SLIDE 1
Hig igh-Throughput Secure Three-Party Computation for Mali licious Adversaries and an Honest Majority
Jun Furukawa*, Yehuda Lindell**, Ariel Nof** and Or Weinstein**
**Bar-Ilan University, Israel *NEC corporation, Israel
Computation for Mali licious Adversaries and an Honest Majority Jun - - PowerPoint PPT Presentation
Computation for Mali licious Adversaries and an Honest Majority Jun - - PowerPoint PPT Presentation
Hig igh-Throughput Secure Three-Party Computation for Mali licious Adversaries and an Honest Majority Jun Furukawa*, Yehuda Lindell**, Ariel Nof** and Or Weinstein** *NEC corporation, Israel **Bar-Ilan University, Israel Eurocrypt 2017
SLIDE 2
SLIDE 3
Secure Three-Party Computation wit ith an Honest Majority
π(π¦1, π¦2, π¦3) π¦1 π¦2 π¦3
SLIDE 4
Secure Three-Party Computation wit ith an Honest Majority
π(π¦1, π¦2, π¦3) π¦1 π¦2 π¦3
- Functionality is represented
by a Boolean circuit
- Security with abort
SLIDE 5
High-Throughput Secure Three-Party Computation
with an Honest Majority
SLIDE 6
High-Throughput Secure Three-Party Computation
with an Honest Majority
f π’π‘π’ππ π’ π’πππ
How much time it takes to compute a function?
SLIDE 7
High-Throughput Secure Three-Party Computation
with an Honest Majority Latency
f π’π‘π’ππ π’ π’πππ
How much time it takes to compute a function?
SLIDE 8
High-Throughput Secure Three-Party Computation
with an Honest Majority Latency
f π’π‘π’ππ π’ π’πππ
How much time it takes to compute a function?
f 1 π‘ππ f f f f f f f f
How many functions can we compute in one sec?
SLIDE 9
High-Throughput Secure Three-Party Computation
with an Honest Majority Latency Throughput
f π’π‘π’ππ π’ π’πππ
How much time it takes to compute a function?
f 1 π‘ππ f f f f f f f f
How many functions can we compute in one sec?
SLIDE 10
Low Latency VS. High-Throughput
High-Throughput Low Latency
SLIDE 11
Low Latency VS. High-Throughput
High-Throughput Low Latency
- Constant rounds of
communication
π
1
π2
βthe garbled-circuit approachβ
SLIDE 12
Low Latency VS. High-Throughput
High-Throughput
- Low bandwidth
- Simple Computations
Low Latency
- Constant rounds of
communication
π
1
π2 π
1
π2
βthe garbled-circuit approachβ βthe secret-sharing approachβ
SLIDE 13
Low Latency VS. High-Throughput
High-Throughput
- Low bandwidth
- Simple Computations
Low Latency
- Constant rounds of
communication
π
1
π2 π
1
π2
βthe garbled-circuit approachβ βthe secret-sharing approachβ
SLIDE 14
The Starting Point: The Semi-honest protocol of [AFLNO16 16]
- Based on replicated secret sharing
- Requires 1 bit of communication sent by each party
per AND gate.
- Speed: compute over 7 billion AND gates per second
- Concretely, over 1,300,000 AES operations per second
SLIDE 15
From Semi-Honest to Malicious adversary ry
- Sharing the inputs
- Emulating the circuit
- Output Reconstruction
SLIDE 16
From Semi-Honest to Malicious adversary ry
- Sharing the inputs
- Emulating the circuit
- Output Reconstruction
How to force the corrupted party to share its inputs βcorrectlyβ? How to verify AND gates were computed correctly? How to verify that the output was reconstructed correctly?
SLIDE 17
From Semi-Honest to Malicious adversary ry
- Sharing the inputs
- Emulating the circuit
- Output Reconstruction
How to force the corrupted party to share its inputs βcorrectlyβ? How to verify AND gates were computed correctly? How to verify that the output was reconstructed correctly?
SLIDE 18
Verification of AND Gates
A βmultiplication tripleβ is a triple of shares π , π , π such that π = π β π
SLIDE 19
Verification of AND Gates
A βmultiplication tripleβ is a triple of shares π , π , π such that π = π β π
Let π¦ , π§ , π¨ be a triple generated by computing an AND gate Let π , π , π be a random triple
SLIDE 20
Verification of AND Gates
A βmultiplication tripleβ is a triple of shares π , π , π such that π = π β π
Let π¦ , π§ , π¨ be a triple generated by computing an AND gate Let π , π , π be a random triple
SLIDE 21
Verification of AND Gates
A βmultiplication tripleβ is a triple of shares π , π , π such that π = π β π
Let π¦ , π§ , π¨ be a triple generated by computing an AND gate Let π , π , π be a random triple If π , π , π is a βvalidβ triple, then we can use π , π , π to detect cheating in π¦ , π§ , π¨ with probability 1.
