GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
Payman Mohassel Yahoo Labs
History of Garbled Circuits
1982: First oral presentation [Andrew Yao]
1987: First written account [GMW] (public-key)
1990: First use of term "Garbled circuits" [BMR] (symmetric-key)
1994: First abstraction as a primitive [FKN] (minimal model for sec. comp.)
1999: First PRF-based construction [NPS] (PP-auctions)
2004: First implementation [MNPS] (Fairplay)
2004: First proof of 2PC based on garbled circuits [LP] (double-encryption)
A Garbling Scheme
[Figure: a garbling scheme. Garbling the circuit C from a seed produces the garbled circuit GC and the encoded inputs GI_x, GI_y; Eval(GC, GI_x, GI_y) produces the encoded output GO; decoding GO yields C(x, y) = f(x, y).]
Basic Properties
Privacy: Knowing , , and does not leak any info
Output Authenticity: Cannot compute another valid output
[Figure: privacy and output authenticity, showing GC with the encoded inputs GI_x, GI_y, the encoded output GO, and the decoded result f(x, y).]
Many Applications
Secure multi-party computation
Zero-knowledge proofs
Verifiable computation
Homomorphic encryption
One-time programs
Circular-secure encryption
Functional encryption
...
Emerged as a powerful building block!
Secure Multiparty Computation (MPC)
Parties learn only f(x1, …, xn)
P1, x1
P2, x2
P5, x5
P4, x4
P3, x3
Correctness: honest parties learn the correct output
Privacy: Nothing but the final output is leaked
Fairness, Output Delivery, …
Applications of MPC
Data mining
Electronic Voting
Auctions
Exchanges/financial analysis
Location privacy
Genomic computation
Electronic commerce
Healthcare
When there is IP, NDA, user consent involved
When you need to distribute trust
Secure Two-Party Computation (2PC)
[Figure: 2PC from a garbling scheme. The Garbler garbles C and sends GC together with its own encoded input GI_x; the Evaluator obtains the encoding GI_y of its input via Oblivious Transfer, evaluates GC, and the output C(x, y) = f(x, y) is decoded.]
Yao's Garbled Circuit Protocol
First secure computation protocol
Efficient and simple
Implementations
▸ Fairplay, 2004
▸ TASTY, 2010
▸ FastGarble, 2011
▸ SCAPI, 2013
▸ JustGarble, 2013
▸ …
• Circuits with millions of gates in less than a second
Research Directions
Garbling Constructions
Functionality & Security Properties
Secure 2PC
Basic Garbling/Evaluation
AND gate with input wires 1, 2 and output wire 3; each wire $i$ carries two random keys $k_i^0, k_i^1$ (one per possible bit value).
Garble (one row per input combination):
$c_{0,0} = E_{k_1^0, k_2^0}(k_3^0)$
$c_{0,1} = E_{k_1^0, k_2^1}(k_3^0)$
$c_{1,0} = E_{k_1^1, k_2^0}(k_3^0)$
$c_{1,1} = E_{k_1^1, k_2^1}(k_3^1)$
Evaluate: holding $k_1^a$ and $k_2^b$, compute $Dec_{k_1^a, k_2^b}(c_{a,b}) = k_3^{a \wedge b}$
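To make the garble/evaluate picture concrete, here is an added toy implementation of one garbled AND gate (not code from this talk or from any of the systems it lists). It uses the classic double-encryption-with-redundancy construction: SHA-256 over both keys and a gate id stands in for the PRF, each row is the output key padded with zeros, the four rows are shuffled, and the evaluator trial-decrypts until the padding checks. Label length, the hash choice and the function names are this example's assumptions; point-and-permute and the later optimizations are deliberately left out.

```python
import hashlib
import secrets

LABEL_LEN = 16           # bytes per wire key k_i^b (assumed; 128-bit labels)
PAD = bytes(LABEL_LEN)   # zero redundancy appended to the plaintext so the
                         # evaluator can recognise the one row it can open


def pad_key(k1: bytes, k2: bytes, gate_id: int) -> bytes:
    """Double-encryption keystream: a keyed hash of (k1, k2, gate_id).
    SHA-256 is a stand-in for the PRF of the original construction."""
    return hashlib.sha256(k1 + k2 + gate_id.to_bytes(4, "big")).digest()


def double_encrypt(k1: bytes, k2: bytes, gate_id: int, msg: bytes) -> bytes:
    """E_{k1,k2}(msg) = (msg || 0^n) XOR F_{k1,k2}(gate_id)."""
    stream = pad_key(k1, k2, gate_id)
    return bytes(s ^ m for s, m in zip(stream, msg + PAD))


def garble_and_gate(gate_id: int = 1):
    """Return the wire keys and the four shuffled rows c_{a,b} of an AND gate."""
    # Two random keys per wire: wires[i] = (k_i^0, k_i^1), i = 1, 2, 3
    wires = [(secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN))
             for _ in range(3)]
    k1, k2, k3 = wires
    rows = [double_encrypt(k1[a], k2[b], gate_id, k3[a & b])
            for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(rows)  # row order must not reveal (a, b)
    return wires, rows


def eval_and_gate(rows, ka: bytes, kb: bytes, gate_id: int = 1) -> bytes:
    """Given k_1^a and k_2^b, recover k_3^{a AND b} without learning a or b."""
    stream = pad_key(ka, kb, gate_id)
    for ct in rows:
        pt = bytes(s ^ c for s, c in zip(stream, ct))
        if pt[LABEL_LEN:] == PAD:      # wrong rows pass this check w.p. 2^-128
            return pt[:LABEL_LEN]
    raise ValueError("no row decrypted cleanly")


def check_gate() -> bool:
    """Evaluate all four input combinations and compare with the AND table."""
    (k1, k2, k3), rows = garble_and_gate()
    return all(eval_and_gate(rows, k1[a], k2[b]) == k3[a & b]
               for a in (0, 1) for b in (0, 1))
```

Because the evaluator only ever holds one key per input wire, it learns the output key but not which of the four rows (or which input bits) produced it.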
Constructions (Efficiency)
1990: Point-and-Permute [BMR]
1999: 3-row reduction [NPS]
2008: Free-XOR [KS]
2009: 2-row reduction [PSSW]
2013: Fixed-key block-cipher [BHKR]
2014: FleXor [KMR]
2014: Privacy-free garbling [KNO]
2015: HalfGates [ZRE] (2-row non-XORs, and 0-row XORs)
How low can we get? Lower bounds? Fresh ideas for garbling needed?
Constructions (Security)
Weak Assumptions (assumption: construction)
PRF: double-encryption
LPN: Free-XOR
Correlation-robustness: row reduction techniques
Correlation-robustness: FleXor
Strong Assumptions (assumption: construction)
Circular-security: Free-XOR
Circular-security: Half-Gates
Ideal-permutation: Fixed-key block-cipher
RO: Adaptive security
Can we achieve these using weak assumptions?
Standard Security Properties
Input privacy
▸ Needed in most applications (not in ZK application)
Function privacy
▸ Private function evaluation
Output authentication
▸ Malicious 2PC, dual-execution, verifiable comp., server-aided comp., ZK
Adaptive privacy
▸ Verifiable comp, offline/online batch execution, …
New Security Properties?
Only a subset of properties (e.g. privacy-free garbling)
Leaky privacy (e.g. leak a few bits, protect/leak certain functions)
Tunable security! (tunable privacy, authenticity, …)
Leveled privacy (inputs with different sensitivity levels)
Functionality?
Standard ones
▸ Garble, encode inputs, evaluate, authenticate outputs
Circuit property enforcing (with Rosulek and Kolesnikov)
▸ Checking circuit properties
▸ Topology, depth, input size, gate types
▸ Useful in limiting malicious behavior
Input property enforcing
▸ Unique input identifier (for input consistency)
▸ Enforcing input formats
▸ Enforce relation between inputs in multiple executions (beyond equality)
Output property enforcing
▸ Enforcing output format
Malicious 2PC
[Figure: cut-and-choose. The garbler sends garbled circuits GC_1 … GC_6; the evaluator opens a random subset (GC_1, GC_3, GC_5) to check them, evaluates the rest (GC_2, GC_4, GC_6) to get outputs z_2, z_4, z_6, and takes the Majority as z = f(x, y). Open questions shown: are all inputs the same? Is the output correct?]
Secure 2PC
Malicious security
▸ Cut-and-choose (state of the art: Lindell 2013)
▸ Abstracting out cut-and-choose (joint work with Seny Kamara)
▸ A new paradigm?
▸ Lower bounds for cut-and-choose?
RAM programs
▸ Optimizing ORAM for 2PC ([WCS]: Circuit-ORAMs)
▸ Implementation framework (SCVM)
▸ Extending cut-and-choose to RAM programs ([AHMR])
▸ Lots of interesting questions
2PC with relaxed security
▸ Covert security, leaky 2PC, one-sided security
▸ Restricting leakage functions
Questions?