Page 1
.
.
from circuits to RAM programsinmalicious-2PC
Abstract: Secure 2-party computation (2PC) is becoming practical insome domains. However, most approaches are limited by the factthat the desired functionality must be represented as a booleancircuit. In response, the random-access machine (RAM) model hasrecently been investigated as a promising alternative to circuits.
In this talk, I will discuss some pitfalls of basing malicious-secure 2PCon the RAMmodel rather than circuits. I will then describe two newprotocols for malicious-secure 2PC of RAM programs, whoseperformance relative to the semi-honest model matches the state ofthe art for circuit-based 2PC techniques. For malicious security withstatistical security parameter 2−s , our protocol withoutpreprocessing has overhead s compared to the semi-honest model;our protocol with preprocessing has overhead∼ 2s/ log T, whereT is the running time of the RAM program.
Arash Afshar @
Zhangxiang Hu @
Payman Mohassel @
Mike Rosulek @
.....................
Page 2
.
.
secure 2pc
....
x
.
y
.
f(x, y)
.
f(x, y)
.
.....................
Page 3
.
.
secure 2pc
....
x
.
y
.
f(x, y)
.
f(x, y)
.
.....................
Page 4
.
.
secure 2pc
....
x
.
y
.
f(x, y)
.
f(x, y)
.
.....................
Page 5
.
.
secure 2pc
..
.
.
x
.
y
.
f(x, y)
.
f(x, y)
.
.....................
Page 6
.
.
“to securely evaluate f,
first express f as a boolean circuit,
then ...”
AES S-box (need 208 of these)
AES stable marriage7
binary search7
size of circuit =Ω( size of inputs )
.....................
Page 7
.
.
“to securely evaluate f,
first express f as a boolean circuit,
then ...”
AES S-box (need 208 of these)
AES
stable marriage7
binary search7
size of circuit =Ω( size of inputs )
.....................
Page 8
.
.
“to securely evaluate f,
first express f as a boolean circuit,
then ...”
AES S-box (need 208 of these)
AES stable marriage7
binary search7
size of circuit =Ω( size of inputs )
.....................
Page 9
.
.
“to securely evaluate f,
first express f as a boolean circuit,
then ...”
AES S-box (need 208 of these)
AES stable marriage7
binary search7
size of circuit =Ω( size of inputs )
.....................
Page 10
.
.
whywe like (boolean) circuitsGarbled circuit technique [Yao86,BellareHoangRogaway12]
..
.
A0
.A1
.
B0
.
B1
.C0
.
C1
.
A0 : true
.A1 : false
.
B0 : false
.
B1 : true
.C0 : false
.
C1 : true
.
A0 : true
.A1 : false
.
B0 : false
.
B1 : true
.C0 : false
.
C1 : true
.
false false falsefalse true falsetrue false falsetrue true true.
A1 B0 C0A1 B1 C0A0 B0 C0A0 B1 C1.
EncA1,B0 (C0)EncA1,B1 (C0)EncA0,B0 (C0)EncA0,B1 (C1)
.
EncA1,B0 (C0)EncA1,B1 (C0)EncA0,B0 (C0)EncA0,B1 (C1)
.
pick two random labels for each wire
.
randomly associate labels with true/false
.
give “encrypted truth table” for each gate
Informal security proof:
Wire label leaks no information about logical value
Receiver only learns one label for each wire (induction)
.....................
Page 11
.
.
whywe like (boolean) circuitsGarbled circuit technique [Yao86,BellareHoangRogaway12]
...
A0
.A1
.
B0
.
B1
.C0
.
C1
.
A0 : true
.A1 : false
.
B0 : false
.
B1 : true
.C0 : false
.
C1 : true
.
A0 : true
.A1 : false
.
B0 : false
.
B1 : true
.C0 : false
.
C1 : true
.
false false falsefalse true falsetrue false falsetrue true true.
A1 B0 C0A1 B1 C0A0 B0 C0A0 B1 C1.
EncA1,B0 (C0)EncA1,B1 (C0)EncA0,B0 (C0)EncA0,B1 (C1)
.
EncA1,B0 (C0)EncA1,B1 (C0)EncA0,B0 (C0)EncA0,B1 (C1)
.
pick two random labels for each wire
.
randomly associate labels with true/false
.
give “encrypted truth table” for each gate
Informal security proof:
Wire label leaks no information about logical value
Receiver only learns one label for each wire (induction)
.....................
Page 12
.
.
whywe like (boolean) circuitsGarbled circuit technique [Yao86,BellareHoangRogaway12]
..
.
A0
.A1
.
B0
.
B1
.C0
.
C1
.
A0 : true
.A1 : false
.
B0 : false
.
B1 : true
.C0 : false
.
C1 : true
.
A0 : true
.A1 : false
.
B0 : false
.
B1 : true
.C0 : false
.
C1 : true
.
false false falsefalse true falsetrue false falsetrue true true.
A1 B0 C0A1 B1 C0A0 B0 C0A0 B1 C1.
EncA1,B0 (C0)EncA1,B1 (C0)EncA0,B0 (C0)EncA0,B1 (C1)
.
EncA1,B0 (C0)EncA1,B1 (C0)EncA0,B0 (C0)EncA0,B1 (C1)
.
pick two random labels for each wire
.
randomly associate labels with true/false
.
give “encrypted truth table” for each gate
Informal security proof:
Wire label leaks no information about logical value
Receiver only learns one label for each wire (induction)
.....................
Page 13
.
.
whywe like (boolean) circuitsGarbled circuit technique [Yao86,BellareHoangRogaway12]
..
.
A0
.A1
.
B0
.
B1
.C0
.
C1
.
A0 : true
.A1 : false
.
B0 : false
.
B1 : true
.C0 : false
.
C1 : true
.
A0 : true
.A1 : false
.
B0 : false
.
B1 : true
.C0 : false
.
C1 : true
.
false false falsefalse true falsetrue false falsetrue true true
.
A1 B0 C0A1 B1 C0A0 B0 C0A0 B1 C1.
EncA1,B0 (C0)EncA1,B1 (C0)EncA0,B0 (C0)EncA0,B1 (C1)
.
EncA1,B0 (C0)EncA1,B1 (C0)EncA0,B0 (C0)EncA0,B1 (C1)
.
pick two random labels for each wire
.
randomly associate labels with true/false
.
give “encrypted truth table” for each gate
Informal security proof:
Wire label leaks no information about logical value
Receiver only learns one label for each wire (induction)
.....................
Page 14
.
.
whywe like (boolean) circuitsGarbled circuit technique [Yao86,BellareHoangRogaway12]
..
.
