Oblivious Transfer and GMW MPC Workshop on Cryptography Divya Ravi Slides borrowed from Arpita Patra, Ashish Choudhury

Agenda GMW semi-honest n-party MPC protocol Adversarial Setting Computationally-bounded Semi-honest n parties, dishonest majority t < n Oblivious Transfer: Important tool in GMW

Dis-honest Majority MPC (t < n) GMW87 [GMW87]: Oded Goldreich, Silvio Micali, Avi Wigderson:
How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority. STOC 1987: 218-229 Dis-honest Majority MPC (t < n) Idea behind GMW87: shared circuit evaluation (similar to BGW88) The circuit is a Boolean circuit (over 𝔽2) The secret sharing is additive secret sharing, instead of Shamir Dis-honest majority : all but one honest party, so threshold for sharing is n - 1

[GMW87] Generic MPC Protocol f(x1, x2, …, xn) P1 : x1 P2 : x2 Pi : xi Pn : xn Circuit abstraction f : represented as a publicly known Boolean circuit C Any efficiently computable f can be represented as a C

[GMW87] Generic MPC Protocol Circuit abstraction Without loss of generality: Each party : 1 input to f f : only 1 output x1 x2 x3 x4  c y   GMW: secure circuit evaluation Parties jointly evaluate the circuit securely Only final outcome revealed during evaluation Intermediate values remain as private as possible

Principle Behind Secure Circuit Evaluation Circuit Evaluation in Clear Inputs : (n, t) box represented 1    2. Intermediate gates : (n, t) box representation of gate output from (n, t) box representation of gate inputs 3. Output box: Open it publicly 1 1 1 1    1 1 1

Principle Behind Secure Circuit Evaluation Circuit Evaluation in Clear Secure circuit evaluation 1 1 1 1       1 1 1 Input boxes of honest parties cannot be opened Any unwanted intermediate box cannot be opened

… Instantiating (n, t) Locked Box Representation (n, t) locked box representation -> (n, t) secret sharing Secret s Dealer v1 v2 v3 vn Sharing Phase …  t +1 parties can reconstruct the secret Secret s Less than t +1 parties have no info’ about the secret Reconstruction Phase Reconstruction Phase

… (n, t) Secret Sharing for the GMW Protocol For GMW : n = t + 1 Requires all the n parties for reconstructing the secret Secret as well as shares are bits (n, t) bit secret-sharing for GMW : n = (t+1) Sh1, Sh2, …, Shn-1 R {0, 1} Secret s {0, 1} Shn (Sh1  Sh2  …  Shn-1 )  s def = Dealer Sh1 Sh2 … Sh3 Shi Shn P1 P2 P3 Pi Pn

… (n, t) Secret Sharing for the GMW Protocol (n, t) bit secret-sharing for GMW : n = (t+1) Sh1, Sh2, …, Shn-1 R {0, 1} Secret s {0, 1} Shn (Sh1  Sh2  …  Shn-1 )  s def = Dealer Sh1 Sh2 … Sh3 Shi Shn P1 P2 P3 Pi Pn Shn-1 Pn - 1 Secret reconstruction protocol : Exchange shares pair-wise Output s = (Sh1  Sh2  …  Shn) Communication complexity Sharing : O(n) bits Rec : O(n2) bits

… (n, t) Secret Sharing for the GMW Protocol (n, t) bit secret-sharing for GMW : n = (t+1) Sh1, Sh2, …, Shn-1 R {0, 1} Secret s {0, 1} Shn (Sh1  Sh2  …  Shn-1 )  s def = Dealer Sh1 Sh2 … Sh3 Shi Shn P1 P2 P3 Pi Pn Shn-1 Pn - 1 Secret reconstruction protocol : Exchange shares pair-wise Output s = (Sh1  Sh2  …  Shn) # of Rounds of interaction Sharing : 1 round Rec : 1 round

(n, t) – Additive Secret Sharing (n, t) bit secret-sharing for GMW : n = (t+1) Sh1, Sh2, …, Shn-1 R {0, 1} Secret s {0, 1} Shn (Sh1  Sh2  …  Shn-1 )  s def = Dealer Sh1 Sh2 … Sh3 Shi Shn P1 P2 P3 Pi Pn Shn-1 Pn - 1 Reconstruction protocol : Exchange shares pair-wise Output s = (Sh1  Sh2  …  Shn) O(n) bit reconstruction with 2 rounds of interaction ?

