Efficient Secure Two-Party Computation · • Dyadic Security: Server breach mitigation • Sharemind: Benchmarking, satellite collision • SAP: Private smart-metering • IBM: Secure

INDOCRYPT2016Tutorial

ClaudioOrlandi,AarhusUniversity

EfficientSecureTwo-PartyComputation

Planforthenext 3hours…• Part1:SecureComputation withaTrusted Dealer

– Warmup:One-TimeTruth Tables– Evaluating CircuitswithBeaver’s trick– MAC-then-Compute forActiveSecurity

• Part2:Oblivious Transfer– OT:DefinitionsandApplications– PassiveSecureOTExtension– OTProtocolsfromDDH(Naor-Pinkas/PVW)

• Part3:Garbled Circuits– GC:DefinitionsandApplications– Garbling gate-by-gate:Basicandoptimizations– Activesecurity 101:simple-cut-andchoose,dual-execution

Want more?

• Cryptographic Computing– Foundations– http://orlandi.dk/crycom– Programming&Theory Exercises–Willbe happy toanswer questions bymail!

OnlinePoker

4

2♠, 5♠ ,2♥,5♥,J♦

Q♠,Q♣,7♣,3♥,2♦

10♠,9♣,8♣,7♦,6♦

3♠, 4♠,7♥,Q♦,10♦

PokerwithPirates

5

2♠, 5♠ ,2♥,5♥,J♦

Q♠,Q♣,7♣,3♥,2♦,

10♠,9♣,8♣,7♦,6♦

A♠,A♣,A♥,A♦,K♦

SecureComputation

6Q♠,Q♣,7♣,3♥,2♦,

2♠, 5♠ ,2♥,5♥,J♦

3♠, 4♠,7♥,Q♦,10♦

10♠,9♣,8♣,7♦,6♦

HospitalsandInsurances

7

¨ Problem: Sick people forget to claim their insurance money

¨ Solution: Insurances and hospitals could periodically compare their data to find and help these people

¨ Privacy Issue: insurance and medical records are sensitive data! No other information than what is strictly necessary must be disclosed!

MPCGoesLive(2008)Bogetoft etal.“MultipartyComputationGoesLive”• January2008• Problem:determinemarketprice

ofsugarbeetscontracts• 1200farmers• Computation:30minutes• WeaksecurityL– Passiveadversary– Honestmajority

8

Sharemind

• Benchmarking– ICTCompanies,– Publicsector

• Satellitecollisions• …

9

MPCinPRACTICE• Partisia:Secureauctions• DyadicSecurity:Serverbreachmitigation• Sharemind:Benchmarking,satellite collision• SAP:Privatesmart-metering• IBM:Securecloud computing• Google?:(lookinf forwardtorwc2017)

10

SecureComputation

• Privacy• Correctness• Inputindependence• …

11

8dx2rru3d0fW2TS

muv6tbWg32flqIo

s1e4xq13OtTzoJc

f(x,y)

x y

z

f(x,y)

x y

What kindofSecure Computation?• Dishonest majority

– Theadversary can corrupt upton-1participants(n=2).

• Static Corruptions– Theadversary chooses which partyiscorrupted before theprotocol

starts.

• Passive&ActiveCorruptions– Adversary follows theprotocol vs.

(aka semi-honest,honest-but-curious)– Adversary can behave arbitrarily

(akamalicious,byzantine)

• Noguarantees offairness ortermination– Securitywithabort

x y

z

13

(𝑟#, 𝑟%) ← 𝐷

rA rB

x y

f(x,y)

TrustedDe

aler

TrustedParty

rA rB

OnlinePh

ase

Prep

rocessing

• Independentofx,y• Tipically only depends

onsize off• Uses publickey crypto

technology (slower)

• Uses only informationtheoretic tools(order ofmagn.faster)

14

rA rB

x y

f(x,y)

Part1:SecureComputation withaTrusted Dealer

• Warmup:One-TimeTruth Tables

• Evaluating CircuitswithBeaver’s trick

• MAC-then-Compute forActiveSecurity

“Thesimplest2PCprotocolever”

16

(𝑟#, 𝑟%) ← 𝐷

rA rB

x y

f(x,y)

“Thesimplest2PCprotocolever”OTTT(Preprocessingphase)