A0
.A1
.
B0
.
B1
.C0
.
C1
.
A0 : true
.A1 : false
.
B0 : false
.
B1 : true
.C0 : false
.
C1 : true
.
A0 : true
.A1 : false
.
B0 : false
.
B1 : true
.C0 : false
.
C1 : true
.
false false falsefalse true falsetrue false falsetrue true true
.
A1 B0 C0A1 B1 C0A0 B0 C0A0 B1 C1
.
EncA1,B0 (C0)EncA1,B1 (C0)EncA0,B0 (C0)EncA0,B1 (C1)
.
EncA1,B0 (C0)EncA1,B1 (C0)EncA0,B0 (C0)EncA0,B1 (C1)
.
pick two random labels for each wire
.
randomly associate labels with true/false
.
give “encrypted truth table” for each gate
Informal security proof:
Wire label leaks no information about logical value
Receiver only learns one label for each wire (induction)
.....................
Page 15
.
.
whywe like (boolean) circuitsGarbled circuit technique [Yao86,BellareHoangRogaway12]
..
.
A0
.A1
.
B0
.
B1
.C0
.
C1
.
A0 : true
.A1 : false
.
B0 : false
.
B1 : true
.C0 : false
.
C1 : true
.
A0 : true
.A1 : false
.
B0 : false
.
B1 : true
.C0 : false
.
C1 : true
.
false false falsefalse true falsetrue false falsetrue true true.
A1 B0 C0A1 B1 C0A0 B0 C0A0 B1 C1
.
EncA1,B0 (C0)EncA1,B1 (C0)EncA0,B0 (C0)EncA0,B1 (C1)
.
EncA1,B0 (C0)EncA1,B1 (C0)EncA0,B0 (C0)EncA0,B1 (C1)
.
pick two random labels for each wire
.
randomly associate labels with true/false
.
give “encrypted truth table” for each gate
Informal security proof:
Wire label leaks no information about logical value
Receiver only learns one label for each wire (induction)
.....................
Page 16
.
.
whywe like (boolean) circuitsGarbled circuit technique [Yao86,BellareHoangRogaway12]
..
.
A0
.A1
.
B0
.
B1
.C0
.
C1
.
A0 : true
.A1 : false
.
B0 : false
.
B1 : true
.C0 : false
.
C1 : true
.
A0 : true
.A1 : false
.
B0 : false
.
B1 : true
.C0 : false
.
C1 : true
.
false false falsefalse true falsetrue false falsetrue true true.
A1 B0 C0A1 B1 C0A0 B0 C0A0 B1 C1.
EncA1,B0 (C0)EncA1,B1 (C0)EncA0,B0 (C0)EncA0,B1 (C1)
.
EncA1,B0 (C0)EncA1,B1 (C0)EncA0,B0 (C0)EncA0,B1 (C1)
.
pick two random labels for each wire
.
randomly associate labels with true/false
.
give “encrypted truth table” for each gate
Informal security proof:
Wire label leaks no information about logical value
Receiver only learns one label for each wire (induction)
.....................
Page 17
.
.
RAM programs
..cpu.
small internal state
.memory
.
read, addr1
.
data1
. read, addr2.data2
.
write, addr3 , data3
.
ok
Oblivious RAM (ORAM) = memory access pattern leaks nothing about
inputs/outputs/state [GoldreichOstrosvky96]
Can make any RAM program oblivious, polylog overhead in runtime &
memory [ShiChanStefanovLi11, .....]
Must still “touch” all of memory, in initialization phase
Our results only need “metadata-obliviousness” (R vs W, address)
.....................
Page 18
.
.
RAM programs
..cpu.
small internal state
.memory
.
read, addr1
.
data1
. read, addr2.data2
.
write, addr3 , data3
.
ok
Oblivious RAM (ORAM) = memory access pattern leaks nothing about
inputs/outputs/state [GoldreichOstrosvky96]
Can make any RAM program oblivious, polylog overhead in runtime &
memory [ShiChanStefanovLi11, .....]
Must still “touch” all of memory, in initialization phase
Our results only need “metadata-obliviousness” (R vs W, address)
.....................
Page 19
.
.
RAM programs
..cpu.
small internal state
.memory
.
read, addr1
.
data1
. read, addr2.data2
.
write, addr3 , data3
.
ok
Oblivious RAM (ORAM) = memory access pattern leaks nothing about
inputs/outputs/state [GoldreichOstrosvky96]
Can make any RAM program oblivious, polylog overhead in runtime &
memory [ShiChanStefanovLi11, .....]
Must still “touch” all of memory, in initialization phase
Our results only need “metadata-obliviousness” (R vs W, address)
.....................
Page 20
.
.
RAM programs
..cpu.
small internal state
.memory
.
read, addr1
.
data1
. read, addr2.data2
.
write, addr3 , data3
.
ok
Oblivious RAM (ORAM) = memory access pattern leaks nothing about
inputs/outputs/state [GoldreichOstrosvky96]
Can make any RAM program oblivious, polylog overhead in runtime &
memory [ShiChanStefanovLi11, .....]
Must still “touch” all of memory, in initialization phase
Our results only need “metadata-obliviousness” (R vs W, address)
.....................
Page 21
.
.
RAM programs
..cpu.
small internal state
.memory
.
read, addr1
.
data1
. read, addr2.data2
.
write, addr3 , data3
.
ok
Oblivious RAM (ORAM) = memory access pattern leaks nothing about
inputs/outputs/state [GoldreichOstrosvky96]
Can make any RAM program oblivious, polylog overhead in runtime &
memory [ShiChanStefanovLi11, .....]
Must still “touch” all of memory, in initialization phase
Our results only need “metadata-obliviousness” (R vs W, address)
.....................
Page 22
.
.
semi-honest RAM-2PC [GKKKMRV12]
..
Alice
.
Bob
.memory
.
stA
.
stB
.
⊕.
cpu
.
stA
.
stB
.
data in
.
memory[addr]
.
not used
.
st′
.
st′A
.
st′B
.
memory access
.
read, addr
.
write, addr, data
.
memory[addr] := data
.
initialize memory; secret share initial CPU state
.
secure 2pc of augmented CPU circuit
.
ORAM⇒ safe to let Bob handle all memory access
.
example: CPU wants to read
.
example: CPU wants to write
.....................
Page 23
.
.
semi-honest RAM-2PC [GKKKMRV12]
..
Alice
.
Bob
.memory
.
stA
.
stB
.
⊕.
cpu
.
stA
.
stB
.
data in
.
memory[addr]
.
not used
.
st′
.
st′A
.
st′B
.
memory access
.
read, addr
.
write, addr, data
.
memory[addr] := data
.
initialize memory; secret share initial CPU state
.
secure 2pc of augmented CPU circuit
.
