Pobieranie prezentacji. Proszę czekać

Pobieranie prezentacji. Proszę czekać

Lecture 13 Two-Party Computation Protocols Stefan Dziembowski www.dziembowski.net MIM UW 11.01.13ver 1.0.

Podobne prezentacje


Prezentacja na temat: "Lecture 13 Two-Party Computation Protocols Stefan Dziembowski www.dziembowski.net MIM UW 11.01.13ver 1.0."— Zapis prezentacji:

1 Lecture 13 Two-Party Computation Protocols Stefan Dziembowski MIM UW ver 1.0

2 Plan 1.Motivation 2.Definitions 3.Information-theoretic impossibility 4.Constructions 1.oblivious transfer 2.computing general circuits 5.Applications

3 A love problem A := 0 if Alice doesnt love Bob 1 if Alice loves Bob B := 0 if Bob doesnt love Alice 1 if Bob loves Alice They want to learn the value of f(A,B) := A and B They want to learn the value of f(A,B) := A and B

4 Solution? A A B B Problem If A = 0 and B = 1 then Bob knows that Alice loves him while he doesnt! If B = 1 and A = 0 then Alice knows that Bob loves him while she doesnt! computes A and B locally computes A and B locally computes A and B locally computes A and B locally

5 Solution? trusted party computes A and B trusted party computes A and B A A B B Alice and Bob learn only the value of f(A,B) = A and B. Of course: if A = B = 1 then f(A,B) = 1 and there is no secret to protect. But, e.g., if A = 0 and B = 1 then f(A,B) = 0 then Alice will not know the value of B. Question: Is it possible to compute f without a trusted party?

6 Another example: the millionaires problem A := how much money Abramovich has B := how much money Berlusconi has f(A,B) := Abramovich if A > B equal if A = B Berlusconi if A < B

7 How to solve this problem? Can they compute f in a secure way? (secure = only the output is revealed) Of course, they do not trust any third party.

8 Answer It turns out that: in both cases, there exists a cryptographic protocol that allows A and B to compute f in a secure way. Moreover: In general, every poly-time computable function f can be computed securely by two-parties. (assuming some problems are computationally hard) Of course, this has to be defined...

9 Plan 1.Motivation 2.Definitions 3.Information-theoretic impossibility 4.Constructions 1.oblivious transfer 2.computing general circuits 5.Applications

10 What do we mean by a secure function evaluation? In general, the definition is complicated, and we will not present it here. Main idea: suppose we have a function f: {0,1}* × {0,1}* {0,1}* A A B B f(A,B) protocol π Each of the parties may try to: learn something about the input of the other party, or disturb the output of the protocol.

11 What do we mean by a secure function evaluation? A A B B f(A,B) A A B B A A B B protocol π ideal scenarioreal scenario A malicious participant (Alice or Bob) should not be able to learn more information, or do more damage to the output in the real scenario, than it can in the ideal one.

12 What do we mean by this? For example: Alice can always declare that she loves Bob, while in fact she doesnt. A millionaire can always claim to be poorer or reacher than he is... But: Berlusconi cannot force the output of the protocol to be equal if he doesnt know the value of A.

13 Lets generalize it a bit: A A B B f 1 (A,B) f 2 (A,B) 1.the outputs of Alice and Bob can be different 2.the function that they compute may be randomized

14 An adversary It is convenient to thing about an adversary that corrupts one of the players. (clearly if the adversary corrupts both players, there is no sense to talk about any security)

15 Two goals that the adversary may want to achieve 1.learn about the input of the other party more than he would learn in the ideal scenario, 2.change the output of the protocol. 1.learn about the input of the other party more than he would learn in the ideal scenario, 2.change the output of the protocol.

16 Two types of adversarial behavior In general, we consider two types of adversarial behavior: passive, also called: honest-but-curious: a corrupted party follows the protocol, active, also called Byzantine a corrupted party doesnt need to follow the protocol

17 Two types of security a protocol is passively secure if it is secure against one of the parties behaving maliciously in a passive way. a protocol is actively secure if it is secure against one of the parties behaving maliciously in an active way.

18 Problem with active security In general, it is impossible to achieve a complete fairness. That is: one of the parties may (after receiving her own output) prevent the other party from receiving her output (by halting the protocol) (remember the coin-flipping protocol?)

