Mixed-Technique Multi-Party Computations Composed of Two-Party Computations

Abstract

Protocols for secure multi-party computation are commonly composed of different sub-protocols, combining techniques such as homomorphic encryption, secret or Boolean sharing, and garbled circuits. In this paper, we design a new class of multi-party computation protocols which themselves are composed out of two-party protocols. We integrate both types of compositions, compositions of fully homomorphic encryption and garbled circuits with compositions of multi-party protocols from two-party protocols. As a result, we can construct communication-efficient protocols for special problems. Furthermore, we show how to efficiently ensure the security of composed protocols against malicious adversaries by proving in zero-knowledge that conversions between individual techniques are correct. To demonstrate the usefulness of this approach, we give an example scheme for private set analytics, i.e., private set disjointness. This scheme enjoys lower communication complexity than a solution based on generic multi-party computation and lower computation cost than fully homomorphic encryption. So, our design is more suitable for deployments in wide-area networks, such as the Internet, with many participants or problems with circuits of moderate or high multiplicative depth.

Appendices

Appendix

A A Supporting Larger Plaintext Spaces

Our presentation describes arithmetic sub-circuits operating over single bits. There, each ciphertext encrypts a single bit and homomorphic operations are over bits. This can be inefficient, as parties often want to compute on larger integers, e.g., 32 Bit integers. Homomorphic encryption schemes anyway operate over large plaintext spaces, where addition of a large, multiple bit integer is a single homomorphic operation. A large plaintext space also allows for SIMD techniques.

To improve performance, we extend conversion from operating over GF(2) plaintexts to operate over arbitrary fields GF(q) by instituting the following two modifications. In our conversions, ZK Protocols, and ZK proofs, we replace using XORs to share a single bit or combine two shares to a bit by additions and subtractions over GF(q). Random bits serving as a share for a party become random elements of GF(q). Second, n single bit encryptions \(c_i=\textsf{Enc}(b_i)\) output by our 2PC to FHE conversion are combined to a single n bit encrypted integer by each party computing \(\sum ^{n-1}_{i=0}{2^{i}\cdot {}c_{i+1}}\).

B B \(d\ge {}2\) Parties

Secure multi-party computation can be constructed from secure two-party computations in various ways. One standard way is a star topology as we present in Sect. 4. We emphasize, however, that our conversions are not limited to star topologies.

The main idea is that each party \(P_i\) engages in secure two-party computation with a central party \(P_1\) to compute some functionality. Such a centralized approach works for certain functionalities, e.g., equality of inputs, as equality is symmetric and transitive. If \(P_i\)’s input is equal to \(P_1\)’s and \(P_j\)’s input is equal to \(P_1\)’s, then \(P_i\)’s input is also equal to \(P_j\)’s. Hence, computation of the joint result using homomorphic encryption can leverage this relation.

This approach does not apply to other functionalities, e.g., larger-than comparison. If \(P_i\)’s input is larger than \(P_1\)’s, and \(P_j\)’s input is larger than \(P_1\)’s, then we cannot imply any larger-than relation between \(P_i\)’s and \(P_j\)’s input. Consequently, in this case, the alternative to maintain constant-round complexity is to engage all parties in pair-wise comparisons. This has been previously considered, e.g., in the context of sealed-bid auctions [9]. However, the result of each pairwise comparison is leaked in previous work, reducing security to a level comparable with order-preserving encryption. In contrast, constructions in this paper would enable computing the auction result, e.g., the largest input, using homomorphic encryption with constant round complexity.

In summary, there exist several practically relevant protocols with arithmetic relations between inputs which can be decomposed into an initial two-party phase followed by a combination phase of the inputs. We use secure two-party protocols during the first phase to achieve efficient implementations in a constant number of (communication) rounds. Similarly, to evaluate low multiplicative depth sub-circuits, we use homomorphic encryption efficiently. Our ZK protocols ensure that the conversion is secure against malicious adversaries.

C C Proof of Theorem 1

We emphasize that we only provide a proof-sketch that, however, should convince an expert reader about the correctness of our theorems and the security of our protocols. Before presenting this proof sketch of our main Theorem 1, we briefly recall completeness, zero-knowledge, and soundness definitions.

Let \(P \in \{ P_1, P_2 \}\) be the prover and \(V \in \{ P_1, P_2 \}\) be the verifier in a ZKP. Let \(w \in R_C\) be a witness for the correct execution of a conversion which we denote as relation \(R_C\). Let \(\langle P(w), V \rangle \) be the execution of a ZKP protocol.

