Abstract
We present a simple and fast protocol to securely solve the (single source) Shortest Path Problem, based on Dijkstra’s algorithm over Secure Multiparty Computation. Our protocol improves the current state of the art by Aly et al. [FC 2013 & ICISC 2014] and can offer perfect security against both semi-honest and malicious adversaries. Furthermore, it is the first data oblivious protocol to achieve quadratic complexity in the number of communication rounds. Moreover, our protocol can be easily adapted as subroutine in other combinatorial mechanisms. Our focus is usability; hence, we provide an open source implementation and exhaustive benchmarking under different adversarial settings and players setups.
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
The (Single Source) Shortest Path problem (SPP), i.e. computing the shortest path between a source and all other vertices in a graph, is a commonly used subroutine in commercial applications. In many of these settings, data related to the computation of the problem such as elements of its configuration, graph topology or associated weights, can be considered private. Real life examples include telecommunication networks for banking or restricted topology combinatorial auctions, among others. In such environments, different parties could gain a competitive advantage by obtaining privately held information. Therefore, mechanisms to ensure secrecy, correctness and fairness are required.
In this work we introduce a Secure Multiparty Computation (MPC) data-oblivious protocol to securely solve the single source SPP. Just like in previous works, namely Aly et al. [2, 4], we propose a data oblivious version of Dijkstra’s algorithm, compatible with MPC. We consider all information related to the graph (aside from the number of vertices) to be privately held. The result of our computation is the length of the path and/or the path composition; the parties can then decide whether these are disclosed. Moreover, it can offer perfect securityFootnote 1 and its multiplicative complexity i.e. round complexity, is one order of magnitude lower than the current state of the art [2, 4].
1.1 Related Work
Aly et al. [2, 4] have introduced several data-oblivious protocols to solve the SPP, including adaptations of Dijkstra. However, their complexity bound on the number of sequential multiplications is cubic, whereas we only require a quadratic number of such multiplications. Brickell and Shmatikov [8] introduced a protocol for the SPP in a two-party setting against semi-honest adversaries. In contrast, our solution is not limited to the two-party case and also provides security against active adversaries. The Breadth-First-Search (BFS) proposed by Blanton et al. [7] provides complexity bounds for a special case of the SPP i.e. non-weighted graph. Conversely, we consider the general case where the graph is weighted. Furthermore, Keller and Scholl [17] implemented Dijkstra’s algorithm using Oblivious RAM (ORAM) based data-structures matching the \(\mathcal {O}(|V|^2)\) complexity of the original algorithm. However, their results show that for certain graph sizes, Aly et al. [2] can out-perform their ORAM-based implementation, as ORAM’s intrinsic overhead exceeds any asymptotic advantage.
1.2 Notation and Security
We make use of the square brackets notation for secret shared values e.g. \([\![ x ]\!]\). Furthermore, we consider all inputs to be elements of \(\mathbb {Z}_{q}\), where q is a sufficiently largeFootnote 2 prime or RSA modulus. Complexity is measured in terms of round complexity (multiplicative depth or latency) of the whole protocol. Vectors and matrices are represented by capital letters e.g. E, where |E| denotes its size. Finally, some common encapsulations used throughout our protocols are denoted as follows:
-
\([\![ z ]\!]\leftarrow _{[\![ c ]\!]}[\![ x ]\!]:[\![ y ]\!]\) is the conditional operator. It can be seen as an arithmetic replacement for the if branching instruction. Here, \([\![ c ]\!]\) represents a selection bit and \([\![ z ]\!]\) takes the value of \([\![ x ]\!]\) if \([\![ c ]\!]{\mathop {==}\limits ^{?}}1\) and \([\![ y ]\!]\) otherwise. This simple construction requires only one communication round i.e. \([\![ c ]\!]\cdot ([\![ x ]\!]-[\![ y ]\!]) + [\![ y ]\!]\).
-
exchange\((i,j,[\![ X ]\!])\) swaps the elements in the i-th and j-th position of vector X. This operation is not cryptographic in nature.
Security of MPC protocols is typically defined in the context of simulation under the UC framework [9, 10]. To simplify the analysis, we abstract the required MPC ideal functionality as an arithmetic black box or \(\mathcal {F}_{ABB} \). Initially introduced by Damgård and Nielsen [13], it can be extended to support other ideally modeled functionality e.g. secure comparisons. We offer a revision of our \(\mathcal {F}_{ABB}\), including corresponding UC secure realizations in Table 1. We proceed to define security as follows:
Definition 1
Let \(\pi _{\texttt {SP}}\) be a real protocol implemented in a multiparty setting. We say \(\pi _{\texttt {SP}}\) is UC-secure if, for any adversary \(\mathscr {A}\), there exists a simulator \(\mathscr {S}\) such that the \(\texttt{VIEW}_{\pi }(P_{i})\) of any party \(P_{i}\) interacting with the environment \(\mathscr {Z}\), cannot be distinguished (with non-negligible probability) between the real protocol \(\pi _{\texttt {SP}}\) and the ideal functionality \(\mathcal {F}_{\textit{SP}}\).
