2-party secure computation




  1. International Conference on Practice and Theory of Public-Key Cryptography (PKC) 2020. MonZa: fast maliciously-secure 2-party computation on the ring ℤ_{2^k}. Dario Catalano (1), Mario Di Raimondo (1), Dario Fiore (2) and Irene Giacomelli (3). (1) Università di Catania, (2) IMDEA Software Institute, (3) Protocol Labs.

  2. 2-party secure computation. Problem: Two parties, Alice (private input a) and Bob (private input b), want to compute c = f(a, b) without revealing extra information about their private inputs.

  3. 2-party secure computation. Solution: Design an interactive protocol for Alice (input a) and Bob (input b) such that, at the end of its execution, they learn c = f(a, b) and nothing else. Active security: executing the protocol in the presence of a malicious party is as secure as sending the inputs to a trusted party who computes f and returns only the output.

  4. 2-party secure computation over a ring. Common: the function f is represented as a binary circuit, or as a circuit over a finite field. This work: f is represented as an arithmetic circuit over the ring ℤ_{2^k} (integers modulo 2^k), i.e. f : (ℤ_{2^k})^n × (ℤ_{2^k})^m → (ℤ_{2^k})^u.

  5. Why focus on ℤ_{2^k}? Integer arithmetic on standard CPUs is done modulo 2^k (e.g., 32/64 bits), so an MPC protocol design that mirrors this can: • simplify implementation (no need for modular arithmetic or to compensate for modular reduction); • use optimizations that are possible/done for CPU computations and that are often expensive to emulate modulo p.

  6. MPC over a ring (prior work):
• Sharemind (Bogdanov et al., ESORICS 2008) and Araki et al. (CCS 2016): 3-party passively-secure protocol over ℤ_{2^k} with 1 corruption.
• SPDZ2k (Cramer et al., Crypto 2018; Damgård et al., S&P 2019): n-party actively-secure MPC protocol over ℤ_{2^k} in the preprocessing model (based on OT) with dishonest majority.
• Overdrive2k (Orsini et al., CT-RSA 2020): n-party actively-secure MPC protocol over ℤ_{2^k} in the preprocessing model (based on SHE) with dishonest majority.
• Cramer et al. (Eurocrypt 2003): actively-secure MPC with honest majority (small number of corrupted players).
• Damgård et al.: compiler from passive to active security for any ring (black-box feasibility).
• Ishai et al. (TCC 2009): 2-party actively-secure protocols (black-box feasibility and efficiency).

  7. Our contribution: MonZa, an efficient 2-party actively-secure protocol over ℤ_{2^k} in the preprocessing model.
• Online phase: à la SPDZ2k.
• Preprocessing (new!): efficient generation of random triples and random elements via the Joye-Libert encryption scheme, which
  1. is linearly homomorphic;
  2. works naturally with elements in ℤ_{2^k}, and many instances can share the same plaintext space;
  3. is efficient: fast encryption/decryption and small rate. For example, decrypting a 120-bit plaintext using a 2048-bit modulus takes 4.8 ms (the equivalent with Paillier's scheme takes 9 ms, or 5 ms if exploiting CRT);
  4. needs no ZK proofs of plaintext knowledge or range proofs.
Everything solved? Nope… Challenge: design a ZK proof of correct multiplication. Stay tuned!

  8. Our contribution: MonZa, an efficient 2-party actively-secure protocol over ℤ_{2^k} in the preprocessing model.
• Implemented in C; benchmarks on two servers with Intel Xeon 8124M CPUs running at 3.0 GHz.
• Throughput (input bit-length = 64, computational security = 112 bits, statistical security = 56 bits, batch size = 1000):

  Latency (ms)       0.5 (LAN)   17 (WAN)   100 (WAN)
  Triples/sec        19          18         17
  Rand values/sec    134         132        121

★ Notice (computational complexity): the preprocessing phase of MonZa is asymmetric (Alice has to decrypt, but Bob uses only faster operations), so MonZa can be used for applications in the server-client model, where one party has less computational power than the other.

  9. SPDZ-like protocol.
• Additive secret-sharing, to hide the inputs and store the intermediate results: share(a) = (a_1, a_2) with a_1 + a_2 = a.
• Information-theoretic MAC, to guarantee active security: MAC(a) = Δ·a = m(a)_1 + m(a)_2, where Δ = Δ_1 + Δ_2 is a global random MAC key.
Used in the SPDZ family for computation over a field; adapted to work for computation over the ring ℤ_{2^k} by Cramer et al. (Crypto 2018).

  10. SPDZ2k - value representation. Key idea: to securely compute over ℤ_{2^k}, share and authenticate over ℤ_{2^{k+s}}.
• Δ: random value in ℤ_{2^s} (fixed for the protocol), shared as Δ = Δ_1 + Δ_2 mod 2^{k+s}.
• a' in ℤ_{2^{k+s}} such that a' = a mod 2^k, a' = a_1 + a_2 mod 2^{k+s}, and m(a)_1 + m(a)_2 = Δ·a' mod 2^{k+s}.
Alice holds: MAC key share Δ_1 (fixed); shares a_1, b_1 in ℤ_{2^{k+s}}; MAC shares m(a)_1, m(b)_1.
Bob holds: MAC key share Δ_2 (fixed); shares a_2, b_2 in ℤ_{2^{k+s}}; MAC shares m(a)_2, m(b)_2.

  11. SPDZ2k - online phase. Both the MAC and the secret-sharing scheme are homomorphic, so linear operations can be easily computed with no interaction! Compute a + b mod 2^k: Alice (MAC key share Δ_1, fixed) computes the share a_1 + b_1 and the MAC share m(a)_1 + m(b)_1; Bob (MAC key share Δ_2, fixed) computes a_2 + b_2 and m(a)_2 + m(b)_2.

  12. SPDZ2k - online phase. Multiplication is harder: it needs a random triple, i.e. random elements x, y and z (in shared and authenticated form) such that z = x·y. Alice holds x_1, y_1, z_1 and m(x)_1, m(y)_1, m(z)_1; Bob holds x_2, y_2, z_2 and m(x)_2, m(y)_2, m(z)_2. Given a triple, computing a·b mod 2^k can be done using Beaver's formula:
  a·b = (a+x)·(b+y) − (a+x)·y − (b+y)·x + z,
where a+x and b+y are the opened values; the remaining terms are linear in the shared x, y and z, so they are computed locally.
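Slides 9 to 12 as a runnable two-party simulation, added here as an example; it is not code from the MonZa paper or its implementation. Assumptions: k = 64 and s = 56 (the parameters of slide 8); a local Dealer object replaces the preprocessing phase and simply hands out authenticated shares and a triple; the MAC check sums the z_i in the clear, whereas the real protocol commits to them first. The run computes a·b with Beaver's formula from the opened pair (a+x, b+y), and then lets Bob lie about his share at the final opening, which the MAC check catches:

```python
import secrets

K, S = 64, 56                  # input bit-length k and statistical parameter s (slide 8 values)
MOD = 1 << (K + S)             # shares and MACs live in Z_{2^(k+s)}

def share(v):
    """Additive 2-out-of-2 sharing of v over Z_{2^(k+s)}."""
    v1 = secrets.randbelow(MOD)
    return v1, (v - v1) % MOD

class Dealer:
    """Stands in for the preprocessing phase: knows Δ and hands out authenticated
    shares. An authenticated share is a pair (value share, MAC share)."""
    def __init__(self):
        self.delta = secrets.randbelow(1 << S)              # Δ random in Z_{2^s}
        self.delta_shares = share(self.delta)               # Δ = Δ_1 + Δ_2 mod 2^(k+s)

    def auth(self, v):
        """[v]: (v_1, m_1) for Alice, (v_2, m_2) for Bob, m_1 + m_2 = Δ·v mod 2^(k+s)."""
        v1, v2 = share(v)
        m1, m2 = share(self.delta * v)
        return (v1, m1), (v2, m2)

    def triple(self):
        x, y = secrets.randbelow(MOD), secrets.randbelow(MOD)
        return self.auth(x), self.auth(y), self.auth(x * y)

# Local (non-interactive) linear operations on authenticated shares (slide 11).
def add(a, b):
    return ((a[0] + b[0]) % MOD, (a[1] + b[1]) % MOD)

def mul_const(a, c):
    return (a[0] * c % MOD, a[1] * c % MOD)

def add_const(a, c, delta_i, is_alice):
    """Public constant c: only Alice adds it to her value share; both adjust MACs by Δ_i·c."""
    return ((a[0] + (c if is_alice else 0)) % MOD, (a[1] + delta_i * c) % MOD)

def open_checked(sa, sb, d1, d2, error=0):
    """Both parties reveal their value shares; `error` models Bob lying about his.
    Returns (opened value, MAC check passed)."""
    v = (sa[0] + sb[0] + error) % MOD
    z1 = (sa[1] - d1 * v) % MOD            # Alice: m_1 - Δ_1·v
    z2 = (sb[1] - d2 * v) % MOD            # Bob:   m_2 - Δ_2·v
    return v, (z1 + z2) % MOD == 0         # vanishes iff v is the authenticated value

def beaver_multiply(A, B, trip, d1, d2):
    """[a·b] from [a], [b] and a triple ([x],[y],[z]); A = (Alice's, Bob's) share of a."""
    (x1, x2), (y1, y2), (z1, z2) = trip
    e, ok_e = open_checked(add(A[0], x1), add(A[1], x2), d1, d2)     # e = a + x
    d, ok_d = open_checked(add(B[0], y1), add(B[1], y2), d1, d2)     # d = b + y
    if not (ok_e and ok_d):
        raise RuntimeError("MAC check failed on opened values")
    # a·b = e·d - e·y - d·x + z : every term but the public e·d is a local linear op
    p1 = add(add(mul_const(y1, -e % MOD), mul_const(x1, -d % MOD)), z1)
    p2 = add(add(mul_const(y2, -e % MOD), mul_const(x2, -d % MOD)), z2)
    return add_const(p1, e * d % MOD, d1, True), add_const(p2, e * d % MOD, d2, False)

def run(a, b, bob_cheats=False):
    """Online phase for c = a·b mod 2^k. Returns (c as opened, MAC check passed)."""
    dealer = Dealer()
    d1, d2 = dealer.delta_shares
    c1, c2 = beaver_multiply(dealer.auth(a), dealer.auth(b), dealer.triple(), d1, d2)
    v, ok = open_checked(c1, c2, d1, d2, error=1 if bob_cheats else 0)
    return v % (1 << K), ok

if __name__ == "__main__":
    a, b = 0xDEADBEEF12345678, 0x0123456789ABCDEF
    print(run(a, b), (a * b) % (1 << K))      # honest run: correct product, check passes
    print(run(a, b, bob_cheats=True))         # Bob shifts the output by 1: check fails
```

The cheating Bob would have to shift his MAC share by Δ·1 as well to pass, which requires guessing Δ (probability about 2^-s); that is exactly what the extra s bits of the representation buy.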

  13. Preprocessing model. Random triples (and other correlated randomness) are created during a preprocessing phase, which is independent of the inputs: the pre-processing phase (using public-key cryptography) produces correlated randomness; the on-line phase consumes it together with the inputs, using only fast arithmetic operations, and produces the outputs.

  14. Triple construction.
1. Take x and y at random (easy: each party chooses its share at random), x = x_1 + x_2 mod 2^{k+s}, y = y_1 + y_2 mod 2^{k+s}, and compute shares of MAC(x) = Δ·x mod 2^{k+s} and MAC(y) = Δ·y mod 2^{k+s}.
2. Compute the shares of z = x·y mod 2^{k+s}.
3. Compute the shares of MAC(z) = Δ·z mod 2^{k+s}.
For each of these computations we need a protocol for multiplying two secret values, Mult: Alice inputs x_1, Bob inputs y_2, and they obtain z_1 and z_2 respectively with z_1 + z_2 = x_1·y_2.

  15. Multiplication of secret values: known approaches.
1) Linearly-homomorphic encryption (e.g., BeDOZa, Overdrive): ZK proofs of plaintext knowledge (and range proofs); ZK proofs of correct multiplication (BeDOZa) or the “SPDZ sacrifice”.
2) Somewhat homomorphic encryption (e.g., SPDZ, Overdrive2k): ZK proofs of plaintext knowledge (and plaintext range); relatively expensive computation, RAM-intensive.
3) Oblivious transfer (e.g., MASCOT, SPDZ2k): cheap computation with OT extension, but bandwidth-intensive; need to mitigate selective failure.

  16. Our approach: use the Joye-Libert (JL) scheme (linearly-homomorphic encryption)!
• The message space is ℤ_{2^n}.
• The public key is (N, g), where N = pq and g is an element of maximal order in (ℤ_N)^* whose Jacobi symbol is 1: Jac_N(g) = Leg_p(g) × Leg_q(g) = (g^{(p−1)/2} mod p) × (g^{(q−1)/2} mod q).
• To encrypt m ∈ ℤ_{2^n}, choose a random x ∈ (ℤ_N)^* and set C = g^m · x^{2^n} mod N.

  17. Mult(x, y) (Gilboa-like protocol). Alice has keys (pk_1, sk_1) and input x; Bob knows pk_1 and has input y, with B = Enc_{pk_2}(y) published under a second key pk_2.
1. Alice sends A = Enc_{pk_1}(x) to Bob.
2. Bob checks A, samples r, computes C = y·A + Enc_{pk_1}(r) together with a proof π, and sends C and π.
3. Alice verifies π and sets z_1 = Dec_{sk_1}(C); Bob sets z_2 = −r.
Correctness: C = Enc_{pk_1}(x·y + r) and z_1 + z_2 = Dec_{sk_1}(Enc_{pk_1}(x·y + r)) − r = x·y mod 2^n.
Security for Bob: easy! Security for Alice: Bob needs to prove that the ciphertext C is computed in the correct way, via a ZK proof π proving C = y·A + Enc_{pk_1}(r) and B = Enc_{pk_2}(y) (y and r are Bob's private inputs).
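A toy Joye-Libert instance, the Mult(x, y) exchange of slide 17 run honestly, and its use for step 2 of the triple construction on slide 14. This is an added example, not the MonZa code: key sizes (64-bit primes, n = 32) are toy values; decryption follows the bit-by-bit recovery of the Joye-Libert paper, which the slides do not show; the proof π is omitted; and Bob's "check A" is assumed to mean verifying that A is a unit with Jacobi symbol 1, which is true of every JL ciphertext. The slide's additive notation y·A + Enc(r) is, on the actual ciphertexts, A^y · Enc(r) mod N:

```python
import math, secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; with these bases it is deterministic below 3.3e24, enough for toy keys."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def jacobi(a, n):
    """Jacobi symbol (a / n) for odd n > 0."""
    a, res = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                res = -res
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            res = -res
        a %= n
    return res if n == 1 else 0

def keygen(n, bits):
    """JL keys for Z_{2^n}: p = 1 mod 2^n, q = 3 mod 4, g a non-residue mod p and mod q
    (so Jac_N(g) = 1 and g has maximal 2-power order). pk = (N, g, n), sk = (p, pk)."""
    while True:
        t = secrets.randbits(bits - n) | (1 << (bits - n - 1)) | 1   # odd t, so 2^n || p-1
        p = (t << n) | 1
        if is_prime(p):
            break
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 3            # q = 3 mod 4
        if is_prime(q):
            break
    N = p * q
    while True:
        g = secrets.randbelow(N)
        if pow(g, (p - 1) // 2, p) == p - 1 and pow(g, (q - 1) // 2, q) == q - 1:
            return (N, g, n), (p, (N, g, n))

def encrypt(pk, m):
    """Slide 16: C = g^m · x^(2^n) mod N with random x in Z_N^*."""
    N, g, n = pk
    while True:
        x = secrets.randbelow(N)
        if math.gcd(x, N) == 1:
            return pow(g, m, N) * pow(x, 1 << n, N) % N

def decrypt(sk, C):
    """Joye-Libert decryption (not on the slides): C^((p-1)/2^n) = D^m mod p where
    D = g^((p-1)/2^n) has order 2^n, so the bits of m are recovered one at a time."""
    p, (N, g, n) = sk
    D, Cp = pow(g, (p - 1) >> n, p), pow(C, (p - 1) >> n, p)
    m, B = 0, 1
    for j in range(1, n + 1):
        if pow(Cp, 1 << (n - j), p) != pow(D, m << (n - j), p):   # bit j-1 of m is set
            m += B
        B <<= 1
    return m

def mult_protocol(x, y, n=32, bits=64):
    """Slide 17 run honestly: Alice (pk_1, sk_1, input x) and Bob (input y) obtain z_1, z_2
    with z_1 + z_2 = x·y mod 2^n. π is omitted; 'check A' assumed = unit with Jacobi 1."""
    pk1, sk1 = keygen(n, bits)
    N = pk1[0]
    A = encrypt(pk1, x)                                      # Alice -> Bob
    if math.gcd(A, N) != 1 or jacobi(A, N) != 1:
        raise ValueError("malformed ciphertext A")
    r = secrets.randbelow(1 << n)
    C = pow(A, y, N) * encrypt(pk1, r) % N                    # y·A + Enc(r) on ciphertexts
    return decrypt(sk1, C), (-r) % (1 << n)                   # z_1 = x·y + r, z_2 = -r

def triple_product_shares(x1, x2, y1, y2, n=32, bits=64):
    """Slide 14, step 2: Alice holds x1, y1 and Bob x2, y2; returns shares of
    z = (x1 + x2)(y1 + y2), the cross terms computed by Mult once in each direction."""
    u1, u2 = mult_protocol(x1, y2, n, bits)                   # Alice decrypts: u1 + u2 = x1·y2
    v2, v1 = mult_protocol(x2, y1, n, bits)                   # roles swapped:  v1 + v2 = x2·y1
    return (x1 * y1 + u1 + v1) % (1 << n), (x2 * y2 + u2 + v2) % (1 << n)
```

Because Bob only exponentiates under Alice's key while Alice runs the n-step decryption, the asymmetry noted on slide 8 is visible here: the decrypting party does the expensive work.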

  18. Challenge: design π, the ZK proof for correct multiplication with JL! No such protocol exists for JL!
• Overdrive’s approach needs an encryption scheme with enhanced CPA security (i.e., non-linear operations on ciphertexts are not possible).
• Standard Schnorr-like protocol techniques do not work, because the message space ℤ_{2^n} is not a field (or ℤ_{pq}): in ℤ_{2^n} there are several, efficiently-findable, non-invertible elements, so novel techniques are needed to prove soundness!

  19. Goal: ZK proof for correct multiplication with the JL scheme. Bob’s witness: messages y and r in ℤ_{2^n}. Public inputs: ciphertexts A, B and C. Statement: C = y·A + Enc_{pk_1}(r) and B = Enc_{pk_2}(y). For the sake of simplicity, in this talk I’ll focus on the ZK proof of knowledge of a JL plaintext. Bob’s witness: message m in ℤ_{2^n}. Public input: ciphertext C. Statement: C = Enc(m).

  20. ZK proof for the JL scheme. Bob’s witness: message m in ℤ_{2^n} (and the encryption randomness x). Public input: ciphertext C. Statement: C = Enc(m) = g^m · x^{2^n} mod N. A Schnorr-like protocol goes like this:
1. Prover: sample s ∈ ℤ_{2^n} and w ∈ (ℤ_N)^*, and send S = Enc(s) = g^s · w^{2^n} mod N.
2. Verifier: sample the challenge e ∈ ℤ_{2^s} (the exponent s here is the statistical security parameter, not the mask sampled in step 1) and send it.
3. Prover: compute z = s + m·e mod 2^n and y = g^t · w · x^e mod N, with t such that t·2^n = s + m·e − z; send (z, y).
4. Verifier: check g^z · y^{2^n} = S · C^e mod N.
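The Schnorr-like exchange above, run end to end on a toy Joye-Libert key; this is an added example and not code from the talk. Assumed toy parameters: n = 16 with p = 65537 (≡ 1 mod 2^16) and q = 1000003 (≡ 3 mod 4), challenge space ℤ_{2^8}, and g chosen as a quadratic non-residue modulo both primes. It demonstrates completeness (the verifier's equation holds because t·2^n absorbs the carry of s + m·e) and that a response not derived from the witness is rejected; it says nothing about the soundness problem over ℤ_{2^n} that slide 18 raises:

```python
import math, secrets

N_BITS = 16                   # message space Z_{2^n}, n = 16 (toy)
P, Q = 65537, 1000003         # toy primes: P = 1 mod 2^16, Q = 3 mod 4
N = P * Q
STAT = 8                      # challenge space Z_{2^s}; s = 8 is a toy statistical parameter

def pick_g():
    """Smallest g that is a quadratic non-residue mod P and mod Q (so Jac_N(g) = 1)."""
    g = 2
    while pow(g, (P - 1) // 2, P) != P - 1 or pow(g, (Q - 1) // 2, Q) != Q - 1:
        g += 1
    return g

G = pick_g()

def rand_unit():
    while True:
        x = secrets.randbelow(N)
        if math.gcd(x, N) == 1:
            return x

def enc(m, x):
    """JL encryption with explicit randomness x: C = g^m · x^(2^n) mod N."""
    return pow(G, m, N) * pow(x, 1 << N_BITS, N) % N

class Prover:
    """Knows the witness (m, x) for the public ciphertext C = Enc(m)."""
    def __init__(self, m, x):
        self.m, self.x = m, x
        self.C = enc(m, x)

    def commit(self):
        self.s, self.w = secrets.randbelow(1 << N_BITS), rand_unit()
        return enc(self.s, self.w)                          # S = Enc(s)

    def respond(self, e):
        total = self.s + self.m * e
        z = total % (1 << N_BITS)                           # z = s + m·e mod 2^n
        t = total >> N_BITS                                 # t·2^n = s + m·e - z (the carry)
        y = pow(G, t, N) * self.w * pow(self.x, e, N) % N   # y = g^t · w · x^e mod N
        return z, y

def verify(C, S, e, z, y):
    """Verifier's check: g^z · y^(2^n) == S · C^e mod N."""
    return pow(G, z, N) * pow(y, 1 << N_BITS, N) % N == S * pow(C, e, N) % N

def run_proof(prover, cheat=False):
    """One interactive run; with cheat=True the prover sends a z not derived from its witness."""
    S = prover.commit()
    e = secrets.randbelow(1 << STAT)                        # verifier's challenge in Z_{2^s}
    z, y = prover.respond(e)
    if cheat:
        z = (z + 1) % (1 << N_BITS)
    return verify(prover.C, S, e, z, y)
```

Expanding the verifier's equation shows why t is needed: g^z · y^{2^n} = g^{z + t·2^n} · w^{2^n} · x^{e·2^n} = g^{s + m·e} · w^{2^n} · x^{e·2^n} = S · C^e, so without the carry term the reduction of z modulo 2^n would break the check whenever s + m·e overflows.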
