Presentation is loading. Please wait.

Presentation is loading. Please wait.

Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.

Published byMalakai Lanham Modified over 10 years ago

Similar presentations

Presentation on theme: "Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran."— Presentation transcript:

1 Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran Tromer Technion & TAU UIUC UCLA TAU

2 What this talk is about New model for fault-tolerant circuits New approach for protecting secure computation protocols against malicious parties

3 Part I: Fault Tolerant Circuits

4 Dream Goal Too much to hope for… x f(x) Yet it is f(x)!

5 Dream Goal Too much to hope for… x f(x) Yet it is 1-f(x)!

6 Relaxing Goal Random faults [vN56,DO77,Pip85,...] Bounded number of faults [KLM94,GS95,KLR12] This work: any number of adversarial faults –Allow fault-tolerant circuit to be randomized –Settle for detecting errors w.h.p –Still does not rule out direct tampering with input and output

7 Further Relaxations Allow tamper-proof input encoder (Enc) and output decoder (Dec) –Enc,Dec must be small and universal Restricted class of faults x f(x) / ERR EncDec

8 Further Relaxations Allow tamper-proof input encoder (Enc) and output decoder (Dec) –Enc,Dec must be small and universal Restricted class of faults –This work: additive attacks on wires x f(x) / ERR EncDec

9 Further Relaxations Allow tamper-proof input encoder (Enc) and output decoder (Dec) –Enc,Dec must be small and universal Restricted class of faults –This work: additive attacks on wires x f(x) / ERR EncDec X X + - X +3 -2 +5

10 AMD Codes [CDFPW08] Protect information against additive attacks Our goal: protect computation x f(x) / ERR EncDec X X + - X +3 -2 +5 x x / ERR EncDec +3+5-3-2+8+4 AMD circuit

11 Definition: ε-correctness Let f:F n  F m Let Enc:F n  F n’, C:F n’  F m’, Dec:F m’  F m+1 –C is a randomized arithmetic circuit over F –Enc is randomized, Dec is deterministic We say that (Enc,C,Dec) realizes f with ε-correctness against additive attacks if: – ∀ x ∈ F n, Dec(C(Enc(x)))=(0,f(x)). – ∀ x ∈ F n and every C A obtained by applying an additive attack to C, Dec(C A (Enc(x))) is either (0,f(x)) or (e,y) for e≠0, except w/prob. ≤ ε

12 Eliminating Enc and Dec Idea: settle for “best possible” security –Every additive attack on C can be simulated by a (possibly randomized) additive attack on inputs and outputs alone –C is “as good” as tamper-proof hardware for g X X + - X +3 +5+r +2

13 Definition: ε-security Let f:F n  F m, C:F n  F m –C is a randomized arithmetic circuit over F We say that C realizes f with ε-security against additive attacks if: – ∀ x ∈ F n, C(x)=f(x) (w/prob. 1) –For every C A obtained by applying an additive attack to C, there are distributions Δx,Δy s.t. ∀ x ∈ F n, C A (x) ≈ ε C(x+Δx)+Δy

14 Security  Correctness Let (AEnc, ADec) be an AMD code. f AEnc ADec e AEnc ADec x e y x’ y’ f’

15 Security  Correctness Let (AEnc, ADec) be an AMD code. Useful feature: whether e is set reveals almost nothing about x f AEnc ADec e AEnc ADec x e y x’ y’ C’

16 Our Results Large field F –Compile any C to an ε-secure C’ –|C’|=O(|C|) –ε = O(|C|/|F|) Any field F –Compile any C to an ε-correct (Enc,C’,Dec) –Enc,Dec small and universal –|C’|=|C|. polylog(1/ε)

17 Techniques: Large Fields Use simple homomorphic AMD code –Input: x  (x,r,xr) –Multiplication: (a,r,ar), (b,r,br)  (ab,r 2,abr 2 ) (a,r d,ar d ), (b,r d’,br d’ )  (ab,r d+d’,abr d+d’ ) –Addition: (a,r,ar), (b,r,br)  (a+b,r,(a+b)r) (a,r d,ar d ), (b,r d’,br d’ ), r  (a+b,r max(d,d’),(a+b)r max(d,d’) ) –Output: (y,r d,z)  y+s. (yr d -z) Problems –Error grows linearly with degree d (need d<<|F|) Use constant-degree gadgets –Requires wires to be locally random Convert C into a locally random circuit [ISW03,IPS+11] Compare with [BDOZ11]

