1 / 32

On the Security of the “Free-XOR” Technique

On the Security of the “Free-XOR” Technique. Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD). Research in Secure Two-party Computation (2PC). Generic protocols [Yao86, GMW87] “Tailored” protocols for specific applications [FNP04,HL08,KO97,… ]

baris
Download Presentation

On the Security of the “Free-XOR” Technique

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. On the Security of the “Free-XOR” Technique RanjitKumaresan Joint work with Seung GeolChoi, Jonathan Katz, and Hong-Sheng Zhou (UMD)

  2. Research in Secure Two-party Computation (2PC) • Generic protocols [Yao86, GMW87] • “Tailored” protocols for specific applications [FNP04,HL08,KO97,…] • Fairplay [MNPS04]: Implemented generic protocols • Hope for practicality

  3. Research in Secure Two-party Computation (2PC) • Active research improving concrete efficiency of generic protocols • Garbled circuit approach [PSSW09,HEKM11,KM11,LP07,LP11,…] • GMW approach [NNOB11, CHKMR12,...] • Moving secure computation from theory to practice

  4. Talk Outline • Background on Yao GC & the Free-XOR technique [KS08] • Description in the random oracle (RO) model • Replacing RO with correlation robust hash functions? • Sufficientassumptions on the hash function • Why correlation robust hash functions are not enough • New notion: Circular correlation robust hash functions • Security of the Free-XOR technique • Conclusions

  5. Yao Garbled Circuit (GC) [Yao86] • Generic secure computation protocol • Constant round solution • Mostly symmetric-key operations • Popular choice for efficient 2PC

  6. v u v u u v u v v u Yao Garbled Circuit XOR w AND u v Credit: V. Kolesnikov

  7. Yao Garbled Circuit y0 g,g’: gate indices H: hash function y1 XOR x0 w0 x1 w1 AND u0 v0 u1 v1

  8. GC Based Semi-Honest 2PC [Yao86] GC …. Alice input keys Bob keys input bits OT Bob input keys Evaluate GC using received input keys GC ….

  9. Efficiency Improvements to Yao GC • Garbled row reduction [NPS99,PSSW09] • Just 3 entries per garbled table • Point-and-permute [MNPS04] • Decrypt only one entry • Free-XOR technique [KS08] • No garbled table for XOR gates

  10. Free-XOR Technique [KS08] • Idea: XOR gates evaluated for “free” • No cryptographic operations or communication (like [Kol05,GMW87]) • GC based 2PC in the semi-honest setting • Gains in practice? • 40% improvement for “typical” circuits • 300% improvement for universal circuits • Impact • All recent implementations use Free-XOR technique [PSSW09, SS11,…] • Efforts to minimize #non-XOR gates in circuit [KS08, KSS09, PSSW09]

  11. Free-XOR Technique [KS08] y0 y1 XOR x0 w0 x1 w1 AND u0 v0 u1 v1

  12. Free-XOR Technique [KS08] y0= w0⊕ x0 y1 = y0⊕ R R : hidden global parameter XOR x0 w0 w1 = w0⊕ R x1 = x0⊕ R AND u0 v0 v1 = v0⊕ R u1 = u0⊕ R

  13. Free-XOR Technique [KS08] y Set y = w⊕x R : hidden global parameter XOR x w Use H(u,v,g) to recover w AND u v

  14. Proof in the RO Model [KS08] • Corrupt Alice: Trivial • Corrupt Bob: • Sim creates a fake garbled circuit whose output is always correct • Intuitively, security reduces to proving R is completely hidden • Indistinguishability proved by induction on topological ordering of gates Real table Simulated table • By induction, known input keys: u, v • Only w is recovered • Except with negl. prob., all other values are hidden

  15. Proof in the Standard Model? • RO is not programmed • Can RO be replaced by a suitable hash function? • [KS08]: a variant of correlation robust hash functions (CorRHF) works • Repeated wherever Free-XOR is used [PSSW09,SS11,AHI11,NO09,…] • Our contributions “Natural” variant of CorRHFis NOT sufficient Specify variant of CorRHF that is sufficient

