Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University

advertisement
Secure Multi-party Computation
Minimizing Online Rounds
Seung Geol Choi
Columbia University
Joint work with
Ariel Elbaz
(Columbia University)
Tal Malkin
(Columbia University)
Moti Yung
(Columbia University & Google)
1
Outline
• Motivation
• Our Results
– First Protocol
– Second Protocol
• Conclusion
2
Multi-party Computing with
Encrypted Data (MPCED)
Considered implicitly in [FH96,JJ00,CDN01]
external
parties
y
x
P2
P1
Pn
many computations on
encrypted database
…
dynamic data
contribution from
external parties 3
Round-complexity of protocols
• Critical measure on the efficiency
• There are constant-round MPC protocols, but
the exact constant is big.
• Focus on online round-complexity
– Possibly allow any poly-time preprocessing
independent of the function of interest and input.
– Minimization of turn-around time
– Preprocessing can be handled separately, e.g., by
cloud computing
4
Outline
• Motivation
• Our Results
– First Protocol
– Second Protocol
• Conclusion
5
Previous Work
Adaptive/Static
#rounds
#corrupt
[CLOS02]
Adaptive
O(d)
<n
[DN03]
Adaptive (Arithm.)
O(d)
<n
[DI05]
Adaptive
2
const
< n/5
< n/2
[DIK08+]
Adaptive
const
< n/2
[IPS08]
Adaptive
const
<n
Can we do it in one or two rounds for <n corruption?
Yes, for static case
6
Our Results
• Two protocols for MPCED with small online
round complexity w/ preprocessing
– one-round protocol P1
– Two-round protocol P2 (Depending on the case, P2
has more efficient preprocessing than P2).
• Static and <n corruption
• Uses ElGamal encryption
– extendable to any threshold homomorphic encryption
schemes.
7
Outline
• Motivation
• Our Results
– First Protocol
– Second Protocol
• Conclusion
8
First Protocol
• Takes one round
• General Idea: Modify Yao’s protocol
– Garble a universal circuit instead of a given
circuit
– Replace OT w/ one-round equivalent step
using homomorphism.
9
Preprocessing
• Generate a Garbled Circuit for a Universal
Circuit [V76,KS08]
• Overall, follow Yao’s technique except
input wire keys.
10
Yao’s Garbled Circuit
k0
NAND
k1
El0,r0(k1)
El1,r0(k1)
El0,r1(k1)
El1,r1(k0)
l0
l1
r0
r1
11
Yao’s Garbled Circuit
k0 k1
Ekl0,0r0(k
k11)
El1,r0(k1)
NAND El0,r1(k1)
E
r0(k
1)
Ell0,
(k
)
1,r1 0
El1,r0(k1)
El0,r1(k1)
l0
l1
r
El1,r1(k0) 0
l0
l1
r0
k0 k1
Once keys of the input wires in
El0,r0(k1)
the entire circuit are determined,
El1,r0(k1)
can compute the circuit locally.
El0,r1(k1)
El1,r1(k0)
r1
r1
l0
l1
r0
r1
12
Preprocessing - 2
• Input wires
– Pick a random h for global use: hidden
– Keys in each input wire j, say wj0 and wj1,
should satisfy wj1 = wj0 * h
– publish H = Ey(h)
– publish Ey(wj0) for each input wire j
13
Encrypted Input Data
• Ey(hb) for Boolean input b
– If b = 0, publish Ey(1)
– If b = 1, re-randomize H
14
Online Stage
• Given
– input wire: W0 = Ey(w0)
– Input data: C = Ey(hb)
• Decrypt W0 * C
– Note W0 * C = Ey(w0*hb) = Ey(wb)
• Requires only a single round
15
First Protocol: Summary
• Use garbled universal circuit with
augmented manipulation in the input wires
• Replace OT procedure in Yao with
threshold decryption using homomorphism
• Needs a single online round
16
Outline
• Motivation
• Our Results
– First Protocol
– Second Protocol
• Conclusion
17
Second Protocol
• Takes two rounds.
• Natural extension of two-party case
[CEJMY07]
• Idea
– Preprocessing: garble individual gates
• Independent of a circuit or input
– Online stage: construct wires between
garbled gates and inputs
18
Preprocessing
• Garbled NAND gates
• Bunch of fresh
ElGamal key pairs:
(pk, Ey(sk))
x>y
NAND
NAND
NAND
x
y
1
19
Garbled NAND gates
with fresh ElGamal key pairs
Intermediate gates: NAND + keys
top-level gates: IDENTITY + keys
20
Online stage
• Construct wires between garbled gates
and inputs
– How? Use CODE (explained next)
21
Conditional Oblivious Decryption
Exposure (CODE)
• Functionality
– Assumes parties share the private key for y
– Input: three ciphertexts Cin, Cout, Ckey, a key z
– Output: Ez(Mkey) if Min  Mout,
Ez(random) otherwise
Cin
Ey(1)
Ey(100)
Ckey
Cout
Ey(1)
Output: Ez(100)
Cin
Ey(1)
Ey(100)
Ckey
Cout
Ey(g)
Output: Ez(random)
Can be implemented w/ homomorphic enc in 2 rounds.
22
Online Stage – Run CODEs
• Run CODE in parallel
for each Cin, Cout, Ckey tuple.
NAND
NAND
x
encrypted under z = pkL * pkR: Ez(skL)
...
...
...
Then, locally computes the circuit
using CODE outputs inductively.
Not encrypted
z =1: skR
23
Online Stage –
After Running CODE
Decrypt Final column
Using sk
EpkL*pkR(sk)
...
...
...Ez(skL)
skR
24
Summary : Second Protocol
• Preprocessing
– Garbled NAND gates, fresh ElGamal keys
• Online Stage
– Run 2-round CODE protocols in parallel
25
Summary
• Second Protocol
• First Protocol
– online #round: two
– online #rounds: one
– No blow-up of gates
– Logarithmic blow-up of
gates
– 2n-round explicit
preprocessing:
efficient when n is very
small (when n is big,
use generic protocols)
– No explicit
preprocessing: should
use generic protocols
such as [IPS08].
26
Outline
• Motivation
• Our Results
– First Protocol
– Second Protocol
• Conclusion
27
Multi-party Computing with
Encrypted Data (MPCED)
Considered implicitly in [FH96,JJ00,CDN01]
external
parties
y
x
P2
P1
Pn
many computations on
encrypted database
…
dynamic data
contribution from
external parties 28
Our Results
• Two protocols for MPCED with small online
round complexity w/ preprocessing
– one-round protocol P1
– Two-round protocol P2 (Depending on the case, P2
has more efficient preprocessing than P2).
• Static and <n corruption
29
Thank you
30
Download