1. Homomorphic Secret Sharing Yuval Ishai Technion
Crypto Innovation School, November 2018

2. Primitives Assumptions 1970 1980 1990 2000 2010 PKE Factoring
Discrete Log
Signatures ZK OT
Secure Computation
We heard about Glorious 1980s, which for personal reasons I’d like to think of them as the glorious 20th century
Lucky streak
CRYPTO

3. Minimize communication? Minimize interaction?
Primitives
Assumptions
PKE
Factoring
Discrete Log
Signatures ZK OT
Secure Computation
These are qualitative questions, not quantitative ones.
Minimize communication?
Minimize interaction?
Minimize local computation?

4. Primitives Assumptions 1970 1980 1990 2000 2010 PKE Factoring
Discrete Log
Signatures ZK OT
Secure Computation
Lattices: initially motivated by avg-case to worst case and post-quantum, then led to FHE that both as a primitive and the underlying technique led to an explosive growth of the field. IO FE
IBE
ABE
Bilinear Maps
FHE
Lattices

5. Fully Homomorphic Encryption [RAD79,Gen09]
Dec
P(x) sk
Function Privacy
Eval
[P(x)] P
Compactness:
|Dec|<< |P|
[x]
Enc x pk sk

6. State of the FHE The good The not so good Huge impact on the field
Solid foundations [BV11,GSW13,…]
Major progress on efficiency [BGV12,HS15,DM15,CGGI16,…]
The not so good
Narrow set of assumptions and underlying structures, all related to lattices
Susceptible to lattice reduction attacks and other attacks
Concrete efficiency still leaves much to be desired
Given a generic group G:
Unconditionally secure PKE and even secure computation
Not known to be helpful for FHE

7. IN SOME SENSE DIFFERENT
Better => different => in some sense better => an

8. Recall: FHE
Dec
P(x) sk
Eval
[P(x)] P
[x]
Enc x pk

9. “1/2 FHE” Dec Eval Enc P(x) sk [x]1 x pk [P(x)]1 P [P(x)]2 [x]2
Only problem is that Vinos likes this name so much that he starts applying the one-half modifiers to other primitives.
computationally
hides x
computationally
hides x

10. (2-Party) Homomorphic Secret Sharing
P(x)
Dec 
Eval
[P(x)]1 P
Eval
[P(x)]2 P
We can view these ciphertexts as shares like a standard secret sharing scheme, and we no longer need keys.
(Let’s get rid of the bloody keys)
[x]1
[x]2
Share x

11. (2-Party) Homomorphic Secret Sharing
P(x)
Dec +
Eval
[P(x)]1 P
Eval
[P(x)]2 P
More generally, we can view the output as living in some abelian group and use addition.
[x]1
[x]2
Share x

12. Other HSS Variants More than 2 shares: (m,t)-HSS
Non-trivial information-theoretic HSS when m>2t
Implicit in best known information theoretic PIR and locally decodable codes [Yek07,Efr09,BIKO12]
General compact output
Compact HSS for low-degree polynomials [BI01,WY05,CF15,LMS18]
Multiple inputs
Public/secret key HSS
HSS taxonomy in [Boyle-Gilboa-I-Lin-Tessaro18]
IT HSS for rich class of functions implies good LDC

13. HSS vs. FHE HSS is generally weaker… … but has some advantages
2 (or more) shares vs. single ciphertext
Non-collusion assumption
… but has some advantages
Ultimate output compactness
Efficient and public decoding
Can aggregate many outputs
Add up outputs of many different computations, on inputs that come from different sources who don’t share a key and don’t trust each other.

