Round-Optimal Secure Multi-Party Computation

Similar documents
The Exact Round Complexity of Secure Computation

Yuval Ishai Technion

Better 2-round adaptive MPC

A Unified Approach to Constructing Black-box UC Protocols in Trusted Setup Models

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

Multi-Theorem Preprocessing NIZKs from Lattices

Simple, Black-Box Constructions of Adaptively Secure Protocols

Adaptively Secure Computation with Partial Erasures

Secure Multi-Party Computation. Lecture 13

On the Composition of Public- Coin Zero-Knowledge Protocols. Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm(KTH)

Secure Computation Against Adaptive Auxiliary Information

Universally Composable Two-Party and Multi-Party Secure Computation

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Actively Secure Garbled Circuits with Constant Communication Overhead in the Plain Model

Round-Efficient Concurrently Composable Secure Computation via a Robust Extraction Lemma

Asynchronous Secure Multiparty Computation in Constant Time

Secure Computation of Functionalities based on Hamming Distance and its Application to Computing Document Similarity

One-Shot Verifiable Encryption from Lattices. Vadim Lyubashevsky and Gregory Neven IBM Research -- Zurich

Efficient and Secure Multi-Party Computation with Faulty Majority and Complete Fairness

Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority

Rational Oblivious Transfer

Secure Multiparty RAM Computation in Constant Rounds,

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Resettably Secure Computation

Zero-Knowledge Proofs

Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer

Leakage-Tolerant Interactive Protocols

Leakage-Resilient Zero Knowledge

Secure Multiparty Computation

High-Throughput Semi-Honest Secure Three-Party Computation with an Honest Majority

Curriculum Vitae. Carmit Hazay May 3, Associate Professor in the Faculty of Engineering in Bar-Ilan University, Israel.

Resettably Secure Computation

Application to More Efficient Obfuscation

Plaintext Awareness via Key Registration

Round Optimal Concurrent Non-Malleability from Polynomial Hardness

Constant-Round Concurrent Zero Knowledge in the Bounded Player Model

Resettably Sound Zero-Knoweldge Arguments from OWFs - the (semi) Black-Box way

MTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu

New Constructions for UC Secure Computation using Tamper-proof Hardware

1 A Tale of Two Lovers

Notes for Lecture 24

Security and Composition of Cryptographic Protocols: A tutorial. Ran Canetti Tel Aviv University

Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority

The IPS Compiler: Optimizations, Variants and Concrete Efficiency

The Simplest Protocol for Oblivious Transfer

Fairness Versus Guaranteed Output Delivery in Secure Multiparty Computation

On Deniability in the Common Reference String and Random Oracle Model

Defining Multi-Party Computation

New Notions of Security: Achieving Universal Composability without Trusted Setup

Efficient Round Optimal Blind Signatures

Secure Multiparty Computation

Introduction to Secure Multi-Party Computation

Concurrent Zero Knowledge in Polylogarithmic Rounds. 2 Concurrent Composable Zero Knowledge: The Construction

MTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu

Secure Outsourced Garbled Circuit Evaluation for Mobile Devices

Detectable Byzantine Agreement Secure Against Faulty Majorities

SAS-Based Group Authentication and Key Agreement Protocols

Universally Composable Commitments

Efficient Non-Interactive Secure Computation

Knowledge Preserving Interactive Coding

Efficient and Non-malleable Proofs of Plaintext Knowledge and Applications

Introduction to Cryptography Lecture 7

Actively Secure Private Function Evaluation

Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme

- Presentation 25 minutes + 5 minutes for questions. - Presentation is on Wednesday, 11:30-12:00 in B05-B06

Adaptively Secure Broadcast, Revisited

On Black-Box Complexity and Adaptive, Universal Composability of Cryptographic Tasks. Dana Dachman-Soled

Zero-Knowledge from Secure Multiparty Computation

Secure Multi-Party Computation

Sharding. Making blockchains scalable, decentralized and secure.

