Efficient Secure Two-Party Computationorlandi/indocrypt/indocrypt_orlandi_tutorial.pdf · •...
Transcript of Efficient Secure Two-Party Computationorlandi/indocrypt/indocrypt_orlandi_tutorial.pdf · •...
INDOCRYPT2016Tutorial
ClaudioOrlandi,AarhusUniversity
EfficientSecureTwo-PartyComputation
Planforthenext 3hours…• Part1:SecureComputation withaTrusted Dealer
– Warmup:One-TimeTruth Tables– Evaluating CircuitswithBeaver’s trick– MAC-then-Compute forActiveSecurity
• Part2:Oblivious Transfer– OT:DefinitionsandApplications– PassiveSecureOTExtension– OTProtocolsfromDDH(Naor-Pinkas/PVW)
• Part3:Garbled Circuits– GC:DefinitionsandApplications– Garbling gate-by-gate:Basicandoptimizations– Activesecurity 101:simple-cut-andchoose,dual-execution
Want more?
• Cryptographic Computing– Foundations– http://orlandi.dk/crycom– Programming&Theory Exercises–Willbe happy toanswer questions bymail!
OnlinePoker
4
2♠, 5♠ ,2♥,5♥,J♦
Q♠,Q♣,7♣,3♥,2♦
10♠,9♣,8♣,7♦,6♦
3♠, 4♠,7♥,Q♦,10♦
PokerwithPirates
5
2♠, 5♠ ,2♥,5♥,J♦
Q♠,Q♣,7♣,3♥,2♦,
10♠,9♣,8♣,7♦,6♦
A♠,A♣,A♥,A♦,K♦
SecureComputation
6Q♠,Q♣,7♣,3♥,2♦,
2♠, 5♠ ,2♥,5♥,J♦
3♠, 4♠,7♥,Q♦,10♦
10♠,9♣,8♣,7♦,6♦
HospitalsandInsurances
7
¨ Problem: Sick people forget to claim their insurance money
¨ Solution: Insurances and hospitals could periodically compare their data to find and help these people
¨ Privacy Issue: insurance and medical records are sensitive data! No other information than what is strictly necessary must be disclosed!
MPCGoesLive(2008)Bogetoft etal.“MultipartyComputationGoesLive”• January2008• Problem:determinemarketprice
ofsugarbeetscontracts• 1200farmers• Computation:30minutes• WeaksecurityL– Passiveadversary– Honestmajority
8
Sharemind
• Benchmarking– ICTCompanies,– Publicsector
• Satellitecollisions• …
9
MPCinPRACTICE• Partisia:Secureauctions• DyadicSecurity:Serverbreachmitigation• Sharemind:Benchmarking,satellite collision• SAP:Privatesmart-metering• IBM:Securecloud computing• Google?:(lookinf forwardtorwc2017)
10
SecureComputation
• Privacy• Correctness• Inputindependence• …
11
8dx2rru3d0fW2TS
muv6tbWg32flqIo
s1e4xq13OtTzoJc
f(x,y)
x y
z
f(x,y)
x y
What kindofSecure Computation?• Dishonest majority
– Theadversary can corrupt upton-1participants(n=2).
• Static Corruptions– Theadversary chooses which partyiscorrupted before theprotocol
starts.
• Passive&ActiveCorruptions– Adversary follows theprotocol vs.
(aka semi-honest,honest-but-curious)– Adversary can behave arbitrarily
(akamalicious,byzantine)
• Noguarantees offairness ortermination– Securitywithabort
x y
z
13
(𝑟#, 𝑟%) ← 𝐷
rA rB
x y
f(x,y)
TrustedDe
aler
TrustedParty
rA rB
OnlinePh
ase
Prep
rocessing
• Independentofx,y• Tipically only depends
onsize off• Uses publickey crypto
technology (slower)
• Uses only informationtheoretic tools(order ofmagn.faster)
14
rA rB
x y
f(x,y)
Part1:SecureComputation withaTrusted Dealer
• Warmup:One-TimeTruth Tables
• Evaluating CircuitswithBeaver’s trick
• MAC-then-Compute forActiveSecurity
“Thesimplest2PCprotocolever”
16
(𝑟#, 𝑟%) ← 𝐷
rA rB
x y
f(x,y)
“Thesimplest2PCprotocolever”OTTT(Preprocessingphase)
1)WritethetruthtableofthefunctionFyouwanttocompute
0 1 2 3
0 3 2 2 2
1 3 0 0 4
2 1 0 0 4
3 1 1 4 4
y
x
17
“Thesimplest2PCprotocolever”OTTT(Preprocessingphase)
2)Pickrandom(r,s),rotaterowsandcolumns
0 1 2 3
0 1 4 4 1
1 2 2 2 3
2 0 0 4 3
3 0 0 4 1
s=3
r=1
18
“Thesimplest2PCprotocolever”OTTT(Preprocessingphase)
3)Secretsharethetruthtablei.e.,
Pickatrandom,andlet
1 4 4 12 2 2 30 0 4 30 0 4 1
= -
T1
T1T219
“Thesimplest2PCprotocolever”OTTT(Onlinephase)
u = x + r
v = y + s
, r T2 , s
T2[u,v]
output f(x,y) = T1[u,v] + T2[u,v]
“Privacy”:inputsmaskedw/uniform
randomvalues
20
Correctness:byconstruction
T1
Whataboutactivesecurity?
u = x + r
v = y + s + e1
, r T2 , s
T2[u,v] + e2
21
T1
Isthis cheating?
