Add to collection(s) Add to saved
  1. Math
  2. Linear Algebra

Multi Party Computation: From Theory to Practice Nigel P. Smart

advertisement 
Multi Party Computation: From Theory to
Practice
Nigel P. Smart
Department of Computer Science,
University Of Bristol,
Merchant Venturers Building,
Woodland Road,
Bristol, BS8 1UB.
July 1, 2013
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 1
What if?
Take two drug companies.
Each has a database of molecules and toxicology test results.
They want to combine their results
Without revealing what molecules are in the databases.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 2
What if?
A government wants to search network traffic for a specific
anomolous behaviour.
But the network operator does not want to give access to the
network to the government.
And the government does not want to reveal exactly what behaviour
it is searching for.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 3
Computing on Encrypted Data
There are two main ways of performing susch Computations On
Encrypted Data:
Fully Homomorphic Encryption
I First scheme developed in 2009
I Party A sends encrypted data to party B.
I Party B does some computation and returns the encrypted
result to party A
I Party A now decrypts to find out the answer.
Multi-Party Computation
I First schemes developed in mid 1980’s.
I Parties jointly compute a function on their inputs using a
protocol
I No information is revealed about the parties inputs.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 4
Theory
In theory both such technologies can compute anything.
In FHE one has a huge computational cost, but zero communication.
In MPC one has virtually no computational cost, but huge
communication.
In theory we can make either technology error tolerent
I
Even against malicious players.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 5
Practice
FHE is currently impractical for all but the simplest functions
I
Although you can do some useful things with it.
MPC has been deployed for some operations
I
Mainly against semi-honest adversaries.
I
Tolerating only one baddie out of exactly three players.
We will show how to combine FHE and MPC to get something much
better and practical.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 6
Set up
Assume n parties of which n − 1 can be malicious.
Assume a global (secret) key α ∈ Fp is determined
Each party i holds αi with
α = α1 + . . . + αn .
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 7
Secret Sharing
All data is represented by elements in Fp .
A secret value x ∈ Fp is shared between the parties as follows
I
Party i holds a data share xi
I
Party i holds a “MAC” share γi (x)
such that
x = x1 + · · · + xn
and
α · x = γ1 (x) + · · · + γn (x).
Note we can share a public constant v by
I
Party 1 sets x1 = v
I
Party i 6= 1 sets xi = 0
I
Party i sets γi (v ) = αi · v .
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 8
Preprocessing Model
Such a sharing of x is denoted by [x].
Our protocol works in the preprocessing model.
We (overnight say) generate a lot of data which is independent of
the function to be computed, or its inputs.
In its basic form the data consists of triples of shared values
[a], [b], [c]
such that
c = a · b.
We discuss how to produce these triples later.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 9
The Computation
To perform the computation we utilize the following idea
Any computation can be represented by a series of additions and
multiplications of elements in Fp .
In other words + and × are a set of Universal Gates over Fp .
We assume the players inputs are shared first using the above
sharing
I
Will not explain how to do this, but it is easy
So all we need do is working out how to add and multiply shared
values.
Addition will be easy, multiplication will be hard.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 10
Addition
Suppose we have two shared values [x] and [y ].
To compute the result [z] of an addition gate the parties individually
execute
I
zi = xi + yi
I
γi (z) = γi (x) + γi (y )
Note this is a local operation and that we end up with
X X X
X
z=
zi =
(xi + yi ) =
xi +
yi
= x + y,
X
X
α·z =
γi (z) =
(γi (x) + γi (y )) = α · x + α · y
= α · (x + y ).
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 11
Linear Secret Sharing
The addition trick works because we have a Linear Secret Sharing
Scheme.
We can locally compute any linear function of shared values
i.e. given constants v1 , v2 and v3 and shared values [x] and [y ] we
can compute
v1 · [x] + v2 · [y ] + v3 = [v1 · x + v2 · y + v3 ].
We will now use this in our method to perform multiplication.
Note: In what follows “partially opening” a share [x] means revealing
xi but not the MAC share.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 12
Multiplication
To multiply [x] and [y ] to obtain [z] we work as follows:
I Take a new triple ([a], [b], [c]) off the precomputed list.
I Partially open [x] − [a] to obtain = x − a.
I Partially open [y ] − [b] to obtain ρ = y − b.
I Locally compute the linear function
[z] = [c] + · [b] + ρ · [a] + · ρ.
Note
I Each multiplication requires interaction
I If a (resp. b) is random then (resp. ρ) is a one-time pad
encryption of x (resp. y ).