  16. Proof in the Standard Model? • Main issue is circularity [BK03,BRS03, HK07, …] • H(u⊕R,v⊕R,g)⊕(w⊕R) • CorRHF does not capture circularity “Natural” variant of CorRHFis NOT sufficient Specify variant of CorRHFthat is sufficient • Circular Correlation Robust Hash Functions • Captures circularity • Security proof for the Free-XOR technique

  17. Why is this important? • Implementors happy with RO… • In theory, RO methodology is inherently flawed [CGH04] • Want precise formulation of concrete properties required by RO • “Natural” variant of CorRHF used in other contexts [AHI11,NO09] • “CorRHF is sufficient for Free-XOR technique” claimed in several works [PSSW09,SS11, AHI11,…] • Assumptions required for Free-XOR tech. in Yao GC? • Free-XOR in [GMW87, Kol05] with no other assumptions

  18. Correlation Robust Hash Functions [IKNP03] • Proposed by [IKNP03] for removing RO in OT extension • Definition: (CorRHF) H is CorRHF if for randomly chosen u1,…, up, the following two distributions are comp. indistinguishable • (u1,…, up, H(u1⊕R), …, H(up⊕R)) where R is chosen uniformly • (u1,…, up, w1,…, wp) where each wi is chosen uniformly • (Arithmetic variant) realized under PDH assumption [AHI11] • [KS08]: Variant can replace RO in Free-XOR • Use of hidden off-set in both [KS08] and [IKNP03]

  19. “Natural” Variant of CorRHF • Definition: (weak 2-CorRHF) H is weakly 2-CorRHF if for given u1,…, up, v1,…, vp,the following two distributions are comp. indistinguishable • . • ` where R is chosen uniformly • (w1,…, w3p)where each wi is chosen uniformly . . . • H(u1⊕R,v1,1), H(u1,v1⊕R,1), H(u1⊕R,v1⊕R,1) • H(up⊕R,vp,p), H(up,vp⊕R,p), H(up⊕R,vp⊕R,p)

  20. Our Working Definition of 2-CorRHF • Oracle based • CorR(u,v,g): output H(u,v⊕R,g), H(u⊕R,v,g), H(u⊕R,v⊕R,g) • Rand(u,v,g): if input was queried before then output answer given previously, else output a uniformly chosen string • Definition: (2-CorRHF) H is 2-CorRHF if every non-uniform PPT adversary A with oracle access to O(either CorR or Rand) cannot tell whether O is CorR or Rand except with negligible advantage • Stronger than previous definition • Oracle queries can be adaptive

  21. 2-CorRHF and Free-XOR technique Real table Simulated table • Reduction adversary B for 2-CorRHF • Given O (either CorR or Rand) • How to create garbled table? • Choose random u,v,w • Query O(u,v,g) to get h1, h2, h3 • First 3 entries can be set • How to obtain fourth entry using h3? • Unclear how to complete reduction Reduction Table

  22. Counterexample • Rule out fully black-box reduction using two oracles H and Break • H is 2-CorRHF even if A has oracle access to H and Break • Free-XOR technique is insecure when A has access to H and Break Break(u,v,g,z1,z2,z3) • Output r when • z1 = H(u,v⊕r,g) • z2 = H(u⊕r,v,g) • z3 = H(u⊕r,v⊕r,g)⊕r • Else output nothing H(u,v,g) • Random function

  23. H is 2-CorRHF against AH, Break • O= Rand: uniform, independent of A’s view • O = CorR: uniform, independent of A’s view unless A queries O(u,v,g) & • O(u’,v’,g) with u’⊕u = R or v’⊕v= R, or • H(u’,v’,g) with u’⊕u = R or v’⊕v = R, or • Break(u,v,g,z1,z2,z3) with z3⊕H(u⊕R,v⊕R,g) = R Happens with negligible prob. Break(u,v,g,z1,z2,z3) • Output r when • z1 = H(u,v⊕r,g) • z2 = H(u⊕r,v,g) • z3 = H(u⊕r,v⊕r,g)⊕r • Else output nothing H(u,v,g) • Random function

