ke yang ph.d. in computer science carnegie mellon university
DESCRIPTION
Ke Yang Ph.D. in Computer Science Carnegie Mellon University. My Research Interests…. Cryptography and Security Fair Computation Non-malleability Obfuscation and tamper-resistant software Quantum information theory and quantum computation Limitations in NMR computation - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/1.jpg)
04/24/23 Ke Yang, CMU 1
Ke Yang
Ph.D. in Computer ScienceCarnegie Mellon University
![Page 2: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/2.jpg)
04/24/23 Ke Yang, CMU 2
My Research Interests… Cryptography and Security
Fair Computation Non-malleability Obfuscation and tamper-resistant software
Quantum information theory and quantum computation Limitations in NMR computation EPR pair distillation
Machine Learning Computational Complexity Theory
![Page 3: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/3.jpg)
04/24/23 Ke Yang, CMU 3
Fair Computation Ke Yang
Carnegie Mellon University
![Page 4: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/4.jpg)
04/24/23 Ke Yang, CMU 4
Fairness: an example Consider the eBay problem…
Alice sells iPods and Bob wants to buy one. Alice likes to deliver the iPod only if Bob pays. Bob likes to pay only if Alice delivers.
We need a fair exchange!either Alice gets the $$$ and Bob gets the iPod, or none gets any.
![Page 5: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/5.jpg)
04/24/23 Ke Yang, CMU 5
Fairness means…
All should get the “stuff” they want at the same time.
(for the rest of this talk, “stuff” = “information”)
(fair exchange is a special case)
![Page 6: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/6.jpg)
04/24/23 Ke Yang, CMU 6
Fair exchange in business A fundamental issue
“I should receive what I paid for.” “I should get paid for what I deliver.”
(Traditional) solutions Proactive: enforcing fairness in the first place
escrow accounts, Cash-On-Delivery... Reactive: punishing unfair behavior afterwards
credit system, legal measures...
![Page 7: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/7.jpg)
04/24/23 Ke Yang, CMU 7
proactive vs. reactive The proactive solution…
is more effective“An ounce of prevention is worth a pound of cure.”
but is typically inefficientNeeds a trusted party, complicated procedure…
The reactive solution… is more efficient and more popular
Efficient normal execution (when nothing goes wrong). but not as effective
Not all misbehaviors are caught.
![Page 8: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/8.jpg)
04/24/23 Ke Yang, CMU 8
Fairness in e-business Fair exchange of information: still a
fundamental issue. Complicated by the “e-”
Problems with the proactive solution: efficiency Need efficient normal execution Trusted third party can be unrealistic
Problems with the reactive solution: identity Easy to fake, expensive to verify Paperless transactions – hard to obtain evidence
![Page 9: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/9.jpg)
04/24/23 Ke Yang, CMU 9
This talk is about fairness Fair exchange: a fundamental problem in
security as well as in business Fairness beyond fair exchange Why we didn’t have fair solutions Our solution:
Proactive without trusted third party Efficient normal execution Rigorous and provable security Applications to the Socialist Millionaires’ Problem
√
![Page 10: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/10.jpg)
04/24/23 Ke Yang, CMU 10
Fairness beyond exchange For more complicated tasks, the
parties may do more than just exchanging information.
Fairness formulated in the framework of 2-Party Computation (2PC) and Multi-party Computation (MPC) protocols.
![Page 11: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/11.jpg)
04/24/23 Ke Yang, CMU 11
MPC and 2PC…Multi-party computation (MPC):
n parties {P1, P2, …, Pn}: each Pi holds a private input xi
One public function f(x1,x2,…,xn) All want to learn y=f(x1,x2,…,xn) None wants to disclose his private input
2-party computation (2PC): n=2We work with 2PC for most of the talk.
![Page 12: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/12.jpg)
04/24/23 Ke Yang, CMU 12
Instances of MPC and 2PC… Authentication
Parties: 1 server, 1 client Function : if (server.passwd == client.passwd),
then return “succeed,” else return “fail.” On-line Bidding
Parties: 1 seller, 1 buyer Function: if (seller.price <= buyer.price), then
return (seller.price + buyer.price)/2, else return “no transaction.”
Rough intuition: in NYSE, the trading price is between the ask (selling) price and bid (buying) price.
