Sublinear GMW-Style Compiler for MPC with Preprocessing

Abstract

We consider the efficiency of protocols for secure multiparty computation (MPC) with a dishonest majority. A popular approach for the design of such protocols is to employ preprocessing. Before the inputs are known, the parties generate correlated secret randomness, which is consumed by a fast and possibly “information-theoretic” online protocol.

A powerful technique for securing such protocols against malicious parties uses homomorphic MACs to authenticate the values produced by the online protocol. Compared to a baseline protocol, which is only secure against semi-honest parties, this involves a significant increase in the size of the correlated randomness, by a factor of up to a statistical security parameter. Different approaches for partially mitigating this extra storage cost come at the expense of increasing the online communication.

In this work we propose a new technique for protecting MPC with preprocessing against malicious parties. We show that for circuit evaluation protocols that satisfy mild security and structural requirements, that are met by many standard protocols with semi-honest security, the extra additive storage and online communication costs are both logarithmic in the circuit size. This applies to Boolean circuits and to arithmetic circuits over fields or rings, and to both information-theoretic and computationally secure protocols. Our protocol can be viewed as a sublinear information-theoretic variant of the celebrated “GMW compiler” that applies to natural protocols for MPC with preprocessing.

Our compiler makes a novel use of the techniques of Boneh et al. (Crypto 2019) for sublinear distributed zero knowledge, which were previously only used in the setting of honest-majority MPC.

A Protocols which are Secure-up-to-Additive-Attack

In this section, we present two instatiations for a protocol to compute an arithmetic circuit, which is secure up to additive attack, as defined in Definition 2.3 and star-sharing compliant as defined in Defintion 3.2. Recall that the requirement is that for each multiplication gate or output wire of the circuit, the parties will hold a masked value on this wire, plus an error that the adversary added, which can be extracted by a simulator.

1.1 A.1 Multiplication in the Circuit-Dependent Preprocessing Model [9]

In this model, the structure of the circuit is known in advance. At the beginning of the protocol, the parties hold two masked inputs \(\hat{x}= x-r_1\) and \(\hat{y} =y-r_2\). The parties wish to obtain \(\hat{z}=x\cdot y- r_3\). Observe that

$$\begin{aligned} \hat{z} = x\cdot y -r_3= & {} (\hat{x} + r_1)(\hat{y} +r_2) -r_3 \nonumber \\= & {} \hat{x}\cdot \hat{y}+r_1\cdot \hat{y}+r_2\cdot \hat{x} +r_1\cdot r_2 - r_3 \end{aligned}$$

(3)

and so if the parties are given an additive sharing of \(r_1,r_2,r_1\cdot r_2\) and \(r_3\), they can locally compute an additive sharing of \(\hat{z}\). Note that in this approach, if a multiplication’s output wire is entering multiple gates in the next layer, then we need to make sure that the same mask is used for the input wires of the following gates. This is why the correlated randomness for this protocol is circuit-dependent, i.e., depends on the structure of the circuit. The multiplication protocol thus works as follows:

• Inputs: Each party \(P_i\) holds: \(\hat{x}, \hat{y}, r_1^i, r_2^i, (r_1\cdot r_2)^i\) and \(r_3^i\).

• The protocol:

  1. 1.

     Each party \(P_i\) locally computes \(z^i = r_1^i\cdot \hat{y}+r_2^i\cdot \hat{x} +(r_1\cdot r_2)^i - r_3^i\) and sends \(z^i\) to \(P_1\).

  2. 2.

     Party \(P_1\) computes \(z'=\sum _{i=1}^n z^i\) and broadcasts \(z'\) to all the other parties.

  3. 3.

     The parties compute \(\hat{z} = \hat{x}\cdot \hat{y}+z'\) and store the result as the output.

Recall that when \(P_1\) broadcasting \(z'\), this amounts to sending \(z'\) to all parties and then at the end run a batch check with constant cost for the entire circuit, to assert that the same \(z'\) was sent to all parties in each gate (see Section 2.3). Thus, the overall communication cost in this protocol is \(2(n-1)\) elements, and so each party sends \(2-\frac{2}{n}\) elements per multiplication gate. Note that for 2-party computation, this comes down to sending just a single element per party per multiplication.

Security up to an additive error. The above protocol does not guarantee correctness; a corrupted party can send incorrect values and cause the output to be incorrect. However, the only attack that corrupted parties can carry-out is to add an error to the output. To see this, consider a simulator that holds \(\hat{x}, \hat{y}\) and the randomness of the corrupted parties. Such a simulator can predict the messages sent by the corrupted parties. Thus, it can interact with the adversary, by sending him random values as the messages from the honest parties. Once it receives the messages from the corrutped parties, it can compute the error by comparing the received messages and the messages that should have been sent.

1.2 A.2 Multiplication in the Circuit-Independent Preprocessing Model [1]

When the structure of the circuit to be computed is yet to be known, we view the preprocessing as a service which produces random multiplication triples (i.e., Beaver triples). These triples are later consumed by the online computation. In this model, the parties interact to compute the masked input for each multiplication gate or a circuit’s output wire. Then, they locally compute an additive sharing of the multiplication’s output value. Addition gates which are between two multiplication gates are locally computed over the additive sharing of wire values. The protocol works as follows:

• Inputs: Each party \(P_i\) holds: \(x^i\), \(y^i\), \(r_1^i\), \(r_2^i\) and \((r_1\cdot r_2)^i\).

• The protocol:

  1. 1.

     Each party computes \(x^i-r_1^i\) and \(y^i-r_2^i\) and sends it to \(P_1\).

  2. 2.

     Party \(P_1\) computes \(\displaystyle \hat{x} = x-r_1 = \sum _{i=1}^n (x^i-r_1^i)\) and \(\displaystyle \hat{y} = y-r_2 = \sum _{i=1}^n (y^i-r_2^i)\). Then, it broadcasts \(\hat{x}\) and \(\hat{y}\) to all the other parties.

  3. 3.

     Each party \(P_i\) computes \(z^i = r_1^i\cdot \hat{y} + r_2^i\cdot \hat{x} +(r_1\cdot r_2)^i\). Then, party \(P_1\) defines \(\hat{x}\cdot \hat{t}+z^1\) as its output share, where each \(P_i\), with \(i\ne 1\) defines \(z^i\) as its output share.

Observe that the communication cost here is doubled compared to the multiplication protocol in the circuit-dependent preprocessing model.

By the same reasoning which was used to compute the additive error for each multiplication gate separately in the circuit-dependent model presented above, we can compute the additive error on each multiplication’s input wire or circuit’s output wire, given the masked inputs to multiplication gates which feed these wires and the corrupted parties’ randomness.