On Protocol Security in the Cryptographic Model
Jesper Buus Nielsen August 2003 |
Abstract:
It seems to be a generally acknowledged fact that you should
never trust a computer and that you should trust the person operating the
computer even less. This in particular becomes a problem when the party that
you do not trust is one which is separated from you and is one on which you
depend, e.g. because that party is the holder of some data or some capability
that you need in order to operate correctly. How do you perform a given task
involving interaction with other parties while allowing these parties a
minimal influence on you and, if privacy is an issue, allowing them to learn
as little about you as possible. This is the general problem of secure multiparty computation. The usual way of formalizing the problem is to say
that a number of parties who do not trust each other wish to compute some
function of their local inputs, while keeping their inputs as secret as
possible and guaranteeing the correctness of the output. Both goals should be
obtained even if some parties stop participating or some malevolent coalition
of the parties start deviating arbitrarily from the agreed protocol. The task
is further complicated by the fact that besides their mutual distrust, nor do
the parties trust the channels by which they communicate. A general solution
to the secure multiparty computation problem is a compiler which given any
feasible function describes an efficient protocol which allows the parties to
compute the function securely on their local inputs over an open
network.
Over the past twenty years the secure multiparty computation problem has been the subject of a large body of research, both research into the models of multiparty computation and research aimed at realizing general secure multiparty computation. The main approach to realizing secure multiparty computation has been based on verifiable secret sharing as computation, where each party holds a secret share of each input and during the execution computes secret shares of all intermediate values. This approach allows the parties to keep all inputs and intermediate values secret and to pool the shares of the output values to learn exactly these values. More recently an approach based on joint homomorphic encryption was introduced, allowing for an efficient realization of general multiparty computation secure against an eavesdropper. A joint encryption scheme is an encryption scheme where all parties can encrypt, but where it takes the participation of all parties to open an encryption. The computation then starts by all parties broadcasting encryptions of their inputs and progresses through computing encryptions of the intermediary values using the homomorphic properties of the encryption scheme. The encryptions of the outputs can then be jointly decrypted. In this dissertation we extend this approach by using threshold homomorphic encryption to provide full-fledged security against an active attacker which might control some of the parties and which might take over parties during the course of the protocol execution. As opposed to a joint encryption scheme a threshold encryption scheme only requires that a given number of the parties are operating correctly for decryption to be possible. In this dissertation we show that threshold homomorphic encryption allows to solve the secure general multiparty computation problem more efficiently than previous approaches to the problem. Starting from an open point-to-point network there is a long way to general secure multiparty computation. The dissertation contains contributions at several points along the way. In particular we investigate how to realize secure channels. We also show how threshold signature schemes can be used to efficiently realize a broadcast channel and how threshold cryptography can be used to provide the parties of the network with a source of shared randomness. All three tools are well-known to be extremely powerful resources in a network, and our principle contribution is to provide efficient realizations. The dissertation also contains contributions to the definitional part of the field of multiparty computation. Most significantly we augment the recent model of universally composable security with a formal notion of what it means for a protocol to only realize a given problem under a given restricted input-output behavior of the environment. This e.g. allows us to give the first specification of a universally composable zero-knowledge proof of membership which does not at the same time require the proof system to be a proof of knowledge. Available as PostScript, PDF. |