2 Privacy Preserving Single Source SPP
Let \(G = (V,E)\) be a directed graph without negative cycles where V is the set of vertices and E is the set of edges. Furthermore, G is represented as a weighted adjacency matrix \([\![ U ]\!]\) where \([\![ U ]\!]_{ij}\) is the weight of edge (i, j) \( \forall (i,j) \in E\). The intuition underlying our protocol is as follows: \([\![ U ]\!]\) is obliviously permuted before protocol execution. We then assign temporary labels to each vertex in G (i.e. each row in \([\![ U ]\!]\)). Our protocol then proceeds to identify the most suitable vertex to explore. However, unlike other works in the field, given the permutation, we are able to open the next vertex temporary label and directly explore it. Note that the label itself does not convey any information other than the position of the row in the now permuted matrix \([\![ U ]\!]\).
Complexity: Our protocol requires \(\mathcal {O}(|V|^2 \cdot log(|V|))\) secure multiplications (amount of work). Such multiplications can be parallelized achieving \(\mathcal {O}(|V|^2)\) rounds of communication. Furthermore, Protocol 1 contains two additional multiplications in line 17 and 18, which can also be parallelized. The exchange operation does not influence the complexity of the protocol, as it is done over publicly available information.
Security Analysis: Our protocol does not disclose any private information during its execution. More precisely, the call to \(\texttt{open}([v])\) (in line 12 of Protocol 1) does not reveal the original index position of the analyzed vertex, since the vertices are uniformly (and obliviously) permuted. The Achievable Security of our protocol is the same as that of the underlying MPC protocol e.g. we can achieve perfect security assuming honest majorities for the active and passive case [6]; or cryptographic security assuming dishonest majorities for the active and passive case as in(but not limited to) [5] or any SPDZ variation. More formally, we proceed to define our ideal functionality as follows:
Definition 2
(Ideal Functionality \(\mathcal {F}_{\textit{SP}}\)). Let \(G=(V,E)\) be a connected directed graph. Let the elements of the weighted adjacent matrix U and the source vertex s be elements of \(\mathbb {Z}_{q}\), and let both be privately held inputs. The ideal functionality \(\mathcal {F}_{SP}\) receives both \([\![ U ]\!]\) and \([\![ s ]\!]\) and returns the shortest path \([\![ \alpha ]\!]\) and the distances \([\![ D ]\!]\) via the \(\mathcal {F}_{ABB}\), whilst opening \([\![ v ]\!]\) at every cycle.
We now proceed to prove security for Protocol 1 (denoted as \(\pi _{\texttt {SP}}\)) as follows:
Theorem 1
The protocol \(\pi _{\texttt {SP}}\) securely implements \(\mathcal {F}_{\texttt {SP}}\) in the \(\mathcal {F}_{\textit{ABB}}\) framework.
Proof
The disclosed intermediate values v do not convey any information to the adversary i.e. Are indexes of the permuted matrix. Furthermore, the protocol flow only depends on publicly available values i.e. the upper bound on the number of vertices and the v values. The simulation of the complete protocol can be achieved by calling the \(\mathcal {F}_{ABB}\) functionality available for the atomic operations in the order fixed by the protocol flow. Since the real and ideal views for the atomic operations are themselves equal (as they are implemented by the \(\mathcal {F}_{ABB} \)), \(\texttt{VIEW}_{\pi _{SP}}(P_{i}) \equiv \texttt{VIEW}_{\mathcal {F}_{\texttt {SP}}}(P_{i})\), \(\forall \ \ P_i \in P\) where P is the set of all parties. Hence, we can argue the same for the Environment \(\mathscr {Z}\). \(\square \)
3 Computational Experiments
We built our prototype and conducted extensive experiments via the commonly used framework SCALE-MAMBA [1]. This circuit compiler and virtual execution environment, provides users with the means to run different adversarial settings and protocols. For the case at hand, we consider the reduced communication protocol based on Shamir by Smart and Wood [19] (honest majorities) and, Overdrive [16] with TopGear [5], members of the SPDZ protocol family (Full Threshold). Both provide active security. Additionally, we assume a lookup table style permutation [14, 15] (amortized). We have made our prototype fully available as opensourceFootnote 3 so that it can be further used as subroutine in other programs.
