Multi-Party 2 Computation Part 3

Size: px

Start display at page:

Download "Multi-Party 2 Computation Part 3"

Wilfred Golden
5 years ago
Views:

1 ECRYPT.NET Cloud Summer School Multi-Party 2 Computation Part 3 Claudio Orlandi, Aarhus University

2 Plan for the next 3 hours Part 1: Secure Computation with a Trusted Dealer Warmup: One-Time Truth Tables Evaluating Circuits with Beaver s trick MAC-then-Compute for Active Security Part 2: Oblivious Transfer OT: Definitions and Applications Passive Secure OT Extension OT Protocols from DDH (Naor-Pinkas/PVW) Part 3: Garbled Circuits GC: Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active security 101: simple-cut-and choose, dual-execution

3 Part 3: Garbled Circuits GC: Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active security 101: simple-cut-and choose, dual-execution

4 Garbled Circuit Cryptographic primitive that allows to evaluate encrypted functions on encrypted inputs

5 r Garbled Circuits d Values in a box are garbled f x Gb e En [F] [X] Ev [Z] De z Correct if z=f(x)

6 Alice Application 1: Delegation via GC Bob(x) [F] ([F],e,d) ßGb( f,r ) [X] [X]ßEn(e,x) [Z]ßEv([F],[X]) [Z] z=de(d,[z])

7 Alice Application 1: Delegation via GC Bob(x) [F] ([F],e,d) ßGb( f,r ) Authenticity: If A is corrupted and [Z*] ß A([F],[X]), then De([Z*],d) is f(x) or ^ [X] [Z*] [X]ßEn(e,x) z*=de(d,[z*])

8 Garbled Circuits: Authenticity r d f x Gb e En [F] [X] Ev [Z*] De z* z*=f(x) OR z*= abort

9 Application 2: Passive Constant Round 2PC (Yao) Alice(x) Bob(y) x [X] 2PC (OT) e ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [Z]ßEv([F],[X],[Y]) [F], [Y], d z=de(d,[z])

10 Application 2: Passive Constant Round 2PC (Yao) Alice(x) Bob(y) x [X] 2PC (OT) e ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [Z]ßEv([F],[X],[Y]) [F], [Y], d z=de(d,[z]) Bob learns nothing about x!

11 Application 2: Passive Constant Round 2PC (Yao) Alice(x) Bob(y) x [X] 2PC (OT) e ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [Z]ßEv([F],[X],[Y]) [F], [Y], d z=de(d,[z]) How much information is leaked by GC?

12 Garbled Circuits: Privacy r d f x Gb e Or even less/no info about f En [F] [X] Ev [Z] Exist Sim s.t. ([F],[X],d) ~ Sim(f,f(x)) De z

13 Part 3: Garbled Circuits Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active security 101: simple-cut-and choose, dual-execution

14 Garbling: Gate-by-gate [x 1 ] [y 1 ] [x 2 ] [y 2 ] [x 3 ] [y 3 ] [x 4 ] [y 4 ] [x 5 ] [y 5 ] [w] w +e z * [w+e] 14

15 PROJECTIVE SCHEMES: CIRCUIT BASED GARBLING/EVALUATIONS

16 Garbling a Circuit : ([F],e,d)ß Gb(f) K 1 0,K 1 1 K 2 0,K 2 1 L 0,L 1 R 0,R 1 K 0,K 1 Z 0,Z 1 Choose 2 random keys K i 0,K i 1 for each wire in the circuit Input, internaland, output wires For each gate g compute gg ß Gb(g,L 0,L 1,R 0,R 1,K 0,K 1 ) Output e=(k i 0,K i 1) for all input wires d=(z 0,Z 1 ) [F]=(gg i ) for all gates i

17 Encoding and Decoding [X] = En(e,x) e={ K i 0, K i 1} x= { x 1,,x n } [X]={K 1 x1,,k n xn} z=de(d,[z]) d = { Z 0,Z 1 } [Z] = { K } z= 0 if K=Z 0, 1 if K=Z 1, abort else

18 Evaluating a GC : [Z]ß Ev([F],[X]) K 1 Parse [X]={K 1,,K n } K 2 gg 1 gg i gg i gg i gg i Parse [F]={gg i } L gg 2 K R gg i gg i gg i gg i For each gate i compute K ß Ev(gg i,l,r) gg n Output Z Z

19 INDIVIDUAL GATES GARBLING/EVALUATION

20 Notation L 0,L 1 R 0,R 1 gg A garbled gate is a gadget that given two inputs keys gives you the right output key (and nothing else) gg ß Gb(g,L 0,L 1,R 0,R 1,Z 0,Z 1 ) Z g(a,b) ß Ev(gg,L a,r b ) Z 0,Z 1 //and not Z 1-g(a,b)

21 Yao Gate Garbling (1) L R K NAND gate L K R 21

22 Yao Gate Garbling (2) L R K L 0 R 0 K 1 L 0 R 1 K 1 L 1 R 0 K 1 L R L 1 R 1 K 0 K Choose labels (e.g., 128 bits strings) for every value on every wire 22

23 Yao Gate Garbling (3) C C 1 = H(L 0,R 0 ) K 1 L R C 2 = H(L 0,R 1 ) K 1 C 3 = H(L 1,R 0 ) K 1 C 4 = H(L 1,R 1 ) K 0 K Encrypt the output key with the input keys 23

24 Yao Gate Garbling (4) C C 1 = H(L 0,R 0 ) (K 1,0 k ) C 2 = H(L 0,R 1 ) (K 1,0 k ) C 3 = H(L 1,R 0 ) (K 1,0 k ) L R C 4 = H(L 1,R 1 ) (K 0,0 k ) K Add redundancy (later used to check if decryption is successful) 24

25 Yao Gate Garbling (5) C C 1 = H(L 0,R 0 ) (K 1,0 k ) C 2 = H(L 0,R 1 ) (K 1,0 k ) C 3 = H(L 1,R 0 ) (K 1,0 k ) C 4 = H(L 1,R 1 ) (K 0,0 k ) L R C 1,C 2,C 3,C 4 = perm(c 1,C 2,C 3,C 4 ) K Permute the order of the ciphertexts (to hide information about inputs/outputs) 25

26 Yao Gate Evaluation (1) Eval(gg, L a, R b ) //not a,b For i=1..4 (K,t)=C i H(L a,r b ) If t=0 k output K Output is correct: t=0 k only for right row Evaluator learns nothing else: Encryption + permutation gg (permuted) C 1 = H(L 0,R 0 ) (K 1,0 k ) C 2 = H(L 0,R 1 ) (K 1,0 k ) C 3 = H(L 1,R 0 ) (K 1,0 k ) C 4 = H(L 1,R 1 ) (K 0,0 k ) 26

27 GARBLING OPTIMIZATIONS: POINT-AND-PERMUTE

28 Point-and-permute Problem: Evaluator needs to try to decrypt all 4 rows Solution: add permutation bits to keys (L 0, p) (L 1,!p) (R 0, q) (R 1,!q) gg ß Gb(g,L 0,L 1,p,R 0,R 1,q,Z 0,Z 1,r) (Z g(a,b),r g(a,b))ß Ev(gg,L a,a p,r b,b q) gg (Z 0, r) (Z 1,!r)

29 Point-and-permute Garbling (4) C C 1 = H(L 0,R 0 ) (K g(0,0), r g(0,0) ) C 2 = H(L 0,R 1 ) (K g(0,1), r g(0,1) ) C 3 = H(L 1,R 0 ) (K g(1,0), r g(1,0) ) L R C 4 = H(L 1,R 1 ) (K g(1,1), r g(1,1) ) K Remove redundancy Add random permutation bit 29

30 Point-and-permute Garbling (5) C C 1 = H(L p,r q ) (K g(p,q), r g(p,q) ) C 2 = H(L p,r!q ) (K g(p,!q), r g(p,!q) ) C 3 = H(L!p,R q ) (K g(!p,q), r g(!p,q) ) C 4 = H(L!p,R!q ) (K g(!p,!q), r g(!p,!q) ) Permute rows using p,q 30

31 Point-and-permute Evaluation Eval(gg, L, u, R, v) //not a,b (K,r)=C 2u+v H(L,R) C C 1 = H(L p,r q ) (K g(p,q), r g(p,q) ) C 2 = H(L p,r!q ) (K g(p,!q), r g(p,!q) ) Output is correct: (Check permutation) Privacy: u=p a, v=q b p,q are one time pads for a,b C 3 = H(L!p,R q ) (K g(!p,q), r g(!p,q) ) C 4 = H(L!p,R!q ) (K g(!p,!q), r g(!p,!q) ) 31

32 GARBLING OPTIMIZATIONS: SIMPLE GARBLED ROW REDUCTION

33 Point-and-permute Problem: each gg is 4 ciphertexts Solution: define output key pseudorandomly as functions of input keys, reduce comm. complexity L 0 L 1 R 0 R 1 (gg, Z 0,Z 1 ) ß Gb(g,L 0,L 1,R 0,R 1 ) (Z g(a,b) )ß Ev(gg,L a,r b ) gg Z 0 Z 1

34 Garbling a Circuit : ([F],e,d)ß Gb(f) K 1 0,K 1 1 K 2 0,K 2 1 L 0,L 1 R 0,R 1 K 0,K 1 Z 0,Z 1 Choose 2 random keys K i 0,K i 1 for each wire in the circuit Input wire only! For each gate g compute (gg,k 0,K 1 )ß Gb(g,L 0,L 1,R 0,R 1 ) Output e=(k i 0,K i 1) for all input wires d=(z 0,Z 1 ) [F]=(gg i ) for all gates i

35 Yao Gate Garbling (3) C C 1 = H(L 0,R 0 ) K 1 L R C 2 = H(L 0,R 1 ) K 1 C 3 = H(L 1,R 0 ) K 1 C 4 = H(L 1,R 1 ) K 0 K Encrypt the output key with the input keys 35

36 Garbled Row Reduction Garbling C K 1 = H(L 0,R 0 ) (C 1 =0 k ) L R C 2 = H(L 0,R 1 ) K 1 C 3 = H(L 1,R 0 ) K 1 C 4 = H(L 1,R 1 ) K 0 K Define output keys as function of input keys (compatible with p&p) Can reduce 2 rows, but 1 is compatible with Free-XOR (coming up!) 36

37 GARBLING OPTIMIZATIONS: FREE XOR

38 Free-XOR Problem: in BeDOZa linear gates are for free. What about GC? Solution: introduce correlation between keys, make XOR computation free L 0 L 1 =L 0 Δ R 0 R 1 =R 0 Δ (gg,z 0 ) ß Gb(g,L 0,R 0,Δ) (Z g(a,b) )ß Ev(gg,L a,r b ) gg Z 0 Z 1 =Z 0 Δ

39 Garbling a Circuit : ([F],e,d)ß Gb(f) K 1 0 K 2 0 Choose 1 random key K i 0 for each input wire in the circuit And global difference Δ L 0 R 0 K 0 For each gate g compute (gg,k 0 )ß Gb(g,L 0,R 0,Δ) Z 0,Z 1 Output e=(k i 0,K i 1) for all input wires d=(z 0,Z 1 ) [F]=(gg i ) for all gates i

40 Garbling non-linear gates Like before, but requires circular security assumption (Compatible with GRR and p&p) Example for AND gate Evaluator sees L 0, R 0, K 0, H(L 0 Δ, R 0 Δ) K 0 Δ And should not be able to compute Δ!

