A New Approach to Practical Active-Secure Two-Party Computation

Jesper Buus Nielsen (1), Peter Sebastian Nordholt (1), Claudio Orlandi (1), Sai Sheshank Burra (2)

(1) Aarhus University, Denmark
(2) Indian Institute of Technology Guwahati

August 21, 2012

Active-Secure Two-Party Computation (2PC)

[Figure: one party holds input x, the other holds input y; the circuit C is evaluated jointly and the output z is delivered to both.]

- Correctness: C(x, y) = z
- Privacy: Inputs are kept private.
- Practical: Runs in reasonable time for reasonable size circuits.

Motivation for this Work

- Solving real-world problems. E.g. computing the outcome of auctions [BCD+09].
- Lack of diversity in practical 2PC. In fact, all previous practical approaches use Yao's Garbled Circuits technique.

Our approach

Building blocks

- Passive-secure 2PC: The protocol of [GMW87], heavily utilizing Oblivious Transfer (OT).
- Information theoretic MACs: To ensure active security.
- OT-extension: A huge amount of OT at low amortized cost from the passive-secure protocol of [IKNP03].

Our Results

- New OT-extension technique with active security:
  - Only a factor 2 slower than the passive-secure protocol of [IKNP03]. (No asymptotic improvement.)
  - Implementation achieves ∼ 500.000 OT/sec per core (vs. ∼ 1000 OT/sec without extension).
- New practical 2PC protocol:
  - UC secure against an active and static adversary in the Random Oracle model.
  - Implementation achieves 20 000 gates/sec (online phase: ∼ 1.000.000 gates/sec).
  - Faster than all implementations based on Garbled Circuits . . . except for [KsS12].

Overview

- Protocol Overview
- MACs
- Concluding

Passive-Secure 2PC [GMW87]

[Figure: every wire value is XOR-shared between the two parties. Alice holds the shares xA, yA, wA, zA and Bob holds xB, yB, wB, zB; at the end Bob sends his share zB so that the output z can be opened.]

x = xA ⊕ xB
y = yA ⊕ yB
w = wA ⊕ wB
z = zA ⊕ zB

Active-Secure 2PC

[Figure: the same sharing as in the passive protocol, but every share now carries a MAC. Alice holds (xA, MxA), (yA, MyA), (wA, MwA), (zA, MzA); Bob holds (xB, MxB), (yB, MyB), (wB, MwB), (zB, MzB); Bob sends zB together with MzB.]

Add message authentication codes (MACs).

The Preprocessing model

Preprocessing:

- Prepare random authenticated messages:
  - 1 per Input-gate.
  - 16B per AND-gate, for security ∼ 2^(−B log(|C|)).
- Prove correlations between authenticated messages (think multiplication-triples).

Online:

- Use preprocessed values and simple (non-crypto) protocols to evaluate the circuit on the actual input.
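The online phase described above, as an added worked example (not code from the paper or its implementation): wire values are XOR-shared as in GMW, XOR and NOT gates are evaluated locally, and each AND gate consumes one preprocessed multiplication triple, so the online phase opens two masked bits per AND gate and needs no cryptography. The triple is produced by a trusted helper here (the protocol would authenticate it with MACs and prove the correlation), the per-share MACs are omitted, and the n-bit equality circuit and function names are my own.

```python
import secrets

def share(bit):
    """XOR-share a bit between Alice and Bob: bit = s_a ^ s_b."""
    s_a = secrets.randbits(1)
    return s_a, bit ^ s_a

def preprocess_triple():
    """Preprocessing stand-in (trusted helper, NOT the paper's protocol):
    random a, b with c = a AND b, all three XOR-shared."""
    a, b = secrets.randbits(1), secrets.randbits(1)
    return share(a), share(b), share(a & b)

def and_gate(x_shares, y_shares, triple):
    """Online AND on shared x, y using one triple.  Each party sends its
    share of d = x ^ a and e = y ^ b; the opened d, e are masked by the
    random a, b, so they reveal nothing about x, y."""
    (a_a, a_b), (b_a, b_b), (c_a, c_b) = triple
    x_a, x_b = x_shares
    y_a, y_b = y_shares
    d = (x_a ^ a_a) ^ (x_b ^ a_b)
    e = (y_a ^ b_a) ^ (y_b ^ b_b)
    # x*y = c ^ d*b ^ e*a ^ d*e; the public term d*e is added by Alice only.
    z_a = c_a ^ (d & b_a) ^ (e & a_a) ^ (d & e)
    z_b = c_b ^ (d & b_b) ^ (e & a_b)
    return (z_a, z_b), (d, e)

def open_bit(shares):
    """Output gate: one party sends its share, the other XORs."""
    s_a, s_b = shares
    return s_a ^ s_b

def equals_2pc(x_bits, y_bits):
    """Secure equality test of Alice's bits x and Bob's bits y:
    z = AND_i NOT(x_i XOR y_i).  Only the AND gates need triples."""
    xs = [share(b) for b in x_bits]   # input gates: 1 shared bit each
    ys = [share(b) for b in y_bits]
    acc = None
    for (x_a, x_b), (y_a, y_b) in zip(xs, ys):
        # XOR gate is local; NOT is XOR with 1, applied by Alice alone.
        eq = ((x_a ^ y_a) ^ 1, x_b ^ y_b)
        acc = eq if acc is None else and_gate(acc, eq, preprocess_triple())[0]
    return open_bit(acc)
```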


Information Theoretic MACs

Message x ∈R {0, 1}, MAC M = K ⊕ x∆
Global key ∆ ∈R {0, 1}^n, local key K ∈R {0, 1}^n

Unforgeability:

- M = K ⊕ x∆ does not give information on ∆.
- Let M0 = K ⊕ 0∆ = K and M1 = K ⊕ 1∆ = K ⊕ ∆.
- M0 ⊕ M1 = ∆.

Obtaining MACs: The Functionality

[Figure: the aBit functionality. The key holder inputs K, ∆; the other party inputs the bit x and receives M = K ⊕ x∆.]

Obtaining MACs: Protocol Steps

- Step 1: Obtain a few, long MACs on Alice's random bits.
- Step 2: Turn into many, short MACs on Bob's random bits.

Step 1: Long MACs for Alice

To authenticate bits x1, x2, . . . , xn:

[Figure: OT with sender inputs S0, S1 ∈ {0, 1}^T and receiver choice bit c ∈ {0, 1}; the receiver obtains Sc. Instantiated with Bob's sender inputs (Ki, Ki ⊕ ∆) and Alice's choice bit xi, so Alice obtains Ki ⊕ xi∆ = Mi.]

- Problem: Bob must use the same ∆ in every OT.
- Solution:
  - Do 2n OTs.
  - Force Bob to use a consistent ∆, using a cut-and-choose-like technique.
  - Sacrifice half of the authenticated messages.

Step 2: Short MACs For Bob

Write Alice's n long MACs as rows of an n × T matrix:

(M1; M2; . . . ; Mn) = (K1; K2; . . . ; Kn) ⊕ (x1∆; x2∆; . . . ; xn∆)

or, equivalently,

(K1; K2; . . . ; Kn) = (M1; M2; . . . ; Mn) ⊕ (x1∆; x2∆; . . . ; xn∆).

Now read the same matrices column by column, with ∆ = (∆1, . . . , ∆T):

(K1,1, . . . , K1,n) = (M1,1, . . . , M1,n) ⊕ (x1, . . . , xn)∆1
(K2,1, . . . , K2,n) = (M2,1, . . . , M2,n) ⊕ (x1, . . . , xn)∆2
. . .
(KT,1, . . . , KT,n) = (MT,1, . . . , MT,n) ⊕ (x1, . . . , xn)∆T

Set Ni = (Ki,1, . . . , Ki,n), Li = (Mi,1, . . . , Mi,n), Γ = (x1, . . . , xn) and yi = ∆i:

(N1; N2; . . . ; NT) = (L1; L2; . . . ; LT) ⊕ (Γ∆1; Γ∆2; . . . ; Γ∆T)
                    = (L1; L2; . . . ; LT) ⊕ (Γy1; Γy2; . . . ; ΓyT)

- Ni = Li ⊕ yiΓ, i.e. Ni is a MAC on yi w. keys Li, Γ.

The roles are swapped: Bob (who chose ∆ and the Ki) now holds the MACs Ni on his bits yi = ∆i, while Alice's bits become the global key Γ and her MACs Mi supply the local keys Li.
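The MAC M = K ⊕ x∆ from the "Information Theoretic MACs" slide and the transposition of Step 2, as an added worked example (not code from the paper or its implementation): Step 1 is simulated by letting Bob's keys and Alice's MACs be generated directly instead of via OT, and Step 2 transposes the n × T matrices so that every column becomes a short MAC for Bob under the identity Ni = Li ⊕ yiΓ. Bits are tuples of 0/1 integers; the function names are my own.

```python
import secrets

def rand_bits(n):
    """Constructed sample input: a uniformly random tuple of n bits."""
    return tuple(secrets.randbits(1) for _ in range(n))

def xor(u, v):
    return tuple(a ^ b for a, b in zip(u, v))

def scale(bit, v):
    """bit * v for a single bit and a bit-vector v."""
    return tuple(bit & a for a in v)

def mac(x, K, delta):
    """M = K XOR x*Delta: the information-theoretic MAC on bit x."""
    return xor(K, scale(x, delta))

def verify(x, M, K, delta):
    """Key holder's check: accept (x, M) iff M = K XOR x*Delta."""
    return M == mac(x, K, delta)

def step1_long_macs(x_bits, T):
    """Step 1 with the OTs simulated: Bob picks a global key Delta and one
    local key K_i per bit, all T bits long; Alice obtains M_i = K_i XOR x_i*Delta.
    Returns (Alice's view, Bob's view)."""
    delta = rand_bits(T)
    keys = [rand_bits(T) for _ in x_bits]
    macs = [mac(x, K, delta) for x, K in zip(x_bits, keys)]
    return (tuple(x_bits), macs), (keys, delta)

def step2_short_macs(alice_view, bob_view):
    """Step 2: transpose.  Column j of the n x T matrices satisfies
    N_j = L_j XOR y_j*Gamma with y_j = Delta_j (Bob's bit), Gamma = x (now
    Alice's global key), L_j = column j of Alice's MACs (Alice's local key)
    and N_j = column j of Bob's keys (Bob's MAC).  No communication needed."""
    x_bits, macs = alice_view
    keys, delta = bob_view
    T = len(delta)
    L = [tuple(M[j] for M in macs) for j in range(T)]   # held by Alice
    N = [tuple(K[j] for K in keys) for j in range(T)]   # held by Bob
    y = list(delta)                                      # Bob's authenticated bits
    return (y, N), (L, x_bits)
```

The test below also checks the unforgeability observation from the slides: for a fixed key pair, M0 ⊕ M1 = ∆, so a MAC on the flipped bit only verifies when ∆ is known.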

Obtaining MACs: Summary

[Figure: a few OTs with long messages give a few long aBits for Alice; these are turned into many short aBits for Bob, each of which yields a short OT.]

- A few (2n) OTs with long messages (T = poly(n) bits).
- A few (n) long (T bits) MACs for Alice.
- Many (T) short (n bits) MACs for Bob.
- Note 1: Can get long OTs from short OT using a PRG.
- Note 2: Can get short OT from short aBit (i.e. OT-extension).


Concluding . . .

Take away:

- Finally a non-Garbled Circuits approach to practical 2PC!
- It's based on GMW and OT-extension.
- It's really fast!
- . . . So if you're implementing a 2PC protocol, why not give this a try?

Thank you.