Yehuda Lindell Ariel Nof Koji Chida Koki Hamada Dai Ikarashi Ryo Kikuchi Daniel Genkin To Appear in Crypto 2018 Bar Ilan University Israel University of Pennsylvania ID: 806704
Download The PPT/PDF document "Fast Large-Scale Honest Majority MPC for..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Fast Large-Scale Honest Majority MPC for Malicious Adversaries
Yehuda Lindell, Ariel Nof
Koji Chida, Koki Hamada, Dai Ikarashi, Ryo Kikuchi
Daniel Genkin
To Appear in Crypto 2018
Bar-Ilan University Israel
University of Pennsylvania & University of Maryland
NTT, Japan
DPMPC
2018
Slide2Our Setting
parties wish to compute an
arithmetic circuit over a field Malicious adversary controlling partiesHonest majority (
)Security with abort
Our Setting
parties wish to compute an
arithmetic circuit over a field Malicious adversary controlling partiesHonest majority (
)Security with abort
Arithmetic circuits:
Better for integer operations
Addition gates for free
Slide4Our Setting
parties wish to compute an
arithmetic circuit over a field Malicious adversary controlling partiesHonest majority (
)Security with abort
Order of magnitude faster than dishonest majority setting:
State of the art (SPDZ): only ~10k multiplications per second
No need for public key cryptography tools and assumptions
Slide5Our Setting
parties wish to compute an
arithmetic circuit over a field Malicious adversary controlling partiesHonest majority (
)Security with abort
Fairness can be achieved but with significant overhead
Slide6The Starting Point
An observation made by Genkin et al. [GIPST15, GIP16]:In secret-sharing based protocols, many semi-honest multiplication protocols are secure up to additive attack
in the presence of malicious adversaries.For the honest-majority setting, there exists highly efficient semi-honest multiplication protocols with low and linear communication complexity.
Slide7Our Main Results
A statistically secure protocol maliciously secured with abort at the cost of running semi-honest protocol
times, where is such that ( is the security parameter).For “large” fields, the semi-honest protocol is run only twice!Two instantiations:3-party with replicated secret sharing: each party sends 2 field elements per multiplication gate (for large fields).Multi-party with Shamir’s secret sharing: each party sends 12 field elements
per multiplication gate (for large fields).
Slide8The Protocol flow
+
++
+
Slide91st step: Input Distribution
+
+
++
[a]
[b][c][d][e][f]
– a sharing of .We assume linearity of the secret sharing scheme.
Slide102nd Step: Circuit Emulation
+
+
++
[a]
[b][c][d][e][f]
[a+b][cd] [ef]
Local computation – no interaction!
- a multiplication protocol secure up to additive attack.
3nd Step: Output reconstruction
+
+
++
[a]
[b][c][d][e][f]
[o]Reconstruct the secret on the output wire to the party who should receive the output on that wire.
Slide12Some Notation
– a sharing of
.We assume linearity of the secret sharing scheme. - a multiplication protocol secure up to additive attack. - a sub-protocol to generate random sharings.
Slide13Achieving Malicious Security
How can the honest parties detect (and abort) when ?
Slide14Cheating Detection - The Main Idea
Generate a random sharing
.For each wire of the circuit, hold the pair Use to randomize the input wires of the circuitFor each multiplication gate:
Cheating Detection - The Main Idea
Verification step
Check equality!
If
for
, then the honest parties abort
w.p
.
Real circuit gate
Randomized Gate
Verification gate
Slide16Cheating Detection - Optimized
Verification step
Real circuit gate
Randomized Gate
Verification gate
One verification gate for the entire circuit!
Check equality!
Slide17A security problem!
Verification step
Real circuit gate
Randomized Gate
Verification gate
This is done
after
the random coefficients have been chosen!!
Slide18Cheating Detection - Optimized and Secure
Verification step Open Compute Check that:
Real circuit gate
Randomized Gate
Local operation
Slide19What about Small fields?
Real circuit gate
Randomized Gate
Randomized Gate
. . .
Verification step
Verification step
. . .
. . .
Small Fields – New Verification
Verification step
Call
to receive Open Compute
Check that:
Need to call for each gate two more times!!
Slide21Computing Sum of Products Efficiently
The parties locally multiply their sharesCommunicationLocal computation
The parties locally multiply their sharesCommunicationLocal computation The parties locally
multiply their shares
Communication
Local computation
Computing Sum of Products Efficiently
The parties locally multiply their sharesThe parties locally multiply their sharesThe parties locally multiply their shares
CommunicationLocal computation
Slide23Small Fields – New Verification
Verification step
Call
to receive Open Compute
Check that:
Can compute the sum of products of shares at the cost of a single multiplication
Slide24Summary
A protocol for large
fieldsThe amortized cost for multiplication gate: 2 calls to
A protocol for small fieldsThe amortized cost for multiplication gate: ( calls to
+ calls to
Experimental ResultsTwo instantiations:
Replicated secret sharing (3 parties)Shamir’s secret sharing (n parties)
OpenReplicated102Shamir62
n-1OpenReplicated102Shamir62n-1# of elements sent per party
Slide26Experimental Results 1,000,000 multiplication gate circuit with different depths
61-bit Mersenne fieldSingle AWS region
Execution time in millisecondsCan compute 1M gates with 3 parties in 319msCan compute 1M gates with 110 parties in 8.2s
Slide27THANK YOU!