Enforcing Input Correctness via Certification in Garbled Circuit Evaluation

Transcription

1 Enforcng Input Correctness va Certfcaton n Garbled Crcut Evaluaton Yhua Zhang Department of Computer Scence and Engneerng Unversty of Notre Dame yzhang16@nd.edu Marna Blanton Computer Scence and Engneerng State Unversty of New York at Buffalo mblanton@buffalo.edu Fattaneh Bayatbabolghan Department of Computer Scence and Engneerng Unversty of Notre Dame fbayatba@nd.edu Aprl 24, 2017 Abstract Secure mult-party computaton allows a number of partcpants to securely evaluate a functon on ther prvate nputs and has a growng number of applcatons. Two standard adversaral models that treat the partcpants as sem-honest or malcous, respectvely, are normally consdered for showng securty of constructons n ths framework. In ths work, we go beyond the standard securty model n the presence of malcous partcpants and treat the problem of enforcng correct nputs to be entered nto the computaton. We acheve ths by havng a certfcaton authorty certfy user s nformaton, whch s consequently used n secure two-party computaton based on garbled crcut evaluaton. The focus of ths work on enforcng correctness of garbler s nputs va certfcaton, as pror work already allows one to acheve ths goal for crcut evaluator s nput. Thus, n ths work, we put forward a novel approach for certfyng user s nput and tyng certfcaton to garbler s nput used durng secure functon evaluaton based on garbled crcuts. Our constructon acheves notable performance of addng only one (standard) sgnature verfcaton and O(nρ) symmetrc key/hash operatons to the cost of garbled crcut evaluaton n the malcous model va cut-and-choose, n whch ρ crcuts are garbled and n s the length of the garbler s nput n bts. Securty of our constructon s rgorously proved n the standard model. 1 Introducton Secure mult-party computaton (SMC) s a mature research area of computer scence that has experenced dramatc advances n recent years. A new secure mult-party constructon or protocol s expected to be shown secure aganst a formal securty defnton specfyng the adversaral model. The two most fundamental and now standard securty models correspond to modelng the computaton partcpants as sem-honest (or honest-but-curous or passve) or malcous (or actve). Wth sem-honest adversares, the partcpants are trusted to follow the prescrbed computaton, whle a malcous adversary can nstruct the partcpants under ts control to arbtrarly devate from the computaton n the attempt to learn authorzed nformaton 1

2 about the honest partes nputs. Whle these defntons are strong and do not tolerate unntended nformaton leakage, the largest lmtaton of these standard defntons s that they provde no guarantees wth respect to nputs of the computaton. 1 Thus, a dshonest partcpant s able to modfy ts nput nto the computaton, whch results n other partcpants recevng ncorrect results, whle the dshonest party tself mght be able to compute true output based on ts knowledge of the orgnal data transformaton. Ths also allows a dshonest partcpant to set ts nputs nto the computaton n such a way as to learn the maxmum amount of nformaton about nput of other partcpant(s) from the output t receves. The ssue wth nablty of honest partcpants to control nputs of malcous partcpants under the current securty defntons has been recognzed n the lterature and varous technques were proposed to mtgate the problem. Examples nclude employng game-theoretc technques to ncentvze provdng truthful nputs nto secure mult-party computaton (see, e.g., [14, 15, 27]) and nput certfcaton n the context of specfc applcatons such as prvate set ntersecton [9, 11] and anonymous credentals [8]. More recently, nput certfcaton or nput valdty verfcaton n the form of any functon has been added to general secure computaton technques. In partcular, Blanton and Bayatbabolghan [3] put forward an effcent constructon for server-aded secure two-party computaton based on garbled crcut evaluaton, where the nputs of the two users are certfed and equalty of the sgned data and nputs nto the computaton s verfed by utlzng sgnatures wth protocols. Katz et al. [16] desgn an effcent mechansm for addng nput verfcaton n the form of an arbtrary functon to two-party computaton based on garbled crcuts so that the computaton takes place only f the nputs pass verfcaton (and the computaton takes place on the same nputs that were verfed). We contnue ths lne of work n ths paper. The focus of ths artcle s on enforcng nput correctness n secure computaton va nput certfcaton. Because sgnature-based nput certfcaton s more amenable to ntegraton wth exstng malcousadversary technques based on homomorphc encrypton or secret sharng than garbled crcut evaluaton, we would lke to tackle the more nterestng case of garbled crcut evaluaton. To that extent, our startng pont was the work of Blanton and Bayatbabolghan [3] for the server-aded two-party settng. We am to enforce nput correctness of both crcut garbler and evaluator n the standard two-party settng usng garbled crcut evaluaton technques. Toward ths goal, we notce that the mechansm for enforcng nput correctness of the user evaluatng the crcut n [3] wll also work wth the regular two-party setup wth no changes. In partcular, that mechansm requres the crcut evaluator to prove va zero-knowledge proofs of knowledge that the nputs provded nto the oblvous transfer (at the tme of retrevng garbled labels correspondng to the evaluator s nputs) are consstent wth the valued sgned by a certfcaton authorty. The mechansm for enforcng nput correctness of the other user n [3], however, cannot be used for enforcng nput correctness of the crcut garbler n the conventonal setup. Thus, the focus of ths work s on desgnng an effcent mechansm for enforcng nput correctness of the garbler wth the help of a certfcaton authorty. Our setup assumes the presence of a certfcaton authorty that can certfy users data. For example, n the case of genomc or medcal data, the faclty performng genome sequencng or runnng a medcal test wll ssue certfcaton that can later be used wth secure two-party computaton. Obvously, the use of certfcaton should not reveal any nformaton about the certfed values. For example, [3] used sgnatures wth protocols that allows the sgnature owner to prove statements about sgned values n zero-knowledge. Once the certfcaton step s complete, the user wll be able to use that nformaton wth garbled crcut evaluaton to prove correctness of the suppled nputs. In ths work we put forward a novel, non-standard certfcaton constructon for use wth garbled crcut evaluaton that favorably compares wth exstng sgnature schemes and other pror work n terms of ts performance. The certfcaton authorty s work ncludes only one publc-key operaton (producng a regular sgnature) for user s nput of any sze and the number of symmetrc key or hash functon operatons s 1 Note that ths does not refer to ll-formed nputs whch can be detected n the begnnng of the computaton, but rather to well-formed ncorrect or deceptve nputs. 2

