Preprocessing Based Verification of Multiparty Protocols with an - PowerPoint PPT Presentation

Preprocessing Based Verification of Multiparty Protocols with an Honest Majority 20.07.17 Alisa Pankova Roman Jagomägis Peeter Laud 1 / 10

Secure Multiparty Computation 2 / 10

Secure Multiparty Computation 2 / 10

Secure Multiparty Computation 2 / 10

Secure Multiparty Computation 2 / 10

Secure Multiparty Computation ◮ Passive adversary: all parties follow the protocol. 2 / 10

Secure Multiparty Computation ◮ Passive adversary: all parties follow the protocol. ◮ Active adversary: corrupted parties may cheat. 2 / 10

Secure Multiparty Computation ◮ Passive adversary: all parties follow the protocol. ◮ Active adversary: corrupted parties may cheat. 2 / 10

Secure Multiparty Computation ◮ Passive adversary: all parties follow the protocol. ◮ Active adversary: corrupted parties may cheat. 2 / 10

Secure Multiparty Computation ◮ Passive adversary: all parties follow the protocol. ◮ Active adversary: corrupted parties may cheat. 2 / 10

Secure Multiparty Computation ◮ Passive adversary: all parties follow the protocol. ◮ Active adversary: corrupted parties may cheat. ◮ Covert adversary: will not cheat if it will be caught. 2 / 10

Verifiable MPC with Honest Majority ◮ Execution: run the passively secure protocol. 3 / 10

Verifiable MPC with Honest Majority ◮ Execution: run the passively secure protocol. ◮ Verification: each party proves that it followed the protocol. 3 / 10

Verifiable MPC with Honest Majority ◮ Preprocessing: generate correlated randomness. ◮ Execution: run the passively secure protocol. ◮ Verification: each party proves that it followed the protocol. 3 / 10

Verifiable MPC with Honest Majority ◮ Preprocessing: generate correlated randomness. ◮ Execution: run the passively secure protocol. ◮ Verification: each party proves that it followed the protocol. 3 / 10

Execution Phase ◮ Run the initial passively secure protocol. ◮ Each message m is provided with a sender’s signature σ m . 4 / 10

Execution Phase ◮ Run the initial passively secure protocol. ◮ Each message m is provided with a sender’s signature σ m . 4 / 10

Execution Phase ◮ Run the initial passively secure protocol. ◮ Each message m is provided with a sender’s signature σ m . 4 / 10

Execution Phase ◮ Run the initial passively secure protocol. ◮ Each message m is provided with a sender’s signature σ m . ◮ If Alice refuses to send ( m , σ m ) Bob asks Chris to deliver it. ◮ If Alice or Bob is corrupt, ( m , σ m ) is already known to the attacker anyway. 4 / 10

Verification phase Each party (the prover P ) proves its honesty to the other parties (the verifiers V 1 and V 2 ) . All relevant values of P are shared among V 1 and V 2 : ◮ Message m: m + 0 or 0 + m ◮ Input x: x 1 + x 2 ◮ Correlated randomness r: r 1 + r 2 known by P , shared in the preprocessing phase. All shares are signed by the prover. 5 / 10

Verification phase (reproducing computation of P ) 6 / 10

Verification phase (reproducing computation of P ) ◮ P takes precomputed correlated randomness (e.g. Beaver triples ( a , b , c ) s.t. c = a · b ). 6 / 10

Verification phase (reproducing computation of P ) ◮ P takes precomputed correlated randomness (e.g. Beaver triples ( a , b , c ) s.t. c = a · b ). ◮ P sends hints to V 1 and V 2 . 6 / 10

Verification phase (reproducing computation of P ) ◮ P takes precomputed correlated randomness (e.g. Beaver triples ( a , b , c ) s.t. c = a · b ). ◮ P sends hints to V 1 and V 2 . ◮ V 1 and V 2 use the hints to reproduce computation of P . 6 / 10

Verification phase (reproducing computation of P ) ◮ P takes precomputed correlated randomness (e.g. Beaver triples ( a , b , c ) s.t. c = a · b ). ◮ P sends hints to V 1 and V 2 . ◮ V 1 and V 2 use the hints to reproduce computation of P . ◮ V 1 and V 2 verify the hints. 6 / 10

