Post on 03-Jan-2016
Secure Computation (Lecture 5)
Arpita Patra
Recap
>> Scope of MPC
> models of computation
> network models
> modelling distrust (centralized/decentralized adversary)
> modelling adversary
> Various Parameters/questions asked in MPC
>> Defining Security of MPC
> Ideal World & Real world
> Indistinguishability of the view of adversary in real and ideal (with the help of simulator) world
> Indistinguishability of the joint dist. of the output of the honest parties and the view of adversary in real and ideal (with the help of simulator) world.
Ideal World MPC
x1 x2
x3 x4
Any task
(y1,y2,y3,y4) = f(x1,x2,x3,x4)
Ideal World MPC
Any task
y1y2y4y3
The Ideal World
y1 y2
y4y3
The Real World
(y1,y2,y3,y4) = f(x1,x2,x3,x4) (y1,y2,y3,y4) = f(x1,x2,x3,x4)
x1 x2
x3 x4
x1 x2
x3x4
How do you compare Real world with Ideal World?
>> Fix the inputs of the parties, say x1,….xn >> Real world view of adv contains no more info than ideal world view
ViewReali : The view of Pi on input (x1,
….xn) - Leaked Values
{x3, y3, r3, protocol transcript}
The Real World
y1y2
y4
{ViewReali}Pi in C
{x3, y3}
y1y2
y4
The Ideal World
ViewIdeali : The view of Pi on input (x1,
….xn) - Allowed values
{ViewIdeali}Pi in C
Our protocol is secure if the leaked values contains no more info than allowed values
Real world (leaked values) vs. Ideal world (allowed values)
{x3, y3, r3, protocol transcript}
The Real World
y1y2
y4
{x3, y3}
y1y2
y4
The Ideal World
>> If leaked values can be efficiently computed from allowed values.
>> Such an algorithm is called SIMULATOR (simulates the view of the adversary in the real protocol).
>> It is enough if SIM creates a view of the adversary is “close enough” to the real view so that adv. can not distinguish from its real view.
Definition1: View indistinguishability of Adversary in Real and Ideal world
{ViewReali}Pi in C
The Real World
y1y2
y4
{x3, y3}
y1y2
y4
The Ideal World
SIM
Interaction on behalf of the honest parties
SIM: Ideal Adversary
{ViewIdeali}Pi in C
Random Variable/distribution (over the random coins of parties)
Random Variable/distribution (over the random coins of SIM and adv)
{x3, y3, r3, protocol transcript}
Definition 2: Indistinguishability of Joint Distributions of Output and View
>> Joint distribution of output & view of the honest & corrupted parties in both the worlds can not be told apart
OutputReali : The output of Pi on input
(x1,….xn) when Pi is honest.
ViewReali : As defined before when Pi is
corrupted.
The Real World
[ {ViewReali}Pi in C , {OutputReal
i}Pi in H ]
The Ideal World
OutputIdeali : The output of Pi on input
(x1,….xn) when Pi is honest.
ViewIdeali : As defined before when Pi is
corrupted.
[ {ViewIdeali}Pi in C , {OutputIdeal
i}Pi in H ]
>> First note that this def. subsumes the previous definition (stronger)
>> Captures randomized functions as well
Randomized Function and Definition 1
The Real WorldThe Ideal World
>> Is this protocol secure?
The proof says the protocol is secure!
f( , ) = (r , ) r is a random bit
r .
. .
Sample r randomly
. .
Sample r randomly and output
r
No!
{ViewReali}Pi in C
SIMInteraction on behalf of the honest party
Sample and send a random r’
{ViewIdeali}Pi in C
r : r is random r’ : r’ random
Randomized Function and Definition 2
The Real WorldThe Ideal World
>> Is this protocol secure?
The proof says the protocol is insecure!
f( , ) = (r , ) r is a random bit
r .
. .
Sample r randomly
. .
Sample r randomly and output
r
No!
{ViewReali}Pi in C
SIM
{ViewIdeali}Pi in C
[ {ViewReali}Pi in C , {OutputReal
i}Pi in H ][ {ViewIdeali}Pi in C , {OutputIdeal
i}Pi in H ]
[{r’ , r} | r,r’ random and independent] [{r , r} | r random]
Interaction on behalf of the honest party
Sample and send a random r’
Definition 1 is Enough!
{{ViewReali}Pi in C }{x1,.,xn ,
k}
{ {ViewIdeali}Pi in C }{x1,.,xn ,
k}
{{ViewReal
i}Pi in C ,{OutputReali}Pi in H } {x1,..xn , k}{{ViewIdeal
i}Pi in C ,{OutputIdeali}Pi in H }{x1,.,xn , k}
>> For deterministic Functions:
> View of the adversary and output are NOT co-related. > We can separately consider the distributions> Output of the honest parties are fixed for inputs
>> For randomized functions:
> We can view it as a deterministic function where the parties input randomness (apart from usual inputs).
Compute f((x1,r1), (x2,r2)) to compute g(x1,x2;r) where r1+r2 can act as r.
