Using TopGear in Overdrive: A more efficient ZKPoK for SPDZ

Transcription

1 Using TopGear in Overdrive: A more efficient ZKPoK for SPDZ Daniele Cozzo 1 and Nigel P. Smart 1,2 1 imec-cosic, KU Leuven, Leuven, Belgium. 2 Universit of Bristol, Bristol, UK. daniele.cozzo@kuleuven.be, nigel.smart@kuleuven.be Abstract. We present a modification to the ZKPoKs used in the HighGear offline protocol for the SPDZ Multi-Part Computation protocol. This modification allows us to both increase the securit of the underling protocols, whilst at the same time maintaining roughl the same performance in terms of memor and bandwidth consumption. The last two being major constraints of the original HighGear protocol. We argue the inefficienc of HighGear means that current implementations of SPDZ use far too low securit parameters in a number of places. We show that using TopGear one can select high securit parameters for all cases. 1 Introduction Multi-part computation (MPC) has turned in the last fifteen ears from a mainl theoretical endeavour to one which is now practical, with a number of companies fielding products based on it. MPC comes in a number of flavours, depending on the underling primitives (garbled circuit, secret sharing), number of parties (two or man parties), securit model (passive, covert, active), and so on. In this work we will focus on n-part secret sharing based MPC secure against a dishonest majorit of parties. In this setting the most efficient protocol known is still the SPDZ protocol [10] from 2012, along with its man improvements such as [9, 17, 18]. The SPDZ protocol famil uses a form of authenticated secret sharing over a finite field F p to perform the secure computation. The protocol is divided into two phases, an offline phase (which produces among other things Beaver triples) and an online phase (which consumes the Beaver triples to enable multiplication to be performed). In this work we will be focusing on the increasing the underling securit offered b the offline phase, whilst maintaining the same performance. The SPDZ protocol, amongst others, has been implemented in the SCALE-MAMBA sstem [2], which we refer to as a reference implementation for judging our own contribution. To understand our contribution in terms of efficienc and securit we first consider the genesis of the problem we solve. The SPDZ protocol is itself based on an earlier protocol called BDOZ [3]. The BDOZ protocol used a form of pairwise MAC to authenticate a secret sharing amongst n-parties. At the heart of the offline phase for BDOZ is a pairwise multiplication protocol, using linearl homomorphic encrption. To ensure active adversaries do not cheat in this phase pairwise zero-knowledge proofs are utilized to ensure active adversaries cannot deviate from the protocol without detection. Thus in total O(n 2 ) ZKPoKs need to be carried out per Beaver triple. The main contribution of the SPDZ paper [10] over BDOZ was the pairwise MACs were replaced b a global MAC. This was enabled b replacing the linearl homomorphic encrption used in BDOZ b a limited form of Somewhat Homomorphic Encrption (SHE) based on the BGV encrption scheme [6]. Now the pairwise ZKPoKs could be replaced b O(n) ZKPoKs per Beaver triple. Due to the Smart-Vercauteren SIMD packing underling BGV the implied constant here was relativel low, as a single ZKPoK could be used to prove statements needed for man thousands of Beaver triples. However, BGV is a lattice based SHE scheme and thus ZKPoKs are relativel costl. In particular the basic underling Σ-protocol has challenge space {0, 1}, and thus soundness securit of onl 1/2. Not onl that, but to provide zero-knowledge, one needs to blow-up the parameters proven, thus an adversar can onl be shown to prove a statement which is strictl weaker than what an honest part proves. This introduces what is called the soundness slack between the honest proven language L and the adversariall

2 proven language L. In particular to obtain statistical zero-knowledge of 2 ZK sec the parameters are (roughl) blown up b a factor of 2 ZK sec. To get around the first of these problems (the low soundness securit) SPDZ uses a standard amortization technique [8] to prove U statements at once. This boosts the soundness securit from 1/2 to 2 U, at the epense of introducing slighl more soundness slack, namel 2 U/2. In the implementation of this ZKPoK in the original, and subsequent works, the authors set U to be the same securit level as the statistical zero-knowledge parameter ZK sec. Despite this use of amortization techniques the ZKPoKs were considered too slow. This resulted in two new techniques based on cut-and-choose being introduced in [9]. The first of these techniques produced onl covert securit, but was highl efficient, and thus for a number of ears all implementations of the SPDZ offline phase onl provided covert securit. The second technique of [9] provided activel secure ZKPoK which seemed assmptoticall more efficient than that provided in [10], but which due to large memor requirements was impossible to implement in practice. This inabilit to provide efficient activel secure offline phased based on SHE led to a temporar switch to an OT-based offline phase, called MASCOT [17]. However, in 2018 Keller et al [18] introduced the Overdrive suit of offline protocols. The Overdrive paper revisited the previous work and came to some interesting conclusions. Firstl, in so-called Low Gear, for a small number of parties the original pairwise ZKPoKs of the BDOZ methodolog could be more efficient than the SPDZ stle methodolog. Thus an O(n 2 ) algorithm can beat an O(n) algorithm for small values of n, this was enabled b using in BDOZ the same SIMD packing as was being used for SPDZ. Interestingl this simple optimization had never been tried before on the BDOZ protocol. The second variant of Overdrive, so called High Gear, was for larger values of n. Here the original SPDZ ZKPoK was revisited and tweaked. Instead of at each iteration each part proving a statement to each other part, the parties proved a single joint statement. Thus the n parties act as a single proving entit for a joint statement of their secret inputs. This did not provide an improvement in communication efficienc, but it did make the computational costs a factor of n smaller. In the SCALE-MAMBA sstem (as of v1.2 in Nov 2018) onl the High-Gear variant of Overdrive is implemented for the case of dishonest majorit MPC, even when n = 2. However, like all prior work the sstem adopts U = ZK sec, and thus achieves the same soundess securit Snd sec as zero-knowledge indistinguishabilit. This is not efficient, or as secure, as one would want for two combined reasons. 1. The zero-knowledge securit ZK sec is related to a statistical distance, whereas the soundness securit Snd sec is related to the probabilit that an adversar can cheat. Thus a low value for Snd sec is more of a concern than a low value for ZK sec. 2. The practical compleit of the protocol, in particular the memor and computational consumption, is dominated b Snd sec. It turns out that ZK sec has ver virtuall no effect on the overall eecution time of the offline phase, for large values of p. It is for this reason that [18] gives performance metrics for 40, 64 and 128-bit active securit, and wh v1.2 of SCALE-MAMBA utilizes onl 40-bits of securit for Snd sec and ZK sec, since the eecution time is highl dependent on Snd sec. Our Contribution: We first formalize the tpe of statement which the Overdrive ZKPoK tries to prove. The original treatment in [18] is relativel intuitive. We formalize the statement b presenting a generalization of standard Σ-protocols to what we call an n-part Σ-protocol. This allows us to somewhat simplif the presentation of our protocol and also to elaborate on the effect of the various securit parameters. We then present a modified ZKPoK for the HighGear variant of Overdrive, which we denote TopGear. In this variant we treat the soundess securit Snd sec and the zero-knowledge securit ZK sec seperatel. This ZKPoK in its unamortized variant (i.e. onl proving one statement at once) uses a larger challenge set than {0, 1}. In particular, using a Lemma from [4] we are able to use a challenge set of size 2 N, where N is the ring dimension. We then amortize this b proving U statements in parallel using a modification of the technique of [8]. This enables us to achieve a soundness securit of Snd sec = U log 2 (2 N) for the 2

