“MPCintheHead”
YuvalIshaiTechnion andUCLA
Backtothe1980s• Zero-knowledgeproofsforNP[GMR85,GMW86]
• ComputationalMPCwithnohonestmajority[Yao86,GMW87]
• UnconditionalMPCwithhonestmajority[BGW88,CCD88,RB89]
• UnconditionalMPCwithnohonestmajorityassumingidealOT[Kilian88]
• Aretheseunrelated?
Messageofthistalk
• Honest-majorityMPCisusefulevenwhenthereisnohonestmajority!
• Establishesunexpectedrelationsbetweenclassicalresults
• NewresultsforMPCwithnohonestmajority• Newapplicationdomainsforhonest-majoritytoolsandtechniques
Bernard
Researchinterests:- zero-knowledgeproofs- efficienttwo-partyprotocols
Researchinterests:- information-theoreticcryptography- honest-majorityMPC
somerelevance
norelevance?
Allison
Bernard
Researchinterests:- zero-knowledgeproofs- efficienttwo-partyprotocols
Researchinterests:- information-theoreticcryptography- honest-majorityMPC
Allison
WanttohearaboutmylatestandcoolestVSSprotocol?
whatadork…
Helpingmakethematch• AddtoAllison’sworldasimpleidealfunctionality– Idealcommitment oracleforZK(Com-hybrid model)– IdealOT oracleforgeneralprotocols(OT-hybrid model)
• Makesunconditional(andUC)securitypossible– AnalogoustosecurechannelsinBernard’sworld
• WhyshouldAllisonbehappy?– Generality:ComorOTcanberealizedinavarietyofmodels,underavarietyofassumptions
– Efficiency:ComorOTcanberealizedwithlittleoverhead• Essentiallyfreegivenpreprocessing[BG89]• Cheappreprocessing:fastOT[…,PVW08,…], fasterOTextension[Bea96,IKNP03…]
• Still:WhyshouldBernard’sresearchberelevant?
Helpingmakethematch• AddtoAllison’sworldasimpleidealfunctionality– Idealcommitment oracleforZK(Com-hybrid model)– IdealOT oracleforgeneralprotocols(OT-hybrid model)
• Makesunconditional(andUC)securitypossible– AnalogoustosecurechannelsinBernard’sworld
• WhyshouldAllisonbehappy?– Generality:ComorOTcanberealizedinavarietyofmodels,underavarietyofassumptions
– Efficiency:ComorOTcanberealizedwithlittleoverhead• Essentiallyfreegivenpreprocessing[BG89]• Cheappreprocessing:fastOT[…,PVW08,…], fasterOTextension[Bea96,IKNP03…]
• Still:WhyshouldBernard’sresearchberelevant?
Ahighlevelidea:
• RunMPC“inthehead”.• Committogeneratedviews.• Useconsistencychecks toensurehonestmajority.
Zero-knowledgeproofs
• Goal:ZKproofforanNP-relationR(x,w)– Completeness– Soundness– Zero-knowledge
• TowardsusingMPC:– definen-partyfunctionality
g(x;w1,...,wn)=R(x,w1Å...Å wn)– useany2-secure,perfectlycorrect protocolforg
• securityinsemi-honest(passiveadversary)model• honestmajoritywhenn³5
MPCà ZK[IKOS07]
Prover Verifier
w=w1Å...Å wn
P1 P2
P3
P4P5
Pn
w1 w2
w3w4w5
wn
V1 V2
V3V4V5
Vn viewsp
commit to views V1,...,Vn
random i,j
open views Vi, Vj
w accept iff output=1 &
Vi,Vj are consistent
Given MPC protocol p for g(x; w1,...,wn) = R(x, w1Å...Å wn)
Analysis
• Completeness:Ö• Zero-knowledge: by 2-security of p and randomness of wi, wj. (Note: enough to use w1,w2,w3 )
Prover Verifiercommit to views V1,...,Vn
random i,j
open views Vi, Vj
accept iff output=1 &
Vi,Vj are consistent
w=w1Å...Å wn
Analysis
• Soundness: Suppose R(x, w)=0 for all w.è either (1) V1,...,Vn consistent with protocol p
or (2) V1,...,Vn not consistent with p
Prover Verifiercommit to views V1,...,Vn
random i,j
open views Vi, Vj
accept iff output=1 &
Vi,Vj are consistent
w=w1Å...Å wn
(2) Þ for some (i,j), Vi,Vj are inconsistent.Þ Verifier rejects with prob. ³ 1/n2.
(1) Þ outputs=0 (perfect correctness)Þ Verifier rejects
Infact,proofofknowledge
AnalysisProver Verifier
commit to views V1,...,Vn
random i,j
open views Vi, Vj
accept iff output=1 &
Vi,Vj are consistent
w=w1Å...Å wn
Communication complexity: ≤ (comm. complexity + rand. complexity + input size) of p.
