
Showing papers by "Nigel P. Smart published in 2022"


Book ChapterDOI
TL;DR: In this paper, the authors construct two fully homomorphic encryption (FHE) schemes whose NTRU parameters lie outside the "overstretched" range that was shown to be vulnerable to subfield lattice attacks.
Abstract: The NTRU problem is a promising candidate to build efficient Fully Homomorphic Encryption (FHE). However, all the existing proposals (e.g. LTV, YASHE) need so-called 'overstretched' parameters of NTRU to enable homomorphic operations. It was shown by Albrecht et al. (CRYPTO 2016) that these parameters are vulnerable against subfield lattice attacks. Based on a recent, more detailed analysis of the overstretched NTRU assumption by Ducas and van Woerden (ASIACRYPT 2021), we construct two FHE schemes whose NTRU parameters lie outside the overstretched range. The first scheme is based solely on NTRU and demonstrates competitive performance against the state-of-the-art FHE schemes including TFHE. Our second scheme, which is based on both the NTRU and LWE assumptions, outperforms TFHE with a 28% faster bootstrapping and 45% smaller bootstrapping and key-switching keys.

23 citations


Proceedings ArticleDOI
TL;DR: This work bridges the gap between designated-verifier proofs and public verifiability by distributing the verifier efficiently, and presents practical protocols in the setting of threshold verifiers with t
Abstract: Zero-Knowledge protocols have increasingly become both popular and practical in recent years due to their applicability in many areas such as blockchain systems. Unfortunately, public verifiability and small proof sizes of zero-knowledge protocols currently come at the price of strong assumptions, large prover time, or both, when considering statements with millions of gates. In this regime, the most prover-efficient protocols are in the designated verifier setting, where proofs are only valid to a single party that must keep a secret state. In this work, we bridge this gap between designated-verifier proofs and public verifiability by distributing the verifier efficiently. Here, a set of verifiers can then verify a proof and, if a given threshold t of the n verifiers is honest and trusted, can act as guarantors for the validity of a statement. We achieve this while keeping the concrete efficiency of current designated-verifier proofs, and present constructions that have small concrete computation and communication cost. We present practical protocols in the setting of threshold verifiers with t

6 citations


Book ChapterDOI
01 Jan 2022
TL;DR: In this paper, the authors present two constructions of multi-party homomorphic secret sharing based on homomorphic encryption with decryption to shares (HEDS) for NC1-circuits.
Abstract: We present new constructions of multi-party homomorphic secret sharing (HSS) based on a new primitive that we call homomorphic encryption with decryption to shares (HEDS). Our first construction, which we call $$\mathsf{Scooby}$$, is based on many popular fully homomorphic encryption (FHE) schemes with a linear decryption property. $$\mathsf{Scooby}$$ achieves an n-party HSS for general circuits with complexity $$O(|F| + \log n)$$, as opposed to $$O(n^2 \cdot |F|)$$ for the prior best construction based on multi-key FHE. $$\mathsf{Scooby}$$ can be based on (ring)-LWE with a super-polynomial modulus-to-noise ratio. In our second construction, $$\mathsf{Scrappy}$$, assuming any generic FHE plus HSS for NC1-circuits, we obtain a HEDS scheme which does not require a super-polynomial modulus. While these schemes all require FHE, in another instantiation, $$\mathsf{Shaggy}$$, we show how in some cases it is possible to obtain multi-party HSS without FHE, for a small number of parties and constant-degree polynomials. Finally, we show that our $$\mathsf{Scooby}$$ scheme can be adapted to use multi-key fully homomorphic encryption, giving more efficient spooky encryption and setup-free HSS. This latter scheme, $$\mathsf{Casper}$$, if concretely instantiated with a B/FV-style multi-key FHE scheme, for functions F which do not require bootstrapping, gives an HSS complexity of $$O(n \cdot |F| + n^2 \cdot \log n)$$.

