
Covert Multi-party Computation (FOCS 2007)

Covert Multi-party Computation (FOCS 2007). Nishanth Chandran Vipul Goyal Rafail Ostrovsky Amit Sahai UCLA. Plan of talk. Background on the problem addressed. Informal Problem Statement. Main Technical Challenges. Ingredients. High Level Description of Solution.


Presentation Transcript


  1. Covert Multi-party Computation (FOCS 2007)
      Nishanth Chandran, Vipul Goyal, Rafail Ostrovsky, Amit Sahai (UCLA)

  2. Plan of talk
      • Background on the problem addressed
      • Informal Problem Statement
      • Main Technical Challenges
      • Ingredients
      • High Level Description of Solution

  3. BACKGROUND

  4. Multi-party Computation [Yao, GMW]
      (Figure: parties P1, P2, P3, P4 with inputs x1, x2, x3, x4 jointly computing f(x1,x2,x3,x4).)
      No information other than f(x1,x2,x3,x4) is revealed.

  5. Do all of us want to rebel??
      (Figure: P1, P2, P3 and a Powerful Dictator.)

  6. Crypto Solution [Yao, GMW]
      Rebel = 1, No Action = 0
      Multi-party Computation of AND(inputs)
      (Figure: P1, P2, P3 with example input bits 0, 1, 1.)

  7. INFORMAL PROBLEM STATEMENT
      Introduced by [von Ahn, Hopper, Langford ‘05]

  8. Crypto Solution [Yao, GMW]
      (Figure: P1, P2, P3 with speech bubbles “Let’s run MPC to see if all of us want to rebel” and “P1 wants to rebel!!”)

  9. Ideally
      (Figure: P1, P2, P3 with speech bubbles “How are you guys?”, “I couldn’t agree more”, “Doing well.. Army life is hectic…”; caption: “All of us want to rebel!!”)

  10. Ideally
      (Figure: P1, P2, P3 with speech bubbles “Oh.. That’s fantastic!”, “How are you guys?”, “Not too bad.. I am going back home on vacation”; caption: “Someone does not want to rebel or did not participate!!”)

  11. Covert Computation
      Can we reveal protocol participation and output only upon the condition that everyone participated and output was favorable?
      • Two party case (restricted): [AHL05]
      • Multi-party case: ????

  12. Covert Computation – Other examples
      • Joint buying over of a company
          • Group of companies wish to check if they are jointly capable of buying over another company
          • If their intent is revealed, the price of the company rises
      • Tracing a hacker
          • Data sets of companies have been hacked into
          • Companies can find the culprit if they join forces, yet no company wants to accept having compromised its data set alone

  13. MAIN TECHNICAL CHALLENGES

  14. Making MPC Covert
      • Protocol with uniformly random messages can be converted to arbitrary distribution of messages
      • All messages need to be indistinguishable from random… even to participants
      • Standard two-party (Yao) and multi-party computation (GMW) protocols are covert in semi-honest case, with small modifications

  15. Malicious Case: Where is the problem?
      • Converting protocol secure in semi-honest case to protocol secure in malicious case requires Proving Honest Behavior
      • Proofs or any verification cannot be used

  16. OLD INGREDIENTS

  17. Garbled Circuits [Yao]: Computing f(x,y)
      (Figure: two-party computation between P1 and P2 with inputs x and y; the Garbled Circuit yields the function output f(x,y).)
      Note: Garbled Circuit created by P1, but evaluated by P2

  18. Commitment Schemes
      (Figure: Sender and Receiver, committed value b.)
      • Hiding – Receiver has no information about b
      • Binding – Sender cannot change b

  19. Dealing with proofs in Covert Two-Party Computation [AHL05]
      (Figure labels, P1 and P2: Commit to r0, x, R0; Commit to r1, y, R1; Covert-Yao with output f(x,y)  F(r0); Covert-Yao with output f(x,y)  F(r1); If P2 did not cheat, output r0[i]; If P1 did not cheat, output r1[i]; k times; f(x,y); f(x,y))

  20. Garbled-circuit Verification [AHL05]
      (Figure labels, P1 and P2: Commitment openings, input, randomness; r0[i]; P2’s commitments, protocol transcript; G.C.)

  21. NEW IDEAS THAT ARE NEEDED: MPC SOLUTION AT A HIGH LEVEL

  22. Protocol at a High Level
      • Parties execute a GMW protocol to compute the function
      • They hold additive shares of output at the end of this phase
      • Proof of honest behavior done when exchanging these shares
      • Pi gets correct output share from Pk only if Pi can prove his honesty, otherwise gets a random value
      • If some party is malicious / does not participate, some share is random, leading to random output

  23. Main Task to Solve
      If P2 was honest, give him V else give R
      (Figure: P1 gives P2 either V or R.)
      V: Correct share of output
      R: Random Value

  24. Garbled-circuit Verification in MPC?
      Output share is broadcast in MPC and can depend on input!
      (Figure labels, P1 and P2: Commitment openings, input, randomness; Output share; P2’s commitments, protocol transcript; G.C.)
      • In 2PC, if P1 is dishonest, P2 “stops” protocol with P1
      • In MPC, P2 might “continue” protocol with P3

  25. Main Task to Solve
      If P2 was honest, give him V else give R
      (Figure: P1 gives P2 either V or R.)
      V: Correct share of output
      R: Random Value
      But V or R should not depend on my inputs!!

  26. Main Task Properties
      • Prover proves to the garbled circuit generated by Verifier that he was honest.
      • If the proof is correct, then prover receives a value (V) from the garbled circuit, otherwise receives a random value R
      • Dishonest verifier learns nothing about the prover’s inputs (even if the output of the garbled circuit is broadcast)

  27. Zero knowledge proofs [GMR]
      (Figure: Prover with witness w, Verifier, statement x.)
      • Completeness: Honest Verifier always accepts if proof is correct
      • Soundness: Cheating prover cannot convince verifier of a false statement
      • Zero-knowledge: Cheating verifier learns nothing other than validity of statement

  28. Solution: Very High Level Idea
      (Figure labels, P1 and P2: ZK proof that P2 was honest; Output share or Random Value; P2’s commitments, protocol transcript; G.C.)

  29. Zero knowledge proofs for NP [Blum, GMW]
      Statement: G has Hamiltonian Cycle. The Prover holds the Hamiltonian Cycle H.
      • Prover picks a random π and sends Com(π(G)), Com(π)
      • Verifier sends a random bit b
      • Prover sends the opening of Com(π(G)), Com(π) if b = 0, or the opening of Com(π(H)) if b = 1
      Soundness can be amplified by repeating above protocol k times
      Every message other than final verification of Blum ZK protocol for Graph Hamiltonicity can be made uniformly random

  30. Covert ZK to Garbled Circuits
      Statement: G has Hamiltonian Cycle; Hamiltonian Cycle H; Secret V; Random R
      • Random π; Com(π(G)), Com(π)
      • Random bit b
      • Opening of Com(π(G)), Com(π) if b = 0; opening of Com(π(H)) if b = 1
      • Garbled Circuit with inputs Transcript, Statement, V, R: outputs V if “Accept”, R if “Reject”

  31. Covert ZK to Garbled Circuits
      Statement: G has Hamiltonian Cycle; Hamiltonian Cycle H; Secret V; Random R
      V = V1  ….  Vk
      • Com(π(G)), Com(π)
      • Random bit b
      • Opening of Com(π(G)), Com(π) if b = 0; opening of Com(π(H)) if b = 1
      • Garbled Circuit with inputs Transcript, Statement, Vi, Ri: outputs Vi if “Accept”, Ri if “Reject”

  32. Preventing Adversary from forcing random output on honest parties
      • Covert Computation has a new problem: since no verification is done, malicious parties could force a random output on honest parties
      • How do honest parties know if everyone participated and the output was y or if someone was malicious and output was forced to be y?

  33. Preventing Adversary from forcing random output on honest parties
      • Let x denote the vector of inputs
      • Let (ki, ri) be a (secret key, random share) pair chosen by party Pi.
      • Let a|b denote string ‘a’ concatenated with string ‘b’
      • Using the GMW protocol, the parties compute Com(f(x)|k1|k2|…..|kn) with randomness r1 ….  rk and later on compute its opening using another GMW protocol

  34. Favorable Outputs?
      • Recall that we wanted output/participation to be revealed only if function output was favorable
      • Function g(x) is a boolean function evaluating to 1 if output is favorable and 0 otherwise
      • Parties compute
          • (R1, R2) if g(x) = 0
          • (Com(f(x),k1|k2|….|kn), Open(Com(f(x),k1|k2|….|kn))) if g(x) = 1

  35. Other issues not addressed in this talk
      • Ideal/Real Model for Covert Computation with and without fairness
      • Obtaining fairness in covert computation by making timed commitments covert

  36. CONCLUSIONS
      • Two party case does not extend to multi-party case, but it is possible to do
      • New technique of ZK to garbled circuits – might be useful in other settings
      • Cleaner definitions of covert computation security, even for two party case

  37. Thank you
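
Slides 29 to 31 turn Blum's Hamiltonicity proof into a conditional release of V; the sketch below is an added example, not code from the talk or the paper. It assumes hash commitments, evaluates the accept predicate in the clear where the talk places it inside the verifier's garbled circuit, assumes V is XOR-shared over the k rounds, and uses constructed graphs.

```python
import hashlib, random, secrets
from functools import reduce

def com(value, r):  # hash commitment: assumed stand-in for the covert scheme
    return hashlib.sha256(r + repr(value).encode()).digest()
def edge(a, b):
    return (min(a, b), max(a, b))
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def commit(n, edges, cycle):  # prover's first message: Com(pi(G)), Com(pi)
    pi = random.sample(range(n), n)
    pg = {edge(pi[u], pi[v]) for u, v in edges}
    bits = {edge(i, j): int(edge(i, j) in pg) for i in range(n) for j in range(i)}
    rnd = {e: secrets.token_bytes(16) for e in bits}
    r_pi = secrets.token_bytes(16)
    msg1 = ({e: com(bits[e], rnd[e]) for e in bits}, com(pi, r_pi))
    return (pi, r_pi, bits, rnd, [pi[v] for v in cycle]), msg1

def respond(state, b):
    pi, r_pi, bits, rnd, pc = state
    if b == 0:  # open Com(pi(G)) and Com(pi)
        return pi, r_pi, bits, rnd
    return pc, [rnd[edge(pc[i], pc[i - 1])] for i in range(len(pc))]  # open pi(H)

def accepts(n, edges, msg1, b, resp):  # the final verification step
    coms, c_pi = msg1
    if b == 0:
        pi, r_pi, bits, rnd = resp
        pg = {edge(pi[u], pi[v]) for u, v in edges}
        return com(pi, r_pi) == c_pi and all(
            bits[e] == int(e in pg) and com(bits[e], rnd[e]) == coms[e] for e in coms)
    pc, opens = resp
    return sorted(pc) == list(range(n)) and all(
        com(1, r) == coms[edge(pc[i], pc[i - 1])] for i, r in enumerate(opens))

def run(n, edges, cycle, V, challenges):
    """Round i releases V_i on accept and a fresh random R_i on reject."""
    shares = [secrets.token_bytes(len(V)) for _ in challenges[1:]]
    shares.append(reduce(xor, shares, V))  # assumed: V = V_1 xor ... xor V_k
    out = bytes(len(V))
    for b, v_i in zip(challenges, shares):
        state, msg1 = commit(n, edges, cycle)
        ok = accepts(n, edges, msg1, b, respond(state, b))
        out = xor(out, v_i if ok else secrets.token_bytes(len(V)))
    return out

# Constructed graphs: G_YES has the Hamiltonian cycle 0-1-2-3, G_NO (a path) has none.
G_YES = [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)]
G_NO = [(0, 1), (1, 2), (2, 3)]
```

A prover without a cycle still recovers V when every challenge bit is 0, which is the 2^-k soundness error that the k repetitions drive down; a single rejected round replaces V with a random value.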
