
General Cryptographic Protocols (aka secure multi-party computation)

General Cryptographic Protocols (aka secure multi-party computation). Oded Goldreich Weizmann Institute of Science. Joachim (and Claus). (and me). A general framework (for casting crypto problems). An m -ary (randomized) functionality (desired process)


Presentation Transcript


  1. General Cryptographic Protocols (aka secure multi-party computation). Oded Goldreich, Weizmann Institute of Science

  2. Joachim (and Claus) (and me)

  3. A general framework (for casting crypto problems)
     An $m$-ary (randomized) functionality (desired process) $F:(\{0,1\}^n)^m \to (\{0,1\}^n)^m$, where $m \ge 2$ denotes the # of parties.
     Parties $P_1, P_2, \ldots, P_m$ hold local inputs $x_1, x_2, \ldots, x_m$ and obtain local outputs $y_1, y_2, \ldots, y_m$, where $(y_1,y_2,\ldots,y_m) = F(x_1,x_2,\ldots,x_m)$.
     Desired solution: delivery of outputs as if the operation was performed by a trusted party.

  4. Secure Multi-Party Computation (Crypto Protocols) A secure protocol obtains the same effect as the operation of a trusted party. Thus, mutually distrustful parties emulate the effect of a trusted party.

  5. On the feasibility of General Secure MPC
     Meta-THM: General Secure MPC is possible under a variety of natural assumptions.
     • Assuming an honest majority + TDP
     • Allowing abort + TDP (i.e., not considering early termination as breach of security) [reflected in the ideal model]
     • Assuming a 2/3-majority + private channels.
     TDP = Trapdoor Permutations (which exist, e.g., assuming the intractability of factoring integers).

  6. Two-Step construction of General Secure MPC (e.g., assuming an honest majority + TDP)
     • Constructing protocols that are secure wrt semi-honest ("honest-but-curious") adversaries. ["privacy only"]
     • Enforcing semi-honest behavior via ZK proofs (+commit)
     Step 2 (enforcing): $T$ = public information (transcript). The Sender (secret input $s$) is supposed to send $y = f(T,s)$ to the Receiver and sends $y'$. Idea: provide a ZK proof that $\exists s'$ s.t. $y' = f(T,s')$.

  7. Secure (private) MPC in the semi-honest model
     We assume a TDP (trapdoor permutation). Reduce to deterministic functionalities with same outputs. Let $C$ be a GF(2) circuit for computing the $m$-ary function.
     Idea: The parties propagate shares of the values of all wires in $C$ from the input wires of $C$ to its output wires.
     [Figure: a gate with input wires $x$, $y$ and output wire $z$, each held as shares: $x = x_1+x_2+x_3+\cdots+x_m$, $y = y_1+y_2+y_3+\cdots+y_m$, $z = z_1+z_2+z_3+\cdots+z_m$.]

  8. Secure (private) MPC of the gate functionality
     The parties need to propagate shares of the values through each gate. (Shares with subscript $i$ belong to party $i$.)
     [Figure: a gate with input wires $x$, $y$ and output wire $z$, each held as shares: $x = x_1+x_2+x_3+\cdots+x_m$, $y = y_1+y_2+y_3+\cdots+y_m$, $z = z_1+z_2+z_3+\cdots+z_m$.]
     Easy case – addition gate: Set $z_i \leftarrow x_i+y_i$ (local computation). Similarly for negation: $z_i \leftarrow x_i+1$ if $i=1$ and $z_i \leftarrow x_i$ o.w.
     Hard case – multiplication gate: we wish $z_1+z_2+\cdots+z_m = (x_1+x_2+\cdots+x_m)\cdot(y_1+y_2+\cdots+y_m)$ (use algebra):
     $(x_1+x_2+\cdots+x_m)\cdot(y_1+y_2+\cdots+y_m) = \sum_i x_i y_i + \sum_{i<j} (x_i y_j + x_j y_i)$, where the first sum is computed locally and each term of the second sum is computed via 2PC.

  9. Secure 2-PC of s.t.
     Recall: General secure MPC "reduces" to secure 2PC of $((x_1,y_1),(y_2,x_2)) \to (z_1,z_2)$, where $(z_1,z_2)$ is random subject to $z_1+z_2 = x_1x_2+y_2y_1$.
     • Inputs: 1st party $x_1,y_1$; 2nd party $x_2,y_2$. Outputs: 1st party $r$; 2nd party $r+x_1x_2+y_1y_2$.
       In the $i$-th invocation use inputs $(x_i,r_i)$ and $y_i$, where $r_i$ is a random bit. Each party sets its final output = sum of both intermediate outputs.
     • Inputs: 1st party $x,z$; 2nd party $y$. Outputs: 1st party -; 2nd party $z+xy$.
     • (OT) Inputs: Sender $s_0,s_1$; Receiver $c$. Outputs: Sender -; Receiver $s_c$. Sender sets $s_y = z+yx$.

  10. Implementing OT (OT = Oblivious Transfer)
     Inputs: Sender $s_0,s_1$; Receiver $c$. Desired outputs: Sender -; Receiver $s_c$.
     Background: assuming a collection of TDP $\{f_i : D_i \to D_i\}$.
     • Sender: selects an index $i$.
     • Receiver: select $x_c, y_{1-c} \in D_i$, compute $y_c = f_i(x_c)$; message to the Sender: $y_0, y_1$.
     • Sender: find the $f_i$-preimages of both: $z_0, z_1$, and send $b(z_0)+s_0$, $b(z_1)+s_1$.

  11. Conclusion: General Secure MPC is feasible
     • MPC for an honest majority, assuming TDP
     • Similar ideas (+more) yield MPC w/o honest majority, but when "allowing abort" (i.e., not considering early termination as breach of security). (Also assuming TDP.)
     • Assuming a 2/3-majority + private channels.
     Meta-THM: General Secure MPC (i.e., secure emulation of trusted parties) is possible under a variety of natural assumptions.

  12. The End The slides of this talk are available at http://www.wisdom.weizmann.ac.il/~oded/T/mpc.ppt A related survey is available at http://www.wisdom.weizmann.ac.il/~oded/s_mpc.html

  13. Zero-Knowledge Proofs A secure protocol (i.e., ZK proof) obtains the same effect as the operation of a trusted party. Thus, mutually distrustful parties emulate the effect of a trusted party.

  14. Secure 2-PC of the Inner Product mod 2 of two vectors
     Recall: General secure MPC "reduces" to secure 2PC of the inner product mod 2 of two input vectors held by the two parties. (For us $n=2$ suffices.)
     • Inputs: 1st party $x_1,\ldots,x_n$; 2nd party $y_1,\ldots,y_n$. Outputs: 1st party $r$; 2nd party $r+\sum_i x_i y_i$.
       In the $i$th invocation use inputs $(x_i,r_i)$ and $y_i$, where $r_i$ is a random bit. Final output = sum of all $n$ outputs.
     • Inputs: 1st party $x,z$; 2nd party $y$. Outputs: 1st party -; 2nd party $z+xy$.
     • (OT) Inputs: Sender $s_0,s_1$; Receiver $c$. Outputs: Sender -; Receiver $s_c$.
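The share propagation of slides 8, 9 and 14, as an added example that is not code from the talk: addition gates are local, and a multiplication gate runs one 2PC of the inner product (with n=2) per pair of parties, each invocation reduced to OT with the sender setting $s_y = z+yx$. Assumptions: the OT is modelled as an ideal functionality, all function names are illustrative, and only the semi-honest model is covered.

```python
import secrets
from functools import reduce
from operator import xor

def ot(s0, s1, c):
    """Ideal 1-out-of-2 OT (assumed): the receiver learns s_c, the sender learns nothing."""
    return s1 if c else s0

def mult_2pc(x, z, y):
    """1st party holds (x, z), 2nd holds y; the 2nd learns z + x*y over GF(2).
    The 1st party acts as OT sender with s_y = z + y*x, the 2nd selects with c = y."""
    return ot(z, z ^ x, y)

def inner_product_2pc(xs, ys):
    """Returns (r, r + sum_i x_i*y_i): the 1st party's and the 2nd party's output."""
    rs = [secrets.randbits(1) for _ in xs]          # r_i: one random bit per invocation
    first = reduce(xor, rs, 0)                      # r = sum of the r_i
    second = reduce(xor, (mult_2pc(x, r, y) for x, r, y in zip(xs, rs, ys)), 0)
    return first, second

def share(bit, m):
    """Split a bit into m shares that sum to it over GF(2)."""
    parts = [secrets.randbits(1) for _ in range(m - 1)]
    return parts + [reduce(xor, parts, bit)]

def reconstruct(shares):
    return reduce(xor, shares, 0)

def add_gate(xs, ys):
    """Easy case: z_i = x_i + y_i, computed locally by party i."""
    return [x ^ y for x, y in zip(xs, ys)]

def mult_gate(xs, ys):
    """Hard case: local terms x_i*y_i plus one 2PC per pair i < j."""
    m = len(xs)
    zs = [x & y for x, y in zip(xs, ys)]
    for i in range(m):
        for j in range(i + 1, m):
            # Shares of x_i*y_j + y_i*x_j: inner product of (x_i, y_i) with (y_j, x_j).
            zi, zj = inner_product_2pc([xs[i], ys[i]], [ys[j], xs[j]])
            zs[i] ^= zi
            zs[j] ^= zj
    return zs

def evaluate(x, y, w, m=5):
    """Evaluate the GF(2) circuit (x*y) + w on shares held by m parties."""
    xs, ys, ws = share(x, m), share(y, m), share(w, m)
    return reconstruct(add_gate(mult_gate(xs, ys), ws))
```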
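The OT protocol of slide 10 with both sides' messages, as an added example that is not code from the talk. Assumptions: textbook RSA with tiny constructed primes stands in for the TDP $f_i$ (far too small for real use), $b$ is taken to be a hard-core predicate and instantiated as the least significant bit, and the function names are illustrative.

```python
import secrets

# Constructed toy parameters: index i = (N, E), trapdoor = D. Not secure at this size.
P, Q, E = 1009, 1013, 65537

def b(z):
    """Assumed hard-core predicate of f_i: the least significant bit."""
    return z & 1

def sender_setup():
    """Sender selects an index i and keeps the trapdoor."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    return (n, E), pow(E, -1, phi)

def receiver_choose(index, c):
    """Receiver selects x_c, y_{1-c} in D_i and computes y_c = f_i(x_c); sends (y_0, y_1)."""
    n, e = index
    x_c = secrets.randbelow(n)
    ys = [0, 0]
    ys[c] = pow(x_c, e, n)               # preimage known to the receiver
    ys[1 - c] = secrets.randbelow(n)     # preimage unknown to the receiver
    return x_c, tuple(ys)

def sender_respond(index, trapdoor, ys, s0, s1):
    """Sender finds the f_i-preimages z_0, z_1 and sends b(z_0)+s_0, b(z_1)+s_1."""
    n, _ = index
    z0, z1 = pow(ys[0], trapdoor, n), pow(ys[1], trapdoor, n)
    return b(z0) ^ s0, b(z1) ^ s1

def receiver_output(x_c, c, masked):
    """Since z_c = x_c, the receiver can remove the mask on s_c only."""
    return masked[c] ^ b(x_c)

def run_ot(s0, s1, c):
    """One full run: the sender holds bits (s0, s1), the receiver holds c and learns s_c."""
    index, trapdoor = sender_setup()
    x_c, ys = receiver_choose(index, c)
    masked = sender_respond(index, trapdoor, ys, s0, s1)
    return receiver_output(x_c, c, masked)
```

The sender sees only the pair $(y_0, y_1)$, two elements of $D_i$ that look alike regardless of $c$; a semi-honest receiver never inverts $y_{1-c}$, so $s_{1-c}$ stays masked by $b(z_{1-c})$.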
