Secure Computation (Lecture 7-8) Arpita Patra

Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for reconstruction (any point on a d-degree poly can be written as the linear combination of (d+1) or more points on the polynomial) > Security: For any secret, the t shares generate a uniform distribution over F t p > Linearity (addition, multiplication by constant free) >> MPC for arithmetic circuit with semi-honest i.t security > Honest majority > The protocol > Simulator > Indistinguishability proof

Secure Circuit Evaluation x1x1 x2x2 x3x3 x4x4     c y

    y 3

1.(n, t)- secret share each input    

Secure Circuit Evaluation     Find (n, t)-sharing of each intermediate value 1.(n, t)- secret share each input 3

Secure Circuit Evaluation     Find (n, t)-sharing of each intermediate value 1.(n, t)- secret share each input

Secure Circuit Evaluation     Linear gates: Linearity of Shamir Sharing - Non-Interactive Find (n, t)-sharing of each intermediate value 1.(n, t)- secret share each input

Secure Circuit Evaluation     Non-linear gate: Require degree- reduction Technique. Interactive Find (n, t)-sharing of each intermediate value 1.(n, t)- secret share each input Linear gates: Linearity of Shamir Sharing - Non-Interactive

Secure Multiplication Gate Evaluation x2x2 x3x3 x n x1x1 P1P1 P2P2 PnPn P3P3 y2y2 y3y3 y n y1y1 x y x 1  y 1 = z 1 x 2  y 2 = z 2 x 3  y 3 =z 3 x n  y n = z n xy xy f(x) = f 1 (x)  f 2 (x) of degree 2t f 1 (x) f 2 (x) Recombination Vector (r 1, …,r n ) where

Secure Multiplication Gate Evaluation x2x2 x3x3 x n x1x1 P1P1 P2P2 PnPn P3P3 y2y2 y3y3 y n y1y1 x y x 1  y 1 = z 1 x 2  y 2 = z 2 x 3  y 3 =z 3 x n  y n = z n xy xy z1z1 z2z2 z3z3 znzn Shamir-share f 1 (x) f 2 (x) Shamir-share Recombination Vector (r 1, …,r n ) r 1 z r n z n xyxy f(x) = f 1 (x)  f 2 (x) of degree 2t

Secure Circuit Evaluation     Reconstruct the Shamir-sharing of the output by exchanging shares with each other 3 Non-linear gate: Require degree- reduction Technique. Interactive 2. Find (n, t)-sharing of each intermediate value 1.(n, t)- secret share each input Linear gates: Linearity of Shamir Sharing - Non-Interactive Correctness: Easy

Real World View of Adversary 3. Output Reconstruction: Shares of the honest parties corresponding to output y 2. Input-sharing and multiplication gate computation: t shares of input/product share of honest parties 1. At the outset: Input and random coins {{View Real i } Pi in C } – Random Variable 3. Output Reconstruction: Given his shares of the output and output, adv can computes shares of the honest parties corresponding to output y (using Lagrange’s interpolation) 2. Input-sharing and multiplication gate computation: t values distributed uniformly at random from F t p (irrespective of what values is shared) 1. At the outset: Input Leaks nothing beyond inputs /outputs of corrupted parties

Simulator and Indistinguisahbility 3. Output Reconstruction: Given the shares of the corrupted parties (which it knows) and y compute shares of the honest parties corresponding to output y and send them to the adv. 2. Input-sharing and multiplication gate computation: Sample t random shares and give to adv on behalf of the honest parties 1. At the outset: Input, output (of corrupted parties) and random coins {{View Ideal i } Pi in C } – Random VariableGenerated using inputs /outputs of corrupted parties Step 2 simulation is perfect: The t shares can be seen in both worlds with same probability Step 3 simulation is perfect too!: Given t shares of corrupted parties and y, the shares of the honest parties are unique in both the worlds.

