Multi-Party Computation: Second year

Presentation transcript:

Multi-Party Computation: Second year. Eduardo Soria-Vázquez, October 11, 2017.

A Year in a slide

1. Conferences attended:
   - Flagship: TCC 2016-B, Eurocrypt 2017.
   - Domain-specific: TPMPC.
   - Smaller meetings: ECRYPT collaborative writing workshop, HEAT, Lattice Meeting (ENS Lyon).
2. Talks given: TCC 2016-B, Lattice Meeting: More Efficient Constant-Round Multi-Party Computation from BMR and SHE.
3. Research visits: Thales UK, Bar-Ilan University.
4. Outreach: Digimakers (coming on 11th November, 2017).

A Year in a slide (continued)

5. Papers:
   - ACNS 2017: Faster Secure Multi-Party Computation of AES and DES Using Lookup Tables. Joint work with Marcel Keller, Emmanuela Orsini, Dragos Rotaru, Peter Scholl and Srinivas Vivek.
   - ASIACRYPT 2017: Low Cost Constant Round MPC Combining BMR and Oblivious Transfer. Joint work with Carmit Hazay and Peter Scholl.
   - A submission to EUROCRYPT 2018.

Low Cost Constant Round MPC Combining BMR and Oblivious Transfer. Carmit Hazay, Peter Scholl, Eduardo Soria-Vázquez. October 11, 2017.

Overview

- What is MPC?
- Garbled circuits: 2PC (Yao) vs MPC (BMR)
- Results:
  - A compiler from binary MPC to BMR
  - Robustness of garbling in BMR
  - Optimized garbling with TinyOT
- Conclusion

Multi-Party Computation. [figure: parties holding inputs x1, x2, x3, x4 jointly compute f(x1, x2, x3, x4)]

Multi-Party Computation

- Adversaries participate in the protocol.
- The protocol must be indistinguishable from the ideal one run by a Trusted Party.

MPC setting in this talk

- Model of computation: Boolean circuit C.
- Preprocessing phase (correlated randomness), followed by an online phase.
- Adversary: static, malicious, dishonest majority.
- Main focus: constant rounds (garbled circuits) and concrete efficiency.

Starting point: garbled circuits for semi-honest 2-PC [Yao86]. [figure: Boolean circuit C -> Garble -> encodings (obtained through an input encoding protocol) -> Eval]

BMR: everyone garbles (MPC) and evaluates (local computation) [BeaverMicaliRogaway90]. [figure: Boolean circuit C -> Garble, run as generic MPC (can be any non-constant-round protocol) -> inputs and input encoding -> Eval, done locally]

Challenge in BMR: evaluate the Garbling step in MPC, efficiently.

Comparison of approaches to BMR with active security

Protocol                | Based on        | Free XOR | Main cost per gate
BMR90                   | Generic MPC     |          | ZK proofs of PRG computation
LPSY15                  | MPC in F_p      |          | 8n + 5 MPC mult.
LSS16                   | SHE             |          | O(n^2) ZK proofs of plaintext knowledge
This talk (and [KRW17]) | OT + MPC in F_2 |          | 1 MPC mult. in F_2

(The marks in the Free XOR column were not preserved in the transcript.)

Garbling an AND gate with Yao. [figure: an AND gate with input wires u, v and output wire w]

Garbling an AND gate with Yao

1. Pick 2 random keys for each wire.

Garbling an AND gate with Yao

1. Pick 2 random keys for each wire.
2. Encrypt the truth table of each gate.

Garbling an AND gate with Yao

1. Pick 2 random keys for each wire.
2. Encrypt the truth table of each gate.
3. Randomly permute the entries.
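The three steps above carried out for one AND gate, as an added Python example written for this transcript (it is not code from the paper or its authors). It assumes HMAC-SHA256 as the double-key PRF F, marks the decryptable row with a zero tail rather than the point-and-permute trick the slides do not cover, and uses constructed values for KEY_LEN and the gate index.

```python
import hashlib
import hmac
import os
import secrets

KEY_LEN = 16  # key length in bytes (constructed parameter for this example)


def prf(k1: bytes, k2: bytes, gate_id: int) -> bytes:
    """Double-key PRF F_{k1,k2}(g), instantiated with HMAC-SHA256 (an assumption;
    the slides only say 'double-key PRF'). Output is 32 bytes = 2 * KEY_LEN."""
    return hmac.new(k1 + k2, gate_id.to_bytes(4, "big"), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def garble_and_gate(gate_id: int):
    """Garble one AND gate with input wires u, v and output wire w."""
    # Step 1: pick 2 random keys for each wire, one per wire value (0 and 1).
    keys = {w: (os.urandom(KEY_LEN), os.urandom(KEY_LEN)) for w in ("u", "v", "w")}
    table = []
    # Step 2: encrypt the truth table; row (a, b) is masked with the keys for u=a, v=b.
    for a in (0, 1):
        for b in (0, 1):
            out_key = keys["w"][a & b]
            pad = prf(keys["u"][a], keys["v"][b], gate_id)
            # Plaintext is the output key followed by KEY_LEN zero bytes; the zero tail
            # lets the evaluator recognise the one row it can decrypt (a simplification
            # standing in for point-and-permute).
            table.append(xor(out_key + bytes(KEY_LEN), pad))
    # Step 3: randomly permute the entries so a row's position reveals nothing.
    secrets.SystemRandom().shuffle(table)
    return keys, table


def evaluate_and_gate(gate_id: int, table, key_u: bytes, key_v: bytes) -> bytes:
    """The evaluator holds one key per input wire and learns exactly one output key."""
    pad = prf(key_u, key_v, gate_id)
    for entry in table:
        plaintext = xor(entry, pad)
        if plaintext[KEY_LEN:] == bytes(KEY_LEN):
            return plaintext[:KEY_LEN]
    raise ValueError("no table entry decrypted: wrong input keys")


def recovered_truth_table(gate_id: int = 7) -> dict:
    """Garble, evaluate on all four inputs, and map each output key back to its bit."""
    keys, table = garble_and_gate(gate_id)
    result = {}
    for a in (0, 1):
        for b in (0, 1):
            out_key = evaluate_and_gate(gate_id, table, keys["u"][a], keys["v"][b])
            result[(a, b)] = keys["w"].index(out_key)
    return result


if __name__ == "__main__":
    print(recovered_truth_table())  # {(0, 0): 0, (0, 1): 0, (1, 0): 0, (1, 1): 1}
```

The evaluator never sees the garbler's key pairs, so in a real run only the single output key it decrypts tells it anything; recovered_truth_table uses the garbler's view purely to confirm the table is correct.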

Garbling in BMR

BMR has an MPC-friendly garbling

- Pick 2n random keys for each wire: initially, party P_i gets keys K^i_{u,0}, K^i_{u,1}.
- Next slides: encrypt the truth table of each gate; randomly permute the entries.

Encryption in BMR is straightforward

- Input PRF keys and values.
- Generic MPC: just XOR.
- F is a double-key PRF, g is the gate index.
- Next: randomly permute the entries.

Entire BMR garbling (with Free-XOR)

- Garbled AND gate is: [equation not preserved in the transcript]
- R_j: fixed string enabling Free-XOR, secret to party P_j.
- Secret permutation bits to shuffle the entries.
- Observation (next slide): multiplications are bit/bit or bit/string only [Ben-Efraim Lindell Omri 16].
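The structure of the last three slides as an added example (written for this transcript, not the paper's or the authors' code): every party computes its PRF values locally, the generic MPC only XORs them with the right output keys, and the choice of output key is driven by the secret permutation bits (the bit/bit and bit/string products). The MPC is stood in for by ideal_garble, a function that sees all inputs (an assumption for the example); HMAC-SHA256 plays the PRF, party count and key length are constructed parameters, and there is no R_j offset, so this is plain BMR garbling rather than the Free-XOR variant.

```python
import hashlib
import hmac
import os
import secrets
from functools import reduce

KEY_LEN = 16     # bytes per party key (constructed parameter)
N_PARTIES = 3    # n; any n >= 2 works
WIRES = ("u", "v", "w")


def prf(key: bytes, msg: bytes) -> bytes:
    """PRF F_k(msg) as HMAC-SHA256 truncated to one key length (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:KEY_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_all(chunks) -> bytes:
    return reduce(xor, chunks)


def label(gate_id: int, j: int) -> bytes:
    """PRF input: gate index g followed by the index j of the key being masked."""
    return gate_id.to_bytes(4, "big") + bytes([j])


class Party:
    """P_i's local state: two keys per wire and an XOR share of each permutation bit."""

    def __init__(self):
        self.keys = {w: (os.urandom(KEY_LEN), os.urandom(KEY_LEN)) for w in WIRES}
        self.lam_share = {w: secrets.randbits(1) for w in WIRES}

    def prf_values(self, gate_id: int) -> dict:
        """Local work only: F_{K^i_{u,a},K^i_{v,b}}(g||j) for every row (a, b) and every
        target j; j = N_PARTIES is one extra pad for the output wire's external bit."""
        vals = {}
        for a in (0, 1):
            for b in (0, 1):
                k = self.keys["u"][a] + self.keys["v"][b]  # double-key PRF by concatenation
                for j in range(N_PARTIES + 1):
                    vals[(a, b, j)] = prf(k, label(gate_id, j))
        return vals


def ideal_garble(parties, gate_id: int):
    """Stand-in for the generic MPC (ideal functionality, constructed for this example).
    Apart from picking the output key via the permutation bits, it only XORs."""
    contributions = [p.prf_values(gate_id) for p in parties]
    lam = {w: reduce(lambda s, t: s ^ t, (p.lam_share[w] for p in parties)) for w in WIRES}
    table = {}
    for ext_u in (0, 1):
        for ext_v in (0, 1):
            # external (masked) values -> real values -> real AND -> external output value
            ext_w = ((ext_u ^ lam["u"]) & (ext_v ^ lam["v"])) ^ lam["w"]
            row = b"".join(
                xor(xor_all(c[(ext_u, ext_v, j)] for c in contributions), pj.keys["w"][ext_w])
                for j, pj in enumerate(parties))
            bit_pad = xor_all(c[(ext_u, ext_v, N_PARTIES)] for c in contributions)
            table[(ext_u, ext_v)] = row + bytes([(bit_pad[0] & 1) ^ ext_w])
    return table, lam


def encode_input(parties, wire: str, value: int, lam: dict):
    """Input encoding: the input owner learns lam_wire, announces ext = value ^ lam, and
    every party reveals its key for that external value."""
    ext = value ^ lam[wire]
    return ext, b"".join(p.keys[wire][ext] for p in parties)


def evaluate(table, gate_id: int, ext_u: int, key_u: bytes, ext_v: int, key_v: bytes):
    """Local evaluation: recompute each party's PRF value from the revealed keys and XOR."""
    row = table[(ext_u, ext_v)]
    keys_u = [key_u[i * KEY_LEN:(i + 1) * KEY_LEN] for i in range(N_PARTIES)]
    keys_v = [key_v[i * KEY_LEN:(i + 1) * KEY_LEN] for i in range(N_PARTIES)]

    def pad(j):
        return xor_all(prf(keys_u[i] + keys_v[i], label(gate_id, j)) for i in range(N_PARTIES))

    key_w = b"".join(xor(row[j * KEY_LEN:(j + 1) * KEY_LEN], pad(j)) for j in range(N_PARTIES))
    ext_w = row[-1] ^ (pad(N_PARTIES)[0] & 1)
    return ext_w, key_w


def run_and_gate(x: int, y: int, gate_id: int = 3) -> int:
    parties = [Party() for _ in range(N_PARTIES)]
    table, lam = ideal_garble(parties, gate_id)
    ext_u, key_u = encode_input(parties, "u", x, lam)
    ext_v, key_v = encode_input(parties, "v", y, lam)
    ext_w, key_w = evaluate(table, gate_id, ext_u, key_u, ext_v, key_v)
    if key_w != b"".join(p.keys["w"][ext_w] for p in parties):
        raise ValueError("evaluation produced a key no party issued")
    return ext_w ^ lam["w"]  # output decoding: lam_w is opened for output wires
```

Everything in Party.prf_values is local computation on keys only that party knows, which is why the MPC on the previous slide is "just XOR"; the lam-dependent selection in ideal_garble is exactly the part the real protocol has to pay for with secure multiplications.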

Transforming any MPC to BMR (constant rounds for Boolean circuits). For each AND gate: [figure: each party inputs R_j; MPC; XOR]

Transforming any MPC to BMR (constant rounds for Boolean circuits). For each AND gate: [figure: input R_j; 1 F_2 multiplication in MPC; n(n-1) COTs for bit/string multiplication; consistency check; XOR]

Robustness of Garbling in BMR

BMR garbling is very robust to errors. Thought experiment with an adversary: [figure: Garble -> Encoding -> Eval]

BMR garbling is very robust to errors

- Intuition: the only possible break is to flip honest P_j's masked key, which succeeds only with negligible probability (guessing R_j) if the mask was obtained from a suitable PRF.
- We strengthen previous results (proofs) [LPSY15, KRW17], which:
  - allowed incorrect PRF values only non-adaptively;
  - did not directly reduce to PRF security;
  - required shares of the garbling to be authenticated (less efficient).

An optimized protocol for BMR: TinyOT

Optimized variant based on TinyOT

- Multi-party TinyOT protocol [FrederiksenKellerOrsiniScholl15]: efficient instantiation of binary MPC. Optimized in [KatzRanellucciWang17].
- Uses correlated OT to create information-theoretic MACs: MAC(x) = K + x·R, for shared bit x and MAC key (K, R).
- Fix R to be the global difference in Free-XOR: bit/string products for free!
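A two-party sketch of the MAC on this slide, added here as an example (not TinyOT's or the paper's code): MAC(x) = K + x·R in GF(2)^k with + as XOR, where R is the verifier's global difference and doubles as the Free-XOR offset. It shows the opening check, why XOR of two MACs is a MAC on the XOR, and why (M, K) is already an additive sharing of x·R. Key lengths are constructed, and the correlated OT that delivers M without the verifier learning x is replaced by a direct function call (an assumption); the multi-party protocol runs this between every pair of parties.

```python
import os

K_BYTES = 16  # MAC and key length k in bytes (constructed parameter; forgery succeeds w.p. 2^-k)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def bit_times_string(x: int, r: bytes) -> bytes:
    """The bit/string product x * R in GF(2)^k: R when x = 1, the zero string when x = 0."""
    return r if x else bytes(len(r))


def new_global_key() -> bytes:
    """The verifier's global difference R (also the Free-XOR offset). R = 0 is rejected:
    it would make every MAC independent of x."""
    while True:
        r = os.urandom(K_BYTES)
        if any(r):
            return r


def authenticate(x: int, r: bytes):
    """Verifier picks a fresh K per bit; the bit holder receives M = K + x*R.
    Returns (K kept by the verifier, M given to the holder). In TinyOT this step is a
    correlated OT, so the verifier never sees x; here it is a plain call (assumption)."""
    k = os.urandom(K_BYTES)
    return k, xor(k, bit_times_string(x, r))


def check_open(x_claimed: int, mac: bytes, k: bytes, r: bytes) -> bool:
    """Verifier's check when the holder opens x: M must equal K + x*R."""
    return mac == xor(k, bit_times_string(x_claimed, r))


def free_xor(mac_x: bytes, k_x: bytes, mac_y: bytes, k_y: bytes):
    """With one global R, MAC(x) + MAC(y) = (K_x + K_y) + (x + y)*R is a valid MAC on
    x + y under key K_x + K_y, so XOR gates need no interaction."""
    return xor(mac_x, mac_y), xor(k_x, k_y)


def shared_bit_string_product(mac: bytes, k: bytes) -> bytes:
    """M + K = x*R: the holder's M and the verifier's K already form an additive sharing
    of the bit/string product, which is the slide's 'for free'."""
    return xor(mac, k)


def demo(x: int, y: int):
    """Run the honest check, a dishonest opening, the Free-XOR check and the product check."""
    r = new_global_key()
    k_x, m_x = authenticate(x, r)
    k_y, m_y = authenticate(y, r)
    honest = check_open(x, m_x, k_x, r)
    # Opening the wrong bit would need M + R, i.e. guessing R: rejected for every nonzero R.
    dishonest = check_open(x ^ 1, m_x, k_x, r)
    m_z, k_z = free_xor(m_x, k_x, m_y, k_y)
    linear = check_open(x ^ y, m_z, k_z, r)
    product = shared_bit_string_product(m_x, k_x) == bit_times_string(x, r)
    return honest, dishonest, linear, product


if __name__ == "__main__":
    print(demo(1, 0))  # (True, False, True, True)
```

The dishonest opening is rejected deterministically here only because R is kept secret from the holder and nonzero; in the protocol the holder's chance of passing with a wrong bit is exactly the chance of guessing R, which is the 2^-k bound the slide's "information-theoretic MACs" refers to.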

Optimized variant based on TinyOT. For each AND gate: [figure: input R_j; 1 F_2 multiplication in MPC; n(n-1) COTs for bit/string multiplication; consistency check; XOR]

Communication (MB) for 1 AES evaluation in efficient constant-round MPC

- Ours: 3PC: 15 MB, 10PC: 67 MB.
- MASCOT-BMR-FX: 3PC: 3.84 GB, 10PC: 54.65 GB.

Conclusion

- Constant rounds (almost) for free: small, O(k) overhead on top of any protocol for binary circuits. Almost no overhead when using TinyOT.
- Improved security proof: unauthenticated shares, better online phase.
- Open problems:
  - Can BMR garbling be optimized? Currently: 4nk bits + O(n^2) PRF evaluations. How about TinyOT?
  - Can we further tailor other MPC protocols for BMR garbling?

Thank you! http://ia.cr/2017/214 Low Cost, Constant Round MPC Combining BMR and Oblivious Transfer. Carmit Hazay, Peter Scholl and Eduardo Soria-Vázquez.

Runtimes

- AES: 6800 AND gates. SHA-256: 90825 AND gates.
- [chart: AES (B=3) and SHA-256 (B=3)]
- Benchmark: 9 parties, 1 Gbps LAN, 2.3 GHz Intel Xeon CPUs with 20 cores.