Abstract
We present a multi-party computation protocol in the case of dishonest majority which has very low round complexity. Our protocol sits philosophically between Gentry’s Fully Homomorphic Encryption based protocol and the SPDZ-BMR protocol of Lindell et al. (CRYPTO 2015). Our protocol avoids various inefficiencies of the previous two protocols. Compared to Gentry’s protocol we only require Somewhat Homomorphic Encryption (SHE). Whilst in comparison to the SPDZ-BMR protocol we require only a quadratic complexity in the number of players (as opposed to cubic), we have fewer rounds, and we require less proofs of correctness of ciphertexts. Additionally, we present a variant of our protocol which trades the depth of the garbling circuit (computed using SHE) for some more multiplications in the offline and online phases.
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
1 Introduction
Secure multiparty computation: In the setting of secure multiparty computation (MPC), a set of mutually distrusting parties wish to compute a joint function of their private inputs. Secure computation has been studied since the 1980s, and it has been shown that any functionality can be securely computed, even in the presence of a dishonest majority [17, 35]. Classically, two main types of adversaries have been considered: passive (or semi-honest) adversaries follow the protocol specification but try to learn more than allowed from the transcript, and active (or malicious) adversaries who run any arbitrary strategy in an attempt to breach security.
Efficient MPC: In the last decade, significant effort has been placed on making secure computation efficient, both theoretically (with asymptotic efficiency) and practically. Both in theory and in practice the round complexity of MPC protocols is of interest. The theoretical interest is obvious, but it is in practice that probably the most effect can be felt. It is well known from practical experiments that often round complexity has more of an effect on the performance of MPC systems than communication complexity. This is especially true in networks with high latency (e.g., when the participating parties are on opposite sides of the world), where protocols with many rounds perform very poorly [33]. In practice, one also finds that constants matter considerably.
Most of the research effort on making secure computation practically efficient has focused on the case of two parties [30, 31, 35]. The most progress has been with protocols based on Yao’s garbled circuits [35]. Extraordinary efficiency has been achieved for both passive adversaries [1, 4] and active adversaries [19, 23, 25, 26, 28, 29, 34]. In contrast, the case of multiple parties is way behind. When considering protocols with many rounds, the protocol of GMW can be used for passive adversaries (see [17] with an implementation in [7]) and the protocols of SPDZ and TinyOT can be used for active adversaries [10, 11, 22]. However, as mentioned above, these protocols have inherent inefficiency based on the fact that the number of rounds in the protocol is linear in the depth of the circuit that the parties compute.
In contrast to the impressive progress made in the garbled circuits area for the case of two parties, very little is known for multiple parties.
The focus of this paper: In this paper, we focus on the construction of a concretely efficient actively secure MPC protocol in the case of dishonest majority, which requires a (small) constant number of rounds. From a theoretical standpoint this problem is essentially solved: By combining Gentry’s passively secure MPC protocol based on Fully Homomorphic Encryption (FHE) (see [16] and below) with generic non-interactive zero-knowledge proofs (NIZKs), one can obtain a protocol with two rounds of communication. Below we will show that such a protocol using more “practical” interactive zero-knowledge proofs can be realised using five rounds of interaction. In the plain model (with no pre-processing or access to a common reference string) recent work of Garg et al. [14] shows that six rounds are sufficient (using a construction based on iO). This work of Garg et al. builds on earlier work of Katz and Ostrovsky [21] who showed that five rounds are necessary and sufficient for the case of two parties.
From a practical point of view though the use of either general FHE, iO and/or generic NIZKs are clearly not suitable. Our protocol is based on the BMR approach [3]; and will use only Somewhat Homomorphic Encryption (SHE) and relatively efficient interactive zero-knowledge proofs. This approach consists of constructing a two phase protocol. In the first phase the parties use a generic MPC protocol to construct a “garbled” version of the function being computed. Then, in a constant round evaluation phase the garbled function is evaluated. The first garbling phase works in a gate-by-gate manner, and so by processing all gates in one go we obtain a constant round protocol for both phases; since this first garbling phase evaluates, via generic MPC, a circuit of constant depth.
In recent work [27] an efficient variant of the BMR protocol is used which utilizes the SPDZ [11] generic MPC protocol in the first garbling phase. In addition the authors introduce other optimizations which make the entire protocol actively secure for very little additional overhead. The SPDZ protocol itself uses a two phase approach, in the first phase, which utilizes Somewhat Homomorphic Encryption, correlated randomness is produced. As opposed to the general Fully Homomorphic Encryption of the above theoretical approaches. Then in the second phase this correlated randomness is used to evaluate the desired functionality (which in this case is the BMR garbling). Thus overall this protocol, which we dub SPDZ-BMR, consists of three phases; a phase using SHE, a phase doing generic MPC via the SPDZ online phase, and the final BMR circuit evaluation phase.
As alluded to above, there is another approach to constant round MPC, which utilizes Fully Homomorphic Encryption, namely Gentry’s MPC protocol [16]. In this protocol the parties simply input their data using the encryption of the underlying FHE scheme, the parties evaluate the function locally using FHE, and then perform a distributed decryption (which requires \(R_\mathsf {Out}=2\) rounds of interaction with current FHE schemes). This protocol is essentially optimal in terms of the number of rounds of communication, but it suffers from a number of drawbacks. The major drawback is that it requires FHE, which is itself a prohibitively expensive operation (and currently not practical). In addition, it is not immediately clear how to make the protocol actively secure without incurring significant additional costs. We outline in this paper how to address this latter problem, as a by-product of the analysis of our main protocol.
Our Contributions: Returning to the BMR based approach we note that any MPC protocol could be used for the BMR garbling phase, as long as it can be made actively secure within the specific context of the BMR protocol. In particular we could utilize Gentry’s FHE-based MPC protocol (using only a SHE scheme) to perform the first stage of the BMR protocol; a protocol idea which we shall denote by SHE-BMR. The main observation as to why this is possible is that, as we have mentioned, the depth of the circuit computing the BMR garbled circuit is itself constant (and, in particular, independent of the depth of the circuit computing the function itself). This is due to the fact that in the BMR approach all garbled gates are computed in parallel; thus, the depth of the circuit computing the entire garbled circuit equals the depth of the circuit required to compute a single garble gate. We therefore conclude that somewhat homomorphic encryption suffices, with the depth being that sufficient to compute a single garbled gate.
A number of problems arise with this idea, which we address in this paper. First, can we make the resulting protocol actively secure for little additional cost? Second, is the required depth of the SHE scheme sufficiently small to make the scheme somewhat practical? Recall the SPDZ-BMR protocol only requires the underlying SHE scheme to support circuits of multiplicative depth one, and increasing the depth increases the cost of the SHE itself. Third, is the resulting round complexity of the scheme significantly less than that of the SPDZ-BMR protocol? Note that we can only expect a constant factor improvement, but such constants matter in practice. Fourth, can we save on any additional costs of the SPDZ-BMR protocol?