ORAM⇒ safe to let Bob handle all memory access
.
example: CPU wants to read
.
example: CPU wants to write
.....................
Page 24
.
.
semi-honest RAM-2PC [GKKKMRV12]
..
Alice
.
Bob
.memory
.
stA
.
stB
.
⊕.
cpu
.
stA
.
stB
.
data in
.
memory[addr]
.
not used
.
st′
.
st′A
.
st′B
.
memory access
.
read, addr
.
write, addr, data
.
memory[addr] := data
.
initialize memory; secret share initial CPU state
.
secure 2pc of augmented CPU circuit
.
ORAM⇒ safe to let Bob handle all memory access
.
example: CPU wants to read
.
example: CPU wants to write
.....................
Page 25
.
.
semi-honest RAM-2PC [GKKKMRV12]
..
Alice
.
Bob
.memory
.
stA
.
stB
.
⊕.
cpu
.
stA
.
stB
.
data in
.
memory[addr]
.
not used
.
st′
.
st′A
.
st′B
.
memory access
.
read, addr
.
write, addr, data
.
memory[addr] := data
.
initialize memory; secret share initial CPU state
.
secure 2pc of augmented CPU circuit
.
ORAM⇒ safe to let Bob handle all memory access
.
example: CPU wants to read
.
example: CPU wants to write
.....................
Page 26
.
.
semi-honest RAM-2PC [GKKKMRV12]
..
Alice
.
Bob
.memory
.
stA
.
stB
.
⊕.
cpu
.
stA
.
stB
.
data in
.
memory[addr]
.
not used
.
st′
.
st′A
.
st′B
.
memory access
.
read, addr
.
write, addr, data
.
memory[addr] := data
.
initialize memory; secret share initial CPU state
.
secure 2pc of augmented CPU circuit
.
ORAM⇒ safe to let Bob handle all memory access
.
example: CPU wants to read
.
example: CPU wants to write
.....................
Page 27
.
.
semi-honest RAM-2PC [GKKKMRV12]
..
Alice
.
Bob
.memory
.
stA
.
stB
.
⊕.
cpu
.
stA
.
stB
.
data in
.
memory[addr]
.
not used
.
st′
.
st′A
.
st′B
.
memory access
.
read, addr
.
write, addr, data
.
memory[addr] := data
.
initialize memory; secret share initial CPU state
.
secure 2pc of augmented CPU circuit
.
ORAM⇒ safe to let Bob handle all memory access
.
example: CPU wants to read
.
example: CPU wants to write
.....................
Page 28
.
.
semi-honest RAM-2PC [GKKKMRV12]
..
Alice
.
Bob
.memory
.
stA
.
stB
.
⊕.
cpu
.
stA
.
stB
.
data in
.
memory[addr]
.
not used
.
st′
.
st′A
.
st′B
.
memory access
.
read, addr
.
write, addr, data
.
memory[addr] := data
.
initialize memory; secret share initial CPU state
.
secure 2pc of augmented CPU circuit
.
ORAM⇒ safe to let Bob handle all memory access
.
example: CPU wants to read
.
example: CPU wants to write
.....................
Page 29
.
.
semi-honest RAM-2PC [GKKKMRV12]
..
Alice
.
Bob
.memory
.
stA
.
stB
.
⊕.
cpu
.
stA
.
stB
.
data in
.
memory[addr]
.
not used
.
st′
.
st′A
.
st′B
.
memory access
.
read, addr
.
write, addr, data
.
memory[addr] := data
.
initialize memory; secret share initial CPU state
.
secure 2pc of augmented CPU circuit
.
ORAM⇒ safe to let Bob handle all memory access
.
example: CPU wants to read
.
example: CPU wants to write
.....................
Page 30
.
.
malicious-security pitfalls
..
⊕.
cpu
.
semi-honestmalicious 2pc
.
stA
.
junk
.
stB
.
read data
.
junk
Integrity of state
and memory!
.....................
Page 31
.
.
malicious-security pitfalls
..
⊕.
cpu
.
semi-honestmalicious 2pc
.
stA
.
junk
.
stB
.
read data
.
junk
Integrity of state
and memory!
.....................
Page 32
.
.
malicious-security pitfalls
..
⊕.
cpu
.
semi-honestmalicious 2pc
.
stA
.
junk
.
stB
.
read data
.
junk
Integrity of state
and memory!
.....................
Page 33
.
.
malicious-security pitfalls
..
⊕.
cpu
.
semi-honestmalicious 2pc
.
stA
.
junk
.
stB
.
read data
.
junk
Integrity of state and memory!
.....................
Page 34
.
.
use aMAC?
..
⊕.
cpu
.
Ver?
.
Ver?
.
Ver?
.
stA
.
stB
.
read data
.
Mac
.
Mac
.
Mac
.
data’
.
st′
This will work, but ...
Crypto circuitry
inside garbled
circuit
Many inputs
(MAC tags &
keys) to garbled
circuit
.....................
Page 35
.
.
use aMAC?
..
⊕.
cpu
.
Ver?
.
Ver?
.
Ver?
.
stA
.
stB
.
read data
.
Mac
.
Mac
.
Mac
.
data’
.
st′
This will work, but ...
Crypto circuitry
inside garbled
circuit
Many inputs
(MAC tags &
keys) to garbled
circuit
.....................
Page 36
.
.
use aMAC?
..
⊕.
cpu
.
Ver?
.
Ver?
.
Ver?
.
stA
.
stB
.
read data
.
Mac
.
Mac
.
Mac
.
data’
.
st′
This will work, but ...
Crypto circuitry
inside garbled
circuit
Many inputs
(MAC tags &
keys) to garbled
circuit
.....................
Page 37
.
.
use aMAC?
..
⊕.
cpu
.
Ver?
.
Ver?
.
Ver?
.
stA
.
stB
.
read data
.
Mac
.
Mac
.
Mac
.
data’
.
st′
This will work, but ...
Crypto circuitry
inside garbled
circuit
Many inputs
(MAC tags &
keys) to garbled
circuit
.....................
Page 38
.
.
a better idea. . .State & memory information should be:
1. Kept private
2. Protected from tampering
..cpu.
state/memory
.cpu/2pc.
garbled state/memory
.Key Idea........Directly reuse garbled values for state & memory!
.....................
Page 39
.
.
a better idea. . .State & memory information should be:
1. Kept private
2. Protected from tampering
.
.cpu.
state/memory
.cpu/2pc.
garbled state/memory
.Key Idea........Directly reuse garbled values for state & memory!
