Slide1
Secure Computation with Minimal Interaction, Revisited
Yuval Ishai (Technion), Ranjit Kumaresan (MIT), Eyal Kushilevitz (Technion), Anat Paskin-Cherniavsky (Ariel)
Slide2
Secure Multiparty Computation
IDEAL
Parties submit inputs
Parties get back outputs
IDEAL
REAL
Done by MPC [Yao86,GMW87,…]
… lose the “minimal” structure
Broadcast requires ≥ 2 rounds
Even with broadcast, 3 rounds necessary when t ≥ 2 [GIKR02]
Slide3
This Talk
Why n = 3, n = 4? Why t = 1?
Typically small number of parties
More than 1 corruption unlikely
E.g.: Sharemind, Danish beet
Redundancy
recoverability
Why 2 rounds?
Revisit question of MPC in 2 rounds
Specifically, n = 3 and n = 4 cases
Tolerating t = 1 malicious corruption
Minimal setting: no broadcast, no set up
n = 2: 5-round lower bound [KO04]
n ≥ 5: 2-round [IKP10]
Guaranteed output delivery
No broadcast, no set up
3-round lower bound for t > 1 [GIKR02]
Minimal structure
MPC impossible in 1 round
Slide4
Prior Work: 3-party
Prior Work: 4-party
Broadcast impossible for t = 1; need computational assumptions
LWE+PKE / iO+CRS
2-round MPC for t < n/2 [GGHR14, AJL+12, GLS15, MW15]
2-round perfect SFE impossible [GIKR02]
2-round SFE with “selective abort” security [IKP10]
Statistical VSS:
1-round sharing, 2-round reconstruction [PCRR09]
2-round sharing, 1-round reconstruction [Agr12]
LWE + PKE / iO + CRS 2-round MPC for t < n/2
2-round general SFE in preprocessing model [IKMOP13]
Correlated randomness size = Exponential in input size
Slide5
Our Results: 3-party
Our Results: 4-party
All +ve results previously unknown even with broadcast channel
2-round, no broadcast, no set up, t = 1 malicious corruption
General SFE with “selective abort” security
Adv can selectively deny output to individual parties
Blackbox PRG, stat. security for NC1
Concrete efficiency comparable to semihonest Yao
2-round, no broadcast, no set up, t = 1 malicious corruption
Statistical VSS (implies 2-round coin tossing, simultaneous broadcast)
1 round sharing, 1 round reconstruction
Statistical Linear Function Evaluation with guaranteed output delivery
Impossibility for general SFE; even with broadcast; even with non-rushing adv
Computational General SFE with guaranteed output delivery
Assumption: one-to-one one-way functions
General SFE in preprocessing model with guaranteed output delivery
Correlated randomness = O(input size); Blackbox PRG, stat. security for NC1
Slide6
Talk Outline
Tools: PSM, secret sharing
3-party “security with selective abort”
4-party statistical VSS
4-party linear function evaluation
4-party impossibility of statistical SFE
4-party computational SFE
4-party statistical SFE in preprocessing model
Slide7
Private Simultaneous Messages
Secret Sharing
Shared randomness
PSM [FKN94]
Multiple “clients” sharing randomness
Single “referee” gets one message from each client
Referee learns only f(x, y)
Simple PSM protocol via “garbled circuits”:
Randomness defines GC/GC input keys
Client msg = GC + input keys based on client input
Keys validated via authentication (MAC/Hash)
Referee rejects if GC’s don’t match or keys invalid
Else evaluates GC to learn f(x, y)
(Diagram labels: x, y, f(x, y))
1-private 3-party CNF sharing
Secret s = s1 + s2 + s3
Shares: (s2, s3), (s3, s1), (s1, s2)
Pairs of shares have common values
Additive sharing
2-out-of-2 sharing
Secret s = s1 + s2
Shares: s1, s2
Efficient extendability: Given secret & one share, possible to compute other shares
Slide8
Talk Outline
Tools: PSM, secret sharing
3-party “security with selective abort”
4-party statistical VSS
4-party linear function evaluation
4-party impossibility of statistical SFE
4-party computational SFE
4-party statistical SFE in preprocessing model
Slide9
2-Round 3-Party Protocol with Selective Abort Security
PSM protocol reconstructs inputs
Joint view of pairs of parties defines inputs
Evaluates f on reconstructed inputs
Insecure against malicious adversary
Selective Abort
Inconsistent inputs (next slide)
PSM protocol messages
Round 2
Selective Abort:
Blue PSM aborted
Round 2
PSM shared randomness
Additive input sharing
Round 1
Slide10
2-Round 3-Party Protocol with Selective Abort Security
Round 1
Round 2
PSM messages corresponding to y ≠ x
Additive sharing of x
Inconsistent inputs attack
Blue, Red PSM evaluate f on y
Green PSM evaluates f on x
Honest parties accept “wrong output”
View Reconstruction Trick
PSM reconstructs secret share of PSM client input “ought to be held” by PSM referee (in addition to eval. f)
Accept output only if reconstructed share matches distributed share
Stat. security for NC1; Comp. security with blackbox PRG
Slide11
Talk Outline
Tools: PSM, secret sharing
3-party “security with selective abort”
4-party statistical VSS
4-party linear function evaluation
4-party impossibility of statistical SFE
4-party computational SFE
4-party statistical SFE in preprocessing model
Slide12
Verifiable Secret Sharing
Sharing
Privacy: dealer input secret hidden from adv
Commitment: unique secret defined at end of sharing is reconstructed
Correctness: unique secret equals honest dealer’s input
Reconstruction
Naïve VSS
Sharing: 1-private 3-party CNF
Parties share common value
Recon.: Broadcast shares
Defines “inconsistency graphs”
CNF sharing
Secret s = s1 + s2 + s3
Shares: (s2, s3), (s3, s1), (s1, s2)
Inconsistent CNF shares
Consistent CNF shares
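Added example (not from the talk): the 1-private 3-party CNF sharing, its extendability property, and the inconsistency graph that broadcast shares define in the naïve VSS. It assumes the slides' "+" is bytewise XOR; all function names are hypothetical.

```python
import secrets
from itertools import combinations

PARTIES = (1, 2, 3)

def xor(*vals):
    """Bytewise XOR of equal-length byte strings (assumed group operation)."""
    out = bytes(len(vals[0]))
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

def shares_from_summands(parts):
    """Party i holds every summand except s_i, stored as {index: value}."""
    return {i: {j: v for j, v in parts.items() if j != i} for i in PARTIES}

def cnf_share(secret):
    """Deal s = s1 ^ s2 ^ s3; any single party's share is independent of s."""
    s1 = secrets.token_bytes(len(secret))
    s2 = secrets.token_bytes(len(secret))
    return shares_from_summands({1: s1, 2: s2, 3: xor(secret, s1, s2)})

def extend(secret, share):
    """Extendability: secret + one party's share fix the missing summand,
    and with it the shares of the other two parties."""
    missing = (set(PARTIES) - set(share)).pop()
    parts = dict(share)
    parts[missing] = xor(secret, *share.values())
    return shares_from_summands(parts)

def inconsistency_graph(announced):
    """Edge (i, j) when i and j announce different values for the summand
    they both hold, i.e. the one indexed by the third party."""
    edges = set()
    for i, j in combinations(PARTIES, 2):
        common = (set(PARTIES) - {i, j}).pop()
        if announced[i][common] != announced[j][common]:
            edges.add((i, j))
    return edges

def reconstruct(announced):
    """Return (secret, edges); the secret is None unless the graph is empty."""
    edges = inconsistency_graph(announced)
    if edges:
        return None, edges
    parts = {}
    for share in announced.values():
        parts.update(share)
    return xor(parts[1], parts[2], parts[3]), edges
```

A party that misreports one of its two summands creates exactly one edge, and one that misreports both creates two edges meeting at that party, which matches the edge counts the next slide enumerates.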
Slide13
No edge
3 edges
2 edges
1 edge
Sharing
Broadcast
Slide14
Protocol Idea: Cut & choose + MAC Trick
Dealer sends k MACs to “disputed” parties (+ CNF shares)
“Undisputed party” gets k MAC keys from dealer
Sends random k/2 keys to a “disputed party” (priv. channels)
Sends all k MAC keys to the other (priv. channels)
Decision for “disputed parties”: Compute ‘VOTES’
Self: all k/2 MACs pass
Other: all k/2 MACs pass + at least 1 of remaining k/2 MACs pass
Both/No VOTE: discard dealer; else choose winning share
Analysis
Honest dealer/Bad party: No VOTE without forging 1 of unknown k/2 MAC for bad share
Honest “disputed party” always gets VOTE
Bad dealer: Unanimous agreement on VOTES except with negl(k) prob.
Stat. 4-party VSS in 2 rounds
Slide15
Talk Outline
Tools: PSM, secret sharing
3-party “security with selective abort”
4-party statistical VSS
4-party linear function evaluation
4-party impossibility of statistical SFE
4-party computational SFE
4-party statistical SFE in preprocessing model
Slide16
2-Round 4-Party Statistical Linear Function Evaluation
Round 1
Same as VSS: CNF Sharing + MAC distribution
Extract “0”
Simulation Extraction
3 edges
No edge
2 edges
1 edge
Protocol Ideas: PSM + View Reconstruction Trick
Private evaluation of function
Inconsistency graphs
Challenge: different parties hold different versions
Exploit linearity to force parties’ output to be consistent with extracted input
Resolvable
Exactly one disputed party gets VOTE
Extract: input reconstructed using value got from winning share
Identifiable
Both/None get VOTE
Input reconstructed using value got from xoring both losing shares
Slide17
Talk Outline
Tools: PSM, secret sharing
3-party “security with selective abort”
4-party statistical VSS
4-party linear function evaluation
4-party impossibility of statistical SFE
4-party computational SFE
4-party statistical SFE in preprocessing model
Slide18
y_0, y_1
b
Compute output based on these messages only; Output = y_0
Compute output based on these messages only; Output = y_1
y_0, y_1
b
Impossibility for 4-party stat. nonlinear function evaluation
Message consistent with b = 0
Message consistent with b = 1
Sampling possible
Privacy: message does not reveal b
Comp. unbounded adv can sample such pairwise consistent messages
y_0, y_1
b
Attack obtains both outputs
Guaranteed output delivery: output can be computed even if “adversary” aborts
Not simulatable in the IDEAL world!
Slide19
Talk Outline
Tools: PSM, secret sharing
3-party “security with selective abort”
4-party statistical VSS
4-party linear function evaluation
4-party impossibility of statistical SFE
4-party computational SFE
4-party statistical SFE in preprocessing model
Slide20
2-Round 4-Party Computational SFE
Round 1
Round 2
Broadcast com(b)
Secret share decommitment
y_0, y_1
b
y_0, y_1
b
y_0, y_1
b
Binding
Pairwise messages cannot be consistent with both b = 0 and b = 1
Pairwise PSM evaluates function BUT delivers output only if reconstructed decommitment (from shares) opens com(b)
Guaranteeing output delivery via View Reconstruction Trick
--One honest pair might hold valid decommitment, other honest pairs might not
--Adversary aborts in the 2nd round; does not deliver any messages
IDEA: PSM also reconstructs views that ought to be held by PSM referee
Slide21
Talk Outline
Tools: PSM, secret sharing
3-party “security with selective abort”
4-party statistical VSS
4-party linear function evaluation
4-party impossibility of statistical SFE
4-party computational SFE
4-party statistical SFE in preprocessing model
Slide22
2-Round 4-Party Stat. SFE in Preprocessing Model
r2, s1, s3, s4
r4, s1, s2, s3
r3, s1, s2, s4
r1, s2, s3, s4
Correlated Randomness
Random pad for each party
CNF share each random pad
Round 1
Broadcast masked input
Set pairwise PSM rand
Round 2
Pairwise PSM messages for function:
Checks if masked inputs match
Check consistency of CNF shares of randomness
Unmask within PSM to get true inputs
Evaluate function on true inputs
Compute CNF share “ought to be held” by PSM ref
Output accepted if reconstructed CNF share matches
Slide23
Conclusions
2 rounds, no broadcast or set up
Tools: PSM, secret sharing
3-party stat. “selective abort” security
4-party statistical VSS
4-party stat. linear function evaluation
4-party impossibility of statistical SFE
4-party computational SFE (1-1 owf)
4-party statistical SFE in preprocessing model
Thank You!