Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Presentation transcript:

Amortizing Garbled Circuits
Yan Huang, Jonathan Katz, Alex Malozemoff (UMD); Vlad Kolesnikov (Bell Labs); Ranjit Kumaresan (Technion)

Cut-and-Choose Yao-Based Secure Computation in the Offline/Online and Batch Settings
Yehuda Lindell (BIU), Ben Riva (TAU)

Secure Two-Party Computation
Two parties with private inputs x and y
Compute a joint function f(x,y) of their inputs while preserving
– Privacy
– Correctness
– Input independence
(Figure: one party holds x, the other holds y; both obtain f(x,y))

Adversaries and Security
Semi-honest: follow the protocol specification but attempt to learn more than allowed
– Highly efficient; weak guarantees
Malicious: run any arbitrary attack strategy
– Much more expensive

Yao's Protocol (Semi-honest)
(Figure: Alice garbles the circuit (GC) and sends it together with her input keys; Bob obtains the keys for his input bits via OT and evaluates the GC)

Security for Malicious Case
Main issue: a malicious Alice constructs an incorrect circuit
– Violates correctness
– Violates privacy
Can prevent this using generic ZK, but this is inefficient
More practical solution: cut & choose
– Introduces new problems (relatively "minor" issues)
  Need to ensure input consistency across copies
  Need to prevent selective failure attacks

Cut & Choose Paradigm [..., Pin03, MNPS04, MF06, LP07, ...]
(Figure: all copies of the garbled circuit are split into a Check Set and an Evaluation Set)

Cost of Cut & Choose
Main question: How many circuits are needed?
– % of the cost is due to garbled circuits
E.g.: for statistical error at most 2^-40, #circuits required:
– 680 [LP07]
– 128 [LP11]
– 125 [sS11]
– 48 [HKE13]
– 40 [Lin13]

Cost of Cut-and-Choose
Our motivating question: Can we further reduce the cost of cut & choose, i.e., the number of circuits required?
Our approach: Explore the possibility of amortizing the cost of cut & choose in a setting where the parties need to perform multiple secure function evaluations

Rest of the Talk
Multiple executions
Cut & choose for multiple executions
– Analysis
Multistage cut & choose OT

Multiple Executions
Setting:
– Alice and Bob execute the same function multiple times
  Parallel
  Sequential
Motivation:
– Amortize the cost of cut & choose
– Relevant in practice
– RAM-model 2PC

Cut & Choose – Multiple Executions
(Figure: all copies of the garbled circuit are split into one Check Set and several Evaluation Sets, one per execution)

Cut & Choose for Multiple Executions
Inspired by LEGO [NO09, NNOB12, FJNNO13]
– LEGO performs cut & choose at the gate level
  Alice creates many copies of NAND gates
  Bob opens half of the copies to check them and distributes the remaining half randomly into "buckets" (each bucket emulates one NAND gate)
  The output of each NAND bucket is determined by majority
Makes use of the cheating-punishment technique [Lin13]
– The post-processing step uses 2PC, but on a much smaller circuit
– Fail only if, for some evaluation set, all circuits in it are bad
  No need to take a majority
  Leads to better concrete efficiency
"Multistage Cut & Choose"

Multistage Cut & Choose – Analysis [HKKKM14]
Maximum cheating probability
Asymptotically, for statistical security parameter s: (formula not reproduced in the transcript)
Concrete values for statistical security parameter s = 40: (table not reproduced in the transcript)

Multistage Cut & Choose – Analysis
More general parameters and analysis
– E.g.: better efficiency by varying the fraction of circuits checked [LR14]
Amortization applied to the cheating-punishment circuit
– E.g.: even for t = 32, only 52 circuits are required here
– Amortization also results in fewer overall exponentiations
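The analysis slides above give the bound only as a formula and a table that did not survive in the transcript. The following calculator is an added example (not code from the talk or from the [HKKKM14]/[LR14] papers) that makes the counting argument concrete under the model the slides describe: Alice garbles N copies, Bob checks c of them chosen uniformly at random, the remaining t·b copies are placed uniformly into t buckets of size b (one per execution), and Alice wins only if no bad copy is checked and some bucket consists entirely of bad copies. The parameter values in the demo are assumptions for illustration; the exact bound in the papers may use a different maximisation, so numbers here should not be read as the papers' table.

```python
from math import comb, log2


def cheat_probability(n_circuits, n_checked, n_buckets, bucket_size, n_bad):
    """Probability that Alice evades detection when she garbles n_bad of the
    n_circuits copies incorrectly, under the bucketed cut & choose model
    (assumed here): n_checked copies are opened uniformly at random, the rest are
    randomly partitioned into n_buckets buckets of bucket_size copies, and Bob
    fails only if some bucket is made entirely of bad copies."""
    if n_checked + n_buckets * bucket_size != n_circuits:
        raise ValueError("check set plus evaluation sets must cover every copy")
    remaining = n_circuits - n_checked
    if n_bad > remaining:
        return 0.0  # at least one bad copy is necessarily opened
    # Pr[no bad copy lands in the check set]
    p_unchecked = comb(n_circuits - n_bad, n_checked) / comb(n_circuits, n_checked)
    # Pr[some bucket is entirely bad | n_bad bad copies among the remaining ones],
    # by inclusion-exclusion over sets of k buckets that are forced to be all bad.
    p_all_bad_bucket = 0.0
    for k in range(1, min(n_buckets, n_bad // bucket_size) + 1):
        fixed = k * bucket_size
        term = (comb(n_buckets, k)
                * comb(remaining - fixed, n_bad - fixed) / comb(remaining, n_bad))
        p_all_bad_bucket += term if k % 2 == 1 else -term
    return p_unchecked * p_all_bad_bucket


def max_cheat_probability(n_circuits, n_checked, n_buckets, bucket_size):
    """Alice's best success probability over her choice of how many copies to corrupt."""
    return max(cheat_probability(n_circuits, n_checked, n_buckets, bucket_size, m)
               for m in range(1, n_circuits + 1))


def statistical_security_bits(n_circuits, n_checked, n_buckets, bucket_size):
    """Largest s such that Pr[cheat] <= 2^-s for these parameters."""
    p = max_cheat_probability(n_circuits, n_checked, n_buckets, bucket_size)
    return float("inf") if p == 0 else -log2(p)


if __name__ == "__main__":
    # Assumed demo parameters: 16 executions, half of all copies checked,
    # bucket (evaluation set) sizes 2..5. Total copies per execution = 2 * bucket_size.
    t = 16
    for b in range(2, 6):
        n = 2 * t * b
        print(f"t={t} bucket_size={b} total={n} checked={n // 2}: "
              f"{statistical_security_bits(n, n // 2, t, b):.1f} bits")
```

The single-execution special case (t = 1) recovers the usual "all evaluation circuits are bad" event, and increasing the bucket size is what buys security per execution: with buckets of size 1 a single bad copy already succeeds with probability about one half, whatever t is.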

Offline/Online Setting
Cut & choose protocols can be preprocessed
– Execute the check step offline
– Tradeoffs between the total #circuits and the #circuits evaluated online
Use additive sharing to improve the online efficiency of
– Cut & choose OT
– Input consistency checks
Idea:
– Preprocess using a random share in the offline phase
– Send a correction in the clear during the online phase
All exponentiations can be pushed to the offline phase [LR14]
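The "random share offline, correction in the clear online" idea is easiest to see on a single OT. The block below is an added example, not code from the talk or from [LR14]: it implements the classic OT-precomputation pattern (Beaver, 1995), in which the public-key work happens offline on random inputs and the online phase is two XORs and one plaintext bit. The offline OT itself is simulated by handing each party its output; the key length and the names are assumptions for illustration, and the cut & choose OT in [LR14] applies the same idea to many copies at once.

```python
import secrets


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def offline_phase(key_len=16):
    """Offline: run the expensive OT on random inputs only. The sender keeps two
    random strings r0, r1; the receiver keeps a random bit c and learns r_c.
    (The OT is simulated here by giving each party its output directly.)"""
    r0, r1 = secrets.token_bytes(key_len), secrets.token_bytes(key_len)
    c = secrets.randbelow(2)
    return (r0, r1), (c, r1 if c else r0)


def receiver_correction(receiver_state, b):
    """Online, receiver -> sender, in the clear: d = b XOR c. Since c is uniform
    and never revealed, d says nothing about the real choice bit b."""
    c, _ = receiver_state
    return b ^ c


def sender_online(sender_state, d, k0, k1):
    """Online, sender -> receiver: mask the real keys with the random strings,
    swapped when d == 1 so that k_b is always masked by the string the receiver holds."""
    r0, r1 = sender_state
    if d == 0:
        return xor_bytes(k0, r0), xor_bytes(k1, r1)
    return xor_bytes(k0, r1), xor_bytes(k1, r0)


def receiver_online(receiver_state, b, e0, e1):
    """Receiver unmasks the message for its real bit with r_c; the other message
    stays masked by the string it never received."""
    _, rc = receiver_state
    return xor_bytes(e1 if b else e0, rc)


def run_ot(k0, k1, b):
    """One complete offline + online transfer; returns what the receiver learns."""
    sender_state, receiver_state = offline_phase(len(k0))
    d = receiver_correction(receiver_state, b)
    e0, e1 = sender_online(sender_state, d, k0, k1)
    return receiver_online(receiver_state, b, e0, e1)
```

Everything that costs an exponentiation lives in offline_phase; the online messages are one bit plus two masked keys, which is exactly the tradeoff the slide describes.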

Rest of the Talk
Multiple executions
Cut & choose for multiple executions
– Analysis
Multistage cut & choose OT

Selective Failure Attacks
Recall: Bob obtains his keys via OT
Selective failure attack:
– A corrupt Alice uses a valid 0-key and an invalid 1-key as her OT inputs
– If Bob's input is 0, then evaluation succeeds
– If Bob's input is 1, then evaluation fails
Techniques to avoid selective failure
– XOR-tree encodings [FKN94, LP07, ...]
– Cut & choose OT [LP11, Lin13]
[HKKKM14, LR14] adapt cut & choose OT to the multiple-executions setting
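To see why the XOR-tree encoding listed on the slide neutralises the abort channel, it helps to count outcomes exactly. The block below is an added example, not code from the talk or from [FKN94]/[LP07]: Bob replaces each input bit by s random bits whose XOR equals it, Alice is modelled as having replaced the key for one value on some of those wires with garbage, and the code enumerates every encoding to compute the exact abort probability for b = 0 and b = 1. The wire indices and the parameter s are assumptions for the demo.

```python
def xor_tree_encodings(bit, s):
    """All s-bit encodings of `bit` under the XOR-tree: vectors whose XOR equals bit.
    Bob picks one uniformly at random; enumerating all 2^(s-1) of them lets us
    count outcomes exactly instead of sampling."""
    return [[(v >> i) & 1 for i in range(s)]
            for v in range(1 << s) if bin(v).count("1") % 2 == bit]


def evaluation_aborts(encoding, tampered):
    """`tampered` maps a wire index to the wire value whose key Alice replaced with
    garbage (the slide's attack uses value 1). Evaluation fails iff Bob's share on
    some tampered wire selects that garbage key."""
    return any(encoding[w] == bad for w, bad in tampered.items())


def abort_probability(bit, s, tampered):
    """Exact probability, over Bob's random encoding, that evaluation fails."""
    encodings = xor_tree_encodings(bit, s)
    return sum(evaluation_aborts(e, tampered) for e in encodings) / len(encodings)


def leakage_gap(s, tampered):
    """How much the abort event reveals about Bob's bit: |Pr[abort | b=1] - Pr[abort | b=0]|.
    With s = 1 (no encoding) this is 1: the abort is a perfect oracle for b."""
    return abs(abort_probability(1, s, tampered) - abort_probability(0, s, tampered))


if __name__ == "__main__":
    s = 4  # assumed encoding length for the demo
    print("no encoding, one wire tampered:", leakage_gap(1, {0: 1}))
    print("s=4, one wire tampered:", leakage_gap(s, {0: 1}))
    print("s=4, all wires tampered:", leakage_gap(s, {w: 1 for w in range(s)}))
```

With one or a few tampered wires the abort probability is identical for both values of b, so the abort tells Alice nothing; only by tampering with all s wires does a gap of 2^-(s-1) reappear, which is the usual reason s is set to the statistical security parameter.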

Cut & Choose Oblivious Transfer [LP11, Lin13]
(Figure: for each copy, Alice's OT inputs are the two input keys (1st input, 2nd input) and a check value; for copies in the Check Set Bob receives both inputs, for copies in the Evaluation Set he receives one input and the check value)

Multistage Cut & Choose OT [HKKKM14]
(Figure: as before, with input keys and a check value for each copy, but the unchecked copies are split into Eval set 1, Eval set 2, Eval set 3, ...; for copies in the Check Set Bob receives both inputs, for copies in each Eval set he receives one input and the check value)

Multistage Cut & Choose OT [HKKKM14]
Useful in the multiple parallel execution setting
– Otherwise, one needs to rely on adaptively secure garbling
Show an information-theoretic reduction to [Lin13]'s modified batch single-choice cut & choose OT
– t-out-of-t additive sharing of the input keys and check values
– Use the i-th set of shares as input to the i-th instance of modified batch single-choice cut & choose OT
– Slightly more complicated to get full sender extraction
Communication cost of the reduction is quadratic in t
– Cost linear in t if we allow relaxed definitions (which are sufficient for 2PC applications) [KK14]
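The reduction on this slide is stated in two bullets; the simulation below is an added example (not code from the talk or from [HKKKM14]) that spells out one way to read it. The building block is modelled as an ideal functionality: for every copy the sender inputs a key pair, and the receiver learns both keys of the copies it opens and only the key for its single choice bit elsewhere. My reconstruction of the reduction, which is an assumption, is that in instance i the receiver opens every copy outside evaluation set i, so that for a copy in evaluation set j it ends up with both shares from every instance except j and with one share from instance j. Check values are omitted from this model, and the copy indices and key bytes are constructed for the demo.

```python
import secrets
from functools import reduce


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def xor_all(parts):
    return reduce(xor_bytes, parts)


def xor_share(value, t):
    """t-out-of-t additive (XOR) sharing: any t-1 shares are uniformly random."""
    shares = [secrets.token_bytes(len(value)) for _ in range(t - 1)]
    shares.append(xor_all([value] + shares) if shares else value)
    return shares


def single_choice_cc_ot(keys_per_copy, opened_copies, choice_bit):
    """Ideal-functionality model of batch single-choice cut & choose OT (assumed):
    keys_per_copy[j] = (k0, k1); the receiver learns both keys of every copy in
    opened_copies and, for every other copy, only the key selected by choice_bit."""
    result = {}
    for j, (k0, k1) in enumerate(keys_per_copy):
        if j in opened_copies:
            result[j] = (k0, k1)
        else:
            result[j] = (k1,) if choice_bit else (k0,)
    return result


def multistage_cc_ot(keys_per_copy, check_set, eval_sets, choice_bits):
    """Multistage cut & choose OT from t single-choice instances (my reconstruction).
    Every key is XOR-shared t ways; instance i uses the i-th shares and choice bit
    b_i, and opens all copies outside eval set i. Returns, per copy, the keys the
    receiver can reconstruct: both for check-set copies, only key b_j for a copy
    in eval set j."""
    t = len(eval_sets)
    n = len(keys_per_copy)
    owner = {j: i for i, s in enumerate(eval_sets) for j in s}  # copy -> eval set
    shared = [(xor_share(k0, t), xor_share(k1, t)) for k0, k1 in keys_per_copy]
    received = [[None] * t for _ in range(n)]  # received[j][i]: shares from instance i
    for i in range(t):
        instance_keys = [(shared[j][0][i], shared[j][1][i]) for j in range(n)]
        opened = {j for j in range(n) if owner.get(j) != i}
        out = single_choice_cc_ot(instance_keys, opened, choice_bits[i])
        for j in range(n):
            received[j][i] = out[j]
    output = {}
    for j in range(n):
        if j in check_set:
            output[j] = (xor_all([received[j][i][0] for i in range(t)]),
                         xor_all([received[j][i][1] for i in range(t)]))
        else:
            i_star = owner[j]
            b = choice_bits[i_star]
            # In instance i_star only one share arrived (index 0 of a 1-tuple);
            # in every other instance both shares arrived, so pick share b.
            parts = [received[j][i][0] if i == i_star else received[j][i][b]
                     for i in range(t)]
            output[j] = (xor_all(parts),)
    return output
```

Each of the t instances carries shares for all n copies, which is where the quadratic communication on the slide comes from; the missing share in instance j is what keeps the unchosen key of an evaluation-set copy hidden.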

Summary
Malicious 2PC cost is dominated by the cost of cut & choose
Multiple executions allow amortizing the cut & choose cost
– For 40 bits of statistical security need:
  Only 8 circuits/execution for 3500 executions [HKKKM14]
  Only 7.06 circuits/execution for 1024 executions [LR14]
THANK YOU!!!