  24. Insecurity of Free-XOR Tech.: AH, Break Attack: A acting as Bob recovers R • Recover w from gate g using H(u,v,g) • z1 = c1⊕ w • z2= c2⊕ w • z3= c3⊕ w • Query Break(u,v,g,z1,z2,z3) to get R AND gate g c1 c3 c2 Break(u,v,g,z1,z2,z3) • Output r when • z1 = H(u,v⊕r,g) • z2 = H(u⊕r,v,g) • z3 = H(u⊕r,v⊕r,g)⊕r • Else output nothing H(u,v,g) • Random function

  25. Capturing Circularity: Circular 2-CorRHF • Recall indistinguishable oracles in 2-CorRHF • CorR(u,v,g): output H(u,v⊕R,g), H(u⊕R,v,g), H(u⊕R,v⊕R,g) • Rand(u,v,g): if input was queried before then output answer given previously, else output uniformly chosen • Oracles for Circular 2-CorRHF • CircR(u,v,g,b1,b2,b3): output H(u⊕b1R, v⊕b2R, g) ⊕ b3R • Rand(u,v,g,b1,b2,b3): same as before bR = 0 when b=0 bR = R when b=1

  26. Capturing Circularity: Circular 2-CorRHF • Recall indistinguishable oracles in 2-CorRHF • CorR(u,v,g): output H(u,v⊕R,g), H(u⊕R,v,g), H(u⊕R,v⊕R,g) • Rand(u,v,g): if input was queried before then output answer given previously, else output uniformly chosen • Oracles for Circular 2-CorRHF • CircR(u,v,g,b1,b2,b3): output H(u⊕b1R, v⊕b2R, g) ⊕ b3R • Rand(u,v,g,b1,b2,b3): same as before Allowing b3 = 1 captures circularity

  27. Circular 2-CorRHF • Oracles for Circular 2-CorRHF • CircR(u,v,g,b1,b2,b3): output H(u⊕b1R, v⊕b2R, g) ⊕ b3R • Rand(u,v,g,b1,b2,b3): same as before • Indistinguishabilityconditioned on restricted queries to CircR • No queries of the form (u,v,g,0,0,b3) • No queries on both (u,v,g,b1,b2,0) and (u,v,g,b1,b2,1) • Definition: (Circular 2-CorRHF) H is circular 2-CorRHF if every non-uniform PPT adversary Amaking legal queries to oracle Ocannot tell whether O is CircRor Rand except with negligible advantage

  28. Proof of Security for the Free-XOR Tech. • Corrupt Alice: Trivial • Corrupt Bob: Sim creates a fake garbled circuit . . . y = w⊕x • Choose random key for all wires except output wires of XOR gates • XOR chosen keys for input wires to get key for output wire of XOR gate • Populate unknown values in non-XOR gate table with random values • Set output garbled table to give correct output z XOR Simulated table w x AND u v

  29. Reduction to Circular 2-CorRHF • Reduction adversary B for Circular 2-CorRHF • B given access to O (either CircRor Rand) & real inputs for both parties . . . y = w⊕x • Choose random key for all wires except output wires of XOR gates • XOR chosen keys for input wires to get key for output wire of XOR gate • Populate unknown values in non-XOR gate table using O • Set output garbled table to give correct output z XOR Reduction Table w x AND u v

  30. Circular 2-CorRHF & Free-XOR technique Real table Simulated table Reduction Table O = CircR O = Rand Recall CircR(u,v,g,b1,b2,b3): • output H(u⊕b1R, v⊕b2R, g) ⊕ b3R

  31. Conclusions & Open Questions • Free-XOR technique extremely influential • Used in all Yao GC implementations • Secure in the random oracle model • “Natural” variant of 2-CorRHF is not sufficient • Circularity • Stronger notion of 2-CorRHF: Circular 2-CorRHF • Security proof for the Free-XOR technique • “Free” gate evaluation under OWF? • Realize Circular 2-CorRHF from standard crypto assumptions?

  32. Thank You!

More Related