Communication complexity of the forge-and-lose...
Transcript of Communication complexity of the forge-and-lose...
Communication complexity of the forge-and-lose technique
(@ secure evaluation of AES-128 and SHA-256 circuits)
University of Lisbon / LaSIGE (Portugal) and Carnegie Mellon University (USA)
+ Ph.D. student, supported by the Portuguese Foundation for Science and Technology (FCT) through the Carnegie Mellon Portugal Program under Grant SFRH/BD/33770/2009.
Luís Brandão+
Crypto 2013 Rump Session(Santa Barbara, USA, August 20)
1
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
S2PC via cut-and-choose of garbled circuits
2
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
S2PC via cut-and-choose of garbled circuitsS2PC (ideal):
Alice BobTTPx y
C(x,y)
2
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
S2PC via cut-and-choose of garbled circuits
Usual C&C methods
GC1…GC2 GC123
Here are 123 garbled circuits OK, let me verify that 74 are OK, and then I’ll evaluatethe other 49Alice Bob
S2PC (ideal):Alice Bob
TTPx y
C(x,y)
2
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
S2PC via cut-and-choose of garbled circuits
The output is OK only ifmajority of evaluation
GCs is correct
Usual C&C methods
GC1…GC2 GC123
Here are 123 garbled circuits OK, let me verify that 74 are OK, and then I’ll evaluatethe other 49Alice Bob
S2PC (ideal):Alice Bob
TTPx y
C(x,y)
2
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
S2PC via cut-and-choose of garbled circuits
The output is OK only ifmajority of evaluation
GCs is correct
Prerror≈ 1.26 ⋅ 2–0.32 s
Usual C&C methods
GC1…GC2 GC123
Here are 123 garbled circuits OK, let me verify that 74 are OK, and then I’ll evaluatethe other 49Alice Bob
S2PC (ideal):Alice Bob
TTPx y
C(x,y)
2
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
S2PC via cut-and-choose of garbled circuits
The output is OK only ifmajority of evaluation
GCs is correct
Prerror≈ 1.26 ⋅ 2–0.32 s
Usual C&C methods
GC1…GC2 GC123
Here are 123 garbled circuits OK, let me verify that 74 are OK, and then I’ll evaluatethe other 49Alice Bob
s ≡ # GCs
S2PC (ideal):Alice Bob
TTPx y
C(x,y)
2
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
S2PC via cut-and-choose of garbled circuits
The output is OK only ifmajority of evaluation
GCs is correctExample: 123GCs for Prerror< 2–40
Prerror≈ 1.26 ⋅ 2–0.32 s
Usual C&C methods
GC1…GC2 GC123
Here are 123 garbled circuits OK, let me verify that 74 are OK, and then I’ll evaluatethe other 49Alice Bob
s ≡ # GCs
S2PC (ideal):Alice Bob
TTPx y
C(x,y)
2
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
S2PC via cut-and-choose of garbled circuits
The output is OK only ifmajority of evaluation
GCs is correctExample: 123GCs for Prerror< 2–40
Prerror≈ 1.26 ⋅ 2–0.32 s
Usual C&C methods
Newoptimal(?) C&C methods in 2013
The output is OK if at least oneevaluation
GC is correct
GC1…GC2 GC123
Here are 123 garbled circuits OK, let me verify that 74 are OK, and then I’ll evaluatethe other 49Alice Bob
s ≡ # GCs
S2PC (ideal):Alice Bob
TTPx y
C(x,y)
2
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
S2PC via cut-and-choose of garbled circuits
The output is OK only ifmajority of evaluation
GCs is correctExample: 123GCs for Prerror< 2–40
Prerror≈ 1.26 ⋅ 2–0.32 s
Usual C&C methods
Newoptimal(?) C&C methods in 2013
The output is OK if at least oneevaluation
GC is correct
C&C proportions(verify vs. evaluate)
Prerror# GCs:
Prerror≤2–40
Fixed ≈1.25 ⋅ 2–s+ (log2 s)/2 44
Variable 2–s 40
GC1…GC2 GC123
Here are 123 garbled circuits OK, let me verify that 74 are OK, and then I’ll evaluatethe other 49Alice Bob
s ≡ # GCs
S2PC (ideal):Alice Bob
TTPx y
C(x,y)
2
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
S2PC via cut-and-choose of garbled circuits
