CS 355 Lecture 7 (4/23).

Logistics: 4W2 due This Friday at 5pm ( submit via Grade scope)

HW3 posted this Friday

See Piazza for office hour information for upcoming week ( course staff is traveling)

Previte : 2- party computation ( Yao's garbled circuits )

Suppose Alice and Bob want to compute function f on joint input ( X , y)

Alice ( X ) Bob ( y )0T=9mstfr×y ) requires algebraic assumptions HWL : Realize large number of OTS from

OT responses( more expensive ) (

a snag ( ~x ) number of baseOTs]garbled circuit for f | only requires cheap symmetricgarbled inputs for y primitives

ffx ,g ) tee: neither party

learns more from protocol other than what is revealed by f ( x , y )

e.g. {Viewa ( × , y ) } I { s 11'

,×

,

ftview of Alice in real protocol Transcriptprotocol execution can be simulated just givenon inputs X and y party's input and output of computation

Question : What if we have more than two parties ?

This : Secret sharing and MPC

Beaver Triples and MPC in the preprocessingmodel

Secretsharingn Suppose we have a secret and want to distribute it among n parties such That any t of then can subsequently recover

The secret andany

It - l ) subset coat ( e.g. , Board of directors at Coca-Cola want to protect Coca-Cola recipe ]

D# A ( t , n ) - secret sharing scheme over a message space M and share space S consists of two efficient algorithms :

Share : M → gn

Reconstruct : st → M

with the following properties :

Correctness : Any t shares can be used to reconstruct m:

V. m E m : ( s , , ... , Sn ) ← Share ( m )

V. S E { s , , ... , sn ] where 151 = t : Reconstruct ( s ) = m

Secuity: Need at least t shares to learn He secret

ycan relax To computational indistinguishable ity ( in which case ,

fmo,

m,

E M,

VI c- En ] where III < t : Share takes in additional security parameter)¥↳

notion here Is

{ ( s , , ... , Sn ) ← share ( no ) : Si for all it I } = { ( s , , ... , Sn ) ← Share ( m , ) : Si for all it I } information . theoretic

f any ringwill work ( p need not be Prime)

n

Examples: Additive secret sharing [ n out of n ] : M= Zp, S =Zp Provides information - theoretic

- Share ( M ) : Sample r , , ... , rn . , I zp and set rn = m = [ innj'

r ;E zp

security - check this !

• Reconstruct ( r , , ... , rn ) : Output IF: ' ri~

satisfying CPA -securityCombinatorial secret sharing

[ t out of n ] : Will use a symmetric encryption scheme over { 0/15'

(e.g. AES- CTR )

-

Share ( m ) : Sample n keys k , , ... , kn for encryption scheme

for everyt - subset { in ... , it } E Cn ] , encrypt m using ki , , ... , kit (e.g. , Enc ( kg , Enc ( kiz ,

. . '

, Eadkie,

on ) ' ' ' D)

Let { 4 } be the collection of cipher texts←

Very large shares ! Question : Can we do better ?

Output shares ( ( K , , { ct 3 ) , ... , ( kn , { 43 )) ~relies on computational assumptions

- Reconstruct ( ( k , , { of ) , . . . ( Kt , { 43 )) : by construction , there is one Ct C- { Ct } encrypted under ki , ... , kt , so decrypt accordinglyShamir secret sharing [ t out of n ] : M

=

Ftp , 5= FF (require p > n )

Any 2 points↳ beautiful construction based on polynomials (very useful mechanism for sharing data) fth define a

••g(3)

Keyidea : Any d points uniquely define a degree. ldt ) polynomial over a field • unnigeline

••

-

eg . 2 points define a line , 3 points define of oarabola , etc .

••g (1)

fl 3)

•

given d points , can effetely obtain entire polynomial [ Lagrange interpolation ] p , • • .←

Share ( m ) : Choose y , , ... , y← ,I Fp 1 2 3

4 5

Let f : Fp → Ftp be the unique polynomial of degree 4 - I

f(o)=m and ffi ) = yi fit[ t - i ] [ t points unity define the polynomial f ]Output shares ( i , fli ) ) fit [ n ] Each share is just 2 field elements lindependent of Threshold t or # parties n ) .> Reconstruct ( Cii, y , ) , ... , lit , yt ) ) :Interpolate The unique polynomial f of degree At ) defined by the points ( ing , ) , ... , ( it ,yt )Output flo )

correctness: Follows byuniqueness of The interpolating polynomial

Setty : Given any subset of At ) shares ( ii , yi ) , ... , ( in , yi . i ) , and any message M E Ftp , there Is ainife polynomial fof degree tt where flii ) : y , , ... , flied = you and f ( o ) = m

Thus, any

th ) shares can be consistent with secret - sharing of any message m⇒ information - theoretic

security

Efficiency: Secret sharing and secret reconstruction correspond to polynomial evaluation and interpolation ( over Ttp ) . Both ofThese operations can be expressed as

tides:

t - I-

Suppose f ( x )= do + a xt - . - +

a-, ×

-

Evaluation of f at points Xi , Xz , ... , Xn can be expressed as matrix. Vector product :H:#III;¥III¥Df?D±H:p in .IE#r..a.

