preprocessing based verification of multiparty protocols
play

Preprocessing Based Verification of Multiparty Protocols with an - PowerPoint PPT Presentation

Nov 09, 2023 •244 likes •641 views

Preprocessing Based Verification of Multiparty Protocols with an Honest Majority 20.07.17 Alisa Pankova Roman Jagomgis Peeter Laud 1 / 10 Secure Multiparty Computation 2 / 10 Secure Multiparty Computation 2 / 10 Secure Multiparty

  1. Preprocessing Based Verification of Multiparty Protocols with an Honest Majority 20.07.17 Alisa Pankova Roman Jagomägis Peeter Laud 1 / 10

  2. Secure Multiparty Computation 2 / 10

  3. Secure Multiparty Computation 2 / 10

  4. Secure Multiparty Computation 2 / 10

  5. Secure Multiparty Computation 2 / 10

  6. Secure Multiparty Computation ◮ Passive adversary: all parties follow the protocol. 2 / 10

  7. Secure Multiparty Computation ◮ Passive adversary: all parties follow the protocol. ◮ Active adversary: corrupted parties may cheat. 2 / 10

  8. Secure Multiparty Computation ◮ Passive adversary: all parties follow the protocol. ◮ Active adversary: corrupted parties may cheat. 2 / 10

  9. Secure Multiparty Computation ◮ Passive adversary: all parties follow the protocol. ◮ Active adversary: corrupted parties may cheat. 2 / 10

  10. Secure Multiparty Computation ◮ Passive adversary: all parties follow the protocol. ◮ Active adversary: corrupted parties may cheat. 2 / 10

  11. Secure Multiparty Computation ◮ Passive adversary: all parties follow the protocol. ◮ Active adversary: corrupted parties may cheat. ◮ Covert adversary: will not cheat if it will be caught. 2 / 10

  12. Verifiable MPC with Honest Majority ◮ Execution: run the passively secure protocol. 3 / 10

  13. Verifiable MPC with Honest Majority ◮ Execution: run the passively secure protocol. ◮ Verification: each party proves that it followed the protocol. 3 / 10

  14. Verifiable MPC with Honest Majority ◮ Preprocessing: generate correlated randomness. ◮ Execution: run the passively secure protocol. ◮ Verification: each party proves that it followed the protocol. 3 / 10

  15. Verifiable MPC with Honest Majority ◮ Preprocessing: generate correlated randomness. ◮ Execution: run the passively secure protocol. ◮ Verification: each party proves that it followed the protocol. 3 / 10

  16. Execution Phase ◮ Run the initial passively secure protocol. ◮ Each message m is provided with a sender’s signature σ m . 4 / 10

  17. Execution Phase ◮ Run the initial passively secure protocol. ◮ Each message m is provided with a sender’s signature σ m . 4 / 10

  18. Execution Phase ◮ Run the initial passively secure protocol. ◮ Each message m is provided with a sender’s signature σ m . 4 / 10

  19. Execution Phase ◮ Run the initial passively secure protocol. ◮ Each message m is provided with a sender’s signature σ m . ◮ If Alice refuses to send ( m , σ m ) Bob asks Chris to deliver it. ◮ If Alice or Bob is corrupt, ( m , σ m ) is already known to the attacker anyway. 4 / 10

  20. Verification phase Each party (the prover P ) proves its honesty to the other parties (the verifiers V 1 and V 2 ) . All relevant values of P are shared among V 1 and V 2 : ◮ Message m: m + 0 or 0 + m ◮ Input x: x 1 + x 2 ◮ Correlated randomness r: r 1 + r 2 known by P , shared in the preprocessing phase. All shares are signed by the prover. 5 / 10

  21. Verification phase (reproducing computation of P ) 6 / 10

  22. Verification phase (reproducing computation of P ) ◮ P takes precomputed correlated randomness (e.g. Beaver triples ( a , b , c ) s.t. c = a · b ). 6 / 10

  23. Verification phase (reproducing computation of P ) ◮ P takes precomputed correlated randomness (e.g. Beaver triples ( a , b , c ) s.t. c = a · b ). ◮ P sends hints to V 1 and V 2 . 6 / 10

  24. Verification phase (reproducing computation of P ) ◮ P takes precomputed correlated randomness (e.g. Beaver triples ( a , b , c ) s.t. c = a · b ). ◮ P sends hints to V 1 and V 2 . ◮ V 1 and V 2 use the hints to reproduce computation of P . 6 / 10

  25. Verification phase (reproducing computation of P ) ◮ P takes precomputed correlated randomness (e.g. Beaver triples ( a , b , c ) s.t. c = a · b ). ◮ P sends hints to V 1 and V 2 . ◮ V 1 and V 2 use the hints to reproduce computation of P . ◮ V 1 and V 2 verify the hints. 6 / 10

