The Cut-and-Choose Game and its Application to Cryptographic Protocols
Ruiyu Zhu, Yan Huang, Jonathan Katz, abhi shelat
Indiana University, Northeastern University, U. Maryland
What is Cut-and-Choose
Applications of Cut-and-Choose
[BBSU, FC 12] [Blum, ICM 86] [CKV, Crypto 10] [Lindell, Crypto 13] [HKE, Crypto 13] [AMPR, Crypto 14] [Brandão, AsiaCrypt 13] [SS, EuroCrypt 11] [LP, EuroCrypt 07]
Cut-and-Choose in Secure Computation
[Figure: a set of garbled circuits, each either evaluated (Eval) or checked (Chk)]
Three Flavors of Cut-and-choose
– SingleCut: Secure if at least one evaluation-circuit is correct.
– MajorityCut: Secure if the majority of evaluation-circuits are correct.
– BatchedCut: Amortizing cost over multiple executions.
[Lindell, Crypto 13] [HKE, Crypto 13] [AMPR, Crypto 14] [Brandão, AsiaCrypt 13] [LR, Crypto 14] [NO, TCC 09] [FJN+, EuroCrypt 13] [LP, EuroCrypt 07] [LP, JoP 12] [LP, SCN 08] [Woodruff, EuroCrypt 07] [SS, EuroCrypt 11]
Existing SingleCut Strategy
$s$: the security parameter
Expected cost: checking cost $\times \frac{s}{2}$ + evaluation cost $\times \frac{s}{2}$
[Lindell, Crypto 13]
[Figure: garbled circuits marked Eval, Chk, Eval, Chk, Eval]
The Cost Gap
Checking vs. Evaluation
Time cost ratio: 2 ~ 30
Bandwidth cost ratio: 107~108
Seed: 16 bytes; Hash: 32 bytes
Our Key Intuition
Evaluate less and check more. Use mixed-strategies: determine the number
custom distribution. Use linear programming to find optimal parameters.
Problem Formulation
$\epsilon$: upper bound on the security failure rate
$r$: cost ratio
$S_{gen}$: generator's strategy
$S_{eval}$: evaluator's strategy
Want to minimize:
$$\mathbb{E}[\mathrm{cost}(r, S_{eval})]$$
Subject to:
$$\Pr_{\mathrm{failure}}(S_{eval}, S_{gen}) \le \epsilon, \quad \forall S_{gen}$$
("For all cheating strategies")
$S_{gen}$ and $S_{eval}$ in SingleCut
$n$: the total number of circuits
$S_{gen}$: a random variable over $\{0,1\}^n$
$S_{eval}$: a random variable over $\{0,1\}^n$
[Figure: garbled circuits, each labeled with a bit and marked Eval, Chk, Eval, Chk, Eval]
Generator: "My only choices are which circuits to form improperly. I could map between binary string and strategy."
Evaluator: "So could I."
Failure: $S_{gen} = S_{eval}$
Expected Cost of SingleCut
$n$: total number of circuits
$x_i$: probability of evaluating $i$ circuits
$$\mathbb{E}[\mathrm{cost}(r, S_{eval})] = \sum_{i=0}^{n} \bigl(i \cdot r + (n - i) \cdot 1\bigr)\, x_i$$
($i$: # of circuits to evaluate; $n$: total # of circuits)
Constraints on $x_i$ (because it's a probability distribution):
$$x_i \ge 0, \qquad \sum_{i=0}^{n} x_i = 1$$
$$\Pr_{\mathrm{failure}}(S_{eval}, S_{gen}) \le \epsilon$$
Security holds:
$$\forall S_{gen},\ \Pr(S_{eval} = S_{gen}) \le \epsilon$$
$$\forall a \in \{0,1\}^n,\ \Pr(S_{eval} = a) \le \epsilon$$
Probability that evaluator picks any SPECIFIC strategy $a$ is bounded by $\epsilon$.
There are $\binom{n}{i}$ pure strategies that evaluate $i$ circuits.
Each pure strategy can be picked with probability at most $\epsilon$.
Recap
Minimize:
$$\sum_{i=0}^{n} (i r + n - i)\, x_i$$
Subject to:
$$x_i \le \epsilon \binom{n}{i}, \qquad x_i \ge 0, \qquad \sum_{i=0}^{n} x_i = 1$$
Fractional Knapsack Problem
Capacity: $1/\epsilon$ units
Unit cost: $n$, $r + n - 1$, $2r + n - 2$, ⋯, $nr$
Units: $\binom{n}{0}$, $\binom{n}{1}$, $\binom{n}{2}$, ⋯, $\binom{n}{n}$
A greedy algorithm solves it in linear time.
Find the Best $n$
to find the one with minimal cost.
https://github.com/Opt-Cut-N-Choose
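Range of $n$:
$$\log_2 \frac{1}{\epsilon} \;\le\; n \;\le\; \frac{r + 1}{2} \log_2 \frac{1}{\epsilon}$$
Lower bound: required by the security parameter $\epsilon$. Upper bound: achievable with the SingleCut strategy of [Lindell, Crypto 13].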
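The greedy knapsack step and the scan over the range of n described above, as an added example (not the authors' solver, which is at the linked repository). The function names are hypothetical, `capacity` is the integer 1/ε, and ε = 2^-40 is an assumption; r = 4533 is the AES bandwidth cost ratio given on the slides.

```python
import math

def greedy_singlecut(n, r, capacity):
    """Fractional knapsack for one n. capacity = 1/eps units must be filled;
    item i offers C(n, i) units (the pure strategies that evaluate i circuits),
    each unit costing i*r + (n - i). Returns (expected cost, {i: x_i}),
    or None when 2^n < 1/eps and no distribution can meet the bound."""
    # Unit cost n + i*(r - 1) rises with i when r >= 1, so no sort is needed.
    order = range(n + 1) if r >= 1 else range(n, -1, -1)
    left, total, x = capacity, 0, {}
    for i in order:
        units = min(left, math.comb(n, i))   # cap: x_i <= eps * C(n, i)
        x[i] = units / capacity
        total += units * (i * r + n - i)
        left -= units
        if left == 0:
            return total / capacity, x
    return None

def best_n(r, capacity):
    """Scan log2(1/eps) <= n <= (r+1)/2 * log2(1/eps) for the cheapest n."""
    k = math.ceil(math.log2(capacity))
    best = None
    for n in range(k, math.ceil((r + 1) * k / 2) + 1):
        sol = greedy_singlecut(n, r, capacity)
        if sol and (best is None or sol[0] < best[1]):
            best = (n, *sol)
    return best   # (n, expected cost, {i: x_i})

if __name__ == "__main__":
    R, CAP = 4533, 2**40   # r from the AES slide; 1/eps = 2^40 is an assumption
    n, cost, x = best_n(R, CAP)
    classical = (R + 1) / 2 * math.log2(CAP)   # SingleCut of [Lindell, Crypto 13]
    print(f"n={n} cost={cost:.1f} saving={1 - cost / classical:.1%}")
    for i, p in x.items():
        print(f"  evaluate {i} circuits with probability {p:.3g}")
```

With these inputs the scan reports a saving of about 77.5% over the classical strategy, matching the bandwidth saving quoted for AES.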
Sample SingleCut Strategy for AES
Bandwidth cost ratio: $r = 4533$ for AES

Our technique, $n = 2267$ (save 77.5% b/w):
  $i$    $x_i$ as %
  0    $9.09 \times 10^{-11}$
  1    $2.06 \times 10^{-7}$
  2    $2.34 \times 10^{-4}$
  3    $1.77 \times 10^{-1}$
  4    $99.8 \times 10^{0}$

Classical strategy, $n = 40$:
  $i$    $x_i$ as %
  0    $9.09 \times 10^{-11}$
  ⋯    ⋯
  19   $11.9 \times 10^{0}$
  20   $12.5 \times 10^{0}$
  ⋯    ⋯
  40   $9.09 \times 10^{-11}$
Improvements on SingleCut
Savings $= 1 - \dfrac{\text{cost}_{\text{this work}}}{\text{cost}_{\text{best prior work}}}$
[Plot: savings (0% to 80%) versus cost ratio $r$ ($10^0$ to $10^4$), with AES and fp-multiply marked]
Formulation for MajorityCut
See the paper for details.
Minimize:
$$\sum_{i=0}^{n} (i r + n - i)\, x_i$$
Subject to:
$$\sum_{i=b}^{\min(n,\,2b)} x_i \cdot \binom{n-b}{i-b} \Big/ \binom{n}{i} \le \epsilon, \qquad x_i \ge 0, \qquad \sum_{i=0}^{n} x_i = 1$$
Sample MajorityCut Strategy
Time cost ratio: $r = 10$

Our technique, $n = 175$ (save 26.6% time):
  $i$    $x_i$ as %
  7    $1 \times 10^{-4}$
  9    $9 \times 10^{-4}$
  11   $7 \times 10^{-3}$
  13   $4.54 \times 10^{-2}$
  15   0.25
  17   1.23
  19   5.36
  21   20.9
  23   72.2

Classical strategy, $n = 124$:
  $i$    $x_i$ as %
  43   100
Improvements on MajorityCut
Savings $= 1 - \dfrac{\text{cost}_{\text{this work}}}{\text{cost}_{\text{best prior work}}}$
[Plot: savings (0% to 100%) versus cost ratio $r$ ($10^0$ to $10^8$), with fp-multiply and AES marked]
Improvements on BatchedCut
Savings $= 1 - \dfrac{\text{cost}_{\text{this work}}}{\text{cost}_{\text{best prior work}}}$
[Plot: savings (0% to 50%) versus cost ratio $r$ ($10^0$ to $10^5$), with curves for N=100, N=200 and N=10000]
N is the size
Conclusion
The game solvers are available at https://github.com/cut-n-choose.
Cut-and-choose protocols should be appropriately configured based on the security requirement and the cost ratio benchmarked at run-time.
Ruiyu Zhu: zhu52@indiana.edu