Secure Computation Lecture 15-16 Arpita Patra. Recap > Shamir Secret-sharing > BGW Protocol based on secret-sharing > Offline/Online phase > Creating.


1 Secure Computation Lecture 15-16 Arpita Patra

2 Recap
> Shamir Secret-sharing
> BGW Protocol based on secret-sharing
> Offline/Online phase
> Creating offline material and how to use them in online phase (Beaver's trick etc.)
>> i.t MPC with Honest Majority
>> i.t MPC with Dishonest Majority Impossible
>> Crypto MPC
> OT (from PKE with public-key samplability / Dual-mode Encryption)
> GMW (2 and n-party) Protocol from OT and additive secret-sharing
> Optimizations of GMW - preprocessing OT, Domain Extension, OT Extension (IKNP/KK13)
> Yao Protocol using garbled circuit and OT
> Optimizations - point-and-permute, garbled row reduction, Free-XOR
> Multi-party Yao i.e. BMR

3 Entering into the world of Malicious Adversary

4 i.t Multi-party Computation [BGW]
1. (n, t)-secret share each input
2. Find (n, t)-sharing of each intermediate value
   Linear gates: Linearity of Shamir Sharing - Non-Interactive
   Non-linear gate: Require degree-reduction Technique. Interactive
3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other
[Figure: example circuit]

5 Sharing Phase: (n,t)-Secret-Sharing
Random polynomial of degree t over F_p s.t. p > n
[Figure: parties P1, P2, P3, …, Pn receive the shares x1, x2, x3, …, xn]

6 Secret Sharing with Malicious Dealer
[Figure: the parties receive inconsistent shares]
Shamir Sharing: Points on a polynomial of degree more than t
Duality: An honest dealer must pass where a malicious one should fail
Verifiable Secret Sharing (VSS)

7 Reconstruction Phase: (n,t)-Shamir-sharing
[Figure: parties P1, P2, P3, …, Pn send their shares x1, x2, x3, …, xn to Pi]
Lagrange's Interpolation
The same is done for all P_i

8 Reconstruction Phase: (n,t)-Shamir-sharing
Malicious A_t
Verifiable Secret Sharing (VSS) handles this too!

9 Definition of VSS [CGMA85]
Extends Secret Sharing to the case of malicious corruption
[Figure: in the Sharing Phase the Dealer, holding secret s, hands out v1, v2, v3, …, vn; the Reconstruction Phase outputs secret s. Labels: "s is secure", "s is committed"]

10 Definition of VSS [CGMA85] Continued..
n parties P = {P_1, …, P_n}, dealer D (e.g., D = P_1)
t corrupted parties (possibly including D): A_t
Secrecy - If D is honest, then A_t has no information about secret s during the Sharing phase
Correctness - If D is honest, then secret s will be correctly reconstructed during reconstruction phase
Strong Commitment - Corrupted D commits a unique s* - s* should be uniquely reconstructed

11 SS to VSS
SS: A_t is semi-honest; Dealer is honest
SS with Cheaters / Honest Dealer VSS: A_t is malicious; Dealer is honest
VSS: A_t is malicious; Dealer may be controlled by A_t!

12 i.t Multi-party Computation
1. (n, t)-secret share each input
2. Find (n, t)-sharing of each intermediate value
   Linear gates: Linearity of Shamir Sharing - Non-Interactive
   Non-linear gate: Require degree-reduction Technique. Interactive
3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other
[Figure: example circuit]

13 Secure Multiplication Gate Evaluation
[Figure: parties P1, P2, P3, …, Pn hold shares x1, x2, x3, …, xn of x on f_1(x) and shares y1, y2, y3, …, yn of y on f_2(x)]
x_1 · y_1 = z_1, x_2 · y_2 = z_2, x_3 · y_3 = z_3, …, x_n · y_n = z_n
f(x) = f_1(x) · f_2(x) of degree 2t
Recombination Vector (r_1, …, r_n) where

14 Secure Multiplication Gate Evaluation
[Figure: parties P1, P2, P3, …, Pn hold shares x1, x2, x3, …, xn of x on f_1(x) and shares y1, y2, y3, …, yn of y on f_2(x)]
x_1 · y_1 = z_1, x_2 · y_2 = z_2, x_3 · y_3 = z_3, …, x_n · y_n = z_n
f(x) = f_1(x) · f_2(x) of degree 2t
Shamir-share z_1, z_2, z_3, …, z_n
Recombination Vector (r_1, …, r_n)
r_1 z_1 + … + r_n z_n = xy

15 Secure Multiplication Gate Evaluation
[Figure: parties P1, P2, P3, …, Pn hold shares x1, x2, x3, …, xn of x on f_1(x) and shares y1, y2, y3, …, yn of y on f_2(x)]
x_1 · y_1 = z_1, x_2 · y_2 = z_2, x_3 · y_3 = z_3, …, x_n · y_n = z_n
f(x) = f_1(x) · f_2(x) of degree 2t
VSS-share z_1, z_2, z_3, …, z_n
Recombination Vector (r_1, …, r_n)
r_1 z_1 + … + r_n z_n = xy

16 Secure Multiplication Gate Evaluation
[Figure: parties P1, P2, P3, …, Pn hold shares x1, x2, x3, …, xn of x on f_1(x) and shares y1, y2, y3, …, yn of y on f_2(x)]
x_1 · y_1 = z_1, x_2 · y_2 = z_2, x_3 · y_3 = z_3, …, x_n · y_n = z_n
f(x) = f_1(x) · f_2(x) of degree 2t
VSS-share z_1, z_2, z'_3, …, z'_n
Recombination Vector (r_1, …, r_n)
r_1 z_1 + … + r_n z'_n = z
O1: Prevent them from doing this. n ≥ 2t+1
O2: Find a mechanism so that we can correct the errors - n ≥ 3t+1
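
The multiplication gate of slides 13-16 as runnable code (an added example, not part of the lecture slides): parties multiply shares locally, re-share the products, and combine with the recombination vector, here taken to be the standard Lagrange coefficients at 0 for evaluation points 1..n. The modulus `P`, the function names and the `cheat` parameter are assumptions made for this illustration.

```python
import random

P = 2_147_483_647  # prime modulus, assumed; the slides only require p > n

def share(secret, n, t, rng):
    """(n, t)-Shamir sharing: party i gets f(i), f random of degree t, f(0) = secret."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return [sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)]

def recombination_vector(m):
    """Lagrange coefficients r_i with f(0) = sum_i r_i * f(i), i = 1..m, for deg f < m."""
    r = []
    for i in range(1, m + 1):
        num = den = 1
        for j in range(1, m + 1):
            if j != i:
                num, den = num * j % P, den * (j - i) % P
        r.append(num * pow(den, -1, P) % P)
    return r

def reconstruct(shares):
    """Interpolate f(0) from the shares of parties 1..len(shares)."""
    return sum(r * s for r, s in zip(recombination_vector(len(shares)), shares)) % P

def multiply_gate(xs, ys, t, rng, cheat=None):
    """Degree reduction: returns a fresh (n, t)-sharing of x*y (needs n >= 2t+1).
    cheat=(i, delta) models party i+1 re-sharing z_i + delta instead of z_i."""
    n = len(xs)
    r = recombination_vector(n)
    z = [x * y % P for x, y in zip(xs, ys)]      # local products lie on f1*f2, degree 2t
    if cheat is not None:
        z[cheat[0]] = (z[cheat[0]] + cheat[1]) % P
    sub = [share(zi, n, t, rng) for zi in z]     # each party Shamir-shares its z_i
    # party j combines the sub-shares it received with the public recombination vector
    return [sum(r[i] * sub[i][j] for i in range(n)) % P for j in range(n)]

if __name__ == "__main__":
    rng = random.SystemRandom()                  # OS randomness for the polynomials
    n, t = 5, 2                                  # constructed demo values
    xs, ys = share(7, n, t, rng), share(6, n, t, rng)
    print(reconstruct(multiply_gate(xs, ys, t, rng)[:t + 1]))    # honest run
    print(reconstruct(multiply_gate(xs, ys, t, rng, (0, 5))))    # one altered z_i
```

With plain Shamir re-sharing nothing ties the value a party re-shares to its true z_i, so a single altered input shifts the reconstructed product by r_i times the offset; this is the gap the VSS-based re-sharing on slides 15-16 addresses.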

17 i.t Multi-party Computation
1. (n, t)-secret share each input
2. Find (n, t)-sharing of each intermediate value
   Linear gates: Linearity of Shamir Sharing - Non-Interactive
   Non-linear gate: Require degree-reduction Technique. Interactive
3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other
[Figure: example circuit]
VSS with n ≥ 3t+1
For perfect security n ≥ 3t+1 is necessary and sufficient.

18 Perfect VSS with n ≥ 3t+1
Basis: Bivariate Polynomial of degree t in x,y - F(x,y) | Univariate Polynomial of degree t in x - f(x)
ith share: F(x,i) & F(i,y) | f(i)
Secret: F(0,0) | f(0)
t F(x,i)'s and F(i,y)'s will leak NO info about F(0,0) | t f(i)'s will leak NO info about f(0)
t+1 F(x,i)'s (F(i,y)'s) will completely determine F(x,y) - Lagrange's formula | t+1 f(i)'s will completely determine f(x) - Lagrange's formula
[Figure: Pi holds F(x,i) and F(i,y); Pj holds F(x,j) and F(j,y); the pair compares F(j,i) and F(i,j)]
Ensure every pair Happy

19 Perfect VSS with n ≥ 3t+1
Basis: Bivariate Polynomial of degree t in x,y - F(x,y) | Univariate Polynomial of degree t in x - f(x)
ith share: F(x,i) & F(i,y) | f(i)
Secret: F(0,0) | f(0)
t F(x,i)'s and F(i,y)'s will leak NO info about F(0,0) | t f(i)'s will leak NO info about f(0)
t+1 F(x,i)'s (F(i,y)'s) will completely determine F(x,y) - Lagrange's formula | t+1 f(i)'s will completely determine f(x) - Lagrange's formula
F(0,y) and F(x,0): Two random univariate polynomials of degree at most t with the secret F(0,0) as the constants.
Pi has F(0,i) and F(i,0) - Shamir share of F(0,0)
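
The bivariate sharing and the pairwise "happy" check of slides 18-19, as an added example that is not part of the lecture slides. It covers only the dealing step and the consistency comparison, not the full multi-round VSS protocol; the modulus `P` and all function names are assumptions made for this illustration.

```python
import random

P = 2_147_483_647  # prime modulus, assumed; the slides only require p > n

def ev(coeffs, x):
    """Evaluate a polynomial given by its coefficient list (lowest degree first)."""
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

def deal(secret, n, t, rng):
    """Dealer: random F(x,y) of degree t in x and in y with F(0,0) = secret.
    Party i receives (coefficients of F(x,i), coefficients of F(i,y))."""
    a = [[rng.randrange(P) for _ in range(t + 1)] for _ in range(t + 1)]
    a[0][0] = secret % P                         # a[k][l] multiplies x^k * y^l
    shares = {}
    for i in range(1, n + 1):
        row = [ev(a[k], i) for k in range(t + 1)]                    # F(x, i)
        col = [ev([a[k][l] for k in range(t + 1)], i)
               for l in range(t + 1)]                                # F(i, y)
        shares[i] = (row, col)
    return shares

def unhappy_pairs(shares):
    """Pairs (i, j) whose exchanged points F(j,i) or F(i,j) disagree."""
    bad = []
    for i in sorted(shares):
        for j in sorted(shares):
            if i < j:
                (row_i, col_i), (row_j, col_j) = shares[i], shares[j]
                same_ji = ev(row_i, j) == ev(col_j, i)   # both should equal F(j, i)
                same_ij = ev(col_i, j) == ev(row_j, i)   # both should equal F(i, j)
                if not (same_ji and same_ij):
                    bad.append((i, j))
    return bad

def shamir_shares_of_secret(share_i):
    """P_i's pair (F(0,i), F(i,0)): the constant terms of its two polynomials."""
    row, col = share_i
    return row[0], col[0]

if __name__ == "__main__":
    rng = random.SystemRandom()                  # OS randomness for the polynomial
    shares = deal(1234, 4, 1, rng)               # constructed demo: n = 4, t = 1
    print(unhappy_pairs(shares))                 # consistent dealing: no unhappy pair
    row, col = shares[3]                         # model an inconsistent F(x,3) for P3
    shares[3] = ([(row[0] + 1) % P] + row[1:], col)
    print(unhappy_pairs(shares))                 # every pair involving P3 is flagged
```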

20 Rest on the board
Matrix view of bivariate polynomial
Claim: t F(x,i)'s and t F(i,y)'s will leak NO info about F(0,0).
Claim: (t+1) F(x,i)'s or (t+1) F(i,y)'s completely determine F(x,y).
Six round VSS and proof
Reducing the number of rounds to four

21 Feasibility of VSS
How big t is compared to n?
Adversary (A_t) | Characterization | Round Complexity (Sharing Phase), No. of Interaction
Polynomially Bounded Adversary | n ≥ 2t + 1, t ≥ 1 | 2
Unbounded Adversary and no error allowed | n ≥ 3t + 1, t ≥ 1 | 3
Unbounded Adversary and error allowed in reconstruction | n ≥ 2t + 1, t ≥ 1 | 3

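22 Interplay of Round Complexity and Fault tolerance in VSS
Adversary (A_t) | Characterization | Round Complexity
Polynomially Bounded Adversary | n ≥ 2t + 1, t ≥ 1 | 2
Polynomially Bounded Adversary | t = 1; n ≥ 4 | 1
Unbounded Adversary and no error allowed | n ≥ 3t + 1, t ≥ 1 | 3
Unbounded Adversary and no error allowed | n ≥ 4t + 1, t ≥ 1 | 2
Unbounded Adversary and no error allowed | t = 1; n ≥ 5 | 1
Unbounded Adversary and error allowed in reconstruction | n ≥ 2t + 1, t ≥ 1 | 3
Unbounded Adversary and error allowed in reconstruction | n ≥ 3t + 1, t ≥ 1 | 2
Unbounded Adversary and error allowed in reconstruction | t = 1; n ≥ 4 | 1
Unbounded Powerful Adversary
References on the slide: ASIACRYPT'11 [BKP]; CRYPTO'09 [PCRR], ASIACRYPT'10 [KPR]; STOC'01 [GIKT]; TCC'06 [FGGRS]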

23 Chalk & Talks
CT3 [BH08]: Perfectly secure MPC with Linear Communication Complexity. http://cs.au.dk/~vpastro/study_groups/spring_2011/papers/BeeHir08.pdf
CT4 [BFO12]: Near-Linear Unconditionally-Secure Multiparty Computation with a Dishonest Minority. http://eprint.iacr.org/2011/629
CT1 [PCRR09]: The Round Complexity of Verifiable Secret Sharing Revisited. http://eprint.iacr.org/2008/172