Auction Parties: 1 auctioneer, (n-1) bidders Function: many possibilities (e.g. Vickrey)…
![Page 13: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/13.jpg)
04/24/23 Ke Yang, CMU 13
Secure MPC/2PC MPC/2PC protocols have been studied
for a long time… The focus was security
Correctness: the protocol computes the right function.
Privacy: the protocol discloses minimal amount of information.
![Page 14: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/14.jpg)
04/24/23 Ke Yang, CMU 14
Example: on-line bidding protocol
seller buyer (seller.price) (buyer.price)
(seller.output) (buyer.output)
} transcript
![Page 15: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/15.jpg)
04/24/23 Ke Yang, CMU 15
Definition of security
correctness: seller.output = buyer.output = f (seller.price, buyer.price)
privacy: the transcript carries no additional information about seller.price and buyer.price.
seller buyer (seller.price) (buyer.price)
(seller.output) (buyer.output)} transcript
![Page 16: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/16.jpg)
04/24/23 Ke Yang, CMU 16
“Privacy” is a little tricky…On-line Bidding Function
if (seller.price <= buyer.price), then return (seller.price + buyer.price)/2, else return “no transaction.” If seller.price ≤ buyer.price, then both parties
can learn each other’s private input. If seller.price > buyer.price, then both parties
should learn nothing more than this fact. Privacy: each party should only learn whatever
can be inferred from the output (which can be a lot sometimes).
![Page 17: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/17.jpg)
04/24/23 Ke Yang, CMU 17
State of art on secure MPC/2PC Well-studied
[Yao ’82, Yao ’86] 2PC [Goldreich-Micali-Wigderson ’87] MPC many papers to follow…
Well-understood Rigorous security notions (simulation paradigm). General constructions for any (efficient) function. Practical solutions for specific functions. Protocols of (very strong) “Internet Security”:
concurrency, non-malleability…
![Page 18: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/18.jpg)
04/24/23 Ke Yang, CMU 18
Security vs. fairness? The problem of secure MPC/2PC is
well-studied and well-understood. The problem of fair MPC/2PC is not! Security and fairness are not only
different, but almost orthogonal.
![Page 19: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/19.jpg)
04/24/23 Ke Yang, CMU 19
Security ≠ fairness Security is about absolute information gain. A typical security statement ---
Fairness is about relative information gain. A typical fairness statement:
“At the end of the protocol, each party learns at most y=f(x1,x2,…,xn) and anything inferable from y.”
“At the end of protocol, either all parties learns y=f(x1,x2,…,xn), or no party learns anything.”
![Page 20: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/20.jpg)
04/24/23 Ke Yang, CMU 20
Security fairness Many existing secure MPC/2-PC protocols
are completely unfair.
E.g. in an unfair on-line bidding protocol, the seller may learn the output (and thus buyer.price) before the buyer learns anything.
On-line Bidding Functionif (seller.price <= buyer.price), then return (seller.price + buyer.price)/2else return “no transaction.”
![Page 21: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/21.jpg)
04/24/23 Ke Yang, CMU 21
Unfair protocols can be bad! Fair exchange is a fundamental
problem itself. Even when fairness does not seem
relevant, an unfair protocol can completely destroy the security…
Example: the on-line bidding problem.
![Page 22: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/22.jpg)
04/24/23 Ke Yang, CMU 22
How to cheat w/ an unfair protocolOn-line Bidding Function: if (seller.price <= buyer.price), then return (seller.price + buyer.price)/2else return “no transaction.”
A cheating seller: 1. Initiate protocol w/ price x (originally $999,999).2. Run until getting the output (buyer hasn’t got the
output yet).3. if (output == “no transaction”), then abort (e.g.
announce “network failure”), set x x-1, and repeat.
![Page 23: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/23.jpg)
04/24/23 Ke Yang, CMU 23
Cheating with unfair protocolsA cheating seller: 1. Initiate protocol w/ price x (originally $999,999).2. Run until getting the output (buyer hasn’t got the output
yet).3. if (output == “no transaction”), then abort (e.g.
announce “network failure”), set x x-1, and repeat.
A cheating seller can: find out the buyer’s price (destroys privacy) and achieve maximum profit (destroys correctness)(the actual function computed is {return buyer.price;})
The lack of fairness completely voids the security!
