1 / 28

Secure Computation Lecture 17-18

Secure Computation Lecture 17-18. Arpita Patra. Recap. >> i.t (perfect) MPC in malicious Setting. >Three orthogonal problems- ( n,t )-sharing, reconstruction, multiplication protocol > Verifiable Secret Sharing (VSS) will take care first two problems. >> Verifiable Secret Sharing (VSS).

andrewf
Download Presentation

Secure Computation Lecture 17-18

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Computation Lecture 17-18 ArpitaPatra

  2. Recap >> i.t (perfect) MPC in malicious Setting >Three orthogonal problems- (n,t)-sharing, reconstruction, multiplication protocol > Verifiable Secret Sharing (VSS) will take care first two problems >> Verifiable Secret Sharing (VSS) > Definition (Secrecy, Correctness, Strong Commitment) > Properties of Bivariate polynomial > Six round construction based on bivariate poly with n > 3t > Four round construction with minor tweaks > Reconstruction from error correction of RS codes- will be discussed today

  3. i.t Multi-party Computation [BGW]   (n, t)- secret share each input  3 9 2 1 5 3 48 45 2. Find (n, t)-sharing of each intermediate value  Linear gates: Linearity of Shamir Sharing - Non-Interactive 144 Non-linear gate: Require degree-reduction Technique. Interactive 3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other

  4. Sharing Phase vn v1 v3 v2 Secret s Definition of VSS [CGMA85] • Extends Secret Sharing to the case of malicious corruption s is committed s is secure Secret s Dealer … Reconstruction Phase

  5. Definition of VSS [CGMA85] Continued.. • n parties P = {P1, …, Pn}, dealer D (e.g., D = P1) • t corrupted parties (possibly including D)  At Secrecy • If D is honest, then At has no information about secret s during the Sharing phase Correctness • If D is honest, then secret s will be correctly reconstructed during reconstruction phase Strong Commitment • Corrupted D commits a unique s* • - s* should be uniquely reconstructed

  6. Bivariate Polynomial and its properties F(x,y) of degree atmost (t,t) f1(x) = F(x,1) fi(x) = F(x,i) fn(x) = F(x,n) g1(y) = F(1,y) g2(y) = F(2,y) gi(y) = F(i,y) gn(y) = F(n,y) Claim1: t F(x,i)’s and t F(i,y)’s will leak NO info about F(0,0). Claim2: (t+1) F(x,i)’s or (t+1) F(i,y)’s completely determine F(x,y). Claim3: gi(j) = fj(i) = F(i,j)and gj(i) = fi(j) = F(j,i)

  7. Four Round VSS- D’s Distribution F(x,y) of degree atmost (t,t) s.t. s = F(0,0) Pn Pi P2 P1 f1(x) = F(x,1) fi(x) = F(x,i) fn(x) = F(x,n) g1(y) = F(1,y) P1 g2(y) = F(2,y) P2 Pi gi(y) = F(i,y) gn(y) = F(n,y) Pn

  8. Four Round VSS- Verification, Complaint & Resolution Pj Pi fj(x) = F(x,j) gj(y) = F(j,y) fi(x) = F(x,i) gi(y) = F(i,y) fi(j) = gj(i) = F(j,i) gi(j) = fj(i) = F(i,j) Every pair of honest parties’ polynomials are pairwise consistent

  9. Four Round VSS- Output share Note: D can choose the polynomial with which it wants to (n,t)-share its secret as f(x) and then choose F(x,y) such that F(x,0) = f(x) and then do VSS using F(x,y) f0(0) = F(0,0) = s F(x,0) f0(x) = g1(0) = f1(i) = F(1,0) gi(1) P1 = f2(i) P2 gi(2) g2(0) = F(2,0) Pi = fi(i) gi(0) gi(i) = F(i,0) = fn(i) gi(n) Pn gn(0) = F(n,0) Two level sharing- each Shamir share is also Shamir-shared

  10. Reconstruction Phase (Error Correction of Reed-Solomon Codes) P1 f(1) (n,t+1)-RS code (over field F, |F| > n): P2 Encoding: Given a message block of t+1 field elements, m0,m1,…mt, define f(x) = m0 + m0 x + ……+ mtxt C = (f(1),f(2),….,f(n)) f(2) Distance d of (n,t+1)-RS code is: n-t Pi f(i) Theorem: (n,t+1) RS code can correct x errors if d > 2x With n > =3t+1, d > 2t, so we can correct t errors f(n) Pn

