Content uploaded by Moti Yung
Author content
All content in this area was uploaded by Moti Yung on Oct 13, 2014
Content may be subject to copyright.
On Necessary Conditions for
Secure Distributed Computation
Rafail Ostrovsky
Moti Yung
y
Abstract
What assumptions are required to achievean
unconditionally secure
distributed circuit evaluation
in a fully connected network? This question was addressed with respect to the allowed number
of malicious players [BGW, CCD,RB],given that
every channel
is unconditionally secure. In
this paper weinvestigate whether the security of all channels is also a necessary condition.
[BGW, CCD] showed how secure computation can b e achieved, provided that a constant fraction
of the total number of players is honest. An insecure channel can be mo deled as faults on both
ends of the channel. Thus, as long as the number of such \faulty" players is smaller then the
fraction established in [BGW, CCD], the channels can be made insecure. However, an insecure
channel seems to be a muchweaker fault than a corruption of both players. Thus, can a bigger
fraction of insecure channels be tolerated? In this paper we show that this is not the case. That
is, we show that in some cases the perfect securityofmulti-party protocols in a fully connected
network requires
all
the channels to be physically secure. In particular, weshow a simple protocol
(for three parties) for whichifprivacy of even one channel is compromised, the protocol can not
be computed securely.Thus, we establish that the securityof
all
channels is not only sucient
(by the work of [BGW, CCD]), but also
necessary
. The lower bound holds even if players follow
the protocol. That is, we establish our impossibility result even if all the players are honest
but curious | if they follow the protocol exactly, but try to extract additional information \on
the side". Thus, our result gives a pure security perspective of the impossibility. An additional
feature of our result is its extreme simplicity,which is usually hard to come by for the lower
bound pro ofs.
AMS(MOS) Sub ject Classication: 68M10, 68P25, 68Q05.
MIT Lab. for Computer Science Cambridge, MA 02139. E-mail to: \raf@theory.lcs.mit.edu". Part of this
work was done while the author was at the IBM Research, T.J. Watson ResearchCenter, Yorktown Heights,
NY 10598.
y
IBM Research, T.J. Watson ResearchCenter, Yorktown Heights, NY 10598. E-mail to: \moti@ibm.com".
1
1 Introduction
This paper deals with feasibility results concerning the implementation of unconditionally se-
cure computation in insecure communication environments. That is, we examine the feasibility
of multi (
3)-party secure computation. We concentrate on global computations in which all
parties compute a private (possibly random) output.
The question of secure distributed computation received a lot of attention over the past
decade, which culminated in the work of [GMW1] where they showed a way to compute any
poly-size function on a fully-connected network of processors securely, under some general
cryptographic assumptions, provided that more than
2
3
of the processors are honest.
The cryptographic assumptions were then eliminated in the work of [BGW, CCD] where it
was established that if every two processors can communicate secretly, one can achieve secure
computation without any cryptographic assumptions for three or more processors (provided
that either more than
1
2
are honest while the rest are honest but may be curious, or that more
than
2
3
of the processors are honest in the case the rest of the processors may be Byzantine
(malicious)). However, both the workof[BGW, CCD] and further extensions by[RB,BG]
require each pair of processors to have a secure communication channel. In this work we
examine whether this condition can be weakened, and provide a strong negative answer to this
question.
That is, weshowagapbetweenanetwork with physically secure channels and a network
without such security measures. To do so, we exhibit a protocol for which there is no perfectly
secure implementation on the second model even when only one channel is unprotected. The
rst model, on the other hand, is known to be universal for perfectly secure computations
(even when up to
1
3
of participants are malicious [BGW, CCD].) This shows formally that
adding physical securityto
all
channels is not just sucient but also
necessary
.
Notice that any insecure channel can b e made secure using suitable cryptographic assump-
tions [GMW2, GHY]. The resulting protocol, however, is only as secure as the cryptographic
assumption whichwas utilized. Instead, we are interested in the question of absolute security,
independentofany assumptions. Our proof establishes that:
MAIN THEOREM:
Providing physical security to all channels is
necessary
to the achieve-
ment of perfect security in distributed multi-party securecomputation.
Thus, our result justies the model of physically secure channels as a model whichachieves
universality in the set of perfectly secure computation even when the parties are computation-
ally unlimited, provided that
every
channel is secure. It also justies the use of cryptography
(and achieving only computational security) when suchchannels are not available.
