Multi-Party Computation: Second year. Eduardo Soria Vázquez, October. PowerPoint PPT Presentation





slide-1
SLIDE 1

Multi-Party Computation: Second year

Eduardo Soria Vázquez October 11, 2017

slide-2
SLIDE 2

A Year in a slide

  • 1. Conferences attended:
    – Flagship: TCC 2016-B, Eurocrypt 2017.
    – Domain-specific: TPMPC.
    – Smaller meetings: ECRYPT collaborative writing workshop, HEAT, Lattice Meeting (ENS Lyon).
  • 2. Talks given: TCC 2016-B, Lattice Meeting: More Efficient Constant-Round Multi-Party Computation from BMR and SHE.
  • 3. Research visits: Thales UK, Bar-Ilan University.
  • 4. Outreach: Digimakers (coming on 11th November, 2017)

Eduardo Soria-Vázquez

slide-3
SLIDE 3
A Year in a slide

  • 5. Papers:
    – ACNS 2017: Faster Secure Multi-Party Computation of AES and DES Using Lookup Tables. Joint work with Marcel Keller, Emmanuela Orsini, Dragos Rotaru, Peter Scholl and Srinivas Vivek.
    – ASIACRYPT 2017: Low Cost Constant Round MPC Combining BMR and Oblivious Transfer. Joint work with Carmit Hazay and Peter Scholl.
    – A submission to EUROCRYPT 2018

slide-4
SLIDE 4

Low Cost Constant Round MPC Combining BMR and Oblivious Transfer

Carmit Hazay, Peter Scholl, Eduardo Soria Vázquez October 11, 2017

slide-5
SLIDE 5

Overview

  • 1. What is MPC?
    – 1. Garbled Circuits: 2PC (Yao) vs MPC (BMR)
  • 2. Results:
    – 1. A compiler from binary MPC to BMR
    – 2. Robustness of Garbling in BMR
    – 3. Optimized Garbling with TinyOT
  • 3. Conclusion

slide-6
SLIDE 6

Multi-Party Computation

Figure: four parties, each holding a private input x1, x2, x3, x4, jointly compute f(x1, x2, x3, x4).

slide-7
SLIDE 7

Multi-Party Computation

  • Protocol indistinguishable from the ideal one run by a Trusted Party.
  • Adversaries participate in the protocol.

slide-8
SLIDE 8

MPC setting in this talk

Model of Computation:

  • Boolean circuit C
  • Preprocessing phase

Adversary:

  • Static, malicious
  • Dishonest majority

Main focus:

  • Constant rounds – Garbled Circuits
  • Concrete efficiency

Figure: the preprocessing phase produces correlated randomness ("corr. rand.") that the online phase consumes to compute C(x1, x2, x3, x4) on the parties' inputs x1, x2, x3, x4.

slide-9
SLIDE 9

Starting point: garbled circuits for semi-honest 2-PC

Figure [Yao86]: Garble takes the Boolean circuit C and outputs a garbled circuit C̃; an input encoding protocol maps the inputs (x1, x2) to encodings (X̃1, X̃2); Eval(C̃, X̃1, X̃2) outputs C(x1, x2).

slide-10
SLIDE 10

BMR: Everyone garbles (MPC) and evaluates (local computation)

Figure [BeaverMicaliRogaway90]: Garble is run as a generic MPC protocol (it can be any non-constant-round protocol) over the Boolean circuit C and outputs C̃; Input Encoding produces an encoding X̃i of each party's input xi; Eval is local computation and outputs C(x1, …, xn).

slide-11
SLIDE 11

Challenge in BMR: evaluate Garbling step in MPC, efficiently


slide-12
SLIDE 12

Comparison of approaches to BMR with active security

Protocol                 | Based on        | Free XOR | Main cost per gate
-------------------------+-----------------+----------+-----------------------------------------
BMR90                    | Generic MPC     |          | ZK proofs of PRG computation
LPSY15                   | MPC in F_p      |          | 8n + 5 MPC mult.
LSS16                    | SHE             |          | O(n^2) ZK proofs of plaintext knowledge
This talk (and [KRW17])  | OT + MPC in F_2 |          | 1 MPC mult. in F_2

(The tick marks of the Free XOR column did not survive extraction.)

