
Multi-Party Function Evaluation with Perfectly Private Audit Trail

Multi-Party Function Evaluation with Perfectly Private Audit Trail. Edouard Cuvelier & Olivier Pereira, Université catholique de Louvain, ICTEAM Crypto Group, 1348 Louvain-la-Neuve, Belgium. UCL Crypto Group, SDTA - December 2014


  1. Multi-Party Function Evaluation with Perfectly Private Audit Trail. Édouard Cuvelier & Olivier Pereira, Université catholique de Louvain, ICTEAM – Crypto Group, 1348 Louvain-la-Neuve – Belgium. UCL Crypto Group, Microelectronics Laboratory. SDTA - December 2014

  2. Privacy vs Verifiability – Two Extremes
     - Public Auctions: Verifiability 100%, Privacy 0%
     - Sealed-Bid Auctions: Verifiability 0%, Privacy 100%

  3. Privacy vs Verifiability – Two Extremes
     - Public Auctions: Verifiability 100%, Privacy 0%
     - Sealed-Bid Auctions: Verifiability 0%, Privacy 100%
     - How to reconcile Privacy and Verifiability?

  4. Objectives
     - Generic: evaluate any computable function in a multi-party setting
     - Privacy: parties only trust a third party for privacy
     - Verifiability: guarantee correctness of the result
     - Efficiency: run in reasonable execution time and memory size on a standard laptop

  5. Outline
     1. Motivations
     2. Protocol description
     3. Three test applications
     4. Conclusion

  6. Motivations: A direct solution is the use of “Classic” Secure Multi-Party Computation...

  7. “Classic” Secure Multi-Party Computation
     [Diagram: Client 1 (input: $x_1$), Client 2 (input: $x_2$) and Client 3 (input: $x_3$), each labelled with the output $f(x_1, x_2, x_3)$]

  8. Motivations I: A direct solution is the use of “Classic” Secure Multi-Party Computation... Interesting features:
     - No need for a trusted third party
     - Allows evaluation of any arithmetic or boolean function [VIFF, Fairplay, Sharemind, TASTY]
     - Existing implementations are more and more efficient [SPDZ (Damgård et al. 13), BeDOZa (Bendlin et al. 10), TinyOT (Nielsen et al. 12)]

  9. Motivations II: In practice, it raises issues:
     - Go from 3 clients to 3333 clients?
     - Online infrastructure
     - Clients need to agree on the algorithm to compute the function
     - Still not efficient enough to solve complex functions (NP-hard problems)

  10. Protocol Description
      [Diagram: Client 1, Client 2, ..., Client n post $Com(x_1)$, $Com(x_2)$, ..., $Com(x_n)$ on the Public Bulletin Board]
      $Com(x)$ is a commitment on the value $x$ (e.g. $Com(x) = g^x h^r$).
      - $Com(x)$ is perfectly private (information theory)
      - $Com(x)$ is computationally binding

  11. Protocol Description
      [Diagram: each Client $i$ posts $Com(x_i)$ on the Public Bulletin Board and sends $Enc(x_i)$ to the Worker; the Worker outputs $f(x_1, \cdots, x_n)$ and proof]
      $Com(x)$ is a commitment on the value $x$ (e.g. $Com(x) = g^x h^r$).
      - $Com(x)$ is perfectly private (information theory)
      - $Com(x)$ is computationally binding


  13. Advantages of the model I
      - No communications between the clients
      [Diagram: clients $C_1$ to $C_8$ communicating among themselves, versus clients $C_1$ to $C_8$ around the Worker]

  14. Advantages of the model II
      - No communications between the clients
      - The Worker can use his own sophisticated algorithms without compromising his intellectual property when the verification is not the algorithm itself

  15. Advantages of the model II
      - No communications between the clients
      - The Worker can use his own sophisticated algorithms without compromising his intellectual property when the verification is not the algorithm itself
      - Gain in complexity when the proof is simpler to compute than the function itself

  16. A word on Encryption-Commitment
      - Commitment Consistent Encryption (CCEnc), proposed at ESORICS 13 (Cuvelier, Pereira & Peters)
      - CCEnc = (Gen, Enc, Dec, DerivCom, Open, Verify)
      - Ensures consistency between the commitment and the encryption!

  17. Efficient implementation over Elliptic Curve I
      - $G_1$, $G_2$, $G_T$: different groups of the same prime order $q$
      - A bilinear map $e : G_1 \times G_2 \to G_T$; for $g \in G_1$, $h \in G_2$, $e(g, h) \in G_T$:
        $e(g^a, h) = e(g, h)^a$ and $e(g, h^b) = e(g, h)^b$
      - In our case: $G_1 = E(\mathbb{F}_p)$, $G_2 \subset E'(\mathbb{F}_{p^2})$ and $G_T \subset \mathbb{F}_{p^{12}}$, where $E$ is a BN-curve and $E'$ the twisted curve $\sim E$

  18. Efficient implementation over Elliptic Curve II
      - Small $m \in \mathbb{Z}_q$: additively homomorphic encryption & commitment
      - $G_1$: $g$, $g_1$
      - $G_2$: $h$, $h_1 = h^{x_1}$

  19. Efficient implementation over Elliptic Curve II
      - Small $m \in \mathbb{Z}_q$: additively homomorphic encryption & commitment
      - $G_1$: $g$, $g_1$, $d = g^r g_1^m$
      - $G_2$: $h$, $h_1 = h^{x_1}$

  20. Efficient implementation over Elliptic Curve II
      - Small $m \in \mathbb{Z}_q$: additively homomorphic encryption & commitment
      - $G_1$: $g$, $g_1$, $d = g^r g_1^m$
      - $G_2$: $h$, $h_1 = h^{x_1}$, $c_1 = h^s$, $c_2 = h^r h_1^s$

  21. Efficient implementation over Elliptic Curve II
      - Small $m \in \mathbb{Z}_q$: additively homomorphic encryption & commitment
      - $G_1$: $g$, $g_1$, $d = g^r g_1^m$
      - $G_2$: $h$, $h_1 = h^{x_1}$, $c_1 = h^s$, $c_2 = h^r h_1^s$
      - $\mathrm{Dec}_{sk}(c)$: DLog of $e(g, c_1^{x_1} / c_2) \cdot e(d, h) = e(g_1, h)^m$
      - $\mathrm{Open}_{sk}(c)$: $a = c_2 / c_1^{x_1}$
      - $\mathrm{Verif}_{pk}(d, m, a)$: $e(g, a) \stackrel{?}{=} e(d / g_1^m, h)$
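
Why Open, Verif and Dec on this slide fit together, worked through with the slide's own symbols (an added derivation, not part of the original deck). It reads $d$ as the commitment and $(c_1, c_2)$ as the ciphertext, and uses only $h_1 = h^{x_1}$ and the bilinearity of $e$:

$$
\begin{aligned}
a &= c_2 / c_1^{x_1} = h^r h_1^s / h^{s x_1} = h^r \\
e(g, a) &= e(g, h)^r = e(g^r, h) = e(d / g_1^m, h) \\
e(g, c_1^{x_1} / c_2) \cdot e(d, h) &= e(g, h)^{-r} \cdot e(g, h)^{r} \cdot e(g_1, h)^m = e(g_1, h)^m \\
d \cdot d' &= g^{r + r'} g_1^{m + m'}
\end{aligned}
$$

The opening $a = h^r$ reveals the commitment randomness only in the exponent, the verification equation holds exactly when $d$ commits to $m$ with that randomness, and decryption recovers $m$ as a discrete logarithm in base $e(g_1, h)$, which is feasible because $m$ is small. The last line is the additive homomorphism of the commitment.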

  22. A word on the proof
      The Proof of correctness is an aggregation of proofs on intermediate assumptions
      - performed on the commitment space
      - the proofs are Zero-Knowledge Proofs of Knowledge (ZKPK) that are rendered Non-Interactive
      - ZKPK needed for multiplication and for range proof
      - efficient in our elliptic-curve-based setting

  23. A word on the proof - multiplication proof
      From Damgård & Fujisaki 02: given $Com_1 = g^{r_1} g_1^{x_1}$, $Com_2 = g^{r_2} g_1^{x_2}$, $Com_3 = g^{r_3} g_1^{x_3}$, we prove in NIZK that $x_3 = x_1 x_2$
      1. Prove the knowledge of the openings of $Com_1$, $Com_2$, $Com_3$
      2. Prove that $Com_3$ commits on the same value as $Com_2$ using base $Com_1$
      - online verification
      - offline verification by using a precomputed multiplicative triplet [SPDZ]

  24. A word on the proof - range proof
      For $Com(x) = g^r g_1^x$ we prove in NIZK that $x \in [0, L[$, $L \le 2^{16}$
      - needed for branching operators ($<$)
      - based on signature-pairing (Camenisch et al. 08)
      - amortized cost for small $L$
      - trusted setup
      - precomputation
      - based on binary decomposition $L = 2^{k+1}$ and ZKPK$_{0,1}$
      - cost linear in $k$

  25. A word on the proof - complexity
      - M: 1 scalar multiplication over EC
      - M$_p$: 1 scalar multiplication over EC with precomputation, ≈ 1/5 M
      - A: 1 addition over EC
      - U: 1 integer in $\mathbb{Z}_q$

      | | Computation | Verification | Size |
      |---|---|---|---|
      | Commitment | 2M$_p$ + 1A | 2M$_p$ + 1A | 2U |
      | ZKPK$_{0,1}$ | 4M$_p$ + 2A | 2M + 3M$_p$ + 3A | 4U |
      | ZKPK$_{dLog}$ | 4M$_p$ + 2A | 2M + 4M$_p$ + 4A | 4U |
      | ZKPK$_{consist}$ | 8M$_p$ + 3A | 8M$_p$ + 3A | 4U |
      | ZKPK$_{mul}$ | 6M$_p$ + 3A | 4M + 5M$_p$ + 6A | 6U |
      | ZKPK$_{range}$ ($2^{k+1}$) | 6$k$M$_p$ + 3$k$A | (3$k$ − 1)M + 3$k$M$_p$ + (4$k$ − 1)A | 6$k$U |
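
The binary-decomposition range proof from slide 24, as an added example that is not code from the deck or its authors. Assumptions: a toy multiplicative group modulo a small safe prime stands in for the BN curve, the ZKPK$_{0,1}$ building block is realised as a standard Fiat-Shamir OR-proof (the slides do not say how it is built), and `k` here is the number of bits, so the proved range is $[0, 2^k)$.

```python
import hashlib, math, secrets

# Constructed toy parameters (assumption): safe prime P = 2Q + 1, with G and G1
# in the order-Q subgroup. Far too small for real use; log_G(G1) must be unknown.
P, Q, G, G1 = 2039, 1019, 4, 9

def commit(x, r):
    """Com(x) = G^r * G1^x mod P (perfectly hiding, computationally binding)."""
    return pow(G, r, P) * pow(G1, x, P) % P

def challenge(*vals):
    """Fiat-Shamir: hash the transcript into a challenge in Z_Q."""
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big") % Q

def branches(c):
    """y[i] = c / G1^i, which equals G^r exactly when c commits to bit i."""
    return [c, c * pow(G1, -1, P) % P]

def prove_bit(c, b, r):
    """OR-proof that c = commit(b, r) hides 0 or 1; returns (e0, e1, z0, z1)."""
    y, e, z, a = branches(c), [0, 0], [0, 0], [0, 0]
    f = 1 - b                                   # the false branch: simulate it
    e[f], z[f] = secrets.randbelow(Q), secrets.randbelow(Q)
    a[f] = pow(G, z[f], P) * pow(y[f], -e[f], P) % P
    w = secrets.randbelow(Q)                    # honest Schnorr proof on branch b
    a[b] = pow(G, w, P)
    e[b] = (challenge(c, a[0], a[1]) - e[f]) % Q
    z[b] = (w + e[b] * r) % Q
    return e[0], e[1], z[0], z[1]

def verify_bit(c, proof):
    (e0, e1, z0, z1), (y0, y1) = proof, branches(c)
    a0 = pow(G, z0, P) * pow(y0, -e0, P) % P
    a1 = pow(G, z1, P) * pow(y1, -e1, P) % P
    return (e0 + e1) % Q == challenge(c, a0, a1)

def prove_range(x, r, k):
    """Bit commitments and bit proofs showing commit(x, r) hides x in [0, 2^k)."""
    bits = [(x >> i) & 1 for i in range(k)]
    rs = [secrets.randbelow(Q) for _ in range(k - 1)]
    # Fix the last randomness so that sum(rs[i] * 2^i) = r (mod Q).
    rs.append((r - sum(ri << i for i, ri in enumerate(rs))) * pow(1 << (k - 1), -1, Q) % Q)
    cs = [commit(b, ri) for b, ri in zip(bits, rs)]
    return cs, [prove_bit(c, b, ri) for c, b, ri in zip(cs, bits, rs)]

def verify_range(c, cs, proofs):
    """Accept iff prod(cs[i]^(2^i)) == c and every cs[i] provably hides a bit."""
    prod = math.prod(pow(ci, 1 << i, P) for i, ci in enumerate(cs)) % P
    return prod == c and all(verify_bit(ci, pf) for ci, pf in zip(cs, proofs))
```

The verifier never sees `x` or `r`: it recombines the bit commitments homomorphically and checks one OR-proof per bit, which is why the cost grows linearly in the number of bits.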

  26. 1st application: Auctions
      [Diagram: the Clients post $Com(x_1)$, $Com(x_2)$, $Com(x_3)$, ..., $Com(x_n)$ on the Bulletin Board; the Worker holds $x_1$, $x_2$, $x_3$, ..., $x_n$]

  27. 1st application: Auctions
      [Diagram: the Clients post $Com(x_1)$, $Com(x_2)$, $Com(x_3)$, ..., $Com(x_n)$ on the Bulletin Board; the Worker holds $x_1$, $x_2$, $x_3$, ..., $x_n$ and applies optimal sorting, $O(n \log n)$, giving $x_3$, $x_7$, $x_1$, $x_{10}$, ...]

  28. 1st application: Auctions
      [Diagram: the Clients post $Com(x_1)$, $Com(x_2)$, $Com(x_3)$, ..., $Com(x_n)$ on the Bulletin Board; the Worker holds $x_1$, $x_2$, $x_3$, ..., $x_n$ and applies optimal sorting, $O(n \log n)$, giving $x_3$, $x_7$, $x_1$, $x_{10}$, ...; the commitments are shown in the same order: $Com(x_3)$, $Com(x_7)$, $Com(x_1)$, ..., $Com(x_{10})$]
