A New Approach to Practical Active-Secure Two-Party Computation

Transcription

1 A New Approach to Practical Active-Secure Two-Party Computation Jesper Buus Nielsen 1, Peter Sebastian Nordholt 1, Claudio Orlandi 1, Sai Sheshank Burra 2 1 Aarhus University, Denmark 2 Indian Institute of Technology Guwahati August 21, / 19

2 Active-Secure Two-Party Computation (2PC) x y C z 2 / 19

3 Active-Secure Two-Party Computation (2PC) x y z z 2 / 19

4 Active-Secure Two-Party Computation (2PC) x y z z Correctness: C(x, y) = z 2 / 19

5 Active-Secure Two-Party Computation (2PC) x y z z Correctness: C(x, y) = z Privacy: Inputs are kept private. 2 / 19

6 Active-Secure Two-Party Computation (2PC) x y z z Correctness: C(x, y) = z Privacy: Inputs are kept private. 2 / 19

7 Active-Secure Two-Party Computation (2PC) x y z z Correctness: C(x, y) = z Privacy: Inputs are kept private. Practical: Runs in reasonable time for reasonable size circuits. 2 / 19

8 Motivation for this Work Solving real-world problems. E.g. computing outcome of auctions [BCD+09]. 3 / 19

9 Motivation for this Work Solving real-world problems. E.g. computing outcome of auctions [BCD+09]. Lack of diversity in practical 2PC. In fact all previous practical approaches uses Yao's Garbled Circuits technique. 3 / 19

10 Our approach Building blocks Passive-secure 2PC: The protocol of [GMW87] heavily utilizing Oblivious Transfer (OT). 4 / 19

11 Our approach Building blocks Passive-secure 2PC: The protocol of [GMW87] heavily utilizing Oblivious Transfer (OT). Information theoretic MACs: To ensure active security. 4 / 19

12 Our approach Building blocks Passive-secure 2PC: The protocol of [GMW87] heavily utilizing Oblivious Transfer (OT). Information theoretic MACs: To ensure active security. OT-extension: A huge amount of OT at low amortized cost from the passive-secure protocol of [IKNP03]. 4 / 19

13 Our Results New OT-extension technique with active security: 5 / 19

14 Our Results New OT-extension technique with active security: Only a factor 2 slower than the passive-secure protocol of [IKNP03]. (No asymptotic improvement). 5 / 19

15 Our Results New OT-extension technique with active security: Only a factor 2 slower than the passive-secure protocol of [IKNP03]. (No asymptotic improvement). Implements OT/sec pr. core (vs OT/sec without extension). 5 / 19

16 Our Results New OT-extension technique with active security: Only a factor 2 slower than the passive-secure protocol of [IKNP03]. (No asymptotic improvement). Implements OT/sec pr. core (vs OT/sec without extension). New practical 2PC protocol: 5 / 19

17 Our Results New OT-extension technique with active security: Only a factor 2 slower than the passive-secure protocol of [IKNP03]. (No asymptotic improvement). Implements OT/sec pr. core (vs OT/sec without extension). New practical 2PC protocol: UC secure against an active and static adversary in the Random Oracle model. 5 / 19

18 Our Results New OT-extension technique with active security: Only a factor 2 slower than the passive-secure protocol of [IKNP03]. (No asymptotic improvement). Implements OT/sec pr. core (vs OT/sec without extension). New practical 2PC protocol: UC secure against an active and static adversary in the Random Oracle model. Implements gates/sec (online gates/sec). 5 / 19

19 Our Results New OT-extension technique with active security: Only a factor 2 slower than the passive-secure protocol of [IKNP03]. (No asymptotic improvement). Implements OT/sec pr. core (vs OT/sec without extension). New practical 2PC protocol: UC secure against an active and static adversary in the Random Oracle model. Implements gates/sec (online gates/sec). Faster than all implementations based on Garbled Circuits... except for [KsS12]. 5 / 19

