Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Similar documents
Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Lecture 14: Secure Multiparty Computation

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

Lecture 3,4: Multiparty Computation

Lecture Notes 20: Zero-Knowledge Proofs

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Multiparty Computation

An Efficient Protocol for Fair Secure Two-Party Computation

From Secure MPC to Efficient Zero-Knowledge

Introduction to Cryptography Lecture 13

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Secure Computation. Unconditionally Secure Multi- Party Computation

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries

Notes on Zero Knowledge

1 Secure two-party computation

Covert Multi-party Computation

Round-Efficient Multi-party Computation with a Dishonest Majority

On Achieving the Best of Both Worlds in Secure Multiparty Computation

Computing on Encrypted Data

6.897: Selected Topics in Cryptography Lectures 11 and 12. Lecturer: Ran Canetti

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

1 Recap: Interactive Proofs

Blazing Fast 2PC in the Offline/Online Setting with Security for Malicious Adversaries

Founding Cryptography on Smooth Projective Hashing

Extending Oblivious Transfers Efficiently

Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

Lecture 38: Secure Multi-party Computation MPC

Faster Maliciously Secure Two-Party Computation Using the GPU Full version

6.892 Computing on Encrypted Data October 28, Lecture 7

Yuval Ishai Technion

Covert Multi-party Computation

Introduction to Modern Cryptography Lecture 11

Lecture 18: Zero-Knowledge Proofs

An Efficient and Secure Protocol for Privacy Preserving Set Intersection

A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness

Faster Malicious 2-party Secure Computation with Online/Offline Dual Execution

Question 1. The Chinese University of Hong Kong, Spring 2018

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Fast Large-Scale Honest-Majority MPC for Malicious Adversaries

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Malicious Security. 6.1 Cut-and-Choose. Figure 6.1: Summary of malicious MPC protocols discussed in this chapter.

Lecture Notes on Secret Sharing

Fang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University

arxiv: v7 [quant-ph] 20 Mar 2017

Scribe for Lecture #5

Lecture 3: Interactive Proofs and Zero-Knowledge

Executable Proofs, Input-Size Hiding Secure Computation and a New Ideal World

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

Statistical WI (and more) in Two Messages

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

The Exact Round Complexity of Secure Computation

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Lattice-Based Non-Interactive Arugment Systems

Improved Non-Committing Encryption Schemes based on a General Complexity Assumption

Efficient Constant Round Multi-Party Computation Combining BMR and SPDZ

Fundamental MPC Protocols

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

Lecture 5, CPA Secure Encryption from PRFs

A New Approach to Practical Active-Secure Two-Party Computation

Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion

Impossibility and Feasibility Results for Zero Knowledge with Public Keys

Complete Fairness in Multi-Party Computation Without an Honest Majority

Entity Authentication

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

On the Cryptographic Complexity of the Worst Functions

Abstract. Often the core diculty in designing zero-knowledge protocols arises from having to

1 Basic Number Theory

Notes for Lecture 3... x 4

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Amortizing Garbled Circuits

A New Approach to Round-Optimal Secure Multiparty Computation

2 Message authentication codes (MACs)

Implementing Two-Party Computation Efficiently with Security Against Malicious Adversaries

Homework 3 Solutions

Zero-Knowledge Against Quantum Attacks

Constant-round Leakage-resilient Zero-knowledge from Collision Resistance *

Concurrent Non-malleable Commitments from any One-way Function

Attribute-based Encryption & Delegation of Computation

Lecture 15: Interactive Proofs

Communication Complexity and Secure Function Evaluation

On the Round Complexity of Covert Computation

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

Notes for Lecture 27

Privacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors

1 Number Theory Basics

Garbled Protocols and Two-Round MPC from Bilinear Maps

How many rounds can Random Selection handle?

