Revisiting the efficiency of malicious two party computation

1
Revisiting the efficiency of malicious two party
computation

• David Woodruff
• MIT

2
Secure function evaluation
Alice
Bob
y 2 0,1n
x 2 0,1n
What is f(x,y)?
Security neither party learns more about the
others input other than what follows from
his/her own input and f(x,y)
3
Application secure datamining

• For medical research, hospitals want to mine
  their joint data
• Patient confidentiality imposes strict laws on
  what can be shared. Mining cannot leak anything
  sensitive

4
American application

• Government has terrorist patterns it looks for in
  airline and credit card repositories
• Repository holders dont want to reveal
  information about their users due to user
  confidentiality
• Government doesnt want to reveal its search
  patterns, as otherwise terrorists could change
  their behavior

5
Security models
Alice
Bob
Difficult to achieve security in malicious model

• Semi-honest parties follow their instructions
  but try to learn more than what is prescribed
• Malicious parties deviate from the protocol
  arbitrarily
• - Use a different input
• - Force other party to output wrong answer
• - Abort before other party learns answer
  

6
Security in the semi-honest model

• Yao Any function f(x,y) that can be
  computed with a circuit of size C can be securely
  computed in the semi-honest model with
  communication O(C)

f(x,y) (x1 Æ y1) Ç (x2 Æ y2)
7
Security in the malicious model
GMW It suffices to design protocols secure in
the semi-honest model
The parties follow the instructions of the
protocol. Dont need to worry about weird
behavior.
What about efficiency?
8
Efficiency

• How to achieve secure function evaluation in the
  malicious model efficiently
• communication
• modular exponentiations
• symmetric key operations
• Previous work
• GMW if circuit size is C, achieve poly(C)
  communication and computation
• Inefficient in practice
• Many problem-specific solutions exist

9
Recent work

• MNPS, MF, LP design new compilers, transforming
  Yaos protocol with semi-honest security to a
  protocol secure in the malicious model
• Very efficient theoretically, and in practice
• All based on the cut-and-choose technique

10
Yaos semi-honest protocol
f(x,y) (x1 Æ y1) Ç (x2 Æ y2)
Create a garbled circuit
7
Keys K(1,0), K(1,1) K(2,0), K(2,1) K(3,0),
K(3,1) K(4,0), K(4,1) K(5,0), K(5,1) K(6,0),
K(6,1) K(7,0), K(7,1)
V
5
6
Æ
Æ
1
2
3
4
x2 y2
x1 y1
11
Yaos semi-honest protocol

• Alice
• Write f as a circuit.
• Create a garbled circuit. Send Bob the tables
• corresponding to each gate, and the keys
• representing Alices input.
• Bob
• Run oblivious transfer to privately get the keys
• representing Bobs input.
• 2. Use the tables to locally evaluate the circuit.

12
The cut-and-choose technique
Alice(x)
Bob(y)
Let C be a circuit for f(x,y)

• Let C1, , Cm be independently garbled versions
  of C.
• Send C1, , Cm to Bob
• Send Bob the keys for his
• challenged circuits.
• 4. Send the keys representing x
• for the unopened circuits

1. Challenge Alice by asking her for all the
keys of a random fraction of C1, , Cm 2.
Verify this fraction of opened circuits was
garbled correctly 3. Run oblivious transfer to
retrieve the keys representing y for each
of the unopened circuits 4. Evaluate the
unopened circuits, and print the majority
output
13
Things to worry about

• Some circuits are improperly garbled
• For some unopened Cj, Alice gives keys
• representing her input x, and for other
  unopened
• Cj she gives keys representing some other x
• For some unopened Cj, Alice gives keys
• representing Bobs input y, and for other Cj
• she gives keys representing some other y

14
High-level solutions

• By opening ½ of the circuits, guarantee the
  majority of the unopened circuits are correct
• By committing to the keys representing Alices
  inputs, guarantee Alices inputs are consistent
• By committing to the keys representing Bobs
  inputs, guarantee Bobs inputs are consistent

15
Previous results
Let g be the of gates, and I the of inputs of
circuit C Let ? be a statistical security
parameter bounding the probability that Alice
can cheat in this framework
16
Our new scheme
17
Equality-checker MF
Alice(x)
Bob(y)
Let C be a circuit for f(x,y)

• Alice lets C1, , Cm be independently garbled
  versions of C, and sends C1, , Cm to Bob
• For each input wire i of Alice, each value b in
  0,1, and each pair of circuits Cr, Cs, Alice
  commits to the tuple
• (r, s, i, K(i, b)r, K(i, b)s)
• and sends the commitments to Bob
• Bob chooses a random T µ m of size m/2 and asks
  Alice to open the Cj with j 2 T and for r, s 2 T,
  to open the commitments to (r, s, i,
  K(i,b)r,K(i,b)s)

18
Security intuition

• Alice commits to tuples (r, s, i, K(i, b)r, K(i,
  b)s)
• C1, , Cm are the nodes of a complete graph. The
  tuple (r, s, i, K(i, b)r, K(i, b)s) is an edge
  between Cr and Cs
• Bob chooses some circuits to open

C1
C2
C6
C3
C5
C4
19
Security intuition

• Say a circuit Cj is a bad vertex if it was
  garbled incorrectly
• Say a commitment to (r, s, i, K(i, b)r, K(i,
  b)s) is a bad
• edge if it was computed incorrectly
• If the complete graph contains many bad vertices
  and
• bad edges, then so will the verification graph
• Thus, if the verification test passes, with high
  probability
• the evaluation graph has few bad vertices and
  edges

20
Our observation

• Suppose the evaluation graph has a large
  connected component K of good edges and good
  vertices.
• Then, by transitivity, all of Alices inputs are
  the same to the circuits in K, which are all
  correctly garbled circuits.
• Thus, as long as K contains at least m/4 good
  vertices, a majority of the unopened circuits
  will be correct and have the same input from
  Alice.
• In the real-ideal model, the simulator for Alice
  can send the majority input to the trusted party.

21
Expander graphs

• Expanders are d-regular, well-connected graphs,
  where d O(1).
• Let A be the adjacency matrix for an expander G,
  with eigenvalues d ?1 ?2 ?n
• Expander-mixing lemma
• For any X, Y µ V, e(X,Y) dXY/n lt
  ?2(XY)1/2.
• Induced subgraphs of expanders contain large
  connected components.

22
Our expander

• Instead of committing to all (r, s, i, K(i, b)r,
  K(i, b)s), fix an expander G on vertices 1, , m,
  and only commit to (r, s, i, K(i, b)r, K(i,
  b)s) for which r, s is in an edge of G.

C1
C2
C6
C3
C5
C4
If the two edges in the evaluation graph are
good, then C1, C4, and C5 all have the same Alice
input
23
Efficiency and security

• Instead of sending O(Im2) commitments, one for
  each tuple (r, s, i, K(i,b)r, K(i,b)s), we send
  O(IG) O(Im), one for each (r, s, i, K(i,b)r,
  K(i,b)s) for which r, s is an edge of G.
• Since G is an expander, for any subset of m/2
  vertices Bob chooses, the evaluation graph has a
  large component of correct circuits for which
  Alice has to use the same input
• Proof uses expander-mixing lemma
• Thus, the security is the same as in
  Equality-checker

24
Protocol sketch

• Alice creates garbled circuits C1, , Cm
• For Alices input wires i, b 2 0,1, and pairs
  of circuits Cr, Cs, for which r, s is an edge
  of G, Alice commits to (r, s, i, K(i, b)r, K(i,
  b)s)
• For Bobs input wires i, b 2 0,1, and Cj, Alice
  commits to (j, i, K(i, b)j)
• 4. Bob chooses a random T µ m and asks
  Alice to open Cj and the commitments to (j, i,
  K(i,b)j) with j 2 T. For r, s 2 G(T), she opens
  the commitments to (r, s, i, K(i,b)r, K(i,b)s)
  and Bob verifies correctness
• 5. Alice sends the keys for her inputs to
  the unopened circuits. Bob uses the commitments
  to (r, s, i, K(i,b)r, K(i,b)s) to verify
  consistency
• Bob uses oblivious transfer to receive the keys
  for his input and uses the commitments to (j, i,
  K(i, b)j) to verify consistency
• Bob evaluates the unopened circuits, and prints
  the majority output

25
Efficiency

• Communication O(mC mI) O(mg)
• Symmetric encryptions O(mC mI) O(mg)
• Modular exponentiations O(mI) naively, but can
  use a single oblivious transfer to retrieve m/2
  keys at once, K(i, b)1, , K(i, b)m/2
• Thus, modular exponentiations O(I).

26
Setting m

• Theorem Alice can cheat with probability at most
  2-m/4 ?
• ? O(m ln d / d1/2)
• To be less than ?, should set m O(ln 1/?)
• This is almost tight, since we give a strategy to
  cheat with almost the same probability
• We prove Equality-checker has almost the same
  cheating probability, so Expander-checker is not
  much worse for the same values of m
• Our result improves and corrects the efficiency
  analysis of MF

27
Main theorem

• Theorem Alice cheats with probability at most
  2-m/4 ?
• Proof
• Alice commits to a labeled expander G, where
  vertices and edges are labeled either bad or good
• If Alice can cheat, V(G) S B C1 C2
  Cr
• S is a set of size m/2
• B is a set of incorrectly-garbled circuits
• Ci is a set of circuits receiving the same Alice
  input
• For all i, Ci m/4
• Edges between Ci and Cj in G with i ? j are bad
  edges
• Bound the probability that Bob does not sample a
  vertex in B or the endpoints of a bad edge.
• Expander-mixing lemma implies if many of Bobs
  samples lie in Ci and many lie in Cj, he will
  obtain endpoints of a bad edge

28
A simple cheating strategy

• Let f(x,y) 1 iff the Hamming distance between x
  and y is smaller than n/10
• Alice creates m/41 circuits which compute
  1-f(x,y), and 3m/4-1 circuits computing f(x,y)
• With probability (3m/4-1 choose m/2)/(m choose
  m/2) 2-O(m), Bob doesnt sample the bad
  circuits, and thus gets the wrong answer, namely
  1-f(x,y)

29
Open questions

• Our hidden constants are large
• Cheating probability 2-m/4 ?, where ? O(m
  ln d / d1/2)
• Is our scheme impractical or is this because of a
  loose analysis?
• Is Equality-checker with our improved efficiency
  analysis the most practical to date?
• Find d-regular graphs such that any two sets of
  vertices of size O(m/d) have an edge between
  them.
• Lindell and Pinkas give a protocol with a more
  formal security analysis than that given for
  Equality-checker.
• Seems our expander-commitments can also be used
  there

30

• Thank you!