Published by Isabella Barnett. Modified over 8 years ago.
1
Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation
YE Jian-wei
March 7, 2009
2
Outline
Full fair secure two-party computation
– Problem
– Existing methods
Our method
– Overview
– Advantages
– Cryptography foundation
– New Full Fair Secure Two-party Computation Protocol
3
Full fair secure two-party computation: problem
Two parties, A with input x and B with input y, jointly compute a two-output function f(x,y) = (f_A(x,y), f_B(x,y)).
Secure: A learns only x and f_A(x,y); B learns only y and f_B(x,y).
Fair: A learns f_A(x,y) iff B learns f_B(x,y).
4
Full fair secure two-party computation: existing methods
For security
– Garbled circuit computation
For fairness
– Gradual release technique
– Methods employing a trusted third party
5
Full fair secure two-party computation: existing methods
Gradual release technique
– Without third parties
– At the cost of many rounds of interaction
– Impossible to get full fairness
6
Full fair secure two-party computation: existing methods
Methods employing a trusted third party
– Full fairness
– The trusted third party must be neutral (does not collude with A or B)
– Single point of failure
– Performance bottleneck
7
Our method: overview
– Full fairness
– Employs Yao's garbled circuit computation for security
– Employs a group of servers as the third party for full fairness
8
Our method: advantages
1. Weakening the trust assumption. Our method does not require that all third-party servers be trusted, only that more than two-thirds of them are honest.
2. Protection against collusion. Our method preserves fairness when fewer than one-third of the servers are dishonest (or malicious) and collude with any party.
9
Our method: advantages
3. Fault tolerance. In our method, not all servers need to be available at all times. More precisely, when the number of dishonest servers is m, only 3m+1 servers are needed simultaneously.
10
Our method: cryptography foundation
1. Garbled circuit computation
2. Verifiable encryption scheme of Jarecki and Shmatikov (sCS encryption scheme)
3. Zero-knowledge proof (ZKP) protocols of Jarecki and Shmatikov
4. Verifiable threshold secret sharing (VTSS) scheme of Pedersen
11
Garbled circuit computation
1. A constructs a boolean circuit, C, computing f(x,y)
2. A garbles C to GC
3. A sends GC, the garbled x and the cleartext interpretation of f_B(x,y) to B
4. B gets the garbled y from A
5. B computes GC and gets its output, the garbled f_A(x,y) and the garbled f_B(x,y)
6. B ungarbles the garbled f_B(x,y) to get f_B(x,y), using the cleartext interpretation of f_B(x,y)
7. B sends the garbled f_A(x,y) to A
8. A ungarbles the garbled f_A(x,y) to get f_A(x,y)
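The eight steps above on a toy two-gate circuit, as an added example that is not from the slides. Assumptions: f_A = x AND y and f_B = x XOR y are chosen for illustration, rows are encrypted with SHA-256 plus a zero tag, and step 4 is a direct lookup standing in for whatever transfer the real protocol uses.

```python
import hashlib, secrets

def H(ka, kb, gid):                       # row key derived from both input labels
    return hashlib.sha256(ka + kb + gid).digest()

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def garble_gate(gid, fn, wa, wb):
    """Encrypt each output label under the pair of input labels that selects it."""
    out = [secrets.token_bytes(16), secrets.token_bytes(16)]
    rows = [xor(H(wa[a], wb[b], gid), out[fn(a, b)] + bytes(16))
            for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(rows)  # hide which row belongs to which inputs
    return rows, out

def eval_gate(gid, rows, ka, kb):
    pad = H(ka, kb, gid)
    for row in rows:
        plain = xor(row, pad)
        if plain[16:] == bytes(16):       # zero tag: the only row these labels open
            return plain[:16]
    raise ValueError("no row decrypted")

def run(x, y):
    # Steps 1-2: A garbles a toy circuit with f_A = x AND y, f_B = x XOR y.
    wx = [secrets.token_bytes(16) for _ in range(2)]
    wy = [secrets.token_bytes(16) for _ in range(2)]
    gc_a, out_a = garble_gate(b"fA", lambda a, b: a & b, wx, wy)
    gc_b, out_b = garble_gate(b"fB", lambda a, b: a ^ b, wx, wy)
    # Step 3: A sends GC, garbled x and the cleartext interpretation of f_B only.
    interp_b = {out_b[0]: 0, out_b[1]: 1}
    kx = wx[x]
    # Step 4: B gets garbled y (direct lookup here, an assumption of this sketch).
    ky = wy[y]
    # Step 5: B evaluates GC and holds both garbled outputs.
    g_fa, g_fb = eval_gate(b"fA", gc_a, kx, ky), eval_gate(b"fB", gc_b, kx, ky)
    # Step 6: B ungarbles f_B. B now has its output before A has anything.
    f_b = interp_b[g_fb]
    b_can_read_fa = g_fa in interp_b      # False: B has no interpretation for f_A
    # Steps 7-8: only if B returns garbled f_A can A ungarble it.
    f_a = out_a.index(g_fa)
    return f_a, f_b, b_can_read_fa
```

B holds f_B after step 6 while A's output still depends on B carrying out step 7, which is the fairness gap the rest of the deck addresses.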
12
sCS encryption scheme
– A simplification of the verifiable encryption scheme of Camenisch and Shoup
– Semantically secure in the CRS model under the DCR assumption and safe RSA moduli
– A very strong unambiguous encryption: a ciphertext that passes a certain proof system cannot decrypt to two different plaintexts under two different private keys. Moreover, no two distinct decryption keys can decrypt a ciphertext even to the same plaintext.
13
sCS encryption scheme
CRS.
14
sCS encryption scheme
sCS encryption.
15
sCS encryption scheme
sCS decryption.
16
ZKP protocols of Jarecki and Shmatikov
Relying on the unambiguity of the sCS encryption scheme, Jarecki and Shmatikov proposed the sCS commitment scheme and a group of efficient concurrently secure ZKP protocols.
sCS commitment scheme
17
ZKP protocols of Jarecki and Shmatikov
ZKP protocols
– ZKDL(g, X) is used to prove that there exists an x s.t. X^2 = g^{2x}.
– ZKNotEq(C_a, C_b) is used to prove that C_a, C_b are sCS commitments to different values.
– ZKPlainEq((u, e), C_k, C_m) is used to prove that (u, e) is an sCS encryption of the cleartext m committed (sCS commitment) in C_m under the key k committed in C_k.
18
VTSS scheme of Pedersen
Pedersen gave a semantically secure commitment scheme based on the difficulty of the discrete logarithm problem, and used it to propose a VTSS scheme in the CRS model.
CRS
19
VTSS scheme of Pedersen
Pedersen's commitment scheme
20
VTSS scheme of Pedersen
Sharing and verifying process
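A sketch of sharing, share verification and reconstruction in the standard Pedersen verifiable secret sharing construction, as an added example that is not taken from the slides. Assumptions: the toy group (P, Q, G, H) is constructed and far too small for real use, the secret lives in Z_Q rather than the deck's key range, and n = 4 servers with threshold t = 2 are illustrative choices.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2Q + 1, subgroup of order Q.
P, Q = 2039, 1019
G, H = 4, 9   # generators of the order-Q subgroup; log_G(H) must be unknown (CRS)

def poly_eval(coeffs, x):
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q

def share(k_d, t, n):
    """Dealer A: any t of the n servers can rebuild k_d; fewer learn nothing."""
    f = [k_d % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]  # f(0) = k_d
    r = [secrets.randbelow(Q) for _ in range(t)]                  # blinding polynomial
    commits = [pow(G, a, P) * pow(H, b, P) % P for a, b in zip(f, r)]
    shares = {i: (poly_eval(f, i), poly_eval(r, i)) for i in range(1, n + 1)}
    return shares, commits                                        # commits are public

def verify(i, share_i, commits):
    """Server i checks G^s_i * H^r_i == prod_j E_j^(i^j) (mod P)."""
    s_i, r_i = share_i
    rhs = 1
    for j, e_j in enumerate(commits):
        rhs = rhs * pow(e_j, pow(i, j, Q), P) % P
    return pow(G, s_i, P) * pow(H, r_i, P) % P == rhs

def reconstruct(points):
    """Lagrange interpolation at x = 0 over Z_Q from {server index: s_i}."""
    k_d = 0
    for i, s_i in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num, den = num * -j % Q, den * (i - j) % Q
        k_d = (k_d + s_i * num * pow(den, -1, Q)) % Q
    return k_d

def demo(k_d=777, t=2, n=4):
    shares, commits = share(k_d, t, n)
    honest_ok = all(verify(i, sh, commits) for i, sh in shares.items())
    s1, r1 = shares[1]
    forged_ok = verify(1, ((s1 + 1) % Q, r1), commits)   # a corrupted share
    recovered = reconstruct({i: shares[i][0] for i in (2, 4)})
    return honest_ok, forged_ok, recovered
```

Because every share is checked against the public commitments, a server or dealer that hands out a wrong share is detected before reconstruction rather than after it.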
21
New Full Fair Secure Two-party Computation Protocol
New ZKP protocol
ZKEq(C_{K_D}, C_{K_D}) proves that the sCS commitment C_{K_D} commits to the same value as the Pedersen commitment C_{K_D}.
22
New Full Fair Secure Two-party Computation Protocol: overview
In usual garbled circuit computation, A sends the cleartext interpretation of f_B(x,y) to B; therefore the circuit evaluator B may not send the garbled f_A(x,y) to A after getting his output f_B(x,y).
In our protocol:
– A commits to all output wire keys corresponding to f_B(x,y) in GC
– A shares a private key K_D ∈ [0, 2^{k''}] among a group of third-party servers using the VTSS scheme of Pedersen
– A provides B with an encrypted cleartext interpretation of f_B(x,y), CI_B
23
New Full Fair Secure Two-party Computation Protocol: overview
By correctly performing, with A, all ZKP protocols involved in the following formula, together with the verifying process of Pedersen's VTSS scheme, B is convinced that CI_B is correctly constructed and can be decrypted with the key (i.e. K_D) shared among the servers, and that he can retrieve the key to decrypt CI_B as long as he sends the correct output keys corresponding to f_A(x,y) to the servers.
24
New Full Fair Secure Two-party Computation Protocol: overview
25
After sending the correct output wire keys corresponding to f_A(x,y) to the servers, B gets enough shares of K_D to retrieve it and compute his output f_B(x,y). From then on, A can compute his output f_A(x,y) even if B sends him wrong output wire keys, by obtaining the correct ones from the servers.
26
New Full Fair Secure Two-party Computation Protocol: protocol
29
New Full Fair Secure Two-party Computation Protocol: analysis
Fairness
– When the number of dishonest servers m is less than s/3, our protocol guarantees that A learns f_A(x,y) iff B learns f_B(x,y).
Complexity
– Computational complexity is O(S + s^2)
– Communication complexity is O(S + s)
– Only two additional interaction rounds for full fairness
where S is the size of the circuit and s is the number of employed servers.
30
END! THANKS!