# Revisiting the efficiency of malicious two party computation

David Woodruff, MIT (presentation transcript)

## Secure function evaluation

Alice holds x ∈ {0,1}^n and Bob holds y ∈ {0,1}^n. What is f(x,y)?

Security: neither party learns more about the other's input than what follows from his/her own input and f(x,y).

## Application: secure datamining

- For medical research, hospitals want to mine their joint data.
- Patient confidentiality imposes strict laws on what can be shared.
- Mining cannot leak anything sensitive.

## American application

- The government has terrorist patterns it looks for in airline and credit card repositories.
- Repository holders don't want to reveal information about their users, due to user confidentiality.
- The government doesn't want to reveal its search patterns, as otherwise terrorists could change their behavior.

## Security models

- Semi-honest: parties follow their instructions but try to learn more than what is prescribed.
- Malicious: parties deviate from the protocol arbitrarily:
  - use a different input
  - force the other party to output a wrong answer
  - abort before the other party learns the answer

Difficult to achieve security in the malicious model…

## Security in the semi-honest model

[Yao] Any function f(x,y) that can be computed with a circuit of size C can be securely computed in the semi-honest model with communication O(C).

Example circuit: f(x,y) = (x1 ∧ y1) ∨ (x2 ∧ y2), two AND gates feeding one OR gate.

## Security in the malicious model

[GMW] A protocol secure in the semi-honest model can be compiled into a protocol secure in the malicious model. It therefore suffices to design protocols secure in the semi-honest model: there the parties follow the instructions of the protocol, so there is no need to worry about weird behavior.

What about efficiency?

## Efficiency

How to achieve secure function evaluation in the malicious model efficiently, measured in:

- communication
- modular exponentiations
- symmetric-key operations

Previous work:

- [GMW]: if the circuit size is C, achieve poly(C) communication and computation; inefficient in practice.
- Many problem-specific solutions exist.

## Recent work

[MNPS, MF, LP] design new compilers, transforming Yao's protocol with semi-honest security into a protocol secure in the malicious model. Very efficient theoretically, and in practice. All based on the cut-and-choose technique.

## Yao's semi-honest protocol

f(x,y) = (x1 ∧ y1) ∨ (x2 ∧ y2). Number the wires 1, …, 7: wires 1–4 are the inputs x1, y1, x2, y2, wires 5 and 6 are the outputs of the two AND gates, and wire 7 is the output of the OR gate.

Create a garbled circuit:

- Keys: K(w,0), K(w,1) for each wire w = 1, …, 7.
- Table for the gate on wire 5 (inputs 1 and 2): E_{K(1,1),K(2,0)}(K(5,0)), E_{K(1,1),K(2,1)}(K(5,1)), E_{K(1,0),K(2,0)}(K(5,0)), E_{K(1,0),K(2,1)}(K(5,0)).
- Output decoding for wire 7: E_{K(7,0)}(0), E_{K(7,1)}(1).

## Yao's semi-honest protocol

Alice:

1. Write f as a circuit.
2. Create a garbled circuit. Send Bob the tables corresponding to each gate, and the keys representing Alice's input.

Bob:

1. Run oblivious transfer to privately get the keys representing Bob's input.
2. Use the tables to locally evaluate the circuit.
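As an added illustration (not code from the talk), here is a toy garbling of exactly this circuit in Python. Two choices are assumptions of this example rather than anything the slides specify: the double-key encryption E_{k1,k2}(·) is a SHA-256-derived one-time pad with an all-zero tag so Bob can tell which table row opened, and the oblivious transfer for Bob's input keys is replaced by direct selection inside one process.

```python
import hashlib
import os
import random

# Added toy illustration (not the talk's code): garble and evaluate the slides' circuit
# f(x,y) = (x1 AND y1) OR (x2 AND y2). Wires are numbered as on the slide: 1=x1, 2=y1,
# 3=x2, 4=y2, 5=AND(1,2), 6=AND(3,4), 7=OR(5,6). Encryption is a hash-derived one-time
# pad with an all-zero tag so the evaluator can tell which table row it was able to open
# (assumed construction; any double-key encryption with such a check would do).
KEYLEN, TAGLEN = 16, 8
CIRCUIT = [  # (gate_id, input wire a, input wire b, output wire, gate function)
    (1, 1, 2, 5, lambda a, b: a & b),
    (2, 3, 4, 6, lambda a, b: a & b),
    (3, 5, 6, 7, lambda a, b: a | b),
]


def double_key_pad(k_a, k_b, gate_id, msg):
    """E_{k_a,k_b}(msg): XOR with SHA-256(k_a || k_b || gate_id); decryption is the same op."""
    pad = hashlib.sha256(k_a + k_b + bytes([gate_id])).digest()
    return bytes(m ^ p for m, p in zip(msg, pad))


def garble_gate(gate_id, in_a, in_b, out, op, keys):
    """One table per gate: for each (a, b) encrypt the key of out-wire value op(a, b) under
    the key for a on wire in_a and the key for b on wire in_b; shuffle so row order leaks nothing."""
    rows = []
    for a in (0, 1):
        for b in (0, 1):
            msg = keys[out][op(a, b)] + bytes(TAGLEN)
            rows.append(double_key_pad(keys[in_a][a], keys[in_b][b], gate_id, msg))
    random.shuffle(rows)
    return rows


def eval_gate(table, gate_id, k_a, k_b):
    """Bob tries every row; exactly one opens to a plaintext carrying the zero tag."""
    for ct in table:
        pt = double_key_pad(k_a, k_b, gate_id, ct)
        if pt[KEYLEN:] == bytes(TAGLEN):
            return pt[:KEYLEN]
    raise ValueError("no row of the gate table opens with these keys")


def garble_circuit():
    """Alice's side: two random keys per wire, one table per gate, and an output decoding
    table keyed by a hash of the output-wire keys (the slide's E_{K(7,b)}(b))."""
    keys = {w: (os.urandom(KEYLEN), os.urandom(KEYLEN)) for w in range(1, 8)}
    tables = {gid: garble_gate(gid, a, b, out, op, keys) for gid, a, b, out, op in CIRCUIT}
    output_map = {hashlib.sha256(keys[7][bit]).digest(): bit for bit in (0, 1)}
    return keys, tables, output_map


def evaluate(tables, output_map, input_keys):
    """Bob's side: holding exactly one key per input wire, evaluate gate by gate.
    The keys are random strings, so he learns nothing about Alice's bits."""
    wire = dict(input_keys)
    for gid, a, b, out, _ in CIRCUIT:
        wire[out] = eval_gate(tables[gid], gid, wire[a], wire[b])
    return output_map[hashlib.sha256(wire[7]).digest()]


def run(x, y):
    """Whole protocol in one process. Alice's input keys are sent in the clear (they are
    random strings); Bob's would be fetched by oblivious transfer, which this illustration
    replaces with direct selection."""
    keys, tables, output_map = garble_circuit()
    input_keys = {1: keys[1][x[0]], 2: keys[2][y[0]], 3: keys[3][x[1]], 4: keys[4][y[1]]}
    return evaluate(tables, output_map, input_keys)


if __name__ == "__main__":
    for x in ((0, 0), (0, 1), (1, 0), (1, 1)):
        print(x, [run(x, y) for y in ((0, 0), (0, 1), (1, 0), (1, 1))])
```

Because each row is keyed by one key from each input wire, Bob can open exactly one row per gate and so learns only the key of the correct output value, never the wire's bit; the final `output_map` is the only place a plaintext bit appears.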

## The cut-and-choose technique

Let C be a circuit for f(x,y).

Alice (input x):

1. Let C_1, …, C_m be independently garbled versions of C.
2. Send C_1, …, C_m to Bob.
3. Send Bob the keys for his challenged circuits.
4. Send the keys representing x for the unopened circuits.

Bob (input y):

1. Challenge Alice by asking her for all the keys of a random fraction of C_1, …, C_m.
2. Verify that this fraction of opened circuits was garbled correctly.
3. Run oblivious transfer to retrieve the keys representing y for each of the unopened circuits.
4. Evaluate the unopened circuits, and print the majority output.

## Things to worry about

- Some circuits are improperly garbled.
- For some unopened C_j, Alice gives keys representing her input x, and for other unopened C_j she gives keys representing some other input.
- For some unopened C_j, Alice gives keys representing Bob's input y, and for other C_j she gives keys representing some other input.

## High-level solutions

- By opening half of the circuits, guarantee that the majority of the unopened circuits are correct.
- By committing to the keys representing Alice's inputs, guarantee that Alice's inputs are consistent.
- By committing to the keys representing Bob's inputs, guarantee that Bob's inputs are consistent.

## Previous results

Let g be the number of gates and I the number of inputs of circuit C. Let ε be a statistical security parameter bounding the probability that Alice can cheat in this framework.

| Scheme | Symmetric encryptions | Exponentiations | Communication complexity |
|---|---|---|---|
| Fairplay [MNPS] | O(g/ε) | O(I) | O(g/ε) |
| Committed-input [MF] | O(g ln 1/ε) | O(I ln 1/ε) | O(g ln 1/ε) |
| Equality-checker [MF] | O(g ln 1/ε + I ln² 1/ε) | O(I) | O(g ln 1/ε + I ln² 1/ε) |
| Lindell-Pinkas | O(g ln 1/ε + I ln² 1/ε) | O(I) | O(g ln 1/ε + I ln² 1/ε) |

## Our new scheme

| Scheme | Symmetric encryptions | Exponentiations | Communication complexity |
|---|---|---|---|
| Fairplay | O(g/ε) | O(I) | O(g/ε) |
| Committed-input | O(g ln 1/ε) | O(I ln 1/ε) | O(g ln 1/ε) |
| Equality-checker | O(g ln 1/ε + I ln² 1/ε) | O(I) | O(g ln 1/ε + I ln² 1/ε) |
| Lindell-Pinkas | O(g ln 1/ε + I ln² 1/ε) | O(I) | O(g ln 1/ε + I ln² 1/ε) |
| Expander-checker | O(g ln 1/ε) | O(I) | O(g ln 1/ε) |

## Equality-checker [MF]

Let C be a circuit for f(x,y).

1. Alice lets C_1, …, C_m be independently garbled versions of C, and sends C_1, …, C_m to Bob.
2. For each input wire i of Alice, each value b ∈ {0,1}, and each pair of circuits C_r, C_s, Alice commits to the tuple (r, s, i, K(i,b)_r, K(i,b)_s) and sends the commitments to Bob.
3. Bob chooses a random T ⊆ [m] of size m/2 and asks Alice to open the C_j with j ∈ T and, for r, s ∈ T, to open the commitments to (r, s, i, K(i,b)_r, K(i,b)_s).

With high probability, the majority of the unopened circuits and the commitments between them are correct! Thus the majority of the unopened circuits are correct and Alice is forced to use consistent inputs.

## Security intuition

- Alice commits to tuples (r, s, i, K(i,b)_r, K(i,b)_s).
- C_1, …, C_m are the nodes of a complete graph. The tuple (r, s, i, K(i,b)_r, K(i,b)_s) is an edge between C_r and C_s.
- Bob chooses some circuits to open.

(Figure: circuits C_1, …, C_6; the opened circuits and the edges among them form the verification graph, the unopened ones the evaluation graph.)

## Security intuition

- Say a circuit C_j is a bad vertex if it was garbled incorrectly.
- Say a commitment to (r, s, i, K(i,b)_r, K(i,b)_s) is a bad edge if it was computed incorrectly.
- If the complete graph contains many bad vertices and bad edges, then so will the verification graph.
- Thus, if the verification test passes, with high probability the evaluation graph has few bad vertices and edges.

## Our observation

Suppose the evaluation graph has a large connected component K of good edges and good vertices. Then, by transitivity, all of Alice's inputs are the same to the circuits in K, which are all correctly garbled circuits. Thus, as long as K contains at least m/4 good vertices, a majority of the unopened circuits will be correct and have the same input from Alice. In the real/ideal model, the simulator for Alice can send the majority input to the trusted party.

## Expander graphs

- Expanders are d-regular, well-connected graphs, where d = O(1).
- Let A be the adjacency matrix of an expander G, with eigenvalues d = |λ_1| ≥ |λ_2| ≥ … ≥ |λ_n|.
- Expander-mixing lemma: for any X, Y ⊆ V, |e(X,Y) − d|X||Y|/n| ≤ |λ_2| (|X||Y|)^{1/2}.
- Induced subgraphs of expanders contain large connected components.

## Our expander

Instead of committing to all (r, s, i, K(i,b)_r, K(i,b)_s), fix an expander G on vertices 1, …, m, and only commit to (r, s, i, K(i,b)_r, K(i,b)_s) for which {r, s} is an edge of G.

(Figure: circuits C_1, …, C_6 split into a verification graph and an evaluation graph.) If the two edges in the evaluation graph are good, then C_1, C_4, and C_5 all have the same Alice input.

## Efficiency and security

- Instead of sending O(I m²) commitments, one for each tuple (r, s, i, K(i,b)_r, K(i,b)_s), we send O(I |G|) = O(I m), one for each (r, s, i, K(i,b)_r, K(i,b)_s) for which {r, s} is an edge of G.
- Since G is an expander, for any subset of m/2 vertices Bob chooses, the evaluation graph has a large component of correct circuits for which Alice has to use the same input (the proof uses the expander-mixing lemma).
- Thus, the security is the same as in Equality-checker.

## Protocol sketch

1. Alice creates garbled circuits C_1, …, C_m.
2. For Alice's input wires i, b ∈ {0,1}, and pairs of circuits C_r, C_s for which {r, s} is an edge of G, Alice commits to (r, s, i, K(i,b)_r, K(i,b)_s).
3. For Bob's input wires i, b ∈ {0,1}, and C_j, Alice commits to (j, i, K(i,b)_j).
4. Bob chooses a random T ⊆ [m] and asks Alice to open C_j and the commitments to (j, i, K(i,b)_j) with j ∈ T. For {r, s} ∈ G(T), she opens the commitments to (r, s, i, K(i,b)_r, K(i,b)_s), and Bob verifies correctness.
5. Alice sends the keys for her inputs to the unopened circuits. Bob uses the commitments to (r, s, i, K(i,b)_r, K(i,b)_s) to verify consistency.
6. Bob uses oblivious transfer to receive the keys for his input and uses the commitments to (j, i, K(i,b)_j) to verify consistency.
7. Bob evaluates the unopened circuits, and prints the majority output.

## Efficiency

- Communication = O(m|C| + mI) = O(mg).
- Symmetric encryptions = O(m|C| + mI) = O(mg).
- Modular exponentiations = O(mI) naively, but one can use a single oblivious transfer to retrieve m/2 keys at once, K(i,b)_1, …, K(i,b)_{m/2}. Thus, modular exponentiations = O(I).

## Setting m

- Theorem: Alice can cheat with probability at most 2^{-m/4} plus an additive term that is O(m ln d / d^{1/2}).
  - To bring this below ε, one should set m = O(ln 1/ε).
- This is almost tight, since we give a strategy to cheat with almost the same probability.
- We prove that Equality-checker has almost the same cheating probability, so Expander-checker is not much worse for the same values of m.
  - Our result improves and corrects the efficiency analysis of [MF].

## Main theorem

Theorem: Alice cheats with probability at most 2^{-m/4} plus an additive term that is O(m ln d / d^{1/2}).

Proof:

- Alice commits to a labeled expander G, where vertices and edges are labeled either bad or good.
- If Alice can cheat, then V(G) = S ∪ B ∪ C_1 ∪ C_2 ∪ … ∪ C_r, where
  - S is a set of size m/2,
  - B is a set of incorrectly garbled circuits,
  - each C_i is a set of circuits receiving the same Alice input, with |C_i| ≤ m/4 for all i.
- Edges between C_i and C_j in G with i ≠ j are bad edges.
- Bound the probability that Bob does not sample a vertex in B or the endpoints of a bad edge. The expander-mixing lemma implies that if many of Bob's samples lie in C_i and many lie in C_j, he will obtain the endpoints of a bad edge.

## A simple cheating strategy

- Let f(x,y) = 1 iff the Hamming distance between x and y is smaller than n/10.
- Alice creates m/4+1 circuits which compute 1−f(x,y), and 3m/4−1 circuits computing f(x,y).
- With probability C(3m/4−1, m/2) / C(m, m/2) = 2^{−O(m)}, Bob doesn't sample the bad circuits, and thus gets the wrong answer, namely 1−f(x,y).
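The following Python block is an added example, not code from the talk. It models Bob's side of the Expander-checker verification over a labelled graph of circuits (bad vertices = mis-garbled circuits, bad edges = mis-computed commitments, as in the "Security intuition" and "Our observation" slides), finds the largest good connected component of the evaluation graph, and reports when Bob's check passes yet no component reaches m/4, the case in which the majority-output argument gives no guarantee. It also evaluates the counting formula of the simple cheating strategy above and compares it with exact enumeration over Bob's choices. The graph generator (a union of random Hamilton cycles) is an assumed stand-in for the expander G; the talk does not specify how G is chosen.

```python
import itertools
import math
import random
from fractions import Fraction

# Added illustration (not the talk's code). Circuits are vertices 0..m-1; a bad vertex is a
# mis-garbled circuit, a bad edge (u, v) with u < v is a mis-computed commitment
# (r, s, i, K(i,b)_r, K(i,b)_s) between circuits u and v.


def random_expander(m, d, rng):
    """Constructed stand-in for G: the union of d/2 random Hamilton cycles on [m].
    Random d-regular graphs built this way are expanders with high probability."""
    edges = set()
    for _ in range(d // 2):
        order = list(range(m))
        rng.shuffle(order)
        for i in range(m):
            u, v = order[i], order[(i + 1) % m]
            edges.add((min(u, v), max(u, v)))
    return edges


def complete_graph(m):
    """The Equality-checker graph: one commitment for every pair of circuits."""
    return {(u, v) for u in range(m) for v in range(u + 1, m)}


def bob_verifies(edges, opened, bad_vertices, bad_edges):
    """Step 4 of the sketch: every opened circuit must be correctly garbled and every
    commitment between two opened circuits must open correctly."""
    if opened & bad_vertices:
        return False
    return not any(u in opened and v in opened and (u, v) in bad_edges for (u, v) in edges)


def largest_good_component(edges, unopened, bad_vertices, bad_edges):
    """Size of the largest connected component of the evaluation graph after dropping
    bad vertices and bad edges; all circuits in one such component share Alice's input."""
    good = unopened - bad_vertices
    adj = {v: set() for v in good}
    for (u, v) in edges:
        if u in good and v in good and (u, v) not in bad_edges:
            adj[u].add(v)
            adj[v].add(u)
    seen, best = set(), 0
    for start in good:
        if start in seen:
            continue
        stack, size = [start], 0
        seen.add(start)
        while stack:
            v = stack.pop()
            size += 1
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    stack.append(w)
        best = max(best, size)
    return best


def guarantee_fails(m, edges, opened, bad_vertices, bad_edges):
    """True when Bob's check passes but the evaluation graph has no good component of
    size >= m/4, so the majority-output argument of the slides no longer applies."""
    if not bob_verifies(edges, opened, bad_vertices, bad_edges):
        return False
    unopened = set(range(m)) - opened
    return largest_good_component(edges, unopened, bad_vertices, bad_edges) < m / 4


def exact_failure_fraction(m, edges, bad_vertices, bad_edges):
    """Exact fraction over all of Bob's choices of m/2 circuits (feasible for small m)."""
    hits = total = 0
    for opened in itertools.combinations(range(m), m // 2):
        total += 1
        hits += guarantee_fails(m, edges, set(opened), bad_vertices, bad_edges)
    return Fraction(hits, total)


def simple_strategy_probability(m):
    """The slide's count: m/4+1 circuits compute 1-f, Bob opens m/2 and misses them all."""
    bad = m // 4 + 1
    return Fraction(math.comb(m - bad, m // 2), math.comb(m, m // 2))


def monte_carlo(m, edges, bad_vertices, bad_edges, trials, rng):
    """Sampled estimate of the same event for an m too large to enumerate."""
    hits = 0
    for _ in range(trials):
        opened = set(rng.sample(range(m), m // 2))
        hits += guarantee_fails(m, edges, opened, bad_vertices, bad_edges)
    return hits / trials


if __name__ == "__main__":
    rng = random.Random(1)
    m, d = 16, 4
    G = random_expander(m, d, rng)
    bad = set(range(m // 4 + 1))  # the simple cheating strategy: bad circuits, no bad edges
    print("formula :", float(simple_strategy_probability(m)))
    print("sampled :", monte_carlo(m, G, bad, set(), 20000, rng))
```

With no bad edges the check passes exactly when Bob's sample avoids every bad circuit, so the sampled estimate tracks the closed-form count; adding bad edges between groups of circuits that receive different Alice inputs is how the main theorem's case |C_i| ≤ m/4 can be explored with the same functions.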

## Open questions

- Our hidden constants are large:
  - Cheating probability = 2^{-m/4} plus an additive term that is O(m ln d / d^{1/2}).
  - Is our scheme impractical, or is this because of a loose analysis?
  - Is Equality-checker with our improved efficiency analysis the most practical to date?
- Find d-regular graphs such that any two sets of vertices of size O(m/d) have an edge between them.
- Lindell and Pinkas give a protocol with a more formal security analysis than that given for Equality-checker. It seems our expander commitments can also be used there.

Thank you!
