Maliciously Secure Two-Party Computation

Slides:



Advertisements
Similar presentations
Polylogarithmic Private Approximations and Efficient Matching
Advertisements

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Secure Computation of Linear Algebraic Functions
Secure Evaluation of Multivariate Polynomials
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Oblivious Transfer based on the McEliece Assumptions
Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung.
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
Multi-Client Non-Interactive Verifiable Computation Seung Geol Choi (Columbia U.) Jonathan Katz (U. Maryland) Ranjit Kumaresan (Technion) Carlos Cid (Royal.
Efficient and Robust Private Set Intersection and multiparty multivariate polynomials Dana Dachman-Soled 1, Tal Malkin 1, Mariana Raykova 1, Moti Yung.
Secure Computation of the k’th Ranked Element Gagan Aggarwal Stanford University Joint work with Nina Mishra and Benny Pinkas, HP Labs.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
Slide 1 Vitaly Shmatikov CS 380S Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert.
Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.
Slide 1 Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.
Cryptography In the Bounded Quantum-Storage Model Christian Schaffner, BRICS University of Århus, Denmark ECRYPT Autumn School, Bertinoro Wednesday, October.
Cryptography In the Bounded Quantum-Storage Model Christian Schaffner, BRICS University of Århus, Denmark 9 th workshop on QIP 2006, Paris Tuesday, January.
On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.
1 Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University Joint work with Ariel Elbaz(Columbia University) Tal Malkin(Columbia.
Introduction to Quantum Key Distribution
Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research.
Secure Computation (Lecture 2) Arpita Patra. Vishwaroop of MPC.
Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/08/08 CRYP-106 Efficient Fully-Simulatable Oblivious Transfer.
Jonathan Katz University of Maryland Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/08/08 CRYP-108 Aggregate Message- Authentication.
Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation YE Jian-wei March 7, 2009.
Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.
Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.
Lower bounds for Unconditionally Secure MPC Ivan Damgård Jesper Buus Nielsen Antigoni Polychroniadou Aarhus University.
Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa.
On the (im)possibility of perennial message recognition protocols without public-key cryptography Peeter Laud Cybernetica AS & University of Tartu
Cryptography By: Nick Belhumeur. Overview What is Cryptography? What is Cryptography? 2 types of cryptosystems 2 types of cryptosystems Example of Encryption.
Garbling Techniques David Evans
Topic 36: Zero-Knowledge Proofs
Attacks on Public Key Encryption Algorithms
Fast Actively Secure OT Extension For Short Secrets
On the Size of Pairing-based Non-interactive Arguments
Cryptographic Hash Function
MPC and Verifiable Computation on Committed Data
Committed MPC Multiparty Computation from Homomorphic Commitments
Introduction to security goals and usage of cryptographic algorithms
The first Few Slides stolen from Boaz Barak
Course Business I am traveling April 25-May 3rd
Cryptography CS 555 Lecture 22
Gate Evaluation Secret Sharing and Secure Two-Party Computation
Improved Private Set Intersection against Malicious Adversaries
Verifiable Oblivious Storage
Four-Round Secure Computation without Setup
Cryptography for Quantum Computers
Multi-Party Computation: Second year
Cryptographic protocols 2015, Lecture 3 Key Exchange, CDH, DDH
Cryptography CS 555 Digital Signatures Continued
Information-Theoretic Security
ECE 352 Digital System Fundamentals
Malicious-Secure Private Set Intersection via Dual Execution
Helen: Maliciously Secure Coopetitive Learning for Linear Models
Oblivious Transfer.
ECE 352 Digital System Fundamentals
Outline Designing secure protocols Basic protocols Key exchange
CRYP-F02 Actively Secure 1-out-of-N OT Extension with Application to Private Set Intersection Peter Scholl (University of Bristol) Michele Orrù (ENS Paris)
ITIS 6200/8200 Chap 5 Dr. Weichao Wang.
Presentation transcript:

Maliciously Secure Two-Party Computation MiniLEGO: Efficient Secure Two-Party Computation From General Assumptions Tore Frederiksen, Thomas Jakobsen, Jesper Nielsen, Peter Nordholt, Claudio Orlandi 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation Outline Introduction What is the setting? Garbled circuits Why should we look at this? Preliminaries Free XOR XOR-homomorphic commitments The LEGO approach Overall idea New problems Conclusion Practical efficiency Future work This talk is short, so there is plenty of time for questions and details But if no questions, then I have prepared 10 more slides outlining an XOR homomorphic commitment scheme based on ECC 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation What is the problem? Secure two-party computation x y f(x, y)=(fA(x, y), fB(x, y)) Alice has private data/Bob has private data Want to compute function on data to achieve private output E.g. Millionaire problem We achieve this in different models, e.g. passive security/active security fA(x, y) fB(x, y) 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation Why is it worth solving? Set intersection Patients: Alice Cooper Cher David Bowie Gary Moore Otep Customers: Alice Cooper Chibi La Roux Madonna E.g. Set intersection without any trusted 3rd party Set intersection can be used for the following problem. 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation How can it be solved? Secure computation zoo Can be based on many things; e.g. secret sharing, homomorphic encryption, or garbled circuits Some only gives passive, some gives active, and we can compile an active protocol from a private 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation Introduction What is the setting? Approach: Yao’s garbled circuits (Gate level) Cut-and-choose approach for malicious security Using XOR-homomorphic commitment UC secure OT-hybrid security 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation Introduction Constructing a garbled circuit Consider a function expressible as a Boolean circuit, for simplicity, and in rest of talk assume output only to one party (can be fixed with encryption and mac) One party (constructor, Alice) associate random keys with each wire instead of bits. Want intermediate values to be secret for evaluator One construct garbled table for each gate (encrypt each gate). Which will then be sent to other part who evaluates View Boolean truth table of gate, but instead of output bit, have encryption of output key under input key bits (However, problem is now that we want semantic knowledge of key secret, i.e. hide intermediate values. So now since gate is based on truth table we know what the key is when we decrypt, so we randomize the order of entries However, we do not know which entry to decrypt.) Now have entire circuit and given only one key on input wire makes it possible to evaluation obliviously all the way down Final problem is output: simple solution is to have final gates encrypt a single bit instead of new key 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation Introduction Yao’s garbled circuit with passive security Protocol becomes quite intuitive from this Alice garble circuit Send one key for each input wire in correspondence her binary input -> Do OT for Bob to learn his keys. Bit select exactly one of the other parties inputs. Which he learns With this Bob can decrypt circuit and learn output Only passive secure: Alice can garble a wrong circuit 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation Introduction The cut-and-choose approach to get malicious security Challenge: Commit Challenge Use statistics: instead of having Alice garble one circuit she garbles many and Bob check half of these correct She can cheat by making some incorrectly, but if she does so with many, with large prob she will be busted She starts by making all, commit to them towards Bob Half circuits are randomly chosen as check circuits, which she opens and Bob verifies Open 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation Introduction The cut-and-choose approach to get active security Challenge: Open Alice then sends keys for her input to remaining circutis They do OT for the Bobs keys. Bob evaluates and takes majority output to be real output Need majority as malicious circuits can be correct except if Bobs first bit is 0 Notice we abstract away several issues (consistency of both alice and bob, selective failure 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Information theoretical security Introduction The cut-and-choose approach to get active security Simple Information theoretical security Fast (limited use of public key operations) Asymptotic increase in complexity of O(s) LEGO reduces the overhead to O(s/log(|C|) Original LEGO [NO09] needs public key operations for each gate What do we get from this protocol? CnC has large asymptotic complexity, but good in practice, because of little PK primitives In fact, if no preprocessing CnC is most efficient, scales well in parallel We keep round optimal, amount of heavy operations optimal, but lower compexity Compared to original lego we also eliminate the need for public key operations for each gate. 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation Outline Introduction What is the setting? Garbled circuits Why should we look at this? Preliminaries Free XOR XOR-homomorphic commitments The LEGO approach Overall idea New problems Conclusion Practical efficiency Future work 2 min ----- Meeting Notes (08/11/13 15:36) ----- 16 min 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation Free XOR [KS08] Each 0-key is chosen randomly Each 1-key is the 0-key XOR’ed with a random value, common for the entire garbled circuit 0-output key for XOR gate: 1-keys for i and i+1: Computing XOR gate: Truth table: 1-output key for XOR gate: 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

XOR-homomorphic commitments Open M1 M1 M2 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation Outline Introduction What is the setting? Garbled circuits Why should we look at this? Preliminaries Free XOR XOR-homomorphic commitments The LEGO approach Overall idea New problems Conclusion Practical efficiency Future work 2 min ----- Meeting Notes (08/11/13 15:36) ----- 22 min 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation The LEGO approach The Overall idea Commit Cut-and-choose Remember the cut and choose approach Gates consists of garbled computation table and XOR homomorphic commitment to 0-keys Sends gates and commitments to Bob Open 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation The LEGO approach Horizontal soldering ----- Meeting Notes (08/11/13 12:23) ----- 21 min ----- Meeting Notes (08/11/13 12:51) ----- The bad gates are now randomly distributed in the buckets. We know that only a few bad gates are remaining, so with very large probability no more than 1 bad gate will end up in the same bucket. Now we can do normal majority as in generel CnC, which will be correct with large probability 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation The LEGO approach Vertical soldering 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation The LEGO approach Vertical soldering 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation The LEGO approach Input soldering 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation The LEGO approach Input soldering Send inputs 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation The LEGO approach Evaluation Send output keys 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation The LEGO approach New problems Soldering: Horizontal Vertical Input ----- Meeting Notes (08/11/13 12:30) ----- 24 min ----- Meeting Notes (08/11/13 15:36) ----- 29 min 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation The LEGO approach Horizontal soldering head 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation The LEGO approach Horizontal soldering head Majority 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation The LEGO approach Vertical soldering Bucket j Majority 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation The LEGO approach Input soldering OT head Horizontal soldering 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation Outline Introduction What is the setting? Garbled circuits Why should we look at this? Preliminaries Free XOR XOR-homomorphic commitments The LEGO approach Overall idea New problems Conclusion Practical efficiency Future work 2 min ----- Meeting Notes (08/11/13 15:36) ----- 39 min 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Better asymptotic complexities Conclusion Practical efficiency Better asymptotic complexities Practical efficiency depends directly on XOR-homomorphic commitments Or the size of the garbled circuit, because of asymptotic increase in efficiency O(s/log(|C|)) replication factor Normal cut and choose we base replication on security parameter, here we base it on gates in circuit. Which Is in general greater. Furthermore, we use each of the result to do several majorties. The rest comes form combinatorial proof 38 min 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation Conclusion Practical efficiency In [NO09] Pedersen Commitments were used 3 public-key operations on each gate per party In [FJNNO13] XOR-homomorphic commitments constructed from error correcting codes+OT Based on symmetric primitives when using OT extension, but codes leads to constants of around 40 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation Conclusion Future work The Aarhus Crypto-group is working on making cheaper XOR-homomorphic commitments and thus a more efficient LEGO protocol. Hopefully more efficient than normal cut-and-choose even for smaller circuits 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation Conclusion Free XOR Symmetric Asymmetric Rounds MiniLEGO Yes O(s|C|/log(|C|)) O(s) O(1) LEGO No [LP11, sS11, sS13, L13, FN13, …] O(s|C|) O(sn) [NNOB12] O(d) [DPSZ12] O(|C|) 6+10+11+4 Mention test case again! s is statistical security parameter, |C| is circuit size, d is circuit depth, n is input/output bits Thanks you! Questions? 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation XOR-homomorphic commitments The error correcting code Error correction gives us large distance between codewords, which makes it impossible for Alice to get away with opening commitments wrongly since with large probability at least one watch bit position will change 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation XOR-homomorphic commitments The protocol - Setup Idea is to use an error correcting code with “nice” properties to encode messages Encoded messages are then committed to by padding some randomness (hiding), where some of the randomness is leaked to the opener (Bob) (binding) Commitments must be preprocessed. So we need an upper bound on the amount of commitments In fact messages are random and then corrected to specific values by linearity of the code We start by doing a big ROT Mu is the amount of commitments we wish to make n, is the size of a commitment (40*s). K is a small number close to s 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation XOR-homomorphic commitments The protocol - Setup View the output of the ROT as a matrix 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation XOR-homomorphic commitments The error correcting code Idea is to use the columns of the random matrix as padding 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation XOR-homomorphic commitments The protocol - Setup Alice chooses 2mu random messages and encode them. She XORs the result to the outcome of the ROT and sends this to Bob (This will work as a commitment to random messages) 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation XOR-homomorphic commitments The protocol - Setup The k row of the matrix Bob learn are known as the “watch bits” He then XORs this with the random commitments and learns k bits of each encoded message, not a problem because of secret sharing property 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation XOR-homomorphic commitments The protocol - Setup A CnC step is performed and Bob learns half of the messages. He encodes them and verifies them against the watch bits he knows 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation XOR-homomorphic commitments The protocol – Committing and opening When Alice wants to commit she sends the XORing needed to change the random encoding into what she wants to commit to. To open she sends the XOR of the padding for all the messages she wants to XOR together. Bob encodes these and verifies them against the watch bits 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Maliciously Secure Two-Party Computation XOR-homomorphic commitments The protocol - Security If there is a different bit in the opening. Then the encoding will cascade it to many positions and with overwhelming probability one of the positions will be a watch bit 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

XOR-homomorphic commitments Which code? In [FJNNO13] we find a code that works due to Chen and Cramer based on algebraic geometry. However, recent work shows that we can use a random matrix instead: Binary linear by construction Messages will be keys, so extra randomness not needed in our context Secret sharing comes from randomness of the codewords Efficient decoding does not seem to be needed Constants will go down from around 44 to 14 14-11-2018 The LEGO Approach for Maliciously Secure Two-Party Computation

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.