Secure Multiparty Computation: Introduction
Ran Cohen (Tel Aviv University)
Scenario 1: Private Dating
Alice and Bob meet at a pub
• If both of them want to date together → they will find out
• If Alice doesn't want to date → she won't learn his intentions
• If Bob doesn't want to date → he won't learn her intentions
Solution: use a trusted bartender
Scenario 2: Private Auction
Many parties wish to execute a private auction
• The highest bid wins
• Only the highest bid (and bidder) is revealed
Solution: use a trusted auctioneer
Scenario 3: Private Set Intersection
Intelligence agencies hold lists of potential terrorists
• They would like to compute the intersection
• Any other information must remain secret
[Figure: MI5, FBI and Mossad each hold their own list; a trusted party ("Trust me") computes the intersection for them]
Solution: use a trusted party
Scenario 4: Online Poker
Play online poker reliably
Solution: use a trusted party
Secure Multiparty Computation
• In all scenarios the solution of an external trusted third party works
• Trusting a third party is a very strong assumption
• Can we do better?
• We would like a solution with the same security guarantees, but without using any trusted party
Secure Multiparty Computation
Goal: use a protocol to emulate the trusted party
The Setting
• Parties P_1, …, P_n (modeled as interactive Turing machines)
• Party P_i has private input x_i
• The parties wish to jointly compute a (known) function y = f(x_1, …, x_n)
• The computation must preserve certain security properties, even if some of the parties collude and maliciously attack the protocol
• Normally, this is modeled by an external adversary A that corrupts some parties and coordinates their actions
Auction Example – Security Requirements
– Correctness: A can't win using a lower bid than the highest
– Privacy: A learns an upper bound on all inputs, nothing else
– Independence of inputs: A can't bid one dollar more than the highest (honest) bid
– Fairness: A can't abort the auction if his bid isn't the highest (i.e., after learning the result)
– Guaranteed output delivery: A can't abort (stronger than fairness, no DoS attacks)
Security Requirements
– Correctness: parties obtain correct output (even if some parties misbehave)
– Privacy: only the output is learned (nothing else)
– Independence of inputs: parties cannot choose their inputs as a function of other parties' inputs
– Fairness: if one party learns the output, then all parties learn the output
– Guaranteed output delivery: all honest parties learn the output
Example – Computing Sum
• Each P_i has input x_i < m (work modulo m)
• Want to compute Σ x_i
• Is the protocol secure facing one corruption (semi-honest)?
• What about two corruptions?
Protocol (parties arranged in a ring, P_1 starts):
P_1: r ← Z_m, s_1 = x_1 + r
P_2: s_2 = x_2 + s_1
P_3: s_3 = x_3 + s_2
P_4: s_4 = x_4 + s_3
P_5: s_5 = x_5 + s_4
P_6: s_6 = x_6 + s_5
P_1: output s_6 − r
How to Define Security
Option 1: property-based definition
• Define a list of security requirements for the task
• Used for Byzantine agreement, coin flipping, etc.
• Difficult to analyze complex tasks
• How do we know if all concerns are covered?
Option 2: the real/ideal paradigm
• Whatever an adversary can achieve by attacking a real protocol can also be achieved by attacking an ideal computation involving a trusted party
• Formalized via a simulator
Ideal World
1) Each party sends its input to the trusted party
2) The trusted party computes y = f(x_1, …, x_n)
3) Trusted party sends y to each party
Real World
Parties run a protocol π on inputs x_1, …, x_n
Simulation-Based Security
[Figure: real world (parties running π, attacked by adversary A) ≈ ideal world (trusted party, attacked by simulator S); the distinguisher D interacts with both]
The distinguisher D:
• Gives inputs to parties
• Gets back output from parties and from adversary/simulator
• Guesses which world it is: real/ideal
Protocol π securely computes f if ∀A ∃S ∀D the distinguishing success is "small"
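The ring-summation protocol from the Computing Sum slides and the simulation-based definition above, as an added Python example that is not part of the original slides: it runs the protocol, records the single message each party receives, shows that a simulator knowing only x_i and y reproduces the view of one semi-honest corrupted party, and shows that two colluding neighbours recover x_i. Function names and the 0-indexed party numbering are my own choices.

```python
import random

def run_sum_protocol(xs, m, rng=random):
    """Ring protocol from the slide: P_1 masks x_1 with a random r, each
    next party adds its input to the value it received, and P_1 removes r.
    Returns (y, received, r); received[i] is the message party i receives
    (0-indexed: party 0 is P_1, which receives the final value s_n)."""
    n = len(xs)
    r = rng.randrange(m)                   # r <- Z_m, P_1's private coin
    s = [(xs[0] + r) % m]                  # s_1 = x_1 + r
    for i in range(1, n):
        s.append((xs[i] + s[i - 1]) % m)   # s_i = x_i + s_{i-1}
    y = (s[-1] - r) % m                    # P_1 outputs s_n - r = sum(xs) mod m
    received = [s[-1]] + s[:-1]
    return y, received, r

def real_view(xs, m, i, rng=random):
    """Real-world view of one semi-honest corrupted party i >= 1:
    (own input, incoming message, output y)."""
    y, received, _ = run_sum_protocol(xs, m, rng)
    return (xs[i], received[i], y)

def simulated_view(x_i, y, m, rng=random):
    """Ideal-world simulator: it knows only x_i and y. The incoming message
    s_{i-1} is masked by the uniform r, so it is sampled uniformly in Z_m."""
    return (x_i, rng.randrange(m), y)

def two_corruptions_learn(xs, m, i, rng=random):
    """Parties i-1 and i+1 collude (i >= 1): they receive s_{i-1} and s_i,
    and the difference is exactly x_i, so the protocol leaks a sandwiched
    party's input once two neighbours are corrupted."""
    n = len(xs)
    _, received, _ = run_sum_protocol(xs, m, rng)
    return (received[(i + 1) % n] - received[i]) % m

def incoming_message_histogram(world, xs, m, i, trials=20000, seed=7):
    """Empirical distribution of the incoming message seen by party i in the
    real world or in the ideal (simulated) world; identical distributions
    mean a distinguisher D has no advantage (perfect security)."""
    rng = random.Random(seed)
    y = sum(xs) % m
    counts = [0] * m
    for _ in range(trials):
        if world == "real":
            v = real_view(xs, m, i, rng)
        else:
            v = simulated_view(xs[i], y, m, rng)
        counts[v[1]] += 1
    return counts
```

Comparing the two histograms for a fixed party shows why one corruption is harmless here, while two_corruptions_learn shows the protocol offers no protection once two neighbouring parties are corrupted.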
Sanity check
Real ≈ ideal gives us:
• Correctness
• Privacy
• Independence of inputs
• Fairness
• Guaranteed output delivery
Advantages of this Approach
• Very general – captures any computational task
• The security guarantees are simple to understand: simply imagine that a trusted party computes the task
• No security requirements are "missed"
• Supports sequential modular composition
  – Security remains when secure protocols run sequentially
  – A single execution at a time
  – Arbitrary messages can be sent between executions
• Useful for modular design of protocols
Sequential Modular Composition
• Design a protocol in a hybrid model
  – Similar to the stand-alone real world
  – A trusted party helps to compute some functionality g
  – In rounds with calls to g no other messages are allowed
• Theorem (informal)
  – Protocol π securely computes f in the g-hybrid model
  – Protocol ρ securely computes g
  – Then, protocol π^ρ securely computes f in the real world
Replace the ideal calls to g with the real protocol ρ
The Definition Cont'd
A definition of an MPC task involves defining:
• Functionality: what do we want to compute?
• Security type: how strong a protection do we want?
• Adversarial model: what do we want to protect against?
• Network model: in what setting are we going to do it?
The Functionality
• The code of the trusted party
• Captures inevitable vulnerabilities
• Sometimes useful to let the functionality talk to the ideal-world adversary (simulator)
• We will focus on secure function evaluation (SFE): the trusted party computes y = f(x_1, …, x_n)
  – Deterministic vs. randomized
  – Single public output vs. private outputs
  – Reactive vs. non-reactive
Security Type
• Computational: a PPT distinguisher
  – The real & ideal worlds are computationally indistinguishable
• Statistical: all-powerful distinguisher, negligible error probability
  – The real & ideal worlds are statistically close
• Perfect: all-powerful distinguisher, zero error probability
  – The real & ideal worlds are identically distributed
Adversarial Model (1)
• Adversarial behavior
  – Semi-honest (honest-but-curious): corrupted parties follow the protocol honestly, A tries to learn more information. Models inadvertent leakage
  – Fail-stop: same as semi-honest, but corrupted parties can prematurely halt. Models crash failures
  – Malicious: corrupted parties can deviate from the protocol in an arbitrary way
Adversarial Model (2)
• Adversarial power
  – Polynomial time: computational security, normally requires cryptographic assumptions, e.g., encryption, signatures, oblivious transfer
  – Computationally unbounded: an all-powerful adversary, information-theoretic security
Adversarial Model (3)
• Adversarial corruption
  – Static: the set of corrupted parties is defined before the execution of the protocol begins. Honest parties are always honest, corrupted parties are always corrupted
  – Adaptive: A can decide which parties to corrupt during the course of the protocol, based on information it dynamically learns
  – Mobile: A can "jump" between parties. Honest parties can become corrupted, corrupted parties can become honest again
Adversarial Model (4)
• Number of corrupted parties
  – Threshold adversary: denote by t ≤ n an upper bound on the number of corruptions
    · No honest majority, e.g., two-party computation
    · Honest majority, i.e., t < n/2
    · Two-thirds majority, i.e., t < n/3
  – General adversary structure: protection against specific subsets of parties
Communication Model (1)
• Point-to-point: fully connected network of pairwise channels
  – Unauthenticated channels
  – Authenticated channels: in the computational setting
  – Private channels: in the IT setting
  – Partial networks: star, chain
• Broadcast: additional broadcast channel
Communication Model (2)
• Message delivery:
  – Synchronous: the protocol proceeds in rounds. Every message that is sent arrives within a known time frame
  – Asynchronous (eventual delivery): the adversary can impose an arbitrary (finite) delay on any message
  – Fully asynchronous: the adversary has full control over the network and can even drop messages
Execution Environment
• Stand-alone:
  – A single protocol execution at any given time (isolated from the rest of the world)
• Concurrent general composition:
  – Arbitrary protocols are executed concurrently
  – An Internet-like setting
  – Requires a strictly stronger definition, captured by the universal composability (UC) framework
  – Impossible in general without a trusted setup assumption (e.g., a common reference string)
Relaxing the Definition
• Recall the ideal world (with guaranteed output delivery)
  1) Each party sends its input to the trusted party
  2) The trusted party computes y = f(x_1, …, x_n)
  3) Trusted party sends y to each party
• This ideal world is overly ideal
• In general, fairness cannot be achieved without an honest majority [Cleve'86]
• A relaxed definition is normally considered
Security with Abort
• Ideal world without fairness and guaranteed output delivery:
  1) Each party sends its input to the trusted party
  2) The trusted party computes y = f(x_1, …, x_n)
  3) Trusted party sends y to the adversary
  4) The adversary responds with continue/abort
  5) If continue, the trusted party sends y to all parties; if abort, the trusted party sends ⊥ to all parties
• Correctness, privacy and independence of inputs are satisfied
Prevalent Models
• In the seminar we will consider:
  – Adversary: semi-honest / malicious with static corruptions
  – Synchronous P2P network with a broadcast channel
  – Stand-alone setting
• Computational setting
  – PPT adversary & distinguisher (computational security)
  – Arbitrary number of corruptions t < n
  – Authenticated channels
• Information-theoretic setting
  – All-powerful adversary & distinguisher (perfect/statistical)
  – Honest majority t < n/2 (if t < n/3 no need for broadcast)
  – Secure channels
Oblivious Transfer
[Figure: 1-out-of-2 OT. The sender holds m_0, m_1; the receiver holds b ∈ {0,1}; the receiver obtains m_b]
Feasibility Results
• Malicious setting
  – For t < n/3, every f can be securely computed with perfect security [BGW'88, CCD'88]
  – For t < n/2, every f can be securely computed with statistical security [RB'89]
  – For t < n, assuming OT, every f can be securely computed with abort and computational security [GMW'87]
• Semi-honest setting
  – For t < n/2, every f can be securely computed with perfect security [BGW'88, CCD'88]
  – For t < n, assuming OT, every f can be securely computed with computational security [GMW'87]
Outline of the Seminar
• Lecture 2: definitions
• Lectures 3-7: semi-honest setting
  – Yao's garbled circuit
  – Oblivious transfer
  – GMW protocol [Goldreich, Micali, Wigderson'87]
  – BGW protocol [Ben-Or, Goldwasser, Wigderson'88]
  – BMR protocol (constant-round MPC) [Beaver, Micali, Rogaway'90]
• Lectures 8-11: malicious setting
  – GMW compiler
  – IKOS zero-knowledge proof
  – Cut and choose (Yao's protocol for malicious)
  – Sigma protocols
• Lecture 12: specific functionalities (median, PSI)
Summary
• Secure multiparty protocols emulate computations involving a trusted party
• Impressive feasibility results: every task that can be computed can also be computed securely
• Many different models and settings
• Exciting and active field – many open questions