Introduction to SMPC

Introduction to SMPCJitendra Kumar Patel Saturday, January 30, 2016

Secure Multi-Party Computation

Jitendra Patel ... ?

M.Tech from International Institute of Information Technology, Bangalore (Pursuing)

Experience in Teaching ( 3+ years)

Worked as an Offline Instructor at Innobuzz Knowledge Solutions - Delhi, Classroom faculty at Oviyans Infotech – Indore, Trainer at Osinfotech – Indore, Performance Engineering R&D at RedHat, Bangalore.

Research interest in Ethical Hacking, Network Security, Reverse Engineering, Wireless Security, Technical Analysis, Bitcoin Blockchain Technology, SMPC

Tech Enthusiast

Agenda of the Talk ... ?StoryWhat is Secure Multi Party Computation ?The Millionaires Problem and Few real world problemsAdversary classification Issues and desirable properties from SMPCFew SMPC Terminologies/TechniquesWhat is next ?

Should I invite her for a cup of coffee… ?

Alice and Bob meet accidentally. Both don’t know India. Both are tourists.

Bob is lost. He would like to ask Alice for the way to his guest house. And maybe whether she would like to drink a hot coffee with him. But he doesn’t know her. And if she says no? “I would ask her, if

only I knew that she would accept”, he thinks. But he is shy. Too shy.

Alice is lost as well. She would like to ask Bob for the way to the hostel. And maybe whether Bob would not be willing to accompany her. It’s already getting dark. She would of course then invite him

for a cup of hot milk with honey. And some banana cake. In order to thank him. And maybe...who knows. But what if he says no? Should she dare to ask? “If I knew that he would not laugh at me, I

would ask”. But Alice is shy. Too shy.

They cross each other. Watching each other. Not asking each other. Finally, they both find their way. Bob to his guest house, Alice to the hostel. The wrong way. They will never meet Again.

If only they would know the techniques of secure multi-party computation.

Story

Secure Multi Party Computation… ? Also known as secure computation or multi-party computation

Fundamental problem in distributed computing and cryptography

Definition- Set of n parties - Some are faulty/corrupted- Do not trust each other- Still parties wish to compute some function- Private local inputs (Privacy)- Public Output (Correctness)

The Millionaires Problem

Protocols for Secure Computations (Extended Abstract). FOCS 1982: 160-164

Yao’s millionaires’ problem

X $ Y $

?<=>

Find the richer without disclosing exact value of individual assets

Formulated by Turing award winner Andrew Yao

Real World Problem….?

Online Dating

Electronic Voting

Privacy-preserving Statistics [ ex: satellite collision ]

Privacy-preserving Database Operations

Benchmarking

Privacy-preserving data mining

Secure e-auction

Secure Function Evaluation A set of (two or more) parties with private inputs wish to

compute some joint function of their inputs. Parties wish to preserve some security properties. E.g.,

privacy and correctness.– Example: Computing the maximum

Many results depending on – Number of players– Means of communication– the power and MODEL of the adversary – how the function is REPRESENTED

The Security Definition

IDEALREALTrusted party

Protocolinteraction

For every real adversary A

there exists anadversary S

Computational Setting

Any two-party function can be securely computed in the semi-honest adversarial model [Yao]

Any multiparty function can be securely computed in the malicious model, for any number of corrupted parties [GMW]

Adversary Classification ... ?Nature of Adversary : Passive

Fail-stopActiveMixed

Mobility : StaticAdaptive/Dynamic:Mobile

Corruption Capacity : ThresholdNon-threshold

Computational Resources : BoundedUnbounded

Issues with the Design of SMPC…?

Possibility : What are the necessary and sufficient conditions for the existence of a protocol in a given network?

Feasibility : Does there exist a polynomial time and efficient protocol ? (We assume that the protocol exists).

Optimality : How do we design a protocol whose total complexities (communication and round) match their respective lower bound?

Desirable Properties of a SMPC…?

Correctness

Privacy

Input Independence

Robustness

Fairness

SMPC Terminologies/Techniques…?Semi Honest Adversary

Garbled Circuit

Oblivious Transfer

Secret Sharing

Verifiable Secret Sharing

Commitment Schemes

Garbled Circuit…?We can garble a circuit (hide its structure) so that two parties, sender and receiver, can learn the output of the circuit and nothing else.

At a high level, the sender prepares the garbled circuit and sends it to the receiver, who obliviously evaluates the circuit, learning the encodings corresponding to both his and the senders output.

He then just sends back the senders encodings, allowing the sender to compute his part of the output.

The sender sends the mapping from the receivers output encodings to bits to the receiver, allowing the receiver to obtain their output.

