size hiding computation for multiple parties
play

Size-Hiding Computation for Multiple Parties Kazumasa Shinagawa 1,2 - PowerPoint PPT Presentation

Nov 23, 2023 β€’229 likes β€’524 views

Size-Hiding Computation for Multiple Parties Kazumasa Shinagawa 1,2 Koji Nuida 2,3 Takashi Nishide 1 Goichiro Hanaoka 2 Eiji Okamoto 1 1: University of Tsukuba, 2: AIST, 3: JST PRESTO 1 Secure Multiparty Computation l Each party "

  1. Size-Hiding Computation for Multiple Parties Kazumasa Shinagawa 1,2 Koji Nuida 2,3 Takashi Nishide 1 Goichiro Hanaoka 2 Eiji Okamoto 1 1: University of Tsukuba, 2: AIST, 3: JST PRESTO 1

  2. Secure Multiparty Computation l Each party 𝑄 " has some private input 𝑦 " l The parties wish to compute a function 𝑧 = 𝑔(𝑦 ( , β‹―, 𝑦 + ) without revealing the inputs l Consider the single output, semi-honest, π‘œ βˆ’ 1 corruption 𝑦 0 𝑦 ( 𝑦 4 𝑦 1 𝑦 2 𝑦 3 2

  3. Size-Hiding Computation l can hide some of input/output-sizes from some of parties l Each private size can be hidden from different set of parties l It is known that some of size-hiding is impossible in general l Which type of size-hiding is possible in general? This Talk complete characterization for the feasibility (assuming the existence of FHE) 3

  4. Set Intersection l Police has a list of terrorists π‘Œ l Company has a list of customers 𝑍 l Police wants to compute π‘Œ ∩ 𝑍 without revealing |π‘Œ| l NaΓ―ve approach: Padding l Padding is inefficient Compute π‘Œ ∩ 𝑍 π‘Œ 𝑍 4

  5. Millionaire Problem l Aliens: β€œWhich planet has the largest population?” l The population is related to the military power l The input-size is also related to the military power l Padding doesn’t work ∡ The largest population in the universe is too large 5

  6. NEW NEW NEW NEW NEW NEW NEW NEW Outline l Notations l Classification for two-party [LNO13] l Classification for multiparty u Almost all sizes cannot be hidden l Strong secure channel (SSC) model u It is implementable by steganography l Classification for multiparty in SSC model u Many sizes can be hidden in SSC model 6

  7. Notations : 𝑄 9 can know |𝑦 " | 𝑗 Β‘ Β‘π‘˜ : who must not know the output size ・ A size-hiding class Β‘1 Β‘2 ü 𝑄 0 must not know |𝑦 ( | ü 𝑄 1 must not know the output-size 3 Def. A class is feasible if general MPC is possible 7

  8. Two-party Cases [LNO13] Hiding two or more sizes is infeasible in two-party case Private Private |𝑦 0 |, |𝑧| 2 Β‘1 nothing Β‘1 Β‘2 𝑦 0 Β‘1 Β‘2 1 |𝑦 0 |, |𝑧| Β‘2 |𝑧| 2 Β‘1 Β‘1 |𝑦 ( , |𝑦 0 Β‘2 2 |𝑦 ( , |𝑦 0 , |𝑧| Β‘1 Feasible Infeasible 8

  9. NEW NEW NEW NEW NEW NEW NEW NEW Outline l Notations l Classification for two-party [LNO13] l Classification for multiparty u Almost all sizes cannot be hidden l Strong secure channel (SSC) model u It is implementable by steganography l Classification for multiparty in SSC model u Many sizes can be hidden in SSC model 9

  10. Multiparty Cases (Our Result) Our result in standard model Even in MPC, it is infeasible to hide two sizes l The infeasibility is proven by techniques of [LNO13] l The protocol for hiding |𝑦 ( | u The parties invoke KeyGen for threshold FHE u Each party 𝑄 " sends πΉπ‘œπ‘‘(𝑦 " ) to 𝑄 ( u 𝑄 ( computes [𝑧] and broadcast it u They invoke Decryption 10