14. Delegating Computations to the Cloud
Applications
Delegating Computations to the Cloud
FHE
HSS
[x]1
[x]2
[x]
Bonus features:
Multiple clients
Useful also for small P
P(x)
[P(x)]2
[P(x)]1
[P(x)]  sk
P(x)

15. Communication complexity of securely computing C?
Applications
Communication complexity of securely computing C?
(a,b) C
C(a,b)
Classically: > |C| [Yao86,GMW87,BGW88,CCD88,…] … even for restricted classes, such as formulas
Using FHE: ~ |input|+|output|

16. Succinct Secure Computation
Applications
Succinct Secure Computation
FHE
HSS
[a] sk a b a b
HSS can do better when the outputs are long, e.g., generating correlated randomness from a short seed.
[Cb(a)]
[(a,b)]1
[(a,b)]2
C(a,b)
Eval
Bonus features:
Beats FHE for long outputs
Useful for generating correlations [BCGIO17,BCGI18]
[C(a,b)]1
[C(a,b)]2
C(a,b)

17. Worst-case to average-case reductions
Applications
Worst-case to average-case reductions
Goal: reduce f(x) to g(x1), g(x2) where:
if f is boolean then so is g
x1,x2 are individually “random”
Complexity of g comparable to that of f
HSS-based solution: g=Evalf
Weaker solutions via FHE, or even unconditionally
Useful for
“Fine-grained” average-case hardness
Verifiable computation

18. Worst-case to average-case reductions
Applications
Worst-case to average-case reductions
f(x)? x
f(x)=y!
f(x)?!

19. Applications Worst-case to average-case reductions r1 f(r1)
Test on random inputs? rn
x will not be one of them…
f(rn)

20. Worst-case to average-case reductions
Applications
Worst-case to average-case reductions x1
g(x1)=y1
f(x)? x2
f(x)
g(x2)=y2

21. HSS for Circuits from LWE via FHE
From multi-key FHE [LTV12,CM15,MW16,DHRW16,BGILT18]
“Additive-spooky” encryption [Dodis-Halevi-Rothblum-Wichs16]
From threshold FHE [AJLTVW12,BGI15,DHRW16]

22. 20th century assumptions?
HSS without FHE?
20th century assumptions?

23. Example: Additive Secret Sharing
Let (G,+) be a finite Abelian group (e.g., G=Zp)
Additive secret sharing of x ∈ G: split x into (y,z) where y,z are random subject to x=y+z.
Each of y and z (separately) is uniform over G
More generally, we can view the output as living in some abelian group and use addition. x y z +

24. Additive Secret Sharing is Homomorphic!x y z = + x’ y’ z’
Similarly:
scalar multiplication
More generally, we can view the output as living in some abelian group and use addition. +
x+x’
y+y’
z+z’ =

25. HSS for linear functions [Benaloh86]
L(x)
Dec +
Eval
L(y)
L(X)=
c1X1+c2X2+…+cnXn
Eval
L(z)
More generally, we can view the output as living in some abelian group and use addition. y z
Add-Share
x=(x1,…,xn)

26. HSS for linear functions [Benaloh86]
L(x)
Can we go beyond linear functions?
Trivially: share all possible functions of x
Not efficient!
Inherent limitation of information-theoretic HSS
Dec +
Eval
L(y)
L(X)=
c1X1+c2X2+…+cnXn
Eval
L(z)
More generally, we can view the output as living in some abelian group and use addition. y z
Share
x=(x1,…,xn)

27. Coming Up HSS for “simple” functions from one-way functions
HSS for branching programs from DDH
Many open questions

28. Low-End HSS
from OWF

29. Function Secret Sharing [Boyle-Gilboa-Ishai15]
Reverse roles of function/program and input
Share size can grow with program size
P(x)  
[P(x)]1
[P(x)]2
Looks like a cosmetic change, but is actually more natural in the context of some applications, and also allow broader feasibility results: for instance, decision trees from OWF, where the share size grows with the DT size. x
Eval
Eval x
[P]1
[P]2
Share P

30. Function Secret Sharing [Boyle-Gilboa-Ishai15]
Reverse roles of function/program and input
Share size can grow with program size
Very efficient constructions for “simple” classes from one-way functions [GI14,BGI15,BGI16] - Point functions - Intervals - Decision trees
Applications to privacy-preserving data access - Reading (e.g., PIR [CGKS95,CG97] “Splinter” [WYGVZ17]) - Writing (e.g., private storage [OS98], “Riposte” [CBM15]) - Reading+writing (e.g., distributed ORAM [Ds17,GKY18,BKKO18])
P(x)  
[P(x)]1
[P(x)]2
Looks like a cosmetic change, but is actually more natural in the context of some applications, and also allow broader feasibility results: for instance, decision trees from OWF, where the share size grows with the DT size. x
Eval
Eval x
[P]1
[P]2
Share P

