1
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
Payman Mohassel Yahoo Labs
2
History of Garbled Circuits
- 1982: First oral presentation [Andrew Yao]
- 1987: First written account [GMW] (public-key)
- 1990: First use of term "Garbled circuits" [BMR] (symmetric-key)
- 1994: First abstraction as a primitive [FKN] (minimal model for sec. comp.)
- 1999: First PRF-based construction [NPS] (PP-auctions)
- 2004: First implementation [MNPS] (Fairplay)
- 2004: First proof of 2PC based on garbled circuits [LP] (double-encryption)
3
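A Garbling Scheme
[Diagram labels: circuit $C(x,y) = f(x,y)$; seed; garbled circuit $GC$ with truth tables $TT$; garbled inputs $GI_x$, $GI_y$ for inputs $x$, $y$; Eval( ); garbled output $GO$; output $f(x,y)$]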
4
Basic Properties
- Privacy: Knowing $GI_x$, $GI_y$, and $GC$ does not leak any info
- Output Authenticity: Cannot compute another valid output
[Diagram labels: $GC$, $TT$, $GI_x$, $GI_y$, $f(x,y)$, $GO'$]
5
Many Applications
- Secure multi-party computation
- Zero-knowledge proofs
- Verifiable computation
- Homomorphic encryption
- One-time programs
- Circular-secure encryption
- Functional encryption
- ...
Emerged as a powerful building block!
6
Secure Multiparty Computation (MPC)
- Correctness: honest parties learn the correct output
- Privacy: Nothing but the final output is leaked
- Fairness, Output Delivery, …
[Diagram: parties P1, x1; P2, x2; P3, x3; P4, x4; P5, x5. Parties learn only f(x1,…,xn)]
7
Applications of MPC
- Data mining
- Electronic Voting
- Auctions
- Exchanges/financial analysis
- Location privacy
- Genomic computation
- Electronic commerce
- Healthcare
When there is IP, NDA, user consent involved
When you need to distribute trust
8
Secure Two-Party Computation (2PC)
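[Diagram labels: $C(x,y) = f(x,y)$; Garbler with input $x$; Evaluator with input $y$; $GC \leftarrow Garb(C, sd)$; $GI_x \leftarrow GIn(x, sd)$; $GC$ with $TT$; $GI_x$; $GI_y$ via Oblivious Transfer; output $f(x,y)$]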
9
Yao’s Garbled Circuit Protocol
- First secure computation protocol
- Efficient and simple
- Implementations
  - Fairplay, 2004
  - TASTY, 2010
  - FastGarble, 2011
  - SCAPI, 2013
  - JustGarble, 2013
  - …
- Circuits with millions of gates in less than a second
10
Research Directions
- Garbling
  - Constructions
  - Functionality & Security Properties
- Secure 2PC
11
Basic Garbling/Evaluation
Garble (AND gate with input wire keys $k_0^1, k_1^1$ and $k_0^2, k_1^2$, output wire keys $k_0^3, k_1^3$):
$c_{0,0} = E_{k_0^1, k_0^2}(k_0^3)$
$c_{0,1} = E_{k_0^1, k_1^2}(k_0^3)$
$c_{1,0} = E_{k_1^1, k_0^2}(k_0^3)$
$c_{1,1} = E_{k_1^1, k_1^2}(k_1^3)$
Evaluate:
$Dec_{k_a^1, k_b^2}(c_{a,b}) = k_{a \& b}^3$
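The gate garbling on this slide, as an added example that is not part of the original presentation. Assumptions: SHA-256 of both input keys stands in for the double-keyed encryption E, an all-zero tag lets the evaluator recognise the correct row by trial decryption, and the three-input circuit and all function names are hypothetical.

```python
import hashlib, random, secrets

KEY_LEN = 16        # wire-key length in bytes
TAG = bytes(16)     # zero redundancy appended to each plaintext (assumption)

def _pad(ka, kb, gate_id):
    # Pad derived from both input keys; SHA-256 stands in for E (assumption).
    return hashlib.sha256(ka + kb + gate_id.to_bytes(4, "big")).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def new_wire():
    # (k_0, k_1): one random key per truth value of the wire
    return (secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN))

def garble_and(w1, w2, w3, gate_id):
    # c_{a,b} = E_{k_a^1, k_b^2}(k_{a&b}^3); rows are shuffled to hide (a, b)
    rows = [_xor(_pad(w1[a], w2[b], gate_id), w3[a & b] + TAG)
            for a in (0, 1) for b in (0, 1)]
    random.SystemRandom().shuffle(rows)
    return rows

def eval_gate(rows, ka, kb, gate_id):
    # Trial-decrypt every row; only the matching row ends in the zero tag.
    pad = _pad(ka, kb, gate_id)
    for c in rows:
        pt = _xor(pad, c)
        if pt[KEY_LEN:] == TAG:
            return pt[:KEY_LEN]
    raise ValueError("no row decrypts: keys do not belong to this gate")

def garble_circuit():
    # Demo circuit (constructed for this example): out = (x1 AND x2) AND x3
    w = {name: new_wire() for name in ("x1", "x2", "x3", "mid", "out")}
    gc = [garble_and(w["x1"], w["x2"], w["mid"], 0),
          garble_and(w["mid"], w["x3"], w["out"], 1)]
    return w, gc

def evaluate(gc, k1, k2, k3):
    # The evaluator holds one key per input wire and never sees the bits.
    mid = eval_gate(gc[0], k1, k2, 0)
    return eval_gate(gc[1], mid, k3, 1)

def run(x1, x2, x3):
    w, gc = garble_circuit()
    out_key = evaluate(gc, w["x1"][x1], w["x2"][x2], w["x3"][x3])
    return w["out"].index(out_key)   # garbler decodes the output key to a bit
```

In the 2PC protocol the evaluator would receive the keys for its own input through oblivious transfer rather than from the garbler's table directly.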
12
Constructions (Efficiency)
- 1990: Point-and-Permute [BMR]
- 1999: 3-row reduction [NPS]
- 2008: Free-XOR [KS]
- 2009: 2-row reduction [PSSW]
- 2013: Fixed-key block-cipher [BHKR]
- 2014: FleXor [KMR]
- 2014: Privacy-free garbling [KNO]
- 2015: HalfGates [ZRE] (2-row non-XORs, and 0-row XORs)
How low can we get? Lower bounds?
Fresh ideas for garbling needed?
13
Constructions (Security)
Weak Assumptions
- PRF: double-encryption
- LPN: Free-XOR
- Correlation-robustness: row reduction techniques
- Correlation-robustness: FleXor
Strong Assumptions
- Circular-security: Free-XOR
- Circular-security: Half-Gates
- Ideal-permutation: Fixed-key block-cipher
- RO: Adaptive security
Can we achieve these using weak assumptions?
14
Standard Security Properties
- Input privacy
  - Needed in most applications (not in ZK application)
- Function privacy
  - Private function evaluation
- Output authentication
  - Malicious 2PC, dual-execution, verifiable comp., server-aided comp., ZK
- Adaptive privacy
  - Verifiable comp, offline/online batch execution, …
15
New Security Properties?
- Only a subset of properties (e.g. privacy-free garbling)
- Leaky privacy (e.g. leak a few bits, protect/leak certain functions)
- Tunable security! (tunable privacy, authenticity, …)
- Leveled privacy (inputs with different sensitivity levels)
16
Functionality?
- Standard ones
  - Garble, encode inputs, evaluate, authenticate outputs
- Circuit property enforcing (with Rosulek and Kolesnikov)
  - Checking circuit properties
  - Topology, depth, input size, gate types
  - Useful in limiting malicious behavior
- Input property enforcing
  - Unique input identifier (for input consistency)
  - Enforcing input formats
  - Enforce relation between inputs in multiple executions (beyond equality)
- Output property enforcing
  - Enforcing output format
17
Malicious 2PC
[Diagram labels: $P_1$ with input $x$; garbled circuits $GC_1, \dots, GC_6$; Open; Evaluate; Majority; "Are all inputs the same?"; outputs $z_2$, $z_4$, $z_6$; "Is the output correct?"; $z = f(x,y)$; $1 - 2^{-\Omega(s)}$ security, $s \geq 40$]
18
Secure 2PC
- Malicious security
  - Cut-and-choose (state of the art: Lindell 2013)
  - Abstracting out cut-and-choose (joint work with Seny Kamara)
  - A new paradigm?
  - Lower bounds for cut-and-choose?
- RAM programs
  - Optimizing ORAM for 2PC ([WCS]: Circuit-ORAMs)
  - Implementation framework (SCVM)
  - Extending cut-and-choose to RAM programs ([AHMR])
  - Lots of interesting questions
- 2PC with relaxed security
  - Covert security, leaky 2PC, one-sided security
  - Restricting leakage functions
19
Questions?