18 Techniques: Small Fields Implement matrix-vector multiplication gadget Use it to implement simple Hadamard-based linear PCP [ALMSS92] –Large constant error –Quadratic blowup in circuit size Amplify correctness via repetition –Check input consistency using hashing Eliminate quadratic blowup –Using small gadgets Problems –Error grows linearly with degree d (need d<<|F|) Use constant-degree gadgets –Requires wires to be locally random Convert C into a locally random circuit [ISW03,IPS+11]

19 Part II: Secure Multiparty Computation

20 Secure Multiparty Computation [Yao86,GMW87] ab c Every f can be realized with information- theoretic security –Assuming an honest majority [BGW88,CCD88,RB89] –Assuming an oblivious transfer oracle [GMW87,Kil88,IPS08] or OLE oracle [NP99,IPS09] f(a,b,c)

21 Passive vs. Active Attacks Security against active attacks is much more challenging. Common paradigm: passive security  active security –GMW compiler: using ZK proofs [GMW87,…] –Make sub-protocols verifiable [BGW88,CCD88,…] –Cut-and-choose techniques […,LP07,…] –Use low-threshold active-secure MPC [IPS08] Major research effort in cryptography

22 Motivating Observation In “natural” passive-secure MPC protocols for evaluating an arithmetic circuit C, the effect of an active adversary corresponds to an additive attack on C. –Formally: the protocol perfectly realizes an augmented ideal functionality that allows for an additive attack. –Applies to all information-theoretic protocols we know that have maximal security threshold Active security can be achieved by applying passive-secure protocol to AMD circuit C’. Reduces protocol design to circuit design

23 Some Details Need to protect inputs and outputs –Achieved via local AMD encoding of inputs and AMD decoding of outputs Protocols only achieve “security with abort” –Often best possible –With honest majority and broadcast, can be upgraded to full security using standard methods

24 Applications Simplified feasibility results –Passive BGW88  RB89 (t<n/2) –Passive GMW87  Kil88/IPS09 (t<n, OLE-hybrid) Improved efficiency –Passive DN07  Improved BFO12 t<n/2, O(n|C|+n 2 ) field elements –Passive GMW87  Improved IPS09 t<n, O(|C|) OLE calls New feasibility –t<n, untrusted preprocessing

25 Open Problems AMD Circuits –Better security and efficiency over binary fields Useful for MPC in OT-hybrid model –Better concrete efficiency over large fields Useful for practical MPC? [IKHC14] –Generalize attack model Settle for best possible security MPC applications –Protocols based on “packed secret sharing” –Computationally secure protocols?

Download ppt "Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran."

Similar presentations

Randomness Conductors Expander Graphs Randomness Extractors Condensers Universal Hash Functions............

Randomness Conductors Expander Graphs Randomness Extractors Condensers Universal Hash Functions
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?

An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?
EXPLICIT NON-MALLEABLE CODES RESISTANT TO PERMUTATIONS Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta Maji (UCLA), Omkant Pandey (UIUC), Manoj Prabhakaran.

EXPLICIT NON-MALLEABLE CODES RESISTANT TO PERMUTATIONS Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta Maji (UCLA), Omkant Pandey (UIUC), Manoj Prabhakaran.
PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 25. FEB 2014 CONTINUOUS NON-MALLEABLE CODES JOINT WORK WITH SEBASTIAN FAUST, JESPER.

PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 25. FEB 2014 CONTINUOUS NON-MALLEABLE CODES JOINT WORK WITH SEBASTIAN FAUST, JESPER.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.

Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.
PRATYAY MUKHERJEE Aarhus University Joint work with

PRATYAY MUKHERJEE Aarhus University Joint work with
I have a DREAM! (DiffeRentially privatE smArt Metering) Gergely Acs and Claude Castelluccia {gergely.acs, INRIA 2011.

I have a DREAM! (DiffeRentially privatE smArt Metering) Gergely Acs and Claude Castelluccia {gergely.acs, INRIA 2011.
Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,

Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Locally Decodable Codes from Nice Subsets of Finite Fields and Prime Factors of Mersenne Numbers Kiran Kedlaya Sergey Yekhanin MIT Microsoft Research.

Locally Decodable Codes from Nice Subsets of Finite Fields and Prime Factors of Mersenne Numbers Kiran Kedlaya Sergey Yekhanin MIT Microsoft Research.
Digital Fountain Codes V. S

Digital Fountain Codes V. S
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs.

NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Similar presentations

Ads by Google