![Page 24: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/24.jpg)
04/24/23 Ke Yang, CMU 24
Fair exchange and beyond Fair exchange: a fundamental problem in
security as well as in business Fairness beyond fair exchange Why we didn’t have fair solutions Our solution:
Proactive without trusted third party Efficient normal execution Rigorous and provable security Applications to the Socialist Millionaires’ Problem
√√
![Page 25: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/25.jpg)
04/24/23 Ke Yang, CMU 25
Designing fair protocolsQ: “If fairness is that important, why
can’t we have fair protocols?”A: “Because it is impossible!”
![Page 26: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/26.jpg)
04/24/23 Ke Yang, CMU 26
Impossibility of fair protocols [Cleve ’86] There do not exist fair two-party
coin-tossing protocols. coin-tossing protocol: Alice and Bob jointly
generate a uniformly distributed bit b. Fairness: no one should be able to bias b.
(different fairness condition: probabilistic function) The coin-tossing protocol is one of the basic
building blocks of MPC/2PC protocols, and its impossibility implies that fair MPC/2PC is in general impossible.
![Page 27: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/27.jpg)
04/24/23 Ke Yang, CMU 27
Wait a minute! What’s wrong with Blum’s protocol? [Blum ’81] There exists a secure two-party
coin-tossing protocol.1. Alice generates bit a and sends Commit(a) to Bob.2. Bob generates bit b and sends b to Alice.3. Alice opens a to Bob.4. The result is a XOR b.Intuition: a XOR b is uniform if either a or b is uniform.
![Page 28: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/28.jpg)
04/24/23 Ke Yang, CMU 28
Problem: premature abort
Suppose Alice wishes to bias the output towards 0. (Malicious Alice) in step 3, if a XOR b == 0, then
open a; otherwise, abort. Then the output is always 0!
1. Alice generates bit a and sends Commit(a) to Bob.2. Bob generates bit b and sends b to Alice.3. Alice opens a to Bob.4. The result is a XOR b.
![Page 29: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/29.jpg)
04/24/23 Ke Yang, CMU 29
Summary of the impossibility result No fair two-party protocols in general. Case for MPC is more complicated:
suppose n parties, t corrupted. t < n/3: yes with point-to-point network. n/3 ≤ t < n/2: yes with broadcast network. n/2 ≤ t (fault majority): no!
![Page 30: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/30.jpg)
04/24/23 Ke Yang, CMU 30
What to do next? Fair exchange: a fundamental problem in
security as well as in business Fairness beyond fair exchange Why we didn’t have fair solutions Our solution:
Proactive without trusted third party Efficient normal execution Rigorous and provable security Applications to the Socialist Millionaires’ Problem
√
√√
![Page 31: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/31.jpg)
04/24/23 Ke Yang, CMU 31
Fair protocols? We still need (some form of) fairness. We have to “tweak” the model to circumvent
the impossibility result. Tweak the set-up (optimistic approach):
Add a trusted party as arbiter in case of abort. Can achieve full fairness. Need for trusted party can be unrealistic.
Tweak the definition (gradual release approach):Parties take turns to reveal information “bit by bit.” No trusted parties needed. Still somewhat unfair, but we can quantify and
control the amount of “unfairness.”
![Page 32: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/32.jpg)
04/24/23 Ke Yang, CMU 32
The gradual release approach Reasonably studied
Initial idea by [Blum ’83] Subsequent work: [Damgard ’95, Boneh-Naor
’00, Garay-Jakobsson ’02, Pinkas ’03]… Not quite well-understood
Ad hoc security notions Limited general constructions (only 2PC) Few practical constructions Weak security (no “Internet Security”)
![Page 33: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/33.jpg)
04/24/23 Ke Yang, CMU 33
Our contributions A rigorous definition of security/fairness.
First in the simulation paradigm. Construction of secure and fair protocols.
A general technique to convert completely unfair MPC/2PC protocols into fair ones.
First fair MPC protocol with corrupted majority. Efficient, practical for specific applications.
E.g. the Socialist Millionaires’ Problem Very strong “Internet Security”
Concurrency, non-malleability…
√
√
√
![Page 34: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/34.jpg)
04/24/23 Ke Yang, CMU 34
The simulation paradigm De facto standard in secure MPC/2PC. A real world: parties engage in protocol . An ideal world: an ideal functionality F does
all the computation (guaranteed correctness, privacy, and fairness).
Simulation: Protocol securely realizes F, if adversary A, simulator S, s.t.
View(A, ) ≈ View(S, F)
![Page 35: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/35.jpg)
04/24/23 Ke Yang, CMU 35
Simulation paradigm and fairness Tradition (security) definition: protocol , adversary A, simulator S, s.t.