Security Protocols and Application Final Exam

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Resettable Cryptography in Constant Rounds the Case of Zero Knowledge

Lecture 7: CPA Security, MACs, OWFs

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

Transcription:

CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits let us securely compute functions in the semi-honest setting, but fail in the malicious setting. The GMW protocol gives information theoretic security if 1/2 of the parties are honest in the semi-honest case, and if 2/3 of the parties are honest in the malicious case. Here, we describe ways to extend garbled circuits to the malicious setting. The two main approaches are the GMW compiler and the Cut and Choose method. 2 GMW Compiler The GMW compiler is a general approach for transforming any protocol secure against semi-honest adversaries into one secure against malicious adversaries. The core idea is that parties run the semi-honest protocol, along with a zero knowledge proof that they are running the protocol correctly. Here, we show the case for just two parties, but similar ideas extend to the multiparty case. Let π be a semi-honest protocol. We can treat protocols as functions π(i, x i, r i, transcript i ) where i is the party index, x i is the ith party s input, r i is the ith party s randomness, and transcript i is a list of all messages the ith party has seen. Note π is deterministic since randomness r i is passed as an argument. At the start of the protocol, each party sends a commitment of its input and its random tape to the other. Let t 1 be the first message in the transcript, t 2 be the second, π runs in polynomial time, so the decision problem t j is consistent with π and the transcript {t 1,..., t j 1 } given the commitment to x i and r i is in NP, where the witness is the key opening the commitment. Thus, there is a zero-knowledge proof of this with computational security. Whenever a party sends t j, it also does a zero knowledge proof that it is following protocol. By running this for every message, neither party learns any more information than the semi-honest case, malicious parties cannot cheat because of soundness. These are the core ideas, but to make this fully secure we need to fix a few more things. In semi-honest protocols, we assume parties are honest in generating uniformly random bits. To make the protocol secure we must force malicious parties to use random bits. At the same time, each party s randomness r i needs to be kept secret. 9 and 10-1

This can be fixed with a simple coin-flipping protocol. Party P 1 generates r 1, r 2. P 2 generates r 2, r 1. They send commitments Com(r 1), Com(r 2 ). Then, P 1 sends r 2, P 2 sends r 1, and going forward P i uses r i r i for their random coins. 3 Cut and Choose One downside of the GMW compiler is all the zero knowledge proofs used. These proofs are very expensive because they involve reductions to NP-Complete problems like 3-Coloring or Hamiltonian Cycle, which could introduce large polynomial factors. The Cut and Choose method is a way to achieve malicious security more efficiently. Again, these ideas can be extended to the multiparty setting, but for now we consider just the two party case. Start with the semi-honest garbled circuit protocol. From here, we use S to denote sender or party 1, and R to denote receiver or party 2. S has input x, and R has input y. To motivate the construction, we first consider the attacks a malicious sender could do against an honest receiver. S sends two types of messages. The garbled circuit G(C). The labels for x (sent directly) and y (sent through OT.) Address the circuit message first. S could send an arbitrary circuit instead of the circuit for f(x, y). To handle this, the cut and choose method has S send several garbled circuits instead of just one. R then challenges S to prove some of the circuits are valid garblings. R will choose the challenge randomly. If all the challenges are valid, R has good reason to believe the remaining circuits are valid as well. Here is a first attempt at this protocol. S constructs s garbled circuits C 1,..., C s, where s is a security parameter. S sends all these circuits to R. R samples i [s], and asks S to prove every circuit except C i is valid. S sends all randomness used to generate those circuits. R verifies all these garbled circuits are valid. (A garbled circuit is valid if every logic gate is garbled correctly and the decrypted logic gates match the ungarbled circuit C.) If the circuits are valid, S and R proceed with the garbled circuit protocol for the unchecked circuit C i. However, this protocol does not work, since S can cheat with probability 1/s by sending exactly one invalid circuit. The fix is simple - R will check a random subset of circuits instead of all but one, then take the majority output of all unchecked circuits. Intuitively, S needs to change around half of the circuits to take over the majority output. Since each circuit is checked with probability 1/2, S can only cheat the process with probability 2 s/2. S constructs s garbled circuits C 1,..., C s, where s is a security parameter. S sends all these circuits to R. 9 and 10-2

