GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
Payman Mohassel
Yahoo Labs
History of Garbled Circuits
1982: First oral presentation [Andrew Yao]
1987: First written account [GMW] (public-key)
1990: First use of the term “Garbled circuits” [BMR] (symmetric-key)
1994: First abstraction as a primitive [FKN] (minimal model for sec. comp.)
1999: First PRF-based construction [NPS] (PP-auctions)
2004: First implementation [MNPS] (Fairplay)
2004: First proof of 2PC based on garbled circuits [LP] (double-encryption)
A Garbling Scheme
[Figure: a circuit C with C(x, y) = f(x, y) and a seed are garbled into a garbled circuit GC, garbled inputs GI_x and GI_y, and a table TT. Eval(GC, GI_x, GI_y) yields the garbled output GO; GO together with TT decodes to f(x, y).]
Basic Properties
Privacy: knowing GI_x, GI_y, and GC does not leak any information (figure: GI_x, GI_y, GC and TT yield f(x, y) and nothing else).
Output Authenticity: given GI_x, GI_y, and GC, one cannot compute another valid garbled output GO' (figure: GI_x, GC, GI_y, GO').
Many Applications
Secure multi-party computation
Zero-knowledge proofs
Verifiable computation
Homomorphic encryption
One-time programs
Circular-secure encryption
Functional encryption
...
Emerged as a powerful building block!
Secure Multiparty Computation (MPC)
[Figure: parties P1, …, P5 holding private inputs x1, …, x5.]
Correctness: honest parties learn the correct output.
Privacy: nothing but the final output is leaked; parties learn only f(x1, …, xn).
Further goals: fairness, output delivery, …
Applications of MPC
Data mining
Electronic Voting
Auctions
Exchanges/financial analysis
Location privacy
Genomic computation
Electronic commerce
Healthcare
When there is IP, NDA, user consent involved
When you need to distribute trust
Secure Two-Party Computation (2PC)
[Figure: the Garbler holds x and a seed sd, with C(x, y) = f(x, y); it computes GC ← Garb(C, sd) and GI_x ← GIn(x, sd) and sends GC, GI_x, and TT to the Evaluator. The Evaluator holds y, obtains GI_y via Oblivious Transfer, and evaluates to learn f(x, y).]
Yao’s Garbled Circuit Protocol
First secure computation protocol
Efficient and simple
Implementations
  › Fairplay, 2004
  › TASTY, 2010
  › FastGarble, 2011
  › SCAPI, 2013
  › JustGarble, 2013
  › …
Circuits with millions of gates in less than a second
Research Directions
Garbling constructions
Functionality & security properties
Secure 2PC
Basic Garbling/Evaluation
Garble: an AND gate with input wires 1 and 2 and output wire 3. Each wire $i$ carries two random keys $k^i_0, k^i_1$, one per wire value. The garbled table has one ciphertext per input combination:
$c_{0,0} = E_{k^1_0, k^2_0}(k^3_0)$
$c_{0,1} = E_{k^1_0, k^2_1}(k^3_0)$
$c_{1,0} = E_{k^1_1, k^2_0}(k^3_0)$
$c_{1,1} = E_{k^1_1, k^2_1}(k^3_1)$
Evaluate: holding $k^1_a$ and $k^2_b$, decrypt the matching row: $\mathrm{Dec}_{k^1_a, k^2_b}(c_{a,b}) = k^3_{a \& b}$
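As an added worked example (not code from the talk), the single-gate garbling and evaluation above in Python. It assumes the double encryption E is realised as a SHA-256 key stream over both input keys, with an all-zero tag appended so the evaluator can recognise the one row its keys open; the row shuffle is also an assumption here (point-and-permute, covered later in the talk, is not used).

```python
import hashlib
import os
import secrets

KEY_LEN = 16          # length of a wire key (label) in bytes
TAG = b"\x00" * 8     # redundancy so a correct decryption is distinguishable from garbage (assumption)

def keystream(k1: bytes, k2: bytes, gate_id: int) -> bytes:
    # Double-encryption key stream derived from BOTH input keys (PRF modelled by SHA-256);
    # gate_id keeps streams distinct when the same keys feed several gates.
    return hashlib.sha256(k1 + k2 + gate_id.to_bytes(4, "big")).digest()

def encrypt(k1: bytes, k2: bytes, gate_id: int, msg: bytes) -> bytes:
    # E_{k1,k2}(msg): XOR (msg || TAG) with the key stream
    pad = keystream(k1, k2, gate_id)
    return bytes(a ^ b for a, b in zip(msg + TAG, pad))

def decrypt(k1: bytes, k2: bytes, gate_id: int, ct: bytes):
    # Dec_{k1,k2}(ct): the key inside, or None when the tag check fails (wrong key pair)
    pad = keystream(k1, k2, gate_id)
    pt = bytes(a ^ b for a, b in zip(ct, pad))
    return pt[:KEY_LEN] if pt[KEY_LEN:] == TAG else None

def garble_gate(truth, gate_id: int):
    # Garbler: two random keys per wire (value 0 and value 1) for wires 1, 2 (inputs), 3 (output);
    # row c_{a,b} encrypts the output key k^3_{truth(a,b)} under k^1_a and k^2_b.
    keys = [(os.urandom(KEY_LEN), os.urandom(KEY_LEN)) for _ in range(3)]
    table = [encrypt(keys[0][a], keys[1][b], gate_id, keys[2][truth(a, b)])
             for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(table)  # hide which row belongs to which (a, b)
    return keys, table

def eval_gate(table, gate_id: int, ka: bytes, kb: bytes) -> bytes:
    # Evaluator: holds exactly one key per input wire and tries every row; the tag
    # singles out the one row that decrypts (a false hit has probability about 2^-64).
    hits = [m for m in (decrypt(ka, kb, gate_id, ct) for ct in table) if m is not None]
    if len(hits) != 1:
        raise ValueError("garbled table did not decrypt to exactly one output key")
    return hits[0]

def check_gate(truth, gate_id: int = 1):
    # End-to-end check: garble, evaluate on all four inputs, and map each recovered
    # output key back to its bit (possible only because we also play the garbler).
    keys, table = garble_gate(truth, gate_id)
    bits = []
    for a in (0, 1):
        for b in (0, 1):
            out = eval_gate(table, gate_id, keys[0][a], keys[1][b])
            bits.append(keys[2].index(out))
    return bits
```

Passing a different truth function to check_gate garbles any 2-input gate the same way, which is why the evaluator learns the output key without learning the gate's truth table position it came from.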
Constructions (Efficiency)
1990: Point-and-Permute [BMR]
1999: 3-row reduction [NPS]
2008: Free-XOR [KS]
2009: 2-row reduction [PSSW]
2013: Fixed-key block-cipher [BHKR]
2014: FleXor [KMR]
2014: Privacy-free garbling [KNO]
2015: HalfGates [ZRE] (2-row non-XOR gates, and 0-row XOR gates)
How low can we get? Lower bounds?
Fresh ideas for garbling needed?
Constructions (Security)
Weak assumptions (assumption: construction)
  PRF: double-encryption
  LPN: Free-XOR
  Correlation-robustness: row reduction techniques
  Correlation-robustness: FleXor
Strong assumptions (assumption: construction)
  Circular-security: Free-XOR
  Circular-security: Half-Gates
  Ideal-permutation: Fixed-key block-cipher
  RO: Adaptive security
Can we achieve these using weak assumptions?
Standard Security Properties
Input privacy
  › Needed in most applications (not in the ZK application)
Function privacy
  › Private function evaluation
Output authentication
  › Malicious 2PC, dual-execution, verifiable computation, server-aided computation, ZK
Adaptive privacy
  › Verifiable computation, offline/online batch execution, …
New Security Properties?
Only a subset of properties (e.g. privacy-free garbling)
Leaky privacy (e.g. leak a few bits, protect/leak certain functions)
Tunable security! (tunable privacy, authenticity, …)
Leveled privacy (inputs with different sensitivity levels)
Functionality?
Standard ones
  › Garble, encode inputs, evaluate, authenticate outputs
Circuit property enforcing (with Rosulek and Kolesnikov)
  › Checking circuit properties
  › Topology, depth, input size, gate types
  › Useful in limiting malicious behavior
Input property enforcing
  › Unique input identifier (for input consistency)
  › Enforcing input formats
  › Enforce relation between inputs in multiple executions (beyond equality)
Output property enforcing
  › Enforcing output format
Malicious 2PC
[Figure: cut-and-choose. P1 feeds the same input x into many garbled circuits GC1, GC2, GC3, …; each circuit is either opened (Open) or evaluated (Evaluate). Two questions: Are all inputs the same? Is the output correct? Of GC1, …, GC6, the evaluated circuits GC2, GC4, GC6 yield outputs z2, z4, z6, and a majority vote gives z = f(x, y). This gives 1 − 2^{−Ω(s)} security, with s ≥ 40.]
Secure 2PC
Malicious security
  › Cut-and-choose (state of the art: Lindell 2013)
  › Abstracting out cut-and-choose (joint work with Seny Kamara)
  › A new paradigm?
  › Lower bounds for cut-and-choose?
RAM programs
  › Optimizing ORAM for 2PC ([WCS]: Circuit-ORAMs)
  › Implementation framework (SCVM)
  › Extending cut-and-choose to RAM programs ([AHMR])
  › Lots of interesting questions
2PC with relaxed security
  › Covert security, leaky 2PC, one-sided security
  › Restricting leakage functions
Questions?