The output is OK only ifmajority of evaluation
GCs is correctExample: 123GCs for Prerror< 2–40
Prerror≈ 1.26 ⋅ 2–0.32 s
Usual C&C methods
Newoptimal(?) C&C methods in 2013
The output is OK if at least oneevaluation
GC is correct
C&C proportions(verify vs. evaluate)
Prerror# GCs:
Prerror≤2–40
Fixed ≈1.25 ⋅ 2–s+ (log2 s)/2 44
Variable 2–s 40
GC1…GC2 GC123
Here are 123 garbled circuits OK, let me verify that 74 are OK, and then I’ll evaluatethe other 49Alice Bob
s ≡ # GCs
Compare against 123
S2PC (ideal):Alice Bob
TTPx y
C(x,y)
2
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods
3
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)
3
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)
� [HKE13] – crypto 2013 (Wednesday)
3
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)
� [Bra13] – crypto 2013 rump session
� [HKE13] – crypto 2013 (Wednesday)
3
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)
� [Bra13] – crypto 2013 rump session
� [HKE13] – crypto 2013 (Wednesday)
3
(now)
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)
� [Bra13] – crypto 2013 rump session
� [HKE13] – crypto 2013 (Wednesday)
wire key for bit 0
wire key for bit 1
GC2output wire i
GC1output wire i
3
(now)
Forge-and-lose technique
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)
� [Bra13] – crypto 2013 rump session
� [HKE13] – crypto 2013 (Wednesday)
Correct?
wire key for bit 0
wire key for bit 1
GC2output wire i
GC1output wire i
FORGED?
3
(now)
Bob
Forge-and-lose technique
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)
� [Bra13] – crypto 2013 rump session
� [HKE13] – crypto 2013 (Wednesday)
Correct?
wire key for bit 0
wire key for bit 1
GC2output wire i
GC1output wire i
FORGED?
Encodingof 1
Encodingof 0
connect
connect
(group elements)
3
(now)
Bob
Forge-and-lose technique
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)
� [Bra13] – crypto 2013 rump session
� [HKE13] – crypto 2013 (Wednesday)
Correct?
wire key for bit 0
wire key for bit 1
GC2output wire i
GC1output wire i
FORGED? (decommitmentsof same BitCom)
Encodingof 1
Encodingof 0
connect
connect
(group elements)
3
(now)
Bob
Forge-and-lose technique
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)
� [Bra13] – crypto 2013 rump session
� [HKE13] – crypto 2013 (Wednesday)
Trapdoor(Decryption key)
Correct?
wire key for bit 0
wire key for bit 1
GC2output wire i
GC1output wire i
FORGED? (decommitmentsof same BitCom)
Encodingof 1
Encodingof 0
connect
connect
(group elements)
3
(now)
Bob
Forge-and-lose technique
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)
� [Bra13] – crypto 2013 rump session
� [HKE13] – crypto 2013 (Wednesday)
Trapdoor(Decryption key)
Encrypted input of Alice
Correct?
wire key for bit 0
wire key for bit 1
GC2output wire i
GC1output wire i
FORGED? (decommitmentsof same BitCom)
(early in protocol)
Encodingof 1
Encodingof 0
connect
connect
(group elements)
3
(now)
Bob
Forge-and-lose technique
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)
� [Bra13] – crypto 2013 rump session
� [HKE13] – crypto 2013 (Wednesday)
Alice’sinput
Trapdoor(Decryption key)
Encrypted input of Alice
Correct?
wire key for bit 0
wire key for bit 1
GC2output wire i
GC1output wire i
FORGED?
LOSES privacy
(decommitmentsof same BitCom)
(early in protocol)
Encodingof 1
Encodingof 0
connect
connect
(group elements)
3
(now)
Bob
Forge-and-lose technique
Alice
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)
� [Bra13] – crypto 2013 rump session
� [HKE13] – crypto 2013 (Wednesday)
Alice’sinput
Outputof Bob
Trapdoor(Decryption key)
Encrypted input of Alice
Correct?
EvaluateBoolean circuit
wire key for bit 0
wire key for bit 1
GC2output wire i
GC1output wire i
Bob’sinput
FORGED?
