Secure multi party computation minimizing online rounds

Secure Multi-party Computation Minimizing Online Rounds. Seung Geol Choi, Columbia University. Joint work with Ariel Elbaz (Columbia University), Tal Malkin (Columbia University), Moti Yung (Columbia University & Google). Outline: Motivation, Our Results, First Protocol, Second Protocol

Secure Multi-party Computation Minimizing Online Rounds

Seung Geol Choi

Columbia University

Joint work with

Ariel Elbaz (Columbia University)

Tal Malkin (Columbia University)

Moti Yung (Columbia University & Google)


Outline

  • Motivation

  • Our Results

    • First Protocol

    • Second Protocol

  • Conclusion


Multi-party Computing with Encrypted Data (MPCED)

  • Considered implicitly in [FH96,JJ00,CDN01]

  • Many computations on an encrypted database

  • Dynamic data contribution from external parties

[Figure: parties P1, P2, ..., Pn and external parties; inputs x and y]


Round-complexity of protocols

  • Critical measure of efficiency

  • There are constant-round MPC protocols, but the exact constant is big.

  • Focus on online round-complexity

    • Possibly allow any poly-time preprocessing independent of the function of interest and input.

    • Minimization of turn-around time

    • Preprocessing can be handled separately, e.g., by cloud computing


Previous Work

Can we do it in one or two rounds for <n corruption?

  • Yes, for static case


Our Results

  • Two protocols for MPCED with small online round complexity w/ preprocessing

    • one-round protocol P1

    • Two-round protocol P2 (Depending on the case, P2 has more efficient preprocessing than P1).

  • Static and <n corruption

  • Uses ElGamal encryption

    • Extendable to any threshold homomorphic encryption scheme.


First Protocol

  • Takes one round

  • General Idea: Modify Yao’s protocol

    • Garble a universal circuit instead of a given circuit

    • Replace OT w/ a one-round equivalent step using homomorphism.


Preprocessing

  • Generate a Garbled Circuit for a Universal Circuit [V76,KS08]

  • Overall, follow Yao’s technique except for the input wire keys.


Yao’s Garbled Circuit

  • NAND gate with input wire keys l0, l1 and r0, r1, and output wire keys k0, k1

  • Garbled table: E_{l0,r0}(k1), E_{l1,r0}(k1), E_{l0,r1}(k1), E_{l1,r1}(k0)

  • Once the keys of the input wires in the entire circuit are determined, the circuit can be computed locally.

[Figure: several garbled NAND gates, each with its own wire keys and garbled table]


Preprocessing - 2

  • Input wires

    • Pick a random h for global use; h is kept hidden

    • Keys in each input wire j, say wj0 and wj1, should satisfy wj1 = wj0 * h

    • Publish H = Ey(h)

    • Publish Ey(wj0) for each input wire j


Encrypted Input Data

  • Ey(h^b) for Boolean input b

    • If b = 0, publish Ey(1)

    • If b = 1, re-randomize H


Online Stage

  • Given

    • Input wire: W0 = Ey(w0)

    • Input data: C = Ey(h^b)

  • Decrypt W0 * C

    • Note W0 * C = Ey(w0 * h^b) = Ey(wb)

  • Requires only a single round
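
The three steps above (input-wire preprocessing, encrypted input data, online stage) as an added example, not code from the presentation. It assumes a constructed toy group, an n-of-n additive sharing of the decryption key, and a trusted dealer in place of the generic MPC preprocessing; all function names are hypothetical.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2Q + 1 is a safe
# prime and G generates the order-Q subgroup that all messages live in.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def keygen(n):
    """Assumed n-of-n additive sharing of the secret key behind y."""
    shares = [rand_exp() for _ in range(n)]
    return shares, pow(G, sum(shares), P)

def enc(y, m):
    r = rand_exp()
    return pow(G, r, P), m * pow(y, r, P) % P

def mul(c, d):
    """Homomorphism: Ey(a) * Ey(b) = Ey(a * b)."""
    return c[0] * d[0] % P, c[1] * d[1] % P

def preprocess(y):
    """Assumed trusted dealer standing in for the generic MPC preprocessing."""
    h, w0 = pow(G, rand_exp(), P), pow(G, rand_exp(), P)
    return (w0, w0 * h % P), enc(y, h), enc(y, w0)  # (w0, w1), H, W0

def encrypt_input(y, H, b):
    """Ey(h^b): Ey(1) for b = 0, a re-randomized H for b = 1."""
    return mul(H, enc(y, 1)) if b else enc(y, 1)

def online_round(shares, W0, C):
    """Each party sends one decryption share of W0 * C; anyone combines them."""
    a, v = mul(W0, C)
    mask = 1
    for x_i in shares:                 # party i publishes a^{x_i}
        mask = mask * pow(a, x_i, P) % P
    return v * pow(mask, -1, P) % P    # plaintext w0 * h^b = w_b

def demo(n=3):
    shares, y = keygen(n)
    (w0, w1), H, W0 = preprocess(y)
    got = [online_round(shares, W0, encrypt_input(y, H, b)) for b in (0, 1)]
    return got == [w0, w1]
```

The decrypting parties learn only the wire key w_b, never b or h directly, which is what lets the threshold decryption stand in for OT.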


First Protocol: Summary

  • Use garbled universal circuit with augmented manipulation in the input wires

  • Replace OT procedure in Yao with threshold decryption using homomorphism

  • Needs a single online round


Second Protocol

  • Takes two rounds.

  • Natural extension of two-party case [CEJMY07]

  • Idea

    • Preprocessing: garble individual gates

      • Independent of a circuit or input

    • Online stage: construct wires between garbled gates and inputs


Preprocessing

  • Garbled NAND gates

  • A bunch of fresh ElGamal key pairs: (pk, Ey(sk))

[Figure: example circuit for x > y built from three NAND gates, with inputs x, y and the constant 1]


Garbled NAND gates with fresh ElGamal key pairs

Intermediate gates: NAND + keys

top-level gates: IDENTITY + keys


Online stage

  • Construct wires between garbled gates and inputs

    • How? Use CODE (explained next)


Conditional Oblivious Decryption Exposure (CODE)

  • Functionality

    • Assumes parties share the private key for y

    • Input: three ciphertexts Cin, Cout, Ckey, a key z

    • Output: Ez(Mkey) if Min = Mout, Ez(random) otherwise

  • Examples from the figure

    • Cin = Ey(1), Cout = Ey(1), Ckey = Ey(100): output Ez(100)

    • Cin = Ey(1), Cout = Ey(g), Ckey = Ey(100): output Ez(random)

  • Can be implemented w/ homomorphic enc in 2 rounds.


Online Stage – Run CODEs

  • Run CODE in parallel for each Cin, Cout, Ckey tuple.

  • Then, locally compute the circuit using the CODE outputs inductively.

[Figure: garbled NAND gates wired to input x. Labels: "encrypted under z = pkL * pkR: Ez(skL)" and "not encrypted, z = 1: skR"]


Online Stage – After Running CODE

  • Decrypt the final column using sk

[Figure labels: EpkL*pkR(sk), Ez(skL), skR]


Summary : Second Protocol

  • Preprocessing

    • Garbled NAND gates, fresh ElGamal keys

  • Online Stage

    • Run 2-round CODE protocols in parallel


Summary

  • Second Protocol

    • Online #rounds: two

    • No blow-up of gates

    • 2n-round explicit preprocessing: efficient when n is very small (when n is big, use generic protocols)

  • First Protocol

    • Online #rounds: one

    • Logarithmic blow-up of gates

    • No explicit preprocessing: should use generic protocols such as [IPS08].


Our Results

  • Two protocols for MPCED with small online round complexity w/ preprocessing

    • one-round protocol P1

    • Two-round protocol P2 (Depending on the case, P2 has more efficient preprocessing than P1).

  • Static and <n corruption


Thank you

