Abstract
In this work, we present two new actively secure, constant-round multi-party computation (MPC) protocols with security against all-but-one corruptions. Our protocols both start with an actively secure MPC protocol, which may have linear round complexity in the depth of the circuit, and compile it into a constant-round protocol based on garbled circuits, with very low overhead.
-
1.
Our first protocol takes a generic approach using any secret-sharing-based MPC protocol for binary circuits, and a correlated oblivious transfer functionality.
-
2.
Our second protocol builds on secret-sharing-based MPC with information-theoretic MACs. This approach is less flexible, being based on a specific form of MPC, but requires no additional oblivious transfers to compute the garbled circuit.
In both approaches, the underlying secret-sharing-based protocol is only used for one actively secure \(\mathbb {F}_2\) multiplication per AND gate. An interesting consequence of this is that, with current techniques, constant-round MPC for binary circuits is not much more expensive than practical, non-constant-round protocols. We demonstrate the practicality of our second protocol with an implementation and perform experiments with up to 9 parties securely computing the AES and SHA-256 circuits. Our running times improve upon the best possible performance with previous protocols in this setting by 60 times.
Similar content being viewed by others
Notes
Furthermore, the environment sees all of the PRF keys of the honest parties, since these are outputs of the protocol, which seems to rule out any kind of computational reduction in the security proof.
This is needed to ensure that, for instance, if an output wire w comes from the XOR of two previous AND gates with output wires (u, v), then the public values \(\Lambda _u,\Lambda _v\) are chosen to satisfy \(\Lambda _w = \Lambda _u \oplus \Lambda _v\), as required.
If counting the total amount of data sent, in both directions, our online cost would be larger than [44], which is highly asymmetric. In practice, however, the latency depends on the largest amount of communication from any one party, which is why we measure in this way.
References
G. Asharov, Y. Lindell, T. Schneider, M. Zohner. More efficient oblivious transfer extensions with security for malicious adversaries, in Elisabeth Oswald and Marc Fischlin, editors, EUROCRYPT 2015, Part I, volume 9056 of LNCS, (Springer, Heidelberg, April 2015) pp. 673–701.
A. Aly, E. Orsini, D. Rotaru, N.P. Smart, T. Wood. Zaphod: Efficiently combining LSSS and garbled circuits in SCALE, in WAHC’19: Proceedings of the 7th ACM Workshop on Encrypted Computing & Applied Homomorphic Cryptography. (ACM, 2019). https://eprint.iacr.org/2019/974.
E. Boyle, G. Couteau, N. Gilboa, Y. Ishai, L. Kohl, and P. Scholl. Efficient pseudorandom correlation generators: Silent OT extension and more, in CRYPTO 2019, (2019).
E. Boyle, G. Couteau, N. Gilboa, Y. Ishai, L. Kohl, P. Rindal, and P. Scholl. Efficient two-round OT extension and silent non-interactive secure computation, in CCS, (2019) pp. 291–308.
D. Beaver. Efficient multiparty protocols using circuit randomization, in Joan Feigenbaum, editor, CRYPTO’91, volume 576 of LNCS. (Springer, Heidelberg, August 1992), pp. 420–432.
M. Bellare, V.T. Hoang, and P. Rogaway. Foundations of garbled circuits, in Ting Yu, George Danezis, Virgil D. Gligor, editors, ACM CCS 12, . (ACM Press, October 2012) pp. 784–796.
S.S. Burra, E. Larraia, J.B. Nielsen, P.S. Nordholt, C. Orlandi, E. Orsini, P. Scholl, N.P. Smart. High performance multi-party computation for binary circuits based on oblivious transfer. Cryptology ePrint Archive, Report 2015/472, 2015. http://eprint.iacr.org/2015/472.
A. Ben-Efraim, Y. Lindell, and E. Omri. Optimizing semi-honest secure multiparty computation for the internet, in Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi, editors, ACM CCS 16, (ACM Press, October 2016) pp. 578–590.
D. Beaver, S. Micali, P. Rogaway. The round complexity of secure protocols (extended abstract), in 22nd ACM STOC. (ACM Press, May 1990), pp. 503–513.
M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in 20th ACM STOC, pp. 1–10. ACM Press, May 1988.
R. Canetti. Universally composable security: A new paradigm for cryptographic protocols, in 42nd FOCS. (IEEE Computer Society Press, October 2001), pp. 136–145.