  11. Limitation of standard channel 3 Infeasible Infeasible 2 2 1 1 (with additional party) 𝑄 ( cannot send πΉπ‘œπ‘‘(𝑦 ( ) 𝑄 1 can know 𝑦 ( and 𝑦 0 but 𝑄 0 cannot send πΉπ‘œπ‘‘(𝑦 0 ) ∡ channel may leak the number of communication bits 11

  12. Strong Secure Channel (SSC) Secure channel model 𝑛 |𝑛| Adv ? SSC model 𝑛′ l It is implementable by steganography 12

  13. NEW NEW NEW NEW NEW NEW NEW NEW Outline l Notations l Classification for two-party [LNO13] l Classification for multiparty u Almost all sizes cannot be hidden l Strong secure channel (SSC) model u It is implementable by steganography l Classification for multiparty in SSC model u Many sizes can be hidden in SSC model 13

  14. Our Result in SSC model l Complete classification in SSC model l Maximum number of private sizes is π‘œ # of private sizes 1 2 3 4 … ❌ ❌ ❌ Secure channel … βœ” βœ” / ❌ βœ” / ❌ βœ” / ❌ SSC model … βœ” 14

  15. Case 1 When the output-size is public 15

  16. Case 1 (public output-size) l Suppose the output-size is public l Size-hiding computation is feasible in SSC model ⇔ for every and Β‘ ‘𝑗 Β‘ Β‘π‘˜ βˆƒ or : Β‘ ‘𝑗 Β‘ Β‘π‘˜ Β‘ ‘𝑗 Β‘ Β‘π‘˜ or Β‘ ‘𝑙 Β‘ ‘𝑗 Β‘ ‘𝑙 Β‘ Β‘π‘˜ Infeasible Feasible! 16

  17. Main Idea for Construction l Invoke Sharing Protocols for 𝑄 ( , 𝑄 0 , 𝑄 1 [𝑦] : FHE ciphertext Sharing Protocol for 𝑄 ( : Β‘2 Β‘3 𝑄 1 sends to 𝑄 ( : [1 ‘𝑦 1 ] 𝑄 0 sends to 𝑄 ( : Β‘1 [1 Β‘0 J K L J M ‘𝑦 0 ] If 𝑦 ( β‰₯ 𝑦 0 Otherwise [0 Β‘0 J K ] Longest input One of them can obtain all flagged ciphertexts! β†’ [𝑔(𝑦 ( , 𝑦 0 , 𝑦 1 )] can be computed 17

  18. Infeasibility (Reduced to [LNO13]) Β‘3 Β‘2 Β‘3 Β‘2 P B P A Β‘1 Β‘4 Β‘1 Β‘4 𝐺 𝑦 ( ,𝑦 0 ,𝑦 1 ,𝑦 2 l Suppose the class is feasible l Let 𝐺 𝑦 ( , 𝑦 0 , 𝑦 1 ,𝑦 2 = 𝑔 𝑦 ( , 𝑦 0 l Two private sizes (in two-party) is feasible l It contradicts [LNO13] 18

  19. Case 2 When the output-size is private 19

  20. Case 2 (private output-size) l Suppose the output-size is private l Size-hiding computation is feasible in SSC model ⇔ for every ü The party can know all input-sizes; and ü βˆƒ : Feasible! Infeasible 20

  21. Main Idea for Construction (1) 3 4 + Β‘1 Β‘2 FHE MPC l 𝑄 1 , 𝑄 2 are not involved in KeyGen ∡ 𝑄 1 , 𝑄 2 must not join threshold Decryption of 𝒛 l 𝑄 1 , 𝑄 2 do Evaluation , and obtain 𝑧 with zero paddings Thanks to the padding, they can do this without knowing |𝑧| 21

