Secure Computation (Lecture 2) Arpita Patra. Vishwaroop of MPC.

Expanding the scope of MPC
Dimension 1: Any polynomially computable function can be computed securely.
>> So far you have seen how to compute addition and bit multiplication securely
>> less than, equal to, greater than
>> AES encryption function
>> any encryption function (key and message in different locations, or shared)
>> satellite collision probability computation function
>> set intersection ...

Two models of Computation
Secure circuit evaluation: nothing other than the output gate value will be revealed.
>> Boolean Circuit (AND, OR, NOT, XOR): f(x1, x2, x3, x4); inputs are bits
>> Arithmetic Circuit over a finite field (Addition and Multiplication): f(x1, x2, x3, x4); inputs are field elements
(Figure: a Boolean circuit of ∧/∨ gates and an arithmetic circuit of +/× gates, each over the inputs x1, x2, x3, x4.)

Which one will you prefer?
Dimension 1: Any polynomially computable function can be computed securely.
Depends on the f that you want to compute:
>> Arithmetic Circuit over a finite field (Addition and Multiplication): f(x1, x2) = x1 + x2 with x1, x2 from F5 is a single + gate, whereas the Boolean circuit needs more than one gate.
>> Boolean Circuit (AND, OR, NOT, XOR): non-linear operations (comparison, greater than, etc.) are more concisely represented in a Boolean circuit.

Which one will you prefer?
Dimension 1: Any polynomially computable function can be computed securely.
>> Boolean Circuit (AND, OR, NOT, XOR) and Arithmetic Circuit over a finite field (Addition and Multiplication): huge body of work
>> Combination (B + A): very little work so far, scope for research

Expanding the scope of MPC
Dimension 2.1: Varieties of network (complete vs. incomplete)
Complete Network:
>> Most of the works are in this model
>> Practical for applications involving very few parties (less than 10)
Incomplete Network:
>> Very little explored
>> Practical for applications where billions can participate (e-election)

Expanding the scope of MPC
Dimension 2.2: Varieties of network (synchronous vs. asynchronous)
Synchronous Network:
>> Global clock
>> Channels have fixed delay
>> A party knows how long to wait
(Figure: one party computes and sends x, the other waits to receive x.)

Asynchronous Network:
>> No global clock
>> Channels have arbitrary yet finite delay
>> A party does not know how long to wait: is the sender cheating or just slow?
>> "Oh! I have to drop the message"
(Figure: one party computes and sends x, the other waits to receive x.)

Asynchronous Network: n parties and t of them may cheat
>> Cannot wait for all n parties, else endless waiting
>> Can afford to wait to listen from (n-t) parties
>> But this leads to ignoring the messages of t honest parties

Secure Addition y = x1 + x2 + x3 (assume n=3 parties) in asynchronous settings
(Figure: each Pi splits xi into shares xi1, xi2, xi3 and sends xij to Pj; Pj adds the shares it receives into sj; y = s1 + s2 + s3.)
>> One of the parties may cheat. This simple protocol does not work!
>> No input provision!
>> No protocol with n parties where t will be cheating works when n ≤ 3t

Expanding the scope of MPC
Dimension 2.3: Varieties of network (synchronous vs. asynchronous vs. hybrid)
Synchronous Network:
>> Most of the works are in this model
>> Simple to comprehend
>> Models a small local network
Asynchronous Network:
>> Less explored
>> Models real-life networks better than the synchronous network
>> Hard and challenging to deal with
>> Many impossibility results
>> Scope of work
Hybrid Network (synchronous up to some point and asynchronous afterwards):
>> Very little explored again
>> Models real-life networks better than the synchronous network
>> Some of the impossibility results in the asynchronous network are shown to be possible here
>> Scope of work

Expanding the scope of MPC
Dimension 3: Modelling Distrust
(Figure: the three-party secure addition x = x1 + x2 + x3 with shares xij and partial sums s1, s2, s3, as before.)
>> Protected against a single curious party
>> What if the parties are curious and join hands?

Expanding the scope of MPC
Dimension 3: Modelling Distrust (centralized vs. decentralized)
>> Bad people work together
>> To model this, we assume that there is a single monolithic/centralized entity, which we call the adversary (A), who controls a number of the n parties.

Redefine MPC
>> n parties P1, ..., Pn; 'some' are corrupted by A
>> A common n-input function f
>> Pi has private input xi
Goals:
>> Correctness: Compute y = f(x1, x2, ..., xn)
>> Privacy: Nothing more than y is leaked to A

Secure Addition y = x1 + x2 + x3 + x4 with n=4 and t=2
(Figure: the three-share secure addition protocol run with four parties P1, ..., P4; y = s1 + s2 + s3 + s4.)
>> Can you modify the secret sharing and tolerate a coalition of two?

Secure Addition y = x1 + x2 + x3 + x4 with n=4 and t=2
(Figure: each Pi now splits xi into four shares xi1, xi2, xi3, xi4, one per party; Pj adds the shares it receives into sj; y = s1 + s2 + s3 + s4.)
>> All the parties together hold the secret. Any two parties hold no info about the secret.

