Design of advanced primitives for secure multiparty computation : special shuffles and integer comparison

In modern cryptography, the problem of secure multiparty computation is about the cooperation between mutually distrusting parties computing a given function. Each party holds some private information that should remain secret as much as possible throughout the computation. A large body of research initiated in the early 1980's has shown that any computable function can be evaluated using secure multiparty computation. Though these feasibility results are general, their applicability in practical situations is rather unsatisfactory. This thesis concerns the study of two particular cryptographic primitives with focus on efficiency. The first primitive studied is a generalization of verifiable shuffles of homomorphic encryptions, where the shuffler is only allowed to apply a permutation from a restricted set of permutations. In this thesis, we consider shuffles using permutations from a k-fragile set, meaning that any k input-output correspondences uniquely identify a permutation within the set. We provide verifiable shuffles restricted to the set of all rotations (1-fragile), affine transformations (2-fragile), and Möbius transformations (3-fragile). Applications of these special shuffles include fragile mixing, electronic elections, secure function evaluation using scrambled circuits, and secure integer comparison. Two approaches for verifiable rotations are presented. On the one hand, we use properties of the Discrete Fourier Transform (DFT) to express in a compact way that a rotation is applied in a shuffle. The solution is efficient, but imposes some mild restrictions on the parameters to allow DFT to work. On the other hand, we present a general solution that does not impose any parameter constraint and works on any homomorphic cryptosystem. These protocols for rotations are used to build efficient shuffling protocols for affine and Möbius transformations. The second primitive is secure integer comparison. In a general scenario, parties are given homomorphic encryptions of the bits of two integers and, after running a protocol, an encryption of a bit is produced, telling the result of the greater-than comparison of the two integers. This is a useful building block for higher-level protocols such as electronic voting, biometrics authentication or electronic auctions. A study of the relationship of other problems to integer comparison is given as well. We present two types of solutions for integer comparison. Firstly, we consider an arithmetic circuit yielding secure protocols within the framework for multiparty computation based on threshold homomorphic cryptosystems. Our circuit achieves a good balance between round and computational complexities, when compared to the similar solutions in the literature. The second type of solutions uses a intricate approach where different building blocks are used. A full analysis is made for the two-party case where efficiency of the resulting protocols compares favorably to other solutions and approaches

Universally Verifiable MPC with Applications to IRV Ballot Counting

We present a very simple universally verifiable MPC protocol. The first component is a threshold somewhat homomorphic cryptosystem that permits an arbitrary number of additions (in the source group), followed by a single multiplication, followed by an arbitrary number of additions in the target group. The second component is a black-box construction of universally verifiable distributed encryption switching between any public key encryption schemes supporting shared setup and key generation phases, as long as the schemes satisfy some natural additive-homomorphic properties. This allows us to switch back from the target group to the source group, and hence perform an arbitrary number of multiplications. The key generation algorithm of our prototypical cryptosystem, which is based upon concurrent verifiable secret sharing, permits robust re-construction of powers of a shared secret. We demonstrate the scalability of distribution switching as a viable approach to secure vote tallying by implementing a private verifiable form of Instant Runoff Voting on real Australian election data comprising 40,000 votes

