View
44
Download
0
Category
Tags:
Preview:
DESCRIPTION
Garbled Circuits Checking Garbled Circuits More efficient and Secure Two-Party Computation . Payman Mohassel Ben Riva University of Calgary Tel Aviv University. Secure Two-Party Computation. Privacy: Only learn the output - PowerPoint PPT Presentation
Citation preview
GARBLED CIRCUITS CHECKING GARBLED CIRCUITS MORE EFFICIENT AND SECURE TWO-PARTY COMPUTATION
Payman Mohassel Ben Riva University of Calgary Tel Aviv University
Secure Two-Party Computation
๐1 ๐2
๐ ๐
๐ 1(๐ฅ , ๐ฆ ) ๐ 2(๐ฅ , ๐ฆ)
Privacy: Only learn the outputCorrectness: Learn the intended function
Contributionsโข 2PC with low overheadโข Inputโconsistency checkโข Two-output functions
โข New Definitionโข Strengthen covert adversariesโข Better efficiency/security trade-off for practiceโข Protocols meeting the definition
4
Garbled Circuit
๐บ๐ถseed
๐บ๐ผ ๐ฅ๐๐บ๐ผ ๐ฆ
๐บ๐ถ๐บ ๐ผ ๐ฆ๐บ ๐ผ ๐ฅEval( ) ๐บ๐
๐บ๐
๐ถ (๐ฅ , ๐ฆ )= ๐ (๐ฅ , ๐ฆ )
๐ ๐๐
๐๐๐ (๐ ,๐ )
5
Useful Propertiesโข Privacy: Knowing , , and does no leak any info
โข Output Authenticity: P2 cannot compute another valid output
๐บ๐ถ๐บ ๐ผ ๐ฆ๐บ ๐ผ ๐ฅ
๐บ๐ โ
๐บ๐ถ๐บ ๐ผ ๐ฆ๐บ ๐ผ ๐ฅ ๐๐ ๐ (๐ ,๐ )
๐บ๐ถ๐บ ๐ผ ๐ฆ๐บ ๐ผ ๐ฅ
๐บ๐ถ1
Malicious 2PC Cut-and-Choose
๐บ๐ถ1
๐บ๐ถ2
๐บ๐ถ 4
๐บ๐ถ5 ๐บ๐ถ5
Open Evaluate
๐บ๐ถ3
๐บ๐ถ6
๐บ๐ถ3
๐บ๐ถ2
๐บ๐ถ 4
๐บ๐ถ6
๐ง 2
๐ง 4
๐ง 6
Majority
๐ง= ๐ (๐ฅ , ๐ฆ)โฎ
๐ฅโ
๐ฅโ
๐ฅโ
๐งโ
Are all inputs the same?
Is the output correct?
Question
Question
๐1
๐
๐บ๐ถ1
1) Is the output correct?
๐บ๐ถ1
๐บ๐ถ2
๐บ๐ถ 4
๐บ๐ถ5 ๐บ๐ถ5
Open Evaluate
๐บ๐ถ3
๐บ๐ถ6
๐บ๐ถ3
๐บ๐ถ2
๐บ๐ถ 4
๐บ๐ถ6
๐ง 2
๐ง 4
๐ง 6
Majority
โฎ
๐ฅโ
๐ฅโ
๐ฅโ
๐ง ,๐ฎ๐ถ๐ ,๐ฎ๐ถ๐ ,๐ฎ๐ถ๐
๐บ๐2
๐บ๐4
๐บ๐6
๐ง= ๐ (๐ฅ , ๐ฆ)
But this leaks info to
Send GOs as proof
๐1
๐
๐บ๐ถ1
2) Is the output correct?
๐บ๐ถ1
๐บ๐ถ2
๐บ๐ถ 4
๐บ๐ถ5 ๐บ๐ถ5
Open Evaluate
๐บ๐ถ3
๐บ๐ถ6
๐บ๐ถ3
๐บ๐ถ2
๐บ๐ถ 4
๐บ๐ถ6
๐ง 2
๐ง 4
๐ง 6
Majority
โฎ
๐ฅโ
๐ฅโ
๐ฅโ
z
๐บ๐โ
๐บ๐โ
๐บ๐โ
๐ง= ๐ (๐ฅ , ๐ฆ ) ,๐ฎ๐ถ
Use same output labels in all circuits
But learns labels in open phase& can forge output
๐บ๐ถ1
3) Is the output correct?
