CTIC Damg ard, Pastro, Smart, Zakarias (-.-) MPC from SHE - PowerPoint PPT Presentation

Multiparty Computation from Somewhat Homomorphic Encryption ard 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 Ivan Damg˚ 1 Aarhus University 2 Bristol University November 9, 2011 CTIC 交互计算 Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 1 / 36

Introduction 1 Online Phase 2 Preprocessing 3 An Improved Online Phase 4 Concrete Scheme 5 Benchmarks 6 Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 2 / 36

Multiparty Computation The problem n parties: P 1 , . . . , P n for all i P i has private input x i a function f : ( x 1 , . . . , x n ) �→ ( y 1 , . . . , y n ) Outcome for all i y i to be delivered to P i no more info revealed Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 3 / 36

Applications – Examples The millionaire problem [Yao82]: n = 2, x i = P i ’s income, f ( x 1 , x 2 ) = ( b , b ) , where x b = max { x 1 , x 2 } Keywords search Set intersection Auctions (e.g. the sugar beet auction, Denmark 2008) Dominik’s dating problem . . . Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 4 / 36

Multiparty Computation – Ideal The ideal solution: A trusted party! P 1 P 2 P 3 f P n Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 5 / 36

✛ ✉ ❆ Multiparty Computation – Ideal Players send their inputs.. P 1 x 1 P 2 x 2 x 3 ✱ f P 3 x n P n Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 6 / 36

✁ ❬ ✺ ❧ Multiparty Computation – Ideal ..and get their result. P 1 P 2 y 1 y 2 P 3 f y 3 y n P n Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 7 / 36

✶ ▲ ❯ ✮ ☞ ❁ ✐ q ⑤ ✕ Multiparty Computation – Real The trusted party: useful? P 1 P 2 P 3 f P n Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 8 / 36

Multiparty Computation – Dealing with Players Ideal scenario ⇒ concrete protocol? The setup – Real world n parties: P 1 , . . . , P n for all i P i has private input x i f replaced by interaction between players and local computation Outcome for all i y i to be delivered to P i no more info revealed Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 9 / 36

Multiparty Computation – Those Annoying Players Some players may cheat (to get more info)! Secure Protocol? Real world indistinguishable from Ideal world. Adversarial entity who controls dishonest players. Adversarial Behavior Dishonest players follow the protocol: Passive Adversary Dishonest players deviate from the protocol: Active Adversary Security Requirements View ( P i ) Ideal ≡ Stat / Comp View ( P i ) Real in presence of passive/active Adversary Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 10 / 36

Our Target Construction of a protocol for: Secure Multiparty Computation Active Adversary Dishonest Majority ( P i honest, for all j � = i , P j controlled by the Adversary) Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 11 / 36

Modern Approaches – High Level 2-phases approach Preprocessing ⇒ Online Players generate Previous data some shared randomness, used to evaluate of f ⇒ independently of f (seen as an arithmetic circuit). (public key crypto required). Online phase: very fast – no PKE! Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 12 / 36

Modern Approaches – High Level Fully Homomorphic Encryption [Gen09] Use an encryption scheme (KeyGen , Enc , Dec) such that for any arithmetic circuit C : Dec sk ( C ′ (Enc pk ( m 1 ) , . . . , Enc pk ( m n ))) = C ( m 1 , . . . , m n ) , where C ′ acts as C on encrypted data. If so, Enc pk i ( y i ) = Enc pk i ( f i ( x 1 , . . . , x n )) = f i (Enc pk i ( x 1 ) , . . . , Enc pk i ( x n )). Drawback: FHE is impractical (nowadays)! Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 13 / 36

Our Approach Take the best of the two previous methods! 2-phases approach with Somewhat Homomorphic Encryption. Somewhat Homomorphic Encryption Scheme An encryption scheme (KeyGen , Enc , Dec) such that: Dec sk ( C ′ (Enc pk ( m 1 ) , . . . , Enc pk ( m n ))) = C ( m 1 , . . . , m n ) , where C is an arithmetic circuit in a specific set S . In our case: S = circuits of mult depth one. Further requirement: a distributed decryption . Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 14 / 36

Our Approach – Showing off 1 (much) More practical than the FHE-approach. 2 Preprocessing phase: similar to [BDOZ11], but less protocols needed. 3 Online phase: Better scalability ( O ( n ) vs O ( n 2 ) mults to compute a secure mult) msgs in ( F p k ) s : a vector space of dim s over a field of size p k .. Note: ..but for simplicity we set s = 1 (more details later!) Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 15 / 36

Introduction 1 Online Phase 2 Preprocessing 3 An Improved Online Phase 4 Concrete Scheme 5 Benchmarks 6 Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 16 / 36

