Download Presentation

Loading in 3 Seconds

This presentation is the property of its rightful owner.

X

Sponsored Links

- 69 Views
- Uploaded on
- Presentation posted in: General

Quid-Pro-Quo- tocols Strengthening Semi-Honest Protocols with Dual Execution

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Quid-Pro-Quo-tocolsStrengthening Semi-Honest Protocols with Dual Execution

Yan Huang1, Jonathan Katz2, David Evans1

1. University of Virginia

2. University of Maryland

Picture logos instead of footnotes

Bob’s Genome: ACTG…

Markers (~1000): [0,1, …, 0]

Alice’s Genome: ACTG…

Markers (~1000): [0, 0, …, 1]

Alice

Bob

Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?

Circuit-Level Application

Circuit Structure

Circuit Structure

GC Framework (Generator)

GC Framework

(Evaluator)

Pipelining: gates evaluated as they are generated

Garbled evaluation can be combined with normal execution

Circuit-level optimizations

Performance

Scalability

Non-free gates per millisecond

Largest circuit executed

(non-free gates)

Applications

biometric identification (5x speedup) [NDSS 2011]

Hamming distance (4000x), Edit distance (30x), Smith-Waterman,

AES Encryption (16x) [USENIX Sec 2011]

private set intersection (faster than best custom protocols) [NDSS 2012]

Semi-Honest: Adversary follows the protocol as specified, but tries to learn more from the protocol execution transcript

Malicious: Adversary can do anything, guarantees correctness and privacy

Reasonable performance, unreasonable assumptions

Reasonable assumptions, unreasonable performance

Privacy

Nothing is revealed other than the output

Correctness

The output of the protocol is indeed f(x,y)

Generator

Evaluator

Malicious-resistant OT

Semi-Honest GC

How can we get both correctness, while maintaining privacy?

Alice

Bob

first round execution (semi-honest)

generator

evaluator

=f(x, y)

second round execution (semi-honest)

evaluator

generator

=f(x, y)

, learned output

wire labels

fully-secure equality test

,learned output

wire labels

Pass if =and correct wire labels

[Mohassel and Franklin, PKC’06]

Correctness: guaranteed by authenticated, secure equality test

Privacy: Leaks one (extra) bit on average

adversarial circuit generator provides a circuit that fails on ½ of inputs

Malicious generator can achieve either one of the following, but not both

1. Decrease likelihood of being caught,

2.Increase information leaked when caught

On average, it is a 1-bit leak.

, an -bit value

, an -bit value

, an -entry array of labels

corresponding to

,an -entry array of labels

corresponding to

Allows Bob to convince Alice that they share the same secret value

Randomly generate ,

then compute

, accept iff

Need to run this 2-round protocol twice (parallelizable as well) to accomplish the full equality test.

Show equivalence

Ideal World

Real World

A

B

A

B

y

x

Trusted Party in Ideal World

y

x

Secure Computation Protocol

Corrupted party behaves arbitrarily

Receives:

f (x, y)

Standard Malicious Model: can’t prove this for Dual Execution

Ideal World

B

A

y

x

Trusted Party in Ideal World

g R {0, 1}

gis an arbitrary Boolean function selected by malicious adversary A

Adversary receives:

g(x, y) and optionally f (x, y)

Can prove equivalence to this for Dual Execution protocols

Circuit structure can be checked by evaluator (including free XORs)

Design circuit to limit malicious generator’s ability to partition input space.

Challenge: can lie about inputs also

Open Question:

Can we have more confidence on which one bit is not leaked?

Victim’s input space

Inputs of attacker’s interest, modeled with predicate

Goal: do not reveal output to either party, unless the equality test passes

Solution: check equality of output wires using a secure circuit that outputs results

This circuit is also executed as a Dual Execution protocol!

Alice

Bob

first round execution (semi-honest)

generator

evaluator

=f(x, y)

Recall: work to generate is 3x work to evaluate!

second round execution (semi-honest)

evaluator

generator

=f(x, y)

, learned output

wire labels

fully-secure equality test

,learned output

wire labels

Pass if =and correct wire labels

[Kreuter et al., USENIX Security 2012]

Circuits of arbitrary sizes can be done this way

first round execution (semi-honest)

=f(x, y)

second round execution (semi-honest)

=f(x, y)

fully-secure, authenticated equality test

Provides full correctness and maximum one-bit average leakage against fully malicious adversaries (formal proof using ideal/real world model)

With pipelining framework, almost free with dual-core, 40-50% over semi-honest protocol with one core.

www.MightBeEvil.org