1
Secure Multi-party ComputationMinimizing Online Rounds
Seung Geol Choi Columbia University
Joint work with
Ariel Elbaz (Columbia University)
Tal Malkin (Columbia University)
Moti Yung (Columbia University & Google)
2
Outline
• Motivation
• Our Results– First Protocol– Second Protocol
• Conclusion
3
Multi-party Computing with Encrypted Data (MPCED)
P1
P2
Pn
…
x y
external parties
Considered implicitly in [FH96,JJ00,CDN01]
many computations on encrypted database
dynamic data contribution from external parties
4
Round-complexity of protocols
• Critical measure on the efficiency• There are constant-round MPC protocols, but
the exact constant is big.• Focus on online round-complexity
– Possibly allow any poly-time preprocessing independent of the function of interest and input.
– Minimization of turn-around time– Preprocessing can be handled separately, e.g., by
cloud computing
5
Outline
• Motivation
• Our Results– First Protocol– Second Protocol
• Conclusion
6
Previous Work
Adaptive/Static #rounds #corrupt
[CLOS02] Adaptive O(d) < n
[DN03] Adaptive (Arithm.) O(d) <n
[DI05] Adaptive 2const
< n/5< n/2
[DIK08+] Adaptive const < n/2
[IPS08] Adaptive const < n
Yes, for static case
Can we do it in one or two rounds for <n corruption?
7
Our Results
• Two protocols for MPCED with small online round complexity w/ preprocessing– one-round protocol P1
– Two-round protocol P2 (Depending on the case, P2
has more efficient preprocessing than P2).
• Static and <n corruption• Uses ElGamal encryption
– extendable to any threshold homomorphic encryption schemes.
8
Outline
• Motivation
• Our Results– First Protocol– Second Protocol
• Conclusion
9
First Protocol
• Takes one round
• General Idea: Modify Yao’s protocol– Garble a universal circuit instead of a given
circuit– Replace OT w/ one-round equivalent step
using homomorphism.
10
Preprocessing
• Generate a Garbled Circuit for a Universal Circuit [V76,KS08]
• Overall, follow Yao’s technique except input wire keys.
11
l0 l1 r0 r1
El0,r0(k1)
El1,r0(k1)
El0,r1(k1)
El1,r1(k0)
k0 k1
Yao’s Garbled Circuit
NAND
12
l0 l1 r0 r1
El0,r0(k1)
El1,r0(k1)
El0,r1(k1)
El1,r1(k0)
k0 k1
l0 l1 r0 r1
El0,r0(k1)
El1,r0(k1)
El0,r1(k1)
El1,r1(k0)
k0 k1
l0 l1 r0 r1
El0,r0(k1)
El1,r0(k1)
El0,r1(k1)
El1,r1(k0)
k0 k1
Yao’s Garbled Circuit
NAND Once keys of the input wires in the entire circuit are determined, can compute the circuit locally.
13
Preprocessing - 2
• Input wires– Pick a random h for global use: hidden
– Keys in each input wire j, say wj0 and wj
1,
should satisfy wj1 = wj
0 * h
– publish H = Ey(h)
– publish Ey(wj0) for each input wire j
14
Encrypted Input Data
• Ey(hb) for Boolean input b
– If b = 0, publish Ey(1)
– If b = 1, re-randomize H
15
Online Stage
• Given – input wire: W0 = Ey(w0)
– Input data: C = Ey(hb)
• Decrypt W0 * C
– Note W0 * C = Ey(w0*hb) = Ey(wb)
• Requires only a single round
16
First Protocol: Summary
• Use garbled universal circuit with augmented manipulation in the input wires
• Replace OT procedure in Yao with threshold decryption using homomorphism
• Needs a single online round
17
Outline
• Motivation
• Our Results– First Protocol– Second Protocol
• Conclusion
18
Second Protocol
• Takes two rounds.
• Natural extension of two-party case [CEJMY07]
• Idea– Preprocessing: garble individual gates
• Independent of a circuit or input
– Online stage: construct wires between garbled gates and inputs
19
Preprocessing
• Garbled NAND gates
• Bunch of fresh ElGamal key pairs: (pk, Ey(sk))
NAND
NAND
NAND
1yx
x > y
20
Garbled NAND gateswith fresh ElGamal key pairs
Intermediate gates: NAND + keys
top-level gates: IDENTITY + keys
21
Online stage
• Construct wires between garbled gates and inputs– How? Use CODE (explained next)
22
Conditional Oblivious Decryption Exposure (CODE)
• Functionality– Assumes parties share the private key for y
– Input: three ciphertexts Cin, Cout, Ckey, a key z
– Output: Ez(Mkey) if Min Mout, Ez(random) otherwise
Ey(g)
Ey(1) Ey(100)
Cout
Cin
Ckey
Output: Ez(random)
Ey(1)
Ey(1) Ey(100)
Cout
Cin
Ckey
Output: Ez(100)
Can be implemented w/ homomorphic enc in 2 rounds.
23
Online Stage – Run CODEs• Run CODE in parallel
for each Cin, Cout, Ckey tuple.NAND
NAND x
encrypted under z = pkL * pkR: Ez(skL)
... ... ... Not encrypted z =1: skR
Then, locally computes the circuit using CODE outputs inductively.
24
Online Stage – After Running CODE
... ... ...Ez(skL) skR
EpkL*pkR(sk)
Decrypt Final columnUsing sk
25
Summary : Second Protocol
• Preprocessing– Garbled NAND gates, fresh ElGamal keys
• Online Stage– Run 2-round CODE protocols in parallel
26
Summary
• Second Protocol– online #round: two
– No blow-up of gates
– 2n-round explicit preprocessing: efficient when n is very small (when n is big, use generic protocols)
• First Protocol– online #rounds: one
– Logarithmic blow-up of gates
– No explicit preprocessing: should use generic protocols such as [IPS08].
27
Outline
• Motivation
• Our Results– First Protocol– Second Protocol
• Conclusion
28
Multi-party Computing with Encrypted Data (MPCED)
P1
P2
Pn
…
x y
external parties
Considered implicitly in [FH96,JJ00,CDN01]
many computations on encrypted database
dynamic data contribution from external parties
29
Our Results
• Two protocols for MPCED with small online round complexity w/ preprocessing– one-round protocol P1
– Two-round protocol P2 (Depending on the case, P2
has more efficient preprocessing than P2).
• Static and <n corruption
30
Thank you