Protocols for Multiparty Coin Toss With Dishonest Majority
Eran Omri, Bar-Ilan University
Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Coin Tossing

A Fundamental Question
What is the minimal bias for multiparty coin-toss?
Coin tossing is a basic primitive in secure computation
◦ Simple to define
◦ Used in many schemes
Optimal bias means optimal fairness
◦ Essential in many tasks in MPC (e.g., fair exchange)
To understand fairness in general secure computation, we must understand the basic task of coin tossing

Our Results at a Glance
We construct multiparty coin-tossing protocols
◦ Tolerating a majority of malicious parties
◦ Minimizing the bias of the adversary
Optimal bias of O(1/r), where r is the number of rounds

Talk Outline
Multiparty Coin-Toss:
◦ Examples and definitions
◦ Previous results
◦ Our results
Reviewing the [Moran, Naor, Segev 09] result
Our Result: Simplified Constructions
Summary and Open Problems

Naive Coin-Toss Protocol
[Diagram: the parties exchange bits a and b; each outputs c ← a ⊕ b]

Naive Coin-Toss Protocol
I want c = 0
[Diagram: the adversary sees b and sends a = b, so c ← a ⊕ b = 0]
c = 0 w.p. 1
Can’t we send messages simultaneously??
No. Not a reasonable assumption!

[Blum 83]’s Coin-Toss Protocol
z ← commit(a)
b
a ← decommit(z)
Both parties output c ← a ⊕ b

[Blum 83]’s Coin-Toss Protocol
z ← commit(a)
b
a ← decommit(z)
I want c = 0
If a = b: c ← a ⊕ b = 0
Otherwise abort: c ← 0 w.p. ½
c = 0 w.p. 3/4
How to react if a party aborts??
The other party outputs a random bit

Secure Coin Toss—The Model
Goal: honest parties agree on a uniform bit
r-round protocol Π
m parties, up to t malicious parties
Rushing adversary
◦ Realistic communication model (do not assume simultaneous exchange)
We assume a broadcast channel
Bias – the maximum advantage of any adversary in the protocol over flipping a fair coin
◦ In Blum’s protocol, the bias is ¼
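
The ¼ bias of Blum's protocol, computed exactly over all coin flips (an added example, not part of the original slides). The SHA-256 commitment and the names `blum_run`, `prob_zero`, `honest` and `wants_zero` are assumptions made for this sketch.

```python
import hashlib
import secrets
from fractions import Fraction
from itertools import product

def commit(bit, nonce):
    # Assumption: hash commitment z = SHA-256(nonce || bit) stands in for commit(a).
    return hashlib.sha256(nonce + bytes([bit])).digest()

def opens_to(z, bit, nonce):
    # Bob's check of the decommitment; binding means only the committed bit passes.
    return secrets.compare_digest(z, commit(bit, nonce))

def blum_run(a, b, fallback, alice_aborts):
    """Return Bob's output for Alice's bit a, Bob's bit b and Bob's fallback coin."""
    nonce = secrets.token_bytes(16)
    z = commit(a, nonce)                 # message 1: z <- commit(a)
    # message 2: Bob sends b, having seen only z
    if alice_aborts(a, b):               # Alice sees b before deciding to open
        return fallback                  # Bob outputs a random bit on abort
    if not opens_to(z, a, nonce):        # message 3: a <- decommit(z)
        return fallback
    return a ^ b                         # c <- a XOR b

def prob_zero(alice_aborts):
    """Exact Pr[Bob outputs 0] over uniform a, b and Bob's fallback coin."""
    outs = [blum_run(a, b, f, alice_aborts) for a, b, f in product((0, 1), repeat=3)]
    return Fraction(outs.count(0), len(outs))

def bias(alice_aborts):
    return abs(prob_zero(alice_aborts) - Fraction(1, 2))

def honest(a, b):
    return False                         # always opens the commitment

def wants_zero(a, b):
    return a != b                        # "I want c = 0": open only if a = b

if __name__ == "__main__":
    print("honest bias:", bias(honest))
    print("abort-attack bias:", bias(wants_zero))
```

The commitment removes the naive protocol's "pick a = b" attack, so the only lever left is the abort, and that alone is worth ¼.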

[Cleve 86]’s Lower Bound
Any r-round 2-party coin-tossing protocol has bias Ω(1/r)
◦ Generalizes to any multiparty protocol with no honest majority
Conclusion: impossible to achieve coin-tossing with a polynomial number of rounds and negligible bias without honest majority

Previous Results
Bias O(t/√r) with m parties, t malicious, and r rounds [ABCGM85,Cl86]
◦ Works by repeating Blum’s protocol r times and taking majority
◦ This is optimal in a natural restricted model [CI93]
Breakthrough: it is possible to achieve 2-party coin-tossing with optimal bias O(1/r) [MNS09]
◦ Matches Cleve’s lower bound and shows that restricted model is restricted

A Fundamental Question
What is the optimal bias for multiparty?
Honest majority: negligible bias [GMW87]
No honest majority:
◦ Lower bound of bias Ω(1/r) for r rounds
◦ Previously known protocol gives O(t/√r) for r rounds

Our results
Goal: bias O(1/r)
O(1/r) bias for any constant number of parties (less than 2/3 of which are malicious)
O(1/r) bias when a “little” more than half the parties are corrupt
◦ These are corollaries of a general construction (see next slide)
Also, when constant fraction of parties are honest, O(1/√r) – improving a factor of t compared to the previous upper bound (t = #malicious)

A Formal Statement of Main Result
Theorem: Multiparty r-round coin-tossing with bias O(2^{2^{k+1}}/r), for m/2 ≤ t < 2m/3
m = #parties, t = #malicious, k = #diff between malicious and honest
Corollaries: Optimal bias of O(1/r) when:
1. m is constant: e.g., with m=5, t=3 has bias 8/(r-O(1)),
2. k is constant: e.g., with m=2t (k=0) has bias 1/(2r-O(1))
Bias of O(t/r) when k is loglog m

A Formal Statement of Results
Theorem: Multiparty r-round coin-tossing with bias O(1/√r), when t is a const. fraction of m (t = #malicious)
Removes t factor from [ABCGM85,Cl86]

The [MNS 09] Construction
r-round 2-party coin-tossing protocol
Special round i*
◦ Parties unknowingly learn the output in round i*
◦ Adversary must guess i* to bias output
i* is uniformly chosen and concealed from the view of the parties
Overall bias O(1/r)
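
[MNS 09] — Online Dealer
[Diagram: in rounds 1, 2, 3, …, r the dealer hands out a_1, b_1, a_2, b_2, a_3, b_3, …, a_r, b_r, with a_i, b_i ∈ {0,1}; final outputs c ← a_r and c ← b_r]
What to do if a party aborts??
If Bob aborts in round i: Alice outputs a_{i-1}
If Alice aborts in round i: Bob outputs b_{i-1}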

[MNS 09] — Online Dealer
• Output bit: c ∈R {0,1}
• Special round: i* ∈R {1,…,r}
• a_i, b_i ∈R {0,1} (for all i < i*)
[Diagram: example run with a_1 = 1, b_1 = 0, a_2 = 0, b_2 = 0, a_3 = 0, b_3 = 1, …, a_{i*-1} = 1, b_{i*-1} = 1, a_{i*} = c, b_{i*} = c, …, a_r = c, b_r = c]
I want c = 0
View is independent of output: No BIAS
Output is fixed: No BIAS
Adversary must guess i*
View at i ≤ i* is independent of i*
Bias O(1/r)
BIAS !!
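
The special-round idea above, evaluated exactly for one abort strategy against the online dealer (an added example, not part of the original slides); for this strategy the advantage shrinks roughly as 1/(2r). Assumptions of this sketch: Alice is the rushing adversary and sees a_i before Bob receives b_i, Bob's fallback for an abort in round 1 is a uniform bit b_0, and all function names are illustrative.

```python
from fractions import Fraction
from itertools import product

def deal(r, i_star, c, rnd):
    """Online dealer's bits: random before i*, equal to c from i* on.
    rnd = (b_0, a_1, b_1, ..., a_{i*-1}, b_{i*-1}) are the pre-i* coin flips;
    b_0 (Bob's output if Alice aborts in round 1) is an assumption of this sketch."""
    a = [None] + [rnd[2 * i - 1] if i < i_star else c for i in range(1, r + 1)]
    b = [rnd[0]] + [rnd[2 * i] if i < i_star else c for i in range(1, r + 1)]
    return a, b

def bob_output(r, i_star, c, rnd, abort_rule):
    """Rushing Alice sees a_i first; if she aborts in round i, Bob outputs b_{i-1}."""
    a, b = deal(r, i_star, c, rnd)
    for i in range(1, r + 1):
        if abort_rule(a[1:i + 1]):       # Alice's view so far: a_1..a_i
            return b[i - 1]
    return b[r]                          # no abort: Bob outputs b_r = c

def prob_zero(r, abort_rule):
    """Exact Pr[Bob outputs 0], enumerating i*, c and all pre-i* coin flips."""
    total = Fraction(0)
    for i_star, c in product(range(1, r + 1), (0, 1)):
        n = 2 * i_star - 1
        weight = Fraction(1, 2 * r * 2 ** n)
        for rnd in product((0, 1), repeat=n):
            if bob_output(r, i_star, c, rnd, abort_rule) == 0:
                total += weight
    return total

def bias(r, abort_rule):
    return abs(prob_zero(r, abort_rule) - Fraction(1, 2))

def honest(view):
    return False                         # never aborts

def abort_on_first_one(view):
    return view[-1] == 1                 # "I want c = 0": quit when a 1 shows up

if __name__ == "__main__":
    for r in (2, 4, 8):
        print(r, bias(r, honest), bias(r, abort_on_first_one))
```

An abort before or at i* hands Bob a bit that is independent of the adversary's view, so the strategy only gains when no abort happens and c = 0, which is what keeps the advantage proportional to 1/r.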

[MNS 09] — Omitting the Dealer
Preprocessing protocol
• Output bit: c ∈R {0,1}
• Special round: i* ∈R {1,…,r}
• a_i, b_i ∈R {0,1} (for all i < i*)
Use secret sharing: each a_i is split into shares a_i^A, a_i^B and each b_i into shares b_i^A, b_i^B
[Diagram: share lists a_1^A, a_2^A, a_3^A, …, a_r^A; b_1^A, b_2^A, b_3^A, …, b_r^A; a_1^B, a_2^B, a_3^B, …, a_r^B; b_1^B, b_2^B, b_3^B, …, b_r^B. Messages exchanged in rounds 1, 2, 3, …, i*-1, i*, …, r: a_i^B and b_i^A]
To restrict adv. to aborting — all shares are authenticated

[MNS 09] — Omitting the Dealer
Preprocessing protocol
• Output bit: c ∈R {0,1}
• Special round: i* ∈R {1,…,r}
• a_i, b_i ∈R {0,1} (for all i < i*)
Compute secret sharing: shares a_i^A, a_i^B of each a_i and shares b_i^A, b_i^B of each b_i
Preprocessing?? Both parties get output?? But, How??
Answer: NO, only guarantee “Security With Abort”
◦ Adversary learns output, then may deny output from honest party.
No harm: preprocessing reveals nothing to adversary
Constant number of rounds [Lindell 2003]
An Imam,
and a Priest
go on the same flight…
Just a Second….a Rabbi

Extending to the Multiparty Setting
Two ways we extend MNS:
1. Simulation — One subset simulating Alice, the other simulating Bob
2. Generalization — giving a bit to subsets of parties in each round. Before i*, bits are independent. From i* on, all bits are the same bit.

When Simulation Works— m=4,t=2
I want c = 0
• Output bit: c ∈R {0,1}
• Special round: i* ∈R {1,…,r}
• a_i, b_i ∈R {0,1} (for all i < i*)
[Diagram: example run with a_1 = 0, b_1 = 1, a_2 = 0, b_2 = 0, …, a_{i*} = c, b_{i*} = c, …, a_r = c, b_r = c]
If Bob aborts in round i, the Alices output a_{i-1}
Attack: If a_1 = 0 Bob aborts in round 2
Constant Bias!
Observation: At least two parties are honest.
Either Bob is honest or there is an honest majority of Alices

4 Parties 2 Malicious — With Shares
• Output bit: c ∈R {0,1}
• Special round: i* ∈R {1,…,r}
• a_i, b_i ∈R {0,1} (for all i < i*)
Use 2-out-of-3 secret sharing of a_i: a_i^1, a_i^2, a_i^3
[Diagram: Bob's bits b_1 = 0, b_2 = 0, …, b_{i*} = c, …, b_r = c; shares of the Alices' bits (a_1^1, a_1^2, a_1^3), (a_2^1, a_2^2, a_2^3), …, (a_{i*}^1, a_{i*}^2, a_{i*}^3), …, (a_r^1, a_r^2, a_r^3)]
Reconstructing a_i — only when needed
Dealer: go on unless two parties abort

Reconstruction
[Diagram: Bob's bit b_{i-1}; the shares a_{i-1}^1, a_{i-1}^2, a_{i-1}^3]
Reconstruction upon abort in round i:
Case 1: Two Alices aborted. Bob is honest. Sends b_{i-1} to third Alice
Case 2: Bob aborted. Remaining Alices (at least two) reconstruct a_{i-1}
Requires signatures (limiting adversary to aborts)

Omitting the Dealer
We described a protocol with a trusted dealer
Does not exist in real-life
How to eliminate the dealer?
◦ To be answered in a few slides…

5-Party Protocol with 3 Malicious
[Diagram: parties A, B, C, D, E; m=5, t=3]
Overview: r-round protocol with an online dealer
• In round i: each subset S of size 2 or 3 gets a bit σ_i^S
  • Each bit is shared with threshold 2.
• Dealing with aborts in round i: Reconstruct the bit of round i-1
  • E.g., if A, B abort — C, D, E reconstruct σ_{i-1}^{CDE}
  • E.g., if A, B, C abort — D, E reconstruct σ_{i-1}^{DE}

Preprocessing
Dealer randomly selects:
• Output c, special round i*
• Random bits for i<i* (for all pairs, triples) (bits for i≥i* are set to c)
• Shares for every bit (all shares are signed)
  • For pairs: in 2-out-of-2 SSS
  • For triples: in 2-out-of-3 SSS

Interaction Rounds
In round i:
• Dealer continues if 4 parties are still active
  • Give party p its share for each bit σ_i^S with p ∈ S (a pair or triplet)
• If less than 4 parties are active:
  • Dealer halts
  • Active parties (set S) reconstruct σ_{i-1}^S

Reconstruction
[Diagram: parties A, B, C, D, E; m=5, t=3]
Dealer halts: at most 3 active parties.
• At least 2 are honest!
• A and D can reconstruct bit σ_{i-1}^{ACD} (threshold 2)
• Adversary could not see σ_{i-1}^{ACD}
• Before i* abort is independent of reconstructed bit

Security:
[Diagram: parties A, B, C, D, E; m=5, t=3]
• Adversary must guess i* to bias output!!
• Adversary can see 10 bits in each round i (If not all equal, then i<i*)
  • Once in every 2^9 rounds they are all the same
  • Probability to guess i* ≤ 2^9/r (Improved later)

Omitting the Dealer
To turn into an off-line dealer: Clever use of another layer of secret sharing
To omit the off-line dealer: Preprocessing protocol (requires only security with abort)

Omitting the Dealer—Preprocessing
1. Simulate dealer’s preprocessing (inner secret sharing)
• Compute c, i*, bits for all subsets, rounds
• Compute shares for all bits
2. Share info (for each round) – in 4-out-of-5 SSS (outer secret sharing)
• Adversary cannot reconstruct (4=t+1)
• As long as 4 active protocol can go on

Omitting the Dealer — Round i
• If there are 4 active parties:
  • Send shares of outer secret sharing (4-out-of-5)
  • Each party learns its shares of appropriate bits (of inner secret sharing)
• If at least 2 parties aborted (cannot continue): Reconstruct bit (same as with online dealer)

Omitting the Dealer—Correctness
• In each round i parties hold the same information as with online dealer (due to outer secret sharing)
• To halt computation (prevent reconstruction) 2 must abort.
• Adversary can see the same bits after round i as with online dealer

Implementing the Preprocessing
1. Security with abort (constant round [Pass04]) with cheat detection
2. Cheat detection: All honest parties identify a cheater
• Continue without it
• Can be repeated at most twice
Abort in preprocessing is independent of output

Final construction
Combining ideas (simulation, generalization):
◦ Number of subsets depends on k = 2t-m (gap between honest and malicious)
◦ Bound on bias 2^{2^{k+1}}/r (rather than 2^{2^t}/r)

Summary
Optimal O(1/r) bias for any constant number of parties (less than 2/3 of which are malicious)
Optimal O(1/r) bias when a “little” more than half the parties are corrupt
r = #rounds in the protocol

Open Problems
1. Improve dependency on k, prove lower bounds (k = #malicious - #honest)
2. Open joke: An Imam, a Rabbi and a Priest go on the same flight…
The engine breaks. Someone needs to go… They toss a fair coin. But how fair can it be…??!!
Is O(1/r) bias possible when t ≥ 2m/3? Specifically, 2 malicious out of 3 parties