Since we use Gentry’s FHE-based protocol (or an SHE version of it), we now outline two key challenges with using Gentry’s FHE based protocol, which also apply to our protocol. When entering data we require an actively secure protocol to encrypt the FHE data, in particular we need to guarantee to the receiving parties that each encryption is well formed. The standard technique to do this is to also transmit a zero-knowledge proof of the correctness of encryption. A method to do this is given in [10, Appendix F], or [2, Sect. 3.2]. This is costly, and in practice rather inefficient. We call this protocol \(\mathsf {ID}\), and the associated round cost by \(R_\mathsf {ID}\). In addition if we need to make further input dependent inputs, then this round cost will multiply. Thus we also need to introduce a sub-protocol with round cost \(R_{\mathsf {Input}+}=1\), which enables us to place all the zero-knowledge proofs for proving correctness of input into a pre-processing phase.
The second problem with Gentry’s protocol is that we need to ensure that the distributed decryption is also actively secure; in the sense that the malicious parties cannot get an honest party to accept an incorrect result. We describe an efficient sub-protocol \(\mathsf {Out}+\) for performing this task, which importantly does not require zero-knowledge proofs (after a key generation phase) and has round complexity \(R_{\mathsf {Out}+}=2\).
We present a variant of our protocol which reduces the depth of the required SHE scheme, at the expense of requiring each party to input a larger amount of data. Interestingly, the main aim of the design in the SPDZ-BMR protocol was to reduce the number of multiplications needed (since each multiplication required generating a multiplication tuple for SPDZ, and this was the main cost). In contrast, when using SHE directly, additional multiplications are not expensive as long as they are carried out in parallel. Stated differently, the main concern is the depth of the circuit computing the BMR garbled circuit, and not necessarily its size. Of course, for concrete efficiency, one must try to minimize both, as reducing one slightly while greatly increasing the other would not be beneficial. In order to achieve this reduction in the depth of the circuit computing the BMR circuit, we utilize an observation that when computing the garbled circuit it suffices to obtain either the PRF key on the output wire or its additive inverse. This is due to the fact that we can actually take the PRF key to be the square of the value obtained in the garbled gate, which is the same whether k or \(-k\) is obtained. This allows us to combine the generation of the indicator-bits and the key-vector generation together. The additional flexibility of being able to output either the key or its additive inverse allows us to reduce the required SHE depth by one; in particular, from a depth of four to a depth of three.
In summary, we actually obtain two distinct protocols \(\pi _{b}\) where \(b \in \{0,1\}\); for which \(b=0\) means applying our basic variant protocol and \(b=1\) means applying the modified variant with a reduced depth cost. In some sense we can think of our basic SHE-BMR protocol as the same as the SPDZ-BMR protocol of [27], but it “cuts out the middle man” of producing multiplication triples, and the interaction needed to evaluate the garbling via the online phase of SPDZ. Indeed almost all of our basic protocol is identical to that described in [27]. However, naively applying SHE to the protocol from [27] results in a protocol that is neither efficient nor secure. For example, naively applying Gentry’s MPC protocol to the garbling stage would result in needing an SHE scheme which supports a depth logarithmic in the number of parties n; whereas we would rather utilize a SHE scheme with constant depth. Thus we need to carefully design the FHE based MPC protocol to realise the BMR garbled circuit.
By utilizing the actively secure input and output routines in Gentry’s protocol we also obtain an actively secure variant of Gentry’s FHE based protocol which we denote by \(G_a\). This is in addition to the original passively secure FHE based protocol of Gentry which we denote by \(G_p\).
Comparison: By way of comparison we outline in Fig. 1 differences between the variants of our protocol, and those of Gentry and SPDZ-BMR. We let n denote the number of parties, W and G denote the number of wires and gates in the binary circuit respectively, and \(W_{in}\) the number of input wires and \(W_{out}\) the number of output wires. To ease counting of rounds we consider a secure broadcast to be a single round operation (in the case of a dishonest majority, where parties may abort, a simple two-round echo-broadcast protocol suffices in any case [18]). We will see later that \(R_{\mathsf {Out}+}=2\), and \(R_\mathsf {ID}=3\). In the table the various functions \(T_1,T_2,T_3\) describing the number of executions of \(\mathsf {ID}\) are
If we compare the SPDZ-BMR protocol with our protocol variants \(\pi _0\) and \(\pi _1\) we see that the major difference in computational cost is the number of invocations of the protocol \(\mathsf {ID}\). The difference between SPDZ-BMR and \(\pi _0\) is equal to \(T_1-T_2 = 16 \cdot G \cdot n^3 + 4 \cdot (G+ W)\cdot n^2 + (6 \cdot W - 1)\cdot n + 156\cdot G \cdot n \) invocations. To be very concrete, for 9 parties, a circuit of size 10,000 gates and wires, the number of \(\mathsf {ID}\) invocations equals 141,210,000 in SPDZ-BMR versus 3,510,009 in SHE-BMR-\(\pi _0\) versus 4,950,009 in SHE-BMR-\(\pi _1\). Thus, \(\pi _0\) is one fortieth of the cost of SPDZ-BMR, and \(\pi _1\) is one twenty-eighth of the cost of SPDZ-BMR. This gap widens further as the number of parties grows, with the difference for 25 parties being a factor of 100 for \(\pi _0\) and 70 for \(\pi _1\). We remark, however, that even for just 3 parties, protocols \(\pi _0\) and \(\pi _1\) are already one twenty-third and one eighteenth of the cost, respectively.
On the downside we require an SHE scheme which will support depth three or four circuits, as opposed to the depth one circuits of the SPDZ-BMR protocol. The SHE scheme needs to support message spaces of \(\mathbb {F}_p\), where \(p>2^\kappa \). We use [9], which gives potential parameter sizes for various SHE schemes supporting depth two and five, and run the experiments there to compare the parameters required for our specific depths here (depth 1 for SPDZ, depth 4 for protocol \(\pi _0\) and depth 3 for protocol \(\pi _1\)). Specifically, assuming ciphertexts live in a ring \(R_q\), then the dimension needs to go up by approximately a factor of 1.5 for depth-3 and a factor of 2 for depth-4, and the modulus by a factor of 1.6 for depth-3 and a factor of 2 for depth-4. Assuming standard DCRT representation of \(R_q\) elements, this equates to an increase in the ciphertext size by a factor of approximately 2.4 for depth-3, and by approximately a factor of 4 for depth-4. Furthermore, the performance penalty (cost of doing arithmetic) increases by a factor of approximately 3.6 for depth-3, and by a factor of 8 for depth-4. Factoring in this additional cost, we have that when compared to SPDZ-BMR, the relative improvement in the computational cost in the above example becomes a factor of \(40/8 = 5\) for \(\pi _0\) and \(28/3.6 = 7.7\) for \(\pi _1\) for 9 parties, and a factor of \(100/8 = 12.5\) for \(\pi _0\) and \(70/3.6 \approx 19.4\) for \(\pi _1\) for 25 parties. Thus, both \(\pi _0\) and \(\pi _1\) significantly outperform BMR-SPDZ, and the depth reduction carried out in \(\pi _1\) provides additional speedup (and reduction in bandwidth).
Our work should also be compared to [8] in which a constant round 3PC protocol is given, based on Yao’s garbled circuits. However, active security in their case is provided by an expensive cut-and-choose protocol. In addition, their protocol is specifically designed for the three-party case, whereas we consider multiparty computation for any number of parties. Another constant-round multiparty protocol was constructed by [20]. However, although this protocol has good asymptotic complexity, its concrete efficiency is very unclear and no concretely efficient instantiation has been found. In [24] the authors propose a concrete instantiation of [20] for the two-party case, but no analogous proposal exists for the multiparty case.
