1 / 52

Secure Multiparty Computation

Secure Multiparty Computation. Li Xiong CS573 Data Privacy and Security. Outline. Secure multiparty computation Problem and security definitions Basic cryptographic tools and general constructions. Yao’s Millionnare Problem.

bairn
Download Presentation

Secure Multiparty Computation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Multiparty Computation Li Xiong CS573 Data Privacy and Security

  2. Outline • Secure multiparty computation • Problem and security definitions • Basic cryptographic tools and general constructions

  3. Yao’s Millionnare Problem • Two millionaires, Alice and Bob, who are interested in knowing which of them is richer without revealing their actual wealth. • This problem is analogous to a more general problem where there are two numbers a and b and the goal is to solve the inequality without revealing the actual values of a and b.

  4. Secure Multiparty Computation A set of parties with private inputs Parties wish to jointly compute a function of their inputs so that certain security properties (like privacy and correctness) are preserved Properties must be ensured even if some of the parties maliciously attack the protocol Examples Secure elections Auctions Privacy preserving data mining …

  5. Heuristic Approach to Security • Build a protocol • Try to break the protocol • Fix the break • Return to (2)

  6. Another Heuristic Tactic • Design a protocol • Provide a list of attacks that (provably) cannot be carried out on the protocol • Reason that the list is complete

  7. A Rigorous Approach • Provide an exact problem definition • Adversarial power • Network model • Meaning of security • Prove that the protocol is secure

  8. Secure Multiparty Computation • A set of parties with private inputs wish to compute some joint function of their inputs. • Parties wish to preserve some security properties. e.g., privacy and correctness. • Example: secure election protocol • Security must be preserved in the face of adversarial behavior by some of the participants, or by an external party.

  9. Defining Security The real/ideal model paradigm for defining security [GMW,GL,Be,MR,Ca]: Ideal model: parties send inputs to a trusted party, who computes the function for them Real model: parties run a real protocol with no trusted help A protocol is secure if any attack on a real protocol can be carried out in the ideal model

  10. The Real Model x y Protocol output Protocol output

  11. The Ideal Model x y y x f1(x,y) f2(x,y) f2(x,y) f1(x,y)

  12. The Security Definition: there exists an adversary S For every real adversary A  Protocol interaction Trusted party REAL IDEAL

  13. Properties of the Definition Privacy: The ideal-model adversary cannot learn more about the honest party’s input than what is revealed by the function output Thus, the same is true of the real-model adversary Correctness: In the ideal model, the function is always computed correctly Thus, the same is true in the real-model Others: For example, fairness, independence of inputs

  14. Adversary Model Computational power: polynomial-timeversus all-powerful Adversarial behaviour: Semi-honest: follows protocol instructions Malicious: arbitrary actions Corruption behaviour Static: set of corrupted parties fixed at onset Adaptive: can choose to corrupt parties at any time during computation Number of corruptions Honest majority versus unlimited corruptions

  15. Security proof tools • Real/ideal model: the real model can be simulated in the ideal model • Key idea – Show that whatever can be computed by a party participating in the protocol can be computed based on its input and output only •  polynomial time S such that {S(x,f(x,y))} ≡ {View(x,y)}

  16. Security proof tools • Composition theorem • if a protocol is secure in the hybrid model where the protocol uses a trusted party that computes the (sub) functionalities, and we replace the calls to the trusted party by calls to secure protocols, then the resulting protocol is secure • Prove that component protocols are secure, then prove that the combined protocol is secure

  17. Outline • Secure multiparty computation • Defining security • Basic cryptographic tools and general constructions

  18. Public-key encryption • Let (G,E,D) be a public-key encryption scheme • G is a key-generation algorithm (pk,sk)  G • Pk: public key • Sk: secret key • Terms • Plaintext: the original text, notated as m • Ciphertext: the encrypted text, notated as c • Encryption: c = Epk(m) • Decryption: m = Dsk(c) • Concept of one-way function: knowing c, pk, and the function Epk, it is still computationally intractable to find m. *Different implementations available, e.g. RSA

  19. Construction paradigms • Passively-secure computation for two-parties • Use oblivious transfer to securely select a value • Passively-secure computation with shares • Use secret sharing scheme such that data can be reconstructed from some shares • From passively-secure protocols to actively-secure protocols • Use zero-knowledge proofs to force parties to behave in a way consistent with the passively-secure protocol

  20. 1-out-of-2 Oblivious Transfer (OT) 1-out-of-2 Oblivious Transfer (OT) • Inputs • Sender has two messages m0 and m1 • Receiver has a single bit {0,1} • Outputs • Sender receives nothing • Receiver obtain m and learns nothing ofm1-

