Re: [viff-devel] viff: Switch to prss_share_bit_double in comparisons.

Thu, 15 May 2008 06:23:23 -0700 

Hi

Martin Geisler wrote:

viff-devel@viff.dk writes:

Hi everybody,

I don't know how many of you follow the commits to the VIFF repository?
Would anybody be interested in a mailing list for it?

Anyway -- the latest commit is this:


http://hg.viff.dk/viff/rev/5dd8c277268c
changeset: 751:5dd8c277268c
user:      Martin Geisler <[EMAIL PROTECTED]>
date:      Tue May 13 16:28:41 2008 +0200
summary:   Switch to prss_share_bit_double in comparisons.


This change makes the ComparisonToft05Mixin.greater_than_equal method
actively secure and much faster!

Running three players on my home computer gives these results:

  Before: 1309 ms per comparison with 100 parallel comparisons
  After:   324 ms per comparison with 100 parallel comparisons

That is a factor of four! I measured similar improvements earlier today
when using three different machines at DAIMI.
Nice speedup. It's also possible to do a similar thing for ComparisonToft07Mixin. In the two-fields variation we need the same bit in Zp and Zq, where q<<p, say p is 500-bit and q=3001. 

Similarly to generating the same random bit in Zp and GF(256), we can

1) generate a random bit [b]_p in Zp
2) generate a pseudorandom number [r]_p (of limited size) in Zp and the same number mod q in Zq [r mod q]_q (similar to the present case, where q "implicitly" is two) 
3) c  <- open([b]_p + [r]_p)
4) [b]_q = ((c mod q) - [r mod q]_q)


Anyway. looking at this lead Mikkel and me to look at
prss_share_random in runtime.py, and there seems to be either a bug (information leak) /or/ a possibility of optimisation when sharing a bit in Zp. 


The problem is the following:
result = self.open(Share(self, field, share*share), threshold=2*self.threshold)
Is the "*" in "share*share" a multiplication protocol or a multiplication of actual values? If it is actual values, then we *cannot* simply call it shares and open it, as the polynomial is not uniformly random (this can also be done with PRSS and no communication).
If on the other hand it is an invoation of the multiplication protocol, then it is secure but can be optimised with the PRSS version mentioned above. 


Regards,
  Tomas













_______________________________________________
viff-devel mailing list (http://viff.dk/)
viff-devel@viff.dk
http://lists.viff.dk/listinfo.cgi/viff-devel-viff.dk

Reply via email to