Turning HATE Into LOVE: Homomorphic Ad Hoc Threshold Encryption for Scalable MPC

We explore large-scale fault-tolerant multiparty computation on a minimal communication graph. Our goal is to be able to privately aggregate data from thousands of users — for example, in order to obtain usage statistics from users’ phones. To reflect typical phone deployments, we limit communication to the star graph (so that all users only talk to a single central server). To provide fault-tolerance, we require the computation to complete even if some users drop out mid-computation, which is inevitable if the computing devices are personally owned smartphones. Variants of this setting have been considered for the problem of secure aggregation by Chan et al. (Financial Cryptography 2012) and Bonawitz et al. (CCS 2017). We call this setting Large-scale One-server Vanishing-participants Efficient MPC (LOVE MPC). We show that LOVE MPC requires at least three message flows, and that a three-message protocol requires some setup (such as a PKI). We then build LOVE MPC with optimal round and communication complexity (assuming semi-honest participants and a deployed PKI), using homomorphic ad hoc threshold encryption (HATE). We build the first HATE scheme with constant-size ciphertexts (although the public key length is linear in the number of users). Unfortunately, this construction is merely a feasibility result, because it relies on indistinguishability obfuscation. We also construct more practical three- and five-message LOVE MPC in the PKI model for addition or multiplication. Unlike in the obfuscation-based construction, the per-user message length in these protocols is linear in the number of users. However, the five-message protocol still has constant amortized message length, because only the first two messages are long, but they need to be exchanged only once (i.e., are input-independent and reusable) and thus can be viewed as setup.

* Leonid Reyzin and Sophia Yakoubov were supported in part by NSF grant 1422965.
** Adam Smith was supported in part by NSF awards IIS-1447700 and AF-1763786 and a Sloan Foundation Research Award.
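The abstract describes the setting (a star graph, a single semi-honest server, users who may vanish after sending their first message, a PKI) but not the mechanics. The following simulation is an added illustration of that setting for the addition case and is not the paper's construction: it shows how a three-flow, dropout-tolerant sum can be built from Shamir secret sharing, which is also the tool the paper's practical protocols use at threshold granularity. Every user masks its input with a random value and shares that mask among the other users via the server; because Shamir shares are linear, each surviving user returns a single share of the sum of all masks, so the server can recover only the aggregate mask, never an individual one. The PKI-encrypted envelopes in which shares would travel through the server are modelled as opaque Python objects the server only routes (an assumption of the example, stated in the comments); the field modulus, the input values and the dropout sets are constructed here.

```python
import secrets
from typing import Dict, List, Optional, Set

# Prime field for all arithmetic; chosen large enough that sums of small inputs never wrap
# (constructed value for this example).
Q = 2**61 - 1


def shamir_share(secret: int, n: int, t: int) -> List[int]:
    """Shamir shares of `secret` at points 1..n; any t of them reconstruct the secret."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        v = 0
        for c in reversed(coeffs):          # Horner evaluation of the degree t-1 polynomial
            v = (v * x + c) % Q
        shares.append(v)
    return shares


def lagrange_at_zero(points: Dict[int, int]) -> int:
    """Reconstruct f(0) from a dict {x_j: f(x_j)} holding at least t points of a degree t-1 polynomial."""
    total = 0
    for xj, yj in points.items():
        num, den = 1, 1
        for xm in points:
            if xm != xj:
                num = num * (-xm) % Q
                den = den * (xj - xm) % Q
        total = (total + yj * num * pow(den, Q - 2, Q)) % Q
    return total


def love_sum(inputs: Dict[int, int], t: int, dropped: Set[int]) -> Optional[int]:
    """Three-flow secure sum on a star graph.

    `inputs` maps user ids 1..n to their private values; every listed user completes
    message 1. `dropped` is the subset that vanishes afterwards and never answers the
    server again. The server learns the sum over all of `inputs` (dropouts included,
    since their masks were already shared) as long as at least t users survive; with
    fewer survivors it must abort and returns None.
    """
    n = len(inputs)
    assert set(inputs) == set(range(1, n + 1)), "users are indexed 1..n in this example"
    assert 1 <= t <= n

    # --- Flow 1 (user -> server): masked input, plus one Shamir share of the mask per user.
    # In a deployment each share for user j is encrypted under pk_j from the PKI; here the
    # server merely holds `envelopes[j]` and, by assumption, cannot read its contents.
    masked: Dict[int, int] = {}
    envelopes: Dict[int, List[int]] = {j: [] for j in inputs}
    for i, x in inputs.items():
        r = secrets.randbelow(Q)            # user i's fresh mask, never sent in the clear
        masked[i] = (x + r) % Q
        for j, share in enumerate(shamir_share(r, n, t), start=1):
            envelopes[j].append(share)

    # --- Flow 2 (server -> user): the server forwards each surviving user its envelopes.
    alive = [j for j in inputs if j not in dropped]
    if len(alive) < t:
        return None                         # not enough survivors to ever reconstruct R

    # --- Flow 3 (user -> server): each survivor returns the SUM of the shares it received.
    # By linearity this is a share of R = sum of all masks; individual masks stay hidden.
    sum_shares = {j: sum(envelopes[j]) % Q for j in alive[:t]}

    # Server: reconstruct R from t shares, then strip it from the sum of masked inputs.
    total_mask = lagrange_at_zero(sum_shares)
    return (sum(masked.values()) - total_mask) % Q


if __name__ == "__main__":
    demo = {1: 10, 2: 20, 3: 30, 4: 40, 5: 50}   # constructed inputs
    print(love_sum(demo, t=3, dropped={2, 5}))   # survivors 1,3,4 suffice: prints 150
    print(love_sum(demo, t=3, dropped={2, 3, 5}))  # only two survivors: prints None
```

Note that the server sees only `masked[i]` and `sum_shares`, and `sum_shares` reveals nothing beyond the aggregate mask R; the abstract's lower bound that three flows are necessary matches the shape here, since the survivors cannot know which masks to cancel before the server has collected flow 1. The example assumes the semi-honest server and PKI of the abstract; it offers no protection against a server that drops flow-1 messages selectively or reads the envelopes.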

[1] Paz Morillo, et al. CCA2-Secure Threshold Broadcast Encryption with Shorter Ciphertexts, 2007, ProvSec.

[2] Brent Waters, et al. How to use indistinguishability obfuscation: deniable encryption, and more, 2014, IACR Cryptol. ePrint Arch.

[3] George Danezis, et al. PrivEx: Private Collection of Traffic Statistics for Anonymous Communication Networks, 2014, CCS.

[4] Aggelos Kiayias, et al. Delegatable pseudorandom functions and applications, 2013, IACR Cryptol. ePrint Arch.

[5] Brent Waters, et al. Constrained Pseudorandom Functions and Their Applications, 2013, ASIACRYPT.

[6] Adi Shamir, et al. How to share a secret, 1979, CACM.

[7] Robert K. Cunningham, et al. Catching MPC Cheaters: Identification and Openability, 2017, ICITS.

[8] Brent Waters, et al. Adaptive Security in Broadcast Encryption Systems (with Short Ciphertexts), 2009, EUROCRYPT.

[9] Leonid Reyzin, et al. Efficient Asynchronous Accumulators for Distributed PKI, 2016, SCN.

[10] Taher ElGamal, et al. A public key cryptosystem and signature scheme based on discrete logarithms, 1985.

[11] Jonathan Katz, et al. Composability and On-Line Deniability of Authentication, 2009, TCC.

[12] Shafi Goldwasser, et al. Functional Signatures and Pseudorandom Functions, 2014, Public Key Cryptography.

[13] Ran Canetti, et al. Universally Composable Security with Global Setup, 2007, TCC.

[14] Ran Canetti, et al. Universal Composition with Joint State, 2003, CRYPTO.

[15] John Bloom, et al. A modular approach to key safeguarding, 1983, IEEE Trans. Inf. Theory.

[16] Josh Benaloh, et al. One-Way Accumulators: A Decentralized Alternative to Digital Signatures (Extended Abstract), 1994, EUROCRYPT.

[17] Manuel Blum, et al. How to generate cryptographically strong sequences of pseudo random bits, 1982, 23rd Annual Symposium on Foundations of Computer Science (SFCS 1982).

[18] Daniel Wichs, et al. Two Round Multiparty Computation via Multi-key FHE, 2016, EUROCRYPT.

[19] Yvo Desmedt, et al. Threshold Cryptosystems, 1989, CRYPTO.

[20] Ran Canetti, et al. Universally composable protocols with relaxed set-up assumptions, 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[21] Suman Nath, et al. Differentially private aggregation of distributed time-series with transformation and encryption, 2010, SIGMOD Conference.

[22] Dan Boneh, et al. Threshold Cryptosystems From Threshold Fully Homomorphic Encryption, 2018, IACR Cryptol. ePrint Arch.

[23] Amit Sahai, et al. Secure MPC: Laziness Leads to GOD, 2018, IACR Cryptol. ePrint Arch.

[24] Jan Camenisch, et al. Practical Verifiable Encryption and Decryption of Discrete Logarithms, 2003, CRYPTO.

[25] Amit Sahai, et al. On the (im)possibility of obfuscating programs, 2001, JACM.

[26] Sarvar Patel, et al. Practical Secure Aggregation for Privacy-Preserving Machine Learning, 2017, IACR Cryptol. ePrint Arch.

[27] Elaine Shi, et al. Privacy-Preserving Stream Aggregation with Fault Tolerance, 2012, Financial Cryptography.

[28] Mark Zhandry, et al. Differing-Inputs Obfuscation and Applications, 2013, IACR Cryptol. ePrint Arch.

[29] Anat Paskin-Cherniavsky, et al. Non-Interactive Secure Multiparty Computation, 2014, IACR Cryptol. ePrint Arch.


[31] Silvio Micali, et al. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks, 1988, SIAM J. Comput.

[32] Mark Zhandry, et al. Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation, 2014, Algorithmica.

[33] Mark Zhandry, et al. Adaptively Secure Broadcast Encryption with Small System Parameters, 2014, IACR Cryptol. ePrint Arch.

[34] Elaine Shi, et al. Privacy-Preserving Aggregation of Time-Series Data, 2011, NDSS.