
1 Secure Computation (Lecture 9-10) Arpita Patra

2 Recap
>> MPC with honest majority in i.t. settings
> Protocol using (n,t)-sharing, proof of security --- Feasibility Result
> Efficiency: Offline-online paradigm, Reduction of online phase to secret using raw material; Various Raw materials; Randomness extraction techniques; Linear Overhead MPC
>> Comp. MPC with n >= 2t+1 is useful (CDN)

3 Impossibility of i.t MPC with n<=2t
>> Do you first see that the protocols that we discussed so far will not work?
>> Generating triple sharing
>> Multiplication gate
>> Functions consisting of linear gates: no problem
>> (n,(2t,t))-sharing
>> Impossibility of i.t. for any function

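4 Impossibility of i.t MPC with n=2 for multiplication of bits
Setting: $P_0$ holds input $b_0$ and randomness $r_0$; $P_1$ holds input $b_1$ and randomness $r_1$. They exchange messages $m_0, m_1, m_2, m_3, \ldots, m_{2i}, m_{2i+1}, \ldots$ and compute $b_0 \cdot b_1$.
$T(b_0, b_1)$: the transcript of exchanged messages, a random variable over the random choice of the parties.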

5 Impossibility of i.t MPC with n=2 for multiplication of bits
Setting: $P_0$ (input $b_0$) and $P_1$ (input $b_1$) exchange $m_0, m_1, m_2, m_3, \ldots, m_{2i}, m_{2i+1}, \ldots$; the transcript is $T(b_0, b_1)$.
If $b_0 = 0$, then $T(b_0, b_1)$ should leak nothing about $b_1$. Otherwise corrupted $P_0$ can learn $b_1$: breach in perfect secrecy.
We show $P_0$ can learn $b_1$ even when $b_0 = 0$, and thus a breach in perfect secrecy.

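6 Impossibility of i.t MPC with n=2 for multiplication of bits
Setting: $P_0$ (input $b_0$) and $P_1$ (input $b_1$) exchange $m_0, m_1, m_2, m_3, \ldots, m_{2i}, m_{2i+1}, \ldots$; the transcript is $T(b_0, b_1)$.
If $b_1 = 0$, then $T(b_0, b_1)$ should leak nothing about $b_0$.
$P_0$'s side: ($b_0 = 0$, $r_0$) or ($b_0 = 1$, $r_1$).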

7 Impossibility of i.t. MPC with n=2 for multiplication of bits
Setting: $P_0$ holds $b_0 = 0$ and $r_0$; $P_1$ holds $b_1 = ??$; they exchange $m_0, m_1, m_2, m_3, \ldots, m_{2i}, m_{2i+1}, \ldots$ with transcript $T(b_0, b_1)$ and output $b_0 \cdot b_1$.
If $b_1 = 0$, there exists $r_1$ so that $T(b_0, b_1)$ is consistent with ($b_0 = 1$, $r_1$).
If $b_1 = 1$, there can NOT exist $r_1$ so that $T(b_0, b_1)$ is consistent with ($b_0 = 1$, $r_1$).

8 Impossibility of i.t. MPC with n=2 for multiplication of bits
Setting: $P_0$ holds ($b_0 = 0$, $r_0$); $P_1$ holds $b_1 = 1$; the transcript is $T(b_0, b_1)$ and the output is $b_0 \cdot b_1 = 0$.
Alternative for $P_0$: ($b_0 = 1$, $r_1$).
Same transcript -> same output!! But output should be 1. No correctness!
But since the protocol is correct……

9 Impossibility of i.t. MPC with n=2 for multiplication of bits
Setting: $P_0$ holds $b_0 = 0$; $P_1$ holds $b_1$; the transcript is $T(b_0, b_1)$.
Adversary's algorithm to find $b_1$:
1. Try to find a randomness $r_1$ so that $T(b_0, b_1)$ is consistent with ($b_0 = 1$, $r_1$)
2. If found, output $b_1 = 0$; else output $b_1 = 1$
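The adversary's algorithm from slide 9, run against a toy protocol, as an added example that is not part of the lecture. The three-message protocol, all function names and the exhaustive search over one-bit randomness are constructed for illustration; the protocol is correct and hides b0 from P1 whenever b1 = 0, which is the situation the slides reason about.

```python
import itertools

# Toy 2-party protocol for b0 AND b1 (constructed for this example).
#   m0: P0 sends a random pad r.
#   m1: P1 sends the pair (s, s XOR b1) for a random bit s.
#   m2: P0 sends entry number b0 of m1, masked with r.
# P1 outputs m2 ^ m0 ^ s, which equals b0 AND b1.
def p0_messages(b0, r, m1):
    """Messages P0 sends for input b0 and randomness r, given P1's message m1."""
    return r, m1[b0] ^ r

def run(b0, b1, r, s):
    """Execute the protocol; return (transcript, P1's output)."""
    m1 = (s, s ^ b1)
    m0, m2 = p0_messages(b0, r, m1)
    return (m0, m1, m2), m2 ^ m0 ^ s

def consistent(transcript, b0, r):
    """True if (b0, r) makes P0 send exactly the messages seen in the transcript."""
    m0, m1, m2 = transcript
    return p0_messages(b0, r, m1) == (m0, m2)

def guess_b1(transcript, randomness_space=(0, 1)):
    """Slide 9: look for r1 that makes the transcript consistent with b0 = 1."""
    found = any(consistent(transcript, 1, r1) for r1 in randomness_space)
    return 0 if found else 1

def attack_success_rate():
    """P0 always uses b0 = 0; count correct guesses over every (b1, r, s)."""
    cases = list(itertools.product((0, 1), repeat=3))
    hits = 0
    for b1, r, s in cases:
        transcript, out = run(0, b1, r, s)
        assert out == 0                       # correctness: 0 AND b1 = 0
        hits += guess_b1(transcript) == b1
    return hits, len(cases)

if __name__ == "__main__":
    print("correct guesses of b1: %d out of %d" % attack_success_rate())
```

The search only replays P0's own next-message function, so it applies unchanged to any protocol whose randomness space is small enough to enumerate.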

10 OT is impossible information theoretically. We get something for free
Diagram: $P_1$ (input $x_1$) feeds the pair $(0, x_1)$ into a 1-out-of-2 OT; $P_2$ (input $x_2$) uses $x_2$ as the choice bit; the OT output is $x_1 x_2$.

11 Secure Computation with Dishonest Majority
Boolean Circuit (AND, NOT, XOR (+)): $f(x_1, x_2, x_3, x_4)$; inputs are bits
Arithmetic Circuit over finite field (Addition (+) and Multiplication): $f(x_1, x_2, x_3, x_4)$; inputs are field elements
Tools: OT; Homomorphic / Semi-homomorphic Encryption
Constant Round Protocols; No Constant Round Protocols

12 1-out-of-2 Oblivious Transfer
Message Transfer: S inputs $m$; R receives $m$.
1-out-of-2 OT: S inputs $m_0, m_1$; R inputs $b$; R receives $m_b$.
S does not know $b$. R does not know $m_{1-b}$.

13 Ideal Functionality for OT
Inputs: $m_0, m_1$ and $b$. Output: $m_b$.

14 OT from CPA-secure PKE with Public Key Samplability [EvenGoldreichLempel85]
>> A public-key encryption scheme is a collection of 3 PPT algorithms $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$
Gen: input $1^n$; output $pk, sk \in \{0,1\}^n$. Syntax: $(pk, sk) \leftarrow \mathsf{Gen}(1^n)$. Randomized algo.
Enc: input $m \in \mathcal{M}$ and $pk$; output $c$. Syntax: $c \leftarrow \mathsf{Enc}_{pk}(m)$. Randomized algo.
Dec: input $c$ and $sk$; output $m$. Syntax: $m := \mathsf{Dec}_{sk}(c)$. Deterministic (w.l.o.g).
Except with a negligible probability over $(pk, sk)$ output by $\mathsf{Gen}(1^n)$, we require the following for every (legal) plaintext $m$: $\mathsf{Dec}_{sk}(\mathsf{Enc}_{pk}(m)) = m$

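15 CPA Security
$\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$. Attacker: "I can break $\Pi$". Challenger: "Let me verify".
Indistinguishability experiment $\mathsf{PubK}^{cpa}_{A,\Pi}(n)$ with PPT attacker $A$:
1. The challenger runs $\mathsf{Gen}(1^n)$ and holds $pk, sk$; $A$ is given $pk$. (In the real-world, everyone including the attacker will have the public key $pk$.)
2. $A$ outputs $m_0, m_1$ with $|m_0| = |m_1|$.
3. The challenger picks $b \leftarrow \{0,1\}$ and sends $c \leftarrow \mathsf{Enc}_{pk}(m_b)$.
4. $A$ outputs $b' \in \{0,1\}$ (attacker's guess about encrypted message).
Game output: 1 if $b = b'$ (attacker won); 0 if $b \neq b'$ (attacker lost).
$\Pi$ is CPA-secure if for every PPT attacker $A$ taking part in the above experiment, the probability that $A$ wins the experiment is at most negligibly better than ½: $\Pr[\mathsf{PubK}^{cpa}_{A,\Pi}(n) = 1] \le \tfrac12 + \mathsf{negl}(n)$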

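16 PKE with Public Key Samplability
>> A public-key encryption scheme is a collection of 5 PPT algorithms $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec}, \mathsf{oGen}, \mathsf{fGen})$
oGen: input $1^n$; output $pk, r$. Syntax: $(pk, r) \leftarrow \mathsf{oGen}(1^n)$
fGen: input $pk$, where $(pk, sk) \leftarrow \mathsf{Gen}(1^n)$; output $r'$. Syntax: $r' \leftarrow \mathsf{fGen}(pk)$
$(pk, r')$ and $(pk, r)$ look indistinguishable.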

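17 Key Samplability
$\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec}, \mathsf{oGen}, \mathsf{fGen})$. Attacker: "I can break $\Pi$".
Indistinguishability experiment $\mathsf{PubK}^{ksamp}_{A,\Pi}(n)$ with PPT attacker $A$:
1. The challenger picks $b \leftarrow \{0,1\}$.
2. Depending on $b$, the challenger computes either $(pk, sk) \leftarrow \mathsf{Gen}(1^n)$, $r \leftarrow \mathsf{fGen}(pk)$, or $(pk, r) \leftarrow \mathsf{oGen}(1^n)$, and gives $(pk, r)$ to $A$.
3. $A$ outputs $b' \in \{0,1\}$.
Game output: 1 if $b = b'$ (attacker won); 0 if $b \neq b'$ (attacker lost).
$\Pi$ is key-samplable if for every PPT attacker $A$ taking part in the above experiment, the probability that $A$ wins the experiment is at most negligibly better than ½: $\Pr[\mathsf{PubK}^{ksamp}_{A,\Pi}(n) = 1] \le \tfrac12 + \mathsf{negl}(n)$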

18 ElGamal PKE
$\mathsf{Gen}(1^n)$: $(G, o, q, g)$; $h = g^x$ for random $x$; $pk = (G, o, q, g, h)$, $sk = x$
$\mathsf{Enc}_{pk}(m)$: $c_1 = g^y$ for random $y$; $c_2 = h^y \cdot m$; $c = (c_1, c_2)$
$\mathsf{Dec}_{sk}(c)$: $c_2 / (c_1)^x = c_2 \cdot [(c_1)^x]^{-1}$

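19 1-out-of-2 Oblivious Transfer
S holds $m_0, m_1$; R holds $b$. S does not know $b$. R does not know $m_{1-b}$.
1. R: $(pk_b, sk_b) \leftarrow \mathsf{Gen}(1^n)$; $(pk_{1-b}, r_{1-b}) \leftarrow \mathsf{oGen}(1^n)$
2. R -> S: $(pk_0, pk_1)$
3. S: $c_0 \leftarrow \mathsf{Enc}_{pk_0}(m_0)$; $c_1 \leftarrow \mathsf{Enc}_{pk_1}(m_1)$
4. S -> R: $(c_0, c_1)$
5. R: $m_b \leftarrow \mathsf{Dec}_{sk_b}(c_b)$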
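The protocol of slide 19 instantiated with the ElGamal scheme of slide 18, as an added example that is not part of the lecture. Assumptions made here: a toy safe-prime group (P = 2039, Q = 1019, g = 4), oGen realised by squaring a random element, fGen by taking a random square root, and messages restricted to 1..Q through a quadratic-residue encoding.

```python
import secrets

# Toy parameters constructed for this example, far too small for real use:
# safe prime P = 2Q + 1; G = 4 generates the order-Q subgroup of squares mod P.
P, Q, G = 2039, 1019, 4

def gen():
    """Gen: pk = h = g^x, sk = x."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x

def ogen():
    """oGen: sample h as a random square, never learning log_g(h)."""
    u = secrets.randbelow(P - 3) + 2            # randomness r
    return pow(u, 2, P), u

def fgen(pk):
    """fGen: explain a Gen-made pk as oGen output (a random square root)."""
    root = pow(pk, (P + 1) // 4, P)             # works because P = 3 mod 4
    return root if secrets.randbelow(2) else P - root

def encode(m):
    """Map m in 1..Q into the subgroup: exactly one of m, P - m is a square."""
    return m if pow(m, Q, P) == 1 else P - m

def decode(e):
    return e if e <= Q else P - e

def enc(pk, m):
    y = secrets.randbelow(Q - 1) + 1
    return pow(G, y, P), pow(pk, y, P) * encode(m) % P

def dec(sk, c):
    c1, c2 = c
    return decode(c2 * pow(c1, Q - sk, P) % P)  # c1^(Q-sk) = (c1^sk)^-1

def receiver_keys(b):
    """R: real key pair in position b, obliviously sampled key in position 1-b."""
    pks = [None, None]
    pks[b], sk_b = gen()
    pks[1 - b], _r = ogen()
    return tuple(pks), sk_b

def sender_encrypt(pks, m0, m1):
    """S: encrypt m0 under pk0 and m1 under pk1."""
    return enc(pks[0], m0), enc(pks[1], m1)

def ot(m0, m1, b):
    """Full run: R -> S (pk0, pk1); S -> R (c0, c1); R decrypts c_b."""
    pks, sk_b = receiver_keys(b)
    cts = sender_encrypt(pks, m0, m1)
    return dec(sk_b, cts[b])
```

Sender security rests on R really using oGen for the second key: a receiver that runs Gen twice holds both secret keys and can decrypt both ciphertexts.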

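20 Security for the Receiver
Real world (S holds $m_0, m_1$; R holds $b$):
R: $(pk_b, sk_b) \leftarrow \mathsf{Gen}(1^n)$; $(pk_{1-b}, r_{1-b}) \leftarrow \mathsf{oGen}(1^n)$; R -> S: $(pk_0, pk_1)$
S: $c_0 \leftarrow \mathsf{Enc}_{pk_0}(m_0)$; $c_1 \leftarrow \mathsf{Enc}_{pk_1}(m_1)$; S -> R: $(c_0, c_1)$
R: $m_b \leftarrow \mathsf{Dec}_{sk_b}(c_b)$
$\mathsf{View}^{Real}_S(m_0, m_1, b, k) = \{m_0, m_1, pk_0, pk_1, r^S_0, r^S_1\}$
Ideal world ($\mathsf{SIM}_S$ is given $m_0, m_1$):
$\mathsf{SIM}_S$: $(pk_0, sk_0) \leftarrow \mathsf{Gen}(1^n)$; $(pk_1, sk_1) \leftarrow \mathsf{Gen}(1^n)$; $\mathsf{SIM}_S$ -> S: $(pk_0, pk_1)$
S: $c_0 \leftarrow \mathsf{Enc}_{pk_0}(m_0)$; $c_1 \leftarrow \mathsf{Enc}_{pk_1}(m_1)$; S -> $\mathsf{SIM}_S$: $(c_0, c_1)$
$\mathsf{View}^{Ideal}_S(m_0, m_1, b, k) = \{m_0, m_1, pk_0, pk_1, r^S_0, r^S_1\} = \{m_0, m_1, pk_b, pk_{1-b}, r^S_0, r^S_1\}$
Easy Reduction to ksamp security of the PKE!!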

21 Indistinguishability of Real and Ideal View
Theorem. If $\Pi$ is ksamp-secure, then our OT provides receiver security according to real world/ideal world paradigm.
Proof: Assume OT does not provide receiver security. Then there exist $D$ and $p(n)$ such that $D$ distinguishes $\mathsf{View}^{Real}_S(m_0, m_1, b, k)$ from $\mathsf{View}^{Ideal}_S(m_0, m_1, b, k)$ (comparing $\Pr[D(\cdot) = 1]$ on the two views) with the bound $\tfrac12 + 1/p(n)$.
Reduction: build $A$ against ksamp security from $D$.
1. $A$ receives $(pk, r)$, generated by oGen or by (Gen, fGen).
2. $A$ takes $m_0, m_1$, computes $(pk_b, sk_b) \leftarrow \mathsf{Gen}(1^n)$, sets $pk_{1-b} = pk$ and picks $r^S_0, r^S_1$.
3. $A$ gives $\{m_0, m_1, pk_b, pk_{1-b}, r^S_0, r^S_1\}$ to $D$ and outputs $D$'s guess $b' \in \{0,1\}$.
If $b$ is guessed correctly, then $A$ emulates the Real/Ideal View -> $A$ breaks ksamp security with non-negligible advantage (PKE is not ksamp-secure) -> Contradiction

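22 Security for the Sender
Real world (S holds $m_0, m_1$; R holds $b$):
R: $(pk_b, sk_b) \leftarrow \mathsf{Gen}(1^n)$; $(pk_{1-b}, r_{1-b}) \leftarrow \mathsf{oGen}(1^n)$; R -> S: $(pk_0, pk_1)$
S: $c_0 \leftarrow \mathsf{Enc}_{pk_0}(m_0)$; $c_1 \leftarrow \mathsf{Enc}_{pk_1}(m_1)$; S -> R: $(c_0, c_1)$
R: $m_b \leftarrow \mathsf{Dec}_{sk_b}(c_b)$
$\mathsf{View}^{Real}_R(m_0, m_1, b, k) = \{b, m_b, pk_b, r_b, pk_{1-b}, r_{1-b}, c_0, c_1\}$
Ideal world ($\mathsf{SIM}_R$ is given $b, m_b$):
R: $(pk_b, sk_b) \leftarrow \mathsf{Gen}(1^n)$; $(pk_{1-b}, r_{1-b}) \leftarrow \mathsf{oGen}(1^n)$; R -> $\mathsf{SIM}_R$: $(pk_0, pk_1)$
$\mathsf{SIM}_R$: $c_b \leftarrow \mathsf{Enc}_{pk_b}(m_b)$; $c_{1-b} \leftarrow \mathsf{Enc}_{pk_{1-b}}(0^k)$; $\mathsf{SIM}_R$ -> R: $(c_0, c_1)$
R: $m_b \leftarrow \mathsf{Dec}_{sk_b}(c_b)$
$\mathsf{View}^{Ideal}_R(m_0, m_1, b, k) = \{b, m_b, pk_b, r_b, pk_{1-b}, r_{1-b}, c_b, c_{1-b}\}$
Reduction to CPA does not work as $c_{1-b}$ is encrypted using a public key generated by oGen, NOT Gen.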

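23 Security proof via Hybrid Arguments
Each view has the form $\{b, m_b, pk_b, r_b, pk_{1-b}, r_{1-b}, c_b, c_{1-b}\}$; the views differ in how the components are generated.
$\mathsf{View}^{Real}_R(m_0, m_1, b, k)$: $(pk_b, sk_b) \leftarrow \mathsf{Gen}(1^n)$; $(pk_{1-b}, r_{1-b}) \leftarrow \mathsf{oGen}(1^n)$; $c_b \leftarrow \mathsf{Enc}_{pk_b}(m_b)$; $c_{1-b} \leftarrow \mathsf{Enc}_{pk_{1-b}}(m_{1-b})$
$\mathsf{View}^{Hybrid1}_R(m_0, m_1, b, k)$: $(pk_b, sk_b) \leftarrow \mathsf{Gen}(1^n)$; $(pk_{1-b}, sk_{1-b}) \leftarrow \mathsf{Gen}(1^n)$; $r_{1-b} \leftarrow \mathsf{fGen}(pk_{1-b})$; $c_b \leftarrow \mathsf{Enc}_{pk_b}(m_b)$; $c_{1-b} \leftarrow \mathsf{Enc}_{pk_{1-b}}(m_{1-b})$
$\mathsf{View}^{Hybrid2}_R(m_0, m_1, b, k)$: $(pk_b, sk_b) \leftarrow \mathsf{Gen}(1^n)$; $(pk_{1-b}, sk_{1-b}) \leftarrow \mathsf{Gen}(1^n)$; $r_{1-b} \leftarrow \mathsf{fGen}(pk_{1-b})$; $c_b \leftarrow \mathsf{Enc}_{pk_b}(m_b)$; $c_{1-b} \leftarrow \mathsf{Enc}_{pk_{1-b}}(0^k)$
$\mathsf{View}^{Ideal}_R(m_0, m_1, b, k)$: $(pk_b, sk_b) \leftarrow \mathsf{Gen}(1^n)$; $(pk_{1-b}, r_{1-b}) \leftarrow \mathsf{oGen}(1^n)$; $c_b \leftarrow \mathsf{Enc}_{pk_b}(m_b)$; $c_{1-b} \leftarrow \mathsf{Enc}_{pk_{1-b}}(0^k)$
Real $\approx$ Hybrid1 by ksamp security; Hybrid1 $\approx$ Hybrid2 by CPA security; Hybrid2 $\approx$ Ideal by ksamp security.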

24 More OTs CT3 [PVW08] A Framework for Efficient and Composable Oblivious Transfer http://eprint.iacr.org/2007/348

25 GMW87
[GMW87]: How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority. STOC 1987.
Over Binary circuits

26 (n,n) - Secret Sharing for Semi-honest Adversaries
Secret $x$ is (n,n)-shared if parties $P_1, P_2, P_3, \ldots, P_n$ hold $x_1, x_2, x_3, \ldots, x_n$ with $x = x_1 + x_2 + \cdots + x_n$; shares are random; all are bits; + is + mod 2
Linearity is satisfied!!

27 GMW87
(Figure: example circuit with inputs $x_1, x_2, x_3, x_4$ and output $y$.)

28 GMW87
1. (n, n)-secret share each input
2. Find (n, n)-sharing of each intermediate value
XOR gate: Non-Interactive
$P_0$ holds $x_0, y_0$; $P_1$ holds $x_1, y_1$; $x = x_0 + x_1$, $y = y_0 + y_1$
$x + y = (x_0 + y_0) + (x_1 + y_1)$

29 GMW87
1. (n, n)-secret share each input
2. Find (n, n)-sharing of each intermediate value
NOT gate: Non-Interactive (One party flips the bit)
$P_0$ holds $x_0$; $P_1$ holds $x_1$; $x = x_0 + x_1$

30 GMW87
1. (n, n)-secret share each input
2. Find (n, n)-sharing of each intermediate value
XOR gate: Non-Interactive
NOT gate: Non-Interactive (One party flips the bit)
AND gate: Interactive (OT)

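31 GMW87- AND Gate Evaluation
$P_0$ holds $x_0, y_0$; $P_1$ holds $x_1, y_1$; $x = x_0 + x_1$, $y = y_0 + y_1$
$x \cdot y = (x_0 + x_1) \cdot (y_0 + y_1) = x_0 \cdot y_0 + x_0 \cdot y_1 + y_0 \cdot x_1 + x_1 \cdot y_1$
1-out-of-2 OT: $P_0$ inputs $(0, x_0)$, $P_1$ chooses with $y_1$ and receives $x_0 y_1$
1-out-of-2 OT: $P_1$ inputs $(0, x_1)$, $P_0$ chooses with $y_0$ and receives $y_0 x_1$
$P_0$'s share: $x_0 \cdot y_0 + y_0 \cdot x_1$
$P_1$'s share: $x_0 \cdot y_1 + x_1 \cdot y_1$
Leaks information from the partial product !!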

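32 GMW87- AND Gate Evaluation
$P_0$ holds $x_0, y_0$; $P_1$ holds $x_1, y_1$; $x = x_0 + x_1$, $y = y_0 + y_1$
$x \cdot y = (x_0 + x_1) \cdot (y_0 + y_1) = x_0 \cdot y_0 + x_0 \cdot y_1 + y_0 \cdot x_1 + x_1 \cdot y_1$
1-out-of-2 OT: $P_0$ inputs $(r_0, r_0 + x_0)$, $P_1$ chooses with $y_1$ and receives $r_0 + x_0 \cdot y_1$
1-out-of-2 OT: $P_1$ inputs $(r_1, r_1 + x_1)$, $P_0$ chooses with $y_0$ and receives $r_1 + y_0 \cdot x_1$
$P_0$'s share: $x_0 \cdot y_0 + r_0 + (r_1 + y_0 \cdot x_1)$
$P_1$'s share: $(r_0 + x_0 \cdot y_1) + r_1 + x_1 \cdot y_1$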

33 GMW87
1. (n, n)-secret share each input
2. Find (n, n)-sharing of each intermediate value
XOR gate: Non-Interactive
NOT gate: Non-Interactive (One party flips the bit)
AND gate: Interactive (OT)
3. Reconstruct y by exchanging the shares
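The three GMW steps above for two parties, with the masked AND gate of slide 32, as an added example that is not part of the lecture. The OT is modelled by the ideal functionality of slide 13 rather than a real protocol, and the circuit evaluated at the end, along with all function names, is constructed for illustration.

```python
import secrets

def ot(m0, m1, b):
    """Ideal 1-out-of-2 OT functionality: the receiver learns only m_b."""
    return m1 if b else m0

def share(x):
    """(2,2)-sharing of a bit: x = x0 + x1 mod 2, with x0 uniformly random."""
    x0 = secrets.randbelow(2)
    return x0, x ^ x0

def xor_gate(x, y):
    """Non-interactive: each party adds its own two shares."""
    return x[0] ^ y[0], x[1] ^ y[1]

def not_gate(x):
    """Non-interactive: one party (P0 here) flips its share."""
    return x[0] ^ 1, x[1]

def and_gate(x, y):
    """Interactive: two OTs with random masks r0, r1 (slide 32)."""
    (x0, x1), (y0, y1) = x, y
    r0, r1 = secrets.randbelow(2), secrets.randbelow(2)
    to_p1 = ot(r0, r0 ^ x0, y1)     # P0 sends, P1 chooses y1: r0 + x0*y1
    to_p0 = ot(r1, r1 ^ x1, y0)     # P1 sends, P0 chooses y0: r1 + y0*x1
    z0 = (x0 & y0) ^ r0 ^ to_p0     # P0's share of x*y
    z1 = to_p1 ^ r1 ^ (x1 & y1)     # P1's share of x*y
    return z0, z1

def reconstruct(z):
    """Step 3: the parties exchange shares and add them."""
    return z[0] ^ z[1]

def evaluate(a, b, c, d):
    """Constructed circuit: NOT((a AND b) XOR (c AND d)), computed on shares."""
    sa, sb, sc, sd = (share(v) for v in (a, b, c, d))
    return reconstruct(not_gate(xor_gate(and_gate(sa, sb), and_gate(sc, sd))))

if __name__ == "__main__":
    print(evaluate(1, 1, 0, 1))     # NOT((1 AND 1) XOR (0 AND 1))
```

Without the masks r0 and r1 each OT output is a bare partial product, which is the leak slide 31 points out.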

34 Extension to Multiparty and 2 party Security Proof On the board.