slide-13
SLIDE 13

Garbling an AND gate with Yao

AND gate truth table (inputs u, v; output w):

  u v | w
  0 0 | 0
  0 1 | 0
  1 0 | 0
  1 1 | 1

slide-14
SLIDE 14

Garbling an AND gate with Yao

Wire keys: (K_{u,0}, K_{u,1}), (K_{v,0}, K_{v,1}), (K_{w,0}, K_{w,1})

  u v | w
  0 0 | 0
  0 1 | 0
  1 0 | 0
  1 1 | 1

  • Pick 2 random keys for each wire
slide-15
SLIDE 15

Garbling an AND gate with Yao

Wire keys: (K_{u,0}, K_{u,1}), (K_{v,0}, K_{v,1}), (K_{w,0}, K_{w,1})

Encrypted truth table (one entry per row (u, v) = (a, b), carrying the output key K_{w, a AND b}):

  E_{K_{u,0},K_{v,0}}(K_{w,0})
  E_{K_{u,0},K_{v,1}}(K_{w,0})
  E_{K_{u,1},K_{v,0}}(K_{w,0})
  E_{K_{u,1},K_{v,1}}(K_{w,1})

  • Pick 2 random keys for each wire
  • Encrypt the truth table of each gate
slide-16
SLIDE 16

Garbling an AND gate with Yao

Wire keys: (K_{u,0}, K_{u,1}), (K_{v,0}, K_{v,1}), (K_{w,0}, K_{w,1})

Encrypted truth table after a random permutation of the entries:

  E_{K_{u,0},K_{v,1}}(K_{w,0})
  E_{K_{u,1},K_{v,1}}(K_{w,1})
  E_{K_{u,1},K_{v,0}}(K_{w,0})
  E_{K_{u,0},K_{v,0}}(K_{w,0})

  • Pick 2 random keys for each wire
  • Encrypt the truth table of each gate
  • Randomly permute the entries
slide-17
SLIDE 17

Garbling in BMR


slide-18
SLIDE 18

BMR has an MPC-friendly Garbling

  • Pick 2n random keys for each wire: initially, party P_i gets keys K^i_{u,0}, K^i_{u,1}. The key for value b on wire u is the vector of all parties' keys, K_{u,b} = (K^1_{u,b}, …, K^n_{u,b}), b ∈ {0,1}.
  • Next slides:
    – Encrypt the truth table of each gate
    – Randomly permute the entries

Wire keys: (K_{u,0}, K_{u,1}), (K_{v,0}, K_{v,1}), (K_{w,0}, K_{w,1})

Encrypted (and permuted) truth table, same shape as Yao's but with n-party keys:

  Enc_{K_{u,0},K_{v,1}}(K_{w,0})
  Enc_{K_{u,1},K_{v,1}}(K_{w,1})
  Enc_{K_{u,1},K_{v,0}}(K_{w,0})
  Enc_{K_{u,0},K_{v,0}}(K_{w,0})

slide-19
SLIDE 19

Encryption in BMR is straightforward

Input PRF keys and values; generic MPC: just XOR.

F is a double-key PRF, g is the gate index. The j-th component (j = 1, …, n) of an encryption is

  Enc_{K_{u,a},K_{v,b}}(K_{w,c})_j = K^j_{w,c} ⊕ ⨁_{i=1}^{n} F_{K^i_{u,a},K^i_{v,b}}(g || j)

so the garbled table consists of Enc_{K_{u,a},K_{v,b}}(K_{w,·}) for each (a, b) ∈ {0,1}^2.

Next: Randomly permute the entries

slide-20
SLIDE 20

Entire BMR Garbling (with Free-XOR)

Garbled AND gate is, for j ∈ {1, …, n} and (a, b) ∈ {0,1}^2:

  g̃^j_{a,b} = Garb(g, j, a, b) = Enc_{K_{u,a},K_{v,b}}( K^j_{w,0} ⊕ ((λ_u ⊕ a)(λ_v ⊕ b) ⊕ λ_w) · R^j )

  • λ_u, λ_v, λ_w: secret permutation bits to shuffle the entries.
  • R^j: fixed string enabling Free-XOR, secret to party P_j: K^j_{w,1} = K^j_{w,0} ⊕ R^j.

Observation (next slide): multiplications are bit/bit or bit/string only.

[Ben-Efraim Lindell Omri 16]
slide-21
SLIDE 21

Transforming any MPC to BMR

(Constant rounds for Boolean Circ.)

For each AND gate (run inside the MPC protocol):

  • Input R^j (party P_j's Free-XOR string).
  • Sample λ_u, λ_v, λ_w ∈ {0,1}.
  • Compute shares of ((λ_u ⊕ a)(λ_v ⊕ b) ⊕ λ_w) · R^j for (a, b) ∈ {0,1}^2.
  • XOR these shares with the shares of Enc_{K_{u,a},K_{v,b}}(K^j_{w,·}), the PRF part.
  • Output the garbled circuit C̃.

slide-22
SLIDE 22

Transforming any MPC to BMR

(Constant rounds for Boolean Circ.)

For each AND gate:

  • Input R^j.
  • Sample λ_u, λ_v, λ_w ∈ {0,1} (party P_i holds shares λ^i_u, λ^i_v, λ^i_w).
  • Compute shares of ((λ_u ⊕ a)(λ_v ⊕ b) ⊕ λ_w) · R^j:
    – λ_u · λ_v: 1 F_2 multiplication in MPC.
    – bit/string multiplications of the λ shares with the strings R: n(n−1) COTs, plus a consistency check.
  • XOR the shares with the shares of Enc_{K_{u,a},K_{v,b}}(K^j_{w,·}).
  • Output C̃.

slide-23
SLIDE 23

Robustness of Garbling in BMR


slide-24
SLIDE 24

BMR garbling is very robust to errors

Thought experiment with an adversary:

Figure: Garble(C) → C̃, but the adversary may hand the evaluator a corrupted garbling Ĉ; Encoding(x) → X̃; Eval(Ĉ, X̃) returns either y = C(x) or ⊥ (abort).

slide-25
SLIDE 25

BMR garbling is very robust to errors

  • Intuition:
    – Only possible break is to flip honest P_j's masked key:
        Enc(K^j_{w,0}) ⊕ Enc(K^j_{w,1}) = R^j
    – Negligible (guess R^j) if the mask was obtained from a suitable PRF:
        Enc_{(K^1_u,…,K^n_u),(K^1_v,…,K^n_v)}(K^j_w) = F_{K^1_u,K^1_v}(g || j) ⊕ … ⊕ F_{K^n_u,K^n_v}(g || j) ⊕ K^j_w
  • We strengthen previous results (proofs) [LPSY15, KRW17]:
    – Allowed incorrect PRF values, non-adaptively.
    – Did not directly reduce to PRF security.
    – Shares of garbling had to be authenticated (less efficient).

slide-26
SLIDE 26

An optimized protocol for BMR: TinyOT


slide-27
SLIDE 27

Optimized variant based on TinyOT

  • Multi-party TinyOT protocol [FrederiksenKellerOrsiniScholl15]
    – Efficient instantiation of binary MPC.
    – Optimized in [KatzRanellucciWang17]
  • Uses Correlated OT to create information-theoretic MACs
    – MAC(x) = K + x·R
    – For shared bit x, and MAC key (K, R)
  • Fix R to be the global difference in Free-XOR
    – Bit/string products for free!

slide-28
SLIDE 28

Optimized variant based on TinyOT

For each AND gate:

  • Input R^j.
  • Sample λ_u, λ_v, λ_w ∈ {0,1} (party P_i holds shares λ^i_u, λ^i_v, λ^i_w).
  • Compute shares of ((λ_u ⊕ a)(λ_v ⊕ b) ⊕ λ_w) · R^j:
    – λ_u · λ_v: 1 F_2 multiplication in MPC.
    – bit/string multiplications of the λ shares with the strings R: n(n−1) COTs, plus a consistency check.
  • XOR the shares with the shares of Enc_{K_{u,a},K_{v,b}}(K^j_{w,·}).
  • Output C̃.

slide-29
SLIDE 29
  • Comms. (MB) for 1 AES evaluation in efficient constant-round MPC

Figure: bar chart, logarithmic axis from 1 to 1,000,000 MB, comparing SPDZ-BMR (2015), SHE-BMR (2016), MASCOT-BMR (2016) and This work (2017), each for 3 parties and for 10 parties.

slide-30
SLIDE 30

Conclusion

Constant Rounds (Almost) For Free:

  • Small, O(k) overhead on top of any protocol for binary circuits.
  • Almost no overhead when using TinyOT.

Improved security proof: unauthenticated shares, better online phase.

Open Problems:

  • Can BMR garbling be optimized? Currently: 4nk bits + O(n^2) PRF evaluations.
  • How about TinyOT?
  • Can we further tailor other MPC protocols for BMR garbling?

slide-31
SLIDE 31

Thank you!


http://ia.cr/2017/214 Low Cost, Constant Round MPC Combining BMR and Oblivious Transfer Carmit Hazay, Peter Scholl and Eduardo Soria-Vázquez

slide-32
SLIDE 32

Runtimes

Benchmark: 9 parties, 1 Gbps LAN, 2.3 GHz Intel Xeon CPUs with 20 cores.

Figure: runtimes for AES (B=3) and SHA-256 (B=3).