1. Lecture 10 Multi-party Computation Protocols Stefan Dziembowski University of Rome La Sapienza
3. Multi-party computations (MPC). A group of parties P1, ..., P5 with private inputs a1, ..., a5 wants to compute some value f(a1, a2, a3, a4, a5) for a publicly-known f; every party obtains the output f(a1, a2, a3, a4, a5). Before we considered this problem for n = 2 parties. Now we are interested in arbitrary groups of n parties.
4. Examples. A group of millionaires wants to compute how much money they own together: f(a1, a2, a3, a4, a5) = a1 + a2 + a3 + a4 + a5. Another example: voting.
5. The general settings. Each pair of parties is connected by a secure channel (assume also that the network is synchronous). Some parties may be corrupted, and the corrupted parties may act in coalition.
7. Threshold adversaries. In the two-party case we considered an adversary that could corrupt one of the players. Now we assume that the adversary can corrupt some subset of the players. The simplest case: fix some threshold t < n and allow the adversary to corrupt up to t players.
12. The "real" scenario: the parties P1, ..., P5, holding inputs a1, ..., a5, run the protocol π among themselves, and every party ends with the output f(a1, ..., a5).
13. The "ideal" scenario: the parties P1, ..., P5 hand their inputs a1, ..., a5 to a trusted party that computes f and returns the output f(a1, ..., a5) to every party.
17. (Figure: simulating an 8-party protocol between two parties.) Alice simulates P1, ..., P4, setting a1 := A and a2 := a3 := a4 := 1; Bob simulates P5, ..., P8, setting a5 := B and a6 := a7 := a8 := 1. The "internal" messages (between parties simulated by the same person) are not sent outside; only the "external" messages are exchanged between Alice and Bob.
20. A broadcast channel. The sender sends a message m, and every player receives the same message m (even if the sender is malicious).
22. Fact. In the information-theoretic setting, a broadcast channel can be "emulated" by a multiparty protocol over the secure point-to-point channels, as long as fewer than n/3 players are actively corrupted.
28. Arithmetic circuits. (Figure.) A circuit over a finite field with input gates a0, ..., a7, addition gates (+), multiplication gates (*), and output gates c1, ..., c5.
32. Shamir's secret sharing [1/2]. Suppose that s is an element of some finite field F such that |F| > n. Let f be a random polynomial of degree m-1 over F such that f(0) = s. Sharing: party P_i receives the share f(i), for i = 1, ..., n (the evaluation points 1, ..., n are distinct non-zero field elements).
35. Polynomials are homomorphic with respect to addition. If f is a sharing of s (f(0) = s) and g is a sharing of t (g(0) = t), both polynomials of degree t, then f + g is a polynomial of degree at most t with (f + g)(0) = s + t. So the values f(1) + g(1), ..., f(n) + g(n) form a sharing of s + t with the same degree.
36. Addition. From a sharing of secret a and a sharing of secret b the parties obtain a sharing of secret a + b. They can compute it non-interactively, by adding their shares locally!
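The sharing of slide 32 and the local addition of slides 35 and 36, as an added worked example in Python (my code, not from the lecture). It assumes the field GF(p) for the prime p = 2^61 - 1, party P_i holding the point f(i), and it writes the polynomial degree as t, so t+1 shares reconstruct (this matches the threshold adversary of slide 7; slide 32 writes the same quantity as m-1). It also shows why t shares carry no information about s: any t shares can be extended to a complete sharing of whatever secret one likes, so the adversary's view is consistent with every secret.

```python
"""Shamir secret sharing over GF(p) with local share addition.

Added example, not from the lecture slides.  Assumptions: p = 2**61 - 1
(any prime larger than n works), party P_i holds f(i), and t is the
polynomial degree, so t+1 shares reconstruct and t shares reveal nothing.
"""
import secrets

P = 2**61 - 1  # Mersenne prime; |F| > n for any realistic number of parties


def eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x**k) in GF(P)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def share(s, n, t):
    """Split secret s among n parties so that any t+1 shares reconstruct it."""
    assert 0 <= s < P and 0 <= t < n < P
    # f(x) = s + c1*x + ... + ct*x^t with uniformly random c1..ct, so f(0) = s
    coeffs = [s] + [secrets.randbelow(P) for _ in range(t)]
    return [(i, eval_poly(coeffs, i)) for i in range(1, n + 1)]


def reconstruct(shares, x0=0):
    """Lagrange interpolation at x0 through the (i, f(i)) pairs in `shares`."""
    total = 0
    for i, yi in shares:
        num, den = 1, 1
        for j, _ in shares:
            if j != i:
                num = num * (x0 - j) % P
                den = den * (i - j) % P
        # den != 0 because the evaluation points are distinct; P is prime
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def add_shares(shares_a, shares_b):
    """Each party adds its two shares locally; no message is sent."""
    return [(i, (ya + yb) % P)
            for (i, ya), (j, yb) in zip(shares_a, shares_b) if i == j]


def extend_to_sharing(t_shares, guess, n):
    """Given only t shares, build a full n-party sharing of `guess` that agrees with them.

    The unique degree-<=t polynomial through (0, guess) and the t known points
    exists for every guess, which is exactly why t shares leak nothing about s.
    """
    pts = [(0, guess)] + list(t_shares)
    return [(i, reconstruct(pts, i)) for i in range(1, n + 1)]


if __name__ == "__main__":
    n, t = 5, 2
    sh = share(4242, n, t)
    print("from 3 shares:", reconstruct(sh[:3]))
    sa, sb = share(100, n, t), share(P - 1, n, t)
    print("sum of secrets:", reconstruct(add_shares(sa, sb)[:3]))
    print("2 shares extended to a sharing of 777:",
          reconstruct(extend_to_sharing(sh[:t], 777, n)[t:]))
```

`reconstruct` with fewer than t+1 shares interpolates a lower-degree polynomial and returns garbage rather than an error; a real implementation should check the share count (and, against active corruptions, verify the shares), since a wrong reconstruction is silent.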
43. General adversary structures. Sometimes assuming that the adversary can corrupt up to t parties is not general enough. It is better to consider an arbitrary family of subsets of the parties that the adversary may corrupt (an adversary structure).
47. A generalization of the classical results [Martin Hirt, Ueli M. Maurer: Player Simulation and General Adversary Structures in Perfect Multiparty Computation. J. Cryptology, 2000]

setting                              | adversary type | condition | generalized condition
information-theoretic                | passive        | t < n/2   | Q2
information-theoretic                | active         | t < n/3   | Q3
information-theoretic with broadcast | active         | t < n/2   | Q2

Here Qk means that no k sets of the adversary structure together cover the whole set of players. The threshold structure "any set of at most t players" satisfies Q2 exactly when t < n/2 and Q3 exactly when t < n/3, so each generalized condition contains the classical one.
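The Q2 and Q3 conditions from the table, as an added Python example (my code, not from the paper or the lecture). It represents an adversary structure by its maximal sets, checks Qk by brute force, and uses a constructed four-player structure with maximal sets {P1,P2}, {P3}, {P4} to show the point of the generalization: that structure satisfies Q2, so it falls under the first row of the table, while the smallest threshold that covers it (t = 2 of n = 4) does not satisfy t < n/2.

```python
"""Checking the Qk conditions of Hirt and Maurer on an adversary structure.

Added example, not from the lecture.  An adversary structure is the family
of player sets the adversary may corrupt; it is closed under subsets, so
listing its maximal sets is enough.  Qk holds iff no k of its sets together
cover all the players.  Player sets below are constructed for illustration.
"""
from itertools import combinations, combinations_with_replacement


def threshold_structure(players, t):
    """Maximal sets of the classical structure 'at most t corrupted'."""
    return [frozenset(c) for c in combinations(players, t)]


def is_qk(players, structure, k):
    """True iff no k sets of `structure` (repetition allowed) cover all players."""
    everyone = frozenset(players)
    for sets in combinations_with_replacement(structure, k):
        if frozenset().union(*sets) == everyone:
            return False
    return True


def threshold_condition(n, t, k):
    """The classical condition from the table: t < n/k."""
    return k * t < n


def min_covering_threshold(structure):
    """Smallest t such that a threshold-t adversary can corrupt every set in `structure`."""
    return max(len(s) for s in structure)


if __name__ == "__main__":
    five = [1, 2, 3, 4, 5]
    for t in range(1, 4):
        print(f"n=5, t={t}: Q2={is_qk(five, threshold_structure(five, t), 2)}"
              f" (t<n/2: {threshold_condition(5, t, 2)}),"
              f" Q3={is_qk(five, threshold_structure(five, t), 3)}"
              f" (t<n/3: {threshold_condition(5, t, 3)})")
    four = [1, 2, 3, 4]
    custom = [frozenset({1, 2}), frozenset({3}), frozenset({4})]  # constructed
    print("custom structure is Q2:", is_qk(four, custom, 2))
    t = min_covering_threshold(custom)
    print(f"covering threshold t={t} satisfies t<n/2:", threshold_condition(4, t, 2))
```

The brute-force check is exponential in the size of the structure, which is fine for a lecture-sized example but not for large player sets; that blow-up is exactly what the "Why?" discussion of adversary structures is about.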
49. Why? Consider the players {P1, ..., Pn} (suppose n is even) and let X := the family of all sets of cardinality n/2. Inclusion is a partial order on the set of subsets of {P1, ..., Pn}.