.....................
Page 40
.
.
a better idea. . .State & memory information should be:
1. Kept private2. Protected from tampering
.
.cpu.
state/memory
.cpu/2pc.
garbled state/memory
.Key Idea........Directly reuse garbled values for state & memory!
.....................
Page 41
.
.
a better idea. . .State & memory information should be:
1. Kept private2. Protected from tampering
.
.cpu.
state/memory
.cpu/2pc.
garbled state/memory
.Key Idea........Directly reuse garbled values for state & memory!
.....................
Page 42
.
.
overview
.....................
Page 43
.
.
overviewGoals:
malicious security
no extra overhead inside garbled circuits
efficiency matching state-of-the-art for circuit-based 2PC
Results:
style cost technique
streaming s× semi-honest blind cut-and-choose,
forge-and-lose
online/offline ∼ 2s/ log T× semi-honest batched cut-and-choose,
LEGO
for security 2−s
T = ORAM running time
Theme:
Re-use wire labels between evaluations of garbled CPU circuit
.....................
Page 44
.
.
overviewGoals:
malicious security
no extra overhead inside garbled circuits
efficiency matching state-of-the-art for circuit-based 2PC
Results:
style cost technique
streaming s× semi-honest blind cut-and-choose,
forge-and-lose
online/offline ∼ 2s/ log T× semi-honest batched cut-and-choose,
LEGO
for security 2−s
T = ORAM running time
Theme:
Re-use wire labels between evaluations of garbled CPU circuit
.....................
Page 45
.
.
overviewGoals:
malicious security
no extra overhead inside garbled circuits
efficiency matching state-of-the-art for circuit-based 2PC
Results:
style cost technique
streaming s× semi-honest blind cut-and-choose,
forge-and-lose
online/offline ∼ 2s/ log T× semi-honest batched cut-and-choose,
LEGO
for security 2−s
T = ORAM running time
Theme:
Re-use wire labels between evaluations of garbled CPU circuit
.....................
Page 46
.
.
reusing wire labels: overview
.
.
garbled CPU
.
t− 1
.garbled CPU.
data in
.
data out
.t .
garbled CPU
.
t+ 1
.
state out
.
state in
.
state
.
state out
.
state in
.
state
.
mem access
.
mem access
.
(write, addr)
.
(read, addr)
.
data out
.
data in
. data
Quiz: isn’t this the same as
making a monolothic garbled
circuit for unrolled RAM
computation?
connections between
“data in/out”
determined at runtime!
later inputs can depend
on prior outputs
Note: CPU need not encrypt
data!
.....................
Page 47
.
.
reusing wire labels: overview
..
garbled CPU
.
t− 1
.garbled CPU.
data in
.
data out
.t .
garbled CPU
.
t+ 1
.
state out
.
state in
.
state
.
state out
.
state in
.
state
.
mem access
.
mem access
.
(write, addr)
.
(read, addr)
.
data out
.
data in
. data
Quiz: isn’t this the same as
making a monolothic garbled
circuit for unrolled RAM
computation?
connections between
“data in/out”
determined at runtime!
later inputs can depend
on prior outputs
Note: CPU need not encrypt
data!
.....................
Page 48
.
.
reusing wire labels: overview
..
garbled CPU
.
t− 1
.garbled CPU.
data in
.
data out
.t .
garbled CPU
.
t+ 1
.
state out
.
state in
.
state
.
state out
.
state in
.
state
.
mem access
.
mem access
.
(write, addr)
.
(read, addr)
.
data out
.
data in
. data
Quiz: isn’t this the same as
making a monolothic garbled
circuit for unrolled RAM
computation?
connections between
“data in/out”
determined at runtime!
later inputs can depend
on prior outputs
Note: CPU need not encrypt
data!
.....................
Page 49
.
.
reusing wire labels: overview
..
garbled CPU
.
t− 1
.garbled CPU.
data in
.
data out
.t .
garbled CPU
.
t+ 1
.
state out
.
state in
.
state
.
state out
.
state in
.
state
.
mem access
.
mem access
.
(write, addr)
.
(read, addr)
.
data out
.
data in
. data
Quiz: isn’t this the same as
making a monolothic garbled
circuit for unrolled RAM
computation?
connections between
“data in/out”
determined at runtime!
later inputs can depend
on prior outputs
Note: CPU need not encrypt
data!
.....................
Page 50
.
.
reusing wire labels: overview
..
garbled CPU
.
t− 1
.garbled CPU.
data in
.
data out
.t .
garbled CPU
.
t+ 1
.
state out
.
state in
.
state
.
state out
.
state in
.
state
.
mem access
.
mem access
.
(write, addr)
.
(read, addr)
.
data out
.
data in
. data
Quiz: isn’t this the same as
making a monolothic garbled
circuit for unrolled RAM
computation?
connections between
“data in/out”
determined at runtime!
later inputs can depend
on prior outputs
Note: CPU need not encrypt
data!
.....................
Page 51
.
.
reusing wire labels: overview
..
garbled CPU
.
t− 1
.garbled CPU.
data in
.
data out
.t .
garbled CPU
.
t+ 1
.
state out
.
state in
.
state
.
state out
.
state in
.
state
.
mem access
.
mem access
.
(write, addr)
.
(read, addr)
.
data out
.
data in
. data
Quiz: isn’t this the same as
making a monolothic garbled
circuit for unrolled RAM
computation?
connections between
“data in/out”
determined at runtime!
later inputs can depend
on prior outputs
Note: CPU need not encrypt
data!
.....................
Page 52
.
.
reusing wire labels: overview
..
garbled CPU
.
t− 1
.garbled CPU.
data in
.
data out
.t .
garbled CPU
.
t+ 1
.
state out
.
state in
.
state
.
state out
.
state in
.
state
.
mem access
.
mem access
.
(write, addr)
.
(read, addr)
.
data out
.
data in
. data
Quiz: isn’t this the same as
making a monolothic garbled
circuit for unrolled RAM
computation?
connections between
“data in/out”
determined at runtime!
later inputs can depend
on prior outputs
Note: CPU need not encrypt
data!
.....................
Page 53
.
.
reusing wire labels: overview
..
garbled CPU
.
t− 1
.garbled CPU.
data in
.
data out
.t .
garbled CPU
.
t+ 1
.
state out
.
state in
.
state
.
state out
.
state in
.
state
.
mem access
.
mem access
.
(write, addr)
.
(read, addr)
.
data out
.
data in
. data
Quiz: isn’t this the same as
making a monolothic garbled
circuit for unrolled RAM
computation?
connections between
“data in/out”
determined at runtime!
later inputs can depend
on prior outputs
Note: CPU need not encrypt
data!
.....................
Page 54
.
.
reusing wire labels: overview
..
garbled CPU
.
t− 1
.garbled CPU.
data in
.
data out
.t .
garbled CPU
.
t+ 1
.
state out
.
state in
.
state
.
state out
.
state in
.
state
.
mem access
.
mem access
.
(write, addr)
.
(read, addr)
.
data out
.
data in
. data
Quiz: isn’t this the same as
making a monolothic garbled
circuit for unrolled RAM
computation?
connections between
“data in/out”
determined at runtime!
later inputs can depend
on prior outputs
Note: CPU need not encrypt
data!
.....................
Page 55
.
.
how to do cut-and-choose?
.
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
.
. GC
. GC
.
. GC
. GC
.
. GC
. GC
.
. GC
. GC
.
. GC..t− 1.
t
.
generate many garbled circuits
.
open & check some fraction of them; abort if any are bad
.
evaluate remaining circuits; take majority output
.
what about in the RAM setting?
.
check circuit cannot share wire labels! (secrets revealed)
.
eval circuitmust share wire labels!
.
can’t predict check/eval when generating garbled circuits!
.....................
Page 56
.
.
how to do cut-and-choose?
.
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC. GC
.
. GC
. GC
.
. GC
. GC
.
. GC
. GC
.
. GC
. GC
.
. GC
..t− 1.
t
.
generate many garbled circuits
.
open & check some fraction of them; abort if any are bad
.
evaluate remaining circuits; take majority output
.
what about in the RAM setting?
.
check circuit cannot share wire labels! (secrets revealed)
.
eval circuitmust share wire labels!
.
can’t predict check/eval when generating garbled circuits!
.....................
Page 57
.
.
how to do cut-and-choose?
.
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
..t− 1.
t
.
generate many garbled circuits
.
open & check some fraction of them; abort if any are bad
.
evaluate remaining circuits; take majority output
.
what about in the RAM setting?
.
check circuit cannot share wire labels! (secrets revealed)
.
eval circuitmust share wire labels!
.
can’t predict check/eval when generating garbled circuits!
.....................
Page 58
.
.
how to do cut-and-choose?
.
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
.
.t− 1.
t
.
generate many garbled circuits
.
open & check some fraction of them; abort if any are bad
.
evaluate remaining circuits; take majority output
.
what about in the RAM setting?
.
check circuit cannot share wire labels! (secrets revealed)
.
eval circuitmust share wire labels!
.
can’t predict check/eval when generating garbled circuits!
.....................
Page 59
.
.
how to do cut-and-choose?
..
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
.
.t− 1.
t
.
generate many garbled circuits
.
open & check some fraction of them; abort if any are bad
.
evaluate remaining circuits; take majority output
.
what about in the RAM setting?
.
check circuit cannot share wire labels! (secrets revealed)
.
eval circuitmust share wire labels!
.
can’t predict check/eval when generating garbled circuits!
.....................
Page 60
.
.
how to do cut-and-choose?
.
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC..t− 1.
t
.
generate many garbled circuits
.
open & check some fraction of them; abort if any are bad
.
evaluate remaining circuits; take majority output
.
what about in the RAM setting?
.
check circuit cannot share wire labels! (secrets revealed)
.
eval circuitmust share wire labels!
.
can’t predict check/eval when generating garbled circuits!
.....................
Page 61
.
.
how to do cut-and-choose?
.
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
.
.t− 1.
t
.
generate many garbled circuits
.
open & check some fraction of them; abort if any are bad
.
evaluate remaining circuits; take majority output
.
what about in the RAM setting?
.
check circuit cannot share wire labels! (secrets revealed)
.
eval circuitmust share wire labels!
.
can’t predict check/eval when generating garbled circuits!
.....................
Page 62
.
.
how to do cut-and-choose?
.
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
.
??
.
GC
.
GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
. GC.
. GC
.
.t− 1.
t
.
generate many garbled circuits
.
open & check some fraction of them; abort if any are bad
.
evaluate remaining circuits; take majority output
.
what about in the RAM setting?
.
check circuit cannot share wire labels! (secrets revealed)
.
eval circuitmust share wire labels!
.
can’t predict check/eval when generating garbled circuits!
.....................
Page 63
.
.
our approachBlind cut-and-choose [KamaraMohasselRiva12,KreuterShelatShen12,Mood+14]
..
#1
.
#2
.
#3
.
#4
.
#5
.
#6
.
#7
.
#8
.
#9
.
#10
.
(eval)
.
(eval)
.
(eval)
.
(eval)
.
(eval)
.
(check)
.
(check)
.
(check)
.
(check)
.
(check)
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. t.
t+ 1
.
t+ 2
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
establish many threads of computation
.
receiver secretly sets each thread to “check” or “eval”
.
sender generates garbled circuits, reusing wire labels within each thread
.
check-threads: receiver gets only enough to check
.
eval-threads: receiver gets only enough to eval on sender’s input
.....................
Page 64
.
.
our approachBlind cut-and-choose [KamaraMohasselRiva12,KreuterShelatShen12,Mood+14]
..
#1
.
#2
.
#3
.
#4
.
#5
.
#6
.
#7
.
#8
.
#9
.
#10
.
(eval)
.
(eval)
.
(eval)
.
(eval)
.
(eval)
.
(check)
.
(check)
.
(check)
.
(check)
.
(check)
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. t.
t+ 1
.
t+ 2
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
establish many threads of computation
.
receiver secretly sets each thread to “check” or “eval”
.
sender generates garbled circuits, reusing wire labels within each thread
.
check-threads: receiver gets only enough to check
.
eval-threads: receiver gets only enough to eval on sender’s input
.....................
Page 65
.
.
our approachBlind cut-and-choose [KamaraMohasselRiva12,KreuterShelatShen12,Mood+14]
..
#1
.
#2
.
#3
.
#4
.
#5
.
#6
.
#7
.
#8
.
#9
.
#10
.
(eval)
.
(eval)
.
(eval)
.
(eval)
.
(eval)
.
(check)
.
(check)
.
(check)
.
(check)
.
(check)
. GC
.
GC
.
GC
. GC.
GC
.
GC
. GC
.
GC
.
GC
. GC.
GC
.
GC
. GC
.
GC
.
GC
. GC.
GC
.
GC
. GC
.
GC
.
GC
. GC.
GC
.
GC
. GC
.
GC
.
GC
. GC.
GC
.
