Presentation is loading. Please wait.

Presentation is loading. Please wait.

Multi-Party Computation: Second year

Published byÉmilie Aubé Modified over 6 years ago

Similar presentations

Presentation on theme: "Multi-Party Computation: Second year"— Presentation transcript:

1 Multi-Party Computation: Second year
Eduardo Soria Vázquez October 11, 2017

2 Eduardo Soria-Vázquez
A Year in a slide Conferences attended: Flagship: TCC 2016-B, Eurocrypt 2017. Domain-specific: TPMPC. Smaller Meetings: ECRYPT collaborative writing workshop, HEAT, Lattice Meeting (ENS Lyon). Talks given: TCC 2016-B, Lattice Meeting: More Efficient Constant-Round Multi-Party Computation from BMR and SHE. 3. Research visits: Thales UK, Bar-Ilan University. 4. Outreach: Digimakers (coming on 11th November, 2017) Eduardo Soria-Vázquez

3 Eduardo Soria-Vázquez
A Year in a slide 5. Papers: * ACNS 2017: Faster Secure Multi-Party Computation of AES and DES Using Lookup Tables. Joint work with Marcel Keller, Emmanuela Orsini, Dragos Rotaru, Peter Scholl and Srinivas Vivek. * ASIACRYPT 2017: Low Cost Constant Round MPC Combining BMR and Oblivious Transfer. Joint work with Carmit Hazay and Peter Scholl. * A submission to EUROCRYPT 2018 Eduardo Soria-Vázquez

4 Low Cost Constant Round MPC Combining BMR and Oblivious Transfer
Carmit Hazay, Peter Scholl, Eduardo Soria Vázquez October 11, 2017

5 Eduardo Soria-Vázquez
Overview What is MPC? Garbled Circuits: 2PC (Yao) vs MPC (BMR) Results: A compiler from binary MPC to BMR Robustness of Garbling in BMR Optimized Garbling with TinyOT Conclusion Eduardo Soria-Vázquez

6 Multi-Party Computation
=f( x1 , x2 , x3 , x4 ) Eduardo Soria-Vázquez

7 Multi-Party Computation
Adversaries participate in the protocol Protocol indistinguishable from the ideal one run by a Trusted Party Eduardo Soria-Vázquez

8 MPC setting in this talk
Model of Computation: Boolean circuit C Preprocessing phase Adversary: Static, malicious Dishonest majority Main focus: Constant rounds – Garbled Circuits Concrete efficiency Preprocessing corr. rand. Online Eduardo Soria-Vázquez

9 Starting point: garbled circuits for semi-honest 2-PC
[Yao86] Boolean circuit C Garble Input encoding protocol Encodings Eval Eduardo Soria-Vázquez

10 BMR: Everyone garbles (MPC) and evaluates (local computation)
[BeaverMicaliRogaway90] Boolean circuit C Garble Eval Inputs Input Encoding Local Generic MPC Can be any non-constant round protocol Eduardo Soria-Vázquez

11 Challenge in BMR: evaluate Garbling step in MPC, efficiently
Eduardo Soria-Vázquez

12 Comparison of approaches to BMR with active security
Protocol Based on Free XOR Main cost per gate BMR90 Generic MPC ZK proofs of PRG computation LPSY15 MPC in Fp 8n + 5 MPC mult. LSS16 SHE O(n2) ZK proofs of plaintext knowledge This talk OT + MPC in F2 1 MPC mult. in F2 (and [KRW17]) Eduardo Soria-Vázquez

13 Garbling an AND gate with Yao
u v w 1 u w v Eduardo Soria-Vázquez

14 Garbling an AND gate with Yao
u v w 1 Pick 2 random keys for each wire Eduardo Soria-Vázquez

15 Garbling an AND gate with Yao
Pick 2 random keys for each wire Encrypt the truth table of each gate Eduardo Soria-Vázquez

16 Garbling an AND gate with Yao
Pick 2 random keys for each wire Encrypt the truth table of each gate Randomly permute the entries Eduardo Soria-Vázquez

17 Eduardo Soria-Vázquez
Garbling in BMR Eduardo Soria-Vázquez

18 BMR has an MPC-friendly Garbling
Pick 2n random keys for each wire: Initially, party Pi gets keys Kiu,0 , Kiu,1. Next slides: Encrypt the truth table of each gate Randomly permute the entries Eduardo Soria-Vázquez

