Efficient Primitive Protocols for Sharemind Bingsheng Zhang 1 , 2 1 - PowerPoint PPT Presentation

Efficient Primitive Protocols for Sharemind Bingsheng Zhang 1 , 2 1 Cybernetica AS, Estonia 2 University of Tartu, Estonia Research Seminar in Cryptography, 2009s

Outline Outline Introduction Preliminaries Integer Aritmetic Protocols Private Update Protocol PrivateRetrieval Protocol Random Shuffle Protocol

Outline Outline Introduction Background Sharemind is an implementation of multi-party computation in real life, and it is mainly used for privacy preserving data-mining. Cur- rently, there are 3 miners, who additively share the data in Z 2 32 ; therefore, the whole system is information theoretically secure un- der at most 1 corrupted miner assumption. In this talk, we will intro- duce a number of important primitive protocols for Sharemind, such as share conversion between GF ( 2 32 ) and Z 2 32 , PrivateUpdate and random shuffle protocol.

Outline Outline Preliminaries Du-Atallah Multiplication Assume Alice has private a ∈ Z 2 32 , Bob has private b ∈ Z 2 32 . Now Alice, Bob and Charlie want to obtain S A , S B , S C ∈ Z 2 32 , such that S A + S B + S C = a · b ( mod 2 32 ) . During the protocol, Alice gener- ates γ 1 ← u Z 2 32 , and she sends γ 1 to Charlie and a + γ 1 ( mod 2 32 ) to Bob. Bob generates γ 2 ← u Z 2 32 , and he sends γ 2 to Char- lie and b + γ 2 ( mod 2 32 ) to Alice. They then set the shares as S A = − γ 1 · ( b + γ 2 ) ( mod 2 32 ) , S B = b · ( a + γ 1 ) ( mod 2 32 ) and S C = γ 1 · γ 2 ( mod 2 32 )

Outline Outline Preliminaries One-bit Share Conversion Protocol Let b ∈ Z 2 be shared as b = b 0 ⊕ b 1 ⊕ b 2 , where b 0 , b 1 , b 2 ∈ Z 2 . After executing this protocol, 3 miners get shares S 0 , S 1 , S 2 ∈ Z 2 32 such that b = S 0 + S 1 + S 2 ( mod 2 32 ) . Essentially, the protocol do ( mod 2 32 ) b = b 0 + b 1 + b 2 − 2 b 0 b 1 − 2 b 0 b 2 − 2 b 1 b 2 + 4 b 0 b 1 b 2 The protocol uses Du-Atallah multiplication protocol to get shares of 2 b i b j . As regarding to sharing 4 b 0 b 1 b 2 , miner M 2 shares 2 b 2 , and [[ 4 b 0 b 1 b 2 ]] = [[ 2 b 0 b 1 ]] · [[ 2 b 2 ]] by multiplication protocol. Finally, 3 miners reshare [[ b ]] in order to have uniformly distributed shares. So the whole protocol costs 3 rounds. NB: Recently, Tomas Toft and Margus Niitsoo implemented a new kind of one-bit share conversion protocol for Sharemind. It costs only 1 round with 1 exact round pre-computation, which can be shared with previous round of computation.

Outline Outline Preliminaries Randomized Shellsort for o = n / 2 , n / 2 2 , n / 2 3 , ··· , 1 do 1 Let A i denote subarray A [ io .. io + o − 1 ] , for 1 i = 0 , 1 , 2 , ··· , n / o − 1. do a shaker pass: 2 Region compare-exchange A i and A i + 1 , for 1 i = 0 , 1 , 2 , ··· , n / o − 2. Region compare-exchange A i + 1 and A i , for 2 i = n / o − 2 , ··· , 2 , 1 , 0. do a extended brick pass: 3 Region compare-exchange A i and A i + 3 , for 1 i = 0 , 1 , 2 , ··· , n / o − 4. Region compare-exchange A i and A i + 2 , for 2 i = 0 , 1 , 2 , ··· , n / o − 3. Region compare-exchange A i and A i + 1 , for even 3 i = 0 , 1 , 2 , ··· , n / o − 2. Region compare-exchange A i and A i + 1 , for odd 4 i = 0 , 1 , 2 , ··· , n / o − 2.