2 Background on MPC and FHE
As a warm up to our main protocol, and to introduce the aspects of the FHE functionality we shall be using in detail we first give an outline of Gentry’s FHE based protocol to evaluate the generic MPC functionality.
2.1 The Generic MPC Functionality
The goal of all the protocols in this paper is to securely realise the functionality given in Fig. 2. Namely we want protocols which allow n mutually distrusting parties, with a possibly dishonest majority, to evaluate the function \(f(x_1,\dots ,x_n)\) on their joint inputs.
2.2 A Basic FHE Functionality with Distributed Decryption
We first describe in Fig. 3 a basic FHE functionality which contains a distributed decryption functionality. Two points need to be noted about the functionality: Firstly, the distributed decryption operation in Output can produce an incorrect result under the control of the adversary, but the “additive error” which is introduced by the adversary is introduced before the adversary learns the correct output. Secondly, the InputData routine is actively secure, and so a proof of correctness of its correct decryption is needed for each input ciphertext. The need for such an actively secure input routines is because we need to ensure that parties enter “valid” FHE/SHE encryptions, and that the simulator can “extract” the plaintext values. Within the functionality we denote the depth of a variable x by D(x), and we describe how the depth is altered with each operation which can affect the depth.
A method to perform the required InputData operation is given in [10, Appendix F], or [2, Sect. 3.2]. The basic idea is to check a number of executions of InputData at the same time. The protocol run in two phases, in the first phase a set of reference ciphertexts are produced and via cut-and-choose one subset is checked for correctness, whilst the other is permuted into buckets; one bucket for each value entered via InputData. In the second phase the input ciphertexts are checked for correctness by combining them homomorphically with the reference ciphertexts and opening the result. We denote the round complexity of the protocol implementing InputData by \(R_\mathsf {ID}\). An analysis of the protocol from [10] indicates that it requires \(R_\mathsf {ID}=3\) rounds of communication: In the first round of the proof one party broadcasts the reference ciphertexts, in the next round the parties choose which ciphertexts to open, and in the third round the ciphertexts are opened and combined.Footnote 1 Thus, overall, three rounds suffice.
In the following, we fix the notation \({\langle varid \rangle }\) to represent the result stored in the variable \(\mathsf {varid}\) by the \(\mathcal {F}_{\text {FHE}}/\mathcal {F}_{\text {SHE}}\) functionalities. In particular, we will use the arithmetic shorthands \({\langle z \rangle }={\langle x \rangle }+{\langle y \rangle }\) and \({\langle z \rangle }={\langle x \rangle } \cdot {\langle y \rangle }\) to represent the result of calling the Add and Multiply commands in the \(\mathcal {F}_{\text {FHE}}/\mathcal {F}_{\text {SHE}}\) functionality, and we will slightly abuse those shorthands to denote subsequent additions or multiplications.
The description of Output in the case of a passively secure functionality is identical to the behaviour of the standard distributed decryption procedure for FHE schemes such as BGV, again see [10] for how the distributed decryption is performed. The basic protocol is to commit to the distributed decryption shares, and then open the shares. This gives a round complexity for \(\mathbf Output \) of \(R_{\mathsf {Out}}=2\). We shall provide a simple mechanism to provide active security for the Output command in the next section, which comes at the expense of increasing the required supported depth of the SHE scheme by one.
In the case of a passively secure variant of the FHE functionality, one would always have \(e=0\) in the Output routine. Furthermore, we would not need a proof of correctness of the input ciphertexts and so the number of rounds of interaction in the InputData routine would be \(R_\mathsf {ID}=1\).
2.3 Gentry’s FHE-Based MPC Protcol
In [16] Gentry presents an MPC protocol which has optimal round complexity to implement \(\mathcal {F}_{\text {MPC}}\). In the \(\mathcal {F}_{\text {FHE}}\)-hybrid model the protocol can be trivially described as follows: The parties enter their data using the InputData command of the FHE functionality, the required function is evaluated using the Add and Multiply commands (i.e. each party locally evaluates the function using the FHE operations). The Add-scalar and Multiply-scalar commands can be computed by the parties locally encrypting the scalar with a mutually agreed randomness (so that all hold the same ciphertext) and then using the regular FHE Add or Multiply command, respectively.
Finally, the output is obtained using the Output command of the FHE functionality. For passively secure adversaries this gives us an “efficient” MPC protocol, assuming the FHE scheme can actually evaluate the function. For active adversaries we then have to impose complex zero-knowledge proofs to ensure that the InputData command is performed correctly, and we need a way of securing the Output command (which we will come to later).
3 The SPDZ-BMR Protocol
We shall now overview the SPDZ-BMR protocol from [27]. Much of the details we cover here focus on the offline SHE-part of the SPDZ protocol and how it is used in the SPDZ-BMR protocol. Recall the SPDZ protocol makes use of two phases; one an offline phase which uses an SHE scheme (which for our purposes we model via the functionality \(\mathcal {F}_{\text {SHE}}\) above restricted to functions of multiplicative depth one), and an online phase using (essentially) only information theoretic constructs. These two phases are used to create a shared garbled circuit which is then evaluated in a third phase in the SPDZ-BMR protocol.
First Phase Cost: The first phase of the SPDZ-BMR protocol requires an upper bound on the total number of parties n, internal wires W, gates G and input wires per party \(W_{in}\) of the circuit which will be evaluated. The phase then calls the offline phase of the SPDZ engine to produce \(M=13 \cdot G\) multiplication triples, \(B=W\) shared random bits, \(R=2\cdot W\cdot n\) shared random values and \(I=8 \cdot G \cdot n\) shared values for entering data per party.
The main cost of the SPDZ-BMR protocol is actually in computing this initial data; yet the paper [27] does not address this cost in much detail. Delving into the paper [10] we see that each of these operations requires parties to encrypt random data under the SHE scheme and to produce additive sharings of SHE encrypted data. This first operation is identical to our input command on the functionality \(\mathcal {F}_{\text {SHE}}\). We delve into the costs of the operations in more detail:
-
Encrypting (Input) Data \(\mathsf {ID}\): When a party produces an encryption we need to ensure that it is validly formed, so as to protect against active attackers. As remarked above this is done using a zero-knowledge proof of correctness. Whilst the computational costs of this can be amortized due to “packing” in the SHE scheme, it is a non-trivial cost per encryption. We shall denote the computational and round cost in what follows by \(C_\mathsf {ID}\) and \(R_\mathsf {ID}\) respectively, i.e. the computational and round cost of the actively secure EncCommit operation from [10].
-
Producing Random ReSharings: Given a ciphertext encrypting a value m this procedure results in an additive sharing of m amongst the n parties. The computational cost of this procedure is dominated by the invocations of the \(\mathsf {ID}\) protocol. Since each party needs to encrypt a random value, the computational cost \(n \cdot C_{\mathsf {ID}}\) and the round complexity is \(R_\mathsf {ID}+1\). Again, the computational costs can be amortized due to the packing of the SHE scheme.
