Secure Computation Lecture Arpita Patra
Recap > Shamir Secret-sharing > BGW Protocol based on secret-sharing > Offline/Online phase > Creating offline material and how to use them in online phase (Beaver’s trick etc) >> i.t MPC with Honest Majority >> i.t MPC with DisHonest Majority Impossible >> Crypto MPC > OT (from PKE with public-key samplability / Dual-mode Encryption) > GMW (2 and n-party) Protocol from OT and additive secret-sharing > Optimizations of GMW- preprocessing OT, Domain Extension, OT Extension (IKNP/KK13) > Yao Protocol using garbled circuit and OT > Optimazations- point-and-permute, garbled row reduction, Free-XOR > Multi-party Yao i.e. BMR
Entering into the world of Malicious Adversary
i.t Multi-party Computation [BGW] Reconstruct the Shamir-sharing of the output by exchanging shares with each other 3 Non-linear gate: Require degree- reduction Technique. Interactive 2. Find (n, t)-sharing of each intermediate value 1.(n, t)- secret share each input Linear gates: Linearity of Shamir Sharing - Non-Interactive
Sharing Phase: (n,t) – Secret-Sharing x2x2 x3x3 x n x1x1 … Random polynomial of degree t over F p s.t p>n P1P1 P2P2 PnPn P3P3
Secret Sharing with Malicious Dealer Inconsistent share …………. Inconsistent share Inconsistent Share Inconsistent share Shamir Sharing: Points on a polynomial of degree more than t Duality: An honest dealer must pass where a malicious one should fail Verifiable Secret Sharing (VSS)
Reconstruction Phase: (n,t)-Shamir-sharing x2x2 x3x3 x n x1x1 P1P1 P2P2 PnPn P3P3 PiPi The same is done for all P i Lagrange’s Interpolation
Reconstruction Phase: (n,t)-Shamir-sharing Malicious A t Verifiable Secret Sharing (VSS) handles this too!
Definition of VSS [CGMA85] Extends Secret Sharing to the case of malicious corruption Secret s Dealer v1v1 v2v2 v3v3 v n Sharing Phase Reconstruction Phase Secret s … s is secure s is committed
Secrecy Correctness Strong Commitment –If D is honest, then A t has no information about secret s during the Sharing phase –If D is honest, then secret s will be correctly reconstructed during reconstruction phase –Corrupted D commits a unique s* - s* should be uniquely reconstructed n parties P = {P 1, …, P n }, dealer D (e.g., D = P 1 ) t corrupted parties (possibly including D) A t Definition of VSS [CGMA85] Continued..
SS to VSS SS SS with Cheaters / Honest Dealer VSS VSS A t is semi-honest A t is malicious Dealer is Honest Dealer is honest A t is malicious Dealer may be controlled by A t !
i.t Multi-party Computation Reconstruct the Shamir-sharing of the output by exchanging shares with each other 3 Non-linear gate: Require degree- reduction Technique. Interactive 2. Find (n, t)-sharing of each intermediate value 1.(n, t)- secret share each input Linear gates: Linearity of Shamir Sharing - Non-Interactive
Secure Multiplication Gate Evaluation x2x2 x3x3 x n x1x1 P1P1 P2P2 PnPn P3P3 y2y2 y3y3 y n y1y1 x y x 1 y 1 = z 1 x 2 y 2 = z 2 x 3 y 3 =z 3 x n y n = z n xy xy f(x) = f 1 (x) f 2 (x) of degree 2t f 1 (x) f 2 (x) Recombination Vector (r 1, …,r n ) where
Secure Multiplication Gate Evaluation x2x2 x3x3 x n x1x1 P1P1 P2P2 PnPn P3P3 y2y2 y3y3 y n y1y1 x y x 1 y 1 = z 1 x 2 y 2 = z 2 x 3 y 3 =z 3 x n y n = z n xy xy z1z1 z2z2 z3z3 znzn Shamir-share f 1 (x) f 2 (x) Shamir-share Recombination Vector (r 1, …,r n ) r 1 z r n z n xyxy f(x) = f 1 (x) f 2 (x) of degree 2t
Secure Multiplication Gate Evaluation x2x2 x3x3 x n x1x1 P1P1 P2P2 PnPn P3P3 y2y2 y3y3 y n y1y1 x y x 1 y 1 = z 1 x 2 y 2 = z 2 x 3 y 3 =z 3 x n y n = z n xy xy z1z1 z2z2 z3z3 znzn VSS-share f 1 (x) f 2 (x) VSS-share Recombination Vector (r 1, …,r n ) r 1 z r n z n xyxy f(x) = f 1 (x) f 2 (x) of degree 2t
Secure Multiplication Gate Evaluation x2x2 x3x3 x n x1x1 P1P1 P2P2 PnPn P3P3 y2y2 y3y3 y n y1y1 x y x 1 y 1 = z 1 x 2 y 2 = z 2 x 3 y 3 =z 3 x n y n = z n xy xy z1z1 z2z2 z’ 3 z’ n VSS-share f 1 (x) f 2 (x) VSS-share Recombination Vector (r 1, …,r n ) r 1 z r n z’ n z f(x) = f 1 (x) f 2 (x) of degree 2t O1: Prevent them in doing this. n ≥ 2t+1 O2: Find a mechanism so that we can correct the errors- n ≥ 3t+1
i.t Multi-party Computation Reconstruct the Shamir-sharing of the output by exchanging shares with each other 3 Non-linear gate: Require degree- reduction Technique. Interactive 2. Find (n, t)-sharing of each intermediate value 1.(n, t)- secret share each input Linear gates: Linearity of Shamir Sharing - Non-Interactive VSS with n ≥ 3t+1 For perfect security n ≥ 3t+1 is necessary and sufficient.
