Practical comparison of secret values – and practical applications
Tomas Toft (CWI & TU/e)
Sabanci University, April 18th 2008
Overview of this Talk
• What and why of MPC
• Algorithmic protocol construction
• Practical comparison of secret values
• Applications
• Small demo of VIFF
Multiparty Computation
(figure: three parties holding private inputs x1, x2, x3 jointly compute f(x1, x2, x3))
Why Perform MPC
• Plenty of real-world motivation for privacy
  • Auctions
  • Data-mining
  • Benchmarking
• The use of MPC techniques in practice is limited despite plenty of motivation
How to Perform MPC
• In theory we can do anything [Yao86, GMW87, BGW88, CCD88]
  • Basically secure function evaluation (SFE)
• Some “problems”
  • MPC can also be reactive/interactive
  • Large computations are not described using circuits
  • Computation may be wasted, e.g. simulating secure Boolean arithmetic in a large ring
An Algorithmic Approach
• Assume access to a trusted third party (TTP) who runs the computation
  • Input, output, and arithmetic only
• Can be implemented using standard solutions
  • Algorithm → circuits → protocol
  • Multiplications provide the measure of complexity
  • Z_m arithmetic simulates integer arithmetic
• Adding new operations to the TTP is easy
  • Constructed from arithmetic (and I/O)
An Auction Example (Highest Bid)
• Receive bids
• For [b] in bids do
  • if [b] >? [max] then [max] := [b]
  • i.e., with arithmetic only: [max] := ([b] >? [max]) ∙ ([b] – [max]) + [max]
• Output [max]
Disclaimer: for clarity only; linear round complexity
Pros and Cons
• Pros
  • Simple protocol construction
  • Description follows high-level intuition
  • Simple, iterative protocol construction
• Cons
  • Difficult complexity analysis
  • Concrete protocols allow more efficiency tweaks
Comparison (<?)
• Given secret inputs [a] and [a’]:
  • Compute [b] = [a] <? [a’] ∈ {0,1}
• Assume
  • a, a’ are of bounded size (l bits), a ≠ a’
  • Computation modulo a prime p > 2^(l+k) + 2^k
  • There is a source of secret randomness
• Cannot compare with arithmetic only
  • Transform to a solvable problem
Initial Problem Transformation
• Extract the (l+1)’th bit of [z] = 2^l + [a] – [a’]
  • [z] – [z mod 2^l] is the result (almost)
• Add a uniformly random shared (l+k)-bit value (with shared bits) and reconstruct
  • [r] = Σ_i 2^i [r_i]
  • c = [z] + [r]
  • [z mod 2^l] = (c mod 2^l – [r mod 2^l]) mod 2^l
• The final “mod 2^l” can be accomplished by comparing [r mod 2^l] and c mod 2^l
Comparing [r] and c
• For each bit position i compute
  • [e_i] = 1 + c_i – [r_i] + Σ_{j>i} c_j [r_j] ([DGK07])
  • The product of the [e_i] will be 0 when [r] > c
• Reveal d = [v] ∙ ∏_i [e_i]
• Compute instead
  • [e_i] = [s] + c_i – [r_i] + 3 Σ_{j>i} c_j [r_j]
  • The final result is (d == 0) ([s] == −1)
• The whole thing boils down to a product of l+1 shared values
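The “Highest Bid” loop and the masking transformation of the comparison slides, as an added Python example (this is not code from the talk or from VIFF): the TTP's arithmetic is simulated on plain integers, so the only step that is genuinely opened is c = z + r, and the bitwise [DGK07] subcomparison of r mod 2^l with c mod 2^l is computed directly rather than as the e_i product. The parameters l = 8, k = 8 and the prime p = 131071 are chosen for the example.

```python
import secrets

# Constructed parameters for the example: inputs are l-bit, k bits of
# statistical masking, and p must exceed 2^(l+k) + 2^(l+1) so that
# c = z + r never wraps modulo p (131071 = 2^17 - 1 is prime).
L, K, P = 8, 8, 131071


def secret_lt(a, a_prime, l=L, k=K, p=P):
    """[a] <? [a'] for l-bit a != a', following the slides' transformation.

    Computed on plain integers (the TTP's view); in a real run only c
    would be reconstructed, every other value stays secret-shared.
    """
    assert 0 <= a < 2**l and 0 <= a_prime < 2**l and a != a_prime
    # z = 2^l + a - a' lies in [1, 2^(l+1)), so bit l of z is 1 iff a > a'.
    z = (2**l + a - a_prime) % p
    # Uniformly random (l+k)-bit r; its low l bits would be shared bitwise.
    r = secrets.randbelow(2**(l + k))
    # The one revealed value: r hides z up to statistical distance ~2^-k.
    c = (z + r) % p
    # z mod 2^l = (c mod 2^l - r mod 2^l) mod 2^l; the outer "mod 2^l" is a
    # comparison of the secret r mod 2^l with the public c mod 2^l.
    c_low, r_low = c % 2**l, r % 2**l
    wrapped = 1 if r_low > c_low else 0      # the [DGK07] step, in the clear
    z_low = c_low - r_low + wrapped * 2**l
    # (z - z mod 2^l) / 2^l is bit l of z, i.e. [a > a']; negate for <?.
    bit_l = (z - z_low) // 2**l
    return 1 - bit_l


def highest_bid(bids, l=L, k=K, p=P):
    """The 'Highest Bid' loop: selection by arithmetic only, no branching."""
    assert len(set(bids)) == len(bids)        # slides assume a != a'
    max_bid = bids[0]
    for b in bids[1:]:
        gt = secret_lt(max_bid, b, l, k, p)   # [b] >? [max]
        # [max] := ([b] >? [max]) * ([b] - [max]) + [max], all modulo p
        max_bid = (gt * (b - max_bid) + max_bid) % p
    return max_bid


if __name__ == "__main__":
    print(secret_lt(3, 200), secret_lt(200, 3))   # 1 0
    print(highest_bid([12, 250, 7, 99]))          # 250
```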
Theoretical vs Practical Solution
• Above: O(log l) rounds, O(l) multiplications
• Theory: O(1) rounds, O(l) multiplications
• But theory has worse constants:
  • [RT07]: 10 rounds, 24l multiplications
  • Above: log(l+1) + preprocessing rounds, l multiplications + randomness
• For many input sizes, the above wins outright
• Even when there is a tradeoff between rounds and computation, the above may win
Final Words on Comparison
• Efficient theory does not imply practical efficiency
  • Rounds matter, but so do communication size and computation
  • Often the same overall ideas can be applied
• The comparison operator has been implemented in VIFF
  • Runs on 500-bit numbers in seconds
Applications
• The TTP is quite a powerful “secure computer”
• A few example applications
  • Auction
  • Double auction
  • Benchmarking
Double Auction
• Buyers and sellers trade one type of good
• Goal: determine the market clearing price (MCP)
  • Done using additions and a binary search
  • All trade occurs at the MCP, bids are binding
• Motivation: trading sugar beet quotas
  • Has been run (3 parties, distributed trust)
  • Input data from 1200 farmers
• See [BCD+08] for more details, ePrint:2008/068
Benchmarking (and Others)
• Companies want to know how well they are doing
  • Compare performance to that of competitors
  • E.g. relative performance pay scheme [NT07]
• Actual performance is a trade secret
• Can be translated to solving a linear program
• Other LP examples: multi-attribute auctions, bilateral negotiations
Linear Programming
• The problem
  • Maximize f(x_1, …, x_n) = Σ_i f_i ∙ x_i
  • Subject to Σ_i c_{i,j} ∙ x_i ≤ b_j for 1 ≤ j ≤ m
• Not necessarily integer computation and result
Solving LPs Efficiently
• There is a variant of simplex using only integer computation
  • Works using repeated refinement of the problem in tableau form
• Generally efficient, but may require exponentially many steps
• Therefore:
  • Perform pivots (refinements) obliviously…
  • But test termination publicly
MPC-simplex
• Iterations consist of
  • Computing minimal values (of many)
  • Updating the tableau (integer arithmetic)
• Iteration-obliviousness is “cheap”
  • Essentially the same complexity as a non-oblivious version, but with MPC
  • Termination condition is “free”
Conclusions
• MPC comparison is possible, even on large values
• This can be used to construct large-scale applications
  • The Double Auction runs
  • Simplex should run on relatively large problems
• Good theory does not imply good practice (but it should not be ignored)
Virtual Ideal Functionality Framework (VIFF)
• Python implementation of Shamir sharing and Gennaro et al. multiplication [GRR]
• Asynchronous communication using deferreds
• Allows field arithmetic and comparison
• More on http://www.viff.dk