Multiparty Computation (MPC) Arpita Patra

Similar documents
Introduction to Cryptography Lecture 13

Lecture 3,4: Multiparty Computation

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

Secure Computation. Unconditionally Secure Multi- Party Computation

An Unconditionally Secure Protocol for Multi-Party Set Intersection

Efficient Asynchronous Multiparty Computation with Optimal Resilience

Multi-Party Computation with Conversion of Secret Sharing

Secret sharing schemes

Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings

From Secure MPC to Efficient Zero-Knowledge

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

Yuval Ishai Technion

Robustness for Free in Unconditional Multi-Party Computation

Multiparty Computation, an Introduction

Fundamental MPC Protocols

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Fast Large-Scale Honest-Majority MPC for Malicious Adversaries

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

1 Number Theory Basics

Computing on Encrypted Data

Unconditionally Secure Multiparty Set Intersection Re-Visited

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Simple and Asymptotically Optimal t-cheater Identifiable Secret Sharing Scheme

Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

Introduction to Modern Cryptography Lecture 11

Lecture 14: Secure Multiparty Computation

Efficient General-Adversary Multi-Party Computation

Lecture Notes on Secret Sharing

Round-Efficient Multi-party Computation with a Dishonest Majority

An Efficient and Secure Protocol for Privacy Preserving Set Intersection

Winter 2011 Josh Benaloh Brian LaMacchia

Secure Multiplication of Shared Secrets In The Exponent

Efficient Constant Round Multi-Party Computation Combining BMR and SPDZ

A New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank

Almost-Surely Terminating Asynchronous Byzantine Agreement Revisited

Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

On Achieving the Best of Both Worlds in Secure Multiparty Computation

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

1 Basic Number Theory

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Realistic Failures in Secure Multi-Party Computation

Perfect Secure Computation in Two Rounds

Communication-Efficient MPC for General Adversary Structures

Efficient Conversion of Secret-shared Values Between Different Fields

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

SELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

Extending Oblivious Transfers Efficiently

Authenticated Garbling and Efficient Maliciously Secure Two-Party Computation

SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a

A New Approach to Practical Active-Secure Two-Party Computation

Benny Pinkas Bar Ilan University

Reducing the Share Size in Robust Secret Sharing

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Malicious Security. 6.1 Cut-and-Choose. Figure 6.1: Summary of malicious MPC protocols discussed in this chapter.

Cryptographic Asynchronous Multi-Party Computation with Optimal Resilience

Round-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary

Data-Mining on GBytes of

Cryptographical Security in the Quantum Random Oracle Model

On Two Round Rerunnable MPC Protocols

Public-key Cryptography and elliptic curves

On the Cryptographic Complexity of the Worst Functions

On the Round Complexity of Covert Computation

Katz, Lindell Introduction to Modern Cryptrography

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Historical cryptography. cryptography encryption main applications: military and diplomacy

Network Oblivious Transfer

Lecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007

CPSC 467: Cryptography and Computer Security

Efficient Secret Sharing Schemes Achieving Optimal Information Rate

Protocols for Multiparty Coin Toss with a Dishonest Majority

On Expected Constant-Round Protocols for Byzantine Agreement

Shlomi Dolev 1 and Niv Gilboa 2 and Ximing Li 1.

Cryptanalysis of Threshold-Multisignature Schemes

Error-Tolerant Combiners for Oblivious Primitives

A New Approach to Practical Active-Secure Two-Party Computation

Efficient and Secure Delegation of Linear Algebra

New Notions of Security: Universal Composability without Trusted Setup

Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion

One-Round Secure Computation and Secure Autonomous Mobile Agents

Entity Authentication

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Threshold Cryptography

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Covert Multi-party Computation

