SYSTEM AND METHOD FOR PERFORMING KEY OPERATIONS DURING A MULTI-PARTY COMPUTATION PROCESS

Abstract

A method of computing shares of an output of a function having multiple shares of a secret as input, each party of the multiple parties obtaining an initial share of the secret, such that all initial shares together operate as the secret, none of the parties reveal the initial shares of the secret throughout the entire method, each party of the multiple parties performing an arithmetic operator on the initial shares of the secret, each party of the multiple parties sending an output of the arithmetic operator on the initial share to a Multi-Party Computation (MPC) process, performing the MPC process using an arithmetic circuit, said MPC process receives the output of the arithmetic function and outputs final shares by performing a mathematical operation, the MPC process outputting one final share of the final shares to each party of the multiple parties.

Claims

1. A method of computing shares of an output of a function having multiple shares of a secret as input, the method comprising: each party of the multiple parties obtaining an initial share of the secret, such that all initial shares together operate as the secret, none of the parties reveal the initial shares of the secret throughout the entire method; each party of the multiple parties performing an arithmetic operator on the initial shares of the secret; each party of the multiple parties sending an output of the arithmetic operator on the initial share to a Multi-Party Computation (MPC) process; performing the MPC process using an arithmetic circuit, said MPC process receives the output of the arithmetic function and outputs final shares by performing a mathematical operation; the MPC process outputting one final share of the final shares to each party of the multiple parties.

2. The method of claim 1, wherein each party of the multiple parties applies the same arithmetic operator on the initial share of the secret.

3. The method of claim 1, further comprising receiving a request to exchange cryptographic keys between the multiple parties, wherein the initial shares are cryptographic keys stored in the multiple parties.

4. The method of claim 3, wherein the exchange of cryptographic keys is performed using a Diffie-Hellman process.

5. The method of claim 1, further comprising: performing an initial MPC process receiving as input the initial share of the secret from each party of the multiple parties sending; the initial MPC process outputting a plurality of fresh shares and sending one fresh share of the plurality of fresh shares to each party of the multiple parties; and each party of the multiple parties performing the arithmetic function on one fresh share received from the initial MPC process.

6. The method of claim 5, wherein the plurality of fresh shares are additive shares of multiplication of the initial shares of the secret

7. The method of claim 1, wherein the arithmetic circuit is a Boolean circuit.

8. The method of claim 1, wherein the arithmetic circuit is a garbled circuit.

9. The method of claim 8, wherein the mathematical operation is an exponentiation having a random generator of an elliptical curve as base and accumulation of the outputs of the arithmetic function as exponent.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0013] The invention may be more clearly understood upon reading of the following detailed description of non-limiting exemplary embodiments thereof, with reference to the following drawings, in which:

[0014] FIG. 1 shows a computerized environment for performing a key operation as part of a Multi-Party Computation (MPC) process between two parties and a server, according to exemplary embodiments of the invention;

[0015] FIG. 2 shows a method for performing a key operation as part of a Multi-Party Computation (MPC) process between two parties and a server, according to exemplary embodiments of the invention; and,

[0016] FIG. 3 shows a method of exchanging information between the multiple parties such that none of the parties can extract the key of the other party, according to exemplary embodiments of the invention.

[0017] The following detailed description of embodiments of the invention refers to the accompanying drawings referred to above. Dimensions of components and features shown in the figures are chosen for convenience or clarity of presentation and are not necessarily shown to scale. Wherever possible, the same reference numbers will be used throughout the drawings and the following description to refer to the same and like parts.

DETAILED DESCRIPTION

[0018] Illustrative embodiments of the invention are described below. In the interest of clarity, not all features/components of an actual implementation are necessarily described.

[0019] The invention, in embodiments thereof, provides a system and method for exchanging keys as part of a Multi-Party Computation (MPC) process. The MPC process is performed between multiple parties. The multiple parties begin the process when holding shares of a secret, such as a cryptographic key, receive a request to perform a key operation that requires exchanging the shares without revealing the entire secret during the entire process. The parties exchange information, while the heavy computation is performed by the parties, thereby outputting a shared value known to all parties.

