Secure Multiparty Computation Li Xiong Outline Cryptographic - - PowerPoint PPT Presentation

CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation

Li Xiong

Outline

• Cryptographic primitives
• Symmetric Encryption
• Public Key Encryption
• Secure Multiparty Computation
• Problem and security definitions
• General constructions
• Specialized protocols

Basic notation

• Plaintext (m):

– the original message

• Ciphertext (c):

– the coded message

• Secret key (k):

– info used in cipher known only to sender/receiver

• Encryption function Ek(m):

– performs substitutions/ transformations on plaintext

• Decryption function Dk(c):

– inverse of encryption algorithm

• Efficiency:

– functions EK and DK should have efficient algorithms

• Consistency:

– Decrypting the ciphertext yields the plaintext DK(EK(m)) = m

4

E D

m plaintext k encryption key k’ decryption key Ek(m) ciphertext Dk’(Ek(m)) = m attacker

Operational model of encryption

• Kerckhoff’s assumption:

– attacker knows E and D – attacker doesn’t know the (decryption) key

• attacker’s goal:

– to systematically recover plaintext from ciphertext – to deduce the (decryption) key

• attack models:

– ciphertext-only (COA) – known-plaintext (KPA) – (adaptive) chosen-plaintext (CPA) – (adaptive) chosen-ciphertext (CCA)

Symmetric Encryption

• or conventional / secret-key / single-key
• sender and recipient share a common key
• Scenario:

– Alice wants to send a message (plaintext P) to Bob – The communication channel is insecure and can be eavesdropped – If Alice and Bob have previously agreed on a symmetric encryption scheme and a secret key K, the message can be sent encrypted (ciphertext C)

Symmetric Key Cryptography

symmetric key crypto: Bob and Alice share the same (symmetric) key: KA-B

plaintext ciphertext

K

A-B encryption algorithm decryption algorithm

K

A-B plaintext message, m c=KA-B (m) K (m)

A-B

m = K (

)

A-B

Outline

• Cryptographic primitives
• Symmetric Encryption
• Public Key Encryption
• Secure Multiparty Computations
• Problem and security definitions
• General constructions

Private-Key Cryptography

• traditional private/secret/single key

cryptography uses one key

• Sender and receiver must share the same key
• needs secure channel for key distribution
• impossible for two parties having no prior relationship
• if this key is disclosed communications are

compromised

• also is symmetric, parties are equal
• hence does not protect sender from receiver

forging a message & claiming is sent by sender

Public-Key Cryptography

• uses two keys – a public & a private key
• asymmetric since parties are not equal
• complements rather than replaces private key

crypto

– neither more secure than private key (security depends on the key size for both) – nor do they replace private key schemes (they are too slow to do so)

Public-Key Cryptography

• public-key/two-key/asymmetric cryptography

involves the use of two keys:

– a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures – a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures

• Encryption: c = Epk(m)
• Decryption: m = Dsk(c)
• is asymmetric because

– those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Public-Key Cryptography

Public-Key Characteristics

• Public-Key algorithms rely on two keys with

the characteristics that it is:

– computationally infeasible to find decryption key knowing only algorithm & encryption key – computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known – either of the two related keys can be used for encryption, with the other used for decryption (in some schemes) – Many can encrypt, only one can decrypt

RSA (Rivest, Shamir, Adleman, 1978)

• basis
• intractability of integer factoring
• Setup:
• select p, q large primes
• n = pq, ф(n)= (p-1)(q-1)
• select e relatively prime to ф(n)
• compute d such that ed mod ф(n) = 1
• Keys:
• public key: KE= (n,e)
• private key: KD= d
• Encryption:
• Plaintext m
• c = me mod n
• Decryption:
• m= cd mod n

13

• Example:
• Setup:
• p =7, q=17
• n = 7*17 = 119
• ф(n) = 6 *16 = 96
• e= 5
• d= 77
• Keys:
• public key: KE= (119, 5)
• private key: KD= 77
• Encryption:
• m = 19
• c = 195 mod 119 = 66
• Decryption:
• m= 6677 mod 119 = 19

