Ronald Cramer,Matthieu Rambaud,Chaoping Xing

DOI: https://doi.org/10.1007/978-3-030-84252-9_22

2021-01-01

Abstract:This paper studies information-theoretically secure multiparty computation (MPC) over rings Z/p(l)Z. In the work of [Abs+19a, TCC'19], a protocol based on the Shamir secret sharing over Z/p(l)Z was presented. As in the field case, its limitation is that the share size grows as the number of players increases. Then several MPC protocols were developed in [Abs+20, Asiacrypt'20] to overcome this limitation. However, (i) their offline multiplication gate has super-linear communication complexity in the number of players; (ii) the share size is doubled for the most important case, namely over Z/2(l)Z due to infeasible lifting of selforthogonal codes from fields to rings; (iii) most importantly, the BGW model could not be applied via the secret sharing given in [Abs+20, Asiacrypt'20] due to lack of strong multiplication. In this paper we overcome all the drawbacks mentioned above. Of independent interest, we establish an arithmetic secret sharing with strong multiplication, which is the most important primitive in the BGW model. Incidentally, our solution to (i) has some advantages over the concurrent one of [PS21, EC'21], since it is direct, is only one-page long, and furthermore carries over Z/p(l)Z. Finally, we lift Reverse Multiplication Friendly Embeddings (RMFE) from fields to rings, with same (linear) complexity. Note that RMFE has become a standard technique for communication complexity in MPC in the regime over many instances of the same circuit, as in [Cas+18, Crypto'18] and [DLN19, Crypto'19]. We thus recover the same amortized complexity of MPC over Z/2(l)Z than are free modules. To make our scheme practical, we start from good algebraic geometry codes over finite fields obtained from existing computational techniques. Then we present, and implement, an efficient algorithm to Hensel-lift the generating matrix of the code, such that the multiplicative conditions are preserved over rings. On the other hand, a random lifting of codes over rings does not preserve multiplicativity in general. Finally we provide efficient methods for sharing and reconstruction over rings.

Daniel Escudero,Eduardo Soria-Vazquez

DOI: https://doi.org/10.1007/978-3-030-84245-1_12

2021-01-01

Abstract:We construct the first efficient, unconditionally secure MPC protocol that only requires black-box access to a non-commutative ring R. Previous results in the same setting were efficient only either for a constant number of corruptions or when computing branching programs and formulas. Our techniques are based on a generalization of Shamir’s secret sharing to non-commutative rings, which we derive from the work on Reed Solomon codes by Quintin, Barbier and Chabot (IEEE Transactions on Information Theory, 2013). When the center of the ring contains a set A={α0,…,αn}documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$A = {alpha _0, ldots , alpha _n}$$end{document} such that ∀i≠j,αi-αj∈R∗documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$forall i e j, alpha _i ,-, alpha _j in R^*$$end{document}, the resulting secret sharing scheme is strongly multiplicative and we can generalize existing constructions over finite fields without much trouble.Most of our work is devoted to the case where the elements of A do not commute with all of R, but they just commute with each other. For such rings, the secret sharing scheme cannot be linear “on both sides” and furthermore it is not multiplicative. Nevertheless, we are still able to build MPC protocols with a concretely efficient online phase and black-box access to R. As an example we consider the ring Mm×m(Z/2kZ)documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathcal {M}_{m imes m}(mathbb {Z}/2^kmathbb {Z})$$end{document}, for which when m>log(n+1)documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$m > log (n+1)$$end{document}, we obtain protocols that require around ⌈log(n+1)⌉/2documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$lceil log (n+1) ceil /2$$end{document} less communication and 2⌈log(n+1)⌉documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$2lceil log (n+1) ceil $$end{document} less computation than the state of the art protocol based on Circuit Amortization Friendly Encodings (Dalskov, Lee and Soria-Vazquez, ASIACRYPT 2020).In this setting with a “less commutative” A, our black-box preprocessing phase has a less practical complexity of poly(n)documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathsf {poly}(n)$$end{document}. We fix this by additionally providing specialized, concretely efficient preprocessing protocols for Mm×m(Z/2kZ)documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathcal {M}_{m imes m}(mathbb {Z}/2^kmathbb {Z})$$end{document} that exploit the structure of the matrix ring.