GC
. GC
.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC
.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC
.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC
.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC
.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. t
.
t+ 1
.
t+ 2
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
establish many threads of computation
.
receiver secretly sets each thread to “check” or “eval”
.
sender generates garbled circuits, reusing wire labels within each thread
.
check-threads: receiver gets only enough to check
.
eval-threads: receiver gets only enough to eval on sender’s input
.....................
Page 66
.
.
our approachBlind cut-and-choose [KamaraMohasselRiva12,KreuterShelatShen12,Mood+14]
..
#1
.
#2
.
#3
.
#4
.
#5
.
#6
.
#7
.
#8
.
#9
.
#10
.
(eval)
.
(eval)
.
(eval)
.
(eval)
.
(eval)
.
(check)
.
(check)
.
(check)
.
(check)
.
(check)
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. t.
t+ 1
.
t+ 2
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
establish many threads of computation
.
receiver secretly sets each thread to “check” or “eval”
.
sender generates garbled circuits, reusing wire labels within each thread
.
check-threads: receiver gets only enough to check
.
eval-threads: receiver gets only enough to eval on sender’s input
.....................
Page 67
.
.
our approachBlind cut-and-choose [KamaraMohasselRiva12,KreuterShelatShen12,Mood+14]
..
#1
.
#2
.
#3
.
#4
.
#5
.
#6
.
#7
.
#8
.
#9
.
#10
.
(eval)
.
(eval)
.
(eval)
.
(eval)
.
(eval)
.
(check)
.
(check)
.
(check)
.
(check)
.
(check)
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. t.
t+ 1
.
t+ 2
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
establish many threads of computation
.
receiver secretly sets each thread to “check” or “eval”
.
sender generates garbled circuits, reusing wire labels within each thread
.
check-threads: receiver gets only enough to check
.
eval-threads: receiver gets only enough to eval on sender’s input
.....................
Page 68
.
.
our approachBlind cut-and-choose [KamaraMohasselRiva12,KreuterShelatShen12,Mood+14]
..
#1
.
#2
.
#3
.
#4
.
#5
.
#6
.
#7
.
#8
.
#9
.
#10
.
(eval)
.
(eval)
.
(eval)
.
(eval)
.
(eval)
.
(check)
.
(check)
.
(check)
.
(check)
.
(check)
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. t.
t+ 1
.
t+ 2
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
establish many threads of computation
.
receiver secretly sets each thread to “check” or “eval”
.
sender generates garbled circuits, reusing wire labels within each thread
.
check-threads: receiver gets only enough to check
.
eval-threads: receiver gets only enough to eval on sender’s input
.....................
Page 69
.
.
our approachBlind cut-and-choose [KamaraMohasselRiva12,KreuterShelatShen12,Mood+14]
..
#1
.
#2
.
#3
.
#4
.
#5
.
#6
.
#7
.
#8
.
#9
.
#10
.
(eval)
.
(eval)
.
(eval)
.
(eval)
.
(eval)
.
(check)
.
(check)
.
(check)
.
(check)
.
(check)
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. GC.
GC
.
GC
. GC.
GC
.
GC
. .
.
.
.
.
. t.
t+ 1
.
t+ 2
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
establish many threads of computation
.
receiver secretly sets each thread to “check” or “eval”
.
sender generates garbled circuits, reusing wire labels within each thread
.
check-threads: receiver gets only enough to check
.
eval-threads: receiver gets only enough to eval on sender’s input
.....................
Page 70
.
.
overview of protocol #1
Cost of protocol = (# of threads)× (cost of semi-honest)
with traditional cut-and-choose: ∼ 3s threads for security 2−s
with [Lindell13] cheating-recovery trick: only s threads
we show how to perform [Lindell13] trick only once at the end;
communication independent of RAM running time!
Preprocessing, streaming?
need to remember wire labels of previous circuits!
can’t pre-process garbled circuits (wire labels have runtime
dependence)
.....................
Page 71
.
.
overview of protocol #1
Cost of protocol = (# of threads)× (cost of semi-honest)
with traditional cut-and-choose: ∼ 3s threads for security 2−s
with [Lindell13] cheating-recovery trick: only s threads
we show how to perform [Lindell13] trick only once at the end;
communication independent of RAM running time!
Preprocessing, streaming?
need to remember wire labels of previous circuits!
can’t pre-process garbled circuits (wire labels have runtime
dependence)
.....................
Page 72
.
.
preprocessing:batched cut-and-choose
Want to do 2PC of same circuit N times?
[HuangKatzKolesnikovKumaresanMalozemoff14,LindellRiva14]
.
.............................................................. .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.........................................
︸ ︷︷ ︸≪s
.
generate a lot of garbled circuits
.
open and check some fraction of them
.
pick a random “bucket” of available circuits and evaluate them
.
buckets of size O(s/ logN) give security 2−s
.....................
Page 73
.
.
preprocessing:batched cut-and-choose
Want to do 2PC of same circuit N times?
[HuangKatzKolesnikovKumaresanMalozemoff14,LindellRiva14]
.............................................................
.. .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.........................................
︸ ︷︷ ︸≪s
.
generate a lot of garbled circuits
.
open and check some fraction of them
.
pick a random “bucket” of available circuits and evaluate them
.
buckets of size O(s/ logN) give security 2−s
.....................
Page 74
.
.
preprocessing:batched cut-and-choose
Want to do 2PC of same circuit N times?
[HuangKatzKolesnikovKumaresanMalozemoff14,LindellRiva14]
............................................................... .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.........................................
︸ ︷︷ ︸≪s
.
generate a lot of garbled circuits
.
open and check some fraction of them
.
pick a random “bucket” of available circuits and evaluate them
.
buckets of size O(s/ logN) give security 2−s
.....................
Page 75
.
.
preprocessing:batched cut-and-choose
Want to do 2PC of same circuit N times?
[HuangKatzKolesnikovKumaresanMalozemoff14,LindellRiva14]
............................................................... .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..........
...............................
︸ ︷︷ ︸≪s
.
generate a lot of garbled circuits
.
open and check some fraction of them
.
pick a random “bucket” of available circuits and evaluate them
.
buckets of size O(s/ logN) give security 2−s
.....................
Page 76
.
.
preprocessing:batched cut-and-choose
Want to do 2PC of same circuit N times?
[HuangKatzKolesnikovKumaresanMalozemoff14,LindellRiva14]
............................................................... .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
....................
.....................
︸ ︷︷ ︸≪s
.
generate a lot of garbled circuits
.
open and check some fraction of them
.
pick a random “bucket” of available circuits and evaluate them
.
buckets of size O(s/ logN) give security 2−s
.....................
Page 77
.
.
preprocessing:batched cut-and-choose
Want to do 2PC of same circuit N times?
