SLIDE 1
Synchronous Constructive Cry ryptography
Chen-Da Liu-Zhang
ETH Zurich
TCC 2020
Ueli Maurer
ETH Zurich
Synchronous Constructive Cry ryptography Chen-Da Ueli Liu-Zhang - - PowerPoint PPT Presentation
Synchronous Constructive Cry ryptography Chen-Da Ueli Liu-Zhang - - PowerPoint PPT Presentation
Synchronous Constructive Cry ryptography Chen-Da Ueli Liu-Zhang Maurer ETH Zurich ETH Zurich TCC 2020 R rounds R rounds Nave randomness generation 1 2 6
SLIDE 2
SLIDE 3
π
SLIDE 4
π R rounds
SLIDE 5
π π π π π π R rounds
SLIDE 6
π π π π π π R rounds π6 π3 π2 π5 π4 π1
NaΓ―ve randomness generation
SLIDE 7
π π π π π π R rounds π6 π3 π2 π5 π4 π1
NaΓ―ve randomness generation
ΰ»
π
ππ
SLIDE 8
Composable Security
Many existing composable frameworks [PW94,C01,N03,MR11,KT13,β¦]
Modularization Composition Clean guarantees
SLIDE 9
Generality vs Simplicity
SLIDE 10
Can we design a simple framework for a meaningful restricted setting?
Generality vs Simplicity
SLIDE 11
Can we design a simple framework for a meaningful restricted setting?
Generality vs Simplicity
Precision Formal Verification Teaching
SLIDE 12
Our Focus
- Inf. Theoretic
Synchronous Computational Asynchronous Adaptive Static Permissioned Permissionless
SLIDE 13
- Inf. Theoretic
Synchronous Computational Asynchronous Adaptive Static Permissioned Permissionless
Future Extension
SLIDE 14
Composable Synchronous Models
Current models* are built on top of asynchronous model
- 1. Extra functionalities
- 2. Activation token
- 3. Message scheduling
Our goal: minimal framework
- 1. Intuitive descriptions
- 2. Simple proofs
*[Can01,Nie03,HofMul04,KMTZ13]
SLIDE 15
Specifications
Ξ¦
SLIDE 16
Specifications
Ξ¦ π―
SLIDE 17
Specifications
Ξ¦ π―
SLIDE 18
Constructions
π― β2 β1
Recipe π
+
β Υ
π π―, or equivalently, π(β) β π―
SLIDE 19
Constructive Cryptography
π
1 2 3 4
Ξ¦ resources
*[Mau11,MR11,MR16]
SLIDE 20
Constructive Cryptography
π
1 2 3 4
Ξ¦ resources Ξ£ converters π
*[Mau11,MR11,MR16]
SLIDE 21
Multi-Party Constructive Cryptography
π
1 2 3 4
π¬ = {1, β¦ , π} Protocol π = (π1, β¦ , ππ)
SLIDE 22
Multi-Party Constructive Cryptography
π π1
1 2 3 4
π4 π3 π¬ = {1, β¦ , π} Protocol π = (π1, β¦ , ππ) π2
SLIDE 23
Multi-Party Constructive Cryptography
π π1
1 2 3 4
π4 π3 π¬ = {1, β¦ , π} Protocol π = (π1, β¦ , ππ) βπΌ β π βπΌ
{Οπ | πβπΌ}π―πΌ
π2
SLIDE 24
Multi-Party Constructive Cryptography
π¬ = {1, β¦ , π} Protocol π = (π1, β¦ , ππ) β 1,3,4 π1
1 2 3 4
π4 β π―{1,3,4}
1 3 4 2
π3 βπΌ β π βπΌ
{Οπ | πβπΌ}π―πΌ
SLIDE 25
Multi-Party Constructive Cryptography
π¬ = {1, β¦ , π} Protocol π = (π1, β¦ , ππ) β 1,3,4 π1
1 2 3 4
π4 β π3 βπΌ β π βπΌ
{Οπ | πβπΌ}π―πΌ
Ξ¦
SLIDE 26
Multi-Party Constructive Cryptography
Traditional simulation-based notion
β 1,3,4 π1
1 2 3 4
π4 β π
1 3 4 2
π3 π
SLIDE 27
Multi-Party Constructive Cryptography
Traditional simulation-based notion
β 1,3,4 π1
1 2 3 4
π4 β π
1 3 4 2
π3 π π―{1,3,4}
SLIDE 28
Multi-Party Constructive Cryptography
Traditional simulation-based notion
β 1,3,4 π1
1 2 3 4
π4 β π
1 3 4 2
π3 β π―{1,3,4} = {π2π | π β Ξ£}
SLIDE 29
Synchronous Systems
π
Resource
SLIDE 30
Synchronous Systems
π
Resource
SLIDE 31
Synchronous Systems
π
Resource
SLIDE 32
Synchronous Systems
π
Resource
π
Converter
SLIDE 33
Synchronous Systems
π
Converter
π
Resource
SLIDE 34
Synchronous Systems
π
Converter
π
Resource
SLIDE 35
Synchronous Systems
π
Converter
π
Resource
SLIDE 36
Synchronous Systems
π π
SLIDE 37
Synchronous Systems
π π
SLIDE 38
Round Structure
Round π
Send Receive
SLIDE 39
Round Structure
Round π
Leakage Send Send Receive Receive
Honest Dishonest
π . π π . π
SLIDE 40
Authenticated Channel with Upper Bound Ξ
π
- Honest parties are guaranteed to get
π after Ξ rounds
Round π Round π + Ξ AUTH Round π
SLIDE 41
Authenticated Channel with Upper Bound Ξ
π
- Honest parties are guaranteed to get
π after Ξ rounds
- Dishonest parties are guaranteed to