Lecture 8: Cryptography in the presence of local/public randomness

Introduction to Secure Multi-Party Computation

Adaptively Secure Broadcast, Revisited

Stateless Cryptographic Protocols

The Magic of ELFs. Mark Zhandry Princeton University (Work done while at MIT)

Multiparty Computation Secure Against Continual Memory Leakage

Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications

On Robust Combiners for Private Information Retrieval and Other Primitives

Lecture 5: Zero Knowledge for all of NP

CSA E0 312: Secure Computation October 14, Guest Lecture 2-3

Simultaneous Resettable WI from One-way Functions

Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

Secure Multi-party Computation

Universally Composable Protocols with Relaxed Set-up Assumptions

Concurrent Secure Computation with Optimal Query Complexity

6.897: Selected Topics in Cryptography Lectures 9 and 10. Lecturer: Ran Canetti

Fairness versus Guaranteed Output Delivery in Secure Multiparty Computation

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.

An Overview of Active Security in Garbled Circuits

A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks

How To Play Almost Any Mental Game Over The Net Concurrent Composition via Super-Polynomial Simulation

Implementing Resettable UC-functionalities with Untrusted Tamper-proof Hardware-Tokens

Bounded-Concurrent Secure Two-Party Computation Without Setup Assumptions

On the Black-Box Complexity of Optimally-Fair Coin Tossing

Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity

Whitewash: Outsourcing Garbled Circuit Generation for Mobile Devices

Program Obfuscation with Leaky Hardware

How to (not) Share a Password:

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:

Zero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)

Transcription:

TPMPC 2018 Round-Optimal Secure Multi-Party Computation WITHOUT Setup C R Y P T O Shai Halevi, IBM Carmit Hazay, Bar Ilan University Antigoni Polychroniadou, Cornell Tech Muthuramakrishnan Venkitasubramaniam, University of Rochester 2 0 1 8

Secure Multi-Party Computation (MPC) f(x 1, x 2, x 3, x 4 ) = (y 1, y 2,y 3,y 4 ) x 1 x 1 y 1 x 4 y 4 Goal: Correctness: Everyone computes f(x 1,,x 4 ) Security: Nothing else but the output is revealed Adversary PPT x 2 y2 y 3 x 3 Malicious Static

4-round Can we construct round-optimal MPC protocols? f(x 1, x 2, x 3, x 4 ) = (y 1, y 2,y 3,y 4 ) x 1 x 1 Without y 1 setup In the presence of malicious adversaries Goal: Correctness: Everyone computes f(x 1,,x 4 ) Security: Nothing else but the output is revealed Under standard (polytime) assumptions x 4 y 4 Adversary PPT x 2 y2 [GMPP16]: 4 rounds are necessary with y 3 black box simulation x 3 Malicious Static

State-of-the-Art Until 2016 Can we construct 4-round MPC protocols? O(1)-round protocols 6-round protocol 1 st O(1)-round Protocol* [KOS03, KO04, Pas04,DI05,DI06, IPS08,Wee10, Goy11,LP11, GLOV12] [GMPP] O(d F )-round protocol [BMR] 2016 [GMW] 1990 2003-2012 *Honest majority 1987 Lower Bound: 5 rounds for sequential 2PC [KO04,ORS15] Lower Bound: 4 rounds

State-of-the-Art Since 2016 Without setup (requires CRS) In the presence of malicious adversaries Under standard (polytime) assumptions 2-round: [MW16, BP16, PS16,GS17, GS18,BL18] Without setup In the presence of malicious adversaries Under standard (polytime) assumptions 2-round semi-malicious: [BL18,GS18] from DDH, QR,DCR 3-round semi-malicious: [BHP17] from LWE Without setup In the presence of malicious adversaries Under standard (polytime) assumptions 4-round: [ACJ17,BHP17] Without setup In the presence of malicious adversaries Under standard (polytime) assumptions 4-round 2PC and MPC coin-flipping: [COSV17a,b] 5-round: [ACJ17,BL18] Can we construct 4-round MPC protocols?

