On Multiparty Garbling of Arithmetic Circuits
Aner Ben-Efraim
Ariel University & Ben-Gurion University
Lecture Plan
- MPC & Our Results
- Garbled Circuits – Yao and BMR
- Our Techniques and Constructions
What is secure multiparty computation?
- Idea: parties compute a function of their inputs, revealing only
the output, even if some of the parties are corrupt.
– Examples: online auction, tender, elections, cloud computing…
- Some desirable properties:
– Correctness
– Privacy
– Independence of Inputs
– Fairness
– Guaranteed Output Delivery
– Efficiency (concrete)
Secure Computation via Circuits – Idea
[Figure: a circuit taking Alice’s inputs and Bob’s inputs and producing the outputs.]
Boolean circuits:
- 0/1 values, AND, XOR, NOT gates
- Natural for conditional statements
Arithmetic circuits:
- Values in field or integers
- Addition & multiplication gates
- Natural for arithmetic computations
Mixed Boolean-arithmetic computation
- Neither circuit type is “natural”
- Mixed Boolean-arithmetic circuit?
Low Latency vs. High Throughput
[Figure: parties $P_1$ and $P_2$, shown once for each approach.]
Low Latency: “the garbled-circuit approach”
- Constant rounds of communication
- Examples: Yao, BMR
High-Throughput: “the secret-sharing approach”
- Low bandwidth
- Simple computations
- Examples: GMW, BGW, SPDZ
Some Related Works on Garbled Circuits
- Garbled circuits introduced [Yao82]
- Multiparty garbled circuits introduced [BMR90]
- Many optimizations to 2-party garbled circuits, e.g.,
– Row-reduction [NPS99,PSSW09,GLNP15]
– Free-XOR [KS08] (extended to multiparty [BLO16])
– Half-Gates [ZRE15]
- 2-party arithmetic garbled circuits
– Based on LWE [AIK12]
– By extending free-XOR and half-gates [MPs]
– Using projection gates and CRT [BMR16]
The Natural Question
Can we construct multiparty arithmetic garbled circuits efficiently?
- Some results extend directly
– E.g., free addition
- Some results are less trivial
– Half gates? Multiplication gates?
- Some results are still unclear
– E.g., can we efficiently extend [AIK12]?
Our Results
- 1. Efficient constant round secure multiparty protocol for arithmetic circuits
- We extend free-addition and multiplication by a constant from 2-party [MPs, BMR16] to multiparty setting
- We extend half-gates [ZRE15, MPs] to multiparty multiplication gates
– [ZRE15] Half gates for 2-party Boolean
– [MPs] Extended half gates to 2-party multiplication
– [BMR16] Different 2-party multiplication using projection gates
- 2. Efficient constant round secure multiparty protocol for mixed Boolean-arithmetic garbled circuits
- We show improved selector gates using new techniques
Lecture Plan
✓ MPC & Our Results
- Garbled Circuits – Yao and BMR
- Our Techniques and Constructions
Yao’s Protocol – Idea
[Figure: a circuit taking Alice’s inputs and Bob’s inputs and producing the outputs.]
Garbled Circuits [Yao]
- Yao’s protocol has two parties:
– Garbler – encrypts the circuit
– Evaluator – evaluates the encrypted circuit
- Point and permute: Allows evaluator to know which row to decrypt without learning wires’ values
- Important observation: All gates can be garbled in parallel (also in multiparty)
Point and Permute [BMR90]
- Every wire $\omega$ is assigned a secret random permutation bit $\lambda_\omega \in \{0,1\}$
– Intuitively, the $\lambda$ bits create a permutation
– In multiparty, the permutation bits are secret-shared
- External value, $e_\omega \overset{\mathrm{def}}{=} \lambda_\omega \oplus v_\omega$, revealed at evaluation
– $v_\omega$ is the real value on the wire
– External value does not leak information on real value
- Evaluation done according to the external values
– Keys correspond to the external value
– External value decides which row to decrypt
- Evaluator decrypts only one ciphertext per gate
- Only the $\lambda$s of the circuit output wires are revealed to the evaluator
Point and Permute Illustration
[Figure: AND gate with input wires x, y and output wire z; each wire carries two keys and a permutation bit ($\lambda_x$, $\lambda_y$, $\lambda_z$). The gate’s truth table is shown next to its encrypted/garbled truth table, in which each of the four rows is an encryption, under one key of x and one key of y, of a key of z concatenated with a bit.]
$e_\omega = v_\omega \oplus \lambda_\omega$
– $e_\omega$: value seen by evaluator
– $v_\omega$: real value, corresponding to ungarbled computation
Multiparty Garbling of a Single Gate
[Figure: AND gate with input wires x, y and output wire z, two keys per wire, permutation bits $\lambda_x$, $\lambda_y$, $\lambda_z$; the gate’s truth table and its garbled truth table, each of the four rows an encryption of a key of z under one key of x and one key of y.]
- Each wire key is a set of keys: $\boldsymbol{k} = k^1, \dots, k^n$
- Both $i$th keys known only to party $i$
- The $\lambda$s are not known by any of the parties. Exceptions:
– Parties learn $\lambda$s of their input wires
– The $\lambda$s of the circuit output wires are revealed to evaluator(s)
- Keys corresponding to chosen inputs revealed to all the parties
- Keys correspond to external values, do not reveal inputs
Multiparty Computation via Garbling
Offline Phase:
- 1. Parties compute garbled circuit (using MPC sub-protocol)
Online Phase:
- 2. Parties exchange input external values and corresponding keys
- 3. Each party locally computes the outputs of the circuit
Free XOR [KS08,BLO16]
([KS08]: 2-party; [BLO16]: multiparty)
[Figure: XOR gate with input wires x, y and output wire z and its truth table; on every wire the two keys are $k$ and $k \oplus \Delta$.]
$\boldsymbol{k}_z \overset{\mathrm{def}}{=} \boldsymbol{k}_x \oplus \boldsymbol{k}_y$, $\lambda_z \overset{\mathrm{def}}{=} \lambda_x \oplus \lambda_y$
- Party $i$ chooses a global key offset $\Delta^i$ and sets the difference of its keys to be $\Delta^i$ for all the wires
- Induces a global key set offset $\boldsymbol{\Delta} = \Delta^1, \dots, \Delta^n$
- XOR gates do not require encryption or communication!*
* The fine print:
- Free XOR relies on circular correlation robustness of the underlying hash function
- All the secret-sharing schemes must be in characteristic 2
Lecture Plan
✓ MPC & Our Results
✓ Garbled Circuits – Yao and BMR
- Our Techniques and Constructions
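Extending Free-XOR [MPs,BMR16]
([MPs,BMR16]: 2-party)
- Working in characteristic 2 ⇒ working in characteristic $p$
- Permutation bit
– Characteristic 2: $\lambda_\omega \in \{0,1\}$
– Characteristic $p$: $\lambda_\omega \in \mathbb{F}_p$
- External value
– Characteristic 2: $e_\omega = \lambda_\omega \oplus v_\omega$
– Characteristic $p$: $e_\omega = \lambda_\omega + v_\omega$ (in $\mathbb{F}_p$)
- Keys, global offsets
– Characteristic 2: $k^i, \Delta^i \in \{0,1\}^\kappa$
– Characteristic $p$: $k^i, \Delta^i \in (\mathbb{F}_p)^\kappa$
- #Keys
– Characteristic 2: 2 keys, $\boldsymbol{k}_1 = \boldsymbol{k}_0 \oplus \boldsymbol{\Delta}$
– Characteristic $p$: $p$ keys, $\boldsymbol{k}_\alpha = \boldsymbol{k}_0 + \alpha\boldsymbol{\Delta}$
- Free-XOR (characteristic 2): $\lambda_z \overset{\mathrm{def}}{=} \lambda_x \oplus \lambda_y$, $\boldsymbol{k}_z \overset{\mathrm{def}}{=} \boldsymbol{k}_x \oplus \boldsymbol{k}_y$
- Free addition (characteristic $p$): $\lambda_z \overset{\mathrm{def}}{=} \lambda_x + \lambda_y$, $\boldsymbol{k}_z \overset{\mathrm{def}}{=} \boldsymbol{k}_x + \boldsymbol{k}_y$
- Free multiplication by a constant $c \neq 0$ (characteristic $p$): $\lambda_z \overset{\mathrm{def}}{=} c\lambda_x$, $\boldsymbol{k}_z \overset{\mathrm{def}}{=} c\boldsymbol{k}_x$
Observation for multiparty: $\lambda$ secret-shared in characteristic $p$ field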
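The free-addition and free-constant-multiplication rules above can be checked end to end. The following is an added example, not code from the talk: it writes λ for the permutation element, e = λ + v for the external value and k_α = k_0 + αΔ for the keys, and the names `Wire`, `add_gate`, `const_mul_gate` and `evaluate` and the toy parameters are assumptions. For brevity it holds each λ in the clear, where the protocol keeps it secret-shared.

```python
import secrets

P, N, KAPPA = 101, 3, 4  # constructed toy values: prime p, parties n, key length

def rand_vec():
    return [secrets.randbelow(P) for _ in range(KAPPA)]

def add(a, b):
    return [(x + y) % P for x, y in zip(a, b)]

def scale(c, a):
    return [(c * x) % P for x in a]

class Wire:
    """Permutation element lam and, for each party i, its zero-key k0[i]."""
    def __init__(self, lam, k0):
        self.lam, self.k0 = lam, k0

    def key(self, alpha, deltas):
        # Key set for external value alpha: k_alpha^i = k_0^i + alpha * Delta^i
        return [add(k, scale(alpha, d)) for k, d in zip(self.k0, deltas)]

def fresh_wire():
    return Wire(secrets.randbelow(P), [rand_vec() for _ in range(N)])

def add_gate(x, y):
    # Free addition: lam_z = lam_x + lam_y, k_z = k_x + k_y (no ciphertexts)
    return Wire((x.lam + y.lam) % P, [add(a, b) for a, b in zip(x.k0, y.k0)])

def const_mul_gate(c, x):
    # Free multiplication by a constant c != 0: lam_z = c*lam_x, k_z = c*k_x
    assert c % P != 0
    return Wire((c * x.lam) % P, [scale(c, a) for a in x.k0])

def evaluate(v_x, v_y, c):
    """Evaluate w = c*(x + y) on keys only; return (keys consistent, output)."""
    deltas = [rand_vec() for _ in range(N)]   # one global offset per party
    x, y = fresh_wire(), fresh_wire()
    e_x, e_y = (x.lam + v_x) % P, (y.lam + v_y) % P
    kx, ky = x.key(e_x, deltas), y.key(e_y, deltas)  # what the evaluator holds
    z = add_gate(x, y)
    e_z = (e_x + e_y) % P                            # evaluator: local addition
    kz = [add(a, b) for a, b in zip(kx, ky)]
    w = const_mul_gate(c, z)
    e_w = (c * e_z) % P                              # evaluator: local scaling
    kw = [scale(c, a) for a in kz]
    ok = kz == z.key(e_z, deltas) and kw == w.key(e_w, deltas)
    return ok, (e_w - w.lam) % P                     # unmask with output lam
```

The evaluator's locally derived key sets equal the garbler-side keys for the new external values because the same offsets Δ^i are used on every wire, which is exactly what makes these gates free.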
Half Gates [ZRE15,MPs]: Idea Overview
([ZRE15]: 2-party Boolean; [MPs]: 2-party arithmetic)
- For each AND gate: garble 2 “half gates” and XOR results
– Each half gate uses only 1 key for encryption/decryption
- Requires only 2 encryptions
– XOR is free
– Total 4 encryptions (but saves communication in 2-party)
- Idea: $v_x v_y = v_x (v_y \oplus \lambda_y) \oplus \lambda_y v_x$
Half Gates: Idea Sketch
[Figure: $v_x v_y$ split into the two half gates $v_x (v_y \oplus \lambda_y)$ and $\lambda_y v_x$, with $\lambda_z = \hat{\lambda}_z \oplus \bar{\lambda}_z$; annotations: “Known by evaluator”, “Independent of real value”, “2 encryptions”, “2 encryptions”, “free”.]
Half Gates
- Idea: $e_z = v_x v_y \oplus \lambda_z = v_x (v_y \oplus \lambda_y) \oplus \lambda_y v_x \oplus \lambda_z$
- Observations:
- 1. $v_x (v_y \oplus \lambda_y) \oplus \hat{\lambda}_z = e_x e_y \oplus \lambda_x e_y \oplus \hat{\lambda}_z$
- 2. $\lambda_y v_x \oplus \bar{\lambda}_z = \lambda_y e_x \oplus \lambda_y \lambda_x \oplus \bar{\lambda}_z$
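The two observations follow by substitution; this worked step is added here and is not on the slides. It writes $\lambda$ for the permutation bit, $e$ for the external value and $v$ for the real value, with $\lambda_z = \hat{\lambda}_z \oplus \bar{\lambda}_z$ the two shares of the output permutation bit, and uses $v_x = e_x \oplus \lambda_x$ and $v_y \oplus \lambda_y = e_y$:

$$v_x (v_y \oplus \lambda_y) \oplus \hat{\lambda}_z = (e_x \oplus \lambda_x)\, e_y \oplus \hat{\lambda}_z = e_x e_y \oplus \lambda_x e_y \oplus \hat{\lambda}_z$$

$$\lambda_y v_x \oplus \bar{\lambda}_z = \lambda_y (e_x \oplus \lambda_x) \oplus \bar{\lambda}_z = \lambda_y e_x \oplus \lambda_y \lambda_x \oplus \bar{\lambda}_z$$

$$e_z = e_x e_y \oplus \bigl(\lambda_x e_y \oplus \hat{\lambda}_z\bigr) \oplus \bigl(\lambda_y e_x \oplus \lambda_y \lambda_x \oplus \bar{\lambda}_z\bigr)$$

The term $e_x e_y$ is known to the evaluator, the first bracket depends on the evaluation only through $e_y$, and the second only through $e_x$, so each bracket can be garbled as a two-row table under a single wire's keys.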
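Multiparty Garbling of Half-Gates
[Figure: AND gate with input wires x, y and output wire z, two keys per wire, permutation bits $\lambda_x$, $\lambda_y$, $\lambda_z$, and its truth table; the garbled truth tables of the two half gates, one with two rows encrypted under the keys of wire x and one with two rows encrypted under the keys of wire y.]
- Partitioning of permutation bit and keys required
– $\lambda_z = \hat{\lambda}_z \oplus \bar{\lambda}_z$
– $\boldsymbol{k}_z = \hat{\boldsymbol{k}}_z \oplus \bar{\boldsymbol{k}}_z$ ($k_z^i = \hat{k}_z^i \oplus \bar{k}_z^i$)
- “Key of $e_x e_y$” computed without encryption
– Set to be $e_y \boldsymbol{k}_{e_x,x}$ (some technical issues)
– Output key = summation of both decrypted keys and key of $e_x e_y$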
Multiplication
[Figure: gate constructions labelled Multiplication, Sum and Addition, annotated with $p$ and $2p$.]
⇒ arithmetic circuits via CRT [AIK11,BMR16]
More Efficient Selector Gates
[Figure: selector gate with input wires x, y, w and output wire z, with its truth table.]
- Honest evaluator decrypts only a single corrector gate
– Requires decrypting 2 rows instead of 3 using projection
- Dishonest evaluator might decrypt the “wrong” corrector gate
– To maintain security, we introduce a new technique: double partitioning the keys and permutation bits
- To garble this gate we use multi-field shared bits