  22. Main Idea for Construction (2) 3 4 l 𝑄 ( , 𝑄 0 do KeyGen l 𝑄 1 , 𝑄 2 get encrypted input-shares l 𝑄 1 , 𝑄 2 do Evaluate using MPC Β‘1 Β‘2 l 𝑄 ( , 𝑄 0 do threshold Decryption If 𝑄 ( , 𝑄 1 or 𝑄 2 is honest 𝑄 0 are corrupted Security by MPC FHE does not work If 𝑄 1 , 𝑄 ( or 𝑄 0 is honest 2 are corrupted 𝑄 Security by FHE MPC does not work FHE or MPC guarantee the security! 22

  23. Infeasibility (Reduced to [LNO13]) P B 2 2 3 1 3 1 P A 𝐺 𝑦 ( ,𝑦 0 ,𝑦 1 l Suppose the class is feasible l Let 𝐺 𝑦 ( , 𝑦 0 , 𝑦 1 = 𝑔 𝑦 ( , 𝑦 0 l Two private sizes (in two-party) is feasible l It contradicts [LNO13] 23

  24. Conclusion l Hiding two is infeasible (standard model) l SSC model is rich for size-hiding l Some of them are still infeasible Thank you for your attention! 24

  25. Q&A l How to implement SSC by steganography? u A party can hide message of an arbitrary length Adv ? Q3&5?9A8K7#*AS4W356 25

  26. Q&A l How to implement SSC by steganography? u A party can hide message of an arbitrary length Adv ? Q3&5?9A8K7#*AS4W356 26

  27. Conclusion Background l [LNO13] constructed size-hiding protocol for two parties l They also proved the strong limitation This work l We introduce the strong secure channel (SSC) model l We construct size-hiding protocols in the SSC model l We also prove the (weaker) limitation for the SSC model Thank you for your attention! 27

  28. Set Intersection l Police has a list of terrorists π‘Œ l Company has a list of customers 𝑍 l Police wish to compute π‘Œ ∩ 𝑍 without revealing |π‘Œ| l NaΓ―ve approach, Padding, is inefficient ・ Millionaire Problem (Population version) l Aliens: β€œWhich planet has the largest population?” l The population is related to the military power l Its size is also related to the military power l Padding doesn’t work since the upper-bound is too large 28

Recommend

Topology-Hiding Computation for Large Diameter Graphs Adi Akavia Tal Moran The Academic College

Topology-Hiding Computation for Large Diameter Graphs Adi Akavia Tal Moran The Academic College

Topology-Hiding Computation for Large Diameter Graphs Adi Akavia Tal Moran The Academic College IDC Herzliya of Tel-Aviv Jaffa MPC [Yao 86 , GMW 87]: multiple parties can jointly compute a function of their private inputs, while

1.56k views β€’ 123 slides
Hiding the Input Size in Secure Two-Party Computation Yehuda Lindell , Kobbi Nissim, Claudio

Hiding the Input Size in Secure Two-Party Computation Yehuda Lindell , Kobbi Nissim, Claudio

Hiding the Input Size in Secure Two-Party Computation Yehuda Lindell , Kobbi Nissim, Claudio Orlandi (or a more privacy Privacy on sensitive social network) My friends should only see our common friends Secure Computation 8dx2rru3d0fW2TS y

520 views β€’ 36 slides
Secure Database Commitments and Universal Arguments of Quasi Knowledge Melissa Chase (Microsoft

Secure Database Commitments and Universal Arguments of Quasi Knowledge Melissa Chase (Microsoft

Secure Database Commitments and Universal Arguments of Quasi Knowledge Melissa Chase (Microsoft Research) Ivan Visconti (University of Salerno) Size hiding protocols Traditional secure computation: All existing definitions and Parties

631 views β€’ 22 slides
Full statistical analyses with secure multi-party computation Dan Bogdanov, Liina Kamm, Ville

Full statistical analyses with secure multi-party computation Dan Bogdanov, Liina Kamm, Ville

Full statistical analyses with secure multi-party computation Dan Bogdanov, Liina Kamm, Ville Sokk dan@cyber.ee http://sharemind.cyber.ee/ The Sharemind model Input Computing Result parties parties parties x 11 CP 1 y 1 IP 1 ... RP 1 x

