
Reducing Communication Channels in MPC Marcel Keller 1,2 Dragos - PowerPoint PPT Presentation



  1. Reducing Communication Channels in MPC. Marcel Keller (1,2), Dragos Rotaru (1,3), Nigel Smart (1,3), Tim Wood (1,3). (1) University of Bristol, (2) Data61, (3) KU Leuven/COSIC ESAT. 1/35

  2. Outline: Goal; Generalising MPC; Tools; Performing MPC. 2/35

  3. Outline: Goal; Generalising MPC; Tools; Performing MPC. 3/35

  4. What is MPC? 4/35

  5. What is MPC? [Figure: parties $P_1, \dots, P_7$ arranged around $F$] 4/35

  6. What is MPC? [Figure: parties $P_1, \dots, P_7$ arranged around $F$] 4/35

  7. What is MPC? [Figure: two copies of the parties $P_1, \dots, P_7$, one of them arranged around $F$] 4/35

  8. What is MPC? [Figure: two copies of the parties $P_1, \dots, P_7$, one of them arranged around $F$, related by ≈] 4/35

  9. What is MPC? [Figure: two copies of the parties $P_1, \dots, P_7$, one of them arranged around $F$, related by ≈] Various guarantees: Privacy/Secrecy, Correctness, Fairness, etc. 4/35

  10. What is MPC? Types: garbled circuits; secret-sharing. 5/35

  11. What is MPC? Types: garbled circuits; secret-sharing. Examples: general MPC (e.g. SPDZ, MASCOT, Yao, etc.); PSI; auctions. 5/35

  12. What is MPC? Types: garbled circuits; secret-sharing. Examples: general MPC (e.g. SPDZ, MASCOT, Yao, etc.); PSI; auctions. Corruption models: active/passive; static/adaptive; etc. 5/35

  13. Goal. This work: communication-efficient actively-secure MPC arithmetic circuit evaluation for any $Q_2$ access structure, as part of the overarching goal: efficient (1) MPC protocols for any access structure. Footnote (1): communication/computation cost. 6/35

  14. Related Work. Previous best-known protocol was due to Maurer [Mau06]: passively-secure for $Q_2$ structures, actively-secure for $Q_3$. [Mau06] Secure Multi-party Computation Made Simple, Journal of Discrete Applied Mathematics, 2006. 7/35

  15. Related Work. Previous best-known protocol was due to Maurer [Mau06]: passively-secure for $Q_2$ structures, actively-secure for $Q_3$. Araki et al. [AFLNO16] give active security in the (3,1)-threshold case with efficient “hash-check” authentication. [Mau06] Secure Multi-party Computation Made Simple, Journal of Discrete Applied Mathematics, 2006. [AFLNO16] High-Throughput Semi-Honest Secure Three-Party Computation with an Honest Majority, CCS 2016. 7/35

  16. Related Work. Previous best-known protocol was due to Maurer [Mau06]: passively-secure for $Q_2$ structures, actively-secure for $Q_3$. Araki et al. [AFLNO16] give active security in the (3,1)-threshold case with efficient “hash-check” authentication. Our contribution: generalise to any $Q_2$ access structure for any number of parties, and optimise the communication (2). [Mau06] Secure Multi-party Computation Made Simple, Journal of Discrete Applied Mathematics, 2006. [AFLNO16] High-Throughput Semi-Honest Secure Three-Party Computation with an Honest Majority, CCS 2016. Footnote (2): Asymptotics are hard to give because it depends on the access structure. 7/35

  17. Outline: Goal; Generalising MPC; Tools; Performing MPC. 8/35

  18. Access Structures. Definition by example. [Figure: lattice of the subsets of {1,2,3,4}: {1,2,3,4}; {1,2,3}, {1,2,4}, {1,3,4}, {2,3,4}; {1,2}, {1,3}, {1,4}, {2,3}, {2,4}, {3,4}; {1}, {2}, {3}, {4}; ∅] $Q_2$: union of no two unqualified sets is {1,2,3,4}. 9/35

  19. Access Structures. Specify minimally qualified sets. [Figure: same subset lattice] $Q_2$: union of no two unqualified sets is {1,2,3,4}. 9/35

  20. Access Structures. Check monotonicity. [Figure: same subset lattice] $Q_2$: union of no two unqualified sets is {1,2,3,4}. 9/35

  21. Access Structures. Decide on remaining sets. [Figure: same subset lattice] $Q_2$: union of no two unqualified sets is {1,2,3,4}. 9/35

  22. Access Structures. Determine maximally-unqualified sets. [Figure: same subset lattice] $Q_2$: union of no two unqualified sets is {1,2,3,4}. 9/35

  23. Replicated Secret-sharing. Starting with the access structure $\Delta^+ = \{\{1\}, \{2,3\}, \{2,4\}, \{3,4\}\}$ we obtain replicated secret sharing by taking the complements $\mathcal{B} = \{\{2,3,4\}, \{1,4\}, \{1,3\}, \{1,2\}\}$ and sharing a secret $s$ by letting $s = s_{\{2,3,4\}} + s_{\{1,4\}} + s_{\{1,3\}} + s_{\{1,2\}}$ where $\{s_B\}_{B \in \mathcal{B}} \xleftarrow{\$} \mathbb{F}$ subject to $s = \sum_{B \in \mathcal{B}} s_B$. Then $s_B$ is sent to all parties whose party index is in $B$. Denote by $[\![s]\!]$ 10/35

  24. Replicated Secret-sharing. $s = s_{\{2,3,4\}} + s_{\{1,4\}} + s_{\{1,3\}} + s_{\{1,2\}}$. Thus the parties have shares as follows:
     $P_1$: $s_{\{1,2\}}$, $s_{\{1,3\}}$, $s_{\{1,4\}}$
     $P_2$: $s_{\{2,3,4\}}$, $s_{\{1,2\}}$
     $P_3$: $s_{\{2,3,4\}}$, $s_{\{1,3\}}$
     $P_4$: $s_{\{2,3,4\}}$, $s_{\{1,4\}}$
     11/35

  25. Linear operations for free. $[\![s]\!] + [\![t]\!] = [\![u]\!]$, each party adding the shares it holds:
     $P_1$: $u_{\{1,2\}} = s_{\{1,2\}} + t_{\{1,2\}}$, $u_{\{1,3\}} = s_{\{1,3\}} + t_{\{1,3\}}$, $u_{\{1,4\}} = s_{\{1,4\}} + t_{\{1,4\}}$
     $P_2$: $u_{\{1,2\}} = s_{\{1,2\}} + t_{\{1,2\}}$, $u_{\{2,3,4\}} = s_{\{2,3,4\}} + t_{\{2,3,4\}}$
     $P_3$: $u_{\{1,3\}} = s_{\{1,3\}} + t_{\{1,3\}}$, $u_{\{2,3,4\}} = s_{\{2,3,4\}} + t_{\{2,3,4\}}$
     $P_4$: $u_{\{1,4\}} = s_{\{1,4\}} + t_{\{1,4\}}$, $u_{\{2,3,4\}} = s_{\{2,3,4\}} + t_{\{2,3,4\}}$
     12/35

  26. Goal: communication-efficient actively-secure MPC arithmetic circuit evaluation for any $Q_2$ access structure. Arithmetic circuits: – Additions; – Multiplications. 13/35

  27. Goal: communication-efficient actively-secure MPC arithmetic circuit evaluation for any $Q_2$ access structure. Arithmetic circuits: ✓ Additions: for free; – Multiplications. 13/35

  28. Goal: communication-efficient actively-secure MPC arithmetic circuit evaluation for any $Q_2$ access structure. Arithmetic circuits: ✓ Additions: for free; – Multiplications: we will require Tool 1: Passive multiplication, and Tool 2: Efficient opening procedure. 13/35

  29. Outline: Goal; Generalising MPC; Tools; Performing MPC. 14/35

  30. Tool 1: Passive Multiplication. Theorem [1]: If $Q_2$, each cross term is computable by at least one party. $P_1, P_2, P_3, P_4$ can compute an additive sharing of the product:
     $st = s_{\{2,3,4\}} \cdot t_{\{2,3,4\}} + s_{\{2,3,4\}} \cdot t_{\{1,4\}} + s_{\{2,3,4\}} \cdot t_{\{1,3\}} + s_{\{2,3,4\}} \cdot t_{\{1,2\}}$
     $\quad + s_{\{1,4\}} \cdot t_{\{2,3,4\}} + s_{\{1,4\}} \cdot t_{\{1,4\}} + s_{\{1,4\}} \cdot t_{\{1,3\}} + s_{\{1,4\}} \cdot t_{\{1,2\}}$
     $\quad + s_{\{1,3\}} \cdot t_{\{2,3,4\}} + s_{\{1,3\}} \cdot t_{\{1,4\}} + s_{\{1,3\}} \cdot t_{\{1,3\}} + s_{\{1,3\}} \cdot t_{\{1,2\}}$
     $\quad + s_{\{1,2\}} \cdot t_{\{2,3,4\}} + s_{\{1,2\}} \cdot t_{\{1,4\}} + s_{\{1,2\}} \cdot t_{\{1,3\}} + s_{\{1,2\}} \cdot t_{\{1,2\}}$
     $M_1 \cup M_2 \subsetneq \mathcal{P} \;\; \forall M_1, M_2 \in \Delta^+ \iff B_1 \cap B_2 \neq \emptyset \;\; \forall B_1, B_2 \in \mathcal{B}$
     15/35

  31. Tool 1: Passive Multiplication. Theorem [1]: If $Q_2$, each cross term is computable by at least one party. $P_1, P_2, P_3, P_4$ can compute an additive sharing of the product:
     $st = s_{\{2,3,4\}} \cdot t_{\{2,3,4\}} + s_{\{2,3,4\}} \cdot t_{\{1,4\}} + s_{\{2,3,4\}} \cdot t_{\{1,3\}} + s_{\{2,3,4\}} \cdot t_{\{1,2\}}$
     $\quad + s_{\{1,4\}} \cdot t_{\{2,3,4\}} + s_{\{1,4\}} \cdot t_{\{1,4\}} + s_{\{1,4\}} \cdot t_{\{1,3\}} + s_{\{1,4\}} \cdot t_{\{1,2\}}$
     $\quad + s_{\{1,3\}} \cdot t_{\{2,3,4\}} + s_{\{1,3\}} \cdot t_{\{1,4\}} + s_{\{1,3\}} \cdot t_{\{1,3\}} + s_{\{1,3\}} \cdot t_{\{1,2\}}$
     $\quad + s_{\{1,2\}} \cdot t_{\{2,3,4\}} + s_{\{1,2\}} \cdot t_{\{1,4\}} + s_{\{1,2\}} \cdot t_{\{1,3\}} + s_{\{1,2\}} \cdot t_{\{1,2\}}$
     E.g. $P_2$ computes $u^{(2)} := s_{\{2,3,4\}} \cdot t_{\{1,2\}} + s_{\{1,2\}} \cdot t_{\{2,3,4\}} + s_{\{1,2\}} \cdot t_{\{1,2\}}$
     15/35

  32. Tool 1: Passive Multiplication – Maurer-style. Reshare each summand to get $[u^{(1)}]$, $[u^{(2)}]$, $[u^{(3)}]$ and $[u^{(4)}]$. 16/35

  33. Tool 1: Passive Multiplication – Maurer-style. Reshare each summand to get $[u^{(1)}]$, $[u^{(2)}]$, $[u^{(3)}]$ and $[u^{(4)}]$. E.g. $P_1$ additively splits $u^{(1)}$ as $u^{(1)} = u^{(1)}_{\{1,2\}} + u^{(1)}_{\{1,3\}} + u^{(1)}_{\{1,4\}} + u^{(1)}_{\{2,3,4\}}$ and sends shares. [Figure: parties $P_1$, $P_2$, $P_3$, $P_4$] 16/35

  34. Tool 1: Passive Multiplication – Maurer-style. Reshare each summand to get $[u^{(1)}]$, $[u^{(2)}]$, $[u^{(3)}]$ and $[u^{(4)}]$. E.g. $P_1$ additively splits $u^{(1)}$ as $u^{(1)} = u^{(1)}_{\{1,2\}} + u^{(1)}_{\{1,3\}} + u^{(1)}_{\{1,4\}} + u^{(1)}_{\{2,3,4\}}$ and sends shares. [Figure: parties $P_1$, $P_2$, $P_3$, $P_4$, with share $u^{(1)}_{\{1,2\}}$ shown] 16/35

  35. Tool 1: Passive Multiplication – Maurer-style. Reshare each summand to get $[u^{(1)}]$, $[u^{(2)}]$, $[u^{(3)}]$ and $[u^{(4)}]$. E.g. $P_1$ additively splits $u^{(1)}$ as $u^{(1)} = u^{(1)}_{\{1,2\}} + u^{(1)}_{\{1,3\}} + u^{(1)}_{\{1,4\}} + u^{(1)}_{\{2,3,4\}}$ and sends shares. [Figure: parties $P_1$, $P_2$, $P_3$, $P_4$, with share $u^{(1)}_{\{1,3\}}$ shown] 16/35

  36. Tool 1: Passive Multiplication – Maurer-style. Reshare each summand to get $[u^{(1)}]$, $[u^{(2)}]$, $[u^{(3)}]$ and $[u^{(4)}]$. E.g. $P_1$ additively splits $u^{(1)}$ as $u^{(1)} = u^{(1)}_{\{1,2\}} + u^{(1)}_{\{1,3\}} + u^{(1)}_{\{1,4\}} + u^{(1)}_{\{2,3,4\}}$ and sends shares. [Figure: parties $P_1$, $P_2$, $P_3$, $P_4$, with share $u^{(1)}_{\{1,4\}}$ shown] 16/35
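
An added example, not code from the slides or from the authors' implementation: a single-process Python simulation of the replicated sharing on slides 23 to 25 and the Maurer-style passive multiplication on slides 30 to 36, for the same four-party access structure. The field modulus, all function names, and the rule that assigns each cross term to the highest-indexed party in B1 ∩ B2 are assumptions; that rule happens to give P2 exactly the three terms of u^(2) shown on slide 31.

```python
import secrets
from itertools import product

MODULUS = 2**61 - 1  # assumed prime field; the slides only say "F"
PARTIES = frozenset({1, 2, 3, 4})
# Maximally unqualified sets (Delta^+ on slide 23) and their complements B.
DELTA_PLUS = [frozenset(m) for m in ({1}, {2, 3}, {2, 4}, {3, 4})]
B_SETS = [PARTIES - m for m in DELTA_PLUS]

def is_q2(delta_plus, parties):
    """Q2: the union of no two unqualified sets is the full party set."""
    return all(m1 | m2 != parties for m1 in delta_plus for m2 in delta_plus)

def share(s):
    """Pick random s_B with sum s; party i receives every s_B with i in B."""
    vals = [secrets.randbelow(MODULUS) for _ in B_SETS[1:]]
    vals.insert(0, (s - sum(vals)) % MODULUS)
    by_set = dict(zip(B_SETS, vals))
    return {i: {b: v for b, v in by_set.items() if i in b} for i in PARTIES}

def reconstruct(views):
    """Pool the given parties' shares; fails if some s_B is missing."""
    merged = {}
    for view in views:
        merged.update(view)
    if len(merged) != len(B_SETS):
        raise ValueError("unqualified set of parties: a share is missing")
    return sum(merged.values()) % MODULUS

def add(x, y):
    """Addition is local: each party adds the shares with the same index set."""
    return {i: {b: (x[i][b] + y[i][b]) % MODULUS for b in x[i]} for i in PARTIES}

def passive_mul(x, y):
    """Party i sums the cross terms s_B1 * t_B2 assigned to it (B1 & B2 is
    non-empty by Q2), reshares that summand u^(i), and all resharings are added."""
    total = None
    for i in sorted(PARTIES):
        u_i = sum(x[i][b1] * y[i][b2] for b1, b2 in product(B_SETS, B_SETS)
                  if max(b1 & b2) == i) % MODULUS
        fresh = share(u_i)  # stands in for party i dealing [u^(i)] to the others
        total = fresh if total is None else add(total, fresh)
    return total
```

This models the passive protocol only; it has none of the checks an actively-secure evaluation needs.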