1)WritethetruthtableofthefunctionFyouwanttocompute

0 1 2 3

0 3 2 2 2

1 3 0 0 4

2 1 0 0 4

3 1 1 4 4

y

x

17


2)Pickrandom(r,s),rotaterowsandcolumns

0 1 2 3

0 1 4 4 1

1 2 2 2 3

2 0 0 4 3

3 0 0 4 1

s=3

r=1

18


3)Secretsharethetruthtablei.e.,

Pickatrandom,andlet

1 4 4 12 2 2 30 0 4 30 0 4 1

= -

T1

T1T219

“Thesimplest2PCprotocolever”OTTT(Onlinephase)

u = x + r

v = y + s

, r T2 , s

T2[u,v]

output f(x,y) = T1[u,v] + T2[u,v]

“Privacy”:inputsmaskedw/uniform

randomvalues

20

Correctness:byconstruction

T1

Whataboutactivesecurity?

u = x + r

v = y + s + e1

, r T2 , s

T2[u,v] + e2

21

T1

Isthis cheating?

• v = y + s + e1 = (y+e1) + s = y’ + s – Input substitution, not really cheating a

(see formal definition)

• M2[u,v] + e2– Changes output to z’ = f(x,y) + e2– Example: f(x,y)=1 iff x=y (e.g. pwd check)– e2=1 the output is 1 whp (login without pwd!)• Clearly breach of security!

ForceBobtosendtherightvalue• Problem: Bobcansendthewrongshares• Solution: useMACs

– e.g.m=ax+b with(a,b)ß F

(m,x)

(x’,m’)

(a,b)

Abort if m’≠ax’+b

m=ax+b

OTTT+MAC

u = x + r

v = y + s

T1 , r T2 , s

M[u,v]

If (M[u,v]=A[u,v]*T2[u,v]+B[u,v])output f(x,y) = T1[u,v] + T2[u,v]

else abort

24

MA B

Statisticalsecurityvs.maliciousBobw.p.1-1/|F|

T2[u,v],

“Thesimplest2PCprotocolever”OTTT

• OptimalcommunicationcomplexityJ

• StorageexponentialininputsizeL

èRepresentfunctionusingcircuitinsteadof truthtable!

25





Circuitbased computation

27

x5 y5x4 y4

x3 y3x2 y2

x1 y1

z

Invariant

• Foreachwirex inthecircuitwehave– [x]:=(xA,xB)//read“xinabox”–WhereAliceholdsxA– BobholdsxB– SuchthatxA+xB=x

• Notationoverload:– xisbothther-value andthel-valueofx– usen(x)fornameofxandv(x)forvalueofxwhenindoubt.– Then[n(x)]=(xA,xB)suchthatxA+xB=v(x)

CircuitEvaluation(Onlinephase)

1) [x]ß Input(A,x):– chooses random xB andsendittoBob– setxA=x+xB //symmetric forBob

Aliceonly sends arandom bit!“Clearly”secure

2)zß Open(A,[z])://zß Open([z])ifboth get output– BobsendszB– Aliceoutputsz=zA+zB //symmetric forBob

Aliceshould learn zanyway!“Clearly”secure


2)[z]ß Add([x],[y])//attheendz=x+y– Alicecomputes zA =xA +yA– Bobcomputes zB =xB + yB

– We write [z]=[x]+[y]

Nointeraction!“Clearly”secure

“forfree”:only alocal addition!


2a)[z]ßMul(a,[x])//attheendz=a*x– Alicecomputes zA =a*xA– Bobcomputes zB =a*xB

2c)[z]ß Add(a,[x])//attheendz=a+x– Alicecomputes zA =a+xA– Bobcomputes zB =xB


3)Multiplication?Howtocompute [z]=[xy]?

Alice,BobshouldcomputezA + zB =(xA+xB)(yA+yB)

=xAyA +xByA +xAyB +xByB

Alicecancomputethis Bobcancomputethis

Howdowecomputethis?


3)[z]ßMul([x],[y]):1. Get [a],[b],[c] withc=abfromtrusted dealer

2. e=Open([a]+[x])3. d=Open([b]+[y])

4. Compute[z]=[c]+e[y]+d[x]- edab+(ay+xy)+(bx+xy)- (ab+ay+bx+xy)

Isthissecure?e,d are“one-time-pad”encryptions

ofxandyusingaandb





SecureComputation

35

[x5] [y5][x4] [y4]

[x3] [y3][x2] [y2]

[x1] [y1]

z

+e

w

*

[w]

[w+e]

ActiveSecurity?