• v = y + s + e1 = (y+e1) + s = y’ + s – Input substitution, not really cheating a
(see formal definition)
• M2[u,v] + e2– Changes output to z’ = f(x,y) + e2– Example: f(x,y)=1 iff x=y (e.g. pwd check)– e2=1 the output is 1 whp (login without pwd!)• Clearly breach of security!
ForceBobtosendtherightvalue• Problem: Bobcansendthewrongshares• Solution: useMACs
– e.g.m=ax+b with(a,b)ß F
(m,x)
(x’,m’)
(a,b)
Abort if m’≠ax’+b
m=ax+b
OTTT+MAC
u = x + r
v = y + s
T1 , r T2 , s
M[u,v]
If (M[u,v]=A[u,v]*T2[u,v]+B[u,v])output f(x,y) = T1[u,v] + T2[u,v]
else abort
24
MA B
Statisticalsecurityvs.maliciousBobw.p.1-1/|F|
T2[u,v],
“Thesimplest2PCprotocolever”OTTT
• OptimalcommunicationcomplexityJ
• StorageexponentialininputsizeL
èRepresentfunctionusingcircuitinsteadof truthtable!
25
Part1:SecureComputation withaTrusted Dealer
• Warmup:One-TimeTruth Tables
• Evaluating CircuitswithBeaver’s trick
• MAC-then-Compute forActiveSecurity
Circuitbased computation
27
x5 y5x4 y4
x3 y3x2 y2
x1 y1
z
Invariant
• Foreachwirex inthecircuitwehave– [x]:=(xA,xB)//read“xinabox”–WhereAliceholdsxA– BobholdsxB– SuchthatxA+xB=x
• Notationoverload:– xisbothther-value andthel-valueofx– usen(x)fornameofxandv(x)forvalueofxwhenindoubt.– Then[n(x)]=(xA,xB)suchthatxA+xB=v(x)
CircuitEvaluation(Onlinephase)
1) [x]ß Input(A,x):– chooses random xB andsendittoBob– setxA=x+xB //symmetric forBob
Aliceonly sends arandom bit!“Clearly”secure
2)zß Open(A,[z])://zß Open([z])ifboth get output– BobsendszB– Aliceoutputsz=zA+zB //symmetric forBob
Aliceshould learn zanyway!“Clearly”secure
CircuitEvaluation(Onlinephase)
2)[z]ß Add([x],[y])//attheendz=x+y– Alicecomputes zA =xA +yA– Bobcomputes zB =xB + yB
– We write [z]=[x]+[y]
Nointeraction!“Clearly”secure
“forfree”:only alocal addition!
CircuitEvaluation(Onlinephase)
2a)[z]ßMul(a,[x])//attheendz=a*x– Alicecomputes zA =a*xA– Bobcomputes zB =a*xB
2c)[z]ß Add(a,[x])//attheendz=a+x– Alicecomputes zA =a+xA– Bobcomputes zB =xB
CircuitEvaluation(Onlinephase)
3)Multiplication?Howtocompute [z]=[xy]?
Alice,BobshouldcomputezA + zB =(xA+xB)(yA+yB)
=xAyA +xByA +xAyB +xByB
Alicecancomputethis Bobcancomputethis
Howdowecomputethis?
CircuitEvaluation(Onlinephase)
3)[z]ßMul([x],[y]):1. Get [a],[b],[c] withc=abfromtrusted dealer
2. e=Open([a]+[x])3. d=Open([b]+[y])
4. Compute[z]=[c]+e[y]+d[x]- edab+(ay+xy)+(bx+xy)- (ab+ay+bx+xy)
Isthissecure?e,d are“one-time-pad”encryptions
ofxandyusingaandb
Part1:SecureComputation withaTrusted Dealer
• Warmup:One-TimeTruth Tables
• Evaluating CircuitswithBeaver’s trick
• MAC-then-Compute forActiveSecurity
SecureComputation
35
[x5] [y5][x4] [y4]
[x3] [y3][x2] [y2]
[x1] [y1]
z
+e
w
*
[w]
[w+e]
ActiveSecurity?
