45
Protocols for Multiparty Coin Toss With Dishonest Majority Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Protocols for Multiparty Coin Toss With Dishonest Majority

  • Upload
    neci

  • View
    48

  • Download
    0

Embed Size (px)

DESCRIPTION

Protocols for Multiparty Coin Toss With Dishonest Majority. Eran Omri, Bar-Ilan University. Joint work with Amos Beimel and Ilan Orlov, BGU . Ilan Orlov …!??!!. Coin Tossing. A Fundamental Question. What is the minimal bias for multiparty coin-toss ? - PowerPoint PPT Presentation

Citation preview

Page 1: Protocols for Multiparty Coin Toss With Dishonest Majority

Protocols for Multiparty Coin Toss With Dishonest Majority

Eran Omri, Bar-Ilan University

Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Page 2: Protocols for Multiparty Coin Toss With Dishonest Majority

2

Coin Tossing

Page 3: Protocols for Multiparty Coin Toss With Dishonest Majority

3

What is the minimal bias for multiparty coin-toss?

Coin tossing is a basic primitive in secure computation◦ Simple to define◦ Used in many schemes

Optimal bias means optimal fairness◦ Essential in many tasks in MPC (e.g., fair exchange)

To understand fairness in general secure computation, we must understand the basic task of coin tossing

A Fundamental Question

Page 4: Protocols for Multiparty Coin Toss With Dishonest Majority

4

We construct multiparty coin-tossing protocols◦ Tolerating a majority of malicious parties◦ Minimizing the bias of the adversary

Optimal bias of O(1/r), where r is the number of rounds

Our Results in a Glance

Page 5: Protocols for Multiparty Coin Toss With Dishonest Majority

Multiparty Coin-Toss:◦ Examples and definitions◦ Previous results◦ Our results

Reviewing the [Moran, Naor, Segev 09] result

Our Result: Simplified Constructions

Summary and Open Problems

Talk Outline

5

Page 6: Protocols for Multiparty Coin Toss With Dishonest Majority

6

Naive Coin-Toss Protocol

b

a

c a ⊕ b c a ⊕ b

Page 7: Protocols for Multiparty Coin Toss With Dishonest Majority

7

Naive Coin-Toss ProtocolI want c = 0

c = 0 w.p. 1

b

a = b

c a ⊕ b = 0

Can’t we send messages simultaneously??

No. Not a reasonable assumption!

Page 8: Protocols for Multiparty Coin Toss With Dishonest Majority

8

[Blum 83]’s Coin-Toss Protocol

z commit(a)

b

a decommit(z)

c a ⊕ b c a ⊕ b

Page 9: Protocols for Multiparty Coin Toss With Dishonest Majority

9

[Blum 83]’s Coin-Toss Protocol

z commit(a)

b

a decommit(z)

I want c = 0

If a = b

Otherwise abort

c = 0 w.p. 3/4How to react if a party aborts??The other party outputs a random bit

c a ⊕ b = 0

c 0 w.p. ½

Page 10: Protocols for Multiparty Coin Toss With Dishonest Majority

10

Goal: honest parties agree on a uniform bit r-round protocol Π m parties, up to t malicious parties Rushing adversary

◦ Realistic communication model (do not assume simultaneous exchange)

We assume a broadcast channel

Bias – the maximum advantage of any adversary in the protocol over flipping a fair coin◦ In Blum’s protocol, the bias is ¼

Secure Coin Toss—The Model

Page 11: Protocols for Multiparty Coin Toss With Dishonest Majority

11

Any r-round 2-party coin-tossing protocol, has bias Ω(1/r)◦ Generalizes to any multiparty protocol with no

honest majority

Conclusion: impossible to achieve coin-tossing with a polynomial number of rounds and negligible bias without honest majority

[Cleve 86]’s Lower Bound

Page 12: Protocols for Multiparty Coin Toss With Dishonest Majority

12

Bias O(t/ r) with m parties, t malicious, and r rounds [ABCGM85,Cl86]◦ Works by repeating Blum’s protocol r times and

taking majority◦ This is optimal in a natural restricted model [CI93]

Breakthrough: it is possible to achieve 2-party coin-tossing with optimal bias O(1/r ) [MNS09]◦ Matches Cleve’s lower bound and shows that

restricted model is restricted

Previous Results

Page 13: Protocols for Multiparty Coin Toss With Dishonest Majority

13

What is the optimal bias for multiparty?

