Efficient Perfectly Secure Computation with Optimal Resilience

Abstract

Secure computation enables n mutually distrustful parties to compute a function over their private inputs jointly. In 1988, Ben-Or, Goldwasser, and Wigderson (BGW) proved that any function can be computed with perfect security in the presence of a malicious adversary corrupting at most \(t< n/3\) parties. After more than 30 years, protocols with perfect malicious security, and round complexity proportional to the circuit’s depth, still require (verifiably) sharing a total of \(O(n^2)\) values per multiplication. In contrast, only O(n) values need to be shared per multiplication to achieve semi-honest security. Sharing \(\Omega (n)\) values for a single multiplication seems to be the natural barrier for polynomial secret-sharing-based multiplication. In this paper, we construct a new secure computation protocol with perfect, optimal resilience and malicious security that incurs (verifiably) sharing O(n) values per multiplication. Our protocol requires a constant number of rounds per multiplication. Like BGW, it has an overall round complexity that is proportional only to the multiplicative depth of the circuit. Our improvement is obtained by a novel construction for weak VSS for polynomials of degree 2t, which incurs the same communication and round complexities as the state-of-the-art constructions for VSS for polynomials of degree t. Our second contribution is a method for reducing the communication complexity for any depth 1 sub-circuit to be proportional only to the size of the input and output (rather than the size of the circuit). This implies protocols with sub-linear communication complexity (in the size of the circuit) for perfectly secure computation for important functions like matrix multiplication.

Appendices

A General Secure Computation from Multiplication

1.1 A.1 Emulate a Multiplication Gate from O(n) Multiplications with a Dealer

We first show how the parties compute a multiplication gate in the \(({F_{VSS}},F_{VSS}^{mult})\)-hybrid model. Let a and b be the values on the two input wires, hidden using polynomials A(x, y) and B(x, y), respectively. The goal is that the parties would compute shares on a random degree-t polynomial C(x, y) for which \(C(0,0) = ab\). The subprotocol for computing a multiplication gate is as follows:

• Input Each party \(P_i\) holds \(f_i^a(x) = A(x,\alpha _i)\), \(g_i^a(y) = A(\alpha _i,y)\), \(f_i^b(x) = B(x,\alpha _i)\) and \(g_i^b(y) = B(\alpha _i,y)\).

• The protocol

  1. 1.

     Each party \(P_i\) invokes \(F_{VSS}^{mult}\) as a dealer while using \(f_i^a(x),f_i^b(x)\) as its input. Each party \(P_j\) uses in that invocation the shares \(g_j^a(\alpha _i),g_j^b(\alpha _i)\) as its input.

     As an output of this invocation, \(P_i\) holds a degree-t bivariate polynomial \(C_i(x,y)\) such that \(C_i(0,0)= f_i^a(0)\cdot f_i^b(0)\), and each party \(P_j\) holds \(f_j^{c_i}(x) = C_i(x,\alpha _j)\) and \(g_j^{c_i}(y) = C_i(\alpha _j,y)\).

  2. 2.

     Let \((f_j^{c_1}(x),\ldots ,f_j^{c_n}(x))\) and \((g_j^{c_1}(y),\ldots ,g_j^{c_n}(y))\) be the obtained shares from the previous step after each party served as a dealer. Each party \(P_j\) locally computes its final share \(f_j^c(x) = \sum _{i=1}^{n}\lambda _i\cdot f_j^{c_i}(x)\) and \(g_j^c(y) = \sum _{i=1}^{n} \lambda _i \cdot g_j^{c_i}(y)\), where \(\lambda _1,\ldots ,\lambda _n\) are the publicly known Lagrange coefficients.

• Output Each party outputs \(f_j^c(x),g_j^c(y)\).

The output shares correspond to the polynomial \(C(x,y)= \sum _{i=1}^{n}\lambda _i\cdot C_i(x,y)\). Its constant term is \(\sum _{i=1}^{n}\lambda _i \cdot C_i(0,0) = \sum _{i=1}^{n}\lambda _i\cdot f_i^a(0)\cdot f_i^b(0) = ab\), as required.

