Secure Computation in the Preprocessing Model

MPC workshop, 2012

Ivan Damgård

Dept. Of Computer Science, Århus University

The MPC scenario for this talk

Adv

The players

Communication Network

x2, y2x1, y1

x3,y3 x4,y4

Corrupt

Inputs, Desired outputs

• Secure point-to-point channels. • Synchronous network. • Active corruption.

The Case of Dishonest Majority

Assume t=n-1 of the n players can be corrupted. Cannot have information theoretic security.

But we can protect against a computationally bounded adversary using public-key technology:

If t=n-1, we can compute any function securely, based on suitable computational assumptions (but termination cannot be guaranteed).

So information theoretic tools useless here?

NO!

”MPC in the head” can improve efficiency [IKOS06, etc.]

”On-line/off-line MPC” (this talk:

[Bendlin Damgård Orlandi Zakarias EuroCrypt 11], [Damgård Pastro Smart Zakarias Crypto 12], and [Damgård Zakarias 12])

On-Line/Off-line MPC • Preprocessing Phase, can be done any time, inputs, function to compute need not be known. Create raw material for

• On-line phase, inputs supplied here. Function can be computed more efficiently because we have raw material from preprocessing.

Goal: use only cheap information theoretic tools here, push all the expensive public-key stuff into preprocessing.

In the following..Think of the Preprocessing as Trusted Dealer, whom we can ask to give us data in any form we like.Later, must implement the dealer via secure protocol that does not assume trusted parties..

Information Theoretic Message Authentication Codes (MACs) and Secret-Sharing.Basic idea: values occurring in the computation will be secret-sharedand we protect against malicious attacks by authenticating the shares using unconditionally secure message authentication codes (MACs).

First seen in [RB89], in different form in [BDOZ11] where we also did a preprocessing phase based on so called semi-homomorphic encryption.

Doing Better with Many Players and Arithmetic Circuits

[joint work with Pastro, Smart and Zakarias, Crypto 2012]Also known as “SPDZ”..

Observation: what we really want to protect is the shared value, not the shares...

An issue with authentication of shares:Each player needs his own key (all other players could be corrupt)-> each share must be authenticated with n MACs

-> total storage and communication complexity is O(n2).

A security game for the authentication scheme we will use:Message x, Key α, MAC is mx = α x mod p, p a prime

An Authentication scheme

Check: is mx+e’ = α (x +e) mod p ?Adversary wins if wrong value of x is accepted.To win, must guess α.

Sender 1 Receiver

Sender 2

x α

mx = α x mod p

x x+e

mx

mx+e’e’

The representation of secret values

Secret value x= x1+x2 mod p, x1,x2 shares in x

MAC mx = α x = m(x)1 + m(x)2 mod p shares in the

MACDealer keeps the key α, will release it on request.

x1

x2

If one of the players is malicious, cannot reconstruct x correctly. Could try to check the MAC, but then we need the key and given the key, anyone can forge new MACs

m(x)1 m(x)2

Solution: just open shares of x and hope for the best. Call this a partial opening. Turns out to be OK as long as we do not reveal sensitive info *and* if we catch errors before it is too late.

Representation cnt’d.

[x] = (x1, m(x)1 x2,

m(x)2)

[y] = (y1, m(y)1 y2,

m(y)2)

Can define [x] +[y] = [x+y] by local component-wise addition.Similar for multiplication by public constants.

Multiplication [Beaver’s Circuit Randomization Technique]

Given [x], [y], want to compute [xy]

Assume the trusted dealer gives to the players

[a], [b], [c], random a,b, c=ab.

Partially open e= x-a, d= y-b

Then, if values are correct, we have:

[xy] = [c] + e[b] + d[a] + ed

Putting it all together – Three Phases

Input Phase – make representation [x] for each input value [x] (details skipped here).

Computation Phase – work our way through the circuitAddition gates, no communication. Each multiplication gate consumes a multiplication triple, and we (partially)open two random values.

Output Phase – open the outputs (to be described).

Many Players

[x] defined to be - x1,…, xn with x= x1+…+xn mod p

- m(x)1,…, m(x)n with mx= m(x)1+…+m(x)n mod p and where mx = αx mod p

And Dealer holds α

Computation and Output phase in more detail:

Computation Phase: For every [x] to open, we only open the x-value, not the MAC. Instead people commit to their shares of the MACs.

Stop just before we open the outputs, commit to the shares you would reveal to open results.

Output Phase: Dealer opens the key α. Players open commitments to shares of MACs. If all OK, we know we are about to reveal correct results, so we complete protocol by also revealing shares/MACs of the output.

Fits with the security game: adversary must modify message and MAC before seeing MAC and key.

Further Improvement.

Now players only store a constant number of field elements per shared value [x].

But need to commit to shares of all macs before revealing them. Too expensive.

We have [x1], [x2],…,[xt] and opened values x’1,…, x’tWant to check whether xi= x’i

Instead of checking individually, take a randomlinear combination – choose e1,…,et at random and compute (locally)[y] = [e1 x1 + … + et xt] as well as y’= e1 x’1 +…+ et x’t.

Now people commit only to shares in the mac for [y] and we check that y’=y.

Can be shown that if any x’i is incorrect, y’ is correct only with probability 1/ size of field.

Summing up

For n players, to compute circuit of size S securely with error probability ≈ 1/p, each player needs (essentially):- Storing O(S) field elements.- Do O(S) local field operations.

For large fields, where 1/p acceptable error probability, means each player spends not much more work than we need to compute the circuit with no security.

For a preprocessing model allowing to compute any circuit of size <= S, can show that storage is optimal and work is optimal up to a polylog factor.

Communication is O(S) as well – is this optimal??

Implementation: 3 players, connected on a LAN, 64 bit prime p, one secure multiplication in amortized time 0.05 ms.

Implementing the Dealer, or: Preprocessing

Based on a somewhat homomorphic encryption scheme allowing many values to be multiplied in parallel inside one ciphertext.

Cryptosystem based on the Ring-LWE assumption and variant of [Brakersky et al.], Crypto 2011.

Somewhat homomorphic Cryptosystem: A secure public-key

scheme, plaintexts are vectors m= (m1,…,ms) in Zps

Epk(a+b) = Epk(a) + Epk(b)

Epk(a*b) = Epk(a) Epk(b) where a*b is coordinatewise multiplication

Dsk(Epk(x))) = x

- if Epk(x) is not “too dirty”, i.e. the result of “too many” operations.In our case: “not too many”= 1 multiplication and many additions.

Just what we need for preprocessing: each multiplicative triple can be prepared using the same set of operations, can all be done in parallel.

To make it work, lots of stuff needed

- ZK proof that you know what is inside a ciphertext you prepared.

- Set-up: one global public key, secret key shared among players. A distributed decryption protocol.

- Lots of math to analyze what the optimal – and secure - choices of parameters are.

Results for Preprocessing

Number of public-key operations spent to prepare a secure

multiplication is O(n2/s) where s is number of fields elements packed in one ciphertext (about 12000 in our implementation).

Latest implementation: 3 players connected on a LAN, security similar to 1024 bit RSA, spends 10-13 ms. (amortized time) to prepare for 1 secure 64-bit multiplication for 3 players. But see also results from Marcel Keller’s talk later..

Comparison to Other Implementations[Nielsen et al. 11] does Boolean Circuits based on OT extensions and clever cut and choose techniques to get active security.

Can do 200-300 AND gates in the time we need for a 64 bit multiplication. Indicates our approach may be faster for arithmetic in large fields.

Boolean Circuits?

The SPDZ protocol works also for Boolean circuits, but we would need touse GF(2k) for the MACs, to get small enough error probability.

Means we use a k bit MAC to authenticate one bit – large overhead, protocol not optimal for small fields..

Doing Boolean Circuits with (almost) Constant Overhead

[Damgård, Zakarias 2012, work in progress]

Idea: try to implement the Boolean circuit by doing only blockwiseoperations, i.e., b+v = (b1,…,bm) + (v1,…,vm) = (b1 + v1,…,bm + vm) b*v = (b1,…,bm) * (v1,…,vm) = (b1 * v1,…,bm * vm)

Hope: authenticating a block should be cheaper than authenticating each bit individually.

Result from [DIK10]: can restructure any Boolean circuit so that only block-operations and a small number of permutations of bits inside blocks are needed. Comes at cost a logarithmic blow-up.This talk, for simplicity: ignore the permutations inside blocks

Security game for authentication scheme:Message (a codeword) x, Key α, MAC is mx = α*x

New Authentication scheme..

Is based on a (good) linear error correcting code C

Check: is mx+e’ = α*(x +e) ?AND is x+e a codeword?Adversary wins if wrong value is accepted.

Sender 1 Receiver

Sender 2

x α

mx = α*x

x x+e

mx

mx+e’e’

Note that e must be a codeword. Implies adversary much cheat in many positions to win.“many” = minimum distance of C

Equivalent to many 1-bit MACs in parallel

Equivalent to many 1-bit MACs in parallel

A new Authentication Scheme for n-bit blocks

x1

x2

Secret value x= x1+x2 mod p, x1,x2 shares in x

MAC mx = α*x = m(x)1 + m(x)2 shares in the MAC

Dealer keeps the key α, will release it on request.

If one of the players is malicious, cannot reconstruct x correctly. Solve as before, just open shares of x, check MACs later.

m(x)1 m(x)2

New Message Authentication Codes cnt’d.

[x] = (x1, m(x1) x2, m(x2))

mac(x) + mac(y) = α*x + α*y = α*(x+y) = mac(x+y)

[y] = (y1, m(y1), y2, m(y2))

Can define [x] +[y] = [x+y] by local componentwise addition.

Problem! multiplications by constants do not work the same way as before: say we havemac(x) = α*x mult. by e on both sides, get e*mac(x) = α*(e*x)Even if e is a codeword, no guarantee that e*α is a codeword!However..

Solving the Problem using the Schur Transform

C*= Schur transform of C Defined as linear span of all words of form x*y where x,y are in C.

Can arrange that in the protocol e is always in C, so e*a is in C*. If also C* has large minimum distance, then we’re fine.

e*mac(x) = α*(e*x) = mac(e*a)

When opening, players checks that e*a is in C*

Now, everything works as before, including usage of multiplication triples.We just need a family of codes C such that:

C and C* have constant information and error ratesEncoding into C is efficient (ideally O(m) or O(m log m) )C should be over a small field, ideally constant size.

Constructions of Codes

Can use Reed-Solomon codes based on GF(2log m),For circuit of size S, storage, communication and computation complexity will be O(polylog(m) n S).

Can also use codes from Algebraic Geometry [Cramer et al.]

-> Field can be constant size.

-> Storage and communication complexity will be O(n S)

-> Hope to show that also Computational complexity will be O(n S).

THANKS!