310 likes | 425 Vues
Paradigms for Multiparty Computation Ivan Damgård BRICS, Århus University. Agenda Intro: the MPC problem Models for adversaries and communication Overview of (im)possibility results The paradigms Applications Some open problems are pointed out along the way.
E N D
Paradigms for Multiparty Computation Ivan Damgård BRICS, Århus University
Agenda • Intro: the MPC problem • Models for adversaries and communication • Overview of (im)possibility results • The paradigms • Applications • Some open problems are pointed out along the way. • Disclaimer: this is not a complete list of paradigms, or an exhaustive overview of references – no time for that!
The MPC problem • n players P1, P2, …, Pn • Player Pi holds private input xi • Goal: for some given function f with n inputs and n outputs, compute f(x1,…,xn)= (y1,…,yn) securely, i.e., we want a protocol such that: • Pi learns the correct value of yi • No information on inputs is leaked to Pi, other than what follows from xi and yi. • We want this to hold, even when (some of) the players behave adversarially. • Examples: • Match-making, Electronic Voting, Auctions, Ecommerce, etc..
Generality MPC is extremely general: a solution implies in principle a solution to any cryptographic protocol problem. Note: not all problems can be modelled by computing a single function securely. Not a problem, however: many known protocols are actually fully general, even if they were phrased as solutions for computing a single function.
Modelling Adversarial Behavior Assume one central adversary Adv. Adv may corrupt some of the players and use this to learn information he should not know, or mess up the results. When Pi is corrupted, Adv learns all internal data and history of Pi. Different types of adversaries, depending on computing power, amount of control over corrupted players, etc. (more later) Goal of MPC, a bit more precisely: Want protocol to work as if we had a trusted party T, who gets inputs from players, computes results and returns them to the players. In the ideal scenario, Adv may decide inputs for corrupted players, but honest players get correct results, and Adv only learns inputs/outputs of corrupted players. We want that Adv cannot achieve more when attacking the real protocol Many ways of formalizing this [Micali-Rogaway, Beaver, Canetti, Pfitzmann-Waidner]..
Bounds on corruption We need to define some bound on which subsets can be corrupted by Adv. Simplest case: assume Adv can corrupt at most t players. In general: Adversary StructureΓ: family of subsets of P= {P1,…,Pn} Adv is assumed to behave such that set of corrupted players is in Γ at all times. Threshold-t structure: contains all subsets of size at most t. Γ is Q3: for any A1,A2,A3 Γ, A1A2 A3 is smaller than P Γ is Q2: for any A1,A2 Γ, A1A2 is smaller than P Threshold-t structure for t< n/3 is Q3 Threshold-t structure for t< n/2 is Q2
Summary The players Corruption can be passive: just observe computation and mess. x2, y2 x1, y1 Or active: take full control Inputs, Desired outputs Corrupt Adv x3, y3 x4,y4 Crypto scenario: Adv sees all messages; or I.T. scenario: no info on honest-to-honest mess. Adv can choose which players to corrupt statically or adaptively – but set of corrupted players must be ”not too large”, i.e., it must be in the given adversary structure
Known Results, Information theoretic scenario • Passive security: less than n/2 corruptions (Q2 adversary) necessary and sufficient to compute any function with perfect security. • If more corruptions: then some functions cannot be computed securely. • Active security: less than n/3 corruptions (Q3 adversary) necessary and sufficient to compute any function with perfect security. • If we assume that a broadcast channel is given for free, and we accept a non-zero error probability, honest majority is enough, even in the active case • Results of [CCD88, BGW88, RB89, HM99,CDDHR00]
Known Results, Cryptographic Scenario • Passive security: Assuming one-way trapdoor permutations exist, less than n corruptions necessary and sufficient to compute any function with computational security • Active security: Assuming one-way trapdoor permutations exist, less than n/2 corruptions (Q2 adversary) necessary and sufficient to compute any function with computational security. • Results of [Y86, GMW87,CFGN]
Paradigms for building MPC protocols • Circuit scrambling • Based on Oblivious Transfer • Secret Sharing • Homomorphic Encryption • All paradigms: we assume the desired computation is specified as an algebraic circuit over a finite field. • Note: • Boolean circuit equivalent to algebraic circuit over GF(2). • Some applications more naturally described as circuits over the integers, more on this later. • Circuit size depends on the field/ring used in the circuit it’s not necessarily inefficient just because we use a circuit!