20 Overview Protocol Overview MACs Concluding 6 / 19

21 Passive-Secure 2PC [GMW87] x y z 7 / 19

22 Passive-Secure 2PC [GMW87] x A, y A x = x A x B y = y A y B x B, y B z 7 / 19

23 Passive-Secure 2PC [GMW87] x A, y A x = x A x B y = y A y B x B, y B w z 7 / 19

24 Passive-Secure 2PC [GMW87] x A, y A x = x A x B y = y A y B x B, y B w A w = w A w B w B z 7 / 19

25 Passive-Secure 2PC [GMW87] x A, y A x = x A x B y = y A y B x B, y B w A w = w A w B w B z A z = z A z B z B 7 / 19

26 Passive-Secure 2PC [GMW87] x A, y A x = x A x B y = y A y B x B, y B w A w = w A w B w B z A z = z A z B z B z B 7 / 19

27 Active-Secure 2PC x A, y A x y x B, y B w A w w B z A z z B z B 8 / 19

28 Active-Secure 2PC x A, y A x y x B, y B M xa, M ya M xb, M yb w A, M wa w w B, M wb z A, M za z z B, M zb z B, M zb Add message authentication codes (MACs) 8 / 19

29 The Preprocessing model Preprocessing: 9 / 19

30 The Preprocessing model Preprocessing: Prepare random authenticated messages: 9 / 19

31 The Preprocessing model Preprocessing: Prepare random authenticated messages: 1 per Input-gate. 9 / 19

32 The Preprocessing model Preprocessing: Prepare random authenticated messages: 1 per Input-gate. 16B per AND-gate, for security 2 B log( C ). 9 / 19

33 The Preprocessing model Preprocessing: Prepare random authenticated messages: 1 per Input-gate. 16B per AND-gate, for security 2 B log( C ). Prove correlations between authenticated messages (think multiplication-triples). 9 / 19

34 The Preprocessing model Preprocessing: Prepare random authenticated messages: 1 per Input-gate. 16B per AND-gate, for security 2 B log( C ). Prove correlations between authenticated messages (think multiplication-triples). Online: 9 / 19

35 The Preprocessing model Preprocessing: Prepare random authenticated messages: 1 per Input-gate. 16B per AND-gate, for security 2 B log( C ). Prove correlations between authenticated messages (think multiplication-triples). Online: Use preprocessed values and simple (non-crypto) protocols to evaluate circuit on actual input. 9 / 19

36 The Preprocessing model Preprocessing: Prepare random authenticated messages: 1 per Input-gate. 16B per AND-gate, for security 2 B log( C ). Prove correlations between authenticated messages (think multiplication-triples). Online: Use preprocessed values and simple (non-crypto) protocols to evaluate circuit on actual input. 9 / 19

37 Overview Protocol Overview MACs Concluding 10 / 19

38 Information Theoretic MACs Message x R {0, 1} MAC M = K x Global key R {0, 1} n Local key K R {0, 1} n 11 / 19

39 Information Theoretic MACs Message x R {0, 1} MAC M = K x Global key R {0, 1} n Local key K R {0, 1} n Unforgeability: 11 / 19

40 Information Theoretic MACs Message x R {0, 1} MAC M = K x Global key R {0, 1} n Local key K R {0, 1} n Unforgeability: M = K x does not give information on. 11 / 19

41 Information Theoretic MACs Message x R {0, 1} MAC M = K x Global key R {0, 1} n Local key K R {0, 1} n Unforgeability: M = K x does not give information on. Let M 0 = K 0 = K and M 1 = K 1 = K. 11 / 19

42 Information Theoretic MACs Message x R {0, 1} MAC M = K x Global key R {0, 1} n Local key K R {0, 1} n Unforgeability: M = K x does not give information on. Let M 0 = K 0 = K and M 1 = K 1 = K. M 0 M 1 =. 11 / 19

43 Obtaining MACs: The Functionality x K, M = K x abit 12 / 19

44 Obtaining MACs: Protocol Steps Step 1: Obtain a few, long MACs on Alice's random bits. Step 2: Turn into many, short MACs on Bob's random bits. 13 / 19

45 Step 1: Long MACs for Alice To authenticate bits x 1, x 2,..., x n : c {0, 1} S 0, S 1 {0, 1} T S c OT 14 / 19

46 Step 1: Long MACs for Alice To authenticate bits x 1, x 2,..., x n : x i K i, K i K i x i = M i OT n 14 / 19

47 Step 1: Long MACs for Alice To authenticate bits x 1, x 2,..., x n : x i K i, K i K i x i = M i OT 2n Problem: Bob must use same in every OT. 14 / 19