  26. Verification phase (reproducing computation of P ) ◮ P takes precomputed correlated randomness (e.g. Beaver triples ( a , b , c ) s.t. c = a · b ). ◮ P sends hints to V 1 and V 2 . ◮ V 1 and V 2 use the hints to reproduce computation of P . ◮ V 1 and V 2 verify the hints. ◮ V 1 and V 2 check if they get committed messages of P . 6 / 10

  27. Verification phase (reproducing computation of P ) ◮ P takes precomputed correlated randomness (e.g. Beaver triples ( a , b , c ) s.t. c = a · b ). ◮ P sends hints to V 1 and V 2 . ◮ V 1 and V 2 use the hints to reproduce computation of P . ◮ V 1 and V 2 verify the hints. ◮ V 1 and V 2 check if they get committed messages of P . 6 / 10

  28. Verification phase (checking if z = 0) ◮ V 1 and V 2 exchange h 1 = H ( z 1 ) and h 2 = H ( − z 2 ) , and check h 1 = h 2 . 7 / 10

  29. Verification phase (checking if z = 0) ◮ V 1 and V 2 exchange h 1 = H ( z 1 ) and h 2 = H ( − z 2 ) , and check h 1 = h 2 . ◮ If h 1 � = h 2 , they send h 1 and h 2 to P . 7 / 10

  30. Verification phase (checking if z = 0) ◮ V 1 and V 2 exchange h 1 = H ( z 1 ) and h 2 = H ( − z 2 ) , and check h 1 = h 2 . ◮ If h 1 � = h 2 , they send h 1 and h 2 to P . ◮ P has right to complain against one verifier (e.g V 1 ). 7 / 10

  31. Verification phase (checking if z = 0) ◮ V 1 and V 2 exchange h 1 = H ( z 1 ) and h 2 = H ( − z 2 ) , and check h 1 = h 2 . ◮ If h 1 � = h 2 , they send h 1 and h 2 to P . ◮ P has right to complain against one verifier (e.g V 1 ). ◮ V 1 opens its shares of P commitments with all signatures. 7 / 10

  32. Verification phase (checking if z = 0) ◮ V 1 and V 2 exchange h 1 = H ( z 1 ) and h 2 = H ( − z 2 ) , and check h 1 = h 2 . ◮ If h 1 � = h 2 , they send h 1 and h 2 to P . ◮ P has right to complain against one verifier (e.g V 1 ). ◮ V 1 opens its shares of P commitments with all signatures. ◮ V 2 repeats the computation of V 1 , getting h 1 . 7 / 10

  33. Preprocessing Phase ◮ The prover P generates correlated randomness (e.g. Beaver triples in a certain ring Z m ). 8 / 10

  34. Preprocessing Phase ◮ The prover P generates correlated randomness (e.g. Beaver triples in a certain ring Z m ). ◮ It additively shares the randomness among V 1 and V 2 . 8 / 10

  35. Preprocessing Phase ◮ The prover P generates correlated randomness (e.g. Beaver triples in a certain ring Z m ). ◮ It additively shares the randomness among V 1 and V 2 . ◮ V 1 and V 2 run cut-and-choose and pairwise checks to verify that correlation holds (e.g. that a · b = c ). 8 / 10

  36. Preprocessing Phase ◮ The prover P generates correlated randomness (e.g. Beaver triples in a certain ring Z m ). ◮ It additively shares the randomness among V 1 and V 2 . ◮ V 1 and V 2 run cut-and-choose and pairwise checks to verify that correlation holds (e.g. that a · b = c ). 8 / 10

  37. Preprocessing Phase (other preprocessed tuples) ◮ We also have other types of preprocessed tuples: ◮ Trusted bits b ∈ { 0 , 1 } shared over Z 2 m . ◮ Characteristic vector tuple ( r ,� b ) (i.e b r = 0 iff i � = r ). a ,� b ) s.t the vector � ◮ Rotation tuple ( r ,� b is � a rotated by r . a ,� b ) s.t � ◮ Permutation tuple ( π,� b = π ( � a ) . ◮ Their generation and verification is analogous. 9 / 10

  38. Summary ◮ We proposed a generic method for achieving covert security under honest majority assumption. ◮ Applying it to Sharemind SMC platform, we get efficient actively secure protocols with identifiable abort. ◮ The overhead of the execution phase is insignificant. ◮ In practice, the bottleneck of active security is generation of preprocessed tuples. 10 / 10

Recommend

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty

Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty

Yehuda Lindell (BIU) Amos Beimel (BGU BGU) Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty protocols wi without out an honest majority Positive result: 1/p-secure protocols for cons

487 views • 27 slides
Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko Yoshida Imperial College London 1 In collaboration with: Matthew Arrott (OOI) Gary Brown (Red Hat) Stephen Henrie (OOI) Bippin Makoond

1.38k views • 80 slides
Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko Yoshida Imperial College London 1 In collaboration with: Matthew Arrott (OOI) Gary Brown (Red Hat) Stephen Henrie (OOI) Bippin Makoond

1.38k views • 78 slides
Simultaneous Multiparty Communication Protocols for Composed Functions Yassine Hamoudi IRIF ,

