Download presentation

Presentation is loading. Please wait.

Published byJonas Woods Modified about 1 year ago

1
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based Secure Computation in the Offline/Online and Batch Settings Yehuda Lindell (BIU), Ben Riva (TAU)

2
Secure Two-Party Computation Two parties with private inputs x and y Compute joint function of their inputs while preserving – Privacy – Correctness – Input independence x f (x,y) y

3
Adversaries and Security Semi-honest: follow protocol specification but attempt to learn more than allowed – Highly efficient; weak guarantees Malicious: run any arbitrary attack strategy – Much more expensive

4
GC OT Bob input keys input bits Bob keys Yao’s Protocol (Semi-honest) Alice input keys GC

5
Security for Malicious Case Main Issue: Malicious Alice constructs incorrect circuit – Violates correctness – Violates privacy Can prevent using generic ZK --- but this is inefficient More practical solution --- cut & choose – Introduces new problems (relatively “minor” issues) Need to ensure input consistency across copies Need to prevent selective failure attacks

6
Cut & Choose Paradigm All copies of garbled circuits […,Pin03,MNPS04,MF06,LP07,…] Check Set Evaluation Set

7
Cost of Cut & Choose Main question: How many circuits are needed? – 99.999% of the cost is due to garbled circuits E.g.: for stat. error at most 2 -40, #circuits required: – 680 [LP07] – 128 [LP11] – 125 [sS11] – 48 [HKE13] – 40 [Lin13]

8
Cost of Cut-and-Choose Our motivating question: Can we reduce further the cost of cut & choose, i.e., the number of circuits required? Our approach: Explore the possibility of amortizing the cost of cut & choose in a setting where parties need to perform multiple secure function evaluations

9
Rest of the Talk Multiple executions Cut & choose for multiple executions – Analysis Multistage cut & choose OT

10
Multiple Executions Setting: – Alice and Bob execute the same function multiple times Parallel Sequential Motivation: – Amortize the cost of cut & choose – Relevant in practice – RAM model 2PC

11
Cut & Choose – Multiple Executions All copies of garbled circuits Check Set Evaluation Sets

12
Cut & Choose for Multiple Executions Inspired by LEGO [NO09,NNOB12,FJNNO13] – LEGO performs cut & choose at the gate level Alice creates many copies of NAND gates Bob opens half the copies to check & distributes remaining half randomly into “buckets” (each bucket emulates a NAND gate) Each NAND bucket output determined by majority Makes use of cheating punishment technique [Lin13] – Post-processing step uses 2PC but on a much smaller circuit – Fail only if for some evaluation set, all circuits in it are bad No need to take majority Leads to better concrete efficiency “Multistage Cut & Choose”

13
Multistage Cut & Choose - Analysis [HKKKM14] Maximum cheating probability Asymptotically for stat. security parameter s: Concrete values for stat. security parameter s = 40 :

14
More general parameters and analysis – E.g.: Better efficiency by varying fraction of circuits checked [LR14] Multistage Cut & Choose - Analysis Amortization applied to cheating-punishment circuit – E.g.: even for t = 32, only 52 circuits are required here – Amortization also results in fewer overall exponentiations

15
Cut & choose protocols can be preprocessed – Execute check step offline Tradeoffs between total #circuits & #circuits evaluated online Use additive sharing to improve online efficiency of – Cut & choose OT – Input consistency checks Idea: – Preprocess using random share in offline phase – Send correction in the clear during online phase All exponentiations can be pushed to the offline phase [LR14] Offline/Online Setting

16
Rest of the Talk Multiple executions Cut & choose for multiple executions – Analysis Multistage cut & choose OT

17
Selective Failure Attacks Recall: Bob obtains his keys via OT Selective failure attack: – Corrupt Alice uses valid 0-key and invalid 1-key as OT inputs – If Bob’s input is 0, then evaluation succeeds – If Bob’s input is 1, then evaluation fails Techniques to avoid selective failure – XOR-tree encodings [FKN94,LP07,…] – Cut & choose OT [LP11,Lin13] [HKKKM14,LR14] adapt cut & choose OT to multiple executions setting

18
Cut & Choose Oblivious Transfer [LP11,Lin13] Check value 1 st input 2 nd input Input keys and check values for each copy Both inputs Check setEvaluation set One input & check value

19
Multistage Cut & Choose OT Check value 1 st input 2 nd input Input keys and check values for each copy Both inputs Check setEval set 1Eval set 2Eval set 3 One input & check value... [HKKKM14]

20
Multistage Cut & Choose OT [HKKKM14] Useful in multiple parallel execution setting – Otherwise, need to rely on adaptively secure garbling Show information theoretic reduction to [Lin13]’s modified batch single-choice cut & choose OT – t-out-of-t additive sharing of input keys and check values – Use i th set of shares as input to i th instance of modified batch single-choice cut & choose OT – Slightly more complicated to get full sender extraction Communication cost of the reduction is quadratic in t – Cost linear in t if we allow relaxed definitions (that are sufficient for 2PC applications) [KK14]

21
Summary Malicious 2PC cost dominated by cost of cut & choose Multiple executions allows amortizing cut & choose cost – For 40 bits of statistical security need: Only 8 circuits/execution for 3500 executions [HKKKM14] Only 7.06 circuits/execution for 1024 executions [LR14] THANK YOU!!!

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google