SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a

Transcription

1 SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a Ronald Cramer 1 Ivan Damgård 2 Daniel Escudero 2 Peter Scholl 2 Chaoping Xing 3 August 21, CWI, Amsterdam 2 Aarhus University, Denmark 3 Nanyang Technological University, Singapore a Supported by the European Research Council (ERC); the European Union s Horizon 2020 research and innovation programme; the European Union s Horizon 2020 research and innovation programme and the Danish Independent Research Council.

2 Introduction

3 MPC Alice Bob Trusted Party Charlie Dave 1

4 MPC Alice x 1 x 2 Trusted Party Bob x 3 x 4 Charlie Dave 1

5 MPC Alice z z x 1 x 2 Trusted Party Bob x 3 x 4 z z Charlie Dave 1

6 MPC Alice Bob Trusted Party Charlie Dave 1

7 Many different approaches Circuits over F 2 Garbled Circuits BMR GMW Circuits over F p BGW BeDOZa SPDZ MASCOT 2

8 Many different approaches Circuits over F 2 Garbled Circuits BMR GMW Circuits over F p BGW BeDOZa SPDZ MASCOT Few works address circuits over Z 2 k with active security 2

9 Why should we care about computation modulo 2k? Closer to standard CPUs Efficiency improvement Simple compilation of existing 32/64-bit code into arithmetic circuits. Simplified implementations 3

10 Why should we care about computation modulo 2k? Closer to standard CPUs Efficiency improvement Simple compilation of existing 32/64-bit code into arithmetic circuits. Simplified implementations Completeness result Filling a gap in the theory of MPC Just for fun! 3

11 Some works on this direction Cramer et al, EUROCRYPT 2003 Actively secure MPC over black-box rings Mostly a feasibility result, honest majority Bogdanov et al, ESORICS 2008 (Sharemind); Araki et al, CCS 2016 Computation over Z 2 k Passive security, n = 3 and t = 1 Damgård, Orlandi, Simkin, CRYPTO 2018 Compiler from passive to active security for arbitrary rings Small number of corruptions 4

12 Why is it so difficult? Pratical protocols use information-theoretic MACs over finite fields. Problems with Z 2 k Zero-divisors! Non-invertible elements! x, y is not a 2-universal hash function! Open problem Design an efficient homomorphic authentication scheme modulo 2 k 5

13 Our contributions 1. A new additively homomorphic authentication scheme over Z 2 k Efficient Number-theoretic tricks Fine-grained analysis of batch-checking 6

14 Our contributions 1. A new additively homomorphic authentication scheme over Z 2 k Efficient Number-theoretic tricks Fine-grained analysis of batch-checking 2. Triples generation Communication complexity: O((k + s) 2 ) bits per multiplication gate. Roughly twice the communication cost of MASCOT 6

15 Our contributions 1. A new additively homomorphic authentication scheme over Z 2 k Efficient Number-theoretic tricks Fine-grained analysis of batch-checking 2. Triples generation Communication complexity: O((k + s) 2 ) bits per multiplication gate. Roughly twice the communication cost of MASCOT 3. A protocol for MPC over Z 2 k O( C n) operations over Z 2 k+s Amortized communication complexity of online phase: O( C k) bits 6

16 SPDZ

17 Additive Secret sharing with MACs We denote by [x] the following x i = x. α i = α, where α is a random global key m i = α x. P i has x i, α i, m i 7

18 Additive Secret sharing with MACs We denote by [x] the following x i = x. α i = α, where α is a random global key m i = α x. P i has x i, α i, m i Important! [x + y] = [x] + [y], [c x] = c [x] and [x + c] = [x] + c can be computed locally. 7

19 Secure computation with preprocessing Input phase [x i ] = (x i r i ) +[r }{{} i ] open where x i are the inputs and (r i, [r i ]) is preprocessed. Addition gates [x + y] = [x] + [y] Multiplication gates [x y] = [c] + (x a) [b] + (y b) [a] + (x a) (y b) }{{}}{{}}{{}}{{} open open open open where ([a], [b], [c]) is preprocessed with c = a b. 8

