
Techniques for Efficient Secure Computation Based on Yao’s Protocol - PowerPoint PPT Presentation



  1. Techniques for Efficient Secure Computation Based on Yao’s Protocol
  Yehuda Lindell, Bar-Ilan University, Israel
  PKC 2013
  Yehuda Lindell Techniques for Efficient Secure Computation 28/2/2013 1 / 39

  2. Secure Computation – Background
  A set of parties $P_1, \ldots, P_m$ with private inputs $x_1, \ldots, x_m$ wish to compute a joint function $f$ of their inputs while preserving security properties such as:
  ◮ Privacy: nothing but the output $f(x_1, \ldots, x_m)$ is revealed
  ◮ Correctness: the correct output is obtained
  ◮ Independence of inputs: no party can choose its input as a function of another party’s input

  3. Secure Computation – Background
  In an election:
  ◮ Privacy means that individual votes are not revealed
  ◮ Correctness means that the candidate with the majority vote wins
  ◮ Independence of inputs means that you can’t vote as a function of the outcome

  4. Secure Computation – Background
  Security must hold in the presence of adversarial behavior:
  ◮ Semi-honest: follows the protocol description but attempts to learn more than allowed
    ◮ Models inadvertent leakage but otherwise gives a weak guarantee

  5. Secure Computation – Background
  Security must hold in the presence of adversarial behavior:
  ◮ Malicious: follows any arbitrary attack strategy
    ◮ Provides a very strong guarantee, but is hard to achieve efficiently
  Security is formalized by comparing the output of a secure protocol to an ideal world in which an incorruptible trusted party computes the function for the parties

  6. Secure Computation – Feasibility
  Despite its stringent requirements, it was shown that essentially any function can be securely computed:
  ◮ In the presence of semi-honest adversaries [Yao86, GMW87]
  ◮ In the presence of malicious adversaries [GMW87]
  ◮ With perfect security where a 2/3 honest majority is guaranteed [BGW88]
  Since the 1980s, the feasibility of secure computation has been studied heavily:
  ◮ Assumptions
  ◮ Stronger adversaries (e.g., adaptive corruptions)
  ◮ Composition
  ◮ And much, much more...

  7. Secure Computation – Theory or Practice?
  ◮ Due to its broad applicability, secure computation has been a foundational theoretical topic of study since the mid 1980s
  ◮ A rich and beautiful theory has been developed
  ◮ Recently, interest has grown with respect to the practicality of secure computation
    ◮ Governments, security organizations, industry, ...

  8. Secure Computation in Practice?
  In the last 5 years there has been incredible progress on making secure computation practical:
  ◮ Today we can run semi-honest secure computation for problems like secure AES in tens of milliseconds
  ◮ We can run huge computations (on circuits of over a billion gates) in minutes
  ◮ We have protocols for malicious adversaries that give amazing amortized complexity
  ◮ Every year there are new significant breakthroughs
  This is very surprising (and exciting): we now know that secure computation can be practical for a reasonably wide range of problems
  ◮ Ten years ago, no one dreamed that this would be possible

  9. Efficient Secure Computation – Semi-Honest Adversaries, From 2004 to 2013
  ◮ Yao’s protocol from 1986 has a constant number of rounds and uses a few symmetric encryptions per gate
  ◮ For many years, it was assumed that any protocol that is based on a circuit for computing the function cannot be practical
  ◮ In 2004, the first implementation of a general secure computation protocol was carried out
    ◮ Fairplay – an implementation of Yao’s protocol for semi-honest adversaries
    ◮ It was surprising to many that a circuit-based protocol could even run
    ◮ The billionaires’ problem on 32-bit integers took between 1.25 seconds (LAN) and 4.01 seconds (WAN)
    ◮ Median of ten 16-bit numbers (circuit of size 4383 gates) took between 7.09 and 16.63 seconds

  10. Efficient Secure Computation – Semi-Honest Adversaries, From 2004 to 2013
  ◮ In 2011, an implementation of Yao for semi-honest adversaries was carried out, using the state-of-the-art algorithmic improvements and systems optimizations
    ◮ Secure AES computation (with 9,280 non-XOR gates) took just 0.2 seconds overall (after an additional 0.6 seconds of preprocessing that can be used for many executions)
  ◮ In 2013, we can do even better

  11. Secure Computation – Malicious Adversaries, From 2004 to 2013
  ◮ In 2004, there were no efficient protocols whatsoever (the only way to achieve this level of security was via general zero-knowledge proofs for NP)
    ◮ There were protocols that need exponentiations per gate; e.g., [SchoenmakersTuyls2004]
    ◮ These protocols can be efficient for small circuits but do not scale well
  ◮ In 2013, we have a number of efficient protocols [NO09, IPS09, DO10, LOP11, BDOZ11, NNOS12, DPSZ12]
  ◮ One important and influential approach is based on Yao’s garbled circuits [Y86, LP07, LP11, sS11]
    ◮ This approach appears to still give the lowest latency in a model with no preprocessing
    ◮ In 2012, an implementation of secure AES computation took < 30 seconds on 4 cores, and about 8 seconds on 16 cores

  12. Secure Computation in Practice – Secure AES Computation
  The problem of authentication and one-time passwords:
  ◮ Users have devices that compute a PRF of the current time etc. to generate one-time passwords
  ◮ The cryptographic keys for one-time password generation are stored at a server
  ◮ A server breach means that all devices must be replaced (very costly and problematic, and so is avoided)
  ◮ The danger can be mitigated using secure computation
    ◮ Share the key between two servers
    ◮ In order to verify a one-time password, securely compute AES (without revealing anything about the key), and then verify
  ◮ The same method can be used to verify “bank transaction signing”

  13. Secure Computation in Practice – Secure AES Computation

  14. General versus Specific Protocols
  ◮ A general protocol can be used to compute any functionality (based on the circuit or some other general representation)
  ◮ For many years it was assumed that general protocols cannot compete with specific protocols
    ◮ In some cases, this may be true, but in many cases general protocols are the best we know
    ◮ And they are good!
  ◮ Efficient general protocols have more applicability, and they save us having to guess what people want to compute
    ◮ For years we talked about elections and auctions, but it appears that one-time password computation is of much more interest

  15. This Talk – Efficient Secure Computation Based on Yao’s Protocol
  ◮ We will briefly review Yao’s basic protocol
  ◮ We briefly mention the major techniques for improving efficiency in the semi-honest setting
  ◮ We will focus on how to deal with malicious adversaries
    ◮ Understanding the problem and difficulty
    ◮ The cut-and-choose technique and subtleties
    ◮ An optimization to reduce bandwidth
    ◮ New developments

  16. Yao’s Garbled Circuits
  A garbling of a circuit $C$ is an “encryption” of the circuit with the following properties:
  ◮ Two secret keys are associated with each input wire; one for the 0-bit and one for the 1-bit
  ◮ Given a single key for each input wire, it is possible to compute the associated output and nothing else. That is:
    ◮ Given the keys associated with bits $x_1, \ldots, x_n \in \{0,1\}$, it is possible to compute $f(x_1, \ldots, x_n)$
    ◮ Given the keys associated with $x_1, \ldots, x_n \in \{0,1\}$, it is not possible to learn anything beyond $f(x_1, \ldots, x_n)$
  ◮ How can garbled circuits be constructed?

  17. A Garbled Gate
  Input wires $i$ and $j$, and output wire $\ell$
  A plain AND gate, the associated keys (garbled values), and the garbled gate ciphertexts. The ciphertexts are listed here in truth-table order; the actual garbled gate stores them in random order:
  $x=0,\ y=0,\ x \wedge y = 0$:  keys $k_i^0, k_j^0, k_\ell^0$;  ciphertext $E_{k_i^0}(E_{k_j^0}(k_\ell^0))$
  $x=0,\ y=1,\ x \wedge y = 0$:  keys $k_i^0, k_j^1, k_\ell^0$;  ciphertext $E_{k_i^0}(E_{k_j^1}(k_\ell^0))$
  $x=1,\ y=0,\ x \wedge y = 0$:  keys $k_i^1, k_j^0, k_\ell^0$;  ciphertext $E_{k_i^1}(E_{k_j^0}(k_\ell^0))$
  $x=1,\ y=1,\ x \wedge y = 1$:  keys $k_i^1, k_j^1, k_\ell^1$;  ciphertext $E_{k_i^1}(E_{k_j^1}(k_\ell^1))$
  ◮ Given $k_i^\alpha$ and $k_j^\beta$ for some $\alpha, \beta \in \{0,1\}$, one can obtain $k_\ell^{\alpha \wedge \beta}$
  ◮ But nothing is revealed by this, since all keys are random!
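The garbled AND gate of slides 16 and 17 carried through in code, as an added example that is not part of the talk: a garbler draws two random keys per wire, builds the four double encryptions $E_{k_i^x}(E_{k_j^y}(k_\ell^{x \wedge y}))$ in random order, and an evaluator holding one key per input wire recovers exactly one output key. Assumptions not on the slides: SHAKE-256 keyed by the wire key stands in for the symmetric encryption (with fresh per-ciphertext randomness and a zero-byte tag so the evaluator can recognise the one row that decrypts, in the style of Lindell and Pinkas), and 128-bit keys.

```python
import hashlib
import random
import secrets

KEY_LEN = 16       # 128-bit wire keys k_i^0, k_i^1, ... (assumption)
NONCE_LEN = 16     # fresh randomness r per ciphertext
TAG = b"\x00" * 8  # redundancy: a correct decryption ends in these zero bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(key: bytes, msg: bytes) -> bytes:
    # E_k(m) = r || (PRF_k(r) xor m); SHAKE-256 plays the PRF (assumption)
    r = secrets.token_bytes(NONCE_LEN)
    pad = hashlib.shake_256(key + r).digest(len(msg))
    return r + _xor(msg, pad)


def dec(key: bytes, ct: bytes) -> bytes:
    r, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    pad = hashlib.shake_256(key + r).digest(len(body))
    return _xor(body, pad)


def gen_wire_keys() -> tuple:
    # (k^0, k^1): one random key for the 0-bit and one for the 1-bit of a wire
    return secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)


def garble_and_gate(ki: tuple, kj: tuple, kl: tuple) -> list:
    # The four rows E_{k_i^x}(E_{k_j^y}(k_l^{x AND y} || TAG)), shuffled so
    # the row position reveals nothing about (x, y)
    rows = []
    for x in (0, 1):
        for y in (0, 1):
            inner = enc(kj[y], kl[x & y] + TAG)
            rows.append(enc(ki[x], inner))
    random.shuffle(rows)
    return rows


def eval_and_gate(garbled: list, ki_alpha: bytes, kj_beta: bytes) -> bytes:
    # Holding k_i^alpha and k_j^beta only, peel every row; the tag identifies
    # the single row that yields k_l^{alpha AND beta} (false match prob. 2^-64)
    for ct in garbled:
        plain = dec(kj_beta, dec(ki_alpha, ct))
        if plain[KEY_LEN:] == TAG:
            return plain[:KEY_LEN]
    raise ValueError("no row decrypted: an input key was wrong")
```

The evaluator learns the bytes of $k_\ell^{\alpha \wedge \beta}$ but, not knowing whether that key is the 0-key or the 1-key of wire $\ell$, learns nothing about the gate's output bit unless the garbler later decodes it.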