Expanding the scope of MPC
Dimension 4.1: Various characteristics of adversary A (threshold vs. non-threshold)
Threshold: A can corrupt at most t out of n (n: total number of participating parties; t = threshold; t < n)
>> Most of the works are in this model because of its simplicity
Non-Threshold: A's behaviour is captured by a set of subsets of parties. A can corrupt one of the subsets.
E.g. P = {P1, P2, P3}, A = {{P1}, {P2, P3}}
>> Generalization of threshold
>> Less explored
>> Models real-life scenarios
>> Very non-intuitive
>> Non-threshold secret sharing

Expanding the scope of MPC
Dimension 4.2: Various characteristics of adversary A (polynomially bounded vs. unbounded powerful)
Polynomially Bounded: A has polynomial computing power
>> Well explored
>> Relies on cryptography based on number-theoretic hard problems
>> Cryptographic/Computational
Unbounded: A has unbounded computing power
>> Well explored
>> Does not rely on any hard problem
>> Even if A has quantum computers, it cannot break privacy: very strong security
>> Information-theoretic
>> Impossibility results for n ≤ 2t
One of the earlier demarcations made in the study of MPC. We will see both types of protocols in the course.

Secure bit multiplication y = x 1  x 2 with (n=2,t=1) using crypto x1x1 P1P1 P2P2 x2x2 1-out-of-2 OT 0 x1x1 x2x2 x1x2x1x2 OT CANNOT be realized information-theoretically!

Secure bit multiplication y = x 1  x 2 with (n=2,t=1) i.t. security x1x1 P1P1 P2P2 P1P1 x2x2 P2P2 x 12   We can use OT to compute the summand but then we use crypto! x 11 x 12 x 21 x 22 x 11 x 22 x 21 y = x 1  x 2 = (x 11 + x 12 )  (x 21 + x 22 ) = (x 11  x 21 + x 11  x 22 + x 12  x 21 + x 12  x 22 ) = x 12  x 22 = x 11  x 21 AND cannot be computed information theoretically with n ≤ 2t!

Secure Multiplication y = x 1  x 2 with (n=3,t=1) with i.t. security x1x1 P1P1 P2P2 P3P3 P1P1 x2x2 P2P2 x 12 x 13  s 1 = x 12  x 22 + x 12  x 23 + x 13  x 21   Use three party protocol for sum y= s 1 +s 2 +s 3 where s 1,s 2,s 3 act as secret inputs x 11 x 12 x 13 x 21 x 22 x 23 x 11 x 13 x 11 x 12 x 22 x 23 x 21 x 23 x 21 x 22 y = x 1  x 2 = (x 11 + x 12 + x 13 )  (x 21 + x 22 + x 23 ) = (x 11  x 21 + x 11  x 22 + x 11  x 23 + x 12  x 21 + x 12  x 22 + x 12  x 23 + x 13  x 21 + x 13  x 22 + x 13  x 23 ) s 2 = x 11  x 23 + x 13  x 21 + x 13  x 23 s 3 = x 11  x 21 + x 11  x 22 + x 12  x 21 This breaches privacy since it is not supposed to learn x 2 when x 1 = 0 Can the parties exchange s 1, s 2, s 3 ? If P 1 is corrupted, it can learn x 2 irrespective of the value for x 1 ! How?

Expanding the scope of MPC
Dimension 4.3: Various characteristics of adversary A (semi-honest vs. malicious vs. covert)
Passive/Semi-honest: A is a passive observer; it eavesdrops on the corrupted parties
>> Well explored
>> Often acts as a starting point for malicious protocols
Active/Malicious: A takes full control over the corrupted parties
>> Well explored
>> Final goal
>> Demands a whole lot of new primitives: Commitment, Zero-knowledge Proofs, Byzantine agreement/broadcast
Covert: A behaves maliciously only when its probability of getting caught is low
>> Very little explored
>> More efficient solutions than maliciously secure protocols
>> Scope of work
One of the earlier demarcations made in the study of MPC. First half of the course: semi-honest. Second half: malicious.

Secure Addition y = x1 + x2 + x3 with n=3 and t=1 in the Malicious Setting
(Figure: the three-party secure addition with shares xij and partial sums s1, s2, s3; y = s1 + s2 + s3.)
>> P1, under the influence of A, may not send its shares to the others!

Secure Addition y = x1 + x2 + x3 with n=3 and t=1 in the Malicious Setting
(Figure: P1 sends s1 to P2 but a different value s'1 to P3, so P2 computes y = s1 + s2 + s3 while P3 computes y' = s'1 + s2 + s3.)
>> A can make P2 and P3 output different sums!
>> If you are thinking that the problem can be resolved by exchanging the outputs, you are absolutely wrong!
>> Primitive 3 (Byzantine Agreement/broadcast): another fundamental building block of MPC