Slide1
On the Security of the “Free-XOR” Technique
Ranjit Kumaresan
Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)
Slide2
Research in Secure Two-party Computation (2PC)
Generic protocols [Yao86, GMW87]
“Tailored” protocols for specific applications [FNP04, HL08, KO97, …]
Fairplay [MNPS04]: implemented generic protocols
Hope for practicality
Slide3
Research in Secure Two-party Computation (2PC)
Active research improving concrete efficiency of generic protocols
Garbled circuit approach [PSSW09, HEKM11, KM11, LP07, LP11, …]
GMW approach [NNOB11, CHKMR12, …]
Moving secure computation from theory to practice
Slide4
Talk Outline
Background on Yao GC & the Free-XOR technique [KS08]
Description in the random oracle (RO) model
Replacing RO with correlation robust hash functions?
Sufficient assumptions on the hash function
Why correlation robust hash functions are not enough
New notion: circular correlation robust hash functions
Security of the Free-XOR technique
Conclusions
Slide5
Yao Garbled Circuit (GC) [Yao86]
Generic secure computation protocol
Constant round solution
Mostly symmetric-key operations
Popular choice for efficient 2PC
Slide6
Yao Garbled Circuit
[Figure: garbled AND and XOR gates with wire labels u, v, w]
Credit: V. Kolesnikov
Slide7
Yao Garbled Circuit
AND gate g: input wire keys u0, u1 and v0, v1; output wire keys w0, w1
Garbled table for g:
H(u0,v0,g) ⊕ w0
H(u0,v1,g) ⊕ w0
H(u1,v0,g) ⊕ w0
H(u1,v1,g) ⊕ w1
XOR gate g’: input wire keys w0, w1 and x0, x1; output wire keys y0, y1
Garbled table for g’:
H(w0,x0,g’) ⊕ y0
H(w0,x1,g’) ⊕ y1
H(w1,x0,g’) ⊕ y1
H(w1,x1,g’) ⊕ y0
g, g’: gate indices; H: hash function
Slide8
GC Based Semi-Honest 2PC [Yao86]
[Figure: Alice sends Bob the garbled circuit (GC) and the keys for Alice’s input wires; Bob obtains the keys for his own input bits via OT; Bob evaluates the GC using the received input keys]
Slide9
Efficiency Improvements to Yao GC
Garbled row reduction [NPS99, PSSW09]: just 3 entries per garbled table
Point-and-permute [MNPS04]: decrypt only one entry
Free-XOR technique [KS08]: no garbled table for XOR gates
Slide10
Free-XOR Technique [KS08]
Idea: XOR gates evaluated for “free”
No cryptographic operations or communication (like [Kol05, GMW87])
GC based 2PC in the semi-honest setting
Gains in practice?
40% improvement for “typical” circuits
300% improvement for universal circuits
Impact
All recent implementations use Free-XOR technique [PSSW09, SS11, …]
Efforts to minimize #non-XOR gates in circuit [KS08, KSS09, PSSW09]
Slide11
Free-XOR Technique [KS08]
AND gate g: input wire keys u0, u1 and v0, v1; output wire keys w0, w1
H(u0,v0,g) ⊕ w0
H(u0,v1,g) ⊕ w0
H(u1,v0,g) ⊕ w0
H(u1,v1,g) ⊕ w1
XOR gate g’: input wire keys w0, w1 and x0, x1; output wire keys y0, y1
H(w0,x0,g’) ⊕ y0
H(w0,x1,g’) ⊕ y1
H(w1,x0,g’) ⊕ y1
H(w1,x1,g’) ⊕ y0
Slide12
Free-XOR Technique [KS08]
AND gate g with wires u, v (inputs) and w (output); XOR gate g’ with wires w, x (inputs) and y (output)
u1 = u0 ⊕ R
v1 = v0 ⊕ R
w1 = w0 ⊕ R
x1 = x0 ⊕ R
y1 = y0 ⊕ R
y0 = w0 ⊕ x0
Garbled table for AND gate g:
H(u0,v0,g) ⊕ w0
H(u0,v1,g) ⊕ w0
H(u1,v0,g) ⊕ w0
H(u1,v1,g) ⊕ w1
Garbled table for XOR gate g’:
H(w0,x0,g’) ⊕ y0
H(w0,x1,g’) ⊕ y1
H(w1,x0,g’) ⊕ y1
H(w1,x1,g’) ⊕ y0
R : hidden global parameter
Slide13
Free-XOR Technique [KS08]
AND gate g with wires u, v (inputs) and w (output); XOR gate g’ with wires w, x (inputs) and y (output)
Set y = w ⊕ x
Garbled table for AND gate g:
H(u0,v0,g) ⊕ w0
H(u0,v1,g) ⊕ w0
H(u1,v0,g) ⊕ w0
H(u1,v1,g) ⊕ w1
Garbled table for XOR gate g’ (no longer needed once y = w ⊕ x):
H(w0,x0,g’) ⊕ y0
H(w0,x1,g’) ⊕ y1
H(w1,x0,g’) ⊕ y1
H(w1,x1,g’) ⊕ y0
R : hidden global parameter
Use H(u,v,g) to recover w
Slide14
Proof in the RO Model [KS08]
Corrupt Alice: trivial
Corrupt Bob: Sim creates a fake garbled circuit whose output is always correct
Intuitively, security reduces to proving R is completely hidden
Indistinguishability proved by induction on topological ordering of gates
Real table:
H(u,v,g) ⊕ w
H(u,v⊕R,g) ⊕ w
H(u⊕R,v,g) ⊕ w
H(u⊕R,v⊕R,g) ⊕ (w⊕R)
Simulated table:
H(u,v,g) ⊕ w
random1
random2
random3
By induction, known input keys: u, v
Only w is recovered
Except with negl. prob., all other values are hidden
Slide15
Proof in the Standard Model?
RO is not programmed
Can RO be replaced by a suitable hash function?
[KS08]: a variant of correlation robust hash functions (CorRHF) works
Repeated wherever Free-XOR is used [PSSW09, SS11, AHI11, NO09, …]
Our contributions
Specify variant of CorRHF that is sufficient
“Natural” variant of CorRHF is NOT sufficient
Slide16
Proof in the Standard Model?
Main issue is circularity [BK03, BRS03, HK07, …]
Real table:
H(u,v,g) ⊕ w
H(u,v⊕R,g) ⊕ w
H(u⊕R,v,g) ⊕ w
H(u⊕R,v⊕R,g) ⊕ (w⊕R)
The circular entry: H(u⊕R,v⊕R,g) ⊕ (w⊕R)
CorRHF does not capture circularity
Specify variant of CorRHF that is sufficient
“Natural” variant of CorRHF is NOT sufficient
Circular Correlation Robust Hash Functions
Captures circularity
Security proof for the Free-XOR technique
Slide17
Why is this important?
Implementors happy with RO…
In theory, RO methodology is inherently flawed [CGH04]
Want precise formulation of concrete properties required by RO
“Natural” variant of CorRHF used in other contexts [AHI11, NO09]
“CorRHF is sufficient for Free-XOR technique” claimed in several works [PSSW09, SS11, AHI11, …]
Assumptions required for Free-XOR tech. in Yao GC?
Free-XOR in [GMW87, Kol05] with no other assumptions
Slide18
Correlation Robust Hash Functions [IKNP03]
Proposed by [IKNP03] for removing RO in OT extension
Definition (CorRHF): H is CorRHF if for randomly chosen u1, …, up, the following two distributions are comp. indistinguishable:
(u1, …, up, H(u1⊕R), …, H(up⊕R)) where R is chosen uniformly
(u1, …, up, w1, …, wp) where each wi is chosen uniformly
(Arithmetic variant) realized under PDH assumption [AHI11]
[KS08]: variant can replace RO in Free-XOR
Use of hidden offset in both [KS08] and [IKNP03]
Slide19
“Natural” Variant of CorRHF
Definition (weak 2-CorRHF): H is weakly 2-CorRHF if for given u1, …, up, v1, …, vp, the following two distributions are comp. indistinguishable:
(H(u1⊕R,v1,1), H(u1,v1⊕R,1), H(u1⊕R,v1⊕R,1), …, H(up⊕R,vp,p), H(up,vp⊕R,p), H(up⊕R,vp⊕R,p)) where R is chosen uniformly
(w1, …, w3p) where each wi is chosen uniformly
Slide20
Our Working Definition of 2-CorRHF
Oracle based
CorR(u,v,g): output H(u,v⊕R,g), H(u⊕R,v,g), H(u⊕R,v⊕R,g)
Rand(u,v,g): if input was queried before then output answer given previously, else output a uniformly chosen string
Definition (2-CorRHF): H is 2-CorRHF if every non-uniform PPT adversary A with oracle access to O (either CorR or Rand) cannot tell whether O is CorR or Rand except with negligible advantage
Stronger than previous definition
Oracle queries can be adaptive
Slide21
2-CorRHF and Free-XOR technique
Reduction adversary B for 2-CorRHF
Given O (either CorR or Rand)
How to create garbled table?
Choose random u, v, w
Query O(u,v,g) to get h1, h2, h3
First 3 entries can be set
How to obtain fourth entry using h3?
Unclear how to complete reduction
Real table:
H(u,v,g) ⊕ w
H(u,v⊕R,g) ⊕ w
H(u⊕R,v,g) ⊕ w
H(u⊕R,v⊕R,g) ⊕ (w⊕R)
Simulated table:
H(u,v,g) ⊕ w
random1
random2
random3
Reduction table:
H(u,v,g) ⊕ w
h1 ⊕ w
h2 ⊕ w
?
Slide22
Counterexample
Rule out fully black-box reduction using two oracles H and Break
H is 2-CorRHF even if A has oracle access to H and Break
Free-XOR technique is insecure when A has access to H and Break
H(u,v,g): random function
Break(u,v,g,z1,z2,z3): output r when
z1 = H(u,v⊕r,g)
z2 = H(u⊕r,v,g)
z3 = H(u⊕r,v⊕r,g) ⊕ r
Else output nothing
Slide23
H is 2-CorRHF against A^{H,Break}
O = Rand: uniform, independent of A’s view
O = CorR: uniform, independent of A’s view unless A queries
O(u,v,g) & O(u’,v’,g) with u’⊕u = R or v’⊕v = R, or
H(u’,v’,g) with u’⊕u = R or v’⊕v = R, or
Break(u,v,g,z1,z2,z3) with z3 ⊕ H(u⊕R,v⊕R,g) = R
Happens with negligible prob.
H(u,v,g): random function
Break(u,v,g,z1,z2,z3): output r when
z1 = H(u,v⊕r,g)
z2 = H(u⊕r,v,g)
z3 = H(u⊕r,v⊕r,g) ⊕ r
Else output nothing
Slide24
Insecurity of Free-XOR Tech.: A^{H,Break}
Attack: A acting as Bob recovers R
Garbled table of AND gate g:
H(u,v,g) ⊕ w
H(u,v⊕R,g) ⊕ w (c1)
H(u⊕R,v,g) ⊕ w (c2)
H(u⊕R,v⊕R,g) ⊕ (w⊕R) (c3)
Recover w from gate g using H(u,v,g)
z1 = c1 ⊕ w
z2 = c2 ⊕ w
z3 = c3 ⊕ w
Query Break(u,v,g,z1,z2,z3) to get R
H(u,v,g): random function
Break(u,v,g,z1,z2,z3): output r when
z1 = H(u,v⊕r,g)
z2 = H(u⊕r,v,g)
z3 = H(u⊕r,v⊕r,g) ⊕ r
Else output nothing
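An added toy model (not from the slides) of the separation on slides 22 to 24: H is a lazily sampled random function and Break is implemented relative to that same table, which is only possible here because both oracles live in one script; no real hash function comes with such an oracle. It reproduces the slide-24 observation that the circular row hands R to Break, and adds the contrast that the simulator’s table (circular row replaced by a random string) gives Break nothing, which is the gap a circular notion has to close. Key size and all names are assumptions of this example.

```python
import secrets
K = 16  # key length in bytes (assumption)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class RandomH:
    """H(u, v, g) as a lazily sampled random function, as on slide 22."""
    def __init__(self):
        self.table = {}
    def __call__(self, u, v, g):
        return self.table.setdefault((u, v, g), secrets.token_bytes(K))

def break_oracle(H, u, v, g, z1, z2, z3):
    """Break: return r with z1 = H(u,v⊕r,g), z2 = H(u⊕r,v,g), z3 = H(u⊕r,v⊕r,g) ⊕ r,
    else None. An undefined point of a random H matches only with negligible
    probability, so trying r = v ⊕ v' over the defined points (u, v', g) suffices."""
    for (uu, vv, gg) in list(H.table):
        r = xor(v, vv)
        if uu != u or gg != g or r == bytes(K):
            continue
        if (H(u, xor(v, r), g) == z1 and H(xor(u, r), v, g) == z2
                and xor(H(xor(u, r), xor(v, r), g), r) == z3):
            return r
    return None

def free_xor_and_table(H, u0, v0, w0, R, g):
    """Slide 12 table, rows (u0,v0), (u0,v1), (u1,v0), (u1,v1) with u1 = u0 ⊕ R etc."""
    u1, v1, w1 = xor(u0, R), xor(v0, R), xor(w0, R)
    return [xor(H(u0, v0, g), w0), xor(H(u0, v1, g), w0),
            xor(H(u1, v0, g), w0), xor(H(u1, v1, g), w1)]

def evaluator_with_break(H, table, u, v, g):
    """Slide 24: holding keys u, v, recover w from row 0 and pass z_i = c_i ⊕ w to
    Break; the circular row makes z3 = H(u⊕R,v⊕R,g) ⊕ R, exactly Break's pattern."""
    c0, c1, c2, c3 = table
    w = xor(H(u, v, g), c0)
    return break_oracle(H, u, v, g, xor(c1, w), xor(c2, w), xor(c3, w))

def demo():
    """(R recovered from the real table?, R recovered from the simulator's table?)"""
    H, R = RandomH(), secrets.token_bytes(K)
    u0, v0, w0 = (secrets.token_bytes(K) for _ in range(3))
    real = free_xor_and_table(H, u0, v0, w0, R, g=1)
    simulated = real[:3] + [secrets.token_bytes(K)]  # circular row replaced, as on slide 14
    return (evaluator_with_break(H, real, u0, v0, 1) == R,
            evaluator_with_break(H, simulated, u0, v0, 1) == R)
```

The first three rows are exactly what the 2-CorRHF oracle CorR hands out, and Break cannot use them alone; only the fourth row, where R is both hashed and XORed in, is outside what 2-CorRHF promises.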
Slide25
Capturing Circularity: Circular 2-CorRHF
Recall indistinguishable oracles in 2-CorRHF
CorR(u,v,g): output H(u,v⊕R,g), H(u⊕R,v,g), H(u⊕R,v⊕R,g)
Rand(u,v,g): if input was queried before then output answer given previously, else output uniformly chosen
Oracles for Circular 2-CorRHF
CircR(u,v,g,b1,b2,b3): output H(u⊕b1R, v⊕b2R, g) ⊕ b3R
Rand(u,v,g,b1,b2,b3): same as before
bR = 0 when b = 0; bR = R when b = 1
Slide26
Capturing Circularity: Circular 2-CorRHF
Recall indistinguishable oracles in 2-CorRHF
CorR(u,v,g): output H(u,v⊕R,g), H(u⊕R,v,g), H(u⊕R,v⊕R,g)
Rand(u,v,g): if input was queried before then output answer given previously, else output uniformly chosen
Oracles for Circular 2-CorRHF
CircR(u,v,g,b1,b2,b3): output H(u⊕b1R, v⊕b2R, g) ⊕ b3R
Rand(u,v,g,b1,b2,b3): same as before
Allowing b3 = 1 captures circularity
Slide27
Circular 2-CorRHF
Oracles for Circular 2-CorRHF
CircR(u,v,g,b1,b2,b3): output H(u⊕b1R, v⊕b2R, g) ⊕ b3R
Rand(u,v,g,b1,b2,b3): same as before
Indistinguishability conditioned on restricted queries to CircR
No queries of the form (u,v,g,0,0,b3)
No queries on both (u,v,g,b1,b2,0) and (u,v,g,b1,b2,1)
Definition (Circular 2-CorRHF): H is circular 2-CorRHF if every non-uniform PPT adversary A making legal queries to oracle O cannot tell whether O is CircR or Rand except with negligible advantage
Slide28
Proof of Security for the Free-XOR Tech.
Corrupt Alice: trivial
Corrupt Bob: Sim creates a fake garbled circuit
AND gate g with wires u, v (inputs) and w (output); XOR gate with wires w, x (inputs) and y = w ⊕ x (output)
Choose random key for all wires except output wires of XOR gates
XOR chosen keys for input wires to get key for output wire of XOR gate
Populate unknown values in non-XOR gate table with random values
Set output garbled table to give correct output z
Simulated table:
H(u,v,g) ⊕ w
random1
random2
random3
…
Slide29
Reduction to Circular 2-CorRHF
Reduction adversary B for Circular 2-CorRHF
B given access to O (either CircR or Rand) & real inputs for both parties
AND gate g with wires u, v (inputs) and w (output); XOR gate with wires w, x (inputs) and y = w ⊕ x (output)
Choose random key for all wires except output wires of XOR gates
XOR chosen keys for input wires to get key for output wire of XOR gate
Populate unknown values in non-XOR gate table using O
Set output garbled table to give correct output z
Reduction table:
H(u,v,g) ⊕ w
O(u,v,g,0,1,0) ⊕ w
O(u,v,g,1,0,0) ⊕ w
O(u,v,g,1,1,1) ⊕ w
…
Slide30
Circular 2-CorRHF & Free-XOR technique
Recall CircR(u,v,g,b1,b2,b3): output H(u⊕b1R, v⊕b2R, g) ⊕ b3R
Real table:
H(u,v,g) ⊕ w
H(u,v⊕R,g) ⊕ w
H(u⊕R,v,g) ⊕ w
H(u⊕R,v⊕R,g) ⊕ (w⊕R)
Simulated table:
H(u,v,g) ⊕ w
random1
random2
random3
Reduction table:
H(u,v,g) ⊕ w
O(u,v,g,0,1,0) ⊕ w
O(u,v,g,1,0,0) ⊕ w
O(u,v,g,1,1,1) ⊕ w
O = Rand: reduction table is distributed as the simulated table
O = CircR: reduction table equals the real table (the query with b3 = 1 supplies the ⊕R of the circular entry)
Slide31
Conclusions & Open Questions
Free-XOR technique extremely influential
Used in all Yao GC implementations
Secure in the random oracle model
“Natural” variant of 2-CorRHF is not sufficient
Circularity
Stronger notion of 2-CorRHF: Circular 2-CorRHF
Security proof for the Free-XOR technique
“Free” gate evaluation under OWF?
Realize Circular 2-CorRHF from standard crypto assumptions?
Slide32
Thank You!