FMPC: Secure Multiparty Computation from Fourier Series and Parseval's Identity

12/05/2019 ∙ by Alberto Sonnino, et al. ∙ UCL

FMPC is a novel multiparty computation protocol of arithmetic circuits based on secret-sharing, capable of computing multiplication of secrets with no online communication; it thus enjoys constant online communication latency in the size of the circuit. FMPC is based on the application of Fourier series to Parseval's identity, and introduces the first generalization of Parseval's identity for Fourier series applicable to an arbitrary number of inputs. FMPC operates in a setting where users wish to compute a function over some secret inputs by submitting the computation to a set of nodes, but is only suitable for the evaluation of low-depth arithmetic circuits. FMPC relies on an offline phase consisting of traditional preprocessing as introduced by established protocols like SPDZ, and innovates on the online phase that mainly consists of each node locally evaluating specific functions. FMPC paves the way for a new kind of multiparty computation protocols capable of computing multiplication of secrets as an alternative to circuit garbling and the traditional algebra introduced by Donald Beaver in 1991.

I Introduction

Multiparty computation protocols allow multiple users to compute some function of their combined secret inputs without revealing any information about those inputs beyond the output of the function. FMPC is a secret-sharing based protocol for arithmetic circuits [6]; it operates in a setting where users wish to compute a function over some secrets by submitting the computation to a set of nodes, and is only suitable for circuits with a low number of multiplications. The users first secret-share their inputs by breaking them into multiple shares and providing each node with one share. The nodes then perform additions and multiplications on these shares through local computations, and finally output the result of the computation. FMPC focuses on the multiplication of secrets, and assumes that additions are performed using the traditional algebra described by SPDZ [6].

Like previous secret-sharing based protocols [6, 5, 9], FMPC divides execution into an offline phase and an online phase. The offline phase is performed ahead of time and does not involve any user's secret input; the output of the computation is then evaluated during the online phase. Traditional secret-sharing based protocols compute additions of secrets efficiently, but multiplication is expensive [6]: it relies on the algebra introduced by Donald Beaver [2], which requires additional secret-shared values called triples that are generated during the offline phase. Each node then broadcasts its shares of the secrets blinded with these triple values. This causes high communication complexity during the online phase, especially for computations requiring many multiplications; their latency increases with the number of multiplications to evaluate.

FMPC is a novel secret-sharing technique to compute multiplication of secrets without requiring nodes to communicate with each other at all during the online phase; FMPC thus enjoys constant (and low) online communication latency in the size of the circuit. This is achieved through the application of Fourier series to Parseval’s identity. On the downside, FMPC cannot compose operations and is therefore only suitable to evaluate circuits with a small number of multiplications (see Section VIII). FMPC relies on established preprocessing techniques for the offline phase, and makes the following contributions to the online phase:

  • Section IV presents the mathematical construction behind FMPC by taking the example of a two-user computation.

  • Section V provides a concrete instantiation of FMPC and shows a practical protocol execution.

  • Section VI introduces the first generalization of Parseval’s identity for Fourier series applicable to an arbitrary number of inputs, and uses it to extend the two-user computation scheme presented in Section IV to a scheme supporting an arbitrary number of users. To the best of our knowledge, this is the first secret-sharing multiparty computation protocol scaling to an arbitrary number of inputs that enables multiplication of secrets with no online communication.

FMPC is a first of its kind attempt to analytically model MPC and aims to trigger further debates towards a working system.

II Threat Model and Goals

The following actors participate in a FMPC computation:

  • Users: End-user devices submit a computation over some secret inputs to a set of nodes; they wish to publish the output of the computation without revealing their secret inputs to anybody. Without loss of generality, we assume that each user holds one secret input.

  • Nodes: Infrastructure executing the computation submitted by the users.

We model the offline phase as executed by a trusted authority responsible for generating some scheme parameters and communicating them to the users; this offline phase can be distributed using traditional techniques introduced by SPDZ [6] (see Section IV-B). FMPC assumes passive adversaries who follow the protocol specification but try to learn more than allowed about the users' secret inputs (we leave the extension of FMPC to active adversaries as future work, potentially adapting the MAC-based approach introduced by SPDZ [6]). Nodes can collude with each other as long as there is at least one honest non-colluding node. Under the above threat model, FMPC achieves the following design goals:

  • Private Computation - Parties only learn the output of the computation.

  • Non-Interactivity - Nodes do not communicate with each other during the online phase to perform computations.

III Background

We recall the theory of Fourier series and Parseval’s identity, and the analytic expressions of some useful convergent sums; Appendix A shows how to compute them numerically using finite fields.

III-A Convolution of Fourier Series

We recall the Fourier series of the convolution between two functions and periodic on (). Assuming that and (i.e., and are square-integrable in the interval []), their respective Fourier series representations read:

(1)

where the Fourier coefficients and (for are given below:

(2)

The convolution function between and is defined as

(3)

By inserting Equation 1 into Equation 3, and by taking into account the following identities

(4)

where denotes Kronecker’s delta, we obtain the Fourier series of the convolution between two functions:

(5)

where

We also recall that the convolution operation satisfies commutativity and associativity; these properties are used in Section VI to scale FMPC to an arbitrary number of inputs.

III-B Parseval’s Identity

Let’s assume two functions and as defined in Equation 1; defining the four vectors , , and (for as below,

(6)

Parseval’s identity [8] holds for and :

(7)

Parseval’s identity only applies to two functions; Section VI-A presents our generalization of Parseval’s identity that applies to an arbitrary number of functions used to extend FMPC to an arbitrary number of inputs.

III-C Convergent Sums

FMPC requires the computation of scalar products of vectors with infinite components. It is therefore crucial that the infinite series produced by these scalar products are convergent, and that the results of these series can be computed efficiently and exactly (i.e., analytically). For example, in case of two users, FMPC requires the evaluation of the following convergent sums (see Section V):

(8)

These expressions can be easily calculated from the following well-known identity [8]

(9)

as below:

Section V illustrates that a convenient choice of the mask functions allows evaluating the infinite series (i.e., the scalar products) analytically.

IV Two-User FMPC Construction

We present the mathematical construction behind FMPC by illustrating a two-user computation protocol; Section V provides a concrete instantiation of this construction.

IV-A Mathematical Construction

Figure 1 presents a two-user FMPC computation. We consider two users, Alice holding a secret input and Bob holding a secret input , wishing to compute the product without revealing their secret inputs. The protocol operates on the public parameters and (with ), and on two parametric functions whose parameters are generated by the trusted authority Trusty; we refer to these functions as mask functions. The protocol is divided into two phases: an offline phase consisting of pre-computations that can be performed ahead of time, as they are independent of the secret inputs, and an online phase producing the output .

Offline phase

We model the offline phase as executed by a trusted authority Trusty (Section IV-B shows how to distribute the offline phase). Trusty generates at random and , and computes the normalization coefficient given by

(10)

and computes the following normalized mask-functions:

where indicates the set of parameters  (➊). Contrary to traditional secret-sharing protocols like SPDZ [6], FMPC pushes the complexity to the edges: the users, rather than the nodes, carry out the bulk of the online computation (evaluating their mask functions and computing the Fourier coefficients), while the nodes only compute scalar products.

Online phase

Trusty sends to Alice and to Bob, who respectively compute and :

(11)

Alice computes the vectors and from , and Bob computes the vectors and from as defined by Equations 6 and 2 (➋). Alice sends to and to ; and Bob sends to and to  (➌). As a result, gathers the constant and cosine component of Parseval’s identity, and gathers the sine component of Parseval’s identity. outputs , and outputs  (➍); anyone can compute according to Equation 7. The intuition behind the scheme is to decompose the product into two components that are eventually added together to compute the final result; this reduces the problem of multiplying secrets to an addition, which is enabled by Parseval’s identity. Section V presents an end-to-end example calculation, with practical choices of mask functions.

Fig. 1: Overview of FMPC execution. Trusty sends to Alice and to Bob (➊). Alice computes and , and Bob computes and according to Equation 6 (➋); Alice sends to and to , and Bob sends to and to  (➌). outputs and outputs  (➍); anyone can compute according to Equation 7.

IV-B Decentralization of the Offline Phase

We do not innovate on the offline phase, and rely on existing established solutions. The offline phase of FMPC randomly generates the parameters of the mask functions and computes the normalization coefficient. FMPC may employ the same technique used by SPDZ [6] to generate multiplicative triples, which relies on somewhat homomorphic encryption; despite the simplicity of this approach, it incurs expensive public key cryptography and may lead to high cost. Mascot [9] overcomes this limitation by using oblivious transfer to generate the triples values during the offline phase. Section V-D shows how to use the offline phase of those protocols to instantiate a practical FMPC computation. Alternatively, FMPC may rely on a semi-trusted authority to run the offline phase; the authority is then trusted to correctly generate those parameters and to not collude with the nodes, but never learns any information about the users inputs.

V Instantiation of Two-User FMPC Computation

We illustrate a practical example of FMPC computation considering the following mask-functions:

(12)

for parameters and . For simplicity, we set , and

(13)

to obtain the following normalized mask-functions:

(14)

V-A Protocol Execution

We show how the protocol illustrated in Figure 1 executes using the mask functions given by Equation 12.

Offline phase

Algorithm 1 illustrates the offline phase; Trusty generates at random ; computes the normalization coefficients ; and sends to Alice and to Bob (➊).

Online phase

Algorithm 2 illustrates the online phase; Alice computes , and Bob computes  (➋). Alice sends to and to ; Bob sends to and to  (➌). has all information it needs to compute and (see Equation 15 of Section V-B)—those can be computed from the mere knowledge of and —and outputs . In practice, only evaluates and outputs (see Equation 17 of Section V-B). Similarly, has all information to compute and (those can be computed from and ), and outputs ; in practice, simply outputs (see Equation 18 of Section V-B). Anyone can compute , which follows from Equation 7 (➍).

All operations are performed over a finite field where is prime, is integer and ; addition, multiplication, and the modular inverse are implemented by modular arithmetic , that is .

procedure Trusty
     
     compute
     send to Alice
     send to Bob
Algorithm 1 FMPC example computation – Offline phase
procedure Alice()
     compute
     compute
     send to and to
procedure Bob()
     compute
     compute
     send to and to
procedure Node1()
     output
procedure Node2()
     output
Algorithm 2 FMPC example computation – Online phase
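The following Python program is an added example, not the paper's code or its released Mathematica script, that runs the two-user protocol of Algorithms 1 and 2 end to end with Trusty, Alice, Bob and the two nodes as separate functions. Nothing in it is taken from the page beyond the protocol flow: it assumes that the mask functions are trigonometric polynomials with K harmonics, so that their Fourier coefficients are simply their parameters and Parseval's sum is finite; that all arithmetic is in a prime field GF(P), as Section V-A prescribes, where Parseval's identity for such functions is a polynomial identity in the coefficients and therefore still holds; and that a secret is encoded as a scalar factor of the user's normalized mask. The names trusty_offline, user_online, node1, node2, fmpc_multiply and mask_consistent_with are the example's own.

```python
"""Two-user FMPC multiplication over GF(P) (added example, not the paper's code).

Assumptions made here, not taken from the paper:
  * each mask function is a trigonometric polynomial with K harmonics, so its
    Fourier coefficients are exactly its parameters and Parseval's sum is finite;
  * arithmetic is in the prime field GF(P); for trigonometric polynomials
    Parseval's identity is a polynomial identity in the coefficients, so it
    holds verbatim over the field (only +, *, 1/2 and 1/N appear);
  * a secret is encoded as a scalar factor of the user's normalized mask, so
    secrets must be nonzero field elements.
"""
import secrets

P = 2**127 - 1        # prime modulus (assumption: any large prime works)
K = 4                 # harmonics per mask function (assumption)
INV2 = pow(2, -1, P)  # the 1/2 in front of the constant term of Parseval's sum


def rand_nonzero():
    return 1 + secrets.randbelow(P - 1)


def parseval(a, b, c, d):
    """(1/pi) * integral_{-pi}^{pi} f(x) g(x) dx over GF(P), for
    f = a[0]/2 + sum_n (a[n] cos nx + b[n] sin nx) and g likewise with (c, d).
    b[0] and d[0] are unused placeholders and must be 0."""
    total = a[0] * c[0] * INV2
    for n in range(1, K + 1):
        total += a[n] * c[n] + b[n] * d[n]
    return total % P


def trusty_offline():
    """Offline phase (step 1): random mask parameters, then normalization so
    that parseval(phi1_hat, phi2) == 1. Resamples if N happens to be 0."""
    while True:
        alpha_cos = [rand_nonzero() for _ in range(K + 1)]
        alpha_sin = [0] + [rand_nonzero() for _ in range(K)]
        beta_cos = [rand_nonzero() for _ in range(K + 1)]
        beta_sin = [0] + [rand_nonzero() for _ in range(K)]
        N = parseval(alpha_cos, alpha_sin, beta_cos, beta_sin)
        if N != 0:
            break
    n_inv = pow(N, -1, P)
    phi1_hat = ([x * n_inv % P for x in alpha_cos],
                [x * n_inv % P for x in alpha_sin])
    return phi1_hat, (beta_cos, beta_sin)


def user_online(secret, mask):
    """Online phase (step 2): the user scales its mask by its secret and splits
    the coefficients into the message for Node1 (cosine) and Node2 (sine)."""
    cos_part, sin_part = mask
    return ([secret * x % P for x in cos_part], [secret * x % P for x in sin_part])


def node1(A, C):
    """Node1 (step 4): constant and cosine component of Parseval's identity."""
    return (A[0] * C[0] * INV2 + sum(A[n] * C[n] for n in range(1, K + 1))) % P


def node2(B, D):
    """Node2 (step 4): sine component of Parseval's identity."""
    return sum(B[n] * D[n] for n in range(1, K + 1)) % P


def fmpc_multiply(a, b):
    """Complete run. Returns (public result, Node1's view, Node2's view);
    the result equals a*b mod P and the nodes never exchange messages."""
    phi1_hat, phi2 = trusty_offline()
    A, B = user_online(a, phi1_hat)    # Alice
    C, D = user_online(b, phi2)        # Bob
    o1, o2 = node1(A, C), node2(B, D)  # step 3 is the delivery of A, C and B, D
    return (o1 + o2) % P, (A, C), (B, D)


def mask_consistent_with(view_vector, guess):
    """A node sees secret * mask. For any nonzero guess of the secret this
    returns mask parameters that reproduce the same view, so the view alone
    does not single out the real secret."""
    g_inv = pow(guess, -1, P)
    return [x * g_inv % P for x in view_vector]


if __name__ == "__main__":
    a, b = 6, 7
    result, (A, C), _ = fmpc_multiply(a, b)
    print("a*b recovered:", result == a * b % P)
    alt = mask_consistent_with(A, 1000)
    print("view also explained by a=1000:", [1000 * x % P for x in alt] == A)
```

Each node sees only a secret times a mask vector it does not know; mask_consistent_with shows that any nonzero guess for the secret is explained by some mask parameters, which is the intuition behind the argument of Section V-C. The scalar encoding used here requires nonzero secrets: a zero secret would send an all-zero vector and be recognisable as such.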

V-B Correctness of the Computation

We compute the normalization coefficients and the normalized mask functions according to Equation 10 and Section IV-A, and the functions and according to Equation 11. All computations are performed using Wolfram Mathematica 11.2 (http://www.wolfram.com/mathematica/); we release our script as open source (https://gist.github.com/asonnino/7d3abd570736d13bddf61fa429692983). The Fourier coefficients and are then given below (for :

(15)

where:

(16)

We can easily check Parseval’s identity; computes

(17)

and computes

(18)

Equation 17 and Equation 18 are computed by evaluating the convergent sums given by Equation 8 of Section III. By adding Equation 17 to Equation 18, we finally get:

(19)

V-C Security Analysis

We show that no adversary can retrieve the secret inputs and from the knowledge of . We assume passive adversaries, i.e., they follow the protocol specification but try to learn more than allowed (see Section II). Informally, the adversary possesses five equations, i.e., the expressions of , and six unknowns, i.e., . The adversary thus holds fewer equations than unknowns, which makes it information-theoretically impossible to recover any unknown value. Theorem 1 presents this result more formally.

Theorem 1.

The scheme presented in Section V-A achieves perfect secrecy against a passive adversary holding ; i.e., for all distribution of and for all , we have and .

Proof.

Let us first consider the input . For any we introduce the conditional probability in terms of the joint probability

(20)

where the second equality is guaranteed by Bayes’ theorem. It is useful to compute using the law of total probability. Conditioning over all gives

(21)

Removing all constant and known factors from the expression of , we get

(22)

where,

(23)

which is independent of . Hence,

(24)

Plugging Equation 22 and Equation 24 into Equation 20, we get . The same reasoning applies to the input . ∎

This implies that nodes are not able to recover the users' inputs even if they collude (but multiple nodes are still required to handle additions of secrets, as in SPDZ [6]).

V-D Discussion

We discuss convenient choice of mask functions, distribution of the offline phase, and extension to multiple nodes.

Convenient choice of mask functions

Even though FMPC applies to any kind of square-integrable functions, a convenient choice of family of mask functions (in the case of two users) is {} where the parameters are randomly chosen (with and users ). The parameters and (with ) are public, and it is convenient to set them to and (see Equation 14). The main advantage of this family of mask functions is that it forgoes the need to resort to numerical calculations to compute the contributions of Parseval’s identity: computing the numerical sums of Parseval’s identity is never needed, since users simply evaluate them using the analytic expressions provided in Section III-C. It is also possible to select mask functions allowing all calculations to be performed analytically even for a large number of users; mask functions composed of sums of sines and cosines ensure convergence, and can be evaluated using expressions similar to those given in Section III-C.

Distribution of the offline phase

Established protocols like SPDZ require the generation of multiplicative triples during the offline phase; i.e., they provide a functionality to generate three elements such that in a distributed manner. FMPC may execute this functionality twice to generate such that , and such that ; and then simply compute:

(25)

Extension to an arbitrary number of nodes

Section V-C shows that colluding nodes cannot retrieve the users' inputs; multiple nodes are only required to handle addition of secrets. However, we can easily extend FMPC to an arbitrary number of nodes, as we can always split the calculations of Parseval’s identity into an arbitrary number of parts. This can be accomplished in many ways; for instance we may split the vectors A, B, , and into several contributions, by requiring each of the nodes to perform only a specific part of the scalar products, under the constraint that the sum of their outputs matches the final values of the scalar products of Parseval’s identity. Note that for the example depicted in Equation 15 (Section V-B), we can simply split the scalars and into shares in such a way that the sum of the contributions coincides with the final scalar products (by applying appropriate normalization).

VI Extension to Multiple Players

We introduce the first generalization of Parseval’s identity for Fourier series applicable to an arbitrary number of inputs, and use it to extend the two-user computation scheme presented in Section IV to an arbitrary number of users.

VI-A Generalization of Parseval’s Identity

We present the generalization of Parseval’s identity for Fourier series applicable to inputs. Parseval’s identity traditionally applies only to two functions; we overcome this drawback by using the convolution operation between two functions. We illustrate Parseval’s identity for three inputs, which can easily be generalized for an arbitrary number of inputs. Section VI-B leverages these considerations to build the -users FMPC protocol.

First, we observe that in the case of two users, Parseval’s identity may be cast into the following form

(26)

Let’s now consider three inputs, , and with Fourier series representations given by Equation 1 and by

(27)

respectively; the generalized Parseval’s identity reads:

(28)

or

(29)

Vectors , , , and and are respectively defined as

(30)

and

(31)

We simply include , , and in the left-hand side of the equation, and adapt the right-hand side to match. A formula for an arbitrary number of inputs can be obtained by following the same logic.
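As an added worked derivation (not the paper's own equations, whose symbols are not reproduced on this page), the three-input identity of this section follows from the convolution formula of Section III-A and the two-function Parseval identity of Section III-B. The notation is assumed here: the three functions are f, g, h, periodic on [-π, π] and square-integrable, with Fourier coefficients (a_n, b_n), (c_n, d_n), (u_n, v_n) and the a_0/2 convention for the constant term.

```latex
% Assumed notation (not the paper's symbols):
f(x)=\tfrac{a_0}{2}+\sum_{n\ge1}\bigl(a_n\cos nx+b_n\sin nx\bigr),\quad
g(x)=\tfrac{c_0}{2}+\sum_{n\ge1}\bigl(c_n\cos nx+d_n\sin nx\bigr),\quad
h(x)=\tfrac{u_0}{2}+\sum_{n\ge1}\bigl(u_n\cos nx+v_n\sin nx\bigr).

% Two-function Parseval identity (Section III-B):
\frac{1}{\pi}\int_{-\pi}^{\pi} f(x)\,g(x)\,dx
  =\frac{a_0c_0}{2}+\sum_{n\ge1}\bigl(a_nc_n+b_nd_n\bigr).

% Fourier series of the convolution (Section III-A). Expand h(x-t) with
% \cos n(x-t)=\cos nx\cos nt+\sin nx\sin nt and
% \sin n(x-t)=\sin nx\cos nt-\cos nx\sin nt, then integrate against g(t) using
% \int_{-\pi}^{\pi} g(t)\,dt=\pi c_0,\;
% \int_{-\pi}^{\pi} g(t)\cos nt\,dt=\pi c_n,\;
% \int_{-\pi}^{\pi} g(t)\sin nt\,dt=\pi d_n:
(g*h)(x)=\int_{-\pi}^{\pi} g(t)\,h(x-t)\,dt
  =\frac{P_0}{2}+\sum_{n\ge1}\bigl(P_n\cos nx+Q_n\sin nx\bigr),
\qquad
P_0=\pi c_0u_0,\quad
P_n=\pi\bigl(c_nu_n-d_nv_n\bigr),\quad
Q_n=\pi\bigl(c_nv_n+d_nu_n\bigr).

% Applying the two-function identity to f and g*h gives the three-input form:
\frac{1}{\pi^{2}}\int_{-\pi}^{\pi} f(x)\,(g*h)(x)\,dx
  =\frac{a_0c_0u_0}{2}
   +\sum_{n\ge1}\bigl(a_nc_nu_n-a_nd_nv_n+b_nc_nv_n+b_nd_nu_n\bigr).

% Check: f=g=h=\cos x gives (g*h)(x)=\pi\cos x, so the left side is
% \frac{1}{\pi^{2}}\cdot\pi\cdot\pi=1 and the right side is a_1c_1u_1=1.
```

Every term on the right-hand side is a product of exactly one coefficient from each of the three functions. With f = a·φ̂₁, g = b·φ̂₂, h = c·φ̂₃ and the masks normalized so that the right-hand side evaluated on the mask coefficients equals 1, the same sum evaluated on the users' scaled coefficient vectors equals abc, and each node evaluates the part of the sum built from the vectors it receives, as in Section VI-B. Since convolution is commutative and associative, nesting it extends the identity to more inputs.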

VI-B Mathematical Construction

We extend the two-user FMPC scheme presented in Section IV to a scheme supporting -users.

Fig. 2: Example execution of FMPC for 3 users and 2 nodes. Each user receives a normalized mask function from Trusty. Alice computes and sends to and to ; Bob sends to and to ; and Charlie sends to and to . outputs , and outputs ; according to Equation 28, anyone can compute .

Offline phase

Trusty generates at random the parameters of the mask functions ; it then computes the normalization coefficients similarly to Equation 10, and uses them to compute the normalized mask functions as shown in Section IV-A. This is analogous to the offline phase of the protocol presented in Section IV-A, except that we now consider mask functions instead of two.

Online phase

Trusty sends a normalized mask function to each user; they compute using their secret inputs , and their Fourier coefficients according to Equation 11 and Equation 2. Similarly to Section IV-A, users send the constant and cosine component of Parseval’s identity to , and the sine component to ; therefore the protocol can always be executed with two nodes. Each node then computes and outputs the scalar product of the users' coefficient vectors, and the product is computed by summing the outputs of the nodes according to the generalized Parseval’s identity presented in Section VI-A.

Figure 2 shows an example of execution of FMPC for three users. Each user, Alice, Bob and Charlie receives a normalized mask-function from Trusty. In this case the normalization coefficient is given by

(32)

with

(33)

and the three normalized mask-functions read

where and are two positive real numbers subject to the condition . Alice locally computes and ; Bob computes and ; and Charlie computes and similarly to Equation 2 and Equation 6. Alice sends to and to ; Bob sends to and to ; and Charlie sends to and to . Finally, outputs , and outputs ; following Equation 28, anyone can compute .

VII Related Work

There are two main constructions of multiparty protocols: circuit garbling and secret sharing. Circuit garbling involves encrypting keys in a specific order to simulate a circuit evaluation [1]; secret-sharing based protocols such as FMPC break the inputs into shares distributed among the nodes, who use their shares to evaluate some function through local computations [3, 7, 11, 10].

SPDZ [6] is one of the best-known secret-sharing based multiparty computation protocols scaling to an arbitrary number of users; SPDZ is secure against active adversaries, using MACs to verify the integrity of computations, and does not require any kind of trusted third party; it requires, however, expensive somewhat homomorphic encryption (SHE) to generate the triples used to compute multiplication of secrets. SPDZ2 [5] offers various improvements to the offline phase of SPDZ, and allows the MACs to be checked without revealing their key, thus allowing the key to be re-used after a check. Mascot [9] uses oblivious transfer rather than SHE to further improve the performance of the offline phase and generate triples.

The literature following SPDZ mainly improves the offline phase, while FMPC innovates on the online phase. Most multiparty protocols for arithmetic circuits based on secret sharing that scale to an arbitrary number of users are based on the algebra introduced by Donald Beaver [2]. They thus require triples to compute multiplication of secrets and impose communication between nodes during the online phase; their online latency therefore increases with the number of multiplications to evaluate. FMPC comes with a different trade-off: FMPC nodes do not communicate during the online phase and thus enjoy constant (and low) online latency in the size of the circuit, at the cost of not supporting composition of operations (see Section VIII), which makes FMPC only suitable to evaluate low-depth circuits. Established secret-sharing protocols face a trade-off between security and online latency: adding nodes improves security but increases latency. FMPC forgoes this trade-off since multiplications can always be performed by two nodes (see Section VI); however, its security relies on the choice of the mask functions.

VIII Limitations and Future Work

FMPC has several limitations that are beyond the scope of this work and deferred to future work. FMPC (i) does not support composition of operations. That is, while most established schemes [6, 5, 9] can evaluate expressions like with two additions and one multiplication, FMPC needs to distribute the operation and evaluate . This limitation is problematic for large computations and makes FMPC suitable only to evaluate circuits with a relatively small number of multiplications. Another limitation is (ii) that the security and efficiency of the scheme rely on the choice of the mask functions. We also defer as future work (iii) adapting our scheme to withstand active adversaries, potentially adapting the MAC-based approach introduced by SPDZ [6].

IX Conclusions

FMPC is a novel secret-sharing multiparty computation protocol for arithmetic circuits that requires no online communication between nodes to compute multiplication of secrets; FMPC innovates on the online phase by applying Fourier series to Parseval’s identity. FMPC enjoys constant latency in the size of the circuit, but is only suitable to evaluate low-depth circuits. We introduce the first generalization of Parseval’s identity for Fourier series applicable to an arbitrary number of inputs, and use it to allow FMPC to operate on an arbitrary number of inputs. FMPC paves the way for a new kind of multiparty computation protocol, hopefully encouraging discussions and spurring new directions to explore.

Acknowledgements

This work is supported by the EU H2020 DECODE project under grant agreement number 732546 as well as chainspace.io. We thank George Danezis for helpful suggestions on an early manuscript and valuable advice, and Yiannis Psaras for comments and proofreading.

References

  • [1] B. Applebaum, Y. Ishai, and E. Kushilevitz (2014) How to garble arithmetic circuits. SIAM Journal on Computing 43 (2), pp. 905–929. Cited by: §VII.
  • [2] D. Beaver (1991) Efficient multiparty protocols using circuit randomization. In Annual International Cryptology Conference, pp. 420–432. Cited by: §I, §VII.
  • [3] R. Bendlin, I. Damgård, C. Orlandi, and S. Zakarias (2011) Semi-homomorphic encryption and multiparty computation. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 169–188. Cited by: §VII.
  • [4] J. W. Cooley and J. W. Tukey (1965) An algorithm for the machine calculation of complex Fourier series. Mathematics of Computation 19 (90), pp. 297–301. Cited by: Appendix A.
  • [5] I. Damgård, M. Keller, E. Larraia, V. Pastro, P. Scholl, and N. P. Smart (2013) Practical covertly secure mpc for dishonest majority–or: breaking the spdz limits. In European Symposium on Research in Computer Security, pp. 1–18. Cited by: §I, §VII, §VIII.
  • [6] I. Damgård, V. Pastro, N. Smart, and S. Zakarias (2012) Multiparty computation from somewhat homomorphic encryption. In Advances in Cryptology–CRYPTO 2012, pp. 643–662. Cited by: §I, §I, §II, §IV-A, §IV-B, §V-C, §VII, §VIII, footnote 1.
  • [7] I. Damgård and S. Zakarias (2013) Constant-overhead secure computation of boolean circuits using preprocessing. In Theory of Cryptography, pp. 621–641. Cited by: §VII.
  • [8] I. S. Gradshteyn and I. M. Ryzhik (2014) Table of integrals, series, and products. Academic press. Cited by: §III-B, §III-C.
  • [9] M. Keller, E. Orsini, and P. Scholl (2016) MASCOT: faster malicious arithmetic secure computation with oblivious transfer. In ACM SIGSAC Conference on Computer and Communications Security, pp. 830–842. Cited by: §I, §IV-B, §VII, §VIII.
  • [10] Y. Lindell, B. Pinkas, N. P. Smart, and A. Yanai (2015) Efficient constant round multi-party computation combining bmr and spdz. In Annual Cryptology Conference, pp. 319–338. Cited by: §VII.
  • [11] J. B. Nielsen, P. S. Nordholt, C. Orlandi, and S. S. Burra (2012) A new approach to practical active-secure two-party computation. In Advances in Cryptology–