[PPT] - Encryption in the Plain Model Giulio Malavolta Abhishek Jain PowerPoint Presentation

SLIDE 1

Multi-key Fully-Homomorphic Encryption in the Plain Model

Prabhanjan Ananth

Abhishek Jain

Zhengzhong Jin

Giulio Malavolta

Johns Hopkins University Johns Hopkins University

Carnegie Mellon University University of California, Berkeley

University of California, Santa Barbara

SLIDE 2

Multi-key Fully-Homomorphic Encryption [LTV12]

SLIDE 3

Multi-key Fully-Homomorphic Encryption [LTV12]

SLIDE 4

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯

Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

SLIDE 5

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯ 𝑛1 𝑛2 𝑛𝑂

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

SLIDE 6

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

SLIDE 7

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

SLIDE 8

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Decryption Protocol:

SLIDE 9

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Decryption Protocol:

SLIDE 10

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Decryption Protocol:

⋯

SLIDE 11

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Decryption Protocol:

⋯

SLIDE 12

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Decryption Protocol:

𝐷(𝑛1, 𝑛2, … , 𝑛𝑂) ⋯

Recovery:

SLIDE 13

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Decryption Protocol:

𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

(Compact)

⋯

Recovery:

SLIDE 14

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Decryption Protocol:

𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

(Compact)

Security: adversary can learn nothing beyond 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂).

⋯

Recovery:

SLIDE 15

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Decryption Protocol:

𝐷(𝑛1, 𝑛2, … , 𝑛𝑂) ⋯

Recovery:

(Implicit) Reusability: decryption can run for different ,

without re-generating the public keys/ciphertexts.

𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

SLIDE 16

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯ 𝑛1 𝑛2 𝑛𝑂

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶 ⋯

(Implicit) Reusability: decryption can run for different ,

without re-generating the public keys/ciphertexts.

𝐷(𝑛1, 𝑛2, … , 𝑛𝑂) 𝐷′ 𝐷′(𝑛1, 𝑛2, … , 𝑛𝑂)

SLIDE 17

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯ 𝑛1 𝑛2 𝑛𝑂

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Decryption Protocol:

⋯

(Implicit) Reusability: decryption can run for different ,

without re-generating the public keys/ciphertexts.

𝐷(𝑛1, 𝑛2, … , 𝑛𝑂) 𝐷′ 𝐷′(𝑛1, 𝑛2, … , 𝑛𝑂)

SLIDE 18

Multi-key Fully-Homomorphic Encryption [LTV12]

⋯ 𝑛1 𝑛2 𝑛𝑂

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Decryption Protocol:

⋯

Recovery:

(Implicit) Reusability: decryption can run for different ,

without re-generating the public keys/ciphertexts.

𝐷(𝑛1, 𝑛2, … , 𝑛𝑂) 𝐷′ 𝐷′(𝑛1, 𝑛2, … , 𝑛𝑂) 𝐷′(𝑛1, 𝑛2, … , 𝑛𝑂)

SLIDE 19

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂) 𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Ciphertexts: Public Keys:

MK-FHE with 1-Round Decryption [MW16]

Decryption Protocol

⋯

SLIDE 20

1-round Decryption:

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂) 𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Ciphertexts: Public Keys:

MK-FHE with 1-Round Decryption [MW16]

⋯

SLIDE 21

1-round Decryption:

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂) 𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Ciphertexts: Public Keys:

MK-FHE with 1-Round Decryption [MW16]

⋯ 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Public Recovery:

SLIDE 22

Applications

SLIDE 23

Applications

2-round multiparty computation [MW16]
Spooky encryption [DHRW16]
Homomorphic secret sharing [BGI16, BGI17]
obfuscation & functional encryption combiners [AJNSY16, AJS17]
Multiparty obfuscation [HIJKSY17]
Homomorphic time-lock puzzles [MT19,BDGM19]
Ad-hoc multi-input functional encryption [ACFGOT20]
……

