Technische Universität Darmstadt, System Security Lab
Advanced Topics in Secure Function Evaluation
Course Secure, Trusted and Trustworthy Computing, Part 1
System Security Lab, http://trust.cased.de, Technische Universität Darmstadt
Prof. Dr.-Ing. Ahmad-Reza Sadeghi, Dipl.-Inf. Thomas Schneider
January 21, 2011
Additively Homomorphic Encryption allows one to multiply a ciphertext $\mathrm{Enc}_{\mathrm{Add}}(m)$ with a plaintext constant $c > 0$ as
$$\mathrm{Enc}_{\mathrm{Add}}(c \cdot m) = \mathrm{Enc}_{\mathrm{Add}}(m)^c.$$
Similarly, Multiplicatively Homomorphic Encryption allows one to exponentiate a ciphertext $\mathrm{Enc}_{\mathrm{Mul}}(m)$ with a constant $c > 0$ as
$$\mathrm{Enc}_{\mathrm{Mul}}(m^c) = \mathrm{Enc}_{\mathrm{Mul}}(m)^c.$$
Both can be computed efficiently with the square-and-multiply algorithm, which requires on average $O(|c|)$ squarings and $O(|c|/2)$ multiplications on ciphertexts.
Recall the square-and-multiply algorithm.
However, purely additively / multiplicatively homomorphic encryption does not allow one to multiply / exponentiate two ciphertexts.
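As an added example (not from the slides), the scalar multiplication $\mathrm{Enc}_{\mathrm{Add}}(c \cdot m) = \mathrm{Enc}_{\mathrm{Add}}(m)^c$ carried out on a textbook Paillier ciphertext with left-to-right square-and-multiply, counting the squarings and multiplications the slide's bound refers to; the primes, messages and function names are constructed toy values of my own.

```python
# Added example, not from the slides: Enc(c*m) = Enc(m)^c on a textbook
# Paillier (additively homomorphic) ciphertext via square-and-multiply.
# Key sizes below are constructed toy values; never use them in practice.
from math import gcd
import secrets

def paillier_keygen(p, q):
    """Textbook Paillier with g = n + 1; p and q are distinct odd primes."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)        # lambda = lcm(p-1, q-1)
    mu = pow((pow(n + 1, lam, n * n) - 1) // n, -1, n)  # L(g^lambda)^-1 mod n
    return (n, n + 1), (lam, mu)

def encrypt(pk, m):
    """Enc(m) = g^m * r^n mod n^2 with random r coprime to n."""
    n, g = pk
    r = secrets.randbelow(n - 1) + 1
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pk, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def scalar_mult(pk, ct, c):
    """Enc(m)^c mod n^2 by left-to-right square-and-multiply.
    Returns (ciphertext, squarings, multiplications): |c| squarings and one
    multiplication per set bit of c, i.e. about |c|/2 on average."""
    n2 = pk[0] ** 2
    acc, squarings, mults = 1, 0, 0
    for bit in bin(c)[2:]:                     # scan c from its most significant bit
        acc, squarings = acc * acc % n2, squarings + 1
        if bit == "1":
            acc, mults = acc * ct % n2, mults + 1
    return acc, squarings, mults

def demo(m=42, c=0b1011, p=1000003, q=1000033):
    """Encrypt m, scale it by the plaintext constant c under encryption, decrypt."""
    pk, sk = paillier_keygen(p, q)
    ct, squarings, mults = scalar_mult(pk, encrypt(pk, m), c)
    return decrypt(pk, sk, ct), squarings, mults    # (462, 4, 3) for the defaults
```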
Sadeghi@TU Darmstadt, Schneider@RUB, 2010 Secure, Trusted and Trustworthy Computing, Part 1 Basics of Secure Computing 16 / 41
TASTY and compare different protocols against each other and with existing SFE implementations: multiplication circuits and protocols based on GC or HE (§5.1), SFE of an AES circuit generated by the Fairplay compiler (§5.2), and SFE of large GCs (§5.3).
System Setup. All performance measurements are performed on two desktop PCs with Intel Core 2 Duo CPU (E6850) running at 3.00 GHz and 4 GB RAM connected via Gigabit Ethernet. The system runs on 64 bit Gentoo Linux with Python version 2.6.5, gmpy version 1.11 and GMP version 4.3.2. Unless stated otherwise, all measurements were performed for short-term security (cf. Table 4) and using point compression for elliptic curves (cf. §4.3).
5.1 Multiplication Circuits and Protocols
As arithmetic circuits can express arbitrary computations as a sequence of additions and multiplications, multiplication is a fundamental basic operation. Indeed, the main difference between SFE protocols based on arithmetic and boolean circuits is the cost for multiplications. We present efficient multiplication circuits in §5.1.1 and compare the performance of secure multiplication protocols in §5.1.2.
5.1.1 Multiplication Circuits
Textbook Multiplication. The usual way of multiplying two unsigned $\ell$-bit integers $x$ and $y$, called "Textbook Method", multiplies $x$ with each bit of $y$ and adds up all the properly shifted results according to the formula
$$x \cdot y = \sum_{i=0}^{\ell-1} x\, y_i\, 2^i.$$
This results in a circuit with $2\ell^2 - \ell$ non-XOR 2-input gates [28].
Karatsuba Multiplication. As observed by Karatsuba [26], multiplication can be performed more efficiently using the following recursive method (details in Algorithm 1): $x$ and $y$ are split into two halves as $x = x_h 2^{\lceil \ell/2 \rceil} + x_l$ and $y = y_h 2^{\lceil \ell/2 \rceil} + y_l$. Then, the product can be computed as
$$xy = (x_h 2^{\lceil \ell/2 \rceil} + x_l)(y_h 2^{\lceil \ell/2 \rceil} + y_l) = z_h 2^{2\lceil \ell/2 \rceil} + z_d 2^{\lceil \ell/2 \rceil} + z_l.$$
After computing $z_h = x_h y_h$ and $z_l = x_l y_l$, $z_d$ can be computed with only one multiplication as $z_d = (x_h + x_l)(y_h + y_l) - z_h - z_l$. This process is continued recursively until the numbers are sufficiently small ($\ell = 19$ in our case as described below) and multiplied with the classical school method. Overall, multiplying two $\ell$-bit numbers with Karatsuba's method requires three multiplications of $\ell/2$-bit numbers and some additions and subtractions with linear bit complexity, resulting in costs
$$T_{\mathrm{Kara}}(\ell) = 3\, T_{\mathrm{Kara}}(\ell/2) + c\ell + d$$
for constants $c$ and $d$. The master theorem [8, §4.3f] yields asymptotic complexity $T_{\mathrm{Kara}}(\ell) \in O(\ell^{\log_2 3}) \approx O(\ell^{1.585})$.
Algorithm 1 Karatsuba multiplication
1: function karatsuba(x, y)    ▷ x, y are ℓ-bit integers
2: x_h || x_l ← x    ▷ x = x_h 2^{⌈ℓ/2⌉} + x_l
Circuit Complexity. In TASTY we have implemented both methods for multiplication based on efficient addition and subtraction circuits of [28]. As shown in Fig. 6 and Table 5, Karatsuba multiplication is more efficient, i.e., results in circuits with fewer non-XOR gates, than Textbook multiplication already for multiplication of 20 bit operands. By interpolating through the points for bitlength $\ell \in \{32, 64, 128\}$ and solving the resulting system of linear equations we obtain as approximation for the number of non-XOR gates
$$T_{\mathrm{Kara}}(\ell) \approx 9.0165\,\ell^{1.585} - 13.375\,\ell - 34.$$
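An added example, not TASTY's code: the recursion of Algorithm 1 on unsigned ℓ-bit integers (split at $2^{\lceil \ell/2 \rceil}$, school method at or below the 19-bit threshold the text names), with a counter for the base-case multiplications so the $3^k$ growth is visible, next to the paper's two non-XOR gate counts. The function and parameter names are my own.

```python
# Added example, not TASTY's code: Karatsuba multiplication of unsigned l-bit
# integers as in Algorithm 1 (split at 2^ceil(l/2), school method at <= 19 bits),
# plus the paper's non-XOR gate estimates for the two circuit families.
from math import ceil

THRESHOLD = 19  # operand size at which the paper switches to the school method

def karatsuba(x, y, bits, stats=None):
    """Return x*y for unsigned `bits`-bit x, y.
    If `stats` is a dict, count the school-method multiplications performed."""
    assert 0 <= x < (1 << bits) and 0 <= y < (1 << bits)
    if bits <= THRESHOLD:
        if stats is not None:
            stats["school_mults"] = stats.get("school_mults", 0) + 1
        return x * y                          # classical school method
    h = ceil(bits / 2)                        # split position 2^ceil(l/2)
    xh, xl = x >> h, x & ((1 << h) - 1)       # x = xh * 2^h + xl
    yh, yl = y >> h, y & ((1 << h) - 1)       # y = yh * 2^h + yl
    zh = karatsuba(xh, yh, bits - h, stats)   # xh, yh have bits-h <= h bits
    zl = karatsuba(xl, yl, h, stats)
    # one multiplication of (h+1)-bit sums replaces xh*yl + xl*yh
    zd = karatsuba(xh + xl, yh + yl, h + 1, stats) - zh - zl
    return (zh << (2 * h)) + (zd << h) + zl

def textbook_non_xor(bits):
    """Non-XOR 2-input gates of the textbook circuit: 2l^2 - l."""
    return 2 * bits ** 2 - bits

def karatsuba_non_xor(bits):
    """Non-XOR gate count from the paper's fit through l in {32, 64, 128}."""
    return 9.0165 * bits ** 1.585 - 13.375 * bits - 34
```

Because the fit was interpolated only through 32, 64 and 128 bits, `karatsuba_non_xor` should not be read as exact for operands near the 20-bit crossover.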
Figure 6: Size of Multiplication Circuits
Table 5: Size of Multiplication Circuits (in number
5.1.2 Multiplication Protocols
Using TASTY we compare the performance of different secure multiplication protocols based on homomorphic encryption (HE) and garbled circuits (GC). For this we constructed four basic test cases. For each SFE paradigm, we consider the case where both inputs are provided by one party (S for GC1 and C for HE1), or one by each of the parties (GC2 and HE2). The inputs are Unsigned $\ell$-bit values and the output, a $2\ell$-bit Unsigned value, is converted into a Plain output for C. In the following, we compare the communication and the computation complexity of the setup and online phase of the protocols.
Communication (cf. Fig. 7). Our experiments show that GC-based multiplication requires a substantial amount of setup communication (for transfer of GCs) whereas the online communication of GC is better than HE for multiplication of small values. The online communication for multiplying with HE is independent of the bitlength $\ell$ as a