19 Fact Let π be a passively secure protocol computing some function f. Then, we can construct a protocol π that is actively secure, and computes the same function f. How? Using Zero-Knowledge! (we skip the details)

20 Power of the adversary The malicious parties may be computationally bounded (poly-time) computationally unbounded. We usually allow the adversary to break the security with some negligible probability. In this case we say that security is information-theoretic

21 Plan 1.Motivation 2.Definitions 3.Information-theoretic impossibility 4.Constructions 1.oblivious transfer 2.computing general circuits 5.Applications

22 Most of the natural functions cannot be computed by an information-theoretically secure protocol Example Consider a function f(A,B) = A and B. There exists an infinitely-powerful adversary that breaks any protocol computing it. The adversary may even be passive.

23 A transcript A A B B transcript T Definition Transcript T is consistent with input A=A 0 if there exist random inputs R A (for Alice) and (B,R B ) (for Bob) such that T is a transcript of the execution of the protocol with inputs (A 0,R A ) – for Alice (B,R B ) – for Bob. A and B RARA RARA RBRB RBRB for B – symmetric

24 1. Suppose A = 0 and B = 0 A A B B has to be consistent with A=1 T T Otherwise a malicious Bob knows that A = 0 A = 0B = 0

25 2. Suppose A = 0 and B = 1 A A B B cannot be consistent with A=1 T T Because the output of the protocol has to be different in these two cases: A=0 and B=1 and A=1 and B=1 B = 1A = 0

26 So, if A = 0 then a malicious Alice has a way to learn what the input of Bob! A A B B T T Alice checks if T is consistent with A=1 If yes then she knows that B=0 otherwise B=1 Alice checks if T is consistent with A=1 If yes then she knows that B=0 otherwise B=1

27 Moral If we want to construct a protocol for computing AND, we need to rely on computational assumptions.

28 Plan 1.Motivation 2.Definitions 3.Information-theoretic impossibility 4.Constructions 1.oblivious transfer 2.computing general circuits 5.Applications

29 A question Does there exist a protocol π that is complete for secure two-party computations? In other words: We are looking for π such that: if we have a protocol for π then we can construct a provably secure protocol for any function?

30 Answer Yes! A protocol like this is exists. It is called Oblivious Transfer (OT). There are two versions if it: Rabins Oblivious Transfer M. O. Rabin. How to exchange secrets by oblivious transfer, One-out-of-Two Oblivious Transfer S. Even, O. Goldreich, and A. Lempel, A Randomized Protocol for Signing Contracts, 1985.

31 Rabins Oblivious Transfer sender receiver input bit A outputs B such that B := A with probability 0.5 ? with probability 0.5 The sender should have no information which was the case If B = ? then the receiver has no information on A

32 One-out-of-two Oblivious Transfer sender receiver input bits (A 0,A 1 ) outputs C such that C := A 0 if B = 0 A 1 if B = 1 The sender should have no information which was the case then the receiver has no information on the other A i input bit B We will also write C := OT((A 0,A 1 ),B) We will also write C := OT((A 0,A 1 ),B)

33 Fact Rabins Oblivious Transfer and One-out-of-Two Oblivious Transfer are equivalent. Rabins Oblivious Transfer and One-out-of-Two Oblivious Transfer are equivalent. Claude Crépeau. Equivalence between two flavours of oblivious transfer, 1988

34 choose a random bit B If R B then output A = A B xor A R otherwise he has no information on A 1-B so he has no information on A choose a random bit B If R B then output A = A B xor A R otherwise he has no information on A 1-B so he has no information on A choose random (A 0,A 1 ) such that A 0 xor A 1 = A choose random bit R choose random (A 0,A 1 ) such that A 0 xor A 1 = A choose random bit R sender receiver input bit A sender receiver input bits (A 0,A 1 ) input bit B ARAR ARAR ABAB ABAB Rabin OT 1-out-of-2 OT Rabin 1-out-of-2

