1 Welcome to Autumn School! Some practical issues

2 Linear Secret-Sharing and Multiparty Computation Ivan Damgård BRICS, Århus University

3 The MPC problem
n players P1, P2, …, Pn. Player Pi holds input xi.
Goal: for some given function f with n inputs and n outputs, compute f(x1,…,xn) = (y1,…,yn) securely, i.e., we want a protocol such that:
- Pi learns the correct value of yi
- No information on the inputs is leaked to Pi, other than what follows from xi and yi.
We want this to hold even when (some of) the players behave adversarially.
Examples: match-making, electronic voting, payment systems, etc. In principle any cryptographic protocol problem.

4 Modelling Adversarial Behavior
Assume one central adversary Adv. Adv may corrupt some of the players and use this to learn information he should not know, or to mess up the results. When Pi is corrupted, Adv learns the complete history of Pi.
An adversary may be
- Passive or Active: just monitor the corrupted players, or take full control of them.
- Static or Adaptive: all corruptions take place before the protocol starts, or happen dynamically during the protocol (but once you're corrupt, you stay bad).
- Unbounded or probabilistic polynomial time.
Goal of MPC, a bit more precisely: we want the protocol to work as if we had a trusted party T, who gets the inputs from the players, computes the results and returns them to the players. Hence: Adv may decide the inputs of corrupted players, but honest players get correct results, and the protocol tells Adv only the inputs/outputs of corrupted players.

5 Bounds on corruption
If Adv can corrupt an arbitrary subset of players, in most cases the problem cannot be solved – for instance, what does security mean if everyone is corrupted? So we need to define some bound on which subsets can be corrupt.
Adversary Structure Γ: a family of subsets of P = {P1,…,Pn}. Adv is a Γ-adversary: the set of corrupted players is in Γ at all times.
To make sense, Γ must be monotone: B ∈ Γ and A ⊆ B implies A ∈ Γ, i.e., if Adv can corrupt set B, he can choose to corrupt any smaller set.
Threshold-t structure: contains all subsets of size at most t.
Γ is Q3: for any A1, A2, A3 ∈ Γ, A1 ∪ A2 ∪ A3 is strictly smaller than P.
Γ is Q2: for any A1, A2 ∈ Γ, A1 ∪ A2 is strictly smaller than P.
The threshold-t structure for t < n/3 is Q3; the threshold-t structure for t < n/2 is Q2.

6 Why General Access Structures?
And not just a bound on the number of players that can be corrupt? Threshold adversaries (where we just bound the number of corruptions) make sense in a network where all nodes are equally hard to break into. This is often not the case in practice. With general access structures, we can express things such as: the adversary can break into a small number of the more secure nodes and a larger number of the less secure ones.

7 Modelling Communication
In these lectures: synchronous network: communication proceeds in rounds; in each round each player may send a message to each other player, and all messages are received in the same round.
We only look at the Information Theoretic scenario: assume secure point-to-point channels ⇒ Adv does not see the communication between honest (uncorrupted) players ⇒ we can get security for an unbounded Adv.

8 Summary
[Figure: Adv and the players with inputs and desired outputs (x1,y1), (x2,y2), (x3,y3), (x4,y4), communicating synchronously; one player marked "Corrupt".]
Adv can choose which players to corrupt, statically or adaptively, but the set of corrupted players must be "not too large", i.e., it must be in the given adversary structure.
Corruption can be passive (just observe computation and messages) or active (take full control).
I.T. scenario: no info on honest-to-honest messages. This is the one we focus on.

9 Known Results, Information theoretic scenario
Passive, adaptive, unbounded Γ-adversary: any function can be securely computed with perfect security iff Γ is Q2; in the threshold-t case, iff t < n/2.
Meaning of "only if": there exists a function that cannot be computed securely if the condition on Γ (on t) is not satisfied.
Active, adaptive, unbounded Γ-adversary: any function can be securely computed with perfect security iff Γ is Q3; in the threshold-t case, iff t < n/3.
If we assume that a broadcast channel is given for free, and we accept a non-zero error probability, more is possible. I.T. scenario with broadcast and an active, adaptive, unbounded Γ-adversary: any function can be securely computed with small error probability iff Γ is Q2; in the threshold-t case, iff t < n/2.
Results of [CCD88, BGW88, RB89, HM99, CDDHR00].

10 Tool for solution: Secret Sharing
A Dealer holds a secret value s in Z_p, where p > n is a prime. The Dealer chooses a random polynomial f() over Z_p of degree at most t such that f(0) = s:
  f(x) = s + a_1 x + a_2 x^2 + … + a_t x^t
The Dealer sends s_i = f(i) privately to Pi.
Properties:
- Any subset of at most t players has no information on s.
- Any subset of at least t+1 players can easily compute s; this can be done by taking a linear combination of the shares they know (Lagrange interpolation at 0).
A consequence, the reconstruction vector: there exists a public reconstruction vector (r_1,…,r_n) such that for any polynomial h() of degree less than n:
  h(0) = r_1 h(1) + … + r_n h(n)

11 A Protocol for the Passive Corruption Case, I.T. scenario
Threshold adversary, may corrupt up to t players, t < n/2.
[Figure: an arithmetic circuit of + and · gates with its inputs given; "objects" representing the inputs are jointly held by the players, their values not accessible to the adversary; the computing phase computes new objects; finally the outputs are opened.]
Create Objects (Sharing Phase): each Pi shares each of his input values using a random polynomial of degree at most t, and sends a share of each input to each player.
Notation: a → f() → a_1, a_2, …, a_n means: value a has been shared using polynomial f(), resulting in shares a_1,…,a_n, where player Pi knows a_i.
Computing phase: compute new objects.
Output phase: open the outputs.

12 Computation Phase
Addition Gates
Input: a → f_a() → a_1,…,a_n and b → f_b() → b_1,…,b_n.
Desired output: c = a+b → f_c() → c_1,…,c_n.
Each player sets c_i := a_i + b_i. Then we have what we want: a+b → f_c() → c_1,…,c_n with f_c() = f_a() + f_b(). This works since adding two random polynomials of degree ≤ t produces a random polynomial of degree ≤ t, and f_c(0) = a+b. No interaction is needed.
Multiplication Gates
Input: a → f_a() → a_1,…,a_n and b → f_b() → b_1,…,b_n.
Desired output: c = ab → f_c() → c_1,…,c_n.
Each player sets d_i := a_i b_i. If we set h() = f_a() f_b(), then d_i = f_a(i) f_b(i) = h(i). Also h(0) = ab = c.
Unfortunately, h() may have degree up to 2t, and is not even a random polynomial of degree at most 2t. What to do?

13 Multiplication Gates, cont'd
We have the public reconstruction vector (r_1,…,r_n) and know that c = h(0) = r_1 h(1) + … + r_n h(n) = r_1 d_1 + … + r_n d_n, since deg(h) ≤ 2t < n.
Each player Pi reshares his product with a fresh random polynomial h_i() of degree at most t: d_i → h_i() → c_i1, c_i2,…,c_in. So we have:
  d_1 → h_1() → c_11  c_12  …  c_1n
  d_2 → h_2() → c_21  c_22  …  c_2n
  …
  d_n → h_n() → c_n1  c_n2  …  c_nn
  known by:      P1    P2   …  Pn
Player Pj computes c_j := r_1 c_1j + r_2 c_2j + … + r_n c_nj from the shares he received (column j above).
Then c → f_c() → c_1,…,c_n: c is now shared using the polynomial f_c() = Σ_i r_i h_i(), which has degree at most t and satisfies f_c(0) = Σ_i r_i d_i = c.

14 Output Opening Phase
Having made our way through the circuit, we have for each output value y: y → f_y() → y_1,…,y_n.
If y is to be received by player Pi, each Pj sends y_j to Pi. Pi reconstructs in the normal way.
Security, intuitively:
- Outputs are trivially correct, since all players follow the protocol.
- For every input from an honest player, every intermediate result and every output of honest players, Adv sees at most t shares. These are always t uniformly random field elements, so they reveal no information.
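
The passive protocol of slides 10 to 14 end to end, as an added example that is not part of the lecture: Shamir sharing over Z_p, the public reconstruction vector, the local addition gate, and the multiplication gate with resharing. The modulus, the seeded generator and all function names are my choices; the field arithmetic and the degree-t resharing follow the slides. Opening the outputs from every (t+1)-subset and checking that all subsets agree is the cheap sanity check that the product really is a degree-t sharing again.

```python
import random
from itertools import combinations

P = 10007                   # prime field Z_p; assumption: any prime p > n works
RNG = random.Random(2024)   # fixed seed only so the demo is reproducible


def eval_poly(coeffs, x):
    """Evaluate f(x) = coeffs[0] + coeffs[1] x + ... mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret, t, n):
    """Dealer step of slide 10: random f of degree <= t with f(0) = secret; the share
    of P_i is f(i). The list is 0-indexed, so shares[i-1] belongs to P_i."""
    coeffs = [secret % P] + [RNG.randrange(P) for _ in range(t)]
    return [eval_poly(coeffs, i) for i in range(1, n + 1)]


def reconstruction_vector(points):
    """Lagrange coefficients r_i with h(0) = sum r_i h(i) for every polynomial h of
    degree < len(points). With points = 1..n this is the public vector of slide 10."""
    r = []
    for i in points:
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        r.append(num * pow(den, -1, P) % P)
    return r


def reconstruct(shares, points):
    """Recover h(0) from the shares h(i), i in points (needs len(points) > deg h)."""
    r = reconstruction_vector(points)
    return sum(ri * s for ri, s in zip(r, shares)) % P


def add_gate(a_shares, b_shares):
    """Slide 12: c_i = a_i + b_i, no interaction."""
    return [(x + y) % P for x, y in zip(a_shares, b_shares)]


def mul_gate(a_shares, b_shares, t, n):
    """Slide 13. d_i = a_i b_i lies on h = f_a f_b of degree <= 2t, so c = sum r_i d_i
    as long as 2t < n. Each P_i reshares d_i with a fresh degree-t polynomial and
    P_j combines the shares it receives with the public r_i; the result is a
    degree-t sharing of ab."""
    assert 2 * t < n, "need t < n/2 for the reconstruction vector to apply to h"
    d = [(x * y) % P for x, y in zip(a_shares, b_shares)]
    r = reconstruction_vector(list(range(1, n + 1)))
    resharing = [share(di, t, n) for di in d]   # resharing[i][j] = c_{ij}, sent P_i -> P_j
    return [sum(r[i] * resharing[i][j] for i in range(n)) % P for j in range(n)]


def open_value(shares, players):
    """Slide 14: the receiver collects shares from the listed players (1-indexed)
    and interpolates."""
    return reconstruct([shares[i - 1] for i in players], list(players))


def mpc_demo(a, b, t, n):
    """Share a and b, evaluate a+b and a*b on shares, then open both outputs from
    every (t+1)-subset of players; all subsets must agree on one value."""
    sa, sb = share(a, t, n), share(b, t, n)
    s_sum, s_prod = add_gate(sa, sb), mul_gate(sa, sb, t, n)
    sums = {open_value(s_sum, q) for q in combinations(range(1, n + 1), t + 1)}
    prods = {open_value(s_prod, q) for q in combinations(range(1, n + 1), t + 1)}
    return sums, prods


if __name__ == "__main__":
    print(mpc_demo(1234, 5678, 2, 5))
```

Dropping the `assert 2 * t < n` guard and running with t = 2, n = 4 is instructive: the local products then lie on a degree-4 polynomial but the reconstruction vector only handles degree < 4, and the opened product is garbage, which is exactly the t < n/2 bound of slide 9 showing up in the arithmetic.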

15 How to go from threshold to general adversaries
Use the same ideas, but a more general form of secret sharing…
Shamir's scheme can be written as a fixed matrix times (secret, randomness) = shares:

  [ 1  1  1^2 … 1^t ]   [ a   ]   [ a_1 ]
  [ 1  2  2^2 … 2^t ]   [ r_1 ]   [ a_2 ]
  [ …               ] · [ …   ] = [ …   ]
  [ 1  n  n^2 … n^t ]   [ r_t ]   [ a_n ]

Each player "owns" a row of the matrix and is assigned the share corresponding to his row.
This can be generalized to other matrices than the Vandermonde matrix, and to more than one row per player.

16 Linear Secret Sharing Schemes (LSSS)
[Figure: matrix M with the rows of P1, the rows of P2, …, the rows of Pn, multiplied by the vector v_s = (s, randomness), gives the shares of P1, P2, …, Pn.]
A subset A can reconstruct s if their rows span the target vector (1, 0, 0,…,0); otherwise they have no information.
Note: any vector v can be used as target vector; to share secret s, choose v_s such that v · v_s = s.
LSSS is the most powerful general secret sharing method known and can handle any adversary structure, but it cannot be efficient for every structure (counting argument). Shamir, Benaloh-Leichter, Van Dijk and Brickell are special cases.

17 Reminder
Adversary Structure Γ: a family of subsets of P = {P1,…,Pn}, the list of subsets the adversary can corrupt.
Threshold-t structure: contains all subsets of size at most t.
Γ is Q3: for any A1, A2, A3 ∈ Γ, A1 ∪ A2 ∪ A3 is strictly smaller than P.
Γ is Q2: for any A1, A2 ∈ Γ, A1 ∪ A2 is strictly smaller than P.
To make our protocol work for general Q2/Q3 adversaries, we basically plug in an LSSS M for Γ instead of Shamir's scheme. This works for computing any linear function:
Let v_a be the vector chosen in order to secret share the value a. Then the complete set of shares is the vector M v_a.
We can securely add shared secrets: local addition of the shares of a and b means we compute M v_a + M v_b = M(v_a + v_b), which produces shares of the sum a+b, since the vector v_a + v_b has a+b in its first coordinate. Multiplication by public constants is easy as well.

18 Multiplication?
For vectors u = (u_1,…,u_d), v = (v_1,…,v_d) let
  u ◊ v = (u_1 v_1, …, u_d v_d)   (coordinate-wise product)
  u ⊗ v = (u_1 v_1, u_1 v_2, …, u_1 v_d, u_2 v_1, …, u_d v_d)   (all d^2 products)
M ⊗ N is the matrix whose i'th row is the ⊗-product of the i'th row of M with the i'th row of N.
Now, given shares of a and b, M v_a and M v_b, we can compute by local multiplication M v_a ◊ M v_b, where each player knows a subset of the entries. We have
  M v_a ◊ M v_b = (M ⊗ M)(v_a ⊗ v_b)
Note: v_a ⊗ v_b contains ab in its first coordinate. Thus we have produced a sharing of ab in the LSSS defined by M ⊗ M.

19 Multiplication, cont'd
Definition: M is multiplicative if the set of all players is qualified in the LSSS defined by M ⊗ M.
If M is multiplicative, we can use the same idea as for polynomial secret sharing to convert the sharing using M ⊗ M into a sharing using M. Namely, we already have the product ab shared using M ⊗ M. This means ab is a linear combination, with public coefficients, of the shares held by the players. So we just use the fact that we already know how to compute linear functions: each player reshares his entries under M and everyone combines the resulting shares with the public coefficients. This results in a sharing of ab using M.
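
A generic LSSS with the span test of slide 16, the Q2 check of slide 17 and the ⊗-product and multiplicativity test of slides 18 and 19, as an added example that is not from the lecture. It shows Shamir as the Vandermonde LSSS of slide 15 and, as a constructed non-threshold structure of my own (M_GATE), a scheme where one "more secure" player must be in every qualified set. The field size, the matrix M_GATE and all names are assumptions; the linear algebra is the slides' definitions made executable.

```python
from itertools import combinations
import random

P = 101                    # small prime field; assumption: any prime works
RNG = random.Random(7)     # fixed seed so the demo is reproducible


def solve_mod(rows, target):
    """Coefficients lam with sum_i lam_i * rows[i] == target (mod P), or None if the
    rows do not span the target. Gaussian elimination on rows^T * lam = target;
    free variables are set to 0."""
    k, e = len(rows), len(target)
    A = [[rows[i][c] % P for i in range(k)] + [target[c] % P] for c in range(e)]
    pivots, r = [], 0
    for col in range(k):
        piv = next((i for i in range(r, e) if A[i][col]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][col], -1, P)
        A[r] = [x * inv % P for x in A[r]]
        for i in range(e):
            if i != r and A[i][col]:
                f = A[i][col]
                A[i] = [(x - f * y) % P for x, y in zip(A[i], A[r])]
        pivots.append(col)
        r += 1
        if r == e:
            break
    if any(A[i][k] for i in range(r, e)):   # a row 0 = nonzero: inconsistent
        return None
    lam = [0] * k
    for i, col in enumerate(pivots):
        lam[col] = A[i][k]
    return lam


def unit_target(e):
    """Target vector (1, 0, ..., 0) of slide 16."""
    return [1] + [0] * (e - 1)


def shamir_matrix(t, n):
    """Slide 15: Shamir as a Vandermonde LSSS; player i (0-indexed) owns row (1, i+1, ..., (i+1)^t)."""
    return [[pow(i, j, P) for j in range(t + 1)] for i in range(1, n + 1)]


def share(M, secret):
    """Shares = M v_s with v_s = (s, randomness)."""
    v = [secret % P] + [RNG.randrange(P) for _ in range(len(M[0]) - 1)]
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]


def is_qualified(M, players, target=None):
    """The players (0-indexed row owners) are qualified iff their rows span the target."""
    target = unit_target(len(M[0])) if target is None else target
    return solve_mod([M[i] for i in players], target) is not None


def reconstruct(M, shares, players, target=None):
    target = unit_target(len(M[0])) if target is None else target
    lam = solve_mod([M[i] for i in players], target)
    if lam is None:
        raise ValueError("unqualified set")
    return sum(l * shares[i] for l, i in zip(lam, players)) % P


def is_q2(M):
    """Slide 17: Q2 iff the complement of every unqualified set is qualified."""
    n = len(M)
    for k in range(n + 1):
        for B in combinations(range(n), k):
            rest = [i for i in range(n) if i not in B]
            if not is_qualified(M, B) and not is_qualified(M, rest):
                return False
    return True


def kron(u, v):
    """u (x) v of slide 18: all products u_i v_j in row-major order."""
    return [x * y % P for x in u for y in v]


def kron_rows(M, N):
    """M (x) N: row i is the (x)-product of row i of M and row i of N (one row per player)."""
    return [kron(m, n) for m, n in zip(M, N)]


def local_product(a_shares, b_shares):
    """Slide 18: M v_a (diamond) M v_b, computed without interaction; a sharing of ab under M (x) M."""
    return [(x * y) % P for x, y in zip(a_shares, b_shares)]


def is_multiplicative(M):
    """Slide 19: all players together are qualified in M (x) M."""
    MM = kron_rows(M, M)
    return is_qualified(MM, range(len(M)), unit_target(len(MM[0])))


# Constructed non-threshold structure (mine, not from the slides): P0 must be in every
# qualified set; {P0,P1} and {P0,P2} qualify, {P1,P2} and {P0} alone do not.
M_GATE = [[1, 1], [0, 1], [0, 1]]

if __name__ == "__main__":
    for t, n in [(1, 2), (1, 3), (2, 4), (2, 5)]:
        print(f"Shamir t={t} n={n}: Q2={is_q2(shamir_matrix(t, n))} multiplicative={is_multiplicative(shamir_matrix(t, n))}")
    print(f"M_GATE: Q2={is_q2(M_GATE)} multiplicative={is_multiplicative(M_GATE)}")
```

The two checks line up exactly as the theory says they should: every threshold scheme with t < n/2 is Q2 and multiplicative, t = 1 with n = 2 and t = 2 with n = 4 are neither, and M_GATE, whose adversary structure contains both {P1,P2} and {P0}, fails Q2 and fails multiplicativity too, which is the situation slide 20 addresses.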

20 A Problem and a solution
A matrix M defining an LSSS is NOT always multiplicative. However:
Theorem [CDM00]: from any LSSS M for a Q2 adversary structure, one can always construct a multiplicative M' of size at most twice that of M.
This implies: from any LSSS M for a Q2 adversary structure Γ, we can build general MPC protocols with perfect security against passive, adaptive Γ-adversaries.
Proof of theorem
Up to now, we used (1,0,…,0) as target vector. But any vector v can be used, as mentioned. We now switch for a while to v = (1,1,…,1). From our given M we can get an LSSS with v as target vector: just switch to a new basis.
Note that now, to share secret s, we choose a random vector v_s such that v · v_s = s, i.e., the sum of its coordinates is s.

21 Proof, cont'd
For a qualified set A, let u_A be a column vector with one entry per row of M (n entries when each player owns one row). It contains the coefficients used by the members of A to reconstruct a secret shared by M, and 0 in the rows of players not in A.
Form a matrix M* with all the u_A's as columns. This is also an LSSS, with the same number of rows as M and the same ownership of rows.
Note: the inner product of a column in M and a column in M* is always 1, since reconstruction means u_A^T M = (1,1,…,1) for every qualified A.
Let B be an unqualified set w.r.t. M. Note that B is also unqualified w.r.t. M*: the complement of B is a qualified set A, since the adversary structure for M is Q2. Players in B have 0's in their entries of u_A, so any linear combination of the rows of B has 0 in the coordinate indexed by A and cannot equal the target (1,1,…,1). Hence it is safe to share a secret w.r.t. both M and M*.
Let a and b be shared this way, resulting in vectors of shares M v_a and M* v_b. We can now compute by local multiplication M v_a ◊ M* v_b, where each player knows a subset of the entries. We have
  M v_a ◊ M* v_b = (M ⊗ M*)(v_a ⊗ v_b)
This is a sharing of ab using M ⊗ M*, since (v_a ⊗ v_b) · (1,1,…,1) = (Σ_i v_a,i)(Σ_j v_b,j) = ab.

22 Final part of proof
We have managed to share a and b using M and M* such that local multiplication results in a sharing of ab in the LSSS M ⊗ M*.
Now note that the full set of players is qualified in M ⊗ M*: the sum of all its rows equals the target vector (1,1,…,1), because each coordinate of that sum is the inner product of a column of M with a column of M*, which is 1.
Final step: construct a single LSSS M' such that sharing a secret under M' results in a set of shares from both M and M*. Then M' ⊗ M' contains among its rows the rows of M ⊗ M*. This can be done using 2d rows, where d is the number of rows in M (and M*). This M' is clearly multiplicative.

23 Protocol for Active Adversaries
General idea: use the protocol for the passive case, but make the players prove that they send correct information.
Main tool for this: a commitment scheme.
Intuition: the committer Pi puts a secret value s ∈ K "in a locked box" and puts it on the table. Later, Pi can choose to open the box by releasing the key.
Hiding: no one else can learn s from the commitment.
Binding: having given away the box, Pi cannot change what is inside.

24 Implementing Commitments
Idea: implement commitments using secret sharing. To commit to s, a dealer D just creates M v_s = (s_1,…,s_n) and distributes the shares.
To open, D broadcasts v_s; each player Pi says whether his share really was the i'th coordinate of M v_s. The opening is accepted if all but an unqualified set of players agree.
The good news: if D remains honest, Adv learns no information at commitment time. Furthermore, by just locally adding the shares of two commitments, we get a commitment to the sum of the committed values. This is a useful property in applications.
The bad news: who says D distributes correctly computed shares? If not, s is not uniquely determined, and D may open different values later.

25 Some Wishful Thinking..
Suppose for a moment we could magically force D to distribute shares of the correct form M v_s. Then it works!
- It is easy to see that things are fine if D remains honest.
- If D is corrupt, we want to show that D must open to the value s or be rejected. Assume D opens some s', by broadcasting some vector v_s'. If this is accepted, everyone agrees except an unqualified set B. Let C be the set of corrupt players, and A the set of players NOT in B or C. These are all honest, and A is qualified since the adversary structure is Q3 (if A were in Γ, then A ∪ B ∪ C = P would be the union of three sets in Γ). We then have that A, a qualified set of honest players, agree ⇒ M v_s agrees with M v_s' in the rows owned by players in A ⇒ s = s'.
Therefore it is sufficient to force D to be consistent.

26 How to force consistency, using Shamir Sharing
Main tool: f(X,Y) = Σ_{i,j} c_ij X^i Y^j, a bivariate polynomial of degree at most t in both variables. We will assume f is symmetric, i.e., c_ij = c_ji.
Define, for 0 < i, j ≤ n:
  f_0(X) = f(X,0), and set s = f_0(0), s_i = f_0(i)
  f_i(X) = f(X,i), and set s_ij = f_i(j)
How to think of this: s is the "real" secret to be committed, using polynomial f_0(). Hence f_0(i) = s_i will be player Pi's share of s. The rest of the machinery is just for checking.
Observations, by symmetry:
  s_i = f_0(i) = f(i,0) = f(0,i) = f_i(0)
  s_ij = f_i(j) = f(j,i) = f(i,j) = f_j(i) = s_ji

27 Commit Protocol
1. Dealer D chooses a random bivariate polynomial f() as above, such that f(0,0) = s, the value he wants to commit to. He sends f_i() privately to player Pi.
2. Pi sends s_ij = f_i(j) to Pj, who compares it to s_ji = f_j(i) and broadcasts "complaint" if there is a conflict.
3. D must broadcast the correct value of all s_ij's complained about.
4. If some Pi finds a disagreement between the broadcast values and what he received privately from D, he broadcasts "accuse D".
5. In response to an accusation from Pi, D must broadcast what he sent to Pi, namely f_i(). This may cause further players to find a disagreement as in step 4; they then also accuse D.
If D has been accused by more than t players, the commit protocol fails. Otherwise, the commitment is accepted. Accusing players from step 4 use the broadcast f_i() as their polynomial; accusing players from step 5 use the polynomial sent in step 1. Each player Pi stores f_i(0) as his share of the commitment.
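
The consistency check of slides 26 and 27 simulated in one process, as an added example that is not part of the lecture: a symmetric bivariate polynomial, the pairwise s_ij = s_ji comparison, and steps 3 to 5 with the dealer answering every complaint from its own polynomial. The corrupt-dealer behaviour (shifting the constant term of the polynomial sent to some players) is constructed for the demo; the modulus, the seeded generator and all names are my assumptions.

```python
import random

P = 10007                  # prime field; assumption: any prime p > n works
RNG = random.Random(11)    # fixed seed so the demo is reproducible


def eval_poly(coeffs, x):
    """Univariate f(x) = sum coeffs[k] x^k mod P."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % P
    return acc


def eval_bivariate(c, x, y):
    """f(x, y) = sum_{i,j} c[i][j] x^i y^j mod P."""
    t = len(c) - 1
    return sum(c[i][j] * pow(x, i, P) * pow(y, j, P)
               for i in range(t + 1) for j in range(t + 1)) % P


def random_symmetric_poly(secret, t):
    """Slide 26: degree <= t in each variable, c_ij = c_ji, f(0,0) = secret."""
    c = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            c[i][j] = c[j][i] = (secret % P if (i, j) == (0, 0) else RNG.randrange(P))
    return c


def row_polynomial(c, i):
    """f_i(X) = f(X, i): the coefficient of X^k is sum_j c[k][j] i^j."""
    t = len(c) - 1
    return [sum(c[k][j] * pow(i, j, P) for j in range(t + 1)) % P for k in range(t + 1)]


def deal(c, n):
    """Step 1: D sends f_i() to P_i (dict keyed by player index 1..n)."""
    return {i: row_polynomial(c, i) for i in range(1, n + 1)}


def pairwise_complaints(polys):
    """Step 2: P_i sends s_ij = f_i(j) to P_j, who compares it with his own s_ji = f_j(i).
    Returns the conflicting pairs (i, j), i < j; with an honest D there are none."""
    n = len(polys)
    return [(i, j) for i in range(1, n + 1) for j in range(i + 1, n + 1)
            if eval_poly(polys[i], j) != eval_poly(polys[j], i)]


def run_commit(c, polys, t):
    """Steps 2-5 of slide 27, with D answering all broadcasts from its polynomial c.
    Returns (accepted, final polynomials held by the players, sorted accusers)."""
    n = len(polys)
    # step 3: D broadcasts s_ij = f(j, i) for every complained-about pair
    broadcast = {(i, j): eval_bivariate(c, j, i) for (i, j) in pairwise_complaints(polys)}
    # step 4: a player whose private f_i disagrees with a broadcast value accuses D
    accusers = set()
    for (i, j), s in broadcast.items():
        if eval_poly(polys[i], j) != s:
            accusers.add(i)
        if eval_poly(polys[j], i) != s:
            accusers.add(j)
    # step 5: D broadcasts f_i() for each accuser; everyone rechecks against it
    final = dict(polys)
    for i in sorted(accusers):
        f_i = row_polynomial(c, i)
        final[i] = f_i                       # step-4 accusers adopt the broadcast polynomial
        for j in range(1, n + 1):
            if j != i and eval_poly(polys[j], i) != eval_poly(f_i, j):
                accusers.add(j)              # step-5 accusers keep their step-1 polynomial
    return len(accusers) <= t, final, sorted(accusers)


def shares(polys):
    """Each P_i stores f_i(0) as his share of the committed value (= f_0(i) by symmetry)."""
    return {i: eval_poly(f, 0) for i, f in polys.items()}


def tampered_deal(c, n, cheat_on):
    """A corrupt D that sends inconsistent polynomials to the listed players
    (constructed misbehaviour for the demo: constant term shifted by one)."""
    polys = deal(c, n)
    for i in cheat_on:
        polys[i][0] = (polys[i][0] + 1) % P
    return polys


if __name__ == "__main__":
    c = random_symmetric_poly(77, 2)
    print(run_commit(c, deal(c, 7), 2)[::2])            # (True, [])
    print(run_commit(c, tampered_deal(c, 7, [3]), 2)[::2])   # (True, [3]): P3 repaired
```

With one cheated player and t = 2 the commitment is still accepted, but the accuser ends up holding the broadcast polynomial, so every honest share again equals f_0(i). Cheating on two players with t = 1 produces two accusers and the protocol fails, which is the "more than t accusations" rule doing its job.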

28 Actively Secure MPC from LSSS, cont'd
The techniques we have seen so far are good enough to do MPC from any LSSS for a Q3 adversary structure, with an exponentially small but non-zero error probability.
It is possible to get perfect security, but this requires an extra property: the given LSSS must be strongly multiplicative.
Definition: M is strongly multiplicative if, for every set A ∈ Γ, the set of players outside A (the honest players) is qualified in the LSSS defined by M ⊗ M.
It is not known whether, from an LSSS M for a Q3 adversary structure, we can build a strongly multiplicative M' not much larger than M. This is the major open problem in this area!
Note: it is known that there exists a strongly multiplicative LSSS for any Q3 structure, but is its size poly-related to the smallest LSSS for that structure?

29 Beyond LSSS?
The above construction yields an MPC protocol of complexity polynomial in the size of the given LSSS. Can we build MPC from ANY secret sharing scheme? Probably not!
[CDD00] Theorem: there exists no efficient black-box reduction building MPC from any secret sharing scheme; any such reduction must be inefficient for some access structures. The proof is by an advanced counting argument.
Open problem: the above shows that any general reduction from MPC to secret sharing must assume some special property of the secret sharing scheme used, such as linearity. Is there any other property that would suffice?

