Download presentation
Presentation is loading. Please wait.
Published by羸亚 乐正 Modified over 5 years ago
1
Fast Secure Computation for Small Population over the Internet
Megha Byali, Arun Joseph, Arpita Patra, Divya Ravi Indian Institute of Science, Bangalore, India. ACM Conference on Computer and Communications Security, 2018
2
Our Results Efficient 3-Party (3PC) and 4-Party (4PC) Protocols with honest majority achieving the stronger security notions of: Fairness -- 4 round fair 3PC (n=3, t=1) Guaranteed Output Delivery (god) -- 5 round god 3PC (n=3, t=1) -- 4 round god 4PC (n=4, t=1) -- 5 round god 4PC (n=4, t=1) Assumptions: -- OWF/P -- Minimalistic network of point-to-point channels. -- Necessary Broadcast for 3PC god [CohenHOR16]. [CohenHOR16] Ran Cohen, Iftach Haitner, Eran Omri, and Lior Rotem. Characterization of Secure Multiparty Computation Without Broadcast. In TCC
3
Secure MultiParty Computation (MPC)
Joint function: f(x1, x2, …, xn) Inputs: (x1, x2, …, xn) Goals: Correctness Privacy MPC TTP f MPC: Real World emulation of TTP
4
Why Small Population with Honest Majority?
Real world applications: Secure ML, Danish Sugar Beet Auction, Fair Auctions. Weaker Assumptions: Eliminate PK primitives like Oblivious Transfer (OT) altogether as symmetric-key functions are sufficient. Light Weight Tools and Efficiency: Customized Secret Sharing schemes. Customized OT. Stronger Security: The properties, fairness and guaranteed output delivery can be achieved only in the case of honest majority [Cleve86]. [Cleve86] Richard Cleve. Limits on the security of coin flips when half the processors are faulty (extended abstract). In ACM STOC, 1986.
5
Security Guarantees y y ┴ ┴ y y Fairness
Guaranteed output delivery (god) – Strongest Adversary cannot prevent honest parties from getting output. Fairness If adversary gets output, all get the output. Security with selective abort - weakest Adversary selectively deprives some honest parties of the output. y y y y y y y y y y y y ┴ ┴ ┴ ┴ ┴ ┴ y y ┴ ┴ y y
6
Garbled Circuit (GC) [BellareHR12]
Boolean circuit input x Garbling function y output Gb e d GC Encoding function En De Decoding function X Ev Y Evaluation function [BellareHR12] Mihir Bellare, Viet Tung Hoang, and Phillip Rogaway. Foundations of garbled circuits. In CCS, 2012.
7
The Bigger Picture 3-Party Protocols 4-Party Protocols Ref #GCs Rounds
Security Broadcast [MohasselRZ15] 1 3 Selective abort No Ref #GCs Rounds Security Broadcast [MohasselRZ15] 1 3 Selective abort No [PatraR18] >3 Fairness, god Yes [CohenHOR16] Ref #GCs Rounds Security Broadcast [MohasselRZ15] 1 3 Selective abort No [PatraR18] >3 Fairness, god Yes [CohenHOR16] This Paper 4 fairness Ref #GCs Rounds Security Broadcast [MohasselRZ15] 1 3 Selective abort No [PatraR18] >3 Fairness, god Yes [CohenHOR16] This Paper 4 fairness 5 god 3-Party Protocols Ref #GCs Rounds Security Broadcast [IshaiKKP15] 12 2 god No This Paper 4 Ref #GCs Rounds Security Broadcast [IshaiKKP15] 12 2 god No This Paper 4 1 5 Ref #GCs Rounds Security Broadcast [IshaiKKP15] 12 2 god No 4-Party Protocols [MohasselRZ15] Payman Mohassel, Mike Rosulek, and Ye Zhang. Fast and Secure Three-party Computation: The Garbled Circuit Approach. In CCS’15. [PatraR18] Arpita Patra and Divya Ravi. On the Exact Round Complexity of Three Party Computation. In CRYPTO, 2018. [IshaiKKP15] Yuval Ishai, Ranjit Kumaresan, Eyal Kushilevitz, and Anat Paskin-Cherniavsky. Secure computation with minimal interaction, revisited. In CRYPTO, 2015.