35 It remains to show the opposite direction Rabin OT 1-out-of-2 OT

36 α1α1 ??α4α4 α5α5 ?α7α7 α1α1 α2α2 α3α3 α4α4 α5α5 α6α6 α7α7 k times Rabin OT k times Rabin OT Let I be the set of indices of the bits that he knows. Let I c be the complement of I. Let I be the set of indices of the bits that he knows. Let I c be the complement of I. input bits (A 0,A 1 ) input bit B if B=0 send (X 0,X 1 ) := (I,I c ) if B=1 send (X 0,X 1 ) := (I c,I) if B=0 send (X 0,X 1 ) := (I,I c ) if B=1 send (X 0,X 1 ) := (I c,I) send (Z 0,Z 1 ) := (β 0 xor A 0, β 1 xor A 1 ) send (Z 0,Z 1 ) := (β 0 xor A 0, β 1 xor A 1 ) He outputs β B xor Z B the receiver knows only the indices in β B random string of bits

37 Security? 1.The learn B the sender would need to distinguish I from I c 2.To learn both A 0 and A 1 the receiver would need to know both β 0 and β 1 This is possible only if he knows all α i s This happens with probability 0.5 k. 1.The learn B the sender would need to distinguish I from I c 2.To learn both A 0 and A 1 the receiver would need to know both β 0 and β 1 This is possible only if he knows all α i s This happens with probability 0.5 k.

38 An implementation of Rabins OT sender receiver input bit A a random RSA public key pk := (N,e) C := E pk (A) a random RSA public key pk := (N,e) C := E pk (A) chooses a random x from Z N * chooses a random x from Z N * y := x 2 mod N random z such that z 2 = y mod N If x = ± z mod N output ? otherwise gcd(x-z, N) is a non-trivial factor of N hence the receiver can decrypt A from C. Output A If x = ± z mod N output ? otherwise gcd(x-z, N) is a non-trivial factor of N hence the receiver can decrypt A from C. Output A Remember the proof that computing square root is equivalent to factoring? We used exactly the reasoning: 1.with probability 0.5 we have x ± y mod N 2.if x ± y mod N then gcd(x-z, N) is a non-trivial factor of N

39 How does it look now? sender receiver input bit A a random RSA public key pk := (N,e) C := E pk (A) a random RSA public key pk := (N,e) C := E pk (A) chooses a random x from Z N * chooses a random x from Z N * y := x 2 mod N random z such that z 2 = y mod N If x = ± y mod N output ? otherwise gcd(x-z, N) is a non-trivial factor of N hence the receiver can decrypt A from C. Output A If x = ± y mod N output ? otherwise gcd(x-z, N) is a non-trivial factor of N hence the receiver can decrypt A from C. Output A receiver proves in ZK that he knows x

40 Is it secure? Against passive cheating? YES! Against active cheating? Not so clear... The sender acts as an oracle for computing square roots modulo N. Does it can help him? We dont know. Solution Add an intermediary step in which the sender proves in zero-knowledge that he knows x.

41 Implementation of the 1-out-of-2 OT ( Gen, Enc, Dec ) – public key encryption scheme (E,D) – szyfr z kluczem symetrycznym A0A0 A0A0 A1A1 A1A1 B B 1. generates two pairs ( sk 0,pk 0 ) ( sk 1,pk 1 ) C 0, C 1 2. generates a random symmetric key K X := Enc ( pk B, K) 3. computes: K 0 := Dec ( sk 0, X) K 1 := Dec ( sk 1, X) C 0 := E (K 0, A 0 ) C 1 := E (K 1, A 1 ) pk 0, pk 1 4. computes A B as: A B = D (K,C B ) two cases: B=0B=1 K 0 =K random K 1 = random K

42 How to solve the love problem of Alice and Bob using OT? the output of Bob is equal to 1 iff A = B = 1, so it is equal to A and B Bob just outputs it the output of Bob is equal to 1 iff A = B = 1, so it is equal to A and B Bob just outputs it A A B B Sets (A 0,A 1 ) := (0,A) 1-out-of-2 OT A and B works, because: A and B = OT((0,A),B) output A and B

43 Plan 1.Motivation 2.Definitions 3.Information-theoretic impossibility 4.Constructions 1.oblivious transfer 2.computing general circuits 5.Applications

44 How to compute any function? We will now show how Alice and Bob can securely compute any function f. More precisely: they can compute any function that can be computed by a poly-time Boolean circuit.

