
Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation

Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation. YE Jian-wei March 7, 2009. outline. Full fair secure two-party computation Problem Existing methods Our method Overview Advantages Cryptography foundation



  1. Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation YE Jian-wei March 7, 2009

  2. outline • Full fair secure two-party computation • Problem • Existing methods • Our method • Overview • Advantages • Cryptography foundation • New Full Fair Secure Two-party Computation Protocol

  3. Full fair secure two-party computation ——problem Two parties, A with input x and B with input y, jointly compute a two-output function f(x,y) = (fA(x,y), fB(x,y)) • Secure: A learns only x and fA(x,y); B learns only y and fB(x,y) • Fair: A learns fA(x,y) iff B learns fB(x,y)

  4. Full fair secure two-party computation ——existing methods • For security • Garbled circuit computation • For fairness • gradual release technique • Methods employing trusted third party

  5. Full fair secure two-party computation ——existing methods • gradual release technique: works without third parties, at the cost of many rounds of interaction, and still cannot achieve full fairness

  6. Full fair secure two-party computation ——existing methods • Methods employing a trusted third party: achieve full fairness, but the trusted third party must be neutral (must not collude with A or B), is a single point of failure and is the performance bottleneck

  7. Our method——overview • full fairness • employ Yao’s garbled circuit computation for security • employ a group of servers as the third party for full fairness

  8. Our method——advantages 1. Weakening the trust assumption. Our method does not require all third-party servers to be trusted; it only requires more than two-thirds of them to be honest. 2. Protection against collusion. Our method keeps fairness when fewer than one-third of the servers are dishonest (or malicious) and collude with either party.

  9. Our method——advantages 3. Fault-tolerance. In our method, not all servers must be available at all times. More precisely, when the number of dishonest servers is m, only 3m+1 servers need to be available simultaneously.

  10. Our method——Cryptography foundation 1. Garbled circuit computation 2. Verifiable encryption scheme of Jarecki and Shmatikov (sCS encryption scheme) 3. Zero-knowledge proof (ZKP) protocols of Jarecki and Shmatikov 4. Verifiable threshold secret sharing (VTSS) scheme of Pedersen

  11. Garbled circuit computation 1. A constructs a boolean circuit, C, computing f(x,y) 2. A garbles C to GC 3. A sends GC, the garbled x and the cleartext interpretation of fB(x,y) to B 4. B gets the garbled y from A 5. B evaluates GC and gets its outputs, the garbled fA(x,y) and the garbled fB(x,y) 6. B ungarbles the garbled fB(x,y) to get fB(x,y) using the cleartext interpretation of fB(x,y) 7. B sends the garbled fA(x,y) to A 8. A ungarbles the garbled fA(x,y) to get fA(x,y)
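The eight steps above, walked through end to end as an added example written for this transcript (it is not code from the presentation or its author). The two-gate circuit, the 128-bit wire keys and the SHA-256-based row encryption are this example's own choices; step 4 is simulated by handing B exactly the keys for y's bits, where Yao's protocol uses oblivious transfer so that A never learns y. The `b_aborts` switch reproduces the fairness problem the later slides address: B can stop as soon as he has ungarbled fB(x,y), and the key he holds for A's output wire is a random label he cannot read without A's interpretation.

```python
import hashlib
import secrets

KEY_LEN = 16               # 128-bit wire keys (labels)
ZERO_TAG = bytes(KEY_LEN)  # appended to every row so the evaluator can recognise the right one

# Gate semantics for the boolean circuit C computing f(x, y).
OPS = {"AND": lambda a, b: a & b, "XOR": lambda a, b: a ^ b, "OR": lambda a, b: a | b}

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _pad(key_a, key_b, gate_id):
    # Row pad derived from both input keys and the gate index. SHA-256 stands in for
    # whatever PRF/KDF a concrete garbling scheme fixes (an assumption of this example).
    return hashlib.sha256(key_a + key_b + gate_id.to_bytes(4, "big")).digest()

def garble(circuit, n_wires):
    """Steps 1-2 (A): pick two random keys per wire and encrypt every gate's truth table.
    circuit is a list of (op, in_wire_a, in_wire_b, out_wire)."""
    keys = {w: (secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)) for w in range(n_wires)}
    rng = secrets.SystemRandom()
    tables = []
    for gate_id, (op, a, b, out) in enumerate(circuit):
        rows = []
        for va in (0, 1):
            for vb in (0, 1):
                plaintext = keys[out][OPS[op](va, vb)] + ZERO_TAG
                rows.append(_xor(_pad(keys[a][va], keys[b][vb], gate_id), plaintext))
        rng.shuffle(rows)  # hide which row belongs to which input pair
        tables.append(rows)
    return keys, tables

def evaluate(circuit, tables, input_keys):
    """Step 5 (B): holding one key per input wire, decrypt each gate's rows; exactly one row
    yields key || ZERO_TAG (a false match happens with probability about 2^-128)."""
    wire_keys = dict(input_keys)
    for gate_id, (op, a, b, out) in enumerate(circuit):
        pad = _pad(wire_keys[a], wire_keys[b], gate_id)
        for row in tables[gate_id]:
            plain = _xor(pad, row)
            if plain[KEY_LEN:] == ZERO_TAG:
                wire_keys[out] = plain[:KEY_LEN]
                break
        else:
            raise ValueError(f"gate {gate_id}: no row decrypts; malformed GC or wrong input keys")
    return wire_keys

def interpretation(keys, wires):
    """Cleartext interpretation of output wires: maps each of the two keys back to its bit."""
    return {w: {keys[w][0]: 0, keys[w][1]: 1} for w in wires}

def decode(interp, wire_keys, wires):
    return [interp[w][wire_keys[w]] for w in wires]

# Constructed toy circuit: wire 0 = x, wire 1 = y, wire 2 = fA = x AND y, wire 3 = fB = x XOR y.
CIRCUIT = [("AND", 0, 1, 2), ("XOR", 0, 1, 3)]
X_WIRES, Y_WIRES, FA_WIRES, FB_WIRES = [0], [1], [2], [3]

def run_two_party(x_bits, y_bits, b_aborts=False):
    """Steps 1-8 of slide 11. Returns (fA as recovered by A, fB as recovered by B)."""
    keys, gc = garble(CIRCUIT, n_wires=4)                                   # steps 1-2 (A)
    garbled_x = {w: keys[w][bit] for w, bit in zip(X_WIRES, x_bits)}        # step 3 (A -> B)
    interp_b = interpretation(keys, FB_WIRES)                               # only fB's interpretation leaves A
    # Step 4: in the real protocol B obtains the keys for y by oblivious transfer, so A never
    # learns y. Simulated here by handing over exactly the keys matching y's bits.
    garbled_y = {w: keys[w][bit] for w, bit in zip(Y_WIRES, y_bits)}
    evaluated = evaluate(CIRCUIT, gc, {**garbled_x, **garbled_y})           # step 5 (B)
    fb = decode(interp_b, evaluated, FB_WIRES)                              # step 6 (B)
    if b_aborts:
        # The fairness problem: B already has fB(x,y) and simply stops. The key he holds for
        # wire 2 is a random label he cannot read without A's interpretation of fA's wires.
        return None, fb
    garbled_fa = {w: evaluated[w] for w in FA_WIRES}                        # step 7 (B -> A)
    fa = decode(interpretation(keys, FA_WIRES), garbled_fa, FA_WIRES)       # step 8 (A)
    return fa, fb
```

Security of the garbling itself rests on B holding exactly one key per input wire: with both keys of any wire he could decrypt two rows of a gate and learn more than the output. That is why step 4 must be an oblivious transfer rather than A sending both keys.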

  12. sCS encryption scheme • a simplification of the verifiable encryption scheme of Camenisch and Shoup • semantically secure in the CRS model under the DCR assumption, using safe RSA moduli • a very strong unambiguity property: a ciphertext that passes a certain proof system cannot decrypt to two different plaintexts under two different private keys; moreover, no two distinct decryption keys can decrypt such a ciphertext even to the same plaintext.

  13. sCS encryption scheme • CRS.

  14. sCS encryption scheme • sCS encryption.

  15. sCS encryption scheme • sCS decryption.

  16. ZKP protocols of Jarecki and Shmatikov • Relying on the unambiguity of the sCS encryption scheme, Jarecki and Shmatikov proposed the sCS commitment scheme and a group of efficient, concurrently secure ZKP protocols. • sCS commitment scheme

  17. ZKP protocols of Jarecki and Shmatikov • ZKP protocols • ZKDL(ɡ, X) is used to prove that there exists an x s.t. X^2 = ɡ^(2x). • ZKNotEq(Ca, Cb) is used to prove that Ca and Cb are sCS commitments to different values. • ZKPlainEq((u, e), Ck, Cm) is used to prove that (u, e) is an sCS encryption of the cleartext m committed (by an sCS commitment) in Cm under the key k committed in Ck.

  18. VTSS scheme of Pedersen • Pedersen gave a commitment scheme that is unconditionally hiding and computationally binding under the difficulty of the discrete logarithm problem, and proposed a VTSS scheme in the CRS model based on it. • CRS

  19. VTSS scheme of Pedersen • Pedersen’s commitment scheme

  20. VTSS scheme of Pedersen • Sharing and Verifying process

  21. New Full Fair Secure Two-party Computation Protocol • New ZKP protocol ZKEq(CKD, CKD) proves that the sCS commitment CKD commits to the same value as the Pedersen commitment CKD

  22. New Full Fair Secure Two-party Computation Protocol——overview • In the usual garbled circuit computation, A sends the cleartext interpretation of fB(x,y) to B; therefore the circuit evaluator B may refuse to send the garbled fA(x,y) to A after getting his own output fB(x,y). • In our protocol: A commits to all output wire keys corresponding to fB(x,y) in GC; A shares a private key KD ∈ [0, 2^k''] among a group of third-party servers by the VTSS scheme of Pedersen; A provides B with an encrypted cleartext interpretation of fB(x,y), CIB

  23. New Full Fair Secure Two-party Computation Protocol——overview • By correctly performing with A all ZKP protocols involved in the following formula, and by the verifying process of Pedersen's VTSS scheme, B is convinced that CIB is correctly constructed and can be decrypted with the key KD shared among the servers, and that he can retrieve that key to decrypt CIB as long as he sends the correct output keys corresponding to fA(x,y) to the servers.

  24. New Full Fair Secure Two-party Computation Protocol——overview

  25. New Full Fair Secure Two-party Computation Protocol——overview • After sending the correct output wire keys corresponding to fA(x,y) to the servers, B gets enough shares of KD to recover it and compute his output fB(x,y). Henceforth A can compute his output fA(x,y) even if B sends him wrong output wire keys, by obtaining the correct ones from the servers.

  26. New Full Fair Secure Two-party Computation Protocol——protocol

  27. New Full Fair Secure Two-party Computation Protocol——protocol

  28. New Full Fair Secure Two-party Computation Protocol——protocol

  29. New Full Fair Secure Two-party Computation Protocol——analysis • Fairness • When the number of dishonest servers m is less than s/3, our protocol guarantees that A learns fA(x,y) iff B learns fB(x,y). • Complexity • Computational complexity is O(S + s^2) • Communication complexity is O(S + s) • only two additional interaction rounds for full fairness • where S is the size of the circuit and s is the number of employed servers.
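Pedersen's commitment and VTSS scheme (slides 18 to 20), together with the s = 3m+1 server bound of slides 9 and 29, as an added example written for this transcript and not code from the presentation. The group parameters p = 2039, q = 1019, G = 4, H = 9 are constructed toy values (a deployment needs a safe prime of at least 2048 bits and an H whose discrete log base G nobody knows); the threshold t = 2m+1 is this example's own choice, since the slides only give the bound m < s/3, and `recover_with_faulty_servers` models what B does with the shares the servers hand over for KD.

```python
import secrets

# Constructed toy group: p = 2q + 1 with p and q prime; G and H are quadratic residues and so
# generate the order-q subgroup. Real deployments use a >= 2048-bit safe prime, and H must be
# chosen (e.g. by hashing into the group) so that nobody knows log_G(H); otherwise the dealer
# could open a commitment to two different values.
P = 2039
Q = 1019
G = 4   # 2^2
H = 9   # 3^2

def commit(value, blinding):
    """Pedersen commitment G^value * H^blinding mod P."""
    return (pow(G, value % Q, P) * pow(H, blinding % Q, P)) % P

def poly_eval(coeffs, x):
    """Evaluate sum_j coeffs[j] * x^j over Z_q (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def deal(secret, n, t):
    """Dealer side of Pedersen VSS: share `secret` among n servers so that any t of them can
    reconstruct it. Returns the public commitments C_j and the shares (i, f(i), r(i))."""
    f = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]  # f(0) = secret
    r = [secrets.randbelow(Q) for _ in range(t)]                      # blinding polynomial
    commitments = [commit(fj, rj) for fj, rj in zip(f, r)]           # C_j = G^{f_j} H^{r_j}
    shares = [(i, poly_eval(f, i), poly_eval(r, i)) for i in range(1, n + 1)]
    return commitments, shares

def verify_share(commitments, share):
    """Server side: check G^{s_i} H^{r_i} == prod_j C_j^{i^j}. This holds exactly when the share
    lies on the committed polynomials, so a dealer cannot hand out inconsistent shares and a
    server cannot later substitute a forged share without being detected."""
    i, s_i, r_i = share
    expected = 1
    for j, c_j in enumerate(commitments):
        expected = (expected * pow(c_j, pow(i, j, Q), P)) % P
    return commit(s_i, r_i) == expected

def reconstruct(shares):
    """Lagrange interpolation of f at x = 0 over Z_q from at least t shares."""
    secret = 0
    for i, s_i, _ in shares:
        num, den = 1, 1
        for j, _, _ in shares:
            if j != i:
                num = (num * (-j)) % Q
                den = (den * (i - j)) % Q
        secret = (secret + s_i * num * pow(den, -1, Q)) % Q
    return secret

def recover_with_faulty_servers(commitments, received, t):
    """What the receiving party (B, collecting shares of KD) does: drop every share that fails
    verification against the dealer's commitments, then reconstruct only if at least t verified
    shares remain. Returns None when too few honest servers answered."""
    good = [sh for sh in received if verify_share(commitments, sh)]
    if len(good) < t:
        return None
    return reconstruct(good[:t])

def demo(m=2, secret=777):
    """s = 3m+1 servers of which m are dishonest. Threshold t = 2m+1 (this example's choice) lets
    the 2m+1 honest servers reconstruct while the m colluding ones hold fewer than t shares."""
    s, t = 3 * m + 1, 2 * m + 1
    commitments, shares = deal(secret, s, t)
    # The m dishonest servers return corrupted shares; verification rejects them.
    tampered = [(i, (s_i + 1) % Q, r_i) for i, s_i, r_i in shares[:m]]
    received = tampered + shares[m:]
    return recover_with_faulty_servers(commitments, received, t)
```

Two properties matter for the protocol's fairness argument. Any t-1 or fewer shares reveal nothing about the secret, because the blinding polynomial r makes the commitments perfectly hiding and the points of a random degree-(t-1) polynomial are independent of f(0); so m colluding servers cannot hand KD to B early. Verification, on the other hand, lets B reject garbage from dishonest servers and still reconstruct from the honest majority, which is the fault-tolerance claim of slide 9.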

  30. END! THANKS!
