Multiparty Computation from Somewhat Homomorphic Encryption - PowerPoint PPT Presentation



slide-1
SLIDE 1

Multiparty Computation from Somewhat Homomorphic Encryption

Ivan Damgård (1), Valerio Pastro (1), Nigel Smart (2), Sarah Zakarias (1)

(1) Aarhus University, (2) Bristol University

August 22, 2012

Damgård, Pastro, Smart, Zakarias, SPDZ, August 22, 2012, 1 / 19

slide-2
SLIDE 2

Our work: What is it?

An(other) MPC protocol:
- Active security
- Dishonest majority
- Computational security
- Universally composable

Previous work (examples):
- Early construction [CLOS02]
- "MPC in the Head" approach [IKOS07, IPS08]
- Preprocessing model [DO10, BDOZ11, NNOB12]



slide-4
SLIDE 4

Notation

[BDOZ11]: (BeDOZa) "Semi-Homomorphic Encryption and Multiparty Computation"

SPDZ: (SPeeDZ) ← This talk! "Multiparty Computation from Somewhat Homomorphic Encryption"



slide-6
SLIDE 6

SPDZ Old Techniques – The Preprocessing Model

Two-phase approach

Preprocessing ⟹ Online
- Preprocessing: shared randomness generation (public-key crypto required)
- Online: evaluation of f using the preprocessed data

Features:
- Preprocessing: independent of f
- Online phase: very fast – no PKE!


slide-7
SLIDE 7

1. Online
2. Preprocessing


slide-8
SLIDE 8

Digression on [BDOZ11]’s Online Phase

Computation: on additive secret sharing. Secret x = x_1 + ··· + x_n, with x_i → P_i.

Security: information-theoretic MACs on shares:

$\mathrm{MAC}_j(x_i) = \alpha^j_i \cdot x_i + \beta^j_{x,i}$

where $P_i$ holds $\mathrm{MAC}_j(x_i)$ and $P_j$ holds the key $(\alpha^j_i, \beta^j_{x,i})$.

$[x] := \Big( x_i,\; \{\mathrm{MAC}_j(x_i)\}_{j=1,\, j \neq i}^{n},\; \{\alpha^i_j, \beta^i_{x,j}\}_{j=1,\, j \neq i}^{n} \Big)_{i=1,\dots,n}$



slide-10
SLIDE 10

Computation with Secret Sharing and MACs

How to compute [x + y] from [x] and [y]?

Very easy! $P_i$: $x_i + y_i$, $\mathrm{MAC}_j(x_i) + \mathrm{MAC}_j(y_i)$, $\beta^i_{x,j} + \beta^i_{y,j}$

How to compute [x · y] from [x] and [y]?

Using [Bea91]: easy if players have a "multiplicative triple" [a], [b], [a · b]:

1. Compute [x + a], [y + b] (easy).
2. Reconstruct ε = x + a, δ = y + b (and MAC-checking).
3. Compute [z] = [a · b] − ε · [b] − δ · [a] + ε · δ.

[z] equals [x · y]:

$z = ab - \varepsilon b - \delta a + \varepsilon\delta = ab - (x+a)b - (y+b)a + (x+a)(y+b) = xy$



slide-13
SLIDE 13

Summary on the Online Phase

Computation

- Linear secret sharing and MACs → [x + y]: locally add
- Multiplicative triples → [x · y]: add and reconstruct

Security

- Secret sharing inputs → privacy
- MACs (on shares) → authenticity

Data needed per secret

One secret → n shares → n MACs (and keys) per share → O(n²) field elements per secret.



slide-16
SLIDE 16

Lowering the amount of data needed?

The Catch

In [BDOZ11], MACs on shares authenticate the secret. Why not MACs on the secret to authenticate the secret?

Assuming [α] (one single value for all secrets):

$\langle x \rangle := (x_1, \dots, x_n, \gamma(x)_1, \dots, \gamma(x)_n)$, with $(x_i, \gamma(x)_i) \to P_i$,

where x_1, ..., x_n is an additive secret sharing of x, and γ(x)_1, ..., γ(x)_n is an additive secret sharing of γ(x) = α · x (the MAC on x).

Data needed per secret

One secret → n shares + n shares of a MAC → O(n) field elements per secret.



slide-19
SLIDE 19

Does it really work?

Setup

- MAC keys in [·]: privately held; different secret → different key.
- MAC keys in ⟨·⟩: [α], unique for all secrets!

Problem

P_i needs α to check a MAC → P_i can later forge MACs! → Gate-by-gate check = insecure.

Solution

1. Compute the whole circuit with no checks.
2. Commit to MACs.
3. Open [α].
4. Check MACs.

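The online phase of slides 10, 16 and 19 in code, as an added example (not the authors' code and not an SPDZ implementation): a trusted dealer stands in for the preprocessing phase, the representation ⟨x⟩ carries a shared global key α, addition is local, multiplication uses a Beaver triple with the talk's ε = x + a, δ = y + b convention, and MACs are only checked after the whole circuit. The field size P, all function names and the `cheat` knob are assumptions; `cheat` models a party that announces a wrong share during an opening and shows it is caught once α is opened.

```python
import random

P = 2**61 - 1   # prime field of the toy computation (constructed parameter)

def share(x, n):
    """Additive secret sharing of x over Z_P: n shares that sum to x."""
    s = [random.randrange(P) for _ in range(n - 1)]
    return s + [(x - sum(s)) % P]

def auth_share(x, alpha, n):
    """SPDZ representation <x>: party i holds (x_i, gamma(x)_i) with sum_i gamma(x)_i = alpha*x."""
    return list(zip(share(x, n), share(alpha * x % P, n)))

def lin(xs, ys, c, d, const, alpha_shares):
    """<c*x + d*y + const>, computed locally: party 1 absorbs the constant into its value
    share, and every party adds const*alpha_i to its MAC share (alpha is itself shared)."""
    return [((c * a + d * b + (const if i == 0 else 0)) % P, (c * m + d * k + const * al) % P)
            for i, ((a, m), (b, k), al) in enumerate(zip(xs, ys, alpha_shares))]

def open_value(xs, log, cheat=0):
    """Reconstruct from the value shares only; the MAC shares are recorded ("committed")
    for the deferred check. cheat != 0 models a corrupt party announcing a wrong share."""
    v = (sum(a for a, _ in xs) + cheat) % P
    log.append((v, [m for _, m in xs]))
    return v

def beaver_mul(xs, ys, triple, alpha_shares, log, cheat=0):
    """[z] = [ab] - eps*[b] - delta*[a] + eps*delta, eps = x+a, delta = y+b (talk's convention)."""
    A, B, C = triple
    eps = open_value(lin(xs, A, 1, 1, 0, alpha_shares), log, cheat)
    delta = open_value(lin(ys, B, 1, 1, 0, alpha_shares), log)
    z = lin(C, B, 1, (-eps) % P, 0, alpha_shares)
    return lin(z, A, 1, (-delta) % P, eps * delta % P, alpha_shares)

def mac_check(alpha_shares, log):
    """After the whole circuit: open alpha, then check sum_i gamma_i == alpha * v for every opened v."""
    alpha = sum(alpha_shares) % P
    return all(sum(macs) % P == alpha * v % P for v, macs in log)

def run(x, y, n=3, cheat=0, seed=7):
    """Trusted dealer stands in for the preprocessing phase: [alpha] and one triple.
    Online: <z> = <x>*<y>, open z, then run the deferred MAC check."""
    random.seed(seed)
    alpha = random.randrange(1, P)
    al = share(alpha, n)
    a, b = random.randrange(P), random.randrange(P)
    triple = tuple(auth_share(v, alpha, n) for v in (a, b, a * b % P))
    log = []
    z = beaver_mul(auth_share(x, alpha, n), auth_share(y, alpha, n), triple, al, log, cheat)
    return open_value(z, log), mac_check(al, log)
```

A gate-by-gate check would have required α before the last opening; here α is reconstructed only inside `mac_check`, after every value has been opened and its MAC shares recorded.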

slide-20
SLIDE 20

Online – the Numbers

Notation: n: # players; m_f: # multiplications in the circuit C to compute; |C|: circuit size.

                                          [BDOZ11]         SPDZ
Preprocessed data needed                  Θ(m_f · n²)      O(m_f · n)
Complexity (field mults)                  Ω(|C| · n²)      O(|C| · n + n³)
Amortized timing (64-bit prime field)     7.7 ms           0.05 ms

Note

- Preprocessed data needed: optimal up to a constant factor.
- Complexity: optimal up to poly-log factors.


slide-21
SLIDE 21

1. Online
2. Preprocessing



slide-24
SLIDE 24

High Level Idea

1. Generate a = a_1 + ··· + a_n, b = b_1 + ··· + b_n.
2. Generate and broadcast encryptions Enc(a_i), Enc(b_i).
3. Compute an encryption Enc(c), where c = a · b.
4. Distribute c_i to P_i, where c = c_1 + ··· + c_n.

Problems

- Does P_i know the plaintext contained in Enc(a_i), Enc(b_i)?
- How to compute Enc(c)?

Solutions

- First problem: a ZK-proof.
- Second problem: a very expensive ZK-proof... or?



slide-26
SLIDE 26

The Right Encryption Scheme

The Nicest Solution: The Problem

Given fresh Enc(a_1), ..., Enc(a_n), Enc(b_1), ..., Enc(b_n), compute:

$\mathrm{Enc}(a) \leftarrow \sum_i \mathrm{Enc}(a_i), \quad \mathrm{Enc}(b) \leftarrow \sum_i \mathrm{Enc}(b_i), \quad \mathrm{Enc}(c) \leftarrow \mathrm{Enc}(a) \cdot \mathrm{Enc}(b),$

where a_1 + ··· + a_n = a, b_1 + ··· + b_n = b, c = a · b.

Fresh: a ciphertext computed via the encryption algorithm.


slide-27
SLIDE 27

Our Abstract Scheme

Somewhat Homomorphic Encryption Scheme

An encryption scheme (KeyGen, Enc, Dec) such that

$\mathrm{Dec}\big(C'(\mathrm{Enc}(m_1), \dots, \mathrm{Enc}(m_n))\big) = C(m_1, \dots, m_n),$

where C is an arithmetic circuit in a specific set S. In our case: S = circuits of multiplicative depth one.

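The preprocessing idea of slides 24 to 27 in code, as an added toy example: a symmetric-key, Ring-LWE-style scheme of multiplicative depth one, constructed for this page and not the paper's [BV11] variant (the ZK proofs, distributed decryption and SIMD packing are not modelled, and a single key holder decrypts). The parameters N, Q, P and all function names are assumptions; the block shows Enc(a) ← Σ Enc(a_i), Enc(b) ← Σ Enc(b_i), Enc(c) ← Enc(a) · Enc(b), and that Enc(c) decrypts to c = a · b mod P, which is exactly the one multiplication the abstract scheme allows.

```python
import random
from functools import reduce

N, Q, P = 8, 1 << 80, 65537   # ring degree, ciphertext modulus, plaintext modulus (toy parameters)

def poly_mul(a, b):
    """Multiply in Z_Q[x]/(x^N + 1) (schoolbook; x^N = -1)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N: res[i + j] += ai * bj
            else: res[i + j - N] -= ai * bj
    return [r % Q for r in res]

def poly_add(a, b): return [(x + y) % Q for x, y in zip(a, b)]

def small_poly(): return [random.choice((-1, 0, 1)) for _ in range(N)]   # key / noise

def enc(s, m):
    """Fresh ciphertext (c0, c1) with c0 - c1*s = m + P*e; the message is a constant polynomial."""
    c1 = [random.randrange(Q) for _ in range(N)]
    noise = [P * e % Q for e in small_poly()]
    c0 = poly_add(poly_add(poly_mul(c1, s), noise), [m % P] + [0] * (N - 1))
    return (c0, c1)

def add(ct, dt): return tuple(poly_add(x, y) for x, y in zip(ct, dt))

def mul(ct, dt):
    """One multiplication: 3-element ciphertext decrypted with (1, -s, s^2); no second level."""
    (c0, c1), (d0, d1) = ct, dt
    return (poly_mul(c0, d0), poly_add(poly_mul(c0, d1), poly_mul(c1, d0)), poly_mul(c1, d1))

def dec(s, ct):
    """Centred reduction mod Q recovers m + P*e exactly while the noise stays below Q/2; then mod P."""
    v = poly_add(ct[0], [-x % Q for x in poly_mul(ct[1], s)])
    if len(ct) == 3:
        v = poly_add(v, poly_mul(ct[2], poly_mul(s, s)))
    x = v[0] - Q if v[0] > Q // 2 else v[0]
    return x % P

def triple_demo(n=3, seed=1):
    """Talk's preprocessing idea: n parties each encrypt their share of a and of b; anyone sums
    the fresh ciphertexts to Enc(a), Enc(b), multiplies once, and Enc(c) decrypts to c = a*b."""
    random.seed(seed)
    s = small_poly()
    a_sh, b_sh = [random.randrange(P) for _ in range(n)], [random.randrange(P) for _ in range(n)]
    enc_a = reduce(add, (enc(s, x) for x in a_sh))
    enc_b = reduce(add, (enc(s, x) for x in b_sh))
    c = dec(s, mul(enc_a, enc_b))
    return c, sum(a_sh) % P * (sum(b_sh) % P) % P
```

`mul` has no way to take a 3-element ciphertext as input, which is the depth-one restriction of slide 27 made concrete.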

slide-28
SLIDE 28

Our Concrete Scheme

A variant of Brakerski and Vaikuntanathan [BV11] (based on Ring-LWE)

Features of our variant

- computation of circuits of multiplicative depth 1 on ciphertexts,
- distributed decryption,
- specialized for parallel operations on multiple data (SIMD).


slide-29
SLIDE 29

Preprocessing – The Numbers

Notation: u: security parameter; κ: size of encryption.

                                              [BDOZ11]           SPDZ
Encryption type                               Semi-homomorphic   SHE, mult. depth 1
ZKPoPK amortized complexity                   O(κ + u) bits      O(κ + u) bits
Correct mult. amortized complexity            O(κ · u) bits
Offline benchmark (2-party, sec = 80 bits)    2-4 s              0.008 s



slide-31
SLIDE 31

Summary

SPDZ

Active security, dishonest majority, preprocessing model

Online phase:
◮ Linear amount of data needed
◮ Essentially linear communication complexity

Preprocessing:
◮ Rational use of SHE
◮ Fewer ZK protocols, compared to [BDOZ11]
◮ Very practical

http://eprint.iacr.org/2011/535.pdf

Thanks


slide-32
SLIDE 32

References

[BDOZ11] Rikke Bendlin, Ivan Damgård, Claudio Orlandi, and Sarah Zakarias. Semi-homomorphic encryption and multiparty computation. In EUROCRYPT, pages 169–188, 2011.

[Bea91] Donald Beaver. Efficient multiparty protocols using circuit randomization. In Joan Feigenbaum, editor, CRYPTO, volume 576 of Lecture Notes in Computer Science, pages 420–432. Springer, 1991.

[BV11] Zvika Brakerski and Vinod Vaikuntanathan. Fully homomorphic encryption from ring-LWE and security for key dependent messages. In Phillip Rogaway, editor, CRYPTO, volume 6841 of Lecture Notes in Computer Science, pages 505–524. Springer, 2011.

[CLOS02] Ran Canetti, Yehuda Lindell, Rafail Ostrovsky, and Amit Sahai. Universally composable two-party and multi-party secure computation. In STOC, pages 494–503, 2002.

[DO10] Ivan Damgård and Claudio Orlandi. Multiparty computation for dishonest majority: From passive to active security at low cost. In CRYPTO, pages 558–576, 2010.

[IKOS07] Yuval Ishai, Eyal Kushilevitz, Rafail Ostrovsky, and Amit Sahai. Zero-knowledge from secure multiparty computation. In David S. Johnson and Uriel Feige, editors, STOC, pages 21–30. ACM, 2007.

[IPS08] Yuval Ishai, Manoj Prabhakaran, and Amit Sahai. Founding cryptography on oblivious transfer - efficiently. In David Wagner, editor, CRYPTO, volume 5157 of Lecture Notes in Computer Science, pages 572–591. Springer, 2008.

[NNOB12] Jesper Buus Nielsen, Peter Sebastian Nordholt, Claudio Orlandi, and Sai Sheshank Burra. A new approach to practical active-secure two-party computation. In Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO, volume 7417 of Lecture Notes in Computer Science, pages 681–700. Springer, 2012.