
Payman Mohassel Yahoo Labs

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION. Payman Mohassel, Yahoo Labs. History of Garbled Circuits. 1982: First oral presentation [Andrew Yao]


Presentation Transcript


  1. GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION Payman Mohassel Yahoo Labs

  2. History of Garbled Circuits • 1982: First oral presentation [Andrew Yao] • 1987: First written account [GMW] (public-key) • 1990: First use of the term "garbled circuits" [BMR] (symmetric-key) • 1994: First abstraction as a primitive [FKN] (minimal model for secure computation) • 1999: First PRF-based construction [NPS] (privacy-preserving auctions) • 2004: First implementation [MNPS] (Fairplay) • 2004: First proof of 2PC based on garbled circuits [LP] (double-encryption)

  3. A Garbling Scheme (figure: garbling from a seed, and Eval)

  4. Basic Properties • Privacy: Knowing , , and does not leak any info • Output Authenticity: Cannot compute another valid output

  5. Many Applications • Secure multi-party computation • Zero-knowledge proofs • Verifiable computation • Homomorphic encryption • One-time programs • Circular-secure encryption • Functional encryption • ... Emerged as a powerful building block!

  6. Secure Multiparty Computation (MPC) Parties learn only f(x1,…,xn) • Correctness: honest parties learn the correct output • Privacy: nothing but the final output is leaked • Fairness, Output Delivery, … (figure: parties P1,…,P5 holding inputs x1,…,x5)

  7. Applications of MPC • Data mining • Electronic Voting • Auctions • Exchanges/financial analysis • Location privacy • Genomic computation • Electronic commerce • Healthcare • When there is IP, NDA, user consent involved • When you need to distribute trust

  8. Secure Two-Party Computation (2PC) (figure: Garbler and Evaluator, connected by Oblivious Transfer)

  9. Yao’s Garbled Circuit Protocol • First secure computation protocol • Efficient and simple • Implementations • Fairplay, 2004 • TASTY, 2010 • FastGarble, 2011 • SCAPI, 2013 • JustGarble, 2013 • … • Circuits with millions of gates in less than a second

  10. Research Directions • Garbling Constructions • Functionality & Security Properties • Secure 2PC

  11. Basic Garbling/Evaluation (figure: Garble and Evaluate of an AND gate)

  12. Constructions (Efficiency) • 1990: Point-and-Permute [BMR] • 1999: 3-row reduction [NPS] • 2008: Free-XOR [KS] • 2009: 2-row reduction [PSSW] • 2013: Fixed-key block-cipher [BHKR] • 2014: FleXor [KMR] • 2014: Privacy-free garbling [KNO] • 2015: HalfGates [ZRE] (2 rows per non-XOR gate, 0 rows per XOR gate) • How low can we get? Lower bounds? • Fresh ideas for garbling needed?
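As an added worked example (not code from the talk), here is the basic garble/evaluate flow of slides 3, 4 and 11 together with two of the optimizations listed on slide 12, point-and-permute and free-XOR. It uses HMAC-SHA256 as the PRF in place of a fixed-key block cipher and keeps the plain 4-row table for AND gates (no row reduction). The 128-bit label size, the gate encoding, the full-adder sample circuit and the hash-based output decoding are choices made for this example, not details from the slides.

```python
# Added example (not the talk's code): a minimal garbling scheme in the style of slides
# 3, 4, 11 and 12: double-encryption tables with HMAC-SHA256 as the PRF, point-and-permute
# row selection, free-XOR, and hash-based output decoding. Label size, gate encoding and
# the sample circuit are assumptions made for this example.
import hashlib
import hmac
import os

K = 16  # 128-bit wire labels

# Constructed sample circuit, a 1-bit full adder: (gate, in_a, in_b, out_wire).
# Wires 0, 1, 2 are inputs a, b, cin; wire 4 is the sum and wire 7 the carry out.
FULL_ADDER = [("XOR", 0, 1, 3), ("XOR", 3, 2, 4), ("AND", 0, 1, 5),
              ("AND", 3, 2, 6), ("XOR", 5, 6, 7)]
FA_INPUTS, FA_OUTPUTS = 3, [4, 7]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def color(label: bytes) -> int:
    return label[-1] & 1  # point-and-permute bit: the low bit of a label picks the table row


def pad(ka: bytes, kb: bytes, gate_id: int) -> bytes:
    # Double-encryption pad: a PRF of both input labels, bound to the gate index.
    return hmac.new(ka + kb, gate_id.to_bytes(4, "big"), hashlib.sha256).digest()[:K]


def garble(circuit, n_inputs, outputs):
    """Garbler: returns (tables for AND gates, input label pairs, output decoding info)."""
    delta = os.urandom(K - 1) + bytes([os.urandom(1)[0] | 1])  # free-XOR offset, odd colour bit
    zero = {w: os.urandom(K) for w in range(n_inputs)}          # label carrying bit 0, per wire
    one = lambda w: xor(zero[w], delta)                          # label carrying bit 1
    tables = {}
    for gid, (kind, a, b, out) in enumerate(circuit):
        if kind == "XOR":
            zero[out] = xor(zero[a], zero[b])  # free-XOR: no table at all
            continue
        zero[out] = os.urandom(K)
        rows = [None] * 4
        for va in (0, 1):
            for vb in (0, 1):
                la, lb = (one(a) if va else zero[a]), (one(b) if vb else zero[b])
                lo = one(out) if va & vb else zero[out]
                rows[2 * color(la) + color(lb)] = xor(pad(la, lb, gid), lo)
        tables[gid] = rows
    in_labels = [(zero[w], one(w)) for w in range(n_inputs)]
    # Decoding info commits to both labels of every output wire; a forged label matches neither.
    decode_info = [(hashlib.sha256(zero[w]).digest(), hashlib.sha256(one(w)).digest())
                   for w in outputs]
    return tables, in_labels, decode_info


def encode(in_labels, bits):
    # One label per input wire. In Yao's protocol the evaluator obtains its own
    # input labels through oblivious transfer rather than from this function.
    return {w: in_labels[w][bit] for w, bit in enumerate(bits)}


def evaluate(circuit, tables, labels):
    """Evaluator: sees exactly one label per wire and never learns the bit it carries."""
    labels = dict(labels)
    for gid, (kind, a, b, out) in enumerate(circuit):
        la, lb = labels[a], labels[b]
        if kind == "XOR":
            labels[out] = xor(la, lb)
        else:
            labels[out] = xor(pad(la, lb, gid), tables[gid][2 * color(la) + color(lb)])
    return labels


def decode(decode_info, outputs, labels):
    """Output authenticity: accept only labels the garbler committed to."""
    bits = []
    for (h0, h1), w in zip(decode_info, outputs):
        h = hashlib.sha256(labels[w]).digest()
        if h not in (h0, h1):
            raise ValueError(f"wire {w}: not a valid output label")
        bits.append(0 if h == h0 else 1)
    return bits


def garbled_full_adder(a, b, cin):
    """Whole scheme on one input; returns [sum, carry]."""
    tables, in_labels, dec = garble(FULL_ADDER, FA_INPUTS, FA_OUTPUTS)
    return decode(dec, FA_OUTPUTS, evaluate(FULL_ADDER, tables, encode(in_labels, [a, b, cin])))


def plain_full_adder(a, b, cin):
    return [a ^ b ^ cin, (a & b) ^ (cin & (a ^ b))]


def forged_output_rejected():
    """A random label is not one the garbler committed to, so decoding refuses it."""
    _, _, dec = garble(FULL_ADDER, FA_INPUTS, FA_OUTPUTS)
    try:
        decode(dec, FA_OUTPUTS, {4: os.urandom(K), 7: os.urandom(K)})
    except ValueError:
        return True
    return False
```

Two things to notice when running it: only the two AND gates get a table (the three XOR gates cost nothing, which is the point of free-XOR), and the evaluator selects its row from the colour bits alone, so it never has to try decrypting all four rows. Free-XOR ties every wire's two labels together by the same offset, which is why slide 13 lists it under the stronger circular-security assumption rather than a plain PRF.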

  13. Constructions (Security) • Weak assumptions: PRF → double-encryption; LPN → Free-XOR; correlation-robustness → row reduction techniques; correlation-robustness → FleXor • Strong assumptions: circular-security → Free-XOR; circular-security → Half-Gates; ideal-permutation → fixed-key block-cipher; RO → adaptive security • Can we achieve these using weak assumptions?

  14. Standard Security Properties • Input privacy • Needed in most applications (not in ZK application) • Function privacy • Private function evaluation • Output authentication • Malicious 2PC, dual-execution, verifiable comp., server-aided comp., ZK • Adaptive privacy • Verifiable comp, offline/online batch execution, …

  15. New Security Properties? • Only a subset of properties (e.g. privacy-free garbling) • Leaky privacy (e.g. leak a few bits, protect/leak certain functions) • Tunable security! (tunable privacy, authenticity, …) • Leveled privacy (inputs with different sensitivity levels)

  16. Functionality? • Standard ones • Garble, encode inputs, evaluate, authenticate outputs • Circuit property enforcing (with Rosulek and Kolesnikov) • Checking circuit properties • Topology, depth, input size, gate types • Useful in limiting malicious behavior • Input property enforcing • Unique input identifier (for input consistency) • Enforcing input formats • Enforce relation between inputs in multiple executions (beyond equality) • Output property enforcing • Enforcing output format

  17. Malicious 2PC (figure, cut-and-choose flow: Are all inputs the same? → Evaluate → Open → Majority → Is the output correct?)
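The cut-and-choose flow sketched on this slide (open a random subset of the garbled circuits to check them, evaluate the rest, take the majority output), as an added example that is not part of the talk. It models each circuit abstractly as honest or corrupt instead of garbling it, opens half of the circuits, and treats anything short of a strict majority as a failed attack; the circuit counts and the 2^-40 target are assumptions made for the example.

```python
# Added example (not the talk's code): exact and simulated cheating probability for the
# basic open-half-and-majority cut-and-choose of slide 17. Circuits are abstract
# honest/corrupt flags; opening is modelled as perfect detection of a corrupt circuit.
import math
import random


def cheat_success_prob(s: int, c: int, b: int) -> float:
    """Exact probability that a garbler who corrupts b of s circuits wins: none of the
    c opened circuits is corrupt, and the corrupt ones are a strict majority of the
    s - c evaluated circuits, so the majority vote returns a wrong output."""
    e = s - c
    if b > e or 2 * b <= e:  # some corrupt circuit must be opened, or no majority is reached
        return 0.0
    return math.comb(s - b, c) / math.comb(s, c)


def best_attack(s: int, c: int) -> float:
    """Adversary's best choice of b: the smallest strict majority of the evaluated set."""
    return max(cheat_success_prob(s, c, b) for b in range(s + 1))


def min_circuits(security_bits: int) -> int:
    """Smallest even s, opening half, with cheating probability at most 2**-security_bits."""
    s = 2
    while best_attack(s, s // 2) > 2.0 ** -security_bits:
        s += 2
    return s


def cut_and_choose_round(s: int, c: int, b: int, rng: random.Random) -> str:
    """One simulated run: corrupt b circuits, open c at random, abort if any opened
    circuit is bad, otherwise majority-vote the outputs of the remaining ones."""
    corrupt = set(rng.sample(range(s), b))
    opened = set(rng.sample(range(s), c))
    if corrupt & opened:
        return "caught"
    bad_evaluated = len(corrupt - opened)
    return "cheated" if 2 * bad_evaluated > s - c else "correct"


def estimate_cheat_prob(s: int, c: int, b: int, trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of cheat_success_prob, for cross-checking the formula."""
    rng = random.Random(seed)
    return sum(cut_and_choose_round(s, c, b, rng) == "cheated" for _ in range(trials)) / trials


if __name__ == "__main__":
    print("exact  s=8 c=4 b=3:", cheat_success_prob(8, 4, 3))
    print("simul  s=8 c=4 b=3:", estimate_cheat_prob(8, 4, 3))
    print("circuits for 2^-40 with open-half + majority:", min_circuits(40))
```

The output shows why the basic variant is expensive: opening half and taking a majority needs on the order of 125 circuits for a 2^-40 cheating probability, because the adversary only has to hide a bare majority of the evaluated set from the opened set. The slide's pointer to Lindell 2013 is to techniques that lower that count; this example models only the plain majority variant.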

  18. Secure 2PC • Malicious security • Cut-and-choose (state of the art: Lindell 2013) • Abstracting out cut-and-choose (joint work with Seny Kamara) • A new paradigm? • Lower bounds for cut-and-choose? • RAM programs • Optimizing ORAM for 2PC ([WCS]: Circuit-ORAMs) • Implementation framework (SCVM) • Extending cut-and-choose to RAM programs ([AHMR]) • Lots of interesting questions • 2PC with relaxed security • Covert security, leaky 2PC, one-sided security • Restricting leakage functions

  19. Questions?
