« search calendars« DIMACS/MACS Workshop on Usable, Efficient, and Formally Verified Secure Computation

« Computer-Aided Proofs for Multiparty Computation with Active Security

Computer-Aided Proofs for Multiparty Computation with Active Security

March 15, 2019, 11:15 AM - 11:45 AM

Location:

Barrister's Hall - first floor

Boston University Law School

765 Commonwealth Avenue

Boston, MA 02215

Sabine Oechsner, Aarhus University

Secure multi-party computation (MPC) is a general cryptographic technique that allows distrusting parties to compute a function of their individual inputs, while only revealing the output of the function. Given the importance, it is crucial that the protocols are specified and implemented correctly. In the programming language community, it has become good practice to use computer proof assistants to verify correctness proofs. In the field of cryptography, EasyCrypt is the state of the art proof assistant. It provides an embedded language for probabilistic programming, together with a specialized logic, embedded into an ambient general purpose higher-order logic. It allows us to conveniently express cryptographic properties. EasyCrypt has been used successfully on many applications, including public-key encryption, signatures, differential privacy, and two-party computation with security against semi-honest adversaries. Here we show for the first time that it can also be used to prove security of MPC against a malicious adversary. We formalize additive and replicated secret sharing schemes and apply them to Maurer’s simple MPC protocol for secure addition and multiplication. Our method extends to general polynomial functions. We follow the insights from EasyCrypt that security proofs can often be reduced to proofs about program equivalence, a topic that is well understood in the verification of programming languages. In particular, we show that for a class of MPC protocols in the passive case the non-interference-based (NI) definition is equivalent to a standard simulation-based security definition. For the active case, we provide a new non-interference based alternative to the usual simulation-based cryptographic definition that is tailored specifically to our protocol.

Joint work with Helene Haagh, Aleksandr Karbyshev, Bas Spitters (Aarhus University) and Pierre-Yves Strub (École Polytechnique).