Multi-Party Computation in Presence of Corrupted Majorities Dominik - PowerPoint PPT Presentation

Multi-Party Computation in Presence of Corrupted Majorities Dominik Raub Institute of Theoretical Computer Science ETH Zürich on joint work with R. Künzler, J. Müller-Quade, C. Lucas, U. Maurer, M. Fitzi Mäetaguse, 2009/10/04

Multi-Party Computation (MPC) F

Multi-Party Computation (MPC) F ● Voting ● Auctions ● Who is richest? ⇒ privacy, correctness required

Multi-Party Computation (MPC) π π π π F ≈ R π

Multi-Party Computation (MPC) π π π π F ≈ R π Generally encompasses: ● Secure or authenticated channels ● Optionally BC or PKI ● CRS for UC setting

Multi-Party Computation (MPC) π π π π F ≈ R π ∀ D I/O I/O 0/1

MPC: Active Adversary π π F ≈ R ∀ ∃ A S ∀ D I/O I/O 0/1

MPC: Passive Adversary π π π π F ≈ R π ∀ ∃ A S ∀ D forward I/O I/O I/O 0/1

MPC: Semi-Honest Adversary π π π π F ≈ R π ∀ ∃ A S ∀ D x i → x i ' I/O I/O y i → y i ' 0/1

Security Properties for MPC ● Correctness: protocol computes intended result ● Privacy: nobody learns more than intended ● Robustness: everybody receives intended result ● Fairness: everybody receives result, or nobody ● Agreement (on abort): all honest parties receive their result or notification of failure

Security Paradigms for MPC ● Abort Security: agreement, privacy, correctness ● Fair Security: fairness, privacy, correctness ● Full Security: robustness, privacy, correctness ● IT Security: tolerates unbounded adversaries ● CO Security: tolerates computationally bounded adversaries

Limitations for MPC with BC ● Fair security only for t < n/2 corrupted [Cle86] ● IT security only for t < n/2 [Kil00] ● Full security for t 1 and abort security for t 2 only if t 1 + t 2 < n [IKLP06], [Kat07] ● No IT full security for general MPC for t ≥ n/2 ⇒ Which functions can be computed with IT full security for t ≥ n/2 ? ⇒ Weaker assumptions, graceful degradation?

Limitations for MPC with BC ● Fair security only for t < n/2 corrupted [Cle86] ● IT security only for t < n/2 [Kil00] ● Full security for t 1 and abort security for t 2 only if t 1 + t 2 < n [IKLP06], [Kat07] ● No IT full security for general MPC for t ≥ n/2 ⇒ Which functions can be computed with IT full security for t ≥ n/2 ? ⇒ Weaker assumptions, graceful degradation?

Computability of Functions Security Adversary Resources Fair? Computable f F bc IT passive auth. BC yes pa s F bc semi-honest auth. BC yes s h F bc active auth. BC yes a c t

Computability of Functions Security Adversary Resources Fair? Computable f F bc IT passive auth. BC yes pa s ⊃ F bc semi-honest auth. BC yes s h ⊃ F bc active auth. BC yes a c t

Computability of Functions Security Adversary Resources Fair? Computable f F bc IT passive auth. BC yes pa s ⊃ F bc semi-honest auth. BC yes s h ⊃ F bc active auth. BC yes a c t ● Today: only symmetric functions ● Then:

Computability of Functions Security Adversary Resources Fair? Computable f F bc IT passive auth. BC yes pa s ⊃ F bc semi-honest auth. BC yes s h ⊃ F bc active auth. BC yes a c t F bc LT active auth. BC no l t s F a ut auth. chan. no l t s F i ns ; pki PKI no l t s ● Long-term (LT) security – Computational assumptions only during protocol run

Computability of Functions Security Adversary Resources Fair? Computable f F bc IT passive auth. BC yes pa s ⊃ F bc semi-honest auth. BC yes s h ⊃ F bc active auth. BC yes a c t F bc = LT active auth. BC no l t s F a ut auth. chan. no l t s F i ns ; pki PKI no l t s ● Long-term (LT) security – Computational assumptions only during protocol run

Computability of Functions Security Adversary Resources Fair? Computable f F bc IT passive auth. BC yes pa s ⊃ F bc semi-honest auth. BC yes s h ⊃ F bc active auth. BC yes a c t F bc = LT active auth. BC no l t s F a ut auth. chan. no l t s F i ns ; pki PKI no l t s ● “=”: modified [GMW87]-Compiler – computationally forces semi-honest behavior – maintains IT security against semi-honest adversary

Passively Computable Functions F bc pa s Input:

Passively Computable Functions F bc pa s Input:

Passively Computable Functions F bc pa s Input:

Passively Computable Functions F bc pa s Input:

Passively Computable Functions F bc pa s Input:

Passively Computable Functions F bc pa s Input:

Passively Computable Functions F bc pa s Input:

