Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.


1 Secure Computation (Lecture 7-8) Arpita Patra

2 Recap
>> (n,t)-Secret Sharing (Sharing/Reconstruction)
> Shamir Sharing
> Lagrange's Interpolation for reconstruction (any point on a d-degree polynomial can be written as a linear combination of (d+1) or more points on the polynomial)
> Security: for any secret, the t shares generate a uniform distribution over F_p^t
> Linearity (addition, multiplication by constant free)
>> MPC for arithmetic circuit with semi-honest i.t. security
> Honest majority
> The protocol
> Simulator
> Indistinguishability proof

3 Secure Circuit Evaluation
[Figure: arithmetic circuit with inputs x1, x2, x3, x4, a constant c, and output y]

4 [Figure: the circuit with example inputs 2, 1, 5, 9, constant 3, and output y]

5 1. (n, t)-secret share each input
[Figure: the circuit with inputs 2, 1, 5, 9 and constant 3]

6 Secure Circuit Evaluation
1. (n, t)-secret share each input
2. Find (n, t)-sharing of each intermediate value
[Figure: the circuit with inputs 2, 1, 5, 9 and constant 3]

7 Secure Circuit Evaluation
1. (n, t)-secret share each input
2. Find (n, t)-sharing of each intermediate value
[Figure: the circuit with inputs 2, 1, 5, 9, constant 3, and wire values 3, 48, 144, 45]

8 Secure Circuit Evaluation
1. (n, t)-secret share each input
2. Find (n, t)-sharing of each intermediate value
Linear gates: linearity of Shamir sharing, non-interactive
[Figure: the circuit with inputs 2, 1, 5, 9, constant 3, and wire values 3, 48, 144, 45]

9 Secure Circuit Evaluation
1. (n, t)-secret share each input
2. Find (n, t)-sharing of each intermediate value
Linear gates: linearity of Shamir sharing, non-interactive
Non-linear gate: requires a degree-reduction technique, interactive
[Figure: the circuit with inputs 2, 1, 5, 9, constant 3, and wire values 3, 48, 45, 144]

10 Secure Multiplication Gate Evaluation
[Figure: parties P1, P2, P3, …, Pn; Pi holds the shares x_i and y_i of x and y, which lie on polynomials f_1(x) and f_2(x)]
Local products: x_1·y_1 = z_1, x_2·y_2 = z_2, x_3·y_3 = z_3, …, x_n·y_n = z_n
xy: f(x) = f_1(x)·f_2(x) of degree 2t
Recombination vector (r_1, …, r_n) where

11 Secure Multiplication Gate Evaluation
[Figure: parties P1, P2, P3, …, Pn; Pi holds the shares x_i and y_i of x and y, which lie on polynomials f_1(x) and f_2(x)]
Local products: x_1·y_1 = z_1, x_2·y_2 = z_2, x_3·y_3 = z_3, …, x_n·y_n = z_n
xy: f(x) = f_1(x)·f_2(x) of degree 2t
Each Pi Shamir-shares its z_i: z_1, z_2, z_3, …, z_n
Recombination vector (r_1, …, r_n): xy = r_1 z_1 + … + r_n z_n

12 Secure Circuit Evaluation
1. (n, t)-secret share each input
2. Find (n, t)-sharing of each intermediate value
Linear gates: linearity of Shamir sharing, non-interactive
Non-linear gate: requires a degree-reduction technique, interactive
3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other
Correctness: Easy
[Figure: the circuit with inputs 2, 1, 5, 9, constant 3, and wire values 3, 48, 45, 144]

13 Real World View of Adversary
{View^Real_i}_{Pi in C}: random variable
1. At the outset: input and random coins
2. Input-sharing and multiplication gate computation: t shares of the input/product shares of honest parties
3. Output reconstruction: shares of the honest parties corresponding to output y

1. At the outset: input
2. Input-sharing and multiplication gate computation: t values distributed uniformly at random from F_p^t (irrespective of what value is shared)
3. Output reconstruction: given his shares of the output and the output, the adv can compute the shares of the honest parties corresponding to output y (using Lagrange's interpolation)
Leaks nothing beyond inputs/outputs of corrupted parties

14 Simulator and Indistinguishability
{View^Ideal_i}_{Pi in C}: random variable, generated using inputs/outputs of corrupted parties
1. At the outset: input, output (of corrupted parties) and random coins
2. Input-sharing and multiplication gate computation: sample t random shares and give them to the adv on behalf of the honest parties
3. Output reconstruction: given the shares of the corrupted parties (which it knows) and y, compute the shares of the honest parties corresponding to output y and send them to the adv
Step 2 simulation is perfect: the t shares can be seen in both worlds with the same probability
Step 3 simulation is perfect too!: given the t shares of the corrupted parties and y, the shares of the honest parties are unique in both worlds

15 Efficiency
No. of input gates: c_I; no. of addition gates: c_A; no. of multiplication gates: c_M; no. of output gates: c_O
1. Input: O(n) |F_p| bits
2. Addition gate: NIL
3. Multiplication gate computation: O(n^2) |F_p| bits
4. Output reconstruction: O(n) |F_p| bits
Communication complexity: O(c_I n + c_M n^2 + c_O n^2) |F_p| bits
Goal: O(c_I n + c_M n + c_O n) |F_p| bits
Round complexity: O(d); d = multiplicative depth of the circuit
Goal: Constant? Yes (restricted class of circuits/exponential computation: two papers). In the computational setting it is possible for any function with poly power

16 Offline/Online Paradigm
>> Offline Phase:
> No knowledge of inputs and function to be computed is needed
> Create Shamir sharings where the secrets are "related" in some way
> Is not expected to be very efficient
> Will use sharing of secrets as well
>> Online Phase:
> Use the raw material created in the offline phase to compute the agreed function on the parties' private inputs
> Expected to be blazing fast
> Will use only secret reconstruction
>> Communication Complexity: Offline + Online Complexity

17 Secure Circuit Evaluation
1. (n, t)-secret share each input
Reduction to one reconstruction
>> Raw Material: (n,t)-Shamir sharing of a random and secret value
2. Find (n, t)-sharing of each intermediate value
Linear gates: linearity of Shamir sharing, non-interactive
Non-linear gate: requires a degree-reduction technique, interactive
Reduction to two reconstructions
>> Raw Material: (n,t)-sharing of three values (a, b, c), s.t. a, b, c are random and secret and c = ab
3. Open output by Reconstruction algorithm

18 Input Sharing Using One Reconstruction
[Figure: parties P1, P2, P3, …, Pn send their shares r_1, r_2, r_3, …, r_n of r to the input owner Pi, who holds x]
Pi: apply reconstruction (Lagrange's Interpolation) to get r

19 Input Sharing Using One Reconstruction
[Figure: Pi sends x + r to P1, P2, P3, …, Pn; each party subtracts its share r_1, r_2, r_3, …, r_n from x + r]
Communication Complexity: O(c_I n) |F_p| bits

20 Beaver's Circuit-randomization Technique for Multiplication
Don Beaver, CRYPTO 91
[Figure: the circuit with inputs 2, 1, 5, 9 and constant 3]

21 Beaver's Circuit-randomization Technique for Multiplication
Offline Oracle: Multiplication Triple (a, b, a·b)
[Figure: the circuit with inputs 2, 1, 5, 9 and constant 3]

22 Beaver's Circuit-randomization Technique for Multiplication
Multiplication Triple, Ex: (1, 1, 1)

23 Beaver's Circuit-randomization Technique for Multiplication
Multiplication Triple, Ex: (1, 6, 6)

24 Beaver's Circuit-randomization Technique for Multiplication
Multiplication Triple, Ex: (5, 2, 10)

25 Beaver's Circuit-randomization Technique for Multiplication
Multiplication Triple (a, b, a·b)

26 Beaver's Circuit-randomization Technique for Multiplication
Multiplication Triple (a, b, a·b)
Random and private a, b

27 Beaver's Circuit-randomization Technique for Multiplication
[Figure: multiplication gate with inputs x, y and triple (a, b, a·b)]
Random and private a, b
Independent of the multiplication gate
Two reconstructions
Linear operations

28 Beaver's Circuit Randomization Technique
xy = ((x-a) + a)((y-b) + b) = (α + a)(β + b) = ab + αb + βa + αβ, where α = x-a and β = y-b
On sharings: xy = ab + α·b + β·a + αβ
>> Write xy as a linear combination of a·b, a, b where the combiners will be publicly known and do not leak any information about x and y.
>> We can combine the sharings of a·b, a, b using the combiners to get a sharing of xy

29 Beaver's Circuit Randomization Technique
[Figure: parties P1, P2, P3, …, Pn; Pi holds the shares x_i, y_i, a_i, b_i, c_i of x, y, a, b, c]
Each Pi computes x_i - a_i (a share of x-a) and y_i - b_i (a share of y-b)
Reconstruct α = x-a and β = y-b

30 Beaver's Circuit Randomization Technique
[Figure: parties P1, P2, P3, …, Pn; Pi holds the shares x_i, y_i, a_i, b_i, c_i of x, y, a, b, c]
α = x-a, β = y-b
xy = ((x-a) + a)((y-b) + b) = (α + a)(β + b) = ab + αb + βa + αβ
Shares of xy: c_1 + α b_1 + β a_1 + αβ, c_2 + α b_2 + β a_2 + αβ, c_3 + α b_3 + β a_3 + αβ, …, c_n + α b_n + β a_n + αβ

31 Secure Circuit Evaluation Using Beaver Circuit Randomization
Let c_M be the number of multiplication gates in the circuit
[Figure: circuit with inputs x1, x2, x3, x4 and constant 3]

32 Secure Circuit Evaluation Using Beaver Circuit Randomization
Let c_M be the number of multiplication gates in the circuit
Ask triple-oracle for c_M multiplication triples
[Figure: circuit with inputs x1, x2, x3, x4 and constant 3]

33 Secure Circuit Evaluation Using Beaver Circuit Randomization
Let c_M be the number of multiplication gates in the circuit
Ask triple-oracle for c_M multiplication triples
[Figure: circuit with inputs x1, x2, x3, x4, constant 3, and triples (5, 2, 10), (2, 2, 4), (1, 0, 0)]

34 Secure Circuit Evaluation Using Beaver Circuit Randomization
[Figure: circuit with values 2, 2, 2, 2, constant 3, and triples (5, 2, 10), (2, 2, 4), (1, 0, 0)]

35 [Figure: circuit with values 2, 2, 2, 2, constant 3, triples (5, 2, 10), (2, 2, 4), (1, 0, 0), and wire value 4]

36 Secure Circuit Evaluation Using Beaver Circuit Randomization
[Figure: circuit evaluation step, wire value 4]

37 [Figure: circuit evaluation step with triples (2, 2, 4), (1, 0, 0), (5, 2, 10) and wire values 4, 4]

38 Secure Circuit Evaluation Using Beaver Circuit Randomization
[Figure: circuit evaluation step with triples (1, 0, 0), (5, 2, 10), (2, 2, 4) and wire values 4, 4]

39 Secure Circuit Evaluation Using Beaver Circuit Randomization
[Figure: circuit evaluation step with triples (1, 0, 0), (5, 2, 10), (2, 2, 4) and wire values 4, 4, 16]

40 Secure Circuit Evaluation Using Beaver Circuit Randomization
[Figure: completed circuit evaluation with triples (5, 2, 10), (2, 2, 4), (1, 0, 0) and wire values 4, 4, 16]

41 Beaver's Trick: Offline-online Paradigm
Offline Phase: sitting idle, generate as many shared triples as possible (raw data)
Triple generation is parallelizable → efficiency (amortization)
Online Phase: use the raw data for circuit evaluation
On the contrary, multiplication gates cannot be evaluated in parallel

42 Reconstruction of Shamir-sharing: (n,t)-Secret Sharing for Semi-honest Adversaries
[Figure: parties P1, P2, P3, …, Pn send their shares x_1, x_2, x_3, …, x_n to Pi, who applies Lagrange's Interpolation]
The same is done for all P_i
Communication Complexity (CC): O(n^2)

43 Efficient Reconstruction of (n,t)-Shamir for Semi-honest Adversaries
>> Can we do better? O(n). Easy, because we are assuming semi-honest adversaries.
[Figure: parties P1, P2, P3, …, Pn send their shares x_1, x_2, x_3, …, x_n to P1; P1 reconstructs x and sends x to P1, P2, P3, …, Pn]
Online Complexity: O(c_I n + c_M n + c_O n) |F_p| bits

44 Online Complexity
How efficiently can we reconstruct a shared secret s?
Reconstruction cost of one shared secret = cost per multiplication / input / output (asymptotically)

45 Offline Complexity
Generation of (c_M + c_I) shared, random, secret multiplication triples (a, b, c)
>> Task 1: Generation of Secret Sharing.
> a, b, c are secret shared using LSSS
> a, b, c random and secret
> c = ab
>> Task 2: Generation of Secret Sharing where the secret is random and secret (different from the previous task)
>> Task 3: Generation of Sharing of random, secret, multiplication triple
✓ CC of Task 1: O(n)

46 Generation of Sharing for random secret
[Figure: parties P1, P2, P3, …, Pn with random values a_1, a_2, a_3, …, a_n]
>> Each party Shamir-shares a random value
>> Pick any sharing: does this work?
>> Randomness extractor on (a_1, …, a_n)
>> Simplest Randomness Extractor: Addition a_1 + a_2 + … + a_n
>> Sharing of a value that is random and secret
>> Inefficient: n-t random and secret values among the a's but we had extracted just one.

47 Efficient Randomness Extractor
[Figure: parties P1, P2, P3, …, Pn with random values a_1, a_2, a_3, …, a_n]
>> Assume a_1, …, a_n are n points of a polynomial f(x) of degree n-1: f(1) = a_1, …, f(n) = a_n
>> These are all random
>> t out of a_1, …, a_n are known to the adversary and may be non-random
(n-t) points are randomly chosen and t points may be non-random and known to the adv.
>> Consider any (n-t) points on f(x) at x that are different from {1, …, n}, say f(n+1), …, f(n+n-t)

48 Efficient Randomness Extractor
f_(a_1, …, a_t) : F^(n-t) → F^(n-t)
>> Choose (n-t) points at random
>> Use n points to define a poly f(x) of degree at most n-1.
>> Evaluate f(x) at n+1, …, (n+n-t)
>> The mapping is a bijection.
>> Since we have uniform distribution in the domain (uniform over F^(n-t)), we get the same on the range.

49 Efficient Randomness Extractor
[Figure: parties P1, P2, P3, …, Pn with values a_1, a_2, a_3, …, a_n and extracted values a_(n+1), a_(n+2), a_(n+3), …, a_(2n-t)]
>> Assume a_1, …, a_n are n points of a polynomial f(x) of degree n-1: f(1) = a_1, …, f(n) = a_n
>> f(n+1), …, f(n+n-t) are random: f(n+1) = a_(n+1), …, f(2n-t) = a_(2n-t)
>> We need to find Shamir-sharing of a_(n+1), …, a_(2n-t)
>> Just local computation: Lagrange's Magic formula

50 Efficient Randomness Extractor
[Figure: parties P1, P2, P3, …, Pn with values a_1, a_2, a_3, …, a_n and extracted values a_(n+1), a_(n+2), a_(n+3), …, a_(2n-t)]
>> Assume a_1, …, a_n are n points of a polynomial f(x) of degree n-1: f(1) = a_1, …, f(n) = a_n
>> f(n+1), …, f(2n-t) are random: f(n+1) = a_(n+1), …, f(2n-t) = a_(2n-t)
How many random values have we extracted? n-t
Amortized CC of generating one sharing of a random secret value (Task 2): O(n)

51 Offline Complexity
Generation of (c_M + c_I) shared, random, secret multiplication triples (a, b, c)
>> Task 1: Generation of Secret Sharing.
> a, b, c are secret shared using LSSS
> a, b, c random and secret
> c = ab
>> Task 2: Generation of Secret Sharing where the secret is random and secret (different from the previous task)
>> Task 3: Generation of Sharing of random, secret, multiplication triple
✓ CC of Task 1: O(n)
✓ CC of Task 2: O(n)

52 Generating Sharing of Multiplication Triple
[Figure: parties P1, P2, P3, …, Pn hold shares a_1, a_2, a_3, …, a_n of a and b_1, b_2, b_3, …, b_n of b]
Sharing of random and secret values a, b
Multiplication Protocol → sharing of ab
CC: O(n^2)
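
Added example (not from the lecture slides): the offline/online flow end to end in Python, tying together the degree-reduction multiplication of slides 10-11, Beaver's online multiplication of slides 28-30 and the randomness extractor of slides 47-50. The modulus P, the function names, the constructed inputs x = 9, y = 5 and the simulation of all n parties in one process are assumptions made for illustration.

```python
import secrets
P = 2**61 - 1  # prime modulus for F_p (assumed; the slides do not fix p)

def share(s, n, t):
    """(n,t)-Shamir: random degree-t f with f(0)=s; party i holds f(i)."""
    co = [s] + [secrets.randbelow(P) for _ in range(t)]
    return [sum(c * pow(i, k, P) for k, c in enumerate(co)) % P for i in range(1, n + 1)]

def lagrange(n, at):
    """r_1..r_n with f(at) = sum_i r_i*f(i) for every f of degree <= n-1."""
    out = []
    for j in range(1, n + 1):
        num = den = 1
        for m in range(1, n + 1):
            if m != j:
                num, den = num * (at - m) % P, den * (j - m) % P
        out.append(num * pow(den, -1, P) % P)
    return out

def combine(coef, sharings):
    """Local step: each party takes the same linear combination of its shares."""
    return [sum(c * s for c, s in zip(coef, col)) % P for col in zip(*sharings)]

def open_(sh):
    """Reconstruct from all n shares (semi-honest: every share is correct)."""
    return sum(r * s for r, s in zip(lagrange(len(sh), 0), sh)) % P

def extract(sharings, t):
    """Extractor: sharings of a_i = f(i) -> sharings of f(n+1)..f(2n-t), locally."""
    n = len(sharings)
    return [combine(lagrange(n, k), sharings) for k in range(n + 1, 2 * n - t + 1)]

def degree_reduce_mul(xs, ys, t):
    """Party i reshares z_i = x_i*y_i; recombination vector gives a degree-t sharing."""
    zs = [share(x * y % P, len(xs), t) for x, y in zip(xs, ys)]
    return combine(lagrange(len(xs), 0), zs)

def beaver_mul(xs, ys, a, b, c):
    """Online: open alpha = x-a and beta = y-b, then combine the triple linearly."""
    alpha = open_([(x - u) % P for x, u in zip(xs, a)])
    beta = open_([(y - v) % P for y, v in zip(ys, b)])
    return [(w + alpha * v + beta * u + alpha * beta) % P for u, v, w in zip(a, b, c)]

def demo(x=9, y=5, n=5, t=2):  # constructed inputs; needs n >= 2t+1
    dealt = [share(secrets.randbelow(P), n, t) for _ in range(n)]
    a, b = extract(dealt, t)[:2]      # offline: n-t random sharings, use two
    c = degree_reduce_mul(a, b, t)    # offline: sharing of c = ab
    z = beaver_mul(share(x, n, t), share(y, n, t), a, b, c)  # online
    return open_(z), open_(c) == open_(a) * open_(b) % P
```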

53 Offline Complexity
Generation of (c_M + c_I) shared, random, secret multiplication triples (a, b, c)
>> Task 1: Generation of Secret Sharing.
> a, b, c are secret shared using LSSS
> a, b, c random and secret
> c = ab
>> Task 2: Generation of Secret Sharing where the secret is random and secret (different from the previous task)
>> Task 3: Generation of Sharing of random, secret, multiplication triple
✓ CC of Task 1: O(n)
✓ CC of Task 2: O(n)
✓ CC of Task 3 (Multiplication Protocol): O(n^2)
Offline CC: O(n^2 c_M + n c_I) |F| bits.

54 Complexity
Offline complexity: O(c_M n^2 + n c_I) |F| bits.
Online complexity: O(c_I n + c_M n + c_O n) |F_p| bits
Total complexity: O(c_I n + c_M n^2 + c_O n) |F_p| bits
Is there a way to generate triple sharing with O(n) complexity?
Yes with n>=3t+1 perfect security (active adversary)
Yes but with statistical security!

55 Secure Circuit Evaluation
1. (n, t)-secret share each input
Reduction to one reconstruction
>> Raw Material: (n,t)-Shamir sharing of a random value
2. Find (n, t)-sharing of each intermediate value
Linear gates: linearity of Shamir sharing, non-interactive
Non-linear gate: requires a degree-reduction technique, interactive
Reduction to one reconstruction
>> Raw Material: (n,2t)-sharing and (n,t)-sharing of a random value
3. Open output by Reconstruction algorithm

56 How to use Raw data for Multiplication
[Figure: parties P1, P2, P3, …, Pn; Pi holds the shares x_i, y_i of x, y, the (n,t)-share a_i of a and the (n,2t)-share A_i of a]
Each Pi computes x_i y_i - A_i: x_1 y_1 - A_1, x_2 y_2 - A_2, x_3 y_3 - A_3, …, x_n y_n - A_n
Reconstruct xy-a
No security breach since xy is blinded with random a
a + (xy-a) = xy
Online Complexity: O(c_I n + c_M n + c_O n) |F_p| bits

57 Offline Complexity
Generation of (c_M + c_I), (n,(2t,t))-secret sharing of random and secret values
>> Task 1: Generation of (n,2t) and (n,t)-secret Sharing.
> a is (n,2t)-shared and (n,t)-shared
> a random and secret
>> Task 2: Generation of Secret Sharing where the secret is random and secret (different from the previous task)
✓ CC of Task 1: O(n)
✓ CC of Task 2: O(n) (amortized)

58 Efficient Randomness Extractor
[Figure: parties P1, P2, P3, …, Pn with values a_1, a_2, a_3, …, a_n and extracted values a_(n+1), a_(n+2), a_(n+3), …, a_(2n-t)]
>> Assume a_1, …, a_n are n points of a polynomial f(x) of degree n-1: f(1) = a_1, …, f(n) = a_n
>> f(n+1), …, f(2n-t) are random: f(n+1) = a_(n+1), …, f(2n-t) = a_(2n-t)
How many random values have we extracted? n-t
Amortized CC of generating one sharing of a random secret value (Task 2): O(n)

59 Complexity: Linear Overhead MPC
Offline complexity: O(n c_M + n c_I) |F| bits.
Online complexity: O(c_I n + c_M n + c_O n) |F_p| bits
Total complexity: O(c_I n + c_M n + c_O n) |F_p| bits
First CT Topic:
>> Various possible raw data
>> Ways of generating them.

60 Computationally Secure Protocol in Honest Majority Settings
>> A1: Secure channel model relaxation.
>> A2: Constant Round protocol possible
CT Topic 2: [CDN01] Multiparty Computation from Threshold Homomorphic Encryption [Link: http://eprint.iacr.org/2000/055.pdf]
First protocol to present O(n) overhead MPC with n>=2t+1 (active)
After 12 looooooong years: first protocol with O(n) overhead MPC with n>=2t+1 in i.t. setting [BFO12] (active).