… (n, t) Secret Sharing for the GMW Protocol (n, t) bit secret-sharing for GMW : n = (t+1) Sh1, Sh2, …, Shn-1 R {0, 1} Secret s {0, 1} Shn (Sh1  Sh2  …  Shn-1 )  s def = Dealer Sh1 Sh2 … P1 P2 P3 Pi Pn Sh3 Shi Shn-1 Shn Pn - 1 Any subset of t parties gets no additional information about the secret Ex: say P1, …, Pn-1 are corrupted (recall that t = n - 1) Adversary’s view : ? ? s = Sh1  Sh2  …  Shn-1  Shn Correctly guessing Shn  correct s Prob. of learning s = ½ (same as before) One-to-one mapping

 … S (n, t) Secret Sharing for the GMW Protocol (n, t) bit secret-sharing for GMW : n = (t+1) Sh1, Sh2, …, Shn-1 R {0, 1} Secret s {0, 1} Shn (Sh1  Sh2  …  Shn-1 )  s def = Dealer Sh1 Sh2 … Sh3 Shi Shn P1 P2 P3 Pi Pn Shn-1  Pn - 1 P1 P2 Pi Pn S (Sh1) (Sh2) (Shi) (Shn)

    Linearity of Secret Sharing Addition is free a = a1  a2  a3  a4     Local operation b b1 b2 b3 b4 b = b1  b2  b3  b4 c1 ab c2 c3 c4 ? c = c1  c2  c3  c4 No interaction to compute shares of sum of two shared secrets

Linearity of Secret Sharing Multiplication by a public constant is free a a1 a2 a3 a4 a = a1  a2  a3  a4     Local operation c c c c c Publicly known c  a = c  (a1  a2  a3  a4) c  a ? c1 c2 c3 c4 = (c1  c2  c3  c4) No interaction required to compute shares of a constant multiple of a shared secret

    Linearity of Secret Sharing Addition by a public constant is free a a1 a2 a3 a4 a = a1  a2  a3  a4     Local operation c c How to compute shares of a  c ? Publicly known c  a = c  (a1  a2  a3  a4) ac ? c1 c2 c3 c4 = (c1  c2  c3  c4) No interaction required to compute shares of the sum of a shared secret and a public constant

    (Non)Linearity of Secret Sharing AND (multiplication) is not free a a1 a2 a3 a4 a = a1  a2  a3  a4 Local operation     b b1 b2 b3 b4 b = b1  b2  b3  b4 How to compute shares of a  b ? ? a  b = (a1  a2  a3  a4) ab c1 c2 c3 c4  (b1  b2  b3  b4)  (c1  c2  c3  c4) Shares of AND of shared secrets cannot be computed locally

  Towards Computing AND of Shared Secrets a = a1  a2 For simplicity, assume n = 2, t =1 b b1 b2 b = b1  b2 a  b = (a1  a2)  (b1  b2) = (a1  b1)  (a1  b2)  (a2  b1)  (a2  b2) Can be computed locally by P1 Cross terms cannot be computed locally by P1 / P2 Can be computed locally by P2 How to securely computing (a1  b2), (a2  b1) ? Pair-wise exchange a1, a2, b1, b2 ? Privacy of a, b gone !!

Towards Computing AND of Shared Secrets Oblivious Transfer (OT) : A very fundamental primitive Michael O. Rabin. How to exchange secrets with oblivious transfer. Technical Report TR-81, Aiken Computation Lab, Harvard University, 1981. Formulated by Turing award winner Michael O. Rabin Required security properties : m1-b = ? b = ? b  {0, 1} 1-out-of-2 OT {m0, m1} mb S R

GMW87- AND Gate Evaluation Leaks information from the partial product !! a1 P1 P2 a2   b1 b2 1-out-of-2 OT b2 a1 a1b2 a=a1 + a2 b=b1 + b2 1-out-of-2 OT b1 b1a2 a2 a1b2 + a2b2 a1b1 + b1a2 a  b ab = (a1+a2)  (b1+ b2) = a1b1 + b1a2 + a1b2 + a2b2

GMW87- AND Gate Evaluation P1 P2 a2   b1 b2 1-out-of-2 OT r0 b2 r0 + a1 r0 + a1b2 a=a1 + a2 b=b1 + b2 1-out-of-2 OT b1 r1 r1+ b1a2 r1 + a2 a1b1 + r0 + (r1 + b1a2) (r0 + a1b2)+ r1 + a2b2 a  b ab = (a1+a2)  (b1+ b2) = a1b1 + a1b2 + b1a2 + a2b2