Mark Abspoel,Ronald Cramer,Ivan Damgård,Daniel Escudero,Matthieu Rambaud,Chaoping Xing,Chen Yuan

DOI: https://doi.org/10.1007/978-3-030-64840-4_6

2020-01-01

Abstract:We study information-theoretic multiparty computation (MPC) protocols over rings Z / p k Z that have good asymptotic communication complexity for a large number of players. An important ingredient for such protocols is arithmetic secret sharing, i.e., linear secret-sharing schemes with multiplicative properties. The standard way to obtain these over fields is with a family of linear codes C , such that C , C ⊥ and C 2 are asymptotically good (strongly multiplicative). For our purposes here it suffices if the square code C 2 is not the whole space, i.e., has codimension at least 1 (multiplicative). Our approach is to lift such a family of codes defined over a finite field F to a Galois ring, which is a local ring that has F as its residue field and that contains Z / p k Z as a subring, and thus enables arithmetic that is compatible with both structures. Although arbitrary lifts preserve the distance and dual distance of a code, as we demonstrate with a counterexample, the multiplicative property is not preserved. We work around this issue by showing a dedicated lift that preserves self-orthogonality (as well as distance and dual distance), for p ≥ 3 . Self-orthogonal codes are multiplicative, therefore we can use existing results of asymptotically good self-dual codes over fields to obtain arithmetic secret sharing over Galois rings. For p = 2 we obtain multiplicativity by using existing techniques of secret-sharing using both C and C ⊥ , incurring a constant overhead. As a result, we obtain asymptotically good arithmetic secret-sharing schemes over Galois rings. With these schemes in hand, we extend existing field-based MPC protocols to obtain MPC over Z / p k Z , in the setting of a submaximal adversary corrupting less than a fraction 1 / 2 - ε of the players, where ε > 0 is arbitrarily small. We consider 3 different corruption models. For passive and active security with abort, our protocols communicate O ( n ) bits per multiplication. For full security with guaranteed output delivery we use a preprocessing model and get O ( n ) bits per multiplication in the online phase and O ( n log n ) bits per multiplication in the offline phase. Thus, we obtain true linear bit complexities, without the common assumption that the ring size depends on the number of players.

Ignacio Cascudo,Ronald Cramer,Chaoping Xing,Chen Yuan

DOI: https://doi.org/10.1007/978-3-319-96878-0_14

2018-01-01

Abstract:A fundamental and widely-applied paradigm due to Franklin and Yung (STOC 1992) on Shamir-secret -sharing based general n-player MPC shows how one may trade the adversary threshold t against amortized communication complexity, by using a so-called packed version of Shamir's scheme. For e.g. the BGW-protocol (with active security), this trade-off means that if t 2k 2 < n/3, then k parallel evaluations of the same arithmetic circuit on different inputs can be performed at the overall cost corresponding to a single BGW-execution. In this paper we propose a novel paradigm for amortized MPC that offers a different trade-off, namely with the size of the field of the circuit which is securely computed, instead of the adversary threshold. Thus, unlike the Franklin-Yung paradigm, this leaves the adversary threshold unchanged. Therefore, for instance, this paradigm may yield constructions enjoying the maximal adversary threshold L(n 1)/3] in the BGWmodel (secure channels, perfect security, active adversary, synchronous communication). Our idea is to compile an MPC for a circuit over an extension field to a parallel MPC of the same circuit but with inputs defined over its base field and with the same adversary threshold. Key technical handles are our notion of reverse multiplication-friendly embeddings (RMFE) and our proof, by algebraic -geometric means, that these are constant-rate, as well as efficient auxiliary protocols for creating "subspace-randomness" with good amortized complexity. In the BGW-model, we show that the latter can be constructed by combining our tensored-up linear secret sharing with protocols based on hyper-invertible matrices a la BeerliovaHirt (or variations thereof). Along the way, we suggest alternatives for hyper-invertible matrices with the same functionality but which can be defined over a large enough constant size field, which we believe is of independent interest. As a demonstration of the merits of the novel paradigm, we show that, in the BGW-model and with an optimal adversary threshold L(n 1)/3], it is possible to securely compute a binary circuit with amortized complexity 0(n) of bits per gate per instance. Known results would given log n bits instead. By combining our result with the Franklin-Yung paradigm, and assuming a sub-optimal adversary (i.e., an arbitrarily small > 0 fraction below 1/3), this is improved to 0(1) bits instead of 0(n).

