Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Computation Lecture 13-14 Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.

Published byEustace Blair Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Computation Lecture 13-14 Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto."— Presentation transcript:

1 Secure Computation Lecture 13-14 Arpita Patra

2 Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto # Preprocessing of OT (on random inputs) > Step II: Offline: k OTs + O(n 2 c AND ) SKE operations ; Online: i.t., no crypto # OT Extension [IKNP] (Domain extension + OT extension) # RO Model, Correlation-robust Hash function >> Constant Round 2PC Yao. > How to garble a circuit (using physical keys/boxes) > How to use garbled circuit for 2PC >> Complexity of GMW n-party Protocol: O(n 2 c AND ) OTs

3 Circuit Evaluation on Clear x1x1 x2x2 x3x3 x4x4 f(x 1, x 2, x 3, x 4 ) +   x1x1 x4x4 x3x3 x2x2 x 1  x 2 x 3  x 4 x 1  x 2 + x 3  x 4 > When inputs to a gate g get values, say a, b, then its output wire gets value g(a,b); Two input gate g: {0,1} 2  {0,1} >> Circuit evaluation is nothing but assigning bits to the wires > Input wires get values from inputs > The value for the output wire is taken as the output >> For secure computation: We want a way to evaluate circuit that leaks nothing but the circuit output. Garbled Circuit

4 Yao’s Garbled Circuit +   Garbling a Wire: Every wire is associated with a pair of identical looking keys. 0 1 Identical looking keys ensure NO information about the assigned bit can be inferred from a key corresponding to a wire Garbling of wires complete! During evaluation a garbled circuit on a given input, the evaluator will get/see the keys corresponding to the assigned bits of the wires instead of the assigned bits. Need a mechanism to hide the assigned bits of the wires during evaluation

5 Yao’s Garbled Circuit +   Gate evaluation in Plain Circuit: Given the the assigned values, say a, b of the input wires of gate g, find the assigned value for the output wire as g(a,b). Easy!! Gate evaluation in Garbled circuit: Given the keys corresponding to the assigned values, say a, b of the input wires of gate g, find the key for g(a,b) for the output wire How to evaluate a gate in garbled circuit Garble the gates!

6 Yao’s Garbled Circuit  Garbling a Gate: Every two input gate is associated with four doubly locked boxes (corresponding to four output possibilities). Each pair of input wire keys (one from each input wire) will open one and only one box. The box that can be opened using keys for a, b contains the key corresponding to g(a,b). 1st input wire 2 nd Input wire Output wire Key for 0 Key for g(0,0) Key for 0Key for 1Key for g(0,1) Key for 1Key for 0Key for g(0,1) Key for 1 Key for g(1,1) Boxes are randomly permutated to prevent leaking of meaning of the keys! Garbled Gates: The locked boxes

7 Yao’s Garbled Circuit It enables one to evaluate a circuit without leaking anything but the output x1x1 x2x2 x3x3 x4x4 f(x 1, x 2, x 3, x 4 ) +   Garbling a wire: Every wire is associated with a pair of identical looking keys. Garbling a Gate: Every two input gate is associated with four doubly locked boxes (in randomly permuted order) so that each pair of keys (one from each input wire) will open one and only one box. Garbled Circuit: Garbled gates

8 Yao’s Garbled Circuit It enables one to evaluate a circuit without leaking anything but the output x1x1 x2x2 x3x3 x4x4 f(x 1, x 2, x 3, x 4 ) +   Garbled Circuit: Garbled gates + meaning of the output wire keys (output decryption tables) 1. Give input keys corresponding to the inputs and the garbled circuit. 2. For every gate, exactly one box can be opened and the key corresponding to the output value for the inputs can be obtained 3. For the output gate, the key corresponding to the output value for given inputs can be obtained. Output

9 Yao’s 2 Party Protocol Y = (y 1,y 2,…y k ) P0P0 P1P1 X = (x 1,x 2,…x k ) GC Constructor GC Evaluator Construct a Garbled Circuit GC for Circuit C Keys corresponding to X = (x 1,x 2,…x k ) and GC OT 1 y1y1 OT k ykyk Evaluate GC with the given input keys and interpret the output Z using output decryption tables Z

10 Yao’s Garbled Circuit from “Special SKE” +   Garbled Circuit: garbled gates (four/two locked boxes) + meaning of the output wire keys Physical Keys: Keys of SKE Locked boxes: Encryptions Doubly Locked boxes: Double Encryptions What properties do we need from the SKE? Some known security properties of SKE: CPA, CCA etc.

