
Practical comparison of secret values – and practical applications

Practical comparison of secret values – and practical applications. Tomas Toft (CWI & TU/e), Sabanci University, April 18th 2008. Overview of this talk: what and why of MPC; algorithmic protocol construction; practical comparison of secret values; applications; small demo of VIFF.


Presentation Transcript


  1. Practical comparison of secret values – and practical applications Tomas Toft (CWI & TU/e) Sabanci University April 18th 2008

  2. Overview of this Talk • What and why of MPC • Algorithmic protocol construction • Practical comparison of secret values • Applications • Small demo of VIFF

  3. Multiparty Computation [Figure: inputs x_1, x_2, x_3; output f(x_1, x_2, x_3)]

  4. Why Perform MPC • Plenty of real-world motivation for privacy • Auctions • Data-mining • Benchmarking • The use of MPC techniques in practice is limited despite plenty of motivation

  5. How to Perform MPC • In theory we can do anything [Yao86,GMW87,BGW88,CCD88] • Basically secure function evaluation (SFE) • Some “problems” • MPC can also be reactive/interactive • Large computations are not described using circuits • Computation may be wasted, e.g. simulating secure Boolean arithmetic in a large ring

  6. An Algorithmic Approach • Assume access to a trusted third party (TTP) who runs the computation • Input, output, and arithmetic only • Can be implemented using standard solutions • Algorithm → circuits → protocol • Multiplications provide measure of complexity • Z_m arithmetic simulates integer arithmetic • Adding new operations to TTP is easy • Constructed from arithmetic (and I/O)

  7. An Auction Example (Highest Bid) • Receive bids • For [b] in bids do • if [b] >? [max] then [max] := [b] • [max] := ([b] >? [max]) ∙ ([b] – [max]) + [max] • Output [max] • Disclaimer: For clarity only • Linear round complexity
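The oblivious update on slide 7, as an added example (not code from the talk or from VIFF): a toy 3-party Shamir sharing with resharing-based multiplication in the style of Gennaro et al. evaluates [max] := ([b] >? [max]) ∙ ([b] – [max]) + [max]. The field prime, the threshold, all function names, and the `greater_than` stand-in (an ideal comparison that reconstructs its inputs) are assumptions made for illustration.

```python
import secrets

P = 2**61 - 1   # assumed prime field modulus
N, T = 3, 1     # assumed: 3 parties, any T+1 = 2 shares reconstruct

def share(x):
    """Shamir-share x: evaluate a random degree-T polynomial at points 1..N."""
    coeffs = [x % P] + [secrets.randbelow(P) for _ in range(T)]
    return [sum(c * pow(i, j, P) for j, c in enumerate(coeffs)) % P
            for i in range(1, N + 1)]

def lagrange_at_zero(points):
    """Coefficients that interpolate f(0) from f evaluated at `points`."""
    out = []
    for i in points:
        num = den = 1
        for j in points:
            if j != i:
                num, den = num * -j % P, den * (i - j) % P
        out.append(num * pow(den, -1, P) % P)
    return out

LAMBDA = lagrange_at_zero(range(1, N + 1))

def reveal(shares):
    return sum(l * s for l, s in zip(LAMBDA, shares)) % P

def add(x, y): return [(a + b) % P for a, b in zip(x, y)]
def sub(x, y): return [(a - b) % P for a, b in zip(x, y)]

def mul(x, y):
    """Local products lie on a degree-2T polynomial; resharing them and
    recombining with LAMBDA brings the result back to degree T."""
    resh = [share(a * b % P) for a, b in zip(x, y)]   # resh[i][j]: party i -> j
    return [sum(LAMBDA[i] * resh[i][j] for i in range(N)) % P for j in range(N)]

def greater_than(x, y):
    """Ideal stand-in for [x] >? [y]; a real run uses a comparison protocol."""
    return share(int(reveal(x) > reveal(y)))

def highest_bid(bids):
    mx = share(0)
    for b in bids:                        # one comparison per bid: linear rounds
        c = greater_than(b, mx)           # the resulting bit stays shared
        mx = add(mul(c, sub(b, mx)), mx)  # [max] := c*([b]-[max]) + [max]
    return mx
```

No branch depends on the comparison bit, so the control flow reveals nothing about which bid is currently the highest.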

  8. Pros and Cons • Pros • Simple protocol construction • Description follows high-level intuition • Simple, iterative protocol construction • Cons • Difficult complexity analysis • Concrete protocols allow more efficiency tweaks

  9. Comparison (<?) • Given secret inputs [a] and [a’]: • Compute [b] = [a] <? [a’]  {0,1} • Assume • a, a’ are of bounded size (l bits), a ≠ a’ • Computation modulo prime p > 2^{l+k} + 2^k • There is a source of secret randomness • Cannot compare with arithmetic only • Transform to a solvable problem

  10. Initial Problem Transformation • Extract the l+1’th bit of [z] = 2^l + [a] – [a’] • [z] – [z mod 2^l] is the result (almost) • Add a uniformly random shared l+k bit value (with shared bits) and reconstruct • [r] = Σ 2^i [r_i] • c = [z] + [r] • [z mod 2^l] = (c mod 2^l - [r mod 2^l]) mod 2^l • The final “mod 2^l” can be accomplished by comparing [r mod 2^l] and c mod 2^l

  11. Comparing [r] and c • For each bit-position compute • [e_i] = 1 + c_i – [r_i] + Σ_{j>i} c_j[r_j] ([DGK07]) • The product of [e_i] will be 0, when [r] > c • Reveal d = [v]∙∏ [e_i] • Compute instead • [e_i] = [s] + c_i – [r_i] + 3Σ_{j>i} c_j[r_j] • The final result is (d==0)  ([s]==-1) • The whole thing boils down to a product of l+1 shared values
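Slides 10 and 11 carried through in the clear, as an added example (not code from the talk or from VIFF): plain integers mod p stand in for the shared values, and only additions, multiplications and the two openings (c and d) are used. It assumes the sum term in [e_i] is c_j XOR r_j as in the cited [DGK07] comparison (the slide text shows no operator between the two bits) and that the final result combines (d==0) and ([s]==-1) by XOR; the function name, default sizes and prime are chosen for illustration.

```python
import secrets

def less_than(a, a2, l=16, k=8, p=2**61 - 1):
    """Return 1 if a < a2 else 0; a and a2 are l-bit values with a != a2."""
    assert a != a2 and 0 <= a < 2**l and 0 <= a2 < 2**l
    assert 2**(l + k) + 2**(l + 1) < p          # z + r must not wrap mod p

    z = (2**l + a - a2) % p                     # [z] = 2^l + [a] - [a']
    r_bits = [secrets.randbelow(2) for _ in range(l + k)]    # [r_i]
    r = sum(2**i * b for i, b in enumerate(r_bits))          # [r]
    c = (z + r) % p                             # opened: z masked by r
    c_lo = c % 2**l                             # public
    c_bits = [(c_lo >> i) & 1 for i in range(l)]
    r_lo = sum(2**i * r_bits[i] for i in range(l))           # [r mod 2^l]

    s = secrets.choice([1, -1])                 # [s]: hides the direction
    v = 1 + secrets.randbelow(p - 1)            # [v]: nonzero mask for d
    d, xor_above = v, 0
    for i in reversed(range(l)):                # most significant bit first
        e_i = (s + c_bits[i] - r_bits[i] + 3 * xor_above) % p
        d = d * e_i % p
        # c_j XOR r_j is linear in [r_j] because c_j is public
        xor_above += c_bits[i] + r_bits[i] - 2 * c_bits[i] * r_bits[i]

    d_zero = int(d == 0)                        # opened d: only zero/nonzero used
    s_neg = (1 - s) * pow(2, -1, p) % p         # [s == -1] as a 0/1 value
    r_gt_c = (d_zero + s_neg - 2 * d_zero * s_neg) % p       # XOR of the two
    z_lo = (c_lo - r_lo + 2**l * r_gt_c) % p    # [z mod 2^l]
    top = (z - z_lo) * pow(2**l, -1, p) % p     # bit l of z, i.e. [a > a']
    return (1 - top) % p
```

The assumption a ≠ a’ is what guarantees r mod 2^l ≠ c mod 2^l, so exactly one bit position can drive the product to zero.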

  12. Theoretical vs Practical Solution • Above: O(log(l)) rounds, O(l) multiplications • Theory: O(1) rounds, O(l) multiplications • But: theory has worse constants: • [RT07]: 10 rounds, 24l multiplications • Above: log(l+1)+preproc rounds, l multiplications + randomness • For many input sizes, the above wins outright • Even when there is a tradeoff between rounds and computation, the above may win

  13. Final Words on Comparison • Efficient theory does not imply practical efficiency • Rounds matter, but so does communication size and computation • Often the same overall ideas can be applied • The comparison operator has been implemented in VIFF • Runs on 500-bit numbers in seconds

  14. Applications • The TTP is quite a powerful “secure computer” • A few example applications • Auction • Double auction • Benchmarking

  15. Double Auction • Buyers and sellers trade one type of good • Goal: Determine Market clearing price • Done using additions and a binary search • All trade occurs at MCP, bids are binding • Motivation: Trading sugar beet quotas • Has been run (3 parties, distributed trust) • Input data from 1200 farmers • See [BCD+08] for more details, ePrint:2008/068

  16. Benchmarking (and Others) • Companies want to know how well they are doing • Compare performance to that of competitors • E.g. relative performance pay scheme [NT07] • Actual performance is a trade secret • Can be translated to solving a linear program • Other LP examples: Multi-attribute auctions, bilateral negotiations

  17. Linear Programming • The problem • Maximize f(x_1,…,x_n) = ∑ f_i∙x_i • Subject to ∑ c_{i,j}∙x_i ≤ b_j for 1 ≤ j ≤ m • Not necessarily integer computation and result

  18. Solving LPs Efficiently • There is a variant of simplex using only integer computation • Works using repeated refinement of the problem in tableau form • Generally efficient, but may require exponentially many steps • Therefore: • Perform pivots (refinements) obliviously… • But test termination publicly

  19. MPC-simplex • Iterations consist of • Computing minimal values (of many) • Update the tableau (integer arithmetic) • Iteration-obliviousness “cheap” • Essentially the same complexity as a non-oblivious version, but with MPC • Termination condition is “free”

  20. Conclusions • MPC comparison is possible, even on large values • This can be used to construct large-scale applications • The Double Auction runs • Simplex should run on relatively large problems • Good theory does not imply good practice (but it should not be ignored)

  21. Virtual Ideal Functionality Framework (VIFF) • Python implementation of Shamir sharing and Gennaro et al. multiplication [GRR] • Asynchronous communication using deferreds • Allows field arithmetic and comparison • More on http://www.viff.dk
