Secure Multi-party Computation Minimizing Online Rounds

1
Secure Multi-party ComputationMinimizing Online
Rounds

• Seung Geol Choi
• Columbia University

Joint work with Ariel Elbaz (Columbia
University) Tal Malkin (Columbia University) Moti
Yung (Columbia University Google)
2
Outline

• Motivation
• Our Results
• First Protocol
• Second Protocol
• Conclusion

3
Multi-party Computing with Encrypted Data (MPCED)
Considered implicitly in FH96,JJ00,CDN01
external parties
many computations on encrypted database
dynamic data contribution from external parties
4
Round-complexity of protocols

• Critical measure on the efficiency
• There are constant-round MPC protocols, but the
  exact constant is big.
• Focus on online round-complexity
• Possibly allow any poly-time preprocessing
  independent of the function of interest and
  input.
• Minimization of turn-around time
• Preprocessing can be handled separately, e.g., by
  cloud computing

5
Outline

• Motivation
• Our Results
• First Protocol
• Second Protocol
• Conclusion

6
Previous Work
Adaptive/Static rounds corrupt
CLOS02 Adaptive O(d) lt n
DN03 Adaptive (Arithm.) O(d) ltn
DI05 Adaptive 2 const lt n/5 lt n/2
DIK08 Adaptive const lt n/2
IPS08 Adaptive const lt n
Can we do it in one or two rounds for ltn
corruption?
Yes, for static case
7
Our Results

• Two protocols for MPCED with small online round
  complexity w/ preprocessing
• one-round protocol P1
• Two-round protocol P2 (Depending on the case, P2
  has more efficient preprocessing than P2).
• Static and ltn corruption
• Uses ElGamal encryption
• extendable to any threshold homomorphic
  encryption schemes.

8
Outline

• Motivation
• Our Results
• First Protocol
• Second Protocol
• Conclusion

9
First Protocol

• Takes one round
• General Idea Modify Yaos protocol
• Garble a universal circuit instead of a given
  circuit
• Replace OT w/ one-round equivalent stepusing
  homomorphism.

10
Preprocessing

• Generate a Garbled Circuit for a Universal
  Circuit V76,KS08
• Overall, follow Yaos technique except input wire
  keys.

11
Yaos Garbled Circuit
k0
k1
NAND
El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0)
l0
l1
r0
r1
12
Yaos Garbled Circuit
NAND
Once keys of the input wires in the entire
circuit are determined, can compute the circuit
locally.
13
Preprocessing - 2

• Input wires
• Pick a random h for global use hidden
• Keys in each input wire j, say wj0 and wj1,
  should satisfy wj1 wj0 h
• publish H Ey(h)
• publish Ey(wj0) for each input wire j

14
Encrypted Input Data

• Ey(hb) for Boolean input b
• If b 0, publish Ey(1)
• If b 1, re-randomize H

15
Online Stage

• Given
• input wire W0 Ey(w0)
• Input data C Ey(hb)
• Decrypt W0 C
• Note W0 C Ey(w0hb) Ey(wb)
• Requires only a single round

16
First Protocol Summary

• Use garbled universal circuit with augmented
  manipulation in the input wires
• Replace OT procedure in Yao with threshold
  decryption using homomorphism
• Needs a single online round

17
Outline

• Motivation
• Our Results
• First Protocol
• Second Protocol
• Conclusion

18
Second Protocol

• Takes two rounds.
• Natural extension of two-party case CEJMY07
• Idea
• Preprocessing garble individual gates
• Independent of a circuit or input
• Online stage construct wires between garbled
  gates and inputs

19
Preprocessing

• Garbled NAND gates
• Bunch of fresh ElGamal key pairs (pk, Ey(sk))

20
Garbled NAND gateswith fresh ElGamal key pairs
Intermediate gates NAND keys
top-level gates IDENTITY keys
21
Online stage

• Construct wires between garbled gates and inputs
• How? Use CODE (explained next)

22
Conditional Oblivious Decryption Exposure (CODE)

• Functionality
• Assumes parties share the private key for y
• Input three ciphertexts Cin, Cout, Ckey, a key z
  
• Output Ez(Mkey) if Min ? Mout,
  Ez(random) otherwise

Can be implemented w/ homomorphic enc in 2 rounds.
23
Online Stage Run CODEs

• Run CODE in parallel for each Cin, Cout, Ckey
  tuple.

encrypted under z pkL pkR Ez(skL)
Not encrypted z 1 skR
Then, locally computes the circuit using CODE
outputs inductively.
24
Online Stage After Running CODE
Decrypt Final column Using sk
EpkLpkR(sk)
Ez(skL)
skR
25
Summary Second Protocol

• Preprocessing
• Garbled NAND gates, fresh ElGamal keys
• Online Stage
• Run 2-round CODE protocols in parallel

26
Summary

• Second Protocol
• online round two
• No blow-up of gates
• 2n-round explicit preprocessing efficient when n
  is very small (when n is big, use generic
  protocols)

• First Protocol
• online rounds one
• Logarithmic blow-up of gates
• No explicit preprocessing should use generic
  protocols such as IPS08.

27
Outline

• Motivation
• Our Results
• First Protocol
• Second Protocol
• Conclusion

28
Multi-party Computing with Encrypted Data (MPCED)
Considered implicitly in FH96,JJ00,CDN01
external parties
many computations on encrypted database
dynamic data contribution from external parties
29
Our Results

• Two protocols for MPCED with small online round
  complexity w/ preprocessing
• one-round protocol P1
• Two-round protocol P2 (Depending on the case, P2
  has more efficient preprocessing than P2).
• Static and ltn corruption

30
Thank you