We get the correct result because
c+·b+ρ·a+·ρ
= a · b + (x − a) · b + (y − b) · a + (x − a) · (y − b)
= (a · b) + (x · b − a · b) + (y · a − a · b) + (x · y − x · b − y · a + a · b)
= x · y.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 13
Verifying Correctness
So given we can add and multiply we can compute anything
At the end of the computation we check correctness by interactively
checking the MAC values are all correct.
Each player i has an agreed set of partially open values
aj ,
1≤j ≤t
and each one has a sharing of the associated MAC value
γ(aj )i ,
1 ≤ j ≤ t.
Each player i also has a share of the MAC key
αi .
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 14
Verifying Correctness
We generate an agreed set of random values
1≤j ≤t
rj ,
Each player i computes
a=
t
X
rj · aj .
j=1
They also compute their share of the MAC on a
γi =
t
X
rj · γ(aj )t
j=1
and then
σi = γi − αi · a.
Note, if all is correct then σi is a sharing of zero.
I So players broadcast σi
I Then all check whether σ1 + · · · + σn = 0.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 15
Preprocessing and FHE
We return to the preprocessing, which we do using FHE
I
Following is a naive version, the real version has lots of bells
and whistles.
We assume an FHE scheme with keys (pk, sk) whose plaintext is Fp
I
In practice for efficiency work on vectors of such elements in a
SIMD fashion
Given ct1 = Encpk (m1 ) and ct2 = Encpk (m2 ) we have
Decsk (ct1 + ct2 ) = m1 + m2
and
Decsk (ct1 · ct2 ) = m1 · m2 .
We only need to evaluate circuits of multiplicative depth one.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 16
Preprocessing and FHE
We require a little more of our FHE scheme though
We assume a shared FHE public key pk for an FHE scheme.
I
Party i holds a share ski
I
Together they can decrypt a ciphertext ct via Decsk1 ,...,skn (ct).
I
Each party computes Encpk (αi ) and broadcasts this.
Last step needed so that each party has Encpk (α).
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 17
Reshare
Given a ciphertext ct encrypting a value m we can make each party
obtain
P
I An additive share mi , s.t. m =
mi
I
And (if needed) a new fresh ciphertext ct0 encrypting m.
Reshare(ct)
I
Party i generates a random fi and transmits ctfi = Encpk (fi ).
P
All compute ctm+f = ct + ctfi .
I
Execute Decsk1 ,...,skn (ctm+f ) to obtain m + f .
I
Party 1 sets m1 = (m + f ) − f1 .
I
Party i 6= 1 sets mi = −fi .
P
Set ct0 = Encpk (m + f ) − ctfi .
I
I
Use some “default” randomness for the last encryption.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 18
Generating [a] and [b]
We can generate our sharing [a] as follows
I
Party i generates a random ai and transmits ctai = Encpk (ai ).
P
All compute cta = ctai .
I
All compute ctα·a = ctα · cta .
I
Execute Reshare on ctα·a so party i obtains γi (a).
I
Note this can also be executed to obtain [b].
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 19
Generating [c]
This is also easy
I
We have cta and ctb .
I
All compute ctc = cta·b from cta · ctb .
I
Get shares ci via executing Reshare on ctc ; also obtaining a
fresh ciphertext ct0c .
I
All compute ctα·c = ctα · ct0c .
I
Execute Reshare on ctα·c so party i obtains γi (c).
This is efficient despite using FHE technology because we only
compute with depth one circuits.
Similar tricks with FHE allow us to perform other preprocessing
making the computation phase even faster.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 20
SPDZ and Tiny-OT
The above is called the SPDZ protocol
Very efficient and practical for some applications.
Better security properties than other MPC implementations
More flexible in terms of parameters than other MPC
implementations.
I
Not quite suited to evaluating binary circuits, or circuits over
small finite fields.
I
A variant of the above protocol can do this.
I
Or another protocol related to SPDZ due to Nielsen, Nordholt,
Orlandi and Burra (Tiny-OT).
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 21
Performance SPDZ
There has been a lot of work on protocols to perform various higher
level operations via MPC
I
Without evaluating “circuits”.
I
Using ability to open data.
Many of these protocols can be improved by offloading function
independent processing into the Offline phase.
I
We expect more impressive results to come out in the next few
months
In the next slides we present timings for our current Online phase,
for two players, for various functions
I
Again we expect these to improve dramatically in the coming
months
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 22
Integer Multiplication
1 thread
4 threads
7 threads
·103
Throughput (1000/s)
600
400
200
0
0
2
4
6
8 10 12 14 16
Latency (ms)
Figure: Integer multiplication
Nigel P. Smart
Multi Party Computation: From Theory to6Practice
Slide 23
A “386” did about 10 integer mults per second.
