etc. Hence we went for semi-honest security.