Round-Efficient Multi-Party Computation in Point-to-Point Networks Jonathan Katz Chiu-Yuen Koo University of Maryland
Motivation
- Suppose we want to obtain a practical protocol for a given task
- The protocol needs to be round-efficient
- If we know round-efficient solutions exist, we can then turn our attention to improving other aspects (such as computation)
- How do we know?
Motivation
Approach 1: Determine whether round-efficient solutions are possible after we are given the task
- Given task A, ask if round-efficient solutions for task A exist
- Given task B, ask if round-efficient solutions for task B exist
- Given task C, ask if round-efficient solutions for task C exist
- ……
Repetitive! Can we solve the problem once and for all?
Motivation
Approach 2: Determine whether round-efficient solutions for secure multi-party computation (MPC) exist
- An MPC protocol can solve almost every task
- A round-efficient solution for MPC implies the existence of round-efficient solutions for (almost) every task!
Our Motivation
- Previous work on round complexity (for the most part) has assumed a broadcast channel “for free”
- A broadcast channel enables one party to send the same message to all parties
- But in point-to-point networks, a broadcast channel does not come for free; it is emulated by a broadcast protocol
- High overhead
Our Motivation
- If the broadcast channel is emulated by a deterministic protocol, then the round complexity will be linear in the number of corrupted parties [FL82]
- This will not lead to sub-linear-round protocols
Our Motivation
- If the broadcast channel is emulated by a randomized protocol, then each round of broadcast can be emulated in an expected constant number of rounds (assuming honest majority) [FM88, FG03, KK06]
- But the exact constant is rather high
- If broadcast is used in more than one round, then we need to handle sequential composition of protocols without simultaneous termination; this leads to complication and a substantial increase in round complexity [LLR02, BY03, KK06]
Our Motivation
Sequential composition of protocols without simultaneous termination:
- In a broadcast protocol, each party is assumed to start at the same round
- However, parties may leave at different rounds
- So parties may start execution of the next protocol in different rounds
- If protocols are executed sequentially, additional rounds are needed to handle the composition
Our Motivation
For example, consider the setting in which at most one-third of the parties are corrupted:
- Micali and Rabin show a Verifiable Secret Sharing (VSS) protocol that uses 16 rounds but only a single round of broadcast
- Compiling the above protocol for a point-to-point network, it runs in an expected 31 rounds
- Any protocol that uses broadcast twice will require an expected 55 rounds after being compiled for a point-to-point network
Our Motivation
- If the ultimate goal is a round-efficient protocol for point-to-point networks, then it is preferable to focus on minimizing the number of rounds in which broadcast is used rather than minimizing the total number of rounds
Our Motivation
This raises the following question:
- Is it possible to construct a constant-round (or sub-linear-round) MPC protocol that uses only a single round of broadcast? (This is clearly optimal…)
- We resolve the above question in the affirmative in a number of settings
The Rest of the Talk
- Prior work
- Results and constructions
- Future directions
Prior Work
- Broadcast/Byzantine agreement (reviewed in the last talk)
- Verifiable secret sharing (VSS) [CGMA85]
- General secure MPC
Prior Work
Round complexity of VSS (let t be the number of corrupted parties and n the total number of parties):
- [GIKR01]:
  - n > 4t: efficient 2-round protocol
  - n > 3t: no 2-round protocol exists; efficient 4-round protocol; inefficient 3-round protocol
- [FGGRS06]: efficient 3-round protocol for n > 3t
Prior Work
But…
- Previous work studies the round complexity of VSS under the assumption that a broadcast channel is available
- As we have seen, this is not necessarily the best way to optimize the round complexity of VSS in a point-to-point setting
Prior Work
- Broadcast/Byzantine agreement
- Verifiable secret sharing (VSS)
- General secure MPC
Prior Work
Secure MPC allows a set of parties with private inputs to compute some joint function of their inputs.
Feasibility results:
- [BGW88, CDD88]: MPC for n > 3t in point-to-point networks
- [RB89, B89, CDDHR99]: MPC for n > 2t assuming a broadcast channel
Prior Work
Round-efficient solutions:
- [BMR90, DI05]: constant-round MPC for n > 2t assuming a broadcast channel and one-way functions
- Both protocols can be converted to expected O(1)-round protocols in point-to-point networks using authenticated broadcast, but the constant obtained is very high, on the order of hundreds of rounds
Prior Work
Round-efficient solutions:
- [GIKR01]: 3-round MPC for t < n/4 assuming a broadcast channel and one-way functions
  - The protocol uses only a single round of broadcast
  - Resilience is not optimal
- [GL02]: round-efficient protocols for t < n
  - Fairness and output delivery not guaranteed
The Rest of the Talk
- Prior work
- Results and constructions
- Future directions
Network Assumptions
- Synchronous communication
- Pairwise private and authenticated channels
- A broadcast channel, with the understanding that it will be emulated by a round-efficient broadcast sub-routine (recall, our goal is to use broadcast only once)
- Honest majority:
  - n > 3t: do not assume setup
  - n > 2t: assume a PKI
- Adaptive adversary
Results and Constructions
We start by sketching an MPC protocol that uses only a single round of broadcast.
Call (a, b, c) a random multiplication triple if:
- c = ab
- a, b, and c have been “shared” among the parties
- a and b are uniformly distributed
Results and Constructions
- Beaver shows that if, in a “setup” phase, parties share their inputs along with sufficiently many multiplication triples, then the parties can carry out secure MPC in a round-efficient manner without using any further invocations of broadcast
- Our task is now reduced to implementing the setup phase using only a single round of broadcast
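The following is an added example, not code from the talk or from Beaver's paper: it shows why shared inputs plus one shared multiplication triple suffice to multiply without further broadcast. The field size P, the additive sharing, the party count and the local "dealer" that stands in for the talk's moderated setup phase are all assumptions of this illustration.

```python
# Added example (not from the Katz-Koo talk): Beaver's multiplication-triple
# technique over Z_P with additive secret sharing.  P, the party count and
# the local triple dealer are constructed stand-ins for the real setup phase.
import secrets

P = 2**61 - 1   # constructed choice: a Mersenne prime

def share(value, n):
    """Additively share value among n parties: the shares sum to value mod P."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares

def reconstruct(shares):
    return sum(shares) % P

def setup_triples(n, count):
    """Stand-in for the setup phase: `count` random triples (a, b, c) with
    c = a*b, each component shared among n parties."""
    triples = []
    for _ in range(count):
        a, b = secrets.randbelow(P), secrets.randbelow(P)
        triples.append((share(a, n), share(b, n), share(a * b % P, n)))
    return triples

def beaver_multiply(x_shares, y_shares, triple):
    """Compute shares of x*y from shares of x and y plus one triple.
    Only the masked values d = x - a and e = y - b are opened; since a and b
    are uniform and used once, d and e reveal nothing about x and y."""
    a_sh, b_sh, c_sh = triple
    n = len(x_shares)
    # Each party locally forms its share of d and e ...
    d_shares = [(x_shares[i] - a_sh[i]) % P for i in range(n)]
    e_shares = [(y_shares[i] - b_sh[i]) % P for i in range(n)]
    # ... and the parties open d and e by exchanging these shares over the
    # point-to-point channels (no broadcast is needed here).
    d, e = reconstruct(d_shares), reconstruct(e_shares)
    # z = c + d*b + e*a + d*e equals x*y; everything is local on shares.
    # The public constant d*e is added by one party only, so the shares of z
    # still sum to z.
    z_shares = []
    for i in range(n):
        z = (c_sh[i] + d * b_sh[i] + e * a_sh[i]) % P
        if i == 0:
            z = (z + d * e) % P
        z_shares.append(z)
    return z_shares

def demo(x, y, n=5):
    """Share x and y among n parties, multiply with one triple, reconstruct."""
    triple = setup_triples(n, 1)[0]
    z_shares = beaver_multiply(share(x, n), share(y, n), triple)
    return reconstruct(z_shares)
```

The identity behind the local step is c + d·b + e·a + d·e = ab + (x−a)b + (y−b)a + (x−a)(y−b) = xy. Every triple must be consumed exactly once; reusing (a, b, c) for a second multiplication would let the opened d, e values be correlated and leak information about the inputs.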
Results and Constructions
Implementation of the setup phase:
- Recall the concept of a moderated protocol from the previous talk
- There is a distinguished party P_m known as the moderator
- Given a protocol designed under the assumption of a broadcast channel, its moderated version does not use broadcast
Results and Constructions
Implementation of the setup phase: the moderated version has the following properties:
- By the end of the protocol, each party P_i outputs a binary value trust_i(m)
- If the moderator P_m is honest, then each honest party outputs trust_i(m) = 1
- If some honest party outputs trust_i(m) = 1, then the moderated version achieves the functionality of the original protocol
Results and Constructions
Implementation of the setup phase:
- The previous talk illustrated how to compile a protocol into its moderated version while increasing the round complexity by at most a constant multiplicative factor
Results and Constructions
Implementation of the setup phase:
- For each party P_i, take some constant-round protocol, designed assuming a broadcast channel, that shares the input value of P_i as well as sufficiently many multiplication triples. Such protocols are constructed in, e.g., [BGW88, B89, RB89, B91, GRR98, CDDHR99, DI05]
- Compile this protocol into a moderated protocol in which P_i acts as the moderator
Results and Constructions
Implementation of the setup phase:
1. Run the moderated protocols of all parties P_1, …, P_n in parallel
2. Each party P_i broadcasts {trust_i(1), …, trust_i(n)}
3. A party P_i is disqualified if t or fewer parties broadcast trust_j(i) = 1. If a party is disqualified, then a default value is used as the input of P_i
4. Let i* be the minimum value such that P_i* is not disqualified. The set of random multiplication triples that the parties will use is taken to be the set generated in the moderated protocol of P_i*
Observations:
- The above protocol uses broadcast in only one round
- An honest party will not be disqualified
- If P_i is not disqualified, then its moderated protocol achieves the functionality of the original protocol
- The above protocol implements the setup phase using only one round of broadcast
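As an added example (not code from the talk), the broadcast round and the disqualification rule of the setup phase, simulated on constructed trust vectors. The party count n, threshold t, the corrupted set and the vote pattern are assumptions of this illustration; the rule itself is the one on the slide (P_i is disqualified if t or fewer parties broadcast trust(i) = 1).

```python
# Added example (not from the Katz-Koo talk): steps 2-4 of the setup phase.
# Parties are indexed 0..n-1; n, t, the corrupted set and the trust vectors
# below are constructed for this illustration.

def disqualified(trust, t):
    """trust[i][j] is trust_i(j) as broadcast by P_i.  P_j is disqualified
    if t or fewer parties broadcast trust(j) = 1."""
    n = len(trust)
    return {j for j in range(n) if sum(trust[i][j] for i in range(n)) <= t}

def choose_setup(trust, t, inputs, default=0):
    """Steps 3 and 4: replace the input of every disqualified party by the
    default value and pick i* = the smallest index that is not disqualified
    (the triples shared under P_i*'s moderated protocol are the ones used).
    Returns (disqualified set, i*, effective inputs)."""
    n = len(trust)
    bad = disqualified(trust, t)
    survivors = [j for j in range(n) if j not in bad]
    # With n > 2t there are at least t+1 honest parties, all of which output
    # trust = 1 for an honest moderator, so an honest party always survives
    # and `survivors` is never empty.
    i_star = survivors[0]
    effective = [default if j in bad else inputs[j] for j in range(n)]
    return bad, i_star, effective

def build_trust(n, corrupt, corrupt_trusted_by_honest):
    """Constructed vote pattern: honest parties trust every honest moderator
    (second property of moderated protocols) plus those corrupted moderators
    listed in corrupt_trusted_by_honest; corrupted parties vote 1 only for
    each other, trying to get their colluders accepted and honest parties
    disqualified."""
    trust = []
    for i in range(n):
        row = []
        for j in range(n):
            if i in corrupt:
                row.append(1 if j in corrupt else 0)
            else:
                row.append(1 if (j not in corrupt or j in corrupt_trusted_by_honest) else 0)
        trust.append(row)
    return trust

def demo(n=7, t=2, corrupt=frozenset({0, 1}), corrupt_trusted_by_honest=frozenset()):
    trust = build_trust(n, corrupt, corrupt_trusted_by_honest)
    inputs = [10 * (j + 1) for j in range(n)]   # constructed private inputs
    return choose_setup(trust, t, inputs)
```

Two things the simulation makes visible: a coalition of exactly t corrupted parties voting only for itself collects exactly t votes and is disqualified, while an honest party can never be pushed below t+1 votes; and i* may well be a corrupted party if at least one honest party trusted its moderated run, which is safe by the third property on the slides (its moderated protocol then achieved the original functionality).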
Results and Constructions
Combined with [BGW88, CDDHR99, DI05], we obtain MPC using only one round of broadcast and:
- O(depth of the circuit) rounds, assuming n > 3t (without computational assumptions)
- O(1) rounds, assuming n > 3t and the existence of one-way functions
- O(1) rounds, assuming n > 2t, the existence of one-way functions, and a PKI
Results and Constructions
- However, a naïve compilation will yield MPC protocols with relatively high round complexity
- Existing constructions of the sharing protocols do not attempt to minimize the number of rounds of broadcast
  - for n > 3t, each round of broadcast in the original protocol is replaced by six rounds of interaction in its moderated version
  - for n > 2t, it is eight rounds
- We construct a new set of protocols that minimize their use of broadcast as well as the total number of rounds
Results and Constructions
- In the following, we illustrate one of the techniques used to reduce the number of rounds of broadcast (without compilation)
- We show how to obtain a 6-round VSS protocol that uses 2 rounds of broadcast from the 4-round VSS protocol in [GIKR01] (which uses 3 rounds of broadcast)
- In the paper, this is improved to 7 rounds with 1 round of broadcast
Results and Constructions
VSS – informal definitions:
- There is a dealer D with an input s. A VSS protocol is a 2-phase protocol:
  - Sharing phase: D shares s
  - Reconstruction phase: the parties reconstruct a value s’
- If D is honest, then:
  - During the sharing phase, the joint view of the corrupted parties is independent of s
  - In the reconstruction phase, s is reconstructed
- If D is dishonest:
  - The view of the honest parties at the end of the sharing phase defines a value s’ that will be reconstructed in the reconstruction phase
Results and Constructions
Review of the [GIKR01] protocol:
- Round 1: D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends g_i(x) = F(x,i) and h_i(y) = F(i,y) to P_i. P_i sends to P_j a random pad r_ij.
- Round 2: P_i broadcasts a_ij = g_i(j) + r_ij and b_ij = h_i(j) + r_ji. (Symmetrically, P_j broadcasts a_ji = g_j(i) + r_ji and b_ji = h_j(i) + r_ij.)
- Round 3: For each a_ij ≠ b_ji: P_i broadcasts g_i(j); P_j broadcasts h_j(i); D broadcasts F(j,i)
- Round 4: …
Results and Constructions
Replace round 2 and round 3 by the following steps:
1. P_i sends h_i(j) to P_j
2. Let h’_{j,i} be the value P_i received from P_j. If h’_{j,i} ≠ g_i(j), then P_i sends “complain(i,j)” to D
3. If D receives “complain(i,j)” from P_i in the last step, then D sends “complain(i,j)” to P_j
4. (i) If P_i sent “complain(i,j)” to D in (2), then P_i broadcasts “(i,j): g_i(j)”; else it broadcasts “(i,j): no complaint”
   (ii) If P_j received “complain(i,j)” from D in (3), then P_j broadcasts “(i,j): h_j(i)”; else it broadcasts “(i,j): no complaint”
   (iii) If D received “complain(i,j)” from P_i in (2), then D broadcasts “(i,j): F(j,i)”; else it broadcasts “(i,j): no complaint”
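The following added example (not code from the talk or from [GIKR01]) simulates both the pad-based consistency check of rounds 1–2 above and the complaint-based replacement for rounds 2–3, over a small prime field. The field size PRIME, the party count, the seeded randomness and the single cheating-dealer scenario (one party's g polynomial shifted by 1) are constructed for this illustration.

```python
# Added example, not code from the talk or from [GIKR01]: a simulation of
# the sharing-phase consistency checks over a small prime field.  PRIME,
# the party count, the seeded randomness and the "cheating dealer" scenario
# (one party's g polynomial shifted by 1) are constructed for this example.
import random

PRIME = 101  # constructed: party ids 1..n must be below PRIME

def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def dealer_polys(secret, t, rng):
    """Round 1: random F(x,y) = sum C[k][l] x^k y^l, degree t in each
    variable, with F(0,0) = secret."""
    C = [[rng.randrange(PRIME) for _ in range(t + 1)] for _ in range(t + 1)]
    C[0][0] = secret % PRIME
    return C

def share_polys(C, i):
    """(g_i, h_i) with g_i(x) = F(x, i) and h_i(y) = F(i, y), as coefficient lists."""
    d = range(len(C))
    g = [sum(C[k][l] * pow(i, l, PRIME) for l in d) % PRIME for k in d]
    h = [sum(C[k][l] * pow(i, k, PRIME) for k in d) % PRIME for l in d]
    return g, h

def distribute(C, n, cheat_party=None):
    """Dealer sends (g_i, h_i) to P_i.  A cheating dealer shifts one party's
    g polynomial by 1, so that g_i(j) != F(j,i) for every j."""
    shares = {}
    for i in range(1, n + 1):
        g, h = share_polys(C, i)
        if i == cheat_party:
            g[0] = (g[0] + 1) % PRIME
        shares[i] = (g, h)
    return shares

def pad_check(shares, rng):
    """Rounds 1-2 of [GIKR01]: P_i sends pad r_ij to P_j, then P_i broadcasts
    a_ij = g_i(j) + r_ij and P_j broadcasts b_ji = h_j(i) + r_ij.  Everyone
    sees a_ij != b_ji exactly when g_i(j) != h_j(i), but the pad keeps the
    share value itself hidden from third parties."""
    mismatches = set()
    for i in shares:
        for j in shares:
            if i != j:
                r_ij = rng.randrange(PRIME)
                a_ij = (poly_eval(shares[i][0], j) + r_ij) % PRIME
                b_ji = (poly_eval(shares[j][1], i) + r_ij) % PRIME
                if a_ij != b_ji:
                    mismatches.add((i, j))
    return mismatches

def complaint_round(C, shares):
    """The talk's replacement for rounds 2-3: P_j sends h_j(i) to P_i over
    the private channel; on a mismatch P_i complains to D, D forwards the
    complaint to P_j, and then P_i, P_j and D each broadcast once.  Returns
    the complaints and what is sent in that single broadcast round."""
    complaints, broadcasts = set(), {}
    for i in shares:
        for j in shares:
            if i == j:
                continue
            g_ij = poly_eval(shares[i][0], j)          # P_i's own g_i(j)
            h_ji = poly_eval(shares[j][1], i)          # h'_{j,i} received from P_j
            if g_ij != h_ji:
                complaints.add((i, j))
                broadcasts[(i, j)] = {"P_i": g_ij, "P_j": h_ji,
                                      "D": poly_eval(share_polys(C, j)[1], i)}  # F(j,i)
            else:
                broadcasts[(i, j)] = "no complaint"
    return complaints, broadcasts

def reconstruct(shares, t):
    """Reconstruction from honest shares: the values F(0,i) = g_i(0) lie on
    a degree-t polynomial in i, so t+1 of them interpolate F(0,0)."""
    pts = [(i, poly_eval(shares[i][0], 0)) for i in list(shares)[: t + 1]]
    s = 0
    for i, yi in pts:
        num = den = 1
        for j, _ in pts:
            if j != i:
                num, den = num * (-j) % PRIME, den * (i - j) % PRIME
        s = (s + yi * num * pow(den, -1, PRIME)) % PRIME
    return s

def run(secret, n, t, seed, cheat_party=None):
    rng = random.Random(seed)
    C = dealer_polys(secret, t, rng)
    shares = distribute(C, n, cheat_party)
    mismatches = pad_check(shares, rng)
    complaints, _ = complaint_round(C, shares)
    return mismatches, complaints, reconstruct(shares, t)
```

With an honest dealer no pair ever disagrees and any t+1 shares reconstruct s. When the dealer hands P_3 a shifted g polynomial, both mechanisms flag exactly the pairs (3, j): the public pad check exposes the disagreement without revealing g_3(j) to anyone but P_3 and P_j, and the complaint variant reaches the same set of pairs using private messages plus a single broadcast round in which P_i, P_j and D publish the three values the rest of the parties need to adjudicate.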
Results and Constructions
Summary of our results: round complexity of MPC
- n > 3t: 26 rounds (1 round of broadcast)
- n > 2t: 34 rounds (1 round of broadcast)
Results and Constructions
Round complexity of our MPC protocols in point-to-point networks (in expectation)*

                                                        n > 3t    n > 2t
Our work                                                  41        64
Any protocol using broadcast twice
(even with no additional rounds!)                         55        94

* Given best currently-known protocols for broadcast
The Rest of the Talk
- Prior work
- Results and constructions
- Future directions
Future Directions
- Characterize the round complexity of VSS in a point-to-point network
- Better lower bounds on the round complexity of secure computation?
- For n > 2t, determine the existence of an MPC protocol using a single round of broadcast and not relying on a PKI