on y tee - Stanford University › cs355 › 18sp › lec7.pdff gates are addition and...
Transcript of on y tee - Stanford University › cs355 › 18sp › lec7.pdff gates are addition and...
-
CS 355 Lecture 7 (4/23).
Logistics: 4W2 due This Friday at 5pm ( submit via Grade scope)
HW3 posted this Friday
See Piazza for office hour information for upcoming week ( course staff is traveling)
Previte : 2- party computation ( Yao's garbled circuits )
Suppose Alice and Bob want to compute function f on joint input ( X , y)
Alice ( X ) Bob ( y )0T=9mstfr×y ) requires algebraic assumptions HWL : Realize large number of OTS from
OT responses( more expensive ) (
a snag ( ~x ) number of baseOTs]garbled circuit for f | only requires cheap symmetricgarbled inputs for y primitives
ffx ,g ) tee: neither party
learns more from protocol other than what is revealed by f ( x , y )
e.g. {Viewa ( × , y ) } I { s 11'
,×
,
ftview of Alice in real protocol Transcriptprotocol execution can be simulated just givenon inputs X and y party's input and output of computation
Question : What if we have more than two parties ?
This : Secret sharing and MPC
Beaver Triples and MPC in the preprocessingmodel
Secretsharingn Suppose we have a secret and want to distribute it among n parties such That any t of then can subsequently recover
The secret andany
It - l ) subset coat ( e.g. , Board of directors at Coca-Cola want to protect Coca-Cola recipe ]
D# A ( t , n ) - secret sharing scheme over a message space M and share space S consists of two efficient algorithms :
Share : M → gn
Reconstruct : st → M
with the following properties :
Correctness : Any t shares can be used to reconstruct m:
V. m E m : ( s , , ... , Sn ) ← Share ( m )
V. S E { s , , ... , sn ] where 151 = t : Reconstruct ( s ) = m
Secuity: Need at least t shares to learn He secret
ycan relax To computational indistinguishable ity ( in which case ,
fmo,
m,
E M,
VI c- En ] where III < t : Share takes in additional security parameter)¥↳
notion here Is
{ ( s , , ... , Sn ) ← share ( no ) : Si for all it I } = { ( s , , ... , Sn ) ← Share ( m , ) : Si for all it I } information . theoretic
-
f any ringwill work ( p need not be Prime)
n
Examples: Additive secret sharing [ n out of n ] : M= Zp, S =Zp Provides information - theoretic
- Share ( M ) : Sample r , , ... , rn . , I zp and set rn = m = [ innj'
r ;E zp
security - check this !
• Reconstruct ( r , , ... , rn ) : Output IF: ' ri~
satisfying CPA -securityCombinatorial secret sharing
[ t out of n ] : Will use a symmetric encryption scheme over { 0/15'
(e.g. AES- CTR )
-
Share ( m ) : Sample n keys k , , ... , kn for encryption scheme
for everyt - subset { in ... , it } E Cn ] , encrypt m using ki , , ... , kit (e.g. , Enc ( kg , Enc ( kiz ,
. . '
, Eadkie,
on ) ' ' ' D)
Let { 4 } be the collection of cipher texts←
Very large shares ! Question : Can we do better ?
Output shares ( ( K , , { ct 3 ) , ... , ( kn , { 43 )) ~relies on computational assumptions
- Reconstruct ( ( k , , { of ) , . . . ( Kt , { 43 )) : by construction , there is one Ct C- { Ct } encrypted under ki , ... , kt , so decrypt accordinglyShamir secret sharing [ t out of n ] : M
=
Ftp , 5= FF (require p > n )
Any 2 points↳ beautiful construction based on polynomials (very useful mechanism for sharing data) fth define a
••g(3)
Keyidea : Any d points uniquely define a degree. ldt ) polynomial over a field • unnigeline
••
-
eg . 2 points define a line , 3 points define of oarabola , etc .
••g (1)
fl 3)
•
given d points , can effetely obtain entire polynomial [ Lagrange interpolation ] p , • • .←
Share ( m ) : Choose y , , ... , y← ,I Fp 1 2 3
4 5
Let f : Fp → Ftp be the unique polynomial of degree 4 - I
f(o)=m and ffi ) = yi fit[ t - i ] [ t points unity define the polynomial f ]Output shares ( i , fli ) ) fit [ n ] Each share is just 2 field elements lindependent of Threshold t or # parties n ) .> Reconstruct ( Cii, y , ) , ... , lit , yt ) ) :Interpolate The unique polynomial f of degree At ) defined by the points ( ing , ) , ... , ( it ,yt )Output flo )
correctness: Follows byuniqueness of The interpolating polynomial
Setty : Given any subset of At ) shares ( ii , yi ) , ... , ( in , yi . i ) , and any message M E Ftp , there Is ainife polynomial fof degree tt where flii ) : y , , ... , flied = you and f ( o ) = m
Thus, any
th ) shares can be consistent with secret - sharing of any message m⇒ information - theoretic
security
Efficiency: Secret sharing and secret reconstruction correspond to polynomial evaluation and interpolation ( over Ttp ) . Both ofThese operations can be expressed as
tides:
t - I-
Suppose f ( x )= do + a xt - . - +
a-, ×
-
Evaluation of f at points Xi , Xz , ... , Xn can be expressed as matrix. Vector product :H:#III;¥III¥Df?D±H:p in .IE#r..a.
