Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE

Gilad Asharov (Bar-Ilan University)
Abhishek Jain (UCLA)
Adriana López-Alt (NYU)
Eran Tromer (Tel-Aviv University)
Vinod Vaikuntanathan (University of Toronto)
Daniel Wichs (IBM Research)
2-Party Computation Using FHE (semi-honest)
[Diagram: Charlie and Sally, with inputs a and b; y = f(a,b)]
A = Encrypt(a)
Y = Eval(f,A,B)
Advantages
• Low round complexity
• Low communication complexity
  – Independent of the function f
  – Independent of Sally's input b
• Low computation
  – Charlie's work is independent of f
A simple template
Can we get all these advantages in the multiparty case?
Threshold Key Generation
Key Generation
Input Encryption
[Diagram: four parties with inputs a, b, c, d]
A = Enc(a), B = Enc(b), C = Enc(c), D = Enc(d)
Homomorphic Evaluation
[Diagram: A, B, C, D → Homomorphic Evaluation → Y]
Delegate to a Cloud
[Diagram: A, B, C, D → Homomorphic Evaluation → Y]
Threshold Decryption
[Diagram: Y → Dec → m, shown for each of the four parties]
MPC with Threshold FHE
• Threshold Key Gen
• Encrypt and Evaluate
• Threshold Decryption
MPC with TFHE
• Threshold KeyGen and Threshold Dec can be implemented using generic MPC
• Advantages:
  – Low communication complexity (even in malicious)
  – The homomorphic evaluation can be delegated / only one party
• Disadvantages:
  – Needs generic MPC techniques
  – Round complexity can be high
Our Main Results
• Threshold KeyGen and Threshold Dec algebraically [BV11b, BGV12] (based on LWE)
• Advantages:
  – Low communication complexity (even in malicious)
  – The homomorphic evaluation can be delegated / only one party
  – Simple: there is no need for generic MPC protocol
  – Extremely low round complexity
      – Only 3 broadcast rounds (CRS model)
      – 2 rounds reusable PKI – optimal(!)
Our Main Results (malicious)
• Threshold KeyGen and Threshold Dec algebraically [BV11b, BGV12] (based on LWE)
• Advantages:
  – Low communication complexity (even in malicious)
  – The homomorphic evaluation can be delegated / only one party (assuming CS proofs / SNARGs)
  – Simple: there is no need for generic MPC protocol
  – Extremely low round complexity
      – Only 3 broadcast rounds (CRS model)
      – 2 rounds reusable PKI – optimal(!)
  – UC security (assuming UC-NIZK)
Related Work
• [CramerDamgardNielsen01] – MPC using threshold HE
• [Gentry09] – MPC using threshold FHE
• [BendlinDamgard10] – threshold version for LWE
• [KatzOstrovsky04] – lower bound of 5 rounds for MPC in the plain model
• [MyersSergishelat11] – threshold version of [vDGHV10]
The LWE Assumption [Regev05]
Distribution 1    Distribution 2
•    • "small"
Also secure if q is odd and we choose the noise to be small and even (2e instead of e)
Basic LWE-Based Encryption
Symmetric Key
• Enc_s():
• Dec_s(c): mod 2
Public Key
• KeyGen:
  – sk: s
  – pk: Encryptions of 0
• Enc_pk():
  – Random subset sum of the public key +
Key-Homomorphic Properties of the Basic Scheme
As1+2e1    As2+2e2
A(s1+s2)+2e*
Two public keys, same "coefficient" A
A new public key with secret key: s1+s2, coefficient A
(almost the same as ElGamal)
Threshold Key Generation
[Diagram: four parties with secret keys s1, s2, s3, s4 and a common A]
(A, p1 = As1+2e1)
(A, p2 = As2+2e2)
(A, p3 = As3+2e3)
(A, p4 = As4+2e4)
(A, p* = As*+2e*), shown at each of the four parties
Joint secret key: s* = s1+s2+s3+s4
Joint public key: p* = p1+p2+p3+p4
Threshold Decryption
[Diagram: four parties with secret keys s1, s2, s3, s4]
⟨c, s1⟩ + 2e1
⟨c, s2⟩ + 2e2
⟨c, s3⟩ + 2e3
⟨c, s4⟩ + 2e4
v = ⟨c, s*⟩ + 2e*
m = v (mod 2)
Basic LWE-Based Encryption – Homomorphism
• Addition:
• Multiplication: More complicated…
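Added example (not from the slides): a toy Python run of the threshold key generation, ciphertext addition and threshold decryption steps described above. The parameters Q, N, M, the noise bounds and every function name are assumptions chosen so it runs quickly; they provide no security.

```python
import secrets

rng = secrets.SystemRandom()
Q, N, M = 1_048_583, 16, 64                  # toy sizes (assumed), odd modulus q
PARTIES, KEY_NOISE, SMUDGE = 4, 2, 1 << 10   # assumed noise bounds

def dot(u, v):
    return sum(x * y for x, y in zip(u, v)) % Q

def party_keygen(A):
    """One party's key share: secret s_i and p_i = A*s_i + 2*e_i (mod q)."""
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.randint(-KEY_NOISE, KEY_NOISE) for _ in range(M)]
    return s, [(dot(row, s) + 2 * ei) % Q for row, ei in zip(A, e)]

def joint_public_key(p_shares):
    """p* = p_1 + ... + p_k is a public key for s* = s_1 + ... + s_k."""
    return [sum(col) % Q for col in zip(*p_shares)]

def encrypt(A, p_star, bit):
    """Random subset sum of the rows of (A, p*), plus the message bit."""
    r = [rng.randrange(2) for _ in range(M)]
    return [dot(r, col) for col in zip(*A)], (dot(r, p_star) + bit) % Q

def add(cts):
    """Componentwise sum of ciphertexts: encrypts the XOR of the bits."""
    a = [sum(col) % Q for col in zip(*(a for a, _ in cts))]
    return a, sum(b for _, b in cts) % Q

def partial_decrypt(ct, s_i):
    """Share <a, s_i> + 2*e_i; the fresh even noise masks the key share."""
    return (dot(ct[0], s_i) + 2 * rng.randint(-SMUDGE, SMUDGE)) % Q

def combine(ct, shares):
    """v = b - sum(shares) = bit + 2*noise; centre v around 0, then mod 2."""
    v = (ct[1] - sum(shares) + Q // 2) % Q - Q // 2
    return v % 2

def demo(bits):
    """Parties encrypt one bit each under p*; jointly decrypt the XOR."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]  # common A
    keys = [party_keygen(A) for _ in range(PARTIES)]
    p_star = joint_public_key([p for _, p in keys])
    ct = add([encrypt(A, p_star, b) for b in bits])
    return combine(ct, [partial_decrypt(ct, s) for s, _ in keys])
```

No party ever holds s*; each one only contributes a noisy inner product, and the result is correct as long as the accumulated noise stays below q/2.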
FHE From LWE [BV11b], [BGV12]
• Multiplication is possible if we have additional public information (evaluation key):
• We need to generate it in a threshold manner
Simplified!
Evaluation Key
• Recall joint secret-key:
• We need:
• =
• Therefore, we need to create:
Threshold KeyGen – Round 2
[Diagram: four parties with secret keys s1, s2, s3, s4; each creates encryptions of its key coordinates under p*]
Enc_p*(s1[1]) … Enc_p*(s1[n])
Enc_p*(s2[1]) … Enc_p*(s2[n])
Enc_p*(s3[1]) … Enc_p*(s3[n])
Enc_p*(s4[1]) … Enc_p*(s4[n])
Threshold KeyGen – End Of Round 2
[Diagram: the ciphertexts Enc_p*(s1[1]) … Enc_p*(s4[n]) from all four parties, shown together]
Threshold KeyGen – Round 3
[Diagram: four parties with secret keys s1, s2, s3, s4]
Enc_p*(s_k[i])
Enc_p*(s_k[i]·s1[1]) … Enc_p*(s_k[i]·s1[n])
Enc_p*(s_k[i]·s2[1]) … Enc_p*(s_k[i]·s2[n])
Enc_p*(s_k[i]·s3[1]) … Enc_p*(s_k[i]·s3[n])
Enc_p*(s_k[i]·s4[1]) … Enc_p*(s_k[i]·s4[n])
Enc_p*(s_k[i]·s*[j])
Threshold KeyGen – End Of Round 3
Enc_p*(s_k[i]·s*[j])
Enc_p*(s*[i]·s*[j])
Threshold FHE - KeyGen
• Round 1: Establishing joint public key
• Round 2: Each party creates encryptions
• Round 3: Each party P multiplies in
• End of Round 3:
one round!
The MPC Protocol
• Threshold KeyGen (2 rounds)
  – Round 1: Creates public key
  – Round 2: Creates evaluation key
• The parties encrypt their inputs (sent concurrently with round 2 of KeyGen)
• Threshold Dec (1 round)
Malicious
• Can generically get malicious security by coin-tossing + (NI)ZK
  – Increases round complexity
  – Generic NIZK inefficient
• We show coin-tossing is not necessary in our protocol
  – Using bad randomness can only hurt you
  – Honest parties "smudge out" bad noise by adding bigger noise
• We show efficient Sigma-protocols for all required relations
  – NIZK in the RO-model
Conclusion
• TFHE based on LWE
  – In the paper: Ring-LWE
• 3 Rounds MPC
• 2 Rounds in reusable PKI - optimal(!)
• Low Communication Complexity
• Easy to delegate
Thank You!