
Multi-Party Function Evaluation with Perfectly Private Audit Trail

Multi-Party Function Evaluation with Perfectly Private Audit Trail. Edouard Cuvelier & Olivier Pereira, Université catholique de Louvain, ICTEAM Crypto Group, 1348 Louvain-la-Neuve, Belgium. UCL Crypto Group, SDTA, December 2014.


  1. Multi-Party Function Evaluation with Perfectly Private Audit Trail. Édouard Cuvelier & Olivier Pereira, Université catholique de Louvain, ICTEAM Crypto Group, 1348 Louvain-la-Neuve, Belgium. UCL Crypto Group, Microelectronics Laboratory. SDTA, December 2014.

  3. Privacy vs Verifiability – Two Extremes

     |               | Public Auctions | Sealed Bids Auctions |
     |---------------|-----------------|----------------------|
     | Verifiability | 100%            | 0%                   |
     | Privacy       | 0%              | 100%                 |

     How to reconcile Privacy and Verifiability?

  4. Objectives
     - Generic: evaluate any computable function in a multi-party setting
     - Privacy: parties only trust a third party for privacy
     - Verifiability: guarantee correctness of the result
     - Efficiency: run in reasonable execution time and memory size on a standard laptop

  5. Outline
     1. Motivations
     2. Protocol description
     3. Three test applications
     4. Conclusion

  6. Motivations
     A direct solution is the use of “Classic” Secure Multi-Party Computation...

  7. “Classic” Secure Multi-Party Computation
     [Figure: Client 1 (input: $x_1$), Client 2 (input: $x_2$) and Client 3 (input: $x_3$), each labelled with $f(x_1, x_2, x_3)$.]

  8. Motivations I
     A direct solution is the use of “Classic” Secure Multi-Party Computation...
     Interesting features:
     - No need for a trusted third party
     - Allows evaluating any arithmetic or boolean function [VIFF, Fairplay, Sharemind, TASTY]
     - Existing implementations are more and more efficient [SPDZ (Damgård et al. 13), BeDOZa (Bendlin et al. 10), TinyOT (Nielsen et al. 12)]

  9. Motivations II
     In practice, it raises issues:
     - Go from 3 clients to 3333 clients?
     - Online infrastructure
     - Clients need to agree on the algorithm to compute the function
     - Still not efficient enough to solve complex functions (NP-hard problems)

  11. Protocol Description
      [Figure: Client 1, Client 2, ..., Client n post $\mathrm{Com}(x_1), \mathrm{Com}(x_2), \dots, \mathrm{Com}(x_n)$ on the Public Bulletin Board and send $\mathrm{Enc}(x_1), \mathrm{Enc}(x_2), \dots, \mathrm{Enc}(x_n)$ to the Worker; the Worker produces $f(x_1, \dots, x_n)$ and proof.]
      $\mathrm{Com}(x)$ is a commitment on the value $x$ (e.g. $\mathrm{Com}(x) = g^x h^r$).
      - $\mathrm{Com}(x)$ is perfectly private (information theory)
      - $\mathrm{Com}(x)$ is computationally binding
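
The two properties claimed for Com(x) can be checked on the slide's example form $g^x h^r$. The following is an added example, not code from the presentation or its authors: it uses a toy prime-order subgroup of $\mathbb{Z}_p^*$ (constructed, insecure parameters) instead of an elliptic curve, and the names `commit`, `combine`, `equivocate` and the known trapdoor `T` are assumptions made for the demonstration.

```python
import secrets

# Toy group, constructed for illustration and far too small to be secure:
# p = 2q + 1 with p and q prime; the squares mod p form the subgroup of order q.
P, Q = 1019, 509
G = 4                 # 2^2 mod p, generates the order-q subgroup
T = 123               # trapdoor log_g(h); known here only to run the demonstration
H = pow(G, T, P)

def commit(x, r):
    """Com(x) = g^x * h^r mod p, the example form given on the slide."""
    return pow(G, x % Q, P) * pow(H, r % Q, P) % P

def verify_opening(c, x, r):
    """Audit check: does (x, r) open the published commitment c?"""
    return c == commit(x, r)

def combine(c1, c2):
    """Additive homomorphism: Com(x1; r1) * Com(x2; r2) = Com(x1 + x2; r1 + r2)."""
    return c1 * c2 % P

def equivocate(x, r, x_new):
    """Using the trapdoor, return r_new such that (x_new, r_new) opens Com(x; r).
    An r_new exists for every x_new, so c alone carries no information about x
    (perfect privacy); binding holds only while nobody can compute T."""
    return (r + (x - x_new) * pow(T, -1, Q)) % Q

def demo():
    x1, r1 = 42, secrets.randbelow(Q)      # constructed sample inputs
    x2, r2 = 100, secrets.randbelow(Q)
    c1, c2 = commit(x1, r1), commit(x2, r2)
    sum_opens = verify_opening(combine(c1, c2), x1 + x2, r1 + r2)
    # Every candidate value in Z_q is consistent with the same public c1.
    all_open = all(verify_opening(c1, v, equivocate(x1, r1, v)) for v in range(Q))
    return sum_opens, all_open

if __name__ == "__main__":
    print(demo())     # (True, True)
```

In a deployment the generators must be set up so that no party learns `T`; anyone who does can open a posted commitment to any value.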

  13. Advantages of the model I
      - No communications between the clients
      [Figure: two diagrams of clients $C_1, \dots, C_8$, without and with the Worker, separated by "versus".]

  15. Advantages of the model II
      - No communications between the clients
      - The Worker can use his own sophisticated algorithms without compromising his intellectual property when the verification is not the algorithm itself
      - Gain in complexity when the proof is simpler to compute than the function itself

  16. A word on Encryption-Commitment
      Commitment Consistent Encryption (CCEnc), proposed at ESORICS 13 (Cuvelier, Pereira & Peters):
      CCEnc = (Gen, Enc, Dec, DerivCom, Open, Verify)
      Ensure consistency between the commitment and the encryption!

  17. Efficient implementation over Elliptic Curve I
      $G_1$, $G_2$, $G_T$: different groups of the same prime order $q$.
      A bilinear map $e : G_1 \times G_2 \to G_T$ with
      - $e(g^a, h) = e(g, h)^a$
      - $e(g, h^b) = e(g, h)^b$
      [Figure: the groups $G_1$, $G_2$, $G_T$ with the elements $g$, $g^a$, $h$, $h^b$ and their pairing.]
      In our case: $G_1 = E(\mathbb{F}_p)$, $G_2 \subset E'(\mathbb{F}_{p^2})$ and $G_T \subset \mathbb{F}_{p^{12}}$, where $E$ is a BN-curve and $E'$ the twisted curve $\sim E$.

  21. Efficient implementation over Elliptic Curve II
      Additively homomorphic encryption & commitment of a small $m \in \mathbb{Z}_q$, over the groups $G_1$, $G_2$, $G_T$:
      - elements: $h$, $h_1 = h^{x_1}$ and $g$, $g_1$
      - $d = g^r g_1^m$
      - $c_1 = h^s$, $c_2 = h^r h_1^s$
      - $\mathrm{Dec}_{sk}(c)$: DLog of $e(g, c_1^{x_1}/c_2) \cdot e(d, h) = e(g_1, h)^m$
      - $\mathrm{Open}_{sk}(c)$: $a = c_2 / c_1^{x_1}$
      - $\mathrm{Verif}_{pk}(d, m, a)$: $e(g, a) \stackrel{?}{=} e(d/g_1^m, h)$

  22. A word on the proof
      The Proof of correctness is an aggregation of proofs on intermediate assumptions:
      - performed on the commitment space
      - the proofs are Zero-Knowledge Proofs of Knowledge (ZKPK) that are rendered Non-Interactive
      - ZKPK needed for multiplication and for range proof
      - efficient in our elliptic curves based setting

  23. A word on the proof - multiplication proof
      From Damgård & Fujisaki 02: given $\mathrm{Com}_1 = g^{r_1} g_1^{x_1}$, $\mathrm{Com}_2 = g^{r_2} g_1^{x_2}$, $\mathrm{Com}_3 = g^{r_3} g_1^{x_3}$, we prove in NIZK that $x_3 = x_1 x_2$:
      1. Prove the knowledge of the openings of $\mathrm{Com}_1$, $\mathrm{Com}_2$, $\mathrm{Com}_3$
      2. Prove that $\mathrm{Com}_3$ commits on the same value as $\mathrm{Com}_2$ using base $\mathrm{Com}_1$
      - online verification
      - offline verification by using a precomputed multiplicative triplet [SPDZ]
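
Step 2 of the multiplication proof can be made concrete as a sigma protocol turned non-interactive with Fiat-Shamir. This is an added example, not code from the presentation or its authors: it assumes a standard equality-of-committed-value proof, works in a toy prime-order subgroup of $\mathbb{Z}_p^*$ (constructed, insecure parameters) rather than on the BN curve, leaves out step 1 for $\mathrm{Com}_1$ and $\mathrm{Com}_3$, and the names `prove_mul`, `verify_mul` and `wrong_product_rejected` are hypothetical.

```python
import hashlib
import secrets

# Toy group, constructed for illustration (insecure size): p = 2q + 1, order-q subgroup.
P, Q = 1019, 509
G, G1 = 4, 9          # two subgroup elements; log_g(g_1) is assumed unknown

def com(base, x, r):
    """g^r * base^x mod p; base is g_1 for ordinary commitments, Com_1 in step 2."""
    return pow(G, r % Q, P) * pow(base, x % Q, P) % P

def challenge(*elems):
    """Fiat-Shamir: hash the statement and first message into a challenge in Z_q."""
    data = ",".join(str(v) for v in elems).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_mul(x1, r1, x2, r2, r3):
    """Commit to x1, x2, x3 = x1*x2 and prove that Com_3 hides the value of Com_2
    under base Com_1, using Com_3 = g^(r3 - r1*x2) * Com_1^x2."""
    c1, c2, c3 = com(G1, x1, r1), com(G1, x2, r2), com(G1, x1 * x2, r3)
    rho = (r3 - r1 * x2) % Q                  # randomness of Com_3 relative to base Com_1
    a, b, c = (secrets.randbelow(Q) for _ in range(3))
    t2, t3 = com(G1, b, a), com(c1, b, c)     # one mask b for the shared value x2
    e = challenge(c1, c2, c3, t2, t3)
    proof = (t2, t3, (b + e * x2) % Q, (a + e * r2) % Q, (c + e * rho) % Q)
    return (c1, c2, c3), proof

def verify_mul(coms, proof):
    """Check both relations with the same response z_x, which ties the two values."""
    c1, c2, c3 = coms
    t2, t3, z_x, z_2, z_3 = proof
    e = challenge(c1, c2, c3, t2, t3)
    ok2 = com(G1, z_x, z_2) == t2 * pow(c2, e, P) % P
    ok3 = com(c1, z_x, z_3) == t3 * pow(c3, e, P) % P
    return ok2 and ok3

def wrong_product_rejected(trials=5):
    """Swap Com_3 for a commitment to x1*x2 + 1; honest proofs must stop verifying."""
    for _ in range(trials):
        (c1, c2, c3), proof = prove_mul(6, 11, 7, 23, 35)
        if not verify_mul((c1, c2, c3 * G1 % P), proof):
            return True
    return False
```

The verifier only ever sees commitments, masked first messages and responses, so the audit trail reveals nothing about $x_1$, $x_2$ or $x_3$ beyond the product relation.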

  24. A word on the proof - range proof
      Given $\mathrm{Com}(x) = g^r g_1^x$, we prove in NIZK that $x \in [0, L[$, $L \le 2^{16}$:
      - needed for branching operators ($<$)
      - based on signature-pairing (Camenisch et al. 08)
        - amortized cost for small $L$
        - trusted setup
        - precomputation
      - based on binary decomposition $L = 2^{k+1}$ and ZKPK$_{0,1}$
        - cost linear in $k$

  25. A word on the proof - complexity
      - $M$: 1 scalar multiplication over EC
      - $M_p$: 1 scalar multiplication over EC with precomputation, $\approx 1/5\,M$
      - $A$: 1 addition over EC
      - $U$: 1 integer in $\mathbb{Z}_q$

      |                          | Computation     | Verification                      | Size  |
      |--------------------------|-----------------|-----------------------------------|-------|
      | Commitment               | $2M_p + 1A$     | $2M_p + 1A$                       | $2U$  |
      | ZKPK$_{0,1}$             | $4M_p + 2A$     | $2M + 3M_p + 3A$                  | $4U$  |
      | ZKPK$_{dLog}$            | $4M_p + 2A$     | $2M + 4M_p + 4A$                  | $4U$  |
      | ZKPK$_{consist}$         | $8M_p + 3A$     | $8M_p + 3A$                       | $4U$  |
      | ZKPK$_{mul}$             | $6M_p + 3A$     | $4M + 5M_p + 6A$                  | $6U$  |
      | ZKPK$_{range}(2^{k+1})$  | $6kM_p + 3kA$   | $(3k-1)M + 3kM_p + (4k-1)A$       | $6kU$ |

  28. 1st application : Auctions
      [Figure: the Clients post $\mathrm{Com}(x_1), \mathrm{Com}(x_2), \mathrm{Com}(x_3), \dots, \mathrm{Com}(x_n)$ on the Bulletin Board; the Worker holds $x_1, x_2, x_3, \dots, x_n$ and applies optimal sorting in $O(n \log n)$ to obtain $x_3, x_7, x_1, x_{10}, \dots$; the commitments are shown in the same order, $\mathrm{Com}(x_3), \mathrm{Com}(x_7), \mathrm{Com}(x_1), \dots, \mathrm{Com}(x_{10})$.]
