On Multiparty Garbling of Arithmetic Circuits Aner Ben-Efraim Ariel - PowerPoint PPT Presentation

On Multiparty Garbling of Arithmetic Circuits Aner Ben-Efraim Ariel University & Ben-Gurion University

Lecture Plan • MPC & Our Results • Garbled Circuits – Yao and BMR • Our Techniques and Constructions

What is secure multiparty computation? • Idea: parties compute a function of their inputs, revealing only the output, even if some of the parties are corrupt. – Examples: online auction, tender, elections, cloud computing…

What is secure multiparty computation? • Idea: parties compute a function of their inputs, revealing only the output, even if some of the parties are corrupt. – Examples: online auction, tender, elections, cloud computing… • Some desirable properties: Correctness Privacy Independence of Inputs Fairness Guaranteed Output Delivery Concrete Efficiency Efficiency

Secure Computation via Circuits – Idea Boolean circuits: 0 0 Outputs 0 0/1 values, AND, XOR, NOT gates • Natural for conditional statements • Arithmetic circuits: 0 1 Values in field or integers • Addition & multiplication gates • Natural for arithmetic computations • 1 0 0 1 1 1 0 1 0 Mixed Boolean-arithmetic computation • Neither circuit type is “natural” Bob’s inputs Alice’s inputs • Mixed Boolean-arithmetic circuit?

Low Latency vs. High Throughput High-Throughput Low Latency • Low bandwidth • Constant rounds of • Simple Computations communication 𝑄 𝑄 " " 𝑄 𝑄 # # “the secret-sharing approach” “the garbled-circuit approach” Examples: Yao, BMR Examples: GMW, BGW, SPDZ

Some Related Works on Garbled Circuits • Garbled circuits introduced [Yao82] • Multiparty garbled circuits introduced [BMR90] • Many optimizations to 2-party garbled circuit, e.g., – Row-reduction [NPS99,PSSW09,GLNP15], – Free-XOR [KS08] (extended to multiparty [BLO16]), – Half-Gates [ZRE15] • 2-party arithmetic garbled circuits – Based on LWE [AIK12] – By extending free-XOR and half-gates [MPs] – Using projection gates and CRT [BMR16]

The Natural Question Can we construct multiparty arithmetic garbed circuits efficiently ? • Some results extend directly – E.g., Free addition • Some results less trivial – Half gates? Multiplication gates? • Some results still unclear – E.g., can we efficiently extend [AIK12]?

Our Results 1. Efficient constant round secure multiparty protocol for arithmetic circuits • We extend free-addition and multiplication by a constant from 2-party [MPs, BMR16] to multiparty setting • We extend half-gates [ZRE15, MPs] to multiparty multiplication gates – [ZRE15] Half gates for 2-party Boolean – [MPs] Extended half gates to 2-party multiplication – [BMR16] Different 2-party multiplication using projection gates 2. Efficient constant round secure multiparty protocol for mixed Boolean-arithmetic garbled circuits • We show improved selector gates using new techniques

Lecture Plan ü MPC & Our Results • Garbled Circuits – Yao and BMR • Our Techniques and Constructions

Yao’s Protocol – Idea 0 Outputs 1 1 1 0 0 1 Bob’s inputs Alice’s inputs

Garbled Circuits [Yao] • Yao’s protocol has two parties: – Garbler – encrypts the circuit – Evaluator – evaluates the encrypted circuit • Point and permute: Allows evaluator to know which row to decrypt without learning wires’ values • Important observation: All gates can be garbled in parallel (also in multiparty)

Point and Permute [BMR90] • Every wire 𝜕 is assigned a secret random permutation bit 𝜇 & ∈ {0,1} – Intuitively, the 𝜇 bits create a permutation – In multiparty, the permutation bits are secret-shared • External value , 𝑓 & ≝ 𝜇 & ⊕ 𝑤 & , revealed at evaluation – 𝑤 & is real value on the wire – External value does not leak information on real value • Evaluation done according to the external values – Keys correspond to the external value – External value decides which row to decrypt