SLIDE 24

Applications

2-round multiparty computation [MW16]
Spooky encryption [DHRW16]
Homomorphic secret sharing [BGI16, BGI17]
obfuscation & functional encryption combiners [AJNSY16, AJS17]
Multiparty obfuscation [HIJKSY17]
Homomorphic time-lock puzzles [MT19,BDGM19]
Ad-hoc multi-input functional encryption [ACFGOT20]
……

SLIDE 25

Prior works on

Multi-key FHE with 1-round decryption

[CM15, MW16, BP16, PS16] need a trusted setup.
[DHRW16] sub-exponentially secure indistinguishable obfuscation.

SLIDE 26

In In th the e pl plain in mode del, l, do does es Mu Mult lti-key key FHE HE wi with h 1-rou

und

nd de decrypti yption

n ex

exis ist?

SLIDE 27

Our Results

SLIDE 28

Our Results

1.

1. Mu

Mult lti-key key FH FHE wi with th 1-ro roun und d dec ecry ryption ption in in th the e pla lain in mo model el from m Learn arning ing wit ith Err rror

r (LWE)

WE), , Rin ing-LWE, LWE, and De Decisio isiona nal l Sm Small ll Pol

lyn

ynomial

mial Ratio

tio prob

blem

lem.

O(1)-party

arty Multi lti-key ey FH FHE from m only ly LWE. E.

SLIDE 29

Our Results

1.

1. Mu

Mult lti-key key FH FHE wi with th 1-ro roun und d dec ecry ryption ption in in th the e pla lain in mo model el from m Learn arning ing wit ith Err rror

r (LWE)

WE), , Rin ing-LWE, LWE, and De Decisio isiona nal l Sm Small ll Pol

lyn

ynomial

mial Ratio

tio prob

blem

lem.

O(1)-party

arty Multi lti-key ey FH FHE from m only ly LWE. E. 2.

2. Mult

ltipar iparty ty Homo momor morphic hic Encryp ryptio tion (a weaker er notio ion n of MK MK-FH FHE) E) from

m LWE.

E.

SLIDE 30

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Ciphertexts: Public Keys:

Multiparty Homomorphic Encryption: A weakening of MK-FHE

Partial Decryption:

⋯ 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Public Recovery:

→ 𝐷 𝑛1, 𝑛2, … , 𝑛𝑂 Partial Decryptions

SLIDE 31

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Ciphertexts: Public Keys:

Multiparty Homomorphic Encryption: A weakening of MK-FHE

Partial Decryption:

⋯

Public Recovery:

𝐷, → 𝐷 𝑛1, 𝑛2, … , 𝑛𝑂 Partial Decryptions

𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

SLIDE 32

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Ciphertexts: Public Keys:

Multiparty Homomorphic Encryption: A weakening of MK-FHE

Partial Decryption:

⋯

Public Recovery:

It implies 2-round reusable multiparty computation with compact

communication complexity.

𝐷, → 𝐷 𝑛1, 𝑛2, … , 𝑛𝑂 Partial Decryptions

𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

SLIDE 33

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Ciphertexts: Public Keys:

Multiparty Homomorphic Encryption: A weakening of MK-FHE

SLIDE 34

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Ciphertexts: Public Keys:

Multiparty Homomorphic Encryption: A weakening of MK-FHE

Partial Decryption:

⋯ 𝐷 𝐷

SLIDE 35

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Ciphertexts: Public Keys:

Multiparty Homomorphic Encryption: A weakening of MK-FHE

Partial Decryption:

⋯ 𝐷 𝐷

SLIDE 36

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Ciphertexts: Public Keys:

Multiparty Homomorphic Encryption: A weakening of MK-FHE

Partial Decryption:

⋯ 𝐷 𝐷

Public Recovery:

𝐷, → 𝐷 𝑛1, 𝑛2, … , 𝑛𝑂 Partial Decryptions

SLIDE 37

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Ciphertexts: Public Keys:

Multiparty Homomorphic Encryption: A weakening of MK-FHE

Partial Decryption:

⋯ 𝐷 𝐷

Public Recovery:

𝐷, → 𝐷 𝑛1, 𝑛2, … , 𝑛𝑂 Partial Decryptions

Reusability: public keys can be reused for different circuits.
Compactness: communication complexity is independent of the circuit.

