General Cryptographic
Protocols (aka secure multi-party
computation)
Oded Goldreich, Weizmann Institute of Science
(and me)
Joachim (and Claus)
A general framework (for casting crypto problems)
An m-ary (randomized) functionality (the desired process): F : ({0,1}^n)^m → ({0,1}^n)^m, where m ≥ 2 denotes the number of parties.
Parties P_1, P_2, …, P_m hold local inputs x_1, x_2, …, x_m and receive local outputs y_1, y_2, …, y_m, where
(y_1, y_2, …, y_m) = F(x_1, x_2, …, x_m).
Desired solution: delivery of outputs as if the operation was performed by a trusted party.
Secure Multi-Party Computation (Crypto Protocols)
A secure protocol obtains the same effect as the operation of a trusted party.
Thus, mutually distrustful parties emulate the effect of a trusted party.
On the feasibility of General Secure MPC
Meta-THM: General Secure MPC is possible under a variety of natural assumptions.
• Assuming an honest majority + TDP
• Allowing abort + TDP
(i.e., not considering early termination as breach of security)
[reflected in the ideal model]
• Assuming a 2/3-majority + private channels.
TDP == Trapdoor Permutations (which exist, e.g., assuming the intractability of factoring integers).
Two-Step construction of General Secure MPC
E.g., assuming an honest majority + TDP
1. Constructing protocols that are secure wrt semi-honest (“honest-but-curious”) adversaries. [“privacy only”]
2. Enforcing semi-honest behavior via ZK proofs (+commit)
Step 2: enforcing semi-honest behavior.
T = public information (the transcript so far).
Sender (holding secret input s) and Receiver.
The sender is supposed to send y = f(T, s); it actually sends y'.
Idea: the sender provides a ZK proof that there exists s' s.t. y' = f(T, s').
Secure (private) MPC in the semi-honest model.
We assume a TDP (trapdoor permutation).
Reduce to deterministic functionalities with same outputs.
Let C be a GF(2) circuit for computing the m-ary function.
Idea: The parties propagate shares of the values of all wires in C from the input wires of C to its output wires.
[Figure: a gate with input wires x, y and output wire z. Each wire value is additively shared among the m parties, party i holding x_i, y_i, z_i, so that
x = x_1+x_2+x_3+…+x_m, y = y_1+y_2+y_3+…+y_m, z = z_1+z_2+z_3+…+z_m.]
Secure (private) MPC of the gate functionality.
Easy case – addition gate: set z_i ← x_i + y_i (local computation).
Similarly for negation: z_i ← x_i + 1 if i = 1, and z_i ← x_i otherwise.
Hard case – multiplication gate: we wish
z_1+z_2+…+z_m = (x_1+x_2+…+x_m) ∙ (y_1+y_2+…+y_m)
(use algebra)
(x_1+x_2+…+x_m) ∙ (y_1+y_2+…+y_m) = ∑_i x_i y_i + ∑_{i≠j} x_i y_j = ∑_i x_i y_i + ∑_{i<j} (x_i y_j + x_j y_i)
The term z_i^{(i)} = x_i y_i is computed locally by party i. For each pair i < j, a 2PC between parties i and j gives them shares z_i^{(j)} and z_j^{(i)} with z_i^{(j)} + z_j^{(i)} = x_i y_j + x_j y_i.
Party i then sets z_i = z_i^{(i)} + ∑_{j≠i} z_i^{(j)}.
The parties need to propagate shares of the values through each gate. (Shares with subscript i belong to party i.)
Secure 2-PC of s.t.
Recall: General secure MPC “reduces” to secure 2PC of ((x1,y1),(y2,x2)) → (z1,z2), where (z1,z2) is random subject to z1+z2 = x1x2+y2y1.
OT (1-out-of-2 Oblivious Transfer):
Sender: inputs s_0, s_1; output: none.
Receiver: input c; output: s_c.

2PC of the pairwise functionality:
1st party: inputs x_1, y_1; output: r.
2nd party: inputs x_2, y_2; output: r + x_1 x_2 + y_1 y_2.

Basic functionality (one OT each):
1st party: inputs x, z; output: none.
2nd party: input y; output: z + xy.
(OT) The sender sets s_y = z + yx, i.e., s_0 = z and s_1 = z + x; the receiver uses choice bit c = y and so obtains z + xy.

In the i-th invocation of the basic functionality use inputs (x_i, r_i) and y_i, where r_i is a random bit. Each party sets its final output to the sum of both of its intermediate outputs.

The 2PC functionality used for the multiplication gate: ((x_i, y_i), (x_j, y_j)) → (z_i^{(j)}, z_j^{(i)}) s.t. z_i^{(j)} + z_j^{(i)} = x_i y_j + x_j y_i.
Implementing OT (OT = Oblivious Transfer)
Background: assuming a collection of TDP {f_i : D_i → D_i}; b denotes a hard-core predicate of the collection.
Sender: inputs s_0, s_1; desired output: none.
Receiver: input c; desired output: s_c.
1. The sender selects an index i (for which it holds the trapdoor) and sends i.
2. The receiver selects x_c, y_{1-c} ∈ D_i, computes y_c = f_i(x_c), and sends y_0, y_1.
3. The sender finds the f_i-preimages z_0, z_1 of y_0, y_1 and sends b(z_0)+s_0, b(z_1)+s_1.
4. Since z_c = x_c, the receiver recovers s_c by adding b(x_c) to the c-th value received; it learns nothing about s_{1-c} because it cannot compute b(z_{1-c}) from y_{1-c}.
Conclusion: General Secure MPC is feasible
Meta-THM: General Secure MPC (i.e., secure emulation of trusted parties) is possible under a variety of natural assumptions.
• MPC for an honest majority, assuming TDP
• Similar ideas (+ more) yield MPC w/o an honest majority, but only when “allowing abort” (i.e., not considering early termination as a breach of security). (Also assuming TDP.)
• Assuming a 2/3-majority + private channels.
The End
The slides of this talk are available at http://www.wisdom.weizmann.ac.il/~oded/T/mpc.ppt
A related survey is available at http://www.wisdom.weizmann.ac.il/~oded/s_mpc.html
Zero-Knowledge Proofs
A secure protocol (i.e., ZK proof) obtains the same effect as the operation of a trusted party.
Thus, mutually distrustful parties emulate the effect of a trusted party.
Secure 2-PC of the Inner Product mod 2 of two vectors
Recall: General secure MPC “reduces” to secure 2PC of the inner product mod 2 of two input vectors held by the two parties. (For us n=2 suffices.)
OT: Sender: inputs s_0, s_1; output: none. Receiver: input c; output: s_c.

2PC of the inner product mod 2:
1st party: inputs x_1, …, x_n; output: r.
2nd party: inputs y_1, …, y_n; output: r + ∑_i x_i y_i.

Basic functionality (one OT each):
1st party: inputs x, z; output: none.
2nd party: input y; output: z + xy.

In the i-th invocation use inputs (x_i, r_i) and y_i, where r_i is a random bit.
Final output = sum of all n outputs.
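The reduction chain above, from the GF(2) gate functionalities down to the inner-product 2PC and its OT-based basic functionality, as an added simulation that is not part of the original slides. The OT is modelled as an ideal functionality (an assumption: the TDP-based OT protocol itself is not implemented), and all function names are this example's own.

```python
import secrets

# Ideal 1-out-of-2 OT standing in for the TDP-based construction (assumption:
# the OT functionality is simulated here, not the trapdoor-permutation protocol).
def ot(s0, s1, c):
    return s1 if c else s0          # receiver learns s_c only; sender learns nothing

def xz_y_to_z_plus_xy(x, z, y):
    """((x,z), y) -> (-, z+xy): sender sets s_y = z + y*x, receiver chooses c = y."""
    return ot(z, z ^ x, y)

def inner_product_2pc(xs, ys):
    """Sender holds x_1..x_n, receiver holds y_1..y_n. Returns (r, r + sum_i x_i y_i)
    mod 2 via n invocations; the i-th uses (x_i, r_i) with a fresh random bit r_i."""
    r_total, out_total = 0, 0
    for x, y in zip(xs, ys):
        r = secrets.randbelow(2)
        r_total ^= r
        out_total ^= xz_y_to_z_plus_xy(x, r, y)
    return r_total, out_total

def reconstruct(shares):
    return sum(shares) % 2          # additive reconstruction over GF(2)

def share(bit, m):
    """Additive GF(2) sharing of one bit among m parties."""
    shares = [secrets.randbelow(2) for _ in range(m - 1)]
    return shares + [bit ^ reconstruct(shares)]

def add_gate(xs, ys):              # local: z_i = x_i + y_i
    return [x ^ y for x, y in zip(xs, ys)]

def neg_gate(xs):                  # local: only party 1 flips its share
    return [xs[0] ^ 1] + xs[1:]

def mul_gate(xs, ys):
    """z_i = x_i y_i + sum_{j != i} z_i^(j); each pair i<j runs the 2PC with party i
    holding (x_i, y_i) and party j holding (y_j, x_j), so z_i^(j) + z_j^(i) = x_i y_j + x_j y_i."""
    zs = [x & y for x, y in zip(xs, ys)]
    for i in range(len(xs)):
        for j in range(i + 1, len(xs)):
            zi_j, zj_i = inner_product_2pc([xs[i], ys[i]], [ys[j], xs[j]])
            zs[i] ^= zi_j
            zs[j] ^= zj_i
    return zs

def gates_correct(m=4):            # reconstructed outputs match gate semantics
    return all(reconstruct(mul_gate(share(x, m), share(y, m))) == (x & y)
               and reconstruct(add_gate(share(x, m), share(y, m))) == (x ^ y)
               and reconstruct(neg_gate(share(x, m))) == (x ^ 1)
               for x in (0, 1) for y in (0, 1))
```

Because every share and every r_i is a uniformly random bit, each party's view in this semi-honest simulation is independent of the other parties' inputs, which is the "privacy only" guarantee of Step 1.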