A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness

Authentication. Chapter Message Authentication

Constant-Round MPC with Fairness and Guarantee of Output Delivery

Cyber Security in the Quantum Era

Lecture 38: Secure Multi-party Computation MPC

Minimal Design for Decentralized Wallet. Omer Shlomovits

Are you the one to share? Secret Transfer with Access Structure

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Secure Multi-Party Computation

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Perfectly-Secure Multiplication for any t < n/3

Transcription:

Multiparty Computation (MPC) Arpita Patra

MPC offers more than Traditional Crypto! > MPC goes BEYOND traditional Crypto > Models the distributed computing applications that simultaneously demands usability and privacy of sensitive data

Satellite Collision in Space

Satellite Collision in Space NASA tracks 7,000 space crafts and 21,000 objects (space debris) in space Approximately 20,00,00,000 pairs

List of High-speed Collisions The 1996 collision between the French Cerise military reconnaissance satellite and debris from Ariane rocket The 2009 collision between the Iridium 33 communications satellite and the derelict Russian Kosmos 2251 spacecraft over Siberia, which resulted in the destruction of both satellites The 22 May 2013 collision between Ecuador's NEE-01 Pegaso and Argentina's CubeBug-1, and the particles of a debris cloud left over from the launch of Kosmos 1666 On Jan. 22, 2013, debris from the destroyed Chinese satellite Fengyun 1C collided with a small Russian laser-ranging retroreflector satellite called BLITS ("Ball Lens in The Space").

Preventing Satellite Collision in Space NASA tracks 7,000 space crafts and 21,000 objects (space debris) in space Approximately 20,00,00,000 pairs High-accuracy positional information is privy to operators National secret

Secure Multiparty Computation (MPC) MPC is the holy grail >> n parties P 1,...,P n some are corrupted >> P i has private input x i >> A common n-input function f Goals: >> Correctness: Compute f(x 1,x 2,..x n ) >> Privacy: Nothing beyond function output should be leaked. Applications: (Dual need of data privacy & data usability) E-voting Biometrics E-auction Data Mining Bioinformatics

The Goal of MPC x 1 x 2 x 3 x4 y = f(x 1,x 2,x 3,x 4 ) REAL world

The Goal of MPC x 1 x 2 y y y y x 3 x4 y = f(x 1,x 2,x 3,x 4 ) REAL world

The Goal of MPC x 1 x 2 x 1 x 2 y y Any task y y Invisible x 3 x 4 IDEAL world y = f(x 1,x 2,x 3,x 4 ) x 3 REAL world x4

The Goal of MPC x 1 x 2 x 1 x 2 y y y Any task y y Invisible x 3 x 4 IDEAL world y = f(x 1,x 2,x 3,x 4 ) x 3 REAL world x4

Important Parameters of an MPC Protocol 1. Communication Complexity (b) : Total number of bits communicated by the honest parties 2. Round Complexity (r) : Total number of rounds of interaction in the protocol

Two models of MPC for any function f Boolean Circuit (AND, OR, NOT, XOR) Arithmetic Circuit over finite field (Addition and Multiplication) x 1 x 2 x 3 x 4 x 1 x 2 x 3 x 4 + f(x 1, x 2, x 3, x 4 ); inputs are bits f(x 1, x 2, x 3, x 4 ); inputs are field elements Secure Circuit evaluation: Nothing other than the output gate value will be revealed

Threshold Adversary Assumption: any t out of n parties can be corrupted t is the threshold which t don t known

(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Secret s Dealer

(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n

(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n Reconstruction Phase Less than t +1 parties have no info about the secret

(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n Reconstruction Phase Secret s t +1 parties can reconstruct the secret

(n,t) Secret Sharing s Linear : (n,t) Secret Sharing of secret s For MPC: Linear (n,t) Secret Sharing Linearity: The parties can do the following s 1 s 2 from s 1 s 2 c s from c: public constant s

Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries Secret x is Shamir-Shared if Random polynomial of degree t x 1 x 2 x 3 x n P 1 P 2 P 3 P n

