210 likes | 339 Views
Two Party Computing With Encrypted Data. Seung Geol Choi Ariel Elbaz Ari Juels Tal Malkin Moti Yung. Motivation. The notion of computing with encrypted data [RAD78] Bob encrypts and publishes his data Alice performs the computation Single encrypted message from Alice to Bob
E N D
Two Party Computing With Encrypted Data Seung Geol Choi Ariel Elbaz Ari Juels Tal Malkin Moti Yung
Motivation • The notion of computing with encrypted data [RAD78] • Bob encrypts and publishes his data • Alice performs the computation • Single encrypted message from Alice to Bob • Bob decrypts to get the result • Equated with doubly homomorphic encryption, which we don’t have!
Model for Computing with Doubly Homomorphic Encryption Offline • Bob publishes her public key • Anybody can encrypt data Online: Given a circuit C • Alice performs the computation • Alice sends the encrypted output to Bob • Bob decrypts to get the result
Our Model for Two Party Computing with Encrypted Data Offline • Alice and Bob publish their public keys • Anybody can encrypt data Online: Given a circuit C • Alice performs the computation • Alice sends the encrypted message (garbled circuit) to Bob • Bob computes the circuit to get the result
Road map • Yao’s Garbled Circuit • Conditional Exposure primitive (CODE) • Our Garbled Circuit • The Malicious Case
Yao’s Garbled Circuit k0 k1 NAND El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) l0 l1 r0 r1 NAND(0,1) = 1
k0 k1 El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) k0 k0 k1 k1 El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) l0 l1 r0 r1 l0 l0 l1 l1 r0 r0 r1 r1 Yao’s Garbled Circuit NAND
k0 k0 k1 k1 El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) k0 k0 k0 k0 k1 k1 k1 k1 k0 k1 El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) r0 r1 l0 l1 l0 l0 l1 l1 r0 r0 r1 r1 l0 l0 l0 l0 l1 l1 l1 l1 r0 r0 r0 r0 r1 r1 r1 r1 Yao’s Garbled Circuit : Getting the input random strings Alice’s inputs: a0, a1,…,an b0, b1,…,bn Bob’s inputs Alice sends OT(bi, (r0i, r1i)) random string r0 random string r1 random string rn random string r’0 random string r’1 random string r’n
Conditional Oblivious Decryption Exposure (CODE) CODE Specification CODE( E(m1), E(m2), E(m3) ) • If (m1 == m2) m3 • If (m1 m2) random
Where to Use CODE • Replace OT(b, (m0,m1)) with CODE(E(b), E(0), E(m0)) CODE(E(b), E(1), E(m1)) • Connect output of one gate to possible inputs of another gate • Non interactive: Alice sends one message to Bob, Bob completes the computation
Garbled Gate (1) E(0) E(1) NAND E(0), E(0), E(1) E(1), E(1), E(0) E(0), E(1), E(1) E(1), E(0), E(1) E(l) E(r) Step 1: Encrypt and Shuffle the Truth Table
Garbled Gate (2) E(0) E(1) NAND E(0), E(l0), E(0), E(r0), E(1) E(1), E(l1), E(1), E(r1), E(0) E(0), E(l0), E(1), E(r1), E(1) E(1), E(l1), E(0), E(r0), E(1) E(0) E(1) Step 2: Use CODE to connect inputs to correct entry in truth table
Computing CODE • c1 =(a,b) = ( gr1 ,m1yr1 ) c2 =(g,d) = ( gr2 ,m2yr2) c3 =(l,m) = ( gr3 ,m3yr3 ) m1yr1/m2yr2 = (m1/m2) (gr1/gr1)x CODE( E(m1), E(m2), E(m3) ) • If (m1 == m2) m3 • If (m1 m2) random e=g(r1-r2)e • Alice sends e=(a/g)e, z=(b/d)e • Alice sends DxA=(e l)xA • Bob computes DxB=(e l)xB z=(m1/m2)e¢ y(r1-r2)e DxA=(g(r1-r2)e+r3)xA DxADxB=(y(r1-r2)e+r3) • Bob computes zm/DxADxB=(m1/m2)em3
Garbling a Circuit • Shuffled and Encrypted truth tables • CODE at the input level • Matching entry in truth table reveals encrypted output value and two secret keys • CODE transcripts that connect the matching output value to the next gate are encrypted with the secret keys • Garbled circuit is one message • Compute gate by gate
Advantages of CODE • Input separability: circuit can be built from anyone’s encrypted inputs • Non interactive: one message to open all CODEs • Suitable to adding efficient ZK proofs on top of it
2PC – Malicious Case Malicious party may.. • Abort • Give malicious input, based on honest party’s input • Encrypt “garbage” / conditioned on the honest party’s bit • Have a different gate computed
Previous Works - 2PC with Malicious Adversaries • [LP07] cut and choose technique • [JS07] computing on encrypted data • [KH07] Running two copies of Yao in parallel
Malicious CODE • Alice can sent malformed messages • Alice sends e=(a/g)e, z=(b/d)e • Alice sends DxA=(e l)xA • Add ZK proofs • ZK { e : e=(a/g)e, z=(b/d)e } • ZK { xA : D=(e l)xA , yA = gxA }
Our Protocol – Malicious Case Protect against possible attacks of a malicious adversary, using non-interactive ZK proofs • Parties prove their public keys were chosen correctly • Input contributors commit to inputs, prove they know the plaintext • Alice proves the shuffled truth tables are equal to the original ones • Alice proves each CODE transcript is valid
Our Results • Input separability: anybody can contribute inputs • Off-line/On-line model • On-line stage only one message from Alice to Bob as in the Computing with Encrypted Data model • Computing Servers can compute many on-line sessions after a single off-line stage – lower amortized round complexity • Computing with Encrypted Data with both parties’ public keys loses the strong relation to doubly homomorphic encryption!