3 citations


Book ChapterDOI
01 Jan 2022
TL;DR: In this article, a privacy-preserving netting protocol is proposed to solve the gridlock resolution problem in Real Time Gross Settlement systems, using Shamir secret sharing over three parties in an actively secure manner.
Abstract: Many central banks, as well as blockchain systems, are looking into distributed versions of interbank payment systems, in particular the netting procedure. When executed in a distributed manner this presents a number of privacy problems. This paper studies a privacy-preserving netting protocol to solve the gridlock resolution problem in such Real Time Gross Settlement systems. Our solution utilizes Multi-party Computation and is implemented in the SCALE MAMBA system, using Shamir secret sharing scheme over three parties in an actively secure manner. Our experiments show that, even for large throughput systems, such a privacy-preserving operation is often feasible.

2 citations


Journal Article
TL;DR: In this paper, the authors present a key lattice for managing keys in concurrent group messaging, which can be seen as a "key management" layer that enables concurrent group messaging when secure pairwise channels are available.
Abstract: Today, two-party secure messaging is well-understood and widely adopted, e.g., Signal and WhatsApp. Multiparty protocols for secure group messaging on the other hand are less mature and many protocols with different tradeoffs exist. Generally, such protocols require parties to first agree on a shared secret group key and then periodically update it while preserving forward secrecy (FS) and post compromise security (PCS). We present a new framework, called a key lattice, for managing keys in concurrent group messaging. Our framework can be seen as a "key management" layer that enables concurrent group messaging when secure pairwise channels are available. Proving security of group messaging protocols using the key lattice requires new game-based security definitions for both FS and PCS. Our new definitions are both simpler and more natural than previous ones, as our framework combines both FS and PCS into directional variants of the same abstraction, and additionally avoids dependence on time-based epochs. Additionally, we give a concrete, standalone instantiation of a concurrent group messaging protocol for dynamic groups. Our protocol provides both FS and PCS, supports concurrent updates, and only incurs O(1) overhead for securing the messaging payload, O(n) update cost and O(n) healing cost, which are optimal.

1 citation


Journal Article
TL;DR: This work implements an MPC-based dark pool trading venue with up to 100 parties that can achieve trading throughput required for some real-world venues, while the cost of hosting the system is negligible compared with the savings expected from guaranteeing no information leakage.
Abstract: Financial dark pool trading venues are designed to keep pre-trade order information secret so that it cannot be misused by others. However, dark pools are vulnerable to an operator misusing the information in their system. Prior work has used MPC to tackle this problem by assuming that the dark pool is operated by a small set of two or three MPC parties. However, this raises the question of who plays the role of these operating parties and whether this scenario could be applied in the real world. In this work, we implement an MPC-based dark pool trading venue with up to 100 parties. This configuration would allow a real-world implementation where the operating parties are the active participants that trade in the venue (i.e., a "no operator" model), or where the parties are the main stakeholders of the venue (e.g., members of a non-profit partnership such as Plato). We use AWS cloud to empirically test the performance of the system. Results demonstrate that the system can achieve the trading throughput required for some real-world venues, while the cost of hosting the system is negligible compared with the savings expected from guaranteeing no information leakage.

1 citation


Book ChapterDOI
01 Jan 2022
TL;DR: In this paper, the authors examine multi-party computation protocols in the active-security-with-abort setting over small and large finite fields and over rings, and give general protocols which work for any access structure realised by a multiplicative Extended Span Program (ESP).
Abstract: We examine Multi-Party Computation protocols in the active-security-with-abort setting for $$\mathcal{Q}_2$$ access structures over small and large finite fields $$\mathbb{F}_p$$ and over rings $$\mathbb{Z}_{p^k}$$. We give general protocols which work for any $$\mathcal{Q}_2$$ access structure which is realised by a multiplicative Extended Span Program. We generalize a number of techniques and protocols from various papers and compare the different methodologies. In particular, we examine the expected communication cost per multiplication gate when the protocols are instantiated with different access structures.

Proceedings ArticleDOI

[...]

07 Nov 2022