secure computation (lecture 7-8) arpita patra. recap >> (n,t)-secret sharing...

Secure Computation (Lecture 7-8)

Arpita Patra

Recap

>> (n,t)-Secret Sharing (Sharing/Reconstruction)

> Shamir Sharing

> Lagrange’s Interpolation for reconstruction (any point on a d-degree poly can be

written as the linear combination of (d+1) or more points on the polynomial)

> Security: For any secret, the t shares generate a uniform distribution over Ft

p

> Linearity (addition, multiplication by constant free)>> MPC for arithmetic circuit with semi-honest i.t security

> Honest majority

> The protocol

> Simulator

> Indistinguishability proof

Secure Circuit Evaluation

x1 x2 x3 x4

c

y

2 1 5 9

y

3



1. (n, t)- secret share each input

2 1 5 9

3


2 1 5 9

2. Find (n, t)-sharing of each intermediate value


3


3

2 1 5 9

3

48

144

45




2 1 5 9

3

48

Linear gates: Linearity of Shamir Sharing - Non-Interactive

144

45 3




2 1 5 9

3

48 Non-linear gate: Require degree-reduction Technique. Interactive

45

144

3




Secure Multiplication Gate Evaluation

x2

x3

xn

x1P1

P2

Pn

P3

y2

y3

yn

y1

x y

x1y1 = z1

x2y2 = z2

x3y3 =z3

xnyn = zn

xy

f(x) = f1 (x)f2 (x) of degree 2tf1 (x) f2 (x)

Recombination Vector (r1, …,rn)

where

Secure Multiplication Gate Evaluation

x2

x3

xn

x1P1

P2

Pn

P3

y2

y3

yn

y1

x y

x1y1 = z1

x2y2 = z2

x3y3 =z3

xnyn = zn

xy

z1

z2

z3

zn

Shamir-share

Shamir-share

Shamir-share

f1 (x) f2 (x)

Shamir-share

Recombination Vector (r1, …,rn)

r1z1 +..+rnzn

xy

f(x) = f1 (x)f2 (x) of degree 2t


2 1 5 9

3

48

45

1443. Reconstruct the Shamir-sharing of the output by exchanging shares with each other

3

Non-linear gate: Require degree-reduction Technique. Interactive




Correctness: Easy

Real World View of Adversary

3. Output Reconstruction: Shares of the honest parties corresponding to output y

2. Input-sharing and multiplication gate computation: t shares of input/product share of honest parties

1. At the outset: Input and random coins

{{ViewReali}Pi in C} – Random

Variable

3. Output Reconstruction: Given his shares of the output and output, adv can computes shares of the honest parties corresponding to output y (using Lagrange’s interpolation)

2. Input-sharing and multiplication gate computation: t values distributed uniformly at random from Ft

p (irrespective of what values is shared)

1. At the outset: Input

Leaks nothing beyond inputs /outputs of corrupted parties

Simulator and Indistinguisahbility

3. Output Reconstruction: Given the shares of the corrupted parties (which it knows) and y compute shares of the honest parties corresponding to output y and send them to the adv.

2. Input-sharing and multiplication gate computation: Sample t random shares and give to adv on behalf of the honest parties

1. At the outset: Input, output (of corrupted parties) and random coins

{{ViewIdeali}Pi in C} – Random

VariableGenerated using inputs /outputs of corrupted parties

Step 2 simulation is perfect: The t shares can be seen in both worlds with same probability

Step 3 simulation is perfect too!: Given t shares of corrupted parties and y, the shares of the honest parties are unique in both the worlds.

Efficiency

4. Output Reconstruction: O(n) |Fp| bits

2. Addition Gate: NIL

1. Input: O(n) |Fp| bits

Communication Complexity: O(cI n + cM n2 + cO n2) |Fp| bits

3. Multiplication gate computation: O(n2) |Fp| bits

No. of Input Gate: cI

No. Addition Gates: cA

No. Multiplication Gates: cM

No. Output Gates: cO

Goal: O(cI n + cM n + cO n) |Fp| bits

Round Complexity: O(d); d = multiplicative depth of the circuit

Goal: Constant? Yes (restricted class of circuits/exponential computation: two papers)

In computational setting it is possible for any function with poly power

Offline/Online Paradigm

>> Online Phase:

>> Offline Phase:

No knowledge of inputs and function to be computed is needed

Create Shamir sharings where the secrets are “related” in some way

Is not expected to be very efficient

Use the the raw material created in offline phase to compute the agreed function on the parties private inputs.

Expected to be blazing fast

Will use sharing of secrets as well.

