Almost-Everywhere Secure Computation with Edge Corruptions
We consider secure multi-party computation (MPC) in a setting where
the adversary can separately corrupt not only the parties (nodes) but
also the communication channels (edges), and can furthermore choose
selectively and adaptively which edges or nodes to corrupt. Note that
if an adversary corrupts an edge, even if the two nodes that share
that edge are honest, the adversary can control the link and thus
deliver wrong messages to both players. We consider this question in
the information-theoretic setting, and require security against a
computationally unbounded adversary.
In a fully connected network the above question is simple (and we also provide an answer that is optimal up to a constant factor). What makes the problem more challenging is to consider the case of sparse networks.
Partially connected networks are far more realistic than fully
connected networks, which led Garay and Ostrovsky [Eurocrypt'08] to
formulate the notion of (unconditional) \emph{almost everywhere (a.e.)
secure computation} in the node-corruption model, i.e., a model in
which not all pairs of nodes are connected by secure channels and the
adversary can corrupt some of the nodes (but not the edges). In such a setting,
MPC amongst all honest nodes cannot be guaranteed due
to the possible poor connectivity of some honest nodes with other
honest nodes, and hence some of
them must be ``given up'' and left out of the
computation. The number of such nodes is a function of the underlying
communication graph and the adversarial set of nodes.
In this work we introduce the notion of \emph{almost-everywhere secure
computation with edge corruptions}, which is exactly the same problem as
described above, except that we additionally allow the adversary to
completely control some of the communication channels between two
correct nodes---i.e., to ``corrupt'' edges in the network. While it is
easy to see that an a.e. secure computation protocol for the original
node-corruption model is also an a.e. secure computation protocol tolerating
edge corruptions (albeit for a reduced fraction of edge corruptions
with respect to the bound for node corruptions), no polynomial-time
protocol is known in the case where a {\bf constant fraction} of the edges can be corrupted (i.e., the maximum that can be tolerated)
and the degree of the network is sub-linear.
We make progress on this front, by constructing graphs of degree
(for arbitrary constant ) on which we
can run a.e. secure computation protocols tolerating a constant fraction of
adversarial edges. The number of given-up nodes in our construction
is (for some constant that depends on the fraction
of corrupted edges), which is also asymptotically optimal.
Efficient Constructions for Almost-everywhere Secure Computation
The importance of efficient MPC in today's world needs no retelling. An obvious barebones requirement to execute protocols for MPC is the ability of parties to communicate with each other. Traditionally, we solve this problem by assuming that every pair of parties in the network share a dedicated secure link that enables reliable message transmission. This assumption is clearly impractical as the number of nodes in the network grows, as it has today. In their seminal work, Dwork, Peleg, Pippenger and Upfal introduced the notion of almost-everywhere secure primitives in an effort to model the reality of large scale global networks and study the impact of limited connectivity on the properties of fundamental fault-tolerant distributed tasks. In this model, the underlying communication network is sparse and hence some nodes may not even be in a position to participate in the protocol (all their neighbors may be corrupt, for instance). A protocol for almost-everywhere reliable message transmission, which would guarantee that a large subset of the network can transmit messages to each other reliably, implies a protocol for almost-everywhere agreement, where nodes are required to agree on a value despite malicious or byzantine behavior of some subset of nodes, and an almost-everywhere agreement protocol in turn implies a protocol for almost-everywhere secure MPC that is unconditionally or information-theoretically secure. The parameters of interest are the degree of the network, the number of corrupted nodes that can be tolerated and the number of nodes that the protocol may give up. Prior work achieves for and for for some fixed constant .
In this work, we first derive message protocols which are efficient with respect to the total number of computations done across the network. We use this result to show an abundance of networks with that are resilient to random corruptions. This randomized result helps us build networks which are resistant to worst-case adversaries.
In particular, we improve the state of the art in the almost everywhere reliable message transmission problem in the worst-case adversary model by showing the existence of an abundance of networks that satisfy for , thus making progress on this question after nearly a decade. Finally, we define a new adversarial model of corruptions that is suitable for networks shared amongst a large group of corporations that: (1) do not trust each other, and (2) may collude,
and construct optimal networks achieving for in this model.
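The two abstracts above both rest on the same primitive: almost-everywhere reliable message transmission over a sparse graph, where a sender pushes copies of a message along several internally disjoint paths and the receiver takes a majority, and nodes whose paths are too exposed are given up. The following Python simulation is an added illustration and is not code from either paper: it treats a corrupted link between two honest nodes exactly like a corrupted relay (the edge-corruption model of the first abstract), and shows how a single corrupted edge plus a single corrupted node can already leave a pair of honest nodes without a majority. The hypercube network, the greedy BFS path search and the greedy give-up rule are assumptions of this example, not the papers' constructions, which achieve their bounds with specially built graphs and protocols.

```python
from collections import Counter, deque

FORGED = "forged"  # worst case: every corrupted copy carries the same wrong value

def hypercube(dim):
    """Constructed sample network: the dim-dimensional hypercube (2^dim nodes,
    each with only dim links), used here as a stand-in for a sparse network."""
    return {u: [u ^ (1 << b) for b in range(dim)] for u in range(1 << dim)}

def edge(u, v):
    """Undirected link identifier."""
    return (u, v) if u < v else (v, u)

def find_disjoint_paths(adj, src, dst, k):
    """Greedy internally vertex-disjoint paths: BFS a shortest path, block its
    interior nodes, repeat up to k times (a heuristic, not max-flow)."""
    blocked, paths = set(), []
    for _ in range(k):
        parent, q = {src: None}, deque([src])
        while q and dst not in parent:
            u = q.popleft()
            for v in adj[u]:
                if v not in parent and v not in blocked:
                    parent[v] = u
                    q.append(v)
        if dst not in parent:
            break
        path = [dst]
        while path[-1] != src:
            path.append(parent[path[-1]])
        path.reverse()
        paths.append(path)
        blocked.update(path[1:-1])
    return paths

def deliver(path, msg, bad_nodes, bad_edges):
    """One copy of msg relayed hop by hop. The adversary rewrites it if it
    controls any relay node or any link on the path; a corrupted link between
    two honest nodes is enough."""
    relays = path[1:-1]
    links = [edge(path[i], path[i + 1]) for i in range(len(path) - 1)]
    if any(r in bad_nodes for r in relays) or any(l in bad_edges for l in links):
        return FORGED
    return msg

def receive(copies):
    """The receiver accepts a value only if a strict majority of copies agree."""
    value, count = Counter(copies).most_common(1)[0]
    return value if 2 * count > len(copies) else None

def transmit(adj, src, dst, msg, bad_nodes, bad_edges, k):
    paths = find_disjoint_paths(adj, src, dst, k)
    return receive([deliver(p, msg, bad_nodes, bad_edges) for p in paths])

def privileged_set(adj, bad_nodes, bad_edges, k):
    """Honest nodes that survive a greedy give-up rule: repeatedly drop the
    honest node with the most unreliable honest partners until every remaining
    ordered pair transmits reliably. The dropped nodes are the given-up ones."""
    alive = set(adj) - set(bad_nodes)
    while alive:
        failures = {u: sum(transmit(adj, u, v, "m", bad_nodes, bad_edges, k) != "m"
                           for v in alive if v != u) for u in alive}
        worst = max(alive, key=failures.get)
        if failures[worst] == 0:
            break
        alive.remove(worst)
    return alive

if __name__ == "__main__":
    net = hypercube(4)
    bad_edges = {edge(0, 1)}  # link between honest nodes 0 and 1 is corrupted
    print(transmit(net, 0, 15, "m", set(), bad_edges, 4))   # m (3 of 4 copies clean)
    print(transmit(net, 0, 15, "m", {9}, bad_edges, 4))     # None (2 vs 2, no majority)
    print(sorted(privileged_set(net, {9}, bad_edges, 4)))
```

In the 4-dimensional hypercube the greedy search finds four disjoint paths between the antipodal nodes 0 and 15. Corrupting only the edge (0, 1) spoils one copy and the majority still carries the message; corrupting node 9 as well spoils a second path, the receiver sees a 2-2 split, and the pair (0, 15) is unreliable even though both endpoints are honest. That is the situation the a.e. model resolves by giving up nodes rather than by failing outright.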
Adversarial Wiretap Channel with Public Discussion
Wyner's elegant model of wiretap channel exploits noise in the communication
channel to provide perfect secrecy against a computationally unlimited
eavesdropper without requiring a shared key. We consider an adversarial model
of wiretap channel proposed in [18,19] where the adversary is active: it
selects a fraction of the transmitted codeword to eavesdrop and a
fraction of the codeword to corrupt by "adding" adversarial error. It
was shown that this model also captures network adversaries in the setting of
1-round Secure Message Transmission [8]. It was proved that secure
communication (1-round) is possible if and only if .
In this paper we show that by allowing communicants to have access to a
public discussion channel (authentic communication without secrecy) secure
communication becomes possible even if . We formalize the
model of adversarial wiretap channel with public discussion (AWTP-PD) protocols and, for two efficiency measures, {\em information
rate } and {\em message round complexity} derive tight bounds. We also
construct a rate optimal protocol family with minimum number of message rounds.
We show application of these results to Secure Message Transmission with Public
Discussion (SMT-PD), and in particular show a new lower bound on transmission
rate of these protocols together with a new construction of an optimal SMT-PD
protocol.
Breaking the O(n^2) Bit Barrier: Scalable Byzantine agreement with an Adaptive Adversary
We describe an algorithm for Byzantine agreement that is scalable in the
sense that each processor sends only bits, where is
the total number of processors. Our algorithm succeeds with high probability
against an \emph{adaptive adversary}, which can take over processors at any
time during the protocol, up to the point of taking over arbitrarily close to a
1/3 fraction. We assume synchronous communication but a \emph{rushing}
adversary. Moreover, our algorithm works in the presence of flooding:
processors controlled by the adversary can send out any number of messages. We
assume the existence of private channels between all pairs of processors but
make no other cryptographic assumptions. Finally, our algorithm has latency
that is polylogarithmic in . To the best of our knowledge, ours is the first
algorithm to solve Byzantine agreement against an adaptive adversary, while
requiring total bits of communication.
Secured Distributed Algorithms Without Hardness Assumptions
We study algorithms in the distributed message-passing model that produce secured output, for an input graph G. Specifically, each vertex computes its part in the output, the entire output is correct, but each vertex cannot discover the output of other vertices, with a certain probability. This is motivated by high-performance processors that are embedded nowadays in a large variety of devices. Furthermore, sensor networks were established to monitor physical areas for scientific research, smart-cities control, and other purposes. In such situations, it no longer makes sense, and in many cases it is not feasible, to leave the whole processing task to a single computer or even a group of central computers. As the extensive research in the distributed algorithms field yielded efficient decentralized algorithms for many classic problems, the discussion about the security of distributed algorithms was somewhat neglected. Nevertheless, many protocols and algorithms were devised in the research area of secure multi-party computation (MPC or SMC). However, the notions and terminology of these protocols are quite different from those of classic distributed algorithms. As a consequence, the focus in those protocols was to work for every function f at the expense of increasing the round complexity, or the necessity of several computational assumptions. In this work, we present a novel approach, which rather than turning existing algorithms into secure ones, identifies and develops those algorithms that are inherently secure (which means they do not require any further constructions). This approach yields efficient secure algorithms for various locality problems, such as coloring, network decomposition, forest decomposition, and a variety of additional labeling problems. Remarkably, our approach does not require any hardness assumption, but only a private randomness generator in each vertex.
This is in contrast to previously known techniques in this setting that are based on public-key encryption schemes.
Efficient Robust Secret Sharing from Expander Graphs
Threshold secret sharing is a protocol that allows a dealer to share a secret among players so that any coalition of players learns nothing about the secret, but any players can reconstruct the secret in its entirety.
Robust secret sharing (RSS) provides the additional guarantee that even if malicious players mangle their shares, they cannot cause the honest players to reconstruct an incorrect secret.
When , RSS is known to be impossible, but for much less is known.
When previous RSS protocols could either achieve optimal share size with inefficient (exponential time) reconstruction procedures, or sub-optimal share size with polynomial time reconstruction.
In this work, we construct a simple RSS protocol for that achieves logarithmic overhead in terms of share size and simultaneously allows efficient reconstruction. Our share size increases by an additive term of , and reconstruction succeeds except with probability at most . This provides a partial solution to a problem posed by Cevallos et al. in Eurocrypt 2012. Namely, when we show that the share size in RSS schemes does not require an overhead that is linear in .
Previous efficient RSS protocols like that of Rabin and Ben-Or (STOC '89) and Cevallos et al. (Eurocrypt '12) use MACs to allow each player to check the shares of each other player in the protocol. These checks provide robustness, but require significant overhead in share size. Our construction identifies the players with the nodes of an expander graph, and each player checks only its neighbors in that graph.
When , the concurrent, independent work of Cramer et al. (Eurocrypt '15) shows how to achieve shares that \emph{decrease} with the number of players using completely different techniques.
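To make the pairwise-MAC baseline that the abstract improves on concrete, here is an added Python example (not the paper's construction, and not code from any of the cited works): Shamir sharing over a prime field with an information-theoretic MAC on every ordered pair of players, in the style of Rabin and Ben-Or, followed by a reconstruction that accepts a share only if enough other players vouch for it. The field size, the threshold rule "at least t votes" for n = 2t+1, and the adversary's behaviour (mangle own shares, vouch for accomplices, reject honest shares) are assumptions of this example. It also shows where the linear overhead comes from: each player carries n-1 tags and n-1 keys, and the expander construction in the abstract is precisely about replacing that complete check graph with a sparse one.

```python
import random

P = (1 << 61) - 1  # prime field GF(P); an information-theoretic MAC is forged w.p. 1/P

def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def interpolate_at_zero(points):
    """Lagrange interpolation through (x, y) points evaluated at 0. Any t+1 or
    more points of one degree-t polynomial give the same value."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def mac(key, m):
    a, b = key
    return (a * m + b) % P

def deal(secret, n, t, rng):
    """Shamir (t, n) shares plus pairwise MACs: for every ordered pair (i, j),
    verifier j keeps key k_ij and owner i keeps tag MAC(k_ij, s_i). Each player
    thus stores O(n) extra field elements: the overhead the abstract reduces."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(t)]
    s = [poly_eval(coeffs, i + 1) for i in range(n)]
    keys = {(i, j): (rng.randrange(1, P), rng.randrange(P))
            for i in range(n) for j in range(n) if i != j}
    return [{"share": s[i],
             "tags": {j: mac(keys[i, j], s[i]) for j in range(n) if j != i},
             "keys": {j: keys[j, i] for j in range(n) if j != i}}
            for i in range(n)]

def reconstruct(submitted, verdicts, t):
    """submitted[i] = (share, tags) handed in by player i; verdicts[j][i] is
    player j's claim that i's tag verifies under k_ij. With n = 2t+1 an honest
    share is vouched for by at least t honest verifiers and a mangled one by at
    most t-1 accomplices, so 'at least t votes' separates them (forgeries aside)."""
    n = len(submitted)
    accepted = [(i + 1, submitted[i][0]) for i in range(n)
                if sum(verdicts[j][i] for j in range(n) if j != i) >= t]
    return interpolate_at_zero(accepted) if len(accepted) > t else None

def run(secret, n, t, corrupt, seed=1):
    """Simulated adversary (an assumption of this example): corrupt players
    mangle their shares, vouch for each other and reject every honest share."""
    rng = random.Random(seed)
    players = deal(secret, n, t, rng)
    submitted = {i: ((p["share"] + 1) % P if i in corrupt else p["share"], p["tags"])
                 for i, p in enumerate(players)}
    verdicts = {}
    for j, p in enumerate(players):
        verdicts[j] = {}
        for i in range(n):
            if i == j:
                continue
            if j in corrupt:
                verdicts[j][i] = i in corrupt
            else:
                share_i, tags_i = submitted[i]
                verdicts[j][i] = mac(p["keys"][i], share_i) == tags_i[j]
    return reconstruct(submitted, verdicts, t)

if __name__ == "__main__":
    SECRET = 123456789
    print(run(SECRET, 7, 3, {0, 1, 2}) == SECRET)     # True: n = 2t+1, t corrupt
    print(run(SECRET, 7, 3, {0, 1, 2, 3}) == SECRET)  # False: t+1 corrupt players
```

With n = 7 and t = 3 the three mangled shares collect only two votes each and are discarded, while the four honest shares collect three votes each and reconstruct the secret. Letting the adversary hold a fourth player inverts the vote counts, the four mangled shares are accepted, and reconstruction returns a wrong value; at that point secrecy is gone too, which is why the abstract's impossibility result bites as soon as the honest players are no longer a majority.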