SlideShare a Scribd company logo

Introduction to SMPC

Download as PPT, PDF
securityxploded
securityxploded

Presented by Jitendra Kumar Patel in SecurityXploded cyber security meet. visit: http://www.securitytrainings.net for more information

Related slideshows

Principles of public key cryptography and its Uses
Principles of public key cryptography and its UsesPrinciples of public key cryptography and its Uses
Principles of public key cryptography and its Uses
 
RSA - ENCRYPTION ALGORITHM CRYPTOGRAPHY
RSA - ENCRYPTION ALGORITHM CRYPTOGRAPHYRSA - ENCRYPTION ALGORITHM CRYPTOGRAPHY
RSA - ENCRYPTION ALGORITHM CRYPTOGRAPHY
 
A Novel Key Distribution Scheme f or a Visual Crypto System
A Novel Key Distribution Scheme f or a Visual Crypto SystemA Novel Key Distribution Scheme f or a Visual Crypto System
A Novel Key Distribution Scheme f or a Visual Crypto System
 
1 of 26
Introduction to SMPC Jitendra Kumar Patel Saturday, January 30, 2016 Secure Multi-Party Computation
Jitendra Patel ... ?  M.Tech from International Institute of Information Technology, Bangalore (Pursuing)  Experience in Teaching ( 3+ years)  Worked as an Offline Instructor at Innobuzz Knowledge Solutions - Delhi, Classroom faculty at Oviyans Infotech – Indore, Trainer at Osinfotech – Indore, Performance Engineering R&D at RedHat, Bangalore.  Research interest in Ethical Hacking, Network Security, Reverse Engineering, Wireless Security, Technical Analysis, Bitcoin Blockchain Technology, SMPC  Tech Enthusiast
Agenda of the Talk... ?  Story  What is Secure Multi Party Computation ?  The Millionaires Problem and Few real world problems  Adversary classification  Issues and desirable properties from SMPC  Few SMPC Terminologies/Techniques  What is next ?
Should I invite herfora cup of coffee… ? Alice and Bob meet accidentally. Both don’t know India. Both are tourists. Bob is lost. He would like to ask Alice for the way to his guest house. And maybe whether she would like to drink a hot coffee with him. But he doesn’t know her. And if she says no? “I would ask her, if only I knew that she would accept”, he thinks. But he is shy. Too shy. Alice is lost as well. She would like to ask Bob for the way to the hostel. And maybe whether Bob would not be willing to accompany her. It’s already getting dark. She would of course then invite him for a cup of hot milk with honey. And some banana cake. In order to thank him. And maybe...who knows. But what if he says no? Should she dare to ask? “If I knew that he would not laugh at me, I would ask”. But Alice is shy. Too shy. They cross each other. Watching each other. Not asking each other. Finally, they both find their way. Bob to his guest house, Alice to the hostel. The wrong way. They will never meet Again. If only they would know the techniques of secure multi-party computation. Story
Secure Multi Party Computation… ? Also known as secure computation or multi-party computation Fundamental problem in distributed computing and cryptography Definition - Set of n parties - Some are faulty/corrupted - Do not trust each other - Still parties wish to compute some function - Private local inputs (Privacy) - Public Output (Correctness)
The Millionaires Problem P r o t o c o l s f o r S  Y a o ’ sX $ Y $ ? < = > F  F o r m u l a t e d b y T u
Real World Problem….?  Online Dating  Electronic Voting  Privacy-preserving Statistics [ ex: satellite collision ]  Privacy-preserving Database Operations  Benchmarking  Privacy-preserving data mining  Secure e-auction
Secure Function Evaluation  A set of (two or more) parties with private inputs wish to compute some joint function of their inputs.  Parties wish to preserve some security properties. E.g., privacy and correctness. – Example: Computing the maximum  Many results depending on – Number of players – Means of communication – the power and MODEL of the adversary – how the function is REPRESENTED
The Security Definition IDEALREAL Trusted party Protocol interaction For every real adversary A there exists an adversary S ≈
Computational Setting  Any two-party function can be securely computed in the semi- honest adversarial model [Yao]  Any multiparty function can be securely computed in the malicious model, for any number of corrupted parties [GMW]
Adversary Classification ... ? Nature of Adversary : Passive Fail-stop Active Mixed Mobility : Static Adaptive/Dynamic: Mobile Corruption Capacity : Threshold Non-threshold Computational Resources : Bounded Unbounded
Issues with the Design of SMPC…? Possibility : What are the necessary and sufficient conditions for the existence of a protocol in a given network? Feasibility : Does there exist a polynomial time and efficient protocol ? (We assume that the protocol exists). Optimality : How do we design a protocol whose total complexities (communication and round) match their respective lower bound?
Desirable Properties of a SMPC…?  Correctness  Privacy  Input Independence  Robustness  Fairness
SMPC Terminologies/Techniques…? Semi Honest Adversary Garbled Circuit Oblivious Transfer Secret Sharing Verifiable Secret Sharing Commitment Schemes
Garbled Circuit…? We can garble a circuit (hide its structure) so that two parties, sender and receiver, can learn the output of the circuit and nothing else. At a high level, the sender prepares the garbled circuit and sends it to the receiver, who obliviously evaluates the circuit, learning the encodings corresponding to both his and the senders output. He then just sends back the senders encodings, allowing the sender to compute his part of the output. The sender sends the mapping from the receivers output encodings to bits to the receiver, allowing the receiver to obtain their output. Ref : Wikipedia
Semi-Honest Construction 1-out-of-2 Oblivious Transfer (OT)  Inputs – Sender has two messages m0 and m1 – Receiver has a single bit σ∈{0,1}  Outputs – Sender receives nothing – Receiver obtain mσ and learns nothing of m1-σ
Semi-Honest OT  Let (G,E,D) be a public-key encryption scheme – G is a key-generation algorithm (pk,sk) ← G – Encryption: c = Epk(m) – Decryption: m = Dsk(c)  Assume that a public-key can be sampled without knowledge of its secret key: – Oblivious key generation: pk ← OG – El-Gamal encryption has this property
Semi-Honest OT Protocol for Oblivious Transfer  Receiver (with input σ): – Receiver chooses one key-pair (pk,sk) and one public-key pk’ (obliviously of secret-key). – Receiver sets pkσ = pk, pk1-σ = pk’ – Note: receiver can decrypt for pkσ but not for pk1-σ – Receiver sends pk0,pk1 to sender  Sender (with input m0,m1): – Sends receiver c0=Epk0(m0), c1=Epk1(m1)  Receiver: – Decrypts cσ using sk and obtains mσ.
Security Proof  Intuition: – Sender's view consists only of two public keys pk0 and pk1. Therefore, it doesn't learn anything about that value of σ. – The receiver only knows one secret-key and so can only learn one message  Formally: – Sender's view is independent of receiver's input and so can easily be simulated (just give it 2 keys) – Receiver's view can be simulated by obtaining the output m and sending it Epk0(m),Epk1(m).  Note: Assumes semi-honest behavior. A malicious receiver can choose two keys together with theirsecret keys.
Secret Sharing.... ? In secret sharing - Dealer who shares a secret among a group of n parties - Sharing Phase - Reconstruction Phase The requirements are that : - For t <n, any set of t colluding parties - No information about the dealer’s secret at the end of the sharing - Any set of t+1 parties can recover the dealer’s secret Assumption : - The dealer is honest
Verifiable Secret Sharing (VSS) .... ? Just like secret sharing but requires : - No matter what a cheating dealer does (in conjunction with t other colluding parties), there is some unique secret to which the dealer is “committed” by the end of the sharing phase. Perfect VSS, where the security guarantees are : - Unconditional - Privacy is perfect - Protocol is error-free. Perfect VSS is known to be possible if and only if t < n/3
Whats Cooking in the Kitchen ... ?  Bitcoin and Block Chain Technologies  Yao's Millionaire Problem and Proposed Solution  Secret Sharing and VSS (almost done but still need help)  Secure 2 Party Computation (AES) (protocol implementation)  GMW Protocol  Efficient Micro-payments with Bitcoins (current research)
References - 1 ... Y. Lindell and B. PinkasY. Lindell and B. Pinkas A Proof of Yao's Protocol for Secure Two-Party Computation (Paper)A Proof of Yao's Protocol for Secure Two-Party Computation (Paper) Iftach HaitnerIftach Haitner Implementing Oblivious Transfer Using Collection of Dense Trapdoor Permutations (Paper)Implementing Oblivious Transfer Using Collection of Dense Trapdoor Permutations (Paper) Yan Huang, David Evans, Jonathan Katz, Lior MalkaYan Huang, David Evans, Jonathan Katz, Lior Malka Faster Secure Two-Party Computation Using Garbled Circuits (Paper)Faster Secure Two-Party Computation Using Garbled Circuits (Paper) Ninghui Li , Purdue UniversityNinghui Li , Purdue University Topic 24: Secure Function Evaluation (Slides)Topic 24: Secure Function Evaluation (Slides) Benny Pinkas, HP Labs, PrincetonBenny Pinkas, HP Labs, Princeton Introduction to Secure Computation (Slides)Introduction to Secure Computation (Slides) Moni Naor , Weizmann Institute of ScienceMoni Naor , Weizmann Institute of Science Lecture 15: Oblivious Transfer and Secure Function Evaluation (Slides)Lecture 15: Oblivious Transfer and Secure Function Evaluation (Slides) Scribes from Dr. Ashish Choudhury lecturesScribes from Dr. Ashish Choudhury lectures https://sites.google.com/site/ashishcrypto/Courses/2015-cs-nc-813https://sites.google.com/site/ashishcrypto/Courses/2015-cs-nc-813 ApologiesApologies for Others unmentioned sources from internet for articles and referencesfor Others unmentioned sources from internet for articles and references
References -2 ... Improving The Round Complexity of VSS in Point-To-Point Networks Jonathan Katz Chiu-Yuen Koob Department of Computer Science, University of Maryland, College Park, MD 20742, USA Ranjit Kumaresana Google Labs, Mountain View, CA 94043, USA Link : http://www.journals.elsevier.com/information-and-computation
Jitendra Kumar Patel www.jitendrapatel.in jitendra.dinesh@gmail.com @bewithjitendra facebook.com/bewithjitendrapatel Saturday, January 30, 2016
Introduction to SMPC

More Related Content

Introduction to SMPC

  • 1. Introduction to SMPC Jitendra Kumar Patel Saturday, January 30, 2016 Secure Multi-Party Computation
  • 2. Jitendra Patel ... ?  M.Tech from International Institute of Information Technology, Bangalore (Pursuing)  Experience in Teaching ( 3+ years)  Worked as an Offline Instructor at Innobuzz Knowledge Solutions - Delhi, Classroom faculty at Oviyans Infotech – Indore, Trainer at Osinfotech – Indore, Performance Engineering R&D at RedHat, Bangalore.  Research interest in Ethical Hacking, Network Security, Reverse Engineering, Wireless Security, Technical Analysis, Bitcoin Blockchain Technology, SMPC  Tech Enthusiast
  • 3. Agenda of the Talk... ?  Story  What is Secure Multi Party Computation ?  The Millionaires Problem and Few real world problems  Adversary classification  Issues and desirable properties from SMPC  Few SMPC Terminologies/Techniques  What is next ?
  • 4. Should I invite herfora cup of coffee… ? Alice and Bob meet accidentally. Both don’t know India. Both are tourists. Bob is lost. He would like to ask Alice for the way to his guest house. And maybe whether she would like to drink a hot coffee with him. But he doesn’t know her. And if she says no? “I would ask her, if only I knew that she would accept”, he thinks. But he is shy. Too shy. Alice is lost as well. She would like to ask Bob for the way to the hostel. And maybe whether Bob would not be willing to accompany her. It’s already getting dark. She would of course then invite him for a cup of hot milk with honey. And some banana cake. In order to thank him. And maybe...who knows. But what if he says no? Should she dare to ask? “If I knew that he would not laugh at me, I would ask”. But Alice is shy. Too shy. They cross each other. Watching each other. Not asking each other. Finally, they both find their way. Bob to his guest house, Alice to the hostel. The wrong way. They will never meet Again. If only they would know the techniques of secure multi-party computation. Story
  • 5. Secure Multi Party Computation… ? Also known as secure computation or multi-party computation Fundamental problem in distributed computing and cryptography Definition - Set of n parties - Some are faulty/corrupted - Do not trust each other - Still parties wish to compute some function - Private local inputs (Privacy) - Public Output (Correctness)
  • 7. Real World Problem….?  Online Dating  Electronic Voting  Privacy-preserving Statistics [ ex: satellite collision ]  Privacy-preserving Database Operations  Benchmarking  Privacy-preserving data mining  Secure e-auction
  • 8. Secure Function Evaluation  A set of (two or more) parties with private inputs wish to compute some joint function of their inputs.  Parties wish to preserve some security properties. E.g., privacy and correctness. – Example: Computing the maximum  Many results depending on – Number of players – Means of communication – the power and MODEL of the adversary – how the function is REPRESENTED
  • 9. The Security Definition IDEALREAL Trusted party Protocol interaction For every real adversary A there exists an adversary S ≈
  • 10. Computational Setting  Any two-party function can be securely computed in the semi- honest adversarial model [Yao]  Any multiparty function can be securely computed in the malicious model, for any number of corrupted parties [GMW]
  • 11. Adversary Classification ... ? Nature of Adversary : Passive Fail-stop Active Mixed Mobility : Static Adaptive/Dynamic: Mobile Corruption Capacity : Threshold Non-threshold Computational Resources : Bounded Unbounded
  • 12. Issues with the Design of SMPC…? Possibility : What are the necessary and sufficient conditions for the existence of a protocol in a given network? Feasibility : Does there exist a polynomial time and efficient protocol ? (We assume that the protocol exists). Optimality : How do we design a protocol whose total complexities (communication and round) match their respective lower bound?
  • 13. Desirable Properties of a SMPC…?  Correctness  Privacy  Input Independence  Robustness  Fairness
  • 14. SMPC Terminologies/Techniques…? Semi Honest Adversary Garbled Circuit Oblivious Transfer Secret Sharing Verifiable Secret Sharing Commitment Schemes
  • 15. Garbled Circuit…? We can garble a circuit (hide its structure) so that two parties, sender and receiver, can learn the output of the circuit and nothing else. At a high level, the sender prepares the garbled circuit and sends it to the receiver, who obliviously evaluates the circuit, learning the encodings corresponding to both his and the senders output. He then just sends back the senders encodings, allowing the sender to compute his part of the output. The sender sends the mapping from the receivers output encodings to bits to the receiver, allowing the receiver to obtain their output. Ref : Wikipedia
