Quid-Pro-Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution
Yan Huang (1), Jonathan Katz (2), David Evans (1)
1. University of Virginia 2. University of Maryland

Presentation transcript:

Quid-Pro-Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution
Yan Huang (University of Virginia), Jonathan Katz (University of Maryland), David Evans (University of Virginia)

Secure Two-Party Computation
Alice: Alice's Genome: ACTG… Markers (~1000): [0, 0, …, 1]
Bob: Bob's Genome: ACTG… Markers (~1000): [0, 1, …, 0]
Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?

Faster Garbled Circuits (Semi-honest)
[Figure: Circuit-Level Application and Circuit Structure feeding a GC Framework (Generator) and a GC Framework (Evaluator), shown with garbled table entries such as Enc_{x0^0, x1^1}(x2^1)]
- Pipelining: gates evaluated as they are generated
- Garbled evaluation can be combined with normal execution
- Circuit-level optimizations

Results for Semi-honest Protocols
Performance [chart: non-free gates per millisecond]
Scalability [chart: largest circuit executed (non-free gates)]
Applications:
- biometric identification (5x speedup) [NDSS 2011]
- Hamming distance (4000x), Edit distance (30x), Smith-Waterman, AES Encryption (16x) [USENIX Sec 2011]
- private set intersection (faster than best custom protocols) [NDSS 2012]

Standard Threat Models
Semi-Honest: the adversary follows the protocol as specified, but tries to learn more from the protocol execution transcript. Reasonable performance, unreasonable assumptions.
Malicious: the adversary can do anything; the protocol still guarantees correctness and privacy. Reasonable assumptions, unreasonable performance.

Security Properties
Privacy: nothing is revealed other than the output.
Correctness: the output of the protocol is indeed f(x, y).
[Figure: Generator and Evaluator, connected by malicious-resistant OT and semi-honest GC]
How can we get correctness while maintaining privacy?

How about Dual Execution?

Dual Execution Protocol [Mohassel and Franklin, PKC06]
[Figure: Alice and Bob, each run labeled with a generator and an evaluator]
1. First round execution (semi-honest)
2. Second round execution (semi-honest)
3. Fully-secure equality test

Security Properties
Correctness: guaranteed by the authenticated, secure equality test.
Privacy: leaks one (extra) bit on average. Example: an adversarial circuit generator provides a circuit that fails on ½ of inputs.
A malicious generator can achieve either one of the following, but not both:
1. Decrease likelihood of being caught
2. Increase information leaked when caught
On average, it is a 1-bit leak.

Equality Test

One-sided Equality Test
Allows Bob to convince Alice that they share the same secret value.
Need to run this 2-round protocol twice (parallelizable as well) to accomplish the full equality test.

Proving Security: Malicious
Ideal World: A and B hand their inputs x and y to the Trusted Party in the Ideal World. Receives: f(x, y).
Real World: A and B, with inputs x and y, run the Secure Computation Protocol. The corrupted party behaves arbitrarily.
Show equivalence between the two worlds.
Standard Malicious Model: can't prove this for Dual Execution.

Proof of Security: One-Bit Leakage
Ideal World: A and B hand their inputs x and y to the Trusted Party in the Ideal World.
g is an arbitrary Boolean function (with values in {0, 1}) selected by malicious adversary A.
Adversary receives: g(x, y) and optionally f(x, y).
Can prove equivalence to this for Dual Execution protocols.
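An added illustration, not taken from the slides: a plaintext model of dual execution showing that a deviating generator learns only the pass/fail outcome of the equality test, whose entropy is at most one bit. Garbling and OT are abstracted away; the Hamming-distance f, the 4-bit inputs, the predicates g, and the choice of Alice as the deviating generator are assumptions made for the example.

```python
from math import log2

N_BITS = 4  # constructed toy input width (assumption)

def f(x, y):
    """Agreed function (assumed for the example): Hamming distance."""
    return bin(x ^ y).count("1")

def deviating_circuit(g):
    """Circuit from a generator that deviates: wrong output whenever g(x, y) holds."""
    def circuit(x, y):
        out = f(x, y)
        return out ^ 1 if g(x, y) else out
    return circuit

def dual_execution(circuit_a, circuit_b, x, y):
    """Two semi-honest runs plus equality test, modeled on plaintext values.
    The output is released only if the test passes (delayed revelation)."""
    out_bob = circuit_a(x, y)      # Bob evaluates the circuit Alice generated
    out_alice = circuit_b(x, y)    # Alice evaluates the circuit Bob generated
    passed = out_bob == out_alice  # stands in for the secure equality test
    return (out_alice if passed else None), passed

def leakage_profile(g, x):
    """For fixed x and uniform y: (probability the deviation is detected,
    entropy in bits of the pass/fail outcome, the only extra thing revealed)."""
    ys = range(2 ** N_BITS)
    bad = deviating_circuit(g)
    fails = sum(not dual_execution(bad, f, x, y)[1] for y in ys)
    p = fails / len(ys)
    h = 0.0 if p in (0.0, 1.0) else -p * log2(p) - (1 - p) * log2(1 - p)
    return p, h

# Constructed predicates g, standing in for the adversary's choice
PREDICATES = {
    "honest (g = 0)": lambda x, y: False,
    "fails on 1/2 of inputs": lambda x, y: y & 1 == 1,
    "fails on 1/16 of inputs": lambda x, y: y == 0b1010,
}

if __name__ == "__main__":
    for name, g in PREDICATES.items():
        p, h = leakage_profile(g, x=0b0011)
        print(f"{name:24s} detected with prob {p:.4f}, leak {h:.3f} bits")
```

The half/half partition is the only one that reaches a full bit; any other split lowers the entropy of the pass/fail outcome.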

1-bit Leak
Circuit structure can be checked by the evaluator (including free XORs).
Design the circuit to limit a malicious generator's ability to partition the input space.
Challenge: the generator can also lie about its inputs.
Open Question: Can we have more confidence on which one bit is not leaked?

Delayed Revelation
Goal: do not reveal output to either party, unless the equality test passes.
Solution: check equality of output wires using a secure circuit that outputs results.
This circuit is also executed as a Dual Execution protocol!

Dual Execution Protocol
[Figure: Alice and Bob, each run labeled with a generator and an evaluator]
1. First round execution (semi-honest)
2. Second round execution (semi-honest)
3. Fully-secure equality test
Recall: work to generate is 3x work to evaluate!

Performance
Circuits of arbitrary sizes can be done this way [Kreuter et al., USENIX Security 2012]

Summary
1. First round execution (semi-honest)
2. Second round execution (semi-honest)
3. Fully-secure, authenticated equality test
Provides full correctness and maximum one-bit average leakage against fully malicious adversaries (formal proof using ideal/real world model).
With the pipelining framework, almost free with dual-core; 40-50% over the semi-honest protocol with one core.