-
Producing Multiplication Triples: To produce an unchecked triple this requires (per party) the encryption of two random values (of \(a_i\) and \(b_i\) in the triple ([a], [b], [c])), plus four resharings (three of which can be done in parallel, with the fourth only partially in parallel). To produce a checked triple, this needs to be done twice (in parallel), followed by a sacrificing step of one of the triples via a procedure (described in [10]) which requires another two rounds of interaction. Thus the total computational cost is dominated by \(12 \cdot n \cdot C_\mathsf {ID}\); the round complexity is \(R_\mathsf {ID}+4\).
-
Producing Shared Random Bits: To produce an unchecked random bit we require (per party) the encryption of one random value, one passively secure distributed decryption (with only one round of interaction), plus two resharings (in parallel). To produce a checked random bit, the above has to be combined with an unchecked multiplication triple in a sacrificing step which requires two rounds of interaction. Thus the total computational cost is dominated by \(9 \cdot n \cdot C_\mathsf {ID}\); and the round complexity is \(R_\mathsf {ID}+4\).
-
Producing Shared Random Values: This requires (per party) the encryption of one random value, and two resharings which can be done in parallel. Thus the total computational cost is \(2 \cdot n \cdot C_\mathsf {ID}\), and the round complexity is \(R_\mathsf {ID}+1\).
-
Producing Input Data: Per data item which needs to be input for each player this requires the encryption of one random value plus two resharings (which cannot be fully parallelised), as well as one additional round of interaction. Thus the total computational cost is dominated by \(C_\mathsf {ID}+2 \cdot n \cdot C_\mathsf {ID}\), and the round complexity is \(R_\mathsf {ID}+3\).
A major bottleneck in the protocol, for active security, is the cost of encrypting the random data required by the protocol. Combining the costs, using the various formulae above, we see that this cost is given by
which is cubic in the number of players. In our protocol the same amortization due to SHE packing can be achieved. Thus we do not pay further attention to the constant improvement in performance due to packing, as the same constant can be applied to our protocol.
The total round complexity of the SPDZ offline phase is the maximum round complexity of the various pre-processing operations in the SPDZ offline phase; namely \(R_\mathsf {ID}+4\). This holds since the transmission of all random encrypted values can occur in one round at the beginning of this phase. We stress that the depth of the SHE needed for SPDZ is just one, making it very efficient.
Second Phase Cost: A careful analysis of the rest of the garbling phase of SPDZ-BMR implies that it requires six additional rounds of communication.Footnote 2
Third Phase Cost: The online phase of the SPDZ-BMR protocol requires three rounds of interaction, one to open the secret shared values and two to verify the associated MACs.
Summary: In summary, the round complexity of SPDZ-BMR is \(R_\mathsf {ID}+10\) in the offline phase, and 3 in the online phase.
4 Extending the \(\mathcal {F}_{\text {FHE}}\)/\(\mathcal {F}_{\text {SHE}}\) Functionalities
4.1 The Extended Functionality Definition
The first step in describing our new offline protocol for constructing the BMR circuit is to extend the functionalities \(\mathcal {F}_{\text {FHE}}\)/\(\mathcal {F}_{\text {SHE}}\) to new functionalities \(\mathcal {F}_{\text {FHE}^+}\)/ \(\mathcal {F}_{\text {SHE}^+}\). In Fig. 4 we present the \(\mathcal {F}_{\text {FHE}^+}\) functionality; the definition of the \(\mathcal {F}_{\text {SHE}^+}\) functionality is immediate.
These new functionalities mimic the output possibilities of the SPDZ offline phase, which were exploited in [27]; by allowing the functionality to produce encryptions of random data and encryptions of random bits. In addition the functionalities provide a version of Output, which we call Output+, which does not allow the adversary to introduce an error value. There is also a new version of InputData called InputData+ which will enable us to reduce the number of rounds of interaction in our main protocol. Functionally this does nothing different from InputData but it will be convenient to introduce a different name for a different implementation within our FHE functionality.
4.2 Securely Realising the Extended Functionality
In Fig. 5 we give the protocol \(\pi _{\text {FHE}^+}\) for realising the \(\mathcal {F}_{\text {FHE}^+}\) functionality in the \(\mathcal {F}_{\text {FHE}}\)-hybrid model. Let us start by looking at the Output+ command in more detail (after first reading Fig. 5). Suppose the adversary tries to make player \(P_j\) accept an incorrect value, by introducing errors into the calls to the weakly secure Output command from \(\mathcal {F}_{\text {FHE}}\). The honest player \(P_j\) will receive \(\mathsf {varid}+e_1\) instead of \(\mathsf {varid}\) and \(\mathsf {authvarid}_j+ e_2\) instead of \(\mathsf {authvarid}_j\), for some adversarially chosen values of \(e_1\) and \(e_2\). If player \(P_j\) is not to abort then these quantities must satisfy \(\mathsf {authvarid}_j+e_2 = sk_j \cdot (\mathsf {varid}+e_1)\). Now since we know that \(\mathsf {authvarid}_j=\mathsf {varid}\cdot sk_j\) then this implies that the adversary needs to select \(e_1\) and \(e_2\) such that \(e_2=sk_j \cdot e_1\), which it needs to do without having any knowledge of \(sk_j\). Thus either the adversary needs to select \(e_1=e_2=0\), or he needs to guess the correct value of \(sk_j\). This will happen with probability at most 1 / p, which is negligible.
We note that in the concurrent independent work of [12] a similar approach to our Output+ command is taken in order to attain active security. Nevertheless, they use a global MAC key \({\langle sk \rangle } = {\langle sk_1 \rangle } + \dots +{\langle sk_n \rangle }\) that is revealed to all parties after decryption, which means that sk needs to be renewed after each call to Output+. Thus, each call to their similar Output+ implementation requires n calls to the expensive InputData protocol, which does not pay off in terms of concrete efficiency.
The protocol which implements InputData+ works by first running InputData with a random value, and then later providing the difference between the random value input and the real input. This enables parallel preprocessing of the InputData procedure, thereby reducing the overall number of rounds.
The protocol which implements the RandomElement command generates an encrypted random value \({\langle x \rangle }\), unknown to any party as long as one of the parties honestly chooses his additional share \(x_i\) randomly.
The protocol which implements the RandomBit command is more elaborate, and borrows much from the equivalent operations in the SPDZ offline phase, see [10]. The basic idea is to generate an encrypted random value \({\langle x \rangle }\), unknown to any party. This value is then squared to obtain \({\langle s \rangle }\). The value of s is then publicly revealed and an arbitrary square root y is taken. As long as \(s \ne 0\) (which happens with negligible probability due to the size of p) we then have that \({\langle b \rangle }={\langle x \rangle }/y\) is an encryption of a value chosen uniformly from \(\{-1,1\}\). Since p is prime, with probability 1 / 2 the square root taken will be equal to x and with probability 1 / 2 it will be equal to \(-x\). This encryption of a value in \(\{-1,1\}\) is turned into an encryption of a value in \(\{0,1\}\) by the final step, by computing \(({\langle b \rangle }+1)/2\), which is a linear function and can be thus computed by calling Add-Scalar and Multiply-Scalar. However, unlike in SPDZ no sacrificing procedure is required as the Output+ command is actively secure.
Theorem 1
Protocol \(\pi _{\text {FHE}^+}\) securely computes \(\mathcal {F}_{\text {FHE}^+}\) in the \(\mathcal {F}_{\text {FHE}}\)-hybrid model in the UC framework, in the presence of static, active adversaries corrupting any number of parties.