AND Gate Evaluation : The n-party Case Let [x] = (x1, …, xn) and [y] = (y1, …, yn), with party Pi holding the share xi and yi P1 Pn Pi Pj x1 xi xj xn     y1 yi yj yn Two cross summands xiyj and yixj 1-out-of-2 OT ri yj ri + xi ri + xiyj 1-out-of-2 OT yi rj rj+ yixj rj + xj Pi ‘s share: his summand + 2 shares of two cross terms (for every other party) x  y

GMW MPC Protocol for Semi-honest Setting Input Stage : Each party acts as a dealer and secret-shares its input bits At the end, each party will have a share of each input bit Computation Stage : Circuit evaluation : following invariant for each gate Given shares of the inputs of the gate, compute shares of the gate output At the end, each party will have a share of every value along every wire in the circuit Output Stage : Reconstruct the function output by exchanging shares of the output gate value

GMW MPC Protocol : Demonstration Some notation for secret-sharing : P1 P2 Pi Pn a = a1  a2  …  an a  {0, 1} Each ai  {0, 1} [a]  a1 a2 ai an We will say that value a is []-shared if the above holds We already know that []-sharing is linear []-sharing of a + b can be computed by doing local operations on shares of []-sharing of a and []-sharing of b []-sharing of c  a can be computed by doing local operations on shares of []-sharing of a, provided c is a public constant []-sharing of c  a can be computed by doing local operations on shares of []-sharing of a, provided c is a public constant

GMW MPC Protocol : Demonstration For simplicity, assume n = 2 and t = 1 P1 P2 Input stage [a1] a1 [a2] a2 [b1] b1 A = (a1, a2) B = (b1) (a11, a12) a12  Computation stage (a21, a22) a22 [a1  a2]  b11 (b11, b12) Output stage a11  a21 a12  a22 (a1  a2)  b1 [a1  a2  b1] a11  a21  b11 a12  a22  b12 a12  a22  b12 a11  a21  b11 (a1  a2)  b1 (a1  a2)  b1

GMW MPC Protocol : Demonstration Variable Value a1 a2 b1 a1  a2  b1 a1  a2 ? 1  a1 a2 b1 (a1  a2)  b1 Variable Value Let a1 = a2 = 0, b1 = 1 a1 1 1 a2 Let [a1] = (1, 1) b1 1 1 Let [a2] = (0, 0) a1  a2 1 1 a1  a2  b1 Let [b1] = (1, 0) 1 1 1 Suppose P2 is corrupted  P2 learns b1, [b1] and a1  a2 P2 learns either (a1=0,a2=0) or (a1=1, a2=1) --- anything else ? Variable Value Variable Value a1 a1 1 ? 1 1 ? 1 Possible if a2 a2 ? 1 1 ? Possible if b1 b1 1 1 1 1 a1  a2 a1  a2 1 1 1 1 a1  a2  b1 a1  a2  b1 1 1 1 1

GMW MPC Protocol : Security Demonstration  a1 a2 b1 (a1  a2)  b1 Variable a1 a11 a12 ? ? a2 a21 a22 ? ? b1 b11 b12 a1  a2 a11  a21 a12  a22 a1  a2  b1 a11  a21  b11 a12  a22  b12 Suppose P2 is corrupted  P2 learns b1, [b1] and a1  a2 P2 does not learn any additional thing about a1, a2 from its protocol transcript Every (a1, a2) satisfying the known a1  a2  corresponding (a11, a21) consistent with P2’s transcript What happens if P1 is corrupted ? From the inputs (a1, a2) and output a1  a2  b1, the other input b1 can always be inferred

GMW MPC Protocol : Demonstration of AND Input stage (a1, a2) a2 b1 (b1, b2) [a] a [b] b OT r r  a1 b2 r  (a1  b2) Computation stage  [c = a  b] c = a  b OT t t  a2 b1 t  (a2  b1) Output stage c1 = a1b1  r  t  a2b1 c2 = a2b2  r  a1b2  t c = c1  c2 c1 = a1b1  r  t  a2b1 c2 = a2b2  r  a1b2  t

GMW MPC Protocol : Demonstration of AND b a1b1  r  t  a2b1 Variable a b r  a1b2 a  b 1 ? r t t  a2b1 a2b2  r  a1b2  t Variable Value a 1 1  b r 1 1 c = a  b r  a1b2 1 1 Let a = 0, b = 0 t t  a2b1 Let [a] = (1, 1) Let [b] = (0, 0) a1b1  r  t  a2b1 1 1 OT r ra1 b2 ra1b2 a2b2  r  a1b2  t 1 1 OT t ta2 b1 t a2b1 a  b 1 1 Suppose P1 is corrupted P1 learns a = 0 and c = 0 (b = 0, prob. ½) or (b = 1, prob. ½) Any additional thing about b from the protocol transcript ?