411 views β€’ 14 slides
Political Party System 1 Two parties equal size More like mass movements 800,000

Political Party System 1 Two parties equal size More like mass movements 800,000

Political Party System 1 Two parties equal size More like mass movements 800,000 members Two party system unusual multi-party the norm Makes national consensus difficult to achieve Government of National Unity almost

277 views β€’ 25 slides
Self-Stabilizing Master--Slave Token Circulation and Efficient Size-Computation in a

Self-Stabilizing Master--Slave Token Circulation and Efficient Size-Computation in a

Self-Stabilizing Master--Slave Token Circulation and Efficient Size-Computation in a Unidirectional Ring of Arbitrary Size Wayne Goddard & Pradip K. Srimani Clemson University, South Carolina {goddard,srimani}@cs.clemson.edu

318 views β€’ 12 slides
CSE 461: Multiple Access Homework: Chapter 2, problems 1, 8, 12, 18, 23, 24, 35, 43, 46, and 58

CSE 461: Multiple Access Homework: Chapter 2, problems 1, 8, 12, 18, 23, 24, 35, 43, 46, and 58

CSE 461: Multiple Access Homework: Chapter 2, problems 1, 8, 12, 18, 23, 24, 35, 43, 46, and 58 Next Topic Key Focus: How do multiple parties share a wire? Application This is the Medium Access Control Presentation (MAC) portion of

991 views β€’ 59 slides
Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the

Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the

Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the University of Texas, Austin for providing these slides. slide 1 Motivation General framework for describing computation between parties who do not

1.03k views β€’ 35 slides
Information hiding Information hiding Notice how a user of a service being provided by an

Information hiding Information hiding Notice how a user of a service being provided by an

Information hiding Information hiding Notice how a user of a service being provided by an object, need only know the name of the messages that the object will accept. They need not have any idea how the actions performed in response to

474 views β€’ 34 slides
Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.)

Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.)

Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.) Samuel Ranellucci (Unbound Tech) Xiao Wang (MIT & Boston U.) Secure Computation 4 parties each hold private data. They wish to compute C(x 1

414 views β€’ 24 slides
2-party secure computation Problem: Two parties, Alice and Bob, with private inputs, a and b ,

2-party secure computation Problem: Two parties, Alice and Bob, with private inputs, a and b ,

1 International Conference on Practice and Theory of Public-Key Cryptography (PKC) 2020 Mon Z a: fast maliciously-secure 2-party computation on the ring 2 k Dario Catalano 1 , Mario Di Raimondo 1 , Dario Fiore 2 and Irene Giacomelli 3 1

504 views β€’ 25 slides
Economics and Computation Lirong Xia 1 This Course Economics: decision making by multiple

Economics and Computation Lirong Xia 1 This Course Economics: decision making by multiple

Economics and Computation Lirong Xia 1 This Course Economics: decision making by multiple actors, each with individual preferences, capabilities, and information, and motivated to act in regard to these preferences. Computer science:

448 views β€’ 22 slides
High-Accurate Computation of One-Loop Integrals by Several Hundred Digits Multiple-Precision

High-Accurate Computation of One-Loop Integrals by Several Hundred Digits Multiple-Precision

High-Accurate Computation of One-Loop Integrals by Several Hundred Digits Multiple-Precision Arithmetic Hiroshi Fujiwara ( ) Graduate School of Informatics, Kyoto University CPP2010 Workshop KEK Japan, 24 September 2010 H.

622 views β€’ 45 slides
Structured matrix methods for the computation of multiple roots of univariate polynomials John D.

Structured matrix methods for the computation of multiple roots of univariate polynomials John D.

