Revisiting the efficiency of malicious two party computation David Woodruff MIT

Posted on 27-Mar-2015

Page 1

Revisiting the efficiency of malicious two party computation

David Woodruff

MIT

Page 2

Secure function evaluation

Alice holds x ∈ {0,1}^n, Bob holds y ∈ {0,1}^n

What is f(x,y)?

Security: neither party learns more about the other's input than what follows from his/her own input and f(x,y)

Page 3

Application – secure data mining

For medical research, hospitals want to mine their joint data

Patient confidentiality imposes strict laws on what can be shared. Mining cannot leak anything sensitive

Page 4

American application

• Government has terrorist patterns it looks for in airline and credit card repositories

• Repository holders don’t want to reveal information about their users due to user confidentiality

• Government doesn’t want to reveal its search patterns, as otherwise terrorists could change their behavior


Page 5

Security models

Semi-honest: parties follow their instructions but try to learn more than what is prescribed

Malicious: parties deviate from the protocol arbitrarily
– Use a different input
– Force other party to output wrong answer
– Abort before other party learns answer

Difficult to achieve security in malicious model…

Page 6

Security in the semi-honest model

[Yao] Any function f(x,y) that can be computed with a circuit of size C can be securely computed in the semi-honest model with communication O(C)

[Figure: circuit for f(x,y) = (x1 ∧ y1) ∨ (x2 ∧ y2), two AND gates on (x1, y1) and (x2, y2) feeding one OR gate]

Page 7

Security in the malicious model

[Figure: Protocol secure in the semi-honest model → Protocol secure in the malicious model]

[GMW] It suffices to design protocols secure in the semi-honest model

The parties follow the instructions of the protocol. Don't need to worry about "weird" behavior.

What about efficiency?

Page 8

Efficiency

• How to achieve secure function evaluation in the malicious model efficiently
– communication
– modular exponentiations
– symmetric key operations

• Previous work
– [GMW] – if circuit size is C, achieve poly(C) communication and computation
– Inefficient in practice
– Many problem-specific solutions exist

Page 9

Recent work

• [MNPS, MF, LP] design new compilers, transforming Yao’s protocol with semi-honest security to a protocol secure in the malicious model

• Very efficient theoretically, and in practice

• All based on the cut-and-choose technique

Page 10

Yao's semi-honest protocol

Create a garbled circuit:

f(x,y) = (x1 ∧ y1) ∨ (x2 ∧ y2)

[Figure: the circuit with its wires numbered 1–7: x1, y1, x2, y2 are wires 1–4, the two AND outputs are wires 5 and 6, and the OR output is wire 7]

Keys: K(1,0), K(1,1); K(2,0), K(2,1); K(3,0), K(3,1); K(4,0), K(4,1); K(5,0), K(5,1); K(6,0), K(6,1); K(7,0), K(7,1)

Garbled table for the AND gate with input wires 1, 2 and output wire 5:
E_{K(1,1), K(2,0)}(K(5,0))
E_{K(1,1), K(2,1)}(K(5,1))
E_{K(1,0), K(2,0)}(K(5,0))
E_{K(1,0), K(2,1)}(K(5,0))

Output table for wire 7:
E_{K(7,0)}(0)
E_{K(7,1)}(1)

Page 11

Yao's semi-honest protocol

Alice:
1. Write f as a circuit.
2. Create a garbled circuit. Send Bob the tables corresponding to each gate, and the keys representing Alice's input.

Bob:
1. Run oblivious transfer to privately get the keys representing Bob's input.
2. Use the tables to locally evaluate the circuit.
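As an added worked example (not code from the talk), the following Python implements the garbled circuit of the previous two slides for f(x,y) = (x1 ∧ y1) ∨ (x2 ∧ y2), with the same wire numbering and per-wire keys K(w,0), K(w,1). The concrete encryption is an assumption: each table row is (output key || zero block) XORed with a SHA-256 pad derived from the two input keys, so the evaluator can tell which single row it is able to open; there is no point-and-permute, and oblivious transfer is replaced by handing the simulated Bob his keys directly. All names in the block are made up for this example.

```python
# Added example (not from the talk): a minimal garbled circuit for the slide's
# f(x,y) = (x1 AND y1) OR (x2 AND y2), using the same wire numbering and keys.
# Assumed simplifications: a table row is (output key || zero tag) XORed with a
# SHA-256 pad derived from the two input keys, so the evaluator recognises the one
# row it can open; no point-and-permute; oblivious transfer is replaced by handing
# Bob his keys directly inside the simulation.
import hashlib
import random
import secrets
from itertools import product

KEY_LEN = 16
TAG = bytes(KEY_LEN)  # all-zero block: a row decrypts "cleanly" only under the right keys

# Wires 1..4 are x1, y1, x2, y2; wires 5, 6 are the AND outputs; wire 7 is the OR output.
GATES = [("AND", 1, 2, 5), ("AND", 3, 4, 6), ("OR", 5, 6, 7)]
ALICE_WIRES, BOB_WIRES, OUTPUT_WIRE = (1, 3), (2, 4), 7
GATE_FN = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b}


def _pad(k_a: bytes, k_b: bytes, gate_id: int) -> bytes:
    """32-byte pad bound to the two input keys and the gate index."""
    return hashlib.sha256(k_a + k_b + gate_id.to_bytes(2, "big")).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def garble():
    """Alice: two random keys K(w,0), K(w,1) per wire, one shuffled 4-row table per
    gate, E_{K(a,ba),K(b,bb)}(K(out, g(ba,bb))), and an output table E_{K(7,b)}(b)."""
    keys = {w: (secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)) for w in range(1, 8)}
    tables = []
    for gate_id, (op, a, b, out) in enumerate(GATES):
        rows = []
        for bit_a, bit_b in product((0, 1), repeat=2):
            out_key = keys[out][GATE_FN[op](bit_a, bit_b)]
            rows.append(_xor(_pad(keys[a][bit_a], keys[b][bit_b], gate_id), out_key + TAG))
        random.shuffle(rows)  # hide which row belongs to which input pair
        tables.append(rows)
    output_table = [(hashlib.sha256(keys[OUTPUT_WIRE][bit]).digest(), bit) for bit in (0, 1)]
    random.shuffle(output_table)
    return keys, tables, output_table


def evaluate(tables, output_table, input_keys):
    """Bob: holding exactly one key per input wire, open one row per gate in order,
    then map the output-wire key back to a bit. Raises if a key is wrong."""
    wire_keys = dict(input_keys)
    for gate_id, (_, a, b, out) in enumerate(GATES):
        pad = _pad(wire_keys[a], wire_keys[b], gate_id)
        opened = [pt[:KEY_LEN] for pt in (_xor(ct, pad) for ct in tables[gate_id]) if pt[KEY_LEN:] == TAG]
        if len(opened) != 1:
            raise ValueError(f"gate {gate_id}: {len(opened)} rows opened, expected 1")
        wire_keys[out] = opened[0]
    digest = hashlib.sha256(wire_keys[OUTPUT_WIRE]).digest()
    for h, bit in output_table:
        if h == digest:
            return bit
    raise ValueError("output key not recognised")


def plain_f(x, y):
    return (x[0] & y[0]) | (x[1] & y[1])


def run_protocol(x, y):
    """One semi-honest run: Alice garbles and sends her input keys; Bob's keys
    would arrive via oblivious transfer (abstracted here), then Bob evaluates."""
    keys, tables, output_table = garble()
    input_keys = {w: keys[w][bit] for w, bit in zip(ALICE_WIRES, x)}
    input_keys.update({w: keys[w][bit] for w, bit in zip(BOB_WIRES, y)})  # stands in for OT
    return evaluate(tables, output_table, input_keys)


def check_all_inputs():
    """True iff every one of the 16 (x, y) pairs evaluates to f(x, y)."""
    return all(run_protocol(x, y) == plain_f(x, y)
               for x in product((0, 1), repeat=2) for y in product((0, 1), repeat=2))


if __name__ == "__main__":
    print("garbled evaluation matches f on all inputs:", check_all_inputs())
```

Bob sees one key per wire and one decryptable row per gate, so the only thing he learns beyond the output is the structure of the circuit; the zero tag is what lets him find the right row without knowing which input pair it encodes, and the per-gate index in the pad keeps rows of different gates from decrypting each other.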

Page 12

The cut-and-choose technique

Alice(x), Bob(y). Let C be a circuit for f(x,y)

Alice:
1. Let C1, …, Cm be independently garbled versions of C.
2. Send C1, …, Cm to Bob
3. Send Bob the keys for his challenged circuits.
4. Send the keys representing x for the unopened circuits

Bob:
1. Challenge Alice by asking her for all the keys of a random fraction of C1, …, Cm
2. Verify this fraction of opened circuits was garbled correctly
3. Run oblivious transfer to retrieve the keys representing y for each of the unopened circuits
4. Evaluate the unopened circuits, and print the majority output

Page 13

Things to worry about

• Some circuits are improperly garbled

• For some unopened Cj, Alice gives keys representing her input x, and for other unopened Cj she gives keys representing some other x’

• For some unopened Cj, Alice gives keys representing Bob’s input y, and for other Cj she gives keys representing some other y’

Page 14

High-level solutions

• By opening ½ of the circuits, guarantee the majority of the unopened circuits are correct

• By committing to the keys representing Alice’s inputs, guarantee Alice’s inputs are consistent

• By committing to the keys representing Bob’s inputs, guarantee Bob’s inputs are consistent

Page 15

Previous results

Scheme | Symmetric encryptions | Exponentiations | Communication complexity
Fairplay [MNPS] | O(g/) | O(I) | O(g/)
Committed-input [MF] | O(g ln 1/) | O(I ln 1/) | O(g ln 1/)
Equality-checker [MF] | O(g ln 1/ + I ln^2 1/) | O(I) | O(g ln 1/ + I ln^2 1/)
Lindell-Pinkas | O(g ln 1/ + I ln^2 1/) | O(I) | O(g ln 1/ + I ln^2 1/)

Let g be the # of gates, and I the # of inputs of circuit C

Let be a statistical security parameter bounding the probability that Alice can cheat in this framework

Page 16

Our new scheme

Scheme | Symmetric encryptions | Exponentiations | Communication complexity
Fairplay | O(g/) | O(I) | O(g/)
Committed-input | O(g ln 1/) | O(I ln 1/) | O(g ln 1/)
Equality-checker | O(g ln 1/ + I ln^2 1/) | O(I) | O(g ln 1/ + I ln^2 1/)
Lindell-Pinkas | O(g ln 1/ + I ln^2 1/) | O(I) | O(g ln 1/ + I ln^2 1/)
Expander-checker | O(g ln 1/) | O(I) | O(g ln 1/)

Page 17

Equality-checker [MF]

Alice(x), Bob(y). Let C be a circuit for f(x,y)

1. Alice lets C1, …, Cm be independently garbled versions of C, and sends C1, …, Cm to Bob

2. For each input wire i of Alice, each value b in {0,1}, and each pair of circuits Cr, Cs, Alice commits to the tuple (r, s, i, K(i, b)r, K(i, b)s) and sends the commitments to Bob

3. Bob chooses a random T ⊆ [m] of size m/2 and asks Alice to open the Cj with j ∈ T and, for r, s ∈ T, to open the commitments to (r, s, i, K(i,b)r, K(i,b)s)

With high probability, the majority of unopened circuits and commitments between them are correct! Thus, the majority of the unopened circuits are correct and Alice is forced to use consistent inputs

Page 18

Security intuition

• Alice commits to tuples (r, s, i, K(i, b)r, K(i, b)s)

• C1, …, Cm are the nodes of a complete graph. The tuple (r, s, i, K(i, b)r, K(i, b)s) is an edge between Cr and Cs

• Bob chooses some circuits to open

[Figure: complete graph on C1, …, C6, shown as a verification graph and an evaluation graph]

Page 19

Security intuition

• Say a circuit Cj is a bad vertex if it was garbled incorrectly

• Say a commitment to (r, s, i, K(i, b)r, K(i, b)s) is a bad edge if it was computed incorrectly

• If the complete graph contains many bad vertices and bad edges, then so will the verification graph

• Thus, if the verification test passes, with high probability the evaluation graph has few bad vertices and edges

Page 20

Our observation

• Suppose the evaluation graph has a large connected component K of good edges and good vertices.

• Then, by transitivity, all of Alice’s inputs are the same to the circuits in K, which are all correctly garbled circuits.

• Thus, as long as K contains at least m/4 good vertices, a majority of the unopened circuits will be correct and have the same input from Alice.

• In the real-ideal model, the simulator for Alice can send the majority input to the trusted party.

Page 21

Expander graphs

• Expanders are d-regular, well-connected graphs, where d = O(1).

• Let A be the adjacency matrix for an expander G, with eigenvalues d = |λ1| ≥ |λ2| ≥ … ≥ |λn|

• Expander-mixing lemma:

For any X, Y ⊆ V, |e(X,Y) – d|X||Y|/n| ≤ |λ2|·(|X||Y|)^(1/2).

• Induced subgraphs of expanders contain large connected components.

Page 22

Our expander

• Instead of committing to all (r, s, i, K(i, b)r, K(i, b)s), fix an expander G on vertices 1, …, m, and only commit to (r, s, i, K(i, b)r, K(i, b)s) for which {r, s} is an edge of G.

[Figure: expander G on C1, …, C6, shown as a verification graph and an evaluation graph; in the evaluation graph C1, C4 and C5 are joined by two edges]

If the two edges in the evaluation graph are good, then C1, C4, and C5 all have the same Alice input

Page 23

Efficiency and security

• Instead of sending O(Im^2) commitments, one for each tuple (r, s, i, K(i,b)r, K(i,b)s), we send O(I|G|) = O(Im), one for each (r, s, i, K(i,b)r, K(i,b)s) for which {r, s} is an edge of G.

• Since G is an expander, for any subset of m/2 vertices Bob chooses, the evaluation graph has a large component of correct circuits for which Alice has to use the same input
– Proof uses expander-mixing lemma

• Thus, the security is the same as in Equality-checker

Page 24

Protocol sketch

1. Alice creates garbled circuits C1, …, Cm

2. For Alice's input wires i, b ∈ {0,1}, and pairs of circuits Cr, Cs for which {r, s} is an edge of G, Alice commits to (r, s, i, K(i, b)r, K(i, b)s)

3. For Bob's input wires i, b ∈ {0,1}, and Cj, Alice commits to (j, i, K(i, b)j)

4. Bob chooses a random T ⊆ [m] and asks Alice to open Cj and the commitments to (j, i, K(i,b)j) with j ∈ T. For {r, s} ∈ G(T), she opens the commitments to (r, s, i, K(i,b)r, K(i,b)s) and Bob verifies correctness

5. Alice sends the keys for her inputs to the unopened circuits. Bob uses the commitments to (r, s, i, K(i,b)r, K(i,b)s) to verify consistency

6. Bob uses oblivious transfer to receive the keys for his input and uses the commitments to (j, i, K(i, b)j) to verify consistency

7. Bob evaluates the unopened circuits, and prints the majority output

Page 25

Efficiency

• Communication = O(m|C| + mI) = O(mg)

• Symmetric encryptions = O(m|C| + mI) = O(mg)

• Modular exponentiations = O(mI) naively, but can use a single oblivious transfer to retrieve m/2 keys at once, K(i, b)1, …, K(i, b)m/2

• Thus, modular exponentiations = O(I).

Page 26

Setting m

• Theorem: Alice can cheat with probability at most 2^(-m/4) +
– = O(m ln d / d^(1/2))
– To be less than , should set m = O(ln 1/)

• This is almost tight, since we give a strategy to cheat with almost the same probability

• We prove Equality-checker has almost the same cheating probability, so Expander-checker is not much worse for the same values of m
– Our result improves and corrects the efficiency analysis of [MF]

Page 27

Main theorem

• Theorem: Alice cheats with probability at most 2^(-m/4) +

• Proof:
– Alice commits to a labeled expander G, where vertices and edges are labeled either bad or good
– If Alice can cheat, V(G) = S ∪ B ∪ C1 ∪ C2 ∪ … ∪ Cr
  • S is a set of size m/2
  • B is a set of incorrectly-garbled circuits
  • Ci is a set of circuits receiving the same Alice input
  • For all i, |Ci| ≤ m/4
– Edges between Ci and Cj in G with i ≠ j are bad edges
– Bound the probability that Bob does not sample a vertex in B or the endpoints of a bad edge.
  • Expander-mixing lemma implies if many of Bob's samples lie in Ci and many lie in Cj, he will obtain endpoints of a bad edge

Page 28

A simple cheating strategy

• Let f(x,y) = 1 iff the Hamming distance between x and y is smaller than n/10

• Alice creates m/4+1 circuits which compute 1-f(x,y), and 3m/4-1 circuits computing f(x,y)

• With probability (3m/4-1 choose m/2)/(m choose m/2) = 2^(-O(m)), Bob doesn't sample the bad circuits, and thus gets the wrong answer, namely 1-f(x,y)

Page 29

Open questions

• Our hidden constants are large
– Cheating probability = 2^(-m/4) + , where = O(m ln d / d^(1/2))
– Is our scheme impractical or is this because of a loose analysis?
– Is Equality-checker with our improved efficiency analysis the most practical to date?

• Find d-regular graphs such that any two sets of vertices of size O(m/d) have an edge between them.

• Lindell and Pinkas give a protocol with a more formal security analysis than that given for Equality-checker. Seems our "expander-commitments" can also be used there

Page 30

Thank you!