Secure Multiparty Computation and its Applications
Slide 1
Secure Multiparty Computation and its Applications
Yuval Ishai
Technion
Slide 2: How much do we earn?
Goal: compute the sum of the xi without revealing anything else
(Figure: six parties holding private inputs x1,…,x6; the value to be learned is the sum of the xi)
Slide 3: A better way?
Assumption: xi < M (say, M = 10^10); r is random with 0 ≤ r < M; + and – are carried out modulo M
(Figure: the six parties pass a running sum around a ring)
m1 = r + x1
m2 = m1 + x2
m3 = m2 + x3
m4 = m3 + x4
m5 = m4 + x5
m6 = m5 + x6
Result: m6 – r
Slide 4: A security concern
(Figure: the same ring of parties with inputs x1,…,x6; the messages m1 and m2 = m1 + x2 are highlighted, so anyone who sees both of them learns x2 = m2 – m1)
Slide 5: Resisting collusions
(Figure: the six parties exchange random masks r43, r12, r16, r65, r51, r32, r25 along the edges of a graph, where rij denotes the mask sent between Pi and Pj)
Each Pi announces xi + inboxi – outboxi
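The ring protocol of slide 3, the leak of slide 4 and the pairwise-masked variant of slide 5 in Python, as an added example that is not part of the talk; the modulus M follows the slide, while the mask graph EDGES and the sample salaries are constructed from the slide's edge labels.

```python
import secrets

# Added example (not from the talk): the ring protocol of slide 3 and the
# pairwise-masked protocol of slide 5, with M = 10^10 as on the slide.
M = 10**10

def ring_sum(xs, r=None):
    """Slide 3: P1 starts with a random mask r, each party adds its x_i mod M,
    and P1 removes r at the end. Returns (sum, [m1,...,mn])."""
    r = secrets.randbelow(M) if r is None else r
    msgs, m = [], r
    for x in xs:
        m = (m + x) % M           # m_i = m_{i-1} + x_i, with m_0 = r
        msgs.append(m)
    return (msgs[-1] - r) % M, msgs

def ring_leak_x2(msgs):
    """Slide 4: whoever sees both m1 and m2 = m1 + x2 recovers x2 = m2 - m1."""
    return (msgs[1] - msgs[0]) % M

def pairwise_masked_sum(xs, edges):
    """Slide 5: each edge (i, j) carries a fresh random r_ij from P_i to P_j.
    P_i announces x_i + inbox_i - outbox_i; every mask cancels in the total."""
    n = len(xs)
    inbox, outbox = [0] * n, [0] * n
    for i, j in edges:
        r = secrets.randbelow(M)
        outbox[i] = (outbox[i] + r) % M
        inbox[j] = (inbox[j] + r) % M
    announced = [(xs[i] + inbox[i] - outbox[i]) % M for i in range(n)]
    return sum(announced) % M, announced

# Constructed mask graph following the labels on slide 5 (r43, r12, r16, r65,
# r51, r32, r25), 0-indexed and oriented from the first index to the second.
EDGES = [(3, 2), (0, 1), (0, 5), (5, 4), (4, 0), (2, 1), (1, 4)]

if __name__ == "__main__":
    xs = [3, 14, 15, 92, 65, 35]          # constructed salaries, all < M
    total, msgs = ring_sum(xs, r=7)
    print("ring total:", total, "colluding P1,P3 learn x2 =", ring_leak_x2(msgs))
    total, ann = pairwise_masked_sum(xs, EDGES)
    # P2's announcement is x2 + r12 + r32 - r25; r25 is known only to P2 and P5,
    # so P1 and P3 colluding see a uniformly random value, not x2.
    print("masked total:", total, "P2 announces", ann[1])
```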
Slide 6: More generally
• P1,…,Pn want to securely compute f(x1,…,xn)
  – Up to t parties can collude
• Questions
  – When is this at all possible?
  – How efficiently?
• Information-theoretic security possible when t < n/2 [BGW88,CCD88,RB89]
• Computational security possible for any t (under standard cryptographic assumptions) [Yao86,GMW87,CLOS02]
Slide 7: More generally
• Several efficiency measures: communication, computation, rounds
• Until recently: communication grows linearly with the circuit size of f
• [Gentry ’09]: dependence on circuit size can be eliminated!
• Still wide open in the information-theoretic setting
Slide 8: Even more generally…
• Functionality f mapping n inputs to n outputs
  – possibly randomized or reactive
• Goal: t-secure protocol realizing f
  – Emulate an ideal evaluation of f using a trusted party … even if up to t of the n parties can be corrupted
• Variants:
  – Semi-honest vs. malicious corruptions
  – Honest majority (t < n/2) vs. no honest majority (t ≥ n/2)
  – Information-theoretic vs. computational security
  – Standalone vs. composable security
  – Adaptive vs. non-adaptive security
  – Different network models, setup assumptions
Slide 9: MPC and the real world
• Numerous motivating application scenarios
  – voting, bidding, matching, searching, data mining, gambling …
• Several ongoing implementation projects
  – Jan 2008: “MPC gone live” in Denmark
• Much room for efficiency improvements
  – Ideally: approach the efficiency of insecure computation
  – No barriers in sight
Slide 10: Rest of Talk
• Connections between MPC and problems from other domains
  – motivate new questions
  – broaden application of techniques
• Connections between different MPC variants
• Disclaimer: small sample of examples, biased by own research
Slide 11: Applying MPC in Two-Party Cryptography
Slide 12: Back to the 1980s
• Zero-knowledge proofs for NP [GMR85,GMW86]
• Computational MPC with no honest majority [Yao86, GMW87]
• Unconditional MPC with honest majority [BGW88, CCD88, RB89]
• Unconditional MPC with no honest majority assuming ideal OT [Kilian88]
• Are these unrelated?
(Figure: oblivious transfer between a sender S holding (s0,s1) and a receiver R holding a choice bit c; R learns only the chosen value, labelled xc on the slide)
Slide 13: MPC with honest majority
(Figure: MPC with honest majority, combined with Com or OT protocols, yields ZK and 2PC respectively; the ZK/2PC constructions are covered in the next slides)
• Simplifies and unifies feasibility results
• Improves asymptotic efficiency of ZK/2PC
Slide 14: A high level idea [IKOS07,IPS08]
• Run MPC “in the head”.
• Commit to virtual views.
• Use consistency checks to ensure honest majority.
Slide 15: Zero-Knowledge Proofs
• Goal: ZK proof for a relation R(x,w)
• Towards using MPC:
  – define n-party functionality g(x; w1,...,wn) = R(x, w1... wn)
  – use any 2-secure, perfectly correct protocol for g
    • security in the semi-honest model
    • honest majority when n > 4
Slide 16: From MPC to ZK [IKOS07]
Given an MPC protocol for g(x; w1,...,wn) = R(x, w1... wn):
(Figure: the Prover, holding w = w1... wn, runs the virtual parties P1,…,Pn on inputs w1,…,wn in its head and obtains their views V1,…,Vn)
Prover: commit to views V1,...,Vn
Verifier: random i, j
Prover: open views Vi, Vj
Verifier: accept iff output = 1 & Vi, Vj are consistent
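The commit, challenge, open exchange of slide 16 for a constructed one-gate relation, as an added example that is not code from [IKOS07] or the talk; the toy relation (w[0] AND w[1] == x), the 3-party XOR-sharing protocol for the AND gate, the "open views i and i+1" challenge and the salted-hash commitment are all assumptions chosen to keep the example short.

```python
import hashlib, secrets
# Added example (not from the talk): MPC-in-the-head for the constructed toy
# relation R(x, w): w[0] AND w[1] == x. Both bits are XOR-shared among 3 virtual
# parties; party i derives its output share c_i from its own shares and party i+1's.

def share(v):
    s1, s2 = secrets.randbits(1), secrets.randbits(1)
    return [s1, s2, v ^ s1 ^ s2]          # s1 ^ s2 ^ s3 == v
def and_share(vi, vj):                    # party i's share of a AND b
    ai, bi, ri = vi[:3]; aj, bj, rj = vj[:3]
    return (ai & bi) ^ (aj & bi) ^ (ai & bj) ^ ri ^ rj
def run_in_head(a, b, cheat=False):
    """Prover runs the 3 virtual parties; view_i = (a_i, b_i, r_i, c_i)."""
    A, B, R = share(a), share(b), [secrets.randbits(1) for _ in range(3)]
    views = [(A[i], B[i], R[i]) for i in range(3)]
    views = [v + (and_share(v, views[(i + 1) % 3]),) for i, v in enumerate(views)]
    if cheat:                             # prover without a witness flips one output share
        k = secrets.randbelow(3)
        views[k] = views[k][:3] + (views[k][3] ^ 1,)
    return views

def commit(view):                         # salted hash commitment to a view
    salt = secrets.token_bytes(16)
    return hashlib.sha256(salt + bytes(view)).digest(), salt
def prove(w, rounds, cheat=False):
    """Commit phase: per round, 3 view commitments and the 3 output shares in the clear."""
    state, msg = [], []
    for _ in range(rounds):
        views = run_in_head(w[0], w[1], cheat)
        coms = [commit(v) for v in views]
        state.append((views, coms))
        msg.append(([h for h, _ in coms], [v[3] for v in views]))
    return state, msg

def challenge(rounds): return [secrets.randbelow(3) for _ in range(rounds)]  # verifier's i per round
def open_views(state, ch):                # prover reveals views i and i+1 with their salts
    return [(vs[e], cs[e][1], vs[(e + 1) % 3], cs[(e + 1) % 3][1])
            for (vs, cs), e in zip(state, ch)]

def verify(x, msg, ch, opened):
    for (hashes, outs), e, (vi, si, vj, sj) in zip(msg, ch, opened):
        j = (e + 1) % 3
        ok = outs[0] ^ outs[1] ^ outs[2] == x                       # output = 1 check (here: = x)
        ok &= hashlib.sha256(si + bytes(vi)).digest() == hashes[e]
        ok &= hashlib.sha256(sj + bytes(vj)).digest() == hashes[j]
        ok &= vi[3] == outs[e] == and_share(vi, vj) and vj[3] == outs[j]  # views consistent
        if not ok:
            return False
    return True
```

A prover without a witness survives a round with probability 2/3, so `rounds` sets the soundness error; opening views i and i+1 reveals only two of the three shares of each witness bit, which is where zero-knowledge comes from.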
Slide 17: Extensions
• Works also with OT-based MPC
• Variant: use 1-secure MPC
  – Commit to views of parties + channels
  – Open one view and one incident channel
• Handle MPC with error via coin-flipping
• Better soundness via t-robust MPC
Slide 18: Communication Complexity
Gentry ’09
Slide 19: Information-Theoretic MPC
• n parties
• n-argument function f
(Figure: parties holding inputs y1,…,yn)
Communication complexity: learn f(y1,y2,…,yn)
Secure multiparty computation: learn only f(y1,y2,…,yn)
Slide 20: Big Open Question
Ben-Or, Goldwasser, Wigderson, 1988; Chaum, Crépeau, Damgård, 1988: n ≥ 3 players can compute any function f of their inputs with total work linear in the circuit size. Information-theoretic MPC is feasible!
Open question (Beaver, Micali, Rogaway, 1990; B., Feigenbaum, Kilian, R., 1990): Can n computationally unbounded players compute an arbitrary f with communication comparable to the input length?
“Fully homomorphic encryption of information-theoretic cryptography”
Slide 21: Question Reformulated
Is the communication complexity of MPC strongly correlated with the computational complexity of the function being computed?
(Figure: the efficiently computable functions drawn as a subset of all functions, shaded by whether communication-efficient MPC is known or no communication-efficient MPC is known)
Slide 22: Locally Decodable Codes
(Figure: a message m is encoded into a codeword c; a single bit of m is recovered by reading only a few positions ci)
Simultaneously provide:
• robustness
• local (randomized) decoding
Big open question: minimize length
Slide 23
(Figure: timeline from 1990 to 2000 marking [KT00] and [IK04])
• MPC and LDC are closely related
• Rough idea: m = truth-table of f, c = truth-table of MPC
• Privacy of MPC corresponds to “smooth” decoding; robustness
• New LDCs [Yek07,Efr09] give better MPC for “hard” f
• Open: better MPC for moderately hard f
• Motivates new LDC questions
Slide 24: Round Complexity
Slide 25: “Simple” functions require few rounds
NC0 functions: output locality c
Slide 26: Randomized Encoding of Functions [Yao86,…,IK00,AIK04]
• g is a “randomized encoding” of f
  – Nontrivial relaxation of computing f
• Hope: g can be “simple”
  – Achievable via MPC techniques
(Figure: f maps x to y; g maps x together with randomness r to Enc(y))
Decoder: Dec(g(x,r)) = f(x)
Simulator: Sim(f(x)) is distributed like g(x,r)
Slide 27: Cryptography in NC0 [AIK04]
(Figure: OWF)
Slide 28: Computational Complexity
Slide 29: Private Circuits [ISW03,…]
(Figure: a circuit computing AES(s,m) from key s and message m, next to a protected circuit that takes an encoded key s’ and m and still outputs AES(s,m))
Slide 30: MPC on Silicon
(Figure: the secret is held as shares S1, S2, S3 inside the circuit, between its input and output)
• Many tiny parties!
• Non-standard goal: maximize resilience/size ratio
• Challenge 1: Improve complexity and leakage rate [Ajt11]
• Challenge 2: Extend leakage model [FRRTV10,GR10,JV10,…]
Slide 31: Concluding Remarks
• MPC is an exciting research area
  – Many connections with other problems
  – Inherits depth from related problems
  – Motivates new theoretical questions
  – Motivated by practical applications