- - -
x x y' ' Vander monde matrix
"
-
Polynomial evaluation corresponds to computing product X. a and interpolation corresponds To
computingthe product Xly
- Both of these operations can be done in Time 0(nlogn) using the Fast Fourier Transform ( FFT )
-
f gates are addition and
multiplication over Fp
Competingonseaet-sh=aa : Another paradigm for 2PC (and MPC ) - better . suited for evaluating arithmetic circuits
rats←r Ep
Alice
txa) _- Bob ( x . ) At: Chooses raps , race
Ftp and sends#ftp.T.shifgfacahii.ie's share
RBA £
Fp ↳ Observation: ( Xa - rats - race , rats , rac ) is additiverB¥rac "µ
,secret sharing of Alice's input Xa
€Bob's share
HXA,43
,
Xc ) = XATXBHC Charlie ( Xc ) We will write [ Xa ] to denote additive secret sharing of XA
Computing: Given shares of XA and XB
,
[ Xa + XB ] = ( Xa ] + ( XB ] (component . wise addition)
Specifically if [ XA ]= ( Xad
,Xar
,XA
, 3)where xa.it/a,2tkn..3=XaE
Ftp
[XB] = (XB , " 43,2 , 143,3 ) where Xen +43,2+43,3 = XB E Ftp
then (XA + XB ) = ( XA , it XB , l , XA ,z + ×Br , XA . } + XB , } ) and Had + XB , , ) + ( Xar + XB, 2) + (XA , } + XB , } ) = XATXB E Ftp
M¥14: 1
.Share addition : [ xa + XB ] = [ xn. ] + [ xis ]
2.
Scalar multiplication : ( kxa ] ' K . [ Xa ]
3. Addition by constant: K Xatk ] = (Xa
, ,+ k
, Xar , Xais)
feach party only has a share ofQuetta: How To multiply shared values ? a. b. c : no one knows actual values !
Amazing insight due To Beaver : Suppose parties have a secret-
sharing of a
randomproduct : [ a ] , [ b ] , [ c ] where C= Ab
e
FpE T
Then, given [
× ] and [ y ] , we proceed as follows : A ,b £ IFP ( a ,b are uniformly random values)1
.Each
party computes[ * a ] and publishes Their share of X
- a
2 . Eachparty computes
[y- b ] and publishes Their share of y
- b
3 . All of The parties compute non- interactively :
G- ] = [ of + [ x ] ( y- b) + [ y ] ( × - a)
- ( x . a) ( y- b)
Claim : Z = Xy . Follows by following calculation :
Z = C + × (y- b) + y ( x . a)
- ( x - a) ly - b)=
#+ xy . bytxf. af-xftby + aftab=
xyObserve : Parties only see X - a and y
. b in This protocol . Since a , b are uniformly random and unknown to the parties , X- a and
y. b
is a one-time pad encryption of X and y. Resulting protocol provides information
- theoretic privacy for parties'
inputs.
Assuming we have access to Beaver multiplication triples , we can evaluate any arithmetic circuit as follows(
amongn - parties) :
1. Every party
secret shares their input with everyother
party What goes wrong if the2
. For each addition gate in the circuit , parties locally compute on their sharessame Triple is usedtwice ?
3. For each multiplication gate in
The circuit, parties run Bearer
's multiplication protocol ( usingINTriple each time ! )
4 . Every party publishes share of The output ; parties run share reduction to obtain output.
-
Secret - Sharing
Yao* Can be improved further !
Comparing: Type of computation Arithmetic circuits (Fp ) Boolean circuits * Leverages several optimizations
Number of parties Arbitrary ( n ) 2( half . gates + free Xor )
Roundcomplexity Depth of circuit 2
~2nkgp bits per *~ 256 bits per
*Communication multiplicationgate AND gate A-side: preprocessing is also possible forInformation . Theoretic
Security ( with Bearer triples)Computational OT ( OT correlations ) : gives fast ,
information . Theoretic OT in the online
Question : Where do Beaver Triples come from ? =Preprocessing is input.in#pdnt.l phase
Typically , generated In an offline"
preprocessing"
phase . Many techniques:
- Trusted dealer (e.g. , Intel SGX) can generate them =Implication : Otis
'
complete"
for MPC : any n. party
functionality can be computed securely-
Using oblivious Transfer ( OT )- accelerate
usingOT extensions ( Hw2 , Problem 4) assuming existence of OT .
•
Using somewhat homomorphic encryption (discussed later in the course )
Question : What if parties are malicious? [ So far
, everything is only semi - honest secure ][ Goldrich - Micali - Wigdersm]
The GMW compiler Transforms any protocol with semi- honest security to
one with malicious security
Highly: Parties include a zero . knowledge proof That each step of the protocol was performed according To The protocol specification .
Corollary: Anything That can be computed with a Trusted party can be computed without ! [ Ben . Or - Goldwasser - Wigderson]- For n - parties , if we have fewer Than
43 corrupted parties , this is even possible information - theoretically!
- Withcryptographic assumptions ( i.e. OT ) , we can support n - 1 corrupted parties ( with some caveats . . )