• “Privacy?”– evenamaliciousBobdoesnotlearnanythingJ
• “Correctness?”– acorruptedBobcanchangehisshareduringany“Open”(bothfinalresultorduringmultiplication)leadingthefinaloutputtobeincorrectL
Problem2)zß Open(A,[z]):– BobsendszB +e– Aliceoutputsz=zA+zB +e //error change output
distributioninway thatcannot be simulated byinputsubstition
Solution:add MACs2)zß Open(A,[z]):– BobsendszB,mB
– Aliceoutputs• z=zA+zB if mB =zB ∆A+ kA• “abort”otherwise
• Solution: Enhancerepresentation[x]– [x]=((xA,kA,mA) ,(xB,kB,mB) )s.t.– mB =xB ∆A+kA(symmetricformA)– ∆A,∆B isthesameforallwires.
Linearrepresentation
• Given– [x]=((xA,kAx,mAx),(yB,kBx,mBx))– [y]=((yA,kAy,mAy),(yB,kBy,mBy))– Compute[z]=((zA=xA+yA , kAz=kAx+kAy , mAz=mAx+mAy ),(zB=xB+yB , kBz=kBx+kBy , mBz=mBx+mBy ),)
• And[z]isintherightformatsince…mBz =(mBz+mBy)=(kAx +xB∆A)+(kAy +yB∆A)
=(kAx +kAy)+(xB+yB)∆A =kAz +zB∆A
Recap
1. OutputGates:– ExchangesharesandMACs– AbortifMACdoesnotverify
2. InputGates:– Get arandom [r]fromtrusted dealer– rß Open(A,[r])– Alicesends Bobd=x-r,– Compute [x]=[r]+d
Allowssimulatortoextractx*=r+d*
Recap
1. AdditionGates:– Uselinearityofrepresentationtocompute
[z]=[x]+[y]2. Multiplicationgates:– Getarandomtriple[a][b][c]withc=abfromTD.– eßOpen([a]+[x]),dß Open([b]+[y])– Compute[z]=[c]+a[y]+b[x]- ed
Finalremarks
• SizeofMACs
• LazyMACchecks
Size ofMACs
1. Eachpartymuststoreamac/keypairforeachotherparty– quadraticcomplexity!L– SPDZforlinearcomplexity.
2. MACisonlyashardasguessingkey!kMACsinparallelgivesecurity1/|F|k– InTinyOT F=Z2,thenMACs/Keysarek-bitstrings– MiniMACs forconstantoverhead
Lazy MACCheck
44
[x5] [y5][x4] [y4]
[x3] [y3][x2] [y2]
[x1] [y1]
z
+e
*
[w+e]
Recap ofPart1
• Two protocols “inthetrusted dealermodel”– OneTime-Truth Table• Storage exp(inputsize)L• Communication O(inputsize)J• 1roundJ
– (SPDZ)/BeDOZa/TinyOT onlinephase• Storage linear #number ofANDgates• Communication linear#number ofANDgates• #rounds =depth ofthecircuit
– …andadd enoughMACs toget active security
45
RecapofPart1
• Todosecurecomputationisenoughtoprecomputeenoughrandommultiplications!
• Ifnosemi-trustedpartyisavailable,wecanusecryptographicassumption(next)
46
OTb m0,m1
mb
Planforthenext 3hours…• Part1:SecureComputation withaTrusted Dealer
– Warmup:One-TimeTruth Tables– Evaluating CircuitswithBeaver’s trick– MAC-then-Compute forActiveSecurity
• Part2:Oblivious Transfer– OT:DefinitionsandApplications– PassiveSecureOTExtension– OTProtocolsfromDDH(Naor-Pinkas/PVW)
• Part3:Garbled Circuits– GC:DefinitionsandApplications– Garbling gate-by-gate:Basicandoptimizations– Activesecurity 101:simple-cut-andchoose,dual-execution
CircuitEvaluation(Onlinephase)
3)Multiplication?Howtocompute [z]=[xy]?
Alice,BobshouldcomputezA + zB =(xA+xB)(yA+yB)
=xAyA +xByA +xAyB +xByB
Alicecancomputethis Bobcancomputethis
Howdowecomputethis?
