Abstract
Protocols for secure multi-party computation are commonly composed of different sub-protocols, combining techniques such as homomorphic encryption, secret or Boolean sharing, and garbled circuits. In this paper, we design a new class of multi-party computation protocols which are themselves composed of two-party protocols. We integrate both types of composition: compositions of fully homomorphic encryption and garbled circuits with compositions of multi-party protocols from two-party protocols. As a result, we can construct communication-efficient protocols for special problems. Furthermore, we show how to efficiently ensure the security of composed protocols against malicious adversaries by proving in zero-knowledge that conversions between individual techniques are correct. To demonstrate the usefulness of this approach, we give an example scheme for private set analytics, i.e., private set disjointness. This scheme enjoys lower communication complexity than a solution based on generic multi-party computation and lower computation cost than fully homomorphic encryption. Our design is therefore more suitable for deployments in wide-area networks, such as the Internet, with many participants, or for problems with circuits of moderate or high multiplicative depth.
References
Aly, A., Orsini, E., Rotaru, D., Smart, N.P., Wood, T.: Zaphod: efficiently combining LSSS and garbled circuits in SCALE. In: ACM WAHC (2019)
Asharov, G., Jain, A., López-Alt, A., Tromer, E., Vaikuntanathan, V., Wichs, D.: Multiparty computation with low communication, computation and interaction via threshold FHE. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 483–501. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_29
Baum, C., Cozzo, D., Smart, N.P.: Using TopGear in overdrive: a more efficient ZKPoK for SPDZ. In: SAC (2019)
Bay, A., Erkin, Z., Alishahi, M., Vos, J.: Multi-party private set intersection protocols for practical applications. In: SECRYPT (2021)
Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols (extended abstract). In: STOC (1990)
Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: CCS (2012)
Bendlin, R., Damgård, I.: Threshold decryption and zero-knowledge proofs for lattice-based cryptosystems. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 201–218. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_13
Benhamouda, F., Camenisch, J., Krenn, S., Lyubashevsky, V., Neven, G.: Better zero-knowledge proofs for lattice encryption and their application to group signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 551–572. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_29
Blass, E.-O., Kerschbaum, F.: Strain: a secure auction for blockchains. In: Lopez, J., Zhou, J., Soriano, M. (eds.) ESORICS 2018. LNCS, vol. 11098, pp. 87–110. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-99073-6_5
Blass, E.-O., Kerschbaum, F.: Mixed-technique multi-party computations composed of two-party computations. Cryptology ePrint Archive, Report 2020/636 (2020). https://ia.cr/2020/636
Boneh, D., et al.: Threshold cryptosystems from threshold fully homomorphic encryption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 565–596. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_19
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS (2012)
Branco, P., Döttling, N., Pu, S.: Multiparty cardinality testing for threshold private intersection. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12711, pp. 32–60. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75248-4_2
Büscher, N., Demmler, D., Katzenbeisser, S., Kretzmer, D., Schneider, T.: HyCC: compilation of hybrid protocols for practical secure computation. In: CCS (2018)
Chandran, N., Dasgupta, N., Gupta, D., Lakshmi Bhavana Obbattu, S., Sekar, S., Shah, A.: Efficient linear multiparty PSI and extensions to circuit/quorum PSI. In: CCS (2021)
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: TFHE: Fast Fully Homomorphic Encryption Library (2016). https://tfhe.github.io/tfhe/
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: TFHE: fast fully homomorphic encryption over the torus. J. Cryptol. 33(1), 34–91 (2020)
Damgård, I., López-Alt, A.: Zero-knowledge proofs with low amortized communication from lattice assumptions. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 38–56. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_3
Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_38
Davidson, A., Cid, C.: An efficient toolkit for computing private set operations. In: Pieprzyk, J., Suriadi, S. (eds.) ACISP 2017. LNCS, vol. 10343, pp. 261–278. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59870-3_15
Debnath, S., Stanica, P., Kundu, N., Choudhury, T.: Secure and efficient multiparty private set intersection cardinality. Adv. Math. Commun. 15(2), 365 (2021)
Demmler, D., Schneider, T., Zohner, M.: ABY - a framework for efficient mixed-protocol secure two-party computation. In: NDSS (2015)
Escudero, D., Ghosh, S., Keller, M., Rachuri, R., Scholl, P.: Improved primitives for MPC over mixed arithmetic-binary circuits. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 823–852. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_29
Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. IACR ePrint 2012/144 (2012). https://eprint.iacr.org/2012/144
Freedman, M.J., Nissim, K., Pinkas, B.: Efficient private matching and set intersection. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 1–19. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_1
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC (2009)
Goldwasser, S., Lindell, Y.: Secure multi-party computation without agreement. J. Cryptol. 18(3), 247–287 (2005). https://doi.org/10.1007/s00145-005-0319-z
Hazay, C., Venkitasubramaniam, M.: Scalable multi-party private set-intersection. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 175–203. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_8
Henecka, W., Kögl, S., Sadeghi, A.-R., Schneider, T., Wehrenberg, I.: TASTY: tool for automating secure two-party computations. In: CCS (2010)
Hohenberger, S., Weis, S.A.: Honest-verifier private disjointness testing without random oracles. In: PET (2006)
Ishaq, M., Milanova, A., Zikas, V.: Efficient MPC via program analysis: a framework for efficient optimal mixing. In: CCS (2019)
Juvekar, C., Vaikuntanathan, V., Chandrakasan, A.: GAZELLE: a low latency framework for secure neural network inference. In: USENIX Security (2018)
Keller, M.: MP-SPDZ: a versatile framework for multi-party computation. IACR ePrint 2020/521 (2020)
Keller, M., Yanai, A.: Efficient maliciously secure multiparty computation for RAM. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 91–124. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_4
Keller, M., Orsini, E., Scholl, P.: MASCOT: faster malicious arithmetic secure computation with oblivious transfer. In: CCS (2016)
Keller, M., Pastro, V., Rotaru, D.: Overdrive: making SPDZ great again. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 158–189. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_6
Kiayias, A., Mitrofanova, A.: Testing disjointness of private datasets. In: Patrick, A.S., Yung, M. (eds.) FC 2005. LNCS, vol. 3570, pp. 109–124. Springer, Heidelberg (2005). https://doi.org/10.1007/11507840_13
Kissner, L., Song, D.: Privacy-preserving set operations. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 241–257. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_15
Kolesnikov, V., Sadeghi, A.-R., Schneider, T.: Improved garbled circuit building blocks and applications to auctions and computing minima. In: CANS (2009)
Kolesnikov, V., Sadeghi, A.-R., Schneider, T.: From dust to dawn: practically efficient two-party secure function evaluation protocols and their modular design. IACR ePrint 2010/079 (2010)
Kolesnikov, V., Sadeghi, A.-R., Schneider, T.: A systematic approach to practically efficient general two-party secure function evaluation protocols and their modular design. J. Comput. Secur. 21(2), 283–315 (2013)
Kolesnikov, V., Matania, N., Pinkas, B., Rosulek, M., Trieu, N.: Practical multi-party private set intersection from symmetric-key techniques. In: CCS (2017a)
Kolesnikov, V., Nielsen, J.B., Rosulek, M., Trieu, N., Trifiletti, R.: DUPLO: unifying cut-and-choose for garbled circuits. In: CCS (2017b)
Lindell, Y.: Fast cut-and-choose-based protocols for malicious and covert adversaries. J. Cryptol. 29(2), 456–490 (2015). https://doi.org/10.1007/s00145-015-9198-0
Lindell, Y., Smart, N.P., Soria-Vazquez, E.: More efficient constant-round multi-party computation from BMR and SHE. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 554–581. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53641-4_21
Lindell, Y., Pinkas, B., Smart, N.P., Yanai, A.: Efficient constant-round multi-party computation combining BMR and SPDZ. J. Cryptol. 32(3), 1026–1069 (2019). https://doi.org/10.1007/s00145-019-09322-2
Akhavan Mahdavi, R., et al.: Practical over-threshold multi-party private set intersection. In: ACSAC (2020)
Marconi, L., Conti, M., Di Pietro, R.: CED2: communication efficient disjointness decision. In: Jajodia, S., Zhou, J. (eds.) SecureComm 2010. LNICSSITE, vol. 50, pp. 290–306. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16161-2_17
Meadows, C.A.: A more efficient cryptographic matchmaking protocol for use in the absence of a continuously available third party. In: IEEE S&P (1986)
Mohassel, P., Rindal, P.: ABY3: a mixed protocol framework for machine learning. In: CCS (2018)
Myers, S., Sergi, M., Shelat, A.: Threshold fully homomorphic encryption and secure computation. IACR ePrint 2011/454 (2011)
Sathya Narayanan, G., Aishwarya, T., Agrawal, A., Patra, A., Choudhary, A., Pandu Rangan, C.: Multi party distributed private matching, set disjointness and cardinality of set intersection with information theoretic security. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 21–40. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10433-6_2
NETEM (2019). https://wiki.linuxfoundation.org/networking/netem
Nielsen, J.B., Orlandi, C.: LEGO for two-party secure computation. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 368–386. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_22
Pinkas, B., Schneider, T., Segev, G., Zohner, M.: Phasing: private set intersection using permutation-based hashing. In: USENIX Security (2015)
Pinkas, B., Schneider, T., Weinert, C., Wieder, U.: Efficient circuit-based PSI via cuckoo hashing. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 125–157. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_5
Pinkas, B., Schneider, T., Zohner, M.: Scalable private set intersection based on OT extension. ACM Trans. Priv. Secur. 21(2), 1–35 (2018)
Pinkas, B., Schneider, T., Tkachenko, O., Yanai, A.: Efficient circuit-based PSI with linear communication. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 122–153. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_5
Raab, M., Steger, A.: "Balls into bins" - a simple and tight analysis. In: Luby, M., Rolim, J.D.P., Serna, M. (eds.) RANDOM 1998. LNCS, vol. 1518, pp. 159–170. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49543-6_13
Riazi, M.S., Weinert, C., Tkachenko, O., Songhori, E.M., Schneider, T., Koushanfar, F.: Chameleon: a hybrid secure computation framework for machine learning applications. In: AsiaCCS (2018)
Rindal, P., Rosulek, M.: Malicious-secure private set intersection via dual execution. In: CCS (2017)
Rotaru, D., Wood, T.: MArBled circuits: mixing arithmetic and Boolean circuits with active security. In: Hao, F., Ruj, S., Sen Gupta, S. (eds.) INDOCRYPT 2019. LNCS, vol. 11898, pp. 227–249. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35423-7_12
Strand, M.: A verifiable shuffle for the GSW cryptosystem. In: VOTING (2018)
Verizon: IP latency statistics (2020). https://enterprise.verizon.com/terms/latency/
Wang, X., Ranellucci, S., Katz, J.: Authenticated garbling and efficient maliciously secure two-party computation. In: CCS (2017a)
Wang, X., Ranellucci, S., Katz, J.: Global-scale secure multiparty computation. In: CCS (2017b)
Ye, Q., Wang, H., Pieprzyk, J., Zhang, X.-M.: Efficient disjointness tests for private datasets. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 155–169. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70500-0_12
Yung, M.: From mental poker to core business: why and how to deploy secure computation protocols? In: CCS (2015)
Appendices
A Supporting Larger Plaintext Spaces
Our presentation describes arithmetic sub-circuits operating over single bits. There, each ciphertext encrypts a single bit and homomorphic operations are over bits. This can be inefficient, as parties often want to compute on larger integers, e.g., 32-bit integers. In any case, homomorphic encryption schemes operate over large plaintext spaces, where adding two multi-bit integers is a single homomorphic operation. A large plaintext space also allows for SIMD techniques.
To improve performance, we extend our conversion from operating over GF(2) plaintexts to operating over arbitrary fields GF(q) by making the following two modifications. First, in our conversions, ZK protocols, and ZK proofs, we replace the XORs used to share a single bit or to combine two shares into a bit by additions and subtractions over GF(q); random bits serving as a party's share become random elements of GF(q). Second, the n single-bit encryptions \(c_i=\textsf{Enc}(b_i)\) output by our 2PC-to-FHE conversion are combined into a single encryption of an n-bit integer by each party computing \(\sum_{i=0}^{n-1} 2^{i}\cdot c_{i+1}\).
B \(d \ge 2\) Parties
Secure multi-party computation can be constructed from secure two-party computations in various ways. One standard way is a star topology as we present in Sect. 4. We emphasize, however, that our conversions are not limited to star topologies.
The main idea is that each party \(P_i\) engages in secure two-party computation with a central party \(P_1\) to compute some functionality. Such a centralized approach works for certain functionalities, e.g., equality of inputs, as equality is symmetric and transitive. If \(P_i\)’s input is equal to \(P_1\)’s and \(P_j\)’s input is equal to \(P_1\)’s, then \(P_i\)’s input is also equal to \(P_j\)’s. Hence, computation of the joint result using homomorphic encryption can leverage this relation.
This approach does not apply to other functionalities, e.g., larger-than comparison. If \(P_i\)'s input is larger than \(P_1\)'s, and \(P_j\)'s input is larger than \(P_1\)'s, then we cannot infer any larger-than relation between \(P_i\)'s and \(P_j\)'s inputs. Consequently, in this case, the alternative that maintains constant round complexity is to engage all parties in pairwise comparisons. This has been considered previously, e.g., in the context of sealed-bid auctions [9]. However, in previous work the result of each pairwise comparison is leaked, reducing security to a level comparable with order-preserving encryption. In contrast, the constructions in this paper enable computing the auction result, e.g., the largest input, using homomorphic encryption with constant round complexity.
In summary, there exist several practically relevant protocols with arithmetic relations between inputs which can be decomposed into an initial two-party phase followed by a phase that combines the inputs. We use secure two-party protocols during the first phase to achieve efficient implementations in a constant number of (communication) rounds. Similarly, we use homomorphic encryption to efficiently evaluate sub-circuits of low multiplicative depth. Our ZK protocols ensure that the conversion is secure against malicious adversaries.
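Appendices A and B both reduce to the same small amount of arithmetic: additive sharing over GF(q) in place of XOR sharing over GF(2), a homomorphic linear combination \(\sum_{i} 2^i \cdot c_{i+1}\) that packs bit ciphertexts into one integer ciphertext, and, in the star topology, a homomorphic sum of the per-party equality bits each \(P_i\) obtains from its 2PC with \(P_1\). The following Python is an added example, not code from the paper or its authors. It stands in for FHE with a constructed lifted-ElGamal scheme over a small safe prime (it supports only ciphertext addition and scaling by a public constant, which is all these steps need; the parameters and the class and function names are my own), and it models the 2PC equality step by a direct comparison, since the 2PC protocol itself lies outside these appendices.

```python
import secrets

# Constructed toy parameters: p = 2q + 1 is a safe prime and g = 4 generates
# the order-q subgroup, so plaintexts live in Z_q (q = 5003). These sizes are
# for illustration only; the paper's setting is a lattice-based FHE scheme.
P = 10007
Q = 5003
G = 4


class ExpElGamal:
    """Additively homomorphic 'lifted' ElGamal: Enc(m) = (g^r, g^m * h^r).
    Stand-in for the paper's FHE: it offers ciphertext addition and
    multiplication by a public scalar, which is all bit packing and the
    star-topology combination need."""

    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1   # secret key in [1, q-1]
        self.h = pow(G, self.x, P)              # public key h = g^x

    def enc(self, m):
        r = secrets.randbelow(Q - 1) + 1
        return (pow(G, r, P), pow(G, m % Q, P) * pow(self.h, r, P) % P)

    def dec(self, ct, bound):
        c1, c2 = ct
        gm = c2 * pow(c1, Q - self.x, P) % P    # g^m = c2 / c1^x
        # Brute-force discrete log over the small plaintext range [0, bound)
        for m in range(bound):
            if pow(G, m, P) == gm:
                return m
        raise ValueError("plaintext outside decryption bound")

    @staticmethod
    def add(a, b):
        """Enc(m1) * Enc(m2) componentwise = Enc(m1 + m2)."""
        return (a[0] * b[0] % P, a[1] * b[1] % P)

    @staticmethod
    def scale(ct, k):
        """Enc(m)^k componentwise = Enc(k * m) for a public integer k."""
        return (pow(ct[0], k, P), pow(ct[1], k, P))


def share_gf2(bit):
    """GF(2) sharing as in the single-bit presentation: bit = s1 XOR s2."""
    s2 = secrets.randbelow(2)
    return bit ^ s2, s2


def share_gfq(value, q=Q):
    """Appendix A, first modification: XOR becomes addition over GF(q),
    so value = s1 + s2 mod q with s2 a random field element."""
    s2 = secrets.randbelow(q)
    return (value - s2) % q, s2


def reconstruct_gfq(s1, s2, q=Q):
    return (s1 + s2) % q


def pack_bits(bit_cts):
    """Appendix A, second modification: combine encryptions c_1..c_n of single
    bits (c_1 = least significant) into one encryption of the n-bit integer
    sum_{i=0}^{n-1} 2^i * c_{i+1}, using only homomorphic operations."""
    acc = None
    for i, ct in enumerate(bit_cts):
        term = ExpElGamal.scale(ct, 1 << i)
        acc = term if acc is None else ExpElGamal.add(acc, term)
    return acc


def pack_demo(value, n=8):
    """Encrypt the n bits of value separately, pack them, decrypt the result."""
    scheme = ExpElGamal()
    bits = [(value >> i) & 1 for i in range(n)]
    cts = [scheme.enc(b) for b in bits]
    return scheme.dec(pack_bits(cts), 1 << n)


def star_all_equal(scheme, inputs):
    """Appendix B star topology for equality: each P_i (i >= 2) obtains, via
    2PC with P_1, an encryption of [x_i == x_1]. The encrypted bits are summed
    homomorphically; by transitivity of equality all d inputs are equal iff
    the sum decrypts to d - 1. The 2PC is modelled by a direct comparison."""
    d = len(inputs)
    if d < 2:
        raise ValueError("need at least two parties")
    x1, acc = inputs[0], None
    for xi in inputs[1:]:
        e = scheme.enc(1 if xi == x1 else 0)   # stand-in for the 2PC-to-FHE output
        acc = e if acc is None else ExpElGamal.add(acc, e)
    return scheme.dec(acc, d) == d - 1


if __name__ == "__main__":
    s1, s2 = share_gfq(200)
    print(reconstruct_gfq(s1, s2))                        # 200
    print(pack_demo(173))                                 # 173
    print(star_all_equal(ExpElGamal(), [7, 7, 7, 7]))     # True
    print(star_all_equal(ExpElGamal(), [7, 7, 3]))        # False
```

Packing never decrypts the individual bits: `pack_bits` only scales and adds ciphertexts, so whoever holds the bit ciphertexts after the 2PC-to-FHE conversion can form the integer ciphertext without the decryption key, which is the point of the second modification. The same additive structure is what the star topology exploits: the combiner sees only a sum of encrypted equality bits, not which parties matched.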
C Proof of Theorem 1
We emphasize that we only provide a proof sketch which, however, should convince an expert reader of the correctness of our theorems and the security of our protocols. Before presenting this proof sketch of our main Theorem 1, we briefly recall the completeness, zero-knowledge, and soundness definitions.
Let \(P \in \{ P_1, P_2 \}\) be the prover and \(V \in \{ P_1, P_2 \}\) be the verifier in a ZKP. Let \(w \in R_C\) be a witness for the correct execution of a conversion which we denote as relation \(R_C\). Let \(\langle P(w), V \rangle \) be the execution of a ZKP protocol.
Completeness: An honest verifier accepts the proof if the prover provides consistent input, i.e., \( w \in R_C \Longrightarrow \langle P(w), V \rangle \wedge Pr[V = \textsf{accept}] = 1. \)
Zero-Knowledge: The verifier learns nothing about the prover’s witness except that it satisfies the proof, i.e., there exists simulator \(\textsf{Sim}_P\) such that \( \langle P(w), V \rangle {\mathop {=}\limits ^{c}} \langle \textsf{Sim}_P, V \rangle .\)
Soundness: An honest verifier rejects the proof with overwhelming probability in the security parameter \(\lambda \) if the prover's secret input is not a witness for the proof, i.e., there exists an extractor \(\textsf{Ext}_V\) such that \( V = \textsf{accept} \Longrightarrow \langle P(w), \textsf{Ext}_V \rangle \wedge Pr[\textsf{Ext}_V = w] = 1 - \textsf{negl}(\lambda ).\)
Proof
(Theorem 1). Completeness of ZK Protocols (1) to (3) follows immediately from their construction, so we focus on Zero-Knowledge and Soundness.
Zero-Knowledge. To prove zero-knowledge, we construct simulators \(\textsf{Sim}_{P_1}\) or \(\textsf{Sim}_{P_2}\) in the hybrid model which do not know the witness of the individual ZK Protocols (ZKPs), create views for the adversary which are indistinguishable from the real protocol, and make the verifier accept the proofs. In the hybrid model, simulators can simulate any ZK sub-proofs invoked during the protocol.
First, observe that all messages from the prover to the verifier are semantically-secure ciphertexts, random numbers or other zero-knowledge proofs.
In ZKP (1) and (2), the simulator \(\textsf{Sim}_{P_1}\), or \(\textsf{Sim}_{P_2}\) (in ZKP (2)), randomly chooses inputs \(\iota _{1, i}\) (or \(\iota _{2,i}\)) and masking bits \(\mu _{i,j}\) as their input into 2PC. The verifier inputs \(\sigma _{i,j}\) to the 2PC. After the 2PC, the simulator either receives verification bits \(t_{i,j}\) (ZKP (1)) or outputs random verification bits (ZKP (2)).
In the last step, we apply the hybrid model. The simulator invokes the simulator of the ZKP for correct decryption using those (random) verification bits and the committed (random) input and masking ciphertexts, simulating a consistent execution of the ZKP.
In ZKP (3), \(\textsf{Sim}_{P_1}\) does not have to output verification bits \(v_{i,\omega _i,j}\); instead, verification is done using the ZK proofs Scalar\(_i\) and Shuffle\(_i\). Hence, the simulator for ZK Protocol (3) chooses a random \(\omega _i\) and invokes the simulators for Scalar\(_i\) and Shuffle\(_i\).
Soundness. To prove soundness for ZKP (1) and (2), we construct extractors \(\textsf{Ext}_{P_1}\) or \(\textsf{Ext}_{P_2}\). We construct an extractor \(\textsf{Ext}_{P_2}\) only for ZKP (1), but stress that the extractor \(\textsf{Ext}_{P_1}\) for (2) is equivalent. The extractor starts the ZK proof and lets the prover commit to their inputs via homomorphic ciphertexts \(c_{1,j}\) (for a known shared key). Then the extractor chooses challenge bits \(\sigma _{i,j}\) and sends them to the 2PC. The prover outputs verification bits \(t_{i,j}\). The extractor rewinds the prover to just before they received the challenge bits for the 2PC. The extractor negates all challenge bits to \(\lnot \sigma _{i,j}\), sends them to the 2PC and continues the protocol. Let the prover’s verification bits after rewinding be \(t'_{i,j}\). We assume that the prover has consistent inputs and hence these inputs are extractable: the prover’s inputs in ZKP (1) are \(t_{i,j} \oplus t'_{i,j}\).
The soundness of ZKP (3) is a special case of the authenticity of garbled circuits [6], and we do not need an extractor. Challenge bits \(v_{i,0,j}\) and \(v_{i,1,j}\) are input to the 2PC. Note that the soundness of ZKP (1) ensures that the entire execution of the verifier is secure against malicious behaviour, including its conversion of the challenge bits from FHE to 2PC. The output depends on the output of the 2PC. Since the prover only evaluates the garbled circuit, the authenticity property of garbled circuits binds it to either the correct output or no output at all. It can hence produce only one consistent set of output labels \(v_{i, \omega _i, j}\).
This completes our security proof. Note that only the proof of ZKP (3) depends on the proof of ZKP (1), and hence all proofs are valid if ordered from (1) to (3). \(\square \)
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Blass, E.-O., Kerschbaum, F.: Mixed-technique multi-party computations composed of two-party computations. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds.) Computer Security – ESORICS 2022. LNCS, vol. 13556. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-17143-7_15
DOI: https://doi.org/10.1007/978-3-031-17143-7_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17142-0
Online ISBN: 978-3-031-17143-7