[HuangKatzKolesnikovKumaresanMalozemoff14,LindellRiva14]
............................................................... .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..............................
...........
︸ ︷︷ ︸≪s
.
generate a lot of garbled circuits
.
open and check some fraction of them
.
pick a random “bucket” of available circuits and evaluate them
.
buckets of size O(s/ logN) give security 2−s
.....................
Page 78
.
.
preprocessing:batched cut-and-choose
Want to do 2PC of same circuit N times?
[HuangKatzKolesnikovKumaresanMalozemoff14,LindellRiva14]
............................................................... .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
........................................
.
︸ ︷︷ ︸≪s
.
generate a lot of garbled circuits
.
open and check some fraction of them
.
pick a random “bucket” of available circuits and evaluate them
.
buckets of size O(s/ logN) give security 2−s
.....................
Page 79
.
.
preprocessing:batched cut-and-choose
Want to do 2PC of same circuit N times?
[HuangKatzKolesnikovKumaresanMalozemoff14,LindellRiva14]
............................................................... .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.........................................
︸ ︷︷ ︸≪s
.
generate a lot of garbled circuits
.
open and check some fraction of them
.
pick a random “bucket” of available circuits and evaluate them
.
buckets of size O(s/ logN) give security 2−s
.....................
Page 80
.
.
preprocessing for RAM-2PC?Pros:
RAM CPU circuit evaluated over and over!
Batched cut-and-choose would reduce number of garbled circuits
needed (in online phase)
Pre-processing already inherent for ORAM
Cons:
Wire-label dependence determined at runtime!
Cannot re-use wire labels if all circuits garbled beforehand
If only we had a way to “connect wires on the fly” in
existing garbled circuits!
.....................
Page 81
.
.
preprocessing for RAM-2PC?Pros:
RAM CPU circuit evaluated over and over!
Batched cut-and-choose would reduce number of garbled circuits
needed (in online phase)
Pre-processing already inherent for ORAM
Cons:
Wire-label dependence determined at runtime!
Cannot re-use wire labels if all circuits garbled beforehand
If only we had a way to “connect wires on the fly” in
existing garbled circuits!
.....................
Page 82
.
.
preprocessing for RAM-2PC?Pros:
RAM CPU circuit evaluated over and over!
Batched cut-and-choose would reduce number of garbled circuits
needed (in online phase)
Pre-processing already inherent for ORAM
Cons:
Wire-label dependence determined at runtime!
Cannot re-use wire labels if all circuits garbled beforehand
If only we had a way to “connect wires on the fly” in
existing garbled circuits!
.....................
Page 83
.
.
the LEGO approach!
Garble individual gates and connect them later
[NielsenOrlandi09,FrederiksenJakobsenNielsenNordholdOrlandi13]
We extend the technique to circuits
Some careful modifications are necessary
.....................
Page 84
.
.
our “LEGORAM” approach
LEGO set 6062 “Battering Ram”
.....................
Page 85
.
.
xor-homomorphic commitment
..
A
.
B
.
C
.
open A
.
open B⊕ C
.
commit(A)
.
commit(B)
.
commit(C)
.....................
Page 86
.
.
xor-homomorphic commitment
..
A
.
B
.
C
.
open A
.
open B⊕ C
.
commit(A)
.
commit(B)
.
commit(C)
.....................
Page 87
.
.
xor-homomorphic commitment
..
A
.
B
.
C
.
open A
.
open B⊕ C
.
commit(A)
.
commit(B)
.
commit(C)
.....................
Page 88
.
.
xor-homomorphic commitment
..
A
.
B
.
C
.
open A
.
open B⊕ C
.
commit(A)
.
commit(B)
.
commit(C)
.....................
Page 89
.
.
xor-homomorphic commitment
..
A
.
B
.
C
.
open A
.
open B⊕ C
.
commit(A)
.
commit(B)
.
commit(C)
.....................
Page 90
.
.
garbled circuit, wire labels
Each wire has a secret “parity bit”
..
A0
.
A1
.
0
.
encodes false
.
encodes true
.....................
Page 91
.
.
garbled circuit, wire labels
Each wire has a secret “parity bit”
..
A0
.
A1
.
1
.
encodes false
.
encodes true
.....................
Page 92
.
.
soldering
connect wires of garbled circuits “on the fly”
..
A0
.
A1
.
0
.
commit:
.
B0
.
B1
.
1
.
commit:
.
open:
.
xor = 1: must flip select bits
.
∆0 = A0 ⊕ B1
.
∆1 = A1 ⊕ B0
.
A0
.
⊕∆0
.B1
.....................
Page 93
.
.
soldering
connect wires of garbled circuits “on the fly”
..
A0
.
A1
.
0
.
commit:
.
B0
.
B1
.
1
.
commit:
.
open:
.
xor = 1: must flip select bits
.
∆0 = A0 ⊕ B1
.
∆1 = A1 ⊕ B0
.
A0
.
⊕∆0
.B1
.....................
Page 94
.
.
soldering
connect wires of garbled circuits “on the fly”
..
A0
.
A1
.
0
.
commit:
.
B0
.
B1
.
1
.
commit:
.
open:
.
xor = 1: must flip select bits
.
∆0 = A0 ⊕ B1
.
∆1 = A1 ⊕ B0
.
A0
.
⊕∆0
.B1
.....................
Page 95
.
.
soldering
connect wires of garbled circuits “on the fly”
..
A0
.
A1
.
0
.
commit:
.
B0
.
B1
.
1
.
commit:
.
open:
.
xor = 1: must flip select bits
.
∆0 = A0 ⊕ B1
.
∆1 = A1 ⊕ B0
.
A0
.
⊕∆0
.B1
.....................
Page 96
.
.
soldering
connect wires of garbled circuits “on the fly”
..
A0
.
A1
.
0
.
commit:
.
B0
.
B1
.
1
.
commit:
.
open:
.
xor = 1: must flip select bits
.
∆0 = A0 ⊕ B1
.
∆1 = A1 ⊕ B0
.
A0
.
⊕∆0
.B1
.....................
Page 97
.
.
soldering
connect wires of garbled circuits “on the fly”
..
A0
.
A1
.
0
.
commit:
.
B0
.
B1
.
1
.
commit:
.
open:
.
xor = 1: must flip select bits
.
∆0 = A0 ⊕ B1
.
∆1 = A1 ⊕ B0
.
A0
.
⊕∆0
.B1
.....................
Page 98
.
.
soldering
connect wires of garbled circuits “on the fly”
..
A0
.
A1
.
0
.
commit:
.
B0
.
B1
.
