Yehuda Lindell, Benny Pinkas and Eli Oxman, Bar-Ilan - PowerPoint PPT Presentation



SLIDE 1

Yehuda Lindell, Benny Pinkas and Eli Oxman, Bar-Ilan University, Israel

SLIDE 2

 Information theoretic
  • Uses aesthetic mathematical tools that are typically very efficient
  • Adversary is computationally unbounded
  • Requires honest majority
 Computational
  • Uses computational hardness for oblivious transfer, zero knowledge and more
  • Adversary runs in polynomial time
  • Any number of corrupted parties
SLIDE 3

 Semi-honest
  • Corrupted parties follow protocol, but try to learn more than allowed by inspecting transcript
 Malicious
  • Corrupted parties follow any arbitrary strategy
 Covert
  • Corrupted parties follow any strategy
  • If they follow a strategy enabling them to cheat, then they are guaranteed to be caught with some probability (e.g., ½)

SLIDE 4

 Step 1 – construct a protocol that is secure for semi-honest adversaries
 Step 2 – construct a compiler that transforms any protocol that is secure for semi-honest adversaries into a protocol that is secure for malicious adversaries
 The GMW87 compiler achieves step 2 by using zero-knowledge proofs (and more) to ensure semi-honest behaviour
SLIDE 5

 At Crypto 2008, Ishai et al. presented a completely different compiler for obtaining security for any number of corrupted parties
 The building blocks of IPS
  • An information-theoretically secure protocol for computing the functionality (secure for malicious)
  • Semi-honest protocols for computing simple functions (like shares of the product of shares)
 Advantages of IPS
  • Excellent asymptotic efficiency
  • Completely different way of working
  • Black-box in the semi-honest protocols
SLIDE 6

 Simulate an information-theoretic protocol that is secure for an honest majority (malicious adversary)
  • Let an information-theoretic protocol for n parties/servers be given (n is a parameter to be determined)
 A real multiparty protocol for m parties (with m<n) works by having the m real parties simulate an execution of it
  • The m parties run secure protocols π1,…,πn where πi is a secure simulation of the ith server
 Servers are virtual, and the simulated protocol is called the outer protocol
 The m real parties are called clients and π1,…,πn are called inner protocols

SLIDE 7

(Figure) Clients P1, P2; Servers S1, S2, S3, …, Sn
Real inner protocols π1, …, πn; Server Si is simulated with inner protocol πi

SLIDE 8

 What security level is required by the inner protocols π1,…,πn?
  • If they are secure against malicious, this is clearly fine
  • However, our aim is to use subprotocols that are secure for weaker (say, semi-honest) adversaries
  • If they are secure for only semi-honest, then what stops a real malicious client from cheating?

SLIDE 9

 Consider inner protocols π1,…,πn that are secure for covert adversaries
  • With any cheating detected with probability ½
 In order to cheat in the outer protocol (which is secure as long as only a minority are corrupt), the adversary has to cheat in at least n/2 inner protocols
  • Cheating in an inner protocol is the only way to “corrupt” a server in the outer simulated protocol
 By the covert guarantees, such cheating will go undetected with probability at most 2^(-n/2)
 The protocol is therefore secure for malicious adversaries

SLIDE 10

 The challenge: how to prevent a malicious party from cheating in a semi-honest protocol
 Watching: if the randomness (and inputs) that should be used by one party is known to the others, then any cheating can be detected
 The IPS watchlist mechanism:
  • Each party “watches” every other party in k out of the n (real) inner protocols
  • No party knows where it’s being watched (oblivious transfer based setup)
  • Therefore, cheating in many inner protocols is detected with high probability (like covert)

SLIDE 11

 We study the IPS compiler from a number of different angles
  • Optimizations: we provide efficiency improvements on the IPS construction
  • Variants: we apply the IPS paradigm to study covert security and its relation to both semi-honest and malicious adversaries
  • Concrete efficiency: we calculate the concrete efficiency of IPS (in contrast to just asymptotic)

SLIDE 12

 More efficient watchlist setup protocol
  • Based on DDH; uses a special committed oblivious transfer type of protocol
  • Our protocol also gives a more exact result, enabling a tighter cheating probability (yielding better concrete efficiency)
  • Our setup is much more efficient and allows for the use of more servers (which can be in the thousands)
 More in the paper…

SLIDE 13

 IPS constructs malicious from semi-honest
 We use the IPS paradigm to:
  • Construct covert from semi-honest
     Just like IPS but with few watchlists
  • Construct malicious from covert
     As we saw before
 Significance
  • Deepen understanding of covert adversary model (open question from TCC 2010)
  • Conceptually and technically simple
  • Better asymptotic efficiency for some problems
SLIDE 14

 IPS has been shown to have excellent asymptotic efficiency, but no one knows how it behaves concretely
  • This is due to the high level of abstraction
  • Efficiency depends on:
     The outer information-theoretic protocol used
     The inner protocols used
     The number of servers and watchlists to obtain a given error

SLIDE 15

 All multiplication gates require an interactive inner protocol
  • Best efficiency is therefore achieved by minimizing the number of multiplications
  • This is achieved using the packed secret sharing methodology
 Note that the most efficient information-theoretic protocol is not necessarily optimal here

SLIDE 16

 The smallest number of servers possible should give the best efficiency
  • Less work in simulating the outer protocol
 However, fewer servers means fewer corruptions needed by the adversary to achieve an effective dishonest majority
  • And so more watchlists to catch cheating
  • And in turn more servers to maintain an honest majority
 Instantiating IPS concretely and efficiently requires choosing these parameters optimally

SLIDE 17

 We carry out an analytic and numerical analysis of optimal parameters for IPS for a number of different circuits
 We have some rather surprising results
  • For example, for the case of 2 parties and an outer protocol secure for a plain honest majority, 4k servers is optimal (3k results in effectively more servers for the same error probability)
 Recall k is the number of watchlists
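As an added illustration, not code from the slides or the paper, the following Python works through the covert-security argument of slide 9, the watchlist mechanism of slide 10 and the server/watchlist trade-off of slides 16 and 17: it computes the probability that cheating in t of the n inner protocols escapes a watcher who holds the randomness of k of them, and the smallest k for a given error. The single-watcher model, the plain-majority threshold t = n//2 + 1 and all function names are my simplifying assumptions.

```python
from fractions import Fraction
from math import comb, log2


def undetected_prob(n: int, k: int, t: int) -> Fraction:
    """Probability that cheating in t of the n inner protocols escapes a single
    watcher who holds the randomness of k servers chosen uniformly at random.
    Cheating is unnoticed only if no cheated server is on the watchlist, so the
    probability is C(n-t, k) / C(n, k) (hypergeometric: k draws, t bad, 0 hits).
    A single watcher is an assumption; it matches the 2-client case with one
    honest client, whereas the slides have every party watching every other."""
    if not (0 <= k <= n and 0 <= t <= n):
        raise ValueError("need 0 <= k, t <= n")
    if t > n - k:  # fewer than k unwatched servers: the watchlist must hit a cheat
        return Fraction(0)
    return Fraction(comb(n - t, k), comb(n, k))


def error_bits(p: Fraction) -> float:
    """Statistical error as a bit count: -log2(p), the form used for 2^-40."""
    return float("inf") if p == 0 else -log2(float(p))


def covert_bound(n: int, detect: Fraction = Fraction(1, 2)) -> Fraction:
    """Slide 9 argument: inner protocols are covert-secure and catch cheating
    with probability `detect`; breaking the outer protocol's honest majority
    needs cheating in at least n/2 inner protocols, so the adversary escapes
    with probability at most (1 - detect)^ceil(n/2)."""
    cheats_needed = -(-n // 2)  # ceil(n/2)
    return (1 - detect) ** cheats_needed


def min_watchlists(n: int, bits: int) -> int:
    """Smallest watchlist size k such that cheating in a majority of the n
    servers (t = n//2 + 1, plain honest majority; an assumption) is undetected
    with probability at most 2^-bits.  Shows the slide-16 trade-off: fewer
    servers force a larger k relative to n."""
    t = n // 2 + 1
    for k in range(1, n + 1):
        if error_bits(undetected_prob(n, k, t)) >= bits:
            return k
    return n  # k = n watches every server; the loop already returns by then


if __name__ == "__main__":
    print(f"covert inner protocols, n=80: undetected <= 2^-{error_bits(covert_bound(80)):.0f}")
    for n in (60, 120, 160, 240):
        k = min_watchlists(n, 40)
        print(f"n={n:4d} servers: k={k:3d} watchlists for 2^-40 error, n/k={n / k:.2f}")
```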

SLIDE 18

 One of the major difficulties with the IPS protocol is that its instantiation is different
  • For every function (circuit)
     The circuit size and structure affects the choice of block size (for packed secret sharing), affecting the degree of the polynomial, affecting the number of servers and the size of the watchlists and so on
     The number of servers can in turn affect the circuit, unless the circuit is over a huge field to start with
  • For every number of clients
 Analyzing the optimal number of servers, watchlist size and so on is a very difficult task

SLIDE 19

 AES-type circuit (2400 gates over 100 layers)
  • A minimal number of OT’s and multiplications is achieved by taking block size n/73 (numerical analysis)
 For this block size (and protocol threshold) we found “optimal” parameters for error 2^-40:
  • Number of servers n=1752
  • Number of watchlists k=207
 The actual cost (for 2 different choices of the inner multiplication protocol)
  • 13.8 million OT’s and 4.5 billion field multiplications
  • 5.5 million OT’s and 5.5 billion field multiplications
 What’s better? It probably depends on the machine…

SLIDE 20

 Caveats:
  • The estimates are based on only a partial implementation (see full paper for details)
  • The AES circuit is over GF[2^8] but we have many more than 256 servers, so actually need secret sharing over a field extension (which hasn’t been studied concretely)
 Time estimates
  • Using software-based field multiplications the time estimate is about 950 seconds
  • Using the new Intel AES chip which gives carry-less multiplications, the time estimate is reduced to between 79 and 94 seconds (probably a bit overly optimistic)
 Surprisingly competitive (and no real attempts to fully optimize the protocol)
SLIDE 21

 From our concrete analysis, we believe that IPS may actually be concretely competitive
  • Even more potential for multiparty where efficient alternatives are less common
 There are serious obstacles and difficulties in implementing IPS
  • There is no general protocol that receives a circuit and works (the parameters must be tailored)
  • But the payoff may be worth it, and more research may yield a way of doing this…

SLIDE 22

 A deeper understanding of the IPS compiler
  • IPS and covert adversaries
  • Optimized watchlist setup
     More efficient but also cleaner security analysis
  • Better parameters for IPS
 IPS and efficiency/practicality
  • Very difficult to specify and implement, but may potentially yield competitive protocols
  • More work is needed for understanding concrete costs and for optimizing for specific protocols
  • New optimizations may further improve situation
     Like our new watchlist setup