SLIDE 38

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Ciphertexts: Public Keys:

Multiparty Homomorphic Encryption: A weakening of MK-FHE

Partial Decryption:

⋯ 𝐷 𝐷

Public Recovery:

𝐷, → 𝐷 𝑛1, 𝑛2, … , 𝑛𝑂 Partial Decryptions

𝐷′ 𝐷′ 𝐷′

Reusability: public keys can be reused for different circuits.
Compactness: communication complexity is independent of the circuit.

SLIDE 39

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Ciphertexts: Public Keys:

Multiparty Homomorphic Encryption: A weakening of MK-FHE

Partial Decryption:

⋯ 𝐷 𝐷

Public Recovery:

𝐷, → 𝐷 𝑛1, 𝑛2, … , 𝑛𝑂 Partial Decryptions

𝐷′ 𝐷′ 𝐷′

Reusability: public keys can be reused for different circuits.
Compactness: communication complexity is independent of the circuit.

SLIDE 40

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

Ciphertexts: Public Keys:

Multiparty Homomorphic Encryption: A weakening of MK-FHE

Partial Decryption:

⋯ 𝐷 𝐷

Public Recovery:

It implies 2-round Multiparty Computation.

𝐷, → 𝐷 𝑛1, 𝑛2, … , 𝑛𝑂 Partial Decryptions

𝐷′ 𝐷′ 𝐷′

Reusability: public keys can be reused for different circuits.
Compactness: communication complexity is independent of the circuit.

SLIDE 41

Our Approach

SLIDE 42

Our Approach

2-round MPC Multi-key FHE [MW16]

SLIDE 43

Reusable MPC Multi-key FHE

Our Approach

2-round MPC Multi-key FHE [MW16]

SLIDE 44

Reusable MPC Multi-key FHE

Our Approach

2-round MPC Multi-key FHE [MW16]

𝑛1 𝑛2 𝑛𝑂 𝐷

1st Round: 2nd Round:

⋯ 𝐷 𝐷 ⋯

SLIDE 45

Reusable MPC Multi-key FHE

Our Approach

2-round MPC Multi-key FHE [MW16]

𝑛1 𝑛2 𝑛𝑂 𝐷

1st Round: 2nd Round:

⋯ 𝐷 𝐷 ⋯

Reusability: 1st round is reusable.
See Also:
[BL20], from bilinear maps.
[BGMM20], from DDH or

Succinct 1st msg MPC

SLIDE 46

Reusable MPC Multi-key FHE

Our Approach

2-round MPC Multi-key FHE [MW16]

𝑛1 𝑛2 𝑛𝑂 𝐷

1st Round: 2nd Round:

⋯ 𝐷 𝐷 ⋯ 𝐷′

Another 2nd Round:

𝐷′ 𝐷′ ⋯ ⋯

Reusability: 1st round is reusable.
See Also:
[BL20], from bilinear maps.
[BGMM20], from DDH or

Succinct 1st msg MPC

SLIDE 47

Reusable MPC Multi-key FHE

Our Approach

2-round MPC Multi-key FHE [MW16]

𝑛1 𝑛2 𝑛𝑂 𝐷

1st Round: 2nd Round:

⋯ 𝐷 𝐷 ⋯ 𝐷′

Another 2nd Round:

𝐷′ 𝐷′ ⋯ ⋯

Reusability: 1st round is reusable.
See Also:
[BL20], from bilinear maps.
[BGMM20], from DDH or

Succinct 1st msg MPC

SLIDE 48

1-time MPC Reusable MPC Multi-key FHE

Our Approach

2-round MPC Multi-key FHE [MW16]

