Published by Horace Webster. Modified over 9 years ago.
1
Secure Multiparty Computation Basic Technology + Past, Present, Future Jesper Buus Nielsen Associate Professor Aarhus University Send comments and input to: jbn@cs.au.dk
2
Agenda
– A Brief History of MPC, including basic techniques and methodologies
– Grand Challenges
– Methodologies for the Future
3
A Brief History of MPC
– 1980s: Birth of a Research Field
– 1990s: Basic Feasibility Questions
– 2000s: Asymptotic Complexity
– 2010s: Towards Practice
– The Next Frontier: Practical Scalability
4
The Dark Ages (Before 1982)
Cryptography was concerned with protecting:
– Data in transport
– Data at rest
Example: Encryption
– A secret key: K
– A plaintext: M
– A ciphertext: C = E_K(M)
– The ciphertext does not reveal any information about the plaintext if you do not know the key
5
1980s: Birth of a Research Field
1982, Andrew Yao (Turing Award): “Protocols for Secure Computation”
Whatever two parties can compute together, they can also compute together in such a way that none of them learns more than the desired output.
6
1980s: Birth of a Research Field
1982 Garbled Circuits – Andrew Yao, “Protocols for Secure Computation”
1987-89 (Unconditionally secure) Multiparty Computation – Goldreich, Micali, Wigderson; Chaum, Crépeau, Damgård; Ben-Or, Goldwasser, Wigderson; Rabin, Ben-Or
1988 Founding Cryptography on Oblivious Transfer – Joe Kilian
7
Are we Ready?
a=1 : Army A is ready; a=0 : Army A is not ready
b=1 : Army B is ready; b=0 : Army B is not ready
r = a × b
r=1 : Both are ready; r=0 : One or both not ready
(Diagram: the output is r=0, and Army B asks: a?)
9
Garbling
a=1 : Army A is ready; a=0 : Army A is not ready
b=1 : Army B is ready; b=0 : Army B is not ready
The garbler picks random labels A0, A1 for wire a and B0, B1 for wire b and encrypts the truth table of r = a × b:
C_00 = E_A0(E_B0(0))
C_01 = E_A0(E_B1(0))
C_10 = E_A1(E_B0(0))
C_11 = E_A1(E_B1(1))
(Diagram: the four entries C_11, C_01, C_00, C_10 are sent in shuffled order; the evaluator holds A1 and B0, obtains its own label among B0/B1 by Oblivious Transfer, and decrypts exactly one entry to r=0. Army B still asks: a?)
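The garbled AND gate of the slide above, as an added example (not code from the talk). The nested E_A(E_B(.)) double encryption is implemented here as a single keyed hash of both labels plus a gate identifier, each plaintext carries fifteen zero bytes so that a wrong key pair is detected, and the oblivious transfer by which the evaluator would fetch its own label is assumed and simulated by handing over the chosen label directly. Label length, gate id and function names are choices made for this example.

```python
import hashlib
import secrets

LABEL_LEN = 16   # bytes per wire label (hypothetical choice for the demo)
PAD_LEN = 15     # zero bytes appended to the 1-bit output so a wrong key pair is detected

def _pad(label_a: bytes, label_b: bytes, gate_id: bytes) -> bytes:
    """Double-key pad: the nested E_A(E_B(.)) of the slide is realised as one
    keyed hash of both labels plus a gate identifier (simplification)."""
    return hashlib.sha256(label_a + label_b + gate_id).digest()[: 1 + PAD_LEN]

def encrypt_entry(label_a: bytes, label_b: bytes, gate_id: bytes, bit: int) -> bytes:
    plaintext = bytes([bit]) + b"\x00" * PAD_LEN
    return bytes(p ^ k for p, k in zip(plaintext, _pad(label_a, label_b, gate_id)))

def decrypt_entry(label_a: bytes, label_b: bytes, gate_id: bytes, ct: bytes):
    """Returns the output bit, or None when this entry was made for other labels."""
    plaintext = bytes(c ^ k for c, k in zip(ct, _pad(label_a, label_b, gate_id)))
    if plaintext[1:] != b"\x00" * PAD_LEN or plaintext[0] not in (0, 1):
        return None
    return plaintext[0]

def garble_and_gate(gate_id: bytes = b"are-we-ready"):
    """Garbler (Army A): fresh random labels A0, A1, B0, B1 and the four entries
    C_ab = E_Aa(E_Bb(a AND b)), shuffled so that the position reveals nothing."""
    labels_a = (secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN))
    labels_b = (secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN))
    table = [encrypt_entry(labels_a[a], labels_b[b], gate_id, a & b)
             for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(table)
    return labels_a, labels_b, table

def evaluate_and_gate(label_a: bytes, label_b: bytes, table,
                      gate_id: bytes = b"are-we-ready") -> int:
    """Evaluator (Army B): holds exactly one label per wire, so exactly one entry opens;
    the labels carry no information about which bit they encode."""
    hits = [r for r in (decrypt_entry(label_a, label_b, gate_id, ct) for ct in table)
            if r is not None]
    if len(hits) != 1:
        raise ValueError("expected exactly one decryptable entry, got %d" % len(hits))
    return hits[0]

def are_we_ready(a: int, b: int) -> int:
    """Army A garbles and sends the table plus its own label A_a; Army B's label B_b
    would come from oblivious transfer (assumed here, simulated by direct selection)."""
    labels_a, labels_b, table = garble_and_gate()
    return evaluate_and_gate(labels_a[a], labels_b[b], table)

if __name__ == "__main__":
    for a in (0, 1):
        for b in (0, 1):
            print("a=%d b=%d -> r=%d" % (a, b, are_we_ready(a, b)))
```

Because the evaluator holds only one label per input wire, it can open only the entry for the actual inputs, which is why with r=0 it still cannot tell whether a was 0 or 1.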
10
1980s: Birth of a Research Field
1982 Garbled Circuits – Andrew Yao, “Protocols for Secure Computation”
1987-89 (Unconditionally secure) Multiparty Computation – Goldreich, Micali, Wigderson; Chaum, Crépeau, Damgård; Ben-Or, Goldwasser, Wigderson; Rabin, Ben-Or
1988 Founding Cryptography on Oblivious Transfer – Joe Kilian
11
Multiparty Computation
Now there are n parties. Each has its own private input. They compute a function of all inputs, for instance: Are we all ready?
The protocol can tolerate that any minority of the parties collude, pool their view of the protocol run and even deviate from the protocol, and still guarantee:
– Correctness: The output is correct
– Privacy: The colluding parties learn no information beyond the output
– Termination: The corrupted parties cannot prevent the computation from completing
12
Secret Sharing
We have a secret M to share between two parties P1 and P2. Assume that M=0 or M=1.
– Pick a random integer S2 between 0 and 1,000,000,000,000
– Let S1 = M - S2
– Give S1 to P1 and give S2 to P2
No party gets information on M. Together they can compute M = S1 + S2.
13
Secret Sharing vs. Encryption
Given a ciphertext C=E_K(M) one can in principle always find M
– Exhaustive search for K
– Insecurity of E?
From any secret share no information can be deduced about the secret, even with unlimited computing power
– There is no information present at any individual party
– According to the laws of physics
14
Secret Sharing
We have a secret M to share between three parties P1, P2, P3. Assume that M=0 or M=1.
– Pick random integers S1 and S2 between 0 and 1,000,000,000,000
– Let S3 = M - S1 - S2
– Give Si to Pi
No two parties get information on M even if they pool their shares. Together they can compute M = S1 + S2 + S3.
15
Multiparty Computation: Addition
a = a1 + a2 + a3 and b = b1 + b2 + b3, where party i holds ai and bi
a+b = (a1+b1) + (a2+b2) + (a3+b3)
c1 = a1+b1, c2 = a2+b2, c3 = a3+b3 (each computed locally by party i)
c = c1 + c2 + c3, so a+b = c
16
Multiparty Computation: Multiplication
a = a1 + a2 + a3 and b = b1 + b2 + b3
ab = a1b1 + a1b2 + a1b3 + a2b1 + a2b2 + a2b3 + a3b1 + a3b2 + a3b3
c = c1 + c2 + c3
(Diagram: the diagonal terms a1b1, a2b2, a3b3 are local to party i; a cross term such as a1b2 involves a1 held by party 1 and b2 held by party 2.)
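The secret sharing of slides 12 and 14 and the share-wise addition and multiplication of slides 15 and 16, as an added example (not code from the talk or from VIFF). Two assumptions made here: shares live modulo a prime P rather than in the integer range of the slides, which makes every share exactly uniform, and, since the slides do not say how the cross terms ai·bj are computed, each party is given two of the three shares (replicated layout), so that every one of the nine terms is local to some party while a single party still learns nothing. The zero-sharing used to re-randomise product shares would in practice be derived from pairwise PRF keys; here it is drawn at random.

```python
import secrets

P = (1 << 61) - 1   # prime modulus (assumption: slides share over the integers; mod P gives uniform shares)

def share(m: int) -> list:
    """Additive sharing of the slide: s1 + s2 + s3 = m; any two shares are uniform random."""
    s1, s2 = secrets.randbelow(P), secrets.randbelow(P)
    return [s1, s2, (m - s1 - s2) % P]

def reconstruct(shares) -> int:
    return sum(shares) % P

def replicate(shares) -> list:
    """Replicated layout (assumption): party i holds (s_i, s_{i+1}). One party still sees only
    two of three uniform shares, so 1-out-of-3 privacy is kept, and every a_i*b_j is local to someone."""
    return [(shares[i], shares[(i + 1) % 3]) for i in range(3)]

def add_local(a_rep, b_rep) -> list:
    """Slide 15: c_i = a_i + b_i, computed locally with no communication."""
    return [((a0 + b0) % P, (a1 + b1) % P) for (a0, a1), (b0, b1) in zip(a_rep, b_rep)]

def zero_shares() -> list:
    """r1 + r2 + r3 = 0. In a real protocol s_i comes from a PRF key shared by parties i and i+1;
    here the three pairwise values are constructed at random."""
    s = [secrets.randbelow(P) for _ in range(3)]
    return [(s[i] - s[(i - 1) % 3]) % P for i in range(3)]

def mul_local(a_rep, b_rep) -> list:
    """Slide 16: ab is the sum of nine terms a_i*b_j. Party i computes
    a_i b_i + a_i b_{i+1} + a_{i+1} b_i; over the three parties each of the nine terms occurs once.
    A zero-share r_i re-randomises c_i before it is sent to party i-1 to restore the replicated layout."""
    r = zero_shares()
    c = []
    for i in range(3):
        (a_i, a_next), (b_i, b_next) = a_rep[i], b_rep[i]
        c.append((a_i * b_i + a_i * b_next + a_next * b_i + r[i]) % P)
    return [(c[i], c[(i + 1) % 3]) for i in range(3)]

def open_rep(rep) -> int:
    """Opening: every party publishes its first share; their sum is the secret."""
    return sum(pair[0] for pair in rep) % P

def mpc_add_and_mul(a: int, b: int):
    """Share a and b, compute a+b and a*b on shares, open both results."""
    a_rep, b_rep = replicate(share(a)), replicate(share(b))
    return open_rep(add_local(a_rep, b_rep)), open_rep(mul_local(a_rep, b_rep))

if __name__ == "__main__":
    print("ready?", mpc_add_and_mul(1, 1)[1])   # a*b = 1 only when both are ready
    print("sum, product:", mpc_add_and_mul(20, 30))
```

Addition needs no messages at all, which is the point of slide 15; multiplication needs one round in which each party forwards one re-randomised value, and the re-randomisation is what keeps a forwarded product share from leaking anything about the other parties' inputs.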
18
Multiparty Computation vs. Garbled Circuits and OT-Based MPC
Garbling and OT-Based MPC
– Can tolerate 1 corrupted party out of 2
– In general n-1 corruptions out of n
– Only computational security
Unconditional Multiparty Computation
– Can only tolerate 1 out of 3 corrupted parties
– In general any < n/2 corruptions out of n
– Has unconditional security
– Generally faster
19
A Brief History of MPC
– 1980s: Birth of a Research Field
– 1990s: Basic Feasibility Questions
– 2000s: Asymptotic Complexity
– 2010s: Towards Practice
– The Next Frontier: Practical Scalability
20
What is Possible? (ignore efficiency)
There now followed a period of investigating basic feasibility results: Which functions can in principle be computed securely in a given context?
21
What is Possible? (ignore efficiency)
Which functions:
– All versus low depth
How securely:
– Correctness, Privacy, Termination, Fairness, …
– n-1, n/2, n/3, … corruptions out of n; general adversary structures, asymmetric trust, …
– Computational versus unconditional security
– Mobile versus stationary adversaries
– Active versus adaptive corruptions
– Malicious security, fail-stop security, semi-honest security
Given context:
– Synchronous versus asynchronous communication
– Secure channels versus open channels
– Stand-alone versus concurrent composition
– Complete network versus sparse networks
22
What is Possible? (ignore efficiency)
The main structure of feasibility is by now fairly well understood. Many important open problems remain:
– Cryptographic program obfuscation???
– Constant-round unconditional MPC
– Non-interactive client-server computation
– Individual privacy-preserving data mining
– …
23
A Brief History of MPC
– 1980s: Birth of a Research Field
– 1990s: Basic Feasibility Questions
– 2000s: Asymptotic Complexity
– 2010s: Towards Practice
– The Next Frontier: Practical Scalability
24
So it is possible, but What does it Cost?
At some point the main quest became asymptotic complexity analysis.
Define: C(s, n) = number of bits you need to communicate to securely evaluate a function f of size s among n parties, tolerating t < n/3 active corruptions, using the best possible protocol.
Task: Compute the function C(s, n).
25
So it is possible, but What does it Cost?
Don’t compute C(n) exactly, just find out the general behaviour: is it like C(n)=2n or C(n)=n^2 or C(n)=2^n? Ignore all constants.
– Upper bounds: Give a better protocol
– Lower bounds: Prove that no better protocol exists
26
What is the Asymptotic Methodology About?
Methodology from algorithmics. Rationale: 1000000 n >> 1000 n^2 >> 2^n
– Constants do not matter, because linear will always eventually beat polynomial, which will always eventually beat exponential, when the input size grows
– Constants will be eaten by Moore’s law
– Ignoring irrelevant details facilitates thinking freely out of the box
Has been tremendously successful in coming up with fundamentally new techniques which also fly in practice.

        n=10     n=100                                        n=1000
2n      20       200                                          2000
n^2     100      10,000                                       1,000,000
2^n     ~1000    ~1,000,000,000,000,000,000,000,000,000,000   INFINITY
27
So it is possible, but What does it Cost?
Example line of work, by the speaker and co-authors Ivan Damgård, Martin Hirt, Yuval Ishai, Mikkel Krøigaard, Adam Smith.
C(s, n): size(f)=s, n parties, t < n/3 corruptions, bits communicated:
– 2001: s × n^3
– 2005: s × n^2
– 2006: s × n
– 2008: s
Along the way we developed many new tools and tricks that are being used in today’s practical protocols!
28
Problems with the Asymptotic Methodology in MPC
Big constants do not always amortize away. In algorithmics the input size does seem to keep growing, but some important parameters in MPC do not seem to grow fast enough to justify asymptotics:
– Security parameter k: Do we ever want 1000-bit statistical security?
– Number of parties n: Will we ever run MPC between 1000 servers? Often a fixed number of parties is given by the constant
29
Problems with the Asymptotic Methodology in MPC
Data and systems will always grow to exhaust the available resources
– Large constants will not eventually be swallowed by advances in technology
– Even a factor 100 overhead makes general secure computation impractical
Example study: at > 10% overhead, users turn off security.
Constants matter!
30
What does it really Cost?
C(f, n): size(f)=s, n parties, t < n/3 corruptions, bits communicated. Educated guesses at orders of magnitude:
– 2001: 100 × s × n^3
– 2005: 10^4 × s × n^2
– 2006: 10^6 × s × n
– 2008: 10^8 × s
31
Asymptotics vs. Practice
Another example, for two parties + malicious security.
– Security parameter k: Size of encryption keys
– Security parameter s: Bad stuff can happen with probability 2^-s
In theory we know how to do: size(f) × k
In practice the best protocols are:
– Forge-and-Lose Garbling: size(f) × k × s – Lindell
– TinyOT: size(f) × k × s / log(size(f)) – Speaker, Nordholt, Orlandi, Burra
32
Future of Asymptotics
Many important open questions:
– Constant overhead with n-1 corruptions?
– Constant overhead with any constant fraction of honest parties?
– Oblivious Transfer extension with constant overhead for bit-OT?
– Lower bounds!! What is not possible?
– Better measures
Will keep producing many fundamentally new techniques which also fly in practice.
33
A Brief History of MPC
– 1980s: Birth of a Research Field
– 1990s: Basic Feasibility Questions
– 2000s: Asymptotic Complexity
– 2010s: Towards Practice
– The Next Frontier: Practical Scalability
34
Are we Ready?
2004 Fairplay – Malkhi, Nisan, Pinkas, Sella
– First prototype implementation of Yao garbling
– Two parties, semi-honest security
2008 FairplayMultiParty – Ben-David, Nisan, Pinkas
– As above + multiple parties
2008 Not Named! – Lindell, Pinkas, Smart
– Prototype implementation of Yao garbling
– Two parties, active security
2008 Sharemind
Ran on toy examples, but we now had actual running prototypes!
35
2009: We are Ready!
“Secure Two-Party Computation is Practical” – Pinkas, Schneider, Smart, Williams
– Garbling, two parties, malicious security, moderately complicated functions, “fast”
The VIFF Framework – Speaker, Damgård, Geisler, Krøigaard
– Framework in Python for programming multiparty computation with malicious security
The Commodity Contract Auction – The speaker and eleven collaborators
– Report on the implementation of a three-party MPC solution used to clear the Danish market for contracts on an agricultural commodity
– First commercial application of MPC
36
2009: We are Ready!
And implementations for special domains:
Medical Applications – Barni, Failla, Kolesnikov, Lazzeretti, Paus, Sadeghi, Schneider, Kolesnikov
Face Recognition – Sadeghi, Schneider, Wehrenberg
37
2010s: The Practical Explosion
2010: TASTY – Henecka, Kögl, Sadeghi, Schneider, Wehrenberg
– Compiler, garbling, homomorphic encryption
2011: Sharemind used for financial data analysis – Bogdanov, Talviste, Willemson
– Three parties, semi-honest, MPC
2011: MightBeEvil – Huang, Evans, Katz, Malka
– Framework, garbling, two parties, malicious
2012: TinyOT – Speaker, Nordholt, Orlandi, Burra
– OT-based, two parties, malicious security, gigasized functions
By 2012 all the main pillars (garbling, unconditional MPC, OT-based MPC and homomorphic encryption) had been implemented in practice, and there are now innumerable prototypes and frameworks out there.
38
First Spin-Offs
2008 Partisia (Market Design) – Speaker and 11 other co-founders
– Still runs the MPC solution for clearing contracts on the commodity market
2008 Sharemind – Cybernetica
– A three-party, semi-honest secure MPC solution for privacy-preserving data mining
– Splits sensitive data over three servers using secret sharing and computes on it with MPC
2015 Dyadic Security – Yehuda Lindell, Nigel Smart
– Splits sensitive data using MPC, for instance to protect against server breaches
2015 Sepior – Speaker and a finite set of other co-founders...
– Uses MPC to implement a SaaS solution for key management in the cloud
39
State of Practice
Either small data
– E.g. Partisia Market, Dyadic
or a small number of parties
– E.g. Partisia Market, Dyadic, Sharemind
or a simple, special-case function
– E.g. Partisia Market, Sepior, Dyadic
or only semi-honest security
– E.g. Partisia Market, Sharemind
40
Grand Challenge: Practical Scalability
Big Data
– Petabyte data with 1-out-of-3 active security and a moderately complex general function?
Complex Functions
– How do we evaluate a terasized function (two parties, active security, say)?
Many Parties
– We have good solutions for two and three parties, but what about 10, 20, 30?
Many Technologies and Models
– Data encrypted at collection time and staying encrypted throughout the lifetime of the data / system
– Move between the best technologies for the given sub-problem
– Should also integrate with existing technology with different trust models and possibly lower security
41
Grand Challenge: Practical Scalability
The scalability problems we face mean that we do not just have to improve running time by a small or medium factor through better implementation/engineering of existing techniques
– We need many orders of magnitude!
We need to develop fundamentally new techniques. This means: more fundamental research.
42
Grand Challenge: Trade-offs
Understand and exploit trade-offs
– For instance, by leaking some non-sensitive data, can we handle bigger data, functions, …?
– Can we automatically identify non-sensitive data?
– Can we make tools that help us reason about sensitive versus non-sensitive data?
– Other trade-offs...
43
Grand Challenge: Compiler and Friends
High-Level Language and Compiler Support
– We are decades behind general-purpose compilers
Static Analysis to Support Development
– Understanding the security of a COED program
– Optimization, mapping parts to the right technology, what is not sensitive, …
Linker
– Diverse tools
– Diverse technologies
– Diverse trust models
– What are the right interfaces between modules?
– Models and tools for reasoning at a module level
44
A Methodology for the Future: Prototype-Steered Fundamental Research
Feasibility and asymptotic analysis have been tremendously successful
– Have produced many fundamentally new techniques that also fly in practice
– Can inspire practical techniques
– If not guided, they often run into the woods, never to be seen again
Use prototyping to mitigate the cons
– Does not mean every new idea must be demoed, but having demoability of the best ideas as a goal keeps a healthy direction
– Product development cannot act as the same guiding principle: it focuses on too low-level details or completely irrelevant details. Details regarding market readiness and good system development are very important in other contexts, but a straitjacket for producing fundamentally new techniques
Prototyping helps develop better measures for theory
45
Another Methodology for the Future: Industry-Driven Problem Formulation
Let us take some of the things we have been prototyping and turn them into actual products with industrial partners
– Even better: Go make some companies!
Feedback to the fundamental research line:
– If we can do this, why can’t we then do that?
– Realize which bottlenecks matter in practice
– Find practical but restricted problem settings
46
Oh, I Forgot: Models
All our current security models have one or more of the following two properties:
– Proving security in the model does guarantee that the protocol is secure in real life!! In particular if the protocol is adversarially chosen
– Natural protocols which we think are secure cannot be proven secure in the model!?
Someone should do something about that, but it is not really a COED problem.
47
Future of MPC
All stages in the supply line are still active and important
– Birth
– Basic Feasibility Questions
– Asymptotic Complexity
– Prototyping
– Scalability in Practice
Areas in Biggest Need of a Boost:
– Practical Scalability
– Compiler and Language Support
Methodologies for the Future:
– Prototype-Steered Asymptotic Analysis
– Industry-Driven Problem Formulation