48 Step 1: Long MACs for Alice To authenticate bits x 1, x 2,..., x n : x i K i, K i K i x i = M i OT 2n Problem: Bob must use same in every OT. Solution: Do 2n OTs. 14 / 19

49 Step 1: Long MACs for Alice To authenticate bits x 1, x 2,..., x n : x i K i, K i K i x i = M i OT 2n Problem: Bob must use same in every OT. Solution: Do 2n OTs. Force Bob to use consistent, using a cut-n-chose-like technique. 14 / 19

50 Step 1: Long MACs for Alice To authenticate bits x 1, x 2,..., x n : x i K i, K i K i x i = M i OT 2n Problem: Bob must use same in every OT. Solution: Do 2n OTs. Force Bob to use consistent, using a cut-n-chose-like technique. Sacrice half of the authenticated messages. 14 / 19

51 Step 2: Short MACs For Bob M 1 M 2... M n = K 1 K 2... K n x 1 x 2... x n 15 / 19

52 Step 2: Short MACs For Bob K 1 K 2... K n = M 1 M 2... M n x 1 x 2... x n 15 / 19

53 Step 2: Short MACs For Bob (K 1,1,..., K 1,n) (K 2,1,..., K 2,n) (M 1,1,..., M 1,n) (M 2,1,..., M 2,n) (x 1,..., x n ) 1 (x 1,..., x n ) 2. =.. (K T,1,..., K T,n ) (M T,1,..., M T,n ) (x 1,..., x n ) T 16 / 19

54 Step 2: Short MACs For Bob N 1 L 1 (x 1,..., x n ) 1 N 2 L 2 (x 1,..., x n ) 2. =.. N T L T (x 1,..., x n ) T 16 / 19

55 Step 2: Short MACs For Bob N 1 L 1 Γ 1 N 2 L 2 Γ 2. =.. N T L T Γ T 16 / 19

56 Step 2: Short MACs For Bob N 1 L 1 Γy 1 N 2 L 2 Γy 2. =.. N T L T Γy T N i = L i y i Γ, i.e. N i is a MAC on y i w. keys L i, Γ. 16 / 19

57 Obtaining MACs: Summary OT OT OT A few (2n) OTs with long messages (T = poly(n) bits). 17 / 19

58 Obtaining MACs: Summary OT OT OT abit A few (2n) OTs with long messages (T = poly(n) bits). A few (n) long (T bits) MACs for Alice. 17 / 19

59 Obtaining MACs: Summary OT OT OT abit abit abit abit abit abit abit A few (2n) OTs with long messages (T = poly(n) bits). A few (n) long (T bits) MACs for Alice. Many (T ) short (n bits) MACs for Bob. 17 / 19

60 Obtaining MACs: Summary OT OT OT OT OT OT abit abit abit abit abit abit abit A few (2n) OTs with long messages (T = poly(n) bits). A few (n) long (T bits) MACs for Alice. Many (T ) short (n bits) MACs for Bob. Note 1: Can get long OTs from short OT using a PRG. 17 / 19

61 Obtaining MACs: Summary OT OT OT OT OT OT abit abit abit OT abit OT abit OT abit OT abit OT OT A few (2n) OTs with long messages (T = poly(n) bits). A few (n) long (T bits) MACs for Alice. Many (T ) short (n bits) MACs for Bob. Note 1: Can get long OTs from short OT using a PRG. Note 2: Can get short OT from short abit (i.e. OT-extension). 17 / 19

62 Overview Protocol Overview MACs Concluding 18 / 19

63 Concluding... Take away: Finally a non-garbled Circuits approach do practical 2PC! 19 / 19

64 Concluding... Take away: Finally a non-garbled Circuits approach do practical 2PC! It's based on GMW and OT-extension. 19 / 19

65 Concluding... Take away: Finally a non-garbled Circuits approach do practical 2PC! It's based on GMW and OT-extension. It's really fast! 19 / 19

66 Concluding... Take away: Finally a non-garbled Circuits approach do practical 2PC! It's based on GMW and OT-extension. It's really fast!... So if you're implementing a 2PC protocol, why not give this a try? 19 / 19

67 Concluding... Take away: Finally a non-garbled Circuits approach do practical 2PC! It's based on GMW and OT-extension. It's really fast!... So if you're implementing a 2PC protocol, why not give this a try? Thank you. 19 / 19