31. Distributed Point Functions
Point function fα,β:{0,1}nG
fα,β(α)=β
fα,β(x)=0 for x≠α
DPF = FSS for class of point functions
Simple solution: share truth-table of fα,β
Goal: poly(n) share size
Implies OWF
Super-poly DPF implicit in PIR protocols [CGKS95,CG97]

32. Applications: Reading
Keyword search [CGN96,FIPR05,OS05,HL08, …]
X= {x1,…,xN}
xi  {0,1}n
Server 1
Server 2
y1=i f1(xi)
y2= if2(xi) f1 f2
fx,1:{0,1}nZ2
Client
Is x in X?
1-bit answers!
No data structures, no error
Works well on streaming data
y1y2

33. Applications: Reading
Keyword search with payloads
X= {(x1,p1),…,(xN,pN)}
xi  {0,1}n
Server 1
Server 2
y1=i pi.f1(xi)
y2= i pi.f2(xi) f1 f2
fx,1:{0,1}nZ2
Client
Get payload of keyword x
y1y2

34. Applications: Reading
Generalized keyword search
X= {x1, …, xN}
xi  {0,1}n
Server 1
Server 2
y1=Σi f1(xi)
y2=Σi f2(xi) f1 f2
f:{0,1}nZu
Client
How many xi satisfy f(xi)=1?
y1+y2

35. Applications: Reading
Generalized keyword search with payloads?
X= {(x1,p1),…,(xN,pN)}
xi  {0,1}n
Server 1
Server 2
y1=Σi E(pi). f1(xi)
y2=Σi E(pi). f2(xi) f1 f2
f:{0,1}nZu
Client
Return (some) pi with f(xi)=1
y1+y2

36. Applications: Writing
Secure aggregation X1 X2
Server 1
α1 α2 α3 α4 α5 α6 α7 α8 α9 α10
Server 2
Xi1Xi1+f1 (αi) f1 f2
fα, 1:{0,1}nZu
Client doesn’t need to know which items are being tracked
Server work proportional to number of items being tracked
α = “embarrassing.com”
Xα+=1

37. Applications: Writing
Anonymous messaging [CBM15] m X1 X2
Server 1
Server 2 f1 f2
Client
Anonymously post m

38. Applications: Writing
Anonymous messaging [CBM15] m’ m
m’’ X1 X2
Server 1
Server 2 f1 f2
Anonymously post m’’
Client
Client
Anonymously post m’
Client
Client

39. PRG-based DPF Let <x> denote additive secret sharing
<x>=(x1,x2) s.t. x1-x2=x
Exploit two simple types of homomorphism
Additive: <x> , <y>  <x+y> by local addition
Weak expansion: <x>  <X> by locally applying PRG
x=0λ  X=02λ
x = random  X = pseudo-random
X looks p.r. even if you know one of the two shares

40. PRG-based DPF share1 share2α1 α1 α2 α2 α3 α3 α4 α4 β β
Shares define two correlated “GGM-like” trees
[GGM84] “How to Construct Random Functions”

41. PRG-based DPF share1 share2 Invariant for Eval:
λ-bit
1-bit
For each node v on evaluation path we have <S>|<b>

42. PRG-based DPF share1 share2 <$>|<1> Invariant for Eval:
For each node v on evaluation path we have <S>|<b>
v on special path: S is pseudorandom, b=1
v off special path: S=0, b=0

43. PRG-based DPF share1 share2 <$>|<1> Invariant for Eval:
For each node v on evaluation path we have <S>|<b>
v on special path: S is pseudorandom, b=1
v off special path: S=0, b=0

44. Gadget: Conditional Correction
R1{0,1}k
<R>
R2=R1R
b1{0,1}
<b>
b2=b1b
Δ{0,1}k
<Rb.Δ>
R1b1.Δ
R2b2.Δ
Shared control bit t and secret string E, and a public correction Delta, we can conditionally add delta to