R. Canetti, A. Cohen, Y. Lindell. A simpler variant of universally composable security for standard multiparty computation, in Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, Part II, volume 9216 of LNCS (Springer, Heidelberg, August 2015), pp. 3–22.
I. Cascudo, I. Damgård, B. David, N. Döttling, J.B. Nielsen. Rate-1, linear time and additively homomorphic UC commitments, in Matthew Robshaw and Jonathan Katz, editors, CRYPTO 2016, Part III, volume 9816 of LNCS. (Springer, Heidelberg, August 2016), pp. 179–207.
S.G. Choi, J. Katz, R. Kumaresan, H.-S. Zhou. On the security of the “free-XOR” technique, in Ronald Cramer, editor, TCC 2012, volume 7194 of LNCS. (Springer, Heidelberg, March 2012), pp. 39–53.
S.G. Choi, J. Katz, A.J. Malozemoff, V. Zikas. Efficient three-party computation from cut-and-choose, in Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part II, volume 8617 of LNCS. (Springer, Heidelberg, August 2014), pp. 513–530.
I. Damgård, Y. Ishai. Scalable secure multiparty computation, in Cynthia Dwork, editor, CRYPTO 2006, volume 4117 of LNCS. (Springer, Heidelberg, August 2006), pp. 501–520.
I. Damgård, M. Keller, E. Larraia, V. Pastro, P. Scholl, N.P. Smart. Practical covertly secure MPC for dishonest majority - or: Breaking the SPDZ limits, in Jason Crampton, Sushil Jajodia, and Keith Mayes, editors, ESORICS 2013, volume 8134 of LNCS. (Springer, Heidelberg, September 2013), pp. 1–18.
I. Damgård, J.B. Nielsen. Scalable and unconditionally secure multiparty computation, in Alfred Menezes, editor, CRYPTO 2007, volume 4622 of LNCS. (Springer, Heidelberg, August 2007), pp. 572–590.
I. Damgård, J.B. Nielsen, M. Nielsen, S. Ranellucci. Gate-scrambling revisited - or: The TinyTable protocol for 2-party secure computation. Cryptology ePrint Archive, Report 2016/695, 2016. http://eprint.iacr.org/2016/695.
I. Damgård, V. Pastro, N.P. Smart, S. Zakarias. Multiparty computation from somewhat homomorphic encryption, in Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 of LNCS. (Springer, Heidelberg, August 2012), pp. 643–662.
I. Damgård, S. Zakarias. Constant-overhead secure computation of Boolean circuits using preprocessing, in Amit Sahai, editor, TCC 2013, volume 7785 of LNCS. (Springer, Heidelberg, March 2013), pp. 621–641.
T.K. Frederiksen, M. Keller, E. Orsini, P. Scholl. A unified approach to MPC with preprocessing using OT, in Tetsu Iwata and Jung Hee Cheon, editors, ASIACRYPT 2015, Part I, volume 9452 of LNCS. (Springer, Heidelberg, November / December 2015), pp. 711–735.
J. Furukawa, Y. Lindell, A. Nof, O. Weinstein. High-throughput secure three-party computation for malicious adversaries and an honest majority, in EUROCRYPT, (2017), pp. 225–255.
T.K. Frederiksen, B. Pinkas, A. Yanai. Committed MPC - maliciously secure multiparty computation from homomorphic commitments, in Public-Key Cryptography - PKC 2018 - 21st IACR International Conference on Practice and Theory of Public-Key Cryptography, Rio de Janeiro, Brazil, March 25-29, 2018, Proceedings, Part I, pp. 587–619, (2018).
S. Goldwasser, Y. Lindell. Secure multi-party computation without agreement. Journal of Cryptology, 18(3):247–287, (2005).
O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game or A completeness theorem for protocols with honest majority, in Alfred Aho, editor, 19th ACM STOC. (ACM Press, May 1987), pp. 218–229.
Y. Ishai, M. Prabhakaran, A. Sahai. Founding cryptography on oblivious transfer - efficiently, in David Wagner, editor, CRYPTO 2008, volume 5157 of LNCS. (Springer, Heidelberg, August 2008), pp. 572–591.
Y. Ishai, M. Prabhakaran, A. Sahai. Secure arithmetic computation with no honest majority, in Omer Reingold, editor, TCC 2009, volume 5444 of LNCS. (Springer, Heidelberg, March 2009), pp. 294–314.
M. Keller, E. Orsini, P. Scholl. MASCOT: Faster malicious arithmetic secure computation with oblivious transfer, in Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi, editors, ACM CCS 16. (ACM Press, October 2016), pp. 830–842.
J. Katz, S. Ranellucci, M. Rosulek, X. Wang. Optimizing authenticated garbling for faster secure two-party computation, in CRYPTO 2018, (2018). https://eprint.iacr.org/2018/578.
V. Kolesnikov, T. Schneider. Improved garbled circuit: Free XOR gates and applications, in Luca Aceto, Ivan Damgård, Leslie Ann Goldberg, Magnús M. Halldórsson, Anna Ingólfsdóttir, and Igor Walukiewicz, editors, ICALP 2008, Part II, volume 5126 of LNCS, pp. 486–498. (Springer, Heidelberg, July 2008).
Y. Lindell, B. Pinkas. An efficient protocol for secure two-party computation in the presence of malicious adversaries, in Moni Naor, editor, EUROCRYPT 2007, volume 4515 of LNCS. (Springer, Heidelberg, May 2007), pp. 52–78.
Y. Lindell and B. Pinkas. A proof of security of Yao’s protocol for two-party computation. Journal of Cryptology, 22(2):161–188, (2009).
Y. Lindell, B. Pinkas. Secure two-party computation via cut-and-choose oblivious transfer, in Yuval Ishai, editor, TCC 2011, volume 6597 of LNCS. (Springer, Heidelberg, March 2011), pp. 329–346.
Y. Lindell, B. Pinkas, N.P. Smart, A. Yanai. Efficient constant round multi-party computation combining BMR and SPDZ, in Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, Part II, volume 9216 of LNCS. (Springer, Heidelberg, August 2015), pp. 319–338.
Y. Lindell, B. Riva. Blazing fast 2PC in the offline/online setting with security for malicious adversaries, in Indrajit Ray, Ninghui Li, and Christopher Kruegel:, editors, ACM CCS 15. (ACM Press, October 2015), pp. 579–590.
Y. Lindell, N.P. Smart, Eduardo Soria-Vazquez. More efficient constant-round multi-party computation from BMR and SHE, in Martin Hirt and Adam D. Smith, editors, TCC 2016-B, Part I, volume 9985 of LNCS. (Springer, Heidelberg, October / November 2016), pp. 554–581.
P. Mohassel, M. Rosulek, Y. Zhang. Fast and secure three-party computation: The garbled circuit approach, in Indrajit Ray, Ninghui Li, and Christopher Kruegel:, editors, ACM CCS 15. (ACM Press, October 2015), pp. 591–602.
J.B. Nielsen, P.S. Nordholt, C. Orlandi, S.S. Burra. A new approach to practical active-secure two-party computation, in Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 of LNCS. (Springer, Heidelberg, August 2012), pp. 681–700.
J.B. Nielsen, T. Schneider, R. Trifiletti. Constant round maliciously secure 2pc with function-independent preprocessing using lego, in 24th NDSS Symposium. The Internet Society, (2017). http://eprint.iacr.org/2016/1069.
T. Rabin and M. Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority (extended abstract), in 21st ACM STOC, pp. 73–85. ACM Press, May 1989.
P. Rindal. libOTe: an efficient, portable, and easy to use Oblivious Transfer Library. https://github.com/osu-crypto/libOTe.
P. Rindal and M. Rosulek. Faster malicious 2-party secure computation with online/offline dual execution, in USENIX, pp. 297–314, 2016.
X. Wang, S. Ranellucci, and J. Katz. Authenticated garbling and efficient maliciously secure two-party computation, in CCS, pp. 21–37, 2017.
X. Wang, S. Ranellucci, and J. Katz. Global-scale secure multiparty computation, in CCS, pp. 39–56, 2017.
A.C.-C. Yao. How to generate and exchange secrets (extended abstract), in 27th FOCS, pp. 162–167. IEEE Computer Society Press, October 1986.
K. Yang, X. Wang, and J. Zhang. More efficient MPC from improved triple generation and authenticated garbling. Cryptology ePrint Archive, Report 2019/1104, 2019. https://eprint.iacr.org/2019/1104.
Acknowledgements
We are grateful to Moriya Farbstein and Lior Koskas for their valuable assistance with implementation and experiments. We also thank Yehuda Lindell for helpful feedback.
The first author was supported by the European Research Council under the ERC consolidators grant agreement No. 615172 (HIPS) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. The second author was supported by the Defense Advanced Research Projects Agency (DARPA) and Space and Naval Warfare Systems Center, Pacific (SSC Pacific), under contract No. N66001-15-C-4070, and by the Danish Independent Research Council, Grant-ID DFF-6108-00169. The third author was supported by the European Union’s Horizon 2020 research and innovation programme under the Marie Skodowska-Curie grant agreement No. 643161.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by Jonathan Katz
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Protocol for GMW-Style MPC for Binary Circuits
Protocol for GMW-Style MPC for Binary Circuits
Here, we describe the full protocol for realizing the \(\mathcal {F}_{\scriptstyle \mathrm {n \text {-}TinyOT}}\) functionality. It essentially consists of the bit triple generation protocol from [22], with some minor modifications, and a method for producing random shared bits with a consistency check that is similar to the bit/string check from Sect. 3.3.
We first recall the two-party and n-party MAC representations from Sect. 4:
where in the two-party sharing \([x^i]_{i,j}\), \(P_i\) holds the share \(x^i\) and MAC \(M^i_j\), whilst \(P_j\) holds the local key \(K^j_i\) and a fixed, global key \(R^j\). In the n-party sharing, each party \(P_i\) holds \(n-1\) MACs on \(x^i\), as well as a key on \(x^j\), for each \(j \ne i\), and a global key \(R^i\). Note that if \(P_i\) holds \(x^i\) and \(P_j\) holds the key \(R^j\), a sharing \([x^i]_{i,j}\) can easily be created using one call to the correlated OT functionality (Fig. 3), in which the correlation \(R^j\) is fixed by \(P_j\) in the initialization stage.
As required in the modified preprocessing protocol from Sect. 4, we need a method for opening [x]-shared values, both to all parties, and privately to a single party. These are straightforward, shown in Figs. 14 and 15.
The main protocol, shown in Fig. 16, consists of two main parts, for creating shared random bits, and for multiplication (AND) triples. Creating shared bits is straightforward, by using \(\mathcal {F}_{\scriptstyle \mathrm {COT}}\) to MAC random bits, then opening a random linear combination of the MACs to ensure consistency.
To create shares of a random multiplication triple (x, y, z), each party first locally samples shares \(x^i,y^i\) and then uses \(\mathcal {F}_{\scriptstyle \mathrm {COT}}\) to authenticate these shares. The MAC on a share \(x^i\) is used to obtain a sharing of the product of \(x^i\) with a random bit \((u_\ell ^{i,j} + v_\ell ^{i,j})\) known to \(P_j\) (using a hash function), and then \(P_j\) converts this to a share of \(x^i \cdot y^j\) by sending a correction bit in step 4a. This opens up an avenue for cheating, as \(P_j\) may send an incorrect correction value to some \(P_i\). This could result in the triple being correct, or, if \(x^i=0\) the triple would still be correct but \(P_j\) would learn the bit \(x^i\). These issues are addressed by the bucket-based cut-and-choose procedure in Fig. 17, which first checks correctness by sacrificing triples and then removes any potential leakage on the x values by combining several triples together. Note that the complex bucketing procedure is necessary for these steps, as opposed to simple pairwise checks, because with triples over \(\mathbb {F}_2\), one pairwise check (or leakage combiner) can only guarantee correctness (or remove leakage) if at least one of the two triples is correct (or leakage-free). So, the cut-and-choose and bucketing procedure are done so that each bucket contains at least one good triple, with overwhelming probability.
1.1 Why the Need for Key Queries?
For completeness, we briefly explain why these are needed in \(\mathcal {F}_{\scriptstyle \mathrm {n \text {-}TinyOT}}\), when using this protocol. After the protocol execution the environment learns the honest parties’ outputs, which include MAC keys \(K_i\) and R. On the other hand, during the protocol the adversary sees values of the form (simplifying things slightly):
where \(\textsf {H} \) is modelled as a random oracle. In the security proof, U is simulated as a uniformly random value U, since the simulator, \(\mathcal {S}\), does not know \(K_i\) or \(K_i + R\). This means that if the environment later queries both \(K_i\) and \((K_i + R)\) to the random oracle, then they could distinguish, as \(\mathcal {S}\) would not be able to detect this, so the response would be inconsistent with the simulated U. However, with a Key Query command in the functionality, the simulator can detect this (based on the technique from [39]):
-
For each query Q, \(\mathcal {S}\) looks up all previous queries \(Q_i\), and sends \((Q + Q_i)\) to the Key Query of the functionality.
