How to play ANY mental game A Completeness Theorem for

Transcription

How to play ANY mental game A Completeness Theorem for
How to play ANY
mental game
A Completeness Theorem for
Protocols with Honest Majority
Overview
1. Introduction
2. Solution for TM-Games
2.1. for passive adversaries
2.2. for malicious adversaries
3. General games
4. Summary
1. Introduction
• Motivation: n Players want to compute
y  M ( x1 ,..., xn )
• Problem: each xi is a private input of the
player i
• Question: Is it possible to run M so that
1. The output is correct
2. No additional information of the x i´s is
leaked
1. Introduction
• Adversaries:
- passive Adversaries:
Run the protocol correct but run „on the
side“ other efficient algorithmns
- malicious Adversaries:
Replace the algorithm by any efficient
algorithm
1. Introduction
• First Observation:
– Easy to solve with an extra trusted party
• In most situations there is no trusted party
-> This notation wouldn‘t be useful
• „Purely playable games“
– No extra party which is trusted by everyone
Overview
1. Introduction
2. Solution for TM-Games
2.1. for passive adversaries
2.2. for malicious adversaries
3. General games
4. Summary
2.1. Solution for TM-Games
• Motivation:
– Restricting the scenario to:
• A special case of games (Turing-machine games)
• Passive adversaries
-> Easier to prove, yet useful for further proofs
2.1. Solution for TM-Games
• General Definitions:
– Random Variable (RV) R:
R :   0 : 1
(assigns a probability to each value )
– PA = probablistic poly-time algorithm
– Efficient ≙element of PA
2.1. Solution for TM-Games
• Game network of size n:
– n Turing machines with (for each TM):
•
•
•
•
1 read-only private input tape
1 write only private output tape
1 read/write private work tape
n-1 special public communication tapes
– 1 common read-only input and 1 common
write only output tape
2.1. Solution for TM-Games
• A probablistic distributed algorithm S in a
game network of size n is a sequence of
programs S  ( S1 ,...S n )
• Denote the class of all such algorithms by
PDA
2.1. Solution for TM-Games
• Let S∈PDA run in a network of size n with
common input CI and private inputs x1 ,..., xn
Definition:
– HS ( x1,..., xn , CI ) denotes the RV of the
public history
– HS i ( x1 ,..., xn , CI ) denotes the RV of the
private history of machine i
2.1. Solution for TM-Games
• Let S∈PDA run in a network of size n with
common input CI and private inputs x1 ,..., xn
Definition:
– OS i ( x1 ,..., xn , CI ) denotes the RV of the private
output of machine i
– For T⊆{1,…n} let HST ( x1 ,..., xn , CI ) denote the
vector of private histories of the members of T
2.1. Solution for TM-Games
• Indistinguishability of RV‘s:
– Poly-bounded RV‘s: c constant, k∈ℕ the security
parameter
c
x : U k ( x)  0  x  k
– Circuit C k is a „judge“ for two families of RV‘s U,V
X a RV from U or V:
Ck ( X ) 