3 main zero-knowledge proofs in the offline phase of the SPDZ protocol. Since N is often = 2 15 we are able to achieve a high soundness securit, with a low value of U, i.e. using U = 8 we can obtain 128 bits of soundness securit. Thus we can use a smaller amount of amortization than in [18], and thus a smaller memor footprint etc. This then allows us to also select higher values of ZK sec, if so desired, as this has little affect on performance. However, we still obtain a soundness slack. Namel a difference between the honestl proven language and the language which we can guarantee a dishonest prover can select their statements from. This distinction comes from two sources. The first source comes from needing ZK sec to be larger to ensure zero-knowledge. In signature schemes based on lattices, such as BLISS, this issue is usuall dealt with using rejection sampling, e.g. [11,12,19]. However, in our case this slack will be removed due to the processing that happens after the ZKPoK is eecuted (during a modulus switch operation in the homomorphic processing). The second source comes from the use of the larger challenge set. To remove this we need to perform a minor tweak to how the outputs of the ZKPoK are used in the offline phase of the SPDZ protocol. 2 Preliminaries In this section we outline the details of what we require of the BGV encrption scheme [6]. Most of the details can be found in [6, 13 15], although we will onl require a variant, which supports circuits of multiplicative depth one. Notation: We assume that all the parties are probabilistic polnomial time Turing machines. We let [n] denote the interval [1,..., n]. If M is matri then we write M (r,c) for the entr in the r-th row and c-th column. We shall write vectors (usuall) in bold, and there elements in non-bold with a subscript, thus = ( i ) i [n], sometimes we will also write (i) to denote the i-th element in the vector. All modular reduction operations (mod q) will be to the centered interval ( q/2, q/2]. We let a X denote randoml assigning a value a from a set X, where we assume a uniform distribution on A. If A is an algorithm, we let a A denote assignment of the output, where the probabilit distribution is over the random tape of A; we also let a b be a shorthand for a {b}, i.e. to denote normal variable assignment. If D is a probabilit distribution over a set X then we let a D denote sampling from X with respect to the distribution D. We will make use of the following lemma in a number of places Lemma 2.1. Let D be an distribution bounded whose values are bounded b B. Then the distributions D + (0,, B ) (b which we mean the distribution obtained from sampling from the two distributions and adding the result) is statisticall close to the uniform distribution U (0,, B ), with statistical distance bounded b B B. SPDZ Secret Sharing: This SPDZ protocol [10] processes data using an authenticated secret sharing scheme defined over a finite field F p, where p is prime. The secret sharing scheme is defined as follows: Each part P i holds a global MAC ke α i F p and a data element F p is held in secret shared form as a tuple { i, γ i } i [n], such that = i i and γ i = α where α = i α i. We denote a value held in such a secret shared form as. The main goal of the SPDZ offline phase is to produce random triples ( a, b, c ) such that c = a b. If we wish to denote the specific value on which γ i is a MAC share then we write γ i []. The Rings: The BGV encrption scheme, as we will use it, is built around the arithmetic of the cclotomic ring R = Z[X]/(Φ m (X)), where Φ m (X) is the m-th cclotomic polnomial. For an integer q > 0, we denote b R q the ring obtained as reduction of R modulo q. We take m to be a power of two, m = 2 n+1 and hence Φ m (X) = X N + 1 where N = 2 n. Elements of R (resp. R q ) can either be thought of as polnomials (of degree less than N) or as vectors of elements (of length N). 3

