Foundations of Secure Computation Arpita Patra © Arpita Patra

GMW87 [GMW87]: How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority. STOC 1987. Over Binary circuits

(n,n) - Secret Sharing for Semi-honest Adversaries Secret x is (n,n) if x = x1 + x2 + ….. + xn ; shares are random; all are bits; + is + mod 2 … x2 x3 xn x1 P1 P2 P3 Pn Linearity is satisfied!!

GMW87- Two Party Case x1 x2 x3 x4    y

GMW87- Two Party Case (2, 2)- secret share each input 1 1 (2, 2)- secret share each input  2. Find (2, 2)-sharing of each intermediate value   XOR gate: Non-Interactive x0 x1 P1 P0 + + y1 y0 y x + y x=x0 + x1 y=y0 + y1 x + y=(x0 + y0) + (x1 + y1)

GMW87- Two Party Case (2, 2)- secret share each input 1 1 (2, 2)- secret share each input  2. Find (2, 2)-sharing of each intermediate value   NOT gate: Non-Interactive (One party flips the bit) P1 P0 x0 x1 y x= x0 + x1

GMW87- Two Party Case (2, 2)- secret share each input 1 1 (2, 2)- secret share each input  2. Find (2, 2)-sharing of each intermediate value   XOR gate: Non-Interactive NOT gate: Non-Interactive (One party flips the bit) AND gate: Interactive (OT) y

AND Gate Evaluation x0 P0 P1 x1 y0 y1 y x=x0 + x1 y=y0 + y1 Leaks information from the partial product !! x0 P0 P1 x1   y0 y1 1-out-of-2 OT y1 x0 x0y1 1-out-of-2 OT y0 y0x1 x1 x0y1 + x1y1 x0y0 + y0x1 x  y x=x0 + x1 y=y0 + y1 xy = (x0+x1)  (y0+ y1) = x0y0 + x0y1 + y0x1 + x1y1

AND Gate Evaluation x0 P1 P0 x1 y0 y1 y   1-out-of-2 OT r0 y1 Try doing it using one 1-out-of-4 OT ! x0 P0 P1 x1   y0 y1 1-out-of-2 OT r0 y1 r0 + x0 r0 + x0y1 1-out-of-2 OT y0 r1 r1+ y0x1 r1 + x1 x0y0 + r0 + (r1 + y0x1) (r0 + x0y1)+ r1 + x1y1 x  y x=x0 + x1 y=y0 + y1 xy = (x0+x1)  (y0+ y1) = x0y0 + x0y1 + y0x1 + x1y1

GMW87- Two Party Case (2, 2)- secret share each input 1 1 (2, 2)- secret share each input  2. Find (2, 2)-sharing of each intermediate value   XOR gate: Non-Interactive NOT gate: Non-Interactive (One party flips the bit) AND gate: Interactive (OT) y 3. Reconstruct y by exchanging the shares

Extension to Multiparty Case >> Use (n,n) secret sharing instead of (2,2)-secret sharing >> XOR and NOT gate evaluation extend in natural way in n party case >> AND gate evaluation: xy = (x1+x2 + ……+ xn)  (y1+ y2 + ……+ yn) = n summands that can be locally computed of the form (x1y1, ……, xnyn ) + (n2-n) summands that need 1-out-of-2 OT for (2,2)-sharing ( x1y2 , y1x2 etc) To compute (2,2)-secret sharing of xiyj 1-out-of-2 OT ri yj Pi Pj ri + xi ri + xiyj

AND Gate Evaluation Pn P0 Pi Pj x0 xi xj xn y0 yi yj yn y     Two cross summands xiyj and yixj 1-out-of-2 OT ri yj ri + xi ri + xiyj 1-out-of-2 OT yi rj rj+ yixj rj + xj Pi ‘s share: his summand + 2 shares of two cross terms (for every other party) >> Security will hold even in the presence of (n-1) corruptions. Adv will have no info about the shares held by the sole honest party (reduces to OT security) x  y

OT is Complete for Secure Computation >> the security of GMW is information-theoretic assuming ideal realization of OT. >> the security of GMW relies on crypto only inside the OTs. >> If OT can be realized i.t settings then secure computation via GMW can be done in i.t. settings. >> Unconventional setting (noisy channel) where OT can be realized in i.t. security

Efficiency >> Computation Complexity ≥ Communication Complexity (the parties will send subset of what it computes) >> Unlike i.t. settings computation complexity matters here as we usually work on huge algebraic structures to maintain security I.T settings: k > log n (perfect security) k > 40 (statistical security) Comp. settings: k > 128 (symmetric key) k > 3248 (public key) Multiplication gate computation: O(1) PKE operation [1 PKE Op = one Gen, one Enc, one Dec] Computation Complexity: O(n2cAND) PKE operations Goal: O(n2cAND) SKE operations in offline phase I.T online phase with no operations other than bit XOR. Round Complexity: O(d); d = multiplicative depth of the circuit Goal: Constant? Yes, Yao’s 2PC, BMR90 for MPC

Efficiency Computation Complexity: O(n2cAND) PKE operations Goal: O(n2cAND) SKE operations in offline phase I.T online phase with no operations other than bit XOR. Step 1: O(n2cAND) OTs (PKE operations) in offline phase I.T online phase with no operations other than bit XOR. Step 2: O(n2cAND) SKE operations + k OTs in offline phase I.T online phase with no operations other than bit XOR.

Preprocessing of OT P1 P0 Preprocessing on Random Inputs 1-out-of-2 OT >> Can we run OTs on random inputs in the offline phase and use during online phase.. Preprocessing on Random Inputs 1-out-of-2 OT r0 c P0 P1 r1 rc Computation in Online Phase m0 b m1 z = b + c mb If z = 0 y0 = m0 + r0 y1 = m1 + r1 If z = 1 y0 = m0 + r1 y1 = m1 + r0 y0 , y1 mb = yb + rc

GMW in Offline/Online Setting Offline Phase >> cAND OT operations in the offline phase. >> cAND PKE operations >> Goal: cAND SKE operations + k OT operations (via OT-extension) Online Phase >> Cheap XOR operations in the online phase. >> Information theoretic!!