3 O(nρ), where n s the btlength of the user s nput to be certfed and ρ s a statstcal securty parameter (that determnes the number of crcuts beng garbled). The sze of a certfcate s O(n + ρ), and the cost of secure functon evaluaton s only nsgnfcantly hgher than that of regular garbled crcut evaluaton n the malcous model wth no enforcement of nput correctness. In partcular, the work assocated wth usng garbler s nput certfcaton and verfcaton n secure functon evaluaton based on garbled crcuts s only one sgnature verfcaton and O(nρ) symmetrc key/hash operatons when the garbler s nput s n bts long. The downsde of the approach s that the certfcaton authorty s work s lnear n the number of tmes the certfcate s to be used n secure computaton. That s, n order to use the same nput n up to k ndependent secure functon evaluatons (wth possbly dfferent functons), the user wll need to obtan a certfcate of sze O(n + ρk) and the certfcaton authorty s work ncreases to O(nρk). 2 Related Work Lterature on secure two-party and mult-party computaton s extensve and provdes dfferent mechansms for securely evaluatng a functon on prvate nputs. Followng the semnal work of Yao [29], t has been known that any computable functon can be securely evaluated. Consequent work focused on provdng stronger securty guarantees such as securty n the presence of malcous or covert adversares (see, e.g., [20, 10] among many others) or mprovng performance of exstng technques (see, e.g., [5, 2] among others). There s also a large varety of custom constructons optmzed for evaluatng specfc functons wth the goal of provdng more effcent solutons than ther generc counterparts (see, e.g., [22, 4] among others). The orgnal Yao s constructon s secure aganst sem-honest partcpants, and several solutons for makng t reslent to malcous behavor exst. Early examples of constructons secure n the malcous model nclude [13, 12] that utlze zero knowledge proofs of knowledge. An alternatve approach to makng secure functon evaluaton based on garbled crcuts reslent to malcous behavor s to use cut-and-choose technques [19, 23, 18], whch we further detal n Secton 3. Movng closer to the focus of ths work, several publcatons treat the ssue of nput consstency or correctness n dfferent settngs and usng dfferent mechansms. For example, the ssue of nput consstency arses n the context of garbled crcut evaluaton based on cut-and-choose technques when multple crcuts need to be evaluated on the same (consstent) nputs and was treated n several publcatons [21, 19, 28]. Another work by Kolesnkov et al. [17] proposed a soluton for nput consstency across multple user nteractons wth the help of a sem-honest server at low cost. That s, possbly malcous users engage n executons of secure two-party functon evaluaton wth each other, but the user s nput must reman the same for multple nstances of secure computaton. Wth respect to enforcng nput correctness, one lne of research apples game theory to functon desgn to ncentvze partcpants to provde ther truthful nputs nto the computaton (see, e.g., [14, 25, 15, 26, 27] among others). These publcatons typcally treat the partes as ratonal. For nstance, Shoham and Tennenholtz [25] studed the queston of whch boolean functons can be computed by ratonal agents n a dstrbuted settng and more recent work of Wallrabensten and Clfton [26, 27] revsts game specfcatons usng the specfcs of secure mult-party computaton setups. In addton, nput certfcaton was used wth certan types of functonaltes to guarantee that computaton s run on the same nputs as the nputs prevously sgned by some certfcaton authorty. For example, [9, 11] provde solutons for performng prvate set ntersecton on certfed sets and [8] ncorporates certfcaton nto anonymous credentals. These technques, however, are not applcable to general functonaltes. More recently, Blanton and Bayatbabolghan [3] ncorporated nput certfcaton nto general secure functon evaluaton based on garbled crcuts. In partcular, the computaton takes place between two possbly malcous users who use the help of an untrusted sem-honest server and ensures that the users can 3

4 only enter nputs that were prevously certfed nto the computaton. The constructon uses sgnatures wth protocols [6] for ths purpose and tes them to the way nput s provded nto the garbled crcut usng zero-knowledge proofs. Ths paper s used as the startng pont for ths work. As we mentoned earler, ther mechansm for garbler s nput certfcaton apples to regular two-party computaton based on garbled crcuts, but t s not the case for the crcut garbler and ths s why we focus on ths task n ths work. Katz et al. [16] proposed a soluton to enforce nput valdty of both garbler and evaluator n secure functon evaluaton based on garbled crcuts. It formulates nput valdaton n the form of two predcates f 1 ( ) and f 2 ( ) appled to the nput of the frst and second partcpant, respectvely. The constructon then ensures that the man functon f(, ) s evaluated on the the same nputs as those provded durng nput valdaton. The underlyng technques nclude ElGamal-based commtments and a specal form of oblvous transfer. Note that the predcates f 1 and f 2 are specfed n the form of Boolean crcuts and are evaluated usng garbled crcuts themselves, whch means that they could be used to prvately verfy a prvate sgnature on a prvate nput, but the resultng crcut s lkely to be large. Concurrently wth [16], Baum [1] treats a smlar problem, but the soluton s based on unversal hash functons. More generally, the technques of [1] mprove performance of secure functon evaluaton based on garbled crcuts when portons of the computaton (or sub-crcuts) depend only on one party s nput. We note that t s possble to combne the technques of [16, 1] wth nput certfcaton usng sgnatures wth protocols. For example, nstead of evaluatng predcate f 1 on prvate nput x of the frst party P 1, P 1 could prove n zero-knowledge that t possesses a sgnature on nput x and connect t to the evaluaton of f(x, y), where y s the nput of the second party P 2, n the same way as n [16]. Ths wll serve as an alternatve constructon to the technques presented n ths paper. Suppose that P 1 s the crcut garbler G and we only consder G s nput certfcaton, smlar to the constructon presented n ths work. Then f we take the approach of [16] and combne t wth sgnatures wth protocols (such as [6, 7]), ts performance compared to our approach can be evaluated as follows. Besdes the common components such as garblng and checkng/evaluaton of O(ρ) crcuts and executng oblvous transfer for crcut evaluator s nput, the approach based on the technques of [16] requres O((n 1 + n 3 )ρ) publc-key operatons (modulo exponentatons), where n 1 s the btlength of G s nput and n 3 s the btlength of the output. In our constructon, however, only one sgnature s verfed and the partes perform O(n 1 ρ) symmetrc key operatons (PRF or hash functon evaluatons) wth small constants hdden behnd the bg-o notaton. 3 Garbled Crcut Evaluaton The use of garbled crcuts allows two partes P 1 and P 2 to securely evaluate a Boolean crcut of ther choce. Gven an arbtrary functon f(x, y) that depends on prvate nputs x and y of P 1 and P 2, respectvely, the partes frst represent t as a Boolean crcut. One party acts as a crcut generator (or garbler) G and creates a garbled representaton of the crcut by assocatng both values of each bnary wre wth random labels. The other party acts as a crcut evaluator E and evaluates the crcut n ts garbled representaton wthout knowng the meanng of the labels that t handles durng the evaluaton. The output labels can be mapped to ther meanng and revealed to ether or both partes. Once the crcut s garbled, the garbler communcates t (n the form of garbled Boolean gates) to the evaluator together wth the labels of the nput wres correspondng to the garbler s nput bts. The labels of the nput wres correspondng to the evaluator s nput bts are communcated to the evaluator by means of 1-out-of-2 Oblvous Transfer (OT). The standard constructon used for the sem-honest settng also provdes securty n the presence of a malcous evaluator (.e., f the evaluator devates from the prescrbed computaton, the evaluaton mght abort, but the evaluator wll not be able to learn unauthorzed nformaton). However, to guarantee securty n the malcous settng (wth ether malcous garbler or evaluator) addtonal technques need to be em- 4