• “Privacy?”– evenamaliciousBobdoesnotlearnanythingJ

• “Correctness?”– acorruptedBobcanchangehisshareduringany“Open”(bothfinalresultorduringmultiplication)leadingthefinaloutputtobeincorrectL

Problem2)zß Open(A,[z]):– BobsendszB +e– Aliceoutputsz=zA+zB +e //error change output

distributioninway thatcannot be simulated byinputsubstition

Solution:add MACs2)zß Open(A,[z]):– BobsendszB,mB

– Aliceoutputs• z=zA+zB if mB =zB ∆A+ kA• “abort”otherwise

• Solution: Enhancerepresentation[x]– [x]=((xA,kA,mA) ,(xB,kB,mB) )s.t.– mB =xB ∆A+kA(symmetricformA)– ∆A,∆B isthesameforallwires.

Linearrepresentation

• Given– [x]=((xA,kAx,mAx),(yB,kBx,mBx))– [y]=((yA,kAy,mAy),(yB,kBy,mBy))– Compute[z]=((zA=xA+yA , kAz=kAx+kAy , mAz=mAx+mAy ),(zB=xB+yB , kBz=kBx+kBy , mBz=mBx+mBy ),)

• And[z]isintherightformatsince…mBz =(mBz+mBy)=(kAx +xB∆A)+(kAy +yB∆A)

=(kAx +kAy)+(xB+yB)∆A =kAz +zB∆A

Recap

1. OutputGates:– ExchangesharesandMACs– AbortifMACdoesnotverify

2. InputGates:– Get arandom [r]fromtrusted dealer– rß Open(A,[r])– Alicesends Bobd=x-r,– Compute [x]=[r]+d

Allowssimulatortoextractx*=r+d*

Recap

1. AdditionGates:– Uselinearityofrepresentationtocompute

[z]=[x]+[y]2. Multiplicationgates:– Getarandomtriple[a][b][c]withc=abfromTD.– eßOpen([a]+[x]),dß Open([b]+[y])– Compute[z]=[c]+a[y]+b[x]- ed

Finalremarks

• SizeofMACs

• LazyMACchecks

Size ofMACs

1. Eachpartymuststoreamac/keypairforeachotherparty– quadraticcomplexity!L– SPDZforlinearcomplexity.

2. MACisonlyashardasguessingkey!kMACsinparallelgivesecurity1/|F|k– InTinyOT F=Z2,thenMACs/Keysarek-bitstrings– MiniMACs forconstantoverhead

Lazy MACCheck

44

[x5] [y5][x4] [y4]

[x3] [y3][x2] [y2]

[x1] [y1]

z

+e

*

[w+e]

Recap ofPart1

• Two protocols “inthetrusted dealermodel”– OneTime-Truth Table• Storage exp(inputsize)L• Communication O(inputsize)J• 1roundJ

– (SPDZ)/BeDOZa/TinyOT onlinephase• Storage linear #number ofANDgates• Communication linear#number ofANDgates• #rounds =depth ofthecircuit

– …andadd enoughMACs toget active security

45

RecapofPart1

• Todosecurecomputationisenoughtoprecomputeenoughrandommultiplications!

• Ifnosemi-trustedpartyisavailable,wecanusecryptographicassumption(next)

46

OTb m0,m1

mb






3)Multiplication?Howtocompute [z]=[xy]?

Alice,BobshouldcomputezA + zB =(xA+xB)(yA+yB)

=xAyA +xByA +xAyB +xByB

Alicecancomputethis Bobcancomputethis

Howdowecomputethis?

Part2:Oblivious Transfer

• OT:Definition,Applications(Gilboa’s protocol)

• OTProtocolsfromDDH(Naor-Pinkas/PVW)

• PassiveSecureOTExtension

1-2OT

1-2 OT

b

mb

m0,m1

Receiver Sender

• Receiver does not learn m1-b

• Sender does not learn b

1-2OT

1-2 OT

b

mb

m0,m1

Receiver Sender

• mb = (1-b) m0 + b m1

• mb = m0 + b (m1 - m0 )

1-nOT

1-n OT

i

mi

m1,…,mn

Receiver Sender

2PCvia1-nOT

1-n OT

x

f(x,y)

f(1,y),…,f(n,y)

Receiver Sender

Oblivious Transfer=

bitmultiplicationReceiver Sender

1-2 OT

b

ab+c

(c,a+c)

GILBOA’S PROTOCOL

nOTs =Arith.Multiplication

1-2 OT

bi

di=a(2ibi)+ci

(ci,a2i+ci)

Receiver Senderb=(b0,b1,…,bn-1) a (nbitnumber)

c0+…+cn-1=c

d0+…+dn-1=a(b0+2b1+…+2n-1bn-1)+(c0+…+cn-1)=ab+c


• OTdefinition,applications (Gilboa’s protocol)


• PassiveSecureOTExtension(IKNP03)

Receiver(b) Sender(m0,m1)

pkb ß G(sk)pk1-b ß Rand()

(pk0,pk1)

PassiveSecureOT

c0=E(pk0,m0), c1=E(pk1,m1)

mb = D(sk,cb)

Receiverprivacy:Realpk ≈ “random”pk

Senderprivacy:encryptionissecure

(Alicedoesnothavesk)


pkb ß G(sk)pk1-b ß Rand()

(pk0,pk1)

PassiveSecureOT

c0=E(pk0,m0), c1=E(pk1,m1)

mb = D(sk,cb)

pk0 ß G(sk0)pk1 ß G(sk1)

m0 ß D(sk0, c0)m1 ß D(sk1, c1)

Malicious


mpk ß f(crs,sk,b)mpk

ActiveSecureOT

c0=E(pk0,m0), c1=E(pk1,m1)

mb = D(sk,cb)

crs

(pk0,pk1)=G(mpk,crs)

Keys are correlated,Receivercannot learn

theskforboth


mpk = gskhb

mpk

Naor-Pinkas OT(alaChou-Orlandi)

c0=E(pk0,m0), c1=E(pk1,m1)

mb = D(sk,cb)

pk0=mpkpk1=mpk/h

EncryptionisElGamal

Frompk0=gsk0pk1=gsk1

h=pk0/pk1à

h=gsk0-sk1

crs = h (single group element)


• OTdefinition,applications (Gilboa’s protocol)


• PassiveSecureOTExtension(IKNP03)

Efficiency

• Problem: OTrequirespublickeyprimitives,inherentlyefficient

More efficient Less efficient

OTP >> SKE >> PKE >> FHE >> Obfuscation

TheCryptoToolbox

64

Weaker assumption Stronger assumption

Efficiency

• Problem: OTrequirespublickeyprimitives,inherentlyefficient

• Solution: OTextension– Likehybridencryption!– Startwithfew(expensive)OTbasedonPKE– Getmany(inexpensive)OTusingonlySKE

WARMUP:USEFUL OTPROPERTIES

ShortOTà LongOTReceiver Sender

1-2 OTb

kb

k0,k1

(u0, u1)=(prg(k0)+m0, prg(k1)+m1)

mb=prg(kb)+ub

b

poly(k)-bitstrings

m0,m1

k-bitstrings

RandomOT=OT

ROTc,rcr0,r1

(x0, x1)=((r0 + m0), (r1 +m1))mb=rc +xb

b m0,m1

ifb=c

RandomOT=OT

ROTc,rcr0,r1

b m0,m1

(x0, x1)= (r0+d+ m0), (r1+d + m1))

d = b + c

Exercise:checkthatitworks!

mb=rc +xb

(R)OTissymmetricSender

bits

ROTs0,s1b,y=sb

c, z=rc r0,r1

c = s0 + s1

z = s0

Nocommunication!

r0 = yr1 = b + r0

Exercise:checkthatitworks

OTExtension

• OTpro(v/b)ablyrequirespublic-keyprimitivies

– OTextension≈hybridencryption

– Startfromk“real”OTs

– Turnthemintopoly(k)OTsusingonlyfewsymmetricprimitivesperOT

71

X0

X1bU

OTExtension,Pictorially

72

k1-2 ROTs

k

k k

n n=poly(k)

Remember:OTstretching

(see“ShortOTà LongOT”slideearlier)

Xb1,1

X0,1

X1,1b1

ConditionforOTextension

73

X1

X0

⊕

c…c

=

Problemforactivesecurity!

Remember:“RandomOTà OT”

XbU


74

k1-2

CROTsk

k

n n=poly(k)

“CorrelatedOTs”

c

X1⊕ b1˙cX1

b1


U

⊕

X

b

=

c

𝑏 ⊗ c -. = 𝑏- ⋅ c.

OTExtension,Turnyourhead!

U

⊕

X

=

X U

=⊕

b c

bc

XbU


77

k1-2

CROTsk

k

n n=poly(k)

c

X

bU


78

n1-2

CROTs

n

k

n

k

c

Breakthecorrelation!

79U

bbb

⊕

= H

b

Y0

U= H

Y1

V X= H

Breakingthecorrelation

• UsingacorrelationrobusthashfunctionHs.t.1. {a0,…,an,H(a0+ r),…,H(an+r)}//(ai’s,rrandom)2. {a0,…,an,b0,…,bn}//(ai’s,bi’s random)arecomputationallyindistinguishable

80


81

Vk

Y0

k

n

n=poly(k)c

n

1-2 ROTs

Y1

Yc1,1

Y0,1

Y1,1

c1

Recap0.Strech kOTs from k- topoly(k)=n-bitlong strings

1. Sendcorrectionforeachpairofmessagesxi0,xi1s.t.,xi0 ⊕ xi1 =c

2. Turnyourhead(S/Rswaproles)

3. Thebitsofc arethenewchoicebits

4. Breakthecorrelation:yj0=H(uj),yj1=H(uj⊕ b)

• Notsecureagainstactiveadversaries82

Recap ofPart2

• OT:building block for2PC– Requires PKEL– OTExtension(using only SKE)J– Canbe combined withprotocols frompart1for2PCwithout atrusted dealer (using computationalassumptions)J

– #rounds =depth ofthecircuitK

83

Mul. triples

OnlinePh

ase

Prep

rocessing

x y

f(x,y)

OTs

Part1

Comingupnext…

• OT+GarbledCircuitsà Constantround2PC!

…akalaymanfully-homomorphicencryption

84

8dx2rru3d0fW2muv6tbWg32flqIo

s1e4xq13OtTzoJc

f(x,y)

x y

20ux88TqkA4I

8dx2rru3d0fWS

f(x,y)

x y

20ux88TqkA4I





Part3:Garbled Circuits

• GC:DefinitionsandApplications

• Garbling gate-by-gate:Basicandoptimizations

• Activesecurity 101:simple-cut-andchoose,dual-execution

Garbled Circuit

Cryptographic primitivethat allows toevaluate

encrypted functions

on

encrypted inputs

Garbled Circuits

EvDeGb

En

f

x

[F]

e

d

[X] [Z]

z

Correctifz=f(x)

Valuesinaboxare “garbled”

r

[F],[Y],d

x e[X]

([F],e,d)ßGb(f,r )[Y]ßEn(e,y)

[Z]ßEv([F],[X],[Y])

Alice(x) Bob(y)

z=De(d,[Z])

PassiveConstantRound2PC(Yao)

2PC(OT)

2PC(OT)[F],[Y],d

x e[X]


[Z]ßEv([F],[X],[Y])

Alice(x) Bob(y)

z=De(d,[Z])


Boblearnsnothingaboutx!

2PC(OT)[F],[Y],d

x e[X]


[Z]ßEv([F],[X],[Y])

Alice(x) Bob(y)

z=De(d,[Z])


HowmuchinformationisleakedbyGC?

Garbled Circuits:Privacy

EvDeGb

En

f

x

e [Z]

z

r[F]

d

[X]

ExistSims.t.([F],[X],d)

~Sim(f,f(x))

Orevenless/noinfoaboutf


• DefinitionsandApplications



Garbling:Gate-by-gate

94

[x5] [y5][x4] [y4]

[x3] [y3][x2] [y2]

[x1] [y1]

z

+e

w

*

[w]

[w+e]

PROJECTIVE SCHEMES:CIRCUITBASED GARBLING/EVALUATIONS

GarblingaCircuit:([F],e,d)ß Gb(f)K10,K11 • Choose 2random keys Ki0,Ki1

foreach wireinthecircuit– Input,internal and,outputwires

• Foreach gategcompute– ggß Gb(g,L0,L1,R0,R1,K0,K1)

• Output– e=(Ki0,Ki1)forallinputwires– d=(Z0,Z1)– [F]=(ggi)forallgatesi

K20,K21…

Z0,Z1

L0,L1 R0,R1

K0,K1

EncodingandDecoding

[X] =En(e,x)• e={Ki0, Ki1}• x={x1,…,xn }• [X]={K1x1,…,Knxn}

z=De(d,[Z])• d={Z0,Z1}• [Z]={K}• z=– 0 ifK=Z0,– 1 ifK=Z1,– “abort” else

EvaluatingaGC:[Z]ß Ev([F],[X])K1

• Parse[X]={K1,…,Kn}• Parse [F]={ggi}

• Foreach gatei compute– Kß Ev(ggi,L,R)

• Output– Z

K2………

Z

L R

K

gg1

gg2

ggn

ggi

ggi ggi ggi ggi

ggi ggi

ggi

INDIVIDUALGATESGARBLING/EVALUATION

Notation

gg

L0,L1 R0,R1

Z0,Z1

• Agarbled gateisagadgetthat giventwo inputskeysgivesyou therightoutputkey(andnothing else)