Part2:Oblivious Transfer
• OT:Definition,Applications(Gilboa’s protocol)
• OTProtocolsfromDDH(Naor-Pinkas/PVW)
• PassiveSecureOTExtension
1-2OT
1-2 OT
b
mb
m0,m1
Receiver Sender
• Receiver does not learn m1-b
• Sender does not learn b
1-2OT
1-2 OT
b
mb
m0,m1
Receiver Sender
• mb = (1-b) m0 + b m1
• mb = m0 + b (m1 - m0 )
1-nOT
1-n OT
i
mi
m1,…,mn
Receiver Sender
2PCvia1-nOT
1-n OT
x
f(x,y)
f(1,y),…,f(n,y)
Receiver Sender
Oblivious Transfer=
bitmultiplicationReceiver Sender
1-2 OT
b
ab+c
(c,a+c)
GILBOA’S PROTOCOL
nOTs =Arith.Multiplication
1-2 OT
bi
di=a(2ibi)+ci
(ci,a2i+ci)
Receiver Senderb=(b0,b1,…,bn-1) a (nbitnumber)
c0+…+cn-1=c
d0+…+dn-1=a(b0+2b1+…+2n-1bn-1)+(c0+…+cn-1)=ab+c
Part2:Oblivious Transfer
• OTdefinition,applications (Gilboa’s protocol)
• OTProtocolsfromDDH(Naor-Pinkas/PVW)
• PassiveSecureOTExtension(IKNP03)
Receiver(b) Sender(m0,m1)
pkb ß G(sk)pk1-b ß Rand()
(pk0,pk1)
PassiveSecureOT
c0=E(pk0,m0), c1=E(pk1,m1)
mb = D(sk,cb)
Receiverprivacy:Realpk ≈ “random”pk
Senderprivacy:encryptionissecure
(Alicedoesnothavesk)
Receiver(b) Sender(m0,m1)
pkb ß G(sk)pk1-b ß Rand()
(pk0,pk1)
PassiveSecureOT
c0=E(pk0,m0), c1=E(pk1,m1)
mb = D(sk,cb)
pk0 ß G(sk0)pk1 ß G(sk1)
m0 ß D(sk0, c0)m1 ß D(sk1, c1)
Malicious
Receiver(b) Sender(m0,m1)
mpk ß f(crs,sk,b)mpk
ActiveSecureOT
c0=E(pk0,m0), c1=E(pk1,m1)
mb = D(sk,cb)
crs
(pk0,pk1)=G(mpk,crs)
Keys are correlated,Receivercannot learn
theskforboth
Receiver(b) Sender(m0,m1)
mpk = gskhb
mpk
Naor-Pinkas OT(alaChou-Orlandi)
c0=E(pk0,m0), c1=E(pk1,m1)
mb = D(sk,cb)
pk0=mpkpk1=mpk/h
EncryptionisElGamal
Frompk0=gsk0pk1=gsk1
h=pk0/pk1à
h=gsk0-sk1
crs = h (single group element)
Part2:Oblivious Transfer
• OTdefinition,applications (Gilboa’s protocol)
• OTProtocolsfromDDH(Naor-Pinkas/PVW)
• PassiveSecureOTExtension(IKNP03)
Efficiency
• Problem: OTrequirespublickeyprimitives,inherentlyefficient
More efficient Less efficient
OTP >> SKE >> PKE >> FHE >> Obfuscation
TheCryptoToolbox
64
Weaker assumption Stronger assumption
Efficiency
• Problem: OTrequirespublickeyprimitives,inherentlyefficient
• Solution: OTextension– Likehybridencryption!– Startwithfew(expensive)OTbasedonPKE– Getmany(inexpensive)OTusingonlySKE
WARMUP:USEFUL OTPROPERTIES
ShortOTà LongOTReceiver Sender
1-2 OTb
kb
k0,k1
(u0, u1)=(prg(k0)+m0, prg(k1)+m1)
mb=prg(kb)+ub
b
poly(k)-bitstrings
m0,m1
k-bitstrings
RandomOT=OT
ROTc,rcr0,r1
(x0, x1)=((r0 + m0), (r1 +m1))mb=rc +xb
b m0,m1
ifb=c
RandomOT=OT
ROTc,rcr0,r1
b m0,m1
(x0, x1)= (r0+d+ m0), (r1+d + m1))
d = b + c
Exercise:checkthatitworks!
mb=rc +xb
(R)OTissymmetricSender
bits
ROTs0,s1b,y=sb
c, z=rc r0,r1
c = s0 + s1
z = s0
Nocommunication!
r0 = yr1 = b + r0
Exercise:checkthatitworks
OTExtension
• OTpro(v/b)ablyrequirespublic-keyprimitivies
– OTextension≈hybridencryption
– Startfromk“real”OTs
– Turnthemintopoly(k)OTsusingonlyfewsymmetricprimitivesperOT
71
X0
X1bU
OTExtension,Pictorially
72
k1-2 ROTs
k
k k
n n=poly(k)
Remember:OTstretching
(see“ShortOTà LongOT”slideearlier)
Xb1,1
X0,1
X1,1b1
ConditionforOTextension
73
X1
X0
⊕
c…c
=
Problemforactivesecurity!
Remember:“RandomOTà OT”
XbU
OTExtension,Pictorially
74
k1-2
CROTsk
k
n n=poly(k)
“CorrelatedOTs”
c
X1⊕ b1˙cX1
b1
OTExtension,Pictorially
U
⊕
X
b
=
c
𝑏 ⊗ c -. = 𝑏- ⋅ c.
OTExtension,Turnyourhead!
U
⊕
X
=
X U
=⊕
b c
bc
XbU
OTExtension,Pictorially
77
k1-2
CROTsk
k
n n=poly(k)
c
X
bU
OTExtension,Pictorially
78
n1-2
CROTs
n
k
n
k
c
Breakthecorrelation!
