Multiparty Unconditionally Secure Protocols
D. Chaum, C. Crepeau, and I. Damgaard
presented by Chi Bun Chan, Nov 15, 2004
Secure Multiparty Computation
• System
  • n participants: P1, P2, ..., Pn
  • Pi has a secret value xi
  • All participants agree on a multivariable function F
• Goals
  • Guarantee correctness: all reliable players compute the same z = F(x1, x2, ..., xn)
  • Preserve maximum privacy of the xi
    • For non-trivial F, z necessarily reveals some information about the xi
• Theoretically solvable, but are there efficient practical implementations?
  • Trusted third-party model
    • Ideal model
    • Efficiency? Fault tolerance?
  • Distributed computations
Secure Multiparty Computation (General)
• Circuit evaluation
  • Represent F as a boolean circuit composed of 2-input XOR and AND gates
  • Scan the circuit from the input wires to the output wires, processing a single gate in each step
  • Reduce to secure multiparty computation at the gate level: a private computation with 2 single-bit inputs and 1 single-bit output
• Private computation
  • Break the input bits into "random" shares distributed among the Pi
  • Each Pi performs local computation on its shares; the global outcome is as if the input bits had been computed on directly
This Paper
• Two stages
  • Commitment
    • Participants commit to their inputs
    • Identify improper commitments or uncooperative participants
  • Computation
    • Perform the private computation locally
• Building blocks
  • Commitment protocol
  • Verifiable secret sharing (VSS)
The Model
• Tolerates up to d cheating participants, where d is less than one third of n
  • n participants: n = 3d + a (a = 1, 2, ...)
  • At least 2d + a participants are reliable (the optimal assumption):
    • Do not leak secret information
    • Follow the protocol and send correct messages
• Efficient broadcast channel
• Authenticated secrecy communication channels
  • Message confidentiality (and integrity)
  • Message origin authentication
  • Timely delivery of messages
• No public key cryptography; rely on VSS instead
  • Does not depend on restricting computing power
Security Properties
• Unconditionally secure if the channels are unconditionally secure; otherwise, the protocols are as strong as the secrecy and authentication of the channels
• Unconditional secrecy
  • In both stages, it is impossible for any d < n/3 participants to gain information about any xi
• Built-in fault tolerance
  • In the computation stage, it is impossible for any d < n/3 participants to prevent the reliable participants from correctly evaluating z
Shamir's Scheme for Secret Sharing
• Components
  • A uniformly chosen polynomial of degree d: $f(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_d x^d$
  • n shares: $s_k = f(i_k)$ ($1 \le k \le n$, and $i_k$ is randomly chosen)
  • Secret value: $f(0) = a_0$
• (d, n) threshold scheme
  • Interpolation of any subset of d + 1 (or more) points of $\{(i_1, s_1), (i_2, s_2), \dots, (i_n, s_n)\}$ uniquely determines f
  • With fewer than d + 1 points, f can be any one of multiple equally likely polynomials
• (+, +) homomorphism property
  • Informally, computing on the input shares gives the same output shares as sharing the result of computing on the inputs
Blob: Commitment Protocol
• PA wants to commit to a secret bit v
• Desired properties
  • Other participants cannot learn v without help from PA
  • PA cannot change its mind about v once it has committed to v
• Approach
  • Transform v into secret-sharing form (a blob) using the (d, n) threshold scheme
  • The d unreliable participants on their own are unable to recover v
  • PA has to convince the others that the shares are consistent, which forces it to commit to a single value of v
Blob: Commitment Protocol (cont.)
• Commitment
  • PA transforms v into n shares (ik, sk) and distributes each share to the corresponding participant
• Proof
  • PA opens a blob by broadcasting ik
  • PB determines f by interpolation and checks whether sB = f(iB), then broadcasts whether it agrees or complains about PA
  • Validity of the blob requires at least 2d + a participants not complaining
• Problem: need to prevent PA from cheating by distributing inconsistent shares to reliable participants
• Solution: cut-and-choose
Blob: Cut-and-Choose Procedure
• Story
  • Bob is allowed to cut a cake into two pieces, but only Alice is allowed to choose which one. Greedy Bob thinks, "Should I cut equally?"
• Idea
  • The prover offers a set of proofs
  • The verifier randomly chooses a subset of the proofs to verify
  • Because the prover cannot control the verifier's choices, it runs the risk of being caught cheating
  • Intuitively, a "rational" prover is therefore more likely to behave well
  • If all the chosen proofs verify, the verifier concludes that the remaining proofs are valid with high probability
Blob: Cut-and-Choose Procedure (cont.)
• PA (prover) distributes an original blob
• PA offers a set of blobs over multiple rounds; the other participants (verifiers) take turns verifying
• In each round,
  • PA distributes a new, independently chosen blob
  • One participant chooses randomly, by a coin-flip, to ask PA to open either the new blob or the sum of the new blob and the original; the (+, +) homomorphism property allows the sum to be verified without learning the original blob
• Stop when there have been no complaints in m consecutive rounds, or when more than d participants complain (i.e., stop after at most m·d rounds)
Blob: Cut-and-Choose Procedure (cont.)
• Pr{PA is unable to predict a coin-flip} $\ge (2d + a)/n > 2/3$
• If the original blob is inconsistent, PA can make either the new blob or the sum consistent, but not both
• PA is caught cheating within m consecutive rounds unless it can predict roughly 2m/3 coin-flips
VSS and Fault Tolerant Blobs
• Without PA's help, opening a blob may require searching exponentially many subsets of shares of size 2d + a for one that yields a consistent f
• But PA's help is not always available, e.g. upon communication failures
• Solution: sharing of the shares of a blob, or double blob
  • PA creates an original (top-level) blob and distributes shares to each participant PB
  • PB creates a sub-blob for its share and distributes sub-shares
  • Use the cut-and-choose procedure to check the commitment of the shares of the top-level blob
  • To open the top-level blob, all participants broadcast shares of both the top-level blob and the sub-blobs
Robust Double Blobs
• Commit to input bits by distributing shares to all participants; also need commitment to the shares for proving that a participant follows the protocol
• Apply the double blob technique again: robust double blob
  • The top-level blob contains the bit committed to, and all sub-blobs contain valid shares of the top-level blob
• Creation of a robust double blob
  • PA creates a set of n double blobs and distributes them to all participants; the k-th double blob contains a share of the committed bit
  • PB creates sub-blobs for its share upon receiving its double blob
  • The double blob is verified and opened to PB; PB commits to the opened share using a single blob
Robust Double Blobs: Example [figure; the slide showed share labels 1, 2, 3, 4 at two levels, not recoverable as text]
Circuit Evaluation: XOR
• Inputs:
  • 2 robust double blobs, representing bits v1 and v2
• Computation:
  • Equivalent to addition modulo 2
  • Each Pi adds its shares for both the top-level blobs and the sub-blobs
• Output:
  • By the (+, +) homomorphism property, the additions of shares produce a robust double blob representing v1 XOR v2
Circuit Evaluation: AND
• Inputs:
  • 2 robust double blobs, representing bits v1 and v2
• Computation:
  • Equivalent to multiplication modulo 2
  • Problem: multiplying shares leads to computation with polynomials of degree > d
  • Each participant chooses a pair of robust double blobs containing a pair of randomly chosen polynomials (f, g) s.t. deg(f) < 2d, deg(g) < d, f(0) = g(0) = 0/1
  • Each Pi multiplies its shares for both the top-level blobs and the sub-blobs, commits to the product p using a sub-blob, and proves it by cut-and-choose
  • Open the double blob for f XOR p; replace p with g if f XOR p = 0, or with 1 + g otherwise
• Output:
  • A robust double blob (g or 1 + g) representing v1 AND v2
Homomorphism
• $(\circ, \ast)$ homomorphism: $H(a \circ b) = H(a) \ast H(b)$
• Shamir's scheme has the (+, +) homomorphism property
  • $a = \sum_k a_k L_k(0)$ ($L_k(x)$: Lagrange coefficient polynomials)
  • $b = \sum_k b_k L_k(0)$
  • $H(a_1 + b_1, a_2 + b_2, \dots, a_n + b_n) = H(a) + H(b)$, where $H(x_1, x_2, \dots, x_n) = \sum_k x_k L_k(0)$
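The following Python model is an added illustration, not code from the paper or from the talk. It ties together the Shamir sharing slide, the blob opening and complaint rule, the cut-and-choose round, the XOR gate and the Lagrange form of H above. Everything below is this example's own assumption: the field is GF(2^8) with the AES reduction polynomial (characteristic 2, so that adding shares is a bitwise XOR and the XOR gate is literally share addition); participant k always receives the share at x = k + 1, whereas the slides use random points i_k; opening means the prover broadcasts its claimed shares and each participant interpolates from the first d + 1 of them and compares its own share; the d colluding participants never complain; and a cheating prover is "caught" in a round when more than d participants complain. The parameters n = 5, d = 1, a = 2 and the function names are likewise the example's, not the paper's.

```python
# Added example, not code from the paper or the talk: Shamir sharing over
# GF(2^8), blob opening with complaint counting, the (+, +) homomorphism behind
# the XOR gate, and a cut-and-choose run against an inconsistent original blob.
import random

# GF(2^8), AES reduction polynomial (assumed field); field addition is XOR here.
def gf_mul(a, b):
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):                         # a^(2^8 - 2) == a^-1 for a != 0
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def lagrange(points, x):
    """Value at x of the polynomial of degree < len(points) through `points`.
    lagrange(points, 0) = sum_k s_k L_k(0), the H of the homomorphism slide."""
    total = 0
    for k, (xk, sk) in enumerate(points):
        lk = 1
        for j, (xj, _) in enumerate(points):
            if j != k:                 # x - x_j is x ^ x_j in characteristic 2
                lk = gf_mul(lk, gf_mul(x ^ xj, gf_inv(xk ^ xj)))
        total ^= gf_mul(sk, lk)
    return total

def share(secret, d, n, rng):
    """(d, n) threshold: random degree-d f with f(0) = secret. Assumption:
    participant k (0-based) always gets f(k + 1), so blobs add position-wise."""
    coeffs = [secret] + [rng.randrange(256) for _ in range(d)]
    def f(x):
        v = 0
        for c in reversed(coeffs):     # Horner evaluation
            v = gf_mul(v, x) ^ c
        return v
    return [f(k + 1) for k in range(n)]

def reconstruct(blob, holders):
    """f(0) from the shares of the participants in `holders` (d + 1 suffice)."""
    return lagrange([(k + 1, blob[k]) for k in holders], 0)

def add_blobs(a, b):
    """(+, +) homomorphism: shares of a plus shares of b are shares of a + b."""
    return [x ^ y for x, y in zip(a, b)]

def open_blob(claimed, held, d, silent=()):
    """Prover broadcasts `claimed`; each participant interpolates f from the
    first d + 1 broadcast points and complains if its held share is not f(x_k).
    `silent` participants (assumed colluders) never complain. Returns
    (value, complaints); valid iff complaints <= d, i.e. >= 2d + a agree."""
    pts = [(k + 1, claimed[k]) for k in range(d + 1)]
    complaints = sum(1 for k, s in enumerate(held)
                     if k not in silent and lagrange(pts, k + 1) != s)
    return lagrange(pts, 0), complaints

def cut_and_choose(n, d, m, rng, cheat=True, silent=(0,)):
    """If `cheat`, reliable participants 1..d+1 hold shares of the original blob
    B that are off by nonzero deltas, so B cannot be opened with <= d complaints.
    Per round a random participant's coin asks for B' alone or for B + B'; a
    colluding chooser leaks the coin. Returns the round the prover is caught in,
    or None after m clean rounds."""
    honest = share(rng.randrange(256), d, n, rng)
    delta = {k: rng.randrange(1, 256) for k in range(1, d + 2)} if cheat else {}
    b = [s ^ delta.get(k, 0) for k, s in enumerate(honest)]
    for rnd in range(1, m + 1):
        fresh = share(rng.randrange(256), d, n, rng)           # consistent B'
        chooser, coin = rng.randrange(n), rng.randrange(2)     # coin 0: B', 1: B + B'
        guess = coin if chooser in silent else rng.randrange(2)
        # The cheater can make B' consistent (guess 0) or B + B' consistent
        # (guess 1, by re-applying the deltas), never both.
        held = [s ^ delta.get(k, 0) for k, s in enumerate(fresh)] if guess else fresh
        if coin:
            _, complaints = open_blob(add_blobs(honest, fresh), add_blobs(b, held), d, silent)
        else:
            _, complaints = open_blob(fresh, held, d, silent)
        if complaints > d:
            return rnd
    return None

def demo(seed=2004):
    """Seeded walk through the slides; returns the facts worth checking."""
    rng = random.Random(seed)
    d, n = 1, 5                        # n = 3d + a with a = 2; 2d + a = 4 reliable
    b1, b2 = share(1, d, n, rng), share(1, d, n, rng)
    bad = list(b1)
    bad[3] ^= 0x10                     # one reliable holder received a wrong share
    return {
        "v1": reconstruct(b1, [0, 2]),
        "v1_xor_v2": reconstruct(add_blobs(b1, b2), [1, 4]),
        "open_ok": open_blob(b1, b1, d),
        "open_bad": open_blob(b1, bad, d),
        "cheater_caught_in_round": cut_and_choose(n, d, 60, rng),
        "honest_caught_in_round": cut_and_choose(n, d, 20, rng, cheat=False),
    }
```

Running `demo()` reconstructs the bit from any d + 1 shares, shows that adding the two blobs' shares yields shares of v1 XOR v2 (1 XOR 1 = 0), counts the single complaint raised by the participant holding a wrong share, and reports the round in which the cheating prover is caught, while the honest prover survives every round. Per round the cheater escapes only if the chooser is the colluder (probability 1/n here) or its guess matches an unpredictable coin, which is the (2d + a)/n argument of the slides; with d = 1, a = 2 that is a per-round escape probability of 0.6, so 60 rounds leave it negligible.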