covert multi party computation focs 2007 l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Covert Multi-party Computation (FOCS 2007) PowerPoint Presentation
Download Presentation
Covert Multi-party Computation (FOCS 2007)

Loading in 2 Seconds...

play fullscreen
1 / 37

Covert Multi-party Computation (FOCS 2007) - PowerPoint PPT Presentation


  • 328 Views
  • Uploaded on

Covert Multi-party Computation (FOCS 2007). Nishanth Chandran Vipul Goyal Rafail Ostrovsky Amit Sahai UCLA. Plan of talk. Background on the problem addressed. Informal Problem Statement. Main Technical Challenges. Ingredients. High Level Description of Solution.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Covert Multi-party Computation (FOCS 2007)' - Melvin


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
covert multi party computation focs 2007
Covert Multi-party Computation(FOCS 2007)

Nishanth Chandran Vipul Goyal Rafail Ostrovsky Amit Sahai

UCLA

plan of talk
Plan of talk
  • Background on the problem addressed
  • Informal Problem Statement
  • Main Technical Challenges
  • Ingredients
  • High Level Description of Solution
multi party computation yao gmw
Multi-party Computation[Yao,GMW]

P2

P3

P1

P4

x3

x2

x4

x1

f(x1,x2,x3,x4)

No information other than f(x1,x2,x3,x4)

slide5

Do all of us want to rebel??

P2

P1

P3

Powerful Dictator

slide6

Crypto Solution [Yao,GMW]

Rebel = 1

No Action = 0

Multi-party

Computation

AND(inputs)

P1

0

1

P2

1

P3

slide8

Crypto Solution [Yao,GMW]

Lets run MPC to see if all of us want to rebel

P1

P2

P3

P1 wants to rebel!!

slide9

Ideally

How are you guys?

I couldn’t agree more

P1

P3

All of us want to rebel!!

Doing well.. Army life is hectic…

P2

slide10

Ideally

Oh.. That’s fantastic!

How are you guys?

Someone does not

want to rebel or did

not participate!!

P1

P3

Not too bad.. I am going back home on vacation

P2

slide11

Covert Computation

Can we reveal protocol participation and

output only upon the condition that everyone

participated and output was favorable ??

  • Two party case (restricted): [AHL05]
  • Multi-party case: ????
slide12

Covert Computation – Other examples

  • Joint buying over of a company
  • Group of companies wish to check if they are jointly
  • capable of buying over another company
  • If their intent is revealed, the price of the company
  • rises
  • Tracing a hacker
  • Data sets of companies have been hacked into
  • Companies can find the culprit if they join forces, yet
  • no company wants to accept having compromised its
  • data set alone
making mpc covert
Making MPC Covert
  • Protocol with uniformly random messages
  • can be converted to arbitrary distribution of
  • messages
  • All messages need to be indistinguishable
  • from random… even to participants
  • Standard two-party (Yao) and multi-party
  • computation (GMW) protocols are covert in
  • semi-honest case .. with small modifications
malicious case where is the problem
Malicious Case: Where is the problem?
  • Converting protocol secure in semi-honest
  • case to protocol secure in malicious case
  • requires Proving Honest Behavior
  • Proofs or any verification cannot be used
garbled circuits yao computing f x y
Garbled Circuits [Yao]Computing f(x,y)

P1

Two-party computation

P2

Input y

x

y

Garbled

Circuit

Function output

f(x,y)

Input x

Note: Garbled Circuit created by P1, but evaluated by P2

commitment schemes
Commitment Schemes

Receiver

Sender

b

b

b

  • Hiding – Receiver has no information about b
  • Binding – Sender cannot change b
dealing with proofs in covert two party computation ahl05
Dealing with proofs in Covert - Two Party Computation [AHL05]

Commit to r0, x, R0

Commit to r1, y, R1

P1

P2

Covert-Yao with output f(x,y)  F(r0)

Covert-Yao with output f(x,y)  F(r1)

If P2 did not cheat, output r0[i]

k times

If P1 did not cheat, output r1[i]

f(x,y)

f(x,y)

garbled circuit verification ahl05
Garbled-circuit Verification [AHL05]

P2

P1

Commitment openings, input,

randomness

r0[i]

P2’s commitments,

protocol transcript

G.C.

protocol at a high level
Protocol at a High Level
  • Parties execute a GMW protocol to compute the function
  • They hold additive shares of output at the end of this phase
  • Proof of honest behavior done when
  • exchanging these shares
  • Pi gets correct output share from Pk only if Pi
  • can prove his honesty, otherwise gets a random
  • value
  • If some party is malicious / does not participate,
  • some share is random, leading to random output
main task to solve
Main Task to Solve

If P2 was honest, give

him V else give R

Either V or R

P2

P1

V: Correct share of output

R: Random Value

garbled circuit verification in mpc
Garbled-circuit Verification in MPC?

