Multi-Party Proofs and Computation Based in part on materials from Cornell class CS 4830. Interactive Proofs A prover must convince a verifier that some statement is true. Typically the prover is thought of as all powerful, while the verifier has limited computational ability. The verifier doesn’t trust the prover. 2 Sudoku How can the prover convince the verifier that this puzzle has a solution? Interactive Proof Prover shows the verifier a solution. Verifier checks every row, column, 3x3 box. Pepsi Challenge Professor Maggs claims that he can distinguish Pepsi from Coke without ever making an error. How can this claim be verified? Experiment: Boyang: Randomly decides (with equal probability) on Coke or Pepsi and hands the professor a glass containing the chosen drink. Professor: Takes a sip of the drink and pronounces “Coke” or “Pepsi”. Boyang: Notes whether the pronouncement was correct, and repeats. Verifying the Claim Suppose that the professor can actually only tell the difference between Coke and Pepsi with probability p. After t trials, the probability that the professor gets the answer correctly every time is pt. Example, for p = 0.9, t = 100, pt < 0.00003 Zero-Knowledge Proof Prover wants to convince verifier that some statement is true, without revealing anything about the proof. Rewording: prover wants to convince verifier that prover knows a solution to a problem without revealing any information about the solution. Hamilton Path A graph has a Hamilton path if there is a path through the graph that visits every vertex exactly one. 5 1 2 6 7 4 3 Zero-Knowledge Proof Prover: 1.Draw the graph on a piece of cardboard with vertices positioned at random places. Vertices are unnumbered. 2.Cover the drawing with scratch-off paint. 3.Give the cardboard to the verifier Verification The verifier flips a unbiased random coin, then based on the outcome asks the prover to do one of two things: 1: Reveal the numbers of the vertices. The verifier will then check that the graph is correct. 2: Reveal the Hamilton path (without revealing the numbers of the vertices). The verifier then knows that the drawn graph is Hamiltonian. If the graph is Hamiltonian, the prover always succeeds. If the graph is not Hamiltonian, the prover fails with probability ½. Note that Hamilton Path is NP-complete, i.e., every other problem in NP can be reduced to Hamilton Path ZKP for Hamilton Path → ZKP for all NP! How to flip a coin over the Internet 1. First party chooses a random number X in the range [02256) publishes A := H(X) 2. Second party likewise chooses a number Y publishes B := H(Y) 3. After receiving A,B, both parties reveal X and Y If (X+Y) is even, first party wins. What if first party waits to see H(Y) before choosing X? What if first party tries to change X after seeing Y? Computing Average Salary n professors in a room would like to compute their average salary, but they do not wish to reveal their salary to others. in fact, they do not wish to reveal their salary to any coalition of n-2 professors. Protocol • Collusion • Suppose prof3 through profn collude. • What can they learn about the salaries of prof1 • • • • and prof2? They can deduce s1 + s2 from the sum, but this in inherent in the computation. They have shares r1,3 through r1,n and r2,3 through r2,n They can deduce r1,1+r1,2+r2,1+r2,2 from the shares they have and s1 + s2 But they can’t deduce s1 or s2 to an accuracy greater than r1,1+r1,2+r2,1+r2,2 16 Two-Party Secure AND Computation Alice and Bob wish to know whether they mutually have feelings for each other. • If both have feelings for the other, great! • If Alice loves Bob but Bob does not love Alice back, Alice will be embarrassed -she would not want Bob to know that she loves Bob (or vice versa) Securely computing AND Bob does not learn which case truth table A B AND 0 0 0 Alice does not learn which case 01 0 10 0 1 1 1 both learn the others’ input by definition Protocol 1. place Alice’s input cards, heart, Bob’s input cards in order, face down 1. shuffle (cycle shift) 1. reveal We have seen so far: • n-party secure computation for addition (n>2) • 2-party secure computation for AND (multiplication mod 2) This is tantalizing: gives us reason to hope that secure multiparty computation is generally possible for any function! Byzantine Agreement Requirement [Consensus] • All honest nodes agree on the same value [Validity] • If sender is correct, all honest nodes agree on sender’s proposed value A protocol that defends against f malicious nodes in f+1 rounds extracted = {}, sender signs value and sends it to all for round r = 1...f+1: • receive message • preserve only messages whose value v has not been extracted, and has r distinct sigs • if v is extracted in this round and node has not relayed v in any round: append node’s sig and relay v to nodes not on the signature list In round f+1: decide based on the following • decide 0 if 2 values have been extracted • decide 0 if no value has been extracted • decide v is a single value v has been extracted Validity: If sender is honest, then all correct nodes will extract sender’s value v, and all correct nodes can’t extract anything else Proof of consensus Claim 1: If a correct node extracts v in round r < f+1, then all correct nodes must have extracted v by round f+1. Proof of consensus Claim 2: If a node extracts a value v{p1, p2, … pr} in round r then p1, p2, …pr-1 are faulty Claim 3: If a node extracts a value v{p1, p2, … pf+1} in round f+1 then p1, p2, …pf are faulty, and pf+1 must be correct If a correct node did not extract v by round f+1. • suppose another correct node extracted v in round r < f+1. this is impossible by claim 1 • suppose that another correct node extracted v in round r = f+1, then by claim 3, pf+1 is correct, and therefore all correct nodes must extract v in round r=f+1 (if not earlier), since the correct pf+1 will send the message to everyone in round f+1 This is not the most efficient Byzantine Agreement protocol