Multi-Party Computation: Second year
Eduardo Soria-Vázquez, October 11, 2017
A Year in a slide
1. Conferences attended. Flagship: TCC 2016-B, Eurocrypt 2017. Domain-specific: TPMPC. Smaller meetings: ECRYPT collaborative writing workshop, HEAT, Lattice Meeting (ENS Lyon).
2. Talks given: TCC 2016-B, Lattice Meeting: More Efficient Constant-Round Multi-Party Computation from BMR and SHE.
3. Research visits: Thales UK, Bar-Ilan University.
4. Outreach: Digimakers (coming on 11th November, 2017).
5. Papers:
* ACNS 2017: Faster Secure Multi-Party Computation of AES and DES Using Lookup Tables. Joint work with Marcel Keller, Emmanuela Orsini, Dragos Rotaru, Peter Scholl and Srinivas Vivek.
* ASIACRYPT 2017: Low Cost Constant Round MPC Combining BMR and Oblivious Transfer. Joint work with Carmit Hazay and Peter Scholl.
* A submission to EUROCRYPT 2018.
Low Cost Constant Round MPC Combining BMR and Oblivious Transfer
Carmit Hazay, Peter Scholl, Eduardo Soria-Vázquez, October 11, 2017
Overview
- What is MPC?
- Garbled Circuits: 2PC (Yao) vs MPC (BMR)
- Results: a compiler from binary MPC to BMR; robustness of garbling in BMR; optimized garbling with TinyOT
- Conclusion
Multi-Party Computation
Figure: parties holding private inputs x1, x2, x3, x4 jointly compute f(x1, x2, x3, x4).
Multi-Party Computation
Adversaries participate in the protocol. The protocol must be indistinguishable from the ideal one run by a Trusted Party.
MPC setting in this talk
- Model of computation: Boolean circuit C, with a preprocessing phase (correlated randomness) followed by an online phase.
- Adversary: static, malicious; dishonest majority.
- Main focus: constant rounds (garbled circuits) and concrete efficiency.
Starting point: garbled circuits for semi-honest 2-PC
[Yao86]. Figure: Boolean circuit C -> Garble; input encoding protocol -> Encodings; Eval.
BMR: Everyone garbles (MPC) and evaluates (local computation)
[BeaverMicaliRogaway90]. Figure: Boolean circuit C -> Garble (generic MPC; can be any non-constant-round protocol); Inputs -> Input Encoding; Eval (local computation).
Challenge in BMR: evaluate Garbling step in MPC, efficiently
Comparison of approaches to BMR with active security
Protocol                  Based on           Free XOR   Main cost per gate
BMR90                     Generic MPC                   ZK proofs of PRG computation
LPSY15                    MPC in F_p                    8n + 5 MPC mult.
LSS16                     SHE                           O(n^2) ZK proofs of plaintext knowledge
This talk (and [KRW17])   OT + MPC in F_2               1 MPC mult. in F_2
(The Free XOR marks of the slide were not preserved in the transcript.)
Garbling an AND gate with Yao
Figure: an AND gate with input wires u, v and output wire w, and its truth table.
1. Pick 2 random keys for each wire.
2. Encrypt the truth table of each gate.
3. Randomly permute the entries.
Garbling in BMR
BMR has an MPC-friendly Garbling
Pick 2n random keys for each wire: initially, party P_i gets keys K^i_{u,0}, K^i_{u,1}. Next slides: encrypt the truth table of each gate; randomly permute the entries.
Encryption in BMR is straightforward
Input the PRF keys and values; in generic MPC the encryption step is just XOR. F is a double-key PRF and g is the gate index. Next: randomly permute the entries.
Entire BMR Garbling (with Free-XOR)
Garbled AND gate (formula on slide). R_j is a fixed string enabling Free-XOR, secret to party P_j [Ben-Efraim Lindell Omri 16]; secret permutation bits shuffle the entries. Observation (next slide): the multiplications are bit/bit or bit/string only.
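As an added example (not code from the talk or its authors), the single-garbler version of the structure on the Yao slides above and on this slide: two keys per wire, Free-XOR keys K_w,1 = K_w,0 xor R, truth-table rows encrypted with a double-key PRF F(K_u, K_v, g) and placed according to secret permutation bits (point-and-permute). It assumes HMAC-SHA256 as the PRF and 16-byte keys; in BMR each party P_j would hold its own R_j and key shares instead of one garbler holding everything.

```python
import hmac
import secrets

KEYLEN = 16  # bytes per wire key (assumed security parameter)

def prf(k_u, k_v, g):
    # Double-key PRF F(K_u, K_v, g); instantiated here (an assumption) as HMAC-SHA256 keyed by K_u||K_v
    return hmac.new(k_u + k_v, g.to_bytes(4, "big"), "sha256").digest()[:KEYLEN]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def row(ku, kv):
    return 2 * (ku[-1] & 1) + (kv[-1] & 1)  # table row pointed at by the keys' low (select) bits

class Garbler:
    def __init__(self):
        # Free-XOR offset R (secret to the garbler); low bit forced to 1 so lsb(K_w,0) is the wire's random permutation bit
        self.R = secrets.token_bytes(KEYLEN - 1) + bytes([secrets.randbits(8) | 1])
        self.keys = {}

    def new_wire(self, w, k0=None):
        k0 = k0 or secrets.token_bytes(KEYLEN)  # key encoding 0 (random, or derived for XOR gates)
        self.keys[w] = (k0, xor(k0, self.R))    # key encoding 1 = K0 xor R (Free-XOR)

    def garble_xor(self, u, v, w):
        # Free-XOR gate: no ciphertexts at all; K_w,(x xor y) = K_u,x xor K_v,y for every x, y
        self.new_wire(w, xor(self.keys[u][0], self.keys[v][0]))

    def garble_and(self, g, u, v, w):
        # Encrypt the 4 truth-table rows of AND gate g; the secret permutation bits fix each row's slot
        self.new_wire(w)
        table = [None] * 4
        for x, y in ((0, 0), (0, 1), (1, 0), (1, 1)):
            ku, kv = self.keys[u][x], self.keys[v][y]
            table[row(ku, kv)] = xor(prf(ku, kv, g), self.keys[w][x & y])
        return table

def eval_and(g, table, ku, kv):
    # Evaluator: its two keys' select bits identify the single row it can decrypt
    return xor(prf(ku, kv, g), table[row(ku, kv)])

def check_gate_correctness():
    # Constructed check: garble w = AND(u, v) and t = XOR(u, v), then evaluate all four input pairs
    gb = Garbler()
    gb.new_wire("u"), gb.new_wire("v")
    table = gb.garble_and(7, "u", "v", "w")
    gb.garble_xor("u", "v", "t")
    return all(eval_and(7, table, gb.keys["u"][x], gb.keys["v"][y]) == gb.keys["w"][x & y]
               and xor(gb.keys["u"][x], gb.keys["v"][y]) == gb.keys["t"][x ^ y]
               for x in (0, 1) for y in (0, 1))
```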
Transforming any MPC to BMR (Constant rounds for Boolean Circ.)
Figure: for each AND gate, input R_j, run the multiplications in MPC, XOR.
For each AND gate: 1 multiplication in F_2 inside MPC; a consistency check; input of R_j; n(n-1) COTs for the bit/string multiplications; XOR.
Robustness of Garbling in BMR
BMR garbling is very robust to errors
Thought experiment with an adversary. Figure: Garble -> Encoding -> Eval.
Intuition: the only possible break is to flip an honest P_j's masked key, which is negligible (it requires guessing R_j) if the mask was obtained from a suitable PRF.
We strengthen previous results (proofs) [LPSY15, KRW17], which:
- allowed incorrect PRF values only non-adaptively;
- did not directly reduce to PRF security;
- required the shares of the garbling to be authenticated (less efficient).
An optimized protocol for BMR: TinyOT
Optimized variant based on TinyOT
Multi-party TinyOT protocol [FrederiksenKellerOrsiniScholl15]: an efficient instantiation of binary MPC, optimized in [KatzRanellucciWang17]. It uses correlated OT to create information-theoretic MACs, MAC(x) = K + x R, for a shared bit x and MAC key (K, R). Fix R to be the global difference in Free-XOR: bit/string products for free!
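An added example (not the protocol's own code) of the MAC structure just described, generalized to n parties the way multi-party TinyOT does it: for every ordered pair (i, j), P_i holds M_{i,j} = K_{j,i} xor x_i·R_j on its share x_i and P_j holds (K_{j,i}, R_j); opening checks every MAC, and because R_j is also P_j's Free-XOR offset, XOR-shares of the bit/string product x·R_j fall out of the MAC material with no interaction. Assumptions: 16-byte keys, and the correlated-OT step is replaced by directly sampling the correlation.

```python
import secrets

KAPPA = 16  # bytes of each party's global key R_j (assumed security parameter)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def times(bit, s):
    return s if bit else bytes(len(s))  # bit/string product bit * s

class Party:
    def __init__(self, idx):
        self.idx, self.share = idx, 0
        self.R = secrets.token_bytes(KAPPA)  # global difference R_j: part of every MAC key and the Free-XOR offset
        self.keys = {}  # K_{j,i}: keys this party (as j) holds on the other parties' shares
        self.macs = {}  # M_{i,j}: MACs this party (as i) holds on its own share, checkable by party j

def authenticate(parties, shares):
    # Stands in for correlated OT (assumption: the OT protocol itself is not simulated). For every ordered
    # pair (i, j), P_j samples K_{j,i} and P_i obtains M_{i,j} = K_{j,i} xor x_i * R_j without learning R_j.
    for pi, x in zip(parties, shares):
        pi.share = x
        for pj in parties:
            if pj is not pi:
                pj.keys[pi.idx] = secrets.token_bytes(KAPPA)
                pi.macs[pj.idx] = xor(pj.keys[pi.idx], times(x, pj.R))

def open_and_check(parties):
    # P_i reveals (x_i, M_{i,j}); P_j accepts only if M_{i,j} == K_{j,i} xor x_i * R_j. Returns the
    # reconstructed bit, or None if a check fails: a changed x_i would need M_{i,j} xor R_j, i.e. guessing R_j.
    for pj in parties:
        for pi in parties:
            if pi is not pj and pi.macs[pj.idx] != xor(pj.keys[pi.idx], times(pi.share, pj.R)):
                return None
    return sum(p.share for p in parties) % 2

def product_shares(parties, j):
    # XOR-shares of x * R_j with no interaction: for i != j, M_{i,j} xor K_{j,i} = x_i * R_j, so P_i
    # contributes M_{i,j} and P_j contributes x_j * R_j xor (all of its keys K_{j,i}).
    pj = parties[j]
    own = times(pj.share, pj.R)
    for pi in parties:
        if pi is not pj:
            own = xor(own, pj.keys[pi.idx])
    return [own if p is pj else p.macs[pj.idx] for p in parties]
```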
For each AND gate (same diagram as in the generic compiler): 1 multiplication in F_2 inside MPC; a consistency check; input of R_j; n(n-1) COTs for the bit/string multiplications; XOR.
Comms. (MB) for 1 AES evaluation in efficient constant-round MPC
Ours: 3PC: 15 MB; 10PC: 67 MB.
MASCOT-BMR-FX: 3PC: 3.84 GB; 10PC: GB.
Conclusion
- Constant rounds (almost) for free: a small, O(k) overhead on top of any protocol for binary circuits, and almost no overhead when using TinyOT.
- Improved security proof: unauthenticated shares, better online phase.
- Open problems: Can BMR garbling be optimized? Currently it costs 4nk bits + O(n^2) PRF evaluations. How about TinyOT? Can we further tailor other MPC protocols for BMR garbling?
Thank you! Low Cost, Constant Round MPC Combining BMR and Oblivious Transfer. Carmit Hazay, Peter Scholl and Eduardo Soria-Vázquez.
Runtimes. AES: AND gates. SHA-256: AND gates. Figure: runtimes for AES (B=3) and SHA-256 (B=3). Benchmark: 9 parties, 1 Gbps LAN, 2.3 GHz Intel Xeon CPUs with 20 cores.