4-round Can we construct round-optimal MPC protocols? f(x 1, x 2, x 3, x 4 ) = (y 1, y 2,y 3,y 4 ) x 1 x 1 Without y 1 setup In the presence of malicious adversaries Goal: Correctness: Everyone computes f(x 1,,x 4 ) Security: Nothing else but the output is revealed Under standard (polytime) assumptions x 4 y 4 Adversary PPT x 2 y2 [GMPP16]: 4 rounds are necessary with y 3 black box simulation x 3 Malicious Static

Our Results Theorem (informal) Injective OWFs + ZAPS + AHE 4-round malicious MPC Corollary (informal) ETDP + QR/LWE/DDH/DCR 4-round malicious MPC QR 4-round malicious MPC Concurrent work Badrinarayanan,Goyal,Jain,Kalai,Khurana,Sahai: 4-round MPC Injective OWFs + dense cryptosystems + 2-round OT 4-round malicious MPC

MPC with Setup to MPC without Setup [GMPP16]: compilation 2-round malicious MPC in the CRS model [MW16, ] 4-round malicious multi-party coin flipping (MCF) [GMPP16,COSV17a] 6-round malicious MPC MCF MPC

GMW paradigm compilation (1) [ACJ17]: 4-round semi-malicious MPC [BL18]: 2-round semi-malicious MPC [GS18, BL18] Delayed input 4-round NMZK Delayed input 4-round NMZK 5-round malicious MPC 5-round malicious MPC NMZK NMZK MPC NMZK NMZK MPC

GMW paradigm compilation (2) [ACJ17]: 4-round semi-malicious MPC [BHP17]: 3-round semi-malicious MPC Delayed input 3-round NMZK with complexity leveraging Delayed input 3-round NMZK with complexity leveraging 4-round malicious MPC from sub-exponential assumptions 4-round malicious MPC from sub-exponential assumptions NMZK NMZK MPC NMZK NMZK MPC

GMW paradigm compilation (2) [ACJ17]: 4-round semi-malicious MPC [BHP17]: 3-round semi-malicious MPC Delayed input 3-round NMZK with complexity leveraging 4-round malicious MPC from sub-exponential assumptions 3-round ZK proofs impossible [GK96] Delayed input 3-round NMZK with complexity leveraging 4-round malicious MPC from sub-exponential assumptions NMZK NMZK MPC NMZK NMZK MPC

Our Approach: replace ZK by WI proofs in the 3 rd round Even if we use weaker tools, we still need to design a protocol that guarantees the same level of security.

Our Approach 4-round WI-friendly semi-malicious MPC 3-round NMWI primitive 3-round ZK proofs impossible 4-round malicious MPC NMWI NMZK MPC

Our Approach in a nutshell 3-round 3-bit Mult protocol Design NMWI* Incorporate NY Paradigm Tolerate additive errors

Our Approach in a nutshell Secure comp. of ff reduces to secure comp. of randomized encoding (RE) of ff AAAAAA06. Q: Randomized Encoding with degree 3? 3-bit MULT protocol based on 2-round oblivious transfer [ACJ17] A: 3-bit multiplication protocol 3MULT based on 2-round OT [ACJ17] 3MULT3MULT 3MULT

Our Approach in a nutshell Randomized Encoding with degree 3 3-bit 3MULT protocol via 2-round OT Modify 3MULT using the NY Paradigm

Our Approach in a nutshell Q: Can we replace ZK by WI? (Unlike ZK proofs, in WI proofs the simulator must follow the real prover strategy with a real witness) A: Modify 3MULT using the Naor-Yung paradigm NM ZK NM WI 3MULT 3MULT 3MULT 3MULT 3MULT 3MULT

Our Approach in a nutshell Randomized Encoding with degree 3 3-bit 3MULT protocol via 2-round OT Modify 3MULT using the NY Paradigm Tolerate additive errors using BMR Replace ZK by WI

Our Approach in a nutshell To accommodate WI proofs we need to weaken the correctness guarantees Q: Can we protect against all adversarial attacks? A: Adversary can include additive errors in the computation. NM WI Double Double 3MULT 3MULT Double 3MULT

Our Approach in a nutshell Randomized Encoding with degree 3 3-bit 3MULT protocol via 2-round OT Modify weak NMCOM using the NY Paradigm Achieve NMWI using 3-round weak NMCOMs Modify 3MULT using the NY Paradigm Tolerate additive errors Replace ZK by WI + Require Sender Equivocal OT ( via Additive HE) Weaken correctness guarantees in WI proofs do not protect against all adversarial attacks.

