Efficient Multiparty Protocols via Log-Depth Threshold Formulae. Ron Rothblum, Weizmann Institute. Joint work with Gil Cohen, Ivan Damgard, Yuval Ishai, Jonas Kolker, Peter Bro Miltersen and Ran Raz.
Secure Multiparty Computation (MPC) [Yao86,GMW87]: mutually distrustful parties wish to jointly perform some computational task securely. An adversary that controls a (limited) subset of the parties learns nothing more than the inputs and outputs of the parties it controls.
Feasibility Results: Perfect Security [BGW88,CCD88]. Assume a synchronous network with private channels and a computationally unbounded adversary. Passive security: every functionality can be securely computed if the adversary passively controls parties. Active security: every functionality can be securely computed if the adversary actively controls parties.
Our Contribution. There is a huge body of work on secure MPC, but the protocols are fairly complicated. We suggest a conceptually simple and flexible approach to designing efficient MPC protocols. Building blocks:
• Player emulation - builds on Hirt-Maurer [HM00] but with a different motivation.
• Simple constant-party MPC protocols.
• Threshold formulae composed of threshold gates.
Applications:
• Conceptually simple protocols for perfectly secure MPC, obtaining passive/active security.
• New results on feasibility of MPC in a variety of settings, e.g., secure MPC over algebraic structures such as non-Abelian groups.
• Distributed computing: broadcast/Byzantine agreement.
MPC via Player Emulation [HM00]. A player in a protocol is a reactive functionality, so it can be emulated by other players. This reduces the construction of -party protocols to the construction of constant-party protocols. Designing constant-party protocols is typically easier (their complexity may be exponential in the number of parties, which is harmless for a constant).
MPC via Player Emulation. For simplicity, first consider passive security: reduce an -party protocol to a 3-party protocol (3 is the minimal number of parties needed for security against one passive party). Assume that for every computational task we have a 3-party protocol secure against 1 passive party. Start with an -party protocol with a trusted party.
MPC with a Trusted Party (figure: parties 1 to 5 and a trusted party).
MPC with a Trusted Party: the trusted party can be emulated by three virtual parties.
MPC via Player Emulation: the parties send their inputs to the virtual party, which is emulated by the three virtual parties.
MPC via Player Emulation: the three virtual parties emulate the trusted party's functionality.
MPC via Player Emulation: the output is sent back to the parties.
MPC via Player Emulation: the initial protocol was secure as long as the adversary did not control the trusted party. The new protocol is secure as long as the adversary does not control a majority of the three virtual parties. Proceed by emulating one of the virtual parties by 3 more virtual parties.
MPC via Player Emulation: the parties send their inputs to the reactive functionality.
MPC via Player Emulation: at each level, the virtual parties emulate the party they replace (the figure shows three emulation steps).
MPC via Player Emulation: the output is sent back to the parties.
MPC via Player Emulation. The protocol is secure even if the adversary controls: One of and one of ; or , and . Consider the formula: Associate wires with parties and place 1 on the input wires of the parties that the adversary controls. If the output is 0, then the protocol is secure against this adversary.
MPC via Player Emulation. We can keep doing this recursive emulation by following some given formula. The leaves are emulated by the real players. The protocol is secure as long as the formula evaluates to 0. If the formula computes the majority function, the protocol is secure against every adversary that controls less than half of the parties (as in [BGW]). Complexity: every atomic operation is emulated by a constant-size protocol, so protocol complexity grows exponentially in the depth of the formula; a log-depth formula therefore yields a polynomial-size protocol.
Comparison with [HM00]. The recursive emulation approach was suggested by [HM00] as a way to obtain security against general adversary structures. They obtain exponential-size protocols for a rich class of adversary structures (). We follow their approach but obtain an efficient protocol by focusing only on the adversary that controls of the parties.
MPC via Player Emulation:
• Construct a secure 3-party protocol.
• Majority from majorities: construct a log-depth formula that computes majority using only gates (no constants or negations).
3-Party Protocols. We can use BGW restricted to 3 parties or, better yet, the "MPC made simple" protocol of [Maurer02]. Maurer's protocol is simple and elegant but exponential in the number of parties. For 3 parties this is not an issue!
Majority from Majorities. A randomized construction of majority-from-majorities [implicit in Valiant84]: statistical security, . An explicit construction of "approximate majority" that outputs the majority value whenever at least 51% of the inputs agree: perfect security, . If exponentially strong OWFs exist, an explicit construction that works on every input; actually even perfect security, , conditional.
Active Security. Follow the same paradigm, except that now we reduce -party protocols to 4-party protocols (4 is the minimal number of parties for security against one active party). Emulate virtual parties by 4 virtual parties, out of which 1 can be malicious. Proceed as before, but now we need a log-depth threshold -out-of- formula composed of 2-out-of-4 threshold gates. We construct a formula that works if <33% or >34% of the inputs are 1. Or even
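The formula view of recursive emulation above, the randomized majority-from-majorities construction, and the 2-out-of-4 gates of the active setting can all be exercised with the same small evaluator. The following is an added example written for this page, not code from the slides or the paper; the tree encoding of formulae, the function names and the parameters (n = 100 parties, depth 7, 200 trials) are the example's own choices.

```python
import math
import random

# A threshold formula is a tree. A leaf is an int, the index of a real party.
# An internal node is (t, children): a t-out-of-len(children) threshold gate,
# i.e. a virtual party emulated by its children. 2-out-of-3 gates model the
# passive 3-party protocol (secure against 1), 2-out-of-4 the active 4-party
# one. A wire carries 1 exactly when the adversary controls that party.

def evaluate(node, corrupt):
    """Return 1 iff the (virtual) party at this node is controlled by the adversary."""
    if isinstance(node, int):
        return 1 if node in corrupt else 0
    t, children = node
    return 1 if sum(evaluate(c, corrupt) for c in children) >= t else 0

def is_secure(formula, corrupt):
    """The emulated protocol is secure iff the root (the trusted party) stays honest."""
    return evaluate(formula, corrupt) == 0

def random_formula(n, depth, t=2, fan_in=3, rng=random):
    """Valiant-style random formula: every leaf is a uniformly random party index."""
    if depth == 0:
        return rng.randrange(n)
    return (t, [random_formula(n, depth - 1, t, fan_in, rng) for _ in range(fan_in)])

def corruption_prob(p, depth, t=2, fan_in=3):
    """Exact probability that the root of a depth-`depth` random formula is
    corrupted when each leaf is independently corrupted with probability p."""
    for _ in range(depth):
        p = sum(math.comb(fan_in, k) * p**k * (1 - p)**(fan_in - k)
                for k in range(t, fan_in + 1))
    return p

def empirical_failure_rate(n, k, depth, trials, seed=0, t=2, fan_in=3):
    """Fraction of sampled formulas that are insecure against a fixed set of k parties."""
    rng = random.Random(seed)
    corrupt = set(range(k))  # by symmetry, which k parties are corrupt is irrelevant
    bad = sum(not is_secure(random_formula(n, depth, t, fan_in, rng), corrupt)
              for _ in range(trials))
    return bad / trials

if __name__ == "__main__":
    # Two-level emulation as in the slides: the trusted party is emulated by three
    # virtual parties, and the first of those is in turn emulated by parties 0, 1, 2.
    two_level = (2, [(2, [0, 1, 2]), 3, 4])
    print(is_secure(two_level, {0, 3}), is_secure(two_level, {3, 4}))  # True False
    print(corruption_prob(0.4, 7), empirical_failure_rate(100, 40, 7, 200))
```

Note that `two_level` is secure against {0, 1} yet insecure against {3, 4}, both minorities, which is why a formula that computes majority is needed for security against every minority. Iterating plain 2-out-of-4 gates at random only drives corruption fractions below about 0.23 to zero (the fixed point of that gate's amplification map), so the 1/3-threshold formula of the slides requires a more careful construction than `random_formula`.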
Applications. Simplifications*:
• MPC over fields ([BGW88], [CCD88], [AL13]).
• MPC over rings ([CFIK03]).
• MPC over groups ([DPSW07,DPS+12a,DPS12+b]).
• Distributed computing: broadcast, broadcast from 2-cast ([FM00]).
* Caveats: non-optimal threshold and higher polynomial complexity.
Applications. New results:
• MPC over groups:
  • Passive setting: explicit protocol for , improving on of [DPS+12b].
  • Active setting: first efficient protocol, improves on the inefficient protocol of [DPS+12a].
• Two-party protocol in the hybrid-OT model.
• MPC over multilinear maps.
Conclusions and Open Questions. MPC methodology:
• Design simple constant-party protocols.
• Prove a player emulation theorem.
Intriguing connections to open questions in complexity theory:
• Explicit exact majority-from-majorities formula.
• Exact threshold-from-thresholds formula (even non-explicit).