Download presentation

Presentation is loading. Please wait.

Published byMalakai Lanham Modified over 2 years ago

1
Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran Tromer Technion & TAU UIUC UCLA TAU

2
What this talk is about New model for fault-tolerant circuits New approach for protecting secure computation protocols against malicious parties

3
Part I: Fault Tolerant Circuits

4
Dream Goal Too much to hope for… x f(x) Yet it is f(x)!

5
Dream Goal Too much to hope for… x f(x) Yet it is 1-f(x)!

6
Relaxing Goal Random faults [vN56,DO77,Pip85,...] Bounded number of faults [KLM94,GS95,KLR12] This work: any number of adversarial faults –Allow fault-tolerant circuit to be randomized –Settle for detecting errors w.h.p –Still does not rule out direct tampering with input and output

7
Further Relaxations Allow tamper-proof input encoder (Enc) and output decoder (Dec) –Enc,Dec must be small and universal Restricted class of faults x f(x) / ERR EncDec

8
Further Relaxations Allow tamper-proof input encoder (Enc) and output decoder (Dec) –Enc,Dec must be small and universal Restricted class of faults –This work: additive attacks on wires x f(x) / ERR EncDec

9
Further Relaxations Allow tamper-proof input encoder (Enc) and output decoder (Dec) –Enc,Dec must be small and universal Restricted class of faults –This work: additive attacks on wires x f(x) / ERR EncDec X X + - X

10
AMD Codes [CDFPW08] Protect information against additive attacks Our goal: protect computation x f(x) / ERR EncDec X X + - X x x / ERR EncDec AMD circuit

11
Definition: ε-correctness Let f:F n F m Let Enc:F n F n’, C:F n’ F m’, Dec:F m’ F m+1 –C is a randomized arithmetic circuit over F –Enc is randomized, Dec is deterministic We say that (Enc,C,Dec) realizes f with ε-correctness against additive attacks if: – ∀ x ∈ F n, Dec(C(Enc(x)))=(0,f(x)). – ∀ x ∈ F n and every C A obtained by applying an additive attack to C, Dec(C A (Enc(x))) is either (0,f(x)) or (e,y) for e≠0, except w/prob. ≤ ε

12
Eliminating Enc and Dec Idea: settle for “best possible” security –Every additive attack on C can be simulated by a (possibly randomized) additive attack on inputs and outputs alone –C is “as good” as tamper-proof hardware for g X X + - X r +2

13
Definition: ε-security Let f:F n F m, C:F n F m –C is a randomized arithmetic circuit over F We say that C realizes f with ε-security against additive attacks if: – ∀ x ∈ F n, C(x)=f(x) (w/prob. 1) –For every C A obtained by applying an additive attack to C, there are distributions Δx,Δy s.t. ∀ x ∈ F n, C A (x) ≈ ε C(x+Δx)+Δy

14
Security Correctness Let (AEnc, ADec) be an AMD code. f AEnc ADec e AEnc ADec x e y x’ y’ f’

15
Security Correctness Let (AEnc, ADec) be an AMD code. Useful feature: whether e is set reveals almost nothing about x f AEnc ADec e AEnc ADec x e y x’ y’ C’

16
Our Results Large field F –Compile any C to an ε-secure C’ –|C’|=O(|C|) –ε = O(|C|/|F|) Any field F –Compile any C to an ε-correct (Enc,C’,Dec) –Enc,Dec small and universal –|C’|=|C|. polylog(1/ε)

17
Techniques: Large Fields Use simple homomorphic AMD code –Input: x (x,r,xr) –Multiplication: (a,r,ar), (b,r,br) (ab,r 2,abr 2 ) (a,r d,ar d ), (b,r d’,br d’ ) (ab,r d+d’,abr d+d’ ) –Addition: (a,r,ar), (b,r,br) (a+b,r,(a+b)r) (a,r d,ar d ), (b,r d’,br d’ ), r (a+b,r max(d,d’),(a+b)r max(d,d’) ) –Output: (y,r d,z) y+s. (yr d -z) Problems –Error grows linearly with degree d (need d<<|F|) Use constant-degree gadgets –Requires wires to be locally random Convert C into a locally random circuit [ISW03,IPS+11] Compare with [BDOZ11]

18
Techniques: Small Fields Implement matrix-vector multiplication gadget Use it to implement simple Hadamard-based linear PCP [ALMSS92] –Large constant error –Quadratic blowup in circuit size Amplify correctness via repetition –Check input consistency using hashing Eliminate quadratic blowup –Using small gadgets Problems –Error grows linearly with degree d (need d<<|F|) Use constant-degree gadgets –Requires wires to be locally random Convert C into a locally random circuit [ISW03,IPS+11]

19
Part II: Secure Multiparty Computation

20
Secure Multiparty Computation [Yao86,GMW87] ab c Every f can be realized with information- theoretic security –Assuming an honest majority [BGW88,CCD88,RB89] –Assuming an oblivious transfer oracle [GMW87,Kil88,IPS08] or OLE oracle [NP99,IPS09] f(a,b,c)

21
Passive vs. Active Attacks Security against active attacks is much more challenging. Common paradigm: passive security active security –GMW compiler: using ZK proofs [GMW87,…] –Make sub-protocols verifiable [BGW88,CCD88,…] –Cut-and-choose techniques […,LP07,…] –Use low-threshold active-secure MPC [IPS08] Major research effort in cryptography

22
Motivating Observation In “natural” passive-secure MPC protocols for evaluating an arithmetic circuit C, the effect of an active adversary corresponds to an additive attack on C. –Formally: the protocol perfectly realizes an augmented ideal functionality that allows for an additive attack. –Applies to all information-theoretic protocols we know that have maximal security threshold Active security can be achieved by applying passive-secure protocol to AMD circuit C’. Reduces protocol design to circuit design

23
Some Details Need to protect inputs and outputs –Achieved via local AMD encoding of inputs and AMD decoding of outputs Protocols only achieve “security with abort” –Often best possible –With honest majority and broadcast, can be upgraded to full security using standard methods

24
Applications Simplified feasibility results –Passive BGW88 RB89 (t

25
Open Problems AMD Circuits –Better security and efficiency over binary fields Useful for MPC in OT-hybrid model –Better concrete efficiency over large fields Useful for practical MPC? [IKHC14] –Generalize attack model Settle for best possible security MPC applications –Protocols based on “packed secret sharing” –Computationally secure protocols?

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google