Reconstruction of Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries P 1 x 1 P 2 x 2 P i P 3 x 3 P n x n Lagrange s Interpolation The same is done for all P i

Secure Circuit Evaluation 2 1 5 9 3 y

Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 3

Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 3 2. Find (n, t)-sharing of each intermediate value

Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value 3 45 3 48 144

Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value 3 45 3 Linear gates: Linearity of Shamir Sharing - Non-Interactive 48 144

Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value 3 45 3 Linear gates: Linearity of Shamir Sharing - Non-Interactive 48 Non-linear gate: Require degreereduction Technique. Interactive 144

Secure Circuit Evaluation 2 1 5 9 Privacy follows (intuitively) because: 3 48 45 3 1. No inputs of the honest parties are leaked. 2. No intermediate value is leaked. 144

One Significant Contribution Underlying Network: Synchronous Asynchronous NO Efficient MPC protocols

Synchronous Model Global Clock Channels have fixed delay x Knows how long to wait... Compute and send x... Wait to receive x

Asynchronous Model No Global Clock Channels have arbitrary yet finite delay x Does not Know how long to wait... Compute and send x... Wait to receive x

Asynchronous Model No Global Clock Channels have arbitrary yet finite delay x Does not Know how long to wait... Compute and send x... Wait to receive x

n parties Challenges in Asynchronous Model n parties and t corrupted x 1 Cannot wait for all Else endless waiting x 2 can afford to wait to listen from (n-t) parties x n But leads to ignoring messages of t honest parties

Synchronous vs. Asynchronous Linear (O(n)) overhead MPC O(n 3 ) overhead MPC Our contribution: Journal of Cryptology: O(n 2 ) overhead MPC without error DISC 14 (Full version submitted to IEEE Transactions on Information Theory): O(n) overhead MPC with negligible error Scalable Solution (par party communication is independent of no. of parties)

Adaptive Corruption stronger than Static Corruption Hackers constantly trying to break into computers running secure protocols but could do so after the protocol has started. The attacker first looks at the communication and then decide who to corrupt (not allowed in static model)

Static vs. Adaptive Efficient; Constant Round MPC In-efficient; NO constant MPC Our contribution: >> TCC 14 (Full version awaiting acceptance in Journal of Cryptology): Proposed slightly restricted models (one adaptive corruption). Proposed solutions static protocols >> PODC 15 (Full version submitted to Journal of Cryptology): Proposed yet another practical model (partial erasure). Proposed solutions static protocols partial erasure)

Threshold Adversary Assumption: any t out of n parties can be corrupted t is the threshold which t don t known

(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Secret s Dealer

(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n

(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n Reconstruction Phase Less than t +1 parties have no info about the secret

(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n Reconstruction Phase Secret s t +1 parties can reconstruct the secret

(n,t) Secret Sharing s Linear : (n,t) Secret Sharing of secret s For MPC: Linear (n,t) Secret Sharing Linearity: The parties can do the following s 1 s 2 from s 1 s 2 c s from c: public constant s

Reconstruction of Linearly Shared Secrets The efficiency of MPC reduces to the efficiency of reconstructing a secret >> Part I: How to reconstruct a secret efficiently? > Semi-honest Model: (n,t) secret sharing and reconstruction with linear (O(n)) overhead; > Malicious Model: (n 3t+1,t) secret sharing and reconstruction with linear (O(n)) overhead; n 3t+1 is necessary and sufficient for error-free reconstruction > Malicious Model: (n 2t+1,t) secret sharing and reconstruction with linear (O(n)) overhead; n 2t+1 is necessary and sufficient for reconstruction >> Part II: How MPC reduces to reconstruction of secrets? > Semi-honest Model: Linear Overhead MPC > Malicious Model: Linear Overhead Error-free MPC with n 3t+1 > Malicious Model: Linear Overhead MPC with n 2t+1

Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries Secret x is Shamir-Shared if Random polynomial of degree t x 1 x 2 x 3 x n P 1 P 2 P 3 P n

Reconstruction of Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries P 1 x 1 P 2 x 2 P i P 3 x 3 P n x n Lagrange s Interpolation The same is done for all P i Communication Complexity (CC): O(n 2 )

Efficient Reconstruction of (n,t)- Shamir for Semi-honest Adversaries >> Can we do better? O(n) Easy P 1 x 1 Because we are assuming semi-honest adversaries. P 1 P 2 x 2 P 2 P 1 x P 3 x 3 P 3 P n x n P n Challenge: Linear Solution tolerating malicious adversaries

Reconstruction of (n 3t+1,t) - Shamir Secret Sharing for Malicious Adversaries P 1 x 1 Error Correction Possible to get back x!! P 2 x 2 >> Shamir-sharing Reed-Solomon Code (linear) with distance n-t 2t P i >> Fundamental result: distance 2 errors P 3 x x 3 P n x n x n The same is done for all P i Communication Complexity (CC): O(n 2 )

Efficient Reconstruction of (n 3t+1,t) - Shamir Secret Sharing for Malicious Adversaries >> Can we do better? O(n) Can we use the same trick as before? P 1 x 1 P 1 P 2 x 2 P 2 P 1 Error correct and get x P 3 x 3 P 3 P n x n P n Trick for semi-honest adversaries does not work

Reconstruction of (t+1) secrets with O(n 2 ) Cost for n 3t+1 a 0 b 1 P 1 a 1 Local Computation b 2 P 2 a t b n P n f(x) = a 0 + a 1 x + + a t x t b i = f(i) = a 0 + a 1 i + + a t i t Communication Complexity: O(n 2 )

Reconstruction of (t+1) secrets with O(n 2 ) Cost for n 3t+1 a 0 b 1 P 0 b 0 a 1 Local Computation b 2 P 1 b 1 P i >> Apply Error Correction >> Obtain f(x) a t b n P n b n f(x) = a 0 + a 1 x + + a t x t b i = f(i) = a 0 + a 1 i + + a t i t The same is done for all P i Amortized Communication CC /secret: Complexity O(n) (CC): O(n 2 )

Reconstruction of (n 2t+1,t) - Shamir Secret Sharing for Malicious Adversaries P 1 x 1 Error Correction NOT Possible! >> Shamir-sharing Reed-Solomon Code (linear) with distance n-t t P 2 P 3 P n x 2 x x 3 x n x n P i >> Fundamental result: distance 2 errors >> Enhance the secret sharing in such a way that a party cannot lie about his share >> If they lie, they will be detected as corrupted >> Use information-theoretic MACs

Information Theoretic MACs Message: MAC: a MAC K (a) MAC Key: K a, MAC K (a) Accept a, MAC K (a) Reject

Information Theoretic MAC a K = (α, β) from F MAC K (a) = α a + β a, MAC K (a) Accept a, MAC K (a) Reject

Homomorphic Information Theoretic MAC a MAC K1 (a) = α a + β 1 b MAC K2 (b) = α b + β 2 K 1 = (α, β 1 ) K 2 = (α, β 2 ) a + b MAC K (a + b) = MAC K1 (a) + MAC K2 (b) = α (a + b) + (β 1 + β 2 ) K = (α, β 1 + β 2 ) No interaction needed. We can use similar trick for multiplication by publicly known constant and again no need of interaction.

Enhanced Shamir-sharing: (n 2t+1,t) - Secret Sharing for Malicious Adversaries Secret s is enhanced-shamir- Shared if s is Shamir-shared + Pairwise MACs P 1 x 1 MAC 1 (x 1 ) MAC 2 (x 1 ) MAC n (x 1 ) K 1 K 2 P 2 x 2 P 3 x 3 P n x n K n The same holds for all P i Enhanced-Shamir-Sharing is also linear

Reconstruction of (n 2t+1,t) - Shamir Secret Sharing for Malicious Adversaries P 1 x 1 MAC i (x 1 ) P 2 x 2 MAC i (x 2 ) P i Verify with K 1. If accept, keep x 1 Verify with K 2. If accept, keep x 2 P 3 x x 3 MAC i (x 3 ) Verify with K 3. If reject, ignore x 3 P n xx n MAC i (x i (x n ) n ) Will have at least t+1 accepted shares (from the honest parties) The same is done for all P i Communication Complexity (CC): O(n 2 )

Efficient Reconstruction of (n 2t+1,t) Enhanced Shamir Secret Sharing for Malicious Adversaries a 0 b 1 P 0 b 0 a 1 Local Computation b 2 P 1 b 1 P i >> Apply Error Correction >> Obtain f(x) But Error Correction does not work a t b n P n b n f(x) = a 0 + a 1 x + + a t x t b i = f(i) = a 0 + a 1 i + + a t i t Does the trick for 3t+1 work? Challenge: Linear Overhead tolerating malicious adversaries for n 2t+1

Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 a 10 a 1i a 1t b 11 b 12 b 1n a 20 a 2i a 2t b 21 b 21 b 2n Local Computation a n0 a ni a nt b n1 b n2 b nn f 0 (x) = a 00 + a 01 x + + a 0t x t b 0j = f 0 (j) = a 00 + a 01 j + + a 0t j t j =1,..,n

Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 a 10 a 1i a 1t b 11 b 1i b 1n a 20 a 2i a 2t b 21 b 2i b 2n Local Computation a n0 a ni a nt b n1 b ni b nn A n.(t+1) B n.n f i (x) = a i0 + a i1 x + + a it x t b ij = f i (j) = a i0 + a i1 j + + a it j t j =1,..,n t+1 columns of B matrix are required to reconstruct A

Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 11 b 1i b 1n b 21 b 2i b 2n b n1 b ni b nn P 1 P i P n Communication Complexity: O(n 3 )

Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 11 b 1i b 1n >> If the parties honestly communicate their column to every other party, we are done. b 21 b 2i b 2n >> But there is no guarantee that a corrupted P i will do that. b n1 b ni b nn >> Prevent a party from sending a wrong column (he should be caught if he does so) P 1 P i P n Communication Complexity: O(n 3 )

Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 1i r 1i b 2i r 2i b ni r ni P i P j r 1i b 1i + r 2i b 2i.. + r ni b ni r 1i, r 2i.., r ni are remains hidden from everyone

Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 1i r 1i b 2i r 2i >> A corrupted P i will fail very high probability. >> P j will ignore P i s column b ni r ni P j Verify if the sum is same as the below (r 1i b 1i + r 2i b 2i.. + r ni b ni ) How P j can compute (r 1i b 1i + r 2i b 2i.. + r ni b ni ) without revealing his random choice.

Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 1i E(r 1i ) E(r 1i b 1i +..+ r ni b ni b 2i E(r 2i ) b ni E(r ni ) P j E(r 1i b 1i +..+ r ni b ni ) Decrypt r 1i b 1i +..+ r ni b ni (pk,sk): Homomorphic Encryption For each pair of parties Communication Complexity: O(n)

Part II: Reduction from MPC to Reconstruction of Secrets Reduction holds for any linear secret sharing

Secure Circuit Evaluation x 1 x 2 x 3 x 4 y c

Secure Circuit Evaluation 2 1 5 9 3 y

Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 3

Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 3 2. Find (n, t)-sharing of each intermediate value

Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value 3 45 3 48 144

Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value 3 45 3 Linear gates: Linearity of Shamir Sharing - Non-Interactive 48 144

Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value 3 45 3 Linear gates: Linearity of Shamir Sharing - Non-Interactive 48 Non-linear gate: Require degreereduction Technique. Interactive 144

