multi party computation in presence of corrupted
play

Multi-Party Computation in Presence of Corrupted Majorities Dominik - PowerPoint PPT Presentation

Multi-Party Computation in Presence of Corrupted Majorities Dominik Raub Institute of Theoretical Computer Science ETH Zrich on joint work with R. Knzler, J. Mller-Quade, C. Lucas, U. Maurer, M. Fitzi Metaguse, 2009/10/04 Multi-Party


  1. Multi-Party Computation in Presence of Corrupted Majorities Dominik Raub Institute of Theoretical Computer Science ETH Zürich on joint work with R. Künzler, J. Müller-Quade, C. Lucas, U. Maurer, M. Fitzi Mäetaguse, 2009/10/04

  2. Multi-Party Computation (MPC) F

  3. Multi-Party Computation (MPC) F ● Voting ● Auctions ● Who is richest? ⇒ privacy, correctness required

  4. Multi-Party Computation (MPC) π π π π F ≈ R π

  5. Multi-Party Computation (MPC) π π π π F ≈ R π Generally encompasses: ● Secure or authenticated channels ● Optionally BC or PKI ● CRS for UC setting

  6. Multi-Party Computation (MPC) π π π π F ≈ R π ∀ D I/O I/O 0/1

  7. MPC: Active Adversary π π F ≈ R ∀ ∃ A S ∀ D I/O I/O 0/1

  8. MPC: Passive Adversary π π π π F ≈ R π ∀ ∃ A S ∀ D forward I/O I/O I/O 0/1

  9. MPC: Semi-Honest Adversary π π π π F ≈ R π ∀ ∃ A S ∀ D x i → x i ' I/O I/O y i → y i ' 0/1

  10. Security Properties for MPC ● Correctness: protocol computes intended result ● Privacy: nobody learns more than intended ● Robustness: everybody receives intended result ● Fairness: everybody receives result, or nobody ● Agreement (on abort): all honest parties receive their result or notification of failure

  11. Security Paradigms for MPC ● Abort Security: agreement, privacy, correctness ● Fair Security: fairness, privacy, correctness ● Full Security: robustness, privacy, correctness ● IT Security: tolerates unbounded adversaries ● CO Security: tolerates computationally bounded adversaries

  12. Limitations for MPC with BC ● Fair security only for t < n/2 corrupted [Cle86] ● IT security only for t < n/2 [Kil00] ● Full security for t 1 and abort security for t 2 only if t 1 + t 2 < n [IKLP06], [Kat07] ● No IT full security for general MPC for t ≥ n/2 ⇒ Which functions can be computed with IT full security for t ≥ n/2 ? ⇒ Weaker assumptions, graceful degradation?

  13. Limitations for MPC with BC ● Fair security only for t < n/2 corrupted [Cle86] ● IT security only for t < n/2 [Kil00] ● Full security for t 1 and abort security for t 2 only if t 1 + t 2 < n [IKLP06], [Kat07] ● No IT full security for general MPC for t ≥ n/2 ⇒ Which functions can be computed with IT full security for t ≥ n/2 ? ⇒ Weaker assumptions, graceful degradation?

  14. Computability of Functions Security Adversary Resources Fair? Computable f F bc IT passive auth. BC yes pa s F bc semi-honest auth. BC yes s h F bc active auth. BC yes a c t

  15. Computability of Functions Security Adversary Resources Fair? Computable f F bc IT passive auth. BC yes pa s ⊃ F bc semi-honest auth. BC yes s h ⊃ F bc active auth. BC yes a c t

  16. Computability of Functions Security Adversary Resources Fair? Computable f F bc IT passive auth. BC yes pa s ⊃ F bc semi-honest auth. BC yes s h ⊃ F bc active auth. BC yes a c t ● Today: only symmetric functions ● Then:

  17. Computability of Functions Security Adversary Resources Fair? Computable f F bc IT passive auth. BC yes pa s ⊃ F bc semi-honest auth. BC yes s h ⊃ F bc active auth. BC yes a c t F bc LT active auth. BC no l t s F a ut auth. chan. no l t s F i ns ; pki PKI no l t s ● Long-term (LT) security – Computational assumptions only during protocol run

  18. Computability of Functions Security Adversary Resources Fair? Computable f F bc IT passive auth. BC yes pa s ⊃ F bc semi-honest auth. BC yes s h ⊃ F bc active auth. BC yes a c t F bc = LT active auth. BC no l t s F a ut auth. chan. no l t s F i ns ; pki PKI no l t s ● Long-term (LT) security – Computational assumptions only during protocol run

  19. Computability of Functions Security Adversary Resources Fair? Computable f F bc IT passive auth. BC yes pa s ⊃ F bc semi-honest auth. BC yes s h ⊃ F bc active auth. BC yes a c t F bc = LT active auth. BC no l t s F a ut auth. chan. no l t s F i ns ; pki PKI no l t s ● “=”: modified [GMW87]-Compiler – computationally forces semi-honest behavior – maintains IT security against semi-honest adversary