1 if C "believes " X U
0 else
– Denote by P(U,C,k) the probability that C k outputs 1
on a random sample of U k
2.1. Solution for TM-Games
• Definition: (Indistinguishability of RV‘s)
U and V are computationally
indistinguishable if for all C, for
all f∈ℕ and „sufficiently large“ k∈ℕ :
P(U , C , k )  P(V , C , k )  k
f
2.1. Solution for TM-Games
• Solution for a TM-Game:
k
(
M
,
1
)
– An algorithm in PDA with input
s.t. the following conditions are satisfied:
• Agreement:
for all i,j output i equals output j
• Correctness:
OS1 ( x1 ,..., xn , ( M ,1k ))  M ( x1 ,... xn )
2.1. Solution for TM-Games
• Solution for a TM-Game:
k
(
M
,
1
)
– An algorithm in PDA with input
s.t. the following conditions are satisfied:
• Privacy:
T  1,... n, A  PPT : B  PPT s.t. :
Ak  A( ( M ,1k ), HS (( M ,1k )) , HS T (( M ,1k )) )
and
Bk  B( ( M ,1k ), M ( x1,..., xn ),(i, xi ) : i  T )
are indistingu ishable RV ' s
2.1. Solution for TM-Games
• Familiy of trap-door permutations:
- Easy to select an f for a k∈ℕ and some extra
trap-door information
- Easy to compute f(x)
1
f
( x) , if one doesn‘t know
- Hard to compute
the trap-door information
• One-way permutation:
- Same as above, but trap-door information
must not exist
2.1. Solution for TM-Games
• Theorem:
– If a trapdoor function exists, there exists a
TM-game solver for passive adversaries
• Proof sketch:
– We use a lemma by Barrington‘s that
simulates computation by composing
elements in S 5
– > Transform our TM in a circuit and further
into a straight-line program
2.1. Solution for TM-Games
• This straight-line program contains:
– 0 and 1 as specially selected 5-permutations
– Variables in the range of S 5
– Instructions consist of multiplying two 5permutations and which can be:
• constant
• a variable
• the inverse (in S 5 ) of a variable
2.1. Solution for TM-Games
• Initialization:
– Each party encodes his private input by a 5permutation
– He selects random 5-permutations
 1 ,...,  n 1 such that    1  ...   n 1
and gives the pair (i, i ) to player i
– He then sets n  ( 1  ...   n1 ) 1   and gives
(n, n ) to player n
2.1. Solution for TM-Games
• Computation with variable and:
1. case:   c ,c constant. Then set
(n, n ) to (n, n  c)
2. case:  1  c, c constant. Then each player
1
(
x
,

)
to
(
n

x

1
,

sets
x
x )
2.1. Solution for TM-Games
• Computation with
variable and:
3. case: ⋅ , a variable. Then
    1  ... n  1  ...   n
• assume party i posseses  i and  i
• we can‘t just multiply as S 5 is not commutative
2.1. Solution for TM-Games
• Idea to solve the problem in case 3:
– „swap“ pieces until each player can compute
his share
• first step:
compute  1' for party 1 and  n' for party n s.t. :  1'   n'   n  1
• run this for all players resulting in O(n²) swaps
– Problem: privacy constraint would be violated
– Solution?
2.1. Solution for TM-Games
• Random bits:
- Given a trap-door permutation f
A random bit B f of f is:
- A poly-time computable function
- Computing B f on f(x) is essentialy
“as hard as inverting f”
-> Blackboard
2.1. Solution for TM-Games
• Oblivious transfer (OT):
– Sending information to the receiver, but
it’s oblivious (“not clear”) what he received
– Rabin’s OT:
• A sends B an encrypted message E(m) and
B can decrypt it with 50% probability
-> Blackboard
2.1. Solution for TM-Games
• 1-2 oblivious transfer:
– A∈PA with input bits (b0 , b1 )
– B∈PA with input bit
– A sends B one out of two messages, s.t.:
1. B will read b , but can’t predict b
2. A cannot predict
2.1. Solution for TM-Games
• Implementation of 1-2 OT in 4 steps:
1
(
f
,
f
) a trapdoor permutation of
1. A selects
size having a random bit B f
A sends f to B and keeps f 1 secret
2. B selects at random x0, x1  dom ( f )
and sends A:
( f ( x0 ), x1 ) if   0
(u, v)  ( x0 , f ( x1 )) if  1

2.1. Solution for TM-Games
• Implementation of 1-2 OT in 4 steps:
3. A computes:
(c0 , c1 )  ( B f ( f 1 (u)), B f ( f 1 (v)))
and sends B
d 0  b0  c0 and d1  b1  c1
4. B computes
b  d  B f ( x )
2.1. Solution for TM-Games
• Why does it work?
-> Blackboard
2.1. Solution for TM-Games
• Combined Oblivious Transfer (COT):
– A and B owning some inputs a and b
– In the end of the protocol, A has computed
g(a,b), while B doesn‘t know what A has
computed
– When a and b are secrets, it seems that B
transfered a combination of his and A‘s secret
to A
2.1. Solution for TM-Games
• Example: COT AND-gate
A0
1
0 1
E3 E4
E1 E2
E1( p) E3 (q)
E2 (c) E3 (d )
E1(u ) E4 (v)
E2 ( s) E4 (t )
0 1
E5 E6
B
This labels
are secret!
2.1. Solution for TM-Games
• Combined Oblivious Transfer (COT):
– We‘ve seen the COT-AND gate
– The COT-NOT gate is trivial
-> Therefor we can compute any 2-gates
function
2.1. Solution for TM-Games
• Applying the COT to our problem:
– Player 1 and n use the following function for
COT: g(x,(y,z) = w , where w⋅z=y⋅x
– Player 1 is A with input a   1
– Player n is B with input
b  ( n ,  ) , where   S5 selected at random by n
'
'


