the cut and choose game and its application to
play

The Cut-and-Choose Game and its Application to Cryptographic - PowerPoint PPT Presentation

Jan 28, 2023 •101 likes •424 views

The Cut-and-Choose Game and its Application to Cryptographic Protocols Ruiyu Zhu, Yan Huang, Jonathan Katz, abhi shelat Northeastern Indiana University U. Maryland University What is Cut-and-Choose What is Cut-and-Choose Applications of

  1. The Cut-and-Choose Game and its Application to Cryptographic Protocols Ruiyu Zhu, Yan Huang, Jonathan Katz, abhi shelat Northeastern Indiana University U. Maryland University

  2. What is Cut-and-Choose

  3. What is Cut-and-Choose

  4. Applications of Cut-and-Choose • Secure Computation – LP, Eurocrypt 07 SS, EuroCrypt 11 Brandão, AsiaCrypt 13 AMPR, Crypto14 Lindell, Crypto 13 HKE, Crypto13 • Zero-knowledge-proof – Blum, ICM 86 • Fair exchange of digital currency – BBSU, FC 12 • Secure delegation of computation – CKV, Crypto 10

  5. Applications of Cut-and-Choose • Secure Computation – LP, Eurocrypt 07 SS, EuroCrypt 11 Brandão, AsiaCrypt 13 AMPR, Crypto14 Lindell, Crypto 13 HKE, Crypto13 • Zero-knowledge-proof – Blum, ICM 86 • Fair exchange of digital currency – BBSU, FC 12 • Secure delegation of computation – CKV, Crypto 10

  6. Cut-and-Choose in Secure Computation Garbled Garbled Garbled Garbled Garbled Circuits Circuits Circuits Circuits Circuits Eval Chk

  7. Three Flavors of Cut-and-choose • SingleCut – Secure if at least one evaluation-circuit is correct. Lindell, Crypto 13 HKE, Crypto 13 Brandão, AsiaCrypt 13 AMPR, Crypto 14 • MajorityCut PR, – Secure if the majority of evaluation-circuits are correct. SS’ EuriCrypto 11 LP, EuroCrypt07 Woodruff, EuroCrypt 07 LP, SCN 08 LP, JoP12 • BatchedCut – Amortizing cost over multiple executions. NO, TCC09 FJN+, EuroCrypt13 LR, Crypto 14

  8. Three Flavors of Cut-and-choose • SingleCut – Secure if at least one evaluation-circuit is correct. Lindell, Crypto 13 HKE, Crypto 13 Brandão, AsiaCrypt 13 AMPR, Crypto 14 • MajorityCut – Secure if the majority of evaluation-circuits are correct. SS’ EuriCrypto 11 LP, EuroCrypt07 Woodruff, EuroCrypt 07 LP, SCN 08 LP, JoP12 • BatchedCut – Amortizing cost over multiple executions. NO, TCC09 FJN+, EuroCrypt13 LR, Crypto 14

  9. Existing SingleCut Strategy Lindell, Crypto 13 Garbled Garbled Garbled Garbled Garbled Circuits Circuits Circuits Circuits Circuits Chk Eval Chk Eval Eval Expected cost: checking cost × 𝑡 2 + evaluation cost× 𝑡 2 𝑡 :the security parameter

  10. The Cost Gap Checking Evaluation Garbled Seed Hash Garbled Circuit Circuit Bandwidth Cost Ratio 10 7 ~10 8 Time Cost Ratio 2 ~ 30 16 bytes 32 bytes

  11. Our Key Intuition Evaluate less and check more . Use mixed-strategies : determine the number of evaluation-circuits probabilistically from a custom distribution. Use linear programming to find optimal parameters.

  12. Problem Formulation Want to minimize 𝔽[cost(𝑠, 𝑇 =?@A )] “For all cheating strategies” Subject to: Pr failure 𝑇 =?@A , 𝑇 <=> ≤ 𝜁, ∀𝑇 <=> Upper-bound on the security failure rate 𝜁 Cost ratio 𝑠 𝑇 <=> Generator’s strategy 𝑇 =?@A Evaluator’s strategy

  13. Problem Formulation Want to minimize 𝔽[cost(𝑠, 𝑇 =?@A )] “For all cheating strategies” Subject to: Pr failure 𝑇 =?@A , 𝑇 <=> ≤ 𝜁, ∀𝑇 <=> Upper-bound on the security failure rate 𝜁 Cost ratio 𝑠 𝑻 𝒉𝒇𝒐 Generator’s strategy 𝑻 𝒇𝒘𝒃𝒎 Evaluator’s strategy

