TinyKeys: A New Approach to Efficient Multi-Party Computation - PowerPoint PPT Presentation

TinyKeys: A New Approach to Efficient Multi-Party Computation Carmit Hazay , Emmanuela Orsini, Peter Scholl and Eduardo Soria-Vazquez Based on slides prepared by Peter Scholl and Eduardo Soria-Vazquez

Secure Multi-Party Computation (MPC) Secure computation has many applications a b • Auctions with private bids • Privacy-preserving data mining • Private health records • Cryptographic key protection • Secure statistical analyses • Smart city research – gender inequity • … c d Goal: Compute f(a,b,c,d)

MPC - Past and Present a b c d Feasibility results: Back to the 80’s [Yao86,GMW87,BGW88,CCD88,Kilian88,RB89,BMR90] Broad focus on improving efficiency in past decade: Two-party setting [LP07,KS08,NO09,IKOPS11,NNOB12,HKK+14,ZRE15,RR16,GLNP15,WMK17, WRK17,HIV17,KRRW18], Multi-party setting [IPS08-09,DPSZ12,DKL+13,LPSY15,WRK17b,HSS17,KPR18,CGHIKLN18]

Properties of MPC Protocols Computational model: Boolean/arithmetic circuits, RAM Adversary model: Passive (semi-honest) or active (malicious) Threshold 𝒖 (number of corrupted parties) Efficiency: Computation/ communication complexity Round complexity

Corruption Thresholds vs Communication Complexity of Practical MPC n/2 n − 1 Corruptions: 0 Efficiency: O(n 2 k) O(nlog n) ??? n parties k -bit security Can we design concretely efficient MPC protocols where each honest party can be leveraged to increase efficiency?

Main Question Can we trade off the number of corrupt parties for a more efficient, practical protocol?

Motivation: Large Scale, Dishonest Majority Large number of users want to conduct surveys, auctions, statistical analysis, measure network activity, etc. MPC between Committee- all users based MPC Dishonest Majority : More parties ⇒ More trustworthy

MPC Setting in This Talk Main focus: • Concrete efficiency for large numbers of parties (e.g. 𝑜 in 10s, 100s) Preprocessing Adversary: • Static, passive corr. • Dishonest majority ( 𝑢 > 𝑜/2) rand. a b Online Model of Computation: • Boolean circuits c d • Preprocessing phase

Our Results New dishonest majority protocols exploiting more honest parties: 1. Passive GMW-style MPC based on OT Up to 25x less communication compared with 𝑜 − 1 corruptions 2. Passive constant-round BMR-style MPC based on garbled circuits Up to 7x reduction in GC size and communication cost Best improvements with 20+ parties when 70-90% are corrupt

The TinyKeys Technique

Warm-up: Distributed Encryption … 𝜆 𝜆 𝜆 𝜆 𝜆 , … , , = Enc 𝜆 = ෍ 𝐼 𝑗 + ≈ 𝑗

Distributed Encryption: Can We Do Better? … …

Distributed Encryption with TinyKeys … ℓ … ℓ ℓ ℓ ℓ ℓ , … , , = Enc ℓ = ෍ 𝐼 𝑗 + ≈ 𝑗

Breaking Security 2 ℓ keys ℓ ℓ ℓ + ෍ 𝐼 ≈ 𝐼 1 + ⋯ + 𝐼 ℎ 𝑘 𝑘=ℎ+1 .. 𝑜

Breaking Security 0 𝐼 1 2 ℓ − 1 0 Length 2 ℓ , × 1 𝐼 1 0 … Hamming 0 0 Weight 1 0 ℓ ℓ ≈ 𝐼 1 + ⋯ + 𝐼 ℎ

Breaking Security 0 𝐼 1 2 ℓ − 1 0 Length 2 ℓ , × 1 𝐼 1 0 … Hamming 0 0 Weight 1 0 Length 2 ℓ , ℓ 𝑓 1 Hamming ≈ 𝐼 1 + ⋯ + 𝐼 ℎ Weight 1 𝐼 1 2 ℓ − 1 𝐼 1 0 …