g
(
a
,
b
)
and

– Then set 1
n 
-> Notice that g(x,(y,⋅)) is injective on S 5
Overview
1. Introduction
2. Solution for TM-Games
2.1. for passive adversaries
2.2. for malicious adversaries
3. General games
4. Summary
2.2. Solution for TM-Games
• Motivation:
– With malicious adversaries we must clarify
how to handle private inputs
• Say if one player stops computing or tries to
pretend his private input is different from what it
actually is, how can we handle this?
• Theorem:
– Given n players „willing to play“, less then half
of which malicious, all TM-games are playable
2.2. Solution for TM-Games
• Zero-knowledge proof:
Prove that you know a secret without revealing it.
must satisfy 3 properties:
- Completeness:
- honest prover can convince honest verifier
- Soundness:
- cheating prover can’t convince honest verifier, except with
small probability
- Zero-knowledge:
- no cheating verifier learns any other information
2.2. Solution for TM-Games
• What means „willing to play“?
– Successfully completing a protocol s.t. :
1. For all players i, no minority can predict a bit of
player i‘s input with prob. > ½ but it is guaranteed
that a majority of players can efficiently compute
i‘s input
2. Each player i has a sequence of random
encrypted bits s.t.:
1. He knows the decryption
2. No minority can predict them
3. A majority can easily compute them
2.2. Solution for TM-Games
• How can we use this to „play“ the game?
– For any randomness, players must use the
bits they received
– Each player proves - in zero-knowledge - that
each message is what he should have send
– If any player should stop at this phase then:
• The others can reconstruct his random bits and
private input
• Compute his further messages when necessary
Overview
1. Introduction
2. Solution for TM-Games
2.1. for passive adversaries
2.2. for malicious adversaries
3. General games
4. Summary
3. General games
• Game theory:
– Definition of a general game:
• A set S of possible states
• A set M of possible moves
• A set of knowledge functions of each state :
Ki ( ) represents the informatio n about  of player i
• A payoff function p evaluating the final state
3. General games
• Game theory:
– Given a description of a game, how can we
find some strategy satisfying some property?
– Problem: given a description of a game, how
can we actually PLAY the game?
• For a general n-player game, we need n+1 players
to play it ( which is unfortunate as we need another
trusted party, which we normally don‘t have )
3. General games
• Game Theory Example:
– The game „poker“ is clearly playable (e.g. in
our physical world)
– Let NEWPOKER be the same as normal
poker, but in addition you have the
information, whether all hands combined form
a royal flush
• Is this game playable, too?
3. General games
• Questions that arise:
– Is there a model which makes all games
playable, or at least
– Does every game have a model in which it is
playable?
– Should we restrict us to the class of playable
games?
3. General games
• Theorem:
– If any trap-door function exists, any game is playable
if more than half of the players are honest
• Idea to prove this:
– Simulate a trusting party in an ideal game
Overview
1. Introduction
2. Solution for TM-Games
2.1. for passive adversaries
2.2. for malicious adversaries
3. General games
4. Summary
4. Summary
• Theorem:
– Under the assumption that any trap-door
permutation exists:
• We can tolerate any number of passive
adversaries
• We can tolerate up to ½ ⋅n malicious adversaries
• If there are more than ½ ⋅n malicious adversaries
then some protocols have no efficient solution
4. Summary
• Why is this useful?
– > Because every protocol can be formalized
to a game with incomplete information
– > We can even find a solution uniformly:
• We can use an efficient algoritm, that, on input a
protocol problem, outputs an efficient, distributed
protocol for solving it
Thank you for your attention!
Any questions?