
Developing non-interactive MPC with trusted hardware for enhanced security

Regular contribution, published in the International Journal of Information Security.

Abstract

Secure multiparty computation (MPC) is a promising technology for supporting privacy-preserving computation between multiple untrusted parties. Recent work has made progress reducing the number of online messages that must be sent by each participant to one, in an effort to improve communication overhead. These non-interactive protocols (NI-MPC) are efficient but do not offer standard security guarantees. A vital next step in the research is developing NI-MPC protocols that offer traditional security guarantees in the standard model. This is challenging, because protocols that are non-interactive are vulnerable to the residual function attack, and a malicious party can evaluate a function multiple times using different inputs to deduce the inputs provided by honest users. After proving NI-MPC protocols without extra trust assumptions cannot achieve fully malicious security, fairness, or robustness in the standard model, we solve this problem using trusted hardware. We then present two novel NI-MPC protocols that achieve standard privacy and correctness, and also provide guarantees of fairness and robustness (for the latter additional communication is necessary if an attack occurs). We also introduce the first implementation of an NI-MPC protocol with a one-round online phase that is secure in the standard model. In addition, we rigorously analyze the computational and communication complexity of existing protocols that require either two rounds of communication or one round of online communication. We demonstrate that our protocol outperforms or is comparable to their complexity. Furthermore, we provide rigorous proofs of correctness, security, fairness, and robustness in the covert and malicious adversary models.





Author information

Corresponding author

Correspondence to Taeho Jung.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Appendix A: Proof of Theorem 3

Theorem 5

Our protocols \(\pi _{private}\) and \(\pi _{fair+robust}\) correctly compute Boolean circuits as defined in Definition 1.

Proof

Recall that the circuit C is agreed upon prior to beginning the protocol. We note first that if the parties use their TPMs exactly as described in the protocol, they will use \(\mathsf {gen}\) to generate a \({\mathcal {W}}_i\)-time-use count-limited key pair (\({\mathcal {K}}_{\mathbf{p }_i}\), \({\mathcal {K}}_{\mathbf{s }_i}\)). The parties will later send their \({\mathcal {K}}_{\mathbf{p }_i}\) to the “separate” garbler. (This step is verified during attestation as described in Fig. 1.) The garbler must correctly use the garbling function \(\mathsf {garble}\) to convert the ordinary circuit C to a corresponding garbled circuit GC whose inputs map correctly to the corresponding outputs of the original circuit. Following this, the garbler takes the input wire labels \(x_{w,(0,1)}\) corresponding to wires controlled by \({\mathcal {P}}_i\) and must encrypt them with the symmetric key \({\mathcal {R}}^{(i)}\) using \(\mathsf {enc\_sec}\), that is, \(\mathsf {enc\_sec}(x_{w,(0,1)}) = \mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,(0,1)})\). Then, the garbler must use the function \(\mathsf {enc\_pub}\) to encrypt the encrypted wire labels with \({\mathcal {P}}_i\)’s public key \({\mathcal {K}}_{\mathbf{p }_i}\) along with a perfectly secret share (e.g., Shamir’s) \({\mathcal {R}}^{(i)}_w\) of the symmetric key \({\mathcal {R}}^{(i)}\) corresponding to the wire w, that is, \(\mathsf {enc\_pub}(\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,(0,1)}), {\mathcal {R}}^{(i)}_w) = \mathcal {PK}_{{\mathcal {K}}_{\mathbf{p }_i}}(\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,(0,1)}), {\mathcal {R}}^{(i)}_w)\). The garbler then must broadcast this ciphertext as \({\mathcal {C}}_{w,(0,1)}\) to party \({\mathcal {P}}_i\) along with the garbled circuit GC. Note that some index information is encoded into the ciphertext so the receiving \({\mathcal {P}}_i\) will know which ciphertext corresponds to the Boolean value 0 or 1.
Because of the monotonic counter, the number of decryptions permitted using the public key is equal to the number of input wires of the garbled circuit, and each party can only decrypt one possible input for each wire. After receiving all ciphertexts \({\mathcal {C}}_{w,(0,1)}\), \({\mathcal {P}}_i\) decrypts only the permitted number of ciphertexts, namely those corresponding to their desired input of 0 or 1 for each wire w, using \(\mathsf {dec\_pub}\), that is, \(\mathsf {dec\_pub}({\mathcal {C}}_{w,(0,1)}) = (\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,(0,1)}), {\mathcal {R}}^{(i)}_w)\). From here, \({\mathcal {P}}_i\) can combine the shares \({\mathcal {R}}^{(i)}_w\) to recover \({\mathcal {R}}^{(i)}\) and use \(\mathsf {dec\_sec}\) to decrypt \(\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,(0,1)})\) and correctly recover the proper wire label as \(\mathsf {dec\_sec}(\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,(0,1)})) = x_{w,(0,1)}\). Then, as long as the garbler properly generated the garbled circuit GC, we know that \({\mathcal {P}}_i\) can input all \(x_{w,(0,1)}\) into GC to recover the circuit’s output. \(\square \)
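The label delivery just described, as an added simulation that is not the paper's implementation: the count-limited key pair is modelled by a `Tpm` object whose counter permits exactly \({\mathcal {W}}_i\) decryptions, both encryption schemes are XOR-with-SHA-256 stand-ins, and the share \({\mathcal {R}}^{(i)}_w\) is the same in both ciphertexts of wire w, so a party that decrypts both labels of one wire exhausts the counter with only \({\mathcal {W}}_i - 1\) distinct shares and cannot recover \({\mathcal {R}}^{(i)}\). The class and function names (`Tpm`, `garble_inputs`, `evaluate_inputs`, `residual_attempt`) are assumptions of this example.

```python
"""Toy simulation of the count-limited label delivery from Appendix A.

Added example, not the paper's implementation.  The TPM's count-limited
decryption is modelled by a Python object holding a counter, and both
encryption schemes are stand-ins (XOR with a SHA-256 derived pad) so the
script runs offline.  All names here are assumptions of the example.
"""
import hashlib
import secrets

PRIME = 2**127 - 1   # Shamir shares live in GF(PRIME); the key R is a field element
LABEL_LEN = 16       # wire labels x_{w,b} are 128-bit strings


# --- t-out-of-n Shamir sharing (the "perfectly secret share" of R^(i)) -------
def share_secret(secret, t, n):
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, PRIME) for k, c in enumerate(coeffs)) % PRIME)
            for x in range(1, n + 1)]


def recombine(shares):
    """Lagrange interpolation at x = 0; needs t shares with distinct x."""
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % PRIME
                den = den * (xj - xm) % PRIME
        total = (total + yj * num * pow(den, -1, PRIME)) % PRIME
    return total


# --- stand-in for enc_sec / dec_sec: XOR with a key- and wire-bound pad -------
def _xor_pad(key, tag, data):
    pad = hashlib.sha256(key + tag).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, pad))


enc_sec = dec_sec = _xor_pad   # the XOR pad is its own inverse


class Tpm:
    """Count-limited key pair: enc_pub is unlimited, dec_pub works `uses` times.

    Stand-in for the real TPM: the "public" operation reuses the object's
    internal secret so that no public-key library is needed.
    """
    def __init__(self, uses):
        self._sk = secrets.token_bytes(32)   # never leaves the object
        self.remaining = uses                # the monotonic counter

    def enc_pub(self, tag, plaintext):
        return _xor_pad(self._sk, tag, plaintext)

    def dec_pub(self, tag, ciphertext):
        if self.remaining == 0:
            raise PermissionError("count limit reached: no decryptions left")
        self.remaining -= 1
        return _xor_pad(self._sk, tag, ciphertext)


# --- garbler: C_{w,b} = PK(SK_R(x_{w,b}), R_w); both b carry the same R_w -----
def garble_inputs(tpm, labels, r):
    n = len(labels)                       # W_i input wires owned by P_i
    r_bytes = r.to_bytes(16, "big")
    shares = share_secret(r, n, n)        # W_i-out-of-W_i: every wire's share is needed
    cts = []
    for w, pair in enumerate(labels):
        _, y = shares[w]
        row = []
        for b, x in enumerate(pair):
            tag = f"{w}:{b}".encode()     # index info so P_i knows which label is b
            row.append(tpm.enc_pub(tag, enc_sec(r_bytes, tag, x) + y.to_bytes(16, "big")))
        cts.append(tuple(row))
    return cts


# --- honest P_i: one dec_pub per wire, recombine R, then dec_sec each label ---
def evaluate_inputs(tpm, cts, choices):
    shares, inner = [], []
    for w, b in enumerate(choices):
        tag = f"{w}:{b}".encode()
        pt = tpm.dec_pub(tag, cts[w][b])
        inner.append((tag, pt[:LABEL_LEN]))
        shares.append((w + 1, int.from_bytes(pt[LABEL_LEN:], "big")))
    r_bytes = recombine(shares).to_bytes(16, "big")
    return [dec_sec(r_bytes, tag, c) for tag, c in inner]


# --- a deviating party that decrypts both labels of wire 0 --------------------
def residual_attempt(tpm, cts):
    """Returns (hit_count_limit, distinct_shares_collected)."""
    xs = set()
    try:
        for w, b in [(0, 0), (0, 1)] + [(w, 0) for w in range(1, len(cts))]:
            tpm.dec_pub(f"{w}:{b}".encode(), cts[w][b])
            xs.add(w + 1)                 # wire 0 yields the same share twice
    except PermissionError:
        return True, len(xs)              # counter exhausted with too few shares
    return False, len(xs)
```

With W_i = 4 wires, the honest evaluation recovers exactly one label per wire, while the deviating party runs out of decryptions holding three distinct shares, one short of the threshold.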

Appendix B: Proof of Theorem 4

We consider the multiparty setting where there is an honest majority, but a set of users A is corrupted. The simulator SIM works as follows:

  1. Unless otherwise mentioned, SIM passes messages between the adversary-controlled users A and the trusted hardware.

  2. Given the security parameter \(1^\lambda \), SIM generates random cryptographic keys within the TPM for the honest users P.

  3. Next, SIM calls \(\mathsf {gen}\) and queries the TPM for each user in A or P to generate a random \({\mathcal {W}}_i\)-time-use count-limited public/private key pair (\({\mathcal {K}}_{\mathbf{p }_i}\), \({\mathcal {K}}_{\mathbf{s }_i}\)), where \({\mathcal {W}}_i\) is the number of input wires \({\mathcal {P}}_i\) controls for circuit C. If a user in A does not successfully query the TPM, but \({\mathcal {A}}\) can forge the attestation to continue the protocol, SIM outputs \(\perp _{3}\) and exits.

  4. SIM certifies \({\mathcal {K}}_{\mathbf{p }_i}\) for each \({\mathcal {P}}_i\) with an Attestation Identity Key for the TPM, and broadcasts \({\mathcal {K}}_{\mathbf{p }_i}\). If attestation fails, they output \(\perp _{4}\) and abort. The simulator sees messages between \({\mathcal {A}}\) and the TPM and can see if the attestation fails but \({\mathcal {A}}\) does not abort. If this occurs, they output \(\perp _{attest}\) and exit.

  5. SIM has the garbler \({\mathcal {G}}\) take the previously agreed-upon circuit C and call \(\mathsf {garble}\) to compute a corresponding garbled circuit GC.

  6. SIM has the garbler call \(\mathsf {hash}\) to compute the hash of each label, and then split one of each wire’s corresponding labels into shares using the random t-out-of-n secret sharing scheme for each wire controlled by each player, where t is the number of parties in the honest majority (i.e., \(\lfloor n/2 \rfloor + 1\), where n is the number of users). SIM then has the garbler call \(\mathsf {enc\_sec}\) to encrypt each label with a random symmetric key, and \(\mathsf {enc\_pub}\) to encrypt each tuple of an encrypted label and share \({\mathcal {R}}^{(i)}_w\).

  7. SIM has the garbler compute and broadcast \({\mathcal {C}}_{w,0} = \mathcal {PK}_{{\mathcal {K}}_{\mathbf{p }_i}}(\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,0}), {\mathcal {R}}^{(i)}_w)\) and \({\mathcal {C}}_{w,1} = \mathcal {PK}_{{\mathcal {K}}_{\mathbf{p }_i}}(\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,1}), {\mathcal {R}}^{(i)}_w)\) for all \(w \in {\mathcal {W}}_i\), for all inputs controlled by honest parties, along with the hash of each label and the t-out-of-n secret shares of each party’s input wire labels for each wire controlled by each honest player. Then, SIM has the garbler compute and broadcast \({\mathcal {C}}_{w,0} = \mathcal {PK}_{{\mathcal {K}}_{\mathbf{p }_i}}(\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,0}), {\mathcal {R}}^{(i)}_w)\) and \({\mathcal {C}}_{w,1} = \mathcal {PK}_{{\mathcal {K}}_{\mathbf{p }_i}}(\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,1}), {\mathcal {R}}^{(i)}_w)\) for all \(w \in {\mathcal {W}}_i\), for all inputs controlled by users in A, along with the hash of each label and the t-out-of-n secret shares of each party’s input wire labels for each wire controlled by each user in A.

  8. SIM has the users in P decrypt either \({\mathcal {C}}_{w,0}\) or \({\mathcal {C}}_{w,1}\) at random (for \(w \in [{\mathcal {W}}_i]\)) using their private key \({\mathcal {K}}_{\mathbf{s }_i}\) stored on their TPM, by calling \(\mathsf {dec\_pub}\), to get the intermediate ciphertexts \({\mathcal {T}}_{w,0} = (\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,0}), {\mathcal {R}}^{(i)}_w)\) or \({\mathcal {T}}_{w,1} = (\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,1}), {\mathcal {R}}^{(i)}_w)\). The \({\mathcal {A}}\)-controlled users similarly decrypt using the \({\mathcal {K}}_{\mathbf{s }_i}\) stored on their TPM to get intermediate ciphertexts.

  9. SIM extracts each \({\mathcal {R}}^{(i)}_w\) for each user in P, which are then recombined to recover the symmetric key \({\mathcal {R}}^{(i)}\). Then, SIM uses each \({\mathcal {R}}^{(i)}\) to decrypt \(\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,0})\), by calling \(\mathsf {dec\_sec}\), based on the choice of \({\mathcal {P}}_i\), to recover \(x_{w,0}\). The \({\mathcal {A}}\)-controlled users similarly extract each \({\mathcal {R}}^{(i)}_w\) to recover the corresponding symmetric key and decrypt their input choice using \(\mathsf {dec\_sec}\). If \({\mathcal {A}}\) deviates from the protocol (i.e., does not decrypt one input choice for each input to the function that they control), but is still able to correctly determine the missing \({\mathcal {R}}^{(i)}_w\) needed to reconstruct the symmetric key, SIM outputs \(\perp _{share}\) and exits.

  10. If \({\mathcal {A}}\) aborts at any time during the previous two steps, then we send abort to the ideal functionality but continue running SIM. If \({\mathcal {A}}\) is able to provide correct inputs to the circuit for all users participating, whose hash matches the hash of all users’ valid inputs, SIM outputs \(\perp _{10}\) and exits.

  11. If \({\mathcal {A}}\) has not aborted, SIM broadcasts the honest parties’ chosen \(x_{w,i}\) to \({\mathcal {A}}\). If \({\mathcal {A}}\) does not send the inputs owned by the parties they control to SIM, but is able to provide correct inputs to the circuit for all users participating, whose hash matches the hash of all users’ valid inputs, SIM outputs \(\perp _{11}\) and exits.

  12. We split the behavior of SIM into the following cases:

     (a) If \({\mathcal {A}}\) responds with the set of \(x_{w,i}\) that correspond to the inputs controlled by users in A, whose hashes verify successfully, SIM outputs the plaintext circuit output.

     (b) If \({\mathcal {A}}\) responds with a set of messages that do not correspond to the inputs controlled by the users in A (i.e., \(x_{w,i}\)), but can be used to construct the correct hash of the inputs controlled by A, SIM outputs \(\perp _{12}\) and exits.

     (c) If \({\mathcal {A}}\) responds with a set of messages that do not correspond to the inputs controlled by the users in A (i.e., \(x_{w,i}\)), and cannot be used to construct the correct hash of the inputs controlled by A, SIM broadcasts each user in P’s t-out-of-n secret shares that correspond to the malicious parties’ labels that were not successfully verified to all other honest parties. SIM combines the shares to recover all of the \(x_{w,0}\) or \(x_{w,1}\) that correspond to the inputs controlled by \({\mathcal {A}}\), and inputs these labels into the garbled circuit GC to reveal the output and return the plaintext circuit output.

We prove indistinguishability of the real and ideal worlds through a sequence of hybrids, via the following theorem:

Theorem 6

Assuming the TPM is secure, all parties use the TPM as the protocol describes, the public key and symmetric key encrypted ciphertexts supported by the TPM are IND-CCA secure, players properly perform attestation with their keys, a cryptographically secure hash function is used, an information-theoretically secure secret sharing scheme is used, and the semi-honest, non-colluding garbler correctly garbles circuits, our protocol \(\pi _{fair + robust}\) privately, fairly, and robustly computes Boolean circuits as defined in Definitions 2, 5, and 6.

\(Hyb_0\): Identical to the real execution.

\(Hyb_1\): Identical to \(Hyb_0\) except that we introduce the following check. Observe the users in A and the attestation messages they send to the TPM. If a user in A does not successfully query the TPM, output \(\perp _{3}\) and exit.

Claim

Assuming the TPM is secure, \(Hyb_0\) is computationally indistinguishable from \(Hyb_1\).

Proof

\(Hyb_1\) outputs \(\perp _3\) with only negligible probability. If not, we can use \({\mathcal {A}}\) to forge the attestation feature of the TPM, thus breaking the TPM’s security. \(\square \)

\(Hyb_2\): Identical to \(Hyb_1\) except that we replace all the public/private key pairs \({\mathcal {K}}_{\mathbf{p }_i}\), \({\mathcal {K}}_{\mathbf{s }_i}\) with random keys.

Claim

Assuming the IND-CCA security of the TPM’s public/private key pairs, \(Hyb_2\) is computationally indistinguishable from \(Hyb_1\).

Proof

This follows directly from the IND-CCA security. \(\square \)

\(Hyb_3\): Identical to \(Hyb_2\) except that we replace all the symmetric keys \({\mathcal {R}}^{(i)}\) with random keys.

Claim

Assuming the IND-CCA security of the symmetric encryption scheme, \(Hyb_3\) is computationally indistinguishable from \(Hyb_2\).

Proof

This follows directly from the IND-CCA security. \(\square \)

\(Hyb_4\): Identical to \(Hyb_3\) except that we add the following checks: (1) if the attestation fails for the honest users in P, SIM outputs \(\perp _4\) and exits; (2) if the attestation fails for a user controlled by \({\mathcal {A}}\), but they do not abort, SIM outputs \(\perp _{attest}\) and exits.

Claim

Assuming the TPM is secure, \(Hyb_4\) is computationally indistinguishable from \(Hyb_3\).

Proof

\(Hyb_4\) outputs \(\perp _4\) and \(\perp _{attest}\) with only negligible probability. If not, we can use \({\mathcal {A}}\) to forge the attestation of the TPM, to break the TPM’s security. \(\square \)

\(Hyb_5\): Identical to \(Hyb_4\) except that SIM has the garbler compute and broadcast \({\mathcal {C}}_{w,0} = \mathcal {PK}_{{\mathcal {K}}_{\mathbf{p }_i}}(\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,0}), {\mathcal {R}}^{(i)}_w)\) and \({\mathcal {C}}_{w,1} = \mathcal {PK}_{{\mathcal {K}}_{\mathbf{p }_i}}(\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,1}), {\mathcal {R}}^{(i)}_w)\) for all \(w \in {\mathcal {W}}_i\), for all inputs controlled by honest parties, along with the hash of each label and the t-out-of-n secret shares of each party’s input wire labels for each wire controlled by each honest player.

Claim

Assuming the public/private and symmetric encryption schemes are IND-CCA secure, \(Hyb_5\) is computationally indistinguishable from \(Hyb_4\).

Proof

This follows from the IND-CCA security of the schemes. If not, we can leverage \({\mathcal {A}}\) to break the IND-CCA security of the encryption schemes. \(\square \)

\(Hyb_6\): Identical to \(Hyb_5\) except that SIM has the users in P decrypt either \({\mathcal {C}}_{w,0}\) or \({\mathcal {C}}_{w,1}\) at random (for \(w \in [{\mathcal {W}}_i]\)) using their private key \({\mathcal {K}}_{\mathbf{s }_i}\) stored on their TPM, by calling \(\mathsf {dec\_pub}\), to get the intermediate ciphertexts \({\mathcal {T}}_{w,0} = (\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,0}), {\mathcal {R}}^{(i)}_w)\) or \({\mathcal {T}}_{w,1} = (\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,1}), {\mathcal {R}}^{(i)}_w)\).

Claim

Assuming the public/private encryption scheme is IND-CCA secure, \(Hyb_6\) is computationally indistinguishable from \(Hyb_5\).

Proof

This follows from the IND-CCA security of the scheme. If not, we can use \({\mathcal {A}}\) to break the IND-CCA security. \(\square \)

\(Hyb_7\): Identical to \(Hyb_6\) except that SIM extracts each \({\mathcal {R}}^{(i)}_w\) for each user in P, which are then recombined to recover the symmetric key \({\mathcal {R}}^{(i)}\). Then SIM uses each \({\mathcal {R}}^{(i)}\) to decrypt \(\mathcal {SK}_{{\mathcal {R}}^{(i)}}(x_{w,0})\), by calling \(\mathsf {dec\_sec}\), based on the choice of \({\mathcal {P}}_i\), to recover \(x_{w,0}\).

Claim

Assuming the public/private encryption scheme is IND-CCA secure, \(Hyb_7\) is computationally indistinguishable from \(Hyb_6\).

Proof

This follows from the IND-CCA security of the scheme. If not, we can leverage \({\mathcal {A}}\) to break the IND-CCA security. \(\square \)

\(Hyb_8\): Identical to \(Hyb_7\), except that if \({\mathcal {A}}\) deviates from the protocol (i.e., does not decrypt one input choice for each input to the function that they control), but is still able to correctly determine the missing \({\mathcal {R}}^{(i)}_w\) needed to reconstruct the symmetric key, SIM outputs \(\perp _{share}\) and exits.

Claim

Assuming the secret sharing scheme is information-theoretically secure, \(Hyb_8\) is computationally indistinguishable from \(Hyb_7\).

Proof

\(\perp _{share}\) is output with negligible probability. This follows from the information-theoretic security of the secret sharing scheme. If \({\mathcal {A}}\) is able to determine the correct share to recover \({\mathcal {R}}^{(i)}_w\), we can leverage \({\mathcal {A}}\) to break the information-theoretic security of the secret sharing scheme. \(\square \)

\(Hyb_9\): Identical to \(Hyb_8\), except that if \({\mathcal {A}}\) aborts during steps 1–3 of the online phase, we send abort to the ideal functionality. We also add the following check: if \({\mathcal {A}}\) is able to provide correct inputs to the circuit for all users participating, whose hash matches the hash of all users’ valid inputs, SIM outputs \(\perp _{10}\) and exits.

Claim

Assuming the hash is cryptographically secure (i.e., collision resistant and pre-image resistant), \(Hyb_9\) is computationally indistinguishable from \(Hyb_8\).

Proof

\(\perp _{10}\) is output with negligible probability. This follows from the collision resistance and pre-image resistance of the hash function. If \({\mathcal {A}}\) is able to provide correct inputs to the circuit for all users participating, whose hash matches the hash of all users’ valid inputs, we can leverage \({\mathcal {A}}\) to break the cryptographic security of the hash function. \(\square \)

\(Hyb_{10}\): Identical to \(Hyb_9\), except that we add the following check: if \({\mathcal {A}}\) does not send the inputs owned by the parties they control to SIM, but is able to provide correct inputs to the circuit for all users participating, whose hash matches the hash of all users’ valid inputs, SIM outputs \(\perp _{11}\) and exits.

Claim

Assuming the hash is cryptographically secure (i.e., collision resistant and pre-image resistant), \(Hyb_{10}\) is computationally indistinguishable from \(Hyb_9\).

Proof

\(\perp _{11}\) is output with negligible probability. This follows from the collision resistance and pre-image resistance of the hash function. If \({\mathcal {A}}\) does not send the inputs owned by the parties they control to SIM, but is able to provide correct inputs to the circuit for all participating users, whose hash corresponds to the hash of all users' valid input, we can leverage \({\mathcal {A}}\) to break the cryptographic security of the hash function. \(\square \)

\(Hyb_{11}\): Identical to \(Hyb_{10}\), except we add the following checks:

  1. If \({\mathcal {A}}\) responds with the set of \(x_{w,i}\) that correspond to the inputs controlled by users in A, whose hashes verify successfully, SIM outputs the plaintext circuit output.

  2. If \({\mathcal {A}}\) responds with a set of messages that do not correspond to the inputs controlled by the users in A (i.e., \(x_{w,i}\)), but can be used to construct the correct hash of the inputs controlled by A, SIM outputs \(\perp _{12}\) and exits.

  3. If \({\mathcal {A}}\) responds with a set of messages that do not correspond to the inputs controlled by the users in A (i.e., \(x_{w,i}\)), and cannot be used to construct the correct hash of the inputs controlled by A, SIM broadcasts, on behalf of each user in P, that user's t out of n secret shares of the malicious parties' labels that were not successfully verified to all other honest parties. SIM combines the shares to recover all of the \(x_{w,0}\) or \(x_{w,1}\) that correspond to the inputs controlled by \({\mathcal {A}}\), inputs these labels into the garbled circuit GC to reveal the output, and returns the plaintext circuit output.

Claim

Assuming the hash is cryptographically secure (i.e., collision resistant and pre-image resistant), \(Hyb_{11}\) is computationally indistinguishable from \(Hyb_{10}\).

Proof

If \({\mathcal {A}}\) can create a set of messages that do not correspond to the inputs controlled by the users in A, but can be used to construct the correct hash of the inputs controlled by A, then we can leverage \({\mathcal {A}}\) to break the cryptographic security of the hash function. Thus, \(\perp _{12}\) is output with negligible probability. \(\square \)

Note that \(Hyb_{11}\) is the same as our simulator. Also, recall that it is known which wires are owned by which parties, since this is agreed upon beforehand; because all data sent can be traced back to the sending party who owns the wire, any cheating party can be identified. Note that by the security of the hash function, no information can be gained from the hashes of the labels sent by the garbler, as any hashed value should be equivalent to a sample from a uniformly random distribution. Recall that \({\mathcal {K}}_{\mathbf{p }_i}\) is only usable \({\mathcal {W}}_i\) times due to the monotonic counter. If the value of \({\mathcal {W}}_i\) is correctly calculated beforehand, each party will only be able to decrypt one intermediate ciphertext for each input wire. If the adversary chooses to behave maliciously during step 4 of the Online phase, the probability that this behavior will go undetected during the Verify and Evaluate phase is negligible by the security of the hash function (i.e., the adversary would have to find a collision for the cryptographically secure hash function). The adversary will be able to receive their prescribed output, but all of the honest parties will be able to send and combine their t out of n secret shares that correspond to the malicious parties' labels to recover all the labels for the malicious parties' controlled wires, thus supporting fair/robust NI-MPC. They can then input the labels into the garbled circuit GC to reveal the output. This demonstrates that for the class of all functions F, our protocol is secure against adversaries \({\mathcal {A}}\) since:

$$\begin{aligned} {\text {IDEAL}}_{{{\mathcal {S}}}, F}\left( 1^{\lambda }, X, z\right) \approx _{c} {\text {REAL}}_{{\mathcal {A}}, \pi }\left( 1^{\lambda }, X, z\right) \end{aligned}$$

Therefore, the adversary cannot distinguish between real and simulated executions and our protocol securely computes Boolean circuits as defined in Definition 2. Furthermore, all players, regardless of whether they behave honestly or maliciously, will receive fair/robust output as discussed in Definitions 5 and/or 6.
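The Verify and Evaluate fallback described in the checks of \(Hyb_{11}\) and in the closing remarks above, as an added illustration that is not code from the paper or its implementation: the garbler's published label hashes are checked against what the adversary reveals, and any label that is withheld or fails to verify is recovered by the honest parties combining their t out of n shares. The paper does not fix a secret sharing scheme, so Shamir sharing over a prime field, SHA-256 as the label hash, 16-byte labels, and the function names are all assumptions of this example.

```python
import hashlib
import secrets

# Shamir t-out-of-n sharing over a prime field (assumed instantiation; the
# paper does not fix a scheme). 2^521 - 1 holds a 16-byte label as an integer.
PRIME = 2**521 - 1
LABEL_BYTES = 16

def share_label(label: bytes, t: int, n: int):
    """Split a wire label into n Shamir shares; any t of them reconstruct it."""
    coeffs = [int.from_bytes(label, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, PRIME) for k, c in enumerate(coeffs)) % PRIME)
            for x in range(1, n + 1)]

def reconstruct_label(shares) -> bytes:
    """Lagrange-interpolate at x = 0 from t (or more) distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret.to_bytes(LABEL_BYTES, "big")

def label_hash(label: bytes) -> bytes:
    """Commitment to a label, published by the garbler in the offline phase."""
    return hashlib.sha256(label).digest()

def recover_malicious_labels(revealed, committed, honest_shares, t):
    """Verify-and-Evaluate checks of Hyb_11 for the adversary's input wires.
    revealed[w]: label A sent for wire w (None if withheld); committed[w]: its
    published hash; honest_shares[w]: honest parties' shares of the true label.
    Returns the labels to feed into the garbled circuit."""
    labels = []
    for w, label in enumerate(revealed):
        if label is not None and label_hash(label) == committed[w]:
            labels.append(label)  # check 1: hash verifies, label accepted
            continue
        # check 3: wrong or missing label, so honest parties pool any t shares
        recovered = reconstruct_label(honest_shares[w][:t])
        if label_hash(recovered) != committed[w]:
            raise ValueError(f"wire {w}: reconstructed label does not verify")
        labels.append(recovered)
    return labels
```

Check 2 of \(Hyb_{11}\) (a bogus label whose hash still matches) is exactly the collision event the proof bounds as negligible, so it has no branch here beyond the hash comparison itself.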

Cite this article

Karl, R., Burchfield, H., Takeshita, J. et al. Developing non-interactive MPC with trusted hardware for enhanced security. Int. J. Inf. Secur. 21, 777–797 (2022). https://doi.org/10.1007/s10207-022-00583-w