Efficiency 4. Output Reconstruction: O(n) |F p | bits 2. Addition Gate: NIL 1. Input: O(n) |F p | bits Communication Complexity: O(c I n + c M n 2 + c O n 2 ) |F p | bits 3. Multiplication gate computation: O(n 2 ) |F p | bits No. of Input Gate: c I No. Addition Gates: c A No. Multiplication Gates: c M No. Output Gates: c O Goal: O(c I n + c M n + c O n) |F p | bits Round Complexity: O(d); d = multiplicative depth of the circuit Goal: Constant? Yes (restricted class of circuits/exponential computation: two papers) In computational setting it is possible for any function with poly power

Offline/Online Paradigm >> Online Phase: >> Offline Phase: No knowledge of inputs and function to be computed is needed Create Shamir sharings where the secrets are “related” in some way Is not expected to be very efficient Use the the raw material created in offline phase to compute the agreed function on the parties private inputs. Expected to be blazing fast Will use sharing of secrets as well. Will use only secret reconstruction >> Communication Complexity: Offline + Online Complexity

Secure Circuit Evaluation 3. Open output by Reconstruction algorithm 2. Find (n, t)-sharing of each intermediate value 1.(n, t)- secret share each input Linear gates: Linearity of Shamir Sharing - Non-Interactive Non-linear gate: Require degree- reduction Technique. Interactive Reduction to two reconstructions Reduction to one reconstruction >> Raw Material: (n,t)-shamir sharing of a random and secret value >> Raw Material: (n,t)-sharing of three values (a,b,c), s.t.a,b,c are random and secret and c = ab

Input Sharing Using One Reconstruction r2r2 r3r3 r n r1r1 P1P1 P2P2 PnPn P3P3 r PiPi Apply reconstruction (Lagrange’s Interpolation) x

Input Sharing Using One Reconstruction P1P1 P2P2 PnPn P3P3 x + r PiPi r2r2 r3r3 r n r1r1 x + r Communication Complexity = : O(c I n) |F p | bits

    3 Don Beaver CRYPTO 91 Beaver’s Circuit-randomization Technique for Multiplication

    3 a b a  b Multiplication Triple Beaver’s Circuit-randomization Technique for Multiplication Offline Oracle

    Multiplication Triple Ex: Beaver’s Circuit-randomization Technique for Multiplication

    Multiplication Triple Ex: Beaver’s Circuit-randomization Technique for Multiplication

    Multiplication Triple Ex: Beaver’s Circuit-randomization Technique for Multiplication

    3 a b a  b Multiplication Triple Beaver’s Circuit-randomization Technique for Multiplication

    3 a b a  b Random and Private a, b Beaver’s Circuit-randomization Technique for Multiplication Multiplication Triple

   x y  3 a b a  b Two reconstructions Linear operations Random and Private a, b Independent of the multiplication gate Beaver’s Circuit-randomization Technique for Multiplication

Beaver’s Circuit Randomization Technique xy = ((x-a) +a)((y-b)+b) = ( α + a)(β + b) = ab + α b + β a + α β α = x-aβ = y-b xy b ab = + α a + β + α β >> Write xy as linear combination of a  b, a, b where the combiners will be publicly known and do not leak any information about x and y. >> We can combine sharing of a  b, a, b using the combiners to get sharing of xy

x x 2 x3x3 Beaver’s Circuit Randomization Technique P1P1 P2P2 P3P3 PnPn x n b1 b1 b 2 b3b3 b n x 1 b x-a y y 2 y3y3 y n y 1 a1 a1 a 2 a3a3 a n a c1 c1 c 2 c3c3 c n c x1-a1x1-a1 x2-a2x2-a2 x3-a3x3-a3 xn-anxn-an y-b y1-b1y1-b1 y2-b2y2-b2 y3-b3y3-b3 yn-bnyn-bn α = x-a β = y-b Reconstruct

x x 2 x3x3 Beaver’s Circuit Randomization Technique P1P1 P2P2 P3P3 PnPn x n b1 b1 b 2 b3b3 b n x 1 b xy y y 2 y3y3 y n y 1 a1 a1 a 2 a3a3 a n a c1 c1 c 2 c3c3 c n c c 1 + α b 1 + β a 1 + α β α = x-a β = y-b xy = ((x-a) +a)((y-b)+b) = ( α + a)(β + b) = ab + α b + β a + α β c 2 + α b 2 + β a 2 + α β c 3 + α b 3 + β a 3 + α β c n + α b n + β a n + α β

Let c M be the number of multiplication gates in the circuit  3    x1x1 x2x2 x3x3 x4x4 Secure Circuit Evaluation Using Beaver Circuit Randomization

Let c M be the number of multiplication gates in the circuit  3    x1x1 x2x2 x3x3 x4x4 Secure Circuit Evaluation Using Beaver Circuit Randomization Ask triple-oracle for c M multiplication triples