8
3PC with Fairness y = f (x1, x2, x3) is the function to be computed. x2 Garbler 2 P2 x32 r P3 x3 Evaluator x31 P1 Garbler 1 x1 n=3, t=1
9
3PC with Fairness y = f(x1, x2, x3) is the function to be computed. P2
Use r to generate GC P2 Common Information in GC P3 x3 Verify correctness: By comparing common info in GC sent by both P1 ,P2 Common Information in GC P1 Use r to generate GC x1 , x31
10
3PC with Fairness Fairness Violation? Solution:
y = f (x1, x2, x3) is the function to be computed. x2 P2 Y P3 x3 Evaluate the GC to obtain encoded output Y and decode Y to obtain y. Y P1 Fairness Violation? x1 Solution: Prevent P3 from decoding Y in advance, but commit to decoding info d in advance. Allow P1 , P2 to exchange Y.
11
Use decoding info d from P1 to compute y.
3PC with Fairness y = f(x1, x2, x3) is the function to be computed. x2 Y valid? P2 Y Yes! d P3 x3 Y Evaluate the EC to obtain only encoded output Y. Use decoding info d from P1 to compute y. Y’ P1 Y’ valid? x1 No! Fairness? How Far? Use Y from P1 to compute y. Almost there!
12
3PC with Fairness Correctness Violated!
y = f(x1, x2, x3) is the function to be computed. x2 P2 P3 x3 Y Correctness Check Failed. Abort! Correctness Violated! P1 Y valid? Yes! Accept x1 Solution: Proof mechanism that Y originated from P3
13
3PC with Fairness Proof Mechanism
y = f(x1, x2, x3) is the function to be computed. Sample s2, compute H(s2) x2 P2 H(s2), s2 H(s1) H(s1) P3 x3 H(s2) H(s1), s1 Verify Correctness H(s2) P1 Sample s1, compute H(s1) Proof Mechanism x1
14
3PC with Fairness Fairness Guaranteed!
y = f(x1, x2, x3) is the function to be computed. x2 Y and proof valid? Yes! P2 Y , s1 Y , s1 Y , s2 P3 x3 On Evaluation Y , s2 P1 Y and proof valid? Yes! x1 Fairness Guaranteed!
15
3PC with fairness P2 P2 P3 P3 P1 P1 P2 P2 P3 P3 P1 P1 r x3 x1 d d
H(s2), s2 GC Info , H(s1) H(s1) P3 r P3 x3 H(s2) Verify checks , H(s2) P1 H(s1), s1 P1 GC Info x1 P2 P2 d Y , s1 P3 Y , s1 P3 Y , s2 d Y , s2 P1 P1
16
Challenges in Achieving god
Conflicting messages sent by parties: How to proceed? Local identification of a corrupt party. Input Consistency Issues for robustness. Three-Party Computation: Use broadcast to raise and resolve conflicts. Identify an honest party as TTP. Commitments ensure input consistency. Four-Party Computation: Use multiple evaluator approach to guarantee at least one honest evaluator. Raise Conflict and identify TTP. Commitments for input consistency.
17
Efficiency Overhead in Comparison to [MohasselRZ15]: Ref
Computation (ms) LAN (ms) WAN (s) Communication (KB) 3PC Fair 0.11 0.42 0.36 8.18 4PC god 1.4 (g) 1.31 (g) 2.0 259.54(g) 3PC god 0.23 2.26 - 0.39 Ref Computation (ms) LAN (ms) WAN (s) Communication (KB) 3PC Fair 0.11 0.42 0.36 8.18 4PC god 1.4 (g) 1.31 (g) 2.0 259.54(g) Ref Computation (ms) LAN (ms) WAN (s) Communication (KB) 3PC Fair 0.11 0.42 0.36 8.18 Table indicates average values taken over #parties and the range is taken over the choice of circuits. (g) – gain per party.
18
Open Questions Minimizing the number of rounds of interaction while maintaining the similar efficiency as ours in achieving: Fairness and Guaranteed Output Delivery in 3PC. Guaranteed Output Delivery in 4PC.
20
Efficiency f3PC – 3PC fair, g4PC – 4PC god, g3PC – 3PC god
Type of Circuit: 1 – AES 128, 3- MD5 , 5- SHA-256
21
3PC with Fairness Problems?
y=f(x1, x2, x3) is the function to be computed. x2 P2 Y Decoding Info P3 x3 Y Y Y Decoding Info P1 Problems? x1 Solution: Commit on the decoding info and agree on the commitment in advance!
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.