  14. 𝑇 <=> and 𝑇 =?@A in SingleCut 𝑜 The total number of circuits A random variable over {0,1} > 𝑇 <=> A random variable over {0,1} > 𝑇 =?@A

  15. 𝑇 <=> and 𝑇 =?@A in SingleCut My only choices I could map are which circuits between binary to form improperly. string and strategy 0 1 0 1 1 1 1 0 1 0 Garbled Garbled Garbled Garbled Garbled Circuits Circuits Circuits Circuits Circuits Failure: 𝑇 <=> = 𝑇 =?@A So could I 0 1 0 1 1 Chk Eval Chk Eval Eval 0 1 0 1 1

  16. Expected Cost of SingleCut # of circuits to evaluate > > > > > 𝔽[cost 𝑠, 𝑇 =?@A ] = U(𝑗𝑠 + 𝑜 − 𝑗 X 1)𝑦 Z 𝔽[cost 𝑠, 𝑇 =?@A ] = U(𝑗𝑠 + 𝑜 − 𝑗 X 1)𝑦 Z 𝔽[cost 𝑠, 𝑇 =?@A ] = U(𝑗𝑠 + 𝑜 − 𝑗 X 1)𝑦 Z 𝔽[cost 𝑠, 𝑇 =?@A ] = U(𝑗𝑠 + 𝑜 − 𝑗 X 1)𝑦 Z 𝔽[cost 𝑠, 𝑇 =?@A ] = U(𝑗𝑠 + 𝑜 − 𝑗 X 1)𝑦 Z Z[\ Z[\ Z[\ Z[\ Z[\ Total # of circuits Total number of circuits 𝑜 𝑦 Z Probability of evaluating 𝑗 circuits

  17. Constraints on 𝑦 Z (because it’s a probability distribution) 𝑦 Z ≥ 0 > U 𝑦 Z = 1 Z[\ Total number of circuits 𝑜 𝑦 Z Probability of evaluating 𝑗 circuits

  18. Pr failure 𝑇 =?@A , 𝑇 <=> ≤ 𝜁 Security ∀ 𝑇 <=> , Pr 𝑇 =?@A = 𝑇 <=> ≤ 𝜁 Holds Probability that evaluator picks any ∀𝑏 ∈ 0,1 > , Pr(𝑇 =?@A = 𝑏) ≤ 𝜁 SPECIFIC strategy a is bounded by 𝜁 .

  19. ∀𝑏 ∈ 0,1 > , Pr (𝑇 =?@A = 𝑏) ≤ 𝜁 𝑦 Z ≤ 𝑜 𝑦 Z ≤ 𝑜 𝑦 Z ≤ 𝑜 𝑦 Z ≤ 𝑜 𝑦 Z ≤ 𝑜 ⋅ 𝜁 ⋅ 𝜁 ⋅ 𝜁 ⋅ 𝜁 ⋅ 𝜁 𝑗 𝑗 𝑗 𝑗 𝑗 Each pure strategy can be picked with probability at most 𝜁 . There are > Z pure strategies that evaluate 𝑗 circuits.

  20. Recap Minimize: > U(𝑗𝑠 + 𝑜 − 𝑗)𝑦 Z Z[\ Subject to: 𝑦 Z ≥ 0 > U 𝑦 Z = 1 Z[\ 𝑦 Z ≤ 𝜁 𝑜 𝑗

  21. Fractional Knapsack Problem Unit Cost: 𝑜 𝑠 + 𝑜 − 1 2𝑠 + 𝑜 − 2 𝑜𝑠 𝑜 𝑜 𝑜 𝑜 Units 0 1 2 𝑜 A greedy algorithm Capacity: solves it in linear 1/𝜁 units time.

  22. Find the Best 𝑜 • Exhaustively search every 𝑜 Achievable with the SingleCut strategy of Required by the [Lindell, Crypto13]. Range of 𝑜 security parameter 𝜁 1 𝑠 + 1 1 log d log d 𝜁 2 𝜁 to find the one with minimal cost. • Limitation: 𝑜 is publicly fixed. Followup at: https://github.com/Opt-Cut-N-Choose

  23. Sample SingleCut Strategy for AES 𝒐 = 𝟓𝟏 𝒐 = 𝟑𝟑𝟕𝟖 𝒋 𝒚 𝒋 as % 𝒋 𝒚 𝒋 as % Classical Strategy Our technique 9.09 X 10 lmm 9.09 X 10 lmm 0 0 2.06 X 10 lo ⋯ ⋯ 1 11.9 X 10 \ 2.34 X 10 l7 19 2 12.5 X 10 \ 1.77 X 10 lm 20 3 99.8 X 10 \ ⋯ ⋯ 4 9.09 X 10 lmm 40 Save 77.5% b/w Bandwidth cost ratio: 𝑠 = 4533 For AES