-
If Key Query is successful then \(\mathcal {S}\) knows that \(Q + Q_i = R\), so can program the response \(\textsf {H} (Q)\) such that \(\textsf {H} (Q) + \textsf {H} (Q_i) = U\), as required (Fig. 18).
1.2 Security
In this section, we formalize the security of the implementation of the Prep command of \(\mathcal {F}_{\scriptstyle \mathrm {n \text {-}TinyOT}}\) in our \(\Pi _{\scriptstyle {\mathrm {n \text {-}TinyOT}}}\) protocol. More concretely, we focus on the consistency check in the production of m random bits. This guarantees that the MAC keys are consistent, after which the triple generation protocol can be proven secure similarly to [22]. The exact deviations that are possible by a corrupt \(P_j\) in the bit generation are:
-
1.
Provide inconsistent inputs \(R^j\) when acting as sender in the Initialize command of the \(\mathcal {F}_{\scriptstyle \mathrm {COT}}\) instances with two different honest parties.
-
2.
Input inconsistent shares \(b_\ell ^j, \ell \in [m]\) or \(r_h^{j}, h \in [\kappa ]\) when acting as receiver in the Extend command of \(\mathcal {F}_{\scriptstyle \mathrm {COT}}\) with two different honest parties.
Note that in both of these cases, we are only concerned when the other party in the \(\mathcal {F}_{\scriptstyle \mathrm {COT}}\) execution is honest, as if both parties are corrupt, then \(\mathcal {F}_{\scriptstyle \mathrm {COT}}\) does not need to be simulated in the security proof. We should also remark that preventing the first attack in the production of the random bits extends to preventing it everywhere else in the protocol, as the \(R^j\) values are fixed in the Initialize phase.
These two attacks are modelled by defining \(R^{j,i}, b_\ell ^{j,i}\) and \(r_h^{j,i}\) to be the actual inputs used by a corrupt \(P_j\) in the above two cases. Without loss of generality, we pick a honest party \(P_{i_0}\) and fix \(b_\ell ^j = b_\ell ^{j,i_0}, r_h^j = r_h^{j,i}, R^j = R^{j,i_0}\) to be the inputs by \(P_j\) that should be consistent with every other honest party. Let I be the set of corrupted parties. For each \(j \in I\), we can resume the previous statements by defining the values:
Note that \(\Delta ^{j,i}\) is fixed in the initialization of \(\mathcal {F}_{\scriptstyle \mathrm {COT}}\), whilst \(\delta ^{j,i}_\ell \) may be different for every OT. Whenever \(P_i\) and \(P_j\) are both corrupt, or both honest, for convenience we define \(\Delta ^{j,i} = 0\) and \(\delta ^{j,i} = 0\). The above means that the outputs of \(\mathcal {F}_{\scriptstyle \mathrm {COT}}\) with \((P_i,P_j)\) then satisfy:
or equivalently:
where \(\delta ^{j,i} \ne 0\) if \(P_j\) (the receiver) cheated, and \(\Delta ^{i,j} \ne 0\) if \(P_i\) (the sender) cheated. Remember from Sect. 4.1 that \(M^j_i(b_\ell ^j + \delta _\ell ^{j,i})\) represents the receiver’s MAC on the value \(b_\ell ^j + \delta _\ell ^{j,i}\) and \(K_j^i(b_\ell ^j + \delta _\ell ^{j,i})\) and represents the sender’s MAC key on that same value.
We start by assuming that the corrupted party in the couple \((P_i, P_j)\) running \(\mathcal {F}_{\scriptstyle \mathrm {COT}}\) is the sender \(P_j\), trying to have inconsistent correlations \(R^{j,i}\) with different honest parties \(P_i, i \notin I\). We prove the inconsistency impossible in the next claim:
Claim A.1
If the Prep step of \(\Pi _{\scriptstyle {\mathrm {n \text {-}TinyOT}}}\) succeeds, then all the global keys \(R^j\) are consistent and well defined, i.e. \(\Delta ^{j,i} = 0\) for every \(i, j \in [n]\).
Proof
We enumerate the possible deviations by the Adversary affecting the check \(\sum _{i=1}^n Z^i_j = 0\) in step 4g with which we want to catch inconsistent \(R^{j,i}\) values to different honest parties. These possible disruptions are two:
In step 4e, the parties broadcast \(\bar{C}^i\) values, every corrupted \(P_\ell , \ell \in I\) can send instead some adversarial value \(\hat{C}^\ell \) such that \(\sum _{j=1}^n \hat{C}^j = C + e\), where e is some additive error of the Adversary’s choice. Finally, a similar active deviation is to commit to \(\hat{Z}_j^\ell \) values, \(\ell \in I\), in such a way that \(\sum _{\ell \in I} \hat{Z}_j^\ell = \sum _{\ell \in I} Z_j^\ell + E^j\).
An active \(P_j\) trying to cheat has to pass the aforementioned mentioned check, which becomes:
As having inconsistent keys requires that there exists \(i_0, i_1 \notin I\) such that \(\Delta ^{j,i_0} \ne \Delta ^{j,i_1} \ne 0 \), the attack would require the adversary to set \(E^j + e \cdot R^j = C^{i_0} \cdot \Delta ^{j,i_0} + C^{i_1} \cdot \Delta ^{j,i_1}\). But this is negligible in \(\kappa \), as the only information the adversary has about \(C^{i_0}, C^{i_1} \in \mathbb {F}_{2^\kappa }\) at the time of committing to the values \(\hat{Z}_j^\ell , \ell \in I\) is that they are two uniform additive shares of C, due to the rerandomization in step 4d. \(\square \)
Finally, we prove that a corrupted receiver \(P_j\) cannot input inconsistent values \(b^{j,i}_\ell \) to different honest parties.
Claim A.2
If the Prep step of \(\Pi _{\scriptstyle {\mathrm {n \text {-}TinyOT}}}\) succeeds, every ordered pair \((P_i, P_j)\) holds a secret sharing of \(b_\ell ^j \cdot R^{i}\) for every \(\ell \in [m]\). In other words, \(\delta ^{j,i}_\ell =0\) for every \(i, j, \ell \).
Proof
For every ordered pair \((P_i, P_j)\), we can define \(P_j\)’s MAC on \([C^j]_{j,i}\) as
and \(P_i\)’s key on the same value as:
In step 4f of Bits, an adversarial \(P_j\) can also commit to incorrect MACs \(\hat{Z}_i^j({c}^j) = M_i^j({c}^j) + E_i^j\) and \(\hat{C}^j = C^j + e^j\). Nevertheless, in order to succeed an attack, the check \(\hat{Z}_i^j = K^i_j(C^j) + \hat{C}^j \cdot R^i\) from step 4g would have to hold. This check implies the following:
An active \(P_j\) has then just two options to cheat \(P_i\), both with only probability \(2^{-\kappa }\) to succeed:
-
1.
Setting \(E_i^j = (e^j + \sum _{\ell =1}^{m} \chi _\ell \cdot \delta _\ell ^{j,i} + \sum _{h=1}^\kappa X^{h-1} \cdot \hat{\delta }^{j,i}_h) \cdot R^{i} \ne 0\), which requires guessing the string \(R^{i} \in \mathbb {F}_{2^\kappa }\) kept secret by the honest party \(P_i\).
-
2.
Setting \(E_i^j = 0\) and \(e_j = \sum _{\ell =1}^{m} \chi _\ell \cdot \delta _\ell ^{j,i} + \sum _{h=1}^\kappa X^{h-1} \cdot \hat{\delta }^{j,i}_h\) for every \(i \notin I\). As \(\delta ^{j,i_0}_\ell = \hat{\delta }^{j,i_0}_h = 0\), this implies that \(e_j = 0\). Thus, for every \(i \notin (I \cup i_0)\) it needs to hold that
$$\begin{aligned} 0&= \sum _{\ell =1}^{m} \chi _\ell \cdot \delta _\ell ^{j,i} + \sum _{h=1}^\kappa X^{h-1} \cdot \hat{\delta }^{j,i}_h = \sum _{h=1}^\kappa X^{h-1} \cdot (\hat{\delta }^{j,i}_h + \sum _{\ell =1}^{m} \delta _\ell ^{j,i} \cdot \chi _{\ell , h} ), \end{aligned}$$where the \(\chi _{\ell , h}\) values are defined in such a way that \(\chi _\ell = \sum _{h=1}^\kappa X^{h-1} \cdot \chi _{\ell , h}\). This would need that, for every \(h \in [\kappa ]\):
$$\begin{aligned} \hat{\delta }^{j,i}_h = \sum _{\ell =1}^{m} \delta _\ell ^{j,i} \cdot \chi _{\ell , h} \in \mathbb {F}_2, \end{aligned}$$which can only happen with probability 1/2 for each of them, as \(\chi _{\ell , h} \in \mathbb {F}_2\) are uniformly random sampled field elements after the deviations \(\hat{\delta }^{j,i}_h, \delta _\ell ^{j,i}\) have been defined.