Structured matrix methods for the computation of multiple roots of univariate polynomials John D. Allan and Joab R. Winkler Department of Computer Science The University of Sheffield, United Kingdom Overview

537 views β€’ 27 slides
Data-driven Model Selection for Approximate Bayesian Computation via Multiple Logisitic

Data-driven Model Selection for Approximate Bayesian Computation via Multiple Logisitic

Data-driven Model Selection for Approximate Bayesian Computation via Multiple Logisitic Regression. Ben Rohrlach Prof. Nigel Bean, Dr Jonathan Tuke University of Adelaide November 6, 2014 Adam Rohrlach Table of Contents Introduction. 1

1.72k views β€’ 112 slides
Multiprocessor OS 2003 1 Multiple processor systems Why? Clock speed limit: 10GHz

Multiprocessor OS 2003 1 Multiple processor systems Why? Clock speed limit: 10GHz

Multiprocessor OS 2003 1 Multiple processor systems Why? Clock speed limit: 10GHz 2cm chip size 100GHz 2mm chip size 1THz <100 m chip size In practice, we could put many processors together OS 2003 2

253 views β€’ 9 slides
CSL 860: Modern Parallel Computation Computation MPI: MESSAGE PASSING INTERFACE Message

CSL 860: Modern Parallel Computation Computation MPI: MESSAGE PASSING INTERFACE Message

CSL 860: Modern Parallel Computation Computation MPI: MESSAGE PASSING INTERFACE Message Passing Model Process (program counter, address space) Multiple threads (pc, stacks) MPI is for inter-process communication Process creation

546 views β€’ 53 slides
Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit

Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit

Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit Sahai UCLA Secure Multiparty Computation A set of mutually distrustful parties (n) wish to compute a joint function of their private inputs

309 views β€’ 16 slides
The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of

The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of

The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of Illinois at Chicago The standard model of senders, receivers, attackers, etc.: 1. Parties perform computation, send messages to other parties.

550 views β€’ 32 slides
POKING HOLES IN INFORMATION HIDING Angelos Oikonomopoulos Elias Athanasopoulos Herbert Bos

POKING HOLES IN INFORMATION HIDING Angelos Oikonomopoulos Elias Athanasopoulos Herbert Bos

POKING HOLES IN INFORMATION HIDING Angelos Oikonomopoulos Elias Athanasopoulos Herbert Bos Cristiano Giuffrida Vrije Universiteit Amsterdam Teaser Break ideal information hiding in seconds Few probes, typically no crashes

854 views β€’ 33 slides
headquarters?) Sample Size: 179 (91% of Respondents) What type of entity best describes your

headquarters?) Sample Size: 179 (91% of Respondents) What type of entity best describes your

What country is your business in? (If multiple countries, where is your headquarters?) Sample Size: 179 (91% of Respondents) What type of entity best describes your business? Single location 85% Multiple locations 13% Franchise location 1%

518 views β€’ 27 slides
David Lorge Parnas When the first papers on information Hiding were published (1970-72) ,

David Lorge Parnas When the first papers on information Hiding were published (1970-72) ,

Middle Road Software, Inc. How Precise Documentation allows Information Hiding to Reduce Software Complexity and Increase its Agility" David Lorge Parnas When the first papers on information Hiding were published (1970-72) , reaction

845 views β€’ 47 slides
Lab 2 discussion Last Time Debugging Its a science use experiments to refine

Lab 2 discussion Last Time Debugging Its a science use experiments to refine

size= 64 correct= 0 size= 73 correct= 0 Shuying Liang size= 107 correct= 1 size= 107 correct= 0 size= 108 correct= 0 size= 108 correct= 1 Please do not handin a .doc file, a .zip file, a .tar file, size= 111 correct= 1 size=

430 views β€’ 7 slides
CMP202 Revised Treatment of BSUoS for Lead Parties of Interconnector BM Units Place your chosen

CMP202 Revised Treatment of BSUoS for Lead Parties of Interconnector BM Units Place your chosen

CMP202 Revised Treatment of BSUoS for Lead Parties of Interconnector BM Units Place your chosen image here. The four corners must just cover the arrow tips. For covers, the three pictures should be the same size and in a straight line. CUSC

328 views β€’ 8 slides

More recommend