Outline

• Cryptographic primitives
• Symmetric Encryption
• Public Key Encryption
• Secure Multiparty Computations
• Problem and security definitions
• General constructions

slide 15

Motivation

• General framework for describing computation

between parties who do not trust each other

• Example: elections

– N parties, each one has a “Yes” or “No” vote – Goal: determine whether the majority voted “Yes”, but no voter should learn how other people voted

• Example: auctions

– Each bidder makes an offer

• Offer should be committing! (can’t change it later)

– Goal: determine whose offer won without revealing losing offers

slide 16

More Examples

• Example: distributed computation/data

mining/machine learning

– Two companies want to perform computation/learning

• ver their datasets without revealing them
• Compute the intersection of two lists of names
• Distributed learning
• Example: private queries on secure database

– Evaluate a query on the database without revealing the query to the database owner and without revealing data to the querier – Many variations

Secure Multiparty Computation

• A set of parties with private inputs wish to

compute some joint function of their inputs.

• Parties wish to preserve some security
• properties. e.g., privacy and correctness.
• Security must be preserved in the face of

adversarial behavior by some of the participants, or by an external party.

Yao’s Millionaire Problem

• Two millionaires, Alice and Bob, who are

interested in knowing which of them is richer without revealing their actual wealth.

• This problem is analogous to a more general

problem where there are two numbers a and b and the goal is to solve the inequality without revealing the actual values of a and b.

slide 20

How to Define Security?

• Must be mathematically rigorous
• Must capture all realistic attacks that a

malicious participant may try to stage

• Should be “abstract”

– Based on the desired “functionality” of the protocol, not a specific protocol – Goal: define security for an entire class of protocols

slide 22

Functionality

• K mutually distrustful parties want to jointly

carry out some task

• Model this task as a function

f: ({0,1}*)K ({0,1}*)K

• Assume that this functionality is computable in

probabilistic polynomial time

K inputs (one per party); each input is a bitstring K outputs

Defining Security

• The real/ideal model paradigm for defining

security [GMW,GL,Be,MR,Ca]:

– Ideal model: parties send inputs to a trusted party, who computes the function for them – Real model: parties run a real protocol with no trusted help

• A protocol is secure if any attack on a real

protocol can be carried out in the ideal model

slide 24

Ideal Model

• Intuitively, we want the protocol to behave “as if” a

trusted third party collected the parties’ inputs and computed the desired functionality

– Computation in the ideal model is secure by definition!

A B

x1 f2(x1,x2) f1(x1,x2) x2

slide 25

More Formally

• A protocol is secure if it emulates an ideal setting

where the parties hand their inputs to a “trusted party,” who locally computes the desired outputs and hands them back to the parties

[Goldreich-Micali-Wigderson 1987]

A B

x1 f2(x1,x2) f1(x1,x2) x2

Real world

• No trusted third party
• Participants run some protocol amongst

themselves without any help

• Despite that, secure protocol should emulate

an ideal setting.

• Real protocol that is run by the participants is

secure if

– no adversary can do more harm in real execution than an execution that takes place in the ideal world

slide 27

Adversary Models

• Some of protocol participants may be corrupt

– If all were honest, would not need secure multi-party computation

• Semi-honest (aka passive; honest-but-curious)

– Follows protocol, but tries to learn more from received messages than he would learn in the ideal model

• Malicious

– Deviates from the protocol in arbitrary ways, lies about his inputs, may quit at any point

• For now, we will focus on semi-honest adversaries

and two-party protocols

slide 28

Properties of the Definition

• How do we argue that the real protocol

“emulates” the ideal protocol?

• Correctness

– All honest participants should receive the correct result of evaluating function f

• Because a trusted third party would compute f correctly
• Privacy

– All corrupt participants should learn no more from the protocol than what they would learn in ideal model – What does corrupt participant learn in ideal model?

