1 / 23
Efficient Garbling from a Fixed-key Blockcipher
Applied MPC workshop, February 20, 2014
Mihir Bellare (UC San Diego), Viet Tung Hoang (UC San Diego), Phillip Rogaway (UC Davis), Sriram Keelveedhi (UC San Diego)
2 / 23
Conventional circuit vs. garbled circuit [Yao 82, 86]
[Figure: a small boolean circuit carrying 0/1 values on its wires, beside the corresponding garbled circuit.]
3 / 23
Garbled gate [Yao 82, 86]
[Figure: one gate with tokens A, B on its first input wire, C, D on its second input wire and X, Y on its output wire; the garbled gate is four rows, numbered 1–4, encrypting X, X, X, Y under the four token pairs.]
4 / 23
Garbled circuits → garbling schemes
Traditionally viewed as a technique for 2-party SFE; optimizations (free-xor, garbled-row reduction) are only proved for the SFE setting.
Yet garbled circuits are used in tens of applications:
private function evaluation, verifiable computation, KDM-secure encryption, worry-free encryption, mobile oblivious computing, privacy-preserving auctions, secure database mining, semi-private function evaluation, server-aided SFE, privacy-preserving credit checking
[BHR12]: formalize garbled circuits as a primitive, the garbling scheme
5 / 23
Contributions
• Design new garbling schemes: a faster realization of the doubly-locked boxes, a better circuit representation, concrete-security proofs
• Attack prior implementations [KS08, PSSW09]
• Implement the schemes: JustGarble, ~100x speedup
6 / 23
Syntax (conceptual) [BHR12]
[Figure: x (input) → e (encoding function) → X (garbled input) → F (garbled function) → Y (garbled output) → d (decoding function) → y (output); the initial function f is turned by Gb into (F, e, d).]
Initial function f : {0,1}^n → {0,1}^m
Should distinguish functions (f, e, F, d) from the strings (f, e, F, d) that describe them: ev, En, Ev, De are the algorithms that interpret those strings.
f = d ∘ F ∘ e  (apply e, then F, then d)
7 / 23
Syntax [BHR12]
A garbling scheme is a 5-tuple G = (Gb, En, De, Ev, ev):
  (F, e, d) ← Gb(1^k, f);  X ← En(e, x);  Y ← Ev(F, X);  y ← De(d, Y);  reference semantics y = ev(f, x)
Correctness: (∀ f, x, k) if (F, e, d) ← Gb(1^k, f), X ← En(e, x), Y ← Ev(F, X), y ← De(d, Y) then y = ev(f, x)
8 / 23
Privacy, very informally …
Intuition: given (F, X, d), you learn nothing but y = f(x) = d(F(X)).
A garbled function F will leak some information about f, the side information Φ(f):
• Φ(f) = f: reveal all of f
• Φ(f) = topo(f): reveal the topology of f
• Φ(f) = size(f): reveal the size of f
• Φ(f) = xor(f): reveal the topology of f plus which gates are XOR
9 / 23
Privacy (indistinguishability)
Game GARBLE: adversary A(1^k) submits (f0, f1, x0, x1) and receives (F, X, d):
  if f0(x0) ≠ f1(x1) or Φ(f0) ≠ Φ(f1) return ⊥
  b = 0: (F, e, d) ← Gb(1^k, f0); X ← En(e, x0)
  b = 1: (F, e, d) ← Gb(1^k, f1); X ← En(e, x1)
A outputs a guess b'.
Adv^{prv,Φ}_G(A, k) = 2·Pr[b = b'] − 1
G is prv-secure wrt Φ if (∀ PPT A) Adv^{prv,Φ}_G(A, k) is negligible.
10 / 23
Privacy (simulation)
Game GARBLE: adversary A(1^k) submits (f, x) and receives (F, X, d):
  b = 0: (F, e, d) ← Gb(1^k, f); X ← En(e, x)
  b = 1: y ← ev(f, x); (F, X, d) ← S(1^k, y, Φ(f))
A outputs a guess b'.
Adv^{prv.sim,Φ}_{G,S}(A, k) = 2·Pr[b = b'] − 1
G is prv.sim-secure wrt Φ if (∀ PPT A) (∃ PPT S) s.t. Adv^{prv.sim,Φ}_{G,S}(A, k) is negligible.
11 / 23
Achieving prv: scheme Ga
[Figure: gate 3 of a circuit, with tokens A, B on one input wire, C, D on the other and X, Y on its output wire; its four garbled rows are the k-bit ciphertexts E(·, ·, T, X), E(·, ·, T, X), E(·, ·, T, X), E(·, ·, T, Y), one per pair of input tokens.]
The LSBs of the tokens identify the row of a gate.
Dual-key cipher (DKC): E : {0,1}^{2k} × {0,1}^t × {0,1}^k → {0,1}^k
  (keys A, B; tweak T; input X) ↦ output
12 / 23
How to make the DKC?
AES-based DKCs: [HEKM11], [KSS12]
Today: permutation-based DKCs of the form E(A, B, T, X) = π(K) ⊕ K ⊕ X, where K is derived from the keys A, B and the tweak T, and π is a fixed-key blockcipher (Intel AES-NI: AESENC, AESDEC, etc.).
Theorem: Ga[π] is prv-secure over Φ_topo in the RPM (random-permutation model):
  Adv^{prv,Φ_topo}_{Ga[π]}(A) ≤ (48Qq + 84q² + 30Q + 84q) / 2^k,   Q = number of gates, q = number of oracle queries
13 / 23
Free-xor optimization [KS08]
Choose a secret global string R ←$ {0,1}^{k−1}1 (uniformly random, with LSB 1). The two tokens of every wire then differ by R, and an XOR gate needs no garbled rows: its output tokens are just the XOR of its input tokens.
[Figure: circuit fragment with wires labelled A, B, C, D, E, Y, Z.]
14 / 23
Free-xor helps
Real-world circuits can be made to be rich in XORs.
                              Basic AES circuit              → Refactor →   Optimized AES circuit
                              ~28K gates, 56% xor-gates                     ~37K gates, 82% xor-gates
  Without free-xor:           size ~1.75 MB, garbling ~112K enc
  With free-xor [KS08]:                                                      size ~430 KB, garbling ~24K enc
Overall: ~5x
15 / 23
Attacks on [KS08, PSSW09]
DKC of [KS08, PSSW09]: E(A, B, T, X) = H(A[1 : k−1] ‖ T) ⊕ H(B[1 : k−1] ‖ T) ⊕ X, with H modeled as a random oracle.
To avoid problems, a gate's incoming wires must be distinct: otherwise A = B, the two hashes cancel and E(A, A, T, X) = X, so there is no security.
With free-xor, distinct wires might nonetheless carry the same keys!
16 / 23
Attacks on [KS08, PSSW09]
[Figure: a small free-xor circuit with wire values 1, 0, 0 marked, in which two distinct wires end up carrying the same tokens.]
17 / 23
Incompatibility of E(A, B, T, X) = ρ(K) ⊕ X, K = A ⊕ B ⊕ T, with free-xor
Here ρ(x) = π(x) ⊕ x, so E(A, B, T, X) = π(K) ⊕ K ⊕ X.
Take an AND gate whose wires carry the free-xor token pairs (A, A ⊕ R), (B, B ⊕ R), (X, X ⊕ R), with A, B, X the 0-tokens. Absorbing the tweak into K, the four rows are:
  (A, B)          → ρ(A ⊕ B) ⊕ X
  (A ⊕ R, B)      → ρ(A ⊕ B ⊕ R) ⊕ X
  (A, B ⊕ R)      → ρ(A ⊕ B ⊕ R) ⊕ X
  (A ⊕ R, B ⊕ R)  → ρ(A ⊕ B) ⊕ X ⊕ R
Only two distinct keys occur, A ⊕ B and A ⊕ B ⊕ R: the middle two rows are identical, and the XOR of the other two rows is R. An evaluator who XORs pairs of rows recovers the global offset R, and with it the second token of every wire in the circuit.
18 / 23
Breaking the symmetry: multiply in GF(2^k) by the element x = 0^{k−2}10 (written 2)
E(A, B, T, X) = π(K) ⊕ K ⊕ X with K = A ⊕ 2B ⊕ T
Now (A ⊕ R) ⊕ 2(B ⊕ R) = A ⊕ 2B ⊕ 3R, so the four keys A ⊕ 2B, A ⊕ 2B ⊕ R, A ⊕ 2B ⊕ 2R, A ⊕ 2B ⊕ 3R are distinct and no two rows share a key. But take an OR gate with 0-tokens A, B, X (tweak again absorbed into K):
  (A, B)          → π(A ⊕ 2B) ⊕ A ⊕ 2B ⊕ X
  (A ⊕ R, B)      → π(A ⊕ 2B ⊕ R) ⊕ A ⊕ 2B ⊕ X
  (A, B ⊕ R)      → π(A ⊕ 2B ⊕ 2R) ⊕ A ⊕ 2B ⊕ X ⊕ 3R
  (A ⊕ R, B ⊕ R)  → π(A ⊕ 2B ⊕ 3R) ⊕ A ⊕ 2B ⊕ X ⊕ 2R
In the second row the R contributed by the key and the R contributed by the output token X ⊕ R cancel. An evaluator holding A and B decrypts the first row and learns X; since π is a public permutation it then computes, from the second row V,
  R = π⁻¹(V ⊕ A ⊕ 2B ⊕ X) ⊕ A ⊕ 2B
19 / 23
A DKC that works
E(A, B, T, X) = π(K) ⊕ K ⊕ X with K = 2A ⊕ 4B ⊕ T
Multiply in GF(2^k) by the element x² = 0^{k−3}100 (written 4). A row's key now shifts by 2R, 4R or 6R while its output token shifts by 0 or R, so nothing cancels: e.g. 2(A ⊕ R) ⊕ (X ⊕ R) = 2A ⊕ X ⊕ 3R.
Other "doubling" methods work: a logical shift, or a SIMD shift, (left half >> 1) ‖ (right half >> 1).
Scheme GaX = Ga + free-xor
Theorem. GaX[π] is prv-secure over Φ_xor in the RPM:
  Adv^{prv,Φ_xor}_{GaX[π]}(A) ≤ (54Qq + 99q² + 36Q + 108q) / 2^k,   Q = number of gates, q = number of oracle queries
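The three keyings of the last three slides, worked through in code. This is an added example, not the JustGarble implementation or the authors' code: a toy garbler for one gate over free-xor tokens, with a public 4-round SHA-256 Feistel permutation standing in for fixed-key AES as π, k = 128, doubling in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1, and a per-gate tweak T = 7; all of these are assumptions. recover_offset runs the evaluator's attack: it tries the same-key row pairs (which XOR to R, as on the A ⊕ B ⊕ T slide) and the π⁻¹ inversion of a cancelling row (as on the A ⊕ 2B ⊕ T slide), accepting a candidate only when all four rows then decrypt to one of the two output tokens.

```python
# Added toy example (not the JustGarble code): the DKC attacks sketched on the three slides above.
# E(A, B, T, X) = pi(K) ^ K ^ X, garbled over free-xor tokens (A, A^R), (B, B^R), (X, X^R)
# with lsb(R) = 1. Assumptions: k = 128; pi is a public 4-round keyless Feistel permutation
# built from SHA-256 (the slides use fixed-key AES; any public permutation exposes the same
# linear cancellation); "multiply by 2" is doubling in GF(2^128) mod x^128+x^7+x^2+x+1;
# the per-gate tweak is T = 7.
import hashlib
import secrets

K_BITS = 128
MASK = (1 << K_BITS) - 1
HALF = (1 << 64) - 1

def _round(r, half):
    # Public, keyless round function: the adversary can compute it too.
    digest = hashlib.sha256(bytes([r]) + half.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")

def pi(x):
    left, right = x >> 64, x & HALF
    for r in range(4):
        left, right = right, left ^ _round(r, right)
    return (left << 64) | right

def pi_inv(y):
    left, right = y >> 64, y & HALF
    for r in reversed(range(4)):
        left, right = right ^ _round(r, left), left
    return (left << 64) | right

def dbl(x):
    # Multiplication by the element x in GF(2^128) (the reduction polynomial is an assumption).
    x <<= 1
    return (x & MASK) ^ 0x87 if x >> K_BITS else x

# The three key derivations from the slides; T is the per-gate tweak.
KEYFN = {
    "A^B^T": lambda A, B, T: A ^ B ^ T,                   # breaks with free-xor (same-key rows)
    "A^2B^T": lambda A, B, T: A ^ dbl(B) ^ T,             # still breaks (cancelling row, OR gate)
    "2A^4B^T": lambda A, B, T: dbl(A) ^ dbl(dbl(B)) ^ T,  # GaX's DKC: no cancellation
}

def AND(a, b):
    return a & b

def OR(a, b):
    return a | b

def row_index(A_tok, B_tok):
    # Point-and-permute: the token LSBs identify the row (lsb(R) = 1 makes them differ).
    return 2 * (A_tok & 1) + (B_tok & 1)

def garble_gate(keyfn, gate, R, T):
    """Garble one 2-input gate; returns the token pairs and the four rows."""
    A0, B0, X0 = (secrets.randbits(K_BITS) for _ in range(3))
    A, B, X = (A0, A0 ^ R), (B0, B0 ^ R), (X0, X0 ^ R)
    rows = [None] * 4
    for a in (0, 1):
        for b in (0, 1):
            K = keyfn(A[a], B[b], T)
            rows[row_index(A[a], B[b])] = pi(K) ^ K ^ X[gate(a, b)]
    return A, B, X, rows

def eval_gate(keyfn, A_tok, B_tok, T, rows):
    """Honest evaluation: decrypt the single row selected by the LSBs."""
    K = keyfn(A_tok, B_tok, T)
    return rows[row_index(A_tok, B_tok)] ^ pi(K) ^ K

def free_xor_gate(A_tok, B_tok):
    # Free-xor: no rows at all, since (A^R) ^ (B^R) = A ^ B for every input pair.
    return A_tok ^ B_tok

def recover_offset(keyfn, A_tok, B_tok, T, rows):
    """Evaluator's attack: candidates for R from same-key row pairs and from pi-inverting a
    cancelling row; a candidate is accepted only if every row then decrypts to X or X^R."""
    own = row_index(A_tok, B_tok)
    K = keyfn(A_tok, B_tok, T)
    X = rows[own] ^ pi(K) ^ K
    candidates = [rows[i] ^ rows[j] for i in range(4) for j in range(i + 1, 4)]
    candidates += [pi_inv(rows[i] ^ K ^ X) ^ K for i in range(4) if i != own]
    for Rc in candidates:
        if Rc & 1 == 0:
            continue  # free-xor fixes lsb(R) = 1
        outs = {eval_gate(keyfn, a, b, T, rows)
                for a in (A_tok, A_tok ^ Rc) for b in (B_tok, B_tok ^ Rc)}
        if outs <= {X, X ^ Rc}:
            return Rc
    return None

def demo(key_name, gate, T=7):
    """Garble one gate and let the evaluator holding the (0, 0) tokens attack it.
    Returns True iff the global offset R was recovered."""
    R = secrets.randbits(K_BITS) | 1
    A, B, X, rows = garble_gate(KEYFN[key_name], gate, R, T)
    assert eval_gate(KEYFN[key_name], A[0], B[0], T, rows) == X[gate(0, 0)]
    return recover_offset(KEYFN[key_name], A[0], B[0], T, rows) == R

if __name__ == "__main__":
    for name, gate, label in (("A^B^T", AND, "AND"), ("A^2B^T", OR, "OR"),
                              ("A^2B^T", AND, "AND"), ("2A^4B^T", OR, "OR")):
        print(f"K = {name:8s} {label}-gate: R recovered = {demo(name, gate)}")
```

Running it shows the attack succeeding for K = A ⊕ B ⊕ T on an AND gate and for K = A ⊕ 2B ⊕ T on an OR gate, and failing for K = 2A ⊕ 4B ⊕ T. The π⁻¹ attack needs a row whose key shift and output shift are both exactly R, i.e. a gate whose output flips when only the first input flips; for an AND gate under A ⊕ 2B ⊕ T no such row exists, which is why that slide uses an OR gate.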
20 / 23
Garbled-row reduction [PSSW09]
Scheme GaXR = Ga + free-xor + garbled-row reduction
Theorem: GaXR[π] is prv-secure over Φ_xor in the RPM:
  Adv^{prv,Φ_xor}_{GaXR[π]}(A) ≤ (58Qq + 114q² + 36Q + 123q) / 2^k,   Q = number of gates, q = number of oracle queries
21 / 23
Experimental results (unit: cycles / gate)
AES circuit, ~37K gates, ~82% xor-gates:
                 Ga     GaX    GaXR
  Garbling       221    56     57
  Evaluating     52     23     24
  Garbling time of [KSS12]: 5750 cycles per gate
EDT-255 circuit, ~16M gates, ~59% xor-gates:
  Garbling time (GaXR): 101 cycles per gate
  Evaluating time (GaXR): 48 cycles per gate
  Garbling time of [KSS12]: 6400 cycles per gate
22 / 23
Better circuit representation
[KSS12] spends most of its time in non-cryptographic operations; one reason is the complex data structure it uses to represent circuits.
[BHR12] formalize a circuit as C = (n, m, q, A, B, G): the integers n, m, q (number of inputs, outputs and gates) and the integer arrays A, B, G (first incoming wire, second incoming wire and functionality of each gate).
We implement this simple circuit representation directly, as integers and integer arrays, to programmatically realize [BHR12].
23 / 23
Concluding remarks
Good foundations → good schemes
As with:
• authenticated encryption
• entity authentication
• message authentication codes
• …