Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University
advertisement
Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University Joint work with Ariel Elbaz (Columbia University) Tal Malkin (Columbia University) Moti Yung (Columbia University & Google) 1 Outline • Motivation • Our Results – First Protocol – Second Protocol • Conclusion 2 Multi-party Computing with Encrypted Data (MPCED) Considered implicitly in [FH96,JJ00,CDN01] external parties y x P2 P1 Pn many computations on encrypted database … dynamic data contribution from external parties 3 Round-complexity of protocols • Critical measure on the efficiency • There are constant-round MPC protocols, but the exact constant is big. • Focus on online round-complexity – Possibly allow any poly-time preprocessing independent of the function of interest and input. – Minimization of turn-around time – Preprocessing can be handled separately, e.g., by cloud computing 4 Outline • Motivation • Our Results – First Protocol – Second Protocol • Conclusion 5 Previous Work Adaptive/Static #rounds #corrupt [CLOS02] Adaptive O(d) <n [DN03] Adaptive (Arithm.) O(d) <n [DI05] Adaptive 2 const < n/5 < n/2 [DIK08+] Adaptive const < n/2 [IPS08] Adaptive const <n Can we do it in one or two rounds for <n corruption? Yes, for static case 6 Our Results • Two protocols for MPCED with small online round complexity w/ preprocessing – one-round protocol P1 – Two-round protocol P2 (Depending on the case, P2 has more efficient preprocessing than P2). • Static and <n corruption • Uses ElGamal encryption – extendable to any threshold homomorphic encryption schemes. 7 Outline • Motivation • Our Results – First Protocol – Second Protocol • Conclusion 8 First Protocol • Takes one round • General Idea: Modify Yao’s protocol – Garble a universal circuit instead of a given circuit – Replace OT w/ one-round equivalent step using homomorphism. 9 Preprocessing • Generate a Garbled Circuit for a Universal Circuit [V76,KS08] • Overall, follow Yao’s technique except input wire keys. 10 Yao’s Garbled Circuit k0 NAND k1 El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) l0 l1 r0 r1 11 Yao’s Garbled Circuit k0 k1 Ekl0,0r0(k k11) El1,r0(k1) NAND El0,r1(k1) E r0(k 1) Ell0, (k ) 1,r1 0 El1,r0(k1) El0,r1(k1) l0 l1 r El1,r1(k0) 0 l0 l1 r0 k0 k1 Once keys of the input wires in El0,r0(k1) the entire circuit are determined, El1,r0(k1) can compute the circuit locally. El0,r1(k1) El1,r1(k0) r1 r1 l0 l1 r0 r1 12 Preprocessing - 2 • Input wires – Pick a random h for global use: hidden – Keys in each input wire j, say wj0 and wj1, should satisfy wj1 = wj0 * h – publish H = Ey(h) – publish Ey(wj0) for each input wire j 13 Encrypted Input Data • Ey(hb) for Boolean input b – If b = 0, publish Ey(1) – If b = 1, re-randomize H 14 Online Stage • Given – input wire: W0 = Ey(w0) – Input data: C = Ey(hb) • Decrypt W0 * C – Note W0 * C = Ey(w0*hb) = Ey(wb) • Requires only a single round 15 First Protocol: Summary • Use garbled universal circuit with augmented manipulation in the input wires • Replace OT procedure in Yao with threshold decryption using homomorphism • Needs a single online round 16 Outline • Motivation • Our Results – First Protocol – Second Protocol • Conclusion 17 Second Protocol • Takes two rounds. • Natural extension of two-party case [CEJMY07] • Idea – Preprocessing: garble individual gates • Independent of a circuit or input – Online stage: construct wires between garbled gates and inputs 18 Preprocessing • Garbled NAND gates • Bunch of fresh ElGamal key pairs: (pk, Ey(sk)) x>y NAND NAND NAND x y 1 19 Garbled NAND gates with fresh ElGamal key pairs Intermediate gates: NAND + keys top-level gates: IDENTITY + keys 20 Online stage • Construct wires between garbled gates and inputs – How? Use CODE (explained next) 21 Conditional Oblivious Decryption Exposure (CODE) • Functionality – Assumes parties share the private key for y – Input: three ciphertexts Cin, Cout, Ckey, a key z – Output: Ez(Mkey) if Min Mout, Ez(random) otherwise Cin Ey(1) Ey(100) Ckey Cout Ey(1) Output: Ez(100) Cin Ey(1) Ey(100) Ckey Cout Ey(g) Output: Ez(random) Can be implemented w/ homomorphic enc in 2 rounds. 22 Online Stage – Run CODEs • Run CODE in parallel for each Cin, Cout, Ckey tuple. NAND NAND x encrypted under z = pkL * pkR: Ez(skL) ... ... ... Then, locally computes the circuit using CODE outputs inductively. Not encrypted z =1: skR 23 Online Stage – After Running CODE Decrypt Final column Using sk EpkL*pkR(sk) ... ... ...Ez(skL) skR 24 Summary : Second Protocol • Preprocessing – Garbled NAND gates, fresh ElGamal keys • Online Stage – Run 2-round CODE protocols in parallel 25 Summary • Second Protocol • First Protocol – online #round: two – online #rounds: one – No blow-up of gates – Logarithmic blow-up of gates – 2n-round explicit preprocessing: efficient when n is very small (when n is big, use generic protocols) – No explicit preprocessing: should use generic protocols such as [IPS08]. 26 Outline • Motivation • Our Results – First Protocol – Second Protocol • Conclusion 27 Multi-party Computing with Encrypted Data (MPCED) Considered implicitly in [FH96,JJ00,CDN01] external parties y x P2 P1 Pn many computations on encrypted database … dynamic data contribution from external parties 28 Our Results • Two protocols for MPCED with small online round complexity w/ preprocessing – one-round protocol P1 – Two-round protocol P2 (Depending on the case, P2 has more efficient preprocessing than P2). • Static and <n corruption 29 Thank you 30
