1. Secure Computation Lecture 17-18
Arpita Patra
2. Recap
- i.t. (perfect) MPC in malicious setting
  - Three orthogonal problems: (n,t)-sharing, reconstruction, multiplication protocol
  - Verifiable Secret Sharing (VSS) will take care of the first two problems
- Verifiable Secret Sharing (VSS)
  - Definition (Secrecy, Correctness, Strong Commitment)
  - Properties of bivariate polynomials
  - Six-round construction based on a bivariate polynomial with n > 3t
  - Four-round construction with minor tweaks
  - Reconstruction from error correction of RS codes (will be discussed today)
3. i.t. Multi-party Computation [BGW]
  1. (n, t)-secret share each input.
  2. Find an (n, t)-sharing of each intermediate value.
     - Linear gates: linearity of Shamir sharing, non-interactive.
     - Non-linear gate: requires a degree-reduction technique, interactive.
  3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other.
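4. Definition of VSS [CGMA85]
Extends Secret Sharing to the case of malicious corruption.
[Figure: in the Sharing Phase the Dealer, holding Secret s, hands out shares $v_1, v_2, v_3, \dots, v_n$; the Reconstruction Phase outputs Secret s. Labels: "s is secure", "s is committed".]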
5. Definition of VSS [CGMA85] Continued..
Setting: n parties $P = \{P_1, \dots, P_n\}$, dealer D (e.g., $D = P_1$); t corrupted parties (possibly including D), denoted $A_t$.
- Secrecy: If D is honest, then $A_t$ has no information about secret s during the Sharing phase.
- Correctness: If D is honest, then secret s will be correctly reconstructed during the reconstruction phase.
- Strong Commitment: A corrupted D commits a unique $s^*$; $s^*$ should be uniquely reconstructed.
6. Bivariate Polynomial and its properties
$F(x,y)$ of degree at most (t,t), with $g_i(y) = F(i,y)$ and $f_i(x) = F(x,i)$ for $i = 1, \dots, n$.
[Figure: n × n matrix of the values $F(i,j)$; row i lists $F(i,1), F(i,2), \dots, F(i,n)$, the evaluations of $g_i(y)$, and column i lists $F(1,i), F(2,i), \dots, F(n,i)$, the evaluations of $f_i(x)$.]
- Claim 1: t $F(x,i)$'s and t $F(i,y)$'s will leak NO info about $F(0,0)$.
- Claim 2: (t+1) $F(x,i)$'s or (t+1) $F(i,y)$'s completely determine $F(x,y)$.
- Claim 3: $g_i(j) = f_j(i) = F(i,j)$ and $g_j(i) = f_i(j) = F(j,i)$.
7. Four Round VSS- D's Distribution
$F(x,y)$ of degree at most (t,t) s.t. $s = F(0,0)$.
[Figure: the same n × n matrix of values $F(i,j)$ with $g_i(y) = F(i,y)$ and $f_i(x) = F(x,i)$; the party labels $P_1, P_2, P_i, P_n$ appear against both $g_i(y)$ and $f_i(x)$.]
8. Four Round VSS- Verification, Complaint & Resolution
- $P_i$ holds $f_i(x) = F(x,i)$ and $g_i(y) = F(i,y)$.
- $P_j$ holds $f_j(x) = F(x,j)$ and $g_j(y) = F(j,y)$.
- Pairwise checks: $f_i(j) = g_j(i) = F(j,i)$ and $g_i(j) = f_j(i) = F(i,j)$.
- Every pair of honest parties' polynomials are pairwise consistent.
9. Four Round VSS- Output share
[Figure: $P_1, P_2, P_i, P_n$ with output shares $g_1(0) = F(1,0)$, $g_2(0) = F(2,0)$, $g_i(0) = F(i,0)$, $g_n(0) = F(n,0)$.]
- $f_0(x) = F(x,0)$ and $f_0(0) = F(0,0) = s$.
- Two-level sharing: each Shamir share is also Shamir-shared: $g_i(1) = f_1(i)$, $g_i(2) = f_2(i)$, $g_i(i) = f_i(i)$, $g_i(n) = f_n(i)$.
- Note: D can choose the polynomial with which it wants to (n,t)-share its secret as $f(x)$, then choose $F(x,y)$ such that $F(x,0) = f(x)$, and then do VSS using $F(x,y)$.
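
The distribution, pairwise check and output shares of slides 6-9, as an added example that is not part of the lecture: a dealer samples $F(x,y)$ with $F(0,0) = s$, hands out $f_i$ and $g_i$, and the parties compare $f_i(j)$ with $g_j(i)$. The modulus `P`, the function names and the sample secret are assumptions; reconstruction here interpolates t+1 correct shares only.

```python
import secrets

P = 2**31 - 1  # prime modulus (assumption; the slides only need a field larger than n)

def evalp(coeffs, x):
    # coefficients are low-order first
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

def deal(s, t, n):
    # F[a][b] is the coefficient of x^a y^b; degree at most (t, t) and F(0,0) = s
    F = [[secrets.randbelow(P) for _ in range(t + 1)] for _ in range(t + 1)]
    F[0][0] = s % P
    f = {i: [evalp(F[a], i) for a in range(t + 1)] for i in range(1, n + 1)}     # f_i(x) = F(x, i)
    cols = [[F[a][b] for a in range(t + 1)] for b in range(t + 1)]
    g = {i: [evalp(cols[b], i) for b in range(t + 1)] for i in range(1, n + 1)}  # g_i(y) = F(i, y)
    return f, g

def inconsistent_pairs(f, g):
    # P_i and P_j compare f_i(j) with g_j(i); both equal F(j, i) when D is honest
    return [(i, j) for i in f for j in g if evalp(f[i], j) != evalp(g[j], i)]

def reconstruct(shares, t):
    # Lagrange interpolation at 0 from t+1 output shares g_i(0) = F(i, 0) = f_0(i)
    pts = sorted(shares.items())[:t + 1]
    s = 0
    for i, y in pts:
        lam = 1
        for k, _ in pts:
            if k != i:
                lam = lam * k % P * pow((k - i) % P, -1, P) % P
        s = (s + y * lam) % P
    return s

def demo(cheat=False):
    t, n = 1, 4                      # n > 3t
    f, g = deal(1234, t, n)          # constructed secret
    if cheat:
        f[3][0] = (f[3][0] + 1) % P  # corrupt D hands P3 an f_3 that is not F(x, 3)
    return inconsistent_pairs(f, g), reconstruct({i: g[i][0] for i in g}, t)
```
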
10. Reconstruction Phase (Error Correction of Reed-Solomon Codes)
[Figure: parties $P_1, P_2, P_i, P_n$ holding $f(1), f(2), f(i), f(n)$.]
(n, t+1)-RS code (over field $\mathbb{F}$, $|\mathbb{F}| > n$):
- Encoding: given a message block of t+1 field elements $m_0, m_1, \dots, m_t$, define $f(x) = m_0 + m_1 x + \dots + m_t x^t$ and $C = (f(1), f(2), \dots, f(n))$.
- Distance d of the (n, t+1)-RS code is n - t.
- Theorem: an (n, t+1)-RS code can correct x errors if d > 2x.
- With n >= 3t+1, d > 2t, so we can correct t errors.
11. Berlekamp-Welch Error Correction Algorithm for RS Codes
[Figure: parties $P_1, P_2, P_i, P_n$ broadcasting $f(1), f(2), f(i), f(n)$.]
- $r(x)$: polynomial defined by the broadcast points (degree at most 3t).
- $f(x)$: actual polynomial (degree at most t).
- $e(x)$: error polynomial $(x-e_1)(x-e_2)\cdots(x-e_t)$, with $e_1, e_2, \dots, e_t$ from $\{1, \dots, n\}$ (degree t).
- $f(x)e(x) = r(x)e(x)$ at $x = 1, 2, \dots, n$. Not claiming the LHS and RHS polynomials are the same; they are the same at $x = 1, 2, \dots, n$.
- Let $f(x)e(x) = q(x)$ (degree 2t). Then $q(x) = r(x)e(x)$ at $x = 1, 2, \dots, n$, where $q(x)$ and $e(x)$ are unknown.
- Find $f(x)$ = find $e(x)$. (Callout on the slide: "Goal is to find this poly".)
- How to find $e(x)$? By solving a system of linear equations.
  - Unknowns: coefficients of $q(x)$ and $e(x)$: 3t+1.
  - Equations: 3t+1.
- Solving the system of linear equations reduces to (publicly known) matrix multiplication.
12. Distributed Error Correction of RS Codes
[Figure: the values $f(1), f(2), f(i), f(n)$ of parties $P_1, P_2, P_i, P_n$ are mapped by linear operations to the coefficients of $e(x)$.]
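
The decoding of slides 10-12, as an added example that is not part of the lecture: Berlekamp-Welch over a prime field, solving the 3t+1 linear equations $q(i) = r_i\,e(i)$ for the coefficients of $q$ and the monic $e$, then recovering $f = q/e$ and the error locations. The modulus `P`, the function names and the sample polynomial are assumptions made for the illustration.

```python
P = 2**31 - 1  # prime modulus (assumption; any prime larger than n works)

def evalp(coeffs, x):
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

def solve_mod(A, b):
    # Gauss-Jordan elimination over GF(P); free variables are set to 0
    cols = len(A[0])
    M = [row + [bi] for row, bi in zip(A, b)]
    pivots = []
    for c in range(cols):
        r = len(pivots)
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, P)
        M[r] = [v * inv % P for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                M[i] = [(vi - M[i][c] * vr) % P for vi, vr in zip(M[i], M[r])]
        pivots.append(c)
    if any(row[cols] for row in M[len(pivots):]):
        raise ValueError("inconsistent system: more than t errors")
    sol = {c: M[i][cols] for i, c in enumerate(pivots)}
    return [sol.get(c, 0) for c in range(cols)]

def berlekamp_welch(points, t):
    # points: [(i, r_i)] for n >= 3t+1 parties, at most t of the r_i wrong.
    # Unknowns: q_0..q_2t and e_0..e_(t-1) (e is monic of degree t), 3t+1 in total.
    A = [[pow(x, k, P) for k in range(2 * t + 1)] +
         [-r * pow(x, k, P) % P for k in range(t)] for x, r in points]
    b = [r * pow(x, t, P) % P for x, r in points]
    z = solve_mod(A, b)
    q, e = z[:2 * t + 1], z[2 * t + 1:] + [1]
    f = [0] * (t + 1)  # f = q / e by long division (e is monic)
    for k in range(t, -1, -1):
        f[k] = q[k + t]
        for j, ej in enumerate(e):
            q[k + j] = (q[k + j] - f[k] * ej) % P
    if any(q):
        raise ValueError("e(x) does not divide q(x): more than t errors")
    return f, [x for x, r in points if evalp(f, x) != r]

def demo():
    f = [42, 5, 7]  # constructed f(x) of degree t = 2, secret f(0) = 42
    shares = [(i, evalp(f, i)) for i in range(1, 8)]  # n = 3t+1 = 7
    shares[2], shares[5] = (3, 1), (6, 0)  # P3 and P6 broadcast wrong values
    return berlekamp_welch(shares, 2)
```

Error locations are reported by comparing the recovered $f$ with the broadcast points rather than by factoring $e(x)$, because with fewer than t actual errors the solved $e(x)$ has roots that do not correspond to any faulty party.
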
13. i.t. Multi-party Computation
  1. (n, t)-secret share each input.
  2. Find an (n, t)-sharing of each intermediate value.
     - Linear gates: linearity of Shamir sharing, non-interactive.
     - Non-linear gate: requires a degree-reduction technique, interactive.
  3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other.
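14. Secure Multiplication Gate Evaluation
[Figure: parties $P_1, P_2, P_3, \dots, P_n$ holding shares $a_1, a_2, a_3, \dots, a_n$ of a and $b_1, b_2, b_3, \dots, b_n$ of b; polynomials $f_1(x)$ and $f_2(x)$; label "ab".]
- $a_1 b_1 = c_1$, $a_2 b_2 = c_2$, $a_3 b_3 = c_3$, ..., $a_n b_n = c_n$
- $f(x) = f_1(x) f_2(x)$ of degree 2t
- Recombination Vector $(r_1, \dots, r_n)$ where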
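15. Secure Multiplication Gate Evaluation
[Figure: parties $P_1, P_2, P_3, \dots, P_n$ holding shares $a_1, \dots, a_n$ of a and $b_1, \dots, b_n$ of b; polynomials $f_1(x)$ and $f_2(x)$; each of $c_1, c_2, c_3, \dots, c_n$ is labelled "Shamir-share".]
- $a_1 b_1 = c_1$, $a_2 b_2 = c_2$, $a_3 b_3 = c_3$, ..., $a_n b_n = c_n$
- $f(x) = f_1(x) f_2(x)$ of degree 2t
- Recombination Vector $(r_1, \dots, r_n)$: $r_1 c_1 + \dots + r_n c_n = ab$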
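16. Secure Multiplication Gate Evaluation
[Figure: parties $P_1, P_2, P_3, \dots, P_n$ holding shares $a_1, \dots, a_n$ of a and $b_1, \dots, b_n$ of b; polynomials $f_1(x)$ and $f_2(x)$; each of $c_1, c_2, c_3, \dots, c_n$ is labelled "VSS-share".]
- $a_1 b_1 = c_1$, $a_2 b_2 = c_2$, $a_3 b_3 = c_3$, ..., $a_n b_n = c_n$
- $f(x) = f_1(x) f_2(x)$ of degree 2t
- Recombination Vector $(r_1, \dots, r_n)$: $r_1 c_1 + \dots + r_n c_n = ab$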
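17. Secure Multiplication Gate Evaluation
[Figure: parties $P_1, P_2, P_3, \dots, P_n$ holding shares $a_1, \dots, a_n$ of a and $b_1, \dots, b_n$ of b; polynomials $f_1(x)$ and $f_2(x)$; the values $c_1, c_2, c'_3, \dots, c'_n$ are each labelled "VSS-share"; labels "$r_1 c_1 + \dots + r_n c'_n$" and "c".]
- $a_1 b_1 = c_1$, $a_2 b_2 = c_2$, $a_3 b_3 = c_3$, ..., $a_n b_n = c_n$
- $f(x) = f_1(x) f_2(x)$ of degree 2t
- Recombination Vector $(r_1, \dots, r_n)$
- Force them to share the CORRECT product-share.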
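18. Secure Multiplication Gate Evaluation
[Figure: parties $P_1, P_2, P_3, \dots, P_n$ holding shares $a_1, \dots, a_n$ and $b_1, \dots, b_n$, and the values $c_1, c_2, c_3, \dots, c_n$.]
- $a_1 b_1 = c_1$, $a_2 b_2 = c_2$, $a_3 b_3 = c_3$, ..., $a_n b_n = c_n$
- A corrupted party will either get discarded or share the correct c-value.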
19. Secure Multiplication Gate Evaluation
[Figure: parties $P_1, P_2, P_3, \dots, P_n$ holding shares $a_1, \dots, a_n$ and $b_1, \dots, b_n$; each of $a_1 b_1, a_2 b_2, a_3 b_3, \dots, a_n b_n$ is labelled "VSS-share".]
20. Secure Multiplication Gate Evaluation
[Figure: parties $P_1, P_2, P_3, \dots, P_n$ holding shares $a_1, \dots, a_n$ and $b_1, \dots, b_n$; the values $a_1 b_1, a_2 b_2, a'_3 b'_3, \dots, a'_n b'_n$ are each labelled "VSS-share".]
Distributed Error Correction:
- Get error locations.
- Ignore the corresponding parties.
- Remaining parties have shared their a and b shares correctly.
Focus on one party.
21. Secure Multiplication Gate Evaluation (abusing notation)
[Figure: party P with a, b and c; $A(x)$ with shares $a_1, a_2, a_3, \dots, a_n$; $B(x)$ with shares $b_1, b_2, b_3, \dots, b_n$.]
$C(x) = A(x)B(x)$: 2t-degree, non-random.
How to reduce the degree and randomize the polynomial?
Choose t random polynomials $D_1(x), \dots, D_t(x)$ s.t. the following polynomial is random and at most degree-t poly with constant term c = ab:
$D(x) = C(x) - xD_1(x) - \dots - x^t D_t(x)$
$C(x) = c + c_1 x + \dots + c_t x^t + c_{t+1} x^{t+1} + \dots + c_{2t-1} x^{2t-1} + c_{2t} x^{2t}$
$D_t(x) = r_{t,1} + r_{t,2} x + \dots + r_{t,t-1} x^{t-1} + c_{2t} x^t$
22. Secure Multiplication Gate Evaluation
[Figure: party P with a, b and c; $A(x)$ with shares $a_1, a_2, a_3, \dots, a_n$; $B(x)$ with shares $b_1, b_2, b_3, \dots, b_n$.]
$C(x) = A(x)B(x)$: 2t-degree, non-random.
How to reduce the degree and randomize the polynomial?
Choose t random polynomials $D_1(x), \dots, D_t(x)$ s.t. the following polynomial is random and at most degree-t poly with constant term c = ab:
$D(x) = C(x) - xD_1(x) - \dots - x^t D_t(x)$
$C(x) = c + c_1 x + \dots + c_t x^t + c_{t+1} x^{t+1} + \dots + c_{2t-1} x^{2t-1} + c_{2t} x^{2t}$
$x^t D_t(x) = r_{t,1} x^t + r_{t,2} x^{t+1} + \dots + r_{t,t-1} x^{2t-1} + c_{2t} x^{2t}$
$D_{t-1}(x) = r_{t-1,1} + r_{t-1,2} x + \dots + (c_{2t-1} - r_{t,t-1}) x^t$
23. Secure Multiplication Gate Evaluation
[Figure: party P with a, b and c; $A(x)$ with shares $a_1, a_2, a_3, \dots, a_n$; $B(x)$ with shares $b_1, b_2, b_3, \dots, b_n$.]
$C(x) = A(x)B(x)$: 2t-degree, non-random.
How to reduce the degree and randomize the polynomial?
Choose t random polynomials $D_1(x), \dots, D_t(x)$ s.t. the following polynomial is random and at most degree-t poly with constant term c = ab:
$D(x) = C(x) - xD_1(x) - \dots - x^t D_t(x)$
$C(x) = c + c_1 x + \dots + c_t x^t + c_{t+1} x^{t+1} + \dots + c_{2t-1} x^{2t-1} + c_{2t} x^{2t}$
$x^t D_t(x) = r_{t,1} x^t + r_{t,2} x^{t+1} + \dots + r_{t,t-1} x^{2t-1} + c_{2t} x^{2t}$
$x^{t-1} D_{t-1}(x) = r_{t-1,1} x^{t-1} + r_{t-1,2} x^t + \dots + (c_{2t-1} - r_{t,t-1}) x^{2t-1}$
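24. Secure Multiplication Gate Evaluation
Coefficient table (one row per polynomial, entries in increasing power of x, as far as the slide shows them):
- $C(x)$: $c,\ c_1,\ \dots,\ c_{t-1},\ c_t,\ c_{t+1},\ \dots,\ c_{2t-2},\ c_{2t-1},\ c_{2t}$
- $x^t D_t(x)$: $\dots,\ r_{t,1},\ r_{t,2},\ \dots,\ r_{t,t-2},\ r_{t,t-1},\ c_{2t}$
- $x^{t-1} D_{t-1}(x)$: $\dots,\ r_{t-1,1},\ r_{t-1,2},\ r_{t-1,3},\ r_{t-1,t-1},\ c_{2t-1} - r_{t,t-1}$
- ...
- $x D_1(x)$: $r_{1,1},\ r_{1,t-2},\ r_{1,t-1},\ c_{t+1} - r_{t,2} - \dots - r_{2,t}$
$D(x) = C(x) - xD_1(x) - \dots - x^t D_t(x)$:
- Degree t
- Random
- Constant term is c
$D(x)$ is an ideal poly to be used for sharing c.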
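25. Secure Multiplication Gate Evaluation
[Figure: party P with a and b; $A(x)$ with shares $a_1, \dots, a_n$; $B(x)$ with shares $b_1, \dots, b_n$; $C(x)$ with values $a_1 b_1, a_2 b_2, a_3 b_3, \dots, a_n b_n$.]
$D(x) \stackrel{?}{=} C(x) - xD_1(x) - \dots - x^t D_t(x)$
P shares (using VSS; and setting F(x,0)):
- $D(x)$ with shares $d_1, d_2, d_3, \dots, d_n$
- $D_1(x)$ with shares $d_{11}, d_{12}, d_{13}, \dots, d_{1n}$
- $D_2(x)$ with shares $d_{21}, d_{22}, d_{23}, \dots, d_{2n}$
- $D_t(x)$ with shares $d_{t1}, d_{t2}, d_{t3}, \dots, d_{tn}$
If P is honest we are done, since $D(x)$ is at most degree-t poly and random.
Checks by the parties:
- $d_1 \stackrel{?}{=} a_1 b_1 - 1 \cdot d_{11} - \dots - 1^t d_{t1}$
- $d_2 \stackrel{?}{=} a_2 b_2 - 2 \cdot d_{12} - \dots - 2^t d_{t2}$
- $d_3 \stackrel{?}{=} a_3 b_3 - 3 \cdot d_{13} - \dots - 3^t d_{t3}$
- $d_n \stackrel{?}{=} a_n b_n - n \cdot d_{1n} - \dots - n^t d_{tn}$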
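26. Secure Multiplication Gate Evaluation
[Figure: party P with a and b; $A(x)$ with shares $a_1, \dots, a_n$; $B(x)$ with shares $b_1, \dots, b_n$; $C(x)$ with values $a_1 b_1, a_2 b_2, a_3 b_3, \dots, a_n b_n$; $D(x)$ with shares $d_1, \dots, d_n$; $D_1(x), D_2(x), \dots, D_t(x)$ with shares $d_{11}, \dots, d_{1n}$; $d_{21}, \dots, d_{2n}$; $d_{t1}, \dots, d_{tn}$.]
$D(x) \stackrel{?}{=} C(x) - xD_1(x) - \dots - x^t D_t(x)$
Checks by the parties:
- $d_1 \stackrel{?}{=} a_1 b_1 - 1 \cdot d_{11} - \dots - 1^t d_{t1}$
- $d_2 \stackrel{?}{=} a_2 b_2 - 2 \cdot d_{12} - \dots - 2^t d_{t2}$
- $d_3 \stackrel{?}{=} a_3 b_3 - 3 \cdot d_{13} - \dots - 3^t d_{t3}$
- $d_n \stackrel{?}{=} a_n b_n - n \cdot d_{1n} - \dots - n^t d_{tn}$
$D(x)$ is degree t but may not share c. The RHS may not be degree t but shares c.
If all honest parties find the relation true, then $D(x)$ shares c.
But we do not know who is honest/corrupted: $P_3$ complains, check if the complaint is correct; if so discard P, else ignore the complaint.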
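
The degree reduction and share check of slides 21-26, as an added example that is not part of the lecture: the top coefficient of each $D_i(x)$ is forced so that the $x^{t+i}$ term of $C(x) - \sum_l x^l D_l(x)$ cancels, and every party then checks the relation on its own shares. The modulus `P`, the function names and the sample polynomials are assumptions; the VSS step is replaced by plain evaluation.

```python
import secrets

P = 2**31 - 1  # prime modulus (assumption)

def evalp(coeffs, x):
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out

def reduce_degree(C, t):
    # Pick D_t, ..., D_1 of degree t. The low t coefficients are random; the top
    # one is forced so the x^(t+i) coefficient of C(x) - sum_l x^l D_l(x) is zero.
    Ds = {}
    for i in range(t, 0, -1):
        top = (C[t + i] - sum(Ds[l][t + i - l] for l in range(i + 1, t + 1))) % P
        Ds[i] = [secrets.randbelow(P) for _ in range(t)] + [top]
    D = C[:]
    for i, Di in Ds.items():
        for m, r in enumerate(Di):
            D[i + m] = (D[i + m] - r) % P
    return D, Ds

def complaining_parties(n, a_sh, b_sh, d_sh, Ds_sh):
    # P_j checks d_j == a_j*b_j - j*d_1j - ... - j^t*d_tj on its own shares
    bad = []
    for j in range(1, n + 1):
        rhs = a_sh[j] * b_sh[j] - sum(pow(j, i, P) * Ds_sh[i][j] for i in Ds_sh)
        if d_sh[j] != rhs % P:
            bad.append(j)
    return bad

def demo(cheat=False):
    t, n = 2, 7
    A, B = [6, 11, 3], [7, 2, 9]  # constructed degree-t sharings of a = 6, b = 7
    D, Ds = reduce_degree(poly_mul(A, B), t)
    if cheat:
        D = [(D[0] + 1) % P] + D[1:]  # P shares a degree-t D(x) with the wrong constant term
    sh = lambda f: {j: evalp(f, j) for j in range(1, n + 1)}
    bad = complaining_parties(n, sh(A), sh(B), sh(D[:t + 1]), {i: sh(Ds[i]) for i in Ds})
    return D, bad
```
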
27. Chalk & Talks
- CT4 [LR15]: Blazing Fast 2PC in the Offline/Online Setting with Security for Malicious Adversaries. https://eprint.iacr.org/2015/987.pdf
- CT5 [AMPR15]: Non-Interactive Secure Computation Based on Cut-and-Choose. http://eprint.iacr.org/2015/282
- CT6 [IOZ15]: Secure Multi-Party Computation with Identifiable Abort. http://eprint.iacr.org/2015/325
- CT7 [LPSY15]: Efficient Constant Round Multi-party Computation Combining BMR and SPDZ. https://eprint.iacr.org/2015/523
- CT8 [HR14]: Multi-Valued Byzantine Broadcast: the t < n Case. http://eprint.iacr.org/2013/553