Integer Comparison
1 thread (32-Bit)
4 threads (32-Bit)
7 threads (32-bit)
1 thread (64-Bit)
4 threads (64-bit)
7 threads (64-bit)
Throughput (/s)
6,000
4,000
2,000
0
0
10
20
30
Latency (ms)
40
Figure:
Integer comparison (logarithmic rounds protocol).
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 24
Sorting
1 thread (32-Bit)
1 thread (64-Bit)
2,500
Latency (ms)
2,000
1,500
1,000
500
0
0
100
200
300
List size
400
Figure: Sorting.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 25
500
Fixed/Floating Point Multiplication
1 thread (fixed)
4 threads (fixed)
7 threads (fixed)
(floating)
(floating)
(floating)
Throughput (/s)
6,000
4,000
2,000
0
0
10
20
30
Latency (ms)
40
50
Figure: Fixed and floating point multiplication
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 26
Single Precision Floating Point Addition
1 thread
4 threads
7 threads
Throughput (/s)
1,000
800
600
400
200
0
0
20
40
60 80 100 120 140
Latency (ms)
Figure: Floating point addition
ENIAC did 384 FLOPS.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 27
Fixed/Floating Point Comparison
1 thread (fixed)
4 threads (fixed)
7 threads (fixed)
(floating)
(floating)
(floating)
Throughput (/s)
4,000
3,000
2,000
1,000
0
0
5
10
15 20 25
Latency (ms)
30
35
Figure:
Fixed and floating point comparison operation (less than)
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 28
Small Finite Field Example
As an another example we present timings for evaluating the AES,
DES, MD5 and SHA-1 functionalities, for two players and active
security.
Why do we care about the such functionalities?
I Many attacks against stored password systems in recent past
by people breaking into individual servers
EMC/RSA have the following solution for static passwords:
I User splits password up p = p U ⊕ p U
1
2
I Sends p1 to server one, and p2 to server two.
I Servers have another share of the password p = p S ⊕ p S .
1
2
I Servers compute ti = p U ⊕ p S
i
i
I Servers sent ti to each other.
I Accept password if
t1 = p1U ⊕ p1S = (p ⊕ p2U ) ⊕ (p ⊕ p2S ) = p2U ⊕ p2S = t2 .
Attacker needs to compromise both servers to get the password.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 29
AES Functionality
The EMC/RSA solution does not work with dynamic passwords
I
SecureID tokens.
I
e-banking applications using CAP/EMV
I
etc
Password is typically
p = AESk (m)
where m is a counter, or a challenge from the server and k is the
master “password”.
Here AES could be replaced by any keyed PRF really; e.g. DES,
MD5, SHA-1 etc.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 30
AES Functionality
In joint work with Bar Ilan University (Lindell) and Partisia (Damgård
and Nielsen) we have a proposed system to verify such dynamic
passwords using multiple servers
I
Need to compromise all servers to break the system.
Basically just apply MPC to the dynamic password situation.
Now working on system to do this for real
I
Can now meet latency and throughput for AES based solutions.
I
Working on improving the DES, MD5 and SHA-1 based
solutions.
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 31
AES Functionality
1 thread excl. KS
4 threads excl. KS
7 threads excl. KS
1 thread incl. KS
4 threads incl. KS
7 threads incl. KS
Throughput : #/s
103
102
0
50
100
150
200
Latency : ms
250
Figure: AES runtimes
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 32
AES Functionality : Zoom In
1 thread excl. KS
4 threads excl. KS
7 threads excl. KS
1 thread incl. KS
4 threads incl. KS
7 threads incl. KS
500
Throughput : #/s
400
300
200
100
0
10
20
30
Latency : ms
40
50
Figure: AES runtimes (low latency values)
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 33
DES
1 thread excl. KS
4 threads excl. KS
7 threads excl. KS
1 thread incl. KS
4 threads incl. KS
7 threads incl. KS
Throughput : #/s
300
200
100
0
0
200
400
600
Latency : ms
800
Figure: DES runtimes
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 34
1,000
MD-5
1 thread
4 threads
7 threads
Throughput : #/s
60
40
20
0
350 400 450 500 550 600 650 700
Latency : ms
Figure: MD5 runtimes
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 35
SHA-1
Throughput : #/s
1 thread
4 threads
7 threads
30
20
10
0
650 700 750 800 850 900 950 1,000
Latency : ms
Figure: SHA-1 runtimes
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 36
Any Questions ?
Nigel P. Smart
Multi Party Computation: From Theory to Practice
Slide 37
Related documents
Grant End Dates
Grant End Dates
Mathematics/Statistics Template ()
Mathematics/Statistics Template ()
Download
advertisement