  20. Passively Computable Functions F bc pa s Input:

  21. Passively Computable Functions F bc pa s Input:

  22. Passively Computable Functions F bc pa s Input:

  23. Passively Computable Functions F bc pa s Input:

  24. Passively Computable Functions F bc pa s Input:

  25. Passively Computable Functions F bc pa s Input:

  26. Passively Computable Functions F bc pa s Input:

  27. Actively Computable Functions F bc a c t

  28. Actively Computable Functions F bc a c t

  29. Actively Computable: Example

  30. Summary: Computability ● Characterization of computable function classes F bc – : decomposability pa s F bc – : decomposability after removing redundancy s h F bc – : decomposability after removing redundancy, a c t exchange property (input for every strategy) ● Characterization of long-term security: F i ns ; pk i = F a ut s = F bc s = F bc l t l t s h l t s

  31. Limitations for MPC with BC ● Fair security only for t < n/2 corrupted [Cle86] ● IT security only for t < n/2 [Kil00] ● Full security for t 1 and abort security for t 2 only if t 1 + t 2 < n [IKLP06], [Kat07] ● No IT full security for general MPC for t ≥ n/2 ⇒ Which functions can be computed with IT full security for t ≥ n/2 ? ⇒ Weaker assumptions, graceful degradation? >

  32. Limitations for MPC with BC ● Fair security only for t < n/2 corrupted [Cle86] ● IT security only for t < n/2 [Kil00] ● Full security for t 1 and abort security for t 2 only if t 1 + t 2 < n [IKLP06], [Kat07] ● No IT full security for general MPC for t ≥ n/2 ⇒ Which functions can be computed with IT full security for t ≥ n/2 ? ⇒ Weaker assumptions, graceful degradation? ⇒ Hybrid-secure MPC (HMPC) >

  33. Optimal Hybrid MPC (with BC) π π π π Goal: For any ρ < n/2 R ● IT full security for t ≤ ρ π ● IT fair security for t < n/2 ● CO abort security for t < n- ρ >

  34. Optimal Hybrid MPC (with BC) π π π π Goal: For any ρ < n/2 R ● IT full security for t ≤ ρ π ● IT fair security for t < n/2 ● CO abort security for t < n- ρ [GMW87], [CLOS01]: can be IT protected >

  35. Optimal Hybrid MPC (with BC) π π π π Goal: For any ρ < n/2 R ● IT full security for t ≤ ρ π ● IT fair security for t < n/2 ● CO abort security for t < n- ρ ⇒ Trusted IT fairness, correctness >

  36. Optimal Hybrid MPC (with BC) π π [Cha89]: emulate! ⇒ honest for t < n/2 [RB89] ⇒ t < n/2: IT fair, correct π π ⇒ t ≥ n/2: CO private, correct R π R' ⇒ Trusted IT fairness, correctness >

  37. Optimal Hybrid MPC (with BC) π π [Cha89]: emulate! ⇒ honest for t < n/2 [RB89] ⇒ t < n/2: IT fair, correct π π ⇒ t ≥ n/2: CO private, correct R Use sharing qualifying all sets of π emulated and n- ρ actual parties ⇒ t ≤ ρ : IT robust, correct ⇒ t < n/2: IT fair, correct R' ⇒ t < n- ρ : CO private, correct >

  38. Optimal Hybrid MPC (with BC) π π Share inputs ⇒ t < n/2: IT privacy ⇒ t ≥ n/2: no correctness π π R x i = x ides ⊕ x iem π (x ides ) R' (x iem ) >

  39. Optimal Hybrid MPC (with BC) π π Share and commit ⇒ no robustness or ⇒ no correctness for t ≥ n/2 π π R x i = x ides ⊕ x iem π (c i ,o i ) = com H (x iem ) (x ides ,c i ) R' (x iem ,o i ) >

  40. Optimal Hybrid MPC (with BC) π π Share, commit, complain ⇒ t ≤ ρ: IT full security ⇒ t < n/2: IT fair security π π ⇒ t < n- ρ: CO abort security R x i = x ides ⊕ x iem π (c i ,o i ) = com H (x iem ) (x ides ,c i ) R' (x iem ,o i ) complaint? input x i >

  41. Optimal Hybrid MPC (with BC) π ρ π π Share, commit, complain ⇒ t ≤ ρ: IT full security ⇒ t < n/2: IT fair security π π ⇒ t < n- ρ: CO abort security R x i = x ides ⊕ x iem π (c i ,o i ) = com H (x iem ) (x ides ,c i ) R' (x iem ,o i ) complaint? input x i >

  42. Summary: Hybrid Security ● We provide optimal HMPC protocols and matching tight bounds for the setting – with BC

  43. Summary: Hybrid Security ● We provide optimal HMPC protocols and matching tight bounds for the setting – with BC – without BC but with PKI – without BC or PKI ● We treat possibly inconsistent PKIs ● We consider signature forgery separately from other (computational) assumptions

  44. Conclusions ● Characterization of computable function classes ● Characterization of long-term security ● Optimal HMPC protocols and matching tight bounds

  45. Passively Computable Functions F bc pa s Input:

  46. Hybrid MPC (HMPC) ● Different guarantees depending on t: – For t ≤ l r full (robust) security – For t ≤ l f fair security – For t ≤ L abort security ● While tolerating: – For t ≤ t c computationally unbounded adversaries – For t ≤ t σ signature forgery – For t ≤ t p inconsistent PKIs ⇒ Graceful degradation

Recommend


More recommend