View
2
Download
0
Category
Preview:
Citation preview
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Secure Multi-Party Computation
Gunnar Kreitz
KTH – Royal Institute of Technologygkreitz@kth.se
October 4 2012
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
Ingredients
I n partiesI n inputs (one per party)I A function f (x1, . . . , xn) to compute
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
Goal (intuitive)
I Parties learn f (x1, . . . , xn)
I Noone learns anything more
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
Example time!
Let’s pick a function
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
The classic examples (Millionaire’s Problem)
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
The classic examples (Mental Poker)
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
The classic examples (Dining Cryptographers)
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
Example time!
Σxi
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
Private Summation (cont’d)
I The protocol does one round of input randomization (blinding)I Then, any (non-private) summation protocol is run on the
blinded inputsI The blinding preserves the sum of the inputsI Information-theoretically secure
Photo by Mirko Tobias Schaefer http://www.flickr.com/photos/gastev/2960556197/, CC BY 2.0Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
Summation Protocol by Example
2
1
3
x ′1 =x1 − r12 − r13 + r21 + r31
x ′2 =x2 + r12 − r21 − r23 + r32
x ′3 =x3 + r13 + r23 − r31 − r32
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
Summation Protocol by Example
2
1
r12
99
3
x ′1 =x1 − r12 − r13 + r21 + r31
x ′2 =x2 + r12 − r21 − r23 + r32
x ′3 =x3 + r13 + r23 − r31 − r32
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
Summation Protocol by Example
2
1r13
%%3
x ′1 =x1 − r12 − r13 + r21 + r31
x ′2 =x2 + r12 − r21 − r23 + r32
x ′3 =x3 + r13 + r23 − r31 − r32
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
Summation Protocol by Example
2
1yy
r21
3
x ′1 =x1 − r12 − r13 + r21 + r31
x ′2 =x2 + r12 − r21 − r23 + r32
x ′3 =x3 + r13 + r23 − r31 − r32
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
Summation Protocol by Example
2
r23
��
1
3
x ′1 =x1 − r12 − r13 + r21 + r31
x ′2 =x2 + r12 − r21 − r23 + r32
x ′3 =x3 + r13 + r23 − r31 − r32
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
Summation Protocol by Example
2
1 eer31
3
x ′1 =x1 − r12 − r13 + r21 + r31
x ′2 =x2 + r12 − r21 − r23 + r32
x ′3 =x3 + r13 + r23 − r31 − r32
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
Summation Protocol by Example
2OO
r321
3
x ′1 =x1 − r12 − r13 + r21 + r31
x ′2 =x2 + r12 − r21 − r23 + r32
x ′3 =x3 + r13 + r23 − r31 − r32
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Problem Statement (sketch)Famous examplesExample protocol
Private Summation Protocol
I Each party Pi with input xi proceeds as follows:1. Send random ri,j to each neighbor Pj
2. Wait for rj,i from each neighbor Pj
3. Compute
x ′i = xi +∑
Pjneighbor
rj,i −∑
Pjneighbor
ri,j
I We could now publish x ′i and still remain private!
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
How to proceed?
I Do we develop protocols for each and every f ?I (Are they all this simple?)I How do we define security?
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Security definitions
I Noone should learn anything but resultI Noone should be able to affect computation in an untoward
way
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
A Trusted Third Party
I Is there someone we all trust?I Can send measurements to the Trusted Third PartyI She performs computation and tells everyone resultI Given a Trusted Third Party, problem is easy
Photo by Matt J. Rider http://www.flickr.com/photos/mjrindewitt/4759429254/, CC BY NC SA 2.0Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Sometimes There is no Trusted Third Party
Photo by Tayrawr Fortune http://www.flickr.com/photos/missfortune/4088429354/, CC BY NC ND 2.0Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Secure?
What do we mean by security?
I In an ideal world, we have a trusted third partyI We want our protocols to be as secure as the ideal worldI Cheating parties must not:
I learn more than they do in the ideal worldI be able to do more than they can in the ideal world
Photo by Thomas Hawk http://www.flickr.com/photos/thomashawk/115213351/, CC BY NC 2.0Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
What is an attack?
Functionality:∑
i xi (mod p). Adversary corrupts party 1.
I Adversary learns x1?I Adversary learns x10?I Adversary learns sum of all other parties’ input?I Adversary learns
∑i<n/2 xi?
I Adversary learns sum, everyone else gets random value? No(pick random x1).
I Adversary ensures result is c?
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
What is an attack?
Functionality:∑
i xi (mod p). Adversary corrupts party 1.
I Adversary learns x1? No.I Adversary learns x10?I Adversary learns sum of all other parties’ input?I Adversary learns
∑i<n/2 xi?
I Adversary learns sum, everyone else gets random value? No(pick random x1).
I Adversary ensures result is c?
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
What is an attack?
Functionality:∑
i xi (mod p). Adversary corrupts party 1.
I Adversary learns x1? No.I Adversary learns x10?I Adversary learns sum of all other parties’ input?I Adversary learns
∑i<n/2 xi?