45 Boolean circuits a0a0 a0a0 a1a1 a1a1 a2a2 a2a2 a3a3 a3a3 b1b1 b1b1 b2b2 b2b2 b3b3 b3b3 b4b4 b4b4 neg and neg and c1c1 c1c1 c2c2 c2c2 c5c5 c5c5 c4c4 c4c4 c3c3 c3c3 input gates output gates conjunciton gates conjunciton gates negation gates depth size: number of gates input of Aliceinput of Bob

46 Ogólna idea Alicja zaszyfruje obwód razem z własnym inputem i prześle go do Boba. Bob doda swój input i obliczy obwód bramka-po-bramce. Zrobią to w taki sposób, że wartości na bramkach pozostają tajne (za wyjątkiem bramek outputu). Założenia upraszczające: Nieuczciwi użytkownicy nie oszukują aktywnie (honest- but-curious) Output będzie poznany tylko przez Boba.

47 Ponumerujmy bramki a0a0 a0a0 a1a1 a1a1 a2a2 a2a2 a3a3 a3a3 b1b1 b1b1 b2b2 b2b2 b3b3 b3b3 b4b4 b4b4 neg and neg and c1c1 c1c1 c2c2 c2c2 c5c5 c5c5 c4c4 c4c4 c3c3 c3c3 funkcja f

48 Krok 1: generacja kluczy or ajaj ajaj and x x y y z z K x,0 K x,1 K y,0 K y,1 K z,0 K z,1 x x y y z z Dla każdej bramki (oprócz outputu) Alicja losuje dwa klucze symetryczne. Alicja nie wysyła tych kluczy do Boba.

49 Pytanie Jak zaszyfrować wiadomość M tak żeby do jej odszyfrowania trzeba było znać dwa klucze: K 0 i K 1 ? Odpowiedź: szyfrować dwukrotnie: E(K 0, E(K 1, M))

50 Krok 2: szyfrowanie kluczy and x x y y z z K x,0 K x,1 K y,0 K z,1 K z,0 K z,1 x x y y z z xyx and Yzaszyfrowane klucze 000 E(K x,0, E(K y,0, K z,0 )) 010 E(K x,0, E(K y,1, K z,0 )) 100 E(K x,1, E(K y,0, K z,0 )) 111 E(K x,1, E(K y,1, K z,1 )) analogicznie dla bramek neg i or

51 Bramki wynikowe out x x y y K x,0 K x, x x y y xszyfrogramy 0 E(K x,0, 0) 1 E(K x,0, 1)

52 Krok 3: wysłanie szyfrogramów zaszyfrowane klucze E(K x,0, E(K y,0, K z,0 )) E(K x,0, E(K y,1, K z,0 )) E(K x,1, E(K y,0, K z,0 )) E(K x,1, E(K y,1, K z,1 )) Dla każdej bramki Alicja losowo permutuje zaszyfrowane klucze i wysyła je do Boba. C z,1 C z,2 C z,3 C z,4

53 Sytuacja: Bob zna 4 szyfrogramy dla każdej bramki C 1,1 C 1,2 C 1,3 C 1,4 C 2,1 C 2,2 C 2,3 C 2,4 C 4,1 C 4,2 C 4,3 C 4,4 C 3,1 C 3,2 C 3,3 C 4,4 C 5,1 C 5,2 C 5,3 C 5,4 and neg and

54 Jak Bob może obliczyć wynik? Metoda: odszyfrować obwód od dołu do góry, aż do uzyskania kluczy szyfrujących wynik. Aby to zrobić Bob musi poznać klucze odpowiadające bramkom wejściowym. Przypomnijmy, że bramki wejściowe dzielą się na: input Boba i input Alicji. a0a0 a0a0 a1a1 a1a1 a2a2 a2a2 a3a3 a3a3 b1b1 b1b1 b2b2 b2b2 b3b3 b3b3 b4b4 b4b4 input Alicji input Boba

55 input Alicji: Z inputem Alicji nie ma problemu Krok 4: Alicja wysyła klucze odpowiadające bitom jej inputu K 1,1 K 3,1 K 2,0 K 4,1 Obserwacja: ponieważ bramki są spermutowane, to Bob nie wie czy dostał klucz odpowiadający zeru czy jedynce.