Proof
(sketch). By [5], it suffices to prove the security of Protocol \(\pi _{\text {FHE}^+}\) in the SUC (simple UC) framework. We will sketch the proof for each of the processes in the functionality separately. In the \(\mathcal {F}_{\text {FHE}}\)-hybrid model the security follows in a straightforward way utilizing the security of the commands in \(\mathcal {F}_{\text {FHE}}\).
Output+: The security of Output+ relies on the security of the InputData and Output commands of \(\mathcal {F}_{\text {FHE}}\). Namely, by the security of InputData we have that all \(sk_j\) values are secret, and by the security of Output the only change that \(\mathcal {A}\) can make to the output is an additive difference e (fixed before the output is given). Thus, \(\mathcal {A}\) can only change the output if it chooses additive differences \(e_1,e_2\) with \(e_1\ne 0\) such that \((x+e_1)\cdot sk_j = x \cdot sk_j + e_2 \pmod p\), where x is the value output. This implies that \(e_1\cdot sk_j = e_2 \pmod p\). Since \(sk_j\) is secret, the adversary can cause this equality to hold with probability at most p.
We remark that the MAC key \(sk_j\) is only used for output values given to \(P_j\). Thus, it always remains secret (even when used for many outputs).
The simulator for Output+ works simply by simulating the Output interaction with \(\mathcal {F}_{\text {FHE}}\) for all honest \(P_i\). Regarding a corrupt \(P_j\), the simulator receives the value x that is supposed to be output. Furthermore, the simulator receives the value \(sk_j\) from the InputData instruction, as well as any errors that are introduced in the Output calls by corrupted parties. Thus, the simulator can construct the exact value that \(\mathcal {A}\) would receive in a real execution.
InputData+: The only difference between InputData+ and InputData is that InputData+ can be run such that the actual input is only known to the party in the last round of the protocol. This is done in a straightforward way by using InputData to have a party input a random string, and then using that result to mask the real data (at the end). The simulator for this procedure therefore relies directly on the InputData procedure of \(\mathcal {F}_{\text {FHE}}\) in a straightforward way. Namely, in the \(\mathcal {F}_{\text {FHE}}\)-hybrid model when the party \(P_i\) is corrupted, the simulator receives the value \(r_i\) that party \(P_i\) sends to InputData. Then, upon receiving \(c_i\) as broadcast by \(P_i\), the simulator defines \(x_i=c_i+r_i \pmod p\) and sends \((input+,P_i,\mathsf {varid},x_i)\) to the ideal functionality as input. In the case that \(P_i\) is honest, the simulator chooses a random \(c_i\in \mathbb {F}_p\) and simulates \(P_i\) broadcasting that value. Furthermore, it simulates the (input, ...) and (add-scalar, ...) interaction with \(\mathcal {F}_{\text {FHE}}\).
The view of the adversary is identical in the simulated and real executions. In addition, since InputData is secure and \(c_i\) is broadcast and therefore the same for all parties, the protocol fully determines the input value \(x_i=c_i+r_i \pmod p\), as required.
RandomElement: This is a straightforward coin tossing protocol. The security is derived from the fact that \(\mathcal {F}_{\text {FHE}}\) provides a secure InputData protocol that reveals no information about the input values. Thus, no party knows anything about the x-values input by the others. Formally, a simulator just simulates the message interaction with \(\mathcal {F}_{\text {FHE}}\) for all of the \((input,P_i,x_i)\) and \((input,P_i,?)\) messages. As long as at least one party is honest, the distribution over the value x defined is uniform, as required.
RandomBit: The first step of this protocol is to essentially run RandomElement in order to define a random shared value x. Then, the value \(s=x^2 \pmod p\) is output to all parties, and each takes the same square-root y of s. Assume that the square root taken is the one that is between 1 and \((p-1)/2\). Now, if \(1\le x \le \frac{p-1}{2}\), then \(y=x\) and so \({\langle b \rangle }={\langle 1 \rangle }\), and we have that \({\langle \mathsf {varid} \rangle }={\langle \frac{1+1}{2} \rangle }={\langle 1 \rangle }\). Else, if \(\frac{p-1}{2}< x \le p-1\) then \({\langle b \rangle }={\langle -1 \rangle }\) and we have \({\langle \mathsf {varid} \rangle }={\langle \frac{-1+1}{2} \rangle }={\langle 0 \rangle }\). The security relies on the fact that the result is fully determined from the (input, ...) messages sent in the beginning. Relying on the security of InputData and Add/Multiply in \(\mathcal {F}_{\text {FHE}}\), and on the security of the Output+ procedure, the value x is uniformly distributed and the value s that is output to all parties equals \(x^2\) and no other value. All other steps are deterministic and thus this guarantees that the output is a uniformly distributed bit, as required.
Regarding simulation, the simulator simulates the calls to InputData, Add and Multiply as in the protocol. For the output, the simulator simply chooses a random s as the value received from Output+. The view of the parties is clearly identical to in a real execution.
This completes the proof sketch of the theorem. \(\square \)
5 The First Variant of the SHE-BMR Protocol: \(\pi _0\)
In this section we outline our basic protocol, which follows much upon the lines of the SPDZ-BMR protocol. The modifications needed for a variant using only depth three will be left to Sect. 6. We divide our discussion into three subsections. In the first section we outline the offline functionality \(\mathcal {F}_{\text {offline}}\) we require. This functionality produces a shared garbled circuit which computes the function amongst the players.
For each wire there are \(2 \cdot n\) wire labels, corresponding to two labels for each party. The wire labels are held as encrypted key values \({\langle k_{w,\beta }^i \rangle }\), where encryption is under the SHE scheme, along with encrypted masking values \({\langle \lambda _w \rangle }\); where \(1 \le w \le W\), \(\beta \in \{0,1\}\) and \(1 \le i \le n\). The garbled gates are held as a set of linear combinations of outputs from a suitable Pseudo-Random Function (PRF) which is keyed by the wire labels of all parties. These linear combinations are then used to one-time pad encrypt the output wire label, with the precise linear combination to be used in any given situation determined by the encrypted mask values. The output wire masking values are decrypted towards all parties, and the input wire masking values are decrypted towards the inputting party, but everything else remains held in encrypted form.
We then present the online protocol \(\pi _{\text {MPC},0}\) which implements \(\mathcal {F}_{\text {MPC}}\) in the \(\mathcal {F}_{\text {offline}}\)-hybrid model. This first decrypts the input wire labels desired for each party via the distributed decryption functionality, and revealing the associated selector variables \(\varLambda _w=\rho _w \oplus \lambda _w\), where \(\rho _w\) is the actual intended wire value. The parties are then able, for each gate, to determine which linear combination to apply (using the selector variables), and can then determine the output wire label using the given linear combination. From this they can determine the output selector variable and repeat the process for the next gate, and so on. Once all gates have been processed in this way the players have learnt the selector variables \(\varLambda _w\) for the output wires, and so can compute the output wire values from \(\varLambda _w \oplus \lambda _w\), where the value of \(\lambda _w\), for the output wires, was revealed in the pre-processing phase. At the end of this section we present the offline protocol itself \(\pi _{\text {offline},0}\) which implements \(\mathcal {F}_{\text {offline}}\) in the \(\mathcal {F}_{\text {FHE}^+}\)-hybrid model.
