Practical Single-Input Functionality Against a Dishonest Majority
Learn about the practical and round-optimal approach of Single-Input Functionality (SIF) against a dishonest majority in multi-party computation (MPC). Explore the background, applications, and implications of SIF, MVZK, and VRS primitives as discussed in recent research.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Single-Input Functionality against a Dishonest Majority: Practical and Round-Optimal Zhelei Zhou, Zhejiang University Bingsheng Zhang, Zhejiang University Hong-Sheng Zhou, Virginia Commonwealth University Kui Ren, Zhejiang University
Multi-Party Computation (MPC) Multi-Party Computation (MPC) [Yao82,GMW87,BGW88] allows a group of people who are distrustful of each other to jointly compute a given function. ...... ?2 ?? ?2 ... ?1 ?1 ?? ?(?1, ,??) Basic Properties Completeness: Each party will get ? = ?(?1, ,??) Privacy: ??cannot learn any ?? [Yao82] Andrew C Yao. Protocols for secure computations. FOCS 1982. [GMW87] Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game. STOC 1987. [BGW88] Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. STOC 1988.
Single Input Functionality (SIF) Single Input Functionality (SIF) [GIKR02] is a special case of MPC, where only one party has private input. Multi-Verifier Zero- Knowledge (MVZK) ?1 ? ? ? To be explained later ? ?(?) ...... ? ? Verifiable Relation Sharing (VRS) ?? Basic Properties Completeness: Each ??will get ? = ?(?) Privacy: ??cannot learn anything beyond ?(?) [GIKR02] Rosario Gennaro, Yuval Ishai, Eyal Kushilevitz, and Tal Rabin. On 2-round secure multiparty computation. CRYPTO 2002.
Outline Part I: Background Applications of SIF Motivation Part II: Construction The first 1-round practical SIF in the preprocessing model against a dishonest majority Experiment results Part III: Discussion and Conclusion The necessity of broadcast channels Conclusion
Part I Part I: Background
SIF Implies MVZK and VRS As pointed out by [AKP22], SIF implies two primitives: MVZK and VRS MVZK VRS ? ? ?1 ?1 ? ?1 ? ? ? If (?,?1,?2, ,??) = 1 ? ?2 ? ? ? (?,?) ?1,?2, ,?? ...... ? ...... ? ? ?? ? ? ?? ?? VRS allows a dealer (1) to share ? to verifiers; (2) convince ??that its share ??satisfies an NP relation MVZK allows a prover to prove the statement to multiple verifiers at once. [AKP22] Benny Applebaum, Eliran Kachlon, and Arpita Patra. Verifiable relation sharing and multi-verifier zero- knowledge in two rounds: Trading NIZKs with honest majority. CRYPTO 2022.
Applications SIF/VRS/MVZK can be used in the following: Distributed Key Generation Private aggregation system Verifiable Secret Sharing ??1 ?1 ...... ...... ??? ??2 ...... ?? ? ...... Servers Clients ?? A set of parties can jointly generate a public key, while each party only obtains the share of the secret key. A set of servers collect and aggregate the clients data. Each client proves to servers that his data is valid. Honest verifiers can disqualify the malicious dealer. VSS is widely used in generic MPC.
Research Question Protocol Primitive #Round for Online 1 Corruption Threshold Setup Practical Efficiency? N Assumption Prep. [LMs05] MVZK ? < ? Round-optimal [AKP22] SIF 1 Prep. N ? < (1 ?)?/2 [YW22] MVZK 2 RO Y ? < ?/2 [BJOSS22] MVZK 2 Prep.+RO Y ? < ?/3 Practical [EPSW24] MVZK 3 Prep. Y ? < 1 ? ? [ZZZR24] SIF 2 Prep. Y ? < ? Is it possible to construct a practical SIF protocol with 1-round online communication? [LMs05] Matt Lepinski, Silvio Micali, and abhi shelat. Fair-zero knowledge. TCC 2005. [YW22] Kang Yang and Xiao Wang. Non-interactive zero-knowledge proofs to multiple verifiers. ASIACRYPT 2022. [BJOSS22] Carsten Baum, Robin Jadoul, Emmanuela Orsini, Peter Scholl, and Nigel P. Smart. Feta: Efficient threshold designated-verifier zero-knowledge proofs. CCS 2022. [EPSW24] Daniel Escudero, Antigoni Polychroniadou, Yifan Song, and Chenkai Weng. Dishonest majority multi-verifier zero-knowledge proofs for any constant fraction of corrupted verifiers. CCS 2024, [ZZZR24] Zhelei Zhou, Bingsheng Zhang, Hong-Sheng Zhou, and Kui Ren. Practical constructions for single input functionality against a dishonest majority. IEEE EURO S&P, 2024.
Our Main Contribution Protocol Primitive #Round for Online 1 Corruption Threshold Setup Practical Efficiency? N Assumption Prep. [LMs05] MVZK ? < ? [AKP22] SIF 1 Prep. N ? < (1 ?)?/2 [YW22] MVZK 2 RO Y ? < ?/2 [BJOSS22] MVZK 2 Prep.+RO Y ? < ?/3 [EPSW24] MVZK 3 Prep. Y ? < 1 ? ? [ZZZR24] SIF 2 Prep. Y ? < ? This Work SIF 1 Prep.+RO Y ? < ? We propose a SIF protocol that is practical, round-optimal and can support optimal corruption threshold.