4 The canonical embedding of R is the mapping of R into C φ(m) given b σ() = ((ζm)) i i [n], where we think of as a polnomial. We are interested in two norms of elements in R (resp. R q ). For the -norm in the standard polnomial embedding we write, where as the -norm in the canonical embedding we will write as can = σ(). B standard inequalities we have can can can, can 1, φ(m) and can ; with the last two inequalities holding due to our specific choice of cclotimic ring. Such norms can also be emploed on elements of R q b using the standard (centered) embedding of R q into R. We will use the following two facts in a number of places. can Lemma 2.2. Let m be a power of two then 2 (X i X j ) 1 (mod φ m (X)) 1 for all 0 i, j < 2 N then Proof. Given in [4]. Lemma 2.3. In the ring R defined b Φ m (X) with m a power of two we have that for all a R that a X i = a. Proof. This follows as X i acts as a shift operation, with the wrap-around modulo φ(m) simpl negating the respective coordinate. Various Distributions: Following [15][Full version, Appendi A.5] and [2] we need different distributions to define the BGV scheme, all of which produce vectors of length N which we consider as elements in R. - HWT(h, N): This generates a vector of length N with elements chosen at random from { 1, 0, 1} subject to the condition that the number of non-zero elements is equal to h. - ZO(0.5, N): This generates a vector of length N with elements chosen from { 1, 0, 1} such that the probabilit of each coefficient is p 1 = 1/4, p 0 = 1/2 and p 1 = 1/4. Thus if ZO(0.5, N) then 1. - dn(σ 2, N): This generates a vector of length N with elements chosen according to an approimation to the discrete Gaussian distribution with variance σ 2. - RC(0.5, σ 2, N): This generates a triple of elements (r 1, r 2, r 3 ) where r 3 is sampled from ZO s (0.5, N) and r 1 and r 2 are sampled from dn s (σ 2, N). - U(q, N): This generates a vector of length N with elements generated uniforml modulo q in a centred range. Thus U(q, N) implies q/2. Following prior work on SPDZ we select σ = 3.17 and hence we can approimate the sampling from the discrete Gaussian distribution using a binomial distribution, as is done in NewHope [1]. In such a situation an element dn(σ 2, N) is gauranteed to satisf 20. The Two Level BGV Scheme: We consider a two-leveled homomorphic scheme, given b the following algorithms {KeGen, Enc, SwitchMod, Dec}. The plaintet space is the ring R p, for some prime modulus p, which is the same modulus used to define the SPDZ secret sharing scheme. The algorithms are parametrized b a computational securit parameter κ and are defined as follows. First we fi two moduli q 0 and q 1 such that q 1 = p 0 p 1 and q 0 = p 0, where p 0, p 1 are prime numbers. Encrption generates level one ciphertets, i.e. with respect to the largest modulo q 1, and level one ciphertets can be moved to level zero ciphertets via the modulus switching operation. We require p 1 1 (mod p) and p 0 1 p (mod p). The first condition is to enable modulus switching to be performed efficientl, whereas the second is to enable fast arithmetic using Number Theoretic Fourier Transforms. - KeGen(1 κ ): The secret ke sk is randoml selected from a distribution with Hamming weight h, i.e. HWT(h, N), much as in other sstems, e.g. HELib [16] and SCALE [2] etc. The public ke, pk, is of the form (a, b), such that a U(q 1, N) and b = a sk + p ɛ (mod q 1 ), where ɛ dn(σ 2, N). This algorithm also outputs the relinearisation data (a sk,sk 2, b sk,sk 2) [7], where a sk,sk 2 U(q 1, N) and b sk,sk 2 = a sk,sk 2 sk + p r sk,sk 2 p 1 sk 2 (mod q 1 ), with r sk,sk 2 dn(σ 2, N). 4

5 - Enc(m, r; pk): Given a plaintet m R p, and randomness r = (r 1, r 2, r 3 ) chosen from RC(0.5, σ 2, n), i.e. r 1, r 2 dn(σ 2, N) and r 3 ZO(0.5, N), this algorithm sets c 0 = b r 3 + p r 1 + m (mod q 1 ), c 1 = a r 3 + p r 2 (mod q 1 ). Hence the initial ciphertet is ct = (1, c 0, c 1 ), where the first inde denotes the level (initiall set to be equal to one). If the level l is obvious we drop it in future discussions and refer to the ciphertet as an element in R 2 q l. - SwitchMod((1, c 0, c 1 )): We define a modulus switching operation which allows us to move from a level one to a level zero ciphertet, without altering the plaintet polnomial, that is (0, c 0, c 1) SwitchMod((1, c 0, c 1 )), c 0, c 1 R q0. The effect of this operation is also to scale the noise term (see below) b a factor of q 0 /q 1 = 1/p 1. - Dec((c 0, c 1 ); sk): Decrption is obtained b switching the ciphertet to level zero (if it is not alread at level zero) and then decrpting (0, c 0, c 1 ) via the equation (c 0 sk c 1 (mod q 0 )) (mod p), which results in an element of R p. Homomorphic Operations: Ciphertets at the same level l can be added, (l, c 0, c 1 ) (l, c 0, c 1) = (l, (c 0 + c 0 (mod q l )), (c 1 + c 1 (mod q l )), with the result being a ciphertet, which encodes a plaintet that is the sum of the two initial plaintets. Ciphertets at level one can be multiplied together to obtain a ciphertet at level zero, where the output ciphertet encodes a plaintet which is the product of the plaintets encoded b the input plaintets. We do not present the method here, although it is prett standard consisting of a modulus-switch, tensor-operation, then relinearization (which we carr out in this order). We write the operation as (1, c 0, c 1 ) (1, c 0, c 1) = (0, c 0, c 1), with c 0, c 1 R q0, or more simpl as (c 0, c 1 ) (c 0, c 1) = (c 0, c 1) as the levels are implied. Ciphertet Noise: The noise term associated with a ciphertet is the value c 0 sk c 1 can. To derive parameters for the scheme we need to maintain a handle on this value. The term is additive under addition and is roughl divided b p 1 under a modulus switch. For the tensoring and relinearization in multiplication the terms roughl multipl. A ciphertet at level zero will decrpt correctl if we have c 0 sk c 1 q 0 /2, which we can enforce b requiring c 0 sk c 1 can q 0/2. We would like a ciphertet (adversariall chosen or not) to decrpt correctl with probabilit 1 2 ɛ. In [15] ɛ is chosen to be around 55, but the effect of ɛ is onl in producing the following constants: we define e i such that erfc(e i ) i 2 ɛ and then we set c i = e i i. This implies that c 1 V, is a high probabilit bound on the canonical norm of a ring element whose coefficients are selected from a distribution with variance V. And c 2 V 1 V 2 is a similar bound on a produce of elements whose coefficient are chosen from distributions of variance V 1 and V 2 respectivel. With probabilit much greater than 1 2 ɛ the noise of an honestl generated ciphertet (given honestl generated kes) will be bounded b c 0 sk c 1 can = ((a sk + p ɛ) r 3 + p r 1 + m (a r 3 + p r 2 ) sk can = m + p (ɛ r 3 + r 1 r 2 sk) can m can φ(m) p/2 + p ( ɛ r 3 can + p σ + r 1 can + r 2 sk can ) ( c 2 φ(m)/ 2 + c 1 φ(m) + c 2 h ) φ(m) 5