𝑛1 𝑛2 𝑛𝑂 𝐷

1st Round: 2nd Round:

⋯ 𝐷 𝐷 ⋯ 𝐷′

Another 2nd Round:

𝐷′ 𝐷′ ⋯ ⋯

Reusability: 1st round is reusable.
See Also:
[BL20], from bilinear maps.
[BGMM20], from DDH or

Succinct 1st msg MPC

SLIDE 49

1-time MPC Reusable MPC Multi-key FHE

Our Approach

2-round MPC Multi-key FHE [MW16]

Succinctness Property

𝑛1 𝑛2 𝑛𝑂 𝐷

1st Round: 2nd Round:

⋯ 𝐷 𝐷 ⋯ 𝐷′

Another 2nd Round:

𝐷′ 𝐷′ ⋯ ⋯

Reusability: 1st round is reusable.
See Also:
[BL20], from bilinear maps.
[BGMM20], from DDH or

Succinct 1st msg MPC

SLIDE 50

1-time MPC Reusable MPC Multi-key FHE

Our Approach

2-round MPC Multi-key FHE [MW16]

Succinctness Property

𝑛1 𝑛2 𝑛𝑂 𝐷

1st Round: 2nd Round:

⋯ 𝐷 𝐷 ⋯ 𝐷′

Another 2nd Round:

𝐷′ 𝐷′ ⋯ ⋯

Reusability: 1st round is reusable.
See Also:
[BL20], from bilinear maps.
[BGMM20], from DDH or

Succinct 1st msg MPC

SLIDE 51

Reusable MPC → Multi-key FHE

SLIDE 52

Reusable MPC → Multi-key FHE

[LTV12] is in plain mode, but has a multi-round decryption protocol.

SLIDE 53

Reusable MPC → Multi-key FHE

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

[LTV12] is in plain mode, but has a multi-round decryption protocol.

𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Multi-round Decryption:

⋯

SLIDE 54

Reusable MPC → Multi-key FHE

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Ciphertexts: Public Keys:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

[LTV12] is in plain mode, but has a multi-round decryption protocol.

𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Multi-round Decryption:

⋯

Run reusable MPC for Dec(⋅).

SLIDE 55

Reusable MPC → Multi-key FHE

⋯ 𝑛1 𝑛2 𝑛𝑂 𝐷 𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Ciphertexts:

𝐪𝐥𝟐 𝐪𝐥2 𝐪𝐥𝑶

[LTV12] is in plain mode, but has a multi-round decryption protocol.

𝐷(𝑛1, 𝑛2, … , 𝑛𝑂)

Reusable MPC 2nd Round

⋯ 𝑡𝑙1 𝑡𝑙1 𝑡𝑙𝑂

Public Keys & Reusable MPC 1st Round

Run reusable MPC for Dec(⋅).

SLIDE 56

Our Approach

1-time MPC Reusable MPC Multi-key FHE

Succinctness Property

SLIDE 57

Our Approach

1-time MPC Reusable MPC Multi-key FHE

Succinctness Property

SLIDE 58

Reusable MPC: A Self-Synthesis Approach

SLIDE 59

Reusable MPC: A Self-Synthesis Approach

1-time MPC 2-times MPC

SLIDE 60

Reusable MPC: A Self-Synthesis Approach

Use 1-time MPC to generate 2 sets of fresh new 1st round messages

1-time MPC 2-times MPC

SLIDE 61

Reusable MPC: A Self-Synthesis Approach

Use 1-time MPC to generate 2 sets of fresh new 1st round messages

1-time MPC 2-times MPC ⋯

𝑛1 𝑛2 𝑛𝑂

SLIDE 62

Reusable MPC: A Self-Synthesis Approach

Use 1-time MPC to generate 2 sets of fresh new 1st round messages

1-time MPC 2-times MPC ⋯

𝑛1 𝑛2 𝑛𝑂

𝑛1 𝑛2

𝑛𝑂

1st Round:

SLIDE 63

Reusable MPC: A Self-Synthesis Approach

Use 1-time MPC to generate 2 sets of fresh new 1st round messages

1-time MPC 2-times MPC ⋯

𝑛1 𝑛2 𝑛𝑂

𝑛1 𝑛2

𝑛𝑂

1st Round:

𝑯 𝒏𝟐, 𝒏𝟑, … , 𝒏𝑶 :

⋯ ⋯ 𝑛1 𝑛2 𝑛𝑂 𝑛1 𝑛2 𝑛𝑂

SLIDE 64

Reusable MPC: A Self-Synthesis Approach

Use 1-time MPC to generate 2 sets of fresh new 1st round messages

1-time MPC 2-times MPC ⋯

𝑛1 𝑛2 𝑛𝑂

𝑛1 𝑛2

𝑛𝑂

1st Round:

𝑯 𝒏𝟐, 𝒏𝟑, … , 𝒏𝑶 :

⋯ ⋯ 𝑛1 𝑛2 𝑛𝑂 𝑛1 𝑛2 𝑛𝑂

2nd round:

SLIDE 65

Reusable MPC: A Self-Synthesis Approach

Use 1-time MPC to generate 2 sets of fresh new 1st round messages

1-time MPC 2-times MPC ⋯

𝑛1 𝑛2 𝑛𝑂

𝑛1 𝑛2

𝑛𝑂

1st Round:

𝑯 𝒏𝟐, 𝒏𝟑, … , 𝒏𝑶 :

⋯ ⋯ 𝑛1 𝑛2 𝑛𝑂 𝑛1 𝑛2 𝑛𝑂

2nd round:

⋯ ⋯ 𝑛1 𝑛2 𝑛𝑂 𝑛1 𝑛2 𝑛𝑂

SLIDE 66

Reusable MPC: A Self-Synthesis Approach

Use 1-time MPC to generate 2 sets of fresh new 1st round messages

1-time MPC 2-times MPC ⋯

𝑛1 𝑛2 𝑛𝑂

𝑛1 𝑛2

𝑛𝑂

1st Round:

𝑯 𝒏𝟐, 𝒏𝟑, … , 𝒏𝑶 :

⋯ ⋯ 𝑛1 𝑛2 𝑛𝑂 𝑛1 𝑛2 𝑛𝑂

2nd round:

1st time

⋯ ⋯ 𝑛1 𝑛2 𝑛𝑂 𝑛1 𝑛2 𝑛𝑂

SLIDE 67

Reusable MPC: A Self-Synthesis Approach

Use 1-time MPC to generate 2 sets of fresh new 1st round messages

1-time MPC 2-times MPC ⋯

𝑛1 𝑛2 𝑛𝑂

𝑛1 𝑛2

𝑛𝑂

1st Round:

𝑯 𝒏𝟐, 𝒏𝟑, … , 𝒏𝑶 :

⋯ ⋯ 𝑛1 𝑛2 𝑛𝑂 𝑛1 𝑛2 𝑛𝑂

2nd round:

1st time 2nd time

⋯ ⋯ 𝑛1 𝑛2 𝑛𝑂 𝑛1 𝑛2 𝑛𝑂

SLIDE 68

Reusable MPC: A Self-Synthesis Approach

Use 1-time MPC to generate 2 sets of fresh new 1st round messages

1-time MPC 2-times MPC ⋯

𝑛1 𝑛2 𝑛𝑂

𝑛1 𝑛2

𝑛𝑂

1st Round:

𝑯 𝒏𝟐, 𝒏𝟑, … , 𝒏𝑶 :

⋯ ⋯ 𝑛1 𝑛2 𝑛𝑂 𝑛1 𝑛2 𝑛𝑂

Need the 3rd round to compute 𝐷

2nd round:

1st time 2nd time

⋯ ⋯ 𝑛1 𝑛2 𝑛𝑂 𝑛1 𝑛2 𝑛𝑂

SLIDE 69

Round Compression to Rescue

SLIDE 70

Round Compression to Rescue

Garble the 3rd round next message function Next𝑗to compress to 2 rounds.