11 Syntax of SKE 1.Key-generation Algorithm (Gen()): 2. Encryption Algorithm (Enc k (m)); m from {0,1}*: 3. Decryption Algorithm (Dec k (c)):  MUST be a Randomized algorithm  Outputs a key k chosen according to some probability distribution determined by the scheme;  Deterministic/Randomized algorithm  c  Enc k (m) when randomized and c:=Enc k (m) when deterministic  Usually deterministic  Outputs m:= Dec k (c)

12 Syntax of SKE  Set of all possible keys output by algorithm Gen 1.Key space ( ):  Usually Gen selects a key k uniformly at random from 2. Plain-text (message) space ( ):  Set of all possible “legal” message (i.e. those supported by Enc) 3. Cipher-text space ( ):  Set of all cipher-texts output by algorithm Enc  The sets and together define the set Any cipher is defined by specifying (Gen, Enc, Dec) and

13 Yao’s Garbled Circuit from “Special” SKE +   Garbling the Wires: Every wire is associated with a pair of identical looking SKE keys. k 0 w1 k 1 w1 k 0 w2 k 1 w2 k 0 w3 k 1 w3 k 0 w4 k 1 w4 k 0 w5 k 1 w5 k 0 w6 k 1 w6 k 0 w7 k 1 w7

14 +   Garbling the Gates: Every two input gate is associated with four double encryptions so that each pair of keys (one from each input wire) will decrypt one and only one ciphertext where ciphertexts hide appropriate output wire key. AND Gate: k 0 w1 k 1 w1 k 0 w2 k 1 w2 k 0 w3 k 1 w3 k 0 w4 k 1 w4 k 0 w5 k 1 w5 k 0 w6 k 1 w6 k 0 w7 k 1 w7 1st input wire2 nd Input wireDouble Encryptions k 0 w1 k 0 w2 k 0 w1 k 1 w2 k 1 w1 k 0 w2 k 1 w1 k 1 w2 Garbled AND Gate Similarly for other gates Yao’s Garbled Circuit from “Special” SKE In randomly permuted order

15 R1: K = M = C Yao’s Garbled Circuit from “Special” SKE Garbled AND Gate >> In usual SKE, a wrong key lead to a wrong message, but the decryption does not fail (SKEs are usually use OTP principle). >> Recall that one pair opens one and only one box > The ciphertext spaces must be distinct under distinct keys with high probability. > For the SKE, there must be a mechanism to verify (efficiently) if a given ciphertext belongs to the ciphertext space of a given key. >> Consequence in Yao 2PC: How does the circuit evaluator know which decrypted value is the intended output key? Correctness of 2PC will fail!! Formal definition of SKE with elusive range and efficiently verifiable range can be found in HL and correctness proof reduces to the above security property of SKE Drawbacks: Multiple trial-decryption + Huge Ciphertext size for SKEs with above security property + Involved Correctness proof

16 Yao’s Garbled Circuit from “Special” SKE Point & Permute [NPS99]: +   k 0 w1 |p 1 k 1 w1 |1-p 1 k 0 w2 |p 2 k 1 w2 |1-p 2 k 0 w5 |p 5 k 1 w5 |1-p 5 k 0 w3 |p 3 k 1 w3 |1-p 3 k 0 w4 |p 4 k 1 w4 |1-p 4 k 0 w6 |p 6 k 1 w6 |1-p 6 k 0 w7 |p 7 k 1 w7 |1-p 7 >> The permutation bits corresponding to input wires of a gate are used to permute the ciphertexts >> will be placed at (p 1 p 2 )th row >> assuming p 1 = p 2 = 1 Garbled AND Gate >> given just one of the permutation bits for each wire, the row where the ciphertext is placed will look random and will not leak any information about the meaning of the input and out keys! >> No requirement from SKE! Correctness of 2PC from GC taken care ! >> A random bit called permutation bit will be associated with every wire

17 R1: K|{0,1} = M = C Yao’s Garbled Circuit from “Special” SKE >> SKE must be such that an bad evaluator should have no information about what the three unopened ciphertext contains >> Very subtle security definition is required! >> Double encryption security >> E.g. if it can guess the unopened message are same and the gate is AND, then it knows the meaning of the key it decrypted!

18 Chosen Double Encryption (CDE) Security  = (Gen, Enc, Dec),, k I can break  Let me verify Gen PrivK (k) A,  cde PPT Attacker A b  {0, 1} c 0  Enc k0 (Enc k’1 (x b )) Post-challenge Training with oracles Enc ** (Enc k’1 (**)) Enc k’0 (Enc ** (**)) b’  {0, 1} Game Output b = b’ 1 --- attacker won b  b’ 0 --- attacker lost ½ + negl(n) Pr PrivK (k) A,  cde = 1   is CDE-secure if for every PPT A, there is a negligible function negl, such that: k 0, k 1 (x 0,y 0,z 0 ), (x 1,y 1,z 1 ) k’ 0, k’ 1 c 1  Enc k’0 (Enc k1 (y b )) c 2  Enc k’0 (Enc k’1 (z b ))

19 Chosen Plain-text Attack (CPA) Security  = (Gen, Enc, Dec),, k I can break  Let me verify Gen(1 n ) k PrivK (k) A,  cpa PPT Attacker A Training Phase m 0, m 1 , |m 0 | = |m 1 | b  {0, 1} c  Enc k (m b ) Post-challenge Training b’  {0, 1} Game Output b = b’ 1 --- attacker won b  b’ 0 --- attacker lost ½ + negl(n) Pr PrivK (n) A,  cpa = 1   is CPA-secure if for every PPT A, there is a negligible function negl, such that: Every CPA-secure scheme is also CDE-secure!