View(A, ) ≈ View(S, F). Doesn’t work with fairness! [Cleve ’86] (for 2PC)
protocol , adversary A, s.t. A makes unfair (unsimulatable).
![Page 36: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/36.jpg)
04/24/23 Ke Yang, CMU 36
Our solution: quantifier switch A timed protocol [T] is a collection of protocols,
parameterized by T: each [t] is a “normal” protocol each t.
A timed protocol [T] securely realizes F, if t, adversary A of time t, simulator S, s.t.
View(A, [t]) ≈ View(S, F) Notice the quantifier switch:
old definition:
new definition: protocol , adversary A, simulator S… protocol , adversary A, simulator S…
![Page 37: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/37.jpg)
04/24/23 Ke Yang, CMU 37
What about fairness? In our framework, fairness is simply a
statement about the running time of the protocols.
A timed protocol [T] is fair, if the running time of [t] is O(t).
Intuition: “Whatever an adversary can compute in time t, an honest party can compute in time comparable to t as well.”
The first rigorous security/fairness definition that completely falls in the simulation paradigm (previous ones are rather ad hoc).
![Page 38: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/38.jpg)
04/24/23 Ke Yang, CMU 38
Constructing fair protocols Now we have a rigorous definition for
security and fairness. Next we need to construct protocols
that satisfy this definition.
![Page 39: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/39.jpg)
04/24/23 Ke Yang, CMU 39
Fair Exchange of Information (FEI) Alice has a, and Bob has b. At the end of the protocol, either:
Alice learns b, and Bob learns a, or No one learns anything.
![Page 40: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/40.jpg)
04/24/23 Ke Yang, CMU 40
FEI is the core of fair 2PC Once we can solve FEI, we can construct general fair 2PC protocols easily…
fair coin-tossing Alice generates bit a Bob generates bit b. Alice and Bob fairly exchange a and b. The result is a XOR b.
![Page 41: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/41.jpg)
04/24/23 Ke Yang, CMU 41
Great if we can solve FEI…
So what do we do?
![Page 42: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/42.jpg)
04/24/23 Ke Yang, CMU 42
Solving FEI using time lines
A time-line: an array of numbers (head, …, tail). Time-line commitments:
TL-Commit(x) = (head, tail * x) Perfect binding Hiding (2k steps to compute tail from head) Gradual opening: each accelerator cuts the
number of steps by half.
…head tail
accelerator 1 accelerator 2 accelerator k
![Page 43: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/43.jpg)
04/24/23 Ke Yang, CMU 43
A time line, mathematically
N=p·q, where p, q, (p-1)/2, (q-1)/2 are all primes. g a random element in ZN
*. head = g, tail = g22k . one step = one squaring modulo N. Knowing (p,q) makes it easy to compute g22k .
g22kg g22k-1 g2(2k-1+2k-2) …accelerator 1 accelerator 2 …
![Page 44: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/44.jpg)
04/24/23 Ke Yang, CMU 44
Sounds familiar? Time-lines are used before:
[Boneh-Naor ’00, Garay-Jakobsson ’02, Garay-Pomerance ’03]
Our construction is a (simplified) variant of the [Garay-Pomerance ’03].
Difference: a new Yet-More-General BBS (YMG-BBS) assumption – also needed by previous constructions to work.
![Page 45: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/45.jpg)
04/24/23 Ke Yang, CMU 45
FEI using time-lines START: Alice has a, Bob has b. COMMIT:
Alice sends TL-Commit(a) to Bob, Bob sends TL-Commit(b) to Alice.
OPEN: Take turns to gradually open the commitments.
Bob
Alice
![Page 46: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/46.jpg)
04/24/23 Ke Yang, CMU 46
FEI using time-lines
ABORT: If Bob aborts and force-open in t steps, Alice can do it as well in 2t steps.
Bob
Alice
t
2t
![Page 47: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/47.jpg)
04/24/23 Ke Yang, CMU 47
Time-lines makes FEI THM: At any time, if a party aborts
and force-opens in time t, the other party can force-open in time 2t.
Intuition: “Whatever an adversary can compute in time t, an honest party can compute in time comparable to t as well.”