45. Correct to <β>,<0>
PRG-based DPF
share1
share2
[$],[1] Δ1 Δ2 Δn
Just need to correct to the fixed values, the remaining seed will be pseudorandom
Correct to <β>,<0>

46. Concrete Efficiency of DPF
Share size  n.λ, for PRG:{0,1}λ{0,1}2(λ+1)
Slightly better for binary output
Concrete cost of Eval  n x PRG, Gen  2 x Eval
Evaluating on the entire domain [N]  N/λ x PRG (N/64 x AES)
Example: 2-server PIR on 225 records of length d
Communication: 2578 bits to each server, d bits in return
Computation: dominated by reading + XORing all records
2^25 = 33 million

47. Extensions m-party DPF from PRG [BGI15]
Near-quadratic improvement over naive solution … with 2m overhead
FSS for intervals, decision trees (leaking topology), d-dimensional intervals [BGI16]
Barrier (?): FSS for class F containing decryption  Succinct 2PC for F from OT (w/reusable preprocessing)
Meaningful even for F=AC0
May lead to positive results!

48. Recent Applications to MPC
MPC for RAM programs [Ds17,GKY18,BKKO18]
Competitive with ORAM despite linear-time computation!
Compressing correlations [BCGI18]

49. Secure Computation with Correlated Randomness
[Beaver 1995]
𝑥 𝐴
𝑥 𝐵 …
interactive preprocessing
Trusted Dealer
𝑦 𝐴 = 𝑓 𝐴 (𝑥 𝐴 , 𝑥 𝐵 )
𝑦 𝐵 = 𝑓 𝐵 (𝑥 𝐴 , 𝑥 𝐵 ) rA rB
Information-Theoretic Security
Constant Computational Overhead
[Bea95, Bea97, IPS09, BDOZ11, BIKW12, NNOB12, DPSZ12, IKMOP13, DZ13, DLT14, BIKK14, LOS14, FKOS15, DZ16, KOS16, DNNR17, C18, … ]

50. Pseudorandom Correlation Generator (PCG)
𝑥 𝐴
𝑥 𝐵 …
𝑦 𝐴 = 𝑓 𝐴 (𝑥 𝐴 , 𝑥 𝐵 )
𝑦 𝐵 = 𝑓 𝐵 (𝑥 𝐴 , 𝑥 𝐵 ) KA KB
rA=PCGA(KA)
rB=PCGB(KB)

51. PCGs in Secure Computation
Phase 1:
“tiny” interactive protocol
Phase 2:
local expansion procedure
Phase 3:
fast
“non-cryptographic”
MPC with “silent preprocessing”
Improved overall communication
Near-optimal online computation
preprocessing
online
Short setup s0 s1
HSS0(s)
Let s=s0+s1
HSS1(s)
LOCAL
Decompression
Eval
[correlated-randomness]0
[correlated-randomness]1
Online protocol

52. Oblivious Linear Evaluation (OLE) [NP99]
a, b x
OLE 𝔽
ax + b
Generalizes Oblivious Transfer
Enables secure computation of arithmetic circuits over 𝔽

53. Vector Oblivious Linear Evaluation (VOLE)x b
VOLE 𝔽
ax + b
Analog of string OT for larger fields
Easy to implement from random VOLE correlation
Useful for arithmetic secure computation, NIZK, and more.

54. Compressing Sparse VOLE
(note: a’ can be represented succinctly) a’ x
Wanted: b’
a’x+b’
Secret shares
of a’x
Function Secret Sharing
for Multi-Point Functions
Convert “sparse” to “pseudorandom” via public linear mapping
Secure assuming “Learning Parity with Noise” over 𝔽

55. Open Problems: HSS from OWF
3-party DPF
o(N1/2) key size from OWF?
Limits of 2-party HSS from OWF
HSS for conjunctions / partial match?
Stronger barriers
Power of information-theoretic (m,t)-HSS
Negative results for multi-input case [BGILT18]
Single-input case wide open even for (2,1)-HSS
Efficiency of 2-party DPF from OWF
Beat n.λ key size?
Amortizing cost of multi-point DPF?

