COVERT MULTI-PARTY COMPUTATION
YINMENG ZHANG
ALADDIN REU 2005
LUIS VON AHNMANUEL BLUM
JUST THE ANSWER PLEASE
WHAT CAN WE KEEP SECRET?
• INPUTS• PARTICIPATION
[FROM OUTSIDERS]
• PARTICIPATION[FROM EACH OTHER]
R1,R2,R3
SECRET+
R1+R2+R
3
R1
R2
R3
SECURE COMPUTATION
KEEP INPUTS SECRET
• SPLIT THE SECRETS INTO RANDOM SHARES
• 2-PARTY COMPUTE ON SHARES
• RECOMBINE
ANSWER+
R1+R2+R
3
R1
R2
R3
STEGANOGRAPHY
EXTERNAL COVERTNESS
EXTERNAL OBSERVERS DON’T NOTICE ANYTHING
WEATHER SURE IS
NICE
• THINK OF IT AS A CLEVER HASH
10011
WE CAN HASH ANY MESSAGE[EVEN IF THE SENDER HONESTLY
WANTED TO TALK ABOUT THE WEATHER]
CAN WE DO SOMETHING CLEVER WITH THAT?
COVERT COMPUTATION
INTERNAL COVERTNESS
EVEN THE OTHER PARTIES DON’T KNOW YOU’RE COMPUTING!
WEATHER SURE IS
NICE
RANDOM OR
PSEUDO-RANDOM
???• WHAT DO YOU MEAN “DON’T KNOW”?
THREE DEFINITIONSAND
PROOFS/DISPROOFSOF FEASIBILITY
COVERT TWO PARTY COMPUTATION:VON AHN,HOPPER,LANGFORD
COVERT TWO-PARTY COMPUTATION
AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS
EXTERNAL COVERTNESS
INTERNAL COVERTNESS
NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL
ASSOCIATE
REVEALING OTHER PARTIES
WITH
SUCCESSFUL OUTPUT
COULD WE GET THE ANSWERWITHOUT EVER REVEALING WHO WAS
COMPUTING?
A SIMPLE WORLD [GIVEN STEGO]
01101 01111
1100101001
10000 11100
1010110100
• A ROOM OF SLEEPING PARTIES SNORING 0s AND 1s AT RANDOM
• SOME PARTIES ARE AWAKE AND “SNORING” PSEUDO-RANDOMLY
COULD WE GET THE ANSWERWITHOUT REVEALING GUILT?
• AT THE END OF THE PROTOCOL:– OUR INPUT– THE ANSWER– TRANSCRIPT OF ALL COMMUNICATIONS
• PROTOCOL SHOULD GIVE:– ANSWER WRONG WITH NEGLIGIBLE
[<1/POLY] PROBABILITY– NEGLIGIBLY BETTER CHANCE OF
GUESSING WHO’S ASLEEP THAN WITH JUST INPUT AND ANSWER
COULD WE GET THE ANSWERWITHOUT REVEALING GUILT?
EXAMPLE: VOTING IN A SECRET ORGANIZATION
IF, SAY, MORE THAN HALF THE PEOPLE ARE PARTICIPATING, CAN WE DETERMINE A NEW LEADER?
• INFORMATION THEORY POV
• COMPUTATIONAL COMPLEXITY POV
NO.
SIMPLIFYING FURTHER:AWAKE PARTY’S POINT OF VIEW
W
S/W W/S
•THREE PLAYERS•FORGET ABOUT HIDING INPUTS [SAY WE ARE CALCULATING THE XOR]•ONE PERSON IS ASLEEP; CAN I TELL WHICH?
THOUGHT EXPERIMENT:INFORMATION THEORETIC VIEW
W:A BIT
S/W W/S
THE OTHER BIT
• INFORMATION GETS TO THE AWAKE PARTY
• ONE CHANNEL IS RANDOM - THE OTHER MUST NOT BE!
COMPUTATIONAL COMPLEXITY VIEW
• EVEN PUBLIC KEY CRYPTO BREAKS IN INFORMATION THEORETIC MODEL
• IDEA: NORMALLY, WE CAN’T MODEL THE OTHER PARTIES – BUT SNORING IS JUST RANDOM
• THE AWAKE PARTY’S ALGORITHM SHOULD WORK REGARDLESS OF SNORER’S INPUT
COMPUTATIONAL COMPLEXITY VIEW:PROOF IDEA
• CONSIDER THE LAST ROUND OF COMMUNICATION
• WHAT HAPPENS IF WE REPLACE ONE OF THE MESSAGES WITH RANDOM NOISE?
• IF THE ALGORITHM DOESN’T BREAK – THE LAST ROUND WASN’T HELPFUL!
THAT’S NOT RANDOM
I GUESS EVERYONE’S
AWAKE
CHANGE OF DEFINITION
• CONCLUSION: SNORING PEOPLE SUCK
• TOO HARD TO PROTECT THEM!
• COULD WE HAVE INDISTINGUISHABLE PARTIES UNLESS A NON-RANDOM ANSWER IS OUTPUTTED?
RESULT:111111
ASSOCIATE
REVEALING OTHER PARTIES
WITH
SUCCESSFUL OUTPUT
YES.
COVERT COMPUTATION
SNORERS GIVE RANDOM RESULTS
• A BAD COMPUTATION
• THROWS EVERYTHING ELSE OFF
• RESULT RANDOM
• SPLIT THE SECRETS INTO RANDOM SHARES
• COVERT 2-PARTY COMPUTE ON SHARES
• RECOMBINE
MALICIOUS PARTIES
• SNORERS ARE A KIND OF MALICIOUS PARTY
• YET WE WANT TO PROTECT THEM [IF WE KNOW THE SNORERS, THEN WE KNOW WHO WAS AWAKE]
• CAN WE FIDDLE THE DEFINITION INTO HANDLING MALICIOUS PARTIES SENSIBLY?
THANK YOU!