Multi-Party Computations: Past and Present



Similar documents
Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

On Combining Privacy with Guaranteed Output Delivery in Secure Multiparty Computation

Lecture 2: Complexity Theory Review and Interactive Proofs

The Role of Cryptography in Database Security

Security of Blind Digital Signatures

A Secure and Efficient Conference Key Distribution System

A New, Publicly Veriable, Secret Sharing Scheme

Victor Shoup Avi Rubin. Abstract

Legally Enforceable Fairness in Secure Two-Party Computation

ETH Zurich. participants such that only certain groups of them can recover it.

Round-Efficient Secure Computation in Point-to-Point Networks

Social Secret Sharing

Hybrid-Secure MPC: Trading Information-Theoretic Robustness for Computational Privacy

Perfectly-Secure MPC with Linear Communication Complexity

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Deniable Encryption Key

BRICS. Improved Non-Committing Encryption Schemes based on a General Complexity Assumption

How to Prove a Theorem So No One Else Can Claim It

How to Protect Peer-to-Peer Online Games from Cheats

Trading Static for Adaptive Security in Universally Composable Zero-Knowledge

Efficient General-Adversary Multi-Party Computation

A Secure Protocol for the Oblivious Transfer (Extended Abstract) M. J. Fischer. Yale University. S. Micali Massachusetts Institute of Technology

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

Massachusetts Institute of Technology. Abstract

On Generating the Initial Key in the Bounded-Storage Model

Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar

Lecture 15 - Digital Signatures

Information Sciences

Improved Online/Offline Signature Schemes

On Unconditionally Secure Distributed Oblivious Transfer

MANAGING OF AUTHENTICATING PASSWORD BY MEANS OF NUMEROUS SERVERS

DELEGATING LOG MANAGEMENT TO THE CLOUD USING SECURE LOGGING

How to Make Replicated Data Secure

Adaptively-Secure, Non-Interactive Public-Key Encryption

Secure Computation Without Authentication

Fairness with an Honest Minority and a Rational Majority

A Secure Model for Medical Data Sharing

Cryptography: Authentication, Blind Signatures, and Digital Cash

Universal Padding Schemes for RSA

SUBLIMINALFREE AUTHENTICATION AND SIGNATURE

Succinct Proofs for NP and Spooky Interactions

Reusable Anonymous Return Channels

Efficient Receipt-Free Voting Based on Homomorphic Encryption

Lecture 25: Pairing-Based Cryptography

A Linked-List Approach to Cryptographically Secure Elections Using Instant Runoff Voting

Paillier Threshold Encryption Toolbox

CPSC 467b: Cryptography and Computer Security

Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords

Efficient Two Party and Multi Party Computation against Covert Adversaries

Multi-Authority Secret-Ballot Elections with Linear Work

Distributed Key Generation for the Internet

A Simulation Game for Teaching Secure Data Communications Protocols

Vinodu George 1 and M P Sebastian 2. vinodu.george@gmail.com. sebasmp@nitc.ac.in

Fundamental problems in provable security and cryptography

Public Key Encryption with keyword Search

Verifiable Agreement: Limits of Non-Repudiation in Mobile Peer-to-Peer Ad Hoc Networks

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

A Survey on Optimistic Fair Digital Signature Exchange Protocols

Security in Electronic Payment Systems

Subtitle? Subtitle? Subtitle? Subtitle? Privacy Preserving Protocols. Subtitle? Subtitle? Subtitle? Subtitle? and Security Proof Techniques

