Transcript slides
On the Security of the “Free-XOR” Technique
Ranjit Kumaresan
Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)
Research in Secure Two-party Computation (2PC)
• Generic protocols [Yao86, GMW87]
• “Tailored” protocols for specific applications [FNP04, HL08, KO97, …]
• Fairplay [MNPS04]: Implemented generic protocols
– Hope for practicality
Research in Secure Two-party Computation (2PC)
• Active research improving concrete efficiency of generic protocols
– Garbled circuit approach [PSSW09, HEKM11, KM11, LP07, LP11, …]
– GMW approach [NNOB11, CHKMR12, …]
• Moving secure computation from theory to practice
Talk Outline
• Background on Yao GC & the Free-XOR technique [KS08]
– Description in the random oracle (RO) model
– Replacing RO with correlation robust hash functions?
• Sufficient assumptions on the hash function
– Why correlation robust hash functions are not enough
– New notion: Circular correlation robust hash functions
– Security of the Free-XOR technique
• Conclusions
Yao Garbled Circuit (GC) [Yao86]
• Generic secure computation protocol
• Constant round solution
• Mostly symmetric-key operations
• Popular choice for efficient 2PC
Yao Garbled Circuit
[Figure: a Boolean circuit of XOR and AND gates on wires u, v, w; the garbler assigns two keys (one per bit value) to every wire. Credit: V. Kolesnikov]
Yao Garbled Circuit
AND gate g (input wires u, v; output wire w), wire keys u0,u1, v0,v1, w0,w1:
  H(u0,v0,g) ⊕ w0
  H(u0,v1,g) ⊕ w0
  H(u1,v0,g) ⊕ w0
  H(u1,v1,g) ⊕ w1
XOR gate g' (input wires w, x; output wire y), wire keys w0,w1, x0,x1, y0,y1:
  H(w0,x0,g') ⊕ y0
  H(w0,x1,g') ⊕ y1
  H(w1,x0,g') ⊕ y1
  H(w1,x1,g') ⊕ y0
g, g': gate indices; H: hash function
GC Based Semi-Honest 2PC [Yao86]
• Alice garbles the circuit and sends Bob the GC together with the keys for her own input bits
• Bob obtains the keys for his own input bits via OT (one key per input bit)
• Bob evaluates the GC using the received input keys
Efficiency Improvements to Yao GC
• Garbled row reduction [NPS99,PSSW09]
– Just 3 entries per garbled table
• Point-and-permute [MNPS04]
– Decrypt only one entry
• Free-XOR technique [KS08]
– No garbled table for XOR gates
Free-XOR Technique [KS08]
• Idea: XOR gates evaluated for “free”
– No cryptographic operations or communication (like [Kol05, GMW87])
– GC based 2PC in the semi-honest setting
• Gains in practice?
– 40% improvement for “typical” circuits
– 300% improvement for universal circuits
• Impact
– All recent implementations use Free-XOR technique [PSSW09, SS11, …]
– Efforts to minimize #non-XOR gates in circuit [KS08, KSS09, PSSW09]
Free-XOR Technique [KS08]
Starting point: the garbled tables of AND gate g (keys u0,u1, v0,v1, w0,w1) and XOR gate g' (keys w0,w1, x0,x1, y0,y1) from the Yao Garbled Circuit slide above.
Free-XOR Technique [KS08]
R: hidden global parameter (offset)
The two keys on every wire differ by R:
  u1 = u0 ⊕ R, v1 = v0 ⊕ R, w1 = w0 ⊕ R, x1 = x0 ⊕ R
AND gate g: garbled table as before
  H(u0,v0,g) ⊕ w0
  H(u0,v1,g) ⊕ w0
  H(u1,v0,g) ⊕ w0
  H(u1,v1,g) ⊕ w1
XOR gate g': no garbled table; the output keys are defined by
  y0 = w0 ⊕ x0
  y1 = y0 ⊕ R
Free-XOR Technique [KS08]
Evaluation with one key per wire (R hidden from the evaluator):
• AND gate g: given keys u, v, use H(u,v,g) to recover w from the garbled table
• XOR gate g': given keys w, x, set y = w ⊕ x (no table, no hash)
Correctness: w ⊕ x = (w0 ⊕ bw·R) ⊕ (x0 ⊕ bx·R) = y0 ⊕ (bw ⊕ bx)·R, which is the key for bit bw ⊕ bx
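Worked example of the garbling and evaluation described above (added illustration, not code from the talk or from [KS08]). Assumptions: H(u,v,g) is SHA-256 over u || v || g truncated to KEYLEN bytes; the evaluator picks the right AND-table row by point-and-permute on the least significant bit of each key, which requires R to have that bit set so that the two keys on a wire always differ in it; the garbler's output map translates the permute bit of the final key into the cleartext output bit. The circuit is w = AND(a, b), y = XOR(w, c).

```python
"""Free-XOR garbling and evaluation of the circuit w = AND(a, b), y = XOR(w, c)."""
import hashlib
import os

KEYLEN = 16   # key and offset length in bytes (assumption)
G_AND = 1     # gate index of the AND gate; the XOR gate has no table and needs none


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def H(u: bytes, v: bytes, g: int) -> bytes:
    """The hash H(u, v, g) of the slides, instantiated with SHA-256 (assumption)."""
    return hashlib.sha256(u + v + g.to_bytes(4, "big")).digest()[:KEYLEN]


def permute_bit(k: bytes) -> int:
    return k[-1] & 1


def garble():
    """Garbler (Alice). Returns (R, input wire keys, AND table, output map)."""
    R = bytearray(os.urandom(KEYLEN))
    R[-1] |= 1                     # permute bit of R is 1, so key0 and key1 differ in it
    R = bytes(R)
    a0, b0, c0 = (os.urandom(KEYLEN) for _ in range(3))
    w0 = os.urandom(KEYLEN)        # AND output wire: fresh key
    y0 = xor(w0, c0)               # XOR output wire: y0 = w0 ⊕ c0, y1 = y0 ⊕ R, no table
    keys = {"a": (a0, xor(a0, R)), "b": (b0, xor(b0, R)), "c": (c0, xor(c0, R))}
    table = {}
    for bit_a in (0, 1):
        for bit_b in (0, 1):
            ku, kv = keys["a"][bit_a], keys["b"][bit_b]
            kw = w0 if (bit_a & bit_b) == 0 else xor(w0, R)
            table[(permute_bit(ku), permute_bit(kv))] = xor(H(ku, kv, G_AND), kw)
    out_map = {permute_bit(y0): 0, permute_bit(xor(y0, R)): 1}
    return R, keys, table, out_map


def evaluate(table, out_map, ka, kb, kc):
    """Evaluator (Bob): one key per input wire, never sees R."""
    row = table[(permute_bit(ka), permute_bit(kb))]
    kw = xor(row, H(ka, kb, G_AND))    # AND gate: one hash, one decryption
    ky = xor(kw, kc)                    # XOR gate: free
    return out_map[permute_bit(ky)]


def check_all_inputs():
    """Evaluate every (a, b, c); True iff the GC computes (a AND b) XOR c."""
    R, keys, table, out_map = garble()
    for a in (0, 1):
        for b in (0, 1):
            for c in (0, 1):
                got = evaluate(table, out_map, keys["a"][a], keys["b"][b], keys["c"][c])
                if got != (a & b) ^ c:
                    return False
    return True


def free_xor_invariant():
    """Both ways of reaching the XOR output key for bit 1 agree: w1 ⊕ c0 == w0 ⊕ c1 == y0 ⊕ R."""
    R, keys, table, out_map = garble()
    c0, c1 = keys["c"]
    ka, kb = keys["a"][0], keys["b"][0]
    w0 = xor(table[(permute_bit(ka), permute_bit(kb))], H(ka, kb, G_AND))  # as the evaluator does
    w1 = xor(w0, R)
    y0 = xor(w0, c0)
    return xor(w1, c0) == xor(w0, c1) == xor(y0, R)
```

The AND gate costs one hash and one XOR to evaluate; the XOR gate costs one XOR and no table entries at all, which is the whole saving of the technique.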
Proof in the RO Model [KS08]
• Corrupt Alice: Trivial
• Corrupt Bob:
– Sim creates a fake garbled circuit whose output is always correct
– Intuitively, security reduces to proving R is completely hidden
– Indistinguishability proved by induction on topological ordering of gates
Real table               | Simulated table
H(u,v,g) ⊕ w             | H(u,v,g) ⊕ w
H(u,v⊕R,g) ⊕ w           | random1
H(u⊕R,v,g) ⊕ w           | random2
H(u⊕R,v⊕R,g) ⊕ (w⊕R)     | random3
By induction, Bob knows the input keys u, v; only w is recovered; except with negl. prob., all other values are hidden (Bob never queries the RO at a point involving R)
Proof in the Standard Model?
• RO is not programmed
• Can RO be replaced by a suitable hash function?
– [KS08]: a variant of correlation robust hash functions (CorRHF) works
– Repeated wherever Free-XOR is used [PSSW09,SS11,AHI11,NO09,…]
• Our contributions
– “Natural” variant of CorRHF is NOT sufficient
– Specify variant of CorRHF that is sufficient
Proof in the Standard Model?
• “Natural” variant of CorRHF is NOT sufficient
– Main issue is circularity [BK03, BRS03, HK07, …]
– Fourth entry H(u⊕R,v⊕R,g) ⊕ (w⊕R): R appears both inside the hash input and as a pad on the hash output
– CorRHF does not capture circularity
Garbled AND table:
  H(u,v,g) ⊕ w
  H(u,v⊕R,g) ⊕ w
  H(u⊕R,v,g) ⊕ w
  H(u⊕R,v⊕R,g) ⊕ (w⊕R)
• Specify variant of CorRHF that is sufficient
– Circular Correlation Robust Hash Functions
– Captures circularity
– Security proof for the Free-XOR technique
Why is this important?
• Implementors happy with RO…
• In theory, RO methodology is inherently flawed [CGH04]
– Want precise formulation of concrete properties required by RO
• “Natural” variant of CorRHF used in other contexts [AHI11,NO09]
• “CorRHF is sufficient for Free-XOR technique” claimed in several
works [PSSW09,SS11, AHI11,…]
• Assumptions required for Free-XOR tech. in Yao GC?
– Free-XOR in [GMW87, Kol05] with no other assumptions
Correlation Robust Hash Functions [IKNP03]
• Proposed by [IKNP03] for removing RO in OT extension
• Definition: (CorRHF) H is CorRHF if for randomly chosen u1,…, up, the following two distributions are comp. indistinguishable
– (u1,…, up, H(u1⊕R), …, H(up⊕R)) where R is chosen uniformly
– (u1,…, up, w1,…, wp) where each wi is chosen uniformly
• (Arithmetic variant) realized under PDH assumption [AHI11]
• [KS08]: Variant can replace RO in Free-XOR
– Use of a hidden offset R in both [KS08] and [IKNP03]
“Natural” Variant of CorRHF
• Definition: (weak 2-CorRHF) H is weakly 2-CorRHF if for given u1,…, up, v1,…, vp, the following two distributions are comp. indistinguishable
– ( H(u1⊕R,v1,1), H(u1,v1⊕R,1), H(u1⊕R,v1⊕R,1), …, H(up⊕R,vp,p), H(up,vp⊕R,p), H(up⊕R,vp⊕R,p) ) where R is chosen uniformly
– (w1,…, w3p) where each wi is chosen uniformly
Our Working Definition of 2-CorRHF
• Oracle based
– CorR(u,v,g): output H(u,v⊕R,g), H(u⊕R,v,g), H(u⊕R,v⊕R,g)
– Rand(u,v,g): if input was queried before then output answer given
previously, else output a uniformly chosen string
• Definition: (2-CorRHF) H is 2-CorRHF if every non-uniform PPT
adversary A with oracle access to O (either CorR or Rand)
cannot tell whether O is CorR or Rand except with negligible
advantage
• Stronger than previous definition
– Oracle queries can be adaptive
2-CorRHF and Free-XOR technique
Real table               | Simulated table   | Reduction table
H(u,v,g) ⊕ w             | H(u,v,g) ⊕ w      | H(u,v,g) ⊕ w
H(u,v⊕R,g) ⊕ w           | random1           | h1 ⊕ w
H(u⊕R,v,g) ⊕ w           | random2           | h2 ⊕ w
H(u⊕R,v⊕R,g) ⊕ (w⊕R)     | random3           | ?
Reduction adversary B for 2-CorRHF, given O (either CorR or Rand):
• How to create the garbled table? Choose random u, v, w; query O(u,v,g) to get h1, h2, h3
• The first three entries can be set as above
• How to obtain the fourth entry using h3? It should be h3 ⊕ w ⊕ R, but B does not know R
• Unclear how to complete the reduction
Counterexample
• Rule out fully black-box reduction using two oracles H and Break
• H is 2-CorRHF even if A has oracle access to H and Break
• Free-XOR technique is insecure when A has access to H and Break
Oracles:
– H(u,v,g): random function
– Break(u,v,g,z1,z2,z3): output r when z1 = H(u,v⊕r,g), z2 = H(u⊕r,v,g), z3 = H(u⊕r,v⊕r,g) ⊕ r; else output nothing
H is 2-CorRHF against A with oracle access to H, Break
• O = Rand: uniform, independent of A’s view
• O = CorR: uniform, independent of A’s view unless A queries O(u,v,g) and
– O(u’,v’,g) with u’⊕u = R or v’⊕v = R, or
– H(u’,v’,g) with u’⊕u = R or v’⊕v = R, or
– Break(u,v,g,z1,z2,z3) with z3 ⊕ H(u⊕R,v⊕R,g) = R
• Each of these happens with negligible probability (A would have to guess R)
Insecurity of Free-XOR Tech.: AND gate g
Garbled table held by A (acting as Bob, with oracle access to H and Break):
  H(u,v,g) ⊕ w
  c1 = H(u,v⊕R,g) ⊕ w
  c2 = H(u⊕R,v,g) ⊕ w
  c3 = H(u⊕R,v⊕R,g) ⊕ (w⊕R)
Attack: A acting as Bob recovers R
• Recover w from gate g using H(u,v,g) (A holds the keys u and v)
– z1 = c1 ⊕ w = H(u,v⊕R,g)
– z2 = c2 ⊕ w = H(u⊕R,v,g)
– z3 = c3 ⊕ w = H(u⊕R,v⊕R,g) ⊕ R
• Query Break(u,v,g,z1,z2,z3) to get R
• Recovering R contradicts the requirement (from the RO proof) that R stays completely hidden from Bob
Break(u,v,g,z1,z2,z3): output r when z1 = H(u,v⊕r,g), z2 = H(u⊕r,v,g), z3 = H(u⊕r,v⊕r,g) ⊕ r; else output nothing
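The attack above, worked on toy parameters (added example, not code from the talk). In the talk H is a random function and Break is an abstract oracle; here H is SHA-256 truncated to KEYLEN = 2 bytes and Break is stood in for by brute force over all 2^16 candidate offsets r, which is feasible only because the keys are tiny (the point is the structure of Break's check, not its cost). The wire keys and R are constructed constants. The second adversary function shows why Break does not help a 2-CorRHF distinguisher: CorR hands it h3 = H(u⊕R,v⊕R,g), not h3 ⊕ R, so the circular z3 check fails.

```python
"""Toy instance of the (H, Break) counterexample: Bob recovers R from one AND gate."""
import hashlib

KEYLEN = 2                      # toy key length so that brute force can stand in for Break
G = 7                           # index of the AND gate
R = b"\x9a\x37"                 # hidden global offset (constructed constant)
U0, V0, W0 = b"\x11\xa4", b"\x5c\x02", b"\xe7\x3b"   # constructed keys for bit 0 on u, v, w


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def H(u: bytes, v: bytes, g: int) -> bytes:
    """H(u, v, g) instantiated with truncated SHA-256 (assumption)."""
    return hashlib.sha256(u + v + g.to_bytes(4, "big")).digest()[:KEYLEN]


def garble_and_gate(R, u0, v0, w0, g=G):
    """Free-XOR garbled AND table in the slide's row order: (u0,v0), (u0,v1), (u1,v0), (u1,v1)."""
    u1, v1, w1 = xor(u0, R), xor(v0, R), xor(w0, R)
    return [xor(H(u0, v0, g), w0), xor(H(u0, v1, g), w0),
            xor(H(u1, v0, g), w0), xor(H(u1, v1, g), w1)]


def break_oracle(u, v, g, z1, z2, z3):
    """Break(u,v,g,z1,z2,z3): return r with z1 = H(u,v⊕r,g), z2 = H(u⊕r,v,g) and
    z3 = H(u⊕r,v⊕r,g) ⊕ r, else None.  Brute force over the toy r-space stands in
    for the oracle.  The z3 condition is the circular one: r sits both inside the
    hash input and XORed onto the hash output."""
    for n in range(1, 256 ** KEYLEN):
        r = n.to_bytes(KEYLEN, "big")
        if z1 != H(u, xor(v, r), g):
            continue
        if z2 == H(xor(u, r), v, g) and z3 == xor(H(xor(u, r), xor(v, r), g), r):
            return r
    return None


def evaluator_attack(table, u, v, g=G):
    """A acting as Bob holds keys u = u0 and v = v0: decrypt row 0 to get w, strip w
    from the remaining rows to get z1, z2, z3, and ask Break for R."""
    w = xor(table[0], H(u, v, g))
    z1, z2, z3 = xor(table[1], w), xor(table[2], w), xor(table[3], w)
    return w, break_oracle(u, v, g, z1, z2, z3)


def corrhf_adversary_attempt(u, v, g=G):
    """A 2-CorRHF distinguisher only ever sees CorR(u,v,g) = (h1, h2, h3).  Feeding those
    to Break fails the z3 check (h3 is not h3 ⊕ R), so Break answers nothing."""
    h1 = H(u, xor(v, R), g)
    h2 = H(xor(u, R), v, g)
    h3 = H(xor(u, R), xor(v, R), g)
    return break_oracle(u, v, g, h1, h2, h3)
```

Once Bob has R he also has w ⊕ R, the other key on the AND gate's output wire, and by the same offset both keys on every wire of the circuit.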
Capturing Circularity: Circular 2-CorRHF
• Recall indistinguishable oracles in 2-CorRHF
– CorR(u,v,g): output H(u,v⊕R,g), H(u⊕R,v,g), H(u⊕R,v⊕R,g)
– Rand(u,v,g): if input was queried before then output answer given previously, else output uniformly chosen
• Oracles for Circular 2-CorRHF (notation: bR = 0 when b = 0, bR = R when b = 1)
– CircR(u,v,g,b1,b2,b3): output H(u⊕b1R, v⊕b2R, g) ⊕ b3R
– Rand(u,v,g,b1,b2,b3): same as before
– Allowing b3 = 1 captures circularity
Circular 2-CorRHF
• Indistinguishability conditioned on restricted (legal) queries to CircR
– No queries of the form (u,v,g,0,0,b3) (A can compute H(u,v,g) itself; with b3 = 1 the answer would reveal R)
– No queries on both (u,v,g,b1,b2,0) and (u,v,g,b1,b2,1) (XORing the two answers would reveal R)
• Definition: (Circular 2-CorRHF) H is circular 2-CorRHF if every non-uniform PPT adversary A making legal queries to oracle O cannot tell whether O is CircR or Rand except with negligible advantage
Proof of Security for the Free-XOR Tech.
• Corrupt Alice: Trivial
• Corrupt Bob: Sim creates a fake garbled circuit
– Choose random key for all wires except output wires of XOR gates
– XOR chosen keys for input wires to get key for output wire of XOR gate (y = w ⊕ x)
– Populate unknown values in non-XOR gate table with random values
  Simulated AND table (known keys u, v, output key w): H(u,v,g) ⊕ w, random1, random2, random3
– Set output garbled table to give correct output z
Reduction to Circular 2-CorRHF
• Reduction adversary B for Circular 2-CorRHF
• B given access to O (either CircR or Rand) & real inputs for both parties
– Choose random key for all wires except output wires of XOR gates
– XOR chosen keys for input wires to get key for output wire of XOR gate (y = w ⊕ x)
– Populate unknown values in non-XOR gate table using O
  Reduction AND table (known keys u, v, output key w):
    H(u,v,g) ⊕ w
    O(u,v,g,0,1,0) ⊕ w
    O(u,v,g,1,0,0) ⊕ w
    O(u,v,g,1,1,1) ⊕ w
– Set output garbled table to give correct output z
Circular 2-CorRHF & Free-XOR technique
Recall CircR(u,v,g,b1,b2,b3): output H(u⊕b1R, v⊕b2R, g) ⊕ b3R
Reduction table          | O = CircR: real table                     | O = Rand: simulated table
H(u,v,g) ⊕ w             | H(u,v,g) ⊕ w                              | H(u,v,g) ⊕ w
O(u,v,g,0,1,0) ⊕ w       | H(u,v⊕R,g) ⊕ w                            | random1
O(u,v,g,1,0,0) ⊕ w       | H(u⊕R,v,g) ⊕ w                            | random2
O(u,v,g,1,1,1) ⊕ w       | H(u⊕R,v⊕R,g) ⊕ R ⊕ w = H(u⊕R,v⊕R,g) ⊕ (w⊕R) | random3
All of B’s queries are legal: b1b2 ≠ 00, and each (u,v,g,b1,b2) is queried with a single value of b3
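The two oracles and the reduction's table construction in code (added example, not code from the talk). Assumptions: H is SHA-256 truncated to KEYLEN bytes; CircR and Rand are Python callables; a wrapper class named LegalOracle (introduced here) enforces the two query restrictions of the Circular 2-CorRHF definition; keys and R in the usage are constructed constants. The example checks the claim of the slide: with O = CircR the reduction's table is the real table row for row, with O = Rand only the first row agrees and the other three are random, and the reduction never issues an illegal query.

```python
"""CircR / Rand oracles, the legality rules, and the reduction's AND-gate table."""
import hashlib
import os

KEYLEN = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def H(u: bytes, v: bytes, g: int) -> bytes:
    """H(u, v, g) instantiated with truncated SHA-256 (assumption)."""
    return hashlib.sha256(u + v + g.to_bytes(4, "big")).digest()[:KEYLEN]


class CircR:
    """CircR(u,v,g,b1,b2,b3) = H(u ⊕ b1·R, v ⊕ b2·R, g) ⊕ b3·R."""
    def __init__(self, R: bytes):
        self.R = R

    def __call__(self, u, v, g, b1, b2, b3):
        uu = xor(u, self.R) if b1 else u
        vv = xor(v, self.R) if b2 else v
        h = H(uu, vv, g)
        return xor(h, self.R) if b3 else h


class Rand:
    """Rand(u,v,g,b1,b2,b3): uniform string, repeated queries get the earlier answer."""
    def __init__(self):
        self.memo = {}

    def __call__(self, u, v, g, b1, b2, b3):
        key = (u, v, g, b1, b2, b3)
        if key not in self.memo:
            self.memo[key] = os.urandom(KEYLEN)
        return self.memo[key]


class LegalOracle:
    """Wraps CircR or Rand and rejects the two query patterns the definition forbids."""
    def __init__(self, oracle):
        self.oracle, self.seen = oracle, set()

    def __call__(self, u, v, g, b1, b2, b3):
        if (b1, b2) == (0, 0):
            raise ValueError("illegal query: (u,v,g,0,0,b3)")
        if (u, v, g, b1, b2, 1 - b3) in self.seen:
            raise ValueError("illegal query: both b3=0 and b3=1 on the same (u,v,g,b1,b2)")
        self.seen.add((u, v, g, b1, b2, b3))
        return self.oracle(u, v, g, b1, b2, b3)


def real_table(R, u, v, w, g):
    """Real Free-XOR AND table for bit-0 keys u, v and bit-0 output key w."""
    return [xor(H(u, v, g), w),
            xor(H(u, xor(v, R), g), w),
            xor(H(xor(u, R), v, g), w),
            xor(H(xor(u, R), xor(v, R), g), xor(w, R))]


def reduction_table(O, u, v, w, g):
    """Reduction adversary B: knows u, v, w but not R, and asks O for the rest.
    b3 = 1 on the last query supplies the circular ⊕R of the fourth entry."""
    return [xor(H(u, v, g), w),
            xor(O(u, v, g, 0, 1, 0), w),
            xor(O(u, v, g, 1, 0, 0), w),
            xor(O(u, v, g, 1, 1, 1), w)]


def compare(R, u, v, w, g=3):
    """Return (#rows equal to the real table with O=CircR, #rows equal with O=Rand)."""
    real = real_table(R, u, v, w, g)
    with_circ = reduction_table(LegalOracle(CircR(R)), u, v, w, g)
    with_rand = reduction_table(LegalOracle(Rand()), u, v, w, g)
    return (sum(a == b for a, b in zip(real, with_circ)),
            sum(a == b for a, b in zip(real, with_rand)))
```

Because the reduction only ever queries (0,1,0), (1,0,0) and (1,1,1) on each gate, LegalOracle never fires during the reduction; it fires exactly for the queries that would let an adversary read R off the oracle directly.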
Conclusions & Open Questions
• Free-XOR technique extremely influential
– Used in all Yao GC implementations
• Secure in the random oracle model
• “Natural” variant of 2-CorRHF is not sufficient
– Circularity
• Stronger notion of 2-CorRHF: Circular 2-CorRHF
– Security proof for the Free-XOR technique
• “Free” gate evaluation under OWF?
• Realize Circular 2-CorRHF from standard crypto assumptions?
Thank You!