Honest majority: negligible bias [GMW87]

No honest majority:◦ Lower bound of bias Ω(1/r) for r rounds◦ Previously known protocol gives O(t/ r) for r

rounds

A Fundamental Question

Page 14: Protocols for Multiparty Coin Toss With Dishonest Majority

14

Goal: bias O(1/r)

O(1/r) bias for any constant number of parties (less than 2/3 of which are malicious)

O(1/r) bias when a “little” more than half the parties are corrupt◦ These are corollaries of a general construction (see next

slide)

Also, when constant fraction of parties are honest, O(1/ r ) – improving a factor of t compared to the previous upper bound (t =#malicious)

Our results

Page 15: Protocols for Multiparty Coin Toss With Dishonest Majority

15

Theorem: Multiparty r-round coin-tossingwith bias O(22k+1/r), for m/2 ≤ t < 2m/3m= #parties, t = #malicious,k = #diff between malicious and honest

Corollaries: Optimal bias of O(1/r) when:

1. m is constant: e.g., with m=5, t=3 has bias 8/(r-O(1)), 2. k is constant: e.g., with m=2t (k=0) has bias 1/(2r-O(1))

Bias of O(t/r) when k is loglog m

A Formal Statement of Main Result

Page 16: Protocols for Multiparty Coin Toss With Dishonest Majority

16

Theorem: Multiparty r-round coin-tossingwith bias O(1/ ), when t is a const. fraction of m (t = #malicious)

Removes t factor from [ABCGM85,Cl86]

A Formal Statement of Results

r

Page 17: Protocols for Multiparty Coin Toss With Dishonest Majority

Multiparty Coin-Toss:◦ Examples and definitions◦ Previous results◦ Our results

Reviewing the [Moran, Naor, Segev 09] result

Our Result: Simplified Constructions

Summary and Open Problems

Talk Outline

17

Page 18: Protocols for Multiparty Coin Toss With Dishonest Majority

18

r-round 2-party coin-tossing protocol

Special round i* ◦ Parties unknowingly learn the output in round i*◦ Adversary must guess i* to bias output

i* is uniformly chosen and concealed by the view of the parties

Overall bias O(1/r)

The [MNS 09] Construction

Page 19: Protocols for Multiparty Coin Toss With Dishonest Majority

19

[MNS 09] — Online Dealer

What to do if a party aborts??

If Bob aborts in round i: Alice outputs ai-1If Alice aborts in round i: Bob outputs bi-1

1b

ra

2a1a

3a2b3b

rb

ai,bi ∈ {0,1}

rbc rac

Page 20: Protocols for Multiparty Coin Toss With Dishonest Majority

20

i*

[MNS 09] — Online Dealer

01 b

car

02 a03 a

02 b13 b

cbr

• Output bit: c ∈R {0,1}

• Special round: i* ∈ R {1,…,r }• ai,bi ∈ R {0,1} (for all i<i* )

cai *cbi *

11 *ia11 *ib

11 a

I want c = 0

View is independent

of output

No BIAS

Output is fixed

No BIAS

Adversary must guess i*View at i ≤ i* is independent of i*Bias O(1/r)

BIAS !!

Page 21: Protocols for Multiparty Coin Toss With Dishonest Majority

21

Preprocessing protocol

i*

[MNS 09] — Omitting the Dealer

Ab1

Br

a

Ba2Ba3

Ab2Ab3

Ar

b

• Output bit: c ∈R {0,1} • Special round: i* ∈ R {1,…,r }• ai,bi ∈ R {0,1} (for all i<i*)

Bi

a*

Ai

b*

Bi

a1*

Ai

b1*

Ba1

Use secret sharing:ibbb B

iAii

iaaa Bi

Aii

Ar

A

A

A

a

aaa

3

2

1

Ar

A

A

A

b

bbb

3

2

1

Br

B

B

B

a

aaa

3

2

1

Br

B

B

B

b

bbb

3

2

1

To restrict adv. to aborting — all shares are authenticated

Page 22: Protocols for Multiparty Coin Toss With Dishonest Majority

22

[MNS 09] — Omitting the DealerPreprocessing

protocol• Output bit: c ∈R {0,1} • Special round: i* ∈ R {1,…,r }• ai,bi ∈ R {0,1} (for all i<i*)

Compute secret sharing:ibbb B

iAii

iaaa Bi

Aii

Preprocessing?? Both parties get output?? But, How??

