Published by Myron Atkins. Modified over 9 years ago.
1 / 23 Efficient Garbling from A Fixed-key Blockcipher
Applied MPC workshop, February 20, 2014
Mihir Bellare (UC San Diego), Viet Tung Hoang (UC San Diego), Phillip Rogaway (UC Davis), Sriram Keelveedhi (UC San Diego)
2 / 23 Garbled circuit [Yao 82, 86]
(Figure: a conventional circuit with 0/1 wire values beside its garbled counterpart.)
3 / 23 Garbled gate [Yao 82, 86]
(Figure: a gate with wire labels A, B, C, D, X, Y beside its garbled gate, whose four garbled rows are numbered 1 to 4.)
4 / 23 Garbled circuits vs. garbling schemes
- Garbled circuits are traditionally viewed as a technique for 2-party SFE.
- Optimizations (free-xor, garbled-row reduction) are only proved for the SFE setting.
- Garbled circuits are used in tens of applications: private function evaluation, verifiable computation, KDM-secure encryption, worry-free encryption, mobile oblivious computing, privacy-preserving auctions, secure database mining, semi-private function evaluation, server-aided SFE, privacy-preserving credit checking.
- [BHR12]: formalize garbled circuits as a primitive, the garbling scheme.
5 / 23 Contributions
- Design new garbling schemes: faster realization for doubly-locked boxes, better circuit representation, concrete security, proofs.
- Attack prior implementations [KS08, PSSW09].
- Implement the schemes: JustGarble, ~100x speedup.
6 / 23 Syntax, conceptual [BHR12]
The initial function is f : {0,1}^n -> {0,1}^m. Garbling (Gb) turns f into an encoding function e, a garbled function F and a decoding function d such that f = d o F o e: the input x is encoded to the garbled input X = e(x), the garbled function maps X to the garbled output Y = F(X), and decoding gives the output y = d(Y).
One should distinguish the functions (f, e, F, d) from the strings (f, e, F, d) that represent them; ev, En, Ev and De are the algorithms that operate on the strings.
7 / 23 Syntax [BHR12]
A garbling scheme is a 5-tuple (Gb, En, De, Ev, ev).
(Figure: Gb(1^k, f) -> (F, e, d); En(e, x) -> X; Ev(F, X) -> Y; De(d, Y) -> y; ev(f, x) -> y.)
Correctness: for all f, x, k, if (F, e, d) <- Gb(1^k, f), X <- En(e, x), Y <- Ev(F, X), y <- De(d, Y), then y = ev(f, x).
8 / 23 Privacy, very informally
Intuition: given (F, X, d), you learn nothing but y = f(x) = d(F(X)).
A garbled function F will leak some information about f. The side-information function Φ says what may leak:
- Φ(f) = f: reveal all of f
- Φ(f) = topo(f): reveal the topology of f
- Φ(f) = size(f): reveal the size of f
- Φ_xor(f): reveal the topology of f plus which gates are XOR
9 / 23 Privacy: indistinguishability (prv)
Game: the adversary A(1^k) submits (f0, f1, x0, x1) to the GARBLE oracle. If Φ(f0) ≠ Φ(f1) or f0(x0) ≠ f1(x1) the oracle returns ⊥. Otherwise, for the challenge bit b, it computes (F, e, d) <- Gb(1^k, f_b) and X <- En(e, x_b) and returns (F, X, d). A outputs a guess b'.
Adv^{prv,Φ}(A, k) = 2 Pr[b = b'] - 1.
The scheme is prv-secure wrt Φ if for every PPT A the advantage is negligible.
10 / 23 Privacy: simulation (prv.sim)
Game: the adversary A(1^k) submits (f, x) to the GARBLE oracle, which sets y <- ev(f, x). Depending on the challenge bit b, the oracle either garbles honestly, (F, e, d) <- Gb(1^k, f) and X <- En(e, x), or runs a simulator, (F, X, d) <- S(1^k, y, Φ(f)). A receives (F, X, d) and outputs a guess b'.
Adv^{prv.sim,Φ,S}(A, k) = 2 Pr[b = b'] - 1.
The scheme is prv.sim-secure wrt Φ if for every PPT A there exists a PPT S such that the advantage is negligible.
11 / 23 Achieving prv: scheme Ga
(Figure: a garbled gate with input labels A, B and output labels X, Y; the slide annotates "Gate" and "3k bits".)
The LSBs of the labels are used to identify the row of the gate.
Dual-key cipher E: two k-bit keys ({0,1}^{2k}), a tweak and a k-bit input go in; a k-bit output comes out.
12 / 23 How to make the DKC?
(Figure: the AES-based DKC constructions of [HEKM11] and [KSS12].)
Today: permutation-based DKCs, instantiated with a fixed-key blockcipher such as AES via Intel AES-NI (AESENC, AESDEC, etc.).
Theorem: Ga[π] is prv-secure over Φ_topo in the RPM (random-permutation model):
Adv^{prv,Φ_topo}_{Ga[π],RPM}(A) ≤ (48Qq + 84q^2 + 30Q + 84q) / 2^k,
where the parameters are the number of gates and the number of oracle queries (Q and q on the slide).
13 / 23 Free-xor optimization [KS08]
Choose a secret global string R <-$ {0,1}^{k-1}1 (a random k-bit string ending in 1); the two labels of every wire differ by R, so XOR gates need no garbled rows.
(Figure: a circuit with wires A, B, C, D, E, Y, Z.)
14 / 23 Free-xor helps
Real-world circuits can be made rich in XORs.
- Basic AES circuit: ~28K gates, 56% xor-gates. Size ~1.75 MB, garbling ~112K enc.
- Refactored (optimized) AES circuit: ~37K gates, 82% xor-gates. With free-xor [KS08]: size ~430 KB, garbling ~24K enc.
Roughly a 5x improvement.
15 / 23 Attacks on [KS08, PSSW09]
Their DKC: E(A, B, T, X) = H(A[1:k-1] ∥ T) ⊕ H(B[1:k-1] ∥ T) ⊕ X, with H modeled as a random oracle.
To avoid problems, a gate's incoming wires must be distinct: otherwise A = B, the two hash values cancel, and there is no security.
With free-xor, distinct wires might have the same keys!
16 / 23 Attacks on [KS08, PSSW09]
(Figure only: a circuit fragment annotated with wire values 1, 0, 0.)
17 / 23 Incompatibility of π(K) ⊕ K ⊕ X with free-xor
DKC: E(A, B, T, X) = π(K) ⊕ K ⊕ X with K = A ⊕ B ⊕ T. Write H(x) = π(x) ⊕ x.
AND gate; the evaluator holds A = A1 and B = B0, and the other labels are A ⊕ R, B ⊕ R and X ⊕ R. The four garbled rows (tweak omitted):
H(A ⊕ B ⊕ R) ⊕ X
H(A ⊕ B) ⊕ X ⊕ R
H(A ⊕ B) ⊕ X
H(A ⊕ B ⊕ R) ⊕ X
Two rows are encrypted under the same key A ⊕ B (and two under A ⊕ B ⊕ R), so their pads cancel: XORing the two rows with key A ⊕ B gives R.
18 / 23 Breaking the symmetry
Multiply in GF(2^k) by the element x = 0^{k-2}10 (written 2): K = A ⊕ 2B ⊕ T, so (A ⊕ R) ⊕ 2(B ⊕ R) = A ⊕ 2B ⊕ 3R and the four row keys are distinct.
OR gate; the evaluator holds A = A1 and B = B0, the other labels are A ⊕ R, B ⊕ R and X ⊕ R. The four garbled rows (tweak omitted):
π(A ⊕ 2B ⊕ R) ⊕ A ⊕ 2B ⊕ X
π(A ⊕ 2B ⊕ 3R) ⊕ A ⊕ 2B ⊕ X ⊕ 2R
π(A ⊕ 2B) ⊕ A ⊕ 2B ⊕ X
π(A ⊕ 2B ⊕ 2R) ⊕ A ⊕ 2B ⊕ X ⊕ 3R
In the first row the R terms of K ⊕ X' cancel. Call that row V = π(A ⊕ 2B ⊕ R) ⊕ A ⊕ 2B ⊕ X; knowing A, B and X, compute R = π^{-1}(V ⊕ A ⊕ 2B ⊕ X) ⊕ A ⊕ 2B.
19 / 23 A DKC that works
E(A, B, T, X) = π(K) ⊕ K ⊕ X with K = 2A ⊕ 4B ⊕ T, multiplying in GF(2^k) by x = 0^{k-2}10 and by x^2 = 0^{k-3}100. A flipped input and a flipped output no longer cancel: 2(A ⊕ R) ⊕ (X ⊕ R) = 2A ⊕ X ⊕ 3R ≠ 2A ⊕ X.
Other "doubling" methods work as well: logical shift, SIMD shift (figure: left half >> 1, right half >> 1, xor).
Scheme GaX = Ga + free-xor.
Theorem: GaX[π] is prv-secure over Φ_xor in the RPM:
Adv^{prv,Φ_xor}_{GaX[π],RPM}(A) ≤ (54Qq + 99q^2 + 36Q + 108q) / 2^k,
with Q and q the number of gates and of oracle queries as on slide 12.
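The row-key analysis of slides 17 to 19, as an added example in Python (not code from the talk or from JustGarble): it implements the GF(2^k) doubling the slides rely on and checks, for a key derivation K = mA·A ⊕ mB·B ⊕ T under free-xor labels, whether any row of a gate shares its key with another row or has its R terms cancel. The multipliers (1, 1) and (1, 2) reproduce the two failures shown on the slides and (2, 4) passes; k = 128 and the reduction polynomial are assumptions.

```python
"""Row-key analysis for the fixed-key DKC E(A, B, T, X) = pi(K) ^ K ^ X.

Added example, not from the talk or JustGarble. Free-xor labels satisfy
A1 = A0 ^ R, B1 = B0 ^ R, X1 = X0 ^ R. For K = mA*A ^ mB*B ^ T (mA, mB small
GF(2^k) constants) two failure modes are checked: rows of one gate sharing a
key (slide 17, mA = mB = 1), and the R terms of K ^ X' cancelling in a row the
evaluator does not hold, so pi^-1 returns K and hence R (slide 18, mA=1, mB=2).
"""

K_BITS = 128
MASK = (1 << K_BITS) - 1
# Assumption: reduce modulo x^128 + x^7 + x^2 + x + 1 (the GCM polynomial);
# the slides only say "multiply in GF(2^k) by x".
REDUCE = 0x87


def gf_mul_x(v: int) -> int:
    """Doubling in GF(2^128): shift left, reduce if the top bit falls out."""
    v <<= 1
    return (v & MASK) ^ REDUCE if v >> K_BITS else v


def gf_mul_small(c: int, v: int) -> int:
    """Multiply v by constant c read as a polynomial over GF(2) (2 = x, 4 = x^2)."""
    acc = 0
    while c:
        if c & 1:
            acc ^= v
        c >>= 1
        v = gf_mul_x(v)
    return acc


def row_keys(mA, mB, A0, B0, R, T):
    """K for the four rows (a, b) of one gate, in the order (0,0), (0,1), (1,0), (1,1)."""
    return [gf_mul_small(mA, A0 ^ (R if a else 0)) ^ gf_mul_small(mB, B0 ^ (R if b else 0)) ^ T
            for a in (0, 1) for b in (0, 1)]


def cancelling_rows(mA, mB):
    """Rows (a_flip, b_flip, out_flip), relative to the row the evaluator holds,
    whose K ^ X' carries no R term at all.

    Flipping A, B or the output adds mA*R, mB*R or R to K ^ X', so the R terms
    vanish exactly when the GF(2) polynomial a*mA ^ b*mB ^ d is zero. Taken over
    every gate type, so d ranges over both values. Empty means neither the
    slide-17 nor the slide-18 leakage applies to this key derivation.
    """
    return [(a, b, d)
            for a in (0, 1) for b in (0, 1) for d in (0, 1)
            if (a, b) != (0, 0) and ((mA if a else 0) ^ (mB if b else 0) ^ d) == 0]
```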
20 / 23 Garbled-row reduction [PSSW09]
Scheme GaXR = Ga + free-xor + garbled-row reduction.
Theorem: GaXR[π] is prv-secure over Φ_xor in the RPM:
Adv^{prv,Φ_xor}_{GaXR[π],RPM}(A) ≤ (58Qq + 114q^2 + 36Q + 123q) / 2^k,
with Q and q the number of gates and of oracle queries as on slide 12.
21 / 23 Experimental results
AES circuit: ~37K gates, ~82% xor-gates. Garbling time of [KSS12]: 5750 cycles per gate.
Unit: cycles / gate
             Ga    GaX   GaXR
Evaluating   52    23    24
Garbling     221   56    57
EDT-255 circuit: ~16M gates, ~59% xor-gates. Garbling time (GaXR): 101 cycles per gate; evaluating time (GaXR): 48 cycles per gate; garbling time of [KSS12]: 6400 cycles per gate.
22 / 23 Better circuit representation
[KSS12] spends most of its time in non-cryptographic operations; one reason is the complex data structure used to represent circuits.
[BHR12] formalize circuits as C = (n, m, q, A, B, G): the integers n, m, q and the integer arrays A, B, G.
We implement a simple circuit representation that programmatically realizes [BHR12].
23 / 23 Concluding remarks
Good foundations lead to good schemes, as with authenticated encryption, entity authentication, message authentication codes, ...