Amortizing Garbled Circuits
Yan Huang, Jonathan Katz, Alex Malozemoff (UMD), Vlad Kolesnikov (Bell Labs), Ranjit Kumaresan (Technion)

Cut-and-Choose Yao-Based Secure Computation in the Offline/Online and Batch Settings
Yehuda Lindell (BIU), Ben Riva (TAU)
Secure Two-Party Computation
• Two parties with private inputs x and y
• Compute joint function of their inputs while preserving
  – Privacy
  – Correctness
  – Input independence
[Figure: two parties with inputs x and y; labels: f(x,y), f(x,y)]
Adversaries and Security
• Semi-honest: follow protocol specification but attempt to learn more than allowed
  – Highly efficient; weak guarantees
• Malicious: run any arbitrary attack strategy
  – Much more expensive
Security for Malicious Case
• Main issue: malicious Alice constructs incorrect circuit
  – Violates correctness
  – Violates privacy
• Can prevent using generic ZK, but this is inefficient
• More practical solution: cut & choose
  – Introduces new problems (relatively “minor” issues)
    • Need to ensure input consistency across copies
    • Need to prevent selective failure attacks
Cut & Choose Paradigm [...,Pin03,MNPS04,MF06,LP07,...]
[Figure: all copies of garbled circuits; labels: check set, checks, evaluation set, post-processing]
Cost of Cut & Choose
• Main question: How many circuits are needed?
  – 99.999% of the cost is due to garbled circuits
• E.g.: for stat. error at most 2^-40, #circuits required:
  – 680 [LP07]
  – 128 [LP11]
  – 125 [sS11]
  – 48 [HKE13]
  – 40 [Lin13]
Cost of Cut-and-Choose
• Our motivating question:
Can we reduce further the cost of cut & choose, i.e., the number of circuits required?
• Our approach:
Explore the possibility of amortizing the cost of cut & choose in a setting where parties need to perform multiple secure function evaluations
Rest of the Talk
• Multiple executions
• Cut & choose for multiple executions
  – Analysis
• Multistage cut & choose OT
Multiple Executions
• Setting:
  – Alice and Bob execute the same function multiple times
    • Parallel
    • Sequential
• Motivation:
  – Amortize the cost of cut & choose
  – Relevant in practice
  – RAM model 2PC
Cut & Choose – Multiple Executions
[Figure: all copies of garbled circuits; labels: check set, evaluation sets, post-processing (one per evaluation set)]
Cut & Choose for Multiple Executions
• Inspired by LEGO [NO09,NNOB12,FJNNO13]
  – LEGO performs cut & choose at the gate level
    • Alice creates many copies of NAND gates
    • Bob opens half the copies to check & distributes remaining half randomly into “buckets” (each bucket emulates a NAND gate)
    • Each NAND bucket output determined by majority
• Makes use of cheating punishment technique [Lin13]
  – Post-processing step uses 2PC but on a much smaller circuit
  – Fail only if for some evaluation set, all circuits in it are bad
    • No need to take majority
    • Leads to better concrete efficiency
“Multistage Cut & Choose”
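The failure condition above ("for some evaluation set, all circuits in it are bad") can be evaluated exactly in a simplified model. This is an added example, not code or a bound from the talk or the cited papers; it assumes Bob checks exactly half of the circuits and splits the rest uniformly at random into t equal evaluation sets, and all function names are hypothetical.

```python
from fractions import Fraction
from math import comb

def cheat_probability(t, bucket, bad):
    """Pr[no bad circuit is checked AND some evaluation set is all bad].

    Assumed model (not the papers' exact protocol): Alice sends 2*t*bucket
    circuits, `bad` of them incorrect; Bob checks a uniformly random half
    and splits the rest at random into t evaluation sets of size `bucket`.
    """
    evaluated = t * bucket
    total = 2 * evaluated
    if bad < bucket or bad > evaluated:
        return Fraction(0)
    # All bad circuits must fall outside the check set.
    escape = Fraction(comb(total - bad, evaluated), comb(total, evaluated))
    # Inclusion-exclusion over the evaluation sets that are entirely bad.
    hit = Fraction(0)
    for j in range(1, min(t, bad // bucket) + 1):
        ways = comb(t, j) * comb(evaluated - j * bucket, bad - j * bucket)
        hit += Fraction((-1) ** (j + 1) * ways, comb(evaluated, bad))
    return escape * hit

def max_cheat_probability(t, bucket):
    """Best strategy for Alice: maximise over the number of bad circuits."""
    return max(cheat_probability(t, bucket, k)
               for k in range(bucket, t * bucket + 1))

def min_bucket(t, s):
    """Smallest evaluation-set size with cheating probability <= 2^-s."""
    bucket = 1
    while max_cheat_probability(t, bucket) > Fraction(1, 2 ** s):
        bucket += 1
    return bucket

if __name__ == "__main__":
    for t in (1, 8, 32):
        b = min_bucket(t, 40)
        print(f"t={t:3d}: evaluation sets of {b}, {2 * b} circuits per execution")
```

In this model the number of circuits per execution is twice the evaluation-set size, and it shrinks as t grows because a bad circuit that escapes the check must also land in a set that is entirely bad.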
Multistage Cut & Choose - Analysis [HKKKM14]
Maximum cheating probability
Asymptotically for stat. security parameter s:
Concrete values for stat. security parameter s = 40 :
• More general parameters and analysis
  – E.g.: Better efficiency by varying fraction of circuits checked
Multistage Cut & Choose - Analysis [LR14]
• Amortization applied to cheating-punishment circuit
  – E.g.: even for t = 32, only 52 circuits are required here
  – Amortization also results in fewer overall exponentiations

Offline/Online Setting [LR14]
• Cut & choose protocols can be preprocessed
  – Execute check step offline
• Tradeoffs between total #circuits & #circuits evaluated online
• Use additive sharing to improve online efficiency of
  – Cut & choose OT
  – Input consistency checks
• Idea:
  – Preprocess using random share in offline phase
  – Send correction in the clear during online phase
• All exponentiations can be pushed to the offline phase
Rest of the Talk
• Multiple executions
• Cut & choose for multiple executions
  – Analysis
• Multistage cut & choose OT
Selective Failure Attacks
• Recall: Bob obtains his keys via OT
• Selective failure attack:
  – Corrupt Alice uses valid 0-key and invalid 1-key as OT inputs
  – If Bob’s input is 0, then evaluation succeeds
  – If Bob’s input is 1, then evaluation fails
• Techniques to avoid selective failure
  – XOR-tree encodings [FKN94,LP07,…]
  – Cut & choose OT [LP11,Lin13]
• [HKKKM14,LR14] adapt cut & choose OT to multiple executions setting
Cut & Choose Oblivious Transfer [LP11,Lin13]
[Figure: input keys and check values for each copy (check value, 1st input, 2nd input); labels: check set, evaluation set, “both inputs”, “one input & check value”]
Multistage Cut & Choose OT [HKKKM14]
[Figure: input keys and check values for each copy (check value, 1st input, 2nd input); labels: check set, eval set 1, eval set 2, eval set 3, ..., “both inputs”, “one input & check value”]
Multistage Cut & Choose OT [HKKKM14]
• Useful in multiple parallel execution setting
  – Otherwise, need to rely on adaptively secure garbling
• Show information theoretic reduction to [Lin13]’s modified batch single-choice cut & choose OT
  – t-out-of-t additive sharing of input keys and check values
  – Use ith set of shares as input to ith instance of modified batch single-choice cut & choose OT
  – Slightly more complicated to get full sender extraction
• Communication cost of the reduction is quadratic in t
  – Cost linear in t if we allow relaxed definitions (that are sufficient for 2PC applications) [KK14]