I Adversary learns sum, everyone else gets random value? No(pick random x1).
I Adversary ensures result is c?
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
What is an attack?
Functionality:∑
i xi (mod p). Adversary corrupts party 1.
I Adversary learns x1? No.I Adversary learns x10? Yes.I Adversary learns sum of all other parties’ input?I Adversary learns
∑i<n/2 xi?
I Adversary learns sum, everyone else gets random value? No(pick random x1).
I Adversary ensures result is c?
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
What is an attack?
Functionality:∑
i xi (mod p). Adversary corrupts party 1.
I Adversary learns x1? No.I Adversary learns x10? Yes.I Adversary learns sum of all other parties’ input?I Adversary learns
∑i<n/2 xi?
I Adversary learns sum, everyone else gets random value? No(pick random x1).
I Adversary ensures result is c?
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
What is an attack?
Functionality:∑
i xi (mod p). Adversary corrupts party 1.
I Adversary learns x1? No.I Adversary learns x10? Yes.I Adversary learns sum of all other parties’ input? No.I Adversary learns
∑i<n/2 xi?
I Adversary learns sum, everyone else gets random value? No(pick random x1).
I Adversary ensures result is c?
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
What is an attack?
Functionality:∑
i xi (mod p). Adversary corrupts party 1.
I Adversary learns x1? No.I Adversary learns x10? Yes.I Adversary learns sum of all other parties’ input? No.I Adversary learns
∑i<n/2 xi?
I Adversary learns sum, everyone else gets random value? No(pick random x1).
I Adversary ensures result is c?
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
What is an attack?
Functionality:∑
i xi (mod p). Adversary corrupts party 1.
I Adversary learns x1? No.I Adversary learns x10? Yes.I Adversary learns sum of all other parties’ input? No.I Adversary learns
∑i<n/2 xi? Yes.
I Adversary learns sum, everyone else gets random value? No(pick random x1).
I Adversary ensures result is c?
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
What is an attack?
Functionality:∑
i xi (mod p). Adversary corrupts party 1.
I Adversary learns x1? No.I Adversary learns x10? Yes.I Adversary learns sum of all other parties’ input? No.I Adversary learns
∑i<n/2 xi? Yes.
I Adversary learns sum, everyone else gets random value? No(pick random x1).
I Adversary ensures result is c?
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
What is an attack?
Functionality:∑
i xi (mod p). Adversary corrupts party 1.
I Adversary learns x1? No.I Adversary learns x10? Yes.I Adversary learns sum of all other parties’ input? No.I Adversary learns
∑i<n/2 xi? Yes.
I Adversary learns sum, everyone else gets random value? No(pick random x1).
I Adversary ensures result is c?
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
What is an attack?
Functionality:∑
i xi (mod p). Adversary corrupts party 1.
I Adversary learns x1? No.I Adversary learns x10? Yes.I Adversary learns sum of all other parties’ input? No.I Adversary learns
∑i<n/2 xi? Yes.
I Adversary learns sum, everyone else gets random value? No(pick random x1).
I Adversary ensures result is c?
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
What is an attack?
Functionality:∑
i xi (mod p). Adversary corrupts party 1.
I Adversary learns x1? No.I Adversary learns x10? Yes.I Adversary learns sum of all other parties’ input? No.I Adversary learns
∑i<n/2 xi? Yes.
I Adversary learns sum, everyone else gets random value? No(pick random x1).
I Adversary ensures result is c? Yes.
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
How Powerful is Our Adversary?
I Two main models of adversary’s evilness:I Passive/semi-honest (Honest-but-curious): follows protocol
but tries to deduce more informationI Active/malicious (Byzantine): arbitrary deviations from
protocol
Image credit: OpenBSD http://www.openbsd.org/art2.htmlGunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
How Powerful is Our Adversary?
I Two main models of adversary’s power:I Computational Security: Probabilistic polynomial timeI Information-Theoretic Security: Unlimited computation time
I In this talk, we consider both notions
Photo by slack12 http://www.flickr.com/photos/slack12/314854035/, CC BY NC ND 2.0Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
One protocol to rule them all
I How can we get around having to design one protocol perfunctionality?
I Something that can evaluate a circuit.
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
One protocol to rule them all
I How can we get around having to design one protocol perfunctionality?
I Something that can evaluate a circuit.
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Main idea
I Keep all intermediary values secret sharedI Evaluate circuit gate by gate, gate inputs and outputs being
secret sharedI Open up values of output gates to everyoneI We’ll need protocols for addition (XOR) and multiplication
(AND)
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Different variations
I Built on Shamir/Verifiable Secret Sharing [BGW88,CCD88]I Built on Oblivious Transfer [GMW87]I Built on Homomorphic Encryption
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Shamir secret sharing
I Math is now in a finite field (“mod a prime”)I Pick a polynomial P(x) of degree t, with P(0) = s
I Knowing evaluations at t + 1 points uniquely determines P(x)I Evaluations at t coordinates ( 6= 0) reveal nothing about s
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Secure computation: addition (XOR)
I Input: two polynomials∗ f (x), g(x) with f (0) = a, g(0) = b
I Output: polynomial∗ h(x) such that h(0) = a+ b
I h(x) = f (x) + g(x) has the right propertyI Party Pi knows f (i), g(i). Need a protocol for her to learn h(i)
I h(i) = f (i) + g(i) — XOR gates can be evaluated locally!
