
Two Party Computing With Encrypted Data



Presentation Transcript


    1. Two Party Computing With Encrypted Data

    2. Motivation
    The notion of computing with encrypted data [RAD78]:
    - Bob encrypts and publishes his data
    - Alice performs the computation
    - Single encrypted message from Alice to Bob
    - Bob decrypts to get the result
    Equated with doubly homomorphic encryption, which we don't have!
    [RAD78] Rivest, Adleman, Dertouzos (1978): On Data Banks and Privacy Homomorphisms

    3. Model for Computing with Doubly Homomorphic Encryption
    Offline:
    - Bob publishes his public key
    - Anybody can encrypt data
    Online, given a circuit C:
    - Alice performs the computation
    - Alice sends the encrypted output to Bob
    - Bob decrypts to get the result

    4. Our Model for Two Party Computing with Encrypted Data
    Offline:
    - Alice and Bob publish their public keys
    - Anybody can encrypt data
    Online, given a circuit C:
    - Alice performs the computation
    - Alice sends the encrypted message (garbled circuit) to Bob
    - Bob computes the circuit to get the result

    5. Road map
    - Yao's Garbled Circuit
    - Conditional Exposure primitive (CODE)
    - Our Garbled Circuit
    - The Malicious Case

    6. Yao's Garbled Circuit

    7. (no transcribed text on this slide)

    8. (no transcribed text on this slide)

    9. Conditional Oblivious Decryption Exposure (CODE)
    CODE Specification: CODE(E(m1), E(m2), E(m3))
    - If m1 == m2 → m3
    - If m1 ≠ m2 → random

    10. Where to Use CODE
    - Replace OT(b, (m0, m1)) with CODE(E(b), E(0), E(m0)) and CODE(E(b), E(1), E(m1))
    - Connect output of one gate to possible inputs of another gate
    - Non-interactive: Alice sends one message to Bob, Bob completes the computation

    11. Garbled Gate (1)

    12. Garbled Gate (2)

    13. Garbled Gate (using CODE)

    14. Computing CODE
    $c_1 = (\alpha, \beta) = (g^{r_1}, m_1 y^{r_1})$
    $c_2 = (\gamma, \delta) = (g^{r_2}, m_2 y^{r_2})$
    $c_3 = (\lambda, \mu) = (g^{r_3}, m_3 y^{r_3})$
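As an added worked example (not the talk's own construction), here is one way to realise CODE with ElGamal ciphertexts of the shape shown on slide 14, and to use it as the OT replacement of slide 10: divide E(m1) by E(m2), raise to a fresh exponent so the plaintext becomes 1 exactly when m1 == m2, then multiply by E(m3). The two-key (Alice and Bob) decryption of the talk and its ZK proofs are not modelled, and the group parameters are constructed toy values.

```python
import secrets

# Constructed toy parameters (not from the talk): safe prime p = 2q + 1 with
# g = 4 generating the order-q subgroup. Real deployments use 2048-bit groups.
P, Q, G = 1019, 509, 4

def keygen():
    """ElGamal key pair: secret exponent x and public key y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(y, m):
    """E(m) = (g^r, m * y^r), the ciphertext shape written on slide 14."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(y, r, P) % P

def decrypt(x, c):
    a, b = c
    return b * pow(pow(a, x, P), P - 2, P) % P  # b / a^x

def code(c1, c2, c3):
    """CODE(E(m1), E(m2), E(m3)): a ciphertext of m3 if m1 == m2, of a random
    group element otherwise. Every step is homomorphic, so no key is needed."""
    (a1, b1), (a2, b2), (a3, b3) = c1, c2, c3
    # E(m1 / m2): divide component-wise (ElGamal is multiplicatively homomorphic).
    a, b = a1 * pow(a2, P - 2, P) % P, b1 * pow(b2, P - 2, P) % P
    # Raise to a fresh non-zero exponent: plaintext becomes (m1/m2)^s, which is 1
    # exactly when m1 == m2 and a uniformly random non-identity element otherwise.
    s = secrets.randbelow(Q - 1) + 1
    a, b = pow(a, s, P), pow(b, s, P)
    # Multiply by E(m3): the plaintext is now m3 * (m1/m2)^s.
    return a * a3 % P, b * b3 % P

def encode_bit(bit):
    """Bits live in the subgroup as g^0 = 1 and g^1 = g so equality is testable."""
    return pow(G, bit, P)

def garble_input_wire(y, enc_bit, key0, key1):
    """Slide 10: replace OT(b, (m0, m1)) by the two transcripts
    CODE(E(b), E(0), E(m0)) and CODE(E(b), E(1), E(m1))."""
    return (code(enc_bit, encrypt(y, encode_bit(0)), encrypt(y, key0)),
            code(enc_bit, encrypt(y, encode_bit(1)), encrypt(y, key1)))

def open_input_wire(x, transcripts):
    """Bob decrypts both: the matching one yields the wire key, the other junk."""
    return tuple(decrypt(x, t) for t in transcripts)
```

Because the blinding exponent s is never zero, the non-matching transcript can never decrypt to the unselected key, which is the property the OT replacement relies on.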

    15. Garbling a Circuit
    - Shuffled and encrypted truth tables
    - CODE at the input level
    - Matching entry in truth table reveals encrypted output value and two secret keys
    - CODE transcripts that connect the matching output value to the next gate are encrypted with the secret keys
    - Garbled circuit is one message
    - Compute gate by gate

    16. Advantages of CODE
    - Input separability: circuit can be built from anyone's encrypted inputs
    - Non-interactive: one message to open all CODEs
    - Suitable for adding efficient ZK proofs on top of it

    17. 2PC Malicious Case
    Malicious party may.. What can a malicious party do?
    - Change her input (we can't avoid that)
    - Bias the random choices she has to make during the protocol
    - Send messages that do not follow the protocol
    - Stop cooperating at some point
    ===
    - Change her inputs, before computation starts (we can't avoid that)
    - Change her inputs, depending on the other party's inputs
    - Stop cooperating after computation starts
    - Have the honest party compute a different circuit than agreed
    - Cause abort if the honest party's input has some property

    18. Previous Works - 2PC with Malicious Adversaries
    - [LP07] cut and choose technique
    - [JS07] computing on encrypted data
    - [KH07] Running two copies of Yao in parallel
    (P1 generates the circuits)
    P2 -> P1: OT step 1, for all his inputs, 2s times
    P1 -> P2: 1. send 2s garbled circuits; 2. commit to 2s copies of inputs; 3. complete OT step 2, for the 2s copies; 4. Coin Tossing step 1
    P2 -> P1: Coin Tossing step 2. Decide on s circuits to decommit.
    P1 -> P2: 1. Decommit s circuits; 2. Send random values for P1's inputs

    19. Malicious CODE
    Alice can send malformed messages

    20. Our Protocol, Malicious Case
    Protect against possible attacks of a malicious adversary, using non-interactive ZK proofs:
    - Parties prove their public keys were chosen correctly
    - Input contributors commit to inputs, prove they know the plaintext
    - Alice proves the shuffled truth tables are equal to the original ones
    - Alice proves each CODE transcript is valid

    - All parties commit to inputs, prove they know the plaintext (why? Otherwise they can choose ciphertexts that combine with the other, committed, ciphertexts in a way that )
    - Which ZK PoK do we use? Here it depends on the model (CRS/ROM), and the number of rounds changes between each model? Should remain the same, no?
    - Alice proves the shuffled truth tables are equal to the original ones (otherwise, she can send a different circuit altogether with different truth tables, or affect the computation arbitrarily)
    - Alice proves each gate is valid (otherwise, this can cause halting the execution only if some gate is reached, which gives Alice information on the inputs of Bob)

    21. Our Results
    - Input separability: anybody can contribute inputs
    - Off-line/On-line model
    - On-line stage: only one message from Alice to Bob, as in the Computing with Encrypted Data model
    - Computing Servers can compute many on-line sessions after a single off-line stage: lower amortized round complexity
    - Computing with Encrypted Data with both parties' public keys loses the strong relation to doubly homomorphic encryption!

    22. THE END