1.2 A.2 Emulate Arbitrary Gates with Multiplicative Depth 1

Let G be a multiplicative depth 1 sub-circuit of C, with M inputs and L outputs. Let \(a_1,\ldots ,a_M\) be the values on the M input wires, hidden using degree-t bivariate polynomials \(A_1(x,y),\ldots ,A_M(x,y)\), respectively. The goal is for the parties to compute shares on random degree-t bivariate polynomials \(C_1(x,y),\ldots ,C_L(x,y)\) such that \(\big ( C_1(0,0), \ldots , C_L(0,0) \big ) = G\big ( A_1(0,0), \ldots , A_M(0,0) \big )\). The subprotocol for achieving those shares is as follows:

• Input Each party \(P_i\) holds \(f_i^{a_m}(x) = A_m(x,\alpha _i)\) and \(g_i^{a_m}(y) = A_m(\alpha _i,y)\) for every \(m \in [M]\).

• The protocol

  1. 1.

     Each party \(P_i\) invokes \(F_{VSS}^{G}\) (Functionality 6.1) as a dealer while using \(f_i^{a_1}(x),\ldots ,f_i^{a_M}(x)\) as input. Each party \(P_j\) uses the shares \(g_j^{a_1}(\alpha _i),\ldots ,g_j^{a_M}(\alpha _i)\) as input.

     As an output of this invocation, \(P_i\) holds degree-t bivariate polynomials \(C_{i,1}(x,y),\ldots ,C_{i,L}(x,y)\) such that \(\big ( C_{i,1}(0,0),\ldots , C_{i,L}(0,0) \big ) = G\big ( f_i^{a_1}(0), \ldots , f_i^{a_M}(0) \big )\). In addition, each party \(P_j\) holds \(f_j^{C_{i,\ell }}(x) = C_{i,\ell }(x,\alpha _j)\) and \(g_j^{C_{i,\ell }}(y) = C_{i,\ell }(\alpha _j,y)\) for all \(\ell \in [L]\).

  2. 2.

     Let \((f_j^{C_{1,\ell }}(x),\ldots , f_j^{C_{n,\ell }}(x))\) and \((g_j^{C_{1,\ell }}(y),\ldots ,g_j^{C_{n,\ell }}(y))\) be the shares of \(C_{1,\ell }(x,y), \ldots , C_{n,\ell }(x,y)\) for \(\ell \in [L]\), obtained from the previous step, after each party served as a dealer.

     Each party \(P_j\) locally computes its final share \(f_j^{C_\ell }(x) = \sum _{i=1}^{n}\lambda _i\cdot f_j^{C_{i,\ell }}(x)\) and \(g_j^{C_\ell }(y) = \sum _{i=1}^{n} \lambda _i \cdot g_j^{C_{i,\ell }}(y)\), for \(\ell \in [L]\), , where \(\lambda _1,\ldots ,\lambda _n\) are the publicly known Lagrange coefficients.

• Output Each party outputs \(f_j^{C_\ell }(x)\) and \(g_j^{C_\ell }(y)\) for \(\ell \in [L]\).

For every \(\ell \in [L]\), the output shares correspond to the polynomial \(C_\ell (x,y)= \sum _{i=1}^{n}\lambda _i\cdot C_{i,\ell }(x,y)\), which is a polynomial of degree t. Let \((b_1,\ldots ,b_L) = G(a_1,\ldots ,a_M)\). The constant term of \(C_\ell \) is:

$$\begin{aligned} C_\ell (0,0)&= \sum _{i=1}^{n}\lambda _i\cdot C_{i,\ell }(0,0) = \sum _{i=1}^{n}\lambda _i\cdot G_\ell (f^{a_1}(\alpha _i),\ldots ,f^{a_M}(\alpha _i))\\&= \sum _{i=1}^{n} \lambda _i h_\ell (\alpha _i) = h_\ell (0) = b_\ell \ , \end{aligned}$$

where \(h_\ell (x) {\mathop {=}\limits ^\mathrm{def}}G_\ell (f^{a_1}(x),\ldots ,f^{a_M}(x))\) is a polynomial of degree 2, and from Functionality 6.1 it holds that \(C_{i,\ell }(0,0)=G_\ell (f^{a_1}(\alpha _i),\ldots ,f^{a_M}(\alpha _i))\).