20 Reconstruction of [x] x 1 x 2 Alice x 3 x 4 Bob Charlie Dave n i=1 x i = x 9

21 Reconstruction of [x] x 1 x 2 z 1 = m 1 α 1 x z 2 = m 2 α 2 x Alice x 3 x 4 Bob Alice z 3 = m 3 α 3 x Bob z 4 = m 4 α 4 x Charlie Dave Charlie Dave n i=1 x i = x Check that n i=1 z i = 0 9

22 Security Analysis Adversarial behavior can cause: x = x + δ and z = z + with δ 0. Adversary knows and δ such that δ α =. The adversary guesses α = δ 1 Probability at most 1/ F 10

23 Security Analysis Adversarial behavior can cause: x = x + δ and z = z + with δ 0. Adversary knows and δ such that δ α =. The adversary guesses α = δ 1 Probability at most 1/ F This does not work modulo 2 k The equation α δ mod 2 k can be satisfied with high probability Main problem: δ may not be invertible modulo 2 k. For instance: δ = 2 k 1 and = 0 10

24 SPDZ 2 k

25 Our solution The computation is done in Z 2 k+s but correctness is only guaranteed modulo 2 k 11

26 Our solution The computation is done in Z 2 k+s but correctness is only guaranteed modulo 2 k To share x Z 2 k : We denote by [x] the following x i k+s x with x k x α i k+s α, where α Z 2 s global key m i k+s α x. is a random P i has x i, α i, m i Z 2 k+s x y mod 2 l will be abbreviated by x l y 11

27 k + s k+s x 1 x 2 x n x 12

28 s k + s k+s x k x 1 x 2 x n x 12

29 Security Analysis 13

30 Security Analysis There is an error x = x + δ with δ k 0 13

31 Security Analysis There is an error x = x + δ with δ k 0 The check passes α δ k+s 13

32 k + s k+s α δ 14

33 k + s k+s v < k 0 0 α δ 14

34 k + s k+s v (k + s) v > s α δ 2 v 2 v 14

35 (k + s) v > s k+s v α ( δ 2 v ) 1 2 v 14

36 Security Analysis There is an error x = x + δ with δ k 0 The check passes α δ k+s 15

37 Security Analysis There is an error x = x + δ with δ k 0 The check passes α δ k+s α δ 2 v k+s v 2 v where v is the largest integer such that 2 v δ (we have that v < k) But δ/2 v ( is odd! So we can invert: α δ ) 1 k+s v 2 v 2 v Therefore, the adversary knows the last k + s v bits of α, which happens with probability at most 2 v k s < 2 s. 15

38 SPDZ 2 k: Protocol overview Offline phase (preprocessing) 1. Random authenticated values 2. Multiplication triples 3. Generate shares of MAC key and shares of MACked values Online phase 1. Distribute inputs 2. Compute shares of the values on the circuit 3. Check correctness of the opened values using their MACs Checking individual MACs Batch MAC-checking 16

39 SPDZ 2 k: Protocol overview Offline phase (preprocessing) 1. Random authenticated values 2. Multiplication triples 3. Generate shares of MAC key and shares of MACked values Online phase 1. Distribute inputs 2. Compute shares of the values on the circuit 3. Check correctness of the opened values using their MACs Checking individual MACs Batch MAC-checking 16

40 Batch MAC-checking

41 Motivation Many values are opened... it is expensive to check each one of them! 17

42 Motivation Many values are opened... it is expensive to check each one of them! Typical solution over fields To check correctness of x 1,..., x t, only check correctness of x = i r i x i. Individual errors δ i get aggregated δ = i r i δ i δ i 0 for at least one i implies δ 0 with high probability 17

43 Motivation Many values are opened... it is expensive to check each one of them! Typical solution over fields To check correctness of x 1,..., x t, only check correctness of x = i r i x i. Individual errors δ i get aggregated δ = i r i δ i δ i 0 for at least one i implies δ 0 with high probability Key idea for SPDZ 2 k Do the same! (analysis gets tricky...) 17

