Counting Method for Multi-party Computation over Non-abelian Groups
YouMing Qiao (*) and Christophe Tartary (**)
*: Institute for Theoretical Computer Science, Tsinghua University, Beijing, China
**: Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
Outline
• Problem Review: MPC on non-Abelian Groups
• Counting Approach: Improvements and Limitations
• Analysis of the Approach
• New Lattices
• Limitation
• Summary
Problem Review: MPC on non-Abelian Groups
• Problem Statement
• Two Reductions
• Graph Coloring Problem
MPC: Problem Statement
Consider the following setting:
• There are m people, and each holds an input t_i
• They want to compute f(t_1, t_2, …, t_m) = (f_1, f_2, …, f_m) collaboratively
• At the same time, they don't want others to learn their own inputs.
[Figure: five parties with inputs t_1…t_5 and outputs f_1…f_5; one party asks "Ask t_1!" and is answered "Sorry, I've no idea…"]
Motivation
• Traditional MPC protocols are built on the circuit that computes the function
  • Universal solution: any function can be securely computed;
  • Drawback: high communication complexity, since the circuit size may be large;
• Yvo Desmedt et al. consider a specific setting of secure computation in [1]
  • Higher level of abstraction: black-box group operations; the protocol is built on the multiplication tree;
  • Achieves better communication complexity (com-complexity): O(n·t²·l(G)) compared with O(t²·log t·NAND(f_G));
MPC on non-Abelian Groups
• Consider a specific computation
  • Each party holds one input t_i ∈ G, for some group G
  • f(t_1, t_2, …, t_m) = ∏ t_i (the order of multiplication matters, since G is non-Abelian)
• What we want
  • Black-box: the allowed operations are multiplication, inverse and random sampling
  • Parameters: semi-honest adversary and information-theoretic security
• Basic result
  • Majority is needed to ensure security
  • Reduced to a graph coloring problem
Two Reductions
• Build the protocol on the computation tree
• Reduce to the secure computation of a node
• Reduce to the secure coloring of a graph
Graph Coloring Problem
• An l×l grid, with diagonal edges;
• A good (n, t) coloring is to
  • Assign n colors to the vertices;
  • Removing any t colors, we still have…
  • One path from top to bottom, and one path from left to right
[Figure: example coloring with n=3, t=1, l=2.]
Counting Approach: Improvements and Limitations
• Introduction
• Improvement
• Limitation
Counting Approach: Introduction
• Algorithm: random coloring
• We would like to show that, with good probability, we get a good (n, t) coloring
• The counting approach was initiated by Desmedt et al. They showed:
  • For any constant R > μ, if t ≤ n/R, there exists a black-box t-private protocol for group multiplication with com-complexity O(n·t²) group elements;
  • Desmedt et al. show that μ = 2.948 on triangular lattices
Counting Approach: Our Work
• First we give an altered exposition of their proof, so that:
  • Some concepts are clarified;
  • The proof can be adapted to square lattices;
• Then we apply this approach to square lattices:
  • The adversary threshold: μ = 5
  • Com-complexity: saves about 1/3 of the com-complexity in practice
• Finally, we show the limitation of this approach:
  • For the counting approach on the triangular lattice, μ > 2.414
Counting Approach: Minimal Cutset
• Central combinatorial object: the minimal cutset
• A left-to-right cutset (lr-cutset) is a set of nodes such that each top-to-bottom path has at least one node in this set
• A minimal lr-cutset is an lr-cutset such that removing any node from the set destroys the cutset property
Counting Approach: Why MC Matters
• The minimal cutset (MC) is important because of the following relation with (n, t) good colorings:
  (Lemma 1) Given a coloring with n colors, if every minimal cutset contains more than t colors, then it is an (n, t) good coloring;
• This observation enables us to bound the probability that a random coloring is not an (n, t) good coloring.
Counting Approach: Probabilistic Argument
• Let NP(k, l) denote the number of minimal lr-cutsets of size k in Gtri(l, l);
• For a t-color set I, let p_x(I) (resp. p_y(I)) denote the probability that there exists a minimal lr-cutset (resp. tb-cutset) whose node colors all lie in I;
• Summing over k ∈ [l, l²], over p_x and p_y, and over the t-color subsets I, the probability p that a random coloring is not (n, t) good is bounded as:
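The following Python is an added example, not code from the slides or from Desmedt et al.'s paper; it makes the graph coloring problem and the minimal-cutset view concrete on a tiny instance. It builds Gtri(l, l), decides (n, t) goodness directly from the definition (delete any t colors, check that a top-to-bottom and a left-to-right path survive), enumerates the minimal lr-cutsets to tabulate NP(k, l), and applies the Lemma 1 criterion, confirming on the n=3, t=1, l=2 instance that the two tests agree. Assumed, because the slides do not say: the diagonal of each cell runs from (row, col) to (row+1, col+1), an lr-cutset blocks every top-to-bottom path as defined above, and brute force over node subsets is only practical for l ≤ 3.

```python
from collections import Counter, deque
from itertools import combinations, product


def lattice(l):
    """Gtri(l, l): l x l grid with horizontal, vertical and one diagonal edge
    per cell.  ASSUMPTION (not on the slides): the diagonal joins (row, col)
    to (row + 1, col + 1).  Nodes are (row, col) pairs."""
    adj = {(r, c): set() for r in range(l) for c in range(l)}
    for (r, c) in list(adj):
        for dr, dc in ((0, 1), (1, 0), (1, 1)):
            w = (r + dr, c + dc)
            if w in adj:
                adj[(r, c)].add(w)
                adj[w].add((r, c))
    return adj


def sides(l):
    """Top row, bottom row, left column and right column of the grid."""
    top = {(0, c) for c in range(l)}
    bottom = {(l - 1, c) for c in range(l)}
    left = {(r, 0) for r in range(l)}
    right = {(r, l - 1) for r in range(l)}
    return top, bottom, left, right


def connects(adj, alive, src, dst):
    """BFS restricted to the node set 'alive': does a path join src to dst?"""
    queue = deque(v for v in src if v in alive)
    seen = set(queue)
    while queue:
        v = queue.popleft()
        if v in dst:
            return True
        for w in adj[v]:
            if w in alive and w not in seen:
                seen.add(w)
                queue.append(w)
    return False


def is_good(l, coloring, t):
    """Definition from the slides: deleting any t colors (t colluding parties)
    must leave a top-to-bottom and a left-to-right path.  coloring: node -> color."""
    adj = lattice(l)
    top, bottom, left, right = sides(l)
    used = sorted(set(coloring.values()))
    for removed in combinations(used, min(t, len(used))):
        alive = {v for v, col in coloring.items() if col not in removed}
        if not (connects(adj, alive, top, bottom)
                and connects(adj, alive, left, right)):
            return False
    return True


def is_lr_cutset(adj, l, S):
    """lr-cutset: every top-to-bottom path has at least one node in S."""
    top, bottom, _, _ = sides(l)
    return not connects(adj, set(adj) - S, top, bottom)


def minimal_lr_cutsets(l):
    """Minimal lr-cutsets by brute force over node subsets (fine for l <= 3)."""
    adj = lattice(l)
    nodes = list(adj)
    found = []
    for k in range(1, len(nodes) + 1):
        for S in combinations(nodes, k):
            S = frozenset(S)
            if is_lr_cutset(adj, l, S) and all(
                    not is_lr_cutset(adj, l, S - {v}) for v in S):
                found.append(S)
    return found


def np_table(l):
    """NP(k, l): number of minimal lr-cutsets of Gtri(l, l) with k nodes."""
    return Counter(len(S) for S in minimal_lr_cutsets(l))


def is_good_by_lemma1(l, coloring, t):
    """Lemma 1 criterion: every minimal lr-cutset and every minimal tb-cutset
    carries more than t colors.  tb-cutsets are the transposes of lr-cutsets,
    since transposition maps the (1, 1) diagonal onto itself."""
    lr = minimal_lr_cutsets(l)
    tb = [frozenset((c, r) for (r, c) in S) for S in lr]
    return all(len({coloring[v] for v in S}) > t for S in lr + tb)


def count_good_colorings(l, n, t, checker=is_good):
    """Exhaustively count the (n, t) good colorings of Gtri(l, l)."""
    nodes = sorted(lattice(l))
    return sum(1 for cols in product(range(n), repeat=len(nodes))
               if checker(l, dict(zip(nodes, cols)), t))


if __name__ == "__main__":
    print("NP(k, 2):", dict(np_table(2)))                       # {2: 3}
    print("good colorings (definition / Lemma 1):",
          count_good_colorings(2, 3, 1),
          count_good_colorings(2, 3, 1, is_good_by_lemma1))     # 6 6
```

For n=3, t=1, l=2 exactly 6 of the 81 colorings are good under either test, so a random coloring succeeds with probability 2/27 on this toy grid; the minimal lr-cutsets are the two rows and the main diagonal, all of size 2, so NP(2, 2) = 3 and NP(k, 2) = 0 otherwise, consistent with k ranging over [l, l²]. The point of the counting approach is to bound NP(k, l) for large l instead of enumerating it, which is what the walk correspondence on the next slides provides.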
Counting Approach: MCs and Walks
• Next we try to bound the number of MCs w.r.t. their size;
• Desmedt et al.'s insight:
  • For triangular lattices, lr-MC = restricted NAW
  • NAW: neighbor avoiding walk
  • Restricted: the start and end nodes are on the left/right column; no other node lies on the left/right column
Counting Approach: MC and Good Coloring
• So we can bound the number of MCs by bounding the number of walks with respect to the number of steps taken
  • e.g., # of walks = f(# of steps)
• As the theory of self avoiding walks suggests, this number often takes the following form [4]:
  • μ is called the connective constant
• One can establish the following:
  • NAW on triangular lattices: μ ≤ 2.948
  • 3-2 walks on square lattices: μ ≤ 5
Combining MC and NAW Together
• Plugging the walk bound in and after some manipulation, we get:
• So if μt/n < 1 and we set a good parameter l, we have p < 1, which means we have a chance to get a good coloring.
Applying to Square Lattices
• A brief summary of the counting approach:
  • From the relation between MCs and good colorings, we can bound the probability of getting a good coloring;
  • Given the correspondence between MCs and NAWs (on triangular lattices), we bound the # of MCs by bounding the number of NAWs;
• To apply this method to square lattices:
  • The first part can be kept without change;
  • We only need to find a similar correspondence between MCs on square lattices and some kind of "walk".
MC as a Walk on Square Lattices
• Our observation: from Gsqr, we get Gdia by connecting the diagonals of every 1×1 grid. Then we have the following equivalence:
  (Lemma 4) An lr (tb) MC on Gsqr is equivalent to a restricted tb (lr) NAW on Gdia.
MC as a Walk on Square Lattices
• The combinatorial object used to prove the above claim is the unique path. It connects cutsets and paths.
  (Lemma 5) A right-left cutset S is minimal if and only if for all v ∈ S there is some right-left path P_v such that the only node of S on P_v is v. For a node v in a minimal cutset S, such a P_v is called the unique path of v.
Counting Approach: Comparison
• The original work:
  • On triangular lattices
  • Bound the number of NAWs
  • μ = 2.948
  • By ruling out 6-node cycles
  • The bound on t/n is better
• Our work:
  • On square lattices
  • Bound the number of 3-2 walks
  • μ = 5
  • Trivial bound
  • We save com-complexity by removing the diagonals
Counting Approach: Limitations
• Desmedt et al. suggest that μ = 2.948 could be improved
• This makes the lower bound on μ interesting
  • μ > 2, since majority is needed
• Unfortunately, we show that purely improving μ would not give the optimal result
  • μ > 2.414 in the triangular lattice
Counting Approach: Limitations
• Consider the following rule to form a family of NAWs on triangular lattices
  • The walker starts at the origin and only moves left, up or up-right (diagonal).
  • The possible choices of the walker depend on its last move:
• It can be shown that:
  • This is a family of NAWs
  • This family has connective constant 1 + √2
  • Thus this approach has a limitation of 2.414
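The following Python is an added example, not code from the slides, that enumerates the restricted family of NAWs behind the limitation argument: walks from the origin using only left, up and up-right steps, pruned by the neighbor-avoiding rule. The table of which step may follow which is derived from that rule rather than hard-coded, and the growth ratio of the walk counts is compared with 1 + √2. Assumed: the triangular lattice is the square grid plus the up-right diagonal from (x, y) to (x+1, y+1), and "neighbor avoiding" means the new node is unvisited and not adjacent to any visited node other than the current one.

```python
from math import sqrt

# ASSUMPTION: the triangular lattice is the square grid plus the up-right
# diagonal, so every node has these six neighbors.
NEIGHBORS = ((1, 0), (-1, 0), (0, 1), (0, -1), (1, 1), (-1, -1))
# The three steps the slide's rule allows: left, up, up-right diagonal.
MOVES = {"L": (-1, 0), "U": (0, 1), "UR": (1, 1)}


def allowed_steps(path):
    """Steps that keep 'path' neighbor avoiding: the new node must be unvisited
    and not adjacent to any visited node other than the current one."""
    cur, earlier = path[-1], set(path[:-1])
    out = []
    for name, (dx, dy) in MOVES.items():
        nxt = (cur[0] + dx, cur[1] + dy)
        if nxt in earlier:
            continue
        if any((nxt[0] + ex, nxt[1] + ey) in earlier for ex, ey in NEIGHBORS):
            continue
        out.append(name)
    return out


def count_walks(k):
    """Number of k-step walks of the family starting at the origin, found by
    exhaustive extension with the full neighbor-avoiding check at each step."""
    def extend(path, steps_left):
        if steps_left == 0:
            return 1
        total = 0
        for name in allowed_steps(path):
            dx, dy = MOVES[name]
            nxt = (path[-1][0] + dx, path[-1][1] + dy)
            total += extend(path + [nxt], steps_left - 1)
        return total
    return extend([(0, 0)], k)


def transition_rules():
    """Which next steps the rule permits after each last step, derived from a
    two-node path.  For this monotone family the constraint reduces to the
    last move, but count_walks above does not rely on that."""
    return {name: sorted(allowed_steps([(0, 0), step]))
            for name, step in MOVES.items()}


def growth_ratio(k):
    """count_walks(k) / count_walks(k - 1); tends to the connective constant."""
    return count_walks(k) / count_walks(k - 1)


if __name__ == "__main__":
    print(transition_rules())
    print([count_walks(k) for k in range(1, 8)])   # 3, 7, 17, 41, 99, 239, 577
    print(growth_ratio(10), 1 + sqrt(2))
```

The derived table is L → {L, U}, U → {L, U, UR}, UR → {U, UR}: after a left step, an up-right step would land directly above the node left two steps ago, and after a diagonal step, a left step would land directly above it, so both are excluded. The counts 3, 7, 17, 41, 99, … obey a(k) = 2a(k−1) + a(k−2), the Pell recurrence, whose growth rate is 1 + √2 ≈ 2.414; that is the connective constant quoted on the slide, and since these walks are a subset of all NAWs on the lattice, no bound obtained by counting NAWs can push μ below it.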
Analysis and Summary
• Comparison of Current Analyzing Methods
• Summary
Comparison of Current Methods
[Table: comparison of current analyzing methods; only one cell survived extraction: at most t ≤ n/(2.414+ε)]
Summary and Open Problems
• We give a clear exposition of the counting method, and apply it to another setting (square lattices);
• The relation of minimal cutsets to some type of random walk is of particular interest.
• We show the limitation of the approach.
• Open problems:
  • Can we generalize this approach to other types of lattices?
  • We bound the number of random walks on infinite graphs, but random walks on finite graphs are enough.
References
[1] Desmedt, Y., Pieprzyk, J., Steinfeld, R., Wang, H.: On secure multi-party computation in black-box groups. CRYPTO 2007.
[2] Sun, X., Yao, A. C.-C., Tartary, C.: Graph design for secure multiparty computation over non-Abelian groups. ASIACRYPT 2008.
[3] Goldwasser, S.: Multi-party computations: past and present. PODC 1997.
[4] Lin, K.-Y., Hsiao, Y.C.: Self-avoiding walks and related problems. Chinese Journal of Physics 31(6-I), 695–708 (1993).