Actively Computable Functions F bc a c t

Actively Computable Functions F bc a c t

Actively Computable: Example

Summary: Computability ● Characterization of computable function classes F bc – : decomposability pa s F bc – : decomposability after removing redundancy s h F bc – : decomposability after removing redundancy, a c t exchange property (input for every strategy) ● Characterization of long-term security: F i ns ; pk i = F a ut s = F bc s = F bc l t l t s h l t s

Limitations for MPC with BC ● Fair security only for t < n/2 corrupted [Cle86] ● IT security only for t < n/2 [Kil00] ● Full security for t 1 and abort security for t 2 only if t 1 + t 2 < n [IKLP06], [Kat07] ● No IT full security for general MPC for t ≥ n/2 ⇒ Which functions can be computed with IT full security for t ≥ n/2 ? ⇒ Weaker assumptions, graceful degradation? >

Limitations for MPC with BC ● Fair security only for t < n/2 corrupted [Cle86] ● IT security only for t < n/2 [Kil00] ● Full security for t 1 and abort security for t 2 only if t 1 + t 2 < n [IKLP06], [Kat07] ● No IT full security for general MPC for t ≥ n/2 ⇒ Which functions can be computed with IT full security for t ≥ n/2 ? ⇒ Weaker assumptions, graceful degradation? ⇒ Hybrid-secure MPC (HMPC) >

Optimal Hybrid MPC (with BC) π π π π Goal: For any ρ < n/2 R ● IT full security for t ≤ ρ π ● IT fair security for t < n/2 ● CO abort security for t < n- ρ >

Optimal Hybrid MPC (with BC) π π π π Goal: For any ρ < n/2 R ● IT full security for t ≤ ρ π ● IT fair security for t < n/2 ● CO abort security for t < n- ρ [GMW87], [CLOS01]: can be IT protected >

Optimal Hybrid MPC (with BC) π π π π Goal: For any ρ < n/2 R ● IT full security for t ≤ ρ π ● IT fair security for t < n/2 ● CO abort security for t < n- ρ ⇒ Trusted IT fairness, correctness >

Optimal Hybrid MPC (with BC) π π [Cha89]: emulate! ⇒ honest for t < n/2 [RB89] ⇒ t < n/2: IT fair, correct π π ⇒ t ≥ n/2: CO private, correct R π R' ⇒ Trusted IT fairness, correctness >

Optimal Hybrid MPC (with BC) π π [Cha89]: emulate! ⇒ honest for t < n/2 [RB89] ⇒ t < n/2: IT fair, correct π π ⇒ t ≥ n/2: CO private, correct R Use sharing qualifying all sets of π emulated and n- ρ actual parties ⇒ t ≤ ρ : IT robust, correct ⇒ t < n/2: IT fair, correct R' ⇒ t < n- ρ : CO private, correct >

Optimal Hybrid MPC (with BC) π π Share inputs ⇒ t < n/2: IT privacy ⇒ t ≥ n/2: no correctness π π R x i = x ides ⊕ x iem π (x ides ) R' (x iem ) >

Optimal Hybrid MPC (with BC) π π Share and commit ⇒ no robustness or ⇒ no correctness for t ≥ n/2 π π R x i = x ides ⊕ x iem π (c i ,o i ) = com H (x iem ) (x ides ,c i ) R' (x iem ,o i ) >

Optimal Hybrid MPC (with BC) π π Share, commit, complain ⇒ t ≤ ρ: IT full security ⇒ t < n/2: IT fair security π π ⇒ t < n- ρ: CO abort security R x i = x ides ⊕ x iem π (c i ,o i ) = com H (x iem ) (x ides ,c i ) R' (x iem ,o i ) complaint? input x i >

Optimal Hybrid MPC (with BC) π ρ π π Share, commit, complain ⇒ t ≤ ρ: IT full security ⇒ t < n/2: IT fair security π π ⇒ t < n- ρ: CO abort security R x i = x ides ⊕ x iem π (c i ,o i ) = com H (x iem ) (x ides ,c i ) R' (x iem ,o i ) complaint? input x i >

Summary: Hybrid Security ● We provide optimal HMPC protocols and matching tight bounds for the setting – with BC

Summary: Hybrid Security ● We provide optimal HMPC protocols and matching tight bounds for the setting – with BC – without BC but with PKI – without BC or PKI ● We treat possibly inconsistent PKIs ● We consider signature forgery separately from other (computational) assumptions

Conclusions ● Characterization of computable function classes ● Characterization of long-term security ● Optimal HMPC protocols and matching tight bounds

Passively Computable Functions F bc pa s Input:

Hybrid MPC (HMPC) ● Different guarantees depending on t: – For t ≤ l r full (robust) security – For t ≤ l f fair security – For t ≤ L abort security ● While tolerating: – For t ≤ t c computationally unbounded adversaries – For t ≤ t σ signature forgery – For t ≤ t p inconsistent PKIs ⇒ Graceful degradation