MPC Protocol for G-module and its Application in Secure Compare and ReLU

07/08/2020 ∙ by Qizhi Zhang, et al. ∙ Ant Financial

Secure multi-party computation (MPC) is a subfield of cryptography. Its aim is to create methods for multiple parties to jointly compute a function over their inputs while keeping those inputs private. The Secure Compare problem, introduced by Yao under the name of the millionaires' problem, is an important problem in MPC. On the other hand, Privacy Preserving Machine Learning (PPML) is a field at the intersection of cryptography and machine learning. It allows a group of independent data owners to collaboratively learn a model over their data sets without exposing their private data. MPC is a cryptographic technique commonly used in PPML. In deep learning, ReLU is an important layer. In order to train a neural network using MPC, we need MPC protocols for ReLU and DReLU (the derivative of ReLU), used in the forward and backward propagation of the network respectively. In this paper, we give two new tools for MPC protocols, "G-module action" and "G-module recover", and use them to give protocols for Secure Compare, DReLU and ReLU. The total (online plus offline) communication of our protocols is much less than the state of the art.


1 Introduction

Secure multi-party computation (MPC) is a subfield of cryptography with the goal of creating methods for parties to jointly compute a function over their inputs while keeping those inputs private. Privacy Preserving Machine Learning (PPML) is a field at the intersection of cryptography and machine learning. It allows a group of independent data owners to collaboratively learn a model over their data sets without exposing their private data. MPC is a cryptographic technique widely used in PPML. In deep learning, ReLU is an important layer. In order to train a neural network using MPC, we need MPC protocols for both ReLU and DReLU, used in the forward and backward propagation of the network respectively.

In [4], an MPC protocol to compute DReLU and ReLU is given; its technological roadmap is shown in Figure 1. First, a Private Compare protocol (PC) is given, then a Share Convert protocol (SC) is given based on PC. Second, a Matrix Multiplication protocol (MatMul) is given, a Most Significant Bit protocol (MSB) is built on PC and MatMul, a DReLU protocol is then given based on both MSB and SC, and a Select Shares protocol (SS) is also given based on MatMul. Finally, a ReLU protocol is given based on DReLU and SS.

In [12], a PRF is used to reduce the communication of [4].

In our paper, the technological roadmap of the MPC protocol for ReLU is given in Figure 3. Our DReLU protocol is based on a Secure Compare (SC) protocol. Secure comparison is a classical problem in MPC and has been widely studied, for example in [5], [7], [8] and [9]. We give a reduction (Lemma 5.1) from DReLU to the Secure Compare problem that needs no extra communication. The same reduction appears as Lemma 3 in [5], where it is used for the recursion of the Secure Compare problem, but we supply a much simpler proof of its principle than that of [5].

For the Secure Compare problem, we give a new Secure Compare protocol SC(n) whose total communication (offline + online) is minimal compared to the state of the art. In particular, we give the MPC protocol "G-module recover" and an MPC protocol for secure comparison based on it. One can compare our secure comparison protocol with those of [5], [7], [8] and [9]: the total communication (online + offline) of our protocol is much less than the others (Table 4.3).

We also give an MPC protocol "Cross G-module action" and an MPC protocol for Secure Select Share based on it. Compared with the Select Share protocol of [4], ours is smaller in both rounds and total communication (Table 6.1).

We combine our DReLU protocol and Secure Select Share protocol to obtain our ReLU protocol. Compared with the DReLU and ReLU protocols in [4] and [12], our DReLU and ReLU protocols need fewer rounds and less communication (Table LABEL:T_Compare_DReLU and Table 7.2).

Besides, our protocol is secure under the commodity model [10], since the assistant third party only sends messages to the two parties, and only in the offline phase. In the online phase, only the two parties run the protocol; the assistant third party does not need to receive any message from them at all. The security and robustness of our protocol are therefore much better than those in [4], where the assistant third party needs to both send and receive messages online.

Figure 1: Roadmap in SecureNN
Figure 2: Roadmap in [5].
Figure 3: Roadmap in this paper.

Let (A, +) be an abelian group. For an element of A, we call a pair of elements of A a share representation of it if and only if the pair sums to that element.

If two parties are given, we say that they "hold the share representation of an element in A" when the first party holds one element of A and the second party holds another, such that the two sum to that element.

2 The MPC protocol about G-module

In this section, we give three MPC protocols about G-modules: the G-module action protocol, the cross G-module action protocol and the G-module recover protocol.

2.1 The MPC protocol for the G-module action

Let a finite group and a finite module over it [2] be given. If one party possesses an element of the group and the other party possesses an element of the module, the following protocol computes a share representation of the module element acted on by the group element.

1: holds an element and holds an element .
2:, obtain the share representation of .
3: generates random and , and splits as ;
4: sends and to while sends and to ;
5: computes and then sends it to ;
6: computes and then sends it to ;
7: computes
8:return .
Algorithm 1 G-Module: GM(G,A)

This protocol needs rounds, and its communication is bits.

But with the PRF improvement, the offline communication and the online communication per call are both reduced, and the online phase takes a single round; the exact counts are given in Table 2.1.

In fact, the parties can obtain the random values as follows. Let the three parties share a PRF. Let the assistant third party share a key with the first party and another key with the second party. In the offline phase, for the i-th call, the assistant uses the first key to generate the first party's random values and the second key to generate the second party's random values, computes the remaining share and sends it to one of the two parties, who stores it. In the i-th call of the protocol in the online phase, the first party regenerates its values from the first key, and the second party regenerates its values from the second key; the stored share is restored. Hence the offline communication of GM(G,A) is one share per call (for sending the stored share), and the online communication is one round per call.

Protocol offline com. online comm. online round total comm.
GM(G,A) 1
Table 2.1: Communication of GM(G,A)
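The following Python program is an added example, not code from the paper: it runs the GM(G,A) protocol above end to end with the PRF improvement, using the multiplicative group of Z/pZ acting on Z/pZ by multiplication as a stand-in G-module and HMAC-SHA256 as the PRF (both are my choices, not the paper's). The message flow is my reconstruction of Algorithm 1 from its description, since the page's formulas did not survive extraction; it keeps the property the text states, namely that the assistant party sends a single share in the offline phase and is silent online.

```python
import hashlib
import hmac
import secrets

# Demo G-module (assumption, not the paper's choice): G = (Z/pZ)^* acting on
# A = Z/pZ by g . a = g*a mod p.  Only g.(a+b) = g.a + g.b and invertibility of g
# are used, so any finite G-module fits the same code.
P = 2**61 - 1

def act(g, a):
    return (g * a) % P

def prf_in_A(key, tag, call):
    """F_key(tag || call) -> Z/pZ.  Assumption: HMAC-SHA256 in place of the paper's PRF."""
    msg = tag.encode() + call.to_bytes(8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % P

def prf_in_G(key, tag, call):
    """Same PRF, mapped into G = (Z/pZ)^* (never zero, so always invertible)."""
    return 1 + prf_in_A(key, tag, call) % (P - 1)

def p0_offline_material(k0, call):
    """What P0 regenerates from its key: the random g' and its share c0 of g'.a'."""
    return prf_in_G(k0, "g", call), prf_in_A(k0, "c", call)

def p1_offline_material(k1, call):
    """What P1 regenerates from its key: the random mask a'."""
    return prf_in_A(k1, "a", call)

def p2_offline(k0, k1, call):
    """P2's only job: derive g', c0, a' from the two keys and send P1 the other
    share c1 of g'.a'.  This is the one element of offline communication per call."""
    g_p, c0 = p0_offline_material(k0, call)
    a_p = p1_offline_material(k1, call)
    return (act(g_p, a_p) - c0) % P            # c1, sent to P1 and stored there

def gm_online(g, a, k0, k1, c1, call):
    """GM(G,A), one online round.  P0 holds g in G, P1 holds a in A.
    Returns (s0, s1) with s0 + s1 = g . a.  Reconstructed message flow:
      P0 -> P1:  h = g * g'^-1     (uniform in G because g' is)
      P1 -> P0:  d = a - a'        (uniform in A because a' is)
    and g.a = g.d + h.(g'.a') = g.d + h.c0 + h.c1."""
    g_p, c0 = p0_offline_material(k0, call)   # P0 side
    a_p = p1_offline_material(k1, call)       # P1 side
    h = (g * pow(g_p, -1, P)) % P             # P0 -> P1
    d = (a - a_p) % P                         # P1 -> P0
    s0 = (act(g, d) + act(h, c0)) % P         # P0's share
    s1 = act(h, c1)                           # P1's share
    return s0, s1

def gm_protocol(g, a, k0, k1, call):
    """Full run of call number `call`: offline message from P2, then the online round."""
    c1 = p2_offline(k0, k1, call)
    return gm_online(g, a, k0, k1, c1, call)

def fresh_keys():
    """k0 shared by P2 and P0, k1 shared by P2 and P1 (the PRF improvement of Section 2.1)."""
    return secrets.token_bytes(32), secrets.token_bytes(32)
```

The `call` counter is part of the PRF input so that every call gets fresh correlated randomness; reusing a counter would reuse g' and a', and the masked messages h and d would then leak the difference between two inputs.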

2.2 The MPC protocol for the cross G-module action

Let be a finite abelian group, and be a finite - module [2]. If holds , and holds , we will give a protocol for computing the share representation of .

The principle is like

where and .

1: holds , , holds .
2:, get the share representation of .
3: generates random and , and splits as ;
4: sends and to and sends and to , respectively;
5: computes and sends it to ; computes and sends it to ;
6: computes and sends it to ; computes and sends it to ;
7: computes , computes
8:return .
Algorithm 2 Cross G-Module Action: CGM(G,A)

This protocol needs rounds, and its communication is bits. With the PRF improvement, similarly to the protocol GM(G,A), the offline and online communication per call are reduced and the online phase takes a single round, as presented in Table 2.2.

Protocol offline com. online comm. online round total comm.
CGM(G,A) 1
Table 2.2: Communication of CGM(G,A)

2.3 The MPC protocol for the G-module recover

Let a finite group and a finite module over it be given. Under the action of the group, the module has the orbit decomposition [1] below:

where each orbit can be generated by any single element of it under the group action.

Let the two parties hold a share representation of an element of the module and have common information on its orbit under the group action. We give an MPC protocol for the G-module recover: at the end of the protocol, the first party gets a group element and the second party gets an element of that orbit such that the group element acting on it gives the shared element.

The idea comes from the following equation

and the algorithm is given as below:

1: hold a share representation of an element , and a common information on the orbit of under the group action of .
2: gets an element and gets an element such that .
3: generates random and , and splits as ;
4: sends and to and sends and to , respectively;
5: computes and send it to ;
6: computes and sends it to ;
7: computes ;
8:return .
Algorithm 3 G-Module Recover: GMR(G,A)

Proof of the security of the Algorithm 3: It is easy to see that the conditional distribution

is a uniform distribution on

. Hence the posterior distribution is equal to the prior distribution . Therefore can’t get any information on from . Similarly since the conditional distribution is a uniform distribution on , the posterior distribution is equal to the prior distribution . And therefore can’t get any information on from . ∎

Analysis of communication: We now analyse the communication of the G-module recover. This protocol needs rounds, and its communication is bits. With the PRF improvement, similarly to the case of GM(G,A), only the reduced offline and online communication shown in Table 2.3 is needed, in a single online round per call.

Protocol offline com. online comm. online round total comm.
GMR(G,A) 1
Table 2.3: Communication of GMR(G,A)

3 Some known protocols

In this section, we review two well-known MPC protocols: the MPC protoc ol for assistant oblivious transfer (AOT) and the MPC protocol for module transform.

3.1 MPC protocol for Assistant OT

Let A, B be two finite abelian groups, and let Map(A, B) be the set consisting of all maps from A to B. There is a natural abelian group structure on Map(A, B) induced from that of B. Precisely, for any element of A, let

be the "left shift" on Map(A, B), which is defined by with and . Then we have

for any and any . And the algorithm is as below:

1: holds , holds .
2: gets .
3: generates random , then sends to and and to respectively;
4: computes and sends to ;
5: computes , and sends to ;
6: computes , which is equal to .
Algorithm 4 Assistant OT : AOT(A,B)

This MPC protocol needs rounds, and its communication is bits. With the PRF improvement, similarly to the protocol GM(G,A), the offline and online communication per call are reduced and the online phase takes a single round, as shown in Table 3.1.

Protocol offline com. online comm. online round total comm.
AOT(A,B) 1
Table 3.1: Communication of AOT(A,B)

3.2 MPC protocol for Module Transform

Now let the two parties hold a share representation of an element and a common integer m. Following the MPC protocol MoT(m) in [5], at the end of the protocol the two parties get the share representation of the same element in the module determined by m.

Let

be a map defined by . One can use the protocol to compute . The explicit algorithm is as below:

1: hold a share representation of , and a common integral number .
2:, get the share representation of in .
3: generates random , then splits into and into , and finally sends to , send to respectively;
4: computes locally and computes locally;
5: and reconstruct by interchanging and ;
6: computes and computes ;
7:return .
Algorithm 5 Module Transform: MoT(m)

This protocol needs rounds, and its communication is bits. With the PRF improvement, the offline and online communication per call are reduced as follows.

In fact, the parties can obtain the random values as follows. Let the three parties share a PRF. Let the assistant third party share a key with the first party and another key with the second party. In the offline phase, for the i-th call, the assistant uses the first key to generate the first party's random values and the second key to generate the second party's random values, computes the remaining share and sends it to one of the two parties, who stores it. In the i-th call of the protocol in the online phase, the first party regenerates its values from the first key, and the second party regenerates its values from the second key; the stored share is restored. Hence the offline communication of MoT(m) is one share per call (for sending the stored share), and the online communication is the exchange of the two masked values in one round per call, as shown in Table 3.2.

Protocol offline com. online comm. online round total comm.
MoT(m) 1
Table 3.2: Communication of MoT(m)

4 MPC protocol for secure comparison

In this section we supply an MPC protocol for secure comparison. For that purpose we first give a protocol for searching for the first non-zero bit; once this is done, the whole secure comparison can be completed with much less communication. We finish the section with the MPC protocol for secure comparison.

For a positive integer , below we shall often use the notation

4.1 MPC protocol to search first non-zero bit

Let be a prime number, and let , hold a share representation of a non-zero vector in . Here vector is a vector satisfying

We will give an MPC protocol to search the first non-zero bit of . At the end of the protocol, , will get the share representation of which is in .

Let be the semi-direct product of the groups and ([3]). The underlying set of the group is the Cartesian product while the group operation is defined by

Here is the -th circular left shift operator on and is the multiply by ” operator on , i.e., for , we have

and

respectively.

It is not difficult to verify that is a non-commutative group with the identity . One can define the module structure on as follows:

Then we have the following Lemma.

Lemma 4.1.

Let be the semi-direct product of the group and the group . There is a -orbit decomposition

of , where is the subset of consisting of the elements of Hamming weight .

Now we give an MPC protocol for computing the first differing bit of two private numbers. The main idea is the following lemma:

Lemma 4.2.

Let be a prime number, and let be a element in . Let defined as

Thus for all . Let be a map

Then we have is the unique such that .

Proof. First we claim that is the unique such that . That is because if , for , which implies ; while if , then is the only solution such that of .

Now it is not difficult to see that is the unique such that both and . Thus is the unique such that which finish the proof. ∎


Following Lemma 4.2, we design an MPC protocol to compute the first non-zero bit of a non-zero vector in , where the input is its share representation in and the output is a share representation in . The principle is that, if we define and as in Lemma 4.2, and and the group as in Lemma 4.1, then the orbit is the unique orbit of Hamming weight in the decomposition of Lemma 4.1, which is common information for all parties. If there are and such that , then the first non-zero bit of is , where is the first non-zero bit of .

Now we give an MPC protocol to compute the first non-zero bit of a non-zero vector in Algorithm 6:

1:Let be a prime number, hold a share representation of a non-zero vector
2:, obtain the share representation of in the group .
3: compute locally for ;
4: compute the share representation of locally for ;
5: run the GMR(, ) protocol; gets an element and obtains an element such that ;
6: take the only such that
7:return .
Algorithm 6 First non-zero bit: FNZ(p, n)

The round and communication of the protocol FNZ(p, n) are the same as those of GMR(G, ), where . Explicitly one has Table 4.1.

Protocol offline com. online comm. online round total comm.
FNZ(p, n) 1
Table 4.1: Communication of FNZ(n)

4.2 MPC protocol for secure comparison

In this subsection we give the MPC protocol for secure comparison. The idea is that, for two non-zero elements and , if is the right-most bit such that , then .

The algorithm is as below:

1: holds , holds .
2:, get the share representation of () in
3: writes as the binary representation such that , writes as the binary representation such that ;
4: puts , puts ;
5:For each bit , , and run the MoT(p) protocol for and independently, and , get the share representation of in ;
6:Let hold the first and second component of the share representation of separately;
7: and run the FNZ(p, n+1) protocol for and obtain the share representation of ;
8: computes the circular left shift ;
9: and run the protocol AOT(, ), and then obtain the share representation of
10:return .
Algorithm 7 Secure compare: SC(n)

Communication analysis: The SC(n) protocol uses n+1 calls of MoT(p), one call of FNZ(p, n+1) and one call of AOT, where p is a prime number. The communication is given in Table 4.2.

Protocol offline com. online comm. online round total comm.
MoT(p) 1
FNZ(p, n+1) 1
AOT(, ) 1 1
SC(n) 3
  • is a prime number.

Table 4.2: Communication of SC(n)
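As an added example (my code, not the paper's), the following Python program puts the pieces above together into a complete SC(n) run: the G-module recover protocol of Section 2.3 on the shift-and-scale group of Section 4.1, FNZ (Algorithm 6), MoT(p) (Algorithm 5) and AOT (Algorithm 4), with a third party that only hands out correlated randomness. The concrete group convention, the sentinel bit that makes the XOR vector non-zero, and the exact messages are my reconstructions from the prose, since the page's formulas are missing; in particular the recover and AOT steps here use two sequential messages, so read round counts from Tables 2.3 to 4.2, not from this code. The parameters (n = 8 bits, p = 11) are chosen for the demo only.

```python
import secrets

# Demo parameters (assumption, not the paper's table values): n-bit inputs,
# vectors of length n+1 over F_p with p prime and p > n+1, so the prefix sums
# of Lemma 4.2 never wrap around modulo p.
N_BITS = 8
P = 11

# G = Z_m x| (F_p^*)^m (Section 4.1) acting on A = F_p^m.  An element is (s, lam):
# a circular shift by s followed by a componentwise scaling by lam.  Convention
# chosen here: (s, lam) . a = lam * rot_s(a) with rot_s(a)[i] = a[(i + s) mod m].
# The action preserves Hamming weight; weight m-1 (a single zero) is one orbit.

def rot(v, s):
    m = len(v)
    return [v[(i + s) % m] for i in range(m)]

def act(g, a, p):
    s, lam = g
    return [(l * x) % p for l, x in zip(lam, rot(a, s))]

def g_inverse(g, p):
    s, lam = g                       # (s, lam)^-1 = (-s, rot_{-s}(lam^-1))
    return (-s % len(lam), rot([pow(l, -1, p) for l in lam], -s))

def random_g(m, p):
    return (secrets.randbelow(m), [1 + secrets.randbelow(p - 1) for _ in range(m)])

def vec_add(u, v, p):
    return [(a + b) % p for a, b in zip(u, v)]

def vec_sub(u, v, p):
    return [(a - b) % p for a, b in zip(u, v)]

def random_vec(m, p):
    return [secrets.randbelow(p) for _ in range(m)]

def gmr(a0, a1, p):
    """G-module recover (Section 2.3), reconstructed flow: P0 ends with g, P1 with b,
    such that g . b = a0 + a1.  P1 sends first, then P0 (two sequential messages)."""
    m = len(a0)
    g_prime = random_g(m, p)                    # P2, offline: random g' for P0
    a_prime = random_vec(m, p)                  # P2, offline: random mask a' for P1
    e0 = random_vec(m, p)                       # P2: shares of g'^-1 . a', e0 to P0 ...
    e1 = vec_sub(act(g_inverse(g_prime, p), a_prime, p), e0, p)   # ... e1 to P1
    m1 = vec_sub(a1, a_prime, p)                # P1 -> P0: a1 - a' (uniform, hides a1)
    masked = vec_add(a0, m1, p)                 # P0 now holds a - a'
    m0 = vec_add(act(g_inverse(g_prime, p), masked, p), e0, p)   # P0 -> P1: b - e1
    return g_prime, vec_add(m0, e1, p)          # (P0's g, P1's b = g'^-1 . a)

def fnz(x0, x1, p):
    """First non-zero bit (Algorithm 6): x0, x1 are F_p shares of a 0/1 vector x != 0.
    Returns Z_m shares (i_0, i_1) of the first index i0 with x[i0] = 1."""
    m = len(x0)
    def lemma42(xs, const):          # w_i = const - x_i + sum_{j<i} x_j, computed locally
        w, running = [], 0
        for xi in xs:
            w.append((const - xi + running) % p)
            running = (running + xi) % p
        return w
    w0, w1 = lemma42(x0, 1), lemma42(x1, 0)   # w = w0 + w1 is zero exactly at i0 (p > m)
    (s, _lam), b = gmr(w0, w1, p)             # w = g . b, so b's unique zero is at j = i0 + s
    j = b.index(0)                            # P1's local search in the weight m-1 orbit
    return (-s) % m, j                        # i0 = (-s) + j mod m

def mot(b0, b1, p):
    """Module transform (Algorithm 5): Z_2 shares (b0, b1) of a bit -> Z_p shares of it."""
    r = secrets.randbelow(2)                  # P2, offline: random bit r ...
    r0 = secrets.randbelow(2); r1 = r ^ r0    # ... shared in Z_2 ...
    R0 = secrets.randbelow(p); R1 = (r - R0) % p   # ... and in Z_p
    e = (b0 ^ r0) ^ (b1 ^ r1)                 # online, one round: both reveal b_k ^ r_k
    # b = e ^ r = e + r - 2*e*r is linear in r, so the Z_p shares of r carry over
    return (e + R0 - 2 * e * R0) % p, (R1 - 2 * e * R1) % p

def aot(f, x):
    """Assistant OT (Algorithm 4), reconstructed flow: P0 holds a table f: Z_m -> Z_2,
    P1 holds x in Z_m; returns Z_2 shares of f[x].  P1 sends first, then P0."""
    m = len(f)
    r = secrets.randbelow(m)                  # P2, offline: r to P1
    F = [secrets.randbelow(2) for _ in range(m)]   # P2: random table F to P0
    t = secrets.randbelow(2)                  # P2: P0's output share t; P1 gets F[r] ^ t
    u = F[r] ^ t
    d = (x - r) % m                           # P1 -> P0: hides x
    h = [fk ^ Fk for fk, Fk in zip(rot(f, d), F)]  # P0 -> P1: (L_d f) + F, hides f
    return t, h[r] ^ u                        # h[r] = f[x] ^ F[r]

def bits_msb_first(x, n):
    return [(x >> (n - 1 - i)) & 1 for i in range(n)]

def secure_compare(x, y, n=N_BITS, p=P):
    """Secure compare SC(n) (Algorithm 7): P0 holds x, P1 holds y, both n-bit.
    Returns Z_2 shares (c0, c1) with c0 ^ c1 = [x > y]."""
    assert p > n + 1
    xb = bits_msb_first(x, n) + [0]           # sentinel pair (0, 1): x' xor y' is never
    yb = bits_msb_first(y, n) + [1]           # zero, and x == y resolves to "not greater"
    d0, d1 = zip(*(mot(bx, by, p) for bx, by in zip(xb, yb)))   # own bits are Z_2 shares
    i_0, i_1 = fnz(list(d0), list(d1), p)     # index of the most significant differing bit
    return aot(rot(xb, i_0), i_1)             # P0 rotates x' by its share; AOT picks x'[i0]
```

In `fnz`, the only thing P1 learns is `b`, a uniformly random element of the weight m-1 orbit, which is exactly the common information the text says the parties are allowed to have; the position of its zero is meaningless without P0's shift.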

Table 4.3 compares our protocol with some known protocols [7, 5, 8, 9]. Our total communication is clearly much less.

n    Protocol          offline comm.   online comm.   online round   total comm.
n    Our                                              3
n    FSS [7] **                        2n             1
n    NPSETC SC1 [5]
n    NPSETC SC2 [5]
n    NPSETC SC3 [5]
32   Our               340             446            3              786
32   FSS [7]                           64             1
32   NPSETC SC1 [5]    15120           530            12             15650
32   NPSETC SC2 [5]    12568           3125           7              15693
32   NPSETC SC3 [5]    12394           622            10             13016
32   GSV07 [8]         14062           1068           6              15130
32   KSS09 [9]         12352           12320          2              24672
64   Our               784             988            3              1772
64   FSS [7]                           128            1
64   NPSETC SC1 [5]    31388           1120           12             32508
64   NPSETC SC2 [5]    28872           4138           7              33010
64   NPSETC SC3 [5]    28786           1286           10             30072
64   GSV07 [8]         29072           2208           7              31280
64   KSS09 [9]         24804           24640          2              49344
128  Our               1809            2207           3              4016
128  FSS [7]                           256            1
128  NPSETC SC1 [5]    52121           2101           12             54222
128  NPSETC SC2 [5]    48031           5801           7              53832
128  NPSETC SC3 [5]    47963           2239           10             50202
128  GSV07 [8]         59250           4500           8              63750
128  KSS09 [9]         49408           49280          2              98688
  • Here p is a prime number with .

  • ** In paper [7], .

Table 4.3: Comparison with existing SC protocols

5 MPC protocol for DReLU

In the fixed-point representation of real numbers, two's complement is usually used to represent negative numbers; hence, in order to confirm that a number is not negative, we need to check whether its most significant bit is 0 or not.

In the share representation of , one can write and in the binary form

where for all . In terms of the binary form of and , we shall use the notation and respectively.

Now we define , to be two elements in as

Then we get the following lemma.

Lemma 5.1.

The boolean value of () is equal to under the identities true = 1 and false = 0.

Proof: It is known that if and only if

One can reduce this boolean expression algebraically. We have

Simplifying the right-hand side of the above equation, we get

which finishes the proof of the lemma. ∎
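An added worked derivation of the reduction behind Lemma 5.1 (my notation, since the page's own formulas did not survive extraction; not the paper's text). Take an n-bit two's-complement value x shared additively as x = x_0 + x_1 mod 2^n, and split each share into its top bit and its low n-1 bits:

```latex
\begin{aligned}
x_k &= m_k\,2^{\,n-1} + r_k, \qquad m_k \in \{0,1\},\ 0 \le r_k < 2^{\,n-1}, \quad k = 0,1 \\
r_0 + r_1 &= c\,2^{\,n-1} + s, \qquad c = [\,r_0 + r_1 \ge 2^{\,n-1}\,],\ 0 \le s < 2^{\,n-1} \\
x &\equiv (m_0 + m_1 + c)\,2^{\,n-1} + s \pmod{2^n}
   \quad\Longrightarrow\quad \mathrm{msb}(x) = m_0 \oplus m_1 \oplus c \\
\mathrm{DReLU}(x) &= [\,x \ge 0\,] = 1 \oplus \mathrm{msb}(x) = 1 \oplus m_0 \oplus m_1 \oplus c \\
c &= [\,r_0 > 2^{\,n-1} - 1 - r_1\,] = [\,u > v\,], \qquad u := r_0,\quad v := 2^{\,n-1} - 1 - r_1
\end{aligned}
```

Here u is computed locally by the holder of x_0 and v by the holder of x_1, both in the range [0, 2^{n-1}). One call of the secure comparison on (u, v) returns Z_2 shares (c_0, c_1) of the carry c, and the parties output 1 ⊕ m_0 ⊕ c_0 and m_1 ⊕ c_1 as their Z_2 shares of DReLU(x), which is the "no extra communication" reduction claimed in the introduction.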

We give the algorithm of our DReLU protocol in the hybrid model in Algorithm 8, list the communication of our protocol in Table LABEL:T_DReLUn, and compare our protocol DReLU(n) with some existing protocols in Table LABEL:T_Compare_DReLU. Note that in both Table LABEL:T_DReLUn and Table LABEL:T_Compare_DReLU, p is a prime number greater than or equal to .

1: hold a share representation in .
2:, get the share representation of () in ;
3: has the bits of and the last bit of , has the bits of and the last bit of respectively;
4: and call for and get the share representation of