 3    x1x1 x2x2 x3x3 x4x Secure Circuit Evaluation Using Beaver Circuit Randomization Let c M be the number of multiplication gates in the circuit Ask triple-oracle for c M multiplication triples

 3    Secure Circuit Evaluation Using Beaver Circuit Randomization

 3   

Secure Circuit Evaluation Using Beaver Circuit Randomization  3   

 3   

Secure Circuit Evaluation Using Beaver Circuit Randomization  3   

Secure Circuit Evaluation Using Beaver Circuit Randomization  3   

Secure Circuit Evaluation Using Beaver Circuit Randomization  3   

Beaver’s Trick- Offline-online Paradigm Triple generation parallelizable  efficiency (amortization) Offline Phase: Sitting Idle, Generate as many shared triples as possible---raw data Online Phase: Use the raw data for circuit evaluation. On the contrary, multiplications gates can not be evaluated in parallel

Reconstruction of Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries x2x2 x3x3 x n x1x1 P1P1 P2P2 PnPn P3P3 PiPi The same is done for all P i Communication Complexity (CC): O(n 2 ) Lagrange’s Interpolation

Efficient Reconstruction of (n,t)- Shamir for Semi-honest Adversaries >> Can we do better? O(n) Easy ……Because we are assuming semi-honest adversaries. Online Complexity = : O(c I n + c M n + c O n) |F p | bits x2x2 x3x3 x n x1x1 P1P1 P2P2 PnPn P3P3 P1P1 x P1P1 P2P2 PnPn P3P3 x xx x

Online Complexity How efficiently can we reconstruct a shared secret? s Reconstruction cost of one shared secret = Cost Per Multiplication / Input / Output (asymptotically)

Offline Complexity >> Task 1: Generation of Secret Sharing. > a,b,c are secret shared using LSSS > a, b, c random and secret > c = ab a b c Generation of (c M + c I ) shared, random, secret multiplication triples >> Task 2: Generation of Secret Sharing where the secret is random and secret- different from the previous task >> Task 3: Generation of Sharing of random, secret, multiplication triple ✓ CC of Task 1: O(n)

>> Each party Shamir share a random value a 1 a 2 a 3 Generation of Sharing for random secret P1P1 P2P2 P3P3 PnPn a n >> Pick any sharing- does this work? >> Randomness extractor on (a 1, …..a n ) >> Simplest Randomness Extractor: Addition a 1 +a 2 +…..+a n >> Sharing of a value that is random and secret >> Inefficient: n-t random and secret values among a’s but we had extracted just one.

a 1 a 2 a 3 Efficient Randomness Extractor P1P1 P2P2 P3P3 PnPn a n >> Assume a 1,….a n are n points of a polynomial of degree n-1, f(x) >> These are all random >> t out of a 1,….a n are known to adversary and may be non-random (n-t) points are randomly chosen and t points may be non-random and known to the adv. >> Consider any (n-t) points on f(x) at x that are different from {1,..n,}, say f(n+1), ……f(n+n-t) f(1) = a 1. f(n) = a n

Efficient Randomness Extractor f (a1,….at) : F n-t  F n-t >> Choose (n-t) points at random >> Use n points to define a poly f(x) of degree at most n-1. >> Evaluate f(x) at n+1,…(n+n-t) >> The mapping is a bijection. >> Since we have uniform distribution in the domain (uniform over F n-t ), we get the same on the range.

a 1 a 2 a 3 Efficient Randomness Extractor P1P1 P2P2 P3P3 PnPn a n >> Assume a 1,….a n are n points of a polynomial of degree n-1, f(x) >> f(n+1), ……f(n+n-t) are random. f(1) = a 1. f(n) = a n f(n+1) = a n+1. f(2n-t) = a 2n –t a n+1 a n+2 a n+3 a 2n-t >> We need to find Shamir-sharing of a n+1,….., a 2n-t >> Just Local computation: Lagrange’s Magic formula

a 1 a 2 a 3 Efficient Randomness Extractor P1P1 P2P2 P3P3 PnPn a n >> Assume a 1,….a n are n points of a polynomial of degree n-1, f(x) >> f(n+1), ……f(2n-t) are random. f(1) = a 1. f(n) = a n f(n+1) = a n+1. f(2n-t) = a 2n –t a n+1 a n+2 a n+3 a 2n-t How many random values have we extracted? n-t Amortized CC of generating one sharing of a random secret value is (Task 2): O(n)

