Garbling Techniques David Evans

Garbling Techniques David Evans www.cs.virginia.edu/evans Summer School on Secure Computation University of Notre Dame 9 May 2016

Collaborators Samee Zahur (UVA) Mike Rosulek (Oregon State)

Recap: Garbled Table (AND gate with inputs a, b and output x; wire labels a0 or a1, b0 or b1, x0 or x1)
  E_{a0,b0}(x0)
  E_{a0,b1}(x0)
  E_{a1,b0}(x0)
  E_{a1,b1}(x1)

This Lecture
  2 ciphertexts per AND gate
  0 ciphertexts per XOR gate
  What to use for E
  Open research questions

Formalizing Garbling (CCS 2012): garbling is a fundamental primitive.

Garbling scheme interface (Garble, Encode, Evaluate, Decode):
  Garble(f) -> garbled circuit F, encoding info e, decoding info d
  Encode(e, x) -> garbled input X
  Evaluate(F, X) -> garbled output Y
  Decode(d, Y) -> z

Correctness property: z = f(x).

Security properties:
  Privacy: F, X, and d together reveal nothing beyond f(x)
  Obliviousness: F and X reveal nothing (new notion)
  Authenticity: given F and X, it is hard to find Y’ such that Decode(Y’, d) ∉ { f(x), error }

Cost of Garbling
  Storage and bandwidth: for large functions, dominated by the size of F; for small functions, the encoding (Encode, e) also matters
  Computation: Garble and Evaluate (plus Encode and Decode)

Yao’s Garbling Scheme? (FOCS 1982, FOCS 1986) Neither paper (nor any other by Yao) actually describes Yao’s garbled circuits.

Simple Garbling
  Garbled table: E_{a1,b0}(x0), E_{a0,b1}(x0), E_{a1,b1}(x1), E_{a0,b0}(x0)
  Evaluation: try all four rows; the evaluator can tell which decryption is the valid output.

Single Hash Garbling
  Garbled table: E_{a1,b0}(x0), E_{a0,b1}(x0), E_{a1,b1}(x1), E_{a0,b0}(x0)
  How can the evaluator know which row to decrypt?

Point-and-Permute (Beaver, Micali and Rogaway [STOC 1990])
  Select a random bit r_w for each wire w; set the last bit of w0 to r_w and the last bit of w1 to ¬r_w.
  Order the table canonically by the selection bits: 00/01/10/11.
  Example, r_a = 0, r_b = 0: Enc_{a0,b0}(c0), Enc_{a0,b1}(c0), Enc_{a1,b0}(c0), Enc_{a1,b1}(c1)
  Example, r_a = 1, r_b = 1: Enc_{a1,b1}(c1), Enc_{a1,b0}(c0), Enc_{a0,b1}(c0), Enc_{a0,b0}(c0)
  Encoding of garbled table entries: Enc_{a,b}(c), keyed by the input wire labels (which carry the selection bits), encrypting the output wire label c.

Basic scheme with point-and-permute, per gate: generator computes 4 hashes, evaluator computes 1 hash, bandwidth 4 ciphertexts.

Garbled Row Reduction (Naor, Pinkas and Sumner [1999])

Per gate:                        Basic Scheme   Garbled Row Reduction
  Generator compute (hashes)         4                 4
  Evaluator compute (hashes)         1                 1
  Bandwidth (ciphertexts)            4                 3

Free-XOR (Kolesnikov and Schneider [ICALP 2008])
  Uses a global generator secret.
  XORs are free! No ciphertexts or encryption needed.

Security Assumptions for Free-XOR
  ICALP 2008: proved secure in the Random Oracle model; speculated that correlation robustness was sufficient.
  TCC 2012: correlation robustness is not enough; proved secure under a related-key and circularity assumption.

Cost so far (Basic + Point-and-Permute + Garbled Row Reduction + Free XOR)
  Odd (AND) gates: Generator encryptions (H): 4; Evaluator encryptions (H): 1; Ciphertexts transmitted: 3
  Even (XOR) gates: free

Double Garbled Row Reduction (GRR2) (Pinkas, Schneider, Smart, Williams 2009)
  Garbled table for an odd gate: E_{A0,B0}(C0), E_{A0,B1}(C1), E_{A1,B0}(C0), E_{A1,B1}(C0)
  Instead of learning the output label directly, the evaluator needs to do more work to find it: the output labels are points on a polynomial P, C0 = P(0) and C1 = P(1), and the garbled table consists of just P(5) and P(6).
  Incompatible with free-XOR.

Odd (AND) gates                 Free XOR + GRR-1 + PnP   GRR-2
  Generator encryptions (H)               4               4+
  Evaluator encryptions (H)               1               1+
  Ciphertexts transmitted                 3               2
Even (XOR) gates                        free              n/a (incompatible with free-XOR)

FleXOR (Kolesnikov, Mohassel, Rosulek 2014): mixes GRR-2 gates with Free-XOR gates; converting between the two costs a single ciphertext.

Odd (AND) gates                 Free XOR + GRR-1 + PnP   GRR-2   FleXOR
  Generator encryptions (H)               4               4+      4+ (GRR-2 gates)
  Evaluator encryptions (H)               1               1+      1+ (GRR-2 gates)
  Ciphertexts transmitted                 3               2       2  (GRR-2 gates)
Even (XOR) gates                        free              n/a     {0, 1, 2}

What cost should we be focusing on?

Cost of Garbling
  H_{A,B}(C) = SHA-256(A || B || gateID) ⊕ C
  Cost to garble the AES circuit (36K gates, 6660 AND) [HEKM 2011]: garbling/evaluating time per gate ~2000/1000 ns (including network)
  Actual computation cost: 12 cycles/byte ⇝ 200 ns / 50 ns
  “Fixed-key AES” using AES-NI (Bellare, Hoang, Keelveedhi, Rogaway 2013): AES(k_const, K) ⊕ K ⊕ C where K = 2A ⊕ 4B ⊕ gateID: ~15/7 ns
  Time to transmit 80 bits at 1 Gbps: 80 ns


Half Gates
  Background: Yan Huang, David Evans, and Jonathan Katz. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? [NDSS 2012] used a network of swap gates (Journal of the ACM, January 1968), configured (by the generator) to do a random permutation.

Generator Half Gate: one input known to the generator (but secret to the evaluator).
Swapper: a “Generator Half Gate”, its swap bit known to the generator (but secret to the evaluator). With Garbled Row Reduction, only one ciphertext needs to be sent!

Evaluator Half-Gate: one input known (semantic value) to the evaluator (but secret to the generator).

Implementing Generator Half-Gates: the generator knows a. Evaluator Half-Gates: the evaluator knows b. But we need a gate where both inputs are secret…

Half + Half = Full Secret Gate
  Both inputs a and b are unknown to both parties. The generator selects a random bit r (known to the generator, unknown to the evaluator), and r ⊕ b is “leaked” to the evaluator (known to the evaluator, unknown to the generator). Then a AND b = (a AND r) ⊕ (a AND (r ⊕ b)): the first term is a generator half gate, the second an evaluator half gate, and the XOR is free. 2 ciphertexts total!
  How to leak r ⊕ b? Use r as the point-and-permute bit for B (false); the evaluator then has r ⊕ b as the selection bit of the wire label it obtains!
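Added example (not code from the slides or from the authors' implementations): one AND gate garbled with half gates on top of the point-and-permute selection bits and free-XOR labels from the earlier slides, with the generator's random bit r taken as the selection bit of B's false label as described above. The single-label hash H(label, j) (SHA-256 over a label and half-gate index j, truncated) and the 128-bit label length are assumptions of this example.

```python
import os, hashlib

LABEL_LEN = 16; ZERO = bytes(LABEL_LEN)   # 128-bit wire labels (constructed choice)

def xor(x, y): return bytes(p ^ q for p, q in zip(x, y))

def H(label, j):
    # Assumed hash instantiation: SHA-256 over one wire label and the half-gate
    # index j, truncated to a label (the slides hash labels plus gateID similarly)
    return hashlib.sha256(label + j.to_bytes(4, "big")).digest()[:LABEL_LEN]

def lsb(label): return label[-1] & 1      # point-and-permute selection bit
def new_delta():
    # Free-XOR global secret; last bit 1 guarantees w1 = w0 xor Delta has the
    # selection bit opposite to w0, as point-and-permute requires
    d = bytearray(os.urandom(LABEL_LEN)); d[-1] |= 1
    return bytes(d)

def new_wire(delta):
    w0 = os.urandom(LABEL_LEN)
    return (w0, xor(w0, delta))           # (label for 0, label for 1)

def garble_and(a, b, delta, j):
    """Generator side: 4 hashes, 2 ciphertexts (T_G, T_E); returns output label for 0."""
    pa, pb = lsb(a[0]), lsb(b[0])         # r := pb is the generator's random bit
    # Generator half gate: a AND pb, where pb is known to the generator only
    T_G = xor(xor(H(a[0], j), H(a[1], j)), delta if pb else ZERO)
    W_G0 = xor(H(a[0], j), T_G if pa else ZERO)
    # Evaluator half gate: a AND (pb xor b); the evaluator learns pb xor b for
    # free because it is the selection bit of the B label it holds
    T_E = xor(xor(H(b[0], j + 1), H(b[1], j + 1)), a[0])
    W_E0 = xor(H(b[0], j + 1), xor(T_E, a[0]) if pb else ZERO)
    return xor(W_G0, W_E0), (T_G, T_E)    # a AND b = (a AND pb) xor (a AND (pb xor b))

def eval_and(table, A, B, j):
    """Evaluator side: 2 hashes (one per half gate), rows picked by public bits."""
    T_G, T_E = table
    sa, sb = lsb(A), lsb(B)
    W_G = xor(H(A, j), T_G if sa else ZERO)
    W_E = xor(H(B, j + 1), xor(T_E, A) if sb else ZERO)
    return xor(W_G, W_E)                  # free XOR of the two half-gate outputs

def run(x_a, x_b):
    """Garble one AND gate, evaluate it on (x_a, x_b), decode; returns (bit, #ciphertexts)."""
    delta = new_delta()
    a, b = new_wire(delta), new_wire(delta)
    c0, table = garble_and(a, b, delta, j=0)
    Y = eval_and(table, a[x_a], b[x_b], j=0)    # Evaluate(F, Encode(e, x))
    d = (c0, xor(c0, delta))                    # decoding info for the output wire
    return d.index(Y), len(table)               # Decode(d, Y); ValueError if invalid
```

Because the selection bits are random per run, repeating run() exercises all four combinations of the generator's hidden bits (pa, pb) on every input pair.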

Odd (AND) gates                 Free XOR + GRR-1 + PnP   GRR-2   FleXOR             Half-Gates
  Generator encryptions (H)               4               4+      4+ (GRR-2 gates)     4
  Evaluator encryptions (H)               1               1+      1+ (GRR-2 gates)     2
  Ciphertexts transmitted                 3               2       2  (GRR-2 gates)     2
Even (XOR) gates                        free              n/a     {0, 1, 2}            free

Benchmarks (Zahur, Rosulek, and Evans [EuroCrypt 2015])
  Edit distance: Levenshtein distance between two 200-byte strings
  AES: 1 block of encryption and key expansion, iterated 10 times
  Set intersection: 1024 32-bit integers, iterated 10 times

                                Free-XOR+GRR+PnP   Half Gates
  Generator encryptions (H)           4               4
  Evaluator encryptions (H)           1               2
  Ciphertexts transmitted             3               2
  XORs                              Free ✓           Free ✓
Half Gates savings: Bandwidth 33%; Execution time (edit distance) 25%; Energy 21%

Can we do better?

Optimality of Two Ciphertexts. Theorem (proof in the ZER15 paper): garbling a single AND gate requires 2 ciphertexts if the garbling scheme is “linear”. “Linear” operations: XOR, polynomial interpolation.

How to Do Better?
  Non-linear operations
  Gates that are not binary (chunking the circuit’s Boolean logic)
  Reusable ciphertexts
  Different security assumptions
  …


David Evans, evans@virginia.edu, www.cs.virginia.edu/evans, OblivC.org, mightBeEvil.org. Credits: Mike Rosulek, Samee Zahur