Part II Part II: Construction
Intuition Previous works follow the similar online communication pattern: (1) Dealer delivers the result ? and the proofs ?1,?2; (2) Verifiers communicate with each other to check if ?1,?2are correct. ?,?1 Our key observation: ?1 The consistency checks among Consistency check the verifiers could be pushed into ? ?,?2 the preprocessing phase. ?2
Construction Overview In the preprocessing phase: Extending Vector Oblivious Linear Evaluations (VOLE) [BDOZ11] into the multi- verifier setting. Consistency check Multi-Verifier VOLE VOLE Multi-verifier setting 2PC setting In the online phase: Extending the non-interactive multiplication protocols [DIO21][YSWW21] based on VOLE into the those based on Multiple Verifier-VOLE (MV-VOLE). [BDOZ11] Rikke Bendlin, Ivan Damgard, Claudio Orlandi, and Sarah Zakarias. Semi-homomorphic encryption and multiparty computation. EUROCRYPT 2011. [DIO21] Samuel Dittmer, Yuval Ishai, and Rafail Ostrovsky. Line-point zero knowledge and its applications. ITC 2021. [YSWW21] Kang Yang, Pratik Sarkar, Chenkai Weng, and Xiao Wang. QuickSilver: Efficient and affordable zero-knowledge proofs for circuits and polynomials over any field. ACM CCS 2021.
Introduction to VOLE VOLE (a.k.a, IT-MAC) is a widely-used two-party primitive. Global MAC key ???, which is reused for multiple times Local MAC key ?? ??? Message ? ?? MAC tag ?? ??? ? + ??= ?? Denote as [?] ?1 ?2 Basic Properties Hiding: ?2cannot learn ? Binding: ?1cannot open [?] to another ? Linear homomorphism: ?1+ ?2:= ?1+ [?2] and ?? + ? ? ? + ? for public ?,?
Multi-Verifier VOLE ?,?1,?2, ,?? For each ?: ? ?+ ??= ?? => ? is authenticated to all verifiers at once! ? Comparison with [RS22]: Similar primitive, ?,?? 2,?2 1,?1 ...... but different protocol construction. ?2 ?? ?1 Construction overview: Step 1: Dealer run VOLE protocol with VOLE different verifier using the same input ?1 Avoiding commit- Consistency checks ... and-open in [RS22] Step 2: Dealer and verifiers perform the consistency checks to convince the verifiers ? VOLE that dealer has used the same input ?? [RS22] Rahul Rachuri and Peter Scholl. Le mans: Dynamic and fluid MPC for dishonest majority. CRYPTO 2022
MV-VOLE Construction Parameter: ?1,?2 1 1 ?(?) ? VOLE ?(?) ? ?1 ... ?1 Pick ? ??? Set ? ?||? ? ? ?(?) ? ? VOLE ?(?) ?? 1 For each ? [?2]: The parties jointly generate a random ? Set ?(1) ?(?),? broadcast ?,?(1) ?1 ... Set ? ? ,? ?(?) ?(?),? ?,?(?) ? ? Generalization of [WRK17] Set ?(?) ?(?),? ?? [WRK17] Xiao Wang, Samuel Ranellucci, and Jonathan Katz. Global-scale secure multiparty computation. ACM CCS 2017.
Multiplication based on MV-VOLE Notation: MV-VOLE correlations are denoted in form of ? Given a multiplication gate with inputs ? , ? and output ? , for each ? {?,?,?},? (?)and the ?-th verifier ??holds (?),?? (?). [?], we assume the dealer ? holds ??,?? (?) ?? ? ?? ? ? ?(?)= ?? ?+ ?? ? ? ?+ ?? ? ? ?+ ?? ? ? ? = ?? ?? ?? 2 (?) ?? ? ?? ? ??+ ?? ? ?? ?? ? ?+ (?? ?? ??) ? = ?? (?) This result should be 0 if dealer is honest (?) Denoted by ?0 Denoted by ?1 (?)and ?1 (?)to ??. ??checks if ??= ?0 (?)+ ?1 (?) ?holds ? sends ?0 All multiplication gates can be handled together! Generalization of [DIO21][YSWW21]
Experiment Result Compared to [ZZZR24]: Compared to [EPSW24]: The number of verifiers ? is set to be 8 Protocol #Round for Online 3 Corruption Threshold Communication Complexity Running Time (us/gate) 1.1 Setup Assumption Prep. [EPSW24] ? < 1 ? ? ?(?) This Work 1 2.7 Prep.+RO ? < ? ?(? ?)
Part III Part III: Discussion and Conclusion
Necessity of broadcast channels Current 1-round protocols ([LMs05], [AKP22] and this work) all require broadcast channels. Assuming the preprocessing model, is it possible to construct a 1-round SIF protocol without broadcast channels? Intuition: SIF implies MVZK, and MVZK has a consensus property. ?1such that ? ?1 = 1 ?2such that ? ?2 = 0 ?1 Output 1 Break the consensus ?1 ?2 property of MVZK ? Output 0 ?2
Conclusion Recap: The first 1-round SIF protocol with practical efficiency The necessity of broadcast channels for building 1-round SIF Future directions: Constructing a 1-round SIF that has ?(?) communication complexity Exploring more real-life application scenarios of SIF Revealing connections between SIF and other useful cryptographic primitives
Thank you! Contact me: Zhelei Zhou, zl_zhou@zju.edu.cn Eprint version paper: https://eprint.iacr.org/2024/305