5 ployed. A wdely used approach to detectng ncorrectly garbled crcuts s based on cut-and-choose. Gven a securty parameter ρ, G garbles O(ρ) crcuts and sends them to E. The evaluator chooses a number of them to be opened and checks them for correctness. The remanng crcuts are evaluated by E, wth the algorthm specfyng how possble dfferences n the crcut outputs are to be reconcled (e.g., by usng the majorty) wthout dsclosng that nformaton to G. Ths approach allows for the probablty of E acceptng the output of ncorrect crcut evaluaton to be at most neglgble n ρ. There are, however, addtonal attacks that can be mounted at the tme of nput specfcaton n the attempt to learn addtonal nformaton about the other party s nput and the correspondng countermeasures. Frst, the utlzed approach must enforce that the OT protocol s reslent to malcous behavor. Second, t must enforce that both G and E nput consstent bts nto all evaluaton crcuts. Ths s typcally easy to acheve for the evaluator (.e., the evaluator specfes a sngle nput bt and learns the correspondng labels for all crcuts beng evaluated), whle addtonal technques need to be used to enforce G s nput consstency. Thrd, the protocol must be reslent to a selectve falure attack, n whch G attempts to learn a bt of E s nput by provdng ncorrect nformaton durng OT. For example, G could enter an ncorrect wre label correspondng to 0 for E s nput bt nto OT. Then f E s nput s 0, t s unable to proceed and aborts and otherwse t succeeds, allowng G to learn one bt of E s nput. A soluton to ths problem s to use ρ nput bts nto the crcut for each bt of E s nput, where all ρ bts are XORed together to result n E s orgnal nput bt. Now f G launches a selectve-falure attack on a sngle bt, the leaked bt reveals no nformaton about E s orgnal nput. Ths attack s only successful and results n revealng a bt of E s nput when G recovers all ρ correspondng bts of the nput, whch only has a neglgble (n securty parameter ρ) probablty of success. Lastly, we need to ensure that authentc output s delvered to both partes after the evaluaton. (Note that n general, farness cannot be acheved n two-party computaton, preventng one of the partes from learnng the output, but at least we can requre that only authentc outputs are accepted.) Varous mechansms for achevng ths goal exst and for the purposes of ths work any such mechansm wll suffce. However, for concreteness of our securty analyss, we wll assume the followng: the meanng of the output wre labels s opened to E. If G s also to learn the (same or dfferent) output, the functon s modfed as n [19] to compute G s output n a protected form together wth the correspondng message authentcaton tag, whch G can verfy and recover ts output f verfcaton was successful. We now proceed wth defnng securty of a two-party secure computaton protocol n the presence of malcous partcpants usng the standard real-deal model settng and smulaton paradgm. The executon of protocol Π takes place between partes P 1 and P 2 and an adversary A who can corrupt one of them. Each partcpant receves ts nput and securty parameters 1 κ and 1 ρ, where κ denotes the computaton securty parameter and ρ the statstcal securty parameter. A receves all nformaton that the party t corrupted has and can also nstruct the correspondng corrupted party to behave n a certan way. Let VIEW Π,A denote a tuple consstng of the vew of A at the end of an executon of Π and the output of the honest party. In the deal model, all partes nteract wth a trusted party TP who evaluates functon f. The executon begns wth each party recevng ts nputs and securty parameters. Each honest party sends to TP ts true nput and a malcous party can send an arbtrary value. If TP does not receve nput from both partes or f t receves an abort message, t outputs (empty) to the partcpants. Otherwse, the partcpants receve f evaluated on submtted nputs. Let VIEW f,s denote a tuple consstng of the output that smulator S wth access to the corrupted party s nformaton produces based on ts vew and the output of the honest party after deal executon of functon f. We obtan the followng securty defnton: Defnton 1. Let Π be a protocol that computes functon f : {0, 1} {0, 1} {0, 1} {0, 1} wth party P 1 contrbutng nput x and party P 2 contrbutng nput y. We say that Π securely evaluates f f for each probablstc polynomal-tme n κ adversary A n the real model and all x, y {0, 1}, there exsts probablstc S n the deal model that run n tme polynomal n A s runtme and IDEAL f,s (x, y) = 5

