
Secure Multi-party Computation Minimizing Online Rounds






Presentation Transcript


  1. Secure Multi-party Computation Minimizing Online Rounds
     Seung Geol Choi, Columbia University
     Joint work with Ariel Elbaz (Columbia University), Tal Malkin (Columbia University), Moti Yung (Columbia University & Google)

  2. Outline
     • Motivation
     • Our Results
     • First Protocol
     • Second Protocol
     • Conclusion

  3. Multi-party Computing with Encrypted Data (MPCED)
     [Figure: external parties P1, P2, …, Pn contribute inputs x, y to an encrypted database]
     • Considered implicitly in [FH96,JJ00,CDN01]
     • External parties
     • Many computations on encrypted database
     • Dynamic data contribution from external parties

  4. Round-complexity of protocols
     • Critical measure of efficiency
     • There are constant-round MPC protocols, but the exact constant is big.
     • Focus on online round-complexity
     • Possibly allow any poly-time preprocessing independent of the function of interest and the input
     • Minimization of turn-around time
     • Preprocessing can be handled separately, e.g., by cloud computing

  5. Outline
     • Motivation
     • Our Results
     • First Protocol
     • Second Protocol
     • Conclusion

  6. Previous Work
     Can we do it in one or two rounds for < n corruption (fewer than n corrupted parties)?
     • Yes, for the static case

  7. Our Results
     • Two protocols for MPCED with small online round complexity w/ preprocessing
     • One-round protocol P1
     • Two-round protocol P2 (depending on the case, P2 has more efficient preprocessing than P1)
     • Static and < n corruption
     • Uses ElGamal encryption
     • Extendable to any threshold homomorphic encryption scheme

  8. Outline
     • Motivation
     • Our Results
     • First Protocol
     • Second Protocol
     • Conclusion

  9. First Protocol
     • Takes one round
     • General idea: modify Yao's protocol
     • Garble a universal circuit instead of a given circuit
     • Replace OT w/ a one-round equivalent step using homomorphism

  10. Preprocessing
     • Generate a garbled circuit for a universal circuit [V76,KS08]
     • Overall, follow Yao's technique except for the input wire keys.

  11. Yao's Garbled Circuit
     [Figure: one NAND gate with left input wire keys l0, l1, right input wire keys r0, r1 and output wire keys k0, k1. Its garbled table is
      E_{l0,r0}(k1), E_{l1,r0}(k1), E_{l0,r1}(k1), E_{l1,r1}(k0),
      i.e., the output key k0 is exposed only when both input wires carry their 1-keys.]

  12. Yao's Garbled Circuit
     [Figure: three copies of the garbled NAND gate of slide 11, wired into a circuit.]
     Once the keys of the input wires in the entire circuit are determined, the circuit can be computed locally.
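The garbled NAND gate of slides 11 and 12, as an added worked example that is not code from the slides or the paper. The row encryption E_{l,r}(·) is realized here as a SHA-256 keystream XORed over the output key plus a zero tag (an assumption; the slides do not fix the cipher), and two gates are chained so that the "compute locally" step is visible: the evaluator holds exactly one key per input wire and opens gate after gate.

```python
import hashlib
import secrets

KEY_BYTES = 16          # length of every wire key
TAG = bytes(KEY_BYTES)  # zero tag appended so decryption with the wrong keys is detected


def row_pad(left_key, right_key, gate_id):
    """Keystream for one table row, derived from the two input-wire keys.
    Stands in for the slide's E_{l,r}(.) (constructed for this example)."""
    return hashlib.sha256(left_key + right_key + gate_id.encode()).digest()


def encrypt_row(left_key, right_key, out_key, gate_id):
    """E_{l,r}(k): XOR the tagged output key with the row pad."""
    pad = row_pad(left_key, right_key, gate_id)
    return bytes(a ^ b for a, b in zip(out_key + TAG, pad))


def garble_circuit(gates):
    """gates: (gate_id, left_wire, right_wire, out_wire) tuples in topological order.
    Returns the two keys of every wire and the shuffled garbled table of every NAND gate."""
    keys, tables = {}, {}

    def wire(name):
        if name not in keys:
            keys[name] = [secrets.token_bytes(KEY_BYTES) for _ in range(2)]
        return keys[name]

    for gid, lw, rw, ow in gates:
        l, r, k = wire(lw), wire(rw), wire(ow)
        # NAND: output key k1 unless both inputs carry their 1-key, then k0 (slide 11 table)
        rows = [encrypt_row(l[a], r[b], k[1 - (a & b)], gid) for a in (0, 1) for b in (0, 1)]
        secrets.SystemRandom().shuffle(rows)  # hide which row belongs to which input pair
        tables[gid] = rows
    return keys, tables


def evaluate_gate(left_key, right_key, rows, gate_id):
    """Evaluator holds one key per input wire; the row whose tag checks out yields the output key."""
    pad = row_pad(left_key, right_key, gate_id)
    for row in rows:
        plain = bytes(a ^ b for a, b in zip(row, pad))
        if plain[KEY_BYTES:] == TAG:
            return plain[:KEY_BYTES]
    raise ValueError("no row decrypted cleanly: wrong input keys or corrupted table")


def evaluate_circuit(gates, tables, input_keys):
    """Local evaluation: once one key per input wire is known, every gate is opened in order."""
    have = dict(input_keys)
    for gid, lw, rw, ow in gates:
        have[ow] = evaluate_gate(have[lw], have[rw], tables[gid], gid)
    return have


# Constructed two-gate circuit: t = NAND(x, x) = NOT x; out = NAND(t, y) = x OR NOT y
CIRCUIT = [("g1", "x", "x", "t"), ("g2", "t", "y", "out")]


def run_demo(x, y):
    """Garble CIRCUIT, hand the evaluator the keys for inputs x and y, and return
    (the output bit recovered from the output key, the expected bit)."""
    keys, tables = garble_circuit(CIRCUIT)
    out_key = evaluate_circuit(CIRCUIT, tables, {"x": keys["x"][x], "y": keys["y"][y]})["out"]
    return keys["out"].index(out_key), x | (1 - y)
```

The zero tag is the classic trick for letting the evaluator recognize the one row it can open; the table shuffle is what keeps the row position from leaking the input bits. Nothing here fixes how the evaluator obtains its input keys, which is exactly the step the first protocol replaces with homomorphic threshold decryption.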

  13. Preprocessing - 2
     • Input wires
     • Pick a random h for global use: hidden
     • Keys in each input wire j, say w_j0 and w_j1, should satisfy w_j1 = w_j0 * h
     • Publish H = E_y(h)
     • Publish E_y(w_j0) for each input wire j

  14. Encrypted Input Data
     • E_y(h^b) for Boolean input b
     • If b = 0, publish E_y(1)
     • If b = 1, re-randomize H

  15. Online Stage
     • Given
     • Input wire: W0 = E_y(w0)
     • Input data: C = E_y(h^b)
     • Decrypt W0 * C
     • Note W0 * C = E_y(w0 * h^b) = E_y(w_b)
     • Requires only a single round

  16. First Protocol: Summary
     • Use a garbled universal circuit with augmented manipulation in the input wires
     • Replace the OT procedure in Yao with threshold decryption using homomorphism
     • Needs a single online round

  17. Outline
     • Motivation
     • Our Results
     • First Protocol
     • Second Protocol
     • Conclusion

  18. Second Protocol
     • Takes two rounds.
     • Natural extension of the two-party case [CEJMY07]
     • Idea
     • Preprocessing: garble individual gates
     • Independent of a circuit or input
     • Online stage: construct wires between garbled gates and inputs

  19. Preprocessing
     [Figure: a circuit of NAND gates computing x > y from inputs x, y and the constant 1]
     • Garbled NAND gates
     • Bunch of fresh ElGamal key pairs: (pk, E_y(sk))

  20. Garbled NAND gates with fresh ElGamal key pairs
     Intermediate gates: NAND + keys
     Top-level gates: IDENTITY + keys

  21. Online stage
     • Construct wires between garbled gates and inputs
     • How? Use CODE (explained next)

  22. Conditional Oblivious Decryption Exposure (CODE)
     • Functionality
     • Assumes parties share the private key for y
     • Input: three ciphertexts Cin, Cout, Ckey, and a key z
     • Output: E_z(Mkey) if Min = Mout, E_z(random) otherwise
     [Figure: with Cin = E_y(1), Cout = E_y(1), Ckey = E_y(100) the output is E_z(100); with Cin = E_y(1), Cout = E_y(g), Ckey = E_y(100) the output is E_z(random)]
     Can be implemented w/ homomorphic enc in 2 rounds.

  23. Online Stage – Run CODEs
     [Figure: chains of NAND gates fed by input x]
     • Run CODE in parallel for each (Cin, Cout, Ckey) tuple.
     • Encrypted under z = pkL * pkR: E_z(skL)
     • Not encrypted (z = 1): skR
     Then, locally compute the circuit using the CODE outputs inductively.
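An added example, not the authors' code, that covers both the input-wire trick of slides 13 to 15 and the CODE functionality of slides 22 and 23 on one multiplicatively homomorphic ElGamal toolkit. Assumptions: a toy group (safe prime P = 10007, subgroup generator G = 4, far too small for real use), the private key additively shared among n parties so that threshold decryption is one message per party, and a two-round CODE realization that I built from the homomorphism (each party contributes a randomizer r_i for E_y(Min/Mout) and a blinding factor b_i encrypted under both y and z). This realization is semi-honest only; the slides say CODE can be done in two rounds but do not give the construction, and a maliciously secure version would need zero-knowledge proofs that the messages are well formed.

```python
import secrets

# Toy ElGamal group, constructed for this example and far too small for real use:
# safe prime P = 2Q + 1, every key and message taken in the order-Q subgroup <G>.
P, Q, G = 10007, 5003, 4


def keygen(n):
    """Secret key additively shared among n parties (sk = sum of shares mod Q); public key = G^sk."""
    shares = [secrets.randbelow(Q) for _ in range(n)]
    return pow(G, sum(shares) % Q, P), shares


def enc(pk, m):
    r = secrets.randbelow(Q)
    return (pow(G, r, P), m * pow(pk, r, P) % P)


def mul(c, d):
    """Homomorphic product: E(a) * E(b) = E(a*b)."""
    return (c[0] * d[0] % P, c[1] * d[1] % P)


def cpow(c, e):
    """Homomorphic exponent: E(a)^e = E(a^e); e = -1 is homomorphic division."""
    return (pow(c[0], e, P), pow(c[1], e, P))


def partial_dec(share, c):
    """A party's single threshold-decryption message: c1 raised to its key share."""
    return pow(c[0], share, P)


def combine(c, partials):
    """Anyone can finish: m = c2 / prod(partials) = c2 / c1^sk."""
    d = 1
    for x in partials:
        d = d * x % P
    return c[1] * pow(d, -1, P) % P


# ---- First protocol, input wires (slides 13-15) ----

def p1_preprocess_wire(y):
    """Hidden h, wire keys with w1 = w0 * h; publish H = E_y(h) and W0 = E_y(w0)."""
    h = pow(G, secrets.randbelow(Q), P)
    w0 = pow(G, secrets.randbelow(Q), P)
    return (w0, w0 * h % P), enc(y, h), enc(y, w0)


def p1_encrypt_input(y, H, b):
    """E_y(h^b): a fresh E_y(1) for b = 0, a re-randomization of H for b = 1."""
    return mul(H, enc(y, 1)) if b else enc(y, 1)


def p1_online(y_shares, W0, C):
    """One round: each party sends a partial decryption of W0 * C = E_y(w0 * h^b) = E_y(w_b)."""
    target = mul(W0, C)
    return combine(target, [partial_dec(s, target) for s in y_shares])


# ---- CODE (slide 22): two rounds, semi-honest, my own construction (no ZK proofs) ----

def code_round1(y, z, Cin, Cout):
    """Party i: randomize E_y(Min/Mout) with r_i and commit a blinding factor b_i under y and z."""
    r_i, b_i = secrets.randbelow(Q), pow(G, secrets.randbelow(Q), P)
    return cpow(mul(Cin, cpow(Cout, -1)), r_i), enc(y, b_i), enc(z, b_i)


def code_round2(share, Ckey, msgs):
    """Everyone forms X = Ckey * prod D_i * prod E_y(b_i); party i sends its partial decryption of X."""
    X = Ckey
    for D_i, Ey_b, _ in msgs:
        X = mul(mul(X, D_i), Ey_b)
    return X, partial_dec(share, X)


def code(y, z, y_shares, Cin, Cout, Ckey):
    """Returns E_z(Mkey) when Min = Mout, E_z(random) otherwise; Mkey itself is never revealed."""
    msgs = [code_round1(y, z, Cin, Cout) for _ in y_shares]
    partials = []
    for s in y_shares:
        X, pd = code_round2(s, Ckey, msgs)
        partials.append(pd)
    blinded = combine(X, partials)          # Mkey * (Min/Mout)^R * B with B = prod b_i
    out = (1, blinded)                      # trivial encryption of the blinded value under z
    for _, _, Ez_b in msgs:
        out = mul(out, cpow(Ez_b, -1))      # strip B inside the ciphertext: E_z(Mkey * (Min/Mout)^R)
    return out


def demo(n=3):
    y, y_shares = keygen(n)
    z, z_shares = keygen(n)
    (w0, w1), H, W0 = p1_preprocess_wire(y)
    recovered = [p1_online(y_shares, W0, p1_encrypt_input(y, H, b)) for b in (0, 1)]
    Cin, Ckey = enc(y, 1), enc(y, 100)                    # the values of the slide-22 figure
    equal = code(y, z, y_shares, Cin, enc(y, 1), Ckey)
    unequal = code(y, z, y_shares, Cin, enc(y, G), Ckey)
    dec_z = lambda c: combine(c, [partial_dec(s, c) for s in z_shares])
    return {"wire_keys": [w0, w1], "recovered": recovered,
            "code_equal": dec_z(equal), "code_unequal": dec_z(unequal)}
```

The only value ever opened in `code` is the blinded product, which every party's b_i masks; the key switch from y to z works because a trivial encryption divided by the parties' E_z(b_i) is again a valid ElGamal ciphertext under z. In the unequal case the exponent R is the sum of the r_i, so the output decrypts to Mkey only with probability 1/Q.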

  24. Online Stage – After Running CODE
     [Figure: the wired circuit; the final column holds E_{pkL*pkR}(sk), E_z(skL), skR]
     Decrypt the final column using sk.

  25. Summary: Second Protocol
     • Preprocessing
     • Garbled NAND gates, fresh ElGamal keys
     • Online Stage
     • Run 2-round CODE protocols in parallel

  26. Summary
     Second Protocol
     • Online #rounds: two
     • No blow-up of gates
     • 2n-round explicit preprocessing: efficient when n is very small (when n is big, use generic protocols)
     First Protocol
     • Online #rounds: one
     • Logarithmic blow-up of gates
     • No explicit preprocessing: should use generic protocols such as [IPS08].

  27. Outline
     • Motivation
     • Our Results
     • First Protocol
     • Second Protocol
     • Conclusion

  28. Multi-party Computing with Encrypted Data (MPCED)
     [Figure: external parties P1, P2, …, Pn contribute inputs x, y to an encrypted database]
     • Considered implicitly in [FH96,JJ00,CDN01]
     • External parties
     • Many computations on encrypted database
     • Dynamic data contribution from external parties

  29. Our Results
     • Two protocols for MPCED with small online round complexity w/ preprocessing
     • One-round protocol P1
     • Two-round protocol P2 (depending on the case, P2 has more efficient preprocessing than P1)
     • Static and < n corruption

  30. Thank you
