
Circuits Resilient to Additive Manipulation with Applications to Secure Computation


Presentation Transcript


  1. Circuits Resilient to Additive Manipulation with Applications to Secure Computation
  Yuval Ishai (Technion)
  Daniel Genkin (Technion & TAU), Manoj Prabhakaran (UIUC), Amit Sahai (UCLA), Eran Tromer (TAU)

  2. What this talk is about
  • New model for fault-tolerant circuits
  • New approach for protecting secure computation protocols against malicious parties

  3. Part I: Fault Tolerant Circuits

  4. Dream Goal
  • Too much to hope for… Yet it is f(x)!
  [Figure: tampered circuit, input x, output f(x)]

  5. Dream Goal
  • Too much to hope for… Yet it is 1-f(x)!
  [Figure: tampered circuit, input x, output 1-f(x)]

  6. Relaxing Goal
  • Random faults [vN56,DO77,Pip85,...]
  • Bounded number of faults [KLM94,GS95,KLR12]
  • This work: any number of adversarial faults
    • Allow fault-tolerant circuit to be randomized
    • Settle for detecting errors w.h.p.
  • Still does not rule out direct tampering with input and output

  7. Further Relaxations
  • Allow tamper-proof input encoder (Enc) and output decoder (Dec)
  • Enc, Dec must be small and universal
  • Restricted class of faults
  [Figure: x → Enc → circuit → Dec → f(x) / ERR]

  8. Further Relaxations
  • Allow tamper-proof input encoder (Enc) and output decoder (Dec)
  • Enc, Dec must be small and universal
  • Restricted class of faults
  • This work: additive attacks on wires
  [Figure: x → Enc → circuit → Dec → f(x) / ERR]

  9. Further Relaxations
  • Allow tamper-proof input encoder (Enc) and output decoder (Dec)
  • Enc, Dec must be small and universal
  • Restricted class of faults
  • This work: additive attacks on wires
  [Figure: x → Enc → circuit whose internal wires are shifted by constants (+5, -2, +3) → Dec → f(x) / ERR]

  10. AMD Codes [CDFPW08]
  • Protect information against additive attacks
  • Our goal: protect computation
  [Figure: AMD code: x → Enc → codeword shifted by constants (+8, +5, +3, …) → Dec → x / ERR. AMD circuit: x → Enc → C with additive attack on its wires (+5, -2, -3, …) → Dec → f(x) / ERR]

  11. Definition: ε-correctness
  • Let f: F^n → F^m
  • Let Enc: F^n → F^n', C: F^n' → F^m', Dec: F^m' → F^(m+1)
  • C is a randomized arithmetic circuit over F
  • Enc is randomized, Dec is deterministic
  • We say that (Enc, C, Dec) realizes f with ε-correctness against additive attacks if:
    • ∀ x ∈ F^n, Dec(C(Enc(x))) = (0, f(x)).
    • ∀ x ∈ F^n and every C^A obtained by applying an additive attack to C, Dec(C^A(Enc(x))) is either (0, f(x)) or (e, y) for e ≠ 0, except w/prob. ≤ ε

  12. Eliminating Enc and Dec
  • Idea: settle for “best possible” security
  • Every additive attack on C can be simulated by a (possibly randomized) additive attack on inputs and outputs alone
  • C is “as good” as tamper-proof hardware for g
  [Figure: additive attack on internal wires (+3, +5, -1, +2) simulated by a random shift +r on the inputs and outputs of a tamper-proof box]

  13. Definition: ε-security
  • Let f: F^n → F^m, C: F^n → F^m
  • C is a randomized arithmetic circuit over F
  • We say that C realizes f with ε-security against additive attacks if:
    • ∀ x ∈ F^n, C(x) = f(x) (w/prob. 1)
    • For every C^A obtained by applying an additive attack to C, there are distributions Δx, Δy s.t. ∀ x ∈ F^n, C^A(x) ≈_ε C(x + Δx) + Δy

  14. Security ⇒ Correctness
  • Let (AEnc, ADec) be an AMD code.
  [Figure: x → AEnc → x' → f' → y' → ADec → y, with error flag e; inside, f' applies ADec, f and AEnc]

  15. Security ⇒ Correctness
  • Let (AEnc, ADec) be an AMD code.
  • Useful feature: whether e is set reveals almost nothing about x
  [Figure: x → AEnc → x' → C' → y' → ADec → y, with error flag e; inside, C' applies ADec, f and AEnc]

  16. Our Results
  • Large field F
    • Compile any C to an ε-secure C'
    • |C'| = O(|C|)
    • ε = O(|C| / |F|)
  • Any field F
    • Compile any C to an ε-correct (Enc, C', Dec)
    • Enc, Dec small and universal
    • |C'| = |C| · polylog(1/ε)

  17. Techniques: Large Fields
  • Use simple homomorphic AMD code (compare with [BDOZ11])
    • Input: x → (x, r, xr)
    • Multiplication: (a, r, ar), (b, r, br) → (ab, r², abr²)
      • (a, r^d, ar^d), (b, r^d', br^d') → (ab, r^(d+d'), ab·r^(d+d'))
    • Addition: (a, r, ar), (b, r, br) → (a+b, r, (a+b)r)
      • (a, r^d, ar^d), (b, r^d', br^d'), r → (a+b, r^max(d,d'), (a+b)·r^max(d,d'))
    • Output: (y, r^d, z) → y + s·(y·r^d − z)
  • Problems
    • Error grows linearly with degree d (need d << |F|)
      • Use constant-degree gadgets
    • Requires wires to be locally random
      • Convert C into a locally random circuit [ISW03,IPS+11]
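As an added worked example (not code from the talk or the paper), the homomorphic AMD code of slide 17 run over a constructed small prime field, with one wire hit by the kind of additive attack pictured on slides 9 and 10, so that the ε-security notion of slide 13 can be seen directly: the attacked output is f(x) plus a uniformly random offset, and the check fails for all but at most d values of r. The function f, the field size P = 101, the attack constant and the assumption that the output gadget's multiplier s is a fresh uniform field element are choices of this example.

```python
import random

P = 101  # constructed: a tiny prime field so every r can be enumerated; real use needs |F| >> |C|

def enc(x, r):
    """Slide 17 input encoding: x -> (x, r, x*r), all mod P."""
    return (x % P, r % P, (x * r) % P)

def mul(u, v):
    """(a, r^d, a*r^d) * (b, r^d', b*r^d') -> (ab, r^(d+d'), ab*r^(d+d'))."""
    a, rd, ard = u
    b, rd2, brd2 = v
    return ((a * b) % P, (rd * rd2) % P, (ard * brd2) % P)

def add(u, v):
    """Addition of two triples carrying the same r^d. The slides' variant first raises the
    lower-degree operand by multiplying with r; this toy only handles equal degrees."""
    a, rd, ard = u
    b, rd2, brd2 = v
    assert rd == rd2, "operands must carry the same power of r"
    return ((a + b) % P, rd, (ard + brd2) % P)

def check(w):
    """y*r^d - z: zero on an untampered wire, a non-zero polynomial in r after an attack."""
    y, rd, z = w
    return (y * rd - z) % P

def output(w, s):
    """Slide 17 output gadget y + s*(y*r^d - z). With s uniform (assumed here) this equals
    f(x) when the check passes and is a uniformly random field element otherwise."""
    return (w[0] + s * check(w)) % P

def circuit(x1, x2, r, attack=0):
    """f(x1, x2) = x1*x2 + x1*x1 on encoded wires (a constructed example function).
    `attack` is an additive attack: a constant added to the value component of the product wire."""
    e1, e2 = enc(x1, r), enc(x2, r)
    p = mul(e1, e2)
    p = ((p[0] + attack) % P, p[1], p[2])  # the tampered wire
    return add(p, mul(e1, e1))             # (y, r^2, z)

def run(x1, x2, r, s, attack=0):
    return output(circuit(x1, x2, r, attack), s)

def bad_r_count(x1, x2, attack):
    """Number of r in F for which the attacked check still vanishes; it is at most the
    degree d of the gadget (here d = 2), which is where the O(|C|/|F|) error comes from."""
    return sum(1 for r in range(P) if check(circuit(x1, x2, r, attack)) == 0)

if __name__ == "__main__":
    r, s = random.randrange(1, P), random.randrange(P)
    print(run(3, 4, r, s), run(3, 4, r, s, attack=5), bad_r_count(3, 4, 5))
```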

  18. Techniques: Small Fields
  • Implement matrix-vector multiplication gadget
  • Use it to implement simple Hadamard-based linear PCP [ALMSS92]
    • Large constant error
    • Quadratic blowup in circuit size
  • Amplify correctness via repetition
    • Check input consistency using hashing
  • Eliminate quadratic blowup
    • Using small gadgets

  19. Part II: Secure Multiparty Computation

  20. Secure Multiparty Computation [Yao86,GMW87]
  [Figure: three parties holding inputs a, b, c jointly compute f(a,b,c)]
  • Every f can be realized with information-theoretic security
    • Assuming an honest majority [BGW88,CCD88,RB89]
    • Assuming an oblivious transfer oracle [GMW87,Kil88,IPS08] or OLE oracle [NP99,IPS09]

  21. Passive vs. Active Attacks
  • Security against active attacks is much more challenging.
  • Common paradigm: passive security → active security
    • GMW compiler: using ZK proofs [GMW87,…]
    • Make sub-protocols verifiable [BGW88,CCD88,…]
    • Cut-and-choose techniques […,LP07,…]
    • Use low-threshold active-secure MPC [IPS08]
  • Major research effort in cryptography

  22. Motivating Observation
  • In “natural” passive-secure MPC protocols for evaluating an arithmetic circuit C, the effect of an active adversary corresponds to an additive attack on C.
    • Formally: the protocol perfectly realizes an augmented ideal functionality that allows for an additive attack.
    • Applies to all information-theoretic protocols we know that have maximal security threshold
  • Active security can be achieved by applying passive-secure protocol to AMD circuit C'.
    • Reduces protocol design to circuit design

  23. Some Details
  • Need to protect inputs and outputs
    • Achieved via local AMD encoding of inputs and AMD decoding of outputs
  • Protocols only achieve “security with abort”
    • Often best possible
    • With honest majority and broadcast, can be upgraded to full security using standard methods

  24. Applications
  • Simplified feasibility results
    • Passive BGW88 ⇒ RB89 (t < n/2)
    • Passive GMW87 ⇒ Kil88/IPS09 (t < n, OLE-hybrid)
  • Improved efficiency
    • Passive DN07 ⇒ Improved BFO12: t < n/2, O(n|C| + n²) field elements
    • Passive GMW87 ⇒ Improved IPS09: t < n, O(|C|) OLE calls
  • New feasibility
    • t < n, untrusted preprocessing

  25. Open Problems
  • AMD Circuits
    • Better security and efficiency over binary fields
      • Useful for MPC in OT-hybrid model
    • Better concrete efficiency over large fields
      • Useful for practical MPC? [IKHC14]
    • Generalize attack model
      • Settle for best possible security
  • MPC applications
    • Protocols based on “packed secret sharing”
    • Computationally secure protocols?