Outline 3-bit 3MULT protocol via 2-round OT Modify 3MULT using the NY Paradigm Tolerate additive errors

Starting Point:3-party 3-bit multiplication protocol (3MULT) [Yuval+ACJ17] Theorem (informal) [ACJ17]: Assuming 2-round OT, there is a 3-round 3-bit multiplication protocol P 1 (x 1 ;s 1 ) P 2 (x 2 ;r 2,s 2 ) P 3 (x 3 ) OT α [P 1 (x 1 ), OT P 2 (-r α 2,x 2 -r 2 )] OΤ β [P 3 (x 3 OT ), P β2 (-s 2,r 2 -s 2 )] u=x 1 x 2 -r 2 v=r 2 x 3 -s 2 OT γ [P 3 (x 3 ), POT 1 (-s γ 1,u-s 1 )] w=ux 3 -s s 1 1 s 2 v+w v u w Output s 2 +s 1 + r 2 x 3 -s 2 +(x 1 x 2 -r 2 ) x 3 -s 1 = x 1 x 2 x 3

Double 3MULT using the NY Paradigm P 1 (x 1 ;s 1 ) P 2 (x 2 ;r 2,s 2 ) P 3 (x 3 ) u OT α' OT α OT β' OT β v OT γ' OT γ s 1 s 2 v+w Receiver sets same input in both OTs Sender secret shares its input across the OTs w

Double 3MULT using the NY Paradigm P 1 (x 1 ;s 1 ) P 2 (x 2 ;r 2,s 2 ) P 3 (x 3 ) x 1 x 1 x 3 x 3 u v x 3 x 3 s 1 s 2 v+w w Receiver sets same input in both OTs Sender secret shares its input across the OTs

Incorporating NMWI NM uu WI There is a uu problem

Incorporating NMWI NM uu WI Problem: 3 rd -round message depends on uu Solution: Don t enforce correctness with uu

So what if uu is not correct P 1 (x 1 ;s 1 ) P 2 (x 2 ;r 2,s 2 ) P 3 (x 3 ) x 1 x 3 u x 1 x 2 -r 2 r 2 x 3 -s 2 v x 3 ux 3 -s 1 s 1 s 2 v+w w

So what if uu is not correct P 1 (x 1 ;s 1 ) P 2 (x 2 ;r 2,s 2 ) P 3 (x 3 ) x 1 x 3 u x 1 x 2 -r 2 r 2 x 3 -s 2 v x 3 u'x 3 -s 1 s 1 s 2 v+w w An incorrect uu results in xx 1 xx 2 + ee xx 3

So what if uu is not correct P 1 (x 1 ;s 1 ) P 2 (x 2 ;r 2,s 2 ) P 3 (x 3 ) x 1 x 3 u x 1 x 2 -r 2 x 3 u'x 3 -s 1 r 2 x 3 -s 2 Tolerating Additive errors using BMR Cannot use directly compilers [GIPST14,GIP15] Distributed Yao (BMR) Choose RE and massage double 3MULT so that additive errors reduce to additive errors on the underlying computation. s 1 s 2 v+w An incorrect uu results in xx 1 xx 2 + uu uu xx 3 v w

Conclusion Round-optimal MPC protocol: Without setup In the presence of malicious adversaries Under standard (polytime) assumptions Theorem (informal) ETDP + QR/LWE/DDH/DCR 4-round malicious MPC QR 4-round malicious MPC

Open Problems 4-round malicious MPC from minimal assumptions (4- round malicious OT) With CRS: 2-round [GS18] 4-round malicious MPC in the adaptive setting With CRS: 2-round [BLPV18] [GS12] Adaptive security without setup requires non-black box techniques. 4-round MPC

Tak!

Our Approach in a nutshell Q: How can we achieve extraction and WI with non-malleability guarantees? A: 1. Extract via a 3-round weak non-malleable commitment [GRRV14] 2. Modify 3-round weak NMCOM using the Naor-Yung paradigm 3. Make weak NMCOM rewinding safe NM Com NM Com NM WI Double Double 3MULT 3MULT Double 3MULT

Circuits resilient to additive attacks [GIPST14,GIP15,GIW16] C Any additive attack on C translates to an equivalent additive attack on the inputs of C + X +1 +1 - X +1 + X - X +1-1 C X X

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback