Efficient Multiparty Protocols via Log-Depth Threshold Formulae Ron Rothblum Weizmann Institute Joint work with Gil Cohen, Ivan Damgard, Yuval Ishai, Jonas Kolker, Peter Bro Miltersen and Ran Raz


Efficient Multiparty Protocols via Log-Depth Threshold Formulae

Ron Rothblum, Weizmann Institute

Joint work with Gil Cohen, Ivan Damgard, Yuval Ishai, Jonas Kolker, Peter Bro Miltersen and Ran Raz


Secure Multiparty Computation (MPC) [Yao86,GMW87]

mutually distrustful parties wish to jointly perform some computational task securely.

An adversary that controls a (limited) subset of the parties learns nothing more than the inputs and outputs of the parties it controls.


Feasibility Results: Perfect Security [BGW88,CCD88]

Assume synchronous network with private channels and computationally unbounded adversary.

Passive security: Every functionality can be securely computed if adversary passively controls parties.

Active security: Every functionality can be securely computed if adversary actively controls parties.


Our Contribution

Huge body of work on secure MPC but protocols are fairly complicated.

We suggest a conceptually simple and flexible approach to designing efficient MPC protocols.

Building blocks:

1. Player emulation - builds on Hirt-Maurer [HM00] but with a different motivation.

2. Simple constant-party MPC protocols.

3. Threshold formulae composed of threshold gates.


Applications

1. Conceptually simple protocols for perfectly secure MPC – obtaining passive/active security.

2. New results on feasibility of MPC in a variety of settings, e.g., secure MPC over algebraic structures such as non-Abelian groups.

3. Distributed computing – broadcast/Byzantine agreement.


MPC via Player Emulation [HM00]

A player in a protocol is a reactive functionality, so it can be emulated by other players.

Reduce the construction of -party protocols to the construction of constant-party protocols.

Designing constant–party protocols is typically easier (can be exponential in #parties).


MPC via Player Emulation

For simplicity, first consider passive security - reduce -party protocol to 3-party protocol.

Assume that for every computational task we have a 3-party protocol secure against 1 passive party.

Start with an -party protocol with a trusted party.

Minimal number of parties needed for security against one passive party


MPC with a Trusted Party

[Figure: parties 1 to 5 with inputs $x_1, \dots, x_5$, and the trusted party $\tau$ computing $y_1, \dots, y_5 = f(x_1, \dots, x_5)$.]


MPC with a Trusted Party

Can emulate by three virtual parties

[Figure: parties 1 to 5 with outputs $y_1, \dots, y_5$, and the trusted party $\tau$ computing $y_1, \dots, y_5 = f(x_1, \dots, x_5)$.]


MPC via Player Emulation

Parties send input to the virtual party which is emulated by .

[Figure: parties 1 to 5 with inputs $x_1, \dots, x_5$, virtual parties $v_1$, $v_2$, $v_3$, and $\tau$.]


MPC via Player Emulation

emulate ’s functionality.

[Figure: parties 1 to 5, virtual parties $v_1$, $v_2$, $v_3$, and $\tau$.]


MPC via Player Emulation

The output is sent back to the parties.

[Figure: parties 1 to 5 with outputs $y_1, \dots, y_5$, virtual parties $v_1$, $v_2$, $v_3$, and $\tau$.]


MPC via Player Emulation

The initial protocol was secure as long as the adversary did not control the trusted party.

The new protocol is secure as long as the adversary does not control a majority of

Proceed by emulating by 3 more virtual parties


MPC via Player Emulation

Parties send input to the reactive functionality .

[Figure: parties 1 to 5, virtual parties $v_1$, $v_2$, $v_3$ and $w_1$, $w_2$, $w_3$, and $\tau$.]


MPC via Player Emulation

emulate .

[Figure: parties 1 to 5, virtual parties $v_1$, $v_2$, $v_3$ and $w_1$, $w_2$, $w_3$, and $\tau$.]


MPC via Player Emulation

emulate

[Figure: parties 1 to 5, virtual parties $v_1$, $v_2$, $v_3$ and $w_1$, $w_2$, $w_3$, and $\tau$.]



MPC via Player Emulation

sends back output to parties.

[Figure: parties 1 to 5, virtual parties $v_1$, $v_2$, $v_3$ and $w_1$, $w_2$, $w_3$, and $\tau$.]


MPC via Player Emulation

The protocol is secure even if the adversary controls:

1. One of and one of ; or

2. , and .

Consider the formula:

$\mathrm{Maj}_3(\mathrm{Maj}_3(w_1, w_2, w_3), v_2, v_3)$, with the inner gate's output wire labelled $v_1$ and the outer gate's output wire labelled $\tau$.

Associate wires with parties and place 1 on input wires that the adversary controls.

If output is 0 then the protocol is secure against this adversary.


MPC via Player Emulation

We can keep doing this recursive emulation by following some given formula. The leaves are emulated by the real players.

The protocol is secure as long as the formula evaluates to 0.

If the formula computes the majority function, secure against every adversary that controls less than half of the parties (as in [BGW]).

Complexity: Every atomic operation is emulated by a constant-size protocol, so protocol complexity grows exponentially in the depth of the formula.
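The formula-as-security-test rule above, as an added example that is not part of the original slides: it evaluates the formula from the earlier slide (a Maj3 gate over v2, v3 and a Maj3 gate over w1, w2, w3) on every corruption set, then goes one step beyond the slides to a naive balanced tree of Maj3 gates. The tuple encoding, the function names and the `p…` leaf names are assumptions made for illustration.

```python
from itertools import combinations

# A formula is a leaf name (str) or a 3-tuple of sub-formulas feeding one
# Maj3 gate. Leaf names follow the slides; the encoding is an assumption.
SLIDE_FORMULA = (("w1", "w2", "w3"), "v2", "v3")

def evaluate(formula, corrupted):
    """Put 1 on each corrupted leaf; return the formula's output bit."""
    if isinstance(formula, str):
        return int(formula in corrupted)
    return int(sum(evaluate(child, corrupted) for child in formula) >= 2)

def leaves(formula):
    if isinstance(formula, str):
        return [formula]
    return [name for child in formula for name in leaves(child)]

def depth(formula):
    if isinstance(formula, str):
        return 0
    return 1 + max(depth(child) for child in formula)

def tolerated_sets(formula):
    """Every corruption set on which the formula outputs 0."""
    names = leaves(formula)
    return [set(c) for k in range(len(names) + 1)
            for c in combinations(names, k)
            if evaluate(formula, set(c)) == 0]

def smallest_breaking_set(formula):
    """A smallest corruption set that drives the output to 1."""
    names = leaves(formula)
    for k in range(len(names) + 1):
        for c in combinations(names, k):
            if evaluate(formula, set(c)) == 1:
                return set(c)
    return None

def balanced_tree(d, prefix="p"):
    """Naive depth-d tree of Maj3 gates over 3**d distinct real players."""
    if d == 0:
        return prefix
    return tuple(balanced_tree(d - 1, f"{prefix}{i}") for i in range(3))

if __name__ == "__main__":
    print(len(tolerated_sets(SLIDE_FORMULA)), "tolerated sets on the slide formula")
    for d in (1, 2):
        tree = balanced_tree(d)
        n, k = len(leaves(tree)), len(smallest_breaking_set(tree))
        print(f"depth {depth(tree)}: {n} players, broken by {k} corruptions")
```

At depth 2 the naive tree is already driven to 1 by 4 corrupted players out of 9, a minority, so it does not compute majority; the formula has to be constructed specifically to compute majority while staying log-depth.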


Comparison with [HM00]

The recursive emulation approach was suggested by [HM00] as a way to obtain security against general adversary structures.

They obtain exponential protocols for a rich class of adversary structures ().

We follow their approach but obtain an efficient protocol by focusing only on the adversary that controls of the parties.


MPC via Player Emulation

1. Construct a secure 3-party protocol.

2. Majority from majorities: Construct a log-depth formula that computes majority using only gates (no constants or negations).



3-Party Protocols

Can use BGW restricted to 3 parties or better yet use the “MPC made simple” protocol of [Maurer02].

Maurer’s protocol is simple and elegant but exponential in the number of parties.

For 3 parties, not an issue!



Majority from Majorities

1. A randomized construction of majority-from-majorities [Implicit in Valiant84]. Statistical security, .

2. An explicit construction of “approximate majority” that outputs the majority value whenever at least 51% of inputs agree.

Perfect security, .

3. If exponentially strong OWF exist an explicit construction that works on every input.

Actually even

Perfect security, , conditional.


Active Security

Follow the same paradigm except that now we reduce -party protocols to 4-party protocols.

Emulate virtual parties by 4 virtual parties – out of which 1 can be malicious.

Proceed as before but need a log-depth threshold -out-of- formula composed of 2-out-of-4 threshold gates.

We construct a formula that works if <33% or >34% of the inputs are 1.

Minimal number of parties for security against one active party

Or even


Applications

Simplifications*:

1. MPC over fields ([BGW88], [CCD88], [AL13]).

2. MPC over rings ([CFIK03]).

3. MPC over groups ([DPSW07,DPS+12a,DPS+12b]).

4. Distributed computing: broadcast, broadcast from 2-cast ([FM00]).

* Caveats: non-optimal threshold and higher polynomial complexity.


Applications

New results:

1. MPC over groups:

1. Passive setting – explicit protocol for improving on of [DPS+12b].

2. Active setting – first efficient protocol, improves on inefficient protocol of [DPS+12a].

3. Two-party protocol in hybrid-OT model.

2. MPC over multilinear maps.


Conclusions and Open Questions

MPC methodology:

1. Design simple constant-party protocols.

2. Prove player emulation theorem.

Intriguing connections to open questions in complexity-theory:

3. Explicit exact majority-from-majorities formula.

4. Exact threshold-from-thresholds formula (even non-explicit).


Thank you!