Homomorphic Secret Sharing II: Homomorphic Secret Sharing for Branching Programs Under DDH. Elette Boyle (IDC), Niv Gilboa (BGU), Yuval Ishai (Technion & UCLA)
Secure Computation Approaches
• “Classical” approaches: Yao’s garbled circuits [Yao86], GMW [GMW87], BGW [BGW88]
  + Heavily optimized
  − O(|C|) communication bits
• FHE-based constructions [Gen09]
  + Low asymptotic communication
  − High concrete costs
  − Based on a narrow range of (lattice) assumptions
• Homomorphic Secret Sharing [BGI16,17]: coming up
Homomorphic Secret Sharing (HSS)
(Figure: Share(x) → (x_0, x_1); Eval_P(x_0) = y_0, Eval_P(x_1) = y_1; y_0 + y_1 = P(x))
• Security: x_i hides x
• Correctness: Eval_P(x_0) + Eval_P(x_1) = P(x)
ε-HSS
(Figure: the same Share / Eval_P picture)
• Security: x_i hides x
• ε-Correctness: except with probability ε (over Share), Eval_P(x_0) + Eval_P(x_1) = P(x)
This Talk
• ε-HSS for branching programs from DDH [BGI16a]
• DDH-based secure computation [BGI17]
  – Rounds
  – Communication
  – Computation
Main Theorem
• 2-party homomorphic secret sharing for branching programs under DDH
  – δ failure probability
  – Share: runtime (and share size) n · poly(λ)
  – Eval: runtime poly(λ, |P|, 1/δ)
Living in a log-space world
• Multiplication of n n-bit numbers
• Streaming algorithms
• Min L2-distance from a list of length-n vectors
• Many numerical / statistical calculations
• Finite automata
• Undirected graph connectivity
• FHE decryption
• …
The HSS Construction
RMS Programs
Restricted-Multiplication Straight-line programs:
• v_i ← x_j: load an input into memory.
• v_i ← v_j + v_k: add values in memory.
• v_i ← v_j · x_k: multiply a value in memory by an input.
• Output v_i (mod m)
We will support homomorphic evaluation of RMS programs over Z s.t. all intermediate values are “small” (e.g., {0,1}).
Captures branching programs and log-space computations (more generally: ReachFewL).
RMS Captures Branching Programs
(Figure: a branching program on input x_1 x_2 x_3 x_4 … x_n with output 0 / 1; nodes v_i, v_j, v_k have edges into v_l, one of them labelled x_3 = 1)
To evaluate as RMS: one memory variable per node, holding whether that node is on the path the input takes (the red path), e.g.
v_l = (1 − x_1)·v_i + x_3·v_j + (1 − x_1)·v_k
Each such update is computable via RMS.
3 Ways to Share a Number
• Let G be a DDH group of size q with generator g
  – (g^a, g^b, g^{ab}) indistinguishable from (g^a, g^b, g^c)
• 3 levels of encoding Z_q elements
  – [u] : (g^u, g^u) ∈ G × G (“encryption”)
  – <v> : (v_1, v_2) ∈ Z_q × Z_q s.t. v_1 = v_2 + v (additive)
  – {w} : (w_1, w_2) ∈ G × G s.t. w_1 = w_2 · g^w (multiplicative)
• Each level is additively homomorphic
  – <v>, <v'> ⇒ <v + v'> (componentwise sum); {w}, {w'} ⇒ {w + w'} (componentwise product in G)
• Natural pairing: pair([u], <v>) ⇒ {uv}
  – ((g^u)^{v_1}, (g^u)^{v_2}) = (g^{uv_2} · g^{uv}, g^{uv_2})
Toy Version: first attempt
Let’s pretend g^x is a secure encryption of x. Recall [u] = (g^u, g^u), <v> = (v_2 + v, v_2), {w} = (w_2 · g^w, w_2).
Emulating an RMS program:
• Share: for each input x_i
  – Encrypt as [x_i]
  – Additively secret-share as <x_i>
• Eval: // maintain the invariant V_i = <v_i>
  – v_i ← x_j: V_i ← <x_j>
  – v_i ← v_j + v_k: V_i ← V_j + V_k // V_i = <v_j + v_k>
  – v_i ← x_k · v_j: W_i ← pair([x_k], V_j) // W_i = {w} for w = x_k · v_j
  – Output v_i (mod m): output V_i + (r, r) (mod m)
Stuck? After a multiplication we hold {w}, but the invariant needs <w>: we need Convert: {w} ⇒ <w>. Taking discrete logs locally would do it (log_g w_1 − log_g w_2 = w), but discrete log is infeasible in a DDH group.
Share Conversion
(Figure: the cycle g^0, g^1, … of G with the two parties’ elements g^{z_1} and g^{z_2} marked; z_1 = z_2 + w)
Goal: convert a multiplicative sharing {w} of w to an additive sharing <w> of w.
Share Conversion
• S is an ε-sparse “random” set on G, e.g., S = { h ∈ G | φ(h) = 0 } for a suitable PRF φ
• Convert(g^{z_b}): return dist_b, the distance from g^{z_b} to S along the cycle (walk h ← h·g until h ∈ S)
• Return dist_b = 0 if the distance exceeds (1/ε)·log(1/ε)
• Since z_1 = z_2 + w, both walks stop at the same point of S unless a point of S lies strictly between them, and then dist_2 − dist_1 = w
(Figure: the expected gap between distinguished points is ≈ 1/ε; the walk is capped at (1/ε)·log(1/ε))
Conversion Error
(Figure: the cycle with g^{z_0} and g^{z_1}; the w positions between them are the Bad Zone, the next (1/ε)·log(1/ε) positions are the Good Zone)
Bad cases:
• ∃ distinguished point ∈ Bad Zone: error ≈ wε
• No distinguished point in the Good Zone: error ≈ ε
Error depends on the “conversion payload” w, which is why all intermediate values are kept small.
Las Vegas version: a failed conversion is detected (one party outputs ⊥) rather than producing a wrong share.
Toy Version
Let’s pretend g^x is a secure encryption of x. Recall [u] = (g^u, g^u), <v> = (v_2 + v, v_2), {w} = (w_2 · g^w, w_2).
Emulating an RMS program:
• Share: for each input x_i
  – Encrypt as [x_i]
  – Additively secret-share as <x_i>
• Eval: // maintain the invariant V_i = <v_i>
  – v_i ← x_j: V_i ← <x_j>
  – v_i ← v_j + v_k: V_i ← V_j + V_k // V_i = <v_j + v_k>
  – v_i ← x_k · v_j: W_i ← pair([x_k], V_j); V_i ← Convert(W_i)
  – Output v_i (mod m): output V_i mod m
From Toy Version to Real Version
• Pick secret key c ∈ Z_q for ElGamal encryption
• Encrypt each input x_i as [r], [cr + x_i] (secret-key ElGamal); the pair (g^r, g^{cr + x_i}) is known to both parties
• Invariant: each memory value v_j is shared as <v_j>, <c·v_j>
• To multiply x_i · v_j: pair, subtract and get {x_i v_j}: pair([cr + x_i], <v_j>) / pair([r], <c·v_j>) = {(cr + x_i)·v_j − r·c·v_j} = {x_i v_j}
  – Use conversion to get <x_i v_j>
  – Problem: need also <c · x_i v_j> to maintain the invariant
  – Solution? Share c · x_i in addition to x_i
  – Problem: can’t convert {c · x_i v_j} (the payload c · x_i v_j is too big)
  – Solution: break c into its binary representation c = Σ_k 2^k c_k and encrypt x_i c_k; convert each small {x_i c_k v_j} and recombine <c · x_i v_j> = Σ_k 2^k <x_i c_k v_j>
  – Problem: circular security for ElGamal? (bits of the key are encrypted under the key itself)
  – Solutions: (1) assume it! (2) leveled version (3) use [BHHO08]
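The construction of the last several slides (the three encodings and the pairing, distinguished-point share conversion, and the ElGamal invariant <v>, <c·v> with bitwise key decomposition), as an added runnable example; this is not the authors’ code. It simulates both parties in one process over a toy group: Z_p^* for p = 2^31 − 1 with generator 16807, an 8-bit ElGamal key, ε = 2^-14 and the “fixed window of zeros” heuristic for distinguished points. All of these are illustration choices, DDH does not hold in a group this small, and the RMS program it runs ((x_0·x_1·x_2 + x_0) mod 2) is constructed for the example.

```python
import random

# Added toy implementation of the slides' HSS for RMS programs (not the authors' code).
# Both parties are simulated in one process: every tuple below is (party 1, party 2)
# and every Eval step acts componentwise, i.e. it is a local computation for each party.
P = 2**31 - 1               # Mersenne prime; 16807 is a primitive root mod P (toy group, no DDH here)
G = 16807
Q = P - 1                   # order of G
EPS_BITS = 14               # distinguished-point density eps = 2^-14 ("fixed window of 0s" heuristic)
MAX_STEPS = 40 << EPS_BITS  # cap on the walk; the slides cap at about (1/eps)*log(1/eps)

def enc(c, x, rng):
    """Secret-key ElGamal ([r], [c*r + x]) = (g^r, g^(cr+x)); both parties hold both elements."""
    r = rng.randrange(Q)
    return pow(G, r, P), pow(G, (c * r + x) % Q, P)

def additive(v, rng):
    """<v> = (v1, v2) over the integers with v1 - v2 = v."""
    s = rng.randrange(Q)
    return v + s, s

def pair(u_elem, v_sh):
    """pair([u], <v>) = ((g^u)^v1, (g^u)^v2) = {u*v}: component 1 equals component 2 times g^(uv)."""
    return tuple(pow(u_elem, vb % Q, P) for vb in v_sh)

def div(a_sh, b_sh):
    """{a} / {b} = {a - b}: componentwise division in the group."""
    return tuple(a * pow(b, -1, P) % P for a, b in zip(a_sh, b_sh))

def distance_to_distinguished(h):
    """Walk h <- h*g until the low EPS_BITS bits of h are zero; 0 if the cap is exceeded."""
    for steps in range(MAX_STEPS):
        if h & ((1 << EPS_BITS) - 1) == 0:
            return steps
        h = h * G % P
    return 0

def convert(w_sh):
    """{w} -> <w>.  Party 1 starts w steps ahead of party 2, so if both walks stop at the
    same distinguished point then dist2 - dist1 = w and (-dist1, -dist2) shares w.
    Fails with prob ~ eps*w (a distinguished point in the w-step bad zone) or at the cap."""
    return tuple(-distance_to_distinguished(h) for h in w_sh)

def share(c, xs, rng):
    """Share: per input, ciphertexts of x and of x*c_k for every key bit c_k, plus <x>, <c*x>."""
    bits = [(c >> k) & 1 for k in range(c.bit_length())]
    return [{"ct": enc(c, x, rng),
             "ct_bits": [enc(c, x * ck, rng) for ck in bits],
             "mem": (additive(x, rng), additive(c * x, rng))} for x in xs]

def eval_rms(program, inputs):
    """Eval: each memory cell holds (<v>, <c*v>).  Ops: ("load", i, j): v_i <- x_j;
    ("add", i, j, k): v_i <- v_j + v_k; ("mul", i, k, j): v_i <- x_k * v_j;
    ("out", i, m): both parties output their share of v_i mod m."""
    mem = {}
    for op, *a in program:
        if op == "load":
            mem[a[0]] = inputs[a[1]]["mem"]
        elif op == "add":
            mem[a[0]] = tuple(tuple(p + q for p, q in zip(sj, sk))
                              for sj, sk in zip(mem[a[1]], mem[a[2]]))
        elif op == "mul":
            v, cv = mem[a[2]]
            inp = inputs[a[1]]
            r_el, m_el = inp["ct"]
            xv = convert(div(pair(m_el, v), pair(r_el, cv)))     # {(cr+x)v - r*cv} = {xv}
            cxv = (0, 0)                                          # <c*x*v> = sum_k 2^k <x*c_k*v>
            for k, (rk, mk) in enumerate(inp["ct_bits"]):
                piece = convert(div(pair(mk, v), pair(rk, cv)))   # payload x*c_k*v stays small
                cxv = tuple(p + (q << k) for p, q in zip(cxv, piece))
            mem[a[0]] = (xv, cxv)
        elif op == "out":
            return tuple(vb % a[1] for vb in mem[a[0]][0])

def eval_plain(program, xs):
    """Reference evaluation of the same RMS program in the clear."""
    mem = {}
    for op, *a in program:
        if op == "load":
            mem[a[0]] = xs[a[1]]
        elif op == "add":
            mem[a[0]] = mem[a[1]] + mem[a[2]]
        elif op == "mul":
            mem[a[0]] = xs[a[1]] * mem[a[2]]
        elif op == "out":
            return mem[a[0]] % a[1]

# Constructed program: (x0 * x1 * x2 + x0) mod 2, two restricted multiplications and one addition
PROGRAM = [("load", 0, 0), ("mul", 1, 1, 0), ("mul", 2, 2, 1),
           ("load", 3, 0), ("add", 4, 2, 3), ("out", 4, 2)]

def hss_evaluate(program, xs, m, seed=2024):
    """Share, run Eval for both parties, and reconstruct (y1 - y2) mod m."""
    rng = random.Random(seed)
    c = rng.randrange(1, 1 << 8)          # deliberately short key (cf. "small exponent" ElGamal)
    y1, y2 = eval_rms(program, share(c, xs, rng))
    return (y1 - y2) % m

if __name__ == "__main__":
    for xs in [(1, 1, 1), (1, 1, 0), (1, 0, 1), (0, 1, 1)]:
        print(xs, hss_evaluate(PROGRAM, xs, 2), eval_plain(PROGRAM, xs))
```

Nothing in `eval_rms` needs communication: `pair`, `div`, `convert` and the additions all act on one party’s component at a time. A conversion goes wrong only when a distinguished point lies inside the w-step bad zone or a walk reaches the cap, which is exactly the ε-correctness of the slides; a multiplication by 0 (or of a 0 memory value) has payload 0 and therefore never fails.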
Public-Key Variant
(Figure: Enc_pk(x_i) → [x_i] is sent to both parties; Eval_P([x_i], ek_1) → [P(x)]_1, Eval_P([x_i], ek_2) → [P(x)]_2; Dec: [P(x)]_1 ⊕ [P(x)]_2 = P(x))
• pk = ElGamal public key + encryptions of the bits c_k of the secret key
• ek_b = party b’s share of “load 1 to memory”, i.e. the memory value 1 under the invariant (<1>, <c>)
• Inputs: anyone can compute [x_i] = Enc_pk(x_i); loading x_i into memory is the multiplication x_i · 1
• Eval_P is run by each party on ([x_i], ek_b); the outputs are XOR shares of P(x)
DDH-Based Applications
• Succinct 2PC for branching programs / logspace / NC^1
  – Communication |inputs| + |outputs| + poly(λ) bits
• Sublinear 2PC for “nice” circuits
  – Communication O(|C| / log |C|) + … bits
  – O(|C|) + … bits for general circuits
• 2-server PIR for branching-program queries
• 2-party function secret sharing for branching programs
• 2-round MPC in the PKI model
Succinct 2PC for Branching Programs
Goal: evaluate program P on inputs a (party A) and b (party B).
(Figure)
• Generic MPC for KeyGen → pk, ek_1, ek_2
• A computes HSS(pk, a), B computes HSS(pk, b)
• Each party homomorphically evaluates P on the shares of a and b → y_A, y_B with y_A + y_B = P(a, b), except with prob. 1/3
• Repeat μ times (y_A^1, y_B^1, y_A^2, y_B^2, …), then generic MPC to output the majority
• Hybrid encryption tricks: coming up
Communication: poly(λ)·(|a| + |b|) + poly(λ)·|output| + poly(λ)
Sublinear 2PC for “Nice” Circuits
Intuition (figure): a layered circuit of gates over the input wires x_1, ¬x_1, y_1, ¬y_1, …, x_n, ¬x_n, y_n, ¬y_n
Sublinear 2PC for “Nice” Circuits
Intuition (figure): the same circuit with blocks of gates replaced by branching-program “gates”, which are evaluated with HSS.
Only pay ~ (inputs + outputs) of the BP gates.
Achieving Fault Tolerance
(Figure: ECC Encode before each BP “gate” and ECC Decode after it, with the remaining gates in between)
Optimizing Rounds
Two-Round MPC
• PKI setup: each party publishes a public key and keeps the secret key.
  – Input-independent, short
• Ideas
  – Start with a 2-server protocol, then emulate a server using 2 servers via the same protocol
    • Each virtualization step increases complexity by poly(λ)
  – Threshold generation of (pk, ek_0, ek_1)
    • Side benefit: black-box use of the group
  – Reduce general circuits to shallow ones via garbled circuits
  – Negligible error via virtual 2-round honest-majority MPC
Optimizing Communication for 2PC
“Punctured OT”
• One-sided Las Vegas HSS + linear erasure code
• Goal: P_0 learns P_1’s values at the non-⊥ positions; P_1 does not learn the ids of the ⊥ positions
• Idea: cheap almost-all OT via a punctured PRF
  – P_1 holds a PRF key k and sends its share, using PRF_k(i) as the mask for position i
  – P_0 obtains (through a small MPC, as in the figure) the key k punctured at the ⊥ positions, so it can unmask every other position without P_1 learning which ones were ⊥
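The punctured-PRF idea behind this slide, as an added example that is not the authors’ code: a GGM-style puncturable PRF built from SHA-256 (standing in for a length-doubling PRG), P_1’s masking of every position with PRF_k(i), and P_0’s unmasking from a key punctured at the ⊥ positions. The key, values and ⊥ positions are constructed for the example, the linear erasure code is not implemented, and puncturing is done in the clear here, whereas on the slide it happens inside an MPC so that P_1 never sees the ⊥ ids.

```python
import hashlib

# Added example (not the authors' code): a GGM-style puncturable PRF and the "almost-all OT"
# it gives.  P1 masks v_i with PRF_k(i); P0 holds k punctured at the ⊥ positions, so it
# unmasks every other position and cannot evaluate the PRF at the ⊥ ones.
KEY = hashlib.sha256(b"constructed PRF key").digest()   # constructed key for the demo

def expand(node):
    """Length-doubling PRG (modelled with SHA-256): the two children of a GGM tree node."""
    return (hashlib.sha256(node + b"L").digest(), hashlib.sha256(node + b"R").digest())

def path_bits(i, depth):
    """Bits of position i, most significant first: the root-to-leaf path in the tree."""
    return tuple((i >> (depth - 1 - d)) & 1 for d in range(depth))

def prf(key, i, depth):
    """PRF_k(i) = leaf i of the GGM tree rooted at key."""
    node = key
    for b in path_bits(i, depth):
        node = expand(node)[b]
    return node

def puncture(key, depth, holes):
    """Punctured key: the highest nodes whose subtrees contain no hole.  This covers every
    non-hole leaf with at most len(holes) * depth nodes and withholds the hole leaves."""
    hole_paths = {path_bits(i, depth) for i in holes}
    pkey = {}
    def visit(node, prefix):
        if not any(p[:len(prefix)] == prefix for p in hole_paths):
            pkey[prefix] = node                    # hole-free subtree: publish its root
        elif len(prefix) < depth:                  # a hole below: descend (a hole leaf is dropped)
            left, right = expand(node)
            visit(left, prefix + (0,))
            visit(right, prefix + (1,))
    visit(key, ())
    return pkey

def punctured_prf(pkey, i, depth):
    """Evaluate PRF_k(i) from a punctured key; None if i is a punctured position."""
    path = path_bits(i, depth)
    for d in range(depth + 1):
        if path[:d] in pkey:
            node = pkey[path[:d]]
            for b in path[d:]:
                node = expand(node)[b]
            return node
    return None

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sender_masks(key, values, depth):
    """P1: one masked value v_i XOR PRF_k(i) per position (values are 32-byte strings)."""
    return [xor(v, prf(key, i, depth)) for i, v in enumerate(values)]

def receiver_unmask(pkey, masked, depth):
    """P0: recover v_i wherever the punctured key still evaluates, None at the ⊥ positions."""
    out = []
    for i, m in enumerate(masked):
        r = punctured_prf(pkey, i, depth)
        out.append(None if r is None else xor(m, r))
    return out

def demo(depth=4, holes=(3, 9)):
    """Constructed run: 2^depth positions with the given ⊥ positions; returns
    (P1's values, what P0 recovers, number of nodes in the punctured key)."""
    values = [hashlib.sha256(b"value %d" % i).digest() for i in range(1 << depth)]
    pkey = puncture(KEY, depth, holes)
    got = receiver_unmask(pkey, sender_masks(KEY, values, depth), depth)
    return values, got, len(pkey)

if __name__ == "__main__":
    values, got, size = demo()
    print("unrecoverable positions:", [i for i, g in enumerate(got) if g is None], "key nodes:", size)
```

The punctured key is what makes the OT cheap: for t ⊥ positions out of 2^depth it contains at most t·depth tree nodes, and P_0 can evaluate the PRF everywhere except at the t holes, so a single masked share from P_1 transfers all the other positions.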
Optimizing Computation
Baseline: Cost per Hom Multiplication
• Phase 1: exponentiation
  (g^r)^{−<cv>} · (g^{rc + x})^{<v>} = g^{<vx>}
  Note: fixed base
• Phase 2: share conversion
  (Figure: walk along g^0, g^1, … until a distinguished point h)
  Repeated (Θ(1/ε) expected):
  – Multiply h by the generator g
  – Test if the new h is distinguished (evaluate the PRF)
Computational Optimizations
• “Conversion-friendly” groups: g = 2 is a generator and |G| = 2^i − (small δ)
  – h·g = (h shifted by 1) + small δ (the δ is added when the shift overflows 2^i)
• Distinguished points:
  – Provable: min-wise hash [Ind01] saves log(1/ε) worst-case parallel runtime
  – Heuristic: fixed window of 0s
• Perform blocks of repetitions: h·g^{32} = (h shifted by 32) + δ·(the 32 bits shifted out)
Further Optimizations
• Assume circular-secure ElGamal
• Elliptic-curve ElGamal for short ciphertexts
• “Small exponent” ElGamal for a shorter secret key
• Preprocess for fixed-basis exponentiations
• Replace the binary sk decomposition by base D
• Bottom line:
  – Ciphertexts shorter than FHE ciphertexts
  – “Shallow” computations may be faster