GC hash definition Take advantage of the input to hash being a Garbled Circuit GC hash definition weaker than standard collision resistance Given a correctly generated garbled circuit and hash ( GC , h ) If A finds � GC such that H ( � GC ) = H ( GC ) Then, w.h.p, the garbled circuit property of � GC is broken
GC hash definition Take advantage of the input to hash being a Garbled Circuit GC hash definition weaker than standard collision resistance Given a correctly generated garbled circuit and hash ( GC , h ) If A finds � GC such that H ( � GC ) = H ( GC ) Then, w.h.p, the garbled circuit property of � GC is broken � GC will fail to evaluate
C
GC, GC , e, e , d, h C
GC, GC , e, e , d, h C H(GC) = H( GC ) = h
GC, GC , e, e , d, h C H(GC) = H( GC ) = h Ve(C, GC, d, e ) = accept
GC, GC , e, e , d, h GC, GC , e, e , d, h C H(GC) = H( GC ) = h Ve(C, GC, d, e ) = accept De( Eval( GC , En( e , x), d) ) = 丄 for all x , w.h.p
GC, GC , e, e , d, h C H(GC) = H( GC ) = h Ve(C, GC, d, e ) = accept De( Eval( GC , En( e , x), d) ) = 丄 for all x , w.h.p
GC, GC , e, e , d, h C H(GC) = H( GC ) = h Same decoding information d Ve(C, GC, d, e ) = accept De( Eval( GC , En( e , x), d) ) = 丄 for all x , w.h.p
Overview Definition of GC hash security Hashed garbling constructions – standard garbling and half-gates [ZRE’15] Implementation and evaluation Impact – Applications of free hash
Overview Definition of GC hash security Hashed garbling constructions – standard garbling and half-gates [ZRE’15] Implementation and evaluation Impact – Applications of free hash
GC hash construction Intertwine hash generation and verification with GC generation and evaluation
GC hash construction Intertwine hash generation and verification with GC generation and evaluation Attempt 1: H ( GC ) = ⊕ i GR i
a c e b d
A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1
A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 E A0, B0 ( C 0 ) E A0, B1 ( C 0 ) E A1, B0 ( C 0 ) E A1, B1 ( C 1 )
A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) E A1, B1 ( C 1 ) E C1, D1 ( E 1 )
A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) E A1, B1 ( C 1 ) E C1, D1 ( E 1 )
A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) E A1, B1 ( C 1 ) E C1, D1 ( E 1 )
A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) E A1, B1 ( C 1 ) E C1, D1 ( E 1 )
A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) E A1, B1 ( C 0 ) E C1, D1 ( E 1 )
A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( C 0 ) E C1, D1 ( E 1 )
A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( C 0 ) E C1, D1 ( E 1 ) H(ĜC) = h ⊕ Δ
A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( C 0 ) E C1, D1 ( E 1 ) H(ĜC) = h ⊕ Δ
A 0 , A 1 C 0 , C 1 Inactive row E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( C 0 ) E C1, D1 ( E 1 ) H(ĜC) = h ⊕ Δ
A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E C0, D0 ( E 0 ) ⊕ Δ E A0, B0 ( C 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( C 0 ) E C1, D1 ( E 1 ) H(ĜC) = h ⊕ Δ
A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) ⊕ Δ GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( C 0 ) E C1, D1 ( E 1 ) H(ĜC) = h ⊕ Δ ⊕ Δ
A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) ⊕ Δ GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( C 0 ) E C1, D1 ( E 1 ) H(ĜC) = h ✔
GC hash construction Make each gate’s output wire label depend on all entries of GT
GC hash construction Make each gate’s output wire label depend on all entries of GT XOR hash correction involves modifying an active GT entry
GC hash construction Make each gate’s output wire label depend on all entries of GT XOR hash correction involves modifying an active GT entry This affects the computed output wire label of the gate
GC hash construction Make each gate’s output wire label depend on all entries of GT XOR hash correction involves modifying an active GT entry This affects the computed output wire label of the gate Does this suffice?
A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1
C 0 , C 1 E 0 , E 1 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1
Temporary wire labels C 0 , C 1 E 0 , E 1 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1
C 0 , C 1 E 0 , E 1 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) E C0, D0 ( t E 0 ) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) E A1, B1 ( tC 1 ) E C1, D1 ( t E 1 )
C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) E C0, D0 ( t E 0 ) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) E A1, B1 ( tC 1 ) E C1, D1 ( t E 1 )
C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) E A1, B1 ( tC 1 ) E C1, D1 ( t E 1 )
C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ⊕ Δ
C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 Fixes Δ for h But tC 0 ⊕ GT1 = C b ? GT1 GT2 E A0, B0 ( tC 0 ) E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ⊕ Δ
C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ⊕ Δ
C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ⊕ Δ
C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) ⊕ Δ E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ⊕ Δ
C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) ⊕ Δ E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ⊕ Δ ⊕ Δ
C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) ⊕ Δ E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ✔
C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) ⊕ Δ E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ✔ tC 0 ⊕ GT1 = C 0
C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) ⊕ Δ E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ✔ tC 0 ⊕ GT1 = C 0 ✔
Recommend
More recommend
