Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) - PowerPoint PPT Presentation

SLIDE 1

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting)

Chun Guo Jonathan Katz Xiao Wang Chenkai Weng Yu Yu

SLIDE 2

Yao’s garbled circuits

  • Two-party computation (2PC)
  • Multiple optimizations
    • Point-and-permute
    • Free-XOR
    • Garbled-row-reduction
    • Half-gates (state-of-the-art) [1]
    • Fixed-key AES based garbling [2]

[1] S. Zahur, M. Rosulek, and D. Evans. Two halves make a whole—reducing data transfer in garbled circuits using half gates. In Advances in Cryptology—Eurocrypt 2015, Part II, volume 9057 of LNCS, pages 220–250. Springer, 2015.

[2] M. Bellare, V. T. Hoang, S. Keelveedhi, and P. Rogaway. Efficient garbling from a fixed-key blockcipher. In IEEE Symposium on Security and Privacy (S&P) 2013, pages 478–492, 2013.

SLIDE 3

Concrete security for Half-Gates (Outline)

  • An attack on the current Half-Gates implementation
  • Deficiencies of the current implementation
    • Inappropriate instantiation of the hash function
    • A lack of concrete security
  • A new abstraction of the hash function
    • miTCCR hash
  • Better concrete security
  • Optimization/performance
SLIDE 4

Attack overview

  • Exploits the weakness when $H$ is instantiated with fixed-key AES
  • The attacker succeeds in running time $O(2^k / C)$
    • $k$: bit length of the labels; $C$: number of AND gates
  • A circuit with $k = 80$ and $C = 2^{!"}$ would be completely broken
  • A circuit with $k = 128$ and $C = 2^{!"}$ has only ~80-bit security
  • The implementation of the attack is consistent with the analysis
  • Can be extended to the multi-instance case
SLIDE 5

Half-gate protocol

Generator (AND gate garbling): input wire labels $W_a^0, W_a^0 \oplus R$ and $W_b^0, W_b^0 \oplus R$; output wire labels $W_c^0, W_c^0 \oplus R$. The generator sends $T_G, T_E$ to the evaluator.

Evaluator (AND gate evaluation): holds one label per wire, $W_a$ and $W_b$, and computes $W_c$.

$T_G = H(W_a^0, j) \oplus H(W_a^1, j) \oplus p_b R$

$T_E = H(W_b^0, j') \oplus H(W_b^1, j') \oplus W_a^0$
SLIDE 6

Half-gate protocol

(Same diagram and equations as slide 5.)
SLIDE 7

Details of the attack

Evaluator (holding labels $W_a$, $W_b$, $W_c$):

  • The evaluator receives $T_G = H(W_a^0, j) \oplus H(W_a^1, j) \oplus p_b R$
  • Compute $H' := T_G \oplus H(W_a, j) = H(W_a \oplus R, j) \oplus p_b R$
  • With probability 1/2, $H' = H(W_a \oplus R, j)$
SLIDE 8

Details of the attack

Evaluator (holding labels $W_a$, $W_b$, $W_c$):

  • With probability 1/2, $H' = H(W_a \oplus R, j) = \pi(2(W_a \oplus R) \oplus j) \oplus 2(W_a \oplus R) \oplus j$
  • If one finds $X^*$ such that $H' = \pi(X^*) \oplus X^*$, then the evaluator knows $R$.
  • The evaluator collects all the $(j, W_a, H')$ triples.

Implementation of $H$: $H(x, j) = \pi(K) \oplus K$, where $K = 2x \oplus j$

SLIDE 9

Details of the attack

Evaluator (holding labels $W_a$, $W_b$, $W_c$). Implementation of $H$: $H(x, j) = \pi(K) \oplus K$, where $K = 2x \oplus j$

Oracle $H$: the collected I/O triples $(j, W_a, H')$, ...

Randomly generate $X^*$ and compute $H^* = \pi(X^*) \oplus X^*$

Existence check of $H^*$ among the oracle I/O pairs
SLIDE 10

Implementation of the attack

Result of interpolation: breaking the circuit when k = 80 takes 267 machine-months and $3500.

SLIDE 11

Better concrete security

Abstraction: $\mathcal{O}^{\mathrm{miTCCR}}_R$

SLIDE 12

Better concrete security

Protocol: Half-Gate. Abstraction: $\mathcal{O}^{\mathrm{miTCCR}}_R$. Hash function: $\mathrm{MMO}^{E}_{\sigma}$.

SLIDE 13

Abstraction of the hash function

  • Adversary given $u$ instances
  • Queries of the form $(\star, i, \star)$: at most $\mu$

$\mathcal{O}^{\mathrm{miTCCR}}_R(w, i, b) := H(w \oplus R, i) \oplus b \cdot R$

SLIDE 14

The hash function

  • Hash function (from an ideal cipher):

$\mathrm{MMO}^{E}_{\sigma}(x, i) := E(i, \sigma(x)) \oplus \sigma(x)$

  • $\sigma(x)$ is a linear orthomorphism
    • Linear if $\sigma(x \oplus y) = \sigma(x) \oplus \sigma(y)$
    • Orthomorphism if it is a permutation, and $\sigma'(x) := \sigma(x) \oplus x$ is also a permutation
    • $\sigma(x_L \parallel x_R) = (x_R \oplus x_L) \parallel x_L$
  • $E$ is modeled as an ideal cipher
SLIDE 15

Concrete security bound

  • Multi-instance tweakable circular correlation robustness (miTCCR)

$\mathcal{O}^{\mathrm{miTCCR}}_R(w, i, b) := H(w \oplus R, i) \oplus b \cdot R$

  • Adversary given $u$ instances.
  • Queries of the form $(\star, i, \star)$: at most $\mu$.
  • Attacker advantage:

$\varepsilon = \frac{2\mu p}{2^k} + \frac{(\mu - 1)\, q}{2^k}$

SLIDE 16

Better concrete security for multi-instance

  • Multi-instance tweakable circular correlation robustness (miTCCR)

$\mathcal{O}^{\mathrm{miTCCR}}_R(w, i, b) := H(w \oplus R, i) \oplus b \cdot R$

  • Bound the number of queries of the form $(\star, i, \star)$.
    • Before: $i$ starts from 1.
    • Now: $i$ starts from a random point.
  • Proof using “balls-and-bins”
SLIDE 17

Better concrete security for multi-instance

  • Multi-instance tweakable circular correlation robustness (miTCCR)

$\mathcal{O}^{\mathrm{miTCCR}}_R(w, i, b) := H(w \oplus R, i) \oplus b \cdot R$

  • Concrete security

𝜁 = 𝜈𝑞 + 𝜈 − 1 𝐷 2!() + 2𝐷 *+, 𝜈 + 1 !×2*-

SLIDE 18

Better concrete security for multi-instance

  • Multi-instance tweakable circular correlation robustness (miTCCR)

$\mathcal{O}^{\mathrm{miTCCR}}_R(w, i, b) := H(w \oplus R, i) \oplus b \cdot R$

  • Concrete security

  k (bit)   C            Comp. sec. (bit)   Stat. sec. (bit)
  80        ≤ 2*+.-      78                 40
  128       ≤ 2.'        125                64

SLIDE 19

Implementation & optimization

  • Linear orthomorphism
    • mask = _mm_set_epi64x($1^{64}$, $0^{64}$)
    • $\sigma(x)$ = _mm_shuffle_epi32(a, 78) ⊕ _mm_and_si128(a, mask)
  • Batch key scheduling [GLNP15]
    • Batch of 8 key expansions

$\mathrm{MMO}^{E}_{\sigma}(x, i) := E(i, \sigma(x)) \oplus \sigma(x)$

We optimized it to 20 since then
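As an added example (not the EMP-toolkit code the next slide points to), the hash of slides 14 and 19 in Go: σ written out on 64-bit halves exactly as the shuffle-and-mask computes it, inverses witnessing the permutation and orthomorphism conditions, and MMO^E_σ with E = AES-128 keyed by the gate tweak; the Block layout (L = high half), the Tweak counter and the sample values are assumptions.

```go
package main

import "crypto/aes"
import "encoding/binary"
import "fmt"

// Block is a 128-bit label or hash value: L is the high 64 bits, R the low 64 bits.
type Block struct{ L, R uint64 }
func (a Block) Xor(b Block) Block { return Block{a.L ^ b.L, a.R ^ b.R} }
// Sigma is the linear orthomorphism of slide 14, sigma(x_L || x_R) = (x_R ^ x_L) || x_L,
// which is what _mm_shuffle_epi32(a, 78) ^ _mm_and_si128(a, mask) computes on slide 19.
func Sigma(x Block) Block { return Block{x.R ^ x.L, x.L} }
// SigmaInv inverts Sigma, so Sigma is a permutation.
func SigmaInv(y Block) Block { return Block{y.R, y.L ^ y.R} }
// SigmaPrimeInv inverts sigma'(x) = Sigma(x) ^ x = x_R || (x_L ^ x_R): the orthomorphism condition.
func SigmaPrimeInv(y Block) Block { return Block{y.L ^ y.R, y.L} }

// Tweak derives the per-gate tweak i = start + j (slide 16: start at a random point, not at 1).
func Tweak(start Block, j uint64) Block {
	r := start.R + j
	if r < start.R { // carry into the high half
		return Block{start.L + 1, r}
	}
	return Block{start.L, r}
}

func toBytes(b Block) []byte {
	out := make([]byte, 16)
	binary.BigEndian.PutUint64(out[:8], b.L)
	binary.BigEndian.PutUint64(out[8:], b.R)
	return out
}

// MMO computes MMO^E_sigma(x, i) = E(i, Sigma(x)) ^ Sigma(x) with E = AES-128 keyed by tweak i.
func MMO(x, i Block) Block {
	c, err := aes.NewCipher(toBytes(i)) // only a wrong key length fails, and i is 16 bytes
	if err != nil {
		panic(err)
	}
	s := Sigma(x)
	ct := make([]byte, 16)
	c.Encrypt(ct, toBytes(s))
	return Block{binary.BigEndian.Uint64(ct[:8]) ^ s.L, binary.BigEndian.Uint64(ct[8:]) ^ s.R}
}

func main() {
	x := Block{0x0123456789abcdef, 0xfedcba9876543210}            // constructed sample label
	i := Tweak(Block{0x1111111111111111, 0xffffffffffffffff}, 1) // constructed start tweak, gate 1
	fmt.Printf("sigma(x) = %x\nH(x, i) = %x\n", Sigma(x), MMO(x, i))
}
```

Re-keying AES for every tweak is the cost the slide's batch key scheduling amortizes; the construction itself is unchanged by that optimization.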

SLIDE 20

Implementation & optimization

  • Linear orthomorphism
  • Batch key scheduling [GLNP15]
  • Implementation in EMP-toolkit
    • https://github.com/emp-toolkit/emp-tool/blob/release-2/emp-tool/utils/mitccrh.h
  • Full version of the paper
    • https://eprint.iacr.org/2019/1168.pdf

$\mathrm{MMO}^{E}_{\sigma}(x, i) := E(i, \sigma(x)) \oplus \sigma(x)$