Circuits Resilient to Additive Manipulation with Applications to Secure Computation. Yuval Ishai (Technion). Joint work with Daniel Genkin (Technion & TAU), Manoj Prabhakaran (UIUC), Amit Sahai (UCLA), Eran Tromer (TAU).
What this talk is about • New model for fault-tolerant circuits • New approach for protecting secure computation protocols against malicious parties
Dream Goal • A circuit that outputs f(x) on input x no matter how its wires are tampered with • Too much to hope for… the adversary can simply tamper with the output wire, so instead of f(x) the circuit outputs 1-f(x)!
Relaxing Goal • Random faults [vN56,DO77,Pip85,...] • Bounded number of faults [KLM94,GS95,KLR12] • This work: any number of adversarial faults • Allow fault-tolerant circuit to be randomized • Settle for detecting errors w.h.p • Still does not rule out direct tampering with input and output
Further Relaxations • Allow a tamper-proof input encoder (Enc) and output decoder (Dec): x → Enc → circuit → Dec → f(x) / ERR • Enc, Dec must be small and universal (independent of f) • Restricted class of faults • This work: additive attacks on wires, i.e. the adversary adds a field element of its choice (e.g. +5, -2, +3) to any wire of the circuit between Enc and Dec
AMD Codes [CDFPW08] • Protect information against additive attacks: x → Enc → codeword, attacked by adding field elements to its symbols → Dec → x / ERR • Our goal: protect computation: x → Enc → AMD circuit for f, attacked by adding field elements to its wires → Dec → f(x) / ERR
Definition: ε-correctness • Let f: F^n → F^m • Let Enc: F^n → F^n’, C: F^n’ → F^m’, Dec: F^m’ → F^(m+1) • C is a randomized arithmetic circuit over F • Enc is randomized, Dec is deterministic • We say that (Enc, C, Dec) realizes f with ε-correctness against additive attacks if: • ∀ x ∈ F^n, Dec(C(Enc(x))) = (0, f(x)) • ∀ x ∈ F^n and every C^A obtained by applying an additive attack to C, Dec(C^A(Enc(x))) is either (0, f(x)) or (e, y) with e ≠ 0, except with probability ≤ ε
Eliminating Enc and Dec • Idea: settle for “best possible” security • Every additive attack on C can be simulated by a (possibly randomized) additive attack on inputs and outputs alone • C is “as good” as tamper-proof hardware for g • [Figure: offsets such as +3, +5, +r, -1, +2 placed on internal wires of C, versus equivalent offsets on the inputs and outputs only]
Definition: ε-security • Let f: F^n → F^m, C: F^n → F^m • C is a randomized arithmetic circuit over F • We say that C realizes f with ε-security against additive attacks if: • ∀ x ∈ F^n, C(x) = f(x) (with probability 1) • For every C^A obtained by applying an additive attack to C, there are distributions Δ_x, Δ_y (chosen independently of x) such that ∀ x ∈ F^n, C^A(x) ≈_ε C(x + Δ_x) + Δ_y
Security → Correctness • Let (AEnc, ADec) be an AMD code • Define f’ = AEnc ∘ f ∘ ADec: decode the AMD-encoded input x’ to x (with error flag e), apply f to get y, re-encode y to y’; let C’ be an ε-secure circuit for f’ • Then (AEnc, C’, ADec) is ε-correct: an additive attack on C’ is equivalent to an additive attack on x’ and y’ alone, which the AMD code detects • Useful feature: whether e is set reveals almost nothing about x
Our Results • Large field F: compile any C to an ε-secure C’ with |C’| = O(|C|) and ε = O(|C|/|F|) • Any field F: compile any C to an ε-correct (Enc, C’, Dec) with Enc, Dec small and universal and |C’| = |C| · polylog(1/ε)
Techniques: Large Fields • Use a simple homomorphic AMD code • Input: x ↦ (x, r, xr) • Multiplication: (a, r, ar), (b, r, br) ↦ (ab, r², abr²); in general (a, r^d, ar^d), (b, r^d’, br^d’) ↦ (ab, r^(d+d’), ab·r^(d+d’)) • Addition: (a, r, ar), (b, r, br) ↦ (a+b, r, (a+b)r); in general (a, r^d, ar^d), (b, r^d’, br^d’), r ↦ (a+b, r^max(d,d’), (a+b)·r^max(d,d’)) • Output: (y, r^d, z) ↦ y + s·(y·r^d − z) for random s • Problems: • Error grows linearly with the degree d (need d << |F|) → use constant-degree gadgets • Requires wires to be locally random → convert C into a locally random circuit [ISW03, IPS+11] • Compare with [BDOZ11]
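The large-field gadgets above, worked through in Python as an added example (my code, not the talk's or the paper's): the inputs of f(a, b, c) = a·b + c are encoded as (x, r, xr) over GF(P) for the Mersenne prime P = 2^61 − 1, the degree d is carried alongside each codeword so the addition and output gadgets can use r^d, the output gadget computes y + s·(y·r^d − z), and an additive attack can be placed on any wire. The field, the function, the tuple layout and every name (enc, mul, add, output, attack, evaluate) are my assumptions.

```python
"""Homomorphic AMD encoding over a large prime field, applied to a*b + c.

Added example; assumptions: F = GF(P) with P = 2^61 - 1, one shared
randomizer r for all inputs, codewords carried as (v, r^d, v*r^d, d).
"""
import random

P = (1 << 61) - 1  # "large field": the error probability is O(d/|F|)


def enc(x, r):
    """Input gadget: x -> (x, r, x*r), degree 1 in r."""
    return (x % P, r % P, (x * r) % P, 1)


def mul(a, b):
    """(a, r^d, a r^d), (b, r^d', b r^d') -> (ab, r^(d+d'), ab r^(d+d'))."""
    av, ar, az, ad = a
    bv, br, bz, bd = b
    return ((av * bv) % P, (ar * br) % P, (az * bz) % P, ad + bd)


def add(a, b, r):
    """Lift the lower-degree operand to r^max(d,d') using r, then add."""
    av, ar, az, ad = a
    bv, br, bz, bd = b
    if ad < bd:
        lift = pow(r, bd - ad, P)
        ar, az, ad = (ar * lift) % P, (az * lift) % P, bd
    elif bd < ad:
        lift = pow(r, ad - bd, P)
        br, bz, bd = (br * lift) % P, (bz * lift) % P, ad
    return ((av + bv) % P, ar, (az + bz) % P, ad)


def error_term(w):
    """y*r^d - z: 0 on an honest wire, a nonzero polynomial of degree <= d in r after tampering."""
    v, rd, z, _ = w
    return (v * rd - z) % P


def output(w, s):
    """Output gadget y + s*(y r^d - z): with random s, a tampered wire yields a random output."""
    return (w[0] + s * error_term(w)) % P


def attack(w, delta):
    """Additive attack on one encoded wire: add (d_v, d_r, d_z) to its three field elements."""
    v, rd, z, d = w
    return ((v + delta[0]) % P, (rd + delta[1]) % P, (z + delta[2]) % P, d)


def evaluate(a, b, c, seed=0, attack_on=None, delta=(0, 0, 0)):
    """Evaluate a*b + c on encoded wires; attack_on names the wire the adversary tampers with."""
    rng = random.Random(seed)
    r = rng.randrange(1, P)  # shared randomizer, unknown to the attacker
    s = rng.randrange(1, P)  # output-gadget randomizer
    wires = {"a": enc(a, r), "b": enc(b, r), "c": enc(c, r)}
    if attack_on in wires:
        wires[attack_on] = attack(wires[attack_on], delta)
    ab = mul(wires["a"], wires["b"])
    if attack_on == "ab":
        ab = attack(ab, delta)
    y = add(ab, wires["c"], r)
    if attack_on == "y":
        y = attack(y, delta)
    return {"output": output(y, s), "error": error_term(y), "degree": y[3]}


if __name__ == "__main__":
    print("honest  :", evaluate(3, 5, 11, seed=7))
    print("a-wire+1:", evaluate(3, 5, 11, seed=7, attack_on="a", delta=(1, 0, 0)))
```

On an untampered run the error term y·r^d − z is 0 and the output is a·b + c. After adding 1 to the a-wire, or to the tag z of the output wire, the error term is a nonzero polynomial in r of degree at most d, so it vanishes with probability at most d/|F| over the choice of r, and the random s turns the output into a field element the attacker does not control, which is the ε = O(|C|/|F|) behaviour claimed above. The example keeps d = 2; the constant-degree gadgets and the locally random conversion that keep d small for a general circuit are not implemented here.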
Techniques: Small Fields • Implement a matrix-vector multiplication gadget • Use it to implement a simple Hadamard-based linear PCP [ALMSS92] • Problems: • Large constant error → amplify correctness via repetition, checking input consistency across the repetitions using hashing • Quadratic blowup in circuit size → eliminate it using small gadgets
Secure Multiparty Computation [Yao86, GMW87] • [Figure: parties holding inputs a, b, c jointly compute f(a,b,c)] • Every f can be realized with information-theoretic security • Assuming an honest majority [BGW88, CCD88, RB89] • Assuming an oblivious transfer oracle [GMW87, Kil88, IPS08] or an OLE oracle [NP99, IPS09]
Passive vs. Active Attacks • Security against active attacks is much more challenging • Common paradigm: passive security → active security • GMW compiler: using ZK proofs [GMW87, …] • Make sub-protocols verifiable [BGW88, CCD88, …] • Cut-and-choose techniques […, LP07, …] • Use low-threshold active-secure MPC [IPS08] • Major research effort in cryptography
Motivating Observation • In “natural” passive-secure MPC protocols for evaluating an arithmetic circuit C, the effect of an active adversary corresponds to an additive attack on C. • Formally: the protocol perfectly realizes an augmented ideal functionality that allows for an additive attack. • Applies to all information-theoretic protocols we know that have maximal security threshold • Active security can be achieved by applying passive-secure protocol to AMD circuit C’. • Reduces protocol design to circuit design
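An added illustration of this observation, not from the talk: one Beaver-triple multiplication over additive shares between two parties (the triple comes from a trusted dealer, so preprocessing is not modelled; all names are mine). Party 1 may deviate by adding offsets to the values it opens and to its output share, and the reconstructed result is exactly what an additive attack with those offsets on the gate's input and output wires would produce.

```python
"""A cheating party in a passive-secure Beaver multiplication achieves
exactly an additive attack on the gate's wires (added example)."""
import random

P = (1 << 61) - 1  # assumed field GF(P)


def share(x, rng):
    """Additive 2-out-of-2 sharing of x over GF(P)."""
    x0 = rng.randrange(P)
    return [x0, (x - x0) % P]


def open_shares(s):
    return sum(s) % P


def beaver_mul(x, y, seed=0, cheat_d=0, cheat_e=0, cheat_out=0):
    """Product reconstructed after a Beaver multiplication of shared x and y.

    Party 1 is corrupted: it adds cheat_d to its opening of d = x - a,
    cheat_e to its opening of e = y - b, and cheat_out to its output share.
    """
    rng = random.Random(seed)
    a, b = rng.randrange(P), rng.randrange(P)  # dealer's triple (a, b, c = ab)
    c = (a * b) % P
    xs, ys = share(x, rng), share(y, rng)
    as_, bs, cs = share(a, rng), share(b, rng), share(c, rng)

    # Each party broadcasts its share of d and e; party 1 deviates.
    d_msgs = [(xs[0] - as_[0]) % P, (xs[1] - as_[1] + cheat_d) % P]
    e_msgs = [(ys[0] - bs[0]) % P, (ys[1] - bs[1] + cheat_e) % P]
    d, e = open_shares(d_msgs), open_shares(e_msgs)

    # Honest local step: z_i = c_i + d*b_i + e*a_i, plus d*e for party 0.
    zs = [(cs[i] + d * bs[i] + e * as_[i]) % P for i in range(2)]
    zs[0] = (zs[0] + d * e) % P
    zs[1] = (zs[1] + cheat_out) % P  # party 1 tampers with its output share
    return open_shares(zs)


def additive_attack_effect(x, y, cheat_d=0, cheat_e=0, cheat_out=0):
    """The same deviation written as an additive attack on the gate's wires."""
    return ((x + cheat_d) * (y + cheat_e) + cheat_out) % P


if __name__ == "__main__":
    print(beaver_mul(6, 7, seed=1), beaver_mul(6, 7, seed=1, cheat_d=5))
```

The offsets are chosen by the cheater without knowledge of x or y (it sees only uniformly random shares), which is why the effect is an input-independent additive attack on the wires rather than an arbitrary function of the honest inputs. Running the same passive protocol on an AMD circuit C’ for the function therefore turns every such deviation into something C’ detects or randomizes.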
Some Details • Need to protect inputs and outputs • Achieved via local AMD encoding of inputs and AMD decoding of outputs • Protocols only achieve “security with abort” • Often best possible • With honest majority and broadcast, can be upgraded to full security using standard methods
Applications • Simplified feasibility results • Passive BGW88 → RB89 (t < n/2) • Passive GMW87 → Kil88/IPS09 (t < n, OLE-hybrid) • Improved efficiency • Passive DN07 → improved BFO12: t < n/2, O(n|C| + n²) field elements • Passive GMW87 → improved IPS09: t < n, O(|C|) OLE calls • New feasibility • t < n, untrusted preprocessing
Open Problems • AMD Circuits • Better security and efficiency over binary fields • Useful for MPC in OT-hybrid model • Better concrete efficiency over large fields • Useful for practical MPC? [IKHC14] • Generalize attack model • Settle for best possible security • MPC applications • Protocols based on “packed secret sharing” • Computationally secure protocols?