The rest of the paper is organized as follows: In section 2 we describe our mo del. Section
3 explains our proof, while in section 4, we review recent and related results.
2 The mo del
We consider two models of computation for multi-party protocols. Both have computationally
unlimited users in a fully-connected network. The rst one has secure channels b etween each
pair of users, while in the second model all (or some) channels are unprotected.
2
Both models have been used in various contexts in the past. For example, Feldman and
Micali [FM] implemented a fast Byzantine Agreement protocol in the secure channel model
and left an open problem whether such a fast Byzantine Agreement protocol (even with relaxed
performance) can be implemented on the insecure channel mo del. (They also show a simulation
of the private channel model in the insecure channel mo del using cryptographic assumptions,
but here weareinterested in perfect security.)
A bit more formally,we consider the model of multi-party protocols which is the standard
system of communicating machines [GMR]. Each player is a probabilistic Turing machine with
a private computation environment. They share communication tapes and communicate by
writing messages on these tapes in a synchronous fashion.
Each pair of machines share a communication tape (for each such tape only two machines
are allowed to write on it). When eachmachine has \read access" to all communication tap es
this is the
insecure channels
model (or the bboard mo del), on the other hand when eachofthe
communication tapes can be accessed only by the pair of parties which are allowed to write on
it { this is the
secure channels
model. A natural intermediate models with some private and
some insecure channels can be dened as well.
A p ointworth mentioning is that the notion of secure channels can b e somewhat relaxed.
That is, the channels do not have to be totally secure, as we can adapt the wire-tap model
of Wyner [W]. (He basically assumes certain rate of being caughtbytheeavesdropper. By
using linear codes according to the rate one gets that the users get the message while the
eavesdropper does not.) Thus, the notion of \secure" channel can be interpreted in the above,
weaker sense.
3 A simple proof of our result
We start with a review of Shamir, Rivest and Adleman's impossibilityofMental Poker [SRA].
This is a basic impossibility result (which seems to have been somewhat forgotten!) It shows
that twoplayers cannot deal a secret, disjoint, and random card hands based on information
theory and open communication.
Shamir, Rivest and Adleman proof considers the minimal non-trivial scenario of two un-
faulty (but possibly \curious") players,
A
and
B
, who try to deal a hand of one card to each
out of a deck of three cards
f
x; y; z
g
. (This scenario can be extended to larger decks and any
size of hands). Let the protocol
execution
M
be the nite sequence of transmitted messages.
M
should coordinate the cards drawn byeach player (the cards drawn are a function of
M
and
the player's internal computations). The hands should be drawn uniformly at random and be
disjoint. Let
x
(
y
) be the actual card received by
A
(
B
).
Let
S
A
(
S
B
) be the set of candidate cards
A
(
B
) could have gotten, given
M
.
S
A
cannot
contain only
x
since then
B
can compute the hand of
A
bysimulating all possible computations
of
A
consistent with the execution.
S
A
cannot contain all three cards since
B
will not be able to
get any card disjointto
S
A
: regardless of what card
B
gets, there is a computation consistent
with
M
in which
A
may get the same card. Thus,
S
A
consists of two cards. Similarly,
S
B
must contain two cards. The total size of both candidate sets is four while the total size
of the deck is three, thus there is an intersection b etween
S
A
and
S
B
, and there must be a
3
computation consistent with
M
in which both players gets the same card (in this case it is
z
).
This contradicts the disjointness requirement which implies the impossibility.
We can nowgiveanoverview of our proof: consider the case of three nodes in the network.
Note that if three players want to playandonechannel is suspected not to be secure, they could
use cryptography to solve the problem [GMW2, GHY]. But this solution relies on unproven
complexity assumptions, while weareinterested in retaining
perfect
(i.e. information-theoretic)
security. A proto col for dealing cards (Mental-Poker) for three or more players whichachieved
information theoretic securitywas implemented, provided that all channels are secure in 1983
[BaFu]. The basic idea of our proof is to show that a three player Mental-Poker is impossible
if the channels are not secure.
We consider dealing of cards where there are three players and four cards in the deck.
We start by assuming totally open communication. Given an execution (the protocol message
sequence), none of the players can have only one card in the set of cards which are candidate
to be taken to his hand consistent with the execution | this will violate security. The case of
more than three cards in the candidate set is impossible as well (since if one player has more
than three possible cards, then another player must have a non-disjoint card in his candidate
set violating disjointedness of hands). Thus all players havetwo cards in their candidate set.