6 REAL Π,A (x, y). Here = denotes computatonal ndstngushablty (n the securty parameter κ). When nputs are certfed, the partcpants have access to certfcaton n the real protocol executon, whle n the deal model the smulator wll need to smulate nput certfcaton of honest partes (wthout access to ther nputs). Furthermore, f we want to guarantee that the computaton takes place on the nput equal to the nput encoded n the certfcaton, we need to show that a malcous partcpant s unable to provde an nput that dffers from the certfed nput and results n successful completed protocol wth more than a neglgble probablty. 4 Proposed Constructon In our constructon we use three ndependent hash functons h 1, h 2, and h 3 wth propertes defned below. For the purposes of our securty analyss, we need to assume that h 1 and h 2 are unversal hash functons, whle collson resstance s suffcent for h 3. In addton, we requre h 1 to support homomorphc XOR as n h 1 (x y) = h 1 (x) h 1 (y). A collecton of hash functons H = {h : A B} s called unversal f for any dstnct x, y A, the probablty that a unformly chosen h H satsfes that h(x) = h(y) s at most 1/ B,.e., ts output s unformly dstrbuted over the functon s range. An effcent mplementaton of a unversal hash functon wth homomorphc XOR can be found n [24]. Collson reslence of a hash functon h s defned as nablty of an adversary to fnd two dstnct x and y such that h(x) = h(y) wth more than a neglgble probablty n the output sze of h. For the purpose of ths work, we let the output sze of hash functons be governed by the securty parameter κ so that the probablty of fndng collsons s neglgble n κ. Collson reslence follows for our unversal hash functons h 1 and h 2. Our constructon also reles on a pseudo-random functon (PRF) F : {0, 1} κ {0, 1} κ {0, 1} κ, securty of whch s defned n a standard way. That s, for a randomly chosen key k {0, 1} κ, an adversary who can query F k on dfferent nputs a polynomal number of tmes s unable to dstngush F k from a random functon f wth more than a neglgble probablty. The ntuton behnd our constructon s to let the certfcaton authorty assocate nput bts wth random values, whch are to be used n crcut generaton and evaluaton, and generate some fngerprnt nformaton for enforcng correctness. In ths scheme, the certfcaton authorty does not need to perform sgnng of nput bts as n tradtonal sgnature schemes, but only performs symmetrc key operatons and computes one sgnature ndependent of the nput or crcut sze. The evaluator consequently wll use the fngerprnt nformaton to check crcuts, and both the garbler and evaluator use nformaton provded by the certfcaton authorty to generate nput labels. In the followng, we descrbe the proposed protocol n detal. In what follows, x s the nput to be sgned and sk s the prvate sgnng key of the certfcaton authorty S. We assume that ρ crcuts need to be garbled, where a fracton of them s beng checked and the remanng crcuts are evaluated. Input certfcaton. The nput conssts of user s nput x = x 0...x n 1 to be certfed and the sgner S holds ts prvate sgnng key sk (wth the correspondng publc key pk avalable to all users). 1. For each nput bt = 0,..., n 1, S chooses two random strngs s 0, s1 {0, 1}κ representng bts 0 and 1, respectvely. 2. S computes H 0 = h 1 (s 0 0 s0 n 1 ) and H1 = h 1 (s 1 0 s1 n 1 ). 3. S chooses a secret key k {0, 1} κ for a PRF F and for = 0,..., 2nρ 1 computes a pseudorandom strng t = F k (). 4. For j = 0,..., ρ 1, S computes P 0 j = H0 h 1 (h 2 (t 2nj ) h 2 (t 2nj+2 ) h 2 (t 2nj+2n 2 )), and P 1 j = H1 h 1 (h 2 (t 2nj+1 ) h 2 (t 2nj+3 ) h 2 (t 2nj+2n 1 )). 6

7 5. For each j = 0,..., ρ 1, S computes V 0,j = h 3 (h 1 (h 2 (t 2nj ) h 2 (t 2nj+1 ))), V 1,j = h 3 (V 0,j h 1 (h 2 (t 2nj+2 ) h 2 (t 2nj+3 )),..., V n 1,j = h 3 (V n 2,j h 1 (h 2 (t 2nj+2n 2 ) h 2 (t 2nj+2n 1 ))) and sets Q j = V n 1,j. 6. For each j = 0,..., ρ 1, S chooses a random encrypton key ck j {0, 1} κ and computes Enc ckj (P 0 j P 1 j Q j). 7. S concatenates (s x each s x s1 x ) n 1 represents nput bt x and s 1 x =0, (Enc ck j (Pj 0 P j 1 Q j)) ρ 1 j=0, and stores the resultng strng as c. Here ts complement. S sgns c as Sgn sk (c). 8. S returns c, Sgn sk (c), (ck j ) ρ 1 j=0, k to the user. Note that nformaton ncluded n c does not reveal whether x was 0 or 1. The above nformaton wll be used for producng n garbled label pars for nput wres correspondng to nput x nto ρ crcuts. As descrbed below, each garbled par for nput wre n crcut j wll be formed as l 0,j = h 1(s 0 h 2(t 2n1 j+2)) and l 1,j = h 1(s 1 h 2(t 2n1 j+2+1)). Then the values Pj 0, P j 1, and Q j are used to verfy correctness and consstency of the garbled crcut j. For each garbled crcut j, these values are opened durng the crcut checkng phase and are used by E to verfy correctness of nput labels. The ntuton behnd the checks s that Pj 0 encodes nformaton about all nputs labels correspondng to nput bts equal to 0, whle Pj 1 encodes nformaton about all labels correspondng to nput bts equal to 1. We refer to checks that use Pj 0 and P j 1 as horzontal checks. Addtonally, nformaton encoded n Q j encodes nformaton about each par of labels l 0,j, l1,j for each nput wre of the crcut. We refer to ths check as the vertcal check. Secure functon evaluaton wth certfed nputs. Garbler G holds prvate nput x = x 0...x n1 1, (ck j ) ρ 1 k and supples publc c, Sgn sk (c), where c = (s x holds prvate nput y = y 0...y n2 1. s1 x j=0, ) n 1 1 =0 (Enc ck j (P 0 j P 1 j Q j)) ρ 1 j=0. Evaluator E 0. Intal check: E verfes sgnature on c usng certfcaton authorty s publc key pk and aborts f verfcaton fals. E stores all components of c. 1. Crcut garblng: (a) For each crcut j = 0,..., ρ, G generates labels for ts own nput wres = 0,..., n 1 1 as l 0,j = h 1(s 0 h 2(t 2n1 j+2)) and l 1,j = h 1(s 1 h 2(t 2n1 j+2+1)), where each t s computed as F k (). (b) G generates the rest of the crcuts n the same way as tradtonal garbled crcuts and sends all crcuts to E. 2. Crcut checkng: (a) E select a predefned number of crcuts out of ρ of them at random as checkng crcuts and asks G to open the selected crcuts. (b) G reveals each label par for each wre of each checkng crcut and E verfed them. If any crcut s malformed, E aborts the computaton. (c) For each checkng crcut wth ts orgnal ndex j, G sends to E the key ck j. E decrypts Pj 0, Pj 1, and Q j and checks whether Pj 0 s equal to l0 0,j l0 n 1 1,j and whether P j 1 s equal to l 1 0,j l1 n 1 1,j. If any check fals, E aborts the computaton. (d) For each checkng crcut wth ts orgnal ndex j, E computes S 0,j = h 3 (l 0 0,j l1 0,j h 1(s x 0 0 ) h 1 (s 1 x 0 0 )), S 1,j = h 3 (S 0,j l 0 1,j l1 1,j h 1(s x 1 1 ) h 1(s 1 x 1 1 )),..., S n1 1,j = h 3 (S n1 1,j l 0 n 1 1,j l 1 n 1 1,j h 1(s x n 1 1 n 1 1 ) h 1(s 1 x n 1 1 n 1 1 )). If S n1 1,j s not equal to Q j, E aborts. 7