[0020] The invention, in embodiments thereof, provides a method computes shares of a function applied on x and y using garbled circuits without revealing x; y and without using either the function F, the group G and the operation H inside the garbled circuit. This method may be used against a semi-honest adversary, an adversary that follows the description of the protocol but tries to learn information from the transcript of the protocol. This is a limited adversary. The processes performed in the method are relatively inexpensive within a garbled circuit—Addition and multiplication

[0021] FIG. 1 shows a computerized environment for performing a key operation as part of a Multi-Party Computation (MPC) process between two parties and a server, according to exemplary embodiments of the invention. The computerized environment includes a first party 110, a second party 120 and a secure MPC process represented herein as party 130. The party 130 may be a server. The MPC process may be performed by the multiple parties 110 and 120 without the party 130. The first party 110, a second party 120 may be computerized modules or may be embedded in an electronic device such as a mobile phone, personal computer, laptop, tablet and the like. The process elaborated below may be implemented on a computerized environment having two or more parties, in addition to the party 130. Each of the first party 110, a second party 120 and a party 130 include a communication module configured to exchange messages and/or signals between each other. The messages may be of a predefined format. The communication modules of the parties 110, 120 and 130 may enable communication over the internet, such as using an internet gateway, local access network, wide access network and the like. The communication modules may also operate over a non-internet communication channel, for example using wired communication, fiber optics, USB, or wireless communication such as Bluetooth and the like.

[0022] Each of the parties 110, 120 and 130 may also have a memory unit, or access to a memory unit located in a remote device working uniquely with a specific party of the parties 110, 120 and 130. The memory unit may be either volatile memory or non-volatile memory. The memory unit may store instructions for performing the process elaborated below. The memory unit may also store the shares of the secret known to each of the parties 110, 120 and 130.

[0023] Each of the parties 110, 120 and 130 may also have a processing module configured to manage the part of the process performed in each party. The processing module may be a processor, a CPU, a microprocessor, either implemented in software, hardware or firmware.

[0024] FIG. 2 shows a method for performing a Multi-Party Computation (MPC) process on an arithmetic circuit between multiple parties, according to exemplary embodiments of the invention. The MPC process may be used to perform key exchange process between the multiple parties or another process utilizing the shares of a secret stored in the multiple parties. Exchanging the keys may include performing a Diffie-Hellman key exchange. The essence of the MPC process is to prevent a single unit from obtaining the entire secret, hence each of the parties which take part in the process of exchanging the secret hold a share of the secret. The party does not hold a share of the secret.

[0025] Step 210 shows the multiple parties holding shares of a secret. The secret may be a cryptographic key. In some cases, each share functions as a cryptographic key. The properties of each of the shares stored in each of the parties may be identical. That is, if one party holds a cryptographic key and uses the cryptographic key in the key exchange, other parties use the shares they hold that have the same properties, such as size, format and the like.

[0026] Step 220 shows receiving a request to perform a mathematical operation on the initial shares of the secret. The mathematical function may be public key operation as part of the key exchange, or any other mathematical function desired by a person skilled in the art to be performed using an arithmetic circuit, such as a Boolean circuit or garbled circuit. The request may be received from a third party communicating with one of the multiple parties, or from an application operating on one of the multiple parties. The request may be required as part of a process running on another computerized device.

[0027] Step 230 shows the parties performing an arithmetic operator on the initial shares of the secret. The arithmetic operator may be, for example, addition, subtraction, multiplication, modular elliptic curve, binary field operation, inversion, mod prime or RSA modulus and additional arithmetic operators desired by a person skilled in the art. The arithmetic operator may be performed locally at the parties, or using a server communicating with the parties, not using an MPC process.

[0028] Step 240 shows performing an MPC process receiving as input the output of the arithmetic operator from the multiple shares. The MPC process outputting a final share to each party of the multiple parties. the final shares are outputted based on a mathematical operation performed on the output of the arithmetic operator performed by the multiple parties.

[0029] The MPC process is implemented by exchanging information between the multiple parties such that none of the parties can extract the key of the other party. The information may be exchanged using a messaging application. The information may be exchanged by sending a message to a communication module to update a value in a predefined memory address in the memory module of the parties. The information is exchanged based on a predefined set of rules stored in the memory of the multiple parties. The process of exchanging information is elaborated in FIG. 3. The information may be results of mathematical processes and outputs of cryptographic functions and/or operators. The cryptographic functions and/or operators are performed by the multiple parties, while the MPC process performs the mathematical processes, mainly addition and multiplications, to improve efficiency of the process, as the MPC process is required to perform additional processes in addition to the exchange of cryptographic keys, such as generating a garbled circuit.

