
Catching MPC Cheaters: Identification and Openability

Conference paper. Information Theoretic Security (ICITS 2017).

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10681)

Abstract

Secure multi-party computation (MPC) protocols do not completely prevent malicious parties from cheating or disrupting the computation. We augment MPC with three new properties to discourage cheating. First is a strengthening of identifiable abort, called completely identifiable abort, where all parties who do not follow the protocol will be identified as cheaters by each honest party. The second is completely identifiable auditability, which means that a third party can determine whether the computation was performed correctly (and who cheated if it was not). The third is openability, which means that a distinguished coalition of parties can recover the MPC inputs.

We construct the first (efficient) MPC protocol achieving these properties. Our scheme is built on top of the SPDZ protocol (Damgård et al., Crypto 2012), which leverages an offline (computation-independent) pre-processing phase to speed up the online computation. Our protocol is optimistic, retaining online SPDZ efficiency when no one cheats. If cheating does occur, each honest party performs only local computation to identify cheaters.

Our main technical tool is a new locally identifiable secret sharing scheme (as defined by Ishai, Ostrovsky, and Zikas (TCC 2012)) which we call commitment enhanced secret sharing or CESS.

The work of Baum, Damgård, and Orlandi (SCN 2014) introduces the concept of auditability, which allows a third party to verify that the computation was executed correctly, but not to identify the cheaters if it was not. We enable the third party to identify the cheaters by augmenting the scheme with CESS. We add openability through the use of verifiable encryption and specialized zero-knowledge proofs.

Approved for public release: distribution unlimited. This material is based upon work supported under Air Force Contract No. FA8721-05-C-0002 and/or FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. Air Force.


Notes

  1. In this work we consider an arbitrary number of malicious parties. In this setting, it is impossible to guarantee termination without error [11].

  2. Cheater identification gained popularity in the areas of secret sharing [7, 18, 29] and pay television [10].

  3. We use Pedersen commitments [23] to enable efficient zero-knowledge proofs.

  4. An alternative approach uses bitcoin to introduce financial repercussions for cheating [1, 21].

  5. We use the Pedersen commitment scheme, which is information-theoretically hiding but only computationally binding. So, computational assumptions are only necessary for the correctness of cheater identification.

  6. Other sensitive applications include economic markets [5] and elections [2].

  7. We call the list of protocol messages the view of the protocol. We use the word transcript or \(\tau \) to refer to the public information used for auditing (following the notation of [2]).

  8. Robust secret sharing does not require security in the presence of a malicious dealer. This is in contrast to verifiable secret sharing [24]. Looking ahead, the reason we do not require security against a malicious dealer is that dealing is done via MPC in the preprocessing phase.

  9. We do not extend the definition of a locally identifiable secret sharing scheme to support private opening; rather, we just describe the functionality. We leave a formal definition to future work.

  10. The SPDZ protocol generates the same number of shared values. However, their sharings only contain an additive secret sharing and a linear MAC. The size of \(\langle \langle \rangle \rangle \)-shares grows linearly with the number of players, while SPDZ shares have a constant size for a fixed security parameter.

  11. Note that if a public transcript \(\tau \) is maintained, it contains all of these difference values.

  12. Their scheme is secure against chosen ciphertext attacks, which is unnecessary for our purposes.

  13. The simulator chooses the generators used in the Pedersen commitment scheme when selecting the CRS; he does so in such a way that he knows their discrete log relationship, which serves as his trapdoor.
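Notes 5 and 13 together describe the property that makes Pedersen commitments usable both for cheater identification and in the security proof: binding holds only as long as nobody knows the discrete-log relation between the generators, and whoever does know it (the simulator, via the CRS) can open a commitment to any value. The following is an added toy illustration, not code from the paper; the group parameters, the hash-derived honest generator and the function names are constructed here and are far too small for real use.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption): p = 2q + 1 with q prime, so the
# squares mod p form a subgroup of prime order q in which exponents live mod q.
Q = 1019
P = 2 * Q + 1
G = 4  # 2^2 mod p, a generator of the order-q subgroup

def commit(m, r, h):
    """Pedersen commitment C = g^m * h^r mod p (exponents reduced mod q)."""
    return (pow(G, m % Q, P) * pow(h, r % Q, P)) % P

def verify(c, m, r, h):
    """Check an opening (m, r) against commitment c."""
    return c == commit(m, r, h)

def honest_setup():
    """Nothing-up-my-sleeve h: derived from a hash, so no party knows log_g h.
    This is the setup a deployment wants; binding then rests on discrete log."""
    x = int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big") % (P - 3) + 2
    return pow(x, 2, P)  # squaring maps x into the order-q subgroup

def trapdoor_setup():
    """Simulator-style CRS (note 13): h = g^t with the trapdoor t retained."""
    t = secrets.randbelow(Q - 1) + 1
    return pow(G, t, P), t

def equivocate(m, r, m_new, t):
    """With t = log_g h, re-open a commitment to m as a commitment to m_new:
    g^m h^r = g^m' h^r'  <=>  m + t*r = m' + t*r' (mod q)."""
    inv_t = pow(t, -1, Q)
    return (r + (m - m_new) * inv_t) % Q

def extract_trapdoor(m1, r1, m2, r2):
    """Two different valid openings of one commitment yield log_g h, which is
    why breaking binding is as hard as discrete log (note 5)."""
    if r1 % Q == r2 % Q:
        raise ValueError("openings with equal randomness cannot differ")
    return ((m1 - m2) * pow(r2 - r1, -1, Q)) % Q
```

A deployment should therefore derive both generators from public, hash-based procedures; a party who could pick h = g^t would be able to equivocate exactly as the simulator does.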

References

  1. Andrychowicz, M., Dziembowski, S., Malinowski, D., Mazurek, L.: Secure multiparty computations on Bitcoin. Commun. ACM 59(4), 76–84 (2016)

  2. Baum, C., Damgård, I., Orlandi, C.: Publicly auditable secure multi-party computation. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 175–196. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10879-7_11

  3. Baum, C., Orsini, E., Scholl, P.: Efficient secure multiparty computation with identifiable abort. Cryptology ePrint Archive, Report 2016/187 (2016). http://eprint.iacr.org/2016/187

  4. Beaver, D.: Efficient multiparty protocols using circuit randomization. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 420–432. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_34

  5. Bogetoft, P., Christensen, D.L., Damgård, I., Geisler, M., Jakobsen, T., Krøigaard, M., Nielsen, J.D., Nielsen, J.B., Nielsen, K., Pagter, J., Schwartzbach, M., Toft, T.: Secure multiparty computation goes live. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 325–343. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03549-4_20

  6. Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_31

  7. Brickell, E.F., Stinson, D.R.: The detection of cheaters in threshold schemes. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 564–577. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_40

  8. Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_8

  9. Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067 (2000). http://eprint.iacr.org/2000/067

  10. Chor, B., Fiat, A., Naor, M.: Tracing traitors. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 257–270. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_25

  11. Cleve, R.: Limits on the security of coin flips when half the processors are faulty. In: Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, STOC 1986, pp. 364–369. ACM, New York (1986)

  12. Damgård, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_8

  13. Damgård, I., Keller, M., Larraia, E., Pastro, V., Scholl, P., Smart, N.P.: Practical covertly secure MPC for dishonest majority – or: breaking the SPDZ limits. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 1–18. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40203-6_1

  14. Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_38

  15. Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052225

  16. Hemenway, B., Lu, S., Ostrovsky, R., Welser IV, W.: High-precision secure computation of satellite collision probabilities. Cryptology ePrint Archive, Report 2016/319 (2016). http://eprint.iacr.org/2016/319

  17. Hemenway, B., Welser, W.I., Baiocchi, D.: Achieving higher-fidelity conjunction analyses using cryptography to improve information sharing. Technical report (2014). http://www.rand.org/pubs/research_reports/RR344.html

  18. Ishai, Y., Ostrovsky, R., Seyalioglu, H.: Identifying cheaters without an honest majority. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 21–38. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_2

  19. Ishai, Y., Ostrovsky, R., Zikas, V.: Secure multi-party computation with identifiable abort. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 369–386. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_21

  20. Jakhu, R.S.: Iridium-Cosmos collision and its implications for space operations. In: Schrogl, K.-U., Rathgeber, W., Baranes, B., Venet, C. (eds.) Yearbook on Space Policy 2008/2009. Yearbook on Space Policy, pp. 254–275. Springer, Vienna (2010). https://doi.org/10.1007/978-3-7091-0318-0_10

  21. Kumaresan, R., Bentov, I.: How to use Bitcoin to incentivize correct computations. In: Ahn, G.-J., Yung, M., Li, N. (eds.) ACM CCS 14: 21st Conference on Computer and Communications Security, 3–7 November 2014, pp. 30–41. ACM Press, Scottsdale (2014)

  22. Kurosawa, K., Obana, S., Ogata, W.: t-cheater identifiable (k, n) threshold secret sharing schemes. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 410–423. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_33

  23. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9

  24. Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In: 21st Annual ACM Symposium on Theory of Computing, 15–17 May 1989, pp. 73–85. ACM Press, Seattle (1989)

  25. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

  26. Spini, G., Fehr, S.: Cheater detection in SPDZ multiparty computation. In: Nascimento, A.C.A., Barreto, P. (eds.) ICITS 2016. LNCS, vol. 10015, pp. 151–176. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49175-2_8

  27. Tompa, M., Woll, H.: How to share a secret with cheaters. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 261–265. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_20

  28. Wright, D.: Colliding satellites: consequences and implications. Union Concerned Scientists 26, 1–10 (2009)

  29. Wu, T.-C., Wu, T.-S.: Cheating detection and cheater identification in secret sharing schemes. In: IEE Proceedings - Computers and Digital Techniques, vol. 142, pp. 367–369. IET (1995)

Acknowledgements

  2016 Massachusetts Institute of Technology. Delivered to the US Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work. The work of Benjamin Fuller was done in part at MIT Lincoln Laboratory.

The authors would like to thank Carsten Baum, Mayank Varia, Samuel Yeom, and Arkady Yerukhimovich for helpful discussion.

Corresponding author

Correspondence to Sophia Yakoubov.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Cunningham, R., Fuller, B., Yakoubov, S. (2017). Catching MPC Cheaters: Identification and Openability. In: Shikata, J. (ed.) Information Theoretic Security. ICITS 2017. Lecture Notes in Computer Science, vol. 10681. Springer, Cham. https://doi.org/10.1007/978-3-319-72089-0_7

  • DOI: https://doi.org/10.1007/978-3-319-72089-0_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-72088-3

  • Online ISBN: 978-3-319-72089-0

  • eBook Packages: Computer Science (R0)