Presentation is loading. Please wait.

Presentation is loading. Please wait.

Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE Bar-Ilan University Gilad Asharov UCLA Abhishek Jain NYU Adriana.

Published byLoren Susanna Cook Modified over 9 years ago

Similar presentations

Presentation on theme: "Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE Bar-Ilan University Gilad Asharov UCLA Abhishek Jain NYU Adriana."— Presentation transcript:

1 Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE Bar-Ilan University Gilad Asharov UCLA Abhishek Jain NYU Adriana López-Alt Tel-Aviv University Eran Tromer University of Toronto Vinod Vaikuntanathan IBM Research Daniel Wichs

2 2-Party Computation Using FHE (semi-honest) y a b y = f(a,b) Y A =Encrypt(a) Y=Eval(f,A,B) Charlie Sally

3 Advantages  Low round complexity  Low communication complexity Independent of the function f Independent of Sally’s input b  Low computation Charlie’s work is independent of f  A simple template Can we get all these advantages in the multiparty case?

4 Threshold Key Generation Key Generation

5 Threshold Key Generation Key Generation

6 Input Encryption A B CD a c b d A=Enc(a) B=Enc(b) C=Enc(c) D=Enc(d)

7 Homomorphic Evaluation ABCD Y ABCD Y ABCD YABCD Y

8 Delegate to a Cloud ABCD Homomorphic Evaluation Y

9 Threshold Decryption Dec Y Y Y Y

10 Threshold Decryption Dec m m m m

11 MPC with Threshold FHE Threshold Key Gen Encrypt and Evaluate Threshold Decryption

12 MPC with TFHE Threshold KeyGen and Threshold Dec can be implemented using generic MPC Advantages:  Low communication complexity (even in malicious)  The homomorphic evaluation can be delegated / only one party Disadvantages:  Needs generic MPC techniques  Round complexity can be high Threshold Key Gen Encrypt and Evaluate Threshold Decryption Threshold Key Gen Encrypt and Evaluate Threshold Decryption

13 Our Main Results Threshold KeyGen and Threshold Dec algebraically [BV11b, BGV12] (based on LWE) Advantages:  Low communication complexity (even in malicious)  The homomorphic evaluation can be delegated / only one party  Simple: there is no need for generic MPC protocol  Extremely low round complexity  Only 3 broadcast rounds (CRS model)  2 rounds reusable PKI – optimal(!) Threshold Key Gen Encrypt and Evaluate Threshold Decryption Threshold Key Gen Encrypt and Evaluate Threshold Decryption

14 Our Main Results (malicious) Threshold KeyGen and Threshold Dec algebraically [BV11b, BGV12] (based on LWE) Advantages:  Low communication complexity (even in malicious)  The homomorphic evaluation can be delegated / only one party (assuming cs poofs / SNARGs)  Simple: there is no need for generic MPC protocol  Extremely low round complexity  Only 3 broadcast rounds (CRS model)  2 rounds reusable PKI – optimal(!)  UC security (assuming UC-NIZK) Threshold Key Gen Encrypt and Evaluate Threshold Decryption Threshold Key Gen Encrypt and Evaluate Threshold Decryption

15 Related Work [C ramer D amgard N ielsen 01]– MPC using threshold HE [G entry 09] – MPC using threshold FHE [B endlin D amgard 10] – threshold version for LWE [K atz O strovsky 04] – lower bound of 5 rounds for MPC in the plain model [M yers S ergi s helat 11] – threshold version of [vDGHV10]

16 The LWE Assumption [Regev05] Distribution 1Distribution 2 also secure if q is odd and we choose noise to be small and even (2e instead e)

17 Basic LWE-Based Encryption Symmetric KeyPublic Key

18 Key-Homomorphic Properties of the Basic Scheme Two public keys, same “coefficient” A A new public key with secret key: s 1 +s 2, coefficient A (almost the same as El-Gammal)

19 Threshold Key Generation A s1s1 s3s3 (A,p 1 ) = As 1 +2e 1 (A,p 3 ) = As 3 +2e 3 (A,p 2 ) = As 2 +2e 2 (A,p 4 ) = As 4 +2e 4 s2s2 s4s4

20 Threshold Key Generation A s1s1 s3s3 (A,p 1 ) = As 1 +2e 1 (A,p 3 ) = As 3 +2e 3 (A,p 2 ) = As 2 +2e 2 (A,p 4 ) = As 4 +2e 4 s2s2 s4s4

21 Threshold Key Generation A s2s2 s4s4 (A,p 1 ) = As 1 +2e 1 (A,p 3 ) = As 3 +2e 3 (A,p 2 ) = As 2 +2e 2 (A,p 4 ) = As 4 +2e 4 (A,p*) = As*+2e* (A,p * ) Joint secret key: s * =s 1 +s 2 +s 3 +s 4 Joint public key: p * =p 1 +p 2 +p 3 +p 4 s1s1 s3s3

22 Threshold Decryption s1s1 s3s3 s2s2 s4s4

23 s1s1 s3s3 s2s2 s4s4

24 s1s1 s3s3 s2s2 s4s4

25 Basic LWE-Based Encryption – Homomorphism

26 FHE From LWE [BV11b],[BGV12]

27 Evaluation Key

28 Threshold KeyGen –Round 2 s2s2 s4s4 s1s1 s3s3 … … … …

29 Threshold KeyGen – End Of Round 2 s2s2 s4s4 s1s1 s3s3 … … … …

30 … … … … Threshold KeyGen – Round 3 s2s2 s4s4 s1s1 s3s3 …………

31 Threshold KeyGen – End Of Round 3 s2s2 s4s4 s1s1 s3s3

32 Threshold FHE - KeyGen one round!

33 The MPC Protocol Threshold KeyGen (2 rounds) – Round 1: Creates public key – Round 2: Creates evaluation key The parties encrypt their inputs (sent concurrently with round 2 of KeyGen) Threshold Dec (1 round)

34 Malicious

35 Conclusion TFHE based on LWE – In the paper: Ring – LWE 3 Rounds MPC 2 Rounds in reusable PKI - optimal(!) Low Communication Complexity Easy to delegate Thank You!

Download ppt "Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE Bar-Ilan University Gilad Asharov UCLA Abhishek Jain NYU Adriana."

Similar presentations

FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)
MPC for Comparing Two Shared Secrets without Bit-Decomposition Takashi Nishide * Kazuo Ohta The University of Electro-Communications * Hitachi Software.

MPC for Comparing Two Shared Secrets without Bit-Decomposition Takashi Nishide * Kazuo Ohta The University of Electro-Communications * Hitachi Software.
Fully Homomorphic Encryption over the Integers

Fully Homomorphic Encryption over the Integers
Efficient Multiparty Protocols via Log-Depth Threshold Formulae Ron Rothblum Weizmann Institute Joint work with Gil Cohen, Ivan Damgard, Yuval Ishai, Jonas.

Efficient Multiparty Protocols via Log-Depth Threshold Formulae Ron Rothblum Weizmann Institute Joint work with Gil Cohen, Ivan Damgard, Yuval Ishai, Jonas.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
14. Aug. 2013 Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu.

14. Aug Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Paper by: Craig Gentry Presented By: Daniel Henneberger.

Paper by: Craig Gentry Presented By: Daniel Henneberger.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran.

1 Information Security – Theory vs. Reality , Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.

New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.

Similar presentations

Ads by Google