Two-round Secure MPC from Minimal Assumptions
Sanjam Garg, Akshayaram Srinivasan
University of California, Berkeley
Eurocrypt 2018
Secure Two-Party Computation
[Yao 86]
Two parties hold inputs $y_1$ and $y_2$ and "securely" compute $f(y_1, y_2)$.
- Two rounds are necessary.
- Garbled circuits + two-round OT => two-round secure 2-PC
- Minimal assumptions
Secure Multiparty Computation
[Goldreich-Micali-Wigderson 87]
Parties hold inputs $y_1, y_2, \ldots, y_n$.
Compute $f(y_1, y_2, \ldots, y_n)$
Learn nothing about honest parties' inputs apart from $f(y_1, y_2, \ldots, y_n)$
Secure Multiparty Computation
[Yao 86, Goldreich-Micali-Wigderson 87]
What is known?
- Goldreich-Micali-Wigderson protocol.
- Number of rounds grows with the depth of the circuit.
- Long line of work reducing the round complexity [BMR90, …].
- Two-round secure MPC protocols [GGHR14, GLS15, MW16, BGI17, GS17].
- Gap in the assumptions sufficient for two-round MPC and 2PC.
Can we construct two-round MPC from weaker assumptions?
Our Work
Two-round protocol for secure multiparty computation from any two-round oblivious transfer.
- Semi-honest: From any two-round OT in the plain model.
- Malicious: From any two-round maliciously secure OT in the CRS model.
Concurrent and independent work by Benhamouda-Lin 18
Main Idea
Protocol π securely computes $f(y_1, y_2, \ldots, y_n)$
Round Compression
Two broadcast rounds
Toy protocol π
Round-1 π Round-2 Round-3
π π, π, π = (π, π ∧ π, π ∧ π ∧ π)
Inputs: π π π π ∧ π π ∧ π ∧ π
Round Compression using Garbled Circuits
Garbled Circuits
[Yao 86, Applebaum-Ishai-Kushilevitz 04, Bellare-Hoang-Rogaway 12]
π: 0,1 , β 0,1 9
π π :
[Diagram: a garbled circuit with a pair of labels for each input wire]
[Diagram: the garbled circuit together with one label for each input wire]
Evaluation: $f(y)$
Leaks only $f(y)$
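An added example, not from the original slides: a Yao-style garbling of a chain of two AND gates over three input bits, showing the label pair per wire, evaluation with one label per wire, and output decoding. SHA-256 as the row-encryption hash, the point-and-permute select byte, the wire numbering and all function names are assumptions of this example.

```python
import hashlib
import secrets

LABEL = 16  # bytes of randomness per wire label (constructed parameter)
TOY_GATES = [(0, 1, 3), (3, 2, 4)]  # w3 = w0 AND w1, w4 = w3 AND w2

def H(ka, kb, gate):
    # Hash of both input labels and the gate index, used as a one-time pad
    return hashlib.sha256(ka + kb + bytes([gate])).digest()[:LABEL + 1]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def new_wire():
    # Two labels per wire; the last byte is a random select bit (point-and-permute)
    p = secrets.randbits(1)
    return [secrets.token_bytes(LABEL) + bytes([p]),
            secrets.token_bytes(LABEL) + bytes([1 - p])]

def garble(n_inputs, gates):
    """Garble a circuit of AND gates given as (in_a, in_b, out) wire indices."""
    wires = {i: new_wire() for i in range(n_inputs)}
    tables = []
    for g, (a, b, out) in enumerate(gates):
        wires[out] = new_wire()
        table = [None] * 4
        for va in (0, 1):
            for vb in (0, 1):
                ka, kb = wires[a][va], wires[b][vb]
                # Row position depends only on select bits, not on the plaintext bits
                table[2 * ka[-1] + kb[-1]] = xor(H(ka, kb, g), wires[out][va & vb])
        tables.append(table)
    decode = {wires[gates[-1][2]][v]: v for v in (0, 1)}  # output decoding table
    return wires, tables, decode

def evaluate(gates, tables, input_labels, decode):
    # The evaluator holds one label per wire and decrypts exactly one row per gate
    have = dict(enumerate(input_labels))
    for g, (a, b, out) in enumerate(gates):
        ka, kb = have[a], have[b]
        have[out] = xor(H(ka, kb, g), tables[g][2 * ka[-1] + kb[-1]])
    return decode[have[gates[-1][2]]]

def run(bits):
    wires, tables, decode = garble(3, TOY_GATES)
    labels = [wires[i][b] for i, b in enumerate(bits)]  # one label per input wire
    return evaluate(TOY_GATES, tables, labels, decode)
```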
How to Compress the Toy Protocol to 2 rounds?
Two-Round Protocol: High level Idea
[Diagram: inputs, Round-1 and Round-2 messages; labels "Implement the 2nd round" and "Implements the 3rd round"]
How do the garbled circuits implement rounds?
[Diagram: the Round-2 and Round-3 messages]
In [GS17], we achieved this by a special purpose WE [GGSW13, DG17]
Making the garbled circuits "talk" from OT
Oblivious Transfer
[Rabin 81]
π π<, π"
ππππ β π·πΌπ(π; π)
Two-message OTs are known from a variety of assumptions [AIR01, NP01, PVW08]
ππππ β π·πΌπ(ππππ, ππ, ππ) ππ β π·πΌπ(ππππ, π)
Two-Round Protocol for Toy Function
[Diagram: inputs, Round-1 and Round-2 messages, and the functions computed by the garbled circuits; columns labelled Party 2 and Party 3]
Generalizing to Arbitrary Computations
General Case
Round-1 Round-2 . . . Round-T π·" π·# π·W
Conclusion
- We gave a two-round protocol for secure multiparty computation from two-round OT.
- In a subsequent work [Garg-Miao-S], we gave a protocol where the number of public-key operations is independent of the circuit size.
- Open Questions:
- Can we improve the communication complexity?
- Concrete efficiency?
Thank you!