Adaptively Secure Multi-Party Computation from LWE (via Equivocal FHE)
Ivan Damgård (Aarhus University, Denmark), Antigoni Polychroniadou (Aarhus University, Denmark), Vanishree Rao (PARC, a Xerox Company)
Multi-Party Computation (MPC)
Parties P1,…,P4 hold private inputs x1,…,x4 and run a protocol π to compute f(x1, x2, x3, x4) = (y1, y2, y3, y4), with party Pi receiving yi.
Goal: Correctness: everyone computes f(x1,…,x4). Security: nothing else is revealed.
Adversary: unbounded or PPT; passive or active; static or adaptive.
Static vs. Adaptive Corruption
Static corruption: the adversary chooses the set of corrupted parties only at the onset of π.
Adaptive corruption: the adversary corrupts parties adaptively during the execution of π, based on what it has seen so far.
Why Adaptive Security?
Real adversaries are adaptive! Toy secret-sharing example: in protocol πSS the dealer's secret is split into shares s = (s1, s2, s3). A static adversary recovers the dealer's secret with negligible probability; an adaptive adversary always succeeds.
Modelling Communication
Synchronous network: communication proceeds in rounds, and every message sent in a round is received in the same round. Important measures: round complexity and communication complexity.
Motivating Question
Construct adaptively secure MPC protocols with minimal round complexity and low communication complexity (dependent only on the length of the inputs and outputs).
Known Results on Adaptive Security
Information-theoretic setting: [BGW88, CCD88] need O(depth_C) rounds. The impossibility result of [DNP15] shows that a novel approach must be found to construct O(1)-round protocols (that beat the complexities of BGW, CCD, GMW, etc.).
Cryptographic setting: up to n-1 corruptions: [CFGN96, DN03], [Bea98, BH92, KO04, DI05, DI06, DIKNS08], [IPS08, GS12, HP13]; up to n corruptions: [CLOS02, GS12, DMRV13, V14].
Round Complexity of Static vs. Adaptive MPC Protocols
Bounds on the round complexity of secure MPC:
CRS model: 2 rounds [HLP11].
Plain model: max(4, k+1) rounds given a k-round non-malleable commitment [GMPP16].
Static security: 2 rounds [MW15, GGHR14] in the CRS model; 4 rounds [HPW16] (improving upon 5 rounds [GMPP16]) in the plain model.
Adaptive MPC protocols by cryptographic assumption:
Crypto assumption | Adaptive MPC protocols
Semi-honest OT    | O(1) rounds¹ [IPS08]; O(depth_C) rounds² [CLOS02, GS12, DMRV13, V14]
LWE               | N/A before this work; this talk¹
iO                | 2 rounds² [GP15]
¹ n-1 adaptive corruptions. ² n adaptive corruptions.
Communication Complexity of Adaptive MPC Protocols
The communication complexity of all previous results grows with |C|. Goal: construct adaptively secure MPC using FHE techniques. [KTZ13] showed that adaptively secure FHE is impossible; hence n-1 corruptions is the best we can achieve based only on FHE, and we focus on n-1 corruptions.
The Goal - Our Result
Adaptively secure protocol π: n parties; up to n-1 corruptions; malicious & UC security; 3 rounds; communication complexity grows with |input| + |output|. We require a set-up assumption (UC security).
Our Results
LWE → Equivocal FHE (QFHE).
This talk: QFHE + UC NIZK → 3-round adaptive MPC.
LWE → adaptive UC commitments & ZKPoK.
AMD-code mechanism to replace the ZK proofs, so that the communication complexity is independent even of |C_DECRYPT| (the size of the decryption circuit).
Tools for our Protocol
Equivocal FHE (from LWE); adaptive UC NIZK/ZKPoK (from LWE); the static MPC-from-FHE blueprint [Gentry09]; adaptive UC commitments (from LWE); the AMD code mechanism.
Static MPC from FHE Blueprint
Setup (distributed key generation): parties P1,…,Pn agree on a common public key pk and perform n-out-of-n secret sharing of the secret key sk.
Private inputs: each Pi, i ∈ [n], holds input xi and key share ski.
1st round: each Pi generates ci = Enc_pk(xi) and broadcasts ci.
2nd round: each Pi runs the homomorphic evaluation to get C = Enc_pk(f(x1,…,xn)); the parties then decrypt C via distributed decryption to recover y = f(x1,…,xn).
(n,n-1)-distributed FHE
One public key for everyone; the secret key is secret-shared among the parties, with corruption threshold n-1. After distributed key generation (KGen), each Pi broadcasts Enc(xi).
(n,n-1)-distributed FHE: Distributed Decryption
(figure: each party applies its share of the secret key to the ciphertext ct; combining the partial decryptions yields the plaintext m)
Adaptive Simulation Challenges
Simulatability: simulate the messages of honest parties without knowledge of their inputs.
Equivocality: upon adaptive corruption, explain the transcript generated so far by computing consistent random coins.
General solutions: non-committing encryption [CFGN96] …, deniable encryption [… SW14]. (figure: the simulator SIM encrypts a dummy input and, on corruption, equivocates the ciphertext to the real input)
Static MPC from FHE Blueprint (revisited)
Setup (distributed key generation): parties P1,…,Pn agree on a common public key pk and n-out-of-n secret-share sk; each Pi, i ∈ [n], holds input xi and share ski.
1st round: each Pi generates ci = Enc_pk(xi) and broadcasts it. Problem: not adaptive: an ordinary ciphertext ci commits to xi, so the simulator cannot later explain a simulated ci as an encryption of the real input. Solution: construct Equivocal FHE.
2nd round: homomorphic evaluation gives C = Enc_pk(f(x1,…,xn)); distributed decryption of C recovers z = f(x1,…,xn).
Failed Attempt to build QFHE
FHE + NCE: SK is the secret key sk_FHE of an FHE scheme; PK is an FHE encryption of sk_NCE together with (pk_NCE, pk_FHE). This fails because NCE is interactive. Our solution is a weaker primitive than NCE.
Equivocal FHE (QFHE)
QFHE = (KeyGen, QEnc, Eval, Dec, KeyGen*, Equiv, Rand).
Properties of QFHE (informal):
Indistinguishability of equivocal keys: no adversary can distinguish (PK, SK) from (PK*, SK*), where (PK, SK) ← KeyGen(1^λ) and (PK*, SK*) ← KeyGen*(1^λ).
Indistinguishability of equivocation: no adversary can distinguish (m, c, r) from (m, c, e), where e = Equiv(PK*, SK*, c, m, r; u).
Ciphertext randomization (see later).
Special FHE Scheme
Properties of a special FHE scheme (informal): additive homomorphism over the random coins; E-hiding; invertible sampling.
Theorem (informal): let FHE be a special FHE scheme. Then QFHE = (KeyGen, QEnc, Eval, Dec, KeyGen*, Equiv, Rand) is an equivocal FHE scheme. We show that [BV11] is a special FHE scheme.
QFHE KeyGen(1^λ)
Let (KeyGen_FHE, Enc, Eval, Dec) be an IND-CPA secure FHE scheme and (pk, sk) ← KeyGen_FHE(1^λ).
PK = (pk, K, R) with K = Enc_pk(1; r_K) and R = Enc_pk(0; r_R); SK = sk.
QFHE KeyGen*(1^λ)
Let (pk*, sk*) ← KeyGen_FHE(1^λ).
PK* = (pk*, K*, R*) with K* = Enc_pk*(0; r_K*) and R* = Enc_pk*(1; r_R*); SK* = (sk*, r_K*, r_R*).
QFHE QEnc_PK(b, m; r), with PK = (pk, K, R)
Compute c_blind = Enc_pk(0; r_blind).
If b = 0: c = (m ⊙ K) ⊕ c_blind.
If b = 1: c = (m ⊙ R) ⊕ c_blind.
(⊙ is homomorphic multiplication of a ciphertext by a plaintext and ⊕ is homomorphic addition. Under honest keys K encrypts 1, so mode b = 0 encrypts m, while R encrypts 0, so mode b = 1 encrypts 0 regardless of m.)
QFHE Dec(SK, c)
Decrypt c with SK as in the underlying FHE scheme; in the protocol this is done via (n,n-1) distributed decryption.
QFHE Equiv(PK*, SK*, c, m, r0; u)
Given PK* = (pk*, K*, R*), SK* = (sk*, r_K*, r_R*) and a ciphertext c = QEnc_PK*(b, 0; r0):
Compute r_blind := r0 − m · r_K*, so that c = QEnc_PK*(b, m; r_blind); output r_state ← Inv(r_blind).
Check (additive homomorphism over the random coins): Enc_pk*(0; r_blind) = Enc_pk*(0; r0 − m · r_K*), hence
c = (m ⊙ Enc_pk*(0; r_K*)) ⊕ Enc_pk*(0; r0 − m · r_K*) = Enc_pk*(0; r0).
Our QFHE: CPA Security and E-Hiding
CPA security: (m ⊙ K) ⊕ c_blind = QEnc_PK(b, m; m · r_K + r_blind). Make sure that r_blind is large enough to dwarf m · r_K: draw r_blind ← D(1^λ) and r_K ← D'(1^λ) such that the noise of D(1^λ) is super-polynomially larger than the noise of D'(1^λ) (noise flooding).
The remaining properties: indistinguishability of equivocal keys; indistinguishability of equivocation; E-hiding: r_blind follows the right distribution (formula privacy).
Adaptive MPC from FHE (first attempt)
Setup (distributed key generation): parties P1,…,Pn agree on a common public key PK and perform n-out-of-n secret sharing of SK; each Pi, i ∈ [n], holds input xi and share ski.
1st round: each Pi generates ci = QEnc_PK(0, xi) and broadcasts it.
2nd round: homomorphic evaluation gives C = Enc_PK(f(x1,…,xn)); distributed decryption of C recovers z = f(x1,…,xn).
Problem in the simulation with PK*: extraction of the adversary's inputs. Under PK* the key K* encrypts 0, so QEnc_PK*(0, xi) carries no information about xi and the simulator cannot extract the adversary's inputs from the ciphertexts. Solution: use UC commitments + NIZK.
Adaptive MPC from FHE (second attempt)
Setup and private inputs as before.
1st round: each Pi generates ci = QEnc_PK(0, xi) and comi = Com(xi) and broadcasts them together with a NIZK proof.
2nd round: homomorphic evaluation gives C = Enc_PK(f(x1,…,xn)); distributed decryption of C recovers z = f(x1,…,xn).
Problem in the simulation: the simulator cannot force the output z to the value it receives from the ideal functionality. Solution: ciphertext randomization.
Adaptive MPC from QFHE: Final Protocol (trapdoor mode, simplified)
Setup (distributed key generation): parties P1,…,Pn agree on a common public key PK and perform n-out-of-n secret sharing of SK; each Pi, i ∈ [n], holds input xi and share ski.
1st round: each Pi generates and broadcasts ci = QEnc_PK(0, xi) and comi = Com(xi).
2nd round: each Pi runs the homomorphic evaluation to get C = Enc_PK(f(x1,…,xn)), generates a trapdoor-mode ciphertext C'i = QEnc_PK(1, yi; si) and broadcasts it; everyone computes CT = C ⊕ C'1 ⊕ … ⊕ C'n.
3rd round: decrypt CT via distributed decryption to recover z = f(x1,…,xn).
(Under honest keys R encrypts 0, so every C'i encrypts 0 and CT decrypts to f(x1,…,xn). Under the simulator's PK*, R* encrypts 1, so the simulator's own C'i can move the decrypted value to the output it needs to force.)
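The following is an added worked example, not code from the paper or the talk: it models both the static MPC-from-FHE blueprint with (n,n-1) distributed decryption and the QFHE construction (KeyGen, KeyGen*, QEnc, Equiv) with the 3-round trapdoor-mode protocol, so that the simulator-side behaviour can be checked by running it. Assumptions of the example: the FHE is replaced by a Regev-style scheme that is only additively homomorphic (so the only f evaluated is XOR of bits), parameters are toy-sized, random coins are integer vectors (so the invertible-sampling step Inv is the identity), partial decryptions add smudging noise (the slides do not specify how partial decryptions are protected), and the commitments, NIZKs and AMD codes of the real protocol are omitted. All function names and parameter values are this example's own.

```python
"""Toy model of the QFHE-based 3-round protocol (added example, not the paper's code).
Assumed: Regev-style additive-only scheme instead of FHE, toy parameters, integer coins,
smudging noise in partial decryptions, no commitments/NIZKs/AMD codes."""
import random

Q = 1 << 40        # ciphertext modulus
N = 16             # LWE secret dimension
M = 64             # public-key samples = length of the random coins r
B_BLIND = 1 << 20  # r_blind range, "much larger" than r_K (stands in for super-polynomial)
rng = random.Random(1)

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q

def fhe_keygen():
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    b = [(dot(row, s) + rng.choice((-1, 0, 1))) % Q for row in A]   # b = A s + e
    return (A, b), s

def fhe_enc(pk, m, r):
    """Enc_pk(m; r) = (r^T A, r^T b + m*Q/2): linear in r, which is the
    'additive homomorphism over random coins' the QFHE construction needs."""
    A, b = pk
    u = [sum(ri * A[i][j] for i, ri in enumerate(r)) % Q for j in range(N)]
    return (u, (dot(r, b) + m * (Q // 2)) % Q)

def ct_add(c1, c2):  # homomorphic addition = XOR of the encrypted bits
    return ([(x + y) % Q for x, y in zip(c1[0], c2[0])], (c1[1] + c2[1]) % Q)

def ct_scale(m, c):  # m (.) c for a plaintext bit m
    return ([(m * x) % Q for x in c[0]], (m * c[1]) % Q)

def decode(d):       # rounding step shared by Dec and distributed decryption
    return 1 if Q // 4 < d < 3 * Q // 4 else 0

def small_coins(): return [rng.choice((-1, 0, 1)) for _ in range(M)]
def blind_coins(): return [rng.randrange(-B_BLIND, B_BLIND + 1) for _ in range(M)]

# --- Equivocal FHE: KeyGen, KeyGen*, QEnc, Equiv ---------------------------
def qfhe_keygen():                 # honest keys: K encrypts 1, R encrypts 0
    pk, sk = fhe_keygen()
    return (pk, fhe_enc(pk, 1, small_coins()), fhe_enc(pk, 0, small_coins())), sk

def qfhe_keygen_star():            # equivocal keys: K* encrypts 0, R* encrypts 1
    pk, sk = fhe_keygen()
    rK, rR = small_coins(), small_coins()
    return (pk, fhe_enc(pk, 0, rK), fhe_enc(pk, 1, rR)), (sk, rK, rR)

def qenc(PK, flag, m, r_blind):    # QEnc_PK(b, m; r) = (m (.) K or R) (+) Enc(0; r)
    pk, K, R = PK
    return ct_add(ct_scale(m, K if flag == 0 else R), fhe_enc(pk, 0, r_blind))

def equiv(SK_star, m, r0):
    """Explain c = QEnc_PK*(0, 0; r0) as QEnc_PK*(0, m; r_blind) with r_blind = r0 - m*rK*.
    Exact by linearity of fhe_enc in r; Inv is the identity for integer coins here."""
    _, rK, _ = SK_star
    return [a - m * b for a, b in zip(r0, rK)]

# --- (n, n-1) distributed decryption ---------------------------------------
def share_key(sk, n):              # n-out-of-n additive sharing of sk
    shares = [[rng.randrange(Q) for _ in range(N)] for _ in range(n - 1)]
    shares.append([(sk[j] - sum(sh[j] for sh in shares)) % Q for j in range(N)])
    return shares

def partial_dec(share, c):         # each party publishes <u, sk_i> + smudging noise
    return (dot(c[0], share) + rng.randrange(-B_BLIND, B_BLIND + 1)) % Q

def combine(c, partials):          # v - sum_i <u, sk_i> = v - <u, sk> up to small noise
    return decode((c[1] - sum(partials)) % Q)

# --- the 3-round blueprint for f = XOR -------------------------------------
def run_protocol(PK, key_shares, inputs, ys=None):
    """ys are the y_i placed in the trapdoor-mode ciphertexts C'_i: inert under honest
    keys (R encrypts 0), but under PK* they let the simulator choose the output."""
    ys = ys or [0] * len(inputs)
    cts = [qenc(PK, 0, x, blind_coins()) for x in inputs]          # round 1: c_i
    C = cts[0]
    for c in cts[1:]:
        C = ct_add(C, c)                                           # round 2: Eval
    for y in ys:
        C = ct_add(C, qenc(PK, 1, y, blind_coins()))               # CT = C (+) C'_i
    return combine(C, [partial_dec(sh, C) for sh in key_shares])  # round 3

def demo(inputs=(1, 0, 1)):
    n = len(inputs)
    PK, sk = qfhe_keygen()
    PKs, SKs = qfhe_keygen_star()
    r0 = blind_coins()
    c = qenc(PKs, 0, 0, r0)        # simulator's dummy ciphertext (really encrypts 0)
    ys = [1] + [0] * (n - 1)
    return {
        "honest": run_protocol(PK, share_key(sk, n), list(inputs)),
        "honest_with_ys": run_protocol(PK, share_key(sk, n), list(inputs), ys),
        "forced": run_protocol(PKs, share_key(SKs[0], n), list(inputs), ys),
        "equiv_ok": qenc(PKs, 0, 1, equiv(SKs, 1, r0)) == c,
        "dummy_decrypts_to": combine(c, [partial_dec(SKs[0], c)]),
    }
```

Running demo() shows the three facts the slides rely on: under honest keys the C'_i change nothing and the XOR of the inputs comes out of distributed decryption; under PK* every first-round ciphertext encrypts 0 whatever the input (which is why extraction needs the commitments) and the decrypted value is exactly what the simulator put into its C'_i; and Equiv returns coins under which the dummy ciphertext is an exact encryption of m = 1, even though it decrypts to 0.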
Conclusion
We construct adaptively secure MPC protocols with minimal round complexity and low communication complexity (dependent only on the length of the inputs and outputs).
Open Problems
Construct constant-round adaptive MPC (even 2PC) where all the parties can be (passively) corrupted.
Open Problems (continued)
Can we get optimal-round static as well as adaptive MPC protocols from different/weaker assumptions?
Thank you