Yehuda Lindell (Bar-Ilan University, Israel), Tal Rabin (IBM Research) - PowerPoint PPT Presentation


  1. Gilad Asharov (Bar-Ilan University, Israel), Yehuda Lindell (Bar-Ilan University, Israel), Tal Rabin (IBM Research, New York)

  2.  A set of parties with private inputs wish to compute some joint function of their inputs
      Parties wish to preserve some security properties, e.g., privacy and correctness
       ◦ Example: secure election protocol
      Security must be preserved in the face of adversarial behavior by some of the participants, or by an external party

  3.  Michael Ben-Or, Shafi Goldwasser and Avi Wigderson (BGW)
      A protocol for general multiparty computation
       ◦ Perfectly secure
       ◦ Adaptively secure
       ◦ Concurrently secure
      Elegant and beautiful construction
      A huge impact on our field

  4.  A full specification of the BGW multiplication protocol
       ◦ The protocol requires a new step for the case of n/4 ≤ t < n/3
       ◦ A full proof of security
      A new multiplication protocol
       ◦ More efficient
       ◦ Simpler
       ◦ Constant round per multiplication (as BGW)

  5.  Perfect multiplication based on homomorphic secret sharing
       ◦ [Cramer, Damgård, Maurer 00]
      Efficiency of perfect multiplication
       ◦ Player elimination technique: [Hirt, Maurer, Przydatek 00], [Hirt, Maurer 01], [Beerliová-Trubíniová, Hirt 06], [Hirt, Nielsen 06], [Damgård, Nielsen 07], [Beerliová-Trubíniová, Hirt 08]
       ◦ Very efficient protocols
       ◦ The round complexity per multiplication depends on the number of parties

  6. [Figure: an arithmetic circuit with input wires x_1, …, x_n and y_1, …, y_n and output wires]
      Each party distributes its input using secret sharing
      At each gate, the parties compute the shares of the output wire using the shares of the input wires
      Invariant: at each wire, the intermediate value is hidden by secret sharing
      At the output wires, the parties send their shares to the relevant party

  7. [Figure: addition gate with input wires a, b and output wire a + b]
      The invariant:
       ◦ Each party holds shares of a and b
      Addition gate:
       ◦ Each party locally adds its shares
      The result is a share of a random polynomial of degree-t that hides a+b

  8. [Figure: multiplication gate with input wires a, b and output wire a ⋅ b]
      The invariant:
       ◦ Each party holds shares of a and b
      Addition gate:
       ◦ Each party locally adds its shares
      The result is a share of a random polynomial of degree-t that hides a+b
      Multiplication gate:
       ◦ Each party locally multiplies its shares
      The result is a share of a polynomial of degree-2t that hides a ⋅ b
      Run an interactive protocol to reduce the degree

  9. [Figure: degree reduction. Top row: the product shares a_1 b_1, …, a_n b_n held by P_1, …, P_n lie on a polynomial of degree 2t that hides ab. Each P_i sub-shares its product share, sending g_i(j) to P_j. Bottom row: each P_j combines the sub-shares g_1(j), …, g_n(j) it received into H(j), a share of a polynomial of degree t that hides ab.]
      Possible whenever at least 2t+1 shares were sub-shared correctly
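The multiplication and degree-reduction steps of slides 8 and 9, as an added Python example that is not part of the presentation: Shamir shares over a prime field are multiplied locally, each party sub-shares its product share with a fresh degree-t polynomial, and a Lagrange combination of the sub-shares gives a degree-t sharing of ab. The modulus, the party counts and the function names are this example's own choices.

```python
# Added example, not from the slides: BGW multiplication of Shamir shares over a
# prime field, including the degree-reduction step of slide 9.
import random

P = 2**61 - 1          # prime field modulus (assumed choice for this demo)

def poly_eval(coeffs, x):
    """Evaluate the polynomial with coefficients [c0, c1, ...] at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def share(secret, t, n):
    """Shamir sharing: random degree-t polynomial with free coefficient
    `secret`; party i (i = 1..n) receives f(i)."""
    coeffs = [secret % P] + [random.randrange(P) for _ in range(t)]
    return [poly_eval(coeffs, i) for i in range(1, n + 1)]

def lagrange_at_zero(xs):
    """lambda_i with sum(lambda_i * f(x_i)) = f(0) whenever deg f < len(xs)."""
    lams = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        lams.append(num * pow(den, P - 2, P) % P)
    return lams

def reconstruct(shares, xs):
    """Recover f(0) from the shares f(x_1), ..., f(x_m)."""
    return sum(l * s for l, s in zip(lagrange_at_zero(xs), shares)) % P

def bgw_multiply(a_shares, b_shares, t):
    """Return degree-t shares of a*b from degree-t shares of a and b (needs n >= 2t+1)."""
    n = len(a_shares)
    # Local multiplication: the a_i*b_i lie on a degree-2t polynomial hiding a*b.
    prod = [(ai * bi) % P for ai, bi in zip(a_shares, b_shares)]
    # Each P_i sub-shares its product share; sub[i][j-1] is g_i(j), sent to P_j.
    sub = [share(prod[i], t, n) for i in range(n)]
    # Degree reduction: P_j sets H(j) = sum_i lambda_i * g_i(j), where the lambda_i
    # interpolate the degree-2t product polynomial at 0 from all n points.
    lams = lagrange_at_zero(list(range(1, n + 1)))
    return [sum(lams[i] * sub[i][j] for i in range(n)) % P for j in range(n)]

def demo(a, b, t=1, n=4):
    """Multiply a and b inside the sharing; reconstruct from only t+1 of the
    resulting shares, which succeeds only because their degree is back to t."""
    h = bgw_multiply(share(a, t, n), share(b, t, n), t)
    return reconstruct(h[:t + 1], list(range(1, t + 2)))
```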

  10. [Figure: the same degree-reduction diagram as slide 9, with one of the sub-shares g_i(j) marked "wrong!"]
      The honest parties need to identify the incorrect shares
      *We assume: at least 2t+1 honest parties, at most t corrupted parties

  11. [Figure: a degree-t sharing f(1), …, f(n) held by P_1, …, P_n; each P_i sub-shares its share f(i) by sending g_i(j) to P_j, forming the matrix of sub-shares g_i(j) for i, j = 1, …, n]

  12. [Figure: party P_i holds a_i and b_i and sends to each party P_j the sub-shares A_i(j), B_i(j), C_i(j)]

  13. [Figure: the rows of sub-shares. A_i(1), …, A_i(n) hides a_i, where a_1, …, a_n hides a; B_i(1), …, B_i(n) hides b_i, where b_1, …, b_n hides b; C_i(1), …, C_i(n) hides a_i b_i]

  14. [Figure: same diagram as slide 13]

  15.  Inputs:
        ◦ Each party P_j holds sub-shares A_i(j), B_i(j)
        ◦ The dealer – P_i – knows A_i(x), B_i(x)
       The dealer distributes t polynomials of degree-t (VSS), D_1(x), …, D_t(x), such that
         $C_i(x) = A_i(x) \cdot B_i(x) - \sum_{\ell=1}^{t} x^{\ell} D_{\ell}(x)$
       is of degree-t
        ◦ Each party computes its share on C_i(x) using its other shares
        ◦ The free coefficient of C_i(x) is always A_i(0)B_i(0) = a_i b_i
        ◦ Choosing D_1, …, D_t inappropriately can end up with a polynomial of degree higher than t
       The parties need to verify that C_i(x) is of degree-t
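How the honest dealer of slide 15 can choose D_1, …, D_t so that C_i(x) comes out of degree t while keeping the free coefficient a_i b_i, and what an inappropriate choice does to the degree, as an added Python example that is not from the presentation. The low-to-high coefficient representation, the modulus and the function names are assumptions of the example.

```python
# Added example, not from the slides: the honest dealer's choice of D_1..D_t in
# slide 15, and the effect of an inappropriate choice. Coefficient lists are
# low-to-high: f[k] is the coefficient of x^k.
import random
P = 2**61 - 1   # prime field modulus (assumed choice for this demo)

def poly_mul(f, g):
    """Product of two coefficient lists, mod P."""
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] = (out[i + j] + fi * gj) % P
    return out

def degree(f):
    """Degree of f, ignoring leading zero coefficients (-1 for the zero polynomial)."""
    d = len(f) - 1
    while d >= 0 and f[d] == 0:
        d -= 1
    return d

def subtract_shifted(C, D, l):
    """C(x) -= x^l * D(x), in place."""
    for m, dm in enumerate(D):
        C[l + m] = (C[l + m] - dm) % P

def honest_dealer(A, B, t):
    """Build C(x) = A(x)B(x) - sum_{l=1}^{t} x^l D_l(x) with deg C <= t.
    Going from l = t down to 1, D_l is random except its x^t coefficient, which
    cancels the current x^(t+l) coefficient of C; everything above t+l is already
    zero, and x^l D_l(x) never touches the free coefficient."""
    C, Ds = poly_mul(A, B), [None] * t
    for l in range(t, 0, -1):
        D = [random.randrange(P) for _ in range(t)] + [C[t + l]]
        subtract_shifted(C, D, l)
        Ds[l - 1] = D
    return C, Ds

def bad_dealer(A, B, t):
    """Inappropriate choice: fully random D_l's cancel nothing, so deg C stays 2t."""
    C = poly_mul(A, B)
    for l in range(1, t + 1):
        subtract_shifted(C, [random.randrange(P) for _ in range(t + 1)], l)
    return C

def demo(a, b, t, honest=True):
    """Return (deg C, C(0)) for random degree-t A, B with A(0) = a, B(0) = b."""
    A = [a % P] + [random.randrange(P) for _ in range(t)]
    B = [b % P] + [random.randrange(P) for _ in range(t)]
    C = honest_dealer(A, B, t)[0] if honest else bad_dealer(A, B, t)
    return degree(C), C[0]
```

Each party P_j can then compute its own share C(j) = A(j)B(j) − Σ_ℓ j^ℓ D_ℓ(j) from the sub-shares it holds, which is the "using its other shares" bullet above.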

  16.  Parties have shares of C_i(x) and want to check that it is of degree-t
       P_i distributes C'_i(x) using VSS (guarantees degree-t) and claims that C'_i(x) = C_i(x)
        ◦ C_i(x) has the correct free coefficient C_i(0), but unknown degree
        ◦ C'_i(x) is of degree-t, but not necessarily with the correct free coefficient
       Each party P_j checks that C'_i(j) = C_i(j)
        ◦ If C'_i(j) ≠ C_i(j) – it broadcasts a "complaint"
       If the number of complaints > t: "reject"
        ◦ Need more than t complaints, since the adversary may complain about an honest dealer

  17.  The dealer creates D_1(x), …, D_t(x) not according to the protocol, and so C_i(x) is of degree higher than t
       It chooses C'_i(x) of degree-t such that C'_i(j) = C_i(j) for t+1 honest parties, but C'_i(0) ≠ a_i b_i
       The corrupted parties do not complain
       Result:
        ◦ t+1 honest parties do not complain
        ◦ t corrupted parties do not complain
        ◦ t honest parties complain
       The polynomial is accepted, since only t complaints (not more than t) are broadcast

  18. [Figure: f_eval. The parties P_1, …, P_n hold shares f(1), …, f(n) of a degree-t polynomial f; every party receives the value f(k)]

  19.  For each complaining party P_k – the parties check if its complaint is fake or legitimate:
        ◦ Invoke f_eval on the shares of A_i(x) and receive A_i(k)
        ◦ Invoke f_eval on the shares of B_i(x) and receive B_i(k)
        ◦ …
        ◦ The values C'_i(k), A_i(k), B_i(k), D_1(k), …, D_t(k) become public
        ◦ The parties compute C_i(k) and compare it to C'_i(k)
       If C_i(k) = C'_i(k): the complaint is fake
       If C_i(k) ≠ C'_i(k): the complaint is legitimate
       If there is one legitimate complaint – reject

  20. Utilizing Bivariate Sharing for Simplicity and Efficiency

  21. [Figure: bivariate sharing. The dealer's polynomial f(x) with f(0) = s, together with g(x); party P_i holds the row polynomial f_i(x) and the column polynomial g_i(x), for i = 1, …, n]

  22. [Figure: the same bivariate-sharing diagram as slide 21, annotated "Sub-Sharing for free!"]

  23.  The invariant is changed: univariate → bivariate
       Sub-sharing for free – no need for robust sub-sharing
       f_eval and other tools are much more efficient and simpler
        ◦ All the constructions become simpler
        ◦ Including the proof of security
       But maintaining the invariant requires some work
       Reduced the communication complexity of BGW by a quadratic factor
        ◦ Best constant-round multiplication protocol (by a linear factor)
        ◦ Incomparable to player elimination techniques, which have lower communication complexity but higher round complexity

  24.  We study perfect multiplication
       We filled a missing gap in the BGW protocol
       A full proof of security
       A simpler construction
        ◦ more efficient
        ◦ and simpler
      Thank You!