Making Indistinguishability Precise
Notations:o Security parameter k (natural number)o We wish security to hold for all inputs of all lengths, as long as k is
large enough
Definition (Function is negligible): If for every polynomial p() there exists an N such that for all k > N we have (k) < 1/p(k)
Definition (Probability ensemble X={X(a,k)}): o Infinite series, indexed by a string a and natural ko Each X(a,k) is a random variable
In our context: o X(x1,.,xn , k) = { {ViewReal
i}Pi in C }{x1,.,xn , k} (Probability space: randomness of parties)
o Y(x1,.,xn , k) = { {ViewIdeali}Pi in C }{x1,.,xn , k} (Probability space: randomness
of the corrupt parties and simulator)
Computational Indistinguishability
o X(x1,.,xn , k) = { {ViewReali}Pi in C }{x1,.,xn , k} (Probability space: randomness
of parties)o Y(x1,.,xn , k) = { {ViewIdeal
i}Pi in C }{x1,.,xn , k} (Probability space: randomness of the corrupt parties and simulator)
Definition (Computational indistinguishability of X = {X(a,k)} c Y =
{Y(a,k)})
For every polynomial-time distinguisher* D there exists a negligible function such that for every a and all large enough k’s:
|Pr[D(X(a,k) = 1 ] - Pr[D(Y(a,k) = 1 ]| < (k)
For our case a: (x1,.,xn)
Alternative def.AdvD (X,Y) = The prob of D guessing the correct distribution|AdvD (X,Y)| < ½ + (k)
distinguisher D = Real Adv A
Statistical Indistinguishability
o X(x1,.,xn , k) = { {ViewReali}Pi in C }{x1,.,xn , k} (Probability space: randomness
of parties)o Y(x1,.,xn , k) = { {ViewIdeal
i}Pi in C }{x1,.,xn , k} (Probability space: randomness of the corrupt parties and simulator)
Definition (Statistical indistinguishability of X = {X(a,k)} s Y = {Y(a,k)})
For every* distinguisher D there exists a negligible function such that for every a and all large enough k’s:
|Pr[D(X(a,k) = 1 ] - Pr[D(Y(a,k) = 1 ]| < (k)
For our case a: (x1,.,xn)
Alternative def.AdvD (X,Y) = The prob of D guessing the correct distribution|AdvD (X,Y)| < ½ + (k)
May have unbounded power
Perfect Indistinguishability
o X(x1,.,xn , k) = { {ViewReali}Pi in C }{x1,.,xn , k} (Probability space: randomness
of parties)o Y(x1,.,xn , k) = { {ViewIdeal
i}Pi in C }{x1,.,xn , k} (Probability space: randomness of the corrupt parties and simulator)
Definition (Perfect indistinguishability of X = {X(a,k)} P Y = {Y(a,k)})
For every* distinguisher D such that for every a and for all k:
|Pr[D(X(a,k) = 1 ] - Pr[D(Y(a,k) = 1 ]| = 0
For our case a: (x1,.,xn)
Alternative def.AdvD (X,Y) = The prob of D guessing the correct distribution|AdvD (X,Y)| = ½
May have unbounded power
Definition Applies for
Dimension 2 (Networks)
Complete
Synchronous
Dimension 3 (Distrust)
Centralized
Dimension 4 (Adversary)
Threshold/non-threshold
Polynomially Bounded and unbounded powerful
Semi-honest
Static
What is so great about the definition paradigm?
>> One definition for all
> Sum: (x1 + x2 + … + xn) = f(x1, x2, … , xn)
> OT: (- , xb) = f((x1, x2 ), b)
> BA: (y , y, …,y) = f(x1, x2, … , xn): y = majority(x1, x2, … ,
xn)/default value
>> Easy to tweak the ideal world and weaken/strengthen securityReal world protocol achieves whatever ideal world achieves
>> Coming up with the right ideal world is tricky and requires skill
> Will have fun with it in malicious world!
Information Theoretic MPC with Semi-honest Adversary and honest majority [BGW88]
Dimension 2 (Networks)
Complete
Synchronous
Dimension 3 (Distrust)
Centralized
Dimension 4 (Adversary)
Threshold (t)
Unbounded powerful
Semi-honest
Static
Dimension 1 (Models of Computation)
Arithmetic
Michael Ben-Or, Shafi Goldwasser, Avi Wigderson:Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation (Extended Abstract). STOC 1988.
(n, t) - Secret Sharing Scheme [Shamir 1979, Blackley 1979]
Secret s Dealer
(n, t) - Secret Sharing Scheme [Shamir 1979, Blackley 1979]
Secret s Dealer
v1 v2 v3 vn
Sharing Phase
…
(n, t) - Secret Sharing Scheme[Shamir 1979, Blackley 1979]
Secret s Dealer
v1 v2 v3 vn
Sharing Phase
…
Less than t +1 parties have no info’ about the secret
ReconstructionPhase
(n, t) - Secret Sharing Scheme [Shamir 1979, Blackley 1979]
Secret s Dealer
v1 v2 v3 vn
Sharing Phase
…
t +1 parties can reconstruct the secretSecret s
Reconstruction Phase
Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries
Secret x is Shamir-Shared if
x2 x3 xnx1 …
Random polynomial of degree t over Fp s.t p>n
P1 P2 PnP3
Reconstruction of Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries
x2
x3
xn
x1P1
P2
Pn
P3
Pi
The same is done for all Pi
Lagrange’s Interpolation
Shamir-sharing Properties
Property 2: Any t parties have ‘no’ information about the secret. Pr[secret =s before secret sharing] – Pr[secret =s after secret sharing] = 0
Property 1: Any (t+1) parties have ‘complete’ information about the secret.
