
An Overview of Secure Multiparty Computation

T. E. Bjørstad
The Selmer Center, Department of Informatics
University of Bergen, Norway

Trial lecture for the PhD degree, 2010-02-11


Outline

1 Background
  Motivational example
  Theoretical framework
2 Example: Yao’s Millionaire protocol
3 More advanced protocols
  Useful tools
  What is possible
4 MPC in the real world


The Millionaire Problem

Andrew C. Yao, “Protocols for Secure Computations” (1982).

P(x_i, x_j) = \begin{cases} (0, 0) & \text{if } x_i < x_j, \\ (1, 1) & \text{if } x_i \ge x_j. \end{cases} \qquad (1)


General setting

MPC: m users want to evaluate f(x_1, ..., x_m).
Privacy: user i does not learn anything about x_j, i ≠ j.
Ideal functionality:
1 Each user securely sends their x_i to a trusted third party.
2 Trusted party evaluates f(x_1, ..., x_m).
3 Users receive result from trusted party.

Goal: replace TTP with interactive protocol.
Subproblem: secure two-party computation (2PC), m = 2.


Applications

Participants want or need to collaborate, but do not wish to (or cannot) disclose their private inputs.
- Secure auctions.
- Voting systems.
- Electronic cash.
- Privacy-preserving ...
  ... database access.
  ... optimisation problems.
  ... statistical analysis.

Generally: evaluate arbitrary (polynomial-time) f(·).
Personal or sensitive information, trade secrets, etc.


Security model

Many plausible scenarios:
- Security relative to a computational problem (e.g. RSA) ...
  ... statistical ...
  ... or unconditional (information-theoretical security).
- Adversary may be a passive eavesdropper ...
  ... or actively manipulating the communications channel ...
  ... or control one or many participants!

Goal: secure and efficient protocols, weak assumptions.


Security goals

What do we mean by security? What are the goals?
- Protocol correctness.
- Privacy.
- Verifiability.
- Consistency.
- Fairness.
- Efficiency.
- ... ?


Network model

Likewise, many possible communication models:
- Are participants synchronised?
- Is the network reliable? Is it authenticated? Anonymous?
- Can the adversary alter (drop, delay, inject or modify) traffic?
- Network topology?
  Broadcast channel?
  Direct peer-to-peer channels?


Millionaire problem example (i)

Toy solution (using Yao’s 1982 protocol).
- Alice’s total wealth is i = 4 billion and Bob’s is j = 3 billion.
- Both know that i and j are integers in the range 1–6.
- Alice uses RSA with a key length of N = 10 bits.
  Modulus n = 551 (= 19 · 29).
  Public exponent e = 5, private exponent d = 101.
- Secure, authenticated channel.


Millionaire problem example (ii)

b1 Bob chooses a random integer k < n, e.g. k = 123.
b2 Bob encrypts with Alice’s public key, c = k^e (mod n) = 16.
b3 Bob sets c′ = c − j + 1 = 14 and transmits c′ to Alice.

a1 Alice computes six messages x_k = (c − j + k)^d = (c′ + k − 1)^d (mod n), thus obtaining the values
   x_1 = 14^{101} (mod 551) = 127,
   x_2 = 15^{101} (mod 551) = 250,
   x_3 = 16^{101} (mod 551) = 123,
   x_4 = 17^{101} (mod 551) = 365,
   x_5 = 18^{101} (mod 551) = 113,
   x_6 = 19^{101} (mod 551) = 304.

Note: Alice does not know which x_k corresponds to j.


Millionaire problem example (iii)

a2 Alice picks a random prime p of size N/2 bits, e.g. p = 47.
a3 Alice computes y_k = x_k (mod p), obtaining the sequence
   y_1 = 127 (mod 47) = 33,
   y_2 = 250 (mod 47) = 15,
   y_3 = 123 (mod 47) = 29,
   y_4 = 365 (mod 47) = 36,
   y_5 = 113 (mod 47) = 19,
   y_6 = 304 (mod 47) = 22.

a4 Alice transmits p to Bob, as well as the values y_1, y_2, y_3, y_4, y_5 + 1, y_6 + 1 (thus marking her own wealth in the sequence 33, 15, 29, 36, 20, 23).


Millionaire problem example (iv)

b4 Bob receives p and (z_1, ..., z_6) from Alice. He tests whether k (mod p) is equal to z_j. In our example he finds that k (mod p) = 123 (mod 47) = 29 = z_3. He concludes that i ≥ j.

b5 Bob reports his result to Alice.

Note: Bob does not know at which point Alice started altering the sequence.
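The run above, steps b1 to b5, as an added Python example (not the lecturer's code): it carries the slides' toy parameters through the protocol, accepts any other i, j in 1..6, and includes the pairwise-distance check on the y values that Yao's 1982 paper requires but the slides leave out.

```python
# Added example (not from the lecture): Yao's 1982 millionaire protocol, run with
# the toy RSA key from the slides. Both parties know 1 <= i, j <= RANGE_MAX.
from typing import List, Tuple

N_MOD, E_PUB, D_PRIV = 551, 5, 101   # n = 19 * 29, e = 5, d = 101 (toy key, not secure)
RANGE_MAX = 6                        # wealth is an integer in 1..6 (billions)


def bob_commit(j: int, k: int, n: int = N_MOD, e: int = E_PUB) -> int:
    """Steps b1-b3: encrypt the random k under Alice's public key and shift by j."""
    assert 1 <= j <= RANGE_MAX and 1 <= k < n
    c = pow(k, e, n)            # b2: c = k^e mod n
    return c - j + 1            # b3: c' is the only value Bob sends


def alice_candidates(c_prime: int, d: int = D_PRIV, n: int = N_MOD) -> List[int]:
    """Step a1: x_u = (c' + u - 1)^d mod n for u = 1..RANGE_MAX.
    Exactly one of them (u = j) equals Bob's k, but Alice cannot tell which."""
    return [pow(c_prime + u - 1, d, n) for u in range(1, RANGE_MAX + 1)]


def alice_reduce_and_mark(xs: List[int], i: int, p: int) -> List[int]:
    """Steps a3-a4: reduce every candidate mod p, then add 1 to entries after position i."""
    ys = [x % p for x in xs]
    # Yao's paper requires the y_u to differ pairwise by at least 2 (mod p),
    # otherwise Alice retries with another prime; the slides omit this check.
    for a in range(len(ys)):
        for b in range(a + 1, len(ys)):
            if min((ys[a] - ys[b]) % p, (ys[b] - ys[a]) % p) < 2:
                raise ValueError("y values too close; choose a different prime p")
    return [y + 1 if u > i else y for u, y in enumerate(ys, start=1)]


def bob_decide(k: int, p: int, zs: List[int], j: int) -> bool:
    """Step b4: Bob only looks at position j. Unaltered (== k mod p) means i >= j."""
    return zs[j - 1] == k % p


def run_protocol(i: int, j: int, k: int = 123, p: int = 47) -> Tuple[bool, List[int], List[int]]:
    """One run; returns (Bob's verdict i >= j, Alice's x list, the z list Bob sees)."""
    c_prime = bob_commit(j, k)              # Bob -> Alice
    xs = alice_candidates(c_prime)
    zs = alice_reduce_and_mark(xs, i, p)    # Alice -> Bob (together with p)
    return bob_decide(k, p, zs, j), xs, zs


if __name__ == "__main__":
    result, xs, zs = run_protocol(i=4, j=3)
    print("x:", xs)            # [127, 250, 123, 365, 113, 304] as on the slides
    print("z:", zs)            # [33, 15, 29, 36, 20, 23]
    print("Bob concludes i >= j:", result)
```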


Millionaire problem (redux)

To summarise:
- Protocol assumes that participants are honest. In particular, Bob may lie to Alice in step b5.
- Factoring Alice’s RSA key must be hard. Reductionist security proof not given.
- Alice and Bob need a reliable communication system.
- Computationally expensive, large bandwidth requirements.
- To test for i = j, repeat protocol in reverse.


Correctness and verifiability (i)

Some useful tools for more advanced protocols:
- Commitment schemes.
- Verifiable secret sharing.
- Oblivious transfer.
- Zero-knowledge proofs.
- Homomorphic encryption.


Correctness and verifiability (ii)

Secure commitment scheme:
- A commitment protocol produces a hiding and binding commitment C to the value x.
- The commitment can later be opened by revealing x.

Verifiable secret sharing:
- A t-out-of-m secret sharing scheme generates m shares based on some secret value x.
- Given t shares, it is possible to reconstruct x.
- With fewer than t shares, no information is gained.
- Shamir secret sharing, based on polynomial interpolation.
- Verifiability: should resist a dishonest dealer distributing incorrect shares, and/or participants submitting incorrect shares during reconstruction.


Oblivious transfer

Oblivious Transfer (OT): Wiesner (early 1970s), Rabin (1981).

Fundamental primitive to build MPC protocols.
Simplest form: 1-2 Oblivious Transfer:
1 Alice has two messages m_0, m_1.
2 Bob has a secret bit b.
3 Bob receives m_b.

Alice does not learn b.
Bob does not learn m_{b⊕1}.
1-n OT: Alice has a list of n elements, Bob a secret index.


Oblivious Transfer using RSA

Protocol from Even, Goldreich, Lempel (1985):
Alice’s RSA keys: d and (e, n); Bob’s bit: b.

a1 Alice picks two random messages x_0, x_1, sends to Bob.
b1 Bob picks random message k, computes c = x_b + k^e (mod n), sends c to Alice.
a2 Alice decrypts both possible values of k, k_0 = (c − x_0)^d (mod n) and k_1 = (c − x_1)^d (mod n).
a3 Alice sends (m_0 + k_0) and (m_1 + k_1) to Bob.
b2 Bob knows k_b (but not k_{b⊕1}), and uses it to recover m_b.
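The exchange above, as an added Python example (not from the lecture), instantiated with the same toy key n = 551, e = 5, d = 101; the "random" values x_0, x_1, k and the two messages are fixed constructed inputs so that the run is reproducible, and all sums are taken mod n.

```python
# Added example (not from the lecture): the Even-Goldreich-Lempel 1-2 OT from the
# slide, run with the lecture's toy RSA key. Randomness is fixed for reproducibility.
from typing import Tuple

N_MOD, E_PUB, D_PRIV = 551, 5, 101   # n = 19 * 29, e = 5, d = 101 (toy key, not secure)


def alice_a1(x0: int, x1: int) -> Tuple[int, int]:
    """a1: Alice publishes two random values x_0, x_1 (constructed inputs here)."""
    return x0 % N_MOD, x1 % N_MOD


def bob_b1(b: int, k: int, xs: Tuple[int, int]) -> int:
    """b1: Bob hides his choice b by adding the RSA encryption of a random k to x_b."""
    assert b in (0, 1)
    return (xs[b] + pow(k, E_PUB, N_MOD)) % N_MOD      # c = x_b + k^e mod n


def alice_a2_a3(c: int, xs: Tuple[int, int], m0: int, m1: int) -> Tuple[int, int]:
    """a2/a3: Alice decrypts both candidates; k_b equals Bob's k, k_{1-b} is the
    decryption of an unrelated value. Each message is padded with 'its' key."""
    k0 = pow((c - xs[0]) % N_MOD, D_PRIV, N_MOD)
    k1 = pow((c - xs[1]) % N_MOD, D_PRIV, N_MOD)
    return (m0 + k0) % N_MOD, (m1 + k1) % N_MOD


def bob_b2(b: int, k: int, padded: Tuple[int, int]) -> int:
    """b2: Bob strips k from slot b; slot 1-b stays masked by k_{1-b}, which he never learns."""
    return (padded[b] - k) % N_MOD


def run_ot(m0: int, m1: int, b: int, x0: int = 77, x1: int = 345, k: int = 123) -> Tuple[int, int]:
    """Full exchange. Returns (what Bob recovers at slot b, what he gets if he tries slot 1-b)."""
    xs = alice_a1(x0, x1)
    c = bob_b1(b, k, xs)                        # Bob -> Alice
    padded = alice_a2_a3(c, xs, m0, m1)         # Alice -> Bob
    return bob_b2(b, k, padded), (padded[1 - b] - k) % N_MOD


if __name__ == "__main__":
    got, other = run_ot(m0=42, m1=314, b=1)
    print("Bob chose b=1 and recovered", got)              # 314
    print("His attempt on the other slot yields", other)  # not 42
```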


Feasibility results (i)

What can we accomplish? (Goldreich)

Assuming trapdoor permutations:
- Passive adversary controlling < m users.
- Active adversary controlling < m/2 users.
- Better if “protocol aborted” is not failure.


Feasibility results (ii)

What can we accomplish? (Goldreich)

Assuming private channels:
- Passive adversary controlling < m/2 users.
- Active adversary controlling < m/3 users.
- Better if a broadcast channel also exists.


A real-world example

Secure sealed-bid auction (Bogetoft et al., 2008).
- Used to determine the market clearing price for trading sugar beet contracts between Danish farmers.
- Bids reveal sensitive information about bidders’ economic situation to other farmers and the monopoly buyer.
- Delegating legal responsibility to a trusted auctioneer prohibitively expensive.
- 1229 participants could place bids to sell, buy, or both.
- 25 000 tons of production rights changed owners.


Further Reading

- A. C. Yao. Protocols for secure computation. Proceedings of 27th IEEE Symposium on Foundations of Computer Science, pp. 162–167, 1986.
- O. Goldreich. Foundations of Cryptography. Volume II: Basic Applications. Chapter 7. Cambridge University Press, 2004.
- R. Cramer and I. Damgård. Multiparty Computation, an Introduction. In Contemporary Cryptology, Advanced Courses in Mathematics CRM Barcelona, Birkhäuser.
- P. Bogetoft, D. L. Christensen, I. Damgård, et al. Secure Multiparty Computation Goes Live. Cryptology ePrint Report 2008/068.