6 = B clean. Recall this is the average case bound on the noise of honestl generated ciphertets. In our protocols ciphertets can be adversariall generated, and determining (and ensuring) a worst case bound on the resulting ciphertets is the main focus of the HighGear and TopGear protocols. Distributed Decrption: The BGV encrption scheme supports a form of distributed decrption, which is utilized in the SPDZ offline phase. A secret ke sk R q can be additivel shared amongst n parties b giving each part a value sk i R q such that sk = sk sk n. We assume, as is done in most other works on SPDZ, that the ke generation phase, including the distribution of the shares of the secret ke to the parties, is done in a trusted setup. To perform a distributed decrption of a ciphertet ct = (c 0, c 1 ) at level zero, each part computes d i c 0 c 1 sk i + p R i (mod q 0 ) where R i is a uniforml random value selected from [0,..., 2 DD sec B/p] where B is an upper bound on the norm c 0 c 1 sk. The values d i are then echanged between the plaers and the plaintet is obtained from m (d d n (mod q 0 )) (mod p). The statistical distance between the distribution of the coefficients of d i and uniforml random elements of size 2 DD sec B is bounded b 2 DD sec b Lemma 2.1. To ensure valid decrption we need the value of q 0 to satisf q 0 > 2 (1+n 2 DD sec ) B instead of q 0 > 2 B for a scheme without distributed decrption. Thus the need for distributed decrption makes the parameters get a lot larger. 3 n-prover Σ-Protocols The Overdrive ZKPoK is an n + 1 part Σ-protocol between n provers and one verifier 3. The Overdrive ZKPoK also has a difference, unlike traditional Σ-protocols, between the language used for completeness and the language for soundness; much like the protocols considered in [5][Definition 2.2]. The Overdrive paper does not formalize such Σ-protocols, so our first contribution is to do precisel this. Consider a set of n provers {P 1,..., P n } each with private input w i and public input i. The provers wish to convince a verifier V (who could be one or all of the provers) that a given predicate holds between the input values, i.e. P( 1,..., n, w 1,..., w n ) = 1, and that the provers hold knowledge of the said witnesses w i. The predicate P defines a language L; namel a binar relation on the pairs (, w). In the definition below we also utilize another language L such that L L defined b a second predicate P. In the following definition if one sets n = 1, L = L and utilizes perfect zero-knowledge then we have the traditional definition of a Σ-protocol. Definition 3.1. An n-part Σ-protocol with challenge set C for the languages L and L is defined as a tuple of PPT algorithms (Comm, Resp, Verif). The protocol is then eecuted in the following four phases: 1. Each prover independentl eecutes the algorithms (comm i, state i ) Comm(w i ) and sends ( i, comm i ) to the verifier. 2. The verifier selects a challenge value c C and sends it to each prover. 3. The provers eecute, again independentl, the algorithms resp i Resp(state i, c) and send resp i to the verifier. 4. The verifier accepts if Verif({comm i, resp i } i [n], c) = true. 3 In the wa it is used each prover also acts as an independent verifier. 6

7 Such a protocol should satisf the following three properties - Correctness: A set of honest provers should make the verifier accept with probabilit one if the first predicate P is true. - Special Soundness: Two accepting conversations with the same commitment but different challenges, can be passed into a PPT algorithm Etract (called the knowledge etractor) so as to obtain a witness (w 1,..., w n), to the second predicate P. In other words given two tuples ({comm i, resp i } i [n], c) and ({comm i, resp i } i [n], c ) such that we can obtain Verif({comm i, resp i } i [n], c) = Verif({comm i, resp i} i [n], c ) = true, (w 1,..., w n) Etract({comm i, resp i, comm i, resp i} i [n], c, c ) such that P ( 1,..., n, w 1,..., w n) = true. - Honest Verifier Zero-Knowledge: There is a PPT algorithm Sim A indeed b a set A [n], which takes as input an element in the language L and a challenge c C, and then outputs tuples {comm i, resp i } i/ A. We require that for all such A the output of Sim A is statisticall indistinguishable from a valid eecution of the protocol. We first discuss the definition of zero-knowledge. Firstl, the adversar, controlling the plaers in A, can alwas learn something about the inputs to the predicate P, given it was true, and his own input. For eample if the predicate was = 2 and the adversar has the witness 1 = 1, then he knows the other plaers witness was 2 = 1. We require that the adversar learns no more than he can alread deduce from his own input and the predicate being true. Secondl, since the eecution of the commitment and response phases are independent for each plaer, we onl need to look at indistguishabilit of the distribution of the values {c, {comm i, resp i } i / A } produced in a valid and a simulated eecution of the protocol. What the adversar does cannot affect the zero-knowledge as the adversaries values are independent. Our formalism for HV-ZK is therefore onl to allow the simulator to be applied when some provers are adversarial. Unlike in [5] we use a notion of statistical zero-knowledge, whereas [5] uses computational zero-knowledge. This is because our final protocol will be have statistical zero-knowledge. Modifing the definition for other forms of zero-knowledge is straight forward. The above definitions implies two implied securit parameters, which are important in what follows (and in prior treatments of the HighGear ZKPoK have been confusingl merged into one parameter). The first parameter is the soundness parameter Snd sec = log 2 C ; this gives the probabilit 2 Snd sec that a dishonest prover (b which we mean all provers are dishonest) can make an honest verifier accept. The second parameter is the zero-knowledge parameter ZK sec, which defines the closeness of the distributions of genuine from simulated transcripts. We let the statistical distance between the distributed of valid transcripts and transcripts produced b the simulator be bounded b 2 ZK sec. The knowledge etractor above outputs a witness for a predicate P which is potentiall different from the predicate that honest parties are proving. In traditional Σ-protocols (such as Schnorr s protocol) we have that P = P but in man lattice based protocols these two predicates are distinct. The gap between the two predicates #P /#P what we earlier referred to as the soundness slack. 4 ZKPoK Our protocol, which we call TopGear, is given in Figure 1 and Figure 2. The protocol is a n-prover Σ- Protocol in which, in the wa we have described it, the n plaers act both as a set of provers and individuall as verifiers; as this is how the Σ-protocol will be used in the SPDZ protocol. Thus in our description in Figure 1 and Figure 2 the challenge is produced via calling a random functionalit F Rand which produces a single joint challenge between the plaers. Such a functionalit is standard, see for eample [10], so we do not discuss its implementation further. 7

8 Protocol Π ZKPoK : Commitment, Challenge and Response Phases The protocol is parametrized b an integer parameter U and a flag {Diag, }. Input: Each (honest) part P i enters U plaintets m i R U p (considered as elements of R U q 1 ) and U randomness triples R i R U 3 q 1, where each row of R i (r (j,1) i, r (j,2) i, r (j,3) i ) is generated from RC ( σ 2, 0.5, N ). For honest P i we therefore have, for all j [U], m (j) i p and r(j,k) 2 i ρ k, where ρ 1 = ρ 2 = 20 and ρ 3 = 1. We write V = 2 U 1. Commitment Phase: Comm 1. P i computes the BGV encrptions b appling the BGV encrption algorithm to the j plaintet/randomness vectors in turn to obtain C i Enc(m i, R i; pk) R U 2 q The plaers broadcast C i. 3. Each P i samples V pseudo-plaintets i R V q 1 and pseudo-randomness vectors S i = (s (j,k) i ) R V q 3 1 such that, for all j [V ], (j) i 2 ZK sec 1 p and s (j,k) i 2 ZK sec ρ k. 4. Part P i computes A i Enc( i, S i; pk) R V q The plaers broadcast comm i A i. Challenge Phase: Chall { {X i 1. Parties call F Rand to obtain a random vector e = (e i) such that e } } U i=0...,2 N 1 if flag = and e {0, 1} U if flag = Diag. Response Phase: Resp 1. Parties define the V U matri M e where { M e (k,l) ek l+1 if 1 k l + 1 U = 0 otherwise 2. Each P i computes z i i + M e m i and T i S i + M e R i. 3. Part P i sets resp i (z i, T i), and broadcasts resp i. Verification Phase: Verif Figure 1. Protocol for global proof of knowledge of a set of ciphertets: Part I Protocol Π ZKPoK : Verification Phase 1. Each part P i computes D i Enc(z i, T i; pk). 2. The parties compute A n i=1 Ai, C n i=1 Ci, D n i=1 Di, T n i=1 Ti and z n i=1 zi. 3. The parties check whether D = A + M e C, and then whether the following inequalities hold, for j [V ], z (j) n 2 ZK sec p, T (j,k) 2 n 2 ZK sec ρ k for k = 1, 2, If flag = Diag then the proof is rejected if z (j) is not a constant polnomial (i.e. a diagonal plaintet element). 5. If all checks pass, the parties output C. Figure 2. Protocol for global proof of knowledge of a set of ciphertets: Part II To understand its workings and securit, first we give the two languages and then a securit proof. We present our proofs in the simpler case where no additional predicate needs to be proved about the ciphertets. In the SPDZ protocol [10], at one stage ciphertets need to be proved to be Diagonal, namel each plaintet slot component contains the same element. Adding this additional requirement into our protocols below can be done using the standard method given in [10]. However, this results in a reduced soundness securit parameter for the underling protocol. Later we shall see that this does not matter in practice in this specific case. 8

9 The Honest Language: In an honest eecution of the SPDZ offline phase each part P i has as input a set of U ciphertets given b, for j [U], ( ) ct (j) i = Enc m (j) i, (r (j,1) i, r (j,2) i, r (j,3) i ); pk. Part P i wishes to keep the values w i = (m (j) i, r (j,1) i, r (j,2) i, r (j,3) i ) U j=1 private, where as the ciphertet values i = (ct i,j ) U j=1 are public. The proof aims to prove something about the sum of these values, when summed over the plaers. We write the vector of plaer P i s plaintets as m i, the U 3 matri of its random values as R i and the resulting U 2 elements of R q1 giving the ciphertets as C i. B abuse of notation we relate these via the equation C i Enc(m i, R i ; pk). Thus the proof argues about the following values over R (and not R q1 ), m = n i=1 m i, R = n i=1 R i and C = n i=1 C i. Given the above notation, for honest provers the language we define is L = { (( 1,..., n ),(w 1,..., w n )) : i = C i, w i = (m i, R i ), C = C i, m = m i, R = R i, C = Enc(m, R; pk) and for all j [U] m (j) n p/2, R (j,k) n ρ k }. where ρ 1 = ρ 2 = 20 and ρ 3 = 1. Note, the language sas nothing about whether the initial witnesses encrpt to the initial public values C i, it onl discusses a joint statement about all plaers inputs (i.e. there sum). In the notation for the language we abuse notation b using Enc as simpl a procedure irrespective of the distributiosn of the input variables (as m (j) and R (j,k) are now elements in R and not necessaril in the correct domain). Thus we mean simpl appl the equations b R (j,3) + p R (j,1) + m (j) (mod q 1 ), a R (j,3) + p R (j,2) (mod q 1 ). For dishonest provers (where we assume the worst case of all provers being dishonest) we will onl be able to show that the inputs are from the language { L = (( 1,..., n ),(w 1,..., w n )) : i = C i, w i = (m i, R i ), C = C i, m = m i, R = R i, C = Enc(m, R; pk) and for all j [U] 2 m (j) 2 ZK sec+u/2+1 n p, 2 R (j,k) 2 2 ZK sec+u/2+1 n ρ k }. Notice, how not onl have the bounds increased on the right, but also the values within the norms have also increased b two. Thus we see that at a high level the bounds for the honest language are w i < B, whilst the bounds for the proven language are 2 w i < 2 ZK sec+u/2 B, where U is our amortization parameter. This eplosion in the proved bounds, 2 ZK sec+u/2, is called the soundness slack. This soundness slack could be reduced b utilizing rejection sampling as in lattice signature schemes, but this would complicate the protocol (being an n-part proof) and (more importantl) it turns out that the soundness slack has no effect on the parameters needed in the protocol. There is an added complication arising from the language L, corresponding to the factor of two in Lemma 2.2 arising in the inequalit on the left. However, this complication is then side-stepped b a minor modification to how the ZKPoKs are used with the SPDZ offline phase (which we describe in Section 5). 9

