Non-Cryptographic Fault-Tolerant Distributed Computation
Marek Hamerlik
December 6, 2007

Completeness Theorems
Every function of n inputs can be efficiently computed by a complete network of n processors in such a way that:
- If no faults occur, no set of size t < n/2 of players gets any additional information (other than the function value),
- Even if Byzantine faults are allowed, no set of size t < n/3 can either disrupt computation or get additional information.
The above bounds are tight!

Cryptographic approach
- one-way functions
- zero-knowledge proofs
- participants computationally bounded
- if no faults occur, no subset of the players can compute any additional information
- if Byzantine faults are allowed, no set of size t < n/2 can either disrupt computation or compute additional information

Non-Cryptographic approach
- secure channels
- participants computationally unbounded
- stronger notion of privacy - some things cannot be computed at all, not only in some time limit!
- if no faults occur, no set of size t < n/2 can compute any additional information
- if Byzantine faults are allowed, no set of size t < n/3 can either disrupt computation or compute additional information

Remarks
- one-way functions are "more powerful" than secure channels
- no bound on computational power is used only to allow:
  - the most stringent definition of privacy
  - the most liberal definition of faultiness
- the protocol requires only a polynomial amount of work from players

Model of computations
- complete synchronous network of n processors
- secure pairwise communication channels between players
- in one round:
  - arbitrary amount of local computation
  - send a message to each of the players
  - read all messages that were sent in that round

What are we computing?
- some fixed finite field E, where |E| > n
- function F is a polynomial over E (inputs and outputs from E)
- computation of function F from n inputs to n outputs
- player i holds the i-th input and should obtain the i-th output
- we are given some arithmetic circuit computing F using addition and multiplication, and constants from E

Faults
- "Gossip" and "Byzantine" faults
- A protocol is t-private if any set of at most t players cannot compute after the protocol more than they could jointly compute solely from their set of private inputs and outputs.
- A protocol is t-resilient if no set of t or fewer players can influence the correctness of the outputs of the remaining players.
- The function definition should specify what it is if some players neglect to give their inputs or are caught cheating.

Shamir's secret sharing scheme - What does it give?
- sharing a secret among n participants
- divide the secret into parts
- give each participant a unique part
- k parts (k ≤ n) are needed to reconstruct the secret

How does it work?
- d + 1 points define a polynomial of degree d
- tunable k and n parameters

Sharing secret s
- choose at random k − 1 coefficients $a_1, \dots, a_{k-1}$ and let $a_0 = s$
- build the polynomial $f(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{k-1} x^{k-1}$
- choose any n distinct points of it (except for 0)
- send the argument-value pairs to the n participants

Gathering
- gather at least k shares
- find the coefficients by interpolation
- evaluate $a_0$ (= s)

Dividing the computation
- Stage I: Input stage. Each player enters its input using Shamir's secret sharing procedure.
- Stage II: Computation stage. Players simulate the circuit computing F, gate by gate, keeping the value computed by each gate as a secret shared by everyone.
- Stage III: Final stage. Secret shares of the final value are revealed to one or all of the players.
Stages I and III are very simple.

The input stage
- Each player introduces its input s using Shamir's secret sharing procedure.
- The value of the input is completely independent from the shares $s_i$ that are given to any set of t players.

The final stage
- during the whole computation each gate output s will be shared among all players using some random polynomial f of degree t with f(0) = s
- in particular, at the end of the computation we will have the output of function F shared among all players
- to get the result we gather it as in Shamir's secret sharing procedure

The final stage - no additional information
- there is a one-to-one correspondence between the polynomial coefficients and the set of all shares
- all coefficients of f, except for its free coefficient, are uniform random variables
- the shares do not contain any information about the inputs that does not follow from f(0)

How do we compute?
Let a, b be two secrets shared with polynomials f(x), g(x) respectively, and let c ∈ E, c ≠ 0 be some constant.
Possible operations:
- c ∗ a
- a + b
- a ∗ b
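
The sharing, gathering and share-wise gate evaluation described above, as an added Python example (not code from the original slides). It assumes the prime field GF(2^61 − 1) as E, evaluation points 1..n and constructed sample secrets, and all function names are hypothetical. For a ∗ b it goes slightly beyond the slide and shows only that share-wise products lie on a polynomial of degree 2t, so 2t + 1 shares are needed to read the product.

```python
import secrets

P = 2**61 - 1  # assumed prime modulus: E = GF(P), so |E| > n

def share(s, t, n):
    """Shamir-share s with a random degree-t polynomial f, f(0) = s.
    Player i (1..n) receives f(i); the point 0 is never handed out."""
    coeffs = [s % P] + [secrets.randbelow(P) for _ in range(t)]
    return {i: sum(c * pow(i, j, P) for j, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}

def reconstruct(shares):
    """Gathering: Lagrange-interpolate the shared polynomial at x = 0."""
    total = 0
    for i, y in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + y * num * pow(den, -1, P)) % P
    return total

def first(shares, k):
    """Keep only the shares held by players 1..k."""
    return {i: shares[i] for i in range(1, k + 1)}

# Gates evaluated locally: each player touches only its own shares.
def scale(c, A):       # c * a, still shared with degree t
    return {i: c * A[i] % P for i in A}

def add(A, B):         # a + b, still shared with degree t
    return {i: (A[i] + B[i]) % P for i in A}

def mul_local(A, B):   # a * b, but now on a polynomial of degree 2t
    return {i: A[i] * B[i] % P for i in A}

def demo(a=20071206, b=42, c=7, t=2, n=5):
    # a, b, c are constructed sample values; t < n/2 so that 2t + 1 <= n
    A, B = share(a, t, n), share(b, t, n)
    return {
        "c*a": reconstruct(first(scale(c, A), t + 1)),
        "a+b": reconstruct(first(add(A, B), t + 1)),
        "a*b from 2t+1 shares": reconstruct(first(mul_local(A, B), 2 * t + 1)),
        "a*b from t+1 shares": reconstruct(first(mul_local(A, B), t + 1)),
    }
```

With t + 1 shares the share-wise product interpolates to an unrelated field element, which is why the computation stage cannot simply multiply shares and continue at degree t.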