Yehuda Lindell, Benny Pinkas and Eli Oxman


  1. Yehuda Lindell, Benny Pinkas and Eli Oxman, Bar-Ilan University, Israel

  2. • Information theoretic
       ◦ Uses aesthetic mathematical tools that are typically very efficient
       ◦ Adversary is computationally unbounded
       ◦ Requires honest majority
     • Computational
       ◦ Uses computational hardness for oblivious transfer, zero knowledge and more
       ◦ Adversary runs in polynomial time
       ◦ Any number of corrupted parties

  3. • Semi-honest
       ◦ Corrupted parties follow protocol, but try to learn more than allowed by inspecting transcript
     • Malicious
       ◦ Corrupted parties follow any arbitrary strategy
     • Covert
       ◦ Corrupted parties follow any strategy
       ◦ If they follow a strategy enabling them to cheat, then they are guaranteed to be caught with some probability (e.g., ½)

  4. • Step 1 – construct a protocol that is secure for semi-honest adversaries
     • Step 2 – construct a compiler that transforms any protocol that is secure for semi-honest adversaries into a protocol that is secure for malicious adversaries
     • The GMW87 compiler achieves step 2 by using zero-knowledge proofs (and more) to ensure semi-honest behaviour

  5. • At Crypto 2008, Ishai et al. presented a completely different compiler for obtaining security for any number of corrupted parties
     • The building blocks of IPS
       ◦ An information-theoretically secure protocol for computing the functionality (secure for malicious)
       ◦ Semi-honest protocols for computing simple functions (like shares of the product of shares)
     • Advantages of IPS
       ◦ Excellent asymptotic efficiency
       ◦ Completely different way of working
       ◦ Black-box in the semi-honest protocols

  6. • Simulate an information-theoretic protocol that is secure for an honest majority (malicious adversary)
       ◦ Let  be an information-theoretic protocol for n parties/servers (n is a parameter to be determined)
     • A real multiparty protocol for m parties (with m<n) works by having the m real parties simulate an execution of
       ◦ The m parties run secure protocols π_1, …, π_n where π_i is a secure simulation of the i-th server
     • Servers are virtual and  is called the outer protocol
     • The m real parties are called clients and π_1, …, π_n are called inner protocols

  7. [Figure: clients P_1 and P_2 run the real inner protocols π_1, …, π_n; servers S_1, S_2, S_3, …, S_n, where server S_i is simulated with inner protocol π_i]

  8. • What security level is required by the inner protocols π_1, …, π_n?
       ◦ If they are secure against malicious, this is clearly fine
       ◦ However, our aim is to use subprotocols that are secure for weaker (say, semi-honest) adversaries
       ◦ If they are secure for only semi-honest, then what stops a real malicious client from cheating?

  9. • Consider inner protocols π_1, …, π_n that are secure for covert adversaries
       ◦ With any cheating detected with probability ½
     • In order to cheat in the outer protocol  (which is secure as long as only a minority are corrupt), the adversary has to cheat in at least n/2 inner protocols
       ◦ Cheating in an inner protocol is the only way to “corrupt” a server in the outer simulated protocol
     • By the covert guarantees, such cheating will go undetected with probability at most 2^(-n/2)
     • The protocol is therefore secure for malicious adversaries

  10. • The challenge: how to prevent a malicious party from cheating in a semi-honest protocol
      • Watching: if the randomness (and inputs) that should be used by one party is known to the others, then any cheating can be detected
      • The IPS watchlist mechanism:
        ◦ Each party “watches” every other party in k out of the n (real) inner protocols
        ◦ No party knows where it’s being watched (oblivious transfer based setup)
        ◦ Therefore, cheating in many inner protocols is detected with high probability (like covert)

  11. • We study the IPS compiler from a number of different angles
        ◦ Optimizations: we provide efficiency improvements on the IPS construction
        ◦ Variants: we apply the IPS paradigm to study covert security and its relation to both semi-honest and malicious adversaries
        ◦ Concrete efficiency: we calculate the concrete efficiency of IPS (in contrast to just asymptotic)

  12. • More efficient watchlist setup protocol
        ◦ Based on DDH; uses a special committed oblivious transfer type of protocol
        ◦ Our protocol also gives a more exact result, enabling a tighter cheating probability (yielding better concrete efficiency)
        ◦ Our setup is much more efficient and allows for the use of more servers (which can be in the thousands)
      • More in the paper…

  13. • IPS constructs malicious from semi-honest
      • We use the IPS paradigm to:
        ◦ Construct covert from semi-honest
          ▪ Just like IPS but with few watchlists
        ◦ Construct malicious from covert
          ▪ As we saw before
      • Significance
        ◦ Deepen understanding of covert adversary model (open question from TCC 2010)
        ◦ Conceptually and technically simple
        ◦ Better asymptotic efficiency for some problems

  14. • IPS has been shown to have excellent asymptotic efficiency, but no one knows how it behaves concretely
        ◦ This is due to the high level of abstraction
        ◦ Efficiency depends on:
          ▪ The outer information-theoretic protocol used
          ▪ The inner protocols used
          ▪ The number of servers and watchlists to obtain a given error

  15. • All multiplication gates require an interactive inner protocol
        ◦ Best efficiency is therefore achieved by minimizing the number of multiplications
        ◦ This is achieved using the packed secret sharing methodology
      • Note that the most efficient information-theoretic protocol is not necessarily optimal here

  16. • The smallest number of servers possible should give the best efficiency
        ◦ Less work in simulating the outer protocol
      • However, fewer servers means fewer corruptions needed by the adversary to achieve an effective dishonest majority
        ◦ And so more watchlists to catch cheating
        ◦ And in turn more servers to maintain an honest majority
      • Instantiating IPS concretely and efficiently requires choosing these parameters optimally

  17. • We carry out an analytic and numerical analysis of optimal parameters for IPS for a number of different circuits
      • We have some rather surprising results
        ◦ For example, for the case of 2 parties and an outer protocol secure for a plain honest majority, 4k servers is optimal (3k results in effectively more servers for the same error probability)
          ▪ Recall k is the number of watchlists

  18. • One of the major difficulties with the IPS protocol is that its instantiation is different
        ◦ For every function (circuit)
          ▪ The circuit size and structure affects the choice of block size (for packed secret sharing), affecting the degree of the polynomial, affecting the number of servers and the size of the watchlists and so on
          ▪ The number of servers can in turn affect the circuit, unless the circuit is over a huge field to start with
        ◦ For every number of clients
      • Analyzing the optimal number of servers, watchlist size and so on is a very difficult task

  19. • AES-type circuit (2400 gates over 100 layers)
        ◦ A minimal number of OT’s and multiplications is achieved by taking block size n/73 (numerical analysis)
      • For this block size (and protocol threshold) we found “optimal” parameters for error 2^-40:
        ◦ Number of servers n=1752
        ◦ Number of watchlists k=207
      • The actual cost (for 2 different choices of the inner multiplication protocol)
        ◦ 13.8 million OT’s and 4.5 billion field multiplications
        ◦ 5.5 million OT’s and 5.5 billion field multiplications
      • What’s better? It probably depends on the machine…
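The watchlist trade-off from slides 10 and 16, as an added example that is not part of the slides or the paper: it assumes a simplified model in which one honest party holds a uniformly random, secret k-of-n watchlist and the adversary cheats in t fixed inner protocols. The function names are hypothetical; n=1752 and k=207 are taken from slide 19 purely as sample input, and the thresholds printed are for this model only, not the paper's analysis.

```python
import math

def log2_evasion(n, k, t):
    """log2 Pr[none of t cheated inner protocols is on a random k-of-n watchlist].

    The probability is C(n-t, k) / C(n, k), expanded as a product of t ratios
    so that it can be summed in log space without huge integers.
    """
    if t > n - k:
        return -math.inf  # pigeonhole: at least one cheated protocol is watched
    return sum(math.log2((n - k - i) / (n - i)) for i in range(t))

def min_cheats_for_error(n, k, err_bits):
    """Smallest t whose evasion probability is at most 2^-err_bits (None if k = 0)."""
    for t in range(n + 1):
        if log2_evasion(n, k, t) <= -err_bits:
            return t
    return None

def min_watchlists(n, t, err_bits):
    """Smallest k that catches t cheats except with probability 2^-err_bits."""
    for k in range(n + 1):
        if log2_evasion(n, k, t) <= -err_bits:
            return k
    return None

if __name__ == "__main__":
    n, k, err_bits = 1752, 207, 40  # slide 19 values, used as sample input
    t = min_cheats_for_error(n, k, err_bits)
    print(f"n={n}, k={k}: cheating in {t} inner protocols is caught "
          f"except with probability 2^{log2_evasion(n, k, t):.1f}")
    # Slide 16's tension: the fewer cheats the adversary needs, the larger
    # the watchlist must be to keep the same error.
    for cheats in (100, 200, 400, 800):
        print(f"t={cheats:4d} cheats -> k >= {min_watchlists(n, cheats, err_bits)}")
```
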
