Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings

Similar documents
Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

Blazing Fast 2PC in the Offline/Online Setting with Security for Malicious Adversaries

Malicious Security. 6.1 Cut-and-Choose. Figure 6.1: Summary of malicious MPC protocols discussed in this chapter.

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Faster Malicious 2-party Secure Computation with Online/Offline Dual Execution

Computing on Encrypted Data

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Authenticated Garbling and Efficient Maliciously Secure Two-Party Computation

Efficient Constant Round Multi-Party Computation Combining BMR and SPDZ

Faster Maliciously Secure Two-Party Computation Using the GPU Full version

Multiparty Computation

Amortizing Garbled Circuits

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

Faster Secure Two-Party Computation in the Single-Execution Setting

Fast Large-Scale Honest-Majority MPC for Malicious Adversaries

On Achieving the Best of Both Worlds in Secure Multiparty Computation

Benny Pinkas Bar Ilan University

Lecture 14: Secure Multiparty Computation

Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

ABSTRACT EFFICIENT SECURE COMPUTATION FOR REAL-WORLD SETTINGS AND SECURITY MODELS. Alex J. Malozemoff, Doctor of Philosophy, 2016

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

1 Secure two-party computation

Optimizing Authenticated Garbling for Faster Secure Two-Party Computation

Introduction to Cryptography Lecture 13

Multiparty Computation (MPC) Arpita Patra

SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

Fundamental MPC Protocols

From Secure MPC to Efficient Zero-Knowledge

Lecture 3,4: Multiparty Computation

A New Approach to Practical Active-Secure Two-Party Computation

A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries

Revisiting LEGOs: Optimizations, Analysis, and their Limit

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

Secure Computation. Unconditionally Secure Multi- Party Computation

JIMU: Faster LEGO-based Secure Computation using Additive Homomorphic Hashes

Round-Efficient Multi-party Computation with a Dishonest Majority

An Efficient Protocol for Fair Secure Two-Party Computation

Implementing Two-Party Computation Efficiently with Security Against Malicious Adversaries

1 Number Theory Basics

Extending Oblivious Transfers Efficiently

6.892 Computing on Encrypted Data October 28, Lecture 7

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

A New Approach to Practical Active-Secure Two-Party Computation

Introduction to Modern Cryptography Lecture 11

6.897: Selected Topics in Cryptography Lectures 11 and 12. Lecturer: Ran Canetti

Are you the one to share? Secret Transfer with Access Structure

Complete Fairness in Secure Two-Party Computation

Protocols for Multiparty Coin Toss with a Dishonest Majority

An Efficient and Secure Protocol for Privacy Preserving Set Intersection

Privacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors

Secret sharing schemes

A New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank

Founding Cryptography on Smooth Projective Hashing

Yuval Ishai Technion

Picnic Post-Quantum Signatures from Zero Knowledge Proofs

Perfect Secure Computation in Two Rounds

Lecture Notes 20: Zero-Knowledge Proofs

Richer Efficiency/Security Trade-offs in 2PC

Reducing Garbled Circuit Size While Preserving Circuit Gate Privacy *

Lecture 38: Secure Multi-party Computation MPC

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

Oblivious Evaluation of Multivariate Polynomials. and Applications

Distributed Oblivious RAM for Secure Two-Party Computation

An Unconditionally Secure Protocol for Multi-Party Set Intersection

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

1 Basic Number Theory

On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

Covert Multi-party Computation

1 Introduction. Proceedings on Privacy Enhancing Technologies ; 2017 (4):

ASYMMETRIC ENCRYPTION

Katz, Lindell Introduction to Modern Cryptrography

Multi-Party Computation with Conversion of Secret Sharing

Notes on Zero Knowledge

Data-Mining on GBytes of

Foundations of Secure Computation: Perfect Security and Fairness

Lecture 2: Perfect Secrecy and its Limitations

On the Cryptographic Complexity of the Worst Functions

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Session-Key Generation using Human Passwords Only

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Perfectly-Secure Multiplication for any t < n/3

Lecture 19: Verifiable Mix-Net Voting. The Challenges of Verifiable Mix-Net Voting

Executable Proofs, Input-Size Hiding Secure Computation and a New Ideal World

Lecture 9 - Symmetric Encryption

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

k-round MPC from k-round OT via Garbled Interactive Circuits

Abstract. Often the core diculty in designing zero-knowledge protocols arises from having to

Network Oblivious Transfer

On the Round Complexity of Covert Computation

Security Protocols and Application Final Exam

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

A Gentle Introduction to Yao s Garbled Circuits

ECS 189A Final Cryptography Spring 2011

Transcription:

Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings Yehuda Lindell Bar-Ilan University, Israel Technion Cryptoday 2014 Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 1 / 27

Secure Computation Background A set of parties P 1,..., P m with private inputs x 1,..., x m wish to compute a joint function f of their inputs while preserving secure properties such as: Privacy: nothing but the output f(x 1,..., x m ) is revealed Correctness: the correct output is obtained Independence of inputs: no party can choose its input as a function of another party s input Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 2 / 27

Secure Computation Background In an election: Privacy means that individual votes are not revealed Correctness means that the candidate with the majority vote wins Independence of inputs means that you can t vote as a function of the outcome Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 3 / 27

Applications Privacy: Secure DNA comparison Secure set intersection (compare lists of friends, customers, etc.) Security: Compute AES without revealing key Private database search and private searchable encryption User authentication without revealing credentials Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 4 / 27

Secure Computation Background Security must hold in the presence of adversarial behavior: Semi-honest: follows the protocol description but attempts to learn more than allowed (models inadvertent leakage but otherwise gives a weak guarantee) Malicious: follows any arbitrary attack strategy (provides a very strong guarantee, but is hard to achieve with respect to efficiency) Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 5 / 27

Secure Computation Feasibility Despite its stringent requirements, it was shown that essentially any function can be securely computed: In the presence of semi-honest adversaries [Yao86,GMW87] In the presence of malicious adversaries [GMW87] With perfect security where a 2/3 honest majority is guaranteed [BGW88] Since the 1980s, the feasibility of secure computation has been studied heavily In the last 5-10 years, the efficiency of secure computation has been a topic of intensive study Semi-honest general secure computation is extraordinarily fast Security for malicious adversaries has made great progress; but this is still a difficult problem Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 6 / 27

Yao s Garbled Circuits A garbling of a circuit C is an encryption of the circuit with the following properties Two secret keys are associated with each input wire; one for the 0-bit and one for the 1-bit Given a single key for each input wire, it is possible to compute the associated output and nothing else. That is: Given the keys associated with bits x1,..., x n {0, 1}, it is possible to compute f(x 1,..., x n ) Given the keys associated with x1,..., x n {0, 1} it is not possible to learn anything beyond f(x 1,..., x n ) How can garbled circuits be constructed? Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 7 / 27

A Garbled Gate Input wires i and j, and output wire l x y x y 0 0 0 0 1 0 1 0 0 1 1 1 A plain AND gate x y x y ki 0 kj 0 kl 0 ki 0 kj 1 kl 0 ki 1 kj 0 kl 0 ki 1 kj 1 kl 1 The associated keys (garbled values) Ciphertexts ( ( ) ) E k 0 E i k 0 k 0 ( j l ( ) ) E k 0 E i k 1 k 0 ( j l ( ) ) E k 1 E i k 0 k 0 ( j l ( ) ) E k 1 E i k 1 k 1 j l The garbled gate (in random order) Given ki α and k β j for some α, β {0, 1}, can obtain kα β l But, nothing is revealed by this since all keys are random! Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 8 / 27

A Garbled Circuit Input wires d, a, b, e and output wires f, g Garbled gates can be combined together naturally Given one key for every input wire, can compute the entire circuit without learning anything but the output Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 9 / 27

Garbled Circuits Optimizations There are many optimisations: Evaluation while only decrypting one ciphertext Reducing number of ciphertexts in a gate from 4 to 3 to 2 Free-XOR and FlexOR Reducing the number of encryptions in each gate Utilising the AES-NI chip Reducing the size of the circuit Current state of the art: Can garble and compute the AES circuit (about 7000 AND gates, and 15,000 XOR gates) in a few hundred microseconds on a standard i7 PC Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 10 / 27

Yao s Protocol Security for Semi-Honest Adversaries A protocol for securely computing f(x, y): Inputs: P 1 has x, and P 2 has y Party P 1 constructs a garbled circuit computing the function f and sends it to party P 2 Party P 1 sends the keys associated with its input x to P 2 P 1 and P 2 run 1-out-of-2 oblivious transfer for every bit of P 2 s input In the ith OT, P2 inputs y i (its ith input bit) and P 1 inputs the pair of keys ki 0, k1 i associated with this input wire P2 receives k yi i and learns nothing about k yi i Given one key for every input wire, P 2 computes the garbled circuit, obtains the output f(x, y), and sends it to P 1 Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 11 / 27