Secure Circuit Evaluation 2 1 5 9 3 48 45 3 144 1. (n, t)- secret share each input Reduction to one reconstruction 2. Find (n, t)-sharing of each intermediate value Linear gates: Linearity of Shamir Sharing - Non-Interactive Non-linear gate: Require degreereduction Technique. Interactive Reduction to two reconstructions 3. Open output by Reconstruction algorithm

Secure Circuit Evaluation 2 1 5 9 Privacy follows (intuitively) because: 3 48 45 3 1. No inputs of the honest parties are leaked. 2. No intermediate value is leaked. 144

Beaver s Circuit-randomization Technique for Multiplication Don Beaver CRYPTO 91 2 1 5 9 3 3

Beaver s Circuit-randomization Technique for Multiplication 2 1 5 9 a b ab 3 3 Multiplication Triple

Beaver s Circuit-randomization Technique for Multiplication Ex: 2 1 5 9 1 1 1 3 3 Multiplication Triple

Beaver s Circuit-randomization Technique for Multiplication Ex: 2 1 5 9 1 6 6 3 3 Multiplication Triple

Beaver s Circuit-randomization Technique for Multiplication Ex: 2 1 5 9 5 2 10 3 3 Multiplication Triple

Beaver s Circuit-randomization Technique for Multiplication 2 1 5 9 a b ab 3 3 Multiplication Triple

Beaver s Circuit-randomization Technique for Multiplication Random and Private a, b 2 1 5 9 a b ab 3 3 Multiplication Triple

Beaver s Circuit-randomization Technique for Multiplication Random and Private a, b Independent of the multiplication gate 2 1 5 9 a b ab 3 3 Two reconstructions Linear operations

Beaver s Circuit-randomization Technique for Multiplication Random and Private a, b Independent of the multiplication gate 2 1 5 9 a b ab 3 45 3 Two reconstructions Linear operations

Secure Circuit Evaluation Using Beaver Circuit Randomization Let M be the number of multiplication gates in the circuit x 1 x 2 x 3 x 4 3

Secure Circuit Evaluation Using Beaver Circuit Randomization Let M be the number of multiplication gates in the circuit Ask triple-oracle for M multiplication triples x 1 x 2 x 3 x 4 3

Secure Circuit Evaluation Using Beaver Circuit Randomization Let M be the number of multiplication gates in the circuit Ask triple-oracle for M multiplication triples x 1 x 2 x 3 x 4 5 2 10 2 2 4 3 1 0 0

Secure Circuit Evaluation Using Beaver Circuit Randomization 2 2 2 2 5 2 10 3 2 2 4 1 0 0

Secure Circuit Evaluation Using Beaver Circuit Randomization 2 2 2 2 5 2 10 4 3 2 2 4 1 0 0

Secure Circuit Evaluation Using Beaver Circuit Randomization 2 2 2 2 5 2 10 4 3 2 2 4 1 0 0

Secure Circuit Evaluation Using Beaver Circuit Randomization 2 2 2 2 5 2 10 4 4 3 2 2 4 1 0 0

Secure Circuit Evaluation Using Beaver Circuit Randomization 2 2 2 2 5 2 10 4 4 3 2 2 4 1 0 0

Secure Circuit Evaluation Using Beaver Circuit Randomization 2 2 2 2 5 2 10 4 4 3 2 2 4 16 1 0 0

Secure Circuit Evaluation Using Beaver Circuit Randomization 2 2 2 2 5 2 10 4 4 3 2 2 4 16 1 0 0

Why Beaver s Trick is Useful Offline Phase- Online Phase Paradigm Offline Phase: Sitting Idle, Generate as many shared triples as possible---raw data Online Phase: Use the raw data for circuit evaluation. Triple generation parallelizable efficiency On the contrary, multiplications gates can not be evaluated in parallel