Answer: NO, only guarantee “Security With Abort” ◦ Adversary learns output, then may deny output from honest

party.

No harm: preprocessing reveals nothing to adversary

Constant number of rounds [Lindell 2003]

Page 23: Protocols for Multiparty Coin Toss With Dishonest Majority

Multiparty Coin-Toss:◦ Examples and definitions◦ Previous results◦ Our results

Reviewing the [Moran, Naor, Segev 09] result

Our Result: Simplified Constructions

Summary and Open Problems

Talk Outline

23

Page 24: Protocols for Multiparty Coin Toss With Dishonest Majority

24

An Imam,

and a Priest

go on the same flight…

Just a Second….a Rabbi

Page 25: Protocols for Multiparty Coin Toss With Dishonest Majority

Two ways we extend MNS:

1. Simulation — One subset simulating Alice, the other simulating Bob

2. Generalization — giving a bit to subsets of parties in each round. Before i* bits are independent. From i* bits are all the same bit.

Extending to the Multiparty Setting

25

Page 26: Protocols for Multiparty Coin Toss With Dishonest Majority

26

i*

When Simulation Works— m=4,t=2

I want c = 0

11 b

car

02 a02 b

cbr

cai *cbi *

01 a

If Bob aborts in round i Alices output ai-1Attack: If a1= 0 Bob aborts in round 2Constant Bias!

• Output bit: c ∈R {0,1} • Special round: i* ∈ R {1,…,r}• ai,bi ∈ R {0,1} (for all i<i* )

Observation: At least two parties are honest.Either Bob is honest or There is an honest majority of Alices

Page 27: Protocols for Multiparty Coin Toss With Dishonest Majority

27

4 Parties 2 Malicious — With Shares

i*

01 b02 b

cbr

cbi *

Reconstructing ai — only when neededDealer: go on unless two parties abort

• Output bit: c ∈R {0,1} • Special round: i* ∈ R {1,…,r}• ai,bi ∈ R {0,1} (for all i<i* )

Use 2-out-of-3 secret sharingof ai:

1ia 2

ia 3ia

11a 2

1a 31a

12a 2

2a 32a

1*ia 2

*ia 3*ia

1ra 2

ra 3ra

Page 28: Protocols for Multiparty Coin Toss With Dishonest Majority

28

Reconstruction

1ib

Reconstruction upon abort in round i :Case 1: Two Alices aborted. Bob is honest. Sends bi-1 to third AliceCase 2: Bob aborted.

Remaining Alices (at least two) reconstruct ai-1 Requires signatures (limiting adversary to

aborts)

11ia 2

1ia 31ia

Page 29: Protocols for Multiparty Coin Toss With Dishonest Majority

We described a protocol with a trusted dealer

Does not exist in real-life

How to eliminate the dealer?◦ To be answered in a few slides…

Omitting the Dealer

29

Page 30: Protocols for Multiparty Coin Toss With Dishonest Majority

Two ways we extend MNS:

1. Simulation — One subset simulating Alice, the other simulating Bob

2. Generalization — giving a bit to subsets of parties in each round. Before i* bits are independent. From i* bits are all the same bit.

Extending to the Multiparty Setting

30

Page 31: Protocols for Multiparty Coin Toss With Dishonest Majority

5-Party Protocol with 3 Malicious

Overview: r-round protocol with an online dealer•In round i: each subset S of size 2 or 3 gets a bit • Each bit is shared with threshold 2.