Offline Complexity >> Task 1: Generation of Secret Sharing. > a,b,c are secret shared using LSSS > a, b, c random and secret > c = ab a b c Generation of (c M + c I ) shared, random, secret multiplication triples >> Task 2: Generation of Secret Sharing where the secret is random and secret- different from the previous task >> Task 3: Generation of Sharing of random, secret, multiplication triple ✓ CC of Task 1: O(n) ✓ CC of Task 2: O(n)

a a 2 a 3 Generating Sharing of Multiplication Triple P1P1 P2P2 P3P3 PnPn a n b1 b1 b 2 b3b3 b n Sharing of random and secret values a 1 b ab Multiplication Protocol CC: O(n 2 )

Offline Complexity >> Task 1: Generation of Secret Sharing. > a,b,c are secret shared using LSSS > a, b, c random and secret > c = ab a b c Generation of (c M + c I ) shared, random, secret multiplication triples >> Task 2: Generation of Secret Sharing where the secret is random and secret- different from the previous task >> Task 3: Generation of Sharing of random, secret, multiplication triple ✓ CC of Task 1: O(n) ✓ CC of Task 2: O(n) Multiplication Protocol CC of Task 3: O(n 2 ) ✓ Offline CC: O(n 2 c M + n c I ) |F| bits.

Complexity Offline complexity: O( c M n 2 + n c I ) |F| bits. Total Complexity: O(c I n + c M n 2 + c O n) |F p | bits Online Complexity: O(c I n + c M n + c O n) |F p | bits Is there a way to generate triple sharing with O(n) complexity? Yes with n>=3t+1 perfect security (active adversary) Yes but with statistical security!

Secure Circuit Evaluation 3. Open output by Reconstruction algorithm 2. Find (n, t)-sharing of each intermediate value 1.(n, t)- secret share each input Linear gates: Linearity of Shamir Sharing - Non-Interactive Non-linear gate: Require degree- reduction Technique. Interactive Reduction to one reconstruction >> Raw Material: (n,t)-shamir sharing of a random value >> Raw Material: (n,2t)-sharing and (n,t)-sharing of a random value

x x 2 x3x3 How to use Raw data for Multiplication P1P1 P2P2 P3P3 PnPn x n a1 a1 a 2 a3a3 a n x 1 a xy-a y y 2 y3y3 y n y 1 A1 A1 A 2 A3A3 An An a x1y1-A1x1y1-A1 x2y2-A2x2y2-A2 x3y3-A3x3y3-A3 xnyn-Anxnyn-An Reconstruct xy-aNo security breach since xy is blinded with random a + xy-a xy Online Complexity = : O(c I n + c M n + c O n) |F p | bits

Offline Complexity >> Task 1: Generation of (n,2t) and (n,t)-secret Sharing. > a is (n,2t)-shared and (n,t)-shared > a random and secret a a Generation of (c M + c I ), (n,(2t,t))-secret sharing of random and secret values >> Task 2: Generation of Secret Sharing where the secret is random and secret- different from the previous task ✓ CC of Task 1: O(n) ✓ CC of Task 2: O(n) (amortized)

a 1 a 2 a 3 Efficient Randomness Extractor P1P1 P2P2 P3P3 PnPn a n >> Assume a 1,….a n are n points of a polynomial of degree n-1, f(x) >> f(n+1), ……f(2n-t) are random. f(1) = a 1. f(n) = a n f(n+1) = a n+1. f(2n-t) = a 2n –t a n+1 a n+2 a n+3 a 2n-t How many random values have we extracted? n-t Amortized CC of generating one sharing of a random secret value is (Task 2): O(n)

Complexity- Linear Overhead MPC Offline complexity: O(n c M + n c I ) |F| bits. Total Complexity: O(c I n + c M n + c O n) |F p | bits Online Complexity: O(c I n + c M n + c O n) |F p | bits First CT Topic: >> Various possible raw data >> Ways of generating them.

Computationally Secure Protocol in Honest Majority Settings >> A1: Secure channel model relaxation. >> A2: Constant Round protocol possible CT Topic 2: [CDN01] Multiparty Computation from Threshold Homomorphic Encryption [Link: First protocol to present O(n) overhead MPC with n>=2t+1 (active) After 12 looooooong years: First protocol with O(n) overhead MPC with n>=2t+1 in i.t. setting [BFO12] (active).