Swarming Secrets
Shlomi Dolev (BGU), Juan Garay (AT&T Labs), Niv Gilboa (BGU), Vladimir Kolesnikov (Bell Labs)
Allerton 2009


Talk Outline
• Objectives
• Adversary
• Secret sharing
• Membership and thresholds
• Private computation in swarms
  – Perfectly oblivious TM
  – Computing transitions

Objectives
• Why swarms
• Why secrets in a swarm
• Dynamic membership in swarms
• Computation in a swarm

Adversary
• Honest but curious
• Adaptive
• Controls swarm members
  – Up to a threshold of t members
• What about eavesdropping?
  – We assume that the adversary can eavesdrop on the links (incoming and outgoing) of up to t members

Secret sharing
[Figure: bivariate polynomial P(x,y) drawn over axes X and Y, with the point P(i,j) marked at row i, column j. Share of player i: P(i,y) and P(x,i).]

Join
[Figure: swarm members A, B, C, D and a newcomer J. J: "Hey Guys, can I play with you? I’m J!" Members: "Sure!" Labels on the members: PA(J,y), PA(x,J); PB(J,y), PB(x,J); PC(J,y), PC(x,J).]
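An added example (not code from the talk) of the Secret sharing and Join slides: a dealer shares a secret as P(x,y), and a newcomer J rebuilds its share P(J,y), P(x,J) from t+1 current members with no dealer involved. It assumes the standard construction in which member A sends J the two evaluations P(J,A) and P(A,J); the field modulus, the numbering of players and all function names are choices made for the example.

```python
import random

P = 2**31 - 1  # prime field modulus (constructed for this example)

def deal(secret, t, rng):
    """Coefficients c[a][b] of a random P(x,y) of degree t in x and y with P(0,0) = secret."""
    c = [[rng.randrange(P) for _ in range(t + 1)] for _ in range(t + 1)]
    c[0][0] = secret % P
    return c

def evaluate(c, x, y):
    return sum(c[a][b] * pow(x, a, P) * pow(y, b, P)
               for a in range(len(c)) for b in range(len(c))) % P

def share(c, i):
    """Share of player i: the univariate polynomials P(i,y) and P(x,i), as callables."""
    return (lambda y: evaluate(c, i, y)), (lambda x: evaluate(c, x, i))

def interpolate(points, x):
    """Evaluate at x the lowest-degree polynomial through the (xi, yi) points, mod P."""
    total = 0
    for xi, yi in points:
        weight = 1
        for xj, _ in points:
            if xj != xi:
                weight = weight * (x - xj) * pow((xi - xj) % P, -1, P) % P
        total += yi * weight
    return total % P

def join(members, j, t):
    """Newcomer j rebuilds its own share from values sent by t+1 current members."""
    helpers = sorted(members)[:t + 1]
    # Member a evaluates its P(x,a) at x=j: a point of j's P(j,y) at y=a.
    on_row = [(a, members[a][1](j)) for a in helpers]
    # Member a evaluates its P(a,y) at y=j: a point of j's P(x,j) at x=a.
    on_col = [(a, members[a][0](j)) for a in helpers]
    return (lambda y: interpolate(on_row, y)), (lambda x: interpolate(on_col, x))

def demo(secret=42, t=2, seed=1):
    # Seeded PRNG for a repeatable run; a real dealer needs a CSPRNG.
    c = deal(secret, t, random.Random(seed))
    members = {i: share(c, i) for i in range(1, 5)}   # A, B, C, D as players 1..4
    j_row, j_col = join(members, 5, t)                # J joins as player 5
    members[5] = (j_row, j_col)
    # Any t+1 members, here including J, open the secret from their P(i,0).
    opened = interpolate([(i, members[i][0](0)) for i in (2, 4, 5)], 0)
    return opened, j_row(7) == evaluate(c, 5, 7), j_col(9) == evaluate(c, 9, 5)
```

Each helper reveals to J only two field elements that lie on J's own share, so J learns nothing about the shares of other members beyond what its share already determines.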

Leave
• Problem:
  – Member retains share after leaving
  – Adversary could corrupt leaving member and t current members
• Refreshing (Proactive Secret Sharing)
  – Each member shares random polynomial with free coefficient 0

Additional Operations
• Merge
• Split
• Clone

Increase Threshold
• Why do it?
• How – simple, add random polynomials of higher degree with P(0,0)=0

Decrease Threshold - t to t*
[Figure: members A, B, C, D, J. A: choose random, degree t* QA(x,y); each of the other four members receives a share of QA(x,y). B, C, D, … also share random polynomials.]

Decrease Threshold - t to t*
[Figure: members A, B, C, D, J. Every member: add local shares. Then: interpolate P(x,y) + QA(x,y) + QB(x,y) + …; remove high degree terms; R(x,y).]

Decrease Threshold - t to t*
[Figure: members A, B, C, D, J. Labels: "High mon. of P" (four times) and, at every member, "Compute reduced P".]

Computation in a Swarm
• A distributed system
  – Computational model
  – Communication between members
  – Input – we can consider global and non-global input
  – Changes to “software”
  – “Output” of computation when computation time is unbounded

What is Hidden
• Current state
• Input
• Software
• Time

What is not Hidden?
• Space

How is it Hidden?
• Secret sharing
  – Input
  – State
• Universal TM
  – Software
• Perfectly oblivious universal TM
  – Time

Architecture of a Swarm TM
[Figure: User 1 and User 2 each run an Oblivious Universal Machine with an input tape, a work tape and tape heads; the two machines are linked by communication.]

Perfectly Oblivious TM
• Oblivious TM – Head moves as function of number of steps
• Perfectly Oblivious TM – Head moves as function of current position
[Figure: tape with tape head; cells marked N N Y N.]

Perfectly Oblivious TM
[Figure: tape and original tape head, with the annotations below.]

Transition: (st, )(st2,,right)

Transition: (st, )(st1,,left)

Tape shifts right, copy that was in previous cell

Tape shifts right, head shifts left, Y stays in place, copy

Insert result of “real” transition,

Transition: (st, )(st3,,left)

TM Transitions
[Figure: tape with tape head; list of states st1, st2, …, st; transition table.]

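Encoding States & Cells
[Figure: the states st1, st2, …, st are encoded as unit vectors 10…0, 01…0, …, 0…010…0 (1 at index st); a tape cell is encoded the same way, as 0…010…0 with the 1 at position index.]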

Computing a Transition
• Goal: Compute transition privately in one communication round
• Method: Construct new state/symbol unit vector, ns/n, from
  • Current state - st
  • Current symbol -
• ns[k]= st[i] [j], for all i, j such that a transition of (i, j) gives state k
• Construct new symbol vector in analogous way
  n[k]= st[i] [j], for all i, j such that a transition of (i, j) gives symbol k

Encoding State Transitions
[Figure: transition table (rows st1, st2, …, st) next to the current transition; every table cell is annotated with a product of a state-vector bit and a symbol-vector bit (0*0, 0*1, 1*0, 1*1). Summing the products per target state:]

0*0+0*1=0 … 1*0+0*1+0*0=0 0*0+0*0+1*1+1*0=1

0…010…0 New state is ns

Encoding Symbol Transitions
[Figure: transition table (rows st1, st2, …, st) next to the current transition; every table cell is annotated with a product of a state-vector bit and a symbol-vector bit (0*0, 0*1, 1*0, 1*1). Summing the products per target symbol:]

0*0+0*1=0 … 1*0+0*0+0*0+1*0=0 0*1+1*1+0*0=1

0…01 New symbol is

What about Privacy?
• Goal: compute transitions privately
• Method
  – Compute new shares using the st[i] [j],
  – Reduce polynomial degree

Sharing States & Symbols
• Initially
• Encode 1 by P(x,y), P(0,0)=1
• Encode 0 by Q(x,y), Q(0,0)=0
• Share bivariate polynomials for state and symbol
• Step
• Compute 0*0+ 1*0+ 1*1… by
  – Multiplying and summing local shares
  – Running “Decrease” degree protocol
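An added example (not code from the talk) of the one-round step from the Computing a Transition and Sharing States & Symbols slides: each member multiplies and sums only its local shares of the state and symbol unit vectors. As assumptions, it uses univariate Shamir shares in place of the talk's bivariate polynomials, a constructed 2-state, 2-symbol machine, and opens the degree-2t result from 2t+1 members instead of running the "Decrease" degree protocol.

```python
import random

P = 2**31 - 1        # prime field modulus (constructed for this example)
T, N = 1, 3          # degree-T sharing; a product of two shares has degree 2T = 2,
                     # so N = 2T + 1 = 3 members are needed to open it
# Constructed machine: (state, symbol) -> (new state, new symbol)
DELTA = {(0, 0): (1, 1), (0, 1): (0, 0), (1, 0): (1, 0), (1, 1): (0, 1)}

def share(value, rng):
    """Member m = 1..N gets f(m) for a random degree-T polynomial f with f(0) = value."""
    coeffs = [value] + [rng.randrange(P) for _ in range(T)]
    return [sum(c * pow(m, e, P) for e, c in enumerate(coeffs)) % P
            for m in range(1, N + 1)]

def share_unit_vector(index, size, rng):
    """Share every entry of the unit vector; result[m][i] is member m's share of entry i."""
    entries = [share(int(i == index), rng) for i in range(size)]
    return [[entries[i][m] for i in range(size)] for m in range(N)]

def local_step(st, sym, which):
    """Run by one member on its own shares only: out[k] = sum of st[i]*sym[j] over
    all (i, j) whose transition gives k (which=0: new state, which=1: new symbol)."""
    out = [0, 0]
    for (i, j), target in DELTA.items():
        k = target[which]
        out[k] = (out[k] + st[i] * sym[j]) % P
    return out

def open_degree_2t(values):
    """Interpolate at x=0; for members 1, 2, 3 the Lagrange weights are 3, -3, 1."""
    return (3 * values[0] - 3 * values[1] + values[2]) % P

def private_transition(state, symbol, rng):
    st = share_unit_vector(state, 2, rng)
    sym = share_unit_vector(symbol, 2, rng)
    result = []
    for which in (0, 1):
        local = [local_step(st[m], sym[m], which) for m in range(N)]
        # Opened here only to check the result; in the talk the vector stays
        # shared and its degree is brought back down by the "Decrease" protocol.
        result.append([open_degree_2t([local[m][k] for m in range(N)]) for k in (0, 1)])
    return result  # [new-state unit vector, new-symbol unit vector]
```

The local products lie on a polynomial of degree 2t, which is why the step on the slide is followed by degree reduction: without it, each further transition would double the degree again and the number of members needed to use the result.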

Thank You!!!