44 Batch MAC-checking in SPDZ 2 k Let E be the event: δ α k+s Naive approach Pr[E] 2 s 2 18

45 Batch MAC-checking in SPDZ 2 k Let E be the event: δ α k+s Naive approach Pr[E] 2 s 2 Fine-grained analysis Pr[E] 2 s + 2 s 1+log s 18

46 Multiplication Triples

47 General Idea (high level) Preprocess triples ([a], [b], [c]) such that a, b are random and c k a b. Key idea (two parties) ( a 1 + a 2) (b 1 + b 2) = a 1 b 1 + a 2 b 2 + a 1 b 2 + a 2 b 1 Share mixed products using OT Similar to the MASCOT triple generation protocol (Keller et al, CCS 2016). Based on Oblivious Transfer. 19

48 General Idea (high level) 1. OT: c k+s a b 2. Combine: Take inner product with a random vector: r, c k+s r, a b MASCOT: a is a vector of (field) elements SPDZ 2 k : a is a vector of bits 3. Authenticate: Shares are authenticated (using a MAC functionality) 4. Sacrifice: Check correctness 20

49 Conclusions

50 We develop an efficient dishonest majority MPC protocol for computation over Z 2 k. New number-theoretic tricks introduced to overcome the difficulties of working over a ring as Z 2 k : Zero-divisors! Non-invertible elements! Taking dot product with random vectors is not a 2-universal function! First efficient, information-theoretic secure, homomorphic authentication scheme modulo 2 k. 21

51 Future work Implementation and performance test Preprocessing is theoretically slower than MASCOT SPDZ 2 k s online phase is expected to be faster in practice. 22

52 Future work Implementation and performance test Preprocessing is theoretically slower than MASCOT SPDZ 2 k s online phase is expected to be faster in practice. Develop sub-protocols for basic primitives Inequality and equality tests, bit comparisons, bit decomposition, shifting, etc. Highly non-trivial! Dividing by 2 is not possible directly. 22

53 Future work Implementation and performance test Preprocessing is theoretically slower than MASCOT SPDZ 2 k s online phase is expected to be faster in practice. Develop sub-protocols for basic primitives Inequality and equality tests, bit comparisons, bit decomposition, shifting, etc. Highly non-trivial! Dividing by 2 is not possible directly. Extending security model MPC over Z 2 k in the honest majority setting. 22

54 Thank you! 22

55 Supplementary Material

56 A Secret-sharing-based protocol 23

57 A Secret-sharing-based protocol x y Input phase [x] [y] 23

58 A Secret-sharing-based protocol x y [x] [y] Input phase [x] [y] [x y] 23

59 A Secret-sharing-based protocol x y [x] [y] [z] Input phase Output phase [x] [y] [x y] z 23

60 Batch MAC-checking in SPDZ 2 k Let E be the event: δ α k+s Let w be the largest integer such that 2 w divides δ. 2 s 1 {}}{{}}{ Pr[E] = Pr[E 0 w k] Pr[0 w k] s + Pr[E w = k + c] Pr[w = k + c] 2 s + 2 s 1+log s }{{}}{{} c=1 2 c s 2 c 1 24

61 Pr[E 0 w k] 2 s We have that ( ) δ 1 α k+s w 2 w 2 w α mod 2 k+s w is fully determined This happens with probability at most 2 w k s 2 s. 25

62 Pr[0 w k]

63 Pr[E w = k + c] 2 c s, c {1,..., s} Follows from the first proof (writing w = k + c) 27

64 Pr[w = k + c] 2 c 1, c {1,..., s} Since 2 w divides δ, we have that δ w 0, which implies t 1 χ t δ t w χ i δ i i=1 } {{ } S Let v k 1 be the largest integer such that 2 v divides δ t, then ( ) 1 δt χ t w v 2 v S 2 v. Since χ t mod 2 w v is fully determined, this happens with probability at most 2 v w 2 c 1. 28

65 Batch MAC Checking 29

66 Triples - Part 1 30

67 Triples - Part 2 31

68 Triples - Part 3 32

69 Communication 33

70 Performance (1) 34

71 Performance (2) 35