Secure Computation Lecture 13-14 Arpita Patra


Secure Computation Lecture 13-14

Arpita Patra


Recap

>> Improving the complexity of GMW

> Step I: Offline: $O(n^2 c_{AND})$ OTs; Online: i.t., no crypto

# Preprocessing of OT (on random inputs)

> Step II: Offline: k OTs + $O(n^2 c_{AND})$ SKE operations; Online: i.t., no crypto

# OT Extension [IKNP] (Domain extension + OT extension)

# RO Model, Correlation-robust Hash function

>> Constant Round 2PC Yao.

> How to garble a circuit (using physical keys/boxes)

> How to use garbled circuit for 2PC

>> Complexity of GMW n-party Protocol: $O(n^2 c_{AND})$ OTs


Circuit Evaluation on Clear

[Figure: circuit on inputs x1, x2, x3, x4 computing f(x1, x2, x3, x4) = x1 x2 + x3 x4]

> When inputs to a gate g get values, say a, b, then its output wire gets value g(a,b);

Two input gate g: $\{0,1\}^2 \to \{0,1\}$

>> Circuit evaluation is nothing but assigning bits to the wires

> Input wires get values from inputs

> The value for the output wire is taken as the output

>> For secure computation: We want a way to evaluate circuit that leaks nothing but the circuit output.

Garbled Circuit


Yao’s Garbled Circuit

Garbling a Wire: Every wire is associated with a pair of identical looking keys (one for bit 0, one for bit 1).

Identical looking keys ensure NO information about the assigned bit can be inferred from a key corresponding to a wire

Garbling of wires complete!

During evaluation of a garbled circuit on a given input, the evaluator will get/see the keys corresponding to the assigned bits of the wires instead of the assigned bits.

Need a mechanism to hide the assigned bits of the wires during evaluation


Yao’s Garbled Circuit

Gate evaluation in Plain Circuit: Given the assigned values, say a, b of the input wires of gate g, find the assigned value for the output wire as g(a,b). Easy!!

Gate evaluation in Garbled circuit: Given the keys corresponding to the assigned values, say a, b of the input wires of gate g, find the key for g(a,b) for the output wire

How to evaluate a gate in garbled circuit

Garble the gates!


Yao’s Garbled Circuit

Garbling a Gate: Every two input gate is associated with four doubly locked boxes (corresponding to four output possibilities).

Each pair of input wire keys (one from each input wire) will open one and only one box.

The box that can be opened using keys for a, b contains the key corresponding to g(a,b).

| 1st input wire | 2nd input wire | Output wire |
|---|---|---|
| Key for 0 | Key for 0 | Key for g(0,0) |
| Key for 0 | Key for 1 | Key for g(0,1) |
| Key for 1 | Key for 0 | Key for g(1,0) |
| Key for 1 | Key for 1 | Key for g(1,1) |

Boxes are randomly permuted to prevent leaking of meaning of the keys!

Garbled Gates: The locked boxes


Yao’s Garbled Circuit

It enables one to evaluate a circuit without leaking anything but the output

[Figure: circuit on inputs x1, x2, x3, x4 computing f(x1, x2, x3, x4)]

Garbling a wire: Every wire is associated with a pair of identical looking keys.

Garbling a Gate: Every two input gate is associated with four doubly locked boxes (in randomly permuted order) so that each pair of keys (one from each input wire) will open one and only one box.

Garbled Circuit: Garbled gates


Yao’s Garbled Circuit

It enables one to evaluate a circuit without leaking anything but the output

[Figure: circuit on inputs x1, x2, x3, x4 computing f(x1, x2, x3, x4)]

Garbled Circuit: Garbled gates + meaning of the output wire keys (output decryption tables)

1. Give input keys corresponding to the inputs and the garbled circuit.

2. For every gate, exactly one box can be opened and the key corresponding to the output value for the inputs can be obtained

3. For the output gate, the key corresponding to the output value for given inputs can be obtained.


Yao’s 2 Party Protocol

P0 (GC Constructor): X = (x1, x2, …, xk)
P1 (GC Evaluator): Y = (y1, y2, …, yk)

P0: Construct a Garbled Circuit GC for Circuit C
P0 -> P1: Keys corresponding to X = (x1, x2, …, xk) and GC
OT_1: input y1
…
OT_k: input yk
P1: Evaluate GC with the given input keys and interpret the output Z using output decryption tables
Output: Z


Yao’s Garbled Circuit from “Special SKE”

Garbled Circuit: garbled gates (four/two locked boxes) + meaning of the output wire keys

Physical Keys: Keys of SKE

Locked boxes: Encryptions

Doubly Locked boxes: Double Encryptions

What properties do we need from the SKE?

Some known security properties of SKE: CPA, CCA etc.


Syntax of SKE

1. Key-generation Algorithm (Gen()): MUST be a Randomized algorithm

   Outputs a key k chosen according to some probability distribution determined by the scheme;

2. Encryption Algorithm ($Enc_k(m)$); m from $\{0,1\}^*$: Deterministic/Randomized algorithm

   $c \leftarrow Enc_k(m)$ when randomized and $c := Enc_k(m)$ when deterministic

3. Decryption Algorithm ($Dec_k(c)$): Usually deterministic

   Outputs $m := Dec_k(c)$


Syntax of SKE

1. Key space ( ):

   Set of all possible keys output by algorithm Gen

   Usually Gen selects a key k uniformly at random from

2. Plain-text (message) space ( ):

   Set of all possible “legal” messages (i.e. those supported by Enc)

3. Cipher-text space ( ):

   Set of all cipher-texts output by algorithm Enc

The sets and together define the set

• Any cipher is defined by specifying (Gen, Enc, Dec) and


Yao’s Garbled Circuit from “Special” SKE

Garbling the Wires: Every wire is associated with a pair of identical looking SKE keys.

[Figure: the circuit with wires w1, …, w7; wire wi is labelled with the key pair $k^0_{w_i}$, $k^1_{w_i}$]


Yao’s Garbled Circuit from “Special” SKE

Garbling the Gates: Every two input gate is associated with four double encryptions so that each pair of keys (one from each input wire) will decrypt one and only one ciphertext where ciphertexts hide appropriate output wire key.

[Figure: the circuit with wires w1, …, w7; wire wi is labelled with the key pair $k^0_{w_i}$, $k^1_{w_i}$]

AND Gate:

Garbled AND Gate: one double encryption per pair of input wire keys, in randomly permuted order

| 1st input wire | 2nd input wire |
|---|---|
| $k^0_{w_1}$ | $k^0_{w_2}$ |
| $k^0_{w_1}$ | $k^1_{w_2}$ |
| $k^1_{w_1}$ | $k^0_{w_2}$ |
| $k^1_{w_1}$ | $k^1_{w_2}$ |

Similarly for other gates


R1: K = M = C

Yao’s Garbled Circuit from “Special” SKE

Garbled AND Gate

>> In usual SKE, a wrong key leads to a wrong message, but the decryption does not fail (SKEs usually use the OTP principle).

>> Recall that one pair opens one and only one box

> The ciphertext spaces must be distinct under distinct keys with high probability.

> For the SKE, there must be a mechanism to verify (efficiently) if a given ciphertext belongs to the ciphertext space of a given key.

>> Consequence in Yao 2PC: How does the circuit evaluator know which decrypted value is the intended output key? Correctness of 2PC will fail!!

Formal definition of SKE with elusive range and efficiently verifiable range can be found in HL and correctness proof reduces to the above security property of SKE

Drawbacks: Multiple trial-decryption + Huge Ciphertext size for SKEs with above security property + Involved Correctness proof


Yao’s Garbled Circuit from “Special” SKE

Point & Permute [NPS99]:

>> A random bit called permutation bit will be associated with every wire

[Figure: the circuit with wires w1, …, w7; wire wi carries the labels $k^0_{w_i}|p_i$ and $k^1_{w_i}|1-p_i$]

>> The permutation bits corresponding to input wires of a gate are used to permute the ciphertexts

>> will be placed at $(p_1 p_2)$th row

Garbled AND Gate >> assuming $p_1 = p_2 = 1$

>> given just one of the permutation bits for each wire, the row where the ciphertext is placed will look random and will not leak any information about the meaning of the input and output keys!

>> No requirement from SKE!

Correctness of 2PC from GC taken care!


R1: K|{0,1} = M = C

Yao’s Garbled Circuit from “Special” SKE

>> SKE must be such that a bad evaluator should have no information about what the three unopened ciphertexts contain

>> Very subtle security definition is required!

>> Double encryption security

>> E.g. if it can guess that the unopened messages are the same and the gate is AND, then it knows the meaning of the key it decrypted!


Chosen Double Encryption (CDE) Security

= (Gen, Enc, Dec), , k

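Experiment $\mathrm{PrivK}^{\mathrm{cde}}_{A}(k)$ for the scheme (Gen, Enc, Dec), between a PPT Attacker A ("I can break") and a challenger ("Let me verify"):

1. A sends keys $k_0, k_1$ and triples $(x_0, y_0, z_0)$, $(x_1, y_1, z_1)$.
2. The challenger runs Gen to obtain $k'_0, k'_1$ and picks $b \leftarrow \{0, 1\}$.
3. A receives $c_0 \leftarrow Enc_{k_0}(Enc_{k'_1}(x_b))$, $c_1 \leftarrow Enc_{k'_0}(Enc_{k_1}(y_b))$, $c_2 \leftarrow Enc_{k'_0}(Enc_{k'_1}(z_b))$.
4. Post-challenge Training with oracles $Enc_{**}(Enc_{k'_1}(**))$ and $Enc_{k'_0}(Enc_{**}(**))$.
5. A outputs $b' \in \{0, 1\}$.

Game Output: 1 if $b = b'$ (attacker won); 0 if $b \neq b'$ (attacker lost).

The scheme is CDE-secure if for every PPT A, there is a negligible function negl, such that:

$\Pr[\mathrm{PrivK}^{\mathrm{cde}}_{A}(k) = 1] \le \frac{1}{2} + \mathrm{negl}(n)$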
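Why an OTP-style scheme with a deterministic pad fails the CDE experiment above, as an added example (not from the lecture): the attacker XORs the three challenge ciphertexts so that the unknown pads cancel. `weak_enc`, `rand_enc` and `XorAttacker` are constructed for illustration, and the post-challenge oracles are omitted because this attacker does not use them.

```python
import hashlib
import secrets

N = 16  # key and message length in bytes (constructed parameter)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input

def weak_enc(k, m):
    # Toy deterministic scheme: Enc_k(m) = m XOR H(k); the pad never changes.
    return xor(m, hashlib.sha256(k).digest())

def rand_enc(k, m):
    # Toy randomized scheme: fresh r per call, Enc_k(m) = r || (m XOR H(k || r)).
    r = secrets.token_bytes(N)
    return r + xor(m, hashlib.shake_256(k + r).digest(len(m)))

class XorAttacker:
    def choose(self):
        # Attacker picks k0, k1 and two triples whose XORs differ (zero vs. all-ones).
        self.k0, self.k1 = secrets.token_bytes(N), secrets.token_bytes(N)
        zero, ones = bytes(N), b"\xff" * N
        return self.k0, self.k1, (zero, zero, zero), (ones, zero, zero)

    def guess(self, c0, c1, c2):
        # Under weak_enc: c0^c1^c2 = x_b^y_b^z_b ^ H(k0) ^ H(k1); pads of k'0, k'1 cancel.
        known = xor(hashlib.sha256(self.k0).digest(), hashlib.sha256(self.k1).digest())
        t = xor(xor(c0, c1), xor(c2, known))
        return int(t[-N:] == b"\xff" * N)

def cde_game(enc, attacker):
    k0, k1, t0, t1 = attacker.choose()
    kp0, kp1 = secrets.token_bytes(N), secrets.token_bytes(N)   # k'0, k'1 from Gen
    b = secrets.randbits(1)
    x, y, z = (t0, t1)[b]
    c0 = enc(k0, enc(kp1, x))
    c1 = enc(kp0, enc(k1, y))
    c2 = enc(kp0, enc(kp1, z))
    return int(attacker.guess(c0, c1, c2) == b)   # 1 = attacker won

def win_rate(enc, trials=400):
    return sum(cde_game(enc, XorAttacker()) for _ in range(trials)) / trials
```

Against `weak_enc` this attacker wins every run; against `rand_enc` the same attacker does no better than guessing.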


Chosen Plain-text Attack (CPA) Security

= (Gen, Enc, Dec), , k

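Experiment $\mathrm{PrivK}^{\mathrm{cpa}}_{A}(k)$ for the scheme (Gen, Enc, Dec), between a PPT Attacker A ("I can break") and a challenger ("Let me verify"):

1. The challenger runs $Gen(1^n)$ to obtain a key k.
2. Training Phase.
3. A sends $m_0, m_1$ with $|m_0| = |m_1|$.
4. The challenger picks $b \leftarrow \{0, 1\}$ and sends $c \leftarrow Enc_k(m_b)$.
5. Post-challenge Training.
6. A outputs $b' \in \{0, 1\}$.

Game Output: 1 if $b = b'$ (attacker won); 0 if $b \neq b'$ (attacker lost).

The scheme is CPA-secure if for every PPT A, there is a negligible function negl, such that:

$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n)$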

Every CPA-secure scheme is also CDE-secure!


Completing the Picture

Garbled Circuit: Garbled gates + output decryption tables

1. Give input keys corresponding to the inputs and the garbled circuit.

2. For every gate, decrypt the encryption pointed to by the permutation bits of the input keys of the gate, get the output key and its permutation bit.

3. For the output gate, the key corresponding to the output value for given inputs is obtained and is translated to correct output using the decryption tables.

[Figure: the circuit with wires w1, …, w7; wire wi carries the labels $k^0_{w_i}|p_i$ and $k^1_{w_i}|1-p_i$]
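The three evaluation steps above, as an added example (not code from the lecture): it garbles the circuit f(x1, x2, x3, x4) = x1 x2 + x3 x4 with point-and-permute and evaluates it with one decryption per gate. Assumptions: "+" is XOR, wires are numbered 0 to 6, and a SHA-256 pad stands in for the double encryption; in the 2-party protocol the evaluator's own input keys would arrive via OT rather than by direct lookup.

```python
import hashlib
import secrets

KEYLEN = 16  # bytes per wire key (constructed parameter)

def pad(ka, kb, gate_id, n):
    # Assumption: a SHA-256 pad stands in for the double encryption Enc_ka(Enc_kb(.)).
    return hashlib.sha256(ka + kb + gate_id.to_bytes(4, "big")).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def garble(gates, n_wires):
    # wire[w][v] = (key, pointer) with pointer = v XOR p_w, i.e. k^0|p and k^1|1-p.
    wire = []
    for _ in range(n_wires):
        p = secrets.randbits(1)
        wire.append([(secrets.token_bytes(KEYLEN), v ^ p) for v in (0, 1)])
    tables = []
    for gid, (fn, a, b, out) in enumerate(gates):
        rows = [None] * 4
        for va in (0, 1):
            for vb in (0, 1):
                (ka, pa), (kb, pb) = wire[a][va], wire[b][vb]
                ko, po = wire[out][fn(va, vb)]
                # The ciphertext goes to the row named by the two pointer bits.
                rows[2 * pa + pb] = xor(ko + bytes([po]), pad(ka, kb, gid, KEYLEN + 1))
        tables.append(rows)
    return wire, tables

def evaluate(gates, tables, labels):
    # labels maps wire -> (key, pointer); exactly one row is decrypted per gate.
    for gid, (_, a, b, out) in enumerate(gates):
        (ka, pa), (kb, pb) = labels[a], labels[b]
        plain = xor(tables[gid][2 * pa + pb], pad(ka, kb, gid, KEYLEN + 1))
        labels[out] = (plain[:KEYLEN], plain[KEYLEN])
    return labels

def AND(a, b): return a & b
def XOR(a, b): return a ^ b
# Assumed wiring: wires 0..3 carry x1..x4, 4 = x1 x2, 5 = x3 x4, 6 = output.
GATES = [(AND, 0, 1, 4), (AND, 2, 3, 5), (XOR, 4, 5, 6)]

def run(x):
    wire, tables = garble(GATES, 7)
    labels = {i: wire[i][bit] for i, bit in enumerate(x)}   # input keys for x
    key, _ = evaluate(GATES, tables, labels)[6]
    decode = {wire[6][v][0]: v for v in (0, 1)}             # output decryption table
    return decode[key]
```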


Yao’s 2 Party Protocol

P0 (GC Constructor): X = (x1, x2, …, xk)
P1 (GC Evaluator): Y = (y1, y2, …, yk)

P0: Construct a Garbled Circuit GC for Circuit C
P0 -> P1: Keys corresponding to X = (x1, x2, …, xk) and GC
OT_1: inputs $(k^0_{w_1}, k^1_{w_1})$ and $y_1$; output $k^{y_1}_{w_1}$
…
OT_k: inputs $(k^0_{w_k}, k^1_{w_k})$ and $y_k$; output $k^{y_k}_{w_k}$
P1: Evaluate GC with the given input keys and interpret the output Z using output decryption tables
Output: Z


Yao’s 2 Party Protocol- Security for P1

P0 (GC Constructor): X = (x1, x2, …, xk)
P1 (GC Evaluator): Y = (y1, y2, …, yk)

P0: Construct a Garbled Circuit GC for Circuit C
P0 -> P1: Keys corresponding to X = (x1, x2, …, xk) and GC
OT_1: inputs $(k^0_{w_1}, k^1_{w_1})$ and $y_1$; output $k^{y_1}_{w_1}$
…
OT_k: inputs $(k^0_{w_k}, k^1_{w_k})$ and $y_k$; output $k^{y_k}_{w_k}$
P1: Evaluate GC with the given input keys and interpret the output Z using output decryption tables
Output: Z

Security will reduce to the OT security for the receiver


Yao’s 2 Party Protocol- Security for P0

P0 (GC Constructor): X = (x1, x2, …, xk)
P1 (GC Evaluator): Y = (y1, y2, …, yk)

P0: Construct a Garbled Circuit GC for Circuit C
P0 -> P1: Keys corresponding to X = (x1, x2, …, xk) and GC
OT_1: inputs $(k^0_{w_1}, k^1_{w_1})$ and $y_1$; output $k^{y_1}_{w_1}$
…
OT_k: inputs $(k^0_{w_k}, k^1_{w_k})$ and $y_k$; output $k^{y_k}_{w_k}$
P1: Evaluate GC with the given input keys and interpret the output Z using output decryption tables
Output: Z

Security will reduce to the OT security for the sender

Three unopened ciphertexts must not leak info: CDE security


Chalk & Talk

CT7: [GLNP15] Fast Garbling of Circuits under standard Assumptions. http://eprint.iacr.org/2015/751.pdf

CT8: [BG10] Secure and Efficient Protocols for Iris and Fingerprint Identification. https://eprint.iacr.org/2010/627.pdf