Secure and fair two-party computation

Consider several parties that do not trust each other, yet they wish to correctly compute some common function of their local inputs while keeping these inputs private. This problem is known as "Secure Multi-Party Computation", and was introduced by Andrew Yao in 1982. Secure multi-party computations have some real world examples like electronic auctions, electronic voting or fingerprinting. In this thesis we consider the case where there are only two parties involved. This is known as "Secure Two-Party Computation". If there is a trusted third party called Carol, then the problem is pretty straightforward. The participating parties could hand their inputs in Carol who can compute the common function correctly and could return the outputs to the corresponding parties. The goal is to achieve (almost) the same result when there is no trusted third party. Cryptographic protocols are designed in order to solve these kinds of problems. These protocols are analyzed within an appropriate model in which the behavior of parties is structured. The basic level is called the Semi-Honest Model where parties are assumed to follow the protocol specification, but later can derive additional information based on the messages which have been received so far. A more realistic model is the so-called Malicious Model. The common approach is to first analyze a protocol in the semi-honest model and then later extend it into the malicious model. Any cryptographic protocol for secure two-party computation must satisfy the following security requirements: correctness, privacy and fairness. It must guarantee the correctness of the result while preserving the privacy of the parties’ inputs, even if one of the parties is malicious and behaves arbitrarily throughout the protocol. It must also guarantee fairness. This roughly means that whenever a party aborts the protocol prematurely, he or she should not have any advantage over the other party in discovering the output. The main question for researchers is to construct new protocols that achieve the above mentioned goals for secure multi-party computation. Of course, such protocols must be secure in a given model, as well as be as efficient as possible. In 1986, Yao presented the first general protocol for secure two-party computation which was applicable only to the semi-honest model. He uses a tool called "Garbled Circuit". Yao’s protocol uses the underlying primitives ("Pseudorandom Generator" and "Oblivious Transfer") as blackboxes which lead to efficient results. After Yao’s work many variants and improvements have been proposed for the malicious model. In this thesis, we design several new protocols for secure two-party computation based on Yao’s garbled circuit. Before we present the details of our new designs, we first show several weaknesses, security flaws or problems with the existing protocols in the literature. We first work in the semi-honest model and then extend it into the malicious model by presenting new protocols. Finally we add fairness to our protocol. Oblivious transfer (OT) is a fundamental primitive in modern cryptography which is useful for implementing protocols for secure multi-party computation. We study several variants of oblivious transfer in this thesis. We present a new protocol for the so-called "Committed OT". This protocol is very efficient in the sense that it is quite good in comparison to the most efficient committed OT protocols in the literature. The abovementioned flaw with the use of OT can be fixed with our committed oblivious transfer protocol. Furthermore, it is more general than all previous protocols, and, therefore, it is of independent interest. We also deal with fairness in this thesis. For protocols based on garbled circuit, so far only Benny Pinkas has presented a protocol in the literature for achieving fairness. We show a subtle problem with this protocol where the privacy of the inputs of one party can be compromised. We also describe this problem in detail which is in fact related to the fairness, and finally propose a more efficient scheme that does achieve fairness

Mental Card Gaming Protocols Supportive Of Gameplay Versatility, Robustness And Efficiency

Pennainan kad mental merupakan protokol kriptografi yang membolehkan pennainan yang ~ disahkan adil di kalangan parti-parti jauh yang penyangsi dan berpotensi menipu. Pennainan kad ini setidak-tidaknya patut menyokong-tanpa memperkenal~an parti ketiga yang dipercayai (TTP)--rahsia kad, pengesanan penipuan dan keselamatan bersyarat ke atas pakatan pemain. Tambahan kepada keperJuan asas ini, kami meninjau isu-isu pennainan kad mental yang berkaitan dengan fungsian permainan, keteguhan operasional dan kecekapan implementasi. Pengkajian kami diberangsang oleh potensi pennainan berasaskan komputer dan rangkaian yang melewati batas kemampuan kad fizikal, terutamanya pembongkaran maklumat terperinci kad (seperti warna, darjat, simbol atau kebangsawanan) sambil merahsiakan nilai keseluruhan kad tersebut. ~. Mental card games are cryptographic protocols which permit verifiably fair gameplay among a l< ~. priori distrustful and potentially untrustworthy remote parties and should minimally providewithout the introduction of a trusted third party (TTP)---for card confidentiality, fraud detection and conditional security against collusion. In addition to these basic requirements, we explore into gameplay functionality, operational robustness and implementation efficiency issues of mental card gaming. Our research is incited by the potential of computer-based and networkmediated gameplay beyond the capability of physical cards, particularly fine-grained information disclosure (such as colour, rank, symbol or courtliness) with preservation of card secrecy. On the other hand, being network connected renders the protocol susceptible to (accidental or intentional) disconnection attack, as well as other malicious behaviours

Hierarchical and dynamic threshold Paillier cryptosystem without trusted dealer

We propose the first hierarchical and dynamic threshold Paillier cryptosystem without trusted dealer and prove its security in the malicious adversary model. The new cryptosystem is fully distributed, i. e., public and private key generation is performed without a trusted dealer. The private key is shared with a hierarchical and dynamic secret sharing scheme over the integers. In such a scheme not only the amount of shareholders, but also their levels in the hierarchy decide whether or not they can reconstruct the secret and new shareholders can be added or removed without reconstruction of the secret

Born and Raised Distributively: Fully Distributed Non-Interactive Adaptively-Secure Threshold Signatures with Short Shares

