How to play ANY mental game A Completeness Theorem for Protocols with Honest Majority Overview 1. Introduction 2. Solution for TM-Games 2.1. for passive adversaries 2.2. for malicious adversaries 3. General games 4. Summary 1. Introduction • Motivation: n Players want to compute y M ( x1 ,..., xn ) • Problem: each xi is a private input of the player i • Question: Is it possible to run M so that 1. The output is correct 2. No additional information of the x i´s is leaked 1. Introduction • Adversaries: - passive Adversaries: Run the protocol correct but run „on the side“ other efficient algorithmns - malicious Adversaries: Replace the algorithm by any efficient algorithm 1. Introduction • First Observation: – Easy to solve with an extra trusted party • In most situations there is no trusted party -> This notation wouldn‘t be useful • „Purely playable games“ – No extra party which is trusted by everyone Overview 1. Introduction 2. Solution for TM-Games 2.1. for passive adversaries 2.2. for malicious adversaries 3. General games 4. Summary 2.1. Solution for TM-Games • Motivation: – Restricting the scenario to: • A special case of games (Turing-machine games) • Passive adversaries -> Easier to prove, yet useful for further proofs 2.1. Solution for TM-Games • General Definitions: – Random Variable (RV) R: R : 0 : 1 (assigns a probability to each value ) – PA = probablistic poly-time algorithm – Efficient ≙element of PA 2.1. Solution for TM-Games • Game network of size n: – n Turing machines with (for each TM): • • • • 1 read-only private input tape 1 write only private output tape 1 read/write private work tape n-1 special public communication tapes – 1 common read-only input and 1 common write only output tape 2.1. Solution for TM-Games • A probablistic distributed algorithm S in a game network of size n is a sequence of programs S ( S1 ,...S n ) • Denote the class of all such algorithms by PDA 2.1. Solution for TM-Games • Let S∈PDA run in a network of size n with common input CI and private inputs x1 ,..., xn Definition: – HS ( x1,..., xn , CI ) denotes the RV of the public history – HS i ( x1 ,..., xn , CI ) denotes the RV of the private history of machine i 2.1. Solution for TM-Games • Let S∈PDA run in a network of size n with common input CI and private inputs x1 ,..., xn Definition: – OS i ( x1 ,..., xn , CI ) denotes the RV of the private output of machine i – For T⊆{1,…n} let HST ( x1 ,..., xn , CI ) denote the vector of private histories of the members of T 2.1. Solution for TM-Games • Indistinguishability of RV‘s: – Poly-bounded RV‘s: c constant, k∈ℕ the security parameter c x : U k ( x) 0 x k – Circuit C k is a „judge“ for two families of RV‘s U,V X a RV from U or V: Ck ( X ) 1 if C "believes " X U 0 else – Denote by P(U,C,k) the probability that C k outputs 1 on a random sample of U k 2.1. Solution for TM-Games • Definition: (Indistinguishability of RV‘s) U and V are computationally indistinguishable if for all C, for all f∈ℕ and „sufficiently large“ k∈ℕ : P(U , C , k ) P(V , C , k ) k f 2.1. Solution for TM-Games • Solution for a TM-Game: k ( M , 1 ) – An algorithm in PDA with input s.t. the following conditions are satisfied: • Agreement: for all i,j output i equals output j • Correctness: OS1 ( x1 ,..., xn , ( M ,1k )) M ( x1 ,... xn ) 2.1. Solution for TM-Games • Solution for a TM-Game: k ( M , 1 ) – An algorithm in PDA with input s.t. the following conditions are satisfied: • Privacy: T 1,... n, A PPT : B PPT s.t. : Ak A( ( M ,1k ), HS (( M ,1k )) , HS T (( M ,1k )) ) and Bk B( ( M ,1k ), M ( x1,..., xn ),(i, xi ) : i T ) are indistingu ishable RV ' s 2.1. Solution for TM-Games • Familiy of trap-door permutations: - Easy to select an f for a k∈ℕ and some extra trap-door information - Easy to compute f(x) 1 f ( x) , if one doesn‘t know - Hard to compute the trap-door information • One-way permutation: - Same as above, but trap-door information must not exist 2.1. Solution for TM-Games • Theorem: – If a trapdoor function exists, there exists a TM-game solver for passive adversaries • Proof sketch: – We use a lemma by Barrington‘s that simulates computation by composing elements in S 5 – > Transform our TM in a circuit and further into a straight-line program 2.1. Solution for TM-Games • This straight-line program contains: – 0 and 1 as specially selected 5-permutations – Variables in the range of S 5 – Instructions consist of multiplying two 5permutations and which can be: • constant • a variable • the inverse (in S 5 ) of a variable 2.1. Solution for TM-Games • Initialization: – Each party encodes his private input by a 5permutation – He selects random 5-permutations 1 ,..., n 1 such that 1 ... n 1 and gives the pair (i, i ) to player i – He then sets n ( 1 ... n1 ) 1 and gives (n, n ) to player n 2.1. Solution for TM-Games • Computation with variable and: 1. case: c ,c constant. Then set (n, n ) to (n, n c) 2. case: 1 c, c constant. Then each player 1 ( x , ) to ( n x 1 , sets x x ) 2.1. Solution for TM-Games • Computation with variable and: 3. case: ⋅ , a variable. Then 1 ... n 1 ... n • assume party i posseses i and i • we can‘t just multiply as S 5 is not commutative 2.1. Solution for TM-Games • Idea to solve the problem in case 3: – „swap“ pieces until each player can compute his share • first step: compute 1' for party 1 and n' for party n s.t. : 1' n' n 1 • run this for all players resulting in O(n²) swaps – Problem: privacy constraint would be violated – Solution? 