Multi-Party Computation with Hybrid Security Matthias Fitzi, Thomas - PowerPoint PPT Presentation

Multi-Party Computation with Hybrid Security Matthias Fitzi, Thomas Holenstein, and J¨ urg Wullschleger

✏ � ☛ ✌ ✌ ✌ � ✡ ✠ ✟ ✟ ✟ ✟ ✟ ✟ ✄ � ✂ � ✁ Multi-Party Computation (MPC) [Yao82,GMW87] �✞✝ �✆☎ �✎✍ ✁☞☛

✏ ✟ ✍ � ☛ ✌ ✌ ✌ � ✡ ✠ ✟ � ✟ ✟ ✟ ✄ � ✂ � ✁ MPC: Adversary �✆☎ �✞✝ ✁☞☛

✏ ✠ ✍ � ☛ ✌ ✌ ✌ � ✡ ✟ � ✁ MPC: Adversary Central adversary : – corrupt up to players actively – Privacy : no information about good � ✄✂ – Correctness : ✁☞☛

✂ ✁ ✆ ✄ � ✁ ✂ ✄ ☎ � MPC: General Achievability MPC achievable iff Standard model: Broadcast Model: x x x x x [BGW88,CCD88] [B89,RB89] tight [LSP82] tight [Cleve86]

✁ � ✁ ✂ � How to do Broadcast with ? Construction using: Hardware.

✁ � ✁ ✂ � How to do Broadcast with ? Construction using: Hardware. How???

✁ � ✁ ✂ � � How to do Broadcast with ? Construction using: Hardware. How??? Signature Scheme [LSP82,DS82,PW96]

✁ � ✁ ✂ � � How to do Broadcast with ? Construction using: Hardware. How??? Signature Scheme [LSP82,DS82,PW96] + Consistent PKI.

✟ ☎ ✟ ✟ ✟ ✟ ✝ � � ✄ � ✂ � ✁ � MPC with Signature Scheme ... ...

✁ � ✂ ✄ ☎ � ✁ ✂ ✄ ✆ MPC: Compare Models Standard model: Standard Model with Signature Scheme and consistent PKI:

✁ � ✂ ✄ ☎ � � ✁ MPC: Compare Models Standard model: Standard Model with Signature Scheme and consistent PKI: Adversary can forge Signature or make PKI inconsistent.

� ✁ ✂ � ✁ � Model - Idea Adversary - can Forge Signature - can make PKI inkonsistent

✂ ✄ ☎ ✂ ✄ ✆ Model - Idea ? Adversary - can Forge Signature - can make PKI inkonsistent

✂ ✄ ☎ ✂ ✄ ✆ Model - Idea ? Adversary - can Forge Signature - can make PKI inkonsistent

� ✁ � � ✁ � � Hybrid Security Model , ✁ ☎✂ ✁ ✁� ✁ ✄✂ A B C D Adversary can: corrupt up to players. if , forge signatures. if , make the PKI inconsistent. ✁ ☎✂

✂ � ✁ � � ✁ Previous Results: Tight Bounds T n 2 n 3 n n 3 3 n 2 n n t t p σ

✏ ✂ ✂ � ✁ � ✁ ✡ � � � ✏ ✄ ✡ � ✁ � ✂ � ✁ � ✁ � � � ✁ Tight Bounds for Hybrid Security T n 2 n 4 n 3 n n 3 3 n 2 n n t p t σ ✁ ✄✂

☛ ✁ � ☛ ✂ � ✁ � The Protocol - Idea MPC: [RB89] / [B89] ✁ ☎✂ Broadcast

� � ✂ � ☛ � ✁ ☛ ✁ ✁ � ✂ ☛ � ✁ ☛ The Protocol - Idea MPC: [RB89] / [B89] ✁ ☎✂ Broadcast: [FM00] ✁ ☎✂ Weak Broadcast [Dolev82]

✏ ✂ � ✂ � ✁ � ✡ ✄ ✏ � ✂ � ✡ � ✁ � � ✂ ☛ � ☛ ✁ ☛ ✁ � ☛ ✁ � The Protocol - Idea MPC: [RB89] / [B89] ✁ ☎✂ Broadcast: [FM00] ✁ ☎✂ Weak Broadcast [this paper] ✁ ☎✂

� � � � ✡ � � ✂ ✏ � ✄ ✡ � ✁ � ✂ ✁ ✂ ✏ � ☛ ✁ � ☛ ✟ ✂ ✁ � � ✟ ☛ ✁ � ☛ � The Protocol - Idea MPC: [RB89] / [B89] ✁ ☎✂ Broadcast: [FM00] ✁ ☎✂ Weak Broadcast [this paper] ✁ ☎✂ . . Weak Broadcast: .

� Weak Broadcast - Protocol

� � Weak Broadcast - Protocol

� � � � � Weak Broadcast - Protocol

� � � � � ✁ ✁ � � � � Weak Broadcast - Protocol

� ✁ ✁ � � � � � ✁ ✁ � ✁ ✁ Weak Broadcast - Protocol

✟ ✝ ✝ � � ✁ ✝ ✁ ✞ � ✝ ✟ ✁ ✝ ✁ ✞ ✝ � ✟ ✞ ✠ ✝ ✁ ✁ ✁ � � � � � ✁ ✞ � ✁ ✁ ✁ ✠ � ✝ � ✄ Weak Broadcast - Protocol honest? ✁ ✄✂ ✁✂✁✄✁✄✁✂✁✄☎ Output , if: ✁ ✁� ✁✂✁✄✁✂✁✄✁✄✆ and otherwise.

� ✁ ✁ � � ✁ � ✏ ✁ ✂ � � � ✡ ✄ ✏ � ✂ � � ✡ ✁ ✂ Conclusion MPC with Hybrid Security: Tight Bound: ✁ ☎✂ Trade-Off For Free! Efficient!