Two-Round Secure Multiparty Computation Minimizing Public Key - - PowerPoint PPT Presentation

two round secure multiparty computation minimizing public
SMART_READER_LITE
LIVE PREVIEW

Two-Round Secure Multiparty Computation Minimizing Public Key - - PowerPoint PPT Presentation

Jun 30, 2023 201 likes •631 views

Two-Round Secure Multiparty Computation Minimizing Public Key Operations Sanjam Garg Peihan Miao Akshayaram Srinivasan What did we achieve? Two-Round Secure Multiparty Computation Minimizing Public Key Operations Sanjam Garg

slide-1
SLIDE 1

Two-Round Secure Multiparty Computation Minimizing Public Key Operations

Sanjam Garg Peihan Miao Akshayaram Srinivasan

slide-2
SLIDE 2

What did we achieve?

slide-3
SLIDE 3

Two-Round Secure Multiparty Computation Minimizing Public Key Operations

Sanjam Garg Peihan Miao Akshayaram Srinivasan

slide-4
SLIDE 4

Secure Multiparty Computation (MPC)

slide-5
SLIDE 5

What does Two-Round mean? The MPC protocol has two rounds.

slide-6
SLIDE 6

Two-Round MPC

slide-7
SLIDE 7

Two-Round MPC

slide-8
SLIDE 8

Why is round complexity important?

slide-9
SLIDE 9

Why is round complexity important?

~200ms

my mom

me

slide-10
SLIDE 10

Why not one round? Because it’s impossible! [HLP’11]

slide-11
SLIDE 11

Two-Round MPC?

slide-12
SLIDE 12

Can we implement it?

Yes, but it’s too slow…

Why?

Too many public key operations…

Why is it bad?

Because public key operation is VERY slow!

  • Symmetric key operations (AES) ~100M/sec
  • Public (asymmetric) key operations ~10K/sec
slide-13
SLIDE 13

Our Main Result

slide-14
SLIDE 14

How did we achieve it?

slide-15
SLIDE 15

How to reduce OTs (public key operations) ?

Combine?

2-round OT extension? Yes! [Beaver’96]

slide-16
SLIDE 16

How to reduce OTs (public key operations) ? 2-round OT extension? Yes! [Beaver’96]

No! Why? Combine?

slide-17
SLIDE 17

2-round OT extension?

No! Why? Combine?

slide-18
SLIDE 18

2-round OT extension?

How to solve it?

No! Why? Combine?

slide-19
SLIDE 19

2-round OT extension?

How to solve it? No! Why? Combine?

slide-20
SLIDE 20

2-round OT extension?

Combine? How to solve it? No! Why?

slide-21
SLIDE 21

Technical Overview (semi-honest)

  • Building blocks
  • Yao’s garbled circuit (symmetric key)
  • two-round OT (public key)
  • Two-Round MPC [BL’18, GS’18]
  • What are the special properties needed from OT?
  • Why are they needed?
  • Two-Round OT Extension [Beaver’96]
  • Why not satisfying the special properties needed from OT?
  • How to solve the problems?
slide-22
SLIDE 22

Technical Overview (semi-honest)

  • Building blocks
  • Yao’s garbled circuit (symmetric key)
  • two-round OT (public key)
  • Two-Round MPC [BL’18, GS’18]
  • What are the special properties needed from OT?
  • Why are they needed?
  • Two-Round OT Extension [Beaver’96]
  • Why not satisfying the special properties needed from OT?
  • How to solve the problems?
slide-23
SLIDE 23

Yao’s garbled circuit [Yao’86]

Garble Garble

0 1 0 0 1

slide-24
SLIDE 24

Oblivious Transfer (OT) [Rab’81, EGL’85, BCR’86, Kil’88]

Oblivious Transfer

slide-25
SLIDE 25

Two-Round OT [AIR’01, NP’01, HK’12]

slide-26
SLIDE 26

Technical Overview (semi-honest)

  • Building blocks
  • Yao’s garbled circuit (symmetric key)
  • two-round OT (public key)
  • Two-Round MPC [BL’18, GS’18]
  • What are the special properties needed from OT?
  • Why are they needed?
  • Two-Round OT Extension [Beaver’96]
  • Why not satisfying the special properties needed from OT?
  • How to solve the problems?
slide-27
SLIDE 27

Two-Round MPC [BL’18, GS’18]

Oblivious Transfer

Oblivious Transfer Oblivious Transfer

slide-28
SLIDE 28

Two-Round MPC [BL’18, GS’18]

  • Decryption secrets are known by Receiver before Round-2
  • Decryption secrets are independent

Why?

slide-29
SLIDE 29

Two-Round MPC [BL’18, GS’18]

Round-1 Round-2

… … … … …

  • Decryption secrets are known by Receiver before Round-2
  • Decryption secrets are independent
slide-30
SLIDE 30

Technical Overview (semi-honest)

  • Building blocks
  • Yao’s garbled circuit (symmetric key)
  • two-round OT (public key)
  • Two-Round MPC [BL’18, GS’18]
  • What are the special properties needed from OT?
  • Why are they needed?
  • Two-Round OT Extension [Beaver’96]
  • Why not satisfying the special properties needed from OT?
  • How to solve the problems?
slide-31
SLIDE 31

OT Extension [Beaver’96]

Oblivious Transfer

Oblivious Transfer Oblivious Transfer

slide-32
SLIDE 32

Two-Round OT Extension [Beaver’96]

 Decryption secrets are known by Receiver before Round-2  Decryption secrets are independent

Why?

slide-33
SLIDE 33

Two-Round OT Extension [Beaver’96]

… … …

 Decryption secrets are independent

slide-34
SLIDE 34

2-round OT extension?

How to solve it?

No! Why? Combine?

slide-35
SLIDE 35

Two-Round OT Extension [Beaver’96]

 Decryption secrets are known by Receiver before Round-2  Decryption secrets are independent

slide-36
SLIDE 36

First Attempt: Modify Two-Round OT Extension

 Decryption secrets are known by Receiver before Round-2  Decryption secrets are independent

slide-37
SLIDE 37

Two-Round MPC [BL’18, GS’18]

Round-1 Round-2

… … … … …

Decryption secrets are hard-coded in the garbled circuits; So they should be known before Round-2!

slide-38
SLIDE 38

Second Attempt: Weaken Special Properties

Decryption secrets are hard-coded in the garbled circuits; So they should be known before Round-2! Weakened property: Decryption secrets can be computed and fed into the garbled circuits after Round-2.

slide-39
SLIDE 39

Summary

slide-40
SLIDE 40

Future Work

  • How to make it more practical?
  • Making black-box use of crypto operations?
  • Impossible for 2 rounds! [GMMM’18] talk tomorrow morning :)
  • Black-box but 3 rounds?
  • Combining with black-box OT extension [IKNP’03]
  • Concrete optimization for implementation
slide-41
SLIDE 41

Thanks!