
Counting Method for Multi-party Computation over Non-abelian Groups

YouMing Qiao (*) and Christophe Tartary (**). *: Institute for Theoretical Computer Science, Tsinghua University, Beijing, China. **: Division of Mathematical Sciences, School of Physical and Mathematical Sciences



  1. Counting Method for Multi-party Computation over Non-abelian Groups
     YouMing Qiao (*) and Christophe Tartary (**)
     *: Institute for Theoretical Computer Science, Tsinghua University, Beijing, China
     **: Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore

  2. Outline
     • Problem Review: MPC on non-Abelian Groups
     • Counting Approach: Improvements and Limitations
     • Analysis of the Approach
     • New Lattices
     • Limitation
     • Summary

  3. Problem Review: MPC on non-Abelian Groups
     • Problem Statement
     • Two Reductions
     • Graph Coloring Problem

  4. MPC: Problem Statement
     Consider the following setting:
     • There are m people, and each holds an input ti
     • They want to compute f(t1, t2, …, tm) = (f1, f2, …, fm) collaboratively
     • At the same time, they don't want others to know their own inputs.
     [Figure: five parties, each holding an input ti and an output fi; one asks for t1 and is answered "Sorry, I've no idea…"]

  5. Motivation
     • A traditional MPC protocol is built on the circuit that computes the function
       • Universal solution: any function can be securely computed;
       • Drawback: high communication complexity, since the circuit size may be large;
     • Yvo Desmedt et al. consider a specific setting of secure computation in [1]
       • Higher level of abstraction: black-box group operation; the protocol is built on the multiplication tree;
       • Achieving better com-complexity: O(n t^2 l(G)) compared with O(t^2 log t NAND(f_G));

  6. MPC on non-Abelian Groups
     • Consider a specific computation
       • Each party holds one input, ti ∈ some group G
       • f(t1, t2, …, tm) = ∏ ti (the sequence of multiplication matters)
     • What we want
       • Black-box: allowed operations are multiplication, inverse and random sampling
       • Parameters: semi-honest adversary and information-theoretic security
     • Basic result
       • Majority is needed to ensure security
       • Reduced to a graph coloring problem

  7. Two Reductions
     • Build protocol on the computation tree
     • Reduce to the secure computation of the node
     • Reduce to the secure coloring of a graph

  8. Graph Coloring Problem
     [Figure: example with n=3, t=1; l=2]
     • An l×l grid, with diagonal edges;
     • A good (n, t) coloring is to
       • Assign n colors to the vertices;
       • Removing any t colors, we still have…
         • One path from top to bottom, and one path from left to right

  9. Counting Approach: Improvements and Limitations
     • Introduction
     • Improvement
     • Limitation

  10. Counting Approach: Introduction
     • Algorithm: random coloring
     • We would like to show that, with good probability, we get a good (n, t) coloring
     • The counting approach was initiated by Desmedt et al. They showed:
       • For any constant R > μ, if t ≤ n/R, there exists a black-box t-private protocol for group multiplication with com-complexity O(n t^2) group elements;
       • Desmedt et al. show that μ = 2.948 on triangular lattices
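The good (n, t) coloring condition of slide 8 and the random-coloring algorithm of slide 10 can be checked directly on small grids. The Python sketch below is an added example, not code from the presentation or the cited papers; it assumes an l×l grid of vertices, one diagonal per cell running from (r, c) to (r+1, c+1), and undirected paths, and all function names are hypothetical.

```python
import random
from itertools import combinations

# Assumed edge set: grid edges plus one diagonal per 1x1 cell, (r, c)-(r+1, c+1).
STEPS = ((0, 1), (1, 0), (0, -1), (-1, 0), (1, 1), (-1, -1))

def has_path(alive, sources, reached):
    """Depth-first search restricted to the surviving vertices in `alive`."""
    stack = [v for v in sources if v in alive]
    seen = set(stack)
    while stack:
        r, c = stack.pop()
        if reached((r, c)):
            return True
        for dr, dc in STEPS:
            w = (r + dr, c + dc)
            if w in alive and w not in seen:  # `alive` only holds in-range vertices
                seen.add(w)
                stack.append(w)
    return False

def is_good_coloring(coloring, n, t):
    """True if, after removing any t of the n colors, a top-to-bottom and a
    left-to-right path both survive (the condition on slide 8)."""
    l = len(coloring)
    for removed in combinations(range(n), t):
        alive = {(r, c) for r in range(l) for c in range(l)
                 if coloring[r][c] not in removed}
        top_bottom = has_path(alive, [(0, c) for c in range(l)],
                              lambda v: v[0] == l - 1)
        left_right = has_path(alive, [(r, 0) for r in range(l)],
                              lambda v: v[1] == l - 1)
        if not (top_bottom and left_right):
            return False
    return True

def estimate_good_probability(n, t, l, trials, seed=0):
    """Fraction of uniformly random colorings that are (n, t) good."""
    rng = random.Random(seed)
    good = 0
    for _ in range(trials):
        coloring = [[rng.randrange(n) for _ in range(l)] for _ in range(l)]
        good += is_good_coloring(coloring, n, t)
    return good / trials

# Constructed 2x2 colorings for n=3, t=1 (the parameters shown on slide 8).
GOOD = [[0, 1], [1, 2]]
BAD = [[0, 1], [2, 0]]  # removing color 0 leaves two non-adjacent vertices

if __name__ == "__main__":
    print(is_good_coloring(GOOD, 3, 1), is_good_coloring(BAD, 3, 1))
    print(estimate_good_probability(n=7, t=1, l=6, trials=500))
```
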

  11. Counting Approach: Our Work
     • First we give an altered exposition of their proof, so that:
       • Some concepts are clarified;
       • The proof can be adapted to square lattices;
     • Then we apply this approach to square lattices:
       • The adversary threshold: μ = 5
       • Com-complexity: saving about 1/3 com-complexity in practice
     • Finally, we show the limitation of this approach:
       • For the counting approach on the triangular lattice, μ > 2.414

  12. Counting Approach: Minimal Cutset
     • Central combinatorial object: minimal cutset
     • A left-to-right cutset is a set of nodes such that each top-to-bottom path has at least one node in this set
     • A minimal lr-cutset is an lr-cutset such that removing any node in this set would destroy the cutset property

  13. Counting Approach: Why MC Matters
     • The minimal cutset is important due to the following relation with (n, t) good colorings:
       (Lemma 1) Given a coloring with n colors, if every minimal cutset contains more than t colors, then it is an (n, t) good coloring;
     • This observation enables us to bound the probability that a random coloring is not an (n, t) good coloring.

  14. Counting Approach: Probabilistic Argument
     • Let NP(k, l) denote the # of minimal lr-cutsets in Gtri(l, l) of size k;
     • For a t-color set I, let px(I) (py(I)) denote the probability that there exists a minimal lr (tb) cutset whose node colors are in I;
     • Summing over k ∈ [l, l^2], px and py, t-color subsets I, the probability p that a random coloring is not (n, t) good is bounded as:

  15. Counting Approach: MCs and Walks
     • Next we try to bound the number of MCs w.r.t. their size;
     • Desmedt et al.'s insight:
       • For triangular lattices, lr MC = restricted NAW
       • NAW: neighbor avoiding walk
       • Restricted: start and end nodes are on the left/right column; no other nodes lie on the left/right column

  16. Counting Approach: MC and Good Coloring
     • So we can bound the number of MCs through bounding the number of walks with respect to the # of steps already taken
       • e.g., # of walks = f(# of steps)
     • As the theory of self avoiding walk suggests, this number often takes the following format [4]:
       • μ is called the connective constant
     • One could establish the following:
       • NAW on triangular lattices, μ ≤ 2.948
       • 3-2 walk on square lattices, μ ≤ 5

  17. Combining MC and NAW Together
     • Plugging into and after some manipulation, we get:
     • So if μt/n < 1 and we set a good parameter for l, we have p < 1, which means we have the chance to get a good coloring.

  18. Applying to Square Lattice
     • A brief summary of the counting approach:
       • From the relation of MC and good coloring, we can bound the probability of getting a good coloring;
       • Given the correspondence between MC and NAW (on the triangular lattice), we bound the # of MCs by bounding the number of NAWs;
     • To apply this method to square lattices:
       • The first part can be kept without changes;
       • We only need to find a similar correspondence between MCs on the square lattice and some kind of "walk".

  19. MC as a Walk on Square Lattices
     • Our observation: from Gsqr, we get Gdia by connecting the diagonals of every 1×1 grid. Then we have the following equivalence:
     • (Lemma 4) lr (tb) MC on Gsqr is equivalent to restricted tb (lr) NAW on Gdia.

  20. MC as a Walk on Square Lattices
     • The combinatorial object used to prove the above claim is the unique path. It connects cutsets and paths.
       (Lemma 5) A right-left cutset S is minimal if and only if for all v ∈ S, there is some right-left path Pv, such that the only node from S on Pv is v.
       For some node v in a minimal cutset S, such a Pv is called the unique path of v.

  21. Counting Approach: Comparison
     • The original work:
       • On triangular lattices
       • Bound the number of NAWs
       • μ = 2.948
       • By ruling out 6 node cycles
       • The bound of t/n is better
     • Our work:
       • On square lattices
       • Bound the number of 3-2 walks
       • μ = 5
       • Trivial bound
       • We save com-complexity by removing the diagonals

  22. Counting Approach: Limitations
     • Desmedt et al. suggest that μ = 2.948 could be improved
     • This makes the lower bound of μ interesting
       • μ > 2 since majority is needed
     • Unfortunately, we show that purely improving μ would not give us an optimal result
       • μ > 2.414 in the triangular lattice

  23. Counting Approach: Limitations
     • Consider the following rule to form a family of NAWs on triangular lattices
       • The walker starts at the origin, and only moves left, up and along the up-right diagonal.
       • The possible choices of the walker depend on its last move:
     • It could be shown that:
       • This is a family of NAWs
       • This family has connective constant 1 + √2
     • Thus this approach has a limitation of 2.414

  24. Analysis And Summary
     • Comparison of Current Analyzing Methods
     • Summary

  25. Comparison of Current Methods at most t ≤ n/(2.414+ε)

  26. Summary and Open Problems
     • We give a clear exposition of the counting method, and apply it to another setting (square lattice);
     • The relation of minimal cutsets with some type of random walk is of particular interest.
     • We show the limitation of the approach.
     • Open problems:
       • Can we generalize this approach to other types of lattices?
       • We bound the number of random walks on infinite graphs. But random walks on finite graphs are enough.

  27. References
     [1] Desmedt, Y., Pieprzyk, J., Steinfeld, R., Wang, H.: On secure multi-party computation in black-box groups. CRYPTO 2007.
     [2] Sun, X., Yao, A.C.-C., Tartary, C.: Graph Design for Secure Multiparty Computation over Non-Abelian Groups. Asiacrypt 2008.
     [3] Goldwasser, S.: Multi-party computations: Past and present. PODC 1997.
     [4] Lin, K.-Y., Hsaio, Y.C.: Self-avoiding walks and related problems. Chinese Journal of Physics 31(6-I), 695–708 (1993).

  28. Questions please