5.1 Functionality \(\mathcal {F}_{\text {offline}}\) for the Offline Phase
We first present the offline functionality (see Fig. 6) for our main MPC protocol. This is almost identical to the offline functionality for the SPDZ-BMR protocol of [27]. The main difference is that it is built on top of our \(\mathcal {F}_{\text {FHE}^+}\) functionality from the previous section, as opposed to the SPDZ MPC protocol. In particular this means we have just a single pre-processing step as opposed to the two phases in [27], which are in turn inherited from the two phases of the SPDZ protocol.
5.2 The SHE-BMR Protocol Specification \(\pi _{\text {MPC}},0\)
We can now give our protocol \(\pi _{\text {MPC},0}\), described in Fig. 7, which securely computes the functionality \(\mathcal {F}_{MPC}\) described in Fig. 2 in the \(\mathcal {F}_{\text {offline}}\)-hybrid model. The computational and communication costs of \(\pi _{\text {MPC},0}\) are mainly in the preprocessing step, with the on-line phase adding only a depth of one to the SHE scheme and two more rounds of communication, all of these costs coming from the need for an actively secure Output+. The on-line phase is just an adaptation of BMR [3], following the trend of [27], and thus we will not discuss it in details.
5.3 The \(\pi _{\text {offline}},0\) Protocol
Protocol \(\pi _{\text {offline},0}\) in Fig. 8 implements \(\mathcal {F}_{\text {offline}}\) in the \(\mathcal {F}_{\text {FHE}^+}\)-hybrid model.
For completeness, we show how to calculate the output indicators for functions \(f_g=AND\) and \(f_g=XOR\) in Fig. 9 as shown in [27]. Note that we consume a multiplicative depth of two for both operations.
-
For \(f_g=AND\), we compute \({\langle t \rangle }={\langle \lambda _a \rangle }\cdot {\langle \lambda _2 \rangle }\) and then \({\langle x_A \rangle }=({\langle t \rangle }-{\langle \lambda _c \rangle })^2\), \({\langle x_B \rangle }=({\langle \lambda _a \rangle }-{\langle t \rangle }-{\langle \lambda _c \rangle })^2\), \({\langle x_C \rangle }=({\langle \lambda _b \rangle }-{\langle t \rangle }-{\langle \lambda _c \rangle })^2\), \({\langle x_D \rangle }=(1-{\langle \lambda _a \rangle }-{\langle \lambda _b \rangle }+{\langle t \rangle }-{\langle \lambda _c \rangle })^2\).
-
For \(f_g=XOR\), we first compute \({\langle t \rangle }={\langle \lambda _a \rangle } \oplus {\langle \lambda _b \rangle }={\langle \lambda _a \rangle }+{\langle \lambda _b \rangle }-2\cdot {\langle \lambda _a \rangle }\cdot {\langle \lambda _2 \rangle }\), and then \({\langle x_A \rangle }=({\langle t \rangle }-{\langle \lambda _c \rangle })^2\), \({\langle x_B \rangle }=(1-{\langle \lambda _a \rangle }-{\langle \lambda _b \rangle }+2\cdot {\langle t \rangle }-{\langle \lambda _c \rangle })^2\), \({\langle x_C \rangle }={\langle x_B \rangle }\), \({\langle x_D \rangle }={\langle x_A \rangle }\).
5.4 Security
The security of our protocol follows from the proof of the security of the SPDZ-BMR protocol in [27]. Apart from the use of Gentry’s MPC protocol, as opposed to the SPDZ protocol, (which is purely an implementation change) the only difference is that the InputData in SPDZ-BMR is generated in a way that guarantees that it is random. For our basic protocol, this is not the case. However, there is nothing that forces the adversary to input the value it actually gets and security is preserved. In particular, the adversary can ignore the value it obtained and use a different one honestly, and no problem arises. So, it is no different from this case where the adversary can choose the value in InputData.
5.5 Analysis of Efficiency
Just as in our analysis of the SPDZ-BMR protocol, we wish to estimate the cost of the most expensive operations; which are the encryptions of input data and random input data.
-
Each party calls InputData once during the Initialize phase of the extended FHE functionality.
-
We perform W RandomBit operations, each of which consumes a \(C_{\mathsf {ID}}\) per party.
-
To create the encrypted PRF keys we require an additional \(2 \cdot W\) invocations of \(C_{\mathsf {ID}}\) per party.
-
Finally to enter the garbled labels we require, \(4 \cdot n^2 \cdot G\) invocations of the input data routine, which consists of \(4 \cdot n \cdot G\) invocations of InputData per party.
Thus the cost of encrypting the data for the SHE-BMR protocol is given by the expression \(\left( {2^{2^2}}4\cdot n^2 \cdot G + (3 \cdot W +1)\cdot n {2^{2^2}}\right) \cdot C_\mathsf {ID},\) which is quadratic in n as opposed to the cubic complexity of the SPDZ-BMR protocol.
6 A Modified SHE-BMR Protocol of Depth 3: \(\pi _1\)
In this section we give a description of the protocol \(\pi _1\) (see Figs. 10 and 12 for the offline and online modifications respectively) which requires only a multiplicative depth of three rather than four as in \(\pi _0\). This reduction on the depth of the SHE scheme comes directly from the reduction of the depth of the circuit used for garbling the actual circuit to evaluate. On the downside, we require additional \(2\cdot W\cdot n \cdot (n-1)\) calls to InputData and some more multiplications in the offline and online phases. The new protocol \(\pi _1\) is, in fact, just a variant of \(\pi _0\), and for which set of parameters one would be preferred in practice over the other remains to be empirically tested.
6.1 Protocol \(\pi _1\) Description
Our earlier protocol \(\pi _0\) securely computes the BMR garbled gates, as follows. For every gate the parties first compute the shares \({\langle x_A \rangle },{\langle x_B \rangle },{\langle x_C \rangle },{\langle x_D \rangle }\) and then use these shares to compute the shares \({\langle \mathbf {v}_{c,x_A} \rangle },{\langle \mathbf {v}_{c,x_B} \rangle }, {\langle \mathbf {v}_{c,x_C} \rangle },{\langle \mathbf {v}_{c,x_D} \rangle }\) of the keys \(\mathbf {k}_{c,0}\) or \(\mathbf {k}_{c,1}\) on the output wire of the gate. Finally, these are masked by the pseudorandom values provided by all parties; see Fig. 9. Considering how these equations are computed, we have that the \({\langle x_* \rangle }\) values require two multiplications and the \({\langle \mathbf {v}_{c,x_*} \rangle }\) require an additional multiplication. The final multiplication, making it depth-4, is needed for computing Output+. Thus, our aim is to compute the \({\langle \mathbf {v}_{c,x_*} \rangle }\) values directly, with just two multiplications instead of three.
In order to achieve this, we directly considered AND and XOR gates, and provide direct formulae for them. The main idea is that it actually suffices to compute shares of either the key \(\mathbf {k}_{c,*}\) on the output wire or its opposite \(-\mathbf {k}_{c,*}\) modulo p. The reason that this suffices is that the square of these values is the same. Thus, we have two versions of each key: the basic-key and the squared-key. The offline protocol works by the parties calling RandomElement in order to generate each basic-key and then squaring the result and revealing the squared-key to the appropriate party. Recall that in BMR, each party has one part of the key, and inputs it in the offline phase to generate the garbled gates. The parties then compute the shares of the basic-keys on the output wire of the gate (or their negative) and mask the result with the outputs of the PRF, computed using the revealed squared-keys. Observe that in the online phase, the basic-key is revealed (since this is what is masked) and the parties then square it in order to compute the PRF values to decrypt the next garbled gate.
