fse 2018 modes of operations for computing on encrypted data · 1 dragos rotaru, n.p. smart, m....

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering1

FSE 2018

Modes of operations for computing on encrypted data

Dragos Rotaru, N.P. Smart, and Martijn Stam

KU Leuven, University of Bristol

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering2

Multiparty computation hijacks FSE’18

Dragos Rotaru 2

Goal: Compute F(a, b, c)

a c

b

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering3

What is the problem?

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering4

What is the problem?

42 42 42 42

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering5

What is the problem?

42 42 42 42

Enc Enc Enc

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering6

What is the problem?

42 42 42

Enc(42)

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering7

What is the problem?

42 42 42

Enc(42)

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering8

What is the problem?

42 42 42

Enc(42) Tag(E(42))

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering9

What is the problem?

Enc(42) Tag(E(42))

For free: detect malicious

encryption keys.

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering10

Prior work – PRFs in MPC (CCS’16)

Enc(42) Tag(Enc(42))

- MiMC

- Legendre PRF

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering11

Prior work – PRFs in MPC (CCS’16)

Enc(42) Tag(Enc(42))

M[1]

Enc

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering12

Prior work – PRFs in MPC (CCS’16)

Enc(42) Tag(Enc(42))

M[1] M[2]

Enc

+

Enc

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering13

Prior work – PRFs in MPC (CCS’16)

Enc(42) Tag(Enc(42))

M[1] M[2] M[3]

Enc

+ +

Enc Enc

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering14

Prior work – PRFs in MPC (CCS’16)

Enc(42) Tag(Enc(42))

M[1] M[2] M[3] M[4]

Enc

+ + +

Enc Enc EncTag

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering15

What we have done

• Analyze AE in Multiparty Computation (MPC).

• Useful MPC happens in Fp => Need AE and PRFs modp.

• Look for parallel AE: CTR+PMAC, OTR.

[42] Enc(42) Tag(42)

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering16

The story

This Photo by Unknown Author is licensed under CC BY-NC-ND

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering17

The story

‘You take the blue pill—the story ends, you wake up in your

bed and believe whatever you want to believe.

You take the red pill—you stay in Wonderland, and I show

you how deep the rabbit hole goes.’

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering18

The story

‘You take the blue pill—the story ends, you wake up in your

bed and believe whatever you want to believe.

You take the red pill—you stay in Wonderland, and I show

you how deep the rabbit hole goes.’

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering19

Down the rabbit hole - MPC with Secret Sharing

𝑥 = 𝑥1 +⋯+ 𝑥𝑛Each 𝑃𝑖 has 𝑥 ← 𝑥𝑖

𝑥 ← 𝑥1

𝑥 ← 𝑥2

𝑥 ← 𝑥3

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering20

MPC Preprocessing Phase

Generate triples

[c] = [a][b]

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering21

MPC Preprocessing Phase

Generate triples

[c] = [a][b]

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering22

MPC Preprocessing Phase

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering23

MPC Preprocessing Phase

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering24

MPC Online Phase

Use Triples.

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering25

MPC Online Phase

Use Triples.

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering26

MPC Circuit Evaluation

X Y Z

X

Y

Z

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering27

MPC Circuit Evaluation

X Y Z

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering28

MPC Circuit Evaluation

X Y Z

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering29

MPC Circuit Evaluation

X Y Z

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering30

MPC Circuit Evaluation

3 triples.

2 comm. rounds

X Y Z

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering31

Tweak your encryption to MPC

Reveal

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering32

Tweak your encryption to MPC

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering33

Tweak your encryption to MPC

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering34

How-to compute PMAC

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering35

Let’s do AE with CTR+pPMAC

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering36

Let’s do AE with CTR+pPMAC

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering37

When ideal meets real

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering38

When ideal meets real – surprise!

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering39

When ideal meets real – surprise!

Legendre

MiMC

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering40

Other competitive modes

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering41

Other competitive modes

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering42

• Preprocessing scales linearly in terms of number of

message blocks - roughly n PRFs for n messages.

• Number of rounds of a cipher vs. multiplicative depth in

MPC.

Some open problems

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering43

Thank you!

Dragos Rotaru, N.P. Smart, M. Stam imec-Cosic, Dept. Electrical Engineering44

• Questions?

Thank you!