Background Secure Computation Security Model Generic Protocol Applications
Secure Multi-Party Computation
Gunnar Kreitz
KTH – Royal Institute of Technology gkreitz@kth.se
October 4 2012
Gunnar Kreitz Secure Multi-Party Computation
◮ $n$ parties
◮ $n$ inputs (one per party)
◮ A function $f(x_1, \ldots, x_n)$ to compute
◮ Parties learn $f(x_1, \ldots, x_n)$
◮ No one learns anything more
Let’s pick a function
◮ The protocol does one round of input randomization (blinding)
◮ Then, any (non-private) summation protocol is run on the blinded inputs
◮ The blinding preserves the sum of the inputs
◮ Information-theoretically secure
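[Figure: parties 1, 2 and 3]

$$
\begin{aligned}
x'_1 &= x_1 - r_{12} - r_{13} + r_{21} + r_{31} \\
x'_2 &= x_2 + r_{12} - r_{21} - r_{23} + r_{32} \\
x'_3 &= x_3 + r_{13} + r_{23} - r_{31} - r_{32}
\end{aligned}
$$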
◮ Each party $P_i$ with input $x_i$ proceeds as follows:

$$x'_i = x_i + \sum_{j \neq i} r_{j,i} - \sum_{j \neq i} r_{i,j}$$

◮ We could now publish $x'_i$ and still remain private!
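The blinding round above, simulated for n parties as an added example (not code from the slides). It assumes arithmetic modulo the prime 2^61 - 1 and hypothetical function names; `coalition_view` shows what passively corrupted parties can strip off the published values.

```python
import secrets

P = 2**61 - 1  # assumed prime modulus; the slides only introduce "mod p" later


def blind_inputs(inputs, p=P):
    """One blinding round: party i sends a fresh random r[i][j] to every j != i."""
    n = len(inputs)
    # r[i][j] is picked by party i and sent to party j (r[i][i] is unused).
    r = [[secrets.randbelow(p) if i != j else 0 for j in range(n)]
         for i in range(n)]
    blinded = []
    for i in range(n):
        received = sum(r[j][i] for j in range(n) if j != i)
        sent = sum(r[i][j] for j in range(n) if j != i)
        # x'_i = x_i + sum_j r_{j,i} - sum_j r_{i,j}  (mod p)
        blinded.append((inputs[i] + received - sent) % p)
    return blinded, r


def public_sum(values, p=P):
    """Any non-private summation: the blinded values may simply be published."""
    return sum(values) % p


def coalition_view(blinded, r, corrupt, p=P):
    """Remove from each honest party's published value every r the coalition
    itself sent or received. What remains is still masked by the r values
    exchanged between honest parties, unless only one honest party is left."""
    view = {}
    for h in range(len(blinded)):
        if h in corrupt:
            continue
        known_in = sum(r[c][h] for c in corrupt)   # coalition -> h
        known_out = sum(r[h][c] for c in corrupt)  # h -> coalition
        view[h] = (blinded[h] - known_in + known_out) % p
    return view


if __name__ == "__main__":
    xs = [17, 4, 21]  # constructed sample inputs
    blinded, r = blind_inputs(xs)
    print("published:", blinded)
    print("sum:", public_sum(blinded))
    print("party 0's view of the others:", coalition_view(blinded, r, {0}))
```

With one corrupted party out of three, the two residual values only add up to the honest parties' total, which the result already implies; with two corrupted parties the remaining input is exposed, exactly as it would be from the result alone.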
◮ Do we develop protocols for each and every $f$?
◮ (Are they all this simple?)
◮ How do we define security?
◮ No one should learn anything but result
◮ No one should be able to affect computation in an untoward way
◮ Is there someone we all trust?
◮ Can send measurements to the Trusted Third Party
◮ She performs computation and tells everyone result
◮ Given a Trusted Third Party, problem is easy
What do we mean by security?
◮ In an ideal world, we have a trusted third party
◮ We want our protocols to be as secure as the ideal world
◮ Cheating parties must not:
  ◮ learn more than they do in the ideal world
  ◮ be able to do more than they can in the ideal world
Functionality: $\sum_i x_i \pmod p$. Adversary corrupts party 1.
◮ Adversary learns $x_1$? No.
◮ Adversary learns $x_{10}$? Yes.
◮ Adversary learns sum of all other parties’ input? No.
◮ Adversary learns $\sum_{i<n/2} x_i$? Yes.
◮ Adversary learns sum, everyone else gets random value? No (pick random $x_1$).
◮ Adversary ensures result is $c$? Yes.
◮ Two main models of adversary’s evilness:
  ◮ Passive/semi-honest (Honest-but-curious): follows protocol but tries to deduce more information
  ◮ Active/malicious (Byzantine): arbitrary deviations from protocol
◮ Two main models of adversary’s power:
  ◮ Computational Security: Probabilistic polynomial time
  ◮ Information-Theoretic Security: Unlimited computation time
◮ In this talk, we consider both notions
◮ How can we get around having to design one protocol per functionality?
◮ Something that can evaluate a circuit.
◮ Keep all intermediary values secret shared
◮ Evaluate circuit gate by gate, gate inputs and outputs being secret shared
◮ Open up values of output gates to everyone
◮ We’ll need protocols for addition (XOR) and multiplication (AND)
◮ Built on Shamir/Verifiable Secret Sharing [BGW88, CCD88]
◮ Built on Oblivious Transfer [GMW87]
◮ Built on Homomorphic Encryption
◮ Math is now in a finite field (“mod a prime”)
◮ Pick a polynomial $P(x)$ of degree $t$, with $P(0) = s$
◮ Knowing evaluations at $t + 1$ points uniquely determines $P(x)$
◮ Evaluations at $t$ coordinates ($\neq 0$) reveal nothing about $s$
◮ Input: two polynomials* $f(x)$, $g(x)$ with $f(0) = a$, $g(0) = b$
◮ Output: polynomial* $h(x)$ such that $h(0) = a + b$
◮ $h(x) = f(x) + g(x)$ has the right property
◮ Party $P_i$ knows $f(i)$, $g(i)$. Need a protocol for her to learn $h(i)$
◮ $h(i) = f(i) + g(i)$ — XOR gates can be evaluated locally!
◮ Input: two polynomials* $f(x)$, $g(x)$ with $f(0) = a$, $g(0) = b$
◮ Output: polynomial* $h(x)$ such that $h(0) = ab$
◮ $h(x) = f(x)g(x)$ has the right property
◮ But, it is a bad choice!
  ◮ It has degree $2t$
  ◮ It is not uniformly random (e.g., cannot be irreducible)
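Shamir sharing, the local addition gate and the naive product from the slides above, as an added example (not code from the talk). The prime 2^61 - 1, the function names and the `tail` parameter (fixed higher coefficients for a reproducible run) are assumptions.

```python
import secrets

P = 2**61 - 1  # assumed prime; the slides only say "mod a prime"


def share(secret, t, n, p=P, tail=None):
    """Degree-t polynomial with constant term `secret`; party i receives its value at i.
    `tail` fixes the t higher coefficients (for demonstrations only)."""
    coeffs = [secret % p] + list(tail or (secrets.randbelow(p) for _ in range(t)))
    assert len(coeffs) == t + 1

    def evaluate(x):
        acc = 0
        for c in reversed(coeffs):  # Horner's rule
            acc = (acc * x + c) % p
        return acc

    return {i: evaluate(i) for i in range(1, n + 1)}


def reconstruct(points, p=P):
    """Lagrange-interpolate through `points` ({i: value}) and evaluate at 0."""
    secret = 0
    for i, y_i in points.items():
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (-j) % p
                den = den * (i - j) % p
        secret = (secret + y_i * num * pow(den, -1, p)) % p
    return secret


def first(shares, k):
    """The shares held by parties 1..k."""
    return {i: shares[i] for i in range(1, k + 1)}


def add_gate(fs, gs, p=P):
    """h(i) = f(i) + g(i): each party adds its own two shares, no communication."""
    return {i: (fs[i] + gs[i]) % p for i in fs}


def mul_gate_naive(fs, gs, p=P):
    """h(i) = f(i) * g(i): correct at 0, but the shared polynomial has degree 2t."""
    return {i: fs[i] * gs[i] % p for i in fs}


if __name__ == "__main__":
    t, n = 2, 5  # n = 2t + 1 parties
    fa, fb = share(6, t, n), share(7, t, n)
    print("a + b from t+1 shares:", reconstruct(first(add_gate(fa, fb), t + 1)))
    prod = mul_gate_naive(fa, fb)
    print("a * b from 2t+1 shares:", reconstruct(prod))
    print("a * b from t+1 shares (wrong):", reconstruct(first(prod, t + 1)))
```

The last line is why the product cannot be used as-is: t + 1 shares no longer determine the polynomial, so the degree has to be brought back down to t before the next gate.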
◮ $h(x) = f(x)g(x)$
◮ To make it uniformly random: add random polynomials with $p(0) = 0$
◮ Each party picks one: $h'(x) = f(x)g(x) + \sum_i p_i(x)$
◮ Degree reduction is slightly more involved
◮ Boils down to evaluating a linear form of the shares and
◮ Research area going back to the early 80’s
◮ Beautiful results
◮ Real-world use?
◮ Not much, yet
◮ Efficiency is a huge problem
◮ Time to encrypt 128 bytes using AES? 2 seconds [DK10]
◮ Time to sort 16384 integers? 3.5 minutes [JKU11]
◮ 3 parties, passive adversary
◮ Recently, a number of implementation efforts
  ◮ FairplayMP http://www.cs.huji.ac.il/project/Fairplay/
  ◮ Viff http://viff.dk/
  ◮ Sharemind http://sharemind.cyber.ee/
  ◮ Sepia http://www.sepia.ee.ethz.ch/
◮ Abundance of development environments
◮ Moore’s law chipping away at performance issue
◮ Nice security guarantees