
Revisiting the efficiency of malicious two party computation

Revisiting the efficiency of malicious two party computation. David Woodruff, MIT. Secure function evaluation. Alice. Bob. $y \in \{0,1\}^n$. $x \in \{0,1\}^n$. What is f(x,y)? Security: neither party learns more about the other’s input


Presentation Transcript


  1. Revisiting the efficiency of malicious two party computation David Woodruff MIT

  2. Secure function evaluation
      Alice, Bob: $y \in \{0,1\}^n$, $x \in \{0,1\}^n$. What is f(x,y)?
      Security: neither party learns more about the other’s input other than what follows from his/her own input and f(x,y)

  3. Application – secure datamining
      • For medical research, hospitals want to mine their joint data
      • Patient confidentiality imposes strict laws on what can be shared. Mining cannot leak anything sensitive

  4. American application
      [Figure: two databases (DB, DB)]
      • Government has terrorist patterns it looks for in airline and credit card repositories
      • Repository holders don’t want to reveal information about their users due to user confidentiality
      • Government doesn’t want to reveal its search patterns, as otherwise terrorists could change their behavior

  5. Security models
      [Figure: Alice, Bob] Difficult to achieve security in malicious model…
      • Semi-honest: parties follow their instructions but try to learn more than what is prescribed
      • Malicious: parties deviate from the protocol arbitrarily
        - Use a different input
        - Force other party to output wrong answer
        - Abort before other party learns answer

  6. Security in the semi-honest model [Yao]
      Any function f(x,y) that can be computed with a circuit of size C can be securely computed in the semi-honest model with communication O(C)
      Example: $f(x,y) = (x_1 \wedge y_1) \vee (x_2 \wedge y_2)$
      [Figure: circuit with an OR gate over two AND gates, inputs $x_1, y_1, x_2, y_2$]

  7. Security in the malicious model [GMW]
      [Figure labels: protocol secure in the malicious model; protocol secure in the semi-honest model]
      It suffices to design protocols secure in the semi-honest model. The parties follow the instructions of the protocol. Don’t need to worry about “weird” behavior.
      What about efficiency?

  8. Efficiency
      • How to achieve secure function evaluation in the malicious model efficiently
        - communication
        - modular exponentiations
        - symmetric key operations
      • Previous work
        - [GMW] – if circuit size is C, achieve poly(C) communication and computation
        - Inefficient in practice
        - Many problem-specific solutions exist

  9. Recent work
      • [MNPS, MF, LP] design new compilers, transforming Yao’s protocol with semi-honest security to a protocol secure in the malicious model
      • Very efficient theoretically, and in practice
      • All based on the cut-and-choose technique

  10. Yao’s semi-honest protocol
      $f(x,y) = (x_1 \wedge y_1) \vee (x_2 \wedge y_2)$
      Create a garbled circuit. Keys: K(1,0), K(1,1); K(2,0), K(2,1); K(3,0), K(3,1); K(4,0), K(4,1); K(5,0), K(5,1); K(6,0), K(6,1); K(7,0), K(7,1)
      [Figure: the circuit with numbered wires: 1 to 4 on the inputs $x_1, y_1, x_2, y_2$, 5 and 6 on the two AND gates, 7 on the OR gate]

  11. Yao’s semi-honest protocol
      Alice:
      • Write f as a circuit.
      • Create a garbled circuit. Send Bob the tables corresponding to each gate, and the keys representing Alice’s input.
      Bob:
      1. Run oblivious transfer to privately get the keys representing Bob’s input.
      2. Use the tables to locally evaluate the circuit.

  12. The cut-and-choose technique
      Alice(x), Bob(y). Let C be a circuit for f(x,y)
      Alice:
      1. Let $C_1, \dots, C_m$ be independently garbled versions of C.
      2. Send $C_1, \dots, C_m$ to Bob
      3. Send Bob the keys for his challenged circuits.
      4. Send the keys representing x for the unopened circuits
      Bob:
      1. Challenge Alice by asking her for all the keys of a random fraction of $C_1, \dots, C_m$
      2. Verify this fraction of opened circuits was garbled correctly
      3. Run oblivious transfer to retrieve the keys representing y for each of the unopened circuits
      4. Evaluate the unopened circuits, and print the majority output

  13. Things to worry about
      • Some circuits are improperly garbled
      • For some unopened $C_j$, Alice gives keys representing her input x, and for other unopened $C_j$ she gives keys representing some other x’
      • For some unopened $C_j$, Alice gives keys representing Bob’s input y, and for other $C_j$ she gives keys representing some other y’

  14. High-level solutions
      • By opening ½ of the circuits, guarantee the majority of the unopened circuits are correct
      • By committing to the keys representing Alice’s inputs, guarantee Alice’s inputs are consistent
      • By committing to the keys representing Bob’s inputs, guarantee Bob’s inputs are consistent

  15. Previous results Let g be the # of gates, and I the # of inputs of circuit C Letbe a statistical security parameter bounding the probability that Alice can cheat in this framework

  16. Our new scheme

  17. Equality-checker [MF]
      Alice(x), Bob(y). Let C be a circuit for f(x,y)
      • Alice lets $C_1, \dots, C_m$ be independently garbled versions of C, and sends $C_1, \dots, C_m$ to Bob
      • For each input wire i of Alice, each value b in {0,1}, and each pair of circuits $C_r, C_s$, Alice commits to the tuple $(r, s, i, K(i,b)_r, K(i,b)_s)$ and sends the commitments to Bob
      • Bob chooses a random $T \subseteq [m]$ of size m/2 and asks Alice to open the $C_j$ with $j \in T$ and, for $r, s \in T$, to open the commitments to $(r, s, i, K(i,b)_r, K(i,b)_s)$
      With high probability, the majority of unopened circuits and commitments between them are correct! Thus, the majority of the unopened circuits are correct and Alice is forced to use consistent inputs

  18. Security intuition
      • Alice commits to tuples $(r, s, i, K(i,b)_r, K(i,b)_s)$
      • $C_1, \dots, C_m$ are the nodes of a complete graph. The tuple $(r, s, i, K(i,b)_r, K(i,b)_s)$ is an edge between $C_r$ and $C_s$
      • Bob chooses some circuits to open
      [Figure: circuits $C_1$ to $C_6$ as graph nodes, with a verification graph and an evaluation graph]

  19. Security intuition
      • Say a circuit $C_j$ is a bad vertex if it was garbled incorrectly
      • Say a commitment to $(r, s, i, K(i,b)_r, K(i,b)_s)$ is a bad edge if it was computed incorrectly
      • If the complete graph contains many bad vertices and bad edges, then so will the verification graph
      • Thus, if the verification test passes, with high probability the evaluation graph has few bad vertices and edges

  20. Our observation
      • Suppose the evaluation graph has a large connected component K of good edges and good vertices.
      • Then, by transitivity, all of Alice’s inputs are the same to the circuits in K, which are all correctly garbled circuits.
      • Thus, as long as K contains at least m/4 good vertices, a majority of the unopened circuits will be correct and have the same input from Alice.
      • In the real-ideal model, the simulator for Alice can send the majority input to the trusted party.

  21. Expander graphs
      • Expanders are d-regular, well-connected graphs, where d = O(1).
      • Let A be the adjacency matrix for an expander G, with eigenvalues $d = |\lambda_1| \ge |\lambda_2| \ge \dots \ge |\lambda_n|$
      • Expander-mixing lemma: For any $X, Y \subseteq V$, $\left| e(X,Y) - d|X||Y|/n \right| \le |\lambda_2| (|X||Y|)^{1/2}$.
      • Induced subgraphs of expanders contain large connected components.

  22. Our expander
      • Instead of committing to all $(r, s, i, K(i,b)_r, K(i,b)_s)$, fix an expander G on vertices 1, …, m, and only commit to $(r, s, i, K(i,b)_r, K(i,b)_s)$ for which {r, s} is in an edge of G.
      [Figure: circuits $C_1$ to $C_6$, with a verification graph and an evaluation graph]
      If the two edges in the evaluation graph are good, then $C_1$, $C_4$, and $C_5$ all have the same Alice input

  23. Efficiency and security
      • Instead of sending $O(Im^2)$ commitments, one for each tuple $(r, s, i, K(i,b)_r, K(i,b)_s)$, we send O(I|G|) = O(Im), one for each $(r, s, i, K(i,b)_r, K(i,b)_s)$ for which {r, s} is an edge of G.
      • Since G is an expander, for any subset of m/2 vertices Bob chooses, the evaluation graph has a large component of correct circuits for which Alice has to use the same input
      • Proof uses expander-mixing lemma
      • Thus, the security is the same as in Equality-checker

  24. Protocol sketch
      1. Alice creates garbled circuits $C_1, \dots, C_m$
      2. For Alice’s input wires i, $b \in \{0,1\}$, and pairs of circuits $C_r, C_s$ for which {r, s} is an edge of G, Alice commits to $(r, s, i, K(i,b)_r, K(i,b)_s)$
      3. For Bob’s input wires i, $b \in \{0,1\}$, and $C_j$, Alice commits to $(j, i, K(i,b)_j)$
      4. Bob chooses a random $T \subseteq [m]$ and asks Alice to open $C_j$ and the commitments to $(j, i, K(i,b)_j)$ with $j \in T$. For $\{r, s\} \in G(T)$, she opens the commitments to $(r, s, i, K(i,b)_r, K(i,b)_s)$ and Bob verifies correctness
      5. Alice sends the keys for her inputs to the unopened circuits. Bob uses the commitments to $(r, s, i, K(i,b)_r, K(i,b)_s)$ to verify consistency
      6. Bob uses oblivious transfer to receive the keys for his input and uses the commitments to $(j, i, K(i,b)_j)$ to verify consistency
      7. Bob evaluates the unopened circuits, and prints the majority output

  25. Efficiency
      • Communication = O(m|C| + mI) = O(mg)
      • Symmetric encryptions = O(m|C| + mI) = O(mg)
      • Modular exponentiations = O(mI) naively, but can use a single oblivious transfer to retrieve m/2 keys at once, $K(i,b)_1, \dots, K(i,b)_{m/2}$
      • Thus, modular exponentiations = O(I).

  26. Setting m
      • Theorem: Alice can cheat with probability at most $2^{-m/4}$ + 
      •  = $O(m \ln d / d^{1/2})$
      • To be less than , should set m = O(ln 1/)
      • This is almost tight, since we give a strategy to cheat with almost the same probability
      • We prove Equality-checker has almost the same cheating probability, so Expander-checker is not much worse for the same values of m
      • Our result improves and corrects the efficiency analysis of [MF]

  27. Main theorem
      • Theorem: Alice cheats with probability at most $2^{-m/4}$ + 
      • Proof:
        - Alice commits to a labeled expander G, where vertices and edges are labeled either bad or good
        - If Alice can cheat, $V(G) = S \cup B \cup C_1 \cup C_2 \cup \dots \cup C_r$
          - S is a set of size m/2
          - B is a set of incorrectly-garbled circuits
          - $C_i$ is a set of circuits receiving the same Alice input
          - For all i, $|C_i| \le m/4$
          - Edges between $C_i$ and $C_j$ in G with $i \ne j$ are bad edges
        - Bound the probability that Bob does not sample a vertex in B or the endpoints of a bad edge.
        - Expander-mixing lemma implies if many of Bob’s samples lie in $C_i$ and many lie in $C_j$, he will obtain endpoints of a bad edge

  28. A simple cheating strategy
      • Let f(x,y) = 1 iff the Hamming distance between x and y is smaller than n/10
      • Alice creates m/4+1 circuits which compute 1-f(x,y), and 3m/4-1 circuits computing f(x,y)
      • With probability $\binom{3m/4-1}{m/2} / \binom{m}{m/2} = 2^{-O(m)}$, Bob doesn’t sample the bad circuits, and thus gets the wrong answer, namely 1-f(x,y)

  29. Open questions
      • Our hidden constants are large
      • Cheating probability = $2^{-m/4}$ + , where  = $O(m \ln d / d^{1/2})$
      • Is our scheme impractical or is this because of a loose analysis?
      • Is Equality-checker with our improved efficiency analysis the most practical to date?
      • Find d-regular graphs such that any two sets of vertices of size O(m/d) have an edge between them.
      • Lindell and Pinkas give a protocol with a more formal security analysis than that given for Equality-checker. Seems our “expander-commitments” can also be used there

  30. Thank you!
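
The consistency check of slides 22 to 24, run on the six circuits of the slide-22 figure, as an added example (not code from the slides or from [MF]). It shows Bob rejecting an Alice who feeds C5 a different input, and the drop in commitment count from the complete graph to G. The 3-regular toy graph, the SHA-256 commitment with a random nonce, the key sizes and all function names are assumptions; the sketch does not hide which of the two committed pairs an opening matches.

```python
import hashlib
import os
from itertools import combinations

M, WIRES = 6, 2   # m circuits C1..C6; Alice has I = 2 input wires (constructed)
# Constructed 3-regular toy graph standing in for the expander G.
G = [(1, 2), (1, 4), (1, 6), (2, 3), (2, 5), (3, 4), (3, 6), (4, 5), (5, 6)]

def digest(nonce, tup):
    """Assumed commitment scheme: SHA-256 over nonce || tuple."""
    return hashlib.sha256(nonce + repr(tup).encode()).digest()

def alice_setup(edges):
    """Keys K(i,b)_j for every circuit, one commitment per (edge, wire, bit)."""
    keys = {(j, i, b): os.urandom(16)
            for j in range(1, M + 1) for i in range(WIRES) for b in (0, 1)}
    nonces = {(r, s, i, b): os.urandom(16)
              for r, s in edges for i in range(WIRES) for b in (0, 1)}
    coms = {(r, s, i, b): digest(n, (r, s, i, keys[r, i, b], keys[s, i, b]))
            for (r, s, i, b), n in nonces.items()}
    return keys, nonces, coms

def alice_send(keys, nonces, edges, unopened, x_for):
    """Send circuit j the keys for input x_for[j]; on every edge of the
    evaluation graph, open the commitment for the bit used in circuit r."""
    sent = {j: [keys[j, i, x_for[j][i]] for i in range(WIRES)] for j in unopened}
    openings = {(r, s, i): nonces[r, s, i, x_for[r][i]] for r, s in edges
                if r in unopened and s in unopened for i in range(WIRES)}
    return sent, openings

def bob_check(coms, sent, openings):
    """Return the (r, s, i) whose two keys match neither committed pair."""
    return [(r, s, i) for (r, s, i), nonce in openings.items()
            if digest(nonce, (r, s, i, sent[r][i], sent[s][i]))
            not in (coms[r, s, i, 0], coms[r, s, i, 1])]

def demo():
    keys, nonces, coms = alice_setup(G)
    unopened = {1, 4, 5}                        # Bob opened T = {2, 3, 6}
    honest = {j: [1, 0] for j in unopened}
    cheat = {1: [1, 0], 4: [1, 0], 5: [0, 0]}   # a different x for C5
    results = [bob_check(coms, *alice_send(keys, nonces, G, unopened, x))
               for x in (honest, cheat)]
    all_pairs = list(combinations(range(1, M + 1), 2))
    return results, len(coms), len(alice_setup(all_pairs)[2])

if __name__ == "__main__":
    print(demo())   # ([[], [(4, 5, 0)]], 36, 60)
```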
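
The cheating strategy of slide 28 and the choice of m on slide 26, as an added example that is not part of the original slides: it computes the exact probability that Bob's challenge misses every bad circuit, confirms it by simulating the cut-and-choose step, and finds the smallest m that pushes this one strategy below a target. The function names, the seed and the restriction to m divisible by 4 are assumptions of the example.

```python
from fractions import Fraction
from math import comb
import random

def escape_probability(m: int) -> Fraction:
    """Exact chance that Bob's m/2 opened circuits miss all m/4+1 bad ones."""
    bad = m // 4 + 1
    return Fraction(comb(m - bad, m // 2), comb(m, m // 2))

def bob_gets_wrong_output(m: int, rng: random.Random) -> bool:
    """One cut-and-choose run against the slide-28 strategy."""
    bad = set(range(m // 4 + 1))                # circuits computing 1 - f(x,y)
    opened = set(rng.sample(range(m), m // 2))  # Bob's random challenge
    if opened & bad:
        return False                            # bad circuit opened: Bob aborts
    unopened = set(range(m)) - opened
    wrong_votes = len(unopened & bad)
    return 2 * wrong_votes > len(unopened)      # majority output is 1 - f

def simulate(m: int, trials: int, seed: int = 1) -> float:
    """Fraction of simulated runs in which Bob outputs the wrong value."""
    rng = random.Random(seed)
    return sum(bob_gets_wrong_output(m, rng) for _ in range(trials)) / trials

def smallest_m(target: Fraction) -> int:
    """Smallest multiple of 4 for which this one strategy succeeds with
    probability below target (a necessary condition on m, not a proof)."""
    m = 4
    while escape_probability(m) >= target:
        m += 4
    return m

if __name__ == "__main__":
    for m in (8, 16, 40, 80):
        p = escape_probability(m)
        print(f"m={m:3d}  exact={float(p):.3e}  2^-(m/4)={2 ** -(m / 4):.3e}")
    print("simulated, m=8:", simulate(8, 50_000))
    print("m needed for 2^-40:", smallest_m(Fraction(1, 2 ** 40)))
```

Because each of the m/4+1 bad circuits survives the challenge with probability at most 1/2, the exact value always sits below $2^{-m/4}$, which is why this strategy only shows the bound is almost tight.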
