Amortizing Garbled Circuits
Yan Huang, Jonathan Katz, Alex Malozemoff (UMD), Vlad Kolesnikov (Bell Labs), Ranjit Kumaresan (Technion)

Cut-and-Choose Yao-Based Secure Computation in the Offline/Online and Batch Settings
Yehuda Lindell (BIU), Ben Riva (TAU)


Secure Two-Party Computation

• Two parties with private inputs x and y
• Compute joint function of their inputs while preserving
  – Privacy
  – Correctness
  – Input independence

[Figure: two parties with inputs x and y, each obtaining f(x,y)]

Adversaries and Security

• Semi-honest: follow protocol specification but attempt to learn more than allowed
  – Highly efficient; weak guarantees
• Malicious: run any arbitrary attack strategy
  – Much more expensive

Yao’s Protocol (Semi-honest)

[Figure: Alice sends the garbled circuit (GC) and Alice's input keys; Bob's input keys are obtained via OT on Bob's input bits]

Security for Malicious Case

• Main Issue: Malicious Alice constructs incorrect circuit
  – Violates correctness
  – Violates privacy
• Can prevent using generic ZK, but this is inefficient
• More practical solution: cut & choose
  – Introduces new problems (relatively “minor” issues)
    • Need to ensure input consistency across copies
    • Need to prevent selective failure attacks

Cut & Choose Paradigm [EMPTY_PLACEHOLDER]

Cost of Cut & Choose

• Main question: How many circuits are needed?
  – 99.999% of the cost is due to garbled circuits
• E.g.: for stat. error at most 2^-40, #circuits required:
  – 680 [LP07]
  – 128 [LP11]
  – 125 [sS11]
  – 48 [HKE13]
  – 40 [Lin13]

Cost of Cut-and-Choose

• Our motivating question:

Can we reduce further the cost of cut & choose, i.e., the number of circuits required?

• Our approach:

Explore the possibility of amortizing the cost of cut & choose in a setting where parties need to perform multiple secure function evaluations

Rest of the Talk

• Multiple executions

• Cut & choose for multiple executions
  – Analysis

• Multistage cut & choose OT

Multiple Executions

• Setting:
  – Alice and Bob execute the same function multiple times
    • Parallel
    • Sequential
• Motivation:
  – Amortize the cost of cut & choose
  – Relevant in practice
  – RAM model 2PC

Cut & Choose – Multiple Executions

[Figure: all copies of garbled circuits are split into a check set and several evaluation sets; each evaluation set is followed by post-processing]

Cut & Choose for Multiple Executions

• Inspired by LEGO [NO09,NNOB12,FJNNO13]
  – LEGO performs cut & choose at the gate level
    • Alice creates many copies of NAND gates
    • Bob opens half the copies to check & distributes remaining half randomly into “buckets” (each bucket emulates a NAND gate)
    • Each NAND bucket output determined by majority
• Makes use of cheating punishment technique [Lin13]
  – Post-processing step uses 2PC but on a much smaller circuit
  – Fail only if for some evaluation set, all circuits in it are bad
    • No need to take majority
    • Leads to better concrete efficiency

“Multistage Cut & Choose”

Multistage Cut & Choose - Analysis [HKKKM14]

Maximum cheating probability

Asymptotically for stat. security parameter s:

Concrete values for stat. security parameter s = 40 :

• More general parameters and analysis
  – E.g.: Better efficiency by varying fraction of circuits checked
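An added example (not from the slides or the cited papers) that works the failure condition "for some evaluation set, all circuits in it are bad" through a simplified model, to show how the evaluation-set size needed for 2^-s security shrinks as the number of executions t grows. Assumptions: Bob opens a uniformly random check set of fixed size, the unopened circuits are split uniformly at random into t equal evaluation sets, and half of all circuits are opened; the function names are hypothetical and the resulting numbers are those of this model, not the parameters reported in [HKKKM14] or [LR14].

```python
from fractions import Fraction
from math import comb

def cheat_probability(t, bucket, n_check, bad):
    """Exact success probability when `bad` of the garbled circuits are bad.

    Simplified model (assumption): n_check circuits are opened, the other
    t * bucket circuits are split at random into t evaluation sets.
    """
    n_eval = t * bucket
    n_total = n_eval + n_check
    # Every bad circuit must escape the uniformly random check set.
    p_pass = Fraction(comb(n_total - bad, n_check), comb(n_total, n_check))
    # Some evaluation set is entirely bad: inclusion-exclusion over k fixed
    # sets, whose k * bucket members are a uniform subset of unopened circuits.
    p_bucket = Fraction(0)
    for k in range(1, min(t, bad // bucket) + 1):
        term = Fraction(comb(bad, k * bucket), comb(n_eval, k * bucket))
        p_bucket += (-1) ** (k + 1) * comb(t, k) * term
    return p_pass * p_bucket

def max_cheat_probability(t, bucket, n_check):
    """Garbler's best strategy: maximise over the number of bad circuits."""
    return max(cheat_probability(t, bucket, n_check, b)
               for b in range(bucket, t * bucket + 1))

def min_bucket_size(t, s):
    """Smallest evaluation-set size giving cheating probability <= 2^-s,
    assuming exactly half of all circuits are opened."""
    bucket = 1
    while max_cheat_probability(t, bucket, t * bucket) > Fraction(1, 2 ** s):
        bucket += 1
    return bucket

if __name__ == "__main__":
    for t in (1, 8, 64):
        b = min_bucket_size(t, 40)
        print(f"t={t:3d}: evaluation sets of {b}, "
              f"{2 * b} circuits garbled per execution")
```
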

Multistage Cut & Choose - Analysis [LR14]

• Amortization applied to cheating-punishment circuit
  – E.g.: even for t = 32, only 52 circuits are required here
  – Amortization also results in fewer overall exponentiations

Offline/Online Setting [LR14]

• Cut & choose protocols can be preprocessed
  – Execute check step offline
• Tradeoffs between total #circuits & #circuits evaluated online
• Use additive sharing to improve online efficiency of
  – Cut & choose OT
  – Input consistency checks
• Idea:
  – Preprocess using random share in offline phase
  – Send correction in the clear during online phase
• All exponentiations can be pushed to the offline phase

Rest of the Talk

• Multiple executions

• Cut & choose for multiple executions
  – Analysis

• Multistage cut & choose OT

Selective Failure Attacks

• Recall: Bob obtains his keys via OT
• Selective failure attack:
  – Corrupt Alice uses valid 0-key and invalid 1-key as OT inputs
  – If Bob’s input is 0, then evaluation succeeds
  – If Bob’s input is 1, then evaluation fails
• Techniques to avoid selective failure
  – XOR-tree encodings [FKN94,LP07,…]
  – Cut & choose OT [LP11,Lin13]
• [HKKKM14,LR14] adapt cut & choose OT to multiple executions setting

Cut & Choose Oblivious Transfer [LP11,Lin13]

[Figure: input keys and check values for each copy (1st input, 2nd input, check value); check set: both inputs; evaluation set: one input & check value]

Multistage Cut & Choose OT [HKKKM14]

[Figure: input keys and check values for each copy (1st input, 2nd input, check value); check set: both inputs; eval sets 1, 2, 3, . . .: one input & check value]

Multistage Cut & Choose OT [HKKKM14]

• Useful in multiple parallel execution setting
  – Otherwise, need to rely on adaptively secure garbling
• Show information theoretic reduction to [Lin13]’s modified batch single-choice cut & choose OT
  – t-out-of-t additive sharing of input keys and check values
  – Use i-th set of shares as input to i-th instance of modified batch single-choice cut & choose OT
  – Slightly more complicated to get full sender extraction
• Communication cost of the reduction is quadratic in t
  – Cost linear in t if we allow relaxed definitions (that are sufficient for 2PC applications) [KK14]

Summary

• Malicious 2PC cost dominated by cost of cut & choose
• Multiple executions allow amortizing cut & choose cost
  – For 40 bits of statistical security need:
    • Only 8 circuits/execution for 3500 executions [HKKKM14]
    • Only 7.06 circuits/execution for 1024 executions [LR14]

THANK YOU!!!