GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
Payman Mohassel, Yahoo Labs

History of Garbled Circuits
- 1982: First oral presentation [Andrew Yao]
- 1987: First written account [GMW] (public-key)
- 1990: First use of the term "garbled circuits" [BMR] (symmetric-key)
- 1994: First abstraction as a primitive [FKN] (minimal model for secure computation)
- 1999: First PRF-based construction [NPS] (privacy-preserving auctions)
- 2004: First implementation [MNPS] (Fairplay)
- 2004: First proof of 2PC based on garbled circuits [LP] (double-encryption)

A Garbling Scheme
- The garbler holds a seed and a circuit C with C(x,y) = f(x,y). Garbling produces the garbled circuit GC, the garbled inputs GI_x and GI_y, and a translation table TT.
- Eval(GC, GI_x, GI_y) yields a garbled output GO; TT maps GO back to the plaintext output f(x,y).

Basic Properties
- Privacy: knowing GI_x, GI_y and GC does not leak any information beyond what TT decodes, i.e. f(x,y).
- Output authenticity: from GC, GI_x and GI_y one cannot compute another valid garbled output GO' (one that TT would decode to a different value).

Many Applications
Emerged as a powerful building block!
- Secure multi-party computation
- Zero-knowledge proofs
- Verifiable computation
- Homomorphic encryption
- One-time programs
- Circular-secure encryption
- Functional encryption
- ...

Secure Multiparty Computation (MPC)
- Parties P1, ..., Pn with private inputs x1, ..., xn learn only f(x1, ..., xn).
- Correctness: honest parties learn the correct output.
- Privacy: nothing but the final output is leaked.
- Fairness, guaranteed output delivery, ...

Applications of MPC
- Data mining
- Electronic voting
- Auctions
- Exchanges / financial analysis
- Location privacy
- Genomic computation
- Electronic commerce
- Healthcare
Typical triggers: when IP, an NDA or user consent is involved, or when you need to distribute trust.

Secure Two-Party Computation (2PC)
- Garbler (input x): GC ← Garb(C, sd) and GI_x ← GIn(x, sd), where C(x,y) = f(x,y) and sd is the garbler's seed. The garbler sends GC, TT and GI_x to the evaluator.
- Evaluator (input y): obtains GI_y from the garbler via oblivious transfer (the garbler learns nothing about y; the evaluator learns only the garbled input for y), evaluates GC on GI_x and GI_y, and decodes f(x,y) with TT.

Yao's Garbled Circuit Protocol
- First secure computation protocol
- Efficient and simple
- Implementations: Fairplay (2004), TASTY (2010), FastGarble (2011), SCAPI (2013), JustGarble (2013), ...
- Circuits with millions of gates in less than a second

Research Directions
- Garbling constructions
- Functionality & security properties
- Secure 2PC

Basic Garbling/Evaluation (one AND gate)
- Wire keys: input wire 1 has (k^1_0, k^1_1), input wire 2 has (k^2_0, k^2_1), output wire 3 has (k^3_0, k^3_1).
- Garble: encrypt the output key under each pair of input keys
  c_{0,0} = E_{k^1_0, k^2_0}(k^3_0)
  c_{0,1} = E_{k^1_0, k^2_1}(k^3_0)
  c_{1,0} = E_{k^1_1, k^2_0}(k^3_0)
  c_{1,1} = E_{k^1_1, k^2_1}(k^3_1)
- Evaluate: holding k^1_a and k^2_b, compute Dec_{k^1_a, k^2_b}(c_{a,b}) = k^3_{a&b}.
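The gate above, carried through as an added Python example (editor-added code, not from the slides or the speaker). Assumptions not in the slides: the double encryption E_{k1,k2}(m) is instantiated as m XORed with a SHA-256 pad derived from both input labels and a gate identifier, followed by a zero-byte trailer so the evaluator can tell which of the four shuffled rows decrypts correctly; labels are 128-bit random strings; the evaluator tries every row, as in the basic (pre point-and-permute) scheme.

```python
import hashlib
import os
import random

KEY_LEN = 16   # wire labels are 128-bit random strings (assumption)
TAG_LEN = 16   # zero-byte trailer that marks a successful decryption (assumption)


def _pad(k1: bytes, k2: bytes, gate_id: int) -> bytes:
    """Pseudorandom pad from both input labels; stands in for E_{k1,k2}."""
    return hashlib.sha256(k1 + k2 + gate_id.to_bytes(4, "big")).digest()


def double_encrypt(k1: bytes, k2: bytes, gate_id: int, out_label: bytes) -> bytes:
    """c_{a,b} = E_{k1,k2}(k_out): XOR the label plus a zero tag with the pad."""
    plaintext = out_label + bytes(TAG_LEN)
    return bytes(p ^ q for p, q in zip(plaintext, _pad(k1, k2, gate_id)))


def double_decrypt(k1: bytes, k2: bytes, gate_id: int, row: bytes):
    """Return the output label if (k1, k2) are the keys this row was made for, else None."""
    plaintext = bytes(p ^ q for p, q in zip(row, _pad(k1, k2, gate_id)))
    label, tag = plaintext[:KEY_LEN], plaintext[KEY_LEN:]
    return label if tag == bytes(TAG_LEN) else None   # wrong keys give a random tag


def new_wire():
    """Two random labels per wire: index 0 encodes bit 0, index 1 encodes bit 1."""
    return (os.urandom(KEY_LEN), os.urandom(KEY_LEN))


def garble_and_gate(gate_id: int, rng=random):
    """Garble one AND gate: four ciphertexts, one per (a, b), in random order."""
    w1, w2, w3 = new_wire(), new_wire(), new_wire()
    rows = [double_encrypt(w1[a], w2[b], gate_id, w3[a & b])
            for a in (0, 1) for b in (0, 1)]
    rng.shuffle(rows)   # hide which row belongs to which input pair
    return (w1, w2, w3), rows


def evaluate_gate(rows, ka: bytes, kb: bytes, gate_id: int) -> bytes:
    """Evaluator holds exactly one label per input wire and keeps the row that decrypts."""
    for row in rows:
        label = double_decrypt(ka, kb, gate_id, row)
        if label is not None:
            return label
    raise ValueError("no row decrypted: wrong labels or corrupted table")


def decode_output(label: bytes, w_out) -> int:
    """Translation table TT: map an output label back to its bit."""
    tt = {w_out[0]: 0, w_out[1]: 1}
    if label not in tt:
        raise ValueError("not a valid output label")   # authenticity check
    return tt[label]


def run_all_inputs(gate_id: int = 7) -> dict:
    """Garble once, evaluate on all four inputs, decode; returns {(a, b): a AND b}."""
    (w1, w2, w3), rows = garble_and_gate(gate_id)
    return {(a, b): decode_output(evaluate_gate(rows, w1[a], w2[b], gate_id), w3)
            for a in (0, 1) for b in (0, 1)}


if __name__ == "__main__":
    print(run_all_inputs())
```

In the 2PC setting the garbler would send `rows` and the translation table, the label `w1[a]` for its own input, and the evaluator would obtain `w2[b]` by oblivious transfer; the evaluator ends up holding one label per wire and learns the output bit only because TT is supplied, which is the privacy property, and cannot produce the other output label, which is the authenticity property.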

Constructions (Efficiency)
- 1990: Point-and-permute [BMR]
- 1999: 3-row reduction [NPS]
- 2008: Free-XOR [KS]
- 2009: 2-row reduction [PSSW]
- 2013: Fixed-key block cipher [BHKR]
- 2014: FleXor [KMR]
- 2014: Privacy-free garbling [FNO]
- 2015: Half-Gates [ZRE] (2 rows per non-XOR gate, 0 rows per XOR gate)
How low can we get? Lower bounds? Are fresh ideas for garbling needed?

Constructions (Security)
Weak assumptions:
- PRF → double-encryption
- LPN → Free-XOR
- Correlation-robustness → row-reduction techniques
- Correlation-robustness → FleXor
Strong assumptions:
- Circular security → Free-XOR
- Circular security → Half-Gates
- Ideal permutation → fixed-key block cipher
- Random oracle → adaptive security
Can we achieve these using weak assumptions?

Standard Security Properties
- Input privacy: needed in most applications (not in the ZK application)
- Function privacy: private function evaluation
- Output authenticity: malicious 2PC, dual execution, verifiable computation, server-aided computation, ZK
- Adaptive privacy: verifiable computation, offline/online batch execution, ...

New Security Properties?
- Only a subset of properties (e.g. privacy-free garbling)
- Leaky privacy (e.g. leak a few bits, protect/leak certain functions)
- Tunable security (tunable privacy, authenticity, ...)
- Leveled privacy (inputs with different sensitivity levels)

Functionality?
Standard ones: garble, encode inputs, evaluate, authenticate outputs.
Circuit property enforcing (with Rosulek and Kolesnikov):
- Checking circuit properties: topology, depth, input size, gate types
- Useful in limiting malicious behavior
Input property enforcing:
- Unique input identifier (for input consistency)
- Enforcing input formats
- Enforcing relations between inputs in multiple executions (beyond equality)
Output property enforcing:
- Enforcing output format

Malicious 2PC (cut-and-choose)
- P1 garbles s copies GC_1, ..., GC_s of the circuit and sends them to P2.
- Open: P2 picks a random subset (in the figure GC_1, GC_3, GC_5); P1 reveals their garbling and P2 checks that they are correct.
- Evaluate: P2 evaluates the remaining circuits (GC_2, GC_4, GC_6) with P1's garbled input x, obtaining z_2, z_4, z_6.
- Majority: P2 outputs the majority value z = f(x,y).
- Remaining questions the protocol must answer: are P1's inputs the same in all evaluated circuits? Is the output correct?
- Security 1 - 2^{-Ω(s)}; in practice s ≥ 40.
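The "1 - 2^{-Ω(s)}" on the slide, made concrete as an added Python example (editor-added, not from the slides). It models exactly the majority variant pictured: the evaluator opens a uniformly random half of the s circuits and takes a majority over the rest, and the only cheating strategy considered is corrupting some number of circuits; the cheating garbler wins only if no corrupted circuit is opened and the corrupted ones still form a strict majority of the evaluated set. The opened fraction being one half is an assumption taken from the figure.

```python
from fractions import Fraction
from math import comb, log2


def cheat_success(s: int, bad: int, opened: int) -> Fraction:
    """Exact probability that a garbler who corrupts `bad` of the `s` circuits
    (a) survives the check when the evaluator opens a uniformly random subset
    of `opened` circuits, and (b) still holds a strict majority of the
    s - opened circuits that get evaluated, so the majority vote is wrong."""
    evaluated = s - opened
    if bad > evaluated or 2 * bad <= evaluated:
        # either some corrupted circuit is necessarily opened (caught), or the
        # corrupted ones are outvoted by correct circuits in the evaluated set
        return Fraction(0)
    # survive iff all `opened` circuits are drawn from the s - bad good ones
    return Fraction(comb(s - bad, opened), comb(s, opened))


def best_cheat_probability(s: int, opened=None) -> Fraction:
    """The adversary picks the number of corrupted circuits that maximises success."""
    opened = s // 2 if opened is None else opened
    return max(cheat_success(s, bad, opened) for bad in range(s + 1))


def security_bits(s: int, opened=None) -> float:
    """Statistical security in bits: -log2 of the best cheating probability."""
    p = best_cheat_probability(s, opened)
    return float("inf") if p == 0 else -log2(float(p))


def security_table(ss=(8, 16, 40, 80, 128)) -> dict:
    """Bits of statistical security for several circuit counts s."""
    return {s: round(security_bits(s), 1) for s in ss}


if __name__ == "__main__":
    for s, bits in security_table().items():
        print(f"s = {s:4d}: cheating probability about 2^-{bits}")
```

With s = 40 the best the cheater can do is corrupt 11 circuits and hope all 11 land in the unopened half, which happens with probability C(29,20)/C(40,20), roughly 2^-13.7; this is why the slide's s ≥ 40 buys only tens of bits of statistical security and why later cut-and-choose work (Lindell 2013, cited on the next slide) reorganises the protocol so that a single correct evaluated circuit suffices, reaching 2^-s with the same s.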

Secure 2PC (research directions)
Malicious security:
- Cut-and-choose (state of the art: Lindell 2013)
- Abstracting out cut-and-choose (joint work with Seny Kamara)
- A new paradigm? Lower bounds for cut-and-choose?
RAM programs:
- Optimizing ORAM for 2PC ([WCS]: Circuit ORAM)
- Implementation framework (SCVM)
- Extending cut-and-choose to RAM programs ([AHMR])
- Lots of interesting questions
2PC with relaxed security:
- Covert security, leaky 2PC, one-sided security
- Restricting leakage functions

Questions?