Since the basic-key is random and was never revealed, the parties have no idea if they received the basic-key or it’s negative. Otherwise this would leak information about the values on the wires (as we mentioned, we compute either the key or its negative, and this depends on the values on the wires). This adds \(2\cdot W\cdot n \cdot (n-1)\) calls to InputData to generate the keys via calls to RandomElement to ensure that no party knows them in the offline phase.
The AND gate. We now present the equations for computing an AND gate with input wires a, b and output wire c. In order to motivate these equations, we build the first equation for computing \({\langle \mathbf {v}_{c,x_A} \rangle }\), which is the share of the key output from the first ciphertext in the garbled gate, in detail. We denote the basic-keys (before being squared) on the output wire by \(\mathbf {\tilde{k}}_{c,0},\mathbf {\tilde{k}}_{c,1}\). If the indicator-bit \(\lambda _c\) on the output wire equals 1 then the roles of the 0-key and 1-key are reversed. Then, if the input-bit on wire a equals 0, then \({\langle \lambda _a \rangle }\) equals 0 and so the output is a function of the first row of the equation. Once a equals 0, the output equals 0 irrespective of b, since this is an AND gate. Thus, if the output indicator bit equals 0 then the output should be \({\langle \mathbf {\tilde{k}}_{c,0} \rangle }\); otherwise the output should be \({\langle \mathbf {\tilde{k}}_{c,1} \rangle }\). In contrast, if the input on wire a equals 1, then the output depends only on the second row of the equation (since \(1-{\langle \lambda _a \rangle }\) equals 0). The output in this case depends on b. If \(b=1\) and \(c=0\) or if \(b=0\) and \(c=1\) then the output should be \({\langle \mathbf {\tilde{k}}_{c,1} \rangle }\) (since in the first case \(a=b=1\) and the output is the 1-key, and in the second case the output should be the 0-key but \(c=1\) and so the roles are reversed). This is obtained by multiplying \({\langle \mathbf {\tilde{k}}_{c,1} \rangle }\) by \({\langle \lambda _b \rangle }-{\langle \lambda _c \rangle }\) which equals \(\pm 1\) in both of these cases (and 0 otherwise). We then multiply \({\langle \mathbf {\tilde{k}}_{c,0} \rangle }\) by \(1-{\langle \lambda _b \rangle }-{\langle \lambda _c \rangle }\), which equals 0 in both of these cases that \(b=0,c=1\) and \(b=1,c=0\). In contrast, if \(b=c=0\) or \(b=c=1\) then the output should be \({\langle \mathbf {\tilde{k}}_{c,0} \rangle }\) (since if \(b=c=0\) then the output is 0, and if \(b=c=1\) then the output is 1 but the 1-key is reversed). Finally leading to the equation
The remaining three equations are computed similarly, as follows:
In order to prove correctness of these equations, we present the truth table of the outputs in Fig. 11. Observe that all values are correct, but sometimes the negative value of the basic-key is obtained.
The XOR gate. We use a similar idea as above to compute the XOR gate. Intuitively, in a XOR gate, there are two cases: \(\lambda _a=\lambda _b\) and \(\lambda _a\ne \lambda _b\). Multiplying by \(\lambda _a-\lambda _b\) gives \(\pm 1\) if \(\lambda _a\ne \lambda _b\) and 0 if \(\lambda _a=\lambda _b\). Furthermore, multiplying by \(1-\lambda _a-\lambda _b\) gives the exact reverse case; it equals 0 if \(\lambda _a\ne \lambda _b\) and equals \(\pm 1\) if \(\lambda _a=\lambda _b\). Observe that \({\langle \mathbf {v}_{c,x_C} \rangle }\) and \({\langle \mathbf {v}_{c,x_D} \rangle }\) need not be computed at all since \((1-a)\oplus b=a\oplus (1-b)\) and \((1-a)\oplus (1-b)=a\oplus b\). This yields the following equations, where as above, we prove correctness via the truth table given in Fig. 11.
Security of the Modified Protocol: Observe that in the offline phase, the only difference is that the \({\langle \mathbf {v}_{c,x_*} \rangle }\) values contain the “tilde” version of the keys; more formally, the \({\langle \mathbf {v}_{c,x_*} \rangle }\) ciphertexts encrypt the square root of the keys, and not the keys themselves. Thus, in the online phase, the parties receive the square roots of the keys and need to square them before proceeding. The only issue that needs to be explained here is that the specific square root provided reveals no information. This needs to be justified because if an adversary could know that \(-\tilde{k}\) is computed or \(\tilde{k}\), then it would know some information about the masks \(\lambda _a,\lambda _b,\lambda _c\). However, since the \(\tilde{k}\) values are uniformly distributed in \(\mathbb {F}_p\), and the keys themselves revealed in the offline phase are \(k=\tilde{k}^2\), it follows that each of the two square roots of k are equally probable. Stated differently, given k, the distribution over \(\tilde{k}\) and \(-\tilde{k}\) is identical.
Analysis of Efficiency of the Modified Protocol: As we noted in the introduction, the two main sources of overhead that concern our MPC protocol are the number of rounds and the number of calls to the \(\mathsf {ID}\) protocol. The former is not changed by our \(\pi _1\) variant, but the latter does. To generate the keys in \(\pi _{\text {offline},1}\), we now perform \(2\cdot W\cdot n^2\) calls to InputData, via calls to RandomElement. In \(\pi _0\) we performed \(2\cdot W\cdot n\) calls to generate the keys, so overall we add \(2\cdot W\cdot n \cdot (n-1)\) calls to InputData. To analyse the number of homomorphic multiplications we go through each step of the protocol:
-
Generate keys step: We perform \(4 \cdot W \cdot n\) more multiplications (half of them to square the keys, the other half to Output+ them).
-
Calculate garbled gates step:
-
1.
For every AND gate, we used 13 multiplications in the first variant. Now, by careful rewriting of the equations, we can do this in 20.
-
2.
For every XOR gate, we used 7 multiplications in the first variant. Now we use 12.
-
3.
So, on average, we pass from 10 to 16 multiplications per gate.
-
1.
Thus, overall on average we perform \(4 \cdot W \cdot n + 6 \cdot G\) more homomorphic multiplications. However, in practice each homomorphic multiplication will be more efficient since the overall depth of the SHE scheme can now be three rather than four.
Notes
- 1.
Choosing at random which ciphertexts to open cannot be carried out in a single round. However, it is possible for all parties to commit to the randomness in previous rounds and only decrypt in this round.
- 2.
With reference to [27] this is one round in the preprocessing-I phase and the start of the preprocessing-II phase due to the Output commands, and three to evaluate the required circuits in step 3 of preprocessing-II (since the circuits are of depth three, and hence require three rounds of computation), plus two to verify all the associated MAC values.
