Gate Evaluation Secret Sharing and Secure Two-Party Computation

Presentation transcript:

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto vlad@cs.utoronto.ca

Secure Function Evaluation. One-Round. $f: D_1 \times D_2 \to D_3$. Input: $y \in D_2$. Input: $x \in D_1$. … $f(x,y)$, $f(x,y)$ ?

SFE Models. Semi-honest: both players follow the protocol; they observe communication and try to learn additional info. Malicious: players can freely cheat; solutions can be obtained by “compilation” of a semi-honest protocol.

Approaches to SFE. SFE for specific functions: Greater Than, Auctions, Voting. SFE for arbitrary functions: functions given as a circuit, branching program, etc. This work: SFE of any boolean formula.

Oblivious Transfer (OT). Input: secrets $s_0, s_1$; learn: nothing. Input: $b$; learn: $s_b$.

Reduction of SFE to OT. OT is a fundamental primitive (Rabin ’81, Kilian ’88). Unconditional reductions are possible. OT is implementable under a variety of computational and physical assumptions.

Previous Work. Yao’s Garbled circuit. Sander, Young and Yung ’99. Kilian ’88 + Cleve ’90 (also CFIK ’03): based on Permutation Branching Programs. Ishai and Kushilevitz ’00, ’02: based on Branching Programs.

Secure Gate Evaluation. $x \in \{0,1\}$, $y \in \{0,1\}$, $G(x,y)$ ? $s_0', s_0'' \to G(0,0)$; $s_0', s_1'' \to G(0,1)$; $s_1', s_0'' \to G(1,0)$; $s_1', s_1'' \to G(1,1)$. $s_y''$; OT $(x, (s_0', s_1'))$; $s_x', s_y''$; $G(x,y)$ ?

Composition: Gate Evaluation Secret Sharing (GESS). $x \in \{0,1\}$, $y \in \{0,1\}$, … Secrets: s00, s01, s10, s11. s03,s04 → s’G1(0,0) s00; s03,s14 → s’G1(0,1) s01; s13,s04 → s’G1(1,0) s10; s13,s14 → s’G1(1,1) s11.

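GESS for Gates with Binary Inputs. Output wire secrets: $s_{00}, s_{01}, s_{10}, s_{11}$. Wire 1 shares: $(b, R_0)$ for value 0, $(\neg b, R_1)$ for value 1. Wire 2 shares: $(R_0 \oplus s_{00},\ R_1 \oplus s_{10})$ for value 0, $(R_0 \oplus s_{01},\ R_1 \oplus s_{11})$ for value 1. Permute if $b = 1$; $b \in_R \{0,1\}$. Reconstruction: $((c, r), (r_0, r_1)) \to r \oplus r_c$. Exponential growth with depth. For OR and AND gates either left or right columns of wire 2 are equal!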
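
The binary-gate scheme on this slide, written out as an added Python example (not code from the presentation). The function names, the byte-string encoding of secrets and the `equal_columns` helper are assumptions made for illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def gate_secrets(gate, out0: bytes, out1: bytes):
    """s[i][j] = output-wire secret for G(i, j) (constructed helper)."""
    return [[(out0, out1)[gate(i, j)] for j in (0, 1)] for i in (0, 1)]

def gess_share(s):
    """Split s[i][j] into wire-1 shares (flag, R_x) and wire-2 shares (two blocks)."""
    k = len(s[0][0])
    b = secrets.randbits(1)                       # b chosen at random from {0,1}
    R = (secrets.token_bytes(k), secrets.token_bytes(k))
    wire1 = [(b, R[0]), (1 - b, R[1])]            # (b, R0) and (not b, R1)
    wire2 = []
    for y in (0, 1):
        blocks = [xor(R[0], s[0][y]), xor(R[1], s[1][y])]
        if b == 1:                                # permute if b = 1
            blocks.reverse()
        wire2.append(tuple(blocks))
    return wire1, wire2

def gess_reconstruct(share1, share2):
    """(c, r), (r0, r1) -> r XOR r_c"""
    c, r = share1
    return xor(r, share2[c])

def equal_columns(wire2):
    """Block positions where the two wire-2 shares coincide."""
    return [i for i in (0, 1) if wire2[0][i] == wire2[1][i]]

if __name__ == "__main__":
    AND = lambda x, y: x & y
    out0, out1 = b"\x00" * 16, b"\xff" * 16       # constructed sample secrets
    w1, w2 = gess_share(gate_secrets(AND, out0, out1))
    for x in (0, 1):
        for y in (0, 1):
            assert gess_reconstruct(w1[x], w2[y]) == (out0, out1)[x & y]
    print("wire-2 share bytes:", sum(map(len, w2[0])),
          "equal columns:", equal_columns(w2))
```

Each wire-2 share is twice the length of the secret it protects, which is the source of the exponential growth with depth; for AND and OR exactly one column of the two wire-2 shares coincides.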

GESS for AND/OR gates. Key: view secrets as being equal, except for one column of blocks. Share column-wise. (1) (2) (4), (1) (3) (4): n blocks of size k; example: n = 3. $\in_R$ ( {1..n+1} {1..n+1}). Shares have the same block equality properties.

GESS Performance. Given a boolean formula F. Cost $\approx \sum_i d_i^2$ ($d_i$ is the depth of leaf $i$). F is balanced $\Rightarrow$ quasilinear in |F|. Rebalance F to log depth (Bonet-Buss, Spira). Previous best: exponential in depth directly for circuits; quadratic in |F| via Branching Programs.

GESS Performance. Cost of SFE of boolean NC1 circuit of depth d. This work: $O(2^d d^2)$. Previous best: $(2^d\, 2^{d^{1/2}})$ (Kilian-Cleve, Cramer-Fehr-Ishai-Kushilevitz ’03).

Other results. Lower Bounds. New Efficient Protocol for GT. Generalization of Yao’s Garbled Circuit.

Lower Bounds. Wire 1 shares: $A_0$ (value 0), $A_1$ (value 1). Wire 2 shares: $B_0$, $B_1$. Output wire secrets: $S_{00}, S_{01}, S_{10}, S_{11}$. When secrets are independent, $H(A_i) + H(B_j) \ge 3 H(S)$.