Two-round Secure MPC from Minimal Assumptions
Sanjam Garg, Akshayaram Srinivasan
University of California, Berkeley
Eurocrypt 2018
Secure Two-Party Computation [Yao 86]
“Securely” compute a function of the two parties' inputs.
• Two rounds are necessary.
• Garbled circuits + two-round OT => two-round secure 2-PC
• Minimal assumptions
Secure Multiparty Computation [Goldreich-Micali-Wigderson 87]
Compute a function of all the parties' inputs.
[Figure: the parties, each holding its own input]
Secure Multiparty Computation [Yao 86, Goldreich-Micali-Wigderson 87]
Nothing is learned about the honest parties' inputs apart from the output of the function.
[Figure: the parties, each holding its own input]
What is known?
• Goldreich-Micali-Wigderson protocol.
• Number of rounds grows with the depth of the circuit.
• Long line of work reducing the round complexity [BMR90,…].
• Two-round secure MPC protocols [GGHR14, GLS15, MW16, BGI17, GS17].
• Gap in the assumptions sufficient for two-round MPC and 2PC.
Can we construct two-round MPC from weaker assumptions?
Our Work
Two-round protocol for secure multiparty computation from any two-round oblivious transfer.
• Semi-honest: From any two-round OT in the plain model.
• Malicious: From any two-round maliciously secure OT in the CRS model.
Concurrent and independent work by Benhamouda-Lin 18
Main Idea
Round Compression
A protocol securely computes a function of the parties' inputs.
[Figure: the parties, each holding its own input]
Round Compression
Two broadcast rounds
[Figure: the parties, each holding its own input]
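Toy protocol
Toy function of three input bits; its output has the form (bit, bit ∧ bit, bit ∧ bit ∧ bit).
[Figure: the inputs and the messages of Round-1, Round-2 and Round-3: a bit, a two-way ∧ and a three-way ∧]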
Round Compression using Garbled Circuits
Garbled Circuits [Yao 86, Applebaum-Ishai-Kushilevitz 04, Bellare-Hoang-Rogaway 12]
[Figure: a Boolean circuit and its garbled form, with labels for the input wires]
Garbled Circuits [Yao 86, Applebaum-Ishai-Kushilevitz 04, Bellare-Hoang-Rogaway 12]
Evaluation: the garbled circuit, evaluated on the labels of an input, yields the circuit's output on that input.
Garbled Circuits [Yao 86, Applebaum-Ishai-Kushilevitz 04, Bellare-Hoang-Rogaway 12]
Leaks only: the circuit's output on the evaluated input.
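As an added illustration (not code from the slides or from the authors), the following Python sketch garbles and evaluates a two-gate circuit computing the AND of three bits, the shape of the last output of the toy function. The hash-based row encryption, the zero-tag check and all names are assumptions chosen for readability; delivery of the input labels, which the talk does with OT, is left out.

```python
import hashlib, secrets

LABEL = 16  # bytes per wire label (constructed parameter)

def H(la, lb, gate_id):
    # Row key derived from one label per input wire (SHA-256 as a stand-in KDF).
    return hashlib.sha256(la + lb + bytes([gate_id])).digest()

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def new_wire():
    # (label for bit 0, label for bit 1); a label reveals nothing about its bit.
    return secrets.token_bytes(LABEL), secrets.token_bytes(LABEL)

def garble_and(gate_id, wa, wb, wout):
    # Encrypt the right output label under every pair of input labels.
    rows = [xor(H(wa[a], wb[b], gate_id), wout[a & b] + bytes(LABEL))
            for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(rows)  # hide which row is which
    return rows

def eval_and(gate_id, rows, la, lb):
    # Holding one label per wire, only the matching row opens to a zero tag
    # (a wrong row passes the check with probability 2^-128).
    pad = H(la, lb, gate_id)
    for row in rows:
        plain = xor(pad, row)
        if plain[LABEL:] == bytes(LABEL):
            return plain[:LABEL]
    raise ValueError("labels do not open any row")

def garble_and3():
    # Circuit: out = (a AND b) AND c
    w = {n: new_wire() for n in ("a", "b", "c", "ab", "out")}
    gates = [garble_and(0, w["a"], w["b"], w["ab"]),
             garble_and(1, w["ab"], w["c"], w["out"])]
    decode = {w["out"][0]: 0, w["out"][1]: 1}  # output decoding table
    return gates, w, decode

def evaluate_and3(gates, decode, la, lb, lc):
    mid = eval_and(0, gates[0], la, lb)  # intermediate label, bit unknown
    return decode[eval_and(1, gates[1], mid, lc)]

def run(a, b, c):
    # Garbler and evaluator in one process, for demonstration only.
    gates, w, decode = garble_and3()
    return evaluate_and3(gates, decode, w["a"][a], w["b"][b], w["c"][c])
```

The evaluator only ever holds one label per wire, so the intermediate value stays hidden and only the decoded output is learned.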
How to Compress the Toy Protocol to 2 rounds?
Two-Round Protocol: High-level Idea
[Figure: the parties' inputs, with Round-1 and Round-2 of the compressed protocol; one part is marked "Implements the 2nd round" and another "Implements the 3rd round"]
How do the garbled circuits implement rounds?
[Figure: garbled circuits computing the Round-2 and Round-3 messages (the two-way and three-way ∧)]
In [GS17], we achieved this by a special-purpose WE [GGSW13, DG17].
Making the garbled circuits “talk” from OT
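Oblivious Transfer [Rabin 81]
[Figure: two-message oblivious transfer. The receiver computes the first message from its choice bit and randomness; the sender computes the second message from the first message and its two inputs; the receiver recovers the chosen input from the second message.]
Two-message OTs are known from a variety of assumptions [AIR01, NP01, PVW08].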
Two-Round Protocol for Toy Function
[Figure: Round-1 carries two OT first messages, one for choice 0 ∧ (input bit) and one for 1 ∧ (input bit), each with its own randomness; Round-2 follows]
Functions computed by Garbled Circuits
[Figure: the garbled circuits of Party 3 and Party 2, built on the Round-1 OT messages for 0 ∧ (input bit) and 1 ∧ (input bit); their outputs are the two-way ∧ and the three-way ∧]
Generalizing to Arbitrary Computations
General Case
[Figure: a sequence of items, one for each of Round-1, Round-2, …, Round-T]
Conclusion
• We gave a two-round protocol for secure multiparty computation from two-round OT.
• In a subsequent work [Garg-Miao-S], we gave a protocol where the number of public key operations is independent of the circuit size.
• Open Questions:
  • Can we improve the communication complexity?
  • Concrete efficiency?
Thank you!