The section on Secure
Multiparty Computation started with the very good presentation given
by abhi shelat on “Fast two-party Secure Computation with Minimal
Assumptions” (joint work with Chih-Hao
Shen). He started the
talk pointing out how in recent times multiparty computation have
become more and more practical: since the Yao's seminal work in 1982,
many different protocols have been proposed providing, in the last
few years, drastic improvements and efficient implementations
relevant for real-world applications.
The
approach presented in the talk for secure two-party computation is
essentially based on Yao's construction and on cut-and-choose
technique to achieve security in the active model.
Informally
speaking the protocol works as follows: we have two parties, Alice
and Bob, that want to securely and privately evaluate an arbitrary
function represented by a Boolean circuit C. Then one party, say
Alice, prepares a “garbled” (or “encrypted”) version of the
circuit C and gives it to Bob together with her appropriate input
keys, in such a way that he can evaluate the circuit without learning
anything about Alice's inputs and intermediate values. To achieve
security against active adversary Alice creates many copies of the
garbled circuit (with different randomness) and sends them to Bob.
Then he asks Alice to open a fixed fraction of these circuits
checking that they are correctly encoded.
Unfortunately
using this technique we have three main issues to resolve: 1) Input
inconsistency: we need that
Alice use the same inputs in each evaluated circuits 2) Output
authentication and privacy: a
malicious Bob could learn Alice's output or outputs an incorrect
value 3) Selective failure attack:
a malicious Alice can use inconsistent inputs in the OTs and in
creation of the garbled circuits to learn Bob's inputs. There are
many different approaches to address these issues.
Abhi
started focusing on the output authentication and privacy
issue. The problem has been studied in many prior works: in [LP07] a
very elegant solution has been proposed, but it requires O(k^2n )
symmetric operations (where k is the security parameter and n is the
inputs size); the subsequent protocols in [LP11, Kir08, SS11]
require only O(kn) symmetric operations but they also need some
extra expansive operations. The new approach they proposed consists
essentially in a new witness-indistinguishable proof and it does not
need any extra computations or any number-theoretic assumptions. To
ensure the input consistency they use an auxiliary 2-universal hash
circuit; and for the selective failure attack they propose the same
solution as in [LP07], but with a different and more efficient
implementation. All in all they manage to obtain a two-party
computation protocol in the malicious setting that is faster than
prior protocols, which use the same techniques, and with fewer
assumptions.
The
talk concluded with a brief comparison with other works on secure
computation in the malicious setting, and in particular with
[NNOB12]. More specifically the protocol in [NNOB12] turns out to
be more efficient in terms of computation complexity (it requires
O(k/log(n) C) symmetric operations in the RA model, while the one
presented in the talk requires O(kC) operations in the standard
model), but it is worst in terms of communication complexity.
Finally Abhi discussed about the advantage of using garbled circuits for
secure two-party computation, in particular because, using this
technique, we do not have any asymptotic overhead in passing from
passive to active security.
In
the second talk of the section Michael
Zohner presented a joint work with Gilad Asharov, Yehuda Lindell and
Thomas Schnesider on More
Efficient Oblivious Transfer and Extensions for Faster Secure
Computation.
In
this work the authors describe a more efficient protocol for OT
extensions in the passive model. In addition they provide specific
functionalities for OT extensions especially designed for secure
computation protocols and an open source optimized OT implementation.
The
last talk of the section was given by Marcel. He very well
presented the Bristolian work An
Architecture for Practical Actively Secure MPC with Dishonest
Majority (joint
work with Peter and Nigel).
No comments:
Post a Comment