Using TopGear in Overdrive: A More Efficient ZKPoK for SPDZ

  • Conference paper
  • Selected Areas in Cryptography – SAC 2019 (SAC 2019)

Abstract

The HighGear protocol (Eurocrypt 2018) is the fastest currently known approach to preprocessing for the SPDZ Multi-Party Computation scheme. Its backbone is formed by an Ideal Lattice-based Somewhat Homomorphic Encryption Scheme and accompanying Zero-Knowledge proofs. Unfortunately, due to certain characteristics of HighGear such current implementations limit the security parameters in a number of places. This is mainly due to memory and bandwidth consumption constraints.

In this work we present a new approach to the ZKPoKs for the SPDZ Multi-Party Computation scheme. We rigorously formalize the original approach of HighGear and show how to improve upon it using a different proof strategy. This allows us to increase the security of the underlying protocols, whilst simultaneously also increasing the performance in terms of memory and bandwidth consumption as well as overall throughput of the SPDZ offline phase.

Notes

  1. There do exist ZKPoKs for lattice-based primitives which prove exact bounds. Unfortunately, their computation and communication overhead makes them no match in practice for protocols having soundness slack.

  2. In the way it is used, each prover also acts as an independent verifier.

  3. Similar values can be obtained for other values of n; we selected \(n=2\) purely for illustration here, and the effect of n on the values is relatively minor.

  4. https://bitbucket.org/malb/lwe-estimator.
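Note 1 contrasts proofs of exact bounds with the cheaper proofs "having soundness slack" that SPDZ preprocessing relies on. The following Python is an added illustration of what that slack is; it is not code from the paper, from HighGear/TopGear or from SCALE-MAMBA. It is a Schnorr-style proof of knowledge of a short vector s with A·s = t over Z_Q, using rejection sampling in the style of Fiat-Shamir with aborts [26]. All parameters (Q, N, M, BETA, B, ROUNDS) and all function names are assumptions chosen for the example and give no real security. The honest prover holds a witness with infinity norm at most BETA, but the verifier can only check that the response z has norm at most GAMMA = B - BETA, so what the proof actually guarantees is a witness of norm at most 2·GAMMA: the slack factor is 2·GAMMA/BETA, and a prover holding a far larger witness is accepted as well.

```python
import hashlib
import random

# Constructed toy parameters, not the paper's. The modulus is the Dilithium
# prime, used only as a convenient sample; N and M are tiny so the example
# runs instantly, and the whole setup gives no real security.
Q = 8380417
N, M = 4, 8          # public matrix A is N x M over Z_Q
BETA = 1             # honest witness bound: ||s||_inf <= BETA
B = 1 << 12          # masking bound: y is uniform in [-B, B]^M
GAMMA = B - BETA     # the bound the verifier actually checks on z
ROUNDS = 32          # parallel repetitions: soundness error 2^-ROUNDS


def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) % Q for row in A]


def inf_norm(v):
    return max(abs(x) for x in v)


def sample_matrix(rng):
    return [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]


def slack_factor():
    """Ratio between what is proven (2*GAMMA) and what an honest prover holds (BETA)."""
    return 2 * GAMMA / BETA


def commit(A, rng):
    """First message of one round: mask y and commitment w = A*y."""
    y = [rng.randint(-B, B) for _ in range(M)]
    return y, matvec(A, y)


def respond(y, s, c):
    """Third message z = y + c*s, or None (abort) when z would leak s.
    Conditioned on not aborting, z is uniform on [-GAMMA, GAMMA]^M whatever s is."""
    z = [yi + c * si for yi, si in zip(y, s)]
    return z if inf_norm(z) <= GAMMA else None


def challenge(A, t, ws):
    """Fiat-Shamir: one challenge bit per round, hashed from statement and commitments."""
    h = hashlib.sha256()
    for row in A:
        h.update(",".join(map(str, row)).encode())
    h.update(",".join(map(str, t)).encode())
    for w in ws:
        h.update(",".join(map(str, w)).encode())
    digest = int.from_bytes(h.digest(), "big")
    return [(digest >> i) & 1 for i in range(ROUNDS)]


def prove(A, s, t, rng, max_attempts=10000):
    """Non-interactive proof of knowledge of s with A*s = t; resamples on abort."""
    for _ in range(max_attempts):
        ys, ws = zip(*(commit(A, rng) for _ in range(ROUNDS)))
        cs = challenge(A, t, ws)
        zs = [respond(y, s, c) for y, c in zip(ys, cs)]
        if all(z is not None for z in zs):
            return list(ws), zs
    return None


def verify(A, t, proof):
    ws, zs = proof
    cs = challenge(A, t, ws)
    for w, c, z in zip(ws, cs, zs):
        if inf_norm(z) > GAMMA:          # this, not ||z|| <= BETA, is all we can check
            return False
        if matvec(A, z) != [(wi + c * ti) % Q for wi, ti in zip(w, t)]:
            return False
    return True


def fork_and_extract(A, s, rng):
    """Special soundness: accepting responses to c=0 and c=1 on one commitment
    give s' = z1 - z0 with A*s' = t and ||s'||_inf <= 2*GAMMA. Nothing forces
    ||s'||_inf <= BETA; that gap is the soundness slack."""
    while True:
        y, _ = commit(A, rng)
        z0, z1 = respond(y, s, 0), respond(y, s, 1)
        if z0 is not None and z1 is not None:
            return [b - a for a, b in zip(z0, z1)]


def run_demo(seed=2019):
    """Honest case, a tampered proof, and an over-sized witness; returns outcomes."""
    rng = random.Random(seed)
    A = sample_matrix(rng)
    s = [rng.randint(-BETA, BETA) for _ in range(M)]            # honest witness
    t = matvec(A, s)
    proof = prove(A, s, t, rng)
    ws, zs = proof
    tampered = (ws, [[zs[0][0] + 1] + zs[0][1:]] + zs[1:])     # break one response
    big = [rng.choice((-1, 1)) * rng.randint(50, 100) for _ in range(M)]  # norm >> BETA
    t_big = matvec(A, big)
    return {
        "honest_accepted": verify(A, t, proof),
        "tampered_rejected": not verify(A, t, tampered),
        "honest_extracted": fork_and_extract(A, s, rng) == s,
        "big_norm": inf_norm(big),
        "big_accepted": verify(A, t_big, prove(A, big, t_big, rng)),
        "big_extracted_norm": inf_norm(fork_and_extract(A, big, rng)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
    print("slack factor 2*GAMMA/BETA =", slack_factor())
```

The point of the demo is the last two entries: a prover whose witness has norm around 100 (a hundred times BETA) is still accepted, and the extractor only ever recovers a witness bounded by 2·GAMMA. In an SHE setting the ciphertext noise analysis must therefore be done with the slack bound rather than the honest bound, which is why the parameter sizes in Table 1 depend on the proof strategy and not only on the security level.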

References

  1. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 2016, Austin, TX, USA, 10–12 August 2016, pp. 327–343. USENIX Association (2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/alkim

  2. Aly, A., et al.: SCALE-MAMBA v1.2: Documentation (2018). https://homes.esat.kuleuven.be/~nsmart/SCALE/Documentation.pdf

  3. Baum, C., Bootle, J., Cerulli, A., del Pino, R., Groth, J., Lyubashevsky, V.: Sub-linear lattice-based zero-knowledge arguments for arithmetic circuits. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 669–699. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_23

  4. Baum, C., Damgård, I., Larsen, K.G., Nielsen, M.: How to prove knowledge of small secrets. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 478–498. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_17

  5. Baum, C., Lyubashevsky, V.: Simple amortized proofs of shortness for linear relations over polynomial rings. Cryptology ePrint Archive, Report 2017/759 (2017). http://eprint.iacr.org/2017/759

  6. Ben-Or, M., Goldwasser, S., Kilian, J., Wigderson, A.: Multi-prover interactive proofs: how to remove intractability assumptions. In: 20th Annual ACM Symposium on Theory of Computing, pp. 113–131. ACM Press, Chicago, 2–4 May 1988

  7. Bendlin, R., Damgård, I., Orlandi, C., Zakarias, S.: Semi-homomorphic encryption and multiparty computation. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 169–188. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_11

  8. Benhamouda, F., Camenisch, J., Krenn, S., Lyubashevsky, V., Neven, G.: Better zero-knowledge proofs for lattice encryption and their application to group signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 551–572. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_29

  9. Benhamouda, F., Krenn, S., Lyubashevsky, V., Pietrzak, K.: Efficient zero-knowledge proofs for commitments from learning with errors over rings. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 305–325. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_16

  10. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Goldwasser, S. (ed.) ITCS 2012: 3rd Innovations in Theoretical Computer Science, pp. 309–325. Association for Computing Machinery, Cambridge, 8–10 January 2012

  11. Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.) 52nd Annual Symposium on Foundations of Computer Science, pp. 97–106. IEEE Computer Society Press, Palm Springs, 22–25 October 2011

  12. Cramer, R., Damgård, I.: On the amortized complexity of zero-knowledge protocols. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 177–191. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_11

  13. Cramer, R., Damgård, I., Xing, C., Yuan, C.: Amortized complexity of zero-knowledge proofs revisited: achieving linear soundness slack. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 479–500. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_17

  14. Damgård, I., Keller, M., Larraia, E., Pastro, V., Scholl, P., Smart, N.P.: Practical covertly secure MPC for dishonest majority – or: breaking the SPDZ limits. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 1–18. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40203-6_1

  15. Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_38

  16. del Pino, R., Lyubashevsky, V.: Amortization with fewer equations for proving knowledge of small secrets. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 365–394. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_13

  17. del Pino, R., Lyubashevsky, V., Seiler, G.: Short discrete log proofs for FHE and ring-LWE ciphertexts. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 344–373. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17253-4_12

  18. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3

  19. Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embedd. Syst. 2018(1), 238–268 (2018). https://tches.iacr.org/index.php/TCHES/article/view/839

  20. Gentry, C., Halevi, S., Smart, N.P.: Better bootstrapping in fully homomorphic encryption. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 1–16. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_1

  21. Gentry, C., Halevi, S., Smart, N.P.: Fully homomorphic encryption with polylog overhead. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 465–482. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_28

  22. Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_49

  23. Halevi, S., Shoup, V.: Algorithms in HElib. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 554–571. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_31

  24. Keller, M., Orsini, E., Scholl, P.: MASCOT: faster malicious arithmetic secure computation with oblivious transfer. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016: 23rd Conference on Computer and Communications Security, pp. 830–842. ACM Press, Vienna, 24–28 October 2016

  25. Keller, M., Pastro, V., Rotaru, D.: Overdrive: making SPDZ great again. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 158–189. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_6

  26. Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35

Acknowledgments

We thank Ivan Damgård for his helpful comments. The work of Carsten has been done at Bar Ilan University, Israel. This work has been supported by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office, in part by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 669255 (MPCPRO), in part by ERC Advanced Grant ERC-2015-AdG-IMPaCT, by the Defense Advanced Research Projects Agency (DARPA) and Space and Naval Warfare Systems Center, Pacific (SSC Pacific) under contract No. N66001-15-C-4070, and by the FWO under an Odysseus project GOH9718N.

Author information

Corresponding author: Nigel P. Smart.

Appendices

A Parameter Size Table

See Table 1 for the various FHE parameter sizes for our different security levels.

Table 1. SHE parameter sizes for various security parameters in HighGear and TopGear (two parties), with \(\mathsf {DD\_sec}, \mathsf {ZK\_sec}\le \mathsf {Snd\_sec}\) and \(\mathsf {DD\_sec}, \mathsf {ZK\_sec}, \mathsf {Snd\_sec}\in \{40,80,128\}\). A single checkmark on a row marks the default parameters used in SCALE-MAMBA v1.2. Two checkmarks mark the parameters we use in the experiments on memory and throughput. The rows with three checkmarks are the parameters we would recommend.

B Experimental Data

Table 2. Percentage memory consumption for HighGear for two players and \(\log _2 p = 128\).
Table 3. Percentage memory consumption for TopGear for two players and \(\log _2 p = 128\).
Table 4. Maximum Triples per Second for HighGear for two players and \(\log _2 p=128\), after computing two million triples.
Table 5. Maximum Triples per Second for TopGear for two players and \(\log _2 p=128\), after computing two million triples.
Table 6. Percentage memory consumption and triples per second for TopGear for two players with \(\mathsf {DD\_sec}= \mathsf {ZK\_sec}=80\) and \(\log _2 p = \mathsf {Snd\_sec}=128\). We also give (in brackets) the percentage throughput compared to the (low security) standard SCALE-MAMBA v1.2 settings using HighGear.
Table 7. Percentage memory consumption and triples per second for TopGear for two players with \(\log _2 p = \mathsf {DD\_sec}=\mathsf {ZK\_sec}=\mathsf {Snd\_sec}=128\). Again, we also give (in brackets) the percentage throughput compared to the (low security) standard SCALE-MAMBA v1.2 settings using HighGear.

C Run Time Graphs

In Fig. 4 we provide graphs of the throughput for HighGear in our low security setting, \(\mathsf {Snd\_sec}=40\), with the comparable graph for TopGear in Fig. 5, both for two players; the graphs run up to the production of 2 million triples. The graphs are not straight lines but have bumps in them because the triple production threads produce triples faster than the threads running the ZKPoKs can supply ciphertexts. The triple production threads therefore often have to wait until a ZKPoK has completed before they can proceed. In Figs. 6 and 7 we provide similar graphs of the throughput for HighGear and TopGear in our high security setting, \(\mathsf {Snd\_sec}=128\).

Fig. 4. Average time y to produce a triple given the number of triples that have been produced x, for HighGear with parameters \(\mathsf {DD\_sec}=\mathsf {ZK\_sec}=\mathsf {Snd\_sec}=40\). Blue \(t_\mathsf {Tr}=1\), Red \(t_\mathsf {Tr}=2\), Green \(t_\mathsf {Tr}=4\), Magenta \(t_\mathsf {Tr}=8\) (Color figure online)

Fig. 5. Average time y to produce a triple given the number of triples that have been produced x, for TopGear with parameters \(\mathsf {DD\_sec}=\mathsf {ZK\_sec}=\mathsf {Snd\_sec}=40\). Blue \(t_\mathsf {Tr}=1\), Red \(t_\mathsf {Tr}=2\), Green \(t_\mathsf {Tr}=4\), Magenta \(t_\mathsf {Tr}=8\) (Color figure online)

Fig. 6. Average time y to produce a triple given the number of triples that have been produced x, for HighGear with parameters \(\mathsf {DD\_sec}=\mathsf {ZK\_sec}=40\) and \(\mathsf {Snd\_sec}=128\). Blue \(t_\mathsf {Tr}=1\), Red \(t_\mathsf {Tr}=2\), Green \(t_\mathsf {Tr}=4\), Magenta \(t_\mathsf {Tr}=8\) (Color figure online)

Fig. 7. Average time y to produce a triple given the number of triples that have been produced x, for TopGear with parameters \(\mathsf {DD\_sec}=\mathsf {ZK\_sec}=40\) and \(\mathsf {Snd\_sec}=128\). Blue \(t_\mathsf {Tr}=1\), Red \(t_\mathsf {Tr}=2\), Green \(t_\mathsf {Tr}=4\), Magenta \(t_\mathsf {Tr}=8\) (Color figure online)

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Baum, C., Cozzo, D., Smart, N.P. (2020). Using TopGear in Overdrive: A More Efficient ZKPoK for SPDZ. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science, vol. 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_12

  • DOI: https://doi.org/10.1007/978-3-030-38471-5_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-38470-8

  • Online ISBN: 978-3-030-38471-5