R samples r {0, 1} s, and asks S to open all circuits where r j = 1. For every such j, S sends the randomness for C j. R verifies each C j is valid. If they are, S and R proceed with the garbled circuit protocol for all unchecked circuits. R evaluates the circuits and returns the majority output. This finishes the informal handling of circuit attacks, leaving attacks on the labels for inputs x and y. This case further splits into subcases. S could be inconsistent about the labels for x and y, forcing R to evaluate f(x, y) on multiple input pairs (x, y). Although R sends only the majority output, S can learn something even when the circuit outputs are unanimous. (For example, let f(x, y) = 1 when x < y. S can send a different x for each circuit, and will learn if a majority of the xs are less than y.) More subtly, S can send consistently invalid labels to learn something depending on whether R aborts or not. (For example, in the OTs for R s input bit y 1, S offers an invalid label for 0 and a valid label for 1. Then R aborts if and only if y 1 = 1. In general, S s behavior should depend only on itself, and not on the actions of any honest parties. To fix this, we first amplify C to take more input bits. For a C taking n bits of input, create a C which takes sn bits, where s is a security parameter. C is defined as C (z 1 1, z 2 1,..., z s 1, z 1 2,..., z s 2,..., z 1 n,..., z s n) = C( s i=1z i 1, s i=1z i 2,..., s i=1z i n) In a loose sense, this connects the difficulty of cheating on a single input bit to the security parameter s. Next, S will create commitments to every possible bit for each input wire. Note we are sending s circuits of sn inputs each, giving O(s 2 n) commitments total. Let ki,j b denote the key for wire i, from circuit j, representing bit b. The commitments are organized into sets {w i,j } and {w i,j }. First, S samples bits b j. Then, w i,j = {Com(b j ), Com(k b j i,1 ), Com(kb j i,2 ),..., Com(kb j i,s ) w i,j = {Com(1 b j ), Com(k 1 b j i,1 ), Com(k 1 b j i,2 ),..., Com(k 1 b j i,s ) where i [sn], j [s]. Each w i,j contains all the 0 keys or 1 keys, with the first commitment indicating which bit it is. w i,j then contains the keys for the opposite bit. Intuitively, these sets will guarantee the consistency and validity of the input bits. Note {w i,j, w i,j } is the same no matter what j is. There are s copies of each commitment set, but whether w corresponds to 0 or 1 is random. The idea is that by now, R knows the secret keys for every checked circuit from the previous challenge. R requests S to open commitments for the checked circuits, to verify each w i,j is constructed correctly. We apply the same cut and choose idea along two axes: to show a single commitment set is constructed properly, and to show all the commitment sets are constructed properly. Here is the next modification of the protocol. 9 and 10-3

S constructs s garbled circuits, sending all of them to R. S samples b j, and constructs the matrix {w i,j, w i,j } as described earlier. S sends the entire commitment matrix. S and R do OT to transfer the keys for R s input y on all circuits. Recall the circuit is modified to XOR s bits for each bit y i. When R requests keys for y i, R sends s 1 random bits to the OT, then sends the matching last bit such that everything XORs to y i. R samples two random strings, r and r, sending them to S. The first, r, tells S which circuits to R wants to check. The second, r, gives which commitment sets R wants to check. For every checked commitment set, R opens the indicator commitment and the entries for the checked circuits. Notably, R does not open the entire row. R now verifies the opened commitments are valid. The opened commitments are valid if they are consistent with the indicator bit. Verifying a random subset of entries lets R trust that entire row is valid, and verifying a random subset of rows lets R trust the entire matrix is valid. Note the opened commitments on the checked circuits include the input wires for y. So, R can verify the keys for y match the requested bit, and this doubles as a consistency check for y. If all verification passes, the protocol continues. S sends keys for x on all unchecked circuits. However, before running the unchecked circuits, R asks S to prove x is consistent. For every unchecked commitment set, S opens commitments from w i,j or w i,j, based on whether x i = 0 or 1. In those sets, S opens only the entries for unchecked circuits. 9 and 10-4

