COVERT MULTI-PARTY COMPUTATION

YINMENG ZHANG

ALADDIN REU 2005

LUIS VON AHN, MANUEL BLUM

JUST THE ANSWER PLEASE

WHAT CAN WE KEEP SECRET?

• INPUTS

• PARTICIPATION [FROM OUTSIDERS]

• PARTICIPATION [FROM EACH OTHER]

[DIAGRAM: R1, R2, R3 AND SECRET + R1 + R2 + R3]

SECURE COMPUTATION

KEEP INPUTS SECRET

• SPLIT THE SECRETS INTO RANDOM SHARES

• 2-PARTY COMPUTE ON SHARES

• RECOMBINE

[DIAGRAM: R1, R2, R3 AND ANSWER + R1 + R2 + R3]

STEGANOGRAPHY

EXTERNAL COVERTNESS

EXTERNAL OBSERVERS DON’T NOTICE ANYTHING

WEATHER SURE IS NICE

• THINK OF IT AS A CLEVER HASH

10011

WE CAN HASH ANY MESSAGE [EVEN IF THE SENDER HONESTLY WANTED TO TALK ABOUT THE WEATHER]

CAN WE DO SOMETHING CLEVER WITH THAT?

COVERT COMPUTATION

INTERNAL COVERTNESS

EVEN THE OTHER PARTIES DON’T KNOW YOU’RE COMPUTING!

WEATHER SURE IS NICE

RANDOM OR PSEUDO-RANDOM ???

• WHAT DO YOU MEAN “DON’T KNOW”?

THREE DEFINITIONS AND PROOFS/DISPROOFS OF FEASIBILITY

COVERT TWO PARTY COMPUTATION: VON AHN, HOPPER, LANGFORD

COVERT TWO-PARTY COMPUTATION

EXTERNAL COVERTNESS

NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL

INTERNAL COVERTNESS

AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS

ASSOCIATE REVEALING OTHER PARTIES WITH SUCCESSFUL OUTPUT

COULD WE GET THE ANSWER WITHOUT EVER REVEALING WHO WAS COMPUTING?

A SIMPLE WORLD [GIVEN STEGO]

01101 01111

1100101001

10000 11100

1010110100

• A ROOM OF SLEEPING PARTIES SNORING 0s AND 1s AT RANDOM

• SOME PARTIES ARE AWAKE AND “SNORING” PSEUDO-RANDOMLY

COULD WE GET THE ANSWER WITHOUT REVEALING GUILT?

• AT THE END OF THE PROTOCOL:
– OUR INPUT
– THE ANSWER
– TRANSCRIPT OF ALL COMMUNICATIONS

• PROTOCOL SHOULD GIVE:
– ANSWER WRONG WITH NEGLIGIBLE [<1/POLY] PROBABILITY
– NEGLIGIBLY BETTER CHANCE OF GUESSING WHO’S ASLEEP THAN WITH JUST INPUT AND ANSWER

COULD WE GET THE ANSWER WITHOUT REVEALING GUILT?

EXAMPLE: VOTING IN A SECRET ORGANIZATION

IF, SAY, MORE THAN HALF THE PEOPLE ARE PARTICIPATING, CAN WE DETERMINE A NEW LEADER?

• INFORMATION THEORY POV

• COMPUTATIONAL COMPLEXITY POV

NO.

SIMPLIFYING FURTHER: AWAKE PARTY’S POINT OF VIEW

W

S/W W/S

• THREE PLAYERS

• FORGET ABOUT HIDING INPUTS [SAY WE ARE CALCULATING THE XOR]

• ONE PERSON IS ASLEEP; CAN I TELL WHICH?

THOUGHT EXPERIMENT: INFORMATION THEORETIC VIEW

W:A BIT

S/W W/S

THE OTHER BIT

• INFORMATION GETS TO THE AWAKE PARTY

• ONE CHANNEL IS RANDOM - THE OTHER MUST NOT BE!

COMPUTATIONAL COMPLEXITY VIEW

• EVEN PUBLIC KEY CRYPTO BREAKS IN INFORMATION THEORETIC MODEL

• IDEA: NORMALLY, WE CAN’T MODEL THE OTHER PARTIES – BUT SNORING IS JUST RANDOM

• THE AWAKE PARTY’S ALGORITHM SHOULD WORK REGARDLESS OF SNORER’S INPUT

COMPUTATIONAL COMPLEXITY VIEW: PROOF IDEA

• CONSIDER THE LAST ROUND OF COMMUNICATION

• WHAT HAPPENS IF WE REPLACE ONE OF THE MESSAGES WITH RANDOM NOISE?

• IF THE ALGORITHM DOESN’T BREAK – THE LAST ROUND WASN’T HELPFUL!

THAT’S NOT RANDOM

I GUESS EVERYONE’S AWAKE

CHANGE OF DEFINITION

• CONCLUSION: SNORING PEOPLE SUCK

• TOO HARD TO PROTECT THEM!

• COULD WE HAVE INDISTINGUISHABLE PARTIES UNLESS A NON-RANDOM ANSWER IS OUTPUTTED?

RESULT: 111111

ASSOCIATE REVEALING OTHER PARTIES WITH SUCCESSFUL OUTPUT

YES.

COVERT COMPUTATION

SNORERS GIVE RANDOM RESULTS

• A BAD COMPUTATION

• THROWS EVERYTHING ELSE OFF

• RESULT RANDOM

• SPLIT THE SECRETS INTO RANDOM SHARES

• COVERT 2-PARTY COMPUTE ON SHARES

• RECOMBINE
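
ADDED EXAMPLE (NOT FROM THE ORIGINAL SLIDES): A TOY VERSION OF SPLIT / COMPUTE ON SHARES / RECOMBINE FOR A SUM, SHOWING THAT ONE SNORER MAKES THE RECOMBINED RESULT UNIFORMLY RANDOM. THE NAMES `split`, `run_sum`, `MOD` AND THE ADDITIVE SHARING ARE ASSUMPTIONS OF THIS EXAMPLE; IT MODELS ONLY THE RANDOM-RESULT PROPERTY, NOT THE COVERT 2-PARTY SUBPROTOCOL.

```python
import secrets

MOD = 2**32  # assumed share modulus (example choice, not from the slides)

def split(secret, n):
    """Additive sharing: n values that sum to secret mod MOD; any n-1 are uniform."""
    shares = [secrets.randbelow(MOD) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % MOD)
    return shares

def run_sum(inputs, asleep=frozenset()):
    """Toy n-party sum. Party i sends one share of its input to every party j;
    party j adds what it received and publishes that partial sum.
    A party in `asleep` snores: every message it emits is uniform random."""
    n = len(inputs)
    sent = []  # sent[i][j] = message from party i to party j
    for i, x in enumerate(inputs):
        if i in asleep:
            sent.append([secrets.randbelow(MOD) for _ in range(n)])
        else:
            sent.append(split(x % MOD, n))
    partials = []
    for j in range(n):
        if j in asleep:
            partials.append(secrets.randbelow(MOD))  # snored partial sum
        else:
            partials.append(sum(sent[i][j] for i in range(n)) % MOD)
    return sum(partials) % MOD  # recombine

if __name__ == "__main__":
    votes = [3, 5, 7]  # constructed sample inputs
    print("all awake:", run_sum(votes))
    for _ in range(3):
        # One snorer throws the whole computation off: output is random.
        print("party 1 asleep:", run_sum(votes, asleep={1}))
```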

MALICIOUS PARTIES

• SNORERS ARE A KIND OF MALICIOUS PARTY

• YET WE WANT TO PROTECT THEM [IF WE KNOW THE SNORERS, THEN WE KNOW WHO WAS AWAKE]

• CAN WE FIDDLE THE DEFINITION INTO HANDLING MALICIOUS PARTIES SENSIBLY?

THANK YOU!