
Multiparty Unconditionally Secure Protocols

Multiparty Unconditionally Secure Protocols. D. Chaum, C. Crepeau, and I. Damgaard; presented by Chi Bun Chan, Nov 15, 2004. Secure Multiparty Computation. System: n participants P_1, P_2, ..., P_n; P_i has a secret value x_i; all participants agree on a multivariable function F. Goals



  1. Multiparty Unconditionally Secure Protocols. D. Chaum, C. Crepeau, and I. Damgaard; presented by Chi Bun Chan, Nov 15, 2004

  2. Secure Multiparty Computation
     • System
       • n participants: P_1, P_2, ..., P_n
       • P_i has a secret value x_i
       • All participants agree on a multivariable function F
     • Goals
       • Guarantee correctness: all reliable players compute the same z = F(x_1, x_2, ..., x_n)
       • Preserve maximum privacy of x_i
         • For non-trivial F, z reveals some information about x_i
     • Theoretically solvable; efficient practical implementations?
     • Trusted third-party model
       • Ideal model
       • Efficiency? Fault tolerance?
     • Distributed computations

  3. Secure Multiparty Computation (General)
     • Circuit evaluation
       • Represent F as a boolean circuit composed of 2-input XOR and AND gates
       • Scan the circuit from input wires to output wires, processing a single gate in each step
       • Reduce to secure multiparty computation at gate level: 2 single-bit inputs, 1 single-bit output  private computation
     • Private computation
       • Break input bits into "random" shares distributed among the P_i
       • Each P_i performs local computation on its shares; the global outcome is as if computing on the input bits directly

  4. This Paper
     • Two stages
       • Commitment
         • Participants commit to their inputs
         • Identify improper commitments or uncooperative participants
       • Computation
         • Perform private computation locally
     • Building blocks
       • Commitment protocol
       • Verifiable secret sharing (VSS)

  5. The Model
     • To tolerate cheating by fewer than one-third of the participants (= d)
       • n participants: n = 3d + a (a = 1, 2, ...)
       • At least 2d + a participants are reliable (optimal assumption):
         • Do not leak secret information
         • Follow the protocol and send correct messages
     • Efficient broadcast channel
     • Authenticated, secret communication channels
       • Message confidentiality (and integrity)
       • Message origin authentication
       • Timely delivery of messages
     • No public key cryptography; rely on VSS instead
     • Does not depend on restricting computing power

  6. Security Properties
     • Unconditionally secure if the channels are unconditionally secure; otherwise, the protocols are as strong as the secrecy and authentication of the channels
     • Unconditional secrecy
       • In both stages, it is impossible for any d < n / 3 participants to gain information about any x_i
     • Built-in fault tolerance
       • In the computation stage, it is impossible for any d < n / 3 participants to prevent reliable participants from correctly evaluating z

  7. First Stage: Commitment

  8. Shamir’s Scheme for Secret Sharing
     • Components
       • A uniformly chosen function of degree d: f(x) = a_0 + a_1 x + a_2 x^2 + ... + a_d x^d
       • n shares: s_k = f(i_k) (1 ≤ k ≤ n and i_k is randomly chosen)
       • Secret value: f(0) = a_0
     • (d, n) threshold scheme
       • Interpolation of any subset of d + 1 (or more) points of {(i_1, s_1), (i_2, s_2), ..., (i_n, s_n)} uniquely determines f
       • With fewer than d + 1 points, f can be one of multiple equally likely functions
     • (+, +) homomorphism property
       • Informally, computations on input shares give the same output shares as if they were the result of computations on the inputs

  9. Blob: Commitment Protocol
     • P_A wants to commit to a secret bit v
     • Desired properties
       • Other participants cannot learn v without help from P_A
       • P_A cannot change its mind about v once it commits to v
     • Approach
       • Transform v into secret sharing form, a blob, using the (d, n) threshold scheme
       • The d unreliable participants are unable to recover v by themselves
       • P_A has to convince the others that the shares are consistent, which forces it to commit to a single value of v

  10. Blob: Commitment Protocol (cont.)
      • Commitment
        • P_A transforms v into n shares (i_k, s_k) and distributes each share to the corresponding participant
      • Proof
        • P_A opens a blob by broadcasting i_k
        • P_B determines f by interpolation and checks whether s_B = f(i_B), and then broadcasts whether it agrees or complains about P_A
        • Validity of the blob requires at least 2d + a participants not complaining
      • Problem: need to prevent P_A from cheating by distributing inconsistent shares to reliable participants
      • Solution: Cut-and-Choose

  11. Blob: Cut-and-Choose Procedure
      • Story
        • Bob is allowed to cut a cake into two pieces, but only Alice is allowed to choose which one. Greedy Bob thinks, “Should I cut equally?”
      • Idea
        • The prover offers a set of proofs
        • The verifier randomly chooses a subset of the proofs to verify
        • Unable to control the verifier’s choices, the prover has to take the risk of being caught cheating
        • Intuitively, a “rational” prover is more likely to behave well
        • If all the chosen proofs verify, the verifier concludes that the remaining proofs are valid with high probability

  12. Blob: Cut-and-Choose Procedure (cont.)
      • P_A (prover) distributes an original blob
      • P_A offers a set of blobs in multiple rounds; the other participants (verifiers) take turns to verify
      • In each round,
        • P_A distributes a new independently chosen blob
        • One participant chooses randomly, on a coin-flip, to ask P_A to open either or +; the (+, +) homomorphism property allows + to be verified without knowing
      • Stop when there are no complaints in m consecutive rounds or when more than d participants complain (i.e. stop in at most md rounds)

  13. Blob: Cut-and-Choose Procedure (cont.)
      • Pr{P_A is unable to predict a coin-flip}  (2d+a) / n > 2/3
      • If  is inconsistent, P_A can only make or + consistent but not both.
      • P_A is caught cheating within m consecutive rounds unless it can predict roughly 2m/3 coin-flips

  14. VSS and Fault Tolerant Blobs
      • Without P_A’s help, opening a blob may require searching exponentially many subsets of shares of size 2d + a for one yielding a consistent f
      • But P_A’s help is not always available, e.g. upon communication failures
      • Solution: sharing of the shares of a blob, or double blob
        • P_A creates an original (top-level) blob, and distributes shares to each participant P_B
        • P_B creates a sub-blob for its share, and distributes sub-shares
        • Use the cut-and-choose procedure to check commitment of the shares of the top-level blob
        • To open the top-level blob, all participants broadcast the shares of both the top-level blob and the sub-blobs

  15. Robust Double Blobs
      • Commit to input bits by distributing shares to all participants; also need commitment to shares for proving that a participant is following the protocol
      • Apply the double blob technique again: robust double blob
        • Top-level blob containing the bit committed to, and all sub-blobs contain valid shares of the top-level blob
      • Creation of robust double blob
        • P_A creates a set of double blobs {1, 2, ..., n} distributed to all participants; each k contains a share of
        • P_B creates sub-blobs for upon B receiving B
        • B is verified and opened to P_B, P_B commits to opened share using a single blob B

  16. 1 2 3 4  1 2 3 4 Robust Double Blobs: Example

  17. Second Stage: Computation

  18. Circuit Evaluation: XOR
      • Inputs:
        • 2 robust double blobs, representing bits v_1 and v_2
      • Computation:
        • Equivalent to addition modulo 2
        • Each P_i adds its shares for both top-level blobs and sub-blobs
      • Output:
        • By the (+, +) homomorphism property, the additions of shares produce a robust double blob representing v_1 XOR v_2

  19. Circuit Evaluation: AND
      • Inputs:
        • 2 robust double blobs, representing bits v_1 and v_2
      • Computation:
        • Equivalent to multiplication modulo 2
        • Problem: leads to computation with polynomials of degree > d
        • Each participant chooses a pair of robust double blobs containing a pair of randomly chosen polynomials (f, g) s.t. deg(f) < 2d, deg(g) < d, f(0) = g(0) = 0/1
        • Each P_i multiplies its shares for both top-level blobs and sub-blobs, commits to the product p using a sub-blob, and proves it by cut-and-choose
        • Open the double blob for f XOR p; replace p with g if f XOR p = 0, or with 1+g otherwise
      • Output:
        • A robust double blob (g or 1+g) representing v_1 AND v_2

  20. Backup Slides

  21. Homomorphism
      • (, ) homomorphism
        • H(ab) = H(a) H(b)
      • Shamir’s scheme has the (+, +) homomorphism property
        • a = Σ_k a_k L_k(0) (L_k(x): Lagrange coefficient polynomials)
        • b = Σ_k b_k L_k(0)
        • H(a_1+b_1, a_2+b_2, ..., a_n+b_n) = H(a) + H(b), where H(x_1, x_2, ..., x_n) = Σ_k x_k L_k(0)
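
The share arithmetic behind slides 8, 10, 18, 19 and 21, as an added example that is not code from the slides or the paper: Shamir sharing, the consistency check a verifier applies to an opened blob, local XOR via the (+, +) homomorphism, and the degree growth that local AND products cause. The field GF(2^8) and all function names are assumptions made for this sketch.

```python
import secrets

# Assumption: GF(2^8) with reduction polynomial 0x11B. The slides only need a
# field with more than n elements; characteristic 2 makes bit addition = XOR.
def gmul(a, b):
    r = 0
    while b:
        r ^= a * (b & 1)
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def ginv(a):                      # a^254 = a^-1 for nonzero a in GF(2^8)
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r

def share(secret, d, xs, coeffs=None):
    # s_k = f(i_k) for f of degree <= d with f(0) = secret; xs are the
    # distinct nonzero points i_k; coeffs fixes a_1..a_d for repeatable runs.
    poly = [secret] + (coeffs or [secrets.randbelow(256) for _ in range(d)])
    out = {}
    for x in xs:
        y = 0
        for c in reversed(poly):  # Horner evaluation
            y = gmul(y, x) ^ c
        out[x] = y
    return out

def interpolate(points, at=0):
    # Sum over k of s_k * L_k(at); subtraction in GF(2^8) is XOR.
    total = 0
    for xk, yk in points.items():
        num = den = 1
        for xj in points:
            if xj != xk:
                num, den = gmul(num, at ^ xj), gmul(den, xk ^ xj)
        total ^= gmul(yk, gmul(num, ginv(den)))
    return total

def consistent(shares, deg):
    # Blob check: every share lies on one polynomial of degree <= deg.
    xs = sorted(shares)
    base = {x: shares[x] for x in xs[:deg + 1]}
    return all(interpolate(base, x) == shares[x] for x in xs[deg + 1:])

def xor_gate(sa, sb):             # local addition of shares, no interaction
    return {x: sa[x] ^ sb[x] for x in sa}

def and_products(sa, sb):         # local products lie on a degree-2d polynomial
    return {x: gmul(sa[x], sb[x]) for x in sa}
```

With n = 3d + a shares there are at least 2d + 1 points, so the degree-2d product still interpolates to v_1 AND v_2, but it no longer passes the degree-d check; the slide-19 step with the (f, g) pair that restores degree d is not modelled here.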
