Download presentation

Presentation is loading. Please wait.

Published byAlvaro Sarson Modified over 3 years ago

2
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University of Maryland Picture logos instead of footnotes

3
Secure Two-Party Computation 2 Alice Bob Bobs Genome: ACTG… Markers (~1000): [0,1, …, 0] Alices Genome: ACTG… Markers (~1000): [0, 0, …, 1] Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?

4
Enc x0 0, x 1 1 (x2 1 ) Enc x0 1,x1 1 (x2 1 ) Enc x0 1,x1 0 (x2 1 ) Enc x2 0, x2 1 (x3 0 ) Enc x2 1,x2 1 (x3 0 ) Enc x2 1,x2 0 (x3 1 ) Enc x2 0, x3 1 (x4 1 ) Enc x2 1,x3 1 (x4 1 ) Enc x2 1,x3 0 (x4 0 ) Enc x4 0, x 3 1 (x5 1 ) Enc x4 1,x3 1 (x5 0 ) Enc x4 1,x3 0 (x5 0 ) Enc x4 0, x5 1 (x6 1 ) Enc x4 1,x5 1 (x6 0 ) Enc x4 1,x5 0 (x6 0 ) Enc x3 0, x 6 1 (x7 1 ) Enc x3 1,x6 1 (x7 0 ) Enc x3 1,x6 0 (x7 1 ) Faster Garbled Circuits (Semi-honest) 3 Circuit-Level Application GC Framework (Evaluator) GC Framework (Evaluator) GC Framework (Generator) Circuit Structure Pipelining: gates evaluated as they are generated Garbled evaluation can be combined with normal execution Circuit-level optimizations

5
Results for Semi-honest Protocols Performance Scalability 4 Applications biometric identification (5x speedup) [NDSS 2011] Hamming distance (4000x), Edit distance (30x), Smith-Waterman, AES Encryption (16x) [USENIX Sec 2011] private set intersection (faster than best custom protocols) [NDSS 2012] Non-free gates per millisecond Largest circuit executed (non-free gates)

6
Standard Threat Models Semi-Honest: Adversary follows the protocol as specified, but tries to learn more from the protocol execution transcript Malicious: Adversary can do anything, guarantees correctness and privacy Reasonable performance, unreasonable assumptions Reasonable assumptions, unreasonable performance 5

7
Security Properties Privacy Nothing is revealed other than the output Correctness The output of the protocol is indeed f ( x,y ) GeneratorEvaluator Malicious-resistant OT Semi-Honest GC How can we get both correctness, while maintaining privacy? 6

8
How about Dual Execution?

9
Dual Execution Protocol [Mohassel and Franklin, PKC06] AliceBob first round execution (semi-honest) generatorevaluator generatorevaluator second round execution (semi-honest) fully-secure equality test

10
Security Properties Correctness: guaranteed by authenticated, secure equality test Privacy: Leaks one (extra) bit on average adversarial circuit generator provides a circuit that fails on ½ of inputs Malicious generator can achieve either one of the following, but not both 1. Decrease likelihood of being caught, 2. Increase information leaked when caught On average, it is a 1-bit leak. Malicious generator can achieve either one of the following, but not both 1. Decrease likelihood of being caught, 2. Increase information leaked when caught On average, it is a 1-bit leak. 9

11
Equality Test

12
One-sided Equality Test Allows Bob to convince Alice that they share the same secret value Need to run this 2-round protocol twice (parallelizable as well) to accomplish the full equality test.

13
Proving Security: Malicious 12 AB Ideal World y x Receives: f (x, y) Trusted Party in Ideal World Standard Malicious Model: cant prove this for Dual Execution Real World AB y x Show equivalence Corrupted party behaves arbitrarily Secure Computation Protocol

14
Proof of Security: One-Bit Leakage 13 A B Ideal World y x g R {0, 1} g is an arbitrary Boolean function selected by malicious adversary A Adversary receives: g(x, y) and optionally f (x, y) Trusted Party in Ideal World Can prove equivalence to this for Dual Execution protocols

15
1-bit Leak Circuit structure can be checked by evaluator (including free XORs) Design circuit to limit malicious generators ability to partition input space. Challenge: can lie about inputs also 14 Can we have more confidence on which one bit is not leaked? Open Question:

16
Delayed Revelation Goal: do not reveal output to either party, unless the equality test passes 15 Solution: check equality of output wires using a secure circuit that outputs results This circuit is also executed as a Dual Execution protocol!

17
Dual Execution Protocol AliceBob first round execution (semi-honest) generatorevaluator generatorevaluator second round execution (semi-honest) Recall: work to generate is 3x work to evaluate! 16 fully-secure equality test

18
Performance 17 Circuits of arbitrary sizes can be done this way [Kreuter et al., USENIX Security 2012]

19
Summary first round execution (semi-honest) second round execution (semi-honest) fully-secure, authenticated equality test Provides full correctness and maximum one-bit average leakage against fully malicious adversaries (formal proof using ideal/real world model) With pipelining framework, almost free with dual-core, 40-50% over semi-honest protocol with one core. 18 www.MightBeEvil.org

Similar presentations

OK

Password Mistyping in Two-Factor Authenticated Key Exchange Vladimir KolesnikovCharles Rackoff Bell LabsU. Toronto ICALP 2008.

Password Mistyping in Two-Factor Authenticated Key Exchange Vladimir KolesnikovCharles Rackoff Bell LabsU. Toronto ICALP 2008.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google