Multi-Party Computation in Presence of Corrupted Majorities Dominik - - PowerPoint PPT Presentation


slide-1
SLIDE 1

Multi-Party Computation in Presence of Corrupted Majorities

Dominik Raub

Institute of Theoretical Computer Science ETH Zürich

on joint work with R. Künzler, J. Müller-Quade, C. Lucas, U. Maurer, M. Fitzi

Mäetaguse, 2009/10/04

slide-3
SLIDE 3

Multi-Party Computation (MPC)

[Figure: label F]

  • Voting
  • Auctions
  • Who is richest?

⇒ privacy, correctness required

slide-5
SLIDE 5

Multi-Party Computation (MPC)

[Figure: labels F, R, π]

Generally encompasses:

  • Secure or authenticated channels
  • Optionally BC or PKI
  • CRS for UC setting
slide-6
SLIDE 6

Multi-Party Computation (MPC)

[Figure: labels F, R, π, D, I/O, 0/1]

slide-7
SLIDE 7

MPC: Active Adversary

[Figure: labels F, D, R, S, A, π, I/O, 0/1, ∀]

slide-8
SLIDE 8

MPC: Passive Adversary

[Figure: labels F, D, R, S, A, π, I/O, 0/1, ∀; annotation: forward I/O]

slide-9
SLIDE 9

MPC: Semi-Honest Adversary

[Figure: labels F, D, R, S, A, π, I/O, 0/1, ∀; annotation: xi → xi', yi → yi']

slide-10
SLIDE 10

Security Properties for MPC

  • Correctness: protocol computes intended result
  • Privacy: nobody learns more than intended
  • Robustness: everybody receives intended result
  • Fairness: everybody receives result, or nobody
  • Agreement (on abort): all honest parties receive their result or notification of failure

slide-11
SLIDE 11

Security Paradigms for MPC

  • Abort Security: agreement, privacy, correctness
  • Fair Security: fairness, privacy, correctness
  • Full Security: robustness, privacy, correctness
  • IT Security: tolerates unbounded adversaries
  • CO Security: tolerates computationally bounded adversaries

slide-12
SLIDE 12

Limitations for MPC with BC

  • Fair security only for t < n/2 corrupted [Cle86]
  • IT security only for t < n/2 [Kil00]
  • Full security for t1 and abort security for t2 only if t1 + t2 < n [IKLP06], [Kat07]
  • No IT full security for general MPC for t ≥ n/2

⇒ Which functions can be computed with IT full security for t ≥ n/2?
⇒ Weaker assumptions, graceful degradation?

slide-16
SLIDE 16

Computability of Functions

| Security | Adversary | Resources | Fair? | Computable f |
|---|---|---|---|---|
| IT | passive | auth. BC | yes | F^bc_pas |
| IT | semi-honest | auth. BC | yes | F^bc_sh |
| IT | active | auth. BC | yes | F^bc_act |

F^bc_pas ⊃ F^bc_sh ⊃ F^bc_act

  • Today: only symmetric functions
  • Then:
slide-18
SLIDE 18

Computability of Functions

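| Security | Adversary | Resources | Fair? | Computable f |
|---|---|---|---|---|
| IT | passive | auth. BC | yes | F^bc_pas |
| IT | semi-honest | auth. BC | yes | F^bc_sh |
| IT | active | auth. BC | yes | F^bc_act |
| LT | active | auth. BC | no | F^bc_lts |
| LT | active | auth. chan. | no | F^aut_lts |
| LT | active | PKI | no | F^{ins;pki}_lts |

F^bc_pas ⊃ F^bc_sh ⊃ F^bc_act, F^bc_lts = F^bc_sh

  • Long-term (LT) security
    – Computational assumptions only during protocol run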

slide-19
SLIDE 19

Computability of Functions

[Same table as on slide 18.]

  • “=”: modified [GMW87]-Compiler
    – computationally forces semi-honest behavior
    – maintains IT security against semi-honest adversary

slide-20
SLIDE 20

Passively Computable Functions F^bc_pas

Input:

slide-27
SLIDE 27

Actively Computable Functions F^bc_act

slide-29
SLIDE 29

Actively Computable: Example

slide-30
SLIDE 30

Summary: Computability

  • Characterization of computable function classes
    – F^bc_pas: decomposability
    – F^bc_sh: decomposability after removing redundancy
    – F^bc_act: decomposability after removing redundancy, exchange property (input for every strategy)
  • Characterization of long-term security: F^{ins;pki}_lts = F^aut_lts = F^bc_lts = F^bc_sh

slide-32
SLIDE 32

Limitations for MPC with BC

  • Fair security only for t < n/2 corrupted [Cle86]
  • IT security only for t < n/2 [Kil00]
  • Full security for t1 and abort security for t2 only if t1 + t2 < n [IKLP06], [Kat07]
  • No IT full security for general MPC for t ≥ n/2

⇒ Which functions can be computed with IT full security for t ≥ n/2?
⇒ Weaker assumptions, graceful degradation?
⇒ Hybrid-secure MPC (HMPC)

slide-34
SLIDE 34

Optimal Hybrid MPC (with BC)

[Figure: labels R, π; annotation: [GMW87], [CLOS01]: can be IT protected]

Goal: For any ρ < n/2

  • IT full security for t ≤ ρ
  • IT fair security for t < n/2
  • CO abort security for t < n-ρ

slide-35
SLIDE 35

Optimal Hybrid MPC (with BC)

[Figure: labels R, π; annotation: Trusted ⇒ IT fairness, correctness]

Goal: For any ρ < n/2

  • IT full security for t ≤ ρ
  • IT fair security for t < n/2
  • CO abort security for t < n-ρ

slide-36
SLIDE 36

Optimal Hybrid MPC (with BC)

[Figure: labels R, R', π; annotation: Trusted ⇒ IT fairness, correctness]

[Cha89]: emulate!
⇒ honest for t < n/2 [RB89]
⇒ t < n/2: IT fair, correct
⇒ t ≥ n/2: CO private, correct

slide-37
SLIDE 37

Optimal Hybrid MPC (with BC)

[Figure: labels R, R', π]

[Cha89]: emulate!
⇒ honest for t < n/2 [RB89]
⇒ t < n/2: IT fair, correct
⇒ t ≥ n/2: CO private, correct

Use sharing qualifying all sets of emulated and n-ρ actual parties
⇒ t ≤ ρ: IT robust, correct
⇒ t < n/2: IT fair, correct
⇒ t < n-ρ: CO private, correct

slide-38
SLIDE 38

Optimal Hybrid MPC (with BC)

[Figure: labels R, R', π; messages (x_i^des), (x_i^em)]

x_i = x_i^des ⊕ x_i^em

Share inputs
⇒ t < n/2: IT privacy
⇒ t ≥ n/2: no correctness

slide-39
SLIDE 39

Optimal Hybrid MPC (with BC)

[Figure: labels R, R', π; messages (x_i^des, c_i), (x_i^em, o_i)]

x_i = x_i^des ⊕ x_i^em
(c_i, o_i) = comH(x_i^em)

Share and commit
⇒ no robustness
or
⇒ no correctness for t ≥ n/2

slide-41
SLIDE 41

Optimal Hybrid MPC (with BC)

[Figure: labels R, R', π, πρ; messages (x_i^des, c_i), (x_i^em, o_i); annotations: complaint?, input x_i]

x_i = x_i^des ⊕ x_i^em
(c_i, o_i) = comH(x_i^em)

Share, commit, complain
⇒ t ≤ ρ: IT full security
⇒ t < n/2: IT fair security
⇒ t < n-ρ: CO abort security

slide-43
SLIDE 43

Summary: Hybrid Security

  • We provide optimal HMPC protocols and matching tight bounds for the setting
    – with BC
    – without BC but with PKI
    – without BC or PKI
  • We treat possibly inconsistent PKIs
  • We consider signature forgery separately from other (computational) assumptions
slide-44
SLIDE 44

Conclusions

  • Characterization of computable function classes
  • Characterization of long-term security
  • Optimal HMPC protocols and matching tight bounds

slide-47
SLIDE 47

Hybrid MPC (HMPC)

  • Different guarantees depending on t:
    – For t ≤ lr full (robust) security
    – For t ≤ lf fair security
    – For t ≤ L abort security
  • While tolerating:
    – For t ≤ tc computationally unbounded adversaries
    – For t ≤ tσ signature forgery
    – For t ≤ tp inconsistent PKIs

⇒ Graceful degradation

slide-48
SLIDE 48

Summary: Hybrid Security

  • We provide HMPC protocols for the setting
    – with BC under the bounds
      tc < n/2 ∧ lr ≤ lf ≤ L ∧ lf < n/2 ∧ lr + L < n
    – without BC but with PKI under the bounds
      tc < n/2 ∧ lr ≤ lf ≤ L ∧ lf < n/2 ∧ lr + L < n ∧ 2tσ + L < n ∧ (tp > 0 ⇒ tp + 2L < n)
    – without BC or PKI under the bounds
      tc < n/2 ∧ lr ≤ lf ≤ L ∧ lf < n/2 ∧ (lr > 0 ⇒ lr + 2L < n)
  • Our bounds are tight, given lr ≥ tp, tσ
slide-49
SLIDE 49

Limitations for HMPC with BC

  • IT security for t ≤ tc only if tc < n/2 [Kil00]
  • Fair security for t ≤ lf only if lf < n/2 [Cle86]
  • Full security for t ≤ lr and abort security for t ≤ L only if lr+L < n [IKLP06], [Kat07]
  • Therefore: tc < n/2 ∧ lr ≤ lf ≤ L ∧ lf < n/2 ∧ lr+L < n (1)

slide-50
SLIDE 50

Hybrid MPC without BC or PKI

  • Fair security for t ≤ lf only if lf < n/2 [Cle86]
  • IT security for t ≤ tc only if tc < n/2 [Kil00]
  • Full security for t ≤ lr and abort security for t ≤ L only if lr > 0 ⇒ lr+2L < n [FHHW03]
  • Protocol πρ with the BC from [FHHW03] achieves bound tc < n/2 ∧ lr ≤ lf ≤ L ∧ lf < n/2 ∧ (lr > 0 ⇒ lr+2L < n) (2)
  • Improves over [FHHW03] for ρ=0, which makes no guarantees for t > n/2

slide-51
SLIDE 51

Limits for MPC without BC, with PKI

  • Tolerate inconsistent PKI for t ≤ tp
  • Tolerate signature forgery for t ≤ tσ
  • We achieve the following bounds
    tc < n/2 ∧ lr ≤ lf ≤ L ∧ lf < n/2 ∧ lr+L < n ∧ 2tσ+L < n ∧ (tp > 0 ⇒ tp+2L < n) (3)
    and prove them necessary for lr ≥ tp, tσ
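
Bounds (1), (2) and (3) and the thresholds of the "Optimal Hybrid MPC (with BC)" goal (IT full for t ≤ ρ, IT fair for t < n/2, CO abort for t < n-ρ), written out as a checker. This is an added Python example, not part of the original slides; the names `Thresholds`, `common_bounds`, `feasible_*`, `pi_rho_thresholds` and `guarantee` are hypothetical, and `ts` stands for tσ.

```python
from typing import NamedTuple

# Added example: all names here are illustrative, not taken from the slides.
class Thresholds(NamedTuple):
    n: int        # number of parties
    tc: int       # computationally unbounded adversary tolerated for t <= tc
    lr: int       # full (robust) security for t <= lr
    lf: int       # fair security for t <= lf
    L: int        # abort security for t <= L
    ts: int = 0   # t_sigma: signature forgery tolerated for t <= ts
    tp: int = 0   # inconsistent PKI tolerated for t <= tp

def common_bounds(p):
    # Part shared by bounds (1)-(3): tc < n/2, lr <= lf <= L, lf < n/2
    return 2 * p.tc < p.n and p.lr <= p.lf <= p.L and 2 * p.lf < p.n

def feasible_with_bc(p):
    # Bound (1): additionally lr + L < n
    return common_bounds(p) and p.lr + p.L < p.n

def feasible_without_bc_or_pki(p):
    # Bound (2): lr > 0 implies lr + 2L < n
    return common_bounds(p) and (p.lr <= 0 or p.lr + 2 * p.L < p.n)

def feasible_with_pki_no_bc(p):
    # Bound (3): bound (1), 2*t_sigma + L < n, and tp > 0 implies tp + 2L < n
    return (feasible_with_bc(p) and 2 * p.ts + p.L < p.n
            and (p.tp <= 0 or p.tp + 2 * p.L < p.n))

def pi_rho_thresholds(n, rho):
    # Largest thresholds matching the stated goal for a given rho < n/2
    if not 0 <= 2 * rho < n:
        raise ValueError("need 0 <= rho < n/2")
    half = (n - 1) // 2              # largest t with t < n/2
    return Thresholds(n, tc=half, lr=rho, lf=half, L=n - rho - 1)

def guarantee(n, rho, t):
    # (adversary model, paradigm) the goal promises when t parties are corrupted
    p = pi_rho_thresholds(n, rho)
    if t <= p.lr:
        return ("IT", "full")
    if t <= p.lf:
        return ("IT", "fair")
    if t <= p.L:
        return ("CO", "abort")
    return (None, "none")

if __name__ == "__main__":
    for rho in range(4):             # n = 7: how rho trades robustness for abort range
        print(rho, [guarantee(7, rho, t)[1] for t in range(8)])
```

The goal's thresholds sit exactly on bound (1): lr + L = n - 1, so raising either by one makes `feasible_with_bc` fail.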

slide-52
SLIDE 52

Hybrid MPC without BC, with PKI

  • Protocol πρ with a hybrid BC (HBC) for bounds 2tσ+T < n ∧ (tp > 0 ⇒ tp+2T < n) achieves bound (3) (where BC secure for t ≤ T)
  • For tp > 0 treated in [FHW04]
  • For tp = 0 and 2tσ+T < n we provide an HBC protocol achieving full BC
    – For t = 0 unconditionally
    – For t ≤ tσ conditional on PKI consistency
    – For t ≤ T conditional on unforgeability and PKI consistency

slide-53
SLIDE 53

BC with extended validity (BCEV)

  • For 2tσ+T < n and tp = -1 BCEV achieves:
    – For t ≤ tσ full broadcast
    – For t ≤ T validity, conditional on unforgeability

slide-62
SLIDE 62

BCEV: Validity for t ≤ T

[Protocol figure not recovered; surviving annotations:]

  • validity: Ps honest
  • = (m,σs(m))
  • for Pj honest = ((m,σs(m)), ?)
  • holds always (for xi=m)
  • holds for t > tσ (and xi=m)
  • secure for t ≤ tσ < n/3
  • holds for t ≤ tσ (and m=0)

slide-68
SLIDE 68

BCEV: Consistency for t ≤ tσ

[Protocol figure not recovered; surviving annotations:]

  • secure for t ≤ tσ < n/3
  • Siv = Sjv
  • all decisions here identical
  • identical Sjv
  • j ∈ Siv,0 ⇔ j ∈ Siv for Pj honest

slide-69
SLIDE 69

Hybrid Broadcast (HBC)

  • For 2tσ+T < n and tp = 0 HBC achieves
    – For t = 0 full BC
    – For t ≤ tσ full BC, conditional on PKI consistency
    – For t ≤ T full BC, conditional on unforgeability and PKI consistency
  • Protocol idea:
    – Attempt detectable precomputation of a new PKI [FHHW03]; fall back to existing PKI
    – Run an HBC for 2tσ+T < n and tp = -1 constructed from BCEV and DS

slide-70
SLIDE 70

Hybrid Broadcast (HBC) for tp = -1

slide-73
SLIDE 73

HBC: Security for t ≤ tσ

[Protocol figure not recovered; surviving annotations:]

  • BC for t ≤ tσ
  • holds for t ≤ tσ

slide-78
SLIDE 78

HBC: Consistency for tσ < t ≤ T

[Protocol figure not recovered; surviving annotations:]

  • BC for t > tσ
  • consistent for t > tσ
  • if holds then ...
  • also holds for same v

slide-83
SLIDE 83

HBC: Validity for tσ < t ≤ T

[Protocol figure not recovered; surviving annotations:]

  • BC for t > tσ
  • guarantees validity
  • can only hold for v = m
  • can only hold for v = m
  • di = m