79U
bbb
⊕
= H
b
Y0
U= H
Y1
V X= H
Breakingthecorrelation
• UsingacorrelationrobusthashfunctionHs.t.1. {a0,…,an,H(a0+ r),…,H(an+r)}//(ai’s,rrandom)2. {a0,…,an,b0,…,bn}//(ai’s,bi’s random)arecomputationallyindistinguishable
80
OTExtension,Pictorially
81
Vk
Y0
k
n
n=poly(k)c
n
1-2 ROTs
Y1
Yc1,1
Y0,1
Y1,1
c1
Recap0.Strech kOTs from k- topoly(k)=n-bitlong strings
1. Sendcorrectionforeachpairofmessagesxi0,xi1s.t.,xi0 ⊕ xi1 =c
2. Turnyourhead(S/Rswaproles)
3. Thebitsofc arethenewchoicebits
4. Breakthecorrelation:yj0=H(uj),yj1=H(uj⊕ b)
• Notsecureagainstactiveadversaries82
Recap ofPart2
• OT:building block for2PC– Requires PKEL– OTExtension(using only SKE)J– Canbe combined withprotocols frompart1for2PCwithout atrusted dealer (using computationalassumptions)J
– #rounds =depth ofthecircuitK
83
Mul. triples
OnlinePh
ase
Prep
rocessing
x y
f(x,y)
OTs
Part1
Comingupnext…
• OT+GarbledCircuitsà Constantround2PC!
…akalaymanfully-homomorphicencryption
84
8dx2rru3d0fW2muv6tbWg32flqIo
s1e4xq13OtTzoJc
f(x,y)
x y
20ux88TqkA4I
8dx2rru3d0fWS
f(x,y)
x y
20ux88TqkA4I
Planforthenext 3hours…• Part1:SecureComputation withaTrusted Dealer
– Warmup:One-TimeTruth Tables– Evaluating CircuitswithBeaver’s trick– MAC-then-Compute forActiveSecurity
• Part2:Oblivious Transfer– OT:DefinitionsandApplications– PassiveSecureOTExtension– OTProtocolsfromDDH(Naor-Pinkas/PVW)
• Part3:Garbled Circuits– GC:DefinitionsandApplications– Garbling gate-by-gate:Basicandoptimizations– Activesecurity 101:simple-cut-andchoose,dual-execution
Part3:Garbled Circuits
• GC:DefinitionsandApplications
• Garbling gate-by-gate:Basicandoptimizations
• Activesecurity 101:simple-cut-andchoose,dual-execution
Garbled Circuit
Cryptographic primitivethat allows toevaluate
encrypted functions
on
encrypted inputs
Garbled Circuits
EvDeGb
En
f
x
[F]
e
d
[X] [Z]
z
Correctifz=f(x)
Valuesinaboxare “garbled”
r
[F],[Y],d
x e[X]
([F],e,d)ßGb(f,r )[Y]ßEn(e,y)
[Z]ßEv([F],[X],[Y])
Alice(x) Bob(y)
z=De(d,[Z])
PassiveConstantRound2PC(Yao)
2PC(OT)
2PC(OT)[F],[Y],d
x e[X]
([F],e,d)ßGb(f,r )[Y]ßEn(e,y)
[Z]ßEv([F],[X],[Y])
Alice(x) Bob(y)
z=De(d,[Z])
PassiveConstantRound2PC(Yao)
Boblearnsnothingaboutx!
2PC(OT)[F],[Y],d
x e[X]
([F],e,d)ßGb(f,r )[Y]ßEn(e,y)
[Z]ßEv([F],[X],[Y])
Alice(x) Bob(y)
z=De(d,[Z])
PassiveConstantRound2PC(Yao)
HowmuchinformationisleakedbyGC?
Garbled Circuits:Privacy
EvDeGb
En
f
x
e [Z]
z
r[F]
d
[X]
ExistSims.t.([F],[X],d)
~Sim(f,f(x))
Orevenless/noinfoaboutf
Part3:Garbled Circuits
• DefinitionsandApplications
• Garbling gate-by-gate:Basicandoptimizations
• Activesecurity 101:simple-cut-andchoose,dual-execution
Garbling:Gate-by-gate
94
[x5] [y5][x4] [y4]
[x3] [y3][x2] [y2]
[x1] [y1]
z
+e
w
*
[w]
[w+e]
PROJECTIVE SCHEMES:CIRCUITBASED GARBLING/EVALUATIONS
GarblingaCircuit:([F],e,d)ß Gb(f)K10,K11 • Choose 2random keys Ki0,Ki1
foreach wireinthecircuit– Input,internal and,outputwires
• Foreach gategcompute– ggß Gb(g,L0,L1,R0,R1,K0,K1)
• Output– e=(Ki0,Ki1)forallinputwires– d=(Z0,Z1)– [F]=(ggi)forallgatesi