10 Theorem 4.1. The protocol in Figure 1 and Figure 2 is an n-part Σ protocol in the sense of Definition 3.1 for the languages L and L. The statistical distance between the coefficients of the ring elements in an honest and simulated transcripts is bounded b 2 ZK sec. The probabilit of an adversar being able to produce an invalid proof is given b - 2 U if flag = Diag. - (2 N) U if flag =. Proof. In the proof we concentrate on the case flag =, as the case flag = Diag is (roughl) the same. Correctness: In proving the correctness propert all the parties are assumed to be honest. We show that if this is the case then the final output passes the check. The equalit D = A + M e C follows at once from the fact that everthing is defined as a linear function of their arguments and the BGV encrption function, in particular, is linear and works componentwise. As for the bounds, verification is carried out according to the honest-prover language L, as the parties are honest and thus produce elements with the right bounds. B repeatedl appling Lemma 2.3 one has, and using the fact that U 2 ZK sec in practice, z (j) n i=1 ( ( i + M e m i ) (j) < n 2 ZK sec p 2 + U p ) 2 p n 2 ZK sec, n T (j,k) (S i + M e R i ) (j,k) < n (2 ZK sec ) ρ k + U ρ k i=1 2 n 2 ZK sec ρ k. Honest verifier zero-knowledge: Following our definition of n-prover Σ-protocol we give in Figure 3 a simulator, parametrized b a set of adversaries A, which produces transcripts. It is clear that the statistical difference in the distribution of the coefficients of the ring elements in z i and T i for i A in a real eecution and the simulated eecution can be bounded b Lemma 2.1 b 2 ZK sec. The Simulator Sim A { {X i If flag = then the input is a challenge value e } } U i=0,...,2 N 1 otherwise the input is a vector e {0, 1} U. 1. For all i A do (a) Sample z i R V q 1 such that, for j [V ], we have z (j) (b) Sample T i R V 3 q 1 i 2 ZK sec p. such that, for j [V ] and k = 1, 2, 3, we have T (j,k) i 2 2 ZK sec ρ k. (c) Set resp i (z i, T i). (d) Compute comm i = A i Enc(z i, T i; pk) M e C i. 2. Output (comm i, resp i ) i A. Figure 3. Simulator Sim A for our protocol Special soundness: Let the two accepting transcripts be ({A i } i [n], e, {z i, T i } i [n] ) and ({A i } i [n], e, {z i, T i } i [n]). We need to show we can recover a set of witnesses (m i, R i ) i [n] such that the sum m = m i and R = R i satisfies the bounds in the language L. The proof relies cruciall on the shape of the matri M e generated 10

11 in the proof, which is e e 2 e e 3 e 2 e M e = e U e U 1 e U 2... e 1 0 e U e U 1... e e U e U 1... e e U e U e U Since both the transcripts accept, we obtain a sstem of equations (M e M e ) C = D D where D = i [n] Enc(z i, T i ; pk), D = i [n] Enc(z i, T i ; pk) and C = C i. As the challenge vectors are distinct, there is an inde j such that e j e j. Take the largest of these indices and consider the submatri obtained from M e M e b taking the rows from j to j + U/2 1, and columns 1 to U/2. This is an upper triangular U/2 U/2 matri, whose diagonal elements are defined b e j e j, which we will denote b U. This matri gives rise to equations in the first U/2 ciphertets ct 1,..., ct U/2, ct 1 d j U... =.... ct U/2 d j+u/2 1 This turns into 2 (U/2) equations in the unknowns (inherent in the ct 1 ) namel m (l) and R (l,k) for l = 1,..., U/2 and k = 1, 2, 3, in terms of the known values (inherent in the d j,..., d j+u/2 1 ) namel T (l,k), T (l,k), z (l ), z (l ) for l = j,..., j + U/2 1 and k = 1, 2, 3. Equating suitable coefficients in the encrption equation we can solve for the variables using back substitution. Using Lemma 2.2 and the bounds on the known values (from the successful acceptance of the two transcripts) we obtain the bounds, for j = 1,..., U/2 and k = 1, 2, 3, 2 m (l) 2 n 2 ZK sec+u/2+1 p 2, 2 R (l,k) 2 n 2 ZK sec+u/2+1 ρ k. To obtain similar bounds for the same variables with l = U/2 + 1,..., U we return to the original matri equation and now take the smallest inde j such that e j e j. Then we take the U/2 U/2 submatri consisting of rows U/2 + j to j + U/2 1 and columns U/2 + 1,..., U. This is a lower triangular matri L, giving rise to an equation ct U/2+1 d U/2+j L... ct U =.... d j+u 1 We now solve the linear sstem in the same wa, obtaining solutions such that for j = U/2 + 1,..., U and k = 1, 2, 3, 2 m (l) 2 n 2 ZK sec+u/2+1 p 2, 2 R (l,k) 2 n 2 ZK sec+u/2+1 ρ k. From these solutions for the sums it is then eas to obtain witnesses for each individual plaers contribution which produces the given sum. 11

12 Given these etracted sums we can now produce witnesses for the specific plaers inputs in an wa we choose (as long as the add up to the correct sum). Recall that the language does not require that the witness produce the encrptions C i enterred b the plaers, onl that the sum C is correct. 5 SPDZ Offline Phase The application of the previousl considered ZKPoK is to the offline phase of the SPDZ protocol. We briefl recap on this here and give the necessar adaption from the HighGear protocol of [18]. Recall the offline phase of SPDZ primaril generates shared random triples ( a, b, c ) such that c = a b where a, b are selected uniforml at random from F p (and no subset of parties either know a, b or c, or can affect their distribution). This is done, at a high level, b each part P i encoding φ(m) a i and b i values into two elements a i and b i in R p The elements a i and b i are encrpted via the BGV scheme, and the parties obtain ct ai = Enc(a i, r a,i ; pk) and ct bi = Enc(b i, r b,i ; pk). Using the homomorphic properties of the BGV encrption scheme the parties can then compute an encrption of the product c R p via ct c = (ct a1 ct an ) (ct b1 ct bn ). (1) This is then passed to a distributed decrption protocol which gives to each part a share c i F p of the underling plaintet behind ct c. The associated shared MAC values, γ i [a], γ i [b] and γ i [c], to obtain the full sharing a, b, c are obtained in a similar manner. The problem is that dishonest parties could produce invalid ciphertets, which would result in either selective failure attacks or information leakage during the distributed decrption procedure. Thus in the SPDZ protocol [10] each ciphertet ct ai needs to be accompanied b a ZKPoK that it is not too far from being a valid ciphertet. Essentiall we use the ZKPoK to bound the noise term associated to even adversarial ciphertets, and then we use this bound to ensure that all ciphertets will validl encrpt (b using this bound to derive the parameters for the BGV encrption scheme). This is done for the ciphertets encrpting a i and the ciphertet encrpting the shares of the MAC ke α i. Where we eecute U such proofs in parallel so as to make use of good amortization in the ZKPoK. In HighGear from [18] it is noticed that the ciphertets ct ai are onl ever used in a sum (as in Equation 1). Thus one can replace the n ZKPoKs for ct ai b a single ZKPoK for the sum ct a = ct a1 ct an. It is this strateg we adapted in the previous section, to enable smaller values of U to be used. However, our adaption comes at the epense of us having a bound on the noise of not the original ciphertet sum ct a but of the sum 2 ct a = ct a ct a. Luckil this does not affect our final application as we can simpl multipl the underling plaintets b two and continue as normal. The modifications are eplained in Figure 4 for the case of triple production. The modifications to obtain other forms of offline data such as those in [9] are immediate. Note we repeat the proofs for the ciphertets encrpting α i a total of Snd sec/u times. This is because we onl have soundness parameter U for the proofs when flag = Diag. However, this is not an issue since the amortization does not produce an advantages here when we are tring to prove a single fied ciphertet has been validl created. We select U so that the ZKPoKs for the a i, b i and f i need onl be repeated once for the desired soundness securit parameter. In the protocol in Figure 4 we have utilized the more efficient Distributed Decrption protocol from HighGear to obtain the MAC shares, and have merged in the ReShare protocol, [9][Figure 11], needed to obtain the shares of c and the fresh encrption of c. The latter has been done so as to demonstrate our modified ZKPoKs make no difference to the overall protocol. The proof of securit of this offline phase follows eactl as in the original SPDZ papers [9, 10], all that changes is the bounds on the noise of the resulting ciphertets. Suppose (c 0, c 1 ) is a ciphertet corresponding to one of ct α, ct a, ct b or ct f in our protocol. We need to obtain worst case bounds on the value of c 0 sk c 1 can for such ciphertets, comparable to the average case bound on honestl generated fresh ciphertets given 12

