The invention relates to a dealer device, an evaluator device, a provisioning method, a provisioning verification method, and a computer readable medium.
Multi-party computation (MPC) is a cryptographic technique for performing distributed computations on inputs of multiple mutually distrusting parties. Using MPC, such parties can learn the output of a joint computation on their respective inputs. MPC protocols typically aim to guarantee correctness, e.g., the output of the joint computation is the output that was supposed to be computed, and privacy, e.g. the parties do not learn any information about the respective inputs of the other parties other than the computation output. MPC protocols may be actively secure, e.g., they achieve these security guarantees even if up to a given threshold of parties involved in the protocol actively try to manipulate the computation.
Many MPC protocols are divided into an offline, or preprocessing, phase, and an online phase. The offline phase takes place before any of the participants have provided inputs to the computation, and it operates independently from these inputs. The online phase uses, or consumes, data computed in the offline phase in order to perform a computation on the inputs. By shifting computational effort from the online phase to the offline phase, the latency of the MPC, i.e., the time between providing the inputs and receiving the outputs, is decreased. For instance, consider an application of MPC for electronic voting. In such a setting, the counting of the votes may be performed using a MPC between multiple tallying devices to protect the confidentiality of the votes. In such a setting, it is desirable to learn the election result as soon as possible after voting closes. Hence, shifting computation from the online phase, which can only be performed after voting closes, to the offline phase, which can be performed beforehand, is beneficial.
The online and the offline phase of an MPC protocol may be regarded as two separate MPC protocols. The offline phase is an MPC protocol that, under appropriate security assumptions, is guaranteed to correctly execute a “preprocessing functionality”. The online phase is an MPC protocol that executes the actual computation assuming that the preprocessing functionality has been executed correctly, which is formalized by modelling that the preprocessing has been carried out by a dealer who is trusted by all parties in the protocol. For example, this is the approach taken in “Practical Covertly Secure MPC for Dishonest Majority—Or: Breaking the SPDZ Limits” by Ivan Damgård et al., proceedings of ESORICS 2013. Hence, there are two possibilities for using the online phase of an MPC protocol: either by selecting an external trusted party, e.g., an external dealer device, that is trusted by all protocol participants and letting that party perform the preprocessing, or by replacing the trusted party by the offline phase executed as a MPC protocol between the protocol participants. The first approach has the advantage that it is very efficient, since the dealer can execute the preprocessing phase in the plain without the need for any MPC, but it has the disadvantage that the dealer device needs to be fully trusted to correctly execute the preprocessing functionality, e.g., to not supply incorrect data, etc. The second approach does not require trust in an external dealer device, e.g., it guarantees correctness of the preprocessing information under appropriate security assumptions, but this comes at the price of decreased efficiency, e.g., a preprocessing phase executed as a MPC protocol by the protocol participants may be several orders of magnitude slower than the online phase.
Hence, there is a need to have efficient preprocessing for MPC protocols by an external dealer in which the dealer device does not need to be fully trusted.
To improve upon MPC preprocessing a dealer device and an evaluator device as defined in the claims are proposed.
A dealer device as defined in the claims performs batch-wise provisioning of preprocessing information for a multi-party computation to multiple evaluator devices. The dealer device generates secret-shares of a set of multiple random values satisfying a set of multiple polynomial checking equations and secret-shares of one or more message authentication codes for the set of multiple random values and sends to each evaluator device a respective subset of the secret-shares. The set of multiple random values is used by the multiple evaluator devices for blinding in the multi-party computation, improving privacy, and the set of multiple message authentication codes is used by the multiple evaluator devices for integrity checking in the multi-party computation, improving correctness. The dealer device also computes secret-shares of a set of proof values and sends to each evaluator device a respective subset of the secret-shares. The set of proof values is computed such that a checking polynomial defined by the set of multiple random values and the set of proof values is identical to zero, said property allowing the multiple evaluator devices to check based on a single polynomial identity that the set of multiple polynomial checking equations is satisfied on the set of multiple random values, hence decreasing the need for the evaluator devices to fully trust the dealer device.
An evaluator device as defined in the claims performs batch-wise distributed verification with one or more other evaluator devices of preprocessing information for a multi-party computation provisioned from the dealer device. The evaluator device obtains secret-shares of random values for blinding in the multi-party computation, improving privacy, and secret-shares of message authentication codes for integrity checking in the multi-party computation, improving correctness. The evaluator device also obtains proof secret-shares; determines a random evaluation point with the one or more other evaluator devices; and checks that an evaluation of a checking polynomial in the random evaluation point is equal to zero, the checking polynomial being defined from the set of multiple random values and the set of proof values. The checking polynomial comprises checking sub-expressions that can be computed from the random value secret-shares and proof secret-shares. By checking a single polynomial identity based on sub-expressions that can be computed from its secret-shares, the evaluator device can efficiently verify that a set of multiple polynomial checking equations is satisfied on the set of multiple random values, hence decreasing the need for the evaluator device to fully trust the dealer device.
Embodiments may be applied in any setting where a MPC protocol is used that is divided into an offline phase and an online phase. Various types of preprocessing information may be provided, e.g., random blinding values and/or multiplication triples. While known approaches would either require the evaluator devices to trust the dealer device or require them to perform the preprocessing as a computationally expensive MPC protocol, these disadvantages are overcome by reducing the need for the evaluator devices to trust the dealer device with a technique to provide random values and their message authentication codes, using an efficient verification based on checking a single polynomial identity in a random evaluation point.
The dealer device and the evaluator device are electronic devices; they may be computers. The provisioning method and provisioning verification method described herein may be applied in a wide range of practical applications. Such practical applications include e-voting systems, auctioning systems, and distributed data analytics systems.
Further aspects of the invention are a provisioning method and a provisioning verification method. Embodiments of the provisioning method and/or provisioning verification method may be implemented on a computer as a computer implemented method, or in dedicated hardware, or in a combination of both. Executable code for an embodiment of either method may be stored on a computer program product. Examples of computer program products include memory devices, optical storage devices, integrated circuits, servers, online software, etc. Preferably, the computer program product comprises non-transitory program code stored on a computer readable medium for performing an embodiment of the method when said program product is executed on a computer.
In an embodiment, the computer program comprises computer program code adapted to perform all the steps of an embodiment of the provisioning method or provisioning verification method when the computer program is run on a computer. Preferably, the computer program is embodied on a computer readable medium.
Another aspect of the invention provides a method of making the computer program available for downloading. This aspect is used when the computer program is uploaded into, e.g., Apple's App Store, Google's Play Store, or Microsoft's Windows Store, and when the computer program is available for downloading from such a store.
Further details, aspects, and embodiments of the invention will be described, by way of example only, with reference to the drawings. Elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. In the Figures, elements which correspond to elements already described may have the same reference numerals. In the drawings,
While this invention is susceptible of embodiment in many different forms, there are shown in the drawings and will herein be described in detail one or more specific embodiments, with the understanding that the present disclosure is to be considered as exemplary of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described.
In the following, for the sake of understanding, elements of embodiments are described in operation. However, it will be apparent that the respective elements are arranged to perform the functions being described as performed by them.
Further, the invention is not limited to the embodiments, and the invention lies in each and every novel feature or combination of features described herein or recited in mutually different dependent claims.
The dealer device may also be configured for a multi-party computation (MPC), though preferably only for parts of the MPC which do not use precomputation data which was generated by the dealer in the plain. For example, the dealer device and an evaluator device may change their function, so that an evaluator device may later function as dealer device and the dealer device as an evaluator device. The latter may be used to generate preprocessing information by different devices so that all of the devices can participate in the MPC.
Returning to
Instead of communication over a digital network 150, there are other ways to constitute a multiparty computation system. For example,
Dealer device 110 is configured for batch-wise provisioning of preprocessing information for a multi-party computation (MPC) to multiple evaluator devices. As mentioned above, the MPC may be a MPC between the multiple evaluator devices. Various MPC protocols are known in which preprocessing information 231 may be used to carry out the MPC. For example, the multiparty computation may be carried out using a SPDZ-style protocol, e.g., as described in I. Damgård, M. Keller, E. Larraia, V. Pastro, P. Scholl, and N. P. Smart, “Practical covertly secure MPC for dishonest majority—or Breaking the SPDZ limits”, Proceedings of ESORICS 2013, Springer, 2013, included herein by reference. The preprocessing information 231 may be used for blinding and/or integrity checking in the MPC. Typically, preprocessing information 231 is either generated in the plain by a trusted third party or in a secret-shared fashion jointly by the evaluator devices, e.g., using a MPC. Generation by a trusted third party is more efficient than joint generation by the evaluator devices but requires the evaluator devices to trust that the preprocessing information provisioned by the trusted third party is correct. Advantageously, dealer device 110 generates preprocessing information 231 in the plain and provisions it to the evaluator devices, but also provides additional information to the evaluator devices that enables them to check that preprocessing information 231, thereby decreasing the amount of trust that the evaluator devices need to have in dealer device 110.
Preprocessing information 231 may be provisioned before the actual computation is performed, e.g., before any of the evaluator devices has provided an input to the MPC, or it may be provisioned continuously as the need for additional instances of preprocessing information 231 arises during the protocol. The provisioning may be initiated by an evaluator device, e.g., an evaluator device sends a request to dealer device 110 to provision preprocessing information, or it may be scheduled at regular time intervals, e.g., dealer device 110 provisions preprocessing information to the evaluator devices periodically, e.g., every hour or every 24 hours. The provisioning may also be repeated several times, e.g., depending on how much preprocessing information the evaluator devices have used, e.g., during a previous time interval, or depending on how much preprocessing information the evaluator devices expect to use, e.g., for their next MPC or for the MPCs in a future time interval. Preprocessing information may be used for multiple MPCs, and multiple sets of provisioned preprocessing information may be used in a single MPC.
Preprocessing information 231 comprises a set 232 of multiple random values. Random values, e.g., random value 232.1, 232.2 or 232.3, are preferably field elements, e.g., from a prime-order field, e.g., represented as numbers greater than or equal to zero and less than a prime p. Dealer device 110 generates the set of multiple random values in the plain with the goal of making them available in secret-shared form to the multiple evaluator devices, e.g., additively secret-shared wherein the sum of the secret-shares is the random value, or Shamir secret-shared, etc. Set 232 of random values may be used for blinding during the multi-party computation. Random values, e.g., random value 232.1, 232.2 or 232.3, being random and unknown to the evaluator devices is advantageous for blinding, e.g., because it allows a computation value blinded by a random value to be opened by the evaluator devices without the evaluator devices learning the computation value. For instance, in various MPC protocols known in the state of the art, an evaluator device provides an input x to the MPC by blinding the input with a random value r, e.g. random value 232.1, 232.2 or 232.3, and sending the blinded input ϵ=x−r to other evaluator devices, who compute a secret-share of input x from their respective secret-share of random value r and the blinded input ϵ.
It is often advantageous for a set 236 of multiple polynomial checking equations, e.g. comprising polynomial checking equations 236.1 and 236.2, to be satisfied on the set 232 of multiple random values. For instance, polynomial checking equations being satisfied may allow the preprocessing information to be used for various MPC sub-routines known in the state-of-the-art, e.g., for computing two values, for inverting a value, or for computing a bit decomposition.
For instance, a polynomial checking equation, e.g., a polynomial checking equation 236.1 or 236.2, may comprise the product of a first random value a, e.g., random value 232.1, and a second random value b, e.g., random value 232.2, being equal to a third random value c, e.g., random value 232.3, e.g., the polynomial checking equation may be a·b=c, a·b−c=0, or the like. Such a set of random values a,b,c=a·b is known as a multiplication triple. Multiplication triples have the advantage that they can be used in the MPC to perform a multiplication, e.g., using “Beaver's trick”. For example, in order to compute a secret-shared product z=x·y of secret-shared values x and y, the parties carrying out the MPC may compute secret-shared values ϵ=x−a and ρ=y−b, e.g., x may be blinded by a and y may be blinded by b; exchange the secret-shares of ϵ and ρ to learn ϵ and ρ in the plain; and compute secret-shared product [z] from the opened blinded values ϵ,ρ and secret-shares [a], [b], [c] of the respective values a, b, c in the multiplication triple, e.g., [z]=ϵ·ρ+ϵ·[b]+ρ·[a]+[c]. Set 232 of random values may comprise only multiplication triples, e.g., set 232 comprises 300 random values and set 236 comprises 100 polynomial checking equations, a polynomial checking equation stating that one random value is a product of two other random values from set 232 of random values.
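The multiplication triple and Beaver's trick described above, as an added example in Python that is not code from the patent. The prime modulus p, the use of additive secret-sharing over three parties, and the function names are constructed assumptions for this example; the dealer here generates the triple in the plain, exactly the trust the rest of the text sets out to reduce.

```python
# Added example (not from the patent): Beaver multiplication on additive secret-shares.
import secrets

P = 2**61 - 1  # constructed prime modulus for this example


def share(value, n_parties, p=P):
    """Additive secret-sharing: n random shares whose sum modulo p is the value."""
    shares = [secrets.randbelow(p) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % p)
    return shares


def reconstruct(shares, p=P):
    """Open an additively shared value by summing the shares."""
    return sum(shares) % p


def dealer_triple(n_parties, p=P):
    """The dealer generates (a, b, c = a*b) in the plain and shares each component."""
    a, b = secrets.randbelow(p), secrets.randbelow(p)
    c = a * b % p
    return share(a, n_parties, p), share(b, n_parties, p), share(c, n_parties, p)


def beaver_multiply(x_shares, y_shares, triple_shares, p=P):
    """Compute shares of z = x*y from shares of x, y and a multiplication triple."""
    a_sh, b_sh, c_sh = triple_shares
    # Each party blinds its own shares locally: [eps] = [x] - [a], [rho] = [y] - [b].
    eps_shares = [(x - a) % p for x, a in zip(x_shares, a_sh)]
    rho_shares = [(y - b) % p for y, b in zip(y_shares, b_sh)]
    # The blinded values are exchanged and opened. Because a and b are uniformly
    # random and unknown to the evaluators, eps and rho reveal nothing about x and y.
    eps, rho = reconstruct(eps_shares, p), reconstruct(rho_shares, p)
    # [z] = eps*rho + eps*[b] + rho*[a] + [c]; the public constant eps*rho is
    # added by one party only so that the shares still sum to z.
    z_shares = []
    for i in range(len(x_shares)):
        z = (eps * b_sh[i] + rho * a_sh[i] + c_sh[i]) % p
        if i == 0:
            z = (z + eps * rho) % p
        z_shares.append(z)
    return z_shares


if __name__ == "__main__":
    xs, ys = share(12345, 3), share(678, 3)
    print(reconstruct(beaver_multiply(xs, ys, dealer_triple(3))) == 12345 * 678 % P)
```

A triple in which c is not the product of a and b silently corrupts the product: with c replaced by c+1, the opened result is x·y+1, and no evaluator can tell from its shares alone. That is the correctness failure the checking polynomial of the following sections lets the evaluators detect.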
Apart from polynomial checking equations stating that one value is a product of two other values, also other types of polynomial checking equations are advantageous. For instance, set 236 of polynomial checking equations may comprise a polynomial checking equation x (1−x)=0, wherein a random value, e.g., random value 232.1, 232.2 or 232.3, is multiplied by the difference between 1 and the random value, implying that the random value x is a bit. This is advantageous, e.g., for performing bit decompositions and fixed-point computations in the MPC. As another example, set 236 of polynomial checking equations may comprise a polynomial checking equation x·x=y, wherein a first random value, e.g., random value 232.1, is squared to obtain a second random value, e.g., random value 232.2, which implies that random value y is a square of random value x. This is advantageous, e.g., for performing squaring computations in the MPC. Various other sets of polynomial checking equations are advantageous as well, e.g., set 236 of polynomial checking equations may comprise a system of polynomial equations stating that a first subset of set 232 of random values represents a matrix C=A·B that is a matrix product of a matrix A represented by a second subset of set 232 of random values and a matrix B represented by a third subset of set 232 of random values. This is advantageous, e.g., for computing a matrix product in the MPC.
Although set 232 of random values satisfies set 236 of multiple polynomial checking equations, the values, e.g., value 232.1, 232.2 or 232.3, may be regarded as random nonetheless. For example, although polynomial checking equation aibi=ci states that a random value ci is a product of a random value ai and a random value bi, the random value ci by itself may still take on any value, e.g., it may be generated as a uniformly random nonzero value. Similarly, while polynomial checking equation x·(1−x)=0 may state that random value x is a bit, x may still be random subject to that constraint, e.g., it may be generated such that it takes on value 0 with probability one half and value 1 with probability one half.
The set 236 of polynomial equations to be satisfied may be hard-coded, or it may be chosen, e.g., by the dealer device or an evaluator device, e.g., the dealer or evaluator device may request a number of random values of a particular type, e.g., 1000 multiplication triples, or a number of random values of respective types, e.g., 800 multiplication triples and 400 random bits. For example, dealer device 110 may comprise a request interface configured to obtain a number and/or at least one type of random values to be provisioned. Dealer device 110 may be configured for preprocessing of random values satisfying particular sets 236 of multiple polynomial checking equations, e.g., it may be configured to generate multiplication triples and/or random bits, or it may be configured for preprocessing of random values satisfying arbitrary sets 236 of polynomial checking equations or sets 236 of polynomial checking equations of a particular type, e.g., polynomial checking equations of degree at most 2. It may be advantageous for dealer device 110 to be configured for preprocessing of sets 236 of polynomial checking equations of a given size, e.g., sets 236 of sizes that are powers of 2, e.g., 2, 4, 8, 16, etc., or one less than a power of 2, e.g., 3, 7, 15, etc.
Dealer device 110 has a random value generation unit 241 that generates set 232 of multiple random values satisfying the multiple polynomial checking equations 236. Generating random values can be performed in various ways. For example, random value generation unit 241 may generate a subset of the set 232 of random values, e.g., a multiplication triple (a, b, c=a·b), by generating some values in the subset, e.g., (a,b), (a,c), or (b,c) randomly, and computing other values in the subset from the randomly generated values, e.g., c=a·b, b=a⁻¹·c, or a=b⁻¹·c. Alternatively, some of the random values, e.g., random value 232.1, 232.2 or 232.3, from the set 232 of random values, may be generated randomly from a given domain, e.g., they may be selected uniformly random from the set {0,1} of bits. Generic techniques for generating random values subject to conditions, e.g., the multiple polynomial checking equations 236, may also be used, e.g., rejection sampling or inversion sampling may be used. Set 232 of random values may be generated using true randomness, e.g., from atmospheric or thermal noise, or using a pseudorandom number generator, e.g., a cryptographically secure pseudorandom number generator, e.g., a stream cipher or a block cipher.
Set 232 of multiple random values and a set 234 of proof values together define a checking polynomial P(x), 235. Proof values, e.g. proof value 234.1 or 234.2 are typically from the same domain as random values, e.g., they are numbers from a prime-order field. Checking polynomial P(x), 235 may be defined from set 232 of multiple random values and set 234 of proof values in a predetermined, e.g., hard-coded way, e.g., as a formula in which x, the random values and the proof values occur as variables. Checking polynomial 235 may follow via such a formula from set of 232 of multiple random values and set 234 of proof values by substituting them in the formula and leaving x as a variable.
Checking polynomial P(x), 235, is for verifying at the multiple evaluator devices that the set 236 of multiple polynomial checking equations is satisfied on the set 232 of multiple random values. Checking polynomial 235 relates to set 236 of multiple checking equations via a predetermined set of checking points ω1, . . . , ωn, e.g., multiple checking points. In particular, an evaluation of checking polynomial 235 in a checking point ωi is equal to a difference, e.g., aibi−ci between a left-hand side, e.g., aibi and a right-hand side, e.g., ci, of a polynomial checking equation, e.g., aibi=ci, from the set 236 of multiple polynomial checking equations. The left-hand side and/or the right-hand side of a polynomial checking equation may be zero, e.g. the polynomial checking equation may be b·(1−b)=0 or 0=a·b·c. If the checking polynomial P(x), 235 defined by set 232 of multiple random values and set 234 of proof values is identical to zero, then in particular, an evaluation P(ωi) of the checking polynomial 235 in the checking point ωi is zero, indicating that the difference between the left-hand side, e.g., aibi and the right-hand side, e.g., ci of the polynomial checking equation, e.g., aibi=ci is zero, e.g., the polynomial checking equation is satisfied. Hence, advantageously, checking polynomial 235 being identical to zero may imply that multiple polynomial checking equations are satisfied at the same time. The number of checking points n in the predetermined set of checking points may be equal to the number of polynomial checking equations from set 236 of multiple polynomial checking equations and checking polynomial 235 being zero may imply that all polynomial checking equations from set 236 of multiple polynomial checking equations are satisfied.
To enable verifying that multiple polynomial checking equations are satisfied on set 232 of random values by verifying that checking polynomial 235 is identical to zero, it is beneficial if checking polynomial 235 is actually identical to zero for many appropriate sets 232 of random values, e.g., for all sets 232 of random values satisfying the set of polynomial equations. It may not generally be possible to define such a checking polynomial 235 just from set 232 of random values. Interestingly, however, because checking polynomial 235 is defined also from set 234 of proof values, it is possible to define checking polynomial 235 in such a way that, for all appropriate sets 232 of random values, a set 234 of proof values can be computed such that checking polynomial 235 is identical to zero, for example, using one of the constructions detailed below. Hence, the multiple evaluator devices may verify that the set of multiple polynomial checking equations is satisfied on the set 232 of multiple random values by performing a single check that checking polynomial 235 is identical to zero. This may be easier than checking each polynomial checking equation separately, e.g., checking that a polynomial is identical to zero may be performed probabilistically by evaluating the polynomial in a single point using the Schwartz-Zippel lemma, as described below.
In some embodiments, checking polynomial 235 comprises an evaluating polynomial E(x), a target polynomial T(x), and a quotient polynomial H(x). Such embodiments are explained with reference to a particular example shown in
An evaluation of evaluating polynomial E(x), e.g. 503, in a checking point ωi from the predetermined set of checking points ω1, . . . , ωn, e.g., set {0,1}, is equal to a difference, e.g., difference 501 or 502, between a left-hand side and a right-hand side of a polynomial checking equation.
One way to define the evaluating polynomial is by representing the differences, e.g., difference 501 or 502, in such a way that they are defined in the same way from respective linear parts. For example, differences 501, 502 are defined from respective linear parts a and d; b and 1−d; and c and 0 as the subtraction of the product of the first linear part, e.g., a or d, and the second linear part, e.g., b or 1−d, with the third linear part, e.g., c or 0. Respective linear parts may be regarded to be implicitly defined, e.g., a respective linear part may comprise a zero term and/or a one factor if it is not explicitly defined. For example, in differences a·b−c, e·f+g between left-hand sides and right-hand sides of respective polynomial checking equations, the respective linear parts may comprise a and e; b and f; c and 1; and 0 and g, wherein linear parts 1 and 0 are implicitly defined.
For each set of respective linear parts, a Lagrange interpolating polynomial in the predetermined set of checking points may then be defined. For example, for set a, d of respective linear parts, Lagrange interpolating polynomial A(x)=x·a+(1−x)·d, 503.1, may be defined, where the Lagrange interpolating polynomial evaluates to a respective linear part in a checking point, e.g., A(0)=d and A(1)=a. Similarly, Lagrange interpolating polynomials B(x)=x·b+(1−x)·(1−d), 503.2, and C(x)=x·c+(1−x)·0, 503.3, may be defined. Evaluating polynomial E(x), e.g. 503, may be defined from the Lagrange interpolating polynomials, e.g., Lagrange interpolating polynomials 503.1, 503.2, and 503.3, in the same way that the differences, e.g., difference 501 or 502, are defined from their respective linear parts, e.g., evaluating polynomial E(x)=A(x)B(x)−C(x) may be defined as the subtraction of the product of Lagrange interpolating polynomial A(x) corresponding to the first set of respective linear parts with Lagrange interpolating polynomial B(x) corresponding to the second set of respective linear parts and Lagrange interpolating polynomial C(x) corresponding to the third set of respective linear parts.
As another example, set 232 of multiple random values may comprise random values a1, . . . , an,b1, . . . , bn,c1, . . . , cn, and respective polynomial checking equations in the set 236 of multiple polynomial checking equations may comprise equations aibi=ci, e.g., (ai,bi,ci) are multiplication triples. Evaluating polynomial E(x) may be defined as E(x)=A(x)B(x)−C(x), wherein A(x) comprises the Lagrange interpolating polynomial of points (ω1,a1), . . . , (ωn,an); B(x) comprises the Lagrange interpolating polynomial of points (ω1,b1), . . . , (ωn,bn), and C(x) comprises the Lagrange interpolating polynomial of points (ω1,c1), . . . , (ωn,cn).
Roots of the target polynomial T(x) comprise the predetermined set of checking points ω1, . . . , ωn, e.g., T(x)=(x−ω1) . . . (x−ωn), e.g. T(x)=x·(x−1), 504. Checking polynomial P(x), e.g. 506 may comprise the subtraction of the evaluating polynomial E(x), e.g. 503, and the product of the target polynomial T(x), e.g. 504, with the quotient polynomial H(x), e.g. 505, e.g., P(x)=E(x)−T(x)H(x). Interestingly, in an embodiment, if the checking polynomial, e.g., P(x)=E(x)−T(x)H(x), is identical to zero, then it evaluates to zero in the predetermined set of checking points. In this case, since the target polynomial evaluates to zero in the predetermined set of checking points, also evaluating polynomial E(x) evaluates to zero in the predetermined set of checking points, which may imply that set 236 of polynomial checking equations is satisfied. On the other hand, if set 236 of polynomial checking equations is satisfied, then the evaluating polynomial evaluates to zero in the checking points, and consequently, it may be properly divisible by the target polynomial, so quotient polynomial H(x) may be defined as H(x)=E(x)/T(x) such that checking polynomial P(x)=E(x)−T(x)H(x) is identical to zero. Hence, by providing quotient polynomial H(x), e.g. 505, to the multiple evaluator devices, dealer device 110 may enable the evaluator devices to verify that set 236 of multiple polynomial checking equations is satisfied on set 232 of multiple random values by verifying that checking polynomial P(x), e.g. 506, is identical to zero.
Quotient polynomial H(x), e.g. 505, is typically defined by set 234 of proof values. For example, set 234 of proof values may comprise coefficients and/or evaluations of the quotient polynomial. For example, set 234 of proof values may comprise a number of coefficients and/or evaluations that depends on the number of polynomial checking equations, e.g., the number may be equal to the number of polynomial checking equations or the number of polynomial checking equations minus one. For example, two polynomial checking equations, e.g., polynomial checking equation 501 and 502, may lead to a quotient polynomial, e.g. 505, of degree zero, set 234 of proof values comprising its constant coefficient, e.g., H(x)=h0.
In other embodiments, checking polynomial 235 comprises one or more proof sub-expressions and one or more non-proof sub-expressions. Such embodiments are explained with reference to a particular example shown in
Similarly to evaluating polynomial E(x) discussed with reference to
Both the one or more proof sub-expressions, e.g., proof sub-expression 603.3, and the one or more non-proof sub-expressions, e.g., non-proof sub-expression 603.1 or 603.2, may be defined as Lagrange interpolating polynomials. Non-proof sub-expressions may be defined as Lagrange interpolating polynomials in the set of multiple checking points, e.g., set {0,1}. For example, for set a, d of respective linear parts, non-proof sub-expression A(x)=x·a+(1−x) d, 603.1, may be defined as a Lagrange interpolating polynomial in the set of multiple checking points that evaluates to a respective linear part in a checking point, e.g., A(0)=d and A(1)=a. Similarly, non-proof sub-expression B(x)=x·b+(1−x)·(1−d), 603.2, may be defined as a Lagrange interpolating polynomial in the set of multiple checking points.
Interestingly however, in some embodiments proof sub-expressions are defined not just from evaluations in the set of multiple checking points; instead, they are defined at least partially from evaluations in an additional set of points, set 234 of proof values comprising said evaluations. Said evaluations may result in the checking polynomial being identical to zero. In the example from
are the Lagrange basis polynomials for x-values 0, 1, and 2 such that C(0)=0, C(1)=c, C(2)=c2. Checking polynomial P(x), e.g. 603, may be defined from proof sub-expressions e.g., proof sub-expression 603.3, and non-proof sub-expressions e.g., non-proof sub-expression 603.1 and 603.2, in the same way that the differences between respective polynomial equations, e.g., difference 601 or 602, are defined from their respective linear parts, e.g., checking polynomial 603 is defined as P(x)=A(x)·B(x)−C(x). The evaluations in the additional set of points, e.g., c2, may be chosen such that the checking polynomial, e.g. 603, evaluates to zero in these additional points, e.g., c2=A(2)·B(2). If the checking polynomial evaluates to zero both in the predetermined set of checking points and in the set of additional points, this may imply that the checking polynomial is identical to zero, e.g., any polynomial of degree n−1 which is zero in n distinct points may be identical to zero.
As another example, set 232 of multiple random values may comprise random values a1, . . . , an, b1, . . . , bn, c1, . . . , cn, and respective polynomial checking equations in the set 236 of multiple polynomial checking equations may comprise equations aibi=ci, e.g., (ai, bi, ci=ai·bi) are multiplication triples. Checking polynomial P(x), 235, may then be defined as P(x)=A(x)B(x)−C(x), wherein A(x),B(x) are non-proof sub-expressions defined from n predetermined checking points ω1, . . . , ωn, and C(x) is a proof sub-expression defined from the predetermined checking points and n−1 additional points. Proof sub-expressions need not be defined from both set 232 of random values and set 234 of proof values, e.g., one or more proof sub-expressions may be defined just from set 234 of proof values. For example, instead of defining checking polynomial 235 as P(x)=A(x)·B(x)−C(x) as above, checking polynomial 235 may alternatively be defined as P(x)=A(x)B(x)−C(x)+D(x), wherein A(x), B(x), C(x) are non-proof sub-expressions defined from multiplication triples (ai,bi,ci) as Lagrange interpolating polynomials in the predetermined set of checking points, and D(x) is a proof sub-expression defined from set 234 of proof values as a Lagrange interpolating polynomial in the predetermined set of checking points and an additional set of points, e.g., D(ω1)= . . . =D(ωn)=0, D(ωn+1)=A(ωn+1)·B(ωn+1)−C(ωn+1), . . . , D(ω2n−1)=A(ω2n−1)·B(ω2n−1)−C(ω2n−1).
The polynomial checking equations also do not necessarily comprise three sets of respective linear parts, as above. For example, set 232 of random values may comprise inner products (ai,bi,ci,di,ei=aibi+cidi), set 236 of checking equations comprising equations aibi+cidi−ei=0, and the sets of respective linear parts comprising {ai}, {bi}, {ci}, {di}, {ei}. Checking polynomial 235 in this case may be P(x)=A(x)B(x)+C(x)D(x)−E(x), wherein A(x),B(x),C(x),D(x) are non-proof sub-expressions defined by Lagrange interpolation from respective subsets ai,bi,ci,di of set 232 of random values and E(x) is a proof sub-expression defined from subset ei of set 232 of random values and evaluations E(ωn+i)=A(ωn+i)·B(ωn+i)+C(ωn+i)·D(ωn+i) in the additional set of points. Checking polynomial 235 may alternatively be P(x)=A(x)B(x)+C(x)D(x)−E(x)+F(x), wherein A(x), B(x), C(x), D(x), E(x) are non-proof sub-expressions defined by Lagrange interpolation from respective subsets ai,bi,ci,di,ei of set 232 of random values and F(x) is a proof sub-expression defined from evaluations F(ωn+i) in the additional set of points. There can also be multiple proof sub-expressions, e.g., it is also possible to have P(x)=A(x)B(x)+C(x)D(x)−E(x)+F1(x)+F2(x), e.g., wherein F1(x) is defined from evaluations F(ωn+i),F(ωn+3i), . . . and F2(x) is defined from evaluations F(ωn+2i), F(ωn+4i), . . . . Checking polynomial 235 may also comprise products of more than three proof sub-expressions and/or non-proof sub-expressions, e.g., a product A(x)·B(x)·C(x) of three non-proof sub-expressions.
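As an added worked example (not code from the patent), the following Python builds both forms of checking polynomial described above for n multiplication triples over a toy prime field: the proof-sub-expression form, where C(x) is extended through n−1 additional points so that P(x)=A(x)B(x)−C(x) is the zero polynomial, and the quotient form H(x)=E(x)/T(x) with T(x) the product of (x−ωi). It handles general n rather than only the two-equation case of the text; the modulus, the choice of checking points 1..n and additional points n+1..2n−1, and all function names are this example's own assumptions.

```python
P = 2**31 - 1  # prime modulus of the toy field; constructed for this example

def poly_trim(f):
    """Drop high-order zero coefficients; polynomials are lists, low to high."""
    f = list(f)
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f

def poly_add(f, g):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return [(a + b) % P for a, b in zip(f, g)]

def poly_sub(f, g):
    return poly_add(f, [(-c) % P for c in g])

def poly_mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % P
    return out

def poly_eval(f, x):
    """Horner evaluation of f at x."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % P
    return acc

def interpolate(points):
    """Lagrange interpolating polynomial through the (x, y) pairs (distinct x)."""
    result = [0]
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = poly_mul(basis, [(-xj) % P, 1])
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        result = poly_add(result, [c * scale % P for c in basis])
    return poly_trim(result)

def poly_divmod(f, g):
    """Schoolbook polynomial division; returns (quotient, remainder)."""
    f, g = poly_trim(f), poly_trim(g)
    if len(f) < len(g):
        return [0], f
    quotient, rem = [0] * (len(f) - len(g) + 1), list(f)
    inv_lead = pow(g[-1], -1, P)
    for k in range(len(f) - len(g), -1, -1):
        coef = rem[k + len(g) - 1] * inv_lead % P
        quotient[k] = coef
        for j, gj in enumerate(g):
            rem[k + j] = (rem[k + j] - coef * gj) % P
    return poly_trim(quotient), poly_trim(rem)

def is_zero_polynomial(f):
    return all(c == 0 for c in f)

def non_proof_sub_expressions(triples, omegas):
    """A(x), B(x): Lagrange interpolants of the a_i and b_i in the checking points."""
    A = interpolate([(w, a) for w, (a, _, _) in zip(omegas, triples)])
    B = interpolate([(w, b) for w, (_, b, _) in zip(omegas, triples)])
    return A, B

def dealer_proof_evaluations(triples, omegas, extra_points):
    """Proof-sub-expression form: the proof values are the n-1 evaluations
    c_{n+j} = A(w)B(w) in the additional points, so C(x) agrees with A(x)B(x)
    in 2n-1 points and P(x) = A(x)B(x) - C(x) is the zero polynomial."""
    A, B = non_proof_sub_expressions(triples, omegas)
    return [poly_eval(A, w) * poly_eval(B, w) % P for w in extra_points]

def checking_polynomial(triples, omegas, extra_points, proof_values):
    """P(x) = A(x)B(x) - C(x), C(x) interpolated through the claimed c_i and
    the dealer's proof values; identically zero iff every a_i*b_i = c_i."""
    A, B = non_proof_sub_expressions(triples, omegas)
    C = interpolate([(w, c) for w, (_, _, c) in zip(omegas, triples)]
                    + list(zip(extra_points, proof_values)))
    return poly_trim(poly_sub(poly_mul(A, B), C))

def dealer_quotient_polynomial(triples, omegas):
    """Quotient form: E(x) = A(x)B(x) - C(x), T(x) = prod (x - w_i), H = E / T.
    The remainder is zero exactly when E vanishes in all checking points."""
    A, B = non_proof_sub_expressions(triples, omegas)
    C = interpolate([(w, c) for w, (_, _, c) in zip(omegas, triples)])
    E = poly_sub(poly_mul(A, B), C)
    T = [1]
    for w in omegas:
        T = poly_mul(T, [(-w) % P, 1])
    return poly_divmod(E, T)

if __name__ == "__main__":
    triples = [(3, 4, 12), (5, 6, 30), (7, 8, 56)]      # constructed sample
    omegas, extra = [1, 2, 3], [4, 5]                    # n = 3, n-1 extra points
    proof = dealer_proof_evaluations(triples, omegas, extra)
    print(is_zero_polynomial(checking_polynomial(triples, omegas, extra, proof)))
    print(dealer_quotient_polynomial(triples, omegas))   # (H, remainder [0])
```

For n triples, `dealer_quotient_polynomial` returns a quotient with at most n−1 coefficients (degree at most n−2), matching the degree-zero quotient of the two-equation case; a tampered c_i leaves a non-zero remainder in the quotient form and a non-zero P(x) in the proof-sub-expression form.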
Returning to
For example, in some embodiments checking polynomial 235 comprises an evaluating polynomial E(x), a target polynomial T(x), and a quotient polynomial H(x) and set 234 of proof values comprises coefficients and/or evaluations of the quotient polynomial. In order to obtain coefficients of the target polynomial, proof value computing unit 242 may perform polynomial division, e.g., schoolbook polynomial division. Unit 242 may optionally use the obtained coefficients of the target polynomial to obtain evaluations of the quotient polynomial, e.g., by polynomial evaluation.
Returning to
In some embodiments, checking polynomial 235 comprises one or more proof sub-expressions and one or more non-proof sub-expressions, set 234 of proof values comprising evaluations of the one or more proof sub-expressions of the checking polynomial in the additional set of points. In such embodiments, proof value computing unit 242 may evaluate one or more non-proof sub-expressions of the checking polynomial in the additional set of points and compute the evaluations of the one or more proof sub-expressions of the checking polynomial in the additional set of points therefrom. For example, continuing with the example from
Returning to
Interestingly, one or more sub-expressions of checking polynomial 235 may optionally be randomized by respective elements, e.g. randomizing elements, from set 234 of proof values. Such a randomizing element may ensure that an evaluation of the sub-expression of checking polynomial 235 in a point does not leak information about the set 232 of random values and the point, e.g., the evaluation is random given the set 232 of random values and the point. In an embodiment, the multiple evaluator devices compute evaluations of randomized sub-expressions of checking polynomial 235 in the clear, which may simplify the verification by the multiple evaluator devices that set 236 of multiple polynomial checking equations is satisfied on set 232 of multiple random values. In an embodiment, proof value computing unit 242 randomly generates such randomizing elements and computes other elements from set 234 of proof values based on these randomizing elements. Randomization is not necessary and also non-randomized checking polynomials provide verification advantages.
Checking polynomial 235 may be defined from set 232 of multiple random values and set 234 of proof values in such a way that a randomizing element δ from set 234 of proof values does not affect evaluations of checking polynomial 235 in the predetermined set of checking points. For example, checking polynomial 235 may include terms comprising a randomizing element δ and a product of the predetermined set of checking points, e.g., δ·(x−ω1)· . . . ·(x−ωn). Multiple such randomizing terms may be added to checking polynomial 235, e.g., to randomize multiple sub-expressions of the checking polynomial. For example, in checking polynomial P(x)=A(x)B(x)−C(x), 235, respective randomizing terms may be included in sub-expressions A(x) and/or B(x), e.g., A(x) may include a term δa·(x−ω1)· . . . ·(x−ωn) and B(x) may include a term δb·(x−ω1)· . . . ·(x−ωn). Although a randomizing term could also be included in sub-expression C(x), this may be unnecessary since, in any given point s, evaluation C(s) may be expected to be equal to A(s)·B(s) anyway, hence evaluation C(s) may not leak information in addition to values A(s) and B(s). For example, adding randomizing terms δa,δb may allow the multiple evaluator devices to compute evaluations A(s) and/or B(s) and/or C(s) in a point s that are random given set 232 of multiple random values and the point s, e.g., the evaluations do not leak any information about the random values 232 in preprocessing information 231. The inclusion of randomizing terms, e.g., δa·(x−ω1)· . . . ·(x−ωn) or δb·(x−ω1)· . . . ·(x−ωn), may increase the degree of checking polynomial 235; if such randomizing terms are included, then typically also more proof values are used, e.g., more evaluations of the one or more proof sub-expressions.
As another example, in embodiments where checking polynomial 235, e.g., P(x)=E(x)−T(x)H(x) comprises an evaluating polynomial E(x), a target polynomial T(x) and a quotient polynomial H(x), as described above, randomizing elements may be added to subexpressions of the evaluating polynomial. For example, in evaluating polynomial E(x)=A(x)B(x)−C(x), respective randomizing terms δa,δb,δc from set 234 of proof values may be added to A(x) and/or B(x) and/or C(x), e.g., A(x) includes a term δa·(x−ω1)· . . . ·(x−ωn), B(x) includes a term δb·(x−ω1)· . . . ·(x−ωn), and C(x) includes a term δc·(x−ω1)· . . . ·(x−ωn). Randomizing terms δa, δb, δc may be generated randomly, independently from each other. Similar to above, this may ensure that the multiple evaluator devices can determine plaintext evaluations, e.g., A(s),B(s),C(s), of subexpressions of the evaluating polynomial in a point s without those values leaking information about set 232 of random values. Since the value H(s) of the quotient polynomial in the point s may follow from the value of the evaluating polynomial in the point s, e.g., it may be expected that H(s)=(A(s)B(s)−C(s))/T(s), it may protect leakage about set 232 of random values from the quotient polynomial as well. The inclusion of randomizing terms typically increases the maximal degree of evaluating polynomial E(x) and quotient polynomial H(x), so additional coefficients and/or evaluations of the quotient polynomial may be added to set 235 of proof values in such a way that the multiple evaluator devices obtain sufficient information to evaluate the quotient polynomial.
In addition to or instead of including terms δ·(x−ω1)· . . . ·(x−ωn) to checking polynomial 235 as above, one or more sub-expressions of checking polynomial 235 may also comprise Lagrange interpolating polynomials in the predetermined set of checking points and one or more randomizing points, wherein the value in a randomizing point is a randomizing value from set 234 of proof values. For example, in checking polynomial P(x)=A(x)B(x)−C(x), 235, without randomizing elements, A(x) may comprise the Lagrange interpolating polynomial of points (ω1,a1), . . . , (ωn,an) defined from random values a1, . . . , an. With randomizing elements, A(x) may comprise the Lagrange interpolating polynomial of points (ω1,a1), . . . , (ωn,an) defined from values a1, . . . , an from set 232 and point (ωn+1,δa) defined from randomizing value δa from set 234 of proof values, and similarly for B(x). Similar to above, adding randomizing terms to one or more sub-expressions of evaluating polynomial 235, e.g., A(x) and B(x), may ensure that evaluations of these and other sub-expressions, e.g., A(s),B(s), C(s), may be computed in the plain by the multiple evaluator devices without leaking information about set 232 of random values; adding a randomizing element to one or more of the other sub-expressions, e.g., C(x), may not be necessary, e.g., since the value of C(s) follows from the values of A(s) and B(s) anyway and hence does not leak information about set 232 of random values.
Similarly, in embodiments where checking polynomial 235, e.g., P(x)=E(x)−T(x)H(x), comprises an evaluating polynomial E(x), a target polynomial T(x) and a quotient polynomial H(x), as described above, sub-expressions of the evaluating polynomial may be randomized by defining them as Lagrange interpolating polynomials in the predetermined set of checking points and one or more randomizing points. For example, in evaluating polynomial E(x)=A(x)B(x)−C(x), sub-expression A(x) may comprise the Lagrange interpolating polynomial of points (ω1,a1), . . . , (ωn,an) defined from set 232 of multiple random values and a point (ωn+1,δa) defined from randomizing value δa, and similarly, sub-expressions B(x) and C(x) may comprise Lagrange interpolating polynomials involving respective randomizing values δb,δc. This may ensure that A(x), B(x), C(x) and H(x) may all be evaluated in a point s without leaking information about set 232 of random values, wherein additional coefficients and/or evaluations of H(x) may be included in set 234 of proof values to account for the increased maximal degree of the evaluating polynomial.
Although in the examples above, set 234 of proof values contains one randomizing value per sub-expression, it can be beneficial to have multiple randomizing values in one sub-expression. For example, the multiple evaluator devices may evaluate checking polynomial 235 in multiple points in order to increase the probability that checking polynomial 235 is identical to zero and, to make sure this does not leak information about set 232 of random values, multiple randomizing values may be included in set 234 of proof values for randomizing a single sub-expression of checking polynomial 235. Combinations of the two techniques presented above may be used, e.g., a sub-expression A(x) may be randomized by three randomizing elements, one by defining A(x) as a Lagrange interpolating polynomial with one of the points defined by a randomizing element δ1, and two by including a term comprising randomizing elements δ2,δ3 and a product of the predetermined set of checking points, e.g., (δ2·x+δ3)·(x−ω1)· . . . ·(x−ωn).
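The leakage argument behind the randomizing terms, as an added example not taken from the patent: for the checking points {0,1} the linear part A(x) through (0,a0),(1,a1) is simply (1−x)·a0+x·a1, and the randomizing term is (δ1+δ2·x+…)·x·(x−1). A deliberately tiny field (P=101, this example's choice) lets the code enumerate every choice of the randomizing elements and count how many distinct opened values the evaluators could see; the field size, the sample values and the function names are assumptions of this example.

```python
import itertools

P = 101  # small constructed prime so every choice of randomizing element can be enumerated

def linear_part(a0, a1, s):
    """A(s) without randomization: Lagrange interpolant of (0, a0), (1, a1)."""
    return ((1 - s) * a0 + s * a1) % P

def target(s):
    """T(s) for checking points {0, 1}, i.e. x*(x-1) evaluated at s."""
    return s * (s - 1) % P

def randomized_eval(a0, a1, deltas, s):
    """A(s) with (deltas[0] + deltas[1]*x + ...) * T(x) added: one delta is the
    delta*T(x) term of the text, two deltas the (delta2*x + delta3)*T(x) term."""
    factor = sum(d * pow(s, k, P) for k, d in enumerate(deltas)) % P
    return (linear_part(a0, a1, s) + factor * target(s)) % P

def evaluation_image(a0, a1, points, num_deltas):
    """All tuples (A(s_1), ..., A(s_m)) reachable over the choices of the
    randomizing elements; size 1 means the openings are a fixed function of
    (a0, a1), size P**m means they are uniform and reveal nothing."""
    image = set()
    for deltas in itertools.product(range(P), repeat=num_deltas):
        image.add(tuple(randomized_eval(a0, a1, deltas, s) for s in points))
    return image

def recover_linear_part(s1, y1, s2, y2):
    """What two unrandomized openings A(s1), A(s2) give away: the pair (a0, a1),
    since A(s) = a0 + s*(a1 - a0) is linear in s."""
    d = (y1 - y2) * pow((s1 - s2) % P, -1, P) % P   # a1 - a0
    a0 = (y1 - s1 * d) % P
    return a0, (a0 + d) % P
```

With one δ, a single opening A(s) for s outside {0,1} ranges over the whole field (T(s)≠0, so δ·T(s) is a one-time pad on the evaluation), while at the checking points themselves δ has no effect and A(0)=a0, A(1)=a1 still hold. Two openings A(s1), A(s2) under one δ only reach P of the P² possible pairs, so they leak a linear relation; the two-element term (δ2·x+δ3)·T(x) restores the full P² image, which is the reason the text gives for adding one randomizing value per evaluation point.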
Dealer device 110 comprises a secret-share computing unit 243 which computes random value secret-shares of one or more values in set 232 of multiple random values, for blinding in the multi-party computation, and proof secret-shares of one or more proof values in set 234 of proof values, for verifying at the multiple evaluator devices that set 236 of multiple polynomial checking equations is satisfied on set 232 of multiple random values. Various types of secret-sharing are known in the literature, e.g. Shamir secret sharing, wherein a secret-share of a value v comprises an evaluation v+r1·i+ . . . +rn·iⁿ in a non-zero point i of a random polynomial that evaluates to the value v in the point zero, or additive secret sharing, wherein the shares of a value sum up to the value. Additive secret sharing is preferred since this makes the preprocessing information more suitable to be used in various multi-party computation protocols from the SPDZ family of protocols.
Secret-share computing unit 243 may compute at least one random value secret-share from a random value, e.g., random value 232.1, 232.2 or 232.3, and/or compute at least one proof secret-share from a proof value, e.g., proof value 234.1 or 234.2. For instance, using random value v as input, unit 243 may randomly generate n−1 additive shares r1, . . . , rn−1 of v and compute an nth additive secret-share of v as v−r1− . . . −rn−1. Other known secret-sharing methods may also be used. One or more secret-shares may be determined pseudo-randomly, e.g., using a pseudorandom number generator. In particular, the pseudorandom number generator may be shared with an evaluator device from the set of multiple evaluator devices, e.g., a seed of the pseudorandom number generator may be shared. This may make it unnecessary for dealer device 110 to send such a secret-share to the evaluator device since the evaluator device can compute the secret-share locally.
At the same time, at least one of the random values, e.g., random value 232.1, 232.2 or 232.3, and/or at least one of the proof values, e.g., proof value 234.1 or 234.2, may be computed from its secret-shares instead of the secret-shares being computed from the random value or proof value. For instance, secret-share computing unit 243 may randomly generate n random value secret-shares, e.g., s1, . . . , sn, of a random value s, and random value generating unit 241 may generate random value s as the sum s=s1+ . . . +sn of the random value secret-shares. Or, secret-share computing unit 243 may randomly generate n proof secret-shares, e.g., t1, . . . , tn, of a proof value t, e.g., a randomizing value, and proof value computing unit 242 may compute proof value t as the sum t=t1+ . . . +tn of the proof secret-shares. Also in this case, one or more or all of the randomly generated secret-shares, e.g., random value secret-shares or proof secret-shares, may be generated pseudo-randomly, e.g., using a pseudo-random number generator shared with one of the multiple evaluator devices, making it unnecessary for dealer device 110 to send such a secret-share.
In particular, one or more of the random values, e.g., random value 232.1 or 232.2, or proof values, e.g., proof value 234.1, may be computed from their secret-shares whereas other secret-shares may be computed from their random values, e.g., random value 232.3, or proof values, e.g., proof value 234.2. For example, to generate a multiplication triple (a, b, c=a·b), secret-share computing unit 243 may randomly generate random value secret-shares for random values a and b; random value computing unit 241 may compute a and b from the random value secret-shares and c from random values a and b; and secret-share computing unit 243 may compute random value secret-shares for random value c from the random value.
In addition to set 232 of random values, preprocessing information 231 comprises a set 233 of multiple message authentication codes for integrity checking in the multi-party computation. Various protocols for multi-party computation between the multiple evaluator devices rely on performing the multi-party computation both on values and on message authentication codes of the values, e.g., using the message authentication codes to check at the end of the computation whether the computation on the values was performed correctly. For example, the multi-party computation may comprise performing a given computation both on a set of values and their corresponding message authentication codes and checking if the resulting message authentication codes are correct message authentication codes for the resulting values. Set 233 of multiple message authentication codes comprises message authentication codes, e.g., message authentication code 233.1, 233.2 or 233.3, for the random values in the set 232 of multiple random values. Typically, a message authentication code, e.g., message authentication code 233.1, 233.2 or 233.3, for a random value v in the set 232 of multiple random values comprises the product of the random value with a secret MAC key α, e.g., the message authentication code may be α·v. While not strictly necessary, it is preferable for all message authentication codes to use the same secret MAC key α.
Secret-share computing unit 243 additionally computes MAC secret-shares of one or more message authentication codes in set 233 of multiple message authentication codes. Advantageously, the MAC secret-shares allow the preprocessing information 231 to be used for actively secure MPC protocols, e.g., from the SPDZ family. In some embodiments, secret-share computing unit 243 generates a random secret MAC key; computes message authentication codes, e.g., message authentication code 233.1, 233.2 or 233.3, from set 232 of random values and the random secret MAC key; and computes MAC secret-shares from the message authentication codes, e.g., using the techniques to compute Shamir secret-shares or additive secret-shares described above. Instead, random values may also be computed from their MACs, e.g., secret-share computing unit 243 may randomly generate message authentication code m corresponding to random value v and random value generating unit 241 may compute random value v from the message authentication code, e.g., v=α⁻¹·m.
In other embodiments, secret-share computing unit 243 uses a secret-shared representation of secret MAC key α. For example, secret-share computing unit 243 has secret-share [α]31,3 of an additive 2-out-of-2 sharing α=[α]11,3+[α]31,3 of secret MAC key α between dealer device 110 and a first evaluator device, and secret-share [α]32,3 of an additive 2-out-of-2 sharing α=[α]22,3+[α]32,3 of secret MAC key α between dealer device 110 and a second evaluator device. Such sharings may be obtained, e.g., from an external trusted party, or the parties can jointly generate such sharings. For example, with the multiple evaluator devices comprising two evaluator devices, unit 243 may jointly generate such sharings by jointly generating random α1, α2 with the first evaluator device and jointly generating random α5, α6 with the second evaluator device. The first evaluator device and the second evaluator device may jointly randomly generate two values α3, α4. The additive sharing with the first evaluator device may comprise secret-share [α]11,3=α1+α3+α4 of the first evaluator device and secret-share [α]31,3=α2+α5+α6 of the dealer device, and the additive sharing with the second evaluator device may comprise secret-share [α]22,3=α3+α4+α5 of the second evaluator device and secret-share [α]32,3=α1+α2+α6 of the dealer device, wherein.
Secret-share computing unit 243 may compute MAC secret-shares using a secret-shared representation of secret MAC key α, e.g., unit 243 may compute a MAC secret-share from a random value and a secret-share of the secret MAC key. With the additive 2-out-of-2 sharings above, for example, unit 243 may first compute random value secret-shares [r]1, [r]2 of a random value r for the first evaluator device and the second evaluator device, e.g., random value 232.1, 232.2 or 232.3, and then compute MAC secret-share [αv]3=[α]31,3·[r]1+[α]32,3·[r]2+δ1,3−δ2,3, wherein δ1,3 is a value shared with the first evaluator device, e.g., a random value, and δ2,3 is a value shared with the second evaluator device, e.g., a random value. Together with secret-shares [αv]1=[α]11,3·[r]1+δ1,2−δ1,3, [αv]2=[α]22,3·[r]2+δ2,3−δ1,2 that may be computed by the first and second evaluator devices, computed MAC secret-share [αv]3 may form an additive sharing of a message authentication code on random value r.
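The dealer-side share computations of this section, as an added example not taken from the patent: additive sharing in both directions (shares from a value, and a value defined by random shares, as in the multiplication-triple case), the 2-out-of-2 sharings of the MAC key built from α1..α6, and the three MAC shares [αv]1, [αv]2, [αv]3 whose sum is α·r. The modulus, the seeds and the function and variable names (a_1_13 for [α]11,3, d12 for δ1,2, and so on) are this example's own; the pairwise values δ are drawn from a seeded generator standing in for the pairwise shared pseudorandom generators of the text.

```python
import random

P = 2**31 - 1  # prime modulus; constructed for this example

def shares_from_value(v, n, rng):
    """Additive n-out-of-n sharing computed from the value: n-1 random shares,
    the n-th share v - r_1 - ... - r_{n-1} fixes the sum."""
    shares = [rng.randrange(P) for _ in range(n - 1)]
    shares.append((v - sum(shares)) % P)
    return shares

def value_from_shares(shares):
    """The other direction: random shares first, the value is their sum."""
    return sum(shares) % P

def multiplication_triple(n, seed):
    """a and b are defined by randomly generated shares; c = a*b is computed
    from a and b and only then shared. Returns (a_shares, b_shares, c_shares)."""
    rng = random.Random(seed)
    a_shares = [rng.randrange(P) for _ in range(n)]
    b_shares = [rng.randrange(P) for _ in range(n)]
    c = value_from_shares(a_shares) * value_from_shares(b_shares) % P
    return a_shares, b_shares, shares_from_value(c, n, rng)

def mac_key_sharings(seed):
    """Two additive 2-out-of-2 sharings of alpha = alpha1 + ... + alpha6:
    alpha1, alpha2 shared by dealer and evaluator 1, alpha5, alpha6 by dealer
    and evaluator 2, alpha3, alpha4 by the two evaluators. Returns
    (alpha, [alpha]_1^{1,3}, [alpha]_3^{1,3}, [alpha]_2^{2,3}, [alpha]_3^{2,3})."""
    rng = random.Random(seed)
    a1, a2, a3, a4, a5, a6 = (rng.randrange(P) for _ in range(6))
    alpha = (a1 + a2 + a3 + a4 + a5 + a6) % P
    return (alpha, (a1 + a3 + a4) % P, (a2 + a5 + a6) % P,
            (a3 + a4 + a5) % P, (a1 + a2 + a6) % P)

def dealer_mac_share(a_3_13, a_3_23, r1, r2, d13, d23):
    """[alpha v]_3 = [alpha]_3^{1,3}[r]_1 + [alpha]_3^{2,3}[r]_2 + d_{1,3} - d_{2,3}."""
    return (a_3_13 * r1 + a_3_23 * r2 + d13 - d23) % P

def evaluator1_mac_share(a_1_13, r1, d12, d13):
    """[alpha v]_1 = [alpha]_1^{1,3}[r]_1 + d_{1,2} - d_{1,3}."""
    return (a_1_13 * r1 + d12 - d13) % P

def evaluator2_mac_share(a_2_23, r2, d12, d23):
    """[alpha v]_2 = [alpha]_2^{2,3}[r]_2 + d_{2,3} - d_{1,2}."""
    return (a_2_23 * r2 + d23 - d12) % P

def provision_mac(seed):
    """One random value r = [r]_1 + [r]_2 with an additive sharing of alpha*r
    between the two evaluators; evaluator 1 folds the dealer's share into its
    own. Returns (alpha, r, share of evaluator 1, share of evaluator 2)."""
    alpha, a_1_13, a_3_13, a_2_23, a_3_23 = mac_key_sharings(seed)
    rng = random.Random(seed + 1)
    r1, r2 = rng.randrange(P), rng.randrange(P)
    d12, d13, d23 = (rng.randrange(P) for _ in range(3))  # pairwise shared randomness
    m3 = dealer_mac_share(a_3_13, a_3_23, r1, r2, d13, d23)
    m1 = evaluator1_mac_share(a_1_13, r1, d12, d13)
    m2 = evaluator2_mac_share(a_2_23, r2, d12, d23)
    return alpha, (r1 + r2) % P, (m1 + m3) % P, m2
```

The δ terms cancel in the sum, so [αv]1+[αv]2+[αv]3 = ([α]11,3+[α]31,3)·[r]1+([α]22,3+[α]32,3)·[r]2 = α·r, while each single share stays uniformly random to its holder; nothing in this construction lets the dealer learn α, and only [αv]3 has to be transmitted.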
Dealer device 110 comprises a share sending unit 244 which sends to each evaluator device a respective subset of the random value secret-shares, proof secret-shares, and MAC secret-shares 237, e.g., subset 237.1 or 237.2. In some embodiments, share sending unit 244 sends a random value secret-share for each random value in set 232 of random values, a proof secret-share for each proof value in set 234 of proof values, and a MAC secret-share of each message authentication code in set 233 of message authentication codes to each computation device.
In other embodiments, only a few or none of the secret-shares of a given random value, proof value, or message authentication code may be sent to respective evaluator devices. For example, secret-share computing unit 243 may compute the secret-shares of a random value from set 232 of random values using respective pseudo-random number generators shared with respective evaluator devices, in which case share sending unit 244 may send no secret-share of that value. Secret-share computing unit 243 may also compute one or more of the random value, proof, or MAC secret-shares using pseudo-random number generators shared with respective evaluator devices, computing other secret-shares from the generated shares and the respective random value, proof value, or message authentication code. In this case, share sending unit 244 may only send the computed secret-shares.
As another example, secret-share computing unit 243 may compute a MAC secret-share [αv]3 of a message authentication code from set 233 of message authentication codes from a MAC key secret-share and a random value. In this case, unit 244 may send this secret-share [αv]3 to one of the evaluator devices. This evaluator device can then add this received secret-share to a secret-share it has computed locally, resulting in an additive sharing of the MAC between the multiple evaluator devices. It may be advantageous from a load-balancing perspective for share sending unit 244 to send shares of different random values, proof values, or message authentication codes to different evaluator devices of the multiple evaluator devices, e.g., share sending unit 244 may send a secret-share of a first random value to a first evaluator device, with the shares of other evaluator devices of the multiple evaluator devices obtained from a pseudorandom number generator, and send a secret-share of a second random value to a second evaluator device, with the shares of other evaluator devices of the multiple evaluator devices obtained from a pseudorandom number generator.
Dealer device 110 is optionally configured with an output receiving unit 245. Output receiving unit 245 receives from at least one of the multiple evaluator devices one or more of an output, secret-shares of the output, the output blinded by a blinding value, secret-shares of the output blinded by the blinding value, the blinding value, and secret-shares of the blinding value, and determines the output therefrom, the output or the secret-shares of the output being computed with the multi-party computation. For example, output receiving unit 245 may receive the output itself from one or more evaluator devices. In this case, unit 245 may compare all received outputs and check if there is one common output. If so, it may select this common output as the output of the multi-party computation. Output receiving unit 245 may also receive secret-shares of the output, e.g., a secret-share from multiple evaluator devices, reconstruct the output, and return it. The output may also be blinded by a blinding value. For instance, output receiving unit 245 may receive the output blinded by the blinding value or receive secret-shares of the output blinded by the blinding value and reconstruct the output blinded by the blinding value from its secret-shares. Output receiving unit 245 may also receive the blinding value or receive secret-shares of the blinding value and reconstruct the blinding value from its secret-shares, or it may obtain the blinding value in a different way, e.g. by generating it and supplying it to the evaluator devices, e.g., as secret-shares. Output receiving unit 245 may then compute the output from the output blinded by the blinding value and from the blinding value.
Evaluator device 111 is configured for batch-wise distributed verification with one or more other evaluator devices of preprocessing information, e.g., preprocessing information 231, for a multi-party computation provisioned from a dealer device, e.g., dealer device 110 of
As described in detail with reference to
Evaluator device 111 is configured with a secret-share obtaining unit 341 which obtains one or more random value secret-shares 332 of random values in the set of multiple random values generated by the dealer device, e.g., random value secret-share 332.1 or 332.2; one or more proof secret-shares 334 of proof values in the set of proof values computed by the dealer device, e.g., proof secret-share 334.1 or 334.2; and one or more MAC secret-shares of message authentication codes in the set of multiple message authentication codes, e.g. MAC secret-share 333.1 or 333.2. One or more of the random value secret-shares and/or proof secret-shares and/or MAC secret-shares may be obtained by receiving them from the dealer device, e.g., in some embodiments, all such secret-shares are received from the dealer device. Other random value secret-shares and/or proof secret-shares and/or MAC secret-shares may be obtained by computing them, e.g., using a pseudorandom number generator shared with the dealer device, e.g., wherein the seed of the pseudorandom number generator is shared with the dealer device.
One or more secret-shares, e.g., MAC secret-shares, may be obtained from combining locally computed data and received data. For instance, in some embodiments, secret-share obtaining unit 341 receives a MAC secret-share [αv]3 of a message authentication code for a random value v from the dealer device and combines it with a locally computed secret share, e.g., [αv]1 or [αv]2, e.g., by adding the two secret-shares [αv]1+[αv]3 or [αv]2+[αv]3. In some embodiments, a message authentication code for a random value v comprises the product αv of the random value with a MAC key α. In such embodiments, secret-share obtaining unit 341 may have a secret-shared representation of secret MAC key α, e.g., a secret-share [α]3i,3 of an additive 2-out-of-2 sharing α=[α]ii,3+[α]3i,3 between evaluator device 111 and the dealer device. Such sharings may be obtained, e.g., from an external trusted party, or the parties can jointly generate such sharings. For example, the multiple evaluator devices may comprise a second evaluator device apart from evaluator device 111, and secret-share obtaining unit 341 may jointly generate such sharings by jointly generating random α1, α2 or α5, α6 with the dealer device and α3, α4 with the second evaluator device. The additive sharing with the dealer device may comprise secret-share [α]11,3=α1+α3+α4 of evaluator device 111 and secret-share [α]31,3=α2+α5+α6 of the dealer device, or secret-share [α]22,3=α3+α4+α5 of evaluator device 111 and secret-share [α]32,3=α1+α2+α6 of the dealer device. Secret-share obtaining unit 341 may compute a locally computed secret share, e.g., [αv]1 or [αv]2, using the secret-shared representation of secret MAC key α, e.g., unit 341 may compute the locally computed secret share from a secret-share [v]1 or [v]2 of the random value v, e.g., secret-share 332.1 or 332.2, and a secret-share of the secret MAC key.
With the additive 2-out-of-2 sharing above, for example, unit 341 may compute the locally computed share as [αv]1=[α]11,3·[r]1+δ1,2−δ1,3 or [αv]2=[α]22,3·[r]2+δ2,3−δ1,2 and add this to MAC secret-share [αv]3, e.g., [αv]3=[α]31,3·[r]1+[α]32,3·[r]2+δ1,3−δ2,3, received from the dealer device to obtain a MAC secret-share, e.g., MAC secret-share 331.1 or 331.2.
Many combinations of obtaining random value secret-shares and/or proof secret-shares and/or MAC secret-shares by computing such a secret-share, receiving it, or determining it from computed and received values are possible, e.g., some of the random value secret-shares may be received whereas other random value secret-shares may be computed with a pseudo-random number generator. In fact, combining the various ways of obtaining the secret-shares may be beneficial from a load-balancing perspective.
Evaluator device 111 further comprises a random point determining unit 342 which determines a random evaluation point 331 with the one or more other evaluator devices. Advantageously, random evaluation point 331 is determined in such a way that the dealer device does not know its value. This may allow the evaluator device to check with the one or more other evaluator devices that the checking polynomial is identical to zero by checking that an evaluation of the checking polynomial in random evaluation point 331 is equal to zero. Indeed, it is known that an evaluation of a non-zero polynomial in a random evaluation point is unlikely to be zero. E.g., by the Schwartz-Zippel lemma, the likelihood that a non-zero polynomial of degree n over a field F evaluates to zero in a randomly chosen point is n/|F|, where |F| is the size of the field, so conversely, if a polynomial is zero in a random evaluation point selected independently from the polynomial, then it is unlikely to be a non-zero polynomial. Various ways are possible to determine random evaluation point 331 in such a way that the dealer device does not know its value, e.g., evaluator device 111 may randomly generate the random evaluation point 331 and send it to the one or more other evaluator devices, one of the one or more other evaluator devices may randomly generate the random evaluation point 331 and evaluator device 111 may receive it, both may generate it based on a shared pseudo-random number generator, etcetera. Random evaluation point 331 may also be re-used from an earlier batch-wise distributed verification.
Evaluator device 111 further comprises a sub-expression evaluating unit 343 which computes secret-shares 335 of one or more checking sub-expressions of the checking polynomial evaluated in random evaluation point 331. Advantageously, the checking polynomial is defined in such a way that secret-shares 335 of the one or more checking sub-expressions can be efficiently computed from the one or more random value secret-shares, e.g., random value secret-share 332.1 or 332.2, and the one or more proof secret-shares, e.g., proof secret-share 334.1 or 334.2. This may enable efficient evaluation of the overall checking polynomial based on the secret-shares of the evaluations of the sub-expressions. For example, the checking sub-expressions may be defined in such a way that each checking sub-expression is linear in the set of multiple random values and the set of proof values, and an evaluation of the checking polynomial can be computed in the plain from evaluations of the checking sub-expressions. For example, the random value secret-shares 332 and proof secret-shares 334 are secret-shared using a linear secret-sharing scheme such as Shamir secret-sharing or additive secret sharing, and secret-shares 335 of the one or more checking sub-expressions can be computed, given the random evaluation point 331, as a linear function of the random value secret-shares 332 and proof secret-shares 334 without requiring any communication with the one or more other evaluator devices.
As discussed in more detail for dealer device 110 in
In such embodiments with a quotient polynomial H(x), the set of proof values may comprise coefficients hᵢ and/or evaluations Hᵢ of the quotient polynomial. The one or more checking sub-expressions of checking polynomial P(x) may comprise the quotient polynomial H(x). For example, the set of proof values may comprise coefficients hᵢ of the quotient polynomial H(x). Sub-expression evaluating unit 343 may compute secret-shares 335 of the one or more checking sub-expressions by polynomial evaluation of the quotient polynomial in random evaluation point s, 331, e.g., by computing [H(s)] = [h₀] + [h₁]·s + [h₂]·s² + . . . , wherein [H(s)], e.g., 335.1 or 335.2, is a secret-share of checking sub-expression H(x) evaluated in random evaluation point s, 331, and [hᵢ] are proof secret-shares representing the coefficients of the quotient polynomial. Or, for example, the set of proof values may comprise evaluations Hᵢ of the quotient polynomial H(x), e.g., evaluations H₁, H₂, . . . in respective points ω₁, ω₂, . . . . In this case, sub-expression evaluating unit 343 may compute secret-shares 335 of the one or more checking sub-expressions by interpolating the quotient polynomial in random evaluation point s, 331, e.g., by computing [H(s)] = λ₁·[H₁] + λ₂·[H₂] + . . . , wherein [H(s)], e.g., 335.1 or 335.2, is a secret-share of checking sub-expression H(x) evaluated in random evaluation point s; λ₁, λ₂, . . . are Lagrange interpolation coefficients for interpolating in point s given evaluations in points ω₁, ω₂, . . . ; and [Hᵢ] are proof secret-shares representing the evaluations of the quotient polynomial. In the particular example given in
As also discussed in more detail for dealer device 110 in
Evaluator device 111 comprises a polynomial checking unit 344 which checks that an evaluation of the checking polynomial in random evaluation point 331 is equal to zero by a distributed computation with the other evaluator devices using the secret-shares 335 of the one or more checking sub-expressions evaluated in random evaluation point 331. If the check succeeds, this may convince evaluator device 111 that the set of multiple polynomial checking equations is satisfied on the set of multiple random values of which it has obtained secret-shares 337.
Checking that an evaluation of the checking polynomial in random evaluation point 331 is zero may correspond to checking that the one or more checking sub-expressions evaluated in random evaluation point 331 that are secret-shared between the evaluator device and the respective one or more other evaluator devices satisfy a certain relation. For example, the checking polynomial may be P(x) = A(x)·B(x) − C(x) and the checking sub-expressions may comprise A(x), B(x), and C(x). To check that evaluation P(s) of the checking polynomial in random evaluation point s is zero, polynomial checking unit 344 may check that the secret-shared evaluations A(s), B(s), and C(s) of the one or more checking sub-expressions in the random evaluation point satisfy the relation A(s)·B(s) = C(s). Various techniques from the literature are known to perform this check or similar checks, e.g., the check A₁(s)·B₁(s) + . . . + Aₙ(s)·Bₙ(s) = C(s) wherein A₁(s), B₁(s), . . . , Aₙ(s), Bₙ(s), C(s) are secret-shared, for example, as detailed in Z. Beerliova-Trubiniova and M. Hirt, “Efficient multi-party computation with dispute control”, in Theory of Cryptography Conference, volume 3876 of LNCS, pages 305-328, Springer, 2006 (included by reference herein), or in R. Cramer, I. Damgård, and U. Maurer, “General secure multi-party computation from any linear secret-sharing scheme”, in Advances in Cryptology-EUROCRYPT '00, volume 1807 of LNCS, pages 316-334, Springer, 2000 (included by reference herein).
Advantageously, in some embodiments, at least one of the one or more checking sub-expressions of the checking polynomial is randomized by a respective randomizing value from the set of proof values. Several ways of randomizing sub-expressions of the checking polynomial have been discussed with reference to
Evaluator device 111 is optionally configured with an output sending unit 345 that enables it to provide to the dealer device an output y of the multi-party computation for which the preprocessing information is provisioned. For example, evaluator device 111 performs a multi-party computation with the one or more other evaluator devices using the provisioned preprocessing information. As a result of this multi-party computation, evaluator device 111 may obtain one or more of the output y, a secret-share [y] of the output, the output y+b blinded by a blinding value, a secret-share [y+b] of the output blinded by the blinding value, the blinding value b, and a secret-share [b] of the blinding value, and send the obtained value or values to the dealer device. For example, evaluator devices 111, 111′ obtain b as a private input to the computation, e.g., using the technique presented in “A Framework for Outsourcing of Secure Computation”, Thomas P. Jakobsen, Jesper Buus Nielsen, Claudio Orlandi, Proceedings of the 6th edition of the ACM Workshop on Cloud Computing Security (included by reference herein). Evaluator device 111 may then be configured to compute and obtain y+b using the multi-party computation, and output sending unit 345 may send y+b to the dealer device, which may then subtract b to obtain the output. Or, evaluator device 111 computes and obtains y using the multi-party computation without requiring a blinding value from the dealer device, but wherein the dealer device optionally provides other inputs to the multi-party computation, and output sending unit 345 sends y to the dealer device, which may accept this as the computation output.
Particular embodiments of dealer device 110 and/or evaluator device 111 operating in a multiparty computation system 100 with an additional evaluator device 111′ are now described with reference to
Actively secure 2PC protocols from the SPDZ family in the preprocessing model are converted into an actively secure 3PC protocol without preprocessing, secure against one corruption. For this, dealer device 110 carries out the preprocessing and provides the results to the other two parties, evaluator devices 111 and 111′, who then carry out the 2PC protocol, e.g., SPDZ, among themselves. However, for this to work, a method is needed by which evaluator devices 111, 111′ can verify that the received preprocessing information 231 is correct.
Evaluator devices 111, 111′ need to be convinced of the fact that multiple polynomial checking relations $\vec{a}\cdot\vec{b}=\vec{c}$, 236, hold, where $\vec{a},\vec{b},\vec{c}\in\mathbb{F}^n$ are additively secret shared among them, and n is a batch size. This multiplication check may be phrased in terms of the existence of a quotient polynomial. Specifically, let A(x) be the polynomial of degree ≤ n−1 such that A(ωᵢ) = aᵢ, B(x) the polynomial of degree ≤ n−1 such that B(ωᵢ) = bᵢ, and C(x) the polynomial of degree ≤ n−1 such that C(ωᵢ) = cᵢ. Letting E(x) = A(x)·B(x) − C(x), an evaluation E(ωᵢ) of the evaluating polynomial in a checking point from the predetermined set of checking points ω₁, . . . , ωₙ is equal to the difference aᵢbᵢ − cᵢ between the left-hand side and the right-hand side of a polynomial checking equation from the set of multiple polynomial checking equations $\vec{a}\cdot\vec{b}=\vec{c}$. Now, $\vec{a}\cdot\vec{b}=\vec{c}$ if and only if T(x) divides A(x)·B(x) − C(x), i.e., if and only if there exists a quotient polynomial H(x) such that A(x)·B(x) − C(x) − H(x)·T(x) = 0, where the roots of T(x) = (x−ω₁)· . . . ·(x−ωₙ) comprise the predetermined set of checking points. Hence, convincing the evaluator devices 111, 111′ that $\vec{a}\cdot\vec{b}=\vec{c}$ may be done by convincing them that such a quotient polynomial H(x) exists.
A second observation that is used is that, to check whether checking polynomial A(x)·B(x) − C(x) − H(x)·(x−ω₁)· . . . ·(x−ωₙ), 235, is zero, it suffices to evaluate it in a random evaluation point 331: if the result is zero, then with high probability, the polynomial is zero. (This fact, the Schwartz-Zippel lemma, is well-known in the cryptography literature.) Based on these observations, the following procedure is proposed for convincing the evaluator devices. Evaluator devices 111, 111′ agree on a random evaluation point s, 331, in which to perform the evaluation, but do not tell the dealer device 110. Apart from providing random value secret shares of $\vec{a},\vec{b},\vec{c}$, dealer device 110 also provides proof secret shares of the coefficients of polynomial H(x). Next, evaluator devices 111, 111′ compute the one or more checking sub-expressions A(s), B(s), C(s) and H(s) evaluated in random evaluation point s, 331; since s is public, this can be done by locally computing the secret shares 335 of the one or more checking sub-expressions of the checking polynomial evaluated in the random evaluation point and exchanging them. Given these values, evaluator devices 111, 111′ can now verify that an evaluation of the checking polynomial A(x)·B(x) − C(x) − H(x)·(x−ω₁)· . . . ·(x−ωₙ), 235, in the random evaluation point 331 is equal to zero in the plain.
In an embodiment, dealer device 110 and/or evaluator devices 111 perform the steps detailed below. Some of the steps provided below may be performed in a different order, e.g., evaluator devices 111, 111′ may determine random evaluation point 331 before dealer device 110 generates random MAC key α:
As an end result, evaluator devices 111, 111′ have multiplication triples 332 that they are sure are correct, and MACs 333 on these triples.
For smaller fields F, to obtain negligible error probability, the check may be repeated for several values of random evaluation point s, 331. To ensure that the evaluations of A(x), B(x), C(x) in multiple points do not reveal information about $\vec{a},\vec{b},\vec{c}$, additional randomness needs to be added, e.g., for k repetitions use $A(x) + (\delta_{a,1} + \dots + \delta_{a,k} x^{k-1})\,T(x)$ instead of A(x).
generating (410) the set of multiple random values, e.g., aᵢ, bᵢ, cᵢ, satisfying the multiple polynomial checking equations, e.g., aᵢbᵢ = cᵢ,
computing (420) the set of proof values wherein the checking polynomial defined by the set of multiple random values and the set of proof values together is identical to zero,
computing (430) random value secret-shares, e.g., [ai]j,[bi]j,[ci]j, of one or more values in the set of multiple random values, proof secret-shares, e.g., [cn+i]j or [hi]j, of one or more proof values in the set of proof values, and MAC secret-shares, e.g., [αai]j,[αbi]j,[αci]j of one or more message authentication codes in the set of multiple message authentication codes,
sending (440) to each evaluator device a respective subset of the random value secret-shares, proof secret-shares, and MAC secret-shares.
obtaining (1410) one or more random value secret-shares, e.g., [ai]j,[bi]j,[ci]j, of random values in the set of multiple random values generated by the dealer device, one or more proof secret-shares, e.g., [cn+i]j or [hi]j, of proof values in the set of proof values computed by the dealer device, and one or more MAC secret-shares, e.g., [αai]j, [αbi]j, [αci]j, of message authentication codes in the set of multiple message authentication codes,
determining (1420) a random evaluation point, e.g., s, with the one or more other evaluator devices,
computing (1430) from the one or more random value secret-shares, e.g., [ai]j,[bi]j,[ci]j, and the one or more proof secret-shares, e.g., [cn+i]j or [hi]j, secret-shares, e.g., [A(s)]j,[B(s)]j,[C(s)]j, or [A(s)]j,[B(s)]j,[C(s)]j,[H(s)]j, of one or more checking sub-expressions of the checking polynomial evaluated in the random evaluation point,
checking (1440) that an evaluation, e.g., A(s)B(s)−C(s) or A(s)B(s)−C(s)−(s−ω1) . . . (s−ωn)H(s), of the checking polynomial in the random evaluation point is equal to zero by a distributed computation with the other evaluator devices using the secret-shares of the one or more checking sub-expressions evaluated in the random evaluation point, thus verifying that the set of multiple polynomial checking equations, e.g., aibi=ci is satisfied on the set of multiple random values.
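The quotient-polynomial formulation above and the dealer-side steps 410-440 and evaluator-side steps 1410-1440, carried through end to end as an added Python example; this is illustration code written for this page, not code from the patent or from any SPDZ implementation. It assumes a constructed prime field with modulus 2⁶¹−1, constructed checking points ω₁..ωₙ = 1..n, additive 2-out-of-2 secret sharing between two evaluators, and it omits the MAC shares of step 430. The dealer interpolates A, B, C through the triples, divides A·B − C by T to obtain H, and hands out shares of a, b, c and of the coefficients of H; each evaluator then computes its shares of A(s), B(s), C(s) by Lagrange coefficients and of H(s) by Horner evaluation, exactly as in the two variants described for unit 343, and the opened values are checked in the plain. A dishonest dealer that corrupts one triple is shown to be caught.

```python
# Added example (not from the patent text): one dealer, two evaluators, a batch of
# multiplication triples a_i*b_i = c_i checked via A(x)B(x) - C(x) = H(x)T(x) at a
# random point s that the dealer never learns.  Field modulus and checking points
# are constructed values; MAC shares are omitted.
import random

P = 2**61 - 1  # constructed prime modulus of the field F

def poly_eval(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out

def poly_divmod(num, den):
    """Polynomial long division mod P; returns (quotient, remainder)."""
    num, dn = num[:], len(den)
    if len(num) < dn:
        return [0], num
    inv = pow(den[-1], P - 2, P)
    q = [0] * (len(num) - dn + 1)
    for i in range(len(num) - dn, -1, -1):
        q[i] = num[i + dn - 1] * inv % P
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - q[i] * d) % P
    return q, num[:dn - 1]

def interpolate(xs, ys):
    """Coefficients of the unique polynomial of degree <= n-1 with p(xs[i]) == ys[i]."""
    coeffs = [0] * len(xs)
    for i, xi in enumerate(xs):
        basis, denom = [1], 1
        for j, xj in enumerate(xs):
            if i != j:
                basis = poly_mul(basis, [(-xj) % P, 1])  # multiply by (x - xj)
                denom = denom * (xi - xj) % P
        scale = ys[i] * pow(denom, P - 2, P) % P
        for k, c in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * c) % P
    return coeffs

def lagrange_coeffs(xs, s):
    """lambda_i(s) with p(s) = sum_i lambda_i(s) * p(xs[i]) for every p of degree <= n-1."""
    lam = []
    for i, xi in enumerate(xs):
        num = den = 1
        for j, xj in enumerate(xs):
            if i != j:
                num, den = num * (s - xj) % P, den * (xi - xj) % P
        lam.append(num * pow(den, P - 2, P) % P)
    return lam

def share(v):
    """Additive 2-out-of-2 sharing: v == s1 + s2 mod P."""
    s1 = random.randrange(P)
    return s1, (v - s1) % P

def dealer(omegas, cheat=False):
    """Steps 410-440: triples, quotient polynomial H, and one view of shares per evaluator."""
    n = len(omegas)
    a = [random.randrange(P) for _ in range(n)]
    b = [random.randrange(P) for _ in range(n)]
    c = [x * y % P for x, y in zip(a, b)]
    if cheat:
        c[0] = (c[0] + 1) % P  # a dishonest dealer corrupts one triple
    A, B, C = interpolate(omegas, a), interpolate(omegas, b), interpolate(omegas, c)
    T = [1]
    for w in omegas:
        T = poly_mul(T, [(-w) % P, 1])  # T(x) = prod_i (x - omega_i)
    E = poly_mul(A, B)
    E = [(e - (C[i] if i < len(C) else 0)) % P for i, e in enumerate(E)]  # A*B - C
    H, _rem = poly_divmod(E, T)  # _rem is zero iff every triple is correct
    shares = {k: [share(v) for v in vec] for k, vec in (("a", a), ("b", b), ("c", c), ("h", H))}
    view1 = {k: [s[0] for s in v] for k, v in shares.items()}
    view2 = {k: [s[1] for s in v] for k, v in shares.items()}
    return view1, view2, T

def evaluator_local(view, omegas, s):
    """Step 1430: local shares of A(s), B(s), C(s), H(s); no communication needed
    because each sub-expression is linear in the shared values once s is fixed."""
    lam = lagrange_coeffs(omegas, s)
    def lin(vals):
        return sum(l * x for l, x in zip(lam, vals)) % P
    return lin(view["a"]), lin(view["b"]), lin(view["c"]), poly_eval(view["h"], s)

def verify_batch(omegas, cheat=False):
    """Steps 1420-1440 for two evaluators; True iff the opened check passes."""
    view1, view2, T = dealer(omegas, cheat)  # shares are fixed before s is drawn
    s = random.randrange(P)  # agreed between the evaluators, never sent to the dealer
    opened = [(x + y) % P for x, y in zip(evaluator_local(view1, omegas, s),
                                         evaluator_local(view2, omegas, s))]
    A_s, B_s, C_s, H_s = opened
    return (A_s * B_s - C_s - poly_eval(T, s) * H_s) % P == 0
```

Calling `verify_batch([1, 2, 3, 4, 5, 6, 7, 8])` accepts an honest dealer and `verify_batch([1, 2, 3, 4, 5, 6, 7, 8], cheat=True)` rejects the corrupted batch except with probability about n/|F|, which is the Schwartz-Zippel bound quoted above. The order of operations in `verify_batch` matters: the dealer's shares are fixed before s is drawn, so s is independent of the polynomial being tested. Opening A(s), B(s), C(s) reveals one evaluation of each polynomial; the masking with δ terms described above for repeated checks over small fields is not implemented here.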
Many different ways of executing the method are possible, as will be apparent to a person skilled in the art. For example, the order of the steps can be varied or some steps may be executed in parallel. Moreover, in between steps other method steps may be inserted. The inserted steps may represent refinements of the method such as described herein, or may be unrelated to the method. For example, steps 420 and 430 may be executed, at least partially, in parallel. Moreover, a given step may not have finished completely before a next step is started.
Embodiments of the method may be executed using software, which comprises instructions for causing a processor system to perform method 400 or 1400. Software may only include those steps taken by a particular sub-entity of the system. The software may be stored in a suitable storage medium, such as a hard disk, a floppy, a memory, an optical disc, etc. The software may be sent as a signal along a wire, or wireless, or using a data network, e.g., the Internet. The software may be made available for download and/or for remote usage on a server. Embodiments of the method may be executed using a bitstream arranged to configure programmable logic, e.g., a field-programmable gate array (FPGA), to perform the method.
It will be appreciated that the invention also extends to computer programs, particularly computer programs on or in a carrier, adapted for putting the invention into practice. The program may be in the form of source code, object code, a code intermediate source and object code such as partially compiled form, or in any other form suitable for use in the implementation of an embodiment of the method. An embodiment relating to a computer program product comprises computer executable instructions corresponding to each of the processing steps of at least one of the methods set forth. These instructions may be subdivided into subroutines and/or be stored in one or more files that may be linked statically or dynamically. Another embodiment relating to a computer program product comprises computer executable instructions corresponding to each of the means of at least one of the systems and/or products set forth.
For example, in an embodiment, processor system 1140, e.g., the dealer or evaluator device, may comprise a processor circuit and a memory circuit, the processor being arranged to execute software stored in the memory circuit. For example, the processor circuit may be an Intel Core i7 processor, ARM Cortex-R8, etc. In an embodiment, the processor circuit may be ARM Cortex M0. The memory circuit may be a ROM circuit, or a non-volatile memory, e.g., a flash memory. The memory circuit may be a volatile memory, e.g., an SRAM memory. In the latter case, the device may comprise a non-volatile software interface, e.g., a hard drive, a network interface, etc., arranged for providing the software.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments.
In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. Use of the verb ‘comprise’ and its conjugations does not exclude the presence of elements or steps other than those stated in a claim. The article ‘a’ or ‘an’ preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
In the claims references in parentheses refer to reference signs in drawings of exemplifying embodiments or to formulas of embodiments, thus increasing the intelligibility of the claim. These references shall not be construed as limiting the claim.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2018/061278 | 5/3/2018 | WO | 00 |
Number | Date | Country |
---|---|---|
62501262 | May 2017 | US |