  24. Improvements on SingleCut 80% 60% Savings 40% 20% 0% 10 0 10 1 10 4 10 2 10 3 Cost Ratio r cost this work Savings=1− cost best prior work

  25. Improvements on SingleCut 80% 60% Savings AES 40% fp-multiply 20% 0% 10 0 10 1 10 4 10 2 10 3 Cost Ratio r

  26. Formulation for MajorityCut Minimize: > U(𝑗𝑠 + 𝑜 − 𝑗)𝑦 Z Z[\ Subject to: 𝑦 Z ≥ 0 > U 𝑦 Z = 1 Z[\ }~• (>,d€) 𝑦 Z X 𝑜 − 𝑐 / 𝑜 U ≤ 𝜁 𝑗 − 𝑐 𝑗 Z[€ See the paper for details.

  27. Sample MajorityCut Strategy 𝒐 = 𝟐𝟖𝟔 𝒋 𝒚 𝒋 as % 𝒋 𝒚 𝒋 as % Classical Strategy 𝒐 = 𝟐𝟑𝟓 Our technique 1 X 10 l7 7 17 1.23 9 X 10 l7 9 19 5.36 𝒋 𝒚 𝒋 as % 7 X 10 lƒ 11 21 20.9 4.54 X 10 ld 23 13 72.2 43 100 15 0.25 Save 26.6% time Time cost ratio: 𝑠 = 10

  28. Improvements on MajorityCut 100% 80% 60% Savings 40% 20% 0% 10 0 10 2 10 4 10 6 10 8 Cost ratio r cost this work Savings=1− cost best prior work

  29. Improvements on MajorityCut 100% 80% 60% Savings AES 40% fp-multiply 20% 0% 10 0 10 2 10 4 10 6 10 8 Cost ratio r

  30. Improvements on BatchedCut 50% N=100 40% N is the size N=200 of the circuit. N=10000 30% Savings 20% 10% 0% 10 0 10 1 10 2 10 3 10 4 10 5 Cost ratio r cost this work Savings=1− cost best prior work

  31. Conclusion Cut-and-choose protocols should be appropriately configured based on the security requirement and the cost ratio benchmarked at run-time. The game solvers are available at https://github.com/cut-n-choose. Ruiyu Zhu: zhu52@indiana.edu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Real Game of Life Why? How do you choose? Decision Making Game! 1) Tradeoffs 2) Unintended

The Real Game of Life Why? How do you choose? Decision Making Game! 1) Tradeoffs 2) Unintended

The Real Game of Life Why? How do you choose? Decision Making Game! 1) Tradeoffs 2) Unintended Consequences 3) Payback period 4) Risk or Uncertainty 5) Time period Rules There will be 4 rounds, and some surprises. At the beginning

456 views • 31 slides
HTML5 Game Development In-depth RICHARD DAVEY, PHOTON STORM LTD. Introduction Choose the

HTML5 Game Development In-depth RICHARD DAVEY, PHOTON STORM LTD. Introduction Choose the

HTML5 Game Development In-depth RICHARD DAVEY, PHOTON STORM LTD. Introduction Choose the platform When to use DOM / CSS Preparing Graphics What well cover Preparing Audio Game Frameworks Physics Libraries Distribution Who am I? Who do

1.08k views • 49 slides
Scalability + Performance a choose your own adventure game hosted by James Cox 1 Tuesday, 1

Scalability + Performance a choose your own adventure game hosted by James Cox 1 Tuesday, 1

Scalability + Performance a choose your own adventure game hosted by James Cox 1 Tuesday, 1 April 2008 1 Begin Your Adventure... Art &amp; The End Planning Hosting &amp; Deployment Ruby &amp; Rails Caching Testing MySQL 2 Tuesday,

229 views • 20 slides
Connect your device to application GAME ENGINE ON ANDROID Julian Chu Agenda We Love Game Why

Connect your device to application GAME ENGINE ON ANDROID Julian Chu Agenda We Love Game Why

Connect your device to application GAME ENGINE ON ANDROID Julian Chu Agenda We Love Game Why need Game Engine What is Game Engine How many Game Engine Get one for You Implementation We Love Game Do You Love Playing Game? I DO

777 views • 50 slides
Interactive Media and Game Development Frontiers 2008 Mark Claypool What Do You Think Goes

Interactive Media and Game Development Frontiers 2008 Mark Claypool What Do You Think Goes

