Fastest 2PC in all the land Batch Dual Execution Fastest 2PC in all the land Peter Rindal Mike Rosulek

Yao’s Protocol 𝑦 𝑥 𝑥 𝑦 Yao 𝑓(𝑥,𝑦)

Yao’s Protocol 𝑦 𝑥 𝑥 𝑦 Yao 𝑓(𝑥,𝑦) ⋅ Secure against Alice

Dual Execution 𝑥 𝑦 𝑦 𝑥 𝑓 𝑥,𝑦 𝐵 𝑦 𝑥 𝑓 𝑥,𝑦 𝐴 [MohasselFranklin06] Yao 𝑓 𝑥,𝑦 𝐵 Yao 𝑥 𝑦 𝑓 𝑥,𝑦 𝐴

Dual Execution 𝑥 𝑦 𝑦 𝑥 𝑓 𝑥,𝑦 𝐵 𝑦 𝑥 𝑓 𝑥,𝑦 𝐴 𝑓 𝑥,𝑦 𝐵 𝑓 𝑥,𝑦 𝐵 [MohasselFranklin06] 𝑥 𝑦 Yao 𝑦 𝑥 𝑓 𝑥,𝑦 𝐵 𝑦 𝑥 Yao 𝑓 𝑥,𝑦 𝐴 𝑓 𝑥,𝑦 𝐵 𝑓 𝑥,𝑦 𝐵 Eq? First Yao secure against Alice. Second Yao secure against Bob

Malicious secure. Leaks only a single bit! Dual Execution [MohasselFranklin06] 𝑥 𝑦 Yao 𝑔 ⋅ ,𝑦 𝑦 𝑥 𝑔 𝑥,𝑦 𝐵 𝑦 𝑥 Yao 𝑓 𝑥,𝑦 𝐴 𝑔 𝑥,𝑦 𝐵 𝑓 𝑥,𝑦 𝐵 Eq? First Yao secure against Alice. Second Yao secure against Bob Equality leaks 𝑔 𝑥,𝑦 =𝑓(𝑥,𝑦) Malicious secure. Leaks only a single bit!

Dual Execution 𝑥 𝑦 𝑦 𝑥 𝑦 𝑥 𝑧 1 𝐵 ,…, 𝑧 𝑛 𝐵 𝑧 1 𝐴 ,…, 𝑧 𝑛 𝐴 [KolesnikovMohasselRivaRosulek15] 𝑥 𝑦 Yao Yao Yao Yao 𝑦 𝑥 𝑦 Yao 𝑥 Yao Yao Yao 𝑧 1 𝐵 ,…, 𝑧 𝑛 𝐵 𝑧 1 𝐴 ,…, 𝑧 𝑛 𝐴 PSI

Dual Execution 𝑥 𝑦 𝑦 𝑥 𝑦 𝑥 𝑧 1 𝐵 ,…, 𝑧 𝑛 𝐵 𝑧 1 𝐴 ,…, 𝑧 𝑛 𝐴 [KolesnikovMohasselRivaRosulek15] 𝑥 𝑦 Yao Yao Yao Yao 𝑦 𝑥 𝑦 Yao 𝑥 Yao Yao Yao 𝑧 1 𝐵 ,…, 𝑧 𝑛 𝐵 𝑧 1 𝐴 ,…, 𝑧 𝑛 𝐴 PSI 𝐏𝐫 𝒍𝒆𝒂𝒌 𝒂 𝒃𝒊𝒕 = 𝟐 −𝒔 Equality leaks ∀ 𝑖 : 𝑔 𝑖 𝑥,𝑦 ≠𝑓(𝑥,𝑦)

Online – Offline [LindellRiva14,NeilsenOrlandi08] Want to execute 𝑓 many times Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao

Online – Offline [LindellRiva14,NeilsenOrlandi08] Want to execute 𝑓 many times Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao

Online – Offline [LindellRiva14,NeilsenOrlandi08] Want to execute 𝑓 many times Later we get inputs and evaluate Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao Yao PSI

Technical Challenges Input Consistency PSI reconciliation 𝑧 1 𝐵 Only 𝑂 𝑛 decommits and communication PSI reconciliation Very light weight malicious PSI Only weak security required Yao Yao Yao Yao 𝑧 1 𝐵 { 𝑧 1 𝐴 } PSI

Fastest in all the land * Running times for 1,024 evaluations To appear in Usenix ’16 Eprint coming soon Function Amortized Offline Online AES 5.1 𝑚𝑠 1.3 𝑚𝑠 SHA-256 48.0 𝑚𝑠 8.1 𝑚𝑠 “Faster Malicious 2-party Secure Computation with Online/Offline Dual Execution” * Online + Offline

The End Thanks Peter Rindal Mike Rosulek