Covert Multi-party Computation (FOCS 2007). Nishanth Chandran, Vipul Goyal, Rafail Ostrovsky, Amit Sahai (UCLA)
Plan of talk • Background on the problem addressed • Informal Problem Statement • Main Technical Challenges • Ingredients • High Level Description of Solution
Multi-party Computation [Yao, GMW] [Diagram: parties P1, P2, P3, P4 with inputs x1, x2, x3, x4 jointly compute f(x1,x2,x3,x4)] No information other than f(x1,x2,x3,x4)
Do all of us want to rebel?? [Diagram: P1, P2, P3 and a Powerful Dictator]
Crypto Solution [Yao, GMW]: Rebel = 1, No Action = 0. Multi-party Computation of AND(inputs). [Diagram: P1, P2, P3 with example input bits 0, 1, 1]
Crypto Solution [Yao, GMW]: "Let's run MPC to see if all of us want to rebel" [Diagram: P1, P2, P3] P1 wants to rebel!!
Ideally: [Diagram: P1, P2, P3 in ordinary conversation: "How are you guys?" / "I couldn’t agree more" / "Doing well.. Army life is hectic…"] All of us want to rebel!!
Ideally: [Diagram: P1, P2, P3 in ordinary conversation: "Oh.. That’s fantastic!" / "How are you guys?" / "Not too bad.. I am going back home on vacation"] Someone does not want to rebel or did not participate!!
Covert Computation: Can we reveal protocol participation and output only upon the condition that everyone participated and output was favorable? • Two party case (restricted): [AHL05] • Multi-party case: ????
Covert Computation – Other examples • Joint buying over of a company: Group of companies wish to check if they are jointly capable of buying over another company. If their intent is revealed, the price of the company rises. • Tracing a hacker: Data sets of companies have been hacked into. Companies can find the culprit if they join forces, yet no company wants to accept having compromised its data set alone.
Making MPC Covert • Protocol with uniformly random messages can be converted to arbitrary distribution of messages • All messages need to be indistinguishable from random… even to participants • Standard two-party (Yao) and multi-party computation (GMW) protocols are covert in semi-honest case, with small modifications
Malicious Case: Where is the problem? • Converting protocol secure in semi-honest case to protocol secure in malicious case requires Proving Honest Behavior • Proofs or any verification cannot be used
Garbled Circuits [Yao]: Computing f(x,y) by two-party computation. [Diagram: P1 with Input x, P2 with Input y; Garbled Circuit on inputs x, y; Function output f(x,y)] Note: Garbled Circuit created by P1, but evaluated by P2
Commitment Schemes [Diagram: Sender commits to b towards Receiver] • Hiding – Receiver has no information about b • Binding – Sender cannot change b
Dealing with proofs in Covert Two-Party Computation [AHL05] [Diagram labels: P1: Commit to r0, x, R0; P2: Commit to r1, y, R1; Covert-Yao with output f(x,y) F(r0); Covert-Yao with output f(x,y) F(r1); If P2 did not cheat, output r0[i]; If P1 did not cheat, output r1[i]; k times; f(x,y), f(x,y)]
Garbled-circuit Verification [AHL05] [Diagram labels: P2, P1; Commitment openings, input, randomness; r0[i]; P2’s commitments, protocol transcript; G.C.]
Protocol at a High Level • Parties execute a GMW protocol to compute the function • They hold additive shares of output at the end of this phase • Proof of honest behavior done when exchanging these shares • Pi gets correct output share from Pk only if Pi can prove his honesty, otherwise gets a random value • If some party is malicious / does not participate, some share is random, leading to random output
Main Task to Solve: If P2 was honest, give him V, else give R. [Diagram: P1 sends either V or R to P2] V: Correct share of output. R: Random Value.
Garbled-circuit Verification in MPC? Output share is broadcast in MPC and can depend on input! [Diagram labels: P2, P1; Commitment openings, input, randomness; Output share; P2’s commitments, protocol transcript; G.C.] In 2PC, if P1 is dishonest, P2 “stops” protocol with P1. In MPC, P2 might “continue” protocol with P3.
Main Task to Solve: If P2 was honest, give him V, else give R. [Diagram: P1 sends either V or R to P2] V: Correct share of output. R: Random Value. But V or R should not depend on my inputs!!
Main Task Properties • Prover proves to the garbled circuit generated by Verifier that he was honest. • If the proof is correct, then prover receives a value (V) from the garbled circuit, otherwise receives a random value R • Dishonest verifier learns nothing about the prover’s inputs (even if the output of the garbled circuit is broadcast)
Zero knowledge proofs [GMR] [Diagram: Prover with Witness w, Verifier; Statement: x] • Completeness: Honest Verifier always accepts if proof is correct • Soundness: Cheating prover cannot convince verifier of a false statement • Zero-knowledge: Cheating verifier learns nothing other than validity of statement
Solution: Very High Level Idea [Diagram labels: P2, P1; ZK proof that P2 was honest; Output share or Random Value; P2’s commitments, protocol transcript; G.C.]
Zero knowledge proofs for NP [Blum, GMW]. Statement: G has Hamiltonian Cycle. Prover holds Hamiltonian Cycle H and picks Random π. Prover to Verifier: Com(π(G)), Com(π). Verifier to Prover: Random bit b. Prover to Verifier: Opening of Com(π(G)), Com(π) if b = 0; Opening of Com(π(H)) if b = 1. Soundness can be amplified by repeating above protocol k times. Every message other than final verification of Blum ZK protocol for Graph Hamiltonicity can be made uniformly random.
Covert ZK to Garbled Circuits. Statement: G has Hamiltonian Cycle. [Diagram labels: Hamiltonian Cycle H; Random π; Secret V; Random R; Com(π(G)), Com(π); Random bit b; Opening of Com(π(G)), Com(π) if b = 0; Opening of Com(π(H)) if b = 1; Garbled Circuit on Transcript, Statement, V, R: V if “Accept”, R if “Reject”]
Covert ZK to Garbled Circuits. Statement: G has Hamiltonian Cycle. V = V1 …. Vk [Diagram labels: Hamiltonian Cycle H; Secret V; Random R; Com(π(G)), Com(π); Random bit b; Opening of Com(π(G)), Com(π) if b = 0; Opening of Com(π(H)) if b = 1; Garbled Circuit on Transcript, Statement, Vi, Ri: Vi if “Accept”, Ri if “Reject”]
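Added example (not from the talk): one repetition of the Blum Hamiltonicity round from the slides above, followed by the "V if Accept, R if Reject" selection. Assumptions: SHA-256 hash commitments stand in for the commitment scheme, and the accept/reject selection runs as plain Python rather than inside a garbled circuit; all function names are hypothetical.

```python
# Added example: SHA-256 commitments are a stand-in, not the talk's scheme.
import hashlib, random, secrets

def commit(value):
    r = secrets.token_bytes(16)
    return hashlib.sha256(r + bytes([value])).digest(), (r, value)

def opens(c, opening):
    r, value = opening
    return hashlib.sha256(r + bytes([value])).digest() == c

def adjacency(n, edges, pi):
    m = [[0] * n for _ in range(n)]
    for u, v in edges:
        m[pi[u]][pi[v]] = m[pi[v]][pi[u]] = 1
    return m

def prover_commit(n, edges, cycle):
    pi = random.sample(range(n), n)                      # Random π
    pg = adjacency(n, edges, pi)                         # π(G)
    cells = [[commit(pg[i][j]) for j in range(n)] for i in range(n)]
    perm = [commit(p) for p in pi]
    coms = ([[c for c, _ in row] for row in cells], [c for c, _ in perm])
    return coms, (cells, perm, [pi[v] for v in cycle])   # π(H) stays secret

def prover_respond(state, b):
    cells, perm, pc = state
    if b == 0:                                           # open Com(π(G)), Com(π)
        return [o for _, o in perm], [[o for _, o in row] for row in cells]
    # b == 1: open only the n entries lying on the permuted cycle π(H)
    return pc, [cells[pc[i]][pc[(i + 1) % len(pc)]][1] for i in range(len(pc))]

def verify(n, edges, coms, b, resp):
    mat_c, perm_c = coms
    if b == 0:
        perm_o, cell_o = resp
        pi = [v for _, v in perm_o]
        if sorted(pi) != list(range(n)) or not all(map(opens, perm_c, perm_o)):
            return False
        pg = adjacency(n, edges, pi)
        return all(opens(mat_c[i][j], cell_o[i][j]) and cell_o[i][j][1] == pg[i][j]
                   for i in range(n) for j in range(n))
    pc, edge_o = resp
    if sorted(pc) != list(range(n)) or len(edge_o) != n:
        return False
    return all(opens(mat_c[pc[i]][pc[(i + 1) % n]], o) and o[1] == 1
               for i, o in enumerate(edge_o))

def release(accepted, V, R):
    return V if accepted else R   # models the circuit output: V on Accept, R on Reject
```

A prover without a Hamiltonian cycle can still answer b = 0 correctly, so a single repetition catches cheating only on b = 1.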
Preventing Adversary from forcing random output on honest parties • Covert Computation has a new problem: since no verification is done, malicious parties could force a random output on honest parties • How do honest parties know if everyone participated and the output was y or if someone was malicious and output was forced to be y?
Preventing Adversary from forcing random output on honest parties • Let x denote the vector of inputs • Let (ki, ri) be a (secret key, random share) pair chosen by party Pi. • Let a|b denote string ‘a’ concatenated with string ‘b’ • Using the GMW protocol, the parties compute Com(f(x)|k1|k2|…..|kn) with randomness r1 …. rk and later on compute its opening using another GMW protocol
Favorable Outputs? • Recall that we wanted output/participation to be revealed only if function output was favorable • Function g(x) is a boolean function evaluating to 1 if output is favorable and 0 otherwise • Parties compute: (R1, R2) if g(x) = 0; (Com(f(x),k1|k2|….|kn), Open(Com(f(x),k1|k2|….|kn))) if g(x) = 1
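Added example (not from the talk): how an honest party Pi uses its secret key ki to tell a genuine favorable output from a random or forced pair, covering the two slides above. Assumptions: a trusted Python function stands in for the two GMW phases, the commitment is a SHA-256 hash, the commitment randomness is the XOR of the parties' shares, and f(x) is a single byte; all names are hypothetical.

```python
import hashlib, secrets

KEYLEN, RANDLEN = 16, 32

def xor_all(shares):
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out

def com(msg, rand):
    # Stand-in commitment (assumption): SHA-256 over randomness || message.
    return hashlib.sha256(rand + msg).digest()

def joint_output(inputs, keys, rshares, f, g, forced_random=False):
    """Stand-in for the two GMW phases: the pair every party ends up with."""
    size = 1 + KEYLEN * len(keys) + RANDLEN
    if forced_random or g(inputs) == 0:
        # (R1, R2): random strings of the same lengths as a real pair
        return secrets.token_bytes(32), secrets.token_bytes(size)
    msg = bytes([f(inputs)]) + b"".join(keys)        # f(x)|k1|...|kn
    rand = xor_all(rshares)
    return com(msg, rand), msg + rand                # (Com, Open)

def party_check(i, my_key, n, pair):
    """Return f(x) if the pair is a valid opening that contains Pi's key, else None."""
    c, opening = pair
    msg, rand = opening[:1 + KEYLEN * n], opening[1 + KEYLEN * n:]
    if com(msg, rand) != c:
        return None                                  # random pair: no valid opening
    if msg[1 + KEYLEN * i: 1 + KEYLEN * (i + 1)] != my_key:
        return None                                  # valid opening, but forged without ki
    return msg[0]
```

The second check is what the keys buy: a malicious party can build a well-formed commitment and opening for an output of its choice, but not one that contains an honest party's ki.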
Other issues not addressed in this talk • Ideal/Real Model for Covert Computation with and without fairness • Obtaining fairness in covert computation by making timed commitments covert
CONCLUSIONS • Two party case does not extend to multi-party case, but it is possible to do • New technique of ZK to garbled circuits – might be useful in other settings • Cleaner definitions of covert computation security, even for two party case