  21. Semi-Honest OT • Let (G,E,D) be a public-key encryption scheme • G is a key-generation algorithm (pk,sk)  G • Encryption: c = Epk(m) • Decryption: m = Dsk(c) • Assume that a public-key can be sampled without knowledge of its secret key: • Oblivious key generation: pk  OG • El-Gamal encryption has this property

  22. Semi-Honest OT Protocol for Oblivious Transfer • Receiver (with input ): • Receiver chooses one key-pair (pk,sk) and one public-key pk’ (oblivious of secret-key). • Receiver sets pk = pk, pk1- = pk’ • Note: receiver can decrypt for pk but not for pk1- • Receiver sends pk0,pk1 to sender • Sender (with input m0,m1): • Sends receiver c0=Epk0(m0), c1=Epk1(m1) • Receiver: • Decrypts c using sk and obtains m.

  23. Security Proof • Intuition: • Sender’s view consists only of two public keys pk0 and pk1. Therefore, it doesn’t learn anything about that value of . • The receiver only knows one secret-key and so can only learn one message • Note: this assumes semi-honest behavior. A malicious receiver can choose two keys together with their secret keys.

  24. Generalization • Can define 1-out-of-k oblivious transfer • Protocol remains the same: • Choose k-1 public keys for which the secret key is unknown • Choose 1 public-key and secret-key pair

  25. Secrete Sharing Scheme • Distributing a secret amongst n participants, each of whom is allocated a share of the secret • The secret can be reconstructed only when a sufficient number (t) of shares are combined together • (t, n)-threshold scheme • Secrete shares, random shares • individual shares are of no use on their own

  26. Trivial Secrete Sharing Scheme • Encode the secret as an integer s. • Give to each player i (except one) a random integer ri. Give to the last player the number (s − r1 − r2 − ... − rn − 1)

  27. Secrete sharing scheme • Shamir’s scheme • It takes t points to define a polynomial of degree t-1 • Create a t-1 degree polynomial with secret as the first coefficient and the remaining coefficients picked at random. Findn points on the curve and give one to each of the players. Tt At leasttpoints are required to fit the polynomial. • Blakey’s scheme • any n nonparallel n-dimensional hyperplanes intersect at a specific point • Secrete as the coordinate of the hyperplanes • Less space efficient

  28. General GMW Construction • For simplicity – consider two-party case • Let f be the function that the parties wish to compute • Represent f as an arithmetic circuit with addition and multiplication gates • Aim – compute gate-by-gate, revealing only random shares each time

  29. Random Shares Paradigm • Let a be some value: • Party 1 holds a random value a1 • Party 2 holds a+a1 • Note that without knowing a1, a+a1 is just a random value revealing nothing of a. • We say that the parties hold random shares of a. • The computation will be such that all intermediate values are random shares (and so they reveal nothing).

  30. AND AND AND OR OR Circuit Computation • Stage 1: each party randomly shares its input with the other party • Stage 2: compute gates of circuit as follows • Given random shares to the input wires, compute random shares of the output wires • Stage 3: combine shares of the output wires in order to obtain actual output NOT Alice’s inputs Bob’s inputs

  31. Addition Gates Input wires to gate have values a and b: Party 1 has shares a1 and b1 Party 2 has shares a2 and b2 Note: a1+a2=a and b1+b2=b To compute random shares of output c=a+b Party 1 locally computes c1=a1+b1 Party 2 locally computes c2=a2+b2 Note: c1+c2=a1+a2+b1+b2=a+b=c

  32. Multiplication Gates • Input wires to gate have values a and b: • Party 1 has shares a1 and b1 • Party 2 has shares a2 and b2 • Wish to compute c = ab = (a1+a2)(b1+b2) • Party 1 knows its concrete share values a1 and b1. • Party 2’s shares a2 and b2 are unknown to Party 1, but there are only 4 possibilities (00,01,10,11)

  33. Multiplication (cont) • Party 1 prepares a table as follows (Let rbe a random bit chosen by Party 1): • Row 1 contains the value ab+r when a2=0,b2=0 • Row 2 contains the value ab+r when a2=0,b2=1 • Row 3 contains the value ab+r when a2=1,b2=0 • Row 4 contains the value ab+r when a2=1,b2=1

  34. Concrete Example • Assume: a1=0, b1=1 • Assume: r=1

  35. The Gate Protocol • The parties run a 1-out-of-4 oblivious transfer protocol • Party 1 plays the sender: message i is row i of the table. • Party 2 plays the receiver: it inputs 1 if a2=0 and b2=0, 2 if a2=0 and b2=1, and so on… • Output: • Party 2 receives c2=c+r – this is its output • Party 1 outputs c1=r • Note: c1 and c2 are random shares of c, as required

  36. Security • Reduction to the oblivious transfer protocol • Assuming security of the OT protocol, parties only see random values until the end. Therefore, simulation is straightforward. • Note:correctness relies heavily on semi-honest behavior (otherwise can modify shares).