\(\square \)
1.3 Parameters
Based on the analysis from previous works [22, 23, 45], if roughly 1 million triples are created at once, then the buckets in the cut-and-choose stages can be of size \(B = 3\), to guarantee security except with probability \(2^{-40}\). The additional cut-and-choose parameter c can be as low as 3, so is insignificant as we initially need \(m' = B^2m + c\) triples to produce m final triples.
1.4 Communication Complexity
Here, we analyse the communication complexity of \(\Pi _{\scriptstyle {\mathrm {n \text {-}TinyOT}}}\). The cost of creating one shared random bit is the same as one invocation of the \(\texttt {extend} \) command in \(\mathcal {F}_{\scriptstyle \mathrm {COT}}\) between all pairs of parties, giving \(n(n-1)(\kappa + s)\) bits. (We ignore the consistency check, since this cost amortizes away when creating many bits.)
The cost of one triple (not counting the bucketing stage) is 3 calls to \(\mathcal {F}_{\scriptstyle \mathrm {COT}}\) between every pair of parties for authenticating shares of (x, y, z), plus sending one correction bit between every pair of parties, giving \(n(n-1)(3(\kappa + s) + 1)\) bits. This is then multiplied by approximately \(B^2\) to account for the bucketing. When creating a batch of at least a million triples (with \(s=40\)), we can set \(B=3\), so the overall cost per party is around \((n-1)27\cdot (\kappa + s)\) bits.
We remark that when checking a large number of MACs using \(\Pi _{\scriptstyle {\mathrm {Open}}}\) or \(\Pi _{\scriptstyle {\mathrm {Open}}}^i\), the checks can be batched together, by first computing a random linear combination of all MACs, and checking the MAC on this, as in e.g. [17, 29]. This means that the cost of checking many MACs is roughly the cost of checking one, which is why we did not factor the MAC checks into the cost of the bucketing stage.
1.5 Round Complexity
Initializing the correlated OTs can be done with any two-round OT protocol. Extending the correlated OTs using [40] and [1] takes three rounds. Note that when authenticating random bits, the s additional bits in the consistency check can be created in parallel with the original m bits, giving an overall cost of five rounds for random bits.
The triple generation consists of one set of correlated OTs (2 + 3 rounds), plus one round, plus another round of correlated OTs (3 rounds). Then, there are two rounds for \(\mathcal {F}_{\scriptstyle \mathrm {Rand}}\) in the bucketing (which can all be done in parallel), one round for the openings in step 2a and one round for step 2c. The openings in step 2a can be merged with the previous round. This gives a total of 13 rounds.
1.6 Realizing General Secure Computation
The previous protocol can easily be used to implement a general secure computation functionality such as \(\mathcal {F}_{\scriptstyle \mathrm {Bit MPC}}\). The main feature missing is the ability for parties to provide inputs, since we only need to create random bits and triples for our application to garbled circuits. However, this is easy to do with a standard technique: if \(P_i\) wishes to secret-share an input x, the parties do as follows:
-
Create a shared random bit [b].
-
Open b to \(P_i\) using \(\Pi _{\scriptstyle {\mathrm {Open}}}^i\).
-
\(P_i\) broadcasts \(d = x - b\).
-
All parties compute \([x] = [b] + d\).
Rights and permissions
About this article
Cite this article
Hazay, C., Scholl, P. & Soria-Vazquez, E. Low Cost Constant Round MPC Combining BMR and Oblivious Transfer. J Cryptol 33, 1732–1786 (2020). https://doi.org/10.1007/s00145-020-09355-y
Received:
Revised:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s00145-020-09355-y