Upload
securityxploded
View
410
Download
2
Embed Size (px)
Citation preview
Introduction to SMPCJitendra Kumar Patel Saturday, January 30, 2016
Secure Multi-Party Computation
Jitendra Patel ... ?
M.Tech from International Institute of Information Technology, Bangalore (Pursuing)
Experience in Teaching ( 3+ years)
Worked as an Offline Instructor at Innobuzz Knowledge Solutions - Delhi, Classroom faculty at Oviyans Infotech – Indore, Trainer at Osinfotech – Indore, Performance Engineering R&D at RedHat, Bangalore.
Research interest in Ethical Hacking, Network Security, Reverse Engineering, Wireless Security, Technical Analysis, Bitcoin Blockchain Technology, SMPC
Tech Enthusiast
Agenda of the Talk ... ?StoryWhat is Secure Multi Party Computation ?The Millionaires Problem and Few real world problemsAdversary classification Issues and desirable properties from SMPCFew SMPC Terminologies/TechniquesWhat is next ?
Should I invite her for a cup of coffee… ?
Alice and Bob meet accidentally. Both don’t know India. Both are tourists.
Bob is lost. He would like to ask Alice for the way to his guest house. And maybe whether she would like to drink a hot coffee with him. But he doesn’t know her. And if she says no? “I would ask her, if
only I knew that she would accept”, he thinks. But he is shy. Too shy.
Alice is lost as well. She would like to ask Bob for the way to the hostel. And maybe whether Bob would not be willing to accompany her. It’s already getting dark. She would of course then invite him
for a cup of hot milk with honey. And some banana cake. In order to thank him. And maybe...who knows. But what if he says no? Should she dare to ask? “If I knew that he would not laugh at me, I
would ask”. But Alice is shy. Too shy.
They cross each other. Watching each other. Not asking each other. Finally, they both find their way. Bob to his guest house, Alice to the hostel. The wrong way. They will never meet Again.
If only they would know the techniques of secure multi-party computation.
Story
Secure Multi Party Computation… ? Also known as secure computation or multi-party computation
Fundamental problem in distributed computing and cryptography
Definition- Set of n parties - Some are faulty/corrupted- Do not trust each other- Still parties wish to compute some function- Private local inputs (Privacy)- Public Output (Correctness)
The Millionaires Problem
Protocols for Secure Computations (Extended Abstract). FOCS 1982: 160-164
Yao’s millionaires’ problem
X $ Y $
?<=>
Find the richer without disclosing exact value of individual assets
Formulated by Turing award winner Andrew Yao
Real World Problem….?
Online Dating
Electronic Voting
Privacy-preserving Statistics [ ex: satellite collision ]
Privacy-preserving Database Operations
Benchmarking
Privacy-preserving data mining
Secure e-auction
Secure Function Evaluation A set of (two or more) parties with private inputs wish to
compute some joint function of their inputs. Parties wish to preserve some security properties. E.g.,
privacy and correctness.– Example: Computing the maximum
Many results depending on – Number of players– Means of communication– the power and MODEL of the adversary – how the function is REPRESENTED
The Security Definition
IDEALREALTrusted party
Protocolinteraction
For every real adversary A
there exists anadversary S
Computational Setting
Any two-party function can be securely computed in the semi-honest adversarial model [Yao]
Any multiparty function can be securely computed in the malicious model, for any number of corrupted parties [GMW]
Adversary Classification ... ?Nature of Adversary : Passive
Fail-stopActiveMixed
Mobility : StaticAdaptive/Dynamic:Mobile
Corruption Capacity : ThresholdNon-threshold
Computational Resources : BoundedUnbounded
Issues with the Design of SMPC…?
Possibility : What are the necessary and sufficient conditions for the existence of a protocol in a given network?
Feasibility : Does there exist a polynomial time and efficient protocol ? (We assume that the protocol exists).
Optimality : How do we design a protocol whose total complexities (communication and round) match their respective lower bound?
Desirable Properties of a SMPC…?
Correctness
Privacy
Input Independence
Robustness
Fairness
SMPC Terminologies/Techniques…?Semi Honest Adversary
Garbled Circuit
Oblivious Transfer
Secret Sharing
Verifiable Secret Sharing
Commitment Schemes
Garbled Circuit…?We can garble a circuit (hide its structure) so that two parties, sender and receiver, can learn the output of the circuit and nothing else.
At a high level, the sender prepares the garbled circuit and sends it to the receiver, who obliviously evaluates the circuit, learning the encodings corresponding to both his and the senders output.
He then just sends back the senders encodings, allowing the sender to compute his part of the output.
The sender sends the mapping from the receivers output encodings to bits to the receiver, allowing the receiver to obtain their output.
