Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE
Gilad Asharov (Bar-Ilan University)
Abhishek Jain (UCLA)
Adriana López-Alt (NYU)
Eran Tromer (Tel-Aviv University)
Vinod Vaikuntanathan (University of Toronto)
Daniel Wichs (IBM Research)
2-Party Computation Using FHE (semi-honest)
• Charlie holds a; Sally holds b
• Charlie → Sally: A=Encrypt(a)
• Sally → Charlie: Y=Eval(f,A,B)
• Charlie obtains y = f(a,b)
Advantages
• Low round complexity
• Low communication complexity
  – Independent of the function f
  – Independent of Sally’s input b
• Low computation
  – Charlie’s work is independent of f
A simple template
Can we get all these advantages in the multiparty case?
Threshold Key Generation
Key Generation
Input Encryption
Parties' inputs: a, b, c, d
A=Enc(a) B=Enc(b) C=Enc(c) D=Enc(d)
Homomorphic Evaluation
A, B, C, D → Homomorphic Evaluation → Y (repeated for each of the four parties)
Delegate to a Cloud
A, B, C, D → Homomorphic Evaluation → Y
Threshold Decryption
Dec: Y → m (each party holds Y and obtains m)
MPC with Threshold FHE
• Threshold Key Gen
• Encrypt and Evaluate
• Threshold Decryption
MPC with TFHE
• Threshold KeyGen and Threshold Dec can be implemented using generic MPC
• Advantages:
  – Low communication complexity (even in the malicious setting)
  – The homomorphic evaluation can be delegated / performed by only one party
• Disadvantages:
  – Needs generic MPC techniques
  – Round complexity can be high
Our Main Results
• Threshold KeyGen and Threshold Dec algebraically [BV11b, BGV12] (based on LWE)
• Advantages:
  – Low communication complexity (even in the malicious setting)
  – The homomorphic evaluation can be delegated / performed by only one party
  – Simple: there is no need for a generic MPC protocol
  – Extremely low round complexity
    Only 3 broadcast rounds (CRS model)
    2 rounds with reusable PKI – optimal(!)
Our Main Results (malicious)
• Threshold KeyGen and Threshold Dec algebraically [BV11b, BGV12] (based on LWE)
• Advantages:
  – Low communication complexity (even in the malicious setting)
  – The homomorphic evaluation can be delegated / performed by only one party (assuming CS proofs / SNARGs)
  – Simple: there is no need for a generic MPC protocol
  – Extremely low round complexity
    Only 3 broadcast rounds (CRS model)
    2 rounds with reusable PKI – optimal(!)
  – UC security (assuming UC-NIZK)
Related Work
• [CramerDamgardNielsen01] – MPC using threshold HE
• [Gentry09] – MPC using threshold FHE
• [BendlinDamgard10] – threshold version for LWE
• [KatzOstrovsky04] – lower bound of 5 rounds for MPC in the plain model
• [MyersSergishelat11] – threshold version of [vDGHV10]
The LWE Assumption [Regev05]
Distribution 1 Distribution 2
• • “small”
Also secure if q is odd and we choose the noise to be small and even (2e instead of e)
Basic LWE-Based Encryption
Symmetric Key
• Encs():
• Decs(c): – mod 2
Public Key
• KeyGen:
  – sk: s
  – pk: Encryptions of 0
• Encpk():
  – Random subset sum of the public key +
Key-Homomorphic Properties of the Basic Scheme
Two public keys, same “coefficient” A: $A \cdot s_1 + 2e_1$ and $A \cdot s_2 + 2e_2$
Their sum: $A \cdot (s_1 + s_2) + 2e^*$
A new public key with secret key $s_1 + s_2$, coefficient A
(almost the same as ElGamal)
Threshold Key Generation
Common A; party $i$ holds secret $s_i$:
$(A, p_1 = A s_1 + 2e_1)$
$(A, p_2 = A s_2 + 2e_2)$
$(A, p_3 = A s_3 + 2e_3)$
$(A, p_4 = A s_4 + 2e_4)$
Every party obtains $(A, p^*)$, where $p^* = A s^* + 2e^*$
Joint secret key: $s^* = s_1 + s_2 + s_3 + s_4$
Joint public key: $p^* = p_1 + p_2 + p_3 + p_4$
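Threshold Decryption
Each party computes a share from its secret key:
$\langle a, s_1 \rangle + 2e_1$
$\langle a, s_2 \rangle + 2e_2$
$\langle a, s_3 \rangle + 2e_3$
$\langle a, s_4 \rangle + 2e_4$
(mod 2)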
The shares sum to $v = \langle a, s^* \rangle + 2e^*$; after reduction mod 2, every party obtains $\mu$.
Basic LWE-Based Encryption – Homomorphism
• Addition:
• Multiplication: More complicated…
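An added example, not taken from the slides or the paper: a toy Python run of the threshold key generation, subset-sum encryption, homomorphic addition and threshold decryption steps shown above. The parameters N, M, Q, B, the smudging-noise bound and all function names are assumptions chosen for illustration and give no security.

```python
import random
from functools import reduce

# Toy parameters, assumed for illustration only (no security at this size).
N, M, Q, B = 16, 64, 2**31 - 1, 4    # dimension, pk rows, odd modulus, noise bound
rng = random.Random(2012)            # seeded, non-cryptographic RNG

def dot(u, v):
    return sum(x * y for x, y in zip(u, v)) % Q

def noise(bound=B):
    return 2 * rng.randint(-bound, bound)      # small and even: 2e

def party_keygen(A):
    """Party i samples s_i and publishes p_i = A*s_i + 2*e_i."""
    s = [rng.randrange(Q) for _ in range(N)]
    return s, [(dot(row, s) + noise()) % Q for row in A]

def joint_public_key(p_shares):
    """p* = p_1 + ... + p_k is a public key for s* = s_1 + ... + s_k."""
    return [sum(col) % Q for col in zip(*p_shares)]

def encrypt(A, p_star, bit):
    """Random subset sum of the public-key rows, plus the message bit."""
    rows = [j for j in range(M) if rng.random() < 0.5]
    a = [sum(A[j][i] for j in rows) % Q for i in range(N)]
    return a, (sum(p_star[j] for j in rows) + bit) % Q

def add(c1, c2):
    """Homomorphic addition: the component-wise sum encrypts the XOR."""
    return [(x + y) % Q for x, y in zip(c1[0], c2[0])], (c1[1] + c2[1]) % Q

def decryption_share(ct, s):
    """Party i's share <a, s_i> + 2*e_i, with larger smudging noise."""
    return (dot(ct[0], s) + noise(B * 2**10)) % Q

def combine(ct, shares):
    """b minus the summed shares, centred around 0, then reduced mod 2."""
    v = (ct[1] - sum(shares)) % Q
    return (v - Q if v > Q // 2 else v) % 2

def xor_via_threshold_fhe(bits):
    """One run: each party contributes a key share and one input bit."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    keys = [party_keygen(A) for _ in bits]
    p_star = joint_public_key([p for _, p in keys])
    total = reduce(add, (encrypt(A, p_star, m) for m in bits))
    return combine(total, [decryption_share(total, s) for s, _ in keys])
```

Because q is odd, the centring step in `combine` is what keeps the parity intact; reducing mod 2 without it would flip the result whenever the noise term is negative.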
FHE From LWE [BV11b],[BGV12]
• Multiplication is possible if we have additional public information (evaluation key):
• We need to generate it in a threshold manner
Simplified!
Evaluation Key
• Recall joint secret-key:
• We need:
• =
• Therefore, we need to create:
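Threshold KeyGen – Round 2
Party 1: $\mathrm{Enc}_{s^*}(s_1[1]), \dots, \mathrm{Enc}_{s^*}(s_1[n])$
Party 2: $\mathrm{Enc}_{s^*}(s_2[1]), \dots, \mathrm{Enc}_{s^*}(s_2[n])$
Party 3: $\mathrm{Enc}_{s^*}(s_3[1]), \dots, \mathrm{Enc}_{s^*}(s_3[n])$
Party 4: $\mathrm{Enc}_{s^*}(s_4[1]), \dots, \mathrm{Enc}_{s^*}(s_4[n])$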
Threshold KeyGen – End Of Round 2
All parties hold $\mathrm{Enc}_{s^*}(s_k[1]), \dots, \mathrm{Enc}_{s^*}(s_k[n])$ for $k = 1, \dots, 4$
Threshold KeyGen – Round 3
For each $\mathrm{Enc}_{s^*}(s_k[i])$ from round 2:
Party 1: $\mathrm{Enc}_{s^*}(s_k[i]\, s_1[1]), \dots, \mathrm{Enc}_{s^*}(s_k[i]\, s_1[n])$
Party 2: $\mathrm{Enc}_{s^*}(s_k[i]\, s_2[1]), \dots, \mathrm{Enc}_{s^*}(s_k[i]\, s_2[n])$
Party 3: $\mathrm{Enc}_{s^*}(s_k[i]\, s_3[1]), \dots, \mathrm{Enc}_{s^*}(s_k[i]\, s_3[n])$
Party 4: $\mathrm{Enc}_{s^*}(s_k[i]\, s_4[1]), \dots, \mathrm{Enc}_{s^*}(s_k[i]\, s_4[n])$
In general: $\mathrm{Enc}_{s^*}(s_k[i]\, s_\ell[j])$
Threshold KeyGen – End Of Round 3
$\mathrm{Enc}_{s^*}(s_k[i]\, s_\ell[j])$ → $\mathrm{Enc}_{s^*}(s^*[i]\, s^*[j])$
Threshold FHE - KeyGen
• Round 1: Establishing joint public key
• Round 2: Each party creates encryptions )
• Round 3: Each party P multiplies in )
• End of Round 3: )
one round!
The MPC Protocol
• Threshold KeyGen (2 rounds)
  – Round 1: Creates public key
  – Round 2: Creates evaluation key
• The parties encrypt their inputs (sent concurrently with round 2 of KeyGen)
• Threshold Dec (1 round)
Malicious
• Can generically get malicious security by coin-tossing + (NI)ZK
  – Increases round complexity
  – Generic NIZK is inefficient
• We show coin-tossing is not necessary in our protocol
  – Using bad randomness can only hurt you
  – Honest parties “smudge out” bad noise by adding bigger noise
• We show efficient Sigma-protocols for all required relations
  NIZK in the RO-model
Conclusion
• TFHE based on LWE
  – In the paper: Ring-LWE
• 3 Rounds MPC
• 2 Rounds in reusable PKI - optimal(!)
• Low Communication Complexity
• Easy to delegate
Thank You!