K20,K21…
Z0,Z1
L0,L1 R0,R1
K0,K1
EncodingandDecoding
[X] =En(e,x)• e={Ki0, Ki1}• x={x1,…,xn }• [X]={K1x1,…,Knxn}
z=De(d,[Z])• d={Z0,Z1}• [Z]={K}• z=– 0 ifK=Z0,– 1 ifK=Z1,– “abort” else
EvaluatingaGC:[Z]ß Ev([F],[X])K1
• Parse[X]={K1,…,Kn}• Parse [F]={ggi}
• Foreach gatei compute– Kß Ev(ggi,L,R)
• Output– Z
K2………
Z
L R
K
gg1
gg2
ggn
ggi
ggi ggi ggi ggi
ggi ggi
ggi
INDIVIDUALGATESGARBLING/EVALUATION
Notation
gg
L0,L1 R0,R1
Z0,Z1
• Agarbled gateisagadgetthat giventwo inputskeysgivesyou therightoutputkey(andnothing else)
• ggß Gb(g,L0,L1,R0,R1,Z0,Z1)• Zg(a,b) ß Ev(gg,La,Rb)
• //andnotZ1-g(a,b)
101
YaoGateGarbling(1)
L R K
0 0 1
0 1 1
1 0 1
1 1 0
L R
K
• NANDgate
102
YaoGateGarbling(2)
L R K
L0 R0 K1L0 R1 K1L1 R0 K1L1 R1 K0
L R
K
• Chooselabels(e.g.,128bitsstrings)foreveryvalueoneverywire
103
YaoGateGarbling(3)
CC1=H(L0,R0)⊕ K1
C2=H(L0,R1)⊕ K1
C3=H(L1,R0)⊕ K1
C4=H(L1,R1)⊕ K0
L R
K
• Encrypttheoutputkeywiththeinputkeys
104
YaoGateGarbling(4)
CC1=H(L0,R0)⊕ (K1,0k)
C2=H(L0,R1)⊕ (K1,0k)
C3=H(L1,R0)⊕ (K1,0k)
C4=H(L1,R1)⊕ (K0,0k)
L R
K
• Addredundancy(laterusedtocheckifdecryptionissuccessful)
105
YaoGateGarbling(5)
L R
K
• Permutetheorderoftheciphertexts (tohideinformationaboutinputs/outputs)
CC1=H(L0,R0)⊕ (K1,0k)
C2=H(L0,R1)⊕ (K1,0k)
C3=H(L1,R0)⊕ (K1,0k)
C4=H(L1,R1)⊕ (K0,0k)
C’1,C’2,C’3,C’4 =perm(C1,C2,C3,C4)
106
YaoGateEvaluation(1)
Eval(gg,La,Rb)//nota,b• Fori=1..4
– (K,t)=C’i ⊕ H(La,Rb)– Ift=0k outputK
gg(permuted)C1=H(L0,R0)⊕ (K1,0k)
C2=H(L0,R1)⊕ (K1,0k)
C3=H(L1,R0)⊕ (K1,0k)
C4=H(L1,R1)⊕ (K0,0k)• Outputiscorrect:– t=0k onlyforrightrow
• Evaluatorlearnsnothingelse:– Encryption+permutation
GARBLING OPTIMIZATIONS:POINT-AND-PERMUTE
Point-and-permute
• Problem:Evaluatorneedstotrytodecryptall4rows
• Solution:addpermutationbitstokeys
gg
(L0,p)(L1,!p)
(R0,q)(R1,!q)
ggß Gb(g,L0,L1,p,R0,R1,q,Z0,Z1,r)(Zg(a,b),r⊕g(a,b))ß Ev(gg,La,a⊕p,Rb,b⊕q)
(Z0,r)(Z1,!r)
109
Point-and-permuteGarbling(4)
C
C1=H(L0,R0)⊕ (Kg(0,0),r⊕ g(0,0) )
C2=H(L0,R1)⊕ (Kg(0,1),r⊕ g(0,1) )
C3=H(L1,R0)⊕ (Kg(1,0),r⊕ g(1,0) )
C4=H(L1,R1)⊕ (Kg(1,1),r⊕ g(1,1) )
L R
K
• Removeredundancy• Addrandompermutationbit
110
Point-and-permuteGarbling(5)
C
C1=H(Lp,Rq)⊕ (Kg(p,q),r⊕ g(p,q))
C2=H(Lp,R!q)⊕ (Kg(p,!q),r⊕ g(p,!q))
C3=H(L!p,Rq)⊕ (Kg(!p,q),r⊕ g(!p,q))
C4=H(L!p,R!q)⊕ (Kg(!p,!q),r⊕ g(!p,!q))
• Permuterowsusingp,q
111
Point-and-permuteEvaluation
Eval(gg,L,u,R,v)//nota,b• (K,r)=C’2u+v ⊕ H(L,R)
• Outputiscorrect:– (Checkpermutation)
• Privacy:– u=p⊕a,v=q⊕b– p,q are“onetimepads”fora,b
C
C1=H(Lp,Rq)⊕ (Kg(p,q),r⊕ g(p,q))
C2=H(Lp,R!q)⊕ (Kg(p,!q),r⊕ g(p,!q))
C3=H(L!p,Rq)⊕ (Kg(!p,q),r⊕ g(!p,q))
C4=H(L!p,R!q)⊕ (Kg(!p,!q),r⊕ g(!p,!q))
GARBLING OPTIMIZATIONS:SIMPLEGARBLED ROWREDUCTION
Point-and-permute
• Problem:eachggis4ciphertexts• Solution:defineoutputkeypseudorandomlyasfunctionsofinputkeys,reducecomm.complexity
gg
L0L1
R0R1
(gg, Z0,Z1)ß Gb(g,L0,L1,R0,R1)(Zg(a,b))ß Ev(gg,La,Rb)
Z0Z1
GarblingaCircuit:([F],e,d)ß Gb(f)K10,K11 • Choose 2random keys Ki0,Ki1
foreach wireinthecircuit– Inputwireonly!