LOSES privacy
(decommitmentsof same BitCom)
(early in protocol)
Encodingof 1
Encodingof 0
connect
connect
(group elements)
3
(now)
Bob
Forge-and-lose technique
Alice
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)
� [Bra13] – crypto 2013 rump session
� [HKE13] – crypto 2013 (Wednesday)
Alice’sinput
Outputof Bob
Trapdoor(Decryption key)
Encrypted input of Alice
Correct?
EvaluateBoolean circuit
wire key for bit 0
wire key for bit 1
GC2output wire i
GC1output wire i
Bob’sinput
FORGED?
LOSES privacy
(decommitmentsof same BitCom)
(early in protocol)
Encodingof 1
Encodingof 0
connect
connect
(group elements)
3
(now)
Bob
Forge-and-lose technique
Alice
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)
� [Bra13] – crypto 2013 rump session
� [HKE13] – crypto 2013 (Wednesday)
(and Asiacrypt 2013)
Alice’sinput
Outputof Bob
Trapdoor(Decryption key)
Encrypted input of Alice
Correct?
EvaluateBoolean circuit
wire key for bit 0
wire key for bit 1
GC2output wire i
GC1output wire i
Bob’sinput
FORGED?
LOSES privacy
(decommitmentsof same BitCom)
(early in protocol)
Encodingof 1
Encodingof 0
connect
connect
(group elements)
3
(now)
Bob
Forge-and-lose technique
Alice
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Benchmarking communication in F&L
4
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Benchmarking communication in F&L
4
• Crypto security: 128 bits → 3,072-bit Blum integers [NIST-SP800-57]
• Statistical security: 40 bits (Prerror≤ 2–40)
• Garbled gates: 384 bits• Symmetric commitments: 256 / 384 bits
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Benchmarking communication in F&L
4
AES-128
|C∧| [Bri13] 6,800
lA=lB=l’ B 128
(lA+lB+l’ B)/|C∧| 5.6%
s (# GCs) 41 123
Max # evaluation GCs
20 8
RSC@GCs no yes
GCs (Mb) 107 21
Total (Mb) 161 55
Overhead from non-GCs (%)
50% 163%
• Crypto security: 128 bits → 3,072-bit Blum integers [NIST-SP800-57]
• Statistical security: 40 bits (Prerror≤ 2–40)
• Garbled gates: 384 bits• Symmetric commitments: 256 / 384 bits
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Benchmarking communication in F&L
4
AES-128
|C∧| [Bri13] 6,800
lA=lB=l’ B 128
(lA+lB+l’ B)/|C∧| 5.6%
s (# GCs) 41 123
Max # evaluation GCs
20 8
RSC@GCs no yes
GCs (Mb) 107 21
Total (Mb) 161 55
Overhead from non-GCs (%)
50% 163%
• Crypto security: 128 bits → 3,072-bit Blum integers [NIST-SP800-57]
• Statistical security: 40 bits (Prerror≤ 2–40)
• Garbled gates: 384 bits• Symmetric commitments: 256 / 384 bits
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Benchmarking communication in F&L
4
AES-128
|C∧| [Bri13] 6,800
lA=lB=l’ B 128
(lA+lB+l’ B)/|C∧| 5.6%
s (# GCs) 41 123
Max # evaluation GCs
20 8
RSC@GCs no yes
GCs (Mb) 107 21
Total (Mb) 161 55
Overhead from non-GCs (%)
50% 163%
• Crypto security: 128 bits → 3,072-bit Blum integers [NIST-SP800-57]
• Statistical security: 40 bits (Prerror≤ 2–40)
• Garbled gates: 384 bits• Symmetric commitments: 256 / 384 bits
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Benchmarking communication in F&L
4
AES-128
|C∧| [Bri13] 6,800
lA=lB=l’ B 128
(lA+lB+l’ B)/|C∧| 5.6%
s (# GCs) 41 123
Max # evaluation GCs
20 8
RSC@GCs no yes
GCs (Mb) 107 21
Total (Mb) 161 55
Overhead from non-GCs (%)
50% 163%
• Crypto security: 128 bits → 3,072-bit Blum integers [NIST-SP800-57]
• Statistical security: 40 bits (Prerror≤ 2–40)
