Non-Cryptographic Fault-Tolerant Distributed Computation Marek - - PowerPoint PPT Presentation

SLIDE 1

Introduction t-privacy Tools t-resilience Advanced

Non-Cryptographic Fault-Tolerant Distributed Computation

Marek Hamerlik December 6, 2007

Marek Hamerlik Non-Cryptographic Fault-Tolerant Distributed Computation

SLIDE 2

Introduction t-privacy Tools t-resilience Advanced Abstract Two approaches Assumptions

Completeness Theorems

Every function of n inputs can be efficiently computed by a complete network of n processors in such a way that:
  • If no faults occur, no set of size t < n/2 of players gets any additional information (other than the function value),
  • Even if Byzantine faults are allowed, no set of size t < n/3 can either disrupt computation or get additional information.
Above bounds are tight!

SLIDE 4

Cryptographic approach

  • one-way functions
  • zero-knowledge proofs
  • participants computationally bounded
  • if no faults occur, no subset of the players can compute any additional information
  • if Byzantine faults are allowed, no set of size t < n/2 can either disrupt computation or compute additional information

SLIDE 6

Non-Cryptographic approach

  • secure channels
  • participants computationally unbounded
  • stronger notion of privacy - some things cannot be computed at all, not only in some time limit!
  • if no faults occur, no set of size t < n/2 can compute any additional information
  • if Byzantine faults are allowed, no set of size t < n/3 can either disrupt computation or compute additional information

SLIDE 7

Remarks

  • one-way functions are “more powerful” than secure channels
  • no bound on computational power is used only to allow:
      • the most stringent definition of privacy
      • the most liberal definition of faultiness
  • protocol requires only polynomial amount of work from players

SLIDE 8

Model of computations

  • complete synchronous network of n processors
  • secure pairwise communication channels between players
  • in one round:
      • arbitrary amount of local computation
      • send a message to each of the players
      • read all messages that were sent in that round

SLIDE 9

What are we computing?

  • some fixed finite field E, where |E| > n
  • function F is a polynomial over E (inputs and outputs from E)
  • computation of function F from n inputs to n outputs
  • player i holds the i-th input and should obtain the i-th output
  • we are given some arithmetic circuit computing F using addition and multiplication, and constants from E.

SLIDE 10

Faults

  • “Gossip” and “Byzantine” faults
  • A protocol is t-private if any set of at most t players cannot compute after the protocol more than they could jointly compute solely from their set of private inputs and outputs
  • A protocol is t-resilient if no set of t or fewer players can influence the correctness of the outputs of the remaining players.
  • The function definition should specify what it is if some players neglect to give their inputs or are caught cheating.

SLIDE 11

Introduction t-privacy Tools t-resilience Advanced Shamir’s secret sharing scheme Three stages proof Computation stage Completeness

What does it give?

  • sharing a secret among n participants
  • divide secret into parts
  • give each participant unique part
  • k parts (k ≤ n) are needed to reconstruct the secret

SLIDE 12

How does it work?

  • d + 1 points define polynomial of degree d
  • tunable k and n parameters

SLIDE 13

Sharing secret s

  • choose at random k − 1 coefficients $a_1, \dots, a_{k-1}$ and let $a_0 = s$
  • build polynomial $f(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{k-1} x^{k-1}$
  • choose any n distinct points of it (except for 0)
  • send pairs argument-value to n participants

SLIDE 14

Gathering

  • gather at least k shares
  • find coefficients by interpolation
  • evaluate $a_0$ (= s)

SLIDE 17

Dividing the computation

  • Stage I: Input stage. Each player enters its input using Shamir’s secret sharing procedure.
  • Stage II: Computation stage. Players simulate circuit computing F, gate by gate, keeping the value computed by each gate as a secret shared by everyone.
  • Stage III: Final stage. Secret shares of the final value are revealed to one or all of the players.
Stages I and III very simple.

SLIDE 18

The input stage

  • Each player introduces its input s using Shamir’s secret sharing procedure.
  • Value of the input is completely independent from the shares $s_i$ that are given to any set of t players.

SLIDE 19

The final stage

  • during the whole computation each gate output s will be shared among all players using some random polynomial f of degree t with f(0) = s
  • in particular at the end of computation we will have output of function F shared among all players
  • to get the result we gather it as in Shamir’s secret sharing procedure

SLIDE 20

The final stage - no additional information

  • there is a one-to-one correspondence between polynomial coefficients and the set of all shares
  • all coefficients of f, except for its free coefficient, are uniform random variables
  • all the shares together contain no information about the inputs that does not follow from f(0)

SLIDE 21

How do we compute?

Let a, b be two secrets shared with polynomials f(x), g(x) respectively, and let $c \in E$, $c \neq 0$ be some constant.
possible operations:
  • $c \cdot a$
  • $a + b$
  • $a \cdot b$

SLIDE 22

Linear operations

  • $h(x) = c \cdot f(x)$ encodes $c \cdot a$
  • $h(x) = f(x) + g(x)$ encodes $a + b$
  • no communication necessary:
      • $h(\alpha_i) = c \cdot f(\alpha_i)$
      • $h(\alpha_i) = f(\alpha_i) + g(\alpha_i)$

SLIDE 23

Linear operations - conclusions

  • Every linear functional $F(x_0, \dots, x_{n-1}) = a_0 x_0 + \dots + a_{n-1} x_{n-1}$ can be computed t-privately, where $P_i$ has input $x_i$ and $a_i$ are known constants.
  • For every constant $n \times n$ matrix M and input variables vector X we can compute t-privately $Y = X \cdot M$

SLIDE 24

Multiplication

  • free coefficient of $h(x) = f(x) \cdot g(x)$ is $a \cdot b$
  • degree of h(x) is 2t instead of t
  • assumption n ≥ 2t + 1
  • in further multiplications possibly too high degree to interpolate - need to decrease the degree
  • h(x) is not totally random (for example it’s a product of two polynomials and cannot be irreducible) - need to randomize

SLIDE 25

Degree reduction

  • $h(x) = h_0 + h_1 x + \dots + h_{2t} x^{2t}$
  • $s_i = h(\alpha_i) = f(\alpha_i) g(\alpha_i)$
  • truncation of h(x) is $k(x) = h_0 + h_1 x + \dots + h_t x^t$
  • $r_i = k(\alpha_i)$
  • $S = (s_0, \dots, s_{n-1})$ and $R = (r_0, \dots, r_{n-1})$
  • there is a constant $n \times n$ matrix A s.t. $R = S \cdot A$

SLIDE 28

Matrix computation

  • let H be the n-vector $H = (h_0, \dots, h_{2t}, 0, \dots, 0)$
  • let K be the n-vector $K = (h_0, \dots, h_t, 0, \dots, 0)$
  • let $B = (b_{i,j})$ be the $n \times n$ Vandermonde matrix, where $b_{i,j} = \alpha_j^i$
  • let P be the linear projection (matrix) $P(x_0, \dots, x_{n-1}) = (x_0, \dots, x_t, 0, \dots, 0)$
  • then $H \cdot B = S$, $H \cdot P = K$ and $K \cdot B = R$
  • B is invertible (because the $\alpha_i$ are distinct)
  • $S \cdot (B^{-1} \cdot P \cdot B) = R$
  • then $A = B^{-1} \cdot P \cdot B$ is a constant matrix

SLIDE 29

Randomization

  • each player selects a random polynomial $q_i(x)$ of degree 2t and free coefficient zero, and distributes it among the players
  • instead of using h(x) in our reduction we use $h'(x) = h(x) + \sum_{j=0}^{n-1} q_j(x)$
  • $h'(0) = h(0)$ but other coefficients of $h'(x)$ are completely random
  • each player can evaluate his point $s'_i = h'(\alpha_i)$

SLIDE 30

Multiplication - summary

Multiplying shares, applying randomization and then degree reduction we get polynomial $k'(x)$ which satisfies
  • $\deg k'(x) = t$
  • $k'(0) = a \cdot b$
  • $k'(x)$ is properly shared among all the players
  • each player can evaluate his point $s'_i = h'(\alpha_i)$
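
The multiplication gate summarised above (local product, randomization, degree reduction with $A = B^{-1} \cdot P \cdot B$), as an added Python example that is not part of the original slides. The field GF(101), n = 5, t = 2, the points $\alpha_i$ = 1..5 and all function names are assumptions chosen for illustration; R = S·A is evaluated with the sub-sharing that the linear-operations slide allows.

```python
import random

P = 101                      # assumed prime, so E = GF(101) and |E| > n
N, T = 5, 2                  # n >= 2t + 1 players, privacy threshold t
ALPHAS = [1, 2, 3, 4, 5]     # distinct non-zero points alpha_i (assumed)

def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):           # Horner's rule over GF(P)
        acc = (acc * x + c) % P
    return acc

def share(secret, degree=T, rng=random):
    """Deal the shares f(alpha_i) of a random f of the given degree with f(0) = secret."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(degree)]
    return [poly_eval(coeffs, a) for a in ALPHAS]

def reconstruct(shares, players):
    """Lagrange-interpolate f(0) from the shares held by the given player indices."""
    total = 0
    for i in players:
        num = den = 1
        for j in players:
            if i != j:
                num = num * -ALPHAS[j] % P
                den = den * (ALPHAS[i] - ALPHAS[j]) % P
        total = (total + shares[i] * num * pow(den, P - 2, P)) % P
    return total

def mat_mul(X, Y):
    return [[sum(x * y for x, y in zip(row, col)) % P for col in zip(*Y)] for row in X]

def mat_inv(M):
    """Gauss-Jordan inversion over GF(P)."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next(r for r in range(c, n) if aug[r][c])
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], P - 2, P)
        aug[c] = [v * inv % P for v in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(v - f * w) % P for v, w in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def reduction_matrix():
    """A = B^-1 * P * B with b[i][j] = alpha_j^i and P the projection onto x_0..x_t."""
    B = [[pow(a, i, P) for a in ALPHAS] for i in range(N)]
    proj = [[int(i == j and i <= T) for j in range(N)] for i in range(N)]
    return mat_mul(mat_mul(mat_inv(B), proj), B)

def multiply(a_shares, b_shares, rng=random):
    """One multiplication gate: returns degree-t shares of a*b."""
    s = [x * y % P for x, y in zip(a_shares, b_shares)]   # points on h = f*g, degree 2t
    for _ in range(N):                                    # every player deals q_j with q_j(0) = 0
        q = share(0, degree=2 * T, rng=rng)
        s = [(si + qi) % P for si, qi in zip(s, q)]       # now points on h'
    A = reduction_matrix()
    # R = S * A is linear in S, so no s_i is ever revealed:
    # player i re-shares s_i with degree t (sub[i][k] goes to player k),
    sub = [share(si, rng=rng) for si in s]
    r = []
    for j in range(N):
        # player k combines its sub-shares locally and sends the result to player j,
        to_j = [sum(A[i][j] * sub[i][k] for i in range(N)) % P for k in range(N)]
        # and player j interpolates r_j, its share on the truncated polynomial k'.
        r.append(reconstruct(to_j, range(N)))
    return r

if __name__ == "__main__":
    fa, fb = share(17), share(23)
    print(reconstruct(multiply(fa, fb), [0, 1, 2]), 17 * 23 % P)
```

Any t + 1 of the returned shares open to a·b, whereas the raw products of shares need all 2t + 1 points.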

SLIDE 31

Completeness

There are functions for which there is no n/2-private protocol. For example, computation of the OR function for two players must leak some information.

SLIDE 32

Introduction t-privacy Tools t-resilience Advanced Coding theory Sharing secrets with cheaters Verifying a secret Verifying that c=a*b

Definition

  • branch of mathematics and computer science dealing with the error-prone process of transmitting data across noisy channels... so that a large number of errors that occur can be corrected
  • There are lots of ways of doing it (called codes).
  • We will use Generalized BCH Code (explicitly Generalized Reed-Muller Code).

SLIDE 33

Error correction in BCH codes

  • BCH codes use field theory and polynomials over finite fields, so we can represent vectors of finite field elements used in our model.
  • Received vector consists of proper vector and errors (R(X) = F(X) + E(X)).
  • We employ redundancy to detect and correct these errors.
  • For Generalized Reed-Muller Code we can correct $\frac{1}{2} \deg g$ (code generating polynomial) errors. In our case it is t errors.

SLIDE 34

Assumptions and Goals

Assumptions
  • n ≥ 3t + 1
  • let E be a finite field with a primitive n-th root of unity, $\omega \in E$, $\omega^n = 1$ and for all $1 < j < n$, $\omega^j \neq 1$
  • without loss of generality we can assume that our secret is in E
Goals
  • Any set of at most t players does not have any information about the secret.
  • It is easy to compute the secret from all its shares even if up to t pieces are wrong or missing

SLIDE 35

Sharing

  • Shamir’s secret sharing scheme with $\omega^i$ points taken instead of just distinct $\alpha_i$
  • $f(x) = a_0 + \dots + a_t x^t$
  • share of $P_i$ is $s_i = f(\omega^i)$

SLIDE 36

Properties

  • setting $a_i = 0$ for i > t makes our secret shares the Discrete Fourier Transform of the sequence $(a_0, \dots, a_{n-1})$
  • the polynomial $g(x) = \prod_{i=t+1}^{n-1} (x - \omega^{-i})$ is then generator for the code
  • by our choice of g(x) this code is Generalized Reed-Muller Code, so we can correct up to $\frac{1}{2} \deg g(x) = t$ errors in shares

SLIDE 37

Set up

  • before entering shared input to computation we want to check if the shares we are holding are shares of some real secret or n random numbers
  • without revealing any information on secret or its shares

SLIDE 38

Protocol - 1st step (sharing)

Verification of $P_0$’s secret
  • dealer selects random polynomial f(x, y) of degree t in both variables x and y, with restriction f(0, 0) = s, his secret
  • he sends polynomials $f_i(x) = f(x, \omega^i)$ and $g_i(y) = f(\omega^i, y)$ to player $P_i$ (the real share is $s_i = f_i(0)$)

SLIDE 39

Protocol - 2nd step (verifying players’ data)

  • each $P_i$ sends $s_{i,j} = f_i(\omega^j) = f(\omega^i, \omega^j) = g_j(\omega^i)$ to each player $P_j$
  • each player $P_j$ compares received values to the values he can compute using his polynomial $g_j(y)$

SLIDE 40

Protocol - 3rd step (publishing errors)

  • each player $P_j$ broadcasts request to make the coordinates (i, j) he had to correct public
  • if $P_j$ detects more than t errors or had to correct his own value then dealer is faulty and player broadcasts request to make $f_j(x)$ and $g_j(y)$ public
  • making $f_i(x)$ and $g_j(y)$ public makes all $s_{k,j}$ and $s_{j,k}$ for 0 ≤ k < n public
  • dealer broadcasts all requested points $s_{i,j}$ and polynomials

SLIDE 41

Protocol - 4th step (verifying public data)

  • if some player $P_i$ observes that some new public $s_{i,j}$ contradicts the polynomials he is holding or it contradicts itself he broadcasts request to make $f_i(x)$ and $g_i(y)$ public
  • finally, if t + 1 or more players have asked to make their information public, the dealer is faulty
  • if t or fewer players have complained then there are at least t + 1 good players that are satisfied that define polynomial; in this case complaining players take public information as their share
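
Steps 1 to 3 of the verification protocol above, simulated in one process as an added Python example (not from the original slides). GF(29) with ω = 16, n = 7, t = 2 and all function names are assumptions; a faulty dealer is modelled by a constructed change to one polynomial a player receives.

```python
import random

P, N, T = 29, 7, 2                 # assumed field GF(29); n = 3t + 1
OMEGA = 16                         # a primitive 7th root of unity mod 29
PTS = [pow(OMEGA, i, P) for i in range(N)]
PUBLISH = "publish f_j and g_j"    # request made when P_j concludes the dealer is faulty

def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):     # Horner's rule over GF(P)
        acc = (acc * x + c) % P
    return acc

def deal(secret, rng):
    """Step 1. c[a][b] is the coefficient of x^a y^b in f(x, y), with f(0, 0) = secret.
    Returns, for every P_i, the pair (f_i, g_i) as coefficient lists, where
    f_i(x) = f(x, w^i) and g_i(y) = f(w^i, y)."""
    c = [[rng.randrange(P) for _ in range(T + 1)] for _ in range(T + 1)]
    c[0][0] = secret % P
    views = []
    for w in PTS:
        f_i = [poly_eval(c[a], w) for a in range(T + 1)]
        g_i = [poly_eval([c[a][b] for a in range(T + 1)], w) for b in range(T + 1)]
        views.append((f_i, g_i))
    return views

def cross_check(views):
    """Step 2. P_i sends f_i(w^j) to P_j, who compares it with g_j(w^i).
    Returns {j: [i, ...]}: for each P_j, the senders whose value did not match."""
    bad = {}
    for j, (_, g_j) in enumerate(views):
        wrong = [i for i, (f_i, _) in enumerate(views)
                 if poly_eval(f_i, PTS[j]) != poly_eval(g_j, PTS[i])]
        if wrong:
            bad[j] = wrong
    return bad

def requests(bad):
    """Step 3. What each P_j broadcasts: the coordinates (i, j) it had to correct,
    or PUBLISH if it saw more than t errors or had to correct its own value."""
    out = {}
    for j, wrong in bad.items():
        if len(wrong) > T or j in wrong:
            out[j] = PUBLISH
        else:
            out[j] = [(i, j) for i in wrong]
    return out

if __name__ == "__main__":
    views = deal(12, random.Random(1))
    print(requests(cross_check(views)))            # honest dealer: nothing to request
    f3, g3 = views[3]
    views[3] = ([(f3[0] + 1) % P] + f3[1:], g3)    # constructed fault: P_3 got a wrong f_3
    print(requests(cross_check(views)))
```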

SLIDE 42

Correctness

if the dealer is honest, no good player needs to correct a value coming from another good player, and therefore there is a polynomial of degree t that passes through the points of good players

SLIDE 43

Privacy

  • if the dealer has distributed a correct secret then no piece of information of any good player is revealed
  • if the dealer was bad we don’t need to worry about secrecy of the shares

SLIDE 44

What do we want to achieve?

  • P distributes a and b using the polynomials A(x) and B(x) respectively
  • we want P to distribute random polynomial encoding C(x) of $c = a \cdot b$ in such a way that players can all verify that indeed $c = a \cdot b$

SLIDE 45

Auxiliary polynomials

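let us define
  • $D(x) = A(x) \cdot B(x) = c + c_1 x + \dots + c_{2t} x^{2t}$
  • $D_t(x) = r_{t,0} + r_{t,1} x + \dots + r_{t,t-1} x^{t-1} + c_{2t} x^t$
  • $D_{t-1}(x) = r_{t-1,0} + r_{t-1,1} x + \dots + r_{t-1,t-1} x^{t-1} + (c_{2t-1} - r_{t,t-1}) x^t$
  • ...
  • $D_1(x) = r_{1,0} + r_{1,1} x + \dots + r_{1,t-1} x^{t-1} + (c_{t+1} - r_{t,1} - r_{t-1,2} - \dots - r_{2,t-1}) x^t$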

SLIDE 46

Protocol

  • P sends proper points (shares) on A(x), B(x) and $D_i(x)$
  • after verifying that all of them are of degree t, define $C(x) = D(x) - \sum_{i=1}^{t} x^i \cdot D_i(x)$ and verify that it is also of degree t
  • from construction we know that C(x) is random polynomial of degree t with restriction that $C(0) = a \cdot b$
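
The construction of $D_t, \dots, D_1$ and C(x) above, carried through as an added Python example (not from the original slides). GF(101), t = 2, the sample polynomials and the function names are assumptions.

```python
import random

P, T = 101, 2          # assumed field GF(101) and threshold t

def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def poly_mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % P
    return out

def auxiliary(A, B, rng):
    """Dealer side. Returns D = A*B and {i: D_i} for i = t, ..., 1.
    The low coefficients r[i][0..t-1] of D_i are random; its x^t coefficient is
    forced to c_{t+i} - sum_{j > i} r[j][t+i-j], exactly as on the slide."""
    D = poly_mul(A, B)                                   # c + c_1 x + ... + c_2t x^2t
    Ds = {}
    for i in range(T, 0, -1):
        low = [rng.randrange(P) for _ in range(T)]
        top = (D[T + i] - sum(Ds[j][T + i - j] for j in range(i + 1, T + 1))) % P
        Ds[i] = low + [top]
    return D, Ds

def c_poly(D, Ds):
    """Coefficients of C(x) = D(x) - sum_i x^i * D_i(x); entries above x^t come out zero."""
    C = list(D)
    for i, Di in Ds.items():
        for k, v in enumerate(Di):
            C[i + k] = (C[i + k] - v) % P
    return C

def player_point(alpha, a_pt, b_pt, d_pts):
    """Player side: its point on C from its own points on A, B and the D_i only."""
    return (a_pt * b_pt - sum(pow(alpha, i, P) * d for i, d in d_pts.items())) % P

if __name__ == "__main__":
    A, B = [6, 10, 3], [9, 4, 8]                         # constructed: a = 6, b = 9
    D, Ds = auxiliary(A, B, random.Random(5))
    print(c_poly(D, Ds))                                 # last t entries are 0, first is a*b
```

Each player obtains its share of C without interaction, so the only thing left to verify is that the points on C lie on a polynomial of degree t.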

SLIDE 47

Introduction t-privacy Tools t-resilience Advanced Three stages proof Computation stage Completeness Summary

The input stage

the same as in t-privacy but we verify each secret introduced to the system with Shamir’s secret sharing scheme

SLIDE 48

The final stage

the same as in t-privacy but at most t pieces are wrong so each player can use error correcting procedure to recover the result

SLIDE 49

Linear operations

  • let a and b be “properly encoded” (all pieces of good players are on some polynomial of degree t) by f(x) and g(x) respectively
  • then $f(x) + g(x)$ and $c \cdot f(x)$ properly encode $a + b$ and $c \cdot a$ respectively
  • similar to t-privacy

SLIDE 50

Multiplication - idea

  • similar to t-privacy (using degree reduction)
  • we need to be sure each player uses as its input to this procedure its correct point on the product polynomial h(x) = f(x)g(x)

SLIDE 51

Sharing the shares

  • let $a_i = f(\omega^i)$, $b_i = g(\omega^i)$, $c_i = h(\omega^i) = a_i \cdot b_i$
  • each $P_i$ shares $a_i$, $b_i$ and $c_i$ using polynomials $A_i(x)$, $B_i(x)$ and $C_i(x)$ respectively
  • we verify that $A_i(x)$, $B_i(x)$ and $C_i(x)$ are of degree t and that $C_i(0) = A_i(0) B_i(0)$ using the technique shown
  • to show that free coefficients of $C_i(x)$ are all points on the product polynomial h(x) it is enough to show that free coefficients of $A_i(x)$ and $B_i(x)$ are points on the polynomials f(x) and g(x) respectively

SLIDE 52

Verifying free coefficient

thanks to specific structure of our shares (Reed-Muller Code) we can:
  • blind our shares
  • check which of them are wrong
  • reveal and correct only wrong ones
  • use for them constant polynomial with corrected value instead of $A_i(x)$

SLIDE 53

Byzantine Agreement

  • consensus problem
  • each player has input and output
  • they must agree on some output
  • properties
      • termination
      • agreement - all good players agree on one value
      • validity - if all inputs v then output also v

SLIDE 54

Completeness

There are functions for which there is no n/3-resilient protocol. This follows from lower bound for Byzantine Agreement.

SLIDE 55

Questions?

SLIDE 56

Thank you!

SLIDE 57

Introduction t-privacy Tools t-resilience Advanced t-privacy Coding Theory Correcting errors in shares Zero-knowledge secret verification Generating polynomials

The input stage - extended

Each player introduces its input s using Shamir’s secret sharing procedure.
  • select t random elements $a_i \in E$, for i = 1, ..., t
  • select n distinct points $\alpha_i \in E$, for i = 1, ..., n
  • set $f(x) = s + a_1 x + \dots + a_t x^t$
  • to each player $P_i$ send value $s_i = f(\alpha_i)$
  • $(s_0, \dots, s_{n-1})$ is a sequence of t-wise independent random variables uniformly distributed over E
  • value of the input is completely independent from the shares $s_i$ that are given to any set of t players

SLIDE 58

Complexity remarks

  • complexity of computing F t-privately is bounded by a polynomial (in n) factor times the complexity of computing F
  • if F can be computed by an arithmetic circuit over some field using unbounded linear fan-in operation and bounded fan-in multiplication, in depth d, then F can be computed t-privately in O(d) rounds of exchange of information
  • if t << n then players can simulate many steps of the computation before degrees come close to n, doing so without communication.

SLIDE 59

BCH codes

  • They use field theory and polynomials over finite fields.
  • To obtain a code over the finite field $GF(q^m)$ its elements are represented as polynomials over the ground field GF(q) modulo some irreducible polynomial.
  • Then a generator polynomial g is chosen.
  • The code words are those polynomials that are the multiples of the generator polynomial.
  • For Generalized Reed-Muller Code we can correct $\frac{1}{2} \deg g$ errors.

SLIDE 60

Error-correction procedure

  • Original vector F(X)
  • Received vector R(X) = F(X) + E(X)
  • Calculate the 2t syndrome values for the received vector R (given by parity check calculations)
  • Calculate the error locator polynomials (determine number of linearly independent equations = v < t)
  • Calculate the (v) roots of the polynomial, to get error location positions.
  • If non-binary BCH, calculate the error values at these error locations.

SLIDE 61

Properties

  • setting $a_i = 0$ for i > t makes our secret shares the Discrete Fourier Transform of the sequence $(a_0, \dots, a_{n-1})$
  • let $f'(x) = s_0 + \dots + s_{n-1} x^{n-1}$
  • the inverse transform formula is $a_i = \frac{1}{n} f'(\omega^{-i})$
  • in particular $f'(\omega^{-i}) = 0$ for i = t + 1, ..., n − 1
  • $s_i$ satisfy the linear equations $\sum_{i=0}^{n-1} \omega^{ri} s_i = 0$ for r = 1, ..., 2t
  • the polynomial $g(x) = \prod_{i=t+1}^{n-1} (x - \omega^{-i})$ divides the polynomial $f'(x)$

SLIDE 62

Error correction

  • in the language of Error Correcting Codes, vector $s = (s_0, \dots, s_{n-1})$ is a codeword in the Cyclic Code of length n generated by g(x)
  • by our choice of g(x) this code is Generalized Reed-Muller Code
  • therefore it has simple error correction procedure to correct $\frac{1}{2} \deg g(x) = t$ errors
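
The syndrome equations and the error-correction steps from the last three slides, as an added Python example that is not part of the original slides. It assumes GF(29), n = 7, ω = 16, and is specialised to t = 2, where the error locator can be solved in closed form (Peterson's method) rather than with a general BCH decoder; all function names are hypothetical.

```python
P, N, T = 29, 7, 2                 # assumed field GF(29); n = 3t + 1
OMEGA = 16                         # a primitive 7th root of unity mod 29
PTS = [pow(OMEGA, i, P) for i in range(N)]

def inv(x):
    return pow(x % P, P - 2, P)

def deal_shares(coeffs):
    """Shares s_i = f(w^i) of f(x) = a_0 + ... + a_t x^t (coefficient list)."""
    return [sum(a * pow(w, k, P) for k, a in enumerate(coeffs)) % P for w in PTS]

def secret_from(shares):
    """Inverse transform at index 0: a_0 = (1/n) * sum_i s_i."""
    return sum(shares) * inv(N) % P

def syndromes(shares):
    """S_r = sum_i w^(r i) s_i for r = 1..2t; all zero on correct shares."""
    return [sum(pow(OMEGA, r * i, P) * s for i, s in enumerate(shares)) % P
            for r in range(1, 2 * T + 1)]

def correct(shares):
    """Locate and remove up to t = 2 errors. Returns (fixed_shares, {position: error})."""
    S1, S2, S3, S4 = syndromes(shares)
    if not any((S1, S2, S3, S4)):
        return list(shares), {}
    det = (S2 * S2 - S1 * S3) % P
    if det == 0:
        # one error e at position p: S_r = e * X^r with X = w^p
        locs = [S2 * inv(S1) % P]
    else:
        # two errors: X1, X2 are the roots of the locator z^2 - sig1 z + sig2
        sig1 = (S2 * S3 - S1 * S4) * inv(det) % P
        sig2 = (S3 * S3 - S2 * S4) * inv(det) % P
        locs = [x for x in PTS if (x * x - sig1 * x + sig2) % P == 0]
    if len(locs) != (1 if det == 0 else 2) or any(x not in PTS for x in locs):
        raise ValueError("more than t errors: cannot decode")
    if len(locs) == 1:
        vals = [S1 * inv(locs[0]) % P]
    else:
        X1, X2 = locs
        vals = [(S1 * X2 - S2) * inv(X1 * (X2 - X1)) % P,
                (S1 * X1 - S2) * inv(X2 * (X1 - X2)) % P]
    fixed, errs = list(shares), {}
    for x, e in zip(locs, vals):
        p = PTS.index(x)
        fixed[p] = (fixed[p] - e) % P
        errs[p] = e
    if any(syndromes(fixed)):
        raise ValueError("more than t errors: cannot decode")
    return fixed, errs

if __name__ == "__main__":
    good = deal_shares([5, 11, 7])                 # constructed polynomial, secret 5
    bad = list(good)
    bad[1] = (bad[1] + 9) % P                      # two constructed wrong shares
    bad[4] = (bad[4] + 20) % P
    fixed, errs = correct(bad)
    print(errs, secret_from(fixed))
```

The syndromes of the corrupted vector equal the syndromes of the error vector alone, which is why publishing them says nothing about the correct shares.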

SLIDE 63

Verifying free coefficient of shared shares

  • all the $A_i(x)$ are properly encoded
  • we can compute linear function of them $S_r(x) = \sum_{i=0}^{n-1} \omega^{ri} A_i(x)$ for r = 1, ..., 2t
  • if all $A_i(x)$ are correct (i.e. on polynomial of degree t) then $s_r = 0$
  • computed values of $s_r$ are just function of errors introduced by Byzantine players (does not reveal information of good players)
  • these values are the so-called Syndrome Vector, which is enough to locate and correct errors, compute proper $a_i$ and use constant polynomial with this value instead of $A_i(x)$
  • we do the same for $B_i(x)$ and we are sure of the input to degree reduction procedure

SLIDE 64

Simple verification

Verification of P’s secret
  • let $f_0$ be the original polynomial
  • let $f_1, \dots, f_m$ (where m = 3n) be random polynomials of degree t generated by P
  • in addition to normal share, P sends $f_j(\omega^i)$ to each $P_i$
  • each $P_i$ selects random α and broadcasts it
  • dealer broadcasts set of polynomials (not shares but all coefficients!) $f_\alpha = \sum_{k=0}^{m} \alpha^k f_k$
  • each player $P_i$ checks equations (for all α’s) in point $\omega^i$, if they do not agree he complains
  • if t + 1 complaints then dealer is faulty, take default value for his input and necessary shares

SLIDE 65

Errors correction

  • all polynomials interpolated from shares kept by good players that didn’t complain are of degree t with probability 1 − m2n/|E|
  • we can have 2t errors (t bad players and at most t good (complaining) players with bad values)
  • to correct it we need n ≥ 5t + 1
  • for n = 3t + 1 we need all good players to have good shares
  • dealer must broadcast all data sent to player that complained
  • we repeat the test with other set of α’s
  • each player checks his point and all the points that were made public
  • if t + 1 complaints then dealer is faulty, take default value for his input and necessary shares
  • with high probability all good players are on polynomial of degree t

SLIDE 66

Privacy

  • if the dealer is correct no good player’s values will become public
  • all the polynomials the dealer reveals are completely independent from the polynomial $f_0$

SLIDE 67

Generating polynomials of degree 2t

  • each player distributes t random (including free coefficient) polynomials $g_{i,k}(x)$ of degree t (actually points on these polynomials)
  • this can be verified using presented techniques
  • let $f_i(x) = \sum_{k=1}^{t} x^k g_{i,k}$
  • each player can compute its point on $f_i$ from its points on the $g_{i,k}$’s, which has degree 2t and no free coefficient
  • finally as our random polynomial we take $f(x) = \sum_{i=0}^{n-1} f_i(x)$