Interactive Media and Game Development Frontiers 2008 Mark Claypool What Do You Think Goes Into Developing Games? Choose a game youre familiar with Assume you are inspired (or forced or paid) to re-engineer the game Take 1-2

572 views • 38 slides
e-Bug Junior Game Junior Game Game Style Game Process Demo Game Mechanics and

e-Bug Junior Game Junior Game Game Style Game Process Demo Game Mechanics and

e-Bug Junior Game Junior Game Game Style Game Process Demo Game Mechanics and Learning Outcomes Feedback to date and evaluation plans Game Style Game style encompasses two genres of game o Platform game fast action

575 views • 22 slides
A game of matching pennies column L R row T 2,0 0,1 B 0,1 1,0 People last names

A game of matching pennies column L R row T 2,0 0,1 B 0,1 1,0 People last names

A game of matching pennies column L R row T 2,0 0,1 B 0,1 1,0 People last names A-M play ROW (choose T, B) People last names N-Z play COLUMN (choose L, R) A game of matching pennies: Mixed-strategy equilibrium

601 views • 33 slides
e-Bug Senior Game Senior Game Game Style Game Process Demo Game Puzzles and

e-Bug Senior Game Senior Game Game Style Game Process Demo Game Puzzles and

e-Bug Senior Game Senior Game Game Style Game Process Demo Game Puzzles and Learning Outcomes Feedback to date and evaluation plans Game Style Game is a detective game where the player investigates microbial problems.

572 views • 19 slides
Lecture 8 Backward Induction 14.12 Game Theory Muhamet Yildiz 1 Road Map 1. Backward Induction

Lecture 8 Backward Induction 14.12 Game Theory Muhamet Yildiz 1 Road Map 1. Backward Induction

Lecture 8 Backward Induction 14.12 Game Theory Muhamet Yildiz 1 Road Map 1. Backward Induction 2. Examples 3. Application: Stackelberg Duopoly 4. [Next Application: Negotiation] 2 Definitions Perfect-Information game is a game in which all

331 views • 11 slides
More examples of BNE: Application to the game of chicken Felix Munoz-Garcia EconS 503 -

More examples of BNE: Application to the game of chicken Felix Munoz-Garcia EconS 503 -

More examples of BNE: Application to the game of chicken Felix Munoz-Garcia EconS 503 - Washington State University Teenagers and the Game of Chicken Rebel Without a Cause (1955) starring James Dean Two teenagers simultaneously drive their cars

290 views • 12 slides
E - L E A R N I N G G A M E EVERY GAME WILL START WITH SIMPLE MENU YOU CAN

E - L E A R N I N G G A M E EVERY GAME WILL START WITH SIMPLE MENU YOU CAN

2 D P I X E L E - L E A R N I N G G A M E EVERY GAME WILL START WITH SIMPLE MENU YOU CAN EITHER CHOOSE : PLAY : SETTINGS : QUIT HERE WE CAN ADJUST OUR RESOLUTION OR MAKE IT FULL SCREEN THE BOTTOM

118 views • 10 slides
College Application Seminar Ancaster High School September 25, 2019 WHY CHOOSE COLLEGE?

College Application Seminar Ancaster High School September 25, 2019 WHY CHOOSE COLLEGE?

College Application Seminar Ancaster High School September 25, 2019 WHY CHOOSE COLLEGE? Less theory and more practical experience 307 degree programs offered A career focused education Preparation for highly competitive

564 views • 29 slides
Meteor Fullstack JavaScript Development Retro42: Our prototype application Why did we choose

Meteor Fullstack JavaScript Development Retro42: Our prototype application Why did we choose

Meteor Fullstack JavaScript Development Retro42: Our prototype application Why did we choose Meteor? What is Meteor? Show me some code! Comparing Meteor vs. MEAN More about Meteor Raimond Reichert, Samuel Zrcher, Ergon Informatik AG

1.2k views • 92 slides
Simplifying Game-Based Definitions Indistinguishability up to correctness and its application to

Simplifying Game-Based Definitions Indistinguishability up to correctness and its application to

Simplifying Game-Based Definitions Indistinguishability up to correctness and its application to stateful AE Phillip Rogaway Yusi (James) Zhang University of California, Davis, USA C RYPTO 2018 1. Introduction 2. IND|C 3. Examples 1

523 views • 20 slides
Introduction to Game Theory Lecture Note 8: Dynamic Bayesian Games HUANG Haifeng University of

Introduction to Game Theory Lecture Note 8: Dynamic Bayesian Games HUANG Haifeng University of

