This paper discusses the construction of round-optimal multi-party computation protocols without the need for setup, ensuring correctness and security against malicious adversaries.
CRYPTO 2018: Round-Optimal Secure Multi-Party Computation WITHOUT Setup
Shai Halevi (IBM), Carmit Hazay (Bar-Ilan University), Antigoni Polychroniadou (Cornell Tech), Muthuramakrishnan Venkitasubramaniam (University of Rochester)
Secure Multi-Party Computation (MPC): f(x1, x2, x3, x4) = (y1, y2, y3, y4), where party Pi holds input xi and receives output yi.
• Goal:
• Correctness: everyone computes f(x1,…,x4)
• Security: nothing else but the output is revealed
Adversary: PPT, malicious, static.
• Can we construct round-optimal (4-round) MPC protocols? f(x1, x2, x3, x4) = (y1, y2, y3, y4)
• Without setup
• In the presence of malicious adversaries
• Under standard (polytime) assumptions
• Goal:
• Correctness: everyone computes f(x1,…,x4)
• Security: nothing else but the output is revealed
Adversary: PPT, malicious, static.
[GMPP16]: 4 rounds are necessary with black-box simulation.
State-of-the-Art: Can we construct 4-round MPC protocols?
• 1987: [GMW] O(dF)-round protocol
• 1990: [BMR] 1st O(1)-round protocol* (*honest majority)
• 2003-2012: O(1)-round protocols [KOS03, KO04, Pas04, DI05, DI06, IPS08, Wee10, Goy11, LP11, GLOV12]
• 2016: [GMPP] lower bound: 4 rounds; 6-round protocol
• 2017-2018: 5-round protocols [ACJ17, BL18]; 4-round protocols [ACJ17, BHP17]
Lower bound: 5 rounds for sequential 2PC [KO04, ORS15]
Our Results
Theorem (informal): Injective OWFs + ZAPs + AHE ⇒ 4-round malicious MPC. QR ⇒ 4-round malicious MPC.
Corollary (informal): ETDP + LWE/QR/DDH/DCR ⇒ 4-round malicious MPC.
Concurrent work [BGJKKS]: Injective OWFs + dense cryptosystems + 2-round OT ⇒ 4-round malicious MPC. Corollary: QR/DDH/DCR/LWE ⇒ 4-round malicious MPC.
GMW paradigm compilation (1) [ACJ17, BL18]: 4-round (or 2-round) semi-malicious MPC [GS18, BL18] + delayed-input 4-round NMZK ⇒ 5-round malicious MPC.
GMW paradigm compilation (2) [ACJ17, BHP17]: 4-round (or 3-round) semi-malicious MPC + delayed-input 3-round NMZK with complexity leveraging ⇒ 4-round malicious MPC from sub-exponential assumptions.
GMW paradigm compilation (2) [ACJ17, BHP17]: 4-round (or 2-round) semi-malicious MPC + delayed-input 3-round ‘NMZK’ with complexity leveraging ⇒ 4-round malicious MPC from sub-exponential assumptions. Note: 3-round ZK proofs are impossible [GK96].
Our Approach: 4-round WI-friendly semi-malicious MPC + 3-round NMWI primitive ⇒ 4-round malicious MPC (3-round ZK proofs are impossible, so NMWI replaces NMZK).
Our Approach in a nutshell:
• Semi-malicious MPC
• Design NMWI*
• Incorporate Naor-Yung
• Tolerate additive errors
Our Approach in a nutshell: Secure computation of f(x) reduces to secure computation of a randomized encoding (RE) of f(x), built from many instances of a 3-bit MULT protocol based on 2-round oblivious transfer [ACJ17].
• Q: Randomized Encoding with degree 3?
• A: 3-bit multiplication protocol 3MULT based on 2-round OT [ACJ17]
Our Approach in a nutshell:
• Q: Can we replace ZK by WI? (Unlike ZK proofs, in WI proofs the simulator must follow the real prover strategy with a real witness.)
• A: Modify 3MULT using the Naor-Yung paradigm.
Our Approach in a nutshell: To accommodate WI proofs we need to weaken the correctness guarantees.
• Q: Can we protect against all adversarial attacks?
• A: The adversary can include additive errors in the computation.
Our Approach in a nutshell (summary):
• Randomized Encoding with degree 3 → 3-bit 3MULT protocol via 2-round OT
• Replace ZK by WI (+ require sender-equivocal OT, via additive HE) → modify 3MULT using the NY paradigm
• Achieve ‘NMWI’ using 3-round weak NMCOMs → modify weak NMCOM using the NY paradigm
• Tolerate additive errors → weaken correctness guarantees (WI proofs do not protect against all adversarial attacks)
Starting Point: 3-party 3-bit multiplication protocol (3MULT) [Yuval+ACJ17]
Theorem (informal) [ACJ17]: Assuming 2-round OT, there is a 3-round 3-bit multiplication protocol 3MULT.
Parties P1(x1), P2(x2), P3(x3) run three OT instances: OTα, OTβ, OTγ.
Double 3MULT using the NY Paradigm: parties P1(x1), P2(x2), P3(x3); each OT is doubled: OTα/OTα', OTβ/OTβ', OTγ/OTγ'.
Double 3MULT using the NY Paradigm: parties P1(x1), P2(x2), P3(x3); each OT is doubled: OTα/OTα', OTβ/OTβ', OTγ/OTγ'. Need to weaken the WI statement.
Tolerate Additive Errors: build an RE secure against additive attacks. The compilers of [GIPST14, GIP15, GIW16] cannot be used directly.
• Stage 1: Choose the RE and massage double 3MULT so that additive errors reduce to additive errors on the underlying circuit C.
• Stage 2: Precompile the underlying circuit C using [GIPST14, GIP15, GIW16], obtaining C’.
Conclusion: Round-optimal MPC protocol
• Without setup
• In the presence of malicious adversaries
• Under standard (polytime) assumptions
Theorem (informal): ETDP + QR/LWE/DDH/DCR ⇒ 4-round malicious MPC. QR ⇒ 4-round malicious MPC.
Open Problems
• 4-round malicious MPC from minimal assumptions (4-round malicious OT)
• 4-round MPC
Our Approach in a nutshell:
• Q: How can we achieve extraction and WI with non-malleability guarantees?
• A: Extract via a 3-round weak non-malleable commitment [GRRV14]; modify the 3-round weak NMCOM using the Naor-Yung paradigm; make the weak NMCOM rewinding-safe.
Circuits resilient to additive attacks [GIPST14, GIP15, GIW16]: Any additive attack on C’ translates to an equivalent additive attack on the inputs of C’. (Figure: a circuit C of +/− gates and its compiled version C’, with wire errors +1/−1 illustrated.)
Starting Point: 3-party 3-bit multiplication protocol (3MULT) [Yuval+ACJ17]
Theorem (informal) [ACJ17]: Assuming 2-round OT, there is a 3-round 3-bit multiplication protocol.
Parties and randomness: P1(x1; s1), P2(x2; r2, s2), P3(x3).
• OTα[P1(x1), P2(−r2, x2−r2)]: P1 obtains u = x1x2 − r2
• OTβ[P3(x3), P2(−s2, r2−s2)]: P3 obtains v = r2x3 − s2
• OTγ[P3(x3), P1(−s1, u−s1)]: P3 obtains w = ux3 − s1
Output: P1 holds s1, P2 holds s2, P3 holds v+w, and s2 + s1 + (r2x3 − s2) + ((x1x2 − r2)x3 − s1) = x1x2x3.
Double 3MULT using the NY Paradigm: P1(x1; s1), P2(x2; r2, s2), P3(x3); OT pairs OTα/OTα', OTβ/OTβ', OTγ/OTγ' yield u, v, w and the shares s1, s2, v+w as before. The receiver sets the same input in both OTs of a pair; the sender secret-shares its input across the two OTs.
Double 3MULT using the NY Paradigm: P1(x1; s1), P2(x2; r2, s2), P3(x3); receiver inputs x1 (OTα/OTα') and x3 (OTβ/OTβ', OTγ/OTγ'); outputs u, v, w and shares s1, s2, v+w. The receiver sets the same input in both OTs of a pair; the sender secret-shares its input across the two OTs.
Incorporating NMWI: There is a “” problem
Incorporating NMWI. Problem: 3rd-round message depends on . Solution: Don’t enforce correctness with .
So what if is not correct? P1(x1; s1), P2(x2; r2, s2), P3(x3); u = x1x2 − r2, v = r2x3 − s2, w = ux3 − s1; P3 holds v+w, P2 holds s2, P1 holds s1.
So what if is not correct? P1(x1; s1), P2(x2; r2, s2), P3(x3); u = x1x2 − r2, v = r2x3 − s2, but now w = u'x3 − s1; P3 holds v+w, P2 holds s2, P1 holds s1. An incorrect results in
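A constructed Python toy of the 3MULT protocol on the preceding slides, covering the plain protocol, the Naor-Yung doubled OT of the Double 3MULT slides, and this slide's case where P1 feeds an incorrect u' into OTγ; it is added here and is not the authors' code. It works over GF(2), so the slides' subtraction is XOR; the OT is an idealized local stand-in with no cryptography, and the names three_mult, double_ot and the u_error knob are my own.

```python
"""Toy 3MULT (3-party 3-bit multiplication) over GF(2) with an ideal-OT stand-in."""
import secrets
from itertools import product

def ideal_ot(choice: int, m0: int, m1: int) -> int:
    """Ideal 1-out-of-2 OT: receiver learns m_choice, nothing about the other message."""
    return m1 if choice else m0

def double_ot(choice: int, m0: int, m1: int) -> int:
    """Doubled OT (NY paradigm): the sender secret-shares (m0, m1) across two OTs,
    the receiver uses the same choice bit in both and XORs the two outputs."""
    a0, a1 = secrets.randbelow(2), secrets.randbelow(2)  # fresh sharing of the sender pair
    return ideal_ot(choice, a0, a1) ^ ideal_ot(choice, m0 ^ a0, m1 ^ a1)

def three_mult(x1: int, x2: int, x3: int, ot=ideal_ot, u_error: int = 0):
    """Run 3MULT and return the additive shares (s1, s2, v+w) held by P1, P2, P3.
    Over GF(2) the slide's -r2 is just r2. u_error simulates a cheating P1 that
    uses u' = u ^ u_error as its OT_gamma sender input instead of u."""
    r2, s2 = secrets.randbelow(2), secrets.randbelow(2)  # P2's randomness
    s1 = secrets.randbelow(2)                            # P1's randomness
    # Rounds 1-2: OT_alpha (P1 receives, P2 sends) and OT_beta (P3 receives, P2 sends)
    u = ot(x1, r2, x2 ^ r2)       # u = x1*x2 - r2
    v = ot(x3, s2, r2 ^ s2)       # v = r2*x3 - s2
    # Rounds 2-3: OT_gamma (P3 receives, P1 sends); P1's sender input depends on u
    u_prime = u ^ u_error
    w = ot(x3, s1, u_prime ^ s1)  # w = u'*x3 - s1
    return s1, s2, v ^ w

def reconstruct(shares) -> int:
    """s1 + s2 + (v + w) = x1*x2*x3 when every party follows the protocol."""
    s1, s2, vw = shares
    return s1 ^ s2 ^ vw

def correct_on_all_inputs(ot=ideal_ot) -> bool:
    """Check that x1*x2*x3 is recovered on all 8 inputs, with single or doubled OTs."""
    return all(reconstruct(three_mult(a, b, c, ot)) == (a & b & c)
               for a, b, c in product((0, 1), repeat=3))

def output_with_bad_u(x1: int, x2: int, x3: int) -> int:
    """Output when P1 flips u: the shares reconstruct to x1*x2*x3 XOR x3, an additive
    shift of the product that depends on P3's input, not an arbitrary corruption."""
    return reconstruct(three_mult(x1, x2, x3, u_error=1))
```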
Weak correctness guarantees (sender side): P1(x1; s1), P2(x2; r2, s2), P3(x3), receiver inputs x1 and x3, outputs u, v, w and shares s1, s2, v+w as before. Rely on a special OT that information-theoretically hides the sender’s ``other’’ input.