Computing any function F

Let \(F:\mathbb {F}^n \rightarrow \mathbb {F}^n\) be any function that maps n inputs into n outputs, i.e., we assume for simplicity that the input and output of each party is a single field element. Let C be an arithmetic circuit over \(\mathbb {F}\) that computes F. To compute the circuit C:

• Input sharing phase Each party \(P_i\) with input \(x_i\) chooses a random bivariate polynomial \(S_i\) of degree t such that \(S_i(0,0) = x_i\). It invokes \({F_{VSS}}\) on \(S_i\).

• The circuit emulation stage The parties maintain the invariant in which each wire in the circuit is hidden by a bivariate sharing. Let \(G_1,\ldots ,G_\ell \) be the predetermined topological ordering of the gates of the circuit. For \(k=1,\ldots ,\ell \) the parties work as follows.

  1. 1.

     Case 1—\(G_k\) is an addition gate Each \(P_i\) locally computes the shares on the output wires by adding the two input shares of the inputs wires of the gate.

  2. 2.

     Case 2—\(G_k\) is a general gate The circuit has M input wires and L outputs wires. We invoke the subprotocol defined above to obtain shares on the output wires.

• Output reconstruction phase The parties hold bivariate sharing of the output wires. Each party \(P_i\) is supposed to learn some output \(y_i\). The parties send to \(P_i\) all the shares on that wire and \(P_i\) can reconstruct it.

In [3] it is shown that this protocol securely computes the functionality F (when using univariate sharing and not bivariate sharing, but the difference in the proof is straightforward). By combining Corollary 5.4 and Theorem 4.9, this leads to a protocol in the plain model.

B Proof of Claims 3.6 and 3.7

Claim B.1

(Hiding I, Claim 3.6, restated) Let h(x) be an arbitrary univariate polynomial of degree q, and let \(\alpha _1,\ldots ,\alpha _k\) with \(k\le t\) be arbitrary distinct nonzero points in \(\mathbb {F}\). Consider the following distribution \(\mathsf{Dist}(h)\):

• Choose a random (q, t)-bivariate polynomial S(x, y) under the constraint that \(S(x,0) = h(x)\).

• Output \(\{(i,S(x,\alpha _i),S(\alpha _i,y))\}_{i \in [k]}\).

Then, for every two arbitrary degree-q polynomials \(h_1(x),h_2(x)\) for which \(h_1(\alpha _i) = h_2(\alpha _i)\) for every \(i \in [k]\) it holds that \(\mathsf{Dist}(h_1) \equiv \mathsf{Dist}(h_2)\).

Proof

We start with the case where \(k=t\). Fix some \(h_1(x),h_2(x)\) as above, and fix degree-q polynomials \(\{f_i(x)\}_{i \in [k]}\) and degree-t polynomials \(\{g_i(y)\}_{i \in [k]}\) for which:

1. 1.

   \(f_i(\alpha _j)=g_j(\alpha _i)\) for every \(i,j \in [k]\),

2. 2.

   \(g_i(0) = h_1(\alpha _i) = h_2(\alpha _i)\).

