LevioSA: Lightweight Secure Arithmetic Computation

March 15, 2019, 9:45 AM - 10:15 AM


Barrister's Hall - first floor

Boston University Law School

765 Commonwealth Avenue

Boston, MA 02215

Muthu Venkitasubramaniam, University of Rochester

We study the problem of secure two-party computation of arithmetic circuits. This problem is motivated by privacy-preserving numerical computations, such as ones arising in the context of machine learning training and classification. In this work, we design, optimize, and implement an actively secure protocol for secure two-party arithmetic computation. A distinctive feature of our protocol is that it can make a fully modular black-box use of any passively secure implementation of oblivious linear function evaluation (OLE). OLE is a commonly used primitive for secure arithmetic computation, analogously to the role of oblivious transfer in secure Boolean computation.

For typical circuits, our protocol requires roughly 4 invocations of passively secure OLE per multiplication gate. This significantly improves over the recent TinyOLE protocol (Döttling et al., ACM CCS 2017), which requires 22 invocations of actively secure OLE in general, or 44 invocations of a specific code-based passively secure OLE.

Our protocol follows the high-level approach of the IPS compiler (Ishai et al., CRYPTO 2008, TCC 2009), optimizing it in several ways. In particular, we adapt optimization ideas that were used in the context of the practical zero-knowledge argument system Ligero (Ames et al., ACM CCS 2017) to the more general setting of secure computation, and explore the possibility of boosting efficiency by employing a “leaky” passively secure OLE protocol.

We showcase the efficiency of our protocol by applying it to several useful instances of secure arithmetic computation and provide an implementation. Our benchmarks include a general passive-to-active OLE compiler, authenticated generation of “Beaver triples”, and a system for securely outsourcing neural network classification. The latter is the first actively secure implementation of its kind, strengthening the passive security provided by recent related works (Mohassel and Zhang, IEEE S&P 2017; Juvekar et al., USENIX 2018).

This is joint work with Carmit Hazay, Yuval Ishai and Antonio Marcedone.