• His input (obviously) and the result of evaluating f

slide 29

Simulation

• Corrupt participant’s view of the protocol = record
• f messages sent and received

– In the ideal world, view consists simply of his input and the result of evaluating f

• How to argue that real protocol does not leak more

useful information than ideal-world view?

• Key idea: simulation

– If real-world view (i.e., messages received in the real protocol) can be simulated with access only to the ideal- world view, then real-world protocol is secure – Simulation must be indistinguishable from real view

Security proof tools

– Real/ideal model: the real model can be simulated in

the ideal model

• Key idea – Show that whatever can be computed by a

party participating in the protocol can be computed based on its input and output only

•  polynomial time S such that {S(x,f(x,y))} ≡ {View(x,y)}

Security proof tools

• Composition theorem

– if a protocol is secure in the hybrid model where the protocol uses a trusted party that computes the (sub) functionalities, and we replace the calls to the trusted party by calls to secure protocols, then the resulting protocol is secure – Prove that component protocols are secure, then prove that the combined protocol is secure

Outline

• Secure multiparty computation

– Defining security – General constructions

General Constructions

• Yao’s Garbled circuit protocol

– Use Oblivious transfer for securely selecting a value – Represent function as an arithmetic circuit with addition and multiplication gates

• From passively-secure protocols to actively-

secure protocols

– Use zero-knowledge proofs to force parties to behave in a way consistent with the passively- secure protocol

1-out-of-2 Oblivious Transfer (OT)

1-out-of-2 Oblivious Transfer (OT)

• Inputs

– Sender has two messages m0 and m1 – Receiver has a single bit {0,1}

• Outputs

– Sender receives nothing – Receiver obtain m and learns nothing of m1-

slide 35

Oblivious Transfer (OT)

• Fundamental MPC primitive
• 1-out-of-2 Oblivious Transfer (OT)

S R

m0, m1 m  = 0 or 1 S inputs two bits, R inputs the index of one of S’s bits R learns his chosen bit, S learns nothing

– S does not learn which bit R has chosen; R does not learn the value of the bit that he did not choose [Rabin 1981]

Semi-Honest OT

• Let (G,E,D) be a public-key encryption scheme

– G is a key-generation algorithm (pk,sk)  G – Encryption: c = Epk(m) – Decryption: m = Dsk(c)

• Assume that a public-key can be sampled

without knowledge of its secret key:

– Oblivious key generation: pk  OG – El-Gamal encryption has this property

Semi-Honest OT

Protocol for Oblivious Transfer

• Receiver (with input ):

– Receiver chooses one key-pair (pk,sk) and one public-key pk’ (oblivious of secret-key). – Receiver sets pk = pk, pk1- = pk’ – Note: receiver can decrypt for pk but not for pk1- – Receiver sends pk0,pk1 to sender

• Sender (with input m0,m1):

– Sends to receiver c0=Epk0(m0), c1=Epk1(m1)

• Receiver:

– Decrypts c using sk and obtains m.

Security Proof

• Intuition:

– Sender’s view consists only of two public keys pk0 and

• pk1. Therefore, it doesn’t learn anything about that

value of . – The receiver only knows one secret-key and so can only learn one message

• Note: this assumes semi-honest behavior. A

malicious receiver can choose two keys together with their secret keys.

Generalization

• Can define 1-out-of-k oblivious transfer

 Protocol remains the same:

 Choose k-1 public keys for which the secret key is

unknown

 Choose 1 public-key and secret-key pair

slide 40 1

Yao’s Protocol

Compute any function securely

• … in the semi-honest model

First, convert the function into a boolean circuit

AND

x y z Truth table: x y z

1 1 1 1 1

OR

x y z Truth table: x y z

1 1 1 1 1 1

AND OR AND NOT OR AND

Alice’s inputs Bob’s inputs

slide 41

1: Pick Random Keys For Each Wire

Next, evaluate one gate securely

• Later, generalize to the entire circuit

Alice picks two random keys for each wire

• One key corresponds to “0”, the other to “1”
• 6 keys in total for a gate with 2 input wires