  37. Outline Secure multiparty computation Defining security Basic cryptographic tools and general constructions Coming up Applications in privacy preserving distributed data mining Random response protocols

  38. A real-world problem and some simple solutions • Bob comes to Ron (a manager), with a complaint about a sensitive matter, asking Ron to keep his identity confidential • A few months later, Moshe (another manager) tells Ron that someone has complained to him, also with a confidentiality request, about the same matter • Ron and Moshe would like to determine whether the same person has complained to each of them without giving information to each other about their identities Comparing information without leaking it. Fagin et al, 1996

  39. Solutions • Solution 1: Trusted third party • Solution 7: message for Moshe • Solution 8: Airline reservation • Solution 9: Password

  40. References • Secure Multiparty Computation for Privacy-Preserving Data Mining, Pinkas, 2009 • Chapter 7: General Cryptographic Protocols ( 7.1 Overview), The Foundations of Cryptography, Volume 2, OdedGoldreich http://www.wisdom.weizmann.ac.il/~Eoded/foc-vol2.html • Comparing information without leaking it. Fagin et al, 1996

  41. Slides credits • Tutorial on secure multi-party computation, Lindell www.cs.biu.ac.il/~lindell/research-statements/tutorial-secure-computation.ppt • Introduction to secure multi-party computation, Vitaly Shmatikov, UT Austin www.cs.utexas.edu/~shmat/courses/cs380s_fall08/16smc.ppt

  42. Malicious Adversaries • The above protocol is not secure against malicious adversaries: • A malicious adversary may learn more than it should. • A malicious adversary can cause the honest party to receive incorrect output. • We need to be able to extract a malicious adversary’s input and send it to the trusted party.

  43. Tool: Zero Knowledge • Problem setting: a prover wishes to prove a statement to the verifier so that: • Zero knowledge: the verifier will learn nothing beyond the fact that the statement is correct • Soundness: the prover will not be able to convince the verifier of a wrong statement • Zero-knowledge proven using simulation.

  44. Illustrative Example • Prover has two colored cards that he claims are of different color • The verifier is color blind and wants a proof that the colors are different. • Idea 1: use a machine to measure the light waves and color. But, then the verifier will learn what the colors are.

  45. Example (continued) • Protocol: • Verifier writes color1 and color2 on the back of the cards and shows the prover • Verifier holds out one card so that the prover only sees the front • The prover then says whether or not it is color1 or color2 • Soundness: if they are both the same color, the prover will fail with probability ½. By repeating many times, will obtain good soundness bound. • Zero knowledge: verifier can simulate by itself by holding out a card and just saying the color that it knows

  46. Zero Knowledge • Fundamental Theorem [GMR]:zero-knowledge proofs exist for all languages in NP • Observation: given commitment to input and random tape, and given incoming message series, correctness of next message in a protocol is an NP-statement. • Therefore, it can be proved in zero-knowledge.

  47. Protocol Compilation • Given any protocol, construct a new protocol as follows: • Both parties commit to inputs • Both parties generate uniform random tape • Parties send messages to each other, each message is proved “correct” with respect to the original protocol, with zero-knowledge proofs.

  48. Resulting Protocol • Theorem: if the initial protocol was secure against semi-honest adversaries, then the compiled protocol is secure against malicious adversaries. • Proof: • Show that even malicious adversaries are limited to semi-honest behavior. • Show that the additional messages from the compilation all reveal nothing.

  49. Summary • GMW paradigm: • First, construct a protocol for semi-honest adv. • Then, compile it so that it is secure also against malicious adversaries • There are many other ways to construct secure protocols – some of them significantly more efficient. • Efficient protocols against semi-honest adversaries are far easier to obtain than for malicious adversaries.

  50. Useful References • Oded Goldreich. Foundations of Cryptography Volume 1 – Basic Tools. Cambridge University Press. • Computational hardness, pseudorandomness, zero knowledge • Oded Goldreich. Foundations of Cryptography Volume 2 – Basic Applications. Cambridge University Press. • Chapter on secure computation • Papers: an endless list (I would rather not go on record here, but am very happy to personally refer people).

More Related