Multi-Party Function Evaluation with Perfectly Private Audit Trail

Édouard Cuvelier & Olivier Pereira
Université catholique de Louvain, ICTEAM Crypto Group, 1348 Louvain-la-Neuve, Belgium
UCL Crypto Group, SDTA - December 2014


SLIDE 1

UCL Crypto Group, Microelectronics Laboratory, SDTA - December 2014

Multi-Party Function Evaluation with Perfectly Private Audit Trail

Édouard Cuvelier & Olivier Pereira
Université catholique de Louvain, ICTEAM – Crypto Group, 1348 Louvain-la-Neuve – Belgium


SLIDE 3

Privacy vs Verifiability – Two Extremes

Public auctions: verifiability 100%, privacy 0%. Sealed-bid auctions: verifiability 0%, privacy 100%.

How to reconcile privacy and verifiability?

SLIDE 4

Objectives

◮ Generic - Evaluate any computable function in a multi-party setting
◮ Privacy - Parties only trust a third party for privacy
◮ Verifiability - Guarantee the correctness of the result
◮ Efficiency - Run in reasonable execution time and memory size on a standard laptop

SLIDE 5

Outline

  • 1. Motivations
  • 2. Protocol description
  • 3. Three test applications
  • 4. Conclusion

SLIDE 6

Motivations

A direct solution is the use of “Classic” Secure Multi-Party Computation...

SLIDE 7

“Classic” Secure Multi-Party Computation

[Figure: Client 1 (input x1), Client 2 (input x2) and Client 3 (input x3) jointly compute f(x1, x2, x3); each client obtains f(x1, x2, x3)]

SLIDE 8

Motivations I

A direct solution is the use of “Classic” Secure Multi-Party Computation... Interesting features:

◮ No need for a trusted third party
◮ Allows evaluation of any arithmetic or boolean function [VIFF, Fairplay, Sharemind, TASTY]
◮ Existing implementations are more and more efficient [SPDZ (Damgård et al. 13), BeDOZa (Bendlin et al. 10), TinyOT (Nielsen et al. 12)]

SLIDE 9

Motivations II

In practice, it raises issues:

◮ How to go from 3 clients to 3333 clients?
◮ An online infrastructure is needed
◮ Clients need to agree on the algorithm that computes the function
◮ Still not efficient enough for complex functions (NP-hard problems)


SLIDE 12

Protocol Description

[Figure: Client 1, Client 2, ..., Client n post Com(x1), Com(x2), ..., Com(xn) on a Public Bulletin Board and send Enc(x1), Enc(x2), ..., Enc(xn) to the Worker, who publishes f(x1, ..., xn) and a proof]

Com(x) is a commitment on the value x (e.g. $\mathrm{Com}(x) = g^x h^r$).

◮ Com(x) is perfectly private (information theoretically)
◮ Com(x) is computationally binding

SLIDE 13

Advantages of the model I

◮ No communications between the clients

[Figure: clients C1–C8 all communicating with each other, versus clients C1–C8 each communicating only with the Worker]


SLIDE 15

Advantages of the model II

◮ No communications between the clients
◮ The Worker can use his own sophisticated algorithms without compromising his intellectual property when the verification is not the algorithm itself
◮ Gain in complexity when the proof is simpler to compute than the function itself

SLIDE 16

A word on Encryption-Commitment

Commitment Consistent Encryption (CCEnc), proposed at ESORICS 13 (Cuvelier, Pereira & Peters):

CCEnc = (Gen, Enc, Dec, DerivCom, Open, Verify)

It ensures consistency between the commitment and the encryption.

SLIDE 17

Efficient implementation over Elliptic Curve I

$G_1, G_2, G_T$ are different groups of the same prime order $q$, with a bilinear map $e : G_1 \times G_2 \to G_T$:

$g \in G_1$, $h \in G_2$: $e(g, h) \in G_T$
$g^a \in G_1$, $h \in G_2$: $e(g^a, h) = e(g, h)^a$
$g \in G_1$, $h^b \in G_2$: $e(g, h^b) = e(g, h)^b$

In our case: $G_1 = E(\mathbb{F}_p)$, $G_2 \subset E'(\mathbb{F}_{p^2})$ and $G_T \subset \mathbb{F}_{p^{12}}$, where $E$ is a BN curve and $E'$ the twisted curve $\sim E$.

SLIDE 21

Efficient implementation over Elliptic Curve II

Small $m \in \mathbb{Z}_q$; additively homomorphic encryption and commitment.

Generators: $g, g_1 \in G_1$ and $h, h_1 = h^{x_1} \in G_2$ (with $x_1$ the secret key).

Commitment: $d = g^r g_1^m$

Ciphertext: $c_1 = h^s$, $c_2 = h^r h_1^s$

$\mathrm{Dec}_{sk}(c)$: DLog of $e(g, c_1^{x_1} / c_2) \cdot e(d, h) = e(g_1, h)^m$

$\mathrm{Open}_{sk}(c)$: $a = c_2 / c_1^{x_1}$

$\mathrm{Verif}_{pk}(d, m, a)$: $e(g, a) \stackrel{?}{=} e(d / g_1^m, h)$
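Worked check of the three operations above against the definitions on this slide (an added derivation, not on the original slides; it uses only the symbols already introduced):

$$
\begin{aligned}
c_1^{x_1} &= h^{s x_1} = h_1^{s}, \qquad a = \frac{c_2}{c_1^{x_1}} = \frac{h^r h_1^s}{h_1^s} = h^r, \\
e\!\left(g, \frac{c_1^{x_1}}{c_2}\right) \cdot e(d, h) &= e(g, h^{-r}) \cdot e(g^r g_1^m, h) = e(g,h)^{-r}\, e(g,h)^{r}\, e(g_1,h)^{m} = e(g_1, h)^m, \\
e(g, a) &= e(g, h^r) = e(g, h)^r = e(g^r, h) = e\!\left(\frac{d}{g_1^m}, h\right).
\end{aligned}
$$

So decryption is a discrete logarithm in $G_T$ to the fixed base $e(g_1, h)$, feasible only because $m$ is small; Open releases $h^r$ rather than $r$ itself, which is all the pairing check needs; and Verif never uses the secret $x_1$, so anyone holding the public parameters can audit an opening.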

SLIDE 22

A word on the proof

The proof of correctness is an aggregation of proofs on intermediate assumptions:

◮ performed on the commitment space
◮ the proofs are Zero-Knowledge Proofs of Knowledge (ZKPK) that are rendered non-interactive
◮ ZKPK are needed for multiplication and for range proofs
◮ efficient in our elliptic-curve-based setting

SLIDE 23

A word on the proof - multiplication proof

From Damgård & Fujisaki 02: given $\mathrm{Com}_1 = g^{r_1} g_1^{x_1}$, $\mathrm{Com}_2 = g^{r_2} g_1^{x_2}$, $\mathrm{Com}_3 = g^{r_3} g_1^{x_3}$, we prove in NIZK that $x_3 = x_1 x_2$:

  • 1. Prove the knowledge of the openings of $\mathrm{Com}_1$, $\mathrm{Com}_2$, $\mathrm{Com}_3$
  • 2. Prove that $\mathrm{Com}_3$ commits to the same value as $\mathrm{Com}_2$ using base $\mathrm{Com}_1$

◮ online verification
◮ offline verification by using a precomputed multiplicative triplet [SPDZ]

SLIDE 24

A word on the proof - range proof

$\mathrm{Com}(x) = g^r g_1^x$; we prove in NIZK that $x \in [0, L[$, $L \le 2^{16}$

◮ needed for branching operators (<)
◮ based on signature-pairing (Camenisch et al. 08): amortized cost for small L, trusted setup, precomputation
◮ based on binary decomposition $L = 2^k + 1$ and $\mathrm{ZKPK}_{0,1}$: cost linear in k

SLIDE 25

A word on the proof - complexity

M : 1 scalar multiplication over EC
Mp : 1 scalar multiplication over EC with precomputation (≈ 1/5 M)
A : 1 addition over EC
U : 1 integer in $\mathbb{Z}_q$

Proof                    Computation       Verification                        Size
Commitment               2Mp + 1A          2Mp + 1A                            2U
ZKPK_{0,1}               4Mp + 2A          2M + 3Mp + 3A                       4U
ZKPK_dLog                4Mp + 2A          2M + 4Mp + 4A                       4U
ZKPK_consist             8Mp + 3A          8Mp + 3A                            4U
ZKPK_mul                 6Mp + 3A          4M + 5Mp + 6A                       6U
ZKPK_range(2^k + 1)      6k Mp + 3k A      (3k − 1)M + 3k Mp + (4k − 1)A       6k U


SLIDE 29

1st application : Auctions

[Figure: Clients holding x1, x2, x3, ..., xn post Com(x1), Com(x2), Com(x3), ..., Com(xn) on the Bulletin Board]

  • Optimal sorting: O(n log n)

[Figure: the Worker sorts the bids x3, x7, x1, ..., x10 and publishes the ordered commitments Com(x3) ≥ Com(x7) ≥ Com(x1) ≥ ... ≥ Com(x10)]

The proof consists of n − 1 NIZK range proofs in the commitment space: O(n)

SLIDE 30

2nd application : Linear System Solving

$$
S := \begin{cases} a_{1,1} z_1 + \cdots + a_{1,n} z_n = b_1 \\ \vdots \\ a_{m,1} z_1 + \cdots + a_{m,n} z_n = b_m \end{cases} \Leftrightarrow AZ = B
$$

with $a_{i,j} = \mathrm{Com}(x_{i,j})$, $X \in \mathcal{M}_{m \times n}$, $A \in \mathcal{C}^{m \times n}$, $B \in \mathcal{C}^{m \times 1}$.

The unique solution, if one exists, is $Z_s = X^{-1} B$: $O(m^3 n^3)$

The Worker publishes $Z_s$ with the list of openings of $A Z_s$.

The Clients verify that $A Z_s$ opens to $B$: $O(mn)$
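The commitment, range-proof and verification steps of the auction application (slide 29) and of the linear-system application (this slide), as an added Python example that is not part of the talk or of its implementation. It assumes a toy prime-order subgroup of $\mathbb{Z}_p^*$ in place of the BN-curve groups, Pedersen commitments $\mathrm{Com}(x) = g^x h^r$ as on slide 12, a Fiat-Shamir OR-proof as the $\mathrm{ZKPK}_{0,1}$ of slide 24 combined with the binary decomposition described there, and it hands the worker the openings directly, standing in for the CCEnc Open step of slides 16 and 21. Names such as `prove_range`, `auction_proof` and `linear_system_proof` are the example's own; the bids and the matrix in the test are constructed values. Python 3.8+ is needed for `pow` with a negative exponent.

```python
import hashlib
import secrets

# Toy group: the order-Q subgroup of Z_P^* with P = 2Q + 1 (constructed stand-in for
# the talk's BN-curve groups). Commitments stay perfectly hiding; binding only rests
# on DLog in a ~2^20-element group, so this is for illustration only.
def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

Q = next(q for q in range(1 << 20, 1 << 21) if _is_prime(q) and _is_prime(2 * q + 1))
P = 2 * Q + 1
G = 4                                                   # a square, hence of order Q
H = pow(int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big") % P, 2, P)
assert H not in (0, 1), "hash-derived h must be a non-trivial square"  # DLog_G(H) unknown

def random_scalar():
    return secrets.randbelow(Q)

def commit(x, r):
    """Pedersen commitment Com(x; r) = g^x h^r; note Com(x; r) * Com(y; s) = Com(x + y; r + s)."""
    return pow(G, x, P) * pow(H, r, P) % P

def _challenge(*elems):
    """Fiat-Shamir challenge in Z_Q, which makes the sigma protocols below non-interactive."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, elems)).encode()).digest(), "big") % Q

def prove_bit(c, b, r):
    """ZKPK_{0,1} for c = g^b h^r: an OR-proof of 'c = h^r' or 'c/g = h^r', b selecting the
    real branch; the other branch is simulated. Returns (c0, c1, z0, z1)."""
    targets = [c, c * pow(G, -1, P) % P]
    cs, zs, t = [0, 0], [0, 0], [0, 0]
    w = random_scalar()
    t[b] = pow(H, w, P)                                 # real branch: fresh commitment to w
    cs[1 - b], zs[1 - b] = random_scalar(), random_scalar()
    t[1 - b] = pow(H, zs[1 - b], P) * pow(targets[1 - b], -cs[1 - b], P) % P   # simulated
    cs[b] = (_challenge(c, t[0], t[1]) - cs[1 - b]) % Q  # challenges must sum to the hash
    zs[b] = (w + cs[b] * r) % Q
    return cs[0], cs[1], zs[0], zs[1]

def verify_bit(c, proof):
    c0, c1, z0, z1 = proof
    targets = [c, c * pow(G, -1, P) % P]
    t = [pow(H, z, P) * pow(tg, -ch, P) % P for z, tg, ch in zip((z0, z1), targets, (c0, c1))]
    return (c0 + c1) % Q == _challenge(c, t[0], t[1])

def prove_range(x, r, k):
    """Prove Com(x; r) opens to some x in [0, 2^k): commit to the k bits of x with
    randomness chosen so that prod_i C_i^(2^i) == Com(x; r), plus a ZKPK_{0,1} per bit."""
    bits = [(x >> i) & 1 for i in range(k)]
    rs = [random_scalar() for _ in range(k - 1)]
    rs.append((r - sum(ri << i for i, ri in enumerate(rs))) * pow(1 << (k - 1), -1, Q) % Q)
    coms = [commit(b, ri) for b, ri in zip(bits, rs)]
    return [(ci, prove_bit(ci, b, ri)) for ci, b, ri in zip(coms, bits, rs)]

def verify_range(c, proof, k):
    if len(proof) != k or not all(verify_bit(ci, bp) for ci, bp in proof):
        return False
    recombined = 1
    for i, (ci, _) in enumerate(proof):
        recombined = recombined * pow(ci, 1 << i, P) % P
    return recombined == c                              # ties the bits to the original commitment

def auction_proof(bids, rands, k):
    """Worker: sort the bids and prove each consecutive difference lies in [0, 2^k).
    The worker is handed the openings here; in the talk it recovers them from Enc(x_i)."""
    order = sorted(range(len(bids)), key=lambda i: bids[i], reverse=True)
    proofs = [prove_range(bids[a] - bids[b], (rands[a] - rands[b]) % Q, k)
              for a, b in zip(order, order[1:])]
    return order, proofs

def verify_auction(coms, order, proofs, k):
    """Client: n-1 range proofs on Com(x_a)/Com(x_b) = Com(x_a - x_b), from public data only."""
    if sorted(order) != list(range(len(coms))) or len(proofs) != len(coms) - 1:
        return False
    return all(verify_range(coms[a] * pow(coms[b], -1, P) % P, pr, k)
               for (a, b), pr in zip(zip(order, order[1:]), proofs))

def linear_system_proof(rX, rB, Z):
    """Worker: next to the solution Z, publish rho_i = sum_j r_ij z_j - s_i, which opens
    prod_j Com(x_ij)^z_j / Com(b_i) as a commitment to 0, i.e. 'A Z opens to B'."""
    return [(sum(rij * zj for rij, zj in zip(row, Z)) - si) % Q for row, si in zip(rX, rB)]

def verify_linear_system(A, B, Z, rhos):
    """Client: m*n exponentiations on the commitments, whatever solver the worker used."""
    for row, bi, rho in zip(A, B, rhos):
        lhs = 1
        for aij, zj in zip(row, Z):
            lhs = lhs * pow(aij, zj, P) % P
        if lhs != bi * pow(H, rho, P) % P:
            return False
    return True

if __name__ == "__main__":
    bids = [37, 200, 5, 121, 200]                       # constructed sealed bids, all below 2^8
    rands = [random_scalar() for _ in bids]
    coms = [commit(x, r) for x, r in zip(bids, rands)]
    order, proofs = auction_proof(bids, rands, 8)
    print("published order", order, "verified:", verify_auction(coms, order, proofs, 8))
```

Verification touches only published data: the commitments on the bulletin board, the claimed order or solution, and the proofs; the client never sees a bid or a matrix entry. A wrong order is rejected because a negative difference has no bit decomposition that recombines to the published difference commitment, and a wrong solution or opening breaks the row equality in the commitment space. Each difference costs k OR-proofs, the "cost linear in k" of slide 24, while the linear-system check is the O(mn) exponentiations of this slide. The group order of about 2^20 keeps the demo fast but gives only 2^-20 soundness per challenge, so the parameters must not be reused anywhere real.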

SLIDE 31

3rd application : Shortest Path in a Graph I

Weighted graph with E edges and V vertices. Each Client owns one or several edges.

[Figure: graph from Source to Sink whose edges carry the private weights x1, x2, ..., x18]

SLIDE 32

3rd application : Shortest Path in a Graph II

The Clients commit on their private input and publish it. They send Enc(xi) to the Worker.

The Worker computes the shortest path using the Bellman-Ford algorithm: O(EV)

The proof of correctness is the evaluation of the algorithm on the commitments: O(EV)

SLIDE 33

Applications results

Test application                                                     Algorithm complexity   Verif. proof complexity
Auctions with n bids                                                 O(n log n)             O(n)
Solving linear system of equations with m equations, n variables     O(m^3 n^3)             O(mn)
Shortest path in a graph (E edges, V vertices)                       O(EV)                  O(EV)

Specifications                               Worker                               Client
Auctions, n = 10/100/1000                    2.71·10^-1 / 2.74 / 27.5             2.59·10^-1 / 2.8 / 28.21
Linear system solving, n = 16/256/4096       1.43·10^-1 / 2.3 / 36.8              5.54·10^-3 / 7.28·10^-2 / 1.14
Shortest path, E = V = 4/16/64               5.15·10^-1 / 6.87 / 106.58           3.85·10^-1 / 6.44 / 70.88

Timings in seconds, including encryption/decryption and computation/verification of the proofs.

SLIDE 34

Conclusion

A protocol that evaluates any multi-party function

◮ with a strong guarantee on the correctness of the result
◮ with perfect privacy given the trust assumption on the worker
◮ efficiently

We offer:

◮ the possibility to use optimized algorithms without compromising the intellectual property when the verification proof does not depend on the algorithm
◮ a gain in complexity for the client compared with the complexity of the whole algorithm (in any case the maximum bound)
◮ no need for a (big) network infrastructure

SLIDE 35

Future applications

The technique is especially efficient for applications where the solution is easier to verify than to compute, in particular NP-hard problems such as

◮ the map coloring problem
◮ finding a Hamiltonian cycle in a graph
◮ the knapsack problem