Secret Sharing and Information-Theoretic MPC
Divya Ravi, Workshop on Cryptography
Slides borrowed from Arpita Patra, Ashish Choudhury

Agenda
• Information-Theoretic MPC
• Adversarial setting:
  • Computationally unbounded
  • Semi-honest
  • n parties, honest majority: t < n/2
• Secret sharing: an important tool for MPC
• Shamir secret sharing
The Concept of Secret Sharing: (n, t) locked-box representation
• A secret s is locked in a box; each of the parties P1, P2, …, Pn holds one piece of the key

Secret Sharing: Properties, (n, t) locked-box representation
• Any t parties cannot open the box (example: t = 1, so no single party can open it on its own)
• Any (t + 1) parties can open the box (example: t = 1, so any two parties together can open it)
Unconditionally-secure Instantiation of the (n, t) Locked-box Representation
• Unconditionally-secure (n, t)-secret sharing
• Adi Shamir: How to Share a Secret. Commun. ACM 22(11): 612-613 (1979)
• Sharing phase: the dealer holding the secret s picks a curve (polynomial) of degree t whose value at x = 0 is s; the share Sh_i given to P_i is the evaluation of the curve at x = i, for i = 1, 2, …, n
• Reconstruction phase: any t + 1 parties recover the curve, and hence s, by Lagrange interpolation on their shares
• Fewer than t + 1 parties have no information about the secret
Lagrange's Interpolation: reconstructing a degree-t polynomial h(x), given (t + 1) points
• Theorem: h(x) can be written as a linear combination of the values h(i), where the combiners are public polynomials, one per interpolation point i, such that each
  • is a polynomial of degree t,
  • evaluates to 1 at i,
  • evaluates to 0 at every other interpolation point
• Evaluating these public polynomials at x = 0 gives public values, denoted r_i
• So the secret h(0) can be written as a linear combination of the h(i)s
• The combiners (r_1, …, r_{t+1}) form the recombination vector
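As an added worked example (not from the slides), the interpolation formula the slide describes, written out, together with the recombination vector for the n = 3, t = 1 setting with evaluation points 1, 2, 3 that the examples later on this page use:

$$h(x)=\sum_{i=1}^{t+1} h(i)\,\delta_i(x), \qquad \delta_i(x)=\prod_{\substack{j=1 \\ j\neq i}}^{t+1} \frac{x-j}{i-j},$$

so that $\deg \delta_i = t$, $\delta_i(i)=1$ and $\delta_i(j)=0$ for every other interpolation point $j$. The recombination vector is $r_i=\delta_i(0)=\prod_{j\neq i} \frac{j}{j-i}$ and the secret is $s=h(0)=\sum_{i=1}^{t+1} r_i\,h(i)$. For the points $1,2,3$:

$$r_1=\frac{2\cdot 3}{(2-1)(3-1)}=3, \qquad r_2=\frac{1\cdot 3}{(1-2)(3-2)}=-3, \qquad r_3=\frac{1\cdot 2}{(1-3)(2-3)}=1,$$

which holds in any prime field $\mathbb{F}_p$ with $p>3$ (so that $1,2,3$ are distinct and $2$ is invertible): $(3,-3,1)\equiv(3,2,1)$ in $\mathbb{F}_5$ and $(3,14,1)$ in $\mathbb{F}_{17}$. As a check, the shares $(1,9),(2,12),(3,15)$ of the addition example below give $3\cdot 9-3\cdot 12+1\cdot 15=6$, the constant term of $6+3x$.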
Shamir Secret-sharing: Security
• Share Sh_i is the evaluation of the degree-t curve at x = i, for i = 1, 2, …, n; the secret s is its value at x = 0
• A polynomial of degree t is uniquely determined by t + 1 distinct values of the polynomial
• Given only t distinct values, a polynomial of degree t is not uniquely determined
• Fix any candidate secret s' as the missing value at x = 0: together with the t available shares it determines exactly one polynomial of degree t, so every candidate is consistent with the t shares
• Hence, to t parties, all possible secrets from the field are equi-probable

Shamir Secret-sharing: Security Demonstration (n = 3, t = 1)
[Figure: the straight line through (0, s) with shares sh1, sh2, sh3 at x = 1, 2, 3]
• Any set of 2 shares determines the original straight line, and hence the secret
• Only 1 share is consistent with all possible straight lines over the field, i.e. with every candidate secret s', s'', …
Secret Sharing: Applications
• Distributed key storage
  • Store an encryption key on different servers using secret sharing
  • Even if one or several servers are compromised, the key remains secret: it can only be recovered when a threshold number of shares are combined
• Reliable data storage
  • Withstands the loss of up to a threshold number of servers
  • The data can still be regenerated from the shares held by the remaining servers
• Building block of MPC
Secure Circuit Evaluation
• Most MPC protocols assume that the function f to be securely computed is expressed as an arithmetic circuit over some finite field F
• The circuit consists of:
  • Input gates: for the inputs x1, x2, x3, x4 of the parties
  • Output gates: for the function output y
  • Linear gates: addition gates, addition by public constants, multiplication by public constants (the figure uses the public constant 3)
  • Non-linear (multiplication) gates
Secure Circuit Evaluation
1. Each party acts as a dealer and (n, t)-secret shares its input
2. The parties jointly compute an (n, t)-sharing of each intermediate value
3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other
• Worked values from the figure: inputs (x1, x2, x3, x4) = (1, 5, 9, 2) and public constant 3 give the gate values x2 · x3 = 45, 45 + 3 = 48, x1 + x4 = 3 and y = 48 · 3 = 144; reading the gate values this way, the circuit is y = (x2 · x3 + 3) · (x1 + x4)
• Every intermediate value (45, 48, 3) stays secret-shared; only the output 144 is reconstructed in step 3
• Privacy follows (intuitively) because:
  1. No inputs of the honest parties are leaked
  2. No intermediate value is leaked
• Goal: obtain an (n, t)-sharing of a sum / product from (n, t)-sharings of the inputs
Addition Gates
• Let us consider n = 3, t = 1
• a is shared via Fa(x) with Fa(0) = a and shares a1, a2, a3 = Fa(1), Fa(2), Fa(3); b is shared via Fb(x) with Fb(0) = b and shares b1, b2, b3
• Each party Pi locally computes ci = ai + bi = Fa(i) + Fb(i); the values c1, c2, c3 lie on the degree-t polynomial Fa(x) + Fb(x), whose value at 0 is Fa(0) + Fb(0) = a + b
• We say that the parties compute [a]t + [b]t = [a + b]t to mean that every party locally adds its shares of a and b to compute its share of a + b
• Addition of secret-shared values is absolutely free (non-interactive)
Linearity of (n, t) Shamir Secret Sharing: Example
• Let us consider n = 3, t = 1
• Let c ∈ F be a public constant
• Each party Pi locally computes di = c · ai = c · Fa(i); the values d1, d2, d3 lie on the degree-t polynomial c · Fa(x), whose value at 0 is c · a
• We say that the parties compute c · [a]t = [c · a]t to mean that every party locally multiplies its share of a by c to compute its share of c · a
• Multiplication of a secret-shared value by a public constant is absolutely free (non-interactive)

Linearity of (n, t) Shamir Secret Sharing: Summary
• Shamir secret sharing allows the parties to non-interactively perform linear operations on secret-shared values
• Given [a]t, [b]t and publicly known constants c1, c2, the parties can locally compute c1 · [a]t + c2 · [b]t = [c1 · a + c2 · b]t
• In general, let g be a linear function mapping inputs (x(1), …) to outputs (y(1), …, y(m)); given sharings [x(1)]t, …, the parties can locally compute ([y(1)]t, …, [y(m)]t) = g([x(1)]t, …)
• From the adversary's point of view, any linear function of random input sharings is random as well
  • Ex: [a]t + [b]t = [a + b]t: if [a]t and [b]t look random to the adversary, then so does [a + b]t
  • Even if a + b is publicly reconstructed, a and b remain as private as possible: the adversary learns nothing beyond a + b
Linearity of (n, t) Shamir Secret Sharing: Example
• Let us consider n = 3, t = 1, parties {P1, P2, P3} with P1 corrupted, the field F_17, and evaluation points x = 1, 2, 3 for P1, P2, P3
• P1 has no input; P2 and P3 have inputs a, b and y = f(a, b) = a + b
• Let a = 2, shared through fa(x) = 2 + 2x, and b = 4, shared through fb(x) = 4 + x
• To compute c = a + b, the following computation and communication is done (the starred values are the ones seen by the adversary):

  party   share of a   share of b   share of c = a + b
  P1      *4*          *5*          *9*
  P2      6            6            *12*
  P3      8            7            *15*

• P1 sees its own shares a1 = 4 and b1 = 5 and, in the output stage, all three shares of c
• By interpolating (1, 9), (2, 12) and (3, 15), the adversary obtains fc(x) = 6 + 3x, i.e. c = 6
• From its view, can the adversary infer any additional information about a and b?
• Is the adversary's view equally consistent with (a = 0, b = 6), (a = 1, b = 5), (a = 3, b = 3), (a = 4, b = 2), (a = 5, b = 1) and (a = 6, b = 0)?
• If so, then the adversary learns nothing additional about a and b, even though c and its shares are made public

Linearity of (n, t) Shamir Secret Sharing: Example (continued)
• Suppose the adversary makes the hypothesis a = 1 and b = 5. Is it consistent with the view above?
  • If a is fixed as 1, this fixes the candidate a-sharing polynomial f'a(x) = 3x + 1: it has degree 1 and passes through (0, 1) and (1, 4); the remaining shares of a (consistent with f'a) are then fixed as f'a(2) = 7 and f'a(3) = 10
  • If b is fixed as 5, this fixes the candidate b-sharing polynomial f'b(x) = 0x + 5: it has degree 1 and passes through (0, 5) and (1, 5); the remaining shares of b are fixed as f'b(2) = 5 and f'b(3) = 5
  • The candidate shares of c are then 4 + 5 = 9, 7 + 5 = 12 and 10 + 5 = 15, exactly the values the adversary saw
• The hypothesis a = 1 and b = 5 is consistent with the view of the adversary
• The view of the adversary is consistent with the other candidate values of a and b as well: for a hypothesised a', the line through (0, a') and (1, 4) is f'a(x) = a' + (4 − a')x, and for b' = 6 − a' the line through (0, b') and (1, 5) is f'b(x) = (6 − a') + (a' − 1)x; their sum is always 6 + 3x. So the view is consistent with all 17 pairs (a', 6 − a') in F_17, not only the six listed above
Multiplication Gate
• a is shared via Fa(x) and b via Fb(x); each party Pi locally computes di = ai · bi = Fa(i) · Fb(i)
• The values d1, d2, d3 lie on Fa(x) · Fb(x), whose value at 0 is ab, but this is not a valid (n, t)-sharing:
  • The degree of the sharing becomes 2t instead of t, so t + 1 shares no longer determine it (which is why n = 2t + 1 parties are needed)
  • a · b is now shared by a non-random polynomial (the product of two random polynomials), so it cannot be used as a fresh sharing

Securely Multiplying Two Shamir-shared Values (n = 2t + 1; figure: P1, P2, P3 with t = 1)
• a: shared via polynomial A(x); b: shared via polynomial B(x)
• Let C(x) = A(x) · B(x), of degree 2t; then C(0) = A(0) · B(0) = ab and C(i) = A(i) · B(i) = di
• C(0) is a linear function of d1, …, d2t+1: C(0) = ab = r1 d1 + … + r2t+1 d2t+1, where r1, …, r2t+1 are the publicly known Lagrange coefficients (recombination vector) for the points 1, …, 2t + 1
• Each Pi computes di = ai bi and, acting as a dealer, t-shares di with a fresh random polynomial, sending sub-share dij to Pj
• Each Pj then locally computes its share cj = r1 d1j + … + r2t+1 d(2t+1)j
• So [ab]t = r1 [d1]t + … + r2t+1 [d2t+1]t: a degree-t sharing of ab on a random polynomial, obtained with one round of interaction
The Multiplication Sub-protocol: Example
• Let n = 3, t = 1, parties {P1, P2, P3} with P1 corrupted, the field F_5, and evaluation points x = 1, 2, 3 for P1, P2, P3
• P1 has no input; P2 and P3 have inputs a, b and y = f(a, b) = a · b
• Let a = 2, shared through fa(x) = 2 + x, and b = 2, shared through fb(x) = 2 + 2x (all arithmetic mod 5)
• To compute c = a · b, the following computation and communication is done (the starred values are the ones seen by the adversary):

  party   share of a   share of b   di = ai · bi   re-sharing polynomial of di   sub-shares sent to P1, P2, P3
  P1      *3*          *4*          *2*            *2 + x*                       *3*, *4*, *0*
  P2      4            1            4              4                             *4*, 4, 4
  P3      0            3            0              4x                            *4*, 3, 2

• Recombination vector (r1, r2, r3) for the points 1, 2, 3 at x = 0 over F_5: r1 = 3, r2 = 2, r3 = 1
• Each Pj computes cj = 3 · d1j + 2 · d2j + 1 · d3j: c1 = 3·3 + 2·4 + 4 = 1, c2 = 3·4 + 2·4 + 3 = 3, c3 = 3·0 + 2·4 + 2 = 0
• Output stage: interpolating (1, 1) and (2, 3) gives the curve 2x + 4, so c = 4 = a · b (the third share (3, 0) also lies on it)
• Does the adversary learn anything about a, b beyond a · b = 4?

The Multiplication Sub-protocol: Example (continued)
• Adversary's view in the protocol: a1 = 3, b1 = 4, its own d1 = 2 and re-sharing 2 + x, the sub-shares 4 and 4 received from P2 and P3, the public (r1, r2, r3) = (3, 2, 1), and in the output stage c1 = 1, c2 = 3, c3 = 0
• Will the adversary's view be consistent with a = 1 and b = 4?
  • a = 1 fixes f'a(x) = 2x + 1 (the line through (0, 1) and (1, 3)): shares 3, 0, 2
  • b = 4 fixes f'b(x) = 4 (the line through (0, 4) and (1, 4)): shares 4, 4, 4
  • Then P2's product is d2' = 0 · 4 = 0, re-shared via f'c2(x) = 4x, the line through (0, 0) and (1, 4) since P1 received 4: sub-shares 4, 3, 2
  • And P3's product is d3' = 2 · 4 = 3, re-shared via f'c3(x) = x + 3, the line through (0, 3) and (1, 4): sub-shares 4, 0, 1
  • Candidate output shares: c1' = 3·3 + 2·4 + 4 = 1, c2' = 3·4 + 2·3 + 0 = 3, c3' = 3·0 + 2·2 + 1 = 0, exactly what the adversary saw
• The adversary's view is consistent with a = 1 and b = 4
• In fact the adversary's view is consistent with every pair (a, b) in F_5 × F_5 with a · b = 4, i.e. (1, 4), (2, 2), (3, 3) and (4, 1)
BGW Unconditionally-secure MPC Protocol in the Semi-honest Setting (n = 2t + 1)
• Input stage: each Pi acts as a dealer and Shamir-shares its input xi with threshold t
• Computation stage, gate invariant: given Shamir-sharings of the gate inputs, compute a Shamir-sharing of the gate output
  • Linear gates (e.g. x1 + x2): maintaining the invariant is free (local computation)
  • Multiplication gates: re-sharing based interactive multiplication protocol
• Output stage: reconstruct the output value y by exchanging the shares of the function output
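The following Python is an added example, not code from the slides or from Patra and Choudhury. It implements the building blocks of the deck over a prime field (Shamir sharing, Lagrange reconstruction, local addition, and the re-sharing multiplication sub-protocol) and replays the two worked examples above: the F_17 addition example and the F_5 multiplication example, including the "is the adversary's view consistent with (a', b')?" argument from the multiplication slides. The function names, the representation of shares as lists indexed by party, and the fixed coefficients used to reproduce the slide values are my own choices; fresh sharings draw their coefficients from the `secrets` module.

```python
# Added example (not from the slides): semi-honest BGW building blocks over F_p.
# Shares are lists indexed by party: the share of P_i is f(i), stored at index i-1.
import secrets


def eval_poly(coeffs, x, p):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... over F_p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def lagrange_coeffs(xs, p, at=0):
    """Recombination vector r_i with f(at) = sum_i r_i * f(xs[i]) for deg f < len(xs)."""
    r = []
    for i in xs:
        num = den = 1
        for j in xs:
            if j != i:
                num = num * (at - j) % p
                den = den * (i - j) % p
        r.append(num * pow(den, -1, p) % p)  # pow(den, -1, p) is the modular inverse
    return r


def reconstruct(points, p):
    """Lagrange-interpolate f(0) from a dict {x: f(x)} holding at least t+1 points."""
    xs = list(points)
    return sum(r * points[x] for r, x in zip(lagrange_coeffs(xs, p), xs)) % p


def share(secret, n, t, p, coeffs=None):
    """(n, t)-Shamir sharing: f(0) = secret, degree t, share of P_i is f(i).
    coeffs pins the otherwise-random coefficients (used only to replay slide values)."""
    if coeffs is None:
        coeffs = [secrets.randbelow(p) for _ in range(t)]  # CSPRNG, never random.random
    poly = [secret % p] + list(coeffs)
    return [eval_poly(poly, i, p) for i in range(1, n + 1)]


def add(a_sh, b_sh, p):
    """Linear gate, purely local: [a]_t + [b]_t = [a + b]_t."""
    return [(x + y) % p for x, y in zip(a_sh, b_sh)]


def mul(a_sh, b_sh, t, p, reshare_coeffs=None):
    """Re-sharing multiplication for n = 2t + 1: P_i t-shares d_i = a_i * b_i, then
    every P_j combines the sub-shares it received with the public recombination
    vector. Returns each party's share of ab on a fresh degree-t polynomial."""
    n = len(a_sh)
    assert n == 2 * t + 1, "need an honest majority with n = 2t + 1"
    r = lagrange_coeffs(list(range(1, n + 1)), p)
    c_sh = [0] * n
    for i in range(n):
        d_i = a_sh[i] * b_sh[i] % p
        sub = share(d_i, n, t, p, None if reshare_coeffs is None else reshare_coeffs[i])
        for j in range(n):  # sub[j] is the sub-share P_i sends to P_j
            c_sh[j] = (c_sh[j] + r[i] * sub[j]) % p
    return c_sh


def slide_addition_example():
    """F_17, n = 3, t = 1: a = 2 via 2 + 2x, b = 4 via 4 + x (values from the deck)."""
    p = 17
    a_sh, b_sh = share(2, 3, 1, p, coeffs=[2]), share(4, 3, 1, p, coeffs=[1])
    c_sh = add(a_sh, b_sh, p)
    return a_sh, b_sh, c_sh, reconstruct({1: c_sh[0], 2: c_sh[1], 3: c_sh[2]}, p)


RESHARE = [[1], [0], [4]]  # deck's re-sharing polynomials 2 + x, 4, 4x (x coefficients)


def slide_multiplication_example():
    """F_5, n = 3, t = 1: a = 2 via 2 + x, b = 2 via 2 + 2x (values from the deck)."""
    p = 5
    a_sh, b_sh = share(2, 3, 1, p, coeffs=[1]), share(2, 3, 1, p, coeffs=[2])
    c_sh = mul(a_sh, b_sh, 1, p, reshare_coeffs=RESHARE)
    return a_sh, b_sh, c_sh, reconstruct({1: c_sh[0], 2: c_sh[1]}, p)


def view_consistent(a_hyp, b_hyp, p=5):
    """The deck's consistency argument, mechanised. Corrupted P1 (t = 1) knows a1, b1,
    its own re-sharing, the sub-shares it received from P2 and P3, and the output
    shares. A hypothesis (a', b') forces the lines through (0, a'), (1, a1) and
    (0, b'), (1, b1), hence P2's and P3's products and re-sharing polynomials;
    return whether those reproduce the output shares P1 actually saw."""
    a_sh, b_sh, c_sh, _ = slide_multiplication_example()
    r = lagrange_coeffs([1, 2, 3], p)
    real = {i: [a_sh[i - 1] * b_sh[i - 1] % p] + RESHARE[i - 1] for i in (1, 2, 3)}
    fa = [a_hyp % p, (a_sh[0] - a_hyp) % p]
    fb = [b_hyp % p, (b_sh[0] - b_hyp) % p]
    guess = {1: real[1]}  # P1's own re-sharing is part of its view
    for i in (2, 3):
        d_i = eval_poly(fa, i, p) * eval_poly(fb, i, p) % p
        guess[i] = [d_i, (eval_poly(real[i], 1, p) - d_i) % p]  # through (1, received)
    c_guess = [sum(r[i - 1] * eval_poly(guess[i], j, p) for i in (1, 2, 3)) % p
               for j in (1, 2, 3)]
    return c_guess == c_sh
```

`view_consistent` returns True for every (a', b') with a' · b' = 4 and False otherwise, which is exactly the deck's claim: the final sharing of c is the degree-1 line through (0, a'b') and (1, c1), so the output shares pin down the product and nothing else. `mul` with `reshare_coeffs=None` is the real protocol with random re-sharing polynomials; the pinned coefficients exist only to match the slide tables.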