Efficient Primitive Protocols for Sharemind - Bingsheng Zhang (PowerPoint PPT Presentation)



SLIDE 1

Efficient Primitive Protocols for Sharemind

Bingsheng Zhang 1,2

1 Cybernetica AS, Estonia; 2 University of Tartu, Estonia

Research Seminar in Cryptography, 2009s

SLIDE 2

Outline

1. Introduction
2. Preliminaries
3. Integer Arithmetic Protocols
4. Private Update Protocol
5. PrivateRetrieval Protocol
6. Random Shuffle Protocol

SLIDE 3


Introduction

Background. Sharemind is a deployed implementation of multi-party computation, used mainly for privacy-preserving data mining. Currently there are three miners, who additively share the data in $\mathbb{Z}_{2^{32}}$; the whole system is information-theoretically secure as long as at most one miner is corrupted (passively, i.e. semi-honest). In this talk we introduce a number of important primitive protocols for Sharemind, such as share conversion between $GF(2^{32})$ and $\mathbb{Z}_{2^{32}}$, PrivateUpdate and the random shuffle protocol.

SLIDE 4


Preliminaries

Du-Atallah Multiplication. Assume Alice has a private $a \in \mathbb{Z}_{2^{32}}$ and Bob has a private $b \in \mathbb{Z}_{2^{32}}$. Alice, Bob and Charlie want to obtain $S_A, S_B, S_C \in \mathbb{Z}_{2^{32}}$ such that $S_A + S_B + S_C = a \cdot b \pmod{2^{32}}$. During the protocol, Alice generates $\gamma_1 \leftarrow_u \mathbb{Z}_{2^{32}}$, sends $\gamma_1$ to Charlie and $a + \gamma_1 \pmod{2^{32}}$ to Bob. Bob generates $\gamma_2 \leftarrow_u \mathbb{Z}_{2^{32}}$, sends $\gamma_2$ to Charlie and $b + \gamma_2 \pmod{2^{32}}$ to Alice. They then set the shares

$S_A = -\gamma_1 \cdot (b + \gamma_2) \pmod{2^{32}}$, $S_B = b \cdot (a + \gamma_1) \pmod{2^{32}}$, $S_C = \gamma_1 \cdot \gamma_2 \pmod{2^{32}}$.

Correctness: $S_A + S_B + S_C = -\gamma_1 b - \gamma_1\gamma_2 + ab + b\gamma_1 + \gamma_1\gamma_2 = ab$. Each party alone sees only uniformly masked values (Bob sees $a + \gamma_1$, Alice sees $b + \gamma_2$, Charlie sees $\gamma_1, \gamma_2$), which is why the protocol is private against a single semi-honest party; the masks must be fresh for every multiplication.

SLIDE 5


Preliminaries

One-bit Share Conversion Protocol. Let $b \in \mathbb{Z}_2$ be shared as $b = b_0 \oplus b_1 \oplus b_2$, where $b_0, b_1, b_2 \in \mathbb{Z}_2$ and miner $M_p$ holds $b_p$. After executing this protocol, the 3 miners hold shares $S_0, S_1, S_2 \in \mathbb{Z}_{2^{32}}$ such that $b = S_0 + S_1 + S_2 \pmod{2^{32}}$. Essentially, the protocol evaluates

$b = b_0 + b_1 + b_2 - 2b_0b_1 - 2b_0b_2 - 2b_1b_2 + 4b_0b_1b_2 \pmod{2^{32}}$,

the arithmetic form of a three-way XOR. The protocol uses the Du-Atallah multiplication protocol to get shares of $2b_ib_j$. To share $4b_0b_1b_2$, miner $M_2$ shares $2b_2$ and the miners compute $[[4b_0b_1b_2]] = [[2b_0b_1]] \cdot [[2b_2]]$ with the share multiplication protocol. Finally, the 3 miners reshare $[[b]]$ so that the shares are uniformly distributed. The whole protocol costs 3 rounds.

NB: Recently, Tomas Toft and Margus Niitsoo implemented a new kind of one-bit share conversion protocol for Sharemind. It costs only 1 round plus exactly 1 round of precomputation, which can be merged with the previous round of computation.
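The two protocols above, as an added Python example that is mine and not part of the slides: additive sharing in $\mathbb{Z}_{2^{32}}$, the Du-Atallah multiplication of slide 4, and the one-bit share conversion of slide 5 built from it. The shared-by-shared multiplication (`mul_shared`, Du-Atallah for every cross term) and the resharing step are my reconstruction of the deck's "multiplication protocol" and "reshare"; both are assumptions, not the deck's code.

```python
import secrets

MOD = 1 << 32  # Sharemind shares live in Z_{2^32}


def share(x):
    """Additively share x among three miners: x = s0 + s1 + s2 (mod 2^32)."""
    s0, s1 = secrets.randbelow(MOD), secrets.randbelow(MOD)
    return [s0, s1, (x - s0 - s1) % MOD]


def reconstruct(shares):
    return sum(shares) % MOD


def du_atallah(a, b):
    """Slide 4. Alice holds a, Bob holds b, Charlie helps.
    Returns (S_A, S_B, S_C) with S_A + S_B + S_C = a*b (mod 2^32).
    Messages: Alice -> Charlie: gamma1, Alice -> Bob: a + gamma1;
              Bob   -> Charlie: gamma2, Bob   -> Alice: b + gamma2.
    Every message a single party sees is masked by a fresh uniform value."""
    gamma1 = secrets.randbelow(MOD)      # Alice's fresh mask
    gamma2 = secrets.randbelow(MOD)      # Bob's fresh mask
    a_masked = (a + gamma1) % MOD        # Bob's view of a
    b_masked = (b + gamma2) % MOD        # Alice's view of b
    s_a = (-gamma1 * b_masked) % MOD
    s_b = (b * a_masked) % MOD
    s_c = (gamma1 * gamma2) % MOD
    return s_a, s_b, s_c


def mul_shared(x, y):
    """[[x]] * [[y]] on 3-miner additive shares (assumed construction, not the
    deck's): x*y = sum_{i,j} x_i*y_j. Diagonal terms are local to miner i; each
    cross term x_i*y_j (i != j) is one Du-Atallah run with M_i as Alice, M_j as
    Bob and the remaining miner as Charlie."""
    out = [(x[p] * y[p]) % MOD for p in range(3)]
    for i in range(3):
        for j in range(3):
            if i != j:
                k = 3 - i - j
                s_i, s_j, s_k = du_atallah(x[i], y[j])
                out[i] = (out[i] + s_i) % MOD
                out[j] = (out[j] + s_j) % MOD
                out[k] = (out[k] + s_k) % MOD
    return out


def reshare(s):
    """Re-randomise shares: M_p adds its r_p and subtracts the r_{p-1} it receives."""
    r = [secrets.randbelow(MOD) for _ in range(3)]
    return [(s[p] + r[p] - r[(p - 1) % 3]) % MOD for p in range(3)]


def bit_to_additive(b0, b1, b2):
    """Slide 5. XOR-shared bit b = b0 ^ b1 ^ b2 (miner M_p holds b_p) -> additive
    shares of b in Z_{2^32}, from
        b = b0 + b1 + b2 - 2 b0b1 - 2 b0b2 - 2 b1b2 + 4 b0b1b2 (mod 2^32)."""
    bits = (b0, b1, b2)
    out = list(bits)                         # the linear terms are held locally
    prods = {}
    for i, j in ((0, 1), (0, 2), (1, 2)):    # [[b_i b_j]] via Du-Atallah between M_i and M_j
        k = 3 - i - j
        s = [0, 0, 0]
        s[i], s[j], s[k] = du_atallah(bits[i], bits[j])
        prods[(i, j)] = s
        out = [(out[p] - 2 * s[p]) % MOD for p in range(3)]
    # 4 b0 b1 b2 = [[2 b0 b1]] * [[2 b2]]: M_2 shares 2*b2 itself, then one share multiplication
    two_b0b1 = [2 * v % MOD for v in prods[(0, 1)]]
    cubic = mul_shared(two_b0b1, share(2 * b2))
    out = [(out[p] + cubic[p]) % MOD for p in range(3)]
    return reshare(out)                      # make the final shares uniformly distributed
```

Each call to `du_atallah` draws fresh masks; reusing $\gamma_1$ across two multiplications would let Bob subtract the two masked values he receives and learn the difference of Alice's inputs.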

SLIDE 6


Preliminaries: Randomized Shellsort

1. For $o = n/2, n/2^2, n/2^3, \dots, 1$ do:
   1. Let $A_i$ denote the subarray $A[io \,..\, io + o - 1]$, for $i = 0, 1, 2, \dots, n/o - 1$.
   2. Do a shaker pass:
      1. Region compare-exchange $A_i$ and $A_{i+1}$, for $i = 0, 1, 2, \dots, n/o - 2$.
      2. Region compare-exchange $A_{i+1}$ and $A_i$, for $i = n/o - 2, \dots, 2, 1, 0$.
   3. Do an extended brick pass:
      1. Region compare-exchange $A_i$ and $A_{i+3}$, for $i = 0, 1, 2, \dots, n/o - 4$.
      2. Region compare-exchange $A_i$ and $A_{i+2}$, for $i = 0, 1, 2, \dots, n/o - 3$.
      3. Region compare-exchange $A_i$ and $A_{i+1}$, for even $i = 0, 2, \dots, n/o - 2$.
      4. Region compare-exchange $A_i$ and $A_{i+1}$, for odd $i = 1, 3, \dots, n/o - 2$.
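The randomized Shellsort above as an added Python example of my own (not from the slides), written so that the sequence of compared positions is recorded. The point for Sharemind is that this sequence depends only on $n$ and the sorting randomness, never on the data, so each compare-exchange can be replaced by a protocol over shared values without the access pattern leaking anything. The slides do not define region compare-exchange; the code assumes Goodrich's definition (c random matchings between the two regions, each matched pair compare-exchanged) with c = 4, and both are assumptions.

```python
import random


def region_compare_exchange(a, r1, r2, size, rng, trace, c):
    """Compare-exchange between regions a[r1:r1+size] and a[r2:r2+size].
    Assumption (the slide leaves it undefined): Goodrich's version, i.e. c random
    matchings of the two regions, each matched pair compare-exchanged so that the
    lower index ends up with the smaller value. The index pairs are appended to
    `trace`; they depend only on size and rng, never on the values in a."""
    for _ in range(c):
        perm = list(range(size))
        rng.shuffle(perm)
        for k in range(size):
            i, j = sorted((r1 + k, r2 + perm[k]))
            trace.append((i, j))
            if a[i] > a[j]:
                a[i], a[j] = a[j], a[i]


def randomized_shellsort(a, seed, c=4):
    """Sort the list a in place following the passes of the slide (n must be a
    power of two) and return the compare-exchange trace. The same seed gives the
    same trace for any input, which is what makes the sort oblivious."""
    n = len(a)
    if n & (n - 1):
        raise ValueError("n must be a power of two")
    rng = random.Random(seed)
    trace = []
    o = n // 2
    while o >= 1:
        m = n // o                         # regions A_0 .. A_{m-1}, each of size o

        def rce(i, j):
            region_compare_exchange(a, i * o, j * o, o, rng, trace, c)

        for i in range(m - 1):             # shaker pass, forward
            rce(i, i + 1)
        for i in range(m - 2, -1, -1):     # shaker pass, backward
            rce(i + 1, i)
        for i in range(m - 3):             # extended brick pass: distance 3
            rce(i, i + 3)
        for i in range(m - 2):             # distance 2
            rce(i, i + 2)
        for i in range(0, m - 1, 2):       # distance 1, even i
            rce(i, i + 1)
        for i in range(1, m - 1, 2):       # distance 1, odd i
            rce(i, i + 1)
        o //= 2
    return trace


def access_pattern_is_data_independent(n, seed):
    """Self-check: two different inputs of size n give the same trace under the
    same seed, i.e. nothing about the data is visible in which cells are touched."""
    t1 = randomized_shellsort(list(range(n, 0, -1)), seed)
    t2 = randomized_shellsort(list(range(n)), seed)
    return t1 == t2
```

The sort is only guaranteed to succeed with high probability; in an MPC setting the randomness for the matchings must itself be agreed on without any single miner controlling it.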

SLIDE 7


Preliminaries: Benchmark

[Benchmark figure; not reproduced in the extracted text.]

SLIDE 8


Integer Arithmetic Protocols: Generating Random Invertible Pairs

Server's input: $\bot$
Server's output: Data shares in $\mathbb{Z}_{2^{32}}$: $[[R \leftarrow_u \mathbb{Z}^*_{2^{32}}]]$ and $[[R^{-1}]]$

1. Each miner $M_p$, $p \in \{0,1,2\}$, generates two random numbers $A_p \leftarrow_u \{1, 2, \dots, 2^{31}\}$ and $B_p \leftarrow_u \{1, 2, \dots, 2^{31}\}$ and sets $R_p = 2 \cdot A_p - 1$ and $R'_p = 2 \cdot B_p - 1$. (Every share is odd, so $R = R_0 + R_1 + R_2$ and $R' = R'_0 + R'_1 + R'_2$ are odd, i.e. units of $\mathbb{Z}_{2^{32}}$.)
2. All miners compute and reveal $C = [[R]] \cdot [[R']]$.
3. Each miner computes and sets $[[R^{-1}]] = C^{-1} \cdot [[R']]$.

The total protocol costs 2 rounds. Revealing $C = R \cdot R'$ leaks nothing about $R$: $R'$ is a uniformly random unit independent of $R$ (two honest miners contribute uniform odd shares), so $C$ is itself a uniform unit.

SLIDE 9


Integer Arithmetic Protocols: Unbounded Fan-in Multiplication

Server's input: Data shares in $\mathbb{Z}^*_{2^{32}}$: $[[X_1]], \dots, [[X_k]]$
Server's output: Data shares in $\mathbb{Z}^*_{2^{32}}$: $[[\prod_{i=1}^{k} X_i]]$

1. All miners generate random invertible pairs $([[R_0]], [[R_0^{-1}]]), \dots, ([[R_k]], [[R_k^{-1}]])$ using the sub-protocol of the previous section.
2. For $i \in \{1, \dots, k\}$, all miners compute and reveal $A_i = [[R_{i-1}]] \cdot [[X_i]] \cdot [[R_i^{-1}]]$.
3. Each miner locally computes $B = \prod_{i=1}^{k} A_i = R_0 \cdot \prod_{i=1}^{k} X_i \cdot R_k^{-1}$ (the $R_i$ telescope).
4. All miners compute $[[S]] = [[R_0^{-1}]] \cdot B \cdot [[R_k]]$.

The total protocol costs 5 rounds, independent of $k$. Each revealed $A_i$ is masked by a fresh uniform unit, so the revealed values are uniformly distributed and independent of the $X_i$.
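The protocols of slides 8 and 9, as an added Python example of my own (not the deck's code). The share multiplication protocol is replaced by an ideal stand-in (`mul`, which opens, multiplies and reshares); that is an assumption made so that the example shows the masking structure: which values get revealed, and why revealing them is safe.

```python
import secrets

MOD = 1 << 32


def share(x):
    """Additive 3-miner sharing in Z_{2^32}."""
    s0, s1 = secrets.randbelow(MOD), secrets.randbelow(MOD)
    return [s0, s1, (x - s0 - s1) % MOD]


def reveal(shares):
    return sum(shares) % MOD


def mul(x, y):
    """Stand-in for Sharemind's share multiplication protocol (assumption: modelled
    as the ideal functionality open -> multiply -> reshare, so that only the
    structure of the two protocols is demonstrated, not the multiplication itself)."""
    return share(reveal(x) * reveal(y) % MOD)


def random_invertible_pair():
    """Slide 8: returns ([[R]], [[R^-1]]) with R a uniform unit of Z_{2^32}.
    Each miner picks odd R_p, R'_p (R_p = 2A_p - 1 with A_p uniform in 1..2^31);
    the sum of three odd shares is odd, and the odd residues are exactly the units."""
    r = [2 * secrets.randbelow(1 << 31) + 1 for _ in range(3)]
    r_prime = [2 * secrets.randbelow(1 << 31) + 1 for _ in range(3)]
    c = reveal(mul(r, r_prime))                  # C = R * R' is opened: a uniform unit, independent of R
    c_inv = pow(c, -1, MOD)                      # public inverse of the opened value
    r_inv = [c_inv * s % MOD for s in r_prime]   # [[R^-1]] = C^-1 * [[R']], purely local
    return r, r_inv


def fanin_mul(xs):
    """Slide 9: [[prod X_i]] in a constant number of rounds.
    Returns the result shares and the opened A_i, so that the reader can check
    that every revealed value is masked by the fresh units R_{i-1} and R_i^-1."""
    k = len(xs)
    pairs = [random_invertible_pair() for _ in range(k + 1)]   # (R_0,R_0^-1) .. (R_k,R_k^-1)
    opened = []
    for i in range(1, k + 1):
        r_prev, _ = pairs[i - 1]
        _, r_inv_i = pairs[i]
        opened.append(reveal(mul(mul(r_prev, xs[i - 1]), r_inv_i)))   # A_i = R_{i-1} X_i R_i^-1
    b = 1
    for a_i in opened:                      # B = prod A_i = R_0 * prod X_i * R_k^-1 (telescoping)
        b = b * a_i % MOD
    r0_inv = pairs[0][1]
    rk = pairs[k][0]
    scaled = [b * s % MOD for s in r0_inv]  # B * [[R_0^-1]] is a local scalar multiplication
    return mul(scaled, rk), opened          # [[S]] = [[R_0^-1]] * B * [[R_k]]
```

Only the $R_i$ need to be units; the $X_i$ do not have to be, since nothing is divided by them. The opened $A_i$ are jointly uniform because $(R_0, \dots, R_k) \mapsto (A_1, \dots, A_k, R_k)$ is a bijection for fixed $X_i$.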

SLIDE 10


Integer Arithmetic Protocols: Unbounded Fan-in Conjunction

1. All miners compute $[[S]] = 1 + 2\sum_{i=1}^{k} [[X_i]]$.
2. For $i \in \{1, \dots, k+1\}$, all miners call the unbounded fan-in multiplication protocol to compute $[[S]], [[S^2]], \dots, [[S^{k+1}]]$.
3. All miners compute $[[A]] = [[P(S)]] \cdot \gamma^{-1} = \left(\alpha_0 + \sum_{i=1}^{k+1} \alpha_i [[S^i]]\right) \cdot \gamma^{-1}$.
4. All miners reveal the shares of $A$ from the rightmost bit up to the $(\beta \bmod 32)$-th bit, and compute the carry into the $((\beta \bmod 32)+1)$-th position, denoted $c$. Each miner sets its result share $Y_p = A_p[(\beta \bmod 32)+1] \oplus c$.

The total protocol costs 6 rounds, as step 3 can be computed locally.

SLIDE 11


Integer Arithmetic Protocols: Bitwise Carry Protocol

Server's input: Data shares in $\mathbb{Z}_{2^{32}}$: $[[a_0]], \dots, [[a_{31}]]$ and $[[b_0]], \dots, [[b_{31}]]$
Server's output: Data shares in $\mathbb{Z}_2$: $[[c_0]], \dots, [[c_{31}]]$

1. All miners set $[[c_0]] = 0$ and $[[c_1]] = [[a_0]] \cdot [[b_0]]$.
2. For $i \in \{2, \dots, 31\}$, all miners call the unbounded fan-in conjunction protocol to compute $[[c_i]] = [[a_{i-1}]] \cdot [[c_{i-1}]] \oplus [[b_{i-1}]] \cdot [[c_{i-1}]] \oplus [[a_{i-1}]] \cdot [[b_{i-1}]]$ (the majority of $a_{i-1}$, $b_{i-1}$ and $c_{i-1}$).

The total protocol costs 6 rounds, the cost of one unbounded fan-in conjunction: the carries are computed in parallel, not rippled one after another.

SLIDE 12


Integer Arithmetic Protocols: Addition Protocol for Shares in $GF(2^{32})$

1. Each miner $M_p$ splits $A_p$ and $B_p$ into bits $A_p[31], \dots, A_p[0]$ and $B_p[31], \dots, B_p[0]$, and the miners call the one-bit share conversion protocol to convert them to additive shares in $\mathbb{Z}_{2^{32}}$, denoted $A'_p[31], \dots, A'_p[0]$ and $B'_p[31], \dots, B'_p[0]$.
2. All miners call the bitwise carry protocol and obtain carry-bit shares $C'_p[31], \dots, C'_p[0]$.
3. For $i \in \{0, \dots, 31\}$, each miner computes $C_p[i] = A_p[i] \oplus B_p[i] \oplus C'_p[i]$ ($\mathbb{Z}_2$ operation).
4. Each miner sets $C_p = C_p[31] \| \dots \| C_p[0]$.

The total protocol costs $1 + 6 = 7$ rounds.

SLIDE 13


Integer Arithmetic Protocols: Generating a Random Solved Bit-decomposition Instance

Server's output: $[[R \leftarrow_u \mathbb{Z}_{2^{32}}]]$ and $[[r_{31}]], [[r_{30}]], \dots, [[r_0]]$, where $r_i \in \{0,1\}$ and $R = \sum_{i=0}^{31} r_i \cdot 2^i$.

1. Each miner $M_p$ randomly generates $R'_p \leftarrow_u \mathbb{Z}_{2^{32}}$, with bits $R'_p[31], \dots, R'_p[0]$.
2. All miners call the one-bit share conversion sub-protocol to convert $R'_p[31], \dots, R'_p[0]$ to additive shares $r_p[31], \dots, r_p[0]$.
3. Each miner computes and sets $R_p = 2^{31} \cdot r_p[31] + 2^{30} \cdot r_p[30] + \dots + 2^0 \cdot r_p[0] \bmod 2^{32}$.

The total protocol costs 1 round.

SLIDE 14


Integer Arithmetic Protocols: Share Conversion $GF(2^{32}) \to \mathbb{Z}_{2^{32}}$ Protocol

Server's input: Data shares in $GF(2^{32})$: $X = X_0 \oplus X_1 \oplus X_2$
Server's output: Data shares in $\mathbb{Z}_{2^{32}}$: $X = X'_0 + X'_1 + X'_2 \bmod 2^{32}$

1. Each miner $M_p$ splits $X_p$ into bits $X_p[31], \dots, X_p[0]$.
2. All miners call the one-bit share conversion sub-protocol to compute additive shares $A_p[31], \dots, A_p[0]$.
3. Each miner computes and sets $X'_p = 2^{31} \cdot A_p[31] + 2^{30} \cdot A_p[30] + \dots + 2^0 \cdot A_p[0] \bmod 2^{32}$.

The total protocol costs 1 round.

SLIDE 15


Integer Arithmetic Protocols: Share Conversion $\mathbb{Z}_{2^{32}} \to GF(2^{32})$ Protocol

Server's input: Data shares in $\mathbb{Z}_{2^{32}}$: $X = X_0 + X_1 + X_2 \bmod 2^{32}$
Server's output: Data shares in $GF(2^{32})$: $X = X'_0 \oplus X'_1 \oplus X'_2$

1. Each miner $M_p$ splits $X_p$ into bits $X_p[31], \dots, X_p[0]$.
2. The 3 miners call the one-bit share conversion sub-protocol to compute additive shares $A_p[31], \dots, A_p[0]$.
3. Each miner computes and sets $S_p = 2^{31} \cdot A_p[31] + 2^{30} \cdot A_p[30] + \dots + 2^0 \cdot A_p[0] \bmod 2^{32}$.
4. Each miner computes $\varepsilon_p = X_p - S_p$ and shares $\varepsilon_p$ bitwise in $\mathbb{Z}_{2^{32}}$.
5. All miners call the addition protocol for shares in $GF(2^{32})$ to compute $[[X]] = [[A]] + [[\varepsilon_0]] + [[\varepsilon_1]] + [[\varepsilon_2]]$, where $A = X_0 \oplus X_1 \oplus X_2$ (note that $S_0 + S_1 + S_2 = A$, so $X = A + \varepsilon_0 + \varepsilon_1 + \varepsilon_2$).

SLIDE 16


Integer Arithmetic Protocols: Bit Decomposition Protocol

Server's input: Data shares in $\mathbb{Z}_{2^{32}}$: $X = X_0 + X_1 + X_2 \bmod 2^{32}$
Server's output: Data shares in $\mathbb{Z}_{2^{32}}$: $X[i] = X'_0[i] + X'_1[i] + X'_2[i] \bmod 2^{32}$ for $i \in \{0, \dots, 31\}$

1. All miners call the sub-protocol that generates a random solved bit-decomposition instance: $[[R \leftarrow_u \mathbb{Z}_{2^{32}}]]$ and $[[r_{31}]], [[r_{30}]], \dots, [[r_0]]$, where $r_i \in \{0,1\}$ and $R = \sum_{i=0}^{31} r_i \cdot 2^i$.
2. All miners compute $[[A]] = [[X]] - [[R]]$ and reveal $A$. (Since $R$ is uniform and unknown to any single miner, $A$ is a uniformly random value that reveals nothing about $X$.)
3. All miners split $A$ into bits and call the addition protocol for shares in $GF(2^{32})$ to get $[[B]] = A + [[R]]$.
4. All miners split $B_p$ into bits and call the one-bit share conversion protocol to get $[[X[i]]]$.

SLIDE 17


Integer Arithmetic Protocols: Share Conversion $\mathbb{Z}_{2^{32}} \to GF(2^{32})$ Protocol (via bit decomposition)

Server's input: Data shares in $\mathbb{Z}_{2^{32}}$: $X = X_0 + X_1 + X_2 \bmod 2^{32}$
Server's output: Data shares in $GF(2^{32})$: $X = X'_0 \oplus X'_1 \oplus X'_2$

1. All miners call the bit decomposition protocol on $[[X]]$; denote the bit shares held by miner $M_p$ by $X^{31}_p, \dots, X^0_p$.
2. Each miner sets $X'_p = R^{31}_p \| \dots \| R^0_p$, where $R^i_p$ is the rightmost bit of $X^i_p$. (Because $X[i] = X^i_0 + X^i_1 + X^i_2 \bmod 2^{32}$ is a single bit, its value equals the XOR of the least significant bits of the three shares, so this step needs no communication.)

The total protocol costs 8 rounds.
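Slides 13, 16 and 17 together, as an added Python example of my own, not the deck's code: a random solved bit-decomposition instance, bit decomposition by revealing $A = X - R$, and the conversion to $GF(2^{32})$ shares by taking least significant bits. The share multiplication and one-bit conversion protocols are ideal stand-ins (`mul`, `bit_convert`), and the bit addition of the public $A$ to the shared bits of $R$ is a sequential ripple carry rather than the deck's constant-round bitwise carry protocol; both are assumptions.

```python
import secrets

MOD = 1 << 32
NBITS = 32


def share(x):
    """Additive 3-miner sharing in Z_{2^32}."""
    s0, s1 = secrets.randbelow(MOD), secrets.randbelow(MOD)
    return [s0, s1, (x - s0 - s1) % MOD]


def reveal(shares):
    return sum(shares) % MOD


def add(x, y):
    return [(x[p] + y[p]) % MOD for p in range(3)]


def scale(shares, c):
    """Multiply by a public constant: local for every miner."""
    return [c * s % MOD for s in shares]


def add_public(shares, c):
    """Add a public constant: only miner 0 adjusts its share."""
    return [(shares[0] + c) % MOD] + shares[1:]


def mul(x, y):
    """Stand-in for the share multiplication protocol (assumption: the ideal
    open-multiply-reshare functionality, not the deck's Du-Atallah protocol)."""
    return share(reveal(x) * reveal(y) % MOD)


def bit_convert(b0, b1, b2):
    """Stand-in for the one-bit share conversion protocol (assumption: ideal)."""
    return share(b0 ^ b1 ^ b2)


def random_solved_instance():
    """Slide 13: [[R]] plus additive shares [[r_0]]..[[r_31]] of its bits.
    Miner p picks R'_p; bit i of R = R'_0 ^ R'_1 ^ R'_2 is XOR-shared by the
    miners' own bits and converted to additive shares; R_p = sum_i 2^i r_p[i]."""
    r_prime = [secrets.randbelow(MOD) for _ in range(3)]
    bits = [bit_convert(*[(rp >> i) & 1 for rp in r_prime]) for i in range(NBITS)]
    R = [sum(bits[i][p] << i for i in range(NBITS)) % MOD for p in range(3)]
    return R, bits


def bit_decompose(X):
    """Slide 16: [[X]] -> additive shares of the bits X[0]..X[31].
    A = X - R is revealed; it is uniform because R is, so it leaks nothing.
    B = A + R (= X) is then rebuilt bit by bit with A public and r_i shared:
        sum bit  a ^ r ^ c   = a + r + c - 2(ar + ac + rc) + 4 a*rc
        carry    maj(a,r,c)  = ar + ac + rc - 2 a*rc
    Products with the public a are local; only r*c needs the protocol.
    This ripple is sequential (32 multiplications in series); the deck's
    bitwise carry protocol achieves the same in a constant number of rounds."""
    R, r = random_solved_instance()
    A = reveal([(X[p] - R[p]) % MOD for p in range(3)])
    carry = [0, 0, 0]
    out = []
    for i in range(NBITS):
        a = (A >> i) & 1                          # public bit of A
        rc = mul(r[i], carry)                     # the only non-local product per bit
        ar, ac, arc = scale(r[i], a), scale(carry, a), scale(rc, a)
        lin = add_public(add(r[i], carry), a)     # a + r + c
        cross = add(add(ar, ac), rc)              # ar + ac + rc
        out.append(add(add(lin, scale(cross, -2)), scale(arc, 4)))
        carry = add(cross, scale(arc, -2))
    return out


def to_gf_shares(bit_shares):
    """Slide 17: X[i] = X^i_0 + X^i_1 + X^i_2 mod 2^32 is a single bit, so it equals
    the XOR of the three shares' least significant bits. Miner p forms X'_p by
    concatenating lsb(X^i_p) over i, with no communication at all."""
    return [sum((bit_shares[i][p] & 1) << i for i in range(NBITS)) for p in range(3)]
```

The carry out of bit 31 is dropped, which is exactly the reduction modulo $2^{32}$ that the shares already live in.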

SLIDE 18


Private Update Protocol

PrivateUpdate Protocol. In a PrivateUpdate protocol, the client updates one element of the encrypted database such that the semi-honest server does not learn which element was updated, nor to which value.

Client's input: $(x, y)$ (the client wants to update the $x$-th element to the value $y$).
Server's input: $\{c_i\}_{i=0}^{n-1} = \{[[f_i]]\}_{i=0}^{n-1}$.
Client's output: $\bot$
Server's output: $\{c'_i\}_{i=0}^{n-1}$ with $c'_i := [[f_i]]$ if $x \neq i$, and $c'_i := [[y]]$ if $x = i$.

SLIDE 19


Private Update Protocol: Circuit $\phi_i$, constant rounds.

[Circuit figure; not reproduced in the extracted text.]

SLIDE 20


Private Update Protocol: Constant-Rounds PrivateUpdate Protocol

Client's input: $(x, y)$
Server's input: Shared database $[[f]] = \{[[f_0]], \dots, [[f_{n-1}]]\}$

1. The client sends $x = x_0 \oplus x_1 \oplus x_2$ (shared in $GF(2^{32})$) and $y = y_0 + y_1 + y_2 \bmod 2^{32}$ (shared in $\mathbb{Z}_{2^{32}}$) to the 3 miners $M_p$, $p \in \{0,1,2\}$.
2. Each miner splits $x_p$ into bits $x_p[0], \dots, x_p[31]$.
3. All miners call the one-bit share conversion sub-protocol to compute additive shares in $\mathbb{Z}_{2^{32}}$: $I_p[0], \dots, I_p[31]$.
4. For $i \in \{0, \dots, n-1\}$, the 3 miners do in parallel:
   1. Run the shared circuit $[[\psi_i(x)]]$ (which is 1 if $x = i$ and 0 otherwise).
   2. Compute and store the new shared database entry $[[f'_i]] \leftarrow ([[y]] - [[f_i]]) \cdot [[\psi_i(x)]] + [[f_i]]$.

Every entry is rewritten, so the miners' view is independent of $x$ and $y$.

SLIDE 21


PrivateRetrieval Protocol

PrivateRetrieval Protocol. In a PrivateRetrieval protocol, the client wants to retrieve the $i$-th document without revealing $i$ to the server. As in the constant-rounds PrivateUpdate protocol for Sharemind, the PrivateRetrieval protocol uses the circuit to compute a so-called selection vector $\vec{S}$ from the shared index $[[x]]$ such that $S[x] = 1$ and $S[i] = 0$ for $i \neq x$. Then all the miners compute $[[\vec{S}]]^T \cdot [[\vec{D}]]$ in 1 round, where $\vec{D} = \{D_0, D_1, \dots, D_{n-1}\}$.
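The constant-rounds PrivateUpdate protocol of slide 20 and the PrivateRetrieval protocol above, as an added Python example (mine, not the deck's code). The circuit $\psi_i$ is not given on the slides; it is realised here as a product over the index bits, and the share multiplication and one-bit conversion protocols are ideal stand-ins (`mul`, `bit_convert`); all three are assumptions.

```python
import secrets

MOD = 1 << 32
NBITS = 32


def share(x):
    """Additive 3-miner sharing in Z_{2^32} (used for y and the database)."""
    s0, s1 = secrets.randbelow(MOD), secrets.randbelow(MOD)
    return [s0, s1, (x - s0 - s1) % MOD]


def reveal(shares):
    return sum(shares) % MOD


def mul(x, y):
    """Stand-in for the share multiplication protocol (assumption: ideal
    open-multiply-reshare; the structure of the protocols is what is shown)."""
    return share(reveal(x) * reveal(y) % MOD)


def bit_convert(b0, b1, b2):
    """Stand-in for the one-bit share conversion protocol (assumption: ideal)."""
    return share(b0 ^ b1 ^ b2)


def client_share_index(x):
    """Step 1, client side: x as XOR shares x = x0 ^ x1 ^ x2 (GF(2^32))."""
    x0, x1 = secrets.randbelow(MOD), secrets.randbelow(MOD)
    return [x0, x1, x ^ x0 ^ x1]


def index_bits(x_shares):
    """Steps 2-3: miner p splits x_p into bits; the conversion gives additive
    shares [[I_0]]..[[I_31]] of the bits of x."""
    return [bit_convert(*[(xp >> j) & 1 for xp in x_shares]) for j in range(NBITS)]


def selection_vector(I, n):
    """[[psi_i(x)]] for i = 0..n-1, with psi_i(x) = 1 iff x == i.
    Assumed realisation of the slides' circuit: psi_i = prod_j (I_j if bit j of i
    is 1 else 1 - I_j). The deck evaluates each product with unbounded fan-in
    multiplication in constant rounds; here it is a sequential product."""
    psi = []
    for i in range(n):
        acc = [1, 0, 0]                                  # the public constant 1 as shares
        for j in range(NBITS):
            if (i >> j) & 1:
                factor = I[j]
            else:
                factor = [((1 if p == 0 else 0) - I[j][p]) % MOD for p in range(3)]  # 1 - I_j
            acc = mul(acc, factor)
        psi.append(acc)
    return psi


def private_update(db, x_shares, y_shares):
    """Slide 20, step 4: f'_i = (y - f_i) * psi_i(x) + f_i for all i in parallel.
    Every entry is rewritten, so the miners learn neither x nor y."""
    psi = selection_vector(index_bits(x_shares), len(db))
    new_db = []
    for f_i, psi_i in zip(db, psi):
        diff = [(y_shares[p] - f_i[p]) % MOD for p in range(3)]
        prod = mul(diff, psi_i)
        new_db.append([(prod[p] + f_i[p]) % MOD for p in range(3)])
    return new_db


def private_retrieval(db, x_shares):
    """Slide 21: [[S]]^T . [[D]] = sum_i psi_i(x) * D_i, one multiplication round."""
    psi = selection_vector(index_bits(x_shares), len(db))
    acc = [0, 0, 0]
    for d_i, psi_i in zip(db, psi):
        prod = mul(psi_i, d_i)
        acc = [(acc[p] + prod[p]) % MOD for p in range(3)]
    return acc
```

Because $\psi_i$ tests all 32 index bits, an out-of-range index $x \ge n$ matches no entry: the update is a silent no-op and the retrieval returns 0, which the client cannot tell apart from a stored 0. The client should therefore range-check $x$ before sharing it; the servers cannot, since they never see it.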

SLIDE 22


Random Shuffle Protocol

1. For $i \in \{1, \dots, k \log n\}$, all miners $M_p$, $p \in \{0,1,2\}$, do:
   1. Generate a random number $R_p$ of length $n$ bits and split it into bits $R_p[0], \dots, R_p[n-1]$.
   2. Call the one-bit share conversion sub-protocol to compute additive shares in $\mathbb{Z}_{2^{32}}$: $b_p[0], \dots, b_p[n-1]$.
   3. For $j \in \{0, \dots, n-1\}$, all miners compute $[[s_j]] = [[b_j]] \cdot \prod_{w=0}^{j-1} \big((1 - [[b_w]]) + 2 \cdot [[b_w]]\big)$. Denote the selection vector $[[\vec{S}]] = ([[s_0]], [[s_1]], \dots, [[s_{n-1}]])$.
   4. For $k \in \{0, \dots, |D|-1\}$, all miners compute $[[L[k]]] \leftarrow [[\vec{S}]]^T \cdot [[\vec{f}[k]]]$. Then split $[[L[k]]]$ into bits.
   5. For $j \in \{0, \dots, n-1\}$, all miners compute $[[s_j]] = (1 - [[b_j]]) \cdot \prod_{w=0}^{j-1} \big([[b_w]] + 2 \cdot (1 - [[b_w]])\big)$. Denote the selection vector $[[\vec{S}]] = ([[s_0]], [[s_1]], \dots, [[s_{n-1}]])$.
   6. For $k \in \{0, \dots, |D|-1\}$, all miners compute $[[R[k]]] \leftarrow [[\vec{S}]]^T \cdot [[\vec{f}[k]]]$. Then split $[[R[k]]]$ into bits.
   7. All miners reveal $\prod_{w=0}^{n-1} \big((1 - [[b_w]]) + 2 \cdot [[b_w]]\big)$, namely how many documents fall into $L$ and $R$ respectively. Then

SLIDE 23


Random Shuffle Protocol: $O(\log n)$-round Random Shuffle Protocol (Shellsort)

Client's input: $\bot$
Server's input: Shared database vector $[[\vec{f}]] = \{[[f_0]], \dots, [[f_{n-1}]]\}$
Server's output: Shuffled database vector $[[\vec{f'}]] = \{[[f'_0]], \dots, [[f'_{n-1}]]\}$

1. All miners $M_p$, $p \in \{0,1,2\}$, generate a random number $R^i_p$ of length $k \log n$ bits for document $f_i$, where $i \in \{0, \dots, n-1\}$.
2. All miners obliviously Shellsort the documents by the associated random numbers.
3. All miners delete the random-number shares.

SLIDE 24


Random Shuffle Protocol

1. For set size $i \in \{n, n/2, n/2^2, \dots, 1\}$, all miners $M_p$, $p \in \{0,1,2\}$, do:
   1. Set an array $A_p[i]$ of size $i$ to all zeros. Pick $i/2$ positions at random and set them to 1. Now $A_p[i]$ can be regarded as a random number with Hamming weight exactly $i/2$.
   2. For $u = 0, 1, 2$, miner $M_u$ shares $A_u[i]$ bitwise: $[[b[0]]], \dots, [[b[i-1]]]$.
      1. For $j \in \{0, \dots, i-1\}$, all miners compute $[[s_j]] = [[b_j]] \cdot \prod_{w=0}^{j-1} \big((1 - [[b_w]]) + 2 \cdot [[b_w]]\big)$. Denote the selection vector $[[\vec{S}]] = ([[s_0]], [[s_1]], \dots, [[s_{i-1}]])$.
      2. For $k \in \{0, \dots, |D|-1\}$, all miners compute $[[L[k]]] \leftarrow [[\vec{S}]]^T \cdot [[\vec{f}[k]]]$. Then split $[[L[k]]]$ into bits.
      3. For $j \in \{0, \dots, i-1\}$, all miners compute $[[s_j]] = (1 - [[b_j]]) \cdot \prod_{w=0}^{j-1} \big([[b_w]] + 2 \cdot (1 - [[b_w]])\big)$. Denote the selection vector $[[\vec{S}]] = ([[s_0]], [[s_1]], \dots, [[s_{i-1}]])$.
      4. For $k \in \{0, \dots, |D|-1\}$, all miners compute $[[R[k]]] \leftarrow [[\vec{S}]]^T \cdot [[\vec{f}[k]]]$. Then split $[[R[k]]]$ into bits.
      5. All miners merge the sets $L$ and $R$ together.
   3. All miners execute in parallel for the sets $L$ and $R$