Public Key Encryption with keyword Search

A Method for Making Password-Based Key Exchange Resilient to Server Compromise

Analysis of Privacy-Preserving Element Reduction of Multiset

1 Domain Extension for MACs

3-6 Toward Realizing Privacy-Preserving IP-Traceback

Introduction. Digital Signature

Guaranteed Slowdown, Generalized Encryption Scheme, and Function Sharing

The Complexity of Online Memory Checking

Key Agreement from Close Secrets over Unsecured Channels Winter 2010

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

Secure Node Discovery in Ad-hoc Networks and Applications 1

The Phish Market Protocol: Securely Sharing Attack Data Between Competitors

FairplayMP A System for Secure Multi-Party Computation

On-Line/Off-Line Digital Signatures

Non-interactive and Reusable Non-malleable Commitment Schemes

Modular Security Proofs for Key Agreement Protocols

An Overview of Common Adversary Models

Lecture 9 - Message Authentication Codes

RSA OAEP is Secure under the RSA Assumption

Secure Equality and Greater-Than Tests with Sublinear Online Complexity

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

Forward-Secure Threshold Signature Schemes

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Lecture 17: Re-encryption

Chosen-Ciphertext Security from Identity-Based Encryption

Using Adversary Structures to Analyze Network Models,

Chosen-Ciphertext Security from Identity-Based Encryption

Security Analysis of DRBG Using HMAC in NIST SP

An Anonymous Endorsement System

Categorical Heuristic for Attribute Based Encryption in the Cloud Server

New Efficient Searchable Encryption Schemes from Bilinear Pairings

MPC vs. SFE : Unconditional and Computational Security

Improving Practical Performance on Secure and Private Collaborative Linear Programming

A Secure Decentralized Access Control Scheme for Data stored in Clouds

Public Key Cryptography and RSA. Review: Number Theory Basics

Secure Multi-Party computations

Applying General Access Structure to Metering Schemes

Capture Resilient ElGamal Signature Protocols

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Keyword Search over Shared Cloud Data without Secure Channel or Authority

Transcription:

Invited Talk: Multi-Party Computations: Past and Present Shafi Goldwasser Cryptography is traditionally concerned with two users, Alice and Bob, who want to communicate privately and authentically over an insecure channel, and in modern times engage in protocols such as coin flipping over the telephone, contract signing, and interactive zero-knowledge proofs. Today, Alice and Bob are part of the internet, The cryptographic challenges involve n users who want to perform arbitrary interactive and probabilistic computations among themselves, all the while keeping their local data secret. Examples of such computations, where secrecy is an issue, include: Elections over the internet The voters would like to be able to verify that the votes were tallied up correctly without revealing individual votes. In addition, voters should choose votes independently from each other, and the voting authorities should ensure that all votes are by legal voters. Ekct ronic Bidding fov Contracts : Several bidders bid for a work contract over the network, so that the lowest bld verifiably gets the contract. In addition, bids should MIT Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139, USA, and the Weizmann [nstitue. e-mail: shsf iqtheory. lcs. mit. edu. remain secret, and bidders should choose their individual bids completely independently from each other. Joint Data Base Computation: Several data bases would like to jointly compute queries which depends on their joint data, without showing each other their entire data base. For example, each data base is a list of private names and the query is which (or how many) names appear on all the lists. Private and Secure Data Base Acces~ A client wants to ask queries of a database without the database knowing what has been asked and without the client learning more than the query requested. Joint Signatww: A group of users would like to be able to digitally sign documents so that only if all of them (or at least a number above threshold) participate, then a signature can be produced. Joint Decryption: A group of users would like to be able to decrypt messages only if all of them (or at least a number above threshold) participate. This is similar to Split Key Escrow where trustees of the government hold a piece of every users secret decryption key, which would enable them to decrypt users data if and only if they pool their pieces together. All of the above examples are special cases of the so called multi-party computation problem: How to compute any probabilistic function on n 1