Extensions• Variant:Use1-secureMPC– Openoneviewandoneincidentchannel
• ExtendstoOT-basedMPC– Simpleconsistencycheckwhent≥2– Slightlymoreinvolvedwitht=1[HV16,IKPSY16]
• ExtendstoMPCwitherror• Variant:Directlyget2-k soundnesserrorviasecurityinmaliciousmodel(activeadversary)– Twoclients,n=O(k)servers– W(n)-securitywithabort– Broadcastis“free”
• RealizeCom usingaone-wayfunction
Applications
• SimpleZKproofsusing:– (1,3)semi-honestMPC[BGW88,CCD88]or[Mau02]– (2,3)oreven(1,2)semi-honestMPCOT [GMW87,GV87,GHY87]
• PracticalZKproofs(“ZKBoo” [GMO16])• ZKproofswithO(|R|)+poly(k)communication
– UsingefficientMPC+AGcodes[DI06,CC06]• ManygoodZKprotocolsimpliedbyMPCliterature
– ZKforlinearalgebra[CD01,…]
General2-partyprotocols[IPS08]• Lifeiseasierwheneveryonefollowsinstructions…• GMWparadigm [GMW87]:
– semi-honest-securepàmalicious-securep’– useZKproofstoprove“stickingtoprotocol”
• Non-black-box:ZK proofsinp’ involvecode of p– Typicallyconsidered“impractical”– Notapplicableatallwhenp usesanoracle
• Functionalityoracle:OT-hybridmodel• Cryptoprimitiveoracle:black-boxPRG• Arithmeticoracle:black-boxfieldorring
• Is there a “black-box alternative” to GMW?
Adreamgoal
• Possibleforsomefixed f– e.g.,OT[IKLP06,Hai08]
• Impossibleforgeneralf– e.g.,ZKfunctionalities[IKOS07]
p’realizesfin
maliciousmodel
prealizesfin
semi-honestmodel
Idea• Combinetwotypesof“easy” protocols:– Outerprotocol:honest-majorityMPC
– Innerprotocol:semi-honest2-partyprotocol• possiblyinOT-hybridmodel
• Bothareconsiderablyeasierthanourgoal• Bothcanhaveinformation-theoreticsecurity
Outerprotocol
18
k Servers
Client Aholds input x
Client Bholds input y
Secureagainstmalicious adaptiveadversarycorruptingoneclientandt=ckservers,forsomeconstantc>0.
Securitywithabortsuffices.
Straight-linesimulation.
Example:“BGW-lite”
Innerprotocol
Secureagainstsemi-honestadversary
(Adaptivesecurityw/erasures)
Example:“GMW-lite”
Client Aholds input x
Client Bholds input yOT
Combiningthetwoprotocols
Playervirtualization
OTcallsbyinnerprotocolare“risky”
obliviouswatchlists
outerprotocolforf
panopticon
Acloserlookatserveremulation• Assumeserversaredeterministic
– Thisisalreadythecasefornaturalprotocols– Canbeensuredingeneralwithsmalloverhead
• Inouterprotocol,serveri– getsmessagesfromAandB– sendsmessagestoAandB– mayupdateasecretstate
• Capturedbyreactive2-partyfunctionalityFi– Inputs=incomingmessages– Outputs=outgoingmessages
• Usesemi-honestprotocolforFi– Distributeserverbetweenclients– “Local” computationsdonotneedtobedistributed.
Acloserlookatwatchlists• Innerprotocolcan’tpreventclientsfromcheatingbysending“badmessages”
• Watchlistmechanismensuresthatcheatingdoesnotoccurtoooften– Clientdoesn’tknowwhichinstancesofinnerprotocolarewatched
– Twocases:• Clientcheatsin£ tinstancesð cheatingistoleratedbyt-securityofouterprotocol
• Clientcheatsin>tinstancesð willbecaughtwithoverwhelmingprobability
• Non-interactiveformof“cut-and-choose”
Settingupthewatchlists• Eachclientpicksnlongone-timepadsRi• |Ri|=lengthofmessages+randomnessinexecutionofi-thinnerprotocol– ShortPRGseedsufficesforcomputationalsecurity
• EachclientusesOTtoselect~t/2oftheotherclient’spadsRi
• ImplementedviaRabin-OTforeachserver– Reducestoaconstantnumberof(1,2)string-OTsperserverforanyrationalprobabilityp
– Withoverwhelmingprobability,p±0.01 fractionofRiarereceived
Usingthewatchlists} ConsiderhereBwatchingA– AwatchesBsymmetrically• AusessequentialpartsofeachRi tomaskher(progressive)viewofthei-thinnerprotocol– IfBobtainedRi,hehasfullviewofi-thinnerprotocol– Candetect(andabort)assoonasAcheats–WhataboutidealOTcallsininnerprotocol?