56 Co zrobić z inputem Boba? Problem 1: Bob nie może poprosić Alicji o przekazanie kluczy odpowiadającym jego bitom inputu (bo zdradziłby jej ten input). Problem 2: Alicja nie może wysłać kluczy odpowiadającym obydwu bitom (bo wtedy Bob mógłby obliczyć f dla dwóch różnych inputów B). Rozwiązanie: 1-out-of-2 Oblivious Transfer! b1b1 b1b1 b2b2 b2b2 b3b3 b3b3 b4b4 b4b K 5,0 K 6,0 K 7,0 K 8,0 K 5,1 K 6,1 K 7,1 K 8,1

57 Metoda Yao - podsumowanie zaszyfrowany(ang. garbled) obwód dla f klucze odpowiadające inputom a 1,…,a n zaszyfrowany(ang. garbled) obwód dla f klucze odpowiadające inputom a 1,…,a n a 1,…,a n b 1,…,b m m razy oblivious transfer (dla każdego bitu b i ) oblicza obwód od dołu do góry i poznaje wynik

58 Problem Do niedawna protokoły wymagały wymiany dużej liczby wiadomości. Np. w protokole Yao Alicja musi wysłać cały zaszyfrowany obwód do Boba. Czy można to zrobić lepiej?

59 Pomysł Jak byśmy umieli skonstruować szyfr homomorficzny ze względu na operacje w ciele to bezpieczne obliczanie funkcji byłoby łatwe. Enc(sk, X) Enc(sk, Y) Enc(sk, X + Y) Enc(sk, X × Y) nie zna sk umie policzyć: ma klucz sk Fully homomorphic encryption: (załóżmy, że zbiór wiadomości jest ciałem z operacjami + i × )

60 Jak obliczyć f za pomocą takiego szyfru? Załóżmy, że szyfr działa nad Z 2. Wówczas koniunkcja logiczna jest mnożeniem, a negacja dodaniem stałej 1. 1.generuje parę (sk,pk) 2.oblicza dla każdego i: c i = Enc(pk,a i ) 1.generuje parę (sk,pk) 2.oblicza dla każdego i: c i = Enc(pk,a i ) input: a 1,…,a n pk, a 1,…,a n input: b 1,…,b n 3.oblicza dla każdego i: d i = Enc(pk,b i ) 4.oblicza f korzystając z homomorfizmu szyfru 3.oblicza dla każdego i: d i = Enc(pk,b i ) 4.oblicza f korzystając z homomorfizmu szyfru wysyła szyfrogram c odpowiadający wynikowi 5.oblicza wynik jako Dec(sk,c)

61 Homomorfizm RSA Homomorfizm ze względu na mnożenie posiadał już szyfr RSA: Enc((N,e), X) × Enc((N,e), Y)= X e × Y e mod N = (X × Y) e mod N = Enc((N,e), X × Y) Znalezienie szyfru homomorficznego ze względu na mnożenie i dodawanie jednocześnie było problemem otwartym od lat 70-tych.

62 Niedawny przełom Craig Gentry [2009] konstrukcja szyfru w pełni homomorficznego w oparciu o teorię krat

63 Wydajność w praktyce? Początkowe wersje koszmarnie niewydajne. Przykład: rozmiar klucza: 2.3 GB, czas generacji klucza: 2 godziny policzenie 1 operacji: 30 minut (czasy mierzone na typowym komputerze PC). Ale jest powstają wydajniejsze wersje.

64 Plan 1.Motivation 2.Definitions 3.Information-theoretic impossibility 4.Constructions 1.oblivious transfer 2.computing general circuits 5.Applications

65 Applications? In practice this protocol is extremely inefficient. But it shows that some things in principle can be done. Research problem Construct protocols (for concrete problems) that are efficient.

66 Example Michael J. Freedman, Kobbi Nissim, Benny Pinkas: Efficient Private Matching and Set Intersection. EUROCRYPT 2004 Set intersection: Alice and Bob want to see which friends they have in common (without revealing to each other their lists of firends) input: set A input: set A input: set B input: set B output: intersection of A and B output: intersection of A and B

67 A natural question? What if the number of parties is greater than 2? Solutions for this also exist!

68 These protocols are used in practice

69 Is the oblivious transfer in Minicrypt? As far as we know: no! public-key encryption exists trap-door permutations exist key exchange protocols exist one way functions exist minicrypt ??? cryptomania oblivious transfer exist ???

70 © 2013 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.


Pobierz ppt "Lecture 13 Two-Party Computation Protocols Stefan Dziembowski www.dziembowski.net MIM UW 11.01.13ver 1.0."

Podobne prezentacje


Reklamy Google