inputs, in a distributed network where each participant holds one of the inputs, ensuring independence of the inputs, correctness of the computation, and that no more information is revealed to participants in the computation than can be computed from a coalition of participants inputs and outputs. Note that a trivial centralized solution to this problem would be to assume a trusted center (denoted by TC) exists, and have all users send their inputs to TC to compute their respective outputs. We, however, do not trust any center, and thus desire a distributed solution where trust is distributed. The history of the multi-party computation problem is extensive since its introduction by Yao [Y] for n = 2 and by Goldreich, Micali, and Wigderson [GMW2] for general n. I will survey much of this work in the talk, but only mention in brief a few directions of research in this short note. My apologies for the many missing written references. The first question to consider is: who is the adversary and what are his capabilities? Several adversaries have been considered in the litreature.. The Passive adversary is a coalition of users in the network, who participate in the protocol without deviating from it except for possibly deciding on their inputs together rather than independent of each other before the protocol starts. The goal of the passive adversary is to compute information on inputs of participants who are not part of the coalition. Originally, in [Y, GMW2] the parties were polynomial time bounded. In a line of work initiated by Ben Or, Goldwasser, and Wigderson [BGW] the computational limitations on the adversary were removed, but usere were assumed to be able to communicate in pairs in perfect secrecy< The Byzantine adversary is a coalition of users in the network who can deviate from the protocol in an arbitrary fashion depending on their inputs and messages received in the protocol. Again, in [Y, GMW2] the adversary is polynomial time bounded, whereas in [BGW, CCD] they are not. The scheduling of faults may be static or dynamic. In static scheduling the faults are fixed in advance, whereas in the dynamic case, users can join the faulty coalition at any time of the protocol depending on messages exchanged so far. Generally, it is much harder to prove results in presence of dynamic scheduling of faults, unless one assumes that non-faulty processors erase their memory at every round [BH]. Proving security for dynamic scheduling without this simplifying assumption was recently achieved by Canetti, Feige, Goldreich, and Naor [CGFN]. The Mobde adversary is a corrupt coalition of users who may be either passive or Byzantine, with the property that at every round of communication of the protocol (for simplicity we only consider here a synchronous network) a different set of users may make up the coalition, with the restriction that at most a fixed number t of users participate in the corrupt coalition at every round. The study of this adversary model was initiated by Ostrovsky and Yung [OY]. The Coercing adversary who can force users to choose their inputs in a way he favors, was introduced in the context of electronic elections by Benaloh and Tunistra [BT], and generalized to arbitrary multi-party computation by Canetti and Genaro [CG]. The next question is how to define precisely what we mean by a secure solution to the multiparty computation problem. Much effort by Micali and Rogaway, Beaver, Goldwasser and Levin, and Canetti [MR, B, GL, C] ha.% been devoted to coming up with crisp definitions of security for multi-party computation whit-h capture the properties which emerge from the above examples. The definition we will use is froln [GL] and [C]. Informally, let TCSf denote the \ rusted center solution (see above) for a particular probabilistic function j. An adversary against a 7Z Sf is a coalition of users users who can decide on 2

their inputs before giving them to the trusted center, and similarity can decide on their final outputs after receiving their answers from the trsuted center. We call a multi-party protocol for ~ secure (respectively cofnputationaly secure) for any of the adversary classes above, if for any execution of the protocol and adversary in the class, there exists an adversary against the TCSf which could achieve the same (respectively polynomial time indistinguishable) output distribution. This definition implies the properties of correctness, input independence and privacy that emerged earlier in the examples. Many parameters of the network underlying the multi-party computation have been considered. Notably, the timing of the network, the number of users in a coalition, availability or lack of broadcast channels. Efficiency parameters considered include the number of rounds of communication necessary to complete the protocol, and the communication complexity of secure computation. Canetti and Rabin [CR] and Ben-Or, Canetti and Goldreich [BCG] achieve multi-party computations in asynchronous networks whereas the original works focused on synchronous networks. The question of whether a broadcast channel is necessary or not was considered by Ben-or and Rabin [BR1 who showed that the number of faults tolerated for general multiparty computation can increase from a ~ minority to a mere minority, if a broadcast hannel was available as a primitive. Franklin and Yung [FR] initiated the study of the communication complexity of unconditionally secure protocols. The number of rounds of communication was studied by Beaver and Bar Ilan [BI] and by Beaver, Micali and Rogaway in the computational setting [BMR]. What type of results have been shown? The work is generally divided into two categories: 1. Results which make computational assump tions such as the existence of trapdoor functions, do not assume secure channels, and achieve computational security. 2. Results which make physical assumptions such assthe existence of perfect secret channels between pairs of users, make no computational assumption, and achieve unconditionally secure privacy. The work of [CGFN] essentially shows a general transformation between results obtained in the perfect secret channel model into results that hold in model without these assumption, by introducing a special encryption functions for sending messages between users over insecure channels. Remarkably strong completeness theorems are known for the general multi-party computation problem, as indicated in the many papers in the bibfipgraphy. Essentially, we know for all the adversary classes outlined above, how given the description of any n-input probabilistic function ~, to automatically construct a secure (resp. computationally secure) multi-party protocol for j, as long as the number of total users n, and users in a faulty colition obey n z ct + 1 for optimal values of c z 2. The value of c changes depending on the adversary chss, type of security required (computational or information theoretic), and the parameters of the network, The results in the computational setting require various cryptographic assumptions such as the existence of oneway functions and oblivious transfer protocols. The case of a coalition of half or more of faulty users has been studied ([Y,C, BG,BL]), but it seems much harder to solve in a completely satisfactory manner. The underlying problem in this case is how to release the outputs of the computation via a slow probabilistic process, to prevent a majority of faulty users to quit the protocol early as soon as they compute their own outputs. If we assume that none oft he users stop early, Kilian shows under the assumption that a primitive for oblivious transfer exists, how to achieve secure two party protocols, and [GL] show under the same assumption how to achieve security for n users with a faulty majority. What are the tools and techniques underlying the solutions? The beauty of multi-party protocols is that they use a rich body of tools and sub-protocols, some of which developed especially for this application and some previously developed for the 3