However, again the deckistoosmalltoprovide disjointedness of the candidate sets, that is,
there must be a computation consistent with the execution in which hands are not disjoint.
Thus, the dealing protocol is impossible when all channels are insecure.
Can we make the result sharp er and consider a network with only one insecure channel
(while the rest are secure)? We assume the same scenario and problem as b efore with an
intermediate model of a single insecure channel (saybetween
A
and
B
, while both channels to
C
are private). Wehave the execution which is the three sequences of messages over the three
channels
M
ab
,
M
ac
,
M
bc
.
Again, in this case as before, no player mayhave a candidate set bigger than three.
C
mayhave a candidate set of size one. However, both
A
and
B
must have candidate sets of
size two, since otherwise
C
who knows all the messages can determine their cards. The sum
of the sizes of the candidate card sets from
C
's point of view is at least 5 while only 4 cards
are present in the deck. (The other players see even less information than
C
and thus their
view of the computation should also leave candidate set of size 2.) This is a contradiction to
disjointedness.
Thus, in this case even one public channel prevents a perfectly secure implementation:
Theorem:
There exists protocols which can not beexecutedsecurely in the information-
theoretic sense on a fully-connected network if any one of the channels is compromised.
This proves the necessity of secure channels in the case of computationally unbounded
parties.
4
4 Related work
Recently,[OVY] considered a two-party asymmetric games when one of the players is innitely-
powerful while the other is polynomially-b ounded. Using the proof method similar to the above,
they were able to show that information-theoretic Oblivious Transfer protocol is impossible to
achieve. Moreover, non-interactive Oblivious Transfer was also shown to be imp ossible. On
the positive side, they were able to show that if one-way functions exist, then anytwo-party
asymmetric game (for example, Oblivious Transfer protocol) is possible to implement.
Further study of requirements for multi-party secure computation, when the network is
not fully connected was done by [DDWY], where they presented tight results on the required
connectivity of the network in order to preserve security.
Acknowledgments
The authors thank Silvio Micali and Joan Fiegenbaum for helpful discussions on the topic of
the pap er.
References
[BaFu] I. Barany, and Z. Furedy,
Mental Poker with ThreeorMore Players
, Info. and Cont. v. 59,
1983, pp. 84-93.
[BGW] Ben-Or M., S. Goldwasser and A. Wigderson,
Completeness Theorem for Noncryptographic
Fault-tolerant Distributed Computing
,STOC1988,ACM, pp. 1-10.
[BG] Beaver D., S. Goldwasser
Multiparty Computation with Faulty Majority
FOCS 1989, IEEE,
pp. 468-473.
[CCD] D. Chaum, C. Crepeau and I. Damgard,
Multiparty Unconditionally SecureProtocols
, STOC
1988, ACM, pp. 11-19.
[DDWY] D. Dolev, C. Dwork, O. Waarts and M. Yung,
Secure Message Transmission
,FOCS 1990,
IEEE.
[FM] P.Feldman and S. Micali,
Optimal Algorithms for Byzantine Agreement
, STOC 1988, ACM,
pp. 148-161.
[GHY] Z. Galil, S. Haber and M. Yung,
Cryptographic Computations and the Public-Key Model
,
The 7-th Crypto 1987, Springer-Verlag, pp. 135-155.
[GMW1] S. Goldreich, S. Micali and A. Wigderson,
Proofs that Yields Nothing But their Validity
,
FOCS 1986, IEEE, pp. 174-187.
[GMW2] S. Goldreich, S. Micali and A. Wigderson,
How to Play any Mental Poker
, STOC 1987,
ACM, pp. 218-229.
[GMR] S. Goldwasser, S. Micali and C. Racko,
The Knowledge Complexity of Interactive Proof-
Systems
, STOC 1985, ACM, pp. 291-304.
5
[OVY] R. Ostrovsky,R.Venkatesan, M. Yung
On The Complexity of Asymmetric Games
,
manuscript.
[RB] T. Rabin and M. Ben-Or,
Veriable Secret Sharing and Multiparty Protocols with Honest
Majority
, STOC 1989, ACM, pp. 73-85.
[SRA] A. Shamir, R. Rivest and L. Adleman,
Mental Poker
,Technical Memo MIT (1979).
[W] Wyner, A.D.,
The WireTap Channel
Bell System J., 54, 1981, pp. 1355-1387.
6