500 likes | 541 Views
Discover a theorem presenting a solution for private mental games with passive and malicious adversaries using probabilistic algorithms in a game network. Explore the mathematical definitions and techniques behind ensuring privacy, correctness, and agreement in Turing-machine games.
E N D
How to play ANY mental game A Completeness Theorem for Protocols with Honest Majority
Overview • Introduction 2. Solution for TM-Games 2.1. for passive adversaries 2.2. for malicious adversaries 3. General games • Summary
1. Introduction • Motivation: n Players want to compute • Problem: each is a private input of the player i • Question: Is it possible to run M so that • The output is correct • No additional information of the is leaked
1. Introduction • Adversaries: - passive Adversaries: Run the protocol correct but run „on the side“ other efficient algorithmns - malicious Adversaries: Replace the algorithm by any efficient algorithm
1. Introduction • First Observation: • Easy to solve with an extra trusted party • In most situations there is no trusted party -> This notation wouldn‘t be useful • „Purely playable games“ • No extra party which is trusted by everyone
Overview • Introduction 2. Solution for TM-Games 2.1. for passive adversaries 2.2. for malicious adversaries 3. General games • Summary
2.1. Solution for TM-Games • Motivation: • Restricting the scenario to: • A special case of games (Turing-machine games) • Passive adversaries -> Easier to prove, yet useful for further proofs
2.1. Solution for TM-Games • General Definitions: • Random Variable (RV) R: (assigns a probability to each value ) • PA = probablistic poly-time algorithm • Efficient ≙ element of PA
2.1. Solution for TM-Games • Game network of size n: • n Turing machines with (for each TM): • 1 read-only private input tape • 1 write only private output tape • 1 read/write private work tape • n-1 special public communication tapes • 1 common read-only input and 1 common write only output tape
2.1. Solution for TM-Games • A probablistic distributed algorithm S in a game network of size n is a sequence of programs • Denote the class of all such algorithms by PDA
2.1. Solution for TM-Games • Let S∈PDA run in a network of size n with common input CI and private inputs Definition: • denotes the RV of the public history • denotes the RV of the private history of machine i
2.1. Solution for TM-Games • Let S∈PDA run in a network of size n with common input CI and private inputs Definition: • denotes the RV of the private output of machine i • For T⊆{1,…n} let denote the vector of private histories of the members of T
2.1. Solution for TM-Games • Indistinguishability of RV‘s: • Poly-bounded RV‘s: c constant, k∈ℕ the security parameter • Circuit is a „judge“ for two families of RV‘s U,V X a RV from U or V: • Denote by P(U,C,k) the probability that outputs 1 on a random sample of
2.1. Solution for TM-Games • Definition: (Indistinguishability of RV‘s) U and V are computationally indistinguishable if for all C, for all f∈ℕ and „sufficiently large“ k∈ℕ :
2.1. Solution for TM-Games • Solution for a TM-Game: • An algorithm in PDA with input s.t. the following conditions are satisfied: • Agreement: for all i,j output i equals output j • Correctness:
2.1. Solution for TM-Games • Solution for a TM-Game: • An algorithm in PDA with input s.t. the following conditions are satisfied: • Privacy:
2.1. Solution for TM-Games • Familiy of trap-door permutations: • Easy to select an f for a k∈ℕ and some extra trap-door information • Easy to compute f(x) • Hard to compute , if one doesn‘t know the trap-door information • One-way permutation: • Same as above, but trap-door information must not exist
2.1. Solution for TM-Games • Theorem: • If a trapdoor function exists, there exists a TM-game solver for passive adversaries • Proof sketch: • We use a lemma by Barrington‘s that simulates computation by composing elements in • > Transform our TM in a circuit and further into a straight-line program
2.1. Solution for TM-Games • This straight-line program contains: • 0 and 1 as specially selected 5-permutations • Variables in the range of • Instructions consist of multiplying two 5-permutations and which can be: • constant • a variable • the inverse (in ) of a variable
2.1. Solution for TM-Games • Initialization: • Each party encodes his private input by a 5-permutation • He selects random 5-permutations and gives the pair to player i • He then sets and gives to player n
2.1. Solution for TM-Games • Computation with variable and: 1. case: ,c constant. Then set 2. case: , c constant. Then each player sets
2.1. Solution for TM-Games • Computation with variable and: 3. case: ⋅ , a variable. Then • assume • we can‘t just multiply as is not commutative
2.1. Solution for TM-Games • Idea to solve the problem in case 3: • „swap“ pieces until each player can compute his share • first step: • run this for all players resulting in O(n²) swaps • Problem: privacy constraint would be violated • Solution?
2.1. Solution for TM-Games • Random bits: • Given a trap-door permutation f A random bit of f is: - A poly-time computable function - Computing on f(x) is essentialy “as hard as inverting f” -> Blackboard
2.1. Solution for TM-Games • Oblivious transfer (OT): • Sending information to the receiver, but it’s oblivious (“not clear”) what he received • Rabin’s OT: • A sends B an encrypted message E(m) and B can decrypt it with 50% probability -> Blackboard
2.1. Solution for TM-Games • 1-2 oblivious transfer: • A∈PA with input bits • B∈PA with input bit • A sends B one out of two messages, s.t.: 1. B will read , but can’t predict 2. A cannot predict
2.1. Solution for TM-Games • Implementation of 1-2 OT in 4 steps: • A selects a trapdoor permutation of size having a random bit A sends f to B and keeps secret • B selects at random and sends A:
2.1. Solution for TM-Games • Implementation of 1-2 OT in 4 steps: • A computes: and sends B 4. B computes
2.1. Solution for TM-Games • Why does it work? -> Blackboard
2.1. Solution for TM-Games • Combined Oblivious Transfer (COT): • A and B owning some inputs a and b • In the end of the protocol, A has computed g(a,b), while B doesn‘t know what A has computed • When a and b are secrets, it seems that B transfered a combination of his and A‘s secret to A
2.1. Solution for TM-Games • Example: COT AND-gate A B This labels are secret!
2.1. Solution for TM-Games • Combined Oblivious Transfer (COT): • We‘ve seen the COT-AND gate • The COT-NOT gate is trivial -> Therefor we can compute any 2-gates function
2.1. Solution for TM-Games • Applying the COT to our problem: • Player 1 and n use the following function for COT: g(x,(y,z) = w , where w⋅z=y⋅x • Player 1 is A with input • Player n is B with input • Then set -> Notice that g(x,(y,⋅)) is injective on
Overview • Introduction 2. Solution for TM-Games 2.1. for passive adversaries 2.2. for malicious adversaries 3. General games • Summary
2.2. Solution for TM-Games • Motivation: • With malicious adversaries we must clarify how to handle private inputs • Say if one player stops computing or tries to pretend his private input is different from what it actually is, how can we handle this? • Theorem: • Given n players „willing to play“, less then half of which malicious, all TM-games are playable
2.2. Solution for TM-Games • Zero-knowledge proof: Prove that you know a secret without revealing it. must satisfy 3 properties: • Completeness: • honest prover can convince honest verifier • Soundness: • cheating prover can’t convince honest verifier, except with small probability • Zero-knowledge: • no cheating verifier learns any other information
2.2. Solution for TM-Games • What means „willing to play“? • Successfully completing a protocol s.t. : • For all players i, no minority can predict a bit of player i‘s input with prob. > ½ but it is guaranteed that a majority of players can efficiently compute i‘s input • Each player i has a sequence of random encrypted bits s.t.: • He knows the decryption • No minority can predict them • A majority can easily compute them
2.2. Solution for TM-Games • How can we use this to „play“ the game? • For any randomness, players must use the bits they received • Each player proves - in zero-knowledge - that each message is what he should have send • If any player should stop at this phase then: • The others can reconstruct his random bits and private input • Compute his further messages when necessary
Overview • Introduction 2. Solution for TM-Games 2.1. for passive adversaries 2.2. for malicious adversaries 3. General games • Summary
3. General games • Game theory: • Definition of a general game: • A set S of possible states • A set M of possible moves • A set of knowledge functions of each state : • A payoff function p evaluating the final state
3. General games • Game theory: • Given a description of a game, how can we find some strategy satisfying some property? • Problem: given a description of a game, how can we actually PLAY the game? • For a general n-player game, we need n+1 players to play it ( which is unfortunate as we need another trusted party, which we normally don‘t have )
3. General games • Game Theory Example: • The game „poker“ is clearly playable (e.g. in our physical world) • Let NEWPOKER be the same as normal poker, but in addition you have the information, whether all hands combined form a royal flush • Is this game playable, too?
3. General games • Questions that arise: • Is there a model which makes all games playable, or at least • Does every game have a model in which it is playable? • Should we restrict us to the class of playable games?
3. General games • Theorem: • If any trap-door function exists, any game is playable if more than half of the players are honest • Idea to prove this: • Simulate a trusting party in an ideal game
Overview • Introduction 2. Solution for TM-Games 2.1. for passive adversaries 2.2. for malicious adversaries 3. General games • Summary
4. Summary • Theorem: • Under the assumption that any trap-door permutation exists: • We can tolerate any number of passive adversaries • We can tolerate up to ½ ⋅n malicious adversaries • If there are more than ½ ⋅n malicious adversaries then some protocols have no efficient solution
4. Summary • Why is this useful? • > Because every protocol can be formalized to a game with incomplete information • > We can even find a solution uniformly: • We can use an efficient algoritm, that, on input a protocol problem, outputs an efficient, distributed protocol for solving it