Test bed Configuraiton: Our setup consists on 5 Ubuntu 18 servers on premise. Each one has been allocated with 512 GB in RAM memory and a Intel(R) Xeon(R) Silver 4208 @ 2.10 GH CPU. Servers are connected using Gigabit LAN connections, with a ping time of 0.15 ms in average. This way, we can control network latency via /sbin/tc.
As we can see, communications dominate complexity, hence the importance of reducing communication rounds. On benchmarking, we can appreciate how the delta, with the previous state of the art, becomes more significant when the number of vertices increases following the asymptotic complexity. We point out that further experimentation showed a similar decrease of computational cost when the graph structure is public. Note that modern compilers also use a variety of instruction optimizers to accelerate online performance e.g. parallelize non-linearities that are non-sequential. Its use however becomes prohibitive for large scale circuits. In such cases, our experimentation also shows a similar increase on performance.
Notes
- 1.
From an Ideal perspective, and under the adequate setting i.e. honest majority. In practice, the protocol is as secure as the underlying MPC realization.
- 2.
It can instantiate the underlying MPC protocol.
- 3.
References
Aly, A., et al.: SCALE and MAMBA v1.14: Documentation (2021). https://homes.esat.kuleuven.be/ nsmart/SCALE/
Aly, A., Cuvelier, E., Mawet, S., Pereira, O., Van Vyve, M.: Securely solving simple combinatorial graph problems. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 239–257. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_21
Aly, A., Nawaz, K., Salazar, E., Sucasas, V.: Through the looking-glass: benchmarking secure multi-party computation comparisons for relu’s. Cryptology ePrint Archive, Paper 2022/202 (2022). https://eprint.iacr.org/2022/202, https://eprint.iacr.org/2022/202
Aly, A., Van Vyve, M.: Securely solving classical network flow problems. In: Lee, J., Kim, J. (eds.) ICISC 2014. LNCS, vol. 8949, pp. 205–221. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15943-0_13
Baum, C., Cozzo, D., Smart, N.P.: Using TopGear in overdrive: a more efficient ZKPoK for SPDZ. In: Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, pp. 274–302. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38471-5_12
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: STOC, pp. 1–10. ACM (1988)
Blanton, M., Steele, A., Aliasgari, M.: Data-oblivious graph algorithms for secure computation and outsourcing. In: Chen, K., Xie, Q., Qiu, W., Li, N., Tzeng, W.G. (eds.) ASIACCS 13, pp. 207–218. ACM Press (2013)
Brickell, J., Porter, D.E., Shmatikov, V., Witchel, E.: Privacy-preserving remote diagnostics. In: ACM CCS, CCS 2007, pp. 498–507. ACM (2007)
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS 2001, pp. 136–145 (2001)
Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)
Catrina, O., de Hoogh, S.: Improved primitives for secure multiparty integer computation. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 182–199. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15317-4_13
Czumaj, A., Kanarek, P., Kutylowski, M., Lorys, K.: Delayed path coupling and generating random permutations via distributed stochastic processes. In: SODA 1999, Society for Industrial and Applied Mathematics, pp. 271–280. Philadelphia, PA, USA (1999). http://dl.acm.org/citation.cfm?id=314500.314571
Damgård, I., Nielsen, J.B.: Universally composable efficient multiparty computation from threshold homomorphic encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 247–264. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_15
Dhooghe, S.: Applying multiparty computation to car access provision. URL: https://www.esat.kuleuven.be/cosic/publications/thesis-296.pdf, last checked on 08 Apr 2018 (2018)
Keller, M., Orsini, E., Rotaru, D., Scholl, P., Soria-Vazquez, E., Vivek, S.: Faster secure multi-party computation of AES and DES using lookup tables. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 229–249. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_12
Keller, M., Pastro, V., Rotaru, D.: Overdrive: making SPDZ great again. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 158–189. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_6
Keller, M., Scholl, P.: Efficient, oblivious data structures for MPC. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 506–525. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_27
Smart, N.P., Talibi Alaoui, Y.: Distributing any elliptic curve based protocol. In: Albrecht, M. (ed.) IMACC 2019. LNCS, vol. 11929, pp. 342–366. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35199-1_17
Smart, N.P., Wood, T.: Error detection in monotone span programs with application to communication-efficient multi-party computation. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 210–229. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_11
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Aly, A., Cleemput, S. (2022). A Fast, Practical and Simple Shortest Path Protocol for Multiparty Computation. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13556. Springer, Cham. https://doi.org/10.1007/978-3-031-17143-7_37
Download citation
DOI: https://doi.org/10.1007/978-3-031-17143-7_37
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17142-0
Online ISBN: 978-3-031-17143-7
eBook Packages: Computer ScienceComputer Science (R0)