Garbled Circuits Checking Garbled Circuits: More Efficient and Secure Two-Party Computation
Payman Mohassel (University of Calgary), Ben Riva (Tel Aviv University)

Secure Two-Party Computation
[Diagram: P1 with input x and P2 with input y; outputs f1(x, y) and f2(x, y)]
Privacy: Only learn the output
Correctness: Learn the intended function

Contributions
• 2PC with low overhead
• Input-consistency check
• Two-output functions
• New Definition
• Strengthen covert adversaries
• Better efficiency/security trade-off for practice
• Protocols meeting the definition

Garbled Circuit
[Diagram labels: seed, GC, GI_x, GI_y, Eval(GC, GI_x, GI_y) → GO, TT, f(x, y); C(x, y) = f(x, y)]

Useful Properties
• Privacy: Knowing , , and does not leak any info
• Output Authenticity: P2 cannot compute another valid output
[Diagram labels: GC, GI_x, GI_y; GO'; GC, GI_x, GI_y, TT, f(x, y)]

Malicious 2PC Cut-and-Choose
[Diagram: circuits GC1 to GC6 split into an Open set and an Evaluate set; outputs z2, z4, z6 go to Majority, giving z = f(x, y)]
Question: Are all inputs the same?
Question: Is the output correct?

1) Is the output correct?
[Diagram: P1 with input x; circuits GC1 to GC6 split into Open and Evaluate; outputs z2, z4, z6 go to Majority; message z, GO2, GO4, GO6; z = f(x, y)]
Send GOs as proof
But this leaks info to

2) Is the output correct?
[Diagram: P1 with input x; circuits GC1 to GC6 split into Open and Evaluate; outputs z2, z4, z6 go to Majority; message z = f(x, y), GO]
Use same output labels in all circuits
But learns labels in open phase & can forge output

3) Is the output correct?
[Diagram: circuits GC1 to GC6 split into Open and Evaluate; outputs z2, z4, z6 go to Majority; messages com(z), com(…) and z, GO]

Extensions
• Extend to two-output functions
• XOR ’s output with a random value provided by him
• Then apply the above solution
• Make solution “streaming-friendly”
• Hard to garble/evaluate circuits “on-the-fly”
• Need to store circuits until they are opened
• See paper for a streaming-friendly version
• Similar ideas and efficiency

Covert 2PC
[Diagram: circuits GC1 to GC6; z = f(x, y)]
Cost/pay for malicious party:
o Costs to get caught
o Pays to cheat and win
o is probability of not getting caught
o Cost > Pay
o may be sufficient
Question: What about cost/pay for honest party?

All-or-Nothing Security
• What about the honest party?
• with probability
• His input is leaked!
• He learns an incorrect output!
o Pays to learn correct output
o Costs to be cheated on
o Pay > Cost
o If is large enough
o Honest parties may not participate

A Stronger Definition
• Increase the pay-off (of learning correct output)
• Orthogonal to MPC
• Reduce the cost of being cheated on!
• By strengthening the security definition

CovIDA Security
• Guarantee correctness
• Honest parties cannot be tricked into learning bad output
• Only leak limited information in case of cheating
• With probability nothing is leaked
• With probability only one bit is leaked
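
Dual-Ex 2PC
[Diagram: P1 with input x, P2 with input y; one execution with GC, GI_x, GI_y, TT giving z, GO_z; the other with GC, GI_x', GI_y', TT giving z', GO_z'; test z =? z' with a Yes/no result on each side]
Use for authentication
o Correctness prob. = 1-neg(k)
o Leakage prob. = 1
o Bad circuit
o Different inputs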

Dual-Ex + Covert 2PC
[Diagram: circuits GC1 to GC4 on each side; test z =? z' with a Yes/no result on each side]
o Correctness prob. = 1-neg(k)
o Leakage prob. = 1
o Bad circuit
o Different inputs

Dual-Ex + Covert 2PC
[Diagram: circuits GC1 to GC4 on each side, with values x1, r1, x2, r2, x3, r3, x4, r4 and x'1, r'1, x'2, r'2, x'3, r'3, x'4, r'4; checks r1 =? r'1, r2 =? r'2, r4 =? r'4 and x3 ⊕ r3 =? x3' ⊕ r'3]
o Correctness prob. = 1
o Leakage prob. =
o Bad circuit
o Different inputs
It is possible to make probability using a few tricks

Are inputs the Same? Malicious 2PC
[Diagram: P1 with input x, P2 with input y; circuits GC1 to GC4, with values x1, r1, x2, r2, x3, r3, x4, r4 and x, r'1, x, r'2, x, r'3, x, r'4; checks r1 =? r'1, x2 ⊕ r2 =? x ⊕ r'2, r4 =? r'4 and x3 ⊕ r3 =? x ⊕ r'3]
Use same OT for x
Linear in s symmetric-key ops for input-consistency (using OT extension)

QUESTIONS?