AND

x y z

k0z, k1z Alice Bob k0x, k1x k0y, k1y

slide 42

2: Encrypt Truth Table

Alice encrypts each row of the truth table by encrypting the output-wire key with the corresponding pair of input-wire keys

AND

x y z

k0z, k1z Alice Bob k0x, k1x k0y, k1y

1

Original truth table: x y z

1 1 1 1

Encrypted truth table:

Ek0x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Ek1x(Ek0y(k0z)) Ek1x(Ek1y(k1z))

slide 43

3: Send Garbled Truth Table

Alice randomly permutes (“garbles”) encrypted truth table and sends it to Bob

AND

x y z

k0z, k1z Alice Bob k0x, k1x k0y, k1y

Garbled truth table:

Ek0x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Ek1x(Ek0y(k0z)) Ek1x(Ek1y(k1z))

Ek0x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Ek1x(Ek0y(k0z)) Ek1x(Ek1y(k1z))

Does not know which row of garbled table corresponds to which row of original table

slide 44

4: Send Keys For Alice’s Inputs

Alice sends the key corresponding to her input bit

• Keys are random, so Bob does not learn what this bit is

AND

x y z

k0z, k1z Alice Bob k0x, k1x k0y, k1y If Alice’s bit is 1, she simply sends k1x to Bob; if 0, she sends k0x

Learns Kb’x where b’ is Alice’s input bit, but not b’ (why?) Garbled truth table:

Ek0x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Ek1x(Ek0y(k0z)) Ek1x(Ek1y(k1z))

slide 45

5: Use OT on Keys for Bob’s Input

Alice and Bob run oblivious transfer protocol

• Alice’s input is the two keys corresponding to Bob’s wire
• Bob’s input into OT is simply his 1-bit input on that wire

AND

x y z

k0z, k1z Alice Bob k0x, k1x k0y, k1y Run oblivious transfer Alice’s input: k0y, k1y Bob’s input: his bit b Bob learns kby

What does Alice learn?

Knows Kb’x where b’ is Alice’s input bit and Kby where b is his own input bit Garbled truth table:

Ek0x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Ek1x(Ek0y(k0z)) Ek1x(Ek1y(k1z))

slide 46

6: Evaluate Garbled Gate

Using the two keys that he learned, Bob decrypts exactly one of the output-wire keys

• Bob does not learn if this key corresponds to 0 or 1

– Why is this important?

AND

x y z

k0z, k1z Alice Bob k0x, k1x k0y, k1y

Knows Kb’x where b’ is Alice’s input bit and Kby where b is his own input bit Garbled truth table:

Ek0x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Ek1x(Ek0y(k0z)) Ek1x(Ek1y(k1z))

Suppose b’=0, b=1 This is the only row Bob can decrypt. He learns K0z

slide 47

In this way, Bob evaluates entire garbled circuit

• For each wire in the circuit, Bob learns only one key
• It corresponds to 0 or 1 (Bob does not know which)

– Therefore, Bob does not learn intermediate values (why?)

Bob tells Alice the key for the final output wire and she tells him if it corresponds to 0 or 1

• Bob does not tell her intermediate wire keys (why?)

7: Evaluate Entire Circuit

AND OR AND NOT OR AND

Alice’s inputs Bob’s inputs

Summary

• GMW paradigm:

– First, construct a protocol for semi-honest adv. – Then, compile it so that it is secure also against malicious adversaries

• There are different ways to construct secure

protocols

– Garbled circuit – Secret sharing – Homomorphic encryption

• Efficient protocols against semi-honest adversaries

are far easier to obtain than for malicious adversaries.

Slides credits

• Tutorial on secure multi-party computation, Lindell

www.cs.biu.ac.il/~lindell/research-statements/tutorial-secure-computation.ppt

• Introduction to secure multi-party computation,

Vitaly Shmatikov, UT Austin

http://www.cs.utexas.edu/~shmat/courses/cs380s_fall09/15smc.ppt

• Introduction to Cryptography, Yehuda Lindell, Bar Ilan

University, IL

http://crypto.biu.ac.il/sites/default/files/

• Information Security Management, UTC