
Codeword Authentication

We now describe the codeword authentication protocol. This protocol allows parties to authenticate shares of components of a codeword such that the output is guaranteed to be authenticated shares of a valid codeword. There are two main stages: firstly a BigMAC is constructed which consists of a (big) MAC on each component of a codeword. Then these are combined and compressed into a single MiniMAC for the entire codeword.

This functionality generates offline material used in the MiniMAC online protocol. We denote by $A$ the set of parties controlled by the adversary.

Initialize: On input $(\mathrm{Init}, m, k, d, u, G)$ from all parties, store the integers $m, k, d, u$ and the generator matrix $G$ of a linear $[m, k, d]$-code $C$ over the field $\mathbb{F}_{2^u}$.

1. For each corrupt party $P_i$ with $i \in A$, get an element $\Delta^{(i)} \in \mathbb{F}_{2^u}^m$ from the adversary.

2. Pick each share $\Delta^{(i)}$ for $i \notin A$ uniformly at random from $\mathbb{F}_{2^u}^m$ and define $\Delta = \sum_{i=1}^{n} \Delta^{(i)}$.

3. If the functionality receives the signal Abort from the adversary, then halt and output Abort.

4. Output $\Delta^{(i)}$ to party $P_i$.

Computation: On input DataGen from all honest parties and the adversary, and only if the functionality received Proceed (or BreakDown is set to true), it executes the data generation procedures specified in Figure 28 composed with the macro Bracket in Figure 29.

Fig. 27. Ideal functionality for MiniMAC offline generation


Schur Pair $(\llbracket C(\mathbf{r}) \rrbracket^*, \llbracket C^*(\mathbf{s}) \rrbracket^*)$:

1. Receive the shares $\{C(\mathbf{r}^{(i)}), C^*(\mathbf{s}^{(i)})\}_{i \in A}$ from the adversary, where $C(\mathbf{r}^{(i)})$ and $C^*(\mathbf{s}^{(i)})$ are equal in the first $k$ positions. Similarly pick the shares $\{C(\mathbf{r}^{(i)}), C^*(\mathbf{s}^{(i)})\}_{i \notin A}$ for each of the honest parties, such that $C(\mathbf{r}^{(i)})$ and $C^*(\mathbf{s}^{(i)})$ are equal in the first $k$ positions and the following $k^* - k$ positions of $C^*(\mathbf{s}^{(i)})$ are chosen uniformly at random.

2. Run the Bracket macro on $\{C(\mathbf{r}^{(i)}), \Delta^{(i)}\}_{i \in [n]}$ and on $\{C^*(\mathbf{s}^{(i)}), \Delta^{(i)}\}_{i \in [n]}$ and return the output.

Reorganization $(\llbracket C(\mathbf{r}) \rrbracket^*, \llbracket C(f(\mathbf{r})) \rrbracket^*)$:

1. Receive the shares $\{C(\mathbf{r}^{(i)})\}_{i \in A}$ from the adversary and pick the shares $\{C(\mathbf{r}^{(i)})\}_{i \notin A}$ uniformly at random for each of the honest parties.

2. Run the BigBracket macro on $\{C(\mathbf{r}^{(i)}), \Delta^{(i)}\}_{i \in [n]}$ to get $\big(C(\mathbf{r}^{(i)}), \{\mathbf{m}^{(i)}_{(r,h)}\}_{h \in [m]}\big)$.

3. Letting $\llbracket r_h \rrbracket$ be defined by $\langle \mathbf{r}[h] \rangle, \langle \mathbf{m}_{(r,h)} \rangle, \langle \Delta \rangle$ for $h \in [k]$, apply $f$ and then $C$ to $\llbracket r_1 \rrbracket, \ldots, \llbracket r_k \rrbracket$ to obtain $\llbracket C(f(\mathbf{r}))_1 \rrbracket, \ldots, \llbracket C(f(\mathbf{r}))_k \rrbracket$, where $C(f(\llbracket r_h \rrbracket)) = \llbracket C(f(\mathbf{r}))_h \rrbracket$.

4. Finally return $\big(C(\mathbf{r}^{(i)}), \mathbf{m}^{(i)*}_{r}\big)$ and $\big(C(f(\mathbf{r}^{(i)})), \mathbf{m}^{(i)*}_{f(r)}\big)$, where $\mathbf{m}^{(i)*}_{r}, \mathbf{m}^{(i)*}_{f(r)} \in \mathbb{F}_{2^u}^m$ and $\mathbf{m}^{(i)*}_{r}[h] = \mathbf{m}^{(i)}_{(r,h)}[h]$, respectively $\mathbf{m}^{(i)*}_{f(r)}[h] = \mathbf{m}^{(i)}_{(f(r),h)}[h]$, for $h \in [m]$.

Multiplication $(\llbracket C(\mathbf{a}) \rrbracket^*, \llbracket C(\mathbf{b}) \rrbracket^*, \llbracket C^*(\mathbf{c}) \rrbracket^*)$:

1. Sample shares $\{C(\mathbf{a}^{(i)}), C(\mathbf{b}^{(i)})\}_{i \in [n]}$ and compute shares $C^*(\mathbf{c}^{(i)})$ of $C^*(\mathbf{c}) = C(\mathbf{a}) * C(\mathbf{b})$ (the componentwise product).

2. Run the Bracket macro on $\{C(\mathbf{a}^{(i)}), \Delta^{(i)}\}_{i \in [n]}$, $\{C(\mathbf{b}^{(i)}), \Delta^{(i)}\}_{i \in [n]}$ and $\{C^*(\mathbf{c}^{(i)}), \Delta^{(i)}\}_{i \in [n]}$.

3. Output $\llbracket C(\mathbf{a}) \rrbracket^*, \llbracket C(\mathbf{b}) \rrbracket^*, \llbracket C^*(\mathbf{c}) \rrbracket^*$.

Key queries: On input of a description of an affine subspace $S \subset (\mathbb{F}_2^{m \cdot u})^n$, return Success if $(\Delta^{(1)}, \ldots, \Delta^{(n)}) \in S$. Otherwise return Abort.

Fig. 28. Ideal functionality for MiniMAC offline generation (continued)

We present the codeword authentication protocol $\Pi_{\mathrm{CodeAuth}}$ in Fig. 30 and its ideal functionality $\mathcal{F}_{\mathrm{CodeAuth}}$ in Fig. 31. The protocol uses the $\mathcal{F}_{\llbracket\cdot\rrbracket}$ functionality, which is described in Fig. 5.

The BigMAC part of the protocol consists of first having each party $i$ give as input the non-parity components $\mathbf{x}^{(i)}_1, \ldots, \mathbf{x}^{(i)}_k \in \mathbb{F}_{2^u}$ of his share of a systematic codeword $C(\mathbf{x})$. Each component share is then authenticated using $\mathcal{F}_{\llbracket\cdot\rrbracket}$ under an $m \cdot u$-bit global key, so each party holds a MAC share in $\mathbb{F}_{2^u}^m$ for each of the $k$ components. The authentications of the last $m - k$ components of the shares of $C(\mathbf{x})$ are then computed as linear combinations of the BigMACs using the generator

Ideal Authentication Macros

The macros take input $\{\mathbf{x}^{(i)}, \Delta^{(i)}\}_{i \in [n]}, C$, where each $\mathbf{x}^{(i)} \in \mathbb{F}_{2^u}^k$, $C$ is a code of dimension $k$ and length $m$, and $\Delta^{(i)} \in \mathbb{F}_{2^u}^m$.

Bracket:

1. Let $\mathbf{x} = \sum_{i \in [n]} \mathbf{x}^{(i)}$. Furthermore let $\mathbf{m} = C(\mathbf{x}) * \Delta$ (the componentwise product).

2. For every corrupt party $P_i$, $i \in A$, the adversary specifies a share $\mathbf{m}^{(i)}$.

3. The functionality sets each share $\mathbf{m}^{(i)}$ for $i \notin A$ uniformly at random under the constraint that $\sum_{i \in [n]} \mathbf{m}^{(i)} = \mathbf{m}$.

4. If the adversary inputs $(\mathrm{Error}, \{e^{(i)}_{h,j}\}_{i \notin A,\, h \in [k],\, j \in [m \cdot u]})$ with elements in $\mathbb{F}_{2^{m \cdot u}}$, set $\mathbf{m}^{(i)} := \mathbf{m}^{(i)} + \mathbf{e}^{(i)}$, where $\mathbf{e}^{(i)} \in \mathbb{F}_{2^u}^m$ and
$$\mathbf{e}^{(i)}[h] = \sum_{j=1}^{m \cdot u} e^{(i)}_{h,j} \cdot \Delta^{(i)}_j \cdot X^{j-1} \quad \text{for } h \in [m],$$
where $\Delta^{(i)}_j$ denotes the $j$-th bit of $\Delta^{(i)}$.

5. Output the shares $(\mathbf{x}^{(i)}, \mathbf{m}^{(i)})$ to each party $P_i$.

BigBracket:

1. Let the $h$-th component of $\mathbf{x}^{(i)}$ be denoted by $\mathbf{x}^{(i)}[h]$.

2. Next let $\mathbf{x}[h] = \sum_{i \in [n]} \mathbf{x}^{(i)}[h]$. Furthermore let $\mathbf{m}_h = \mathbf{x}[h] \cdot \Delta$.

3. For every corrupt party $P_i$, $i \in A$, the adversary specifies shares $\{\mathbf{m}^{(i)}_h\}_{h \in [k]}$.

4. The functionality sets the shares $\{\mathbf{m}^{(i)}_h\}_{h \in [k]}$ for $i \notin A$ uniformly at random under the constraint that $\sum_{i \in [n]} \mathbf{m}^{(i)}_h = \mathbf{m}_h$ for $h \in [k]$.

5. If the adversary inputs $(\mathrm{Error}, \{e^{(i)}_{h,j}\}_{i \notin A,\, h \in [k],\, j \in [m \cdot u]})$ with elements in $\mathbb{F}_{2^{m \cdot u}}$, set
$$\mathbf{m}^{(i)}_h = \mathbf{m}^{(i)}_h + \sum_{j=1}^{m \cdot u} e^{(i)}_{h,j} \cdot \Delta^{(i)}_j \cdot X^{j-1},$$
where $\Delta^{(i)}_j$ denotes the $j$-th bit of $\Delta^{(i)}$.

6. For $i \in [n]$ and $h \in [k+1; m]$, compute the values $\mathbf{m}^{(i)}_h$ by applying the code $C$ to $\{\mathbf{m}^{(i)}_h\}_{h \in [k]}$, and similarly for $\{\mathbf{x}^{(i)}[h]\}_{h \in [k+1; m]}$.

7. For each $i \notin A$ and $h \in [m]$, output the shares $\{\mathbf{x}^{(i)}, \mathbf{m}^{(i)}_h\}$ to $P_i$.

Fig. 29. Macros for ideal MiniMAC authentication.

matrix of $C$. The Compress part of the protocol then takes as input all the $m$ BigMAC shares of each party and simply uses the $h$-th component of the BigMAC authenticating the $h$-th component of $C(\mathbf{x})$ as the $h$-th component of the MiniMAC. That is, if we view the BigMACs as columns of a matrix (the first column being the BigMAC of the first component of $C(\mathbf{x})$, and so on up to the $m$-th component), then the MiniMAC of $C(\mathbf{x})$ is simply the diagonal of this matrix.

The intuition for why this is secure is that, since the authentication of the parity components of the codeword is computed from the authenticated non-parity components using a public algorithm (the generator matrix), an adversary can only try to cheat locally. Furthermore, if he later tries to change the value that is MAC'ed, he has to guess the honest parties' shares of $d$ components, because of the code's minimum distance.
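As an added example (not code from the paper), the following Python computes the BigMAC of each non-parity component of a codeword, derives the parity-position BigMACs through the generator matrix as in step 2 of Fig. 30, and then takes the diagonal in the Compress step. It works on opened values rather than on shares (every step is linear, so the same computation applies share-wise), and assumes $\mathbb{F}_{2^8}$ with the AES reduction polynomial and a toy systematic $[6, 3]$ generator matrix; both are illustration choices, not the paper's parameters, and no minimum distance is claimed for the toy code.

```python
# Added example (not from the paper): BigMAC -> MiniMAC compression of Fig. 30/31
# on an opened (unshared) codeword. F_{2^8} with the AES reduction polynomial and
# the toy systematic [6, 3] generator matrix below are assumptions for illustration.
K, M = 3, 6                 # code dimension k and length m
POLY = 0x11B                # F_{2^8}: X^8 = X^4 + X^3 + X + 1
G = [[1, 0, 0, 1, 2, 3],    # systematic: identity block, then m - k parity columns
     [0, 1, 0, 1, 3, 5],
     [0, 0, 1, 1, 4, 7]]

def gf_mul(a, b):
    """Product of two F_{2^8} elements (ints 0..255)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def encode(x):
    """C(x) = x . G for a row vector x in F_{2^8}^k."""
    cw = []
    for h in range(M):
        acc = 0
        for l in range(K):
            acc ^= gf_mul(x[l], G[l][h])
        cw.append(acc)
    return cw

def big_mac(x, delta):
    """BigMAC: m_h = x[h] * Delta for the k non-parity components (Delta is in
    F_{2^8}^m, so each m_h is a full m-vector), then m_h for h > k as the same
    linear combination of m_1..m_k that G applies to the codeword components."""
    macs = [[gf_mul(x[h], d) for d in delta] for h in range(K)]
    for h in range(K, M):
        col = [0] * M
        for l in range(K):
            for t in range(M):
                col[t] ^= gf_mul(macs[l][t], G[l][h])
        macs.append(col)
    return macs                       # m BigMACs, each a vector in F_{2^8}^m

def compress(macs):
    """Compress: the MiniMAC is the diagonal, m*[h] = m_h[h]."""
    return [macs[h][h] for h in range(M)]

def bigmac_consistent(codeword, macs, delta):
    """Every BigMAC, including the derived parity ones, equals C(x)[h] * Delta."""
    return all(macs[h] == [gf_mul(codeword[h], d) for d in delta] for h in range(M))

def minimac_valid(codeword, mini_mac, delta):
    """Relation the MiniMAC satisfies after Compress: m*[h] = C(x)[h] * Delta[h]
    for every position h, i.e. the componentwise product C(x) * Delta."""
    return all(mini_mac[h] == gf_mul(codeword[h], delta[h]) for h in range(M))

if __name__ == "__main__":
    x = [0x57, 0x83, 0x1F]                          # constructed non-parity input
    delta = [0xCA, 0x53, 0x02, 0x8E, 0x41, 0xF7]    # constructed key, one F_{2^8} element per position
    cw, macs = encode(x), big_mac(x, delta)
    mm = compress(macs)
    print("BigMACs consistent:", bigmac_consistent(cw, macs, delta))
    print("MiniMAC valid:", minimac_valid(cw, mm, delta))
    tampered = cw[:]
    tampered[4] ^= 0x01                             # a single changed component fails the check
    print("tampered valid:", minimac_valid(tampered, mm, delta))
```

The consistency check shows why the parity BigMACs need no further interaction: $\mathbf{m}_h = \sum_l \mathbf{m}_l \, G[l,h] = \big(\sum_l \mathbf{x}[l] \, G[l,h]\big) \cdot \Delta = C(\mathbf{x})[h] \cdot \Delta$ by linearity, so the diagonal entry $\mathbf{m}_h[h]$ is $C(\mathbf{x})[h] \cdot \Delta[h]$, which is exactly the componentwise MiniMAC relation. The tampered check illustrates the local-cheating argument above: changing a component without knowing $\Delta[h]$ breaks the relation at that position.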

CodeAuth Security.

Lemma 13. For every static adversary $\mathcal{A}$ corrupting up to $n - 1$ parties, the protocol $\Pi_{\mathrm{CodeAuth}}$ securely implements $\mathcal{F}_{\mathrm{CodeAuth}}$ of Figure 31 in the $\mathcal{F}_{\llbracket\cdot\rrbracket}$-hybrid model.

Proof. Let $\mathcal{S}$ be a simulator with access to $\mathcal{F}_{\mathrm{CodeAuth}}$; we show that no environment $\mathcal{Z}$ can distinguish between an interaction with $\mathcal{S}$ and an interaction with the real adversary $\mathcal{A}$ and real parties with access to the functionality $\mathcal{F}_{\llbracket\cdot\rrbracket}$.

Protocol $\Pi_{\mathrm{CodeAuth}}$

Initialize: Call $\mathcal{F}^{\mathbb{F}_{2^{u \cdot m}}}_{\llbracket\cdot\rrbracket}.(\mathrm{Init})$ to initialize the BigMAC key $\Delta \in \mathbb{F}_2^{m \cdot u}$.

BigMAC: On input $(\mathrm{BigMAC}, C, \mathbf{x}^{(i)})$ from every party $P_i$, where $\mathbf{x}^{(i)} \in \mathbb{F}_{2^u}^k$ and $C$ is a systematic, linear code over $\mathbb{F}_{2^u}$ of dimension $k$ and length $m$, do the following:

1. For each party $i \in [n]$ call $\mathcal{F}_{\llbracket\cdot\rrbracket}.(\text{n-Share})$ with input $(\mathrm{Authenticate}, \mathbf{x}^{(i)}[1], \ldots, \mathbf{x}^{(i)}[k])$ to obtain $\{\langle \mathbf{m}_h \rangle\}_{h \in [k]}$ and in turn the authenticated shares $\{\llbracket \mathbf{x}[h] \rrbracket\}_{h \in [k]} = \{\langle \mathbf{x}[h] \rangle, \langle \mathbf{m}_h \rangle, \langle \Delta \rangle\}_{h \in [k]}$.

2. Locally encode these shares using the code $C$ to obtain $\llbracket C(\mathbf{x}) \rrbracket$, a length-$m$ vector of $\mathbb{F}_{2^u}$ elements where every component is authenticated under $\Delta$. That is,
$$\llbracket C(\mathbf{x}) \rrbracket = \big( \{\langle C(\mathbf{x})[h] \rangle, \langle \mathbf{m}_h \rangle\}_{h \in [m]}, \langle \Delta \rangle \big),$$
where $C(\mathbf{x})[h] = (\mathbf{x} \cdot G)[h]$ and $\mathbf{m}^{(i)}_h = \sum_{l=1}^{k} \mathbf{m}^{(i)}_l \cdot G[l, h]$, when $G$ is the generator matrix of the code $C$ and $\mathbf{x}$ is viewed as a row vector.

Compress: On input $(\mathrm{Compress}, \llbracket C(\mathbf{x}) \rrbracket)$ from all parties, do the following:

1. View $\Delta^{(i)}$ and $\mathbf{m}^{(i)}_h$ as elements of $\mathbb{F}_{2^u}^m$ by letting each block of $u$ bits be one component in $\mathbb{F}_{2^u}$.

2. Parse $\llbracket C(\mathbf{x}) \rrbracket$ as $\{\langle C(\mathbf{x})[h] \rangle, \langle \mathbf{m}_h \rangle, \langle \Delta \rangle\}_{h \in [m]} = \{C(\mathbf{x}^{(i)})[h], \mathbf{m}^{(i)}_h, \Delta^{(i)}\}_{h \in [m],\, i \in [n]}$.

3. Now define a new componentwise sharing $\llbracket C(\mathbf{x}) \rrbracket^*$ to be
$$\{\langle C(\mathbf{x}) \rangle, \langle \mathbf{m} \rangle, \langle \Delta \rangle\} = \{C(\mathbf{x}^{(i)}), \mathbf{m}^{(i)*}, \Delta^{(i)}\}_{i \in [n]},$$
where $\mathbf{m}^{(i)*} \in \mathbb{F}_{2^u}^m$ and $\mathbf{m}^{(i)*}[h] = \mathbf{m}^{(i)}_h[h]$ for $h \in [m]$.

Fig. 30. Protocol $\Pi_{\mathrm{CodeAuth}}$, used for codeword authentication with a BigMAC key and a MiniMAC key.

The simulator invokes an internal copy of $\mathcal{A}$ and sets up dummy parties $\pi_i$, $i \in \mathcal{P}$. Let $A$ be the set of corrupt parties; it proceeds as follows:

1. Simulating the Initialize phase: $\mathcal{S}$ inputs (Init) to the $\mathcal{F}_{\mathrm{CodeAuth}}$ functionality, together with the set $A$ of corrupt parties and all their extracted inputs $\{\Delta^{(i)}\}_{i \in A}$. It then runs an internal copy of $\mathcal{F}_{\llbracket\cdot\rrbracket}.(\mathrm{Init})$ using the shares it extracted from the adversary and the shares it got back from $\mathcal{F}_{\mathrm{CodeAuth}}$. If it receives Abort, it forwards Abort to the $\mathcal{F}_{\mathrm{CodeAuth}}$ functionality and halts.

2. Simulating the BigMAC phase: $\mathcal{S}$ extracts the adversary's input to $\mathcal{F}_{\llbracket\cdot\rrbracket}.(\text{n-Share})$, $\{\mathbf{x}^{(i)}_h, \mathbf{m}^{(i)}_h\}_{h \in [k]}$ for $i \in A$, and passes it on to $\mathcal{F}_{\mathrm{CodeAuth}}.\mathrm{BigMAC}$. It then picks the shares $\{\mathbf{x}^{(i)}_h\}_{h \in [k]}$ for $i \notin A$ uniformly at random and sends them to $\mathcal{F}_{\mathrm{CodeAuth}}.\mathrm{BigMAC}$, which sends back the honest parties' MAC shares $\{\mathbf{m}^{(i)}_h\}_{h \in [k]}$. If the adversary inputs $(\mathrm{Error}, \{e^{(i)}_{h,j}\}_{i \notin A,\, h \in [k],\, j \in [m \cdot u]})$, the simulator passes this call on to $\mathcal{F}_{\mathrm{CodeAuth}}$ and locally updates the honest parties' shares by setting
$$\mathbf{m}^{(i)}_h = \mathbf{m}^{(i)}_h + \sum_{j=1}^{m \cdot u} e^{(i)}_{h,j} \cdot \Delta^{(i)}_j \cdot X^{j-1},$$
where $\Delta^{(i)}_j$ denotes the $j$-th bit of $\Delta^{(i)}$.

3. Simulating the Compress phase: $\mathcal{S}$ simply passes the call on to the $\mathcal{F}_{\mathrm{CodeAuth}}$ functionality and returns what it gets back.

To argue indistinguishability, first notice that if an abort occurred during the internal execution of the protocol, then an abort occurs in both the ideal and the real world, and the simulation in this case is perfect. For the rest, simply notice that everything is done in perfect accordance with $\Pi_{\mathrm{CodeAuth}}$ (and $\mathcal{F}_{\llbracket\cdot\rrbracket}$), since everything is either passed on directly to the $\mathcal{F}_{\mathrm{CodeAuth}}$ functionality or done with local computation.

Functionality $\mathcal{F}_{\mathrm{CodeAuth}}$

Let $A$ be the indices of the corrupt parties. Running with parties $P_1, \ldots, P_n$ and an ideal adversary $\mathcal{S}$, the functionality operates as follows.

Initialize: On input (Init) the functionality activates and waits for the adversary to input a set of shares $\{\Delta^{(j)}\}_{j \in A}$ in $\mathbb{F}_2^{m \cdot u}$. It samples random $\{\Delta^{(i)}\}_{i \notin A}$ in $\mathbb{F}_2^{m \cdot u}$ for the honest parties, defining $\Delta := \sum_{i \in [n]} \Delta^{(i)}$. If any $j \in A$ outputs Abort then the functionality aborts.

BigMAC: On input $(\mathrm{BigMAC}, C, \mathbf{x}^{(i)})$ from all parties $P_i$, where $\mathbf{x}^{(i)} \in \mathbb{F}_{2^u}^k$ and $C$ is a systematic, linear code over $\mathbb{F}_{2^u}$ of dimension $k$ and length $m$:

- Run the macro BigBracket with input $(\mathbf{x}^{(i)}[1], \Delta^{(i)}), \ldots, (\mathbf{x}^{(i)}[k], \Delta^{(i)}), C$ from $P_i$.

Compress: On input $(\mathrm{Compress}, \llbracket C(\mathbf{x}) \rrbracket)$ from all parties $P_i$, do as follows:

1. Parse $\llbracket C(\mathbf{x}) \rrbracket$ as $\{\langle C(\mathbf{x})[h] \rangle, \langle \mathbf{m}_h \rangle, \langle \Delta \rangle\}_{h \in [m]} = \{C(\mathbf{x}^{(i)})[h], \mathbf{m}^{(i)}_h, \Delta^{(i)}\}_{h \in [m],\, i \in [n]}$. Now define a new componentwise sharing $\llbracket C(\mathbf{x}) \rrbracket^*$ to be
$$\{\langle C(\mathbf{x}) \rangle, \langle \mathbf{m} \rangle, \langle \Delta \rangle\} = \{C(\mathbf{x}^{(i)}), \mathbf{m}^{(i)*}, \Delta^{(i)}\}_{i \in [n]},$$
where $\mathbf{m}^{(i)*} \in \mathbb{F}_{2^u}^m$ and $\mathbf{m}^{(i)*}[h] = \mathbf{m}^{(i)}_h[h]$ for $h \in [m]$.

2. Return $\llbracket C(\mathbf{x}^{(i)}) \rrbracket^* = (C(\mathbf{x}^{(i)}), \mathbf{m}^{(i)*}, \Delta^{(i)})$ to each party $i$.

Key queries: On input of a description of an affine subspace $S \subset (\mathbb{F}_2^{m \cdot u})^n$, return Success if $(\Delta^{(1)}, \ldots, \Delta^{(n)}) \in S$. Otherwise return Abort.

Fig. 31. Functionality $\mathcal{F}_{\mathrm{CodeAuth}}$, used for generating authenticated codewords.

G.3 Multiplication Triples

In this part we describe the remaining ideal functionalities, protocols and proofs needed in order to construct MiniMAC multiplication triples. First, we show in Fig. 32 how to use the amplified correlated OT functionality $\mathcal{F}_{\mathrm{ACOT}}$ from Fig. 3 to generate an XOR sharing of the tensor product of two unauthenticated codewords (one chosen by each party). We then describe in the protocol $\Pi_{\mathrm{UncheckedMiniTriples}}$ in Fig. 33 (with ideal functionality $\mathcal{F}_{\mathrm{UncheckedMiniTriples}}$ in Fig. 34 and simulator $\mathcal{S}_{\mathrm{UncheckedMiniTriples}}$ in Fig. 35) how to use these components of unauthenticated multiplication triples, along with the codeword authentication functionality $\mathcal{F}_{\mathrm{CodeAuth}}$ from Fig. 31, to construct unchecked MiniMAC multiplication triples. Finally we show in the protocol $\Pi_{\mathrm{MiniTriples}}$ in Fig. 36 (whose ideal functionality is part of Fig. 28 and whose simulator $\mathcal{S}_{\mathrm{MiniTriples}}$ is described in Fig. 37) how to combine a pair of unchecked MiniMAC triples with a Schur pair into a MiniMAC multiplication triple.

CodeOT Subprotocol. The CodeOT subprotocol uses $\mathcal{F}_{\mathrm{ACOT}}$ to create an XOR sharing of the componentwise product of vectors (over $\mathbb{F}_{2^u}$) input by two parties. It does so by first getting from $\mathcal{F}_{\mathrm{ACOT}}$ an XOR sharing of the tensor product of two $u \cdot k$-bit vectors. These shares are then converted to $k \times k$ elements of the field $\mathbb{F}_{2^u}$ by viewing each bit as a coefficient of a polynomial of degree at most $u - 1$ and constructing that polynomial, i.e. an element of $\mathbb{F}_{2^u}$, by summing the appropriate coefficients, each multiplied with a power of $X$ to form a term. Finally, each row and column of this matrix is expanded from $k \times k$ to $m \times m$ by viewing it as an element of $\mathbb{F}_{2^u}^k$ and using the linearity of $C$ to encode it. This lets the parties end up with an XOR sharing of the outer product of the encodings of an $\mathbb{F}_{2^u}^k$ value of each party's choice.

Subprotocol $\mathrm{CodeOT}_C$

Let $C$ be a systematic $[m, k, d]$ linear code over $\mathbb{F}_{2^u}$, and let $s$ be a statistical security parameter.

Initialize: Run $\mathcal{F}_{\mathrm{ACOT}}.\mathrm{Initialize}$.

Input: $P_R$ inputs $\mathbf{a} \in \mathbb{F}_{2^u}^k$ and $P_S$ inputs $\mathbf{b} \in \mathbb{F}_{2^u}^k$.

Correlated OT: Run $\mathcal{F}^{u \cdot k, s}_{\mathrm{ACOT}}$ with inputs $\mathbf{a}, \mathbf{b}$, so that $P_R$ receives a matrix $T_0 \in \mathbb{F}_2^{u \cdot k \times u \cdot k}$ and $P_S$ receives $Q_0 \in \mathbb{F}_2^{u \cdot k \times u \cdot k}$ such that
$$Q_0 = T_0 + \mathbf{a} \otimes \mathbf{b}.$$

Convert to field:

1. Consider $Q_0$ and $T_0$ as $k \times k$ block matrices, where entry $(i, j)$ is given by an XOR share of the $u \times u$ matrix over $\mathbb{F}_2$:
$$\begin{pmatrix}
a_i[1] \cdot b_j[1] & a_i[1] \cdot b_j[2] & \cdots & a_i[1] \cdot b_j[u] \\
a_i[2] \cdot b_j[1] & a_i[2] \cdot b_j[2] & \cdots & a_i[2] \cdot b_j[u] \\
\vdots & \vdots & \ddots & \vdots \\
a_i[u] \cdot b_j[1] & a_i[u] \cdot b_j[2] & \cdots & a_i[u] \cdot b_j[u]
\end{pmatrix}$$

2. Let entry $(i, j)$ be the $\mathbb{F}_{2^u}$ field element given by
$$f_{i,j} = \sum_{i'=1}^{u} \sum_{j'=1}^{u} a_i[i'] \cdot b_j[j'] \cdot X^{i' + j' - 2},$$
so that now $Q_0, T_0$ are $k \times k$ matrices over $\mathbb{F}_{2^u}$, where entry $(i, j)$ contains an XOR share of the product of $\mathbf{a}[i]$ and $\mathbf{b}[j]$.

Encode: Now expand $Q_0$ and $T_0$ into $m \times m$ matrices of codewords:

1. $P_R$ sets $T$ to be the matrix obtained by applying $C(\cdot)$ to each row and each column of $T_0$, seen as vectors in $\mathbb{F}_{2^u}^k$.

2. $P_S$ sets $Q$ to be the matrix obtained by applying $C(\cdot)$ to each row and each column of $Q_0$, seen as vectors in $\mathbb{F}_{2^u}^k$.

Note that $Q$ and $T$ are $u \cdot m \times u \cdot m$ matrices over $\mathbb{F}_2$ whose rows and columns are codewords in $C$ when viewed as vectors in $\mathbb{F}_{2^u}^m$.

Note that if $Q_i, T_i$ are the $i$-th rows of $Q, T$, then $Q_i = T_i + C(\mathbf{a})[i] \cdot C(\mathbf{b})$ for $i \in [m]$, and now every column of $Q, T$ is a codeword.

Now $P_R$ has $T \in \mathbb{F}_{2^u}^{m \times m}$ and $P_S$ has $Q \in \mathbb{F}_{2^u}^{m \times m}$ such that
$$Q = T + C(\mathbf{a}) \otimes C(\mathbf{b}).$$

Fig. 32. Subprotocol for codeword OT extension between $P_R$ and $P_S$.

Since it only consists of local computation, we do not model it with a separate functionality, but instead use it directly as a subprotocol in triple generation. We describe this subprotocol in Fig. 32.

Unchecked Multiplication Triples. The protocol $\Pi_{\mathrm{UncheckedMiniTriples}}$ constructs weakly authenticated multiplication triples. This is done by having each party pick two random elements in $\mathbb{F}_{2^u}^k$ and execute the CodeOT protocol with every other party on each of these elements to get an XOR sharing. Every party then computes a share of the Schur product from his own chosen random values and the diagonal of each of the tensor products obtained from CodeOT. Finally, each party authenticates his respective shares using the $\mathcal{F}_{\mathrm{CodeAuth}}$ functionality.

Lemma 14. For every static adversary $\mathcal{A}$ corrupting up to $n - 1$ parties, the protocol $\Pi_{\mathrm{UncheckedMiniTriples}}$ securely implements the $\mathcal{F}_{\mathrm{UncheckedMiniTriples}}$ functionality in the $(\mathcal{F}_{\mathrm{ACOT}}, \mathcal{F}_{\mathrm{CodeAuth}})$-hybrid model.

Initialize: Call $\mathcal{F}_{\mathrm{CodeAuth}}.\mathrm{Initialize}$.

Triple Generation: This generates a triple $\{\langle C(\mathbf{a}) \rangle, \langle C(\mathbf{b}) \rangle, \langle C^*(\mathbf{c}) \rangle\}$ with $C(\mathbf{a}), C(\mathbf{b}), C^*(\mathbf{c}) \in \mathbb{F}_{2^u}^m$ for which it holds that $C^*(\mathbf{c}) = C(\mathbf{a}) * C(\mathbf{b})$.

1. Each party $P_i$ generates $\mathbf{a}^{(i)}, \mathbf{b}^{(i)} \xleftarrow{\$} \mathbb{F}_{2^u}^k$.

2. Each pair of parties $(P_i, P_j)$, $i \neq j$, calls $\mathcal{F}_{\mathrm{CodeOT}_C}$ with input $\mathbf{a}^{(i)}, \mathbf{b}^{(j)}$ to obtain a random XOR sharing of the $m \times m$ matrix
$$C^{i,j}_i + C^{i,j}_j = C(\mathbf{a}^{(i)}) \otimes C(\mathbf{b}^{(j)}).$$
(Note that the tensor product is over $\mathbb{F}_{2^u}$, so each entry of the matrix is a product of $\mathbb{F}_{2^u}$ elements.)

3. Each party $P_i$ computes
$$C^*(\mathbf{c}^{(i)}) = C(\mathbf{a}^{(i)}) * C(\mathbf{b}^{(i)}) + \mathrm{diag}\Big( \sum_{j \neq i} C^{i,j}_i + C^{j,i}_i \Big),$$
where $\mathrm{diag}(M)$ is the vector containing the diagonal entries of the matrix $M$.

4. $P_i$ calls $\mathcal{F}_{\mathrm{CodeAuth}}.\mathrm{BigMAC}$ with inputs $(C, \mathbf{a}^{(i)})$, $(C, \mathbf{b}^{(i)})$ and $(C^*, \mathbf{c}^{(i)})$ to obtain the shares $\llbracket C(\mathbf{a}) \rrbracket, \llbracket C(\mathbf{b}) \rrbracket, \llbracket C^*(\mathbf{c}) \rrbracket$, and then calls $\mathcal{F}_{\mathrm{CodeAuth}}.\mathrm{Compress}$ to obtain $\llbracket \cdot \rrbracket^*$ sharings.

Fig. 33. Protocol $\Pi_{\mathrm{UncheckedMiniTriples}}$, generation of unchecked MiniMAC triples
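As an added example (not code from the paper), the following Python walks through the Convert-to-field and Encode steps of the CodeOT subprotocol (Fig. 32) and then steps 1 to 3 of Fig. 33 for $n$ parties, so it serves both passages. It replaces $\mathcal{F}_{\mathrm{ACOT}}$ by a local simulation that simply hands out XOR shares of the bit matrix $\mathbf{a} \otimes \mathbf{b}$, leaves out the authentication of step 4, and assumes $\mathbb{F}_{2^8}$ with the AES reduction polynomial, a toy systematic $[6, 3]$ code and seeded randomness; all of these are illustration choices, not the paper's parameters.

```python
# Added example (not from the paper): CodeOT "Convert to field" and "Encode"
# (Fig. 32) with F_ACOT simulated locally, then the share computation of
# Fig. 33 steps 1-3. F_{2^8} (AES polynomial), the toy systematic [6, 3] code
# and seeded randomness are assumptions made for illustration only.
import random

U, POLY = 8, 0x11B          # F_{2^8}: ints 0..255, X^8 = X^4 + X^3 + X + 1
K, M = 3, 6                 # code dimension k and length m
G = [[1, 0, 0, 1, 2, 3],    # systematic generator matrix: identity block, then parity columns
     [0, 1, 0, 1, 3, 5],
     [0, 0, 1, 1, 4, 7]]

def gf_mul(a, b):
    """Product of two F_{2^8} elements."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def xor_sum(values):
    acc = 0
    for v in values:
        acc ^= v
    return acc

def encode(x):
    """C(x) = x . G for a row vector x in F_{2^8}^k."""
    return [xor_sum(gf_mul(x[l], G[l][h]) for l in range(K)) for h in range(M)]

def block_to_field(block):
    """Convert to field: f = sum_{i',j'} block[i'][j'] * X^{i'+j'} (0-based exponents,
    the paper's X^{i'+j'-2}) reduced in F_{2^8}. If block[i'][j'] = a_i[i'] * b_j[j']
    this is exactly a[i] * b[j]; the map is XOR-linear, so shares stay shares."""
    return xor_sum(gf_mul(1 << ip, 1 << jp)
                   for ip in range(U) for jp in range(U) if block[ip][jp])

def encode_matrix(mat):
    """Encode: apply C to every row and then to every column of a k x k matrix."""
    rows = [encode(r) for r in mat]                                   # k x m
    cols = [encode([rows[l][h] for l in range(K)]) for h in range(M)]  # m columns of length m
    return [[cols[h][t] for h in range(M)] for t in range(M)]

def code_ot(a, b, seed):
    """Simulated CodeOT between P_R (input a) and P_S (input b).
    Returns (T, Q), m x m matrices over F_{2^8} with Q = T + C(a) (x) C(b)."""
    rng = random.Random(seed)
    abits = [(e >> j) & 1 for e in a for j in range(U)]   # a as u*k bits, low bit first
    bbits = [(e >> j) & 1 for e in b for j in range(U)]
    n = U * K
    # Stand-in for F_ACOT: an XOR sharing (T0, Q0) of the bit matrix a (x) b.
    T0 = [[rng.getrandbits(1) for _ in range(n)] for _ in range(n)]
    Q0 = [[T0[r][c] ^ (abits[r] & bbits[c]) for c in range(n)] for r in range(n)]
    def to_field(mat):   # u x u block (i, j) of the bit matrix -> one F_{2^8} element
        return [[block_to_field([[mat[i*U + ip][j*U + jp] for jp in range(U)] for ip in range(U)])
                 for j in range(K)] for i in range(K)]
    return encode_matrix(to_field(T0)), encode_matrix(to_field(Q0))

def unchecked_triple_shares(n, seed):
    """Fig. 33 steps 1-3: P_i ends with C*(c^{(i)}) = C(a^{(i)}) * C(b^{(i)}) + diag(...)
    such that the shares sum to C(a) * C(b), the componentwise product."""
    rng = random.Random(seed)
    a = [[rng.randrange(256) for _ in range(K)] for _ in range(n)]
    b = [[rng.randrange(256) for _ in range(K)] for _ in range(n)]
    c = [[gf_mul(x, y) for x, y in zip(encode(a[i]), encode(b[i]))] for i in range(n)]
    for i in range(n):
        for j in range(n):
            if i != j:                 # one CodeOT per ordered pair: P_i receiver, P_j sender
                T, Q = code_ot(a[i], b[j], rng.getrandbits(32))
                for h in range(M):
                    c[i][h] ^= T[h][h]  # P_i keeps the diagonal of its share of C(a^{(i)}) (x) C(b^{(j)})
                    c[j][h] ^= Q[h][h]  # P_j keeps the diagonal of its share
    return a, b, c

def is_valid_triple(a, b, c):
    """Check sum_i C*(c^{(i)}) == C(sum_i a^{(i)}) * C(sum_i b^{(i)})."""
    ca = encode([xor_sum(a[i][l] for i in range(len(a))) for l in range(K)])
    cb = encode([xor_sum(b[i][l] for i in range(len(b))) for l in range(K)])
    return all(xor_sum(c[i][h] for i in range(len(c))) == gf_mul(ca[h], cb[h]) for h in range(M))

if __name__ == "__main__":
    a, b, c = unchecked_triple_shares(3, seed=7)     # three parties, constructed seed
    print("unchecked triple valid:", is_valid_triple(a, b, c))
```

Two points the code makes concrete: the conversion of each $u \times u$ bit block to a field element is linear over XOR, which is why the parties can apply it independently to $T_0$ and $Q_0$ and still hold shares of $\mathbf{a}[i] \cdot \mathbf{b}[j]$; and the cross terms $\sum_{i \neq j} \mathrm{diag}\big(C(\mathbf{a}^{(i)}) \otimes C(\mathbf{b}^{(j)})\big)$ are exactly what is missing from $\sum_i C(\mathbf{a}^{(i)}) * C(\mathbf{b}^{(i)})$ to reach $C(\mathbf{a}) * C(\mathbf{b})$, so only the diagonal of each CodeOT output is ever needed.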

Functionality $\mathcal{F}_{\mathrm{UncheckedMiniTriples}}$

Let $B$ denote the set of honest parties, and let $\hat{\iota}$ be the lowest index in $B$. Furthermore, let $B' = B \setminus \{\hat{\iota}\}$ and let $A = [n] \setminus B$ be the set of corrupted parties.

Initialize:

1. Sample $\Delta \xleftarrow{\$} \mathbb{F}_2^{u \cdot m}$ and output a random share $\Delta^{(i)}$ to $P_i$, consistent with the shares for corrupted parties input by $\mathcal{S}$.

Triple generation:

1. Sample random shares of codewords $\langle C(\mathbf{a}) \rangle, \langle C(\mathbf{b}) \rangle$, using the shares for corrupted parties input by the adversary.

2. Wait for $\mathcal{S}$ to input $\{\mathbf{f}^{(i)}_a, \mathbf{f}^{(i)}_b\}_{i \in B'}$ and $\mathbf{f} \in \mathbb{F}_{2^u}^k$.

3. Compute
$$C^*(\mathbf{c}) = C(\mathbf{a}) * C(\mathbf{b}) + \sum_{i \in B'} \Big( C(\mathbf{a}^{(i)}) * C(\mathbf{f}^{(i)}_a) + C(\mathbf{b}^{(i)}) * C(\mathbf{f}^{(i)}_b) \Big) + C(\mathbf{f})$$
and shares of $C^*(\mathbf{c})$ that are consistent with any adversarial inputs.

4. Run the macro Bracket on input $\langle C(\mathbf{a}) \rangle, \langle C(\mathbf{b}) \rangle, \langle C^*(\mathbf{c}) \rangle$.

5. Output $\llbracket C(\mathbf{a}) \rrbracket^*, \llbracket C(\mathbf{b}) \rrbracket^*, \llbracket C^*(\mathbf{c}) \rrbracket^*$.

Fig. 34. Functionality $\mathcal{F}_{\mathrm{UncheckedMiniTriples}}$, used for generation of unchecked MiniMAC triples

Proof. The simulation for unchecked MiniMAC triples, given in Fig. 35, is very close to the proof for unchecked SPDZ triples in $\mathbb{F}_{2^k}$. The main aspect of arguing indistinguishability is the case where the adversary inputs Error in one of the $\mathcal{F}_{\mathrm{ACOT}}$ instances. Following the same argument as in the SPDZ proof, the resulting error term in $\mathbb{F}_{2^{k \cdot u}}$ in the real world is statistically close to uniform, corresponding to the uniform value $\mathbf{f}$ that is added in the simulation.

For the remaining indistinguishability argument, observe that the codeword $C^*(\mathbf{c})$ that results from the output of the simulation (from $\mathcal{F}_{\mathrm{UncheckedMiniTriples}}$), assuming the adversary does not input Error, is given by:

$$C^*(\mathbf{c}) = C(\mathbf{a}) * C(\mathbf{b}) + \sum_{i \in B'} \Big( C(\mathbf{a}^{(i)}) * C(\mathbf{f}^{(i)}_a) + C(\mathbf{b}^{(i)}) * C(\mathbf{f}^{(i)}_b) \Big),$$
where $\mathbf{f}^{(i)}_a, \mathbf{f}^{(i)}_b$ are adversarially chosen. In the protocol, if $\mathcal{A}$ does not input MultError to $\mathcal{F}_{\mathrm{ACOT}}$, we have
$$C^*(\mathbf{c}) = \sum_{i=1}^{n} C^*(\mathbf{c}^{(i)}) = \sum_{i=1}^{n} \Big( C(\mathbf{a}^{(i)}) * C(\mathbf{b}^{(i)}) + \mathrm{diag}\Big( \sum_{j \neq i} C^{i,j}_i + C^{j,i}_i \Big) \Big).$$

Simulator $\mathcal{S}_{\mathrm{UncheckedMiniTriples}}$

Initialize:

1. Receive $\Delta^{(i)} \in \mathbb{F}_2^{m \cdot u}$ for $i \in A$ as input to $\mathcal{F}_{\mathrm{CodeAuth}}$.

2. Input $\{\Delta^{(i)}\}_{i \in A}$ to $\mathcal{F}_{\mathrm{UncheckedMiniTriples}}$.

Triple generation:

1. Emulate $\mathcal{F}^{k \cdot u, k \cdot u}_{\mathrm{ACOT}}$ similarly to step 1 of the simulator for SPDZ triples (Fig. 26):

- Receive inputs $\mathbf{a}^{(i,j)}, \mathbf{b}^{(i,j)}$ for $i \in A$ and $j \in B$ from the corrupt parties $P_i$, corresponding to their input to the $\mathcal{F}_{\mathrm{ACOT}}$ instance with honest $P_j$.

- Calculate the errors for these inputs as in Fig. 26, giving $\mathcal{F}^{u \cdot k}$