56. HSS for Branching Programs
from DDH

57. Recall: Homomorphic Secret Sharing
EvalP x1 x2 x
Share y1
= P(x) + y2
EvalP
Security: xi hides x
Correctness: EvalP(x1) + EvalP(x2) = P(x)
Compactness vs additive
Emphasize: (1) share size ~input, (2) output share size = output size eg SINGLE BIT

58. δ-HSS x = P(x) Security: xi hides x
EvalP x1 x2 x
Share y1
= P(x) + y2
EvalP
Security: xi hides x
δ-Correctness: Except with prob. δ, EvalP(x1) + EvalP(x2) = P(x)
Compactness vs additive
Emphasize: (1) share size ~input, (2) output share size = output size eg SINGLE BIT

59. Main Theorem
2-party δ-HSS for branching programs under Decisional Diffie-Hellman
Share: runtime (& share size) = |x|poly(λ)
Eval: runtime = poly(λ,|P|,1/δ) for error probability δ
Compactness vs additive
Emphasize: (1) share size ~input, (2) output share size = output size eg SINGLE BIT

60. Living in a log-space world
Multiplication of n n-bit numbers
Streaming algorithms
Min L2-distance from list of length-n vectors
Many numerical / statistical calculations
approx
Finite automata
Undirected graph connectivity
FHE Decryption …

61. The HSS Construction

62. (More generally: ReachFewL)
RMS Programs
Restricted-Multiplication Straight-line programs:
vi  xj Load an input into memory.
vi  vj+vk Add values in memory.
vi  vj*xk Multiply value in memory by an input.
Output vi (mod m)
ReachFewL (nondet counting apps where all intermediate counts poly bounded)
Emphasize concrete efficiency benefits of small Z
We will support homomorphic evaluation of RMS programs over Z s.t. all intermediate values are “small” (e.g., {0,1})
Captures branching programs and log-space computations
(More generally: ReachFewL)

63. 3 Ways to Share a Number
Let G be a DDH group of size q with generator g
3 levels of encoding Zq elements
[u] : (gu, gu)  G x G “encryption”
<v> : (v1,v2)  Zq x Zq s.t. v1=v2+v additive
{w} : (w1,w2)  G x G s.t. w1=w2gw multiplicative
Each level is additively homomorphic
<v>,<v’><v+v’> {w},{w’}{w+w’}
Natural pairing: pair([u],<v>)  {uv}
((gu)^v1,(gu)^v2)=(guv2guv,guv2)

64. Need Convert : {w}  <w>
Toy Version
Let’s pretend gx is a secure encryption of x
Emulating an RMS program – first attempt:
Share: for each input xi
Encrypt as [xi]
Additively secret-share as <xi>
Eval: // maintain the invariant: Vi = <vi>
vi  xj : Vi  <xj>
vi  vj+vk : Vi  Vj+Vk // Vi= <vj+vk>
Output vi (mod m): Output Vi +(r,r) (mod m)
vi  xk*vj : Wi  pair([xk],Vj) // Wi= {w} for w=xkvj
[u]=(gu,gu)
<v>=(v2+v,v2)
{w}=(w2gw,w2)
Need Convert : {w}  <w>
Solved by discrete log
Stuck?

65. Share Conversion Goal: Locally convert multiplicative sharing of w
Group G g0 g1
gz1
Group G g0 g1
gz2
Goal: Locally convert multiplicative sharing of w
to additive sharing of w

66. Share Conversion   Goal: Convert multiplicative sharing of w
gz1
Convert (gzb):
Return distance distb from gzb to S.
Return distb=0 if distance>(1/δ)log(1/δ)
S is a δ-sparse “random” set on G
eg S={hG | (h)=0}
for suitable PRF  
gz2
Goal: Convert multiplicative sharing of w
to additive sharing of w

67. Conversion Error       Error probability depends on w Bad cases:
Bad Zone
gz0
Good Zone
Las Vegas version   
Reminiscent of cryptanalytic
gz1
Bad cases:
   Bad Zone error ~ δw
   Good Zone error ~ δ
Error probability depends on w
Case I:  ∉ Zone1,
Case II:  ∈ Zone1
Case III:  ∉ (Zone1 ∪ Zone2)
 ∈ Zone2
dist0-dist1=z
Error ~z𝛿