• Garbled gates: 384 bits• Symmetric commitments: 256 / 384 bits
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Benchmarking communication in F&L
4
AES-128
|C∧| [Bri13] 6,800
lA=lB=l’ B 128
(lA+lB+l’ B)/|C∧| 5.6%
s (# GCs) 41 123
Max # evaluation GCs
20 8
RSC@GCs no yes
GCs (Mb) 107 21
Total (Mb) 161 55
Overhead from non-GCs (%)
50% 163%
• Crypto security: 128 bits → 3,072-bit Blum integers [NIST-SP800-57]
• Statistical security: 40 bits (Prerror≤ 2–40)
• Garbled gates: 384 bits• Symmetric commitments: 256 / 384 bits
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
SHA-256
90,825
256
0.85%
41 123
20 8
no yes
1430 279
1545 345
8% 24%
Benchmarking communication in F&L
4
AES-128
|C∧| [Bri13] 6,800
lA=lB=l’ B 128
(lA+lB+l’ B)/|C∧| 5.6%
s (# GCs) 41 123
Max # evaluation GCs
20 8
RSC@GCs no yes
GCs (Mb) 107 21
Total (Mb) 161 55
Overhead from non-GCs (%)
50% 163%
• Crypto security: 128 bits → 3,072-bit Blum integers [NIST-SP800-57]
• Statistical security: 40 bits (Prerror≤ 2–40)
• Garbled gates: 384 bits• Symmetric commitments: 256 / 384 bits
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
SHA-256
90,825
256
0.85%
41 123
20 8
no yes
1430 279
1545 345
8% 24%
Benchmarking communication in F&L
4
AES-128
|C∧| [Bri13] 6,800
lA=lB=l’ B 128
(lA+lB+l’ B)/|C∧| 5.6%
s (# GCs) 41 123
Max # evaluation GCs
20 8
RSC@GCs no yes
GCs (Mb) 107 21
Total (Mb) 161 55
Overhead from non-GCs (%)
50% 163%
• Crypto security: 128 bits → 3,072-bit Blum integers [NIST-SP800-57]
• Statistical security: 40 bits (Prerror≤ 2–40)
• Garbled gates: 384 bits• Symmetric commitments: 256 / 384 bits
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
SHA-256
90,825
256
0.85%
41 123
20 8
no yes
1430 279
1545 345
8% 24%
Benchmarking communication in F&L
4
AES-128
|C∧| [Bri13] 6,800
lA=lB=l’ B 128
(lA+lB+l’ B)/|C∧| 5.6%
s (# GCs) 41 123
Max # evaluation GCs
20 8
RSC@GCs no yes
GCs (Mb) 107 21
Total (Mb) 161 55
Overhead from non-GCs (%)
50% 163%
• Crypto security: 128 bits → 3,072-bit Blum integers [NIST-SP800-57]
• Statistical security: 40 bits (Prerror≤ 2–40)
• Garbled gates: 384 bits• Symmetric commitments: 256 / 384 bits
Some aspects
• Intractability : Quadratic Residuosity
• #(exps): O(l)
• Oblivious Transfers: 2-out-of-1 OT
• Proof security: Ideal/real simulation
(with rewinding)
• BitComs input+output:
XOR-homomorphic ⇒
Efficient linkage of S2PCs
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
SHA-256
90,825
256
0.85%
41 123
20 8
no yes
1430 279
1545 345
8% 24%
Benchmarking communication in F&L
4
AES-128
|C∧| [Bri13] 6,800
lA=lB=l’ B 128
(lA+lB+l’ B)/|C∧| 5.6%
s (# GCs) 41 123
Max # evaluation GCs
20 8
RSC@GCs no yes
GCs (Mb) 107 21
Total (Mb) 161 55
Overhead from non-GCs (%)
50% 163%
• Crypto security: 128 bits → 3,072-bit Blum integers [NIST-SP800-57]
• Statistical security: 40 bits (Prerror≤ 2–40)
• Garbled gates: 384 bits• Symmetric commitments: 256 / 384 bits
Some aspects
• Intractability : Quadratic Residuosity
• #(exps): O(l)
• Oblivious Transfers: 2-out-of-1 OT
• Proof security: Ideal/real simulation
(with rewinding)
• BitComs input+output:
XOR-homomorphic ⇒
Efficient linkage of S2PCs
(Further optimizations on the way)
“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013
Thanks
5
cut-and-chosewith
forge-and-lose!
lbrandao @ {fc.ul.pt, cmu.edu}