Secure Computation (Lecture 7-8)
Arpita Patra
Recap
>> (n,t)-Secret Sharing (Sharing/Reconstruction)
> Shamir Sharing
> Lagrange’s Interpolation for reconstruction (any point on a d-degree poly can be
written as the linear combination of (d+1) or more points on the polynomial)
> Security: For any secret, the t shares generate a uniform distribution over Fp^t
> Linearity (addition, multiplication by constant free)
>> MPC for arithmetic circuit with semi-honest i.t security
> Honest majority
> The protocol
> Simulator
> Indistinguishability proof
Secure Circuit Evaluation
[Figure: arithmetic circuit with inputs x1, x2, x3, x4, constant c and output y; example values 2, 1, 5, 9 and 3; wire values shown: 3, 48, 45, 144]
1. (n, t)-secret share each input
2. Find (n, t)-sharing of each intermediate value
Linear gates: Linearity of Shamir Sharing - Non-Interactive
Non-linear gate: Require degree-reduction Technique. Interactive
Secure Multiplication Gate Evaluation
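[Figure: parties P1, P2, P3, …, Pn hold shares x1, x2, x3, …, xn of x and y1, y2, y3, …, yn of y]
x1y1 = z1, x2y2 = z2, x3y3 = z3, …, xnyn = zn
f(x) = f1(x)f2(x) of degree 2t, where f1(x) and f2(x) are the polynomials sharing x and y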
Recombination Vector (r1, …,rn)
where
Secure Multiplication Gate Evaluation
[Figure: each Pi multiplies its shares, xiyi = zi, and Shamir-shares zi among P1, P2, P3, …, Pn]
Recombination Vector (r1, …, rn): r1z1 + .. + rnzn = xy
f(x) = f1(x)f2(x) of degree 2t
Secure Circuit Evaluation
[Figure: example circuit with values 2, 1, 5, 9 and 3; wire values shown: 3, 48, 45, 144]
1. (n, t)-secret share each input
2. Find (n, t)-sharing of each intermediate value
Linear gates: Linearity of Shamir Sharing - Non-Interactive
Non-linear gate: Require degree-reduction Technique. Interactive
3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other
Correctness: Easy
Real World View of Adversary
1. At the outset: Input and random coins
2. Input-sharing and multiplication gate computation: t shares of input/product share of honest parties
3. Output Reconstruction: Shares of the honest parties corresponding to output y
{ViewReal_i}_{Pi in C} – Random Variable
1. At the outset: Input
2. Input-sharing and multiplication gate computation: t values distributed uniformly at random from Fp^t (irrespective of what value is shared)
3. Output Reconstruction: Given his shares of the output and the output, adv can compute the shares of the honest parties corresponding to output y (using Lagrange’s interpolation)
Leaks nothing beyond inputs/outputs of corrupted parties
Simulator and Indistinguishability
1. At the outset: Input, output (of corrupted parties) and random coins
2. Input-sharing and multiplication gate computation: Sample t random shares and give to adv on behalf of the honest parties
3. Output Reconstruction: Given the shares of the corrupted parties (which it knows) and y, compute shares of the honest parties corresponding to output y and send them to the adv.
{ViewIdeal_i}_{Pi in C} – Random Variable
Generated using inputs/outputs of corrupted parties
Step 2 simulation is perfect: The t shares can be seen in both worlds with same probability
Step 3 simulation is perfect too!: Given t shares of corrupted parties and y, the shares of the honest parties are unique in both the worlds.
Efficiency
No. of Input Gates: cI
No. of Addition Gates: cA
No. of Multiplication Gates: cM
No. of Output Gates: cO
1. Input: O(n) |Fp| bits
2. Addition Gate: NIL
3. Multiplication gate computation: O(n^2) |Fp| bits
4. Output Reconstruction: O(n) |Fp| bits
Communication Complexity: O(cI n + cM n^2 + cO n^2) |Fp| bits
Goal: O(cI n + cM n + cO n) |Fp| bits
Round Complexity: O(d); d = multiplicative depth of the circuit
Goal: Constant? Yes (restricted class of circuits/exponential computation: two papers)
In computational setting it is possible for any function with poly power
Offline/Online Paradigm
>> Offline Phase:
No knowledge of inputs and function to be computed is needed
Create Shamir sharings where the secrets are “related” in some way
Is not expected to be very efficient
Will use sharing of secrets as well.
>> Online Phase:
Use the raw material created in offline phase to compute the agreed function on the parties’ private inputs.
Expected to be blazing fast
Will use only secret reconstruction
>> Communication Complexity: Offline + Online Complexity
Secure Circuit Evaluation
1. (n, t)-secret share each input
Reduction to one reconstruction
>> Raw Material: (n,t)-Shamir sharing of a random and secret value
2. Find (n, t)-sharing of each intermediate value
Linear gates: Linearity of Shamir Sharing - Non-Interactive
Non-linear gate: Require degree-reduction Technique. Interactive
Reduction to two reconstructions
>> Raw Material: (n,t)-sharing of three values (a,b,c), s.t. a,b,c are random and secret and c = ab
3. Open output by Reconstruction algorithm
Input Sharing Using One Reconstruction
[Figure: P1, P2, P3, …, Pn send their shares r1, r2, r3, …, rn of r to Pi, who holds input x and applies reconstruction (Lagrange’s Interpolation) to obtain r]
[Figure: Pi sends x + r to P1, P2, P3, …, Pn; each Pj computes (x + r) - rj]
Communication Complexity = O(cI n) |Fp| bits
Beaver’s Circuit-randomization Technique for Multiplication
Don Beaver CRYPTO 91
[Figure: multiplication gate with inputs x, y in the example circuit; an Offline Oracle supplies a Multiplication Triple]
Multiplication Triple: (a, b, ab)
Ex: (1, 1, 1), (1, 6, 6), (5, 2, 10)
• Random and Private a, b
• Independent of the multiplication gate
• Two reconstructions
• Linear operations
Beaver’s Circuit Randomization Technique
α = x-a, β = y-b
xy = ((x-a)+a)((y-b)+b) = (α + a)(β + b) = ab + αb + βa + αβ
>> Write xy as linear combination of ab, a, b where the combiners will be publicly known and do not leak any information about x and y.
>> We can combine sharing of ab, a, b using the combiners to get sharing of xy
[Figure: each Pi holds shares xi, yi of x, y and shares ai, bi, ci of the triple a, b, c; Pi locally computes xi - ai and yi - bi]
Reconstruct α = x-a and β = y-b
Beaver’s Circuit Randomization Technique
α = x-a, β = y-b, xy = ((x-a)+a)((y-b)+b) = (α + a)(β + b) = ab + αb + βa + αβ
[Figure: each Pi holds xi, yi, ai, bi, ci and locally computes its share of xy]
P1: c1 + αb1 + βa1 + αβ
P2: c2 + αb2 + βa2 + αβ
P3: c3 + αb3 + βa3 + αβ
Pn: cn + αbn + βan + αβ
Secure Circuit Evaluation Using Beaver Circuit Randomization
• Let cM be the number of multiplication gates in the circuit
• Ask triple-oracle for cM multiplication triples
[Figure: example circuit with inputs x1, x2, x3, x4 = 2, 2, 2, 2 and the value 3; multiplication triples (5, 2, 10), (2, 2, 4), (1, 0, 0); wire values shown: 4, 4, 16]
Beaver’s Trick- Offline-online Paradigm
Offline Phase: Sitting Idle, Generate as many shared triples as possible---raw data
Online Phase: Use the raw data for circuit evaluation.
Triple generation is parallelizable: efficiency (amortization)
On the contrary, multiplication gates cannot be evaluated in parallel
Reconstruction of Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries
[Figure: P1, P2, P3, …, Pn send their shares x1, x2, x3, …, xn to Pi, who applies Lagrange’s Interpolation]
The same is done for all Pi
Communication Complexity (CC): O(n^2)
Efficient Reconstruction of (n,t)- Shamir for Semi-honest Adversaries
>> Can we do better?
O(n) Easy
……Because we are assuming semi-honest adversaries.
[Figure: P1, P2, P3, …, Pn send their shares x1, x2, x3, …, xn to P1; P1 reconstructs x and sends x to P1, P2, P3, …, Pn]
Online Complexity
How efficiently can we reconstruct a shared secret?
Reconstruction cost of one shared secret = Cost Per Multiplication / Input / Output (asymptotically)
Online Complexity = O(cI n + cM n + cO n) |Fp| bits
Offline Complexity
Generation of (cM + cI) shared, random, secret multiplication triples (a, b, c)
> a,b,c are secret shared using LSSS
> a, b, c random and secret
> c = ab
>> Task 1: Generation of Secret Sharing.
>> Task 2: Generation of Secret Sharing where the secret is random and secret- different from the previous task
>> Task 3: Generation of Sharing of random, secret, multiplication triple
✓ CC of Task 1: O(n)
Generation of Sharing for random secret
>> Each party Shamir-shares a random value
[Figure: P1, P2, P3, …, Pn share random values a1, a2, a3, …, an]
>> Pick any sharing- does this work?
>> Randomness extractor on (a1, …, an)
>> Simplest Randomness Extractor: Addition
a1+a2+…..+an
>> Sharing of a value that is random and secret
>> Inefficient: n-t random and secret values among a’s but we had extracted just one.
Efficient Randomness Extractor
[Figure: P1, P2, P3, …, Pn with values a1, a2, a3, …, an]
>> Assume a1,….an are n points of a polynomial of degree n-1, f(x): f(1) = a1, …, f(n) = an
>> t out of a1,….an are known to adversary and may be non-random
(n-t) points are randomly chosen and t points may be non-random and known to the adv.
>> Consider any (n-t) points on f(x) at x that are different from {1,..n}, say f(n+1), ……f(n+n-t)
>> These are all random
Efficient Randomness Extractor
f_(a1,…,at): F^(n-t) → F^(n-t)
>> Choose (n-t) points at random
>> Use n points to define a poly f(x) of degree at most n-1.
>> Evaluate f(x) at n+1, …, (n+n-t)
>> The mapping is a bijection.
>> Since we have uniform distribution in the domain (uniform over F^(n-t)), we get the same on the range.
Efficient Randomness Extractor
[Figure: P1, P2, P3, …, Pn with values a1, a2, a3, …, an and new values an+1, an+2, an+3, …, a2n-t]
>> Assume a1,….an are n points of a polynomial of degree n-1, f(x): f(1) = a1, …, f(n) = an
>> f(n+1), ……f(n+n-t) are random: f(n+1) = an+1, …, f(2n-t) = a2n-t
>> We need to find Shamir-sharing of an+1, ….., a2n-t
>> Just Local computation: Lagrange’s Magic formula
Efficient Randomness Extractor
How many random values have we extracted? n-t
Amortized CC of generating one sharing of a random secret value is (Task 2): O(n)
Offline Complexity
✓ CC of Task 1: O(n)
✓ CC of Task 2: O(n)
Generating Sharing of Multiplication Triple
[Figure: P1, P2, P3, …, Pn hold shares a1, a2, a3, …, an of a and b1, b2, b3, …, bn of b: Sharing of random and secret values]
Multiplication Protocol on the sharings of a and b gives a sharing of ab
CC: O(n^2)
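The Beaver slides and this triple-generation slide together, as an added Python example (not code from the lecture): the offline phase builds a shared triple with the degree-reduction multiplication protocol (recombination vector), and the online phase multiplies with two reconstructions and local linear operations. The field modulus, n = 5, t = 2 and all function names are assumptions, and the random a, b are dealt centrally here as a stand-in for the parties' own random sharings.

```python
import random
from math import prod

P = 2**61 - 1            # prime field modulus (assumed for the example)
N, T = 5, 2              # n parties, threshold t, n = 2t+1 (honest majority)
PTS = range(1, N + 1)    # party P_i holds the polynomial's value at point i

def share(secret):
    """Shamir shares f(1..N) of a random degree-T polynomial with f(0) = secret."""
    co = [secret] + [random.randrange(P) for _ in range(T)]
    return [sum(c * pow(i, k, P) for k, c in enumerate(co)) % P for i in PTS]

def recombination_vector(xs):
    """(r_1..r_m) with g(0) = sum r_i * g(x_i) for every g of degree < m."""
    return [prod(-j for j in xs if j != i) *
            pow(prod(i - j for j in xs if j != i) % P, -1, P) % P for i in xs]

def reconstruct(shares, xs=PTS):
    """Open the shared secret from the shares held at points xs."""
    return sum(r * s for r, s in zip(recombination_vector(xs), shares)) % P

def mult_degree_reduction(x_sh, y_sh):
    """Each P_i Shamir-shares z_i = x_i*y_i (a point on the degree-2t product
    polynomial); P_j outputs sum_i r_i * (its share of z_i), a t-sharing of xy."""
    r = recombination_vector(PTS)
    sub = [share(x * y % P) for x, y in zip(x_sh, y_sh)]  # sub[i][j]: P_j's share of z_i
    return [sum(ri * row[j] for ri, row in zip(r, sub)) % P for j in range(N)]

def offline_triple():
    """Offline phase: sharings of random a, b and of c = ab (O(n^2) per triple).
    Simplification: a and b are dealt centrally instead of by the parties."""
    a, b = share(random.randrange(P)), share(random.randrange(P))
    return a, b, mult_degree_reduction(a, b)

def beaver_mult(x_sh, y_sh, triple):
    """Online phase: open alpha = x-a and beta = y-b, then combine locally."""
    a, b, c = triple
    alpha = reconstruct([(x - ai) % P for x, ai in zip(x_sh, a)])  # public
    beta = reconstruct([(y - bi) % P for y, bi in zip(y_sh, b)])   # public
    return [(ci + alpha * bi + beta * ai + alpha * beta) % P
            for ai, bi, ci in zip(a, b, c)]

if __name__ == "__main__":
    z = beaver_mult(share(5), share(9), offline_triple())
    print(reconstruct(z[:T + 1], PTS[:T + 1]))   # 45, opened from only t+1 shares
```

The online step touches the triple only through linear operations, so its communication is the two openings of α and β.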
Offline Complexity
✓ CC of Task 1: O(n)
✓ CC of Task 2: O(n)
✓ CC of Task 3: O(n^2) (Multiplication Protocol)
Offline CC: O(n^2 cM + n cI) |F| bits.
Complexity
Offline complexity: O(cM n^2 + n cI) |F| bits.
Online Complexity: O(cI n + cM n + cO n) |Fp| bits
Total Complexity: O(cI n + cM n^2 + cO n) |Fp| bits
Is there a way to generate triple sharing with O(n) complexity?
Yes with n>=3t+1 perfect security (active adversary)
Yes but with statistical security!
Secure Circuit Evaluation
1. (n, t)-secret share each input
Reduction to one reconstruction
>> Raw Material: (n,t)-Shamir sharing of a random value
2. Find (n, t)-sharing of each intermediate value
Linear gates: Linearity of Shamir Sharing - Non-Interactive
Non-linear gate: Require degree-reduction Technique. Interactive
Reduction to one reconstruction
>> Raw Material: (n,2t)-sharing and (n,t)-sharing of a random value
3. Open output by Reconstruction algorithm
How to use Raw data for Multiplication
[Figure: each Pi holds shares xi, yi of x, y, its (n,t)-share ai of a and its (n,2t)-share Ai of a; Pi locally computes xiyi - Ai]
Reconstruct xy-a. No security breach since xy is blinded with random a
Each Pi then computes ai + (xy-a), its share of xy
Online Complexity = O(cI n + cM n + cO n) |Fp| bits
Offline Complexity
Generation of (cM + cI), (n,(2t,t))-secret sharing of random and secret values
> a is (n,2t)-shared and (n,t)-shared
> a random and secret
>> Task 1: Generation of (n,2t) and (n,t)-secret Sharing.
>> Task 2: Generation of Secret Sharing where the secret is random and secret- different from the previous task
✓ CC of Task 1: O(n)
✓ CC of Task 2: O(n) (amortized)
Efficient Randomness Extractor
[Figure: P1, P2, P3, …, Pn with values a1, a2, a3, …, an and new values an+1, an+2, an+3, …, a2n-t]
>> Assume a1,….an are n points of a polynomial of degree n-1, f(x): f(1) = a1, …, f(n) = an
>> f(n+1), ……f(2n-t) are random: f(n+1) = an+1, …, f(2n-t) = a2n-t
How many random values have we extracted? n-t
Amortized CC of generating one sharing of a random secret value is (Task 2): O(n)
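The randomness extractor and the "How to use Raw data for Multiplication" slide combined, as an added Python example (not code from the lecture): every party deals one random value, n-t double sharings are extracted by local Lagrange combinations, and one of them drives a multiplication with a single reconstruction. It assumes the extractor is applied to both the degree-t and degree-2t sharings of each dealt value; the field modulus, n = 5, t = 2 and all function names are assumptions.

```python
import random
from math import prod

P = 2**61 - 1                  # prime field modulus (assumed for the example)
N, T = 5, 2                    # n = 2t+1 parties
PTS = list(range(1, N + 1))    # party P_i holds the polynomial's value at point i

def share(secret, deg):
    """Shares g(1..N) of a random degree-`deg` polynomial with g(0) = secret."""
    co = [secret] + [random.randrange(P) for _ in range(deg)]
    return [sum(c * pow(i, k, P) for k, c in enumerate(co)) % P for i in PTS]

def lagrange(xs, x0):
    """Coefficients l_i with g(x0) = sum l_i * g(x_i) for any g of degree < len(xs)."""
    return [prod(x0 - j for j in xs if j != i) *
            pow(prod(i - j for j in xs if j != i) % P, -1, P) % P for i in xs]

def reconstruct(shares, xs=PTS):
    """Open g(0) from the shares held at points xs."""
    return sum(l * s for l, s in zip(lagrange(xs, 0), shares)) % P

def extract(contrib):
    """contrib[i][j] is P_{j+1}'s share of a_{i+1}. With f the degree-(n-1)
    polynomial through f(i) = a_i, returns sharings of f(n+1), ..., f(2n-t).
    Each party only combines its own shares: no communication."""
    out = []
    for k in range(1, N - T + 1):
        lam = lagrange(PTS, N + k)      # public coefficients for f(n+k)
        out.append([sum(l * row[j] for l, row in zip(lam, contrib)) % P
                    for j in range(N)])
    return out

def offline_double_sharings():
    """Every party deals (n,t)- and (n,2t)-sharings of one random a_i;
    extraction turns the n dealt values into n-t random double sharings."""
    secrets = [random.randrange(P) for _ in range(N)]
    low = extract([share(a, T) for a in secrets])
    high = extract([share(a, 2 * T) for a in secrets])
    return list(zip(low, high))

def multiply(x_sh, y_sh, double):
    """Online: open xy - a from degree-2t shares, then add it to the t-shares of a."""
    a_t, a_2t = double
    masked = [(x * y - A) % P for x, y, A in zip(x_sh, y_sh, a_2t)]
    opened = reconstruct(masked)        # public value xy - a, blinded by a
    return [(opened + a) % P for a in a_t]
```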
Complexity- Linear Overhead MPC
Offline complexity: O(n cM + n cI) |F| bits.
Total Complexity: O(cI n + cM n + cO n) |Fp| bits
Online Complexity: O(cI n + cM n + cO n) |Fp| bits
First CT Topic:
>> Various possible raw data
>> Ways of generating them.
Computationally Secure Protocol in Honest Majority Settings
>> A1: Secure channel model relaxation.
>> A2: Constant Round protocol possible
CT Topic 2: [CDN01] Multiparty Computation from Threshold Homomorphic Encryption [Link: http://eprint.iacr.org/2000/055.pdf]
First protocol to present O(n) overhead MPC with n>=2t+1 (active)
After 12 looooooong years: First protocol with O(n) overhead MPC with n>=2t+1 in i.t. setting [BFO12] (active).