  • 16. Semi-Honest Construction 1-out-of-2 Oblivious Transfer (OT)  Inputs – Sender has two messages m0 and m1 – Receiver has a single bit σ∈{0,1}  Outputs – Sender receives nothing – Receiver obtain mσ and learns nothing of m1-σ
  • 17. Semi-Honest OT  Let (G,E,D) be a public-key encryption scheme – G is a key-generation algorithm (pk,sk) ← G – Encryption: c = Epk(m) – Decryption: m = Dsk(c)  Assume that a public-key can be sampled without knowledge of its secret key: – Oblivious key generation: pk ← OG – El-Gamal encryption has this property
  • 18. Semi-Honest OT Protocol for Oblivious Transfer  Receiver (with input σ): – Receiver chooses one key-pair (pk,sk) and one public-key pk’ (obliviously of secret-key). – Receiver sets pkσ = pk, pk1-σ = pk’ – Note: receiver can decrypt for pkσ but not for pk1-σ – Receiver sends pk0,pk1 to sender  Sender (with input m0,m1): – Sends receiver c0=Epk0(m0), c1=Epk1(m1)  Receiver: – Decrypts cσ using sk and obtains mσ.
  • 19. Security Proof  Intuition: – Sender's view consists only of two public keys pk0 and pk1. Therefore, it doesn't learn anything about that value of σ. – The receiver only knows one secret-key and so can only learn one message  Formally: – Sender's view is independent of receiver's input and so can easily be simulated (just give it 2 keys) – Receiver's view can be simulated by obtaining the output m and sending it Epk0(m),Epk1(m).  Note: Assumes semi-honest behavior. A malicious receiver can choose two keys together with theirsecret keys.
  • 20. Secret Sharing.... ? In secret sharing - Dealer who shares a secret among a group of n parties - Sharing Phase - Reconstruction Phase The requirements are that : - For t <n, any set of t colluding parties - No information about the dealer’s secret at the end of the sharing - Any set of t+1 parties can recover the dealer’s secret Assumption : - The dealer is honest
  • 21. Verifiable Secret Sharing (VSS) .... ? Just like secret sharing but requires : - No matter what a cheating dealer does (in conjunction with t other colluding parties), there is some unique secret to which the dealer is “committed” by the end of the sharing phase. Perfect VSS, where the security guarantees are : - Unconditional - Privacy is perfect - Protocol is error-free. Perfect VSS is known to be possible if and only if t < n/3
  • 22. Whats Cooking in the Kitchen ... ?  Bitcoin and Block Chain Technologies  Yao's Millionaire Problem and Proposed Solution  Secret Sharing and VSS (almost done but still need help)  Secure 2 Party Computation (AES) (protocol implementation)  GMW Protocol  Efficient Micro-payments with Bitcoins (current research)
  • 23. References - 1 ... Y. Lindell and B. PinkasY. Lindell and B. Pinkas A Proof of Yao's Protocol for Secure Two-Party Computation (Paper)A Proof of Yao's Protocol for Secure Two-Party Computation (Paper) Iftach HaitnerIftach Haitner Implementing Oblivious Transfer Using Collection of Dense Trapdoor Permutations (Paper)Implementing Oblivious Transfer Using Collection of Dense Trapdoor Permutations (Paper) Yan Huang, David Evans, Jonathan Katz, Lior MalkaYan Huang, David Evans, Jonathan Katz, Lior Malka Faster Secure Two-Party Computation Using Garbled Circuits (Paper)Faster Secure Two-Party Computation Using Garbled Circuits (Paper) Ninghui Li , Purdue UniversityNinghui Li , Purdue University Topic 24: Secure Function Evaluation (Slides)Topic 24: Secure Function Evaluation (Slides) Benny Pinkas, HP Labs, PrincetonBenny Pinkas, HP Labs, Princeton Introduction to Secure Computation (Slides)Introduction to Secure Computation (Slides) Moni Naor , Weizmann Institute of ScienceMoni Naor , Weizmann Institute of Science Lecture 15: Oblivious Transfer and Secure Function Evaluation (Slides)Lecture 15: Oblivious Transfer and Secure Function Evaluation (Slides) Scribes from Dr. Ashish Choudhury lecturesScribes from Dr. Ashish Choudhury lectures https://sites.google.com/site/ashishcrypto/Courses/2015-cs-nc-813https://sites.google.com/site/ashishcrypto/Courses/2015-cs-nc-813 ApologiesApologies for Others unmentioned sources from internet for articles and referencesfor Others unmentioned sources from internet for articles and references
  • 24. References -2 ... Improving The Round Complexity of VSS in Point-To-Point Networks Jonathan Katz Chiu-Yuen Koob Department of Computer Science, University of Maryland, College Park, MD 20742, USA Ranjit Kumaresana Google Labs, Mountain View, CA 94043, USA Link : http://www.journals.elsevier.com/information-and-computation