Between a Rock and a Hard Place: Interpolating Between MPC and FHE
Arpita Patra
Joint work with: Ashish Choudhury, Jake Loftus, Emmanuela Orsini, Nigel P. Smart

Secure Multiparty Computation (MPC)
• n parties P1,...,Pn, t corrupted
• Pi has private input xi
• A common n-input function f
Goal:
• Compute f(x1,x2,...,xn): Correctness
• Hide input of the honest parties: Privacy

MPC Before and After FHE Arrived
Protocols in pre-FHE era:
• Small Computational Overhead
• High Communication Overhead
• Communication per mult gate
Protocols in post-FHE era:
• Huge Computational Overhead
• Low (circuit independent) Communication Overhead
Interpolate between these two worlds:
• Parameter L, from L = 2 to L = infinity
• We trade communication for computation in a simple way

The Main Contribution
• Reduced communication for MPC for relatively small values of L
• Based on L-levelled somewhat homomorphic encryption (SHE) with the ability of distributed decryption
“Distributed Bootstrapping” of SHE:
• Interactive (distributed decryption)
• Communication efficient
• Simple
• NOT the blueprint of Gentry

The Goal of MPC
[Figure: REAL world and IDEAL world panels. In each, four parties hold inputs x1, x2, x3, x4 and every party receives y = f(x1,x2,x3,x4). Panel labels: "Any task", "Invisible".]

The first step of General MPC
• Represent f by Circuit C of say over a finite field F
[Figure: circuit computing f(x1,x2,x3,x4) from inputs x1 x2 x3 x4 with addition gates and multiplication gates]
• Any computable f can be represented like this
GOAL: SECURE CIRCUIT EVALUATION

L-levelled SHE
• Allows evaluation of any arithmetic circuit of multiplicative depth L in encrypted form
• With the guarantee that the encrypted outputs can be decrypted correctly at the end
[Figure: L-levelled circuit with input wires x1,...,x12, intermediate wires y1,...,y6 and w1, w2, w3, and output wires z1, z2]

Threshold L-levelled SHE
• Allows distributed decryption
• For a threshold t, t+1 decryption keys are required to decrypt a ciphertext
[Figure: L-levelled circuit with input wires x1,...,x12, intermediate wires y1,...,y6 and w1, w2, w3, and output wires z1, z2]
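
L-levelled SHE
• KeyGen: pk, sk
• Evaluation Key: ek
• (c, L) = Enc_pk(m)
• Dec_sk returns m from a ciphertext of m at level l, l ∈ [0,...,L]
• L = Label of freshness
• Eval_ek, built from Add and Mult with l1, l2 ∈ [0,...,L]:
  Add: ciphertexts of m1 at level l1 and m2 at level l2 give a ciphertext of m1+m2 at level min(l1,l2)
  Mult: ciphertexts of m1 at level l1 and m2 at level l2 give a ciphertext of m1·m2 at level min(l1,l2)-1
[Figure: Eval_ek on ciphertexts of x1, x2, x3, x4, each at level L; intermediate ciphertexts at levels L and L-1; output ciphertext of C(x1,x2,x3,x4) at level l]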

Threshold L-levelled SHE
• KeyGen: pk, sk
• Evaluation Key: ek
• Enc_pk, Dec_sk, Eval_ek
• Decryption Keys: dk1,...,dkn; any t+1 → sk; t is threshold
• ShareDec: dki and a ciphertext of m at level l give μi
• ShareCombine: the ciphertext of m at level l and {μ1 ... μn} give m

Circuit Evaluation Using SHE
• Parameter L : L-level SHE
• Refresh: Fresh ciphertexts without perturbing the plaintext
[Figure: circuit with input wires x1,...,x12, intermediate wires y1,...,y6 and w1, w2, w3, output wires z1, z2 and a block labelled D; two parts of the circuit are each labelled L, with Refresh applied to w1, w2, w3]

How to Refresh?
• Gentry’s Bootstrapping: No! Computationally Expensive
• “Distributed Bootstrapping” of SHE
  • Interactive (distributed decryption)
  • Communication efficient
  • Simple
  • Computationally inexpensive

Distributed Refresh/Bootstrapping
Refresh: a ciphertext of m at level l becomes a ciphertext of m at level L
Offline Phase:
• r is random; a ciphertext of r at level L
Online Phase:
• Mask: the ciphertext of m at level l and the ciphertext of r at level L give a ciphertext of m+r at level l
• Decrypt: the ciphertext of m+r at level l gives m+r, using distributed decryption of SHE
• Re-encrypt: m+r gives a ciphertext of m+r at level L, using Enc of SHE
• Unmask: the ciphertext of m+r at level L and the ciphertext of r at level L give a ciphertext of m at level L
Decrypt: The only step involving communication in Online Phase

Improving Communication of Refresh
• Tool: Packed SHE with message space (F_p)^N
• Any ciphertext contains N message slots: m1, ..., mN
• But, MPC is done over F_p
• Parallelism: N ciphertexts are refreshed together
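
Refreshing N ciphertexts Together
• Pack: ciphertexts of m1, m2, ..., mN at levels l1, l2, ..., lN give one ciphertext of M at level l, where M = m1…mN and l = min(l1,…,lN)
• R = r1…rN is random; a ciphertext of R at level L
• Mask, Decrypt, Re-encrypt, Unmask: give a ciphertext of M at level L
• Unpack: gives ciphertexts of m1, m2, ..., mN, each at level L
One dist. Decrypt for every N Ciphertexts
Gain by factor of N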

Distributed Decryption of a ciphertext of m at level l
• dk1, dk2, ..., dkn: ShareDec gives μ1, μ2, ..., μn
• Exchange μi’s with each other
• ShareCombine on μ1,…,μn gives m at every party

Actively Secure Distributed Decryption when n ≥ 3t+1
• dk1, dk2, ..., dkn: ShareDec gives μ1, μ2, ..., μn
• Exchange μi’s with each other
• Wrong Shares by corrupted parties: Error Correction (Shamir Secret Sharing)
• ShareCombine on μ1,…,μn gives m at every party

Actively Secure Distributed Decryption when n ≥ 2t+1
• dk1, dk2, ..., dkn: ShareDec gives μ1, μ2, ..., μn
• Exchange μi’s with each other
• Use ZK Proofs !!
• Error Detection
• Only t instances !!
• Heavy Machinery
• ShareCombine on μ1,…,μn gives m at every party

Communication Complexity of our MPC
• O(n/L) field elements per multiplication gate
• For small L, i.e. L=5, we already get better exact complexity compared to the traditional practical protocols
• SHE is efficient for small values of L
• Hope: FHE is a fast growing area. We can increase L and can get even better communication complexity

Augmenting the Circuit
• Inductively associate an integer label with each wire
  Input wires: label 1
  Output wire of Add gate: min(label of input wires)
  Output wire of Mult gate: min(label of input wires) - 1
[Figure: circuit for f(x1,x2,x3,x4) with input wires x1 x2 x3 x4 labelled 1 1 1 1 and later wires labelled 1, 0 and -1]
• Augment such that allowed labels [1,…,L]
• Refresh Gate: Re-labelling. Re takes a label in [1…L] to L
[Figure: augmented circuit for f(x1,x2,x3,x4) with wire labels L, L-1, L-2, ... and four Re gates, each taking label 1 to L]
Assume L >= 3
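
An added example, not part of the original slides: the labelling rule above applied to a circuit, with a Refresh gate inserted whenever a Mult gate would push a label below 1. It assumes fresh inputs carry label L and a refresh-as-late-as-possible policy (which needs only L >= 2); the names Gate, augment and mult_chain are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Gate:
    op: str   # "add" or "mul"
    a: str    # input wire names
    b: str
    out: str  # output wire name

def augment(inputs, gates, L):
    """Label every wire and insert Refresh gates so that labels stay in [1, L].

    Assumptions of this sketch (not from the slides): fresh inputs carry
    label L, gates are listed in topological order, and a wire is refreshed
    as late as possible, just before a Mult gate that needs it."""
    if L < 2:
        raise ValueError("need L >= 2: a refreshed wire must survive one Mult")
    label = {w: L for w in inputs}
    plan, refreshes = [], 0
    for g in gates:
        if g.op == "mul":
            # Mult output is min(labels) - 1, so both inputs need label >= 2.
            for w in sorted({g.a, g.b}):
                if label[w] < 2:
                    plan.append(("refresh", w))   # Re: [1..L] -> L
                    label[w] = L
                    refreshes += 1
            label[g.out] = min(label[g.a], label[g.b]) - 1
        elif g.op == "add":
            label[g.out] = min(label[g.a], label[g.b])
        else:
            raise ValueError(f"unknown gate type {g.op!r}")
        plan.append((g.op, g.a, g.b, g.out))
    return plan, label, refreshes

def mult_chain(depth):
    """Constructed sample circuit: w1 = x*x, w_k = w_(k-1)*x."""
    gates, prev = [], "x"
    for k in range(1, depth + 1):
        gates.append(Gate("mul", prev, "x", f"w{k}"))
        prev = f"w{k}"
    return ["x"], gates

if __name__ == "__main__":
    for L in (2, 3, 5, 13):
        _, label, n = augment(*mult_chain(12), L)
        print(f"L={L:2d}: {n:2d} Refresh gates, output label {label['w12']}")
```

On the constructed 12-gate multiplication chain the number of Refresh gates, each costing one distributed decryption, is 11 for L = 2, 2 for L = 5 and 0 for L = 13.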

Threshold L-levelled SHE
• KeyGen: pk, sk
• Evaluation Key: ek
• Decryption Keys: dk1,...,dkn; any t+1 → sk; t is threshold
• (c, L) = Enc_pk(m)
• m = Dec_sk(c, l); l ∈ [0,...,L]
• μi = ShareDec_dki(c, l)
• m = ShareCombine((c, l), {μ1 ... μn})
• Eval with Ckt, ek on (c1,L),…,(cin,L) gives (e1,l1),…,(eout,lout); l1,…,lout ∈ [0,..,L]
• Add((c1,l1), (c2,l2)) = (c, min(l1,l2)); l1, l2 ∈ [0,..,L]
• Mult((c1,l1), (c2,l2)) = (c, min(l1,l2) - 1); l1, l2 ∈ [0,..,L]
• L = Label of freshness

Representing Encrypted Value
Ciphertext of plaintext m with level l ∈ [0,..,L]
[Figure: m marked with level l]

Distributed Refresh/Bootstrapping
Refresh: (c_m, l) → (c_m, L)
• r is random: (c_r, L)
• Mask: (c_m, l), (c_r, L) → (c_{m+r}, l)
• Decrypt: (c_{m+r}, l) → m+r using distributed decryption of SHE
• Re-encrypt: m+r → (c_{m+r}, L) using Enc of SHE
• Unmask: (c_{m+r}, L), (c_r, L) → (c_m, L)
Decrypt: The only step involving communication in Online Phase

Parallelizing Refresh for N ciphertexts
• Pack: (c1,l1), (c2,l2), (c3,l3), ..., (cN,lN) → (c, min(l1,…,lN))
• r is random
• c_r is a packed ciphertext: (c_r, L)
• Mask, Decrypt, Re-encrypt, Unmask: (c, min(l1,…,lN)) → (c, L)
• Unpack: (c, L) → (c1,L), (c2,L), (c3,L), ..., (cN,L)

Threshold L-levelled SHE (KeyGen, Enc, Dec, ShareDec, ShareCombine)
• KeyGen: pk, sk
• (c,L) = Enc_pk(m)
• m = Dec_sk(c,l); l ∈ [0,...,L]
• Decryption Keys: dk1,...,dkn
• μi = ShareDec_dki(c,l); l ∈ [0,...,L]

(n, t) - Secret Sharing [Shamir 1979, Blackley 1979]
Sharing Phase:
• Dealer holds secret s and hands out v1, v2, v3, …, vn
• Less than t+1 parties have no info about the secret
Reconstruction Phase:
• t+1 parties can reconstruct the secret s

(n,t) - Shamir Secret Sharing: Sharing Phase
(n,t) - Shamir Secret Sharing: Reconstruction Phase
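
An added example, not from the original slides: (n,t) Shamir sharing over a prime field, with one standard consistency check that detects wrong shares when n ≥ 2t+1, as on the error-detection slide. It runs on plain Shamir shares rather than SHE decryption shares μi; the modulus P and the names share, interpolate and reconstruct_detect are assumptions of this sketch.

```python
import secrets

P = 2**61 - 1  # constructed example modulus (a Mersenne prime); the slides fix no field

def share(secret, n, t):
    """Sharing phase: pick a random polynomial f of degree <= t with
    f(0) = secret and hand share v_i = f(i) to party i."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):   # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc
    return {i: f(i) for i in range(1, n + 1)}

def interpolate(points, x):
    """Lagrange interpolation mod P through points {i: v_i}, evaluated at x."""
    total = 0
    for i, vi in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (x - j) % P
                den = den * (i - j) % P
        total = (total + vi * num * pow(den, -1, P)) % P
    return total

def reconstruct_detect(shares, t):
    """Reconstruction with error detection for n >= 2t+1 received shares,
    at most t of them wrong. Returns the secret, or None on detection."""
    if len(shares) < 2 * t + 1:
        raise ValueError("error detection needs n >= 2t+1 shares")
    ids = sorted(shares)
    base = {i: shares[i] for i in ids[:t + 1]}
    # If all n shares fit one polynomial of degree <= t, it matches the
    # dealer's polynomial on >= t+1 honest points and so equals it.
    if any(interpolate(base, i) != shares[i] for i in ids[t + 1:]):
        return None
    return interpolate(base, 0)

if __name__ == "__main__":
    v = share(42, n=7, t=3)
    print(reconstruct_detect(v, 3))        # all shares honest
    v[2] = (v[2] + 1) % P                  # one wrong share
    print(reconstruct_detect(v, 3))
```

Detection only reports that some share is wrong; locating and correcting it from the shares alone needs the larger n ≥ 3t+1 setting of the error-correction slide.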