  11. Berlekamp-Welch Error Correction Algorithm for RS Codes P1 f(1) r(x): Polynomial defined by the broadcasted points (degree at most 3t) f(x): Actual Polynomial (degree at most t). Goal is to find this poly P2 f(2) e(x): Error polynomial (x-e1)(x-e2)….(x-et) : e1 , e2, … et from {1,..,n} (degree t) Not claiming the LHS and RHS polynomials are same. They are same at x= 1,2…..n f(x)e(x) = r(x)e(x) at x = 1,2…..n Pi f(i) Let f(x)e(x) = q(x) (degree 2t) q(x) and e(x) are unknown q(x) = r(x)e(x) at x = 1,2…..n How to find e(x)?- Solving system of linear equations Find f(x) = Find e(x) 3t+1 Unknowns: Coefficients of q(x) and e(x) Pn f(n) 3t+1 Equations: solving system of linear equations reduces to (publicly known) matrix multiplication

  12. Distributed Error Correction of RS Codes P1 f(1) P2 f(2) f(1) f(2) f(i) f(n) Co-eff of e(x) Pi f(i) linear operations Pn f(n)

  13. i.t Multi-party Computation   (n, t)- secret share each input  3 9 2 1 5 3 48 45 2. Find (n, t)-sharing of each intermediate value  Linear gates: Linearity of Shamir Sharing - Non-Interactive 144 Non-linear gate: Require degree-reduction Technique. Interactive 3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other

  14. Secure Multiplication Gate Evaluation a b ab where P1 b1 a1 a1b1 =c1 P2 b2 a2 a2b2 =c2 Recombination Vector (r1, …,rn) b3 a3 P3 a3b3 =c3 Pn bn an anbn= cn f2(x) f1 (x) f(x) = f1 (x)f2 (x) of degree 2t

  15. Secure Multiplication Gate Evaluation a b ab P1 b1 Shamir-share a1 a1b1 =c1 P2 Shamir-share b2 a2 a2b2 =c2 c3 c2 cn r1c1 +..+rncn ab c1 b3 a3 P3 Shamir-share a3b3 =c3 Shamir-share Pn bn an anbn= cn f2(x) f1 (x) Recombination Vector (r1, …,rn) f(x) = f1 (x)f2 (x) of degree 2t

  16. Secure Multiplication Gate Evaluation a b ab P1 b1 VSS-share a1 a1b1 =c1 P2 VSS-share b2 a2 a2b2 =c2 c3 c2 cn r1c1 +..+rncn ab c1 b3 a3 P3 VSS-share a3b3 =c3 VSS-share Pn bn an anbn= cn f2(x) f1 (x) Recombination Vector (r1, …,rn) f(x) = f1 (x)f2 (x) of degree 2t

  17. Secure Multiplication Gate Evaluation a b ab P1 b1 VSS-share a1 a1b1 =c1 P2 VSS-share b2 a2 a2b2 =c2 c2 c’n c’3 c r1c1 +..+rnc’n c1 b3 a3 P3 VSS-share Force them to share CORRECT product-share a3b3 =c3 VSS-share Pn bn an anbn= cn f2(x) f1 (x) Recombination Vector (r1, …,rn) f(x) = f1 (x)f2 (x) of degree 2t

  18. Secure Multiplication Gate Evaluation A corrupted party will either gets discarded or share correct c-value P1 b1 a1 a1b1 =c1 P2 b2 a2 a2b2 =c2 cn c3 c2 c1 b3 a3 P3 a3b3 =c3 Pn bn an anbn= cn

  19. Secure Multiplication Gate Evaluation P1 VSS-share b1 a1 VSS-share P2 b2 a2 bn a1 an b1 a2 b2 a3 b3 b3 a3 VSS-share P3 VSS-share Pn bn an

  20. Secure Multiplication Gate Evaluation P1 Distributed Error Correction VSS-share b1 a1 > Get error locations >Ignore the corresponding parties > Remaining parties has shared their a and b share correctly VSS-share P2 b2 a2 b’n b’3 a’3 b2 a2 a’n a1 b1 Focus on one party b3 a3 VSS-share P3 VSS-share Pn bn an

  21. Secure Multiplication Gate Evaluation (abusing notation) b a How to reduce the degree and randomize the polynomial? P • C(x) = A(x)B(x) • 2t-degree • Non-random A(x) B(x) a1 b1 Choose t random polynomials D1(x),…,Dt(x) s.t. the following polynomial is random and at most degree-t poly with constant term c = ab D(x) = C(x) - xD1(x) -…. -xtDt(x) a2 c b2 C(x) = c+ c1 x + ……ctxt+ ct+1 xt+1 +……….+ c2t-1 x2t-1 + c2t x2t Dt(x) = rt,1 + rt,2x + ………+ rt,t-1 xt-1 + c2txt a3 b3 an bn

