Presentation is loading. Please wait.

Presentation is loading. Please wait.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Similar presentations


Presentation on theme: "Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose."— Presentation transcript:

1 Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose Yehuda Lindell Bar-Ilan University Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

2 Secure Two-Party Computation Two parties with private inputs x and y Compute a joint function of their inputs while preserving – Privacy – Correctness – Independence of inputs 2

3 Adversaries and Security Semi-honest: follow protocol description but attempt to learn more than allowed – Highly efficient, but weak guarantee Malicious: run any arbitrary attack strategy – Much more expensive Covert: behave maliciously and may succeed, but will be caught with a guaranteed probability 3

4 Yao’s Protocol (Semi-Honest) Alice Bob Compute f(x,y) (learn nothing else) Garbled (encrypted) circuit

5 Security for Malicious Alice may not construct the circuit correctly Solution – cut-and-choose 5

6 The Cut-and-choose Paradigm 6

7 7

8 8 Majority Final output

9 The Cost How many circuits are needed to make sure that the majority are correct? – With s circuits, probability of cheating is 2 -0.311s [LP11] or 2 -0.32s [sS11] – For error 2 -40, need approximately 125 circuits – For error 2 -80, need approximately 250 circuits This is a very heavy price! 9

10 These Two Works Aim: reduce the number of garbled circuits needed 1.Lindell: s circuits + some small additional overhead for 2 -s error 2.Huang-Katz-Evans: s circuits per party in parallel for 2 -s error Cut-and-choose opens up many other problems (input consistency etc.); we focus on the main issue of number of circuits 10

11 Lindell’s Solution – The Main Idea Why majority? – A malicious Alice can make most circuits correct and a few not – The incorrect circuits can compute the function if Bob’s input meets some condition; otherwise compute garbage – Bob aborts if it gets different outputs: If Bob aborts, Alice knows that Bob’s input does not meet the condition If Bob does not abort, Alice knows that Bob’s input meets the condition 11

12 Lindell’s Solution – The Main Idea Make cheating possible only if all checked circuits are correct and all evaluated circuits are incorrect – This yields error 2 -s for s circuits How? – Alice and Bob run a small secure computation in addition – If Bob received two different outputs in two different circuits, it learns Alice’s input – In this case, Bob computes f(x,y) itself – Alice doesn’t know which case happened 12

13 Lindell’s Solution – The Main Idea The secure computation – Yao’s circuit for malicious (e.g., LP11) – Number of non-XOR gates is only the number of bits in Alice’s input (very small circuit) Input consistency and other issues are dealt with as in other works – These other parameters are not optimized in the paper – This will be discusses in the next talk; their solutions can be applied here 13

14 Lindell’s Solution – More Details The garbled values on the output wires are secret (this has been used for secure delegation) If Bob learns two garbled values on a single output wire (in different circuits), then Alice must have been cheating – This is a proof that Alice cheated The secure computation checks if Bob has two such values and outputs Alice’s input x to Bob if yes This circuit can be made very small, and Alice can be forced to use the same input 14

15 Huang-Katz-Evans Solution Observation – One of the two parties is honest, all circuits generated by him is correct Approach – Let each party generate half of the circuits – Suffices to ensure at least one good evaluation circuit is generated by the adversary 15

16 16

17 17 A party uses consistent inputs in both roles Securely combine both parties’ results to obtain the final output

18 Input Consistency – The Goal 18 Evaluator / OT Receiver Generator The discrete log of C is unknown. [Naor and Pinkas, SODA2001]

19 Input Consistency – The Idea 19 Evaluator / OT Receiver Generator

20 Final output Goal: Derive the final output from both parties’ circuit evaluation results 20

21 Output Revelation Verifiable Secret Sharing 21 Generator picks a pair of secrets (s 0, s 1 )randomly

22 Output Revelation circuit check 22

23 Output Revelation circuit evaluation 23

24 Output Revelation secure equality test 24 (s 0,s 1 ) One and only one of the 2 tests can succeed. (s’ 0,s’ 1 ) (s 0, s’ 0 ) Output 0 (s 0, s’ 0 ) (s 1, s’ 1 ) Output 1 (s 1, s’ 1 )

25 Conclusions Actively secure two party computation can be done with reduced number of circuits via either punishing the cheater or symmetric cut-and-choose.


Download ppt "Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose."

Similar presentations


Ads by Google