Presentation is loading. Please wait.

Presentation is loading. Please wait.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Published byAnna Ilene Booker Modified over 9 years ago

Similar presentations

Presentation on theme: "Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose."— Presentation transcript:

1 Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose Yehuda Lindell Bar-Ilan University Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

2 Secure Two-Party Computation Two parties with private inputs x and y Compute a joint function of their inputs while preserving – Privacy – Correctness – Independence of inputs 2

3 Adversaries and Security Semi-honest: follow protocol description but attempt to learn more than allowed – Highly efficient, but weak guarantee Malicious: run any arbitrary attack strategy – Much more expensive Covert: behave maliciously and may succeed, but will be caught with a guaranteed probability 3

4 Yao’s Protocol (Semi-Honest) Alice Bob Compute f(x,y) (learn nothing else) Garbled (encrypted) circuit

5 Security for Malicious Alice may not construct the circuit correctly Solution – cut-and-choose 5

6 The Cut-and-choose Paradigm 6

7 7

8 8 Majority Final output

9 The Cost How many circuits are needed to make sure that the majority are correct? – With s circuits, probability of cheating is 2 -0.311s [LP11] or 2 -0.32s [sS11] – For error 2 -40, need approximately 125 circuits – For error 2 -80, need approximately 250 circuits This is a very heavy price! 9

10 These Two Works Aim: reduce the number of garbled circuits needed 1.Lindell: s circuits + some small additional overhead for 2 -s error 2.Huang-Katz-Evans: s circuits per party in parallel for 2 -s error Cut-and-choose opens up many other problems (input consistency etc.); we focus on the main issue of number of circuits 10

11 Lindell’s Solution – The Main Idea Why majority? – A malicious Alice can make most circuits correct and a few not – The incorrect circuits can compute the function if Bob’s input meets some condition; otherwise compute garbage – Bob aborts if it gets different outputs: If Bob aborts, Alice knows that Bob’s input does not meet the condition If Bob does not abort, Alice knows that Bob’s input meets the condition 11

12 Lindell’s Solution – The Main Idea Make cheating possible only if all checked circuits are correct and all evaluated circuits are incorrect – This yields error 2 -s for s circuits How? – Alice and Bob run a small secure computation in addition – If Bob received two different outputs in two different circuits, it learns Alice’s input – In this case, Bob computes f(x,y) itself – Alice doesn’t know which case happened 12

13 Lindell’s Solution – The Main Idea The secure computation – Yao’s circuit for malicious (e.g., LP11) – Number of non-XOR gates is only the number of bits in Alice’s input (very small circuit) Input consistency and other issues are dealt with as in other works – These other parameters are not optimized in the paper – This will be discusses in the next talk; their solutions can be applied here 13

14 Lindell’s Solution – More Details The garbled values on the output wires are secret (this has been used for secure delegation) If Bob learns two garbled values on a single output wire (in different circuits), then Alice must have been cheating – This is a proof that Alice cheated The secure computation checks if Bob has two such values and outputs Alice’s input x to Bob if yes This circuit can be made very small, and Alice can be forced to use the same input 14

15 Huang-Katz-Evans Solution Observation – One of the two parties is honest, all circuits generated by him is correct Approach – Let each party generate half of the circuits – Suffices to ensure at least one good evaluation circuit is generated by the adversary 15

16 16

17 17 A party uses consistent inputs in both roles Securely combine both parties’ results to obtain the final output

18 Input Consistency – The Goal 18 Evaluator / OT Receiver Generator The discrete log of C is unknown. [Naor and Pinkas, SODA2001]

19 Input Consistency – The Idea 19 Evaluator / OT Receiver Generator

20 Final output Goal: Derive the final output from both parties’ circuit evaluation results 20

21 Output Revelation Verifiable Secret Sharing 21 Generator picks a pair of secrets (s 0, s 1 )randomly

22 Output Revelation circuit check 22

23 Output Revelation circuit evaluation 23

24 Output Revelation secure equality test 24 (s 0,s 1 ) One and only one of the 2 tests can succeed. (s’ 0,s’ 1 ) (s 0, s’ 0 ) Output 0 (s 0, s’ 0 ) (s 1, s’ 1 ) Output 1 (s 1, s’ 1 )

25 Conclusions Actively secure two party computation can be done with reduced number of circuits via either punishing the cheater or symmetric cut-and-choose.

Download ppt "Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Yan Huang, David Evans, Jonathan Katz

Yan Huang, David Evans, Jonathan Katz
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.

Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.

A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
COVERT TWO-PARTY COMPUTATION LUIS VON AHN CARNEGIE MELLON UNIVERSITY JOINT WORK WITH NICK HOPPER JOHN LANGFORD.

COVERT TWO-PARTY COMPUTATION LUIS VON AHN CARNEGIE MELLON UNIVERSITY JOINT WORK WITH NICK HOPPER JOHN LANGFORD.

Similar presentations

Ads by Google