1
.
commit:
.
open:
.
xor = 1: must flip select bits
.
∆0 = A0 ⊕ B1
.
∆1 = A1 ⊕ B0
.
A0
.
⊕∆0
.B1
.....................
Page 99
.
.
soldering
connect wires of garbled circuits “on the fly”
..
A0
.
A1
.
0
.
commit:
.
B0
.
B1
.
1
.
commit:
.
open:
.
xor = 1: must flip select bits
.
∆0 = A0 ⊕ B1
.
∆1 = A1 ⊕ B0
.
A0
.
⊕∆0
.B1
.....................
Page 100
.
.
putting it all together
.
.............................................................. .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
CPU
.
CPU
.
CPU
.
CPU
.
CPU
.........
st
..
read data
..
generate lots of garbled CPU circuits + homomorphic commitments
.
open and check some fraction of them
.
each timestep, select random “bucket” of circuits to evaluate
.
solder input/output wires together by opening commitments
.
(evaluate by taking majority wire labels of each computation path)
.
solder input wires from previous garbled circuits
.....................
Page 101
.
.
putting it all together
.............................................................
.. .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
CPU
.
CPU
.
CPU
.
CPU
.
CPU
.........
st
..
read data
.
.
generate lots of garbled CPU circuits + homomorphic commitments
.
open and check some fraction of them
.
each timestep, select random “bucket” of circuits to evaluate
.
solder input/output wires together by opening commitments
.
(evaluate by taking majority wire labels of each computation path)
.
solder input wires from previous garbled circuits
.....................
Page 102
.
.
putting it all together
............................................................... .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
CPU
.
CPU
.
CPU
.
CPU
.
CPU
.........
st
..
read data
..
generate lots of garbled CPU circuits + homomorphic commitments
.
open and check some fraction of them
.
each timestep, select random “bucket” of circuits to evaluate
.
solder input/output wires together by opening commitments
.
(evaluate by taking majority wire labels of each computation path)
.
solder input wires from previous garbled circuits
.....................
Page 103
.
.
putting it all together
.
.............................................................. .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
CPU
.
CPU
.
CPU
.
CPU
.
CPU
.........
st
..
read data
..
generate lots of garbled CPU circuits + homomorphic commitments
.
open and check some fraction of them
.
each timestep, select random “bucket” of circuits to evaluate
.
solder input/output wires together by opening commitments
.
(evaluate by taking majority wire labels of each computation path)
.
solder input wires from previous garbled circuits
.....................
Page 104
.
.
putting it all together
.
.............................................................. .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
CPU
.
CPU
.
CPU
.
CPU
.
CPU
........
.
st
..
read data
..
generate lots of garbled CPU circuits + homomorphic commitments
.
open and check some fraction of them
.
each timestep, select random “bucket” of circuits to evaluate
.
solder input/output wires together by opening commitments
.
(evaluate by taking majority wire labels of each computation path)
.
solder input wires from previous garbled circuits
.....................
Page 105
.
.
putting it all together
.
.............................................................. .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
CPU
.
CPU
.
CPU
.
CPU
.
CPU
........
.
st
..
read data
..
generate lots of garbled CPU circuits + homomorphic commitments
.
open and check some fraction of them
.
each timestep, select random “bucket” of circuits to evaluate
.
solder input/output wires together by opening commitments
.
(evaluate by taking majority wire labels of each computation path)
.
solder input wires from previous garbled circuits
.....................
Page 106
.
.
putting it all together
.
.............................................................. .. .. .. .. .. .. .. .. ..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
CPU
.
CPU
.
CPU
.
CPU
.
CPU
.........
st
..
read data
.
.
generate lots of garbled CPU circuits + homomorphic commitments
.
open and check some fraction of them
.
each timestep, select random “bucket” of circuits to evaluate
.
solder input/output wires together by opening commitments
.
(evaluate by taking majority wire labels of each computation path)
.
solder input wires from previous garbled circuits
.....................
Page 107
.
.
overview of protocol #2Two phase protocol:
offline phase = circuit generation & batch cut-and-choose
online phase = soldering & evaluation
Online cost of protocol = (bucket size)× (cost of semi-honest)
bucket size = O(s/ log T)where T = RAM running time
concretely, for s = 40: T = 5,000⇒ bucket size = 7 T = 500,000⇒ bucket size = 5
Other cool features:
oblivious RAM = (original RAM) + (ORAM construction steps)
pre-process different circuits separately: smaller bucket size for
(common) ORAM steps
.....................
Page 108
.
.
overview of protocol #2Two phase protocol:
offline phase = circuit generation & batch cut-and-choose
online phase = soldering & evaluation
Online cost of protocol = (bucket size)× (cost of semi-honest)
bucket size = O(s/ log T)where T = RAM running time
concretely, for s = 40: T = 5,000⇒ bucket size = 7 T = 500,000⇒ bucket size = 5
Other cool features:
oblivious RAM = (original RAM) + (ORAM construction steps)
pre-process different circuits separately: smaller bucket size for
(common) ORAM steps
.....................
Page 109
.
.
overview of protocol #2Two phase protocol:
offline phase = circuit generation & batch cut-and-choose
online phase = soldering & evaluation
Online cost of protocol = (bucket size)× (cost of semi-honest)
bucket size = O(s/ log T)where T = RAM running time
concretely, for s = 40: T = 5,000⇒ bucket size = 7 T = 500,000⇒ bucket size = 5
Other cool features:
oblivious RAM = (original RAM) + (ORAM construction steps)
pre-process different circuits separately: smaller bucket size for
(common) ORAM steps
.....................
Page 110
.
.
lies and omissionsLots of other standard tools from circuit-2PC:
Input consistency checks
Output authenticity checks
Preventing selective aborts
Cheating recovery techniques
RAM stuff I didn’t mention:
Elephant in the room: ORAM initialization!
Getting inputs into the RAM
ORAM needs randomness
Safe to run many RAM invocations with same memory
.....................
Page 111
.
.
summaryGoals:
malicious security
no extra overhead inside garbled circuits
efficiency matching state-of-the-art for circuit-based 2PC
Results:
style cost technique
streaming s× semi-honest blind cut-and-choose,
forge-and-lose
online/offline ∼ 2s/ log T× semi-honest batched cut-and-choose,
LEGO
for security 2−s
T = ORAM running time
Theme:
Leverage existing security properties of wire labels in garbled circuits!
.....................
Page 112
.
.
the end!
Mike Rosulek : [email protected]
From Circuits to RAM Programs in Malicious-2PC
Arash Afshar, Zhangxiang Hu, Payman Mohassel, Mike Rosulek
appearing on eprint soon.....................