Download presentation

Presentation is loading. Please wait.

Published byCharlotte Lippard Modified over 2 years ago

1
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto vlad@cs.utoronto.ca

2
Input: x 2 D 1 Input: y 2 D 2 Secure Function Evaluation f: D 1 £ D 2 D 3 f(x,y) f(x,y) One-Round … ?

3
SFE Models Semi-honest Both players follow the protocol Observe communication, try to learn additional info Malicious Players can freely cheat Solutions can be obtained by “compilation” of a semi- honest protocol

4
Approaches to SFE SFE for specific functions Greater Than, Auctions, Voting SFE for arbitrary functions Functions given as a circuit, branching program, etc. This work: SFE of any boolean formula

5
Input: b Input: secrets s 0, s 1 Learn: Learn: nothing Oblivious Transfer (OT) sbsb

6
Reduction of SFE to OT OT is a fundamental primitive Rabin ’81, Kilian ‘88 Unconditional reductions are possible OT is implementable under a variety of computational and physical assumptions

7
Previous Work Yao’s Garbled circuit Sander, Young and Yung ’99 Kilian ’88 + Cleve ’90 (also CFIK ’03) Based on Permutation Branching Programs Ishai and Kushilevitz ’00, ’02 Based on Branching Programs

8
Secure Gate Evaluation x 2 {0,1}y 2 {0,1} G(x,y)? G:{0,1} 2 {0,1} s 0 ’,s 0 ’’ G(0,0) s 0 ’,s 1 ’’ G(0,1) s 1 ’,s 0 ’’ G(1,0) s 1 ’,s 1 ’’ G(1,1) s y ’’ OT (x, (s 0 ’,s 1 ’)) G(x,y) s x ’,s y ’’ ?

9
Composition x 2 {0,1}y 2 {0,1} …… … s 0 3,s 0 4 s’ G 1 (0,0) s 00 s 0 3,s 1 4 s’ G 1 (0,1) s 01 s 1 3,s 0 4 s’ G 1 (1,0) s 10 s 1 3,s 1 4 s’ G 1 (1,1) s 11 Gate Evaluation Secret Sharing (GESS ) s 00 s 01 s 10 s 11 I

10
GESS for Gates with Binary Inputs s 00 s 01 s 10 s 11 R0R0 R1R1 R 0 © s 00 R 0 © s 01 R 1 © s 10 R 1 © s 11 Wire 1Wire 2Output wire b b 2 R {0,1} :b:b Permute if b=1 Reconstruction: (c r, r 0 r 1 ) r © r c For OR and AND gates either left or right columns of wire 2 are equal! Exponential growth with depth 0 1

11
GESS for AND/OR gates Key: view secrets as being equal, except for one column of blocks. share column-wise. 2 R ( {1..n+1} {1..n+1}) 1) 2) 3) 4) n blocks of size k example: n = 3 Shares have the same block equality properties

12
GESS Performance Given a boolean formula F Cost ¼ d i 2 ( d i – depth of leaf i) F is balanced quazilinear in |F| Rebalance F to log depth (Bonet-Buss, Spira) Previous best exponential in depth directly for circuits quadratic in |F| via Branching Programs

13
GESS Performance Cost of SFE of boolean NC 1 circuit of depth d This workO(2 d d 2 ) Previous best (2 d 2 d 1/2 ) (Kilian-Cleve, Cramer-Fehr-Ishai-Kushilevitz ‘03)

14
Other results Lower Bounds New Efficient Protocol for GT Generalization of Yao’s Garbled Circuit

15
Lower Bounds S 00 S 01 S 10 S 11 Wire 1Wire 2Output wire 0 1 A0A0 A1A1 B0B0 B1B1 When secrets are independent H(A i ) + H(B j ) ¸ 3 H(S)

Similar presentations

OK

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on diode as rectifier circuits Ppt on statistics in maths what is median Ppt on intelligent traffic light control system Ppt on power line communication Ppt on models of business communication Ppt on economy of india Ppt on different solid figures A ppt on leonardo da vinci Ppt on 21st century skills curriculum Ppt on limits and derivatives doc