Abstract
An important research direction in secure multi-party computation (MPC) is to improve the efficiency of the protocol. One idea that has recently received attention is to consider a slightly weaker security model than full malicious security – the so-called setting of covert security. In covert security, the adversary may cheat but only is detected with certain probability. Several works in covert security consider the offline/online approach, where during a costly offline phase correlated randomness is computed, which is consumed in a fast online phase. State-of-the-art protocols focus on improving the efficiency by using a covert offline phase, but ignore the online phase. In particular, the online phase is usually assumed to guarantee security against malicious adversaries. In this work, we take a fresh look at the offline/online paradigm in the covert security setting. Our main insight is that by weakening the security of the online phase from malicious to covert, we can gain significant efficiency improvements during the offline phase. Concretely, we demonstrate our technique by applying it to the online phase of the well-known TinyOT protocol (Nielsen et al., CRYPTO ’12). The main observation is that by reducing the MAC length in the online phase of TinyOT to t bits, we can guarantee covert security with a detection probability of \(1- \frac{1}{2^t}\). Since the computation carried out by the offline phase depends on the MAC length, shorter MACs result in a more efficient offline phase and thus speed up the overall computation. Our evaluation shows that our approach reduces the communication complexity of the offline protocol by at least 35% for a detection rate up to \(\frac{7}{8}\). In addition, we present a new generic composition result for analyzing the security of online/offline protocols in terms of concrete security.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Covert security with deterrence factor 1 can be realized by a maliciously secure protocol as shown by Asharov and Orlandi [AO12].
References
Archer, D.W.: From keys to databases - real-world applications of secure multi-party computation. Comput. J. 61(12), 1749–1771 (2018)
Aumann, Y., Lindell, Y.: Security against covert adversaries: efficient protocols for realistic adversaries. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 137–156. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_8
Asharov, G., Orlandi, C.: Calling out cheaters: covert security with public verifiability. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 681–698. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_41
Boyle, E., Couteau, G., Gilboa, N., Ishai, Y., Kohl, L., Scholl, P.: Efficient pseudorandom correlation generators: silent OT extension and more. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 489–518. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_16
Boyle, E., Couteau, G., Gilboa, N., Ishai, Y., Kohl, L., Scholl, P.: Correlated pseudorandom functions from variable-density LPN. In: FOCS (2020)
Boyle, E., Couteau, G., Gilboa, N., Ishai, Y., Kohl, L., Scholl, P.: Efficient pseudorandom correlation generators from ring-LPN. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 387–416. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_14
Baum, C., Cozzo, D., Smart, N.P.: Using topgear in overdrive: a more efficient ZKPoK for SPDZ. In: Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, pp. 274–302. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38471-5_12
Burra, S.S., et al.: High-performance multi-party computation for binary circuits based on oblivious transfer. J. Cryptology 34(3), 1–87 (2021). https://doi.org/10.1007/s00145-021-09403-1
Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptology 13(1), 143–202 (2000). https://doi.org/10.1007/s001459910006
Cramer, R., Damgård, I., Escudero, D., Scholl, P., **ng, C.: SPD\(\mathbb{Z}_{2^k}\): efficient MPC mod \(2^k\) for dishonest majority. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 769–798. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_26
Chen, H., Kim, M., Razenshteyn, I., Rotaru, D., Song, Y., Wagh, S.: Maliciously secure matrix multiplication with applications to private deep learning. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 31–59. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_2
Dittmer, S., Ishai, Y., Lu, S., Ostrovsky, R.: Authenticated Garbling from Simple Correlations. In: Dodis, Y., Shrimpton, T. (eds.) Advances in Cryptology - CRYPTO 2022. LNCS, vol. 13510. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15985-5_3
Damgård, I., Keller, M., Larraia, E., Pastro, V., Scholl, P., Smart, N.P.: Practical covertly secure MPC for dishonest majority – or: breaking the SPDZ limits. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 1–18. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40203-6_1
Damgård, I., Nielsen, J.B., Nielsen, M., Ranellucci, S.: The tinytable protocol for 2-party secure computation, or: gate-scrambling revisited. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 167–187. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_6
Damgård, I., Orlandi, C., Simkin, M.: Black-Box transformations from passive to covert security with public verifiability. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 647–676. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_23
Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_38
Damgård, I., Zakarias, S.: Constant-overhead secure computation of boolean circuits using preprocessing. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 621–641. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_35
Faust, S., Hazay, C., Kretzler, D., Schlosser, B.: Generic compiler for publicly verifiable covert multi-party computation. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 782–811. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_27
