Multiparty Computation from Somewhat Homomorphic Encryption
Ivan Damgård (1), Valerio Pastro (1), Nigel Smart (2), Sarah Zakarias (1)
(1) Aarhus University, (2) Bristol University
August 22, 2012
Damgård, Pastro, Smart, Zakarias (-.-) SPDZ August 22, 2012 1 / 19
Our work: What is it?
An(other) MPC protocol with:
- Active security
- Dishonest majority
- Computational security
- Universally composable
Previous work (examples):
- Early construction [CLOS02]
- “MPC in the Head” approach [IKOS07, IPS08]
- Preprocessing model [DO10, BDOZ11, NNOB12]
Notation
[BDOZ11] (BeDOZa): “Semi-Homomorphic Encryption and Multiparty Computation”
SPDZ (SPeeDZ) ← This talk! “Multiparty Computation from Somewhat Homomorphic Encryption”
SPDZ Old Techniques – The Preprocessing Model
Two-phase approach: Preprocessing ⇒ Online
- Preprocessing: shared randomness generation (public key crypto required)
- Online: evaluation of f using the preprocessed data
Features:
- Preprocessing: independent of f
- Online phase: very fast – no PKE!
Part 1: Online
Digression on [BDOZ11]’s Online Phase
Computation: on additive secret sharing.
Secret $x = x_1 + \cdots + x_n$, with $x_i \to P_i$.
Security: information-theoretic MACs on shares,
$\mathrm{MAC}_j(x_i) = \alpha_j \cdot x_i + \beta^{j}_{x,i}$,
where $P_i$ holds $\mathrm{MAC}_j(x_i)$ and $P_j$ holds the key $(\alpha_j, \beta^{j}_{x,i})$.
$[x] := \big( x_i,\ (\mathrm{MAC}_j(x_i))_{j=1,\, j \neq i}^{n},\ (\alpha_i, \beta^{i}_{x,j})_{j=1,\, j \neq i}^{n} \big)_{i=1,\dots,n}$
Computation with Secret Sharing and MACs
How to compute [x + y] from [x] and [y]? Very easy!
$P_i$: $x_i + y_i$, $\mathrm{MAC}_j(x_i) + \mathrm{MAC}_j(y_i)$, $\beta^{i}_{x,j} + \beta^{i}_{y,j}$
How to compute [x · y] from [x] and [y]?
Using [Bea91]: easy if players have a “multiplicative triple” [a], [b], [a · b]:
1. Compute [x + a], [y + b] (easy).
2. Reconstruct ε = x + a, δ = y + b (with MAC checking).
3. Compute [z] = [a · b] − ε · [b] − δ · [a] + ε · δ.
[z] equals [x · y]:
$z = ab - \varepsilon b - \delta a + \varepsilon\delta = ab - (x + a) b - (y + b) a + (x + a)(y + b) = xy$
Summary on the Online Phase
Computation:
- Linear secret sharing and MACs → [x + y]: locally add
- Multiplicative triples → [x · y]: add and reconstruct
Security:
- Secret sharing inputs → privacy
- MACs (on shares) → authenticity
Data needed per secret:
One secret → n shares → n MACs (and keys) per share → O(n²) field elements per secret.
Lowering the amount of data needed? The Catch
In [BDOZ11], MACs on shares to authenticate the secret.
Why not MACs on the secret to authenticate the secret?
Assuming [α] (one single value for all secrets),
$\langle x \rangle := (x_1, \dots, x_n, \gamma(x)_1, \dots, \gamma(x)_n)$, with $(x_i, \gamma(x)_i) \to P_i$
- $x_1, \dots, x_n$: additive secret sharing of $x$
- $\gamma(x)_1, \dots, \gamma(x)_n$: additive secret sharing of $\gamma(x) = \alpha \cdot x$ (MAC on $x$)
Data needed per secret:
One secret → n shares + n shares of a MAC → O(n) field elements per secret.
Does it really work?
Setup:
- MAC keys in [·]: privately held, different secret → different key
- MAC keys in ⟨·⟩: [α], unique for all secrets!
Problem:
P_i needs α to check a MAC → P_i can later forge MACs! → Gate-by-gate check = insecure
Solution:
1. Compute the whole circuit with no checks
2. Commit to MACs
3. Open [α]
4. Check MACs
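The ⟨·⟩ representation, the [Bea91] triple multiplication and the deferred MAC check from the slides above, as an added Python example that is not code from the paper or from any SPDZ implementation; the toy prime field, n = 3 players and a single process simulating all players are assumptions.

```python
import random

P, N = 2**61 - 1, 3   # toy prime field and player count: assumptions, not paper parameters

def share(v):  # additive secret sharing over F_P: v = v_1 + ... + v_N
    s = [random.randrange(P) for _ in range(N - 1)]
    return s + [(v - sum(s)) % P]

def auth_share(v, alpha):  # <v>: shares of v paired with shares of gamma(v) = alpha * v
    return list(zip(share(v), share(alpha * v % P)))

def add(x, y):  # <x + y>: each P_i adds its value share and its MAC share locally
    return [((a + b) % P, (ga + gb) % P) for (a, ga), (b, gb) in zip(x, y)]

def scale(x, k):  # <k * x> for public k: multiply both shares by k
    return [(v * k % P, g * k % P) for v, g in x]

def add_const(x, k, alpha_sh):
    """<x + k> for public k: P_1 adds k to its value share, every P_i adds alpha_i * k to its MAC share."""
    return [((v + k) % P if i == 0 else v, (g + ai * k) % P)
            for i, ((v, g), ai) in enumerate(zip(x, alpha_sh))]

def open_value(x, log):
    """Reconstruct from the value shares; MAC shares are only logged, checked at the very end."""
    v = sum(s for s, _ in x) % P
    log.append((v, [g for _, g in x]))
    return v

def beaver_mul(x, y, triple, alpha_sh, log):
    """<x * y> from a preprocessed triple (<a>, <b>, <a*b>): z = ab - eps*b - delta*a + eps*delta."""
    a, b, c = triple
    eps, delta = open_value(add(x, a), log), open_value(add(y, b), log)
    z = add(add(c, scale(b, -eps % P)), scale(a, -delta % P))
    return add_const(z, eps * delta % P, alpha_sh)

def mac_check(log, alpha_sh):
    """After the whole circuit: open alpha and verify sum_i gamma_i = alpha * v for every opening."""
    alpha = sum(alpha_sh) % P
    return all(sum(gs) % P == alpha * v % P for v, gs in log)

def run(x, y, tamper=False):
    """Compute x * y under <.>; tamper=True makes a corrupt P_N lie in the final opening."""
    alpha = random.randrange(1, P)
    alpha_sh = share(alpha)   # [alpha]: nobody sees alpha until mac_check
    a, b = random.randrange(P), random.randrange(P)
    triple = (auth_share(a, alpha), auth_share(b, alpha), auth_share(a * b % P, alpha))
    log, xs, ys = [], auth_share(x, alpha), auth_share(y, alpha)
    z = beaver_mul(xs, ys, triple, alpha_sh, log)
    if tamper:
        z[-1] = ((z[-1][0] + 1) % P, z[-1][1])   # shifted value share, unchanged MAC share
    return open_value(z, log), mac_check(log, alpha_sh)
```

The honest run opens 42 for run(6, 7) and the check passes; the tampered run opens a wrong value and the single end-of-circuit check rejects it, since the corrupt player cannot adjust its MAC share without knowing α.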
Online – the Numbers
Notation: n: # players; m_f: # multiplications in the circuit C to compute; |C|: circuit size

                                     [BDOZ11]         SPDZ
Preprocessed data needed             Θ(m_f · n²)      O(m_f · n)
Complexity (field mults)             Ω(|C| · n²)      O(|C| · n + n³)
Amortized timing (64-bit prime field) 7.7 ms          0.05 ms

Note:
- Preprocessed data needed: optimal up to a constant factor.
- Complexity: optimal up to poly-log factors.
Part 2: Preprocessing
High Level Idea
- Generate a = a_1 + · · · + a_n, b = b_1 + · · · + b_n
- Generate and broadcast encryptions Enc(a_i), Enc(b_i)
- Compute an encryption Enc(c), where c = a · b
- Distribute c_i to P_i, where c = c_1 + · · · + c_n
Problems:
- Does P_i know the plaintext contained in Enc(a_i), Enc(b_i)?
- How to compute Enc(c)?
Solutions:
- First problem: a ZK-proof.
- Second problem: a very expensive ZK-proof... or?
The Right Encryption Scheme – The Nicest Solution, and the Problem
Given fresh Enc(a_1), …, Enc(a_n), Enc(b_1), …, Enc(b_n), compute:
$\mathrm{Enc}(a) \leftarrow \sum_i \mathrm{Enc}(a_i), \quad \mathrm{Enc}(b) \leftarrow \sum_i \mathrm{Enc}(b_i), \quad \mathrm{Enc}(c) \leftarrow \mathrm{Enc}(a) \cdot \mathrm{Enc}(b)$
where a_1 + · · · + a_n = a, b_1 + · · · + b_n = b, c = a · b.
Fresh: a ciphertext computed via the encryption algorithm.
Our Abstract Scheme
Somewhat Homomorphic Encryption Scheme: an encryption scheme (KeyGen, Enc, Dec) such that
$\mathrm{Dec}(C'(\mathrm{Enc}(m_1), \dots, \mathrm{Enc}(m_n))) = C(m_1, \dots, m_n)$,
where C is an arithmetic circuit in a specific set S. In our case: S = circuits of multiplicative depth one.