
On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)




1 On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)

2 Research in Secure Two-party Computation (2PC)
Generic protocols [Yao86, GMW87]
“Tailored” protocols for specific applications [FNP04, HL08, KO97, …]
Fairplay [MNPS04]: implemented generic protocols
– Hope for practicality

3 Research in Secure Two-party Computation (2PC)
Active research improving the concrete efficiency of generic protocols
– Garbled circuit approach [PSSW09, HEKM11, KM11, LP07, LP11, …]
– GMW approach [NNOB11, CHKMR12, …]
Moving secure computation from theory to practice

4 Talk Outline
Background on Yao GC & the Free-XOR technique [KS08]
– Description in the random oracle (RO) model
– Replacing the RO with correlation robust hash functions?
Sufficient assumptions on the hash function
– Why correlation robust hash functions are not enough
– New notion: circular correlation robust hash functions
– Security of the Free-XOR technique
Conclusions

5 Yao Garbled Circuit (GC) [Yao86]
Generic secure computation protocol
Constant-round solution
Mostly symmetric-key operations
Popular choice for efficient 2PC

6 Yao Garbled Circuit
(Figure: an AND gate with input wires u, v and output wire w, followed by an XOR gate. Credit: V. Kolesnikov)

7 Yao Garbled Circuit
AND gate g: input wires u (keys u_0, u_1), v (keys v_0, v_1); output wire w (keys w_0, w_1). Garbled table:
H(u_0,v_0,g) ⊕ w_0
H(u_0,v_1,g) ⊕ w_0
H(u_1,v_0,g) ⊕ w_0
H(u_1,v_1,g) ⊕ w_1
XOR gate g': input wires w, x (keys x_0, x_1); output wire y (keys y_0, y_1). Garbled table:
H(w_0,x_0,g') ⊕ y_0
H(w_0,x_1,g') ⊕ y_1
H(w_1,x_0,g') ⊕ y_1
H(w_1,x_1,g') ⊕ y_0
g, g': gate indices; H: hash function

8 GC-Based Semi-Honest 2PC [Yao86]
(Figure) Alice garbles the circuit and sends the GC together with the keys for her input wires; Bob obtains the keys for his own input bits via OT; Bob evaluates the GC using the received input keys.

9 Efficiency Improvements to Yao GC
Garbled row reduction [NPS99, PSSW09]
– Just 3 entries per garbled table
Point-and-permute [MNPS04]
– Decrypt only one entry
Free-XOR technique [KS08]
– No garbled table for XOR gates

10 Free-XOR Technique [KS08]
Idea: XOR gates evaluated for “free”
– No cryptographic operations or communication (like [Kol05, GMW87])
– GC-based 2PC in the semi-honest setting
Gains in practice?
– 40% improvement for “typical” circuits
– 300% improvement for universal circuits
Impact
– All recent implementations use the Free-XOR technique [PSSW09, SS11, …]
– Efforts to minimize the number of non-XOR gates in a circuit [KS08, KSS09, PSSW09]

11 Free-XOR Technique [KS08]
Starting point: the plain Yao tables of slide 7 for AND gate g (wires u, v → w) and XOR gate g' (wires w, x → y).
AND gate g:
H(u_0,v_0,g) ⊕ w_0
H(u_0,v_1,g) ⊕ w_0
H(u_1,v_0,g) ⊕ w_0
H(u_1,v_1,g) ⊕ w_1
XOR gate g':
H(w_0,x_0,g') ⊕ y_0
H(w_0,x_1,g') ⊕ y_1
H(w_1,x_0,g') ⊕ y_1
H(w_1,x_1,g') ⊕ y_0

12 Free-XOR Technique [KS08]
R: hidden global parameter
Choose only the 0-keys at random and derive the 1-keys from R:
u_1 = u_0 ⊕ R, v_1 = v_0 ⊕ R, w_1 = w_0 ⊕ R, x_1 = x_0 ⊕ R
For the XOR gate: y_0 = w_0 ⊕ x_0, y_1 = y_0 ⊕ R
AND gate g (table unchanged):
H(u_0,v_0,g) ⊕ w_0
H(u_0,v_1,g) ⊕ w_0
H(u_1,v_0,g) ⊕ w_0
H(u_1,v_1,g) ⊕ w_1
XOR gate g' (table as before, now redundant):
H(w_0,x_0,g') ⊕ y_0
H(w_0,x_1,g') ⊕ y_1
H(w_1,x_0,g') ⊕ y_1
H(w_1,x_1,g') ⊕ y_0

13 Free-XOR Technique [KS08]
R: hidden global parameter
AND gate g keeps its garbled table; the evaluator holding keys u, v uses H(u,v,g) to recover w:
H(u_0,v_0,g) ⊕ w_0
H(u_0,v_1,g) ⊕ w_0
H(u_1,v_0,g) ⊕ w_0
H(u_1,v_1,g) ⊕ w_1
XOR gate g': no table at all; set y = w ⊕ x (the evaluator simply XORs the two keys it holds)
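Slides 11 to 13 in working form, as an added example (not the paper's or any implementation's code): garbling and evaluating y = (u AND v) XOR x with a hidden global offset R, SHA-256 standing in for H, and point-and-permute (slide 9) with the low bit of R forced to 1 so that the two keys of each wire select different rows. The key length, gate indices and sample circuit are assumptions of this example.

```python
import hashlib
import itertools
import os

K = 16  # key length in bytes (constructed parameter for this example)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def H(u, v, g):
    # stand-in for the hash H(u, v, g): SHA-256 over both keys and the gate index
    return hashlib.sha256(u + v + g.to_bytes(4, "big")).digest()[:K]

def pbit(k):
    return k[-1] & 1  # point-and-permute bit; k0 and k0 ⊕ R differ here because R has LSB 1

def global_offset():
    return os.urandom(K - 1) + bytes([os.urandom(1)[0] | 1])  # hidden R with LSB forced to 1

def new_wire(R):
    k0 = os.urandom(K)
    return (k0, xor(k0, R))  # only k0 is random; k1 = k0 ⊕ R

def garble_and(u, v, g, R):
    """Garbled table for AND gate g; the row is chosen by the input keys' permute bits."""
    w = new_wire(R)
    table = [None] * 4
    for a, b in itertools.product((0, 1), repeat=2):
        table[2 * pbit(u[a]) + pbit(v[b])] = xor(H(u[a], v[b], g), w[a & b])
    return w, table

def eval_and(ku, kv, g, table):
    return xor(H(ku, kv, g), table[2 * pbit(ku) + pbit(kv)])

def eval_xor(kw, kx):
    return xor(kw, kx)  # free: no table, no hash; yields y0 ⊕ (c ⊕ d)R for inputs w_c, x_d

def check_circuit():
    """Garble y = (u AND v) XOR x and verify the evaluator obtains y_{(a∧b)⊕c} for every input."""
    R = global_offset()
    u, v, x = new_wire(R), new_wire(R), new_wire(R)
    w, table = garble_and(u, v, 1, R)
    y = (xor(w[0], x[0]), xor(w[1], x[0]))  # y0 = w0 ⊕ x0 and y1 = w1 ⊕ x0 = y0 ⊕ R
    for a, b, c in itertools.product((0, 1), repeat=3):
        if eval_xor(eval_and(u[a], v[b], 1, table), x[c]) != y[(a & b) ^ c]:
            return False
    return True
```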

14 Proof in the RO Model [KS08]
Corrupt Alice: trivial
Corrupt Bob:
– Sim creates a fake garbled circuit whose output is always correct
– Intuitively, security reduces to proving that R is completely hidden
– Indistinguishability proved by induction on a topological ordering of the gates
Real table (for known input keys u, v):
H(u,v,g) ⊕ w
H(u,v ⊕ R,g) ⊕ w
H(u ⊕ R,v,g) ⊕ w
H(u ⊕ R,v ⊕ R,g) ⊕ (w ⊕ R)
Simulated table:
H(u,v,g) ⊕ w
random_1
random_2
random_3
– By induction, the known input keys are u, v
– Only w is recovered
– Except with negligible probability, all other values are hidden

15 Proof in the Standard Model?
The RO is not programmed
Can the RO be replaced by a suitable hash function?
– [KS08]: a variant of correlation robust hash functions (CorRHF) works
– Repeated wherever Free-XOR is used [PSSW09, SS11, AHI11, NO09, …]
Our contributions
– Specify a variant of CorRHF that is sufficient
– The “natural” variant of CorRHF is NOT sufficient

16 Proof in the Standard Model?
Main issue is circularity [BK03, BRS03, HK07, …]
– H(u ⊕ R,v ⊕ R,g) ⊕ (w ⊕ R)
– CorRHF does not capture circularity
Real table:
H(u,v,g) ⊕ w
H(u,v ⊕ R,g) ⊕ w
H(u ⊕ R,v,g) ⊕ w
H(u ⊕ R,v ⊕ R,g) ⊕ (w ⊕ R)
Our contributions
– Specify a variant of CorRHF that is sufficient
– The “natural” variant of CorRHF is NOT sufficient
– Circular correlation robust hash functions: capture circularity; give a security proof for the Free-XOR technique

17 Why is this important?
Implementors are happy with the RO…
In theory, the RO methodology is inherently flawed [CGH04]
– Want a precise formulation of the concrete properties required of the RO
The “natural” variant of CorRHF is used in other contexts [AHI11, NO09]
“CorRHF is sufficient for the Free-XOR technique” is claimed in several works [PSSW09, SS11, AHI11, …]
Which assumptions are required for the Free-XOR technique in Yao GC?
– Free-XOR in [GMW87, Kol05] needs no other assumptions

18 Correlation Robust Hash Functions [IKNP03]
Proposed by [IKNP03] for removing the RO in OT extension
Definition (CorRHF): H is CorRHF if, for randomly chosen u_1, …, u_p, the following two distributions are computationally indistinguishable:
– (u_1, …, u_p, H(u_1 ⊕ R), …, H(u_p ⊕ R)) where R is chosen uniformly
– (u_1, …, u_p, w_1, …, w_p) where each w_i is chosen uniformly
(Arithmetic variant) realized under the PDH assumption [AHI11]
[KS08]: a variant can replace the RO in Free-XOR
– A hidden offset is used in both [KS08] and [IKNP03]

19 “Natural” Variant of CorRHF
Definition (weak 2-CorRHF): H is weakly 2-CorRHF if, for given u_1, …, u_p, v_1, …, v_p, the following two distributions are computationally indistinguishable:
– (H(u_1 ⊕ R,v_1,1), H(u_1,v_1 ⊕ R,1), H(u_1 ⊕ R,v_1 ⊕ R,1), …, H(u_p ⊕ R,v_p,p), H(u_p,v_p ⊕ R,p), H(u_p ⊕ R,v_p ⊕ R,p)) where R is chosen uniformly
– (w_1, …, w_3p) where each w_i is chosen uniformly

20 Our Working Definition of 2-CorRHF
Oracle based
– Cor_R(u,v,g): output H(u,v ⊕ R,g), H(u ⊕ R,v,g), H(u ⊕ R,v ⊕ R,g)
– Rand(u,v,g): if the input was queried before, output the answer given previously; else output a uniformly chosen string
Definition (2-CorRHF): H is 2-CorRHF if every non-uniform PPT adversary A with oracle access to O (either Cor_R or Rand) cannot tell whether O is Cor_R or Rand, except with negligible advantage
Stronger than the previous definition
– Oracle queries can be adaptive

21 2-CorRHF and the Free-XOR Technique
Reduction adversary B for 2-CorRHF
– Given O (either Cor_R or Rand)
– How to create the garbled table?
– Choose random u, v, w
– Query O(u,v,g) to get h_1, h_2, h_3
– The first 3 entries can be set
– How to obtain the fourth entry using h_3?
– Unclear how to complete the reduction
Real table:
H(u,v,g) ⊕ w
H(u,v ⊕ R,g) ⊕ w
H(u ⊕ R,v,g) ⊕ w
H(u ⊕ R,v ⊕ R,g) ⊕ (w ⊕ R)
Simulated table:
H(u,v,g) ⊕ w
random_1
random_2
random_3
Reduction table:
H(u,v,g) ⊕ w
h_1 ⊕ w
h_2 ⊕ w
?

22 Counterexample
Rule out a fully black-box reduction using two oracles, H and Break
– H is 2-CorRHF even if A has oracle access to H and Break
– The Free-XOR technique is insecure when A has access to H and Break
H(u,v,g): random function
Break(u,v,g,z_1,z_2,z_3): output r when
– z_1 = H(u,v ⊕ r,g)
– z_2 = H(u ⊕ r,v,g)
– z_3 = H(u ⊕ r,v ⊕ r,g) ⊕ r
Else output nothing

23 H is 2-CorRHF against A^{H,Break}
O = Rand: uniform, independent of A’s view
O = Cor_R: uniform, independent of A’s view unless A queries O(u,v,g) and
– O(u’,v’,g) with u’ ⊕ u = R or v’ ⊕ v = R, or
– H(u’,v’,g) with u’ ⊕ u = R or v’ ⊕ v = R, or
– Break(u,v,g,z_1,z_2,z_3) with z_3 ⊕ H(u ⊕ R,v ⊕ R,g) = R
This happens with negligible probability
(Recall: H(u,v,g) is a random function; Break(u,v,g,z_1,z_2,z_3) outputs r when z_1 = H(u,v ⊕ r,g), z_2 = H(u ⊕ r,v,g) and z_3 = H(u ⊕ r,v ⊕ r,g) ⊕ r, else outputs nothing)

24 Insecurity of the Free-XOR Technique: A^{H,Break}
Attack: A acting as Bob recovers R
Real table of AND gate g (c_1, c_2, c_3 are the three rows Bob does not decrypt):
H(u,v,g) ⊕ w
c_1 = H(u,v ⊕ R,g) ⊕ w
c_2 = H(u ⊕ R,v,g) ⊕ w
c_3 = H(u ⊕ R,v ⊕ R,g) ⊕ (w ⊕ R)
Recover w from gate g using H(u,v,g), then set
– z_1 = c_1 ⊕ w
– z_2 = c_2 ⊕ w
– z_3 = c_3 ⊕ w
Query Break(u,v,g,z_1,z_2,z_3) to get R
(Recall: H(u,v,g) is a random function; Break(u,v,g,z_1,z_2,z_3) outputs r when z_1 = H(u,v ⊕ r,g), z_2 = H(u ⊕ r,v,g) and z_3 = H(u ⊕ r,v ⊕ r,g) ⊕ r, else outputs nothing)
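The counterexample of slides 22 to 24 as an added toy example (not the paper's code): H is a lazily sampled random function and Break is realised by exhaustive search over an 8-bit key space, which only works because the key length here is a constructed toy parameter; in the paper Break is an abstract oracle and H is over full-length keys. The example assumes Bob holds the two keys that open row 0 of the gate's table.

```python
import random

KBITS = 8  # toy key length (constructed) so that Break can be realised by exhaustive search
_H = {}    # lazily sampled random function H(u, v, g) -> KBITS-bit value

def H(u, v, g):
    return _H.setdefault((u, v, g), random.getrandbits(KBITS))

def Break(u, v, g, z1, z2, z3):
    """Slide 22's Break: return r when z1 = H(u,v⊕r,g), z2 = H(u⊕r,v,g), z3 = H(u⊕r,v⊕r,g) ⊕ r."""
    for r in range(1, 1 << KBITS):  # the paper's Break is an oracle; here we simply try every r
        if z1 == H(u, v ^ r, g) and z2 == H(u ^ r, v, g) and z3 == H(u ^ r, v ^ r, g) ^ r:
            return r
    return None  # "output nothing"

def real_and_table(u, v, w, g, R):
    """Real Free-XOR table of AND gate g for 0-keys u, v, w (rows 1..3 are c_1, c_2, c_3 of slide 24)."""
    return [H(u, v, g) ^ w, H(u, v ^ R, g) ^ w, H(u ^ R, v, g) ^ w, H(u ^ R, v ^ R, g) ^ (w ^ R)]

def bob_recovers_R(u, v, g, table):
    """Slide 24: Bob, holding the keys u, v of row 0, decrypts w, forms z_i = c_i ⊕ w and asks Break."""
    w = H(u, v, g) ^ table[0]
    z1, z2, z3 = (c ^ w for c in table[1:])
    return Break(u, v, g, z1, z2, z3)

def demo():
    """True iff Bob's single query to Break returns the hidden global offset R."""
    R = random.getrandbits(KBITS) | 1  # constructed R, kept non-zero
    u, v, w = (random.getrandbits(KBITS) for _ in range(3))
    return bob_recovers_R(u, v, 1, real_and_table(u, v, w, 1, R)) == R
```

With H a random function, a wrong r satisfies all three Break conditions only by chance (about 2^-24 per candidate here), which is the negligible-probability event of slide 23.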

25 Capturing Circularity: Circular 2-CorRHF
Recall the indistinguishable oracles in 2-CorRHF
– Cor_R(u,v,g): output H(u,v ⊕ R,g), H(u ⊕ R,v,g), H(u ⊕ R,v ⊕ R,g)
– Rand(u,v,g): if the input was queried before, output the answer given previously; else output a uniformly chosen string
Oracles for Circular 2-CorRHF
– Circ_R(u,v,g,b_1,b_2,b_3): output H(u ⊕ b_1R, v ⊕ b_2R, g) ⊕ b_3R
– Rand(u,v,g,b_1,b_2,b_3): same as before
(bR = 0 when b = 0; bR = R when b = 1)

26 Capturing Circularity: Circular 2-CorRHF (continued)
Allowing b_3 = 1 captures circularity

27 Circular 2-CorRHF
Oracles for Circular 2-CorRHF
– Circ_R(u,v,g,b_1,b_2,b_3): output H(u ⊕ b_1R, v ⊕ b_2R, g) ⊕ b_3R
– Rand(u,v,g,b_1,b_2,b_3): same as before
Indistinguishability conditioned on restricted (“legal”) queries to Circ_R
– No queries of the form (u,v,g,0,0,b_3)
– No queries on both (u,v,g,b_1,b_2,0) and (u,v,g,b_1,b_2,1)
Definition (Circular 2-CorRHF): H is circular 2-CorRHF if every non-uniform PPT adversary A making legal queries to oracle O cannot tell whether O is Circ_R or Rand, except with negligible advantage

28 Proof of Security for the Free-XOR Technique
Corrupt Alice: trivial
Corrupt Bob: Sim creates a fake garbled circuit (AND gate g on wires u, v → w; XOR gate on w, x → y = w ⊕ x)
– Choose a random key for all wires except the output wires of XOR gates
– XOR the chosen keys of the input wires to get the key of the output wire of an XOR gate
– Populate unknown values in non-XOR gate tables with random values
– Set the output garbled table to give the correct output z
Simulated table:
H(u,v,g) ⊕ w
random_1
random_2
random_3

29 Reduction to Circular 2-CorRHF
Reduction adversary B for Circular 2-CorRHF
B is given access to O (either Circ_R or Rand) and the real inputs of both parties
(AND gate g on wires u, v → w; XOR gate on w, x → y = w ⊕ x)
– Choose a random key for all wires except the output wires of XOR gates
– XOR the chosen keys of the input wires to get the key of the output wire of an XOR gate
– Populate unknown values in non-XOR gate tables using O
– Set the output garbled table to give the correct output z
Reduction table:
H(u,v,g) ⊕ w
O(u,v,g,0,1,0) ⊕ w
O(u,v,g,1,0,0) ⊕ w
O(u,v,g,1,1,1) ⊕ w

30 Circular 2-CorRHF & the Free-XOR Technique
Recall Circ_R(u,v,g,b_1,b_2,b_3): output H(u ⊕ b_1R, v ⊕ b_2R, g) ⊕ b_3R
Reduction table:
H(u,v,g) ⊕ w
O(u,v,g,0,1,0) ⊕ w
O(u,v,g,1,0,0) ⊕ w
O(u,v,g,1,1,1) ⊕ w
O = Circ_R gives the real table:
H(u,v,g) ⊕ w
H(u,v ⊕ R,g) ⊕ w
H(u ⊕ R,v,g) ⊕ w
H(u ⊕ R,v ⊕ R,g) ⊕ (w ⊕ R)
O = Rand gives the simulated table:
H(u,v,g) ⊕ w
random_1
random_2
random_3
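The oracles of slides 25 to 30 as an added example (not the paper's code): a Circ_R oracle that rejects the two kinds of illegal query from slide 27, a Rand oracle, and the reduction table of slide 29 built from O alone without ever touching R; check_reduction confirms that O = Circ_R yields exactly the real table while O = Rand yields the simulated one. SHA-256 as H, the key length and the gate index 7 are assumptions of this example.

```python
import hashlib
import os

K = 16  # key length in bytes (constructed)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def H(u, v, g):
    return hashlib.sha256(u + v + g.to_bytes(4, "big")).digest()[:K]  # stand-in for H

class CircOracle:
    # Circ_R(u,v,g,b1,b2,b3) = H(u ⊕ b1·R, v ⊕ b2·R, g) ⊕ b3·R, enforcing slide 27's legality rules
    def __init__(self, R):
        self.R, self.seen = R, set()

    def __call__(self, u, v, g, b1, b2, b3):
        if (b1, b2) == (0, 0):
            raise ValueError("illegal query: (u,v,g,0,0,b3) would hand out H(u,v,g) ⊕ b3R")
        if (u, v, g, b1, b2, 1 - b3) in self.seen:
            raise ValueError("illegal query: b3=0 and b3=1 on the same (u,v,g,b1,b2) would reveal R")
        self.seen.add((u, v, g, b1, b2, b3))
        bR = lambda b: self.R if b else bytes(K)  # bR = 0 when b = 0, R when b = 1
        return xor(H(xor(u, bR(b1)), xor(v, bR(b2)), g), bR(b3))

def rand_oracle():
    memo = {}  # Rand: a fresh uniform string per new query, consistent on repeats
    return lambda *q: memo.setdefault(q, os.urandom(K))

def reduction_table(O, u, v, w, g):
    # slide 29: B fills the AND-gate table for its own 0-keys u, v, w using only O
    return [xor(H(u, v, g), w), xor(O(u, v, g, 0, 1, 0), w),
            xor(O(u, v, g, 1, 0, 0), w), xor(O(u, v, g, 1, 1, 1), w)]

def real_table(u, v, w, g, R):
    return [xor(H(u, v, g), w), xor(H(u, xor(v, R), g), w),
            xor(H(xor(u, R), v, g), w), xor(H(xor(u, R), xor(v, R), g), xor(w, R))]

def check_reduction():
    """Slide 30: O = Circ_R reproduces the real table exactly; O = Rand gives the simulated one."""
    R, u, v, w = (os.urandom(K) for _ in range(4))
    real, sim = real_table(u, v, w, 7, R), reduction_table(rand_oracle(), u, v, w, 7)
    return reduction_table(CircOracle(R), u, v, w, 7) == real and sim[0] == real[0] and sim[1:] != real[1:]

def illegal_query_rejected():
    O, u, v = CircOracle(os.urandom(K)), bytes(K), bytes(K)
    O(u, v, 1, 1, 1, 1)  # legal on its own
    try:
        O(u, v, 1, 1, 1, 0)  # same (u,v,g,1,1) with the other b3: must be refused
        return False
    except ValueError:
        return True
```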

31 Conclusions & Open Questions
Free-XOR technique extremely influential
– Used in all Yao GC implementations
Secure in the random oracle model
“Natural” variant of 2-CorRHF is not sufficient
– Circularity
Stronger notion of 2-CorRHF: Circular 2-CorRHF
– Security proof for the Free-XOR technique
“Free” gate evaluation under OWF?
Realize Circular 2-CorRHF from standard crypto assumptions?

32 Thank You!