Verification phase (reproducing computation of P ) ◮ P takes precomputed correlated randomness (e.g. Beaver triples ( a , b , c ) s.t. c = a · b ). ◮ P sends hints to V 1 and V 2 . ◮ V 1 and V 2 use the hints to reproduce computation of P . ◮ V 1 and V 2 verify the hints. ◮ V 1 and V 2 check if they get committed messages of P . 6 / 10

Verification phase (reproducing computation of P ) ◮ P takes precomputed correlated randomness (e.g. Beaver triples ( a , b , c ) s.t. c = a · b ). ◮ P sends hints to V 1 and V 2 . ◮ V 1 and V 2 use the hints to reproduce computation of P . ◮ V 1 and V 2 verify the hints. ◮ V 1 and V 2 check if they get committed messages of P . 6 / 10

Verification phase (checking if z = 0) ◮ V 1 and V 2 exchange h 1 = H ( z 1 ) and h 2 = H ( − z 2 ) , and check h 1 = h 2 . 7 / 10

Verification phase (checking if z = 0) ◮ V 1 and V 2 exchange h 1 = H ( z 1 ) and h 2 = H ( − z 2 ) , and check h 1 = h 2 . ◮ If h 1 � = h 2 , they send h 1 and h 2 to P . 7 / 10

Verification phase (checking if z = 0) ◮ V 1 and V 2 exchange h 1 = H ( z 1 ) and h 2 = H ( − z 2 ) , and check h 1 = h 2 . ◮ If h 1 � = h 2 , they send h 1 and h 2 to P . ◮ P has right to complain against one verifier (e.g V 1 ). 7 / 10

Verification phase (checking if z = 0) ◮ V 1 and V 2 exchange h 1 = H ( z 1 ) and h 2 = H ( − z 2 ) , and check h 1 = h 2 . ◮ If h 1 � = h 2 , they send h 1 and h 2 to P . ◮ P has right to complain against one verifier (e.g V 1 ). ◮ V 1 opens its shares of P commitments with all signatures. 7 / 10

Verification phase (checking if z = 0) ◮ V 1 and V 2 exchange h 1 = H ( z 1 ) and h 2 = H ( − z 2 ) , and check h 1 = h 2 . ◮ If h 1 � = h 2 , they send h 1 and h 2 to P . ◮ P has right to complain against one verifier (e.g V 1 ). ◮ V 1 opens its shares of P commitments with all signatures. ◮ V 2 repeats the computation of V 1 , getting h 1 . 7 / 10

Preprocessing Phase ◮ The prover P generates correlated randomness (e.g. Beaver triples in a certain ring Z m ). 8 / 10

Preprocessing Phase ◮ The prover P generates correlated randomness (e.g. Beaver triples in a certain ring Z m ). ◮ It additively shares the randomness among V 1 and V 2 . 8 / 10

Preprocessing Phase ◮ The prover P generates correlated randomness (e.g. Beaver triples in a certain ring Z m ). ◮ It additively shares the randomness among V 1 and V 2 . ◮ V 1 and V 2 run cut-and-choose and pairwise checks to verify that correlation holds (e.g. that a · b = c ). 8 / 10

Preprocessing Phase ◮ The prover P generates correlated randomness (e.g. Beaver triples in a certain ring Z m ). ◮ It additively shares the randomness among V 1 and V 2 . ◮ V 1 and V 2 run cut-and-choose and pairwise checks to verify that correlation holds (e.g. that a · b = c ). 8 / 10

Preprocessing Phase (other preprocessed tuples) ◮ We also have other types of preprocessed tuples: ◮ Trusted bits b ∈ { 0 , 1 } shared over Z 2 m . ◮ Characteristic vector tuple ( r ,� b ) (i.e b r = 0 iff i � = r ). a ,� b ) s.t the vector � ◮ Rotation tuple ( r ,� b is � a rotated by r . a ,� b ) s.t � ◮ Permutation tuple ( π,� b = π ( � a ) . ◮ Their generation and verification is analogous. 9 / 10

Summary ◮ We proposed a generic method for achieving covert security under honest majority assumption. ◮ Applying it to Sharemind SMC platform, we get efficient actively secure protocols with identifiable abort. ◮ The overhead of the execution phase is insignificant. ◮ In practice, the bottleneck of active security is generation of preprocessed tuples. 10 / 10