8 3. Crcut evaluaton: (a) The crcuts that have not been opened n step 2 are evaluaton crcuts. For each evaluaton crcut wth the orgnal ndex j, G sends to E values t 2n1 j+x 0,..., t 2n1 j+2n 1 2+x n1 1. (b) For each evaluaton crcut wth ts orgnal ndex j, E computes labels for G s nput wres = 0,..., n 1 1 as l x,j = h 1(s x h 2 (t 2n1 j+2+x )). (c) G and E engage n OT for E to learn garbled labels correspondng to ts nput and E evaluates each evaluaton crcut and determnes the output n the same was as n tradtonal garbled crcuts. We can see that all crcuts garbled by an honest G pass the checks of steps 2(c) and 2(d). In partcular, for each crcut j, each label l 0,j s constructed as l0,j = h 1(s 0 h 2(t 2n1 j+2)), so that n 1 1 =0 l (( 0,j = n1 ) ( 1 h 1 =0 s 0 n1 )) 1 =0 h 2 (t 2n1 j+2). Ths s exactly how the value of Pj 0 = h 1 ( n 1 1 =0 s 0 ) h 1 ( (( n 1 1 n1 ) ( 1 =0 h 2 (t 2n1 j+2)) = h 1 =0 s 0 n1 )) 1 =0 h 2 (t 2n1 j+2) was constructed by the certfcaton authorty. The same apples to checkng whether Pj 1 s equal to n 1 1 =0 l 1,j. As far as the check n step 2(d) does, we see that t wll verfy f the value of S,j computed by E for each s dentcal to the value V,j computed by the certfcaton authorty n step 5 of nput certfcaton. Note that S 0,j = h 3 (l 0 0,j l 1 0,j h 1(s x 0 0 ) h 1(s 1 x 0 0 )) = h 3 (h 1 (s 0 0 h 2(t 2n1 j) h 1 (s 1 0 h 2(t 2n1 j+1)) h 1 (s x 0 0 ) h 1(s 1 x 0 0 )) = h 3 (h 1 (h 2 (t 2n1 j) h 2 (t 2n1 j+1))) = V 0,j. Smlar dervatons wll apply to other values of as well, gvng us correctness. 5 Securty Analyss We frst demonstrate securty accordng to the smulaton paradgm n Defnton 1 and then proceed wth showng that the proposed constructon enforces nput correctness. We use notaton negl to denote a functon neglgble n ts nput. To prove that no nformaton leakage takes place durng protocol executon, we rely on the followng result: Lemma 1. Informaton (s x, s1 x =0, P j 0, P j 1, Q j computed as part of certfcaton for n-bt x for some fxed j together wth pars (l 0,j = h 1(s 0 h 2(t 2nj+2 )), l 1,j = h 1(s 0 h 2(t 2nj+2+1 ))) n 1 =0 s ndstngushable for any PPT adversary from the same nformaton computed for any n-bt x x. ) n 1 Proof. We show that the above values reveal no nformaton about x, from whch the clam of the lemma wll follow. Frst, note that the values s x, s1 x were chosen unformly at random and n the absence of other nformaton about x, s 0 s or s1 1, the orderng reveals no nformaton about x. In other words, the pars s x, s1 x are dstrbuted dentcally to unformly chosen random values n the absence of addtonal nformaton. In what follows, we construct a number of hybrd vews and demonstrate that the vews are ndstngushable from each other. Hybrd 0: The same as the orgnal set of values consstng of s x for a fxed j and = 0,..., n 1. s, s1 x s, P 0 j, P 1 j, Q j, l 0,j s, and l1,j s Hybrd 1: In ths vew, we replace each h 2 (t 2nj+2 ) and h 2 (t 2nj+2+1 ) used n the creaton of P 0 j, P 1 j, Q j, and each l 0,j and l1,j wth strngs r,j,0 and r,j,1, respectvely, chosen unformly at random over h 2 range. Because we are modfyng all values consttuently, any relatonshps between them (such as P 0 j = n 1 =0 l0,j, etc.) wll stll hold. These values are ndstngushable from the values n Hybrd 0 because h 2 8