![Page 48: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/48.jpg)
04/24/23 Ke Yang, CMU 48
Dealing with cheating parties
A cheating party might give false accelerators. Can add zero-knowledge proofs to enforce correctness. Reasonably efficient protocols.
g22k
g22k
Bob
Alice
g g22k-1 g2(2k-1+2k-2) …
g g22k-1 g2(2k-1+2k-2) …
A A A A
BB B B
![Page 49: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/49.jpg)
04/24/23 Ke Yang, CMU 49
Derived time-lines
Can derive a new time-line from a master time-line by raising everything to a random power a.
A master time-line in the public parameter (common reference string); each party derives a new time-line and proves correctness.
Very efficient zero-knowledge proofs!
g22kg g22k-1 g2(2k-1+2k-2) …
h22kh=gah22k-1 h2(2k-1+2k-2) …
![Page 50: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/50.jpg)
04/24/23 Ke Yang, CMU 50
From FEI to Fair 2PC Most existing (unfair) secure 2PC protocols
contains three phases… Share: parties share their private inputs. Evaluate: jointly evaluate the function in a “gate-
by-gate” fashion. Reveal: parties reveal their secrets.
The reveal phase makes the protocol unfair. FEI can make the reveal phase fair, and thus
making the entire protocol fair.
![Page 51: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/51.jpg)
04/24/23 Ke Yang, CMU 51
Fair MPC/2PC THEOREM: There exist secure and fair 2PC
protocols for any (efficiently) function. MPC: can extend FEI to multi-party case:
{P1, P2, …, Pn}: each Pi holds a private input xi Either all parties learn everything, or no one
learns anything. Similar solution using time-lines.
![Page 52: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/52.jpg)
04/24/23 Ke Yang, CMU 52
An application We show how to compute the socialist
millionaires’ problem fairly and efficiently.
![Page 53: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/53.jpg)
04/24/23 Ke Yang, CMU 53
The Socialist Millionaires’ Problem The Millionaires’ Problem
Alice has $a million, Bob has $b million. They want to compare who is richer but not
disclosing a or b. f(a,b) = {if (a>b) then 1 else 0}
The Socialist Millionaires’ Problem (SMP) Alice has $a million, Bob has $b million. They want to compare if they are equal but not
disclosing a or b. f(a,b) = {if (a=b) then 1 else 0}
![Page 54: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/54.jpg)
04/24/23 Ke Yang, CMU 54
SMP is useful! Remember the authentication problem?
Parties: 1 server, 1 client Function : if (server.passwd == client.passwd),
then return “succeed,” else return “fail.” This is exactly SMP! SMP is also known as “private equality testing”
a basic building block for Privacy-Preserving Data Mining (PPDM).
Many applications in cryptography, security, and e-commerce…
![Page 55: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/55.jpg)
04/24/23 Ke Yang, CMU 55
We need secure and fair SMP Take the authentication problem… Security:
We don’t want a cheating client/server to learn the password by trying a bad one
Fairness: Typically the server limits the number of
unsuccessful attempts to prevent on-line attacks.
Unfair for clients with bad connection. Need a fair protocol!
![Page 56: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/56.jpg)
04/24/23 Ke Yang, CMU 56
Our solution for fair SMP Based on ideas from [Cramer-Damgard-Nielsen ’01,
Damgard-Nielsen ’03] Alice has a, Bob has b. They jointly compute y=(a-b)*r for a random r. If a=b, then y=0; otherwise y is a random non-zero
number. Efficient protocol to compute y=(a-b)*r. We make it fair and strongly secure (“Internet
security”). Direct applications in Password Authenticated Key-
exchange (PAK) and Privacy-Preserving Data Mining (PPDM).
![Page 57: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/57.jpg)
04/24/23 Ke Yang, CMU 57
Conclusions Fairness is about relative information gain, almost
orthogonal to security, which is about absolute information gain.
Important to design fair protocols: fundamental by itself; the lack of fairness may destroy the security.
Impossibility result: premature abort. Gradual release approach to control the unfairness. Time-line solution for FEI: unfairness is 2x in time. First MPC protocol that is fair and secure with
faulty majority.
![Page 58: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/58.jpg)
04/24/23 Ke Yang, CMU 58
References Juan Garay, Philip MacKenzie and Ke Yang
Efficient and Secure Multi-Party Computation with Faulty Majority and Complete Fairness
Paper available on-line at http://www.cs.cmu.edu/~yangke/papers/fmpc.ps
A more technical version of this talk athttp://www.cs.cmu.edu/~yangke/papers/fmpc-talk.pdf
![Page 59: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/59.jpg)
04/24/23 Ke Yang, CMU 59
My other work in cryptography… Non-malleability
Zero Knowledge [Garay-MacKenzie-Y ’03] Encryption [MacKenzie-Reiter-Y ’04] Oblivious Transfer [Garay-MacKenzie-Y ’04] Commitment [MacKenzie-Y ’04]
Obfuscation and tamper-resistance (security and non-malleability of programs) Impossibility of obfuscation [BGIRSVY ’01] Tamper-resistant software library (with Eric
Grosse) Efficient PIR with applications in anonymous
communication [KORSY ’04]
![Page 60: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/60.jpg)
04/24/23 Ke Yang, CMU 60
My other work… Quantum information theory and quantum
computation Limits in NMR computation [Blum-Y ’03]
NMR computing uses a different model from the “standard” quantum computing.
Needs an (inefficient) compiler to covert algorithms in standard model to NMR model.
Our result: such inefficiency is inherent. EPR pair distillation
[Ambainis-Smith-Y ’02, Ambainis-Y ’04] Machine learning and computatoinal
complexity…
![Page 61: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/61.jpg)
04/24/23 Ke Yang, CMU 61
Thank you!
![Page 62: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/62.jpg)
04/24/23 Ke Yang, CMU 62
How do we do FEI? Intuitively, release information “bit by bit…” So that if Alice aborts prematurely, she is
only one bit ahead of Bob. However, “bit by bit” doesn’t work…
The information might just be one bit. Different bits might have different importance.
real info junk real info junk
Alice’s information (for Bob) Bob’s information (for Alice)
![Page 63: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/63.jpg)
04/24/23 Ke Yang, CMU 63
A Hierarchical view of game theory
Mechanism Design:Design a function y=f(x1,x2,…,xn) that satisfy certain requirement (truthful, etc…)
Multi-Party Computation:Design a protocol to compute y=f(x1,x2,…,xn) that maintains privacy, fairness, etc…
![Page 64: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/64.jpg)
04/24/23 Ke Yang, CMU 64
Intuition behind Cleve’s proof
It is impossible to prevent abort. A protocol contains some critical rounds
where information is exchanged. Aborting at a critical round creates
unfairness. Therefore, at least one party can cause a
significant bias by aborting.
[Cleve ’86] There do not exist fair two-party coin-tossing protocols.
![Page 65: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/65.jpg)
04/24/23 Ke Yang, CMU 65
Number theoretical assumptions Let N=p·q, where p, q, (p-1)/2, (q-1)/2 are all primes. Let g be a random element in ZN
*. Let G = (g, g2, g4, …, g2T).
Suppose we want to compute points in G…
sequential access: can move one step forward by squaring. random access: can compute any point if we know (p,q). Assumption: without knowing (p,q), can only do sequential
access (one step at a time). Corollary: g2T takes T steps to compute – if T=2k is large, it is
infeasible to compute. YMG-BBS assumption: it appears pseudorandom.
![Page 66: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/66.jpg)
04/24/23 Ke Yang, CMU 66
Time-line commitments Let N=p·q, where p, q, (p-1)/2, (q-1)/2 are all primes. Let g be a random element in ZN
*. Let G = (g, g2, g4, …, g2T), where T=2k.
We call G a time line. Time-line commitment – (N, g, g2T·x) is a time-line commitment to x:
Efficiently computable knowing (p,q). Uniquely determines x (perfect binding). Computationally hiding (based on the YMG-BBS
assumption) Force-open in T steps.
![Page 67: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/67.jpg)
04/24/23 Ke Yang, CMU 67
More on time-line commitments (N, g, g2T·x) is a time-line commitment to x. Force-opening takes T=2k steps. Gradual opening:
Step 1: reveal g22k-1 – cuts force-opening time by half.
Step 2: reveal g2(2k-1+2k-2) – cuts the time by another half....Each step cuts the work by half!
g22kg g22k-1 g2(2k-1+2k-2) …Step 1 Step 2 …accelerator #1
accelerator #2
![Page 68: Ke Yang Ph.D. in Computer Science Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062521/56812d16550346895d92037a/html5/thumbnails/68.jpg)
04/24/23 Ke Yang, CMU 68
secret (committed value)
Intuition: layered blinding
g22kg g22k-1 g2(2k-1+2k-2) …