GARBLED CIRCUITS CHECKING GARBLED CIRCUITS MORE EFFICIENT AND SECURE TWO-PARTY COMPUTATION

Payman Mohassel (University of Calgary), Ben Riva (Tel Aviv University)

Secure Two-Party Computation

[Figure: P1 with input x and P2 with input y; outputs f1(x, y) and f2(x, y)]

Privacy: Only learn the output
Correctness: Learn the intended function

Contributions
• 2PC with low overhead
• Input-consistency check
• Two-output functions

• New Definition
• Strengthen covert adversaries
• Better efficiency/security trade-off for practice
• Protocols meeting the definition

Garbled Circuit

[Figure: garbled circuit GC (from seed), garbled inputs GI_x and GI_y, Eval( ) producing garbled output GO, translation table TT giving f(x, y); C(x, y) = f(x, y)]

Useful Properties
• Privacy: Knowing , , and does not leak any info
• Output Authenticity: P2 cannot compute another valid output
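
An added example, not from the original slides: one garbled AND gate in Python showing the evaluator obtaining a single output label GO, translating it with TT, and P1 rejecting any other claimed output. The SHA-256 row encryption with an all-zero tag, the hashed translation table and all function names are assumptions chosen for illustration, not the construction used in the paper.

```python
import hashlib, hmac, secrets

LABEL = 16  # bytes per wire label (assumed size)

def _pad(gi_x, gi_y):
    # 32-byte one-time pad derived from one label per input wire
    return hashlib.sha256(gi_x + gi_y).digest()

def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def garble_and():
    """P1: two random labels per wire, then the encrypted AND table (GC)."""
    wires = {w: (secrets.token_bytes(LABEL), secrets.token_bytes(LABEL)) for w in "xyz"}
    gc = []
    for a in (0, 1):
        for b in (0, 1):
            plain = wires["z"][a & b] + bytes(LABEL)  # output label || zero tag
            gc.append(_xor(_pad(wires["x"][a], wires["y"][b]), plain))
    secrets.SystemRandom().shuffle(gc)  # hide which row is which
    # TT maps a hash of each output label to its bit, so TT reveals no label
    tt = {hashlib.sha256(lbl).digest(): bit for bit, lbl in enumerate(wires["z"])}
    return gc, wires, tt

def evaluate(gc, gi_x, gi_y):
    """P2: only the row matching the held labels decrypts to a zero tag."""
    for row in gc:
        plain = _xor(_pad(gi_x, gi_y), row)
        if plain[LABEL:] == bytes(LABEL):
            return plain[:LABEL]  # GO
    raise ValueError("labels do not open any row")

def translate(tt, go):
    return tt[hashlib.sha256(go).digest()]

def p1_accepts(wires, z, go):
    """Output authenticity check: GO must be P1's own label for bit z."""
    return hmac.compare_digest(go, wires["z"][z])

if __name__ == "__main__":
    gc, wires, tt = garble_and()
    go = evaluate(gc, wires["x"][1], wires["y"][0])  # constructed inputs x=1, y=0
    print(translate(tt, go), p1_accepts(wires, 0, go), p1_accepts(wires, 1, go))
```
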

[Figure: GC, GI_x, GI_y and GO′; GC, GI_x, GI_y and TT giving f(x, y)]

Malicious 2PC Cut-and-Choose

[Figure: circuits GC1 to GC6 split into Open and Evaluate sets; evaluated circuits give z2, z4, z6; Majority gives z = f(x, y)]

Question: Are all inputs the same?

Question: Is the output correct?

1) Is the output correct?

[Figure: cut-and-choose over GC1 to GC6 (Open / Evaluate), outputs z2, z4, z6, Majority; z, GO2, GO4, GO6 with z = f(x, y)]

Send GOs as proof

But this leaks info to

2) Is the output correct?

[Figure: cut-and-choose over GC1 to GC6 (Open / Evaluate), outputs z2, z4, z6, Majority; z = f(x, y), GO]

Use same output labels in all circuits

But learns labels in open phase & can forge output

3) Is the output correct?

[Figure: cut-and-choose over GC1 to GC6 (Open / Evaluate), outputs z2, z4, z6, Majority; com(z), com( ); z, GO]

Extensions
• Extend to two-output functions
  • XOR 's output with a random value provided by him
  • Then apply the above solution

• Make solution "streaming-friendly"
  • Hard to garble/evaluate circuits "on-the-fly"
  • Need to store circuits until they are opened
  • See paper for a streaming-friendly version
  • Similar ideas and efficiency

Covert 2PC

[Figure: circuits GC1 to GC6, inputs x, output z = f(x, y)]

Cost/pay for malicious party
o Costs to get caught
o Pays to cheat and win
o is probability of not getting caught
o Cost > Pay

o may be sufficient

Question: What about cost/pay for honest party?

All-or-Nothing Security
• What about the honest party?
• with probability
• His input is leaked!
• He learns an incorrect output!

o Pays to learn correct output
o Costs to be cheated on
o Pay > Cost

o If is large enough
o Honest parties may not participate

A Stronger Definition

• Increase the pay-off (of learning correct output)
• Orthogonal to MPC

• Reduce the cost of being cheated on!
• By strengthening the security definition

CovIDA Security

• Guarantee correctness
• Honest parties cannot be tricked into learning bad output

• Only leak limited information in case of cheating
• With probability nothing is leaked
• With probability only one bit is leaked

Dual-Ex 2PC

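[Figure: P1 (input x) and P2 (input y); GC, GI_x, GI_y, TT in one direction and GC, GI_x′, GI_y′, TT in the other; results z, GO_z and z′, GO_z′; equality test z =? z′ returning yes/no to each party]

Use for authentication

o Correctness prob. = 1-neg(k)
o Leakage prob. = 1

o Bad circuit
o Different inputs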

Dual-Ex + Covert 2PC

[Figure: circuits GC1 to GC4 in each direction; equality test z =? z′ returning yes/no to each party]

o Correctness prob. = 1-neg(k)
o Leakage prob. = 1

o Bad circuit
o Different inputs

Dual-Ex + Covert 2PC

[Figure: P1 (input x) and P2 (input y); circuits GC1 to GC4 in each direction with inputs x_i and random values r_i (x′_i, r′_i in the other direction); checks on r1, r′1; r2, r′2; r4, r′4; and x3 ⊕ r3, x3′ ⊕ r′3]

o Correctness prob. = 1
o Leakage prob. =

o Bad circuit
o Different inputs

It is possible to make probability using a few tricks

Are inputs the Same? Malicious 2PC

[Figure: P1 (input x) and P2 (input y); circuits GC1 to GC4 with inputs x_i, r_i on one side and x, r′_i on the other; checks on r1, r′1; x2 ⊕ r2, x ⊕ r′2; r4, r′4; and x3 ⊕ r3, x ⊕ r′3]

Use same OT for x

Linear in s symmetric-key ops for input-consistency (using OT extension)

QUESTIONS?