Multi-Party Computation: Second Year
Eduardo Soria-Vázquez, October 11, 2017
A Year in a slide
1. Conferences attended:
   1. Flagship: TCC 2016-B, Eurocrypt 2017.
   2. Domain-specific: TPMPC.
   3. Smaller meetings: ECRYPT collaborative writing workshop, HEAT, Lattice Meeting (ENS Lyon).
2. Talks given: TCC 2016-B, Lattice Meeting: "More Efficient Constant-Round Multi-Party Computation from BMR and SHE".
3. Research visits: Thales UK, Bar-Ilan University.
4. Outreach: Digimakers (coming on 11th November, 2017).
5. Papers:
   * ACNS 2017: Faster Secure Multi-Party Computation of AES and DES Using Lookup Tables. Joint work with Marcel Keller, Emmanuela Orsini, Dragos Rotaru, Peter Scholl and Srinivas Vivek.
   * ASIACRYPT 2017: Low Cost Constant Round MPC Combining BMR and Oblivious Transfer. Joint work with Carmit Hazay and Peter Scholl.
   * A submission to EUROCRYPT 2018.
Eduardo Soria-Vázquez
Low Cost Constant Round MPC Combining BMR and Oblivious Transfer
Carmit Hazay, Peter Scholl, Eduardo Soria-Vázquez, October 11, 2017
Overview
1. What is MPC?
   1. Garbled circuits: 2PC (Yao) vs MPC (BMR)
2. Results:
   1. A compiler from binary MPC to BMR
   2. Robustness of garbling in BMR
   3. Optimized garbling with TinyOT
3. Conclusion
Multi-Party Computation
(Figure: four parties, each holding a private input $x_i$, jointly compute $f(x_1, x_2, x_3, x_4)$.)
• Adversaries participate in the protocol.
• Security: the protocol must be indistinguishable from the ideal one, in which a Trusted Party receives the inputs and computes $f$.
MPC setting in this talk
Model of computation:
• Boolean circuit $C$
Adversary:
• Static, malicious
• Dishonest majority
Main focus:
• Constant rounds, via garbled circuits
• Concrete efficiency
(Figure: a preprocessing phase producing correlated randomness, followed by an online phase in which parties $P_1, \dots, P_4$ with inputs $x_1, \dots, x_4$ obtain $C(x_1, x_2, x_3, x_4)$.)
Starting point: garbled circuits for semi-honest 2-PC [Yao86]
• Garble: the Boolean circuit $C$ is turned into a garbled circuit $\tilde{C}$.
• Input encoding protocol: the inputs $x_1, x_2$ are turned into encodings $\tilde{X}_1, \tilde{X}_2$.
• Eval: $\mathrm{Eval}(\tilde{C}, \tilde{X}_1, \tilde{X}_2) = C(x_1, x_2)$.
BMR: everyone garbles (MPC) and evaluates (local computation) [BeaverMicaliRogaway90]
• Garble: a generic MPC protocol turns $C$ into $\tilde{C}$. This can be any non-constant-round protocol.
• Input encoding: the inputs $x_1, \dots, x_n$ become encodings $\tilde{X}_1, \dots, \tilde{X}_n$.
• Eval (local): $\mathrm{Eval}(\tilde{C}, \tilde{X}_1, \dots, \tilde{X}_n) = C(x_1, \dots, x_n)$.

Challenge in BMR: evaluate the Garbling step inside MPC, efficiently.
Comparison of approaches to BMR with active security

Protocol                  Based on            Free XOR   Main cost per gate
BMR90                     Generic MPC                    ZK proofs of PRG computation
LPSY15                    MPC in $\mathbb{F}_p$          $8n + 5$ MPC mult.
LSS16                     SHE                            $O(n^2)$ ZK proofs of plaintext knowledge
This talk (and [KRW17])   OT + MPC in $\mathbb{F}_2$     1 MPC mult. in $\mathbb{F}_2$

(The tick marks of the Free XOR column did not survive extraction.)
Garbling an AND gate with Yao

Truth table of the gate $w = u \wedge v$:

  u  v  w
  0  0  0
  0  1  0
  1  0  0
  1  1  1

• Pick 2 random keys for each wire: $(K_{u,0}, K_{u,1})$, $(K_{v,0}, K_{v,1})$, $(K_{w,0}, K_{w,1})$.
• Encrypt the truth table of each gate, one row per input pair:
  $E_{K_{u,0}, K_{v,0}}(K_{w,0})$
  $E_{K_{u,0}, K_{v,1}}(K_{w,0})$
  $E_{K_{u,1}, K_{v,0}}(K_{w,0})$
  $E_{K_{u,1}, K_{v,1}}(K_{w,1})$
• Randomly permute the entries, so that the position of a row reveals nothing about $(u, v)$, e.g.:
  $E_{K_{u,0}, K_{v,1}}(K_{w,0})$
  $E_{K_{u,1}, K_{v,1}}(K_{w,1})$
  $E_{K_{u,0}, K_{v,0}}(K_{w,0})$
  $E_{K_{u,1}, K_{v,0}}(K_{w,0})$
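The three steps above, as an added worked example (not code from the talk or the paper): garble one AND gate with two keys per wire, encrypt the four rows, shuffle them, and evaluate with a single key per input wire. The double-key encryption $E$ is instantiated, as an assumption, by HMAC-SHA256 keyed with $K_a \| K_b$ and used as a one-time pad; since the rows are permuted without any pointer bit, the evaluator recognises the right row by a zero padding on the plaintext, which is the classic trick and not something the slides specify.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16  # 128-bit wire keys


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(k_a: bytes, k_b: bytes, gate_id: int) -> bytes:
    """Double-key PRF F_{Ka,Kb}(g) used as a one-time pad, so that the
    encryption E of the slides is E_{Ka,Kb}(m) = F_{Ka,Kb}(g) xor m.
    Assumption: HMAC-SHA256 keyed with Ka||Kb stands in for the PRF.
    One digest is 32 bytes = 2 * KEY_LEN, exactly one padded row."""
    return hmac.new(k_a + k_b, gate_id.to_bytes(4, "big"), hashlib.sha256).digest()


def garble_and_gate(gate_id: int):
    """Garbler side: returns the wire keys (kept by the garbler) and the
    garbled table (sent to the evaluator)."""
    # 1. pick 2 random keys for each wire u, v, w
    keys = {wire: (secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)) for wire in "uvw"}
    table = []
    for a in (0, 1):
        for b in (0, 1):
            # 2. encrypt the row: the output key for a AND b, followed by KEY_LEN
            #    zero bytes so the evaluator can recognise the row it decrypts
            row = keys["w"][a & b] + bytes(KEY_LEN)
            table.append(xor(pad(keys["u"][a], keys["v"][b], gate_id), row))
    # 3. randomly permute the entries so the position reveals nothing about (a, b)
    secrets.SystemRandom().shuffle(table)
    return keys, table


def eval_and_gate(gate_id: int, table, k_u: bytes, k_v: bytes):
    """Evaluator side: holds one key per input wire and never learns a or b.
    Tries every row; only the row encrypted under (k_u, k_v) decrypts to a
    zero tail (a wrong row gives a random tail, false positive 2^-128).
    Returns the output-wire key, or None when no row decrypts (abort)."""
    for ct in table:
        pt = xor(pad(k_u, k_v, gate_id), ct)
        if pt[KEY_LEN:] == bytes(KEY_LEN):
            return pt[:KEY_LEN]
    return None


def decode_output(keys, k_w: bytes) -> int:
    """Garbler-side decoding of the evaluator's result into a plaintext bit.
    Raises ValueError if k_w is not one of the two keys of wire w."""
    return keys["w"].index(k_w)


def truth_table_via_garbling(gate_id: int = 1):
    """Garble once, evaluate on all four input pairs, decode: must give AND."""
    keys, table = garble_and_gate(gate_id)
    return {(a, b): decode_output(keys, eval_and_gate(gate_id, table, keys["u"][a], keys["v"][b]))
            for a in (0, 1) for b in (0, 1)}
```

Three of the four rows encrypt the same key $K_{w,0}$; the evaluator cannot tell which row it opened, only which key it obtained, and that key is a random string as far as it is concerned.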
Garbling in BMR
BMR has an MPC-friendly garbling
• Pick $2n$ random keys for each wire: $K_{u,b} = (K^1_{u,b}, \dots, K^n_{u,b})$, $b \in \{0,1\}$. Initially, party $P_i$ holds only its own keys $K^i_{u,0}, K^i_{u,1}$.
• Garbled table (before permutation), with one row per input pair: $\mathrm{Enc}_{K_{u,a}, K_{v,b}}(K_{w, a \wedge b})$ for $(a,b) \in \{0,1\}^2$.
• Next slides:
  – Encrypt the truth table of each gate
  – Randomly permute the entries
Encryption in BMR is straightforward

$$\mathrm{Enc}^j_{K_{u,a}, K_{v,b}}(K^j_{w,0}) = \bigoplus_{i=1}^{n} F_{K^i_{u,a}, K^i_{v,b}}(g, j) \oplus K^j_{w,0}$$

where $F$ is a double-key PRF and $g$ is the gate index. Party $P_i$ inputs its PRF keys $K^i_{u,a}, K^i_{v,b}$ and its values $K^i_{w,0}$. The full encryption is the concatenation

$$\mathrm{Enc}_{K_{u,a}, K_{v,b}}(K_{w,0}) = \mathrm{Enc}^1_{K_{u,a}, K_{v,b}}(K^1_{w,0}) \,\|\, \cdots \,\|\, \mathrm{Enc}^n_{K_{u,a}, K_{v,b}}(K^n_{w,0})$$

Generic MPC: just XOR, since every PRF value is computed locally by one party.
Next: randomly permute the entries.
Entire BMR garbling (with Free-XOR) [Ben-Efraim Lindell Omri 16]
Garbled AND gate is, for $j \in \{1, \dots, n\}$ and $(a, b) \in \{0,1\}^2$:

$$\mathrm{Garb}^j(g, a, b) = \mathrm{Enc}^j_{K_{u,a}, K_{v,b}}(K^j_{w,0}) \oplus R^j \cdot \bigl((\lambda_u \oplus a)(\lambda_v \oplus b) \oplus \lambda_w\bigr)$$

• $\lambda_u, \lambda_v, \lambda_w$: secret permutation bits, used to shuffle the entries.
• $R^j$: fixed string enabling Free-XOR, secret to party $P_j$: $K^j_{w,1} = K^j_{w,0} \oplus R^j$.
Observation (next slide): multiplications are bit/bit or bit/string only.
Transforming any MPC to BMR (constant rounds for Boolean circuits)
For each AND gate:
• Sample $\lambda_u, \lambda_v, \lambda_w \in \{0,1\}$ (secret shared).
• Compute shares of $R^j \cdot \bigl((\lambda_u \oplus a)(\lambda_v \oplus b) \oplus \lambda_w\bigr)$ for $(a, b) \in \{0,1\}^2$, with $P_j$ inputting $R^j$.
• XOR in (shares of) $\mathrm{Enc}^j(K^j_{w,0})$, which each party computes locally.
• Output: shares of $\tilde{C}$.

Cost breakdown of the same steps:
• Each $P_i$ samples its shares $\lambda^i_u, \lambda^i_v, \lambda^i_w \in \{0,1\}$ of the permutation bits.
• 1 multiplication in $\mathbb{F}_2$ (the bit/bit product $\lambda_u \lambda_v$).
• $P_j$ inputs $R^j$; consistency check.
• $n(n-1)$ correlated OTs for the bit/string multiplications $\lambda^i \cdot R^j$.
• XOR in (shares of) $\mathrm{Enc}^j(K^j_{w,0})$; output: shares of $\tilde{C}$.
Robustness of garbling in BMR
BMR garbling is very robust to errors
Thought experiment with an adversary: (Figure) the inputs $x$ and circuit $C$ go through Garble, which yields the honest $\tilde{C}$, while the adversary may substitute a modified $\hat{C}$; the encoding $\tilde{X}$ of $x$ is then evaluated on $\hat{C}$, and $\mathrm{Eval}$ returns either the output $y$ or an abort $\bot$.

• Intuition:
  – The only possible break is to flip honest $P_j$'s masked key: $\mathrm{Enc}^j(K^j_w) \to \mathrm{Enc}^j(K^j_w \oplus R^j)$.
  – This has negligible probability (it requires guessing $R^j$) if the mask was obtained from a suitable PRF:

$$\mathrm{Enc}^j(K^j_w) = F_{K^1_u, K^1_v}(g, j) \oplus \cdots \oplus F_{K^n_u, K^n_v}(g, j) \oplus K^j_w$$

• We strengthen previous results (proofs) [LPSY15, KRW17], which:
  – allowed incorrect PRF values only non-adaptively;
  – did not directly reduce to PRF security;
  – required the shares of the garbling to be authenticated (less efficient).
An optimized protocol for BMR: TinyOT

Optimized variant based on TinyOT
• Multi-party TinyOT protocol [FrederiksenKellerOrsiniScholl15]
  – Efficient instantiation of binary MPC.
  – Optimized in [KatzRanellucciWang17].
• Uses correlated OT to create information-theoretic MACs:
  – $\mathrm{MAC}(x) = K + x \cdot R$, for a shared bit $x$ and MAC key $(K, R)$ (arithmetic in $\mathbb{F}_2^\kappa$, so $+$ is XOR).
• Fix $R$ to be the global difference of Free-XOR:
  – Bit/string products for free!
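The bit/string products from the compiler slide ($n(n-1)$ correlated OTs for $\lambda^i \cdot R^j$) and the TinyOT MAC of this slide are the same object, shown here as an added example (not code from the talk or the paper): a correlated OT with correlation $R^j$ hands the receiver $M = K \oplus \lambda^i R^j$ and the sender $K$, so $(M, K)$ are XOR shares of the product and $M$ is at the same time a TinyOT MAC on $\lambda^i$ under $P_j$'s key. The correlated OT itself is an assumed trusted-dealer stand-in for the OT-extension protocol, so that the example runs offline; it produces outputs of the same form, nothing more.

```python
import secrets

KAPPA = 16  # |R| = 128 bits


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def bit_times(bit: int, s: bytes) -> bytes:
    """Bit/string product x * R over F_2^kappa."""
    return s if bit else bytes(len(s))


def correlated_ot(R: bytes, x: int):
    """One correlated OT. Sender holds the correlation R and gets a random K;
    receiver with choice bit x gets M = K xor x*R and learns nothing about R.
    Assumption: trusted-dealer stand-in for the real OT-extension protocol."""
    K = secrets.token_bytes(len(R))
    return K, xor(K, bit_times(x, R))


def mac_check(K: bytes, R: bytes, x: int, M: bytes) -> bool:
    """Information-theoretic MAC check: MAC(x) = K + x*R, addition being XOR."""
    return M == xor(K, bit_times(x, R))


def forgery_fails() -> bool:
    """A receiver who wants to claim the other bit must present M xor R,
    i.e. guess R: the MAC binds the bit it was issued for."""
    R = secrets.token_bytes(KAPPA)
    K, M = correlated_ot(R, 1)
    return mac_check(K, R, 1, M) and not mac_check(K, R, 0, M)


def product_shares(bits, Rs):
    """Each P_i holds a bit share lambda^i = bits[i] and its Free-XOR string
    R^i = Rs[i]. Returns shares[i][j]: P_i's XOR share of lambda * R^j, where
    lambda = lambda^0 xor ... xor lambda^{n-1}. The term lambda^j * R^j is
    local to P_j; every cross term lambda^i * R^j (i != j) costs one COT,
    n(n-1) in total, and needs no further multiplication."""
    n = len(bits)
    shares = [[bytes(len(Rs[0])) for _ in range(n)] for _ in range(n)]
    for j in range(n):
        shares[j][j] = bit_times(bits[j], Rs[j])
        for i in range(n):
            if i != j:
                K, M = correlated_ot(Rs[j], bits[i])  # P_j sender, P_i receiver
                shares[j][j] = xor(shares[j][j], K)   # P_j keeps K
                shares[i][j] = M                      # P_i keeps M = K xor lambda^i R^j
    return shares


def open_shares(shares, j: int) -> bytes:
    """Reconstruct lambda * R^j by XORing every party's share (checking only)."""
    acc = bytes(len(shares[0][j]))
    for i in range(len(shares)):
        acc = xor(acc, shares[i][j])
    return acc


def check_products(n: int = 4) -> bool:
    """True iff, for random bits and strings, the opened shares equal lambda * R^j for every j."""
    bits = [secrets.randbelow(2) for _ in range(n)]
    Rs = [secrets.token_bytes(KAPPA) for _ in range(n)]
    lam = 0
    for b in bits:
        lam ^= b
    shares = product_shares(bits, Rs)
    return all(open_shares(shares, j) == bit_times(lam, Rs[j]) for j in range(n))
```

Because $R^j$ is also the Free-XOR offset, the shares of $\lambda_u R^j$ obtained this way can be XORed straight into the garbled rows; no separate bit/string multiplication protocol is run, which is the "for free" of the slide.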
Communication (MB) for 1 AES evaluation in efficient constant-round MPC
(Bar chart, logarithmic axis from 1 to 10^6 MB, two series: 3 parties and 10 parties; compared protocols: SPDZ-BMR (2015), SHE-BMR (2016), MASCOT-BMR (2016), This work (2017).)
Conclusion
Constant rounds (almost) for free:
• Small, $O(k)$ overhead on top of any protocol for binary circuits.
• Almost no overhead when using TinyOT.
Improved security proof: unauthenticated shares, better online phase.
Open problems:
• Can BMR garbling be optimized? Currently: $4nk$ bits + $O(n^2)$ PRF evaluations per AND gate.
• How about TinyOT?
• Can we further tailor other MPC protocols for BMR garbling?

Thank you!
Low Cost, Constant Round MPC Combining BMR and Oblivious Transfer. Carmit Hazay, Peter Scholl and Eduardo Soria-Vázquez. http://ia.cr/2017/214

Runtimes
(Tables: AES (B=3) and SHA-256 (B=3).)
Benchmark: 9 parties, 1 Gbps LAN, 2.3GHz Intel Xeon CPUs with 20 cores.