Breaking Security 0 0 𝐼 𝑗 2 ℓ − 1 Length 2 ℓ , × 0 𝐼 𝑗 0 … Hamming 0 1 Weight 1 0 Length 2 ℓ , ℓ 𝑓 1 Hamming ≈ 𝐼 1 + ⋯ + 𝐼 ℎ Weight 1 𝐼 1 2 ℓ − 1 𝐼 1 0 … ⋮

Breaking Security 0 𝐼 ℎ 2 ℓ − 1 1 Length 2 ℓ , × 0 𝐼 ℎ 0 … Hamming 0 0 Weight 1 0 Length 2 ℓ , ℓ 𝑓 1 Hamming ≈ 𝐼 1 + ⋯ + 𝐼 ℎ Weight 1 𝐼 1 2 ℓ − 1 𝐼 1 0 … ⋮

Breaking Security 0 𝐼 ℎ 2 ℓ − 1 1 Length 2 ℓ , × 0 𝐼 ℎ 0 … Hamming 0 0 Weight 1 0 𝑓 1 Length 2 ℓ , Hamming ≈ Weight 1 𝐼 ℎ 2 ℓ − 1 𝐼 1 2 ℓ − 1 𝐼 ℎ 0 𝐼 1 0 … … ⋮ 𝐼 𝑓 ℎ 2 ℓ 2 ℓ

Breaking Security Adv wins: Given 𝐼 and y = He , distinguish y from random 𝑓 1 Length 2 ℓ , Hamming ≈ Weight 1 𝐼 ℎ 2 ℓ − 1 𝐼 1 2 ℓ − 1 = 𝐼 ℎ 0 𝐼 1 0 … … ⋮ 𝐼 y 𝑓 ℎ 2 ℓ 2 ℓ

Breaking Security: Regular Syndrome Decoding 0,1 𝑠×𝑛 , and regular 𝑓 ∈ {0,1} 𝑛 of weight ℎ Sample random 𝐼 ∈ ⇔ distinguish y from random Adv wins: Given 𝐼 and y = He , find 𝑓 Length 2 ℓ , Hamming Weight 1 y ≈ 𝐼 𝑠 = h e blocks m = ℎ ⋅ 2 ℓ

Hardness of Regular Syndrome Decoding • Used for SHA-3 candidate FSB [Augot Finiasz Sendrier 03] • Not much easier than syndrome decoding ⇔ LPN • Params: Message length 𝑠 , key length ℓ , #honest ℎ • Statistically hard for small 𝑠 /large ℎ [FS09] [Saa07] [NCB11] [MO15] [Kir11] [BM17] [BJMM12] [CJ04] [BLN+09] [BLP08] [MS09] [MMT11] [BLP11]

TinyKeys: A Little Honesty Goes a Long Way (Tiny) GMW (Tiny) BMR OT • Key length: ℓ ≥ 1 • Key length: ℓ ≥ 5 • Many challenges: • High Fan-Out • Enabling FreeXOR

(Tiny) GMW

Quick Recap of GMW 𝑦 = 𝑦 1 + … + 𝑦 𝑜 ∈ {0,1} 𝑦 8 , 𝑧 8 𝑧 = 𝑧 1 + … + 𝑧 𝑜 ∈ {0,1} + P8 𝑦 + 𝑧 = 𝑦 1 + 𝑧 1 ) + … + (𝑦 𝑜 + 𝑧 𝑜 P1 P7 𝑦 1 , 𝑧 1 𝑦 7 , 𝑧 7 𝑦 ∧ 𝑧 = 𝑦 1 + ⋯ + 𝑦 𝑜 · 𝑧 1 + ⋯ + 𝑧 𝑜 P2 P6 x i ∈ {0,1} r, r + y j ∈ {0,1} 𝑦 2 , 𝑧 2 𝑦 6 , 𝑧 6 1-out-2 r + x i · y j Bit OT P3 P5 𝑦 3 , 𝑧 3 𝑦 5 , 𝑧 5 r r + x i · y j P4 𝑦 4 , 𝑧 4

