Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University Joint work with Ariel Elbaz(Columbia University) Tal Malkin(Columbia.

Published byMorgan Underwood Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University Joint work with Ariel Elbaz(Columbia University) Tal Malkin(Columbia."— Presentation transcript:

1 1 Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University Joint work with Ariel Elbaz(Columbia University) Tal Malkin(Columbia University) Moti Yung (Columbia University & Google)

2 2 Outline Motivation Our Results –First Protocol –Second Protocol Conclusion

3 3 Multi-party Computing with Encrypted Data (MPCED) P1P1 P2P2 PnPn … x y external parties Considered implicitly in [FH96,JJ00,CDN01] many computations on encrypted database dynamic data contribution from external parties

4 4 Round-complexity of protocols Critical measure on the efficiency There are constant-round MPC protocols, but the exact constant is big. Focus on online round-complexity –Possibly allow any poly-time preprocessing independent of the function of interest and input. –Minimization of turn-around time –Preprocessing can be handled separately, e.g., by cloud computing

5 5 Outline Motivation Our Results –First Protocol –Second Protocol Conclusion

6 6 Previous Work Adaptive/Static#rounds#corrupt [CLOS02]AdaptiveO(d)< n [DN03]Adaptive (Arithm.)O(d)<n [DI05]Adaptive2 const < n/5 < n/2 [DIK08+]Adaptiveconst< n/2 [IPS08]Adaptiveconst< n Yes, for static case Can we do it in one or two rounds for <n corruption?

7 7 Our Results Two protocols for MPCED with small online round complexity w/ preprocessing –one-round protocol P 1 –Two-round protocol P 2 (Depending on the case, P 2 has more efficient preprocessing than P 2 ). Static and <n corruption Uses ElGamal encryption –extendable to any threshold homomorphic encryption schemes.

8 8 Outline Motivation Our Results –First Protocol –Second Protocol Conclusion

9 9 First Protocol Takes one round General Idea: Modify Yao’s protocol –Garble a universal circuit instead of a given circuit –Replace OT w/ one-round equivalent step using homomorphism.

10 10 Preprocessing Generate a Garbled Circuit for a Universal Circuit [V76,KS08] Overall, follow Yao’s technique except input wire keys.

11 11 l0l0 l1l1 r0r0 r1r1 E l 0, r 0 (k 1 ) E l 1, r 0 (k 1 ) E l 0, r 1 (k 1 ) E l 1, r 1 (k 0 ) k0k0 k1k1 Yao’s Garbled Circuit NAND

12 12 l0l0 l1l1 r0r0 r1r1 E l 0, r 0 (k 1 ) E l 1, r 0 (k 1 ) E l 0, r 1 (k 1 ) E l 1, r 1 (k 0 ) k0k0 k1k1 l0l0 l1l1 r0r0 r1r1 E l 0, r 0 (k 1 ) E l 1, r 0 (k 1 ) E l 0, r 1 (k 1 ) E l 1, r 1 (k 0 ) k0k0 k1k1 l0l0 l1l1 r0r0 r1r1 E l 0, r 0 (k 1 ) E l 1, r 0 (k 1 ) E l 0, r 1 (k 1 ) E l 1, r 1 (k 0 ) k0k0 k1k1 Yao’s Garbled Circuit NAND Once keys of the input wires in the entire circuit are determined, can compute the circuit locally.

13 13 Preprocessing - 2 Input wires –Pick a random h for global use: hidden –Keys in each input wire j, say w j 0 and w j 1, should satisfy w j 1 = w j 0 * h –publish H = E y (h) –publish E y (w j 0 ) for each input wire j

14 14 Encrypted Input Data E y (h b ) for Boolean input b – If b = 0, publish E y (1) – If b = 1, re-randomize H

15 15 Online Stage Given –input wire: W 0 = E y (w 0 ) –Input data: C = E y (h b ) Decrypt W 0 * C –Note W 0 * C = E y (w 0 *h b ) = E y (w b ) Requires only a single round

16 16 First Protocol: Summary Use garbled universal circuit with augmented manipulation in the input wires Replace OT procedure in Yao with threshold decryption using homomorphism Needs a single online round

17 17 Outline Motivation Our Results –First Protocol –Second Protocol Conclusion

18 18 Second Protocol Takes two rounds. Natural extension of two-party case [CEJMY07] Idea –Preprocessing: garble individual gates Independent of a circuit or input –Online stage: construct wires between garbled gates and inputs

19 19 Preprocessing Garbled NAND gates Bunch of fresh ElGamal key pairs: (pk, E y (sk)) NAND 1yx x > y

20 20 Garbled NAND gates with fresh ElGamal key pairs Intermediate gates: NAND + keys top-level gates: IDENTITY + keys

21 21 Online stage Construct wires between garbled gates and inputs –How? Use CODE (explained next)

22 22 Conditional Oblivious Decryption Exposure (CODE) Functionality –Assumes parties share the private key for y –Input: three ciphertexts C in, C out, C key, a key z –Output: E z (M key ) if M in  M out, E z (random) otherwise E y (g) E y (1)E y (100) C out C in C key Output: E z (random) E y (1) E y (100) C out C in C key Output: E z (100) Can be implemented w/ homomorphic enc in 2 rounds.

23 23 Online Stage – Run CODEs Run CODE in parallel for each C in, C out, C key tuple. NAND x encrypted under z = pkL * pkR: E z (skL)... Not encrypted z =1: skR Then, locally computes the circuit using CODE outputs inductively.

24 24 Online Stage – After Running CODE... E z (skL) skR E pkL*pkR (sk) Decrypt Final column Using sk

25 25 Summary : Second Protocol Preprocessing –Garbled NAND gates, fresh ElGamal keys Online Stage –Run 2-round CODE protocols in parallel

26 26 Summary Second Protocol –online #round: two –No blow-up of gates –2n-round explicit preprocessing: efficient when n is very small (when n is big, use generic protocols) First Protocol –online #rounds: one –Logarithmic blow-up of gates –No explicit preprocessing: should use generic protocols such as [IPS08].

27 27 Outline Motivation Our Results –First Protocol –Second Protocol Conclusion

28 28 Multi-party Computing with Encrypted Data (MPCED) P1P1 P2P2 PnPn … x y external parties Considered implicitly in [FH96,JJ00,CDN01] many computations on encrypted database dynamic data contribution from external parties

29 29 Our Results Two protocols for MPCED with small online round complexity w/ preprocessing –one-round protocol P 1 –Two-round protocol P 2 (Depending on the case, P 2 has more efficient preprocessing than P 2 ). Static and <n corruption

30 30 Thank you

Download ppt "1 Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University Joint work with Ariel Elbaz(Columbia University) Tal Malkin(Columbia."

Similar presentations

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)
Private Inference Control

Private Inference Control
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Improved Efficiency for Private Stable Matching Matthew Franklin, Mark Gondree, and Payman Mohassel University of California, Davis 02/07/07 - Session.

Improved Efficiency for Private Stable Matching Matthew Franklin, Mark Gondree, and Payman Mohassel University of California, Davis 02/07/07 - Session.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Privacy Preserving Auctions and Mechanism Design Moni Naor Benny Pinkas Reuben Sumner Presented by: Raffi Margaliot.

Privacy Preserving Auctions and Mechanism Design Moni Naor Benny Pinkas Reuben Sumner Presented by: Raffi Margaliot.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)

On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)
New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.

New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.

Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Similar presentations

Ads by Google