Point and Permute Illustration 𝜇 2 k k k k Encrypted/Garbled 0 0 z z 1 1 z z Truth Table: z Truth table: E ( k ) ∘ 0 x y z k 0 x, k 0 y 0 z E ( k ) 0 0 0 ∘ 0 k 0 x, k 1 y 0 z 0 1 0 E ( k ) ∘ 1 1 0 0 k 1 x, k 0 y 1 z 1 1 1 E ( k ) ∘ 0 k 1 x, k 1 y 0 z 𝜇 5 𝜇 3 = 0 𝜇 3 = 1 𝜇 3 y x k k k k k k k k 0 0 y y 1 1 y y 0 0 x x 1 1 x x 𝑓 & = 𝑤 & ⊕ 𝜇 & 0 1 𝑓 & – value seen by evaluator • Evaluator decrypts only one cipher-text per gate 𝑤 & – real value, corresponding to ungarbled computation • Only 𝜇 s of the circuit output wires are revealed to the evaluator

Multiparty Garbling of a Single Gate k k 𝜇 2 Garbled 0 z 1 z Truth Table: z Truth table: E ( k ) k 0 x, k 0 y 0 z x y z E ( k ) 0 0 0 k 0 x, k 1 y 0 z 0 1 0 E ( k ) 1 0 0 k 1 x, k 0 y 1 z 1 1 1 E ( k ) k 1 x, k 1 y 0 z 𝜇 5 𝜇 3 y x k k k k 0 y 1 y 0 x 1 x • Each wire key is a set of keys: 𝒍 = 𝑙 " , … , 𝑙 M Both 𝑗 th keys known only to party 𝑗 • • The 𝜇 s are not known by any of the parties. Exceptions: Parties learn 𝜇 s of their input wires • The 𝜇 s of the circuit output wires are revealed to evaluator(s) • • Keys corresponding to chosen inputs revealed to all the parties Keys correspond to external values, do not reveal inputs •

Multiparty Computation via Garbling Offline Phase: 1. Parties compute garbled circuit (using MPC sub-protocol) Online Phase: 2. Parties exchange input external values and corresponding keys 3. Each party locally computes the outputs of the circuit

2-party multiparty Free XOR [KS08,BLO16] 𝜇 2 k k k k Δ ⊕ z z 0 z 1 z z Truth table: x y z 0 0 0 0 1 0 1 0 0 1 1 1 𝜇 5 𝜇 3 y x k k k k k k Δ k k Δ ⊕ ⊕ 0 y 1 y x x y y 0 x 1 x • Party 𝑗 chooses a global key offset ∆ i and sets the difference of its keys to be ∆ i for all the wires • Induces a global key set offset ∆ = ∆ 1 ,…,∆ n

Free XOR 𝜇 2 ≝ 𝜇 3 ⊕ 𝜇 5 𝒍 𝑨 ≝ 𝒍 𝑦 ⊕ 𝒍 𝑧 𝜇 2 k k Δ ⊕ z z z Truth table: x y z 0 0 0 0 1 1 1 0 1 1 1 0 𝜇 3 𝜇 5 y x k k Δ k k Δ ⊕ ⊕ x x y y • Party 𝑗 chooses a global key offset ∆ i and sets the difference of its keys to be ∆ i for all the wires • Induces a global key set offset ∆ = ∆ 1 ,…,∆ n • XOR gates do not require encryption or communication! * * The fine print: • Free XOR relies on circular correlation robustness of the underlying hash function • All the secret-sharing schemes must be in Characteristic 2

Lecture Plan ü MPC & Our Results ü Garbled Circuits – Yao and BMR • Our Techniques and Constructions

