We design a novel, communication-efficient, failure-robust protocol for secure aggregation of high-dimensional data. Our protocol allows a server to compute the sum of large, user-held data vectors from mobile devices in a secure manner (i.e. without learning each user's individual contribution), and can be used, for example, in a federated learning setting, to aggregate user-provided model updates for a deep neural network. We prove the security of our protocol in the honest-but-curious and active adversary settings, and show that security is maintained even if an arbitrarily chosen subset of users drop out at any time. We evaluate the efficiency of our protocol and show, by complexity analysis and a concrete implementation, that its runtime and communication overhead remain low even on large data sets and client pools. For 16-bit input values, our protocol offers $1.73 x communication expansion for 210 users and 220-dimensional vectors, and 1.98 x expansion for 214 users and 224-dimensional vectors over sending data in the clear.

https://dl.acm.org/doi/pdf/10.1145/3133956.3133982

Practical Secure Aggregation for Privacy-Preserving Machine Learning

Machine learning is widely used in practice to produce predictive models for applications such as image processing, speech and text recognition. These models are more accurate when trained on large amount of data collected from different sources. However, the massive data collection raises privacy concerns. In this paper, we present new and efficient protocols for privacy preserving machine learning for linear regression, logistic regression and neural network training using the stochastic gradient descent method. Our protocols fall in the two-server model where data owners distribute their private data among two non-colluding servers who train various models on the joint data using secure two-party computation (2PC). We develop new techniques to support secure arithmetic operations on shared decimal numbers, and propose MPC-friendly alternatives to non-linear functions such as sigmoid and softmax that are superior to prior work. We implement our system in C++. Our experiments validate that our protocols are several orders of magnitude faster than the state of the art implementations for privacy preserving linear and logistic regressions, and scale to millions of data samples with thousands of features. We also implement the first privacy preserving system for training neural networks.

/pdf/secureml-a-system-for-scalable-privacy-preserving-machine-2jlvrwyxkm.pdf

SecureML: A System for Scalable Privacy-Preserving Machine Learning

Federated learning (FL) is a machine learning setting where many clients (e.g. mobile devices or whole organizations) collaboratively train a model under the orchestration of a central server (e.g. service provider), while keeping the training data decentralized. FL embodies the principles of focused data collection and minimization, and can mitigate many of the systemic privacy risks and costs resulting from traditional, centralized machine learning and data science approaches. Motivated by the explosive growth in FL research, this paper discusses recent advances and presents an extensive collection of open problems and challenges.

Advances and Open Problems in Federated Learning

Secure multi-party computation has been considered by the cryptographic community for a number of years. Until recently it has been a purely theoretical area, with few implementations with which to test various ideas. This has led to a number of optimisations being proposed which are quite restricted in their application. In this paper we describe an implementation of the two-party case, using Yao's garbled circuits, and present various algorithmic protocol improvements. These optimisations are analysed both theoretically and empirically, using experiments of various adversarial situations. Our experimental data is provided for reasonably large circuits, including one which performs an AES encryption, a problem which we discuss in the context of various possible applications.

/pdf/secure-two-party-computation-is-practical-rqn7kar4pc.pdf

Secure Two-Party Computation Is Practical

from details of underlying secure computation protocol Use only fast symmetric key crypto Code is available on GitHub: http://encrypto.de/code/ABY

/pdf/aby-a-framework-for-efficient-mixed-protocol-secure-two-hozs81ospf.pdf

ABY - A Framework for Efficient Mixed-Protocol Secure Two-Party Computation

In this note, we report on the first large-scale and practical application of secure multiparty computation, which took place in January 2008. We also report on the novel cryptographic protocols that were used.

http://fc09.ifca.ai/papers/15_Secure_MPC_goes_live.pdf

Secure Multiparty Computation Goes Live

We propose an asynchronous protocol for general multiparty computation. The protocol has perfect security and communication complexity $\mathcal{O}(n^2|C|k)$, where n is the number of parties, |C | is the size of the arithmetic circuit being computed, and k is the size of elements in the underlying field. The protocol guarantees termination if the adversary allows a preprocessing phase to terminate, in which no information is released. The communication complexity of this protocol is the same as that of a passively secure solution up to a constant factor. It is secure against an adaptive and active adversary corrupting less than n /3 players. We also present a software framework for implementation of asynchronous protocols called VIFF (Virtual Ideal Functionality Framework), which allows automatic parallelization of primitive operations such as secure multiplications, without having to resort to complicated multithreading. Benchmarking of a VIFF implementation of our protocol confirms that it is applicable to practical non-trivial secure computations.

/pdf/asynchronous-multiparty-computation-theory-and-1vfcn1y5fz.pdf

Asynchronous Multiparty Computation: Theory and Implementation

We propose a protocol for secure comparison of integers based on homomorphic encryption. We also propose a homomorphic encryption scheme that can be used in our protocol, makes it more efficient than previous solutions, and can also be used as the basis of efficient and general secure Multiparty Computation (MPC). We show how our comparison protocol can be used to improve security of online auctions, and demonstrate that it is efficient enough to be used in practice. For comparison of 16 bits numbers with security based on 1024 bits RSA (executed by two parties), our implementation takes 0.28 sec including all computation and communication. Using precomputation, one can save a factor of roughly 10.

Homomorphic encryption and secure comparison

We propose a protocol for secure comparison of integers based on homomorphic encryption. We also propose a homomorphic encryption scheme that can be used in our protocol and makes it more efficient than previous solutions. Our protocol is well-suited for application in on-line auctions, both with respect to functionality and performance. It minimizes the amount of information bidders need to send, and for comparison of 16 bit numbers with security based on 1024 bit RSA (executed by two parties), our implementation takes 0.28 seconds including all computation and communication. Using precomputation, one can save a factor of roughly 10.

Efficient and secure comparison for on-line auctions

In this paper, we describe a correction to the cryptosystem proposed in Damgard et al. from Int. J. Applied Cryptography, Vol. 1, No. 1. Although, the correction is small and does not affect the performance of the protocols from Damgard et al., it is necessary, as the cryptosystem is not secure without it.

Martin Geisler

Papers

Secure Multiparty Computation Goes Live

Asynchronous Multiparty Computation: Theory and Implementation

Homomorphic encryption and secure comparison

Efficient and secure comparison for on-line auctions

A correction to 'efficient and secure comparison for on-line auctions'