Qian Yu,Netanel Raviv,A. Salman Avestimehr

DOI: https://doi.org/10.1109/itw.2018.8613443

2018-01-01

Abstract:We consider the problem of secure and private multiparty computation (MPC), in which the goal is to compute a general polynomial function distributedly over several workers, while keeping them oblivious to the content of the dataset, and preventing them from maliciously affecting the computation result. We demonstrate the role of Lagrange Coded Computing (LCC), a recently proposed coded computing technique that can be applied to general polynomial computations, on enabling secure and private MPC. We show that LCC offers both private and secure computation simultaneously, and is universal in the sense that all polynomials up to a certain degree can be computed on the same encoding. We also demonstrate that LCC achieves an optimal tradeoff between privacy and security, and requires a minimal amount of added randomness for privacy. Compared to prevalent algorithms in MPC (in particular the celebrated BGW scheme), we show that LCC significantly improves the storage, communication, and secret-sharing overhead needed for MPC.

Daniel Escudero,Chaoping Xing,Chen Yuan

DOI: https://doi.org/10.1007/978-3-031-15802-5_14

2022-01-01

Abstract:In this work we present a novel actively secure multiparty computation protocol in the dishonest majority setting, where the computation domain is a ring of the type $$\mathbb {Z}_{2^k}$$ . Instead of considering an “extension ring” of the form $$\mathbb {Z}_{2^{k+\kappa }}$$ as in SPD $$\mathbb {Z}_{2^k}$$ (Cramer et al., CRYPTO 2018) and its derivatives, we make use of an actual ring extension, or more precisely, a Galois ring extension $$\mathbb {Z}_{p^k}[\texttt{X}]/(h(\texttt{X}))$$ of large enough degree, in order to ensure that the adversary cannot cheat except with negligible probability. These techniques have been used already in the context of honest majority MPC over $$\mathbb {Z}_{p^k}$$ , and to the best of our knowledge, our work constitutes the first study of the benefits of these tools in the dishonest majority setting. Making use of Galois ring extensions requires great care in order to avoid paying an extra overhead due to the use of larger rings. To address this, reverse multiplication-friendly embeddings (RMFEs) have been used in the honest majority setting (e.g. Cascudo et al., CRYPTO 2018), and more recently in the dishonest majority setting for computation over $$\mathbb {Z}_2$$ (Cascudo and Gundersen, TCC 2020). We make use of the recent RMFEs over $$\mathbb {Z}_{p^k}$$ from (Cramer et al., CRYPTO 2021), together with adaptations of some RMFE optimizations introduced in (Abspoel et al., ASIACRYPT 2021) in the honest majority setting, to achieve an efficient protocol that only requires in its online phase $$12.4k(n-1)$$ bits of amortized communication complexity and one round of communication for each multiplication gate. We also instantiate the necessary offline phase using Oblivious Linear Evaluation (OLE) by generalizing the approach based on Oblivious Transfer (OT) proposed in MASCOT (Keller et al., CCS 2016). To this end, and as an additional contribution of potential independent interest, we present a novel technique using Multiplication-Friendly Embeddings (MFEs) to achieve OLE over Galois ring extensions using black-box access to an OLE protocol over the base ring $$\mathbb {Z}_{p^k}$$ without paying a quadratic cost in terms of the extension degree. This generalizes the approach in MASCOT based on Correlated OT Extension. Finally, along the way we also identify a bug in a central proof in MASCOT, and we implicitly present a fix in our generalized proof.