[ I shai K ilian N issim P etrank 03] “ IKNP ” OT Extension with Short Keys! ℓ 𝜆 × 1-out-2 OTs on 𝜆 -bit strings Shrink PRG, hash + the keys! r 𝜆 bits comm. ℓ 1 , … , X 0 r ∈ 0,1 2 𝐜 ∈ 0,1 r 1 , X 1 r , X 1 X 0 r × 1-out-2 Bit OTs 2 ℓ keys 1 , … , X b r r X b 1 L 𝐜 ≈ H + 𝐜

Using leaky OT for GMW-Style MPC x ∧ y = x 1 + ⋯ + x n · y 1 + ⋯ + y n = ෍ (x 1 + ⋯ +x n ) · y j Sharings j=1..n P of zero: 1 s 1,j + x 1 + ෍ (s 1,j + ⋯ +s n,j ) · y j k 1,j ෍ s ij = 0 j=1..n i H 1 k 1,j + x 1 + s 1,j ≈ H 2 k 2,j + x 2 P + s 2,j P ≈ Leaky OT 2 j s 2,j + x 2 ⋯ y j k 2,j + s h,j ≈ H h k h,j + x h + P h ≈ + s ij ෍ H i k i,j + x i ℓ ℓ i=1..h s h,j + x h k h,j + H 1 + ⋯ + H h

GMW: Communication Cost of Producing a Single Triple (200 Parties) 3000 2500 Comm. (bits/AND triple) 2000 1500 Standard [DKSSZZ17] Committee TinyKeys 1000 500 0 0 10 20 30 40 50 60 70 80 90 100 # honest parties

(Tiny) BMR

Garbling an AND Gate with Yao u v w 0 0 0 u w 0 1 0 v 1 0 0 1 1 1

Garbling an AND Gate with Yao E A 0 ,B 0 C 0 A 0 , A 1 E A 0 ,B 1 (C 0 ) C 0 , C 1 E A 1 ,B 0 C 0 B 0 , B 1 E A 1 ,B 1 (C 1 ) • Pick two random keys for each wire Randomly permute entries • Encrypt the truth table of each gate Invariant : evaluator learns one key per wire throughout the circuit

Distributed Garbling [BMR90] E A 0 ,B 0 C 0 1 , … , A 0 n ), (A 1 1 , … , A 1 n ) (A 0 1 , … , B 0 n ), (B 1 1 , … , B 1 n ) E A 0 ,B 1 (C 0 ) (B 0 E A 1 ,B 0 C 0 1 , … , B 0 n ), (B 1 1 , … , B 1 n ) (B 0 E A 1 ,B 1 (C 1 ) ℓ Shrink i , A 1 i ∈ 0,1 k etc Each P i gets A 0 the keys! A 1 B 1 Use distributed encryption: E A,B C = H 1 ⊕ ⋯ ⊕ H n | A n ||B n ) ⊕ nℓ For hash function H ∶ 0,1 ∗ → 0,1 nk (C 1 , … , C n )

BMR with Short Keys 𝐸 0 , 𝐸 1 𝐹 0 , 𝐹 1 Reusing keys reduces security in regular syndrome decoding problem for: High fan-out Free-xor Solution: Splitter gates [Tate Xu 03] – can be garbled for free Local free-XOR offsets

BMR: Communication Cost of Garbling an AND Gate ( 1 00 Parties) 6000 5000 4000 Comms (kbit) 3000 Standard Short keys 2000 1000 0 0 10 20 30 40 50 60 70 80 90 # honest parties Comparison with [Ben-Efraim Lindell Omri 16]

Conclusion and Future Directions New technique for distributing trust (more honesty ⇒ s horter keys) Improved protocols with 20+ parties GMW: Up to 25x in communication (vs multi-party [DKSSZZ17]) BMR: Up to 7x in communication (vs [BLO16]) Follow-up work: Active Security – TinyKeys for TinyOT (Asiacrypt ’18) Future challenges: Optimizations, more cryptanalysis (conservative parameters atm)

Thank you! Questions? Paper: https://ia.cr/2017/214 [Full version] TinyKeys: A New Approach to Efficient Multi-Party Computation Carmit Hazay , Emmanuela Orsini, Peter Scholl and Eduardo Soria-Vázquez