Quid pro quo tocols strengthening semi honest protocols with dual execution
This presentation is the property of its rightful owner.
Sponsored Links
1 / 18

Quid-Pro-Quo- tocols Strengthening Semi-Honest Protocols with Dual Execution PowerPoint PPT Presentation


  • 76 Views
  • Uploaded on
  • Presentation posted in: General

Quid-Pro-Quo- tocols Strengthening Semi-Honest Protocols with Dual Execution. Yan Huang 1 , Jonathan Katz 2 , David Evans 1 1. University of Virginia 2. University of Maryland. Picture logos instead of footnotes. Secure Two-Party Computation. Bob’s Genome: ACTG…

Download Presentation

Quid-Pro-Quo- tocols Strengthening Semi-Honest Protocols with Dual Execution

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Quid pro quo tocols strengthening semi honest protocols with dual execution

Quid-Pro-Quo-tocolsStrengthening Semi-Honest Protocols with Dual Execution

Yan Huang1, Jonathan Katz2, David Evans1

1. University of Virginia

2. University of Maryland

Picture logos instead of footnotes


Secure two party computation

Secure Two-Party Computation

Bob’s Genome: ACTG…

Markers (~1000): [0,1, …, 0]

Alice’s Genome: ACTG…

Markers (~1000): [0, 0, …, 1]

Alice

Bob

Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?


Faster garbled circuits semi honest

Faster Garbled Circuits (Semi-honest)

Circuit-Level Application

Circuit Structure

Circuit Structure

GC Framework (Generator)

GC Framework

(Evaluator)

Pipelining: gates evaluated as they are generated

Garbled evaluation can be combined with normal execution

Circuit-level optimizations


Results for semi honest protocols

Results for Semi-honest Protocols

Performance

Scalability

Non-free gates per millisecond

Largest circuit executed

(non-free gates)

Applications

biometric identification (5x speedup) [NDSS 2011]

Hamming distance (4000x), Edit distance (30x), Smith-Waterman,

AES Encryption (16x) [USENIX Sec 2011]

private set intersection (faster than best custom protocols) [NDSS 2012]


Standard threat models

Standard Threat Models

Semi-Honest: Adversary follows the protocol as specified, but tries to learn more from the protocol execution transcript

Malicious: Adversary can do anything, guarantees correctness and privacy

Reasonable performance, unreasonable assumptions

Reasonable assumptions, unreasonable performance


Security properties

Security Properties

Privacy

Nothing is revealed other than the output

Correctness

The output of the protocol is indeed f(x,y)

Generator

Evaluator

Malicious-resistant OT

Semi-Honest GC

How can we get both correctness, while maintaining privacy?


How about dual execution

How about Dual Execution?


Dual execution protocol

Dual Execution Protocol

Alice

Bob

first round execution (semi-honest)

generator

evaluator

=f(x, y)

second round execution (semi-honest)

evaluator

generator

=f(x, y)

, learned output

wire labels

fully-secure equality test

,learned output

wire labels

Pass if =and correct wire labels

[Mohassel and Franklin, PKC’06]


Security properties1

Security Properties

Correctness: guaranteed by authenticated, secure equality test

Privacy: Leaks one (extra) bit on average

adversarial circuit generator provides a circuit that fails on ½ of inputs

Malicious generator can achieve either one of the following, but not both

1. Decrease likelihood of being caught,

2.Increase information leaked when caught

On average, it is a 1-bit leak.


Equality test

Equality Test

, an -bit value

, an -bit value

, an -entry array of labels

corresponding to

,an -entry array of labels

corresponding to


One sided equality test

One-sided Equality Test

Allows Bob to convince Alice that they share the same secret value

Randomly generate ,

then compute

, accept iff

Need to run this 2-round protocol twice (parallelizable as well) to accomplish the full equality test.


Proving security malicious

Proving Security: Malicious

Show equivalence

Ideal World

Real World

A

B

A

B

y

x

Trusted Party in Ideal World

y

x

Secure Computation Protocol

Corrupted party behaves arbitrarily

Receives:

f (x, y)

Standard Malicious Model: can’t prove this for Dual Execution


Proof of security one bit leakage

Proof of Security: One-Bit Leakage

Ideal World

B

A

y

x

Trusted Party in Ideal World

g R  {0, 1}

gis an arbitrary Boolean function selected by malicious adversary A

Adversary receives:

g(x, y) and optionally f (x, y)

Can prove equivalence to this for Dual Execution protocols


1 bit leak

1-bit Leak

Circuit structure can be checked by evaluator (including free XORs)

Design circuit to limit malicious generator’s ability to partition input space.

Challenge: can lie about inputs also

Open Question:

Can we have more confidence on which one bit is not leaked?

Victim’s input space

Inputs of attacker’s interest, modeled with predicate


Delayed revelation

Delayed Revelation

Goal: do not reveal output to either party, unless the equality test passes

Solution: check equality of output wires using a secure circuit that outputs results

This circuit is also executed as a Dual Execution protocol!


Dual execution protocol1

Dual Execution Protocol

Alice

Bob

first round execution (semi-honest)

generator

evaluator

=f(x, y)

Recall: work to generate is 3x work to evaluate!

second round execution (semi-honest)

evaluator

generator

=f(x, y)

, learned output

wire labels

fully-secure equality test

,learned output

wire labels

Pass if =and correct wire labels


Performance

Performance

[Kreuter et al., USENIX Security 2012]

Circuits of arbitrary sizes can be done this way


Summary

Summary

first round execution (semi-honest)

=f(x, y)

second round execution (semi-honest)

=f(x, y)

fully-secure, authenticated equality test

Provides full correctness and maximum one-bit average leakage against fully malicious adversaries (formal proof using ideal/real world model)

With pipelining framework, almost free with dual-core, 40-50% over semi-honest protocol with one core.

www.MightBeEvil.org


  • Login