
More Practical Multi-Party Computation

More Practical Multi-Party Computation. Feng Hao, University of Warwick. Tutorial, Indocrypt19, Hyderabad, India. "There are only three papers that are worth writing: the first, the last and the best." - Roger Needham (1935-2003) Outline of


  1. DRE-i with enforced privacy (DRE-ip) • Motivation • DRE-i works by pre-computing encrypted ballots • However, pre-computed ballots need to be stored securely • Can we remove this secure storage requirement? • Naturally, that leads us to a different strategy • DRE-ip works by computing encrypted ballots in real time • Still three phases: setup, voting and tallying

  2. Phase 1: setup • Two generators g_1 and g_2 with unknown log relation • E.g., use a one-way hash to obtain g_2 from g_1 (in our implementation)

  3. Phase 2: Voting • Encrypted vote • DRE keeps in memory , • At the end, DRE posts t, s on bulletin board

  4. Phase 3: Tallying • DRE publishes t and s and all receipts on bulletin board • The public verify ,

  5. DRE-ip in practice • Google Pixel to implement the DRE • DRE connected to a thermal printer • The backend is a web server hosted in the university campus

  6. Gateshead trial using DRE-ip (2 May 2019) • Voters voted as normal using paper ballots • Upon exit, they were invited to trial a new e-polling system • They were then asked which system they preferred * Approved by Gateshead council and Warwick University’s Ethics Committee

  7. [Photos: polling station; e-polling trial station] Gateshead Civic Center, 6:30 am, 2 May 2019

  8. Research team for the e-voting trial

  9. Introductory video

  10. A dummy election

  11. Election results

  12. Survey result (91 responses) Based on your experience of using paper ballots and e-voting, which system do you prefer? [Chart categories: Strongly prefer paper, Prefer paper, Neutral, Prefer e-voting, Strongly prefer e-voting]

  13. Those who prefer e-voting (55 voters)

  14. Those who prefer paper ballots (20 voters)

  15. Those who are neutral (16) ● Don’t see much difference if one has to come to the polling station ● Want to vote from home

  16. Our vision about future e-voting

  17. An overview of existing e-voting systems

  18. Outline of the tutorial 1. Boolean-OR function: Anonymous Veto 2. Boolean-Count function: Boardroom voting 3. Equality function: PAKE 4. Tallying function: E-voting 5. Max function: E-Auction

  19. Acknowledgement ● Joint work with Bag, Shahandashti and Ray. ● Based on the following paper Samiran Bag, Feng Hao, Siamak Shahandashti, and Indranil G. Ray, "SEAL: Sealed-bid Auction without Auctioneers," IEEE Transactions on Information Security and Forensics, 2020, https://eprint.iacr.org/2019/1332.pdf.

  20. Background in auction ● A very common practice: US treasury sells trillions of securities via auction ● Open cry ○ Ascending: English auction ○ Descending: Dutch auction ● Sealed-bid ○ First-price (equivalent to Dutch auction based on game theory) ○ Second-price (equivalent to English auction when voters evaluate items in private) ● We will focus on sealed-bid auctions

  21. Sealed-bid auction [Figure: bid prices 1, 2, 3 and 4]

  22. Two types of sealed-bid auction ● First price sealed-bid auction ○ The highest bidder wins, and pays the highest bid price ● Second price sealed-bid auction ○ The highest bidder wins, but pays the second-highest bid price ○ Also called “Vickrey auction”, named after William Vickrey who first developed theory for this type of auction (won Nobel Prize in 1996) William Vickrey (1914-1996)

  23. Vickrey auction ● Extremely important in the auction theory ● Based on game theory, this scheme is “strategy-proof”: when values are evaluated in private, the best strategy for bidders is to bid their true evaluation ● Unfortunately, rarely used in practice

  24. Practical concerns in Vickrey auction ● Two main security concerns ○ (Privacy) The true evaluation is a commercial secret but the auctioneer sees my bid ○ (Integrity) How do I know I really pay the 2nd highest price (auctioneer didn’t change)? ● Completely trustworthy auctioneers do not exist ● In this talk, I’ll present a solution that removes the need for auctioneers

  25. Overview of e-auction research ● A very active field since the seminal paper by Franklin-Reiter in 1996 ● A large amount of e-auction systems proposed ● However, almost all of them assume the role of a trustworthy auctioneer ● They apply threshold crypto or MPC to distribute the trust

  26. Summary of previous work In general two types of solutions 1. Use two or more auctioneers: Franklin-Reiter, 1996; Sako, 2000; Kurosawa-Ogata, 2002; Bogetoft et al., 2006; Cartlidge et al., 2019, … 2. Add other trusted third parties: Naor-Pinkas-Sumner, 1999; Juels-Szydlo, 2002; Lipmaa-Asokan-Niemi, 2002; Abe-Suzuki, 2002, Montenegro-Fischer-Lopez-Peralta, 2013 … However, we want to get rid of “trustworthy auctioneers” completely

  27. Can’t we just use MPC without auctioneers? ● In theory, general MPC allows secure computation on any function ○ n players, each with a secret input x_i, i = 1, 2, ..., n ○ Each player learns nothing more than f(x_1, x_2, ..., x_n) ● So we simply apply it to a max function without involving auctioneers ● Problem trivially solved? ● However, not that simple …

  28. Typical assumptions in MPC ● Pairwise secret channels + a public authenticated channel ○ O(n^2) complexity of setting up pairwise secret channels ○ The existence of secret channels makes the protocol not publicly verifiable ● The honest majority ○ In practice, the vast majority of participants may be corrupted (e.g., 3 players)

  29. A real-world MPC application on auction ● Bogetoft, Damgard, Jakobsen, Nielsen, Pagter, Toft, 2006 ● Used in Denmark for auction sales on sugar beets ● Assume 2 out of 3 auctioneers honest ● Public key pairs for pairwise secure communication [Figure labels: DKS, Researchers, Danisco; key pairs pub1/prv3, pub2/prv2, pub3/prv3; bid prices 1, 2, 3 and 4]

  30. Is e-auction without auctioneers possible? ● Yes, but a trivial method will give you an exponential complexity ● For example: each bidder encrypts “Yes”/“No” for all possible bid prices ● Similar ideas proposed by Brandt, 2002; Brandt, 2003; Wu et al, 2004; Brandt 2005; Brandt, 2006. ● They all incur O(2^c) complexity, c being the bit length of the bid ● We will show a solution with O(c) complexity

  31. Communication setting in our solution ● No secret channels ● An authenticated public channel (required in all schemes) ● No trustworthy auctioneers [Figure: public bulletin board (Ethereum blockchain); bid prices 1, 2, 3 and 4]

  32. Security definitions

  33. Overview of the auction protocol ● Called Self-Enforcing Auction Lot (SEAL) ● Based on a single primitive: boolean-OR (modified AV-net, Hao-Zielinski’06) ● Two phases: commitment and bidding

  34. Commitment Phase

  35. Bidding Phase

  36. An example

  37. Efficiency analysis Computational load (no of exponentiations) Communication bandwidth (No of group elements) Notations: c the bit length of the bid. n the total number of bidders. the number of iterations of stage 1

  38. Proof-of-concept implementation ● Using Java on Linux Platform ● Experiment done on an Asus Core i3 laptop (2.1 GHz with 4 GB RAM)

  39. Commitment phase Bit length of the bid fixed at 10 10 bidders

  40. Bidding Phase 10 bidders Bit length of the bid fixed at 10

  41. Security analysis - integrity of auction outcome

  42. Security analysis - privacy of losing bids

  43. Can we achieve inclusive-privacy? ● Yes, simple to do ○ Just replace AV-net with another anonymous veto protocol that satisfies “inclusive privacy” (e.g., PriVeto by Bag, Zad, Hao, IET Information Security , 2019) ● However, the resultant scheme will be less interesting and less useful ...

  44. Practical concerns Auction (inclusive privacy) Auction (exclusive privacy) Resolving tie Adaptive Extension to Vickrey

  45. Extension to Vickrey auction ● Imagine a (perfect) MPC protocol that limits you to learn nothing more than the output of the max function ● You run the protocol twice to get the second highest bid ● But the highest bid is trivially revealed!
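
How c rounds of Boolean-OR yield the max function in O(c) rather than O(2^c) (slides 30 and 33), as an added sketch that is not taken from the slides or from the SEAL implementation. It assumes plain AV-net (Hao-Zielinski'06) with no zero-knowledge proofs and no commitment phase, and an MSB-first elimination rule; the names `schnorr_group`, `veto_round` and `highest_bid` are chosen here for illustration.

```python
import math
import secrets

Q = 2**127 - 1   # subgroup order: a Mersenne prime (demonstration size only)

def schnorr_group(q):
    """Find a prime p = k*q + 1 (small even k) and an element g of order q."""
    k = 2
    while True:
        p = k * q + 1
        g = pow(2, k, p)
        # Pocklington's criterion with base 2: q is prime and q > sqrt(p), so p is prime
        if pow(2, p - 1, p) == 1 and math.gcd(g - 1, p) == 1:
            return p, g
        k += 2

P, G = schnorr_group(Q)

def veto_round(vetoes):
    """One AV-net run over a public channel: True iff at least one input is a veto."""
    n = len(vetoes)
    x = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]   # private x_i
    gx = [pow(G, xi, P) for xi in x]                       # round 1: publish g^x_i
    product = 1
    for i in range(n):
        gy = 1   # g^y_i = prod_{j<i} g^x_j / prod_{j>i} g^x_j, from public values only
        for j in range(n):
            if j != i:
                gy = gy * (gx[j] if j < i else pow(gx[j], -1, P)) % P
        # no veto: exponent x_i; veto: a fresh random exponent
        c = secrets.randbelow(Q - 1) + 1 if vetoes[i] else x[i]
        product = product * pow(gy, c, P) % P              # round 2: publish g^(c_i*y_i)
    # sum of x_i*y_i is 0, so the product is 1 exactly when nobody vetoed
    return product != 1

def highest_bid(bids, c):
    """Max of c-bit bids from c Boolean-OR rounds, most significant bit first."""
    active = [True] * len(bids)   # each bidder's private "not yet outbid" flag
    result = 0
    for pos in range(c - 1, -1, -1):
        bits = [(b >> pos) & 1 for b in bids]
        vetoes = [a and bit == 1 for a, bit in zip(active, bits)]
        winning_bit = veto_round(vetoes)
        if winning_bit:   # bidders holding a 0 here are outbid and stay silent afterwards
            active = [a and bit == 1 for a, bit in zip(active, bits)]
        result = (result << 1) | int(winning_bit)
    return result
```

Only the OR of each round is public, so the bulletin board learns the winning bid bit by bit and nothing else about who vetoed; without the proofs omitted here, nothing forces a bidder to follow the elimination rule.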