GMW MPC Protocol : Demonstration of AND b Variable Value Variable Value a 1 1  a 1 1 b ? ? b 1 ? ? 1 r 1 1 c = a  b r 1 1 Prob. of learning b from the transcript = prob. of correctly guessing b2 = ½ No additional information about b leaked from the protocol transcript r  a1b2 1 ? 1 r  a1b2 1 ? t OT r ra1 b2 ra1b2 t t  a2b1 t  a2b1 a1b1  r  t  a2b1 1 1 OT t ta2 b1 t a2b1 a1b1  r  t  a2b1 1 1 a2b2  r  a1b2  t 1 1 1 a2b2  r  a1b2  t 1 1 1 a  b 1 1 b = 0 if b = 1 if a  b 1 1 Prob. = ½ Prob. = ½ Suppose P1 is corrupted P1 learns a = 0 and c = 0 (b = 0, prob. ½) or (b = 1, prob. ½)

EGL85 Oblivious Transfer (OT) Protocol S. Even, O. Goldreich: On the Power of Cascade Ciphers. ACM Trans. Comput. Syst. 3(2): 108-116 (1985) A very simple OT protocol in the semi-honest setting Based on public-key samplability Public-key encryption with public-key samplability Collection of algorithms (Gen, Enc, Dec, fGen) Enc m {0, 1}* c pk Dec c m sk Gen 1n pk, sk (Usual public-key encryption) fGen 1n pk* Probability distribution of “genuine” pk and “fake” pk* are computationally indistinguishable

EGL85 Oblivious Transfer (OT) Protocol (Gen, Enc, Dec, fGen) b  {0, 1} m0, m1  {0, 1}* pk0 = pk and pk1 = pk* if b= 0 pk0 = pk* and pk1 = pk if b= 1 (pk0 , pk1) Gen 1n pk, sk pkb = pk pk1-b = pk* Enc m0  {0, 1}* c0 pk0 fGen 1n pk* (c0 , c1) Enc m1  {0, 1}* c1 pk1 Dec cb mb sk

EGL85 Oblivious Transfer (OT) Protocol (Gen, Enc, Dec, fGen) m0, m1  {0, 1}* b  {0, 1} (pk0 , pk1) Gen 1n pk, sk fGen 1n pk* Enc m0  {0, 1}* c0 pk0 pkb = pk pk1-b = pk* Enc m1  {0, 1}* c1 pk1 (c0 , c1) Dec cb mb sk If P1 is corrupted it does not learn the choice bit b pk0 is indistinguishable from pk1 If P2 is corrupted it does not learn the other message m1-b P2 does not know the corresponding secret key sk*

Improving the efficiency of OT Need O(n2) OT executions per AND gate OT : Public Key operations Improve performance Offline-Online Approach OT execution overhead shifted to offline phase OT Extension Improving the efficiency of OT

Preprocessing of OT (Random OT) Can we run OTs on random inputs in the offline phase and use the data used in OT later during online phase ? Preprocessing on Random Inputs 1-out-of-2 OT r0 c P0 P1 r1 rc Computation in Online Phase m0 b m1 z = b + c mb If z = 0 y0 = m0 + r0 y1 = m1 + r1 If z = 1 y0 = m0 + r1 y1 = m1 + r0 y0 , y1 mb = yb + rc

Public-key Encryption with Key Samplability Example of public-key encryption with public-key samplability Gen(1n) Compute h = gx Output sk = x and pk = (G, g, h) Select a generator g for a cyclic group G and a random x  G fGen(1n) Randomly select h*  G Output pk* = (G, g, h*) Select a generator g for a cyclic group G  sk* corresponding to pk* = dlogg(h*) Difficult to compute given only G, g and pk* --- Discrete log assumption Enc(m, pk) : pk = (G, g, h) Compute C1 = gr and C2 = hr m Output C = (C1, C2) Select a random r  G Dec(C, sk) : C = (C1, C2) and sk = x Compute (C1)x Output m = C2 / (C1)x El-Gamal public-key encryption