Outline Outline Preliminaries Benchmark

Outline Outline Integer Aritmetic Protocols Generating Random Invertible Pairs Server’s input: ⊥ Server’s output: Data shares in Z 2 32 : [[ R ← u Z ∗ 2 32 ]] and [[ R − 1 ]] Each miner M p ∈{ 0 , 1 , 2 } generates two random number 1 A p ← u { 1 , 2 , ··· , 2 31 } and B p ← u { 1 , 2 , ··· , 2 31 } . Set R p = 2 · A p − 1 and R ′ p = 2 · B p − 1 All miners M p ∈{ 0 , 1 , 2 } compute and reveal [[ C ]] = [[ R ]] · [[ R ′ ]] . 2 Each miner M p ∈{ 0 , 1 , 2 } computes and sets 3 [[ R − 1 ]] = C − 1 · [[ R ′ ]] . The total protocol costs 2 rounds.

Outline Outline Integer Aritmetic Protocols Unbounded Fan-in Multiplication Server’s input: Data shares in Z ∗ 2 32 : [[ X 1 ]] , ··· , [[ X k ]] Server’s output: Data shares in Z ∗ 2 32 : [[ � k i = 1 X i ]] All miners M p ∈{ 0 , 1 , 2 } generate random invertible pairs 1 ([[ R 0 ]] , [[ R − 1 0 ]]) , ··· , ([[ R k ]] , [[ R − 1 k ]]) by using sub-protocol in previous section. For i ∈ { 1 , ··· , k } , all miners M p ∈{ 0 , 1 , 2 } compute and reveal 2 [[ A i ]] = [[ R i − 1 ]] · [[ X i ]] · [[ R − 1 ]] . i Each miner M p ∈{ 0 , 1 , 2 } computes 3 B = � k i = 1 A i = R 0 · � k i = 1 X i · R − 1 k . All miners M p ∈{ 0 , 1 , 2 } compute [[ S ]] = [[ R − 1 0 ]] · B · [[ R k ]] . 4 The total protocol costs 5 rounds.

Outline Outline Integer Aritmetic Protocols Unbounded Fan-in Conjunction All miners M p ∈{ 0 , 1 , 2 } computes [[ S ]] = 1 + 2 � k i = 1 [[ X i ]] . 1 For i ∈ { 1 , ··· , k + 1 } , all miners M p ∈{ 0 , 1 , 2 } call unbounded 2 fan-in multiplication protocol to compute [[ S ]] , [[ S 2 ]] , ··· , [[ S k + 1 ]] . All miners M p ∈{ 0 , 1 , 2 } compute 3 [[ A ]] = [[ P ( S )]] · γ − 1 = ( α 0 + � k + 1 i = 1 α i [[ S i ]]) · γ − 1 . All miners reveal the shares from right most bit up to ( β 4 mod 32)-th bit of A , and compute the carry of ( ( β mod 32 )+ 1)-th position, denoting as c . Each miner set result share Y p as A p [( β mod 32 )+ 1 ] ⊕ c The total protocol costs 6 rounds, as step 3 can be computed locally.

Outline Outline Integer Aritmetic Protocols Bitwise Carry Protocol [[ a 0 ]] , ··· , [[ a 31 ]] and Server’s input: Data shares in Z 2 32 : [[ b 0 ]] , ··· , [[ b 31 ]] Server’s output: Data shares in Z 2 : [[ c 0 ]] , ··· , [[ c 31 ]] All miners M p ∈{ 0 , 1 , 2 } set [[ c 0 ]] = 0, [[ c 1 ]] = [[ a 0 ]] · [[ b 0 ]] 1 For i ∈ { 2 , ··· , 31 } , all miners M p ∈{ 0 , 1 , 2 } call unbounded fan-in 2 conjunction protocol to compute [[ c i ]] = [[ a i − 1 ]] · [[ c i − 1 ]] ⊕ [[ b i − 1 ]] · [[ c i − 1 ]] ⊕ [[ a i − 1 ]] · [[ b i − 1 ]] . The total protocol costs 6 rounds.