Hongqing Liu,Chaoping Xing,Yanjiang Yang,Chen Yuan

DOI: https://doi.org/10.1007/978-981-99-8721-4_7

2023-01-01

Abstract:Beerliova-Trubiniova and Hirt introduced hyper-invertible matrix technique to construct the first perfectly secure MPC protocol in the presence of maximal malicious corruptions left perpendicular n-1/3 right perpendicular with linear communication complexity per multiplication gate [5]. This matrix allows MPC protocol to generate correct shares of uniformly random secrets in the presence of malicious adversary. Moreover, the amortized communication complexity of generating each sharing is linear. Due to this prominent feature, the hyper-invertible matrix plays an important role in the construction of MPC protocol and zero-knowledge proof protocol where the randomness needs to be jointly generated. However, the downside of this matrix is that the size of its base field is linear in the size of its matrix. This means if we construct an n-party MPC protocol over F-q via hyper-invertible matrix, q is at least 2n. In this paper, we propose the ramp hyper-invertible matrix which can be seen as the generalization of hyper-invertible matrix. Our ramp hyper-invertible matrix can be defined over constant-size field regardless of the size of this matrix. Similar to the arithmetic secret sharing scheme, to apply our ramp hyper-invertible matrix to perfectly secure MPC protocol, the maximum number of corruptions has to be compromised to (1-epsilon)n/3. As a consequence, we present the first perfectly secure MPC protocol in the presence of (1-epsilon)n/3 malicious corruptions with constant communication complexity. Besides presenting the variant of hyper-invertible matrix, we overcome several obstacles in the construction of this MPC protocol. Our arithmetic secret sharing scheme over constant-size field is compatible with the player elimination technique, i.e., it supports the dynamic changes of party number and corrupted party number. Moreover, we rewrite the public reconstruction protocol to support the sharings over constant-size field. Putting these together leads to the constant-size field variant of celebrated MPC protocol in [5]. We note that although it was widely acknowledged that there exists an MPC protocol with constant communication complexity by replacing Shamir secret sharing scheme with arithmetic secret sharing scheme, there is no reference seriously describing such protocol in detail. Our work fills the missing detail by providing MPC primitive for any applications relying on MPC protocol of constant communication complexity. As an application of our perfectly secure MPC protocol which implies perfect robustness in the MPC-in-the-Head framework, we present the constant-rate zero-knowledge proof with 3 communication rounds. The previous work achieves constant-rate with 5 communication rounds [32] due to the statistical robustness of their MPC protocol. Another application of our ramp hyper-invertible matrix is the information-theoretic multi-verifier zero-knowledge for circuit satisfiability [44]. We manage to remove the dependence of the size of circuit and security parameter from the share size.