13 Π offline Init: - Each part generates α i F p. - Each part sets α i 2 α i. - Each part computes an encrption ct α i of the plaintet consisting of α i in each slot position. - The resulting ciphertets, and associated random coins, are passed to Protocol Π ZKPoK from Figure 1 and Figure 2 using flag = Diag, where we use the same input for all U inputs of the protocol Π ZKPoK. The ZKPoK is repeated Snd sec/u times to achieve the desired soundness securit parameter. - The parties set ct α 2 (ct α 1 ct α n ). Triples: - Each part generates a i, b i, f i (F p) φ(m) and the associated elements a i, b i, f i R p. - Each part sets a i 2 a i, b i 2 b i. and f i 2 f i. - Each part computes an encrption ct a i, ct b i and ct f i of a i, b i and f i. - The resulting ciphertets, and associated random coins, are passed to Protocol Π ZKPoK from Figure 1 and Figure 2 using flag =. - The parties set ct a 2 (ct a 1 ct a n ), ct b 2 (ct b 1 ct b n ) and ct f 2 (ct f 1 ct f n ). - The parties compute ct c ct a ct b and ct c+f ct c ct f. - Using the distributed decrption operation of the BGV scheme the parties obtain in the clear c + f. - Part one sets c 1 (c + f) f 1 and part i 1 sets c i f i. - The parties compute a fresh encrption of c via ct c Enc(c + f, 0; pk) ct f with some default random coins 0. - The parties compute ct α a ct α ct a, ct α b ct α ct b and ct α c ct α ct c. - The MAC values γ i[a], γ i[b], γ i[c] are obtained b appling the DistDec protocol in Figure 14 from [18] and mapping the associated polnomials into the slot representation. Figure 4. TopGear Variant of the SPDZ Offline Phase earlier. We know that c 0 sk c 1 = 2 n (m i + p (ɛ r (3) i + r (1) i r (2) i sk)) i=1 where (m i, r (1) i, r (2) i, r (3) i ) were enterred into our ZKPoK. From the soundness of our ZKPoK we can guarantee that even adversariall produced inputs must satisf 2 m i 2 ZK sec+u/2+1 n p, i [n] 2 i [n] r (k) i 2 ZK sec+u/2+2 n ρ k. Due to our assumption of an honest ke generation phase we also know that with probabilit 1 2 ɛ we have that ɛ can c 1 σ φ(m) and that sk can c 1 h. Then using the inequalit can φ(m) we obtain the following inequalit, for the ciphertets output b the ZKPoK procedure, n c 0 sk c 1 can ( 2 m i can + p ɛ can 2 e 2,i can + 2 e 0,i can i=1 + sk can ) 2 e 1,i can 2 φ(m) 2 ZK sec+u/2+1 n p/2 ( + p c 1 σ φ(m) 3/2 2 2 ZK sec+u/2+1 n 13

14 + φ(m) 2 2 ZK sec+u/2+1 n 20 + c 1 h ) φ(m) 2 2 ZK sec+u/2+1 n 20 ( 41 = φ(m) 2 ZK sec+u/2+2 n p 2 + c 1 σ φ(m) 1/ c 1 h) = B dishonest clean. Using this bound we can then derive the parameters for the BGV sstem using eactl the same methodolog as can be found in [2]. 6 Results Recall we have three different securit parameters in pla, apart from the computational securit parameter κ of the underling BGV encrption scheme. The main benefit of TopGear over HighGear is that it potentiall enables higher values of the parameter Snd sec to be obtained. Recall 2 Snd sec is the probabilit that an adversar will be able to produce a convincing ZKPoK for an invalid input. The other two securit parameters are ZK sec and DD sec, which measure the statistical distance of coefficients of ring elements generated in a protocol to the same coefficients being generated uniforml at random from a similar range. In the contet of the HighGear ZKPoK in the Overdrive paper [18] the two securit parameters are set to be equal, i.e. ZK sec = Snd sec. In practice the value of Snd sec needs to be ver low for the HighGear ZKPoK as it has a direct effect on the memor consumption of the underling protocol. Thus in SCALE v1.2 the default value for Snd sec is 40. This is unfortunate as having a high probabilit of an adversar being able to get awa with cheating in a ZKPoK is not desirable. The first goal of our work is to enable Snd sec to be taken to be as large as is desired, whilst also obtaining an efficienc saving. As a second goal we also aim to increase the values of ZK sec and DD sec. These measure statistical distances of coefficients. But recall the ring elements have man thousands of coefficients, and in the course of a protocol eecution we generate man such ring elements. So whilst a high statistical distance is not as worrisome as a high probabilit of cheating, picking ZK sec and DD sec at low values we feel is also not desirable. Hence, after demonstrating the effect of our new protocol with respect to the increase in Snd sec, we then turn to eamining the effect of increasing the other securit parameters. In Table 1 we give various parameter sizes for the degree N and moduli q 0 = p 0, q 1 = p 0 p 1 for different plaintet space sizes p, and different securit levels ZK sec, Snd sec, DD sec and computational securit parameter κ, and two parties 4. We selected parameters for which ZK sec, DD sec Snd sec to keep the table managable. We use the methodolog described in [2] to derive parameter sizes for both HighGear and TopGear; which maps the computational securit parameter is mapped to lattice parameters using Albrecht s tool 5. A row which with values of in the ZK sec columns means that the values do not change when one varies this parameter is 40 or 80. From the table we see that the values of ZK sec and Snd sec produce relativel little effect on the overall parameter sizes, especiall for large values of the plaintet modulus p. This is because the modulus switch, within the homomorphic evaluation, squashes the noise b a factor of at least p. The values ZK sec and Snd sec onl blow up the noise b a factor of 2 ZK sec+u/2+2 (where U = Snd sec for HighGear and U = Snd sec/ log 2 (2 N) for TopGear) and hence a large p value cancels out this increase in noise due to the ZKPoK securit parameters. In addition the parameter sizes are identical for both HighGear and TopGear, ecept in the case of some parameters for low values of log 2 p. We based our implementation and eperiments on the SCALE-MAMBA sstem [2] which has an impementation of the HighGear protocol, which we modified to test against our TopGear protocol. We focused on the case of 128-bit plaintet moduli in our eperiments, being the recommended size in SCALE-MAMBA to support other MPC operations (such as fied point operations). We first baselined the implementation 4 Similar values can be obtained for other values of n, we selected n = 2 purel for illustration here, the effect of n on the values is relativel minor

