Recap lecture covering (n,t)-sharing, reconstruction, multiplication protocols, Verifiable Secret Sharing, Bivariate Polynomial properties, Four Round VSS, Error Correction of RS Codes, Secure Multiplication Gate Evaluation, and more in the context of Multi-party Computation.
Secure Computation, Lecture 17-18, Arpita Patra
Recap
>> i.t. (perfect) MPC in malicious setting
> Three orthogonal problems: (n,t)-sharing, reconstruction, multiplication protocol
> Verifiable Secret Sharing (VSS) will take care of the first two problems
>> Verifiable Secret Sharing (VSS)
> Definition (Secrecy, Correctness, Strong Commitment)
> Properties of bivariate polynomials
> Six round construction based on bivariate polynomials with n > 3t
> Four round construction with minor tweaks
> Reconstruction from error correction of RS codes (will be discussed today)
i.t. Multi-party Computation [BGW]
1. (n, t)-secret share each input
2. Find (n, t)-sharing of each intermediate value
   Linear gates: Linearity of Shamir Sharing - Non-Interactive
   Non-linear gates: Require degree-reduction technique - Interactive
3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other
[Figure: example circuit with wire values 3, 9, 2, 1, 5, 3, 48, 45, 144]
Definition of VSS [CGMA85]
• Extends Secret Sharing to the case of malicious corruption
[Figure: Sharing Phase: the Dealer holds secret s and the parties obtain v1, v2, v3, …, vn; s is committed, s is secure. Reconstruction Phase: secret s.]
Definition of VSS [CGMA85] Continued
• n parties $P = \{P_1, \dots, P_n\}$, dealer D (e.g., $D = P_1$)
• t corrupted parties (possibly including D): $A_t$
Secrecy
• If D is honest, then $A_t$ has no information about secret s during the Sharing phase
Correctness
• If D is honest, then secret s will be correctly reconstructed during the Reconstruction phase
Strong Commitment
• Corrupted D commits a unique s*
• s* should be uniquely reconstructed
Bivariate Polynomial and its properties
F(x,y) of degree at most (t,t)
$f_1(x) = F(x,1)$, …, $f_i(x) = F(x,i)$, …, $f_n(x) = F(x,n)$
$g_1(y) = F(1,y)$, $g_2(y) = F(2,y)$, …, $g_i(y) = F(i,y)$, …, $g_n(y) = F(n,y)$
Claim 1: t F(x,i)'s and t F(i,y)'s will leak NO info about F(0,0).
Claim 2: (t+1) F(x,i)'s or (t+1) F(i,y)'s completely determine F(x,y).
Claim 3: $g_i(j) = f_j(i) = F(i,j)$ and $g_j(i) = f_i(j) = F(j,i)$
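Four Round VSS - D's Distribution
F(x,y) of degree at most (t,t) s.t. s = F(0,0)
$f_1(x) = F(x,1)$, …, $f_i(x) = F(x,i)$, …, $f_n(x) = F(x,n)$
$g_1(y) = F(1,y)$, $g_2(y) = F(2,y)$, …, $g_i(y) = F(i,y)$, …, $g_n(y) = F(n,y)$
[Figure: the polynomials $f_i(x)$ and $g_i(y)$ are shown next to party $P_i$, for $P_1, P_2, \dots, P_i, \dots, P_n$]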
Four Round VSS - Verification, Complaint & Resolution
$P_i$: $f_i(x) = F(x,i)$, $g_i(y) = F(i,y)$
$P_j$: $f_j(x) = F(x,j)$, $g_j(y) = F(j,y)$
$f_i(j) = g_j(i) = F(j,i)$
$g_i(j) = f_j(i) = F(i,j)$
Every pair of honest parties' polynomials are pairwise consistent
Four Round VSS - Output share
Note: D can choose the polynomial with which it wants to (n,t)-share its secret as f(x), then choose F(x,y) such that F(x,0) = f(x), and then do VSS using F(x,y)
$f_0(x) = F(x,0)$, $f_0(0) = F(0,0) = s$
$g_1(0) = F(1,0)$ for $P_1$, $g_2(0) = F(2,0)$ for $P_2$, …, $g_i(0) = F(i,0)$ for $P_i$, …, $g_n(0) = F(n,0)$ for $P_n$
$g_i(1) = f_1(i)$, $g_i(2) = f_2(i)$, …, $g_i(i) = f_i(i)$, …, $g_i(n) = f_n(i)$
Two level sharing: each Shamir share is also Shamir-shared
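The distribution, pairwise consistency check and output shares from the last three slides, as an added Python example (not code from the lecture). The prime modulus and the function names deal, inconsistent_pairs and reconstruct are assumptions made for this illustration.

```python
import secrets

P = 2**31 - 1  # prime field modulus (assumption; any field with |F| > n works)

def ev(poly, x):
    acc = 0
    for c in reversed(poly):  # Horner, ascending coefficients
        acc = (acc * x + c) % P
    return acc

def deal(s, t, n):
    """Dealer: sample F(x,y) of degree <= (t,t) with F(0,0) = s; P_i gets (f_i, g_i)."""
    F = [[secrets.randbelow(P) for _ in range(t + 1)] for _ in range(t + 1)]  # F[a][b] x^a y^b
    F[0][0] = s % P
    shares = {}
    for i in range(1, n + 1):
        f_i = [ev([F[a][b] for b in range(t + 1)], i) for a in range(t + 1)]  # F(x, i)
        g_i = [ev([F[a][b] for a in range(t + 1)], i) for b in range(t + 1)]  # F(i, y)
        shares[i] = (f_i, g_i)
    return shares

def inconsistent_pairs(shares):
    """Pairs (i, j), i < j, violating f_i(j) = g_j(i) or g_i(j) = f_j(i)."""
    ids = sorted(shares)
    return [(i, j) for i in ids for j in ids if i < j and
            (ev(shares[i][0], j) != ev(shares[j][1], i) or
             ev(shares[i][1], j) != ev(shares[j][0], i))]

def reconstruct(points):
    """Lagrange-interpolate f_0(0) = s from t+1 output shares (i, g_i(0))."""
    s = 0
    for i, y in points:
        num = den = 1
        for j, _ in points:
            if j != i:
                num = num * -j % P
                den = den * (i - j) % P
        s = (s + y * num * pow(den, -1, P)) % P
    return s
```

With an honest dealer no pair is inconsistent; if the dealer hands one party a g-polynomial that does not come from F(x,y), every pair involving that party shows up in the list.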
Reconstruction Phase (Error Correction of Reed-Solomon Codes)
(n,t+1)-RS code (over field F, |F| > n):
Encoding: Given a message block of t+1 field elements $m_0, m_1, \dots, m_t$, define
$f(x) = m_0 + m_1 x + \dots + m_t x^t$
$C = (f(1), f(2), \dots, f(n))$
Distance d of the (n,t+1)-RS code is: n-t
Theorem: an (n,t+1) RS code can correct x errors if d > 2x
With n >= 3t+1, d > 2t, so we can correct t errors
[Figure: parties $P_1, P_2, \dots, P_i, \dots, P_n$ holding $f(1), f(2), \dots, f(i), \dots, f(n)$]
Berlekamp-Welch Error Correction Algorithm for RS Codes
r(x): Polynomial defined by the broadcasted points (degree at most 3t)
f(x): Actual polynomial (degree at most t). Goal is to find this polynomial
e(x): Error polynomial $(x-e_1)(x-e_2)\cdots(x-e_t)$ with $e_1, e_2, \dots, e_t$ from {1,…,n} (degree t)
f(x)e(x) = r(x)e(x) at x = 1, 2, …, n
Not claiming the LHS and RHS polynomials are the same. They are the same at x = 1, 2, …, n
Let f(x)e(x) = q(x) (degree 2t); q(x) and e(x) are unknown
q(x) = r(x)e(x) at x = 1, 2, …, n
Find f(x) = Find e(x)
How to find e(x)? Solving a system of linear equations
3t+1 Unknowns: Coefficients of q(x) and e(x)
3t+1 Equations: solving the system of linear equations reduces to (publicly known) matrix multiplication
[Figure: parties $P_1, P_2, \dots, P_i, \dots, P_n$ holding $f(1), f(2), \dots, f(i), \dots, f(n)$]
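The linear system described on this slide, solved end to end, as an added Python example (not code from the lecture). The prime modulus, the helper names and the sample polynomial are assumptions made for this illustration; the decoder works on the received points directly, so r(x) is never interpolated.

```python
P = 2**31 - 1  # prime field modulus (assumption; the slides only need |F| > n)

def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):  # Horner, ascending coefficients
        acc = (acc * x + c) % P
    return acc

def solve_mod(A, b):  # Gauss-Jordan elimination mod P; free variables stay 0
    cols = len(A[0])
    M = [row + [v] for row, v in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, P)
        M[r] = [v * inv % P for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                m = M[i][c]
                M[i] = [(u - m * v) % P for u, v in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    sol = [0] * cols
    for i, c in enumerate(pivots):
        sol[c] = M[i][cols]
    return sol

def berlekamp_welch(points, t):
    """points = [(i, r_i)], n >= 3t+1 entries; returns (coefficients of f, error positions)."""
    A = [[pow(x, k, P) for k in range(2 * t + 1)] +
         [-r * pow(x, k, P) % P for k in range(t)] for x, r in points]
    b = [r * pow(x, t, P) % P for x, r in points]      # q(x) - r*(e(x) - x^t) = r*x^t
    sol = solve_mod(A, b)
    q, e = sol[:2 * t + 1], sol[2 * t + 1:] + [1]      # e(x) is monic of degree t
    f = [0] * (t + 1)
    for k in range(t, -1, -1):                         # long division f = q / e
        f[k] = q[k + t]
        for j, d in enumerate(e):
            q[k + j] = (q[k + j] - f[k] * d) % P
    bad = [x for x, r in points if poly_eval(f, x) != r]
    if any(q) or len(bad) > t:                         # nonzero remainder or too many mismatches
        raise ValueError("more than t corrupted shares")
    return f, bad

# Constructed sample (t = 2, n = 7): f(x) = 42 + 7x + 13x^2 with the shares of P3 and P6 replaced.
SAMPLE = [(i, {3: 1, 6: 12345}.get(i, poly_eval([42, 7, 13], i))) for i in range(1, 8)]
```

When fewer than t shares are wrong the system has several solutions, but every one of them gives the same quotient q(x)/e(x), which is why setting the free variables to 0 is safe.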
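Distributed Error Correction of RS Codes
[Figure: parties $P_1, P_2, \dots, P_i, \dots, P_n$ hold $f(1), f(2), \dots, f(i), \dots, f(n)$; the coefficients of e(x) are obtained from $f(1), f(2), \dots, f(i), \dots, f(n)$ by linear operations]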
i.t. Multi-party Computation
1. (n, t)-secret share each input
2. Find (n, t)-sharing of each intermediate value
   Linear gates: Linearity of Shamir Sharing - Non-Interactive
   Non-linear gates: Require degree-reduction technique - Interactive
3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other
[Figure: example circuit with wire values 3, 9, 2, 1, 5, 3, 48, 45, 144]
Secure Multiplication Gate Evaluation
Inputs a, b; output ab
$P_1$: $a_1 b_1 = c_1$; $P_2$: $a_2 b_2 = c_2$; $P_3$: $a_3 b_3 = c_3$; …; $P_n$: $a_n b_n = c_n$
$f(x) = f_1(x) f_2(x)$ of degree 2t
Recombination Vector $(r_1, \dots, r_n)$
Secure Multiplication Gate Evaluation
Inputs a, b; output ab
$P_1$: $a_1 b_1 = c_1$; $P_2$: $a_2 b_2 = c_2$; $P_3$: $a_3 b_3 = c_3$; …; $P_n$: $a_n b_n = c_n$
Each $P_i$ Shamir-shares $c_i$
$r_1 c_1 + \dots + r_n c_n$ gives ab
$f(x) = f_1(x) f_2(x)$ of degree 2t
Recombination Vector $(r_1, \dots, r_n)$
Secure Multiplication Gate Evaluation
Inputs a, b; output ab
$P_1$: $a_1 b_1 = c_1$; $P_2$: $a_2 b_2 = c_2$; $P_3$: $a_3 b_3 = c_3$; …; $P_n$: $a_n b_n = c_n$
Each $P_i$ VSS-shares $c_i$
$r_1 c_1 + \dots + r_n c_n$ gives ab
$f(x) = f_1(x) f_2(x)$ of degree 2t
Recombination Vector $(r_1, \dots, r_n)$
Secure Multiplication Gate Evaluation
Inputs a, b; output ab
$P_1$: $a_1 b_1 = c_1$; $P_2$: $a_2 b_2 = c_2$; $P_3$: $a_3 b_3 = c_3$; …; $P_n$: $a_n b_n = c_n$
Each $P_i$ VSS-shares its product-share; the shared values are $c_1, c_2, c'_3, \dots, c'_n$
$r_1 c_1 + \dots + r_n c'_n$ gives c
Force them to share the CORRECT product-share
$f(x) = f_1(x) f_2(x)$ of degree 2t
Recombination Vector $(r_1, \dots, r_n)$
Secure Multiplication Gate Evaluation
A corrupted party will either get discarded or share the correct c-value
$P_1$: $a_1 b_1 = c_1$; $P_2$: $a_2 b_2 = c_2$; $P_3$: $a_3 b_3 = c_3$; …; $P_n$: $a_n b_n = c_n$
Secure Multiplication Gate Evaluation
Each $P_i$ VSS-shares $a_i$ and $b_i$
[Figure: parties $P_1, P_2, P_3, \dots, P_n$ with shares $a_1, b_1, a_2, b_2, a_3, b_3, \dots, a_n, b_n$]
Secure Multiplication Gate Evaluation
Each $P_i$ VSS-shares $a_i$ and $b_i$; the shared values are $a_1, b_1, a_2, b_2, a'_3, b'_3, \dots, a'_n, b'_n$
Distributed Error Correction
> Get error locations
> Ignore the corresponding parties
> Remaining parties have shared their a and b shares correctly
Focus on one party
Secure Multiplication Gate Evaluation (abusing notation)
How to reduce the degree and randomize the polynomial?
[Figure: party P with a, b, c and polynomials A(x), B(x); shares $a_1, b_1, a_2, b_2, a_3, b_3, \dots, a_n, b_n$]
• C(x) = A(x)B(x)
• 2t-degree
• Non-random
Choose t random polynomials $D_1(x), \dots, D_t(x)$ s.t. the following polynomial is random and of degree at most t with constant term c = ab:
$D(x) = C(x) - x D_1(x) - \dots - x^t D_t(x)$
$C(x) = c + c_1 x + \dots + c_t x^t + c_{t+1} x^{t+1} + \dots + c_{2t-1} x^{2t-1} + c_{2t} x^{2t}$
$D_t(x) = r_{t,1} + r_{t,2} x + \dots + r_{t,t-1} x^{t-1} + c_{2t} x^t$
Secure Multiplication Gate Evaluation
How to reduce the degree and randomize the polynomial?
[Figure: party P with a, b, c and polynomials A(x), B(x); shares $a_1, b_1, a_2, b_2, a_3, b_3, \dots, a_n, b_n$]
• C(x) = A(x)B(x)
• 2t-degree
• Non-random
Choose t random polynomials $D_1(x), \dots, D_t(x)$ s.t. the following polynomial is random and of degree at most t with constant term c = ab:
$D(x) = C(x) - x D_1(x) - \dots - x^t D_t(x)$
$C(x) = c + c_1 x + \dots + c_t x^t + c_{t+1} x^{t+1} + \dots + c_{2t-1} x^{2t-1} + c_{2t} x^{2t}$
$x^t D_t(x) = r_{t,1} x^t + r_{t,2} x^{t+1} + \dots + r_{t,t-1} x^{2t-1} + c_{2t} x^{2t}$
$D_{t-1}(x) = r_{t-1,1} + r_{t-1,2} x + \dots + (c_{2t-1} - r_{t,t-1}) x^t$
Secure Multiplication Gate Evaluation
How to reduce the degree and randomize the polynomial?
[Figure: party P with a, b, c and polynomials A(x), B(x); shares $a_1, b_1, a_2, b_2, a_3, b_3, \dots, a_n, b_n$]
• C(x) = A(x)B(x)
• 2t-degree
• Non-random
Choose t random polynomials $D_1(x), \dots, D_t(x)$ s.t. the following polynomial is random and of degree at most t with constant term c = ab:
$D(x) = C(x) - x D_1(x) - \dots - x^t D_t(x)$
$C(x) = c + c_1 x + \dots + c_t x^t + c_{t+1} x^{t+1} + \dots + c_{2t-1} x^{2t-1} + c_{2t} x^{2t}$
$x^t D_t(x) = r_{t,1} x^t + r_{t,2} x^{t+1} + \dots + r_{t,t-1} x^{2t-1} + c_{2t} x^{2t}$
$x^{t-1} D_{t-1}(x) = r_{t-1,1} x^{t-1} + r_{t-1,2} x^t + \dots + (c_{2t-1} - r_{t,t-1}) x^{2t-1}$
Secure Multiplication Gate Evaluation
$D(x) = C(x) - x D_1(x) - \dots - x^t D_t(x)$
- Degree t
- Random
- Constant term is c
D(x) is an ideal polynomial to be used for sharing c
Secure Multiplication Gate Evaluation (using VSS; and setting F(x,0))
[Figure: party P with a, b, A(x), B(x), C(x) VSS-shares $D(x), D_1(x), D_2(x), \dots, D_t(x)$; $P_i$ holds $a_i, b_i, a_i b_i, d_i$ and $d_{1i}, d_{2i}, \dots, d_{ti}$]
$D(x) \stackrel{?}{=} C(x) - x D_1(x) - \dots - x^t D_t(x)$
$d_1 \stackrel{?}{=} a_1 b_1 - 1 \cdot d_{11} - \dots - 1^t d_{t1}$
$d_2 \stackrel{?}{=} a_2 b_2 - 2 \cdot d_{12} - \dots - 2^t d_{t2}$
$d_3 \stackrel{?}{=} a_3 b_3 - 3 \cdot d_{13} - \dots - 3^t d_{t3}$
$d_n \stackrel{?}{=} a_n b_n - n \cdot d_{1n} - \dots - n^t d_{tn}$
If P is honest we are done, since D(x) is a random polynomial of degree at most t
Secure Multiplication Gate Evaluation
D(x) is degree t but may not share c. RHS may not be degree t but shares c
[Figure: party P with a, b, A(x), B(x), C(x) VSS-shares $D(x), D_1(x), D_2(x), \dots, D_t(x)$; $P_i$ holds $a_i, b_i, a_i b_i, d_i$ and $d_{1i}, d_{2i}, \dots, d_{ti}$]
$D(x) \stackrel{?}{=} C(x) - x D_1(x) - \dots - x^t D_t(x)$
$d_1 \stackrel{?}{=} a_1 b_1 - 1 \cdot d_{11} - \dots - 1^t d_{t1}$
$d_2 \stackrel{?}{=} a_2 b_2 - 2 \cdot d_{12} - \dots - 2^t d_{t2}$
$d_3 \stackrel{?}{=} a_3 b_3 - 3 \cdot d_{13} - \dots - 3^t d_{t3}$
$d_n \stackrel{?}{=} a_n b_n - n \cdot d_{1n} - \dots - n^t d_{tn}$
$P_3$ complains: check if the complaint is correct; if so discard P, else ignore the complaint.
If all honest parties find the relation true, then D(x) shares c. But we do not know who is honest/corrupted
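The construction of D_1(x), …, D_t(x) and the per-party relation check from the preceding slides, as an added Python example (not code from the lecture). It works on plain polynomials and leaves out the VSS layer; the prime modulus and the names reduce_degree, relation_holds and complainers are assumptions made for this illustration.

```python
import secrets

P = 2**31 - 1  # prime field modulus (assumption)

def ev(poly, x):
    acc = 0
    for c in reversed(poly):  # Horner, ascending coefficients
        acc = (acc * x + c) % P
    return acc

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            out[i + j] = (out[i + j] + u * v) % P
    return out

def reduce_degree(C, t):
    """Return (D, [D_1..D_t]) with D(x) = C(x) - sum_k x^k D_k(x), deg D <= t, D(0) = C(0)."""
    R, Ds = C[:], []
    for k in range(t, 0, -1):
        # t random low coefficients; the x^t coefficient cancels the x^(t+k) term left so far
        Dk = [secrets.randbelow(P) for _ in range(t)] + [R[t + k]]
        for j, coef in enumerate(Dk):
            R[k + j] = (R[k + j] - coef) % P
        Ds.insert(0, Dk)
    return R[:t + 1], Ds

def relation_holds(i, a_i, b_i, d_i, dk_i):
    """P_i's local check: d_i == a_i*b_i - sum_k i^k * d_{k,i}."""
    return d_i == (a_i * b_i - sum(pow(i, k + 1, P) * d for k, d in enumerate(dk_i))) % P

def complainers(a, b, t, n, cheat=False):
    """Parties whose check fails. cheat=True: P shares a degree-t D' with D'(0) != ab."""
    A = [a] + [secrets.randbelow(P) for _ in range(t)]
    B = [b] + [secrets.randbelow(P) for _ in range(t)]
    D, Ds = reduce_degree(poly_mul(A, B), t)
    if cheat:
        delta = [1]
        for j in range(1, t + 1):      # delta(x) = (x-1)...(x-t), zero only at P_1..P_t
            delta = poly_mul(delta, [-j % P, 1])
        D = [(u + v) % P for u, v in zip(D, delta)]
    return [i for i in range(1, n + 1) if not relation_holds(
        i, ev(A, i), ev(B, i), ev(D, i), [ev(Dk, i) for Dk in Ds])]
```

A wrong degree-t D(x) differs from the correct one by a nonzero polynomial of degree at most t, so it can agree with the relation at no more than t evaluation points; in the constructed cheat above only parties 1..t see the relation hold.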
Chalk & Talks
CT4 [LR15]: Blazing Fast 2PC in the Offline/Online Setting with Security for Malicious Adversaries. https://eprint.iacr.org/2015/987.pdf
CT5 [AMPR15]: Non-Interactive Secure Computation Based on Cut-and-Choose. http://eprint.iacr.org/2015/282
CT6 [IOZ15]: Secure Multi-Party Computation with Identifiable Abort. http://eprint.iacr.org/2015/325
CT7 [LPSY15]: Efficient Constant Round Multi-party Computation Combining BMR and SPDZ. https://eprint.iacr.org/2015/523
CT8 [HR14]: Multi-Valued Byzantine Broadcast: the t < n Case. http://eprint.iacr.org/2013/553