Homomorphic Secret Sharing II Homomorphic Secret Sharing for - - PowerPoint PPT Presentation

homomorphic secret sharing ii homomorphic secret sharing
SMART_READER_LITE
LIVE PREVIEW

Homomorphic Secret Sharing II Homomorphic Secret Sharing for - - PowerPoint PPT Presentation

Apr 07, 2023 12 likes •350 views

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e Boyle Niv Gilboa Yuval Ishai IDC BGU Technion & UCLA Secure ComputaGon Approaches Classical

slide-1
SLIDE 1

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH

Ele:e Boyle Niv Gilboa Yuval Ishai

IDC BGU Technion & UCLA

slide-2
SLIDE 2

Secure ComputaGon Approaches

“Classical” Approaches Yao’s garbled circuits [Yao86] GMW [GMW87] BGW [BGW88] FHE-Based ConstrucGons [Gen09] Homomorphic Secret Sharing [BGI16,17]

+ Heavily opGmized

  • O(|C|) communicaGon bits

+ Low asymptoGc communicaGon

  • High concrete costs
  • Based on narrow range
  • f (la_ce) assumpGons

Coming up

slide-3
SLIDE 3

Homomorphic Secret Sharing (HSS)

  • Security: xi hides x
  • Correctness:

EvalP(x0) + EvalP(x1) = P(x) = P(x)

y0 y1 +

EvalP EvalP

x0 x1

x

Share

slide-4
SLIDE 4

𝜀-HSS

  • HSS
  • Security: xi hides x
  • 𝜀-Correctness: Except with prob 𝜀 (over Share),
  • Correctness: Except with prob 𝜀 (over Share),

(over Share),

EvalP(x0) + EvalP(x1) = P(x) = P(x)

y0 y1 +

EvalP EvalP

x0 x1

x

Share

slide-5
SLIDE 5

This Talk

  • 𝜀-HSS for Branching Programs from DDH [BGI16a]
  • DDH-Based Secure ComputaGon [BGI17]

– Rounds – CommunicaGon – ComputaGon

slide-6
SLIDE 6

Main Theorem

  • 2-party Homomorphic Secret Sharing

for branching programs under DDH

– δ failure probability – Share: runGme (& share size) n⋅poly(λ) – Eval: runGme poly(λ,|P|,1/δ)

slide-7
SLIDE 7

Living in a log-space world

Multiplication of n n-bit numbers Many numerical / statistical calculations FHE Decryption … Min L2-distance from list of length-n vectors Undirected graph connectivity Streaming algorithms Finite automata

slide-8
SLIDE 8

The HSS ConstrucGon

slide-9
SLIDE 9

RMS Programs

Restricted-MulGplicaGon Straight-line programs:

  • vi ß xj Load an input into memory.
  • vi ß vj+vk Add values in memory.
  • vi ß vj*xk MulGply value in memory by an input.
  • Output vi (mod m)

We will support homomorphic evaluaGon of RMS programs

  • ver Z s.t. all intermediate values are “small” (e.g., {0,1})

Captures branching programs and log-space computaGons (More generally: ReachFewL)

slide-10
SLIDE 10

RMS Captures Branching Programs

Program Input: x1 x2 x3 x4 … xn 1

Program Output:

xi

To evaluate as RMS: Memory variable for each node (whether it’s on red path)

vl = (1-x1) vi + (x3) vj + (1-x1) vk

x3=1

vi vj Computable via RMS vk

slide-11
SLIDE 11

3 Ways to Share a Number

  • Let G be a DDH group of size q with generator g

– (ga,gb,gab) indisGnguishable from (ga,gb,gc)

  • 3 levels of encoding Zq elements

– [u] : (gu, gu) ∈ G x G “encrypGon” – <v> : (v1,v2) ∈ Zq x Zq s.t. v1=v2+v addiGve – {w} : (w1,w2) ∈ G x G s.t. w1=w2⋅gw mulGplicaGve

  • Each level is addiGvely homomorphic

– <v>,<v’>è<v+v’> {w},{w’}è{w+w’}

  • Natural pairing: pair([u],<v>) è {uv}

– ((gu)^v1,(gu)^v2)=(guv2⋅guv,guv2)

slide-12
SLIDE 12

Toy Version

EmulaGng an RMS program – first a:empt:

