An Empirical Study and Some Improvements of the MiniMac Protocol for Secure Computation

. Recent developments in Multi-party Computation (MPC) has resulted in very eﬃcient protocols for dishonest majority in the pre-processing model. In particular, two very promising protocols for Boolean circuits have been proposed by Nielsen et al. (nicknamed TinyOT) and by Damg˚ard and Zakarias (nicknamed MiniMac). While TinyOT has already been implemented, we present in this paper the ﬁrst implementation of MiniMac, using the same platform as the existing TinyOT implementation. We also suggest several improvements of MiniMac, both on the protocol design and implementation level. In particular, we suggest a modiﬁcation of MiniMac that achieves increased parallelism at no extra communication cost. This gives an asymptotic improvement of the original protocol as well as an 8-fold speed-up of our implementation. We compare the resulting protocol to TinyOT for the case of secure computation in parallel of a large number of AES encryptions and ﬁnd that it performs better than results reported so far on TinyOT, on the same hardware.


Introduction
In Multi-party Computation (MPC), N players wish to compute a function securely on privately held inputs, where security means that the result must be correct, and be the only new information that is released about the inputs.This must hold even if T players are corrupted by an adversary.In this paper, we consider the case of active corruption (where the adversary takes full control over corrupted players) of up to N − 1 players, so-called dishonest majority.In several recent papers [2,6,5,7,9] it has been shown that we can obtain very practical MPC protocols for dishonest majority using preprocessing.
The basic idea exploited is that, while dishonest majority precludes informationtheoretic (IT) constructions, the expensive and inefficient, computationally secure (public key) cryptography can be pushed to a preprocessing phase.This phase is independent of not only the inputs, but also the function to be securely computed.The "raw-material" generated allows the use of IT-secure protocols in the online phase, i.e., protocols that are much more computationally efficient.
Two promising protocols have been proposed for the case of secure computation of Boolean circuits, namely the TinyOT protocol by Nielsen et al. [9] and the MiniMac protocol by Damgård and Zakarias [7].[7] presents a theoretical comparison between the two: For security parameter κ, it was shown that where TinyOT requires each player to do Θ(κ) elementary bit operations per gate the circuit, MiniMac requires only O(log κ) operations (or even O(1) for some instantiations, when the number of players is large).The same overhead was found for communication and the amount of preprocessing-data each player stores.
It is, however, very unclear whether these theoretical advantages translate to greater efficiency in practice.Indeed, TinyOT has been implemented with promising results, and the Θ(κ) bit operations required per gate can in most cases be performed in parallel using a single or small number of CPU instructions.On the other hand, the fact that TinyOT has larger storage requirements and communication complexity remains even on a massively parallel machine.
Our Contribution.In this paper we present the first implementation of MiniMac.We compare this to a TinyOT implementation running on the same hardware with the goal of making a meaningful comparison of the two approaches in practice.As benchmark, we use parallel computation of many AES encryptions using a binary circuit; AES is often used as the de facto standard benchmark and performing multiple parallel executions has practical relevance, e.g., when encrypting data in counter mode.Additionally, we propose a new modification of MiniMac which increases the efficiency of binary circuit evaluation in both theory and practice.Our implementation is optimized for the two party case but works for any number of players.
MiniMac is based on an error correcting code of length n and dimension k over some finite field, F, and allows k parallel evaluations of some arithmetic circuit over F. It further uses an IT-secure authentication scheme that is based on the code; a forged message authentication code (MAC) will be accepted with probability 2 −t where t = log(|F|) • (n − 2k + 1).
Our implementation uses a Reed-Solomon code over F 2 8 with (n, k) = (256, 120) or (255, 85), depending on the underlying implementation of operations on codewords; this implies (at least) 128-bit security.We note that [7] suggests alternative constructions of binary codes based on algebraic geometry, however, the constants involved are very large and no truly efficient encoding algorithm is known, thus, using these were not seen as a viable approach.
Using F 2 8 as the underlying field is a natural choice; elements can be encoded as bytes and addressed separately, while the field is sufficiently small to allow efficient multiplication through table-lookup.Further, F 2 8 has characteristic two implying that binary-XOR is simply addition.
Regarding the choice of (n, k), we strove to maximize parallel computation, i.e., maximize k.Since n is bounded by the cardinality of the field, F 2 8 , we have (n, k) = (256, 120) when aiming for security level t ≥ 128.However, for these