Circuit Scrambling • [Yao86], [Chaum Damgård, van de Graaf 87], [Beaver,Micali, Rogaway 90] • Computation specified as a Boolean Circuit C • The Idea: • The players collaborate to scramble or encrypt C to get encrypted circuit E(C). • Players supply appropriately encrypted input. • A computation is carried out in E(C). Reveals no new information, due to the encryption. • The outputs are recovered once the encrypted computation is done (E(C) can be designed so that the outputs are in the clear). • Advantage of Yao’s scrambling technique (also used in BMR): can be used to get a constant round protocol. • Problems with all known scrambling techniques: Only work for Boolean circuits, or circuits with ”small” gates. Computational assumption needed. Not known if we can do constant round I.T. secure MPC for all functions.
MPC based on Oblivious Transfer (OT) [Goldreich, Micali Wigderson 87], [Kilian 88] OT is a two-party primitive where a sender sends bits b0, b1. The receiver can choose which bit to receive, will not learn the other one. The sender has no idea what happened. A main result of GMW: OT follows from existence of one-way trapdoor permutations. GMW used this, plus other techniques based on one-way trapdoor permutations to implement MPC Kilian showed that MPC follows from OT alone, with no further assumptions. Great for fundamental feasibility results: implies that MPC follows from 1-way trapdoor permutations, also from various physical assumptions (noisy channels..). Not so great in practice… When based on general assumptions, is typically limited to ”1 bit at a time” computations
MPC based on Secret Sharing [Ben-Or, Goldwasser, Wigderson 88], [Chaum, Crépeau, Damgård 88], [Rabin, Ben-Or 89], [Hirt, Maurer 97], [Cramer, Damgård, Maurer ’00] Computation specified as circuit C over some (possibly large) finite field, say GF(p). I.e., if the inputs were given, we could do the desired computation by a number of additions and multiplications in the field. Will assume the I.T. scenario: we have ideally secure channels between each pair of players, and a broadcast channel. Assuming appropriate bounds on the number of corrupt players, broadcast can be implemented by a subprotocol.
Secret Sharing • A Dealer holds a secret value s in Zp, p > n is a prime. • Dealer chooses a random polynomial f() over Zp* of degree at most t, such that f(0)=s: • f(x) = s + a1 x + a2 x2+ …+ at xt • Dealer sends si = f(i) privately to Pi. • Properties: • Any subset of at most t players has no information on s • Any subset of at least t+1 players can easily compute s – can be done by taking a linear combination of the shares they know.
A Protocol for the Passive Corruption Case • threshold adversary, may corrupt up to t players, t< n/2. Circuit and inputs given Create ”objects” representing inputs, jointly held by players, value not accessible to adversary. Compute new objects. Open outputs 12 7 23 8 + · 6 4 · 9 Create Objects (Sharing Phase): Each Pi shares each of his input value using a random polynomial of degree at most t, sends a share of each input to each player. Notation: a f() a1, a2, …, an means: value a has been shared using polynomial f(), resulting in shares a1,…,an, where player Pi knows ai.