Completeness: An honest verifier accepts the proof, if the prover provides consistent input, i.e., \( w \in R_C \Longrightarrow \langle P(w), V \rangle \wedge Pr[V = \textsf{accept}] = 1. \)

Zero-Knowledge: The verifier learns nothing about the prover’s witness except that it satisfies the proof, i.e., there exists simulator \(\textsf{Sim}_P\) such that \( \langle P(w), V \rangle {\mathop {=}\limits ^{c}} \langle \textsf{Sim}_P, V \rangle .\)

Soundness: An honest verifier rejects the proof with overwhelming probability in security parameter \(\lambda \), if the prover’s secret input is not a witness for the proof, i.e., there exists extractor \(\textsf{Ext}_V\) such that \( V = \textsf{accept} \Longrightarrow \langle P(w), \textsf{Ext}_V \rangle \wedge Pr[\textsf{Ext}_V = w] = 1 - \textsf{negl}(\lambda ).\)

Proof

(Theorem 1). Completeness of ZK Protocols (1) to (3) follows immediately from their construction, so we focus on Zero-Knowledge and Soundness.

Zero-Knowledge. To prove zero-knowledge, we construct simulators \(\textsf{Sim}_{P_1}\) or \(\textsf{Sim}_{P_2}\) in the hybrid model which do not know the witness of the individual ZK Protocols (ZKPs), create views for the adversary which are indistinguishable from the real protocol, and make the verifier accept the proofs. In the hybrid model, simulators can simulate any ZK sub-proofs invoked during the protocol.

First, observe that all messages from the prover to the verifier are semantically-secure ciphertexts, random numbers or other zero-knowledge proofs.

In ZKP (1) and (2), the simulator \(\textsf{Sim}_{P_1}\), or \(\textsf{Sim}_{P_2}\) (in ZKP (2)), randomly chooses inputs \(\iota _{1, i}\) (or \(\iota _{2,i}\)) and masking bits \(\mu _{i,j}\) as their input into 2PC. The verifier inputs \(\sigma _{i,j}\) to the 2PC. After the 2PC, the simulator either receives verification bits \(t_{i,j}\) (ZKP (1)) or outputs random verification bits (ZKP (2)).

In the last step, we apply the hybrid model. The simulator invokes the simulator of the ZKP for correct decryption using those (random) verification bits and the committed (random) input and masking ciphertexts, simulating a consistent execution of the ZKP.

In ZKP (3), \(\textsf{Sim}_{P_1}\) does not have to output verification bits \(v_{i,\omega _i,j}\), but the verification is done using ZK proofs Scalar\(_i\) and Shuffle\(_i\). Hence, the simulator for ZK Protocol (3) chooses a random \(\omega _i\) and invokes the simulators for Scalar\(_i\) and Shuffle\(_i\).

Soundness. To prove soundness for ZKP (1) and (2), we construct extractors \(\textsf{Ext}_{P_1}\) or \(\textsf{Ext}_{P_2}\). We construct an extractor \(\textsf{Ext}_{P_2}\) only for ZKP (1), but stress that the extractor \(\textsf{Ext}_{P_1}\) for (2) is equivalent. The extractor starts the ZK proof and lets the prover commit to their inputs via homomorphic ciphertexts \(c_{1,j}\) (for a known shared key). Then the extractor chooses challenge bits \(\sigma _{i,j}\) and sends them to the 2PC. The prover outputs verification bits \(t_{i,j}\). The extractor rewinds the prover to just before they received the challenge bits for the 2PC. The extractor negates all challenge bits to \(\lnot \sigma _{i,j}\), sends them to the 2PC and continues the protocol. Let the prover’s verification bits after rewinding be \(t'_{i,j}\). We assume that the prover has consistent inputs and hence these inputs are extractable: the prover’s inputs in ZKP (1) are \(t_{i,j} \oplus t'_{i,j}\).

The soundness of ZKP (3) is a special case of authenticity of garbled circuits [6], and we do not need an extractor. Challenge bits \(v_{i,0,j}\) and \(v_{i,1,j}\) are input to the 2PC. Note that the soundness of the ZKP (1) ensures that the entire execution of the verifier is secure against malicious behaviour, including its conversion of the challenge bits from FHE to 2PC. The output depends on the output of the 2PC. Since the prover only evaluates the garbled circuit, it is bound to the correct or no output due to the authenticity property of garbled circuits. It can hence only produce one consistent set of output labels \(v_{i, \omega _i, j}\).

This completes our security proof. Note that only the proof of ZKP (3) is recursive to the proof of ZKP (1), and hence all proofs are valid if ordered from (1) to (3). \(\square \)