•Dealing with aborts in round i: Reconstruct the bit of round i-1• E.g., if A, B abort — C, D, E reconstruct • E.g., if A, B, C abort — D, E reconstruct

B CA D E

CDEiσ 1DEiσ 1

m=5, t=3

31

Siσ

Page 32: Protocols for Multiparty Coin Toss With Dishonest Majority

PreprocessingDealer randomly selects:• Output c, special round i*• Random bits for i<i* (for all pairs, triples) (bits for i≥i* are set to c)• Shares for every bit (all shares are signed)• For pairs: in 2-out-of-2 SSS• For triples: in 2-out-of-3 SSS

32

Page 33: Protocols for Multiparty Coin Toss With Dishonest Majority

Interaction RoundsIn round i:•Dealer continues if 4 parties are still active • Give party p its share for each bit p ∈ S (a pair or triplet)

•If less than 4 parties are active:• Dealer halts• Active parties (set S ) reconstruct

33

Siσ 1

Siσ

Page 34: Protocols for Multiparty Coin Toss With Dishonest Majority

Reconstruction

Dealer halts at most 3 active parties. • At least 2 are honest!• A and D can reconstruct bit (threshold 2) • Adversary could not see

• Before i* abort is independent of reconstructed bit

B C

ACDi 1

A D E

m=5, t=3

34

ACDiσ 1

Page 35: Protocols for Multiparty Coin Toss With Dishonest Majority

Security:

•Adversary must guess i* to bias output!!

•Adversary can see 10 bits in each round i (If not all equal, then i<i* )

• Once in every 29 rounds they are all the same• Probability to guess i* ≤ 29/r (Improved later)

B CA D E

m=5, t=3

35

Page 36: Protocols for Multiparty Coin Toss With Dishonest Majority

36

Omitting the Dealer

To turn into an off-line dealer: Clever use of another layer of secret sharing

To omit the off-line dealer: Preprocessing protocol (requires only security with abort)

Page 37: Protocols for Multiparty Coin Toss With Dishonest Majority

Omitting the Dealer—Preprocessing

1. Simulate dealer’s preprocessing• Compute c, i*, bits for all subsets, rounds• Compute shares for all bits

(inner secret sharing)

2. Share info (for each round) – in 4-out-of-5 SSS• Adversary cannot reconstruct (4=t+1)• As long as 4 active protocol can go on

(outer secret sharing)

37

Page 38: Protocols for Multiparty Coin Toss With Dishonest Majority

Omitting the Dealer — Round i • If there are 4 active parties:• Send shares of outer secret sharing

(4-out-of-5)

• Each party learns its shares of appropriate bits(of inner secret sharing)

• If at least 2 parties aborted (cannot continue) Reconstruct bit

(same as with online dealer)38

Page 39: Protocols for Multiparty Coin Toss With Dishonest Majority

Omitting the Dealer—Correctness

• In each round i parties hold the same information as with online dealer(due to outer-secret-sharing)

• To halt computation (prevent reconstruction) 2 must abort.

• Adversary can see the same bits after round i as with online dealer

39

Page 40: Protocols for Multiparty Coin Toss With Dishonest Majority

Implementing the Preprocessing

1. Security with abort (constant round [Pass04]) with cheat detection

2. Cheat detection: All honest parties identify a cheater • Continue without it • Can be repeated at most twice

Abort in preprocessing is independent of output

40

Page 41: Protocols for Multiparty Coin Toss With Dishonest Majority

Combining ideas (simulation, generalization):

◦Number of subsets depends on k = 2t-m (gap between honest and malicious)

◦Bound on bias (rather than )

Final construction

r

k 122

r

t22

41

Page 42: Protocols for Multiparty Coin Toss With Dishonest Majority

Multiparty Coin-Toss:◦ Examples and definitions◦ Previous results◦ Our results

Reviewing the [Moran, Naor, Segev 09] result

Our Result: Simplified Constructions

Summary and Open Problems

Talk Outline

42

Page 43: Protocols for Multiparty Coin Toss With Dishonest Majority

43

Optimal O(1/r) bias for any constant number of parties (less than 2/3 of which are malicious)

Optimal O(1/r) bias when a “little” more than half the parties are corrupt

r= #rounds in the protocol

Summary

Page 44: Protocols for Multiparty Coin Toss With Dishonest Majority

44

1. Improve dependency on k, prove lower bounds k= #malicious - #honest

2. Open joke: An Imam, a Rabbi and a Priest go on the same flight…

The engine breaks. Someone needs to go… They toss a fair coin. But how fair can it be…??!!

Is O(1/r) bias possible when t ≥ 2m/3? Specifically, 2 malicious out of 3 parties

Open Problems

Page 45: Protocols for Multiparty Coin Toss With Dishonest Majority

45

[email protected]

Thank You!!!