Near-Linear Unconditionally-Secure MPC with a Dishonest Minority

Eli Ben-Sasson (Technion), Serge Fehr (CWI Amsterdam, www.cwi.nl/~fehr), Rafail Ostrovsky (UCLA)
Multiparty Computation (MPC)

[Figure: $n$ players holding private inputs $x_1, x_2, x_3, x_4, \dots, x_n$]

Goal: compute a function $f$ on private inputs $x_1, \dots, x_n$, so that
- all learn the correct $f(x_1, \dots, x_n)$
- the $x_i$'s remain private
even if the adversary corrupts $t$ players.

Classical possibility results:
- computational security for $t < n/2$ [GMW87, CDG88]
- unconditional security for $t < n/2$ (assuming broadcast) [RB89, Bea89]
- perfect security for $t < n/3$ [CCD88, BGW88]

Beyond (im)possibility results: (communication) complexity
Amortized Communication Complexity

Best known results (binary circuits):

  Bits/multiplication (1)   Attack    Security        Resilience   Ref
  O(n log n)                passive   perfect         t < n/2      [DamNie07]
  O(n log n)                active    computational   t < n/2      [DamNie07]
  O(n^2 k)                  active    unconditional   t < n/2      [BerHirt06]
  O(n log n) (2)            active    perfect         t < n/3      [BerHirt08]
  O(n log n + k) (2)        active    unconditional   t < n/2      our new result

(actually: $O(n \log n + k/n^c)$ for any $c$; can probably be removed)

(1) Amortized complexity: assumes large enough circuits
(2) Requires not too large multiplicative depth
Tricks

The protocol makes use of known techniques:
- Shamir secret sharing [Sha79]
- Beaver's circuit randomization [Bea89]
- dispute control [BerHirt06]
- linear-time passively-secure multiplication [DamNie07]
- ... and cumbersome fine-tuning

but crucially relies on two new tricks:
1. efficient batch verification for multiplication triples (3) (to verify $c = a \cdot b$ for many shared triples $(a, b, c)$ in one go)
2. efficient "mini MPC" for computing authentication tags

(3) Independent work: a similar trick is used in [CraDamPas12], in the setting of computational interactive proofs
Reconstruction in the Presence of Faults

secret: $s$, polynomial $f(X) = s + a_1 X + \dots + a_t X^t$
shares: $s_1 = f(x_1), \dots, s_i = f(x_i), \dots, s_k = f(x_k), \dots, s_n = f(x_n)$

Problem: how to reconstruct $s$ if up to $t$ shares are faulty?
In case $n/3 \le t < n/2$: impossible (without additional redundancy).

Idea [RB89]: authenticate the shares.
For every pair of players $P_i, P_k$: $P_k$ holds a key $(\alpha_{ki}, \beta_{ki})$ and $P_i$ holds the tag
$$\tau_{ik} = \alpha_{ki} \cdot s_i + \beta_{ki}$$
on its share $s_i$ (the figure shows the $n \times n$ array of tags $\tau_{ik}$ and keys $(\alpha_{ik}, \beta_{ik})$, one entry per ordered pair of players).

Problem #1: Blows up complexity!
Problem #2: Who computes the tag $\tau_{ik} = \alpha_{ki} s_i + \beta_{ki}$?
Solving Problem #1

Authenticate large blocks of shares $s_i = (s_i^1, \dots, s_i^L)$ (for secrets $s^1, \dots, s^L$) via
$$\tau = \alpha \cdot s_i + \beta = \sum_{\ell} \alpha^\ell s_i^\ell + \beta$$
with key $\alpha = (\alpha^1, \dots, \alpha^L)$ and $\beta$ (actually: $\tau_{ik}$, $\alpha_{ki}$ and $\beta_{ki}$).
For large $L$, the efficiency loss due to $\beta$ and $\tau$ becomes negligible.

Use the same $\alpha = (\alpha^1, \dots, \alpha^L)$ for different blocks $s_i = (s_i^1, \dots, s_i^L)$.
For many blocks, the efficiency loss due to $\alpha$ becomes negligible.
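The block MAC of this slide (and the share authentication idea of the previous one) as an added example in Python; this is not code from the slides or the paper. One long-term key $\alpha = (\alpha^1, \dots, \alpha^L)$ is reused across blocks, a fresh $\beta$ is drawn per block, and the tag is $\tau = \sum_\ell \alpha^\ell s^\ell + \beta$ over a prime field. The field size `P`, the block length and the tiny field used by `forgery_count` are assumptions for the demo; `forgery_count` goes beyond the slide by checking exhaustively that a substituted block is accepted by exactly a $1/p$ fraction of the keys consistent with an observed tag.

```python
# Added example, not code from the slides or the paper: the block MAC of
# "Solving Problem #1" over a prime field F_p.  One long-term key
# alpha = (alpha^1, ..., alpha^L) is reused across blocks, a fresh beta is drawn
# per block, and the tag is tau = sum_l alpha^l * s^l + beta (mod p).
# The field size P and the block length are assumptions made for the demo.
from itertools import product
import secrets

P = (1 << 61) - 1  # assumed field: a Mersenne prime; Python ints keep products exact


def keygen_alpha(L, p=P):
    """Long-term key alpha, one field element per position of a block."""
    return [secrets.randbelow(p) for _ in range(L)]


def keygen_beta(p=P):
    """One-time key beta: a single fresh field element per authenticated block."""
    return secrets.randbelow(p)


def tag(alpha, beta, block, p=P):
    """tau = <alpha, block> + beta  (mod p)."""
    if len(alpha) != len(block):
        raise ValueError("block length must match the key length L")
    return (sum(a * s for a, s in zip(alpha, block)) + beta) % p


def verify(alpha, beta, block, tau, p=P):
    """The key holder's check on a block received together with its tag."""
    return tag(alpha, beta, block, p) == tau % p


def forgery_count(block, forged_block, tau, forged_tau, p):
    """Exhaustive check on a tiny field: among all keys (alpha, beta) consistent
    with the tag tau on `block`, count those that also accept (forged_block,
    forged_tau).  For forged_block != block exactly a 1/p fraction do, because
    the forgery succeeds iff <alpha, forged_block - block> = forged_tau - tau,
    a single linear condition on alpha.  Returns (accepting, consistent)."""
    L = len(block)
    consistent = accepting = 0
    for alpha in product(range(p), repeat=L):
        alpha = list(alpha)
        # beta is determined by alpha once (block, tau) is fixed
        beta = (tau - sum(a * s for a, s in zip(alpha, block))) % p
        consistent += 1
        if verify(alpha, beta, forged_block, forged_tau, p):
            accepting += 1
    return accepting, consistent
```

The cost per block is one field element for $\beta$ and one for $\tau$ on top of the $L$ elements of $\alpha$, which is why reusing $\alpha$ over many blocks makes the overhead negligible; the `forgery_count` check is what justifies the reuse, since the success condition depends only on the difference of the two blocks and not on $\beta$.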
Solving Problem #2

Problem #2: Who computes the tag $\tau = \alpha s_i + \beta$ (actually $\tau = \sum_\ell \alpha^\ell s_i^\ell + \beta$)?

Recall:
- $P_k$, who holds $(\alpha, \beta)$, is not supposed to learn $s_i$
- $P_i$, who holds $s_i$, is not supposed to learn $(\alpha, \beta)$
- the dealer is not supposed to learn $(\alpha, \beta)$, as he might be dishonest

Standard approach/solution: do a 2-level sharing:
- every $s_i$ is re-shared into sub-shares $s_{i1}, \dots, s_{in}$
- the sub-shares $s_{ij}$ are authenticated
- player $P_i$ computes the tags for the sub-shares $s_{i1}, \dots, s_{in}$ of $s_i$
=> quadratic complexity
Solving Problem #2

Problem #2: Who computes the tag $\tau = \alpha s_i + \beta$ (actually $\tau = \sum_\ell \alpha^\ell s_i^\ell + \beta$)?

Recall:
- $P_k$, who holds $(\alpha, \beta)$, is not supposed to learn $s_i$
- $P_i$, who holds $s_i$, is not supposed to learn $(\alpha, \beta)$
- the dealer is not supposed to learn $(\alpha, \beta)$, as he might be dishonest

New approach: by means of an MPC?
Appears hopeless: just sharing the input $s_i$ already leads to quadratic complexity.

Good news:
- The circuit is very simple: multiplicative depth 1.
- Don't need to worry about the other inputs, $\alpha$ and $\beta$.
- Dispute control framework => only need passive security (correctness can be verified by cut-and-choose).
Solving Problem #2

Solution: do not share the share $s_i$.
Instead: use the remaining shares $(s_j)_{j \ne i}$ of $s$ as shares of $s_i$.

[Figure: the degree-$t$ polynomial $f$ with $f(0) = s$ and the shares $s_1, s_2, \dots, s_i, \dots, s_n$ at the points $1, 2, \dots, i, \dots, n$]

Fact:
- any $t$ of the shares $(s_j)_{j \ne i}$ give no info on $s_i$
- any $t+1$ of the shares $(s_j)_{j \ne i}$ reveal $s_i$

Thus: $(s_j)_{j \ne i}$ is a sharing of $s_i$, w.r.t. a variant of Shamir's scheme (where the secret is the evaluation of $f$ at point $i$, rather than at $0$).
Multiparty-Computing the Tag

Protocol MINI MPC

Given: shares $s_1, \dots, s_i, \dots, s_n$ of $s$, with $s_j = f(j)$, $\deg(f) = t$, $f(0) = s$.

- $P_k$ shares $\alpha$ as follows: choose $g$ with $\deg(g) = t$, $g(i) = \alpha$, $g(0) = 0$, and give $\alpha_j = g(j)$ to $P_j$ ($P_i$ gets no share).
- $P_k$ shares $\beta$ as follows: choose $h$ with $\deg(h) = 2t$, $h(i) = \beta$, $h(0) = 0$, and give $\beta_j = h(j)$ to $P_j$ ($P_i$ gets no share).
- every $P_j$ ($j \ne i$) sends $\tau_j = \alpha_j s_j + \beta_j$ to $P_i$.
- $P_i$ reconstructs $\tau = \alpha s_i + \beta$ from the $\tau_j$'s: the $\tau_j$ are the values at the points $j \ne i$ of the degree-$2t$ polynomial $g \cdot f + h$, whose value at $0$ is $g(0) f(0) + h(0) = 0$; together with this known point, $P_i$ has $n \ge 2t+1$ evaluations and interpolates the value $\tau$ at point $i$.

Note: The adversary can learn $\alpha$ by corrupting $t$ players $P_j \ne P_i$.
But $\alpha$ is of no use to him if he does not corrupt $P_i$.
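The last three slides (Shamir sharing, the other players' shares $(s_j)_{j \ne i}$ used as a sharing of $s_i$, and Protocol MINI MPC) as one added example in Python; this is not code from the slides or the paper. The field size `P`, the player points $1, \dots, n$, the parameters $n = 7$, $t = 3$, the seeded RNG and all function names are assumptions for the demo. `alpha_from_corrupted` checks the note above: $t$ corrupted $P_j \ne P_i$ recover $\alpha$ from their shares of $g$ together with the public point $g(0) = 0$.

```python
# Added example, not code from the slides or the paper: Shamir sharing over a
# prime field, the fact that the other players' shares (s_j)_{j != i} form a
# sharing of s_i, and the MINI MPC protocol that hands P_i the tag
# tau = alpha*s_i + beta without re-sharing s_i.  The field size P, the player
# points 1..n and the seeded RNG are assumptions made for the demo.
import random

P = (1 << 31) - 1  # assumed prime field F_p


def lagrange_eval(points, x, p=P):
    """Value at x of the unique polynomial of degree < len(points) through points."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % p
                den = den * (xj - xm) % p
        total = (total + yj * num * pow(den, p - 2, p)) % p
    return total


def rand_poly(degree, fixed, rng, p=P):
    """Uniformly random polynomial of the given degree with prescribed values
    fixed = {x: y}; represented by the degree+1 points it passes through."""
    pts = list(fixed.items())
    x = max(fixed) + 1  # fresh abscissae beyond the constrained ones
    while len(pts) < degree + 1:
        pts.append((x, rng.randrange(p)))
        x += 1
    return pts


def share(secret, n, t, rng, p=P):
    """Shamir: s_j = f(j), j = 1..n, for a random degree-t f with f(0) = secret."""
    f = rand_poly(t, {0: secret}, rng, p)
    return {j: lagrange_eval(f, j, p) for j in range(1, n + 1)}


def reconstruct(shares, at=0, p=P):
    """Interpolate the shares {j: s_j} and evaluate at `at`: 0 for the secret,
    i to use (s_j)_{j != i} as a sharing of s_i as on the "Solution" slide."""
    return lagrange_eval(sorted(shares.items()), at, p)


def mini_mpc(shares, i, alpha, beta, n, t, rng, p=P):
    """P_k holds (alpha, beta); the players P_j, j != i, hold shares s_j of s.
    Returns the tag tau = alpha*s_i + beta obtained by P_i, plus the shares
    alpha_j of alpha that the P_j received (used below for the adversary note)."""
    if n < 2 * t + 1:
        raise ValueError("needs an honest majority, n >= 2t+1")
    # P_k: g of degree t with g(0)=0, g(i)=alpha; h of degree 2t with h(0)=0, h(i)=beta
    g = rand_poly(t, {0: 0, i: alpha}, rng, p)
    h = rand_poly(2 * t, {0: 0, i: beta}, rng, p)
    others = [j for j in range(1, n + 1) if j != i]
    alpha_j = {j: lagrange_eval(g, j, p) for j in others}  # P_i gets no share
    beta_j = {j: lagrange_eval(h, j, p) for j in others}
    # every P_j (j != i) sends tau_j = alpha_j*s_j + beta_j to P_i
    tau_j = {j: (alpha_j[j] * shares[j] + beta_j[j]) % p for j in others}
    # P_i: the tau_j are values of q = g*f + h (degree 2t) at the points j != i,
    # and q(0) = g(0)f(0) + h(0) = 0 is known, so P_i has n >= 2t+1 points of q
    # and interpolates tau = q(i) = alpha*s_i + beta
    points = [(0, 0)] + sorted(tau_j.items())
    tau = lagrange_eval(points, i, p)
    return tau, alpha_j


def alpha_from_corrupted(alpha_j, corrupted, i, p=P):
    """The note on the protocol slide: t corrupted P_j (j != i) hold t points
    of the degree-t polynomial g, and g(0) = 0 is public, so they interpolate
    alpha = g(i).  Harmless unless P_i is corrupted as well."""
    pts = [(0, 0)] + [(j, alpha_j[j]) for j in corrupted]
    return lagrange_eval(pts, i, p)


def demo(seed=1, n=7, t=3, secret=123456, i=5, alpha=777, beta=999):
    """Run the whole flow with a seeded RNG and return the values to compare."""
    rng = random.Random(seed)
    sh = share(secret, n, t, rng)
    tau, alpha_j = mini_mpc(sh, i, alpha, beta, n, t, rng)
    t_plus_1_others = {j: sh[j] for j in range(1, t + 2)}  # t+1 shares, none is s_i
    return {
        "secret": secret,
        "reconstructed": reconstruct(t_plus_1_others),
        "s_i": sh[i],
        "s_i_from_others": reconstruct(t_plus_1_others, at=i),
        "tau": tau,
        "expected_tau": (alpha * sh[i] + beta) % P,
        "alpha": alpha,
        "alpha_recovered": alpha_from_corrupted(alpha_j, list(range(1, t + 1)), i),
    }
```

The only data $P_i$ ever receives are the $n-1$ values $\tau_j$ of $g \cdot f + h$, and the degree-$2t$ polynomial $h$ with its two fixed points $h(0) = 0$, $h(i) = \beta$ leaves those values uniformly random subject to the two known evaluations, which is why $P_i$ learns $\tau$ and nothing about $(\alpha, \beta)$.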
Conclusion

- There exists unconditionally-secure MPC with near-linear complexity.
- There exist cases where MPC improves efficiency.

Open problems:
- Improve the circuit-independent part of the complexity: $O(n^7 k)$
- Remove the restriction on the multiplicative depth of the circuit (also present in the simpler $t < n/3$ setting)
- What about non-threshold adversary structures? (MINI MPC crucially relies on Shamir's secret sharing scheme)