1 / 18

Quid-Pro-Quo- tocols Strengthening Semi-Honest Protocols with Dual Execution

Quid-Pro-Quo- tocols Strengthening Semi-Honest Protocols with Dual Execution. Yan Huang 1 , Jonathan Katz 2 , David Evans 1 1. University of Virginia 2. University of Maryland. Picture logos instead of footnotes. Secure Two-Party Computation. Bob’s Genome: ACTG…

purity
Download Presentation

Quid-Pro-Quo- tocols Strengthening Semi-Honest Protocols with Dual Execution

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Quid-Pro-Quo-tocolsStrengthening Semi-Honest Protocols with Dual Execution Yan Huang1, Jonathan Katz2, David Evans1 1. University of Virginia 2. University of Maryland Picture logos instead of footnotes

  2. Secure Two-Party Computation Bob’s Genome: ACTG… Markers (~1000): [0,1, …, 0] Alice’s Genome: ACTG… Markers (~1000): [0, 0, …, 1] Alice Bob Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?

  3. Faster Garbled Circuits (Semi-honest) Circuit-Level Application Circuit Structure Circuit Structure GC Framework (Generator) GC Framework (Evaluator) Pipelining: gates evaluated as they are generated Garbled evaluation can be combined with normal execution Circuit-level optimizations

  4. Results for Semi-honest Protocols Performance Scalability Non-free gates per millisecond Largest circuit executed (non-free gates) Applications biometric identification (5x speedup) [NDSS 2011] Hamming distance (4000x), Edit distance (30x), Smith-Waterman, AES Encryption (16x) [USENIX Sec 2011] private set intersection (faster than best custom protocols) [NDSS 2012]

  5. Standard Threat Models Semi-Honest: Adversary follows the protocol as specified, but tries to learn more from the protocol execution transcript Malicious: Adversary can do anything, guarantees correctness and privacy Reasonable performance, unreasonable assumptions Reasonable assumptions, unreasonable performance

  6. Security Properties Privacy Nothing is revealed other than the output Correctness The output of the protocol is indeed f(x,y) Generator Evaluator Malicious-resistant OT Semi-Honest GC How can we get both correctness, while maintaining privacy?

  7. How about Dual Execution?

  8. Dual Execution Protocol Alice Bob first round execution (semi-honest) generator evaluator =f(x, y) second round execution (semi-honest) evaluator generator =f(x, y) , learned output wire labels fully-secure equality test ,learned output wire labels Pass if =and correct wire labels [Mohassel and Franklin, PKC’06]

  9. Security Properties Correctness: guaranteed by authenticated, secure equality test Privacy: Leaks one (extra) bit on average adversarial circuit generator provides a circuit that fails on ½ of inputs Malicious generator can achieve either one of the following, but not both 1. Decrease likelihood of being caught, 2.Increase information leaked when caught On average, it is a 1-bit leak.

  10. Equality Test , an -bit value , an -bit value , an -entry array of labels corresponding to ,an -entry array of labels corresponding to

  11. One-sided Equality Test Allows Bob to convince Alice that they share the same secret value Randomly generate , then compute , accept iff Need to run this 2-round protocol twice (parallelizable as well) to accomplish the full equality test.

  12. Proving Security: Malicious Show equivalence Ideal World Real World A B A B y x Trusted Party in Ideal World y x Secure Computation Protocol Corrupted party behaves arbitrarily Receives: f (x, y) Standard Malicious Model: can’t prove this for Dual Execution

  13. Proof of Security: One-Bit Leakage Ideal World B A y x Trusted Party in Ideal World g R  {0, 1} gis an arbitrary Boolean function selected by malicious adversary A Adversary receives: g(x, y) and optionally f (x, y) Can prove equivalence to this for Dual Execution protocols

  14. 1-bit Leak Circuit structure can be checked by evaluator (including free XORs) Design circuit to limit malicious generator’s ability to partition input space. Challenge: can lie about inputs also Open Question: Can we have more confidence on which one bit is not leaked? Victim’s input space Inputs of attacker’s interest, modeled with predicate

  15. Delayed Revelation Goal: do not reveal output to either party, unless the equality test passes Solution: check equality of output wires using a secure circuit that outputs results This circuit is also executed as a Dual Execution protocol!

  16. Dual Execution Protocol Alice Bob first round execution (semi-honest) generator evaluator =f(x, y) Recall: work to generate is 3x work to evaluate! second round execution (semi-honest) evaluator generator =f(x, y) , learned output wire labels fully-secure equality test ,learned output wire labels Pass if =and correct wire labels

  17. Performance [Kreuter et al., USENIX Security 2012] Circuits of arbitrary sizes can be done this way

  18. Summary first round execution (semi-honest) =f(x, y) second round execution (semi-honest) =f(x, y) fully-secure, authenticated equality test Provides full correctness and maximum one-bit average leakage against fully malicious adversaries (formal proof using ideal/real world model) With pipelining framework, almost free with dual-core, 40-50% over semi-honest protocol with one core. www.MightBeEvil.org

More Related