Secure Computation Lecture 13-14 Arpita Patra


Recap
>> Improving the complexity of GMW
  > Step I: Offline: $O(n^2 c_{AND})$ OTs; Online: i.t., no crypto
    # Preprocessing of OT (on random inputs)
  > Step II: Offline: k OTs + $O(n^2 c_{AND})$ SKE operations; Online: i.t., no crypto
    # OT Extension [IKNP] (Domain extension + OT extension)
    # RO Model, Correlation-robust Hash function
>> Constant Round 2PC Yao
  > How to garble a circuit (using physical keys/boxes)
  > How to use garbled circuit for 2PC
>> Complexity of GMW n-party Protocol: $O(n^2 c_{AND})$ OTs

Circuit Evaluation on Clear
[Figure: circuit with input wires $x_1, x_2, x_3, x_4$, a + gate fed by two other gates, and output $f(x_1, x_2, x_3, x_4)$]
>> Circuit evaluation is nothing but assigning bits to the wires
  > Input wires get values from inputs
  > When inputs to a gate g get values, say a, b, then its output wire gets value g(a,b); two-input gate $g: \{0,1\}^2 \to \{0,1\}$
  > The value for the output wire is taken as the output
>> For secure computation: We want a way to evaluate a circuit that leaks nothing but the circuit output: Garbled Circuit

Yao’s Garbled Circuit
Need a mechanism to hide the assigned bits of the wires during evaluation.
Garbling a Wire: Every wire is associated with a pair of identical-looking keys (one for 0, one for 1).
Identical-looking keys ensure NO information about the assigned bit can be inferred from a key corresponding to a wire.
During evaluation of a garbled circuit on a given input, the evaluator will get/see the keys corresponding to the assigned bits of the wires instead of the assigned bits.
Garbling of wires complete!

Yao’s Garbled Circuit
How to evaluate a gate in a garbled circuit
Gate evaluation in Plain Circuit: Given the assigned values, say a, b, of the input wires of gate g, find the assigned value for the output wire as g(a,b). Easy!!
Gate evaluation in Garbled Circuit: Given the keys corresponding to the assigned values, say a, b, of the input wires of gate g, find the key for g(a,b) for the output wire.
Garble the gates!

Yao’s Garbled Circuit
Garbling a Gate: Every two-input gate is associated with four doubly locked boxes (corresponding to four output possibilities). Each pair of input wire keys (one from each input wire) will open one and only one box. The box that can be opened using keys for a, b contains the key corresponding to g(a,b).
Garbled Gates: The locked boxes
  1st input wire    2nd input wire    Output wire
  Key for 0         Key for 0         Key for g(0,0)
  Key for 0         Key for 1         Key for g(0,1)
  Key for 1         Key for 0         Key for g(1,0)
  Key for 1         Key for 1         Key for g(1,1)
Boxes are randomly permuted to prevent leaking the meaning of the keys!

Yao’s Garbled Circuit
It enables one to evaluate a circuit without leaking anything but the output.
[Figure: circuit with inputs $x_1, x_2, x_3, x_4$ and output $f(x_1, x_2, x_3, x_4)$]
Garbling a wire: Every wire is associated with a pair of identical-looking keys.
Garbling a Gate: Every two-input gate is associated with four doubly locked boxes (in randomly permuted order) so that each pair of keys (one from each input wire) will open one and only one box.
Garbled Circuit: Garbled gates

Yao’s Garbled Circuit
It enables one to evaluate a circuit without leaking anything but the output.
[Figure: circuit with inputs $x_1, x_2, x_3, x_4$ and output $f(x_1, x_2, x_3, x_4)$]
Garbled Circuit: Garbled gates + meaning of the output wire keys (output decryption tables)
1. Give input keys corresponding to the inputs and the garbled circuit.
2. For every gate, exactly one box can be opened and the key corresponding to the output value for the inputs can be obtained.
3. For the output gate, the key corresponding to the output value for given inputs can be obtained.

Yao’s 2 Party Protocol
$P_0$ (GC Constructor) holds $X = (x_1, x_2, \ldots, x_k)$; $P_1$ (GC Evaluator) holds $Y = (y_1, y_2, \ldots, y_k)$.
> $P_0$: Construct a Garbled Circuit GC for Circuit C.
> $P_0$ to $P_1$: Keys corresponding to $X = (x_1, x_2, \ldots, x_k)$ and GC.
> $OT_1, \ldots, OT_k$: $P_1$ inputs $y_1, \ldots, y_k$.
> $P_1$: Evaluate GC with the given input keys and interpret the output Z using output decryption tables.

Yao’s Garbled Circuit from “Special SKE”
Garbled Circuit: garbled gates (four/two locked boxes) + meaning of the output wire keys
> Physical Keys: Keys of SKE
> Locked boxes: Encryptions
> Doubly Locked boxes: Double Encryptions
What properties do we need from the SKE? Some known security properties of SKE: CPA, CCA etc.

Syntax of SKE
1. Key-generation Algorithm (Gen()):
  > MUST be a randomized algorithm
  > Outputs a key k chosen according to some probability distribution determined by the scheme
2. Encryption Algorithm ($Enc_k(m)$); m from $\{0,1\}^*$:
  > Deterministic/Randomized algorithm
  > $c \leftarrow Enc_k(m)$ when randomized and $c := Enc_k(m)$ when deterministic
3. Decryption Algorithm ($Dec_k(c)$):
  > Usually deterministic
  > Outputs $m := Dec_k(c)$

Syntax of SKE
1. Key space ( ):
  > Set of all possible keys output by algorithm Gen
  > Usually Gen selects a key k uniformly at random from
2. Plain-text (message) space ( ):
  > Set of all possible “legal” messages (i.e. those supported by Enc)
3. Cipher-text space ( ):
  > Set of all cipher-texts output by algorithm Enc
  > The sets and together define the set
Any cipher is defined by specifying (Gen, Enc, Dec) and

Yao’s Garbled Circuit from “Special” SKE
Garbling the Wires: Every wire is associated with a pair of identical-looking SKE keys.
Wire $w_i$ gets the keys $k^0_{w_i}, k^1_{w_i}$, for $i = 1, \ldots, 7$.

Yao’s Garbled Circuit from “Special” SKE
Garbling the Gates: Every two-input gate is associated with four double encryptions so that each pair of keys (one from each input wire) will decrypt one and only one ciphertext, where the ciphertexts hide the appropriate output wire key.
AND Gate: Garbled AND Gate, in randomly permuted order: one double encryption for each pair of keys (1st input wire, 2nd input wire): $(k^0_{w_1}, k^0_{w_2})$, $(k^0_{w_1}, k^1_{w_2})$, $(k^1_{w_1}, k^0_{w_2})$, $(k^1_{w_1}, k^1_{w_2})$.
Similarly for other gates.

Yao’s Garbled Circuit from “Special” SKE
R1: K = M = C
Garbled AND Gate
>> In usual SKE, a wrong key leads to a wrong message, but the decryption does not fail (SKEs usually use the OTP principle).
>> Recall that one pair opens one and only one box
  > The ciphertext spaces must be distinct under distinct keys with high probability.
  > For the SKE, there must be a mechanism to verify (efficiently) if a given ciphertext belongs to the ciphertext space of a given key.
>> Consequence in Yao 2PC: How does the circuit evaluator know which decrypted value is the intended output key? Correctness of 2PC will fail!!
Formal definition of SKE with elusive range and efficiently verifiable range can be found in HL, and the correctness proof reduces to the above security property of SKE.
Drawbacks: Multiple trial decryptions + huge ciphertext size for SKEs with the above security property + involved correctness proof

Yao’s Garbled Circuit from “Special” SKE
Point & Permute [NPS99]:
>> A random bit called permutation bit will be associated with every wire
  > Wire $w_i$ gets $k^0_{w_i} | p_i$ and $k^1_{w_i} | 1-p_i$, for $i = 1, \ldots, 7$
>> The permutation bits corresponding to input wires of a gate are used to permute the ciphertexts
Garbled AND Gate (assuming $p_1 = p_2 = 1$)
>> will be placed at $(p_1 p_2)$th row
>> Given just one of the permutation bits for each wire, the row where the ciphertext is placed will look random and will not leak any information about the meaning of the input and output keys!
>> No requirement from SKE! Correctness of 2PC from GC taken care of!

Yao’s Garbled Circuit from “Special” SKE
R1: K|{0,1} = M = C
>> SKE must be such that a bad evaluator should have no information about what the three unopened ciphertexts contain
>> E.g. if it can guess that the unopened messages are the same and the gate is AND, then it knows the meaning of the key it decrypted!
>> Very subtle security definition is required!
>> Double encryption security

Chosen Double Encryption (CDE) Security
$\Pi$ = (Gen, Enc, Dec); experiment $PrivK^{cde}_{A,\Pi}(k)$ between a PPT attacker A (“I can break $\Pi$”) and a verifier (“Let me verify”)
> A sends $k_0, k_1$ and $(x_0, y_0, z_0), (x_1, y_1, z_1)$
> Verifier runs Gen to obtain $k'_0, k'_1$ and picks $b \leftarrow \{0, 1\}$
> Verifier sends:
    $c_0 \leftarrow Enc_{k_0}(Enc_{k'_1}(x_b))$
    $c_1 \leftarrow Enc_{k'_0}(Enc_{k_1}(y_b))$
    $c_2 \leftarrow Enc_{k'_0}(Enc_{k'_1}(z_b))$
> Post-challenge training with oracles $Enc_{**}(Enc_{k'_1}(**))$ and $Enc_{k'_0}(Enc_{**}(**))$
> A outputs $b' \in \{0, 1\}$
Game output: $b = b'$: attacker won; $b \neq b'$: attacker lost
$\Pi$ is CDE-secure if for every PPT A, there is a negligible function negl, such that:
    $\Pr[PrivK^{cde}_{A,\Pi}(k) = 1] \leq \frac{1}{2} + negl(n)$

Chosen Plain-text Attack (CPA) Security
$\Pi$ = (Gen, Enc, Dec); experiment $PrivK^{cpa}_{A,\Pi}(k)$ between a PPT attacker A (“I can break $\Pi$”) and a verifier (“Let me verify”)
> Verifier runs $Gen(1^n)$ to obtain k
> Training phase
> A sends $m_0, m_1$ with $|m_0| = |m_1|$
> Verifier picks $b \leftarrow \{0, 1\}$ and sends $c \leftarrow Enc_k(m_b)$
> Post-challenge training
> A outputs $b' \in \{0, 1\}$
Game output: $b = b'$: attacker won; $b \neq b'$: attacker lost
$\Pi$ is CPA-secure if for every PPT A, there is a negligible function negl, such that:
    $\Pr[PrivK^{cpa}_{A,\Pi}(n) = 1] \leq \frac{1}{2} + negl(n)$
Every CPA-secure scheme is also CDE-secure!

Completing the Picture
Garbled Circuit: Garbled gates + output decryption tables
Wire $w_i$ carries $k^0_{w_i} | p_i$ and $k^1_{w_i} | 1-p_i$, for $i = 1, \ldots, 7$.
1. Give input keys corresponding to the inputs and the garbled circuit.
2. For every gate, decrypt the encryption pointed to by the permutation bits of the input keys of the gate, and get the output key and its permutation bit.
3. For the output gate, the key corresponding to the output value for given inputs is obtained and is translated to the correct output using the decryption tables.
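The garbling and evaluation steps above, with point-and-permute, as an added example that is not code from the lecture: it garbles a seven-wire circuit and evaluates each gate by decrypting only the row the pointer bits select. Assumptions: the circuit is taken to be (x1 AND x2) XOR (x3 AND x4), a SHA-256-derived pad stands in for the double encryption and is not the CPA/CDE-secure SKE the slides call for, the input labels are handed over directly in place of the OTs, and all function names are illustrative.

```python
import hashlib
import secrets
KEYLEN = 16  # bytes per wire key

def new_wire():
    """Labels for bits 0 and 1 as (key, pointer): k^0|p and k^1|1-p, p random."""
    p = secrets.randbits(1)
    return [(secrets.token_bytes(KEYLEN), p), (secrets.token_bytes(KEYLEN), 1 - p)]

def pad(ka, kb, gate_id, row):
    # Assumption: hash-derived pad standing in for Enc_ka(Enc_kb(.))
    return hashlib.sha256(ka + kb + bytes([gate_id, row])).digest()[:KEYLEN + 1]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def garble_gate(g, wa, wb, wc, gate_id):
    """Four ciphertexts; the one for input bits (a, b) sits at row (pointer_a pointer_b)."""
    table = [None] * 4
    for a in (0, 1):
        for b in (0, 1):
            (ka, pa), (kb, pb) = wa[a], wb[b]
            kc, pc = wc[g(a, b)]  # output key and its pointer bit
            row = 2 * pa + pb
            table[row] = xor(pad(ka, kb, gate_id, row), kc + bytes([pc]))
    return table

def eval_gate(table, la, lb, gate_id):
    """Decrypt only the row the two pointer bits select; no trial decryption."""
    row = 2 * la[1] + lb[1]
    out = xor(pad(la[0], lb[0], gate_id, row), table[row])
    return out[:KEYLEN], out[KEYLEN]

def garble_circuit():
    """Assumed circuit: w5 = w1 AND w2, w6 = w3 AND w4, w7 = w5 XOR w6."""
    w = [new_wire() for _ in range(7)]
    AND, XOR = (lambda a, b: a & b), (lambda a, b: a ^ b)
    gates = [garble_gate(AND, w[0], w[1], w[4], 0),
             garble_gate(AND, w[2], w[3], w[5], 1),
             garble_gate(XOR, w[4], w[5], w[6], 2)]
    decode = {w[6][0][0]: 0, w[6][1][0]: 1}  # output decryption table
    return w, gates, decode

def run(x):
    """Garble, hand over the labels for input bits x (OT omitted), evaluate, decode."""
    w, gates, decode = garble_circuit()
    l5 = eval_gate(gates[0], w[0][x[0]], w[1][x[1]], 0)
    l6 = eval_gate(gates[1], w[2][x[2]], w[3][x[3]], 1)
    return decode[eval_gate(gates[2], l5, l6, 2)[0]]
```

The evaluator in `run` only ever touches one label per wire and one row per gate; the other three rows of each table stay unopened, which is where the double-encryption security requirement applies.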

Yao’s 2 Party Protocol
$P_0$ (GC Constructor) holds $X = (x_1, x_2, \ldots, x_k)$; $P_1$ (GC Evaluator) holds $Y = (y_1, y_2, \ldots, y_k)$.
> $P_0$: Construct a Garbled Circuit GC for Circuit C.
> $P_0$ to $P_1$: Keys corresponding to $X = (x_1, x_2, \ldots, x_k)$ and GC.
> $OT_i$, for $i = 1, \ldots, k$: $P_0$ inputs $k^0_{w_i}, k^1_{w_i}$; $P_1$ inputs $y_i$ and receives $k^{y_i}_{w_i}$.
> $P_1$: Evaluate GC with the given input keys and interpret the output Z using output decryption tables.

Yao’s 2 Party Protocol - Security for $P_1$
$P_0$ (GC Constructor) holds $X = (x_1, x_2, \ldots, x_k)$; $P_1$ (GC Evaluator) holds $Y = (y_1, y_2, \ldots, y_k)$.
> $P_0$: Construct a Garbled Circuit GC for Circuit C.
> $P_0$ to $P_1$: Keys corresponding to $X = (x_1, x_2, \ldots, x_k)$ and GC.
> $OT_i$, for $i = 1, \ldots, k$: $P_0$ inputs $k^0_{w_i}, k^1_{w_i}$; $P_1$ inputs $y_i$ and receives $k^{y_i}_{w_i}$.
> $P_1$: Evaluate GC with the given input keys and interpret the output Z using output decryption tables.
Security will reduce to the OT security for the receiver.

Yao’s 2 Party Protocol - Security for $P_0$
$P_0$ (GC Constructor) holds $X = (x_1, x_2, \ldots, x_k)$; $P_1$ (GC Evaluator) holds $Y = (y_1, y_2, \ldots, y_k)$.
> $P_0$: Construct a Garbled Circuit GC for Circuit C.
> $P_0$ to $P_1$: Keys corresponding to $X = (x_1, x_2, \ldots, x_k)$ and GC.
> $OT_i$, for $i = 1, \ldots, k$: $P_0$ inputs $k^0_{w_i}, k^1_{w_i}$; $P_1$ inputs $y_i$ and receives $k^{y_i}_{w_i}$.
> $P_1$: Evaluate GC with the given input keys and interpret the output Z using output decryption tables.
Security will reduce to the OT security for the sender.
Three unopened ciphertexts must not leak info: CDE security.

Chalk & Talk
CT7: [GLNP15] Fast Garbling of Circuits under Standard Assumptions.
CT8: [BG10] Secure and Efficient Protocols for Iris and Fingerprint Identification.