Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Presentation transcript:

Yan Huang, Jonathan Katz, David Evans (University of Maryland, University of Virginia): Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose

Yehuda Lindell (Bar-Ilan University): Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

Secure Two-Party Computation
- Two parties with private inputs x and y
- Compute a joint function of their inputs while preserving
  - Privacy
  - Correctness
  - Independence of inputs

Adversaries and Security
- Semi-honest: follow protocol description but attempt to learn more than allowed
  - Highly efficient, but weak guarantee
- Malicious: run any arbitrary attack strategy
  - Much more expensive
- Covert: behave maliciously and may succeed, but will be caught with a guaranteed probability

Yao’s Protocol (Semi-Honest)
[Figure labels: Alice, Bob; garbled (encrypted) circuit; compute f(x,y) (learn nothing else)]

Security for Malicious
- Alice may not construct the circuit correctly
- Solution: cut-and-choose

The Cut-and-choose Paradigm
[Figure labels: Majority, Final output]

The Cost
- How many circuits are needed to make sure that the majority are correct?
  - With s circuits, probability of cheating is s [LP11] or s [sS11]
  - For error $2^{-40}$, need approximately 125 circuits
  - For error $2^{-80}$, need approximately 250 circuits
- This is a very heavy price!

These Two Works
- Aim: reduce the number of garbled circuits needed
  1. Lindell: s circuits + some small additional overhead for $2^{-s}$ error
  2. Huang-Katz-Evans: s circuits per party in parallel for $2^{-s}$ error
- Cut-and-choose opens up many other problems (input consistency etc.); we focus on the main issue of number of circuits

Lindell’s Solution – The Main Idea
- Why majority?
  - A malicious Alice can make most circuits correct and a few not
  - The incorrect circuits can compute the function if Bob’s input meets some condition; otherwise compute garbage
  - Bob aborts if it gets different outputs:
    - If Bob aborts, Alice knows that Bob’s input does not meet the condition
    - If Bob does not abort, Alice knows that Bob’s input meets the condition

Lindell’s Solution – The Main Idea
- Make cheating possible only if all checked circuits are correct and all evaluated circuits are incorrect
  - This yields error $2^{-s}$ for s circuits
- How?
  - Alice and Bob run a small secure computation in addition
  - If Bob received two different outputs in two different circuits, it learns Alice’s input
  - In this case, Bob computes f(x,y) itself
  - Alice doesn’t know which case happened
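The two error rates compared on these slides can be computed directly. The following is an added example, not code from the talk or from either paper. It assumes a majority variant in which Bob opens exactly c of s circuits chosen uniformly at random, and an all-or-nothing variant in which each circuit is checked independently with probability 1/2; all function names are hypothetical.

```python
from itertools import combinations
from math import comb, log2

def majority_cheat_prob(s, c):
    """Majority cut-and-choose: Bob opens c of s circuits uniformly at random
    and outputs the majority result of the remaining e = s - c (assumed model)."""
    e = s - c
    b = (e + 1) // 2  # fewest bad circuits that deny the good ones a strict majority
    # Cheating goes unnoticed only if none of the b bad circuits is opened.
    return comb(s - b, c) / comb(s, c)

def best_majority_bits(s):
    """Security level (in bits) at Bob's best choice of how many circuits to open."""
    return max(-log2(majority_cheat_prob(s, c)) for c in range(1, s))

def circuits_needed(bits):
    """Smallest s for which majority cut-and-choose reaches the target error."""
    s = 2
    while best_majority_bits(s) < bits:
        s += 1
    return s

def all_or_nothing_cheat_prob(s, bad):
    """Rule from the slide: cheating works only if every checked circuit is
    correct and every evaluated circuit is incorrect. Assumes each circuit is
    checked independently with probability 1/2; enumerates all 2^s outcomes."""
    bad, wins = set(bad), 0
    for k in range(s + 1):
        for checked in combinations(range(s), k):
            evaluated = set(range(s)) - set(checked)
            wins += bool(bad) and evaluated == bad
    return wins / 2 ** s

if __name__ == "__main__":
    print("majority, s=125: %.1f bits" % best_majority_bits(125))
    print("majority, circuits for 2^-40:", circuits_needed(40))
    print("all-or-nothing, s=10:", all_or_nothing_cheat_prob(10, {0, 3, 7}))
```

Under these assumptions the majority rule needs on the order of the 125 circuits quoted earlier for error $2^{-40}$, while the all-or-nothing rule leaves Alice a single winning outcome among the $2^s$ equally likely check patterns, whichever circuits she corrupts.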

Lindell’s Solution – The Main Idea
- The secure computation
  - Yao’s circuit for malicious (e.g., LP11)
  - Number of non-XOR gates is only the number of bits in Alice’s input (very small circuit)
- Input consistency and other issues are dealt with as in other works
  - These other parameters are not optimized in the paper
  - This will be discussed in the next talk; their solutions can be applied here

Lindell’s Solution – More Details
- The garbled values on the output wires are secret (this has been used for secure delegation)
- If Bob learns two garbled values on a single output wire (in different circuits), then Alice must have been cheating
  - This is a proof that Alice cheated
- The secure computation checks if Bob has two such values and outputs Alice’s input x to Bob if yes
- This circuit can be made very small, and Alice can be forced to use the same input

Huang-Katz-Evans Solution
- Observation
  - One of the two parties is honest; all circuits generated by that party are correct
- Approach
  - Let each party generate half of the circuits
  - Suffices to ensure at least one good evaluation circuit is generated by the adversary

- A party uses consistent inputs in both roles
- Securely combine both parties’ results to obtain the final output

Input Consistency – The Goal
[Figure labels: Evaluator / OT Receiver, Generator]
- The discrete log of C is unknown. [Naor and Pinkas, SODA2001]

Input Consistency – The Idea
[Figure labels: Evaluator / OT Receiver, Generator]

Final output
- Goal: Derive the final output from both parties’ circuit evaluation results

Output Revelation: Verifiable Secret Sharing
- Generator picks a pair of secrets $(s_0, s_1)$ randomly

Output Revelation: circuit check

Output Revelation: circuit evaluation

Output Revelation: secure equality test
- One and only one of the 2 tests can succeed.
[Figure: one party holds $(s_0, s_1)$, the other holds $(s'_0, s'_1)$; equality test on $(s_0, s'_0)$ gives Output 0; equality test on $(s_1, s'_1)$ gives Output 1]

Conclusions
- Actively secure two-party computation can be done with a reduced number of circuits via either punishing the cheater or symmetric cut-and-choose.