Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE Bar-Ilan University Gilad Asharov UCLA Abhishek Jain NYU Adriana.

Slides:

Advertisements

Similar presentations

FULLY HOMOMORPHIC ENCRYPTION

Advertisements

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)

MPC for Comparing Two Shared Secrets without Bit-Decomposition Takashi Nishide * Kazuo Ohta The University of Electro-Communications * Hitachi Software.

Fully Homomorphic Encryption over the Integers

Efficient Multiparty Protocols via Log-Depth Threshold Formulae Ron Rothblum Weizmann Institute Joint work with Gil Cohen, Ivan Damgard, Yuval Ishai, Jonas.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

14. Aug Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu.

Secure Evaluation of Multivariate Polynomials

Paper by: Craig Gentry Presented By: Daniel Henneberger.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

1 Information Security – Theory vs. Reality , Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran.

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Secure and Efficient Key Management in Mobile Ad Hoc Networks Bing Wu, Jie Wu, Eduardo B. Fernandez, Mohammad Ilyas, Spyros Magliveras Department of Computer.

Information Security for Sensors Overwhelming Random Sequences and Permutations Shlomi Dolev, Niv Gilboa, Marina Kopeetsky, Giuseppe Persiano, and Paul.

Network Security – Part 2 Public Key Cryptography Spring 2007 V.T. Raja, Ph.D., Oregon State University.

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung.

Privacy Preserving K-means Clustering on Vertically Partitioned Data Presented by: Jaideep Vaidya Joint work: Prof. Chris Clifton.

Two Round MPC via Multi-Key FHE Daniel Wichs (Northeastern University) Joint work with Pratyay Mukherjee.

Simons Institute, Cryptography Boot Camp

1 Cross-Domain Secure Computation Chongwon Cho (HRL Laboratories) Sanjam Garg (IBM T.J. Watson) Rafail Ostrovsky (UCLA)

Multi-Client Non-Interactive Verifiable Computation Seung Geol Choi (Columbia U.) Jonathan Katz (U. Maryland) Ranjit Kumaresan (Technion) Carlos Cid (Royal.

Privacy Preserving Query Processing in Cloud Computing Wen Jie

Efficient and Robust Private Set Intersection and multiparty multivariate polynomials Dana Dachman-Soled 1, Tal Malkin 1, Mariana Raykova 1, Moti Yung.

Collusion-Free Multiparty Computation in the Mediated Model

Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.

On the Practical Feasibility of Secure Distributed Computing A Case Study Gregory Neven, Frank Piessens, Bart De Decker Dept. of Computer Science, K.U.Leuven.

1 Information Security – Theory vs. Reality , Winter Lecture 10: Garbled circuits (cont.), fully homomorphic encryption Eran Tromer.

Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.

Improved Non-Committing Encryption with Application to Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia Univ.), Tal Malkin (Columbia.

On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.

1 Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University Joint work with Ariel Elbaz(Columbia University) Tal Malkin(Columbia.

Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond

* Partially sponsored by IARPA SPAR * Partially sponsored by DARPA PROCEED.

1 Information Security – Theory vs. Reality , Winter Lecture 10: Garbled circuits and obfuscation Eran Tromer Slides credit: Boaz.

Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research.

FHE Introduction Nigel Smart Avoncrypt 2015.

COMP 424 Lecture 04 Advanced Encryption Techniques (DES, AES, RSA)

China Summer School on Lattices and Cryptography Craig Gentry and Shai Halevi June 4, 2014 Homomorphic Encryption over Polynomial Rings.

1 Information Security – Theory vs. Reality , Winter Lecture 11: Fully homomorphic encryption Lecturer: Eran Tromer Including presentation.

Based on work with: Sergey Gorbunov and Vinod Vaikuntanathan Homomorphic Commitments & Signatures Daniel Wichs Northeastern University.

Efficient Private Matching and Set Intersection Mike Freedman, NYU Kobbi Nissim, MSR Benny Pinkas, HP Labs EUROCRYPT 2004.

China Summer School on Lattices and Cryptography Craig Gentry and Shai Halevi June 3, 2014 Fully Homomorphic Encryption and Bootstrapping.

China Summer School on Lattices and Cryptography Craig Gentry and Shai Halevi June 3, 2014 Somewhat Homomorphic Encryption.

KERBEROS SYSTEM Kumar Madugula.

Second Price Auctions A Case Study of Secure Distributed Computing Bart De Decker Gregory Neven Frank Piessens Erik Van Hoeymissen.

Cryptography Lecture 3 Arpita Patra © Arpita Patra.

Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation YE Jian-wei March 7, 2009.

Round-Efficient Multi-Party Computation in Point-to-Point Networks Jonathan Katz Chiu-Yuen Koo University of Maryland.

The Many Faces of Garbled Circuits MIT Vinod Vaikuntanathan.

Fully Homomorphic Encryption (FHE) By: Matthew Eilertson.

Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.

Cryptography Resilient to Continual Memory Leakage Zvika Brakerski Weizmann Institute Yael Tauman Kalai Microsoft Jonathan Katz University of Maryland.

Packing Techniques for Homomorphic Encryption Schemes Scott Thompson CSCI-762 4/28/2016.

Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.

Lower bounds for Unconditionally Secure MPC Ivan Damgård Jesper Buus Nielsen Antigoni Polychroniadou Aarhus University.

