Threshold-Optimal MPC With Friends and Foes
Alon et al. (Crypto 2020) initiated the study of MPC with Friends and Foes (FaF) security, which captures the desirable property that even up to honest parties should learn nothing additional about other honest parties’ inputs, even if the corrupt parties send them extra information. Alon et al. describe two flavors of FaF security: weak FaF, where the simulated view of up to honest parties should be indistinguishable from their real view, and strong FaF, where the simulated view of the honest parties should be indistinguishable from their real view even in conjunction with the simulated / real view of the corrupt parties. They give several initial FaF constructions with guaranteed output delivery (GOD); however, they leave some open problems. Their only construction which supports the optimal corruption bounds of (where denotes the number of parties) only offers weak FaF security and takes much more than the optimal three rounds of communication.
In this paper, we describe two new constructions with GOD, both of which support . Our first construction, based on threshold FHE, is the first three-round construction that matches this optimal corruption bound (though it only offers weak FaF security). Our second construction, based on a variant of BGW, is the first such construction that offers strong FaF security (though it requires more than three rounds, as well as correlated randomness).
Our final contribution is further exploration of the relationship between FaF security and similar security notions. In particular, we show that FaF security does not imply mixed adversary security (where the adversary can make active and passive corruptions), and that Best of Both Worlds security (where the adversary can make active or passive corruptions, but not both) is orthogonal to both FaF and mixed adversary security.
BLAZE: Blazing Fast Privacy-Preserving Machine Learning
Machine learning tools have illustrated their potential in many significant sectors such as healthcare and finance, to aid in deriving useful inferences. The sensitive and confidential nature of the data in such sectors raises natural concerns for the privacy of data. This motivated the area of Privacy-preserving Machine Learning (PPML), where privacy of the data is guaranteed. Typically, ML techniques require large computing power, which leads clients with limited infrastructure to rely on the method of Secure Outsourced Computation (SOC). In the SOC setting, the computation is outsourced to a set of specialized and powerful cloud servers and the service is availed on a pay-per-use basis. In this work, we explore PPML techniques in the SOC setting for widely used ML algorithms: Linear Regression, Logistic Regression, and Neural Networks.
We propose BLAZE, a blazing fast PPML framework in the three server setting tolerating one malicious corruption over the ring $\mathbb{Z}_{2^\ell}$. BLAZE achieves the stronger security guarantee of fairness (all honest servers get the output whenever the corrupt server obtains the same). Leveraging an input-independent preprocessing phase, BLAZE has a fast input-dependent online phase relying on efficient PPML primitives such as: (i) a dot product protocol for which the communication in the online phase is independent of the vector size, the first of its kind in the three server setting; (ii) a method for truncation that shuns evaluating an expensive circuit for Ripple Carry Adders (RCA) and achieves constant round complexity. This improves over the truncation method of ABY3 (Mohassel et al., CCS 2018), which uses RCA and consumes a round complexity of the order of the depth of the RCA.
An extensive benchmarking of BLAZE for the aforementioned ML algorithms over a 64-bit ring in both WAN and LAN settings shows massive improvements over ABY3.
Comment: The Network and Distributed System Security Symposium (NDSS) 202
High-Throughput Secure Multiparty Computation with an Honest Majority in Various Network Settings
In this work, we present novel protocols over rings for semi-honest secure three-party computation (3-PC) and malicious four-party computation (4-PC) with one corruption. Compared to state-of-the-art protocols in the same setting, our protocols require fewer low-latency and high-bandwidth links between the parties to achieve high throughput. Our protocols also reduce the computational complexity by requiring up to 50 percent fewer basic instructions per gate. Further, our protocols achieve the currently best-known communication complexity (3, resp. 5 elements per multiplication gate) with an optional preprocessing phase to reduce the communication complexity of the online phase to 2 (resp. 3) elements per multiplication gate.
In homogeneous network settings, i.e. all links between the parties share similar network bandwidth and latency, our protocols achieve up to two times higher throughput than state-of-the-art protocols.
In heterogeneous network settings, i.e. the links between the parties differ in network bandwidth and latency, our protocols achieve even larger performance improvements.
We implemented our protocols and multiple other state-of-the-art protocols (Replicated 3-PC, Astra, Fantastic Four, Tetrad) in a novel open-source C++ framework optimized for achieving high throughput.
Five out of six implemented 3-PC and 4-PC protocols achieve more than one billion 32-bit multiplication or more than 32 billion AND gates per second using our implementation in a 25 Gbit/s LAN environment.
This is the highest throughput achieved in 3-PC and 4-PC so far, and between two and three orders of magnitude higher than the throughput MP-SPDZ achieves in the same settings.
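The following is an added illustration, not code from this paper's C++ framework or from BLAZE: a minimal semi-honest replicated 3-PC over $\mathbb{Z}_{2^k}$ (the "Replicated 3-PC" baseline the abstract above compares against), showing where the "3 elements per multiplication gate" figure comes from, that with k = 1 the same multiplication is an AND gate, and why a plain dot product over shares costs 3n elements for a length-n vector (the linear online cost that BLAZE's vector-size-independent dot product in the earlier abstract is designed to avoid). The class and function names, the SHA-256-based PRF used to derive shares of zero from pairwise keys, and the sample inputs are all my own choices.

```python
"""Semi-honest replicated secret sharing (RSS) over Z_{2^k}, three parties,
one passive corruption. Illustrative code; not taken from any of the papers."""
import hashlib
import secrets


class ReplicatedSharing:
    """A value x is split into x_0 + x_1 + x_2 = x (mod 2^k); party i holds the
    pair (x_i, x_{i+1}). Any single party's pair is uniformly random, so on its
    own it learns nothing about x. With k = 1 the ring is bits and mul() is AND."""

    def __init__(self, k):
        self.mod = 1 << k
        # Pairwise PRF keys (assumed one-time setup): key[i] is shared by parties
        # i and i+1. They let parties derive fresh shares of zero with no traffic.
        self.keys = [secrets.token_bytes(16) for _ in range(3)]
        self.ctr = 0
        self.sent = 0  # ring elements that crossed the network (cost accounting)

    def _prf(self, key, ctr):
        digest = hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        return int.from_bytes(digest, "big") % self.mod

    def zero_shares(self):
        """alpha_i = F(key_i, ctr) - F(key_{i-1}, ctr). Party i knows both keys,
        and the alpha_i sum to 0 (mod 2^k), so they mask without changing the sum."""
        self.ctr += 1
        f = [self._prf(self.keys[i], self.ctr) for i in range(3)]
        return [(f[i] - f[(i - 1) % 3]) % self.mod for i in range(3)]

    def share(self, x):
        x0, x1 = secrets.randbelow(self.mod), secrets.randbelow(self.mod)
        s = [x0, x1, (x - x0 - x1) % self.mod]
        return [(s[i], s[(i + 1) % 3]) for i in range(3)]  # party i gets (x_i, x_{i+1})

    def reconstruct(self, shares):
        # Any two parties together already hold all three additive shares.
        return sum(shares[i][0] for i in range(3)) % self.mod

    def add(self, a, b):
        # Linear operations are local: no communication at all.
        return [((a[i][0] + b[i][0]) % self.mod, (a[i][1] + b[i][1]) % self.mod)
                for i in range(3)]

    def mul(self, a, b):
        """One multiplication gate: each party computes its cross terms locally,
        masks them with its share of zero, and sends exactly one ring element."""
        alpha = self.zero_shares()
        c = []
        for i in range(3):
            a_i, a_i1 = a[i]
            b_i, b_i1 = b[i]
            # Over i = 0, 1, 2 these three terms cover all nine products a_j * b_l,
            # so c_0 + c_1 + c_2 = a * b (mod 2^k).
            c.append((a_i * b_i + a_i * b_i1 + a_i1 * b_i + alpha[i]) % self.mod)
        # Party i sends c_i to party i-1, which then holds (c_{i-1}, c_i):
        # one element per party, three per gate.
        self.sent += 3
        return [(c[i], c[(i + 1) % 3]) for i in range(3)]


def secure_dot_product(k, xs, ys):
    """Evaluate sum_j x_j * y_j (mod 2^k) on shares; return (result, elements sent).
    With plain RSS the online cost grows linearly with the vector length."""
    rss = ReplicatedSharing(k)
    acc = rss.share(0)
    for x, y in zip(xs, ys):  # constructed sample inputs are passed in by the caller
        acc = rss.add(acc, rss.mul(rss.share(x), rss.share(y)))
    return rss.reconstruct(acc), rss.sent


if __name__ == "__main__":
    print(secure_dot_product(32, [3, 5], [7, 11]))      # (76, 6): two gates, 3 elements each
    print(secure_dot_product(1, [1, 1, 0], [1, 0, 1]))  # (1, 9): three AND gates, XOR-summed
```

The `sent` counter is what a throughput comparison cares about: every multiplication costs three ring elements regardless of k, so a 32-bit multiplication and an AND gate have identical message counts, and an n-term dot product costs 3n elements unless the protocol is restructured so that the parties reshare only the final sum.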
ASTRA: High Throughput 3PC over Rings with Application to Secure Prediction
The concrete efficiency of secure computation has been the focus of many recent works. In this work, we present concretely-efficient protocols for secure 3-party computation (3PC) over a ring of integers modulo tolerating one corruption, both with semi-honest and malicious security. Owing to the fact that computation over a ring emulates computation on real-world system architectures, secure computation over rings has gained momentum of late. Cast in the offline-online paradigm, our constructions present the most efficient online phase in concrete terms. In the semi-honest setting, our protocol requires communication of ring elements per multiplication gate during the online phase, attaining a per-party cost of less than one element. This is achieved for the first time in the regime of 3PC. In the malicious setting, our protocol requires communication of elements per multiplication gate during the online phase, beating the state-of-the-art protocol by elements. Realized with both the security notions of selective abort and fairness, the malicious protocol with fairness involves slightly more communication than its counterpart with abort security, for the output gates alone.
We apply our techniques from 3PC in the regime of secure server-aided machine-learning (ML) inference for a range of prediction functions: linear regression, linear SVM regression, logistic regression, and linear SVM classification. Our setting considers a model-owner with trained model parameters and a client with a query, with the latter willing to learn the prediction of her query based on the model parameters of the former. The inputs and computation are outsourced to a set of three non-colluding servers. Our constructions, catering to both the semi-honest and the malicious world, invariably perform better than the existing constructions.
Comment: This article is the full and extended version of an article that appeared in ACM CCSW 201
Broadcast-Optimal Two Round MPC with an Honest Majority
This paper closes the question of the possibility of two-round MPC protocols achieving different security guarantees with and without the availability of broadcast in any given round. Cohen et al. (Eurocrypt 2020) study this question in the dishonest majority setting; we complete the picture by studying the honest majority setting.
In the honest majority setting, given broadcast in both rounds, it is known that the strongest guarantee — guaranteed output delivery — is achievable (Gordon et al. Crypto 2015). We show that, given broadcast in the first round only, guaranteed output delivery is still achievable. Given broadcast in the second round only, we give a new construction that achieves identifiable abort, and we show that fairness — and thus guaranteed output delivery — is not achievable in this setting. Finally, if only peer-to-peer channels are available, we show that the weakest guarantee — selective abort — is the only one achievable for corruption thresholds and for and . On the other hand, it is already known that selective abort can be achieved in these cases. In the remaining cases, i.e., and , it is known (from the work of Ishai et al. at Crypto 2010, and Ishai et al. at Crypto 2015) that guaranteed output delivery (and thus all weaker guarantees) is possible.
Trident: Efficient 4PC Framework for Privacy Preserving Machine Learning
Machine learning has started to be deployed in fields such as healthcare and finance, which propelled the need for and growth of privacy-preserving machine learning (PPML). We propose an actively secure four-party protocol (4PC), and a framework for PPML, showcasing its applications on four of the most widely-known machine learning algorithms: Linear Regression, Logistic Regression, Neural Networks, and Convolutional Neural Networks. Our 4PC protocol, tolerating at most one malicious corruption, is practically efficient as compared to the existing works. We use the protocol to build an efficient mixed-world framework (Trident) to switch between the Arithmetic, Boolean, and Garbled worlds. Our framework operates in the offline-online paradigm over rings and is instantiated in an outsourced setting for machine learning. Also, we propose conversions especially relevant to privacy-preserving machine learning. The highlights of our framework include using a minimal number of expensive circuits overall as compared to ABY3. This can be seen in our technique for truncation, which does not affect the online cost of multiplication and removes the need for any circuits in the offline phase. Our B2A conversion has an improvement of in rounds and in the communication complexity. The practicality of our framework is argued through improvements in the benchmarking of the aforementioned algorithms when compared with ABY3. All the protocols are implemented over a 64-bit ring in both LAN and WAN settings. Our improvements go up to for the training phase and for the prediction phase when observed over LAN and WAN.
Comment: This work appeared at the 26th Annual Network and Distributed System Security Symposium (NDSS) 2020. Update: An improved version of this framework is available at arXiv:2106.0285
Minimizing Setup in Broadcast-Optimal Two Round MPC
In this paper we consider two-round secure computation protocols which use different communication channels in different rounds: namely, protocols where broadcast is available in neither round, both rounds, only the first round, or only the second round. The prior works of Cohen, Garay and Zikas (Eurocrypt 2020) and Damgård, Magri, Ravi, Siniscalchi and Yakoubov (Crypto 2021) give tight characterizations of which security guarantees are achievable for various thresholds in each communication structure.
In this work, we introduce a new security notion, namely, selective identifiable abort, which guarantees that every honest party either obtains the output, or aborts identifying one corrupt party (where honest parties may potentially identify different corrupted parties). We investigate what broadcast patterns in two-round MPC allow achieving this guarantee across various settings (such as with or without PKI, with or without an honest majority).
Further, we determine what is possible in the honest majority setting without a PKI, closing a question left open by Damgård et al. We show that without a PKI, having an honest majority does not make it possible to achieve stronger security guarantees compared to the dishonest majority setting. However, if two-thirds of the parties are guaranteed to be honest, identifiable abort is additionally achievable using broadcast only in the second round.
We use fundamentally different techniques from the previous works to avoid relying on private communication in the first round when a PKI is not available, since assuming such private channels without the availability of public encryption keys is unrealistic. We also show that, somewhat surprisingly, the availability of private channels in the first round does not enable stronger security guarantees unless the corruption threshold is one.
Beyond Honest Majority: The Round Complexity of Fair and Robust Multi-party Computation
Two of the most sought-after properties of Multi-party Computation (MPC) protocols are fairness and guaranteed output delivery (GOD), the latter also referred to as robustness. Achieving both, however, brings in the necessary requirement of malicious-minority. In a generalised adversarial setting where the adversary is allowed to corrupt both actively and passively, the necessary bound for a -party fair or robust protocol turns out to be , where denote the threshold for active and passive corruption with the latter subsuming the former. Subsuming the malicious-minority as a boundary special case, this setting, denoted as dynamic corruption, opens up a range of possible corruption scenarios for the adversary. While dynamic corruption includes the entire range of thresholds for starting from to , the boundary corruption restricts the adversary only to the boundary cases of and . Notably, both corruption settings empower an adversary to control majority of the parties, yet ensuring the count on active corruption never goes beyond .
We target the round complexity of fair and robust MPC tolerating dynamic and boundary adversaries. As it turns out, rounds are necessary and sufficient for fair as well as robust MPC tolerating dynamic corruption. The non-constant barrier raised by dynamic corruption can be sailed through for a boundary adversary. The round complexity of and is necessary and sufficient for fair and GOD protocols respectively, with the latter having an exception of allowing round protocols in the presence of a single active corruption. While all our lower bounds assume pair-wise private and broadcast channels and are resilient to the presence of both public (CRS) and private (PKI) setup, our upper bounds are broadcast-only and assume only public setup. The traditional and popular setting of malicious-minority, being restricted compared to both the dynamic and the boundary setting, requires and rounds in the presence of public and private setup respectively, for both fair as well as GOD protocols.
Broadcast-Optimal Two Round MPC with Asynchronous Peer-to-Peer Channels
In this paper we continue the study of two-round broadcast-optimal MPC, where broadcast is used in one of the two rounds, but not in both. We consider the realistic scenario where the round that does not use broadcast is asynchronous. Since a first asynchronous round (even when followed by a round of broadcast) does not admit any secure computation, we introduce a new notion of asynchrony which we call -asynchrony. In this new notion of asynchrony, an adversary can delay or drop up to of a given party's incoming messages; we refer to as the deafness threshold. Similarly, the adversary can delay or drop up to of a given party's outgoing messages; we refer to as the muteness threshold.
We determine which notions of secure two-round computation are achievable when the first round is -asynchronous, and the second round is over broadcast. Similarly, we determine which notions of secure two-round computation are achievable when the first round is over broadcast, and the second round is (fully) asynchronous. We consider the cases where a PKI is available, where only a CRS is available but private communication in the first round is possible, and the case where only a CRS is available and no private communication is possible before the parties have had a chance to exchange public keys.