210 likes | 419 Views
Fast Secure Computation for Small Population over the Internet. Megha Byali , Arun Joseph, Arpita Patra , Divya Ravi I ndian I nstitute of Sc ience, Bangalore, India. ACM Conference on Computer and Communications Security, 2018. Our Results.
E N D
Fast Secure Computation for Small Population over the Internet MeghaByali, Arun Joseph, ArpitaPatra, Divya Ravi Indian Institute of Science, Bangalore, India. ACM Conference on Computer and Communications Security, 2018
Our Results Efficient 3-Party (3PC) and 4-Party (4PC) Protocols with honest majority achieving the stronger security notions of: • Fairness • -- 4 round fair 3PC (n=3, t=1) • Guaranteed Output Delivery (god) • -- 5 round god 3PC (n=3, t=1) • -- 4 round god 4PC (n=4, t=1) • -- 5 round god 4PC (n=4, t=1) Assumptions: -- OWF/P -- Minimalistic network of point-to-point channels. -- Necessary Broadcast for 3PC god [CohenHOR16]. [CohenHOR16] Ran Cohen, IftachHaitner, EranOmri, and LiorRotem. Characterization of Secure Multiparty Computation Without Broadcast. In TCC. 2016.
Secure MultiParty Computation (MPC) Joint function: f(x1, x2, …, xn) Inputs: (x1, x2, …, xn) • Goals: • Correctness • Privacy MPC TTP f MPC: Real World emulation of TTP
Why Small Population with Honest Majority? • Real world applications: Secure ML, Danish Sugar Beet Auction, Fair Auctions. • Weaker Assumptions: Eliminate PK primitives like Oblivious Transfer (OT) altogether as symmetric-key functions are sufficient. • Light Weight Tools and Efficiency: • Customized Secret Sharing schemes. • Customized OT. • Stronger Security: The properties, fairness and guaranteed output delivery can be achieved only in the case of honest majority [Cleve86]. [Cleve86] Richard Cleve. Limits on the security of coin flips when half the processors are faulty (extended abstract). In ACM STOC, 1986.
Security Guarantees • Guaranteed output delivery (god) – Strongest Adversary cannot prevent honest parties from getting output. • Fairness If adversary gets output, all get the output. • Security with selective abort - weakest Adversary selectively deprives some honest parties of the output. y yyyyy y yyyyy ┴ ┴ ┴ ┴ ┴ ┴ • yy • y y ┴ ┴
Garbled Circuit (GC) [BellareHR12] Boolean circuit C Garbling function inputx youtput Gb d e GC Encoding function En De Decoding function X Y Ev Evaluation function [BellareHR12] MihirBellare, Viet Tung Hoang, and Phillip Rogaway.Foundations of garbled circuits. In CCS, 2012.
The Bigger Picture 3-Party Protocols 4-Party Protocols [MohasselRZ15] PaymanMohassel, Mike Rosulek, and Ye Zhang. Fast and Secure Three-party Computation: The Garbled Circuit Approach. In CCS’15. [PatraR18] Arpita Patra and Divya Ravi. On the Exact Round Complexity of Three Party Computation. In CRYPTO, 2018. [IshaiKKP15] Yuval Ishai, RanjitKumaresan, EyalKushilevitz, and AnatPaskin-Cherniavsky. Secure computation with minimal interaction, revisited. In CRYPTO, 2015.
3PC with Fairness y = f (x1, x2, x3) is the function to be computed. x2 Garbler 2 P2 x32 r P3 x3 Evaluator x31 P1 Garbler 1 x1 n=3, t=1
3PC with Fairness x2 , x32 y = f(x1, x2, x3) is the function to be computed. Use r to generate GC P2 Common Information in GC P3 x3 Verify correctness: By comparing common info in GC sent by both P1 ,P2 Common Information in GC P1 Use r to generate GC x1 , x31
3PC with Fairness y = f (x1, x2, x3) is the function to be computed. x2 P2 Y P3 x3 Evaluate the GC to obtain encoded output Y and decode Y to obtain y. Y P1 Fairness Violation? x1 • Solution: • Prevent P3from decoding Y in advance, but commit to decoding info d in advance. • Allow P1 , P2to exchange Y.
3PC with Fairness y = f(x1, x2, x3) is the function to be computed. x2 Y valid? P2 Y Yes! d P3 x3 Y Evaluate the EC to obtain only encoded output Y. Use decoding info d from P1 to compute y. Y’ P1 Y’ valid? x1 No! Fairness? How Far? Use Y from P1to compute y. Almost there!
3PC with Fairness y = f(x1, x2, x3) is the function to be computed. x2 P2 P3 x3 Y Correctness Check Failed. Abort! Correctness Violated! P1 Y valid? Yes! Accept x1 Solution: Proof mechanism that Y originated from P3
3PC with Fairness y = f(x1, x2, x3) is the function to be computed. Sample s2, compute H(s2) x2 P2 H(s2), s2 H(s1) H(s1) P3 x3 H(s2) H(s1), s1 Verify Correctness H(s2) P1 Sample s1, compute H(s1) Proof Mechanism x1
3PC with Fairness y = f(x1, x2, x3) is the function to be computed. x2 Y and proof valid? Yes! P2 Y , s1 Y , s2 Y , s1 P3 x3 On Evaluation Y , s2 P1 Y and proof valid? Yes! x1 Fairness Guaranteed!
3PC with fairness P2 P2 GC Info H(s2), s2 , H(s1) H(s1) P3 r x3 P3 H(s2) Verify checks , H(s2) H(s1), s1 P1 GC Info P1 x1 P2 P2 d Y , s1 P3 P3 Y , s1 Y , s2 d Y , s2 P1 P1
Challenges in Achieving god • Conflicting messages sent by parties: How to proceed? • Local identification of a corrupt party. • Input Consistency Issues for robustness. • Three-Party Computation: • Use broadcast to raise and resolve conflicts. • Identify an honest party as TTP. • Commitments ensure input consistency. • Four-Party Computation: • Use multiple evaluator approach to guarantee at least one honest evaluator. • Raise Conflict and identify TTP. • Commitments for input consistency.
Efficiency Overhead in Comparison to [MohasselRZ15]: Table indicates average values taken over #parties and the range is taken over the choice of circuits. (g) – gain per party.
Open Questions Minimizing the number of rounds of interaction while maintaining the similar efficiency as ours in achieving: • Fairness and Guaranteed Output Delivery in 3PC. • Guaranteed Output Delivery in 4PC.
Efficiency f3PC – 3PC fair, g4PC – 4PC god, g3PC – 3PC god Type of Circuit: 1 – AES 128, 3- MD5 , 5- SHA-256
3PC with Fairness y=f(x1, x2, x3) is the function to be computed. x2 P2 Y Decoding Info P3 x3 Y Y Y Decoding Info P1 Problems? x1 Solution: Commit on the decoding info and agree on the commitment in advance!