General Cryptographic Protocols (aka secure multi-party computation) - PowerPoint PPT Presentation

general cryptographic protocols aka secure multi party computation n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
General Cryptographic Protocols (aka secure multi-party computation) PowerPoint Presentation
Download Presentation
General Cryptographic Protocols (aka secure multi-party computation)

Loading in 2 Seconds...

play fullscreen
1 / 14
General Cryptographic Protocols (aka secure multi-party computation)
122 Views
Download Presentation
catherine-dudley
Download Presentation

General Cryptographic Protocols (aka secure multi-party computation)

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. General Cryptographic Protocols(aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science

  2. Joachim (and Claus) (and me)

  3. A general framework (for casting crypto problems) An m-ary (randomized) functionality (desired process) F:({0,1}n)m → ({0,1}n)m(where m2 denotes the # of parties). P1P2Pm x1 x2 xm(local inputs) y1 y2 ym(local outputs) (y1,y2,…,ym) = F(x1,x2,…,xm) Desired solution: delivery of outputs as if the operation was performed by a trusted party.

  4. Secure Multi-Party Computation (Crypto Protocols) A secure protocol obtains the same effect as the operation of a trusted party. Thus, mutually distrustful parties emulate the effect of a trusted party.

  5. On the feasibility of General Secure MPC Meta-THM: General Secure MPC is possible under a variety of natural assumptions. • Assuming an honest majority + TDP • Allowing abort + TDP • (i.e., not considering early termination as breach of security) • [reflected in the ideal model] • Assuming a 2/3-majority + private channels. • TDP== Trapdoor Permutations (which exist, e.g., assuming the intractability of factoring integers).

  6. Two-Step construction of General Secure MPC E.g., assuming an honest majority + TDP • Constructing protocols that are secure wrt semi-honest (“honest-but-curious”) adversaries. [“privacy only”] • Enforcing semi-honest behavior via ZK proofs (+commit) T = public information (transcript) Sender (secret input s) Receiver Supposed to send y = f(T,s) y’ Idea: provide a ZK proof that s’ s.t y’=f(T,s’) Step 2: enforcing

  7. Secure (private) MPC in the semi-honest model. We assume a TDP (trapdoor permutation). Reduce to deterministic functionalities with same outputs. Let C be a GF(2) circuit for computing the m-ary function. Idea: The parties propagate shares of the values of all wires inCfrom the input wires ofCto its output wires. x1 x2 x3 xm x y y1 y2 y3 ym (x = x1+x2+x3 +… +xm y = y1+y2+y3 +… +ym) z = z1+z2+z3 +… +zm z1 z2 z3 zm

  8. Secure (private) MPC of the gate functionality. The parties need to propagate shares of the values through each gate. (Shares with subscript i belong to party i.) x1 x2 x3 xm x y y1 y2 y3 ym (x = x1+x2+x3 +… +xm y = y1+y2+y3 +… +ym) z = z1+z2+z3 +… +zm z1 z2 z3 zm Easy case – addition gate: Set zi xi+yi (local computation). Similarly for negation: zi  xi+1 if i=1 and zi  xi o.w. Hard case – multiplication gate: we wish z1+z2+… +zm = (x1+x2 +… +xm) ∙ (y1+y2 +… +ym) (use algebra) (x1+x2+… +xm) ∙ (y1+y2+… +ym) = ∑i xiyi + ∑i≠j (xiyj+xjyi) local2PC

  9. Secure 2-PC of s.t. Recall: General secure MPC “reduces” to secure 2PC of ((x1,y1),(y2,x2)) → (z1,z2), where (z1,z2) is random subject to z1+z2 = x1x2+y2y1. In the i-th invocation use inputs (xi,ri) and yi, where ri is a random bit. Each party sets its final output = sum of both intermediate outputs. 1st2nd Inputs: x1,y1 x2,y2 Outputs: rr+x1x2+y1y2 1st2nd Inputs: x,z y Outputs: -z+xy (OT) SenderReceiver Inputs: s0,s1c Outputs: -sc Sender sets sy = z+yx.

  10. SenderReceiver Inputs: s0,s1c Outputs: -sc Implementing OT(OT = Oblivious Transfer) Background: assuming a collection of TDP {fi:Di→Di} with hardcore predicate b SenderReceiver Inputs: s0,s1c selects a permutation f (with trapdoor) select xc,y1-cDi compute yc=fi(xc) find thef-preimages of both denoted z0 , z1, and send b(z0)+s0 , b(z1)+s1 recover by + b(xc) y0 , y1

  11. Conclusion: General Secure MPC is feasible • MPC for an honest majority, assuming TDP • Similar ideas (+more) yield MPC wo honest majority, but when “allowing abort” (i.e., not considering early termination as breach of security). (Also assuming TDP). • Assuming a 2/3-majority + private channels. Meta-THM: General Secure MPC (i.e., secure emulation of trusted parties) is possible under a variety of natural assumptions.

  12. The End The slides of this talk are available at http://www.wisdom.weizmann.ac.il/~oded/T/mpc.ppt A related survey is available at http://www.wisdom.weizmann.ac.il/~oded/s_mpc.html

  13. Zero-Knowledge Proofs A secure protocol (i.e., ZK proof) obtains the same effect as the operation of a trusted party. Thus, mutually distrustful parties emulate the effect of a trusted party.

  14. Secure 2-PC of the Inner Product mod 2 of two vectors Recall: General secure MPC “reduces” to secure 2PC of the inner product mod 2 of two input vectors held by the two parties. (For us n=2 suffices.) In the ith invocation use inputs (xi,ri) and yi, where ri is a random bit. Final output = sum of all n outputs. 1st2nd Inputs: x1,…,xn y1,…,yn Outputs: rr+∑ixiyi 1st2nd Inputs: x,z y Outputs: -z+xy SenderReceiver Inputs: s0,s1c Outputs: -sc