SLIDE 22
Verification of AND Gates
A βmultiplication tripleβ is a triple of shares π , π , π such that π = π β π
Let π¦ , π§ , π¨ be a triple generated by computing an AND gate Let π , π , π be a random triple If π , π , π is a βvalidβ triple, then we can use π , π , π to detect cheating in π¦ , π§ , π¨ with probability 1.
Sub-protocol βtriple verification without openingβ
Communication: 2 bits per each party
SLIDE 23
The Protocol
On-line protocol
- 1. Share the inputs
- 2. Run the Semi-honest
protocol
- 3. Verify all ANDs gates
- 4. Reconstruct Output
3 bits per AND gate
SLIDE 24
The Protocol
On-line protocol
- 1. Share the inputs
- 2. Run the Semi-honest
protocol
- 3. Verify all ANDs gates
- 4. Reconstruct Output
Output πΆ triples
3 bits per AND gate
SLIDE 25
The Protocol
On-line protocol
- 1. Share the inputs
- 2. Run the Semi-honest
protocol
- 3. Verify all ANDs gates
- 4. Reconstruct Output
Pre-processing protocol
Output πΆ triples
3 bits per AND gate
SLIDE 26
The Protocol
On-line protocol
- 1. Share the inputs
- 2. Run the Semi-honest
protocol
- 3. Verify all ANDs gates
- 4. Reconstruct Output
Pre-processing protocol
Output πΆ triples
?
3 bits per AND gate
SLIDE 27
Generation of f Random Multiplication Triples
- π , [π] are generated without any interaction!
- [π] is computed using the semi-honest protocol
SLIDE 28
Generation of f Random Multiplication Triples
- π , [π] are generated without any interaction!
- [π] is computed using the semi-honest protocol
1 bit of communication!
SLIDE 29
Generation of f Random Multiplication Triples
- π , [π] are generated without any interaction!
- [π] is computed using the semi-honest protocol
How to verify that the triple is valid?
1 bit of communication!
SLIDE 30
Generation of f Random Multiplication Triples
. . .
SLIDE 31
Generation of f Random Multiplication Triples
. . .
Random permutation
SLIDE 32
Generation of f Random Multiplication Triples
. . .
Random permutation Open C triples
SLIDE 33
Generation of f Random Multiplication Triples
. . .
Random permutation Open C triples
If one of the
- pened triples is
incorrect, the honest parties will detect it and abort
SLIDE 34
Generation of f Random Multiplication Triples
. . .
Random permutation Open C triples
SLIDE 35
Generation of f Random Multiplication Triples
. . .
Random permutation Open C triples
. . .
Split into N buckets of equal size πΆ1 πΆ2 πΆπ πΎ π’π πππππ‘ πΎ π’π πππππ‘ πΎ π’π πππππ‘
SLIDE 36
Generation of f Random Multiplication Triples
. . .
Random permutation Open C triples
. . .
Split into N buckets of equal size πΆ1 πΆ2 πΆπ πΎ π’π πππππ‘ πΎ π’π πππππ‘ πΎ π’π πππππ‘ Verify the first triple in each bucket using πΈ β π triples
. . .
SLIDE 37
Generation of f Random Multiplication Triples
. . .
Random permutation Open C triples
. . .
Split into N buckets of equal size πΆ1 πΆ2 πΆπ πΎ π’π πππππ‘ πΎ π’π πππππ‘ πΎ π’π πππππ‘ Verify the first triple in each bucket using πΈ β π triples
. . . If one of the buckets is βmixedβ, the honest parties will detect it and abort
SLIDE 38
Generation of f Random Multiplication Triples
. . .
Random permutation Open C triples
. . .
Split into N buckets of equal size πΆ1 πΆ2 πΆπ πΎ π’π πππππ‘ πΎ π’π πππππ‘ πΎ π’π πππππ‘ Verify the first triple in each bucket using πΈ β π triples
. . .
SLIDE 39
Generation of f Random Multiplication Triples
. . .
Random permutation Open C triples
. . .
Split into N buckets of equal size πΆ1 πΆ2 πΆπ πΎ π’π πππππ‘ πΎ π’π πππππ‘ πΎ π’π πππππ‘ Verify the first triple in each bucket using πΈ β π triples
. . .
SLIDE 40
Generation of f Random Multiplication Triples
. . .
Random permutation Open C triples
. . .
Split into N buckets of equal size πΆ1 πΆ2 πΆπ πΎ π’π πππππ‘ πΎ π’π πππππ‘ πΎ π’π πππππ‘ Verify the first triple in each bucket using πΈ β π triples
. . .