- - -

x x y' ' Vander monde matrix

"

-

Polynomial evaluation corresponds to computing product X. a and interpolation corresponds To

computingthe product Xly

- Both of these operations can be done in Time 0(nlogn) using the Fast Fourier Transform ( FFT )

f gates are addition and

multiplication over Fp

Competingonseaet-sh=aa : Another paradigm for 2PC (and MPC ) - better . suited for evaluating arithmetic circuits

rats←r Ep

Alice

txa) _- Bob ( x . ) At: Chooses raps , race

Ftp and sends#ftp.T.shifgfacahii.ie's share

RBA £

Fp ↳ Observation: ( Xa - rats - race , rats , rac ) is additiverB¥rac "µ

,secret sharing of Alice's input Xa

€Bob's share

HXA,43

,

Xc ) = XATXBHC Charlie ( Xc ) We will write [ Xa ] to denote additive secret sharing of XA

Computing: Given shares of XA and XB

,

[ Xa + XB ] = ( Xa ] + ( XB ] (component . wise addition)

Specifically if [ XA ]= ( Xad

,Xar

,XA

, 3)where xa.it/a,2tkn..3=XaE

Ftp

[XB] = (XB , " 43,2 , 143,3 ) where Xen +43,2+43,3 = XB E Ftp

then (XA + XB ) = ( XA , it XB , l , XA ,z + ×Br , XA . } + XB , } ) and Had + XB , , ) + ( Xar + XB, 2) + (XA , } + XB , } ) = XATXB E Ftp

M¥14: 1

.Share addition : [ xa + XB ] = [ xn. ] + [ xis ]

2.

Scalar multiplication : ( kxa ] ' K . [ Xa ]

3. Addition by constant: K Xatk ] = (Xa

, ,+ k

, Xar , Xais)

feach party only has a share ofQuetta: How To multiply shared values ? a. b. c : no one knows actual values !

Amazing insight due To Beaver : Suppose parties have a secret-

sharing of a

randomproduct : [ a ] , [ b ] , [ c ] where C= Ab

e

FpE T

Then, given [

× ] and [ y ] , we proceed as follows : A ,b £ IFP ( a ,b are uniformly random values)1

.Each

party computes[ * a ] and publishes Their share of X

- a

2 . Eachparty computes

[y- b ] and publishes Their share of y

- b

3 . All of The parties compute non- interactively :

G- ] = [ of + [ x ] ( y- b) + [ y ] ( × - a)

- ( x . a) ( y- b)

Claim : Z = Xy . Follows by following calculation :

Z = C + × (y- b) + y ( x . a)

- ( x - a) ly - b)=

#+ xy . bytxf. af-xftby + aftab=

xyObserve : Parties only see X - a and y

. b in This protocol . Since a , b are uniformly random and unknown to the parties , X- a and

y. b

is a one-time pad encryption of X and y. Resulting protocol provides information

- theoretic privacy for parties'

inputs.

Assuming we have access to Beaver multiplication triples , we can evaluate any arithmetic circuit as follows(

amongn - parties) :

1. Every party

secret shares their input with everyother

party What goes wrong if the2

. For each addition gate in the circuit , parties locally compute on their sharessame Triple is usedtwice ?

3. For each multiplication gate in

The circuit, parties run Bearer

's multiplication protocol ( usingINTriple each time ! )

4 . Every party publishes share of The output ; parties run share reduction to obtain output.

Secret - Sharing

Yao* Can be improved further !

Comparing: Type of computation Arithmetic circuits (Fp ) Boolean circuits * Leverages several optimizations

Number of parties Arbitrary ( n ) 2( half . gates + free Xor )

Roundcomplexity Depth of circuit 2

~2nkgp bits per *~ 256 bits per

*Communication multiplicationgate AND gate A-side: preprocessing is also possible forInformation . Theoretic

Security ( with Bearer triples)Computational OT ( OT correlations ) : gives fast ,

information . Theoretic OT in the online

Question : Where do Beaver Triples come from ? =Preprocessing is input.in#pdnt.l phase

Typically , generated In an offline"

preprocessing"

phase . Many techniques:

- Trusted dealer (e.g. , Intel SGX) can generate them =Implication : Otis

'

complete"

for MPC : any n. party

functionality can be computed securely-

Using oblivious Transfer ( OT )- accelerate

usingOT extensions ( Hw2 , Problem 4) assuming existence of OT .

•

Using somewhat homomorphic encryption (discussed later in the course )

Question : What if parties are malicious? [ So far

, everything is only semi - honest secure ][ Goldrich - Micali - Wigdersm]

The GMW compiler Transforms any protocol with semi- honest security to

one with malicious security

Highly: Parties include a zero . knowledge proof That each step of the protocol was performed according To The protocol specification .

Corollary: Anything That can be computed with a Trusted party can be computed without ! [ Ben . Or - Goldwasser - Wigderson]- For n - parties , if we have fewer Than

43 corrupted parties , this is even possible information - theoretically!

- Withcryptographic assumptions ( i.e. OT ) , we can support n - 1 corrupted parties ( with some caveats . . )