Toshinori Araki

High-Throughput Semi-Honest Secure Three-Party Computation with an Honest Majority

In this paper, we describe a new information-theoretic protocol (and a computationally-secure variant) for secure three-party computation with an honest majority. The protocol has very minimal computation and communication; for Boolean circuits, each party sends only a single bit for every AND gate (and nothing is sent for XOR gates). Our protocol is (simulation-based) secure in the presence of semi-honest adversaries, and achieves privacy in the client/server model in the presence of malicious adversaries. On a cluster of three 20-core servers with a 10Gbps connection, the implementation of our protocol carries out over 1.3 million AES computations per second, which involves processing over 7 billion gates per second. In addition, we developed a Kerberos extension that replaces the ticket-granting-ticket encryption on the Key Distribution Center (KDC) in MIT-Kerberos with our protocol, using keys/ passwords that are shared between the servers. This enables the use of Kerberos while protecting passwords. Our implementation is able to support a login storm of over 35,000 logins per second, which suffices even for very large organizations. Our work demonstrates that high-throughput secure computation is possible on standard hardware.

Efficient (k, n) threshold secret sharing schemes secure against cheating from n - 1 cheaters

In (k, n) threshold secret sharing scheme, Tompa and Woll consider a problem of cheaters who try to make another participant reconstruct invalid secret. Later, the model of such cheating is formalized in some researches. Some schemes secure against cheating of these models are proposed. However, in these models, the number of colluding participants is restricted to k - 1 or less. In this paper, we consider k or more colluding participants. Of course, secrecy is not maintained to such participants. However, if considering detecting the fact of cheating, we need to consider a cheating from k or more colluding participants. In this paper, we propose a (k, n) threshold secret sharing scheme that is capable of detecting the fact of cheating from n - 1 or less colluding participants. A scheme proposed by Tompa and Woll can be proven to be a (k, n) threshold secret sharing scheme that is capable of detecting the fact of cheating from n - 1 or less colluding participants. However, our proposed scheme is much more efficient with respect to the size of shares.

Almost optimum secret sharing schemes secure against cheating for arbitrary secret distribution

We consider the problem of cheating in secret sharing schemes, cheating in which individuals submit forged shares in the secret reconstruction phase in an effort to make another participant reconstruct an invalid secret. We introduce a novel technique which uses universal hash functions to detect such cheating and propose two efficient secret sharing schemes that employ the functions. The first scheme is nearly optimum with respect to the size of shares; that is, the size of shares is only one bit longer than its existing lower bound. The second scheme possesses a particular merit in that the parameter for the probability of successful cheating can be chosen without regard to the size of the secret. Further, the proposed schemes are proven to be secure regardless of the probability distribution of the secret.

Almost Secure 1-Round Message Transmission Scheme with Polynomial-Time Message Decryption

The model of (r-round, n-channel) message transmission scheme (MTS) was introduced by Dolev et al.[5]. In their model, there are nchannels between a sender Sand a receiver R, and they do not share any information like keys. Swants to send a message to Rsecretly and reliably in r-round. But, there is an adversary Awho can observe and forge at most tinformation which sent through n-channels. In this paper, we propose almost secure (1-round, 3t+1 -channel) MTS. Proposed scheme has following two properties. (1) If sending message is large some degree, the communication bits for transmitting messages is much more efficient with comparing to the perfectly secure (1-round, 3t+1 -channel) MTS proposed by Dolev et.al[5]. (2) The running time of message decryption algorithm is polynomial in n.

Flaws in some secret sharing schemes against cheating

In this paper, we point out flaws in existing secret sharing schemes against cheating. Namely, we show that a scheme proposed by Ghodosi and Pieprzyk presented at ACISP 2000 and a one by Obana and Araki presented at Asiacrypt 2006 are both insecure against single cheater. We further show that the scheme by Obana et al. can be made secure by slight modification.

Optimized Honest-Majority MPC for Malicious Adversaries — Breaking the 1 Billion-Gate Per Second Barrier

Secure multiparty computation enables a set of parties to securely carry out a joint computation of their private inputs without revealing anything but the output. In the past few years, the efficiency of secure computation protocols has increased in leaps and bounds. However, when considering the case of security in the presence of malicious adversaries (who may arbitrarily deviate from the protocol specification), we are still very far from achieving high efficiency. In this paper, we consider the specific case of three parties and an honest majority. We provide general techniques for improving efficiency of cut-and-choose protocols on multiplication triples and utilize them to significantly improve the recently published protocol of Furukawa et al. (ePrint 2016/944). We reduce the bandwidth of their protocol down from 10 bits per AND gate to 7 bits per AND gate, and show how to improve some computationally expensive parts of their protocol. Most notably, we design cache-efficient shuffling techniques for implementing cut-and-choose without randomly permuting large arrays (which is very slow due to continual cache misses). We provide a combinatorial analysis of our techniques, bounding the cheating probability of the adversary. Our implementation achieves a rate of approximately 1.15 billion AND gates per second on a cluster of three 20-core machines with a 10Gbps network. Thus, we can securely compute 212,000 AES encryptions per second (which is hundreds of times faster than previous work for this setting). Our results demonstrate that high-throughput secure computation for malicious adversaries is possible.

Generalizing the SPDZ Compiler For Other Protocols

Protocols for secure multiparty computation (MPC) enable a set of mutually distrusting parties to compute an arbitrary function of their inputs while preserving basic security properties like privacy and correctness. The study of MPC was initiated in the 1980s where it was shown that any function can be securely computed, thus demonstrating the power of this notion. However, these proofs of feasibility were theoretical in nature and it is only recently that MPC protocols started to become efficient enough for use in practice. Today, we have protocols that can carry out large and complex computations in very reasonable time (and can even be very fast, depending on the computation and the setting). Despite this amazing progress, there is still a major obstacle to the adoption and use of MPC due to the huge expertise needed to design a specific MPC execution. In particular, the function to be computed needs to be represented as an appropriate Boolean or arithmetic circuit, and this requires very specific expertise. In order to overcome this, there has been considerable work on compilation of code to (typically) Boolean circuits. One work in this direction takes a different approach, and this is the SPDZ compiler (not to be confused with the SPDZ protocol) that takes high-level Python code and provides an MPC run-time environment for securely executing that code. The SPDZ compiler can deal with arithmetic and non-arithmetic operations and is extremely powerful. However, until now, the SPDZ compiler could only be used for the specific SPDZ family of protocols, making its general applicability and usefulness very limited. In this paper, we extend the SPDZ compiler so that it can work with general underlying protocols. Our SPDZ extensions were made in mind to enable the use of SPDZ for arbitrary protocols and to make it easy for others to integrate existing and new protocols. We integrated three different types of protocols, an honest-majority protocol for computing arithmetic circuits over a field (for any number of parties), a three-party honest majority protocol for computing arithmetic circuits over the ring of integers Z2n, and the multiparty BMR protocol for computing Boolean circuits. We show that a single high-level SPDZ-Python program can be executed using all of these underlying protocols (as well as the original SPDZ protocol), thereby making SPDZ a true general run-time MPC environment.In order to be able to handle both arithmetic and non-arithmetic operations, the SPDZ compiler relies on conversions from field elements to bits and back. However, these conversions do not apply to ring elements (in particular, they require element division), and we therefore introduce new bit decomposition and recomposition protocols for the ring over integers with replicated secret sharing. These conversions are of independent interest and utilize the structure of Z2n (which is much more amenable to bit decomposition than prime-order fields), and are thus much more efficient than all previous methods. We demonstrate our compiler extensions by running a complex SQL query and a decision tree evaluation over all protocols.