1 / 21

Two Party Computing With Encrypted Data

Two Party Computing With Encrypted Data. Seung Geol Choi Ariel Elbaz Ari Juels Tal Malkin Moti Yung. Motivation. The notion of computing with encrypted data [RAD78] Bob encrypts and publishes his data Alice performs the computation Single encrypted message from Alice to Bob

olaf
Download Presentation

Two Party Computing With Encrypted Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Two Party Computing With Encrypted Data Seung Geol Choi Ariel Elbaz Ari Juels Tal Malkin Moti Yung

  2. Motivation • The notion of computing with encrypted data [RAD78] • Bob encrypts and publishes his data • Alice performs the computation • Single encrypted message from Alice to Bob • Bob decrypts to get the result • Equated with doubly homomorphic encryption, which we don’t have!

  3. Model for Computing with Doubly Homomorphic Encryption Offline • Bob publishes her public key • Anybody can encrypt data Online: Given a circuit C • Alice performs the computation • Alice sends the encrypted output to Bob • Bob decrypts to get the result

  4. Our Model for Two Party Computing with Encrypted Data Offline • Alice and Bob publish their public keys • Anybody can encrypt data Online: Given a circuit C • Alice performs the computation • Alice sends the encrypted message (garbled circuit) to Bob • Bob computes the circuit to get the result

  5. Road map • Yao’s Garbled Circuit • Conditional Exposure primitive (CODE) • Our Garbled Circuit • The Malicious Case

  6. Yao’s Garbled Circuit k0 k1 NAND El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) l0 l1 r0 r1 NAND(0,1) = 1

  7. k0 k1 El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) k0 k0 k1 k1 El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) l0 l1 r0 r1 l0 l0 l1 l1 r0 r0 r1 r1 Yao’s Garbled Circuit NAND

  8. k0 k0 k1 k1 El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) k0 k0 k0 k0 k1 k1 k1 k1 k0 k1 El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) El0,r0(k1) El1,r0(k1) El0,r1(k1) El1,r1(k0) r0 r1 l0 l1 l0 l0 l1 l1 r0 r0 r1 r1 l0 l0 l0 l0 l1 l1 l1 l1 r0 r0 r0 r0 r1 r1 r1 r1 Yao’s Garbled Circuit : Getting the input random strings Alice’s inputs: a0, a1,…,an b0, b1,…,bn Bob’s inputs Alice sends OT(bi, (r0i, r1i)) random string r0 random string r1 random string rn random string r’0 random string r’1 random string r’n

  9. Conditional Oblivious Decryption Exposure (CODE) CODE Specification CODE( E(m1), E(m2), E(m3) ) • If (m1 == m2)  m3 • If (m1  m2)  random

  10. Where to Use CODE • Replace OT(b, (m0,m1)) with CODE(E(b), E(0), E(m0)) CODE(E(b), E(1), E(m1)) • Connect output of one gate to possible inputs of another gate • Non interactive: Alice sends one message to Bob, Bob completes the computation

  11. Garbled Gate (1) E(0) E(1) NAND E(0), E(0), E(1) E(1), E(1), E(0) E(0), E(1), E(1) E(1), E(0), E(1) E(l) E(r) Step 1: Encrypt and Shuffle the Truth Table

  12. Garbled Gate (2) E(0) E(1) NAND E(0), E(l0), E(0), E(r0), E(1) E(1), E(l1), E(1), E(r1), E(0) E(0), E(l0), E(1), E(r1), E(1) E(1), E(l1), E(0), E(r0), E(1) E(0) E(1) Step 2: Use CODE to connect inputs to correct entry in truth table

  13. Computing CODE • c1 =(a,b) = ( gr1 ,m1yr1 ) c2 =(g,d) = ( gr2 ,m2yr2) c3 =(l,m) = ( gr3 ,m3yr3 ) m1yr1/m2yr2 = (m1/m2) (gr1/gr1)x CODE( E(m1), E(m2), E(m3) ) • If (m1 == m2)  m3 • If (m1  m2)  random e=g(r1-r2)e • Alice sends e=(a/g)e, z=(b/d)e • Alice sends DxA=(e l)xA • Bob computes DxB=(e l)xB z=(m1/m2)e¢ y(r1-r2)e DxA=(g(r1-r2)e+r3)xA DxADxB=(y(r1-r2)e+r3) • Bob computes zm/DxADxB=(m1/m2)em3

  14. Garbling a Circuit • Shuffled and Encrypted truth tables • CODE at the input level • Matching entry in truth table reveals encrypted output value and two secret keys • CODE transcripts that connect the matching output value to the next gate are encrypted with the secret keys • Garbled circuit is one message • Compute gate by gate

  15. Advantages of CODE • Input separability: circuit can be built from anyone’s encrypted inputs • Non interactive: one message to open all CODEs • Suitable to adding efficient ZK proofs on top of it

  16. 2PC – Malicious Case Malicious party may.. • Abort • Give malicious input, based on honest party’s input • Encrypt “garbage” / conditioned on the honest party’s bit • Have a different gate computed

  17. Previous Works - 2PC with Malicious Adversaries • [LP07] cut and choose technique • [JS07] computing on encrypted data • [KH07] Running two copies of Yao in parallel

  18. Malicious CODE • Alice can sent malformed messages • Alice sends e=(a/g)e, z=(b/d)e • Alice sends DxA=(e l)xA • Add ZK proofs • ZK { e : e=(a/g)e, z=(b/d)e } • ZK { xA : D=(e l)xA , yA = gxA }

  19. Our Protocol – Malicious Case Protect against possible attacks of a malicious adversary, using non-interactive ZK proofs • Parties prove their public keys were chosen correctly • Input contributors commit to inputs, prove they know the plaintext • Alice proves the shuffled truth tables are equal to the original ones • Alice proves each CODE transcript is valid

  20. Our Results • Input separability: anybody can contribute inputs • Off-line/On-line model • On-line stage only one message from Alice to Bob as in the Computing with Encrypted Data model • Computing Servers can compute many on-line sessions after a single off-line stage – lower amortized round complexity • Computing with Encrypted Data with both parties’ public keys loses the strong relation to doubly homomorphic encryption!

  21. THE END

More Related