Concretely Efficient Large-Scale MPC with Active Security (or, TinyKeys for TinyOT)



SLIDE 1

Concretely Efficient Large-Scale MPC with Active Security (or, TinyKeys for TinyOT)

Carmit Hazay, Emmanuela Orsini, Peter Scholl and Eduardo Soria-Vazquez

SLIDE 2

Large-Scale MPC

Growing number of users want to compute privately and jointly.

Current practical MPC doesn't scale well for large numbers of parties.

Outsource?

Fixed set of parties

Sample a committee

1229 farmers (auction) +6000 relays (statistics)

Eduardo Soria-Vazquez 2

SLIDE 3

MPC setting in this talk

Main focus:

  • Concrete efficiency for large numbers of parties (e.g. $n$ in 10s, 100s).

Adversary:

  • Static, active.
  • Dishonest majority, but not full threshold!
  • Assume $h > 1$ honest parties to increase efficiency.

Model of Computation:

  • Boolean circuits.
  • Preprocessing phase.

[Diagram: Preprocessing and Online phases; corr. rand.]

SLIDE 4

Our results

New TinyOT-style protocol (actively secure, dishonest majority) exploiting more honest parties:

  • Up to 34x less communication compared with [WRK17]'s TinyOT with $n - 1$ corruptions.
  • Up to 18x less communication compared with [WRK17]'s TinyOT mixed with committees ($h > 1$ honest parties).
  • Good improvements (2-6x less comm) with just 10% honest parties.

SLIDE 5

How to scale TinyOT

SLIDE 6

The TinyOT protocol [NNOB12]

  • Based on additive secret sharing: $x = x_1 + x_2$.
  • Multiplications computed using Beaver's triples: $(\mathbf{x}, \mathbf{y}, \mathbf{xy})$.
  • Active security: Information-theoretic MACs (authenticated bits).

SLIDE 7

The TinyOT protocol [NNOB12]

$x_1 \in \{0,1\}$, $M[x_1] \in \{0,1\}^{128}$

$\Delta, K[x_1] \in \{0,1\}^{128}$

$M[x_1] = K[x_1] + x_1 \cdot \Delta$

$x_1, M[x_1]$

SLIDE 8

The TinyOT protocol [NNOB12]

$x_2 \in \{0,1\}$, $M[x_2] \in \{0,1\}^{128}$

$\Delta, K[x_2] \in \{0,1\}^{128}$

$M[x_2] = K[x_2] + x_2 \cdot \Delta$

$x_2, M[x_2]$

SLIDE 9

Multi-Party TinyOT

SLIDE 10

The TinyOT protocol [NNOB12]

$x_1 \in \{0,1\}$, $M[x_1] \in \{0,1\}^{128}$

$\Delta, K[x_1] \in \{0,1\}^{128}$

$M[x_1] = K[x_1] + x_1 \cdot \Delta$

$x_1 + 1,\ M[x_1] + \Delta$

SLIDE 11

The TinyOT protocol [NNOB12]

$x_1 \in \{0,1\}$, $M[x_1] \in \{0,1\}^{\ell}$

$\Delta, K[x_1] \in \{0,1\}^{\ell}$

$M[x_1] = K[x_1] + x_1 \cdot \Delta$

$x_1 + 1,\ M[x_1] + \Delta$

$\ell \ll 128$

SLIDE 12

The TinyOT protocol [NNOB12]

$x_1 \in \{0,1\}$, $M[x_1] \in \{0,1\}^{\ell}$

$\Delta, K[x_1] \in \{0,1\}^{\ell}$

$M[x_1] = K[x_1] + x_1 \cdot \Delta$

$\ell \ll 128$, $\ell \cdot h \ge c$
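
The MAC relation and the bit-flip forgery from the slides above, as an added Python example (not code from the talk or the paper): it authenticates one bit towards h verifiers holding independent ℓ-bit keys and exhaustively counts the key guesses that let a cheating share holder open the flipped bit. The function names, the packing of keys into integers and the tiny parameters are assumptions of this sketch.

```python
import itertools
import secrets

def keygen(ell):
    """Verifier's global key Delta: ell uniform bits packed into an int."""
    return secrets.randbits(ell)

def authenticate(x, delta, ell):
    """Return (M, K) with M = K + x*Delta over GF(2)^ell (addition is XOR).
    The share holder keeps (x, M); the verifier keeps (Delta, K)."""
    k = secrets.randbits(ell)
    return k ^ (delta if x else 0), k

def verify(x, mac, k, delta):
    """Verifier's check when bit x is opened together with its MAC."""
    return mac == k ^ (delta if x else 0)

def count_forgeries(ell, h):
    """Authenticate one bit towards h honest verifiers, then try every
    possible tuple of key guesses for opening x + 1 with MACs M_j + guess_j.
    Returns (number of accepted forgeries, number of guesses tried)."""
    x = 1
    deltas = [keygen(ell) for _ in range(h)]
    tags = [authenticate(x, d, ell) for d in deltas]
    # The honest opening must always verify.
    assert all(verify(x, m, k, d) for (m, k), d in zip(tags, deltas))
    wins = total = 0
    for guess in itertools.product(range(2 ** ell), repeat=h):
        total += 1
        # A forgery counts only if every honest verifier accepts it.
        if all(verify(x ^ 1, m ^ g, k, d)
               for (m, k), g, d in zip(tags, guess, deltas)):
            wins += 1
    return wins, total

if __name__ == "__main__":
    # Constructed toy parameters: same total key material, split differently.
    for ell, h in [(8, 1), (2, 4), (1, 8)]:
        wins, total = count_forgeries(ell, h)
        print(f"ell={ell} h={h}: {wins} of {total} guesses forge the flipped bit")
```

Every parameter choice with the same product ℓ · h gives the same forgery odds, which is why short per-party keys suffice once several parties are honest.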

SLIDE 13

Committees + TinyOT + Short Keys

SLIDE 14

Committees + TinyOT + Short Keys

[Diagram labels: Short keys, h honest; Additive shares, 1 honest]

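SLIDE 15

The problem with short MACs

$r \times$ Triple $(\mathbf{x}, \mathbf{y}, \mathbf{xy})$

$\mathbf{y} \in \{0,1\}^{r}$, $\mathbf{x} \in \{0,1\}^{r}$, $x_1 y_1 + c_1, \dots, x_r y_r + c_r$

$L(\mathbf{y}) \approx H(\Delta) + \mathbf{y}$

$x_1, \dots, x_r \in \{0,1\}$

$M[x_1], \dots, M[x_r] \in \{0,1\}^{\ell}$

$c_1, \dots, c_r \in \mathcal{U}(\{0,1\})$

$y_1, \dots, y_r \in \{0,1\}$

$\Delta \in \{0,1\}^{\ell}$

$K[x_1], \dots, K[x_r] \in \{0,1\}^{\ell}$

$c_1, \dots, c_r$

Only $2^{\ell}$ possible values for $\Delta$! $\ell$ as small as 1!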

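SLIDE 16

Leakage gets worse…

$r \times$ Triple $(\mathbf{x}, \mathbf{y}, \mathbf{xy})$, …, $r \times$ Triple $(\mathbf{x}, \mathbf{y}, \mathbf{xy})$

$L(\mathbf{y}_1) \approx H(\Delta_1) + \mathbf{y}_1$, …, $L(\mathbf{y}_h) \approx H(\Delta_h) + \mathbf{y}_h$

$L(\mathbf{y}_1 + \dots + \mathbf{y}_h) = \sum_{j=1}^{h} H(\Delta_j) + \mathbf{y}_j \approx$

[Diagram labels: $\mathbf{y}_1$, $\mathbf{y}_h$, $\mathbf{x}$, $\mathbf{x}$]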

SLIDE 17

What is TinyKeys? [HOSS18]

  • New tool for large-scale MPC (more honesty ⇒ shorter keys).
  • Base security on the concatenation of honest parties' keys.
  • Security reduces to Regular Syndrome Decoding:
  • Not much easier than Syndrome Decoding ⇔ LPN.
  • Params: # products $r$, key length $\ell$, # honest parties $h$.
  • Statistically hard for small $r$/large $h$.

[Saa07] [BM17] [MO15] [NCB11] [BLN+09] [Kir11] [CJ04] [FS09] [MMT11] [BJMM12] [BLP08] [BLP11] [MS09]

SLIDE 18

What is TinyKeys? [HOSS18]

  • Params: # products $r$, key length $\ell$, # honest parties $h$.

Problems with TinyKeys [HOSS18]

SLIDE 19

Problems with TinyKeys [HOSS18]

  • Params: # products $r$, key length $\ell$, # honest parties $h$.
  • A single $\Delta$ can only be used to produce r triples!
  • Solution: Use different ones for every r triples: $\Delta_{[0,r)}, \Delta_{[r,2r)}, \dots$

Secure method for switching: $\Delta_{[0,r)} \to \Delta$, $\Delta_{[r,2r)} \to \Delta$, …

  • Best bucketing technique cannot apply (mult. overhead: $B$).
  • Solution: Use previous bucketing techniques (mult. overhead: $B^2$).
  • Still worth it! $B \in \{3,4\}$ in practice.

SLIDE 20

Communication complexity (400 parties)

[Figure: Comm. (megabits/AND triple) against # honest parties. Series: Standard [WRK17], [WRK17] + Committee, This Work.]

SLIDE 21

Conclusion and future directions

  • First extension of TinyKeys [HOSS18] to the active setting.
  • Take-away: Large-scale requires different/new techniques (bucketing, MACs).
  • Improved TinyOT with 30+ parties.
  • Up to 18x in communication (vs multiparty [WRK17] + committees).
  • Significant improvements (2-6x) with as little as 10% honest parties.

Future challenges:

  • Optimize TinyKeys: More cryptanalysis (conservative parameters atm).
  • Adaptive adversaries? Actively secure TinyKeys-BMR [HOSS18]?


SLIDE 22

Thank you! Questions?

Paper: https://ia.cr/2018/843 [Full version]

Concretely Efficient Large-Scale MPC with Active Security (or, TinyKeys for TinyOT)

Carmit Hazay, Emmanuela Orsini, Peter Scholl and Eduardo Soria-Vazquez

Mail: eduardo.soria-vazquez@bristol.ac.uk