Yao s Protocols with Malicious Adversaries The Main Problem Circuit Correctness Party P 1 may construct an incorrect circuit This is not just a problem of correctness, but also of privacy The circuit can compute a different function of the evaluator s input, revealing something that should remain secret Ensuring correctness the cut-and-choose paradigm: P 1 constructs many copies of the circuit P 2 challenges P 1 on half of them P 1 opens the requested half and P 2 checks that are correct The parties evaluate the remaining circuits and take output Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 12 / 27

Cut-and-Choose on Yao s Protocol Opening a Pandora s Box We solve a problem but generate many new ones: The parties compute many circuits: we need to force them to use the same inputs in all Opening a circuit means providing all keys on input wires: it may be possible to construct a circuit with two sets of keys one opening it to the correct circuit and one to a different circuit The circuits may be correct, but the garbled keys may not be: P 1 can give invalid 0-keys for the first bit of P 2 s input If the first bit of P2 s input is 0, then it cannot compute and so must abort If the first bit of P 2 s input is 1, then it computes Thus, P 1 can learn the first bit of P 2 s input by observing if it aborts or not This is called a selective bit attack [KS06] Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 13 / 27

Cut-and-Choose on Yao s Protocol Another Problem What should P 2 do if not all computed circuits give the same output? Observe that a few circuits may be incorrect with good probability! If P 2 aborts, then P 1 can carry out the following attack: P 1 generates one garbled circuit that outputs garbage if the first bit of P 2 s input is 0; otherwise it computes f With probability 1/2, this circuit is not checked If the first bit of P2 s input is 0, it aborts If the first bit of P2 s input is 1, it does not abort Thus, P 1 can learn the first bit of P 2 s input by observing if it aborts or not Thus, P 2 cannot abort, even though it knows that P 1 is trying to cheat! Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 14 / 27

Strategy for Determining Output Party P 2 cannot abort, and so takes the majority output This is sound since the probability that a majority of the unopened circuits are incorrect is negligible What is the function bounding the probability of cheating? This is important since it determines the number of circuits, which has a huge ramification on efficiency An inaccurate computation (let s be number of circuits): The adversary succeeds if s 4 circuits are incorrect and none of them are chosen to be checked Assume each circuit is checked w.p. 1/2, this occurs with probability 2 s/4 For security of 2 40 need 160 circuits In [LP11] proved 2 0.311s and so 128 circuits suffice In [ss11] showed that when checking 60% of the circuits, error is 2 0.32s and so 125 circuits suffice (and this is optimal) Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 15 / 27

Cut-and-Choose Yao with Fewer Circuits [L13] The cheating recovery technique: If P 2 receives the same output in all circuits, then this is its output This is fine as long as at least one of the circuits is correct If P 2 receives two different outputs, then this releases a trapdoor to P 2 that enables it to learn P 1 s actual input x P 1 just locally computes f(x, y) which is certainly correct Trapdoor is actually a bootstrapping secure computation: uses 128 circuits, but each is very small Cheating probability As long as at least one evaluation circuit is correct, P 1 cannot cheat Thus, P 1 can cheat only if all check circuits are correct and all evaluation circuits are not Cheating probability for s circuits: 2 s Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 16 / 27

Batched and Online/Offline Yao Presented at CRYPTO 2014; joint work with Ben Riva Consider a setting where many executions take place Batch: many executions run at the same time Online/offline: prepare in offline stage, run Yao execution fast in online Amortizing cut-and-choose P 1 can only cheat if all evaluation circuits are incorrect The aim: make the probability that all evaluation circuits are incorrect be low The idea: Generate many circuits for many executions Open a percentage to check Randomly permute the remainder into buckets for evaluation Why does this help? If P 1 generates many incorrect circuits, it will be caught If P 1 generates few incorrect circuits, the probability that a bucket will contain only incorrect circuits is very small Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 17 / 27

Amortizing Cut-and-Choose Notation: Number of executions: N Size of each bucket: B Error parameter: s (allow 2 s error) Naive method: set B = s and use N B = N s circuits This requires s circuits per evaluation Randomly permute evaluation circuits: Use 2N B circuits; open half What value of B is needed? ( ) Asymptotically: O s log N circuits per evaluation Concretely: s is small and N is large, so s log N << s For s = 40 and N = 512, need 10 circuits per evaluation (5 checked and 5 evaluated) For s = 40 and N = 2 19, only 6 circuits per evaluation Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 18 / 27

