How to play ANY mental game A Completeness
- Slides: 48
How to play ANY mental game A Completeness Theorem for Protocols with Honest Majority
Overview 1. Introduction 2. Solution for TM-Games 2. 1. for passive adversaries 2. 2. for malicious adversaries 3. General games 4. Summary
1. Introduction • Motivation: n Players want to compute • Problem: each is a private input of the player i • Question: Is it possible to run M so that 1. The output is correct 2. No additional information of the leaked is
1. Introduction • Adversaries: - passive Adversaries: Run the protocol correct but run „on the side“ other efficient algorithmns - malicious Adversaries: Replace the algorithm by any efficient algorithm
1. Introduction • First Observation: – Easy to solve with an extra trusted party • In most situations there is no trusted party -> This notation wouldn‘t be useful • „Purely playable games“ – No extra party which is trusted by everyone
Overview 1. Introduction 2. Solution for TM-Games 2. 1. for passive adversaries 2. 2. for malicious adversaries 3. General games 4. Summary
2. 1. Solution for TM-Games • Motivation: – Restricting the scenario to: • A special case of games (Turing-machine games) • Passive adversaries -> Easier to prove, yet useful for further proofs
2. 1. Solution for TM-Games • General Definitions: – Random Variable (RV) R: (assigns a probability to each value ) – PA = probablistic poly-time algorithm – Efficient ≙ element of PA
2. 1. Solution for TM-Games • Game network of size n: – n Turing machines with (for each TM): • • 1 read-only private input tape 1 write only private output tape 1 read/write private work tape n-1 special public communication tapes – 1 common read-only input and 1 common write only output tape
2. 1. Solution for TM-Games • A probablistic distributed algorithm S in a game network of size n is a sequence of programs • Denote the class of all such algorithms by PDA
2. 1. Solution for TM-Games • Let S∈PDA run in a network of size n with common input CI and private inputs Definition: – denotes the RV of the public history – denotes the RV of the private history of machine i
2. 1. Solution for TM-Games • Let S∈PDA run in a network of size n with common input CI and private inputs Definition: – denotes the RV of the private output of machine i – For T⊆{1, …n} let denote the vector of private histories of the members of T
2. 1. Solution for TM-Games • Indistinguishability of RV‘s: – Poly-bounded RV‘s: c constant, k∈ℕ the security parameter – Circuit is a „judge“ for two families of RV‘s U, V X a RV from U or V: – Denote by P(U, C, k) the probability that on a random sample of outputs 1
2. 1. Solution for TM-Games • Definition: (Indistinguishability of RV‘s) U and V are computationally indistinguishable if for all C, for all f∈ℕ and „sufficiently large“ k∈ℕ :
2. 1. Solution for TM-Games • Solution for a TM-Game: – An algorithm in PDA with input the following conditions are satisfied: • Agreement: for all i, j output i equals output j • Correctness: s. t.
2. 1. Solution for TM-Games • Solution for a TM-Game: – An algorithm in PDA with input the following conditions are satisfied: • Privacy: s. t.
2. 1. Solution for TM-Games • Familiy of trap-door permutations: - Easy to select an f for a k∈ℕ and some extra trap-door information - Easy to compute f(x) - Hard to compute , if one doesn‘t know the trap-door information • One-way permutation: - Same as above, but trap-door information must not exist
2. 1. Solution for TM-Games • Theorem: – If a trapdoor function exists, there exists a TMgame solver for passive adversaries • Proof sketch: – We use a lemma by Barrington‘s that simulates computation by composing elements in – > Transform our TM in a circuit and further into a straight-line program
2. 1. Solution for TM-Games • This straight-line program contains: – 0 and 1 as specially selected 5 -permutations – Variables in the range of – Instructions consist of multiplying two 5 permutations and which can be: • constant • a variable • the inverse (in ) of a variable
2. 1. Solution for TM-Games • Initialization: – Each party encodes his private input by a 5 permutation – He selects random 5 -permutations and gives the pair – He then sets to player n to player i and gives
2. 1. Solution for TM-Games • Computation with variable and: 1. case: , c constant. Then set 2. case: sets , c constant. Then each player
2. 1. Solution for TM-Games • Computation with variable and: 3. case: ⋅ , a variable. Then • assume • we can‘t just multiply as is not commutative
2. 1. Solution for TM-Games • Idea to solve the problem in case 3: – „swap“ pieces until each player can compute his share • first step: • run this for all players resulting in O(n²) swaps – Problem: privacy constraint would be violated – Solution?
2. 1. Solution for TM-Games • Random bits: - Given a trap-door permutation f A random bit of f is: - A poly-time computable function - Computing on f(x) is essentialy “as hard as inverting f” -> Blackboard
2. 1. Solution for TM-Games • Oblivious transfer (OT): – Sending information to the receiver, but it’s oblivious (“not clear”) what he received – Rabin’s OT: • A sends B an encrypted message E(m) and B can decrypt it with 50% probability -> Blackboard
2. 1. Solution for TM-Games • 1 -2 oblivious transfer: – A∈PA with input bits – B∈PA with input bit – A sends B one out of two messages, s. t. : 1. B will read , but can’t predict 2. A cannot predict
2. 1. Solution for TM-Games • Implementation of 1 -2 OT in 4 steps: 1. A selects a trapdoor permutation of size having a random bit A sends f to B and keeps secret 2. B selects at random and sends A:
2. 1. Solution for TM-Games • Implementation of 1 -2 OT in 4 steps: 3. A computes: and sends B 4. B computes
2. 1. Solution for TM-Games • Why does it work? -> Blackboard
2. 1. Solution for TM-Games • Combined Oblivious Transfer (COT): – A and B owning some inputs a and b – In the end of the protocol, A has computed g(a, b), while B doesn‘t know what A has computed – When a and b are secrets, it seems that B transfered a combination of his and A‘s secret to A
2. 1. Solution for TM-Games • Example: COT AND-gate A B This labels are secret!