We have to show that:

$$\begin{aligned} \Pr \left[ \mathsf{Dist}(h_1) = \{(i,f_i(x),g_i(y))\}_{i \in [{k}]}\right] = \Pr \left[ \mathsf{Dist}(h_2) = \{(i,f_i(x),g_i(y))\}_{i \in [{k}]}\right] \end{aligned}$$

Note that if the set of polynomials \(f_i(x),g_i(y)\) does not satisfy the above two conditions, then the probability to get this set of polynomials is 0 in both distributions. Observe also that the support of the two distributions is the same. Now, by fixing the set \(\{f_i(x),g_i(y)\}_{i=1}^{k}\), we show that there exists exactly one bivariate polynomial in the support of \(\mathsf{Dist}(h_1)\). This follows from Claim 3.4 while taking \(\{f_i(x)\}_{i=1}^{k} \cup h_1(x)\). Let S(x, y) be the unique polynomial that is guaranteed to exist by the claim. For every \(j=[t], i\in [k]\), it holds that \(g_i(\alpha _j)=f_j(\alpha _i) = S(\alpha _i,\alpha _j)\). Moreover, we know that \(S(x,0)=h_1(x)\) and since \(g_i(0) = h_1(\alpha _i)\) it holds that \(g_i(0) = S(\alpha _i,0)\). We therefore conclude that \(g_i(y)\) agrees with the degree-t polynomial \(S(\alpha _i,y)\). Since \(\mathsf{Dist}(h_1)\) chooses each bivariate polynomial in the support with exactly the same probability, we get that the probability that those \(\{f_i(x),g_i(y)\}\) were chosen is exactly 1 over the support of \(\mathsf{Dist}(h_1)\). Exactly the same analysis can be applied for \(\mathsf{Dist}(h_2)\), and using the fact that the support of the two distributions is the same, we conclude that the two distributions are identical.

For the case of \(k < t\), one can just add arbitrary polynomials to \(f_i(x),g_i(y)\) (that satisfy the pairwise checks), and use the law of total probability (see [3, Claim 3.2] for a similar claim). \(\square \)

Claim B.2

(Hiding II, Claim 3.7, restated) Same as Claim 3.6, except that it holds that \(h_1(0)=h_2(0)=\beta \) for some publicly known \(\beta \in \mathbb {F}\). The output of the distribution is \(\{(i,S(x,\alpha _i),S(\alpha _i,y))\}_{i \in [k]} \cup S(0,y) \).

Proof

Let \(h_1(x),h_2(x)\) be arbitrary polynomials of degree q such that \(h_1(0)=h_2(0)=\beta \), and fix degree-q polynomials \(\{f_i(x)\}_{i \in [k]}\) and degree-t polynomials \(\{g_i(y)\}_{i \in [k]}\) for which \(g_i(0)=h_1(\alpha _i)=h_2(\alpha _i)\), and \(f_i(\alpha _j)=g_j(\alpha _i)\) for every \(i,j \in [k]\). Moreover, fix an arbitrary degree-t polynomial \(g_0(y)\) for which for every \(i\in [k]\) it holds that \(g_0(\alpha _i) = f_i(0)\). Note that in case of \(k=t\), the polynomial \(g_0(y)\) is already determined: conditioning that \(g_0(\alpha _i)=f_i(0)\) for every \(i \in [k]\) define t points on the polynomial, we know that \(g_0(0) = \beta \). So we have \(t+1\) points which uniquely define a polynomial of degree t.

We show that the probability to obtain \(\{f_i(x),g_i(y)\}_{i \in [k]} \cup \{g_0(y)\}\) is the same under both distributions. First, observe that the support of the two distributions is the same. Moreover, just like in the previous claim, for the case of \(k=t\) we can apply Claim 3.4, i.e., there exists a unique bivariate polynomial S(x, y) that is determined by the view \(\{f_i(x),g_i(y)\}_{i \in [k]} \cup \{g_0(y)\}\) in each one of the distributions. The probability of obtaining those polynomials is exactly 1 over the support size, which is the same in both cases. For the case of \(k<t\), one can just add arbitrary polynomials to the set of fixed polynomials (that satisfy the conditions), and use the law of total probability as in [3, Claim 3.2].

\(\square \)