Ref : Wikipedia

Semi-Honest Construction1-out-of-2 Oblivious Transfer (OT) Inputs

– Sender has two messages m0 and m1

– Receiver has a single bit {0,1} Outputs

– Sender receives nothing– Receiver obtain m and learns nothing of m1-

Semi-Honest OT Let (G,E,D) be a public-key encryption scheme

– G is a key-generation algorithm (pk,sk) G– Encryption: c = Epk(m)– Decryption: m = Dsk(c)

Assume that a public-key can be sampled without knowledge of its secret key:– Oblivious key generation: pk OG– El-Gamal encryption has this property

Semi-Honest OTProtocol for Oblivious Transfer Receiver (with input ):

– Receiver chooses one key-pair (pk,sk) and one public-key pk’ (obliviously of secret-key).

– Receiver sets pk = pk, pk1- = pk’– Note: receiver can decrypt for pk but not for pk1-

– Receiver sends pk0,pk1 to sender Sender (with input m0,m1):

– Sends receiver c0=Epk0(m0), c1=Epk1(m1) Receiver:

– Decrypts c using sk and obtains m.

Security Proof Intuition:

– Sender's view consists only of two public keys pk0 and pk1. Therefore, it doesn't learn anything about that value of .

– The receiver only knows one secret-key and so can only learn one message

Formally: – Sender's view is independent of receiver's input and so can

easily be simulated (just give it 2 keys)– Receiver's view can be simulated by obtaining the output m

and sending it Epk0(m),Epk1(m).

Note: Assumes semi-honest behavior. A malicious receiver can choose two keys together with their secret keys.

Secret Sharing.... ?In secret sharing

- Dealer who shares a secret among a group of n parties- Sharing Phase- Reconstruction Phase

The requirements are that :- For t <n, any set of t colluding parties- No information about the dealer’s secret at the end of the sharing- Any set of t+1 parties can recover the dealer’s secret

Assumption : - The dealer is honest

Verifiable Secret Sharing (VSS) .... ?Just like secret sharing but requires :

- No matter what a cheating dealer does (in conjunction with t other colluding parties), there is some unique secret to which the dealer is “committed” by the end of the sharing phase.

Perfect VSS, where the security guarantees are :- Unconditional- Privacy is perfect- Protocol is error-free.

Perfect VSS is known to be possible if and only if t < n/3

Whats Cooking in the Kitchen ... ?Bitcoin and Block Chain Technologies

Yao's Millionaire Problem and Proposed Solution

Secret Sharing and VSS (almost done but still need help)

Secure 2 Party Computation (AES) (protocol implementation)

GMW Protocol

Efficient Micro-payments with Bitcoins (current research)

References - 1 ...Y. Lindell and B. PinkasY. Lindell and B. PinkasA Proof of Yao's Protocol for Secure Two-Party Computation (Paper)A Proof of Yao's Protocol for Secure Two-Party Computation (Paper)

Iftach HaitnerIftach HaitnerImplementing Oblivious Transfer Using Collection of Dense Trapdoor Permutations (Paper)Implementing Oblivious Transfer Using Collection of Dense Trapdoor Permutations (Paper)

Yan Huang, David Evans, Jonathan Katz, Lior MalkaYan Huang, David Evans, Jonathan Katz, Lior Malka

Faster Secure Two-Party Computation Using Garbled Circuits (Paper)Faster Secure Two-Party Computation Using Garbled Circuits (Paper)Ninghui Li , Purdue UniversityNinghui Li , Purdue UniversityTopic 24: Secure Function Evaluation (Slides)Topic 24: Secure Function Evaluation (Slides)

Benny Pinkas, HP Labs, PrincetonBenny Pinkas, HP Labs, PrincetonIntroduction to Secure Computation (Slides)Introduction to Secure Computation (Slides)

Moni Naor , Weizmann Institute of ScienceMoni Naor , Weizmann Institute of ScienceLecture 15: Oblivious Transfer and Secure Function Evaluation (Slides)Lecture 15: Oblivious Transfer and Secure Function Evaluation (Slides)

Scribes from Dr. Ashish Choudhury lecturesScribes from Dr. Ashish Choudhury lectureshttps://sites.google.com/site/ashishcrypto/Courses/2015-cs-nc-813

ApologiesApologies for Others unmentioned sources from internet for articles and references for Others unmentioned sources from internet for articles and references

References -2 ...Improving The Round Complexity of VSS in Point-To-Point Networks Jonathan KatzChiu-Yuen KoobDepartment of Computer Science,University of Maryland, College Park, MD 20742, USA

Ranjit Kumaresana Google Labs, Mountain View, CA 94043, USA

Link : http://www.journals.elsevier.com/information-and-computation

Jitendra Kumar [email protected]@bewithjitendrafacebook.com/bewithjitendrapatel

Saturday, January 30, 2016