Daniel Escudero,Chaoping Xing,Chen Yuan

DOI: https://doi.org/10.1007/978-3-031-15802-5_14

2022-01-01

Abstract:In this work we present a novel actively secure multiparty computation protocol in the dishonest majority setting, where the computation domain is a ring of the type Z(2k). Instead of considering an "extension ring" of the form Z(2k+k), as in SPDZ(2k) (Cramer et al., CRYPTO 2018) and its derivatives, we make use of an actual ring extension, or more precisely, a Galois ring extension Z(pk)[X]/(h(X)) of large enough degree, in order to ensure that the adversary cannot cheat except with negligible probability. These techniques have been used already in the context of honest majority MPC over Z(pk), and to the best of our knowledge, our work constitutes the first study of the benefits of these tools in the dishonest majority setting. Making use of Galois ring extensions requires great care in order to avoid paying an extra overhead due to the use of larger rings. To address this, reverse multiplication-friendly embeddings (RMFEs) have been used in the honest majority setting (e.g. Cascudo et al., CRYPTO 2018), and more recently in the dishonest majority setting for computation over Z(2) (Cascudo and Gundersen, TCC 2020). We make use of the recent RMFEs over Z(pk) from (Cramer et al., CRYPTO 2021), together with adaptations of some RMFE optimizations introduced in (Abspoel et al., ASIACRYPT 2021) in the honest majority setting, to achieve an efficient protocol that only requires in its online phase 12.4k (n-1) bits of amortized communication complexity and one round of communication for each multiplication gate. We also instantiate the necessary offline phase using Oblivious Linear Evaluation (OLE) by generalizing the approach based on Oblivious Transfer (OT) proposed in MASCOT (Keller et al., CCS 2016). To this end, and as an additional contribution of potential independent interest, we present a novel technique using Multiplication-Friendly Embeddings (MFEs) to achieve OLE over Galois ring extensions using black-box access to an OLE protocol over the base ring Z(pk) without paying a quadratic cost in terms of the extension degree. This generalizes the approach in MASCOT based on Correlated OT Extension. Finally, along the way we also identify a bug in a central proof in MASCOT, and we implicitly present a fix in our generalized proof.

David Karpuk,Razane Tajeddine

2024-01-05

Abstract:We present Modular Polynomial (MP) Codes for Secure Distributed Matrix Multiplication (SDMM). The construction is based on the observation that one can decode certain proper subsets of the coefficients of a polynomial with fewer evaluations than is necessary to interpolate the entire polynomial. We also present Generalized Gap Additive Secure Polynomial (GGASP) codes. Both MP and GGASP codes are shown experimentally to perform favorably in terms of recovery threshold when compared to other comparable polynomials codes for SDMM which use the grid partition. Both MP and GGASP codes achieve the recovery threshold of Entangled Polynomial Codes for robustness against stragglers, but MP codes can decode below this recovery threshold depending on the set of worker nodes which fails. The decoding complexity of MP codes is shown to be lower than other approaches in the literature, due to the user not being tasked with interpolating an entire polynomial.

Information Theory

Qian Yu,A. Salman Avestimehr

DOI: https://doi.org/10.1109/isit44484.2020.9174167

2020-01-01

Abstract:In distributed matrix multiplication, a common scenario is to assign each worker a fraction of the multiplication task, by partitioning the input matrices into smaller submatrices. In particular, by dividing two input matrices into m-by-p and p-by-n subblocks, a single multiplication task can be viewed as computing linear combinations of pmn submatrix products, which can be assigned to pmn workers. Such block-partitioning based designs have been widely studied under the topics of secure, private, and batch computation, where the state of the arts all require computing at least "cubic" (pmn) number of submatrix multiplications. Entangled polynomial codes, first presented for straggler mitigation, provides a powerful method for breaking the cubic barrier. It achieves a subcubic recovery threshold, meaning that the final product can be recovered from any subset of multiplication results with a size order-wise smaller than pmn. In this work, we show that entangled polynomial codes can be further extended to also include these three important settings, and provide a unified framework that order-wise reduces the total computational costs upon the state of the arts by achieving subcubic recovery thresholds.

Christopher Harth-Kitzerow,Ajith Suresh,Yonqing Wang,Hossein Yalame,Georg Carle,Murali Annavaram