>> Both proof can be derived from Lagrange’s Interpolation.
Lagrange’s Interpolation
>> Assume that h(x) is a polynomial of degree at most t and C is a subset of Fp of size t+1
>> Poly of degree t
>> At i, it evaluates to 1
>> At any other point, it gives 0.
Theorem: h(x) can be written as
>> Assume for simplicity C = {1,……,t+1}
where
Proof:
Consider LHS – RHS:
Both LHS and RHS evaluates to h(i) for every i in C
Both LHS and RHS has degree at most t
LHS - RHS evaluates to 0 for every i in C and has degree at most t
More zeros (roots) than degree Zero polynomial!
LHS = RHS
Lagrange’s Interpolation
>> Poly of degree t
>> At i, it evaluates to 1
>> At any other point, it gives 0.
Theorem: h(x) can be written as
C = {1,……,t+1}
where
>> are public polynomials
>> are public values, denote by ri
>> Can be written as the linear combination of h(i)s
The combiners are (recombination vector): r1,….rt+1
Property 1: Any (t+1) parties have ‘complete’ information about the secret.
Lagrange’s Interpolation
Property 2: Any t parties have ‘no’ information about the secret. Pr[secret =s before secret sharing] – Pr[secret =s after secret sharing] = 0
Proof: For any secret s from Fp if we sample f(x) of degree at most t randomly s.t. f(0) = s and consider the following distribution for any C that is subset of Fp \ {0} and of size t :
( {f(i)}i in C ) uniform distribution in Fpt
For a fixed s,
If not then two different sets of t+1 values will define the same polynomial
t coefficients from Fpt A unique element from the above
distribution
Lagrange’s Interpolation
Property 2: Any t parties have ‘no’ information about the secret. Pr[secret =s before secret sharing] – Pr[secret =s after secret sharing] = 0
Proof: For any secret s from Fp if we sample f(x) of degree at most t randomly s.t. f(0) = s and consider the following distribution for any C that is subset of Fp \ {0} and of size t :
( {f(i)}i in C ) uniform distribution in Fpt
For a fixed s,
t coefficients from Fpt A unique element from the above
distribution
fs : Fpt Fp
t
Uniform distribution
bijective
Uniform distribution
For every s, uniform dist and independent of dist. of s
Lagrange’s Interpolation
Property 2: Any t parties have ‘no’ information about the secret. Pr[secret =s before secret sharing] – Pr[secret =s after secret sharing] = 0
Proof:
(n,t) Secret Sharing
s : (n,t) Secret Sharing of secret s
For MPC: Linear (n,t) Secret Sharing
s1 s2
c s
s1 s2
c: public constant s
from
from
Linearity: The parties can do the following
Linear
Linearity of (n, t) Shamir Secret Sharing
a1 a2 a3 a
1 2 3
a1 a2
a3 a
b1 b2 b3 b b
b1 b2
b3+ + +
each party does locally
c1 c2 c3
Linearity of (n, t) Shamir Secret Sharing
a1 a2 a3 a
1 2 3
a1 a2
a3 a
b1 b2 b3 b b
b1 b2
b3+ + +
c1 c2 c3 ab
c1 c2
c3
a+b
Addition is Absolutely free
Linearity of (n, t) Shamir Secret Sharing
1 2 3
a1 a2 a3
a1 a2
a3 a
a
c c c
c is a publicly known constant
d1 d2 d3
ca
d1 d2
d3
ca
Multiplication by public constants is Absolutely free
Non-linearity of (n, t) Shamir Secret Sharing
a1 a2 a3
b1 b2 b3 b
a
1 2 3
a1 a2
a3 a
b
b1 b2
b3
d1 d2 d3 ab
d1
d3 d2
ab
Multiplication of shared secrets is not free
Secure Circuit Evaluation
x1 x2 x3 x4
c
y
2 1 5 9
y
3
Secure Circuit Evaluation
Secure Circuit Evaluation
1. (n, t)- secret share each input
2 1 5 9
3
Secure Circuit Evaluation
2 1 5 9
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
3
Secure Circuit Evaluation
3
2 1 5 9
3
48
144
45
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
Secure Circuit Evaluation
2 1 5 9
3
48
Linear gates: Linearity of Shamir Sharing - Non-Interactive
144
45 3
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
Secure Circuit Evaluation
2 1 5 9
3
48 Non-linear gate: Require degree-reduction Technique. Interactive
45
144
3
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
Linear gates: Linearity of Shamir Sharing - Non-Interactive
Secure Circuit Evaluation
2 1 5 9
1. No inputs of the honest parties are leaked.
2. No intermediate value is leaked.
3
48
45
144
Privacy follows (intuitively) because:
3