
Topics in IT Security – Secure Multiparty Computation

Jürgen Ecker

FH Hagenberg, Sichere Informationssysteme/Secure Information Systems juergen.ecker@fh-hagenberg.at


Karlstad, 2008

1 / 34 Topics in IT Security – Secure Multiparty Computation

Overview

Problems

Millionaires' Problem (Yao, 1982): Two millionaires want to find out who has more money, but

1. They both trust nobody.

2. They don't want the other to learn more than this information (e.g. not how much money they have).

E-Voting: Each voter has a vote; together they want to compute the tally, but

1. Nobody is trusted.

2. They don't want others to learn more than this information (e.g. not how they voted).

Privacy preserving database sharing: Statistical data from many databases owned by different parties shall be extracted.

1. Nobody is trusted.

2. Data in each database is confidential; statistics such as a mean value over many databases are OK.


Secure multiparty computation

Mathematically, and more generally, an MPC problem is:

Players $P_1, \ldots, P_n$ have (private) inputs $x_1, \ldots, x_n$ and want to compute

$$(y_1, \ldots, y_n) = f(x_1, \ldots, x_n)$$

in such a way that in the end player $i$ knows output $y_i$, but nothing more (nothing that she cannot deduce from $x_i$ and $y_i$).

For the millionaires' problem $n = 2$ and

$$f(x_1, x_2) = \begin{cases} (\text{more}, \text{less}) & \text{if } x_1 > x_2 \\ (\text{less}, \text{more}) & \text{if } x_1 < x_2 \\ (\text{equal}, \text{equal}) & \text{if } x_1 = x_2 \end{cases}$$


Modelling the bad guy

We assume one adversary A. A can corrupt players.

Corrupted players tell A everything they know.

Corrupted players either

keep following the protocol (passive adversary, honest but curious), or

do what the adversary tells them to do (active adversary).

A either

decides which players he corrupts before the protocol is executed (static adversary), or

chooses the players to corrupt during the execution, depending on the information he sees (dynamic adversary, called adaptive in the feasibility table below).


Modelling the bad guy

The adversary usually cannot corrupt all the players. This is modelled with an adversary structure.

Let $S$ be the set of players. An adversary structure on $S$ is a subset $\mathcal{A}$ of the power set $\mathcal{P}(S) = 2^S$ with the property that

$$\forall M, N \subseteq S:\ M \in \mathcal{A} \wedge N \subseteq M \implies N \in \mathcal{A}$$

(If A can corrupt a set $M$ of players, he can also corrupt every subset of $M$.)


Special adversary structures

An adversary structure $\mathcal{A}$ on $S$ is

a threshold-$t$-structure, if $\mathcal{A} = \{M \subseteq S \mid |M| \le t\}$.

$Q^2$, if for all $M, N \in \mathcal{A}$ we have $M \cup N \ne S$.

$Q^3$, if for all $L, M, N \in \mathcal{A}$ we have $L \cup M \cup N \ne S$.

A threshold-$t$-structure on $n$ players is $Q^2$ iff $t < n/2$, and it is $Q^3$ iff $t < n/3$.


Computational strength of the adversary

With respect to the computational strength of the adversary we distinguish

the cryptographic scenario: the adversary is computationally bounded. In particular, he cannot break encryptions or signatures.

the information theoretic scenario (i.t. scenario): the adversary can compute everything that is computable in finite time (including brute force attacks).

Protocols which are secure in the i.t. scenario are independent of any infeasibility assumptions (hardness of factoring, collision resistance of hash functions, ...). In the i.t. scenario we assume private communication channels between the players.


Ideal world

If a trusted party (Clancy) is available, a simple solution to the MPC problem is:

[Figure: the players hand their inputs $x_B$, $x_M$, $x_L$ to the trusted party Clancy and receive their outputs $y_B$, $y_M$, $y_L$ back from him.]


Real world

If no trusted party (Clancy) is available, a solution to the MPC problem would look like this.


Multiparty computation security

Intuition:

A simulator in the ideal world, who does not know the inputs of the honest players, can present messages of a real world protocol to the corrupted players.

The corrupted players cannot distinguish between the real world protocol and the simulation.

If there were a weakness in the real world protocol which the ideal world does not have and which the adversary can detect, then he would be able to distinguish the two.


General feasibility results

In the following cases every function can be computed by a secure multiparty computation protocol.

Scenario   Adversary           Threshold   Reference
i.t.       adaptive, passive   t < n/2     [2]
i.t.       adaptive, active    t < n/3     [3]
i.t.       adaptive, active    t < n/2     [4]  (if a broadcast channel is available)
crypt.     adaptive, passive   t < n       [5]
crypt.     adaptive, active    t < n/2     [6]

Scenario   Adversary           Adv. struct.   Reference
i.t.       adaptive, passive   Q^2            [7]
i.t.       adaptive, active    Q^3            [7]


Lagrange Interpolation

A polynomial $f$ of degree $\le d$ is uniquely determined by any collection of at least $d+1$ distinct points on $f$. No collection of at most $d$ points on $f$ determines the value of $f$ at any other point.

[Plot of the polynomial $f$ below; x axis from 1 to 6, y axis from -5 to 10.]

$$f(x) = 91.625 - 137.375\,x + 71.25\,x^2 - 14.5\,x^3 + x^4$$

This results in a secret sharing scheme.


Shamir Secret Sharing

Given a secret $s$:

Select numbers $a_d, a_{d-1}, \ldots, a_1$ at random.

Let $f(x) = s + \sum_{i=1}^{d} a_i x^i$.

Compute shares $s_j = f(j)$ for $j = 1, \ldots, n$.

We write $s \xrightarrow{f} (s_1, \ldots, s_n)$ for this process (assuming that each share remembers its index).

Any collection of at least $d+1$ pairs $(j, s_j)$ reconstructs $f$ and $s = f(0)$; any collection of at most $d$ such pairs gives no information about $s$.

If the shares are distributed among players, $s$ can be reconstructed by any $d+1$ (or more) players.


Lagrange Interpolation

Let $F$ be a field, $h \in F[x]$ a polynomial of degree $\le d$ and $C \subseteq F$ such that $|C| = d+1$.

Then $h$ can be reconstructed from the set of points $\{(i, h(i)) \mid i \in C\}$ as follows:

$$h(x) = \sum_{i \in C} \delta_i(x) \cdot h(i), \qquad \text{where} \qquad \delta_i(x) = \prod_{j \in C,\ j \ne i} \frac{j - x}{j - i}.$$


Recombination vectors

In particular, for $x = 0$,

$$h(0) = \sum_{i \in C} r_i \cdot h(i), \qquad \text{where} \qquad r_i = \prod_{j \in C,\ j \ne i} \frac{j}{j - i}$$

depends only on the choice of $C$, but not on $h$. The vector $r_C = (r_i)_{i \in C}$ is called the recombination vector for $C$.

Using a recombination vector, reconstruction is only a scalar product.


Distributed Addition

Suppose $a \xrightarrow{f_a} (a_1, \ldots, a_n)$ and $b \xrightarrow{f_b} (b_1, \ldots, b_n)$, and let $f_a$ and $f_b$ be two polynomials of degree $d$. Privately send $a_i$ and $b_i$ to player $P_i$ ($1 \le i \le n$).

Then any $d+1$ players can use their shares to reconstruct $a$ and $b$.

Now each player $i$ computes $c_i = a_i + b_i$. Then $a + b$ can be reconstructed from any $d+1$ shares $c_i$, because

$$a + b \xrightarrow{f_a + f_b} (a_1 + b_1, \ldots, a_n + b_n)$$

and $f_a + f_b$ is a polynomial of degree at most $d$.

Thus, $a + b$ can be computed without revealing $a$ or $b$.


Distributed Addition and Multiplication with a Constant

Suppose $a \xrightarrow{f_a} (a_1, \ldots, a_n)$ and $f_a$ is a polynomial of degree $d$. Privately send $a_i$ to player $P_i$ ($1 \le i \le n$).

Now each player $i$ computes $c_i = \lambda a_i$ and $d_i = \lambda + a_i$. Then $\lambda a$ and $\lambda + a$ can be reconstructed from any $d+1$ shares $c_i$ and $d_i$ respectively, because

$$\lambda a \xrightarrow{\lambda f_a} (\lambda a_1, \ldots, \lambda a_n), \qquad \lambda + a \xrightarrow{\bar\lambda + f_a} (\lambda + a_1, \ldots, \lambda + a_n)$$

and $\lambda f_a$ and $\bar\lambda + f_a$ are polynomials of degree at most $d$ (here $\bar\lambda$ is the constant polynomial with value $\lambda$). Thus, $\lambda a$ and $\lambda + a$ can be computed in a distributed manner.


Distributed Multiplication (first step)

Suppose $a \xrightarrow{f_a} (a_1, \ldots, a_n)$ and $b \xrightarrow{f_b} (b_1, \ldots, b_n)$, and let $f_a$ and $f_b$ be two polynomials of degree $d$. Privately send $a_i$ and $b_i$ to player $P_i$ ($1 \le i \le n$).

Now each player $i$ computes $c_i = a_i b_i$. Then $ab$ can be reconstructed from any $2d+1$ shares $c_i$, because

$$ab \xrightarrow{f_a f_b} (a_1 b_1, \ldots, a_n b_n)$$

and $f_a f_b$ is a polynomial of degree at most $2d$.

Thus, $ab$ can be computed without revealing $a$ or $b$ (as long as $2d < n$).

But: $2d+1$ shares are needed and $f_a f_b$ is not a random polynomial.


Distributed Multiplication (second step)

Each player $i$ now computes shares of his $c_i$, i.e. $c_i \xrightarrow{f_i} (c_{i1}, \ldots, c_{in})$ (resharing), and sends share $c_{ij}$ to player $j$.

Each player $j$ then combines the shares $c_{1j}, \ldots, c_{nj}$ he received into the value $d_j = \sum_{i=1}^{n} r_i c_{ij}$.

Finally, $ab \xrightarrow{f} (d_1, \ldots, d_n)$, where $f = \sum_{i=1}^{n} r_i f_i$ and $r = (r_1, \ldots, r_n)$ is the recombination vector corresponding to the set of all players. The polynomial $f$ is of degree $d$, so $d+1$ shares are sufficient to reconstruct $ab$. Moreover, $f$ is a linear combination of random polynomials, so it is random.
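The sharing, recombination and distributed arithmetic of the preceding slides (Shamir sharing, recombination vectors, addition, constants, and multiplication with resharing), carried out in code as an added example; this is not code from the lecture. The prime field $P = 2^{31} - 1$, the player count $n = 5$, the degree $d = 2$, the constant $\lambda = 7$ and the demo inputs are constructed values, and all function names are this example's own.

```python
import random

P = 2**31 - 1   # constructed: prime field; all arithmetic is modulo P
N = 5           # constructed: number of players P_1, ..., P_n
D = 2           # degree d; 2d < n, as the multiplication step requires

def eval_poly(coeffs, x):
    """coeffs[k] is the coefficient of x^k; return the value at x modulo P."""
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

def share(secret, d=D, n=N):
    """s -> (s_1, ..., s_n): f(0) = s, a_1..a_d random, share j is f(j)."""
    coeffs = [secret % P] + [random.randrange(P) for _ in range(d)]
    return [eval_poly(coeffs, j) for j in range(1, n + 1)]

def recombination_vector(C):
    """r_i = prod_{j in C, j != i} j / (j - i): the Lagrange weights at x = 0."""
    r = {}
    for i in C:
        num, den = 1, 1
        for j in C:
            if j != i:
                num = num * j % P
                den = den * (j - i) % P
        r[i] = num * pow(den, -1, P) % P
    return r

def reconstruct(shares, C):
    """shares maps player index -> share value; C lists the indices used.
    Returns f(0) as the scalar product of r_C with the shares."""
    r = recombination_vector(C)
    return sum(r[i] * shares[i] for i in C) % P

def mpc_add(a_sh, b_sh):          # c_i = a_i + b_i
    return [(x + y) % P for x, y in zip(a_sh, b_sh)]

def mpc_scale(lam, a_sh):         # c_i = lambda * a_i
    return [lam * x % P for x in a_sh]

def mpc_add_const(lam, a_sh):     # d_i = lambda + a_i
    return [(lam + x) % P for x in a_sh]

def mpc_mul_local(a_sh, b_sh):    # c_i = a_i * b_i, a degree-2d sharing of ab
    return [x * y % P for x, y in zip(a_sh, b_sh)]

def mpc_mul(a_sh, b_sh, d=D, n=N):
    """Resharing step: every player reshares c_i with a fresh degree-d polynomial
    f_i and sends c_ij to player j; player j forms d_j = sum_i r_i c_ij with the
    recombination vector of all n players (which interpolates degree 2d <= n-1)."""
    c = mpc_mul_local(a_sh, b_sh)
    reshared = [share(ci, d, n) for ci in c]          # reshared[i-1][j-1] = c_ij
    r = recombination_vector(range(1, n + 1))
    return [sum(r[i] * reshared[i - 1][j - 1] for i in range(1, n + 1)) % P
            for j in range(1, n + 1)]

def as_dict(sh, C):
    """Pick the shares of the players in C out of a share list."""
    return {i: sh[i - 1] for i in C}

def product_from_2d_plus_1(a, b, d=D, n=N):
    """Without resharing, the local products need 2d + 1 (= n here) shares."""
    c = mpc_mul_local(share(a, d, n), share(b, d, n))
    C = range(1, n + 1)
    return reconstruct(as_dict(c, C), C)

def demo(a, b, lam=7, C=(1, 3, 5)):
    """Run each protocol; the d + 1 players in C reconstruct every result."""
    a_sh, b_sh = share(a), share(b)
    return {
        "a": reconstruct(as_dict(a_sh, C), C),
        "a+b": reconstruct(as_dict(mpc_add(a_sh, b_sh), C), C),
        "lam*a": reconstruct(as_dict(mpc_scale(lam, a_sh), C), C),
        "lam+a": reconstruct(as_dict(mpc_add_const(lam, a_sh), C), C),
        "a*b": reconstruct(as_dict(mpc_mul(a_sh, b_sh), C), C),
    }

if __name__ == "__main__":
    print(demo(12, 30))   # {'a': 12, 'a+b': 42, 'lam*a': 84, 'lam+a': 19, 'a*b': 360}
```

Note that `demo` lets only three players (any $d+1$) reconstruct the product after resharing, whereas `product_from_2d_plus_1` has to use all five shares of the local products, which is exactly the gap the resharing step closes.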


Adaptation to active adversaries

If the adversary is active, corrupted players do not have to follow the protocol.

Additional mechanisms have to make sure that:

1 When shares are distributed, honest players can uniquely reconstruct the shared value.

2 Reconstruction is possible and correct even when corrupted players participate in the protocol.


Sharing

1. $C$ (the player sharing the value $a$) randomly chooses a bivariate polynomial

$$F(x, y) = \sum_{k=0}^{d} \sum_{l=0}^{d} c_{kl}\, x^k y^l,$$

such that $F(x, y) = F(y, x)$ (i.e. $c_{kl} = c_{lk}$) and $F(0, 0) = a$ ($c_{00} = a$), and computes $s_{ij} = F(i, j)$ for all $i, j \in \{1, \ldots, n\}$. Then he sends the verification polynomial (i.e. its coefficients) $f_i(x) := F(x, i)$ to each player $i$.

2. Each player $i$ sends $t_{ji} := f_i(j)$ to each player $j$, where $i > j$.


3. Each player $j$ checks whether $t_{ji} = f_j(i)$. If this is not the case,

   1. player $j$ broadcasts a complaint.

   2. $C$ replies by broadcasting $s_{ij}$.

   3. Player $j$ checks $s_{ij} = f_j(i)$. If this is not the case, he broadcasts an accusation.

   4. Player $i$ checks $s_{ij} = f_i(j)$. If this is not the case, he broadcasts an accusation.

4. For each player $j$ who has accused $C$, $C$ broadcasts the verification polynomial $f_j$.

5. Each player $i$ who has not yet accused $C$ checks $f_i(j) = f_j(i)$. If this is not the case, he broadcasts an accusation.


5. If the number of accusations is greater than $d$, the protocol is aborted. Otherwise, each player $j$ who has accused in step 3 has to use the verification polynomial $f_j$ broadcast in step 4.

Each player $i$ who has accused $C$ in step 5 has to use the verification polynomial from step 1.

6. Each player computes his share $s_i = f_i(0)$.

Observe that

$$a \xrightarrow{f} (s_1, \ldots, s_n)$$

with $f(x) = F(x, 0)$, so that $f(0) = a$.

If the protocol terminates successfully, then $s_j = f(j)$ for every honest player $j$ (honest players have correct shares).

If at most $d$ players are corrupt and $3d < n$, then the protocol always terminates successfully.


Reconstruction

Let $f$ be a polynomial of degree $\le d$ and $3d < n$. Let $s \xrightarrow{f} (s_1, \ldots, s_n)$ and let $s'_1, \ldots, s'_n$ be numbers such that $s_i \ne s'_i$ for at most $d$ indices $i$. Then $f$ can be reconstructed from $s'_1, \ldots, s'_n$.

Let $F$ be a bivariate polynomial of the form $F(x, y) = f_1(x) + f_2(x) \cdot y$, where $\deg(f_1) \le 2d$, $\deg(f_2) \le d$, and $F(i, s'_i) = 0$ for all $i \in \{1, \ldots, n\}$.

Then $f = f_1 / f_2$.
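The reconstruction statement above, carried out in code as an added example that is not part of the lecture: with $n = 7$, $d = 2$ and at most $d$ wrong shares, the bivariate polynomial is found by solving a linear system over $GF(P)$ and $f$ is recovered by polynomial division (this is the Berlekamp-Welch decoder). The example fixes the normalisation that the slide leaves open: $f_2$ is taken monic of degree $d$ (the "error locator" $E$) and $F$ is written as $Q(x) - E(x) \cdot y$, so the quotient is $f = Q/E$ without a sign. The field $P = 101$, the secret polynomial $42 + 5x + 17x^2$, the two corrupted shares and the Gauss-Jordan solver are all constructed for this example.

```python
P = 101          # constructed: small prime field for the example
N, D = 7, 2      # n players, degree d; 3d < n holds (6 < 7)

def eval_poly(coeffs, x):
    """coeffs[k] is the coefficient of x^k, evaluated modulo P."""
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

def solve_mod_p(rows, rhs):
    """Gauss-Jordan elimination over GF(P). Returns one solution of rows * x = rhs
    (free variables set to 0) or None if the system is inconsistent."""
    m, ncols = len(rows), len(rows[0])
    M = [[v % P for v in r] + [b % P] for r, b in zip(rows, rhs)]
    pivots, rank = [], 0
    for col in range(ncols):
        piv = next((i for i in range(rank, m) if M[i][col]), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][col], -1, P)
        M[rank] = [v * inv % P for v in M[rank]]
        for i in range(m):
            if i != rank and M[i][col]:
                f = M[i][col]
                M[i] = [(a - f * b) % P for a, b in zip(M[i], M[rank])]
        pivots.append(col)
        rank += 1
    if any(M[i][ncols] for i in range(rank, m)):   # a row 0 = nonzero
        return None
    x = [0] * ncols
    for i, col in enumerate(pivots):
        x[col] = M[i][ncols]
    return x

def poly_div_exact(num, den):
    """Long division over GF(P); coefficient lists, lowest degree first.
    Returns (quotient, remainder); the remainder is all zero when den | num."""
    num = [v % P for v in num]
    inv_lead = pow(den[-1], -1, P)
    quot = [0] * max(len(num) - len(den) + 1, 0)
    for k in range(len(quot) - 1, -1, -1):
        q = num[k + len(den) - 1] * inv_lead % P
        quot[k] = q
        for j, dj in enumerate(den):
            num[k + j] = (num[k + j] - q * dj) % P
    return quot, num

def reconstruct_with_errors(received, d=D):
    """received: {i: s'_i} for i = 1..n, with at most d wrong values.
    Unknowns: Q = f1 of degree <= 2d and the monic error locator E = f2 of
    degree d, with F(x, y) = Q(x) - E(x) * y vanishing at every (i, s'_i).
    Returns the coefficients of f = Q / E, or None if no such F exists."""
    rows, rhs = [], []
    for i, si in received.items():
        # sum_k q_k i^k  -  s'_i * sum_{k<d} e_k i^k  =  s'_i * i^d
        rows.append([pow(i, k, P) for k in range(2 * d + 1)] +
                    [-si * pow(i, k, P) for k in range(d)])
        rhs.append(si * pow(i, d, P))
    sol = solve_mod_p(rows, rhs)
    if sol is None:
        return None
    Q, E = sol[:2 * d + 1], sol[2 * d + 1:] + [1]
    f, rem = poly_div_exact(Q, E)
    return None if any(rem) else f

def demo():
    """Constructed run: f(x) = 42 + 5x + 17x^2 shared among 7 players, two of
    whom (players 2 and 5) hand in wrong shares at reconstruction time."""
    f = [42, 5, 17]
    received = {i: eval_poly(f, i) for i in range(1, N + 1)}
    received[2] = (received[2] + 33) % P
    received[5] = (received[5] + 1) % P
    return reconstruct_with_errors(received)

if __name__ == "__main__":
    print(demo())   # [42, 5, 17]
```

Why the division is exact: any solution satisfies $Q(i) = E(i) s'_i$ at all $n$ points, so $Q - fE$ (degree $\le 2d$) vanishes at the $\ge n - d \ge 2d + 1$ correct points and is therefore zero; this is where $3d < n$ is used.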


Multiparty computation and reality

VIFF (Virtual Ideal Functionality Framework) (http://viff.dk)

Danish sugar beet auctions. Bogetoft et al., Jan 2008 (http://eprint.iacr.org/2008/068.pdf)

A framework for doing privacy preserving statistics. Diploma Thesis, Reischl, Jul 2008


Commitment schemes

A commitment scheme consists of two protocols.

In the commit protocol, the committer commits to a value m.

In the opening protocol, the value m is shown to the recipient.

Security properties:

Hiding: The recipient does not learn anything about m from the commit protocol.

Binding: The committer cannot change the value m after the commit protocol.


QRA based commitment scheme ([8])

In order to commit to a single bit $b$, the following protocols are used.

Commit: The committer generates two large Blum primes $p, q$ at random and computes $n = pq$. He chooses a random $y \in \mathbb{Z}_n$ and computes

$$x = (-1)^b y^2 \bmod n.$$

He sends his commitment $(n, x)$ to the recipient.

Open: The committer sends the values $(b, p, q, y)$ used in the commit protocol. The recipient checks $n = pq$, $p \ne q$, $p, q$ are Blum primes, $y \in \mathbb{Z}_n$, and $x = (-1)^b y^2 \bmod n$.

For more than one bit, the same $n$ can be used (if all commitments are opened at the same time).


Properties

The scheme is binding in the information theoretic scenario.

It is hiding under the QRA.

Given commitments $(n, x_1)$ and $(n, x_2)$ (same $n$) for $b_1$ and $b_2$ respectively, a commitment for $b_1 \oplus b_2$ can be computed as $(n, x_1 x_2)$. (The scheme is homomorphic.)

Given a commitment $(n, x)$ for $b$, a commitment for $\neg b$ can be computed as $(n, -xy^2)$ for an arbitrary $y \in \mathbb{Z}_n$.

Given a commitment $(n, x)$ for $b$, a different commitment for $b$ can be computed as $(n, xy^2)$ for an arbitrary $y \in \mathbb{Z}_n$. (Commitments can be "blinded".)
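The QRA commitment of the two preceding slides together with its XOR, negation and blinding operations, as an added example with toy parameters; this is not code from the lecture or from [8]. The Blum primes $p = 7$, $q = 11$ and the values $y$ are constructed and far too small to be secure. The Jacobi-symbol and Euler-criterion helpers are this example's additions: they show that without the factorisation both $y^2$ and $-y^2$ look alike (Jacobi symbol $+1$ modulo a Blum integer, so the cheap test reveals nothing about $b$), while with $p$ and $q$ the recipient can decide squareness, so a commitment to $b = 0$ can never be opened as $b = 1$.

```python
import math

def is_blum_prime(p):
    """Toy primality test (trial division) plus the Blum condition p = 3 (mod 4)."""
    if p < 3 or p % 4 != 3:
        return False
    return all(p % k for k in range(2, math.isqrt(p) + 1))

def commit(b, y, n):
    """Commit protocol: x = (-1)^b * y^2 mod n; the commitment is (n, x)."""
    assert b in (0, 1) and 0 < y < n and math.gcd(y, n) == 1
    return (n, (-1) ** b * y * y % n)

def open_and_verify(commitment, b, p, q, y):
    """Recipient side of the Open protocol: every check the slide lists."""
    n, x = commitment
    return (n == p * q and p != q and is_blum_prime(p) and is_blum_prime(q)
            and 0 < y < n and x == (-1) ** b * y * y % n)

def xor_commitment(c1, c2):
    """(n, x1 * x2) commits to b1 XOR b2; it opens with y1 * y2."""
    assert c1[0] == c2[0]
    return (c1[0], c1[1] * c2[1] % c1[0])

def negate_commitment(c, y):
    """(n, -x * y^2) commits to NOT b; it opens with the old y times this y."""
    n, x = c
    return (n, -x * y * y % n)

def blind_commitment(c, y):
    """(n, x * y^2) is a fresh-looking commitment to the same bit; opens with old y times this y."""
    n, x = c
    return (n, x * y * y % n)

def jacobi(a, n):
    """Jacobi symbol (a / n) for odd n > 0; computable without knowing p and q."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def is_square_mod_n(x, p, q):
    """Euler's criterion modulo p and modulo q (needs the factorisation). Exactly
    the commitments to b = 0 are squares, which is what makes the scheme binding."""
    return pow(x, (p - 1) // 2, p) == 1 and pow(x, (q - 1) // 2, q) == 1

if __name__ == "__main__":
    n = 7 * 11                                   # constructed toy modulus
    c0, c1 = commit(0, 10, n), commit(1, 3, n)   # (77, 23) and (77, 68)
    print(jacobi(c0[1], n), jacobi(c1[1], n))    # 1 1: the cheap test cannot tell b
    print(is_square_mod_n(c0[1], 7, 11), is_square_mod_n(c1[1], 7, 11))  # True False
    print(open_and_verify(xor_commitment(c0, c1), 1, 7, 11, 30))         # True
```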


DLP based commitment scheme

In order to commit to the value $m$, the following protocols are used.

Commit: Two messages are sent.

1. The recipient randomly selects a large prime $q$ and a large prime $p$ such that $q \mid p - 1$. Next, he chooses two random elements $g, h \in \mathbb{Z}_p$ of order $q$. He sends his public key $pk = (p, q, g, h)$ to the committer.

2. The committer checks $p, q \in \mathbb{P}$, $q \mid p - 1$, and $\mathrm{ord}(g) = \mathrm{ord}(h) = q$. Then he selects $k \in \mathbb{Z}_q$ at random and sends the commitment

$$com = g^m h^k \bmod p.$$

Open: The committer sends the pair $(m, k)$ used in the commit protocol. The recipient checks $com = g^m h^k \bmod p$.


Properties

The scheme is hiding in the information theoretic scenario.

It is binding if the DLP is hard.

Given commitments $com_1$ and $com_2$ (same $pk$) for $m_1$ and $m_2$ respectively, a commitment for $m_1 + m_2 \pmod q$ can be computed as $com_1 com_2 \pmod p$. (The scheme is homomorphic.)

Given a commitment $com$ for $m$ and $\lambda \in \mathbb{Z}_q$, a commitment for $\lambda m \pmod q$ can be computed as $\lambda com \pmod p$.
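The DLP based commitment of the two preceding slides as an added example with constructed toy parameters $p = 23$, $q = 11$, $g = 2$, $h = 3$; this is not the lecture's own code and the parameters are far too small for real use. Scaling by $\lambda$ is implemented as $com^\lambda \bmod p$, which is what applying the addition rule $\lambda$ times gives. Two helpers are this example's additions: `openings_for` brute-forces the openings of a commitment and shows that every $m$ has exactly one (the information-theoretic hiding), and `equivocate` shows that a committer who knew $\log_g h$ could open to any value, which is why the recipient chooses $g$ and $h$ and why binding needs the DLP to be hard.

```python
import math

P, Q = 23, 11        # constructed: primes with q | p - 1 (p = 2q + 1)
G, H = 2, 3          # constructed: both of order q in Z_p (check_pk verifies this)
PK = (P, Q, G, H)

def is_prime(n):
    """Toy primality test by trial division."""
    return n > 1 and all(n % k for k in range(2, math.isqrt(n) + 1))

def check_pk(p, q, g, h):
    """Committer's checks from step 2: p, q prime, q | p - 1, ord(g) = ord(h) = q."""
    params_ok = is_prime(p) and is_prime(q) and (p - 1) % q == 0
    return params_ok and all(x % p != 1 and pow(x, q, p) == 1 for x in (g, h))

def commit(m, k, pk=PK):
    """com = g^m h^k mod p (m and k are taken modulo q)."""
    p, q, g, h = pk
    return pow(g, m % q, p) * pow(h, k % q, p) % p

def verify_open(com, m, k, pk=PK):
    """Recipient side of Open: recompute and compare."""
    return com == commit(m, k, pk)

def add_commitments(c1, c2, pk=PK):
    """com1 * com2 commits to m1 + m2 (mod q); it opens with k1 + k2."""
    return c1 * c2 % pk[0]

def scale_commitment(c, lam, pk=PK):
    """com^lam commits to lam * m (mod q); it opens with lam * k."""
    return pow(c, lam, pk[0])

def openings_for(com, m, pk=PK):
    """Brute force over k (toy sizes only): the openings of com as the value m.
    Every m has exactly one, so com carries no information about m."""
    return [k for k in range(pk[1]) if commit(m, k, pk) == com]

def equivocate(m, k, m_new, alpha, pk=PK):
    """If the committer knew alpha with h = g^alpha, this k_new would open
    commit(m, k) as m_new: g^m h^k = g^(m + alpha k) = g^(m_new + alpha k_new)."""
    q = pk[1]
    return (k + (m - m_new) * pow(alpha, -1, q)) % q

if __name__ == "__main__":
    assert check_pk(*PK)
    c = commit(5, 7)                                   # 18
    print(verify_open(add_commitments(c, commit(2, 4)), 7, 11))   # True
    print(verify_open(scale_commitment(c, 3), 15, 21))            # True
    print([len(openings_for(c, m)) for m in range(Q)])            # eleven times 1
    print(verify_open(c, 9, equivocate(5, 7, 9, 8)))              # True: 3 = 2^8 mod 23
```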


References

[1] R. Cramer and I. Damgård. Multi-party computation, an Introduction. Lecture Notes, 2004.

[2] S. Goldwasser, M. Ben-Or, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computing. In Proceedings of the 20th STOC, pages 1–10, 1988.

[3] D. Chaum, C. Crépeau, and I. Damgård. Multiparty unconditionally secure protocols. In Proc. of the 20th annual ACM symposium on Theory of Computing, pages 11–19. ACM Press, 1988.

[4] T. Rabin and M. Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority. In Proc. of the 21st annual ACM symposium on Theory of Computing, pages 73–85. ACM Press, 1989.

[5] A. Yao. Protocols for secure computation. In Proc. 23rd Annual Symp. on Foundations of CS, pages 160–164. IEEE Computer Society Press, 1982.

[6] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game. In Proc. of the 19th annual ACM conference on Theory of Computing, pages 218–229. ACM Press, 1987.

[7] M. Hirt and U. Maurer. Complete characterization of adversaries tolerable in secure multi-party computation. In Proc. 16th ACM Symposium on Principles of Distributed Computing (PODC), pages 25–34, August 1997.

[8] S. Goldwasser and S. Micali. Probabilistic Encryption. Journal of Computer and System Sciences 28 (1984), pages 270–299.