  • Share: for each input xi

– Encrypt as [xi] – AddiGvely secret-share as <xi>

  • Eval: // maintain the invariant: Vi = <vi>
  • vi ß xj : Vi ß <xj>
  • vi ß vj+vk : Vi ß Vj+Vk

// Vi= <vj+vk>

  • Output vi (mod m): Output Vi +(r,r) (mod m)
  • vi ß xk*vj : Wi ß pair([xk],Vj)

// Wi= {w} for w=xk⋅vj [u]=(gu,gu) <v>=(v2+v,v2) {w}=(w2⋅gw,w2)

Let’s pretend gx is a secure encrypGon of x

Need Convert : {w} è <w> Solved by discrete log Stuck?

slide-13
SLIDE 13

Share Conversion

Group G Group G g0 g1 gz1 gz2 g0 g1 w

Goal: Convert multiplicative sharing of w to additive sharing of w

slide-14
SLIDE 14

Share Conversion

gz2 w

S is a 𝜀-sparse “random” set on G eg S={h∈G | φ(h)=0} for suitable PRF φ

  • Convert (gzb):
  • Return distance distb

from gzb to S.

  • Return distb=0 if

distance>δ⋅log(1/δ)

Goal: Convert multiplicative sharing of w to additive sharing of w

gz1 𝜀 log​(1/𝜀) 𝜀 log​(1/𝜀)

slide-15
SLIDE 15

Good Zone Bad Zone

Conversion Error

gz0 gz1

  • w

  • Bad cases:

∃ • ∈ Bad Zone error ~ w𝜀 ∃ • ∉ Good Zone error ~ 𝜀

Error: depends on “conversion payload” z

Las Vegas version

slide-16
SLIDE 16

Toy Version

EmulaGng an RMS program:

  • Share: for each input xi

– Encrypt as [xi] – AddiGvely secret-share as <xi>

  • Eval: // maintain the invariant: Vi = <vi>
  • vi ß xj : Vi ß <xj>
  • vi ß vj+vk : Vi ß Vj+Vk

// Vi= <vj+vk>

  • vi ß xk*vj : Wi ß pair([xk],Vj); Vi ßConvert(Wi)
  • Output vi (mod m): Output Vi mod m

[u]=(gu,gu) <v>=(v2+v,v2) {w}=(w2⋅gw,w2)

Let’s pretend gx is a secure encrypGon of x

slide-17
SLIDE 17

From Toy Version to Real Version

  • Pick secret key c∈Zq for ElGamal encrypGon
  • Encrypt each input xi

as [r], [cr+xi] (secret-key ElGamal)

  • Invariant: Each memory value vj shared as <vj>, <cvj>
  • To mulGply xivj: pair, subtract and get {xivj}

– Use conversion to get <xivj> – Problem: Need also <c⋅xivj> to maintain invariant – SoluGon? Share c⋅xi in addiGon to xi – Problem: Can’t convert {c⋅xivj} (c⋅xivj too big) – SoluGon: Break c into binary representaGon, encrypt xick – Problem: circular security for ElGamal? – SoluGons: (1) assume it! (2) leveled version (3) use [BHHO08]

slide-18
SLIDE 18

[xi] [xi]

Public-Key Variant

Dec

P(x) [xi]

Enc

xi

Eval

[P(x)]1 P

Eval

[P(x)]2 P

pk ek1 ek2

pk = ElGamal public key + encrypGons of bits ck of secret key ek = load 1 to memory

slide-19
SLIDE 19

DDH-Based ApplicaGons

  • Succinct 2PC for branching programs / logspace / NC1

– CommunicaGon |inputs| + |outputs| + poly(λ) bits

  • Sublinear 2PC for “nice” circuits

– CommunicaGon O(|C|/log|C|) + … bits – O(|C|)+… bits for general circuits

  • 2-server PIR for branching program queries
  • 2-party FuncGon Secret Sharing for branching programs
  • 2-round MPC in PKI model
slide-20
SLIDE 20

Succinct 2PC for Branching Programs

Generic MPC for KeyGen Hom evaluate P on share of a,b Hom evaluate P on share of a,b pk ek2 ek1 b HSS(pk, a) HSS(pk, b) Goal: Evaluate program P yA yB yA+yB = C(a,b), Except with prob. 1/3 Repeat 𝜇 Gmes Generic MPC to output majority yA

1 yA 2

yA

3 yA 4

yB

1 yB 2

yB

3 yB 4

a

Communica9on:

poly(λ) + poly(λ)* (|a|+|b|) + poly(λ) * (|output|)

Hybrid encrypGon tricks Coming up

slide-21
SLIDE 21

Sublinear 2PC for “Nice” Circuits

x1 y1

¬x1 ¬y1 xn yn ¬xn ¬yn

Gate Gate

Gate Gate Gate

IntuiGon:

Gate Gate Gate Gate Gate Gate Gate

slide-22
SLIDE 22

Sublinear 2PC for “Nice” Circuits

x1 y1

¬x1 ¬y1 xn yn ¬xn ¬yn

Gate Gate

Gate Gate Gate

IntuiGon:

Gate Gate Gate Gate Gate Gate Gate BP “Gate” BP “Gate” BP “Gate”

Only pay ~ (inputs + outputs) of BP gates

slide-23
SLIDE 23

Achieving Fault Tolerance

x1 y1

¬x1 ¬y1 xn yn ¬xn ¬yn

Gate Gate

Gate Gate Gate Gate Gate Gate Gate Gate Gate Gate BP “Gate” BP “Gate” BP “Gate” ECC Decode ECC Encode ECC Decode ECC Encode ECC Decode ECC Encode

slide-24
SLIDE 24

OpGmizing Rounds

slide-25
SLIDE 25

Two-Round MPC

  • PKI setup: each party publishes public key and keeps the

secret key.

– Input-independent, short

  • Ideas

– Start with a 2-server protocol, then emulate a server using 2 servers via the same protocol

  • Each virtualizaGon step increases complexity by poly(λ)

– Threshold generaGon of (pk, ek0,ek1)

  • Side benefit: black-box use of group

– Reduce general circuits to shallow ones via garbled circuits – Negligible error via virtual 2-round honest-majority MPC

slide-26
SLIDE 26

OpGmizing CommunicaGon for 2PC

slide-27
SLIDE 27

“Punctured OT”

  • One-sided Las Vegas HSS + linear erasure code
  • Goal: P0 learns P1 values at non-⊥ posiGons

P1 does not learn ids of ⊥ posiGons

  • Idea: Cheap almost-all OT via punctured PRF

P1 sends share, using PRFk(i) as mask for posiGon i

⊥ ⊥

P0 P1

MPC PRF key k ⊥-Punctured PRF key k⊥

slide-28
SLIDE 28

OpGmizing ComputaGon

slide-29
SLIDE 29

Baseline: Cost per Hom MulGplicaGon

  • Phase 1: ExponenGaGon
  • Phase 2: Share Conversion

Repeated (Θ(1/𝜀) expected):

  • MulGply h by generator g
  • Test if new h is disGnguished (evaluate PRF)

(gr)-<cv> (grc+x)<v> = g<vx>

Group G g0 g1 h

  • Note: fixed base
slide-30
SLIDE 30

ComputaGonal OpGmizaGons

  • “Conversion-friendly” groups:

g = 2 is generator & |G| = 2i - (small 𝛿) hg = (shi} 1) + small 𝛿

  • DisGnguished points:

– Provable: Min-wise hash [Ind01]

saves log​(1/𝜀) worst-case parallel runGme

– HeurisGc: Fixed window of 0s Perform blocks of repeGGons

h shi} 32 + * 𝛿 hg32

slide-31
SLIDE 31

Further OpGmizaGons

  • Assume circular-secure ElGamal
  • EllipGc-curve ElGamal for short ciphertexts
  • “Small exponent” ElGamal for shorter secret key
  • Preprocess for fixed-basis exponenGaGons
  • Replace binary sk decomposiGon by base D
  • Bo:om line:

– Ciphertexts shorter than FHE ciphertexts – “Shallow” computaGons may be faster

slide-32
SLIDE 32

Conclusions

  • Homomorphic secret sharing from DDH

– Supports branching program computaGon – Yields succinct secure computaGon and other applicaGons of FHE – Some applicaGons not implied by standard FHE – Good concrete efficiency for “shallow” computaGons

  • Not post-quantum

– I have bigger concerns at this parGcular moment – Quantum-friendly cryptography?

slide-33
SLIDE 33

Open QuesGons

  • Beyond branching programs

– FHE-style bootstrapping?

  • More than 2 parGes
  • Similar approach under different assumpGons
  • Improving Gme/error tradeoff of conversion?
  • Fault tolerance at branching program level?
  • OpGmizing concrete efficiency