two round information-theoretic mpc with malicious...

Two Round Information-Theoretic MPC with Malicious Security

Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain

TPMPC 2019

Adversarial Model

Adversarial Model

Malicious Adversary

Adversarial Model

Malicious Adversary

Corrupts < "/2 parties (Honest Majority)

Honest Majority MPC

Honest Majority MPCInformation-Theoretic security is possible.

[Ben-Or, Goldwasser, Widgerson’88]

Typically UC secureSimulation proofs are typically straight-line

Round complexity lower bounds for dishonest majority do not apply 4 rounds necessary for dishonest majority in the plain model [Garg- Mukherjee-Pandey-Polychroniadou16]

Clean ConstructionsUse lightweight tools such as garbling and secret-sharing

Honest Majority MPC: Applications

Useful for constructing efficient ZK-protocols.

Honest Majority MPC: Applications

(Courtesy: Sergey Gorbunov’s talk)

History of IT-MPC

Round Complexity

Class of Functions

Corruption Threshold

Adversary

[BGW’88] > # of multiplications

P/Poly t<n/2 Malicious

[BB’89, IK’00, AIK’06]

constant NC1 t<n/2 Malicious

[IKP’10] 2 NC1 t<n/3 Malicious[GIS’18, ABT’18] 2 NC1 t<n/2 Semi-honest

Security with selective abort

Our Results

Round Complexity Class of Functions Corruption Threshold Adversary2 NC1 t<n/2 Malicious

Security with Abort over Broadcast + P2P

Security with Selective Abort over P2P

Our Results




Concurrent Work [ABT19]

Consider security with selective abort.

This Talk




Our Strategy

2 Round IT-MPC(Privacy with Knowledge of

Outputs)

2 Round IT-MPC(Security with Abort)

Broadcast + P2P

Broadcast + P2P

Constant Round IT-MPC(Security with Abort)

Broadcast + P2P

Round Compression

Security Upgrade

Security with Abort

Party 1

Party 2

Party 3

Trusted Party

!

Security with Abort

!1

!2

!3Party 1

Party 2

Party 3

Trusted Party

%

Security with Abort

!1

!2

!3

% = '(!1, !2, !3)

Party 1

Party 2

Party 3

Trusted Party

'

Security with Abort

!1

!2

!3

% = '(!1, !2, !3)

%’ = % ,- ⊥Party 1

Party 2

Party 3

Trusted Party

'

Security with Abort

!1

!2

!3

% = '(!1, !2, !3)

%’ = % ,- ⊥

%’

%’Party 1

Party 2

Party 3

Trusted Party

'

Security with Abort

Privacy!2 and !3 remain hidden

$

Security with Abort


Output CorrectnessHonest Parties either output

$ !%, !', !( or ⊥

$

Privacy with Knowledge of Outputs


Output CorrectnessHonest Parties either output

$ !%, !', !( or ⊥

$

First Step


Outputs)


Broadcast + P2P

Broadcast + P2P


Broadcast + P2P

Round Compression

Security Upgrade

Using Signed Outputs [IKP10]

!"1"2"3

& = ! ("), "+, ",)

Using Signed Outputs [IKP10]

!′#1, &'(, )'(

* = ! (#(, #-, #.)

#-,&'-, )'-#., &'., )'.

(&'(,0( = 1234 (*, )'1))(&'-,0- = 1234 (*, )'-))(&'.,0. = 1234 (*, )'.))