• ggß Gb(g,L0,L1,R0,R1,Z0,Z1)• Zg(a,b) ß Ev(gg,La,Rb)

• //andnotZ1-g(a,b)

101

YaoGateGarbling(1)

L R K

0 0 1

0 1 1

1 0 1

1 1 0

L R

K

• NANDgate

102

YaoGateGarbling(2)

L R K

L0 R0 K1L0 R1 K1L1 R0 K1L1 R1 K0

L R

K

• Chooselabels(e.g.,128bitsstrings)foreveryvalueoneverywire

103

YaoGateGarbling(3)

CC1=H(L0,R0)⊕ K1

C2=H(L0,R1)⊕ K1

C3=H(L1,R0)⊕ K1

C4=H(L1,R1)⊕ K0

L R

K

• Encrypttheoutputkeywiththeinputkeys

104

YaoGateGarbling(4)

CC1=H(L0,R0)⊕ (K1,0k)

C2=H(L0,R1)⊕ (K1,0k)

C3=H(L1,R0)⊕ (K1,0k)

C4=H(L1,R1)⊕ (K0,0k)

L R

K

• Addredundancy(laterusedtocheckifdecryptionissuccessful)

105

YaoGateGarbling(5)

L R

K

• Permutetheorderoftheciphertexts (tohideinformationaboutinputs/outputs)

CC1=H(L0,R0)⊕ (K1,0k)

C2=H(L0,R1)⊕ (K1,0k)

C3=H(L1,R0)⊕ (K1,0k)

C4=H(L1,R1)⊕ (K0,0k)

C’1,C’2,C’3,C’4 =perm(C1,C2,C3,C4)

106

YaoGateEvaluation(1)

Eval(gg,La,Rb)//nota,b• Fori=1..4

– (K,t)=C’i ⊕ H(La,Rb)– Ift=0k outputK

gg(permuted)C1=H(L0,R0)⊕ (K1,0k)

C2=H(L0,R1)⊕ (K1,0k)

C3=H(L1,R0)⊕ (K1,0k)

C4=H(L1,R1)⊕ (K0,0k)• Outputiscorrect:– t=0k onlyforrightrow

• Evaluatorlearnsnothingelse:– Encryption+permutation

GARBLING OPTIMIZATIONS:POINT-AND-PERMUTE

Point-and-permute

• Problem:Evaluatorneedstotrytodecryptall4rows

• Solution:addpermutationbitstokeys

gg

(L0,p)(L1,!p)

(R0,q)(R1,!q)

ggß Gb(g,L0,L1,p,R0,R1,q,Z0,Z1,r)(Zg(a,b),r⊕g(a,b))ß Ev(gg,La,a⊕p,Rb,b⊕q)

(Z0,r)(Z1,!r)

109

Point-and-permuteGarbling(4)

C

C1=H(L0,R0)⊕ (Kg(0,0),r⊕ g(0,0) )

C2=H(L0,R1)⊕ (Kg(0,1),r⊕ g(0,1) )

C3=H(L1,R0)⊕ (Kg(1,0),r⊕ g(1,0) )

C4=H(L1,R1)⊕ (Kg(1,1),r⊕ g(1,1) )

L R

K

• Removeredundancy• Addrandompermutationbit

110

Point-and-permuteGarbling(5)

C

C1=H(Lp,Rq)⊕ (Kg(p,q),r⊕ g(p,q))

C2=H(Lp,R!q)⊕ (Kg(p,!q),r⊕ g(p,!q))

C3=H(L!p,Rq)⊕ (Kg(!p,q),r⊕ g(!p,q))

C4=H(L!p,R!q)⊕ (Kg(!p,!q),r⊕ g(!p,!q))

• Permuterowsusingp,q

111

Point-and-permuteEvaluation

Eval(gg,L,u,R,v)//nota,b• (K,r)=C’2u+v ⊕ H(L,R)

• Outputiscorrect:– (Checkpermutation)

• Privacy:– u=p⊕a,v=q⊕b– p,q are“onetimepads”fora,b

C

C1=H(Lp,Rq)⊕ (Kg(p,q),r⊕ g(p,q))

C2=H(Lp,R!q)⊕ (Kg(p,!q),r⊕ g(p,!q))

C3=H(L!p,Rq)⊕ (Kg(!p,q),r⊕ g(!p,q))

C4=H(L!p,R!q)⊕ (Kg(!p,!q),r⊕ g(!p,!q))

GARBLING OPTIMIZATIONS:SIMPLEGARBLED ROWREDUCTION

Point-and-permute

• Problem:eachggis4ciphertexts• Solution:defineoutputkeypseudorandomlyasfunctionsofinputkeys,reducecomm.complexity

gg

L0L1

R0R1

(gg, Z0,Z1)ß Gb(g,L0,L1,R0,R1)(Zg(a,b))ß Ev(gg,La,Rb)

Z0Z1

GarblingaCircuit:([F],e,d)ß Gb(f)K10,K11 • Choose 2random keys Ki0,Ki1

foreach wireinthecircuit– Inputwireonly!

• Foreach gategcompute– (gg,K0,K1)ß Gb(g,L0,L1,R0,R1)


K20,K21…

Z0,Z1

L0,L1 R0,R1

K0,K1

115

YaoGateGarbling(3)

CC1=H(L0,R0)⊕ K1

C2=H(L0,R1)⊕ K1

C3=H(L1,R0)⊕ K1

C4=H(L1,R1)⊕ K0

L R

K

• Encrypttheoutputkeywiththeinputkeys

116

GarbledRowReductionGarbling

CK1 =H(L0,R0) (C1=0k)

C2=H(L0,R1)⊕ K1

C3=H(L1,R0)⊕ K1

C4=H(L1,R1)⊕ K0

L R

K• Defineoutputkeysasfunctionofinputkeys– (compatiblewithp&p)– Canreduce2rows,but1iscompatiblewithFree-XOR

(comingup!)

GARBLING OPTIMIZATIONS:FREE XOR

Free-XOR

• Problem:inBeDOZa lineargatesareforfree.WhataboutGC?

• Solution:introducecorrelationbetweenkeys,makeXORcomputation“free”

gg

L0L1=L0⊕Δ

R0R1=R0⊕Δ

(gg,Z0)ß Gb(g,L0,R0,Δ)(Zg(a,b))ß Ev(gg,La,Rb)

Z0Z1=Z0⊕Δ

GarblingaCircuit:([F],e,d)ß Gb(f)K10 • Choose 1random key Ki0 for

each inputwireinthecircuit– AndglobaldifferenceΔ

• Foreach gategcompute– (gg,K0)ß Gb(g,L0,R0,Δ)


K20…

Z0,Z1

L0 R0

K0

Garblingnon-lineargates

• Likebefore,butrequires“circularsecurityassumption”– (CompatiblewithGRRandp&P)

• ExampleforANDgate– Evaluatorsees

L0,R0,K0,H(L0 ⊕ Δ, R0 ⊕ Δ)⊕ K0 ⊕ Δ

– AndshouldnotbeabletocomputeΔ !

Garbling/EvaluatingXORGates

gg

L0L1=L0⊕Δ

R0R1=R0⊕Δ

(gg,,Z0)ß Gb(g,L0,R0,Δ)(Zg(a,b))ß Ev(gg,La,Rb)

Z0Z1=Z0⊕Δ

Gb(XOR,L0,R0,Δ)• OutputZ0=L0⊕R0

• (ggisempty)

Ev(XOR,La,Rb,Δ)• OutputZa⊕b=La⊕Rb

La⊕Rb= L0⊕ aΔ ⊕ R0 ⊕ bΔ = Z0 ⊕ (a⊕b)Δ =Za⊕b


• DefinitionsandApplications



ACTIVEATTACKSVSYAO

OT[F],[Y],d

x e[X]


[Z]ßEv([F],[X],[Y])

Alice Bob

z=De(d,[Z])

Yao´sprotocol

PassiveSecurityOnly1GC!

Constantround!Veryfast!

OT[F],[Y],d

x e[X]


Alice Bob

Active security of Yao

Cannotreallycheat!

OT[F],[Y],d

x e[X]


Alice Bob

ActivesecurityofYao(v2,Bobgets output)

Stillcan’tcheat,authenticity!

[Z*] z*=De(d,[Z*])

Garbled Circuits:Authenticy

EvDeGb

En

f

x

e [Z*]

z*

r[F]

d

[X]

ForallcorruptEvz*=f(x)orz*=abort

OT[F],[Y],d

x e[X]


[Z]ßEv([F],[X],[Y])

Alice(x) Bob(y)

z=De(d,[Z])

Active security of Yao

WhatifBiscorrupted?

OT[G],[Y],d

x e[X]

([G],e,d)ßGb(g,r )[Y]ßEn(e,y)

[Z]ßEv([G],[X],[Y])

Alice(x) Bob(y)

z=De(d,[Z])

Insecurity1(wrongf)

g!=fz!=f(x,y)

OT[G],[Y],d

x (K0,K1)[X]=Kx


[Z]ßEv([G],[X],[Y])

Alice(x) Bob(y)

z=De(d,[Z])

Insecurity2(selectivefailure)

OT[G],[Y],d

x (K0,K*)[X*]


[Z*]ßEv([G],[X*],[Y])

Alice(x) Bob(y)

z*=De(d,[Z*])

Insecurity2(selectivefailure)

x=0à z*=f(x,y)x=1à z*=abort

SIMPLETRICKSFORACTIVESECURITY

Cut-And-Choose

OT[F]1,[F]2,d1,d2

x e1,e2[X1],[X2] ([F]i,ei,di)ßGb(f,ri )

IfGb(f,r-j)!=[F]-jabort

else[Z]jßEv([F]j,[X]j,[Y]j)

Alice Bob

z=De(dj,[Z]j)

randjr-j,[Y]j

2PC,simplecut-and-choose

[Y]jßEn(ej,y)

OT[F]1,[F]2,d1,d2

x e1,e2[X1],[X2]

IfGb(f,r-j)!=[F]-jabort

else[Z]jßEv([F]j,[X]j,[Y]j)

Alice Bob

z=De(dj,[Z]j) CorruptBobonlywinswithprobability1/2

randjr-j,[Y]j

2PC,simplecut-and-choose

2PC,cut-and-choose

• Simplecut-and-choose– Garblek,checkk-1,evaluate1.– Security1-1/k

• “Realcut-and-choose”– UseO(k)circuits,getsecurity2-k

– Requires morecomplex techniques

DelegationviaGC

[F] ([F],e,d)ßGb(f,r )

[X]ßEn(e,x)

[Z]ßEv([F],[X])

Server Client(x)

z=De(d,[Z])

Application1:DelegationviaGC

[X]

[Z]

Preprocessing:Theclientworkisproportionalto|f|

Online:TheclientcanDelegatecomp.TheworkoftheclientIsindependentof|f|

[F] ([F],e,d)ßGb(f,r )

[X]ßEn(e,x)

Server Client(x)

z=De(d,[Z])

Application1:DelegationviaGC

[X]

[Z]

Preprocessing:Theclientworkisproportionalto|f|

Online:TheclientcanDelegatecomp.TheworkoftheclientIsindependentof|f|

Authenticity:ForallPPTA

[Z*]ß A([F],[X]),then

De([Z*],d)is

f(x)or“^”

Garbled Circuits:Authenticity

EvDeGb

En

f

x

e [Z*]

z*

r[F]

d

[X]

z*=f(x)OR

z*=abort

DualExecution

OT[F],[Y]

x e[X] ([F],e,d)ßGb(f,r )

[Y]ßEn(e,y)[Z]ßEv([F],[X],[Y])

Alice Bob

OT[F],[X]

e y[Y]([F],e,d)ßGb(f,r )

[X]ßEn(e,x)[Z]ßEv([F],[X],[Y])

De(d,[Z])==

De(d,[Z])

[Z],d [Z],d

z/abort z/abort

OT[F],[Y]


[Y]ßEn(e,y)

Alice* Bob

OT[G],[X*]

e y[Y]

[Z*]ßEv([G],[X*],[Y])

Authenticityà

[Z] istherightoutput!

f(x,y)orabort

De(d,[Z*])==

De(d,[Z])

[Z],d [Z*],d

z/abort z/abort

OT[F],[Y]


[Y]ßEn(e,y)

Alice* Bob

OT[G],[X]

e y[Y]

[Z*]ßEv([G],[X],[Y])

Selectivefailure

[Z*]=[Z]iff y=0è

1bitleakage

De(d,[Z*])==

De(d,[Z])

[Z],d [Z*],d

z/abort z/abort

Recap:Garbled Circuits

• Garbled circuits:allow toevaluate encryptedfunctions onencrypted inputs– Withpropertieslike privacy,authenticity,etc.

• Applications:constant-round 2PC• Different techniques forgarbling gates– Efficiency vs.Assumptions

• Activesecurity– Howtocheckthat therightfunction isgarbled?– Cut-and-choose andother tricks…

Want more?

• Cryptographic Computing– Foundations– http://orlandi.dk/crycom– Programming&Theory Exercises–Willbe happy toanswer questions bymail!

Documents

Efficient Secure Two-Party Computation · • Dyadic Security: Server breach mitigation • Sharemind: Benchmarking, satellite collision • SAP: Private smart-metering • IBM: Secure