Secure Computation Lecture 13-14
Arpita Patra
Recap
>> Improving the complexity of GMW
> Step I: Offline: O(n^2 c_AND) OTs; Online: i.t., no crypto
# Preprocessing of OT (on random inputs)
> Step II: Offline: k OTs + O(n^2 c_AND) SKE operations; Online: i.t., no crypto
# OT Extension [IKNP] (Domain extension + OT extension)
# RO Model, Correlation-robust Hash function
>> Constant Round 2PC Yao.
> How to garble a circuit (using physical keys/boxes)
> How to use garbled circuit for 2PC
>> Complexity of GMW n-party Protocol: O(n^2 c_AND) OTs
Circuit Evaluation on Clear
[Figure: circuit with inputs x1, x2, x3, x4 and output f(x1, x2, x3, x4) = x1 x2 + x3 x4]
> When inputs to a gate g get values, say a, b, then its output wire gets value g(a,b);
Two input gate g: {0,1}^2 → {0,1}
>> Circuit evaluation is nothing but assigning bits to the wires
> Input wires get values from inputs
> The value for the output wire is taken as the output
>> For secure computation: We want a way to evaluate circuit that leaks nothing but the circuit output.
Garbled Circuit
Yao’s Garbled Circuit
Garbling a Wire: Every wire is associated with a pair of identical looking keys, one for 0 and one for 1.
Identical looking keys ensure NO information about the assigned bit can be inferred from a key corresponding to a wire
Garbling of wires complete!
During evaluation of a garbled circuit on a given input, the evaluator will get/see the keys corresponding to the assigned bits of the wires instead of the assigned bits.
Need a mechanism to hide the assigned bits of the wires during evaluation
Yao’s Garbled Circuit
Gate evaluation in Plain Circuit: Given the assigned values, say a, b, of the input wires of gate g, find the assigned value for the output wire as g(a,b). Easy!!
Gate evaluation in Garbled circuit: Given the keys corresponding to the assigned values, say a, b of the input wires of gate g, find the key for g(a,b) for the output wire
How to evaluate a gate in garbled circuit
Garble the gates!
Yao’s Garbled Circuit
Garbling a Gate: Every two input gate is associated with four doubly locked boxes (corresponding to four output possibilities).
Each pair of input wire keys (one from each input wire) will open one and only one box.
The box that can be opened using keys for a, b contains the key corresponding to g(a,b).
1st input wire | 2nd input wire | Output wire
Key for 0      | Key for 0      | Key for g(0,0)
Key for 0      | Key for 1      | Key for g(0,1)
Key for 1      | Key for 0      | Key for g(1,0)
Key for 1      | Key for 1      | Key for g(1,1)
Boxes are randomly permuted to prevent leaking the meaning of the keys!
Garbled Gates: The locked boxes
Yao’s Garbled Circuit
It enables one to evaluate a circuit without leaking anything but the output.
Garbling a wire: Every wire is associated with a pair of identical looking keys.
Garbling a Gate: Every two input gate is associated with four doubly locked boxes (in randomly permuted order) so that each pair of keys (one from each input wire) will open one and only one box.
Garbled Circuit: Garbled gates
Yao’s Garbled Circuit
It enables one to evaluate a circuit without leaking anything but the output.
Garbled Circuit: Garbled gates+ meaning of the output wire keys (output decryption tables)
1. Give input keys corresponding to the inputs and the garbled circuit.
2. For every gate, exactly one box can be opened and the key corresponding to the output value for the inputs can be obtained
3. For the output gate, the key corresponding to the output value for given inputs can be obtained.
Yao’s 2 Party Protocol
P0 (GC Constructor), input X = (x1, x2, …, xk)
P1 (GC Evaluator), input Y = (y1, y2, …, yk)
P0: Construct a Garbled Circuit GC for Circuit C
P0 → P1: Keys corresponding to X = (x1, x2, …, xk) and GC
OT1, …, OTk: P1 inputs y1, …, yk
P1: Evaluate GC with the given input keys and interpret the output Z using output decryption tables
Output: Z
Yao’s Garbled Circuit from “Special SKE”
Garbled Circuit: garbled gates (four/two locked boxes)+ meaning of the output wire keys
Physical Keys: Keys of SKE
Locked boxes: Encryptions
Doubly Locked boxes: Double Encryptions
What properties do we need from the SKE?
Some known security properties of SKE: CPA, CCA etc.
Syntax of SKE
1. Key-generation Algorithm (Gen()):
   MUST be a Randomized algorithm
   Outputs a key k chosen according to some probability distribution determined by the scheme
2. Encryption Algorithm (Enc_k(m)); m from {0,1}*:
   Deterministic/Randomized algorithm
   c ← Enc_k(m) when randomized and c := Enc_k(m) when deterministic
3. Decryption Algorithm (Dec_k(c)):
   Usually deterministic
   Outputs m := Dec_k(c)
Syntax of SKE
1. Key space ( ):
   Set of all possible keys output by algorithm Gen
   Usually Gen selects a key k uniformly at random from
2. Plain-text (message) space ( ):
   Set of all possible “legal” messages (i.e. those supported by Enc)
3. Cipher-text space ( ):
   Set of all cipher-texts output by algorithm Enc
The sets and together define the set
• Any cipher is defined by specifying (Gen, Enc, Dec) and
Yao’s Garbled Circuit from “Special” SKE
Garbling the Wires: Every wire is associated with a pair of identical looking SKE keys.
[Figure: circuit wires w1, …, w7 labelled with the key pairs (k^0_{w1}, k^1_{w1}), …, (k^0_{w7}, k^1_{w7})]
Garbling the Gates: Every two input gate is associated with four double encryptions so that each pair of keys (one from each input wire) will decrypt one and only one ciphertext, where the ciphertexts hide the appropriate output wire key.
AND Gate:
Double Encryptions, one per pair of input wire keys:
1st input wire | 2nd input wire
k^0_{w1}       | k^0_{w2}
k^0_{w1}       | k^1_{w2}
k^1_{w1}       | k^0_{w2}
k^1_{w1}       | k^1_{w2}
Garbled AND Gate
Similarly for other gates
Yao’s Garbled Circuit from “Special” SKE
In randomly permuted order
R1: K = M = C
Yao’s Garbled Circuit from “Special” SKE
Garbled AND Gate
>> In usual SKE, a wrong key leads to a wrong message, but the decryption does not fail (SKEs usually use the OTP principle).
>> Recall that one pair opens one and only one box
> The ciphertext spaces must be distinct under distinct keys with high probability.
> For the SKE, there must be a mechanism to verify (efficiently) if a given ciphertext belongs to the ciphertext space of a given key.
>> Consequence in Yao 2PC: How does the circuit evaluator know which decrypted value is the intended output key? Correctness of 2PC will fail!!
Formal definition of SKE with elusive range and efficiently verifiable range can be found in HL and correctness proof reduces to the above security property of SKE
Drawbacks: Multiple trial-decryption + Huge Ciphertext size for SKEs with above security property + Involved Correctness proof
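The trial-decryption problem above, as an added example (not from the lecture). It garbles one AND gate without permutation bits; the SKE is a SHAKE-256 pad over msg || 0^tag, an assumed construction in which tag = 0 behaves like an OTP-style SKE and tag > 0 gives an efficiently verifiable range at the cost of larger ciphertexts.

```python
import hashlib, secrets

def stream(key, nonce, n):
    return hashlib.shake_256(key + nonce).digest(n)

def enc(key, msg, tag):
    """Randomized pad encryption of msg || 0^tag (tag = 0: OTP-style SKE)."""
    nonce = secrets.token_bytes(16)
    body = msg + bytes(tag)
    return nonce + bytes(a ^ b for a, b in zip(body, stream(key, nonce, len(body))))

def dec(key, ct, tag):
    """Return the message, or None if ct is outside the ciphertext space of key."""
    nonce, body = ct[:16], ct[16:]
    plain = bytes(a ^ b for a, b in zip(body, stream(key, nonce, len(body))))
    if tag and plain[-tag:] != bytes(tag):
        return None
    return plain[:len(plain) - tag]

def garble_and(wa, wb, wc, tag):
    """Four double encryptions of the output key, in randomly permuted order."""
    rows = [enc(wa[a], enc(wb[b], wc[a & b], tag), tag)
            for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(rows)
    return rows

def trial_decrypt(rows, ka, kb, tag):
    """Try all four boxes; keep every result the SKE does not reject."""
    out = []
    for ct in rows:
        inner = dec(ka, ct, tag)
        key = dec(kb, inner, tag) if inner is not None else None
        if key is not None:
            out.append(key)
    return out

def demo(tag, a=1, b=0):
    """Evaluate one gate on the keys for (a, b): (candidates, right key, row size)."""
    wa, wb, wc = ([secrets.token_bytes(16) for _ in (0, 1)] for _ in range(3))
    rows = garble_and(wa, wb, wc, tag)
    return trial_decrypt(rows, wa[a], wb[b], tag), wc[a & b], len(rows[0])
```

With tag = 0 the evaluator is left with four equally plausible output keys; with a 16-byte tag exactly one box opens, but each row grows from 48 to 80 bytes.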
Yao’s Garbled Circuit from “Special” SKE
Point & Permute [NPS99]:
[Figure: each wire wi (i = 1, …, 7) carries the key pair k^0_{wi}|pi and k^1_{wi}|1-pi]
>> The permutation bits corresponding to input wires of a gate are used to permute the ciphertexts
>> will be placed at (p1p2)th row
>> assuming p1 = p2 = 1
Garbled AND Gate
>> given just one of the permutation bits for each wire, the row where the ciphertext is placed will look random and will not leak any information about the meaning of the input and output keys!
>> No requirement from SKE!
Correctness of 2PC from GC taken care of!
>> A random bit called permutation bit will be associated with every wire
R1: K|{0,1} = M = C
Yao’s Garbled Circuit from “Special” SKE
>> SKE must be such that a bad evaluator has no information about what the three unopened ciphertexts contain
>> Very subtle security definition is required!
>> Double encryption security
>> E.g. if it can guess that the unopened messages are the same and the gate is AND, then it knows the meaning of the key it decrypted!
Chosen Double Encryption (CDE) Security
= (Gen, Enc, Dec), , k
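Experiment PrivK^cde_A(k), between a PPT Attacker A ("I can break") and a verifier ("Let me verify"):
1. A outputs keys k0, k1 and triples (x0, y0, z0), (x1, y1, z1).
2. The verifier runs Gen to obtain k'0, k'1 and picks b ← {0, 1}.
3. Challenge: c0 ← Enc_{k0}(Enc_{k'1}(x_b)), c1 ← Enc_{k'0}(Enc_{k1}(y_b)), c2 ← Enc_{k'0}(Enc_{k'1}(z_b)).
4. Post-challenge Training with oracles Enc_{*}(Enc_{k'1}(*)) and Enc_{k'0}(Enc_{*}(*)).
5. A outputs b' ∈ {0, 1}.
Game Output:
b = b': 1 --- attacker won
b ≠ b': 0 --- attacker lost
The scheme (Gen, Enc, Dec) is CDE-secure if for every PPT A, there is a negligible function negl, such that:
Pr[PrivK^cde_A(k) = 1] ≤ ½ + negl(n)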
Chosen Plain-text Attack (CPA) Security
= (Gen, Enc, Dec), , k
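Experiment PrivK^cpa_A(n), between a PPT Attacker A ("I can break") and a verifier ("Let me verify"):
1. The verifier runs Gen(1^n) to obtain k.
2. Training Phase.
3. A outputs m0, m1 with |m0| = |m1|.
4. The verifier picks b ← {0, 1} and sends c ← Enc_k(m_b).
5. Post-challenge Training.
6. A outputs b' ∈ {0, 1}.
Game Output:
b = b': 1 --- attacker won
b ≠ b': 0 --- attacker lost
The scheme (Gen, Enc, Dec) is CPA-secure if for every PPT A, there is a negligible function negl, such that:
Pr[PrivK^cpa_A(n) = 1] ≤ ½ + negl(n)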
Every CPA-secure scheme is also CDE-secure!
Completing the Picture
Garbled Circuit: Garbled gates+ output decryption tables
1. Give input keys corresponding to the inputs and the garbled circuit.
2. For every gate, decrypt the encryption pointed by permutation bits of the input keys of a gate, get the output key and its permutation bit
3. For the output gate, the key corresponding to the output value for given inputs is obtained and is translated to correct output using the decryption tables.
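The three steps above with point-and-permute, as an added example (not the lecture's code) that garbles and evaluates the circuit x1 x2 + x3 x4. Assumptions: wires w5, w6 are the AND outputs and w7 the output of the + (XOR) gate, and a SHA-256-derived pad stands in for the double encryption.

```python
import hashlib, secrets

KLEN = 16  # bytes per wire key (constructed parameter)
AND, XOR = (lambda a, b: a & b), (lambda a, b: a ^ b)
# Assumed wiring for x1 x2 + x3 x4: (gate, in wire, in wire, out wire)
GATES = [(AND, 1, 2, 5), (AND, 3, 4, 6), (XOR, 5, 6, 7)]

def new_wire():
    """labels[bit] = (key, pointer): keys for 0 and 1 carry p and 1-p."""
    p = secrets.randbits(1)
    return [(secrets.token_bytes(KLEN), p), (secrets.token_bytes(KLEN), 1 - p)]

def pad(ka, kb, gate_id):
    # Hash-derived pad standing in for the double encryption (assumption).
    return hashlib.sha256(ka + kb + bytes([gate_id])).digest()[:KLEN + 1]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def garble_gate(g, wa, wb, wc, gate_id):
    """Four ciphertexts, each stored at the row named by its input pointers."""
    table = [None] * 4
    for a in (0, 1):
        for b in (0, 1):
            (ka, pa), (kb, pb) = wa[a], wb[b]
            kc, pc = wc[g(a, b)]
            table[2 * pa + pb] = xor(pad(ka, kb, gate_id), kc + bytes([pc]))
    return table

def garble():
    wires = {w: new_wire() for w in range(1, 8)}
    tables = [garble_gate(g, wires[a], wires[b], wires[c], i)
              for i, (g, a, b, c) in enumerate(GATES)]
    decode = {wires[7][bit][0]: bit for bit in (0, 1)}  # output decryption table
    return wires, tables, decode

def evaluate(tables, decode, labels):
    """labels: {wire: (key, pointer)} for wires 1..4; decrypts one row per gate."""
    known = dict(labels)
    for i, (_, a, b, c) in enumerate(GATES):
        (ka, pa), (kb, pb) = known[a], known[b]
        plain = xor(pad(ka, kb, i), tables[i][2 * pa + pb])
        known[c] = (plain[:KLEN], plain[KLEN])
    return decode[known[7][0]]

def run(x):
    """Garble, hand over one label per input bit (via OT for P1's bits), evaluate."""
    wires, tables, decode = garble()
    return evaluate(tables, decode, {w: wires[w][x[w - 1]] for w in range(1, 5)})
```

The evaluator touches exactly one row per gate and never sees a plaintext bit until the output decryption table is applied.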
Yao’s 2 Party Protocol
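P0 (GC Constructor), input X = (x1, x2, …, xk)
P1 (GC Evaluator), input Y = (y1, y2, …, yk)
P0: Construct a Garbled Circuit GC for Circuit C
P0 → P1: Keys corresponding to X = (x1, x2, …, xk) and GC
OT1: P0 inputs k^0_{w1}, k^1_{w1}; P1 inputs y1 and obtains k^{y1}_{w1}
…
OTk: P0 inputs k^0_{wk}, k^1_{wk}; P1 inputs yk and obtains k^{yk}_{wk}
P1: Evaluate GC with the given input keys and interpret the output Z using output decryption tables
Output: Z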
Yao’s 2 Party Protocol- Security for P1
Security will reduce to the OT security for the receiver
Yao’s 2 Party Protocol- Security for P0
Security will reduce to the OT security for the sender
Three unopened ciphertext must not leak info- CDE security
Chalk & Talk
CT7: [GLNP15] Fast Garbling of Circuits under Standard Assumptions. http://eprint.iacr.org/2015/751.pdf
CT8: [BG10] Secure and Efficient Protocols for Iris and Fingerprint Identification. https://eprint.iacr.org/2010/627.pdf