Circuits Resilient to Additive Manipulation with Applications to Secure Computation
Daniel Genkin (Technion & TAU), Yuval Ishai (Technion), Manoj Prabhakaran (UIUC), Amit Sahai (UCLA), Eran Tromer (TAU)
What this talk is about
• New model for fault-tolerant circuits
• New approach for protecting secure computation protocols against malicious parties
Part I:
Fault Tolerant Circuits
Dream Goal
• Too much to hope for…
[Figure: an adversary tampers with a circuit computing f(x). First build: the output is still f(x) (“Yet it is f(x)!”). Second build: the adversary has flipped it to 1-f(x) (“Yet it is 1-f(x)!”).]
Relaxing Goal
• Random faults [vN56,DO77,Pip85,...]
• Bounded number of faults [KLM94,GS95,KLR12]
• This work: any number of adversarial faults
  – Allow fault-tolerant circuit to be randomized
  – Settle for detecting errors w.h.p.
  – Still does not rule out direct tampering with input and output
Further Relaxations
• Allow tamper-proof input encoder (Enc) and output decoder (Dec)
  – Enc, Dec must be small and universal
• Restricted class of faults
  – This work: additive attacks on wires
[Figure: x → Enc → C → Dec → f(x) / ERR. The adversary adds field constants (e.g. +3, -2, +5) to individual wires between the ×, + and − gates of C.]
AMD Codes [CDFPW08]
• Protect information against additive attacks
• Our goal: protect computation
[Figure: an AMD code, x → Enc → wires carrying additive offsets (+3, +5, -3, -2, +8, +4) → Dec → x / ERR, contrasted with the AMD circuit x → Enc → C (with its wires under additive attack) → Dec → f(x) / ERR.]
AMD circuit
Definition: ε-correctness
• Let $f: \mathbb{F}^n \to \mathbb{F}^m$
• Let $\mathrm{Enc}: \mathbb{F}^n \to \mathbb{F}^{n'}$, $C: \mathbb{F}^{n'} \to \mathbb{F}^{m'}$, $\mathrm{Dec}: \mathbb{F}^{m'} \to \mathbb{F}^{m+1}$
  – C is a randomized arithmetic circuit over $\mathbb{F}$
  – Enc is randomized, Dec is deterministic
• We say that (Enc, C, Dec) realizes f with ε-correctness against additive attacks if:
  – $\forall x \in \mathbb{F}^n$: $\mathrm{Dec}(C(\mathrm{Enc}(x))) = (0, f(x))$.
  – $\forall x \in \mathbb{F}^n$ and every $C^A$ obtained by applying an additive attack to C: $\mathrm{Dec}(C^A(\mathrm{Enc}(x)))$ is either $(0, f(x))$ or $(e, y)$ with $e \neq 0$, except with probability $\le \varepsilon$
Eliminating Enc and Dec
• Idea: settle for “best possible” security
  – Every additive attack on C can be simulated by a (possibly randomized) additive attack on inputs and outputs alone
  – C is “as good” as tamper-proof hardware for f
[Figure: an additive attack on internal wires of C (+3, +5, -1, +2) is replaced by an equivalent attack on the inputs and outputs only, e.g. an offset +r with random r on the output.]
Definition: ε-security
• Let $f: \mathbb{F}^n \to \mathbb{F}^m$, $C: \mathbb{F}^n \to \mathbb{F}^m$
  – C is a randomized arithmetic circuit over $\mathbb{F}$
• We say that C realizes f with ε-security against additive attacks if:
  – $\forall x \in \mathbb{F}^n$: $C(x) = f(x)$ (with probability 1)
  – For every $C^A$ obtained by applying an additive attack to C, there are distributions $\Delta_x, \Delta_y$ such that $\forall x \in \mathbb{F}^n$: $C^A(x) \approx_\varepsilon C(x + \Delta_x) + \Delta_y$
Security ⇒ Correctness
• Let (AEnc, ADec) be an AMD code.
• Useful feature: whether e is set reveals almost nothing about x
[Figure: f' = ADec ∘ f ∘ AEnc, i.e. x → AEnc → x' → f → y' → ADec → (e, y); the AMD circuit C' is an ε-secure circuit for f' composed the same way, so the additive attack on its inputs and outputs that simulates any attack on C' is caught by ADec.]
Our Results
• Large field F
  – Compile any C to an ε-secure C'
  – |C'| = O(|C|)
  – ε = O(|C|/|F|)
• Any field F
  – Compile any C to an ε-correct (Enc, C', Dec)
  – Enc, Dec small and universal
  – |C'| = |C| · polylog(1/ε)
Techniques: Large Fields
• Use simple homomorphic AMD code
  – Input: $x \mapsto (x, r, xr)$
  – Multiplication: $(a, r, ar), (b, r, br) \mapsto (ab, r^2, ab\,r^2)$
    • In general: $(a, r^d, a r^d), (b, r^{d'}, b r^{d'}) \mapsto (ab, r^{d+d'}, ab\,r^{d+d'})$
  – Addition: $(a, r, ar), (b, r, br) \mapsto (a+b, r, (a+b)r)$
    • In general: $(a, r^d, a r^d), (b, r^{d'}, b r^{d'}), r \mapsto (a+b, r^{\max(d,d')}, (a+b)\,r^{\max(d,d')})$
  – Output: $(y, r^d, z) \mapsto y + s \cdot (y r^d - z)$ (for random s)
• Problems
  – Error grows linearly with degree d (need d ≪ |F|)
    • Use constant-degree gadgets
  – Requires wires to be locally random
    • Convert C into a locally random circuit [ISW03,IPS+11]
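The gadgets on this slide, and the AMD-code idea from the earlier slide, worked through in code. This is an added example, not code from the paper: it implements the (x, r, xr) encoding, the componentwise multiplication gadget, the degree-aligned addition gadget and both output modes (detect, and the slide's y + s·(yr^d − z) randomisation), then evaluates f(x1,x2,x3) = x1·x2 + x3 honestly and under an additive attack on one wire. The field GF(2^61 − 1), the Wire class, the `attack`/`evaluate` helpers and the treatment of r as an honest wire inside `lift` are assumptions of the example.

```python
"""Homomorphic AMD gadgets over a large prime field (added example, not the paper's code)."""
import secrets

P = (1 << 61) - 1  # the field F = GF(P); a large prime so that d << |F| holds


class Wire:
    """Encoded wire (v, t, z) with t = r^d and invariant z == v * t (mod P)."""

    def __init__(self, v, t, z, d):
        self.v, self.t, self.z, self.d = v % P, t % P, z % P, d


def encode(x, r):
    """Input gadget: x -> (x, r, x*r), tag degree 1."""
    return Wire(x, r, x * r, 1)


def mul(a, b):
    """Multiplication gadget: componentwise product, tag degrees add."""
    return Wire(a.v * b.v, a.t * b.t, a.z * b.z, a.d + b.d)


def lift(w, r, d):
    """Raise the tag degree of w to d by multiplying t and z by r^(d - w.d).
    The slide feeds r in as an extra input for this; the example assumes r is an
    honest wire here (a simplification, not the paper's gadget)."""
    s = pow(r, d - w.d, P)
    return Wire(w.v, w.t * s, w.z * s, d)


def add(a, b, r):
    """Addition gadget: align both operands to degree max(d, d'), then add v and z."""
    d = max(a.d, b.d)
    a, b = lift(a, r, d), lift(b, r, d)
    return Wire(a.v + b.v, a.t, a.z + b.z, d)


def attack(w, dv=0, dt=0, dz=0):
    """An additive attack on one wire: the adversary adds constants to its components."""
    return Wire(w.v + dv, w.t + dt, w.z + dz, w.d)


def decode_detect(w):
    """Output gadget in 'detect' mode: (0, y) if the tag checks out, else (1, None).
    After an attack the mismatch y*r^d - z is a nonzero polynomial of degree <= d
    in the random r, so it vanishes for at most d values of r: error <= d/|F|.
    This is the 'error grows linearly with degree d' problem from the slide."""
    if (w.v * w.t - w.z) % P:
        return (1, None)
    return (0, w.v)


def decode_randomize(w, s=None):
    """Output gadget from the slide: y + s*(y*r^d - z) with a fresh random s.
    Untampered wires decode to y; tampered ones decode to y plus a random
    offset, i.e. the attack is simulated by an additive attack on the output."""
    if s is None:
        s = secrets.randbelow(P)
    return (w.v + s * (w.v * w.t - w.z)) % P


def evaluate(x1, x2, x3, r, tamper=None):
    """Encoded evaluation of f(x1, x2, x3) = x1*x2 + x3; `tamper` (optional)
    is applied to the encoded x1 wire to model an additive attack on it."""
    w1, w2, w3 = encode(x1, r), encode(x2, r), encode(x3, r)
    if tamper is not None:
        w1 = tamper(w1)
    return add(mul(w1, w2), w3, r)


if __name__ == "__main__":
    r = secrets.randbelow(P - 1) + 1  # the circuit's local randomness
    honest = evaluate(3, 5, 7, r)
    print("honest  :", decode_detect(honest), decode_randomize(honest))      # (0, 22) 22
    attacked = evaluate(3, 5, 7, r, tamper=lambda w: attack(w, dv=1))
    print("attacked:", decode_detect(attacked), decode_randomize(attacked))  # (1, None) random
```

Adding 1 to the value component of the x1 wire leaves the tag z untouched, so after the gates the mismatch is 5·r² (here x2 = 5): nonzero for every r ≠ 0, hence always caught. In general the mismatch is a polynomial in r whose degree is the tag degree of the output, which is why the construction keeps gadget degrees constant.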
Compare with [BDOZ11]
Techniques: Small Fields
• Implement matrix-vector multiplication gadget
• Use it to implement simple Hadamard-based linear PCP [ALMSS92]
  – Large constant error
  – Quadratic blowup in circuit size
• Amplify correctness via repetition
  – Check input consistency using hashing
• Eliminate quadratic blowup
  – Using small gadgets
Part II:
Secure Multiparty Computation
Secure Multiparty Computation [Yao86,GMW87]
[Figure: three parties holding private inputs a, b, c jointly compute f(a,b,c).]
• Every f can be realized with information-theoretic security
  – Assuming an honest majority [BGW88,CCD88,RB89]
  – Assuming an oblivious transfer oracle [GMW87,Kil88,IPS08] or OLE oracle [NP99,IPS09]
Passive vs. Active Attacks
• Security against active attacks is much more challenging.
• Common paradigm: passive security ⇒ active security
  – GMW compiler: using ZK proofs [GMW87,…]
  – Make sub-protocols verifiable [BGW88,CCD88,…]
  – Cut-and-choose techniques […,LP07,…]
  – Use low-threshold active-secure MPC [IPS08]
• Major research effort in cryptography
Motivating Observation
• In “natural” passive-secure MPC protocols for evaluating an arithmetic circuit C, the effect of an active adversary corresponds to an additive attack on C.
  – Formally: the protocol perfectly realizes an augmented ideal functionality that allows for an additive attack.
  – Applies to all information-theoretic protocols we know that have maximal security threshold
• Active security can be achieved by applying the passive-secure protocol to the AMD circuit C'.
• Reduces protocol design to circuit design
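The observation above on one multiplication gate, as an added example (not the paper's protocol or its proof): a two-party GMW-style multiplication of additively shared a and b in the OLE-hybrid model. The only message a deviating P1 can influence is its input to the OLE call where it is the receiver; feeding a1 + δ instead of a1 shifts the reconstructed output by δ·b2, which equals (a + δ)·b − δ·b1, an additive attack on the gate's input wire (by δ) and output wire (by −δ·b1) with offsets P1 can compute from its own view. The field, the ideal `ole` oracle and the `run` harness are assumptions of the example.

```python
"""Active cheating in a passive-secure OLE-based multiplication looks like an additive attack
(added example, not the paper's code)."""
import secrets

P = (1 << 61) - 1  # the arithmetic circuit is over F = GF(P)


def share(x):
    """Additive 2-party sharing: x = x1 + x2 (mod P), x1 uniform."""
    x1 = secrets.randbelow(P)
    return x1, (x - x1) % P


def ole(sender_a, sender_b, receiver_x):
    """Ideal OLE oracle: the receiver learns a*x + b, the sender learns nothing."""
    return (sender_a * receiver_x + sender_b) % P


def gmw_mult(a1, b1, a2, b2, p1_ole_input=None):
    """One passive-secure multiplication gate on shares (a1, b1) of P1 and (a2, b2) of P2.

    Honest parties end with c1 + c2 = a*b.  `p1_ole_input` lets a malicious P1
    replace a1 by another value in the OLE where it is the receiver."""
    v1 = secrets.randbelow(P)  # P1's mask for the a2*b1 term
    v2 = secrets.randbelow(P)  # P2's mask for the a1*b2 term
    x1 = a1 if p1_ole_input is None else p1_ole_input
    p1_cross = ole(b2, (-v2) % P, x1)   # P1 receives x1*b2 - v2 from P2
    p2_cross = ole(b1, (-v1) % P, a2)   # P2 receives a2*b1 - v1 from P1
    c1 = (a1 * b1 + p1_cross + v1) % P
    c2 = (a2 * b2 + p2_cross + v2) % P
    return c1, c2


def additively_attacked_gate(a, b, delta_in, delta_out):
    """The ideal multiplication gate under an additive attack: input wire a
    shifted by delta_in, output wire shifted by delta_out."""
    return ((a + delta_in) * b + delta_out) % P


def run(a, b, delta=0):
    """Share a and b, run the gate with P1 cheating by `delta` (0 = honest), and
    return (reconstructed output, the equivalent additive attack P1 applied)."""
    a1, a2 = share(a)
    b1, b2 = share(b)
    cheat = None if delta == 0 else (a1 + delta) % P
    c1, c2 = gmw_mult(a1, b1, a2, b2, p1_ole_input=cheat)
    out = (c1 + c2) % P
    # c1 + c2 = ab + delta*b2 = (a + delta)*b - delta*b1: an additive attack with
    # delta on the input wire and -delta*b1 on the output wire, both known to P1.
    return out, (delta, (-delta * b1) % P)


if __name__ == "__main__":
    out, (din, dout) = run(7, 11)
    print("honest  :", out, "==", additively_attacked_gate(7, 11, din, dout))
    out, (din, dout) = run(7, 11, delta=10)
    print("cheating:", out, "==", additively_attacked_gate(7, 11, din, dout))
```

The masks v1, v2 cancel in the sum, so the relation holds for every choice of shares and masks; what the cheater gains is exactly an additive offset on wires of the gate, which is the attack model the AMD circuit C' of Part I is built to absorb.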
Some Details
• Need to protect inputs and outputs
  – Achieved via local AMD encoding of inputs and AMD decoding of outputs
• Protocols only achieve “security with abort”
  – Often best possible
  – With honest majority and broadcast, can be upgraded to full security using standard methods
Applications
• Simplified feasibility results
  – Passive BGW88 ⇒ RB89 (t<n/2)
  – Passive GMW87 ⇒ Kil88/IPS09 (t<n, OLE-hybrid)
• Improved efficiency
  – Passive DN07 ⇒ Improved BFO12: t<n/2, O(n|C|+n²) field elements
  – Passive GMW87 ⇒ Improved IPS09: t<n, O(|C|) OLE calls
• New feasibility
  – t<n, untrusted preprocessing
Open Problems
• AMD Circuits
  – Better security and efficiency over binary fields
    • Useful for MPC in OT-hybrid model
  – Better concrete efficiency over large fields
    • Useful for practical MPC? [IKHC14]
  – Generalize attack model
    • Settle for best possible security
• MPC applications
  – Protocols based on “packed secret sharing”
  – Computationally secure protocols?