A New Approach to Practical Active-Secure Two-Party Computation (original) (raw)
Related papers
Faster Secure Two-Party Computation Using Garbled Circuits
Secure two-party computation enables two parties to evaluate a function cooperatively without revealing to either party anything beyond the function's output. The garbled-circuit technique, a generic approach to secure two-party computation for semi-honest participants, was developed by Yao in the 1980s, but has been viewed as being of limited practical significance due to its inefficiency. We demonstrate several techniques for improving the running time and memory requirements of the garbled-circuit technique, resulting in an implementation of generic secure two-party computation that is significantly faster than any previously reported while also scaling to arbitrarily large circuits. We validate our approach by demonstrating secure computation of circuits with over 109 gates at a rate of roughly 10 microseconds per garbled gate, and showing order-of-magnitude improvements over the best previous privacy-preserving protocols for computing Hamming distance, Levenshtein distance, Smith-Waterman genome alignment, and AES.
Efficient Two-Party Secure Computation on Committed Inputs
Lecture Notes in Computer Science, 2007
We present an efficient construction of Yao's "garbled circuits" protocol for securely computing any two-party circuit on committed inputs. The protocol is secure in a universally composable way in the presence of malicious adversaries under the decisional composite residuosity (DCR) and strong RSA assumptions, in the common reference string model. The protocol requires a constant number of rounds (four-five in the standard model, two-three in the random oracle model, depending on whether both parties receive the output), O(|C|) modular exponentiations per player, and a bandwidth of O(|C|) group elements, where |C| is the size of the computed circuit. Our technical tools are of independent interest. We propose a homomorphic, semantically secure variant of the Camenisch-Shoup verifiable cryptosystem, which uses shorter keys, is unambiguous (it is infeasible to generate two keys which successfully decrypt the same ciphertext), and allows efficient proofs that a committed plaintext is encrypted under a committed key. Our second tool is a practical four-round (two-round in ROM) protocol for committed oblivious transfer on strings (string-COT) secure against malicious participants. The string-COT protocol takes a few exponentiations per player, and is UC-secure under the DCR assumption in the common reference string model. Previous protocols of comparable efficiency achieved either committed OT on bits, or standard (non-committed) OT on strings.
Efficient Secure Computation with Garbled Circuits
Secure two-party computation enables applications in which participants compute the output of a function that depends on their private inputs, without revealing those inputs or relying on any trusted third party. In this paper, we show the potential of building privacy-preserving applications using garbled circuits, a generic technique that until recently was believed to be too inefficient to scale to realistic problems. We present a Java-based framework that uses pipelining and circuit-level optimizations to build efficient and scalable privacy-preserving applications. Although the standard garbled circuit protocol assumes a very week, honest-but-curious adversary, techniques are available for converting such protocols to resist stronger adversaries, including fully malicious adversaries. We summarize approaches to producing malicious-resistant secure computations that reduce the costs of transforming a protocol to be secure against stronger adversaries. In addition, we summarize results on ensuring fairness, the property that either both parties receive the result or neither party does. Several open problems remain, but as theory and pragmatism advance, secure computation is approaching the point where it offers practical solutions for a wide variety of important problems.
Securing Yao's garbled circuit construction against active adversaries
… Proceedings of 1st Benelux Workshop on …, 2006
We propose a new two-party computation protocol using Yao's garbled circuits, which is secure in the case of malicious behavior. To illustrate the need for the new protocol, we first discuss security issues of three existing protocols for secure two-party computation using garbled circuits, in the case of malicious behavior. The first is a protocol by Pinkas (Eurocrypt 2003), and the other two are the committed-input scheme and the k-leaked model, both presented by Mohassel and Franklin (PKC 2006). We address security flaws in all schemes, which allow leaking of information on the private inputs. In the k-leaked model leaking of some information is permitted if a participant is cheating, but then the honest participant should be aware of it. We show that this is not the case. After discussing these security issues of the known schemes, we describe our new protocol. It is based on the protocol by Pinkas, and the correction of the flaw of the scheme by Pinkas makes our protocol not only more secure, but also more efficient. We provide a detailed informal security analysis of our new protocol.