2024-06-29

Abstract:In this work, we present novel protocols over rings for semi-honest secure three-party computation (3PC) and malicious four-party computation (4PC) with one corruption. While most existing works focus on improving total communication complexity, challenges such as network heterogeneity and computational complexity, which impact MPC performance in practice, remain underexplored. Our protocols address these issues by tolerating multiple arbitrarily weak network links between parties without any substantial decrease in performance. Additionally, they significantly reduce computational complexity by requiring up to half the number of basic instructions per gate compared to related work. These improvements lead to up to twice the throughput of state-of-the-art protocols in homogeneous network settings and even larger performance improvements in heterogeneous settings. These advantages come at no additional cost: Our protocols maintain the best-known total communication complexity per multiplication, requiring 3 elements for 3PC and 5 elements for 4PC. We implemented our protocols alongside several state-of-the-art protocols (Replicated 3PC, ASTRA, Fantastic Four, Tetrad) in a novel open-source C++ framework optimized for high throughput. Five out of six implemented 3PC and 4PC protocols achieve more than one billion 32-bit multiplications or over 32 billion AND gates per second using our implementation in a 25 Gbit/s LAN environment. This represents the highest throughput achieved in 3PC and 4PC so far, outperforming existing frameworks like MP-SPDZ, ABY3, MPyC, and MOTION by two to three orders of magnitude.

Cryptography and Security

Daniel Escudero,Ivan Tjuawinata,Chaoping Xing

DOI: https://doi.org/10.1007/978-3-031-57722-2_7

2024-01-01

Abstract:In this work we consider the task of designing information-theoretic MPC protocols for which the state of a given party can be recovered from a small amount of parties, a property we refer to as local repairability . This is useful when considering MPC over dynamic settings where parties leave and join a computation, a scenario that has gained notable attention in recent literature. Thanks to the results of (Cramer et al. EUROCRYPT’00), designing such protocols boils down to constructing a linear secret-sharing scheme (LSSS) with good locality, that is, each share is determined by only a small amount of other shares, that also satisfies the so-called multiplicativity property. Previous constructions that achieve locality ( e.g. using locally recoverable codes—LRCs) do not enjoy multiplicativity, and LSSS that are multiplicative ( e.g. Shamir’s secret-sharing) do not satisfy locality. Our construction bridges this literature gap by showing the existence of an LSSS that achieves both properties simultaneously. Our results are obtained by making use of well known connection between error correcting codes and LSSS, in order to adapt the LRC construction by (Tamo & Barg, IEEE Transactions on Information Theory 2014) to turn it into a LSSS. With enough care, such coding-theoretic construction yields our desired locality property, but it falls short at satisfying multiplicativity. In order to address this, we perform an extensive analysis of the privacy properties of our scheme in order to identify parameter regimes where our construction satisfies multiplicativity. Finally, since our LSSS satisfies locality, every share is determined by a small amount of shares. However, in an MPC context it is not enough to let the (small set of) parties to send their shares to the repaired party, since this may leak more information than the regenerated share. To obtain our final result regarding MPC with local repairability, we construct a lightweight MPC protocol that performs such repairing process without any leakage. We provide both a passively secure construction (for the plain multiplicative regime) and an actively secure one (for strong multiplicativity).

Yehuda Lindell

Abstract:. Protocols for secure multiparty computation (MPC) enable a set of parties to interact and compute a joint function of their private inputs while revealing nothing but the output. The potential applications for MPC are huge: privacy-preserving auctions, private DNA comparisons, private machine learning, threshold cryptography, and more. Due to this, MPC has been an intensive topic of research in academia ever since it was introduced in the 1980s by Yao for the two-party case (FOCS 1986), and by Goldreich, Micali and Wigderson for the multiparty case (STOC 1987). Recently, MPC has become efficient enough to be used in practice, and has made the transition from an object of theoretical study to a technology being used in industry. In this article, we will review what MPC is, what problems it solves, and how it is being currently used. We note that the examples and references brought in this review article are far from comprehensive, and due to the lack of space many highly relevant works are not cited.