Ref : Wikipedia
Semi-Honest Construction1-out-of-2 Oblivious Transfer (OT) Inputs
– Sender has two messages m0 and m1
– Receiver has a single bit {0,1} Outputs
– Sender receives nothing– Receiver obtain m and learns nothing of m1-
Semi-Honest OT Let (G,E,D) be a public-key encryption scheme
– G is a key-generation algorithm (pk,sk) G– Encryption: c = Epk(m)– Decryption: m = Dsk(c)
Assume that a public-key can be sampled without knowledge of its secret key:– Oblivious key generation: pk OG– El-Gamal encryption has this property
Semi-Honest OTProtocol for Oblivious Transfer Receiver (with input ):
– Receiver chooses one key-pair (pk,sk) and one public-key pk’ (obliviously of secret-key).
– Receiver sets pk = pk, pk1- = pk’– Note: receiver can decrypt for pk but not for pk1-
– Receiver sends pk0,pk1 to sender Sender (with input m0,m1):
– Sends receiver c0=Epk0(m0), c1=Epk1(m1) Receiver:
– Decrypts c using sk and obtains m.
Security Proof Intuition:
– Sender's view consists only of two public keys pk0 and pk1. Therefore, it doesn't learn anything about that value of .
– The receiver only knows one secret-key and so can only learn one message
Formally: – Sender's view is independent of receiver's input and so can
easily be simulated (just give it 2 keys)– Receiver's view can be simulated by obtaining the output m
and sending it Epk0(m),Epk1(m).
Note: Assumes semi-honest behavior. A malicious receiver can choose two keys together with their secret keys.
Secret Sharing.... ?In secret sharing
- Dealer who shares a secret among a group of n parties- Sharing Phase- Reconstruction Phase
The requirements are that :- For t <n, any set of t colluding parties- No information about the dealer’s secret at the end of the sharing- Any set of t+1 parties can recover the dealer’s secret
Assumption : - The dealer is honest
Verifiable Secret Sharing (VSS) .... ?Just like secret sharing but requires :
- No matter what a cheating dealer does (in conjunction with t other colluding parties), there is some unique secret to which the dealer is “committed” by the end of the sharing phase.
Perfect VSS, where the security guarantees are :- Unconditional- Privacy is perfect- Protocol is error-free.
Perfect VSS is known to be possible if and only if t < n/3
Whats Cooking in the Kitchen ... ?Bitcoin and Block Chain Technologies
Yao's Millionaire Problem and Proposed Solution
Secret Sharing and VSS (almost done but still need help)
Secure 2 Party Computation (AES) (protocol implementation)
GMW Protocol
Efficient Micro-payments with Bitcoins (current research)
References - 1 ...Y. Lindell and B. PinkasY. Lindell and B. PinkasA Proof of Yao's Protocol for Secure Two-Party Computation (Paper)A Proof of Yao's Protocol for Secure Two-Party Computation (Paper)
Iftach HaitnerIftach HaitnerImplementing Oblivious Transfer Using Collection of Dense Trapdoor Permutations (Paper)Implementing Oblivious Transfer Using Collection of Dense Trapdoor Permutations (Paper)
Yan Huang, David Evans, Jonathan Katz, Lior MalkaYan Huang, David Evans, Jonathan Katz, Lior Malka
Faster Secure Two-Party Computation Using Garbled Circuits (Paper)Faster Secure Two-Party Computation Using Garbled Circuits (Paper)Ninghui Li , Purdue UniversityNinghui Li , Purdue UniversityTopic 24: Secure Function Evaluation (Slides)Topic 24: Secure Function Evaluation (Slides)
Benny Pinkas, HP Labs, PrincetonBenny Pinkas, HP Labs, PrincetonIntroduction to Secure Computation (Slides)Introduction to Secure Computation (Slides)
Moni Naor , Weizmann Institute of ScienceMoni Naor , Weizmann Institute of ScienceLecture 15: Oblivious Transfer and Secure Function Evaluation (Slides)Lecture 15: Oblivious Transfer and Secure Function Evaluation (Slides)
Scribes from Dr. Ashish Choudhury lecturesScribes from Dr. Ashish Choudhury lectureshttps://sites.google.com/site/ashishcrypto/Courses/2015-cs-nc-813
ApologiesApologies for Others unmentioned sources from internet for articles and references for Others unmentioned sources from internet for articles and references
References -2 ...Improving The Round Complexity of VSS in Point-To-Point Networks Jonathan KatzChiu-Yuen KoobDepartment of Computer Science,University of Maryland, College Park, MD 20742, USA
Ranjit Kumaresana Google Labs, Mountain View, CA 94043, USA
Link : http://www.journals.elsevier.com/information-and-computation
Jitendra Kumar [email protected]@bewithjitendrafacebook.com/bewithjitendrapatel
Saturday, January 30, 2016