get π in the same round
Round π AUTH Round π Round π + Ξ
SLIDE 42
Authenticated Channel with Upper Bound Ξ
π
Round π AUTH
β
- Honest parties are guaranteed to get
π after Ξ rounds
- Dishonest parties do not have any
guarantee ππ±π°βΞ,π= ππ AUTHΞ | π β Ξ£
Round π + Ξ π
SLIDE 43
Broadcast
π
Validity: If sender is honest, all honest receivers output π Consistency: All honest receivers output the same πβ
Round π Round π
SLIDE 44
Broadcast
β¬ππ,π,πΌ= π | βπ€ βπ
π β πΌ π§π π = π€ β§ π π‘ β πΌ Υ π€ = π¦π‘ π Consistency Validity
Validity: If sender is honest, all honest receivers output π (at round π) Consistency: All honest receivers output the same πβ (at round π)
π
Round π Round π
SLIDE 45
Broadcast
β¬ππ,π,πΌ= π | βπ€ βπ
π β πΌ π§π π = π€ β§ π π‘ β πΌ Υ π€ = π¦π‘ π
Let π = (π1, β¦ , ππ) be a (standard) broadcast protocol that takes Ξ rounds
- Validity: If π
π‘ β πΌ, all honest parties obtain π at round π + Ξ
- Consistency: All honest parties obtain the same value at round π + Ξ
Standard proof ππΌπͺβ°π° β β¬ππ,π+Ξ,πΌ
SLIDE 46
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
*see also arithmetic black-box [DN03]
SLIDE 47
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½1
SLIDE 48
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½1 π½1 π½1 π½1 π½1 π½1
SLIDE 49
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½1 π½2
SLIDE 50
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½2 π½2 π½1 π½2 π½2 π½2 π½2
SLIDE 51
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½1 π½2 π½3 π½4 β¦
SLIDE 52
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½1 π½2 π½3 π½4 β¦
SLIDE 53
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½1 π½2 π½3 π½4 β¦
SLIDE 54
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½1 π½2 π½3 π½4 β¦
Instruction I:
- 1. (input, i, p)
- 2. (output,i,p)
- 3. (add,p1,p2,p3)
- 4. (mult,p1,p2,p3)
SLIDE 55
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½2 π½3 π½4 β¦
Instruction I:
- 1. (input, i, p)
- 2. (output,i,p)
- 3. (add,p1,p2,p3)
- 4. (mult,p1,p2,p3)
π½1
SLIDE 56
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½2 π½3 π½4 β¦
Instruction I:
- 1. (input, i, p)
- 2. (output,i,p)
- 3. (add,p1,p2,p3)
- 4. (mult,p1,p2,p3)
π½1
SLIDE 57
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½2 π½3 π½4 β¦
Instruction I:
- 1. (input, i, p)
- 2. (output,i,p)
- 3. (add,p1,p2,p3)
- 4. (mult,p1,p2,p3)
π½1 v
SLIDE 58
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½2 π½3 π½4 β¦
Instruction I:
- 1. (input, i, p)
- 2. (output,i,p)
- 3. (add,p1,p2,p3)
- 4. (mult,p1,p2,p3)
π½1 v
SLIDE 59
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½2 π½3 π½4 β¦
Instruction I:
- 1. (input, i, p)
- 2. (output,i,p)
- 3. (add,p1,p2,p3)
- 4. (mult,p1,p2,p3)
π½1 v
SLIDE 60
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½2 π½3 π½4 β¦
Instruction I:
- 1. (input, i, p)
- 2. (output,i,p)
- 3. (add,p1,p2,p3)
- 4. (mult,p1,p2,p3)
π½1 v v
SLIDE 61
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½2 π½3 π½4 β¦
Instruction I:
- 1. (input, i, p)
- 2. (output,i,p)
- 3. (add,p1,p2,p3)
- 4. (mult,p1,p2,p3)
π½1 v w
SLIDE 62
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½2 π½3 π½4 β¦
Instruction I:
- 1. (input, i, p)
- 2. (output,i,p)
- 3. (add,p1,p2,p3)
- 4. (mult,p1,p2,p3)
π½1 v w v+w
SLIDE 63
Computer Resource
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
π½2 π½3 π½4 β¦
Instruction I:
- 1. (input, i, p)
- 2. (output,i,p)
- 3. (add,p1,p2,p3)
- 4. (mult,p1,p2,p3)
π½1 v w v+w vβw
SLIDE 64
MPC as Computer
ins β¦ 1 2 3 4 n Instructions Values
1 2 3 4 5 β¦
[BGW88] [Mau06]
β¬π, πͺβ°π°
SLIDE 65
Conclusions
- Simple model for synchronous protocols
- Parties are honest/dishonest
- Information-theoretic statements
- Flexible to capture property-based formalizations
SLIDE 66
Full version: https://eprint.iacr.org/2020/1226
Credits: Icons: https://www.flaticon.com/