Online Complexity How efficiently can we reconstruct a shared secret? s Reconstruction cost of one shared secret = Cost Per Multiplication (asymptotically) 1. Generate shared data s 2. Implement the oracle

Beaver s Circuit Randomization Technique xy = ((x-a) +a)((y-b)+b) = (α + a)(β + b) = ab + α b +β a + α β xy = ab + α b a + β + α β α = x-a β = y-b

Beaver s Circuit Randomization Technique x y a b ab x-a xy

Beaver s Circuit Randomization Technique y b ab x a x-a Open α = x-a y-b Open β = y-b α b a β (α β) xy

Linearity of (n, t) Shamir Secret Sharing say t = 1 a

Linearity of (n, t) Shamir Secret Sharing say t = 1 a b a 1 a 2 a 3 a 4 b 1 b 2 b 3 b 4 each party does locally b a b 1 b 2 b 4 a 1 a 2 a 3 a 4 c 1 c 2 c 3 c 4 1 2 3 4

Linearity of (n, t) Shamir Secret Sharing say t = 1 a b a 1 a 2 a 3 a 4 Addition is Absolutely free c 1 c 2 c 3 c 4 ab b b b 4 2 1 b 1 b 2 b 3 b 4 b a 1 a 2 a 3 a 4 a ab c 1 c 2 c 3 c 4 1 2 3 4

Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 a a 1 a 2 a 3 a 4 1 2 3 4

Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 c c c c a a 1 a 2 a 3 a 4 1 2 3 4

Linearity of (n, t) Shamir Secret Sharing say t = 1 a c is a publicly a 1 a 2 a 3 a known constant 4 c c c c a a 1 a 2 a 3 a 4 1 2 3 4

Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 c c c c a a 1 a 2 a 3 a 4 1 2 3 4 d 1 d 2 d 3 d 4

Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 ca c c c c a a 1 a 2 a 3 a 4 1 2 3 4 d 1 d 2 d 3 d 4

Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 d 1 d 2 d 3 d 4 ca c c c c a a 1 a 2 a 3 a 4 1 2 3 4 d 1 d 2 d 3 d 4

Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 Multiplication by public constants is Absolutely free ca d 1 d 2 d 3 d 4 ca c c c c a a 1 a 2 a 3 a 4 1 2 3 4 d 1 d 2 d 3 d 4

Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 1 2 3 4

Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 1 2 3 4

Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 d 1 d 2 d 3 d 4 1 2 3 4

Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 ab d 1 d 2 d 3 d 4 1 2 3 4

Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 ab d 1 d 2 d 3 d 4 1 2 3 4

Non-linearity of (n, t) Shamir Secret Sharing say t = 1 d 4 d 3 a a 1 a 2 a 3 a 4 d 1 d 2 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 ab d 1 d 2 d 3 d 4 1 2 3 4

Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a Multiplication of shared d 4 secrets is not free ab d 2 d a 1 a 2 a 3 a 1 4 d 3 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 ab d 1 d 2 d 3 d 4 1 2 3 4

Linear (n,t) Secret Sharing s 1 s = 2 s 1 + s 2 Linear Operation c s = c s s 1 s 2 s 2 s 1 Non-Linear Operation L

An Abstract Tool for the Generic Solution (n, t) LOCKED BOX REPRESENTATION A secret s is locked in the box P 1 P 2 Any t parties cannot open the box P n

An Abstract Tool for the Generic Solution (n, t) LOCKED BOX REPRESENTATION A secret s is locked in the box P 1 P 2 Any t parties cannot open the box P n

An Abstract Tool for the Generic Solution (n, t) LOCKED BOX REPRESENTATION A secret s is locked in the box P 1 P 2 P n Any t parties cannot open the box

An Abstract Tool for the Generic Solution (n, t) LOCKED BOX REPRESENTATION A secret s is locked in the box P 1 P 2 Any t parties cannot open the box Any (t + 1) parties can open the box P n

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback