On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)


Research in Secure Two-party Computation (2PC)
Generic protocols [Yao86, GMW87]
"Tailored" protocols for specific applications [FNP04, HL08, KO97, …]
Fairplay [MNPS04]: implemented generic protocols
– Hope for practicality

Research in Secure Two-party Computation (2PC)
Active research improving the concrete efficiency of generic protocols
– Garbled circuit approach [PSSW09, HEKM11, KM11, LP07, LP11, …]
– GMW approach [NNOB11, CHKMR12, …]
Moving secure computation from theory to practice

Talk Outline
Background on Yao GC & the Free-XOR technique [KS08]
– Description in the random oracle (RO) model
– Replacing the RO with correlation robust hash functions?
Sufficient assumptions on the hash function
– Why correlation robust hash functions are not enough
– New notion: circular correlation robust hash functions
– Security of the Free-XOR technique
Conclusions

Yao Garbled Circuit (GC) [Yao86]
Generic secure computation protocol
Constant-round solution
Mostly symmetric-key operations
Popular choice for efficient 2PC

Yao Garbled Circuit
(Figure: an AND gate with input wires u, v and output wire w, and an XOR gate, each wire carrying a pair of keys.) Credit: V. Kolesnikov

Yao Garbled Circuit
AND gate g has input wires u, v and output wire w; XOR gate g' has input wires w, x and output wire y. Every wire carries two keys, one per value (u_0, u_1, v_0, v_1, w_0, w_1, x_0, x_1, y_0, y_1).
Garbled table of AND gate g:
– H(u_0,v_0,g) ⊕ w_0
– H(u_0,v_1,g) ⊕ w_0
– H(u_1,v_0,g) ⊕ w_0
– H(u_1,v_1,g) ⊕ w_1
Garbled table of XOR gate g':
– H(w_0,x_0,g') ⊕ y_0
– H(w_0,x_1,g') ⊕ y_1
– H(w_1,x_0,g') ⊕ y_1
– H(w_1,x_1,g') ⊕ y_0
g, g': gate indices; H: hash function

GC Based Semi-Honest 2PC [Yao86]
(Figure) Alice garbles the circuit and sends Bob the GC together with the keys for her input bits; Bob obtains the keys for his own input bits via OT; Bob evaluates the GC using the received input keys.

Efficiency Improvements to Yao GC
Garbled row reduction [NPS99, PSSW09]
– Just 3 entries per garbled table
Point-and-permute [MNPS04]
– Decrypt only one entry
Free-XOR technique [KS08]
– No garbled table for XOR gates

Free-XOR Technique [KS08]
Idea: XOR gates evaluated for "free"
– No cryptographic operations or communication (like [Kol05, GMW87])
– GC-based 2PC in the semi-honest setting
Gains in practice?
– 40% improvement for "typical" circuits
– 300% improvement for universal circuits
Impact
– All recent implementations use the Free-XOR technique [PSSW09, SS11, …]
– Efforts to minimize the number of non-XOR gates in a circuit [KS08, KSS09, PSSW09]

Free-XOR Technique [KS08]
Starting point: the plain Yao garbled tables for AND gate g (inputs u, v, output w) and XOR gate g' (inputs w, x, output y).
AND gate g:
– H(u_0,v_0,g) ⊕ w_0
– H(u_0,v_1,g) ⊕ w_0
– H(u_1,v_0,g) ⊕ w_0
– H(u_1,v_1,g) ⊕ w_1
XOR gate g':
– H(w_0,x_0,g') ⊕ y_0
– H(w_0,x_1,g') ⊕ y_1
– H(w_1,x_0,g') ⊕ y_1
– H(w_1,x_1,g') ⊕ y_0

Free-XOR Technique [KS08]
Choose the keys so that the two keys of every wire differ by the same offset R:
– u_1 = u_0 ⊕ R, v_1 = v_0 ⊕ R, w_1 = w_0 ⊕ R, x_1 = x_0 ⊕ R, y_1 = y_0 ⊕ R
– y_0 = w_0 ⊕ x_0
R: hidden global parameter
AND gate g:
– H(u_0,v_0,g) ⊕ w_0
– H(u_0,v_1,g) ⊕ w_0
– H(u_1,v_0,g) ⊕ w_0
– H(u_1,v_1,g) ⊕ w_1
XOR gate g':
– H(w_0,x_0,g') ⊕ y_0
– H(w_0,x_1,g') ⊕ y_1
– H(w_1,x_0,g') ⊕ y_1
– H(w_1,x_1,g') ⊕ y_0

Free-XOR Technique [KS08]
R: hidden global parameter
AND gate g (garbled table is kept): the evaluator holding keys u, v uses H(u,v,g) to recover w
– H(u_0,v_0,g) ⊕ w_0
– H(u_0,v_1,g) ⊕ w_0
– H(u_1,v_0,g) ⊕ w_0
– H(u_1,v_1,g) ⊕ w_1
XOR gate g' (no garbled table): the evaluator holding keys w, x sets y = w ⊕ x, so the entries H(w_0,x_0,g') ⊕ y_0, H(w_0,x_1,g') ⊕ y_1, H(w_1,x_0,g') ⊕ y_1, H(w_1,x_1,g') ⊕ y_0 are no longer needed
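The garbling and evaluation described on the last few slides, as an added example that is not code from the talk or from [KS08]. It garbles the two-gate circuit out = (a AND b) XOR c. Assumptions made here and not on the slides: H(u,v,g) is SHA-256 over u || v || g truncated to 16 bytes, the rows of the AND table are ordered by point-and-permute bits (the least significant bit of each key) so the evaluator knows which row to open, and the offset R has its least significant bit set to 1 so the two keys on every wire carry opposite permute bits.

```python
# Added example (not code from the talk or from [KS08]): Free-XOR garbling and
# evaluation of out = (a AND b) XOR c. Assumptions: H is truncated SHA-256,
# AND-table rows are placed by point-and-permute bits, lsb(R) = 1.
import hashlib
import secrets

KEY_LEN = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def H(u: bytes, v: bytes, g: int) -> bytes:
    # The gate index g is part of the input so that the same pair of keys
    # yields different pads at different gates.
    return hashlib.sha256(u + v + g.to_bytes(4, "big")).digest()[:KEY_LEN]


def lsb(k: bytes) -> int:
    return k[-1] & 1


def fresh_offset() -> bytes:
    r = bytearray(secrets.token_bytes(KEY_LEN))
    r[-1] |= 1  # guarantees lsb(k0) != lsb(k0 ^ R) on every wire
    return bytes(r)


class Garbler:
    """Alice's side: holds R and, per wire, the key for value 0 (key for 1 is k0 ^ R)."""

    def __init__(self) -> None:
        self.R = fresh_offset()
        self.k0 = {}

    def new_wire(self, name: str) -> None:
        self.k0[name] = secrets.token_bytes(KEY_LEN)

    def key(self, name: str, bit: int) -> bytes:
        return self.k0[name] if bit == 0 else xor(self.k0[name], self.R)

    def xor_gate(self, a: str, b: str, out: str) -> None:
        # Free-XOR: out_0 = a_0 ^ b_0, hence out_1 = out_0 ^ R. No table is sent.
        self.k0[out] = xor(self.k0[a], self.k0[b])

    def and_gate(self, a: str, b: str, out: str, g: int) -> list:
        # Four entries H(key_a, key_b, g) ^ key_out, placed by the permute bits.
        self.new_wire(out)
        table = [b""] * 4
        for x in (0, 1):
            for y in (0, 1):
                ka, kb = self.key(a, x), self.key(b, y)
                table[2 * lsb(ka) + lsb(kb)] = xor(H(ka, kb, g), self.key(out, x & y))
        return table


def eval_and(ka: bytes, kb: bytes, table: list, g: int) -> bytes:
    """Bob's side: open the one row selected by the permute bits of his keys."""
    return xor(H(ka, kb, g), table[2 * lsb(ka) + lsb(kb)])


def run_circuit(a_bit: int, b_bit: int, c_bit: int) -> int:
    """Garble out = (a AND b) XOR c, evaluate it on one input, decode the output bit."""
    alice = Garbler()
    for w in ("a", "b", "c"):
        alice.new_wire(w)
    and_table = alice.and_gate("a", "b", "t", g=1)
    alice.xor_gate("t", "c", "out")
    # Bob holds exactly one key per input wire plus the AND table.
    ka, kb, kc = alice.key("a", a_bit), alice.key("b", b_bit), alice.key("c", c_bit)
    k_t = eval_and(ka, kb, and_table, g=1)
    k_out = xor(k_t, kc)  # the XOR gate costs one XOR and no table lookup
    # Output decoding: Alice reveals which key of the output wire means 0 and 1.
    if k_out == alice.key("out", 0):
        return 0
    if k_out == alice.key("out", 1):
        return 1
    raise ValueError("evaluation produced a key that is not on the output wire")


def check_all_inputs() -> bool:
    """True when garbled evaluation agrees with the plain circuit on all 8 inputs."""
    return all(run_circuit(a, b, c) == ((a & b) ^ c)
               for a in (0, 1) for b in (0, 1) for c in (0, 1))


if __name__ == "__main__":
    print("Free-XOR circuit correct on all inputs:", check_all_inputs())
```

The point to notice is in `xor_gate` and in the line `k_out = xor(k_t, kc)`: because every wire's two keys differ by the same R, the XOR of the evaluator's two keys is automatically the right key of the output wire, so no table and no hash call are needed for the XOR gate.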

Proof in the RO Model [KS08]
Corrupt Alice: trivial
Corrupt Bob:
– Sim creates a fake garbled circuit whose output is always correct
– Intuitively, security reduces to proving that R is completely hidden
– Indistinguishability proved by induction on a topological ordering of the gates
Real table (u, v are the input keys known to Bob):
– H(u,v,g) ⊕ w
– H(u,v ⊕ R,g) ⊕ w
– H(u ⊕ R,v,g) ⊕ w
– H(u ⊕ R,v ⊕ R,g) ⊕ (w ⊕ R)
Simulated table:
– H(u,v,g) ⊕ w
– random_1
– random_2
– random_3
By induction, the known input keys are u, v
– Only w is recovered
– Except with negligible probability, all other values are hidden

Proof in the Standard Model?
The RO is not programmed
Can the RO be replaced by a suitable hash function?
– [KS08]: a variant of correlation robust hash functions (CorRHF) works
– Repeated wherever Free-XOR is used [PSSW09, SS11, AHI11, NO09, …]
Our contributions
– Specify a variant of CorRHF that is sufficient
– The "natural" variant of CorRHF is NOT sufficient

Proof in the Standard Model?
Main issue is circularity [BK03, BRS03, HK07, …]
– The entry H(u ⊕ R,v ⊕ R,g) ⊕ (w ⊕ R) uses R both inside the hash input and in the value being masked
– CorRHF does not capture circularity
Real table:
– H(u,v,g) ⊕ w
– H(u,v ⊕ R,g) ⊕ w
– H(u ⊕ R,v,g) ⊕ w
– H(u ⊕ R,v ⊕ R,g) ⊕ (w ⊕ R)
Our contributions
– Specify a variant of CorRHF that is sufficient
– The "natural" variant of CorRHF is NOT sufficient
– Circular correlation robust hash functions: capture circularity; security proof for the Free-XOR technique

Why is this important?
Implementors are happy with the RO…
In theory, the RO methodology is inherently flawed [CGH04]
– Want a precise formulation of the concrete properties required of the RO
The "natural" variant of CorRHF is used in other contexts [AHI11, NO09]
"CorRHF is sufficient for the Free-XOR technique" is claimed in several works [PSSW09, SS11, AHI11, …]
Which assumptions are required for the Free-XOR technique in Yao GC?
– Free-XOR in [GMW87, Kol05] needs no other assumptions

Correlation Robust Hash Functions [IKNP03]
Proposed by [IKNP03] for removing the RO in OT extension
Definition (CorRHF): H is CorRHF if for randomly chosen u_1, …, u_p the following two distributions are computationally indistinguishable
– (u_1, …, u_p, H(u_1 ⊕ R), …, H(u_p ⊕ R)) where R is chosen uniformly
– (u_1, …, u_p, w_1, …, w_p) where each w_i is chosen uniformly
(Arithmetic variant) realized under the PDH assumption [AHI11]
[KS08]: a variant can replace the RO in Free-XOR
– A hidden offset is used in both [KS08] and [IKNP03]

"Natural" Variant of CorRHF
Definition (weak 2-CorRHF): H is weakly 2-CorRHF if for given u_1, …, u_p, v_1, …, v_p the following two distributions are computationally indistinguishable
– (H(u_1 ⊕ R,v_1,1), H(u_1,v_1 ⊕ R,1), H(u_1 ⊕ R,v_1 ⊕ R,1), …, H(u_p ⊕ R,v_p,p), H(u_p,v_p ⊕ R,p), H(u_p ⊕ R,v_p ⊕ R,p)) where R is chosen uniformly
– (w_1, …, w_3p) where each w_i is chosen uniformly

Our Working Definition of 2-CorRHF
Oracle based
– Cor_R(u,v,g): output H(u,v ⊕ R,g), H(u ⊕ R,v,g), H(u ⊕ R,v ⊕ R,g)
– Rand(u,v,g): if the input was queried before, output the answer given previously; else output a uniformly chosen string
Definition (2-CorRHF): H is 2-CorRHF if every non-uniform PPT adversary A with oracle access to O (either Cor_R or Rand) cannot tell whether O is Cor_R or Rand, except with negligible advantage
Stronger than the previous definition
– Oracle queries can be adaptive

2-CorRHF and the Free-XOR technique
Reduction adversary B for 2-CorRHF
– Given O (either Cor_R or Rand)
– How to create the garbled table?
– Choose random u, v, w
– Query O(u,v,g) to get h_1, h_2, h_3
– The first 3 entries can be set
– How to obtain the fourth entry using h_3?
– Unclear how to complete the reduction
Real table:
– H(u,v,g) ⊕ w
– H(u,v ⊕ R,g) ⊕ w
– H(u ⊕ R,v,g) ⊕ w
– H(u ⊕ R,v ⊕ R,g) ⊕ (w ⊕ R)
Simulated table:
– H(u,v,g) ⊕ w
– random_1
– random_2
– random_3
Reduction table:
– H(u,v,g) ⊕ w
– h_1 ⊕ w
– h_2 ⊕ w
– ?

Counterexample
Rule out a fully black-box reduction using two oracles, H and Break
– H is 2-CorRHF even if A has oracle access to H and Break
– The Free-XOR technique is insecure when A has access to H and Break
H(u,v,g): random function
Break(u,v,g,z_1,z_2,z_3): output r when
– z_1 = H(u,v ⊕ r,g)
– z_2 = H(u ⊕ r,v,g)
– z_3 = H(u ⊕ r,v ⊕ r,g) ⊕ r
else output nothing

H is 2-CorRHF against A^{H,Break}
O = Rand: uniform, independent of A's view
O = Cor_R: uniform, independent of A's view unless A queries O(u,v,g) and
– O(u',v',g) with u' ⊕ u = R or v' ⊕ v = R, or
– H(u',v',g) with u' ⊕ u = R or v' ⊕ v = R, or
– Break(u,v,g,z_1,z_2,z_3) with z_3 ⊕ H(u ⊕ R,v ⊕ R,g) = R
This happens with negligible probability
H(u,v,g): random function
Break(u,v,g,z_1,z_2,z_3): output r when z_1 = H(u,v ⊕ r,g), z_2 = H(u ⊕ r,v,g), z_3 = H(u ⊕ r,v ⊕ r,g) ⊕ r; else output nothing

Insecurity of the Free-XOR Technique: A^{H,Break}
Attack: A acting as Bob recovers R
AND gate g, garbled table:
– H(u,v,g) ⊕ w
– c_1 = H(u,v ⊕ R,g) ⊕ w
– c_2 = H(u ⊕ R,v,g) ⊕ w
– c_3 = H(u ⊕ R,v ⊕ R,g) ⊕ (w ⊕ R)
Recover w from gate g using H(u,v,g)
– z_1 = c_1 ⊕ w
– z_2 = c_2 ⊕ w
– z_3 = c_3 ⊕ w
Query Break(u,v,g,z_1,z_2,z_3) to get R
H(u,v,g): random function
Break(u,v,g,z_1,z_2,z_3): output r when z_1 = H(u,v ⊕ r,g), z_2 = H(u ⊕ r,v,g), z_3 = H(u ⊕ r,v ⊕ r,g) ⊕ r; else output nothing
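The counterexample of the last three slides, worked through as an added example (not code from the talk). H is modelled as a lazily sampled random function and Break is realised by scanning the entries of H that have already been defined; both are assumptions that only make sense in this idealised oracle world, which is exactly why the slides' conclusion is a separation result about the definition rather than a weakness of any real hash function. The code shows that a party holding one key per input wire and the AND-gate table can obtain R from Break, and that Break answers nothing when fed values unrelated to a real table.

```python
# Added example (not the talk's code): the H / Break separation in the idealised
# model. Assumptions: H is a lazily sampled random function; Break finds its
# candidate offsets by scanning H's defined entries; keys are 16 bytes.
import secrets

KEY_LEN = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RandomFunction:
    """H(u, v, g): a fresh uniform string on first use, the same string afterwards."""

    def __init__(self) -> None:
        self.table = {}

    def __call__(self, u: bytes, v: bytes, g: int) -> bytes:
        return self.table.setdefault((u, v, g), secrets.token_bytes(KEY_LEN))


def break_oracle(H: RandomFunction, u, v, g, z1, z2, z3):
    """Output r when z1 = H(u,v^r,g), z2 = H(u^r,v,g), z3 = H(u^r,v^r,g)^r; else None.

    A correct z1 must equal an already defined value H(u, v', g), so the only
    candidates for r are v ^ v' over the defined entries with first input u.
    """
    for (u2, v2, g2) in list(H.table):
        if u2 != u or g2 != g or v2 == v:
            continue
        r = xor(v, v2)
        if (H(u, xor(v, r), g) == z1
                and H(xor(u, r), v, g) == z2
                and xor(H(xor(u, r), xor(v, r), g), r) == z3):
            return r
    return None


def free_xor_and_table(H, R, u, v, g, w):
    """The AND-gate table exactly as on the slide: H(u,v,g)^w followed by c_1, c_2, c_3."""
    return [xor(H(u, v, g), w),
            xor(H(u, xor(v, R), g), w),
            xor(H(xor(u, R), v, g), w),
            xor(H(xor(u, R), xor(v, R), g), xor(w, R))]


def bob_with_break(H, table, u, v, g):
    """A^{H,Break} acting as Bob: one key per input wire plus the table yields R."""
    w = xor(H(u, v, g), table[0])        # the one row Bob is entitled to open
    z = [xor(c, w) for c in table[1:]]   # z_i = c_i ^ w strips the output key
    return break_oracle(H, u, v, g, *z)


def counterexample_recovers_R() -> bool:
    H, R = RandomFunction(), secrets.token_bytes(KEY_LEN)
    u, v, w = (secrets.token_bytes(KEY_LEN) for _ in range(3))
    table = free_xor_and_table(H, R, u, v, 1, w)
    return bob_with_break(H, table, u, v, 1) == R


def break_is_useless_without_a_table() -> bool:
    """Unrelated z values never satisfy Break's three equations; this is the
    'happens with negligible probability' case of the 2-CorRHF argument."""
    H = RandomFunction()
    u, v = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    H(u, v, 1)  # only the entry Bob may legitimately query is defined
    z = [secrets.token_bytes(KEY_LEN) for _ in range(3)]
    return break_oracle(H, u, v, 1, *z) is None


if __name__ == "__main__":
    print("Break recovers R from a real table:", counterexample_recovers_R())
    print("Break answers nothing on random z:", break_is_useless_without_a_table())
```

What makes Break harmless for 2-CorRHF but fatal for Free-XOR is visible in `bob_with_break`: the fourth table entry lets Bob form z_3 = H(u ⊕ R,v ⊕ R,g) ⊕ R, a value that a 2-CorRHF adversary never sees because Cor_R hands out H(u ⊕ R,v ⊕ R,g) without the extra ⊕ R.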

Capturing Circularity: Circular 2-CorRHF
Recall the indistinguishable oracles in 2-CorRHF
– Cor_R(u,v,g): output H(u,v ⊕ R,g), H(u ⊕ R,v,g), H(u ⊕ R,v ⊕ R,g)
– Rand(u,v,g): if the input was queried before, output the answer given previously; else output a uniformly chosen string
Oracles for circular 2-CorRHF
– Circ_R(u,v,g,b_1,b_2,b_3): output H(u ⊕ b_1R, v ⊕ b_2R, g) ⊕ b_3R
– Rand(u,v,g,b_1,b_2,b_3): same as before
Notation: bR = 0 when b = 0 and bR = R when b = 1
Allowing b_3 = 1 captures circularity

Circular 2-CorRHF
Oracles for circular 2-CorRHF
– Circ_R(u,v,g,b_1,b_2,b_3): output H(u ⊕ b_1R, v ⊕ b_2R, g) ⊕ b_3R
– Rand(u,v,g,b_1,b_2,b_3): same as before
Indistinguishability conditioned on restricted ("legal") queries to Circ_R
– No queries of the form (u,v,g,0,0,b_3)
– No queries on both (u,v,g,b_1,b_2,0) and (u,v,g,b_1,b_2,1)
Definition (Circular 2-CorRHF): H is circular 2-CorRHF if every non-uniform PPT adversary A making legal queries to oracle O cannot tell whether O is Circ_R or Rand, except with negligible advantage

Proof of Security for the Free-XOR Technique
Corrupt Alice: trivial
Corrupt Bob: Sim creates a fake garbled circuit (AND gate g with inputs u, v and output w; XOR gate with inputs w, x and output y = w ⊕ x)
– Choose a random key for every wire except the output wires of XOR gates
– XOR the chosen keys of the input wires to get the key of the output wire of an XOR gate
– Populate the unknown values in each non-XOR gate table with random values
– Set the output garbled table to give the correct output z
Simulated table:
– H(u,v,g) ⊕ w
– random_1
– random_2
– random_3

Reduction to Circular 2-CorRHF
Reduction adversary B for circular 2-CorRHF
B is given access to O (either Circ_R or Rand) and the real inputs of both parties (AND gate g with inputs u, v and output w; XOR gate with inputs w, x and output y = w ⊕ x)
– Choose a random key for every wire except the output wires of XOR gates
– XOR the chosen keys of the input wires to get the key of the output wire of an XOR gate
– Populate the unknown values in each non-XOR gate table using O
– Set the output garbled table to give the correct output z
Reduction table:
– H(u,v,g) ⊕ w
– O(u,v,g,0,1,0) ⊕ w
– O(u,v,g,1,0,0) ⊕ w
– O(u,v,g,1,1,1) ⊕ w

Circular 2-CorRHF & the Free-XOR technique
Recall Circ_R(u,v,g,b_1,b_2,b_3): output H(u ⊕ b_1R, v ⊕ b_2R, g) ⊕ b_3R
Reduction table:
– H(u,v,g) ⊕ w
– O(u,v,g,0,1,0) ⊕ w
– O(u,v,g,1,0,0) ⊕ w
– O(u,v,g,1,1,1) ⊕ w
O = Circ_R gives the real table:
– H(u,v,g) ⊕ w
– H(u,v ⊕ R,g) ⊕ w
– H(u ⊕ R,v,g) ⊕ w
– H(u ⊕ R,v ⊕ R,g) ⊕ (w ⊕ R)
O = Rand gives the simulated table:
– H(u,v,g) ⊕ w
– random_1
– random_2
– random_3
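The oracles Circ_R and Rand, the legal-query restriction, and the reduction adversary's way of filling an AND-gate table from O, as an added example that serves both the working definition of 2-CorRHF (Cor_R is the b_3 = 0 case of Circ_R) and the reduction on the last two slides. It is not code from the talk. H is modelled as a lazily sampled random function and keys are 16 bytes; both are assumptions made for this demonstration.

```python
# Added example (not the talk's code): Circ_R / Rand oracles, the legal-query
# rule, and the reduction table. Assumptions: H is a lazily sampled random
# function; keys and R are 16 bytes.
import secrets

KEY_LEN = 16
ZERO = bytes(KEY_LEN)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RandomFunction:
    """H(u, v, g): a fresh uniform string on first use, the same string afterwards."""

    def __init__(self) -> None:
        self.table = {}

    def __call__(self, u: bytes, v: bytes, g: int) -> bytes:
        return self.table.setdefault((u, v, g), secrets.token_bytes(KEY_LEN))


class CircOracle:
    """Circ_R(u,v,g,b1,b2,b3) = H(u ^ b1*R, v ^ b2*R, g) ^ b3*R."""

    def __init__(self, H: RandomFunction, R: bytes) -> None:
        self.H, self.R = H, R

    def __call__(self, u, v, g, b1, b2, b3) -> bytes:
        bR = lambda b: self.R if b else ZERO
        return xor(self.H(xor(u, bR(b1)), xor(v, bR(b2)), g), bR(b3))

    def cor(self, u, v, g) -> tuple:
        """The plain 2-CorRHF oracle Cor_R: the three b3 = 0 queries bundled."""
        return (self(u, v, g, 0, 1, 0), self(u, v, g, 1, 0, 0), self(u, v, g, 1, 1, 0))


class RandOracle:
    """Rand(u,v,g,b1,b2,b3): a uniform string, repeated for a repeated query."""

    def __init__(self) -> None:
        self.table = {}

    def __call__(self, u, v, g, b1, b2, b3) -> bytes:
        return self.table.setdefault((u, v, g, b1, b2, b3), secrets.token_bytes(KEY_LEN))


class LegalQueries:
    """Wraps an oracle and rejects the two query patterns the definition forbids."""

    def __init__(self, oracle) -> None:
        self.oracle, self.seen = oracle, {}

    def __call__(self, u, v, g, b1, b2, b3) -> bytes:
        if (b1, b2) == (0, 0):
            raise ValueError("illegal: (u,v,g,0,0,b3) would hand out H(u,v,g) ^ b3*R")
        if self.seen.setdefault((u, v, g, b1, b2), b3) != b3:
            raise ValueError("illegal: both b3=0 and b3=1 on the same (u,v,g,b1,b2)")
        return self.oracle(u, v, g, b1, b2, b3)


def real_table(H, R, u, v, g, w):
    """The Free-XOR AND-gate table as Alice builds it with knowledge of R."""
    return [xor(H(u, v, g), w),
            xor(H(u, xor(v, R), g), w),
            xor(H(xor(u, R), v, g), w),
            xor(H(xor(u, R), xor(v, R), g), xor(w, R))]


def reduction_table(H, O, u, v, g, w):
    """The same table as B builds it: B knows u, v, w but never sees R."""
    return [xor(H(u, v, g), w),
            xor(O(u, v, g, 0, 1, 0), w),
            xor(O(u, v, g, 1, 0, 0), w),
            xor(O(u, v, g, 1, 1, 1), w)]


def reduction_matches_real_table() -> bool:
    """With O = Circ_R, B's table is exactly the real Free-XOR table."""
    H, R = RandomFunction(), secrets.token_bytes(KEY_LEN)
    u, v, w = (secrets.token_bytes(KEY_LEN) for _ in range(3))
    O = LegalQueries(CircOracle(H, R))
    return reduction_table(H, O, u, v, 1, w) == real_table(H, R, u, v, 1, w)


def reduction_matches_simulated_table() -> bool:
    """With O = Rand, B's table is the simulator's: one real entry, three uniform ones."""
    H = RandomFunction()
    u, v, w = (secrets.token_bytes(KEY_LEN) for _ in range(3))
    t = reduction_table(H, LegalQueries(RandOracle()), u, v, 1, w)
    return t[0] == xor(H(u, v, 1), w) and len({t[1], t[2], t[3]}) == 3


def illegal_queries_are_rejected() -> bool:
    O = LegalQueries(CircOracle(RandomFunction(), secrets.token_bytes(KEY_LEN)))
    u, v = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    rejected = 0
    for q in [(u, v, 1, 0, 0, 1), (u, v, 1, 1, 1, 0), (u, v, 1, 1, 1, 1)]:
        try:
            O(*q)
        except ValueError:
            rejected += 1
    return rejected == 2  # first and third are illegal, the second is a legal query
```

The two restrictions in `LegalQueries` are what keep the definition achievable: a (0,0,b_3) query would reveal H(u,v,g) ⊕ b_3R directly, and asking both b_3 = 0 and b_3 = 1 on the same point would yield R by a single XOR. The reduction only ever issues the three queries in `reduction_table`, all of which are legal, which is why it can be run against the definition.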

Conclusions & Open Questions
The Free-XOR technique is extremely influential
– Used in all Yao GC implementations
Secure in the random oracle model
The "natural" variant of 2-CorRHF is not sufficient
– Circularity
Stronger notion of 2-CorRHF: circular 2-CorRHF
– Security proof for the Free-XOR technique
"Free" gate evaluation under OWF?
Realize circular 2-CorRHF from standard crypto assumptions?

Thank You!