MiniLEGO: Efficient Secure Two-Party Computation From General Assumptions Tore Frederiksen, Thomas Jakobsen, Jesper Nielsen, Peter Nordholt, Claudio Orlandi 06-11-2015 The LEGO Approach for Maliciously Secure Two-Party Computation.
MiniLEGO: Efficient Secure Two-Party Computation From General Assumptions
Tore Frederiksen, Thomas Jakobsen, Jesper Nielsen, Peter Nordholt, Claudio Orlandi
28-04-2020 The LEGO Approach for Maliciously Secure Two-Party Computation 1
Outline
• Introduction
  – What is the setting?
  – Garbled circuits
  – Why should we look at this?
• Preliminaries
  – Free XOR
  – XOR-homomorphic commitments
• The LEGO approach
  – Overall idea
  – New problems
• Conclusion
  – Practical efficiency
  – Future work
What is the problem?
Secure two-party computation
[Figure: inputs $x$ and $y$; function $f(x, y) = (f_A(x, y), f_B(x, y))$; outputs $f_A(x, y)$ and $f_B(x, y)$]
Why is it worth solving?
Set intersection
Patients: Alice Cooper, Cher, David Bowie, Gary Moore, Otep
Customers: Alice Cooper, Chibi, La Roux, Madonna
How can it be solved?
Secure computation zoo
Introduction: What is the setting?
Approach:
1. Yao’s garbled circuits
2. (Gate level) Cut-and-choose approach for malicious security
3. Using XOR-homomorphic commitment
4. UC secure
5. OT-hybrid security
Introduction: Constructing a garbled circuit
$f(x, y) = z$
Introduction: Yao’s garbled circuit with passive security
[Figure labels: $|x|$, $\{x_i\}_{i=0}$, $x$, $y$, $z$]
Introduction: The cut-and-choose approach to get malicious security
[Figure: steps Commit, Challenge, Open; label "Challenge:"]
Introduction: The cut-and-choose approach to get active security
[Figure: step Open; labels "Challenge:", $z$]
• Simple
• Information theoretical security
• Fast (limited use of public key operations)
Free XOR [KS08]
• Each 0-key is chosen randomly
• Each 1-key is the 0-key XOR’ed with a random value, common for the entire garbled circuit

1-keys for i and i+1: $k_i^1 = k_i^0 \oplus \Delta$, $k_{i+1}^1 = k_{i+1}^0 \oplus \Delta$
Computing XOR gate: $k_j = k_i \oplus k_{i+1}$
0-output key for XOR gate: $k_j^0 = k_i^0 \oplus k_{i+1}^0$
Truth table:
$k_j^0 = k_i^0 \oplus k_{i+1}^0$
$k_j^1 = k_i^0 \oplus k_{i+1}^1 = k_i^0 \oplus k_{i+1}^0 \oplus \Delta$
$k_j^1 = k_i^1 \oplus k_{i+1}^0 = k_i^0 \oplus \Delta \oplus k_{i+1}^0$
$k_j^0 = k_i^1 \oplus k_{i+1}^1 = k_i^0 \oplus \Delta \oplus k_{i+1}^0 \oplus \Delta$
1-output key for XOR gate: $k_j^1 = k_j^0 \oplus \Delta = k_i^0 \oplus k_{i+1}^0 \oplus \Delta$
XOR-homomorphic commitments
[Figure labels: Commit, Open; $M_1$, $M_2$, $\otimes$, $M_1 \oplus M_2$]
The LEGO approach: The Overall idea
[Figure: steps Commit, Cut-and-choose, Open]
The LEGO approach: Horizontal soldering
The LEGO approach: Vertical soldering
The LEGO approach: Input soldering
[Figure label: Send inputs]
The LEGO approach: Evaluation
The LEGO approach: New problems
• Soldering:
  – Horizontal
  – Vertical
  – Input
The LEGO approach: Horizontal soldering
Open($k^0_{L(i)} \oplus k^0_{L(i+1)}$)
Open($k^0_{R(i)} \oplus k^0_{R(i+1)}$)
Open($k^0_{L(i)} \oplus k^0_{L(i+2)}$)
Open($k^0_{R(i)} \oplus k^0_{R(i+2)}$)
Open($k^0_{O(i)} \oplus k^0_{O(i+1)}$)
Open($k^0_{O(i)} \oplus k^0_{O(i+2)}$)
[Figure label: head]
The LEGO approach: Horizontal soldering
Keys on the left and right input wires of gate $i$: $k^0_{L(i)}$, $k^0_{L(i)} \oplus \Delta$ and $k^0_{R(i)}$, $k^0_{R(i)} \oplus \Delta$
$(k_i^0 \oplus (b\Delta)) \oplus (k_i^0 \oplus k_{i+1}^0) = (k_{i+1}^0 \oplus (b\Delta))$
Values XOR’ed onto the input keys:
$\oplus\; k^0_{L(i)} \oplus k^0_{L(i+1)}$
$\oplus\; k^0_{R(i)} \oplus k^0_{R(i+1)}$
$\oplus\; k^0_{L(i)} \oplus k^0_{L(i+2)}$
$\oplus\; k^0_{R(i)} \oplus k^0_{R(i+2)}$
Values XOR’ed onto the output keys:
$\oplus\; k^0_{O(i)} \oplus k^0_{O(i+1)}$
$\oplus\; k^0_{O(i)} \oplus k^0_{O(i+2)}$
[Figure labels: head, Majority]
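Added example (not from the slides or the MiniLEGO authors): a Python model of the Free XOR keys and the horizontal soldering identity above, evaluating one bucket with a majority vote. Gates are idealised as key lookups instead of encrypted truth tables, the solder values stand in for what Open reveals (commitments are not modelled), and the AND gate, the 16-byte keys and all function names are assumptions.

```python
import secrets
from collections import Counter

KEY_BYTES = 16  # assumed key length; the slides do not fix one

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def key(k0, bit, delta):
    """Free XOR: the 1-key is the 0-key XOR the circuit-wide delta."""
    return xor(k0, delta) if bit else k0

def make_gate(delta, table):
    """Idealised garbled gate: 0-keys for wires L, R, O (garbler secrets) and a
    key lookup standing in for the encrypted table (table maps (a, b) -> bit)."""
    g = {w: secrets.token_bytes(KEY_BYTES) for w in "LRO"}
    g["rows"] = {(key(g["L"], a, delta), key(g["R"], b, delta)):
                 key(g["O"], table[a, b], delta) for a in (0, 1) for b in (0, 1)}
    return g

def solder_bucket(bucket):
    """Garbler: reveal k^0(head) XOR k^0(g) per wire; bucket[0] is the head."""
    head = bucket[0]
    return [{w: xor(head[w], g[w]) for w in "LRO"} for g in bucket]

def eval_bucket(bucket, solders, key_l, key_r):
    """Evaluator: shift head keys onto each gate, evaluate via the lookup only,
    shift the output key back onto the head wire, keep the majority value."""
    outs = []
    for g, s in zip(bucket, solders):
        out = g["rows"][xor(key_l, s["L"]), xor(key_r, s["R"])]
        outs.append(xor(out, s["O"]))
    return Counter(outs).most_common(1)[0][0]

AND = {(a, b): a & b for a in (0, 1) for b in (0, 1)}
BAD = {(a, b): 1 for a in (0, 1) for b in (0, 1)}  # constructed faulty gate

def run_bucket(tables):
    """Evaluate one bucket on all four inputs; decode output keys to bits."""
    delta = secrets.token_bytes(KEY_BYTES)
    bucket = [make_gate(delta, t) for t in tables]
    solders = solder_bucket(bucket)
    head, result = bucket[0], {}
    for (a, b) in AND:
        out = eval_bucket(bucket, solders, key(head["L"], a, delta), key(head["R"], b, delta))
        result[a, b] = int(out == key(head["O"], 1, delta))
    return result
```

`run_bucket([AND, BAD, AND])` returns the AND truth table because the single faulty gate is outvoted; with two faulty gates in the bucket the majority follows the faulty ones.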
The LEGO approach: Vertical soldering
$k^0_{O(\mathrm{head}(i))} \oplus (b\Delta)$
Open($k^0_{O(\mathrm{head}(i))} \oplus k^0_{L(\mathrm{head}(j))}$)
$(k_i^0 \oplus (b\Delta)) \oplus (k_i^0 \oplus k_{i+1}^0) = (k_{i+1}^0 \oplus (b\Delta))$
[Figure labels: Bucket $j$, Majority]
The LEGO approach: Input soldering
OT: inputs $k^0_{L(i)}$ and $k^0_{L(i)} \oplus \Delta$, choice $b$, output $k^0_{L(i)} \oplus (b\Delta)$
Open($k^0_{L(i)} \oplus k^0_{R(i)}$)
[Figure labels: head, Horizontal soldering]
Conclusion: Practical efficiency
• Better asymptotic complexities
• Practical efficiency depends directly on XOR-homomorphic commitments
  – Or the size of the garbled circuit, because of asymptotic increase in efficiency
O(s/log(|C|)) replication factor
Conclusion: Practical efficiency
• In [NO09] Pedersen Commitments were used
  – 3 public-key operations on each gate per party
• In [FJNNO13] XOR-homomorphic commitments constructed from error correcting codes + OT
  – Based on symmetric primitives when using OT extension, but the codes lead to constants of around 40
Conclusion: Future work
• The Aarhus Crypto-group is working on making cheaper XOR-homomorphic commitments and thus a more efficient LEGO protocol.
• Hopefully more efficient than normal cut-and-choose even for smaller circuits
Conclusion
Protocol                            Free XOR   Symmetric          Asymmetric         Rounds
MiniLEGO                            Yes        O(s|C|/log(|C|))   O(s)               O(1)
LEGO                                No         O(s|C|/log(|C|))   O(s|C|/log(|C|))   O(1)
[LP11, sS11, sS13, L13, FN13, …]    Yes        O(s|C|)            O(sn)              O(1)
[NNOB12]                            Yes        O(s|C|/log(|C|))   O(s)               O(d)
[DPSZ12]                            Yes        O(|C|)             O(|C|)             O(d)
s is statistical security parameter, |C| is circuit size, d is circuit depth, n is input/output bits
Thank you! Questions?
XOR-homomorphic commitments: The error correcting code
XOR-homomorphic commitments: The protocol - Setup
XOR-homomorphic commitments: The error correcting code
XOR-homomorphic commitments: The protocol - Setup
XOR-homomorphic commitments: The protocol – Committing and opening
XOR-homomorphic commitments: The protocol - Security
XOR-homomorphic commitments: Which code?
• In [FJNNO13] we find a code that works due to Chen and Cramer based on algebraic geometry.
• However, recent work shows that we can use a random matrix instead:
  – Binary linear by construction
  – Messages will be keys, so extra randomness not needed in our context
  – Secret sharing comes from randomness of the codewords
  – Efficient decoding does not seem to be needed