68. Toy Version Let’s pretend gx is a secure encryption of x
Emulating an RMS program:
Share: for each input xi
Encrypt as [xi]
Additively secret-share as <xi>
Eval: // maintain the invariant: Vi = <vi>
vi  xj : Vi  <xj>
vi  vj+vk : Vi  Vj+Vk // Vi= <vj+vk>
vi  xk*vj : Wi  pair([xk],Vj); Vi Convert(Wi)
Output vi (mod m): Output Vi mod m
[u]=(gu,gu)
<v>=(v2+v,v2)
{w}=(w2gw,w2)

69. From Toy Version to Real Version
Pick secret key cZq for ElGamal encryption
Encrypt each input xi as [r], [cr+xi] (secret-key ElGamal)
Invariant: Each memory value vj shared as <vj>, <cvj>
To multiply xivj: pair, subtract and get {xivj}
Use conversion to get <xivj>
Problem: Need also <cxivj> to maintain invariant
Solution? Share cxi in addition to xi
Problem: Can’t convert {cxivj} (cxivj too big)
Solution: Break c into binary representation, encrypt xick
Problem: circular security for ElGamal?
Solutions: (1) assume it! (2) leveled version (3) use [BHHO08]

70. pk = ElGamal public key + encryptions of bits ck of secret key
Public-Key Variant
P(x)
Dec 
Eval
[P(x)]1 P
Eval
[P(x)]2 P
pk = ElGamal public key + encryptions of bits ck of secret key
ek = load 1 to memory
Can be viewed as a threshold homomorphic encryption with secret evaluation keys
The main thing common to all these variants is that we have two separate local evaluations running, each depending on its own secret information, and we have no central ciphertext that encrypts the output.
ek1
ek2
[xi]
[xi]
[xi]
Enc pk xi

71. Applications to MPC (from DDH)
Succinct 2PC for branching programs / logspace / NC1
Communication |inputs| + |outputs| + poly(λ) bits
Slightly sublinear 2PC for “nice” circuits
Communication O(|C|/log|C|) + … bits
O(|C|)+… bits for general circuits
2-server PIR for branching program queries
2-round MPC in PKI model [BGI17, BGILT18]
Worst-case to average-case reductions in P [BGILT18]
Pratay Mukherjee and Wichs

72. Computational Optimizations
“Conversion-friendly” groups: g = 2 is generator & p = 2i - (small) h.g = (shift 1) + small
Distinguished points:
Index of minimum value of min-wise hash Saves log(1/δ) factor in worst-case runtime
Heuristic: sequence 10d Fast implementation via circular buffer
* 𝛾
shift 32
hg32 h

73. Further Optimizations
Assume circular-secure ElGamal
Elliptic-curve ElGamal for short ciphertexts
“Small exponent” ElGamal for shorter secret key
Preprocess for fixed-basis exponentiations
Replace binary sk decomposition by base D
Bottom line:
Orders of magnitude improvement compared to baseline
Ciphertexts and keys shorter than in FHE
Fast enough for non-trivial applications [BCGIO17]
160 bits small exponent. Heuristic: 1 grp element per ElGamal CT. Base D=2^10. Then 1 sk needs 16 CTs
Focus on succinctness: 2.5k-5k bits

74. Conclusions Group-based HSS Not post-quantum
Supports branching program computation
Yields succinct secure computation and other applications of FHE
Some applications not implied by standard FHE
Good concrete efficiency for “small” computations
Not post-quantum
I have bigger concerns at this moment

75. Open Questions (and recent progress)
Beyond branching programs
FHE-style bootstrapping?
More than 2 parties?
Better time/error tradeoff of conversion? Yes! [Dinur-Keller-Klein18]
Fault tolerance at the branching program level?
Different assumptions?
Paillier [Fazio-Gennaro-Jafarikah-Skeith17, Couteau17]
Better from LWE? Yes! [Boyle-Kohl-Scholl18]
QRA? LPN?
Better concrete efficiency
Progress in [Boyle-Couteau-Gilboa-I-Orru17]

76. The research leading to these results has received funding from the European Union's Horizon 2020 Research and Innovation Program under grant agreement no – ERC – NTSC