New Primitives for Actively-Secure MPC over Rings with · New Primitives for Actively-Secure MPC...
32
New Primitives for Actively-Secure MPC over Rings with Applications to Private Machine Learning a Ivan Damg˚ ard 1 Daniel Escudero 1 Tore Frederiksen 2 Marcel Keller 3 Peter Scholl 1 Nikolaj Volgushev 2 May 19, 2019 1 Aarhus University, Denmark 2 Alexandra Institute, Denmark 3 Data61, CSIRO, Australia a This work has been supported by the European Research Council (ERC) under the European Unions Horizon 2020 research and innovation programme under grant agreements No 669255 (MPCPRO), No 731583 (SODA) and the Danish Independent Research Council under Grant-ID DFF6108-00169 (FoCC).
Transcript of New Primitives for Actively-Secure MPC over Rings with · New Primitives for Actively-Secure MPC...
-
New Primitives for Actively-Secure MPC over Rings with
Applications to Private Machine Learninga
Ivan Damg̊ard1 Daniel Escudero1 Tore Frederiksen2 Marcel Keller3 Peter Scholl1
Nikolaj Volgushev2
May 19, 2019
1Aarhus University, Denmark
2Alexandra Institute, Denmark
3Data61, CSIRO, Australia
aThis work has been supported by the European Research Council (ERC) under the European Unions Horizon 2020 research and innovation
programme under grant agreements No 669255 (MPCPRO), No 731583 (SODA) and the Danish Independent Research Council under Grant-ID
DFF6108-00169 (FoCC).
-
Introduction
-
MPC
Trusted
Party
Trusted
Party
Alice Bob
Charlie Dave
x1 x2
x3 x4
z z
z z
1
-
MPC
Trusted
Party
Trusted
Party
Alice Bob
Charlie Dave
x1 x2
x3 x4
z z
z z
1
-
MPC
Trusted
Party
Trusted
Party
Alice Bob
Charlie Dave
x1 x2
x3 x4
z z
z z
1
-
MPC
Trusted
Party
Trusted
Party
Alice Bob
Charlie Dave
x1 x2
x3 x4
z z
z z
1
-
Many different approaches to MPC
Circuits over F2
• Garbled Circuits• BMR• GMW• · · ·
Circuits over Fp
• BGW• BeDOZa• SPDZ• MASCOT• · · ·
Circuits over Z2k (dishonest majority and active security)
• SPDZ2k , Cramer et al. CRYPTO’18.
2
-
Benefits of Z2k
(Already conjectured in SPDZ2k )
• Computation modulo 264 or 232 can be done natively in hardware.• Easier compilation of pre-existing programs to MPC programs.• Computation modulo powers of 2 should be “more compatible” with computation
modulo 2.
3
-
Benefits of Z2k
(Already conjectured in SPDZ2k )
• Computation modulo 264 or 232 can be done natively in hardware.
• Easier compilation of pre-existing programs to MPC programs.• Computation modulo powers of 2 should be “more compatible” with computation
modulo 2.
3
-
Benefits of Z2k
(Already conjectured in SPDZ2k )
• Computation modulo 264 or 232 can be done natively in hardware.• Easier compilation of pre-existing programs to MPC programs.
• Computation modulo powers of 2 should be “more compatible” with computationmodulo 2.
3
-
Benefits of Z2k
(Already conjectured in SPDZ2k )
• Computation modulo 264 or 232 can be done natively in hardware.• Easier compilation of pre-existing programs to MPC programs.• Computation modulo powers of 2 should be “more compatible” with computation
modulo 2.
3
-
Our Contribution
New sub-protocols for SPDZ2k
We expand SPDZ2k with a series of sub-protocols to enhance the potential rangeof applications.
• Arithmetic-Binary share conversions• Random-bit generation• Bit-decomposition• Secure truncation, comparison and equality check.
4
-
SPDZ2k implementation
We implement the SPDZ2k protocol in Java, as part of the FRamework for Effi-cient Secure COmputation (FRESCO).
• Our implementation contains several optimizations that can be ofindependent interest.
• In the microbenchmarks we observe several improvements with respect toother protocols over fields.