41 Garbling/Evaluating XOR Gates L 0 L 1 =L 0 Δ R 0 R 1 =R 0 Δ Gb(XOR,L 0,R 0,Δ) gg Z 0 Z 1 =Z 0 Δ (gg,,z 0 ) ß Gb(g,L 0,R 0,Δ) (Z g(a,b) )ß Ev(gg,L a,r b ) Output Z 0 =L 0 R 0 (gg is empty) Ev(XOR,L a,r b,δ) Output Z a b =L a R b L a R b = L 0 aδ R 0 bδ = Z 0 (a b)δ = Z a b

42 Part 3: Garbled Circuits Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active security 101: simple-cut-and choose, dual-execution

43 ACTIVE ATTACKS VS YAO

44 Yao s protocol Alice Bob x [X] OT e ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [Z]ßEv([F],[X],[Y]) [F], [Y], d z=de(d,[z]) Passive Security Only 1 GC! Constant round! Very fast!

45 Active security of Yao Alice Bob x [X] OT e ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [F], [Y], d Cannot really cheat!

46 Alice Active security of Yao (v2, Bob gets output) Bob x [X] OT e ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [F], [Y], d [Z*] z*=de(d,[z*]) Still can t cheat, authenticity!

47 Garbled Circuits: Authenticy r d f x Gb e En [F] [X] Ev [Z*] De z* For all corrupt Ev z*=f(x) or z*=abort

48 Active security of Yao Alice(x) Bob(y) x [X] OT e ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [Z]ßEv([F],[X],[Y]) [F], [Y], d z=de(d,[z]) What if B is corrupted?

49 Insecurity 1 (wrong f) Alice(x) Bob(y) x [X] OT e ([G],e,d) ßGb( g,r ) [Y]ßEn(e,y) [Z]ßEv([G],[X],[Y]) [G], [Y], d z=de(d,[z]) g!= f z!= f(x,y)

50 Insecurity 2 (selective failure) Alice(x) [Z]ßEv([G],[X],[Y]) z=de(d,[z]) x (K 0,K 1 ) ([F],e,d) ßGb( f,r ) [X]=K x OT [G], [Y], d Bob(y) [Y]ßEn(e,y)

51 Insecurity 2 (selective failure) Alice(x) Bob(y) x [X*] OT (K 0,K*) ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [Z*]ßEv([G],[X*],[Y]) [G], [Y], d z*=de(d,[z*]) x=0 à z*=f(x,y) x=1 à z*=abort

52 SIMPLE TRICKS FOR ACTIVE SECURITY

53 ZKGC (Alice proves f(x)=z) Alice(x) Bob( ) x [X] OT e ([F],e,d) ßGb( f,r ) [F] [Z]ßEv([F],[X]) [Z] z=de(d,[z]) Bob has no input!

54 ZKGC (Alice proves f(x)=z) Alice(?) Bob( ) x [X] OT e ([F],e,d) ßGb( f,r ) [F] [Z*] z*=de(d,[z*]) Authenticity!

55 ZKGC (Alice proves f(x)=z) Alice Bob x [X] OT e ([F],e,d) ßGb( f,r ) [F] [Z]ßEv([F],[X]) [Z] z=de(d,[z]) Corrupt B can change f with g. Break privacy!

56 ZKGC (Alice proves f(x)=z) Alice Bob Commitment x [X] OT e ([F],e,d) ßGb( f,r ) [F] [Z]ßEv([F],[X]) [Z] If [F]!=Gb(f,r) abort else r [Z] Opening z=de(d,[z]) Active security! Only 1 GC!