[0030] Step 250 shows each party holding a final share outputted from a mathematical operation performed on the output of the arithmetic function applied on the initial shares held by the parties in step 210. The mathematical operation may be key exchange. The mathematical operation is executed on an arithmetic circuit, such as a Boolean circuit, garbled circuit and the like. The final shares (FS) may be additive shares of the result of the mathematical operation. For example, given there are three parties, holding initial shares S.sub.1, S.sub.2 and S.sub.3, the output of the process is final shares FS.sub.1, FS.sub.2, FS.sub.3, such that FS.sub.1+FS.sub.2+FS.sub.3 equals S.sub.1+S.sub.2+S.sub.3.

[0031] FIG. 3 shows a method of exchanging information between the multiple parties such that none of the parties can extract the key of the other party, according to exemplary embodiments of the invention.

[0032] Step 300 shows each party of the multiple parties obtaining an initial share of the secret. All the initial shares, when used together, can be used as the secret. It is a functional requirement of the method that no party of the multiple parties has access to all the initial shares of the secret throughout the entire method.

[0033] Step 310 shows each party of the multiple parties sending the initial share of the secret to an initial MPC process. Sending the initial shares may be performed by sending a message over the internet, via a wired cable or via a cellular modem.

[0034] Step 320 shows the initial MPC process generates a plurality of fresh shares based on the initial shares of the secret. In some cases, the fresh shares are additive shares of multiplication of the initial shares (IS) of the secret. For example, denote the fresh shares generated by the MPC process party as values Z.sub.1 to Zn, the accumulation of the fresh shares Z.sub.1 to Zn equals IS.sub.1*IS.sub.2 . . . *Isn, IS.sub.1 is the initial share provided from party #1, IS.sub.2 is the initial share provided from party #2 etc.

[0035] Step 330 shows the initial MPC process outputting one fresh share of the plurality of fresh shares to each party of the multiple parties. For example, party #1 receives fresh share Z.sub.1, party #2 receives fresh share Z.sub.2 and the like. Sending the fresh shares may be performed by sending a message over the internet, via a wired cable or via a cellular modem. The fresh share may be stored in a predefined memory address in the memory of each of the multiple parties.

[0036] Step 340 shows each party of the multiple parties applying an arithmetic operator on the fresh share received from the initial MPC process. The arithmetic operator may be a hash function. The arithmetic operator may be computing a group G known to all the multiple parties in the order of the fresh share, also denoted as G{circumflex over ( )}Zi.

[0037] Step 350 shows each party of the multiple parties sending an output of the arithmetic operator on the fresh share to the MPC process. Sending the output of the arithmetic operator process may be performed by sending a message over the internet, via a wired cable or via a cellular modem.

[0038] Step 360 shows the MPC process computing Gin the order of (Z.sub.1+ Z.sub.2 . . . Zn). Computing the value of the group G to the power of (Z.sub.1+Z.sub.2 . . . +Zn) may be performed by multiplying the outputs of the arithmetic operator as received from the multiple parties. For example, party #1 sends G to the power of Z.sub.1, party #2 sends G to the power of Z.sub.2 and party #n sends G to the power of Z.sub.n. The MPC process multiplies the values received from all the multiple parties (G{circumflex over ( )}Z.sub.1*G{circumflex over ( )}Z.sub.2* . . . G{circumflex over ( )}Zn). The group G may be extracted from an elliptical curve used by the arithmetic circuit performing the MPC process.

[0039] Step 365 shows the MPC process outputting final shares (FS). The accumulated sum of all the final shares generated by the MPC process equals to the multiplication of the group G to the power of the accumulation of all the values Z.sub.1, Z.sub.2 . . . Zn.

[0040] Step 370 shows the MPC process sending the final shares FS.sub.1 to FSn to the parties. Each party of the multiple parties receives another final share, such that all the final shares can later be used during an MPC process performed by the parties.

[0041] While the disclosure has been described with reference to exemplary embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted for elements thereof without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings without departing from the essential scope thereof. Therefore, it is intended that the invention disclosed herein not be limited to the particular embodiment disclosed as the best mode contemplated for carrying out this invention.