Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering1
FSE 2018
Modes of operations for computing on encrypted data
Dragos Rotaru, N.P. Smart, and Martijn Stam
KU Leuven, University of Bristol
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering2
Multiparty computation hijacks FSE’18
Dragos Rotaru 2
Goal: Compute F(a, b, c)
a c
b
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering3
What is the problem?
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering4
What is the problem?
42 42 42 42
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering5
What is the problem?
42 42 42 42
Enc Enc Enc
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering6
What is the problem?
42 42 42
Enc(42)
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering7
What is the problem?
42 42 42
Enc(42)
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering8
What is the problem?
42 42 42
Enc(42) Tag(E(42))
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering9
What is the problem?
Enc(42) Tag(E(42))
For free: detect malicious
encryption keys.
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering10
Prior work – PRFs in MPC (CCS’16)
Enc(42) Tag(Enc(42))
- MiMC
- Legendre PRF
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering11
Prior work – PRFs in MPC (CCS’16)
Enc(42) Tag(Enc(42))
M[1]
Enc
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering12
Prior work – PRFs in MPC (CCS’16)
Enc(42) Tag(Enc(42))
M[1] M[2]
Enc
+
Enc
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering13
Prior work – PRFs in MPC (CCS’16)
Enc(42) Tag(Enc(42))
M[1] M[2] M[3]
Enc
+ +
Enc Enc
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering14
Prior work – PRFs in MPC (CCS’16)
Enc(42) Tag(Enc(42))
M[1] M[2] M[3] M[4]
Enc
+ + +
Enc Enc EncTag
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering15
What we have done
• Analyze AE in Multiparty Computation (MPC).
• Useful MPC happens in Fp => Need AE and PRFs modp.
• Look for parallel AE: CTR+PMAC, OTR.
[42] Enc(42) Tag(42)
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering16
The story
This Photo by Unknown Author is licensed under CC BY-NC-ND
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering17
The story
‘You take the blue pill—the story ends, you wake up in your
bed and believe whatever you want to believe.
You take the red pill—you stay in Wonderland, and I show
you how deep the rabbit hole goes.’
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering18
The story
‘You take the blue pill—the story ends, you wake up in your
bed and believe whatever you want to believe.
You take the red pill—you stay in Wonderland, and I show
you how deep the rabbit hole goes.’
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering19
Down the rabbit hole - MPC with Secret Sharing
𝑥 = 𝑥1 +⋯+ 𝑥𝑛Each 𝑃𝑖 has 𝑥 ← 𝑥𝑖
𝑥 ← 𝑥1
𝑥 ← 𝑥2
𝑥 ← 𝑥3
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering20
MPC Preprocessing Phase
Generate triples
[c] = [a][b]
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering21
MPC Preprocessing Phase
Generate triples
[c] = [a][b]
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering22
MPC Preprocessing Phase
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering23
MPC Preprocessing Phase
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering24
MPC Online Phase
Use Triples.
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering25
MPC Online Phase
Use Triples.
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering26
MPC Circuit Evaluation
X Y Z
X
Y
Z
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering27
MPC Circuit Evaluation
X Y Z
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering28
MPC Circuit Evaluation
X Y Z
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering29
MPC Circuit Evaluation
X Y Z
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering30
MPC Circuit Evaluation
3 triples.
2 comm. rounds
X Y Z
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering31
Tweak your encryption to MPC
Reveal
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering32
Tweak your encryption to MPC
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering33
Tweak your encryption to MPC
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering34
How-to compute PMAC
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering35
Let’s do AE with CTR+pPMAC
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering36
Let’s do AE with CTR+pPMAC
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering37
When ideal meets real
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering38
When ideal meets real – surprise!
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering39
When ideal meets real – surprise!
Legendre
MiMC
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering40
Other competitive modes
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering41
Other competitive modes
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering42
• Preprocessing scales linearly in terms of number of
message blocks - roughly n PRFs for n messages.
• Number of rounds of a cipher vs. multiplicative depth in
MPC.
Some open problems
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering43
Thank you!
Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering44
• Questions?
Thank you!