Computer Science

Mark Abspoel,Ronald Cramer,Ivan Damgård,Daniel Escudero,Matthieu Rambaud,Chaoping Xing,Chen Yuan

DOI: https://doi.org/10.1007/978-3-030-64840-4_6

2020-01-01

Abstract:We study information-theoretic multiparty computation (MPC) protocols over rings \(\mathbb {Z}/p^k\mathbb {Z} \) that have good asymptotic communication complexity for a large number of players. An important ingredient for such protocols is arithmetic secret sharing, i.e., linear secret-sharing schemes with multiplicative properties. The standard way to obtain these over fields is with a family of linear codes C, such that C, \(C^\perp \) and \(C^2\) are asymptotically good (strongly multiplicative). For our purposes here it suffices if the square code \(C^2\) is not the whole space, i.e., has codimension at least 1 (multiplicative).

Ronald Cramer,Chaoping Xing,Chen Yuan

DOI: https://doi.org/10.1007/978-3-030-64381-2_16

2019-01-01

Abstract:Since the mid 2000s, asymptotically-good strongly-multiplicative linear (ramp) secret sharing schemes over a fixed finite field have turned out as a central theoretical primitive in numerous constant-communication-rate results in multi-party cryptographic scenarios, and, surprisingly, in two-party cryptography as well. Known constructions of this most powerful class of arithmetic secret sharing schemes all rely heavily on algebraic geometry (AG), i.e., on dedicated AG codes based on asymptotically good towers of algebraic function fields defined over finite fields. It is a well-known open question since the first (explicit) constructions of such schemes appeared in CRYPTO 2006 whether the use of "heavy machinery" can be avoided here. i.e., the question is whether the mere existence of such schemes can also be proved by "elementary" techniques only (say, from classical algebraic coding theory), even disregarding effective construction. So far, there is no progress. In this paper we show the theoretical result that, (1) no matter whether this open question has an affirmative answer or not, these schemes can be constructed explicitly by elementary algorithms defined in terms of basic algebraic coding theory. This pertains to all relevant operations associated to such schemes, including, notably, the generation of an instance for a given number of players n, as well as error correction in the presence of corrupt shares. We further show that (2) the algorithms are quasi-linear time (in n); this is (asymptotically) significantly more efficient than the known constructions. That said, the analysis of the mere termination of these algorithms does still rely on algebraic geometry, in the sense that it requires "blackbox application" of suitable existence results for these schemes. Our method employs a nontrivial, novel adaptation of a classical (and ubiquitous) paradigm from coding theory that enables transformation of existence results on asymptotically good codes into explicit construction of such codes via concatenation, at some constant loss in parameters achieved. In a nutshell, our generating idea is to combine a cascade of explicit but "asymptotically-bad-yet-good-enough schemes" with an asymptotically good one in such a judicious way that the latter can be selected with exponentially small number of players in that of the compound scheme. This opens the door to efficient, elementary exhaustive search. In order to make this work, we overcome a number of nontrivial technical hurdles. Our main handles include a novel application of the recently introduced notion of Reverse Multiplication-Friendly Embeddings (RMFE) from CRYPTO 2018, as well as a novel application of a natural variant in arithmetic secret sharing from EUROCRYPT 2008.

Qizhi Zhang,Bingsheng Zhang,Lichun Li,Shan Yin,Juanjuan Sun

2021-01-01

Abstract:Secure computation enables two or more parties to jointly evaluate a function without revealing to each other their private input.G-module is an abelian groupM,where the groupG acts compatibly with the abelian group structure onM. In this work, we present several secure computation protocols forG-module operations in the online/offline mode. We then show how to instantiate those protocols to implement many widely used secure computation primitives in privacy-preserving machine learning and data mining, such as oblivious cyclic shift, oneround shared OT, oblivious permutation, oblivious shuffle, secure comparison,oblivious selection,DReLU,andReLU,etc. All the proposed protocols are constant-round, and they are 2X 10X more efficient than the-state-of-the-art constant-round protocols in terms of communication complexity.

