Download presentation

Presentation is loading. Please wait.

Published byAlvaro Sarson Modified over 3 years ago

2
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University of Maryland Picture logos instead of footnotes

3
Secure Two-Party Computation 2 Alice Bob Bobs Genome: ACTG… Markers (~1000): [0,1, …, 0] Alices Genome: ACTG… Markers (~1000): [0, 0, …, 1] Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?

4
Enc x0 0, x 1 1 (x2 1 ) Enc x0 1,x1 1 (x2 1 ) Enc x0 1,x1 0 (x2 1 ) Enc x2 0, x2 1 (x3 0 ) Enc x2 1,x2 1 (x3 0 ) Enc x2 1,x2 0 (x3 1 ) Enc x2 0, x3 1 (x4 1 ) Enc x2 1,x3 1 (x4 1 ) Enc x2 1,x3 0 (x4 0 ) Enc x4 0, x 3 1 (x5 1 ) Enc x4 1,x3 1 (x5 0 ) Enc x4 1,x3 0 (x5 0 ) Enc x4 0, x5 1 (x6 1 ) Enc x4 1,x5 1 (x6 0 ) Enc x4 1,x5 0 (x6 0 ) Enc x3 0, x 6 1 (x7 1 ) Enc x3 1,x6 1 (x7 0 ) Enc x3 1,x6 0 (x7 1 ) Faster Garbled Circuits (Semi-honest) 3 Circuit-Level Application GC Framework (Evaluator) GC Framework (Evaluator) GC Framework (Generator) Circuit Structure Pipelining: gates evaluated as they are generated Garbled evaluation can be combined with normal execution Circuit-level optimizations

5
Results for Semi-honest Protocols Performance Scalability 4 Applications biometric identification (5x speedup) [NDSS 2011] Hamming distance (4000x), Edit distance (30x), Smith-Waterman, AES Encryption (16x) [USENIX Sec 2011] private set intersection (faster than best custom protocols) [NDSS 2012] Non-free gates per millisecond Largest circuit executed (non-free gates)

6
Standard Threat Models Semi-Honest: Adversary follows the protocol as specified, but tries to learn more from the protocol execution transcript Malicious: Adversary can do anything, guarantees correctness and privacy Reasonable performance, unreasonable assumptions Reasonable assumptions, unreasonable performance 5

7
Security Properties Privacy Nothing is revealed other than the output Correctness The output of the protocol is indeed f ( x,y ) GeneratorEvaluator Malicious-resistant OT Semi-Honest GC How can we get both correctness, while maintaining privacy? 6

8
How about Dual Execution?

9
Dual Execution Protocol [Mohassel and Franklin, PKC06] AliceBob first round execution (semi-honest) generatorevaluator generatorevaluator second round execution (semi-honest) fully-secure equality test

10
Security Properties Correctness: guaranteed by authenticated, secure equality test Privacy: Leaks one (extra) bit on average adversarial circuit generator provides a circuit that fails on ½ of inputs Malicious generator can achieve either one of the following, but not both 1. Decrease likelihood of being caught, 2. Increase information leaked when caught On average, it is a 1-bit leak. Malicious generator can achieve either one of the following, but not both 1. Decrease likelihood of being caught, 2. Increase information leaked when caught On average, it is a 1-bit leak. 9

11
Equality Test

12
One-sided Equality Test Allows Bob to convince Alice that they share the same secret value Need to run this 2-round protocol twice (parallelizable as well) to accomplish the full equality test.

13
Proving Security: Malicious 12 AB Ideal World y x Receives: f (x, y) Trusted Party in Ideal World Standard Malicious Model: cant prove this for Dual Execution Real World AB y x Show equivalence Corrupted party behaves arbitrarily Secure Computation Protocol

14
Proof of Security: One-Bit Leakage 13 A B Ideal World y x g R {0, 1} g is an arbitrary Boolean function selected by malicious adversary A Adversary receives: g(x, y) and optionally f (x, y) Trusted Party in Ideal World Can prove equivalence to this for Dual Execution protocols

15
1-bit Leak Circuit structure can be checked by evaluator (including free XORs) Design circuit to limit malicious generators ability to partition input space. Challenge: can lie about inputs also 14 Can we have more confidence on which one bit is not leaked? Open Question:

16
Delayed Revelation Goal: do not reveal output to either party, unless the equality test passes 15 Solution: check equality of output wires using a secure circuit that outputs results This circuit is also executed as a Dual Execution protocol!

17
Dual Execution Protocol AliceBob first round execution (semi-honest) generatorevaluator generatorevaluator second round execution (semi-honest) Recall: work to generate is 3x work to evaluate! 16 fully-secure equality test

18
Performance 17 Circuits of arbitrary sizes can be done this way [Kreuter et al., USENIX Security 2012]

19
Summary first round execution (semi-honest) second round execution (semi-honest) fully-secure, authenticated equality test Provides full correctness and maximum one-bit average leakage against fully malicious adversaries (formal proof using ideal/real world model) With pipelining framework, almost free with dual-core, 40-50% over semi-honest protocol with one core. 18 www.MightBeEvil.org

Similar presentations

OK

Maximal Independent Subsets of Linear Spaces. Whats a linear space? Given a set of points V a set of lines where a line is a k-set of points each pair.

Maximal Independent Subsets of Linear Spaces. Whats a linear space? Given a set of points V a set of lines where a line is a k-set of points each pair.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on series and parallel circuits for kids Ppt on power quality in energy conversion systems Ppt on email etiquettes presentation boards Ppt on forensic science laboratory Best ppt on steve jobs Ppt on selling techniques Ppt on resistance temperature detector definition Ppt on digital image processing gonzalez Ppt on c programming functions Ppt on edge detection filter