CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong
Last Lecture • Symmetric & Public key encryption • Secure Multiparty Computations • Problem and security definitions • General constructions • Oblivious Transfer
Secure Multiparty Computation • A set of parties with private inputs • Parties wish to jointly compute a function of their inputs so that certain security properties are preserved • Properties must be ensured even if some of the parties maliciously attack the protocol • Can model any cryptographic task
Security Requirements • Consider a secure auction (with secret bids): – An adversary may wish to learn the bids of all parties – to prevent this, require PRIVACY – An adversary may wish to win with a lower bid than the highest – to prevent this, require CORRECTNESS – But, the adversary may also wish to ensure that it always gives the highest bid – to prevent this, require INDEPENDENCE OF INPUTS – An adversary may try to abort the execution if its bid is not the highest – require FAIRNESS
Security Requirements • Privacy : only the output is revealed • Correctness : the function is computed correctly • Independence of inputs : parties cannot choose inputs based on others’ inputs • Fairness : if one party receives output, all receive output • Guaranteed output delivery
Defining Security • Option 1: analyze security concerns for each specific problem – Auctions: as in previous slide – Elections: privacy, correctness and fairness only (?) • Problems: – How do we know that all concerns are covered? – Definitions are application dependent and need to be redefined from scratch for each task
Defining Security • Option 2: general definition that captures all (most) secure computation tasks • Properties of any such definition – Well-defined adversary model • Semi-honest, Malicious – Well-defined execution setting • Stand-alone, concurrent general composition – Security guarantees are clear and simple to understand
Defining Security: the Ideal/Real Paradigm • What is the best we could hope for? – An incorruptible trusted party – All parties send inputs to trusted party (over perfectly secure communication lines) – Trusted party computes output – Trusted party sends each party its output (over perfectly secure communication lines) – This is the ideal world • What can an adversary do? – Just choose its input… • Semi-honest: simulator given input/output generates the adversary’s view
Today • Cont. Secure Multiparty Computations • Problem and security definitions • General constructions
Construction paradigms • We sketch a couple of paradigms used in the construction of secure multiparty protocols. • Passively-secure computation for two parties – Use oblivious transfer to securely select a value • Passively-secure computation with shares – Use a secret sharing scheme such that the data can be reconstructed from some of the shares • From passively-secure protocols to actively-secure protocols – Use zero-knowledge proofs to force parties to behave in a way consistent with the passively-secure protocol
Secret Sharing Scheme • Distributing a secret amongst n participants, each of whom is allocated a share of the secret • The secret can be reconstructed only when a sufficient number ( t ) of shares are combined together – ( t , n )-threshold scheme
Trivial Secret Sharing Scheme • Splitting – Encode the secret as an integer S. – Give to each player i (except one) a random integer r_i. – Give to the last player the number $S - \sum_{i=1}^{n-1} r_i$, so that the n shares sum to S and all n are needed to recover it.
(t, n) threshold scheme • Shamir’s scheme (1979) – It takes t points to define a polynomial of degree t-1 – Create a polynomial of degree t-1 with the secret as the first (constant) coefficient and the remaining coefficients picked at random. Find n points on the curve and give one to each of the players. At least t points are required to fit the polynomial; fewer than t are consistent with every possible secret.
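The two schemes on these two slides, as an added worked example (not code from the lecture): the trivial n-of-n splitting, and Shamir's (t, n) scheme with Lagrange reconstruction. The slides describe the secret as an integer; this example assumes the usual instantiation over a prime field (the demo prime is an assumption), and the share sizes are for illustration only.

```python
import secrets

# Demo field: arithmetic mod a Mersenne prime (assumed instantiation; any
# prime larger than the secret and the number of players works).
PRIME = (1 << 127) - 1


def additive_split(secret, n, modulus=PRIME):
    """Trivial splitting from the slides: n-1 random shares, and a last share
    of S minus their sum, so the n shares add up to S (mod the field prime)."""
    shares = [secrets.randbelow(modulus) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % modulus)
    return shares


def additive_reconstruct(shares, modulus=PRIME):
    """All n shares are required; any n-1 of them are uniformly random."""
    return sum(shares) % modulus


def shamir_split(secret, t, n, modulus=PRIME):
    """Shamir (t, n): pick a random polynomial f of degree t-1 with f(0) = secret,
    and hand player i the point (i, f(i)) for i = 1..n."""
    if not (1 <= t <= n < modulus):
        raise ValueError("need 1 <= t <= n < modulus")
    coeffs = [secret % modulus] + [secrets.randbelow(modulus) for _ in range(t - 1)]

    def f(x):
        acc = 0                      # Horner evaluation, highest degree first
        for c in reversed(coeffs):
            acc = (acc * x + c) % modulus
        return acc

    return [(i, f(i)) for i in range(1, n + 1)]


def shamir_reconstruct(points, modulus=PRIME):
    """Lagrange interpolation evaluated at x = 0 from any t distinct points.
    With fewer than t points the result is just an unrelated field element."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % modulus          # product of (0 - x_j)
                den = (den * (xi - xj)) % modulus      # product of (x_i - x_j)
        secret = (secret + yi * num * pow(den, -1, modulus)) % modulus
    return secret


if __name__ == "__main__":
    s = 123456789
    print("additive:", additive_reconstruct(additive_split(s, 5)) == s)
    pts = shamir_split(s, t=3, n=5)
    print("shamir, 3 of 5:", shamir_reconstruct(pts[:3]) == s)
```

`shamir_reconstruct` takes whichever t shares happen to be available; the test below checks several different subsets of the five shares, which is the property the threshold gives you.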
The GMW Paradigm • “Can we design protocols that remain secure even when some parties can behave maliciously?”* • GMW (Goldreich, Micali and Wigderson) • Paradigm for designing secure computation protocols against malicious adversaries • Secure computation for more than two parties, computing Boolean circuits * Secure Multi-Party Computation, by M.M. Prabhakaran
The GMW Paradigm • Construct a protocol for the semi-honest model • “Compile it” to obtain a protocol that is secure for the malicious model – Compilation involves forcing the parties to follow the protocol • It may be more efficient to work differently
General GMW Construction • For simplicity – consider two-party case • Let f be the function that the parties wish to compute • Represent f as an arithmetic circuit with addition and multiplication gates • Aim – compute gate-by-gate, revealing only random shares each time
Random Shares Paradigm • Let a be some value: – Party 1 holds a random value a_1 – Party 2 holds a+a_1 – Note that without knowing a_1, a+a_1 is just a random value revealing nothing of a. – We say that the parties hold random shares of a. • The computation will be such that all intermediate values are random shares (and so they reveal nothing).
Circuit Computation • Stage 1: each party randomly shares its input with the other party • Stage 2: compute gates of circuit as follows – Given random shares to the input wires, compute random shares of the output wires • Stage 3: combine shares of the output wires in order to obtain actual output [Figure: example Boolean circuit of AND, OR and NOT gates over Alice’s inputs and Bob’s inputs]
Addition Gates • Input wires to gate have values a and b: – Party 1 has shares a_1 and b_1 – Party 2 has shares a_2 and b_2 – Note: a_1+a_2=a and b_1+b_2=b • To compute random shares of output c=a+b – Party 1 locally computes c_1=a_1+b_1 – Party 2 locally computes c_2=a_2+b_2 – Note: c_1+c_2=a_1+a_2+b_1+b_2=a+b=c
Multiplication Gates • Input wires to gate have values a and b: – Party 1 has shares a_1 and b_1 – Party 2 has shares a_2 and b_2 – Wish to compute c = ab = (a_1+a_2)(b_1+b_2) • Party 1 knows its concrete share values a_1 and b_1. • Party 2’s shares a_2 and b_2 are unknown to Party 1, but there are only 4 possibilities (00, 01, 10, 11)
Multiplication (cont) • Party 1 prepares a table as follows: – Row 1 corresponds to Party 2’s input 00 – Row 2 corresponds to Party 2’s input 01 – Row 3 corresponds to Party 2’s input 10 – Row 4 corresponds to Party 2’s input 11
Multiplication (cont) • Party 1 prepares a table as follows (let r be a random bit chosen by Party 1): – Row 1 contains the value ab+r when a_2=0, b_2=0 – Row 2 contains the value ab+r when a_2=0, b_2=1 – Row 3 contains the value ab+r when a_2=1, b_2=0 – Row 4 contains the value ab+r when a_2=1, b_2=1
Concrete Example • Assume: a_1=0, b_1=1, r=1 (all values are bits; arithmetic is mod 2)
Row | Party 2’s shares | Output value
1   | a_2=0, b_2=0     | (0+0)·(1+0)+1 = 1
2   | a_2=0, b_2=1     | (0+0)·(1+1)+1 = 1
3   | a_2=1, b_2=0     | (0+1)·(1+0)+1 = 0
4   | a_2=1, b_2=1     | (0+1)·(1+1)+1 = 1
The Gate Protocol • The parties run a 1-out-of-4 oblivious transfer protocol • Party 1 plays the sender: message i is row i of the table. • Party 2 plays the receiver: it inputs 1 if a_2=0 and b_2=0, 2 if a_2=0 and b_2=1, and so on… • Output: – Party 2 receives c_2=c+r – this is its output – Party 1 outputs c_1=r – Note: c_1 and c_2 are random shares of c, as required
Summary • By computing each gate this way, at the end the parties hold shares of the output wires • The function output is obtained by simply sending the output-wire shares to each other.
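The three stages of the circuit computation, the local XOR gate and the table-plus-OT multiplication gate from the preceding slides, as an added two-party simulation (example code, not from the lecture). Both parties run in one process; the 1-out-of-4 OT is modelled as an ideal functionality (`ot_1_of_4`, an assumed trusted box, not a real OT protocol), which is exactly the reduction the security argument relies on. Wire names, the circuit layout and the `NOT` handling (only Party 1 flips its share) are this example's own choices.

```python
import secrets


def share_bit(bit):
    """Stage 1: split a bit into two random XOR shares (s1, s2) with s1 ^ s2 == bit."""
    s1 = secrets.randbits(1)
    return s1, s1 ^ bit


def xor_gate(a1, b1, a2, b2):
    """Addition gate over bits: each party XORs its own shares locally, no interaction."""
    return a1 ^ b1, a2 ^ b2


def and_table(a1, b1, r):
    """Party 1's four-row table: row k holds (a1+a2)(b1+b2)+r for Party 2's
    shares (a2, b2) in the order 00, 01, 10, 11 (arithmetic mod 2)."""
    return [((a1 ^ a2) & (b1 ^ b2)) ^ r for a2 in (0, 1) for b2 in (0, 1)]


def ot_1_of_4(sender_msgs, choice):
    """Ideal 1-out-of-4 OT (assumed trusted functionality): the receiver learns
    only sender_msgs[choice]; the sender learns nothing about choice."""
    return sender_msgs[choice]


def and_gate(a1, b1, a2, b2):
    """Multiplication gate: Party 1 masks the table with a fresh bit r and keeps r
    as its share; Party 2 obtains c ^ r through the OT as its share."""
    r = secrets.randbits(1)
    table = and_table(a1, b1, r)
    choice = 2 * a2 + b2            # 00 -> row 0, 01 -> row 1, 10 -> row 2, 11 -> row 3
    c2 = ot_1_of_4(table, choice)
    return r, c2


def evaluate(circuit, alice_inputs, bob_inputs, output_wires):
    """Run stages 1-3. circuit is a list of (op, in1, in2, out) over wire names,
    op in {'XOR', 'AND', 'NOT'} (in2 is None for NOT). Returns output bits."""
    wires = {}
    for name, bit in {**alice_inputs, **bob_inputs}.items():   # stage 1
        wires[name] = share_bit(bit)
    for op, x, y, out in circuit:                               # stage 2
        a1, a2 = wires[x]
        if op == 'NOT':
            wires[out] = (a1 ^ 1, a2)     # one party flips its share; no interaction
            continue
        b1, b2 = wires[y]
        wires[out] = xor_gate(a1, b1, a2, b2) if op == 'XOR' else and_gate(a1, b1, a2, b2)
    return {w: wires[w][0] ^ wires[w][1] for w in output_wires}   # stage 3


# Constructed demo circuit: ip = x0*y0 XOR x1*y1 (inner product mod 2) and
# or0 = x0 OR y0 built from NOT/AND as NOT(AND(NOT x0, NOT y0)).
CIRCUIT = [
    ('AND', 'x0', 'y0', 'p0'), ('AND', 'x1', 'y1', 'p1'), ('XOR', 'p0', 'p1', 'ip'),
    ('NOT', 'x0', None, 'nx0'), ('NOT', 'y0', None, 'ny0'),
    ('AND', 'nx0', 'ny0', 'nor0'), ('NOT', 'nor0', None, 'or0'),
]


def run_all_inputs():
    """Evaluate CIRCUIT on all 16 input combinations and compare with plaintext
    evaluation; returns True only if every output wire is correct."""
    for bits in range(16):
        x0, x1, y0, y1 = (bits >> 3) & 1, (bits >> 2) & 1, (bits >> 1) & 1, bits & 1
        out = evaluate(CIRCUIT, {'x0': x0, 'x1': x1}, {'y0': y0, 'y1': y1}, ['ip', 'or0'])
        if out['ip'] != ((x0 & y0) ^ (x1 & y1)) or out['or0'] != (x0 | y0):
            return False
    return True


if __name__ == "__main__":
    print("table for a_1=0, b_1=1, r=1:", and_table(0, 1, 1))
    print("all 16 inputs correct:", run_all_inputs())
```

`and_table(0, 1, 1)` reproduces the concrete example's column of output values, and the remark about semi-honest behaviour is visible in the code: nothing stops a party from passing a wrong share into `and_gate`, which is why the compiler in the later slides adds commitments and proofs.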
Security • Reduction to the oblivious transfer protocol • Assuming security of the OT protocol, parties only see random values until the end. Therefore, simulation is straightforward. • Note: correctness relies heavily on semi-honest behavior (otherwise can modify shares). • Theorem: any functionality f can be securely computed in the semi-honest model.
Remark • The semi-honest model is often used as a tool for obtaining security against malicious parties. • In many (most?) settings, security against semi-honest adversaries does not suffice. • In some settings, it may suffice. – One example: hospitals that wish to share data.
Malicious Adversaries • The above protocol is not secure against malicious adversaries: – A malicious adversary may learn more than it should. – A malicious adversary can cause the honest party to receive incorrect output. – We need to be able to extract a malicious adversary’s input and send it to the trusted party.
Obtaining Security Three goals: • Force the adversary to use a fixed input – Furthermore, make it possible for the ideal-model simulator/adversary to extract this input. • Force the adversary to use a uniform random tape • Force the adversary to follow the protocol exactly (consistently with their fixed input and random tape)
The compiler • Input commitment phase: – Each party commits to its input • Coin generation phase: – The parties generate random tapes for each other – Initial idea: the random tape of P_i is defined as S_{1,i} ⊕ S_{2,i} ⊕ … ⊕ S_{n,i}, where S_{j,i} is chosen by P_j • Protocol emulation phase: – Run the protocol while proving that the parties’ operations comply with their committed inputs and random tapes