Online Phase – Digression Suppose x , y ∈ F p k . We write [ x ] , [ y ] if x , y are additively secret shared among the players: n n � � x = x i , y = y i , P i has x i , y i . i =1 i =1 Easy to compute [ x + y ]: P i locally computes a i = x i + y i . n n � � a i = ( x i + y i ) = x + y . i =1 i =1 Addition: easy. Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 17 / 36

Online Phase Multiplication? Not as easy as addition! Want to compute [ x · y ] from [ x ] , [ y ]. Using [Bea91]: easy if players have a “multiplicative triple” [ a ] , [ b ] , [ a · b ]: 1 Compute [ x + a ] , [ y + b ] (easy). 2 Reconstruct ε = x + a , δ = y + b 3 Compute [ z ] = [ a · b ] − ε · [ b ] − δ · [ a ] + ε · δ. [ z ] is a secret sharing of x · y : z = a · b − ε · b − δ · a + ε · δ = a · b − ( x + a ) · b − ( y + b ) · a + ( x + a ) · ( y + b ) = xy Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 18 / 36

★ ✮ ⑧ ✉ Online Phase Security? MACs! Message Authentication Codes (` a la [BDOZ11]) α j β j MAC j ( x i ) = · + x i i x , i P i P j �� n � n �� MAC j ( x i ) α i j , β i � We require P i to have: x i , j =1 , j � = i , x , j j =1 , j � = i Above situation: [ x ] (“bracket notation”). Notice: each player has O ( n ) MACs, O ( n ) keys for each secret value. Result: for each secret value O ( n 2 ) keys and MACs to insure security. Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 19 / 36

Summary  Multiplicative Triples  Additive Secret Sharing  = ⇒ Secure MPC. MACs How to obtain multiplicative triples? Preprocessing! Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 20 / 36

Introduction 1 Online Phase 2 Preprocessing 3 An Improved Online Phase 4 Concrete Scheme 5 Benchmarks 6 Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 21 / 36

Preprocessing Phase Target: generate [ a ] , [ b ] , [ c ] with c = ab . Setup 1 Generate keys for the SHE scheme 2 Generate the α i j ’s (first half of the MACs’ keys) 3 Broadcast Enc pk ( α i j ) 4 Invoke a Zero-Knowledge Proof of Knowledge (Π ZKPoPK ) on (Enc pk ( α i j ) , α i j ) Setup: independent from values to generate. Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 22 / 36

Preprocessing Phase Triples Getting a · b + r : 1 P i generates uniform values a i , b i , r i ∈ F p k 2 P i generates uniform values β i a , j , β i b , j , β i r , j ∈ F p k 3 P i computes and broadcasts encryptions of all the above values 4 P i Invokes Π ZKPoPK on the above ciphertexts 5 local comp.: get Enc pk ( a ) , Enc pk ( b ) , Enc pk ( r )   n n �  ← � E.g.: Enc pk ( a ) = Enc pk Enc pk ( a j ) a j  j =1 j =1 6 local comp.: get Enc pk ( r + a · b ) ← Enc pk ( r ) + Enc pk ( a ) · Enc pk ( b ) 7 agreement on decrypting: everyone gets a · b + r Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 23 / 36

Preprocessing Phase Triples from a · b + r to [ c ] = [ a · b ] & MACs on it: 8 P 1 sets c 1 ← ( r + c ) − r 1 , P i sets c i ← − r i , for ( i � = 1) 9 All players compute Enc pk ( c 1 ) ← Enc pk ( r + c , 0 ) − Enc pk ( r 1 ) 10 All players set Enc pk ( c i ) ← − Enc pk ( r i ), for ( i � = j ) 11 P i computes encryptions on MACs for a j (sim. b j , c j ): Enc pk (MAC i ( a j )) ← Enc pk ( α i j ) · Enc pk ( a j ) + Enc pk ( β i a , j ) Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 24 / 36

Introduction 1 Online Phase 2 Preprocessing 3 An Improved Online Phase 4 Concrete Scheme 5 Benchmarks 6 Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 25 / 36

Not Happy with the Current Online Phase? As said, [ x ] means O ( n 2 ) keys and MACs to compute securely. � � n �� n � ( x i ) n MAC j ( x i ) α i j , β i � �� [ x ] = i =1 , i , j =1 , x , j i , j =1 Additive secret sharing of x MACs on shared values Keys for the MACs MACs on shares ⇒ Authentication on secret values . Why not MACs on secret values ? Damg˚ ard, Pastro, Smart, Zakarias (-.-) MPC from SHE November 9, 2011 26 / 36