57 Cut-And-Choose

58 2PC, simple cut-and-choose Alice x e 1,e 2 OT Bob [X 1 ],[X 2 ] ([F] i,e i,d i ) ßGb( f,r i ) If Gb(f,r -j )!= [F] -j abort else [Z] j ßEv([F] j,[x] j,[y] j ) [F] 1,[F] 2,d 1,d 2 rand j r -j, [Y] j [Y] j ßEn(e j,y) z=de(d j,[z] j )

59 2PC, simple cut-and-choose Alice If Gb(f,r -j )!= [F] -j abort else [Z] j ßEv([F] j,[x] j,[y] j ) x e 1,e 2 [X 1 ],[X 2 ] OT [F] 1,[F] 2,d 1,d 2 rand j r -j, [Y] j Bob z=de(d j,[z] j ) Corrupt Bob only wins with probability 1/2

60 2PC, cut-and-choose Simple cut-and-choose Garble k, check k-1, evaluate 1. Security 1-1/k

61 Dual Execution

62 Alice [Z]ßEv([F],[X],[Y]) x OT e Bob [X] ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [F], [Y] ([F],e,d) ßGb( f,r ) [X]ßEn(e,x) e OT [F], [X] y [Y] [Z]ßEv([F],[X],[Y]) [Z],d [Z],d z/abort De(d,[Z]) == De(d,[Z]) z/abort

63 Alice x OT e Bob [X] ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [F], [Y] Authenticity à [Z] is the right output! e OT [F*], [X] y [Y] [Z*]ßEv([F*],[X],[Y]) [Z],d [Z*],d z/abort De(d,[Z]) == De(d,[Z]) z/abort f(x,y) or abort

64 Alice x OT e Bob [X] ([F],e,d) ßGb( f,r ) [Y]ßEn(e,y) [F], [Y] e OT [F*], [X] y [Y] [Z*]ßEv([F*],[X],[Y]) [Z],d z/abort De(d,[Z]) == De(d,[Z]) [Z*],d z/abort Selective failure [Z*]=[Z] iff y=0 è 1 bit leakage

65 Forge And Lose

66 2PC, forge-and-lose (idea) Alice x OT e i Bob [X i ] ([F] i,e i,d i ) ßGb( f,r i ) { [F] i } i Cut-and-Choose Generate k, check k/2 [Y i ] [Y] i ßEn(e i,y) [Z] i ßEv([F] i,[x] i,[y] i ) [Z] i y SMAC Punish Bob If exist i, j De(d i,[z] i )!= De(d j,[z] j ) y,d i

67 2PC, forge-and-lose (idea) Alice x OT e i Bob [X i ] ([F] i,e i,d i ) ßGb( f,r i ) { [F] i } i Cut-and-Choose Generate k, check k/2 [Y i ] [Y] i ßEn(e i,y) [Z] i ßEv([F] i,[x] i,[y] i ) [Z] i y SMAC Punish Bob If exist i, j De(d i,[z] i )!= De(d j,[z] j ) y,d i Whp at least one unchecked circuit is correct à real output will be used in SMAC

68 2PC, forge-and-lose (idea) Alice x OT e i Bob [X i ] ([F] i,e i,d i ) ßGb( f,r i ) Cut-and-Choose Generate k, check k/2 [Y i ] [Y] i ßEn(e i,y) Authenticity è Corrupt Alice cannot blame honest Bob [Z] i y SMAC Punish Bob If exist i, j De(d i,[z] i )!= De(d j,[z] j ) y,d i

69 Recap: Garbled Circuits Garbled circuits: allow to evaluate encrypted functions on encryptedinputs With properties like privacy, authenticity, etc. Applications: constant-round 2PC Different techniques for garbling gates Efficiency vs. Assumptions Active security How to check that the right function is garbled? Cut-and-choose and other tricks

70 Want more? Cryptographic Computing Foundations Programming & Theory Exercises Will be happy to answer questions by mail! also the reason why I cannot stay here longer L These slides (+ references & pointers)

Efficient MPC Optimizations for Garbled Circuits

CIS 2018 Efficient MPC Optimizations for Garbled Circuits Claudio Orlandi, Aarhus University Part 3: Garbled Circuits GC: Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active