circuits resilient to additive manipulation with applications to secure computation yuval ishai...
TRANSCRIPT
Circuits Resilient to Additive Manipulationwith Applications to
Secure Computation
Yuval Ishai Technion
Daniel Genkin Manoj Prabhakaran Amit Sahai Eran TromerTechnion & TAU
UIUC UCLA TAU
What this talk is about
• New model for fault-tolerant circuits
• New approach for protecting secure computation protocols against malicious parties
Part I:
Fault Tolerant Circuits
Dream Goal
• Too much to hope for…
x f(x)
Yet it is f(x)!
Dream Goal
• Too much to hope for…
x f(x)
Yet it is 1-f(x)!
Relaxing Goal
• Random faults [vN56,DO77,Pip85,...]
• Bounded number of faults [KLM94,GS95,KLR12]
• This work: any number of adversarial faults– Allow fault-tolerant circuit to be randomized– Settle for detecting errors w.h.p– Still does not rule out direct tampering with
input and output
Further Relaxations
• Allow tamper-proof input encoder (Enc) and output decoder (Dec)– Enc,Dec must be small and universal
• Restricted class of faults
x f(x) / ERREnc Dec
Further Relaxations
• Allow tamper-proof input encoder (Enc) and output decoder (Dec)– Enc,Dec must be small and universal
• Restricted class of faults– This work: additive attacks on wires
x f(x) / ERREnc Dec
Further Relaxations
• Allow tamper-proof input encoder (Enc) and output decoder (Dec)– Enc,Dec must be small and universal
• Restricted class of faults– This work: additive attacks on wires
x f(x) / ERREnc Dec
X
X
+-
X
+3
-2
+5
AMD Codes [CDFPW08]
• Protect information against additive attacks• Our goal: protect computation
x f(x) / ERREnc Dec
X
X
+-
X
+3
-2
+5
x x / ERREnc Dec
+3
+5
-3
-2
+8
+4
AMD circuit
Definition: ε-correctness
• Let f:FnFm
• Let Enc:FnFn’, C:Fn’Fm’, Dec:Fm’Fm+1
– C is a randomized arithmetic circuit over F– Enc is randomized, Dec is deterministic
• We say that (Enc,C,Dec) realizes f with ε-correctness against additive attacks if:– ∀ x F∈ n, Dec(C(Enc(x)))=(0,f(x)).– ∀ x F∈ n and every CA obtained by applying an
additive attack to C, Dec(CA(Enc(x))) is either (0,f(x)) or (e,y) for e≠0, except w/prob. ≤ ε
Eliminating Enc and Dec
• Idea: settle for “best possible” security– Every additive attack on C can be simulated by
a (possibly randomized) additive attack on inputs and outputs alone
– C is “as good” as tamper-proof hardware for g
X
X
+-
X+3
+5 +r+2
-1
Definition: ε-security
• Let f:FnFm, C:FnFm
– C is a randomized arithmetic circuit over F• We say that C realizes f with ε-security
against additive attacks if:– ∀ x F∈ n, C(x)=f(x) (w/prob. 1)– For every CA obtained by applying an additive
attack to C, there are distributions Δx,Δy s.t. x F∀ ∈ n, CA(x) ≈ε C(x+Δx)+Δy
Security Correctness
• Let (AEnc, ADec) be an AMD code.
fAEncADec
e
AEnc ADecx
e
yx’ y’
f’
Security Correctness
• Let (AEnc, ADec) be an AMD code.
• Useful feature: whether e is set reveals almost nothing about x
fAEncADec
e
AEnc ADecx
e
yx’ y’
C’
Our Results
• Large field F– Compile any C to an ε-secure C’ – |C’|=O(|C|)– ε = O(|C|/|F|)
• Any field F– Compile any C to an ε-correct (Enc,C’,Dec) – Enc,Dec small and universal– |C’|=|C|.polylog(1/ε)
Techniques: Large Fields• Use simple homomorphic AMD code
– Input: x (x,r,xr)– Multiplication: (a,r,ar), (b,r,br) (ab,r2,abr2)
• (a,rd,ard), (b,rd’,brd’) (ab,rd+d’,abrd+d’)
– Addition: (a,r,ar), (b,r,br) (a+b,r,(a+b)r)• (a,rd,ard), (b,rd’,brd’), r (a+b,rmax(d,d’),(a+b)rmax(d,d’))
– Output: (y,rd,z) y+s.(yrd-z)
• Problems– Error grows linearly with degree d (need d<<|F|)
• Use constant-degree gadgets
– Requires wires to be locally random• Convert C into a locally random circuit [ISW03,IPS+11]
Compare with [BDOZ11]
Techniques: Small Fields
• Implement matrix-vector multiplication gadget
• Use it to implement simple Hadamard-based linear PCP [ALMSS92]
– Large constant error– Quadratic blowup in circuit size
• Amplify correctness via repetition– Check input consistency using hashing
• Eliminate quadratic blowup – Using small gadgets
• Problems– Error grows linearly with degree d (need d<<|F|)
• Use constant-degree gadgets
– Requires wires to be locally random• Convert C into a locally random circuit [ISW03,IPS+11]
Part II:
Secure Multiparty Computation
Secure Multiparty Computation[Yao86,GMW87]
a b
c
• Every f can be realized with information-theoretic security – Assuming an honest majority [BGW88,CCD88,RB89]
– Assuming an oblivious transfer oracle [GMW87,Kil88,IPS08] or OLE oracle [NP99,IPS09]
f(a,b,c)
Passive vs. Active Attacks
• Security against active attacks is much more challenging.
• Common paradigm: passive security active security– GMW compiler: using ZK proofs [GMW87,…]
– Make sub-protocols verifiable [BGW88,CCD88,…]
– Cut-and-choose techniques […,LP07,…]
– Use low-threshold active-secure MPC [IPS08]
• Major research effort in cryptography
Motivating Observation• In “natural” passive-secure MPC protocols
for evaluating an arithmetic circuit C, the effect of an active adversary corresponds to an additive attack on C.– Formally: the protocol perfectly realizes an augmented
ideal functionality that allows for an additive attack.– Applies to all information-theoretic protocols we know
that have maximal security threshold
• Active security can be achieved by applying passive-secure protocol to AMD circuit C’.
• Reduces protocol design to circuit design
Some Details
• Need to protect inputs and outputs– Achieved via local AMD encoding of inputs and
AMD decoding of outputs• Protocols only achieve “security with abort”
– Often best possible– With honest majority and broadcast, can be
upgraded to full security using standard methods
Applications• Simplified feasibility results
– Passive BGW88 RB89 (t<n/2)– Passive GMW87 Kil88/IPS09 (t<n, OLE-hybrid)
• Improved efficiency– Passive DN07 Improved BFO12
t<n/2, O(n|C|+n2) field elements – Passive GMW87 Improved IPS09
t<n, O(|C|) OLE calls• New feasibility
– t<n, untrusted preprocessing
Open Problems
• AMD Circuits– Better security and efficiency over binary fields
• Useful for MPC in OT-hybrid model
– Better concrete efficiency over large fields• Useful for practical MPC? [IKHC14]
– Generalize attack model• Settle for best possible security
• MPC applications– Protocols based on “packed secret sharing”– Computationally secure protocols?