More Efficient Dishonest Majority Secure Computation over \(\mathbb {Z}_{2^k}\) via Galois Rings

  • Conference paper
  • Advances in Cryptology – CRYPTO 2022 (CRYPTO 2022)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13507)

Abstract

In this work we present a novel actively secure multiparty computation protocol in the dishonest majority setting, where the computation domain is a ring of the type \(\mathbb {Z}_{2^k}\). Instead of considering an “extension ring” of the form \(\mathbb {Z}_{2^{k+\kappa }}\) as in SPD\(\mathbb {Z}_{2^k}\) (Cramer et al., CRYPTO 2018) and its derivatives, we make use of an actual ring extension, or more precisely, a Galois ring extension \(\mathbb {Z}_{p^k}[\texttt{X}]/(h(\texttt{X}))\) of large enough degree, in order to ensure that the adversary cannot cheat except with negligible probability. These techniques have been used already in the context of honest majority MPC over \(\mathbb {Z}_{p^k}\), and to the best of our knowledge, our work constitutes the first study of the benefits of these tools in the dishonest majority setting.

Making use of Galois ring extensions requires great care in order to avoid paying an extra overhead due to the use of larger rings. To address this, reverse multiplication-friendly embeddings (RMFEs) have been used in the honest majority setting (e.g. Cascudo et al., CRYPTO 2018), and more recently in the dishonest majority setting for computation over \(\mathbb {Z}_2\) (Cascudo and Gundersen, TCC 2020). We make use of the recent RMFEs over \(\mathbb {Z}_{p^k}\) from (Cramer et al., CRYPTO 2021), together with adaptations of some RMFE optimizations introduced in (Abspoel et al., ASIACRYPT 2021) in the honest majority setting, to achieve an efficient protocol that only requires in its online phase \(12.4k(n-1)\) bits of amortized communication complexity and one round of communication for each multiplication gate. We also instantiate the necessary offline phase using Oblivious Linear Evaluation (OLE) by generalizing the approach based on Oblivious Transfer (OT) proposed in MASCOT (Keller et al., CCS 2016). To this end, and as an additional contribution of potential independent interest, we present a novel technique using Multiplication-Friendly Embeddings (MFEs) to achieve OLE over Galois ring extensions using black-box access to an OLE protocol over the base ring \(\mathbb {Z}_{p^k}\) without paying a quadratic cost in terms of the extension degree. This generalizes the approach in MASCOT based on Correlated OT Extension. Finally, along the way we also identify a bug in a central proof in MASCOT, and we implicitly present a fix in our generalized proof.
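The abstract's central point, that an "actual ring extension" \(\mathbb {Z}_{p^k}[\texttt{X}]/(h(\texttt{X}))\) of degree d is what drives the adversary's cheating probability down to \(p^{-d}\), whereas \(\mathbb {Z}_{2^k}\) on its own allows cheating with probability 1/2, can be checked exhaustively on a toy instance. The following is an added example written for this page, not code from the paper or its authors. It implements arithmetic in the Galois ring \(GR(p^k,d)=\mathbb {Z}_{p^k}[\texttt{X}]/(h(\texttt{X}))\) and assumes the usual SPDZ-style information-theoretic MAC (MAC = α·x for a secret uniformly random key α, as in MASCOT and SPD\(\mathbb {Z}_{2^k}\)), under which an attacker who shifts an opened value by δ passes the check exactly when it also guesses the MAC shift α·δ. The parameters p = 2, k = 3, d = 3 and the polynomial h(X) = X³ + X + 1 (irreducible over \(\mathbb {F}_2\)) are my choices for a small, exhaustively checkable instance; the paper does not fix them. The example goes slightly beyond the abstract by exhibiting the worst-case δ, which is a multiple of the largest power of 2 in the ring, i.e. exactly the zero-divisor problem the extension degree is there to fix.

```python
"""Added example (not the paper's code): Galois ring GR(p^k, d) = Z_{p^k}[X]/(h(X)) arithmetic,
plus an exhaustive measurement of the best cheating probability of an additive attacker against a
SPDZ-style MAC check (MAC = alpha*x) over Z_{2^k} versus over a degree-d Galois ring extension."""
from collections import Counter
from fractions import Fraction
from itertools import product


def _divides_mod_p(g, h, p):
    """True iff the monic polynomial g divides h in F_p[X] (coefficient lists, lowest degree first)."""
    r = [c % p for c in h]
    dg = len(g) - 1
    for deg in range(len(r) - 1, dg - 1, -1):
        c = r[deg]
        if c:
            for i in range(dg + 1):
                r[deg - dg + i] = (r[deg - dg + i] - c * g[i]) % p
    return all(c == 0 for c in r)


def irreducible_mod_p(h, p):
    """Brute-force irreducibility test of h over F_p: no monic factor of degree 1..deg(h)//2.
    Adequate for the tiny degrees used here (a practitioner would use a proper factoring routine)."""
    d = len(h) - 1
    return not any(_divides_mod_p(list(low) + [1], h, p)
                   for dg in range(1, d // 2 + 1)
                   for low in product(range(p), repeat=dg))


class GaloisRing:
    """GR(p^k, d) = Z_{p^k}[X]/(h(X)) with h monic of degree d and irreducible mod p.
    Elements are tuples of d coefficients in Z_{p^k}, lowest degree first.
    Choosing h(X) = X gives d = 1, i.e. the base ring Z_{p^k} itself."""

    def __init__(self, p, k, h):
        assert h[-1] == 1 and irreducible_mod_p(h, p), "h must be monic and irreducible mod p"
        self.p, self.k, self.q, self.h, self.d = p, k, p ** k, list(h), len(h) - 1

    def elements(self):
        return product(range(self.q), repeat=self.d)

    def mul(self, a, b):
        prod = [0] * (2 * self.d - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                prod[i + j] = (prod[i + j] + x * y) % self.q
        # Reduce modulo h, highest degree first; h is monic, so the leading coefficient cancels.
        for deg in range(2 * self.d - 2, self.d - 1, -1):
            c = prod[deg]
            if c:
                for i in range(self.d + 1):
                    prod[deg - self.d + i] = (prod[deg - self.d + i] - c * self.h[i]) % self.q
        return tuple(prod[:self.d])


def max_forgery_probability(R):
    """max over delta != 0 and any Delta of Pr_alpha[alpha*delta == Delta], alpha uniform in R.
    With MAC = alpha*x, an attacker shifting x by delta must also shift the MAC by alpha*delta,
    so this is its best chance of passing the MAC check (computed exhaustively)."""
    elems = list(R.elements())
    zero = tuple([0] * R.d)
    worst = Fraction(0)
    for delta in elems:
        if delta == zero:
            continue
        hits = Counter(R.mul(alpha, delta) for alpha in elems)
        worst = max(worst, Fraction(max(hits.values()), len(elems)))
    return worst


def theoretical_bound(R):
    """The generic bound p^{-d}: writing delta = p^j * u with u a unit, alpha*delta ranges over
    p^j * R, which has p^{d(k-j)} >= p^d elements, each hit by equally many keys alpha."""
    return Fraction(1, R.p ** R.d)


if __name__ == "__main__":
    Z8 = GaloisRing(2, 3, [0, 1])            # h(X) = X: degree 1, plain Z_8
    GR = GaloisRing(2, 3, [1, 1, 0, 1])      # h(X) = 1 + X + X^3, irreducible over F_2 (assumed choice)
    for name, R in (("Z_8", Z8), ("GR(8,3)", GR)):
        print(f"{name}: worst-case cheating probability {max_forgery_probability(R)}, "
              f"bound p^-d = {theoretical_bound(R)}")
```

Over \(\mathbb {Z}_8\) the worst shift is δ = 4: α·4 is 0 or 4 with equal probability, so the attacker passes with probability 1/2 regardless of how large k is; this is the loss that SPD\(\mathbb {Z}_{2^k}\)'s move to \(\mathbb {Z}_{2^{k+\kappa }}\) compensates for. Over GR(8,3) the worst shift is δ = 4u for a unit u and the probability drops to 1/8 = 2^{-d}, matching the generic bound, so taking d on the order of the statistical security parameter makes cheating negligible without changing the base modulus.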

Notes

  1. Even though our title includes \(\mathbb {Z}_{2^k}\), our results are presented for the more general \(\mathbb {Z}_{p^k}\).

  2. Interestingly, our techniques do not constitute a strict generalization of the ones in [21], since they are of a different nature. We leave it as future work to analyze the potential benefits of our MFE-based techniques when \(p=2\) and \(k=1\) with respect to their COT-based approach.

  3. However, we remark that we are not aware of any limitation that would prevent these works from being ported to the setting of \(\mathbb {Z}_{p^k}\) for a more general prime p, and, furthermore, some of them already mention explicitly their ability to be generalized.

  4. An optimization in [14] seems to reduce this to \(4k(n-1)\), since the online phase can be modified so that only elements of \(\mathbb {Z}_{2^k}\) are transmitted, while full elements over \(\mathbb {Z}_{2^{k+\kappa }}\) only appear in the final check phase. However, a bug in this approach leads to this cost still being present in the offline phase (personal communication).

  5. In fact, one can prove without much difficulty that \(t\ge 2m\).

  6. We consider only statistical security since, even though dishonest majority MPC is known to be generally impossible to achieve without computational assumptions, in this work we rely on an OLE functionality and do not provide any instantiation of it. This allows us to design protocols in the statistical setting.

  7. This is modeled in other works with a functionality (typically denoted by \(\mathcal {F}_{\textsf{Comm}}\)), but we decided to incorporate this as part of the communication channel for simplicity.

  8. Notice that, since \(P_j\) knows x, the parties already hold trivial additive shares of x, namely all parties set their share to 0 and \(P_j\) sets it to x. However, in the actual protocol \(P_j\) must distribute actual random shares of x, since otherwise leakage may occur, for example when adding and reconstructing shared values input by different parties.

  9. Similarly, \(P_i\)’s input must lie in the image of \(\mu \), but as we will see this deviation is not that harmful.

  10. Even though this functionality is named the same as its counterpart in [9, 21], we remark that the errors the adversary can introduce in our setting are different.

  11. In this work we distinguish between procedures (denoted by lowercase \(\pi \)) and protocols (denoted by capital \(\varPi \)). Protocols are associated with ideal functionalities and have simulation-based proofs, whereas procedures, even though they also specify steps the parties must follow, are used as helpers within actual protocols and do not have functionalities or simulation-based proofs associated with them. This can be thought of as being somewhat analogous to the difference between macros and actual functions in programming languages such as C/C++.

  12. As we discuss in the full version of this work, there is a subtlety with this “adjustment” that originates from the fact that R has zero-divisors.

  13. We point out that in [21], this subtlety that enables us to consider \(z=0\) is not mentioned explicitly.

  14. Like in previous works, we assume the cost of broadcast-with-abort is comparable to that of sending the messages directly.

References

  1. Abspoel, M., et al.: Asymptotically good multiplicative LSSS over Galois rings and applications to MPC over \(\mathbb{Z}/p^k\mathbb{Z} \). In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part III. LNCS, vol. 12493, pp. 151–180. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_6

  2. Abspoel, M., Cramer, R., Damgård, I., Escudero, D., Yuan, C.: Efficient information-theoretic secure multiparty computation over \(\mathbb{Z}/p^k\mathbb{Z}\) via Galois rings. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part I. LNCS, vol. 11891, pp. 471–501. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36030-6_19

  3. Abspoel, M., Cramer, R., Escudero, D., Damgård, I., Xing, C.: Improved single-round secure multiplication using regenerating codes. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021, Part II. LNCS, vol. 13091, pp. 222–244. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92075-3_8

  4. Baum, C., Cozzo, D., Smart, N.P.: Using TopGear in overdrive: a more efficient ZKPoK for SPDZ. In: Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, pp. 274–302. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38471-5_12

  5. Bendlin, R., Damgård, I., Orlandi, C., Zakarias, S.: Semi-homomorphic encryption and multiparty computation. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 169–188. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_11

  6. Block, A.R., Maji, H.K., Nguyen, H.H.: Secure computation with constant communication overhead using multiplication embeddings. In: Chakraborty, D., Iwata, T. (eds.) INDOCRYPT 2018. LNCS, vol. 11356, pp. 375–398. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05378-9_20

  7. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS 2001, Las Vegas, Nevada, USA, 14–17 October 2001, pp. 136–145. IEEE Computer Society (2001)

  8. Cascudo, I., Cramer, R., Xing, C., Yuan, C.: Amortized complexity of information-theoretically secure MPC revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part III. LNCS, vol. 10993, pp. 395–426. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_14

  9. Cascudo, I., Gundersen, J.S.: A secret-sharing based MPC protocol for Boolean circuits with good amortized complexity. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12551, pp. 652–682. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_23

  10. Catalano, D., Di Raimondo, M., Fiore, D., Giacomelli, I.: Mon \(\mathbb{Z}_{2^{k}}\)a: fast maliciously secure two party computation on \(\mathbb{Z}_{2^{k}}\). In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 357–386. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_13

  11. Chen, H., Cramer, R.: Algebraic geometric secret sharing schemes and secure multi-party computations over small fields. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 521–536. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_31

  12. Chen, H., Cramer, R., de Haan, R., Pueyo, I.C.: Strongly multiplicative ramp schemes from high degree rational points on curves. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 451–470. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_26

  13. Cheon, J.H., Kim, D., Lee, K.: MHz2k: MPC from HE over \(\mathbb{Z}_{2^k}\) with new packing, simpler reshare, and better ZKP. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 426–456. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_15

  14. Cramer, R., Damgård, I., Escudero, D., Scholl, P., Xing, C.: SPD\(\mathbb{Z}_{2^k}\): efficient MPC mod \(2^k\) for dishonest majority. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 769–798. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_26

  15. Cramer, R., Rambaud, M., Xing, C.: Asymptotically-good arithmetic secret sharing over \(\mathbb{Z}/p^{\ell }\mathbb{Z}\) with strong multiplication and its applications to efficient MPC. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part III. LNCS, vol. 12827, pp. 656–686. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_22

  16. Damgård, I., Escudero, D., Frederiksen, T., Keller, M., Scholl, P., Volgushev, N.: New primitives for actively-secure MPC over rings with applications to private machine learning. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1102–1120. IEEE (2019)

  17. Damgård, I., Keller, M., Larraia, E., Pastro, V., Scholl, P., Smart, N.P.: Practical covertly secure MPC for dishonest majority – or: breaking the SPDZ limits. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 1–18. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40203-6_1

  18. Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_38

  19. Damgård, I., Zakarias, S.: Constant-overhead secure computation of Boolean circuits using preprocessing. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 621–641. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_35

  20. Frederiksen, T.K., Pinkas, B., Yanai, A.: Committed MPC - maliciously secure multiparty computation from homomorphic commitments. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part I. LNCS, vol. 10769, pp. 587–619. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_20

  21. Keller, M., Orsini, E., Scholl, P.: MASCOT: faster malicious arithmetic secure computation with oblivious transfer. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) CCS 2016, Vienna, Austria, 24–28 October 2016, pp. 830–842. ACM (2016)

  22. Keller, M., Pastro, V., Rotaru, D.: Overdrive: making SPDZ great again. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 158–189. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_6

  23. Larraia, E., Orsini, E., Smart, N.P.: Dishonest majority multi-party computation for binary circuits. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 495–512. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_28

  24. Orsini, E., Smart, N.P., Vercauteren, F.: Overdrive2k: efficient secure MPC over \(\mathbb{Z}_{2^k}\) from somewhat homomorphic encryption. In: Jarecki, S. (ed.) CT-RSA 2020. LNCS, vol. 12006, pp. 254–283. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-40186-3_12

  25. Cascudo, I., Chen, H., Cramer, R., Xing, C.: Asymptotically good ideal linear secret sharing with strong multiplication over any fixed finite field. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 466–486. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_28

  26. Cascudo, I., Cramer, R., Xing, C.: The Torsion-limit for algebraic function fields and its application to arithmetic secret sharing. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 685–705. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_39

  27. Rathee, D., Schneider, T., Shukla, K.K.: Improved multiplication triple generation over rings via RLWE-based AHE. In: Mu, Y., Deng, R.H., Huang, X. (eds.) CANS 2019. LNCS, vol. 11829, pp. 347–359. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-31578-8_19

  28. Wan, Z.-X.: Lectures on Finite Fields and Galois Rings. World Scientific Publishing Company (2003)

  29. Yao, A.C.: How to generate and exchange secrets (extended abstract). In: 27th Annual Symposium on Foundations of Computer Science, Toronto, Canada, 27–29 October 1986, pp. 162–167. IEEE Computer Society (1986)

Acknowledgement

The research of C. Xing is supported in part by the National Key Research and Development Project 2021YFE0109900 and the National Natural Science Foundation of China under Grant 12031011. The research of C. Yuan is supported in part by the National Natural Science Foundation of China under Grant 12101403. This paper was prepared in part for information purposes by the Artificial Intelligence Research group of JPMorgan Chase & Co and its affiliates (“JP Morgan”), and is not a product of the Research Department of JP Morgan. JP Morgan makes no representation and warranty whatsoever and disclaims all liability, for the completeness, accuracy or reliability of the information contained herein. This document is not intended as investment research or investment advice, or a recommendation, offer or solicitation for the purchase or sale of any security, financial instrument, financial product or service, or to be used in any way for evaluating the merits of participating in any transaction, and shall not constitute a solicitation under any jurisdiction or to any person, if such solicitation under such jurisdiction or to such person would be unlawful. 2021 JP Morgan Chase & Co. All rights reserved.

Author information

Corresponding author: Daniel Escudero.

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Cite this paper

Escudero, D., Xing, C., Yuan, C. (2022). More Efficient Dishonest Majority Secure Computation over \(\mathbb {Z}_{2^k}\) via Galois Rings. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13507. Springer, Cham. https://doi.org/10.1007/978-3-031-15802-5_14

  • DOI: https://doi.org/10.1007/978-3-031-15802-5_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15801-8

  • Online ISBN: 978-3-031-15802-5
