Overdrive: Making SPDZ Great Again


SLIDE 1
  • M. Keller, V. Pastro, Dragos Rotaru

imec-Cosic, Dept. Electrical Engineering 1

Eurocrypt 2018

Overdrive: Making SPDZ Great Again

Marcel Keller, Valerio Pastro, and Dragos Rotaru

University of Bristol, Yale University, KU Leuven

SLIDE 2

What’s all the fuss about?

Goal: Compute F(a, b, c)

a c b

SLIDE 3

Security Model

  • Many parties (up to N)
  • Malicious adversary
  • Dishonest majority of corrupted parties

SLIDE 5

Malicious MPC protocols

Preprocessing phase Online phase

Inputs PKC SPDZ, TinyOT, BDOZa, MASCOT

SLIDE 6

Secret share then authenticate

$y = y_1 + y_2 + y_3$

$\alpha = \alpha_1 + \alpha_2 + \alpha_3$

$\alpha y = \gamma(y)_1 + \gamma(y)_2 + \gamma(y)_3$

SLIDE 7

Secret share then authenticate

$y + z = (y + z)_1 + (y + z)_2 + (y + z)_3$

$\alpha = \alpha_1 + \alpha_2 + \alpha_3$

$\alpha(y + z) = \gamma(y + z)_1 + \gamma(y + z)_2 + \gamma(y + z)_3$

SLIDE 8

Secret share then authenticate

But we want to multiply!

SLIDE 9

Let’s do it – what do we need?

SLIDE 13

What we have done

Fastest triple generation!

SLIDE 14

How to multiply shared inputs with triples (Beaver’s Trick)
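
The "Secret share then authenticate" slides and Beaver's trick, worked end to end as an added example (not code from the talk or from SPDZ-2). It simulates three parties in one process, so the MAC check reads every share of α directly, whereas the real protocol commits before revealing; the modulus, the inputs 6 and 7, and all function names are constructed for illustration.

```python
import secrets
P, N = 2**61 - 1, 3  # toy prime field modulus and party count (constructed values)

def share(v):  # additive sharing: v = v_1 + ... + v_N mod P
    parts = [secrets.randbelow(P) for _ in range(N - 1)]
    return parts + [(v - sum(parts)) % P]

def auth_share(v, alpha):  # per-party pairs (v_i, gamma(v)_i); gamma shares sum to alpha*v
    return list(zip(share(v), share(alpha * v % P)))

def add(x, y):  # local: add value shares and MAC shares component-wise
    return [((a + c) % P, (b + d) % P) for (a, b), (c, d) in zip(x, y)]

def scale(x, k):  # local: multiply value and MAC shares by a public constant k
    return [(k * a % P, k * b % P) for a, b in x]

def add_const(x, k, alpha_sh):
    """Add public k: party 0 adds k to its value share, party i adds alpha_i*k to its MAC share."""
    return [((a + (k if i == 0 else 0)) % P, (b + alpha_sh[i] * k) % P)
            for i, (a, b) in enumerate(x)]

def open_checked(x, alpha_sh):
    """Open v, then check sum_i (gamma(v)_i - alpha_i*v) == 0 (simulated in one process)."""
    v = sum(a for a, _ in x) % P
    if sum(b - al * v for (_, b), al in zip(x, alpha_sh)) % P != 0:
        raise ValueError("MAC check failed")
    return v

def beaver_mul(x, y, triple, alpha_sh):
    """[xy] = [c] + eps*[b] + delta*[a] + eps*delta, with eps = x-a and delta = y-b opened."""
    a, b, c = triple
    eps = open_checked(add(x, scale(a, P - 1)), alpha_sh)    # x - a
    delta = open_checked(add(y, scale(b, P - 1)), alpha_sh)  # y - b
    z = add(add(c, scale(b, eps)), scale(a, delta))
    return add_const(z, eps * delta % P, alpha_sh)

def demo():
    alpha = 1 + secrets.randbelow(P - 1)          # global MAC key, never opened
    alpha_sh = share(alpha)
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    triple = tuple(auth_share(v, alpha) for v in (a, b, a * b % P))
    x, y = auth_share(6, alpha), auth_share(7, alpha)
    product = open_checked(beaver_mul(x, y, triple, alpha_sh), alpha_sh)
    bad = [((x[0][0] + 1) % P, x[0][1])] + x[1:]  # party 0 lies about its share
    try:
        open_checked(bad, alpha_sh)
    except ValueError:
        return product, True
    return product, False
```

`demo()` returns the opened product and whether the tampered share was rejected.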

SLIDE 17

Revisit, improve, revisit…

SPDZ-1 (DPSZ’12) SPDZ-2 (DKL+’13) MASCOT (KOS’16) BDOZa (BDOZ’11)

Semi-homomorphic encryption Depth-1 SHE (Dedicated BGV) Depth-1 SHE (NTL), ZK Proof

Triple Sacrificing technique High Gear Low Gear

SLIDE 19

LAN Timings

SLIDE 25

SPDZ-1 recap

Enc(a[1]) Enc(b[1]) Enc(a[2]) Enc(b[2]) Enc(a[3]) Enc(b[3])

C =

C[1] + C[2] + C[3] = C

  • Parties may lie about their plaintext - incorrect decryption, reveal info about secret keys.
  • Need to add ZK proofs for bounding the plaintext

SLIDE 26

How to 0-knowledge

I know my eX! Not sure. Let’s verify!

Prover: x Verifier: f(x)

Commitment f’(r) Challenge: E Response: r+E(x)

SLIDE 27

How to 0-knowledge

I know my eX!

I have negligible doubts.

Prover: x Verifier: f(x)

Commitment f’(r) Challenge: E Response: r+E(x)

  • f’(r+E(x)) = f’(r)+E(f(x))
  • r+E(x) is bounded
  • r >> x, r/x is called slack
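
One round of the commit, challenge, response exchange above, as an added example (not code from the talk or from SPDZ-2). It assumes a toy public linear map f standing in for encryption, f' = f, a single challenge bit E, and constructed parameters B and SLACK; the last two calls in the usage note show why the verifier's guarantee is only |x| ≤ B·slack rather than |x| < B.

```python
import secrets

Q = 2**61 - 1                      # toy modulus (constructed)
B, SLACK, DIM = 2**10, 2**20, 4    # claimed bound on |x_i|, toy slack, vector length
A = [[secrets.randbelow(Q) for _ in range(DIM)] for _ in range(2)]  # public linear map

def f(v):
    """Linear stand-in for encryption: f(u + e*v) = f(u) + e*f(v) mod Q."""
    return [sum(a * x for a, x in zip(row, v)) % Q for row in A]

def commit():
    """Prover picks a mask r with |r_i| <= B*SLACK - B, so r >> x hides x in r + E*x."""
    bound = B * SLACK - B
    r = [secrets.randbelow(2 * bound + 1) - bound for _ in range(DIM)]
    return r, f(r)

def respond(r, x, e):
    """Response r + E*x, computed over the integers (no modular reduction)."""
    return [ri + e * xi for ri, xi in zip(r, x)]

def verify(t, y, e, z):
    """Check f(z) = f(r) + E*f(x) and that the response is bounded by B*SLACK."""
    linear_ok = f(z) == [(ti + e * yi) % Q for ti, yi in zip(t, y)]
    return linear_ok and all(abs(zi) <= B * SLACK for zi in z)

def run(x, e=None, r=None):
    """One round; e and r may be fixed to make a check reproducible."""
    y = f(x)                                    # public image of the witness
    r = commit()[0] if r is None else r
    e = secrets.randbelow(2) if e is None else e
    return verify(f(r), y, e, respond(r, x, e))
```

`run([B - 1] * DIM)` always accepts; `run([100 * B] * DIM, e=1, r=[0] * DIM)` also accepts although x is far above B, while `run([B * SLACK + 1] * DIM, e=1, r=[0] * DIM)` is rejected.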

SLIDE 29

To slack or not to slack

  • ZKPoPk: to prove that x < B we need an encryption scheme which supports plaintexts < B * slack

Slack is:

  • ~2^50 for 40-bit security
  • ~2^100 for 128-bit security

Well, that’s a big ciphertext.

  • Improve the ZK slack analysis.
  • With depth-1 BGV the slack becomes tiny tiny because of the modulus switching.

SLIDE 30

Some ciphertexts need no slack

SLIDE 31

High Gear: SPDZ-1 with global proof

V(P(Alice)+P(Bob)) V(P(Bob)) V(P(Charlie)) V(P(Alice)) V(P(Charlie)) V(P(Alice)) V(P(Bob)) V(P(Bob)+P(Charlie)) V(P(Alice)+P(Charlie))

SLIDE 33

Low Gear vs High Gear, the tipping point

224k Triples/s

64 CPUs, 488Gb RAM, 25Gb Network

6 parties

SLIDE 34

100 party Vickrey Auction

AWS m3.2xlarge 8 CPUs, 30Gb RAM, 10Gb Network

SLIDE 35

Code lives on the internetz

https://github.com/bristolcrypto/SPDZ-2

Open problem alert:

  • In the Low Gear protocol we assumed semi-homomorphic BGV is a linear only encryption scheme.
  • Can you create ciphertexts which decrypt to non-linear plaintexts without the KS info? Known as linear target malleability [BCI+13] or linear only encryption [BISW17].

SLIDE 37

  • Questions?

Thank you!

SLIDE 38

Tiny advert: SCALE at TPMPC

  • SCALE (Secure Computation Algorithms from Leuven)
  • We do a better analysis of the ZK proofs involved.
  • Pre-processing phase coupled with the online phase.
  • Compiler is documented, people can read how to use it.
  • Other bells and whistles.