Communication complexity of the forge-and-lose...

Communication complexity of the forge-and-lose technique

(@ secure evaluation of AES-128 and SHA-256 circuits)

University of Lisbon / LaSIGE (Portugal) and Carnegie Mellon University (USA)

+ Ph.D. student, supported by the Portuguese Foundation for Science and Technology (FCT) through the Carnegie Mellon Portugal Program under Grant SFRH/BD/33770/2009.

Luís Brandão+

Crypto 2013 Rump Session(Santa Barbara, USA, August 20)

1

“Communication Complexity of the forge-and-lose technique” 2012-2013 Luís Brandão Crypto 2013 Rump Session – Santa Barbara, US, August 20, 2013

S2PC via cut-and-choose of garbled circuits

2


S2PC via cut-and-choose of garbled circuitsS2PC (ideal):

Alice BobTTPx y

C(x,y)

2



Usual C&C methods

GC1…GC2 GC123

Here are 123 garbled circuits OK, let me verify that 74 are OK, and then I’ll evaluatethe other 49Alice Bob

S2PC (ideal):Alice Bob

TTPx y

C(x,y)

2



The output is OK only ifmajority of evaluation

GCs is correct

Usual C&C methods

GC1…GC2 GC123



TTPx y

C(x,y)

2




GCs is correct

Prerror≈ 1.26 ⋅ 2–0.32 s

Usual C&C methods

GC1…GC2 GC123



TTPx y

C(x,y)

2




GCs is correct

Prerror≈ 1.26 ⋅ 2–0.32 s

Usual C&C methods

GC1…GC2 GC123


s ≡ # GCs


TTPx y

C(x,y)

2




GCs is correctExample: 123GCs for Prerror< 2–40

Prerror≈ 1.26 ⋅ 2–0.32 s

Usual C&C methods

GC1…GC2 GC123


s ≡ # GCs


TTPx y

C(x,y)

2





Prerror≈ 1.26 ⋅ 2–0.32 s

Usual C&C methods

Newoptimal(?) C&C methods in 2013

The output is OK if at least oneevaluation

GC is correct

GC1…GC2 GC123


s ≡ # GCs


TTPx y

C(x,y)

2





Prerror≈ 1.26 ⋅ 2–0.32 s

Usual C&C methods



GC is correct

C&C proportions(verify vs. evaluate)

Prerror# GCs:

Prerror≤2–40

Fixed ≈1.25 ⋅ 2–s+ (log2 s)/2 44

Variable 2–s 40

GC1…GC2 GC123


s ≡ # GCs


TTPx y

C(x,y)

2





Prerror≈ 1.26 ⋅ 2–0.32 s

Usual C&C methods



GC is correct

C&C proportions(verify vs. evaluate)

Prerror# GCs:

Prerror≤2–40

Fixed ≈1.25 ⋅ 2–s+ (log2 s)/2 44

Variable 2–s 40

GC1…GC2 GC123


s ≡ # GCs

Compare against 123


TTPx y

C(x,y)

2


Three new optimal(?) C&C methods

3


Three new optimal(?) C&C methods� [Lin13] – crypto 2013 (Wednesday)

3



� [HKE13] – crypto 2013 (Wednesday)

3



� [Bra13] – crypto 2013 rump session


3





3

(now)





wire key for bit 0

wire key for bit 1

GC2output wire i

GC1output wire i

3

(now)

Forge-and-lose technique





Correct?

wire key for bit 0

wire key for bit 1

GC2output wire i

GC1output wire i

FORGED?

3

(now)

Bob






Correct?

wire key for bit 0

wire key for bit 1

GC2output wire i

GC1output wire i

FORGED?

Encodingof 1

Encodingof 0

connect

connect

(group elements)

3

(now)

Bob






Correct?

wire key for bit 0

wire key for bit 1

GC2output wire i

GC1output wire i

FORGED? (decommitmentsof same BitCom)

Encodingof 1

Encodingof 0

connect

connect

(group elements)

3

(now)

Bob






Trapdoor(Decryption key)

Correct?

wire key for bit 0

wire key for bit 1

GC2output wire i

GC1output wire i


Encodingof 1

Encodingof 0

connect

connect

(group elements)

3

(now)

Bob







Encrypted input of Alice

Correct?

wire key for bit 0

wire key for bit 1

GC2output wire i

GC1output wire i


(early in protocol)

Encodingof 1

Encodingof 0

connect

connect

(group elements)

3

(now)

Bob






Alice’sinput



Correct?

wire key for bit 0

wire key for bit 1

GC2output wire i

GC1output wire i

FORGED?

LOSES privacy

(decommitmentsof same BitCom)

(early in protocol)

Encodingof 1

Encodingof 0

connect

connect

(group elements)

3

(now)

Bob


Alice





Alice’sinput

Outputof Bob



Correct?

EvaluateBoolean circuit

wire key for bit 0

wire key for bit 1

GC2output wire i

GC1output wire i

Bob’sinput

FORGED?

LOSES privacy


(early in protocol)

Encodingof 1

Encodingof 0

connect

connect

(group elements)

3

(now)

Bob


Alice





(and Asiacrypt 2013)

Alice’sinput

Outputof Bob



Correct?

EvaluateBoolean circuit

wire key for bit 0

wire key for bit 1

GC2output wire i

GC1output wire i

Bob’sinput

FORGED?

LOSES privacy


(early in protocol)

Encodingof 1

Encodingof 0

connect

connect

(group elements)

3

(now)

Bob


Alice


Benchmarking communication in F&L

4



4

• Crypto security: 128 bits → 3,072-bit Blum integers [NIST-SP800-57]

• Statistical security: 40 bits (Prerror≤ 2–40)

• Garbled gates: 384 bits• Symmetric commitments: 256 / 384 bits



4

AES-128

|C∧| [Bri13] 6,800

lA=lB=l’ B 128

(lA+lB+l’ B)/|C∧| 5.6%

s (# GCs) 41 123

Max # evaluation GCs

20 8

RSC@GCs no yes

GCs (Mb) 107 21

Total (Mb) 161 55

Overhead from non-GCs (%)

50% 163%





SHA-256

90,825

256

0.85%

41 123

20 8

no yes

1430 279

1545 345

8% 24%


4

AES-128

|C∧| [Bri13] 6,800

lA=lB=l’ B 128

(lA+lB+l’ B)/|C∧| 5.6%

s (# GCs) 41 123


20 8

RSC@GCs no yes

GCs (Mb) 107 21

Total (Mb) 161 55


50% 163%





SHA-256

90,825

256

0.85%

41 123

20 8

no yes

1430 279

1545 345

8% 24%


4

AES-128

|C∧| [Bri13] 6,800

lA=lB=l’ B 128

(lA+lB+l’ B)/|C∧| 5.6%

s (# GCs) 41 123


20 8

RSC@GCs no yes

GCs (Mb) 107 21

Total (Mb) 161 55


50% 163%




Some aspects

• Intractability : Quadratic Residuosity

• #(exps): O(l)

• Oblivious Transfers: 2-out-of-1 OT

• Proof security: Ideal/real simulation

(with rewinding)

• BitComs input+output:

XOR-homomorphic ⇒

Efficient linkage of S2PCs


SHA-256

90,825

256

0.85%

41 123

20 8

no yes

1430 279

1545 345

8% 24%


4

AES-128

|C∧| [Bri13] 6,800

lA=lB=l’ B 128

(lA+lB+l’ B)/|C∧| 5.6%

s (# GCs) 41 123


20 8

RSC@GCs no yes

GCs (Mb) 107 21

Total (Mb) 161 55


50% 163%




Some aspects

• Intractability : Quadratic Residuosity

• #(exps): O(l)

• Oblivious Transfers: 2-out-of-1 OT

• Proof security: Ideal/real simulation

(with rewinding)

• BitComs input+output:

XOR-homomorphic ⇒

Efficient linkage of S2PCs

(Further optimizations on the way)


Thanks

5

cut-and-chosewith

forge-and-lose!

lbrandao @ {fc.ul.pt, cmu.edu}

Communication complexity of the forge-and-lose...

Documents

Transcript of Communication complexity of the forge-and-lose...