Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lower bounds for Unconditionally Secure MPC Ivan Damgård Jesper Buus Nielsen Antigoni Polychroniadou Aarhus University.

Published byJason Lawrence Modified over 7 years ago

Similar presentations

Presentation on theme: "Lower bounds for Unconditionally Secure MPC Ivan Damgård Jesper Buus Nielsen Antigoni Polychroniadou Aarhus University."— Presentation transcript:

1 Lower bounds for Unconditionally Secure MPC Ivan Damgård Jesper Buus Nielsen Antigoni Polychroniadou Aarhus University.

2 Unconditionally Secure MPC Protocols (GMW, SPDZ,..) They are great: Computationally much more efficient than, say, FHE based stuff. But they’re not so great: They need lots of interaction Rounds: Ω(CircuitDepth) Communication: Ω(n CircuitSize) - If you want to be efficient in the circuit size

3 The Really Hard Problem Can we improve this significantly? The FHE of unconditional security? We don’t know, but we have some partial answers..

4 Message Complexity How many messages do you need to send to compute a non-trivial function securely? (such as the AND of one bit from each player). Related to, but not the same as round complexity. If protocol sometimes but not always sends a message in given time slot, should we always charge for that time slot? (the absence of a message is also a signal). We will only charge the protocol for messages actually sent (lower bounds are stronger this way).

5 The Result n players, t semi-honest corruptions: must send Ω(nt) messages (stay tuned for more precise version) In particular, n=3, t=1, compute the AND of 3 input bits: 6 messages are necessary. Also sufficient (based on PSM [IK97]).

6 Intuition for lower bound Any player must communicate with at least t+1 players before his input becomes determined... and must later receive another message to be able to compute the result. So for each player we count (t+1)+2 sends or receives, hence at least n(t+3)/2 messages. Can be formalized, resulting in almost this: ceiling(n(t+3)-1)/2) This is exactly tight for t=1 and functions in det. log- space (positive result based on PSM).

7 What about number of rounds? Seems hard in general, but let’s see if some of the players can be lazy: get away with only 1 round. n=3t+1 players, t malicious corruptions. Can construct general protocol where up to t players can be lazy. At most t players can be lazy. Similar result for semi-honest - follows from message complexity bound.

8 Gate by Gate Protocols Bounding communication and rounds needed in general seems hard. But maybe we can bound it for the gate-by-gate protocols we use all the time. Known protocols: in the worst case, communication is Ω(n CircuitSize), rounds Ω(CircuitDepth). Question: is this optimal for gate-by-gate protocols (both honest majority and dishonest majority with preprocessing)?

9 Warm-up: Honest Majority A gate-by-gate protocol is one that handles a multiplication gate using a multiplication gate protocol: takes two sets of shares (of a and b in some field), returns shares of ab – perhaps in different secret sharing scheme, but same threshold t as for inputs. Further, revealing the output shares reveals nothing more than ab. Claim: any multiplication gate protocol must send at least t messages. If not, 2-party unconditionally secure protocol for computing the product would follow..

10 Alice a Bob b Shares of input Shares of ab

11 And so.. Any gate-by-gate protocol must (for a worst case circuit) have communication Ω(n CircuitSize), rounds Ω(CircuitDepth). But what if circuit is nice and allows many multiplications in parallel? We know optimizations using packed secret sharing....but only if number of players grows with number of parallel multiplications. OPEN: for a constant number of players, show that multiplication gate protocol for u multiplications must have communication Ω(u).

12 Solution for computational complexity Say n=2t+1, passive security. Assume mult.gate prot. that does u mults where some player P does o(u) local mults. Construct 2-party protocol for the preprocessing model: Alice emulates t players, Bob emulates another t, and we emulate P using preprocessed data and e.g. SPDZ. Can compute u products securely using o(u) preprocessed data. Contradiction with lower bounds by [Winkler and Wullschleger, Crypto 11]. Generalizes to show that packed SS methods are optimal up to constant factor.

13 Dishonest Majority, Preprocessing Previous argument that multiplication protocols need to communicate a lot breaks down. But we have lower bounds on the amount of preprocessed data (e.g. Winkler and Wullschleger). Can obtain same result as before: we show that a multiplication gate protocol that does not communicate enough implies a protocol that is too good to be true according to W&W.

14 Conclusion Even with preprocessing, gate-by-gate protocols require Ω(n CircuitSize) communication (and hence work) and Ω(CircuitDepth) rounds So to really improve GMW, SPDZ, TinyOT and the like, need a fundamentally different approach. Open: do these bounds hold for any protocol (with unconditional security and efficient in circuit size of function)? - Computation – I conjecture yes - Communication - ??

15 Thanks! Postdoc and PhD positions for studying theory and practice of MPC available in Aarhus (supported by ERC grant MPCPRO) – from October 1.

Download ppt "Lower bounds for Unconditionally Secure MPC Ivan Damgård Jesper Buus Nielsen Antigoni Polychroniadou Aarhus University."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.

1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.
The Complexity of Agreement A 100% Quantum-Free Talk Scott Aaronson MIT.

The Complexity of Agreement A 100% Quantum-Free Talk Scott Aaronson MIT.
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.

Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Circuit and Communication Complexity. Karchmer – Wigderson Games Given The communication game G f : Alice getss.t. f(x)=1 Bob getss.t. f(y)=0 Goal: Find.

Circuit and Communication Complexity. Karchmer – Wigderson Games Given The communication game G f : Alice getss.t. f(x)=1 Bob getss.t. f(y)=0 Goal: Find.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Locally Decodable Codes from Nice Subsets of Finite Fields and Prime Factors of Mersenne Numbers Kiran Kedlaya Sergey Yekhanin MIT Microsoft Research.

Locally Decodable Codes from Nice Subsets of Finite Fields and Prime Factors of Mersenne Numbers Kiran Kedlaya Sergey Yekhanin MIT Microsoft Research.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Uniqueness of Optimal Mod 3 Circuits for Parity Frederic Green Amitabha Roy Frederic Green Amitabha Roy Clark University Akamai Clark University Akamai.

Uniqueness of Optimal Mod 3 Circuits for Parity Frederic Green Amitabha Roy Frederic Green Amitabha Roy Clark University Akamai Clark University Akamai.
Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.

Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.

Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.
Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Similar presentations

Ads by Google