# MPC DICE Alice $\Rightarrow$ :woman: :game_die: :man: $\Leftarrow$ Bob **D**ice over **IN**secure **N**etwork between untrust**E**d pa**R**ties (DINNER) Lorenzo Gentile Note: lorg@itu.dk Insecure network $\rightarrow$ MAC, Digital signatures, encryption, TLS Untrusted parties $\rightarrow$ MPC --- #### About me - PhD Student at ITU :male_elf: - / Cryptographic protocols / Secure multi-party computation (MPC) / Privacy preserving blockchain applications :mag:  --- #### My research - How can different parties (e.g., tax authorities, hospitals, universities) **combine their data** to **extract something useful** while **preserving privacy** (usually no third party involved)? :see_no_evil: - What lies between **MPC and blockchain**? :chains: --- #### MPC intro: Yao's Millionaires' problem - Introduced in 1982 by computer scientist Andrew Yao: two millionaires, Alice and Bob, are interested in knowing which of them is richer without revealing their actual wealth. ``` a +--------+ Alice ---> | YAO | f(a,b) = 1 if a > b else 0 b | | ---> Bob ---> | | +--------+ ``` - Compute $f(a, b)$ while preserving the privacy of $a$ and $b$. --- #### Dealing with untrusted parties - $k$: security parameter - $\mathcal{h}$: hash function (e.g., sha256) ``` sequence participant Alice as A participant Bob as B Note left of A: a <-$- {0,1}^3\nr <-$- {0,1}^k Note right of B: b <-$- {0,1}^3 A->B: h(a | r) B->A: b A->B: a, r Note left of A: d = a XOR b % 6 + 1 Note right of B: d = a XOR b % 6 + 1 ``` Note: - Hiding and binding properties of the hash-based commitment hold against computationally bounded adversaries. What if Pedersen commitment was used? In the Pedersen commitment the hiding property is unconditional (i.e., it holds without any computational assumption). The binding property holds under the assumption that computing discrete logarithms is hard. - Optional: Dice is not fair. --- #### Dealing with untrusted parties (optional) - ... - $\mathcal{PRNG}$: pseudorandom number generator ``` sequence participant Alice as A participant Bob as B Note left of A: a <-$- {0,1}^k\nr <-$- {0,1}^k Note right of B: b <-$- {0,1}^k A->B: h(a | r) B->A: b A->B: a, r Note left of A: d = PRNG(a XOR b) % 6 + 1 Note right of B: d = PRNG(a XOR b) % 6 + 1 ``` Note: - Dice is now fair. --- #### Creating a secure channel **Minimum properties** - Integrity (e.g., HMAC with sha256, digital signatures based on RSA) - Authenticity (e.g., HMAC with sha256, digital signatures based on RSA) **Optional properties** - Confidentiality (e.g., encryption based on RSA) - Non-repudiation (e.g., digital signatures based on RSA) Note: [1](https://security.stackexchange.com/questions/220309/do-integrity-and-authentication-always-come-together) [2](https://crypto.stackexchange.com/questions/5646/what-are-the-differences-between-a-digital-signature-a-mac-and-a-hash) --- #### Possible approaches 1) Assuming Alice and Bob share a symmetric key, then use HMAC with sha256. 2) Assuming Alice and Bob know the public key of the other party, then use digital signatures based on RSA. --- 3) Assuming Alice and Bob know the public key of the other party, then agree on a symmetric key using authenticated diffie-hellman key exchange and then use HMAC with sha256. 4) Assuming Alice and Bob know the public key of the other party (e.g., it comes from a CA), then use TLS. ... --- #### Implementation ``` console user@host:~/mpc-dice$ python3 alice.py a > 101 Press enter to send: com(a,r) sig > Bob sent: b sig = 010 b'\x85\x88\xcc\'\x89\xb7\x9b\x8e\x85\\\x1b\xfb\xe5\xbb\xbe\xaaC_{\xa3\x9a\xc9g\x89L\x12H\x02\xc7\x822\x03\xebZ\xb5*\xccM\xfe\xbaHl\xbe\x8f\x1f\xe5\xce:~^}+\xa9a&_^\xdb\xe3\xf0\xc6\xa9~?\x0bf\xf2\x1e\xfc\xcb\x8b\xe1\x85\x8bi\xf5\xca\\\xb0h\xcb\x06\x95\xde~\xd8.\xb9n\xcfGE4\x0bT\xb6\xf0\x0f=\xe0[I3%\xec!\x97\x98\x07\xc9\xbc\\\xff\x94+)_\xf0\xea\xb7"\xf6\xf3\x17\xdb2>\x05\xe0\xa8\xcaUC\xd5\x85\x02\x13\xa6)]8\x82\x06\xd0\xd6\x8cA\x13\xce[\xea\x9f6\x97\x95\xe2\xed\xfa"\xe6\xf0w\xbc\x8c\\i\x7f\xee.\xa5\xcc(\xc1\x85e\xb8Q\x0e\xa9\xd7\xd6z$\xd6\x0f\xae6\xe9-\xd6\xaa^\x02u5\xb5\x0f-\xc8D\xdc\xef\x88\xa2\xee\xa8\xc7:o\xfdN\x9e\x10\x91Yq\xcaI+\xc0y\x90\xc6\x8au9\x0b\xea5OG\xb0\xcd\x06"\x8e)\xea\x81\xa3H\x00\xf7[\xe0\x86c\t\xb8i\x0c\x0e\xb3\x0c\xfek' Press enter to send: a r sig > b sig valid. Compute d = (a ^ b) % 6 + 1 101 ^ 010 = 111 = 7 (base 10) 7 % 6 + 1 = 2 ``` Available on [GitHub](https://github.com/lorenzogentile404/mpc-dice). --- #### Time for questions! Alice $\Rightarrow$ :woman: :game_die: :man: $\Leftarrow$ Bob Lorenzo Gentile Note: lorg@itu.dk