!", $%", &%"', (), $%) , (", $%" , ((+, $%+)

Party 2Trusted Party

Security with abort: Using Signed Outputs

-./01'(', (", $%")1’

-./01'(', (), $%))

-./01'(', (+, $%+)

!", $%", &%"', (), $%) , (", $%" , ((+, $%+)



-’

Accept if all 3 verify

./01-'(', (", $%")

./01-'(', (), $%))

./01-'(', (+, $%+)


!", $%", &%"', (), $%) , (", $%" , ((+, $%+)


-’


./01-'(', (", $%")

./01-'(', (), $%))

./01-'(', (+, $%+)

Digital signatures require one-way functions


!", $%", &%"', (), $%) , (", $%" , ((+, $%+)


-’


./01-'(', (", $%")

./01-'(', (), $%))

./01-'(', (+, $%+)


MACs are not sufficient


!", $%", &%"', (), $%) , (", $%" , ((+, $%+)


-’


./01-'(', (", $%")

./01-'(', (), $%))

./01-'(', (+, $%+)


How can we do it information theoretically?

MACs are not sufficient

Our Tool: Multi-Key MAC

!"

!#

!$%


! = #. %&'( ), +,, +-, +.

+,

+-

+.)


!

!

!

! = #. %&'( ), +,, +-, +.

)

Our Tool: Multi-Key MAC!.#$%&'( (*, ,, -.)

!. #$%&'( (*, ,, -0)

!. #$%&'( (*, ,, -1)

,

,

,

, = !. 3&45 *, -., -0, -1

*

Our Tool: Multi-Key MAC (Correctness)

YES

YES

YES

!.#$%&'( (*, ,, -.)

!. #$%&'( (*, ,, -0)

!. #$%&'( (*, ,, -1)

,

,

,

, = !. 3&45 *, -., -0, -1

*

Our Tool: Multi-Key MAC (Security)

!, "#, "%& = (. *+,- !, "., "#, "%

&".


!, "#, "%& = (. *+,- !, "., "#, "%

&".

"#

!/, &’

(.012+34 (!′, &′, "#)NO


!, "#, "%& = ()*+ !, ",, "#, "%

&",

"#

!-, &’

..012)34 (!′, &′, "#)NO

An adversary cannot output any valid message-signature pair other than the

one it received

Security with Abort: Using Multi-Key MAC

!′#1, &' ( = ! (#', #+, #,)#+, &+#,, &,

. = /. 1234 ((, &1, &2, &3)

!", $"%, &


Security with Abort: Using Multi-Key MAC

'.)*+,-%(%, &, $")

-’

Security with abort: Using Multi-Key MAC

IF !, # = %′((()*)), ((,, *,), ((-, *-))

(,, *,

!, #

Honest Party 2Trusted Party

(-, *-

!, #

Honest Party 3

%′


!.#$%&'(((, +, ,-)!. #$%&'(((, +, ,/ )

0-, ,-

(, +


0/, ,/

(, +

Honest Party 3

YES YES

IF (, + = '′((03,3), (0-, ,-), (0/, ,/))

'′


!", $"

%, &


!', $'

%, &

Honest Party 3

IF %, & ≠ )′((!,$,), (!", $"), (!', $'))

)′


Honest Party 2

!", $"

%, &


!', $'

%, &

Honest Party 3

NONO

(.*+,-.%(%, &, $")(. *+,-.%(%, &, $' ) IF %, & ≠ .′((!3$3), (!", $"), (!', $'))

.′

Recall: Our Strategy


Outputs)


Broadcast + P2P

Broadcast + P2P


Broadcast + P2P

Using Multi-Key MAC

Round Compression

Security Upgrade

Security Upgrade Using Multi-Key MAC

Second Step


Outputs)


Broadcast + P2P

Broadcast + P2P


Broadcast + P2P

Round Compression

Technique: Round Compression

Interactive secure MPC

2 round secure MPC

[GGHR’13]Indistinguishability Obfuscation

[GLS’15]Witness Encryption + Garbled circuits

[GS’17]Bilinear Maps + Garbled circuits

[GS’18, BL’18]OT + Garbled Circuits

[ACGJ’18] Garbled circuits

Initial Idea


2 round secure MPC






Replace garbled circuits with Information-theoretic garbled circuits

(IT-GC)

Round Compression Template

!"#$

...

Interactive secure MPC 2 round secure MPC

!"#%!"#&

Commit Inputs

'( !"#$ , '( !"#% , . .

