Eurocrypt 2018
Overdrive: Making SPDZ Great Again
Marcel Keller, Valerio Pastro, and Dragos Rotaru
University of Bristol, Yale University, KU Leuven
M. Keller, V. Pastro, Dragos Rotaru imec-Cosic, Dept. Electrical Engineering
What’s all the fuss about?
Goal: Compute F(a, b, c)
Security Model
• Many parties (up to N)
• Malicious adversary
• Dishonest majority of corrupted parties
Malicious MPC protocols
• Preprocessing phase: PKC
• Online phase: Inputs
• SPDZ, TinyOT, BDOZa, MASCOT
Secret share then authenticate
$\alpha = \alpha_1 + \alpha_2 + \alpha_3$
$y = y_1 + y_2 + y_3$
$\alpha \cdot y = \gamma(y)_1 + \gamma(y)_2 + \gamma(y)_3$
Secret share then authenticate
$\alpha = \alpha_1 + \alpha_2 + \alpha_3$
$y + z = (y + z)_1 + (y + z)_2 + (y + z)_3$
$\alpha \cdot (y + z) = \gamma(y + z)_1 + \gamma(y + z)_2 + \gamma(y + z)_3$
Secret share then authenticate
But we want to multiply!
Let’s do it – what do we need?
What we have done
Fastest triple generation!
How to multiply shared inputs with triples (Beaver’s Trick)
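The sharing-plus-MAC scheme from the "Secret share then authenticate" slides and the Beaver's-trick multiplication named above, as an added Python example (not from the talk or the SPDZ-2 code base). It assumes a trusted dealer in place of the preprocessing phase, a toy 61-bit prime field and hypothetical function names; the MAC check is simplified (no commitments, and the two openings inside the multiplication are not themselves checked).

```python
import secrets

P = 2**61 - 1  # toy prime field modulus (constructed parameter, an assumption)

def share(v, n=3):
    """Additive sharing: n values that sum to v mod P."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    return parts + [(v - sum(parts)) % P]

def auth_share(v, alpha):
    """Trusted-dealer stand-in: per-party (y_i, gamma(y)_i), sum gamma(y)_i = alpha*y."""
    return list(zip(share(v), share(alpha * v % P)))

def add(xs, ys):
    """Local addition: value shares and MAC shares add component-wise."""
    return [((x + y) % P, (mx + my) % P) for (x, mx), (y, my) in zip(xs, ys)]

def scale(xs, c):
    """Local multiplication by a public constant c."""
    return [(c * x % P, c * m % P) for x, m in xs]

def add_const(xs, c, alpha_sh):
    """Add public c: party 0 shifts its value share, all add alpha_i*c to the MAC."""
    return [((x + (c if i == 0 else 0)) % P, (m + a * c) % P)
            for i, ((x, m), a) in enumerate(zip(xs, alpha_sh))]

def open_(xs):
    """Reveal the shared value by summing the value shares."""
    return sum(x for x, _ in xs) % P

def mac_check(xs, opened, alpha_sh):
    """Each party reveals m_i - alpha_i*opened; the sum is 0 iff the MAC matches."""
    return sum(m - a * opened for (_, m), a in zip(xs, alpha_sh)) % P == 0

def beaver_mul(xs, ys, triple, alpha_sh):
    """Multiply shared x and y using one preprocessed triple (a, b, c = a*b)."""
    a, b, c = triple
    eps = open_(add(xs, scale(a, P - 1)))  # x - a: a is a one-time mask
    rho = open_(add(ys, scale(b, P - 1)))  # y - b
    # x*y = c + eps*b + rho*a + eps*rho, linear in the shared values
    z = add(add(c, scale(b, eps)), scale(a, rho))
    return add_const(z, eps * rho % P, alpha_sh)

def demo():
    alpha = 1 + secrets.randbelow(P - 1)  # global MAC key, never opened
    alpha_sh = share(alpha)
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    triple = (auth_share(a, alpha), auth_share(b, alpha), auth_share(a * b % P, alpha))
    z = beaver_mul(auth_share(6, alpha), auth_share(7, alpha), triple, alpha_sh)
    forged = [((z[0][0] + 1) % P, z[0][1])] + z[1:]  # party 0 shifts its share by 1
    return open_(z), mac_check(z, open_(z), alpha_sh), mac_check(forged, open_(forged), alpha_sh)
```

`demo()` multiplies shared 6 and 7, then shows that a value share shifted by one party no longer passes the MAC check.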
Revisit, improve, revisit…
• BDOZa (BDOZ’11): Semi-homomorphic encryption
• Low Gear
• MASCOT (KOS’16): Triple Sacrificing technique
• SPDZ-1 (DPSZ’12): Depth-1 SHE (NTL), ZK Proof
• High Gear
• SPDZ-2 (DKL+’13): Depth-1 SHE (Dedicated BGV)
LAN Timings
SPDZ-1 recap
• Enc(a[1]), Enc(a[2]), Enc(a[3]), Enc(b[1]), Enc(b[2]), Enc(b[3])
• C = C[1] + C[2] + C[3]
• Parties may lie about their plaintext - incorrect decryption, reveal info about secret keys.
• Need to add ZK proofs for bounding the plaintext
How to 0-knowledge
Prover (holds x): "I know my eX!"
Verifier (holds f(x)): "Not sure. Let’s verify!"
• Commitment: f’(r)
• Challenge: E
• Response: r+E(x)
Verifier: "I have negligible doubts."
• f’(r+E(x)) = f’(r)+E(f(x))
• r+E(x) is bounded
• r >> x, r/x is called slack
To slack or not to slack
• ZKPoPk: to prove that x < B we need an encryption scheme which supports plaintexts < B * slack
• "Well, that’s a big ciphertext."
• Slack is:
  • ~2^50 for 40-bit security
  • ~2^100 for 128-bit security
• Improve the ZK slack analysis.
• With depth-1 BGV the slack becomes tiny tiny because of the modulus switching.
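The commit/challenge/response check from the "How to 0-knowledge" slide and the response bound that creates slack, as an added toy example in Python (not from the talk or the SPDZ-2 code base). Assumptions: a linear map mod Q stands in for the encryption function f, the challenge is a single bit, and B, SLACK and all names are constructed.

```python
import secrets

# Constructed toy parameters (assumptions, not the talk's values).
Q = 2**127 - 1             # modulus of the toy map
A = 0x1234567890ABCDEF     # public coefficient of the toy map
B = 2**10                  # bound an honest witness satisfies: |x| <= B
SLACK = 2**20              # mask range is SLACK times the witness bound
R = B * SLACK              # mask r is uniform in [-R, R], so r >> x
Z_MAX = R + B              # largest honest response |r + e*x|

def f(x):
    """Toy stand-in for encryption: linear, so f(u + v) = f(u) + f(v) mod Q."""
    return A * x % Q

def commit():
    """Prover picks the mask r and sends the commitment f(r)."""
    r = secrets.randbelow(2 * R + 1) - R
    return r, f(r)

def respond(x, r, e):
    """Response r + e*x, computed over the integers so its size can be checked."""
    return r + e * x

def verify(fx, com, e, z):
    """Verifier: the response is bounded and f(z) = f(r) + e*f(x)."""
    return abs(z) <= Z_MAX and f(z) == (com + e * fx) % Q

def honest_run(x):
    """One honest execution with a random bit challenge."""
    r, com = commit()
    e = secrets.randbelow(2)
    return verify(f(x), com, e, respond(x, r, e))

def passes_both_challenges(x, r):
    """True if witness x with mask r is accepted for e = 0 and for e = 1."""
    return all(verify(f(x), f(r), e, respond(x, r, e)) for e in (0, 1))

def extract(z0, z1):
    """Accepted responses to e = 0 and e = 1 on one commitment give x = z1 - z0."""
    return z1 - z0

def proven_bound():
    """|z1 - z0| <= 2*Z_MAX is all the verifier can conclude about |x|."""
    return 2 * Z_MAX
```

`passes_both_challenges(2 * Z_MAX, -Z_MAX)` is accepted although that witness is about 2 * SLACK times larger than B, which is why the scheme has to support plaintexts up to roughly B * slack.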
Some ciphertexts need no slack
High Gear: SPDZ-1 with global proof
• Figure labels, separate verifications: V(P(Alice)), V(P(Bob)), V(P(Charlie)), each shown twice
• Figure labels, combined verifications: V(P(Alice)+P(Bob)), V(P(Bob)+P(Charlie)), V(P(Alice)+P(Charlie))
Low Gear vs High Gear, the tipping point
• 224k Triples/s
• 6 parties
• 64 CPUs, 488Gb RAM, 25Gb Network
100 party Vickrey Auction
• AWS m3.2xlarge
• 8 CPUs, 30Gb RAM, 10Gb Network
Code lives on the internetz
https://github.com/bristolcrypto/SPDZ-2
Open problem alert:
• In the Low Gear protocol we assumed semi-homomorphic BGV is a linear only encryption scheme.
• Can you create ciphertexts which decrypt to non-linear plaintexts without the KS info? Known as linear target malleability [BCI+13] or linear only encryption [BISW17].
Thank you!
• Questions?
Tiny advert: SCALE at TPMPC
• SCALE (Secure Computation Algorithms from Leuven)
• We do a better analysis of the ZK proofs involved.
• Pre-processing phase coupled with the online phase.
• Compiler is documented, people can read how to use it.
• Other bells and whistles.