1 / 25

Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose

Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries. Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose. Yehuda Lindell Bar-Ilan University. Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia.

odin
Télécharger la présentation

Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose Yehuda Lindell Bar-Ilan University Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia

  2. Secure Two-Party Computation • Two parties with private inputs x and y • Compute a joint function of their inputs while preserving • Privacy • Correctness • Independence of inputs

  3. Adversaries and Security • Semi-honest: follow protocol description but attempt to learn more than allowed • Highly efficient, but weak guarantee • Malicious: run any arbitrary attack strategy • Much more expensive • Covert: behave maliciously and may succeed, but will be caught with a guaranteed probability

  4. Yao’s Protocol (Semi-Honest) Bob Alice Garbled (encrypted) circuit Compute f(x,y) (learn nothing else)

  5. Security for Malicious • Alice may not construct the circuit correctly • Solution – cut-and-choose

  6. The Cut-and-choose Paradigm

  7. The Cut-and-choose Paradigm

  8. The Cut-and-choose Paradigm Final output Majority

  9. The Cost • How many circuits are needed to make sure that the majority are correct? • With s circuits, probability of cheating is 2-0.311s [LP11] or 2-0.32s [sS11] • For error 2-40, need approximately 125 circuits • For error 2-80, need approximately 250 circuits • This is a very heavy price!

  10. These Two Works • Aim: reduce the number of garbled circuits needed • Lindell:s circuits + some small additional overhead for 2-s error • Huang-Katz-Evans:s circuits per party in parallel for 2-s error • Cut-and-choose opens up many other problems (input consistency etc.); we focus on the main issue of number of circuits

  11. Lindell’s Solution – The Main Idea • Why majority? • A malicious Alice can make most circuits correct and a few not • The incorrect circuits can compute the function if Bob’s input meets some condition; otherwise compute garbage • Bob aborts if it gets different outputs: • If Bob aborts, Alice knows that Bob’s input does not meet the condition • If Bob does not abort, Alice knows that Bob’s input meets the condition

  12. Lindell’s Solution – The Main Idea • Make cheating possible only if all checked circuits are correct and all evaluated circuits are incorrect • This yields error 2-s for s circuits • How? • Alice and Bob run a small secure computation in addition • If Bob received two different outputs in two different circuits, it learns Alice’s input • In this case, Bob computes f(x,y) itself • Alice doesn’t know which case happened

  13. Lindell’s Solution – The Main Idea • The secure computation • Yao’s circuit for malicious (e.g., LP11) • Number of non-XOR gates is only the number of bits in Alice’s input (very small circuit) • Input consistency and other issues are dealt with as in other works • These other parameters are not optimized in the paper • This will be discusses in the next talk; their solutions can be applied here

  14. Lindell’s Solution – More Details • The garbled values on the output wires are secret(this has been used for secure delegation) • If Bob learns two garbled values on a single output wire (in different circuits), then Alice must have been cheating • This is a proof that Alice cheated • The secure computation checks if Bob has two such values and outputs Alice’s input x to Bob if yes • This circuit can be made very small, and Alice can be forced to use the same input

  15. Huang-Katz-Evans Solution • Observation • One of the two parties is honest, all circuits generated by him is correct • Approach • Let each party generate half of the circuits • Suffices to ensure at least one good evaluation circuit is generated by the adversary

  16. Securely combine both parties’ results to obtain the final output A party uses consistent inputs in both roles

  17. Input Consistency – The Goal Generator Evaluator / OT Receiver [Naor and Pinkas, SODA2001] The discrete log of C is unknown.

  18. Input Consistency – The Idea Generator Evaluator / OT Receiver

  19. Final output Goal: Derive the final output from both parties’ circuit evaluation results

  20. Output Revelation Verifiable Secret Sharing Generator picks a pair of secrets (s0, s1)randomly with threshold:

  21. Output Revelationcircuit check sharing threshold:

  22. Output Revelationcircuit evaluation sharing threshold:

  23. Output Revelationsecure equality test Output 0 (s0, s’0) (s0, s’0) Output 1 (s1, s’1) (s0,s1) (s1, s’1) (s’0,s’1) • One and only one of the 2 tests can succeed.

  24. Conclusions Actively secure two party computation can be done with reduced number of circuits via either punishing the cheater or symmetric cut-and-choose.

More Related