15 HighGear TopGear log 2 p κ DD sec Snd sec ZK sec N log 2 p 0 log 2 p 1 N U log 2 p 0 log 2 p Table 1. SHE parameters sizes for various securit parameters in HighGear and TopGear (two parties). With DD sec, ZK sec Snd sec and DD sec, ZK sec, Snd sec {40, 80, 128}. The light graed rows show the default parameters used in SCALE-MAMBA. The medium gra denote the parameters we use in the eperiments in Sections 6.1 and 6.2. The dark graed rows show the parameters we would recommend, i.e. the ones we use in Section

16 in SCALE-MAMBA of HighGear against the implementation reported in [18]. The eperiments in [18] were eecuted on i and i7-3770s CPUs, compared to our eperiments which utilzied i7-7700k CPUs. From a pure CPU point of view our machines should be roughl 30% faster. The ping time between our machines was 0.47 milliseconds, whereas that for [18] was 0.3 milliseconds. Keller et al [18], in the case of 128-bit plaintet moduli, and with the securit settings equivalent to our setting of DD sec = ZK sec = Snd sec = 64, utilize a ciphertet modulus of 572 bits, whereas SCALE- MAMBA utilizes a ciphertet modulus of 541 bits. In this setting Keller et al [18] achieve a maimum throughput of 5600 triples per second, whereas SCALE-MAMBA s implementation of HighGear obtains a maimum throughput of roughl 2900 triples per second. We suspect the reason for the difference in costs is that SCALE-MAMBA is performing other operations related to storing the triples for later consumption b online operations. This also means that memor utilization grows as more triples are produced, leading to larger numbers of non-local memor accesses. These effects decrease the measurable triple production rate in SCALE-MAMBA. We now turn to eamining the performance differences between HighGear and the new TopGear protocol within our modified version of SCALE-MAMBA. We first looked at two securit settings so as to isolate the effect of increasing the Snd sec parameter alone. Our first setting was the standard SCALE-MAMBA setting of DD sec = ZK sec = Snd sec = 40, our second was the more secure setting of DD sec = ZK sec = 40 and Snd sec = 128. There are two main parameters in SCALE-MAMBA one can tweak which affect triple production; i) the number of threads devoted to eecuting the zero-knowledge proofs and ii) the number of threads devoted to taking the output of these proofs and producing triples. We call these two values t ZK and t Tr ; we looked at values for which t ZK, t Tr {1, 2, 4, 8}. We focus here on triple production for simplicit, a similar situation to that described below occurs in the case of bit production. We eamine memor consumption (Section 6.1) and triple production (Section 6.2) in these settings so as to see the effect of changing Snd sec. After this we eamine increasing all the securit parameters in Section 6.3, and the effect this has on memor and triple production. 6.1 Memor Consumption We see from Table 1 that the parameters in TopGear for the underling FHE scheme are generall identical to the those in HighGear. The onl difference being when the etra soundness slack in HighGear compared to TopGear is not counter balanced b size of the underling plaintet modulus. However, the real affect of TopGear comes in the amount of data one has to simultaneousl process. Running the implementation in SCALE-MAMBA for HighGear one sees immediatel that memor usage is a main constraint of the sstem. A rough (under) estimation of the memor requirements of the ZKPoKs in HighGear and TopGear can be given b the sizes of the input and auillar ciphertets to the ZKPoK. A single ciphertet takes (roughl) φ(m) log 2 (p 0 p 1 ) bits to represent it. There are U input ciphertets and V = 2 U 1 auillar ciphertets per plaer. Hence, the total nunber of bits required to process a ZKPoK is at least 3 U n φ(m) log 2 (p 0 p 1 ). Now in HighGear we need to take U = Snd sec, which is what limits the applicabilit of large soundness securit parameters in the implementations of HighGear. Whereas in TopGear we can take U = Snd sec/ log 2 (2 N). Thus, all other things being equal (which the above table gives evidence for) the memor requirements in TopGear are reduced b a factor of roughl log 2 (2 N). For the range of N under consideration (i.e to 32768) this gives a memor saving of a factor of between 14 and 16. A similar saving occurs in the amount of data which needs to be transferred when eecuting the ZKPoK. Note, this is purel the saving for holding the zero-knowledge proofs, the overall effect on memor consumption will be much less. To see this in practice we eamined the memor consumption of running HighGear and TopGear with the above settings (of DD sec = ZK sec = Snd sec = 40, and DD sec = ZK sec = 40, Snd sec = 128) the results being given in Tables 2 and 3. We give the percentage memor consumption (given in thems of the percentage maimum resident set size obtained from /usr/bin/time -v). This is the maimum percentage 16