Multi-Party Computation: Second year
Eduardo Soria Vázquez
October 11, 2017
Eduardo Soria-Vázquez

A Year in a slide

1. Conferences attended:
   * Flagship: TCC 2016-B, Eurocrypt 2017.
   * Domain-specific: TPMPC.
   * Smaller meetings: ECRYPT collaborative writing workshop, HEAT, Lattice Meeting (ENS Lyon).
2. Talks given: TCC 2016-B, Lattice Meeting: More Efficient Constant-Round Multi-Party Computation from BMR and SHE.
3. Research visits: Thales UK, Bar-Ilan University.
4. Outreach: Digimakers (coming on 11th November, 2017).
A Year in a slide

5. Papers:
   * ACNS 2017: Faster Secure Multi-Party Computation of AES and DES Using Lookup Tables. Joint work with Marcel Keller, Emmanuela Orsini, Dragos Rotaru, Peter Scholl and Srinivas Vivek.
   * ASIACRYPT 2017: Low Cost Constant Round MPC Combining BMR and Oblivious Transfer. Joint work with Carmit Hazay and Peter Scholl.
   * A submission to EUROCRYPT 2018.
Low Cost Constant Round MPC Combining BMR and Oblivious Transfer
Carmit Hazay, Peter Scholl, Eduardo Soria Vázquez
October 11, 2017
Overview

* What is MPC?
* Garbled Circuits: 2PC (Yao) vs MPC (BMR)
* Results:
  * A compiler from binary MPC to BMR
  * Robustness of Garbling in BMR
  * Optimized Garbling with TinyOT
* Conclusion
Multi-Party Computation

[Figure: parties holding private inputs x1, x2, x3, x4 jointly compute f(x1, x2, x3, x4).]
Multi-Party Computation

* Adversaries participate in the protocol.
* The protocol must be indistinguishable from the ideal one, in which a Trusted Party computes the function.
MPC setting in this talk

* Model of computation: Boolean circuit C.
* Preprocessing phase.
* Adversary: static, malicious; dishonest majority.
* Main focus: constant rounds (garbled circuits) and concrete efficiency.

[Figure: preprocessing phase producing correlated randomness, followed by the online phase.]
Starting point: garbled circuits for semi-honest 2-PC [Yao86]

[Figure: Boolean circuit C -> Garble -> Input encoding protocol -> Encodings -> Eval.]
BMR: Everyone garbles (MPC) and evaluates (local computation) [BeaverMicaliRogaway90]

[Figure: Boolean circuit C -> Garble (generic MPC; can be any non-constant-round protocol) -> Input Encoding (inputs) -> Eval (local).]
Challenge in BMR: evaluate the Garbling step in MPC, efficiently.
Comparison of approaches to BMR with active security

Protocol                | Based on        | Free XOR | Main cost per gate
------------------------|-----------------|----------|---------------------------------------
BMR90                   | Generic MPC     |          | ZK proofs of PRG computation
LPSY15                  | MPC in F_p      |          | 8n + 5 MPC mult.
LSS16                   | SHE             |          | O(n^2) ZK proofs of plaintext knowledge
This talk (and [KRW17]) | OT + MPC in F_2 |          | 1 MPC mult. in F_2
Garbling an AND gate with Yao

[Figure: AND gate with input wires u, v and output wire w, and its truth table over u, v, w (a single 1 entry).]

1. Pick 2 random keys for each wire.
2. Encrypt the truth table of each gate.
3. Randomly permute the entries.
Garbling in BMR
BMR has an MPC-friendly Garbling

1. Pick 2n random keys for each wire: initially, party P_i gets keys K^i_{u,0}, K^i_{u,1}.
Next slides:
2. Encrypt the truth table of each gate.
3. Randomly permute the entries.
Encryption in BMR is straightforward

* Input: PRF keys and values.
* Generic MPC: just XOR.
* F is a double-key PRF, g is the gate index.
Next: Randomly permute the entries.
Entire BMR Garbling (with Free-XOR)

* Garbled AND gate is:
* R^j: fixed string enabling Free-XOR, secret to party P_j.
* Secret permutation bits to shuffle the entries.
* Observation (next slide): multiplications are bit/bit or bit/string only. [Ben-Efraim Lindell Omri 16]
Transforming any MPC to BMR (constant rounds for Boolean circuits)

For each AND gate:
[Figure: inputs and R^j enter the MPC; 1 F_2 multiplication in MPC, a consistency check, n(n-1) COTs for the bit/string multiplications, and XORs.]
Robustness of Garbling in BMR
BMR garbling is very robust to errors

Thought experiment with an adversary:
[Figure: Garble -> Encoding -> Eval pipeline.]
BMR garbling is very robust to errors

Intuition: the only possible break is to flip honest P_j's masked key, which succeeds with negligible probability (it amounts to guessing R^j) if the mask was obtained from a suitable PRF.

We strengthen previous results (proofs) [LPSY15, KRW17], which:
* Allowed incorrect PRF values, but only non-adaptively.
* Did not directly reduce to PRF security.
* Required the shares of the garbling to be authenticated (less efficient).
An optimized protocol for BMR: TinyOT
Optimized variant based on TinyOT

* Multi-party TinyOT protocol [FrederiksenKellerOrsiniScholl15]: efficient instantiation of binary MPC. Optimized in [KatzRanellucciWang17].
* Uses Correlated OT to create information-theoretic MACs: MAC(x) = K + x·R, for a shared bit x and MAC key (K, R).
* Fix R to be the global difference in Free-XOR: bit/string products for free!
Optimized variant based on TinyOT

For each AND gate:
[Figure: inputs and R^j enter the MPC; 1 F_2 multiplication in MPC, a consistency check, n(n-1) COTs for the bit/string multiplications, and XORs.]
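Why the bit/string products come for free once R^j is both the TinyOT MAC key and the Free-XOR offset: a TinyOT-authenticated share x_i carries, towards every other party P_j, the MAC M_{i,j} = K_{j,i} xor x_i·R^j, so M_{i,j} xor K_{j,i} is already an additive sharing of x_i·R^j between P_i and P_j, and summing over i gives a sharing of x·R^j with no further interaction. The block below is an added example, not code from the slides or the authors' implementation; it is an in-the-clear model in which one process plays all parties, the correlated OTs that would produce the MACs are replaced by direct computation, and the 16-byte key length and party/share indices are constructed. It also shows the MAC check P_j runs when P_i opens its share, which is what makes lying about a share equivalent to guessing R^j.

```python
import secrets

# Constructed in-the-clear model of multi-party TinyOT authenticated bits and
# of the bit/string product x * R^j obtained from their MACs.
KAPPA = 16
ZERO = bytes(KAPPA)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def bit_times(bit: int, s: bytes) -> bytes:
    """Bit/string product: s if bit == 1, the zero string otherwise."""
    return s if bit else ZERO


def authenticate_shared_bit(n: int, x: int):
    """XOR-share the mask bit x into x_0..x_{n-1} and MAC each share towards every
    other party: for i != j, P_j holds local key K_{j,i} and P_i holds
    M_{i,j} = K_{j,i} xor x_i * R^j, with R^j P_j's global key (= Free-XOR offset)."""
    shares = [secrets.randbelow(2) for _ in range(n - 1)]
    shares.append(x ^ (sum(shares) & 1))
    R = [secrets.token_bytes(KAPPA) for _ in range(n)]
    macs, local_keys = {}, {}      # macs[(i, j)] = M_{i,j}; local_keys[(j, i)] = K_{j,i}
    for i in range(n):
        for j in range(n):
            if i != j:
                k = secrets.token_bytes(KAPPA)
                local_keys[(j, i)] = k
                macs[(i, j)] = xor(k, bit_times(shares[i], R[j]))
    return shares, R, macs, local_keys


def check_opened_share(j, i, claimed_bit, mac, R, local_keys):
    """P_j's check when P_i opens x_i: the MAC must equal K_{j,i} xor x_i * R^j.
    Opening the wrong bit would need a MAC offset by R^j, i.e. guessing R^j."""
    return mac == xor(local_keys[(j, i)], bit_times(claimed_bit, R[j]))


def product_shares(n, j, shares, R, macs, local_keys):
    """Additive sharing of x * R^j with no extra interaction:
       x * R^j = XOR_{i != j} (M_{i,j} xor K_{j,i}) xor x_j * R^j,
    so P_i (i != j) contributes M_{i,j} and P_j contributes
    XOR_{i != j} K_{j,i} xor x_j * R^j."""
    contrib = []
    for i in range(n):
        if i == j:
            c = bit_times(shares[j], R[j])
            for k in range(n):
                if k != j:
                    c = xor(c, local_keys[(j, k)])
        else:
            c = macs[(i, j)]
        contrib.append(c)
    return contrib


def reconstruct(contrib):
    acc = ZERO
    for c in contrib:
        acc = xor(acc, c)
    return acc


def demo(n=4, x=1, j=2):
    """Returns (product_correct, honest_open_accepted, flipped_open_accepted)."""
    shares, R, macs, local_keys = authenticate_shared_bit(n, x)
    prod = reconstruct(product_shares(n, j, shares, R, macs, local_keys))
    honest = check_opened_share(j, 0, shares[0], macs[(0, j)], R, local_keys)
    flipped = check_opened_share(j, 0, shares[0] ^ 1, macs[(0, j)], R, local_keys)
    return prod == bit_times(x, R[j]), honest, flipped
```

`demo()` returns `(True, True, False)`: the reconstructed contributions equal x·R^j exactly, an honestly opened share passes P_j's MAC check, and a flipped share fails it. In the garbling, x is a mask bit lambda and the shared string x·R^j is the term that would otherwise cost n(n-1) correlated OTs per gate.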
Comms. (MB) for 1 AES evaluation in efficient constant-round MPC

* Ours: 3PC: 15 MB, 10PC: 67 MB.
* MASCOT-BMR-FX: 3PC: 3.84 GB, 10PC: 54.65 GB.
Conclusion

* Constant rounds (almost) for free:
  * Small, O(k) overhead on top of any protocol for binary circuits.
  * Almost no overhead when using TinyOT.
* Improved security proof: unauthenticated shares, better online phase.
* Open problems:
  * Can BMR garbling be optimized? Currently: 4nk bits + O(n^2) PRF evaluations. How about TinyOT?
  * Can we further tailor other MPC protocols for BMR garbling?
Thank you!

http://ia.cr/2017/214
Low Cost, Constant Round MPC Combining BMR and Oblivious Transfer
Carmit Hazay, Peter Scholl and Eduardo Soria-Vázquez
Runtimes

AES: 6800 AND gates. SHA-256: 90825 AND gates.
[Figure: runtime plots for AES (B=3) and SHA-256 (B=3).]
Benchmark: 9 parties, 1 Gbps LAN, 2.3 GHz Intel Xeon CPUs with 20 cores.