swarming secrets
DESCRIPTION
Swarming Secrets. Shlomi Dolev (BGU), Juan Garay (AT&T Labs), Niv Gilboa (BGU), Vladimir Kolesnikov (Bell Labs). Allerton 2009. Talk Outline. Objectives. Adversary. Secret sharing. Membership and thresholds. Private computation in swarms. Perfectly oblivious TM.
TRANSCRIPT
Swarming Secrets
Shlomi Dolev (BGU), Juan Garay (AT&T Labs), Niv Gilboa (BGU), Vladimir Kolesnikov (Bell Labs)
Allerton 2009
Talk Outline
• Objectives
• Adversary
• Secret sharing
• Membership and thresholds
• Private computation in swarms
– Perfectly oblivious TM
– Computing transitions
Objectives
• Why swarms
• Why secrets in a swarm
• Dynamic membership in swarms
• Computation in a swarm
Adversary
• Honest but curious
• Adaptive
• Controls swarm members
– Up to a threshold of t members
• What about eavesdropping?
– We assume that the adversary can eavesdrop on the links (incoming and outgoing) of up to t members
Secret sharing
[Figure: bivariate polynomial P(x,y) drawn over axes X and Y, with the point P(i,j) marked at x = i, y = j]
Share of Player i: P(i,y) and P(x,i)
Join
[Figure: swarm members A, B, C, D and a new member J]
J: "Hey guys, can I play with you? I’m J!"
Members: "Sure!"
Message labels in the figure: PA(J,y), PA(x,J); PB(J,y), PB(x,J); PC(J,y), PC(x,J); PA(J,y), PA(x,J)
Leave
• Problem:
– Member retains share after leaving
– Adversary could corrupt leaving member and t current members
• Refreshing (Proactive Secret Sharing)
– Each member shares random polynomial with free coefficient 0
Decrease Threshold - t to t*
[Figure: members A, B, C, D, J]
• A: choose random, degree t* QA(x,y)
• Each member receives a share of QA(x,y)
• B, C, D, … also share random polynomials
Decrease Threshold - t to t*
[Figure: members A, B, C, D, J]
• Each member: add local shares
• Interpolate P(x,y) + QA(x,y) + QB(x,y) + …
• Remove high degree terms
• R(x,y)
Decrease Threshold - t to t*
[Figure: members A, B, C, D, J]
• Members receive: high mon. of P
• Each member: compute reduced P
Computation in a Swarm
• A distributed system
– Computational model
– Communication between members
– Input – we can consider global and non-global input
– Changes to “software”
– “Output” of computation when computation time is unbounded
How is it Hidden?
• Secret sharing
– Input
– State
• Universal TM
– Software
• Perfectly oblivious universal TM
– Time
Architecture of a Swarm TM
[Figure: User 1 and User 2, each with an Oblivious Universal Machine, an input tape, a work tape and tape heads; the tapes are shown as bit strings (0 ...10, 1 ...00, 1 ...11, 1 ...10); the two machines are linked by Communication]
Perfectly Oblivious TM
[Figure: tape with tape head; cells marked N N Y N]
• Oblivious TM – Head moves as function of number of steps
• Perfectly Oblivious TM – Head moves as function of current position
Perfectly Oblivious TM
[Figure: tape and original tape with head]
Transition: (st, )(st2,,right)
Transition: (st, )(st1,,left)
Tape shifts right, copy that was in previous cell
Tape shifts right, head shifts left, Y stays in place, copy
Insert result of “real” transition,
Transition: (st, )(st3,,left)
Computing a Transition
• Goal: compute transition privately in one communication round
• Method: construct new state/symbol unit vector, ns/n, from
– Current state - st
– Current symbol -
• ns[k]= st[i] [j], for all i, j such that a transition of (i, j) gives state k
• Construct new symbol vector in analogous way
n[k]= st[i] [j], for all i, j such that a transition of (i, j) gives symbol k
Encoding State Transitions
[Figure: Transition Table with rows st1 … st2 … and entries marked ns, next to the Current Transition; the 0/1 entries of the current state and symbol vectors are multiplied pairwise (0*0, 0*1, 1*0, 1*1) and summed per new state]
0*0+0*1=0 … 1*0+0*1+0*0=0 0*0+0*0+1*1+1*0=1
0…010…0 New state is ns
Encoding Symbol Transitions
[Figure: Transition Table with rows st1 … st2 … and entries marked ns, next to the Current Transition; the 0/1 entries of the current state and symbol vectors are multiplied pairwise (0*0, 0*1, 1*0, 1*1) and summed per new symbol]
0*0+0*1=0 … 1*0+0*0+0*0+1*0=0 0*1+1*1+0*0=1
0…01 New symbol is
What about Privacy?
• Goal: compute transitions privately
• Method
– Compute new shares using the st[i] [j],
– Reduce polynomial degree
Sharing States & Symbols
• Initially
• Encode 1 by P(x,y), P(0,0)=1
• Encode 0 by Q(x,y), Q(0,0)=0
• Share bivariate polynomials for state and symbol
• Step
• Compute 0*0+ 1*0+ 1*1… by
– Multiplying and summing local shares
– Running “Decrease” degree protocol
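The transition step from "Computing a Transition" and "Sharing States & Symbols", as an added example that is not code from the talk: each member multiplies and sums its own shares of the unit vectors, and the result shows why the degree has to be decreased afterwards. It assumes univariate Shamir sharing in place of the talk's bivariate polynomials, opens the output only to check it, and the names P, DELTA, share, reconstruct, local_step and run are made up for this sketch.

```python
import random

P = 2**31 - 1  # prime field modulus (constructed for this example)

def share(secret, t, n, rng):
    """Shamir-share `secret` with a random degree-t polynomial f; member m holds f(m)."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(t)]
    return [sum(c * pow(m, e, P) for e, c in enumerate(coeffs)) % P
            for m in range(1, n + 1)]

def reconstruct(points):
    """Lagrange-interpolate f(0) from (member, share) pairs."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def local_step(st_sh, sym_sh, delta, n_states):
    """One member, no communication: ns[k] = sum of st[i]*sym[j] where delta[i][j] == k."""
    ns = [0] * n_states
    for i, row in enumerate(delta):
        for j, k in enumerate(row):
            ns[k] = (ns[k] + st_sh[i] * sym_sh[j]) % P
    return ns

def run(state, symbol, delta, t=1, n=5, seed=7):
    """Share the one-hot state and symbol vectors, step locally, open the result."""
    rng = random.Random(seed)  # fixed seed keeps the demo repeatable; not for real use
    n_states, n_symbols = len(delta), len(delta[0])
    # st[m] / sym[m] are member m's shares of every vector entry
    st = list(zip(*(share(int(i == state), t, n, rng) for i in range(n_states))))
    sym = list(zip(*(share(int(j == symbol), t, n, rng) for j in range(n_symbols))))
    out = [local_step(st[m], sym[m], delta, n_states) for m in range(n)]
    def opened(k):  # reconstruct each entry from the first k members' output shares
        return [reconstruct([(m + 1, out[m][e]) for m in range(k)])
                for e in range(n_states)]
    # Products of degree-t shares lie on a degree-2t polynomial: 2t+1 shares
    # open it correctly, t+1 do not, hence the degree-reduction step.
    return opened(2 * t + 1), opened(t + 1)

# Constructed transition table: DELTA[state][symbol] -> next state
DELTA = [[1, 0], [2, 1], [0, 2]]

if __name__ == "__main__":
    print(run(state=1, symbol=0, delta=DELTA))
```

The first returned vector is the one-hot new state; the second, opened from only t+1 shares, is wrong because the local products raised the sharing degree to 2t.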