Computation Phase • Secure Linear Computation, addition • Input: a fa() a1,…,an and b fb() b1,…,bn • Desired Output: c= a+b fc() c1,…,cn • Each player sets ci := ai+bi. • Then we have what we want: a+b fc() c1,…,cn, with fc() = fa()+fb() note: adding polynomials does not increase degree. • Multiplication by constant v • Just multiply all shares by v. • We know how to securely compute any linear function of inputs held by players. • Secure Multiplication • Use trick from [Gennaro,Rabin,Rabin] that reduces this to linear computation: Compute di = ai bi and exploit that ab is a linear combination of di’s
Output Opening Phase Having made our way through the circuit, we have for each output value y: y fy() y1,…, yn If y is to be received by player Pi, each Pj sends yj to Pi. Pi reconstructs in the normal way. Security, intuitively: Outputs trivially correct, since all players follow protocol For every input from an honest player, intermediate result and outputs of honest players, Adv sees at most t shares. These are always t random field elements, so reveal no information.
Protocol for Active Adversaries • General idea: use protocol for passive case, but make players prove that they send correct information. • Main tool for this: commitment scheme • In the protocol, players commit to all private data, and prove (without revealing additional information) that each message they send is computed according to the protocol. • Corrupted players are forced to follow the protocol or be exposed as corrupt (equivalent to stop participating). When t< n/3, this behavior is harmless An information theoretically secure commitment scheme can be implemented based on threshold-t secret sharing, assuming t<n/3.
From Threshold to General Adversaries and Access Structures • Reminder • Adversary StructureΓ: family of subsets of P= {P1,…,Pn} • List of subsets the adversary can corrupt ”describes Adv’s corruption capabitities” • Threshold-t structure: contains all subsets of size at most t. • Why General Adversary Structures? • And not just a bound on the number of players that can be corrupt? • Threshold adversaries (where we just bound the number of corruptions) make sense in a network where all nodes are equally hard to break into. This is often not the case in practice. • With general access structures, we can express things such as: the adversary can break into a small number of the more secure nodes and a larger number of less secure ones.
How to go from threshold to general adversaries, cont’d. Use same ideas as before, but more general form of secret sharing… Shamir’s scheme can be written as fixed matrix secret+randomness shares 1 11 12 … 1t a a1 1 21 22 … 2t r1 =a2 … .. .. rt .. 1 n1 n2 … nt an Each player ”owns” a row of the matrix and is assigned the share corresponding to his row. Can be generalized to other matrices than Van der Monde, and to more than one row pr. player.
Linear Secret Sharing Schemes (LSSS). s Rows of P1 Share of P1 Share of P2 Rows of P2 = M Randomness …… Rows of Pn Share of Pn Subset A can reconstruct s if their rows span (1, 0, 0,…,0), otherwise they have no information. LSSS is most powerful general SS method known, can handle any adversary structure – but cannot be efficient on any structure (counting argument). Shamir, Benaloh-Leichter, Van Dijk, Brickell are special cases.
Building General Adversary protocols To make our protocol work for general, non-threshold adversaries, basically we plug in an LSSS M for Γ instead of Shamir’s scheme. Works almost immediately, since the protocol we saw mainly exploits that Shamir’s scheme is linear. Non-trivial technical problems with multiplication, but in the end [CDM00]: Result: From any LSSS M for a Q2 adversary structure Γ, can build MPC protocol secure against passive Γ-adversary (need Q3 for active adversaries). So, by [Hirt-Maurer]: it works when Γ allows for MPC at all. Construction is efficient: yields an MPC protocol of complexity polynomial in size of the given LSSS.
Beyond LSSS? Can we build MPC efficiently from ANY secret sharing scheme,? – probably not! [CDD 00] Theorem: there exists no efficient black-box reduction building MPC from any secret sharing scheme: any black-box reduction from secret sharing to MPC must be inefficient on some adversary structures.
Protocols for the Cryptographic scenario Can be based on ideas from info. theory scenario, several possibilities: First Idea Implement ideal channels from IT scenario using (public-key) cryptography This works using CCA secure encryption if adversary is static and Non-committing encryption if adversary is adaptive. CCA-secure encryption and non committing encryption exist if one-way trapdoor permutations exist. CCA security can be implemented quite efficiently based on standard techniques, non-committing encryption is much less efficient, even using best known techniques.
