k-Round Multiparty Computation from k-Round Oblivious Transfer via Garbled Interactive Circuits
Fabrice Benhamouda (IBM Research / Columbia University, US) and Huijia (Rachel) Lin (University of California, Santa Barbara, US)
Eurocrypt 2018, May 1
Outline: Introduction; Overview; Round Collapsing via GIC; FC with WE
Secure Multiparty Computation (MPC)
Auction example: the seller P1 has no input; each buyer Pi bids xi USD.
The seller P1 gets y1 = (max bid, buyer). Buyer Pi gets yi = 1 if it is the winner, else …
Question: how many rounds?
(Figure: parties P1, ..., P5 with inputs x1, ..., x5 and outputs y1, ..., y5.)
Fabrice Benhamouda (IBM), k-Round MPC from k-Round OT, Eurocrypt 2018
Secure Multiparty Computation: Adversarial Model
The adversary can corrupt any party at the beginning.
- semi-honest: corrupted parties behave honestly
- semi-malicious: corrupted parties behave honestly but adaptively choose their input and randomness
- malicious: corrupted parties can behave arbitrarily
k-round semi-malicious MPC + NIZK ⇒ k-round malicious MPC
Oblivious Transfer (OT)
The receiver holds a choice bit b ∈ {0, 1}; the sender holds two strings x0, x1. After the protocol the receiver learns xb and the sender learns nothing (⊥).
Question: does k-round OT give k-round MPC?
Previous Results: Semi-Honest Setting
N: number of parties; L: number of rounds

Reference                               N   L      Assumptions
[Yao82, Yao86]                          2   k      k-round OT
[GMW87]                                 N   O(d)   O(1)-round OT
[BMR90]                                 N   O(1)   O(1)-round OT
...
[AJLTVW12, MW16, CM15, BP16, PS16]      N   2      CRS/... + LWE
[BGI16, BGI17, BGILT18]                 N   2      PKI + DDH
[GGHR14, GP15, CGP15, DKR15, GLS15]     N   2      iO or WE
[GS17a]                                 N   2      bilinear group
[GS17b]                                 N   k      k-round OT
Ours                                    N   k      k-round OT
Results
Theorem: {semi-honest, semi-malicious, malicious∗} k-round OT ⇔ {semi-honest, semi-malicious, malicious†} k-round MPC‡
Corollary: {semi-honest, semi-malicious} 2-round OT ⇔ {semi-honest, semi-malicious} 2-round MPC‡
Corollary (using [AJLTVW12]): semi-malicious k-round OT + NIZK ⇒ malicious k-round MPC‡
∗ delayed semi-malicious security is sufficient; † for k ≥ 5; ‡ simultaneous messages, broadcast channel, static corruptions, with abort
Previous Results: Malicious Setting in the Plain Model
N: number of parties; L: number of rounds. Black-box lower bound: L ≥ 4

Reference      N   L       Assumptions
[ACJ17]        N   5       DDH
[ACJ17]        N   4       subexp DDH
[BHP17]        N   4       subexp LWE + adp. com.
[HHPV17]       N   4       ETDP + DDH/LWE or QR
[BGJKKS17]     N   4       DDH or QR or N-th res
Ours           N   k ≥ 5   k-round OT

Open problem: 4-round MPC from 4-round OT
Overview: Round Collapsing
Idea: round collapsing [GGHR14]: L-round MPC (GMW) → 2-round MPC
High-level construction
1. Pi broadcasts some "obfuscated" version of itself, containing its input xi and random tape ri.
2. Using all the obfuscated Pj's, Pi can locally run the L-round MPC.
Overview: Constructions
High-level construction
1. Pi broadcasts some "obfuscated" version of itself, containing its input xi and random tape ri.
2. Using all the obfuscated Pj's, Pi can locally run the L-round MPC.
[GGHR14]: from iO + NIZK. [GLS15]: from witness encryption + NIZK. [GS17a]: from bilinear groups.
Our work: from 2-round OT.
L-Round MPC
Each party Pi holds an input xi and a random tape ri. Messages are written m^ℓ_i (round ℓ, party i); m^{<ℓ} denotes all messages of the rounds before ℓ, and m the full transcript.
For all Pi:
Round 1: send m^1_i = Next(xi, ri)
Round 2: send m^2_i = Next(xi, ri, m^{<2})
...
Round L: send m^L_i = Next(xi, ri, m^{<L})
Output: yi = Output(xi, ri, m)
(Figure: parties P1, ..., P5 with inputs x1, ..., x5, random tapes r1, ..., r5, messages m^ℓ_1, ..., m^ℓ_5 in each round, and outputs y1, ..., y5.)
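The Next/Output interface above, as an added worked example that is not code from the talk or the paper: a toy two-round protocol in which N parties compute the sum of their inputs modulo a prime with additive secret sharing. Round 1 sends shares point-to-point (the toy ignores the broadcast-channel setting of the theorem), round 2 sends the sum of the shares received, and Output adds up the round-2 messages. The names Next, Output, run_protocol and transcript_is_unique, the modulus P and the sample inputs are all constructed here. The driver is the generic loop m^ℓ_i = Next(xi, ri, m^{<ℓ}); because Next is a deterministic function of (xi, ri, m^{<ℓ}), re-running it with the same inputs and tapes reproduces the transcript exactly, which is the uniqueness observation that the garbling approach on the following slides relies on.

```python
import random

P = 2**61 - 1   # toy prime modulus for the additive sharing (constructed parameter)
L = 2           # number of rounds of this toy protocol


def Next(x, r, prev, i, n):
    """Next-message function of party Pi for round ell = len(prev) + 1.

    prev is m^{<ell}: prev[l-1][j] is the round-l message of Pj.  Next is a
    deterministic function of (x, r, prev): the random tape r is expanded by a
    PRG seeded with (r, ell), so the same (x, r) and the same earlier messages
    always give the same m^ell_i.
    """
    ell = len(prev) + 1
    if ell == 1:
        rng = random.Random(r * 2**32 + ell)
        shares = [rng.randrange(P) for _ in range(n - 1)]
        shares.append((x - sum(shares)) % P)          # the n shares sum to x mod P
        return {j: shares[j] for j in range(n)}       # entry j is the share for Pj
    if ell == 2:
        received = [prev[0][j][i] for j in range(n)]  # shares addressed to Pi
        return sum(received) % P
    raise ValueError("this toy protocol has only %d rounds" % L)


def Output(x, r, m, i, n):
    """Output function of party Pi from the full transcript m."""
    return sum(m[1][j] for j in range(n)) % P


def run_protocol(xs, rs):
    """Drive the L rounds: m[ell-1][i] = Next(xi, ri, m^{<ell}).

    Returns (transcript, outputs).
    """
    n = len(xs)
    m = []
    for _ in range(L):
        m.append([Next(xs[i], rs[i], m, i, n) for i in range(n)])
    ys = [Output(xs[i], rs[i], m, i, n) for i in range(n)]
    return m, ys


def transcript_is_unique(xs, rs):
    """Fixing (xi, ri) for every party fixes the whole transcript."""
    m1, _ = run_protocol(xs, rs)
    m2, _ = run_protocol(xs, rs)
    return m1 == m2


if __name__ == "__main__":
    xs = [5, 17, 42, 3, 11]                  # constructed inputs
    rs = [1001, 1002, 1003, 1004, 1005]      # constructed random tapes
    m, ys = run_protocol(xs, rs)
    print("outputs:", ys, "expected:", sum(xs) % P)
```

Different random tapes change the transcript but not the outputs; the same tapes give byte-for-byte the same transcript, which is what lets a next-message function be garbled rather than obfuscated.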
Round Collapsing via Obfuscation [GGHR14]
For all Pi: send m^1_i + obfuscation of [input m^{<2}; output m^2_i = Next(xi, ri, m^{<2})] + ... + obfuscation of [input m^{<L}; output m^L_i = Next(xi, ri, m^{<L})]
Correct: local evaluation of the MPC (every party holds all the obfuscated next-message programs and can run the L rounds by itself).
Insecure: a corrupted player can get yi for all xi, because the obfuscated programs of the honest parties accept any incoming messages and can be re-run on transcripts built from different inputs of the corrupted player.
(Figure: parties P1, ..., P5 with inputs x1, ..., x5 and random tapes r1, ..., r5.)
Round Collapsing via Obfuscation [GGHR14]
For all Pi:
Round 1: send ci ← Com((xi, ri); ρi)
Round 2: send m^1_i + proof π^1_i + obfuscation of [input m^{<2}, π^{<2}; abort if a proof is invalid; output m^2_i + proof π^2_i] + ... + obfuscation of [input m^{<L}, π^{<L}; abort if a proof is invalid; output m^L_i + proof π^L_i]
Proof π^ℓ_i proves that ci commits to (xi, ri) such that m^ℓ_i = Next(xi, ri, m^{<ℓ}).
Our Modular Construction
2-round semi-honest OT⋆ → Functional Commitment (FC) with Witness Encryption⋆ → Garbled Interactive Circuit (for the oracle O_FC) → 2-round semi-honest MPC
Functional Commitment with Witness Encryption. Role: replace "commitment + NIZK".
Garbled Interactive Circuit. Role: replace "obfuscation". It is the equivalent of garbled circuits for circuits that can adaptively make queries (to some oracle).
Roadmap
1. Garbled Interactive Circuits ⇒ MPC (replace "obfuscation")
2. Functional Commitment with Witness Encryption (replace "commitment + NIZK")
Towards Garbled Interactive Circuits
Starting point: the [GGHR14] construction, where each Pi commits to (xi, ri) in ci and each round-ℓ message comes with a proof π^ℓ_i that ci commits to (xi, ri) such that m^ℓ_i = Next(xi, ri, m^{<ℓ}).
Observation: m^ℓ_i is unique!
Intuitively, obfuscation seems overkill: garbling + witness encryption should be sufficient [GLS15].
Towards Garbled Interactive Circuits
Party Pi as an interactive circuit: a chain of circuits iC_1, iC_2, ..., iC_{L-1}, iC_L.
iC_1 outputs (m^1_i, π^1_i), the message and proof of Pi for round 1, together with a state st_1.
For ℓ ≥ 2, iC_ℓ takes the state st_{ℓ-1} and the messages m^{ℓ-1} of the Pj's for the previous round, and outputs (m^ℓ_i, π^ℓ_i), the message and proof of Pi for the current round, together with the next state st_ℓ.
Goal: obfuscate the above interactive circuit.
Important observation: the messages m^ℓ are unique!
Solution: garble!
Remaining gap (the "?" boxes of the diagram): the messages and proofs (m^ℓ, π^ℓ) of the other parties must be turned into input labels for the next garbled circuit iC_{ℓ+1}.
Witness Encryption to the Rescue
Goal: allow computing the labels for m^ℓ_j (i.e., implement the "?" step).
Simplification: m^ℓ_j is one bit; its labels are K0 and K1.
Solution: for b ∈ {0, 1}, encrypt Kb so that it can be decrypted using a proof π^ℓ_j that cj commits to v = (xj, rj) such that m^ℓ_j = Next(xj, rj, m^{<ℓ}) = b.
Simple implementation: generic witness encryption (drawback: very inefficient and a non-standard assumption).
Garbled Interactive Circuits
(Figure: chain iC_1 → iC_2 → ... → iC_{L-1} → iC_L with states st_1, ..., st_{L-1}; each iC_ℓ outputs (m^ℓ_i, π^ℓ_i), sends a query q_ℓ to the oracle O and receives its answer w_ℓ; the messages m^1, ..., m^{L-1} of the other parties feed the next circuit.)
Other Applications of Garbled Interactive Circuits
Laconic OT [CDGGMP17] and CDH-based IBE [DG17]
Alice knows a Merkle tree with public root hash h (children h0, h1; grandchildren h00, h01, h10, h11). Bob sends M to Alice if h10 = 0.
Oracle O: query h'; answer (h'0, h'1); witness (h'0, h'1) s.t. h' = Hash(h'0 || h'1)
Step 1: next query: h
Step 2: answer: (h0, h1); next query: h1
Step 3: answer: (h10, h11); output: M if h10 = 0
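The tree walk of the laconic OT application, as an added Python example (constructed here, not code from the talk or from [CDGGMP17] or [DG17]): Alice's oracle answers each query h' with the children (h'0, h'1), and the evaluator's interactive circuit checks the witness relation h' = Hash(h'0 || h'1) before descending, then outputs M only if the leaf it reaches (h10 for the path right-then-left) equals the target value. The names build_tree, MerkleOracle, LyingOracle and interactive_circuit, the 4-leaf sample tree and the choice of SHA-256 are assumptions of the example; the real construction garbles this circuit so that oracle answers are consumed as labels, which this plain version does not model.

```python
import hashlib


def Hash(left: bytes, right: bytes) -> bytes:
    """Node hash h' = Hash(h'0 || h'1)."""
    return hashlib.sha256(left + right).digest()


def build_tree(leaves):
    """Build a Merkle tree over 2^d leaves (raw 32-byte values).

    Returns (root, children) where children maps a node hash to its two children.
    """
    assert len(leaves) >= 2 and len(leaves) & (len(leaves) - 1) == 0
    level, children = list(leaves), {}
    while len(level) > 1:
        nxt = []
        for a, b in zip(level[::2], level[1::2]):
            h = Hash(a, b)
            children[h] = (a, b)
            nxt.append(h)
        level = nxt
    return level[0], children


class MerkleOracle:
    """Alice's oracle O: query h' -> answer (h'0, h'1), the witness for h' = Hash(h'0 || h'1)."""

    def __init__(self, children):
        self.children = children
        self.queries = []            # log of the queries, to watch the walk

    def query(self, h):
        self.queries.append(h)
        return self.children.get(h)


class LyingOracle:
    """An oracle whose answers do not hash to the queried node."""

    def query(self, h):
        return (bytes(32), bytes(32))


def interactive_circuit(root, path_bits, oracle, M, target=bytes(32)):
    """The evaluator's interactive circuit.

    Starting from the public root h, each step queries the current node and
    descends left (0) or right (1).  Every answer is checked against the hash
    relation before it is used, so the oracle cannot steer the walk to a node
    outside the committed tree.  Outputs M if the leaf reached equals target
    (the slide's "h10 = 0"), else None.
    """
    cur = root
    for bit in path_bits:
        ans = oracle.query(cur)                 # next query: the current node
        if ans is None or Hash(ans[0], ans[1]) != cur:
            raise ValueError("oracle answer is not a valid opening of the queried node")
        cur = ans[bit]                          # h'0 or h'1
    return M if cur == target else None


def cheating_oracle_rejected(root, path_bits):
    """True if the circuit refuses to proceed on an invalid oracle answer."""
    try:
        interactive_circuit(root, path_bits, LyingOracle(), b"M")
    except ValueError:
        return True
    return False


# Constructed sample tree: leaf h10 (path right, then left) is the all-zero value.
LEAVES = [b"\x11" * 32, b"\x22" * 32, bytes(32), b"\x44" * 32]

if __name__ == "__main__":
    root, children = build_tree(LEAVES)
    print(interactive_circuit(root, [1, 0], MerkleOracle(children), b"secret message"))
```

The walk issues exactly one query per level (here: h, then h1), matching the three steps on the slide, and it never needs the whole tree, only the answers to its own queries.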
Our Modular Construction: Roadmap
2-round semi-honest OT⋆ → Functional Commitment (FC) with Witness Encryption⋆ → Garbled Interactive Circuit (for the oracle O_FC) → 2-round semi-honest MPC
1. Garbled Interactive Circuits ⇒ MPC (replace "obfuscation")
2. Functional Commitment with Witness Encryption (replace "commitment + NIZK + Witness Encryption")
Classical Commitment
The committer holds v and sends c = Com(v; ρ). Later it opens by sending (v′, ρ′).
Binding: v′ = v. Hiding: c reveals nothing about v.
Functional Commitment with Witness Encryption
The committer holds v and sends c = Com(v; ρ). Later it opens with respect to a function G by sending (G, y, d).
Binding: y = G(v). Zero-knowledge: (c, d) only reveals G(v) = y.
+ Witness Encryption. Can be constructed from 2-round OT⋆.
Oblivious Transfer ≈ Commitment with Witness Encryption
The receiver holds b ∈ {0, 1}; the sender holds x0, x1.
Receiver's message: c = Com(b; ρ).
Sender's message: a WE ciphertext of x0, x1 that can be decrypted to xb if c commits to b.
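The OT-as-commitment-plus-witness-encryption view above, as an added example that is not the paper's construction: a two-round Diffie-Hellman OT in the style of Bellare-Micali, written so that the receiver's message is visibly a commitment to b and the sender's message is a ciphertext pair that only the opening of that commitment can decrypt. The toy 10-bit group (P = 1019), the CRS element C and the function names are assumptions of the example; at this size the group offers no security, and the point is only the message structure.

```python
import hashlib
import secrets

# Toy group parameters (constructed; far too small to be secure).
P = 1019            # safe prime, P = 2*Q + 1
Q = 509             # prime order of the subgroup of quadratic residues
G = 4               # generator of that subgroup (4 = 2^2)


def hash_to_group(label: bytes) -> int:
    """Nothing-up-my-sleeve subgroup element whose discrete log nobody knows."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        c = pow(h, 2, P)            # squaring lands in the order-Q subgroup
        if c not in (0, 1):
            return c
        ctr += 1


C = hash_to_group(b"OT-CRS")        # public parameter (assumed CRS element)


def kdf(shared: int, idx: int) -> int:
    """256-bit one-time pad derived from a DH shared value."""
    return int.from_bytes(hashlib.sha256(b"OT|%d|%d" % (idx, shared)).digest(), "big")


def receiver_round1(b: int):
    """Round 1 (receiver -> sender): c = Com(b; k).

    pk_b = G^k has a known discrete log; pk_{1-b} = C / pk_b does not.
    Only pk0 is sent; pk1 is implied by pk0 * pk1 = C.  pk0 is uniform in the
    subgroup whatever b is (hiding), and the receiver can know the discrete log
    of at most one of pk0, pk1 (binding), since knowing both gives log_G(C).
    """
    k = secrets.randbelow(Q - 1) + 1
    pk_b = pow(G, k, P)
    pk0 = pk_b if b == 0 else (C * pow(pk_b, -1, P)) % P
    return pk0, (b, k)              # (commitment message, opening kept by the receiver)


def sender_round2(pk0: int, x0: int, x1: int):
    """Round 2 (sender -> receiver): the "witness encryption" of x0 and x1.

    Slot i is an ElGamal-style encryption of x_i (an int below 2^256) under
    pk_i; it can be decrypted exactly by whoever knows log_G(pk_i), i.e. the
    opening of the commitment to b = i.
    """
    pk = [pk0, (C * pow(pk0, -1, P)) % P]
    cts = []
    for i, x in enumerate((x0, x1)):
        r = secrets.randbelow(Q - 1) + 1
        cts.append((pow(G, r, P), kdf(pow(pk[i], r, P), i) ^ x))
    return cts


def receiver_output(cts, opening) -> int:
    """Decrypt slot b with the opening (b, k): (G^r)^k = pk_b^r."""
    b, k = opening
    g_r, ct = cts[b]
    return kdf(pow(g_r, k, P), b) ^ ct


def oblivious_transfer(b: int, x0: int, x1: int) -> int:
    """Run the 2-round OT end to end and return what the receiver learns."""
    pk0, opening = receiver_round1(b)
    cts = sender_round2(pk0, x0, x1)
    return receiver_output(cts, opening)


def commitment_is_consistent(pk0: int) -> bool:
    """Sanity check of the relation pk0 * pk1 = C that both sides rely on."""
    return (pk0 * ((C * pow(pk0, -1, P)) % P)) % P == C
```

Decrypting the other slot would require pk_{1-b}^r, i.e. the discrete log of C / pk_b, which is exactly the opening of the commitment to the other bit; this is the sense in which the second message is a witness encryption keyed on "c commits to b".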
Conclusion
Theorem: {semi-honest, semi-malicious, malicious} k-round OT ⇔ {semi-honest, semi-malicious, malicious†} k-round MPC
Corollary (using [AJLTVW12]): semi-malicious k-round OT + NIZK ⇒ malicious k-round MPC
Main new tools: garbled interactive circuits; functional commitments with witness encryption/selector
† for k ≥ 5
Thank you for your attention! Questions?
References
Prabhanjan Ananth, Arka Rai Choudhuri, and Abhishek Jain. A new approach to round-optimal secure multiparty computation. In Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017, Part I, volume 10401 of LNCS, pages 468–499. Springer, Heidelberg, August 2017.
Gilad Asharov, Abhishek Jain, Adriana López-Alt, Eran Tromer, Vinod Vaikuntanathan, and Daniel Wichs. Multiparty computation with low communication, computation and interaction via threshold FHE. In David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages 483–501. Springer, Heidelberg, April 2012.
Elette Boyle, Niv Gilboa, and Yuval Ishai. Function secret sharing: Improvements and extensions. In Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi, editors, ACM CCS 16, pages 1292–1303. ACM Press, October 2016.
Elette Boyle, Niv Gilboa, and Yuval Ishai. Group-based secure computation: Optimizing rounds, communication, and computation. In Jean-Sébastien Coron and Jesper Buus Nielsen, editors, EUROCRYPT 2017, Part II, volume 10211 of LNCS, pages 163–193. Springer, Heidelberg, May 2017.
Elette Boyle, Niv Gilboa, Yuval Ishai, Huijia Lin, and Stefano Tessaro. Foundations of homomorphic secret sharing. To appear, ITCS, 2018.
Saikrishna Badrinarayanan, Vipul Goyal, Abhishek Jain, Yael Tauman Kalai, Dakshita Khurana, and Amit Sahai. Promise zero knowledge and its applications to round optimal MPC. Cryptology ePrint Archive, Report 2017/1088, 2017. https://eprint.iacr.org/2017/1088.
Zvika Brakerski, Shai Halevi, and Antigoni Polychroniadou. Four round secure computation without setup. In Yael Kalai and Leonid Reyzin, editors, TCC 2017, Part I, volume 10677 of LNCS, pages 645–677. Springer, Heidelberg, November 2017.
Donald Beaver, Silvio Micali, and Phillip Rogaway. The round complexity of secure protocols (extended abstract). In 22nd ACM STOC, pages 503–513. ACM Press, May 1990.
Zvika Brakerski and Renen Perlman. Lattice-based fully dynamic multi-key FHE with short ciphertexts. In Matthew Robshaw and Jonathan Katz, editors, CRYPTO 2016, Part I, volume 9814 of LNCS, pages 190–213. Springer, Heidelberg, August 2016.
Chongwon Cho, Nico Döttling, Sanjam Garg, Divya Gupta, Peihan Miao, and Antigoni Polychroniadou. Laconic oblivious transfer and its applications. In Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017, Part II, volume 10402 of LNCS, pages 33–65. Springer, Heidelberg, August 2017.
Ran Canetti, Shafi Goldwasser, and Oxana Poburinnaya. Adaptively secure two-party computation from indistinguishability obfuscation. In Yevgeniy Dodis and Jesper Buus Nielsen, editors, TCC 2015, Part II, volume 9015 of LNCS, pages 557–585. Springer, Heidelberg, March 2015.
Michael Clear and Ciaran McGoldrick. Multi-identity and multi-key leveled FHE from learning with errors. In Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, Part II, volume 9216 of LNCS, pages 630–656. Springer, Heidelberg, August 2015.
Nico Döttling and Sanjam Garg. Identity-based encryption from the Diffie-Hellman assumption. In Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017, Part I, volume 10401 of LNCS, pages 537–569. Springer, Heidelberg, August 2017.
Dana Dachman-Soled, Jonathan Katz, and Vanishree Rao. Adaptively secure, universally composable, multiparty computation in constant rounds. In Yevgeniy Dodis and Jesper Buus Nielsen, editors, TCC 2015, Part II, volume 9015 of LNCS, pages 586–613. Springer, Heidelberg, March 2015.
Sanjam Garg, Craig Gentry, Shai Halevi, and Mariana Raykova. Two-round secure MPC from indistinguishability obfuscation. In Yehuda Lindell, editor, TCC 2014, volume 8349 of LNCS, pages 74–94. Springer, Heidelberg, February 2014.
S. Dov Gordon, Feng-Hao Liu, and Elaine Shi. Constant-round MPC with fairness and guarantee of output delivery. In Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, Part II, volume 9216 of LNCS, pages 63–82. Springer, Heidelberg, August 2015.
Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or A completeness theorem for protocols with honest majority. In Alfred Aho, editor, 19th ACM STOC, pages 218–229. ACM Press, May 1987.
Sanjam Garg and Antigoni Polychroniadou. Two-round adaptively secure MPC from indistinguishability obfuscation. In Yevgeniy Dodis and Jesper Buus Nielsen, editors, TCC 2015, Part II, volume 9015 of LNCS, pages 614–637. Springer, Heidelberg, March 2015.
Sanjam Garg and Akshayaram Srinivasan. Garbled protocols and two-round MPC from bilinear maps. In 58th FOCS, pages 588–599. IEEE Computer Society Press, 2017.
Sanjam Garg and Akshayaram Srinivasan. Two-round multiparty secure computation from minimal assumptions. Cryptology ePrint Archive, Report 2017/1156, 2017. https://eprint.iacr.org/2017/1156.
Shai Halevi, Carmit Hazay, Antigoni Polychroniadou, and Muthuramakrishnan Venkitasubramaniam. Round-optimal secure multi-party computation. Cryptology ePrint Archive, Report 2017/1056, 2017. http://eprint.iacr.org/2017/1056.
Pratyay Mukherjee and Daniel Wichs. Two round multiparty computation via multi-key FHE. In Marc Fischlin and Jean-Sébastien Coron, editors, EUROCRYPT 2016, Part II, volume 9666 of LNCS, pages 735–763. Springer, Heidelberg, May 2016.
Chris Peikert and Sina Shiehian. Multi-key FHE from LWE, revisited. In Martin Hirt and Adam D. Smith, editors, TCC 2016-B, Part II, volume 9986 of LNCS, pages 217–238. Springer, Heidelberg, October / November 2016.
Andrew Chi-Chih Yao. Protocols for secure computations (extended abstract). In 23rd FOCS, pages 160–164. IEEE Computer Society Press, November 1982.
Andrew Chi-Chih Yao. How to generate and exchange secrets (extended abstract). In 27th FOCS, pages 162–167. IEEE Computer Society Press, October 1986.
Construction from Commitment with Witness Encryption
Commit to v: garble a circuit C with v hardwired (input: G; output: G(v)), with input keys k_{i,b}; send the garbled circuit + Com(k_{i,b}) for each i, b.
Open w.r.t. function G: open Com(k_{i,G[i]}) for each i.
Check opening d for (G, y): check the openings of Com(k_{i,G[i]}) and that C({k_{i,G[i]}}) = y.
Witness encryption of M for "y1 = 0 w.r.t. G": garble a circuit that takes the keys k_{i,G[i]} as input, computes y = C({k_{i,G[i]}}) and outputs M if y1 = 0, else ⊥; send the keys using WE for Com(k_{i,b}).
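The commit, open and check steps of the construction above, as an added Python example that is not the paper's code: the committed function is a selection G (G(v) reveals v[i] exactly where G[i] = 1), so the garbled circuit degenerates to one two-row garbled gate per position, keyed by k_{i,0} and k_{i,1}. Hash commitments to the wire keys, SHA-256-derived pads, and the names commit, open_wrt, evaluate and check_opening are assumptions of the example; the final witness-encryption step of the slide is not implemented here.

```python
import hashlib
import secrets


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


def Com(value: bytes):
    """Hash commitment Com(value; rho). Returns (c, rho)."""
    rho = secrets.token_bytes(32)
    return H(b"com", rho, value), rho


def Com_check(c: bytes, value: bytes, rho: bytes) -> bool:
    return c == H(b"com", rho, value)


def pad(key: bytes, i: int) -> bytes:
    """Row pad derived from a wire key; a row can only be read with its key."""
    return H(b"row", key, bytes([i]))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def commit(v):
    """Commit to the bit vector v.

    c = (garbled table, commitments to every wire key k_{i,b});
    state = (the keys, the commitment randomness), kept by the committer.
    Row b of gate i is the payload for G[i] = b, padded under k_{i,b}:
    payload (0, 0) reveals nothing, payload (1, v[i]) reveals the bit.
    """
    keys = [[secrets.token_bytes(16), secrets.token_bytes(16)] for _ in v]
    table = []
    for i, bit in enumerate(v):
        blank = bytes([0, 0]).ljust(32, b"\0")
        reveal = bytes([1, bit]).ljust(32, b"\0")
        table.append([xor(pad(keys[i][0], i), blank), xor(pad(keys[i][1], i), reveal)])
    coms = [[Com(keys[i][b]) for b in (0, 1)] for i in range(len(v))]
    c = (table, [[coms[i][b][0] for b in (0, 1)] for i in range(len(v))])
    state = (keys, [[coms[i][b][1] for b in (0, 1)] for i in range(len(v))])
    return c, state


def open_wrt(state, G):
    """Opening d w.r.t. the selection G: the keys k_{i,G[i]} and their randomness."""
    keys, rhos = state
    return [(keys[i][G[i]], rhos[i][G[i]]) for i in range(len(G))]


def evaluate(table, G, d):
    """y = C({k_{i,G[i]}}): decrypt row G[i] of each gate with the opened key."""
    y = []
    for i, (key, _) in enumerate(d):
        out = xor(pad(key, i), table[i][G[i]])
        y.append(out[1] if out[0] == 1 else None)
    return y


def check_opening(c, G, y, d) -> bool:
    """Verifier: every opened key must match its committed value, and the
    garbled circuit evaluated on those keys must give y."""
    table, key_coms = c
    if len(d) != len(G) or len(G) != len(table):
        return False
    for i, (key, rho) in enumerate(d):
        if not Com_check(key_coms[i][G[i]], key, rho):
            return False
    return evaluate(table, G, d) == y


def G_of(v, G):
    """The function being committed to: v[i] where G[i] = 1, hidden elsewhere."""
    return [v[i] if G[i] else None for i in range(len(v))]


if __name__ == "__main__":
    v, G = [1, 0, 1, 1, 0], [1, 0, 0, 1, 1]     # constructed sample values
    c, state = commit(v)
    d = open_wrt(state, G)
    y = evaluate(c[0], G, d)
    print(y, check_opening(c, G, y, d))
```

Binding comes from the key commitments: an opening must use the committed k_{i,G[i]}, and that key decrypts only the row fixed at commit time. Zero-knowledge comes from the unopened keys k_{i,1-G[i]} never leaving the committer, so the rows holding the unselected bits stay one-time-padded.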