On Necessary Conditions for Secure Distributed Computation
Rafail Ostrovsky*
Moti Yung†
Abstract
What assumptions are required to achieve an unconditionally secure distributed circuit evaluation in a fully connected network? This question was addressed with respect to the allowed number of malicious players [BGW, CCD, RB], given that every channel is unconditionally secure. In this paper we investigate whether the security of all channels is also a necessary condition. [BGW, CCD] showed how secure computation can be achieved, provided that a constant fraction of the total number of players is honest. An insecure channel can be modeled as faults on both ends of the channel. Thus, as long as the number of such "faulty" players is smaller than the fraction established in [BGW, CCD], the channels can be made insecure. However, an insecure channel seems to be a much weaker fault than a corruption of both players. Thus, can a bigger fraction of insecure channels be tolerated? In this paper we show that this is not the case. That is, we show that in some cases the perfect security of multi-party protocols in a fully connected network requires all the channels to be physically secure. In particular, we show a simple protocol (for three parties) for which, if the privacy of even one channel is compromised, the protocol cannot be computed securely. Thus, we establish that the security of all channels is not only sufficient (by the work of [BGW, CCD]), but also necessary. The lower bound holds even if players follow the protocol. That is, we establish our impossibility result even if all the players are honest but curious, i.e., if they follow the protocol exactly, but try to extract additional information "on the side". Thus, our result gives a pure security perspective of the impossibility. An additional feature of our result is its extreme simplicity, which is usually hard to come by for lower bound proofs.
AMS(MOS) Subject Classification: 68M10, 68P25, 68Q05.
* MIT Lab. for Computer Science, Cambridge, MA 02139. E-mail: raf@theory.lcs.mit.edu. Part of this work was done while the author was at IBM Research, T.J. Watson Research Center, Yorktown Heights, NY 10598.
† IBM Research, T.J. Watson Research Center, Yorktown Heights, NY 10598. E-mail: moti@ibm.com.
1 Introduction
This paper deals with feasibility results concerning the implementation of unconditionally secure computation in insecure communication environments. That is, we examine the feasibility of multi (≥ 3)-party secure computation. We concentrate on global computations in which all parties compute a private (possibly random) output.

The question of secure distributed computation received a lot of attention over the past decade, which culminated in the work of [GMW1], where they showed a way to compute any poly-size function on a fully-connected network of processors securely, under some general cryptographic assumptions, provided that more than 2/3 of the processors are honest.

The cryptographic assumptions were then eliminated in the work of [BGW, CCD], where it was established that if every two processors can communicate secretly, one can achieve secure computation without any cryptographic assumptions for three or more processors (provided that either more than 1/2 of the processors are honest while the rest are honest but may be curious, or that more than 2/3 of the processors are honest in the case the rest of the processors may be Byzantine (malicious)). However, both the work of [BGW, CCD] and further extensions by [RB, BG] require each pair of processors to have a secure communication channel. In this work we examine whether this condition can be weakened, and provide a strong negative answer to this question.

That is, we show a gap between a network with physically secure channels and a network without such security measures. To do so, we exhibit a protocol for which there is no perfectly secure implementation in the second model even when only one channel is unprotected. The first model, on the other hand, is known to be universal for perfectly secure computations (even when fewer than 1/3 of the participants are malicious [BGW, CCD]). This shows formally that adding physical security to all channels is not just sufficient but also necessary.

Notice that any insecure channel can be made secure using suitable cryptographic assumptions [GMW2, GHY]. The resulting protocol, however, is only as secure as the cryptographic assumption which was utilized. Instead, we are interested in the question of absolute security, independent of any assumptions. Our proof establishes that:

MAIN THEOREM: Providing physical security to all channels is necessary to the achievement of perfect security in distributed multi-party secure computation.

Thus, our result justifies the model of physically secure channels as a model which achieves universality in the set of perfectly secure computations even when the parties are computationally unlimited, provided that every channel is secure. It also justifies the use of cryptography (and achieving only computational security) when such channels are not available.

The rest of the paper is organized as follows: In Section 2 we describe our model. Section 3 explains our proof, while in Section 4 we review recent and related results.
2 The model
We consider two models of computation for multi-party protocols. Both have computationally unlimited users in a fully-connected network. The first one has secure channels between each pair of users, while in the second model all (or some) channels are unprotected.

Both models have been used in various contexts in the past. For example, Feldman and Micali [FM] implemented a fast Byzantine Agreement protocol in the secure channel model and left as an open problem whether such a fast Byzantine Agreement protocol (even with relaxed performance) can be implemented in the insecure channel model. (They also show a simulation of the private channel model in the insecure channel model using cryptographic assumptions, but here we are interested in perfect security.)

A bit more formally, we consider the model of multi-party protocols which is the standard system of communicating machines [GMR]. Each player is a probabilistic Turing machine with a private computation environment. They share communication tapes and communicate by writing messages on these tapes in a synchronous fashion.

Each pair of machines shares a communication tape (for each such tape only two machines are allowed to write on it). When each machine has "read access" to all communication tapes, this is the insecure channels model (or the bulletin-board model); on the other hand, when each of the communication tapes can be accessed only by the pair of parties which are allowed to write on it, this is the secure channels model. Natural intermediate models with some private and some insecure channels can be defined as well.

A point worth mentioning is that the notion of secure channels can be somewhat relaxed. That is, the channels do not have to be totally secure, as we can adopt the wire-tap model of Wyner [W]. (He basically assumes that the eavesdropper receives the transmission through a noisier channel than the intended receiver; by using linear codes matched to that rate, the users get the message while the eavesdropper does not.) Thus, the notion of "secure" channel can be interpreted in the above, weaker sense.
3 A simple proof of our result
We start with a review of Shamir, Rivest and Adleman's impossibility of Mental Poker [SRA]. This is a basic impossibility result (which seems to have been somewhat forgotten!). It shows that two players cannot deal secret, disjoint, and random card hands based on information theory and open communication.

The Shamir, Rivest and Adleman proof considers the minimal non-trivial scenario of two unfaulty (but possibly "curious") players, $A$ and $B$, who try to deal a hand of one card to each out of a deck of three cards $\{x, y, z\}$. (This scenario can be extended to larger decks and any size of hands.) Let the protocol execution $M$ be the finite sequence of transmitted messages. $M$ should coordinate the cards drawn by each player (the cards drawn are a function of $M$ and the player's internal computations). The hands should be drawn uniformly at random and be disjoint. Let $x$ ($y$) be the actual card received by $A$ ($B$).

Let $S_A$ ($S_B$) be the set of candidate cards $A$ ($B$) could have gotten, given $M$. $S_A$ cannot contain only $x$, since then $B$ can compute the hand of $A$ by simulating all possible computations of $A$ consistent with the execution. $S_A$ cannot contain all three cards, since then $B$ would not be able to get any card disjoint from $S_A$: regardless of what card $B$ gets, there is a computation consistent with $M$ in which $A$ may get the same card. Thus, $S_A$ consists of two cards. Similarly, $S_B$ must contain two cards. The total size of both candidate sets is four while the total size of the deck is three; thus there is an intersection between $S_A$ and $S_B$, and there must be a computation consistent with $M$ in which both players get the same card (in this case it is $z$). (Note that, since all communication is public, the private computations of $A$ and $B$ are independent given $M$, so any pair of candidates, one from $S_A$ and one from $S_B$, is realized by some computation consistent with $M$.) This contradicts the disjointness requirement, which implies the impossibility.
We can now give an overview of our proof: consider the case of three nodes in the network. Note that if three players want to play and one channel is suspected not to be secure, they could use cryptography to solve the problem [GMW2, GHY]. But this solution relies on unproven complexity assumptions, while we are interested in retaining perfect (i.e. information-theoretic) security. A protocol for dealing cards (Mental Poker) for three or more players which achieves information-theoretic security, provided that all channels are secure, was given in 1983 [BaFu]. The basic idea of our proof is to show that three-player Mental Poker is impossible if the channels are not secure.

We consider dealing of cards where there are three players and four cards in the deck. We start by assuming totally open communication. Given an execution (the protocol message sequence), none of the players can have only one card in the set of cards which are candidates for his hand consistent with the execution; this would violate security. A candidate set cannot contain more than three cards either (since if one player may hold any of the four cards, then another player must have a non-disjoint card in his candidate set, violating disjointness of hands). Thus every player has at least two cards in his candidate set. Moreover, since all communication is public, the private computations of the three players are independent given the execution, so any choice of one candidate card per player occurs in some computation consistent with the execution; the three candidate sets must therefore be pairwise disjoint. Again the deck is too small to provide this: three disjoint sets of at least two cards need six cards, while the deck has four. Hence there must be a computation consistent with the execution in which hands are not disjoint, and the dealing protocol is impossible when all channels are insecure.

Can we make the result sharper and consider a network with only one insecure channel (while the rest are secure)? We assume the same scenario and problem as before with an intermediate model of a single insecure channel (say between $A$ and $B$, while both channels to $C$ are private). The execution consists of the three sequences of messages over the three channels, $M_{ab}$, $M_{ac}$, $M_{bc}$.

Again, as before, no player may have a candidate set bigger than three. $C$ may have a candidate set of size one. However, both $A$ and $B$ must have candidate sets of size at least two from $C$'s point of view, since otherwise $C$, who knows all the messages, can determine their cards. As $C$ sees every message, the private computations of $A$ and $B$ are independent given $C$'s view, so these candidate sets must again be pairwise disjoint. The sum of the sizes of the candidate card sets from $C$'s point of view is then at least 5 while only 4 cards are present in the deck. (The other players see even less information than $C$, and thus their view of the computation should also leave candidate sets of size at least 2.) This is a contradiction to disjointness.

Thus, in this case even one public channel prevents a perfectly secure implementation:

Theorem: There exist protocols which cannot be executed securely in the information-theoretic sense on a fully-connected network if any one of the channels is compromised.

This proves the necessity of secure channels in the case of computationally unbounded parties.
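The candidate-set reasoning of this section, carried out mechanically. The Python program below is an added example and is not part of the paper: it runs every execution of a small protocol, groups the executions by what each honest-but-curious player saw, and reads off the candidate set of every other player's card, exactly as $B$ does in the [SRA] argument and as $C$ does in the one-open-channel case. Two constructed protocols are included. The first is the two-player, three-card setting of [SRA], in which $A$ simply announces its draw; it deals disjoint hands but fails privacy, and by [SRA] no two-player protocol can pass both checks. The second is a three-player, four-card dealing protocol of our own design (it is not the protocol of [BaFu]): $B$ holds a random permutation beta, $C$ holds a random permutation gamma, player $i$ is dealt beta[gamma[i]], and $C$ obtains its card through an XOR-shared lookup answered by $A$ and $B$ so that no single player learns another's card. With all three channels private, every view leaves three candidates for each other hand; once $C$ can read the $A$-$B$ channel, $C$'s candidate set for $A$'s card collapses to one, as the proof predicts. The deck {0,1,2,3}, the player names, the message formats, the mask and the channel sets are all assumptions of the example.

```python
"""Brute-force candidate-set checker for the dealing arguments of Section 3 (added
example). Each honest-but-curious player enumerates every execution consistent with
its own view; the cards another player holds in those executions are its candidate
set (the S_A, S_B of the proof). Deck, encodings and protocols are our constructions."""
from collections import defaultdict
from functools import reduce
from itertools import combinations, permutations, product
from operator import xor

DECK = (0, 1, 2, 3)
PERMS = list(permutations(DECK))                        # 24 orderings of the deck
SUBSETS = [frozenset(c) for k in range(len(DECK) + 1)  # all 16 subsets of DECK
           for c in combinations(DECK, k)]

def recv(view, sender, receiver):
    """First message from sender to receiver recorded in a view, else None."""
    for _, p, q, m in view:
        if (p, q) == (sender, receiver):
            return m
    return None

def execute(proto, rands, insecure):
    """Run one synchronous execution. A player's view holds every record
    (round, sender, receiver, message) on a channel it is an endpoint of, plus
    every record on a channel listed in `insecure`, which everybody can read."""
    players = proto["players"]
    views = {p: [] for p in players}
    for rnd in range(proto["rounds"]):
        sent = [(rnd, p, q, m) for p in players
                for q, m in proto["send"](p, rands[p], tuple(views[p]), rnd).items()]
        for rec in sent:
            for v in players:
                if v in rec[1:3] or frozenset(rec[1:3]) in insecure:
                    views[v].append(rec)
    views = {p: tuple(views[p]) for p in players}
    return views, {p: proto["output"](p, rands[p], views[p]) for p in players}

def analyze(proto, insecure=frozenset()):
    """Return (privacy_ok, disjoint_ok, min_candidates) over all executions:
    privacy_ok  - no view ever pins another player's card to a single candidate;
    disjoint_ok - no execution deals one card twice. Uniformity is not checked."""
    players = proto["players"]
    runs = []
    for combo in product(*(range(proto["n_rand"][p]) for p in players)):
        rands = dict(zip(players, combo))
        runs.append((rands,) + execute(proto, rands, insecure))
    cand = defaultdict(set)   # (observer, its randomness, its view, target) -> cards
    for rands, views, outs in runs:
        for p in players:
            for q in players:
                if q != p:
                    cand[(p, rands[p], views[p], q)].add(outs[q])
    min_c = min(len(s) for s in cand.values())
    disjoint = all(len(set(outs.values())) == len(players) for _, _, outs in runs)
    return min_c >= 2, disjoint, min_c

DECK3 = DECK[:3]   # [SRA] setting: two players, three cards; A announces its draw
def announce_send(p, r, view, rnd):
    return {"B": DECK3[r]} if p == "A" else {}

def announce_out(p, r, view):
    if p == "A":
        return DECK3[r]
    return [c for c in DECK3 if c != recv(view, "A", "B")][r]   # B: r in {0, 1}

ANNOUNCE = dict(players=("A", "B"), n_rand={"A": 3, "B": 2}, rounds=1,
                send=announce_send, output=announce_out)

# Section 3 setting: three players, four cards; player i (A=0, B=1, C=2) is dealt
# beta[gamma[i]]. B holds beta and a mask m, C holds gamma and a random subset s,
# and B hands beta and m to A. C obtains beta[gamma[2]] through an XOR-shared lookup
# answered by A and B: neither server learns gamma[2], and m hides the partial sums.
def xor_over(perm, subset):
    return reduce(xor, (perm[i] for i in subset), 0)

def deal3_send(p, r, view, rnd):
    if rnd == 0 and p == "B":
        return {"A": (PERMS[r // 4], r % 4)}                       # (beta, m): must stay secret
    if rnd == 0 and p == "C":
        gamma, s = PERMS[r // 16], SUBSETS[r % 16]
        return {"A": (gamma[0], s), "B": (gamma[1], s ^ {gamma[2]})}  # positions + query shares
    if rnd == 1 and p == "A":
        beta, m = recv(view, "B", "A")
        return {"C": xor_over(beta, recv(view, "C", "A")[1]) ^ m}
    if rnd == 1 and p == "B":
        return {"C": xor_over(PERMS[r // 4], recv(view, "C", "B")[1]) ^ (r % 4)}
    return {}

def deal3_out(p, r, view):
    if p == "A":
        return recv(view, "B", "A")[0][recv(view, "C", "A")[0]]
    if p == "B":
        return PERMS[r // 4][recv(view, "C", "B")[0]]
    return recv(view, "A", "C") ^ recv(view, "B", "C")      # masks cancel: beta[gamma[2]]

DEAL3 = dict(players=("A", "B", "C"), rounds=2, send=deal3_send, output=deal3_out,
             n_rand={"A": 1, "B": 4 * len(PERMS), "C": len(SUBSETS) * len(PERMS)})
OPEN_AB = {frozenset(("A", "B"))}
```

analyze(ANNOUNCE, OPEN_AB) returns (False, True, 1): $B$ reads $A$'s card off the transcript. analyze(DEAL3) returns (True, True, 3), and analyze(DEAL3, OPEN_AB) returns (False, True, 1). Opening the $A$-$C$ or the $B$-$C$ channel instead gives the same collapse, since the extra view together with beta pins a card, so this one protocol already exhibits the theorem's conclusion for each single channel. Each three-player run enumerates 36,864 executions and takes a few seconds.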
4 Related work
Recently, [OVY] considered two-party asymmetric games, where one of the players is infinitely powerful while the other is polynomially bounded. Using a proof method similar to the above, they were able to show that an information-theoretic Oblivious Transfer protocol is impossible to achieve. Moreover, non-interactive Oblivious Transfer was also shown to be impossible. On the positive side, they were able to show that if one-way functions exist, then any two-party asymmetric game (for example, an Oblivious Transfer protocol) is possible to implement.

Further study of requirements for multi-party secure computation when the network is not fully connected was done by [DDWY], where they presented tight results on the connectivity of the network required in order to preserve security.
Acknowledgments
The authors thank Silvio Micali and Joan Feigenbaum for helpful discussions on the topic of the paper.
References
[BaFu] I. Bárány and Z. Füredi, Mental Poker with Three or More Players, Information and Control, vol. 59, 1983, pp. 84-93.
[BGW] M. Ben-Or, S. Goldwasser and A. Wigderson, Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation, STOC 1988, ACM, pp. 1-10.
[BG] D. Beaver and S. Goldwasser, Multiparty Computation with Faulty Majority, FOCS 1989, IEEE, pp. 468-473.
[CCD] D. Chaum, C. Crépeau and I. Damgård, Multiparty Unconditionally Secure Protocols, STOC 1988, ACM, pp. 11-19.
[DDWY] D. Dolev, C. Dwork, O. Waarts and M. Yung, Perfectly Secure Message Transmission, FOCS 1990, IEEE.
[FM] P. Feldman and S. Micali, Optimal Algorithms for Byzantine Agreement, STOC 1988, ACM, pp. 148-161.
[GHY] Z. Galil, S. Haber and M. Yung, Cryptographic Computations and the Public-Key Model, CRYPTO 1987, Springer-Verlag, pp. 135-155.
[GMW1] O. Goldreich, S. Micali and A. Wigderson, Proofs that Yield Nothing But their Validity, FOCS 1986, IEEE, pp. 174-187.
[GMW2] O. Goldreich, S. Micali and A. Wigderson, How to Play any Mental Game, STOC 1987, ACM, pp. 218-229.
[GMR] S. Goldwasser, S. Micali and C. Rackoff, The Knowledge Complexity of Interactive Proof Systems, STOC 1985, ACM, pp. 291-304.
[OVY] R. Ostrovsky, R. Venkatesan and M. Yung, On the Complexity of Asymmetric Games, manuscript.
[RB] T. Rabin and M. Ben-Or, Verifiable Secret Sharing and Multiparty Protocols with Honest Majority, STOC 1989, ACM, pp. 73-85.
[SRA] A. Shamir, R. Rivest and L. Adleman, Mental Poker, Technical Memo, MIT (1979).
[W] A. D. Wyner, The Wire-Tap Channel, Bell System Technical Journal, vol. 54, 1975, pp. 1355-1387.