5
-
Applications to Secure Machine Learning
We illustrate the benefits of our techniques by performing certain ML tasks in
SPDZ2k and observe several improvements with respect to other protocols overfields. We consider:
• Secure evaluation of Decision Trees• Secure evaluation of Support Vector Machines
6
-
SPDZ2k
-
SPDZ2k in a nutshell
Additive Authenticated Secret-Sharing over Z2k
x ∈ Z2k is shared, denoted by [x ]2k , if• Each Pi has x i , αi ,mi ∈ Z2k+s•∑
x i ≡k+s x ′ with x ′ ≡k x•∑αi ≡k+s α, where α ∈ Z2s is a random global key
•∑
mi ≡k+s α · x ′.
x ≡ y mod 2` is abbreviated by x ≡` y
7
-
Secure computation with preprocessing
Input phase
[xi ]2k = (xi − ri )︸ ︷︷ ︸broadcast
+[ri ]2k
where xi are the inputs and (ri , [ri ]2k ) is preprocessed.
Addition gates
[x + y ]2k = [x ]2k + [y ]2k
Multiplication gates
[x · y ]2k = [c]2k + (x − a)︸ ︷︷ ︸open
·[b]2k + (y − b)︸ ︷︷ ︸open
·[a]2k + (x − a)︸ ︷︷ ︸open
(y − b)︸ ︷︷ ︸open
where ([a]2k , [b]2k , [c]2k ) is preprocessed with c = a · b.8
-
Primitives for MPC Modulo 2k
-
Z2 Triple
[·]2k → [·]2
[·]2 → [·]2k
Random
Bit
Z2k Triple
〈·〉 → [·]2
TinyOT
Triple
TruncP
BitDec
EQZ
MSB, LTZ
BitLT
Carry
SVM
Decision
Trees
9
-
Z2 Triple
[·]2k → [·]2
[·]2 → [·]2k
Random
Bit
Z2k Triple
〈·〉 → [·]2
TinyOT
Triple
TruncP
BitDec
EQZ
MSB, LTZ
BitLT
Carry
SVM
Decision
Trees
10
-
Generating Random Bits [b]2k (Intuition)
Ideal Protocol
1. Sample [r ]2k at random and let [a]2k = [r2]2k .
2. Open a. Let c be some square root of a.
3. Compute [d ]2k = c−1[r ]2k .
• Now d is a random square root of 1, so d ∈R {−1,+1}.
4. Output [b]2k , where b = (d + 1)/2.
11
-
Generating Random Bits [b]2k (Intuition)
Ideal Protocol
1. Sample [r ]2k at random and let [a]2k = [r2]2k .
2. Open a. Let c be some square root of a.
3. Compute [d ]2k = c−1[r ]2k .
• Now d is a random square root of 1, so d ∈R {−1,+1}.
4. Output [b]2k , where b = (d + 1)/2.
11
-
Generating Random Bits [b]2k (Intuition)
Actual Protocol
1. Sample [r ]2k+2 at random, where r is odd, and let [a]2k+2 = [r2]2k+2 .
2. Open a. Let c be some square root of a.
3. Compute [d ]2k+2 = c−1[r ]2k+2
• Now d is a random square root of 1 mod 2k+2, sod ∈R {−1,+1,−1 + 2k+1,+1 + 2k+1}.
4. Output [b]2k , where b ≡k (d + 1)/2.
12
-
Share Conversions
[b]2k → [b]2
Local reduction modulo 2.a
aIn fact, it is reduction modulo 2s+1 for the extra s “MAC” bits.
[b]2 → [b]2k
1. Sample a random bit [r ]2k (r ∈ Z2)2. Convert [r ]2k to [r ]2.
3. Open [c] = [b]2 ⊕ [r ]24. Output [b]2k = [r ]2k + [c]2k − 2[r ]2k [c]2k
13
-
Bit Decomposition: [x ]2k → ([x0]2k , . . . , [xk−1]2k )
1. Sample random bits [r0]2k , . . . , [rk−1]2k and let [r ]2k =∑k−1
i=0 2i [ri ]2k .
2. Compute [a]2k = [x ]2k − [r ]2k and open a.3. Convert ([r0]2k , . . . , [rk−1]2k ) to ([r0]2, . . . , [rk−1]2).
4. Compute the binary circuit
([x0]2, . . . , [xk−1]2) = ADD ((a0, . . . , ak−1), ([r0]2, . . . , [rk−1]2)) .
5. Convert the result ([x0]2, . . . , [xk−1]2) to ([x0]2k , . . . , [xk−1]2k ).
14
-
Implementation and Benchmarks
-
Online Phase - Micro Operations
Throughput in elements per second for the online phase of micro operations over 1
Gbps network. The factor columns express the runtime improvement factor of SPDZ2kover SPDZ in FRESCO.
k = 32 k = 64
SPDZ2k
(σ = 26) SPDZ (σ = 26) Factor SPDZ2k
(σ = 57) SPDZ (σ = 57) Factor
Multiplication 687041 141346 4.9x 522258 114071 4.6x
Equality 15334 3213 4.8x 6902 1282 5.4x
Comparison 9153 1769 5.2x 4514 756 6.0x
15
-
Online Phase for SVMs Evaluation
Online phase benchmarking of SVM evaluation over 1 Gbps network. The factor
columns express the runtime improvement factor of SPDZ2k over SPDZ in FRESCO.Times are in milliseconds per sample.
k = 32, σ = 26 k = 64, σ = 57
Dataset Num. Classes, Features Batch Size SPDZ2k
SPDZ Factor SPDZ2k
SPDZ Factor
CIFAR 10, 2048 1 82 ms 214 ms 2.6x 99 ms 255 ms 2.6x
MIT 67, 2048 1 379 ms 1318 ms 3.5x 499 ms 1582 ms 3.2x
ALOI 463, 128 1 242 ms 857 ms 3.5x 362 ms 1312 ms 3.6x
CIFAR 10, 2048 5 39 ms 168 ms 4.3x 57 ms 209 ms 3.7x
MIT 67, 2048 5 225 ms 1101 ms 4.9x 294 ms 1428 ms 4.9x
ALOI 463, 128 5 162 ms 741 ms 4.6x 244 ms 1220 ms 5.0x
16
-
Online Phase for Decision Trees Evaluation
Online phase benchmarking of evaluation of decision trees over 1 Gbps network. The
factor columns express the runtime improvement factor of SPDZ2k over SPDZ inFRESCO. Times are in milliseconds per sample.
k = 32, σ = 26 k = 64, σ = 57
Dataset Depth, Num. Features Batch Size SPDZ2k
SPDZ Factor SPDZ2k
SPDZ Factor
Hill Valley 3, 100 1 21 ms 24 ms 1.2x 26 ms 34 ms 1.3x
Spambase 6, 57 1 48 ms 104 ms 2.2x 56 ms 128 ms 2.3x
Diabetes 9, 8 1 80 ms 215 ms 2.7x 122 ms 443 ms 3.6x
Hill Valley 3, 100 5 6 ms 10 ms 1.7x 7 ms 15 ms 2.1x
Spambase 6, 57 5 14 ms 40 ms 2.9x 17 ms 68 ms 4.0x
Diabetes 9, 8 5 41 ms 185 ms 4.5x 78 ms 376 ms 4.8x
17
-
Triple Generation Throughput
1 2 3 4
Number of threads
0
500
1000
1500
2000
2500
3000
SPDZ2k (k = 32, σ= 26) SPDZ2k (k = 64, σ = 57) Mascot (128 bit field)Overdrive (k = 64 (128 bit field), σ = 57) Overdrive (k = 32 (64 bit field), σ = 40)
1 2 3 4
Number of threads
0500
100015002000250030003500
Thr
ough
put
[per
seco
nd]
(a) WAN (50 Mbps, 100 ms
latency)
1 2 3 4
Number of threads
05000
100001500020000250003000035000
Thr
ough
put
[per
seco
nd]
(b) LAN (1 Gbps, 0.1 ms
latency)
1 2 3 4
Number of threads
05000
100001500020000250003000035000
Thr
ough
put
[per
seco
nd]
(c) LAN (10 Gbps, 0.1 ms
latency)
18
-
Conclusions
• We implemented the SPDZ2k protocol along with practical primitives for MPCmod 2k .
• We saw up to a 5-fold improvement in computation for various tasks, and up to a85-fold reduction in online communication costs for secure comparison, as
compared to the field setting.
Future Work
• Close the gap for the preprocessing.• Expand the range of applications for computation modulo 2k .
19
-
Thank you!
19
IntroductionSPDZ2kPrimitives for MPC Modulo 2kImplementation and Benchmarks