Amortizing Cut-and-Choose Opening a half is not optimal: Number of Executions Probability of Not Checking Bucket Size Average circuits per Execution 32 0.75 10 13.34 1,024 0.65 5 7.69 1,024 0.85 6 7.06 1,048,576 0.65 3 4.62 1,048,576 0.98 4 4.08 2 30 0.99 3 3.03 The same method is also used for the cheating recovery circuit: For N =1024, need 24 circuits per execution (instead of 125) For N =1,048,576, need 12 circuits per execution Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 19 / 27

Amortizing Cut-and-Choose Summary: For 1024 executions, the online phase requires the evaluation of 5 full circuits (and 24 tiny bootstrapping circuits) A single AES circuit can be evaluated in 350 microseconds; with multithreading should yield an online phase of just a few milliseconds Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 20 / 27

Combinatorics of Multiple Cut-and-Choose An inaccurate analysis: N = 1000 executions, buckets of size 10, open half Adversary wins if there exists an all-bad bucket Adversary constructs 20,000 circuits If at least 40 are bad, probability that none are checked is 2 40 If less than 40 are bad, these are randomly thrown into 1000 buckets If there is independence (which there isn t) then each ball is bad w.p. 40/10000 = 0.004 If there is independence, a bucket gets 10 bad balls with probability 0.004 10 2 80 Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 21 / 27

Challenges in Online/Offline and Batch Yao Input consistency: Current methods for ensuring P 2 s input consistency are applied to all circuits before opening The inputs are only determined after opening in online/offline; mapping of circuits to buckets is unknown Cheating recovery: All circuits have same output values on wires In multiple execution setting, this is not possible (and certainly different values need to be obtained on different wires) Moving checks to the offline phase: We wish to check consistency of P 1 s and P 2 s inputs in the offline phase The input is not yet determined; how is this possible? Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 22 / 27

Changing the Functionality Instead of computing f(x, y), the parties compute f ((x 1, x 2 ), (y 1, y 2 )) = f(x 1 x 2, y 1 y 2 ) where x 1, y 1 are private, and x 2, y 2 are public Private versus public inputs: Consistency of public inputs is easy: P 1 commits to garbled values on wires in their correct order P 2 verifies that decommitments are to all first, or all second P2 can also simply tell P 1 its public input in this stage Consistency of private inputs is hard, and uses known methods Online/offline: Parties choose random x 1, y 1 for private inputs in offline After receiving x, y, parties define x 2 = x x 1 and y 2 = y y 1 and reveal x 2, y 2 to each other Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 23 / 27

Reducing the Online Work Our protocol moves almost all work to the offline phase In online send garbled values, and almost nothing else; compute a few circuits and hashes only This raises a problem regarding adaptive Yao circuits Standard Yao simulation requires that the input/output of the corrupted be known before constructing a fake circuit In the standard malicious setting, this is achieved by running the the OT that determines the input before sending the circuit In the online/offline setting, the inputs have not yet been fixed In the ROM, there exist solutions to this In the standard model, we do not know how to achieve online time that is independent in the circuit size Solving adaptive Yao has important applications here Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 24 / 27

Cut-and-Choose Yao over the Years Progress on the number of circuits (for 2 40 error): Lindell-Pinkas 2007: error 2 s/17 ; requires 680 circuits (but conjectures to be 2 s/4 ) and so 160 circuits Lindell-Pinkas 2011: error 2 0.311s ; requires 128 circuits shelat-shen 2011: error 2 0.32s ; requires 125 circuits (optimal for this approach) Lindell 2013: error 2 s ; requires 40 circuits (Huang-Katz-Evans 40 circuits in each direction) Lindell-Riva 2014: amortize cost, for 2 s error and 1000 executions, 7690 circuits overall and just 5 evaluations in online Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 25 / 27

Summary Online/Offline and Batch Executions with Yao Cut-and-choose can be vastly improved when amortized Online/offline secure computation can be carried out also with Yao This is competitive with the SPDZ and TinyOT approaches since the online phase has few rounds Adaptive Yao is an obstacle for standard-model protocols Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 26 / 27

Thank You Thank You! Yehuda Lindell Online/Offline and Batch Yao 30/12/2014 27 / 27

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback