[...] resulting in a set of output labels; and (4) a decoding procedure that recovers the output from the output labels. The main security property provided by garbled circuits is input privacy, which guarantees that no information about the inputs is revealed by the evaluation and decoding procedures beyond what can be inferred from the output. Our protocols will rely on a slightly different property called input/output privacy, which guarantees that no information about the inputs or outputs is revealed by the evaluation procedure (these properties are implied by the security proof of [39]). Another useful property of garbled circuits is unforgeability which, informally, guarantees that an incorrect evaluation can be detected with all but negligible probability. This property has also been noted and used in works as early as [49], but was pointed out more explicitly in [20].

Cut-and-choose and input-consistency. A difficulty that often comes up when designing protocols based on garbled circuits is verifying whether a circuit was garbled correctly (this matters when adversaries can be malicious). Several mechanisms exist to address this, but the most efficient is cut-and-choose [47, 43, 45, 34, 56, 38]. With cut-and-choose, the
garbler starts by constructing many garbled circuits. The evaluator chooses a random subset of these circuits and verifies their correctness by asking the garbler to reveal the secrets it used. If the verification goes through, the evaluator is left with several unopened garbled circuits and, with high probability, most of them are properly constructed (otherwise at least one malconstructed garbled circuit would have been detected during verification). The evaluator then evaluates the remaining garbled circuits and outputs the majority value. This last step, however, introduces new problems: to avoid subtle attacks the evaluator has to check that the garbler used the same inputs for all the remaining circuits. This input checking step can be handled using several techniques. Mohassel and Franklin [45] and Lindell and Pinkas [38] extend the cut-and-choose technique to cover the input labels as well. Unfortunately, this requires a quadratic (in the security parameter) number of commitments. Another approach is to use specially-designed zero-knowledge proofs [40, 55] which, under specific number-theoretic assumptions, require only a linear number of exponentiations. The techniques of [45] and [38] are
extended to the server-aided setting in [32], where an input checking mechanism is described that requires a quadratic number of commitments.

Pipelined execution. Finally, since circuits can grow very large, garbling and evaluating them in memory can be expensive. Several implementations therefore pipeline the generation and evaluation of garbled circuits [31, 28, 29, 42] by having the garbler send (or stream) the garbled gates immediately after generating them and having the evaluator evaluate (or verify) them on the fly. Using this approach, the parties keep in memory only the intermediate wires needed for the rest of the evaluation. This leads to very efficient implementations, since the parties only need to store intermediate values and garbled gates on disk. Moreover, it improves the latency of the protocol, since the garbler and the evaluator can operate simultaneously. Previous work, however, has only shown how to pipeline garbled circuits in the presence of semi-honest adversaries.

1.2 Our Contributions

Secure function evaluation is an important and powerful cryptographic primitive, and many of its underlying techniques, such as garbled circuits, oblivious transfer and secret sharing, are important in their own
right. As such, SFE and the underlying primitives that enable it have a wide array of applications and, if made practical, could have a large impact on the design of secure and privacy-preserving technologies.

2 Model and Definitions

Practical server-aided SFE with a single server has only been achieved in certain specific adversarial models. In particular, as shown in [32], the garbled-circuit-based protocol of Feige, Kilian and Naor from [18] is a secure server-aided SFE protocol against a set of non-colluding semi-honest adversaries, that is, adversaries that follow the protocol and are independent in the sense that they do not share any information before or after the protocol execution. [32] also gives protocols that are secure in the presence of non-cooperating adversaries which, roughly speaking, are adversaries that deviate from the protocol but do not send information other than what is prescribed by the protocol (note that a non-cooperating adversary is stronger than a semi-honest adversary). A natural question, therefore, is whether these relaxations of the adversarial model are necessary in order to achieve practical server-aided SFE and all the advantages it provides, such as asymmetric efficiency (i.e., different
parties needing different amounts of resources) and sub-linear work.

Asymmetric efficiency in the standard model? Consider a solution that does not make use of the relaxations described above. In particular, one might attempt to design an efficient server-aided protocol between parties $(P_1, \ldots, P_n)$ and a server $S$ such that: (1) a subset of the parties do sub-linear work; and (2) the server and the remaining parties do work that is polynomial in the size of the circuit. Such a protocol with security in the standard adversarial model, however, would yield a 2SFE protocol with low communication and computation for one party$^1$ which, currently, can only be constructed based on FHE [14].

Server-aided SFE from any two-party SFE. A second promising attempt (and a successful one) is to take advantage of the fact that the server and $P_1$ are never simultaneously malicious. With this assumption in place, one can indeed design practical protocols wherein all the parties but $P_1$ perform very little work (only proportional to their own input). The idea is as follows: the players $(P_2, \ldots, P_n)$ share their inputs between $S$ and $P_1$, and let them run a general-purpose 2SFE protocol (with security against malicious adversaries) for computing the desired function on the players' inputs. This approach is promising, but for it to work one needs to enhance the 2SFE protocol with mechanisms to convince the players that: (1) their real inputs were used (note that the security of 2SFE does not imply this); and (2) the output of the 2SFE is delivered back to them (2SFE guarantees output correctness but not honest delivery of the output to $P_2$ through $P_n$). We now describe an efficient solution that addresses both issues and works with any general-purpose 2SFE protocol with security against malicious adversaries. This, of course, is the most general case one can hope for in the context of server-aided SFE, so we get a positive feasibility result that 2SFE implies server-aided SFE, though perhaps not with optimal efficiency. Recall that we have parties $(P_1, \ldots, P_n)$, each with a secret input $x_i$, and a server $S$ with no input or output. Let $C$ be the circuit they wish to evaluate. The high-level idea of the reduction is as follows: the parties $(P_2, \ldots, P_n)$ share their inputs between $S$ and $P_1$, who run the 2SFE protocol (with security against malicious adversaries) to evaluate the circuit $C_{Sh}$ that computes $C(x^0_1 \oplus x^1_1, \ldots, x^0_n \oplus x^1_n)$, where $x^0_i$ and $x^1_i$ are the shares of $x_i$. This solution is not sufficient,
however, since the 2SFE protocol cannot prevent a malicious $S$ or $P_1$ from changing their inputs. Similarly, the party that learns the output of the 2SFE can simply lie about it to the other parties. To solve these problems, we make use of a one-time message authentication code (MAC) in the 2SFE evaluation. To verify the outputs, each party $P_j$ picks at random two $l$-bit strings $v^0_j$ and $v^1_j$. [...]

$^1$ Given such a server-aided SFE protocol one can construct a standard two-party protocol by having the first party simulate the subset of the parties who perform sub-linear work and having the second party simulate the server $S$ and the remaining parties.

2.1 Formal Model

We recall the ideal/real-model security definition for MPC in the presence of non-cooperative adversaries presented in [32]. At a high level, the definition compares the real-model execution of a protocol for computing an $n$-party function $f$ to the ideal-model evaluation of $f$ by a trusted party in the presence of $m$ independent adversaries $(A_1, \ldots, A_m)$ that are assumed not to collude.

Non-collusion in MPC. The standard adversarial models for MPC include: (1) semi-honest adversaries, which follow the protocol but attempt to learn extra information from their view of the execution;
and (2) malicious adversaries, which can deviate arbitrarily from the protocol. The recently proposed notion of non-cooperative adversaries [32] captures adversaries that may deviate from the protocol but that do not share any information that is not prescribed by the protocol.

Definition 2.1 (Non-cooperative adversary [32]). An adversary $A_i$ is non-cooperative with respect to adversary $A_j$ if the messages $A_i$ sends to $A_j$ reveal no information about $A_i$'s private values (i.e., its coins and input) to $A_j$ beyond what can be inferred from $A_j$'s output $f_j(x)$.

Note that the notion of non-cooperation only restricts the information revealed by $A_i$'s messages and does not imply that $A_i$ is semi-honest. Indeed, $A_i$ could deviate from the protocol without revealing any information to $A_j$ about its private values, e.g., by garbling a function $f' \neq f$ when required to garble $f$.

2.2 Security Definition

Our security definition is similar to the one presented in [32], with the exception that it guarantees fairness and handles the case when the server is covert. (See [22] for more details about ideal-model/real-model security for MPC.) At a high level, fairness is guaranteed by modifying the behavior of the trusted party in the ideal-model
execution so that it sends $\bot$ to all parties if any party chooses to abort (note that the fairness guarantee does not extend to the server). We capture covertness using the explicit-cheat formulation of [2], which augments the ideal-model execution by allowing a covert adversary $A$ to send a cheat instruction to the trusted party. Upon receiving this instruction, the trusted party sends $A$ all the inputs and takes one of two possible actions: with probability $\epsilon$ it discloses to all parties that $A$ cheated, and with probability $1 - \epsilon$ it does not.

Real-model execution. The real-model execution of protocol $\Pi$ takes place between parties $(P_1, \ldots, P_n)$, server $P_{n+1}$ and adversaries $(A_1, \ldots, A_{m+1})$, where $m \le n$. At the beginning of the execution, each party $(P_1, \ldots, P_n)$ receives its input $x_i$, a set of random coins $r_i$ and an auxiliary input $z_i$, while the server $P_{n+1}$ receives only a set of random coins $r_{n+1}$ and an auxiliary input $z_{n+1}$. Each adversary $(A_1, \ldots, A_m)$ receives an index $i \in I$ that indicates the party it corrupts, while adversary $A_{m+1}$ receives a set of indices that indicate the parties it will corrupt (this captures the fact that these parties collude). For all honest parties $P_i$, let $\mathrm{out}_i$ denote its output, and for all corrupted parties $P_i$, let
$\mathrm{out}_i$ denote its view during the execution of $\Pi$. The $i$-th partial output of a real-model execution of $\Pi$ between parties $(P_1, \ldots, P_{n+1})$ in the presence of adversaries $\mathcal{A} = (A_1, \ldots, A_{m+1})$ is defined as

$$\mathrm{real}^{(i)}(k, x; r) \stackrel{\mathrm{def}}{=} \{\mathrm{out}_j : j \in H\} \cup \mathrm{out}_i,$$

where $H$ denotes the set of honest parties and $r = (r_1, \ldots, r_{n+1})$.

[...]

Let $C$ be a circuit that computes the function $f$. Let $GC(C; r)$ be an algorithm that, given a boolean circuit $C$ and random coins $r$, outputs a garbled circuit $\tilde{C}$. Let $GI(m; r)$ be an algorithm that, given an input length $m$ and coins $r$, returns $2m$ input labels $W = (w^0_1, \ldots, w^0_m, w^1_1, \ldots, w^1_m)$, such that $w^0_i$ and $w^1_i$ are the labels of $0$ and $1$, respectively, for the $i$-th input wire. If $x$ is an $m$-bit string, we denote by $W|_x$ the label vector $(w^{x_1}_1, \ldots, w^{x_m}_m)$. Let $GO(r)$ be an algorithm that, given coins $r$, returns two output labels $(\omega^0, \omega^1)$, and let $Dec(\omega; r)$ be a decoding algorithm that, given an output label $\omega$ and coins $r$, returns a bit $b$. Finally, let $Eval(\tilde{C}, W|_x)$ be an evaluation algorithm that, given a garbled circuit $\tilde{C}$ and a set of input labels $W|_x$, returns an output label $\omega$. We require that for all circuits $C$ and all coins $r$,

$$Eval\big(GC(C; r), W|_x\big) = \omega^{f(x)}, \qquad \text{and that for } b \in \{0, 1\}, \quad Dec(\omega^b; r) = b,$$

where $W := GI(m; r)$ and $(\omega^0, \omega^1) := GO(r)$. For security,
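The garbling interface above, as an added example that is not part of the paper and not the authors' implementation: a toy Yao-style garbling in Python with the same $GC$/$GI$/$GO$/$Eval$/$Dec$ shape. Everything is derived deterministically from the coins $r$ with SHA-256 as the PRF, so an opened circuit can be verified by recomputing it from the revealed coins, which is exactly the check the cut-and-choose step of Section 1 relies on; an output label that is neither $\omega^0$ nor $\omega^1$ is rejected, which is the unforgeability check Protocol 1 later performs through $H(\omega^0)$ and $H(\omega^1)$. The derivation rules, the garbled-row format, the gate set and the demo circuit are this example's own assumptions.

```python
# Added example: toy Yao garbling with the paper's GC / GI / GO / Eval / Dec
# interface. Not the authors' implementation; the derivation rules, the garbled
# row format and the demo circuit are assumptions made for illustration.
import hashlib
import random

LABEL_LEN = 16  # 128-bit wire labels
OPS = {"AND": lambda a, b: a & b, "XOR": lambda a, b: a ^ b}

def _prf(seed, *parts):
    """F_seed(parts), instantiated with SHA-256."""
    return hashlib.sha256(seed + b"|" + b"|".join(parts)).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _lbl(r, wire, bit):
    return _prf(r, b"lbl", str(wire).encode(), bytes([bit]))[:LABEL_LEN]

def GI(m, r):
    """GI(m; r): the 2m input labels as [(w^0_i, w^1_i)] for wires 0..m-1."""
    return [(_lbl(r, i, 0), _lbl(r, i, 1)) for i in range(m)]

def GO(r):
    """GO(r): the two output labels (omega^0, omega^1)."""
    return (_prf(r, b"out", b"0")[:LABEL_LEN], _prf(r, b"out", b"1")[:LABEL_LEN])

def restrict(W, x):
    """W|_x: the label vector (w^{x_1}_1, ..., w^{x_m}_m)."""
    return [W[i][b] for i, b in enumerate(x)]

def GC(C, r):
    """GC(C; r) for C = (num_inputs, gates) with gates = (op, in_a, in_b, out).

    Input wires are 0..num_inputs-1 and the last gate's out wire is the circuit
    output. Labels, row keys and the row permutation all come from r, so the
    garbled circuit is a deterministic function of (C, r).
    """
    _, gates = C
    out_wire = gates[-1][3]
    lab = lambda w, b: GO(r)[b] if w == out_wire else _lbl(r, w, b)
    rng = random.Random(_prf(r, b"perm"))
    tables = []
    for gid, (op, a, b, o) in enumerate(gates):
        rows = []
        for x in (0, 1):
            for y in (0, 1):
                k = hashlib.sha256(lab(a, x) + lab(b, y) + gid.to_bytes(4, "big")).digest()
                # (tag, ciphertext): the tag lets the evaluator pick the right row
                rows.append((k[LABEL_LEN:], _xor(k[:LABEL_LEN], lab(o, OPS[op](x, y)))))
        rng.shuffle(rows)
        tables.append(rows)
    # the garbled circuit carries the wiring but not the gate types
    return {"wiring": [(a, b, o) for (_, a, b, o) in gates], "tables": tables}

def Eval(gc, labels_x):
    """Eval(C~, W|_x): one active label per wire; returns the output label."""
    wire = dict(enumerate(labels_x))
    for gid, ((a, b, o), rows) in enumerate(zip(gc["wiring"], gc["tables"])):
        k = hashlib.sha256(wire[a] + wire[b] + gid.to_bytes(4, "big")).digest()
        hits = [ct for tag, ct in rows if tag == k[LABEL_LEN:]]
        if len(hits) != 1:
            raise ValueError("gate %d: no usable row (bad labels or bad circuit)" % gid)
        wire[o] = _xor(k[:LABEL_LEN], hits[0])
    return wire[gc["wiring"][-1][2]]

def Dec(omega, r):
    """Dec(omega; r). Unforgeability: a label that is neither omega^0 nor omega^1
    is rejected instead of being mapped to some bit."""
    w0, w1 = GO(r)
    if omega == w0:
        return 0
    if omega == w1:
        return 1
    raise ValueError("forged or incorrect output label")

def output_hashes(r):
    """{H(omega^0), H(omega^1)}, what S publishes in Protocol 1 so parties can
    check a garbled output z before anything is decommitted."""
    return {hashlib.sha256(w).digest() for w in GO(r)}

def label_is_genuine(z, hashes):
    return hashlib.sha256(z).digest() in hashes

def check_garbling(gc, C, r):
    """Cut-and-choose check of an opened circuit: recompute GC(C; r) from the
    revealed coins and compare with what the garbler sent."""
    return gc == GC(C, r)

# Constructed demo circuit: f(x) = (x_0 AND x_1) XOR x_2 over 3 input wires.
C_DEMO = (3, [("AND", 0, 1, 3), ("XOR", 3, 2, 4)])
R_DEMO = b"constructed coins for circuit 1"

def evaluate_all_inputs(C, r, f):
    """True iff Dec(Eval(GC(C; r), W|_x); r) == f(x) for every input x."""
    gc, W = GC(C, r), GI(C[0], r)
    xs = [tuple((i >> k) & 1 for k in range(C[0])) for i in range(2 ** C[0])]
    return all(Dec(Eval(gc, restrict(W, x)), r) == f(x) for x in xs)
```

Because the row permutation is seeded from $r$ as well, `check_garbling` is a byte-for-byte comparison; in the protocols this is what "verify that $\tilde{C}_\ell$ was created using $r_\ell$" amounts to. Input/output privacy holds only as far as the labels stay secret: a party holding one label per wire learns the output label but not the bit, which is why the protocols decommit $\omega^0, \omega^1$ (or the $\gamma$ values) only at the very end.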
we also require input/output privacy, which guarantees that a pair $(\tilde{C}, W|_x)$ reveals no partial information about $x$ and $f(x)$, and unforgeability, which guarantees that an incorrect evaluation can be detected.

Our protocols make use of several standard cryptographic primitives, including pseudo-random functions, commitments, secret sharing and symmetric-key encryption (see [23] and the references therein for a thorough discussion of their security properties and pointers to instantiations). We will denote by $F_K(\cdot)$ a pseudo-random function with key $K$. Let $H(\cdot)$ be a one-way function (we use SHA, but we only need its one-wayness property); $Com(m)$ be a commitment to message $m$; and $Enc(K, m)$ be a (deterministic) symmetric encryption of a message $m$ under a key $K$. Any standard instantiation of the above primitives works for us, but following previous implementations [52], we use SHA-1 and SHA-256 as pseudo-random functions and use them to implement all other primitives (see Section 4.1). (SHA-1 is deprecated today; a current implementation would use SHA-256 throughout, which changes nothing in the protocols.) $Share$ will denote the sharing algorithm of an $n$-out-of-$n$ secret sharing scheme, i.e., $Share(n, x)$ outputs $n$ shares $(\alpha_1, \ldots, \alpha_n)$ of $x$ such that no partial information about $x$ can be recovered unless all shares are held. Throughout, we will assume
that sharing is instantiated with the simple XOR secret sharing scheme which, given an input $x$, returns $n$ shares $(r_1, \ldots, r_{n-1}, \bigoplus_{i=1}^{n-1} r_i \oplus x)$, where each $r_i$ is a $|x|$-bit string chosen uniformly at random. Last, we denote by $[n]$ the set $\{1, \ldots, n\}$.

3.1 Security Against a Covert Server

Our first protocol is fair and secure in the presence of a covert server which, roughly speaking, means that the server is dishonest but does not want to get caught. The covert adversarial model was introduced by Aumann and Lindell [2] and allows for more efficient protocols than the standard malicious model. Assuming that the server is covert (as opposed to fully malicious) seems natural in settings where there are strong incentives not to cheat. If the server is a large cloud provider (e.g., Amazon or Microsoft), this assumption is quite reasonable, since the provider's reputation is at stake. We note that for our protocol, if the communication between all parties and the server is digitally signed, the parties can use the transcript as a proof that the server cheated. As for fairness, we observe that although it is unachievable in the standard SFE setting (with a dishonest majority), it is achievable in the server-aided setting, hence providing
a stronger security guarantee than standard SFE in this respect. Recall the server-aided setting, where a set of parties $(P_1, \ldots, P_n)$, each with a private input, and a server $S$ with no input or output want to collectively compute a function $f$ over their private inputs. Let $C$ be a Boolean circuit of size $|C|$ that evaluates $f$ and let $x = (x_1, \ldots, x_m)$ be a binary string [...]

Setup and inputs: Each party $P_i$ has an $m_i$-bit input while the server has no input. Let $m = \sum_{i \in [n]} m_i$. The server $S$ holds a secret key $K$ for a pseudo-random function $F$. $s$ is a statistical security parameter. $C$ is the circuit that computes $f$.

Distributed OT: For all $\ell \in [s-1]$:
1. $S$ computes $r_\ell := F_K(\ell)$. All the coins used by $S$ for the $\ell$-th circuit will be derived from $r_\ell$,
2. $S$ computes $W_\ell := GI(m; r_\ell)$ and, for all $i \in [m]$, $(\alpha^0_{1,i}, \ldots, \alpha^0_{n,i}) \leftarrow Share(n, w^0_i)$ and $(\alpha^1_{1,i}, \ldots, \alpha^1_{n,i}) \leftarrow Share(n, w^1_i)$,
3. $S$ then samples an $n \times m$ binary matrix $P_\ell$ uniformly at random and generates the $n \times m$ matrix $S_\ell$ defined as
$$S_\ell = \begin{pmatrix} \pi_{P_{\ell,11}}(\alpha^0_{1,1}, \alpha^1_{1,1}) & \cdots & \pi_{P_{\ell,1m}}(\alpha^0_{1,m}, \alpha^1_{1,m}) \\ \vdots & & \vdots \\ \pi_{P_{\ell,n1}}(\alpha^0_{n,1}, \alpha^1_{n,1}) & \cdots & \pi_{P_{\ell,nm}}(\alpha^0_{n,m}, \alpha^1_{n,m}) \end{pmatrix},$$
where $\pi_{P_{\ell,ij}}(v_0, v_1) \stackrel{\mathrm{def}}{=} (v_{P_{\ell,ij}}, v_{1 - P_{\ell,ij}})$,
4. $S$ then constructs the $n \times m$ matrix
$C_\ell$ such that $C_{\ell,ij} = \big(Com(S_{\ell,ij}[1]), Com(S_{\ell,ij}[2])\big)$, where $S_{\ell,ij}[a]$ for $a \in \{1, 2\}$ denotes the $a$-th element of the pair stored at location $ij$ of $S_\ell$,
5. for all $i \in [n]$, (a) $S$ sends the $i$-th rows of $S_\ell$ and $C_\ell$ and the associated decommitments to $P_i$, (b) if the decommitments are invalid, $P_i$ accuses $S$ and aborts, (c) for all $j \in \mathrm{inp}(P_i)$, $S$ sends the $j$-th column of $P_\ell$ to $P_i$,
6. $S$ sends to all parties $Q^0_\ell := Com(\omega^0_\ell)$ and $Q^1_\ell := Com(\omega^1_\ell)$, and $H(\omega^0_\ell)$ and $H(\omega^1_\ell)$ permuted in a random order, where $(\omega^0_\ell, \omega^1_\ell) := GO(r_\ell)$.

Cut-and-choose:
1. For all $\ell \in [s-1]$, $S$ sends $\tilde{C}_\ell := GC(C; r_\ell)$ to $P_1$.
2. $P_1$ sends $e \leftarrow [s-1]$ to $S$.
3. $S$ sends $\{r_i\}_{i \in [s-1] \setminus \{e\}}$ to $P_1$, who in turn sends it to all the parties.
4. All parties verify that all the values received from $S$ in the previous steps were constructed properly from the appropriate randomness. If not, they accuse $S$ and abort.

Input label reconstruction for $P_i$: For all $j \in \mathrm{inp}(P_i)$:
1. for all $i' \neq i$: (a) $P_i$ sends $b_{i'j} := x_j \oplus P_{e,i'j}$ to $P_{i'}$, (b) $P_{i'}$ returns $S_{e,i'j}[b_{i'j}]$, indexing the pair by $b_{i'j} \in \{0, 1\}$ (recall that $P_{i'}$ received the $i'$-th row from $S$ in step 5(a) of the distributed OT phase).
2. $P_i$ reconstructs $w^{x_j}_j$ using the $n$ shares obtained in the previous steps.

Figure 1: Protocol 1 - Covert Server (Part 1)

Commitment consistency check: For all $i \in [n]$, $j \in \mathrm{inp}(P_i)$ and $i' \neq i$:
1. $S$ sends
$C_{e,i'j}$ to $P_i$,
2. $P_i$ and $P_{i'}$ check that they have the same commitments (simply by sending them to each other). If not, they accuse $S$ and abort. More precisely: (a) for all $j \in \mathrm{inp}(P_i) \cup \mathrm{inp}(P_{i'})$ they check that they both received the same commitments $C_{e,ij}$ or $C_{e,i'j}$ (depending on who owns wire $j$), (b) they check that they received the same $Q^0_e$ and $Q^1_e$,
3. $P_{i'}$ sends to $P_i$ decommitments to $C_{e,i'j}[b_{i'j}]$. If any decommitment is invalid, $P_i$ accuses $P_{i'}$ and aborts.

Garbled circuit evaluation:
1. All the parties send their input labels for $\tilde{C}_e$ to $P_1$.
2. $P_1$ evaluates $\tilde{C}_e$ and returns the garbled output $z$ to all the parties.

Revealing the output:
1. Each party $P_i$ computes a hash of $z$ and verifies that it matches one of the two hashes $H(\omega^0_e)$ and $H(\omega^1_e)$ the server sent earlier. If so, it sends an ACK message to the server.
2. After receiving ACK messages from all players, $S$ sends the decommitments to $Q^0_e$ and $Q^1_e$ to all parties.
3. Using the decommitments and $z$, each party can determine the output bit.

Figure 2: Protocol 1 - Covert Server (Part 2)

Asymptotic efficiency. Let $s$ be a statistical security parameter, $n$ the number of parties, and $m$ the combined length of all parties' inputs. With our protocol, $S$ and $P_1$ work in time $O(s|C| + smn)$ while the other parties work
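The distributed-OT and label-reconstruction steps of Figure 1, as an added Python example that is not the authors' code: $S$ shares both labels of each input wire among the $n$ parties with the XOR scheme of Section 2, stores each party's two shares in the order given by the permutation bit $P_{ij}$, commits to them, and the owner of wire $j$ pulls one share per party by sending $b = x_j \oplus P_{i'j}$. Hash commitments with a random opening, 16-byte labels and the single-owner demo run are assumptions of the example; the commitment consistency check of Figure 2 is modelled by the owner checking every foreign share against the commitment $S$ holds for it, which is what catches a party that answers with a wrong share.

```python
# Added example: the distributed-OT and input-label-reconstruction steps of
# Protocol 1 for one circuit. Not the authors' code; hash commitments with a
# random opening and 16-byte labels are assumptions made for illustration.
import hashlib
import os

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def share(n, x):
    """Share(n, x): XOR sharing (r_1, ..., r_{n-1}, r_1 ^ ... ^ r_{n-1} ^ x)."""
    rs = [os.urandom(len(x)) for _ in range(n - 1)]
    last = x
    for r in rs:
        last = xor(last, r)
    return rs + [last]

def com(v):
    """Com(v) as H(v || opening) with a random 16-byte opening."""
    o = os.urandom(16)
    return hashlib.sha256(v + o).digest(), o

def com_open(c, v, o):
    return hashlib.sha256(v + o).digest() == c

class Server:
    """S in steps 2-5 of the distributed-OT phase, for one circuit index.

    labels[j] = (w^0_j, w^1_j). Each label is shared among the n parties; the
    two shares for party i and wire j are stored in the order fixed by the
    permutation bit P[i][j] (share of w^P first), and both are committed to.
    """
    def __init__(self, n, labels):
        self.n, self.m = n, len(labels)
        self.P = [[os.urandom(1)[0] & 1 for _ in labels] for _ in range(n)]
        self.S = [[None] * self.m for _ in range(n)]  # pairs of shares
        self.C = [[None] * self.m for _ in range(n)]  # pairs of commitments
        self.O = [[None] * self.m for _ in range(n)]  # pairs of openings
        for j, (w0, w1) in enumerate(labels):
            a0, a1 = share(n, w0), share(n, w1)
            for i in range(n):
                pair = (a0[i], a1[i]) if self.P[i][j] == 0 else (a1[i], a0[i])
                (c0, o0), (c1, o1) = com(pair[0]), com(pair[1])
                self.S[i][j], self.C[i][j], self.O[i][j] = pair, (c0, c1), (o0, o1)

    def row(self, i):
        """Step 5(a): the i-th rows of S and C plus the decommitments."""
        return self.S[i], self.C[i], self.O[i]

    def perm_column(self, j):
        """Step 5(c): column j of P, sent only to the party that owns wire j."""
        return [self.P[i][j] for i in range(self.n)]

class Party:
    def __init__(self, idx, server):
        self.idx = idx
        self.S_row, self.C_row, self.O_row = server.row(idx)
        for j in range(len(self.S_row)):  # step 5(b)
            for a in (0, 1):
                if not com_open(self.C_row[j][a], self.S_row[j][a], self.O_row[j][a]):
                    raise ValueError("P%d: invalid decommitment from S, abort" % idx)

    def answer(self, j, b):
        """Step 1(b) of reconstruction: return S[i'][j][b] and its opening.
        b = x_j ^ P[i'][j] is uniformly random to this party, which never sees
        P[i'][j], so the query leaks nothing about x_j."""
        return self.S_row[j][b], self.O_row[j][b]

class CheatingParty(Party):
    """Returns a wrong share; caught by the owner's commitment check."""
    def answer(self, j, b):
        v, o = super().answer(j, b)
        return xor(v, b"\x01" * len(v)), o

def reconstruct_label(owner, j, x_j, server, parties):
    """P_i recovers w^{x_j}_j from one share per party (including its own),
    checking every foreign share against the commitment S published for it."""
    perm_col = server.perm_column(j)
    acc = bytes(len(owner.S_row[j][0]))
    for p in parties:
        b = x_j ^ perm_col[p.idx]
        v, o = p.answer(j, b)
        if p is not owner and not com_open(server.C[p.idx][j][b], v, o):
            raise ValueError("P%d accuses P%d: invalid decommitment" % (owner.idx, p.idx))
        acc = xor(acc, v)
    return acc

def demo(n=3, m=2, x=(1, 0), cheater=None):
    """Constructed run in which P_0 owns all m wires with input bits x. Returns
    True iff every reconstructed label equals w^{x_j}_j; raises if a party cheats."""
    labels = [(os.urandom(16), os.urandom(16)) for _ in range(m)]
    srv = Server(n, labels)
    parties = [(CheatingParty if i == cheater else Party)(i, srv) for i in range(n)]
    return all(reconstruct_label(parties[0], j, x[j], srv, parties) == labels[j][x[j]]
               for j in range(m))

def cheater_is_caught(n=3, m=2):
    try:
        demo(n, m, cheater=n - 1)
    except ValueError:
        return True
    return False
```

The owner only ever asks for the share at position $x_j \oplus P_{i'j}$, so it collects all $n$ shares of $w^{x_j}_j$ and not a single share of the other label; the answering party only sees a uniformly random bit. Both properties depend on $S$ not colluding with the parties, which is exactly the non-cooperation assumption of Theorem 3.1.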
in time $O(sm)$, where for the specific value $s = 16$ (as suggested in [52]) we obtain a complexity of $O(16|C| + 16mn)$ and $O(16m)$, respectively. We emphasize that we only use inexpensive cryptographic primitives such as hash functions and commitments.

Security. We now turn to security and show in the following theorem that our protocol is secure according to Definition 2.2.

Theorem 3.1. The protocol fairly and securely computes the circuit $C$ in the following two corruption scenarios: (1) the server is covert (but non-cooperative with respect to the parties), while all other parties are semi-honest; (2) the server is semi-honest, while all but one of the parties are malicious (but non-cooperative with respect to the server).

Proof. Fairness is achieved because the server reveals the translation of the outputs only after all the parties confirm that they have received the same answer. Next we focus on a simulation-based proof of privacy and correctness. For the above protocol, our server-aided security definition requires a simulation-based privacy and correctness guarantee in the following two scenarios: (1) the server $S$ is covert and non-cooperative, while the parties are semi-honest; and (2) the server is semi-honest,
and all but one of the parties are malicious. The malicious parties can collude between themselves. Note that due to Lemma 2.3, we can divide the proof into three different claims: first we prove security when the parties and server are independent and semi-honest. Then, we prove security for [...]

[...] knows, for all circuits and commitments, whether they are correct or not. There are three cases now. First, if at least two circuits (or their commitments or hashes) are incorrect, it sends an abort message to the trusted party, simulates $P_1$ aborting and outputs whatever $A_S$ does. Second, if exactly one of the circuits/commitments/hashes is incorrect, it sends the "cheat" instruction to the trusted party to notify it that the server is cheating. If the trusted party discloses the cheating, $Sim_S$ rewinds to the cut-and-choose step, chooses a value $e$ for which the server gets caught, simulates $P_1$ aborting, and outputs whatever $A_S$ does. If the trusted party does not disclose the cheating, it rewinds to the cut-and-choose step, chooses $e$ such that the server does not get caught, and outputs whatever $A_S$ does. Third, if all circuits/commitments/hashes are correct, it sends an ACK message on behalf of each party to $A_S$ and outputs whatever it does. This ends the simulation.
Note that if two or more bad circuits/commitments/hashes exist, the honest parties in the ideal execution and the real execution both abort. If there is exactly one bad circuit, this happens in both models with probability $1 - 1/(s-1)$ (the server is caught unless $P_1$'s choice $e$ is precisely the bad index, which it is with probability $1/(s-1)$), and if everything is done correctly, both the real and the ideal executions finish successfully and with correct outputs for the honest parties.

Claim. The protocol securely computes the circuit $C$ in the presence of an honest server and an all-but-one set of malicious parties.

Our final claim is for the case where all but one of the parties may be malicious and even collude. Consider the adversary $A$ corrupting a subset of the parties. Without loss of generality, we assume that $P_1$ is among the corrupted parties, since the case where $P_1$ is not among the corrupted parties can easily be proved as a special case of the former. One may wonder whether the proof for this case is identical to the proof of the first claim in the case where $P_1$ is semi-honest. Unfortunately, however, a complication arises here that is not present in that case. Since $P_1$ is malicious, we need to extract its input during the simulation in order to obtain the output from the trusted party, and then use the output to create
a consistent fake garbled circuit. But the input distribution stage does not take place until after the garbled circuits are sent to $P_1$. Hence, we need a slightly different simulation strategy. Simulator $Sim$ plays the role of the honest server $S$ and of at least one honest party $P_i$ during the interaction with the rest of the parties. It starts by guessing $e$ (the index of the evaluated circuit) and by preparing correct garbled circuits for all $\tilde{C}_i$ with $i \in [s-1] \setminus \{e\}$. For $\tilde{C}_e$, it garbles a circuit that outputs $P_1$'s first input bit (of course, with many dummy gates to make the garbled circuit indistinguishable from a valid circuit). The simulator runs the protocol until the cut-and-choose stage. If $e$ was not selected by $P_1$, it rewinds the protocol and starts again. Since the guess is correct with probability $1/(s-1)$, an expected $s-1$ attempts suffice. Once the guess is right, the simulation continues, and in the step in which $P_1$ (and the rest of the parties) ask $P_i$ for their shares, the simulator learns the inputs of those parties (since it knows the permutations). The simulator then sends those inputs to the trusted party and receives the output of the computation. Now, it changes the share that $P_i$ holds for $P_1$'s first input bit in such a way that $P_1$'s garbled circuit evaluation will yield
an output token that decodes to the correct output. Note that this can be done because we use XOR to share the input tokens. Indeed, the simulated $P_i$ can flip $P_1$'s input bit by simply XORing its shares with the input tokens it wants $P_1$ to recover. The commitments for those shares are recomputed and the protocol continues until the end, when the server and $P_i$ send the same commitments to the other parties. Note that now $A$ evaluates the circuit that returns the first bit of its input, and that first bit is the actual output bit. If $P_1$ returns an invalid output, the simulator sends an abort to the trusted party, simulates the honest $P_i$ aborting and outputs whatever $A$ does.

It is easy to show that the corrupted parties' view when interacting with the simulator is indistinguishable from their view in the real protocol: first, due to the security properties of Yao's garbled circuits, the fake circuit generated by the simulator is indistinguishable from a real one, and second, the corrupted parties' view of the honest $P_i$'s input consists only of uniformly random shares and hence is identical in both executions.

The above three claims combined complete the proof of security for our first server-aided SFE protocol with a covert server.

3.2 Security Against a Malicious Server
Our second protocol is secure against a malicious server and is described in detail in Figure 3. We now provide an overview.

Overview. In this protocol we assume the parties share randomness at the beginning. This can be achieved by simply running a simulatable coin-tossing protocol [37, 33]. Such a protocol emulates the usual coin-flipping functionality in the presence of arbitrary malicious adversaries and allows a simulator who controls a single player to control the outcome of the coin flip. Here, $P_1$ is the garbler and $S$ is the evaluator. $P_1$ uses the shared randomness to generate $s$ garbled circuits, which it sends to the server $S$. To verify the correctness of the garbling step, $S$ and $P_1$ execute a cut-and-choose protocol. At the end of the cut-and-choose, $S$ is left with $\sigma$ circuits, the majority of which are properly garbled (with high probability). Then, all the parties send the labels for their input wires to $S$ (they can compute these labels using the shared randomness). Since this is done for multiple circuits, we have to ensure that each party uses the same input in all the circuits.

Input checking. There are several mechanisms to check and enforce input consistency [45, 38, 40, 55, 32], but we deviate from previous approaches
and introduce a new mechanism that is more efficient. In particular, we require that for each wire $i \in [m]$, each party send to $S$ the following two hashes, permuted at random:
$$H\big(w^0_{1,i} \,\|\, \cdots \,\|\, w^0_{\sigma,i}\big) \quad \text{and} \quad H\big(w^1_{1,i} \,\|\, \cdots \,\|\, w^1_{\sigma,i}\big),$$
where $w^b_{j,i}$ is the input label for bit $b$ of the $i$-th wire of the $j$-th circuit (for $j \in [\sigma]$). The server verifies that the hashes it received from different parties are the same. Assuming that at least one party is honest, this implies the hash was honestly computed. Then, given the labels for the $i$-th input wire, $S$ can compute their hash and verify that the result indeed matches one of the two previously accepted hashes for the same wire. If the check passes for all input wires, the server proceeds to the evaluation of the remaining circuits. At the end of the evaluation, $S$ is left with $\sigma$ output labels (the results of the evaluations). If the server directly sends these labels to the parties, however, it will leak additional information to them (as already pointed out in [32]). We use a new technique for resolving this issue that allows the server to output a single value that represents the majority output without revealing any additional information. This new technique
is more efficient than the oblivious cut-and-choose technique of [32].

Asymptotic efficiency. The complexity of the protocol is as follows: let $s$ be the security parameter (the number of garbled circuits), $\sigma \le s$ be the number of circuits used for evaluation, $n$ be the number of parties, and $m$ be the total length of all the parties' inputs combined. $S$ and $P_1$ work in time $O(s|C| + sm)$ and the other parties work in time $O(\sigma m)$, where for the specific values $s = 132$ and $\sigma = 2s/5$ (as suggested in [55]) we get a complexity of $O(132|C| + 132m)$ and $O(52m)$, respectively. Again, we stress that we only use inexpensive cryptographic primitives.

Setup and inputs: Each party $P_i$ has an $m_i$-bit input while the server has no input. Let $m = \sum_i m_i$. All the parties share a secret key $K$. $s$ and $\sigma$ are statistical security parameters.

Setup shared randomness:
1. For all $\ell \in [s]$, the players compute $r_\ell = F_K(\ell)$ (these will be used to garble $s$ circuits).
2. The players compute $\gamma_0 := F_K(s+1)$ and $\gamma_1 := F_K(s+2)$ (these will be used to decode the final output).

Circuit garbling: For all $\ell \in [s]$, $P_1$ sends $\tilde{C}_\ell := GC(C; r_\ell)$ to $S$.

Garbled circuit verification:
1. $S$ picks a set $T \subset [s]$ of size $s - \sigma$ at random and sends $T$ to $P_1$.
2. $P_1$ sends $r_\ell$ for all $\ell \in T$ to $S$.
3. For all $\ell \in T$, $S$ checks that $\tilde{C}_\ell$ was created using $r_\ell$. If so, it sends $r_\ell$ to all the parties, who verify that it is equal to the randomness they computed earlier.

Input label transfer:
Let $E = [s] \setminus T$ be the set of indices of non-verified circuits. Each party $P_i$ computes $W_\ell := GI(m; r_\ell)$ for all $\ell \in E$. It then sends all its input labels to $S$. Denote by $w_{\ell,j}$ the label $S$ receives for the $j$-th input wire of the $\ell$-th circuit.

Input label consistency check: For $j \in [m]$:
1. All the players send the hash values $h_{w,b} = H(w^b_{\ell_1,j} \,\|\, \cdots \,\|\, w^b_{\ell_\sigma,j})$ for $b \in \{0, 1\}$ in a random order, where $\ell_1, \ldots, \ell_\sigma \in E$.
2. $S$ checks that it receives the same hash values from all the players.
3. $S$ checks that one of the hashes equals $H(w_{\ell_1,j} \,\|\, \cdots \,\|\, w_{\ell_\sigma,j})$.

Garbled circuit evaluation: $S$ evaluates the circuits $\tilde{C}_\ell$ for all $\ell \in E$. Denote the output of $\tilde{C}_\ell$ by $z_\ell$.

Majority output: For all $\ell \in E$:
1. each party sends the two ciphertexts $Enc(\omega^0_\ell, \gamma_0)$ and $Enc(\omega^1_\ell, \gamma_1)$ to $S$, permuted in a random order, where $(\omega^0_\ell, \omega^1_\ell) := GO(r_\ell)$,
2. $S$ checks that the pairs of encryptions it receives from all the players are identical and aborts otherwise,
3. $S$ decrypts the two ciphertexts using $z_\ell$ and recovers $\gamma_\ell$ and $\gamma'_\ell$.
$S$ sends to all parties the value $W$ that appears most often among the set $\{\gamma_\ell, \gamma'_\ell\}_{\ell \in E}$.

Output recovery: Players output the bit $b$ such that $\gamma_b = W$.

Figure 3: Protocol 2 - Malicious Server
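The input-label consistency check and the majority-output step of Figure 3, as an added Python example that is not the authors' code. The label derivation from $r_\ell = F_K(\ell)$, the PRF-keyed one-time pad used for the deterministic $Enc$, comparing each permuted pair as an unordered set, and the stand-in for the server's evaluation ($z_\ell$ is the correct output label for a well-formed circuit and random bytes for a malformed one) are this example's assumptions; the garbled circuits themselves are not built here. The server side holds no key and sees only what the parties send.

```python
# Added example (not the authors' code): Protocol 2's input-label consistency
# check and majority-output step. Label derivation, Enc and the evaluation
# stand-in are assumptions made for illustration.
import hashlib
import os
from collections import Counter

LABEL_LEN = 16

def F(K, *parts):
    """F_K(.) instantiated with SHA-256; non-bytes parts are stringified."""
    enc = [p if isinstance(p, bytes) else str(p).encode() for p in parts]
    return hashlib.sha256(K + b"|" + b"|".join(enc)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def H(data):
    return hashlib.sha256(data).digest()

def input_label(K, l, j, b):
    """w^b_{l,j}: label for bit b of wire j in circuit l, derived from r_l = F_K(l)."""
    return F(F(K, l), "in", j, b)[:LABEL_LEN]

def GO(K, l):
    """(omega^0_l, omega^1_l) for circuit l, derived from r_l."""
    r = F(K, l)
    return F(r, "out", 0)[:LABEL_LEN], F(r, "out", 1)[:LABEL_LEN]

def gammas(K, s):
    """gamma_0 := F_K(s+1), gamma_1 := F_K(s+2)."""
    return F(K, s + 1), F(K, s + 2)

def Enc(key, msg):
    """Deterministic Enc(k, m): one-time pad under a PRF of the key (an involution,
    so the same call decrypts)."""
    return xor(F(key, "enc"), msg)

# --- party side -------------------------------------------------------------
def party_wire_hashes(K, E, j):
    """The two hashes H(w^b_{l_1,j} || ... || w^b_{l_sigma,j}), sent as an unordered pair."""
    return frozenset(H(b"".join(input_label(K, l, j, b) for l in E)) for b in (0, 1))

def party_input_labels(K, E, j, x_j):
    """Honest P_i: its label for bit x_j of wire j in every evaluated circuit."""
    return [input_label(K, l, j, x_j) for l in E]

def party_output_ciphertexts(K, s, l):
    """Enc(omega^0_l, gamma_0) and Enc(omega^1_l, gamma_1) as an unordered pair."""
    g0, g1 = gammas(K, s)
    w0, w1 = GO(K, l)
    return frozenset({Enc(w0, g0), Enc(w1, g1)})

def party_recover_output(K, s, W):
    g0, g1 = gammas(K, s)
    return 0 if W == g0 else 1 if W == g1 else None

# --- server side (no key; only what the parties sent) ------------------------
def server_check_wire(hash_pairs, labels):
    """Consistency check for one wire: every party sent the same pair of hashes,
    and the labels the wire's owner sent hash to one of them."""
    if len(set(hash_pairs)) != 1:
        return False
    return H(b"".join(labels)) in next(iter(hash_pairs))

def server_majority_output(ct_pairs_per_party, z):
    """ct_pairs_per_party[i][l]: pair from party i for circuit l; z[l]: output
    label S obtained by evaluating circuit l. Decrypting both ciphertexts with
    z_l yields the right gamma plus one junk value; junk differs per circuit,
    so the majority over all l is the correct gamma when most circuits are good."""
    votes = Counter()
    for l, z_l in z.items():
        pairs = {cp[l] for cp in ct_pairs_per_party}
        if len(pairs) != 1:
            raise ValueError("parties disagree on ciphertexts for circuit %d, abort" % l)
        for ct in next(iter(pairs)):
            votes[Enc(z_l, ct)] += 1
    return votes.most_common(1)[0][0]

def demo(n=3, s=6, E=(1, 3, 5), output_bit=1, bad_circuits=(1,)):
    """Constructed run; returns (consistency_ok, inconsistent_rejected, recovered_bit).
    Circuits in bad_circuits stand in for malformed ones whose evaluation yields junk."""
    K = os.urandom(32)
    j = 0
    hp = [party_wire_hashes(K, E, j) for _ in range(n)]
    ok = server_check_wire(hp, party_input_labels(K, E, j, 1))
    # a party using bit 0 in one circuit and bit 1 in the others must be rejected
    mixed = [input_label(K, E[0], j, 0)] + [input_label(K, l, j, 1) for l in E[1:]]
    rejected = not server_check_wire(hp, mixed)
    z = {l: (os.urandom(LABEL_LEN) if l in bad_circuits else GO(K, l)[output_bit]) for l in E}
    cts = [{l: party_output_ciphertexts(K, s, l) for l in E} for _ in range(n)]
    W = server_majority_output(cts, z)
    return ok, rejected, party_recover_output(K, s, W)
```

The majority step is what lets $S$ publish a single value without learning anything: $W$ is one of two PRF outputs it cannot tell apart from junk, and the parties, who know $\gamma_0$ and $\gamma_1$, map it back to the bit. If the malformed circuits are in the majority (the case cut-and-choose makes improbable), the most frequent value is junk and `party_recover_output` returns `None` rather than a wrong bit.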
[...] overhead smaller than 6. Recall that in the two-party case, the efficiency ratio between semi-honest and malicious security is more than several hundred.

Side-channels in pipelined execution. We note that during our experiments we experienced different timings for the processing of the circuits that were evaluated and those that were verified. This seems inevitable, since the receiver works harder when it checks a garbled circuit. A garbler that can tell from this timing which circuits will be checked could place its malformed circuits only among those that will be evaluated, which defeats the purpose of cut-and-choose. Simple solutions like restricting the receiver to work in constant time could work, at the cost of efficiency. However, clever techniques that parallelize the work on several circuits could be more efficient. We leave this direction for future work.

                            AES                                                    Edit distance
                            Protocol 1   Protocol 1   Protocol 2   Protocol 2      Protocol 1   Protocol 2
                            2 parties    4 parties    2 parties    4 parties       2 parties    2 parties
Total time (s)              9.12         14.8         45           46              33.5         240
Communication time (s)      6.5          9.5          32           32              26           185
P1/S communication          27777 KB     27777 KB     216749 KB    216749 KB       165918 KB    1296319 KB
P2 communication            2443 KB      5539 KB      33 KB        33 KB           862 KB       2 KB

Table 1: Experimental results. Total time is the sum of communication time and computation time (in seconds). P1/S communication is the communication size of the party who communicates the most (either $P_1$ or $S$). P2 communication is the communication size of any one of the weaker players.

Acknowledgments

We would like to thank Benny Pinkas and Nigel P. Smart for providing us the AES circuit from [52], and Peeter Laud for his valuable comments.

References

[1] G. Asharov, A. Jain, A. Lopez-Alt, E. Tromer, V. Vaikuntanathan, and D. Wichs. Multiparty computation with low communication, computation and interaction via threshold FHE. In EUROCRYPT, 2012.
[2] Y. Aumann and Y. Lindell. Security against covert adversaries: Efficient protocols for realistic adversaries. In TCC, 2007.
[3] B. Barak and O. Goldreich. Universal arguments and their applications. In CCC, 2002.
[4] A. Ben-David, N. Nisan, and B. Pinkas. FairplayMP: a system for secure multi-party computation. In CCS, 2008.
[5] D. Bogdanov, S. Laur, and J. Willemson. Sharemind: A framework for fast privacy-preserving computations. In ESORICS, 2008.
[6] P. Bogetoft, D. Christensen, I. Damgård, M. Geisler, T. Jakobsen, M. Krøigaard, J. Nielsen, J. B. Nielsen, K. Nielsen, J. Pagter, M. Schwartzbach, and T. Toft. Secure multiparty computation goes live. In FC