19 Encryption in BMR is straightforward
Input PRF keys and values Generic MPC: just XOR F is a double-key PRF, g is gate index. Next: Randomly permute the entries Eduardo Soria-Vázquez 19

20 Entire BMR Garbling (with Free-XOR)
Garbled AND gate is: Rj: Fixed string enabling Free-XOR, secret to party Pj: Observation (next slide): Mult. are bit/bit or bit/string only. [Ben-Efraim Lindell Omri 16] Secret permutation bits to shuffle entries Rj Eduardo Soria-Vázquez

21 Transforming any MPC to BMR (Constant rounds for Boolean Circ.)
For each AND gate: Input Rj MPC XOR Eduardo Soria-Vázquez

22 Transforming any MPC to BMR (Constant rounds for Boolean Circ.)
For each AND gate: 1 x F2 mult in MPC Consistency Check Input Rj n(n-1) COTs for bit/string mult. XOR Eduardo Soria-Vázquez

23 Robustness of Garbling in BMR
Eduardo Soria-Vázquez

24 BMR garbling is very robust to errors
Thought experiment with an adversary: Garble Encoding Eval Eduardo Soria-Vázquez

25 BMR garbling is very robust to errors
Intuition: Only possible break is to flip honest Pj‘s masked key: Negligible (guess Rj) if the mask was obtained from a suitable PRF We strengthen previous results (proofs) [LPSY15, KRW17]: Allowed incorrect PRF values, non-adaptively. Did not directly reduce to PRF security. Shares of garbling had to be authenticated (less efficient). Eduardo Soria-Vázquez

26 An optimized protocol for BMR: TinyOT
Eduardo Soria-Vázquez

27 Optimized variant based on TinyOT
Multi-party TinyOT protocol [FrederiksenKellerOrsiniScholl15] Efficient instantiation of binary MPC. Optimized in [KatzRanellucciWang17] Uses Correlated OT to create information-theoretic MACs MAC(x) = K + x R For shared bit x, and MAC key (K, R) Fix R to be the global difference in Free-XOR Bit/string products for free! Eduardo Soria-Vázquez

28 Optimized variant based on TinyOT
For each AND gate: 1 x F2 mult in MPC Consistency Check Input Rj n(n-1) COTs for bit/string mult. XOR Eduardo Soria-Vázquez

29 Comms. (MB) for 1 AES evaluation in efficient constant-round MPC
Ours: 3PC: 15 MB, 10PC: 67 MB MASCOT-BMR-FX: 3PC: 3.84 GB, 10PC: GB Eduardo Soria-Vázquez

30 Eduardo Soria-Vázquez
Conclusion Constant Rounds (Almost) For Free: Small, O(k) overhead on top of any protocol for binary circuits. Almost no overhead when using TinyOT. Improved security proof: Unauthenticated shares, better online. Open Problems: Can BMR garbling be optimized? Currently: 4nk bits + O(n2) PRF eval. How about TinyOT? Can we further tailor other MPC protocols for BMR garbling? Eduardo Soria-Vázquez

31 Eduardo Soria-Vázquez
Thank you! Low Cost, Constant Round MPC Combining BMR and Oblivious Transfer Carmit Hazay, Peter Scholl and Eduardo Soria-Vázquez Eduardo Soria-Vázquez

32 Eduardo Soria-Vázquez
Runtimes AES: AND gates. SHA-256: AND gates. AES (B=3) SHA-256 (B=3) Benchmark: 9 parties, 1 Gbps LAN, 2.3GHz Intel Xeon CPUs with 20 cores. Eduardo Soria-Vázquez

Download ppt "Multi-Party Computation: Second year"

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Yan Huang, David Evans, Jonathan Katz

Yan Huang, David Evans, Jonathan Katz
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)

On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.

New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.

Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
Insert presenter logo here on slide master. See hidden slide 4 for directions  Session ID: Session Classification: SEUNG GEOL CHOI UNIVERSITY OF MARYLAND.

Insert presenter logo here on slide master. See hidden slide 4 for directions  Session ID: Session Classification: SEUNG GEOL CHOI UNIVERSITY OF MARYLAND.

Similar presentations

Ads by Google