Outline Outline Integer Aritmetic Protocols Addition Protocol for Shares in GF ( 2 32 ) All miners M p ∈{ 0 , 1 , 2 } split A p and B p to bits A p [ 31 ] , ··· , A p [ 0 ] 1 and B p [ 31 ] , ··· , B p [ 0 ] . Then call one bit share conversion protocol, converting them to additive shares in Z 2 32 . Denote them as A ′ p [ 31 ] , ··· , A ′ p [ 0 ] and B ′ p [ 31 ] , ··· , B ′ p [ 0 ] All miners M p ∈{ 0 , 1 , 2 } call bitwise carry protocol and get carry 2 bit shares C ′ p [ 31 ] , ··· , C ′ p [ 0 ] . For i ∈ { 0 , ··· , 31 } , all miners M p ∈{ 0 , 1 , 2 } compute 3 C p [ i ] = A p [ i ] ⊕ B p [ i ] ⊕ C ′ p [ i ] ( Z 2 operation). Each miner M p ∈{ 0 , 1 , 2 } sets C p = C p [ 31 ] ||···|| C p [ 0 ] . 4 The total protocol costs 1 + 6 = 7 rounds.

Outline Outline Integer Aritmetic Protocols Generating Random Solved Bit-decomposition Instance Server’s output: [[ R ← u Z 2 32 ]] and [[ r 31 ]] , [[ r 30 ]] , ··· , [[ r 0 ]] , where r i ∈ { 0 , 1 } and R = � 31 i = 0 r i · 2 i . Each miner M p ∈{ 0 , 1 , 2 } randomly generates R ′ p ← u Z 2 32 , 1 denoting as R ′ p [ 31 ] , ··· , R ′ p [ 0 ] . All miners M p ∈{ 0 , 1 , 2 } call one bit share conversion 2 sub-protocol to convert from R ′ p [ 31 ] , ··· , R ′ p [ 0 ] to additive shares r p [ 31 ] , ··· , r p [ 0 ] . Each miner M p ∈{ 0 , 1 , 2 } computes and set 3 R p = 2 31 · r p [ 31 ]+ 2 30 · r p [ 30 ]+ ··· + 2 0 · r p [ 0 ] mod 2 32 The total protocol costs 1 rounds.

Outline Outline Integer Aritmetic Protocols Share conversion GF ( 2 32 ) → Z 2 32 Protocol Server’s input: Data shares in GF ( 2 32 ) : X = X 0 ⊕ X 1 ⊕ X 2 Server’s output: Data shares in Z 2 32 : X = X ′ 0 + X ′ 1 + X ′ 2 mod 2 32 Each miner M p ∈{ 0 , 1 , 2 } splits X p to bits, denoting as 1 X p [ 31 ] , ··· , X p [ 0 ] . All miners M p ∈{ 0 , 1 , 2 } call one bit share conversion 2 sub-protocol to compute additive shares A p [ 31 ] , ··· , A p [ 0 ] . Each miner M p ∈{ 0 , 1 , 2 } computes and set 3 p = 2 31 · A p [ 31 ]+ 2 30 · A p [ 30 ]+ ··· + 2 0 · A p [ 0 ] mod 2 32 X ′ The total protocol costs 1 rounds.

Outline Outline Integer Aritmetic Protocols Share conversion Z 2 32 → GF ( 2 32 ) Protocol Server’s input: Data shares in Z 2 32 : X = X 0 + X 1 + X 2 mod 2 32 Server’s output: Data shares in GF ( 2 32 ) : X = X ′ 0 ⊕ X ′ 1 ⊕ X ′ 2 Each miner M p ∈{ 0 , 1 , 2 } splits X p to bits, denoting as 1 X p [ 31 ] , ··· , X p [ 0 ] . 3 miners M p ∈{ 0 , 1 , 2 } call one bit share conversion 2 sub-protocol to compute additive shares A p [ 31 ] , ··· , A p [ 0 ] . Each miner M p ∈{ 0 , 1 , 2 } computes and set 3 S p = 2 31 · A p [ 31 ]+ 2 30 · A p [ 30 ]+ ··· + 2 0 · A p [ 0 ] mod 2 32 Each miner M p ∈{ 0 , 1 , 2 } computes ε p = X p − S p . Share ε p 4 bitwise in Z 2 32 . All miners M p ∈{ 0 , 1 , 2 } call addition protocol for shares in 5 GF ( 2 32 ) to compute [[ X ]] = [[ A ]]+[[ ε 0 ]]+[[ ε 1 ]]+[[ ε 2 ]] , where A = X 0 ⊕ X 1 ⊕ X 2 .