Asymptotically Good Multiplicative LSSS over Galois Rings and Applications to MPC over $\mathbb{Z}/p^k\mathbb{Z}$

We study information-theoretic multiparty computation (MPC) protocols over rings Z/p^kZ that have good asymptotic communication complexity for a large number of players. An important ingredient for such protocols is arithmetic secret sharing, i.e., linear secret-sharing schemes with multiplicative properties. The standard way to obtain these over fields is with a family of linear codes C such that C, C⊥ and the square code C^{*2} are asymptotically good (strongly multiplicative). For our purposes here it suffices if the square code C^{*2} is not the whole space, i.e., has codimension at least 1 (multiplicative). Our approach is to lift such a family of codes defined over a finite field F to a Galois ring, which is a local ring that has F as its residue field and that contains Z/p^kZ as a subring, and thus enables arithmetic that is compatible with both structures. Although arbitrary lifts preserve the distance and dual distance of a code, the multiplicative property is not preserved, as we demonstrate with a counterexample. We work around this issue by showing a dedicated lift that preserves self-orthogonality (as well as distance and dual distance), for p ≥ 3. Self-orthogonal codes are multiplicative, therefore we can use existing results on asymptotically good self-dual codes over fields to obtain arithmetic secret sharing over Galois rings. For p = 2 we obtain multiplicativity by using existing techniques of secret sharing using both C and C⊥, incurring a constant overhead. As a result, we obtain asymptotically good arithmetic secret-sharing schemes over Galois rings. With these schemes in hand, we extend existing field-based MPC protocols to obtain MPC over Z/p^kZ, in the setting of a submaximal adversary corrupting less than a fraction 1/2 − ε of the players, where ε > 0 is arbitrarily small. We consider three different corruption models. For passive and active security with abort, our protocols communicate O(n) bits per multiplication.
For full security with guaranteed output delivery we use a preprocessing model and get O(n) bits per multiplication in the online phase and O(n log n) bits per multiplication in the offline phase. Thus, we obtain true linear bit complexities, without the common assumption that the ring size depends on the number of players.

M. Abspoel et al. © International Association for Cryptologic Research 2020. S. Moriai and H. Wang (Eds.): ASIACRYPT 2020, LNCS 12493, pp. 151–180, 2020. https://doi.org/10.1007/978-3-030-64840-4_6
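The following Python script is an added worked example and is not code from the paper; it illustrates the three facts the abstract relies on in the simplest Galois ring, Z/9Z (p = 3, k = 2, residue field F_3), using the ternary tetracode, a self-dual [4,2,3] code over F_3, as the field code. It checks that (1) reading the F_3 digits as elements of Z/9Z (an arbitrary lift) keeps the minimum distance but loses self-orthogonality, (2) a lift G' ≡ G (mod 3) with G'G'^T ≡ 0 (mod 9) exists and also keeps the distance, and (3) self-orthogonality makes the scheme multiplicative: with coordinate 0 as the secret and the remaining coordinates as shares, ⟨c, c'⟩ = 0 means s·s' = −Σ s_i s'_i, so (−1, …, −1) recombines products of shares for every pair of sharings. The exhaustive search over lifts is my own stand-in for the paper's dedicated lift and does not reproduce the paper's counterexample; the tetracode generator matrix is constructed inline.

```python
"""Lifting a self-orthogonal code from F_3 to Z/9Z (added example, not the
paper's construction).  Checks distance, self-orthogonality and the
all-minus-ones recombination vector on a naive lift and on a dedicated lift."""
from itertools import product

P, K = 3, 2          # prime and exponent: residue field F_3, ring Z/9Z
Q = P ** K           # ring modulus

# Constructed input: generator matrix of the tetracode, a self-dual [4,2,3]
# code over F_3.  Coordinate 0 will play the role of the secret.
G_FIELD = [[1, 0, 1, 1],
           [0, 1, 1, 2]]


def inner(u, v, mod):
    return sum(a * b for a, b in zip(u, v)) % mod


def is_self_orthogonal(gen, mod):
    """C is self-orthogonal iff every pair of generator rows is orthogonal."""
    return all(inner(r, s, mod) == 0 for r in gen for s in gen)


def codewords(gen, mod):
    """All linear combinations of the generator rows over Z/mod Z."""
    n = len(gen[0])
    words = set()
    for coeffs in product(range(mod), repeat=len(gen)):
        words.add(tuple(sum(a * row[i] for a, row in zip(coeffs, gen)) % mod
                        for i in range(n)))
    return words


def min_distance(gen, mod):
    """Minimum Hamming weight over all nonzero codewords (the ring definition)."""
    return min(sum(1 for x in w if x) for w in codewords(gen, mod) if any(w))


def naive_lift(gen):
    """Read the F_p digits as elements of Z/p^k Z: one arbitrary lift."""
    return [list(r) for r in gen]


def self_orthogonal_lift(gen, p, q):
    """Exhaustive search over every lift G' = G + p*T (entries of T in
    0..q/p-1, so G' runs over all matrices congruent to G mod p) for one
    whose rows are pairwise orthogonal mod q.  This search is an assumption
    of the example; the paper gives an explicit lift for p >= 3."""
    rows, cols = len(gen), len(gen[0])
    for t in product(range(q // p), repeat=rows * cols):
        cand = [[(gen[i][j] + p * t[i * cols + j]) % q for j in range(cols)]
                for i in range(rows)]
        if is_self_orthogonal(cand, q):
            return cand
    return None


def reduces_to(gen_ring, gen_field, p):
    """A lift must reduce to the original field code modulo p."""
    return [[x % p for x in r] for r in gen_ring] == gen_field


def recombines_with_all_minus_ones(gen, mod):
    """Secret in coordinate 0, shares in coordinates 1..n-1.  Self-orthogonality
    gives c0*d0 + sum_i c_i*d_i = <c,d> = 0 for every pair of codewords, i.e.
    the product of the two secrets is -(sum of the products of the shares)."""
    words = codewords(gen, mod)
    return all((c[0] * d[0] + inner(c[1:], d[1:], mod)) % mod == 0
               for c in words for d in words)


if __name__ == "__main__":
    naive = naive_lift(G_FIELD)
    good = self_orthogonal_lift(G_FIELD, P, Q)
    print("field code self-orthogonal, distance:",
          is_self_orthogonal(G_FIELD, P), min_distance(G_FIELD, P))
    print("naive lift: self-orthogonal", is_self_orthogonal(naive, Q),
          "distance", min_distance(naive, Q))
    print("dedicated lift:", good, "self-orthogonal", is_self_orthogonal(good, Q),
          "distance", min_distance(good, Q))
    print("(-1,...,-1) recombines products: naive",
          recombines_with_all_minus_ones(naive, Q),
          "dedicated", recombines_with_all_minus_ones(good, Q))
```

The naive lift fails already on the first generator row: (1,0,1,1)·(1,0,1,1) = 3, which is 0 in F_3 but not in Z/9Z. Note that the script does not show the naive lift losing multiplicativity; for this small code a different recombination vector still exists, and the paper's counterexample uses a different code. What the script does show is the mechanism the abstract describes: once self-orthogonality is preserved by the lift, the recombination vector comes for free and needs no search.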