References
Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer and extensions for faster secure computation. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, 4–8 November 2013, pp. 535–548. ACM (2013)
Baum, C., Damgård, I., Toft, T., Zakarias, R.: Better preprocessing for secure multiparty computation. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 327–345. Springer, Heidelberg (2016). doi:10.1007/978-3-319-39555-5_18
Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols. In: Ortiz, H. (ed.), 22nd STOC, pp. 503–513. ACM (1990)
Bellare, M., Hoang, V.T., Keelveedhi, S., Rogaway, P.: Efficient garbling from a fixed-key blockcipher. In: 2013 IEEE Symposium on Security and Privacy, SP 2013, 19–22 May 2013, Berkeley, CA, USA, pp. 478–492. IEEE Computer Society (2013)
Canetti, R., Cohen, A., Lindell. Y.: A simpler variant of universally composable security for standard multiparty computation. In: Gennaro and Robshaw [15], pp. 3–22 (2015)
Canetti, R., Garay, J.A. (eds.): CRYPTO 2013. LNCS, vol. 8043. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40084-1_2
Choi, S.G., Hwang, K.-W., Katz, J., Malkin, T., Rubenstein, D.: Secure multi-party computation of Boolean circuits with applications to privacy in on-line marketplaces. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 416–432. Springer, Heidelberg (2012). doi:10.1007/978-3-642-27954-6_26
Choi, S.G., Katz, J., Malozemoff, A.J., Zikas, V.: Efficient three-party computation from cut-and-choose. In: Garay and Gennaro [13], pp. 513–530 (2014)
Costache, A., Smart, N.P.: Which ring based somewhat homomorphic encryption scheme is best? In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 325–340. Springer, Heidelberg (2016). doi:10.1007/978-3-319-29485-8_19
Damgård, I., Keller, M., Larraia, E., Pastro, V., Scholl, P., Smart, N.P.: Practical covertly secure MPC for dishonest majority – or: breaking the SPDZ limits. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 1–18. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40203-6_1
Damgård, I., Pastro, V., Smart, N.P., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini and Canetti [32], pp. 643–662 (2012)
Damgård, I., Polychroniadou, A., Rao, V.: Adaptively secure multi-party computation from LWE (via equivocal FHE). In: Cheng, C.-M., et al. (eds.) PKC 2016. LNCS, vol. 9615, pp. 208–233. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49387-8_9
Garay, J.A., Gennaro, R. (eds.): CRYPTO 2014. LNCS, vol. 8617. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44381-1_29
Garg, S., Mukherjee, P., Pandey, O., Polychroniadou, A.: The exact round complexity of secure computation. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 448–476. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49896-5_16
Gennaro, R., Robshaw, M. (eds.): CRYPTO 2015. LNCS, vol. 9216. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48000-7_1
Gentry, C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2009). http://crypto.stanford.edu/craig
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or A completeness theorem for protocols with honest majority. In: Aho, A.V. (ed.) Proceedings of the 19th Annual ACM Symposium on Theory of Computing, pp. 218–229. ACM, New York (1987)
Goldwasser, S., Lindell, Y.: Secure multi-party computation without agreement. J. Cryptology 18(3), 247–287 (2005)
Huang, Y., Katz, J., Evans, D.: Efficient secure two-party computation using symmetric cut-and-choose. In: Canetti and Garay [6], pp. 18–35 (2013)
Ishai, Y., Prabhakaran, M., Sahai, A.: Founding cryptography on oblivious transfer – efficiently. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 572–591. Springer, Heidelberg (2008). doi:10.1007/978-3-540-85174-5_32
Katz, J., Ostrovsky, R.: Round-optimal secure two-party computation. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 335–354. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28628-8_21
Larraia, E., Orsini, E., Smart. N.P.: Dishonest majority multi-party computation for binary circuits. In: Garay and Gennaro [13], pp. 495–512 (2014)
Lindell, Y.: Fast cut-and-choose based protocols for malicious and covert adversaries. In: Canetti and Garay [6], pp. 1–17 (2013)
Lindell, Y., Oxman, E., Pinkas, B.: The IPS compiler: optimizations, variants and concrete efficiency. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 259–276. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9_15
Lindell, Y., Pinkas, B.: An efficient protocol for secure two-party computation in the presence of malicious adversaries. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 52–78. Springer, Heidelberg (2007). doi:10.1007/978-3-540-72540-4_4
Lindell, Y., Pinkas, B.: Secure two-party computation via cut-and-choose oblivious transfer. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 329–346. Springer, Heidelberg (2011). doi:10.1007/978-3-642-19571-6_20
Lindell, Y., Pinkas, B., Smart, N.P., Yanai, A.: Efficient constant round multi-party computation combining BMR and SPDZ. In: Gennaro and Robshaw [15], pp. 319–338 (2015)
Lindell, Y., Riva, B.: Cut-and-choose Yao-based secure computation in the online/offline and batch settings. In: Garay and Gennaro [13], pp. 476–494 (2014)
Lindell, Y., Riva, B.: Blazing fast 2PC in the offline/online setting with security for malicious adversaries. In: Ray, I., Li, N., Kruegel, C. (eds.) Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 12–6 October 2015, Denver, CO, USA, pp. 579–590. ACM (2015)
Nielsen, J.B., Nordholt, P.S., Orlandi, C., Burra, S.S.: A new approach to practical active-secure two-party computation. In: Safavi-Naini and Canetti [32], pp. 681–700 (2012)
Pinkas, B., Schneider, T., Smart, N.P., Williams, S.C.: Secure two-party computation is practical. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 250–267. Springer, Heidelberg (2009)
Safavi-Naini, R., Canetti, R. (eds.): CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_38
Schneider, T., Zohner, M.: GMW vs. Yao? efficient secure two-party computation with low depth circuits. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 275–292. Springer, Heidelberg (2013). doi:10.1007/978-3-642-39884-1_23
shelat, A., Shen, C.: Two-output secure computation with malicious adversaries. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 386–405. Springer, Heidelberg (2011). doi:10.1007/978-3-642-20465-4_22
Yao, A.C.-C.: Protocols for secure computations. In: 23rd Annual Symposium on Foundations of Computer Science, 3–5 November 1982, Chicago, Illinois, USA, pp. 160–164. IEEE Computer Society (1982)
Acknowledgements
The first author was supported in part by the European Research Council under the European Union’s Seventh Framework Programme (FP/2007-2013)/ERC consolidators grant agreement n. 615172 (HIPS), and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minster’s Office. The second author was supported in part by ERC Advanced Grant ERC-2010-AdG-267188-CRIPTO, DARPA and the US Navy under contract #N66001-15-C-4070, and by EPSRC via grants EP/I03126X and EP/N021940/1. The third author was supported in part by the Marie Sklodowska-Curie ITN ECRYPT-NET (Project Reference 643161). All authors were also supported by an award from EPSRC (grant EP/M012824), from the Ministry of Science, Technology and Space, Israel, and the UK Research Initiative in Cyber Security.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 International Association for Cryptologic Research
About this paper
Cite this paper
Lindell, Y., Smart, N.P., Soria-Vazquez, E. (2016). More Efficient Constant-Round Multi-party Computation from BMR and SHE. In: Hirt, M., Smith, A. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science(), vol 9985. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-53641-4_21
Download citation
DOI: https://doi.org/10.1007/978-3-662-53641-4_21
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-53640-7
Online ISBN: 978-3-662-53641-4
eBook Packages: Computer ScienceComputer Science (R0)