Ilan Orlov (BGU), Eran Omri (BIU): We explore - PowerPoint PPT Presentation



slide-1
SLIDE 1
  • Yehuda Lindell (BIU)
  • Ilan Orlov (BGU)
  • Amos Beimel (BGU)
  • Eran Omri (BIU)
slide-2
SLIDE 2

• We explore 1/p-secure multiparty protocols without an honest majority
• Positive result:
  • 1/p-secure protocols for constant number of parties for computing any function with polynomial-sized range tolerating any number of corrupt parties
• Impossibility result:
  • There is no general 1/p-secure protocol for non-constant number of parties
• Best of both worlds:
  • A single protocol that
    • Honest majority ⇒ Full security
    • No honest majority ⇒ 1/p-security

slide-3
SLIDE 3

• Background
• Our results
• The ideas of our protocol
• Summary and Open Problems

slide-4
SLIDE 4


slide-5
SLIDE 5


slide-6
SLIDE 6

• m parties
• r-round protocol
  • r = poly(security parameter)
• Adversary:
  • Polynomial time
  • Malicious – corrupts and controls some of the parties
  • Rushing adversary
    • In each round:
      • Sees all messages of honest parties
      • Chooses and sends messages on behalf of malicious parties
        • Can depend on the messages of honest parties
  • More realistic than simultaneous channels
• Broadcast channel

slide-7
SLIDE 7

• The security definitions involve a comparison between two worlds:
  • Ideal World: There is a trusted party that helps with the computation
  • Real World: The protocol

slide-8
SLIDE 8

• Guarantees many nice properties: Privacy, correctness, and Fairness (fairness = corrupt parties get the output ⇒ the honest parties get the output)

[Figure: ideal world with a trusted party and an adversary; inputs x1, x2, x3, x4, …, xm; output y = f(x1, x2, x3, z4, …, zm)]

slide-9
SLIDE 9

[Figure: Ideal World and Real World]

Security Requirement: No REAL world adversary can do more harm than IDEAL world adversary

slide-10
SLIDE 10

• [GoldreichMicaliWigderson87]: Any polynomial-time F can be computed with full security with an honest majority
• [Cleve86]: Any r-round m-party coin-tossing protocol has bias Ω(1/r) without an honest majority
• Conclusion: impossible to achieve full security without an honest majority for general functionalities

slide-11
SLIDE 11

• [GMW87]: Security-with-abort
  • Achieved without an honest majority
  • Does not provide ANY fairness!!
    • The adversary can learn the output, while the honest parties learn nothing

Can we get reasonable fairness without honest majority?

slide-12
SLIDE 12

• Compare the previous two worlds:
  • Full security – REAL fully emulates IDEAL
  • 1/p-security – REAL emulates IDEAL within “computational distance” of at most 1/p

[Figure: Ideal World and Real World]

slide-13
SLIDE 13

• For every function F, where the size of domain or range is polynomial, there exists a 1/p-secure 2-party protocol
  • For every polynomial p
• Impossibility: Domain or range have to be polynomial

GK: Can this result be extended to the multiparty case?

slide-14
SLIDE 14

• Background
• Our results
• The ideas of our protocol
• Summary and Open Problems

slide-15
SLIDE 15

Theorem: For every function F, where
  1. Number of parties m is constant
  2. Size of range of F is polynomial
there exists a 1/p-secure protocol that tolerates up to m-1 corrupt parties
  • For every polynomial p

Also when
  1. No. of corrupt parties < 2m/3
  2. F is deterministic & size of domain of F is constant
  3. m = O(log log n)

Informally: We constructed 1/p-secure protocols for constant number of parties

slide-16
SLIDE 16

• Special case of possibility result: There exists a 1/p-secure protocol when
  • m is constant
  • F is deterministic
  • |Domain| of each party is polynomial
• Impossibility: Such protocol is not possible when m is non-constant
  • Explains why m=O(1) in our result

slide-17
SLIDE 17

• [GMW 87]: Any polynomial-time F can be computed by a protocol with full security with an honest majority
• If there is no honest majority, the above protocol does not guarantee any security
• Goal: Single protocol that achieves
  • Honest majority ⇒ Full security
  • No honest majority ⇒ Some weaker notion of security (fallback security)
• [IshaiKatzKushilevitzLindellPetrank]: Defined the problem and suggested protocols achieving several models of fallback security
  • Do not achieve the above goal (for some good reasons)

Total disaster !!!

slide-18
SLIDE 18

• For every function F for m parties, if
  1. Both the domain and the range are polynomial
  2. m is constant
  then, there exists a (single) protocol
  • Honest majority ⇒ Full security
  • No honest majority ⇒ 1/p-security
• This is best of both worlds!
• Secure-with-abort is not possible as a fallback [IKKLP]
• Strong motivation for 1/p-security

Informally: 1/p-security is possible as a fallback security for constant number of parties

slide-19
SLIDE 19

• Background
• Our Results
• The Ideas of Our Protocol
• Summary and Open Problems

slide-20
SLIDE 20

• The protocol has 2 steps:
  • Preprocessing step
  • r rounds of interaction
• Preprocessing: The parties execute a secure-with-abort protocol:
  • The parties input their inputs
  • Receive a set of shares and signed messages for executing an r-round protocol
• Rounds of Interaction: There are r rounds, in each round:
  • Each party broadcasts its message
  • Each subset of parties learns a value
  • The value is used if other parties abort

slide-21
SLIDE 21

• There is a special round, called i*
  • After round i*, each subset of parties receives the actual output of F
  • Before round i*, each subset of parties receives a value that depends only on its inputs
• To cause “computational distance”, the adversary must guess i*
• The value of i* is concealed
• This structure was used in previous constructions: [IKLP06, Katz06, GK06, GHKL06, MNS09, GK10, BOO10, …]
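
The special-round idea above, as an added toy model (not the authors' protocol and not code from the talk): it computes exactly how often an abort lands on round i*. Assumptions, all constructed for illustration: i* is uniform over the r rounds, values before i* come from a fixed distribution independent of the honest inputs, the real output is handed out from round i* onward, and the function names and sample distribution are hypothetical.

```python
from fractions import Fraction
from itertools import product

def hit_probability(r, fake_dist, real_output, abort_on):
    """Exact Pr[the abort lands exactly on round i*] in the toy model.

    r           -- number of rounds; i* is uniform on 1..r (assumption)
    fake_dist   -- {value: Fraction}, distribution of the values handed out
                   before round i* (independent of the honest inputs)
    real_output -- value handed out from round i* onward (assumption)
    abort_on    -- the rushing adversary sees its round value first and
                   aborts in the first round whose value is in this set
    """
    if real_output not in abort_on:
        return Fraction(0)  # it aborts before i* or not at all
    q = sum((p for v, p in fake_dist.items() if v in abort_on), Fraction(0))
    # The abort lands on i* iff none of the i*-1 earlier values triggered it.
    return sum(Fraction(1, r) * (1 - q) ** (i - 1) for i in range(1, r + 1))

def hit_probability_bruteforce(r, fake_dist, real_output, abort_on):
    """Same quantity by enumerating every i* and every pre-i* transcript."""
    total = Fraction(0)
    for i_star in range(1, r + 1):
        for fakes in product(fake_dist, repeat=i_star - 1):
            weight = Fraction(1, r)
            for v in fakes:
                weight *= fake_dist[v]
            seen = list(fakes) + [real_output]
            first = next((i for i, v in enumerate(seen, 1) if v in abort_on), None)
            if first == i_star:
                total += weight
    return total

# Constructed sample: one-bit range, fake values uniform, real output 1.
FAKE = {0: Fraction(1, 2), 1: Fraction(1, 2)}

if __name__ == "__main__":
    for r in (4, 8):
        smart = hit_probability(r, FAKE, 1, {1})     # abort on the first "1"
        blind = hit_probability(r, FAKE, 1, {0, 1})  # always abort in round 1
        assert smart == hit_probability_bruteforce(r, FAKE, 1, {1})
        print(f"r={r}  value-based abort: {smart}  blind abort: {blind}")
```

In this toy model the value-based strategy hits i* with probability (1 - (1-q)^r)/(r·q) ≤ 1/(r·q), where q is the chance that a pre-i* value triggers the abort, so adding rounds shrinks what a guess of i* can gain.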

slide-22
SLIDE 22

• How to conceal the value of i* in a multiparty setting?
• How to deal with any possible abort of any subset?
• Some of the solutions:
  • The information is shared in a few layers of secret sharing
  • After an abort, the remaining parties execute a protocol
    • This protocol has to conceal i*

slide-23
SLIDE 23

• Background
• Our Results
• The Ideas of Our Protocol
• Summary and Open Problems

slide-24
SLIDE 24

• We explore 1/p-secure multiparty protocols without an honest majority
• Positive result:
  • 1/p-secure protocols for constant number of parties*
• Impossibility result:
  • There is no general 1/p-secure protocol for non-constant number of parties*
• Best of both worlds
  • Single protocol that
    • Honest majority ⇒ Full security
    • No honest majority ⇒ 1/p-security

* Some restriction might apply

slide-25
SLIDE 25


slide-26
SLIDE 26

• Is there a 1/p-secure protocol for F with non-constant number of parties and polynomial-sized range and domain?
• Are there more efficient 1/p-secure protocols?
• Can we guarantee full-privacy and partial fairness in secure multiparty computation without an honest majority?
  • 1/p security: With prob. 1/p privacy can be totally lost
  • Maybe suggest new definitions?
slide-27
SLIDE 27