2-party Extending Free-XOR [MPs,BMR16] • Working in characteristic 2 ⇒ working in characteristic 𝑞 Characteristic 2 Characteristic 𝒒 Permutation bit 𝜇 & ∈ 𝔾 V 𝜇 & ∈ 0,1 External value 𝑓 & = 𝜇 & ⊕ 𝑤 & 𝑓 & = 𝜇 & + 𝑤 & (in 𝔾 V ) 𝑙 Z , Δ Z ∈ 0,1 \ 𝑙 Z , Δ Z ∈ (𝔾 V ) \ Keys, Global offsets 𝑞 keys 2 keys #Keys 𝒍 " = 𝒍 ^ ⊕ 𝚬 𝒍 ] = 𝒍 ^ + 𝛽𝚬 Free addition 𝜇 2 ≝ 𝜇 3 + 𝜇 5 Free-XOR 𝒍 2 ≝ 𝒍 3 + 𝒍 5 𝜇 2 ≝ 𝜇 3 ⊕ 𝜇 5 Free multiplication 𝒍 2 ≝ 𝒍 3 ⊕ 𝒍 5 by a constant c ≠ 0 𝜇 2 ≝ 𝑑𝜇 3 Observation for multiparty: 𝒍 2 ≝ 𝑑𝒍 3 𝜇 secret - shared in characteristic p field

2-party 2-party Boolean Arithmetic Half Gates [ZRE15,MPs] Idea Overview • For each AND gate: garble 2 “half gates” and XOR results – Each half gate uses only 1 key for encryption/decryption • Requires only 2 encryptions – XOR is free – Total 4 encryptions (but saves communication in 2-party ) • Idea: 𝑤 3 𝑤 5 = 𝑤 3 𝑤 5 ⊕ 𝜇 5 ⊕ 𝜇 5 𝑤 3

Half Gates: Idea Sketch 𝑤 5 𝑤 3 (𝑤 5 ⊕ 𝜇 5 ) 𝜇 5 h 𝜇 2 𝑤 3 𝑤 5 h ⊕ 𝜇 2 𝜇 2 = 𝜇 2 𝜇 2 𝜇 5 𝑤 3 𝑤 3 𝜇 2 𝜇 3

Half Gates • For each AND gate: garble 2 “half gates” and XOR results – Each half gate uses only 1 key for encryption/decryption • Requires only 2 encryptions – XOR is free – Total 4 encryptions • Idea: 𝑓 2 = 𝑤 3 𝑤 5 ⊕ 𝜇 2 = 𝑤 3 𝑤 5 ⊕ 𝜇 5 ⊕ 𝜇 5 𝑤 3 ⊕ 𝜇 2 • Observations: 2 encryptions “free” h = 𝑓 3 𝑓 5 ⊕ 𝜇 3 𝑓 5 ⊕ 𝜇 2 h 1. 𝑤 3 𝑤 5 ⊕ 𝜇 5 ⊕ 𝜇 2 2. 𝜇 5 𝑤 3 ⊕ 𝜇 2 = 𝜇 5 𝑓 3 ⊕ 𝜇 5 𝜇 3 ⊕ 𝜇 2 2 encryptions Independent of real value Known by evaluator

Multiparty Garbling of Half-Gates k k 𝜇 2 Garbled 0 z 1 z Truth Tables: z Truth table: k E ( ) 𝒍 � k 0 x z x y z k E ( ) 𝒍 � k 1 x z 0 0 0 0 1 0 l 1 0 0 E ( ) 𝒍 � 1 k 0 y z 1 1 l E ( ) 𝒍 𝜇 5 � k 1 y z 𝜇 3 y x k k k k 0 y 1 y 0 x 1 x • Partitioning of permutation bit and keys required m 2 ⊕ 𝜇̅ 2 – 𝜇 2 = 𝜇 Z = 𝑙 k 2 ⊕ 𝒍 l 2 o Z2 ⊕ 𝑙 p Z2 ) – 𝒍 2 = 𝒍 ( 𝑙 2 • “Key of 𝑓 3 𝑓 5 ” computed without encryption – Set to be 𝑓 5 𝒍 q r ,3 (some technical issues) – Output key = summation of both decrypted keys and key of 𝑓 3 𝑓 5