• Foreach gategcompute– (gg,K0,K1)ß Gb(g,L0,L1,R0,R1)
• Output– e=(Ki0,Ki1)forallinputwires– d=(Z0,Z1)– [F]=(ggi)forallgatesi
K20,K21…
Z0,Z1
L0,L1 R0,R1
K0,K1
115
YaoGateGarbling(3)
CC1=H(L0,R0)⊕ K1
C2=H(L0,R1)⊕ K1
C3=H(L1,R0)⊕ K1
C4=H(L1,R1)⊕ K0
L R
K
• Encrypttheoutputkeywiththeinputkeys
116
GarbledRowReductionGarbling
CK1 =H(L0,R0) (C1=0k)
C2=H(L0,R1)⊕ K1
C3=H(L1,R0)⊕ K1
C4=H(L1,R1)⊕ K0
L R
K• Defineoutputkeysasfunctionofinputkeys– (compatiblewithp&p)– Canreduce2rows,but1iscompatiblewithFree-XOR
(comingup!)
GARBLING OPTIMIZATIONS:FREE XOR
Free-XOR
• Problem:inBeDOZa lineargatesareforfree.WhataboutGC?
• Solution:introducecorrelationbetweenkeys,makeXORcomputation“free”
gg
L0L1=L0⊕Δ
R0R1=R0⊕Δ
(gg,Z0)ß Gb(g,L0,R0,Δ)(Zg(a,b))ß Ev(gg,La,Rb)
Z0Z1=Z0⊕Δ
GarblingaCircuit:([F],e,d)ß Gb(f)K10 • Choose 1random key Ki0 for
each inputwireinthecircuit– AndglobaldifferenceΔ
• Foreach gategcompute– (gg,K0)ß Gb(g,L0,R0,Δ)
• Output– e=(Ki0,Ki1)forallinputwires– d=(Z0,Z1)– [F]=(ggi)forallgatesi
K20…
Z0,Z1
L0 R0
K0
Garblingnon-lineargates
• Likebefore,butrequires“circularsecurityassumption”– (CompatiblewithGRRandp&P)
• ExampleforANDgate– Evaluatorsees
L0,R0,K0,H(L0 ⊕ Δ, R0 ⊕ Δ)⊕ K0 ⊕ Δ
– AndshouldnotbeabletocomputeΔ !
Garbling/EvaluatingXORGates
gg
L0L1=L0⊕Δ
R0R1=R0⊕Δ
(gg,,Z0)ß Gb(g,L0,R0,Δ)(Zg(a,b))ß Ev(gg,La,Rb)
Z0Z1=Z0⊕Δ
Gb(XOR,L0,R0,Δ)• OutputZ0=L0⊕R0
• (ggisempty)
Ev(XOR,La,Rb,Δ)• OutputZa⊕b=La⊕Rb
La⊕Rb= L0⊕ aΔ ⊕ R0 ⊕ bΔ = Z0 ⊕ (a⊕b)Δ =Za⊕b
Part3:Garbled Circuits
• DefinitionsandApplications
• Garbling gate-by-gate:Basicandoptimizations
• Activesecurity 101:simple-cut-andchoose,dual-execution
ACTIVEATTACKSVSYAO
OT[F],[Y],d
x e[X]
([F],e,d)ßGb(f,r )[Y]ßEn(e,y)
[Z]ßEv([F],[X],[Y])
Alice Bob
z=De(d,[Z])
Yao´sprotocol
PassiveSecurityOnly1GC!
Constantround!Veryfast!
OT[F],[Y],d
x e[X]
([F],e,d)ßGb(f,r )[Y]ßEn(e,y)
Alice Bob
Active security of Yao
Cannotreallycheat!
OT[F],[Y],d
x e[X]
([F],e,d)ßGb(f,r )[Y]ßEn(e,y)
Alice Bob
ActivesecurityofYao(v2,Bobgets output)
Stillcan’tcheat,authenticity!
[Z*] z*=De(d,[Z*])
Garbled Circuits:Authenticy
EvDeGb
En
f
x
e [Z*]
z*
r[F]
d
[X]
ForallcorruptEvz*=f(x)orz*=abort
OT[F],[Y],d
x e[X]
([F],e,d)ßGb(f,r )[Y]ßEn(e,y)
[Z]ßEv([F],[X],[Y])
Alice(x) Bob(y)
z=De(d,[Z])
Active security of Yao
WhatifBiscorrupted?