20 Completing the Picture Garbled Circuit: Garbled gates + output decryption tables 1. Give input keys corresponding to the inputs and the garbled circuit. 2. For every gate, decrypt the encryption pointed by permutation bits of the input keys of a gate, get the output key and its permutation bit 3. For the output gate, the key corresponding to the output value for given inputs is obtained and is translated to correct output using the decryption tables. +   k 0 w1 |p 1 k 1 w1 |1-p 1 k 0 w2 |p 2 k 1 w2 |1-p 2 k 0 w5 |p 5 k 1 w5 |1-p 5 k 0 w3 |p 3 k 1 w3 |1-p 3 k 0 w4 |p 4 k 1 w4 |1-p 4 k 0 w6 |p 6 k 1 w6 |1-p 6 k 0 w7 |p 7 k 1 w7 |1-p 7

21 Yao’s 2 Party Protocol Y = (y 1,y 2,…y k ) P0P0 P1P1 X = (x 1,x 2,…x k ) GC Constructor GC Evaluator Construct a Garbled Circuit GC for Circuit C Keys corresponding to X = (x 1,x 2,…x k ) and GC OT 1 k 0 w1 k 1 w1 y1y1 OT k k y1 w1 k 0 wk k 1 wk ykyk k yk wk Evaluate GC with the given input keys and interpret the output Z using output decryption tables Z

22 Yao’s 2 Party Protocol- Security for P 1 Y = (y 1,y 2,…y k ) P0P0 P1P1 X = (x 1,x 2,…x k ) GC Constructor GC Evaluator Construct a Garbled Circuit GC for Circuit C Keys corresponding to X = (x 1,x 2,…x k ) and GC OT 1 k 0 w1 k 1 w1 y1y1 OT k k y1 w1 k 0 wk k 1 wk ykyk k yk wk Evaluate GC with the given input keys and interpret the output Z using output decryption tables Z Security will reduce to the OT security for the receiver

23 Yao’s 2 Party Protocol- Security for P 0 Y = (y 1,y 2,…y k ) P0P0 P1P1 X = (x 1,x 2,…x k ) GC Constructor GC Evaluator Construct a Garbled Circuit GC for Circuit C OT 1 k 0 w1 k 1 w1 y1y1 OT k k y1 w1 k 0 wk k 1 wk ykyk k yk wk Evaluate GC with the given input keys and interpret the output Z using output decryption tables Z Security will reduce to the OT security for the sender Three unopened ciphertext must not leak info- CDE security Keys corresponding to X = (x 1,x 2,…x k ) and GC

24 Chalk & Talk CT7: [GLNP15] Fast Garbling of Circuits under standard Assumptions. http://eprint.iacr.org/2015/751.pdf CT8: [BG10] Secure and Efficient Protocols for Iris and Fingerprint Identification. https://eprint.iacr.org/2010/627.pdf

25

Download ppt "Secure Computation Lecture 13-14 Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto."

Similar presentations

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Cryptography Lecture 9 Arpita Patra.

Cryptography Lecture 9 Arpita Patra.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Cryptography Lecture 8 Stefan Dziembowski

Cryptography Lecture 8 Stefan Dziembowski
Cryptography Lecture 3 Arpita Patra.

Cryptography Lecture 3 Arpita Patra.
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference.

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference.
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.

Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.

Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.
Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.

Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.
Slide 1 Yao’s Protocol. slide 2 1 00 0 Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.

Slide 1 Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Secure Computation Lecture 11-12 Arpita Patra. Recap >> MPC with dishonest majority over Boolean circuit- [GMW87] > Oblivious Transfer (from CPA secure.

Secure Computation Lecture Arpita Patra. Recap >> MPC with dishonest majority over Boolean circuit- [GMW87] > Oblivious Transfer (from CPA secure.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 10: Garbled circuits and obfuscation Eran Tromer Slides credit: Boaz.

1 Information Security – Theory vs. Reality , Winter Lecture 10: Garbled circuits and obfuscation Eran Tromer Slides credit: Boaz.
Secure Computation Lecture 15-16 Arpita Patra. Recap > Shamir Secret-sharing > BGW Protocol based on secret-sharing > Offline/Online phase > Creating.

Secure Computation Lecture Arpita Patra. Recap > Shamir Secret-sharing > BGW Protocol based on secret-sharing > Offline/Online phase > Creating.
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.

CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
Cryptography Lecture 4 Arpita Patra.

Cryptography Lecture 4 Arpita Patra.

Similar presentations

Ads by Google