2. 1. Solution for TM-Games • Combined Oblivious Transfer (COT): – We‘ve seen the COT-AND gate – The COT-NOT gate is trivial -> Therefor we can compute any 2 -gates function
2. 1. Solution for TM-Games • Applying the COT to our problem: – Player 1 and n use the following function for COT: g(x, (y, z) = w , where w⋅z=y⋅x – Player 1 is A with input – Player n is B with input – Then set -> Notice that g(x, (y, ⋅)) is injective on
Overview 1. Introduction 2. Solution for TM-Games 2. 1. for passive adversaries 2. 2. for malicious adversaries 3. General games 4. Summary
2. 2. Solution for TM-Games • Motivation: – With malicious adversaries we must clarify how to handle private inputs • Say if one player stops computing or tries to pretend his private input is different from what it actually is, how can we handle this? • Theorem: – Given n players „willing to play“, less then half of which malicious, all TM-games are playable
2. 2. Solution for TM-Games • Zero-knowledge proof: Prove that you know a secret without revealing it. must satisfy 3 properties: - Completeness: - honest prover can convince honest verifier - Soundness: - cheating prover can’t convince honest verifier, except with small probability - Zero-knowledge: - no cheating verifier learns any other information
2. 2. Solution for TM-Games • What means „willing to play“? – Successfully completing a protocol s. t. : 1. For all players i, no minority can predict a bit of player i‘s input with prob. > ½ but it is guaranteed that a majority of players can efficiently compute i‘s input 2. Each player i has a sequence of random encrypted bits s. t. : 1. He knows the decryption 2. No minority can predict them 3. A majority can easily compute them
2. 2. Solution for TM-Games • How can we use this to „play“ the game? – For any randomness, players must use the bits they received – Each player proves - in zero-knowledge - that each message is what he should have send – If any player should stop at this phase then: • The others can reconstruct his random bits and private input • Compute his further messages when necessary
Overview 1. Introduction 2. Solution for TM-Games 2. 1. for passive adversaries 2. 2. for malicious adversaries 3. General games 4. Summary
3. General games • Game theory: – Definition of a general game: • A set S of possible states • A set M of possible moves • A set of knowledge functions of each state : • A payoff function p evaluating the final state
3. General games • Game theory: – Given a description of a game, how can we find some strategy satisfying some property? – Problem: given a description of a game, how can we actually PLAY the game? • For a general n-player game, we need n+1 players to play it ( which is unfortunate as we need another trusted party, which we normally don‘t have )
3. General games • Game Theory Example: – The game „poker“ is clearly playable (e. g. in our physical world) – Let NEWPOKER be the same as normal poker, but in addition you have the information, whether all hands combined form a royal flush • Is this game playable, too?
3. General games • Questions that arise: – Is there a model which makes all games playable, or at least – Does every game have a model in which it is playable? – Should we restrict us to the class of playable games?
3. General games • Theorem: – If any trap-door function exists, any game is playable if more than half of the players are honest • Idea to prove this: – Simulate a trusting party in an ideal game
Overview 1. Introduction 2. Solution for TM-Games 2. 1. for passive adversaries 2. 2. for malicious adversaries 3. General games 4. Summary
4. Summary • Theorem: – Under the assumption that any trap-door permutation exists: • We can tolerate any number of passive adversaries • We can tolerate up to ½ ⋅n malicious adversaries • If there are more than ½ ⋅n malicious adversaries then some protocols have no efficient solution
4. Summary • Why is this useful? – > Because every protocol can be formalized to a game with incomplete information – > We can even find a solution uniformly: • We can use an efficient algoritm, that, on input a protocol problem, outputs an efficient, distributed protocol for solving it
Thank you for your attention! Any questions?
How to play any mental game
There are some pasta
Any to any connectivity
Seknder
Permutation and combination keywords
Mental health and mental illness chapter 20
Mental health jeopardy questions and answers
I've got a friend we like to play we play together
Louise made the chocolate cake active or passive
Typewriter types
Play within the play hamlet
What game do the members of the joy luck club play?
Cannibal and missionaries game
Fictious play
Steal the pile card game
Lets play a game
Play out game
Np complete
Time4writing demo
Iscgem
What is institutional completeness
Data flow diagram phases
Completeness in communication
Parity drop in des
Completeness in business letter
Completeness definition in communication
Etmf reference model
What is completeness in writing
Technical writing definitions
Principles of completeness
Concreteness and conciseness
Packaged data models
Correctness in effective communication
Abstract adj
Completeness in quantum mechanics
The pirate game
The farming game rules
A formal approach to game design and game research
Game lab game theory
Liar game game theory
Liar game game theory
Information system of zara
How to write a five sentence paragraph
Any time interrogation call flow
Finish your homework
Graphic communications definition
Special purpose diode
Any device anywhere
Disadvantage of railways
