Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation YE Jian-wei March 7, 2009


Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation

YE Jian-wei

March 7, 2009

outline

• Full fair secure two-party computation
– Problem
– Existing methods

• Our method
– Overview
– Advantages
– Cryptography foundation
– New Full Fair Secure Two-party Computation Protocol

Full fair secure two-party computation ——problem

Two parties, A with input x and B with input y, jointly compute a two-output function

f(x,y)=(fA(x,y), fB(x,y))

• Secure:

A learns only x and fA(x,y)

B learns only y and fB(x,y)

• Fair:

A learns fA(x,y) iff B learns fB(x,y)

• For security
– Garbled circuit computation

• For fairness
– gradual release technique
– Methods employing trusted third party

Full fair secure two-party computation ——existing methods

• gradual release technique

Without third parties

at the cost of many rounds of interaction

impossible to get full fairness

Full fair secure two-party computation ——existing methods

• Methods employing trusted third party

full fairness

the trusted third party must be neutral (doesn’t collude with A or B)

single point of failure

the performance bottleneck


Our method——overview

• full fairness

• employ Yao’s garbled circuit computation for security

• employ a group of servers as the third party for full fairness

Our method——advantages

1. Weakening the trust assumption.

Our method doesn’t require all third-party servers to be trusted; it only requires that more than two-thirds of them are honest.

2. Protection against collusion.

Our method keeps fairness when fewer than one-third of the servers are dishonest (or malicious) and collude with either party.

Our method——advantages

3. Fault-tolerance.

In our method, not all servers must be available at all times. More precisely, when the number of dishonest servers is m, only 3m+1 servers need to be available simultaneously.

Our method——Cryptography foundation

1. Garbled circuit computation

2. Verifiable encryption scheme of Jarecki and Shmatikov (sCS encryption scheme)

3. zero-knowledge proof (ZKP) protocols of Jarecki and Shmatikov

4. Verifiable threshold secret sharing (VTSS) scheme of Pedersen

Garbled circuit computation

1. A constructs a boolean circuit, C, computing f(x,y)

2. A garbles C to GC

3. A sends GC, the garbled x and the cleartext interpretation of fB(x,y) to B

4. B gets the garbled y from A

5. B evaluates GC and gets its output, the garbled fA(x,y) and the garbled fB(x,y)

6. B ungarbles the garbled fB(x,y) to get fB(x,y) using the cleartext interpretation of fB(x,y)

7. B sends the garbled fA(x,y) to A

8. A ungarbles the garbled fA(x,y) to get fA(x,y)
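Steps 1 to 8 above as an added example (not code from the original slides): a hash-based garbling of two one-gate "circuits" for a constructed toy function f(x,y) = (fA, fB) = (x AND y, x XOR y), where A sends B only the cleartext interpretation of fB's output wire and keeps fA's, so B can decode his own bit but must hand A the opaque key for fA. Oblivious transfer for step 4 is not modelled; B is simply given the key for his bit.

```python
import hashlib
import secrets

def row_pad(kx, ky, gate_id):
    # One-time pad for a table row, derived from the two input wire keys (hash-based garbling).
    return hashlib.sha256(kx + ky + bytes([gate_id])).digest()

def new_wire():
    # A fresh wire: one random 16-byte key for bit 0 and one for bit 1.
    return secrets.token_bytes(16), secrets.token_bytes(16)

def garble_gate(func, gate_id, wx, wy):
    """A's side (steps 1-2): garble a 2-input gate computing func(bx, by) on wires wx, wy.
    Each row encrypts the output key for that input pair plus 16 zero bytes as a check tag."""
    wout = new_wire()
    table = []
    for bx in (0, 1):
        for by in (0, 1):
            plain = wout[func(bx, by)] + bytes(16)
            pad = row_pad(wx[bx], wy[by], gate_id)
            table.append(bytes(a ^ b for a, b in zip(plain, pad)))
    secrets.SystemRandom().shuffle(table)   # hide which row belongs to which input pair
    return table, wout

def eval_gate(table, kx, ky, gate_id):
    """B's side (step 5): holding one key per input wire, exactly one row decrypts to a
    key with a valid tag. B obtains an opaque output wire key, not a bit."""
    pad = row_pad(kx, ky, gate_id)
    for row in table:
        plain = bytes(a ^ b for a, b in zip(row, pad))
        if plain[16:] == bytes(16):
            return plain[:16]
    raise ValueError("no row decrypted: wrong input wire keys")

def run_two_party(x, y):
    """Steps 1-8 for the constructed toy function f(x,y) = (fA, fB) = (x AND y, x XOR y)."""
    wx, wy = new_wire(), new_wire()
    tab_a, out_a = garble_gate(lambda a, b: a & b, 1, wx, wy)   # gate producing fA
    tab_b, out_b = garble_gate(lambda a, b: a ^ b, 2, wx, wy)   # gate producing fB
    interp_a = {out_a[0]: 0, out_a[1]: 1}    # A keeps the interpretation of fA's wire
    interp_b = {out_b[0]: 0, out_b[1]: 1}    # step 3: A sends B the interpretation of fB's wire
    kx = wx[x]      # step 3: garbled x from A
    ky = wy[y]      # step 4: garbled y (via oblivious transfer, not modelled here)
    key_a = eval_gate(tab_a, kx, ky, 1)      # step 5: garbled fA(x,y)
    key_b = eval_gate(tab_b, kx, ky, 2)      # step 5: garbled fB(x,y)
    f_b = interp_b[key_b]                    # step 6: B ungarbles his own output
    f_a = interp_a[key_a]                    # steps 7-8: B returns key_a, A ungarbles it
    return f_a, f_b
```

Without interp_b, key_b is just 16 random-looking bytes to B; that is exactly the lever the protocol later uses by encrypting the interpretation under a key the servers hold.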

sCS encryption scheme

• a simplification of the verifiable encryption scheme of Camenisch and Shoup

• semantically secure in the CRS model under the DCR assumption and safe RSA moduli

• a very strong unambiguous encryption:

a ciphertext that passes a certain proof system cannot decrypt to two different plaintexts under two different private keys. Moreover, no two distinct decryption keys can decrypt a ciphertext even to the same plaintext.

sCS encryption scheme

• CRS.

sCS encryption scheme

• sCS encryption.

sCS encryption scheme

• sCS decryption.

ZKP protocols of Jarecki and Shmatikov

• Relying on the Unambiguity of sCS encryption scheme, Jarecki and Shmatikov proposed the sCS commitment scheme and a group of efficient concurrently secure ZKP protocols.

• sCS commitment scheme

ZKP protocols of Jarecki and Shmatikov

• ZKP protocols

– ZKDL(ɡ, X) is used to prove that there exists an x s.t. X^2 = ɡ^(2x).

– ZKNotEq(Ca, Cb) is used to prove that Ca, Cb are sCS commitments to different values.

– ZKPlainEq((u, e), Ck, Cm) is used to prove that (u, e) is an sCS encryption of the cleartext m committed (by sCS commitment) in Cm under the key k committed in Ck.

VTSS scheme of Pedersen

• Pedersen gave a semantically secure commitment scheme based on the difficulty of the discrete logarithm problem, and proposed a VTSS scheme in the CRS model based on it.

• CRS

VTSS scheme of Pedersen

• Pedersen’s commitment scheme

VTSS scheme of Pedersen

• Sharing and Verifying process

New Full Fair Secure Two-party Computation Protocol

• New ZKP protocol ZKEq(CKD, CKD)

proves that the sCS commitment CKD commits to the same value as the Pedersen commitment CKD (both are commitments to KD)

New Full Fair Secure Two-party Computation Protocol——overview

• In usual garbled circuit computation

A sends the cleartext interpretation of fB(x,y) to B; therefore the circuit evaluator B may withhold the garbled fA(x,y) from A after getting his own output fB(x,y).

• In our protocol

A commits to all output wire keys of GC corresponding to fB(x,y)

A shares a private key KD ∈ [0, 2^k″] among a group of third-party servers by the VTSS scheme of Pedersen

A provides B with an encrypted cleartext interpretation of fB(x,y), CIB

New Full Fair Secure Two-party Computation Protocol——overview

• By correctly performing with A all ZKP protocols involved in the following formula, and by the verifying process of Pedersen’s VTSS scheme, B is convinced that CIB is correctly constructed and can be decrypted with the key KD shared among the servers, and that he can retrieve that key to decrypt CIB as long as he sends the correct output keys corresponding to fA(x,y) to the servers.


New Full Fair Secure Two-party Computation Protocol——overview

• After sending the correct output wire keys corresponding to fA(x,y) to the servers, B gets enough shares of KD to retrieve it and compute his output fB(x,y). Thereafter, A can compute his output fA(x,y) even if B sends him wrong output wire keys, by obtaining the correct ones from the servers.

New Full Fair Secure Two-party Computation Protocol——protocol


New Full Fair Secure Two-party Computation Protocol——analysis

• Fairness

When the number of dishonest servers m is less than s/3, our protocol guarantees that A learns fA(x,y) iff B learns fB(x,y).

• Complexity

Computational complexity is O(S + s^2)

Communication complexity is O(S + s)

Only two additional interaction rounds for full fairness

where S is the size of the circuit and s is the number of employed servers.
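The Pedersen VTSS foundation (sharing and verifying process), the sharing of KD among the servers in the overview, and the fairness condition m < s/3 above, as one added example (not code from the original slides): a dealer shares KD with Pedersen commitments, each server verifies its share against the public commitments, and any t+1 verified shares reconstruct KD. The toy group (p = 2039, q = 1019, G = 4, H = 9), the toy-sized KD and the choice of a degree-2m polynomial for s = 3m+1 servers are assumptions made here, not parameters given on the slides.

```python
import math
import secrets

# Toy group (constructed for this example): p = 2q + 1 with q prime; G and H are squares mod p,
# so they generate the order-q subgroup. log_G(H) is assumed unknown to every party.
P, Q = 2039, 1019
G, H = 4, 9

def poly_at(coeffs, x):
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q

def share(secret, n, t):
    """Dealer (party A): Pedersen-share `secret` among servers 1..n so that any t+1 shares
    reconstruct it and t shares reveal nothing. Returns shares (s_i, t_i) and commitments C_j."""
    f = [secret % Q] + [secrets.randbelow(Q) for _ in range(t)]   # f(0) = secret
    b = [secrets.randbelow(Q) for _ in range(t + 1)]              # blinding polynomial
    commits = [pow(G, fj, P) * pow(H, bj, P) % P for fj, bj in zip(f, b)]   # C_j = G^f_j H^b_j
    shares = {i: (poly_at(f, i), poly_at(b, i)) for i in range(1, n + 1)}
    return shares, commits

def verify(i, share_i, commits):
    """Server i checks G^s_i * H^t_i == prod_j C_j^(i^j). An inconsistent share from the
    dealer fails this check, which is what makes the sharing verifiable."""
    s_i, t_i = share_i
    lhs = pow(G, s_i, P) * pow(H, t_i, P) % P
    rhs = math.prod(pow(c_j, pow(i, j, Q), P) for j, c_j in enumerate(commits)) % P
    return lhs == rhs

def reconstruct(shares):
    """Lagrange interpolation of f at 0 over Z_Q from any t+1 verified shares."""
    secret = 0
    for i in shares:
        lam = 1
        for j in shares:
            if j != i:
                lam = lam * (-j) * pow((i - j) % Q, -1, Q) % Q
        secret = (secret + shares[i][0] * lam) % Q
    return secret

def fairness_scenario(m):
    """Slide scenario: s = 3m+1 servers, m dishonest. Degree 2m (assumed here) means m colluders
    hold too few shares to learn K_D, yet the 2m+1 honest servers alone suffice for B."""
    n, t = 3 * m + 1, 2 * m
    k_d = secrets.randbelow(Q)                         # A's decryption key K_D (toy-sized)
    shares, commits = share(k_d, n, t)
    all_valid = all(verify(i, sh, commits) for i, sh in shares.items())
    s1, t1 = shares[1]                                 # a corrupted share is caught by its holder
    forged_rejected = not verify(1, ((s1 + 1) % Q, t1), commits)
    honest = {i: shares[i] for i in range(1, 2 * m + 2)}   # shares B collects from honest servers
    return all_valid and forged_rejected and reconstruct(honest) == k_d
```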

END!

THANKS!