Adaptively Secure Multi-Party Computation from LWE (via Equivocal FHE)

Four-Round Secure Computation without Setup

Cryptography for Quantum Computers

Helen: Maliciously Secure Coopetitive Learning for Linear Models

Presentation transcript:

Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE Bar-Ilan University Gilad Asharov UCLA Abhishek Jain NYU Adriana López-Alt Tel-Aviv University Eran Tromer University of Toronto Vinod Vaikuntanathan IBM Research Daniel Wichs

2-Party Computation Using FHE (semi-honest) y a b y = f(a,b) Y A =Encrypt(a) Y=Eval(f,A,B) Charlie Sally

Advantages  Low round complexity  Low communication complexity Independent of the function f Independent of Sally’s input b  Low computation Charlie’s work is independent of f  A simple template Can we get all these advantages in the multiparty case?

Threshold Key Generation Key Generation

Threshold Key Generation Key Generation

Input Encryption A B CD a c b d A=Enc(a) B=Enc(b) C=Enc(c) D=Enc(d)

Homomorphic Evaluation ABCD Y ABCD Y ABCD YABCD Y

Delegate to a Cloud ABCD Homomorphic Evaluation Y

Threshold Decryption Dec Y Y Y Y

Threshold Decryption Dec m m m m

MPC with Threshold FHE Threshold Key Gen Encrypt and Evaluate Threshold Decryption

MPC with TFHE Threshold KeyGen and Threshold Dec can be implemented using generic MPC Advantages:  Low communication complexity (even in malicious)  The homomorphic evaluation can be delegated / only one party Disadvantages:  Needs generic MPC techniques  Round complexity can be high Threshold Key Gen Encrypt and Evaluate Threshold Decryption Threshold Key Gen Encrypt and Evaluate Threshold Decryption

Our Main Results Threshold KeyGen and Threshold Dec algebraically [BV11b, BGV12] (based on LWE) Advantages:  Low communication complexity (even in malicious)  The homomorphic evaluation can be delegated / only one party  Simple: there is no need for generic MPC protocol  Extremely low round complexity  Only 3 broadcast rounds (CRS model)  2 rounds reusable PKI – optimal(!) Threshold Key Gen Encrypt and Evaluate Threshold Decryption Threshold Key Gen Encrypt and Evaluate Threshold Decryption

Our Main Results (malicious) Threshold KeyGen and Threshold Dec algebraically [BV11b, BGV12] (based on LWE) Advantages:  Low communication complexity (even in malicious)  The homomorphic evaluation can be delegated / only one party (assuming cs poofs / SNARGs)  Simple: there is no need for generic MPC protocol  Extremely low round complexity  Only 3 broadcast rounds (CRS model)  2 rounds reusable PKI – optimal(!)  UC security (assuming UC-NIZK) Threshold Key Gen Encrypt and Evaluate Threshold Decryption Threshold Key Gen Encrypt and Evaluate Threshold Decryption

Related Work [C ramer D amgard N ielsen 01]– MPC using threshold HE [G entry 09] – MPC using threshold FHE [B endlin D amgard 10] – threshold version for LWE [K atz O strovsky 04] – lower bound of 5 rounds for MPC in the plain model [M yers S ergi s helat 11] – threshold version of [vDGHV10]

The LWE Assumption [Regev05] Distribution 1Distribution 2 also secure if q is odd and we choose noise to be small and even (2e instead e)

Basic LWE-Based Encryption Symmetric KeyPublic Key

Key-Homomorphic Properties of the Basic Scheme Two public keys, same “coefficient” A A new public key with secret key: s 1 +s 2, coefficient A (almost the same as El-Gammal)

Threshold Key Generation A s1s1 s3s3 (A,p 1 ) = As 1 +2e 1 (A,p 3 ) = As 3 +2e 3 (A,p 2 ) = As 2 +2e 2 (A,p 4 ) = As 4 +2e 4 s2s2 s4s4

Threshold Key Generation A s1s1 s3s3 (A,p 1 ) = As 1 +2e 1 (A,p 3 ) = As 3 +2e 3 (A,p 2 ) = As 2 +2e 2 (A,p 4 ) = As 4 +2e 4 s2s2 s4s4

Threshold Key Generation A s2s2 s4s4 (A,p 1 ) = As 1 +2e 1 (A,p 3 ) = As 3 +2e 3 (A,p 2 ) = As 2 +2e 2 (A,p 4 ) = As 4 +2e 4 (A,p*) = As*+2e* (A,p * ) Joint secret key: s * =s 1 +s 2 +s 3 +s 4 Joint public key: p * =p 1 +p 2 +p 3 +p 4 s1s1 s3s3

Threshold Decryption s1s1 s3s3 s2s2 s4s4

s1s1 s3s3 s2s2 s4s4

s1s1 s3s3 s2s2 s4s4

Basic LWE-Based Encryption – Homomorphism

FHE From LWE [BV11b],[BGV12]

Evaluation Key

Threshold KeyGen –Round 2 s2s2 s4s4 s1s1 s3s3 … … … …

Threshold KeyGen – End Of Round 2 s2s2 s4s4 s1s1 s3s3 … … … …

… … … … Threshold KeyGen – Round 3 s2s2 s4s4 s1s1 s3s3 …………

Threshold KeyGen – End Of Round 3 s2s2 s4s4 s1s1 s3s3

Threshold FHE - KeyGen one round!

The MPC Protocol Threshold KeyGen (2 rounds) – Round 1: Creates public key – Round 2: Creates evaluation key The parties encrypt their inputs (sent concurrently with round 2 of KeyGen) Threshold Dec (1 round)

Malicious

Conclusion TFHE based on LWE – In the paper: Ring – LWE 3 Rounds MPC 2 Rounds in reusable PKI - optimal(!) Low Communication Complexity Easy to delegate Thank You!