Secure Multiparty Computation

Presentation transcript:

Secure Multiparty Computation (MPC)
Yuval Ishai, Technion
Cryptography Boot Camp, May 21, 2015

Speaker's note: This seemingly poor choice of acronym actually serves two important purposes: (1) it puts you in a better legal position in case your security proof turns out to be buggy; (2) if you get to review an anonymous submission that uses a better acronym such as SMC or SMPC, you know it was written by a pedantic author who is not one of your friends and can therefore safely reject it.

Talk Outline
- Gentle introduction to MPC
- Definitions
- Protocols
- Open problems, and why we will never run out of them…

Speaker's note: Open problems here are to some extent bigger and more qualitative in nature: the gaps are between "polynomial" (feasible) and "super-polynomial" (infeasible). The gaps hold even if we don't make any computational efficiency requirements.

MPC is more general than you think
- Can capture problems from many areas:
  - Error-correcting codes
  - Distributed algorithms
  - Interactive proofs, PCPs, randomness extractors
  - Encryption, signatures, ZK proofs
  - Obfuscation, functional encryption
  - Anything that involves "good guys" trying to achieve a common goal in the presence of "bad guys"
- Too big to fail…
- Rest of talk: secure function evaluation

Speaker's note: Don't think about it too hard, because you may run into circularity. There are problems from many areas that can be cast as special cases of the general MPC framework.

How much do we earn?
Goal: compute Σ xi without revealing anything else.
(Figure: six parties holding salaries x1, …, x6.)

A better way?
- Assumption: every input satisfies 0 ≤ xi < M (say, M = 10^11); the + and − operations are carried out modulo M.
- P1 picks a random 0 ≤ r < M and sends m1 = r + x1 to P2.
- Each subsequent party adds its input and passes the running total on: m2 = m1 + x2, m3 = m2 + x3, m4 = m3 + x4, m5 = m4 + x5, m6 = m5 + x6.
- P1 receives m6 and announces m6 − r = x1 + … + x6 (mod M).

Speaker's note: Updated to 10^11 (Bay Area).

A security concern
(Figure: the ring protocol above, with m1 = r + x1, m2 = m1 + x2, … passing around the ring. Each mi is seen by the two parties it passes between, so the two neighbours of a party can subtract the messages they saw, mi − mi−1 = xi, and recover its input.)

Resisting collusions
- Every pair of parties connected by an edge (i, j) exchanges a fresh random mask rij (figure: r12, r16, r25, r32, r43, r51, r65).
- Party i publishes xi + (sum of the masks in inboxi) − (sum of the masks in outboxi); every mask appears once with + and once with −, so the published values sum to Σ xi.
- More generally, the adversary's knowledge is equivalent to the sum of the inputs in each connected component of the graph induced on the honest parties.
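As an added example (not code from the talk), the following Python reproduces the three slides above: the ring protocol, the attack in which a party's two neighbours collude, and the pairwise-mask protocol together with what a coalition learns from it. The bound M, the sample inputs and the graph edges are constructed for the demonstration.

```python
import secrets

# Added example (not from the talk): the ring-based secure sum, the
# neighbour-collusion attack on it, and the pairwise-mask variant.
M = 10**11   # public bound: every input satisfies 0 <= x_i < M


def ring_sum(inputs):
    """Ring protocol: P1 masks its input with a random r, every party adds
    its own input to the running total, and P1 removes r at the end.
    Returns (total, msgs) where msgs[i] is the message sent by party i."""
    r = secrets.randbelow(M)
    msgs = [(r + inputs[0]) % M]
    for x in inputs[1:]:
        msgs.append((msgs[-1] + x) % M)
    # the last message travels back to P1, who strips the mask
    return (msgs[-1] - r) % M, msgs


def neighbours_collude(msgs, i):
    """Parties i-1 and i+1 (0-based, 1 <= i <= k-1) pool what they saw:
    party i+1 received msgs[i] = msgs[i-1] + x_i and party i-1 sent
    msgs[i-1], so x_i falls out by subtraction; no randomness protects it."""
    return (msgs[i] - msgs[i - 1]) % M


def masked_sum(inputs, edges):
    """Pairwise-mask protocol: for every edge (i, j) party i sends a fresh
    random r_ij to party j. Party i publishes
        x_i + (masks in its inbox) - (masks in its outbox)  (mod M),
    so each mask cancels in the total. Returns (total, published, masks)."""
    k = len(inputs)
    inbox, outbox, masks = [0] * k, [0] * k, {}
    for (i, j) in edges:
        r = secrets.randbelow(M)
        masks[(i, j)] = r
        outbox[i] = (outbox[i] + r) % M
        inbox[j] = (inbox[j] + r) % M
    published = [(inputs[i] + inbox[i] - outbox[i]) % M for i in range(k)]
    return sum(published) % M, published, masks


def adversary_learns(published, masks, corrupt):
    """View of a coalition `corrupt` in the pairwise-mask protocol: it
    knows every mask on an edge it touches, so it can strip those masks
    from the honest parties' published values. What remains is blinded
    only by masks between honest parties, i.e. the coalition learns the
    input sums over the connected components of the honest subgraph.
    Returns {honest party: published value with the coalition's masks
    removed}."""
    seen = {}
    for i in range(len(published)):
        if i in corrupt:
            continue
        v = published[i]
        for (a, b), r in masks.items():
            if a == i and b in corrupt:      # mask i sent to a corrupt party
                v = (v + r) % M
            if b == i and a in corrupt:      # mask i received from a corrupt party
                v = (v - r) % M
        seen[i] = v
    return seen
```

On a path 0–1–2–3 with party 1 corrupt, party 0 is its own component, so `adversary_learns` returns x0 in the clear; parties 2 and 3 are only revealed as the sum x2 + x3.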

Secure MPC protocol for f
- More generally, P1, …, Pk want to securely compute f(x1, …, xk).
- Up to t parties can collude; they should learn (essentially) nothing but the output.
- Questions: When is this at all possible? How efficiently?
- Information-theoretic (unconditional) security is possible when t < k/2 [Ben-Or-Goldwasser-Wigderson88, Chaum-Crépeau-Damgård88, Rabin-Ben-Or89].
- Computational security is possible for any t, under standard assumptions [Yao86, Goldreich-Micali-Wigderson87, Canetti-Lindell-Ostrovsky-Sahai02, …].
- Or: information-theoretic security for any t given oblivious transfer (OT) or correlated randomness [Kilian88, I-Prabhakaran-Sahai08, …].
  (Figure: OT. The sender holds s0, s1; the receiver holds a choice bit c and learns sc and nothing more, while the sender learns nothing about c.)
- Several efficiency measures: communication, rounds, computation, randomness.
- Known results depend on the type of security and on the assumptions.
- Active area of research: a relatively small gap between "provable" and "heuristic" security, and strong synergy between theory and implementation efforts.

Real/Ideal Paradigm [GM82, GMR85, GMW87, …, Can00, Can01]
- "Whatever an adversary can achieve by attacking the real protocol, it could have also achieved by attacking an ideal protocol that employs a trusted party."
- Achieve = learn + influence.
- Formalized via a simulator.
- Captures privacy, correctness, and independence of inputs.
- (Figure: in the real protocol the honest parties run π against an adversary A; in the ideal protocol the honest parties hand their inputs to a trusted party computing f, and a simulator S plays the adversary's role. An environment Z supplies the inputs, talks to A or S, and finally outputs a bit 0/1.)
- Protocol π securely realizes f if for every A there is an S such that for every Z, Pr[Real(Z, A, π) = 1] ≅ Pr[Ideal(Z, S, f) = 1].
- Standalone MPC: Z only sends inputs and receives outputs.
- UC MPC: Z arbitrarily interacts with A/S.

Speaker's note: When considering information-theoretic security and parties that follow the protocol, one can define secrecy in a Shannon style. Things become more complicated when referring to information-theoretic security and especially to active attacks. What does correctness even mean? ("I saw spirits of dead people who told me I can bend spoons.")

Definitions
- Many different models… but:
  - answers to most natural questions are only sensitive to very few aspects of the model
  - general connections between models
  - few "standard" models
- Defining an MPC task involves specifying:
  - Functionality: what do we want to achieve?
  - Network model: how are we going to do this?
  - Adversary: who do we need to protect against?
  - Security type: what kind of protection do we want?

Functionality
- Captures the ideal goal: specifies a solution using the help of a trusted party.
- Defines inevitable vulnerabilities.
- Non-reactive f: (x1, …, xk) → (y1, …, yk) vs. reactive.
- Deterministic vs. randomized.
- Single output vs. multiple outputs.
- May also capture other tolerable vulnerabilities: taking input from and delivering output to the adversary.
- Which functionality is "safe" to compute? Out of scope for MPC; the central theme of differential privacy (Cynthia's talk tomorrow).

Network Model
- Synchronous vs. asynchronous
- Secure point-to-point channels vs. open channels
- Authenticated vs. unauthenticated communication
- Full network vs. partial network
- Other "helper functionalities":
  - Setup: none, common random string (CRS), correlated randomness
  - Oracles: broadcast, oblivious transfer (OT), noisy channels, …

Adversary
- Which sets of parties may be corrupted? Typically a threshold t on the number of corrupted parties; honest majority vs. no honest majority.
- Passive (semi-honest) vs. active (malicious)
- Computationally bounded vs. unbounded
- Static vs. adaptive vs. mobile

Security Type
- Standalone vs. UC
- Quality of the simulator: perfect vs. statistical vs. computational
- Resources of the simulator: bounded vs. unbounded
- Output delivery: full security, fair security, security with abort, security with identifiable abort

Information-Theoretic Security
- Unbounded adversary, passive or active
- Honest majority; alternatively, an OT oracle or correlated randomness
- Secure point-to-point channels; broadcast if the adversary is active and t < k/2
- Security is typically (not always) unconditional, universally composable, and adaptive

Composition
- Composition theorems have the following form: if πf|g securely realizes f using oracle calls to g, and πg securely realizes g, then the protocol πf obtained by replacing each oracle call with πg securely realizes f.
- Motivation:
  - Outwards: ensure security inside bigger applications.
  - Inwards: modular protocol design, e.g. design and analyze protocols based on an OT oracle, then plug in efficient realizations of OT [IKNP03, PVW08].
- Standalone models support sequential composition; UC models support concurrent composition.
- UC security is generally impossible in the plain model [CF01]; possible assuming an honest majority [Can01], different kinds of setup [CLOS02, …], or with super-polynomial simulation [PS04, …].

Feasibility: open questions
- Which functions can be computed fairly? Some cannot [Cleve86]; a lot of recent activity [GHKL08, …, ABMO15].
- Which functions can be computed with information-theoretic security? What assumptions are needed for those that cannot?
- Under what assumptions can f be reduced to g? Large body of work [Kus89, Bea89, …, KMPS14].
- Composable security: different ways around impossibility results (e.g., "environmentally friendly" protocols [CLP13]); simpler versions of the UC model [CCL15].
- Find new ways of deriving feasibility results.

A simple MPC protocol [IKMOP13]
Setting: Alice holds x, Bob holds y, and both should learn f(x, y). A trusted dealer hands out correlated randomness RA, RB before the inputs are known.
Offline:
- Set G[u, v] = f[u − dx, v − dy] for random shifts dx, dy.
- Pick random RA, RB such that G = RA + RB.
- Alice gets (RA, dx); Bob gets (RB, dy).
Protocol on inputs (x, y):
- Alice sends u = x + dx; Bob sends v = y + dy.
- Alice sends zA = RA[u, v]; Bob sends zB = RB[u, v].
- Both output z = zA + zB.
(Figure: a small truth table G whose rows and columns are shifted by dx and dy.)

Speaker's note: Let's see how we can get something similar to a one-time pad.
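As an added example (not the paper's or the talk's code), here is the dealer-assisted protocol above in Python, with inputs in Z_n and outputs in Z_p (n and p are chosen small for readability). `correct_everywhere` checks that the sum of the two table entries is always f(x, y), and `shifts_seen` shows the one-time-pad property the speaker alludes to: for a fixed input pair, every (u, v) in Z_n × Z_n appears on the wire, because dx and dy are uniform and used once.

```python
import secrets

# Added example (not from the slides): the [IKMOP13]-style one-time
# truth-table protocol. The dealer is trusted for the offline phase only.


def dealer_setup(f, n, p):
    """Offline phase. Builds the shifted truth table
    G[u][v] = f(u - dx, v - dy) (indices mod n) and splits it additively
    mod p into RA + RB. Returns Alice's (RA, dx) and Bob's (RB, dy)."""
    dx, dy = secrets.randbelow(n), secrets.randbelow(n)
    G = [[f((u - dx) % n, (v - dy) % n) % p for v in range(n)] for u in range(n)]
    RA = [[secrets.randbelow(p) for _ in range(n)] for _ in range(n)]
    RB = [[(G[u][v] - RA[u][v]) % p for v in range(n)] for u in range(n)]
    return (RA, dx), (RB, dy)


def online(alice_rand, bob_rand, x, y, n, p):
    """Online phase: two messages of log n bits, then two of log p bits.
    Returns the output and the transcript (u, v, zA, zB)."""
    RA, dx = alice_rand
    RB, dy = bob_rand
    u = (x + dx) % n        # Alice -> Bob: x hidden by the one-time shift dx
    v = (y + dy) % n        # Bob -> Alice
    zA = RA[u][v]           # Alice -> Bob: uniform on its own
    zB = RB[u][v]           # Bob -> Alice: zA + zB = G[u][v] = f(x, y)
    return (zA + zB) % p, (u, v, zA, zB)


def correct_everywhere(f, n, p):
    """z = f(x, y) mod p for all inputs, with fresh dealer randomness each time."""
    for x in range(n):
        for y in range(n):
            a, b = dealer_setup(f, n, p)
            z, _ = online(a, b, x, y, n, p)
            if z != f(x, y) % p:
                return False
    return True


def shifts_seen(f, n, p, x, y, trials):
    """Collect the (u, v) pairs that appear on the wire for one fixed input
    pair over many runs. Since dx, dy are uniform and never reused, every
    pair in Z_n x Z_n shows up: the first two messages are a one-time pad."""
    seen = set()
    for _ in range(trials):
        a, b = dealer_setup(f, n, p)
        _, (u, v, _, _) = online(a, b, x, y, n, p)
        seen.add((u, v))
    return seen
```

The cost the next slide complains about is visible in `dealer_setup`: the dealer stores n² entries for each party, i.e. the whole truth table, regardless of how simple f is.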

A simple MPC protocol
- The good: perfect security; great online communication.
- The bad: exponential-size randomness and storage.
- Can we do better? Yes, if f has small circuit complexity:
  - Idea: process the circuit gate by gate.
  - Start by secret-sharing the inputs.
  - For each gate whose inputs have been shared, compute shares of its outputs.
  - Communication ∝ circuit size, rounds ∝ circuit depth.
  - Similar protocol using OT [GMW87, GV87, GHY87].
- Can we use less randomness for every f?
  - Yes! Best upper bound: 2^{Õ(√n)} [BIKK14], obtained via "computationally simple" 3-server PIR or 3-query LDC [Yek07, Efr09].
  - Minimal randomness complexity wide open.
  - Compare with one-time pad, where

3-Party MPC for g(x, y, z)
- Define f((x, zA), (y, zB)) = g(x, y, zA + zB).
- (Figure: Alice (x) holds RA and zA, Bob (y) holds RB and zB, Carol (z) holds z = zA + zB; all three output g(x, y, z).)
- Feasibility for passive, information-theoretic 3-party MPC.
- Can be generically amplified to efficient* n-party MPC using recursive player virtualization and log-depth threshold formulas [HM01, CIDKRR03].

Approaches to passive MPC
Information-theoretic, honest majority:
- Using "multiplicative" linear secret sharing (figure: Shamir shares S1, …, S7 of x and y, polynomial degree t < k/2).
- Arithmetic circuit evaluated gate by gate.
- Additions done non-interactively.
- Multiplications via a 1-round protocol.
- Round complexity ~ multiplicative depth.
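As an added example (not code from the talk), the following Python evaluates an arithmetic circuit on Shamir shares in the honest-majority style just described: addition is local, multiplication costs one round of resharing. The field prime P = 2^61 − 1 and the parameters K = 5 parties, T = 2 are assumptions for the demo; the one-round multiplication works because 2T < K, so the degree-2T product polynomial is determined by all K local products.

```python
import secrets

# Added example (not from the slides): passive-secure honest-majority
# evaluation of an arithmetic circuit on Shamir shares (BGW style).
P = 2**61 - 1      # prime field Z_P (assumption: any prime > K works)
K, T = 5, 2        # K parties, degree-T sharing; T < K/2 so 2T <= K-1


def share(s, t=T, k=K):
    """Shamir sharing: random degree-t polynomial p with p(0) = s; party i
    (numbered 1..k) gets p(i). Any t shares are uniform and independent of s."""
    coeffs = [s % P] + [secrets.randbelow(P) for _ in range(t)]
    return [sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P
            for i in range(1, k + 1)]


def lagrange_at_zero(points):
    """Coefficients l_i with sum_i l_i * p(i) = p(0) for every polynomial p
    of degree < len(points)."""
    coeffs = []
    for i in points:
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        coeffs.append(num * pow(den, P - 2, P) % P)
    return coeffs


def reconstruct(shares_by_party):
    """shares_by_party: {party index: share}; any t+1 entries suffice."""
    pts = list(shares_by_party)
    return sum(l * shares_by_party[i] % P
               for l, i in zip(lagrange_at_zero(pts), pts)) % P


def add_gate(a, b):
    """Addition is local: shares of a+b are the sums of the shares."""
    return [(x + y) % P for x, y in zip(a, b)]


def mul_gate(a, b, t=T, k=K):
    """One round of interaction. The local products a_i*b_i are points of a
    degree-2t polynomial with constant term ab; since 2t < k, the Lagrange
    weights over all k points recover ab from them. Party i reshares its
    product with a fresh degree-t polynomial, and party j combines what it
    receives with those weights, giving a degree-t sharing of ab."""
    lam = lagrange_at_zero(list(range(1, k + 1)))
    resharing = [share(a[i] * b[i] % P, t, k) for i in range(k)]  # [i][j]: i -> j
    return [sum(lam[i] * resharing[i][j] for i in range(k)) % P for j in range(k)]


def evaluate_xy_plus_x(x, y):
    """Tiny circuit x*y + x on shared inputs, with the output reconstructed
    from the first T+1 parties only."""
    xs, ys = share(x), share(y)
    out = add_gate(mul_gate(xs, ys), xs)
    return reconstruct({i + 1: out[i] for i in range(T + 1)})
```

Rounds are counted by multiplication gates on the critical path, exactly the "multiplicative depth" of the slide; the addition gate in `evaluate_xy_plus_x` costs no communication at all.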

Approaches to passive MPC
Information-theoretic, t < k, OT-hybrid model:
- Using additive secret sharing over Z2.
- Boolean circuit evaluated gate by gate.
- XOR/NOT gates evaluated non-interactively.
- AND/OR gates via one round of OT calls.
- Round complexity ~ multiplicative depth.
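As an added example (not code from the talk), here is the two-party, OT-hybrid version of the gate-by-gate approach: wires are XOR-shared between Alice and Bob, XOR and NOT are local, and each AND gate uses one 1-out-of-4 OT. The OT itself is an idealized oracle function here (the "OT-hybrid model" of the slide), and the one-bit comparison circuit at the end is constructed for the demonstration.

```python
import secrets

# Added example (not from the slides): GMW-style passive 2PC over Z_2 with
# an ideal OT oracle. Alice is party 0, Bob is party 1.


def ot_1_of_4(sender_msgs, receiver_choice):
    """Ideal 1-out-of-4 OT: the receiver obtains exactly sender_msgs[choice].
    In the hybrid model this is an oracle; a real deployment substitutes an
    OT protocol, and the sender never learns the choice."""
    return sender_msgs[receiver_choice]


def share_bit(b):
    """The owner of bit b splits it as (b ^ r, r): one share per party."""
    r = secrets.randbelow(2)
    return b ^ r, r


def xor_gate(a_shares, b_shares):
    """XOR is local: each party XORs its two shares."""
    return tuple(x ^ y for x, y in zip(a_shares, b_shares))


def not_gate(shares):
    """NOT is local: only Alice flips her share."""
    return shares[0] ^ 1, shares[1]


def and_gate(a_shares, b_shares):
    """AND costs one round. With a = a1^a2 and b = b1^b2,
        a*b = a1*b1 ^ a2*b2 ^ (a1*b2 ^ a2*b1).
    The cross term mixes both parties' shares, so Alice masks it with a
    random r and offers a 4-entry table indexed by Bob's (a2, b2); Bob reads
    one entry via OT. Neither side learns the other's shares."""
    a1, a2 = a_shares
    b1, b2 = b_shares
    r = secrets.randbelow(2)
    table = [r ^ (a1 & bb) ^ (aa & b1) for aa in (0, 1) for bb in (0, 1)]
    cross = ot_1_of_4(table, 2 * a2 + b2)
    return (a1 & b1) ^ r, (a2 & b2) ^ cross


def open_wire(shares):
    """Both parties publish their share of an output wire."""
    return shares[0] ^ shares[1]


def greater_than(x, y):
    """Securely evaluate the 1-bit circuit x AND (NOT y), i.e. x > y, with
    Alice holding x and Bob holding y: one OT, one round."""
    xs = share_bit(x)       # Alice shares her input
    ys = share_bit(y)       # Bob shares his input
    return open_wire(and_gate(xs, not_gate(ys)))
```

The multiplicative depth shows up directly: a circuit with d AND gates on its longest path needs d sequential OT rounds, while any number of XOR and NOT gates between them are free.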

Approaches to passive MPC
Boosting efficiency via randomized encodings / garbling schemes:
- Encode "complex" f by "simple" randomized f′; the encoding can be information-theoretic or computational.
- Apply the previous protocols to f′.
- Typically used to reduce round complexity: 2-round (3-round) i.t. protocols with t < k/3 (t < k/2); 2-round (4-round) computational 2PC (MPC).
- Recent iO-based constructions can also reduce communication and rebalance computation.
- Much recent work on optimizing Yao-style garbled circuits.

Approaches to passive MPC
Using homomorphic encryption:
- Linear-homomorphic [FH93, CDN01]
- FHE [Gen09]
- TFHE [AJLT12]
- Multi-key FHE [ATV12, MW15]
Using iO [GGHR14].

Active-Secure MPC
- Security against active attacks is much more challenging.
- Common paradigm: passive security → active security.
  - GMW compiler: use ZK proofs [GMW87, …]
  - Make sub-protocols verifiable [BGW88, CCD88, …]
  - Ad-hoc cut-and-choose techniques […, LP07, …]
  - AMD circuits [GIPST14, IKST14, GIP15]
  - "MPC in the Head" [IKOS07, IPS08]

MPC in the Head

Back to the 1980s
- Zero-knowledge proofs for NP [GMR85, GMW86]
- Computational MPC with no honest majority [Yao86, GMW87]
- Unconditional MPC with honest majority [BGW88, CCD88, RB89]
- Unconditional MPC with no honest majority assuming ideal OT [Kilian88]
- Are these unrelated? Can some be derived from others?

Message of this part of the talk
- Honest-majority MPC is useful even when there is no honest majority!
- Establishes unexpected relations between classical results.
- New results for MPC with no honest majority.
- New application domains for algebraic-geometric codes, which support "constant rate" honest-majority MPC [CC06, DI06].

Zero-knowledge proofs
- Goal: ZK proof for an NP relation R(x, w), with completeness, soundness, and zero-knowledge.
- Towards using MPC: define the n-party functionality g(x; w1, …, wn) = R(x, w1 ⊕ … ⊕ wn) and use any 2-secure, perfectly correct protocol Π for g:
  - security in the passive model
  - honest majority when n ≥ 5

MPC → ZK [IKOS07]
Given an MPC protocol Π for g(x; w1, …, wn) = R(x, w1 ⊕ … ⊕ wn):
- Prover: split w = w1 ⊕ … ⊕ wn, run Π "in the head" with virtual parties P1, …, Pn on inputs w1, …, wn, and commit to the resulting views V1, …, Vn.
- Verifier: pick random i, j.
- Prover: open the views Vi, Vj.
- Verifier: accept iff the output is 1 and Vi, Vj are consistent with each other.

Analysis
(Protocol: the Prover commits to views V1, …, Vn; the Verifier picks random i, j; the Prover opens Vi, Vj; the Verifier accepts iff output = 1 and Vi, Vj are consistent; w = w1 ⊕ … ⊕ wn.)
- Completeness: ✓
- Zero-knowledge: by the 2-security of Π and the randomness of wi, wj. (Note: it is enough to use w1, w2, w3.)

Analysis
- Soundness: suppose R(x, w) = 0 for all w. Then either (1) V1, …, Vn are consistent with the protocol Π, or (2) they are not.
  - (1) ⇒ all outputs are 0 (perfect correctness) ⇒ the Verifier rejects.
  - (2) ⇒ for some pair (i, j), Vi and Vj are inconsistent ⇒ the Verifier rejects with probability ≥ 1/n².

Extensions
- Works also with OT-based MPC.
- Variant: use 1-secure MPC with a simple consistency check: open one view and one incident channel.
- Extends to MPC with error.
- Variant: directly get 2^{−s} soundness error via security in the active model:
  - two clients, n = O(s) servers
  - Ω(n)-security with abort against an active adversary
  - broadcast is "free"
- Realize Com using OWF.

Applications
- Simple ZK proofs using (1,3) semi-honest MPC [BGW88, CCD88] or [Mau02], or (2,3) semi-honest MPC in the OT-hybrid model [GMW87, GV87, GHY87].
- ZK proofs with O(|R|) + poly(k) communication, using AG codes.
- Many good ZK protocols implied by the MPC literature, e.g. ZK for linear algebra [CD01, …].

General 2-party protocols [IPS08]
- Life is easier when everyone follows instructions…
- GMW paradigm [GMW87]: passive-secure π → active-secure π′, using ZK proofs to prove "sticking to the protocol".
- Non-black-box: the ZK proofs in π′ involve the code of π.
  - Typically considered "impractical".
  - Not applicable at all when π uses an oracle:
    - functionality oracle: OT-hybrid model
    - crypto-primitive oracle: black-box PRG
    - arithmetic oracle: black-box field or ring
- Is there a "black-box alternative" to GMW?

A dream goal
- From any π realizing f in the passive model, obtain π′ realizing f in the active model.
- Possible for some fixed f, e.g. OT [IKLP06, Hai08].
- Impossible for general f, e.g. ZK functionalities [IKOS07].

Idea
- Combine two types of "easy" protocols:
  - Outer protocol: honest-majority active-secure MPC
  - Inner protocol: passive-secure 2-party protocol, possibly in the OT-hybrid model
- Both are considerably easier than our goal, and both can have information-theoretic security.

Speaker's note: Both of these protocols are easier than what we want to get, and both exist unconditionally.

Outer protocol
- k servers; client A holds input x, client B holds input y.
- Secure against an active adaptive adversary corrupting one client and t = ck servers, for some constant c > 0.
- Security with abort suffices; straight-line simulation.
- Example: "BGW-lite".

Inner protocol
- Client A holds input x, client B holds input y; they may use an OT oracle.
- Secure against a passive adversary (adaptive security with erasures).
- Example: "GMW-lite".

Combining the two protocols
(Figure: the two clients emulate the servers of the outer protocol for f via player virtualization, while "oblivious watchlists" let each client inspect a random subset of the emulated servers, a panopticon.)

A closer look at server emulation
- Assume the servers are deterministic: this is already the case for natural protocols, and can be ensured in general with small overhead.
- In the outer protocol, server i gets messages from A and B, sends messages to A and B, and may update a secret state.
- Captured by a reactive 2-party functionality Fi: inputs = incoming messages, outputs = outgoing messages.
- Use the passive-secure inner protocol for Fi to distribute server i between the clients. "Local" computations do not need to be distributed.

A closer look at watchlists
- The inner protocol can't prevent clients from cheating by sending "bad messages".
-  The watchlist mechanism ensures that cheating does not occur too often: a client doesn't know which instances of the inner protocol are watched.
- Two cases:
  - Client cheats in ≤ t instances ⇒ the cheating is tolerated by the t-security of the outer protocol.
  - Client cheats in > t instances ⇒ it will be caught with overwhelming probability.
- A non-interactive form of "cut-and-choose".

Applications
- Revisiting the classics: BGW-lite + GMW-lite ⇒ Kilian.
- Efficient MPC with no honest majority:
  - O(1) bits per gate in the OT-hybrid model (+ additive term)
  - all crypto can be pushed to preprocessing
- Constant-round MPC in the OT-hybrid model (t < n) using a black-box PRG.
- Extending 2-party "cut-and-choose" Yao.
- Efficient OT extension in the malicious model.
- Constant-rate black-box reduction of OT to semi-honest OT.
- Secure arithmetic computation over black-box fields/rings.
- Protocols making black-box use of linear-homomorphic encryption.

Communication Complexity

Fully Homomorphic Encryption [Gentry09]
- Settles the main communication complexity questions in complexity-based cryptography, even under "nice" assumptions [BV11, …].
- Main open questions: further improve the assumptions; improve the practical computational overhead (FHE >> PKE >> SKE >> XOR).

MPC vs. Communication Complexity
(Figure: three parties holding a, b, c.)

                 Communication Complexity        MPC
Goal             Each party learns f(a,b,c)      Each party learns only f(a,b,c)
Upper bound      O(n) (n = input length)         O(size(f)) [BGW88, CCD88]
Lower bound      Ω(n) (for most f)               Ω(n) (for most f)

Big open question: poly(n) communication for all f? ("Fully homomorphic encryption of information-theoretic cryptography.")

Question Reformulated
- Is the communication complexity of MPC strongly correlated with the computational complexity of the function being computed?
- (Figure: within the set of all functions, the efficiently computable functions form a subset. Is "efficiently computable" the same as "has communication-efficient MPC", and "not efficiently computable" the same as "has no communication-efficient MPC"?)

The three problems are closely related
(Figure: a timeline 1990–2000 connecting MPC, PIR and LDC: MPC ↔ PIR [IK04], PIR ↔ LDC [KT00].)

Speaker's note: Equivalent in the sense that a big breakthrough on one problem will imply a similar breakthrough on the others. If you want to prove strong lower bounds on MPC, this will imply LDC lower bounds.

Private Information Retrieval [Chor-Goldreich-Kushilevitz-Sudan95]
- A client wants xi from a database x ∈ {0,1}^n held by one or more servers, without revealing i.
- "Information-theoretic" vs. computational.
- Main question: minimize communication (log n vs. n).

A Simple I.T. PIR Protocol
- View the database as a √n × √n matrix X; the client wants column i (which contains the desired bit).
- The client picks q1, q2 ∈ {0,1}^√n with q1 + q2 = ei and sends q1 to S1 and q2 to S2.
- Server j replies with aj = X·qj.
- The client computes a1 + a2 = X·ei, the i-th column of X.
⇒ 2-server PIR with O(√n) communication.

Speaker's note: What do you think is the best known communication complexity?
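As an added example (not code from the talk), the following Python runs the 2-server scheme above end to end over GF(2): the client XOR-splits a unit vector, each server returns X·q for its half, and XORing the answers yields the requested column. The 64-bit database is constructed for the demonstration, and the function also reports the number of bits exchanged so the 4√n cost is visible.

```python
import math
import secrets

# Added example (not from the slides): 2-server information-theoretic PIR
# with O(sqrt(n)) communication; all arithmetic over GF(2).


def as_matrix(db_bits):
    """Lay n bits out as a sqrt(n) x sqrt(n) matrix (list of rows)."""
    n = len(db_bits)
    m = math.isqrt(n)
    if m * m != n:
        raise ValueError("pad the database to a perfect square first")
    return [db_bits[r * m:(r + 1) * m] for r in range(m)]


def client_queries(col, m):
    """Additive (XOR) sharing of the unit vector e_col over {0,1}^m.
    Each query on its own is a uniformly random vector, so a single
    server learns nothing about col."""
    q1 = [secrets.randbelow(2) for _ in range(m)]
    q2 = q1[:]
    q2[col] ^= 1
    return q1, q2


def server_answer(X, q):
    """X*q over GF(2): for each row, the parity of the selected columns.
    Linearity is what lets the two answers combine into one column."""
    return [sum(x & qj for x, qj in zip(row, q)) & 1 for row in X]


def pir_read(db_bits, idx):
    """Full run. Returns (bit, bits_communicated)."""
    X = as_matrix(db_bits)
    m = len(X)
    row, col = divmod(idx, m)
    q1, q2 = client_queries(col, m)
    a1, a2 = server_answer(X, q1), server_answer(X, q2)
    column = [u ^ v for u, v in zip(a1, a2)]   # X*(q1 + q2) = X*e_col
    return column[row], 2 * m + 2 * m          # two m-bit queries, two m-bit answers


def pir_correct_everywhere(db_bits):
    return all(pir_read(db_bits, i)[0] == db_bits[i] for i in range(len(db_bits)))


# constructed 64-bit database for the demo (8 x 8 matrix)
DEMO_DB = [((i * 7 + 3) % 5) % 2 for i in range(64)]
```

The client learns the whole column, not just one bit; that is harmless for privacy and is what keeps the answers to √n bits.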

A Simple Computational PIR Protocol [Kushilevitz-Ostrovsky97]
- Tool: (linear) homomorphic encryption, E(a)·E(b) = E(a + b).
- Protocol (X viewed as a √n × √n matrix):
  - The client sends E(ei) = (c1, …, c√n), e.g. E(0), E(0), E(1), E(0).
  - The server replies with E(X·ei): for each row, the product of the cj over the columns j with X[row, j] = 1 (for a row 0110 this is c2·c3).
  - The client decrypts and recovers the i-th column of X.
⇒ 1-server CPIR with ~O(√n) communication.
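As an added example (not the paper's code), here is the KO97 scheme above instantiated with an additively homomorphic cipher. Paillier is used as the linear-homomorphic tool; the key is generated from toy primes just above 10^6 (far too small for real use, chosen so the demo runs instantly), and the 16-bit database is constructed. The server's work is exactly the slide's rule: multiply the ciphertexts of the columns whose bit is 1.

```python
import math
import secrets

# Added example (not from the paper): KO97 single-server CPIR on top of a
# toy Paillier instance. Primes are deliberately tiny: demonstration only.


def _next_prime(n):
    while any(n % d == 0 for d in range(2, math.isqrt(n) + 1)):
        n += 1
    return n


P_ = _next_prime(10**6)           # constructed toy primes
Q_ = _next_prime(P_ + 1)
N_ = P_ * Q_
N2 = N_ * N_
LAM = (P_ - 1) * (Q_ - 1) // math.gcd(P_ - 1, Q_ - 1)


def _L(u):
    return (u - 1) // N_


MU = pow(_L(pow(N_ + 1, LAM, N2)), -1, N_)


def enc(m):
    """Paillier with g = N+1: E(m) = (1+N)^m * r^N mod N^2, r coprime to N."""
    while True:
        r = secrets.randbelow(N_ - 1) + 1
        if math.gcd(r, N_) == 1:
            break
    return pow(N_ + 1, m, N2) * pow(r, N_, N2) % N2


def dec(c):
    return _L(pow(c, LAM, N2)) * MU % N_


def add_ct(c1, c2):
    """Homomorphism: E(a) * E(b) = E(a + b)."""
    return c1 * c2 % N2


def client_query(col, m):
    """E(e_col): one ciphertext per column; they are indistinguishable to
    the server, which is the whole privacy argument."""
    return [enc(1 if j == col else 0) for j in range(m)]


def server_reply(X, cts):
    """For each row, multiply the ciphertexts of the columns whose bit is 1:
    E(<row, e_col>) = E(X[row][col]), computed without learning col. Start
    from a fresh E(0) so every reply is a properly randomised ciphertext."""
    out = []
    for row in X:
        acc = enc(0)
        for bit, c in zip(row, cts):
            if bit:
                acc = add_ct(acc, c)
        out.append(acc)
    return out


def cpir_read(db_bits, idx):
    """Full run: sqrt(n) ciphertexts up, sqrt(n) ciphertexts down."""
    n = len(db_bits)
    m = math.isqrt(n)
    if m * m != n:
        raise ValueError("pad the database to a perfect square first")
    X = [db_bits[r * m:(r + 1) * m] for r in range(m)]
    row, col = divmod(idx, m)
    replies = server_reply(X, client_query(col, m))
    return dec(replies[row])


DEMO_DB = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]   # constructed 4x4


def cpir_correct_everywhere(db_bits):
    return all(cpir_read(db_bits, i) == db_bits[i] for i in range(len(db_bits)))
```

Communication is 2√n ciphertexts rather than 2√n bits, which is the "~O(√n)" of the slide: the ciphertext expansion is a multiplicative security-parameter factor.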

Locally Decodable Codes
- An encoding x ↦ y with two requirements: high robustness and local decoding. If < 1% of y is corrupted, any xi is recovered from a few queries to y with probability > 0.51.
- Question: how large should the codeword length m(n) be in a k-query LDC?
  - k = 2: 2^{Θ(n)}
  - k = 3: 2^{2^{Õ(√log n)}} (lower bound Ω(n²))

Speaker's note: Refer to the codeword alphabet being different from the message alphabet. Mention alternative, erasure-based formulations.

From I.T. PIR to LDC [Katz-Trevisan00]
- Simplifying assumptions: all servers compute the same function of (x, q); each query is uniform over its support set.
- k-server PIR with fixed query length and answer length → k-query LDC: set y[q] = Answer(x, q), so the codeword has one symbol per possible query (length 2^{query length}) over the alphabet Σ = {0,1}^{answer length}.
- Binary LDC ⇔ PIR with one answer bit per server.
- Uniform PIR queries ⇒ "smooth" LDC decoder ⇒ robustness.
- The arrows can be reversed.

Complexity of PIR: Short Answers
For concreteness: 3-server protocols, database size N, answer length O(1).
- Lower bounds [Man98, …, Woo07]: c·log N for some c > 1.
- Upper bounds:
  - [CGKS95] O(N^{1/2})
  - [Yekhanin07] N^{O(1/log log N)}, assuming infinitely many Mersenne primes
  - [Efremenko09, …] N^{Õ(1/√log N)}
  - even with 2 servers (without short answers) [DG14]

Complexity of PIR: Short Queries
- Short queries = O(log n) bits to each server.
- Closely related to poly(n)-length LDCs over a large alphabet Σ.
- Application: PIR with preprocessing [BIM00].
- k = 2, 3, 4, …: answer length O(n^{1/k+ε}) [BIK01].
- Lower bounds: ???

Speaker's note: There are actually other interesting regimes.

Tool: Secret Sharing
- A randomized mapping of a secret s to shares (s1, s2, …, sk).
- Linear secret sharing: shares = L(s, r1, …, rm) for a linear map L.
- Useful examples of linear schemes (3 parties):
  - Additive sharing: s = s1 + s2 + s3.
  - Shamir's secret sharing: si = p(i) where p(x) = s + r·x.
  - CNF secret sharing: s = r1 + r2 + r3, s1 = (r2, r3), s2 = (r1, r3), s3 = (r1, r2); party i gets every summand except ri.
- CNF is "maximal", additive is "minimal".
- For any linear scheme: from shares [v] of a vector and a public x, shares [⟨v, x⟩] can be computed without interaction.
- PIR with short answers reduces to the client sharing [ei] while hiding i; it is enough to share a multiple of [ei].
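As an added example (not code from the talk), the following Python instantiates the last two bullets: the client CNF-shares the unit vector e_i over Z2 among three servers, each server applies the local linear map "inner product with the database" to the one summand assigned to it, and the XOR of the three one-bit answers is x_i. The query here is O(n) bits per server, so this is not a good PIR scheme; its purpose is to show the reduction from short answers to sharing [e_i]. The 32-bit database is constructed.

```python
import secrets

# Added example (not from the slides): 3-server PIR with one-bit answers
# built from CNF sharing of e_i and the local computation of [<v, x>].


def cnf_share_vector(v):
    """CNF sharing of v in {0,1}^n: v = r1 ^ r2 ^ r3 with r1, r2 uniform
    and r3 fixed by v. Server i receives every summand except r_i, so
    server 1 holds (r2, r3), server 2 holds (r1, r3), server 3 holds (r1, r2).
    Each pair is uniform on its own, hence independent of v (1-private);
    any two servers together hold all three summands and learn v."""
    n = len(v)
    r1 = [secrets.randbelow(2) for _ in range(n)]
    r2 = [secrets.randbelow(2) for _ in range(n)]
    r3 = [a ^ b ^ c for a, b, c in zip(v, r1, r2)]
    return [(r2, r3), (r1, r3), (r1, r2)]


def inner_product(a, b):
    return sum(x & y for x, y in zip(a, b)) & 1


def server_bit(view, server_index, x):
    """Local linear map on shares. Every summand r_j is held by two servers,
    so assign each to exactly one: server 1 -> r2, server 2 -> r3,
    server 3 -> r1. The server returns the single bit <r_j, x>; because the
    inner product is linear, the three bits XOR to <r1 ^ r2 ^ r3, x>."""
    first, second = view
    chosen = {0: first, 1: second, 2: first}[server_index]
    return inner_product(chosen, x)


def unit_vector(i, n):
    return [1 if j == i else 0 for j in range(n)]


def pir_one_bit_answers(x, i):
    """Client shares e_i, collects one bit per server, XORs them.
    Returns (x_i, number of answer bits)."""
    views = cnf_share_vector(unit_vector(i, len(x)))
    bits = [server_bit(view, s, x) for s, view in enumerate(views)]
    return bits[0] ^ bits[1] ^ bits[2], len(bits)


def pir_correct_everywhere(x):
    return all(pir_one_bit_answers(x, i)[0] == x[i] for i in range(len(x)))


DEMO_DB = [(i * i + 1) % 3 % 2 for i in range(32)]   # constructed 32-bit database
```

The matching-vector constructions on the following slides keep exactly this structure (share a vector, answer with a local inner product) while shrinking the shared vector from n entries to h = n^{o(1)} entries.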

Tool: Matching Vectors [Yek07, Efr09, DGY10]
- Vectors u1, …, un in Zm^h are S-matching if ⟨ui, ui⟩ = 0 and ⟨ui, uj⟩ ∈ S for i ≠ j (0 ∉ S).
- Surprising fact: super-polynomial n(h) when m is composite; for instance n = h^{O(log h)} for m = 6, S = {1, 3, 4}.
- Based on large set systems with restricted intersections modulo m [BF80, Gro00].

Tool: Matching Vectors [Yek07, Efr09, DGY10]
- Matching vectors can be used to compress a "negated" shared unit vector: [ui] is locally expanded to [v] = [⟨ui, u1⟩, ⟨ui, u2⟩, …, ⟨ui, un⟩], and v is 0 only in the i-th entry.
- Apply local share conversion to obtain shares [v′], where v′ is nonzero only in the i-th entry.
- Efremenko09: share conversion from Shamir* to additive; requires large m.
- Beimel-I-Kushilevitz-Orlov12: share conversions from CNF to additive, m = 6, 15, …

Matching Vectors & Circuits
- (Figure: a depth-2 circuit of mod-6 gates over the inputs x1, x2, x3, …, xh.)
- Actual dimension wide open; related to the size of:
  - set systems with restricted intersections [BF80, Gro00]
  - matching vector sets [Yek07, Efr09, DGY10]
  - degree of representing "OR" modulo m [BBR92]
- 2h^logh < VC-dim << 22^h

Share Conversion
- Given: CNF shares of s mod 6, where s ∈ {0, 1, 3, 4}.
- Wanted: local conversion to shares of s′ such that s = 0 ⇒ s′ ≠ 0 and s ≠ 0 ⇒ s′ = 0.

Speaker's note: We just used an old-fashioned computer search.

Big Set System with Limited mod-6 Intersections
- Goal: find N subsets Ti of [h] such that |Ti| ≡ 1 (mod 6) and |Ti ∩ Tj| ∈ {0, 3, 4} (mod 6) for i ≠ j.
- h = query length; N = database size.
- [Frankl83]: h = C(r, 2), N = C(r − 3, 8), so h ≈ 7·N^{1/4}.
- Better asymptotic constructions exist.

Big Set System with Limited mod-6 Intersections
- Ground set: the edges of an r-clique, so h = C(r, 2). Fix 3 vertices; each Ti is the edge set of the 11-clique spanned by those 3 vertices and an 8-subset of the remaining r − 3 vertices, so N = C(r − 3, 8).
- |Ti| = C(11, 2) = 55 ≡ 1 (mod 6).
- Two such 11-cliques share t vertices with 3 ≤ t ≤ 10, so |Ti ∩ Tj| = C(t, 2) ∈ {0, 3, 4} (mod 6).
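As an added example (not code from the talk), the following Python builds the [Frankl83] set system sketched above for a small r and checks both mod-6 conditions exhaustively, then turns the sets into characteristic vectors in Z6^h so the dot products the matching-vector slides rely on can be read off directly (⟨ui, uj⟩ mod 6 = |Ti ∩ Tj| mod 6). The choice of fixed vertices {0, 1, 2} is an assumption; any three work.

```python
from itertools import combinations

# Added example (not from the slides): the Frankl set system over the
# edges of K_r and its mod-6 intersection profile.


def frankl_sets(r):
    """Fix vertices {0, 1, 2}; for every 8-subset S of the remaining r-3
    vertices, T_S = edge set of the 11-clique on {0, 1, 2} ∪ S.
    Returns (h, sets) with h = C(r, 2) and N = C(r-3, 8) sets of edge indices."""
    edges = list(combinations(range(r), 2))
    index = {e: k for k, e in enumerate(edges)}
    sets = []
    for S in combinations(range(3, r), 8):
        verts = (0, 1, 2) + S
        sets.append(frozenset(index[e] for e in combinations(verts, 2)))
    return len(edges), sets


def intersection_profile(sets):
    """(set of |T_i| mod 6, set of |T_i ∩ T_j| mod 6 over all i != j)."""
    sizes = {len(T) % 6 for T in sets}
    inters = {len(T & U) % 6 for T, U in combinations(sets, 2)}
    return sizes, inters


def satisfies_mod6(sets):
    sizes, inters = intersection_profile(sets)
    return sizes == {1} and inters <= {0, 3, 4}


def to_vectors(h, sets):
    """Characteristic vectors in Z_6^h."""
    return [[1 if k in T else 0 for k in range(h)] for T in sets]


def dot_mod6(u, v):
    return sum(a * b for a, b in zip(u, v)) % 6


def shared_vertex_counts(r):
    """The t values that actually occur for this r: two 8-subsets of r-3
    vertices share at least 16-(r-3) of them, so t ranges from
    max(3, 19-r) up to 10."""
    _, sets = frankl_sets(r)
    # |T_i ∩ T_j| = C(t, 2); invert by lookup
    c2 = {t * (t - 1) // 2: t for t in range(3, 11)}
    return {c2[len(T & U)] for T, U in combinations(sets, 2)}
```

For r = 14 the construction gives h = 91 and N = 165, and all three residues 0, 3, 4 occur (t = 9, 10, 8 respectively); the sizes 55 ≡ 1 (mod 6) hold for every r.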

Open Problems: PIR and LDC
- Understand the limitations of current techniques: better bounds on matching vectors? More powerful share conversions?
- t-private PIR with n^{o(1)} communication: known with 2t servers [BIW08, DG14]; related to locally correctable codes.
- Any savings for (classes of) polynomial-time f: {0,1}^n → {0,1}?
- Barriers for strong lower bounds? [Dvir10]: strong lower bounds for locally correctable codes imply explicit rigid matrices and size-depth lower bounds.

Open Problems: IT MPC
Communication complexity:
- High end: understand the complexity of the "worst" f: exponential upper bounds (currently 2^{Õ(√n)} [BIKK14]) vs. the Ω(n) lower bound; closely related to PIR and LDC.
- Mid range: nontrivial savings for "moderately hard" f?
- Low end: bounds on the amortized rate of finite f, in the honest-majority setting or given noisy channels.

Open Problems: IT MPC
Round complexity:
- Known: efficient constant-round protocols for NC1, NL.
- Big question: efficient constant-round protocols for P?
- Smaller question: 2-round, t < k/2, for
Computational complexity:
- Known: constant overhead with O(1) parties, polylog(k) overhead with k parties.
- Constant overhead for k parties? Would imply (under reasonable assumptions) constant-overhead computational ZK and active 2PC.

Open Problems: Computational MPC
Communication complexity:
- FHE from LWE? Is interaction helpful?
- OWF ⇒ polylogarithmic 2-private 3-server PIR? Yes in the 2-server case [GI14, BGI15].
Round complexity:
- 2-round MPC from other assumptions.
- Eliminating the CRS from the recent 2-round protocols [GGHR14, MW15].
Computational complexity:
- Better assumptions for passive 2PC with constant overhead [IKOS08, App11].
- Constant-overhead ZK under any assumption; partial progress in [DMGN14].
- MPC in the RAM model [OS08, …]: tomorrow!

The research leading to these results has received funding from the European Union's Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 259426 – ERC – Cryptography and Complexity