1 / 19

Garbled Circuits Checking Garbled Circuits More efficient and Secure Two-Party Computation

Garbled Circuits Checking Garbled Circuits More efficient and Secure Two-Party Computation . Payman Mohassel Ben Riva University of Calgary Tel Aviv University. Secure Two-Party Computation. Privacy: Only learn the output

rasha
Download Presentation

Garbled Circuits Checking Garbled Circuits More efficient and Secure Two-Party Computation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Garbled Circuits Checking Garbled CircuitsMore efficient and Secure Two-Party Computation PaymanMohassel Ben Riva University of Calgary Tel Aviv University

  2. Secure Two-Party Computation Privacy: Only learn the output Correctness: Learn the intended function

  3. Contributions • 2PC with low overhead • Input–consistency check • Two-output functions • New Definition • Strengthen covert adversaries • Better efficiency/security trade-off for practice • Protocols meeting the definition

  4. Garbled Circuit seed Eval( )

  5. Useful Properties • Privacy: Knowing , , and does no leak any info • Output Authenticity: P2 cannot compute another valid output

  6. Malicious 2PC Cut-and-Choose Question Are all inputs the same? Evaluate Open Majority Question Is the output correct?

  7. 1) Is the output correct? Evaluate Open Majority But this leaks info to Send GOs as proof

  8. 2) Is the output correct? Evaluate Open Majority Use same output labels in all circuits But learns labels in open phase & can forge output z

  9. 3) Is the output correct? Evaluate Majority Open

  10. Extensions • Extend to two-output functions • XOR ’s output with a random value provided by him • Then apply the above solution • Make solution “streaming-friendly” • Hard to garble/evaluate circuits “on-the-fly” • Need to store circuits until they are opened • See paper for a streaming-friendly version • Similar ideas and efficiency

  11. Covert 2PC cost/payfor malicious party • Coststo get caught • Pays to cheat and win • is probability of not getting caught • Cost > Pay • maybe sufficient Question What about cost/pay for honest party?

  12. All-or-Nothing Security • What about the honest party? • with probability • His input is leaked! • He learns an incorrect output! • Paysto learn correct output • Costs to be cheated on • Pay > Cost • If is large enough • Honest parties may not participate

  13. A Stronger Definition • Increase the pay-off (of learning correct output) • Orthogonal to MPC • Reduce the cost of being cheated on! • By strengthening the security definition

  14. CovIDA Security • Guarantee correctness • Honest parties cannot be tricked into learning bad output • Only leak limited information in case of cheating • With probability nothing is leaked • With probability only one bit is leaked

  15. Dual-Ex 2PC • Correctness prob. = 1-neg(k) • Leakage prob. = 1 • Bad circuit • Different inputs Yes/no Use for authentication Yes/no

  16. Dual-Ex + Covert 2PC • Correctness prob. = 1-neg(k) • Leakage prob. = 1 • Bad circuit • Different inputs Yes/no Yes/no

  17. Dual-Ex + Covert 2PC • Correctness prob. = 1 • Leakage prob. = • Bad circuit • Different inputs It is possible make probability using a few tricks

  18. Are inputs the Same? Malicious 2PC Use same OT for x Linear in s symmetric-key Ops for input-consistency (using OT extension)

  19. Questions?

More Related