cryptographic non-distributed setting. They include Zero-Knowledge Proofs [GMR, GMW1], Probabilistic Encryption [GM], error correcting code representation of data [BGW], various distributed commitment schemes, and Oblivious Transfer [MRal, K, CK]. Most importantly, secret sharing and computing with shares of a secret is fundamental to achieving secure multiparty computation. In particular, the polynomial secret sharing of Shamir [Sh] in the case of passive adversary is a corner stone in multiparty computations, and the verifiable secret sharing of Chor, Goldwasser, Micali and Awerbuch [CGMA, RB] plays an analogous role in the Byzantine adversary case. Beautiful techniques have been developed to compute on shares of secrets for the various secret sharing scheme, and in essence such a technique is present in any work on multi-party computation, e.g. [GMW2, CCD, BGW, BCC]. Whereas in the 80 s the focus of research was to show the most general result possible yielding multi-party protocol solutions fo any probabilistic function, any adversary class, and any network constraints, the theme of the 90 s is different. Much of current work is to focus on e&- cienf and non-interactive solutions to special important problems such as joint-signatures, jointdecryption, and secure and private data base access. Some of the new conceptual issues that researchers are currently tackling are the deniability of users actions in presence of a coercing adversary and the anonymity of users. We believe that the field of multi party computations is today where public-key cryptography was ten years ago, namely an extremely powerful tool and rich theory whose real-life usage is at this time only beginning but will become in the future an integral part of our computing reality. References [Be] D. Beaver, Foundations of Secure Interactive Computing, CR YPT(I, 1991. [BH] D. Beaver and S. Haber, Cryptographic Protocols Provably secure Against Dynamic Adversaries, Eurocrypt, 1992. [BR1] [BT] M. Bellare and P. Rogaway, Entity authentication and key distribution, Advances in Cryptology: Proc. of Crypto 93, August 1993, pp. 232-249. Josh Benaloh and Dwight Tunistra, Receipt-Free Secret-Ballot Elections, 26th STOC, 1994, pp. 544-552. [BCG] M. Ben-Or, R. Canetti and O. Goldreich, Asynchronous Secure Computations, 25th STOC, 1993, pp. 52-61. [BGW] M. Ben-Or, S. Goldwasser and A. Wigderson, Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation, 20th STOC, 1988, pp. 1-10. [BKR] [BL] [BCC] [c] [CK] M. Ben-Or, B. Kelmer and T. Rabin, Asynchronous Secure Computation with Optimal Resilience, 13th PODC, 1994 pp. 183-192. M. Ben-Or and N. Linial, Collective Coin Flipping, Advances in Computing Research, VOL 5, 1989, pp. 91-11,5. G. Bra.ssard, D. Chaum and C. Crepeau, Minimum Disclosure Proofs of Knowledge, Journal of Computing and System Sciences, Vol. 37, No. 2, 1988, pp. 156-189. R. Canetti, Asynchronous Secure Computation, Technical Report no. 755, CS department, Technion, 1992. C. Crepeau and J. Kilian, Achieving Oblivious Transfer Using Weakened security Assumptions, 29th FOCS, pp. 42-52. [CDNO] R. Canetti, C. Dwork, M. Naor and R. Ostrovsky, Deniable Encryptions, manuscript, [CFGN] R. Canetti, U. Feige, O. Goldreich and M. Naor, Adaptively Secure Computation, LV7th STOC, 1996. 4