MISC: Multi-Input Secure Two-Party Computation
The ISC International Journal of Information Security, 2023
Secure multi-party computation (MPC) allows a group of parties to compute a function on their private inputs securely. Classic MPC protocols for two parties use Yao's garbled circuit (GC) or the Goldreich-Micali-Wigderson (GMW) protocol. In this paper, we propose MISC, a multi-input secure computation protocol, by combining GC and GMW in a novel way. MISC can evaluate multi-input AND gates, which can reduce the round complexity. Moreover, MISC reduces the communication overhead by 1.7× and 2.4× for 2-input and by 2× and 2.8× for 4-input AND gates compared to the state-of-the-art GMW-style and GC-style protocols, respectively. In order to use the MISC efficiently in different applications, we redesign common building blocks with multi-input AND gates such as Equality checking, Maxpool, Comparison, and Argmax/Argmin. Results on privacy-preserving applications, e.g., circuit-based private set intersection (PSI) and private machine learning (CNN inference), show that compared to GMW, MISC improves the total communication overhead by 3× and the total run time by 1.5×. https://www.isecure-journal.com/article\_170893.html
Garbled Circuits via Structured Encryption
The garbled circuit technique transforms a circuit in such a way that it can be evaluated on encrypted inputs. Garbled circuits were originally introduced by Yao (FOCS '86) for the purpose of secure two-party computation but have since found many applications. In this work, we consider the problem of designing special-purpose garbled circuits, which are garbled circuits that handle only a specific class of functionalities. Special-purpose constructions are usually smaller than general-purpose ones and lead to more efficient two-party protocols. We propose a design framework for constructing special-purpose garbled circuits based on structured encryption schemes, which are encryption schemes that encrypt data structures in such a way that they can be queried through the use of a token. Using our framework, we show how to design more efficient garbled circuits for several graph-based functionalities (with applications to online social network analysis), Boolean circuits, deterministic finite automata, and branching programs.
An Efficient 2-Party Private Function Evaluation Protocol Based on Half Gates
The Computer Journal, 2018
Private function evaluation (PFE) is a special case of secure multi-party computation (MPC), where the function to be computed is known by only one party. PFE is useful in several real-life applications where an algorithm or a function itself needs to remain secret for reasons such as protecting intellectual property or security classification level. In this paper, we focus on improving 2-party PFE based on symmetric cryptographic primitives. In this respect, we look back at the seminal PFE framework presented by Mohassel and Sadeghian at Eurocrypt'13. We show how to adapt and utilize the well-known half gates garbling technique (Zahur et al., Eurocrypt'15) to their constant round 2-party PFE scheme. Compared to their scheme, our resulting optimization significantly improves the efficiency of both the underlying Oblivious Evaluation of Extended Permutation (OEP) and secure 2party computation (2PC) protocols, and yields a more than 40% reduction in overall communication cost (the computation time is also slightly decreased, and the number of rounds remains unchanged).
Constant-round secure two-party computation from a linear number of oblivious transfer
We construct a protocol for constant round Two-Party Secure Function Evaluation in the standard model which improves previous protocols in several ways. We are able to reduce the number of calls to Oblivious Transfer by a factor proportional to the security parameter. In addition to being more efficient than previous instantiations, our protocol only requires black box calls to OT and Commitment. This is achieved by the use of a faulty variant of the Cutand-Choose OT. The concepts of Garbling Schemes, faulty Cut-and-Choose Oblivious Transfer and Privacy Amplification are combined using the Cut-and-Choose paradigm to obtain the final protocol.
Concurrent Secure Computation via Non-Black Box Simulation
Lecture Notes in Computer Science, 2015
Recently, Goyal (STOC'13) proposed a new non-black-box simulation techniques for fully concurrent zero knowledge with straight-line simulation. Unfortunately, so far this technique is limited to the setting of concurrent zero knowledge. The goal of this paper is to study what can be achieved in the setting of concurrent secure computation using non-black-box simulation techniques, building upon the work of Goyal. The main contribution of our work is a secure computation protocol in the fully concurrent setting with a straight-line simulator, that allows us to achieve several new results: • We give first positive results for concurrent blind signatures and verifiable random functions in the plain model as per the ideal/real world security definition. Our positive result is somewhat surprising in light of the impossibility result of Lindell (STOC'03) for black-box simulation. We circumvent this impossibility using non-black-box simulation. This gives us a quite natural example of a functionality in concurrent setting which is impossible to realize using black-box simulation but can be securely realized using non-black-box simulation. • Moreover, we expand the class of realizable functionalities in the concurrent setting. Our main theorem is a positive result for concurrent secure computation as long as the ideal world satisfies the bounded pseudo-entropy condition (BPC) of Goyal (FOCS'12). The BPC requires that in the ideal world experiment, the total amount of information learnt by the adversary (via calls to the ideal functionality) should have "bounded pseudoentropy". • We also improve the round complexity of protocols in the single-input setting of Goyal (FOCS'12) both qualitatively and quantitatively. In Goyal's work, the number of rounds depended on the length of honest party inputs. In our protocol, the round complexity depends only on the security parameter, and is completely independent of the length of the honest party inputs. Our results are based on a non-black-box simulation technique using a new language (which allows the simulator to commit to an Oracle program that can access information with bounded pseudoentropy), and a simulation-sound version of the concurrent zero-knowledge protocol of Goyal (STOC'13). We assume the existence of collision resistant hash functions and constant round semi-honest oblivious transfer.