9 s a unversal hash functon. In partcular, nputs t 2nj+2 and t 2nj+2+1 nto the hash functon are pseudorandom and satsfy the mn-entropy requrements for the output of h 2 to be treated as pseudo-random [24]. Hybrd 2: In ths vew, we replace s 0 r,j,0 and s 1 r,j,1 wth unformly chosen random strngs r,j,0 and r,j,1, respectvely, of the same length (or, equvalently, we replace h 1(s b r,j,b) = h 1 (s b ) h 1(r,j,b ) wth h 1 (r,j,b ) for b = {0, 1}) n the creaton of P j 0, P j 1, and each l0,j and l1,j. Ths vew s dstrbuted dentcally to Hybrd 1 because XOR of a unformly chosen strng wth any value produces a unformly chosen strng. Now we arrve at a vew where all s 0 s and s1 s have been completely elmnated. The remanng nformaton s the pars s x, s1 x and values derved from random r,j,b and r,j,b. It s clear that no nformaton about x s revealed to a computatonally bounded adversary and the clam of ths lemma follows. Now we are ready to proceed wth showng that the constructon comples wth the securty requrements for secure two-party functon evaluaton n the presence of malcous adversares. Theorem 1. The proposed constructon for secure functon evaluaton wth certfed nputs s secure accordng to Defnton 1. Proof. In our proof, we assume a secure realzaton of the OT protocol secure n the presence of malcous partes s avalable to the partcpants, whch they can call as a sub-protocol. Frst, suppose G s malcous and we denote the correspondng adversary as A G. In the deal world, smulator S G resdes between A G and the trusted party and smulates G s vew durng the protocol executon as follows: 1. S G nvokes A G on ts nput. 2. At the ntal check step, S G acts as honest E and verfes the sgnature on c. If verfcaton fals, S G aborts the executon. 3. S G contnues to act as an honest E would n steps 1 and 2,.e., t receves the crcuts, asks a predefned fracton of them at randomly chosen ndces to be opened, and checks the opened crcuts. If any of the checks fal, S G aborts the executon. 4. In step 3(a), S G smulates the OT wth A G. If any malcous behavor s detected, S G aborts the executon and otherwse receves t 2n1 j+x 0,..., t 2n1 j+2n 1 2+x n1 1 from A G for each evaluaton crcut j. 5. S G obtans f(x, y) from TP, extracts G s output, and communcates t accordng to the protocol to A G. We now need to analyze the dfferences n the real and smulated vews. The frst dfference comes from the fact that S G smulates the OT n step 4 as t does not possess E s real nput. A G, however, has a neglgble chance n observng any dfferences because of the securty of the underlyng OT protocol (.e., ts smulaton s ndstngushable from real executon). The second dfference comes from the fact that n real executon E mght fal to output the correct output because the crcuts that t evaluated were ncorrect. Ths, however, can happen only wth probablty negl(ρ). We therefore obtan that A G s unable to dstngush the vews wth more than a neglgble probablty and they are ndstngushable. Now suppose E s malcous. In the deal world, smulator S E resdes between E and TP and smulates E s vew durng the protocol executon as follows: 1. S E obtans certfcaton c, Sgn sk (c), (ck j ) ρ 1 j=0, k from the certfcaton authorty for some nput x = x 0...x n 1 1 of ts choce. 9

10 2. S E nvokes A E on ts nput. 3. S E extracts A E s choces for the crcuts to be opened durng crcut checkng and constructs those crcuts correctly as an honest G would usng nformaton from c and the correspondng strngs t s derved usng k. 4. To construct evaluaton crcuts, S E creates G s nput labels as an honest G would usng certfcaton nformaton obtaned for nput x. S E then receves f(x, y) from TP and construct the remanng porton of the garbled crcuts so that they always output f(x, y) (.e., the crcuts are nput-nsenstve). 5. S E sends all crcuts to A E and opens the checkng crcuts upon A E s request as an honest G would. 6. Durng crcut evaluaton, S E executes the OT wth A E as an honest G would. If any malcous behavor s detected, S E aborts the executon and otherwse t sends t 2n1 j+x 0,..., t 2n 1 j+2n 1 2+x n 1 1 generated usng k to A E for each evaluaton crcut j. 7. S E contnues as an honest G would. Wth ths smulaton, we have two sources of potental dfferences between the real and smulated vews. The frst comes from modfyng the way the evaluaton crcuts are constructed n step 4 to output a fxed value. Ths change has been shown n [19] to be ndstngushable to an adversary who has only a sngle set of labels correspondng to the nputs. That s, evaluaton of modfed crcuts on arbtrary nputs s ndstngushable from evaluaton of correct crcuts on nputs x and y. The second dfference s that the certfcaton corresponds to a randomly chosen x nstead of actual G s nput x, whch we need to analyze n more detal. In partcular, c that A E observes ncludes the par s x, s1 x for each nput bt x of x. Because the certfcaton authorty chooses these strngs unformly at random for any possble nput, the pars s x, s1 x and s x, s1 x are dstrbuted dentcally n the real and smulated vews. For each opened (checkng) crcut j, A E also learns the values of Pj 0, P j 1, Q j, as well as G s nput wre label pars l 0,j, l1,j for each nput wre. From Lemma 1 we learn that these values are ndstngushable for nputs x and x as well. Lastly, for each evaluaton crcut j, A E only sees values s x, s1 x, t 2n1 j+2+x, Enc ck j (Pj 0 P j 1 Q j). Assumng CPA-securty of the underlyng encrypton scheme, there s only a neglgble chance that cphertexts Enc ckj (Pj 0 P j 1 Q j) reveal any nformaton to A E. Lastly, n the absence of other relevant nformaton, trples s x, s1 x, t 2n1 j+2+x and sx, s1 x, t 2n1 j+2+x are dentcally dstrbuted, gvng A E no nformaton about the nput bt to whch the trple corresponds. Thus, the vews n deal and real executons are ndstngushable as well. We obtan that the real and smulated vews are ndstngushable when ether G or E s corrupt, whch concludes the proof. Recall that we rely on current countermeasures for defeatng G s ncorrect behavor such as cut-andchoose that nstructs garblng of O(ρ) crcuts, checkng a fracton of them, and evaluatng the rest. Then accordng to the prevously showed results, we obtan that any property verfed at the crcut checkng tme wll hold n the computed result wth probablty 1 negl(ρ). Our nput correctness result for the garbler s as follows: Theorem 2. If all checkng crcuts pass all tests at the checkng phase, the functon s evaluated usng garbler s nputs certfed by the certfcaton authorty wth probablty 1 negl(κ) negl(ρ). In order to show ths, we frst prove a supplementary result. 10

