Secure Multiparty Computations

Size: px

Start display at page:

Download "Secure Multiparty Computations"

Betty Hopkins
5 years ago
Views:

1 Secure Multiparty Computations CS 6750 Lecture 11 December 3, 2009 Riccardo Pucella

2 The Last Few Lectures... Secret sharing: How to get two or more parties to share a secret in such a way that each individual cannot recover the secret from their share Zero-knowledge protocols: How to get a party to prove to another that she knows a secret without revealing that secret Today: How to compute with secrets

3 Oblivious Transfer Suppose lice has two messages m 0 and m 1 Suppose ob has a bit b (= 0 or 1) ob wants to have m b Constraints: ob does not want lice to know b (Or, equivalently, which m b he wants) lice does not want ob to know both m 0 and m 1

4 1-2 Oblivious Transfer (RS-based version) lice generates an RS key mod N (public e, private d) msgs m 0, m 1 bit b

5 1-2 Oblivious Transfer (RS-based version) lice generates an RS key mod N (public e, private d) msgs m 0, m 1 random x 0, x 1 N, e, x 0, x 1 bit b

6 1-2 Oblivious Transfer (RS-based version) lice generates an RS key mod N (public e, private d) msgs m 0, m 1 random x 0, x 1 N, e, x 0, x 1 q bit b random k q = k e +x b (mod N)

7 1-2 Oblivious Transfer (RS-based version) lice generates an RS key mod N (public e, private d) msgs m 0, m 1 random x 0, x 1 t 0 = m 0 +(q-x 0 ) d t 1 = m 1 +(q-x 1 ) d N, e, x 0, x 1 q t 0, t 1 bit b random k q = k e +x b (mod N)

8 1-2 Oblivious Transfer (RS-based version) lice generates an RS key mod N (public e, private d) msgs m 0, m 1 random x 0, x 1 t 0 = m 0 +(q-x 0 ) d t 1 = m 1 +(q-x 1 ) d N, e, x 0, x 1 q t 0, t 1 bit b random k q = k e +x b (mod N) ob computes t b -k (= m b )

9 1-N Oblivious Transfer lice has N values ob has an index i ob wants to get i-th value without lice learning i lice wants ob to get only one value out of N Related to private information retrieval Part of some databases privacy requirement

10 K-N Oblivious Transfer lice has N values ob wants to get K of those values without lice learning which lice wants ob to get only those K values Two possibilities: messages requested simultaneously (non-adaptive) messages requested sequentially (adaptively) can depend on previous requests

11 The Millionaires Problem (ndrew Yao, 1982) lice and ob are both millionaires lice has I million dollars ob has J million dollars lice and ob both want to know who is richer ut they don t want the other to know how much money they have For simplicity, assume 1 I,J 4

12 The Protocol (RS-based version) lice generates an RS key mod N (public e, private d) I J

13 The Protocol (RS-based version) lice generates an RS key mod N (public e, private d) I N, e J

14 The Protocol (RS-based version) lice generates an RS key mod N (public e, private d) I N, e C-J+1 (mod N) J M-bits random x C = x e (mod N)

15 The Protocol (RS-based version) lice generates an RS key mod N (public e, private d) I M/2-bits random prime P N, e C-J+1 (mod N) P, Z 1,... Z I, Z I+1 +1,..., Z 4 +1 J M-bits random x C = x e (mod N)

16 The Protocol (The RS-based version) lice generates an RS key: N, public e, private d I M/2-bits random prime P N, e C-J+1 (mod N) P, Z 1,... Z I, Z I+1 +1,..., Z 4 +1 Z 1 = (C-J+1) d (mod P) Z 2 = (C-J+2) d (mod P) Z 3 = (C-J+3) d (mod P) Z 4 = (C-J+4) d (mod P) J M-bits random x C = x e (mod N)

17 The Protocol (RS-based version) lice generates an RS key mod N (public e, private d) I M/2-bits random prime P N, e C-J+1 (mod N) P, Z 1,... Z I, Z I+1 +1,..., Z 4 +1 J M-bits random x C = x e (mod N) ob receives P, R 1,...,R 4 : If R J = x mod P then I>=J (o/w I<J)

18 Secure Multiparty Computation Given a publicly known function F of N inputs and producing N outputs F(x 1,...,x n ) = (y 1,...,y n ) Suppose N parties, each party i with a private value a i Goal: compute F(a 1,...,a n ) = (r 1,...,r n ) Each party i wants to know r i No party want others to learn their private value

19 Secure Multiparty Computation Oblivious Transfer as a secure multiparty computation: Function F(<m 0,m 1 >,b) = (nil,m b ) lice has <m 0,m 1 >, ob has b ob wants m b (don t care about what lice wants) Millionaires Problem as a secure multiparty computation: Function F(I,J) = (lice,lice) if I>=J = (ob,ob) if I<J lice has I, ob has J lice and ob want to know who s richer

20 Other Examples Statistical analyses with data stored across multiple databases Each database may be proprietary I.e., models of organic compounds across various biocompanies Elections without a trusted third party Each elector gives his vote as input The function computed is vote tabulation (whatever it is)

Solution: Alice tosses a coin and conveys the result to Bob. Problem: Alice can choose any result.

Example - Coin Toss Coin Toss: Alice and Bob want to toss a coin. Easy to do when they are in the same room. How can they toss a coin over the phone? Mutual Commitments Solution: Alice tosses a coin and