efficient secure two-party computation using symmetric cut-and-choose
DESCRIPTION
Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries. Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose. Yehuda Lindell Bar-Ilan University. Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia. - PowerPoint PPT PresentationTRANSCRIPT
Yan Huang, Jonathan Katz, David EvansUniversity of Maryland, University of Virginia
Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose
Yehuda LindellBar-Ilan University
Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries
Secure Two-Party Computation
• Two parties with private inputs x and y• Compute a joint function of their inputs while
preserving– Privacy– Correctness– Independence of inputs
2
Adversaries and Security
• Semi-honest: follow protocol description but attempt to learn more than allowed– Highly efficient, but weak guarantee
• Malicious: run any arbitrary attack strategy– Much more expensive
• Covert: behave maliciously and may succeed, but will be caught with a guaranteed probability
3
Yao’s Protocol (Semi-Honest)Alice Bob
Compute f(x,y)(learn nothing else)
Garbled (encrypted)
circuit
Security for Malicious
• Alice may not construct the circuit correctly• Solution – cut-and-choose
5
The Cut-and-choose Paradigm
6
The Cut-and-choose Paradigm
7
The Cut-and-choose Paradigm
8
Majority
Final output
The Cost
• How many circuits are needed to make sure that the majority are correct?– With s circuits, probability of cheating is 2-0.311s
[LP11] or 2-0.32s [sS11]– For error 2-40, need approximately 125 circuits– For error 2-80, need approximately 250 circuits
• This is a very heavy price!
9
These Two Works
• Aim: reduce the number of garbled circuits needed1. Lindell: s circuits + some small additional
overhead for 2-s error2. Huang-Katz-Evans: s circuits per party in parallel
for 2-s error
• Cut-and-choose opens up many other problems (input consistency etc.); we focus on the main issue of number of circuits
10
Lindell’s Solution – The Main Idea
• Why majority?– A malicious Alice can make most circuits correct
and a few not– The incorrect circuits can compute the function if
Bob’s input meets some condition; otherwise compute garbage
– Bob aborts if it gets different outputs:• If Bob aborts, Alice knows that Bob’s input does not
meet the condition• If Bob does not abort, Alice knows that Bob’s input
meets the condition11
Lindell’s Solution – The Main Idea
• Make cheating possible only if all checked circuits are correct and all evaluated circuits are incorrect– This yields error 2-s for s circuits
• How?– Alice and Bob run a small secure computation in
addition– If Bob received two different outputs in two different
circuits, it learns Alice’s input– In this case, Bob computes f(x,y) itself– Alice doesn’t know which case happened
12
Lindell’s Solution – The Main Idea
• The secure computation– Yao’s circuit for malicious (e.g., LP11)– Number of non-XOR gates is only the number of
bits in Alice’s input (very small circuit)• Input consistency and other issues are dealt
with as in other works– These other parameters are not optimized in the
paper– This will be discusses in the next talk; their
solutions can be applied here13
Lindell’s Solution – More Details
• The garbled values on the output wires are secret (this has been used for secure delegation)
• If Bob learns two garbled values on a single output wire (in different circuits), then Alice must have been cheating– This is a proof that Alice cheated
• The secure computation checks if Bob has two such values and outputs Alice’s input x to Bob if yes
• This circuit can be made very small, and Alice can be forced to use the same input
14
Huang-Katz-Evans Solution
• Observation– One of the two parties is honest, all circuits
generated by him is correct
• Approach– Let each party generate half of the circuits– Suffices to ensure at least one good evaluation
circuit is generated by the adversary
15
16
17
A party uses consistent inputs in both roles
Securely combine both parties’ results to obtain the final output
Input Consistency – The Goal
18
Evaluator / OT Receiver
Generator
The discrete log of C is unknown.
[Naor and Pinkas, SODA2001]
Input Consistency – The Idea
19
Evaluator / OT Receiver
Generator
Final output
Goal: Derive the final output from both parties’ circuit evaluation results
20
Output Revelation Verifiable Secret Sharing
21
Generator picks a pair of secrets (s0, s1)randomly
with threshold:
Output Revelationcircuit check
22
sharing threshold:
Output Revelationcircuit evaluation
23
sharing threshold:
Output Revelationsecure equality test
24
(s0,s1)
One and only one of the 2 tests can succeed.
(s’0,s’1)
(s0, s’0)Output 0
(s0, s’0)
(s1, s’1)Output 1
(s1, s’1)
Conclusions
Actively secure two party computation can be done with reduced number of circuits via either punishing the cheater or symmetric cut-and-choose.