Multi-Party Proofs and Computation
Based in part on materials from
Cornell class CS 4830.
Interactive Proofs
A prover must convince a verifier that
some statement is true.
Typically the prover is thought of as all
powerful, while the verifier has limited
computational ability.
The verifier doesn’t trust the prover.
Sudoku
How can the prover convince the verifier that
this puzzle has a solution?
Interactive Proof
Prover shows the verifier a solution.
Verifier checks every row, column, 3x3 box.
Pepsi Challenge
Professor Maggs claims that he can
distinguish Pepsi from Coke without ever
making an error.
How can this claim be verified?
Experiment:
Boyang: Randomly decides (with equal
probability) on Coke or Pepsi and hands the
professor a glass containing the chosen drink.
Professor: Takes a sip of the drink and
pronounces “Coke” or “Pepsi”.
Boyang: Notes whether the pronouncement was
correct, and repeats.
Verifying the Claim
Suppose that the professor can actually only
tell the difference between Coke and
Pepsi with probability p on each trial.
After t independent trials, the probability that the
professor gets the answer correct every
time is p^t.
Example: for p = 0.9, t = 100, p^t < 0.00003.
Zero-Knowledge Proof
Prover wants to convince verifier that some
statement is true, without revealing
anything about the proof.
Rewording: prover wants to convince verifier
that prover knows a solution to a problem
without revealing any information about
the solution.
Hamilton Path
A graph has a Hamilton path if there is a
path through the graph that visits every
vertex exactly once.
[Figure: example graph with vertices numbered 1 through 7]
Zero-Knowledge Proof
Prover:
1. Draw the graph on a piece of cardboard
with vertices positioned at random places.
Vertices are unnumbered.
2. Cover the drawing with scratch-off paint.
3. Give the cardboard to the verifier.
Verification
The verifier flips an unbiased coin, then based on
the outcome asks the prover to do one of two things:
1: Reveal the numbers of the vertices. The verifier scratches off
everything and checks that the drawing is exactly the original graph.
2: Reveal the Hamilton path (without revealing the numbers
of the vertices). The verifier scratches off only the cells along the
claimed path and checks that every one of them is an edge and that the
path visits every vertex exactly once; the drawn graph is therefore Hamiltonian.
If the graph is Hamiltonian, the prover always succeeds. If
the graph is not Hamiltonian, the prover's drawing is either the true graph
(which has no path to reveal) or a graph containing a path (which differs
from the true graph), so the prover fails with probability ½ in each round
and survives t independent rounds with probability only 2^-t.
Note that Hamilton Path is NP-complete,
i.e., every other problem in NP can be
reduced to Hamilton Path
ZKP for Hamilton Path → ZKP for all NP!
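The cardboard-and-scratch-off protocol above, as an added simulation that is not part of the slides: hash commitments play the role of the paint, a random permutation pi places the vertices, and the verifier's coin picks which of the two challenges to issue. A cheating prover holding a graph with no Hamilton path has two options, draw the true graph or draw a graph containing the path it intends to show, and the example checks that each option is caught by exactly one challenge. The graphs, the `Prover` class, the `draw_true_graph` switch and the `demo` driver are constructed for this example.

```python
import hashlib
import random
import secrets
from itertools import combinations

def seal(bit: int):
    """Scratch-off paint for one cell: a hash commitment to an adjacency bit.
    Returns (commitment, opening)."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + bytes([bit])).hexdigest(), (bit, nonce)

def opens_to(commitment: str, bit: int, nonce: bytes) -> bool:
    return commitment == hashlib.sha256(nonce + bytes([bit])).hexdigest()

def relabel(edges, pi) -> set:
    """The edges redrawn with vertex v placed at position pi[v]."""
    return {frozenset((pi[u], pi[v])) for u, v in map(tuple, edges)}

class Prover:
    """`claimed` is the path shown under challenge 2. For an honest prover it
    is a real Hamilton path of G, so 'draw G' and 'draw G plus the path' are
    the same drawing; a cheater must pick one, and the other challenge catches it."""
    def __init__(self, n, edges, claimed, draw_true_graph=True):
        self.n, self.edges, self.claimed, self.true = n, edges, claimed, draw_true_graph

    def commit_round(self, rng):
        self.pi = list(range(self.n))
        rng.shuffle(self.pi)                          # random, unnumbered positions
        drawn = relabel(self.edges, self.pi)
        if not self.true:                             # cheater draws the path it will show
            drawn |= relabel(zip(self.claimed, self.claimed[1:]), self.pi)
        self.open, sealed = {}, {}
        for pair in combinations(range(self.n), 2):   # every possible edge gets a cell
            key = frozenset(pair)
            sealed[key], self.open[key] = seal(int(key in drawn))
        return sealed

    def respond(self, challenge):
        if challenge == 1:                            # reveal the numbering and every cell
            return self.pi, self.open
        pos = [self.pi[v] for v in self.claimed]      # reveal the path, not the numbers
        return pos, {frozenset(s): self.open[frozenset(s)] for s in zip(pos, pos[1:])}

def verify(n, edges, sealed, challenge, response) -> bool:
    if challenge == 1:
        pi, opened = response
        if sorted(pi) != list(range(n)) or opened.keys() != sealed.keys():
            return False
        if not all(opens_to(sealed[k], *opened[k]) for k in sealed):
            return False
        return {k for k, (bit, _) in opened.items() if bit} == relabel(edges, pi)
    pos, opened = response                            # n distinct positions, n-1 opened edges
    steps = [frozenset(s) for s in zip(pos, pos[1:])]
    return sorted(pos) == list(range(n)) and all(
        s in opened and opened[s][0] == 1 and opens_to(sealed[s], *opened[s])
        for s in steps)

def run_rounds(prover, n, edges, rng, t) -> bool:
    """t independent rounds; the verifier's unbiased coin picks the challenge."""
    for _ in range(t):
        sealed = prover.commit_round(rng)
        challenge = rng.choice((1, 2))
        if not verify(n, edges, sealed, challenge, prover.respond(challenge)):
            return False
    return True

# Constructed graphs: G has the Hamilton path 0-1-2-3; the star K_{1,3} has none.
G = {frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (0, 2)]}
STAR = {frozenset(e) for e in [(0, 1), (0, 2), (0, 3)]}

def demo(seed=0) -> dict:
    """Honest prover passes every round; each cheating strategy fails exactly
    the challenge it did not prepare for."""
    rng = random.Random(seed)
    results = {"honest": run_rounds(Prover(4, G, [0, 1, 2, 3]), 4, G, rng, 12)}
    for name, true_graph in (("cheat_true_graph", True), ("cheat_fake_path", False)):
        p = Prover(4, STAR, [1, 0, 2, 3], true_graph)
        sealed = p.commit_round(rng)
        results[name] = (verify(4, STAR, sealed, 1, p.respond(1)),
                         verify(4, STAR, sealed, 2, p.respond(2)))
    return results
```

Under challenge 2 the verifier opens only n-1 cells and never sees pi, so it learns nothing about where the path lies in the original numbering; under challenge 1 it sees the whole drawing but no path. Repeating for t rounds drives a cheater's success probability to 2^-t, exactly the p^t argument from the Pepsi challenge.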
How to flip a coin over the Internet
1. First party chooses a random number X in the range [0, 2^256)
and publishes A := H(X)
2. Second party likewise chooses a random number Y in the same range
and publishes B := H(Y)
3. After receiving A and B, both parties reveal X and Y
If (X + Y) is even, the first party wins; otherwise the second party wins.
What if first party waits to see H(Y) before choosing X?
What if first party tries to change X after seeing Y?
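The commit-then-reveal coin flip above, as an added example that is not part of the slides, together with the two questions the slide ends with. The first question is about hiding: H(Y) must not leak anything about Y, and the example shows that it does leak when Y is drawn from a small range, which is why the slide insists on [0, 2^256). The second is about binding: the second party must check that the revealed X hashes to the published A before accepting it, and the example shows a changed X being rejected. The function names and the two attack helpers are my own.

```python
import hashlib
import secrets

BITS = 256                                   # the slide's range [0, 2^256)

def commit(x: int) -> str:
    """A := H(X). With X uniform in [0, 2^256) the bare hash is hiding and
    binding; a small X would need an extra random nonce to be hiding."""
    return hashlib.sha256(x.to_bytes(BITS // 8, "big")).hexdigest()

def opens(commitment: str, x: int) -> bool:
    """Binding check the *receiving* party runs before accepting a revealed
    value: in range and hashes to what was published."""
    return 0 <= x < 2**BITS and commit(x) == commitment

def coin_flip(x: int, a: str, y: int, b: str) -> str:
    """Step 3: both openings are verified, then the parity of X + Y decides."""
    if not opens(a, x):
        raise ValueError("first party's X does not open A")
    if not opens(b, y):
        raise ValueError("second party's Y does not open B")
    return "first" if (x + y) % 2 == 0 else "second"

def honest_flip(rng=None) -> str:
    """The protocol as written: choose, publish commitments, then reveal."""
    rng = rng or secrets.SystemRandom()
    x, y = rng.randrange(2**BITS), rng.randrange(2**BITS)
    a, b = commit(x), commit(y)              # exchanged before either value is revealed
    return coin_flip(x, a, y, b)

def change_x_after_seeing_y(x: int, a: str, y: int) -> bool:
    """Second question on the slide: the first party sees Y and 'reveals' an
    X' chosen so that X' + Y is even. Returns True only if the cheat is accepted."""
    x_cheat = x if (x + y) % 2 == 0 else x + 1    # flip the parity to win
    return opens(a, x_cheat) and (x_cheat + y) % 2 == 0

def parity_from_commitment(b: str, bits: int):
    """First question on the slide: if Y were drawn from only [0, 2^bits) with
    small `bits`, the first party could brute-force B = H(Y), learn Y's parity
    and pick X accordingly. Returns the parity, or None if the range is too
    large to search (2^256 is far beyond any search)."""
    if bits > 20:
        return None
    for y in range(2**bits):
        if commit(y) == b:
            return y % 2
    return None
```

Waiting to see H(Y) before choosing X therefore gains nothing only because Y has 256 bits of entropy; changing X after seeing Y is caught because the verifier recomputes H(X) and compares it with A. Both checks are the receiver's job, not the sender's.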
Computing Average Salary
n professors in a room would like to
compute their average salary, but they do
not wish to reveal their salary to the others. In
fact, they do not wish to reveal their salary
to any coalition of n-2 professors. (A coalition of
n-1 could always recover the remaining salary from the
average, so n-2 is the best one can ask for.)
Protocol
Collusion
• Suppose prof3 through profn collude.
• What can they learn about the salaries of prof1
and prof2?
• They can deduce s1 + s2 from the sum, but this
is inherent in the computation.
• They have shares r1,3 through r1,n and r2,3
through r2,n.
• They can deduce r1,1 + r1,2 + r2,1 + r2,2 from the
shares they have and s1 + s2.
• But they can't deduce s1 or s2 individually: every
split of s1 + s2 is consistent with the shares they hold.
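The protocol slide above is blank on this page; the collusion analysis uses shares r_{i,j}, which matches additive secret sharing: professor i splits s_i into n random shares r_{i,1}, ..., r_{i,n} that sum to s_i, hands r_{i,j} to professor j, every professor publishes the sum of the shares received, and the public total divided by n is the average. The following added example (not from the slides; this reading of the notation, the modulus M and the function names are my assumptions) runs that protocol and then shows what a coalition of n-2 professors sees: it recovers s1 + s2, but for any alternative split of that sum there exist hidden shares that reproduce its view exactly.

```python
import secrets

M = 2**64     # shares live in Z_M; salaries must stay far below M / n so the
              # true total never wraps

def split(secret: int, n: int) -> list:
    """Professor i splits s_i into n random shares r_{i,1..n} summing to s_i (mod M)."""
    shares = [secrets.randbelow(M) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % M)
    return shares

def run_protocol(salaries: list):
    """r[i][j] is the share professor i hands to professor j. Professor j
    publishes the column sum t_j; sum_j t_j = sum_i s_i, and dividing by n
    gives the average. Returns (average, r, published)."""
    n = len(salaries)
    r = [split(s, n) for s in salaries]
    published = [sum(r[i][j] for i in range(n)) % M for j in range(n)]
    return (sum(published) % M) / n, r, published

def coalition_view(r, published, coalition: set) -> dict:
    """Everything the colluders see: their own rows, every share handed to one
    of them by an outsider, and the public column sums."""
    n = len(r)
    return {"rows": {i: list(r[i]) for i in coalition},
            "received": {(i, j): r[i][j] for i in range(n) if i not in coalition
                         for j in coalition},
            "published": list(published)}

def coalition_deduces_sum(view: dict) -> int:
    """Public total minus the colluders' own salaries: the outsiders' combined
    salary, which any average computation necessarily leaks."""
    total = sum(view["published"]) % M
    own = sum(sum(row) % M for row in view["rows"].values())
    return (total - own) % M

def explain(view: dict, outsiders: tuple, alt: tuple):
    """For two outsiders (a, b) and ANY alternative salaries `alt` with the right
    sum, construct hidden shares r[a][a], r[a][b], r[b][a], r[b][b] that
    reproduce the coalition's view exactly. Since such shares exist for every
    split of s_a + s_b, the view says nothing about the split.
    Returns {(i, j): share}, or None if alt has the wrong sum."""
    a, b = outsiders
    coalition = view["rows"].keys()
    # row constraints: hidden shares of a sum to s_a' minus what a handed out
    row_a = (alt[0] - sum(view["received"][(a, j)] for j in coalition)) % M
    row_b = (alt[1] - sum(view["received"][(b, j)] for j in coalition)) % M
    # column constraints: published t_a minus what the colluders handed to a
    col_a = (view["published"][a] - sum(view["rows"][i][a] for i in coalition)) % M
    col_b = (view["published"][b] - sum(view["rows"][i][b] for i in coalition)) % M
    if (row_a + row_b) % M != (col_a + col_b) % M:
        return None                         # only s_a + s_b is pinned down
    r_aa = secrets.randbelow(M)             # one free choice: a whole family of explanations
    return {(a, a): r_aa, (a, b): (row_a - r_aa) % M,
            (b, a): (col_a - r_aa) % M, (b, b): (row_b - col_a + r_aa) % M}
```

Working modulo M matters: with unbounded integer shares a colluder could bound a salary from the sizes of the shares it sees, whereas in Z_M every share it receives is uniformly distributed whatever the salary is.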
Two-Party Secure AND Computation
Alice and Bob wish to know whether they
mutually have feelings for each other.
• If both have feelings for the other, great!
• If Alice loves Bob but Bob does not love
Alice back, Alice would be embarrassed: she would not want Bob to know that she
loves him (and vice versa).
Securely computing AND
truth table
A B AND
0 0  0
0 1  0
1 0  0
1 1  1
Rows 1 and 2 (A = 0): Alice does not learn which case occurred.
Rows 1 and 3 (B = 0): Bob does not learn which case occurred.
Row 4: both learn the other's input, by definition of AND.
Protocol
1. Place Alice's two input cards, a heart, and Bob's two input cards
in that order, face down.
2. Shuffle by a random cyclic shift of the five cards.
3. Reveal the cards and read off the result from the cyclic pattern.
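The card protocol above, as an added simulation that is not from the slides. The slide does not give the card encoding; the example uses den Boer's five-card trick encoding (an assumption on my part): each party commits a bit with a club and a heart in one of two orders, Bob's order mirrored to Alice's, and after the cyclic shift the result is read off from whether the three hearts are adjacent around the cycle. The `possible_reveals` function shows why this is secure: the three input pairs with AND = 0 all produce the same set of possible revealed sequences, so a party with input 0 cannot tell which one occurred.

```python
import random

def encode(player: str, bit: int) -> tuple:
    """Two-card commitment to one bit (five-card trick encoding, assumed here).
    Alice: 1 -> C H, 0 -> H C; Bob uses the mirror image so that the three
    hearts line up exactly when both bits are 1."""
    alice = ("C", "H") if bit else ("H", "C")
    return alice if player == "alice" else alice[::-1]

def lay_out(a_bit: int, b_bit: int) -> list:
    """Step 1: Alice's cards, the fixed heart, Bob's cards, all face down."""
    return [*encode("alice", a_bit), "H", *encode("bob", b_bit)]

def cyclic_shift(cards: list, k: int) -> list:
    """Step 2: a cyclic shift by k that nobody tracks (a real run uses a
    random cut of the face-down pile)."""
    k %= len(cards)
    return cards[k:] + cards[:k]

def hearts_adjacent(cards: list) -> bool:
    """Step 3: AND = 1 iff the three hearts are consecutive around the cycle."""
    n = len(cards)
    return any(all(cards[(i + d) % n] == "H" for d in range(3)) for i in range(n))

def secure_and(a_bit: int, b_bit: int, rng=random) -> tuple:
    """Returns (a AND b, the revealed sequence)."""
    revealed = cyclic_shift(lay_out(a_bit, b_bit), rng.randrange(5))
    return int(hearts_adjacent(revealed)), revealed

def possible_reveals(a_bit: int, b_bit: int) -> set:
    """Every sequence the reveal can show for one input pair. The three
    0-rows of the truth table give the *same* set, which is why a party with
    input 0 learns nothing about the other's input."""
    return {"".join(cyclic_shift(lay_out(a_bit, b_bit), k)) for k in range(5)}
```

The security argument is the equality of the three 0-case sets: the revealed sequence is distributed identically for (0,0), (0,1) and (1,0), so it carries no information beyond the AND itself. The (1,1) set is disjoint from them, which is what makes the output readable.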
We have seen so far:
• n-party secure computation for addition
(n>2)
• 2-party secure computation for AND
(multiplication mod 2)
This is tantalizing: gives us reason to hope
that secure multiparty computation is
generally possible for any function!
Byzantine Agreement Requirement
[Consensus]
• All honest nodes agree on the same value
[Validity]
• If sender is correct, all honest nodes
agree on sender’s proposed value
A protocol that defends against f
malicious nodes in f+1 rounds
extracted = {}; the sender signs its value and sends it to all nodes
for round r = 1 ... f+1:
• receive messages
• keep only messages whose value v has not already
been extracted and that carry r distinct valid signatures,
the first of them the sender's
• if v is extracted in this round and this node has not
relayed v in any earlier round: append the node's signature and
relay v to the nodes not yet on the signature list
In round f+1, decide as follows:
• decide the default value 0 if two values have been extracted
• decide 0 if no value has been extracted
• decide v if exactly one value v has been extracted
Validity: if the sender is honest, it signs a single value v and sends
it to everyone in round 1, so all correct nodes extract v in round 1;
no correct node can extract anything else, because every accepted message
must carry the sender's signature and an honest sender never signs a second value.
Proof of consensus
Claim 1: If a correct node extracts v in
round r < f+1, then every correct node has
extracted v by round r+1 ≤ f+1: the node appends its
signature and relays v in round r, and the relayed message
carries r+1 distinct signatures, so it is accepted in round r+1.
Claim 2: If a correct node extracts a value
v carrying the signature chain v{p1, p2, … pr} in round r
(and not earlier), then p1, p2, … pr-1 are all faulty: p1 is the
sender, and pi (for 1 < i < r) signed v in round i-1; had any of
them been correct, it would have sent v to every node and our node
would have extracted v by round i ≤ r-1.
Claim 3: If a correct node extracts a value
v{p1, p2, … pf+1} in round f+1,
then p1, p2, … pf are faulty by Claim 2, and since there are at
most f faulty nodes, pf+1 must be correct.
Consensus: suppose some correct node did not extract v by round
f+1, while another correct node did extract v.
• If the other node extracted v in a round r < f+1, then every
correct node extracted v by round r+1 ≤ f+1 by Claim 1:
contradiction.
• If the other node extracted v in round r = f+1, then by Claim 3
the last signer pf+1 is correct, so it relayed v to every node
in round f and all correct nodes extract v in round f+1 (if not
earlier): contradiction.
So every correct node extracts exactly the same set of values and
applies the same decision rule, which gives consensus.
This is not the most efficient
Byzantine Agreement protocol