Faust, S., Hazay, C., Kretzler, D., Schlosser, B.: Putting the online phase on a diet: covert security from short macs. Cryptology ePrint Archive, Paper 2023/052 (2023). https://eprint.iacr.org/2023/052
Frederiksen, T.K., Keller, M., Orsini, E., Scholl, P.: A unified approach to MPC with preprocessing using OT. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 711–735. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_29
Hazay, C., Orsini, E., Scholl, P., Soria-Vazquez, E.: Concretely efficient large-scale MPC with active security (or, TinyKeys for TinyOT). In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 86–117. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_4
Ishai, Y., Ostrovsky, R., Zikas, V.: Secure multi-party computation with identifiable abort. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 369–386. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_21
Keller, M., Orsini, E., Scholl, P.: MASCOT: faster malicious arithmetic secure computation with oblivious transfer. In: CCS (2016)
Keller, M., Pastro, V., Rotaru, D.: Overdrive: making SPDZ great again. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 158–189. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_6
Katz, J., Ranellucci, S., Rosulek, M., Wang, X.: Optimizing authenticated garbling for faster secure two-party computation. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 365–391. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_13
Knott, B., Venkataraman, S., Hannun, A., Sengupta, S., Ibrahim, M., van der Maaten, L.: Secure multi-party computation meets machine learning. In: NeurIPS, Crypten (2021)
Larraia, E., Orsini, E., Smart, N.P.: Dishonest majority multi-party computation for binary circuits. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 495–512. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_28
MPC Alliance. https://www.mpcalliance.org/. Accessed 14 Oct 2022
McQuoid, I., Rosulek, M., Roy, L.: Batching base oblivious transfers. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13092, pp. 281–310. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92078-4_10
Nielsen, J.B., Nordholt, P.S., Orlandi, C., Burra, S.S.: A new approach to practical active-secure two-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 681–700. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_40
Orsini, E.: Efficient, actively secure MPC with a dishonest majority: a survey. In: Bajard, J.C., Topuzoğlu, A. (eds.) WAIFI 2020. LNCS, vol. 12542, pp. 42–71. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-68869-1_3
Scholl, P., Simkin, M., Siniscalchi, L.: Multiparty computation with covert security and public verifiability. In: ITC (2022)
Volgushev, N., Schwarzkopf, M., Getchell, B., Varia, M., Lapets, A., Bestavros, A.: Conclave: secure multi-party computation on big data. In: EuroSys (2019)
Wang, X., Ranellucci, S., Katz, J.: Authenticated garbling and efficient maliciously secure two-party computation. In: CCS (2017)
Wang, X., Ranellucci, S., Katz, J.: Global-scale secure multiparty computation. In: CCS (2017)
Yang, K., Wang, X., Zhang, J.: More efficient MPC from improved triple generation and authenticated garbling. In: CCS (2020)
ZenGo - crypto wallet app. https://zengo.com/. Accessed 14 Oct 2022
Acknowledgments
The first, third, and fourth authors were supported by the German Federal Ministry of Education and Research (BMBF) iBlockchain project (grant nr. 16KIS0902), by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) SFB 1119 - 236615297 (CROSSING Project S7), and by the BMBF and the Hessian Ministry of Higher Education, Research, Science and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE. The second author was supported by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office, and by ISF grant No. 1316/18.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendix
Discussion of Constraints on Online Protocol
In this section, we discuss the constraints on the online protocol used in our theorem. These constraints emerged from technical issues and it is unclear how to prove our deterrence replacement theorem in a more generic setting. Recall that in our proof \(\mathcal {S}\) uses the simulator \(\mathcal {S}_1\) which exists since \(\pi _\textsf{on}\) is covertly secure in the \(\mathcal {F}_\textsf{off}^1\)-hybrid world.
First, the hybrid functionality \(\mathcal {F}_\textsf{off}\) needs to be called directly at the beginning. This enables the simulator \(\mathcal {S}\) to react to the adversary’s cheating decision in the offline phase, i.e., its input to \(\mathcal {F}_\textsf{off}\), right at the start of the simulation. More specifically, \(\mathcal {S}\) uses the black-box simulator \(\mathcal {S}_1\) in case the adversary does not cheat and simulates on its own in case there is a cheating attempt. If there would be protocol interactions before the call to \(\mathcal {F}_\textsf{off}\), \(\mathcal {S}\) would have to decide whether it simulates this interactions itself or via \(\mathcal {S}_1\). This means that the adversary’s input to \(\mathcal {F}_\textsf{off}\) could require \(\mathcal {S}\) to change its decision, e.g., require \(\mathcal {S}\) to simulate the following steps itself while \(\mathcal {S}\) initially used \(\mathcal {S}_1\) for the earlier steps. This leads to a problem as \(\mathcal {S}\) uses \(\mathcal {S}_1\) in a black-box way, and hence, can only use it for all or none of the protocol steps. Rewinding does not solve the problem as a change in the simulation of the steps before the call to \(\mathcal {F}_\textsf{off}\) can influence the adversary’s input to \(\mathcal {F}_\textsf{off}\), and hence, \(\mathcal {S}\)’s decision to simulate the steps afterwards based on \(\mathcal {S}_1\) or not.
Second, we require that in case \(\mathcal {F}_\textsf{off}\) outputs \(\textsf{corrupted}\), the protocol \(\pi _\textsf{on}\) instructs the parties to output \(\textsf{corrupted}\) as well. This is due to some subtle detail in the security proof. As \(\mathcal {S}_1\) runs in a world, in which cheating in the offline phase is not possible, \(\mathcal {S}_1\) does not know how to deal with undetected cheating. Further, we treat the protocol \(\pi _\textsf{on}\) in a black-box way. Due to these facts, the only way for \(\mathcal {S}\) to simulate the case of undetected cheating is to follow the actual protocol. To do so in a consistent way, \(\mathcal {S}\) has to get the input of the honest parties. Hence, \(\mathcal {S}\) has to notify the ideal covert functionality \(\mathcal {F}_\textsf{on}^{\epsilon _\textsf{on}}\) about the cheating attempt in the offline phase. In case of detected cheating, \(\mathcal {F}_\textsf{on}^{\epsilon _\textsf{on}'}\) sends \(\textsf{corrupted}\) to the honest parties and thus the honest parties output \(\textsf{corrupted}\) in the ideal world. In order to achieve indistinguishability between the ideal world and the real world, \(\pi _\textsf{on}\) needs to instruct the honest parties to output \(\textsf{corrupted}\) in the real world, too.
Finally, we emphasize that known offline/online protocols (SPDZ [DPSZ12], TinyOT [NNOB12], authenticated garbling [WRK17a, WRK17b]) either directly fulfill the aforementioned requirements or can easily be adapted to do so.
Comparison of Theorem 1 with [AL07]
Aumann and Lindell [AL07] presented a sequential composition theorem for the (strong) explicit cheat formulation. The theorem shows that a protocol \(\pi \) that is covertly secure in an \((\mathcal {F}_1^{\epsilon _1}, \ldots , \mathcal {F}_{p(n)}^{\epsilon _{p(n)}})\)-hybrid world with deterrence factor \(\epsilon _\pi \), i.e., parties have access to a polynomial number of functionalities \(\mathcal {F}_1, \ldots , \mathcal {F}_{p(n)}\) with deterrence factor \(\epsilon _1, \ldots , \epsilon _{p(n)}\), respectively, is also covertly secure with deterrence \(\epsilon _\pi \) if functionality \(\mathcal {F}_i\) is replaced by a protocol \(\pi _i\) that realizes \(\mathcal {F}_i\) with deterrence factor \(\epsilon _i\) for \(i \in \{1, \ldots , p(n)\}\). This theorem allows to analyze the security of a protocol in a hybrid model and replace the hybrid functionalities with subprotocols afterwards. Aumann and Lindell already noted that the computation of the deterrence factor \(\epsilon _\pi \) needs to take all the deterrence factors of the subprotocols into account. However, the theorem does not make any statement about how the individual deterrence factors influence the deterrence factor of the overall protocol and neither analyzes the effect of changing some of the deterrence factors \(\epsilon _i\).
Out theorem takes on step further and addresses the aforementioned drawbacks. In particular, it allows to analyze the security of a protocol in a simple hybrid world, in which the hybrid functionality is associated with deterrence factor 1. As there is no successful cheating in the hybrid functionality, a proof in this hybrid world is expected to be much simpler. The same holds for the calculation of the overall deterrence factor. Once having proven a protocol to be secure in the simple hybrid world, our theorem allows to derive the security and the deterrence factor of the same protocol in the hybrid world, in which the offline phase is associated with some smaller deterrence factor, \(\epsilon ' \in [0,1]\).
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Faust, S., Hazay, C., Kretzler, D., Schlosser, B. (2023). Putting the Online Phase on a Diet: Covert Security from Short MACs. In: Rosulek, M. (eds) Topics in Cryptology – CT-RSA 2023. CT-RSA 2023. Lecture Notes in Computer Science, vol 13871. Springer, Cham. https://doi.org/10.1007/978-3-031-30872-7_14
Download citation
DOI: https://doi.org/10.1007/978-3-031-30872-7_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30871-0
Online ISBN: 978-3-031-30872-7
eBook Packages: Computer ScienceComputer Science (R0)