Perfect VSS with n>= 3t+1 Bivariate Polynomial of degree t in x,y as the basis- F(x,y) Univariate Polynomial of degree t in x as the basis – f(x) F(x,i) & F(i,y)- ith share f(i)- ith share t F(x,i)’s and F(i,y)’s will leak NO info about F(0,0) F(0,0)- secret f(0)- secret t f(i)’s will leak NO info about f(0) t+1 F(x,i)’s (F(i,y)’s) will completely determine F(x,y) – Lagrange’s formula t+1 f(i)’s will completely determine f(x) – Lagrange’s formula F(x,i) F(i,y) F(x,j) F(j,y) Pi Pj F(j,i) F(i,j) F(j,i) Ensure every pair Happy
Perfect VSS with n>= 3t+1 Bivariate Polynomial of degree t in x,y as the basis- F(x,y) Univariate Polynomial of degree t in x as the basis – f(x) f(i)- ith share t F(x,i)’s and F(i,y)’s will leak NO info about F(0,0) F(0,0)- secret f(0)- secret t f(i)’s will leak NO info about f(0) t+1 F(x,i)’s (F(i,y)’s) will completely determine F(x,y) – Lagrange’s formula t+1 f(i)’s will completely determine f(x) – Lagrange’s formula Two random univariate polynomials of degree at most t with the secret F(0,0) as the constants. F(x,i) & F(i,y)- ith share F(0,y) and F(x,0) Pi has F(0,i) and F(i,0)- Shamir share of F(0,0)
Rest on the board Matrix view of bivariate polynomial Claim: t F(x,i)’s and t F(i,y)’s will leak NO info about F(0,0). Claim: (t+1) F(x,i)’s or (t+1) F(i,y)’s completely determines F(x,y). Six round VSS and proof Reducing the number of rounds to four
Feasibility of VSS How big t is compared to n? Adversary (A t )Characterization Polynomially Bounded Adversary n ≥ 2t + 1, t ≥1 Unbounded Adversary and no error allowed n ≥ 3t + 1, t ≥1 Unbounded Adversary and error allowed in reconstruction n ≥ 2t+ 1, t ≥1 Round Complexity (Sharing Phase) No. of Interaction 2 3 3
Interplay of Round Complexity and Fault tolerance in VSS Unbounded Powerful Adversary Adversary (A t )CharacterizationRound Complexity Polynomially Bounded Adversary n ≥ 2t + 1, t ≥1 t = 1; n ≥ Unbounded Adversary and no error allowed n ≥ 3t + 1, t ≥1 n ≥ 4t + 1, t ≥1 t = 1; n ≥ Unbounded Adversary and error allowed in reconstruction n ≥ 2t+ 1, t ≥1 n ≥ 3t+ 1, t ≥1 t = 1; n ≥ ASIACRYPT’11 [BKP] CRYPTO’09 [PCRR], ASIACRYPT’10 [KPR] STOC’01 [GIKT] TCC’06 [FGGRS]
Chalk & Talks CT3 [BH08]: Perfectly secure MPC with Linear Communication Complexity. CT4 [BFO12]: Near-Linear Unconditionally-Secure Multiparty Computation with a Dishonest Minority. CT1 [PCRR09]: The Round Complexity of Verifiable Secret Sharing Revisited