Helene Haagh,Aleksandr Karbyshev,Sabine Oechsner,Bas Spitters,Pierre-Yves Strub

DOI: https://doi.org/10.1109/csf.2018.00016

2018-07-01

Abstract:Secure multi-party computation (MPC) is a general cryptographic technique that allows distrusting parties to compute a function of their individual inputs, while only revealing the output of the function. It has found applications in areas such as auctioning, email filtering. and secure teleconference. Given their importance, it is crucial that the protocols are specified and implemented correctly. In the programming language community, it has become good practice to use computer proof assistants to verify correctness proofs. In the field of cryptography, EasyCrypt is the state of the art proof assistant. It provides an embedded language for probabilistic programming, together with a specialized logic, embedded into an ambient general purpose higher-order logic. It allows us to conveniently express cryptographic properties. EasyCrypt has been used successfully on many applications, including public-key encryption, signatures, garbled circuits and differential privacy. Here we show for the first time that it can also be used to prove security of MPC against a malicious adversary. We formalize additive and replicated secret sharing schemes and apply them to Maurer&#x27;s MPC protocol for secure addition and multiplication. Our method extends to general polynomial functions. We follow the insights from EasyCrypt that security proofs can often be reduced to proofs about program equivalence, a topic that is well understood in the verification of programming languages. In particular, we show that for a class of MPC protocols in the passive case the non-interference-based (NI) definition is equivalent to a standard simulation-based security definition. For the active case, we provide a new non-interference based alternative to the usual simulation-based cryptographic definition that is tailored specifically to our protocol.

Ronald Cramer,Ivan Damgård,Daniel Escudero,Peter Scholl,Chaoping Xing

DOI: https://doi.org/10.1007/978-3-319-96881-0_26

2018-01-01

Abstract:Most multi-party computation protocols allow secure computation of arithmetic circuits over a finite field, such as the integers modulo a prime. In the more natural setting of integer computations modulo , which are useful for simplifying implementations and applications, no solutions with active security are known unless the majority of the participants are honest. We present a new scheme for information-theoretic MACs that are homomorphic modulo , and are as efficient as the well-known standard solutions that are homomorphic over fields. We apply this to construct an MPC protocol for dishonest majority in the preprocessing model that has efficiency comparable to the well-known SPDZ protocol (Damgård et al., CRYPTO 2012), with operations modulo instead of over a field. We also construct a matching preprocessing protocol based on oblivious transfer, which is in the style of the MASCOT protocol (Keller et al., CCS 2016) and almost as efficient.

Brandon Broadnax,Alexander Koch,Jeremias Mechler,Tobias Müller,Jörn Müller-Quade,Matthias Nagel

DOI: https://doi.org/10.2478/popets-2021-0072

2021-07-23

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract In practice, there are numerous settings where mutually distrusting parties need to perform distributed computations on their private inputs. For instance, participants in a first-price sealed-bid online auction do not want their bids to be disclosed. This problem can be addressed using secure multi-party computation (MPC), where parties can evaluate a publicly known function on their private inputs by executing a specific protocol that only reveals the correct output, but nothing else about the private inputs. Such distributed computations performed over the Internet are susceptible to remote hacks that may take place during the computation. As a consequence, sensitive data such as private bids may leak. All existing MPC protocols do not provide any protection against the consequences of such remote hacks. We present the first MPC protocols that protect the remotely hacked parties’ inputs and outputs from leaking. More specifically, unless the remote hack takes place before the party received its input or all parties are corrupted, a hacker is unable to learn the parties’ inputs and outputs, and is also unable to modify them. We achieve these strong (privacy) guarantees by utilizing the fact that in practice parties may not be susceptible to remote attacks at every point in time, but only while they are online, i.e. able to receive messages. To this end, we model communication via explicit channels. In particular, we introduce channels with an airgap switch (disconnect-able by the party in control of the switch), and unidirectional data diodes . These channels and their isolation properties, together with very few, similarly simple and plausibly remotely unhackable hardware modules serve as the main ingredient for attaining such strong security guarantees. In order to formalize these strong guarantees, we propose the UC with Fortified Security (UC#) framework, a variant of the Universal Composability (UC) framework.