11 Lemma 2. If the checks of steps 2(c) and 2(d) hold for a garbled crcut and E can successfully evaluate the crcut (.e., evaluaton does not abort), the crcut used correct label pars (l 0, l1 ) generated by the certfcaton authorty for each of G s nput wre wth probablty 1 negl(κ). Proof. For smplcty of presentaton, n ths proof we omt notaton j correspondng to the jth garbled crcut. Recall that we refer to the tests of step 2(c) as the horzontal check,.e., a consstency check performed over all nputs wth the same value (such as zero bts and one bts) across all nput bts, and the tests of step 2(d) as the vertcal check,.e., a consstency check performed over both nputs of each nput bt. Recall that E evaluates a garbled crcut on labels l x computed as h 1 (s x h 2 (t 2+x )), where each s x comes from the certfcaton authorty. Thus, the goal of a corrupt G s to create a garbled crcut n such a way that E wll compute a vald label for bt 1 x usng s x suppled by the certfcaton authorty. Ths could nvolve provdng E wth an ncorrect value of t 2+x or smply usng l x to represent bt 1 x for the th nput wre n the crcut. As we show below, the probablty that the adversary s successful n carryng out ether of ths attacks s neglgble n the securty parameter κ. Suppose that malcous G selects one specfc nput wre for whch t wants to corrupt labels. In what follows, we analyze two cases: (1) the adversary supples the correct t 2+x value to E, sets ˆl 1 x = h 1 (s x h 2 (t 2+x )) n the crcut, and adjusts other values accordngly and (2) the adversary supples an ncorrect ˆt 2+x to E, sets ˆl 1 x = h 1 (s x h 2 (ˆt 2+x )) n the crcut, and adjusts other values as needed. Recall that t s gven that the crcut passes the checks of steps 2(c) and 2(d) and that the crcut could be successfully evaluated (.e., the gates are correctly formed and use the labels that E computes). In what follows, we refer to the adversary and G nterchangeably. 1. In ths case, G communcates t 2+x to E who wll compute the value h 1 (s x h 2 (t 2+x )) at crcut evaluaton tme, whle G s ntent s to set ˆl 1 x = l x = h 1 (s x h 2 (t 2+x )) nstead of the orgnal l 1 x durng crcut garblng. Then f G sets ˆl 1 x = l x, t wll need to set ˆl x = l 1 x to be able to pass the vertcal check (or break collson resstance of h 3 whch only has a neglgble probablty of success). Now because the labels for both nput bts of the th nput wre are modfed from ther expected values, the adversary needs to use other nput labels to compensate for the dfference to be able to pass the horzontal check. In partcular, P 0 and P 1 values computed n step 2(c) of the protocol wll be dfferent by l x l 1 x from ts expected value and G mght use labels from k 1 other nput wres to compensate for the dfference. Now note that because h 1 s a unversal hash functon and ts output s dstrbuted unformly over the entre space, l x l 1 x wll also be unformly dstrbuted over the output space. Thus, f the adversary attempts to swap the nput labels for any number of other nput wres, t has only a neglgble chance of matchng the dfference exactly. That s, for every new combnaton of nput wres wth swapped labels there s only a neglgble probablty of elmnatng the dfference and the adversary s lmted to tryng a polynomal number of such combnatons. If the adversary employs some strategy other than swappng nput labels to compensate for the dfference, t wll be equvalent to solvng case 2 below. 2. In ths case, G sets ˆl 1 x = h 1 (s x h 2 (ˆt 2+x )) for some ˆt 2+x t 2+x nstead of the orgnal durng crcut garblng. We can further sub-dvde ths nto two cases: l 1 x (a) The adversary was able to produce ˆl 1 x = h 1 (s x h 2 (ˆt 2+x )) to have the same value as the expected label l 1 x = h 1 (s 1 x h 2 (t 2+x )). Then f s x h 2 (ˆt 2+x ) = s 1 x h 2 (t 2+x ) and consequently h 2 (ˆt 2+x ) = s x s 1 x h 2 (t 2+x ), the adversary has to break the one-way property of hash functon h 2 to succeed n determnng ˆt 2+x, whch t has to provde to E. Ths 11

12 has only a neglgble probablty of success. Otherwse, s x h 2 (ˆt 2+x ) s 1 x h 2 (t 2+x ) and the adversary has to break the collson resstance property of h 2 to succeed, whch also has only a neglgble probablty of success. (b) The adversary produces label ˆl 1 x = h 1 (s x h 2 (ˆt 2+x )) that dffers from the expected label l 1 x. Then n order to pass the vertcal check, the adversary wll need to compute ˆl x such that ˆl x ˆl 1 x = l x l 1 x or break the collson reslence property of hash functon h 3. The probablty of success n the latter case s neglgble n the securty parameter, whle the former case can be analyzed as follows. Suppose G computes ˆl x = ˆl 1 x l x l 1 x l x. Then the use of ˆl x wll fal the horzontal check f other labels are not modfed. Consequently, the adversary mght attempt to modfy other labels to pass the check. Suppose the adversary chooses other k 1 nput wres 1,..., k for whch t wll modfy labels l x j n the attempt to pass the horzontal check. That s, G s to compute ˆl x 1,..., ˆl x k, where k ˆl x j=1 j equals a specfc value. Frst, suppose that k = 1. Ths means that G s to compute ˆl x that smultaneously satsfes ˆl x ˆl x = t 1 and ˆl x 1 l 1 x 1 = t 2 1 for some fxed values t 1 and t 2 to pass the horzontal check usng P x and the vertcal check for nput wre 1. Because ˆl x and l 1 x 1 are produced usng hash functon h 1, ther values are unformly dstrbuted over the hash functon s output space. Ths means that ˆl x 1 of these requrements only wth a neglgble probablty f l 1 x 1 1 can meet both remans unchanged. Thus, G could also change both labels for nput wre 1 (.e., t sets ˆl x 1 1 = t 1 ˆl x and ˆl 1 x 1 1 = t 2 ˆl x 1 ). Ths, however, wll requre G to supply a consstent ˆt 21 +x 1 to E (for bt x 1 whch s equal to ether x or 1 x ) to produce ˆl x 1 1 usng authentc s x 1 1, whch n turn can be done only f G nverts h 2. Now f we generalze the analyss to k > 1, we wll stll run nto the case that there are more contradctng constrants on the values of ˆl x j than the number of labels that G needs to set resultng n nablty of the adversary to meet all of the constrants smultaneously or G wll be requred to nvert h 2 at least for one nput wre j. Thus, we obtan that the adversary can succeed n modfyng ts nput wth probablty at most neglgble n κ n every possble case, whch concludes the proof. We can now return to provng our man nput correctness result. Theorem 2. Recall that based on pror results, all propertes verfed durng the crcut checkng phase wll hold for the computed result wth probablty 1 negl(ρ). Ths means that the condtons of Lemma 2 wll also be satsfed wth probablty p 1 = 1 negl(ρ). Furthermore, the result of Theorem 2 guarantees garbler s nput correctness wth probablty p 2 = 1 negl(κ), and nput correctness wll hold when both condtons are true. Ths happens wth probablty p 1 p 2 gvng us probablty of nput correctness 1 negl(κ) negl(ρ) as desred. 6 Conclusons In ths work, we treat the problem of strengthenng the securty guarantees of tradtonal formulatons of secure mult-party computaton. Ths s acheved by enforcng nput correctness through nput certfcaton and tyng certfcaton to nstances of secure functon evaluaton. The focus of ths work s specfcally on enforcng correctness of the garbler s nput n secure two-party computaton based on garbled crcut evaluaton n the malcous model. We put forward a new certfcaton mechansm specfcally desgned 12