If the revealed keys match the keys R received, R will believe x is consistent. R can now run the circuits and return the majority output. Now, we informally argue why this setup is secure. Suppose S tried to make x inconsistent or invalid. Of the w i,j, w i,j opened right before evaluation, every single one must contain a commitment to 0 and 1. If that row {w i,j, w i,j } was picked in the check step, and the checked circuits included the entries for those two conflicting commitments, S would be caught. Similarly to the argument for valid vs invalid circuits, if S changes enough to make an input wire inconsistent, it is caught almost all the time. 3.1 Final Protocol Modifications There are a few remaining details needed for the proof of security. So far, we have assumed the receiver is honest. Suppose the receiver was malicious instead. The receiver controls the following messages The random challenge strings r and r. Which bit to ask for in the oblivious transfers What output to send back to the verifier. To fix the first, we use a coin flipping protocol. For random string r, each party samples r i, sends a commitment Com(r i ), then opens their commitments and use r = r 1 r 2. A similar process is done on r. The other two issues are simulatable given oracle access to the malicious receiver s behavior. 9 and 10-5

3.2 Simulators These will only be described informally. 3.2.1 Cheating Sender Simulator As constructed, challenges r, r are uniformly distributed even when the sender is malicious. The simulator runs the protocol until S opens the commitments as defined by r and r. The simulator then rewinds to right after S sends the circuits, and runs the protocol with new r and r. On expectation, about 1/4 of the circuits are checked the first time and unchecked the second. In the circuits checked the first time, R learns the mapping from garbled keys to input bits. In circuits evaluated the second time, R learns which keys are for S s input. Combined, R can extract S s input and get output f(x, y). 3.2.2 Cheating Receiver Simulator S first extracts R s input from the simulator for oblivious transfer. Let z = f(x, y) be the correct output. The simulator generates the garbled circuits, sometimes. Each circuit is either a valid garbling or a circuit that always outputs z, with the simulator choosing which circuits are valid randomly. The simulator then influences the generation of r such that every checked circuit is valid and every unchecked circuit always outputs z. (To do so, when creating r, the simulator runs until R opens their committed randomness r 2, then rewinds and sends the appropriate Com(r 1 ).) All validity checks will go through, and R will always get the right output z. 4 Oblivious Transfer Extension In practice, oblivious transfer is the bottleneck for secure computation protocols. It turns out we can use a small number of OTs to transfer many messages. An OT of k messages can be extended to n = poly(k) messages. This is done by constructing an appropriate circuit, then running a secure computation protocol on that circuit. Party P 1 has m 0 1, m1 1,..., m0 n, m 1 n, and P 2 has b 1,..., b n. P 1 generates 2n random strings r 0 1, r1 1,..., r0 n, r 1 n. P 2 samples x {0, 1} k. Let g : {0, 1} k {0, 1} n be a PRG. P 1 constructs a circuit C(x 1 x 2... x k ) defined as Input {ri b }, x. y g(x). Return to P 1. Return {r y i i } to P 2. Evaluate this circuit securely, where P 1 gives {r b i } and P 2 gives x. Now, P 2 knows y i, r y i i, and P 1 does not know what randomness P 2 requested. Proceed with the final message transfer. For every i, let c i := b i y i. P 2 sends all c i to P 1. 9 and 10-6

P 1 sends m 0 i rc i i, m1 i r1 c i i. P 2 XORs appropriately to get m b i i. References [1] Lindell, Yehuda. Foundations of Cryptography 89-856. Chapter 13. (2010). [2] Lindell, Yehuda, and Benny Pinkas. An efficient protocol for secure two-party computation in the presence of malicious adversaries. Advances in Cryptology-EUROCRYPT 2007. Springer Berlin Heidelberg, 2007. 52-78. [3] Ishai, Yuval, et al. Extending oblivious transfers efficiently. Advances in Cryptology-CRYPTO 2003. Springer Berlin Heidelberg, 2003. 145-161. 9 and 10-7

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback