Amortizing Garbled Circuits
Yan Huang, Jonathan Katz, Alex Malozemoff (UMD), Vlad Kolesnikov (Bell Labs), Ranjit Kumaresan (Technion)

Cut-and-Choose Yao-Based Secure Computation in the Offline/Online and Batch Settings
Yehuda Lindell (BIU), Ben Riva (TAU)
Secure Two-Party Computation
• Two parties with private inputs x and y
• Compute joint function of their inputs while preserving
  – Privacy
  – Correctness
  – Input independence
[Figure: the two parties hold inputs x and y; each obtains f(x,y)]
Adversaries and Security
• Semi-honest: follow protocol specification but attempt to learn more than allowed
  – Highly efficient; weak guarantees
• Malicious: run any arbitrary attack strategy
  – Much more expensive
Yao’s Protocol (Semi-honest)
[Figure labels: GC; Alice input keys; OT: Bob input keys, input bits, Bob keys]
Security for Malicious Case
• Main Issue: Malicious Alice constructs incorrect circuit
  – Violates correctness
  – Violates privacy
• Can prevent using generic ZK --- but this is inefficient
• More practical solution --- cut & choose
  – Introduces new problems (relatively “minor” issues)
    • Need to ensure input consistency across copies
    • Need to prevent selective failure attacks
Cut & Choose Paradigm […,Pin03,MNPS04,MF06,LP07,…]
[Figure: all copies of garbled circuits are split into a Check Set and an Evaluation Set; labels: Checks, Post-processing]
Cost of Cut & Choose
• Main question: How many circuits are needed?
  – 99.999% of the cost is due to garbled circuits
• E.g.: for stat. error at most 2^-40, #circuits required:
  – 680 [LP07]
  – 128 [LP11]
  – 125 [sS11]
  – 48 [HKE13]
  – 40 [Lin13]
Cost of Cut-and-Choose
• Our motivating question:
Can we reduce further the cost of cut & choose, i.e., the number of circuits required?
• Our approach:
Explore the possibility of amortizing the cost of cut & choose in a setting where parties need to perform multiple secure function evaluations
Rest of the Talk
• Multiple executions
• Cut & choose for multiple executions
  – Analysis
• Multistage cut & choose OT
Multiple Executions
• Setting:
  – Alice and Bob execute the same function multiple times
    • Parallel
    • Sequential
• Motivation:
  – Amortize the cost of cut & choose
  – Relevant in practice
  – RAM model 2PC
Cut & Choose – Multiple Executions
[Figure: all copies of garbled circuits; Check Set; Evaluation Sets; Post-processing (shown four times)]
Cut & Choose for Multiple Executions
• Inspired by LEGO [NO09,NNOB12,FJNNO13]
  – LEGO performs cut & choose at the gate level
    • Alice creates many copies of NAND gates
    • Bob opens half the copies to check & distributes remaining half randomly into “buckets” (each bucket emulates a NAND gate)
    • Each NAND bucket output determined by majority
• Makes use of cheating punishment technique [Lin13]
  – Post-processing step uses 2PC but on a much smaller circuit
  – Fail only if for some evaluation set, all circuits in it are bad
    • No need to take majority
    • Leads to better concrete efficiency
“Multistage Cut & Choose”
Multistage Cut & Choose - Analysis [HKKKM14]
Maximum cheating probability
Asymptotically for stat. security parameter s:
Concrete values for stat. security parameter s = 40 :
• More general parameters and analysis
  – E.g.: Better efficiency by varying fraction of circuits checked
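A way to put numbers on the multistage analysis, as an added example that is not from the talk or from [HKKKM14]/[LR14]. It assumes a simplified model: Bob checks a fixed set of c circuits and splits the other t·B uniformly into t evaluation sets of size B, and Alice wins only if no bad circuit is checked and some evaluation set is entirely bad. The function names are hypothetical, and the resulting counts need not match the figures quoted in the talk.

```python
from fractions import Fraction
from math import comb

def cheat_prob(t, B, c, b):
    """Exact chance that b bad circuits win: none falls in the check set of
    size c, and at least one of the t evaluation sets (size B) is all bad."""
    n_eval = t * B
    if b < B or b > n_eval:
        return Fraction(0)          # no full bad set, or a bad circuit is checked
    total = n_eval + c
    # Bob's uniformly random check set must miss every bad circuit.
    survive = Fraction(comb(total - b, c), comb(total, c))
    # Inclusion-exclusion over j evaluation sets that are entirely bad.
    hit = Fraction(0)
    for j in range(1, b // B + 1):
        term = Fraction(comb(t, j) * comb(n_eval - j * B, b - j * B),
                        comb(n_eval, b))
        hit += term if j % 2 else -term
    return survive * hit

def max_cheat_prob(t, B, c):
    """Best strategy for Alice: maximise over the number of bad circuits."""
    return max(cheat_prob(t, B, c, b) for b in range(B, t * B + 1))

def min_bucket_size(t, s):
    """Smallest B with cheating probability <= 2^-s when half are checked
    (assumed check fraction: c = t*B)."""
    bound = Fraction(1, 2 ** s)
    B = 1
    while max_cheat_prob(t, B, t * B) > bound:
        B += 1
    return B

if __name__ == "__main__":
    for t in (1, 8, 32):
        B = min_bucket_size(t, 40)
        print(f"t={t:3d}: {B} evaluated + {B} checked circuits per execution")
```

Passing a different c to max_cheat_prob shows the effect of varying the fraction of circuits checked.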
[LR14] Multistage Cut & Choose - Analysis
• Amortization applied to cheating-punishment circuit
  – E.g.: even for t = 32, only 52 circuits are required here
  – Amortization also results in fewer overall exponentiations
• Cut & choose protocols can be preprocessed
  – Execute check step offline
• Tradeoffs between total #circuits & #circuits evaluated online
• Use additive sharing to improve online efficiency of
  – Cut & choose OT
  – Input consistency checks
• Idea:
  – Preprocess using random share in offline phase
  – Send correction in the clear during online phase
• All exponentiations can be pushed to the offline phase
[LR14] Offline/Online Setting
Rest of the Talk
• Multiple executions
• Cut & choose for multiple executions
  – Analysis
• Multistage cut & choose OT
Selective Failure Attacks
• Recall: Bob obtains his keys via OT
• Selective failure attack:
  – Corrupt Alice uses valid 0-key and invalid 1-key as OT inputs
  – If Bob’s input is 0, then evaluation succeeds
  – If Bob’s input is 1, then evaluation fails
• Techniques to avoid selective failure
  – XOR-tree encodings [FKN94,LP07,…]
  – Cut & choose OT [LP11,Lin13]
• [HKKKM14,LR14] adapt cut & choose OT to multiple executions setting
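Why an XOR encoding blunts the selective failure described above, as an added example that is not from the talk: it assumes the simplest form of such an encoding, where Bob replaces his input bit by s random bits whose XOR equals it and runs one OT per encoded bit. The function names are hypothetical; the code enumerates every encoding and compares the abort probability for input 0 and input 1.

```python
from fractions import Fraction
from itertools import product

def encodings(x, s):
    """All s-bit strings whose XOR equals Bob's real input bit x."""
    return [e for e in product((0, 1), repeat=s) if sum(e) % 2 == x]

def abort_prob(x, s, corrupted):
    """Chance that evaluation fails when Alice gave an invalid 1-key on the
    wire positions in `corrupted` and Bob uses a uniform encoding of x."""
    encs = encodings(x, s)
    fails = sum(1 for e in encs if any(e[i] for i in corrupted))
    return Fraction(fails, len(encs))

def leak(s, corrupted):
    """Gap in abort probability between x=0 and x=1; 0 means nothing leaks."""
    return abs(abort_prob(0, s, corrupted) - abort_prob(1, s, corrupted))

if __name__ == "__main__":
    # s = 1 is the unencoded case: the abort reveals Bob's bit outright.
    print("no encoding, 1 wire corrupted :", leak(1, [0]))
    # Fewer than s corrupted wires: abort is independent of Bob's bit.
    print("s=8, 3 wires corrupted        :", leak(8, [0, 1, 2]))
    # All s wires corrupted: the gap shrinks to 2^-(s-1).
    print("s=8, all 8 wires corrupted    :", leak(8, range(8)))
```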
Cut & Choose Oblivious Transfer [LP11,Lin13]
[Figure: input keys and check values for each copy (Check value, 1st input, 2nd input); labels: Check set, Evaluation set, Both inputs, One input & check value]
Multistage Cut & Choose OT [HKKKM14]
[Figure: input keys and check values for each copy (Check value, 1st input, 2nd input); labels: Check set, Eval set 1, Eval set 2, Eval set 3, . . ., Both inputs, One input & check value]
Multistage Cut & Choose OT [HKKKM14]
• Useful in multiple parallel execution setting
  – Otherwise, need to rely on adaptively secure garbling
• Show information theoretic reduction to [Lin13]’s modified batch single-choice cut & choose OT
  – t-out-of-t additive sharing of input keys and check values
  – Use ith set of shares as input to ith instance of modified batch single-choice cut & choose OT
  – Slightly more complicated to get full sender extraction
• Communication cost of the reduction is quadratic in t
  – Cost linear in t if we allow relaxed definitions (that are sufficient for 2PC applications) [KK14]
Summary
• Malicious 2PC cost dominated by cost of cut & choose
• Multiple executions allows amortizing cut & choose cost
  – For 40 bits of statistical security need:
    • Only 8 circuits/execution for 3500 executions [HKKKM14]
    • Only 7.06 circuits/execution for 1024 executions [LR14]