[CG] R. Canetti and R. Genaro, Deniable Multiparty Computation, manuscript. [CaH] R. Canetti and A. Herzberg, Maintaining security in the presence of transient faults, Crypto 91, 1994, PP. 425-439. [CR] R. Canetti and T. Rabin, Optimal Asynchronous Byzantine Agreement, 25th STOC, 1993, pp. 42-51. [CCD] D. Chaum, C. Crepeau and I Damgard, Multiparty unconditionally secure protocols, 20th STOC, 1988, pp. 11-19. [CGMA] B. Chor, S. Goldwasser, S. Micali and B. Awerbuch, Verifiable Secret Sharing and Achieving Simultaneity in the Presence of Fau Its, 26th FOCS, 1985, pp. 383-395. [CK] [CM] [DH] B. Chor and E. Kushilevitz, A Zero-One Law for Boolean Privacy, SIAM J. on Disc. Math., Vol. 4, no. 1, 1991, pp.36-47, B. Chor and L. Moscovici, Solvability in Asynchronous Environments, 30th FOGS, 1989. W. Diffie and M. Hellman, New directions in cryptography, IEEE Trans. on in.o. Theory, IT-22(6), 1976, pp. 644-654. [DDN] D. Dolev, C. Dwork and M. Naor, Nonmalleable Cryptography, 23rd STOC, 1991. [FM] [FY] [G] P. Feldman and S. MicaIi, An Optimal Algorithm For Synchronous Byzantine Agreement, 20th STOC, 1988, pp. 148-161. M. Franklin and M. Yung, Communication Corn plexity of Secure Computation, 2//th. STOC. O. Goldreich, Foundations of Cryptography (Fragments of a Book), ed. Dept. of Computer Science and Applied Mathematics, Weizmann Institute, 1995. [GGL] O. Goldreich, S. Goldwasser, and N. Linial, Fault-Tolerant Computation in the Full Information Model, 32nd FOCS, 1991, pp. 447-457. [GMW1] O. Goldreich, S. Micali and A. Wigderson, Proof that Yield Nothing But their Validity and a Methodology of Cryptographic Protocol Design, 27th FOCS, 1986, pp. 174-187. [GMW2] O. Goldreich, S. Micali and A. Wigderson, HOW to Play any Mental Ga-me, [GM] [GwL] 19th STOC, 1987, pp. 218-229. S. Goldwa.sser, and S. Micali, Probabilistic Encryption, SOTC, 1982. Journal version appeared in the JCSS special issue. S. Goldwasser, and L. Levin, Fair Computation of General Functions in Presence of Immoral Majority, CR YF TO, 1990. [GMR] S. Goldwasser, S. Micali and C. Rackoff, The Knowledge Complexity of Interactive Proof Systems, SZA M Journal on Co?nput., Vol. 18, No. 1, 1989, pp. 186-208. [HJKY] A. Herzberg, S. Jarecki, H. Krawczyk and M. Yung, Proactive Secret Sharing or: How to Cope with Perpetual Leakage, CRYPTO 1995. [K] [MR] [oyj J. Kilian, Founding Cryptography on Oblivious Transfer, STOC 88,, pp. 20-31. S. Micali and P. Rogaway, Secure Computation. Preliminary version in CRYPTO 91. R. Ostrovsky and M. Yung, How to withstand mobile virus attacks, Proceedings of the 101h Annual ACM Sgmposium on Principles oj Distributed Computing, 1991, pp 51-59. 5

[MRal] M. Rabin, How to exchange secrets by oblivious transfer, Tech. Memo TR-81, Aiken Computation Laboratory, Harvard LJ., 1981. [RB] T. Rabin and M. Ben-Or, Verifiable Secret Sharing and Multiparty Protocols with Honest Majority, 21st STOC, 1989, pp. 73-85. [TRa] T. Rabin, Robust Sharing of Secrets When The Dealer is Honest or Faulty, Journal of the ACM, No. 6, Vol. 41, 1994, pp. 1089-1109. [sk] K. Sako and J. Kilian, Receipt-Free Mix- Type Voting Scheme, Eurocrypt 1995, pp. 393-403. [Sh] [Yl] A. Shamir, How to share a secret, CA CM, Voi. 22, NO. 11, 1979, pp. 612-613. A. Yao, Protocols for Secure Computation, 23th FOCS, 1982, pp. 160-164.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information