SLIDE 71

Round Compression to Rescue

Garble the 3rd round next message function Next𝑗to compress to 2 rounds.

1st round 2nd round 𝑯 𝒏𝟐, 𝒏𝟑, … , 𝒏𝑶 : ⋯ ⋯

𝑛1 𝑛2 𝑛𝑂 𝑛1 𝑛2 𝑛𝑂

⋯

𝑛1 𝑛2 𝑛𝑂

𝑛1 𝑛2

𝑛𝑂

⋯

SLIDE 72

Round Compression to Rescue

Garble the 3rd round next message function Next𝑗to compress to 2 rounds.

𝐻𝑏𝑠𝑐𝑚𝑓(Next1 ) 𝐻𝑏𝑠𝑐𝑚𝑓(Next2 ) 𝐻𝑏𝑠𝑐𝑚𝑓(Next𝑂 )

1st round 2nd round 𝑯 𝒏𝟐, 𝒏𝟑, … , 𝒏𝑶 : ⋯ ⋯

𝑛1 𝑛2 𝑛𝑂 𝑛1 𝑛2 𝑛𝑂

⋯

𝑛1 𝑛2 𝑛𝑂

𝑛1 𝑛2

𝑛𝑂

⋯

Label( Label( ) )

SLIDE 73

Full-Fledged Tree-Based Approach

SLIDE 74

Full-Fledged Tree-Based Approach

From 2-times usable to reusable:

SLIDE 75

Full-Fledged Tree-Based Approach

From 2-times usable to reusable:

Recursively apply the self-synthesis

SLIDE 76

Full-Fledged Tree-Based Approach

From 2-times usable to reusable:

1-time MPC 1-time MPC 1-time MPC

Recursively apply the self-synthesis

1

SLIDE 77

Full-Fledged Tree-Based Approach

From 2-times usable to reusable:

1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC

Recursively apply the self-synthesis

1 1

SLIDE 78

Full-Fledged Tree-Based Approach

From 2-times usable to reusable:

1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

Recursively apply the self-synthesis

1 1

SLIDE 79

Full-Fledged Tree-Based Approach

From 2-times usable to reusable:

1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

Recursively apply the self-synthesis

⋯ ⋯

1 1

SLIDE 80

Full-Fledged Tree-Based Approach

From 2-times usable to reusable:

1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

Recursively apply the self-synthesis

⋯ ⋯

Given 𝐷, walk down the tree according to 𝐷. 1 1

SLIDE 81

Full-Fledged Tree-Based Approach

From 2-times usable to reusable:

1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

Recursively apply the self-synthesis

⋯ ⋯

e.g. 𝐷 = 01 …

Given 𝐷, walk down the tree according to 𝐷. 1 1

SLIDE 82

Full-Fledged Tree-Based Approach

From 2-times usable to reusable:

1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

Recursively apply the self-synthesis

⋯ ⋯

e.g. 𝐷 = 01 …

Given 𝐷, walk down the tree according to 𝐷. 1-time MPC 1 1

SLIDE 83

Full-Fledged Tree-Based Approach

From 2-times usable to reusable:

1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

Recursively apply the self-synthesis

⋯ ⋯

e.g. 𝐷 = 01 …

Given 𝐷, walk down the tree according to 𝐷. 1-time MPC 1-time MPC 1 1

SLIDE 84

Full-Fledged Tree-Based Approach

From 2-times usable to reusable:

1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

Recursively apply the self-synthesis

⋯ ⋯

e.g. 𝐷 = 01 …

Given 𝐷, walk down the tree according to 𝐷. 1-time MPC

1-time MPC

1-time MPC 1 1

SLIDE 85

Full-Fledged Tree-Based Approach

From 2-times usable to reusable:

1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

Recursively apply the self-synthesis

⋯ ⋯

e.g. 𝐷 = 01 …

Given 𝐷, walk down the tree according to 𝐷. 1-time MPC

1-time MPC

1-time MPC 1 1

Eval. 𝑫

SLIDE 86

Time Complexity Blow Up

1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

⋯ ⋯

SLIDE 87

Time Complexity Blow Up

For 1-time MPC in plain model,

Time(1st Round) ≈ 𝐷 ⋅ 𝑞𝑝𝑚𝑧 𝜇 1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

⋯ ⋯

SLIDE 88

Time Complexity Blow Up

For 1-time MPC in plain model,

Time(1st Round) ≈ 𝐷 ⋅ 𝑞𝑝𝑚𝑧 𝜇 1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

⋯ ⋯

SLIDE 89

Time Complexity Blow Up

For 1-time MPC in plain model,

Time(1st Round) ≈ 𝐷 ⋅ 𝑞𝑝𝑚𝑧 𝜇 1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

⋯ ⋯

𝐷 𝜇

SLIDE 90

Time Complexity Blow Up

For 1-time MPC in plain model,

Time(1st Round) ≈ 𝐷 ⋅ 𝑞𝑝𝑚𝑧 𝜇 1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

⋯ ⋯

𝐷 𝜇 𝐷 𝜇2

SLIDE 91

Time Complexity Blow Up

For 1-time MPC in plain model,

Time(1st Round) ≈ 𝐷 ⋅ 𝑞𝑝𝑚𝑧 𝜇 1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

⋯ ⋯

𝐷 𝜇 𝐷 𝜇2 𝐷 𝜇3

SLIDE 92

Time Complexity Blow Up

For 1-time MPC in plain model,

Time(1st Round) ≈ 𝐷 ⋅ 𝑞𝑝𝑚𝑧 𝜇 1-time MPC 1-time MPC 1-time MPC

1-time MPC 1-time MPC 1-time MPC 1-time MPC

⋯ ⋯

Time(Root node) is exponential in 𝜇

𝐷 𝜇 𝐷 𝜇2 𝐷 𝜇3

SLIDE 93

Necessary Condition for Recursion

1-time MPC

Succinct MPC Succinct MPC

Succinct MPC Succinct MPC Succinct MPC Succinct MPC

⋯ ⋯

SLIDE 94

Necessary Condition for Recursion

Succinct 1-time MPC:

Time(1st Round) is independent of 𝐷 .

1-time MPC

Succinct MPC Succinct MPC

Succinct MPC Succinct MPC Succinct MPC Succinct MPC

⋯ ⋯

SLIDE 95

Necessary Condition for Recursion

Succinct 1-time MPC:

Time(1st Round) is independent of 𝐷 .

1-time MPC

Succinct MPC Succinct MPC

Succinct MPC Succinct MPC Succinct MPC Succinct MPC

⋯ ⋯

[MW16] satisfies succinctness,

but in CRS model.

SLIDE 96

Necessary Condition for Recursion

Succinct 1-time MPC:

Time(1st Round) is independent of 𝐷 .

1-time MPC

Succinct MPC Succinct MPC

Succinct MPC Succinct MPC Succinct MPC Succinct MPC

⋯ ⋯

[MW16] satisfies succinctness,

but in CRS model.

CRS CRS CRS CRS CRS CRS

Plain Model

SLIDE 97

In fact succinct 1-time MPC

in preprocessing model suffices.

Necessary Condition for Recursion

Succinct 1-time MPC:

Time(1st Round) is independent of 𝐷 .

1-time MPC

Succinct MPC Succinct MPC

Succinct MPC Succinct MPC Succinct MPC Succinct MPC

⋯ ⋯

[MW16] satisfies succinctness,

but in CRS model.

CRS CRS CRS CRS CRS CRS

Plain Model

SLIDE 98