Simultaneous Multiparty Communication Protocols for Composed Functions Yassine Hamoudi IRIF ,

Simultaneous Multiparty Communication Protocols for Composed Functions Yassine Hamoudi IRIF , Universit Paris Diderot, CNRS MFCS 2018 Number-On-Forehead model [Chandra, Furst, Lipton83] 2 F : X 1 X k {0,1} Player 1 Player

772 views • 33 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
1 Pitfalls of Lock-Based Protocols (Cont.) The Two-Phase Locking Protocol The potential for

1 Pitfalls of Lock-Based Protocols (Cont.) The Two-Phase Locking Protocol The potential for

Concurrency Control Lock-Based Protocols Timestamp-Based Protocols Lecture 9 Concurrency Control Validation-Based Protocols Multiple Granularity Multiversion Schemes Deadlock Handling Chapter 16 Insert and Delete

780 views • 8 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
SIMPLE Multiparty Chat draft-niemi-simple-chat-04.txt Aki Niemi aki.niemi@nokia.com Tuesday,

SIMPLE Multiparty Chat draft-niemi-simple-chat-04.txt Aki Niemi aki.niemi@nokia.com Tuesday,

SIMPLE Multiparty Chat draft-niemi-simple-chat-04.txt Aki Niemi aki.niemi@nokia.com Tuesday, March 21, 2006 IETF65 SIMPLE WG Background Multiparty, or multi-user chat protocols have existed since late 1980s Some features common

339 views • 9 slides
Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

605 views • 46 slides
20-03-28 9. General Improvement Techniques 9.1 Preprocessing There are several

20-03-28 9. General Improvement Techniques 9.1 Preprocessing There are several

20-03-28 9. General Improvement Techniques 9.1 Preprocessing There are several concepts/techniques to improve The following is based on slides by Michael M. Richter. learning results that are general enough to be applicable Data preprocessing

221 views • 3 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides
protocols Protocols where the users of the protocol dont trust each other, but nevertheless

protocols Protocols where the users of the protocol dont trust each other, but nevertheless

Multiparty Computation (MPC) protocols Protocols where the users of the protocol dont trust each other, but nevertheless they want to achieve a common goal I dont trust Bob I dont trust Alice Alice Bob bfa1406343bb49 ga63w234349aa

804 views • 26 slides
SAT-based verification (BMC, temporal induction) Mary Sheeran, Chalmers SAT-based verification

SAT-based verification (BMC, temporal induction) Mary Sheeran, Chalmers SAT-based verification

SAT-based verification (BMC, temporal induction) Mary Sheeran, Chalmers SAT-based verification now hot Used here in Sweden since 1989 mostly in safety critical applications (railway control program verification) Bounded Model Checking a

468 views • 25 slides
Constant-Overhead Secure Computation using Preprocessing Ivan Damgrd, Sarah Zakarias Aarhus

Constant-Overhead Secure Computation using Preprocessing Ivan Damgrd, Sarah Zakarias Aarhus

Constant-Overhead Secure Computation using Preprocessing Ivan Damgrd, Sarah Zakarias Aarhus University, Denmark Multiparty Computation Goal: Compute circuit UC-securely Unlike previous talk: I Interested in d i complexity of protocol

462 views • 21 slides
An Introduction to Practical Multiparty Computation This Talk MPC Frameworks - General

An Introduction to Practical Multiparty Computation This Talk MPC Frameworks - General

Jack Doerner [Northeastern U] An Introduction to Practical Multiparty Computation This Talk MPC Frameworks - General Computation Circuit Structures - Solving Specific Problems The Memory Problem - A Perpetual Bugbear Custom Protocols

855 views • 53 slides
TOWARDS EFFICIENT VERIFICATION OF POPULATION PROTOCOLS Michael Blondin, Javier Esparza, Philipp

TOWARDS EFFICIENT VERIFICATION OF POPULATION PROTOCOLS Michael Blondin, Javier Esparza, Philipp

TOWARDS EFFICIENT VERIFICATION OF POPULATION PROTOCOLS Michael Blondin, Javier Esparza, Philipp J. Meyer Stefan Jaax TU Mnchen Population Protocols Population protocols (Angluin et al., 2004) are a model of Can be used to model networks of

471 views • 29 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Introduction on security protocols Formal models Unbounded number of sessions Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/65 V eronique Cortier Verification of Security

1.29k views • 111 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, Universit Paris Saclay, France Monday, June 27th, 2016 S. Delaune (LSV) Verification of security protocols 27th June 2016 1

1.88k views • 175 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Verification of Communication Protocols with Messages Carrying Values Tristan Le Gall joint work

Verification of Communication Protocols with Messages Carrying Values Tristan Le Gall joint work

ASYNCHRON 2006 Verification of Communication Protocols with Messages Carrying Values Tristan Le Gall joint work with Bertrand Jeannet and Thierry J eron Vertecs team IRISA/INRIA Rennes page 1 Comunication protocols Communication

563 views • 39 slides

More recommend