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Secure computation: addition (XOR)
I Input: two polynomials∗ f (x), g(x) with f (0) = a, g(0) = b
I Output: polynomial∗ h(x) such that h(0) = a+ b
I h(x) = f (x) + g(x) has the right propertyI Party Pi knows f (i), g(i). Need a protocol for her to learn h(i)
I h(i) = f (i) + g(i) — XOR gates can be evaluated locally!
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Secure computation: addition (XOR)
I Input: two polynomials∗ f (x), g(x) with f (0) = a, g(0) = b
I Output: polynomial∗ h(x) such that h(0) = a+ b
I h(x) = f (x) + g(x) has the right propertyI Party Pi knows f (i), g(i). Need a protocol for her to learn h(i)
I h(i) = f (i) + g(i) — XOR gates can be evaluated locally!
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Secure computation: addition (XOR)
I Input: two polynomials∗ f (x), g(x) with f (0) = a, g(0) = b
I Output: polynomial∗ h(x) such that h(0) = a+ b
I h(x) = f (x) + g(x) has the right propertyI Party Pi knows f (i), g(i). Need a protocol for her to learn h(i)
I h(i) = f (i) + g(i) — XOR gates can be evaluated locally!
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Secure computation: multiplication (AND)
I Input: two polynomials∗ f (x), g(x) with f (0) = a, g(0) = b
I Output: polynomial∗ h(x) such that h(0) = ab
I h(x) = f (x)g(x) has the right propertyI But, it is a bad choice!I It has degree 2tI It is not uniformly random (e.g., cannot be irreducible)
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Secure computation: multiplication (AND)
I Input: two polynomials∗ f (x), g(x) with f (0) = a, g(0) = b
I Output: polynomial∗ h(x) such that h(0) = ab
I h(x) = f (x)g(x) has the right propertyI But, it is a bad choice!I It has degree 2tI It is not uniformly random (e.g., cannot be irreducible)
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Secure computation: multiplication (AND)
I Input: two polynomials∗ f (x), g(x) with f (0) = a, g(0) = b
I Output: polynomial∗ h(x) such that h(0) = ab
I h(x) = f (x)g(x) has the right propertyI But, it is a bad choice!I It has degree 2tI It is not uniformly random (e.g., cannot be irreducible)
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Secure computation: multiplication (AND) (cont’d)
I h(x) = f (x)g(x)
I To make it uniformly random: add random polynomials withp(0) = 0
I Each party picks one: h′(x) = f (x)g(x) +∑
i pi (x)
I Degree reduction is slightly more involvedI Boils down to evaluating a linear form of the shares and
opening it to each party
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Secure computation: multiplication (AND) (cont’d)
I h(x) = f (x)g(x)
I To make it uniformly random: add random polynomials withp(0) = 0
I Each party picks one: h′(x) = f (x)g(x) +∑
i pi (x)
I Degree reduction is slightly more involvedI Boils down to evaluating a linear form of the shares and
opening it to each party
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Secure computation: multiplication (AND) (cont’d)
I h(x) = f (x)g(x)
I To make it uniformly random: add random polynomials withp(0) = 0
I Each party picks one: h′(x) = f (x)g(x) +∑
i pi (x)
I Degree reduction is slightly more involvedI Boils down to evaluating a linear form of the shares and
opening it to each party
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Is it used?
I Research area going back to the early 80’sI Beautiful resultsI Real-world use?I Not much, yet
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Is it used?
I Research area going back to the early 80’sI Beautiful resultsI Real-world use?I Not much, yet
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Efficiency
I Efficiency is a huge problemI Time to encrypt 128 bytes using AES?I Time to sort 16384 integers?I 3 parties, passive adversary
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Efficiency
I Efficiency is a huge problemI Time to encrypt 128 bytes using AES? 2 seconds [DK10]I Time to sort 16384 integers?I 3 parties, passive adversary
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Efficiency
I Efficiency is a huge problemI Time to encrypt 128 bytes using AES? 2 seconds [DK10]I Time to sort 16384 integers? 3.5 minutes [JKU11]I 3 parties, passive adversary
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Implementations
I Recently, a number of implementation effortsI FairplayMP
http://www.cs.huji.ac.il/project/Fairplay/I Viff http://viff.dk/I Sharemind http://sharemind.cyber.ee/I Sepia http://www.sepia.ee.ethz.ch/
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Real-world use
Gunnar Kreitz Secure Multi-Party Computation
BackgroundSecure Computation
Security ModelGeneric Protocol
Applications
Will it be used?
I Abundance of development environmentsI Moore’s law chipping away at performance issueI Nice security guarantees
Gunnar Kreitz Secure Multi-Party Computation
Recommended