International audienceThreshold cryptography is a fundamental distributed computational paradigm for enhancing the availability and the security of cryptographic public-key schemes. It does it by dividing private keys into $n$ shares handed out to distinct servers. In threshold signature schemes, a set of at least $t+1 \leq n$ servers is needed to produce a valid digital signature. Availability is assured by the fact that any subset of $t+1$ servers can produce a signature when authorized. At the same time, the scheme should remain robust (in the fault tolerance sense) and unforgeable (cryptographically) against up to $t$ corrupted servers; {\it i.e.}, it adds quorum control to traditional cryptographic services and introduces redundancy. Originally, most practical threshold signatures have a number of demerits: They have been analyzed in a static corruption model (where the set of corrupted servers is fixed at the very beginning of the attack), they require interaction, they assume a trusted dealer in the key generation phase (so that the system is not fully distributed), or they suffer from certain overheads in terms of storage (large share sizes). In this paper, we construct practical {\it fully distributed} (the private key is born distributed), non-interactive schemes -- where the servers can compute their partial signatures without communication with other servers -- with adaptive security ({\it i.e.}, the adversary corrupts servers dynamically based on its full view of the history of the system). Our schemes are very efficient in terms of computation, communication, and scalable storage (with private key shares of size $O(1)$, where certain solutions incur $O(n)$ storage costs at each server). Unlike other adaptively secure schemes, our schemes are erasure-free (reliable erasure is a hard to assure and hard to administer property in actual systems). To the best of our knowledge, such a fully distributed highly constrained scheme has been an open problem in the area. In particular, and of special interest, is the fact that Pedersen's traditional distributed key generation (DKG) protocol can be safely employed in the initial key generation phase when the system is born -- although it is well-known not to ensure uniformly distributed public keys. An advantage of this is that this protocol only takes one round optimistically (in the absence of faulty player)

Actively Secure Two-Party Computation: Efficient Beaver Triple Generation

Töö kombineerib erinevaid ideid, et saavutada aktiivses mudelis turvalist kahe osapoolega ühisarvutust. Töö käigus defineerime Sharemindi raamistikku kaks uut turvaala. Kasutame aditiivset ühissalastust, sõnumiautentimisskeeme, aditiivselt homomorfset krüptosüsteemi ning nullteadmustõestusi. Protokollistikud jagame kahte osasse, vastavalt ettearvutamise ja töö faas. Ettearvutamise ajal valmistatakse ette juhuslikke väärtusi, mis võimaldavad töö faasis arvutusi kiirendada. Eelkõige keskendume korrutamise jaoks vajalike Beaveri kolmikute genereerimisele.This thesis combines currently popular ideas in actively secure multi-party computation to define two actively secure two-party protocol sets for Sharemind secure multi-party computation framework. This includes additive secret sharing, dividing work as online and precomputation phase, using Beaver triples for multiplication and using message authentication codes for integrity checks. Our protocols use additively homomorphic Paillier cryptosystem, especially in the precomputation phase. The thesis includes two different setups for secure two-party computation which are also implemented and compared to each other. In addition, we propose new ideas to use additively homomorphic cryptosystem to generate Beaver triples for any chosen modulus. The important aspects of Beaver triple generation are maximising the amount of useful bits we get from one generation and assuring that these triples are correct

Finding Safety in Numbers with Secure Allegation Escrows

For fear of retribution, the victim of a crime may be willing to report it only if other victims of the same perpetrator also step forward. Common examples include 1) identifying oneself as the victim of sexual harassment, especially by a person in a position of authority or 2) accusing an influential politician, an authoritarian government, or ones own employer of corruption. To handle such situations, legal literature has proposed the concept of an allegation escrow: a neutral third-party that collects allegations anonymously, matches them against each other, and de-anonymizes allegers only after de-anonymity thresholds (in terms of number of co-allegers), pre-specified by the allegers, are reached. An allegation escrow can be realized as a single trusted third party; however, this party must be trusted to keep the identity of the alleger and content of the allegation private. To address this problem, this paper introduces Secure Allegation Escrows (SAE, pronounced "say"). A SAE is a group of parties with independent interests and motives, acting jointly as an escrow for collecting allegations from individuals, matching the allegations, and de-anonymizing the allegations when designated thresholds are reached. By design, SAEs provide a very strong property: No less than a majority of parties constituting a SAE can de-anonymize or disclose the content of an allegation without a sufficient number of matching allegations (even in collusion with any number of other allegers). Once a sufficient number of matching allegations exist, the join escrow discloses the allegation with the allegers' identities. We describe how SAEs can be constructed using a novel authentication protocol and a novel allegation matching and bucketing algorithm, provide formal proofs of the security of our constructions, and evaluate a prototype implementation, demonstrating feasibility in practice.Comment: To appear in NDSS 2020. New version includes improvements to writing and proof. The protocol is unchange