OT[G],[Y],d
x e[X]
([G],e,d)ßGb(g,r )[Y]ßEn(e,y)
[Z]ßEv([G],[X],[Y])
Alice(x) Bob(y)
z=De(d,[Z])
Insecurity1(wrongf)
g!=fz!=f(x,y)
OT[G],[Y],d
x (K0,K1)[X]=Kx
([F],e,d)ßGb(f,r )[Y]ßEn(e,y)
[Z]ßEv([G],[X],[Y])
Alice(x) Bob(y)
z=De(d,[Z])
Insecurity2(selectivefailure)
OT[G],[Y],d
x (K0,K*)[X*]
([F],e,d)ßGb(f,r )[Y]ßEn(e,y)
[Z*]ßEv([G],[X*],[Y])
Alice(x) Bob(y)
z*=De(d,[Z*])
Insecurity2(selectivefailure)
x=0à z*=f(x,y)x=1à z*=abort
SIMPLETRICKSFORACTIVESECURITY
Cut-And-Choose
OT[F]1,[F]2,d1,d2
x e1,e2[X1],[X2] ([F]i,ei,di)ßGb(f,ri )
IfGb(f,r-j)!=[F]-jabort
else[Z]jßEv([F]j,[X]j,[Y]j)
Alice Bob
z=De(dj,[Z]j)
randjr-j,[Y]j
2PC,simplecut-and-choose
[Y]jßEn(ej,y)
OT[F]1,[F]2,d1,d2
x e1,e2[X1],[X2]
IfGb(f,r-j)!=[F]-jabort
else[Z]jßEv([F]j,[X]j,[Y]j)
Alice Bob
z=De(dj,[Z]j) CorruptBobonlywinswithprobability1/2
randjr-j,[Y]j
2PC,simplecut-and-choose
2PC,cut-and-choose
• Simplecut-and-choose– Garblek,checkk-1,evaluate1.– Security1-1/k
• “Realcut-and-choose”– UseO(k)circuits,getsecurity2-k
– Requires morecomplex techniques
DelegationviaGC
[F] ([F],e,d)ßGb(f,r )
[X]ßEn(e,x)
[Z]ßEv([F],[X])
Server Client(x)
z=De(d,[Z])
Application1:DelegationviaGC
[X]
[Z]
Preprocessing:Theclientworkisproportionalto|f|
Online:TheclientcanDelegatecomp.TheworkoftheclientIsindependentof|f|
[F] ([F],e,d)ßGb(f,r )
[X]ßEn(e,x)
Server Client(x)
z=De(d,[Z])
Application1:DelegationviaGC
[X]
[Z]
Preprocessing:Theclientworkisproportionalto|f|
Online:TheclientcanDelegatecomp.TheworkoftheclientIsindependentof|f|
Authenticity:ForallPPTA
[Z*]ß A([F],[X]),then
De([Z*],d)is
f(x)or“^”
Garbled Circuits:Authenticity
EvDeGb
En
f
x
e [Z*]
z*
r[F]
d
[X]
z*=f(x)OR
z*=abort
DualExecution
OT[F],[Y]
x e[X] ([F],e,d)ßGb(f,r )
[Y]ßEn(e,y)[Z]ßEv([F],[X],[Y])
Alice Bob
OT[F],[X]
e y[Y]([F],e,d)ßGb(f,r )
[X]ßEn(e,x)[Z]ßEv([F],[X],[Y])
De(d,[Z])==
De(d,[Z])
[Z],d [Z],d
z/abort z/abort
OT[F],[Y]
x e[X] ([F],e,d)ßGb(f,r )
[Y]ßEn(e,y)
Alice* Bob
OT[G],[X*]
e y[Y]
[Z*]ßEv([G],[X*],[Y])
Authenticityà
[Z] istherightoutput!
f(x,y)orabort
De(d,[Z*])==
De(d,[Z])
[Z],d [Z*],d
z/abort z/abort
OT[F],[Y]
x e[X] ([F],e,d)ßGb(f,r )
[Y]ßEn(e,y)
Alice* Bob
OT[G],[X]
e y[Y]
[Z*]ßEv([G],[X],[Y])
Selectivefailure
[Z*]=[Z]iff y=0è
1bitleakage
De(d,[Z*])==
De(d,[Z])
[Z],d [Z*],d
z/abort z/abort
Recap:Garbled Circuits
• Garbled circuits:allow toevaluate encryptedfunctions onencrypted inputs– Withpropertieslike privacy,authenticity,etc.
• Applications:constant-round 2PC• Different techniques forgarbling gates– Efficiency vs.Assumptions
• Activesecurity– Howtocheckthat therightfunction isgarbled?– Cut-and-choose andother tricks…
Want more?
• Cryptographic Computing– Foundations– http://orlandi.dk/crycom– Programming&Theory Exercises–Willbe happy toanswer questions bymail!