More Practical Multi-Party Computation Feng Hao University of - - PowerPoint PPT Presentation



slide-1
SLIDE 1

More Practical Multi-Party Computation

Feng Hao University of Warwick

Tutorial, Indocrypt’19, Hyderabad, India

slide-2
SLIDE 2

“There are only three papers that are worth writing: the first, the last and the best.”

- Roger Needham (1935-2003)
slide-3
SLIDE 3

Outline of the tutorial (3 hours)

  • 1. Boolean-OR function: Anonymous Veto (20 min)
  • 2. Boolean-Count function: Boardroom voting (20 min)
  • 3. Equality function: PAKE (20 min)
  • 4. Tallying function: E-voting (1 hour)
  • 5. Max function: E-Auction (1 hour)
slide-4
SLIDE 4

How to anonymously veto a motion?

  • Invading Iraq – “Yes/No”

“Either you are with us, or you are with the terrorists.” George Bush

slide-5
SLIDE 5

A classic Dining Cryptographers problem

  • Dining Cryptographers problem (Chaum, 1988)
  • How to determine logical OR – essentially a veto problem
  • Chaum’s solution: DC-net
  • Set up pairwise keys through private channels
  • Broadcast XOR of the shared keys or the opposite
  • Compute XOR of the broadcast values
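
The three DC-net steps above as a runnable simulation (an added example, not taken from the slides). It also shows why collisions and disruptions are weaknesses: two simultaneous vetoes cancel, and any party can flip the outcome unnoticed. The function name `dc_net_round` and its parameters are chosen here for illustration.

```python
import secrets
from functools import reduce
from operator import xor

def dc_net_round(n, vetoers, disruptors=()):
    """Run one DC-net round for n parties; return (broadcast bits, XOR of all broadcasts)."""
    # Key setup over private channels: one shared bit per pair, n(n-1)/2 keys in total.
    key = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            key[i][j] = key[j][i] = secrets.randbits(1)

    broadcasts = []
    for i in range(n):
        # XOR of the keys party i shares with everyone else ...
        bit = reduce(xor, (key[i][j] for j in range(n) if j != i), 0)
        # ... or "the opposite" when party i vetoes (a disruptor flips it just the same).
        if i in vetoers:
            bit ^= 1
        if i in disruptors:
            bit ^= 1
        broadcasts.append(bit)

    # Every pairwise key appears in exactly two broadcasts, so the keys cancel
    # and only the parity of the number of flips survives.
    return broadcasts, reduce(xor, broadcasts, 0)

if __name__ == "__main__":
    for label, kwargs in [
        ("no veto", dict(vetoers=set())),
        ("one veto", dict(vetoers={1})),
        ("two vetoes (collision)", dict(vetoers={0, 2})),
        ("no veto + disruptor", dict(vetoers=set(), disruptors={3})),
    ]:
        bits, result = dc_net_round(4, **kwargs)
        print(f"{label:24s} broadcasts={bits} -> OR reported as {result}")
```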
slide-6
SLIDE 6

Dining Cryptographers

  • Summary of DC-net weaknesses
  • Message collisions
  • Complex key setup
  • Subject to disruptions
  • There are other solutions
  • Circuit evaluation by Goldreich, Micali and Wigderson (1987)
  • Anonymous veto protocols by Kiayias-Yung (2003), Groth (2004) and Brandt (2005)
  • But they are not efficient.
slide-7
SLIDE 7

Anonymous Veto Network (Hao-Zielinski’06)

slide-8
SLIDE 8

The cancelation of random factors

slide-9
SLIDE 9

Efficiency comparison

slide-10
SLIDE 10

Outline of the tutorial

  • 1. Boolean-OR function: Anonymous Veto
  • 2. Boolean-Count function: Boardroom voting
  • 3. Equality function: PAKE
  • 4. Tallying function: E-voting
  • 5. Max function: E-Auction
slide-11
SLIDE 11

A crypto puzzle

The chancellor is seeking re-election in the senate. Some delegates do not want to vote for him, but worry about revenge. There is no secrecy in communication. Everything you say will be recorded and traced back to you. Furthermore, no trusted third parties exist. Can we still have an election with voter privacy preserved?

slide-12
SLIDE 12

Constraints in the scenario

  • 1. There are no private channels.
  • All communication is public and traceable to the sender.
  • 2. There are no trusted third parties.
  • The only person you trust is yourself.
slide-13
SLIDE 13

Previous solution: Kiayias-Yung, 2002

  • Kiayias and Yung first proposed a solution in 2002.
  • The protocol executes in 3 rounds.
  • Each voter publishes O(n) ephemeral public keys.
  • And performs O(n) public key operations.
  • System complexity O(n^2): too complex.
slide-14
SLIDE 14

Groth's solution (2004)

  • Groth improved Kiayias-Yung's solution in 2004.
  • His solution trades round efficiency for system complexity.
  • Its system complexity O(n) vs Kiayias-Yung's O(n^2).
  • Its round efficiency O(n) vs Kiayias-Yung's 3.
  • Too many rounds.
slide-15
SLIDE 15

Open Vote Network (Hao-Ryan-Zielinski, 08)

  • Generalization of Anonymous Veto Network (Hao-Ryan, 2006)
  • Only two rounds.
  • Linear system complexity.
  • As secure as Kiayias-Yung and Groth's.
  • But much more efficient than both.
slide-16
SLIDE 16

The protocol

slide-17
SLIDE 17

Security properties

  • 1. Maximum ballot secrecy
  • Each cast ballot is indistinguishable from random.
  • 2. Self-tallying
  • Anyone can tally the votes without external help.
  • 3. Dispute-freeness
  • Anyone can verify all voters act according to the protocol.
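
The cancellation of random factors behind both AV-net (Boolean-OR) and Open Vote Network (Boolean-count), as an added example that is not code from the slides or their authors. The message formulas follow the published two-round protocols, since the slide images carrying them did not survive. Assumptions: a toy 11-bit group constructed for illustration, all parties simulated in one process, and the zero-knowledge proofs that give dispute-freeness omitted.

```python
import secrets

# Toy Schnorr group, constructed for this example: p = 2q + 1, g = 4 has prime order q.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, q-1]

def round1(xs):
    """Round 1: party i publishes g^x_i (proof of knowledge of x_i omitted)."""
    return [pow(G, x, P) for x in xs]

def masks(pubs):
    """g^y_i = prod_{j<i} g^x_j / prod_{j>i} g^x_j, computable by anyone from round 1."""
    out = []
    for i in range(len(pubs)):
        num = den = 1
        for j, h in enumerate(pubs):
            if j < i:
                num = num * h % P
            elif j > i:
                den = den * h % P
        out.append(num * pow(den, -1, P) % P)
    return out

def av_net(xs, veto_exps):
    """Boolean-OR. veto_exps[i] is None for 'no veto', else the random exponent
    the vetoer uses in place of x_i. Returns True iff the product is not 1."""
    prod = 1
    for x, gy, r in zip(xs, masks(round1(xs)), veto_exps):
        prod = prod * pow(gy, x if r is None else r, P) % P
    return prod != 1

def open_vote(xs, votes):
    """Boolean-count. Party i publishes g^(x_i*y_i) * g^v_i with v_i in {0, 1}."""
    prod = 1
    for x, gy, v in zip(xs, masks(round1(xs)), votes):
        prod = prod * pow(gy, x, P) * pow(G, v, P) % P
    # Self-tallying: sum(x_i * y_i) = 0, so prod = g^(number of yes votes).
    # The tally is at most n, so anyone finds it by exhaustive search.
    return next(t for t in range(len(votes) + 1) if pow(G, t, P) == prod)

if __name__ == "__main__":
    xs = [rand_exp() for _ in range(5)]
    print("one veto  ->", av_net(xs, [None, None, rand_exp(), None, None]))
    print("no veto   ->", av_net(xs, [None] * 5))
    print("yes votes ->", open_vote(xs, [1, 0, 1, 1, 0]))
```

In this toy group a veto is missed with probability of roughly 1/q; with a cryptographically sized q that probability is negligible.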
slide-18
SLIDE 18

Comparison

slide-19
SLIDE 19

Outline of the tutorial

  • 1. Boolean-OR function: Anonymous Veto
  • 2. Boolean-Count function: Boardroom voting
  • 3. Equality function: PAKE
  • 4. Tallying function: E-voting
  • 5. Max function: E-Auction
slide-20
SLIDE 20

Password Authenticated Key Exchange

  • Establish a high-entropy session key from a low-entropy secret
  • No trusted third party

slide-21
SLIDE 21

Background

  • 1992, EKE (Bellovin, Merritt) – patented by Lucent
  • 1996, SPEKE (Jablon) – patented by Phoenix
  • 1998, SRP-6 (Wu) – patented by Stanford University
  • 2005, OPAKE (Gentry et al) – patented by DoCoMo
  • An explosion of interest and many solutions proposed
slide-22
SLIDE 22

Standardization

  • 2000, IEEE P1363.2 Working Group formed to standardize PAKE
  • 2004, no concrete outcome
  • Project extended, and extended …
  • 2008, still no concrete outcome
  • It then became clear that the problem had remained unsolved
slide-23
SLIDE 23

Password Authenticated Key Exchange by Juggling (Hao, Ryan ’08)

  • Based on adapting solution of Dining Cryptographers problem
  • Essentially, solving a two-party equality problem
slide-24
SLIDE 24

J-PAKE protocol

slide-25
SLIDE 25

Security properties

  • 1. Off-line dictionary attack resistance - It does not leak any password verification information to a passive attacker.
  • 2. Known-key security - It prevents a disclosed session key from affecting the security of other sessions.
  • 3. Forward secrecy - It produces session keys that remain secure even when the password is later disclosed.
  • 4. On-line dictionary attack resistance - It strictly limits an active attacker to test only one password per protocol execution.
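
The two-round J-PAKE exchange as an added example (not code from the slides or from any J-PAKE implementation), showing that both sides derive the same session key exactly when their passwords match. The message formulas follow the published J-PAKE specification (RFC 8236), as the protocol slide itself was an image. Assumptions: a toy 11-bit group constructed for illustration, both parties simulated in one function, and the Schnorr zero-knowledge proofs that accompany every message omitted.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example: p = 2q + 1, g = 4 has prime order q.
P, Q, G = 2039, 1019, 4

def pw_to_s(password):
    """Map a password to a non-zero exponent s in [1, q-1]."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return h % (Q - 1) + 1

def kdf(K):
    """Session key = hash of the shared group element."""
    return hashlib.sha256(K.to_bytes((P.bit_length() + 7) // 8, "big")).hexdigest()

def jpake(s_a, s_b, x=None):
    """Alice uses password exponent s_a, Bob uses s_b.
    x optionally fixes the ephemeral secrets (x1, x2, x3, x4)."""
    x1, x2, x3, x4 = x or [secrets.randbelow(Q - 1) + 1 for _ in range(4)]

    # Round 1: Alice sends g^x1, g^x2; Bob sends g^x3, g^x4.
    g1, g2, g3, g4 = (pow(G, e, P) for e in (x1, x2, x3, x4))

    # Round 2: each side raises the product of the other three values
    # to (own second secret * password).
    A = pow(g1 * g3 * g4 % P, x2 * s_a % Q, P)      # Alice -> Bob
    B = pow(g1 * g2 * g3 % P, x4 * s_b % Q, P)      # Bob -> Alice

    # Key computation: strip the known factor, then raise to the own secret.
    # With s_a == s_b both sides obtain g^((x1 + x3) * x2 * x4 * s).
    Ka = pow(B * pow(g4, -(x2 * s_a) % Q, P) % P, x2, P)
    Kb = pow(A * pow(g2, -(x4 * s_b) % Q, P) % P, x4, P)
    return kdf(Ka), kdf(Kb)

if __name__ == "__main__":
    ka, kb = jpake(pw_to_s("hunter2"), pw_to_s("hunter2"))
    print("same password, keys match:     ", ka == kb)
    ka, kb = jpake(pw_to_s("hunter2"), pw_to_s("hunter3"))
    print("different password, keys match:", ka == kb)
```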

slide-26
SLIDE 26

Adopted by web browsers for secure sync

  • Used in Firefox sync (2010), Palemoon sync (2014)
slide-27
SLIDE 27

Built into IoT products

  • 2014, J-PAKE accepted as the IoT industry standard by Thread Group
  • 2017, built into Google Nest, ARM mbed, NXP IoT gateway

Nest Smart Home

slide-28
SLIDE 28

Outline of the tutorial

  • 1. Boolean-OR function: Anonymous Veto
  • 2. Boolean-Count function: Boardroom voting
  • 3. Equality function: PAKE
  • 4. Tallying function: E-voting
  • 5. Max function: E-Auction
slide-29
SLIDE 29

Two types of e-voting

  • Local polling station voting using DRE
  • 100% DRE usage in elections in India, Brazil
  • 1/3 of voting machines in the USA are DRE
  • Remote e-voting using Internet
  • In 2007, Estonia held the first national Internet election
  • In 2015, about 30% of Estonians voted over the Internet
slide-30
SLIDE 30

Source: NDI (2017)

slide-31
SLIDE 31

Source: US Election Data Services

USA

slide-32
SLIDE 32

The controversial side of e-voting

slide-33
SLIDE 33

Future of e-voting?

slide-34
SLIDE 34

What’s wrong with current e-voting products?

  • A blackbox e-voting system is unverifiable.
slide-35
SLIDE 35

A black-box voting system critically relies on trusting the government officials

  • But shouldn’t we trust the government officials in any case?
slide-36
SLIDE 36

Saddam won 100% votes

  • It was the official result!
slide-37
SLIDE 37

Lessons from the past

  • Verifiability is critical
  • A trustworthy e-voting system should allow people to independently verify the integrity of its operations

slide-38
SLIDE 38

Research on verifiable e-voting

  • Requirements on verifiability

    1. Cast as intended: every voter can verify their vote is cast as intended
    2. Recorded as cast: every voter can verify their vote is recorded as cast
    3. Tallied as recorded: every voter (and any observer) can verify all votes are tallied as recorded

  • Systems that satisfy all above are called end-to-end (E2E) verifiable
  • Over 20 years research on this subject
slide-39
SLIDE 39

The power of E2E verifiable voting systems

                       Paper-ballot   DRE   DRE with VVPAT   E2E
Cast as intended            ✓          ✗          ✓           ✓
Recorded as cast            ✗          ✗          ✗           ✓
Tallied as recorded         ✗          ✗          ✗           ✓

slide-40
SLIDE 40
slide-41
SLIDE 41

A gap between theory and practice

  • Unfortunately, despite many E2E voting systems in the literature, they are not used in real-world national elections.

slide-42
SLIDE 42

Conventional E2E verifiable e-voting systems

  • The same architectural design for over 20 years
slide-43
SLIDE 43

Self-enforcing e-voting

slide-44
SLIDE 44
slide-45
SLIDE 45

Two ways to cancel random factors

  • Strategy 1: Pre-computation
  • The DRE-i protocol (Hao et al, USENIX JETS, 2014)
  • Suitable for Internet voting
  • Used regularly for student prize competitions since 2013
  • Strategy 2: Real-time computation
  • The DRE-ip protocol (Shahandashti-Hao, ESORICS, 2016)
  • Suitable for onsite voting
  • Trialed in Gateshead, UK during local elections in May 2019
slide-46
SLIDE 46

Direct Recording Electronic with Integrity (DRE-i)

  • Three phases

    1. Setup
    2. Voting
    3. Tallying

slide-47
SLIDE 47

Phase 1: Setup

  • Well-formedness: any single cryptogram is either “No” or “Yes”
  • Concealing: a single cryptogram doesn’t reveal whether it is “No” or “Yes”
  • Revealing: a pair of cryptograms reveals “No”/“Yes”
  • Self-tallying: given selection of an arbitrary cryptogram from each of the N ballots, anyone can tally “Yes”

slide-48
SLIDE 48

Cancellation formula – an example

slide-49
SLIDE 49

Phase 2: Voting

  • Intuitive voting experience as normal touch screen selection
  • Cryptography transparent to ordinary users
  • Receipt-freeness: because of the concealing property
  • Cast as intended: because of the revealing property
slide-50
SLIDE 50

Phase 3: Tallying

  • Anyone is able to compute
  • (cancellation formula)
slide-51
SLIDE 51

Putting theory into practice

  • Verifiable Classroom Voting (VCV) system based on DRE-i
  • An end-to-end verifiable classroom voting system
  • Used regularly in real classroom teaching and student prize competitions in Newcastle/Warwick since 2013

slide-52
SLIDE 52

Voting through a mobile web browser

slide-53
SLIDE 53

Select a candidate answer (audit)

slide-54
SLIDE 54

Select a candidate (cast vote)

slide-55
SLIDE 55

An alternative approach

  • Strategy 1: Pre-computation
  • The DRE-i protocol (Hao et al, USENIX JETS, 2014)
  • Suitable for Internet voting
  • Used regularly for student prize competitions since 2013
  • Strategy 2: Real-time computation
  • The DRE-ip protocol (Shahandashti-Hao, ESORICS, 2016)
  • Suitable for onsite voting
  • Trialed in Gateshead, UK during local elections in May 2019
slide-56
SLIDE 56

DRE-i with enforced privacy (DRE-ip)

  • Motivation
  • DRE-i works by pre-computing encrypted ballots
  • However, pre-computed ballots need to be stored securely
  • Can we remove this secure storage requirement?
  • Naturally, that leads us to a different strategy
  • DRE-ip works by computing encrypted ballots in real time
  • Still three phases: setup, voting and tallying
slide-57
SLIDE 57

Phase 1: setup

  • Two generators g1 and g2 with unknown log relation
  • E.g., use a one-way hash to obtain g2 from g1 (in our implementation)
slide-58
SLIDE 58

Phase 2: Voting

  • Encrypted vote
  • DRE keeps in memory

,

  • At the end, DRE posts t, s on bulletin board
slide-59
SLIDE 59

Phase 3: Tallying

  • DRE publishes t and s and all receipts on bulletin board

  • The public verify

,
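
The three DRE-ip phases as an added example (not the authors' implementation), showing that the public check accepts the honest tally and rejects a tampered tally or a dropped receipt. The ballot and verification equations are those of the published DRE-ip protocol, since the formulas on these slides did not survive. Assumptions: a toy 11-bit group constructed for illustration, a hypothetical `derive_g2` hash-to-group step, and the well-formedness proofs and voter-initiated auditing omitted.

```python
import hashlib
import secrets

# Toy group, constructed for this example: p = 2q + 1, g1 = 4 has prime order q.
P, Q, G1 = 2039, 1019, 4

def derive_g2(g1):
    """Hash g1 into the order-q subgroup so that nobody knows log_g1(g2)."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(f"{g1}|{ctr}".encode()).digest(), "big") % P
        g2 = h * h % P                      # squaring lands in the order-q subgroup
        if g2 not in (0, 1):
            return g2
        ctr += 1

G2 = derive_g2(G1)

class DRE:
    def __init__(self):
        self.t = 0        # running tally, sum of v_i
        self.s = 0        # running sum of the random factors r_i (mod q)
        self.board = []   # receipts (R_i, Z_i) as posted on the bulletin board

    def cast(self, v):
        """Encrypt vote v in {0, 1}, update t and s, then forget r."""
        r = secrets.randbelow(Q - 1) + 1
        receipt = (pow(G2, r, P), pow(G1, r + v, P))   # R = g2^r, Z = g1^r * g1^v
        self.t += v
        self.s = (self.s + r) % Q
        self.board.append(receipt)
        return receipt

def verify(board, t, s):
    """Public check: prod R_i == g2^s and prod Z_i == g1^s * g1^t."""
    prod_r = prod_z = 1
    for R, Z in board:
        prod_r = prod_r * R % P
        prod_z = prod_z * Z % P
    return prod_r == pow(G2, s, P) and prod_z == pow(G1, s + t, P)

if __name__ == "__main__":
    dre = DRE()
    for v in [1, 0, 1, 1, 0]:
        dre.cast(v)
    print("honest tally", dre.t, "verifies:", verify(dre.board, dre.t, dre.s))
    print("inflated tally verifies:", verify(dre.board, dre.t + 1, dre.s))
    print("inflated tally, s adjusted:", verify(dre.board, dre.t + 1, (dre.s - 1) % Q))
```

The last case is why two generators are needed: shifting one unit from s to t keeps the g1 equation balanced, but the g2 equation pins s on its own.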

slide-60
SLIDE 60

DRE-ip in practice

  • Google Pixel to implement the DRE
  • DRE connected to a thermal printer
  • The backend is a web server hosted in the university campus

slide-61
SLIDE 61

Gateshead trial using DRE-ip (2 May 2019)

  • Voters voted as normal using paper ballots
  • Upon exit, they were invited to trial a new e-polling system
  • They were then asked which system they preferred

* Approved by Gateshead council and Warwick University’s Ethics Committee

slide-62
SLIDE 62

Gateshead Civic Center, 6:30 am, 2 May 2019

Polling station E-polling trial station

slide-63
SLIDE 63

Research team for the e-voting trial

slide-64
SLIDE 64

Introductory video

slide-65
SLIDE 65

A dummy election

slide-66
SLIDE 66

Election results

slide-67
SLIDE 67

Survey result (91 responses)

Based on your experience of using paper ballots and e-voting, which system do you prefer?

Strongly prefer paper Prefer paper Neutral Prefer e-voting Strongly prefer e-voting

slide-68
SLIDE 68

Those who prefer e-voting (55 voters)

slide-69
SLIDE 69

Those who prefer paper ballots (20 voters)

slide-70
SLIDE 70

Those who are neutral (16)

  • Don’t see much difference if one has to come to the polling station
  • Want to vote from home
slide-71
SLIDE 71

Our vision about future e-voting

slide-72
SLIDE 72

An overview of existing e-voting systems

slide-73
SLIDE 73

Outline of the tutorial

  • 1. Boolean-OR function: Anonymous Veto
  • 2. Boolean-Count function: Boardroom voting
  • 3. Equality function: PAKE
  • 4. Tallying function: E-voting
  • 5. Max function: E-Auction
slide-74
SLIDE 74

Acknowledgement

  • Joint work with Bag, Shahandashti and Ray.
  • Based on the following paper

Samiran Bag, Feng Hao, Siamak Shahandashti, and Indranil G. Ray, "SEAL: Sealed-bid Auction without Auctioneers," IEEE Transactions on Information Security and Forensics, 2020, https://eprint.iacr.org/2019/1332.pdf.

slide-75
SLIDE 75

Background in auction

  • A very common practice: US treasury sells trillions of securities via auction
  • Open cry

    ○ Ascending: English auction
    ○ Descending: Dutch auction

  • Sealed-bid

    ○ First-price (equivalent to Dutch auction based on game theory)
    ○ Second-price (equivalent to English auction when voters evaluate items in private)

  • We will focus on sealed-bid auctions
slide-76
SLIDE 76

Sealed-bid auction

Bid price 1 Bid price 2 Bid price 3 Bid price 4

slide-77
SLIDE 77

Two types of sealed-bid auction

  • First price sealed-bid auction

The highest bidder wins, and pays the highest bid price

  • Second price sealed-bid auction

The highest bidder wins, but pays the second-highest bid price

Also called “Vickrey auction”, named after William Vickrey who first developed theory for this type of auction (won Nobel Prize in 1996)

William Vickrey (1914-1996)

slide-78
SLIDE 78

Vickrey auction

  • Extremely important in the auction theory
  • Based on game theory, this scheme is “strategy-proof”: when values are evaluated in private, the best strategy for bidders is to bid their true evaluation

  • Unfortunately, rarely used in practice
slide-79
SLIDE 79

Practical concerns in Vickrey auction

  • Two main security concerns

    ○ (Privacy) The true evaluation is a commercial secret but the auctioneer sees my bid
    ○ (Integrity) How do I know I really pay the 2nd highest price (auctioneer didn’t change)?

  • Completely trustworthy auctioneers do not exist
  • In this talk, I’ll present a solution that removes the need for auctioneers

slide-80
SLIDE 80

Overview of e-auction research

  • A very active field since the seminal paper by Franklin-Reiter in 1996
  • A large number of e-auction systems have been proposed
  • However, almost all of them assume the role of a trustworthy auctioneer
  • They apply threshold crypto or MPC to distribute the trust
slide-81
SLIDE 81

Summary of previous work

In general, two types of solutions:

    1. Use two or more auctioneers: Franklin-Reiter, 1996; Sako, 2000; Kurosawa-Ogata, 2002; Bogetoft et al., 2006; Cartlidge et al., 2019, …
    2. Add other trusted third parties: Naor-Pinkas-Sumner, 1999; Juels-Szydlo, 2002; Lipmaa-Asokan-Niemi, 2002; Abe-Suzuki, 2002; Montenegro-Fischer-Lopez-Peralta, 2013, …

However, we want to get rid of “trustworthy auctioneers” completely

slide-82
SLIDE 82

Can’t we just use MPC without auctioneers?

  • In theory, general MPC allows secure computation on any function

    ○ n players, each with a secret input x_i, i = 1, 2, ..., n
    ○ Each player learns nothing more than f(x_1, x_2, ..., x_n)

  • So we simply apply it to a max function without involving auctioneers
  • Problem trivially solved?
  • However, not that simple …
slide-83
SLIDE 83

Typical assumptions in MPC

  • Pairwise secret channels + a public authenticated channel

    ○ O(n^2) complexity of setting up pairwise secret channels
    ○ The existence of secret channels makes the protocol not publicly verifiable

  • The honest majority

○ In practice, the vast majority of participants may be corrupted (e.g., 3 players)

slide-84
SLIDE 84

A real-world MPC application on auction

  • Bogetoft, Damgard, Jakobsen, Nielsen, Pagter, Toft, 2006
  • Used in Denmark for auction sales on sugar beets

Bid price 1 Bid price 2 Bid price 3 Bid price 4

Danisco DKS Researchers pub3/prv3 pub2/prv2 pub1/prv3

  • Assume 2 out of 3 auctioneers honest
  • Public key pairs for pairwise secure communication

slide-85
SLIDE 85

Is e-auction without auctioneers possible?

  • Yes, but a trivial method will give you an exponential complexity
  • For example: each bidder encrypts “Yes”/“No” for all possible bid prices
  • Similar ideas proposed by Brandt, 2002; Brandt, 2003; Wu et al, 2004; Brandt, 2005; Brandt, 2006.
  • They all incur O(2^c) complexity, c being the bit length of the bid
  • We will show a solution with O(c) complexity
slide-86
SLIDE 86


Communication setting in our solution

Bid price 1 Bid price 2 Bid price 3 Bid price 4

Public bulletin board (Ethereum blockchain)

  • No secret channels
  • An authenticated public channel (required in all schemes)
  • No trustworthy auctioneers
slide-87
SLIDE 87

Security definitions

slide-88
SLIDE 88

Overview of the auction protocol

  • Called Self-Enforcing Auction Lot (SEAL)
  • Based on a single primitive: boolean-OR (modified AV-net, Hao-Zielinski’06)
  • Two phases: commitment and bidding
slide-89
SLIDE 89

Commitment Phase

slide-90
SLIDE 90

Bidding Phase

slide-91
SLIDE 91

An example

slide-92
SLIDE 92

Efficiency analysis

Computational load (no. of exponentiations)
Communication bandwidth (no. of group elements)

Notations: c the bit length of the bid. n the total number of bidders. the number of iterations of stage 1

slide-93
SLIDE 93

Proof-of-concept implementation

  • Using Java on Linux Platform
  • Experiment done on an Asus Core i3 laptop (2.1 GHz with 4 GB RAM)
slide-94
SLIDE 94

Commitment phase

10 bidders Bit length of the bid fixed at 10

slide-95
SLIDE 95

Bidding Phase

10 bidders Bit length of the bid fixed at 10

slide-96
SLIDE 96

Security analysis - integrity of auction outcome

slide-97
SLIDE 97

Security analysis - privacy of losing bids

slide-98
SLIDE 98

Can we achieve inclusive-privacy?

  • Yes, simple to do

○ Just replace AV-net with another anonymous veto protocol that satisfies “inclusive privacy” (e.g., PriVeto by Bag, Zad, Hao, IET Information Security, 2019)

  • However, the resultant scheme will be less interesting and less useful ...
slide-99
SLIDE 99

Practical concerns

Auction (inclusive privacy) Auction (exclusive privacy) Resolving tie Adaptive Extension to Vickrey

slide-100
SLIDE 100

Extension to Vickrey auction

  • Imagine a (perfect) MPC protocol that limits you to learn nothing more than the output of the max function
  • You run the protocol twice to get the second highest bid
  • But the highest bid is trivially revealed!
slide-101
SLIDE 101

A better way to support Vickrey auction

  • With exclusive-privacy, at each deciding bit position, each bidder learns

    ○ If he has lost
    ○ Else remains in the race
        ■ If he is the only winner
        ■ Else there is a tie

  • Hence, when the bidder learns he is the only winner

    ○ He declares himself as the winner (with a proof) and steps aside
    ○ Losing bidders reset the output of that winning iteration to be T_j = 0 and make it a non-deciding iteration.
    ○ They continue executing the rest of the protocol and obtain the 2nd highest bid
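
A logic-level model of the bit-by-bit auction and its Vickrey extension described above, as an added example that is not the SEAL implementation. It evaluates one Boolean-OR per bit position, so c evaluations replace one per possible price. Assumptions: an ideal Boolean-OR stands in for the modified AV-net, the commitment phase and all proofs are omitted, and `seal_auction` and `bid_bits` are names chosen here.

```python
def bid_bits(bid, c):
    """c-bit binary expansion, most significant bit first."""
    return [(bid >> (c - 1 - j)) & 1 for j in range(c)]

def seal_auction(bids, c, vickrey=False):
    """Returns (winner, price, T): winner index (None when the top bid is tied),
    the price to pay, and the public OR outputs T_1..T_c."""
    bit = [bid_bits(b, c) for b in bids]
    racing = set(range(len(bids)))      # bidders who have not lost yet
    winner, T = None, []
    for j in range(c):
        # Bidders still racing feed their j-th bit; everyone else feeds 0.
        ones = {i for i in racing if bit[i][j]}
        t = int(bool(ones))             # ideal Boolean-OR (assumed primitive)
        if t and vickrey and winner is None and len(ones) == 1 and len(racing) > 1:
            # The sole bidder with a 1 sees that the OR of the *others'* bits is 0,
            # declares himself winner and steps aside. The rest reset T_j to 0,
            # which makes this a non-deciding iteration for them.
            (winner,) = ones
            racing.discard(winner)
            t = 0
        elif t:
            racing = ones               # deciding iteration: bidders with a 0 lose
        T.append(t)
    price = int("".join(map(str, T)), 2)
    if not vickrey:
        winner = next(iter(racing)) if len(racing) == 1 else None
    return winner, price, T

if __name__ == "__main__":
    bids, c = [9, 12, 6], 4             # constructed sample bids, 4-bit prices
    print("first-price:", seal_auction(bids, c))
    print("Vickrey:    ", seal_auction(bids, c, vickrey=True))
    print(f"{c} OR evaluations instead of one per price ({2 ** c} prices)")
```

In Vickrey mode the winner's bits below the position where he steps aside are never fed into an OR, unlike running a max protocol twice.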

slide-102
SLIDE 102

Concluding remarks

  • Two main approaches in MPC research

    ○ Top-down: general -> specific
    ○ Bottom-up: specific -> general

  • So far bottom-up has produced practically deployable solutions
  • However, they are specifically designed for a specific context
  • Maybe the two approaches can meet in the middle?