  22. Secure Multiplication Gate Evaluation b a How to reduce the degree and randomize the polynomial? P • C(x) = A(x)B(x) • 2t-degree • Non-random A(x) B(x) a1 b1 Choose t random polynomials D1(x),…,Dt(x) s.t. the following polynomial is random and at most degree-t poly with constant term c = ab D(x) = C(x) - xD1(x) -…. -xtDt(x) a2 c b2 C(x) = c+ c1 x + ……ctxt+ ct+1 xt+1 +……….+ c2t-1 x2t-1 + c2t x2t xtDt(x) = rt,1xt + rt,2xt+1 + ………+ rt,t-1 xt-1 + c2t x2t a3 b3 Dt-1(x) = rt-1,1 + rt-1,2 x + ……… + (c2t-1 – rt,t-1)xt an bn

  23. Secure Multiplication Gate Evaluation b a How to reduce the degree and randomize the polynomial? P • C(x) = A(x)B(x) • 2t-degree • Non-random A(x) B(x) a1 b1 Choose t random polynomials D1(x),…,Dt(x) s.t. the following polynomial is random and at most degree-t poly with constant term c = ab D(x) = C(x) - xD1(x) -…. -xtDt(x) a2 c b2 C(x) = c+ c1 x + ……ctxt+ ct+1 xt+1 +……….+ c2t-1 x2t-1 + c2t x2t xtDt(x) = rt,1xt + rt,2xt+1 + ………+ rt,t-1 xt-1 + c2t x2t a3 b3 xt-1 Dt-1(x)= rt-1,1xt-1 + rt-1,2xt + ……… + (c2t-1 – rt,t-1) xt-1 an bn

  24. Secure Multiplication Gate Evaluation D(x) = C(x) - xD1(x) -…. -xtDt(x) - Degree t - Random - Constant term is c D(x) is an ideal poly to be used for sharing c

  25. Secure Multiplication Gate Evaluation (using VSS; and setting F(x,0)) b a P D2(x) Dt(x) D(x) D1(x) C(x) D(x) ?= C(x) - xD1(x) -…. -xtDt(x) A(x) B(x) a1b1 d1 ?=a1b1 – 1. d11- ….- 1t dt1 dt1 d21 d11 d1 a1 b1 a2b2 dt2 d2?=a2b2– 2. d12- ….-2t dt2 d22 d12 d2 a2 b2 dt3 a3b3 d23 d13 d3 a3 b3 d3?=a3b3– 3. d13- ….-3t dt3 anbn dtn d2n dn?=anbn– n. d1n- ….- ntdtn d1n dn an bn If P is honest we are done, since D(x) is at most degree-t poly and random

  26. Secure Multiplication Gate Evaluation D(x) is degree t but may not share c. RHS may not be degree t but shares c b a P D2(x) Dt(x) D(x) D1(x) C(x) D(x) ?= C(x) - xD1(x) -…. -xtDt(x) A(x) B(x) a1b1 d1 ?=a1b1 – 1. d11- ….- 1t dt1 dt1 d21 d11 d1 a1 b1 a2b2 dt2 d2?=a2b2– 2. d12- ….-2t dt2 d22 d12 d2 a2 b2 dt3 a3b3 d23 d13 d3 a3 b3 d3?=a3b3– 3. d13- ….-3t dt3 P3 complains, check if complaint is correct, if so discard P, else ignore the complaint. anbn dtn d2n dn?=anbn– n. d1n- ….- ntdtn d1n dn an bn If all honest parties find the relation true, then D(x) shares c. But we do not know who is honest/corrupted

  27. Chalk & Talks CT4 [LR15]: Blazing Fast 2PC in the Offline/Online Setting with Security for Malicious Adversaries.  https://eprint.iacr.org/2015/987.pdf CT5 [AMPR15]: Non-Interactive Secure Computation Based on Cut-and-Choose.http://eprint.iacr.org/2015/282 CT6 [IOZ15]: Secure Multi-Party Computation with Identifiable Abort; http://eprint.iacr.org/2015/325 CT7 [LPSY15]: Efficient Constant Round Multi-party Computation Combining BMR and SPDZ.https://eprint.iacr.org/2015/523 CT8 [HR14]: Multi-Valued Byzantine Broadcast: the t < n Casehttp://eprint.iacr.org/2013/553

More Related