Preliminary Concepts Sequential Equilibrium Signaling Game Application: The Spence Model Application: Cheap Talk . . Introduction to Game Theory Lecture Note 8: Dynamic Bayesian Games HUANG Haifeng University of California, Merced

746 views • 46 slides
Application of Game Theory to Wireless Power Control Games Networking Equilibrium Analysis

Application of Game Theory to Wireless Power Control Games Networking Equilibrium Analysis

Application of Game Theory to Wireless Networking Tansu Alpcan Introduction Application of Game Theory to Wireless Power Control Games Networking Equilibrium Analysis Stability and Convergence Iterative Schemes Tansu Alpcan

626 views • 44 slides
Molekularer Einblick in die Evolution von Phnotypen Peter Schuster Institut fr Theoretische

Molekularer Einblick in die Evolution von Phnotypen Peter Schuster Institut fr Theoretische

Molekularer Einblick in die Evolution von Phnotypen Peter Schuster Institut fr Theoretische Chemie und Molekulare Strukturbiologie der Universitt Wien Computergesttzte Analyse evolutionrer Optimierungsprozesse in komplexen Systemen

1.26k views • 90 slides
INTRODUCTION Manisha Electrical &amp; Engineers Pvt. Ltd. is in the business of providing

INTRODUCTION Manisha Electrical &amp; Engineers Pvt. Ltd. is in the business of providing

INTRODUCTION Manisha Electrical &amp; Engineers Pvt. Ltd. is in the business of providing Comprehensive Solutions in the field of E lectrical, I nterior, F ire and S afety for last 7 long Years. Over these years, we have developed expertise in terms

669 views • 7 slides
Recorded Webinar: http://energizingentrepreneurs.adobeconnect.com/p26enl1srcs/ Preliminary

Recorded Webinar: http://energizingentrepreneurs.adobeconnect.com/p26enl1srcs/ Preliminary

Recorded Webinar: http://energizingentrepreneurs.adobeconnect.com/p26enl1srcs/ Preliminary Findings TAC Meeting Rural Maryland Transfer of Wealth Opportunity Project May 10, 2017 Charlotte Davis Welcome &amp; Introductions Don Macke 2 nd TAC

664 views • 39 slides
Mult ltidisciplinary Tool C628 2017 ANCC National Magnet Conference Friday, October 13, 2017

Mult ltidisciplinary Tool C628 2017 ANCC National Magnet Conference Friday, October 13, 2017

In Inte terprofessional Rounding using a Mult ltidisciplinary Tool C628 2017 ANCC National Magnet Conference Friday, October 13, 2017 9:30 AM Marlene Marks, BSN, RN, CCM Lillian Hershberger, BSN, RN, CCM Goshen Health Goshen, Indiana

375 views • 25 slides
September 17, 2019 National Electric Power Regulatory Authority Scheme of Todays Presentation

September 17, 2019 National Electric Power Regulatory Authority Scheme of Todays Presentation

SAARC Training for Professionals of Afghanistan on NEPRA Licensing Regime September 17, 2019 National Electric Power Regulatory Authority Scheme of Todays Presentation Licensing Regime in Power Sector of Pakistan 1. Evolution of Licensing

463 views • 19 slides
assessment Guideline fil Danish experience Lis Alban Fra vrktjslinjen klik p

assessment Guideline fil Danish experience Lis Alban Fra vrktjslinjen klik p

og vlg Gitter og hjlpelinjer St kryds ved Vis tegnehjlpelinjer p skrmen St hak ved Fastgr objekter til gitter Use of EMAs risk 2. Via indst Vlg billede og billede fra assessment Guideline

570 views • 14 slides
Advocacy, Green Chemistry, and National Policy Miriam Rotkin-Ellman and David Faulkner The

Advocacy, Green Chemistry, and National Policy Miriam Rotkin-Ellman and David Faulkner The

Advocacy, Green Chemistry, and National Policy Miriam Rotkin-Ellman and David Faulkner The Natural Resources Defense Council Founded in 1970 by environmental law students and attorneys Advocates for human rights to clean air, water, and

493 views • 9 slides
and CYP3A mRNA and protein in different reproductive tissues of breeding boars Asep Gunawan (1)(2)

and CYP3A mRNA and protein in different reproductive tissues of breeding boars Asep Gunawan (1)(2)

Expression study of ESR1, ESR2, CYP19 and CYP3A mRNA and protein in different reproductive tissues of breeding boars Asep Gunawan (1)(2) ., K.Kaewmala (2) .,U.Cinar (2) and K.Schellander (2) (2) Institute of Animal Science (1) Faculty of Animal

993 views • 35 slides

More recommend