• Cheatingcaughtw/prob½ifOTinputsarerandom• UseOTtorandom-OTreduction
Example• Considera“BGW-style” outerprotocol• Eachserverperformstwotypesofcomputations:– Sendaibi+zi toA,whereai isasecretreceivedfromAandbi,zi aresecretsreceivedfromB• O(|C|)suchcomputationsoverall• Canbeimplementedbysimpleinnerprotocols
– unconditionallyusingOT[GMW87,IPS09]– usinghomomorphicencryption(e.g.,Paillier)– usingcodingassumptionsandOT[NP99,IPS09]
– SendtoAapubliclinearcombinationofsecretssentbyB(andviceversa)• CanbeimplementedvialocalcomputationofB
• Givesefficientprotocolsforarithmeticcomputations
Simulation(roughidea)• SupposeAiscorruptedinfinalprotocol• Mainsimulatorrunsoutersimulatorto– extractinputofA– generateouterprotocolmessagesfromB– generatefullviewofinnerprotocolswatchedbyA(requirescorrupting~t/2servers)
– generateA’sinputsandoutputsinotherinnerprotocols(communicationofAwithservers)• feedtoinnersimulatortogenerateinnerprotocolview• validaslongasAdoesnotdeviatefrominnerprotocol
• Mainsimulatorcanobservedeviationfrominnerprotocol– WhenAcheatsoni-thinnerprotocol,outersimulatorcorruptsi-thserverandmainsimulatorabortsw/prob.p
Ageneralprotocolcompiler
§ Givena2-partyfunctionalityF§ Getanhonest-majority-secureouterprotocolΠforthefunctionalityF
(with2clientsandkservers)§ Getasemi-honest-secureinnerprotocolρOT fora
2-partyfunctionalityGΠ correspondingtotheservers’programinΠ
(GΠ isareactivefunctionalitydefinedblack-box w.r.tΠ)
§ Our(2-party)protocolΦOT,withblack-box accesstoΠandρ,isamalicious-secureprotocolforF.
m
m
m
m
Applications• Revisitingtheclassics
– BGW-lite+GMW-liteè Kilian
• EfficientMPCwithnohonestmajority– O(1)bitspergateinOT-hybridmodel(+additiveterm)– Allcryptocanbepushedtopreprocessing
• Constant-round MPCOT (t<n)usingblack-box PRG– Extending2-party“cut-and-choose” Yao
• EfficientOTextensioninmaliciousmodel• Constant-rateb.b.reductionofOTtosemi-honestOT• Securearithmeticcomputationoverblack-boxfields/rings• Protocolsmakingblack-boxuseofhomomorphicencryption
More“MPCintheHead”:OTcombinersandOTextractors
• OTcombiners[HKNRR05]– Givenn instancesofOT,ofwhicht arefaulty,producem goodOTs– Canbeobtainedviahonest-majorityMPC[HIKN08,IPS08]
• Outerprotocol:honest-majorityMPCformOTs• Innerprotocol:OT-based2-partyprotocolforemulatingMPCserver
– Usedforconstant-rateOTfromnoisychannels[HIKN08,IKOPSW11]
• OTextractors[IKOS09]– GeneralizeOTcombinersbyallowinggloballeakage– Constructionmakesanad-hocuseofsuitable“outerprotocol” and
“innerprotocol”– Yieldconstant-rateOTprotocolsfromimperfectnoisychannels,
constant-rateOTfrom(computational)“q-Hidingassumption”.
OTExtractor
OTCombiner Randomnessextractor
Extractorforbit-fixingsources
Randomcodes
Arithmeticcodes
More“MPCintheHead”:Non-InteractiveSecureComputation• Goal:Protectnon-interactiveOT-basedprotocolsagainstmalicioussender
• Challenge:allowReceivertodetectwhenSender’sOTinputsareinconsistentwithprotocol
OT OT OT OT OT
Sender
Receiver
More“MPCintheHead”:Non-InteractiveSecureComputation• AnMPC-basedapproach[IKOPS11]
OT OT OT OT OT
Sender
Receiver
Inputclient
Servers
Outputclients
Protectagainst“correlatedabort”attacksbyencodingreceiver’sinput
[Kil98,LP07,IKOPS11]
FurtherresearchI• Findotheruseful“black-box” connections• Formalizedviaoraclegame:
– Protocolmove:givenoracleg,get(arbitrary)protocoloraclepg
– Buildmove:givenoraclef,buildoracleg
– Goal:givenoraclef,obtainaprotocolpf ina“strong” modelusingonlyprotocolmovesin“weaker” model(s)
• Previousexamples– ZKfromMPC:
build– protocol– build– Newprotocolcompiler:
protocol– build– protocol- build
FurtherResearch
• Otheruseful“black-box” connections?– Formalizedvia“MPCtransformations” framework[IKPSY16]– Giveshopeforprovingnegativeresults
• Findleanerversionsofprotocolcompilers– Weakerouterprotocol?
• Minimizeconstantsinconstant-rateprotocols– Better“arithmeticcodes”?
• Optimizeforpracticalefficiency?– Manydegreesoffreedom!– Progressmadein[LOP11]