/
Fast Large-Scale Honest Majority MPC for Malicious Adversaries Fast Large-Scale Honest Majority MPC for Malicious Adversaries

Fast Large-Scale Honest Majority MPC for Malicious Adversaries - PowerPoint Presentation

goldengirl
goldengirl . @goldengirl
Follow
342 views
Uploaded On 2020-08-28

Fast Large-Scale Honest Majority MPC for Malicious Adversaries - PPT Presentation

Yehuda Lindell Ariel Nof Koji Chida Koki Hamada Dai Ikarashi Ryo Kikuchi Daniel Genkin To Appear in Crypto 2018 Bar Ilan University Israel University of Pennsylvania ID: 806704

parties gate circuit verification gate parties verification circuit multiplication step compute sharing protocol honest secret malicious majority security field

Share:

Link:

Embed:

Download Presentation from below link

Download The PPT/PDF document "Fast Large-Scale Honest Majority MPC for..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.


Presentation Transcript

Slide1

Fast Large-Scale Honest Majority MPC for Malicious Adversaries

Yehuda Lindell, Ariel Nof

Koji Chida, Koki Hamada, Dai Ikarashi, Ryo Kikuchi

Daniel Genkin

To Appear in Crypto 2018

Bar-Ilan University Israel

University of Pennsylvania & University of Maryland

NTT, Japan

DPMPC

2018

Slide2

Our Setting

parties wish to compute an

arithmetic circuit over a field Malicious adversary controlling partiesHonest majority (

)Security with abort 

 

  

  

 

Slide3

Our Setting

parties wish to compute an

arithmetic circuit over a field Malicious adversary controlling partiesHonest majority (

)Security with abort 

 

  

  

 

Arithmetic circuits:

Better for integer operations

Addition gates for free

Slide4

Our Setting

parties wish to compute an

arithmetic circuit over a field Malicious adversary controlling partiesHonest majority (

)Security with abort 

 

  

  

 

Order of magnitude faster than dishonest majority setting:

State of the art (SPDZ): only ~10k multiplications per second

No need for public key cryptography tools and assumptions

Slide5

Our Setting

parties wish to compute an

arithmetic circuit over a field Malicious adversary controlling partiesHonest majority (

)Security with abort 

 

  

  

 

Fairness can be achieved but with significant overhead

Slide6

The Starting Point

An observation made by Genkin et al. [GIPST15, GIP16]:In secret-sharing based protocols, many semi-honest multiplication protocols are secure up to additive attack

in the presence of malicious adversaries.For the honest-majority setting, there exists highly efficient semi-honest multiplication protocols with low and linear communication complexity.

Slide7

Our Main Results

A statistically secure protocol maliciously secured with abort at the cost of running semi-honest protocol

times, where is such that ( is the security parameter).For “large” fields, the semi-honest protocol is run only twice!Two instantiations:3-party with replicated secret sharing: each party sends 2 field elements per multiplication gate (for large fields).Multi-party with Shamir’s secret sharing: each party sends 12 field elements

per multiplication gate (for large fields). 

Slide8

The Protocol flow

+

  ++

+

Slide9

1st step: Input Distribution

+

  +

++

[a]

[b][c][d][e][f]

– a sharing of .We assume linearity of the secret sharing scheme. 

Slide10

2nd Step: Circuit Emulation

+

  +

++

[a]

[b][c][d][e][f]

[a+b][cd] [ef] 

Local computation – no interaction!

- a multiplication protocol secure up to additive attack.

 

Slide11

3nd Step: Output reconstruction

+

  +

++

[a]

[b][c][d][e][f]

[o]Reconstruct the secret on the output wire to the party who should receive the output on that wire.

Slide12

Some Notation

– a sharing of

.We assume linearity of the secret sharing scheme. - a multiplication protocol secure up to additive attack. - a sub-protocol to generate random sharings. 

Slide13

Achieving Malicious Security

 

 

 

 

 How can the honest parties detect (and abort) when ? 

Slide14

Cheating Detection - The Main Idea

Generate a random sharing

.For each wire of the circuit, hold the pair Use to randomize the input wires of the circuitFor each multiplication gate: 

 

 

 

 

  

Slide15

Cheating Detection - The Main Idea

 

 

 

 

 

 Verification step

  

 

 

Check equality!

If

for

, then the honest parties abort

w.p

.

 

Real circuit gate

Randomized Gate

Verification gate

Slide16

Cheating Detection - Optimized

 

 

 

 

 

 

Verification step  

 

 

 

Real circuit gate

Randomized Gate

Verification gate

One verification gate for the entire circuit!

 

Check equality!

Slide17

A security problem!

 

 

 

 

 

 

Verification step  

 

 

 

Real circuit gate

Randomized Gate

Verification gate

This is done

after

the random coefficients have been chosen!!

Slide18

Cheating Detection - Optimized and Secure

 

 

 

 

 

 

Verification step Open Compute Check that:

 

Real circuit gate

Randomized Gate

Local operation

Slide19

What about Small fields?

 

 

 

 

 

Real circuit gate

Randomized Gate

 

 

Randomized Gate

. . .

Verification step

Verification step

. . .

 

 

. . .

 

Slide20

Small Fields – New Verification

Verification step

Call

to receive Open Compute

Check that:

 

Need to call for each gate two more times!! 

Slide21

Computing Sum of Products Efficiently

 

 

 

 

 

The parties locally multiply their sharesCommunicationLocal computation 

The parties locally multiply their sharesCommunicationLocal computation The parties locally

multiply their shares

Communication

Local computation

 

 

Slide22

Computing Sum of Products Efficiently

 

 

 

 

 

The parties locally multiply their sharesThe parties locally multiply their sharesThe parties locally multiply their shares 

CommunicationLocal computation

Slide23

Small Fields – New Verification

Verification step

Call

to receive Open Compute

Check that:

 

Can compute the sum of products of shares at the cost of a single multiplication

Slide24

Summary

A protocol for large

fieldsThe amortized cost for multiplication gate: 2 calls to  

A protocol for small fieldsThe amortized cost for multiplication gate: ( calls to

+ calls to

 

Slide25

Experimental ResultsTwo instantiations:

Replicated secret sharing (3 parties)Shamir’s secret sharing (n parties)

OpenReplicated102Shamir62

n-1OpenReplicated102Shamir62n-1# of elements sent per party

Slide26

Experimental Results 1,000,000 multiplication gate circuit with different depths

61-bit Mersenne fieldSingle AWS region

Execution time in millisecondsCan compute 1M gates with 3 parties in 319msCan compute 1M gates with 110 parties in 8.2s

Slide27

THANK YOU!