13 to be used wth garbled crcut evaluaton and show how to ntegrate certfcates nto secure computaton to guarantee correctness of garbler s nput. Our constructon ncurs mnmal overhead and adds only one sgnature verfcaton and O(nρ) symmetrc key/hash operatons to conventonal garbled crcut evaluaton usng cut-and-choose n the malcous model that consst of garblng ρ crcuts and where n s the sze of the garbler s nput n bts. We formally prove securty of our constructon. Acknowledgments Ths work was supported n part by grants and from the Natonal Scence Foundaton and FA from the Ar Force Offce of Scentfc Research. Any opnons, fndngs, and conclusons or recommendatons expressed n ths publcaton are those of the authors and do not necessarly reflect the vews of the fundng agences. References [1] C. Baum. On garblng schemes wth and wthout prvacy. In Internatonal Conference on Securty and Cryptography for Networks (SCN), pages , [2] M. Bellare, V. Hoang, S. Keelveedh, and P. Rogaway. Effcent garblng from a fxed-key blockcpher. In IEEE Symposum on Securty and Prvacy (SP), pages , [3] M. Blanton and F. Bayatbabolghan. Effcent server-aded secure two-party functon evaluaton wth applcatons to genomc computaton. Proceedngs on Prvacy Enhancng Technologes (PoPET), 4:1 22, [4] M. Blanton and P. Gast. Secure and effcent protocols for rs and fngerprnt dentfcaton. In European Symposum on Research n Computer Securty (ESORICS), pages , [5] D. Bogdanov, S. Laur, and J. Wllemson. Sharemnd: A framework for fast prvacy-preservng computatons. In European Symposum on Research n Computer Securty (ESORICS), pages , [6] J. Camensch and A. Lysyanskaya. A sgnature scheme wth effcent protocols. In Internatonal Conference on Securty n Communcaton Networks (SCN), pages , [7] J. Camensch and A. Lysyanskaya. Sgnature schemes and anonymous credentals from blnear maps. In Advances n Cryptology CRYPTO, pages 56 72, [8] J. Camensch, D. Sommer, and R. Zmmermann. A general certfcaton framework wth applcatons to prvacy-enhancng certfcate nfrastructures. In IFIP Internatonal Informaton Securty Conference (SEC): Securty and Prvacy n Dynamc Envronments, pages 25 37, [9] J. Camensch and G. Zaverucha. Prvate ntersecton of certfed sets. In Fnancal Cryptography and Data Securty (FC), pages , [10] I. Damgård, V. Pastro, N. Smart, and S. Zakaras. Multparty computaton from somewhat homomorphc encrypton. In Advances n Cryptology CRYPTO, pages , [11] E. De Crstofaro and G. Tsudk. Practcal prvate set ntersecton protocols wth lnear complexty. In Fnancal Cryptography and Data Securty (FC), pages ,

14 [12] O. Goldrech, S. Mcal, and A. Wgderson. Proofs that yeld nothng but ther valdty or all languages n NP have zero-knowledge proof systems. Journal of the ACM, 38(3): , [13] S. Goldwasser, S. Mcal, and A. Wgderson. How to play any mental game, or a completeness theorem for protocols wth an honest majorty. In ACM Symposum on the Theory of Computng (STOC), pages , [14] J. Halpern and V. Teague. Ratonal secret sharng and multparty computaton. In ACM Symposum on Theory of Computng (STOC), pages , [15] M. Kantarcoglu and R. Nx. Incentve compatble dstrbuted data mnng. In IEEE Internatonal Conference on Prvacy, Securty, Rsk and Trust (PASSAT), [16] J. Katz, A. J. Malozemoff, and X. Wang. Effcently enforcng nput valdty n secure two-party computaton. IACR Cryptology eprnt Archve Report 2016/184, [17] V. Kolesnkov, R. Kumaresan, and A. Shkfa. Effcent verfcaton of nput consstency n serverasssted secure functon evaluaton. In Internatonal Conference on Cryptology and Network Securty (CANS), pages , [18] Y. Lndell. Fast cut-and-choose based protocols for malcous and covert adversares. In Advances n Cryptology CRYPTO, pages 1 17, [19] Y. Lndell and B. Pnkas. An effcent protocol for secure two-party computaton n the presence of malcous adversares. In Advances n Cryptology EUROCRYPT, pages 52 78, [20] Y. Lndell and B. Pnkas. A proof of securty of Yao s protocol for two-party computaton. Journal of Cryptology, 22(2): , [21] P. Mohassel and M. Frankln. Effcency tradeoffs for malcous two-party computaton. In Internatonal Workshop on Publc Key Cryptography (PKC), pages , [22] A. Sadehg, T. Schneder, and I. Wehrenberg. Effcent prvacy-preservng face recognton. In Internatonal Conference on Informaton Securty and Cryptology (ICISC), pages , [23] A. Shelat and C. Shen. Two-output secure computaton wth malcous adversares. In Advances n Cryptology EUROCRYPT, pages , [24] A. Shelat and C. H. Shen. Fast two-party secure computaton wth mnmal assumptons. In ACM Conference on Computer and Communcatons Securty (CCS), pages , [25] Y. Shoham and M. Tennenholtz. Non-cooperatve computaton: Boolean functons wth correctness and exclusvty. Theoretcal Computer Scence (TCS), 343(1):97 113, [26] J. Wallrabensten and C. Clfton. Equlbrum concepts for ratonal multparty computaton. In Internatonal Conference on Decson and Game Theory for Securty (GameSec), pages , [27] J. Wallrabensten and C. Clfton. Realzable ratonal multparty cryptographc protocols. In Internatonal Conference on Decson and Game Theory for Securty (GameSec), pages , [28] D. Woodruff. Revstng the effcency of malcous two-party computaton. In Advances n Cryptology EUROCRYPT, pages 79 96, [29] A. C. Yao. How to generate and exchange secrets. In IEEE Symposum on Foundatons of Computer Scence (FOCS), pages ,