๐บ๐ถ1
๐บ๐ถ2
๐บ๐ถ 4
๐บ๐ถ5 ๐บ๐ถ5
OpenEvaluate
๐บ๐ถ3
๐บ๐ถ6
๐บ๐ถ3
๐บ๐ถ2
๐บ๐ถ 4
๐บ๐ถ6
๐ง 2
๐ง 4
๐ง 6
Majority
โฎ
๐ฅโ
๐ฅโ
๐ฅโ
๐๐๐ (๐ง ) ,๐๐๐ยฟ
๐บ๐โ
๐บ๐โ
๐บ๐โ
z ,๐ฎ ๐ถโ
Extensionsโข Extend to two-output functionsโข XOR โs output with a random value provided by himโข Then apply the above solution
โข Make solution โstreaming-friendlyโโข Hard to garble/evaluate circuits โon-the-flyโโข Need to store circuits until they are openedโข See paper for a streaming-friendly versionโข Similar ideas and efficiency
Covert 2PC
๐บ๐ถ1
๐บ๐ถ2
๐บ๐ถ 4
๐บ๐ถ5
๐บ๐ถ3
๐บ๐ถ6
โฎ
๐ฅโ
๐ฅโ
๐ฅโ
๐ง= ๐ (๐ฅ , ๐ฆ)
o Costs to get caught o Pays to cheat and wino is probability of not getting caughto Cost > Pay
o maybe sufficient
What about cost/pay for honest party?Question
cost/pay for malicious party
All-or-Nothing Securityโข What about the honest party?โข with probability โข His input is leaked!โข He learns an incorrect output!
o Pays to learn correct outputo Costs to be cheated ono Pay > Cost
o If is large enougho Honest parties may not participate
A Stronger Definitionโข Increase the pay-off (of learning correct output)โขOrthogonal to MPC
โขReduce the cost of being cheated on!โขBy strengthening the security definition
CovIDA Security
โข Guarantee correctnessโข Honest parties cannot be tricked into learning bad output
โข Only leak limited information in case of cheatingโข With probability nothing is leakedโข With probability only one bit is leaked
๐๐ Dual-Ex 2PC
๐1
๐๐2
๐๐บ๐ถ๐บ ๐ผ ๐ฅ
๐บ ๐ผ ๐ฆ
๐๐ ๐บ๐ถ ๐บ ๐ผ ๐ฅ โฒ๐บ ๐ผ ๐ฆ โฒ
๐ง ,๐บ๐ ๐ง
๐ง โฒ ,๐บ๐๐ง โฒ
๐=? ๐ โฒYes/no
Yes/no Use for authentication
o Correctness prob. = 1-neg(k)o Leakage prob. = 1
o Bad circuito Different inputs
Dual-Ex + Covert 2PC
๐บ๐ถ1
๐บ๐ถ2
๐บ๐ถ3
๐บ๐ถ 4
๐บ๐ถ1
๐บ๐ถ2
๐บ๐ถ3
๐บ๐ถ 4
๐=? ๐ โฒYes/no
Yes/no
o Correctness prob. = 1-neg(k)o Leakage prob. = 1
o Bad circuito Different inputs
Dual-Ex + Covert 2PC
๐บ๐ถ1
๐บ๐ถ2
๐บ๐ถ3
๐บ๐ถ 4
๐บ๐ถ1
๐บ๐ถ2
๐บ๐ถ3
๐บ๐ถ 4
o Correctness prob. = 1o Leakage prob. =
o Bad circuito Different inputs
๐ฅ1๐1๐ฅ2๐2๐ฅ3๐3๐ฅ4๐ 4
๐ฅ โฒ 1๐ โฒ 1๐ฅ โฒ 2๐ โฒ 2๐ฅ โฒ 3๐ โฒ 3๐ฅ โฒ 4๐ โฒ 4
๐1๐ โฒ 1ยฟ?
๐2๐ โฒ 2ยฟ?
๐ 4๐ โฒ 4ยฟ?
๐ฅ3โ๐ 3๐ฅ3โฒ โ๐ โฒ 3ยฟ?
It is possible make probability using a few tricks
๐1
๐๐2
๐
Are inputs the Same? Malicious 2PC
๐บ๐ถ1
๐บ๐ถ2
๐บ๐ถ3
๐บ๐ถ 4
๐ฅ1๐1๐ฅ2๐2๐ฅ3๐3๐ฅ4๐ 4
๐ฅโ๐ โฒ 1๐ฅโ๐ โฒ 2๐ฅโ๐ โฒ 3๐ฅโ๐ โฒ 4
๐1๐ โฒ 1ยฟ?
๐ฅ2โ๐2๐ฅโ๐ โฒ 2ยฟ?
๐ 4๐ โฒ 4ยฟ?
๐ฅ3โ๐ 3๐ฅโ๐ โฒ 3ยฟ?
โ
โ
โ
โ
Use same OT for x
๐1
๐๐2
๐
Linear in s symmetric-keyOps for input-consistency (using OT extension)
QUESTIONS?
Recommended