ida
Uploaded On 2021-10-03

resultinginasetofoutputlabelsand4adecodingprocedurethatrecoverstheoutp - PPT Presentation

2ModelandDe12nitionsPracticalserveraidedSFEwithasingleserverhasonlybeenachievedincertainspeci12cadversarialmodelsInparticularasshownin32thegarbledcircuitbasedprotocolofFeigeKillianandNaorfrom18isas ID: 894143

honest forall commitments ciency forall honest ciency commitments jcj choose real beanalgorithmthat inparticular tos cient andh share wjx nielsen

Share:

Link:

Embed:

Download Presentation from below link

Download Pdf The PPT/PDF document "resultinginasetofoutputlabelsand4adecodi..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.


Presentation Transcript

resulting in a set of output labels; and (4) a decoding procedure that recovers the output from the output labels. The main security property provided by garbled circuits is input privacy, which guarantees that no information about the inputs is revealed by the evaluation and decoding procedures beyond what can be inferred from the output. Our protocols will rely on a slightly different property called input/output privacy, which guarantees that no information about the inputs or outputs is revealed by the evaluation procedure (these properties are implied by the security proof of [39]). Another useful property of garbled circuits is unforgeability which, informally, guarantees that an incorrect evaluation can be detected with all but negligible probability. This property has also been noted and used in works as early as [49], but was pointed out more explicitly in [20].

Cut-and-choose and input-consistency. A difficulty that often comes up when designing protocols based on garbled circuits is verifying whether a circuit was garbled correctly (this occurs when adversaries can be malicious). Several mechanisms exist to address this but the most efficient is cut-and-choose [47, 43, 45, 34, 56, 38]. With cut-and-choose, the garbler starts by constructing many garbled circuits. The evaluator chooses a random subset of these circuits and verifies their correctness by asking the garbler to reveal the secrets it used. If the verification goes through, the evaluator is left with several unopened garbled circuits and, with high probability, most of them are properly constructed (otherwise at least one malconstructed garbled circuit would have been detected during verification). The evaluator then evaluates the remaining garbled circuits and outputs the majority value. This last step, however, introduces new problems and to avoid subtle attacks the evaluator has to check that the garbler used the same inputs for all the remaining circuits. This input checking step can be handled using several techniques. Mohassel and Franklin [45] and Lindell and Pinkas [38] extend the cut-and-choose technique to cover the input labels as well. Unfortunately, this requires a quadratic (in the security parameter) number of commitments. Another approach is to use specially-designed zero-knowledge proofs [40, 55] which, under specific number-theoretic assumptions, require only a linear number of exponentiations. The techniques of [45] and [38] are extended to the server-aided setting in [32], where an input checking mechanism is described that requires a quadratic number of commitments.

Pipelined execution. Finally, since circuits can grow very large, garbling and evaluating them in memory can be expensive. Several implementations, therefore, pipeline the generation and evaluation of garbled circuits [31, 28, 29, 42] by having the garbler send (or stream) the garbled gates immediately after generating them and having the evaluator evaluate (or verify) them on the fly. Using this approach, the parties store in memory only the intermediate wires needed for the rest of the evaluation. This leads to very efficient implementations since the parties only need to store intermediate values and garbled gates on disk. Moreover, it improves the latency of the protocol since the garbler and the evaluator can operate simultaneously. Previous work, however, has only shown how to pipeline garbled circuits in the presence of semi-honest adversaries.

1.2 Our Contributions

Secure function evaluation is an important and powerful cryptographic primitive and many of its underlying techniques, such as garbled circuits, oblivious transfer and secret sharing, are important in their own right. As such, SFE and the underlying primitives that enable it have a wide array of applications and, if made practical, could have a large impact on the design of secure and privacy-preserving technologies.

2 Model and Definitions

Practical server-aided SFE with a single server has only been achieved in certain specific adversarial models. In particular, as shown in [32], the garbled-circuit-based protocol of Feige, Killian and Naor from [18] is a secure server-aided SFE protocol against a set of non-colluding semi-honest adversaries, that is, adversaries that follow the protocol and are independent in the sense that they do not share any information before or after the protocol execution. [32] also gives protocols that are secure in the presence of non-cooperating adversaries which, roughly speaking, are adversaries that deviate from the protocol but do not send information other than what is prescribed by the protocol (note that a non-cooperating adversary is stronger than a semi-honest adversary). A natural question, therefore, is whether these relaxations of the adversarial model are necessary in order to achieve practical server-aided SFE and all the advantages it provides, such as asymmetric efficiency (i.e., different parties needing different amounts of resources) and sub-linear work.

Asymmetric efficiency in the standard model? Consider a solution that does not make use of the relaxations described above. In particular, one might attempt to design an efficient server-aided protocol between parties $(P_1, \dots, P_n)$ and a server $S$, such that: (1) a subset of the parties do sub-linear work; and (2) the server and the remaining parties do work that is polynomial in the size of the circuit. Such a protocol with security in the standard adversarial model, however, would yield a 2SFE protocol with low communication and computation for one party (see footnote 1) which, currently, can only be constructed based on FHE [14].

Server-aided SFE from any two-party SFE. A second promising attempt (and a successful one) is to take advantage of the fact that the server and $P_1$ are never simultaneously malicious. With this assumption in place, one can indeed design practical protocols wherein all the parties but $P_1$ perform very little work (only proportional to their own input). The idea is as follows: the players $(P_2, \dots, P_n)$ share their inputs between $S$ and $P_1$, and let them run a general-purpose 2SFE protocol (with security against malicious adversaries) for computing the desired function on the players' inputs. This approach is promising but for it to work one needs to enhance the 2SFE protocol with mechanisms to convince the players that: (1) their real inputs were used (note that the security of 2SFE does not imply this); and (2) the output of the 2SFE is delivered back to them (2SFE guarantees output correctness but not honest delivery of the output to $P_2$ through $P_n$). We now describe an efficient solution that addresses both issues, and works with any general-purpose 2SFE protocol with security against malicious adversaries. This, of course, is the most general case one can hope for in the context of server-aided SFE, so we get a positive feasibility result that 2SFE implies server-aided SFE, though perhaps not with optimal efficiency.

Recall that we have parties $(P_1, \dots, P_n)$, each with a secret input $x_i$, and a server $S$ with no input or output. Let $C$ be the circuit they wish to evaluate. The high-level idea of the reduction is as follows: the parties $(P_2, \dots, P_n)$ share their inputs between $S$ and $P_1$, who run the 2SFE protocol (with security against malicious adversaries) to evaluate the circuit $C_{Sh}$ that computes $C(x^0_1 \oplus x^1_1, \dots, x^0_n \oplus x^1_n)$, where $x^0_i$ and $x^1_i$ are the shares of $x_i$. This solution is not sufficient, however, since the 2SFE protocol cannot prevent a malicious $S$ or $P_1$ from changing their inputs. Similarly, the party that learns the output of the 2SFE can simply lie about it to the other parties. To solve these problems, we make use of a one-time message authentication code (MAC) in the 2SFE evaluation. To verify the outputs, each party $P_j$ picks at random two $l$-bit strings $v^0_j$ and $v^1_j$.

Footnote 1: Given such a server-aided SFE protocol one can construct a standard two-party protocol by having the first party simulate the subset of the parties who perform sub-linear work and having the second party simulate the server $S$ and the remaining parties.

2.1 Formal Model

We recall the ideal/real-model security definition for MPC in the presence of non-cooperative adversaries presented in [32]. At a high level, the definition compares the real-model execution of a protocol for computing an $n$-party function $f$ to the ideal-model evaluation of $f$ by a trusted party in the presence of $m$ independent adversaries $(A_1, \dots, A_m)$ that are assumed not to collude.

Non-collusion in MPC. The standard adversarial models for MPC include: (1) semi-honest adversaries, which follow the protocol but attempt to learn extra information from their view of the execution; and (2) malicious adversaries, which can deviate arbitrarily from the protocol. The recently proposed notion of non-cooperative adversaries [32] captures adversaries that may deviate from the protocol but that do not share any information that is not prescribed by the protocol.

Definition 2.1 (Non-cooperative adversary [32]). An adversary $A_i$ is non-cooperative with respect to adversary $A_j$ if the messages $A_i$ sends to $A_j$ reveal no information about $A_i$'s private values (i.e., its coins and input) to $A_j$ beyond what can be inferred from $A_j$'s output $f_j(x)$.

Note that the notion of non-cooperation only restricts the information revealed by $A_i$'s messages and does not imply that $A_i$ is semi-honest. Indeed, $A_i$ could deviate from the protocol without revealing any information to $A_j$ about its private values, e.g., by garbling a function $f' \neq f$ when required to garble $f$.

2.2 Security Definition

Our security definition is similar to the one presented in [32] with the exception that it guarantees fairness and handles the case when the server is covert. (See [22] for more details about the ideal-model/real-model security for MPC.) At a high level, fairness is guaranteed by modifying the behavior of the trusted party in the ideal-model execution so that it sends $\bot$ to all parties if any party chooses to abort (note that the fairness guarantee does not extend to the server). We capture covertness using the explicit cheat formulation of [2], which augments the ideal-model execution by allowing a covert adversary $A$ to send a cheat instruction to the trusted party. Upon receiving this instruction, the trusted party sends $A$ all the inputs and takes one of two possible actions: with a fixed probability it discloses to all parties that $A$ cheated, and with the complementary probability it does not.

Real-model execution. The real-model execution of the protocol takes place between parties $(P_1, \dots, P_n)$, server $P_{n+1}$ and adversaries $(A_1, \dots, A_{m+1})$, where $m \le n$. At the beginning of the execution, each party $(P_1, \dots, P_n)$ receives its input $x_i$, a set of random coins $r_i$, and an auxiliary input $z_i$, while the server $P_{n+1}$ receives only a set of random coins $r_{n+1}$ and an auxiliary input $z_{n+1}$. Each adversary $(A_1, \dots, A_m)$ receives an index $i \in I$ that indicates the party it corrupts, while adversary $A_{m+1}$ receives a set of indices that indicate the parties it will corrupt (this captures the fact that these parties collude). For all honest parties $P_i$, let $\mathrm{out}_i$ denote its output, and for all corrupted parties $P_i$, let $\mathrm{out}_i$ denote its view during the execution of the protocol. The $i$th partial output of a real-model execution of the protocol between parties $(P_1, \dots, P_{n+1})$ in the presence of adversaries $A = (A_1, \dots, A_{m+1})$ is defined as
$$\mathrm{real}^{(i)}(k, x, r) \stackrel{\mathrm{def}}{=} \{\mathrm{out}_j : j \in H\} \cup \mathrm{out}_i,$$
where $H$ denotes the set of honest parties and $r = (r_1, \dots, r_{n+1})$.

Let $C$ be a circuit that computes the function $f$. Let $GC(C, r)$ be an algorithm that, given a boolean circuit $C$ and random coins $r$, outputs a garbled circuit $\tilde{C}$. Let $GI(m, r)$ be an algorithm that, given an input length $m$ and coins $r$, returns $2m$ input labels $W = (w^0_1, \dots, w^0_m, w^1_1, \dots, w^1_m)$, such that $w^0_i$ and $w^1_i$ are the labels of 0 and 1, respectively, for the $i$th input wire. If $x$ is an $m$-bit string, we denote by $W|_x$ the label vector $(w^{x_1}_1, \dots, w^{x_m}_m)$. Let $GO(r)$ be an algorithm that, given coins $r$, returns two output labels $(\omega_0, \omega_1)$, and let $Dec(\omega, r)$ be a decoding algorithm that, given an output label $\omega$ and coins $r$, returns a bit $b$. Finally, let $Eval(\tilde{C}, W|_x)$ be an evaluation algorithm that, given a garbled circuit $\tilde{C}$ and a set of input labels $W|_x$, returns an output label $\omega$. We require that for all circuits $C$ and all coins $r$,
$$Eval(GC(C, r), W|_x) = \omega_{f(x)},$$
and that for $b \in \{0, 1\}$, $Dec(\omega_b, r) = b$, where $W := GI(m, r)$ and $(\omega_0, \omega_1) := GO(r)$. For security, we also require input/output privacy, which guarantees that a pair $(\tilde{C}, W|_x)$ reveals no partial information about $x$ and $f(x)$; and unforgeability, which guarantees that an incorrect evaluation can be detected.

Our protocols make use of several standard cryptographic primitives, including pseudo-random functions, commitments, secret sharing and symmetric key encryption (see [23] and the references therein for a thorough discussion of their security properties and pointers to instantiations). We will denote by $F_K(\cdot)$ a pseudo-random function with key $K$. Let $H(\cdot)$ be a one-way function (we use SHA, but we only need its one-wayness property); $Com(m)$ be a commitment to message $m$; and $Enc(k, m)$ be a (deterministic) symmetric encryption of a message $m$ under a key $k$. Any standard instantiation of the above primitives works for us but, following previous implementations [52], we use SHA-1 and SHA-256 as pseudo-random functions and use them to implement all other primitives (see Section 4.1). $Share$ will denote the sharing algorithm of an $n$-out-of-$n$ secret sharing scheme, i.e., $Share(n, x)$ outputs $n$ shares $(s_1, \dots, s_n)$ of $x$ such that no partial information about $x$ can be recovered unless all shares are held. Throughout, we will assume that sharing is instantiated with the simple XOR secret sharing scheme which, given an input $x$, returns $n$ shares $(r_1, \dots, r_{n-1}, \bigoplus_{i=1}^{n-1} r_i \oplus x)$, where each $r_i$ is a $|x|$-bit string chosen uniformly at random. Last, we denote by $[n]$ the set $\{1, \dots, n\}$.

3.1 Security Against a Covert Server

Our first protocol is fair and secure in the presence of a covert server which, roughly speaking, means that the server is dishonest but does not want to get caught. The covert adversarial model was introduced by Aumann and Lindell [2] and allows for more efficient protocols than the standard malicious model. Assuming that the server is covert (as opposed to fully malicious) seems natural in settings where there are strong incentives not to cheat. If the server is a large cloud provider (e.g., Amazon or Microsoft), this assumption is quite reasonable since the provider's reputation is at stake. We note that for our protocol, if the communication between all parties and the server is digitally signed, the parties can use the transcript as a proof that the server cheated. As for fairness, we observe that although it is unachievable in the standard SFE setting (with a dishonest majority), it is achievable in the server-aided setting, hence providing a stronger security guarantee than standard SFE in this respect.

Recall the server-aided setting where a set of parties $(P_1, \dots, P_n)$, each with a private input, and a server $S$ with no input or output, want to collectively compute a function $f$ over their private inputs. Let $C$ be a Boolean circuit of size $|C|$ that evaluates $f$ and let $x = (x_1, \dots, x_m)$ be a binary string

Setup and inputs: Each party $P_i$ has an $m_i$-bit input while the server has no input. Let $m = \sum_{i \in [n]} m_i$. The server $S$ holds a secret key $K$ for a pseudo-random function $F$. $s$ is a statistical security parameter. $C$ is the circuit that computes $f$.

Distributed OT: For all $\ell \in [s+1]$:
1. $S$ computes $r_\ell := F_K(\ell)$. All the coins used by $S$ for the $\ell$th circuit will be derived from $r_\ell$,
2. $S$ computes $W_\ell := GI(m, r_\ell)$ and, for all $i \in [m]$, $(s^0_{1,i}, \dots, s^0_{n,i}) \leftarrow Share(n, w^0_i)$ and $(s^1_{1,i}, \dots, s^1_{n,i}) \leftarrow Share(n, w^1_i)$,
3. $S$ then samples an $n \times m$ binary matrix $P_\ell$ uniformly at random and generates the $n \times m$ matrix $S_\ell$ defined as:
$$S_\ell = \begin{pmatrix} P^\ell_{11}(s^0_{1,1}, s^1_{1,1}) & \cdots & P^\ell_{1m}(s^0_{1,m}, s^1_{1,m}) \\ \vdots & & \vdots \\ P^\ell_{n1}(s^0_{n,1}, s^1_{n,1}) & \cdots & P^\ell_{nm}(s^0_{n,m}, s^1_{n,m}) \end{pmatrix},$$
where $P^\ell_{ij}(v_0, v_1) \stackrel{\mathrm{def}}{=} (v_{P^\ell_{ij}}, v_{1 - P^\ell_{ij}})$,
4. $S$ then constructs the $n \times m$ matrix $C_\ell$ such that $C^\ell_{ij} = (Com(S^\ell_{ij}[1]), Com(S^\ell_{ij}[2]))$, where $S^\ell_{ij}[a]$ for $a \in \{1, 2\}$ denotes the $a$th element of the pair stored at location $ij$ of $S_\ell$,
5. for all $i \in [n]$: (a) $S$ sends the $i$th rows of $S_\ell$ and $C_\ell$ and the associated decommitments to $P_i$, (b) if the decommitments are invalid, $P_i$ accuses $S$ and aborts, (c) for all $j \in inp(P_i)$, $S$ sends the $j$th column of $P_\ell$ to $P_i$,
6. $S$ sends to all parties $Q^0_\ell := Com(\omega^0_\ell)$ and $Q^1_\ell := Com(\omega^1_\ell)$, and $H(\omega^0_\ell)$ and $H(\omega^1_\ell)$ permuted in a random order, where $(\omega^0_\ell, \omega^1_\ell) := GO(r_\ell)$.

Cut-and-choose:
1. For all $\ell \in [s+1]$, $S$ sends $\tilde{C}_\ell := GC(C, r_\ell)$ to $P_1$.
2. $P_1$ sends $e \leftarrow_{\$} [s+1]$ to $S$.
3. $S$ sends $\{r_i\}_{i \in [s+1] - e}$ to $P_1$, who in turn sends it to all the parties.
4. All parties verify that all the values received from $S$ in the previous steps were constructed properly from the appropriate randomness. If not, they accuse $S$ and abort.

Input label reconstruction for $P_i$: For all $j \in inp(P_i)$:
1. for all $i' \neq i$: (a) $P_i$ sends $b_{i'j} := x_j \oplus P^e_{i'j}$ to $P_{i'}$, (b) $P_{i'}$ returns $S^e_{i'j}[b_{i'j}]$ (recall that $P_{i'}$ received the $i'$th row from $S$ in step 5(a) of the distributed OT phase).
2. $P_i$ reconstructs $w^{x_j}_j$ using the $n$ shares obtained in the previous steps.

Figure 1: Protocol 1 - Covert Server (Part 1)

Commitment consistency check: For all $i \in [n]$, $j \in inp(P_i)$ and $i' \neq i$:
1. $S$ sends $C^e_{i'j}$ to $P_i$,
2. $P_i$ and $P_{i'}$ check that they have the same commitments (simply by sending them to each other). If not, they accuse $S$ and abort. More precisely: (a) for all $j \in inp(P_i) \cup inp(P_{i'})$ they check that they both received the same commitments $C^e_{ij}$ or $C^e_{i'j}$ (depending on who owns wire $j$), (b) they check that they received the same $Q^0_e$ and $Q^1_e$,
3. $P_{i'}$ sends to $P_i$ decommitments to $C^e_{i'j}[b_{i'j}]$. If any decommitment is invalid, $P_i$ accuses $P_{i'}$ and aborts.

Garbled circuit evaluation:
1. All the parties send their input labels for $\tilde{C}_e$ to $P_1$.
2. $P_1$ evaluates $\tilde{C}_e$ and returns the garbled output $z$ to all the parties.

Revealing the output:
1. Each party $P_i$ computes a hash of $z$ and verifies that it matches one of the two hashes $H(\omega^0_e)$ and $H(\omega^1_e)$ the server sent earlier. If so, it sends an ACK message to the server.
2. After receiving an ACK message from all players, $S$ sends the decommitments to $Q^0_e$ and $Q^1_e$ to all parties.
3. Using the decommitments and $z$, each party can determine the output bit.

Figure 2: Protocol 1 - Covert Server (Part 2)

Asymptotic efficiency. Let $s$ be a statistical security parameter, $n$ the number of parties, and $m$ the combined length of all parties' inputs. With our protocol, $S$ and $P_1$ work in time $O(s|C| + smn)$ while the other parties work in time $O(sm)$, where for the specific value $s = 16$ (as suggested in [52]) we obtain a complexity of $O(16|C| + 16mn)$ and $O(16m)$, respectively. We emphasize that we only use inexpensive cryptographic primitives such as hash functions and commitments.

Security. We now turn to security and show in the following theorem that our protocol is secure according to Definition 2.2.

Theorem 3.1. The protocol fairly and securely computes the circuit $C$ in the following two corruption scenarios: (1) the server is covert (but non-cooperative with respect to the parties), while all other parties are semi-honest; (2) the server is semi-honest, while all but one of the parties are malicious (but non-cooperative with respect to the server).

Proof. Fairness is achieved because the server reveals the translation of the outputs only after all the parties confirm that they have received the same answer. Next we focus on a simulation-based proof of privacy and correctness. For the above protocol, our server-aided security definition requires a simulation-based privacy and correctness guarantee in the following two scenarios: (1) the server $S$ is covert and non-cooperative, while the parties are semi-honest; and (2) the server is semi-honest, and all but one of the parties are malicious. The malicious parties can collude between themselves. Note that due to Lemma 2.3, we can divide the proof into three different claims: first we prove security when the parties and server are independent and semi-honest. Then, we prove security for

knows, for all circuits and commitments, whether they are correct or not. There are three cases now. First, if at least two circuits (or their commitments or hashes) are incorrect, it sends an abort message to the trusted party, simulates $P_1$ aborting and outputs whatever $A_S$ does. Second, if exactly one of the circuits/commitments/hashes is incorrect, it sends the "cheat" instruction to the trusted party to notify it of being corrupted. If the trusted party discloses the cheating, $Sim_S$ rewinds to the cut-and-choose step, chooses a value $e$ where the server gets caught, simulates $P_1$ aborting, and outputs whatever $A_S$ does. If the trusted party does not disclose the cheating, it rewinds to the cut-and-choose step, chooses $e$ such that the server does not get caught, and outputs whatever $A_S$ does. Third, if all circuits/commitments/hashes are correct, it sends an ACK message on behalf of each party to $A_S$ and outputs what he does. This ends the simulation.

Note that if more than two bad circuits/commitments/hashes exist, the honest parties in the ideal execution and the real execution both abort. If there is exactly one bad circuit, this will happen in both models with probability $1 - 1/(s+1)$, and if everything is done correctly, both the real and the ideal executions finish successfully and with correct outputs for the honest parties.

Claim. The protocol securely computes the circuit $C$ in the presence of an honest server and an all-but-one set of malicious parties.

Our final claim is for the case where all but one of the parties may be malicious and even collude. Consider the adversary $A$ corrupting a subset of the parties. Without loss of generality, we assume that $P_1$ is among the corrupted parties. The reason is that the case where $P_1$ is not among the corrupted parties can easily be proved as a special case of the former. One may wonder if the proof for this case is identical to the proof of the first claim in the case where $P_1$ is semi-honest. Unfortunately, however, a complication arises here that is not present in that case. Since $P_1$ is malicious, we need to extract his input during the simulation in order to obtain the output from the trusted party, and then use the output to create a consistent fake garbled circuit. But the input distribution stage does not take place until after the garbled circuits are sent to $P_1$. Hence, we need a slightly different simulation strategy.

Simulator $Sim$ plays the role of the honest server $S$ and at least one honest party $P_i$ during the interaction with the rest of the parties. It starts by guessing $e$ (the index of the evaluated circuit) and by preparing correct garbled circuits for all $\tilde{C}_i$ where $i \in [s+1] - \{e\}$. For $\tilde{C}_e$, it garbles a circuit that outputs $P_1$'s first input bit (of course, with many dummy gates to make the garbled circuit indistinguishable from a valid circuit). The simulator runs the protocol until the cut-and-choose stage. If $e$ was not selected by $P_1$, it rewinds the protocol and starts again. After an expected $O(1/(s+1))$ times, its guess will be right. In that case, the simulation continues, and in the step in which $P_1$ (and the rest of the parties) ask $P_i$ for their shares, the simulator learns the inputs of those parties (since it knows the permutations). The simulator then sends to the trusted party those inputs and receives the output of the computation. Now, it changes the share that $P_i$ has for $P_1$'s first input bit in such a way that $P_1$'s garbled circuit evaluation will yield an output token that decodes to the correct output. Note that this can be done because we use XOR to share the input tokens. Indeed, the simulated $P_i$ can flip $P_1$'s input bit by simply XORing the shares with the input tokens it wants $P_1$ to recover. The commitments for those shares are recomputed and the protocol continues until the end, when the server and $P_i$ send the same commitments to the other parties. Note that now $A$ evaluates the circuit that returns the first bit of his input, and his first bit is the actual output bit. If $P_1$ returns an invalid output, he sends an abort to the trusted party, simulates honest $P_i$ aborting and outputs what $A$ does.

It is easy to show that the corrupted parties' view when interacting with the simulator is indistinguishable from their view in the real protocol: first, due to the security properties of Yao's garbled circuits, the fake circuit generated by the simulator is indistinguishable from a real one, and second, the corrupted parties' view of the honest $P_i$'s input only consists of uniformly random shares and hence is identical in both executions. The above three claims combined complete the proof of security for our first server-aided SFE protocol with a covert server.

3.2 Security Against a Malicious Server

Our second protocol is secure against a malicious server and is described in detail in Figure 3. We now provide an overview.

Overview. In this protocol we assume the parties share randomness in the beginning. This can be achieved by simply running a simulatable coin tossing protocol [37, 33]. Such a protocol emulates the usual coin-flipping functionality in the presence of arbitrary malicious adversaries and allows a simulator who controls a single player to control the outcome of the coin flip. Here, $P_1$ is the garbler and $S$ is the evaluator. $P_1$ uses the shared randomness to generate $s$ garbled circuits which it sends to the server $S$. To verify the correctness of the garbling step, $S$ and $P_1$ execute a cut-and-choose protocol. At the end of the cut-and-choose, $S$ is left with $\lambda$ circuits, the majority of which are properly garbled (with high probability). Then, all the parties send the labels for their input wires to $S$ (they can compute these labels using the shared randomness). Since this is done for multiple circuits, we have to ensure that each party uses the same input in all the circuits.

Input checking. There are several mechanisms to check and enforce input consistency [45, 38, 40, 55, 32] but we deviate from previous approaches and introduce a new mechanism that is more efficient. In particular, we require that for each wire $i \in [m]$, each party send to $S$ the following two hashes permuted at random: $H(w^0_{1,i} \| \cdots \| w^0_{\lambda,i})$ and $H(w^1_{1,i} \| \cdots \| w^1_{\lambda,i})$, where $w^b_{j,i}$ is the input label for bit $b$ of the $i$th wire of the $j$th circuit (for $j \in [\lambda]$). The server verifies that the hashes it received from different parties are the same. Assuming that at least one party is honest, this implies the hash was honestly computed. Then, given the labels for the $i$th input wire, $S$ can compute their hash and verify that the result indeed matches one of the two previously accepted hashes for the same wire. If the check passes for all input wires, the server proceeds to the evaluation of the remaining circuits. At the end of the evaluation, $S$ is left with output labels (the results of the evaluations). If the server directly sends these labels to the parties, however, it will leak additional information to them (as already pointed out in [32]). We use a new technique for resolving this issue that allows the server to output a single value that represents the majority output without revealing any additional information. This new technique is more efficient than the oblivious cut-and-choose technique of [32].

Asymptotic efficiency. The complexity of the protocol is as follows: let $s$ be the security parameter (the number of garbled circuits), $\lambda \le s$ be the number of circuits used for evaluation, $n$ be the number of parties, and $m$ be the total length of all the parties' inputs combined. $S$ and $P_1$ work in time $O(s|C| + sm)$ and the other parties work in time $O(\lambda m)$, where for the specific values $s = 132$ and $\lambda = 2s/5$ (as suggested in [55]) we get a complexity of $O(132|C| + 132m)$ and $O(52m)$, respectively. Again, we stress that we only use inexpensive cryptographic primitives.

Setup and inputs: Each party $P_i$ has an $m_i$-bit input while the server has no input. Let $m = \sum_i |m_i|$. All the parties share a secret key $K$. $s$ and $\lambda$ are statistical security parameters.

Setup shared randomness:
1. For all $\ell \in [s]$, the players compute $r_\ell = F_K(\ell)$ (these will be used to garble $s$ circuits).
2. The players compute $\psi_0 := F_K(s+1)$ and $\psi_1 := F_K(s+2)$ (these will be used to decode the final output).

Circuit garbling: For all $\ell \in [s]$, $P_1$ sends $\tilde{C}_\ell := GC(C, r_\ell)$ to $S$.

Garbled circuit verification:
1. $S$ picks a set $T \subseteq [s]$ of size $s - \lambda$ at random, and sends $T$ to $P_1$.
2. $P_1$ sends $r_\ell$ for all $\ell \in T$ to $S$.
3. For all $\ell \in T$, $S$ checks that $\tilde{C}_\ell$ was created using $r_\ell$. If so, it sends $r_\ell$ to all the parties, who verify that it is equal to the randomness they computed earlier.

Input label transfer: Let $E = [s] - T$ be the set of indices of non-verified circuits. Each party $P_i$ computes $W_\ell := GI(m, r_\ell)$ for all $\ell \in E$. It then sends all its input labels to $S$. Denote by $w_{\ell,j}$ the label $S$ receives for the $j$th input wire of the $\ell$th circuit.

Input label consistency check: For $j \in [m]$:
1. All the players send the hash values $h_{w,b} = H(w^b_{\ell_1,j} \| \cdots \| w^b_{\ell_\lambda,j})$ for $b \in \{0, 1\}$ in a random order, where $\ell_1, \dots, \ell_\lambda \in E$.
2. $S$ checks that it receives the same hash values from all the players.
3. $S$ checks that one of the hashes equals $H(w_{\ell_1,j} \| \cdots \| w_{\ell_\lambda,j})$.

Garbled circuit evaluation: $S$ evaluates the circuits $\tilde{C}_\ell$ for all $\ell \in E$. Denote the output of $\tilde{C}_\ell$ by $z_\ell$.

Majority output: For all $\ell \in E$:
1. each party sends the two ciphertexts $Enc(\omega^0_\ell, \psi_0)$ and $Enc(\omega^1_\ell, \psi_1)$ to $S$ permuted in a random order, where $(\omega^0_\ell, \omega^1_\ell) := GO(r_\ell)$,
2. $S$ checks that the pairs of encryptions it receives from all the players are identical and aborts otherwise,
3. $S$ decrypts the two ciphertexts using $z_\ell$ and recovers $\psi_\ell$ and $\psi'_\ell$.
$S$ sends to all parties the value $W$ that appears the most among the set $\{\psi_\ell, \psi'_\ell\}_{\ell \in E}$.

Output recovery: Players output the bit $b$ such that $\psi_b = W$.

Figure 3: Protocol 2 - Malicious Server

overhead smaller than 6. Recall that in the two-party case, the efficiency ratio between semi-honest and malicious security is more than several hundreds.

Side-channels in pipelined execution. We note that during our experiments, we experienced different timings for the processing of the circuits that were evaluated and those that were verified. This seems inevitable since the receiver works harder in case he checks a garbled circuit. Indeed, simple solutions like restricting the receiver to work in constant time could work, at the cost of efficiency. However, clever techniques that parallelize the work on several circuits could be more efficient. We leave this direction for future work.

                        AES                                                Edit distance
                        Protocol 1   Protocol 1   Protocol 2   Protocol 2   Protocol 1   Protocol 2
                        2 parties    4 parties    2 parties    4 parties    2 parties    2 parties
Total time              9.12         14.8         45           46           33.5         240
Communication time      6.5          9.5          32           32           26           185
P1/S communication      27777 KB     27777 KB     216749 KB    216749 KB    165918 KB    1296319 KB
P2 communication        2443 KB      5539 KB      33 KB        33 KB        862 KB       2 KB

Table 1: Experimental results. Total time is the sum of communication time and computation time (in seconds). P1/S communication is the communication size of the party who communicates the most (either P1 or S). P2 communication is the communication size of any one of the weaker players.

Acknowledgments

We would like to thank Benny Pinkas and Nigel P. Smart for providing us the AES circuit from [52], and Peeter Laud for his valuable comments.

References

[1] G. Asharov, A. Jain, A. Lopez-Alt, E. Tromer, V. Vaikuntanathan, and D. Wichs. Multiparty computation with low communication, computation and interaction via threshold FHE. In EUROCRYPT, 2012.
[2] Y. Aumann and Y. Lindell. Security against covert adversaries: Efficient protocols for realistic adversaries. In TCC, 2007.
[3] B. Barak and O. Goldreich. Universal arguments and their applications. In CCC, 2002.
[4] A. Ben-David, N. Nisan, and B. Pinkas. FairplayMP: a system for secure multi-party computation. In CCS, 2008.
[5] D. Bogdanov, S. Laur, and J. Willemson. Sharemind: A framework for fast privacy-preserving computations. In ESORICS, 2008.
[6] P. Bogetoft, D. Christensen, I. Damgard, M. Geisler, T. Jakobsen, M. Krigaard, J. Nielsen, J. B. Nielsen, K. Nielsen, J. Pagter, M. Schwartzbach, and T. Toft. Secure multiparty computation goes live. In FC
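The input-label consistency check and the majority-output step of Protocol 2 (Section 3.2 and Figure 3), as an added toy model that is not part of the paper or its implementation. It assumes SHA-256 for $H$, a toy XOR-pad cipher keyed through SHA-256 for $Enc(k, m)$ (the paper only requires a deterministic symmetric encryption), 16-byte labels, and that the labels of circuit $\ell$ are derived by hashing $r_\ell$; the function names (input_labels, output_labels, party_hashes, server_checks_wire, majority_output, recover_bit, demo) and the sample scenario in demo are the example's own.

```python
"""Toy model of two mechanisms from Protocol 2 (Figure 3): the hash-based
input-label consistency check and the majority-output step.  Constructed
example for this page, not the paper's code.  Enc(k, m) is modelled as a toy
deterministic XOR cipher keyed through SHA-256 (an assumption)."""
import hashlib
import secrets
from collections import Counter

LABEL_LEN = 16  # bytes per label (assumption; the paper does not fix a length)


def H(*parts: bytes) -> bytes:
    """One-way function H applied to the concatenation of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()


def enc(key: bytes, msg: bytes) -> bytes:
    """Deterministic symmetric Enc(k, m): XOR msg with a pad derived from k."""
    pad = hashlib.sha256(b"enc|" + key).digest()[: len(msg)]
    return bytes(a ^ b for a, b in zip(msg, pad))


dec = enc  # XOR-pad cipher: decryption is the same operation as encryption


def input_labels(r_l: bytes, j: int):
    """GI restricted to wire j: labels (w^0_{l,j}, w^1_{l,j}) derived from r_l."""
    tag = j.to_bytes(2, "big")
    return H(r_l, b"w0", tag)[:LABEL_LEN], H(r_l, b"w1", tag)[:LABEL_LEN]


def output_labels(r_l: bytes):
    """GO(r_l): the two output labels (omega^0_l, omega^1_l) of circuit l."""
    return H(r_l, b"out0")[:LABEL_LEN], H(r_l, b"out1")[:LABEL_LEN]


def party_hashes(seeds_E, j: int) -> set:
    """Step 1 of the consistency check for wire j: hash the bit-0 labels of all
    evaluated circuits together, likewise the bit-1 labels.  Returned as a set
    because the party sends the two hashes in a random order."""
    h0 = H(*[input_labels(r, j)[0] for r in seeds_E])
    h1 = H(*[input_labels(r, j)[1] for r in seeds_E])
    return {h0, h1}


def server_checks_wire(hash_sets, labels_j) -> bool:
    """Steps 2-3: every party must send the same hash pair, and the hash of the
    labels actually received for wire j (one per circuit in E) must match one."""
    if any(s != hash_sets[0] for s in hash_sets):
        return False  # parties disagree, so some party did not hash honestly
    return H(*labels_j) in hash_sets[0]


def majority_output(psi, seeds_E, z) -> bytes:
    """Majority output: per evaluated circuit the parties send
    Enc(omega^0_l, psi_0), Enc(omega^1_l, psi_1) in random order; S decrypts
    both under its evaluated output label z_l and reports the most frequent
    value.  The correct psi_b recurs once per well-formed circuit while wrong
    keys give unrelated garbage, so S obtains the majority result without
    learning which bit psi_b stands for."""
    candidates = []
    for r_l, z_l in zip(seeds_E, z):
        w0, w1 = output_labels(r_l)
        pair = [enc(w0, psi[0]), enc(w1, psi[1])]
        secrets.SystemRandom().shuffle(pair)
        candidates.extend(dec(z_l, c) for c in pair)
    return Counter(candidates).most_common(1)[0][0]


def recover_bit(psi, W: bytes):
    """Output recovery: players output b such that psi_b = W (None if neither)."""
    return 0 if W == psi[0] else 1 if W == psi[1] else None


def demo(output_bit: int = 1, bad_circuits: int = 1, cheating_party: bool = False):
    """Constructed scenario: five evaluated circuits, `bad_circuits` of which are
    malconstructed (their evaluation yields a garbage output label); optionally
    one party submits a label for a different input in one circuit.
    Returns (consistency_check_passed, recovered_bit)."""
    seeds_E = [secrets.token_bytes(16) for _ in range(5)]      # r_l for l in E
    psi = (secrets.token_bytes(16), secrets.token_bytes(16))   # psi_0, psi_1
    x_j = 1                                                    # input bit on wire 0
    labels = [input_labels(r, 0)[x_j] for r in seeds_E]
    if cheating_party:
        labels[2] = input_labels(seeds_E[2], 0)[1 - x_j]       # other input in circuit 3
    hash_sets = [party_hashes(seeds_E, 0) for _ in range(3)]   # three honest hashers
    if not server_checks_wire(hash_sets, labels):
        return False, None
    z = [output_labels(r)[output_bit] for r in seeds_E]
    for k in range(bad_circuits):
        z[k] = secrets.token_bytes(LABEL_LEN)                   # garbage from a bad circuit
    return True, recover_bit(psi, majority_output(psi, seeds_E, z))
```

With one or two malconstructed circuits out of five, the majority value is still $\psi_b$ for the correct bit; a party that sends a label for a different input in even one circuit fails the hash check before any evaluation happens.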