Round Compression Template

!"#$

...

Interactive secure MPC 2 round secure MPC

!"#%!"#&

Commit Inputs

'( !"#$ , '( !"#% , . .

'( !"#%

After Round 2

'( !"#$

'( !"#%

'( !"#$

Party 1 Party 2

.

.

.

.

.

.

...

...

Round Compression Template: After Round 2

!" #$%&

!" #$%' !" #$%'

Party 1 Party 2

Round Compression Template: After Round 2!" #$%&

!" #$%' !" #$%'

Party 1 Party 2

Statistically secure multi-party helper protocol for

OT functionality

Wire Labels 1st Message of Party 2

Wire Labels for 1st Message of Party 2

Initial Idea: Doesn’t Work


2 round secure MPC







(IT-GC)

ProblemSize of the input wire labels in IT-GC grows exponentially in the depth of

the circuit being garbled.



2 round secure MPC







(IT-GC)



No. of garbled circuits generated per-party ≥ |#|



2 round secure MPC







(IT-GC)



No. of garbled circuits generated per-party ≥ |#|

Size of bottom-most garbled circuits is exp( # )

Our Approach!" #$%&

!" #$%' !" #$%'

Party 1 Party 2

Statistically secure multi-party helper protocol for

OT functionality

Wire Labels1st Message of Party 2


(&

Inspired by the approach used in [BL’18]

Our Approach!" #$%&

!" #$%' !" #$%'

Party 1 Party 2

Statistically secure multi-party helper protocol forOT functionality OT

functionality

Wire Labels


() *', #$%' *&

*&

Our ApproachDesign a 2 round helper protocol for

!" #$, &'($ #)*+ &'()

*+ &'($ *+ &'($

Party 1 Party 2

Helper Protocol for OT functionality

Wire Labels


!" #$, &'() #)

#)

Statistically secure multi-party helper protocol forOT functionality OT

functionality!" #$, &'($ #)

Challenges in Designing such a protocol

2 Round MPC Template using a 2 Round Helper Protocol

1st round of Helper Protocol (implicitly commits to inputs)

2nd round of Helper Protocol & !" #$%& , !" #$%( , . .R 2

R 1


R 1

R 2

Inputs of Adversary

Output y

Trusted Party

Simulator

Adversary

A

A

Malicious Security


R 1

R 2

Inputs of Adversary

Output y

Trusted Party

Outer Simulator

OuterAdversary

Inner Simulator

A

BA

InnerAdversary

B

Malicious Security using helper protocol


R 1

R 2

Inputs of Adversary

Output y

Trusted Party

Outer Simulator

OuterAdversary

Inner Simulator

A

BA

InnerAdversary

B

Need to extract the inputs from inner adversary

Malicious Security using helper protocol


R 1

R 2

Inputs of Adversary

Output y

Trusted Party

Outer Simulator

OuterAdversary

Inner Simulator

A

BA

InnerAdversary

B

Need to extract the inputs from inner adversary

For Malicious Security

How to design a 2 round maliciously secure helper protocol for this functionality?

Our Solution

Properties:!"#$ is not known in the first round.

Party 1 Party 2

HONEST Nothing beyond the output is leaked Nothing beyond !"#%('$) is leaked

CORRUPT Simulator can extract '% Simulator can extract !"#%('$)

A two-round helper MPC protocol for 2 input delayed-function )* '%, !"#% '$

This asymmetric weaker security suffices!

Conclusion


Outputs)


Broadcast + P2P

Broadcast + P2P


Broadcast + P2P

Conclusion

2 Round IT-MPC(Security with Selective Abort)

P2P


Outputs)


Broadcast + P2P

Broadcast + P2P


Broadcast + P2P

Thank You!

https://eprint.iacr.org/2018/1078

[email protected]

https://eprint.iacr.org/2018/1078

two round information-theoretic mpc with malicious...

Documents