2.1. Solution for TM-Games • Random bits: - Given a trap-door permutation f A random bit B f of f is: - A poly-time computable function - Computing B f on f(x) is essentialy “as hard as inverting f” -> Blackboard 2.1. Solution for TM-Games • Oblivious transfer (OT): – Sending information to the receiver, but it’s oblivious (“not clear”) what he received – Rabin’s OT: • A sends B an encrypted message E(m) and B can decrypt it with 50% probability -> Blackboard 2.1. Solution for TM-Games • 1-2 oblivious transfer: – A∈PA with input bits (b0 , b1 ) – B∈PA with input bit – A sends B one out of two messages, s.t.: 1. B will read b , but can’t predict b 2. A cannot predict 2.1. Solution for TM-Games • Implementation of 1-2 OT in 4 steps: 1 ( f , f ) a trapdoor permutation of 1. A selects size having a random bit B f A sends f to B and keeps f 1 secret 2. B selects at random x0, x1 dom ( f ) and sends A: ( f ( x0 ), x1 ) if 0 (u, v) ( x0 , f ( x1 )) if 1 2.1. Solution for TM-Games • Implementation of 1-2 OT in 4 steps: 3. A computes: (c0 , c1 ) ( B f ( f 1 (u)), B f ( f 1 (v))) and sends B d 0 b0 c0 and d1 b1 c1 4. B computes b d B f ( x ) 2.1. Solution for TM-Games • Why does it work? -> Blackboard 2.1. Solution for TM-Games • Combined Oblivious Transfer (COT): – A and B owning some inputs a and b – In the end of the protocol, A has computed g(a,b), while B doesn‘t know what A has computed – When a and b are secrets, it seems that B transfered a combination of his and A‘s secret to A 2.1. Solution for TM-Games • Example: COT AND-gate A0 1 0 1 E3 E4 E1 E2 E1( p) E3 (q) E2 (c) E3 (d ) E1(u ) E4 (v) E2 ( s) E4 (t ) 0 1 E5 E6 B This labels are secret! 2.1. Solution for TM-Games • Combined Oblivious Transfer (COT): – We‘ve seen the COT-AND gate – The COT-NOT gate is trivial -> Therefor we can compute any 2-gates function 2.1. Solution for TM-Games • Applying the COT to our problem: – Player 1 and n use the following function for COT: g(x,(y,z) = w , where w⋅z=y⋅x – Player 1 is A with input a 1 – Player n is B with input b ( n , ) , where S5 selected at random by n ' ' g ( a , b ) and – Then set 1 n -> Notice that g(x,(y,⋅)) is injective on S 5 Overview 1. Introduction 2. Solution for TM-Games 2.1. for passive adversaries 2.2. for malicious adversaries 3. General games 4. Summary 2.2. Solution for TM-Games • Motivation: – With malicious adversaries we must clarify how to handle private inputs • Say if one player stops computing or tries to pretend his private input is different from what it actually is, how can we handle this? • Theorem: – Given n players „willing to play“, less then half of which malicious, all TM-games are playable 2.2. Solution for TM-Games • Zero-knowledge proof: Prove that you know a secret without revealing it. must satisfy 3 properties: - Completeness: - honest prover can convince honest verifier - Soundness: - cheating prover can’t convince honest verifier, except with small probability - Zero-knowledge: - no cheating verifier learns any other information 2.2. Solution for TM-Games • What means „willing to play“? – Successfully completing a protocol s.t. : 1. For all players i, no minority can predict a bit of player i‘s input with prob. > ½ but it is guaranteed that a majority of players can efficiently compute i‘s input 2. Each player i has a sequence of random encrypted bits s.t.: 1. He knows the decryption 2. No minority can predict them 3. A majority can easily compute them 2.2. Solution for TM-Games • How can we use this to „play“ the game? – For any randomness, players must use the bits they received – Each player proves - in zero-knowledge - that each message is what he should have send – If any player should stop at this phase then: • The others can reconstruct his random bits and private input • Compute his further messages when necessary Overview 1. Introduction 2. Solution for TM-Games 2.1. for passive adversaries 2.2. for malicious adversaries 3. General games 4. Summary 3. General games • Game theory: – Definition of a general game: • A set S of possible states • A set M of possible moves • A set of knowledge functions of each state : Ki ( ) represents the informatio n about of player i • A payoff function p evaluating the final state 3. General games • Game theory: – Given a description of a game, how can we find some strategy satisfying some property? – Problem: given a description of a game, how can we actually PLAY the game? • For a general n-player game, we need n+1 players to play it ( which is unfortunate as we need another trusted party, which we normally don‘t have ) 3. General games • Game Theory Example: – The game „poker“ is clearly playable (e.g. in our physical world) – Let NEWPOKER be the same as normal poker, but in addition you have the information, whether all hands combined form a royal flush • Is this game playable, too? 3. General games • Questions that arise: – Is there a model which makes all games playable, or at least – Does every game have a model in which it is playable? – Should we restrict us to the class of playable games? 3. General games • Theorem: – If any trap-door function exists, any game is playable if more than half of the players are honest • Idea to prove this: – Simulate a trusting party in an ideal game Overview 1. Introduction 2. Solution for TM-Games 2.1. for passive adversaries 2.2. for malicious adversaries 3. General games 4. Summary 4. Summary • Theorem: – Under the assumption that any trap-door permutation exists: • We can tolerate any number of passive adversaries • We can tolerate up to ½ ⋅n malicious adversaries • If there are more than ½ ⋅n malicious adversaries then some protocols have no efficient solution 4. Summary • Why is this useful? – > Because every protocol can be formalized to a game with incomplete information – > We can even find a solution uniformly: • We can use an efficient algoritm, that, on input a protocol problem, outputs an efficient, distributed protocol for solving it Thank you for your attention! Any questions?