Tw Two-round Secu cure MPC from Mi Mini nimal Assum umptions - PowerPoint PPT Presentation

Tw Two-round Secu cure MPC from Mi Mini nimal Assum umptions ns Sanjam Garg Akshayaram Srinivasan University of California, Berkeley Eurocrypt 2018

Secure Two-Party Computation [Yao 86] “Securely” compute 𝑔(𝑦 " , 𝑦 # ) 𝑦 # 𝑦 " • Two-rounds are necessary. • Garbled circuits + two-round OT => two-round secure 2-PC • Minimal assumptions

Secure Multiparty Computation [Goldreich-Micali-Wigderson 87] Compute 𝑔(𝑦 " , 𝑦 # , … , 𝑦 , ) 𝑦 ( 𝑦 # 𝑦 ) 𝑦 " 𝑦 * … 𝑦 + 𝑦 ,

Secure Multiparty Computation [Yao 86, Goldreich-Micali-Wigderson 87] 𝑦 ( 𝑦 # 𝑦 ) Not learn anything about honest 𝑦 " 𝑦 * parties inputs apart from 𝑔(𝑦 " , 𝑦 # , … , 𝑦 , ) … 𝑦 + 𝑦 ,

What is known? • Goldreich-Micali-Wigderson protocol. • Number of rounds grows with the depth of the circuit. • Long line of work reducing the round complexity [BMR90,…]. • Two-round secure MPC protocols [GGHR14, GLS15, MW16, BGI17,G S 17]. • Gap in the assumptions sufficient for two-round MPC and 2PC. Can we construct two-round MPC from weaker assumptions ?

Our Work Two-round protocol for secure multiparty computation from any two- round oblivious transfer. • Semi-honest: From any two-round OT in the plain model. • Malicious: From any two-round maliciously secure OT in the CRS model. Concurrent and Independent work by Benhamouda-Lin 18

Ma Main Idea

Round Compression Protocol 𝜚 securely computes 𝑔(𝑦 " , 𝑦 # , … , 𝑦 , ) 𝑦 ( 𝑦 # 𝑦 ) 𝑦 " 𝑦 * … 𝑦 + 𝑦 ,

Round Compression 𝑦 ( 𝑦 # 𝑦 ) 𝑦 " 𝑦 * Two broadcast rounds … 𝑦 + 𝑦 ,

Toy protocol 𝜚 𝑔 𝑏, 𝑐, 𝑑 = (𝑏, 𝑏 ∧ 𝑐, 𝑏 ∧ 𝑐 ∧ 𝑑) 𝑑 Inputs: 𝑏 𝑐 Round-1 𝑏 𝑏 ∧ 𝑐 Round-2 𝑏 ∧ 𝑐 ∧ 𝑑 Round-3

Ro Round Compression using Garbled Circuits

Garbled Circuits [Yao 86, Applebaum-Ishai-Kushilevitz 04, Bellare-Hoang-Rogaway 12] 𝑔: 0,1 , → 0,1 9 : 𝑔 𝑔 , 𝑚 " # 𝑚 " " 𝑚 " , 𝑚 < " # 𝑚 < 𝑚 <

Garbled Circuits [Yao 86, Applebaum-Ishai-Kushilevitz 04, Bellare-Hoang-Rogaway 12] Evaluation : 𝑔 𝑔(𝑦) + , 𝑚 = @ # " 𝑚 = ? 𝑚 = >

Garbled Circuits [Yao 86, Applebaum-Ishai-Kushilevitz 04, Bellare-Hoang-Rogaway 12] Leaks only : 𝑔 𝑔(𝑦) + , 𝑚 = @ # " 𝑚 = ? 𝑚 = >

Ho How w to Compr pres ess the the Toy Protocol l to 2 ro rounds?

Two-Round Protocol: High level Idea 𝑑 Inputs: 𝑏 𝑐 𝑏 Round-1 Implement the 2 nd round Round-2 Implements the 3 rd round

How do the garbled circuits implement rounds? 𝑑 𝑏, 𝑐 Round-2 𝑏 ∧ 𝑐 𝑑, 𝑏 ∧ 𝑐 In [G S 17], we achieved this by a special purpose WE Round-3 [GGSW13, DG17] 𝑏 ∧ 𝑐 ∧ 𝑑

Ma Maki king t the g garb rbled c circuits “t “talk” f k” from O OT

Oblivious Transfer [Rabin 81] 𝒑𝒖𝒕 𝟐 ← 𝑷𝑼 𝟐 (𝒄; 𝒔) 𝑛 < , 𝑛 " 𝑐 𝒑𝒖𝒕 𝟑 ← 𝑷𝑼 𝟑 (𝒑𝒖𝒕 𝟐 , 𝒏 𝟏 , 𝒏 𝟐 ) 𝒏 𝒄 ← 𝑷𝑼 𝟒 (𝒑𝒖𝒕 𝟑 , 𝒔) Two-message OTs are known from a variety of assumptions [AIR01,NP01,PVW08]

Two-Round Protocol for Toy Function 𝑑 Inputs: 𝑏 𝑐 0 𝑃𝑈 " 0 ∧ 𝑐; 𝜕 < 1 𝑃𝑈 " 1 ∧ 𝑐; 𝜕 " 𝑏 Round-1 Round-2

Functions computed by Garbled Circuits Party 3 Party 2 𝑑 𝑏, 𝑐 " , 𝑚 " " 𝑚 < 0 𝑃𝑈 " 0 ∧ 𝑐; 𝜕 < 𝑏 𝜕 < , 𝜕 " # , 𝑚 " # 1 𝑃𝑈 " 1 ∧ 𝑐; 𝜕 " 𝑚 < # , 𝑚 " # ) 𝑏 ∧ 𝑐 𝜕 U " 𝑃𝑈 # (𝑃𝑈 " ( 𝑏 ∧ 𝑐 ), 𝑚 < 𝑚 T 𝑑, 𝑏 ∧ 𝑐 𝑏 ∧ 𝑐 ∧ 𝑑

Ge Generalizing t to Arb Arbitrary C y Computations

General Case 𝐷 " Round-1 𝐷 # Round-2 . . . 𝐷 W Round-T

Conclusion • We gave a two-round protocol for secure multiparty computation from two-round OT . • In a subsequent work [Garg-Miao- S ], we gave a protocol where the number of public key operations is independent of the circuit size. • Open Questions: • Can we improve the communication complexity? • Concrete efficiency? Th Than ank you ou!