SLIDE 41
Generation of f Random Multiplication Triples
. . .
Random permutation Open C triples
. . .
Split into N buckets of equal size πΆ1 πΆ2 πΆπ πΎ π’π πππππ‘ πΎ π’π πππππ‘ πΎ π’π πππππ‘ Verify the first triple in each bucket using πΈ β π triples
. . .
SLIDE 42
Generation of f Random Multiplication Triples
. . .
Random permutation Open C triples
. . .
Split into N buckets of equal size πΆ1 πΆ2 πΆπ πΎ π’π πππππ‘ πΎ π’π πππππ‘ πΎ π’π πππππ‘ Verify the first triple in each bucket using πΈ β π triples
. . .
Overall: π΅ + ππ« + ππΆ πΈ β π = πΆ ππΈ β π + ππ« bits
SLIDE 43
The Balls & Buckets Game
πππ(π΅, π, πΆ, π·) 1. chooses ππΎ + π· balls, where each ball can be bad or good 1.
Cost of the pre-processing: πΆ ππΈ β π + ππ«
SLIDE 44
The Balls & Buckets Game
π·π·), πΆπΆππ, , π΅π΅π»πππ(π(π΅, π, πΆ, π·)
- 1. chooses ππΎ + π· balls, where each ball can be
bad or good 1.
Cost of the pre-processing: πΆ ππΈ β π + ππ«
SLIDE 45
The Balls & Buckets Game
π·π· balls, where each ball can be bad or good 1. The adversary π΅ chooses ππΎ + π· balls, where each ball can be bad or good 2. chooses ππΎ + π· balls, where each ball can be bad or good 1.
Cost of the pre-processing: πΆ ππΈ β π + ππ«
SLIDE 46
The Balls & Buckets Game
π·π· balls, where each ball can be bad or good
- 1. C balls are randomly chosen and opened.
- If a bad ball was opened β the adversary loses
1.
Cost of the pre-processing: πΆ ππΈ β π + ππ«
SLIDE 47
The Balls & Buckets Game
π·π· balls, where each ball can be bad or good
- 1. C balls are randomly chosen and opened.
- If a bad ball was opened β the adversary loses
- 2. The balls are being randomly thrown into N buckets of size πΎ
- If all the buckets are fully good or fully bad, then the adversary wins
Cost of the pre-processing: πΆ ππΈ β π + ππ«
SLIDE 48
The Balls & Buckets Game
π·π· balls, where each ball can be bad or good
- 1. C balls are randomly chosen and opened.
- If a bad ball was opened β the adversary loses
- 2. The balls are being randomly thrown into N buckets of size πΎ
- If all the buckets are fully good or fully bad, then the adversary wins
Cost of the pre-processing: πΆ ππΈ β π + ππ«
The goal: Given a statistical parameter π and number of triples πΆ to generate, find πΈ, π« of minimal size such that: πΈπ π© ππππ β€ πβπ
SLIDE 49
The Balls & Buckets Game
The goal: Given a statistical parameter π and number of triples πΆ to generate, find πΈ, π« of minimal size such that: πΈπ π© ππππ β€ πβπ Tiny OT Our Work πΎ 4 3 π· 65,536 3 π = ππΎ + π· 4,259,840 3,154,731 πΆ = πππ, π = ππ
SLIDE 50
Summary ry & Efficiency
On-line protocol
- 1. Share the inputs
- 2. Run the Semi-honest
protocol
- 3. Verify all ANDs gates
- 4. Reconstruct Output
Pre-processing protocol
- 1. Generate ππΎ + π· triples
- 2. Open π· triples
- 3. Split into buckets and use πΎ β 1
triples to verify one triple
Output πΆ triples
Parameters: π = 220, πΎ = 3, π· = 3 7 bits per AND gate 3 bits per AND gate
SLIDE 51
Efficiency Comparison
Communication (bits) Number of AES Computations MRZ[15] 85N 3N Our protocol 10N N/5
N = number of AND gates
SLIDE 52
Efficiency Comparison
Communication (bits) Number of AES Computations MRZ[15] 85N 3N Our protocol 10N N/5
Three-party with honest majority at the cost of semi-honest Yao
N = number of AND gates
SLIDE 53
More Im Improvements & Im Implementation
βOptimized Honest-Majority MPC for Malicious Adversaries β Breaking the 1-Billion-Gate Barrierβ (To appear in IEEE S&P 2017)
- Reduction of communication from 10 bits to 7 bits only!
- This is achieved by better combinatorics that allows to use a bucket of size 2
(instead of 3)
- Cache-efficient shuffling
- Implementation
- Basic implementation: 503,766,615 AND gates/sec
- With optimizations: 1,152,751,967 AND gates/sec
SLIDE 54