Output share is broadcast in MPC and can depend on input!

P2

P1

Commitment openings, input,

randomness

Output share

P2’s commitments,

protocol transcript

G.C.

In 2PC, if P1 is dishonest, P2 “stops” protocol with P1

In MPC, P2 might “continue” protocol with P3

main task to solve25
Main Task to Solve

If P2 was honest, give

him V else give R

Either V or R

P2

P1

V: Correct share of output

R: Random Value

But V or R should not

depend on my inputs!!

main task properties
Main Task Properties
  • Prover proves to the garbled circuit
  • generated by Verifier that he was honest.
  • If the proof is correct, then prover receives
  • a value (V) from the garbled circuit,
  • otherwise receives a random value R
  • Dishonest verifier learns nothing about the
  • prover’s inputs (even if the output of the
  • garbled circuit is broadcast)
zero knowledge proofs gmr
Zero knowledge proofs[GMR]

Witness w

Statement: x

Prover

Verifier

  • Completeness: HonestVerifier always accepts if proof is
  • correct
  • Soundness: Cheating prover cannot convince verifier
  • of a false statement
  • Zero-knowledge: Cheating verifier learns nothing other
  • than validity of statement
solution very high level idea
Solution: Very High Level Idea

P2

P1

ZK proof that P2 was honest

Output share

or Random Value

P2’s commitments,

protocol transcript

G.C.

zero knowledge proofs for np blum gmw
Zero knowledge proofsfor NP [Blum,GMW]

Hamiltonian Cycle H

Statement: G has Hamiltonian Cycle

Com(π(G)), Com(π)

Verifier

Prover

Random bit b

Opening of Com(π(G)),Com(π) if b = 0

Random π

Opening of Com(π(H)) if b = 1

Soundness can be amplified by repeating above protocol k times

Every message other than final verification of Blum ZK

protocol for Graph Hamiltonicity can be made uniformly random

covert zk to garbled circuits
Covert ZK to Garbled Circuits

Statement: G has Hamiltonian Cycle

Hamiltonian Cycle H

Secret V

Random R

Com(π(G)), Com(π)

Random bit b

Opening of Com(π(G)),Com(π) if b = 0

Opening of Com(π(H)) if b = 1

Random π

Garbled

Circuit

V if “Accept”

R if “Reject”

Transcript, Statement, V, R

covert zk to garbled circuits31
Covert ZK to Garbled Circuits

Secret V

Random R

Statement: G has Hamiltonian Cycle

Hamiltonian Cycle H

V = V1  ….  Vk

Com(π(G)), Com(π)

Random bit b

Opening of Com(π(G)),Com(π) if b = 0

Opening of Com(π(H)) if b = 1

Garbled

Circuit

Vi if “Accept”

Ri if “Reject”

Transcript, Statement, Vi, Ri

preventing adversary from forcing random output on honest parties
Preventing Adversary from forcingrandom output on honest parties
  • Covert Computation has a new problem

Since no verification is done, malicious parties could force

a random output on honest parties

  • How do honest parties know if everyone participated and the output was y or if someone was malicious and output was forced to be y?
preventing adversary from forcing random output on honest parties33
Preventing Adversary from forcingrandom output on honest parties
  • Let x denote the vector of inputs
  • Let (ki, ri) be a (secret key, random share) pair
  • chosen by party Pi.
  • Let a|b denote string ‘a’ concatenated with string ‘b’
  • Using the GMW protocol, the parties compute
  • Com(f(x)|k1|k2|…..|kn) with randomness r1 ….  rk
  • and later on compute its opening using another
  • GMW protocol
favorable outputs
Favorable Outputs?
  • Recall that we wanted output/participation
  • to be revealed only if function output was favorable
  • Function g(x) is a boolean function evaluating to 1
  • if output is favorable and 0 otherwise
  • Parties compute
  • (R1, R2) if g(x) = 0
  • (Com(f(x),k1|k2|….|kn),Open(Com(f(x),k1|k2|….|kn))) if g(x) = 1
other issues not addressed in this talk
Other issues not addressed in this talk
  • Ideal/Real Model for Covert Computation with and without fairness
  • Obtaining fairness in covert computation by making timed commitments covert
conclusions
CONCLUSIONS
  • Two party case does not extend to

multi-party case, but it is possible to do

  • New technique of ZK to garbled circuits

– might be useful in other settings

  • Cleaner definitions of covert computation

security, even for two party case