Alternative Idea Instead of starting from a protocol for the i.t. scenario, use a different paradigm, tailored for the crypto scenario. Maybe gain efficiency this way.. Basic primitive: Homomorphic threshold public-key encryption [CDN02]. A common public key pk for everyone, secret key secret-shared among the players Adv cannot decrypt, the set of honest players can. Player Pi supplies input xi by just supplying an encryption Epk(xi). Homomorphic property: the set of plaintexts is a ring. Multiplication operation on ciphertexts. The requirement: for any plaintexts a,b: Epk(a)Epk(b) = Epk(a+b) Can also multiply constant ”into” encryption. Example: Paillier encryption. Gives the most efficient known protocols. Plaintext space is Zn for RSA modulus n, ciphertexts are numbers modulo n2
MPC from homomorphic encryption • Players publish encryptions of their inputs • We walk through an arithmetic circuit, as before, adding and multiplying values while they are encrypted • This produces encryptions of the outputs, which we can decrypt because we share the private key. • Secure addition is immediate by homomorphic property: just multiply the two encryptions. • Multiplication: from Epk(a), Epk(b), how to produce securely Epk(ab)? • Each Pi chooses ri at random, publishes Epk(ri) • Multiply Epk(a) by all Epk(ri), decrypt result. Leads to a+R, where R= r1+…rn • From (a+R), Epk(b) we can all produce Epk((a+R)b). • From ri, Epk(b), each Pi can produce and publish Epk(-rib), we multiply all these to get Epk(-Rb). • Finally, from Epk((a+R)b) and Epk(-Rb), produce Epk(ab).
Efficiency C, size of circuit n, number of players k, bit-length of encryptions Protocol based on homomorphic encryption needs to broadcast O(nCk) bits. Lots of optimizations when complexity of broadcast is taken into account.. Since additions are for free, we get really practical solutions for electronic voting, for instance. Also practical in case circuit is not too large, say a few comparisons of integers (auctions, contract bidding). Recent work [DN03]: even adaptive security with constant factor loss of efficiency.
Application: Double Auctions • A market scenario, where some commodity is being traded (Excursion Tickets!) • There are several sellers and buyers. • Each seller Si has a (private) table Ti describing what he is willing to offer, Entries of form (quantity, price pr. unit) • Each buyer Bj has a (private) table Tj describing what he is willing to buy. Entries of form (quantity, price pr. unit). • Assumption: tables describe the true intentions of buyers and sellers. • Problem: cannot just make tables public. For instance • If a buyer goes public first, sellers will adjust their prices. • If the buyer is aware of this risk, may publish artifically low prices. • No deals actually happen, even though there actually exists a market price that would have made everyone happy.
Result from Theory of Economy • Revelation principle: Assume the existence of a trusted third party T (”impartial social planner”), the players submit their private information to T and T then instructs them about how to act. • Theorem: This will produce results that are at least as good as anything players could have done on their own, and sometimes better. • In this case: buyers and sellers send privately their tables to T, who evaluates a market clearing pricemcp, the price that produces the maximal value for players. • Every Bi who submitted bids above mcp gets to buy at mcp • Every Sj who submitted bids below mcp gets to sell at mcp • Note: it is in the players’ best interest to submit true info to T. • But who could play the role T in real life ?? • Implement of T via MPC! • Given set of parties that players trust sufficiently, results can be computed that are equivalent to what T does (cf [DHR´00]).
An open problem in this connection: Auctions and many other applications are naturally described as integer computations - comparison, integer division etc. Known how to do this, if we represent numbers by encryptions or secret sharings of single bits. But we have encryptions that can hold many bits, and we can do operations involving many bits at a time. Does this mean we can compare integers more efficiently than by converting to binary first?? Doing it in real life.. Secure, Computing Economy and Trust (SCET) A project aimed at developing protocols and software to do MPC solutions for double auctions and related problems. Partners: Aarhus University, Economists at Danish Agricultural University, Cryptomathic, Danisco.
Conclusion MPC is cool, useful and interesting, in theory as well as in practice.. You ain’t seen nothin’ yet..