Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing...
-
Upload
brook-gilbert -
Category
Documents
-
view
215 -
download
0
Transcript of Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing...
![Page 1: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/1.jpg)
Secure Computation (Lecture 7-8)
Arpita Patra
![Page 2: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/2.jpg)
Recap
>> (n,t)-Secret Sharing (Sharing/Reconstruction)
> Shamir Sharing
> Lagrange’s Interpolation for reconstruction (any point on a d-degree poly can be
written as the linear combination of (d+1) or more points on the polynomial)
> Security: For any secret, the t shares generate a uniform distribution over Ft
p
> Linearity (addition, multiplication by constant free)>> MPC for arithmetic circuit with semi-honest i.t security
> Honest majority
> The protocol
> Simulator
> Indistinguishability proof
![Page 3: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/3.jpg)
Secure Circuit Evaluation
x1 x2 x3 x4
c
y
![Page 4: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/4.jpg)
2 1 5 9
y
3
Secure Circuit Evaluation
![Page 5: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/5.jpg)
Secure Circuit Evaluation
1. (n, t)- secret share each input
2 1 5 9
3
![Page 6: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/6.jpg)
Secure Circuit Evaluation
2 1 5 9
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
3
![Page 7: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/7.jpg)
Secure Circuit Evaluation
3
2 1 5 9
3
48
144
45
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
![Page 8: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/8.jpg)
Secure Circuit Evaluation
2 1 5 9
3
48
Linear gates: Linearity of Shamir Sharing - Non-Interactive
144
45 3
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
![Page 9: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/9.jpg)
Secure Circuit Evaluation
2 1 5 9
3
48 Non-linear gate: Require degree-reduction Technique. Interactive
45
144
3
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
Linear gates: Linearity of Shamir Sharing - Non-Interactive
![Page 10: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/10.jpg)
Secure Multiplication Gate Evaluation
x2
x3
xn
x1P1
P2
Pn
P3
y2
y3
yn
y1
x y
x1y1 = z1
x2y2 = z2
x3y3 =z3
xnyn = zn
xy
f(x) = f1 (x)f2 (x) of degree 2tf1 (x) f2 (x)
Recombination Vector (r1, …,rn)
where
![Page 11: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/11.jpg)
Secure Multiplication Gate Evaluation
x2
x3
xn
x1P1
P2
Pn
P3
y2
y3
yn
y1
x y
x1y1 = z1
x2y2 = z2
x3y3 =z3
xnyn = zn
xy
z1
z2
z3
zn
Shamir-share
Shamir-share
Shamir-share
f1 (x) f2 (x)
Shamir-share
Recombination Vector (r1, …,rn)
r1z1 +..+rnzn
xy
f(x) = f1 (x)f2 (x) of degree 2t
![Page 12: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/12.jpg)
Secure Circuit Evaluation
2 1 5 9
3
48
45
1443. Reconstruct the Shamir-sharing of the output by exchanging shares with each other
3
Non-linear gate: Require degree-reduction Technique. Interactive
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
Linear gates: Linearity of Shamir Sharing - Non-Interactive
Correctness: Easy
![Page 13: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/13.jpg)
Real World View of Adversary
3. Output Reconstruction: Shares of the honest parties corresponding to output y
2. Input-sharing and multiplication gate computation: t shares of input/product share of honest parties
1. At the outset: Input and random coins
{{ViewReali}Pi in C} – Random
Variable
3. Output Reconstruction: Given his shares of the output and output, adv can computes shares of the honest parties corresponding to output y (using Lagrange’s interpolation)
2. Input-sharing and multiplication gate computation: t values distributed uniformly at random from Ft
p (irrespective of what values is shared)
1. At the outset: Input
Leaks nothing beyond inputs /outputs of corrupted parties
![Page 14: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/14.jpg)
Simulator and Indistinguisahbility
3. Output Reconstruction: Given the shares of the corrupted parties (which it knows) and y compute shares of the honest parties corresponding to output y and send them to the adv.
2. Input-sharing and multiplication gate computation: Sample t random shares and give to adv on behalf of the honest parties
1. At the outset: Input, output (of corrupted parties) and random coins
{{ViewIdeali}Pi in C} – Random
VariableGenerated using inputs /outputs of corrupted parties
Step 2 simulation is perfect: The t shares can be seen in both worlds with same probability
Step 3 simulation is perfect too!: Given t shares of corrupted parties and y, the shares of the honest parties are unique in both the worlds.
![Page 15: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/15.jpg)
Efficiency
4. Output Reconstruction: O(n) |Fp| bits
2. Addition Gate: NIL
1. Input: O(n) |Fp| bits
Communication Complexity: O(cI n + cM n2 + cO n2) |Fp| bits
3. Multiplication gate computation: O(n2) |Fp| bits
No. of Input Gate: cI
No. Addition Gates: cA
No. Multiplication Gates: cM
No. Output Gates: cO
Goal: O(cI n + cM n + cO n) |Fp| bits
Round Complexity: O(d); d = multiplicative depth of the circuit
Goal: Constant? Yes (restricted class of circuits/exponential computation: two papers)
In computational setting it is possible for any function with poly power
![Page 16: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/16.jpg)
Offline/Online Paradigm
>> Online Phase:
>> Offline Phase:
No knowledge of inputs and function to be computed is needed
Create Shamir sharings where the secrets are “related” in some way
Is not expected to be very efficient
Use the the raw material created in offline phase to compute the agreed function on the parties private inputs.
Expected to be blazing fast
Will use sharing of secrets as well.
Will use only secret reconstruction
>> Communication Complexity: Offline + Online Complexity
![Page 17: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/17.jpg)
Secure Circuit Evaluation
3. Open output by Reconstruction algorithm
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
Linear gates: Linearity of Shamir Sharing - Non-Interactive
Non-linear gate: Require degree-reduction Technique. Interactive
Reduction to two reconstructions
Reduction to one reconstruction
>> Raw Material: (n,t)-shamir sharing of a random and secret value
>> Raw Material: (n,t)-sharing of three values (a,b,c), s.t.a,b,c are random and secret and c = ab
![Page 18: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/18.jpg)
Input Sharing Using One Reconstruction
r2
r3
rn
r1 P1
P2
Pn
P3
rPi
Apply reconstruction(Lagrange’s Interpolation)
x
![Page 19: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/19.jpg)
Input Sharing Using One Reconstruction
P1
P2
Pn
P3
x + rPi x + r
r2
r3
rn
r1
x + rx + r
-
-
-
-
Communication Complexity = : O(cI n) |Fp| bits
![Page 20: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/20.jpg)
3
2 1 5 9
3
Don Beaver CRYPTO 91
Beaver’s Circuit-randomization Technique for Multiplication
![Page 21: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/21.jpg)
3
2 1 5 9
3
a b ab
Multiplication Triple
Beaver’s Circuit-randomization Technique for Multiplication
Offline Oracle
![Page 22: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/22.jpg)
3
2 1 5 9
3
1 1 1
Multiplication Triple
Ex:
Beaver’s Circuit-randomization Technique for Multiplication
![Page 23: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/23.jpg)
3
2 1 5 9
3
1 6 6
Multiplication Triple
Ex:
Beaver’s Circuit-randomization Technique for Multiplication
![Page 24: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/24.jpg)
3
2 1 5 9
3
5 2 10
Multiplication Triple
Ex:
Beaver’s Circuit-randomization Technique for Multiplication
![Page 25: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/25.jpg)
3
2 1 5 9
3
a b ab
Multiplication Triple
Beaver’s Circuit-randomization Technique for Multiplication
![Page 26: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/26.jpg)
3
2 1 5 9
3
a b ab
• Random and Private a, b
Beaver’s Circuit-randomization Technique for Multiplication
Multiplication Triple
![Page 27: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/27.jpg)
3
2 1 x y
3
a b ab
• Two reconstructions
• Linear operations
• Random and Private a, b• Independent of the multiplication gate
Beaver’s Circuit-randomization Technique for Multiplication
![Page 28: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/28.jpg)
Beaver’s Circuit Randomization Technique
xy = ((x-a) +a)((y-b)+b) = (α + a)(β + b) = ab + α b + β a + α β
α = x-a β = y-b
xy b ab= + α a+ β + α β
>> Write xy as linear combination of ab, a, b where the combiners will be publicly known and do not leak any information about x and y.
>> We can combine sharing of ab, a, b using the combiners to get sharing of xy
![Page 29: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/29.jpg)
x
x2
x3
Beaver’s Circuit Randomization Technique
P1
P2
P3
Pn xn
b1
b2
b3
bn
x1
b x-a y
y2
y3
yn
y1
a1
a2
a3
an
a
c1
c2
c3
cn
c
x1-a1
x2-a2
x3-a3
xn-an
y-b
y1-b1
y2-b2
y3-b3
yn-bn
α = x-a
β = y-b
Reconstruct
![Page 30: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/30.jpg)
x
x2
x3
Beaver’s Circuit Randomization Technique
P1
P2
P3
Pn xn
b1
b2
b3
bn
x1
b xy y
y2
y3
yn
y1
a1
a2
a3
an
a
c1
c2
c3
cn
c
c1 + α b1 + β a1 + α β
α = x-a β = y-b xy = ((x-a) +a)((y-b)+b) = (α + a)(β + b) = ab + α b + β a + α β
c2 + α b2 + β a2 + α β
c3 + α b3 + β a3 + α β
cn + α bn + β an + α β
![Page 31: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/31.jpg)
• Let cM be the number of multiplication gates in the circuit
3
x1 x2 x3 x4
Secure Circuit Evaluation Using Beaver Circuit Randomization
![Page 32: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/32.jpg)
• Let cM be the number of multiplication gates in the circuit
3
x1 x2 x3 x4
Secure Circuit Evaluation Using Beaver Circuit Randomization
• Ask triple-oracle for cM multiplication triples
![Page 33: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/33.jpg)
3
x1 x2 x3 x4 5 2 10
2 2 4
1 0 0
Secure Circuit Evaluation Using Beaver Circuit Randomization
• Let cM be the number of multiplication gates in the circuit
• Ask triple-oracle for cM multiplication triples
![Page 34: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/34.jpg)
3
5 2 10
2 2 4
2 2 2 2
1 0 0
Secure Circuit Evaluation Using Beaver Circuit Randomization
![Page 35: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/35.jpg)
Secure Circuit Evaluation Using Beaver Circuit Randomization
3
2 2 2 2
5 2 10
2 2 4
1 0 0
4
![Page 36: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/36.jpg)
5 2 10
2 2 4
1 0 0
Secure Circuit Evaluation Using Beaver Circuit Randomization
3
2 2 2 2
4
![Page 37: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/37.jpg)
Secure Circuit Evaluation Using Beaver Circuit Randomization
3
2 2 2 2
2 2 4
1 0 0
4
5 2 10
4
![Page 38: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/38.jpg)
Secure Circuit Evaluation Using Beaver Circuit Randomization
3
2 2 2 2
1 0 0
4
5 2 10
4 2 2 4
![Page 39: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/39.jpg)
Secure Circuit Evaluation Using Beaver Circuit Randomization
3
2 2 2 2
1 0 0
4
5 2 10
4 2 2 4
16
![Page 40: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/40.jpg)
Secure Circuit Evaluation Using Beaver Circuit Randomization
5 2 10
2 2 4
1 0 0
3
2 2 2 2
4 4
16
![Page 41: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/41.jpg)
Beaver’s Trick- Offline-online Paradigm
Triple generation parallelizable efficiency (amortization)
Offline Phase: Sitting Idle, Generate as many shared triples as possible---raw data
Online Phase: Use the raw data for circuit evaluation.
On the contrary, multiplications gates can not be evaluated in parallel
![Page 42: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/42.jpg)
Reconstruction of Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries
x2
x3
xn
x1P1
P2
Pn
P3
Pi
The same is done for all Pi Communication Complexity (CC): O(n2)
Lagrange’s Interpolation
![Page 43: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/43.jpg)
Efficient Reconstruction of (n,t)- Shamir for Semi-honest Adversaries
>> Can we do better?
O(n) Easy
……Because we are assuming semi-honest adversaries.
Online Complexity = : O(cI n + cM n + cO n) |Fp| bits
x2
x3
xn
x1P1
P2
Pn
P3
P1 x
P1
P2
Pn
P3
xxxx
![Page 44: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/44.jpg)
Online Complexity
How efficiently can we reconstruct a shared secret?s
Reconstruction cost of one shared secret = Cost Per Multiplication / Input / Output (asymptotically)
![Page 45: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/45.jpg)
Offline Complexity
>> Task 1: Generation of Secret Sharing.
> a,b,c are secret shared using LSSS > a, b, c random and secret > c = ab
a
b
c
Generation of (cM + cI) shared, random, secret multiplication triples
>> Task 2: Generation of Secret Sharing where the secret is random and secret- different from the previous task
>> Task 3: Generation of Sharing of random, secret, multiplication triple
✓
CC of Task 1: O(n)
![Page 46: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/46.jpg)
>> Each party Shamir share a random value
a1
a2
a3
Generation of Sharing for random secret
P1
P2
P3
Pn an
>> Pick any sharing- does this work?
>> Randomness extractor on (a1, …..an )
>> Simplest Randomness Extractor: Addition
a1+a2+…..+an
>> Sharing of a value that is random and secret>> Inefficient: n-t random and secret values among a’s but we had extracted just one.
![Page 47: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/47.jpg)
a1
a2
a3
Efficient Randomness Extractor
P1
P2
P3
Pn an
>> Assume a1,….an are n points of a polynomial of degree n-1, f(x)
>> These are all random
>> t out of a1,….an are known to adversary and may be non-random
(n-t) points are randomly chosen and t points may be non-random and known to the adv.
>> Consider any (n-t) points on f(x) at x that are different from {1,..n,}, say f(n+1), ……f(n+n-t)
f(1) = a1
.
. f(n) = an
![Page 48: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/48.jpg)
Efficient Randomness Extractor
f(a1,….at): Fn-t Fn-t >> Choose (n-t) points at random>> Use n points to define a poly f(x) of degree at most n-1.>> Evaluate f(x) at n+1,…(n+n-t)
>> The mapping is a bijection.>> Since we have uniform distribution in the domain (uniform over Fn-
t), we get the same on the range.
![Page 49: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/49.jpg)
a1
a2
a3
Efficient Randomness Extractor
P1
P2
P3
Pn an
>> Assume a1,….an are n points of a polynomial of degree n-1, f(x)
>> f(n+1), ……f(n+n-t) are random.
f(1) = a1
.
. f(n) = an
f(n+1) = an+1
.
. f(2n-t) = a2n –t
an+1
an+2
an+3
a2n-t
>> We need to find Shamir-sharing of an+1 ,….., a2n-t
>> Just Local computation: Lagrange’s Magic formula
![Page 50: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/50.jpg)
a1
a2
a3
Efficient Randomness Extractor
P1
P2
P3
Pn an
>> Assume a1,….an are n points of a polynomial of degree n-1, f(x)
>> f(n+1), ……f(2n-t) are random.
f(1) = a1
.
. f(n) = an
f(n+1) = an+1
.
. f(2n-t) = a2n –t
an+1
an+2
an+3
a2n-t How many random values have we extracted? n-t
Amortized CC of generating one sharing of a random secret value is (Task 2): O(n)
![Page 51: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/51.jpg)
Offline Complexity
>> Task 1: Generation of Secret Sharing.
> a,b,c are secret shared using LSSS > a, b, c random and secret > c = ab
a
b
c
Generation of (cM + cI) shared, random, secret multiplication triples
>> Task 2: Generation of Secret Sharing where the secret is random and secret- different from the previous task
>> Task 3: Generation of Sharing of random, secret, multiplication triple
✓
CC of Task 1: O(n)
✓
CC of Task 2: O(n)
![Page 52: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/52.jpg)
a
a2
a3
Generating Sharing of Multiplication Triple
P1
P2
P3
Pn an
b1
b2
b3
bn
Sharing of random and secret values
a1
b ab
Multiplication Protocol
CC: O(n2)
![Page 53: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/53.jpg)
Offline Complexity
>> Task 1: Generation of Secret Sharing.
> a,b,c are secret shared using LSSS > a, b, c random and secret > c = ab
a
b
c
Generation of (cM + cI) shared, random, secret multiplication triples
>> Task 2: Generation of Secret Sharing where the secret is random and secret- different from the previous task
>> Task 3: Generation of Sharing of random, secret, multiplication triple
✓
CC of Task 1: O(n)
✓
CC of Task 2: O(n)
Multiplication ProtocolCC of Task 3: O(n2)
✓
Offline CC: O(n2 cM + n cI) |F| bits.
![Page 54: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/54.jpg)
Complexity
Offline complexity: O( cM n2 + n cI) |F| bits.
Total Complexity: O(cI n + cM n2 + cO n) |Fp| bits
Online Complexity: O(cI n + cM n + cO n) |Fp| bits
Is there a way to generate triple sharing with O(n) complexity?
Yes with n>=3t+1 perfect security (active adversary)
Yes but with statistical security!
![Page 55: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/55.jpg)
Secure Circuit Evaluation
3. Open output by Reconstruction algorithm
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
Linear gates: Linearity of Shamir Sharing - Non-Interactive
Non-linear gate: Require degree-reduction Technique. Interactive
Reduction to one reconstruction
Reduction to one reconstruction
>> Raw Material: (n,t)-shamir sharing of a random value
>> Raw Material: (n,2t)-sharing and (n,t)-sharing of a random value
![Page 56: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/56.jpg)
x
x2
x3
How to use Raw data for Multiplication
P1
P2
P3
Pn xn
a1
a2
a3
an
x1
a xy-a
y
y2
y3
yn
y1
A1
A2
A3
An
a
x1y1-A1
x2y2-A2
x3y3-A3
xnyn-An
Reconstruct xy-a No security breach since xy is blinded with random a
+ xy-a
+ xy-a
+ xy-a
+ xy-a
xy
Online Complexity = : O(cI n + cM n + cO n) |Fp| bits
![Page 57: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/57.jpg)
Offline Complexity
>> Task 1: Generation of (n,2t) and (n,t)-secret Sharing.
> a is (n,2t)-shared and (n,t)-shared > a random and secret
a a
Generation of (cM + cI), (n,(2t,t))-secret sharing of random and secret values
>> Task 2: Generation of Secret Sharing where the secret is random and secret- different from the previous task
✓
CC of Task 1: O(n)
✓
CC of Task 2: O(n) (amortized)
![Page 58: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/58.jpg)
a1
a2
a3
Efficient Randomness Extractor
P1
P2
P3
Pn an
>> Assume a1,….an are n points of a polynomial of degree n-1, f(x)
>> f(n+1), ……f(2n-t) are random.
f(1) = a1
.
. f(n) = an
f(n+1) = an+1
.
. f(2n-t) = a2n –t
an+1
an+2
an+3
a2n-t How many random values have we extracted? n-t
Amortized CC of generating one sharing of a random secret value is (Task 2): O(n)
![Page 59: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/59.jpg)
Complexity- Linear Overhead MPC
Offline complexity: O(n cM + n cI) |F| bits.
Total Complexity: O(cI n + cM n + cO n) |Fp| bits
Online Complexity: O(cI n + cM n + cO n) |Fp| bits
First CT Topic:
>> Various possible raw data >> Ways of generating them.
![Page 60: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/60.jpg)
Computationally Secure Protocol in Honest Majority Settings
>> A1: Secure channel model relaxation.
>> A2: Constant Round protocol possible
CT Topic 2: [CDN01] Multiparty Computation from Threshold Homomorphic Encryption [Link: http://eprint.iacr.org/2000/055.pdf]
First protocol to present O(n) overhead MPC with n>=2t+1 (active)
After 12 looooooong years: First protocol with O(n) overhead MPC with n>=2t+1 in i.t. setting [BFO12] (active).
![Page 61: Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.](https://reader030.fdocuments.us/reader030/viewer/2022032709/56649eb75503460f94bc0a27/html5/thumbnails/61.jpg)