Will use only secret reconstruction

>> Communication Complexity: Offline + Online Complexity


3. Open output by Reconstruction algorithm





Reduction to two reconstructions

Reduction to one reconstruction

>> Raw Material: (n,t)-shamir sharing of a random and secret value

>> Raw Material: (n,t)-sharing of three values (a,b,c), s.t.a,b,c are random and secret and c = ab

Input Sharing Using One Reconstruction

r2

r3

rn

r1 P1

P2

Pn

P3

rPi

Apply reconstruction(Lagrange’s Interpolation)

x

Input Sharing Using One Reconstruction

P1

P2

Pn

P3

x + rPi x + r

r2

r3

rn

r1

x + rx + r

-

-

-

-

Communication Complexity = : O(cI n) |Fp| bits

3

2 1 5 9

3

Don Beaver CRYPTO 91

Beaver’s Circuit-randomization Technique for Multiplication

3

2 1 5 9

3

a b ab

Multiplication Triple


Offline Oracle

3

2 1 5 9

3

1 1 1


Ex:


3

2 1 5 9

3

1 6 6


Ex:


3

2 1 5 9

3

5 2 10


Ex:


3

2 1 5 9

3

a b ab



3

2 1 5 9

3

a b ab

• Random and Private a, b



3

2 1 x y

3

a b ab

• Two reconstructions

• Linear operations

• Random and Private a, b• Independent of the multiplication gate


Beaver’s Circuit Randomization Technique

xy = ((x-a) +a)((y-b)+b) = (α + a)(β + b) = ab + α b + β a + α β

α = x-a β = y-b

xy b ab= + α a+ β + α β

>> Write xy as linear combination of ab, a, b where the combiners will be publicly known and do not leak any information about x and y.

>> We can combine sharing of ab, a, b using the combiners to get sharing of xy

x

x2

x3


P1

P2

P3

Pn xn

b1

b2

b3

bn

x1

b x-a y

y2

y3

yn

y1

a1

a2

a3

an

a

c1

c2

c3

cn

c

x1-a1

x2-a2

x3-a3

xn-an

y-b

y1-b1

y2-b2

y3-b3

yn-bn

α = x-a

β = y-b

Reconstruct

x

x2

x3


P1

P2

P3

Pn xn

b1

b2

b3

bn

x1

b xy y

y2

y3

yn

y1

a1

a2

a3

an

a

c1

c2

c3

cn

c

c1 + α b1 + β a1 + α β

α = x-a β = y-b xy = ((x-a) +a)((y-b)+b) = (α + a)(β + b) = ab + α b + β a + α β

c2 + α b2 + β a2 + α β

c3 + α b3 + β a3 + α β

cn + α bn + β an + α β

• Let cM be the number of multiplication gates in the circuit

3

x1 x2 x3 x4

Secure Circuit Evaluation Using Beaver Circuit Randomization


3

x1 x2 x3 x4


• Ask triple-oracle for cM multiplication triples

3

x1 x2 x3 x4 5 2 10

2 2 4

1 0 0



• Ask triple-oracle for cM multiplication triples

3

5 2 10

2 2 4

2 2 2 2

1 0 0



3

2 2 2 2

5 2 10

2 2 4

1 0 0

4

5 2 10

2 2 4

1 0 0


3

2 2 2 2

4


3

2 2 2 2

2 2 4

1 0 0

4

5 2 10

4


3

2 2 2 2

1 0 0

4

5 2 10

4 2 2 4


3

2 2 2 2

1 0 0

4

5 2 10

4 2 2 4

16


5 2 10

2 2 4

1 0 0

3

2 2 2 2

4 4

16

Beaver’s Trick- Offline-online Paradigm

Triple generation parallelizable efficiency (amortization)

Offline Phase: Sitting Idle, Generate as many shared triples as possible---raw data

Online Phase: Use the raw data for circuit evaluation.

On the contrary, multiplications gates can not be evaluated in parallel

Reconstruction of Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries

x2

x3

xn

x1P1

P2

Pn

P3

Pi

The same is done for all Pi Communication Complexity (CC): O(n2)

Lagrange’s Interpolation

Efficient Reconstruction of (n,t)- Shamir for Semi-honest Adversaries

>> Can we do better?

O(n) Easy

……Because we are assuming semi-honest adversaries.

Online Complexity = : O(cI n + cM n + cO n) |Fp| bits

x2

x3

xn

x1P1

P2

Pn

P3

P1 x

P1

P2

Pn

P3

xxxx

Online Complexity

How efficiently can we reconstruct a shared secret?s

Reconstruction cost of one shared secret = Cost Per Multiplication / Input / Output (asymptotically)

Offline Complexity

>> Task 1: Generation of Secret Sharing.

> a,b,c are secret shared using LSSS > a, b, c random and secret > c = ab

a

b

c

Generation of (cM + cI) shared, random, secret multiplication triples

>> Task 2: Generation of Secret Sharing where the secret is random and secret- different from the previous task

>> Task 3: Generation of Sharing of random, secret, multiplication triple

✓

CC of Task 1: O(n)

>> Each party Shamir share a random value

a1

a2

a3

Generation of Sharing for random secret

P1

P2

P3

Pn an

>> Pick any sharing- does this work?

>> Randomness extractor on (a1, …..an )

>> Simplest Randomness Extractor: Addition

a1+a2+…..+an

>> Sharing of a value that is random and secret>> Inefficient: n-t random and secret values among a’s but we had extracted just one.

a1

a2

a3

Efficient Randomness Extractor

P1

P2

P3

Pn an

>> Assume a1,….an are n points of a polynomial of degree n-1, f(x)

>> These are all random

>> t out of a1,….an are known to adversary and may be non-random

(n-t) points are randomly chosen and t points may be non-random and known to the adv.

>> Consider any (n-t) points on f(x) at x that are different from {1,..n,}, say f(n+1), ……f(n+n-t)

f(1) = a1

.

. f(n) = an


f(a1,….at): Fn-t Fn-t >> Choose (n-t) points at random>> Use n points to define a poly f(x) of degree at most n-1.>> Evaluate f(x) at n+1,…(n+n-t)

>> The mapping is a bijection.>> Since we have uniform distribution in the domain (uniform over Fn-

t), we get the same on the range.

a1

a2

a3


P1

P2

P3

Pn an


>> f(n+1), ……f(n+n-t) are random.

f(1) = a1

.

. f(n) = an

f(n+1) = an+1

.

. f(2n-t) = a2n –t

an+1

an+2

an+3

a2n-t

>> We need to find Shamir-sharing of an+1 ,….., a2n-t

>> Just Local computation: Lagrange’s Magic formula

a1

a2

a3


P1

P2

P3

Pn an


>> f(n+1), ……f(2n-t) are random.

f(1) = a1

.

. f(n) = an

f(n+1) = an+1

.

. f(2n-t) = a2n –t

an+1

an+2

an+3

a2n-t How many random values have we extracted? n-t

Amortized CC of generating one sharing of a random secret value is (Task 2): O(n)

Offline Complexity



a

b

c




✓

CC of Task 1: O(n)

✓

CC of Task 2: O(n)

a

a2

a3

Generating Sharing of Multiplication Triple

P1

P2

P3

Pn an

b1

b2

b3

bn

Sharing of random and secret values

a1

b ab

Multiplication Protocol

CC: O(n2)

Offline Complexity



a

b

c




✓

CC of Task 1: O(n)

✓

CC of Task 2: O(n)

Multiplication ProtocolCC of Task 3: O(n2)

✓

Offline CC: O(n2 cM + n cI) |F| bits.

Complexity

Offline complexity: O( cM n2 + n cI) |F| bits.

Total Complexity: O(cI n + cM n2 + cO n) |Fp| bits

Online Complexity: O(cI n + cM n + cO n) |Fp| bits

Is there a way to generate triple sharing with O(n) complexity?

Yes with n>=3t+1 perfect security (active adversary)

Yes but with statistical security!


3. Open output by Reconstruction algorithm







>> Raw Material: (n,t)-shamir sharing of a random value

>> Raw Material: (n,2t)-sharing and (n,t)-sharing of a random value

x

x2

x3

How to use Raw data for Multiplication

P1

P2

P3

Pn xn

a1

a2

a3

an

x1

a xy-a

y

y2

y3

yn

y1

A1

A2

A3

An

a

x1y1-A1

x2y2-A2

x3y3-A3

xnyn-An

Reconstruct xy-a No security breach since xy is blinded with random a

+ xy-a

+ xy-a

+ xy-a

+ xy-a

xy

Online Complexity = : O(cI n + cM n + cO n) |Fp| bits

Offline Complexity

>> Task 1: Generation of (n,2t) and (n,t)-secret Sharing.

> a is (n,2t)-shared and (n,t)-shared > a random and secret

a a

Generation of (cM + cI), (n,(2t,t))-secret sharing of random and secret values


✓

CC of Task 1: O(n)

✓

CC of Task 2: O(n) (amortized)

a1

a2

a3


P1

P2

P3

Pn an


>> f(n+1), ……f(2n-t) are random.

f(1) = a1

.

. f(n) = an

f(n+1) = an+1

.

. f(2n-t) = a2n –t

an+1

an+2

an+3

a2n-t How many random values have we extracted? n-t

Amortized CC of generating one sharing of a random secret value is (Task 2): O(n)

Complexity- Linear Overhead MPC

Offline complexity: O(n cM + n cI) |F| bits.

Total Complexity: O(cI n + cM n + cO n) |Fp| bits

Online Complexity: O(cI n + cM n + cO n) |Fp| bits

First CT Topic:

>> Various possible raw data >> Ways of generating them.

Computationally Secure Protocol in Honest Majority Settings

>> A1: Secure channel model relaxation.

>> A2: Constant Round protocol possible

CT Topic 2: [CDN01] Multiparty Computation from Threshold Homomorphic Encryption [Link: http://eprint.iacr.org/2000/055.pdf]

First protocol to present O(n) overhead MPC with n>=2t+1 (active)

After 12 looooooong years: First protocol with O(n) overhead MPC with n>=2t+1 in i.t. setting [BFO12] (active).

secure computation (lecture 7-8) arpita patra. recap >> (n,t)-secret sharing...

Documents